PolarCTF
Opening the challenge, we find that only users coming from IP 1.1.1.1 are allowed in. Open BurpSuite, intercept the request, and modify it as the XFF hint in the title suggests.
flag{847ac5dd4057b1ece411cc42a8dca4b7}
Supplementary knowledge for this question (headers used to make a request look like it comes from a local user):
X-Forwarded-For:127.0.0.1
X-Forwarded:127.0.0.1
Forwarded-For:127.0.0.1
Forwarded:127.0.0.1
X-Forwarded-Host:127.0.0.1
X-remote-IP:127.0.0.1
X-remote-addr:127.0.0.1
True-Client-IP:127.0.0.1
X-Client-IP:127.0.0.1
Client-IP:127.0.0.1
X-Real-IP:127.0.0.1
Ali-CDN-Real-IP:127.0.0.1
Cdn-Src-Ip:127.0.0.1
Cdn-Real-Ip:127.0.0.1
CF-Connecting-IP:127.0.0.1
X-Cluster-Client-IP:127.0.0.1
WL-Proxy-Client-IP:127.0.0.1
Proxy-Client-IP:127.0.0.1
Fastly-Client-Ip:127.0.0.1
True-Client-Ip:127.0.0.1
Host: 127.0.0.1
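To see why a check like the challenge's is spoofable and what the hardened version looks like, here is an added example (not from the write-up or the challenge): a naive client-IP lookup next to one that only honours X-Forwarded-For when the connection arrives from a trusted proxy. The proxy address 10.0.0.2, the client 203.0.113.7 and the `$server` arrays standing in for `$_SERVER` are constructed values.

```php
<?php
// Added example, not the challenge's code. $server stands in for $_SERVER so the
// functions can be exercised offline; all addresses below are constructed.

// Vulnerable pattern: trusting a client-controlled header outright.
function client_ip_naive(array $server): string {
    // Any of the headers listed above can be set by the client, so this is spoofable.
    return $server['HTTP_X_FORWARDED_FOR'] ?? ($server['REMOTE_ADDR'] ?? '');
}

// Hardened pattern: consult X-Forwarded-For only when the TCP peer is a trusted proxy,
// then walk the list from the right, skipping hops we trust, to reach the last untrusted address.
function client_ip_trusted(array $server, array $trustedProxies): string {
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($peer, $trustedProxies, true)) {
        return $peer; // direct connection: the socket address is authoritative
    }
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        $hop = $hops[$i];
        if ($hop === '' || in_array($hop, $trustedProxies, true)) {
            continue; // appended by a proxy we trust: keep walking left
        }
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            break; // malformed entry: stop trusting the chain
        }
        return $hop;
    }
    return $peer;
}

$trusted = ['10.0.0.2'];
// Constructed request: a remote client sends a forged X-Forwarded-For straight to the app.
$direct = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '1.1.1.1'];
// Constructed request: the same forgery relayed by the trusted proxy, which appends the real peer.
$proxied = ['REMOTE_ADDR' => '10.0.0.2', 'HTTP_X_FORWARDED_FOR' => '1.1.1.1, 203.0.113.7'];

var_dump(client_ip_naive($direct));            // the forged header value is accepted
var_dump(client_ip_trusted($direct, $trusted)); // the socket peer wins
var_dump(client_ip_trusted($proxied, $trusted)); // the hop added by the proxy wins
```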
2. Brute force
Opening the challenge shows PHP code; the flag is probably hidden in the / directory.
flag{8277e0910d750195b448797616e091ad}
This question can also be solved by brute-forcing the directory with the tool dirsearch.
Supplementary notes on the PHP source of this question:
1. The substr() function returns a portion of a string.
substr(string, start, length), where string and start are required parameters and length is optional.
Note: if start is negative and length is less than or equal to start, length defaults to 0.
Details of the start parameter:
(1) if positive, extraction starts at the specified position in the string;
(2) if negative, extraction starts at the specified position counted from the end of the string;
(3) if 0, extraction starts at the first character of the string.
Details of the length parameter:
(1) if positive, the number of characters to return counting from the start position;
(2) if negative, the length is counted back from the end of the string.
Return value: the extracted portion of the string, or FALSE on failure.
2. The intval() function gets the integer value of a variable.
intval() returns the integer value of the variable var, converting with the specified base (decimal by default). intval() cannot be used on objects; doing so generates an E_NOTICE and returns 1.
Opening the challenge, first press F12 to view the page source; there are two strings of digits, which we guess are a student number and a password.
Submitting them shows a successful login. As guessed, changing the last two digits of the student number and trying 02 through 05 in turn reveals the beginning of the flag, so we open BurpSuite to brute-force the rest.
flag{dlcg}
Opening the challenge shows a message that it hates Windows, so try pressing Enter.
It then says the page must be visited from an iPhone or iPad, so open BurpSuite and modify the request so that it appears to come from one.
flag{ba4c2f175f0dba2f2974e676c6dfbbab}
5.$$
Opening the challenge, we find that parameters are passed via GET, but the filter blocks almost everything. After some hesitation I ran dirsearch, which found nothing, and searching online turned up nothing either, until I found that the superglobal $GLOBALS can be used.
flag{9f8a2133f0cad361ff6d22a445c2531a}
Supplementary notes on the $GLOBALS superglobal and related PHP knowledge:
Many of PHP's predefined variables are "superglobals", meaning they are available in every scope of a script. They can be accessed inside a function or method without first running global $variable;.
$GLOBALS references all variables available in the global scope; unlike the other superglobals, $GLOBALS is always available anywhere in the PHP code.
Difference between $GLOBALS and the global keyword:
$GLOBALS: used to access all global variables (variables in the global scope), i.e. variables that can be reached from any scope in the PHP script.
global keyword: used to declare a global variable inside a function. This global variable does not apply to the whole site, only to the current page, including all files it includes or requires.
Summary:
With global, you must declare the global variable you want to use inside each function.
With $GLOBALS, global variables can be accessed and modified directly without declaring them inside the function.
6. rce1
Opening the challenge shows it is a command execution question, with a hint that spaces are filtered. First, to reveal the name of the hidden flag file, we use &ls to list the files.
With the file name known, we can simply cat it; since the question hints that spaces are filtered, we use ${IFS} instead. I had not noticed that the flag was hidden in the page source.
flag{a3949821f7627a7fd30ab0722ff9b318}
Supplementary knowledge for this question (command chaining characters):
| Pipe: both commands run, but only the second command's output is shown (the first command's output is fed into it).
|| Runs the first command; the second command runs only if the first one fails.
& Runs the second command regardless of whether the first one succeeds.
&& Runs the first command; the second command runs only if the first one succeeds.
; is used much like & (this question can also be solved directly with ;ls).
-POST
Opening the challenge, we find that a GET parameter is required; we pass it directly with HackBar.
Then follow the prompt and pass the POST parameter as well.
flag{a52b7cac3af0b081349001c92d79cc0a}
8. Hacked site
Opening the challenge shows nothing unusual, but the hint says a webshell still exists on the site. Scanning directories with dirsearch finds / and /, and we visit each in turn.
The first looks like a dictionary, so we then visit /.
Open BurpSuite and brute-force with the dictionary just obtained.
flag{8e539a7a46fea05dea18b9b9f9ff6a63}
Scanning directories with the tool dirsearch, I found that / exists.
Visiting that directory yields the following code:
<?php
function jiuzhe($xdmtql){ // takes the xdmtql variable
    return preg_match('/sys.*nb/is',$xdmtql); // match the variable against the pattern
}
$xdmtql=@$_POST['xdmtql'];
// Check whether the variable is an array
if(!is_array($xdmtql)){
    // Use the function jiuzhe to check it
    if(!jiuzhe($xdmtql)){
        // Once preg_match has been bypassed, check for the literal string and output the flag if it is present
        if(strpos($xdmtql,'sys nb')!==false){
            echo 'flag{*******}';
        }else{
            echo 'true .swp file?';
        }
    }else{
        echo 'nijilenijile'; // output when /sys.*nb/is matches
    }
}
Consider how to bypass preg_match().
As is well known, preg_match()'s backtracking limit defaults to 1,000,000 (the Chinese and English docs state the figure differently, but the actual limit is 1,000,000), and the limit can also be configured; the specifics can be looked up. When the limit is exceeded, preg_match() returns false rather than 0, and !false is true, so an input long enough to exhaust the limit passes the jiuzhe() check while still containing 'sys nb'.
exp:
import requests

# The target host was elided in the original write-up; replace TARGET_HOST with the challenge address.
url = "http://TARGET_HOST:8090/"
# "sys nb" followed by 2,000,000 characters pushes preg_match() past its backtrack limit
result = requests.post(url, data={"xdmtql": "sys nb" + "aa" * 1000000})
print(result.text)
#flag{4560b3bfea9683b050c730cd72b3a099}
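The following added example (not the challenge's code) reproduces the mechanism the exp relies on and shows the corrected check, which tests preg_match()'s false return separately from 0. It assumes the default pcre.backtrack_limit and builds a payload of the same shape as the exp.

```php
<?php
// Added example, not the challenge's code. Assumption: the default pcre.backtrack_limit
// (1,000,000); the payload is constructed with the same shape as the exp above.

function jiuzhe_vulnerable(string $s): bool {
    // preg_match() returns 1 (match), 0 (no match) or false (error, e.g. backtrack limit hit).
    // `!false` is true, so an input that exhausts the limit is treated as a non-match.
    return !preg_match('/sys.*nb/is', $s);
}

function jiuzhe_fixed(string $s): bool {
    $r = preg_match('/sys.*nb/is', $s);
    if ($r === false) {
        // Fail closed: record the PCRE error code and treat the input as unsafe.
        error_log('preg_match failed, preg_last_error=' . preg_last_error());
        return false;
    }
    return $r === 0;   // only a definite non-match passes the filter
}

$payload = 'sys nb' . str_repeat('aa', 1000000);   // constructed; same shape as the exp

var_dump(jiuzhe_vulnerable($payload));            // the filter is bypassed by the oversized input
var_dump(preg_last_error() !== PREG_NO_ERROR);    // PCRE reported an error, not a clean result
var_dump(jiuzhe_fixed($payload));                 // the fixed check rejects it
var_dump(jiuzhe_fixed('hello'));                  // ordinary input still passes
var_dump(jiuzhe_fixed('sys nb'));                 // a real match is still blocked
```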
10. Simple rce
Opening the challenge shows a code audit; the code presumably filters command execution functions, output functions, and spaces.
We replace system() with passthru(), and replace spaces with ${IFS}.
ls finds the flag file, and sort is used instead of cat to read it.
#flag{j6856fd063f0a04874311187da1191h6}
Summary of the bypasses:
1. Command execution functions
system() // prints the output and returns the last line of the command's output
exec() // does not print; returns the last line of output, and can save every line into an array passed as its second argument
passthru() // just runs the command and passes the raw output straight to the output device (can replace system)
2. Output functions
cat outputs everything from the first line onward
tac outputs all contents in reverse order, starting from the last line
nl displays the file with line numbers (similar to cat -n)
more displays a file page by page according to the window size
less is similar to more, but can also page backwards and search for text
head displays only the first few lines
tail displays only the last few lines
sort sorts the lines of a text file
3. Space bypasses
${IFS}
${IFS}$9
Redirection: <> (wildcards are not supported)
%09 horizontal tab
%0a line feed
%0d carriage return
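As an added example covering both rce1 and this challenge (not the challenges' own code), the blocklist idea the challenges rely on is written out as a detector next to an allowlist design that never hands raw input to a shell. The /var/www/data directory, the verb table and the sample inputs are constructed.

```php
<?php
// Added example, not from either challenge. Assumptions: the application only needs to
// list or show files in /var/www/data (constructed path); the verb table and inputs are constructed.

// Blocklist as the challenges describe it: a few execution function names, "cat" and the space character.
function blocklist_rejects(string $cmd): bool {
    return preg_match('/\b(system|exec|shell_exec)\b|\bcat\b| /i', $cmd) === 1;
}

// Allowlist: a fixed verb table plus a strictly validated file name, quoted with escapeshellarg().
// No chaining character, ${IFS} or %09 substitution can alter the command, because the user never supplies it.
function run_allowlisted(string $verb, string $file, string $baseDir): ?string {
    $verbs = ['ls' => 'ls -l', 'show' => 'head -n 20'];
    if (!isset($verbs[$verb])) {
        return null;   // unknown verb: refuse
    }
    // Plain file names only: no separators, no leading dot, no trailing newline (\z rather than $)
    if (preg_match('/^[A-Za-z0-9_-][A-Za-z0-9._-]{0,63}\z/', $file) !== 1) {
        return null;
    }
    return shell_exec($verbs[$verb] . ' ' . escapeshellarg($baseDir . '/' . $file));
}

// Constructed inputs; the last two use the space bypasses listed above.
$inputs = [
    'cat flag.php',            // contains "cat" and a literal space
    'passthru("ls")',          // a different execution function
    'sort${IFS}flag.php',      // ${IFS} in place of the space
    "nl\x09flag.php",          // a tab (%09), which is not the space character
];
foreach ($inputs as $in) {
    printf("%-24s rejected by blocklist: %s\n", $in, blocklist_rejects($in) ? 'yes' : 'no');
}

// The allowlist refuses anything that is not a known verb plus a plain file name.
var_dump(run_allowlisted('cat', 'notes.txt', '/var/www/data'));    // verb not in the table
var_dump(run_allowlisted('show', 'flag.php;id', '/var/www/data'));  // argument fails validation
```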