CTF
SignIn 源码:
<?php
/**
 * Records the client address in the n1ip table.
 *
 * NOTE(review): this is the challenge source as reproduced in the write-up.
 * The waf() body, the database password and the key literal appear masked or
 * elided in the listing, so the comments below describe only what is visible.
 */
class ip {
    public $ip;

    /**
     * Filter applied to the X-Forwarded-For value before it is used.
     *
     * The body is empty in this listing (presumably elided by the author);
     * as shown it returns null. Whether the real challenge filters anything
     * cannot be told from here.
     */
    public function waf($info){
    }

    /**
     * Chooses the address: the X-Forwarded-For header (passed through waf())
     * when present, otherwise REMOTE_ADDR.
     *
     * X-Forwarded-For is a request header and therefore client-supplied;
     * REMOTE_ADDR is the only one of the two set by the server itself.
     */
    public function __construct() {
        if(isset($_SERVER['HTTP_X_FORWARDED_FOR'])){
            $this->ip = $this->waf($_SERVER['HTTP_X_FORWARDED_FOR']);
        }else{
            $this->ip =$_SERVER["REMOTE_ADDR"];
        }
    }

    /**
     * Runs whenever the object is converted to a string: inserts a row into
     * n1ip and returns either the MySQL error text or a fixed success message.
     *
     * Review points:
     *  - the connection is opened as the MySQL root account;
     *  - the header is read again here (not $this->ip) and without an isset()
     *    check, then placed into the SQL text with sprintf(), so the statement
     *    is only as safe as waf(); a prepared statement (mysqli_prepare() with
     *    bound parameters) would keep the value out of the SQL text;
     *  - on failure the raw mysqli_error() string is returned to the caller,
     *    which exposes database error details;
     *  - mysqli_close() is unreachable because both branches return first.
     */
    public function __toString(){
        $con=mysqli_connect("localhost","root","********","n1ctf_websign");
        $sqlquery=sprintf("INSERT into n1ip(`ip`,`time`) VALUES ('%s','%s')",$this->waf($_SERVER['HTTP_X_FORWARDED_FOR']),time());
        if(!mysqli_query($con,$sqlquery)){
            return mysqli_error($con);
        }else{
            return "your ip looks ok!";
        }
        mysqli_close($con);
    }
}

/**
 * Holds an address and a check value; prints /flag when the check value
 * hashes to the same MD5 as the (masked) key literal.
 */
class flag {
    public $ip;
    public $check;

    /** Stores the given value in $ip. Not run when the object comes from unserialize(). */
    public function __construct($ip) {
        $this->ip = $ip;
    }

    /**
     * Outputs /flag with readfile() when md5($this->check) equals the MD5 of
     * the key literal, then returns $this->ip in every case.
     */
    public function getflag(){
        if(md5($this->check)===md5("key****************")){
            readfile('/flag');
        }
        return $this->ip;
    }

    /**
     * Runs after unserialize() restores the object and overwrites $ip with one
     * of two fixed strings, depending on whether it contains "n1ctf"
     * (case-insensitive).
     *
     * stristr() treats $this->ip as a string. The property is public and
     * untyped, so after unserialize() it is not guaranteed to be a string;
     * a value of another type is string-converted at this point.
     */
    public function __wakeup(){
        if(stristr($this->ip, "n1ctf")!==False)
            $this->ip = "welcome to n1ctf2020";
        else
            $this->ip = "noip";
    }

    /** Echoes the result of getflag() when the object is destroyed. */
    public function __destruct() {
        echo $this->getflag();
    }
}

// Entry point: the raw `input` query parameter is handed to unserialize() and
// the result is not stored. Deserialising request data lets the caller decide
// which of the classes above is instantiated and what its public properties
// hold, and the magic methods (__wakeup, __destruct) then run on those objects.
// Safer designs decode with json_decode(), or call unserialize() with
// ['allowed_classes' => false] so no class from this file is instantiated.
if(isset($_GET['input'])){
    $input = $_GET['input'];
    unserialize($input);
}

先看一下整体,ip类存在一个变量赋值和数据库插入;flag类能够读取flag,但是需要check值。真実はいつもひとつ,check需要SQL注入得到,注入类型:insert注入,而实现注入需要我们插入构造的SQL语句,看向ip类的变量赋值过程:
CTF
解题过程 看到题目关键字shop,怀疑需要抓包修改money进行购买,而金额一般通过加密隐藏在cookie字段中,接下来就着重观察cookie字段。