1.签到
2.find_it
签到
附件的文件名为EBCDIC.zip、
联想到EBCDIC编码
拖入010editor选择EBCDIC编码
flag出来了
find_it
扫描后台扫到了robots.txt
访问
存在1ndexx.php
访问是空白页
猜测可能存在备份文件
一个个尝试,发现存在vim备份
访问url+.1ndexx.php.swp查看源代码
<?php $link = mysql_connect(‘localhost‘, ‘root‘); ?> <html> <head> <title>Hello worldd!</title> <style> body { background-color: white; text-align: center; padding: 50px; font-family: "Open Sans","Helvetica Neue",Helvetica,Arial,sans-serif; } #logo { margin-bottom: 40px; } </style> </head> <body> <img id="logo" src="logo.png" /> <h1><?php echo "Hello My freind!"; ?></h1> <?php if($link) { ?> <h2>I Can‘t view my php files?!</h2> <?php } else { ?> <h2>MySQL Server version: <?php echo mysql_get_server_info(); ?></h2> <?php } ?> </body> </html> <?php #Really easy... $file=fopen("flag.php","r") or die("Unable 2 open!"); $I_know_you_wanna_but_i_will_not_give_you_hhh = fread($file,filesize("flag.php")); $hack=fopen("hack.php","w") or die("Unable 2 open"); $a=$_GET[‘code‘]; if(preg_match(‘/system|eval|exec|base|compress|chr|ord|str|replace|pack|assert|preg|replace|create|function|call|\~|\^|\`|flag|cat|tac|more|tail|echo|require|include|proc|open|read|shell|file|put|get|contents|dir|link|dl|var|dump/‘,$a)){ die("you die"); } if(strlen($a)>33){ die("nonono."); } fwrite($hack,$a); fwrite($hack,$I_know_you_wanna_but_i_will_not_give_you_hhh); fclose($file); fclose($hack); ?>
构造
/index.php?code=<?=phpinfo();?>
查看下
访问后台扫出来的hack.php
发现flag就藏在里面
原文:https://www.cnblogs.com/c0d1/p/14797099.html