Your mission is to exploit this code, which has obviously an LFI vulnerability:

GeSHi`ed PHP code
1

2

$filename = 'pages/'.(isset($_GET["file"])?$_GET["file"]:"welcome").'.html';

include $filename;

There is a lot of important stuff in ../solution.php, so please include and execute this file for us.

Here are a few examples of the script in action (in the box below):
index.php?file=welcome
index.php?file=news
index.php?file=forums

For debugging purposes, you may look at the whole source again, also as highlighted version.

解题:

  因为字符串后面加了个".html",完全不知道怎么处理,去搜了题解,发现可以用%00来截断,然后就试了下?file=../../solution.php%00,发现不存在这个文件,看了题解发现是?file=../../solution.php%00。。

WeChall_Training: PHP LFI (Exploit, PHP, Training)的更多相关文章

  1. WeChall_Training: Crypto - Caesar I (Crypto, Training)

    As on most challenge sites, there are some beginner cryptos, and often you get started with the good ...

  2. Wechall 部分WP

    前言: 开始打CTF,掌握一些新的姿势与知识. 这里我选择的平台是Wechall.这里从简单到难 WP部分: Training: Get SourcedAnswer: 查看网页源代码 Training ...

  3. 【HTB系列】Beep

    出品|MS08067实验室(www.ms08067.com) 这次挑战的是 HTB 的第5台靶机:Beep,评分很高,难度中等 靶机描述 Beep 运行了大量的服务,这对正确发掘入口点有一定的挑战,由 ...

  4. [WeChall] Training: MySQL I (MySQL, Exploit, Training)

    Training: MySQL I (MySQL, Exploit, Training) MySQL Authentication Bypass - The classic This one is t ...

  5. Training: MySQL I (MySQL, Exploit, Training)

    题目链接:http://www.wechall.net/challenge/training/mysql/auth_bypass1/index.php?highlight=christmas 的确是非 ...

  6. WeChall_Training: Programming 1 (Training, Coding)

    When you visit this link you receive a message.Submit the same message back to http://www.wechall.ne ...

  7. WeChall_Training: Get Sourced (Training)

    The solution is hidden in this page Use View Sourcecode to get it 解题: 网页源码,最后一行 <!-- You are look ...

  8. WeChall_Training: ASCII (Training, Encoding)

    In a computer, you can only work with numbers.In this challenge you have to decode the following mes ...

  9. WeChall_Training: Encodings I (Training, Encoding)

    We intercepted this message from one challenger to another, maybe you can find out what they were ta ...

随机推荐

  1. VMware上安装Kali Linux 超详细教程

    一.下载镜像文件 下载好系统对应镜像文件  https://www.kali.org/downloads/ 二.创建新的虚拟机 1.创建新的虚拟机 我们使用自定义的配置方法. 2.添加镜像文件的路径 ...

  2. schedule of 2016-11-7~2016-11-10(Monday~Thursday)——1st semester of 2nd Grade

    most important things to do 1.joint phd preparations 2.journal paper to write 3.solid fundamental kn ...

  3. MVC 统一验证Token demo

    /// <summary> /// 获取token /// </summary> /// <param name="staffId"></ ...

  4. AES中ECB模式的加密与解密(Python3.7)

    本文主要解决的问题 本文主要是讲解AES加密算法中的ECB模式的加密解密的Python3.7实现.具体AES加密算法的原理这里不做过多介绍,想了解的可以参考文末的参考链接. 主要解决了两个问题: 在P ...

  5. springboot2 + grpc + k8s + istio

    项目情况说明: ubuntu - 16.04 springboot - 2.2.2.RELEASE mysql - 5.7 mongodb - 4.0.14 redis - 3.0.6 grpc -  ...

  6. AttributeError: 'list' object has no attribute 'sorted'

    效果图: 解决办法: 原因: AttributeError: 'list' object has no attribute 'sorted' 属性错误: list对象没有sorted属性方法. sor ...

  7. DP-Fibonacci

    善于发现 DP 中的 Fibonacci 我们在做 DP  题时  , 会发现有一些题 类似于找规律的题 ,观察测试样例 , 要对数据敏感 , 比如输入 2 输出 1 , 输入 3 就输出 2 …… ...

  8. DbCommand :执行超时已过期。完成操作之前已超时或服务器未响应。

    问题:“Timeout 时间已到.在操作完成之前超时时间已过或服务器未响应.”的解决方法 在一个链接数据库的时候,老是出现超时的错误:执行超时已过期.完成操作之前已超时或服务器未响应. 就是给这个链接 ...

  9. 史上最简单的vi教程,10分钟包教会

    从第一次接触vi/vim到现在已经十几年了,在这个过程中,来来回回,反反复复,学习vi很多次了. 虽然关于vi的使用,我还远未达到"专家"的水平,但对于vi的使用,我有话说. 1. ...

  10. Flsak学习笔记(1)

    Day 01 最近项目里要用python写后端,同学推荐了flask框架就来学一学.写这个博客的目的主要是记录一下自己学习的内容,有基础知识忘了不用一个个去百度,还有就是跟大家分享一下,有不是很容易理 ...