Contents
WEB
0x01 easfbypass
Write a shell by passing in
eval($_POST[%27cd%27]);
Connect with AntSword; phpinfo shows that many functions are disabled,
so upload a bypass to run readflag.
0x04 ezupload
First, F12 reveals a .swp backup file. Copy it to a Linux box and recover it with vim -r to get the source:
<?php
$sql = "select password from user where name=?";
if ($stmt = $mysqli->prepare($sql)) {
    $stmt->bind_param("s", $username);
    $stmt->execute();
    $stmt->bind_result($dpasswd);   // $dpasswd is bound as null and stays null when no row matches
    $stmt->fetch();
    // With the password parameter removed from the request, $password is unset (null),
    // so for a non-existent user the strict comparison null === null succeeds
    if ($dpasswd === $password){
        $_SESSION['login'] = 1;
        header("Location: /upload.php");
    }else{
        die("login failed");
    }
    $stmt->close();
}
Visiting upload prompts "plz login". First, capture the login request in Repeater and remove the trailing password parameter;
you get a 302 redirect, and visiting upload again lands on the upload page.
Now upload a one-line shell with a php5 extension, with JPEG image header bytes prepended to its content.
The upload succeeds.
Then connect with AntSword.
MISC
0x01 misc1
Download the file and open it; it's garbled, so try changing the encoding. Simply change the extension and open it with Word, pick an encoding, and a flag-like string appears in the file.
The curly braces aren't displayed correctly; fix them to obtain the flag.
0x02 misc2
Visit the page.
It gives us the site's source code, which shows an arbitrary file read under the /r route.
However, the flag in the root directory has already been deleted, so it can't be read the normal way. From earlier challenges I remember file descriptors: a file that is still open remains reachable through its file descriptor after it is deleted, so we can recover the flag by reading the descriptor. The descriptor directory is /dev/fd; iterate over the entries under fd and read them to get the flag.
0x03 misc3
First download the attachment; it is an HTML page.
Then press F12 to view the source.
There is a pile of strange characters like these.
Extract them, replace &zwnj with 0 and the other with 1, and you get a binary string:
0110011001101100011000010110011101111011011001010011001001100001001110010110001100111000011000100011000100110001001101110011010101100101001101100011011001100011011001100011001000110001011001100011100000110101001110010011001101100010011000110011100000110101011000100110011000111001001100110011100101111101
Converting this binary string to characters gives the flag: flag{e2a9c8b1175e66cf21f8593bc85bf939}
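An added decoder for the zero-width-entity trick above (example code, not from the original writeup). It assumes &zwj; is the 1 bit, since the page only names &zwnj; as 0, and it also includes a small detection helper that flags long runs of zero-width characters in a page.

```python
import html
import re

# Zero-width code points used for the hidden bits. &zwnj; (U+200C) is the 0 bit as the
# writeup states; treating &zwj; (U+200D) as the 1 bit is an assumption, since the page
# does not name the second entity.
ZERO_WIDTH_BITS = {"\u200c": "0", "\u200d": "1"}


def extract_bits(document: str) -> str:
    """Unescape HTML entities and keep only ZWNJ/ZWJ, in order, as a 0/1 string."""
    text = html.unescape(document)
    return "".join(ZERO_WIDTH_BITS.get(ch, "") for ch in text)


def bits_to_text(bits: str) -> str:
    """Decode a 0/1 string as 8-bit ASCII, most significant bit first.

    A length that is not a multiple of 8 almost always means a bit was missed
    during extraction, so it is reported instead of silently truncated.
    """
    if not bits or len(bits) % 8:
        raise ValueError(f"bit string length {len(bits)} is not a multiple of 8")
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8)).decode("ascii")


def decode_zero_width(document: str) -> str:
    """Full pipeline: HTML -> zero-width bits -> hidden text."""
    return bits_to_text(extract_bits(document))


def find_zero_width_runs(document: str, min_len: int = 8):
    """Detection helper: (offset, length) of every run of ZWNJ/ZWJ of at least min_len.

    Ordinary text rarely contains eight or more consecutive zero-width joiners, so
    such runs are worth flagging when scanning uploaded or rendered content.
    """
    pattern = "[\u200c\u200d]{" + str(min_len) + ",}"
    text = html.unescape(document)
    return [(m.start(), m.end() - m.start()) for m in re.finditer(pattern, text)]


# Constructed sample page: hides "ok" (0x6f 0x6b) as 16 zero-width entities in visible text.
_HIDDEN_BITS = "0110111101101011"
SAMPLE_HTML = ("<p>Nothing to see"
               + "".join("&zwnj;" if b == "0" else "&zwj;" for b in _HIDDEN_BITS)
               + " here</p>")

if __name__ == "__main__":
    print(find_zero_width_runs(SAMPLE_HTML))   # [(17, 16)]
    print(decode_zero_width(SAMPLE_HTML))      # ok
```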
0x04 webshell
Analyze the packet capture; following the HTTP stream reveals an encrypted webshell file.
Decrypt the webshell file.
After tidying up the shell's format, it's clear that the transmitted data is AES-encrypted, so look at the returned data.
Following the PHP code's logic, strip the strings appended at the front and back, then decrypt with the key obtained from the shell.
The last encrypted segment is base64; decoding it directly yields the flag.
0x05 twocats
Two images are provided, which suggests a blind watermark. Extract the hidden image with a blind-watermark script:
Open it in StegSolve; it's just about legible:
flag{BlindWaterMark1234}
RE
0x01 RE1
The real algorithm lives in the program's init section. The logic: the key is used to compute a 256-byte box, and the output is computed from the box and the input.
Note that the initial key is first processed by XORing every byte with 7.
Since the box generation is independent of the input, simply dump the value XORed with the input at each step in the debugger and write the following script:
xorbox = [0xc,0x1,0x33,0x2f,0x7a,0x7c,0xe0,0x0,0x3,0x7a,0x73,0x4e,0x88,0x6d,0xd2,0xcc]    # XOR values dumped from the debugger
output = [0xFF,0xE1,0x5F,0xD7,0x25,0x10,0x13,0x71,0x74,0xBF,0x19,0x16,0x5F,0x5E,0x30,0x7F]  # expected output bytes
inputbox = []
# reverse the 16 output bytes before undoing the XOR
for i in range(8):
    tmp = output[16 - i - 1]
    output[16 - i - 1] = output[i]
    output[i] = tmp
# XOR is its own inverse, so each input byte is output ^ xorbox
for i in range(0x10):
    inputtmp = xorbox[i] ^ output[i]
    inputbox.append(inputtmp)
    print(chr(inputtmp), end = "")
flag{s1mple_trick_233}
0x02 RE2
Open the program and analyze it: it's a polynomial system in 32 unknowns.
Write a MATLAB program to solve the system of equations
and obtain the flag.
Crypto
0x01 RSA1
Analysis: first we obtain the 400-digit p; q is p with its high and low halves swapped. Take the high 199 digits and the low 199 digits of n; the single digit in the middle is uncertain, and by trial it turns out to be 2. From n we obtain the product of the high and low halves, take the square root with iroot to get the values of p and q, compute d, and from that recover m. The full code is as follows:
from Crypto.Util.number import *
import gmpy2

def getpq(x):
    # p = a*10^200 + b and q = b*10^200 + a, so n = x*10^400 + (a^2 + b^2)*10^200 + x with x = a*b
    y = ((n - x * pow(10, 400)) - x) // pow(10, 200)                          # y = a^2 + b^2
    p = gmpy2.iroot((y + gmpy2.iroot(y * y - 4 * x * x, 2)[0]) // 2, 2)[0]   # the larger of a, b
    q = x // p                                                                # the other half
    p = str(p)
    q = str(q)
    p = int(str(p + q))                                                       # glue the halves back into p
    q = n // p
    return p, q

e = 65537
n=21173064304574950843737446409192091844410858354407853391518219828585809575546480463980354529412530785625473800210661276075473243912578032636845746866907991400822100939309254988798139819074875464612813385347487571449985243023886473371811269444618192595245380064162413031254981146354667983890607067651694310528489568882179752700069248266341927980053359911075295668342299406306747805925686573419756406095039162847475158920069325898899318222396609393685237607183668014820188522330005608037386873926432131081161531088656666402464062741934007562757339219055643198715643442608910351994872740343566582808831066736088527333762011263273533065540484105964087424030617602336598479611569611018708530024591023015267812545697478378348866840434551477126856261767535209092047810194387033643274333303926423370062572301
c=16396023285324039009558195962852040868243807971027796599580351414803675753933120024077886501736987010658812435904022750269541456641256887079780585729054681025921699044139927086676479128232499416835051090240458236280851063589059069181638802191717911599940897797235038838827322737207584188123709413077535201099325099110746196702421778588988049442604655243604852727791349351291721230577933794627015369213339150586418524473465234375420448340981330049205933291705601563283196409846408465061438001010141891397738066420524119638524908958331406698679544896351376594583883601612086738834989175070317781690217164773657939589691476539613343289431727103692899002758373929815089904574190511978680084831183328681104467553713888762965976896013404518316128288520016934828176674482545660323358594211794461624622116836
x=2117306430457495084373744640919209184441085835440785339151821982858580957554648046398035452941253078562547380021066127607547324391257803263684574686690799140082210093930925498879813981907487546461281266736088527333762011263273533065540484105964087424030617602336598479611569611018708530024591023015267812545697478378348866840434551477126856261767535209092047810194387033643274333303926423370062572301
if __name__ == "__main__":
    p, q = getpq(x)
    assert n % p == 0                                   # sanity check: the recovered p must divide n
    d = int(gmpy2.invert(e, (p - 1) * (q - 1)))
    m = pow(c, d, n)
    print(hex(m))
    print(long_to_bytes(m))