Your mission is to exploit this code, which has obviously an LFI vulnerability:

GeSHi`ed PHP code
1

2

$filename = 'pages/'.(isset($_GET["file"])?$_GET["file"]:"welcome").'.html';

include $filename;

There is a lot of important stuff in ../solution.php, so please include and execute this file for us.

Here are a few examples of the script in action (in the box below):
index.php?file=welcome
index.php?file=news
index.php?file=forums

For debugging purposes, you may look at the whole source again, also as highlighted version.

解题:

  因为字符串后面加了个".html",完全不知道怎么处理,去搜了题解,发现可以用%00来截断,然后就试了下?file=../../solution.php%00,发现不存在这个文件,看了题解发现是?file=../../solution.php%00。。

WeChall_Training: PHP LFI (Exploit, PHP, Training)的更多相关文章

  1. WeChall_Training: Crypto - Caesar I (Crypto, Training)

    As on most challenge sites, there are some beginner cryptos, and often you get started with the good ...

  2. Wechall 部分WP

    前言: 开始打CTF,掌握一些新的姿势与知识. 这里我选择的平台是Wechall.这里从简单到难 WP部分: Training: Get SourcedAnswer: 查看网页源代码 Training ...

  3. 【HTB系列】Beep

    出品|MS08067实验室(www.ms08067.com) 这次挑战的是 HTB 的第5台靶机:Beep,评分很高,难度中等 靶机描述 Beep 运行了大量的服务,这对正确发掘入口点有一定的挑战,由 ...

  4. [WeChall] Training: MySQL I (MySQL, Exploit, Training)

    Training: MySQL I (MySQL, Exploit, Training) MySQL Authentication Bypass - The classic This one is t ...

  5. Training: MySQL I (MySQL, Exploit, Training)

    题目链接:http://www.wechall.net/challenge/training/mysql/auth_bypass1/index.php?highlight=christmas 的确是非 ...

  6. WeChall_Training: Programming 1 (Training, Coding)

    When you visit this link you receive a message.Submit the same message back to http://www.wechall.ne ...

  7. WeChall_Training: Get Sourced (Training)

    The solution is hidden in this page Use View Sourcecode to get it 解题: 网页源码,最后一行 <!-- You are look ...

  8. WeChall_Training: ASCII (Training, Encoding)

    In a computer, you can only work with numbers.In this challenge you have to decode the following mes ...

  9. WeChall_Training: Encodings I (Training, Encoding)

    We intercepted this message from one challenger to another, maybe you can find out what they were ta ...

随机推荐

  1. Python库的安装(Windows/Linux通用)

    pip安装 最简单的安装方式,自动下载并安装. pip:包管理工具 安装步骤 执行安装命令:pip install <package_name> wheel安装 在网速较差的情况下适用. ...

  2. 个人博客-vue-blog

    http://47.100.126.169/zmengBlog/

  3. Vim区块选择

    区块选择的按键意义: 区块选择的按键意义 v 字符选择,光标经过的地方反白 V 列选择,光标经过的列反白 [ctrl]+v 区块选择,可以用长方形的方式选择资料 d 将发白的地方删除掉 y 将反白的地 ...

  4. 开发STM32MP1,你需要一块好开发板

    STM32MP1系列的出现吸引了很多STM32的新老用户的关注,但是很多的人都会担心一个问题:以前是基于Cortex M系列MCU惊醒开发,对于cortex-A架构的处理器以及Linux系统都不熟悉. ...

  5. CS0656 缺少编译器要求的成员“Microsoft.CSharp.RuntimeBinder.CSharpArgumentInfo.Create”

    问题出现原因:在net core使用动态类型dynamic,在编译的时候提示错误信息如上. 解决方案: 1.不用dynamic类型 2.在使用的地方添加一个dll,Microsoft.CSharp,或 ...

  6. 设置Linux主机SSH访问服务

    检查是否开启22端口访问权限. 检查是否安装openssh-server 开启ssh服务:sudo service sshd start 使用ssh客户端进行访问:ssh userName@IP

  7. MySQL:如何查询出每个分组中的 top n 条记录?

    问题描述 需求: 查询出每月 order_amount(订单金额) 排行前3的记录. 例如对于2019-02,查询结果中就应该是这3条: 解决方法 MySQL 5.7 和 MySQL 8.0 有不同的 ...

  8. [bzoj4443] [loj#2006] [洛谷P4251] [Scoi2015]小凸玩矩阵

    Description 小凸和小方是好朋友,小方给小凸一个 \(N \times M\)( \(N \leq M\) )的矩阵 \(A\) ,要求小秃从其中选出 \(N\) 个数,其中任意两个数字不能 ...

  9. Processing 3!

    Welcome to Processing 3! Dan explains the new features and changes; the links Dan mentions are on th ...

  10. 使用静态URL片段 URL路由 精通ASP-NET-MVC-5-弗瑞曼