1. First, open the challenge, as follows:

2. Look at the request URL: the img parameter appears to be an encoded string. Decoding it gives the image name 555.png, as follows:

3. With the file name in hand, a file inclusion vulnerability is likely here, because the request parameter is user-controlled. Change the value of the img parameter to index.php, encoded as TmprMlpUWTBOalUzT0RKbE56QTJPRGN3, then request the page and Base64-decode the returned string to obtain the source code of index.php:

4. Auditing the code reveals a command execution vulnerability, but the command is filtered and an MD5 collision is required. The command execution vulnerability is as follows:

5. Looking at the filter, dir is not filtered, so dir is used to get directory information. The MD5 collision is produced with fastcoll: the command fastcoll.exe -p init.txt -o 1.txt 2.txt generates two files, whose contents are then read:


6. Start trying to read the directory information. Because values for a and b must be passed, a POST request is used. The result is as follows:


7. No flag-related information is found there, so try listing the root directory. The result is as follows:

8. The flag file is found. After checking online, it turns out that \ is not filtered, so ca\t%20fl\ag is used to read the flag, as follows:

9. The complete source code of index.php is as follows:
<?php $file = preg_replace("/[^a-zA-Z0-9.]+/", "", $file); ?>
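
Added example (not part of the original write-up or the challenge's code): the value in step 3 decodes as Base64, Base64, then hex, and the character filter shown in index.php leaves index.php untouched, so neither the encoding nor the filter restricts which file is served. The Python sketch below reproduces that and contrasts it with an allowlist check; the function names and ALLOWED_IMAGES are assumptions made for illustration.

```python
import base64
import re


def decode_img(param: str) -> str:
    """Undo the three layers of the img parameter: Base64 -> Base64 -> hex."""
    hex_text = base64.b64decode(base64.b64decode(param)).decode("ascii")
    return bytes.fromhex(hex_text).decode("utf-8")


def encode_img(name: str) -> str:
    """Build the img parameter for a file name (inverse of decode_img)."""
    hex_text = name.encode("utf-8").hex().encode("ascii")
    return base64.b64encode(base64.b64encode(hex_text)).decode("ascii")


def page_filter(name: str) -> str:
    """Python equivalent of the preg_replace line shown in index.php."""
    return re.sub(r"[^a-zA-Z0-9.]+", "", name)


# Assumption: the only file this endpoint is meant to serve.
ALLOWED_IMAGES = {"555.png"}


def is_allowed(param: str) -> bool:
    """Hardened check: decode, then accept only names on the allowlist."""
    try:
        name = decode_img(param)
    except ValueError:  # covers bad Base64, bad hex and bad text encoding
        return False
    return name in ALLOWED_IMAGES


if __name__ == "__main__":
    step3 = "TmprMlpUWTBOalUzT0RKbE56QTJPRGN3"  # value quoted in step 3
    print(decode_img(step3))                     # file name hidden in the value
    print(page_filter(decode_img(step3)))        # the filter does not change it
    print(is_allowed(step3), is_allowed(encode_img("555.png")))
```

The filter only strips characters such as / that would allow directory traversal; it does not limit the name to image files, which is why an explicit allowlist (or a fixed image directory plus an extension check) is the fix.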