记一次对C语言课测评程序进行分析

Author： Juneha
发布时间：November 29, 2023
3446 views
6 comments
8822 words
Categories：学习笔记

0x01前言

c语言课每周都要进行小测(平时分呀|´・ω・)ノ)，小测用的是学校自己开发的软件，每次小测会发个压缩包目录结构如下,他这里带了Test.mdb是带密码的

运行client.exe界面如下,要求填入自己的学号+姓名这个没有对接到数据库随意填的

登入后主界面如下,做题过程中老师会拉取我们的文件然后过去测评，最后给出分数

0x02 静态分析

对于逆向只会F5的来说只能看看字符串了,他这里退出程序是需要密码的(当然任务管理器也可以)

查看一下字符串很轻松看到退出密码是 fjxxxx

然后在找一下数据库的密码,很轻松找到连接的密码fjxxxx

数据库里面也就存放题目跟题目类型，没啥东西

0x03网络行为

3.1 捕获分析广播包

首先打开程序学号跟姓名随便输入

然后打开Wireshark抓包,这里看到了几个udp广播包

通过查看数据流内容,可以发现是我们学号+姓名+路径+主机名

由于我不太会逆向这里用土办法来,通过上课抓取局域网内的广播包,发现数据包内容从我箭头指的位置开始存放学号+姓名也就是开始->88位的长度可能是存放版本或者其他信息的这里没去看软件封装过程不太清楚

这里数据为

01000000010000005f0000000d24bf0060818403afee07448ec1dd1b7b16b139799db92fa82cefbab6a61a1731323331323331323331323331323361736461736461736473616461736400000000000000000000000000000000000000000000000000000000000000000000433a5c55736572735c546573745c4465736b746f705c415744415344415344415344415344415344000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000057696e646f7773203720486f6d652045646974696f6e2000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000000000000

前88位是

01000000010000005f0000000d24bf0060818403afee07448ec1dd1b7b16b139799db92fa82cefbab6a61a17

去掉后内容为下面的内容，可以看到开头就是学号+姓名的字符串了，有固定长度不足的补0了，那么很简单就能取出学号+姓名

31323331323331323331323331323361736461736461736473616461736400000000000000000000000000000000000000000000000000000000000000000000433a5c55736572735c546573745c4465736b746f705c415744415344415344415344415344415344000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000057696e646f7773203720486f6d652045646974696f6e2000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000000000000

也就是这部分一共是128位来存放这部分内容

31323331323331323331323331323361736461736461736473616461736400000000000000000000000000000000000000000000000000000000000000000000

取出学号后现在值为开头部分为代码路径

433a5c55736572735c546573745c4465736b746f705c415744415344415344415344415344415344000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000057696e646f7773203720486f6d652045646974696f6e2000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000000000000

也就是这部分总共528位

433a5c55736572735c546573745c4465736b746f705c4157444153444153444153444153444153440000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

后面的部分也是528位来存放主机名

57696e646f7773203720486f6d652045646974696f6e2000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000000000000

现在得到了这个数据包的构成

88位(头部信息)+128(学号+姓名)+528(代码路径)+528(主机名)

写个python函数来格式化他

def process_data(data):
    # 提取头部内容
    head = data[:88]
    # 去除头部部分
    body = data[88:]
    # 提取姓名学号 128位
    name_hex = body[:128]
    # 提取路径 除去128位取 528
    path_hex = body[128:656]
    # 提取主机名 剩下部分
    hostname_hex = body[656:]
    # 转换为字符串
    name = bytes.fromhex(name_hex).decode()
    # 分离学号和姓名
    last_digit_index = None
    for i in range(len(name)):
        if name[i].isdigit():
            last_digit_index = i
    if last_digit_index is not None:
        student_id = name[:last_digit_index+1]
        name = name[last_digit_index+1:]
    else:
        # 如果找不到数字，则默认将整个name作为姓名，学号为空
        student_id = ""
    
    path = bytes.fromhex(path_hex).decode()
    hostname = bytes.fromhex(hostname_hex).decode()

    # 输出处理后的内容
    print("Student ID:", student_id)
    print("Name:", name)
    print("Path:", path)
    print("Hostname:", hostname)
    return student_id, name, path, hostname

然后利用scapy模块抓取流量然后分析输出信息，即可分析出局域网里面的所有学生用户信息

在机房实测效果

3.2 拉取他人文件

这里在平时小测的时候抓包然后分析,可以看到这里172.24.23.121为服务端跟我这里本机的12570发起握手

查看端口可以发现固定监听本机的12750

数据包内容为,GET然后要获取的文件名跟后缀名

本地用NC测试一下

然后这里用python的socket模块发送数据，配合多线程然后把获取到的内容保存到txt

在机房小测效果图,可以拉取别人作业的文件

3.3 伪造上线

既然是通过广播的方式去获取学生的信息，那么可以通过python一直构造数据包让服务端显示一大堆学生,但是前88位里面的部分值是有变动的不晓得只改学号部分重发会不会在服务都端显示，这里没有服务端文件无法测试，当然也没必要测试，c语言老师人还挺好的

0x04 思考

还是需要学一下逆向，希望下次分析这种类似的程序是通过逆向分析代码逻辑进行利用而不是像这次这样，也希望c语言期末考分数能高一点哈哈

Last modification：March 21, 2024

本文作者：Juneha
本文链接：https://blog.mo60.cn/index.php/archives/1353.html
版权声明：本博客所有文章除特别声明外，均默认采用 CC BY-NC-SA 4.0 许可协议。
法律说明：
文章声明：文章中涉及的程序(方法)可能带有攻击性，仅供安全研究与教学之用，读者将其信息做其他用途，由用户承担全部法律及连带责任，文章作者不承担任何法律及连带责任，本人坚决反对利用文章内容进行恶意攻击行为，推荐大家在了解技术原理的前提下，更好的维护个人信息安全、企业安全、国家安全，本文内容未隐讳任何个人、群体、公司。非文学作品，请勿过度理解，根据《计算机软件保护条例》第十七条，本站所有软件请仅用于学习研究用途。

如果觉得我的文章对你有用，请随意赞赏,可备注留下ID方便感谢

6 comments

yy
2024-01-15 00:19

好好玩

Reply
Xmonkey
2023-12-18 08:09

好好好，是你。

Reply
1. Juneha
  2023-12-18 12:48
  
  @Xmonkey
  
  是我
  
  Reply
二十八华生
2023-12-09 13:16

该评论仅登录用户及评论双方可见

Reply
兔子 4
2023-11-30 10:36

受益匪浅感觉人生都得到了升华这是一个非常具有挑战性的文章技术性甚至能申报迪士尼世界纪录

Reply
1. Juneha 1
  2023-11-30 16:31
  
  @兔子
  
  尬黑我是吧
  
  Reply

记一次对C语言课测评程序进行分析

Juneha • 2023 年 11 月 29 日

<h2>0x01前言</h2>c语言课每周都要进行小测(平时分呀|´・ω・)ノ)，小测用的是学校自己开发的软件，每次小测会发个压缩包目录结构如下,他这里带了Test.mdb是带密码的<img src="https://blog.mo60.cn/usr/uploads/2023/11/601062275.png" alt="42247-c831cythg9k.png" title="42247-c831cythg9k.png"style="">运行client.exe界面如下,要求填入自己的学号+姓名 这个没有对接到数据库随意填的<img src="https://blog.mo60.cn/usr/uploads/2023/11/1071191394.png" alt="30763-jfklh6rz75j.png" title="30763-jfklh6rz75j.png"style="">登入后主界面如下,做题过程中老师会拉取我们的文件然后过去测评，最后给出分数<img src="https://blog.mo60.cn/usr/uploads/2023/11/4163703531.png" alt="89942-97mn9o8h89.png" title="89942-97mn9o8h89.png"style=""><h2>0x02 静态分析</h2>对于逆向只会F5的来说只能看看字符串了,他这里退出程序是需要密码的(当然任务管理器也可以)<img src="https://blog.mo60.cn/usr/uploads/2023/11/55950754.png" alt="65427-elszj6qyy1l.png" title="65427-elszj6qyy1l.png"style="">查看一下字符串很轻松看到退出密码是 fjxxxx<img src="https://blog.mo60.cn/usr/uploads/2023/11/4294225974.png" alt="62768-yg97681q32p.png" title="62768-yg97681q32p.png"style="">然后在找一下数据库的密码,很轻松找到连接的密码fjxxxx<img src="https://blog.mo60.cn/usr/uploads/2023/11/2562235181.png" alt="21819-ecpy5xj5c0n.png" title="21819-ecpy5xj5c0n.png"style="">数据库里面也就存放题目跟题目类型，没啥东西<img src="https://blog.mo60.cn/usr/uploads/2023/11/2724385771.png" alt="19963-fs31um54qdt.png" title="19963-fs31um54qdt.png"style=""><h2>0x03网络行为</h2><h3>3.1 捕获分析广播包</h3>首先打开程序学号跟姓名随便输入<img src="https://blog.mo60.cn/usr/uploads/2023/11/915012304.png" alt="31267-oqbwfphdshs.png" title="31267-oqbwfphdshs.png"style="">然后打开Wireshark抓包,这里看到了几个udp广播包<img src="https://blog.mo60.cn/usr/uploads/2023/11/884714914.png" alt="81351-vd3zjhr4oh.png" title="81351-vd3zjhr4oh.png"style="">通过查看数据流内容,可以发现是我们学号+姓名+路径+主机名<img src="https://blog.mo60.cn/usr/uploads/2023/11/1028363322.png" alt="99173-2i2p1rr7qto.png" title="99173-2i2p1rr7qto.png"style="">由于我不太会逆向这里用土办法来,通过上课抓取局域网内的广播包,发现数据包内容从我箭头指的位置开始存放学号+姓名 也就是 开始-&gt;88位的长度可能是存放版本或者其他信息的这里没去看软件封装过程不太清楚<img src="https://blog.mo60.cn/usr/uploads/2023/11/271060000.png" alt="84293-n1ak7j1e3p.png" title="84293-n1ak7j1e3p.png"style="">这里数据为<pre><code>01000000010000005f0000000d24bf0060818403afee07448ec1dd1b7b16b139799db92fa82cefbab6a61a1731323331323331323331323331323361736461736461736473616461736400000000000000000000000000000000000000000000000000000000000000000000433a5c55736572735c546573745c4465736b746f705c415744415344415344415344415344415344000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000057696e646f7773203720486f6d652045646974696f6e2000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000000000000</code></pre>前88位是<pre><code>01000000010000005f0000000d24bf0060818403afee07448ec1dd1b7b16b139799db92fa82cefbab6a61a17</code></pre>去掉后内容为下面的内容，可以看到开头就是学号+姓名的字符串了，有固定长度不足的补0了，那么很简单就能取出学号+姓名<pre><code>31323331323331323331323331323361736461736461736473616461736400000000000000000000000000000000000000000000000000000000000000000000433a5c55736572735c546573745c4465736b746f705c415744415344415344415344415344415344000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000057696e646f7773203720486f6d652045646974696f6e2000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000000000000</code></pre>也就是这部分一共是128位来存放这部分内容<pre><code>31323331323331323331323331323361736461736461736473616461736400000000000000000000000000000000000000000000000000000000000000000000</code></pre>取出学号后现在值为开头部分为代码路径<pre><code>433a5c55736572735c546573745c4465736b746f705c415744415344415344415344415344415344000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000057696e646f7773203720486f6d652045646974696f6e2000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000000000000</code></pre>也就是这部分总共528位<pre><code>433a5c55736572735c546573745c4465736b746f705c4157444153444153444153444153444153440000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000</code></pre>后面的部分也是528位来存放主机名<pre><code>57696e646f7773203720486f6d652045646974696f6e2000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000000000000</code></pre>现在得到了这个数据包的构成<pre><code>88位(头部信息)+128(学号+姓名)+528(代码路径)+528(主机名)</code></pre>写个python函数来格式化他<pre><code>def process_data(data):
 # 提取头部内容
 head = data[:88]
 # 去除头部部分
 body = data[88:]
 # 提取姓名学号 128位
 name_hex = body[:128]
 # 提取路径 除去128位取 528
 path_hex = body[128:656]
 # 提取主机名 剩下部分
 hostname_hex = body[656:]
 # 转换为字符串
 name = bytes.fromhex(name_hex).decode()
 # 分离学号和姓名
 last_digit_index = None
 for i in range(len(name)):
 if name[i].isdigit():
 last_digit_index = i
 if last_digit_index is not None:
 student_id = name[:last_digit_index+1]
 name = name[last_digit_index+1:]
 else:
 # 如果找不到数字，则默认将整个name作为姓名，学号为空
 student_id = &quot;&quot;
 
 path = bytes.fromhex(path_hex).decode()
 hostname = bytes.fromhex(hostname_hex).decode()

# 输出处理后的内容
 print(&quot;Student ID:&quot;, student_id)
 print(&quot;Name:&quot;, name)
 print(&quot;Path:&quot;, path)
 print(&quot;Hostname:&quot;, hostname)
 return student_id, name, path, hostname</code></pre><img src="https://blog.mo60.cn/usr/uploads/2023/11/1547269732.png" alt="71198-zt4fvk28msg.png" title="71198-zt4fvk28msg.png"style="">然后利用scapy模块抓取流量然后分析输出信息，即可分析出局域网里面的所有学生用户信息<img src="https://blog.mo60.cn/usr/uploads/2023/11/3568927009.png" alt="28318-sww8wv40bh.png" title="28318-sww8wv40bh.png"style="">在机房实测效果<img src="https://blog.mo60.cn/usr/uploads/2023/11/2751969767.png" alt="14028-ecdq4llrj3c.png" title="14028-ecdq4llrj3c.png"style=""><h3>3.2 拉取他人文件</h3>这里在平时小测的时候抓包然后分析,可以看到这里172.24.23.121为服务端跟我这里本机的12570发起握手<img src="https://blog.mo60.cn/usr/uploads/2023/11/4026414892.png" alt="48542-s6iwyj827x.png" title="48542-s6iwyj827x.png"style="">查看端口可以发现固定监听本机的12750<img src="https://blog.mo60.cn/usr/uploads/2023/11/717010617.png" alt="73353-1fk45waxpvrh.png" title="73353-1fk45waxpvrh.png"style="">数据包内容为,GET然后要获取的文件名跟后缀名<img src="https://blog.mo60.cn/usr/uploads/2023/11/2764934905.png" alt="52524-b05uf4zpof.png" title="52524-b05uf4zpof.png"style="">本地用NC测试一下<img src="https://blog.mo60.cn/usr/uploads/2023/11/2455403963.png" alt="34564-wx5mfw8tzjc.png" title="34564-wx5mfw8tzjc.png"style="">然后这里用python的socket模块发送数据，配合多线程然后把获取到的内容保存到txt<img src="https://blog.mo60.cn/usr/uploads/2023/11/468918274.png" alt="69898-2ed03ir5smb.png" title="69898-2ed03ir5smb.png"style="">在机房小测效果图,可以拉取别人作业的文件<img src="https://blog.mo60.cn/usr/uploads/2023/11/3650329760.png" alt="69254-pfm1zahjjb.png" title="69254-pfm1zahjjb.png"style=""><h3>3.3 伪造上线</h3>既然是通过广播的方式去获取学生的信息，那么可以通过python一直构造数据包让服务端显示一大堆学生,但是前88位里面的部分值是有变动的不晓得只改学号部分重发会不会在服务都端显示，这里没有服务端文件无法测试，当然也没必要测试，c语言老师人还挺好的<h2>0x04 思考</h2>还是需要学一下逆向，希望下次分析这种类似的程序是通过逆向分析代码逻辑进行利用而不是像这次这样，也希望c语言期末考分数能高一点哈哈

记一次对C语言课测评程序进行分析

0x01前言

0x02 静态分析

0x03网络行为

3.1 捕获分析广播包

3.2 拉取他人文件

3.3 伪造上线

0x04 思考

6 comments

Leave a Comment Cancel reply
使用cookie技术保留您的个人信息以便您下次快速评论，继续评论表示您已同意该条款，评论的邮箱不会被公开仅用于接收回复。

题目+答案+2023年全国职业院校技能大赛信息安全管理与评估真题

2023年全国职业院校技能大赛信息安全管理与评估-3阶段web复盘模拟解析

后渗透神器Cobalt Strike使用教程

1Panel面板前台sql注入到网站功能rce漏洞(CVE-2024-39911)

记第一次cve申请之旅

题目+答案+2023年全国职业院校技能大赛信息安全管理与评估真题

记2022年福建省第三届“闽盾杯”网络空间安全大赛黑盾赛道从线上初赛到决赛writeup解析

Edusrc漏洞审核通过通知监控脚本

记一次mssql注入到cs上线

Typecho1.2 - 1.2.1-rc前台评论存储xss到rce 漏洞复现-分析-修复

记一次对C语言课测评程序进行分析

0x01前言

0x02 静态分析

0x03网络行为

3.1 捕获分析广播包

3.2 拉取他人文件

3.3 伪造上线

0x04 思考

6 comments

Leave a Comment Cancel reply 使用cookie技术保留您的个人信息以便您下次快速评论，继续评论表示您已同意该条款，评论的邮箱不会被公开仅用于接收回复。

记一次对C语言课测评程序进行分析

Leave a Comment Cancel reply
使用cookie技术保留您的个人信息以便您下次快速评论，继续评论表示您已同意该条款，评论的邮箱不会被公开仅用于接收回复。