diff --git a/players/NaiveTomcat/2020-11-07-dockerWP.md b/players/NaiveTomcat/2020-11-07-dockerWP.md
new file mode 100644
index 0000000..8920e94
--- /dev/null
+++ b/players/NaiveTomcat/2020-11-07-dockerWP.md
@@ -0,0 +1,6 @@
+# Docker WP
+
+## 思路
+
+`/var/lib/docker/overlay2`中有pull下来的docker镜像的文件,而这个docker的构建是先有flag.txt
+后来删除的,于是就能在这个目录中搜索到flag.txt。
diff --git a/players/NaiveTomcat/2020-11-07-字符串工具WP.md b/players/NaiveTomcat/2020-11-07-字符串工具WP.md
new file mode 100644
index 0000000..9b87938
--- /dev/null
+++ b/players/NaiveTomcat/2020-11-07-字符串工具WP.md
@@ -0,0 +1,35 @@
+# 字符串工具WP
+
+## 大小写转换
+
+### 思路
+
+本问利用Unicode连字U+FB02(fl连写),该字符被传入python的upper()方法后会被转为FL,
+进而达到绕过过滤的方法
+
+### 脚本
+
+```python
+#!/usr/bin/python
+import pwn
+token="token"
+p=pwn.remote("202.38.93.111",10233)
+p.sendline(token)
+p.recvuntil("2. Convert my UTF-7 string to UTF-8!!")
+p.sendline("1")
+p.recvuntil("Welcome to the capitalizer tool, please input your string:")
+payload="\ufb02\u0061\u0067"
+p.sendline(payload)
+p.interactive()
+```
+
+## UTF-7到UTF-8转换
+
+### 思路
+
+本问利用UTF-7编码规则,将flag中每个字母扩充为双字节(即在前面加/x00),整体base64编码
+并在最前面加上“+”以及去除末尾“=”,发送到服务,被UTF-7解码成flag进而获取flag
+
+### payload
+
+ `+AGYAbABhAGc`
diff --git a/players/NaiveTomcat/2020-11-07-狗狗银行WP.md b/players/NaiveTomcat/2020-11-07-狗狗银行WP.md
new file mode 100644
index 0000000..019bf36
--- /dev/null
+++ b/players/NaiveTomcat/2020-11-07-狗狗银行WP.md
@@ -0,0 +1,18 @@
+# 狗狗银行WP
+
+## 切入点
+
+后端计算利息的近似方法为四舍五入,故构造合理余额可使得借记卡利息达到0.6%,高于信用卡的0.5%从而获取利润
+
+## 解题方法
+
+分析创建卡、转账的请求,使用burp的intruder批量发包,首先自行手动创建一张信用卡,再通过burp批量创建998张借记卡
+(为了满足题目新增要求),再通过burp从信用卡向每一张新增的信用卡转账167元
+
+吃饭后,此时,每张卡都会有理论0.501元的利息,经过后端计算舍入得1元利息,共获得998元利息,而信用卡欠款166666元,
+利息833.33元,有164元差额。除去吃饭的10元仍有利润。重复几天就可以使净资产大于2000。
+
+## 错误解题方法
+
+看到题我的第一思路是整型溢出,于是借了很多钱,用burp请求/api/eat很多次,最后返回的欠款有2^1000不止。后端应该用
+的BigDecimal,不会出现溢出。
diff --git a/players/NaiveTomcat/2020-11-07-超简陋的OpenGL小程序WP.md b/players/NaiveTomcat/2020-11-07-超简陋的OpenGL小程序WP.md
new file mode 100644
index 0000000..1ea7373
--- /dev/null
+++ b/players/NaiveTomcat/2020-11-07-超简陋的OpenGL小程序WP.md
@@ -0,0 +1,23 @@
+# 超简陋的OpenGL小程序WP
+
+## 思路
+
+着色器脚本中更改视角和光源位置,更改完后运行即可
+
+## patch
+
+basic_lighting.fs
+```diff
+19c19
+< vec3 lightDir = normalize(-0.9* lightPos + FragPos);
+---
+> vec3 lightDir = normalize(lightPos - FragPos);
+```
+
+basic_lighting.vs
+```diff
+14c14
+< FragPos = vec3(-1 *model * vec4(aPos, 1.0));
+---
+> FragPos = vec3(model * vec4(aPos, 1.0));
+```