hhblog
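d3ctf writeup
easyweb (second-order injection): Looking at the controllers, there are only user.php and file.php. It is the CI framework plus Smarty templates, so my guess is that it may be template injection. Searching for Smarty's display() function shows that the display parameter in index of user.php is controllable //use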
2019-11-24
University Operations Competition (高校运维赛) writeup
misc: misc1: With the filter tcp.stream eq 7, shell.php executes cat flag|base64, and it also carries the encryption method for the echoed output L2Jpbi9zaA== Y2QgIi92YXIvd3d3L2h0bWwvdG1wIjtjYXQgZ
2019-11-21
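unctf writeup
unctf2019: Audit the best language in the world (code audit): Looking at the source, the files are as follows, and the flag is in flag.php. It is SeaCMS; this CMS calls eval when it parses templates, and a CVE was disclosed for it before. bbcode_parse.php common.php index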
2019-11-07
hack.lu
Car repair: a JS challenge; car.class.js defines the methods of the Car class, and util.js calls the functions //car.class.js class Car { constructor(type, model, color, pic, key
2019-11-07
roarctf writeup
Easy_calc (URL parsing) <?php error_reporting(0); if(!isset($_GET['num'])){ show_source(__FILE__); }else{ $str =
2019-10-25
Code-Breaking-Puzzles writeup
easy - function <?php $action = $_GET['action'] ?? ''; $arg = $_GET['arg'] ?? ''; if(preg_match('/^[a-z0-9_]*$/isD',
2019-10-11
bytectf writeup
boring code (regex bypass): in index.php // index.php <!-- flag in this file and code in /code --> // /code <?php function is_v
2019-09-07
suctf writeup
checkin (file upload, user.ini): upload a file <?php // error_reporting(0); $userdir = "uploads/" . md5($_SERVER["REMOTE_ADDR"]); if (!
2019-08-20