红帽杯wp

1.签到

2.find_it

 

签到

附件的文件名为EBCDIC.zip、

联想到EBCDIC编码

拖入010editor选择EBCDIC编码

flag出来了

 

 

find_it

扫描后台扫到了robots.txt

访问

 

 

存在1ndexx.php

 访问是空白页

猜测可能存在备份文件

一个个尝试,发现存在vim备份

访问url+.1ndexx.php.swp查看源代码

<?php $link = mysql_connect('localhost', 'root'); ?>
<html>
<head>
    <title>Hello worldd!</title>
    <style>
    body {
        background-color: white;
        text-align: center;
        padding: 50px;
        font-family: "Open Sans","Helvetica Neue",Helvetica,Arial,sans-serif;
    }

    #logo {
        margin-bottom: 40px;
    }
    </style>
</head>
<body>
    <img id="logo" src="logo.png" />
    <h1><?php echo "Hello My freind!"; ?></h1>
    <?php if($link) { ?>
        <h2>I Can't view my php files?!</h2>
    <?php } else { ?>
        <h2>MySQL Server version: <?php echo mysql_get_server_info(); ?></h2>
    <?php } ?>
</body>
</html>
<?php

#Really easy...

$file=fopen("flag.php","r") or die("Unable 2 open!");

$I_know_you_wanna_but_i_will_not_give_you_hhh = fread($file,filesize("flag.php"));


$hack=fopen("hack.php","w") or die("Unable 2 open");

$a=$_GET['code'];

if(preg_match('/system|eval|exec|base|compress|chr|ord|str|replace|pack|assert|preg|replace|create|function|call|\~|\^|\`|flag|cat|tac|more|tail|echo|require|include|proc|open|read|shell|file|put|get|contents|dir|link|dl|var|dump/',$a)){
    die("you die");
}
if(strlen($a)>33){
    die("nonono.");
}
fwrite($hack,$a);
fwrite($hack,$I_know_you_wanna_but_i_will_not_give_you_hhh);

fclose($file);
fclose($hack);
?>

构造

/index.php?code=<?=phpinfo();?>

查看下

访问后台扫出来的hack.php

发现flag就藏在里面

 

posted @ 2021-05-21 19:02  c0d1  阅读(152)  评论(0)    收藏  举报