CTFshow-web21-28 - Crzliang

655 字

3 分钟

CTFshow-web21-28

2022-10-13

WriteUP

web

/

CTF

web21#

题目：

burp抓包利用Intruder模块进行爆破，在根据hint1里的提示知道这是一个tomcat认证爆破，所以标记Authorization: Basic

Authorization字段后面的值经过了base64的加密，所以爆破时也要进行相应的加密

Payload sets的设置，字典利用题目给的附件，用户名猜一手admin，最后也是证明猜对了

web22#

域名失效了做不了

web23#

题目：

源码：

1
<?php
2

3
/*
4
# -*- coding: utf-8 -*-
5
# @Author: h1xa
6
# @Date:   2020-09-03 11:43:51
7
# @Last Modified by:   h1xa
8
# @Last Modified time: 2020-09-03 11:56:11
9
# @email: h1xa@ctfer.com
10
# @link: https://ctfer.com
11

12
*/
13
error_reporting(0);
14

15
include('flag.php');
16
if(isset($_GET['token'])){
17
    $token = md5($_GET['token']);
18
    if(substr($token, 1,1)===substr($token, 14,1) && substr($token, 14,1) ===substr($token, 17,1)){
19
        if((intval(substr($token, 1,1))+intval(substr($token, 14,1))+substr($token, 17,1))/substr($token, 1,1)===intval(substr($token, 31,1))){
20
            echo $flag;
21
        }
22
    }
23
}else{
24
    highlight_file(__FILE__);
25

26
}
27
?>

分析源码编写php脚本：

1
<?php
2

3
for ($i=0;$i<10000;$i++) {
4

5
    $token = md5($i);
6

7
    if (substr($token, 1, 1) === substr($token, 14, 1) && substr($token, 14, 1) === substr($token, 17, 1)) {
8
        if ((intval(substr($token, 1, 1)) + intval(substr($token, 14, 1)) + substr($token, 17, 1)) / substr($token, 1, 1) === intval(substr($token, 31, 1))){
9
            echo 'token'.$i.'md5'.$token;
10
        }
11
}
12
}
13
?>

flag

web24#

源码：

1
<?php
2

3
/*
4
# -*- coding: utf-8 -*-
5
# @Author: h1xa
6
# @Date:   2020-09-03 13:26:39
7
# @Last Modified by:   h1xa
8
# @Last Modified time: 2020-09-03 13:53:31
9
# @email: h1xa@ctfer.com
10
# @link: https://ctfer.com
11

12
*/
13

14
error_reporting(0);
15
include("flag.php");
16
if(isset($_GET['r'])){
17
    $r = $_GET['r'];
18
    mt_srand(372619038);
19
    if(intval($r)===intval(mt_rand())){
20
        echo $flag;
21
    }
22
}else{
23
    highlight_file(__FILE__);
24
    echo system('cat /proc/version');
25
}
26

27
?> Linux version 5.4.0-126-generic (buildd@lcy02-amd64-072) (gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.1)) #142-Ubuntu SMP Fri Aug 26 12:12:57 UTC 2022 Linux version 5.4.0-126-generic (buildd@lcy02-amd64-072) (gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.1)) #142-Ubuntu SMP Fri Aug 26 12:12:57 UTC 2022

hint

根据hint写php脚本

1
<?php
2
mt_srand(372619038);
3
echo (mt_rand());
4
?>

flag

web25#

源码：

1
<?php
2

3
/*
4
# -*- coding: utf-8 -*-
5
# @Author: h1xa
6
# @Date:   2020-09-03 13:56:57
7
# @Last Modified by:   h1xa
8
# @Last Modified time: 2020-09-03 15:47:33
9
# @email: h1xa@ctfer.com
10
# @link: https://ctfer.com
11

12
*/
13

14

15
error_reporting(0);
16
include("flag.php");
17
if(isset($_GET['r'])){
18
    $r = $_GET['r'];
19
    mt_srand(hexdec(substr(md5($flag), 0,8)));
20
    $rand = intval($r)-intval(mt_rand());
21
    if((!$rand)){
22
        if($_COOKIE['token']==(mt_rand()+mt_rand())){
23
            echo $flag;
24
        }
25
    }else{
26
        echo $rand;
27
    }
28
}else{
29
    highlight_file(__FILE__);
30
    echo system('cat /proc/version');
31
}
32
Linux version 5.4.0-126-generic (buildd@lcy02-amd64-072) (gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.1)) #142-Ubuntu SMP Fri Aug 26 12:12:57 UTC 2022 Linux version 5.4.0-126-generic (buildd@lcy02-amd64-072) (gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.1)) #142-Ubuntu SMP Fri Aug 26 12:12:57 UTC 2022