跳至主要內容
Easycms Writeup

题目描述

简单的 cms,可以扫扫看?

提示 1: /flag.php:

if($_SERVER["REMOTE_ADDR"] != "127.0.0.1"){
   echo "Just input 'cmd' From 127.0.0.1";
   return;
}else{
   system($\_GET['cmd']);
}
H@yn3$原创2024年11月30日...大约 3 分钟CTFCISCNWeb
Simple_php Writeup

题目描述

小明在学习 CTF 的过程中遇到了一道 PHP 的题目,以他有限的水平做不出来,可以帮帮他吗?

观察源码,只要我们传进去的 cmd 不被正则匹配到,就可以执行系统命令。

if(isset($_POST['cmd'])){
    $cmd = escapeshellcmd($_POST['cmd']);
    if (!preg_match('/ls|dir|nl|nc|cat|tail|more|flag|sh|cut|awk|strings|od|curl|ping|\*|sort|ch|zip|mod|sl|find|sed|cp|mv|ty|grep|fd|df|sudo|more|cc|tac|less|head|\.|{|}|tar|zip|gcc|uniq|vi|vim|file|xxd|base64|date|bash|env|\?|wget|\'|\"|id|whoami/i', $cmd)) {
         system($cmd);
    }
}
H@yn3$原创2024年11月28日...大约 1 分钟CTFCISCNWeb
Custom Web Server Writeup

Custom Web Server (1)

题目描述

Someone said: 'One advantage of having a homemade server is that it becomes much harder to hack.' Do you agree? Give reasons.

Note: The files in src/public are unrelated for the challenge.

Chilli Level:

H@yn3$原创2024年11月12日...大约 3 分钟CTFHKCertWeb
Mystiz's Mini CTF Writeup

Mystiz's Mini CTF (2)

题目描述

"A QA engineer walks into a bar. Orders a beer. Orders 0 beers. Orders 99999999999 beers. Orders a lizard. Orders -1 beers. Orders a ueicbksjdhd."

I am working on yet another CTF platform. I haven't implement all the features yet, but I am confident that it is at least secure.

H@yn3$原创2024年11月11日...大约 5 分钟CTFHKCertWeb
Webpage to PDF Writeup

Webpage to PDF (1)

题目描述

Thanks to Poe I coded a webpage to PDF in seconds! I am genius right?

Chilli Level:

H@yn3$原创2024年11月11日...大约 3 分钟CTFHKCertWeb
Prying Eyes Writeup

该网站是一个可以发布帖子的网站,同时可以上传图片,所以在源码中关注一下图片上传的地方有没有漏洞

观察源码我们可以发现,这里对每张上传的图片都用 convert 函数进行了处理

router.post(
    "/post",
    AuthRequired,
    fileUpload({
        limits: {
            fileSize: 2 * 1024 * 1024,
        },
    }),
    ValidationMiddleware("post", "/forum"),
    async function (req, res) {
        const { title, message, parentId, ...convertParams } = req.body;
        if (parentId) {
            const parentPost = await db.getPost(parentId);

            if (!parentPost) {
                req.flashError("That post doesn't seem to exist.");
                return res.redirect("/forum");
            }
        }

        let attachedImage = null;

        if (req.files && req.files.image) {
            const fileName = randomBytes(16).toString("hex");
            const filePath = path.join(__dirname, "..", "uploads", fileName);

            try {
                const processedImage = await convert({
                    ...convertParams,
                    srcData: req.files.image.data,
                    format: "AVIF",
                });

                await fs.writeFile(filePath, processedImage);

                attachedImage = `/uploads/${fileName}`;
            } catch (error) {
                req.flashError(
                    "There was an issue processing your image, please try again."
                );
                console.error("Error occured while processing image:", error);
                return res.redirect("/forum");
            }
        }

        const { lastID: postId } = await db.createPost(
            req.session.userId,
            parentId,
            title,
            message,
            attachedImage
        );

        if (parentId) {
            return res.redirect(`/forum/post/${parentId}#post-${postId}`);
        } else {
            return res.redirect(`/forum/post/${postId}`);
        }
    }
);
H@yn3$2024年11月8日...大约 3 分钟CTFHTBWeb
Insomnia Writeup

点击页面中的所有按钮,发现整个网站只有登录和注册两个功能,所以我们在源码中关注这两个功能。

在源码中全局搜索 flag 后,在 ProfileController 中发现了读取 flag 的代码。

public function index() {
    $token = (string) $_COOKIE["token"] ?? null;
    $flag = file_get_contents(filename: APPPATH . "/../flag.txt");
    if (isset($token)) {
        $key = (string) getenv("JWT_SECRET");
        $jwt_decode = JWT::decode($token, new Key($key, "HS256"));
        $username = $jwt_decode->username;
        if ($username == "administrator") {
            return view("ProfilePage", [
                "username" => $username,
                "content" => $flag,
            ]);
        } else {
            $content = "Haven't seen you for a while";
            return view("ProfilePage", [
                "username" => $username,
                "content" => $content,
            ]);
        }
    }
}
H@yn3$2024年11月7日...大约 2 分钟CTFHTBWeb
ApacheBlaze Writeup

点击页面的按钮后发现提示 This game is currently available only from dev.apacheblaze.local.

在源码中搜索这个域名,找到对应处理函数

@app.route('/', methods=['GET'])
def index():
    game = request.args.get('game')

    if not game:
        return jsonify({
            'error': 'Empty game name is not supported!.'
        }), 400

    elif game not in app.config['GAMES']:
        return jsonify({
            'error': 'Invalid game name!'
        }), 400

    elif game == 'click_topia':
        print(request.headers)
        if request.headers.get('X-Forwarded-Host') == 'dev.apacheblaze.local':
            return jsonify({
                'message': f'{app.config["FLAG"]}'
            }), 200
        else:
            return jsonify({
                'message': 'This game is currently available only from dev.apacheblaze.local.'
            }), 200

    else:
        return jsonify({
            'message': 'This game is currently unavailable due to internal maintenance.'
        }), 200
H@yn3$2024年11月6日...大约 3 分钟CTFHTBWeb
第八届'强网杯'全国网络安全挑战赛 Writeup

Snake

观察 game.js 源码

if (data.status === "game_over") {
    alert(`Game Over! Your score: ${data.score}`);
    reset_game();
} else if (data.status === "win") {
    window.location.href = `${data.url}`;
} else {
    snake = data.snake;
    food = { x: data.food[0], y: data.food[1] };
    score = data.score;
    draw();
}
H@yn3$原创2024年11月3日...大约 7 分钟CTFWeb
CISCN-2019 Web11

题目来源:CISCN-2019 华东南-Web11

WriteUp

观察首页,在 footer 发现到是 PHP 的 smarty 模板引擎

随手在 X-Forwarded-For 写入一个 IP,可以看到 Current IP 显示了我们写入的 IP,于是可以判断他是通过 X-Forwarded-For 来获取 IP 的,猜测存在 SSTI 漏洞。

Haynes2024年4月26日...大约 2 分钟CTFCISCNWeb
Made with ❤️ by Haynes.
Copyright © 2024 𝓗𝓪𝔂𝓷𝓮𝓼