2021-08-24

虚拟机里搭 CVE-2020-14882环境用了一天半。。。。 help me…哎= =

1,整理下Shiro-550漏洞

2. hws 预夏令营的wp 两道re题

一: ubuntu 切换到nat模式
docker run -d -p 8081:8080 medicean/vulapps:s_shiro_1
得ip
特征
打开工具
输入cmd
在弹出的命令行输入以下命令,指定 java 环境(可用 tab 键自动补全)
准备连冰蝎

同理开冰蝎
得到受害机目录
漏洞原理:
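由于 Apache Shiro 的 cookie 中通过 AES-128-CBC 模式加密的 rememberMe 字段存在问题,用户可通过 Padding Oracle 加密生成的攻击代码来构造恶意的 rememberMe 字段,并重新请求网站,进行反序列化攻击,最终导致任意代码执行。
影响版本:Apache Shiro < 1.4.2
(注:以上原理和影响版本描述的是 rememberMe 的 Padding Oracle 问题;Shiro-550 本身的成因是 rememberMe 的 AES 密钥为硬编码的默认值,两者不是同一个漏洞,排查和升级时需分别确认。)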

二,hws

xtea

一个tea加密,再逆向解密:

#include <stdio.h>

/* 16-byte key used by tea_decode(), which reads it as four 32-bit words.
 * NOTE(review): the sequence skips 0x2 and ends with 0x0 -- presumably copied
 * as-is from the challenge binary; confirm before reusing. */
unsigned char KEY[] = {0x0, 0x1, 0x3, 0x4, 0x5, 0x6, 0x7
				, 0x8, 0x9, 0xa, 0xb, 0xc, 0xd, 0xe, 0xf, 0x0};

/* 32 bytes of ciphertext; tea_decode() processes it as four 8-byte blocks
 * and overwrites it in place with the plaintext. */
unsigned char ENC[] = {0x42, 0xC7, 0xCA, 0x40, 0xC1, 0x75, 0x16, 0xEF,
 0xE7, 0x37, 0x6E, 0x69, 0x1B, 0x0B, 0x0F, 0x78, 0xDF, 0xE0, 0xE0, 0x7B, 0x5F, 0x50, 0x57, 0x05, 0xF4, 0x73, 0xD2, 0x35, 0x47, 0xD5, 0x6C, 0x5A};

/* Returns the running sum that decryption starts from: 0x61c88647 subtracted
 * 32 times from zero with unsigned wraparound. Subtracting 0x61c88647 is the
 * same as adding 0x9E3779B9 modulo 2^32, so this is the sum after 32
 * encryption rounds. Assumes a 32-bit unsigned int. */
unsigned int get_delat()
{
	const unsigned int step = 0x61c88647;
	unsigned int acc = 0;
	int remaining = 32;

	while (remaining-- > 0)
		acc -= step;

	return acc;
}

/* Reverses the byte order of every complete 4-byte group in a[0..len),
 * in place. Trailing bytes that do not fill a whole group are left untouched.
 *
 *   a   - buffer to modify
 *   len - buffer length in bytes
 */
void byte_order(unsigned char *a, int len)
{
	int groups = len / 4;

	for (unsigned char *p = a; groups > 0; groups--, p += 4)
	{
		unsigned char t;

		/* swap the outer pair, then the inner pair */
		t = p[0]; p[0] = p[3]; p[3] = t;
		t = p[1]; p[1] = p[2]; p[2] = t;
	}
}

/* Decrypts ENC in place with 32-round TEA under KEY.
 *
 * KEY and ENC are byte-swapped per 32-bit word before the rounds, and ENC is
 * swapped back afterwards so the plaintext comes out in byte order.
 *
 * NOTE(review): KEY is swapped in place and never restored, so a second call
 * would run with a different key. The casts to unsigned int * assume a 4-byte
 * unsigned int and suitably aligned arrays -- confirm on the target compiler.
 */
void tea_decode()
{
	byte_order(KEY, 16);
	byte_order(ENC, 32);

	unsigned int *k = (unsigned int *)KEY;
	int block = 0;

	while (block < 4)
	{
		unsigned int *v = (unsigned int *)(ENC + 8 * block);
		unsigned int sum = get_delat();

		for (int round = 32; round > 0; round--)
		{
			/* '+' and '*' bind tighter than '^', so each update is the XOR of
			 * three terms; the parentheses only make that grouping explicit. */
			v[1] -= ((v[0] >> 5) + k[3]) ^ (sum + v[0]) ^ ((v[0] * 0x10) + k[2]);
			v[0] -= ((v[1] >> 5) + k[1]) ^ (sum + v[1]) ^ ((v[1] * 0x10) + k[0]);
			sum += 0x61c88647;
		}

		block++;
	}

	byte_order(ENC, 32);
}

/* Decrypts the embedded ciphertext and prints the 32 resulting bytes as
 * characters, with no trailing newline. */
int main(void)
{
	tea_decode();

	int idx = 0;
	while (idx < 0x20)
	{
		printf("%c", ENC[idx]);
		idx++;
	}

	return 0;
}
//flag{th1s_is_TEA_enc0de_hahaha_}

BabyTrans

先对输入的每个字节加 6,然后用密钥为 [1]*16 的 AES-ECB 加密,接着对密文做几十次加法:使用 paddb 指令,以 16 字节为一组逐字节相加(溢出回绕,所以解密时逐字节相减并 & 0xff)。

逆向解密:
#coding:utf-8
import base64
from Crypto.Cipher import AES

class AesEncry(object):
    """AES-ECB decryption helper using the fixed key from the challenge.

    ECB uses no IV and provides no integrity check; it is used here only
    because the write-up says the target binary encrypts this way.
    """

    # Sixteen 0x01 bytes.
    key = bytes([0x01] * 16)

    def decrypt(self, data):
        """Base64-decode *data* and return its AES-ECB decryption as bytes.

        The decoded length must be a multiple of the 16-byte AES block size.
        """
        raw = base64.b64decode(data)
        cipher = AES.new(self.key, AES.MODE_ECB)
        return cipher.decrypt(raw)

# Per-round byte addends; the write-up says the binary adds these to the
# ciphertext one after another with byte-wise wraparound.
num = [111, 95, 63, 62, 52, 21, 115, 70, 18, 19, 20, 59, 97, 44, 49, 45, 13, 29, 39, 89, 74, 104, 14, 28, 12, 10, 113, 84, 83, 93, 40, 27, 125, 112, 90, 91, 114, 4, 48, 47, 5, 66, 77, 72, 122, 71, 73, 9, 78, 17, 61, 98, 124, 3, 87, 8, 2, 58, 119, 46, 15, 34, 69, 51, 26, 105, 56, 37, 109, 16, 38, 118, 23, 35, 117, 86, 92, 82, 53, 31, 88, 24, 57, 33, 99, 103, 76, 120, 116, 41, 11, 65, 55, 6, 68, 123, 32, 108, 110, 7, 54, 60, 96, 107, 67, 127, 64, 75, 94, 79, 42, 22, 101, 100, 43, 1, 126, 30, 36, 81, 25, 102, 80, 121, 106, 85, 50]

# 32 bytes of final ciphertext (two AES blocks).
enc = [0x70, 0xC2, 0x2D, 0xDF, 0xD8, 0x1C, 0x87, 0xEA, 0x1D, 0x28, 0x93, 0x5B, 0xCF, 0x4D, 0x02, 0xFC, 0xFF, 0xD9, 0xC6, 0x61, 0x4D, 0x56, 0x4F, 0x5B, 0x3A, 0x4E, 0xCA, 0xE6, 0x70, 0x25, 0x8F, 0x8B]

# Undo the additions. Every addend is applied to every byte modulo 256, so
# the order is irrelevant and the whole series collapses to one subtraction
# of the summed addends.
total_shift = sum(num) & 0xff
enc = [(b - total_shift) & 0xff for b in enc]

# AesEncry.decrypt() expects base64 input, so wrap the raw bytes first.
enc = base64.b64encode(bytes(enc))

# Undo the initial "+6" applied to each input byte.
# NOTE(review): there is no & 0xff here, so a decrypted byte below 6 would
# make bytes() raise ValueError.
flag = [b - 6 for b in AesEncry().decrypt(enc)]

print(bytes(flag))

#160d2ef62f297d3e576e7e048fb9c16

hws夏令营 yyds