Web
代码审计
#! /usr/bin/env python
# encoding=utf-8
from flask import Flask
from flask import request
import hashlib
import urllib.parse
import os
import json
app = Flask(__name__)
# 16 random bytes drawn once at import time: the signing key lives only in this
# process, so every restart invalidates any signature issued before it.
secret_key: bytes = os.urandom(16)
class Task:
    """One signed request: an action string, its parameter, the client-supplied
    signature, and a per-client sandbox directory named after md5(ip).

    append_to_file() and read_from_file() are called by Exec() but are not part
    of this listing.
    """

    def __init__(self, action, param, sign, ip):
        self.action = action
        self.param = param
        self.sign = sign
        # Sandbox directory name is md5(ip), created relative to the working directory.
        # NOTE(review): exists()+mkdir() is a check-then-act pair; os.makedirs(...,
        # exist_ok=True) would do the same without the race.
        self.sandbox = md5(ip)
        if not os.path.exists(self.sandbox):
            os.mkdir(self.sandbox)

    def Exec(self):
        """Verify the signature, run the requested action(s), return a result dict.

        Returns {'code': 500, 'msg': 'Sign Error'} on a bad signature; otherwise
        'code' is 200 when an action ran and 500 (with data "Action Error") when
        neither "scan" nor "read" matched or the scan branch left code at 500.
        """
        if not self.checkSign():
            return {'code': 500, 'msg': "Sign Error"}
        outcome = {'code': 500}
        # Substring matching: an action containing both words runs scan first, then read.
        if "scan" in self.action:
            resp = scan(self.param)
            # In this listing scan() never returns this string, so the branch is dead here;
            # if it did fire, the 'code' stays 500 and data is overwritten below.
            if resp == "Connection Timeout":
                outcome['data'] = resp
            else:
                print(resp)
                self.append_to_file(resp)  # append the content to the existing file
                outcome['code'] = 200
        if "read" in self.action:
            outcome['code'] = 200
            outcome['data'] = self.read_from_file()  # read back the existing file
        if outcome['code'] == 500:
            outcome['data'] = "Action Error"
        return outcome

    def checkSign(self):
        """True when the stored signature equals get_sign(action, param)."""
        # NOTE(review): a plain == on hex digests is not constant-time;
        # hmac.compare_digest is the usual choice for comparing authentication tags.
        return get_sign(self.action, self.param) == self.sign
@app.route("/geneSign", methods=['GET', 'POST'])
def geneSign():
    """Return the signature of (action="scan", param=?param).

    The action is fixed to "scan"; only the param part is caller-controlled.
    """
    raw_param = request.args.get("param", "")
    return get_sign("scan", urllib.parse.unquote(raw_param))
@app.route('/De1ta', methods=['GET', 'POST'])
def challenge():
    """Build a Task from cookies (action, sign) and ?param, run it, return JSON.

    action and sign are read without a default, so a request missing either
    cookie passes None to unquote(), which raises instead of yielding "Sign Error".
    """
    cookies, args = request.cookies, request.args
    action = urllib.parse.unquote(cookies.get("action"))
    param = urllib.parse.unquote(args.get("param", ""))
    sign = urllib.parse.unquote(cookies.get("sign"))
    client_ip = request.remote_addr
    # waf() only inspects param; action and sign are passed through unchecked.
    if waf(param):
        return "No Hacker!!!!"
    task = Task(action, param, sign, client_ip)
    return json.dumps(task.Exec())
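@app.route('/')
def index():
    """Serve the challenge source stored in code.txt (relative to the working directory)."""
    # A context manager closes the handle deterministically; the original
    # open(...).read() left the file object for the garbage collector.
    with open("code.txt", "r") as src:
        return src.read()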
def scan(param):
    """Return the text of the file at *param*, or a fixed message if it is absent.

    Only FileNotFoundError is handled; other OSErrors (permissions, a directory)
    propagate to the caller.
    NOTE(review): the path is opened exactly as received and is not confined to the
    per-client sandbox directory; resolving it against a base directory and rejecting
    anything outside it is the standard mitigation.
    """
    try:
        handle = open(param, 'r')
    except FileNotFoundError:
        return "The file does not exist"
    with handle:
        return handle.read()
def md5(content):
    """Hex MD5 digest of *content* after encoding it with the default codec."""
    digest = hashlib.md5()
    digest.update(content.encode())
    return digest.hexdigest()
def get_sign(action, param):
    """Hex MD5 of secret_key || param || action, both strings encoded as latin1."""
    # NOTE(review): the fields are concatenated with no delimiter or length prefix, so
    # the digest does not bind where param ends and action begins; a keyed MAC (hmac)
    # over a delimited or length-prefixed encoding is the usual construction.
    material = b"".join((secret_key, param.encode('latin1'), action.encode('latin1')))
    return hashlib.md5(material).hexdigest()
def waf(param):
    """True when *param*, stripped and lower-cased, starts with "gopher" or "file".

    A prefix-only, two-entry denylist; anything else passes.
    """
    return param.strip().lower().startswith(("gopher", "file"))
if __name__ == '__main__':
    # Debug mode is switched off explicitly before serving.
    app.debug = False
    app.run()
审计代码,最终要访问的是De1ta,并且提供action,sign作为cookie,param中是我们要读取的flag.txt。
随后调用Task类,通过scan动作,把flag.txt读取并写入到临时文件中,然后通过read动作,把写在临时文件中的字符串返回。
在执行action之前会有个checkSign的验签函数,调用get_sign函数,把key,param,action进行拼接。
虽然我们不知道key,但是发现存在geneSign函数,同样使用了key和param,并且action固定为scan。
因此我们先调用geneSign并把param传值为flag.txtread,就可以构造出checkSign要使用的key+flag.txtreadscan这个串的md5
最后构造payload即可获取flag。
Reverse
迷失之门
逆向代码后可发现存在check1和check2两个函数,check2是比对最终flag,可以根据比对内容反推出最终flag应为“FSBBhKguIibsScDqgKzakWsVoa6”
check1函数是将输入与v3串做差值,然后根据差值进行不同的处理,逆向操作该函数即可得到flag。
v16 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
v10 = "abcdefghijklmnopqrstuvwxyz"
v4 = "0123456789+/-=!#&*()?;:*^%"
v3 = "DABBZXQESVFRWNGTHYJUMKIOLPC"
flag = "FSBBhKguIibsScDqgKzakWsVoa6"
# Undo check1: output char i is v3[i] shifted by the alphabet index of flag[i]
# (A-Z -> 0..25, a-z -> 26..51, anything else -> 52 + distance from '0').
decoded = []
for i, ch in enumerate(flag):
    if 'A' <= ch <= 'Z':
        offset = ord(ch) - ord('A')
    elif 'a' <= ch <= 'z':
        offset = ord(ch) - ord('a') + 26
    else:
        offset = ord(ch) - ord('0') + 52
    decoded.append(chr(ord(v3[i]) + offset))
f = "".join(decoded)
print(f)
Misc
一道简单的RSA
题目给出n,e,c,(p-2)*(q-1),(p-1)*(q-2)
# n=p*q
# phi=(p-1)*(q-1)
#
# (p-2)*(q-1)=pq-p-2q+2
# (p-1)*(q-2)=pq-2p-q+2
# (p-2)*(q-1)+(p-1)*(q-2)=2pq-3p-3q+4=2n-3(p+q)+4
#
# p+q={2n-[(p-2)*(q-1)+(p-1)*(q-2)]+4}/3
#
# phi=(p-1)*(q-1)=qp-p-q+1=n-(p+q)+1
import gmpy2
from Crypto.Util.number import *
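n = 129699330328568350681562198986490514508637584957167129897472522138320202321246467459276731970410463464391857177528123417751603910462751346700627325019668100946205876629688057506460903842119543114630198205843883677412125928979399310306206497958051030594098963939139480261500434508726394139839879752553022623977  # public modulus n = p*q
e = 65537
c = 51518667118381278477627700350423102429776676581577331085270368196272060145548342984043810743618087606163386279307047292933106493569541976939050254974252244013831301960071316341468330608281341872211745059683319875591139239345816548949447864182443966627910451617628300085919745530446373374581794092552290729186
n1 = 129699330328568350681562198986490514508637584957167129897472522138320202321246467459276731970410463464391857177528123417751603910462751346700627325019668067056973833292274532016607871906443481233958300928276492550916101187841666991944275728863657788124666879987399045804435273107746626297122522298113586003834  # (p-2)*(q-1)
n2 = 129699330328568350681562198986490514508637584957167129897472522138320202321246467459276731970410463464391857177528123417751603910462751346700627325019668066482326285878341068180156082719320570801770055174426452966817548862938770659420487687194933539128855877517847711670959794869291907075654200433400668220458  # (p-1)*(q-2)
# n1 + n2 = 2n - 3(p+q) + 4, hence 3(p+q) = 2n + 4 - n1 - n2.
# If that quantity is not a multiple of 3 the hint values cannot belong to this n;
# fail loudly rather than decrypt with a wrong phi.
three_ppq = 2 * n + 4 - n1 - n2
if three_ppq % 3:
    raise ValueError("2n + 4 - n1 - n2 is not divisible by 3; hint values do not match n")
ppq = three_ppq // 3  # p+q
phi = n - ppq + 1     # (p-1)*(q-1) = n - (p+q) + 1
d = pow(e, -1, phi)   # modular inverse from the stdlib (Python >= 3.8); replaces gmpy2.invert
m = pow(c, d, n)
# Minimal big-endian encoding of m, the same bytes long_to_bytes(m) produces for m > 0.
flag = m.to_bytes((m.bit_length() + 7) // 8, "big")
print(flag)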