【Web】记录Polar靶场<简朴>难度题一遍过(全)
目次swp
简朴rce
蜜雪冰城吉警店
召唤神龙
seek flag
jwt
login
iphone
浮生日记
$$
爆破
XFF
rce1
GET-POST
被黑掉的站
签到题
签到
session文件包罗
Don't touch me
robots
php very nice
ezupload
cookie欺骗
upload
干正则
cool
uploader
覆盖
PHP反序列化初试
机器人
明天XYCTF开始,今天干啥也不是,过过签到八股吧。
swp
https://img-blog.csdnimg.cn/direct/fe92753ed6b841fcaf6cae1230b8fb49.png
随手试试,直接访问到/.index.php.swp
https://img-blog.csdnimg.cn/direct/fb8ad1f496de4c4380593ae53999eaa2.png
最大回溯上限绕过preg_match
import requests
url = 'http://c7800bea-2a12-428d-b1d0-f2272162efa4.www.polarctf.com:8090/'
data = {
'xdmtql': 'sys nb'+'very' * 250000
}
r = requests.post(url=url, data=data).text
print(r) 运行脚本拿到flag
https://img-blog.csdnimg.cn/direct/5a3aa75b22f54220b300e2e5d67e9294.png
简朴rce
https://img-blog.csdnimg.cn/direct/dcd6188043504190b392209d2419085b.png
过滤了空格,可以联想到用include直接包罗/flag
https://img-blog.csdnimg.cn/direct/8907b871f888425483b8cf9d3e366372.png
蜜雪冰城吉警店
https://img-blog.csdnimg.cn/direct/1c35ed990aa24a718f3402bda0d72759.png
8个奶茶,要找第9个
js有点难审&调试比较牛马,下断一直不中,直接结果论吧,改id为9
https://img-blog.csdnimg.cn/direct/26f84aad55ce4df0bca8806b3b48f29d.png
改前端,点单乐成
https://img-blog.csdnimg.cn/direct/4043bda6c0b249c19757c7d72d36813b.png
召唤神龙
进来是一个js小游戏,但没有胜利条件啥的,js关键词搜不出什么头绪
在main.js中看到一段很耀眼的jsfuck
https://img-blog.csdnimg.cn/direct/2a395f3716614c4bae820e56405f9bdf.png
JSFuck 是一种 JavaScript 的混淆技术,它可以将 JavaScript 代码转换成仅由六个字符构成的代码,即 []()!+。这种技术基于 JavaScript 语言的强大特性,尤其是逼迫范例转换和 JavaScript 中的一些奇技淫巧。
CTF在线工具-在线JSfuck加密|在线JSfuck解密|JSfuck|JSfuck原理|JSfuck算法
乐成解码拿到flag
https://img-blog.csdnimg.cn/direct/5fe4184e6cf846eab21156952edd8d05.png
seek flag
访问/robots.txt拿到第三段flag
https://img-blog.csdnimg.cn/direct/4596cf78b80b4114bd0a81aa3f65602f.png
抓包,在响应头处拿到flag2
https://img-blog.csdnimg.cn/direct/ff5a0772d6a0490db67fd890af545c89.png
留意到响应头setcookie,让id=0
本着叛逆的原则,我们可以修改cookie让id为1,乐成拿到flag1
https://img-blog.csdnimg.cn/direct/74ed14e6f29344e3a75d85923cff4cb8.png
jwt
https://img-blog.csdnimg.cn/direct/12e9177565574020ad7cb81eb26b5db5.png
这个一眼垂直越权啊,先注册一个平凡用户,然后jwt伪造乐成以admin登录
https://img-blog.csdnimg.cn/direct/12d13e0f59844367b2f478755b466d25.png
JSON Web Tokens - jwt.io
jwt-cracker爆破出密钥为SYSA
https://img-blog.csdnimg.cn/direct/53793d8ac02c46428b59e1abbfbe86a6.png
然后jwt伪造
https://img-blog.csdnimg.cn/direct/68af8819aed6409eab7c7cbdef7e1e49.png
改cookie中的jwt,然后再次访问
https://img-blog.csdnimg.cn/direct/c09e4468dc094d559164f1e69bcfb318.png
进入个人中心,拿到flag
https://img-blog.csdnimg.cn/direct/0199018699ad496bb36291695b62604d.png
login
f12看到注释,知道学号密码都是20200101
https://img-blog.csdnimg.cn/direct/69b52cc0519745d9b2f1873857a4acb3.png
然而只是回显登录乐成
https://img-blog.csdnimg.cn/direct/3198c717a3a3450e979f45a1fa9a95ef.png
爆破后发现就是学号02-11的登录回显,进行拼凑得到flag{dlcg}
iphone
https://img-blog.csdnimg.cn/direct/e7d5790b5aeb422386813ce7192beaed.png
恣意点下Enter
https://img-blog.csdnimg.cn/direct/330816cf3c27426ab0c4aa63ab745a37.png
右键查看源码,提示改UA
https://img-blog.csdnimg.cn/direct/8115a5cd1f194800a8aece01d7b1b5e1.png
改UA为iphone即可拿到flag
https://img-blog.csdnimg.cn/direct/3b6b2ba49179490896013cc2a2d3c361.png
浮生日记
https://img-blog.csdnimg.cn/direct/82cd45d782ac460eb8982b20e2daa1b8.png
title提示让我们弹个窗
https://img-blog.csdnimg.cn/direct/d4e8814e305545aeae2cbce06777f50d.png
测过无ssti,结合题目名字,合理可以想到js注入
发现替换了script为空,然后赋值给value
https://img-blog.csdnimg.cn/direct/d6e282051bca4d32a2066e646a5630f0.png
https://img-blog.csdnimg.cn/direct/c11fb50ce4cd40328a2387806b7a05e8.png
显然可以先闭合value,然后独立出一个script执行恶意代码
payload:
"><scrscriptipt>alert(1)</scrscriptipt> https://img-blog.csdnimg.cn/direct/ef300879e5f34bec8c70416f0f44ba5e.png
点击确定后拿到flag
https://img-blog.csdnimg.cn/direct/0e5fb604ccd343d89a3400af74d9fd45.png
$$
https://img-blog.csdnimg.cn/direct/74a44ea0a75241e9afdcc0e7e986939b.png
直接$GLOBALS读全局变量就可
payload:
?c=GLOBALS https://img-blog.csdnimg.cn/direct/a268ab0fdfe04fc5853d39f2d7d7f178.png
爆破
https://img-blog.csdnimg.cn/direct/0b504891ba394128a038998940b66275.png
if(substr($pass, 1,1)===substr($pass, 14,1) && substr($pass, 14,1) ===substr($pass, 17,1)){ ... }:这行代码检查颠末 MD5 加密后的字符串的特定位置的字符是否类似。详细地,它检查字符串的第 2、15 和 18 个字符是否类似。如果这三个位置的字符类似,则执行内部代码块。
if((intval(substr($pass, 1,1))+intval(substr($pass, 14,1))+substr($pass, 17,1))/substr($pass, 1,1)===intval(substr($pass, 31,1))){ ... }:这行代码对特定位置的字符进行处理,并将它们转换为整数进行计算。详细地,它计算字符串的第 2、15 和 18 个字符的整数值相加,然后除以第 2 个字符的整数值,并检查结果是否即是字符串的第 32 个字符的整数值。如果相等,则执行内部代码块。
这个肯定不是啥php特性了,只能如题所说,爆破!
2位就能爆出来https://img-blog.csdnimg.cn/direct/5d5cf130158d4c909533c07422223fde.png
https://img-blog.csdnimg.cn/direct/e313422a36464443abef43fec38881cf.png
XFF
https://img-blog.csdnimg.cn/direct/a0cbcda656a34123ab2ba2ba68cb845e.png
直接xff伪造ip即可
https://img-blog.csdnimg.cn/direct/7169366f3b494b7ea6eff87aa5909193.png
rce1
https://img-blog.csdnimg.cn/direct/377b329996eb4fc89ec9720cd5488a52.png
过滤空格用${IFS}绕过即可
https://img-blog.csdnimg.cn/direct/f9ed407c935e4c89b8017b1b595b1a51.png
;tac${IFS}fllllaaag.php 右键查看源码,拿到flag
https://img-blog.csdnimg.cn/direct/bbeb0a96e54640ff9948986a65b1a3b5.png
GET-POST
https://img-blog.csdnimg.cn/direct/05b57d762262430eb6ed3fc5fc63f627.png
正常传参就行
https://img-blog.csdnimg.cn/direct/2144f2dbeac64809a364485515592bb2.png
被黑掉的站
https://img-blog.csdnimg.cn/direct/42495ebbb2bd4f8bad547eeed570b416.png
提示站里还有马
扫出来index.php.bak和shell.php
访问index.php.bak,就是给到一个字典
https://img-blog.csdnimg.cn/direct/e501146e80ca4ebd8fba93295693d7eb.png
访问shell.php,显然就是拿字典爆破
https://img-blog.csdnimg.cn/direct/0b158b49371b492cbef4536d2c0d8176.png
开爆就完了
https://img-blog.csdnimg.cn/direct/b02e5576e0ed42e98ab3aee1dfb46111.png拿到flag
https://img-blog.csdnimg.cn/direct/8026163e20584a58b80399847d246427.png
签到题
https://img-blog.csdnimg.cn/direct/629b452acb4b418590080fb0dc647fee.png
承认是个弟弟,但setcookie初始值为no
https://img-blog.csdnimg.cn/direct/b212dba8cb33485681ebe26164c9fc2a.png
改didi=yes,发包
https://img-blog.csdnimg.cn/direct/5ba87b0f700e41028f6211857e68561f.png
base64解码
https://img-blog.csdnimg.cn/direct/369b84be03054153b4333bca299074c8.png 访问/data/index.php
https://img-blog.csdnimg.cn/direct/39b975e89808433caf84674417ec67d4.png
替换为空双写绕过即可
payload:
/data/index.php?file=php://filter/convert.base64-encode/resource=..././..././..././..././flag https://img-blog.csdnimg.cn/direct/484133c3413b4f76869cdbcf007db505.png
base64解码即可
https://img-blog.csdnimg.cn/direct/4bffda5ddffa45a0b43670de175ab7fd.png
签到
https://img-blog.csdnimg.cn/direct/d0a8a82b18764041b4e2469136aaa287.png
把disabled删掉就可
https://img-blog.csdnimg.cn/direct/99eec964462d4ce2a49b01e1c3c3c106.png
弹窗
https://img-blog.csdnimg.cn/direct/a15d95ea8a48473e8ca8efcf499b0cfd.png
但提交后还是不行,继续看前端
把maxlength改大即可
https://img-blog.csdnimg.cn/direct/44a3c623ea304580ae1e61c0b06c501f.png
如下
https://img-blog.csdnimg.cn/direct/68688f312681404ab2cb8caed3c24616.png
https://img-blog.csdnimg.cn/direct/4c39f3cac2af4dc8bb7eefaebbffeca7.png
session文件包罗
https://img-blog.csdnimg.cn/direct/7f374819ad9f421b9fae3eab25014de2.png
发包,看到响应头给了一个PHPSESSID
https://img-blog.csdnimg.cn/direct/569b806ce9144165902f2d9065a50abe.png点击mydirectory,回显如下
https://img-blog.csdnimg.cn/direct/946d71c01a8747459e531a394c859e85.png
右键查看源码:
https://img-blog.csdnimg.cn/direct/9fb8911f5dbc437294adf7beb02c1ddf.png
似乎可以恣意文件包罗,尝试读文件
base64解码
https://img-blog.csdnimg.cn/direct/662723b87f764a64b721b7c7304642ee.png
<?php
session_start();
error_reporting(0);
$name = $_POST['name'];
if($name){
$_SESSION["username"] = $name;
}
include($_GET['file']);
?>
<!DOCTYPE html>
<html>
<head>
</head>
<body>
<a href=action.php?file=1.txt>my dairy</a>
<a href=action.php?file=2.txt>my booklist</a>
</body>
</html> session_start()一般是给session反序列化用的,这题考的不是反序列化
可以直接利用恶意session文件包罗
https://img-blog.csdnimg.cn/direct/932bcdd5f78c45749c4dbde499774583.png
笑死,直接读环境变量的flag是假的,只能读文件
https://img-blog.csdnimg.cn/direct/998382bc39664ddabf2d4f9f3154ca9a.png
Don't touch me
右键查看源码
https://img-blog.csdnimg.cn/direct/bdc56a6f7ce14bdba7b5811e86a43671.png
访问/2.php
https://img-blog.csdnimg.cn/direct/91a058214526451ca7b75b9e8d56fbe9.png
把bottom的disabled属性给删掉,点击后跳转/3.php
右键查看源码
https://img-blog.csdnimg.cn/direct/ca6441574738425e8cfeaa436e2ce542.png
访问/fla.php拿到flag
https://img-blog.csdnimg.cn/direct/4e8977f21bf44f17b4ab37240a9445c7.png
robots
https://img-blog.csdnimg.cn/direct/506183c7627d46edb7c12d7131d01951.png
访问/robots.txt
https://img-blog.csdnimg.cn/direct/a13b69ad72cb420281d0a84fedfc572f.png 访问/fl0g.php拿到flag
https://img-blog.csdnimg.cn/direct/dc4fea4f7aa9455b9ff08f538b0c45e5.png
php very nice
https://img-blog.csdnimg.cn/direct/5b8ea4ef451c4ce9bfc55884fbde248d.png
这不直接喂到嘴边了
$a=new Example();
$a->sys="system('tac f*');";
echo serialize($a); https://img-blog.csdnimg.cn/direct/4050ee52b4cd409c847ff6ba704269b6.png
ezupload
https://img-blog.csdnimg.cn/direct/427b34e10d784797947edc4cf25dc26e.png
https://img-blog.csdnimg.cn/direct/81178a5a8d854526b6d242a5073bc712.png
改mime type为image/gif即可
https://img-blog.csdnimg.cn/direct/615be7c55fa84242b29436338331e5a6.png
连蚁剑,拿flag
https://img-blog.csdnimg.cn/direct/5f2385debde24e24ae2295074bffd1df.png
cookie欺骗
https://img-blog.csdnimg.cn/direct/a073a4274de84a21b80c7c6b16aa8e83.png
cookie改user=admin即可
https://img-blog.csdnimg.cn/direct/585446a9fa98456bb24435f16f55973a.png
upload
https://img-blog.csdnimg.cn/direct/51a03474c2ea47f9bc7d836f3ed89388.png
恣意上传一个php文件,发现直接拿掉了后缀,不对其作为php文件进行解析
https://img-blog.csdnimg.cn/direct/0f3c73468b504b3bbc686fef3ee556a0.png 回到初始界面,右键查看源码
https://img-blog.csdnimg.cn/direct/568ed0d8a68442e791ea50399d40b935.png
访问?action=show_code拿到源码
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = str_ireplace($deny_ext,"", $file_name);
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH.'/'.rand(10000,99999).$file_name;
if (move_uploaded_file($temp_file, $img_path)) {
$is_upload = true;
} else {
$msg = '上传出错!';
}
} else {
$msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
}
} 替换为空,直接双写绕过即可
https://img-blog.csdnimg.cn/direct/6136bf1017204aca952ce95f701986e3.png
可以看到乐成上传php文件
https://img-blog.csdnimg.cn/direct/0b76b3a1f9dc4698a18925babeb81da7.png
连蚁剑,拿flag
https://img-blog.csdnimg.cn/direct/dc26a1e8d490444aa8c7a2fecf59789c.png
干正则
https://img-blog.csdnimg.cn/direct/67effe1b0f284dd28739065a1c75759d.png
页:
[1]