HCTF 2015 Write-ups
404
咦,404了 http://120.26.93.115:12340/3d9d48dc016f0417558ff26d82ec13cc/webI.php 奖励金币:50
echo "TXIuQ2VuZytHcmVhdFlZWCtKYWNrUGFuPXdhdGNoMHV0LCBhIHRlYW0gb2YgMyBjb21wdXRlciBnZWVrcy4" | base64 -d
咦,404了 http://120.26.93.115:12340/3d9d48dc016f0417558ff26d82ec13cc/webI.php 奖励金币:50
这个程序不能直接运行,我队友试了,直接死机。看了看是用C#写的,直接用.NET Reflector反编译,源码如下:123456789101112131415161718192021public static void Main(){ Console.WriteLine("Generating data..."); StreamWriter writer = new StreamWriter("temp.txt"); ulong num = 1L; do { writer.Write("ISG"); num += (ulong) 1L; } while (num <= 0xfa00000000L); writer.Close(); Console.WriteLine("Almost done..."); SHA1CryptoServiceProvider provider = new SHA1CryptoServiceProvider(); FileStream inputStream = new FileStream("temp.txt", FileMode.Open, FileAccess.Read); byte[] buffer = provider.ComputeHash(inputStream); inputStream.Close(); File.Delete("temp.txt"); Console.WriteLine("ISG{" + BitConverter.ToString(buffer).ToLower() + "}"); Console.ReadKey();}
点击界面上的链接http://202.120.7.104:8888/?view-source即可看到界面源码,其中php部分如下:123456789101112131415161718192021222324252627<?php if (isset($_GET['view-source'])) { show_source(__FILE__); exit(); } include('flag.php'); $smile = 1; if (!isset ($_GET['^_^'])) $smile = 0; if (ereg ('\.', $_GET['^_^'])) $smile = 0; if (ereg ('%', $_GET['^_^'])) $smile = 0; if (ereg ('[0-9]', $_GET['^_^'])) $smile = 0; if (ereg ('http', $_GET['^_^']) ) $smile = 0; if (ereg ('https', $_GET['^_^']) ) $smile = 0; if (ereg ('ftp', $_GET['^_^'])) $smile = 0; if (ereg ('telnet', $_GET['^_^'])) $smile = 0; if (ereg ('_', $_SERVER['QUERY_STRING'])) $smile = 0; if ($smile) { if (@file_exists ($_GET['^_^'])) $smile = 0; } if ($smile) { $smile = @file_get_contents ($_GET['^_^']); if ($smile === "(●'◡'●)") die($flag); } ?>
Category: Web Points: 200
Description:
http://203.66.14.43/cgi-bin/py4h4sher