New Year's Eve (除夕)
Weak-comparison bypass. Payload: ?year=2022.
Day 1 (初一)
U2FsdGVkX1+M7duRffUvQgJlESPf+OTV2i4TJpc9YybgZ9ONmPk/RJje
Obviously Rabbit at a glance; decrypt with key 2023.
Day 2 (初二)
Challenge description
Attachment contents:
Open the script and take a look.
Run it and see.
There are only two attachments, so the flag is probably in the script.
Day 3 (初三)
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2023-01-19 10:31:36
# @Last Modified by: h1xa
# @Last Modified time: 2023-01-19 13:11:08
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
error_reporting(0);
extract($_GET);
include "flag.php";
highlight_file(__FILE__);
$_=function($__,$___){
return $__==$___?$___:$__;
};
$$__($_($_GET{
$___
}[$____]{
$_____
}(),$flag));
Variable overwrite (extract($_GET) lets request parameters define variables).
Underscores are used as variable names, and the whole thing is so flashy that it is uncomfortable to read.
Tidied up a little:
$_=function($__,$___){return $__==$___?$___:$__;};
$$__($_($_GET{$___}[$____]{$_____}(),$flag));
This defines a function $_ that loosely compares its two arguments $__ and $___: if they are equal it returns $___, otherwise it returns $__.
($_($_GET{$___}[$____]{$_____}(),$flag));
Here the function is called with $_GET{$___}[$____]{$_____}() as the first argument, loosely compared against $flag.
So the idea is to make the loose comparison succeed, so that the function returns $flag, and then print it.
Set $__ to a, so $$__ is equivalent to $a; then set a to print_r, so $$__ is print_r.
Then the whole expression $$__($_($_GET{$___}[$____]{$_____}(),$flag)); is equivalent to print_r($flag).
// var_dump works too, but echo does not: echo is a language construct, not a function, so it cannot be called through a variable function with ().
Next, make the loose comparison succeed.
$_GET{$___}[$____]{$_____} is equivalent to $_GET[$___][$____][$_____],
i.e. a three-dimensional array.
We need a function that takes no arguments; the most common one is phpinfo().
Constructing x[b][c]=phpinfo&___=x&____=b&_____=c is equivalent to passing in phpinfo.
phpinfo() returns true, and true loosely compared with a non-empty string is true, which is why phpinfo is used.
Final payload:
?__=a&a=print_r&___=x&____=b&_____=c&x[b][c]=phpinfo
Day 4 (初四, reproduced after the event)
Traffic analysis: filter for HTTP streams.
Looking at the later streams, this should be blind-injection traffic.
import pyshark, re
from z3 import Ints, Solver, sat
from urllib.parse import unquote

# Load only the HTTP packets from the capture (pyshark needs tshark installed)
t1 = pyshark.FileCapture(r'misc.pcapng', display_filter='http')
cacheCharControl = {}
# Match the boolean blind-injection probe: ascii(substr(<flag query>, <pos>, 1))<<N>
searchChar = re.compile(r"1' and (ascii|ord)\(substr\(\(\(select concat_ws\(char\([0-9]+\), hackerHasNoFlag\) from flagInHere limit 0,1\)\), [0-9]+, 1\)\)<[0-9]+;--", re.IGNORECASE)
for first in t1:
    if hasattr(first, 'http'):
        # Response packets carry the URI of the request they answer
        if hasattr(first.http, 'response_for_uri'):
            requestURI = unquote(str(first.http.response_for_uri))
            if searchChar.search(requestURI) is not None:
                locationID = int(requestURI.split('limit 0,1)), ')[1].split(',')[0]) - 1  # 0-based character position
                biggerNum = int(requestURI.split(', 1))<')[1].split(';--')[0])             # bound N in "char < N"
                if locationID not in cacheCharControl:
                    cacheCharControl[locationID] = []
                # 'Hacker' in the response body means the condition was false, i.e. char >= N
                if 'Hacker' in str(getattr(first.http, 'file_data', '')):
                    cacheCharControl[locationID].append((biggerNum, False))
                else:
                    cacheCharControl[locationID].append((biggerNum, True))
t1.close()
x = Ints('x')[0]
flag = Solver()
# Solve each position's constraints separately and print the recovered character
for startID in range(len(cacheCharControl)):
    flag.push()
    for unit in cacheCharControl[startID]:
        if unit[1]:
            flag.add(x < unit[0])
        else:
            flag.add(x >= unit[0])
    if flag.check() == sat:
        print(chr(int(str(flag.model()[x]))), end='')
    flag.pop()
Not sure why, possibly a Python version issue: it did not run on Windows, but it ran on Kali.
Result:
Drop it into an online cracking site.
Day 5 (初五)
YDHML_QKA_PDK_HVD_NAHI_OQ_K_GR
At first I thought it was some alien code or something to do with The Three-Body Problem.
These are Cangjie input-method codes. Decode them with a lookup site, e.g. "Chinese character whose Cangjie code is YDHML" _ Cangjie code lookup _ 就要查 (quchacha.com).
NAHI is 兔 (rabbit), which this site cannot find, and that K also decodes wrongly, so switch to another site or just guess the flag.
ctfshow{新春快乐兔年大吉}