Essay category - CTFShow

Summary: It involves file inclusion. I wanna use the php:// protocol, but then I notice 'php' is filtered. Therefore, I prepare to use another method -- Log Penetra
posted @ 2021-08-24 22:57 _4_FUN
Summary: It requires us to decode this MD5 string. Just find an MD5-decoding website and decode it. The link to that website is: https://www.somd5.com/
posted @ 2021-08-23 12:28 _4_FUN
Summary: All the methods we used are invalid, and notice that ';' is not matched. But we still cannot use passthru() because '(' is filtered. It is a little bit co
posted @ 2021-08-22 16:19 _4_FUN
Summary: In 萌新web13, I introduced a new method to figure this kind of question out. And luckily, it still works here.
posted @ 2021-08-21 16:23 _4_FUN
Summary: We cannot even use ';' to execute the passthru() function. Excluding those PHP functions that we know can execute Linux commands, how do we do this? Actuall
posted @ 2021-08-20 21:02 _4_FUN
Summary: Although we can still use passthru() to execute commands, we cannot specify 'config.php' to be inspected. Even though we all know that the flag is
posted @ 2021-08-19 21:24 _4_FUN
Summary: Anyway, this regular expression constraint cannot stop us from penetrating. We just use the same payload as web10's.
posted @ 2021-08-18 19:53 _4_FUN
Summary: Compared with 萌新web10, the condition of the if() statement is inverted, which means we cannot use those three functions. To execute shell commands, we can
posted @ 2021-08-17 22:21 _4_FUN
Summary: Obviously, it's something about shell execution, and we can only use 'system', 'exec', 'highlight', those three functions, to execute Linux shell comman
posted @ 2021-08-16 18:20 _4_FUN
Summary: Nothing we could get, so we're gonna inspect the hint. According to the hint, it's easy to associate it with that prevailing meme -- remove everything and
posted @ 2021-08-15 20:27 _4_FUN
Summary: Unfortunately, the operator '~' which we always used is filtered. But we could still utilize BINARY to construct the payload we need.
posted @ 2021-08-14 17:30 _4_FUN
Summary: Well, maybe the operator '~' is rare or not used frequently, so it is still not filtered.
posted @ 2021-08-07 22:11 _4_FUN
Summary: Inspect whether the regular expression condition contains '~'; if not, go ahead with the previous payload '~~1000'.
posted @ 2021-08-05 21:42 _4_FUN
Summary: Luckily, the additional regular expression does not contain the prefix '~', so we could still exploit that payload '~~1000' to bypass the filter. Don
posted @ 2021-08-04 22:17 _4_FUN
Summary: Obviously, in comparison to 萌新web2, additional filter conditions are added here, so that the regular expression can match these: 'or', '-', '\', '*', '<',
posted @ 2021-08-03 17:58 _4_FUN
Summary: This is similar to 萌新web1, but the only difference between them is that the function preg_match() is added here, which uses a regular expression to filter 'or' a
posted @ 2021-08-02 12:35 _4_FUN
Summary: We notice that it's related to bypassing. The annotation below reminds us that the true id is 1000, so we need to bypass the function intval(). In order
posted @ 2021-08-01 19:39 _4_FUN