2020 Wangding Cup (网鼎杯) Web wp


I was too weak and didn't make the finals, sob. The competition was advertised as being run to the standard of a domestic "Security Olympics", but in practice it had plenty of problems. First, the py (flag sharing) goes without saying; there is basically no cure for it at the moment. Second, our team's three web players had to get up early and stare at crypto and misc, and the first web challenge wasn't released until noon, which was a truly impressive move. Finally, for some reason the organizers only allowed each team to have one environment open at a time, so we had to borrow other teams' environments everywhere (which also made the py worse); the experience was terrible. I hope the organizers take these problems seriously and give players a good solving experience next time. notes The challenge gives the source. The main feature is a message board with create, delete, update and query operations. There is a feature for querying the current status that can run bash commands: app.route('/status') .get(function(req, res) { let commands = { "script-1": "uptime", "script-2":...

SHARKY CTF Web wp


XXExternalXX Firstly, I found the LFI (local file include) in , so let's try to read some sensitive files like /etc/passwd. The server returns a null page, which means our wishes are shattered. But the good news is that the administrator has not hidden the error report, so we can figure out why it doesn't show the file. According to the error, it seems the interface only accepts an XML file...

SHARKY CTF BlockChain wp


This morning my teammate QiQi called me to attend this Sharky CTF, and I was very pleased to AK (solve all of) the BlockChain challenges. Warmup code: pragma solidity = 0.4.25; contract Warmup { bool public locked; constructor() public payable { locked = true; } function unlock() public payable { require(msg.value == 0.005 ether); locked = false; } function withdraw() public payable { require(!locked); msg.sender.call...

WPICTF Web WP


👉😎👉 This challenge confused me for a long time. Firstly, we can find some JavaScript source code in /static/zoop.js: // ATTENTION: READING THIS SOURCE CODE MAY NOT ONLY BURN YOUR EYES, IT IS IN VIOLATION OF OFFICIAL ZOOP CORP(TM) LTD. LLC OMGWTFBBQ POLICIES $(document).ready(() => { $('#send').click(() => { $('#send-indicator').css('visibility', 'visible'); $('#send-indicator')...

[WUSTCTF2020]TRAIN YOURSELF TO BE GODLY WP


A very high-quality challenge. Since I'm not very familiar with JSP, I didn't look at it carefully during the competition; after it went up on BUU I found it fairly hard to reproduce, so I'm writing a wp to help other masters (and to fish for some traffic). tomcat directory traversal Orange Tsai gave a talk at BlackHat (DEF CON 26 – Orange Tsai – Breaking Parser Logic Take Your Path Normalization Off and Pop 0Days Out, highly recommended), the gist being that certain middleware features lead to some magical directory traversal behaviour. For example: In this challenge's environment, Nginx acts as the reverse proxy and the real backend middleware is Tomcat; the two middlewares interpret paths differently, which causes parsing inconsistencies. Quoting Orange's summary above: As the figure above shows, Nginx parses...

[BUU] Problem Grinding Collection 1


[BUUCTF 2018]Online Tool Visiting the page gives the source: <?php if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) { $_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_X_FORWARDED_FOR']; } if(!isset($_GET['host'])) { highlight_file(__FILE__); } else { $host = $_GET['host']; $host = escapeshellarg($host); $host = escapeshellcmd($host); $sandbox = md5("glzjin". $_SERVER['REMOTE_ADDR']); echo 'you are in sandbox '.$sandbox;...

MRCTF 2020 BlockChain Wp


SIMPLEREVEAL A blockchain sign-in challenge; just find the contract and read its variables: Unwanted Coin The contract code is given: pragma solidity >=0.6.1; contract Modcoin { mapping(uint256 => bool) public is_successful; function recvpay() public payable { require(((msg.value / 0.001 ether ) % 2 == 0 && ((msg.value % 0.001 ether) == 0)), "Not Accepting These Coins."); } function getflag(uint256 target) public { require((address(this)...

WUST-CTF2020 Web Wp


The WUST freshman contest. Since TaQini lost his account, he shared an account with us and carried us to first place; I have to say TaQini tql! CheckIn This one is a bit nasty: it blasts brainwashing music as soon as you open it and asks who the Author is. Look up the challenge author's id from the challenge link, edit the html and submit: Why couldn't I think of this way of driving traffic to a blog! Browsing the blog, I found a post dated 1970, truly an ancient blog, with half of the flag at the end: The blog homepage's source has the other half: After half a day of effort I finally solved this one, and could only sigh at the author's painstaking design, so I quickly grabbed my phone and sent the author a tip for the hard work admin Universal-password login bypass, craft an xff header, pass a parameter via get and post, and permute the final given addresses to get the flag CV Maker File upload at the avatar; the content is checked, bypass with a GIF89 file header and get a shell directly. easyweb...

MRCTF 2020 Web wp


The BUPT freshman contest, commemorating Nep reaching the top (the big shots all played solo, while we shamelessly formed a team) 23333 ez_bypass The source is given directly: <?php include 'flag.php'; $flag='MRCTF{xxxxxxxxxxxxxxxxxxxxxxxxx}'; if(isset($_GET['gg']) && isset($_GET['id'])) { $id=$_GET['id']; $gg=$_GET['gg']; if (md5($id) === md5($gg) && $id !== $gg) { echo 'You got the first step'; if(isset($_POST['passwd'])) { $passwd=$_POST['passwd']; if (...

[BUU] Problem Grinding Collection 0


Taking a break from blockchain content for now; I haven't done problems on buu in a long time. The challenges on buu are too simple to deserve a separate article each, so I opened a collection to record them briefly. [SUCTF 2019]CheckIn File upload; the header check is bypassed with GIF89, .htaccess isn't parsed when there is dirty data, so use .user.ini (takes effect without restarting apache) to write an image webshell and reference it. payload: // .user.ini GIF89a auto_prepend_file=a.png auto_append_file=a.png // 1.png <script language="php">echo file_get_contents("/flag");</script> [CISCN2019 North China Division Day2 Web1]Hack World fuzz...
