NSSCTF Web write-ups (1)

Table of contents

1. [LitCTF 2023] PHP is the best language in the world!!

2. [LitCTF 2023] Ping

3. [SWPUCTF 2021 Freshman Competition] easyupload1.0

4. [SWPUCTF 2021 Freshman Competition] easyupload2.0

5. [SWPUCTF 2021 Freshman Competition] caidao


1. [LitCTF 2023] PHP is the best language in the world!!

Knowledge points: PHP, command execution

Problem:

 1. The challenge hints that the flag is in the root (/) directory. Since the challenge requires PHP, the payload is a PHP snippet that runs a shell command through system() to read it:

<?php system('cat /flag')?>

 Executing it prints the flag. (The semicolon after system() can be omitted because the statement is immediately followed by the closing ?> tag.)


2. [LitCTF 2023] Ping

Knowledge points: command execution, bypassing front-end restrictions, intercepting and modifying requests with Burp Suite

Approach:

 Pinging the local address works; as soon as a command such as ls is appended, the input is rejected as filtered.

1. Viewing the page source shows that the check is implemented in the front-end JavaScript only. A check that runs in the browser can be skipped entirely, and the back end executes whatever it receives.

 2. Intercept the request with Burp and edit the parameter to bypass the front-end check.

Send the captured request to Repeater and modify the command. First use ls to list the current directory (not shown), then ls / to locate the flag file in the root (/) directory, then read it.
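The weakness behind this challenge is a ping handler that validates the target only in the browser and then pastes it into a shell command line. The following is an added example (my code, not the challenge's source): a Python stand-in for the back end, with the vulnerable version next to a hardened one. It substitutes `echo` for `ping -c 1` so it runs offline, and the function names and the hostname regex are my own.

```python
import ipaddress
import re
import subprocess

# Stand-in for the challenge's ping command. "echo" replaces "ping -c 1" so the
# example runs offline; the injection works exactly the same way with ping.
PING_CMD = "echo pinging"


def vulnerable_ping(host: str) -> str:
    """Back end that trusts the front-end check: the raw parameter is pasted into a
    shell command line, so ';', '|', '&&', '$(...)' and backticks all smuggle in a
    second command. The browser-side filter never runs for a request replayed
    from Burp Repeater."""
    result = subprocess.run(PING_CMD + " " + host, shell=True,
                            capture_output=True, text=True)
    return result.stdout


# RFC 1123-style hostname: labels of letters, digits and hyphens joined by dots.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)


def validate_target(host: str) -> str:
    """Server-side allowlist: accept a literal IPv4/IPv6 address or a plain
    hostname and reject everything else, which excludes every shell metacharacter."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        pass
    if HOSTNAME_RE.match(host):
        return host
    raise ValueError(f"rejected ping target: {host!r}")


def safe_ping(host: str) -> str:
    """Hardened back end: validate on the server, then pass the target as its own
    argv element with shell=False so it can never be parsed as shell syntax."""
    target = validate_target(host)
    result = subprocess.run(PING_CMD.split() + [target], shell=False,
                            capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    payload = "127.0.0.1; ls /"          # the kind of bypass used in the write-up
    print(vulnerable_ping(payload))      # the "ping" runs, then ls / runs too
    try:
        safe_ping(payload)
    except ValueError as exc:
        print(exc)
```

The point of the hardened version is not the regex: even a weak validator becomes much harder to exploit once the target is passed as an argv element instead of being interpreted by a shell.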


3. [SWPUCTF 2021 Freshman Competition] easyupload1.0

Knowledge points: file upload, bypassing front-end restrictions

Approach:

 1. Uploading a PHP file fails: the file size and the extension are restricted, and it is not yet clear whether the server checks anything. Write a one-line PHP webshell (a "one-sentence Trojan"), rename it to .jpg, intercept the upload with Burp and change the filename back to .php. The upload succeeds, which shows that the restriction lives only in the client-side code and the server does not check at all.

 2. Connect to the uploaded shell with AntSword and look for the flag file.

 3. The flag found this way turns out to be wrong. Other write-ups reveal that the real flag is hidden in the phpinfo() output.

Restructure the payload: <?php phpinfo();?>

Re-upload the file, open it in the browser, press Ctrl+F and search for "flag" in the phpinfo page to find it.


4. [SWPUCTF 2021 Freshman Competition] easyupload2.0

Knowledge points: file upload, bypassing server-side restrictions

Approach:

This challenge is an upgraded version of the previous one: the check is enforced on the server as well as in the client.

The approach is the same as before; the question is how to get past the server-side check.

 1. Write a PHP file, rename it to .jpg, and intercept the upload with Burp.

 This time changing the extension back to .php is rejected, so the server checks the extension itself.

2. There are several ways past a server-side extension check; the simplest is to try alternative extensions.

.php, .php3, .php4, .php5, .pht and .phtml are all commonly mapped to the PHP handler. A blacklist that names only some of them is bypassed by the others, so try each in turn. Which of them actually execute depends on the server's handler configuration (for Apache, the file-match rule in the PHP module's config), so every candidate has to be confirmed by requesting the uploaded file.

 .phtml gets past the check.

 When the uploaded file is requested, its content is parsed as PHP.

3. Open the uploaded file, press Ctrl+F and search for "flag" in the phpinfo output to get the flag.
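The difference between easyupload1.0 and 2.0 is where the extension check lives and how it is written. The following added example (my code, not the challenge's source) models both in Python: a blacklist of the kind the write-up bypasses with .phtml, beside an allowlist check that also verifies the file's magic bytes and discards the client-supplied filename. The BLACKLIST and PHP_PARSED sets are constructed to match the behaviour described above, not taken from the challenge.

```python
import os
import secrets

# Constructed to match the write-up: the server refuses a few PHP extensions,
# while the PHP handler on that server still parses .pht/.phtml.
BLACKLIST = {".php", ".php3", ".php4", ".php5"}
PHP_PARSED = {".php", ".php3", ".php4", ".php5", ".pht", ".phtml"}


def blacklist_allows(filename: str) -> bool:
    """easyupload2.0-style check: refuse a fixed list of extensions.
    Whatever the list forgets goes through, and the handler executes it anyway."""
    ext = os.path.splitext(filename)[1].lower()
    return ext not in BLACKLIST


def executes_as_php(filename: str) -> bool:
    """Whether the web server would hand this file to the PHP interpreter
    (configuration dependent; this mirrors the server in the write-up)."""
    return os.path.splitext(filename)[1].lower() in PHP_PARSED


# Allowlisted extensions with the magic bytes each file must start with.
ALLOWED_TYPES = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".gif": b"GIF8",
}


def safe_stored_name(filename: str, content: bytes) -> str:
    """Hardened check: allowlist the extension, require the content to match it,
    and store under a random server-chosen name so the uploaded name never reaches
    a path or URL. Trailing dots and spaces are stripped first so that
    'shell.php.' is not misread as 'not .php'."""
    base = os.path.basename(filename).rstrip(". ")
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_TYPES:
        raise ValueError(f"extension not allowed: {ext!r}")
    if not content.startswith(ALLOWED_TYPES[ext]):
        raise ValueError("content does not match the declared image type")
    return secrets.token_hex(16) + ext


if __name__ == "__main__":
    for name in ("shell.php", "shell.phtml", "shell.jpg"):
        print(name, "blacklist allows:", blacklist_allows(name),
              "executes as PHP:", executes_as_php(name))
    print(safe_stored_name("photo.JPG", b"\xff\xd8\xff\xe0" + b"\x00" * 16))
```

The magic-byte check stops a bare `<?php ... ?>` file, but not a valid JPEG with PHP appended after the image data. What closes the hole is the combination: allowlisted extension, random server-chosen name, and an upload directory that the web server never hands to the PHP interpreter.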


5. [SWPUCTF 2021 Freshman Competition] caidao

Knowledge points: using webshell management tools such as China Chopper (caidao) and AntSword

Approach:

1. The challenge gives the password of a one-line webshell: wllm. Connect to it with China Chopper.

 Enter the challenge URL and the password.

2. The connection succeeds and the flag is found in the root directory.
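The shells uploaded in problem 3 and connected to in problem 5, and the traffic that tools like China Chopper and AntSword generate, leave recognisable patterns. This added example (my code, not from the write-up) shows the detection side: a scanner for uploaded file contents and for POST bodies, run over constructed samples that include the payloads from this page. The regexes are heuristics, and the sample request body is constructed to resemble Chopper's default PHP stub rather than captured from a real session.

```python
import re
from urllib.parse import parse_qs

# Constructed samples: the payloads this write-up uses plus two benign files.
SAMPLE_FILES = {
    "one_liner": b"<?php @eval($_POST['wllm']);?>",
    "assert_shell": b'<?php assert($_REQUEST["x"]);?>',
    "system_cat": b"<?php system('cat /flag')?>",
    "phpinfo_probe": b"<?php phpinfo();?>",
    "real_jpeg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    "benign_php": b"<?php echo htmlspecialchars($_GET['name']); ?>",
}

PHP_OPEN = re.compile(rb"<\?(?:php\b|=)", re.I)
EVAL_SINK = re.compile(rb"\b(?:eval|assert|create_function)\s*\(", re.I)
EXEC_SINK = re.compile(rb"\b(?:system|exec|shell_exec|passthru|popen|proc_open)\s*\(", re.I)
REQUEST_INPUT = re.compile(rb"\$_(?:POST|GET|REQUEST|COOKIE)\s*\[", re.I)
PHPINFO = re.compile(rb"\bphpinfo\s*\(", re.I)


def classify_upload(content: bytes) -> list[str]:
    """Flag uploaded content that contains PHP and dangerous sinks.
    Returns an empty list for content without a PHP open tag."""
    findings = []
    if not PHP_OPEN.search(content):
        return findings
    if EVAL_SINK.search(content) and REQUEST_INPUT.search(content):
        findings.append("one-line webshell: code sink fed by request parameter")
    if EXEC_SINK.search(content):
        findings.append("OS command execution function")
    if PHPINFO.search(content):
        findings.append("phpinfo() disclosure")
    return findings


# A form parameter whose VALUE is PHP code. Normal form fields never look like this.
CHOPPER_STUB = re.compile(r"@?\b(?:eval|assert)\s*\(|base64_decode\s*\(|@ini_set\s*\(")


def chopper_like_post(body: str) -> bool:
    """Heuristic for Chopper/AntSword-style traffic: the shell password is the
    parameter name and the parameter value is the PHP stub to execute."""
    params = parse_qs(body, keep_blank_values=True)
    return any(CHOPPER_STUB.search(v) for values in params.values() for v in values)


if __name__ == "__main__":
    for name, data in SAMPLE_FILES.items():
        print(f"{name:14} {classify_upload(data)}")
    # Constructed body: wllm=@eval(base64_decode($_POST[z0]));&z0=<base64>
    body = "wllm=%40eval%28base64_decode%28%24_POST%5Bz0%5D%29%29%3B&z0=ZWNobyAxOw%3D%3D"
    print("chopper-like:", chopper_like_post(body))
```

On the network side the parameter name is the shell password (wllm here), so a signature on the name alone is useless; matching PHP syntax inside a parameter value generalises across passwords.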


That is all for this post; corrections and criticism are welcome!


Source: blog.csdn.net/weixin_54055099/article/details/132495174