文章目录
- Defcon 2018 Qualify: Easy Pisy
-
- 1. Source Code
- 2. Writeup
- 3. Info
- 4. Analysis of Author
- 5. 语言中的签名函数
- 6. 密码学知识点
- 7. Bucket 配置错误
- 8. [《Non-interactive cryptographic timestamping based on verifiable delay functions》](https://eprint.iacr.org/2019/197.pdf)
- 9. [sha1collisiondetection](https://github.com/cr-marcstevens/sha1collisiondetection)
- 10. [《On immutability of blockchains》](https://dl.eusset.eu/bitstream/20.500.12015/3160/1/blockchain2018_04.pdf)
- 11. collect Crypto 2021 Paper
- 12. [A Hacker’s guide to reducing side-channel attack surfaces using deep-learning](https://elie.net/talk/a-hacker-guide-to-side-channel-attack-surface-reduction-using-deep-learning/)
- 13. 基于旁路攻击的AES算法中间变量脆弱点
- 总结
Defcon 2018 Qualify: Easy Pisy
1. Source Code
题目给了俩PHP:
execute.php
<?php
include 'common.php';
if ($_SERVER['REQUEST_METHOD'] === 'GET') {
print highlight_string(file_get_contents("execute.php"), TRUE);
exit(0);
}
$keys = get_keys();
$privkey = $keys[0];
$pubkey = $keys[1];
$file_info = $_FILES['userfile'];
check_uploaded_file($file_info);
$data = file_get_contents($file_info['tmp_name']);
$signature = hex2bin($_POST['signature']);
if (openssl_verify($data, $signature, $pubkey)) {
print 'Signature is OK.<br/>';
} else {
die('Bad signature.');
}
$text = pdf_to_text($file_info['tmp_name']);
print "Text: \"$text\"<br/>";
$execute_query = "EXECUTE ";
$echo_query = "ECHO ";
if (substr($text, 0, strlen($execute_query)) === $execute_query) {
$payload = substr($text, strlen($execute_query));
print "About to execute: \"$payload\".<br/>";
$out = shell_exec($payload);
print "Output: $out";
} else if (substr($text, 0, strlen($echo_query)) === $echo_query) {
$payload = substr($text, strlen($echo_query));
print "About to echo: \"$payload\".<br/>";
echo $payload;
} else {
print "I can't recognize the command type. Go away.<br/>";
}
?>
shellme.php
<?php
include 'common.php';
if ($_SERVER