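Author: 颖奇L’Amore
Blog: www.gem-love.com
I played this five days ago. The challenges were all very easy; I had just finished De1CTF and was tired, so I kept putting off the writeup. Today I'm playing 网鼎 (Wangding Cup), but two waves of challenges came out with no web at all (speechless), so I'm taking the time to write this up.
There were 5+1 web challenges in total (one of them was not in the web category), all sanity-check level.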
Are you the Master? 1 (546pt)
The page shows nothing when opened, so view the HTML source:
<!DOCTYPE html>
<h1><b>Hello</b></h1><h2>Welcome to the best collision</h2><br><img src='extras/lol.webp'><!--view.php may help you -->
Go to view.php:
<!DOCTYPE html>
<?php
include "./ans.php";
error_reporting(0);
echo "<h1><b>Hello</b></h1><h2>Welcome to the best collision</h2>";
$black_list = "/admin|guest|limit|by|substr|mid|like|or|char|union|select|greatest|%00|\'|";
$black_list .= "=|_| |in|<|>|-|chal|_|\.|\(\)|#|and|if|database|where|concat|insert|having|sleep/i";
if(preg_match($black_list, $_GET['one'])) exit(":P");
if(preg_match($black_list, $_GET['two'])) exit(":P");
$one=$_GET['one'];
$two=$_GET['two'];
if($one!=$two)
{
    if(md5($one)==md5($two))
    {
        echo $ans;
    }
    else
    {
        echo "<br><img src='extras/easyhmm.webp'>";
    }
}
else
{
    echo "<br><img src='extras/lol.webp'>";
}
?>
<!--view.php may help you -->
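There is only source code here: no output from echo, and no highlight_file() call or the like. This is the source of index.php; view.php just does highlight_file('index.php'), so we still have to go back to the home page to do the collision.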
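A very simple md5 "collision". Because the digests are compared with a loose ==, two strings whose md5 values both have the form 0e followed by digits are compared as numbers and come out equal; passing arrays also works. Two methods:
?one[]=1&two[]=2
?one=s878926199a&two=s155964671a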
This returns:
<img src='..' height='200px' width='200px' onclick='alert(String.fromCharCode(104,116,116,112,115,58,47,47,116,105,110,121,117,114,108,46,99,111,109,47,121,56,116,52,104,121,52,117))'>
Clicking the image pops up:
https://tinyurl.com/y8t4hy4u
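Opening it leads to Google Drive, where two things can be downloaded, but there is no flag. Then I suddenly remembered that the flag for this challenge is a URL.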
flag: zh3r0{https://tinyurl.com/y8t4hy4u}
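Why the string pair above passes the md5 check in index.php, and what a strict comparison changes, as an added PHP example (not the challenge's code). The function names loose_md5_equal and strict_md5_equal are hypothetical; the two input strings are the ones from this write-up.

```php
<?php
// Added example, not part of the challenge source.

// Mirrors the check in index.php: loose != and loose == on the digests.
// Two digests of the form "0e<digits>" are numeric strings, so PHP
// compares them as floats (0 * 10^n == 0) and reports them equal.
function loose_md5_equal($one, $two): bool
{
    return $one != $two && md5($one) == md5($two);
}

// Hypothetical hardened form of the same check:
//  - only strings are accepted, so array parameters (?one[]=1&two[]=2)
//    are rejected before they reach preg_match() or md5();
//  - digests are compared byte for byte with hash_equals(), so
//    "0e..." strings are no longer interpreted as numbers.
function strict_md5_equal($one, $two): bool
{
    if (!is_string($one) || !is_string($two)) {
        return false;
    }
    return $one !== $two && hash_equals(md5($one), md5($two));
}

// The pair used in this write-up.
$a = 's878926199a';
$b = 's155964671a';

printf("md5(%s) = %s\n", $a, md5($a));
printf("md5(%s) = %s\n", $b, md5($b));

echo "loose check on the string pair:  ";
var_dump(loose_md5_equal($a, $b));

echo "strict check on the string pair: ";
var_dump(strict_md5_equal($a, $b));

echo "strict check on array inputs:    ";
var_dump(strict_md5_equal(['1'], ['2']));
```

With the strict form, passing the check would require two different strings with byte-identical MD5 digests rather than a type-juggling shortcut.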
PIzza (50pt)
A verification form:
<form action="index.html" method="post">
<input type="text" id="pass" size="8" />
<br/>
<input type="submit" value="Check" onclick="verify(); return false;" />
</form>
</div>
</div>
<script src="res/script.js"></script>
Open script.js to read the JS source:
function verify() {
    checkpass = document.getElementById("pass").value;
    split = 4;
    // Each nested check compares one 4-character slice of the input.
    if (checkpass.substring(split*7, split*8) == '}') {
        if (checkpass.substring(split*6, split*7) == '3st1') {
            if (checkpass.substring(split*5, split*6) == 'h3_b') {
                if (checkpass.substring(split*4, split*5) == '1s_7') {
                    if (checkpass.substring(split*3, split*4) == '1ta_') {
                        if (checkpass.substring(split*2, split*3) == 'rgar') {
                            if (checkpass.substring(split, split*2) == '0{Ma') {
                                if (checkpass.substring(0,split) == 'zh3r') {
                                    alert("You got the flag!")
                                }
                            }
                        }
                    }
                }
            }
        }
    }
}
The flag has simply been cut into pieces with substring(), so concatenating the pieces in order gives it:
flag: zh3r0{Margar1ta_1s_7h3_b3st1}
Cake (50pt)
A comment in the page source:
<!--I think I saw a robot running with it-->
robots.txt:
User-agent: *
Disallow: /gdakdshlghuighuhgds.html
Visiting that path gives the flag: zh3r0{R0b0t_St0l3_My_P1um_C4k3}
Tasty Snacks (50pt)
The flag is right in the cookie: zh3r0{CooK13s_4r3_7asty}
pasta (150pt)
View the source; it contains JSFuck. Decoding it gives:
if (document.forms[0].sauce.value == "4ma7r1ci4na" && document.forms[0].type.value == "Rig4t0n1") document.location = "drhgbonaygaocvnwyrub.html"
Visiting drhgbonaygaocvnwyrub.html directly gives the flag: zh3r0{4ma7r1ci4na_is_4ws0m3}
Ice Cream (150pt)
Find out which is my favorite ice cream. It may contain a flag.
I have told it to my name server friends.
Author Finch
No URL was given, but the key phrase in the description is "name server". The Rabbit Hole challenge that y老师 wrote for MetasequoiaCTF hid its information in a TXT record, so run dig:

zh3r0{Str4wberry_1c3cream_1s_4ws0me}
Original article by 颖奇L'Amore; please credit the author and link to the article when reposting.
Article link: https://blog.gem-love.com/ctf/2314.html