2021 Guangdong Qiangwang Cup (強網杯) WriteUp
Individual competition
Online fraud
Reference
https://github.com/Heyxk/notes/issues/1
First, extract EnMicroMsg.db.
CompatibleInfo.cfg is 0 KB, so use the first method.
The IMEI cannot be obtained, so use the default 1234567890ABCDEF.
In auth_info_key_prefs.xml: "_auth_uin" value="1729159668"
Take the first 8
48b55e5
sqlcipher EnMicroMsg.db 'PRAGMA key = "48b55e5"; PRAGMA cipher_use_hmac = off; PRAGMA kdf_iter = 4000; ATTACH DATABASE "decrypted_database.db" AS decrypted_database KEY "";SELECT sqlcipher_export("decrypted_database");DETACH DATABASE decrypted_database;'
This failed on a Mac, so I used sqlcipher downloaded on Windows.
View the result with SQLiteStudio.
The message table records all of the messages that were sent: https://blog.csdn.net/muzhicihe/article/details/109902849
88.88+500
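Find the attack traces
CVE-2017-9993: look near mp4
C
CVE-2017-8917: look for index.php
A
CVE-2019-15107: look for password
D
CVE-2020-1938: could not find the AJP one, so guessed among the remaining three
ACDF
Perfect uploader
Stumped. Uploading with a file extension fails.
In the end, pass in /flag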
goodpy
Python bytecode reversing
https://bbs.pediy.com/thread-246683.htm
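Disassembled by hand, following the reference.
Halfway through reversing, I realized that only the algorithm in the key part was needed.
a = [56, 17, 99, 1, 47, 4, 2, 62, 75, 102, 8, 242, 16, 242, 97, 97, 100, 107, 16, 9, 10, 3, 117, 20, 80, 87, 242, 2, 6, 119, 7, 17]
flag = ''
for i in range(len(a)):
    if i%7==1:
        flag += (chr(((a[i]-8)^51)+9))
    else:
        flag += (chr((((a[i]^119)-8)^51)+9))
print(flag)
Earlier in the program, the input is checked to see whether it starts with flag.
Shift the characters into position: flag{yCMWuWFsA0uNOhgq54WgcedvHC}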
Team competition
love_Pokemon
<?php
error_reporting(0);
highlight_file(__FILE__);
$dir = 'sandbox/' . md5($_SERVER['REMOTE_ADDR']) . '/';
if(!file_exists($dir)){
    mkdir($dir);
}
function DefenderBonus($Pokemon){
    if(preg_match("/'| |_|\\$|;|l|s|flag|a|t|m|r|e|j|k|n|w|i|\\\\|p|h|u|v|\\+|\\^|\`|\~|\||\"|\<|\>|\=|{|}|\!|\&|\*|\?|\(|\)/i",$Pokemon)){
        die('catch broken Pokemon! mew-_-two');
    }
    else{
        return $Pokemon;
    }
}
function ghostpokemon($Pokemon){
    if(is_array($Pokemon)){
        foreach ($Pokemon as $key => $pks) {
            $Pokemon[$key] = DefenderBonus($pks);
        }
    }
    else{
        $Pokemon = DefenderBonus($Pokemon);
    }
}
switch($_POST['myfavorite'] ?? ""){
    case 'picacu!':
        echo md5('picacu!').md5($_SERVER['REMOTE_ADDR']);
        break;
    case 'bulbasaur!':
        echo md5('miaowa!').md5($_SERVER['REMOTE_ADDR']);
        $level = $_POST["levelup"] ?? "";
        if ((!preg_match('/lv100/i',$level)) && (preg_match('/lv100/i',escapeshellarg($level)))){
            echo file_get_contents('./hint.php');
        }
        break;
    case 'squirtle':
        echo md5('jienijieni!').md5($_SERVER['REMOTE_ADDR']);
        break;
    case 'mewtwo':
        $dream = $_POST["dream"] ?? "";
        if(strlen($dream)>=20){
            die("So Big Pokenmon!");
        }
        ghostpokemon($dream);
        echo shell_exec($dream);
}
?>
Wildcards and bitwise operators are all banned.
/F[B-Z][@-C]G gets past the regex; read the file with od.
Decode the octal output.
flag{Php_Rc3_1s_V3Ry_C001_But_I_l0v3_Pokemon~}
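The octal decoding step above, as an added example that is not part of the original writeup: a decoder for default `od` output (octal offset column, 2-byte octal words, `*` for suppressed repeated rows, final line giving the total length). The function name `decode_od`, the little-endian default (as on x86 hosts) and both sample dumps are assumptions constructed for illustration.

```python
# Added example: rebuild the original bytes from default `od` output.

def decode_od(text, byteorder="little"):
    """Return the dumped bytes; byteorder is that of the host that ran od."""
    out = bytearray()
    last_row = b""
    squeezed = False  # set by a "*" line: od suppressed rows identical to the previous one
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "*":
            if not last_row:
                raise ValueError("'*' line with no preceding data row")
            squeezed = True
            continue
        offset = int(fields[0], 8)  # first column is the byte offset in octal
        if squeezed:
            while len(out) < offset:  # refill the suppressed rows
                out += last_row
            squeezed = False
        if len(fields) == 1:
            # Final line: total length only. An odd-length input was padded
            # with one zero byte to fill its last word, so trim to the offset.
            if not 0 <= len(out) - offset <= 1:
                raise ValueError("final offset does not match decoded length")
            return bytes(out[:offset])
        if offset != len(out):
            raise ValueError(f"offset {fields[0]} does not match decoded length")
        last_row = b"".join(int(w, 8).to_bytes(2, byteorder) for w in fields[1:])
        out += last_row
    return bytes(out)  # dump was cut off before the final length line

# Constructed sample: od output for the 11 bytes b"flag{demo}\n" on a little-endian host.
SAMPLE_DUMP = """\
0000000 066146 063541 062173 066545 076557 000012
0000013
"""

# Constructed sample: 48 zero bytes, where od collapses the repeated rows into "*".
SQUEEZED_DUMP = """\
0000000 000000 000000 000000 000000 000000 000000 000000 000000
*
0000060
"""

if __name__ == "__main__":
    print(decode_od(SAMPLE_DUMP))
```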