Ctf on Xrntkk's Blog

强网拟态2025决赛awd_rasp复现

Thu, 11 Dec 2025 11:00:00 +0800

这是一个含有非常多危险依赖的题，如下：

  1 <dependencies>
  2
  3        <!-- AOP / Aspect -->
  4        <dependency>
  5            <groupId>org.glassfish.hk2.external</groupId>
  6            <artifactId>aopalliance-repackaged</artifactId>
  7            <version>2.6.1</version>
  8        </dependency>
  9
 10        <dependency>
 11            <groupId>org.aspectj</groupId>
 12            <artifactId>aspectjweaver</artifactId>
 13            <version>1.9.2</version>
 14        </dependency>
 15
 16        <!-- Oracle Coherence -->
 17        <dependency>
 18            <groupId>com.oracle.coherence.ce</groupId>
 19            <artifactId>coherence</artifactId>
 20            <version>14.1.1-0-3</version>
 21        </dependency>
 22
 23        <dependency>
 24            <groupId>com.oracle.coherence.ce</groupId>
 25            <artifactId>coherence-rest</artifactId>
 26            <version>14.1.1-0-3</version>
 27        </dependency>
 28
 29        <!-- Commons -->
 30        <dependency>
 31            <groupId>commons-beanutils</groupId>
 32            <artifactId>commons-beanutils</artifactId>
 33            <version>1.9.2</version>
 34        </dependency>
 35
 36        <dependency>
 37            <groupId>commons-collections</groupId>
 38            <artifactId>commons-collections</artifactId>
 39            <version>3.2.1</version>
 40        </dependency>
 41
 42        <dependency>
 43            <groupId>org.apache.commons</groupId>
 44            <artifactId>commons-collections4</artifactId>
 45            <version>4.0</version>
 46        </dependency>
 47
 48        <dependency>
 49            <groupId>commons-logging</groupId>
 50            <artifactId>commons-logging</artifactId>
 51            <version>1.2</version>
 52        </dependency>
 53
 54        <!-- Groovy -->
 55        <dependency>
 56            <groupId>org.codehaus.groovy</groupId>
 57            <artifactId>groovy</artifactId>
 58            <version>2.3.9</version>
 59        </dependency>
 60
 61        <!-- HK2 -->
 62        <dependency>
 63            <groupId>org.glassfish.hk2</groupId>
 64            <artifactId>hk2-api</artifactId>
 65            <version>2.6.1</version>
 66        </dependency>
 67
 68        <dependency>
 69            <groupId>org.glassfish.hk2</groupId>
 70            <artifactId>hk2-locator</artifactId>
 71            <version>2.6.1</version>
 72        </dependency>
 73
 74        <dependency>
 75            <groupId>org.glassfish.hk2</groupId>
 76            <artifactId>hk2-utils</artifactId>
 77            <version>2.6.1</version>
 78        </dependency>
 79
 80        <!-- Jackson -->
 81        <dependency>
 82            <groupId>com.fasterxml.jackson.core</groupId>
 83            <artifactId>jackson-annotations</artifactId>
 84            <version>2.13.4</version>
 85        </dependency>
 86
 87        <dependency>
 88            <groupId>com.fasterxml.jackson.core</groupId>
 89            <artifactId>jackson-core</artifactId>
 90            <version>2.13.4</version>
 91        </dependency>
 92
 93        <dependency>
 94            <groupId>com.fasterxml.jackson.core</groupId>
 95            <artifactId>jackson-databind</artifactId>
 96            <version>2.13.4.2</version>
 97        </dependency>
 98
 99        <dependency>
100            <groupId>com.fasterxml.jackson.datatype</groupId>
101            <artifactId>jackson-datatype-jdk8</artifactId>
102            <version>2.13.4</version>
103        </dependency>
104
105        <dependency>
106            <groupId>com.fasterxml.jackson.datatype</groupId>
107            <artifactId>jackson-datatype-jsr310</artifactId>
108            <version>2.13.4</version>
109        </dependency>
110
111        <dependency>
112            <groupId>com.fasterxml.jackson.jaxrs</groupId>
113            <artifactId>jackson-jaxrs-base</artifactId>
114            <version>2.13.4</version>
115        </dependency>
116
117        <dependency>
118            <groupId>com.fasterxml.jackson.jaxrs</groupId>
119            <artifactId>jackson-jaxrs-json-provider</artifactId>
120            <version>2.13.4</version>
121        </dependency>
122
123        <dependency>
124            <groupId>com.fasterxml.jackson.module</groupId>
125            <artifactId>jackson-module-jaxb-annotations</artifactId>
126            <version>2.13.4</version>
127        </dependency>
128
129        <dependency>
130            <groupId>com.fasterxml.jackson.module</groupId>
131            <artifactId>jackson-module-parameter-names</artifactId>
132            <version>2.13.4</version>
133        </dependency>
134
135        <!-- Jakarta -->
136        <dependency>
137            <groupId>jakarta.activation</groupId>
138            <artifactId>jakarta.activation-api</artifactId>
139            <version>1.2.2</version>
140        </dependency>
141
142        <dependency>
143            <groupId>jakarta.annotation</groupId>
144            <artifactId>jakarta.annotation-api</artifactId>
145            <version>1.3.5</version>
146        </dependency>
147
148        <dependency>
149            <groupId>jakarta.validation</groupId>
150            <artifactId>jakarta.validation-api</artifactId>
151            <version>2.0.2</version>
152        </dependency>
153
154        <dependency>
155            <groupId>jakarta.ws.rs</groupId>
156            <artifactId>jakarta.ws.rs-api</artifactId>
157            <version>2.1.6</version>
158        </dependency>
159
160        <dependency>
161            <groupId>jakarta.xml.bind</groupId>
162            <artifactId>jakarta.xml.bind-api</artifactId>
163            <version>2.3.3</version>
164        </dependency>
165
166        <!-- Javassist -->
167        <dependency>
168            <groupId>org.javassist</groupId>
169            <artifactId>javassist</artifactId>
170            <version>3.25.0-GA</version>
171        </dependency>
172
173        <!-- Jersey -->
174        <dependency>
175            <groupId>org.glassfish.jersey.core</groupId>
176            <artifactId>jersey-client</artifactId>
177            <version>2.35</version>
178        </dependency>
179
180        <dependency>
181            <groupId>org.glassfish.jersey.core</groupId>
182            <artifactId>jersey-common</artifactId>
183            <version>2.35</version>
184        </dependency>
185
186        <dependency>
187            <groupId>org.glassfish.jersey.containers</groupId>
188            <artifactId>jersey-container-jdk-http</artifactId>
189            <version>2.35</version>
190        </dependency>
191
192        <dependency>
193            <groupId>org.glassfish.jersey.containers</groupId>
194            <artifactId>jersey-container-servlet</artifactId>
195            <version>2.35</version>
196        </dependency>
197
198        <dependency>
199            <groupId>org.glassfish.jersey.containers</groupId>
200            <artifactId>jersey-container-servlet-core</artifactId>
201            <version>2.35</version>
202        </dependency>
203
204        <dependency>
205            <groupId>org.glassfish.jersey.ext</groupId>
206            <artifactId>jersey-entity-filtering</artifactId>
207            <version>2.35</version>
208        </dependency>
209
210        <dependency>
211            <groupId>org.glassfish.jersey.inject</groupId>
212            <artifactId>jersey-hk2</artifactId>
213            <version>2.35</version>
214        </dependency>
215
216        <dependency>
217            <groupId>org.glassfish.jersey.media</groupId>
218            <artifactId>jersey-media-json-jackson</artifactId>
219            <version>2.35</version>
220        </dependency>
221
222        <dependency>
223            <groupId>org.glassfish.jersey.media</groupId>
224            <artifactId>jersey-media-sse</artifactId>
225            <version>2.35</version>
226        </dependency>
227
228        <dependency>
229            <groupId>org.glassfish.jersey.core</groupId>
230            <artifactId>jersey-server</artifactId>
231            <version>2.35</version>
232        </dependency>
233
234        <!-- JTA -->
235        <dependency>
236            <groupId>javax.transaction</groupId>
237            <artifactId>jta</artifactId>
238            <version>1.1</version>
239        </dependency>
240
241        <!-- Logging -->
242        <dependency>
243            <groupId>org.slf4j</groupId>
244            <artifactId>jul-to-slf4j</artifactId>
245            <version>1.7.36</version>
246        </dependency>
247
248        <dependency>
249            <groupId>org.slf4j</groupId>
250            <artifactId>slf4j-api</artifactId>
251            <version>1.7.36</version>
252        </dependency>
253
254        <dependency>
255            <groupId>org.apache.logging.log4j</groupId>
256            <artifactId>log4j-api</artifactId>
257            <version>2.17.2</version>
258        </dependency>
259
260        <dependency>
261            <groupId>org.apache.logging.log4j</groupId>
262            <artifactId>log4j-to-slf4j</artifactId>
263            <version>2.17.2</version>
264        </dependency>
265
266        <dependency>
267            <groupId>ch.qos.logback</groupId>
268            <artifactId>logback-classic</artifactId>
269            <version>1.2.11</version>
270        </dependency>
271
272        <dependency>
273            <groupId>ch.qos.logback</groupId>
274            <artifactId>logback-core</artifactId>
275            <version>1.2.11</version>
276        </dependency>
277
278        <!-- OSGI -->
279        <dependency>
280            <groupId>org.glassfish.hk2</groupId>
281            <artifactId>osgi-resource-locator</artifactId>
282            <version>1.0.3</version>
283        </dependency>
284
285        <!-- SnakeYAML -->
286        <dependency>
287            <groupId>org.yaml</groupId>
288            <artifactId>snakeyaml</artifactId>
289            <version>1.29</version>
290        </dependency>
291
292        <!-- Spring Framework -->
293        <dependency>
294            <groupId>org.springframework</groupId>
295            <artifactId>spring-aop</artifactId>
296            <version>5.3.23</version>
297        </dependency>
298
299        <dependency>
300            <groupId>org.springframework</groupId>
301            <artifactId>spring-beans</artifactId>
302            <version>5.3.23</version>
303        </dependency>
304
305        <dependency>
306            <groupId>org.springframework</groupId>
307            <artifactId>spring-context</artifactId>
308            <version>5.3.23</version>
309        </dependency>
310
311        <dependency>
312            <groupId>org.springframework</groupId>
313            <artifactId>spring-core</artifactId>
314            <version>5.3.23</version>
315        </dependency>
316
317        <dependency>
318            <groupId>org.springframework</groupId>
319            <artifactId>spring-expression</artifactId>
320            <version>5.3.23</version>
321        </dependency>
322
323        <dependency>
324            <groupId>org.springframework</groupId>
325            <artifactId>spring-jcl</artifactId>
326            <version>5.3.23</version>
327        </dependency>
328
329        <dependency>
330            <groupId>org.springframework</groupId>
331            <artifactId>spring-web</artifactId>
332            <version>5.3.23</version>
333        </dependency>
334
335        <dependency>
336            <groupId>org.springframework</groupId>
337            <artifactId>spring-webmvc</artifactId>
338            <version>5.3.23</version>
339        </dependency>
340
341        <dependency>
342            <groupId>org.springframework</groupId>
343            <artifactId>spring-tx</artifactId>
344            <version>5.3.30</version>
345        </dependency>
346
347        <!-- Spring Boot -->
348        <dependency>
349            <groupId>org.springframework.boot</groupId>
350            <artifactId>spring-boot</artifactId>
351            <version>2.6.13</version>
352        </dependency>
353
354        <dependency>
355            <groupId>org.springframework.boot</groupId>
356            <artifactId>spring-boot-autoconfigure</artifactId>
357            <version>2.6.13</version>
358        </dependency>
359
360        <dependency>
361            <groupId>org.springframework.boot</groupId>
362            <artifactId>spring-boot-jarmode-layertools</artifactId>
363            <version>2.6.13</version>
364        </dependency>
365
366        <!-- Tomcat -->
367        <dependency>
368            <groupId>org.apache.tomcat.embed</groupId>
369            <artifactId>tomcat-embed-core</artifactId>
370            <version>9.0.68</version>
371        </dependency>
372
373        <dependency>
374            <groupId>org.apache.tomcat.embed</groupId>
375            <artifactId>tomcat-embed-el</artifactId>
376            <version>9.0.68</version>
377        </dependency>
378
379        <dependency>
380            <groupId>org.apache.tomcat.embed</groupId>
381            <artifactId>tomcat-embed-websocket</artifactId>
382            <version>9.0.68</version>
383        </dependency>

相对的waf也非常长，分别是在resolveClass中的Waf和在Rasp中的waf

羊城杯2025 金Java&ezsigin Writeup

Mon, 13 Oct 2025 14:00:00 +0800

菜菜web手第一次给比赛出题，如果题目出的不太好或者有什么问题欢迎加我扣扣(58896863)拷打我

金Java

考点：CVE-2025-59340漏洞复现+RASP绕过

LilCTF-2025-Web-Writeup

Mon, 18 Aug 2025 18:53:55 +0800

这次我们第二名，大家太强了，彦门万岁！

这里是我个人的wp，这次Web我做了5题，所以这里就只写我自己做的题目。

ez_bottle

关键代码

 1@post('/upload')
 2def upload():
 3    zip_file = request.files.get('file')
 4    if not zip_file or not zip_file.filename.endswith('.zip'):
 5        return 'Invalid file. Please upload a ZIP file.'
 6
 7    if len(zip_file.file.read()) > MAX_FILE_SIZE:
 8        return 'File size exceeds 1MB. Please upload a smaller ZIP file.'
 9
10    zip_file.file.seek(0)
11
12    current_time = str(time.time())
13    unique_string = zip_file.filename + current_time
14    md5_hash = hashlib.md5(unique_string.encode()).hexdigest()
15    extract_dir = os.path.join(UPLOAD_DIR, md5_hash)
16    os.makedirs(extract_dir)
17
18    zip_path = os.path.join(extract_dir, 'upload.zip')
19    zip_file.save(zip_path)
20
21    try:
22        with zipfile.ZipFile(zip_path, 'r') as z:
23            for file_info in z.infolist():
24                if is_symlink(file_info):
25                    return 'Symbolic links are not allowed.'
26
27                real_dest_path = os.path.realpath(os.path.join(extract_dir, file_info.filename))
28                if not is_safe_path(extract_dir, real_dest_path):
29                    return 'Path traversal detected.'
30
31            z.extractall(extract_dir)
32    except zipfile.BadZipFile:
33        return 'Invalid ZIP file.'
34
35    files = os.listdir(extract_dir)
36    files.remove('upload.zip')
37
38    return template("文件列表: {{files}}\n访问: /view/{{md5}}/{{first_file}}",
39                    files=", ".join(files), md5=md5_hash, first_file=files[0] if files else "nofile")
40
41@route('/view/<md5>/<filename>')
42def view_file(md5, filename):
43    file_path = os.path.join(UPLOAD_DIR, md5, filename)
44    if not os.path.exists(file_path):
45        return "File not found."
46
47    with open(file_path, 'r', encoding='utf-8') as f:
48        content = f.read()
49
50    if contains_blacklist(content):
51        return "you are hacker!!!nonono!!!"
52
53    try:
54        return template(content)
55    except Exception as e:
56        return f"Error rendering template: {str(e)}"

上传一个zip，他会解压并显示文件列表，并且可以查看文件内容

H&NCTF-2025-Web-Writeup

Sun, 08 Jun 2025 22:29:00 +0800

Web

Really_Ez_Rce

源码

 1<?php
 2header('Content-Type: text/html; charset=utf-8');
 3highlight_file(__FILE__);
 4error_reporting(0);
 5
 6if (isset($_REQUEST['Number'])) {
 7    $inputNumber = $_REQUEST['Number'];
 8    
 9    if (preg_match('/\d/', $inputNumber)) {
10        die("不行不行,不能这样");
11    }
12
13    if (intval($inputNumber)) {
14        echo "OK,接下来你知道该怎么做吗";
15        
16        if (isset($_POST['cmd'])) {
17            $cmd = $_POST['cmd'];
18            
19            if (!preg_match(
20                '/wget|dir|nl|nc|cat|tail|more|flag|sh|cut|awk|strings|od|curl|ping|\\*|sort|zip|mod|sl|find|sed|cp|mv|ty|php|tee|txt|grep|base|fd|df|\\\\|more|cc|tac|less|head|\.|\{|\}|uniq|copy|%|file|xxd|date|\[|\]|flag|bash|env|!|\?|ls|\'|\"|id/i',
21                $cmd
22            )) {
23                echo "你传的参数似乎挺正经的,放你过去吧<br>";
24                system($cmd);
25            } else {
26                echo "nonono,hacker!!!";
27            }
28        }
29    }
30}

Payload:

POST: Number[]=1&cmd=ec``ho Y2F0IC9mKg== | ba``se64 -d | bas``h

Watch

出题人写了一个基于 ntdll.dll 的 Windows NT 原生 API 调用实现的文件读取库

D^3CTF-2025-Web-Writeup

Mon, 02 Jun 2025 16:00:00 +0800

Web

比赛时就打出了d3invitation和d3model，比赛结束复现一下，还是学到了不少新东西。

d3invitation

第一次在大赛中拿到血，纪念一下（新手就是爱记录

TGCTF-2025-Web-Writeup

Fri, 18 Apr 2025 00:27:55 +0800

Web

(ez)upload

hint写有源码泄露

index.php.bak拿源码

 1<?php
 2define('UPLOAD_PATH', __DIR__ . '/uploads/');
 3$is_upload = false;
 4$msg = null;
 5$status_code = 200; // 默认状态码为 200
 6if (isset($_POST['submit'])) {
 7    if (file_exists(UPLOAD_PATH)) {
 8        $deny_ext = array("php", "php5", "php4", "php3", "php2", "html", "htm", "phtml", "pht", "jsp", "jspa", "jspx", "jsw", "jsv", "jspf", "jtml", "asp", "aspx", "asa", "asax", "ascx", "ashx", "asmx", "cer", "swf", "htaccess");
 9
10        if (isset($_GET['name'])) {
11            $file_name = $_GET['name'];
12        } else {
13            $file_name = basename($_FILES['name']['name']);
14        }
15        $file_ext = pathinfo($file_name, PATHINFO_EXTENSION);
16
17        if (!in_array($file_ext, $deny_ext)) {
18            $temp_file = $_FILES['name']['tmp_name'];
19            $file_content = file_get_contents($temp_file);
20
21            if (preg_match('/.+?</s', $file_content)) {
22                $msg = '文件内容包含非法字符，禁止上传！';
23                $status_code = 403; // 403 表示禁止访问
24            } else {
25                $img_path = UPLOAD_PATH . $file_name;
26                if (move_uploaded_file($temp_file, $img_path)) {
27                    $is_upload = true;
28                    $msg = '文件上传成功！';
29                } else {
30                    $msg = '上传出错！';
31                    $status_code = 500; // 500 表示服务器内部错误
32                }
33            }
34        } else {
35            $msg = '禁止保存为该类型文件！';
36            $status_code = 403; // 403 表示禁止访问
37        }
38    } else {
39        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建！';
40        $status_code = 404; // 404 表示资源未找到
41    }
42}
43
44// 设置 HTTP 状态码
45http_response_code($status_code);
46
47// 输出结果
48echo json_encode([
49    'status_code' => $status_code,
50    'msg' => $msg,
51]);

审计一下代码，看到有个name，可以对文件名进行修改，想到目录穿越

XYCTF-2025-Web-Writeup

Thu, 10 Apr 2025 00:27:55 +0800

Web

题目

 1# -*- encoding: utf-8 -*-
 2'''
 3@File    :   main.py
 4@Time    :   2025/03/28 22:20:49
 5@Author  :   LamentXU 
 6'''
 7'''
 8flag in /flag_{uuid4}
 9'''
10from bottle import Bottle, request, response, redirect, static_file, run, route
11with open('../../secret.txt', 'r') as f:
12    secret = f.read()
13
14app = Bottle()
15@route('/')
16def index():
17    return '''HI'''
18@route('/download')
19def download():
20    name = request.query.filename
21    if '../../' in name or name.startswith('/') or name.startswith('../') or '\\' in name:
22        response.status = 403
23        return 'Forbidden'
24    with open(name, 'rb') as f:
25        data = f.read()
26    return data
27
28@route('/secret')
29def secret_page():
30    try:
31        session = request.get_cookie("name", secret=secret)
32        if not session or session["name"] == "guest":
33            session = {"name": "guest"}
34            response.set_cookie("name", session, secret=secret)
35            return 'Forbidden!'
36        if session["name"] == "admin":
37            return 'The secret has been deleted!'
38    except:
39        return "Error!"
40run(host='0.0.0.0', port=8080, debug=False)

目录穿越拿secret

NCTF-2025-Web-Writeup

Mon, 24 Mar 2025 00:27:55 +0800

sqlmap-master

题目

 1from fastapi import FastAPI, Request
 2from fastapi.responses import FileResponse, StreamingResponse
 3import subprocess
 4
 5app = FastAPI()
 6
 7@app.get("/")
 8async def index():
 9    return FileResponse("index.html")
10
11@app.post("/run")
12async def run(request: Request):
13    data = await request.json()
14    url = data.get("url")
15    
16    if not url:
17        return {"error": "URL is required"}
18    
19    command = f'sqlmap -u {url} --batch --flush-session'
20
21    def generate():
22        process = subprocess.Popen(
23            command.split(),
24            stdout=subprocess.PIPE,
25            stderr=subprocess.STDOUT,
26            shell=False
27        )
28        
29        while True:
30            output = process.stdout.readline()
31            if output == '' and process.poll() is not None:
32                break
33            if output:
34                yield output
35    
36    return StreamingResponse(generate(), media_type="text/plain")

其实就是一个网页端的sqlmap

看一下sqlmap的使用文档

TPCTF2025-Web-赛后复现Writeup

Sat, 15 Mar 2025 00:27:55 +0800

参考文章

https://blog.0xfff.team/posts/tpctf_2025_writeup/

https://z3n1th1.com/2025/03/tpctf2025-writeup/

TPCTF2025 Writeup - 星盟安全团队

baby layout

这是一道关于绕过DOMPurify库，进行xss cookie窃取的题目

DOMPurify 是一个专门用于清理 HTML 输入的 JavaScript 库，旨在防止跨站脚本 (XSS) 攻击。它通过过滤和净化用户提供的 HTML 内容，确保其安全地嵌入到网页中，避免恶意代码的执行。

GHCTF-2025-Web-Writeup

Sun, 09 Mar 2025 00:27:55 +0800

战队名：我要打奥斯汀major

比赛排名：5

Web

upload?SSTI!

读取文件中的内容并进行模板渲染，存在ssti

有waf

1def contains_dangerous_keywords(file_path):
2    dangerous_keywords = ['_', 'os', 'subclasses', '__builtins__', '__globals__','flag',]
3
4    with open(file_path, 'rb') as f:
5        file_content = str(f.read())
6
7        for keyword in dangerous_keywords:
8            if keyword in file_content:
9                return True  # 找到危险关键字，返回 True

简单绕一下

HGAME2025-Web-Writeup

Thu, 20 Feb 2025 00:27:55 +0800

Web

week1

Level 24 Pacman

拿到环境

一个小游戏，猜测应该是js审计

查看index.js发现代码进行了混淆

可以用工具反混淆一下，增加一下可读性

https://tool.yuanrenxue.cn/decode_obfuscator

反混淆之后找到这个

CTFSHOW-SQL注入-Writeup

Wed, 22 Jan 2025 00:27:55 +0800

无过滤注入（对输出内容进行过滤）

web171

$sql = "select username,password from user where username !='flag' and id = '".$_GET['id']."' limit 1;";

flag是存在于username为flag的用户的数据中，我们只需要通过

1' or 1=1 --+

即可输出所有用户数据

web172

相比上一题，这题增加了过滤

国城杯决赛-Web-Writeup

Fri, 27 Dec 2024 22:03:55 +0800

CTF

mountain

Python Bottle框架伪造session打pickle反序列化

拿到题目看一下源码，有hint

访问/display

根据提示，尝试用photo参数读图片

CTFSHOW-反序列化-Writeup

Sun, 22 Dec 2024 00:27:55 +0800

PHP的魔法方法

PHP 将所有以 __（两个下划线）开头的类方法保留为魔术方法。所以在定义类方法时，除了上述魔术方法，建议不要以 __ 为前缀。常见的魔法方法如下：

 1__construct()，类的构造函数
 2
 3__destruct()，类的析构函数
 4
 5__call()，在对象中调用一个不可访问方法时调用
 6
 7__callStatic()，用静态方式中调用一个不可访问方法时调用
 8
 9__get()，获得一个类的成员变量时调用
10
11__set()，设置一个类的成员变量时调用
12
13__isset()，当对不可访问属性调用isset()或empty()时调用
14
15__unset()，当对不可访问属性调用unset()时被调用。
16
17__sleep()，执行serialize()时，先会调用这个函数
18
19__wakeup()，执行unserialize()时，先会调用这个函数
20
21__toString()，类被当成字符串时的回应方法
22
23__invoke()，调用函数的方式调用一个对象时的回应方法
24
25__set_state()，调用var_export()导出类时，此静态方法会被调用。
26
27__clone()，当对象复制完成时调用
28
29__autoload()，尝试加载未定义的类
30
31__debugInfo()，打印所需调试信息

web254

1<?php
2
3                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                ?>';
4    public $code='xrntkk';
5}
6
7$poc = new ctfshowvip();
8echo urlencode(serialize($poc));

web262

字符串逃逸

CTFSHOW-命令执行-Writeup

Sun, 22 Dec 2024 00:27:55 +0800

web29

 1<?php
 2
 3/*
 4# -*- coding: utf-8 -*-
 5# @Author: h1xa
 6# @Date:   2020-09-04 00:12:34
 7# @Last Modified by:   h1xa
 8# @Last Modified time: 2020-09-04 00:26:48
 9# @email: h1xa@ctfer.com
10# @link: https://ctfer.com
11
12*/
13
14error_reporting(0);
15if(isset($_GET['c'])){
16    $c = $_GET['c'];
17    if(!preg_match("/flag/i", $c)){
18        eval($c);
19    }
20    
21}else{
22    highlight_file(__FILE__);
23}

可以看到通过eval函数可以执行php代码或者系统命令，其中过滤了flag。

CTFSHOW-文件包含-Writeup

Sun, 22 Dec 2024 00:27:55 +0800

以PHP为例,常用的文件包含函数有以下四种include(),require(),include_once(),require_once()

Web78

php伪协议

CTFSHOW-文件上传-Writeup

Sun, 22 Dec 2024 00:27:55 +0800

web151

前台验证

将一句话木马改成png，抓包修改后缀即可

payload:

1=system('cat /var/www/html/flag.php');

web152

这道题没有前端检验，但是解法跟web151是一样的

web153

一开始尝试了大小写绕过

上传后发现服务器不解析

CTFSHOW-爆破-Writeup

Sun, 20 Oct 2024 00:27:55 +0800

web21

抓个包

我们可以看到他的账号密码是通过base64编码加密后再发送的，问题不大

payload设置如下

我们还要设置一下payload处理

开始爆破，根据长度或者状态码判断即可

CTFSHOW-信息收集-Writeup

Sun, 20 Oct 2024 00:27:55 +0800

Web 1-5

查看网页源代码
抓个包看有没有藏东西
查看robots.txt
phps源码泄露，访问index.phps，通过其源码泄露，在其中找到flag

Web6

网页提示下载源码查看，访问url/www.zip得到源码文件

Ctf on Xrntkk's Blog

强网拟态2025决赛awd_rasp复现

羊城杯2025 金Java&ezsigin Writeup

金Java

LilCTF-2025-Web-Writeup

ez_bottle

H&NCTF-2025-Web-Writeup

Web

Really_Ez_Rce

Watch

D^3CTF-2025-Web-Writeup

Web

d3invitation

TGCTF-2025-Web-Writeup

Web

(ez)upload

XYCTF-2025-Web-Writeup

Web

Signin

NCTF-2025-Web-Writeup

sqlmap-master

TPCTF2025-Web-赛后复现Writeup

baby layout

GHCTF-2025-Web-Writeup

Web

upload?SSTI!

HGAME2025-Web-Writeup

Web

week1

Level 24 Pacman

CTFSHOW-SQL注入-Writeup

无过滤注入（对输出内容进行过滤）

web171

web172

国城杯决赛-Web-Writeup

CTF

mountain

CTFSHOW-反序列化-Writeup

PHP的魔法方法

web254

web262

CTFSHOW-命令执行-Writeup

web29

CTFSHOW-文件包含-Writeup

Web78

CTFSHOW-文件上传-Writeup

web151

web152

web153

CTFSHOW-爆破-Writeup

web21

CTFSHOW-信息收集-Writeup

Web 1-5

Web6