Your mission is to exploit this code, which has obviously an LFI vulnerability:

GeSHi`ed PHP code
1

2

$filename = 'pages/'.(isset($_GET["file"])?$_GET["file"]:"welcome").'.html';

include $filename;

There is a lot of important stuff in ../solution.php, so please include and execute this file for us.

Here are a few examples of the script in action (in the box below):
index.php?file=welcome
index.php?file=news
index.php?file=forums

For debugging purposes, you may look at the whole source again, also as highlighted version.

解题:

  因为字符串后面加了个".html",完全不知道怎么处理,去搜了题解,发现可以用%00来截断,然后就试了下?file=../../solution.php%00,发现不存在这个文件,看了题解发现是?file=../../solution.php%00。。

WeChall_Training: PHP LFI (Exploit, PHP, Training)的更多相关文章

  1. WeChall_Training: Crypto - Caesar I (Crypto, Training)

    As on most challenge sites, there are some beginner cryptos, and often you get started with the good ...

  2. Wechall 部分WP

    前言: 开始打CTF,掌握一些新的姿势与知识. 这里我选择的平台是Wechall.这里从简单到难 WP部分: Training: Get SourcedAnswer: 查看网页源代码 Training ...

  3. 【HTB系列】Beep

    出品|MS08067实验室(www.ms08067.com) 这次挑战的是 HTB 的第5台靶机:Beep,评分很高,难度中等 靶机描述 Beep 运行了大量的服务,这对正确发掘入口点有一定的挑战,由 ...

  4. [WeChall] Training: MySQL I (MySQL, Exploit, Training)

    Training: MySQL I (MySQL, Exploit, Training) MySQL Authentication Bypass - The classic This one is t ...

  5. Training: MySQL I (MySQL, Exploit, Training)

    题目链接:http://www.wechall.net/challenge/training/mysql/auth_bypass1/index.php?highlight=christmas 的确是非 ...

  6. WeChall_Training: Programming 1 (Training, Coding)

    When you visit this link you receive a message.Submit the same message back to http://www.wechall.ne ...

  7. WeChall_Training: Get Sourced (Training)

    The solution is hidden in this page Use View Sourcecode to get it 解题: 网页源码,最后一行 <!-- You are look ...

  8. WeChall_Training: ASCII (Training, Encoding)

    In a computer, you can only work with numbers.In this challenge you have to decode the following mes ...

  9. WeChall_Training: Encodings I (Training, Encoding)

    We intercepted this message from one challenger to another, maybe you can find out what they were ta ...

随机推荐

  1. webpack4的配置你都掌握了么?

    webpack5都出了,webpack4的的基本配置,解析ES6,引入CSS,编译Less,设置image等等,你都会了么? ​解析ES6 了解Babel Babel是一个JavaScript编译器, ...

  2. Jenkins2构建pipeline流水线

    流水线有两种方式: 1.脚本式流水线 2.声明式流水线 构建流水线的简单示例: 脚本式流水线 node ('master'){ stage("Source"){ //从Git仓库中 ...

  3. 【转】Matlab多项式拟合

    转:https://blog.csdn.net/hwecc/article/details/80308397 例: x = [0.33, 1.12, 1.41, 1.71, 2.19] y = [0. ...

  4. css写斜角

    项目开发中遇到了这样的效果,百度了一波,可以使用css3的伪类实现: /*斜角公用*/1.外层的div加class='wrapper' 并需要设置相对定位 .wrapper:before { -moz ...

  5. extract函数的使用

    EXTRACT(field FROM source) extract函数从日期/时间数值里抽取子域,比如年.小时等. source必须是一个timestamp, time, interval类型的值表 ...

  6. 3maven常用命令和配置依赖

    依赖: 例:spring-context.jar 依赖 spring-aop.jar... A中的某些类 需要使用B中的某些类,则称为A依赖于B 在maven项目中,如果要使用 一个当时存在的Jar或 ...

  7. Inception V1、V2、V3和V4

    Inception模块分为V1.V2.V3和V4. V1(GoogLeNet)的介绍 论文:Going deeper with convolutions 论文链接:https://arxiv.org/ ...

  8. C++ string 常用函数

    C++ String常用函数 一,类型别名 size_type 无符号整型 iterator 迭代器类型 const_iterator 只读迭代器 reverse_iterator 逆序迭代器 con ...

  9. WiFi模块Demo(新手教程)图文详解模块使用教程

    本文出自APICloud官方论坛,感谢论坛版主 Mr.ZhouHeng 的分享. 第一步我们需要在开发控制台创建一个Native App应用以及添模块的准备工作: 按照下图步骤 输入完点创建完成之后 ...

  10. 一文搞定Spring Boot + Vue 项目在Linux Mysql环境的部署(强烈建议收藏)

    本文介绍Spring Boot.Vue .Vue Element编写的项目,在Linux下的部署,系统采用Mysql数据库.按照本文进行项目部署,不迷路. 1. 前言 典型的软件开发,经过" ...