<?php

$a = 1;

$b = 0;

while (1)

{

    $b = $a;

    $a = md5($a);

    if (substr($a, 0, 5)  == 'asuej')

    {

        echo $b;

        break;

    }

}

<?php

$res = FALSE;

if (isset($_GET['ip']) && $_GET['ip']) {

    $ip = $_GET['ip'];

    $m = [];

    if (!preg_match_all("/(\||&|;| |\/|cat|flag|ctfhub)/", $ip, $m)) {

        $cmd = "ping -c 4 {$ip}";

        exec($cmd, $res);

    } else {

        $res = $m;

    }

}

?>

<!DOCTYPE html>

<html>

<head>

    <title>命令注入-综合</title>

</head>

<body>

<h1>命令注入-综合</h1>

<form action="#" method="GET">

    <label for="ip">IP : </label><br>

    <input type="text" id="ip" name="ip">

    <input type="submit" value="Ping">

</form>

<hr>

<pre>

<?php

if ($res) {

    print_r($res);

}

?>

</pre>

<?php

show_source(__FILE__);

?>

</body>

</html>

<html>

<head>

    <title>上传</title>

</head>

<body>

<!-- ?file=flag.php-->

<form name="form" enctype="multipart/form-data" method="post" action="index.php">

<input type="file" name="file" id="file"></input>

<input type="submit" name="submit" value="上传">

</form>

</body>

</html>

<?php

$F = $_GET['file'];

include($F);

$error=$_FILES['file']['error'];

$tmpName=$_FILES['file']['tmp_name'];

$name=$_FILES['file']['name'];

$size=$_FILES['file']['size'];

$type=$_FILES['file']['type'];

$time=time();

try{

    $name1=substr($name,-4);

if(($name1!==".gif") and ($name1!==".jpg"))

{

    echo "<script language=javascript>alert('上传照片只能是JPG或者GIF！')</script>";

    die("错误");

}

if(mime_content_type($tmpName)!=="image/jpeg"&&mime_content_type($tmpName)!=="image/gif"&&mime_content_type($tmpName)!=="application/zip")

{

    echo mime_content_type($tmpName);

    echo "<script language=javascript>alert('上传照片只能是JPG或者GIF！');</script>";

    die("错误");

}

if(is_uploaded_file($tmpName)){

    $rootpath='uploads/'.$time.$name1;

    if(!move_uploaded_file($tmpName,$rootpath)){

    echo "<script language='JavaScript'>alert('文件移动失败!');</script>";

    die("错误");

    }

}

echo "图片ID：".$time.$name1;

}

catch(Exception $e)

{

    echo "ERROR";

}

?>

<?php

error_reporting(0);

Class HaHa

{

    private $date = ['hello' => 'welcome'];

    public function __construct($data)

    {

        $this->date = array_merge($this->date, $data);

        extract($this->date);

        $this->listdata("value=list module=$mod");

    }

    public function listdata($_params)

    {

        //var_dump($_params);

        $system =

            [

                'can' => 'oh',

                'you' => 'may',

                'give' => 'be',

                'me' => 'you',

                'a' => 'can',

                'value' => 'do',

                '?' => 'it'

            ];

        $_params = trim($_params);

        $params = explode(' ', $_params);

        if (in_array($params[0], ['list','fuck'])) {

            $params[0] = 'value='.$params[0];

        }

        foreach ($params as $t) {

            $var = substr($t, 0, strpos($t, '='));

            $val = substr($t, strpos($t, '=') + 1);

            if (!$var) {

                continue;

            }

            if (isset($system[$var])) {

                $system[$var] = $val;

            } else {

                $param[$var] = $val;

            }

        }

        switch ($system['value']) {

            case "fuck":

                echo $param['name'];

                call_user_func($param['name'],$param['youfindit']);

                break;

            case 'list':

                return json_encode($this->date);

        }

    }

}

highlight_file(__FILE__);

$HaHa = new HaHa($_POST);

<?php

highlight_file(__FILE__);

error_reporting(0);

$upload = 'upload/';

if (isset($_POST['file'])) {

    if (preg_match('/htaccess/is', $_POST['file'])) {

        die('?搁这儿干嘛呢？');

    }

    if (preg_match('#\w{2,}|[678]|<\?|/#', $_POST['content'])) {

        die('你这🐎保绿吗？？？');

    }

    file_put_contents($upload .  $_POST['file'], $_POST['content']);

}