CTF
7536
16 minutes
Preface
I couldn't log in at all during the last few days... is this CAPTCHA even reasonable?
Web
easy_ssrf
```php
<?php
echo'<center><strong>welc0me to 2020UNCTF!!</strong></center>';
highlight_file(__FILE__);
$url = $_GET['url'];
if(preg_match('/unctf\.com/',$url)){
    if(!preg_match('/php|file|zip|bzip|zlib|base|data/i',$url)){
        $url=file_get_contents($url);
        echo($url);
    }else{
        echo('error!!');
    }
}else{
    echo("error");
}
?>
```
At first I thought the idea was to use a bypass trick to get a PHP pseudo-protocol (wrapper) with unctf.com nested inside it, but I couldn't bypass the filter and was stuck for a long time...
CTF
1276
3 minutes
Challenge description
hint1: Try to read the spider source code, maybe you can test it locally
hint2: How to attack distributed system and get rce on the spider node?
CTF
1567
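4 minutes
Solution walkthrough
The challenge opens with a login form, which shows a warning:
Note: You need to enable cookies to log in or switch languages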
CTF
1890
4 minutes
FlagShop
Press F12 to view the page source, which contains a piece of JS code:
```js
setInterval(function() {
    $.get("backend.php", {
        readfile: "data/FakeCTFer.txt"
    }, function(data, status) {
        $('#fake').html(data);
    });
    $.get("backend.php", {
        readfile: "data/RealCTFer.txt"
    }, function(data, status) {
        $('#real').html(data);
    });
}, 1000);
$('#real-sub').click(function() {
    $.get("backend.php", {
        writefile: "data/RealCTFer.txt",
        buffer: $('#real-text').val()+ "\n\n",
        offset: $('#real').html().length
    });
    $('#real-text').val("");
});
$('#fake-sub').click(function() {
    $.get("backend.php", {
        writefile: "data/FakeCTFer.txt",
        buffer: $('#fake-text').val() + "\n\n",
        offset: $('#fake').html().length
    });
    $('#fake-text').val("");
});
```
In short, the page reads and writes files by sending GET requests to the /backend.php route with a readfile or writefile parameter. This is an arbitrary file read vulnerability: readfile can be used to read the contents of backend.php itself:
CTF
924
2 minutes
SignIn
Source code:
```php
<?php
class ip {
    public $ip;
    public function waf($info){
    }
    public function __construct() {
        if(isset($_SERVER['HTTP_X_FORWARDED_FOR'])){
            $this->ip = $this->waf($_SERVER['HTTP_X_FORWARDED_FOR']);
        }else{
            $this->ip =$_SERVER["REMOTE_ADDR"];
        }
    }
    public function __toString(){
        $con=mysqli_connect("localhost","root","********","n1ctf_websign");
        $sqlquery=sprintf("INSERT into n1ip(`ip`,`time`) VALUES ('%s','%s')",$this->waf($_SERVER['HTTP_X_FORWARDED_FOR']),time());
        if(!mysqli_query($con,$sqlquery)){
            return mysqli_error($con);
        }else{
            return "your ip looks ok!";
        }
        mysqli_close($con);
    }
}

class flag {
    public $ip;
    public $check;
    public function __construct($ip) {
        $this->ip = $ip;
    }
    public function getflag(){
        if(md5($this->check)===md5("key****************")){
            readfile('/flag');
        }
        return $this->ip;
    }
    public function __wakeup(){
        if(stristr($this->ip, "n1ctf")!==False)
            $this->ip = "welcome to n1ctf2020";
        else
            $this->ip = "noip";
    }
    public function __destruct() {
        echo $this->getflag();
    }
}
if(isset($_GET['input'])){
    $input = $_GET['input'];
    unserialize($input);
}
```
Looking at the overall structure first: the ip class performs a variable assignment and a database insert; the flag class can read the flag, but it requires the check value. There is only ever one truth: check has to be obtained through SQL injection. The injection type is INSERT injection, and to carry it out we need to get our crafted SQL statement inserted, so look at the variable assignment process in the ip class: