{"id":152,"date":"2026-05-19T18:18:58","date_gmt":"2026-05-19T10:18:58","guid":{"rendered":"https:\/\/asum1.fun\/?p=152"},"modified":"2026-05-21T19:32:43","modified_gmt":"2026-05-21T11:32:43","slug":"wustctf2020%e6%9c%b4%e5%ae%9e%e6%97%a0%e5%8d%8e","status":"publish","type":"post","link":"https:\/\/asum1.fun\/index.php\/2026\/05\/19\/wustctf2020%e6%9c%b4%e5%ae%9e%e6%97%a0%e5%8d%8e\/","title":{"rendered":"buuctf-[WUSTCTF2020]\u6734\u5b9e\u65e0\u534e"},"content":{"rendered":"\n

\u5148\u626b\u63cf<\/p>\n\n\n\n

\"\"<\/div><\/figure>\n\n\n\n

\u5728robots.txt\u91cc\u6709\u4e00\u4e2a\/fAke_flagggg.php\uff0c\u6253\u5f00\u540e\u5728look_at_me\u4e2d\u770b\u5230\/fl4g.php\u62ff\u5230\u6e90\u7801<\/p>\n\n\n\n

\"\"<\/div><\/figure>\n\n\n\n

\u8fd9\u91cc\u6587\u5b57\u770b\u4e0d\u61c2\u662f\u56e0\u4e3a\u6587\u5b57\u7684\u7f16\u7801\u65b9\u5f0f\u51fa\u4e86\u95ee\u9898\uff0c\u8fd9\u91cc\u5b89\u88c5\u4e00\u4e2aCharset\uff0c\u9009unicode\uff08utf-8\uff09\u5c31\u884c<\/p>\n\n\n\n

\"\"<\/div><\/figure>\n\n\n\n
<img src=\"\/img.jpg\">\n<?php\nheader('Content-type:text\/html;charset=utf-8');\nerror_reporting(0);\nhighlight_file(__file__);\n\n\n\/\/level 1\nif (isset($_GET['num'])){\n    $num = $_GET['num'];\n    if(intval($num) < 2020 && intval($num + 1) > 2021){\n        echo \"\u6211\u4e0d\u7ecf\u610f\u95f4\u770b\u4e86\u770b\u6211\u7684\u52b3\u529b\u58eb, \u4e0d\u662f\u60f3\u770b\u65f6\u95f4, \u53ea\u662f\u60f3\u4e0d\u7ecf\u610f\u95f4, \u8ba9\u4f60\u77e5\u9053\u6211\u8fc7\u5f97\u6bd4\u4f60\u597d.<\/br>\";\n    }else{\n        die(\"\u91d1\u94b1\u89e3\u51b3\u4e0d\u4e86\u7a77\u4eba\u7684\u672c\u8d28\u95ee\u9898\");\n    }\n}else{\n    die(\"\u53bb\u975e\u6d32\u5427\");\n}\n\/\/level 2\nif (isset($_GET['md5'])){\n   $md5=$_GET['md5'];\n   if ($md5==md5($md5))\n       echo \"\u60f3\u5230\u8fd9\u4e2aCTFer\u62ff\u5230flag\u540e, \u611f\u6fc0\u6d95\u96f6, \u8dd1\u53bb\u4e1c\u6f9c\u5cb8, \u627e\u4e00\u5bb6\u9910\u5385, \u628a\u53a8\u5e08\u8f70\u51fa\u53bb, \u81ea\u5df1\u7092\u4e24\u4e2a\u62ff\u624b\u5c0f\u83dc, \u5012\u4e00\u676f\u6563\u88c5\u767d\u9152, \u81f4\u5bcc\u6709\u9053, \u522b\u5b66\u5c0f\u66b4.<\/br>\";\n   else\n       die(\"\u6211\u8d76\u7d27\u558a\u6765\u6211\u7684\u9152\u8089\u670b\u53cb, \u4ed6\u6253\u4e86\u4e2a\u7535\u8bdd, \u628a\u4ed6\u4e00\u5bb6\u5b89\u6392\u5230\u4e86\u975e\u6d32\");\n}else{\n    die(\"\u53bb\u975e\u6d32\u5427\");\n}\n\n\/\/get flag\nif (isset($_GET['get_flag'])){\n    $get_flag = $_GET['get_flag'];\n    if(!strstr($get_flag,\" \")){\n        $get_flag = str_ireplace(\"cat\", \"wctf2020\", $get_flag);\n        echo \"\u60f3\u5230\u8fd9\u91cc, \u6211\u5145\u5b9e\u800c\u6b23\u6170, \u6709\u94b1\u4eba\u7684\u5feb\u4e50\u5f80\u5f80\u5c31\u662f\u8fd9\u4e48\u7684\u6734\u5b9e\u65e0\u534e, \u4e14\u67af\u71e5.<\/br>\";\n        system($get_flag);\n    }else{\n        die(\"\u5feb\u5230\u975e\u6d32\u4e86\");\n    }\n}else{\n    die(\"\u53bb\u975e\u6d32\u5427\");\n}\n?><\/code><\/pre>\n\n\n\n
\u8fd9\u91cclevel 1\u662f\u8003\u4e00\u4e2aintval()\u51fd\u6570\u7684\u7279\u6027\uff0cintval\u51fd\u6570\u4f1a\u622a\u81f3\u5728\u7b2c\u4e00\u4e2a\u975e\u6570\u5b57\u5b57\u7b26\uff0c\u6bd4\u5982\u4f1a\u628a2020.5\u6362\u62102025\uff0c\u4f1a\u628a12e4\u6362\u621012\uff0c\u4f46\u662f\u5982\u679c\u5185\u90e8\u6709\u8ba1\u7b97\u4f1a\u4f18\u5148\u8ba1\u7b97\uff0c\u6bd4\u5982intval(12e4+1)=intval(120001)=120001\uff0c\u6240\u4ee5num=12e4\u53ef\u4ee5\u8fc7\u7b2c\u4e00\u5173\uff0c\u8fd8\u6709\u7b2c\u4e8c\u79cd\u65b9\u6cd5\u901a\u8fc716\u8fdb\u5236\u6765\u7ed5\u8fc7\uff0cintval(0x7E5)=0<2020\uff0cintval(0x7E5+1)=intval(2022)=2022>2021\uff0cnum2=0x7E5<\/p>\n\n\n\n
level 2\u8003\u7684\u662fmd5\u540e\u7684\u5f31\u6bd4\u8f83\uff0c\u6bd4\u8f83\u597d\u60f3\u7684\u5c31\u662f\u4e24\u4e2a0eXXXX\uff0c\u7f51\u4e0a\u641c\u4e00\u4e0b\u5c31\u627e\u5230\u4e860e215962017<\/p>\n\n\n\n
lexel 3\u662f\u8981\u7ed5\u8fc7cat\u548c\u7a7a\u683c\uff0c\u8fd9\u91cc\u8d34\u4e00\u4e9b\u65b9\u6cd5<\/p>\n\n\n\n
\u4ee3\u66ffcat:\u00a0more\u3001less\u3001head\u3001tail\u3001sort\u3001ca\\t\uff08\u8fd9\u91ccless\u4e0d\u884c\uff09
\u4ee3\u66ff\u7a7a\u683c\uff1a$IFS\u3001${IFS}\u3001$IFS$1\u3001$IFS$9<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u5148ls\u67e5\u770b\u76ee\u5f55\uff0c\u7136\u540e\u6253\u5f00fllllllllllllllllllllllllllllllllllllllllaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaag<\/p>\n\n\n\n
payload:\/fl4g.php?num=0x7E5&md5=0e215962017&get_flag=ca\\t$IFS.\/fllllllllllllllllllllllllllllllllllllllllaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaag<\/code><\/p>\n\n\n\n
<\/p>\n","protected":false},"excerpt":{"rendered":"
\u5148\u626b\u63cf \u5728robots.txt\u91cc\u6709\u4e00\u4e2a\/fAke_flagggg.php\uff0c\u6253\u5f00\u540e\u5728look_at_me\u4e2d\u770b\u5230\/ […]<\/p>\n","protected":false},"author":1,"featured_media":182,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-152","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-learn"],"_links":{"self":[{"href":"https:\/\/asum1.fun\/index.php\/wp-json\/wp\/v2\/posts\/152","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/asum1.fun\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/asum1.fun\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/asum1.fun\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/asum1.fun\/index.php\/wp-json\/wp\/v2\/comments?post=152"}],"version-history":[{"count":2,"href":"https:\/\/asum1.fun\/index.php\/wp-json\/wp\/v2\/posts\/152\/revisions"}],"predecessor-version":[{"id":158,"href":"https:\/\/asum1.fun\/index.php\/wp-json\/wp\/v2\/posts\/152\/revisions\/158"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/asum1.fun\/index.php\/wp-json\/wp\/v2\/media\/182"}],"wp:attachment":[{"href":"https:\/\/asum1.fun\/index.php\/wp-json\/wp\/v2\/media?parent=152"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/asum1.fun\/index.php\/wp-json\/wp\/v2\/categories?post=152"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/asum1.fun\/index.php\/wp-json\/wp\/v2\/tags?post=152"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}