你与春风皆过客

[vulnhub]Five86-2靶机

开放了20,21,80端口


[vulnhub]Five86-1靶机

开放端口


[vulnhub]Me and My Girlfriend 1靶机

1。确定目标
目标为192.168.0.179
2。端口扫描
只开放了22和80


BJDCTF Web题解

[BJDCTF2020]Mark loves


[2020 新春红包题]反序列化pop链

这题也是根据2019全国大学生安全运维赛 EZPOP改编的
具体代码如下

<?php
error_reporting(0);

class A {

    protected $store;

    protected $key;

    protected $expire;

    public function __construct($store, $key = 'flysystem', $expire = null) {
        $this->key = $key;
        $this->store = $store;
        $this->expire = $expire;
    }

    public function cleanContents(array $contents) {
        $cachedProperties = array_flip([
            'path', 'dirname', 'basename', 'extension', 'filename',
            'size', 'mimetype', 'visibility', 'timestamp', 'type',
        ]);

        foreach ($contents as $path => $object) {
            if (is_array($object)) {
                $contents[$path] = array_intersect_key($object, $cachedProperties);
            }
        }

        return $contents;
    }

    public function getForStorage() {
        $cleaned = $this->cleanContents($this->cache);

        return json_encode([$cleaned, $this->complete]);
    }

    public function save() {
        $contents = $this->getForStorage();

        $this->store->set($this->key, $contents, $this->expire);
    }

    public function __destruct() {
        if (!$this->autosave) {
            $this->save();
        }
    }
}

class B {

    protected function getExpireTime($expire): int {
        return (int) $expire;
    }

    public function getCacheKey(string $name): string {
        // 使缓存文件名随机
        $cache_filename = $this->options['prefix'] . uniqid() . $name;
        if(substr($cache_filename, -strlen('.php')) === '.php') {
          die('?');
        }
        return $cache_filename;
    }

    protected function serialize($data): string {
        if (is_numeric($data)) {
            return (string) $data;
        }

        $serialize = $this->options['serialize'];

        return $serialize($data);
    }

    public function set($name, $value, $expire = null): bool{
        $this->writeTimes++;

        if (is_null($expire)) {
            $expire = $this->options['expire'];
        }

        $expire = $this->getExpireTime($expire);
        $filename = $this->getCacheKey($name);

        $dir = dirname($filename);

        if (!is_dir($dir)) {
            try {
                mkdir($dir, 0755, true);
            } catch (\Exception $e) {
                // 创建失败
            }
        }

        $data = $this->serialize($value);

        if ($this->options['data_compress'] && function_exists('gzcompress')) {
            //数据压缩
            $data = gzcompress($data, 3);
        }

        $data = "<?php\n//" . sprintf('%012d', $expire) . "\n exit();?>\n" . $data;
        $result = file_put_contents($filename, $data);

        if ($result) {
            return $filename;
        }

        return null;
    }

}

if (isset($_GET['src']))
{
    highlight_file(__FILE__);
}

$dir = "uploads/";

if (!is_dir($dir))
{
    mkdir($dir);
}
unserialize($_GET["data"]);


[XNUCA2019Qualifier]EasyPHP(.htaccess利用)

<?php
    $files = scandir('./'); 
    foreach($files as $file) {
        if(is_file($file)){
            if ($file !== "index.php") {
                unlink($file);
            }
        }
    }
    include_once("fl3g.php");
    if(!isset($_GET['content']) || !isset($_GET['filename'])) {
        highlight_file(__FILE__);
        die();
    }
    $content = $_GET['content'];
    if(stristr($content,'on') || stristr($content,'html') || stristr($content,'type') || stristr($content,'flag') || stristr($content,'upload') || stristr($content,'file')) {
        echo "Hacker";
        die();
    }
    $filename = $_GET['filename'];
    if(preg_match("/[^a-z\.]/", $filename) == 1) {
        echo "Hacker";
        die();
    }
    $files = scandir('./'); 
    foreach($files as $file) {
        if(is_file($file)){
            if ($file !== "index.php") {
                unlink($file);
            }
        }
    }
    file_put_contents($filename, $content . "\nJust one chance");
?>


[jactf]sawed

上上下下左左右右BABA
全是awsde组成的字符串


[jactf]simple_transfer(nsf数据分析)

开始是端口扫描的TCP数据


[jactf]USB

difficult_programming_language.pcap


不多BB。直接脚本提取出内容
tshark -r difficult_programming_language.pcap -T fields -e usb.capdata > usbdata.txt


[jactf]soeasy(vmdk取证)


[jactf]WireLess(WIFI数据包破解)

一个WIFI数据包。看不到协议。只能看到802.11

首先。我们要去爆破WIFI密码。解密数据包。


[jactf]二维码藏到哪里了(python PIL库使用)

就给了一串。看起来好像是RGB色。
255.255.255=白色
0.0.0=黑色


[jactf]过滤语法

wireshark数据包。只有TCP数据。一大堆看不懂的东西。


[GXY]Baby nc(判断数大小)

from pwn import *
context.log_level='debug'
r=remote("183.129.189.60",10014)
flag='34028236692093846346337460'
for a in range(10):
    for i in range(10):
    	guess=str(flag)+str(i)+(27-1-len(flag))*'0'
        r.sendline(guess)
        result=r.recv(10)
        if 'big' in result:
            flag+=str(i-1)
            break
        if i==9 and 'small' in result:
            flag+='9'
            break
    print(flag)


LCTF bestphp’s revenge(SOAP反序列化)

index.php

 <?php
highlight_file(__FILE__);
$b = 'implode';
call_user_func($_GET['f'], $_POST);
session_start();
if (isset($_GET['name'])) {
    $_SESSION['name'] = $_GET['name'];
}
var_dump($_SESSION);
$a = array(reset($_SESSION), 'welcome_to_the_lctf2018');
call_user_func($b, $a);
?>

← 上一页 下一页 →