YCTF "Overcoming Hardship Together: Classes Suspended, Contest Continues" Writeup

WEB

0x 01 rce nopar

  • Topic

    Parameterless RCE

  • Solution steps

Code audit shows this is a parameterless RCE; the file is read through the session.


0x 02 SSRF

  • Topic

    SSRF

  • Solution

  1. First, read the source code via double base64 encoding of the file parameter.

index.php

<?php
error_reporting(E_ALL || ~E_NOTICE);

header('content-type:text/html;charset=utf-8');
if(! isset($_GET['file']))
header('Refresh:0;url=./index.php?file=WTNSbWFXMWhaMlV1YW5Cbg==');
$file = base64_decode(base64_decode($_GET['file']));
echo '<title>'.$_GET['file'].'</title>';
$file = preg_replace("/[^a-zA-Z0-9.]+/","", $file);
echo 'input_filename: '. $file.'</br>';
$file = str_replace("ctf","flag", $file);
echo 'real_filename: '.$file.'</br>';
$txt = base64_encode(file_get_contents($file));

echo "<img src='data:image/gif;base64,".$txt."'></img>";
/*
* Can you find the flag file?
*
* Hint: hal0flagi5here.php
*/

Read the code of hal0flagi5here.php:

<?php
$argv[1]=$_GET['url'];
if(filter_var($argv[1],FILTER_VALIDATE_URL))
{
    $r = parse_url($argv[1]);
    print_r($r);
    if(preg_match('/happyctf\.com$/',$r['host']))
    {
        $url=file_get_contents($argv[1]);
        echo($url);
    }else
    {
        echo("error");
    }

}else
{
    echo "403 Forbidden";
}
?>

Using 0:// bypasses filter_var($argv[1],FILTER_VALIDATE_URL); after that a directory traversal is all that is needed.
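The two checks above, filter_var(..., FILTER_VALIDATE_URL) and a regex suffix match on the parsed host, validate only URL syntax and a host suffix. Below is an added example, written in Python rather than PHP and not part of the original writeup or the challenge, of the checks a URL-fetching endpoint needs instead: a scheme allowlist, no credentials in the authority, an exact host match, and a check on the address the host resolves to. ALLOWED_HOSTS, the port list and the injectable resolver argument are assumptions made for the example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allowlist standing in for the challenge's happyctf.com check
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"happyctf.com", "www.happyctf.com"}
ALLOWED_PORTS = {None, 80, 443}


def is_allowed_url(url, resolver=socket.gethostbyname):
    """Return True only if every check passes; any parse problem means reject."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False

    # 1. Scheme allowlist. FILTER_VALIDATE_URL accepts any syntactically valid
    #    scheme; here anything other than plain http/https is refused.
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False

    # 2. No userinfo in the authority, a non-empty host, and an expected port
    if parts.username is not None or parts.password is not None:
        return False
    host = parts.hostname
    if not host or port not in ALLOWED_PORTS:
        return False

    # 3. Exact host match. The challenge's /happyctf\.com$/ is only a suffix
    #    test, so it also accepts any name that merely ends in happyctf.com.
    if host not in ALLOWED_HOSTS:
        return False

    # 4. Resolve the name and require a globally routable address, so a DNS
    #    record pointing the allowed name at loopback or RFC 1918 space fails.
    try:
        addr = ipaddress.ip_address(resolver(host))
    except (OSError, ValueError):
        return False
    return addr.is_global


if __name__ == "__main__":
    # Resolver stub so the example runs offline (constructed address)
    print(is_allowed_url("http://happyctf.com/index.php", resolver=lambda h: "1.2.3.4"))
```

Resolving at validation time and connecting later leaves a window for the DNS answer to change; in a real service the address that passed the check should be the one the HTTP client is made to connect to.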

0x 03 WEB3-SQLI

  • Topic

    Second-order injection + error-based injection

  • Solution

The email field at registration sits behind a WAF that rejects the @ character; simply leave it empty.

payload: test"||(updatexml(1,concat(0x3a,(select(group_concat(table_name))from(information_schema.tables)where(table_schema=database()))),1))#

This yields the table names.

Query the flag column of the flag table (TABLENAME: flag, columnname: flag) to get the flag.
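To make the second-order path concrete, here is an added Python/sqlite3 example; it is not from the writeup or the challenge, which runs MySQL (updatexml does not exist in SQLite, so the error text differs, but the mechanism is the same). The registration filter only blocks @, so the payload is stored unchanged; the later query that splices the stored value into SQL text is where it reaches the parser, while a bound parameter compares it as plain data. The table and column names are constructed for the example.

```python
import sqlite3

# The writeup's payload, stored verbatim as an "email" (the @ filter never touches it)
STORED_PAYLOAD = ('test"||(updatexml(1,concat(0x3a,(select(group_concat(table_name))'
                  'from(information_schema.tables)where(table_schema=database()))),1))#')


def registration_waf(email):
    """The registration check as the writeup describes it: only '@' is refused."""
    return "@" not in email


def make_db():
    """Constructed schema for the example; the challenge's real schema is not known."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("alice", "alice.example"))
    return conn


def register(conn, username, email):
    """First order: the INSERT is parameterized, so nothing happens at this point."""
    if not registration_waf(email):
        return False
    conn.execute("INSERT INTO users VALUES (?, ?)", (username, email))
    return True


def lookup_vulnerable(conn, email):
    """Second-order sink: a value read back from the database is spliced into SQL text."""
    query = 'SELECT username FROM users WHERE email = "%s"' % email
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn, email):
    """Same query with a bound parameter: the stored string is compared, never parsed."""
    rows = conn.execute("SELECT username FROM users WHERE email = ?", (email,))
    return [row[0] for row in rows]


def demo():
    """Register with the payload, then run both lookups on the stored value."""
    conn = make_db()
    register(conn, "test", STORED_PAYLOAD)
    stored = conn.execute("SELECT email FROM users WHERE username = 'test'").fetchone()[0]
    try:
        outcome = "rows: %r" % lookup_vulnerable(conn, stored)
    except sqlite3.OperationalError as exc:
        # The error message is exactly the channel updatexml() abuses on MySQL
        outcome = "database error: %s" % exc
    return {"vulnerable": outcome, "safe": lookup_safe(conn, stored)}


if __name__ == "__main__":
    print(demo())
```

The lesson for the defender is that a character blocklist at the input boundary does not help when the sink is a later string concatenation; every query that touches stored data needs parameters, and database error text should never be echoed to the client.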

0x 04 XXE

  • Topic

    XXE

  • Solution

1. Download the leaked file to obtain the source code:

<?php
if(isset($_POST["submit"])) {
    $target_file = getcwd()."/upload/".md5($_FILES["file"]["tmp_name"]);
    if (move_uploaded_file($_FILES["file"]["tmp_name"], $target_file)) {
        try {
            $result = @file_get_contents("zip://".$target_file."#docProps/core.xml");
            $xml = new SimpleXMLElement($result, LIBXML_NOENT);
            $xml->registerXPathNamespace("dc", "http://purl.org/dc/elements/1.1/");
            foreach($xml->xpath('//dc:title') as $title){
                echo "Title '".$title . "' has been added.<br/>";
            }
        } catch (Exception $e){
            echo $e;
            echo "上传文件不是一个docx文档.";
        }
    } else {
        echo "上传失败.";
    }
}

Solution reference: https://www.jianshu.com/p/40d6d0e7117f

Unzip sample.docx, modify docProps/core.xml, re-zip it, change the extension, and upload to get the flag.
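The challenge code passes LIBXML_NOENT to SimpleXMLElement, which switches on entity substitution for the XML it pulls out of the uploaded archive; that flag is the whole vulnerability. As an added Python example (not the writeup's or the challenge's code), the same docProps/core.xml extraction with the check a hardened upload handler applies: any DOCTYPE declaration is refused before the document reaches a parser, which is the policy defusedxml follows. The archive builder and both core.xml samples are constructed for the example.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

DC_NS = "http://purl.org/dc/elements/1.1/"
CP_NS = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
# A DOCTYPE is the only place ENTITY declarations can live, so refusing it
# refuses every entity, internal or external, before a parser sees the file.
DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)


def build_docx(core_xml):
    """Constructed minimal docx-like archive containing only docProps/core.xml."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/core.xml", core_xml)
    return buf.getvalue()


def check_upload(docx_bytes):
    """Return ("ok", titles) or ("rejected", reason); never raises on bad input."""
    try:
        with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
            core = zf.read("docProps/core.xml")
    except (zipfile.BadZipFile, KeyError):
        return ("rejected", "not a docx archive with docProps/core.xml")
    if DOCTYPE_RE.search(core):
        return ("rejected", "DOCTYPE declaration in core.xml")
    try:
        root = ET.fromstring(core)
    except ET.ParseError:
        return ("rejected", "malformed XML")
    # Same lookup as the challenge's //dc:title XPath, in ElementTree terms
    return ("ok", [t.text or "" for t in root.iter("{%s}title" % DC_NS)])


# Constructed benign core.xml
GOOD_CORE = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}">'
    "<dc:title>Quarterly report</dc:title></cp:coreProperties>"
).format(cp=CP_NS, dc=DC_NS).encode()

# Constructed core.xml carrying a DOCTYPE. The entity here is internal and
# harmless; the point is that the file is refused before any expansion.
ENTITY_CORE = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE cp:coreProperties [ <!ENTITY note "declared"> ]>'
    '<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}">'
    "<dc:title>&note;</dc:title></cp:coreProperties>"
).format(cp=CP_NS, dc=DC_NS).encode()


if __name__ == "__main__":
    print(check_upload(build_docx(GOOD_CORE)))
    print(check_upload(build_docx(ENTITY_CORE)))
```

The PHP equivalent of this policy is to drop LIBXML_NOENT (and not to call libxml_disable_entity_loader(false) on older PHP), and to reject documents containing a DOCTYPE before constructing SimpleXMLElement.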

MISC

0x 01 XOR

A fellow player in the post-contest group shared a reference blog post:

https://shawroot.hatenablog.com/entry/2019/11/04/%E6%94%BB%E9%98%B2%E4%B8%96%E7%95%8Ccrypto%3Acr2-many-time-secrets

0x 02 Misc2

The challenge provides a file named disk3; checking it with file shows a Linux ext3 filesystem, so we create a directory and mount it. Inside are a readme and an archive; the archive contains an encrypted flag.png, and the readme says the password was deleted.

Recover the deleted file with DiskGenius to obtain the archive password don0tgu355p@sswd; finally, adjust the height of the PNG and the flag appears.
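Changing a PNG's height means editing the IHDR chunk, and every PNG chunk carries a CRC32 over its type and data, so a bare hex edit of the height bytes leaves a checksum mismatch that strict viewers and forensic tools report. The following is an added Python example (not part of the writeup) that builds a small constructed PNG, patches its height with the CRC recomputed, and also shows the stale-CRC result of a naive edit for comparison.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype, data):
    """Serialize one chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_png(width, height):
    """Constructed sample image: 8-bit RGB, every pixel mid-grey, filter type 0 per row."""
    raw = b"".join(b"\x00" + b"\x80\x80\x80" * width for _ in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")


def iter_chunks(png):
    """Yield (offset, type, data, stored_crc) for every chunk after the signature."""
    if png[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos = 8
    while pos + 12 <= len(png):
        (length,) = struct.unpack(">I", png[pos:pos + 4])
        ctype = png[pos + 4:pos + 8]
        data = png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])
        yield pos, ctype, data, crc
        pos += 12 + length


def read_ihdr(png):
    """Return (width, height, crc_ok) from the IHDR chunk."""
    for _, ctype, data, crc in iter_chunks(png):
        if ctype == b"IHDR":
            width, height = struct.unpack(">II", data[:8])
            return width, height, crc == (zlib.crc32(ctype + data) & 0xFFFFFFFF)
    raise ValueError("no IHDR chunk")


def set_height(png, new_height):
    """Return a copy with the IHDR height replaced and the IHDR CRC recomputed."""
    for pos, ctype, data, _ in iter_chunks(png):
        if ctype == b"IHDR":
            new_data = data[:4] + struct.pack(">I", new_height) + data[8:]
            return png[:pos] + _chunk(ctype, new_data) + png[pos + 12 + len(data):]
    raise ValueError("no IHDR chunk")


def naive_patch_height(png, new_height):
    """Overwrite only the four height bytes, as a hex editor would; the CRC goes stale."""
    for pos, ctype, _, _ in iter_chunks(png):
        if ctype == b"IHDR":
            off = pos + 8 + 4  # past length and type fields, past the width
            return png[:off] + struct.pack(">I", new_height) + png[off + 4:]
    raise ValueError("no IHDR chunk")


if __name__ == "__main__":
    sample = make_png(4, 2)
    print(read_ihdr(sample), read_ihdr(set_height(sample, 5)), read_ihdr(naive_patch_height(sample, 5)))
```

A height larger than the pixel rows actually present in IDAT is what reveals image data hidden below the declared height; decoders then either fill the missing rows or stop early, which is why the CRC should be fixed so that the mismatch is not the reason a viewer refuses the file.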


0x 03 Keyboard

Reference: https://www.cnblogs.com/cnnnnnn/p/11939107.html (same challenge as the original)

CRYPTO

0x 01 Sign-in

openssl rsautl -decrypt -in flag.en -inkey rsa_private_key.pem -out flag.txt
flag{We1c0meCtf3r_elab}

0x 02 CRC32

CRC32 brute force:

import binascii

# Target CRC32 values of the three 4-byte chunks
crcs = {0x308E1D5B, 0x5194C2D0, 0x5C48F6CA}

def crackfour():
    # Try every 4-character printable ASCII string and report those whose CRC32 matches
    r = range(32, 127)
    for a in r:
        for b in r:
            for c in r:
                for d in r:
                    txt = bytes((a, b, c, d))
                    crc = binascii.crc32(txt) & 0xFFFFFFFF
                    if crc in crcs:
                        print(txt.decode("ascii"))

crackfour()

This gives the archive password 64p2@sworD20; unzip to get the flag.

0x 03 RSABackDoor

Same as a known challenge; reference https://xz.aliyun.com/t/6703

Flag obtained: flag{4e8954396d69c8daaf849655cee3dc9bd6486a0e}