题目:XSS
首先看一下题目,题目说alert出xss三个字母,才会有flag
输入 xss123输出123,说明小写xss被过滤了
绕过方法一
编码绕过<script>alert(String.formCharCode(120,115,115))</script>
还可以把 <script>alert("xss")</script> hex编码绕过
绕过方法二
按f12打开调试器,在console中输入alert('xss')即可
绕过方法三
利用大小写绕过<script>alert("xSS")</script>
绕过方法四
bp抓一下包,构造payloadflag.php?msg=xss
方法五
使用分号”;”截断<script>alert("XSS");;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;</script>
题目:easy(本地登录)
点开链接,可以发现如下图所示。打开burpsuite抓包。然后伪造ip地址提交过去。常见文件泄露: .index.php.swp .index.php.swo .index.php.swn
加上:X-Forwarded-For: 127.0.0.1
思路对的,但是解题直接down源码:
windows下curl http://106.39.10.134:20000/web2/index.php~
linux下:curl http://106.39.10.134:20000/web2/index.php\~
flag{a5717a649d346ed0c51be68888c130cd}
直接获取源码:
WEB题目:Venus’Champion
点开链接,可以发现如下图所示。1996年访问的为冠军,你现在是1994年。修改某值为1994年。
打开burpsuite抓包,获取Visitor值请求头中:MTk5NDowMDhiZDVhZDkzYjc1NGQ1MDAzMzhjMjUzZDljMTc3MA%3D%3D其实是base64的编辑MTk5NDowMDhiZDVhZDkzYjc1NGQ1MDAzMzhjMjUzZDljMTc3MA==
解码后:1994:008bd5ad93b754d500338c253d9c1770修改为1996年,后续为md5加密字符.1996:6351bf9dce654515bf1ddbd6426dfa97
base64加密:MTk5Njo2MzUxYmY5ZGNlNjU0NTE1YmYxZGRiZDY0MjZkZmE5Nw==
Crypto题目:简单编码
题目文件名提示desc
flag被下面一串字符所隐藏,请尝试找出其中的密码吧:0x253464253534253431253739253433253661253435253737253466253431253666253335253465253737253666253738253464253434253464253462253464253534253439253761253433253661253539253332253433253661253435253737253465253531253666253332253465253531253666253738253464253534253431253462253464253534253431253335253433253661253662253333253433253661253662253331253433253661253633253761253433253661253435253738253465253531253666253335253465253531253666253333253464253431253666253334253465253531253666253333253466253431253666253738253464253534253431253462253464253534253439253738253433253661253464253761253433253661253435253739253465253531253364253364
converter工具HEX转base64解码:
ACU0ZCU1NCU0MSU3OSU0MyU2YSU0NSU3NyU0ZiU0MSU2ZiUzNSU0ZSU3NyU2ZiU3OCU0ZCU0NCU0ZCU0YiU0ZCU1NCU0OSU3YSU0MyU2YSU1OSUzMiU0MyU2YSU0NSU3NyU0ZSU1MSU2ZiUzMiU0ZSU1MSU2ZiU3OCU0ZCU1NCU0MSU0YiU0ZCU1NCU0MSUzNSU0MyU2YSU2YiUzMyU0MyU2YSU2YiUzMSU0MyU2YSU2MyU3YSU0MyU2YSU0NSU3OCU0ZSU1MSU2ZiUzNSU0ZSU1MSU2ZiUzMyU0ZCU0MSU2ZiUzNCU0ZSU1MSU2ZiUzMyU0ZiU0MSU2ZiU3OCU0ZCU1NCU0MSU0YiU0ZCU1NCU0OSU3OCU0MyU2YSU0ZCU3YSU0MyU2YSU0NSU3OSU0ZSU1MSUzZCUzZA==
得URL解码:
%4d%54%41%79%43%6a%45%77%4f%41%6f%35%4e%77%6f%78%4d%44%4d%4b%4d%54%49%7a%43%6a%59%32%43%6a%45%77%4e%51%6f%32%4e%51%6f%78%4d%54%41%4b%4d%54%41%35%43%6a%6b%33%43%6a%6b%31%43%6a%63%7a%43%6a%45%78%4e%51%6f%35%4e%51%6f%33%4d%41%6f%34%4e%51%6f%33%4f%41%6f%78%4d%54%41%4b%4d%54%49%78%43%6a%4d%7a%43%6a%45%79%4e%51%3d%3d
再次base64解码:
MTAyCjEwOAo5NwoxMDMKMTIzCjY2CjEwNQo2NQoxMTAKMTA5Cjk3Cjk1CjczCjExNQo5NQo3MAo4NQo3OAoxMTAKMTIxCjMzCjEyNQ==
ASCII码值:
102 108 97 103 123 66 105 65 110 109 97 95 73 115 95 70 85 78 110 121 33 125flag{BiAnma_Is_FUNny!}
WEB题目:Login
点击登录,报错在返回cookie中: tips_1=There+is+a+picture+called+uname.jpg
构造路径:http://106.39.10.134:20000/web1/uname.jpg
下载回来的图片,文本格式打开,有一个字典,拿来抓包爆破用户名,观察有一个返回包数据长度不同。uname=V1nus
tips_2=There+is+another+picture+called+u_pass.jpg
构造路径:http://106.39.10.134:20000/web1/u_pass.jpg
下载回来的图片,文本格式打开,有一个字典,拿来抓包爆破密码。uname=V1nus&upass=V1nus_zh1
flag{43cb0a29f318f96c5ce106aebc1bd5e7}
WEB题目:hacking
过滤http包,
17:27.5 HTTP GET http://192.168.173.134/index.php?id=1%27and%20(select%20ascii(substr((select%20skyflag_is_here2333%20from%20flag%20limit%200,1),1,1)))=102%23
17:27.9 HTTP GET http://192.168.173.134/index.php?id=1%27and%20(select%20ascii(substr((select%20skyflag_is_here2333%20from%20flag%20limit%200,1),2,1)))=108%23
17:28.3 HTTP GET http://192.168.173.134/index.php?id=1%27and%20(select%20ascii(substr((select%20skyflag_is_here2333%20from%20flag%20limit%200,1),3,1)))=97%23
17:28.7 HTTP GET http://192.168.173.134/index.php?id=1%27and%20(select%20ascii(substr((select%20skyflag_is_here2333%20from%20flag%20limit%200,1),4,1)))=103%23
17:29.1 HTTP GET http://192.168.173.134/index.php?id=1%27and%20(select%20ascii(substr((select%20skyflag_is_here2333%20from%20flag%20limit%200,1),5,1)))=123%23
17:29.4 HTTP GET http://192.168.173.134/index.php?id=1%27and%20(select%20ascii(substr((select%20skyflag_is_here2333%20from%20flag%20limit%200,1),6,1)))=115%23
17:29.8 HTTP GET http://192.168.173.134/index.php?id=1%27and%20(select%20ascii(substr((select%20skyflag_is_here2333%20from%20flag%20limit%200,1),7,1)))=107%23
17:30.2 HTTP GET http://192.168.173.134/index.php?id=1%27and%20(select%20ascii(substr((select%20skyflag_is_here2333%20from%20flag%20limit%200,1),8,1)))=121%23
17:30.5 HTTP GET http://192.168.173.134/index.php?id=1%27and%20(select%20ascii(substr((select%20skyflag_is_here2333%20from%20flag%20limit%200,1),9,1)))=115%23
17:30.9 HTTP GET http://192.168.173.134/index.php?id=1%27and%20(select%20ascii(substr((select%20skyflag_is_here2333%20from%20flag%20limit%200,1),10,1)))=113%23
17:31.2 HTTP GET http://192.168.173.134/index.php?id=1%27and%20(select%20ascii(substr((select%20skyflag_is_here2333%20from%20flag%20limit%200,1),11,1)))=108%23
....
查到ASCII:102 108 97 103 123 115 107 121 115 113 108 95 105 115 95 118 101 114 121 95 99 111 111 108 33 50 51 51 125flag{skysql_is_very_cool!233}
此方法特别笨重,很慢。
RE:strcmp
IDA Pro (64-bit),
打开选择第二个点击main函数,
可以直接看到flag。
MISC:happy birthday
下载回来后将文件添加后缀:
happy_birthday.pcapng
Wireshark文件导出Http对象,Birthday.zip,Ziperello文件破解,题目是生日构造格式 年份月份日 XXXX XX XX共八位数
爆破八位数得密码:19970818
图片右键属性得:flag{H4PPY_81RTHD4Y}
Crypto:ccrack
提示:ccrackcrc32爆破,github地址: https://github.com/theonlypwner/crc32
依次执行:这个地方有点坑,生成特别多要找出有意义的字符串:
python crc32.py reverse 0x03BBA369
python crc32.py reverse 0x38D36816
python crc32.py reverse 0x50546A3E
python crc32.py reverse 0x23EE148C
python crc32.py reverse 0x1EC43B00
得:keyisc32cryptonotverydifficult
拿此密码解压压缩文档,得到flag.txt
得到一窜base32编码字符串:MFXEE3DBGN2G4ZDNMN5E23KWPFQUOZDXLJMGIM3CK5SHOYJTJZ5GCSBQHU======
解码得base64编码字符串anBla3tndmczMmVyaGdwZXd3bWdwa3NzaH0=
base64解码得到:jpek{gvg32erhgpewwmgpkssh}
米斯特工具凯撒密码解密:flag{crc32andclassiclgood}
Crypto:古今中外风火轮
base64 32 16多重解密脚本:
import random
from base64 import *
result={
'16':lambda x:b16decode(x),
'32':lambda x:b32decode(x),
'64':lambda x:b64decode(x),
}
f='base64的内容=='
while True:
try:
f=result['16'](f)
continue
except:
pass
try:
f=result['32'](f)
continue
except:
pass
try:
f=result['64'](f)
continue
except:
pass
break
print f
得到:CEB4BFDAgCEB4B2DDgB2DDB4F3gB7F2C8CBgCEB4C8CBgB2DDB4F3gCEB4CDF5gCDF5B2DDgCEB4D6D0gCEB4B2DDgB2DDB4F3gB7F2D3C9gB7F2B2DDgB7F2B2DDgCDF5CEB4g
去除多余的g:
CEB4BFDA
CEB4B2DD
B2DDB4F3
B7F2C8CB
CEB4C8CB
B2DDB4F3
CEB4CDF5
CDF5B2DD
CEB4D6D0
CEB4B2DD
B2DDB4F3
B7F2D3C9
B7F2B2DD
B7F2B2DD
CDF5CEB4GB2312转换为文字得到:
未口未草草大夫人未人草大未王王草未中未草草大夫由夫草夫草王未
当铺密码解密(简介:当前汉字有多少笔画出头,就是转化成数字几。(例:王夫井工夫口 = 678470)):
未0未草草573未3草5未66草未2未草草5717草7草6未
草是9,未是8
80 89 95 73 83 95 86 69 82 89 95 71 79 79 682未为一隔断:
ASCII解码得:
PY_IS_VERY_GOOD
flag{PY_IS_VERY_GOOD}
MISC:FTP流量分析
kali下:foremost ftp.pcapng得到一个有密码的zip压缩文件,flag在其中,Wireshark过滤ftp发现还上传了一个doc文件,提取出。Wireshark下搜索字符串(ctrl+f),zip文件头为PK选择原始数据保存为1.docx打开docx提示:
密码是wakaka+5位数字
Ziperello构造字符集掩码,
得到密码:wakaka21051
解压出flag:flag{3dgru54gfdhyi7ksf36#%}
Steg:中国心
LSB隐写,将图片加载到隐写术利用Stegsolve.jar工具中,来回切换色道,发现red 0,green 0,blue 0存在部分数据,
执行下面五部,发现存在JFIF文件头,存在一张jpg格式的图片,将数据包点击save bin导出二进制。
扔进010 Editor,删除文件头的杂乱数据。
另存为jpg格式图片得到flag。
Steg:joker
首先下载到图片,joker.jpg,扔到foremost joker.jpg得到一个zip加密文件,readme.txt 共2个文件。
参考:04明文攻击:https://www.cnblogs.com/ECJTUACM-873284962/p/9387711.html
明文攻击:https://www.cnblogs.com/ECJTUACM-873284962/p/9884416.html
将readme.txt压缩为zip压缩文件,发现与加密zip中的readme.txt,CRC32值相同,Advanced Archive Password Recovery软件爆破,配置如图:
[ aca0184e 912e1d61 7bafa247 ]
另存为文件到桌面,
解压出new.txt是base64的图片格式文件,直接将全部内容复制到浏览器地址栏回车即可生成图片。
另存为图片,查看图片内容发现hint.txt文件,后缀改为rar文件无法解压出,是伪加密。010 Editor将 14 改为00,右键解压则无密码。
hint.txt得到如下:33326b6c6d763bf61129bf9b385420a5=mk?**ijnb??*7yg?
33326b6c6d763bf61129bf9b385420a5
md5解密: flag{mko09ijnbhu87ygv}
python大法好!
这里有一段丢失的md5密文e9032???da???08????911513?0???a2
要求你还原出他
已知线索 明文为: TASC?O3RJMV?WDJKX?ZM
import hashlib
for i in range(32,127):
for j in range(32,127):
for k in range(32,127):
m=hashlib.md5()
m.update('TASC'+chr(i)+'O3RJMV'+chr(j)+'WDJKX'+chr(k)+'ZM')
des=m.hexdigest()
if 'e9032' in des and 'da' in des and '911513' in des:
print des