Brute force (web21-web28)

web21

Brute forcing is basic stuff.

Log in with an arbitrary value such as 123, capture the request, and notice the Authorization header.

It is base64-encoded.

Brute force it with the provided wordlist.

ctfshow{7787a6d7-5130-4dec-a0ef-a29894088ed1}

web22

Domain names can be brute forced too. Try brute forcing the subdomains of ctf.show.

flag{ctf_show_web}

web23

Brute force again? With this much code? I'm out!

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2020-09-03 11:43:51
# @Last Modified by:   h1xa
# @Last Modified time: 2020-09-03 11:56:11
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/
error_reporting(0);

include('flag.php');
if(isset($_GET['token'])){
    $token = md5($_GET['token']);
    if(substr($token, 1,1)===substr($token, 14,1) && substr($token, 14,1) ===substr($token, 17,1)){
        if((intval(substr($token, 1,1))+intval(substr($token, 14,1))+substr($token, 17,1))/substr($token, 1,1)===intval(substr($token, 31,1))){
            echo $flag;
        }
    }
}else{
    highlight_file(__FILE__);

}
?>

So after MD5-hashing the token, its 2nd character must equal its 15th and 18th, and the last character must be 3.

No need to understand it fully; just brute force it, some value will fit.

ctfshow{154ec3b1-7b96-4bbe-b0c1-2de200446a36}

web24

Brute force, my 🔨.

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2020-09-03 13:26:39
# @Last Modified by:   h1xa
# @Last Modified time: 2020-09-03 13:53:31
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/

error_reporting(0);
include("flag.php");
if(isset($_GET['r'])){
    $r = $_GET['r'];
    mt_srand(372619038);
    if(intval($r)===intval(mt_rand())){
        echo $flag;
    }
}else{
    highlight_file(__FILE__);
    echo system('cat /proc/version');
}

?>

Linux version 5.4.0-163-generic (buildd@lcy02-amd64-067) (gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.2)) #180-Ubuntu SMP Tue Sep 5 13:21:23 UTC 2023

mt_srand() with a fixed seed makes mt_rand() deterministic: the first value after mt_srand(372619038) is always the same.

/?r=1155388967

ctfshow{61cec1d6-a24c-4db9-ac0b-b43271587795}

web25

Brute force, my 🔨. Not brute forcing this one.

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2020-09-03 13:56:57
# @Last Modified by:   h1xa
# @Last Modified time: 2020-09-03 15:47:33
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/


error_reporting(0);
include("flag.php");
if(isset($_GET['r'])){
    $r = $_GET['r'];
    mt_srand(hexdec(substr(md5($flag), 0,8)));
    $rand = intval($r)-intval(mt_rand());
    if((!$rand)){
        if($_COOKIE['token']==(mt_rand()+mt_rand())){
            echo $flag;
        }
    }else{
        echo $rand;
    }
}else{
    highlight_file(__FILE__);
    echo system('cat /proc/version');
}

mt_srand(hexdec(substr(md5($flag), 0,8))); fixes the seed (it is derived from the flag).

?r=0 makes the page echo $rand = 0 - mt_rand(), leaking the first random value.

The first value is 1998740970; passing r=1998740970 returns a blank page, so the (!$rand) check is bypassed.

To compute the token we still need the actual seed, so use php_mt_seed (openwall/php_mt_seed: PHP mt_rand() seed cracker, github.com).

For PHP version 7.3 it gives seed=741739666 or 3415994057.

Compute the token (mt_rand() + mt_rand() from the seeded stream).

Testing shows the seed is the former.

ctfshow{07118b62-bcfb-4e2b-9582-e8351f5be0c0}
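As an added illustration (not part of the original writeup or the challenge code), this Python port of the MT19937 generator behind PHP's mt_rand() reproduces the web24 value from the hard-coded seed and computes the web25 cookie token once the seed is known; it shows why mt_srand() with a fixed or recoverable seed offers no secrecy, and why tokens must come from random_int()/random_bytes() instead. The seeds 372619038 and 741739666 are the ones from the challenges above; PHP 7.1+ generator semantics (MT_RAND_MT19937 mode, output shifted right by one) are assumed.

```python
N, M = 624, 397
MATRIX_A, UPPER, LOWER = 0x9908B0DF, 0x80000000, 0x7FFFFFFF

class PhpMtRand:
    """Mirror of mt_srand()/mt_rand() in PHP >= 7.1 (MT_RAND_MT19937 mode)."""

    def __init__(self, seed: int) -> None:
        # php_mt_initialize(): the classic init_genrand() recurrence
        s = self.state = [seed & 0xFFFFFFFF]
        for i in range(1, N):
            s.append((1812433253 * (s[-1] ^ (s[-1] >> 30)) + i) & 0xFFFFFFFF)
        self.left, self.next = 0, 0  # PHP reloads before the first output

    def _reload(self) -> None:
        # php_mt_reload(): one in-place twist of the 624-word state
        s = self.state
        for i in range(N):
            y = (s[i] & UPPER) | (s[(i + 1) % N] & LOWER)
            s[i] = s[(i + M) % N] ^ (y >> 1) ^ (MATRIX_A if y & 1 else 0)
        self.left, self.next = N, 0

    def raw(self) -> int:
        """php_mt_rand(): the tempered 32-bit MT19937 output."""
        if self.left == 0:
            self._reload()
        self.left -= 1
        y = self.state[self.next]
        self.next += 1
        y ^= y >> 11
        y ^= (y << 7) & 0x9D2C5680
        y ^= (y << 15) & 0xEFC60000
        return (y ^ (y >> 18)) & 0xFFFFFFFF

    def mt_rand(self) -> int:
        """mt_rand() with no arguments: the 32-bit output shifted right by one."""
        return self.raw() >> 1

def predict_web24(seed: int = 372619038) -> int:
    """Value intval(mt_rand()) takes right after mt_srand(372619038)."""
    return PhpMtRand(seed).mt_rand()

def web25_token(seed: int) -> int:
    """web25 cookie check: the $r comparison consumes one mt_rand(), then
    the token must equal mt_rand() + mt_rand() from the same seeded stream."""
    g = PhpMtRand(seed)
    g.mt_rand()  # used up by intval($r) - intval(mt_rand())
    return g.mt_rand() + g.mt_rand()

if __name__ == "__main__":
    print(predict_web24(), web25_token(741739666))  # 1155388967 and the web25 token
```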

web26

This one can be brute forced.

Brute force, my 🥚.

ctfshow{cc861d7c-b2ff-4ad0-b522-4f15eb84117d}

web27

CTFshow Noob Academy is now enrolling!

A login page.

The admission list downloads as an xlsx containing the admitted students' names and their ID card numbers with the birth date digits masked.

The student record lookup system requires a name and an ID card number.

Brute force the date portion of the ID card number with Burp Suite; the number is 621022199002015237.

Decode the Unicode escapes in the response to get the student number 02015237 and the password.

Log in to get the flag.

ctfshow{0aa51145-e47c-4772-83a7-10c982c6533b}

web28

Needle in a haystack

Brute force the directory.

ctfshow{b24818e7-a974-48b6-b9aa-1a6e703ac0ab}