84,【8】BUUCTF WEB [羊城杯 2020]Blackcat
![84,【8】BUUCTF WEB [羊城杯 2020]Blackcat_第1张图片](http://img.e-com-net.com/image/info8/cf461ffd75204f888e6430b748ac53df.jpg)
进入靶场
![84,【8】BUUCTF WEB [羊城杯 2020]Blackcat_第2张图片](http://img.e-com-net.com/image/info8/42456729c6de49f8ad9dd0fa6074e304.jpg)
音乐硬控我3分钟
回去看源码
开始解题
运行得到04b13fc0dff07413856e54695eb6a763878cd1934c503784fe6e24b7e8cdb1b6PHP
运行得到afd556602cf62addfe4132a81b2d62b9db1b6719f83e16cce13f51960f56791b
最终组成payload:White-cat-monitor[]=1&Black-Cat-Sheriff=afd556602cf62addfe4132a81b2d62b9db1b6719f83e16cce13f51960f56791b&One-ear=;env
传post类型时可以用插件或BP
我用BP更方便一点
![84,【8】BUUCTF WEB [羊城杯 2020]Blackcat_第3张图片](http://img.e-com-net.com/image/info8/fbef024c4d814903b5053706c3b36b81.jpg)
flag{4117c718-7501-4c0c-827e-323a8d9ea551}
![84,【8】BUUCTF WEB [羊城杯 2020]Blackcat_第4张图片](http://img.e-com-net.com/image/info8/a93bf453a1854fffabca3663206e1457.jpg)