Your mission is to exploit this code, which has obviously an LFI vulnerability:

GeSHi`ed PHP code
1

2

$filename = 'pages/'.(isset($_GET["file"])?$_GET["file"]:"welcome").'.html';

include $filename;

There is a lot of important stuff in ../solution.php, so please include and execute this file for us.

Here are a few examples of the script in action (in the box below):
index.php?file=welcome
index.php?file=news
index.php?file=forums

For debugging purposes, you may look at the whole source again, also as highlighted version.

解题:

  因为字符串后面加了个".html",完全不知道怎么处理,去搜了题解,发现可以用%00来截断,然后就试了下?file=../../solution.php%00,发现不存在这个文件,看了题解发现是?file=../../solution.php%00。。

WeChall_Training: PHP LFI (Exploit, PHP, Training)的更多相关文章

  1. WeChall_Training: Crypto - Caesar I (Crypto, Training)

    As on most challenge sites, there are some beginner cryptos, and often you get started with the good ...

  2. Wechall 部分WP

    前言: 开始打CTF,掌握一些新的姿势与知识. 这里我选择的平台是Wechall.这里从简单到难 WP部分: Training: Get SourcedAnswer: 查看网页源代码 Training ...

  3. 【HTB系列】Beep

    出品|MS08067实验室(www.ms08067.com) 这次挑战的是 HTB 的第5台靶机:Beep,评分很高,难度中等 靶机描述 Beep 运行了大量的服务,这对正确发掘入口点有一定的挑战,由 ...

  4. [WeChall] Training: MySQL I (MySQL, Exploit, Training)

    Training: MySQL I (MySQL, Exploit, Training) MySQL Authentication Bypass - The classic This one is t ...

  5. Training: MySQL I (MySQL, Exploit, Training)

    题目链接:http://www.wechall.net/challenge/training/mysql/auth_bypass1/index.php?highlight=christmas 的确是非 ...

  6. WeChall_Training: Programming 1 (Training, Coding)

    When you visit this link you receive a message.Submit the same message back to http://www.wechall.ne ...

  7. WeChall_Training: Get Sourced (Training)

    The solution is hidden in this page Use View Sourcecode to get it 解题: 网页源码,最后一行 <!-- You are look ...

  8. WeChall_Training: ASCII (Training, Encoding)

    In a computer, you can only work with numbers.In this challenge you have to decode the following mes ...

  9. WeChall_Training: Encodings I (Training, Encoding)

    We intercepted this message from one challenger to another, maybe you can find out what they were ta ...

随机推荐

  1. mui选择器和软键盘冲突解决

    只需要让此节点失焦即可: onfocus="this.blur();"

  2. 客户端访问windows server2016 服务器共享 速度慢

    客户端(windows10)敲完地址后,要过很久才会谈出窗口.  所有的客户端都出现过此现象. 解决:关闭server的 Smb1.0

  3. [UWP]用画中画模式(CompactOverlay Mode)让用总在最前端显示

    1. 什么是,以及怎么用画中画 Windows 10 Creators Update以后UWP提供了一个新的视图模式CompactOverlay,中文翻译成 紧凑的覆盖层?反正大部分时间我们都会称它为 ...

  4. .net core2.2上传文件总结

    总结一下.net core的上传文件操作,这里主要分上传到本地的也就是MVC的,另一种是上传到WebAPi的. 一.Web端 1.新建一个.net core mvc项目 2.这里的版本是.net co ...

  5. webpack进阶用法你都get到了么?

    如何消除无用代码:打包自己的私有js库:实现代码分割和动态import提升初次加载速度:配置eslint规范团队代码规范:打包异常抓捕你都get到了么? 摇树优化:Tree Shaking webpa ...

  6. SuperSocket Code解析

    SuperSocket1.6Code解析 Normal Socket System.Net.Sockets.dll程序集中使用socket类: 服务器: 创建socket:_socket = new ...

  7. 关于idea修改当前使用的git账户的问题

    原文地址:https://www.cnblogs.com/xuxiaojian/p/8890656.html 1.问题描述: 由于前一段时间公司迁移git,就是将项目代码等迁移到另一个git服务器上, ...

  8. Java程序员学习Go语言—之一

    转载:https://www.luozhiyun.com/archives/206 GOPATH 工作空间 GOPATH简单理解成Go语言的工作目录,它的值是一个目录的路径,也可以是多个目录路径,每个 ...

  9. [ Python入门教程 ] Python中日期时间datetime模块使用实例

    Python中datetime模块提供强大易用的日期处理功能,用于记录程序操作或修改时间.时间计算.日志时间显示等功能.datatime模块重新封装了time模块,提供的类包括date.time.da ...

  10. 创建dynamics CRM client-side (六) - form & field notification

    form 和 field 的notification在开发当中会经常使用到 // Converting functions to Namespace Notation var Sdk = window ...