i春秋 2016-2017 Information Security Competition Web writeup (catching up on problems) By Assassin

Posted by an anonymous user, 2020-12-19 13:27

Catching up on some problems from i春秋. I've been messing around for a whole vacation, and nobody loves me anyway, so let's do problems…

Decipher

First we see two chunks of ciphertext:

TW5650Y - 0TS UZ50S S0V LZW UZ50WKW 9505KL4G 1X WVMUSL510 S001M0UWV 910VSG S0 WFLW0K510 1X LZW54 WF5KL50Y 2S4L0W4KZ52 L1 50U14214SLW X5L0WKK S0V TSK7WLTS88 VWNW8129W0L 50 W8W9W0LS4G, 95VV8W S0V Z5YZ KUZ118K SU41KK UZ50S.LZW S001M0UW9W0L ESK 9SVW SL S K5Y050Y UW4W910G L1VSG TG 0TS UZ50S UW1 VSN5V KZ1W9S7W4 S0V FM LS1, V54WUL14 YW0W4S8 1X LZW 50LW40SL510S8 U112W4SL510 S0V WFUZS0YW VW2S4L9W0L 1X LZW 9505KL4G 1X WVMUSL510.
"EW S4W WFU5LWV L1 T41SVW0 1M4 2S4L0W4KZ52 E5LZ LZW 9505KL4G 1X WVMUSL510 L1 9S7W S 810Y-8SKL50Y 592SUL 10 LZW 85NWK 1X UZ50WKW KLMVW0LK LZ41MYZ S 6150L8G-VWK5Y0WV TSK7WLTS88 UM445UM8M9 S0V S E5VW 4S0YW 1X KUZ118 TSK7WLTS88 241Y4S9K," KS5V KZ1W9S7W4. "LZ5K U1995L9W0L 9S47K S01LZW4 958WKL10W 50 LZW 0TS'K G1MLZ S0V TSK7WLTS88 VWNW8129W0L WXX14LK 50 UZ50S." X8SY { YK182V9ZUL9STU5V}

The ending looks very much like FLAG{XXXXX}, so the first guess is a Caesar cipher. After comparing shifts, the (i+8)%26 rule gives comparatively regular output, but many digits have replaced the original uppercase letters! This is where English vocabulary matters… just guess… but it never quite comes out right. Midway the script looked like this (guessed):

# Step 1: shift every uppercase letter by 8 (Caesar); digits and punctuation stay.
sss = "TW5650Y - 0TS UZ50S S0V LZW UZ50WKW 9505KL4G 1X WVMUSL510 S001M0UWV 910VSG S0 WFLW0K510 1X LZW54 WF5KL50Y 2S4L0W4KZ52 L1 50U14214SLW X5L0WKK S0V TSK7WLTS88 VWNW8129W0L 50 W8W9W0LS4G, 95VV8W S0V Z5YZ KUZ118K SU41KK UZ50S.LZW S001M0UW9W0L ESK 9SVW SL S K5Y050Y UW4W910G L1VSG TG 0TS UZ50S UW1 VSN5V KZ1W9S7W4 S0V FM LS1, V54WUL14 YW0W4S8 1X LZW 50LW40SL510S8 U112W4SL510 S0V WFUZS0YW VW2S4L9W0L 1X LZW 9505KL4G 1X WVMUSL510." + \
    """"EW S4W WFU5LWV L1 T41SVW0 1M4 2S4L0W4KZ52 E5LZ LZW 9505KL4G 1X WVMUSL510 L1 9S7W S 810Y-8SKL50Y 592SUL 10 LZW 85NWK 1X UZ50WKW KLMVW0LK LZ41MYZ S 6150L8G-VWK5Y0WV TSK7WLTS88 UM445UM8M9 S0V S E5VW 4S0YW 1X KUZ118 TSK7WLTS88 241Y4S9K," KS5V KZ1W9S7W4. "LZ5K U1995L9W0L 9S47K S01LZW4 958WKL10W 50 LZW 0TS'K G1MLZ S0V TSK7WLTS88 VWNW8129W0L WXX14LK 50 UZ50S." X8SY { YK182V9ZUL9STU5V}"""
shift = 8
temp = ""
for j in sss:
    if 'A' <= j <= 'Z':
        temp += chr((ord(j) - ord('A') + shift) % 26 + ord('A'))
    else:
        temp += j
# print(temp)

# Step 2: guessed replacements for the digits (and the letters the shift got wrong).
middle = temp
answer = ""
for i in middle:
    if i == '5':
        answer += 'I'
    elif i == '0':
        answer += 'N'
    elif i == '6':
        answer += 'J'
    elif i == '1':
        answer += 'O'
    elif i == '7':
        answer += 'K'
    elif i == '8':
        answer += 'L'
    elif i == '4':
        answer += 'R'
    elif i == '9':
        answer += 'H'
    elif i == '2':
        answer += 'P'
    elif i == 'M':
        answer += 'W'
    else:
        answer += i
print(answer)

On a whim I searched for the text and found it was a news article… then adjusted the mapping by comparing against it…

# Step 1: shift every uppercase letter by 8 (Caesar); digits and punctuation stay.
sss = "TW5650Y - 0TS UZ50S S0V LZW UZ50WKW 9505KL4G 1X WVMUSL510 S001M0UWV 910VSG S0 WFLW0K510 1X LZW54 WF5KL50Y 2S4L0W4KZ52 L1 50U14214SLW X5L0WKK S0V TSK7WLTS88 VWNW8129W0L 50 W8W9W0LS4G, 95VV8W S0V Z5YZ KUZ118K SU41KK UZ50S.LZW S001M0UW9W0L ESK 9SVW SL S K5Y050Y UW4W910G L1VSG TG 0TS UZ50S UW1 VSN5V KZ1W9S7W4 S0V FM LS1, V54WUL14 YW0W4S8 1X LZW 50LW40SL510S8 U112W4SL510 S0V WFUZS0YW VW2S4L9W0L 1X LZW 9505KL4G 1X WVMUSL510." + \
    """"EW S4W WFU5LWV L1 T41SVW0 1M4 2S4L0W4KZ52 E5LZ LZW 9505KL4G 1X WVMUSL510 L1 9S7W S 810Y-8SKL50Y 592SUL 10 LZW 85NWK 1X UZ50WKW KLMVW0LK LZ41MYZ S 6150L8G-VWK5Y0WV TSK7WLTS88 UM445UM8M9 S0V S E5VW 4S0YW 1X KUZ118 TSK7WLTS88 241Y4S9K," KS5V KZ1W9S7W4. "LZ5K U1995L9W0L 9S47K S01LZW4 958WKL10W 50 LZW 0TS'K G1MLZ S0V TSK7WLTS88 VWNW8129W0L WXX14LK 50 UZ50S." X8SY { YK182V9ZUL9STU5V}"""
shift = 8
temp = ""
for j in sss:
    if 'A' <= j <= 'Z':
        temp += chr((ord(j) - ord('A') + shift) % 26 + ord('A'))
    else:
        temp += j
# print(temp)

# Step 2: replacements corrected against the news article
# (9 -> M, and the shifted letters M/O/N -> W/Y/X).
middle = temp
answer = ""
for i in middle:
    if i == '5':
        answer += 'I'
    elif i == '0':
        answer += 'N'
    elif i == '6':
        answer += 'J'
    elif i == '1':
        answer += 'O'
    elif i == '7':
        answer += 'K'
    elif i == '8':
        answer += 'L'
    elif i == '4':
        answer += 'R'
    elif i == '9':
        answer += 'M'
    elif i == '2':
        answer += 'P'
    elif i == 'M':
        answer += 'W'
    elif i == 'O':
        answer += 'Y'
    elif i == 'N':
        answer += 'X'
    else:
        answer += i
print(answer)

Hahaha, but the flag format must not contain spaces! And how is this a Web problem!!! And… why is there only one problem…
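As an added example (not from the original writeup), the digit-by-digit guessing above can be replaced by deriving the whole substitution table from a known-plaintext crib; the crib pairs, SAMPLE and FLAG_CT below are copied from the ciphertext on this page, while the function names are my own. It also groups the recovered letter pairs by Caesar shift, which shows why the (i+8)%26 guess worked for most letters but not for E, F and G.

```python
from collections import defaultdict

# Constructed crib: the writeup found the plaintext is a news item, so its
# opening phrase (and two words from later on) serve as known plaintext.
CRIB = [
    ("TW5650Y - 0TS UZ50S S0V LZW UZ50WKW 9505KL4G 1X WVMUSL510 S001M0UWV 910VSG",
     "BEIJING - NBA CHINA AND THE CHINESE MINISTRY OF EDUCATION ANNOUNCED MONDAY"),
    ("2S4L0W4KZ52", "PARTNERSHIP"),
    ("TSK7WLTS88", "BASKETBALL"),
]
SAMPLE = "EW S4W WFU5LWV L1 T41SVW0 1M4 2S4L0W4KZ52"  # start of the quoted sentence
FLAG_CT = "X8SY { YK182V9ZUL9STU5V}"                    # the flag line


def derive_table(pairs, table=None):
    """Extend a cipher-symbol -> plaintext map from (cipher, plain) cribs.
    A symbol that would need two different plaintexts is a contradiction:
    either the crib is wrong or the cipher is not monoalphabetic."""
    table = dict(table or {})
    for cipher, plain in pairs:
        if len(cipher) != len(plain):
            raise ValueError("crib lengths differ: %r" % cipher)
        for c, p in zip(cipher, plain):
            if not c.isalnum():          # spaces and punctuation pass through
                continue
            if table.setdefault(c, p) != p:
                raise ValueError("conflict: %r -> %r and %r" % (c, table[c], p))
    return table


def decrypt(text, table):
    """Apply the table; symbols the crib never covered show up as '?'."""
    return "".join(table.get(ch, "?") if ch.isalnum() else ch for ch in text)


def unresolved(text, table):
    """Cipher symbols in text that still have no plaintext assignment."""
    return {ch for ch in text if ch.isalnum() and ch not in table}


def letter_shifts(table):
    """Group letter->letter entries by Caesar shift (plain - cipher) mod 26,
    which shows why the writeup's (i+8)%26 guess was only mostly right."""
    groups = defaultdict(list)
    for c, p in table.items():
        if c.isalpha():
            groups[(ord(p) - ord(c)) % 26].append(c)
    return {k: sorted(v) for k, v in groups.items()}
```

Call derive_table(CRIB), check unresolved(SAMPLE, table) to see which symbols the crib left open (E and F), extend the table with ("EW S4W WFU5LWV", "WE ARE EXCITED"), and decrypt FLAG_CT once no '?' remains.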

PHP exercise

Since we can run PHP, this is much easier. Note that some commands appear to be filtered here, so use pure PHP functions to enumerate the directory with:

print_r(glob("*"))


Then open that show_flag.php and we're done.

flag{php_mail_ld_preload}

wanna to see your hat?

At first the problem gave no obvious lead, so run dirsearch first!

Could it be a .svn leak? Download a tool and try; one option is dvcs-ripper.

Link: https://github.com/kost/dvcs-ripper

Seay-Svn is another option.
Link: https://pan.baidu.com/s/1eQiRF02

Both failed… but no matter, that is not the only way in. Capture the login request with Burp:

The response echoes:

select count(*) from t_info where username = 'admin\#' or nickname = 'admin\#'

This is the classic universal-bypass statement, and clearly ' has been replaced with \. Probing further, sending name=1 or(1=1)--&submit=check echoes:

select count(*) from t_info where username = '1or(1=1)--' or nickname = '1or(1=1)--'

Spaces are filtered, so parentheses can be used instead, and the length is limited as well.
Note that if the value is built so that its last character becomes \, it turns out to escape the closing quote, so construct the following:

name=or(1=1)#'&submit=check

The statement then becomes:

select count(*) from t_info where username = 'or(1=1)#\' or nickname = 'or(1=1)#\'

which neatly turns into the universal-key bypass.
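Added example (not part of the original writeup) that models the sanitizer the echoed queries reveal, scans the resulting statement the way MySQL tokenises it (backslash-escaped quotes inside literals, # starting a comment) to check whether the user value stayed inside its string literal, and shows the parameterized form that removes the problem; the table contents, SKELETON and function names are constructed here.

```python
import sqlite3

# What the query should look like once every string literal is collapsed to '?'.
SKELETON = "select count(*) from t_info where username = '?' or nickname = '?'"


def weak_filter(value):
    """The sanitizer the writeup inferred from the echoed queries: every single
    quote becomes a lone backslash and spaces are dropped (no real escaping)."""
    return value.replace("'", "\\").replace(" ", "")


def build_query(name):
    """String-concatenated query exactly as the challenge echoed it."""
    return ("select count(*) from t_info where username = '%s' "
            "or nickname = '%s'" % (name, name))


def executed_sql(query):
    """MySQL-style scan: collapse each '...' literal (honouring backslash
    escapes) to '?' and drop everything after a '#' comment marker, leaving
    only the SQL the server would actually evaluate."""
    out, i, n = [], 0, len(query)
    while i < n:
        ch = query[i]
        if ch == "'":
            i += 1
            while i < n and query[i] != "'":
                i += 2 if query[i] == "\\" else 1   # '\x' is one escaped char
            i += 1
            out.append("'?'")
        elif ch == "#":
            break
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def sanitizer_holds(name):
    """True if the user-controlled value stayed inside its string literal."""
    return executed_sql(build_query(weak_filter(name))) == SKELETON


def parameterized_count(name):
    """The fix: bind the value instead of splicing it, so it can never change
    the statement's structure. Uses an in-memory SQLite table built here."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table t_info (username text, nickname text)")
    conn.execute("insert into t_info values ('admin', 'root')")
    row = conn.execute("select count(*) from t_info where username = ? "
                       "or nickname = ?", (name, name)).fetchone()
    return row[0]
```

sanitizer_holds("admin'#") is True because the lone backslash lands inside the literal, while the page's trailing-quote value makes the backslash swallow the closing quote and the scan shows the or(1=1) executing outside any literal; parameterized_count returns 0 for the same value.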
