Contents

  • Misc1——We1come
  • Misc2——Mine Sweeping
  • Web1——SSRF Me
  • Crypto1——xorz

I went to De1CTF and mostly coasted through it, and found out that I really am a noob ━┳━ ━┳━

Misc1——We1come


https://t.me/De1CTF : you need to join the Telegram group (a VPN is required); the check-in flag is posted in the group.

Misc2——Mine Sweeping


The download is a Minesweeper game.

The cells that contain no mines actually form a QR code. Because stepping on a mine does not reset the mine layout, you can simply brute-force every cell to find out whether it holds a mine. I never want to play Minesweeper again in this life.

In the end I obtained roughly the following layout:

A script to draw it:

from PIL import Image

# p.txt holds the recovered board, one row per line; "1" cells are painted white, everything else black
str2=[]
with open('p.txt', 'r') as f:
    str2=f.readlines()
# repeat every row six times so the image is not squashed vertically
str1=[]
for i in str2:
    str1.append(i)
    str1.append(i)
    str1.append(i)
    str1.append(i)
    str1.append(i)
    str1.append(i)
print(len(str1[0]))
print(len(str1))
c = Image.new("RGB",(len(str1[0]),len(str1)))
for j in range (0,len(str1)):
    for i in range (0,len(str1[0])-1):      # skip the trailing newline of each row
        a=str1[j]
        if a[i]=="1":
            c.putpixel((i,j),(255,255,255))
        else :
            c.putpixel((i,j),(0,0,0))
c = c.resize((200, 200),Image.LANCZOS)    # Image.ANTIALIAS in older Pillow; it was removed in Pillow 10
c.show()
c.save("c.png")


Scanning the QR code yields a URL; visiting it gives the flag.

Web1——SSRF Me


SSRF (Server-Side Request Forgery) is a vulnerability in which an attacker constructs a request that is then issued by the server itself. In general, SSRF targets the internal systems behind the target website: because the request originates from inside, it can reach internal systems that are unreachable from the public network, effectively using the target website as a middleman.

The source code is as follows:

#! /usr/bin/env python
#encoding=utf-8
from flask import Flask
from flask import request
import socket
import hashlib
import urllib
import sys
import os
import json
reload(sys)
sys.setdefaultencoding('latin1')

app = Flask(__name__)

secert_key = os.urandom(16)


class Task:
    def __init__(self, action, param, sign, ip):
        self.action = action
        self.param = param
        self.sign = sign
        self.sandbox = md5(ip)
        if(not os.path.exists(self.sandbox)):          #SandBox For Remote_Addr
            os.mkdir(self.sandbox)

    def Exec(self):
        result = {}
        result['code'] = 500
        if (self.checkSign()):
            if "scan" in self.action:
                tmpfile = open("./%s/result.txt" % self.sandbox, 'w')
                resp = scan(self.param)
                if (resp == "Connection Timeout"):
                    result['data'] = resp
                else:
                    print resp
                    tmpfile.write(resp)
                    tmpfile.close()
                result['code'] = 200
            if "read" in self.action:
                f = open("./%s/result.txt" % self.sandbox, 'r')
                result['code'] = 200
                result['data'] = f.read()
            if result['code'] == 500:
                result['data'] = "Action Error"
        else:
            result['code'] = 500
            result['msg'] = "Sign Error"
        return result

    def checkSign(self):
        if (getSign(self.action, self.param) == self.sign):
            return True
        else:
            return False

#generate Sign For Action Scan.
@app.route("/geneSign", methods=['GET', 'POST'])
def geneSign():
    param = urllib.unquote(request.args.get("param", ""))
    action = "scan"
    return getSign(action, param)

@app.route('/De1ta',methods=['GET','POST'])
def challenge():
    action = urllib.unquote(request.cookies.get("action"))
    param = urllib.unquote(request.args.get("param", ""))
    sign = urllib.unquote(request.cookies.get("sign"))
    ip = request.remote_addr
    if(waf(param)):
        return "No Hacker!!!!"
    task = Task(action, param, sign, ip)
    return json.dumps(task.Exec())

@app.route('/')
def index():
    return open("code.txt","r").read()

def scan(param):
    socket.setdefaulttimeout(1)
    try:
        return urllib.urlopen(param).read()[:50]
    except:
        return "Connection Timeout"

def getSign(action, param):
    return hashlib.md5(secert_key + param + action).hexdigest()

def md5(content):
    return hashlib.md5(content).hexdigest()

def waf(param):
    check=param.strip().lower()
    if check.startswith("gopher") or check.startswith("file"):
        return True
    else:
        return False

if __name__ == '__main__':
    app.debug = False
    app.run(host='0.0.0.0',port=80)

Honestly the challenge is not hard; the code is just a bit long, and its logic has to be analysed carefully.

First of all, the main entry point of this code is here:

@app.route('/De1ta',methods=['GET','POST'])
def challenge():
    action = urllib.unquote(request.cookies.get("action"))
    param = urllib.unquote(request.args.get("param", ""))
    sign = urllib.unquote(request.cookies.get("sign"))
    ip = request.remote_addr
    if(waf(param)):
        return "No Hacker!!!!"
    task = Task(action, param, sign, ip)
    return json.dumps(task.Exec())

A request to /De1ta reads the two parameters action and sign from the cookies, plus a URL query parameter param. It then initialises a Task object and calls its Exec method.

Exec in turn calls the checkSign method:

def checkSign(self):
    if (getSign(self.action, self.param) == self.sign):
        return True
    else:
        return False

It compares the sign we supplied with getSign(self.action, self.param); only when they are equal does the critical code that follows get executed.

def getSign(action, param):
    return hashlib.md5(secert_key + param + action).hexdigest()

There is another entry point from which we can obtain such a sign:

@app.route("/geneSign", methods=['GET', 'POST'])
def geneSign():
    param = urllib.unquote(request.args.get("param", ""))
    action = "scan"
    return getSign(action, param)

So as long as the param we send later is identical to the param passed to /geneSign, and action equals scan, the sign returned here is guaranteed to pass checkSign.

if (self.checkSign()):
    if "scan" in self.action:
        tmpfile = open("./%s/result.txt" % self.sandbox, 'w')
        resp = scan(self.param)
        if (resp == "Connection Timeout"):
            result['data'] = resp
        else:
            print resp
            tmpfile.write(resp)
            tmpfile.close()
        result['code'] = 200
    if "read" in self.action:
        f = open("./%s/result.txt" % self.sandbox, 'r')
        result['code'] = 200
        result['data'] = f.read()
    if result['code'] == 500:
        result['data'] = "Action Error"

But what we need now is for both scan and read to be substrings of action, so that the data written by scan can be read back.

def scan(param):
    socket.setdefaulttimeout(1)
    try:
        return urllib.urlopen(param).read()[:50]
    except:
        return "Connection Timeout"

The scan() method fetches the address given in param and returns the first 50 bytes of its content.
So we can use it to read the flag.txt file on the server.

Now we need param to equal "flag.txt" and action to equal "readscan" in order to get the flag.
So what we need to know is the return value of
hashlib.md5(secert_key + "flag.txtreadscan").hexdigest()

@app.route("/geneSign", methods=['GET', 'POST'])
def geneSign():
    param = urllib.unquote(request.args.get("param", ""))
    action = "scan"
    return getSign(action, param)

This can be constructed through /geneSign: set param to flag.txtread while action is scan, and we obtain the correct sign.
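The root cause of the bypass above is that getSign() concatenates secret, param and action without any delimiter, so the boundary between the two fields is ambiguous. The following added example (not the challenge's code) reproduces the collision with a constructed stand-in secret and shows the two fixes a defender would apply: an HMAC over length-prefixed fields, and exact-match action dispatch instead of the `"scan" in action` substring test.

```python
import hashlib
import hmac

# Constructed stand-in for the server's os.urandom(16) secret; the real value is unknown.
SECRET_KEY = b"constructed-demo-secret"

def weak_sign(action: str, param: str) -> str:
    """Mirror of the challenge's getSign(): md5(secret + param + action), no separators."""
    return hashlib.md5(SECRET_KEY + param.encode() + action.encode()).hexdigest()

def strong_sign(action: str, param: str) -> str:
    """Hardened variant: HMAC-SHA256 over length-prefixed fields, so the field
    boundaries are part of the signed message and cannot be shifted."""
    fields = (action.encode(), param.encode())
    msg = b"".join(len(f).to_bytes(4, "big") + f for f in fields)
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()

def collides(sign_fn, a, b) -> bool:
    """True when two different (action, param) pairs produce the same signature."""
    return a != b and sign_fn(*a) == sign_fn(*b)

# The two pairs from the write-up: what /geneSign signs versus what /De1ta receives.
SIGNED_BY_GENESIGN = ("scan", "flag.txtread")
SENT_TO_DE1TA = ("readscan", "flag.txt")

def weak_collides() -> bool:
    return collides(weak_sign, SIGNED_BY_GENESIGN, SENT_TO_DE1TA)

def strong_collides() -> bool:
    return collides(strong_sign, SIGNED_BY_GENESIGN, SENT_TO_DE1TA)

def action_allowed(action: str) -> bool:
    """Exact-match dispatch: 'readscan' is rejected instead of triggering both branches."""
    return action in {"scan", "read"}

if __name__ == "__main__":
    print("md5(secret+param+action) collides:", weak_collides())
    print("HMAC over length-prefixed fields collides:", strong_collides())
    print("'readscan' accepted as an action:", action_allowed("readscan"))
```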

Crypto1——xorz

The challenge is as follows:

from itertools import *
from data import flag,plain
key=flag.strip("de1ctf{").strip("}")
assert(len(key)<38)
salt="WeAreDe1taTeam"
ki=cycle(key)
si=cycle(salt)
cipher = ''.join([hex(ord(p) ^ ord(next(ki)) ^ ord(next(si)))[2:].zfill(2) for p in plain])
print cipher
# output: the hex ciphertext (the string passed to unhexlify in the solve script below)

The solve script:

import string
from binascii import unhexlify, hexlify
from itertools import *

def bxor(a, b):     # xor two byte strings of different lengths
    if len(a) > len(b):
        return bytes([x ^ y for x, y in zip(a[:len(b)], b)])
    else:
        return bytes([x ^ y for x, y in zip(a, b[:len(a)])])

def hamming_distance(b1, b2):
    differing_bits = 0
    for byte in bxor(b1, b2):
        differing_bits += bin(byte).count("1")
    return differing_bits

def break_single_key_xor(text):
    # the byte that xors with the most other bytes to a letter (or to 0) is most likely a space
    key = 0
    possible_space = 0
    max_possible = 0
    letters = string.ascii_letters.encode('ascii')
    for a in range(0, len(text)):
        maxpossible = 0
        for b in range(0, len(text)):
            if(a == b):
                continue
            c = text[a] ^ text[b]
            if c not in letters and c != 0:
                continue
            maxpossible += 1
        if maxpossible > max_possible:
            max_possible = maxpossible
            possible_space = a
    key = text[possible_space] ^ 0x20
    return chr(key)

salt = "WeAreDe1taTeam"
si = cycle(salt)
b = unhexlify(b'49380d773440222d1b421b3060380c3f403c3844791b202651306721135b6229294a3c3222357e766b2f15561b35305e3c3b670e49382c295c6c170553577d3a2b791470406318315d753f03637f2b614a4f2e1c4f21027e227a4122757b446037786a7b0e37635024246d60136f7802543e4d36265c3e035a725c6322700d626b345d1d6464283a016f35714d434124281b607d315f66212d671428026a4f4f79657e34153f3467097e4e135f187a21767f02125b375563517a3742597b6c394e78742c4a725069606576777c314429264f6e330d7530453f22537f5e3034560d22146831456b1b72725f30676d0d5c71617d48753e26667e2f7a334c731c22630a242c7140457a42324629064441036c7e646208630e745531436b7c51743a36674c4f352a5575407b767a5c747176016c0676386e403a2b42356a727a04662b4446375f36265f3f124b724c6e346544706277641025063420016629225b43432428036f29341a2338627c47650b264c477c653a67043e6766152a485c7f33617264780656537e5468143f305f4537722352303c3d4379043d69797e6f3922527b24536e310d653d4c33696c635474637d0326516f745e610d773340306621105a7361654e3e392970687c2e335f3015677d4b3a724a4659767c2f5b7c16055a126820306c14315d6b59224a27311f747f336f4d5974321a22507b22705a226c6d446a37375761423a2b5c29247163046d7e47032244377508300751727126326f117f7a38670c2b23203d4f27046a5c5e1532601126292f577776606f0c6d0126474b2a73737a41316362146e581d7c1228717664091c')
plain = ''.join([hex(ord(c) ^ ord(next(si)))[2:].zfill(2) for c in b.decode()])
b = unhexlify(plain)
print(plain)

normalized_distances = []
for KEYSIZE in range(2, 40):
    # take the first six blocks and compute the average Hamming distance
    b1 = b[: KEYSIZE]
    b2 = b[KEYSIZE: KEYSIZE * 2]
    b3 = b[KEYSIZE * 2: KEYSIZE * 3]
    b4 = b[KEYSIZE * 3: KEYSIZE * 4]
    b5 = b[KEYSIZE * 4: KEYSIZE * 5]
    b6 = b[KEYSIZE * 5: KEYSIZE * 6]
    normalized_distance = float(hamming_distance(b1, b2) +
                                hamming_distance(b2, b3) +
                                hamming_distance(b3, b4) +
                                hamming_distance(b4, b5) +
                                hamming_distance(b5, b6)) / (KEYSIZE * 5)
    normalized_distances.append((KEYSIZE, normalized_distance))

normalized_distances = sorted(normalized_distances, key=lambda x: x[1])

for KEYSIZE, _ in normalized_distances[:5]:
    block_bytes = [[] for _ in range(KEYSIZE)]
    for i, byte in enumerate(b):
        block_bytes[i % KEYSIZE].append(byte)
    keys = ''
    try:
        for bbytes in block_bytes:
            keys += break_single_key_xor(bbytes)
        key = bytearray(keys * len(b), "utf-8")
        plaintext = bxor(b, key)
        print("keysize:", KEYSIZE)
        print("key is:", keys, "\n")
        s = bytes.decode(plaintext)
        print(s)
    except Exception:
        continue
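The same recovery technique as a self-contained added example (not the write-up's or the challenge's code): KEY and PLAINTEXT are constructed stand-ins for the unknown flag body and plaintext. It encrypts with the challenge's scheme, strips the public salt, ranks key sizes by normalised Hamming distance over all adjacent blocks (the script above uses only the first six), recovers each key byte with the same space heuristic, and keeps the most English-looking candidate, since multiples of the true key size rank just as well as the size itself.

```python
from itertools import cycle

SALT = b"WeAreDe1taTeam"  # the public salt from the challenge source
KEY = b"d31tA"            # constructed demo key; the real key (the flag body) is unknown
# Constructed English sample, long enough that every key column contains some spaces.
PLAINTEXT = (b"The quick brown fox jumps over the lazy dog while the patient "
             b"analyst watches the traffic and writes down every byte that looks "
             b"out of place. Repeating key xor leaks its period because equal "
             b"key bytes line up with equal plaintext statistics in every column "
             b"of the ciphertext, and a short salt does not change that at all.")

def xor_cycle(data: bytes, key: bytes) -> bytes:
    """xor data with key repeated as often as needed (the challenge's cycle())."""
    return bytes(d ^ k for d, k in zip(data, cycle(key)))

def encrypt(plain: bytes, key: bytes, salt: bytes = SALT) -> bytes:
    """The challenge's scheme: plain ^ cycle(key) ^ cycle(salt)."""
    return xor_cycle(xor_cycle(plain, key), salt)

def hamming(a: bytes, b: bytes) -> int:
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def rank_keysizes(ct: bytes, lo: int = 2, hi: int = 40) -> list:
    """Mean Hamming distance per byte between all adjacent blocks, lowest first;
    at the true key size (and its multiples) equal key bytes cancel, so it scores low."""
    scores = []
    for ks in range(lo, hi):
        blocks = [ct[i:i + ks] for i in range(0, len(ct) - ks + 1, ks)]
        total = sum(hamming(blocks[i], blocks[i + 1]) for i in range(len(blocks) - 1))
        scores.append((total / (ks * (len(blocks) - 1)), ks))
    return [ks for _, ks in sorted(scores)]

def column_key_byte(col: bytes) -> int:
    """Space heuristic from the write-up: a space xors letters to letters and spaces to
    zero, so the byte with the most such partners is a space and key = byte ^ 0x20."""
    letterish = set(range(65, 91)) | set(range(97, 123)) | {0}
    partners = lambda a: sum((col[a] ^ col[b]) in letterish for b in range(len(col)) if b != a)
    return col[max(range(len(col)), key=partners)] ^ 0x20

def english_score(pt: bytes) -> int:
    return sum(65 <= x <= 90 or 97 <= x <= 122 or x == 32 for x in pt)  # ASCII letters + spaces

def recover(ct: bytes, candidates: int = 8) -> tuple:
    """Try the best-ranked key sizes (multiples of the true size rank equally well, so
    several are tried), keep the most English-looking result; smaller size wins ties."""
    best = (-1, 0, b"", b"")
    for ks in rank_keysizes(ct)[:candidates]:
        key = bytes(column_key_byte(ct[i::ks]) for i in range(ks))
        pt = xor_cycle(ct, key)
        best = max(best, (english_score(pt), -ks, key, pt))
    return best[2], best[3]
```

Run it as `recover(xor_cycle(encrypt(PLAINTEXT, KEY), SALT))`: the salt is public, so it is stripped first and what remains is plain repeating-key xor.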
