wooyun 镜像站( 二 )

0000 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0000 00 00 00 00 00 00 00 00 00 00 00 00 00 00"""
.replace("","").replace("\r","").replace("\n","").decode("hex")
byte_402138= """00 00 00 00 01 00 00 00
0200 00 00 03 00 00 00 04 00 00 00 05 00 00 00
0600 00 00 07 00 00 00 08 00 00 00 09 00 00 00
0A00 00 00 0B 00 00 00 0C 00 00 00 0D 00 00 00
0E00 00 00 0F 00 00 00"""
.replace("","").replace("\r","").replace("\n","").decode("hex")
dword_403018="""0200 00 00 02 00 00 00
0200 00 00 02 00 00 00 00 00 00 00 00 00 00 00
""".replace("","").replace("\r","").replace("\n","").decode("hex")
#text:0040110E mov ecx, [ebp+var_4]
#.text:00401111 xor ecx, ebp
#.text:00401113 mov dword_40301C, 3
#.text:0040111D mov dword_403020, 6
#.text:00401127 mov dword_403024, 7
#内存值有所改变，所以修改一下
dword_403018= dword_403018[0:4] + '\x03' + dword_403018[5:8]
+'\x06' + dword_403018[9:12] + '\x07'
+dword_403018[13:]
printdword_403018.encode("hex")
fori in range(0,42):
hightnum= ord(dword_403018[ord(byte_402178[i])*4])<<4
numbershow= hightnum+ ord(byte_402138[ord(var_6c[i])*4])
printchr(numbershow),
flag{06b16a72-51cc-4310-88ab-70ab68290e22}

0x03 sqli
本题是sql约束攻击，注册用户名为“admin ” ，密码为符合规定的密码就可以，然后登陆就能看到flag
flag{b5a1f9c5-ac30-4e88-b460-e90bcb65bd70}

0x04 word
这算是一道签到题， word文件内容要求关注比赛官方平台公众号，回复“部分flag” ，获得flag{71d7ce04-197a-4d ，将doc文件重命名ZIP解压，在document.xml发现第二部分flagb3-9c1d-0c419406a594}
flag{71d7ce04-197a-4db3-9c1d-0c419406a594}

0x05 RSA
opensslrsa -inform PEM -in pubkey1.pem -pubin -text
Public-Key:(2048 bit)
Modulus:
00:89:89:a3:98:98:84:56:b3:fe:f4:a6:ad:86:df:
3c:99:57:7f:89:78:04:8d:e5:43:6b:ef:c3:0d:8d:
8c:94:95:89:12:aa:52:6f:f3:33:b6:68:57:30:6e:
bb:8d:e3:6c:2c:39:6a:84:ef:dc:5d:38:25:02:da:
a1:a3:f3:b6:e9:75:02:d2:e3:1c:84:93:30:f5:b4:
c9:52:57:a1:49:a9:7f:59:54:ea:f8:93:41:14:7a:
dc:dd:4e:95:0f:ff:74:e3:0b:be:62:28:76:b4:2e:
ea:c8:6d:f4:ad:97:15:d0:5b:56:04:aa:81:79:42:
4c:7d:9a:c4:6b:d6:b5:f3:22:b2:b5:72:8b:a1:48:
70:4a:25:a8:ef:cc:1e:7c:84:ea:7e:5c:e3:e0:17:
03:f0:4f:94:a4:31:d9:95:4b:d7:ae:2c:7d:d6:e8:
79:b3:5f:8a:2d:4a:5e:fb:e7:37:25:7b:f9:9b:d9:
ee:66:b1:5a:ff:23:3f:c7:7b:55:8a:48:7d:a5:95:
2f:be:2b:92:3d:a9:c5:eb:46:78:8c:05:03:36:b7:
e3:6a:5e:d8:2d:5c:1b:2a:eb:0e:45:be:e4:05:cb:
e7:24:81:db:25:68:aa:82:9e:ea:c8:7d:20:1a:5a:
8f:f5:ee:6f:0b:e3:81:92:ab:28:39:63:5f:6c:66:
42:17
Exponent:2333 (0x91d)
opensslrsa -inform PEM -in pubkey2.pem -pubin -text
Public-Key:(2048 bit)
Modulus:
00:89:89:a3:98:98:84:56:b3:fe:f4:a6:ad:86:df:
3c:99:57:7f:89:78:04:8d:e5:43:6b:ef:c3:0d:8d:
8c:94:95:89:12:aa:52:6f:f3:33:b6:68:57:30:6e:
bb:8d:e3:6c:2c:39:6a:84:ef:dc:5d:38:25:02:da:
a1:a3:f3:b6:e9:75:02:d2:e3:1c:84:93:30:f5:b4:
c9:52:57:a1:49:a9:7f:59:54:ea:f8:93:41:14:7a:
dc:dd:4e:95:0f:ff:74:e3:0b:be:62:28:76:b4:2e:
ea:c8:6d:f4:ad:97:15:d0:5b:56:04:aa:81:79:42:
4c:7d:9a:c4:6b:d6:b5:f3:22:b2:b5:72:8b:a1:48:
70:4a:25:a8:ef:cc:1e:7c:84:ea:7e:5c:e3:e0:17:
03:f0:4f:94:a4:31:d9:95:4b:d7:ae:2c:7d:d6:e8:
79:b3:5f:8a:2d:4a:5e:fb:e7:37:25:7b:f9:9b:d9:
ee:66:b1:5a:ff:23:3f:c7:7b:55:8a:48:7d:a5:95:
2f:be:2b:92:3d:a9:c5:eb:46:78:8c:05:03:36:b7:
e3:6a:5e:d8:2d:5c:1b:2a:eb:0e:45:be:e4:05:cb:
e7:24:81:db:25:68:aa:82:9e:ea:c8:7d:20:1a:5a:
8f:f5:ee:6f:0b:e3:81:92:ab:28:39:63:5f:6c:66:
42:17
Exponent:23333 (0x5b25).
可见，这两个公钥n是一样的，只是e不同，使用RSA的共模攻击