Trying out the basic features of cnblogs, and while I'm at it, uploading the write-up for my school team's recruitment CTF.
alpaca_search:
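Brute-force the password directly with Burp. After capturing the traffic a few more times in Burp, you will find a new cookie named count in the correct response; count records the correct value. Then change it to 999 and send a few more requests; once the correct one is sent, you get the flag.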
RCE_ME!!!
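The challenge states outright that it is RCE. Auditing the code with what I learned on CTFHub, it is clearly exploited by passing the cmd parameter via GET, and the eval function has not been banned.
The first check, a preg_match against '/data:\/\/|filter:\/\/|php:\/\/|phar:\/\/|zip:\/\//i', can basically be ignored.
The second, if(';' === preg_replace('/[a-z,_]+\((?R)?\)/', NULL, $cmd)), means this is a no-argument RCE (honestly, it took me a long while of staring at it to understand no-argument RCE): roughly, only function calls can be used to exploit the vulnerability.
Continuing the audit with the third regex, I found that defined, which should have been banned, was written as dfined, so this is obviously the way in. Passing var_dump(current(get_defined_vars())); returns string(38) "var_dump(current(get_defined_vars()));" }, which shows that shell commands can be executed.
Finally, eval(end(current(get_defined_vars())));&shell=phpinfo(); brings up phpinfo(); open the search box with Ctrl+F, type flag, and there it is. If you want to learn about no-argument RCE, I recommend reading https://blog.csdn.net/Manuffer/article/details/120738755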
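The filter logic described above, as an added sketch that is not the challenge's own source: the second check is the one quoted in the write-up, while the function names, the other blocklist entries and the allowlist are assumptions. It runs the page's two inputs through the blocklist with the dfined typo, through the corrected blocklist, and through an allowlist of exact function names, which is the sturdier control.

```php
<?php
// Added illustration. The challenge source is not on the page, so every
// blocklist entry except the typo is an assumed placeholder.

// Second check from the write-up: strip name(...) recursively; only ';' may remain.
function is_no_arg_call(string $cmd): bool {
    return ';' === preg_replace('/[a-z,_]+\((?R)?\)/', '', $cmd);
}

const BLOCKLIST_TYPO  = '/system|exec|dfined/i';   // assumed entries + the typo
const BLOCKLIST_FIXED = '/system|exec|defined/i';  // typo corrected

// Blocklist variant: substring match against banned words.
function blocklist_allows(string $cmd, string $blocklist): bool {
    return is_no_arg_call($cmd) && preg_match($blocklist, $cmd) === 0;
}

// Allowlist variant: every called name must be explicitly permitted.
function allowlist_allows(string $cmd, array $allowed): bool {
    if (!is_no_arg_call($cmd)) {
        return false;
    }
    preg_match_all('/[a-z_]+(?=\()/', $cmd, $m);
    return count(array_diff($m[0], $allowed)) === 0;
}

// Constructed sample inputs: the two from the write-up plus two controls.
$samples = [
    'var_dump(current(get_defined_vars()));',
    'eval(end(current(get_defined_vars())));',
    "var_dump('x');",   // carries an argument, fails the second check
    'phpversion();',    // harmless no-argument call
];
$allowed = ['phpversion'];  // assumed allowlist

foreach ($samples as $s) {
    printf("%-42s typo=%-5s fixed=%-5s allowlist=%s\n",
        $s,
        var_export(blocklist_allows($s, BLOCKLIST_TYPO), true),
        var_export(blocklist_allows($s, BLOCKLIST_FIXED), true),
        var_export(allowlist_allows($s, $allowed), true));
}
```

Correcting the typo only closes this one path; a blocklist in front of eval still depends on naming every dangerous function, which is why the allowlist column is the one to rely on.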
Let's try uploading an image.
School New Competition WP