
打开界面以后,发现禁用了ctrl+u和查看源码, 
然后抓包或按 F12,看见提示了超链接 /js/1.js,访问试一下
base64 解码得到 NsScTf.php,访问
- // NsScTf.php as quoted in the writeup: a request-chosen callable is invoked after a character blocklist.
- error_reporting(0); // hides every error and warning, so a rejected or failed call gives no feedback
- //hint: what is the other request method that resembles GET?
- include("flag.php");
- class nss{
- // Static helper reachable by name through call_user_func() below.
- static function ctf(){
- include("./hint2.php");
- }
- }
- if(isset($_GET['p'])){
- // Blocklist on the letters n and c. The pattern has no /i modifier, so it is
- // case-sensitive, whereas PHP resolves class and function names case-insensitively;
- // a fixed allowlist of permitted callables is the check that would actually hold.
- if (preg_match("/n|c/m",$_GET['p'], $matches))
- die("no");
- call_user_func($_GET['p']); // invokes whatever callable the request names
- }else{
- highlight_file(__FILE__);
- }
我们的目的,就是通过 GET 传参 p,然后借助 call_user_func 调用 nss 类中的 ctf 静态方法
if (preg_match("/n|c/m",$_GET['p'], $matches))
就是禁用了字符 n 和 c,/m 表示多行模式;注意正则没有 /i 修饰符,所以是区分大小写的,
call_user_func($_GET['p']); 会调用 p 参数传入的函数名
这里普及一个知识点

可以通过 NSS::CTF 调用 nss 类中的 ctf 静态方法,PHP 中类名和方法名不区分大小写
所以我们可以用大写绕过这个过滤
看见提示然后查看源码,出flag
一开始只要用,.htaccess AddType application/x-httpd-php .jpg
然后更改 content-type的类型为:jpeg/image
然后上传一个.jpg文件木马就可以,禁了

用这个代替,可是连接上了蚁剑

flag为空
打开源码,访问超链接
- // Click handler on the first <button>: compares the base64 of the entered value against a
- // hard-coded constant. A client-side check like this is readable by anyone who opens the
- // script, so it reveals the expected answer rather than protecting it.
- document.getElementsByTagName("button")[0].addEventListener("click", ()=>{
- // NOTE(review): as listed, `flag` is reassigned to a plain string, so `flag.value` below is
- // undefined; the page's listing may have lost the original element lookup — verify.
- flag="33 43 43 13 44 21 54 34 45 21 24 33 14 21 31 11 22 12 54 44 11 35 13 34 14 15"
- // Loose == against a fixed base64 string; === would be the usual choice for string identity.
- if (btoa(flag.value) == 'dGFwY29kZQ==') {
- alert("you got hint!!!");
- } else {
- alert("fuck off !!");
- }
- })
发现如下源码,base64 解密得到 tapcode,百度后得知这是一种编码格式

得到 flag(解码工具:Tap Code | Boxentriq)
- // Three independent checks on request input, each setting a session flag on success.
- session_start();
- highlight_file(__FILE__);
- if(isset($_GET['num'])){
- // Length is measured on the raw string while the comparison is numeric, so a short
- // numeric string in exponent notation satisfies both; validate as an integer first
- // (e.g. filter_var() with FILTER_VALIDATE_INT) rather than comparing the raw string.
- if(strlen($_GET['num'])<=3&&$_GET['num']>999999999){
- echo ":D";
- $_SESSION['L1'] = 1;
- echo "=================";
- }else{
- echo ":C";
- }// num must be at most 3 characters yet greater than 999999999 — the float form 9e9 came to mind
- }
- if(isset($_GET['str'])){
- // Single-pass removal: stripping the token once is not idempotent, so a filter
- // that wants to exclude it should reject the input instead of deleting from it.
- $str = preg_replace('/NSSCTF/',"",$_GET['str']);
- if($str === "NSSCTF"){// still equals NSSCTF after the filter
- echo "wow";
- $_SESSION['L2'] = 1;// this is where the double-write bypass NSSNSSCTFCTF came to mind
- }else{
- echo $str; // reflects request input unescaped; in an HTML context this needs htmlspecialchars()
- }
- }
- if(isset($_POST['md5_1'])&&isset($_POST['md5_2'])){
- // Loose == between two hash strings; hashes should be compared with === (or hash_equals()).
- if($_POST['md5_1']!==$_POST['md5_2']&&md5($_POST['md5_1'])==md5($_POST['md5_2'])){
- echo "Nice!";
- if(isset($_POST['md5_1'])&&isset($_POST['md5_2'])){ // repeats the isset() guard already passed above
- if(is_string($_POST['md5_1'])&&is_string($_POST['md5_2'])){
- echo "yoxi!";
- $_SESSION['L3'] = 1;// md5 loose comparison, and both sides must be strings
- }else{
- echo "X(";
- }
- }
- }else{
- echo "G";
- echo $_POST['md5_1']."\n".$_POST['md5_2']; // echoes the raw POST values unescaped
- }
- }
-
-
- ?>

比赛结束后放出了源码,才恍然大悟:其实不难,只是需要自己反复实验
- // Two request paths: read back a file by name, or accept a small JPEG upload into a per-session directory.
- session_start();
- if(isset($_GET['filename'])){
- // Unrestricted read: any path the web server can open is echoed back. Constrain it to
- // the upload directory (realpath() plus a prefix check) or to an allowlist of names.
- echo file_get_contents($_GET['filename']);
- }
- else if(isset($_FILES['file']['name'])){
- $whtie_list = array("image/jpeg"); // allowlist of one MIME type (variable name misspelled in the original)
- // $_FILES[...]['type'] is the Content-Type the client sent in the multipart body; PHP does not
- // verify it, so this only confirms what the uploader claimed. Derive the type server-side
- // (e.g. the 'mime' entry returned by getimagesize()) instead.
- $filetype = $_FILES["file"]["type"];
- if(in_array($filetype,$whtie_list)){
- $img_info = @getimagesize($_FILES["file"]["tmp_name"]); // @ hides the warning for non-image content; false on failure
- if($img_info){
- // width/height from the image header
- if($img_info[0]<=20 && $img_info[1]<=20){
- if(!is_dir("upload/".session_id())){
- mkdir("upload/".session_id());
- }
- // The client-supplied filename is used verbatim, so both name and extension are under
- // the uploader's control; a server-generated name with a fixed extension avoids that.
- $save_path = "upload/".session_id()."/".$_FILES["file"]["name"];
- move_uploaded_file($_FILES["file"]["tmp_name"],$save_path);
- // The keyword scan runs after the file already sits at a web-reachable path, and a
- // substring blocklist does not enumerate every form PHP source can take. Storing uploads
- // outside the webroot, or serving the directory with script execution disabled, is the
- // control that does not depend on content inspection.
- $content = file_get_contents($save_path);
- if(preg_match("/php/i",$content)){
- sleep(5); // delays the response before removing the file
- @unlink($save_path);
- die("hacker!!!");
- }else{
- echo "upload success!! upload/your_sessionid/your_filename";
- }
- }else{
- die("image hight and width must less than 20");
- }
- }else{
- die("invalid file head");
- }
- }else{
- die("invalid file type!image/jpeg only!!");
- }
- }else{
- // NOTE(review): this echo is truncated in the page's listing (the <img> markup was stripped);
- // the default branch shows welcome.jpg inline as base64.
- echo '
base64_encode(file_get_contents("welcome.jpg")).'">'; - }
- ?>

提示我们文件头无效,
然后加上 GIF89a 文件头,又提示我们图像宽高必须小于 20

去掉文件头上传成功,然后写一句话木马
有延迟然后报错,估计是 php 关键字被过滤了
改用 php 短标签后上传成功,上传路径由 upload/sessionid/文件名 构成
获得flag
- // Fetches an image over HTTP from a fixed local base URL and echoes it inline as base64.
- class FileViewer{
- public $black_list = "flag"; // used as a case-insensitive regex against $path in loadfile()
- public $local = "http://127.0.0.1/"; // base URL prefixed to $path; re-pinned in __wakeup()
- public $path;
- // Any undefined method name on this object is routed to loadfile(); name and arguments are ignored.
- public function __call($f,$a){
- $this->loadfile();
- }
- // Fetches $local.$path, unless $path is an array or matches $black_list, in which case cheems.jpg is shown.
- public function loadfile(){
- if(!is_array($this->path)){
- if(preg_match("/".$this->black_list."/i",$this->path)){
- $file = $this->curl($this->local."cheems.jpg");
- }else{
- $file = $this->curl($this->local.$this->path);
- }
- }else{
- $file = $this->curl($this->local."cheems.jpg");
- }
- // NOTE(review): this echo is truncated in the page's listing (the <img> markup was stripped).
- echo '
base64_encode($file).'"/>'; - }
- // Plain GET of $path via cURL; returns the body, or false on failure (callers do not check for it).
- public function curl($path){
- $url = $path;
- $curl = curl_init();
- curl_setopt($curl, CURLOPT_URL, $url);
- curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1); // return the body as a string instead of printing it
- curl_setopt($curl, CURLOPT_HEADER, 0); // exclude response headers from the returned body
- $response = curl_exec($curl);
- curl_close($curl);
- return $response;
- }
- // Runs on unserialize(): re-pins $local to loopback. Only this one property is
- // re-validated; black_list and path keep whatever values they were deserialized with,
- // so this is partial validation rather than a full reset of the object's state.
- public function __wakeup(){
- $this->local = "http://127.0.0.1/";
- }
- }
- // Holds two externally supplied members and acts on them when the object is destroyed.
- class Backdoor{
- public $a; // object written to, then called, in __destruct()
- public $b; // name of the property written on $a
- public $superhacker = "hacker.jpg"; // value written into $a->{$b}
- // Writes $this->superhacker into the property of $i named by $j (dynamic property write).
- public function goodman($i,$j){
- $i->$j = $this->superhacker;
- }
- // Runs when the object is torn down (for an unserialized instance, once it goes out of scope):
- // assigns the property, then invokes c() on $a — which PHP routes to $a's __call handler when
- // $a defines one but has no method c. A destructor acting on externally supplied members like
- // this is exactly why request data must never reach unserialize().
- public function __destruct(){
- $this->goodman($this->a,$this->b);
- $this->a->c();
- }
- }
- // Request dispatch: show source, show an image by path, rebuild an object from path_info, or show the default image.
- if(isset($_GET['source'])){
- highlight_file(__FILE__);
- }else{
- if(isset($_GET['image_path'])){
- $path = $_GET['image_path']; //flag in /flag.php
- // The check is a blocklist of four wrapper prefixes, not an allowlist of files: any other
- // wrapper and every plain local path still reaches file_get_contents(). Resolving inside a
- // fixed image directory and comparing the realpath() prefix is the check that holds.
- if(is_string($path)&&!preg_match("/http:|gopher:|glob:|php:/i",$path)){
- // NOTE(review): this echo and the two below are truncated in the page's listing (the <img> markup was stripped).
- echo '
base64_encode(file_get_contents($path)).'"/>'; - }else{
- echo '
Seriously??
base64_encode(file_get_contents("cheems.jpg")).'"/>'; - }
-
- }else if(isset($_GET['path_info'])){
- $path_info = $_GET['path_info'];
- // unserialize() on request-controlled data lets the sender choose the class and every property of
- // the object that is created, and __wakeup()/__destruct() run as a consequence. Use json_decode()
- // for data, or at minimum unserialize($s, ['allowed_classes' => false]).
- $FV = unserialize(base64_decode($path_info));
- $FV->loadfile(); // called on whatever object was reconstructed
- }else{
- $path = "vergil.jpg";
- echo '
POWER!!
-
base64_encode(file_get_contents($path)).'"/>'; - }
- }
- ?>
呃呃呃还没弄懂,先欠着