BugkuCTF-web21 (detailed solution approach and steps)
2022-07-02 06:34:00 【hangshao0.0】
Reading the challenge
The challenge gives no real information; it just encourages you not to give up: never give up.

Getting information with F12
There was no additional information. I refreshed a few times and nothing new appeared.

Capturing the request with Burp Suite

The response hinted at 1p.html, so I changed the GET parameter to 1p.html and got a block of JS code.


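Decoding
So, decode it with an online decoder.

After decoding, there is still content inside a comment; try decoding it as base64.

After that decoding, new information appears: some functions and conditional statements, along with many percent signs.

As you can see, URL decoding is still needed.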
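The decoding chain described above (JavaScript unescape, then base64 on the leftover comment, then URL decoding) can be scripted instead of done by hand in online decoders. The following is an added example, not code from the original write-up; the sample input is constructed, and `peel_once`, `peel` and `build_sample` are names chosen here.

```python
import base64
import binascii
import re
from urllib.parse import quote, unquote

QUOTED_PCT = re.compile(r"([\"'])([^\"']*%[0-9A-Fa-f]{2}[^\"']*)\1")  # JS string literal
HTML_COMMENT = re.compile(r"<!--(.*?)-->", re.S)
PCT = re.compile(r"%[0-9A-Fa-f]{2}")
B64 = re.compile(r"[A-Za-z0-9+/]+={0,2}")

def peel_once(text):
    """Decode one layer; return (layer_name, decoded) or None if nothing matches."""
    m = QUOTED_PCT.search(text)
    if m:  # percent-escaped string literal handed to JavaScript unescape()
        return "js-string", unquote(m.group(2))
    m = HTML_COMMENT.search(text)
    if m:  # payload left behind in an HTML comment
        return "html-comment", m.group(1).strip()
    text = text.strip()
    if PCT.search(text):
        return "url", unquote(text)
    if len(text) % 4 == 0 and B64.fullmatch(text):
        try:
            return "base64", base64.b64decode(text, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            pass
    return None

def peel(text, max_layers=10):
    """Peel layers until none is recognised; return (layer names, final text)."""
    layers = []
    for _ in range(max_layers):
        step = peel_once(text)
        if step is None or step[1] == text:
            break
        layers.append(step[0])
        text = step[1]
    return layers, text

# Constructed sample: one PHP statement wrapped in the layers the write-up describes.
SAMPLE_PHP = "if(!$_GET['id']) { header('Location: hello.php?id=1'); exit(); }"

def build_sample(php=SAMPLE_PHP):
    inner = base64.b64encode(quote(php, safe="").encode()).decode()
    page = "<script>/* constructed */</script><!--" + inner + "-->"
    return 'var Words = "' + quote(page, safe="") + '"; document.write(unescape(Words));'

if __name__ == "__main__":
    print(peel(build_sample()))
```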



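Analyzing the PHP code
The resulting PHP code is below. There will always be some functions you don't know; just look them up.
```php
<?php
// A missing id redirects to hello.php?id=1.
if(!$_GET['id'])
{
    header('Location: hello.php?id=1');
    exit();
}
$id=$_GET['id'];
$a=$_GET['a'];
$b=$_GET['b'];
// Reject $a when it contains a dot after the first character.
if(stripos($a,'.'))
{
    echo 'no no no no no no no';
    return ;
}
$data = @file_get_contents($a,'r');
// All comparisons below are loose (==, !=); eregi uses "111" plus the first character of $b as the pattern.
if($data=="bugku is a nice plateform!" and $id==0 and strlen($b)>5 and eregi("111".substr($b,0,1),"1114") and substr($b,0,1)!=4)
{
    $flag = "flag{***********}";
}
else
{
    print "never never never give up !!!";
}
?>
```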

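Constructing the payload
The parameters are: /hello.php?id=0e&a=php://input&b=.123542
Variable a: file upload (php://input makes file_get_contents read the request body, and the value contains no dot).
Variable b: its first character is a dot, which is not equal to 4; "111" concatenated with a dot forms a regular expression that matches "1114".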


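I wasn't originally planning to write this up, but then I felt this challenge was actually well designed, so I wrote it. If it helps, likes, comments and bookmarks are welcome.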