第十八届全国大学生信息安全竞赛（CISCN）暨第二届“长城杯”铁人三项赛 部分Writeup

a = [0x0a,0x0d,0x06,0x1c,0x1f,0x54,0x56,0x53,0x57,0x51,0x00,0x03,0x1d,0x14,0x58,0x56,0x03,0x19,0x1c,0x00,0x54,0x03,0x4b,0x14,0x58,0x07,0x02,0x49,0x4c,0x02,0x07,0x01,0x51,0x0c,0x08,0x00,0x01,0x00,0x03,0x00,0x4f,0x7d]

for i in range(len(a)-2, -1, -1):
    a[i] = a[i] ^ a[i+1]

print(''.join([chr(x) for x in a]))
# flag{d0f5b330-9a74-11ef-9afd-acde48001122}

import re
import json
from urllib.parse import unquote

# 解析access.log
with open('access.log', 'r', encoding='utf-8') as f:
    lines = f.readlines()

pattern = re.compile(
    r'(?P<ip>\d+\.\d+\.\d+\.\d+):(?P<port>\d+)\s'   # IP地址和端口
    r'(?P<client_ip>\d+\.\d+\.\d+\.\d+)\s-\s-\s'   # 客户端IP
    r'\[(?P<timestamp>.*?)\]\s'                    # 时间戳
    r'"(?P<method>\w+)\s(?P<path>[^\s]+)\sHTTP/1.1"\s'  # 请求方法和path
    r'(?P<status>\d+)\s(?P<size>\d+)\s'            # 状态码和返回字节数
    r'"(?P<referrer>.*?)"\s'                       # 来源链接
    r'"(?P<user_agent>.*?)"'                       # 用户代理
)

logs = []
for line in lines:
    match = pattern.match(line)
    if match:
        log = match.groupdict()
        log['size'] = int(log['size'])
        log['status'] = int(log['status'])
        log['path'] = unquote(log['path'])
        logs.append(log)

print('[+] 共解析出%d条日志' % len(logs))

# 筛选出user-agent为sqlmap/1.8.9.1#dev (https://sqlmap.org)，且时间在01/Nov/2024:03:07:32 +0000及之后的请求，且path开头为"/publishers.php?pub_id=9952",末尾为"-- 任意四字符"
filter_log = []
for log in logs:
    if log['user_agent'] == 'sqlmap/1.8.9.1#dev (https://sqlmap.org)' and log['timestamp'] >= '01/Nov/2024:03:07:32 +0000':
        pattern = re.compile(r'-- [a-zA-Z]{4}')
        if pattern.match(log['path'][-7:]) and log['path'].startswith('/publishers.php?'):
            filter_log.append(log)

print('[+] 共筛选出%d条日志' % len(filter_log))


# 将log根据特征进行分组
grouped_logs = {}
for log in filter_log:
    key = log['path'][-4:]
    if key not in grouped_logs:
        grouped_logs[key] = []
    grouped_logs[key].append(log)

print('[+] 共分组%d组' % len(grouped_logs))

grouped = {}
for key, logs in grouped_logs.items():
    pattern = r"SUBSTR\(\((.*?)\),(\d+),\d+\)([>=])CHAR\((\d+)\)"
    if len(logs) > 1:
        for log in logs:
            match = re.search(pattern, log['path'])
            if match:
                if key not in grouped:
                    grouped[key] = {'sql': match.group(1), 'chars': []}
                pos = int(match.group(2))
                if pos > len(grouped[key]['chars']):
                    grouped[key]['chars'].append([])
                grouped[key]['chars'][pos-1].append((match.group(3), int(match.group(4)), log['size'] == 459))


for key, value in grouped.items():
    result_str = ''
    print(value['sql'])
    for i, chars in enumerate(value['chars']):
        larger = []
        smaller_equal = []
        skip = False
        for char in chars:
            if char[0] == '=' and char[2]:
                result_str += chr(char[1])
                skip = True
                break
            if char[0] == '>' and char[2]:
                larger.append(char[1])
            else:
                smaller_equal.append(char[1])
        if not skip:
            if len(smaller_equal) > 0:
                result_str += chr(min(smaller_equal))
            else:
                result_str += chr(max(larger))
    print(result_str)
    print()