Bugku web guide
2022-07-06 09:52:00 【XRSec】
web
web1
https://segmentfault.com/a/1190000016750234
Knowledge base
Several functions are involved:
1. $_REQUEST: receives data submitted by both the POST and GET methods, but it is slower.
2. eval: evaluates a string as PHP code. The string must be valid PHP code and must end with a semicolon.
```php
<?php eval("echo'hello';echo' world';"); // output: hello world
```
3. var_dump: outputs information about a variable.
```php
<?php
// number
var_dump(1);        // int(1)
// string
var_dump("string"); // string(6) "string"
```
Solution approach
eval should be the way in for this challenge, because it can execute PHP code.
hello is the variable that receives the parameter. The next step is to craft the value of hello so that it closes the var_dump call and then uses print_r for output.
First, close var_dump: `1);`
Second, build the print_r call: `print_r(file("./flag.php"));`
The final URL:
http://123.206.87.240:8003/index.php?hello=1);print_r(file("./flag.php")
The crafted URL makes eval run:
eval("var_dump(1);print_r(file("./flag.php")")
The contents of flag.php are output successfully.
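Why the request value becomes code, and the fix, as an added example that is not part of the original write-up. The challenge source is not shown on this page, so the `var_dump(...)` template and the function names are assumptions; the string is only built and inspected, never passed to eval.

```php
<?php
// Added example, not the challenge's code. The var_dump(...) template is an
// assumption reconstructed from the write-up; nothing here calls eval().

// Vulnerable pattern: request data is pasted into PHP source text.
function build_eval_source(string $hello): string
{
    return 'var_dump(' . $hello . ');';
}

// Count statement terminators with PHP's own tokenizer, so a ';' inside a
// string literal is not mistaken for a statement boundary.
function statement_count(string $source): int
{
    $count = 0;
    foreach (token_get_all('<?php ' . $source) as $token) {
        if ($token === ';') {
            $count++;
        }
    }
    return $count;
}

// Hardened pattern: the value stays data and is handed to var_dump directly.
function dump_as_data(string $hello): string
{
    ob_start();
    var_dump($hello);
    return trim(ob_get_clean());
}

// Constructed inputs; the second is the hello value from the write-up's URL.
$inputs = ['1', '1);print_r(file("./flag.php")', '"a;b"'];

foreach ($inputs as $hello) {
    $source = build_eval_source($hello);
    printf("%-45s statements=%d\n", $source, statement_count($source));
    printf("  as data: %s\n", dump_as_data($hello));
}
```

A statement count other than one means the input changed the structure of the code, which cannot happen when the value is passed as data.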
web2
This challenge is about brute-forcing the code.
web3
There is a problem with the source code
Knowledge base
PHP automatic global variables: **$GLOBALS** references all variables available in the global scope. It is a global associative array containing all variables; the variable names are the keys of the array.
Solution approach
The regular expression "/^\w+$/" is matched against the string. \w matches letters, digits and the underscore { a-z, A-Z, _, 0-9 }. If the string does not match, "args error!" is output.
The two `/` characters mark the beginning and end of the regular expression, `^` is the start anchor, `$` is the end anchor, and `+` means one or more `\w`.
In PHP, the value of a variable can be used as the name of another variable: $$args. Combine this with the first sentence: flag In the variable!
So construct the payload: URL?args=GLOBALS
This dumps all the variables, including the flag.
web4
Knowledge base
Modify the value of file by intercepting the request, so that files that should not be run get run.
This method can also be used to output sensitive configuration files directly, or to remotely include a shell (the target host needs to have allow_url_fopen turned on).
Solution approach
By constructing the following URL:
http://xxx.com/index.php?file=php://filter/read=convert.base64-encode/resource=xxx.php
you get the base64-encoded source of xxx.php; after base64 decoding you have the code of xxx.php.
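A hardened way to resolve the `file` parameter, as an added example rather than the challenge's code. The page names (`home`, `about`), the `pages/` directory and the function names are assumptions.

```php
<?php
// Added example: resolve a user-supplied page name without ever handing the
// raw value to include(). Page names and paths are assumed for illustration.

const PAGES = [
    'home'  => __DIR__ . '/pages/home.php',
    'about' => __DIR__ . '/pages/about.php',
];

// Returns the file to include, or null when the request must be rejected.
function resolve_page(string $file): ?string
{
    // Exact-match lookup: stream wrappers (php://, data://, http://) and
    // path traversal never reach the filesystem because they are not keys.
    return PAGES[$file] ?? null;
}

// Log-side check: flag values that look like a stream wrapper, so probing
// shows up in monitoring even though the lookup already blocks it.
function looks_like_wrapper(string $file): bool
{
    return preg_match('#^[a-z][a-z0-9+.\-]*://#i', $file) === 1;
}

// Constructed sample requests; the third is the value from the write-up's URL.
$samples = [
    'home',
    '../../etc/passwd',
    'php://filter/read=convert.base64-encode/resource=xxx.php',
];

foreach ($samples as $file) {
    $target = resolve_page($file);
    printf(
        "%-60s %-8s %s\n",
        $file,
        $target === null ? 'reject' : 'include',
        looks_like_wrapper($file) ? 'wrapper-probe' : '-'
    );
}
```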
web5
Knowledge base
Not difficult; reading the PHP is enough to understand it.
Solution approach
```php
$what=$_GET['what'];
echo $what;
if($what=='flag')
    echo 'flag{****}';
```
http://xxx.com/?what=flag
web6
Knowledge base
```php
$what=$_POST['what'];
echo $what;
if($what=='flag')
    echo 'flag{****}';
```
Solution approach
Obviously, this is a POST request.
web7
Knowledge base
> JavaScript is a scripting language for the web. It is widely used in web application development to add dynamic functionality to web pages and give users a smoother, more attractive browsing experience. JavaScript scripts are usually embedded in HTML to do their work.
> jother is a different kind of JavaScript tool
> A pile of +! things: just decode it with jother
> You can open Google Chrome and press F12
> Then in the console, paste that pile of things to decode and press Enter to decode it
> Look at the source code more; I don't know what the hell this is
Copy it to the console
It shows "ctf{whatfk}"
Obtain the flag
web8
Knowledge base
```php
$num=$_GET['num']; // get the parameter via GET
if(!is_numeric($num)) // is_numeric() checks whether the value is a number or a numeric string
{
    echo $num;
    if($num==1) // contradiction: it must equal 1 and yet not be a number
        echo 'flag{**********}';
}
```
Solution approach
Construct num=1X, where X can be any letter or string. Construct the URL: http://xxx.com/get/index1.php?num=1xx
Obtain the flag
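The loose comparison from web8 next to a strict one, as an added example that is not the challenge's code; the function names are assumptions. On PHP 7 and earlier `"1xx" == 1` is true because the string is cast to the integer 1; PHP 8 compares a non-numeric string with an integer as strings, so the same expression is false there.

```php
<?php
// Added example, not the challenge's code.

// The check as written in web8: "not numeric" yet loosely equal to 1.
function loose_check(string $num): bool
{
    return !is_numeric($num) && $num == 1;
}

// Strict version: no type juggling, so the two conditions really do
// contradict each other and the branch can never be taken.
function strict_check(string $num): bool
{
    return !is_numeric($num) && $num === '1';
}

// Constructed inputs; "1xx" is the value used in the write-up's URL.
$inputs = ['1', '1xx', '1abc', 'abc'];

printf("PHP %s\n", PHP_VERSION);
foreach ($inputs as $num) {
    printf(
        "%-8s is_numeric=%-5s loose=%-5s strict=%s\n",
        var_export($num, true),
        var_export(is_numeric($num), true),
        var_export(loose_check($num), true),
        var_export(strict_check($num), true)
    );
}
```

Running it under PHP 7 and PHP 8 shows the `loose` column change for `1xx` and `1abc` while the `strict` column stays false on both.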
web9
Knowledge base
1
Solution approach
1
web10
Knowledge base
1
Solution approach
1
web11
Knowledge base
1
Solution approach
1
web12
Knowledge base
1
Solution approach
1
web13
Knowledge base
1
Solution approach
1
web14
Knowledge base
1
Solution approach
1
web15
Knowledge base
1
Solution approach
1
web16
Knowledge base
1
Solution approach
1