THUCTF problems to revisit (web)
Thanks a lot! (THU closed the challenge channel early)
Took a look at T1
1. What is $
```php
<?php
// error_reporting(1);

function autoload($class) {
    @include_once(__DIR__.'/'.strtolower(str_replace('\\', '/', $class)).'.php');
}
spl_autoload_register('autoload');

session_start();

if (!isset($_GET['action']) || ($_GET['action'] == 'login' && (!isset($_POST['cb_user']) || !isset($_POST['cb_pass'])))) die();
if ($_GET['action'] == 'login' && $_POST['cb_user'] == 'admin' && $_SERVER['REMOTE_ADDR'] != '127.0.0.1') die('access denied');

function require_admin() {
    if (!isset($_SESSION['admin']) || !$_SESSION['admin']) die('access denied');
}

switch ($_REQUEST['action']) {
    case 'login':
        if ($_POST['cb_user'] == 'admin' && !preg_match('/a/si', $_POST['cb_pass']) && md5($_POST['cb_pass']) == md5($_POST['cb_salt'].'a')) {
            $_SESSION['admin'] = true;
            die(lib\Flag::FLAG1);
        } else die('try harder');
        break;
    case 'save_item':
        require_admin();
        $item_name = $_POST['item']['name'];
        $item_uuid = $_POST['item']['uuid'];
        $item_content = $_POST['item']['content'];
        $item_filename = 'up/'.substr(md5($item_name),0,4).'.php';
        if (!preg_match('/^[a-zA-Z0-9]*$/', $item_name) || !preg_match('/^\S{8}-\S{27}$/', $item_uuid)) die('blanket and special characters is not allowed in item name or uuid is invalid');
        $db = new lib\DB();
        if ($db->query("INSERT INTO items (`name`, `uuid`, `filename`) VALUES ('$item_name', '$item_uuid', '$item_filename')")) {
            @file_put_contents($item_filename, $item_content);
            die('success');
        } else die('internal server error');
    case 'list_item':
        require_admin();
        $db = new lib\DB();
        $res = $db->query("SELECT * FROM items");
        if (!$res) die('error');
        while ($row = mysqli_fetch_assoc($res)) {
            echo '--- start '.$row['name'].' '.$row['uuid'].' ---<br/>';
            echo 'Content: '.file_get_contents($row['filename']).'<br/>';
            echo '--- end '.$row['name'].' '.$row['uuid'].' ---<br/><br/>';
        }
        break;
    default:
        die('unsupported action');
}
```
2. 结、枷锁 (Knot and Shackles)
```javascript
const express = require("express");
const bodyParser = require("body-parser");
const path = require("path");
const session = require("express-session");
const _ = require("lodash");

const app = express();
const PORT = process.env.PORT || 8000;
const flag1 = process.env.FLAG1 || "flag{fake_flag}";
process.env.FLAG1 = "redacted";

app.use(bodyParser.urlencoded({ extended: true }));
app.use(bodyParser.json());
app.use(
  session({
    secret: Math.random().toString(),
    resave: false,
    saveUninitialized: true,
  })
);
app.set("view engine", "ejs");

app.get("/", (req, res) => {
  res.render("index", { session: req.session });
});

app.get("/static", (req, res) => {
  res.sendFile(path.join(__dirname, "static", req.query.file));
});

app.get("/login", (req, res) => {
  res.render("login", { session: req.session });
});

app.post("/login", (req, res) => {
  if (
    typeof req.body.username === "undefined" ||
    typeof req.body.password === "undefined"
  ) {
    res.send("bad request");
    return;
  }
  const username = req.body.username;
  const password = req.body.password;
  if (
    req.ip !== "127.0.0.1" &&
    (username.length !== password.length ||
      username === password ||
      username[0] === password[0])
  ) {
    res.send("hacker!");
    return;
  }
  if (username == "admin" && password == "admin") {
    req.session.login = true;
    res.redirect("/dashboard");
  } else {
    res.send("failed");
  }
});

app.get("/logout", (req, res) => {
  req.session.login = false;
  res.redirect("/");
});

app.get("/dashboard", (req, res) => {
  if (req.session.login) {
    if (typeof req.session.bullshits === "undefined")
      req.session.bullshits = { 鲁迅: "我啥都说过" };
    res.render("dashboard", { session: req.session });
  } else {
    res.redirect("/login");
  }
});

app.post("/dashboard", (req, res) => {
  if (typeof req.session.bullshits === "undefined")
    req.session.bullshits = { 鲁迅: "我啥都说过" };
  _.merge(req.session.bullshits, req.body);
  res.send("success");
});

app.get("/flag", (req, res) => {
  if (req.session.i_can_get_flag) {
    res.send(flag1);
    // flag2 ??
  } else {
    res.send("try harder!");
  }
});

app.listen(PORT, "0.0.0.0", () => {
  console.log(`Server listening on port ${PORT}`);
});
```
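The `POST /dashboard` handler above deep-merges the parsed request body straight into session state. As an added example that is not part of the challenge or of this post, here is a merge that copies only own keys and refuses the prototype-related ones, with a small harness (`updateSession`, `demo` and both request bodies are hypothetical names and constructed inputs) that checks `Object.prototype` stays untouched:

```javascript
// Added example (not the challenge's code): a deep merge that never walks
// into prototype-related keys, so JSON merged into a session object cannot
// add properties to Object.prototype.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(value) {
  if (value === null || typeof value !== "object") return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Recursively copies own enumerable keys of source into target, skipping
// keys that could redirect the walk into a prototype chain.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hypothetical replacement for the body of the POST /dashboard handler.
function updateSession(session, body) {
  if (typeof session.bullshits === "undefined")
    session.bullshits = { 鲁迅: "我啥都说过" };
  safeMerge(session.bullshits, body);
  return session;
}

// Constructed request bodies: a normal update, and one whose keys point at the
// prototype chain. JSON.parse turns "__proto__" into an ordinary own key.
const benignBody = JSON.parse('{"张三": {"quote": "我也说过"}}');
const hostileBody = JSON.parse(
  '{"__proto__": {"polluted": true}, "constructor": {"prototype": {"polluted": true}}}'
);

function demo() {
  const session = {};
  updateSession(session, benignBody);
  updateSession(session, hostileBody);
  return {
    saved: session.bullshits["张三"].quote,
    prototypeClean: ({}).polluted === undefined && session.polluted === undefined,
  };
}
```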
I'll come back and look at these when I have time...
This article is from cnblogs, author: Alaso_shuang. Please cite the original link when reposting: https://www.cnblogs.com/Alaso687/p/17030682.html